Add a clpreauth callback which gets the time of day using an offset
determined by the preauth-required error, and use it in encrypted
timestamp and encrypted challenge. This timestamp is not necessarily
authenticated, but the security consequences for those preauth mechs
are minor (and can be mitigated by turning off kdc_timesync on
clients).
When decoding an AS-REP enc part, we should accept app tags 26 (the
bogus one we generate) and 25 (the correct value). We were accepting
26 and 24. Bug report and fix by stefw@gnome.org.
When we check for password reuse, only compare keys with the most
recent kvno against history entries, or else we will always fail with
-keepold.
This bug primarily affects rollover of cross-realm TGT principals,
which typically use password-derived keys and may have an associated
password policy such as "default".
Bug report and candidate fix (taken with a slight modification) by
Nicolas Williams.
Active Directory always issues cross-realm tickets without a kvno,
which we see as kvno 0. When we see that, try the highest kvno (as we
already do) and then a few preceding kvnos so that key rollover of the
AD->MIT cross TGT can work.
Add new helpers kdc_rd_ap_req, which takes the place of a couple of
steps from kdc_process_tgs_req, and find_server_key, which takes the
place of some of the end steps of kdc_get_server_key.
Code changes by Nicolas Williams. Test cases by me.
Greg Hudson [Sat, 31 Mar 2012 00:38:20 +0000 (00:38 +0000)]
Fix data handling in rd_req_decoded_opt
We shouldn't peer at trans->tr_contents.data[0] if
trans->tr_contents.length is 0, even if the data field is non-null.
Harmless as long as the ASN.1 decoder uses null data fields for empty
krb5_data values, but still wrong.
Greg Hudson [Wed, 28 Mar 2012 21:11:06 +0000 (21:11 +0000)]
Add doc target with configured path substitutions
Add a new target "substhtml" in src/doc to create HTML documentation
with configured paths, suitable for installation by an OS package.
The build target generates a file named paths.py containing the
directory substitutions, copies it into the rst_composite directory,
and instructs conf.py to use it with the "pathsubs" tag.
Greg Hudson [Wed, 28 Mar 2012 21:11:01 +0000 (21:11 +0000)]
Use reference substitutions for paths in docs
For the default doc build (used for the web site and release tarball),
substitute path variables with links to the paths table in
mitK5defaults.rst, using symbolic names for the link text.
The substitution of kdcdir for man pages is slightly altered as a
side-effect of this commit. Regenerate the man pages to match. The
rendered man pages are unchanged.
Greg Hudson [Wed, 28 Mar 2012 02:03:33 +0000 (02:03 +0000)]
Automate RST HTML generation with doxygen info
In src/doc/Makefile.in, create an "rsthtml" target for generating
release tarball/web site HTML docs in doc/rst_html. For now,
eliminate support for the bridge to the Doxygen HTML output; just
generate XML output with Doxygen and convert it to RST format.
Greg Hudson [Tue, 27 Mar 2012 02:32:48 +0000 (02:32 +0000)]
Fix up krb5.hin Doxygen markup somewhat
* Put everything in an enclosing group, so it gets captured even
without EXTRACT_ALL.
* Make sure there's documentation for all constants referenced by
other markup.
* Fix references to the PAC constants.
Greg Hudson [Sat, 24 Mar 2012 14:29:44 +0000 (14:29 +0000)]
Remove krb5-send-pr man page
The license on the krb5-send-pr man page was incompatible with the
rest of our documentation, and the content is questionably up to date
(krb5-send-pr still exists, but we don't use GNATS any more, and
free-form mail to krb5-bugs is equally acceptable at this point). Get
rid of it for now.
Greg Hudson [Fri, 23 Mar 2012 16:27:05 +0000 (16:27 +0000)]
Install path-substituted man pages
Introduce src/doc/Makefile.in, which will eventually subsume
doc/Makefile (but will still pull sources from doc). In the rstman
target there, create man pages with symbolic path references (like
@SBINDIR@). In man/Makefile.in, substitute the path references with
the configured paths before installing.
Man pages generated from RST source are now checked into the source
tree under the name filename.man. This lets us use a single implicit
.man.sub rule for the path substitutions.
