Greg Hudson [Fri, 30 Aug 2013 16:14:00 +0000 (12:14 -0400)]
Explicitly prevent referrals for certain requests
For ticket modification requests (such as renewals), u2u requests, and
S4U2Self requests, the requested server principal is expected to match
a previously issued ticket. If that principal no longer exists, we
must fail the request; we cannot issue a referral. We are currently
doing that by rewriting request->server to the referral principal,
which causes the match against the ticket to fail. Since we would
like to stop modifying the request, we must explicitly prevent
referrals in these cases.
We don't find out whether a request is S4U2Self until after we've
looked up the server principal, so for now we have to make a
retroactive check for a referral after calling
kdc_process_s4u2self_req.
Greg Hudson [Thu, 29 Aug 2013 22:17:29 +0000 (18:17 -0400)]
Tighten up referral recognition in KDC TGS code
In do_tgs_req(), treat the search_sprinc() result as a referral only
if it is a cross-TGS principal and it doesn't match the requested
server principal. This change fixes two corner cases: (1) when a
client requests a cross-realm TGT, we won't squash the name type in
the response; and (2) if we are serving multiple realms out of the
same KDB, we will properly handle aliases to any local-realm TGT, not
just the one for the configured realm name.
Greg Hudson [Sat, 31 Aug 2013 15:46:58 +0000 (11:46 -0400)]
Fix FAST critical option bit checking
The FAST option bits 0-15 are intended to be critical--if they are
present and a KDC does not support them, the KDC is supposed to fail
the request. Because of an incorrect constant, we were erroneously
recognizing bits 24-31 as critical. Fix the constant.
Greg Hudson [Sat, 31 Aug 2013 15:45:48 +0000 (11:45 -0400)]
Support FAST hide-client-names option
In the KDC, if we see the hide-client-names option, identify the
client as the anonymous principal in KDC-REP and KRB-ERROR responses.
The actual client name is present in encrypted FAST elements.
Greg Hudson [Thu, 29 Aug 2013 15:15:02 +0000 (11:15 -0400)]
Make it possible to renew aliased service tickets
We always allow aliases in the service principal when processing
AS-REQs and TGS-REQs. If the ticket we issued is presented back to us
in a TGS-REQ as a header ticket for renewal or similar, we should
allow aliases when looking up its key to decode the AP-REQ.
Greg Hudson [Thu, 29 Aug 2013 13:07:57 +0000 (09:07 -0400)]
Don't change realm in find_alternate_tgs
If a client makes a TGS request for a cross-realm TGS within a
different realm from the one we normally serve (e.g. the KDC realm is
X, and a client makes a TGS request for the server krbtgt/Y@Z), look
for alternate TGS principals within the requested server realm, not
the realm we normally serve.
This change shouldn't break any working well-formed TGS requests,
because changing the realm would trigger a failure in check_tgs_tgt.
It may fix some corner cases when multiple realms are served out of
the same KDB. But primarily, this change makes referrals and aliases
easier to reason about, by eliminating a case where server->princ has
a different realm from request->server after the call to
search_sprinc().
Greg Hudson [Wed, 28 Aug 2013 22:39:55 +0000 (18:39 -0400)]
Don't treat local krbtgt principal as referral
If we look up a principal and in the KDB and get back the local TGS
principal, the KDC should treat this as an alias, not a referral, and
should therefore issue a ticket for the requested principal rather the
canonical name.
Greg Hudson [Wed, 28 Aug 2013 16:11:40 +0000 (12:11 -0400)]
Fix KDC reply service principal for aliases
If a client requests a service ticket for the alias of a service
principal, RFC 6806 section 6 requires that the KDC issue a ticket
which appears to be for the alias and not for the canonical name.
After calling search_sprinc(), only replace request->server with
server->princ if the latter is a TGT; this will be the case for an
alternate cross-realm TGT or a host referral, but not for a simple
service alias.
