Remove errcode_2_string and release_errcode_string from the DAL table,
and stop using them in kdb5.c. Modules can simply set error messages
in the krb5 context on error.
Remove db_supported_realms and db_free_supported_realms from the DAL
table, and remove the corresponding libkdb5 interfaces (which don't
seem to have been in the library export table).
Add KRB5_KDB_API_VERSION to allow callers to adjust to incompatible
changes in libkdb; to be kept in sync with the libkdb major version,
which is bumped to 5 in anticipation of other changes.
Add KRB5_KDB_DAL_VERSION to allow database modules to detect when they
are mismatched with the KDB version. Since KDB modules are often
developed concurrently with trunk code, this is defined to be the date
of the last incompatible DAL change. The DAL version is passed to the
init_library DAL function; the module should check it against the value
of KRB5_KDB_DAL_VERSION it was compiled with and return
KRB5_KDB_DBTYPE_MISMATCH if it doesn't match.
In kpropd, when getting a wildcard address to listen on, try IPv6
explicitly (with AI_ADDRCONFIG specified where available, to avoid
IPv6 on hosts with no IPv6 interface) and then fall back to IPv4.
Only set IPV6_V6ONLY on the listener socket if the resulting address
is IPv6.
Note: we have mostly confirmed that OpenBSD does not have dual-stack
support, meaning that it would be better to open separate IPv4 and
IPv6 listener sockets, as we do in krb5kdc and kadmind.
Unfortunately, the complicated iprop retry-and-backoff logic makes
this less than straightforward.
Greg Hudson [Sat, 26 Jun 2010 03:32:55 +0000 (03:32 +0000)]
Make kadmin work over IPv6
Make gssrpc work over IPv6 TCP sockets provided that the client
creates and connects/binds the sockets and doesn't query their
addresses or use bindresvport(). Make kadmin work within those
constraints and handle IPv6. Specific changes:
* Make svctcp_create() able to extract the port from an IPv6 socket,
using a new helper function getport().
* Make clnttcp_create() handle a null raddr value if *sockp is set.
* Make kadm5_get_service_name() use getaddrinfo() to canonicalize the
admin server name.
* Make libkadm5clnt's init_any() responsible for connecting its socket
using a new helper function connect_to_server(), which uses
getaddrinfo instead of gethostbyname. Pass a null address to
clnttcp_create().
* Make libapputil's net-server.c set up IPv6 as well as IPv4 listener
ports for RPC connections.
* Adjust the error code expected in a libkadm5 unit test.
Greg Hudson [Fri, 25 Jun 2010 22:26:04 +0000 (22:26 +0000)]
Adjust function names and declarations in libkadm5's client_init.c; in
particular, avoid the use of library namespace prefixes for static
helper functions.
Greg Hudson [Mon, 21 Jun 2010 19:56:29 +0000 (19:56 +0000)]
kdb5_stash() contains its own kdb5_db_open() call (because it doesn't
use util_context for some reason), which didn't work with the LDAP
back end because LDAP doesn't recognize KRB5_KDB_SRV_TYPE_OTHER. As a
minimal fix, change that to KRB5_KDB_SRV_TYPE_ADMIN to be consistent
with open_db_and_mkey()--see also r18736.
Greg Hudson [Mon, 21 Jun 2010 15:18:37 +0000 (15:18 +0000)]
Add correct error table when initializing gss-krb5
gss_krb5int_lib_init was adding the generic GSS error table (again)
instead of the krb5 error table, which could lead to crashes on
library unload. This bug was introduced in krb5 1.7; the fix is also
applicable there.
Patch from Leonardo Chiquitto <leonardo.lists@gmail.com>.
Tom Yu [Fri, 18 Jun 2010 19:41:48 +0000 (19:41 +0000)]
only test t_locate_kdc if known-good DNS name is present
Running "make check" while offline or on a firewalled network may
result in failure in lib/krb5/os because the invocation of
t_locate_kdc requires that the DNS servers for ATHENA.MIT.EDU be
reachable. Autodetect DNS utilities "dig" and "nslookup", and use
them to check for existence of the known-good DNS name. Also
parameterize the test so that the known-good DNS name can be
overridden on the make command line.
Greg Hudson [Mon, 14 Jun 2010 20:00:03 +0000 (20:00 +0000)]
Adjust the PKINIT DH debugging code:
* Use %p and void * for pointers instead of %x and int
* Don't call the computed symmetric key the "secret key" since
that's easily confused with the private key g^x.
* Print the private key when printing DH parameters, instead of the
q value (not even sure what they is).
Greg Hudson [Fri, 11 Jun 2010 21:03:03 +0000 (21:03 +0000)]
Use getaddrinfo() in kprop and kpropd, and recognize IPv6 addresses
when setting up krb5_address structures. kpropd still only binds to
one socket to avoid the need for a select() loop, so we turn off
IPV6_V6ONLY on that socket to ensure that IPv4 connections will still
be accepted.