Greg Hudson [Thu, 22 Mar 2012 14:07:44 +0000 (14:07 +0000)]
Suppress some gcc uninitialized variable warnings
ticket: 7107
gcc 4.6.2 reportedly finds some spurious maybe-uninitialized warnings.
Suppress them. Patch from Eray Aslan with some adjustment.
Greg Hudson [Wed, 21 Mar 2012 16:57:05 +0000 (16:57 +0000)]
Only store master mey list in DAL handle
r24314 (#6778) created a hybrid owernship model for the master key
list, with one virtual copy stored in the DAL handle and one provided
to the caller of krb5_db_fetch_mkey_list. Replace this with a model
where only the DAL handle owns the list, and a caller can get access
to an alias pointer with a new function krb5_db_mkey_list_alias().
Functions which previously accepted the master key list as an input
parameter now expect to find it in the DAL handle.
Greg Hudson [Fri, 16 Mar 2012 13:57:50 +0000 (13:57 +0000)]
Move privileges section in database admin docs
The "Privileges" section in the RST database administration
documentation was tucked away in the middle of a section on principal
operations. Move it out and put it between policy operations and
kdb5_util operations, without changing its content.
(We may want to replace this whole section with a reference to the
appropriate part of the kadmind man page, but that requires a bit of
reconciliation since the kadmind man page doesn't document
restrictions yet.)
Greg Hudson [Fri, 16 Mar 2012 13:57:05 +0000 (13:57 +0000)]
Revise RST install guide client configuration
Stop recommending login.krb5. Remove outdated OSX instructions.
Don't suggest modifying /etc/services as we don't rely on it any more
(and it's generally already done by the OS these days). Add new
guidance for krb5.conf settings.
Greg Hudson [Wed, 14 Mar 2012 21:06:01 +0000 (21:06 +0000)]
Add plugin configuration documentation
In the RST admin guide, add a page for host configuration, and include
a subsection on registering, enabling, and disabling plugin modules.
For now, do not cover the private KDB and authdata plugin interfaces.
Greg Hudson [Wed, 14 Mar 2012 19:55:49 +0000 (19:55 +0000)]
Add config file section in RST user guide
Move the .k5identity and .k5login man pages to a separate section from
user commands. Also, kadmin.local and k5srvutil are not user-oriented
commands, so don't link to them in the user_commands index.
Greg Hudson [Wed, 14 Mar 2012 19:55:44 +0000 (19:55 +0000)]
Remove user_appl section in RST docs
The user_appl directory contained documentation for krb5_appl programs
which have largely been subsumed by ssh, for ksu (essentially
duplicating the ksu man page), and for ssh (a stub). Get rid of the
whole thing for now; we can add an ssh section back into the user
guide when we have more written about it.
Greg Hudson [Mon, 12 Mar 2012 20:24:45 +0000 (20:24 +0000)]
Edit RST admin guide for clarity and accuracy
Some more notable changes include:
* plugin development is a top-level guide, so remove the advanced
topic page in the admin guide.
* Remove krb5-appl references in firewall configuration section.
* Remove dns.rst since it was only referenced from a man page (which
doesn't work) and just contained a pair of links, one of which was
to the immediately preceding section.
* Don't document TXT record support as if it were supported in the
default build. It can be documented in an appendix.
* A couple of troubleshooting segments gave very
specifically-applicable advice based on general error messages, or
described problems which were fixed several releases ago.
Greg Hudson [Thu, 8 Mar 2012 22:38:58 +0000 (22:38 +0000)]
Add pluggable interface RST documentation
Create a new top-level section for plugin module developers. Document
the general conventions for pluggable interfaces and an overview of
each existing interface (except for GSSAPI mechanisms).
Since we're not currently generating doxygen markup for plugin
interface headers, refer to header files for detail-level
documentation for now.
Greg Hudson [Thu, 8 Mar 2012 00:37:47 +0000 (00:37 +0000)]
Properly decode etype-info2 with no salt
The data-driven decoder for etype-info2 was neglecting to call
init_no_salt() when no salt is present in the encoding. Add in the
missing call. Also add decode test cases for etype-info2, which would
have caught this if they weren't missing.
