Revert 18b02f3e839c007fff54fc9b693f479b7563ec73 in the KDC. Instead,
when making an initial request with a keytab, transmit the whole
default_tkt_enctypes list, but sorted with the enctypes we have in the
keytab first. That way the KDC should prefer enctypes which we have
keys for (for both reply key and session key), but the other enctypes
are still available for use as ticket session keys.
Greg Hudson [Fri, 22 Jun 2012 16:48:26 +0000 (12:48 -0400)]
Add client keytab initiation support
Support acquiring GSSAPI krb5 credentials by fetching initial
credentials using the client keytab. Credentials obtained this way
will be stored in the default ccache or collection, and will be
refreshed when they are halfway to expiring.
Greg Hudson [Sat, 30 Jun 2012 01:45:26 +0000 (21:45 -0400)]
Document GSSAPI name type behavior
Separate out the general interpretation of GSSAPI name types by the
krb5 mechanism from the specific behavior of host-based and principal
name types when used as acceptor names.
Greg Hudson [Fri, 15 Jun 2012 15:14:39 +0000 (11:14 -0400)]
Add krb5_kt_client_default API
The default client keytab is intended to be used to automatically
acquire initial credentials for client applications. The current
hardcoded default is a placeholder, and will likely change before
1.11.
Add test framework settings to ensure that a system default client
keytab doesn't interfere with tests, and to allow tests to be written
to deliberately use the default client keytab.
Add documentation about keytabs to the concepts section of the RST
docs, and describe the default client keytab there.
In the regular krb5 code path, only get a default krb5 cred for the
initial token, since we don't need the cred for mutual_auth anyway.
In the IAKERB mechanism, cache the default cred in iakerb_ctx_id_rec
so we don't have to construct it again for each token. Also, get an
IAKERB default cred, not a regular krb5 cred (a bug which is harmless
now, but becomes more of a problem with keytab initiation changes).
When making a keytab-based AS request, a client has to choose between
sending its reply key enctype preference list (the enctypes it has in
the keytab) and its session key enctype preference list (all of the
enctypes it supports). Heimdal and MIT krb5 1.11 clients send the
reply key preference list. If this list doesn't overlap with the
server principal keys (say, because the krbtgt principal has only a
DES key), then the AS request will fail.
Try to make this work by making the KDC optimistically pick the first
permitted enctype in the request as the session key, even though it
can't be certain that other KDCs in the realm support that enctype.
Make sure to exercise this case in t_keytab.py by doing a multipass
keytab kinit test.
Greg Hudson [Wed, 27 Jun 2012 20:04:32 +0000 (16:04 -0400)]
Rename gss-krb5 cred tgt_expire field
The tgt_expire field is used to store non-TGT expiry times in a couple
of cases: when the ccache has no TGT, and after we've obtained a cred
for the target service. Rename it to just "expire" to be less
misleading.
Tom Yu [Mon, 25 Jun 2012 19:17:02 +0000 (15:17 -0400)]
Restore some spaces in trval
This is a cosmetic change to reintroduce some space characters that cff6ea939f061d17a5742a04b8eeb2905c1813dc removed, e.g. between the tag
and the length or short value.
Greg Hudson [Mon, 25 Jun 2012 15:19:56 +0000 (11:19 -0400)]
Fix crash on invalid DIR ccache primary file
If read_primary_file() fails with an error other than ENOENT, abort
cache resolution rather than dereferencing a null pointer. Reported
by Oliver Loch.
Greg Hudson [Fri, 22 Jun 2012 18:47:16 +0000 (14:47 -0400)]
Eliminate trailing whitespace in trval output
Modify the trval output slightly so that the reference trval output
files don't containing trailing whitespace, to make them friendlier to
our git hooks. (The pkinit and ldap trval reference files now contain
a leading blank line, which isn't very elegant, but avoiding that
requires too much Makefile.in complexity.) Also correct a typo.
Greg Hudson [Fri, 15 Jun 2012 22:06:43 +0000 (18:06 -0400)]
Simplify acquire_cred.c
struct acquire_cred_args was used purely to pass arguments to
acquire_cred (a static function), and had no advantages for that
purpose over positional arguments.
Greg Hudson [Sat, 16 Jun 2012 15:38:57 +0000 (11:38 -0400)]
Limit size of lookaside cache
Add a preprocessor constant LOOKASIDE_MAX_SIZE (defaulting to 10MB)
which limits the total size of the lookaside cache entries. Purge
stale entries in kdc_insert_lookaside instead of kdc_check_lookaside,
and when doing so, continue purging non-stale entries until the total
cache size (including the new entry) is within the size constraint.