Greg Hudson [Tue, 27 Aug 2013 16:23:12 +0000 (12:23 -0400)]
Clarify flag handling in dump.c
Get rid of "flags" bitfields and just use boolean values, to make the
internal contracts for dump and load functions more precise. Rename
"add_update" to "iprop_load" and reverse its sense.
Greg Hudson [Mon, 26 Aug 2013 19:12:56 +0000 (15:12 -0400)]
Update ulog state after promoting DB when loading
If we are doing a full load, do not touch the ulog header until after
we promote the temporary DB to live. This avoids the same bugs as the
#7588 fix, but more robustly. Based on a patch from Richard Basch.
Greg Hudson [Tue, 20 Aug 2013 00:01:03 +0000 (20:01 -0400)]
Omit signedpath if no_auth_data_required is set
The no_auth_data_required bit was introduced to suppress PACs in
service tickets when the back end supports them. Make it also
suppress AD-SIGNEDPATH, so that the ~70-byte expansion of the ticket
can be avoided for services which aren't going to do constrained
delegation.
Simo Sorce [Fri, 9 Aug 2013 00:10:56 +0000 (20:10 -0400)]
Simplify krb5_krcc_start_seq_get
This code can be simplified (and a potential race avoided) by using
keyctl_read_alloc() and letting it allocate the necessary memory.
This also allows to remove a helper function that is not used anymore
as well as make the code more readable. The only penalty is that we
have two allocations instad of one.
Simo Sorce [Thu, 8 Aug 2013 23:52:46 +0000 (19:52 -0400)]
Remove unused counter in keyring ccache
numkeys is never really used in the single cache data structure.
Every time a new iteration is started, numkeys is recalculated anyway,
and then only the copy held in the cursor is used. Remove it from the
cache data and keep it only in the cursor.
Simo Sorce [Wed, 7 Aug 2013 21:47:16 +0000 (17:47 -0400)]
Save the full residual for keyring caches
krb5_cc_get_name() should allow the caller to reconstruct the full
cache name. That is not possible if thread: and process: are omitted
here. (The saved name is not used by anything except
krb5_krcc_get_name, so this change is safe.)
[ghudson@mit.edu: proofread and clarified commit message]
Simo Sorce [Fri, 2 Aug 2013 21:53:27 +0000 (17:53 -0400)]
Use dry-run unparses in keyring ccache
Support credentials larger than 4K in cc_keyring.c by calculating the
payload size in one pass, allocating a buffer of precisely the right
size, and then unparsing into that buffer.
[ghudson@mit.edu: squashed two commits; rewrote message; added length
field instead of doing pointer arithmetic on null pointers; used
proper English comments and clarified what code they apply to.]
Greg Hudson [Mon, 5 Aug 2013 20:10:10 +0000 (16:10 -0400)]
Add hostrealm interface tests
Create a test module for the hostrealm interface, a harness to call
the realm mapping functions and display their results, and a Python
script to exercise the functionality of the interface and each module
(except the dns module, which we cannot easily test since it relies on
TXT records in the public DNS).
Greg Hudson [Mon, 5 Aug 2013 19:57:29 +0000 (15:57 -0400)]
Use hostrealm interface for realm mapping
Reimplement krb5_get_host_realm, krb5_get_fallback_host_realm, and
krb5_get_default_realm in terms of the hostrealm interface. Three
built-in modules (dns, domain, and profile) implement the current
behavior.
Ben Kaduk [Wed, 14 Aug 2013 19:47:03 +0000 (15:47 -0400)]
Remove KRB5_DNS_LOOKUP_KDC
It has been unconditionally activated by all supported build systems
for almost two years, and no complaints or issues have been reported.
In particular, aclocal.m4 has had an unconditional AC_DEFINE() since 3d708e55 in 2003, and win-pre.in has unconditionally set KRB5_USE_DNS_KDC
since 17ffebf7 in 2011.
While here, simplify some other DNS conditionals in win-pre.in where
only one branch was ever taken.
