Tom Yu [Wed, 14 Dec 2011 00:07:54 +0000 (00:07 +0000)]
Squash commits for KfW updates
windows ccapiserver: replace Sleep with event wait
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
fix warning in test_cc_credentials_iterator_next.c
include test_ccapi_iterators.h for check_cc_credentials_iterator_next
Make ccapiserver exit if its receiveloop thread terminates for any reason.
This happens, for example, when the rpc endpoint is already registered
by another ccapiserver process. There's no reason to leave a zombie
process running that can't receive messages.
windows ccapi: launch server without console by default.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
windows ccapi: use a random challenge to authenticate ccapiserver.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
LeashView.cpp: only specify TVIF_TEXT if there is actually text.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: add runtime.wxi WIXINCLUDES in Makefile to fix dependencies.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
Windows leash64 fixes: use proper names for leash and krb5 dlls
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
Windows leash fixes: 'make install' installs leash exes.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: use MSVC 2010 merge modules
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: install leash32.exe
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: clean out unused #defines from Lglobals.h
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: use correct message id to obtain tgt from leash
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: update copyright notice in license.rtf
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fixes: install xpprof32
TODO: xpprof64!
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: purge support for old compilers
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: don't build installer into installer
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fixes: make leash ignore credentials that store config principals.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fix: make Leash_kdestroy() actually destroy k5 tickets
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fix: Add custom "Password incorrect" message to Leash_int_kinit_ex()
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fixes: define USE_MESSAGE_BOX in leashdll code for user feedback.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fixes: krb5_get_init_creds_opt_init->krb5_get_init_creds_opt_alloc
Should enable leash to generate config credentials (needs verification!)
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fix: int -> size_t to fix warning in krb5routines.c
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fix: restructure low ticket warning popup code to workaround mfc bug
mfc bug causes assertions when dialog is generated from
within PreTranslateMessages() (MSG input param points to a global
variable which is corrupted in the dialog message loop). So we need
to instead PostMessage() to cause the popup later.
Also fixed logic to cause warning dialog to actually be modal as intended
when the leash window is not minimized.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fixes: fix _snprintf usage; use full error code in leash_error_message
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fixes: ccapiserver only quits after all clients detach.
Not sure if this is really a good idea or not...
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: generate manifests
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: generate leash shortcuts (desktop and start menu)
...also install xpprof64
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: fix 'K5_ORIGINAL_NAME' for 64 bit dlls.
...still need to actually to define _WIN64 for rc.exe though
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: purge bufferoverflowu from custom.dll
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: rename leash32/64.exe to simply leash.exe
Also install leash.exe in 64 bit installer.
Split cci_thread_init into per-process and per-thread portions
Call the per-thread code on thread attach and per-process once per
process. Previously, while the function was named 'thread', it was
only actually called once per process. Currently, the per-thread
code does nothing on non-windows platforms and is not even actually
invoked.
Fixes a windows bug when multiple non-main threads try to use ccapi
at the same time.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw leash: add -console option to create console for debug output
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: use _WIN64 names where appropriate
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw leash: bracket krb.con code with #ifndef NO_KRB4
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: install krb5.ini to CommonAppDataFolder, not WindowsFolder
...but only if there isn't already a krb5.ini in the WindowsFolder.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: "make install" also installs pdbs
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: leash32.pdb->leash.pdb
kfw installer: add site-local.wxi
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: leash htmlhelp file source
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: use html help in leash
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: "make install" installs htmlhelp (leash.chm)
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: install leash help file (leash.chm)
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: remove line breaks from html to fix table of contents generation
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw leash help: fix/add aliases for command help
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw leash: fix bad data in get tickets dialog when -autoinit specified
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7050
version_fixed: 1.10
status: resolved
When the client application requests optimistic preauth for a preauth
type which uses the password, we don't have an etype-info2 to
interpret since we haven't talked to the KDC. So we need to guess an
enctype, salt, and s2k parameters. In 1.9 and prior, encrypted
timestamp contained code to use the first requested enctype in this
case, but encrypted challenge did not. In 1.10 prior to this change,
neither mechanism uses a reasonable default.
Set a default enctype in krb5_init_creds_init so that all
password-based preauth mechanisms will use a reasonable default in the
optimistic preauth case. The default salt and s2k parameters for this
case will be the principal-based default salt and the enctype-based
default parameters.
ticket: new
subject: FAST PKINIT
target_version: 1.10
tags: pullup
Per RFC 6113 fast should use the inner request body for the pkinit
checksum. We did that on the KDC; now do so on the client. Remove
code that explicitly blocked pkinit under FAST.
