Greg Hudson [Fri, 8 Jun 2012 21:02:28 +0000 (17:02 -0400)]
Remove big-endian gss-krb5 support
The big_endian flag in krb5_gss_ctx_id_rec is there for
interoperability with a really ancient implementation which we believe
is no longer in use. Get rid of it and the code to handle it.
Greg Hudson [Thu, 7 Jun 2012 16:58:26 +0000 (12:58 -0400)]
Rename and add to etype utility functions
Rename krb5int_count_etypes and krb5int_copy_etypes to have k5_
prefixes, and make them available outside of libkrb5 (but not part of
the public API). Add k5_etypes_contains to search an etype list, and
use it in krb5_is_permitted_enctype.
Greg Hudson [Wed, 6 Jun 2012 23:13:13 +0000 (19:13 -0400)]
Don't free caller's principal in vfy_increds
#7125 took out the copy of the krb5_verify_init_creds server argument
but left in the corresponding free, so it was freeing a caller-owned
principal. Reported by Russ Allbery.
Greg Hudson [Wed, 6 Jun 2012 20:37:02 +0000 (16:37 -0400)]
Try to make t_trace.c output consistent
Attempt to choose tracing inputs in t_trace.c which will produce
consistent output across platforms and logins. Re-enable the
comparison against the reference file.
Adds a principal string attribute named "session_enctypes" which can
specify what enctypes the principal supports for session keys. (For
what it's worth, this actually allows one to list des-cbc-md5 as a
supported session key enctype, though obviously this hardly matters
now.)
Add a [realms] section parameter for specifying whether to assume that
principals (which lack the session_enctypes attribute) support
des-cbc-crc for session keys. This allows those who still need to use
allow_weak_crypto=true, for whatever reason, to start reducing the
number of tickets issued with des-cbc-crc session keys to clients
which still give des-cbc-crc preference in their default_tgs_enctypes
list.
[ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored
test script; documented session_enctypes attribute]
Greg Hudson [Wed, 6 Jun 2012 15:23:19 +0000 (11:23 -0400)]
Allow daemon debugging in k5test.py
Allow --debug to be used for commands which start daemons, to make it
easier to debug startup issues. After debugging a daemon, the script
will exit, since the daemon won't be running after the debugging
session is over.
Greg Hudson [Tue, 5 Jun 2012 04:48:37 +0000 (00:48 -0400)]
Fix k5test.py hostname canonicalization
r25844 (#7124) stopped using AI_ADDRCONFIG when canonicalizing
hostnames in sn2princ. So we need to also stop using it in k5test.c's
_get_hostname() or we could come up with a different result on a
system where forward and reverse resolution via IPv4 and IPv6 produce
different results. That in turn causes a t_gssapi.py test (the one
using the un-canonicalized hostname) to fail, because libkrb5 looks
for a different host principal than k5test.py put in the keytab.
Greg Hudson [Tue, 5 Jun 2012 03:56:22 +0000 (23:56 -0400)]
Disable trace test comparison for now
The t_trace output isn't consistent from run to run. To fix "make
check", disable the comparison against the reference file until we can
make the output consistent.
Greg Hudson [Mon, 4 Jun 2012 15:23:00 +0000 (11:23 -0400)]
Fix trace log unit test
Only use common denominator Bourne shell syntax for exporting
environment variables. Don't rely on /dev/stdout working. Compare
the output with a reference file to detect changes, instead of just
sending it to stdout.
Greg Hudson [Mon, 4 Jun 2012 00:46:30 +0000 (20:46 -0400)]
Fail from gss_acquire_cred if we have no keytab
If a caller tries to acquire krb5 acceptor creds with no desired name
and we have no keytab keys, fail from gss_acquire_cred instead of
deferring until gss_accept_sec_context.
Greg Hudson [Mon, 4 Jun 2012 00:39:08 +0000 (20:39 -0400)]
Use first mech's status in gss_acquire_cred
If we can't acquire creds for any mech in gss_acquire_cred, return the
status of the first mech instead of the last mech, as it's more useful
in the typical case (where the first mech is krb5 and the last mech is
SPNEGO). This error reporting is not ideal when the user was
expecting to use some mech other than krb5, but it's about as good as
things were prior to #6894.
Greg Hudson [Sat, 2 Jun 2012 18:06:58 +0000 (14:06 -0400)]
Add krb5_kt_have_content API
Add the krb5_kt_have_content API from Heimdal, which can be used to
test whether a keytab exists and contains entries. Add tests to
t_keytab.c.