Greg Hudson [Thu, 21 Jun 2012 21:20:29 +0000 (17:20 -0400)]
Handle PKINIT DH replies with no certs
If a PKINIT Diffie-Hellman reply contains no certificates in the
SignedData object, that may be because the signer certificate was a
trust anchor as transmitted to the KDC. Heimdal's KDC, for instance,
filters client trust anchors out of the returned set of certificates.
Match against idctx->trustedCAs and idctx->intermediateCAs to handle
this case. This fix only works with OpenSSL 1.0 or later; when built
against OpenSSL 0.9.x, the client will still require a cert in the
reply.
Greg Hudson [Thu, 14 Jun 2012 18:15:05 +0000 (14:15 -0400)]
Fail from gss_acquire_cred if we have no creds
If a caller tries to acquire krb5 initiator creds with no desired name
and we have no credentials in the cache collection, fail from
gss_acquire_cred intead of deferring until gss_init_sec_context.
Greg Hudson [Fri, 8 Jun 2012 21:02:28 +0000 (17:02 -0400)]
Remove big-endian gss-krb5 support
The big_endian flag in krb5_gss_ctx_id_rec is there for
interoperability with a really ancient implementation which we believe
is no longer in use. Get rid of it and the code to handle it.
Greg Hudson [Thu, 7 Jun 2012 16:58:26 +0000 (12:58 -0400)]
Rename and add to etype utility functions
Rename krb5int_count_etypes and krb5int_copy_etypes to have k5_
prefixes, and make them available outside of libkrb5 (but not part of
the public API). Add k5_etypes_contains to search an etype list, and
use it in krb5_is_permitted_enctype.
Greg Hudson [Wed, 6 Jun 2012 23:13:13 +0000 (19:13 -0400)]
Don't free caller's principal in vfy_increds
#7125 took out the copy of the krb5_verify_init_creds server argument
but left in the corresponding free, so it was freeing a caller-owned
principal. Reported by Russ Allbery.
Greg Hudson [Wed, 6 Jun 2012 20:37:02 +0000 (16:37 -0400)]
Try to make t_trace.c output consistent
Attempt to choose tracing inputs in t_trace.c which will produce
consistent output across platforms and logins. Re-enable the
comparison against the reference file.
Adds a principal string attribute named "session_enctypes" which can
specify what enctypes the principal supports for session keys. (For
what it's worth, this actually allows one to list des-cbc-md5 as a
supported session key enctype, though obviously this hardly matters
now.)
Add a [realms] section parameter for specifying whether to assume that
principals (which lack the session_enctypes attribute) support
des-cbc-crc for session keys. This allows those who still need to use
allow_weak_crypto=true, for whatever reason, to start reducing the
number of tickets issued with des-cbc-crc session keys to clients
which still give des-cbc-crc preference in their default_tgs_enctypes
list.
[ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored
test script; documented session_enctypes attribute]
Greg Hudson [Wed, 6 Jun 2012 15:23:19 +0000 (11:23 -0400)]
Allow daemon debugging in k5test.py
Allow --debug to be used for commands which start daemons, to make it
easier to debug startup issues. After debugging a daemon, the script
will exit, since the daemon won't be running after the debugging
session is over.
Greg Hudson [Tue, 5 Jun 2012 04:48:37 +0000 (00:48 -0400)]
Fix k5test.py hostname canonicalization
r25844 (#7124) stopped using AI_ADDRCONFIG when canonicalizing
hostnames in sn2princ. So we need to also stop using it in k5test.c's
_get_hostname() or we could come up with a different result on a
system where forward and reverse resolution via IPv4 and IPv6 produce
different results. That in turn causes a t_gssapi.py test (the one
using the un-canonicalized hostname) to fail, because libkrb5 looks
for a different host principal than k5test.py put in the keytab.
Greg Hudson [Tue, 5 Jun 2012 03:56:22 +0000 (23:56 -0400)]
Disable trace test comparison for now
The t_trace output isn't consistent from run to run. To fix "make
check", disable the comparison against the reference file until we can
make the output consistent.
Greg Hudson [Mon, 4 Jun 2012 15:23:00 +0000 (11:23 -0400)]
Fix trace log unit test
Only use common denominator Bourne shell syntax for exporting
environment variables. Don't rely on /dev/stdout working. Compare
the output with a reference file to detect changes, instead of just
sending it to stdout.