Also, use the reply key *before* the strengthen key is applied when
verifying the PADATA_PKINIT_KX.
ticket: 7023
subject: Clean up client-side preauth error data handling
target_version: 1.10
tags: pullup
Change the clpreauth tryagain method to accept a list of pa-data,
taken either from the FAST response or from decoding the e_data as
either pa-data or typed-data. Also change the in_padata argument to
contain just the type of the request padata rather than the whole
element, since modules generally shouldn't care about the contents of
their request padata (or they can remember it).
In krb5int_fast_process_error, no longer re-encode FAST pa-data as
typed-data for the inner error e_data, but decode traditional error
e_data for all error types, and try both pa-data and typed-data
encoding.
In PKINIT, try all elements of the new pa-data list, since it may
contain FAST elements as well as the actual PKINIT array. (Fixes an
outstanding bug in FAST PKINIT.)
ticket: 7021
subject: Fix failure interval of 0 in LDAP lockout code
target_version: 1.10
tags: pullup
A failure count interval of 0 caused krb5_ldap_lockout_check_policy to
pass the lockout check (but didn't cause a reset of the failure count
in krb5_ldap_lockout_audit). It should be treated as forever, as in
the DB2 back end.
This bug is the previously unknown cause of the assertion failure
fixed in CVE-2011-1528.
Minor status codes were not displaying properly when originated from
the IAKERB mech, because of a safety check on mech_type. From Ralf
Haferkamp <rhafer@suse.de>.
ticket: 7019
subject: Make verto context available to kdcpreauth modules
target_version: 1.10
tags: pullup
Add an event_context callback to kdcpreauth. Adjust the internal KDC
and main loop interfaces to pass around the event context, and expose
it to kdcpreauth modules via the rock.
Update verto sources to 0.2.2 release versions. verto_reinitialize()
now has a return value; check it in kdc/main.c. Store verto-libev.c
alongside verto-k5ev.c to make it easy to diff corresponding versions
when updating.
Alter the contract for the kdcpreauth request_body callback so that it
returns an alias to the encoded body instead of a fresh copy. At the
beginning of AS request processing, save a copy of the encoded request
body, or the encoded inner request body for FAST requests. Previously
the request_body callback would re-encode the request structure, which
in some cases has been modified by the AS request code.
No kdcpreauth modules currently use the request_body callback, but
PKINIT will need to start using it in order to handle FAST requests
correctly.
ticket: 7016
subject: Handle TGS referrals to the same realm
target_version: 1.9.3
tags: pullup
krb5 1.6 through 1.8 contained a workaround for the Active Directory
behavior of returning a TGS referral to the same realm as the request.
1.9 responds to this behavior by caching the returned TGT, trying
again, and detecting a referral loop. This is a partial regression of
ticket #4955. Detect this case and fall back to a non-referreal
request.
make check was failing in util/gss-kernel-lib due to dependencies
when the build is configured with --with-system-et, because depfix.pl
wasn't smart enough to substitute the dependency on com_err.h in the
current directory. Make depfix.pl smarter, and adjust COM_ERR_DEPS
to be com_err.h in gss-kernel-lib when building with the bundled
com_err.
ticket: 6430
subject: Avoid looping when preauth can't be generated
target_version: 1.10
tags: pullup
If we receive a PREAUTH_REQUIRED error and fail to generate any real
preauthentication, error out immediately instead of continuing to
generate non-preauthenticated requests until we hit the loop count.
There is a lot of room to generate a more meaningful error about why
we failed to generate preauth (although in many cases the answer may
be too complicated to explain in an error message), but that requires
more radical restructuring of the preauth framework.
ticket: 6996
subject: Make krb5_check_clockskew public
target_version: 1.10
tags: pullup
Rename krb5int_check_clockskew to krb5_check_clockskew and make it
public, in order to give kdcpreauth plugins a way to check timestamps
against the configured clock skew.
ticket: 7003
subject: Fix month/year units in getdate
target_version: 1.10
tags: pullup
getdate strings like "1 month" or "next year" would fail some of the
time, depending on the value of stack garbage, because DSTcorrect()
doesn't set *error on success and RelativeMonth() doesn't initialize
error. Make DSTcorrect() responsible for setting *error in all cases.