Greg Hudson [Wed, 7 Mar 2012 18:02:29 +0000 (18:02 +0000)]
Document KDC settings in kdc.conf manual
Move the documentation for the [logging], [dbdefaults], and
[dbmodules] sections and the database_module tag in kdc.conf rather
than krb5.conf, now that (as of r18009, aka #3761, which went into
krb5 1.5) KDC settings can be placed in either file.
Greg Hudson [Mon, 5 Mar 2012 17:35:14 +0000 (17:35 +0000)]
Fix spurious password expiry warning
r24241 (#6755) introduced a bug where if the KDC sends a LastReq entry
containing an account expiry time, we send a prompter warning for
password expiry even if there was no entry containing a password
expiry time. Typically, this results in the message "Warning: Your
password will expire in less than one hour on Thu Jan 1 12:00:00
1970".
Fix this by explicitly checking for pw_exp == 0 in warn_pw_expiry()
after we've gotten past the conditional for invoking the callback.
Greg Hudson [Sun, 4 Mar 2012 00:38:48 +0000 (00:38 +0000)]
Remove admin_keytab references in code and docs
The admin keytab hasn't been needed or used by kadmind since 1.4
(except possibly by legacy admin daemons which we no longer ship).
Eliminate remaining references to it in code, test cases, and
documentation.
Greg Hudson [Fri, 2 Mar 2012 19:18:33 +0000 (19:18 +0000)]
Consolidate RST install docs into larger files
Create two larger files (install_kdc.rst and install_clients.rst) and
remove the install_kdc and install_clients directories. No
significant changes to content.
Greg Hudson [Thu, 1 Mar 2012 20:49:17 +0000 (20:49 +0000)]
Fix KDB iteration when callback does write calls
kdb_db2's ctx_iterate makes an convenience alias to dbc->db in order
to call more invoke call the DB's seq method. This alias may become
invalidated if the callback writes to the DB, since ctx_lock() may
re-open the DB in order to acquire a write lock. Fix the bug by
getting rid of the convenience alias.
Most KDB iteration operations in the code base do not write to the DB,
but kdb5_util update_princ_encryption does.
Bug discovered and diagnosed by will.fiveash@oracle.com.
Greg Hudson [Wed, 29 Feb 2012 18:49:04 +0000 (18:49 +0000)]
Add GSSAPI acceptor names documentation
In the application developer documentation, create a little bit of
framing for documentation about krb5 GSS mechanism behavior and
extensions, and create an initial section about how host-based service
names affect keytab principal selection.
Ken Raeburn [Tue, 28 Feb 2012 16:15:56 +0000 (16:15 +0000)]
Require IPv6 support
The configure-time options to enable and disable IPv6 support have
been deprecated for some time, but the checks for OS support were
kept. This removes those checks, and unconditionally compiles in the
IPv6 support.
There was a configure-time test to see if the macro INET6 needed to be
defined in order to enable (visibility of) OS support for IPv6, which
was needed on an IRIX system we tested with. That check is retained,
but the revised code is untested on IRIX.
Greg Hudson [Sun, 26 Feb 2012 16:45:09 +0000 (16:45 +0000)]
Format pass over RST documentation
Without substantially changing the content, reformat RST
documentation sources, normalizing:
* Whitespace: four-space indentation where indentation is arbitrary;
no trailing whitespace or tabs. Two spaces after sentence periods.
* 70-column fill where lines can be wrapped (outside tables, mostly)
* Section header underlines: = for page titles, - for sections, ~ and
then # for subsections. Underlines exactly as long as titles. No
trailing punctuation in titles.
* Bullet lists: * for top-level bullets, - for sub-bullets. No
indentation of the list bullets relative to the surrounding content.
* Inline markup: italics for words representing variable text,
boldface for config keywords and command option names, monospaced
text for examples, pathnames. No adornment for command names and
filenames.
* Man page subcommands: subsection header for the subcommand, indented
command synposis, then non-indented description and option list.
* Man page command synopses: newline in source before each option. All
parts of synopsis at same indentation level. (Ideally we'd want a
hanging indent to the length of the command name, but RST doesn't
seem to support that.)
* Feedback links: in a separate section at the end. (This will need
to be revisited as it affects some multi-level tables of contents.)