Based on a patch from Michael Stapelberg <michael@stapelberg.de>.
Greg Hudson [Tue, 8 Jun 2010 18:18:03 +0000 (18:18 +0000)]
kadmin ktadd may display wrong name of default keytab
kadmin's ktadd (and ktrem) displays WRFILE:/etc/krb5.keytab whenever
it uses the default keytab, even if the default has been overridden
(e.g. by KRB5_KTNAME). Use krb5_kt_get_name to get the correct name
of the default cache instead of displaying the string we think was
used to open it.
Greg Hudson [Tue, 8 Jun 2010 17:53:19 +0000 (17:53 +0000)]
When we display enctypes, display the input name rather than the
description. Affects klist -e, kdb5_util list_mkeys, kdb5_util stash
(error message), kadmin getprinc, kadmin ktadd, and ktutil list -e.
Greg Hudson [Tue, 8 Jun 2010 16:26:23 +0000 (16:26 +0000)]
Stop checking the current time against the context expiration time in
the message wrap/unwrap functions in the krb5 GSS mech. Heimdal
doesn't do it, and it generally results in poor app behavior when a
ticket expires. In exchange, it doesn't provide much security benefit
since it's not enforced across the board--for example, ssh sessions
can persist beyond ticket expiration time since they don't use GSS to
wrap payload data.
(This is a continuation of r24120, which should have contained the
changes to all four files.)
Greg Hudson [Tue, 8 Jun 2010 16:14:24 +0000 (16:14 +0000)]
Stop checking the current time against the context expiration time in
the message wrap/unwrap functions in the krb5 GSS mech. Heimdal
doesn't do it, and it generally results in poor app behavior when a
ticket expires. In exchange, it doesn't provide much security benefit
since it's not enforced across the board--for example, ssh sessions
can persist beyond ticket expiration time since they don't use GSS to
wrap payload data.
Greg Hudson [Mon, 7 Jun 2010 18:26:17 +0000 (18:26 +0000)]
Trace logging
Add trace logging infrastructure code, enabled by the KRB5_TRACE
environment variable or the API functions krb5_set_trace_callback()
or krb5_set_trace_filename(). As a start, add tracing events for:
* AS-REQ client code, including FAST and preauth
* TGS-REQ client code
* AP-REQ and AP-REP code (client and server)
* sendto_kdc
* Selected ccache operations
* Selected keytab operations
Greg Hudson [Tue, 25 May 2010 02:44:45 +0000 (02:44 +0000)]
FAST negotiation could erroneously succeed
When FAST negotiation is performed against an older KDC
(rep->enc_part2->flags & TKT_FLG_ENC_PA_REP not set),
krb5int_fast_verify_nego did not set the value of *fast_avail, causing
stack garbage to be used in init_creds_step_reply. Initialize
*fast_avail at the beginning of the function per coding practices.
Greg Hudson [Sun, 23 May 2010 20:23:31 +0000 (20:23 +0000)]
Make signedpath authdata visible via GSS naming exts
Merge users/lhoward/signedpath-naming-exts to trunk. Adds an authdata
provider which makes non-PAC S4U2Proxy signedpath authdata visible to
application servers via GSS naming extensions.
Greg Hudson [Fri, 21 May 2010 19:29:04 +0000 (19:29 +0000)]
Remove a non-functional and unnecessary check in kdb5_util's
master_key_convert(). (key_data->key_data_length is an array, so its
address is never null.)
Greg Hudson [Fri, 21 May 2010 03:08:18 +0000 (03:08 +0000)]
Document the disable_last_success and disable_lockout variables in
krb5.conf.M. Also document database_name in krb5.conf.M and slightly
adjust the wording in admin.texinfo.
Tom Yu [Thu, 20 May 2010 20:42:26 +0000 (20:42 +0000)]
kdc_tcp_ports not documented in kdc.conf.M
The kdc.conf setting kdc_tcp_ports was not documented in kdc.conf.M,
though it was documented in doc/admin.texinfo. Copy text from there
for now. The setting defaults to an empty string at the moment,
causing the KDC to not listen on TCP by default, confusing some users.
Changing this behavior is a separate issue.
Greg Hudson [Thu, 20 May 2010 15:13:06 +0000 (15:13 +0000)]
In gss_acquire_cred_with_password() and gss_add_cred_with_password(),
require desired_name to be set, and always honor it. This is
consistent with the Sun implementation and simplifies the code.
Greg Hudson [Tue, 18 May 2010 17:19:15 +0000 (17:19 +0000)]
When parsing a KDC or admin server string, allow the name or address
to be enclosed in brackets so that IPv6 addresses can be represented.
(IPv6 addresses contain colons, which look like port separators.)