NOTICE was missing the copyright statement for verto (it's not quite
the same as other Red Hat licenses). util/verto had no README file,
and neither the verto nor k5ev README contained pointers to the
upstream project pages.
ticket: 7000
subject: Exit on error in kadmind kprop child
target_version: 1.10
tags: pullup
When we fork from kadmind to dump the database and kprop to an iprop
slave, if we encounter an error in the child process we should exit
rather than returning to the main loop.
The presence of dgettext in libc or libintl doesn't imply that msgfmt
is installed, so conditionalize building the po subdir on whether
msgfmt is installed.
The typed_e_data field in struct as_req_state was not properly
initialized, causing the KDC to sometimes respond with typed-data
e_data for a preauth-required error when the client sends no padata.
This bug was masked with recent clients, which send a
KRB5_ENCPADATA_REQ_ENC_PA_REP padata.
When using hmac-md5, the intermediate key length is the output of the
hash function (128 bits), not the input key length. Relevant if the
input key is not an RC4 key.
ticket: 6988
subject: Fix handling of null edata method in KDC preauth
target_version: 1.10
tags: pullup
Correctly include an empty padata value if a KDC preauth system has no
get_edata method. This bug prevented the KDC from indicating FAST
support in preauth-required errors.
krb5_cc_set_config has been non-functional since r24753 on cache types
which don't support removal of credential entries. Fix it by only
calling krb5_cc_remove_cred if data is NULL, since krb5_cc_store_cred
will do it anyway in the positive case.
Also fix an old memory leak in an uncommon error case.
Greg Hudson [Mon, 17 Oct 2011 17:15:31 +0000 (17:15 +0000)]
Add AC_LANG_SOURCE to PKINIT NSS version check
The configure.in code for the PKINIT NSS back end version check was
copied from the k5crypto NSS back end version check, but from before
r25181 which added AC_LANG_SOURCE wrappers.
Sam Hartman [Mon, 17 Oct 2011 00:45:30 +0000 (00:45 +0000)]
gssalloc-related fixes to naming_exts.c
renamed kg_data_list_to_buffer_set_nocopy to data_list_buffer_set
(since nocopy is no longer guaranteed).
removed extra indirection to input krb5_data list.
ensured input krb5_data list is always completely freed.
no longer returns EINVAL when output buffer set is NULL.
fixed krb5_gss_get_name_attribute to use data_to_gss.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25358 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Mon, 17 Oct 2011 00:45:23 +0000 (00:45 +0000)]
RFC 4120 says that we should not canonicalize using DNS. We cannot get
that far today, but there's no reason we should fail to use a
perfectly good principal name just because DNS is failing. For some
services there isn't even a requirement they be in DNS. With
AI_ADDRCONFIG there's no reason that Kerberos canonicalization should
fail simply because a v6 address is not present, for example. So, if
getaddrinfo fails in krb5_sname_to_principal simply use the input
hostname uncanonicalized.
Greg Hudson [Sat, 15 Oct 2011 16:56:30 +0000 (16:56 +0000)]
Allow password changes over NATs
In the kpasswd server code, don't set a remote address in the auth
context before calling krb5_rd_priv, since the kpasswd protocol is
well-protected against reflection attacks. This allows password
changes to work in cases where a NAT has changed the client IP address
as it is seen by the server.
Greg Hudson [Sat, 15 Oct 2011 16:56:26 +0000 (16:56 +0000)]
Allow rd_priv/rd_safe without remote address
Allow krb5_rd_priv and krb5_rd_safe to work when there is no remote
address set in the auth context, unless the KRB5_AUTH_CONTEXT_DO_TIMES
flag is set (in which case we need the remote address for the replay
cache name). Note that failing to set the remote address can create a
vulnerability to reflection attacks in some protocols, although it is
fairly easy to defend against--either use sequence numbers, or make
sure that requests don't look like replies, or both.
Greg Hudson [Sat, 15 Oct 2011 16:29:28 +0000 (16:29 +0000)]
Install krb5/preauth_plugin.h
The clpreauth and kdcpreauth pluggable interfaces are public as of
krb5 1.10. Install the header so that preauth modules can be built
outside of the krb5 source tree.
Greg Hudson [Sat, 15 Oct 2011 16:26:27 +0000 (16:26 +0000)]
Rename PAC type constants to avoid conflicts
Since the PAC type constants are now exposed in krb5.h, give them a
KRB5_ prefix so they don't conflict with similar PAC type constants
in other packages, like Samba.
