Greg Hudson [Wed, 6 Nov 2013 18:33:04 +0000 (13:33 -0500)]
Clarify realm and dbmodules configuration docs
In kdc_conf.rst, add examples showing how to configure a realm
parameter and a database parameter. Document that the default DB
configuration section is the realm name, and use that in the example.
Move the db_module_dir description to the end of the [dbmodules]
documentation since it is rarely used and could confuse a reader about
the usual structure of the section.
A related but more minor vulnerability requires authentication to
exploit, and is only present if a third-party KDC database module can
dereference a null pointer under certain conditions.
Ben Kaduk [Wed, 30 Oct 2013 18:51:12 +0000 (14:51 -0400)]
Clean up the code to eliminate some clang warnings
In ure.c, though k is a short, the literal 1 is of type 'int', and
so the operation 'k + 1' is performed at the (32-bit) width of int,
and therefore the "%d" format string is correct.
In accept_sec_context.c, the 'length' field of krb5_data is an
unsigned type, so checking for a negative value has no effect.
In net-server.c, the helper routine rtm_type_name() is only used
in code that is disabled with #if 0 conditionals; make the
definition also disabled in the same way to avoid warnings of an
unused function.
In kdc_authdata.c, equality checks in double parentheses elicit
a warning from clang. The double-parentheses idiom is normally used
to indicate that an assignment is being performed, but the value of
the assignment is also to be used as the value for the conditional.
Since assignment and equality checking differ only by a single
character, clang considers this worthy of a warning. Since the extra
set of parentheses is redundant and against style, it is correct to
remove them.
In several places (sim_server.c, dump.c, kdb5_destroy.c,
ovsec_kadmd.c), there are declarations of extern variables relating
to getopt() functionality that are now unused in the code. Remove
these unused variables.
Ben Kaduk [Wed, 30 Oct 2013 18:11:40 +0000 (14:11 -0400)]
Make set_cloexec_fd return void
We never check its return value (causing clang to emit warnings),
and its use is primarily in cases where we should continue processing
in the event of failure. Just ignore errors from the underlying
fcntl() call (if present) and treat this operation as best-effort.
Ben Kaduk [Tue, 10 Jul 2012 14:14:52 +0000 (10:14 -0400)]
Avoid deprecated krb5_get_in_tkt_with_keytab
The kprop code has been pretty unloved, and uses some routines that
are marked as deprecated (which show up as warnings in the build log).
Use the documented replacement for krb5_get_in_tkt_with_keytab,
krb5_get_init_creds_keytab, instead. As a bonus, there is no longer
a side effect of a credentials cache that needs to be destroyed.
The also-deprecated function krb5_get_in_tkt_with_skey was backending
to it when no keyblock was passed in; we can unroll the call to
krb5_get_init_creds_keytab ourselves as the documented workaround.
While here, improve style compliance with regards to cleanup.
The setkey test just wants to know whether it can use the key it
just put into a keytab to get credentials; as such the recommended
krb5_get_init_creds_keytab is quite sufficient.
While here, use that interface to request the particular enctype
as well, reducing the scope of an XXX comment.
Ben Kaduk [Tue, 3 Jul 2012 14:27:20 +0000 (10:27 -0400)]
Remove last uses of "possibly-insecure" mktemp(3)
Many libc implementations include notations to the linker to generate
warnings upon references to mktemp(3), due to its potential for
insecure operation. This has been the case for quite some time,
as was noted in RT #6199. Our usage of the function has decreased
with time, but has not yet disappeared entirely. This commit
removes the last few instances from our tree.
kprop's credentials never need to hit the disk, so a MEMORY ccache
is sufficient (and does not need randomization).
store_master_key_list is explicitly putting keys on disk so as to
do an atomic rename of the stash file, but since the stash file
should be in a root-only directory, we can just use a fixed name
for the temporary file. When using this fixed name, we must detect
(and error out) if the temporary file already exists; add a test to
confirm that we do so.