There is a deviation from Heimdal in the function signature.
Heimdal's signature returns a krb5_boolean at the moment, because the
Heimdal implementation actually returns a krb5_error_code. These are
generally the same type anyway (int).
Greg Hudson [Sat, 2 Jun 2012 17:54:12 +0000 (13:54 -0400)]
Tighten up error checking in t_keytab.c
When checking for specific error codes, using CHECK() meant that we
wouldn't properly fail if we got error code 0. Define and use a
CHECK_ERR() to test for a specific error code, and define CHECK() in
terms of it.
Greg Hudson [Fri, 1 Jun 2012 13:52:20 +0000 (09:52 -0400)]
Use correct profile var in krb5_get_tgs_ktypes
In r21879, when we converted to using KRB5_CONF macros for profile
variable names, we made a typo in krb5_get_tgs_ktypes and erroneously
started using default_tkt_enctypes instead of default_tgs_enctypes for
TGS requests. Fix the typo and return to the documented behavior.
Greg Hudson [Thu, 24 May 2012 06:07:18 +0000 (02:07 -0400)]
Use a hash table in the KDC lookaside cache
Add a hash table to kdc/replay.c for fast lookup of incoming packets.
Continue to keep a time-ordered linked list of all entries for fast
expiry of stale entries. The preprocessor constant
LOOKASIDE_HASH_SIZE can be used to change the size of the hash table.
Richard Basch [Tue, 29 May 2012 18:07:03 +0000 (14:07 -0400)]
Null pointer deref in kadmind [CVE-2012-1013]
The fix for #6626 could cause kadmind to dereference a null pointer if
a create-principal request contains no password but does contain the
KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
name"). Only clients authorized to create principals can trigger the
bug. Fix the bug by testing for a null password in check_1_6_dummy.
Greg Hudson [Thu, 24 May 2012 17:03:26 +0000 (13:03 -0400)]
Fix S4U user identification in preauth case
In 1.10, encrypted timestamp became a built-in module instead of a
hardcoded padata handler. This changed the behavior of
krb5_get_init_creds as invoked by s4u_identify_user such that
KRB5_PREAUTH_FAILED is returned instead of the gak function's error.
(Module failures are not treated as hard errors, while hardcoded
padata handler errors are.) Accordingly, we should look for
KRB5_PREAUTH_FAILED in s4u_identify_user.
On a less harmful note, the gak function was returning a protocol
error code instead of a com_err code, and the caller was testing for a
different protocol error code (KDC_ERR_PREAUTH_REQUIRED) which could
never be returned by krb5_get_init_creds. Clean up both of those by
returning KRB5_PREAUTH_FAILED from the gak function and testing for
that alone.
W. Trevor King [Fri, 18 May 2012 01:26:36 +0000 (21:26 -0400)]
Convert DEBUG_REFERRALS to TRACE_* framework
The referrals debugging code under DEBUG_REFERRALS ceased building
correctly at some point. Convert this debugging code to use the
tracing framework instead, including adding new trace macros to
k5-trace.h.
Greg Hudson [Tue, 22 May 2012 17:45:18 +0000 (13:45 -0400)]
Export gss_mech_krb5_wrong from libgssapi_krb5
Although there are few legitimate reasons to use gss_mech_krb5_wrong,
it's declared in the public header and exported in the Windows DLL.
So export it from the Unix library as well.
Greg Hudson [Mon, 21 May 2012 05:39:14 +0000 (01:39 -0400)]
Export krb5_set_trace_callback/filename
krb5_set_trace_callback and krb5_set_trace_filename were added to
krb5.h in krb5 1.9, but were mistakenly left out of the library export
lists. Add them now. Reported by Russ Allbery.
Tom Yu [Thu, 17 May 2012 23:32:41 +0000 (19:32 -0400)]
Add missing $(LIBS) to some shared libraries
Add $(LIBS) to the $(SHLIB_EXPLIBS) for some shared libraries which
did not previously include it, which prevented gcov from working
properly in some cases.
Tom Yu [Tue, 15 May 2012 19:15:07 +0000 (15:15 -0400)]
Make mkrel work on non-master branches
Appending "--" to the git checkout arguments appears to prevent it
from automatically creating a local branch from the remote. Also
correct the default git URL and clean up a spurious find warning.