Greg Hudson [Sat, 15 Oct 2011 16:06:03 +0000 (16:06 +0000)]
Hide gak_fct interface and arguments in clpreauth
Remove the gak_fct, gak_data, salt, s2kparams, and as_key arguments
of krb5_clpreauth_process_fn and krb5_clpreauth_tryagain_fn. To
replace them, add two callbacks: one which gets the AS key using the
previously selected etype-info2 information, and a second which lets
the module replace the AS key with one it has computed.
This changes limits module flexibility in a few ways. Modules cannot
check whether the AS key was already obtained before asking for it,
and they cannot use the etype-info2 salt and s2kparams for purposes
other than getting the password-based AS key. It is believed that
of existing preauth mechanisms, only SAM-2 preauth needs more
flexibility than the new interfaces provide, and as an internal legacy
mechanism it can cheat. Future mechanisms should be okay since the
current IETF philosophy is that etype-info2 information should not be
used for other purposes.
Greg Hudson [Sat, 15 Oct 2011 15:35:46 +0000 (15:35 +0000)]
Drop retransmits while processing requests
Supporting asynchronous preauth modules means that the KDC can receive
a retransmitted request before it finishes processing the initial
request. Ignore those retransmits instead of processing them.
Sam Hartman [Fri, 14 Oct 2011 14:40:10 +0000 (14:40 +0000)]
Use gssalloc memory management where appropriate
gss_buffer_t may be freed in a different module from where they
are allocated so it is not safe to use strdup/malloc/calloc/free.
similarly, gss_OID_set need to use gssalloc functions.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25332 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Fri, 14 Oct 2011 14:40:05 +0000 (14:40 +0000)]
Utility functions to move allocations from k5buf/krb5_data to gss_buffer_t
On Unix, these simply move the buffer pointer, but on windows they need to
reallocated with gssalloc_malloc and coied since the gss_buffer_t may need
to be freed in a separate module with potentially mismatched c runtime.
Also fix a mismatched parameter warning in generic_gss_copy_oid_set().
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25331 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Fri, 14 Oct 2011 14:39:01 +0000 (14:39 +0000)]
Add new header gssapi_alloc.h
Contains allocator methods for use with mechanisms and mechglues for
allocations that must be made in one module but freed in another. On
windows, an allocation made in one module cannot safely be freed in
another using the usual c runtime malloc/free; runtime dll mismatch
will cause heap corruption in that case. But it is safe to instead
directly use HeapAlloc()/HeapFree() specifying the default process
heap. For now, this header is not public. If it becomes public
strncpy will need to be used instead of strlcpy.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25330 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 12 Oct 2011 16:34:07 +0000 (16:34 +0000)]
Make krb5_pac_sign public
krb5int_pac_sign was created as a private API because it is only
needed by the KDC. But it is actually used by DAL or authdata plugin
modules, not the core KDC code. Since plugin modules should not need
to consume internal libkrb5 functions, rename krb5int_pac_sign to
krb5_pac_sign and make it public.
Zhanna Tsitkov [Fri, 7 Oct 2011 21:19:41 +0000 (21:19 +0000)]
Removed references to non-existing krb5_default_local_realm(3) and some source-code-defined macros from the administration programs documentation.
Also, minor cleanup & corrections.
Greg Hudson [Fri, 7 Oct 2011 14:26:25 +0000 (14:26 +0000)]
Use built-in modules for encrypted timestamp
Break out the encrypted timestamp code from kdc_preauth.c and
preauth2.c into built-in modules, allowing admins to disable it and
reducing the size of the framework code.
Greg Hudson [Thu, 6 Oct 2011 20:08:29 +0000 (20:08 +0000)]
Add get_string, free_string kdcpreauth callbacks
String attributes should be useful to preauth modules without having
to link against libkdb5. Add a callback to make client string
attributes accessible to modules.
Greg Hudson [Thu, 6 Oct 2011 19:24:56 +0000 (19:24 +0000)]
Ditch fast_factor.h since it contains only stubs
Leave a comment behind where we called fast_set_kdc_verified().
Remove the call to fast_kdc_replace_reply_key() since it's wrong
(encrypted challenge doesn't replace the reply key in that sense).
Greg Hudson [Thu, 6 Oct 2011 16:18:56 +0000 (16:18 +0000)]
Use type-safe callbacks in preauth interface
Replace the generic get_data functions in clpreauth and kdcpreauth
with structures containing callback functions. Each structure has a
minor version number to allow adding new callbacks.
For simplicity, the new fast armor key callbacks return aliases, which
is how we would supply the armor key as a function parameter. The new
client keys callback is paired with a free_keys callback to reduce the
amount of cleanup code needed in modules.
projects / thirdparty / krb5.git / log