Ben Kaduk [Wed, 18 Jul 2012 14:05:33 +0000 (10:05 -0400)]
Clean up stash file error handling
The comment previously failed to match the behavior. The intent was
that if we failed to write out the entire stash file into the
temporary location, we should remove the partial file. However, the
code was actually checking whether the *real* stash file existed,
not whether the temporary one existed.
It is safe to always try to unlink the partial file, and not worry
about whether it already exists.
Ben Kaduk [Mon, 4 Nov 2013 18:09:13 +0000 (13:09 -0500)]
Use retval, not errno, when stashing master keys
The krb5_db_store_master_key{,_list} functions return a
krb5_error_code, and do not necessarily set errno on failure.
Use the correct variable while reporting errors with com_err().
Greg Hudson [Wed, 30 Oct 2013 22:22:00 +0000 (18:22 -0400)]
Clarify kpropd standalone mode documentation
The kpropd -S option is no longer needed to run kpropd in standalone
mode, but its functionality is not deprecated; standalone mode is
automatically activated when appropriate. Clarify the kpropd
documentation on standalone mode to avoid giving the impression that
the mode is deprecated.
Greg Hudson [Mon, 28 Oct 2013 15:23:11 +0000 (11:23 -0400)]
Improve LDAP KDB initialization error messages
In krb5_ldap_initialize, don't just blat the LDAP error into the
extended message; give an indication of which LDAP operation we were
trying to do and show what parameters we gave to it.
(Also, krb5_set_error_message can handle a null context argument, so
don't bother to check before calling.)
Greg Hudson [Mon, 28 Oct 2013 17:09:15 +0000 (13:09 -0400)]
Accept anonymous GSS names in kadmind
The krb5 implementation of gss_display_name() reports the name type as
GSS_C_NT_ANONYMOUS if the client uses an anonymous principal. Accept
this name type in gss_name_to_string and gss_to_krb5_name so that
anonymous kadmin can work.
Also improve code hygiene: call gss_name_to_string from
gss_to_krb5_name to reduce code repetition; use gss_oid_equal instead
of pointer comparison for name types; and don't assume that the
gss_display_name result buffer is zero-terminated.
Greg Hudson [Sun, 27 Oct 2013 00:17:10 +0000 (20:17 -0400)]
Fix decoding of mkey kvno in mkey_aux tl-data
krb5_dbe_lookup_mkey_aux was decoding a 16-bit value directly into an
int, resulting in the wrong value on big-endian platforms. The
consequences are mostly invisible because we ignore this field and try
all mkey_aux nodes in krb5_def_fetch_mkey_list.
Ben Kaduk [Fri, 25 Oct 2013 17:33:23 +0000 (13:33 -0400)]
Add tests for different salt combinations
Create a principal with a pair of enctypes using different salt types.
Confirm that the non-default salt type appears only once in the principal's
key list.
Also verify that the afs3 salt type is rejected by non-DES enctypes
The afs3 salt type is for compatibility with AFS-3 kaservers, which
are roughly krb4. As such, it only makes sense for single-DES
enctypes. The PBKDF2 and arcfour enctypes correctly reject the
key-creation parameters from the afs3 salt, but triple-DES currently
does not.
Ben Kaduk [Fri, 25 Oct 2013 18:00:29 +0000 (14:00 -0400)]
Reset key-generation parameters for each enctype
In add_key_pwd, initialize s2k_params to NULL inside the loop over
enctypes instead of outside the loop, so that if the afs3 salt type
is used it does not contaminate later enctype/salt pairs in the list.
Greg Hudson [Wed, 23 Oct 2013 15:20:50 +0000 (11:20 -0400)]
Remove old master key tests
Remove tests/mkeystash_compat and tests/mk_migr. These are superseded
by t_mkey.py, with two exceptions:
tests/mk_migr included tests for password history across master key
rollovers. Historical keys are encrypted in the kadmin/history key
(which is accessed like any other key), so there isn't a specific need
to test this unless we implement #1221.
tests/mk_migr had provisions for testing master key rollover with the
LDAP KDB module. All master key logic used in the LDAP KDB module is
shared with the DB2 module in lib/kdb, so there is no specific need to
test this combination.
