Greg Hudson [Sun, 13 May 2012 17:15:34 +0000 (13:15 -0400)]
Avoid extern inline in asn1buf.h
Avoid using extern inline in asn1buf.h, as there are two conflicting
sets of semantics (gnu89's and C99's). gcc defaults to the gnu89
semantics, which we were using, while clang defines __GNUC__ but
defaults to the C99 semantics. To simplify things, use static inline
instead, like we do in k5-int.h.
Greg Hudson [Sun, 13 May 2012 17:12:06 +0000 (13:12 -0400)]
Don't stomp minor code in spnego_gss_acquire_cred
When spnego_gss_acquire_cred passes through a failure status from the
mechglue, it overwrites the minor code with a call to
gss_release_oid_set(). Use a temporary minor status for that and a
related call.
Greg Hudson [Sat, 12 May 2012 16:54:06 +0000 (12:54 -0400)]
Null-terminate components of parsed principals
The rewritten krb5_parse_name didn't null-terminate components or
realms of principals, while the old one did. Fix the new one to do so
as well.
This means KRB5_PRINCIPAL_PARSE_IGNORE_REALM allocates one byte for
the realm instead of leaving it as empty_data(), so we need to free
the realm in build_in_tkt_name() before copying in the client realm.
Greg Hudson [Fri, 11 May 2012 18:07:30 +0000 (18:07 +0000)]
Omit start time in common AS requests
MIT and Heimdal KDCs ignore the start time for non-postdated ticket
requests, but AD yields an error if the start time is in the KDC's
future, defeating the kdc_timesync option. Omit the start time if the
caller did not specify a start time offset.
This change reenables the client check for too much clock skew in the
KDC reply in the non-timesync configuration. That check had been
unintentionally suppressed since the introduction of the
get_init_creds interfaces. Adjust the t_skew test script to expect
the new error behavior.
Code changes from stefw@gnome.org with slight modifications.
Greg Hudson [Thu, 10 May 2012 17:34:14 +0000 (17:34 +0000)]
Avoid requiring default realm for in_tkt_service
Use the new KRB5_PRINCIPAL_PARSE_IGNORE_REALM flag when parsing
in_tkt_service arguments in get_init_cred functions, since we're going
to overwrite the realm anyway.
Greg Hudson [Thu, 10 May 2012 17:34:10 +0000 (17:34 +0000)]
Add krb5_parse_name flag to ignore realm
The flag KRB5_PRINCIPAL_PARSE_IGNORE_REALM causes krb5_parse_name to
return the principal with an empty realm whether or not a realm is
present in the name.
Greg Hudson [Thu, 10 May 2012 17:34:07 +0000 (17:34 +0000)]
Rewrite krb5_parse_name
krb5_parse_name started out a bit unwieldy, and has become more so
with the introduction of flags. Rewrite it using two passes (allocate
and fill), each broken out into its own helper, and a wrapper which
handles the realm flags.
Greg Hudson [Wed, 9 May 2012 17:55:27 +0000 (17:55 +0000)]
Constify get_init_creds string input params
The get_init_creds functions take read-only string input parameters
for passwords and initial ticket services. Make these const char *
parameters instead of just char * parameters, for caller convenience.
Greg Hudson [Wed, 9 May 2012 17:40:38 +0000 (17:40 +0000)]
Add API to interpret changepw result strings
Active Directory returns structured policy information in the
nominally UTF-8 result string field of a password change reply. Add a
new API krb5_chpw_message() to convert a result string into a
displayable message, interpreting policy information if present.
Greg Hudson [Tue, 8 May 2012 03:04:15 +0000 (03:04 +0000)]
Improve traced error messages from PKINIT client
If we have no configured PKINIT client identity, or if we fail to
create a certificate chain, set a reasonable error code (not EINVAL or
ENOMEM) and a useful error message to appear in trace log output.
Zhanna Tsitkov [Sat, 5 May 2012 15:35:51 +0000 (15:35 +0000)]
Add generalized definition of krb5_ui_4 and krb5_int32 to the documentation for better cross-referencing. Do not include internal structure krb5_cc_ops into Sphinx documentation
Greg Hudson [Thu, 3 May 2012 21:43:42 +0000 (21:43 +0000)]
Make verify_init_creds work with existing ccache
As the file ccache implementation currently stands, we don't want to
turn off TC_OPENCLOSE on a file cache we're writing to, or it will be
opened read-only and stores to it will fail. Reported by Russ
Allbery.
Greg Hudson [Thu, 3 May 2012 19:42:43 +0000 (19:42 +0000)]
Try all host keys by default in vfy_increds
Factor out the core code of krb5_verify_init_creds into a helper, add
new helper functions to retrieve the list of unique host principals
from a keytab, and make krb5_verify_init_creds drive the helper once
per host principal.
Augment the test harness and test cases to better test the new
behavior. Add a k5test method to retrieve an NFS principal for the
test realm for the sake of the new test cases.