Greg Hudson [Tue, 18 May 2010 16:17:15 +0000 (16:17 +0000)]
Improve the error message from kadmin when hostname resolution fails
for the admin server. (The extended message won't be displayed by
kadmin currently; that's a separate issue.)
Greg Hudson [Mon, 17 May 2010 20:38:24 +0000 (20:38 +0000)]
If gss_inquire_cred is called with a null credential, acquire a
default initiator credential and process it normally, instead of using
a completely different code path (the default mechanism's inquire_cred
handler).
Greg Hudson [Mon, 17 May 2010 20:01:29 +0000 (20:01 +0000)]
The mechglue always passes null for desired_mechs and actual_mechs
when invoking gss_acquire_cred and friends. Eliminate a lot of unused
and untestable logic in the krb5 mech which processed those arguments.
Greg Hudson [Mon, 17 May 2010 17:11:28 +0000 (17:11 +0000)]
The mechglue never invokes a mech's gss_add_cred function. Remove the
krb5 mech's add_cred implementation and null it out in the table.
(This has the effect of removing the IAKERB add_cred implementation.
SPNEGO already had it nulled out.)
Greg Hudson [Thu, 13 May 2010 17:34:33 +0000 (17:34 +0000)]
Negative enctypes improperly read from keytabs
When reading enctypes from keytabs, we need to ntohs() the 16-bit
value we read in before sign-extending it to a 32-bit value in the
keyblock, or we run the risk of extending the wrong sign.
Greg Hudson [Wed, 12 May 2010 20:49:11 +0000 (20:49 +0000)]
Reimplement krb5_get_in_tkt_with_skey in terms of krb5_get_init_creds,
similar to how the password and keytab equivalents were done.
Eliminate krb5_get_in_tkt. It's been very hard to use since we made
krb5_kdc_rep_decrypt_proc private (in krb5 1.7 the prototype was taken
out of krb5.h altogether), and it's unlikely that anything would have
used it directly in the first place.
Remove and/or simplify a lot of code depended on by krb_get_in_tkt,
including all of preauth.c.
Greg Hudson [Mon, 10 May 2010 22:42:04 +0000 (22:42 +0000)]
Add lockout-related performance tuning variables
The account lockout feature of krb5 1.8 came at a cost in database
accesses for principals requiring preauth, even if lockout is not
used. Add dbmodules variables disable_last_success and
disable_lockout for the DB2 and LDAP back ends, allowing the admin to
recover the lost performance at the cost of new functionality.
(Unrelated documentation fix: document database_name as a DB2-specific
dbmodules variable instead of the realm variable it used to be.)
Greg Hudson [Mon, 10 May 2010 22:23:57 +0000 (22:23 +0000)]
Make KADM5_FAIL_AUTH_COUNT_INCREMENT more robust with LDAP
In krb5_ldap_put_principal, use krb5_get_attributes_mask to determine
whether krbLoginFailedCount existed on the entry when it was
retrieved. If it didn't exist, don't try to use LDAP_MOD_INCREMENT,
and don't assert an old value when not using LDAP_MOD_INCREMENT.
Also, create the krbLoginFailedCount attribute when creating new
entries. This allows us to use LDAP_MOD_INCREMENT during the first
failed login (if the server supports it), avoiding a race condition.
Greg Hudson [Tue, 4 May 2010 05:44:07 +0000 (05:44 +0000)]
Refactor the kdb_db2.c code which processes db_args and profile
variables to configure a DB context, to avoid repeating that code
three times in open/create/destroy.
Greg Hudson [Mon, 3 May 2010 19:02:16 +0000 (19:02 +0000)]
Eliminate the use of variables for format strings in kdb5_util. Many
were unused, and localization will probably be done through _()
macros, not collecting all the strings together. Elminates a number
of format-security static analysis defects.
Greg Hudson [Sat, 1 May 2010 17:53:04 +0000 (17:53 +0000)]
Fix some bugs in the IAKERB code discovered by Coverity. Also trim
down iakerb_initiator_step() a little using krb5_data constructors
and avoiding vertical function arguments.
Add IAKERB mechanism and gss_acquire_cred_with_password
Merge branches/iakerb to trunk. Includes the following:
* New IAKERB mechanism.
* New gss_acquire_cred_with_password mechglue function.
* ASN.1 encoders and decoders for IAKERB structures (with tests).
* New shortcuts in gss-sample client and server.
* Tests to exercise SPNEGO and IAKERB using gss-sample application.
Eliminate the use of tail -f in the dejagnu test suite. Instead, use
the sentinel lines printed by krb5kdc and kadmind to detect when the
listening sockets are ready.
Run Python tests as individual rule commands (friendlier to make -k)
instead of in a loop. Build runenv.py as part of make fake-install;
it's harmless if Python is unavailable. Import runenv later in
k5test so that we get a beter error message if make fake-install
hasn't been run.
projects / thirdparty / krb5.git / log