Greg Hudson [Wed, 23 Oct 2013 15:17:00 +0000 (11:17 -0400)]
Add master key rollover tests in k5test framework
Add a new script t_mkey.py using the k5test framework. Test the fixes
for #6507, #7685, and #7686 as well as basic functionality and
old-stashfile compatibility.
dump.16 was created by running "kdb5_util create -s -P footes" and
"kdb5_util dump dumpfile" with krb5 1.6. The key from the resulting
stash file was extracted and placed in the struct.pack() call in the
new test script.
Greg Hudson [Thu, 24 Oct 2013 16:51:18 +0000 (12:51 -0400)]
Correctly activate master keys in pre-1.7 KDBs
Starting with 1.7, databases are created with actkvno tl-data in the
K/M entry which gives the initial master key version an activation
time of 0. A database created before 1.7 will not have this tl-data,
but we should behave in the same way as we do for a more recent
database.
Move the actkvno list synthesis code from krb5_dbe_fetch_act_key_list
to krb5_dbe_lookup_actkvno so it applies to kdb5_util commands as well
as libkadm5. Synthesize the same list as we would have initialized
the KDB with, with an activation time of 0 for the earliest master
key.
Greg Hudson [Wed, 23 Oct 2013 22:56:20 +0000 (18:56 -0400)]
Don't cache active master key list in kadmind
"kdb5_util use_mkey" should not require a kadmind restart to take
effect. At the cost of fetching the K/M principal once for each key
change operation, make kadmind use the current active master key list
for each operation.
Greg Hudson [Mon, 21 Oct 2013 20:46:15 +0000 (16:46 -0400)]
Fix typos in kdb5_util master key command outputs
kdb5_util list_mkeys was beginning lines with "KNVO" instead of
"KVNO". kdb5_util purge_mkeys was displaying "follwing" instead of
"following" for both dry-run and normal cases.
Greg Hudson [Thu, 17 Oct 2013 18:02:14 +0000 (14:02 -0400)]
Fix race in util/profile/Makefile.in
$(BUILDTOP)/include/profile.h was being updated by two different
rules, which could collide with make -j. Use a dependency from
includes instead of a redundant rule.
Greg Hudson [Mon, 14 Oct 2013 22:14:00 +0000 (18:14 -0400)]
Discuss cert expiry, no-key princs in PKINIT docs
In pkinit.rst, add "-days" options to the example commands for
creating certificate and briefly discuss the issue of expiration dates
so that the administrator thinks about it. In troubleshoot.rst, add
an entry for the "certificate has expired" error which results from
PKINIT (when linked with OpenSSL) when a certificate has expired.
Greg Hudson [Mon, 14 Oct 2013 21:02:31 +0000 (17:02 -0400)]
Use protocol error for PKINIT cert expiry
If we fail to create a cert chain in cms_signeddata_create(), return
KRB5KDC_ERR_PREAUTH_FAILED, which corresponds to a protocol code,
rather than KRB5_PREAUTH_FAILED, which doesn't. This is also more
consistent with other error clauses in the same function.
Greg Hudson [Tue, 8 Oct 2013 21:07:34 +0000 (17:07 -0400)]
Fix gss_accept_sec_context error tokens
A GSS krb5 error response contains a KRB-ERROR message, which is
required to have a server principal name, although few recipients
actually use it. Starting in 1.3, accept_sec_context would fail to
encode the error in the GSS_C_NO_NAME/GSS_C_NO_CREDENTIAL case
(introduced by #1370) because cred->princ (which became
cred->name->princ in 1.8) is unset.
This problem got worse in 1.10 because we stopped setting the server
field in all cases due to the changes for #6855. In 1.11 the problem
got worse again when a misguided change to the mechglue started
discarding output tokens when the mechanism returns an error; the
mechglue should only do so when it itself causes the error.