Greg Hudson [Sun, 13 May 2012 17:15:34 +0000 (13:15 -0400)]
Avoid extern inline in asn1buf.h
Avoid using extern inline in asn1buf.h, as there are two conflicting
sets of semantics (gnu89's and C99's). gcc defaults to the gnu89
semantics, which we were using, while clang defines __GNUC__ but
defaults to the C99 semantics. To simplify things, use static inline
instead, like we do in k5-int.h.
Greg Hudson [Sun, 13 May 2012 17:12:06 +0000 (13:12 -0400)]
Don't stomp minor code in spnego_gss_acquire_cred
When spnego_gss_acquire_cred passes through a failure status from the
mechglue, it overwrites the minor code with a call to
gss_release_oid_set(). Use a temporary minor status for that and a
related call.
Greg Hudson [Sat, 12 May 2012 16:54:06 +0000 (12:54 -0400)]
Null-terminate components of parsed principals
The rewritten krb5_parse_name didn't null-terminate components or
realms of principals, while the old one did. Fix the new one to do so
as well.
This means KRB5_PRINCIPAL_PARSE_IGNORE_REALM allocates one byte for
the realm instead of leaving it as empty_data(), so we need to free
the realm in build_in_tkt_name() before copying in the client realm.
Greg Hudson [Fri, 11 May 2012 18:07:30 +0000 (18:07 +0000)]
Omit start time in common AS requests
MIT and Heimdal KDCs ignore the start time for non-postdated ticket
requests, but AD yields an error if the start time is in the KDC's
future, defeating the kdc_timesync option. Omit the start time if the
caller did not specify a start time offset.
This change reenables the client check for too much clock skew in the
KDC reply in the non-timesync configuration. That check had been
unintentionally suppressed since the introduction of the
get_init_creds interfaces. Adjust the t_skew test script to expect
the new error behavior.
Code changes from stefw@gnome.org with slight modifications.
Greg Hudson [Thu, 10 May 2012 17:34:14 +0000 (17:34 +0000)]
Avoid requiring default realm for in_tkt_service
Use the new KRB5_PRINCIPAL_PARSE_IGNORE_REALM flag when parsing
in_tkt_service arguments in get_init_cred functions, since we're going
to overwrite the realm anyway.
Greg Hudson [Thu, 10 May 2012 17:34:10 +0000 (17:34 +0000)]
Add krb5_parse_name flag to ignore realm
The flag KRB5_PRINCIPAL_PARSE_IGNORE_REALM causes krb5_parse_name to
return the principal with an empty realm whether or not a realm is
present in the name.
Greg Hudson [Thu, 10 May 2012 17:34:07 +0000 (17:34 +0000)]
Rewrite krb5_parse_name
krb5_parse_name started out a bit unwieldy, and has become more so
with the introduction of flags. Rewrite it using two passes (allocate
and fill), each broken out into its own helper, and a wrapper which
handles the realm flags.
Greg Hudson [Wed, 9 May 2012 17:55:27 +0000 (17:55 +0000)]
Constify get_init_creds string input params
The get_init_creds functions take read-only string input parameters
for passwords and initial ticket services. Make these const char *
parameters instead of just char * parameters, for caller convenience.
Greg Hudson [Wed, 9 May 2012 17:40:38 +0000 (17:40 +0000)]
Add API to interpret changepw result strings
Active Directory returns structured policy information in the
nominally UTF-8 result string field of a password change reply. Add a
new API krb5_chpw_message() to convert a result string into a
displayable message, interpreting policy information if present.
Greg Hudson [Tue, 8 May 2012 03:04:15 +0000 (03:04 +0000)]
Improve traced error messages from PKINIT client
If we have no configured PKINIT client identity, or if we fail to
create a certificate chain, set a reasonable error code (not EINVAL or
ENOMEM) and a useful error message to appear in trace log output.
Zhanna Tsitkov [Sat, 5 May 2012 15:35:51 +0000 (15:35 +0000)]
Add generalized definition of krb5_ui_4 and krb5_int32 to the documentation for better cross-referencing. Do not include internal structure krb5_cc_ops into Sphinx documentation
Greg Hudson [Thu, 3 May 2012 21:43:42 +0000 (21:43 +0000)]
Make verify_init_creds work with existing ccache
As the file ccache implementation currently stands, we don't want to
turn off TC_OPENCLOSE on a file cache we're writing to, or it will be
opened read-only and stores to it will fail. Reported by Russ
Allbery.