Ben Kaduk [Mon, 12 Aug 2013 17:47:42 +0000 (13:47 -0400)]
Remove redundant domain_realm mappings
This fixes a long-standing documentation bug where we claimed that
a domain_realm mapping for a host name would not affect entries
under that domain name. The code has always had the behavior where
a host name mapping implies the corresponding domain name mapping,
since the 1.0 release.
While here, replace media-lab with csail in example files, as the
media lab realm is no longer in use. Also strip port 88 from KDC
specifications, and drop the harmful default_{tgs,tkt}_enctypes
lines from src/util/profile/krb5.conf.
Further cleanup on these files to remove defunct realms may be in order.
Greg Hudson [Mon, 12 Aug 2013 18:29:28 +0000 (14:29 -0400)]
Add trace logging for TXT lookups
Rename krb5_try_realm_txt_rr (an internal function despite the name)
and add a context parameter. Generate trace logs when we successfully
look up a record and when a record is not found.
Greg Hudson [Tue, 6 Aug 2013 03:47:52 +0000 (23:47 -0400)]
Fix gss_krb5_set_allowable_enctypes for acceptor
The acceptor implementation of gss_krb5_set_allowable_enctypes (added
in 1.9.1) is intended to restrict the acceptor subkey negotiated by
krb5_rd_req(). It uses the same approach as the initiator, calling
krb5_set_default_tgs_enctypes on the context. This has the unwanted
side effect of restricting the encryption key of the ticket, because
krb5_decrypt_tkt_part has checked krb5_is_permitted_enctype on the
ticket encryption key since 1.8.
Instead, use krb5_auth_con_setpermetypes on the auth context. This
list is only used for session key enctype negotiation. Also add
automated tests to verify that gss_krb5_set_allowable_enctypes works
as desired.
Ben Kaduk [Fri, 26 Jul 2013 22:30:44 +0000 (18:30 -0400)]
Update config.guess and config.sub
Copy in the latest config.guess and config.sub from upstream git
master as of 2013-07-26 (revision 79c4c50fc754d742286706b4db5ed8ce2a0de925).
Our previous version didn't recognize arm64.
kdb5_util update_princ_encryption iterates over the KDB and writes
modified entries. With the DB2 back end, the first write operation
has to upgrade the lock and reopen the DB, which resets the cursor
state. Take out an explicit write lock before iterating to avoid this
step.
When putting together the set of identity prompts for a responder
challenge, if we don't need a PIN or password of some kind, don't ask
an empty question.
[ghudson@mit.edu: squashed commits, modified commit message, merged
PKCS11 test with current Python script]
Simo Sorce [Sat, 20 Jul 2013 17:20:43 +0000 (13:20 -0400)]
Load import/export cred functions from GSS modules
When the import/export credential feature was implement the related
functions were added to struct gss_config, but the initialization
function that dynamically loads modules was not changed to see if
the plugin being loaded provided such functions.
This will allow non-builtin mechanism and interposer mechanism to
implement custom import/export credential extensions if they wish.
Simo Sorce [Sat, 20 Jul 2013 17:19:19 +0000 (13:19 -0400)]
Load cred store functions from GSS modules
When the credential store feature was implement the related functions
were added to struct gss_config, but the initialization function that
dynamically loads modules was not changed to see if the plugin being
loaded provided such functions.
This will allow non-builtin mechanism and interposer mechanism to
implement custom credential store extensions if they wish.
Don't create a bunch of identically configured realms; just reuse the
same one. Remove a redundant assignment from the soft-pkcs11.so
check. Move the pkinit_identity setting from krb5.conf to kdc.conf,
since it's only used by the KDC. Add a test for trying anonymous
PKINIT when it isn't configured. Check for a specific error message
when testing restricted anonymous PKINIT.
Before we test authenticated PKINIT, slip in a test to check that
password-based preauthentication still works when the KDC is offering
PKINIT, but the client has no PKINIT credentials.