Fix krb5 gss_accept_sec_context by unconditionally decoding the AP-REQ
and using krb5_rd_req_decoded, and then using the requested ticket
server in the KRB-ERROR message. Fix the mechglue
gss_accept_sec_context by reverting that part of commit 56feee187579905c9101b0cdbdd8c6a850adcfc9. Add a test program which
artificially induces a replay cache failure (the easiest failure we
can produce which has an associated RFC 4120 error code) and checks
that this can be communicated back to the initiator via an error
token.
Greg Hudson [Tue, 8 Oct 2013 16:35:51 +0000 (12:35 -0400)]
Add missing entries to tests/gssapi Makefile.in
Some test sources files, objects, or programs were missing from SRCS,
OBJS, all, check-pytests, or clean. t_oid was also out of order in a
couple of places.
Greg Hudson [Wed, 9 Oct 2013 17:37:17 +0000 (13:37 -0400)]
Change KRB5KDC_ERR_NO_ACCEPTABLE_KDF to 100
draft-ietf-krb-wg-pkinit-alg-agility-07 specifies
KDC_ERR_NO_ACCEPTABLE_KDF as 82, but this value conflicts with
KRB_AP_ERR_PRINCIPAL_UNKNOWN from RFC 6111. The former value has been
reassigned to 100 to fix the conflict. Use the correct value.
We believe that this error won't crop up in practice for a long time
(when SHA-2 has been superceded by other hash algorithms and people
are desupporting it), by which time implementations will mostly have
been upgraded to use the new value.
Greg Hudson [Mon, 7 Oct 2013 13:51:56 +0000 (09:51 -0400)]
Fix GSSAPI krb5 cred ccache import
json_to_ccache was incorrectly indexing the JSON array when restoring
a memory ccache. Fix it.
Add test coverage for a multi-cred ccache by exporting/importing the
synthesized S4U2Proxy delegated cred in t_s4u2proxy_krb5.c; move
export_import_cred from t_export_cred.c to common.c to facilitate
this. Make a note in t_export_cred.py that this case is covered in
t_s4u.py.
Greg Hudson [Wed, 9 Oct 2013 16:56:13 +0000 (12:56 -0400)]
Perform complete referrals in t_referral.py
t_referral.py was written to exercise KDC host referral logic, and did
not actually create the target realm, instead just looking at the
error message from gcred to determine whether the KDC returned a
referral or not. It's only a small amount of additional work to
actually set up the target realm and check that the client code
successfully retrieves the referral, so do that instead.
Since the referral and non-referral outcomes aren't all that similar
any more, split test() into testref() and testfail(). Get rid of the
message argument, since it wouldn't be output in most cases where we
get an unexpected result.
KDC Audit infrastructure and plugin implementation
Per project http://k5wiki.kerberos.org/wiki/Projects/Audit
The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.
The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges. This includes client address and port, KDC
request and request ID, KDC reply, primary and derived ticket and their
ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
validated, local policy violation and protocol constraints, and KDC status
message.
Ticket ID is introduced to allow to link tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.
Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.
For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in this implememtations.
The new Audit system is build-time enabled and run-time pluggable.
[kaduk@mit.edu: remove potential KDC crashes, minor reordering]
Ben Kaduk [Tue, 2 Jul 2013 20:02:43 +0000 (16:02 -0400)]
Use better URL for kerberos documentation
We have added a krb5-latest symlink for the latest stable release,
which is preferred to the krb5-current link (which points to a nightly
build of master).
Ben Kaduk [Fri, 28 Jun 2013 22:08:21 +0000 (18:08 -0400)]
Use new-style variable expansion for light.exe
With WiX 3.x, the preprocessor candle.exe expands variables using
$(); the linker light.exe expands localization and similar variables
using !(), though it accepts the $() form and prints a warning.
Switch to using the expected form to silence the warnings.