Greg Hudson [Mon, 4 Jun 2012 00:46:30 +0000 (20:46 -0400)]
Fail from gss_acquire_cred if we have no keytab
If a caller tries to acquire krb5 acceptor creds with no desired name
and we have no keytab keys, fail from gss_acquire_cred instead of
deferring until gss_accept_sec_context.
Greg Hudson [Mon, 4 Jun 2012 00:39:08 +0000 (20:39 -0400)]
Use first mech's status in gss_acquire_cred
If we can't acquire creds for any mech in gss_acquire_cred, return the
status of the first mech instead of the last mech, as it's more useful
in the typical case (where the first mech is krb5 and the last mech is
SPNEGO). This error reporting is not ideal when the user was
expecting to use some mech other than krb5, but it's about as good as
things were prior to #6894.
Greg Hudson [Sat, 2 Jun 2012 18:06:58 +0000 (14:06 -0400)]
Add krb5_kt_have_content API
Add the krb5_kt_have_content API from Heimdal, which can be used to
test whether a keytab exists and contains entries. Add tests to
t_keytab.c.
There is a deviation from Heimdal in the function signature.
Heimdal's signature returns a krb5_boolean at the moment, because the
Heimdal implementation actually returns a krb5_error_code. These are
generally the same type anyway (int).
Greg Hudson [Sat, 2 Jun 2012 17:54:12 +0000 (13:54 -0400)]
Tighten up error checking in t_keytab.c
When checking for specific error codes, using CHECK() meant that we
wouldn't properly fail if we got error code 0. Define and use a
CHECK_ERR() to test for a specific error code, and define CHECK() in
terms of it.
Greg Hudson [Fri, 1 Jun 2012 13:52:20 +0000 (09:52 -0400)]
Use correct profile var in krb5_get_tgs_ktypes
In r21879, when we converted to using KRB5_CONF macros for profile
variable names, we made a typo in krb5_get_tgs_ktypes and erroneously
started using default_tkt_enctypes instead of default_tgs_enctypes for
TGS requests. Fix the typo and return to the documented behavior.
Greg Hudson [Thu, 24 May 2012 06:07:18 +0000 (02:07 -0400)]
Use a hash table in the KDC lookaside cache
Add a hash table to kdc/replay.c for fast lookup of incoming packets.
Continue to keep a time-ordered linked list of all entries for fast
expiry of stale entries. The preprocessor constant
LOOKASIDE_HASH_SIZE can be used to change the size of the hash table.
Richard Basch [Tue, 29 May 2012 18:07:03 +0000 (14:07 -0400)]
Null pointer deref in kadmind [CVE-2012-1013]
The fix for #6626 could cause kadmind to dereference a null pointer if
a create-principal request contains no password but does contain the
KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
name"). Only clients authorized to create principals can trigger the
bug. Fix the bug by testing for a null password in check_1_6_dummy.
Greg Hudson [Thu, 24 May 2012 17:03:26 +0000 (13:03 -0400)]
Fix S4U user identification in preauth case
In 1.10, encrypted timestamp became a built-in module instead of a
hardcoded padata handler. This changed the behavior of
krb5_get_init_creds as invoked by s4u_identify_user such that
KRB5_PREAUTH_FAILED is returned instead of the gak function's error.
(Module failures are not treated as hard errors, while hardcoded
padata handler errors are.) Accordingly, we should look for
KRB5_PREAUTH_FAILED in s4u_identify_user.
On a less harmful note, the gak function was returning a protocol
error code instead of a com_err code, and the caller was testing for a
different protocol error code (KDC_ERR_PREAUTH_REQUIRED) which could
never be returned by krb5_get_init_creds. Clean up both of those by
returning KRB5_PREAUTH_FAILED from the gak function and testing for
that alone.
W. Trevor King [Fri, 18 May 2012 01:26:36 +0000 (21:26 -0400)]
Convert DEBUG_REFERRALS to TRACE_* framework
The referrals debugging code under DEBUG_REFERRALS ceased building
correctly at some point. Convert this debugging code to use the
tracing framework instead, including adding new trace macros to
k5-trace.h.
Greg Hudson [Tue, 22 May 2012 17:45:18 +0000 (13:45 -0400)]
Export gss_mech_krb5_wrong from libgssapi_krb5
Although there are few legitimate reasons to use gss_mech_krb5_wrong,
it's declared in the public header and exported in the Windows DLL.
So export it from the Unix library as well.
Greg Hudson [Mon, 21 May 2012 05:39:14 +0000 (01:39 -0400)]
Export krb5_set_trace_callback/filename
krb5_set_trace_callback and krb5_set_trace_filename were added to
krb5.h in krb5 1.9, but were mistakenly left out of the library export
lists. Add them now. Reported by Russ Allbery.