Tom Yu [Wed, 22 Feb 2012 19:27:56 +0000 (19:27 +0000)]
Fail during configure if unable to find ar
Fail during configure time if the configure script can't locate the
"ar" program, instead of producing a delayed failure during build time
by running the "false" command. Some Solaris releases have ar in
/usr/ccs/bin, which is not in the default path for some users.
Greg Hudson [Tue, 21 Feb 2012 19:14:47 +0000 (19:14 +0000)]
Access controls for string RPCs [CVE-2012-1012]
In the kadmin protocol, make the access controls for
get_strings/set_string mirror those of get_principal/modify_principal.
Previously, anyone with global list privileges could get or modify
string attributes on any principal. The impact of this depends on how
generous the kadmind acl is with list permission and whether string
attributes are used in a deployment (nothing in the core code uses
them yet).
Greg Hudson [Tue, 21 Feb 2012 18:57:44 +0000 (18:57 +0000)]
kvno ASN.1 encoding interop with Windows RODCs
RFC 4120 defines the EncryptedData kvno field as an integer in the
range of unsigned 32-bit numbers. Windows encodes and decodes the
field as a signed 32-bit integer. Historically we do the same in our
encoder in 1.6 and prior, and in our decoder through 1.10. (Actually,
our decoder through 1.10 decoded the value as a long and then cast the
result to unsigned int, so it would accept positive values >= 2^31 on
64-bit platforms but not on 32-bit platforms.)
kvno values that large (or negative) are only likely to appear in the
context of Windows read-only domain controllers. So do what Windows
does instead of what RFC 4120 says.
Greg Hudson [Tue, 14 Feb 2012 18:26:50 +0000 (18:26 +0000)]
Initialize gss_get_name_attribute output buffers
GSS functions which accept gss_buffer_t output arguments should
initialize those buffers to empty on startup (see gss_wrap, for
instance). Do so for gss_get_name_attribute in the mechglue.
Greg Hudson [Mon, 13 Feb 2012 22:41:25 +0000 (22:41 +0000)]
Add explanatory README for ASN.1 infrastructure
Since we're not yet at the point of having an ASN.1 compiler for our
ASN.1 encoder, create a document explaining how to write macro
invocations for type descriptors from an ASN.1 module.
Greg Hudson [Sun, 12 Feb 2012 06:00:24 +0000 (06:00 +0000)]
Remove unneeded ASN.1 code
Get rid of a whole bunch of ASN.1 decoder infrastructure now that
we're using the data-driven decoder for everything. Define taginfo in
asn1_encode.h since asn1_get.h is going away. Rewrite split_der() to
use get_tag() since it still had an unintended dependency on the
previous generation of decoder infrastructure.
Greg Hudson [Sun, 12 Feb 2012 05:25:22 +0000 (05:25 +0000)]
Convert utility functions to new decoder
Create a special type to plug authdata types from authdata and make
krb5int_get_authdata_containee_types use it. Add a test case for it
as well. Move krb5_decode_ticket (a trivial wrapper) into
asn1_k_encode.c so that krb5_decode.c is empty.
Greg Hudson [Sat, 11 Feb 2012 23:25:25 +0000 (23:25 +0000)]
Data-driven ASN.1 decoder
Add a general ASN.1 decoder implementation in asn1_encode.c using the
same data structures as the encoder (augmented where necessary), and
use it to define decoder functions in asn1_k_encode.c. Add a boolean
type to atype_info, as it is needed for the pa_pac_req decoder. For
the moment, just #if out the old decoder functions; they and their
support code can be cleaned up later after a a few remaining utility
functions are addressed.
Changes to encoder and decoder interfaces are minimized, but there are
two small ones. ldap_seqof_key_data has a kvno field added, and some
of the decoder logic is pushed up into the caller. The safe_with_body
decoder now outputs an allocated krb5_data * instead of a krb5_data
with aliases into the input buffer.
Greg Hudson [Sat, 11 Feb 2012 23:25:21 +0000 (23:25 +0000)]
Change optional handling in ASN.1 encoder
Create a new atype_optional with a function pointer to decide whether
the type is present in the C object. For simple cases, sequences just
reference the optional version of a type. For more complex cases (such
as when the presence of the usec field of a sequence depends on whether
the timestamp is set), we define a predicate on the structure object
and nest the field type inside the optional type.
projects / thirdparty / krb5.git / log