Ben Kaduk [Fri, 4 Oct 2013 16:58:30 +0000 (12:58 -0400)]
Remove unneeded variable enc_tkt_transited
There's no need to use an intermediate variable to initialize the
contents of enc_tkt_reply.transited.
Instead of setting each field to zero individually (and misspelling NULL),
use memset and set the one field which is being initialized to a nonzero
value explicitly.
Greg Hudson [Wed, 2 Oct 2013 21:55:28 +0000 (17:55 -0400)]
Add an internal constant-time comparison function
k5_bcmp acts similarly to the deprecated Unix bcmp() function,
returning zero if two memory regions are equal and nonzero if they are
not. It is implemented such that it should take the same amount of
time regardless of how many bytes are equal within the memory regions.
If the keyctl command is found and klist recognizes the KEYRING
credential cache type, then run several tests against keyring ccaches:
the collection test program in lib/krb5/ccache, the command-line
collection tests in tests/t_ccache.py, and some new tests to verify
legacy session cache behavior. Much of the Python code in t_ccache.py
is moved into a new function named "collection_test" so we can run it
once against a DIR collection and once against a KEYRING collection.
Also: fix a memory leak in the collection test program; add a test for
iteration when the default cache name is a subsidiary name; use a
process keyring ccache in t_cc.c to avoid leaving behind empty
collections in the session keyring after each test run.
Add support for the new anchor names persistent, user, and session.
The persistent anchor attempts to use a persistent keyring for a
specified uid, and falls back to the user keyring if it cannot; the
collection is stored at a fixed name within the persistent or user
keyring. The session anchor uses the session keyring without legacy
semantics.
For all keyring types except legacy, attempt to use the "big_key" key
type on systems which have keyctl_get_persistent. (They are
essentially unrelated features, but were added at the same time.)
This key type is stored in a kernel tmpfs and can store larger
tickets.
Since kernel commit 96b5c8fea6c0861621051290d705ec2e971963f1, new keys
created by add_key() only have VIEW permission for the user, and the
rest of the permissions require "possession," which means there is a
path from the thread, process, or session keyring to the key. For the
user and persistent anchor types, we link the collection into the
process keyring to ensure that we have a possession rights on the
collection.
Augment the KEYRING ccache type to support collection semantics
similar to those of the DIR type. For keyrings with no anchor prefix,
maintain compatibility with old code by linking the initial primary
cache directly from the session keyring and naming it after the
collection.
See http://k5wiki.kerberos.org/wiki/Projects/Keyring_collection_cache
for more information. Adapted from a patch by simo@redhat.com.
Consistently use "cache_name" and "cache_id" to talk about the name
and ID of the keyring containing the cache. In krb5_krcc_resolve, use
"residual" for the residual string as we are no longer using it for
the cache keyring name, and use "anchor_id" for the keyring identified
by the prefix to make it clear that it is not the cache keyring.
If we resolve a KEYRING cache and the key does not exist, wait until
initialize time to create it, to avoid wasting precious kernel memory
on a cache which might not ever be created. Properly error out if
store_cred or start_seq_get is called on an uninitialized cache, as we
would for a FILE cache.
If kinit chooses a client principal based on anything other than the
current default ccache's principal name, apply collection rules if
possible. When applying collection rules, if we don't find an
existing cache for the client principal, use the default cache if it
is uninitialized, instead of creating a new one.
In kdc_check_transited_list, consult the KDB module first. If it
succeeds, treat this as authoritative and do not use the core
transited mechanisms. Modules can return KRB5_PLUGIN_NO_HANDLE to
fall back to core mechanisms.
Create a new test program in lib/krb5/ccache named t_cccol.c which
verifies collection semantics using the API. Run it with an empty DIR
collection in t_cccol.py.
Err codes in KRB_ERROR protocol messages are < 128
If the error code is out of [0,127] range, assign it to KRB_ERR_GENERIC.
This fix is to correct the previous behavior with [0,128] range.