Greg Hudson [Thu, 3 May 2012 19:42:43 +0000 (19:42 +0000)]
Try all host keys by default in vfy_increds
Factor out the core code of krb5_verify_init_creds into a helper, add
new helper functions to retrieve the list of unique host principals
from a keytab, and make krb5_verify_init_creds drive the helper once
per host principal.
Augment the test harness and test cases to better test the new
behavior. Add a k5test method to retrieve an NFS principal for the
test realm for the sake of the new test cases.
Greg Hudson [Thu, 3 May 2012 15:15:51 +0000 (15:15 +0000)]
In sn2princ, getaddrinfo without AI_ADDRCONFIG
When canonicalizing a principal, use AI_CANONNAME alone in the hint
flags for getaddrinfo, for two reasons. First, it works around a gnu
libc bug where getaddrinfo does a PTR lookup for the canonical name
(we tried to work around this in r24977 bug the addition of
AI_ADDRCONFIG caused the same problem as the use of AF_INET). Second,
an IPv4-only host should be able create a principal for an IPv6-only
host even if it can't contact the host.
This does result in extra AAAA queries in the common case (IPv4-only
host contacting IPv4-only service), which is unfortunate. But we need
to leave that optimization up to the platform at this point.
Turn the last two entries of the pa_types table into helper functions
which we invoke before the loop. Then, get rid of the part of the
loop which consults the pa_types table.
Tom Yu [Fri, 27 Apr 2012 22:40:21 +0000 (22:40 +0000)]
Use correct name-type in TGS-REQs for 2008R2 RODCs
Correctly set the name-type for the TGS principals to KRB5_NT_SRV_INST
in TGS-REQs. (Previously, only AS-REQs had the name-type set in this
way.) Windows Server 2008 R2 read-only domain controllers (RODCs)
insist on having the correct name-type for the TGS principal in
TGS-REQs as well as AS-REQs, at least for the TGT-forwarding case.
Thanks to Sebastian Galiano for reporting this bug and helping with
testing.
The addition of afs3-salt processing in get_etype_info made it overly
large, so split out the pw-salt/afs3-salt processing into a separate
function. Also fix two dumb bugs.
In krb5_init_creds_ctx and krb5_clpreauth_rock_st, use a boolean to
track whether we're still using the default salt instead of
overloading salt.length. In preauth2.c, process afs3 salt values like
we would in krb5int_des_string_to_key, and set an s2kparams indicator
instead of overloading salt.length. Also use an s2kparams indicator
in kdb_cpw.c's add_key_pwd. Remove the s2k code to handle overloaded
salt lengths, except for a sanity check.
Use krb5int_copy_data_contents_add0 when copying a pa-pw-salt or
pa-afs3-salt value in pa_salt(). If it's an afs3-salt, we're going to
throw away the length and use strcspn in krb5int_des_string_to_key,
which isn't safe if the value is unterminated.
Add a method to the securid_sam2 plugin, built with alternate
compile-time flags, which supplies a plain-text challenge to the
client to be used as the OTP value. This lets us manually exercise
the SAM-2 client code and a little bit of the KDC code.
securid_make_sam_challenge_2_and_cksum is moved into the method-
independent code and renamed. get_securid_edata_2 has its sc2b
parameter removed as it was not used by the caller.
Although the kadmin client never generates a KADM5_POLICY_CLR mask bit
with addprinc, the bit will be set if a kadm5.acl line imposes the
-clearpolicy restriction. Relax the sanity checking in
kadm5_create_principal_3 to allow KADM5_POLICY_CLR as long as
KADM5_POLICY is not also set.
Add K5Realm.prep_kadmin() to create a ccache and K5Realm.run_kadmin()
to run a kadmin query using it. Modify t_stringattr.py to use these
helpers instead of its own.
Initialize use_count fields in krb5_preauth_request_context_init,
which is invoked before each AS request. Previously they were
initialized only in krb5_init_preauth_context, which is only invoked
once per krb5 library context.
Move some tests out of the multipass_realms loop since they aren't
enctype-dependent. Fix the success message not to mention kvno
wrapping. Don't start kadmind in the multipass_realms loop since we
don't use it.
A database created prior to 1.3 will have multiple password history
keys, and kadmin prior to 1.8 won't necessarily choose the first one.
So if there are multiple keys, we have to try them all. If none of
the keys can decrypt a password history entry, don't fail the password
change operation; it's not worth it without positive evidence of
password reuse.
projects / thirdparty / krb5.git / log