Add tests for PKINIT using responder functionality
We now also test that the PKINIT challenge looks like we expect it to
look, that PKINIT fails if we don't provide a response or a prompter
callback, and that PKINIT succeeds with a response provided using either
the raw responder API or the PKINIT responder functions.
One thing that we don't check is which specific error code we get when
PKINIT fails: the OpenSSL and NSS versions return different error codes
(some mixture of EIO, ENOMEM, ENOENT, and KRB5KDC_ERR_PREAUTH_FAILED)
when they encounter trouble loading client credentials.
Add wrappers for the JSON-oriented APIs for PKINIT responder items,
modeled after the API we provide for OTP items:
* krb5_responder_pkinit_get_challenge() returns the list of
identities for which we need PINs
* krb5_responder_pkinit_challenge_free() frees the structure that
was returned by krb5_responder_pkinit_get_challenge()
* krb5_responder_pkinit_set_answer() sets the answer to the PIN for
one of the identities
[ghudson@mit.edu: style cleanup; added comment pointing to main body
of PKINIT module]
Nalin Dahyabhai [Fri, 28 Jun 2013 21:12:39 +0000 (17:12 -0400)]
Support PKINIT OpenSSL deferred identity prompting
Add a password to the set of things that we can pass to a PEM password
callback and the function we use for loading PKCS12 bundles. If we're
meant to defer identity prompts, just store the name of the identity
which we're loading. Otherwise, if we're passed a password, use it.
Otherwise, use the prompter callback.
Add a password to the set of things that we can pass to the function
that we use for logging in to PKCS11 tokens, too, but if we're deferring
identity prompts, just return the identity name without doing anything
else. If not, and we're passed a password, use that. Otherwise, try to
use the prompter callback to get one.
The password callback which we usually supply to NSS already gets a
pointer to the pkinit_identity_crypto_context structure, but it needs to
be passed the name of the identity for which it's being called.
If it gets a name, and it's deferring prompting, just add the identity
to the list of deferred identity prompts (the password callback wouldn't
have been called if its result wasn't needed), and either return NULL
(as an indication that we couldn't get a password) or an empty string (a
value which we know is invalid) if that's handier.
Otherwise, check for a password that's been stashed for its use for that
identity, and return a copy of it if one's found. If none of that
works, try to use the prompter callback to ask for the password.
Use the list of deferred identity prompts and warnings, which we have
after calling pkinit_identity_initialize(), to build a list of questions
to supply to responder callbacks.
Before calling pkinit_identity_prompt() to actually load identities that
are protected, save any passwords and PINs which a responder callback
may have supplied.
Because pkinit_client_prep_questions() can be called multiple times, and
we don't want to try to load all of our identities each of those times,
take some steps to ensure that we only call pkinit_identity_initialize()
and pkinit_identity_prompt() once per request.
Nalin Dahyabhai [Fri, 28 Jun 2013 21:12:39 +0000 (17:12 -0400)]
Add support for PKINIT deferring identity prompts
Learn to manage a list of deferred identities, for which we want to
prompt for passwords or PINs, in pkinit_identity_crypto_context
structures, along with their associated token flags. These are opaque
outside of pkinit_crypto_openssl and pkinit_crypto_nss, so both
implementations need to provide wrapper functions that can be called
from elsewhere in the module to populate and query the lists.
Nalin Dahyabhai [Fri, 28 Jun 2013 21:12:39 +0000 (17:12 -0400)]
Split pkinit_identity_initialize into two phases
Split part of pkinit_identity_initialize() into a second piece named
pkinit_identity_prompt(). Have each piece pass a new boolean flag to
crypto_load_certs() to indicate if it should defer prompting for a
password/PIN for client identities that require one. If the flag isn't
set, then crypto_load_certs() should attempt to use a responder-supplied
value, or call the prompter if there isn't one.
If cb->get_string returns 0 with no result in otp_edata, make sure we
set retval to avoid sending an empty OTP hint. If cb->get_string
returns an error code in otp_verify, avoid masking that code.