For more information see krb5_err.et
Add gss_get_mic_iov, gss_get_mic_iov_length, and gss_verify_mic_iov
functions, which work similarly to the corresponding IOV wrap
functions. Add a new buffer type GSS_IOV_BUFFER_TYPE_MIC_TOKEN for
the destination buffer.
Most of the internal code for this was already present, and just
needed to be fixed up and adjusted to use the new buffer type for the
MIC token.
This flag was introduced in the mskrb-integ merge but is not actually
used after r21742--while kg_unseal_iov_token sets it in vfyflags for
DCE-style contexts, it doesn't actually pass vfyflags to
g_verify_token_header or otherwise use it. Moreover, the flag is not
necessary there; we correctly set input_length to the header length
(without data, padding, or trailer) for v1 tokens in a DCE-style
context.
Add a new test program t_iov.c which tests various combinations of
wrapping and unwrapping using the IOV and AEAD interfaces. Run it
with and without SPNEGO in each enctype configuration.
Add a new helper to common.c which runs gss_init_sec_context and
gss_accept_sec_context in a loop, and use it in test programs instead
of the open-coded one-token or two-token exchanges.
If dns_canonicalize_hostname is set to false in [libdefaults],
krb5_sname_to_principal will not canonicalize the hostname using
either forward or reverse lookups.
Greg Hudson [Fri, 30 Aug 2013 16:19:44 +0000 (12:19 -0400)]
Stop modifying TGS requests for referrals
It is no longer necessary to modify request->server when we receive a
referral. The uses of request->server break down as follows:
* Matching against previously issued tickets (e.g. for renewals). We
now explicitly disallow referrals for requests where we need to do
that.
* Using only the realm (e.g. for transited checking). Referrals are
cross-realm TGS entries within the same realm as the requested
server principal, so this does not change.
* Comparing to a local TGS principal (for restrict_anonymous_to_tgt
enforcement). Local TGS principals are not treated as referrals, so
the sense of this comparison will not change if we use the original
request.
* Setting the sname and realm fields of a KRB-ERROR response. RFC
4120 and 6806 do not specify what we should put here for referrals
or aliases and we are not aware of any uses of this field by
clients, so putting the requested server principal here should be
okay.
Greg Hudson [Fri, 30 Aug 2013 16:14:00 +0000 (12:14 -0400)]
Explicitly prevent referrals for certain requests
For ticket modification requests (such as renewals), u2u requests, and
S4U2Self requests, the requested server principal is expected to match
a previously issued ticket. If that principal no longer exists, we
must fail the request; we cannot issue a referral. We are currently
doing that by rewriting request->server to the referral principal,
which causes the match against the ticket to fail. Since we would
like to stop modifying the request, we must explicitly prevent
referrals in these cases.
We don't find out whether a request is S4U2Self until after we've
looked up the server principal, so for now we have to make a
retroactive check for a referral after calling
kdc_process_s4u2self_req.
Greg Hudson [Thu, 29 Aug 2013 22:17:29 +0000 (18:17 -0400)]
Tighten up referral recognition in KDC TGS code
In do_tgs_req(), treat the search_sprinc() result as a referral only
if it is a cross-TGS principal and it doesn't match the requested
server principal. This change fixes two corner cases: (1) when a
client requests a cross-realm TGT, we won't squash the name type in
the response; and (2) if we are serving multiple realms out of the
same KDB, we will properly handle aliases to any local-realm TGT, not
just the one for the configured realm name.
Greg Hudson [Sat, 31 Aug 2013 15:46:58 +0000 (11:46 -0400)]
Fix FAST critical option bit checking
The FAST option bits 0-15 are intended to be critical--if they are
present and a KDC does not support them, the KDC is supposed to fail
the request. Because of an incorrect constant, we were erroneously
recognizing bits 24-31 as critical. Fix the constant.
Greg Hudson [Sat, 31 Aug 2013 15:45:48 +0000 (11:45 -0400)]
Support FAST hide-client-names option
In the KDC, if we see the hide-client-names option, identify the
client as the anonymous principal in KDC-REP and KRB-ERROR responses.