Greg Hudson [Thu, 3 May 2012 15:15:51 +0000 (15:15 +0000)]
In sn2princ, getaddrinfo without AI_ADDRCONFIG
When canonicalizing a principal, use AI_CANONNAME alone in the hint
flags for getaddrinfo, for two reasons. First, it works around a gnu
libc bug where getaddrinfo does a PTR lookup for the canonical name
(we tried to work around this in r24977 bug the addition of
AI_ADDRCONFIG caused the same problem as the use of AF_INET). Second,
an IPv4-only host should be able create a principal for an IPv6-only
host even if it can't contact the host.
This does result in extra AAAA queries in the common case (IPv4-only
host contacting IPv4-only service), which is unfortunate. But we need
to leave that optimization up to the platform at this point.
Turn the last two entries of the pa_types table into helper functions
which we invoke before the loop. Then, get rid of the part of the
loop which consults the pa_types table.
Tom Yu [Fri, 27 Apr 2012 22:40:21 +0000 (22:40 +0000)]
Use correct name-type in TGS-REQs for 2008R2 RODCs
Correctly set the name-type for the TGS principals to KRB5_NT_SRV_INST
in TGS-REQs. (Previously, only AS-REQs had the name-type set in this
way.) Windows Server 2008 R2 read-only domain controllers (RODCs)
insist on having the correct name-type for the TGS principal in
TGS-REQs as well as AS-REQs, at least for the TGT-forwarding case.
Thanks to Sebastian Galiano for reporting this bug and helping with
testing.
The addition of afs3-salt processing in get_etype_info made it overly
large, so split out the pw-salt/afs3-salt processing into a separate
function. Also fix two dumb bugs.
In krb5_init_creds_ctx and krb5_clpreauth_rock_st, use a boolean to
track whether we're still using the default salt instead of
overloading salt.length. In preauth2.c, process afs3 salt values like
we would in krb5int_des_string_to_key, and set an s2kparams indicator
instead of overloading salt.length. Also use an s2kparams indicator
in kdb_cpw.c's add_key_pwd. Remove the s2k code to handle overloaded
salt lengths, except for a sanity check.
Use krb5int_copy_data_contents_add0 when copying a pa-pw-salt or
pa-afs3-salt value in pa_salt(). If it's an afs3-salt, we're going to
throw away the length and use strcspn in krb5int_des_string_to_key,
which isn't safe if the value is unterminated.
Add a method to the securid_sam2 plugin, built with alternate
compile-time flags, which supplies a plain-text challenge to the
client to be used as the OTP value. This lets us manually exercise
the SAM-2 client code and a little bit of the KDC code.
securid_make_sam_challenge_2_and_cksum is moved into the method-
independent code and renamed. get_securid_edata_2 has its sc2b
parameter removed as it was not used by the caller.
Although the kadmin client never generates a KADM5_POLICY_CLR mask bit
with addprinc, the bit will be set if a kadm5.acl line imposes the
-clearpolicy restriction. Relax the sanity checking in
kadm5_create_principal_3 to allow KADM5_POLICY_CLR as long as
KADM5_POLICY is not also set.
Add K5Realm.prep_kadmin() to create a ccache and K5Realm.run_kadmin()
to run a kadmin query using it. Modify t_stringattr.py to use these
helpers instead of its own.
Initialize use_count fields in krb5_preauth_request_context_init,
which is invoked before each AS request. Previously they were
initialized only in krb5_init_preauth_context, which is only invoked
once per krb5 library context.
Move some tests out of the multipass_realms loop since they aren't
enctype-dependent. Fix the success message not to mention kvno
wrapping. Don't start kadmind in the multipass_realms loop since we
don't use it.
A database created prior to 1.3 will have multiple password history
keys, and kadmin prior to 1.8 won't necessarily choose the first one.
So if there are multiple keys, we have to try them all. If none of
the keys can decrypt a password history entry, don't fail the password
change operation; it's not worth it without positive evidence of
password reuse.
Use krb5_init_creds_set_keytab in krb5_get_init_creds_keytab, so that
processing added to the former will be used by the latter. This is
slightly awkward because of the way we do the use_master fallback, in
that we have to duplicate some of krb5int_get_init_creds.
Create a test script for keytab-related tests. Move the kvno wrapping
test there from t_general.py, and augment it to better match what's in
standalone.exp. Add tests for kinit with keytab, including kinit with
the most-preferred enctype missing from the keytab (which currently
fails).
Add a clpreauth callback which gets the time of day using an offset
determined by the preauth-required error, and use it in encrypted
timestamp and encrypted challenge. This timestamp is not necessarily
authenticated, but the security consequences for those preauth mechs
are minor (and can be mitigated by turning off kdc_timesync on
clients).
When decoding an AS-REP enc part, we should accept app tags 26 (the
bogus one we generate) and 25 (the correct value). We were accepting
26 and 24. Bug report and fix by stefw@gnome.org.
When we check for password reuse, only compare keys with the most
recent kvno against history entries, or else we will always fail with
-keepold.