Add kadmin support for "addprinc -nokey", which creates a principal
with no keys, and "purgekeys -all", which deletes all keys from a
principal. The KDC was modified by #7630 to support principals
without keys.
When we allocate space for an array of key_data structures, make sure
we allocate at least one, so we don't spuriously fail on platforms
where malloc(0) returns NULL. Where we use malloc, use k5calloc
instead. Where we use krb5_db_alloc or realloc, just allocate an
extra entry.
When walking the cache, if we skip a cred because it's a config entry,
make sure to free it. Also free the result of krb5_cc_get_principal.
Based on a patch from Nalin Dahyabhai.
The stacks of certificates and CRLs that we retrieve from CMS objects
include newly-owned references to the certificates and CRLs, so when we
go to free them, we need to remember to free those.
[ghudson@mit.edu: minor formatting change; removed unrelated style fix]
We've never used sigwait() before, and it has some problems on Solaris
10 (a nonconformant prototype by default, and experimentally it didn't
seem to work correctly with _POSIX_PTHREAD_SEMANTICS defined). Use a
pipe instead. Make t_daemon.py less chatty on stdout to avoid filling
the pipe buffer.
Letting calloc() do multiplication helps avoid overflow bugs, so
provide an internal k5calloc() helper which accepts both calloc
arguments, and reimplement k5alloc() in terms of it.
Reorder (and trim) the imports in t_otp.py so that k5test is pulled in
before we try to import pyrad and multiprocessing. Otherwise
success() isn't defined in the case where we decide to skip the entire
test script.
This plugin implements the proposal for providing OTP support by
proxying requests to RADIUS. Details can be found inside the
provided documentation as well as on the project page.
The new library libkrad provides code for the parsing of RADIUS packets
as well as client implementation based around libverto. This library
should be considered unstable.
The previous commit updated the header file references for 1.12 in the
clpreauth and kdcpreauth plugin interface documentation. Add a
parenthetical so that the reference is still useful for prior
releases.
Tom Yu [Fri, 21 Jun 2013 21:58:25 +0000 (17:58 -0400)]
KDC null deref due to referrals [CVE-2013-1417]
An authenticated remote client can cause a KDC to crash by making a
valid TGS-REQ to a KDC serving a realm with a single-component name.
The process_tgs_req() function dereferences a null pointer because an
unusual failure condition causes a helper function to return success.
While attempting to provide cross-realm referrals for host-based
service principals, the find_referral_tgs() function could return a
TGS principal for a zero-length realm name (indicating that the
hostname in the service principal has no known realm associated with
it).
Subsequently, the find_alternate_tgs() function would attempt to
construct a path to this empty-string realm, and return success along
with a null pointer in its output parameter. This happens because
krb5_walk_realm_tree() returns a list of length one when it attempts
to construct a transit path between a single-component realm and the
empty-string realm. This list causes a loop in find_alternate_tgs()
to iterate over zero elements, resulting in the unexpected output of a
null pointer, which process_tgs_req() proceeds to dereference because
there is no error condition.
Add an error condition to find_referral_tgs() when
krb5_get_host_realm() returns an empty realm name. Also add an error
condition to find_alternate_tgs() to handle the length-one output from
krb5_walk_realm_tree().
The vulnerable configuration is not likely to arise in practice.
(Realm names that have a single component are likely to be test
realms.) Releases prior to krb5-1.11 are not vulnerable.
Ben Kaduk [Fri, 28 Jun 2013 16:08:13 +0000 (12:08 -0400)]
Update windows README for VS2012/Windows SDK 8
The Windows SDK 8 dropped the command-line build environment, so
provide instructions for building with the Visual Studio (2012)
command-line build environment.
Ben Kaduk [Wed, 26 Jun 2013 20:30:41 +0000 (16:30 -0400)]
Require Windows Installer 4.5 or higher
As advised by the VC 11 merge modules.