The actual client name is present in encrypted FAST elements.
Greg Hudson [Thu, 29 Aug 2013 15:15:02 +0000 (11:15 -0400)]
Make it possible to renew aliased service tickets
We always allow aliases in the service principal when processing
AS-REQs and TGS-REQs. If the ticket we issued is presented back to us
in a TGS-REQ as a header ticket for renewal or similar, we should
allow aliases when looking up its key to decode the AP-REQ.
Greg Hudson [Thu, 29 Aug 2013 13:07:57 +0000 (09:07 -0400)]
Don't change realm in find_alternate_tgs
If a client makes a TGS request for a cross-realm TGS within a
different realm from the one we normally serve (e.g. the KDC realm is
X, and a client makes a TGS request for the server krbtgt/Y@Z), look
for alternate TGS principals within the requested server realm, not
the realm we normally serve.
This change shouldn't break any working well-formed TGS requests,
because changing the realm would trigger a failure in check_tgs_tgt.
It may fix some corner cases when multiple realms are served out of
the same KDB. But primarily, this change makes referrals and aliases
easier to reason about, by eliminating a case where server->princ has
a different realm from request->server after the call to
search_sprinc().
Greg Hudson [Wed, 28 Aug 2013 22:39:55 +0000 (18:39 -0400)]
Don't treat local krbtgt principal as referral
If we look up a principal and in the KDB and get back the local TGS
principal, the KDC should treat this as an alias, not a referral, and
should therefore issue a ticket for the requested principal rather the
canonical name.
Greg Hudson [Wed, 28 Aug 2013 16:11:40 +0000 (12:11 -0400)]
Fix KDC reply service principal for aliases
If a client requests a service ticket for the alias of a service
principal, RFC 6806 section 6 requires that the KDC issue a ticket
which appears to be for the alias and not for the canonical name.
After calling search_sprinc(), only replace request->server with
server->princ if the latter is a TGT; this will be the case for an
alternate cross-realm TGT or a host referral, but not for a simple
service alias.
Greg Hudson [Tue, 27 Aug 2013 16:23:12 +0000 (12:23 -0400)]
Clarify flag handling in dump.c
Get rid of "flags" bitfields and just use boolean values, to make the
internal contracts for dump and load functions more precise. Rename
"add_update" to "iprop_load" and reverse its sense.
Greg Hudson [Mon, 26 Aug 2013 19:12:56 +0000 (15:12 -0400)]
Update ulog state after promoting DB when loading
If we are doing a full load, do not touch the ulog header until after
we promote the temporary DB to live. This avoids the same bugs as the
#7588 fix, but more robustly. Based on a patch from Richard Basch.
Greg Hudson [Tue, 20 Aug 2013 00:01:03 +0000 (20:01 -0400)]
Omit signedpath if no_auth_data_required is set
The no_auth_data_required bit was introduced to suppress PACs in
service tickets when the back end supports them. Make it also
suppress AD-SIGNEDPATH, so that the ~70-byte expansion of the ticket
can be avoided for services which aren't going to do constrained
delegation.
Simo Sorce [Fri, 9 Aug 2013 00:10:56 +0000 (20:10 -0400)]
Simplify krb5_krcc_start_seq_get
This code can be simplified (and a potential race avoided) by using
keyctl_read_alloc() and letting it allocate the necessary memory.
This also allows to remove a helper function that is not used anymore
as well as make the code more readable. The only penalty is that we
have two allocations instad of one.
Simo Sorce [Thu, 8 Aug 2013 23:52:46 +0000 (19:52 -0400)]
Remove unused counter in keyring ccache
numkeys is never really used in the single cache data structure.
Every time a new iteration is started, numkeys is recalculated anyway,
and then only the copy held in the cursor is used. Remove it from the
cache data and keep it only in the cursor.