Tom Yu [Thu, 17 May 2012 23:32:41 +0000 (19:32 -0400)]
Add missing $(LIBS) to some shared libraries
Add $(LIBS) to the $(SHLIB_EXPLIBS) for some shared libraries which
did not previously include it, which prevented gcov from working
properly in some cases.
Tom Yu [Tue, 15 May 2012 19:15:07 +0000 (15:15 -0400)]
Make mkrel work on non-master branches
Appending "--" to the git checkout arguments appears to prevent it
from automatically creating a local branch from the remote. Also
correct the default git URL and clean up a spurious find warning.
Greg Hudson [Sun, 13 May 2012 17:15:34 +0000 (13:15 -0400)]
Avoid extern inline in asn1buf.h
Avoid using extern inline in asn1buf.h, as there are two conflicting
sets of semantics (gnu89's and C99's). gcc defaults to the gnu89
semantics, which we were using, while clang defines __GNUC__ but
defaults to the C99 semantics. To simplify things, use static inline
instead, like we do in k5-int.h.
Greg Hudson [Sun, 13 May 2012 17:12:06 +0000 (13:12 -0400)]
Don't stomp minor code in spnego_gss_acquire_cred
When spnego_gss_acquire_cred passes through a failure status from the
mechglue, it overwrites the minor code with a call to
gss_release_oid_set(). Use a temporary minor status for that and a
related call.
Greg Hudson [Sat, 12 May 2012 16:54:06 +0000 (12:54 -0400)]
Null-terminate components of parsed principals
The rewritten krb5_parse_name didn't null-terminate components or
realms of principals, while the old one did. Fix the new one to do so
as well.
This means KRB5_PRINCIPAL_PARSE_IGNORE_REALM allocates one byte for
the realm instead of leaving it as empty_data(), so we need to free
the realm in build_in_tkt_name() before copying in the client realm.
Greg Hudson [Fri, 11 May 2012 18:07:30 +0000 (18:07 +0000)]
Omit start time in common AS requests
MIT and Heimdal KDCs ignore the start time for non-postdated ticket
requests, but AD yields an error if the start time is in the KDC's
future, defeating the kdc_timesync option. Omit the start time if the
caller did not specify a start time offset.
This change reenables the client check for too much clock skew in the
KDC reply in the non-timesync configuration. That check had been
unintentionally suppressed since the introduction of the
get_init_creds interfaces. Adjust the t_skew test script to expect
the new error behavior.
Code changes from stefw@gnome.org with slight modifications.
Greg Hudson [Thu, 10 May 2012 17:34:14 +0000 (17:34 +0000)]
Avoid requiring default realm for in_tkt_service
Use the new KRB5_PRINCIPAL_PARSE_IGNORE_REALM flag when parsing
in_tkt_service arguments in get_init_cred functions, since we're going
to overwrite the realm anyway.
Greg Hudson [Thu, 10 May 2012 17:34:10 +0000 (17:34 +0000)]
Add krb5_parse_name flag to ignore realm
The flag KRB5_PRINCIPAL_PARSE_IGNORE_REALM causes krb5_parse_name to
return the principal with an empty realm whether or not a realm is
present in the name.
Greg Hudson [Thu, 10 May 2012 17:34:07 +0000 (17:34 +0000)]
Rewrite krb5_parse_name
krb5_parse_name started out a bit unwieldy, and has become more so
with the introduction of flags. Rewrite it using two passes (allocate
and fill), each broken out into its own helper, and a wrapper which
handles the realm flags.
Greg Hudson [Wed, 9 May 2012 17:55:27 +0000 (17:55 +0000)]
Constify get_init_creds string input params
The get_init_creds functions take read-only string input parameters
for passwords and initial ticket services. Make these const char *
parameters instead of just char * parameters, for caller convenience.
Greg Hudson [Wed, 9 May 2012 17:40:38 +0000 (17:40 +0000)]
Add API to interpret changepw result strings
Active Directory returns structured policy information in the
nominally UTF-8 result string field of a password change reply. Add a
new API krb5_chpw_message() to convert a result string into a
displayable message, interpreting policy information if present.
Greg Hudson [Tue, 8 May 2012 03:04:15 +0000 (03:04 +0000)]
Improve traced error messages from PKINIT client
If we have no configured PKINIT client identity, or if we fail to
create a certificate chain, set a reasonable error code (not EINVAL or
ENOMEM) and a useful error message to appear in trace log output.
projects / thirdparty / krb5.git / log