This bug primarily affects rollover of cross-realm TGT principals,
which typically use password-derived keys and may have an associated
password policy such as "default".
Bug report and candidate fix (taken with a slight modification) by
Nicolas Williams.
Active Directory always issues cross-realm tickets without a kvno,
which we see as kvno 0. When we see that, try the highest kvno (as we
already do) and then a few preceding kvnos so that key rollover of the
AD->MIT cross TGT can work.
Add new helpers kdc_rd_ap_req, which takes the place of a couple of
steps from kdc_process_tgs_req, and find_server_key, which takes the
place of some of the end steps of kdc_get_server_key.
Code changes by Nicolas Williams. Test cases by me.
Greg Hudson [Sat, 31 Mar 2012 00:38:20 +0000 (00:38 +0000)]
Fix data handling in rd_req_decoded_opt
We shouldn't peer at trans->tr_contents.data[0] if
trans->tr_contents.length is 0, even if the data field is non-null.
Harmless as long as the ASN.1 decoder uses null data fields for empty
krb5_data values, but still wrong.
Greg Hudson [Wed, 28 Mar 2012 21:11:06 +0000 (21:11 +0000)]
Add doc target with configured path substitutions
Add a new target "substhtml" in src/doc to create HTML documentation
with configured paths, suitable for installation by an OS package.
The build target generates a file named paths.py containing the
directory substitutions, copies it into the rst_composite directory,
and instructs conf.py to use it with the "pathsubs" tag.
Greg Hudson [Wed, 28 Mar 2012 21:11:01 +0000 (21:11 +0000)]
Use reference substitutions for paths in docs
For the default doc build (used for the web site and release tarball),
substitute path variables with links to the paths table in
mitK5defaults.rst, using symbolic names for the link text.
The substitution of kdcdir for man pages is slightly altered as a
side-effect of this commit. Regenerate the man pages to match. The
rendered man pages are unchanged.
Greg Hudson [Wed, 28 Mar 2012 02:03:33 +0000 (02:03 +0000)]
Automate RST HTML generation with doxygen info
In src/doc/Makefile.in, create an "rsthtml" target for generating
release tarball/web site HTML docs in doc/rst_html. For now,
eliminate support for the bridge to the Doxygen HTML output; just
generate XML output with Doxygen and convert it to RST format.
Greg Hudson [Tue, 27 Mar 2012 02:32:48 +0000 (02:32 +0000)]
Fix up krb5.hin Doxygen markup somewhat
* Put everything in an enclosing group, so it gets captured even
without EXTRACT_ALL.
* Make sure there's documentation for all constants referenced by
other markup.
* Fix references to the PAC constants.
Greg Hudson [Sat, 24 Mar 2012 14:29:44 +0000 (14:29 +0000)]
Remove krb5-send-pr man page
The license on the krb5-send-pr man page was incompatible with the
rest of our documentation, and the content is questionably up to date
(krb5-send-pr still exists, but we don't use GNATS any more, and
free-form mail to krb5-bugs is equally acceptable at this point). Get
rid of it for now.
Greg Hudson [Fri, 23 Mar 2012 16:27:05 +0000 (16:27 +0000)]
Install path-substituted man pages
Introduce src/doc/Makefile.in, which will eventually subsume
doc/Makefile (but will still pull sources from doc). In the rstman
target there, create man pages with symbolic path references (like
@SBINDIR@). In man/Makefile.in, substitute the path references with
the configured paths before installing.
Man pages generated from RST source are now checked into the source
tree under the name filename.man. This lets us use a single implicit
.man.sub rule for the path substitutions.
Greg Hudson [Thu, 22 Mar 2012 14:07:44 +0000 (14:07 +0000)]
Suppress some gcc uninitialized variable warnings
ticket: 7107
gcc 4.6.2 reportedly finds some spurious maybe-uninitialized warnings.
Suppress them. Patch from Eray Aslan with some adjustment.
Greg Hudson [Wed, 21 Mar 2012 16:57:05 +0000 (16:57 +0000)]
Only store master mey list in DAL handle
r24314 (#6778) created a hybrid owernship model for the master key
list, with one virtual copy stored in the DAL handle and one provided
to the caller of krb5_db_fetch_mkey_list. Replace this with a model
where only the DAL handle owns the list, and a caller can get access
to an alias pointer with a new function krb5_db_mkey_list_alias().
Functions which previously accepted the master key list as an input
parameter now expect to find it in the DAL handle.
Greg Hudson [Fri, 16 Mar 2012 13:57:50 +0000 (13:57 +0000)]
Move privileges section in database admin docs
The "Privileges" section in the RST database administration
documentation was tucked away in the middle of a section on principal
operations. Move it out and put it between policy operations and
kdb5_util operations, without changing its content.
(We may want to replace this whole section with a reference to the
appropriate part of the kadmind man page, but that requires a bit of
reconciliation since the kadmind man page doesn't document
restrictions yet.)
projects / thirdparty / krb5.git / log