Simo Sorce [Wed, 7 Aug 2013 21:47:16 +0000 (17:47 -0400)]
Save the full residual for keyring caches
krb5_cc_get_name() should allow the caller to reconstruct the full
cache name. That is not possible if thread: and process: are omitted
here. (The saved name is not used by anything except
krb5_krcc_get_name, so this change is safe.)
[ghudson@mit.edu: proofread and clarified commit message]
Simo Sorce [Fri, 2 Aug 2013 21:53:27 +0000 (17:53 -0400)]
Use dry-run unparses in keyring ccache
Support credentials larger than 4K in cc_keyring.c by calculating the
payload size in one pass, allocating a buffer of precisely the right
size, and then unparsing into that buffer.
[ghudson@mit.edu: squashed two commits; rewrote message; added length
field instead of doing pointer arithmetic on null pointers; used
proper English comments and clarified what code they apply to.]
Greg Hudson [Mon, 5 Aug 2013 20:10:10 +0000 (16:10 -0400)]
Add hostrealm interface tests
Create a test module for the hostrealm interface, a harness to call
the realm mapping functions and display their results, and a Python
script to exercise the functionality of the interface and each module
(except the dns module, which we cannot easily test since it relies on
TXT records in the public DNS).
Greg Hudson [Mon, 5 Aug 2013 19:57:29 +0000 (15:57 -0400)]
Use hostrealm interface for realm mapping
Reimplement krb5_get_host_realm, krb5_get_fallback_host_realm, and
krb5_get_default_realm in terms of the hostrealm interface. Three
built-in modules (dns, domain, and profile) implement the current
behavior.
Ben Kaduk [Wed, 14 Aug 2013 19:47:03 +0000 (15:47 -0400)]
Remove KRB5_DNS_LOOKUP_KDC
It has been unconditionally activated by all supported build systems
for almost two years, and no complaints or issues have been reported.
In particular, aclocal.m4 has had an unconditional AC_DEFINE() since 3d708e55 in 2003, and win-pre.in has unconditionally set KRB5_USE_DNS_KDC
since 17ffebf7 in 2011.
While here, simplify some other DNS conditionals in win-pre.in where
only one branch was ever taken.
Ben Kaduk [Mon, 12 Aug 2013 17:47:42 +0000 (13:47 -0400)]
Remove redundant domain_realm mappings
This fixes a long-standing documentation bug where we claimed that
a domain_realm mapping for a host name would not affect entries
under that domain name. The code has always had the behavior where
a host name mapping implies the corresponding domain name mapping,
since the 1.0 release.
While here, replace media-lab with csail in example files, as the
media lab realm is no longer in use. Also strip port 88 from KDC
specifications, and drop the harmful default_{tgs,tkt}_enctypes
lines from src/util/profile/krb5.conf.
Further cleanup on these files to remove defunct realms may be in order.
Greg Hudson [Mon, 12 Aug 2013 18:29:28 +0000 (14:29 -0400)]
Add trace logging for TXT lookups
Rename krb5_try_realm_txt_rr (an internal function despite the name)
and add a context parameter. Generate trace logs when we successfully
look up a record and when a record is not found.
Greg Hudson [Tue, 6 Aug 2013 03:47:52 +0000 (23:47 -0400)]
Fix gss_krb5_set_allowable_enctypes for acceptor
The acceptor implementation of gss_krb5_set_allowable_enctypes (added
in 1.9.1) is intended to restrict the acceptor subkey negotiated by
krb5_rd_req(). It uses the same approach as the initiator, calling
krb5_set_default_tgs_enctypes on the context. This has the unwanted
side effect of restricting the encryption key of the ticket, because
krb5_decrypt_tkt_part has checked krb5_is_permitted_enctype on the
ticket encryption key since 1.8.
Instead, use krb5_auth_con_setpermetypes on the auth context. This
list is only used for session key enctype negotiation. Also add
automated tests to verify that gss_krb5_set_allowable_enctypes works
as desired.
projects / thirdparty / krb5.git / log