Windows Installer 4.5 requires Windows Server 2008, Windows Vista, Windows XP
with Service Pack 2 (SP2) and later, or Windows Server 2003 with Service
Pack 1 (SP1) and later. I believe we already enforce these restrictions
manually elsewhere, so this should not restrict our set of valid target
machines.
Greg Hudson [Fri, 14 Jun 2013 19:28:06 +0000 (15:28 -0400)]
Add tests for pwqual modules and plugin ordering
Create a test module for the pwqual interface, and script to exercise
the built-in and test modules through kadmin.local. Also create a
test harness to display the order of pwqual modules for the current
configuration, and use it to test the plugin module ordering
guarantees.
Greg Hudson [Fri, 14 Jun 2013 05:33:26 +0000 (01:33 -0400)]
Provide plugin module ordering guarantees
Rewrite the plugin internals so that modules have a well-defined
order--either the order of enable_only tags, or dynamic modules
followed by the built-in modules in order of registration.
Viktor Dukhovni [Tue, 25 Jun 2013 16:27:42 +0000 (12:27 -0400)]
Fix spin loop reading from KDC TCP socket
In the k5_sendto code for reading from a TCP socket, detect
end-of-stream when reading the length. Otherwise we can get stuck in
an infinite loop of poll() and read().
Greg Hudson [Sun, 16 Jun 2013 20:42:00 +0000 (16:42 -0400)]
Fix timing edge cases in t_renew.py
When we are testing maximum renewable lifetimes, the KDC might process
the request at a later time than the request time (typically by no
more than one second). So we need to ask for a ticket lifetime longer
than the maximum renewable lifetime, not equal to it, or we risk
getting a just-barely-renewable ticket instead of a non-renewable one.
Also fix a couple of typos in comments.
Greg Hudson [Thu, 13 Jun 2013 15:06:23 +0000 (11:06 -0400)]
Fix sentinel position in sample u2u server
Print "Server started" after calling listen(), or there wil be a race
where the client tries to connect before there is a listen queue and
gets ECONNREFUSED.
Greg Hudson [Thu, 6 Jun 2013 18:44:30 +0000 (14:44 -0400)]
Refactor KDC renewable ticket handling
Create a new helper to compute the renewable lifetime for AS and TGS
requests. This has some minor behavior differences:
* We only issue a renewable ticket if the renewable lifetime is greater
than the normal ticket lifetime.
* We give RENEWABLE precedence over RENEWABLE-OK in determining the
requested renewable lifetime, instead of sometimes doing the
reverse.
* We use the client's maximum renewable life for TGS requests if we
have looked up its DB entry.
* Instead of rejecting requests for renewable tickets (if the client
or server principal doesn't allow it, or a TGS request's TGT isn't
renewable), issue non-renewable tickets.
Greg Hudson [Sun, 2 Jun 2013 05:22:38 +0000 (01:22 -0400)]
Use KDC clock skew for AS-REQ timestamps
Calculate request timestamps each time we encode a request, and use
the adjusted current time when calculating them, including adjustments
resulting from preauth-required errors early in the AS exchange.
As a side effect, this reverts one of the changes in commit 37b0e55e21926c7875b7176e24e13005920915a6 (#7063); we will once again
use the time adjustment from any ccache we read before the AS
exchange, if we don't have a more specific adjustment from a
preauth-required error.
Greg Hudson [Sun, 2 Jun 2013 04:31:04 +0000 (00:31 -0400)]
Refactor AS-REQ nonce and timestamp handling
Create helper functions to set the request nonce and to set the
request timestamp. Don't bother picking a nonce in
restart_init_creds_loop since we will just pick a new one in
init_creds_step_request. Create a library-internal function to get
the current time with possible adjustment from a preauth-required
error. Only set ctx->request_time in one place (just before encoding
each request). Remove unused parameters from stash_as_reply.
projects / thirdparty / krb5.git / log
