Nalin Dahyabhai [Thu, 31 Oct 2013 01:45:35 +0000 (21:45 -0400)]
Use an intermediate memory cache in ksu
Instead of copying source or obtained creds into the target cache and
changing ownership if everything succeeds, copy them into a MEMORY:
cache and then, if everything succeeds, create the target cache as the
target user.
We no longer need to clean up the temporary ccache when exiting in
most error cases.
Use a fake principal name ("_ksu/_ksu@_ksu") as the primary holder of
the temporary cache so that we won't accidentally select it when we
make a subsequent call to krb5_cc_cache_match() (to be added in a
later patch) to find the target location where the creds should be
stored for use while running as the target user.
Nalin Dahyabhai [Fri, 1 Nov 2013 13:48:13 +0000 (09:48 -0400)]
In ksu, don't stat() not-on-disk ccache residuals
Don't assume that ccache residual names are filenames which we can
stat() usefully. Instead, use helper functions to call the library
routines to try to read the default principal name from caches, and
use whether or not that succeeds as an indication of whether or not
there's a ccache in a given location.
In ksu, merge krb5_ccache_copy() and _restricted()
Other than whether or not they limit the creds it stores to the new
ccache based on the principal name of the client for whom the creds were
issued, there's no meaningful difference between what these two
functions do. Merge them.
Tomas Kuthan [Fri, 1 Aug 2014 13:25:50 +0000 (15:25 +0200)]
Fix LDAP key data segmentation [CVE-2014-4345]
For principal entries having keys with multiple kvnos (due to use of
-keepold), the LDAP KDB module makes an attempt to store all the keys
having the same kvno into a single krbPrincipalKey attribute value.
There is a fencepost error in the loop, causing currkvno to be set to
the just-processed value instead of the next kvno. As a result, the
second and all following groups of multiple keys by kvno are each
stored in two krbPrincipalKey attribute values. Fix the loop to use
the correct kvno value.
CVE-2014-4345:
In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause it to perform an
out-of-bounds write (buffer overrun) by performing multiple cpw
-keepold operations. An off-by-one error while copying key
information to the new database entry results in keys sharing a common
kvno being written to different array buckets, in an array whose size
is determined by the number of kvnos present. After sufficient
iterations, the extra writes extend past the end of the
(NULL-terminated) array. The NULL terminator is always written after
the end of the loop, so no out-of-bounds data is read, it is only
written.
Historically, it has been possible to convert an out-of-bounds write
into remote code execution in some cases, though the necessary
exploits must be tailored to the individual application and are
usually quite complicated. Depending on the allocated length of the
array, an out-of-bounds write may also cause a segmentation fault
and/or application crash.
Tom Yu [Wed, 6 Aug 2014 22:45:20 +0000 (18:45 -0400)]
Disallow unlocked iteration of hash databases
It's not clear whether unlocked iteration over a hash DB2 database
will omit unaffected entries if database additions or deletions occur
concurrently with the iteration. Avoid this situation by disabling
unlocked iteration in the unlikely event that someone is still using a
hash database for their KDB.
Greg Hudson [Tue, 5 Aug 2014 03:34:32 +0000 (23:34 -0400)]
Fix glob memory leak in GSS initialization
In loadConfigFiles, call globfree even if glob fails, since glob can
allocate memory and report partial results on failure. Also
initialize globbuf before calling glob; this is not strictly required,
but hedges against hypothetical libc implementation bugs which could
leave globbuf.gl_pathc or globbuf.gl_pathv uninitialized on error.
Tom Yu [Wed, 6 Aug 2014 19:03:03 +0000 (15:03 -0400)]
Fix KDC race in t_unlockiter.py
The second KDC startup in t_unlockiter.py could race with the
garbage-collected shutdown of the first, causing the second one to
fail to bind the listening port. Avoid the situation by setting
start_kdc=False, because there doesn't need to be a KDC running for
these tests anyway. Also use create_user=False and create_host=False,
because those principals aren't necessary either.
Ben Kaduk [Wed, 6 Aug 2014 16:49:52 +0000 (12:49 -0400)]
Fix OS X build
Commit 58312ae8beb0499ac3a06196164eb833e9f8975e, "Fix the build on
windows", had a typo that broke the build of KCM support on OS X.
Attempt to increment the cardinality of the set of buildable platforms,
instead of just adjusting its contents, by fixing the typo.
Ben Kaduk [Tue, 5 Aug 2014 15:11:45 +0000 (11:11 -0400)]
Fix the build on windows
Windows does not provide the glob() functionality used to implement
the /etc/gss/mechs.d/ feature, so we must avoid compiling the
relevant code for windows. (It would never have been called, anyway.)
Adjust the ccache/Makefile.in rules to not use '-' or '@' in
make variable names that are processed by nmake.
Also in ccache/Makefile.in, remove some latent leading whitespace that
had been previously hidden by the previous rule; this exposed some
flawed dependencies that are now removed.
Windows does not provide sys/socket.h or sys/un.h, so don't try
to include them in cc_kcm.c.
The commit which moved the KKDCP TLS support to a plugin left some
dangling references to checkhost.c byproducts in os/Makefile.in,
which can be safely removed.
Use k5-platform.h in support/json.c instead of a set of system includes;
this lets windows build the static inline helper functions therein.
When ksu was explicitly told to spawn a shell, a line in .k5users which
listed "*" as the allowed command would cause the principal named on the
line to be considered as a candidate for authentication.
When ksu was not passed a command to run, which implicitly meant that
the invoking user wanted to run the target user's login shell, knowledge
that the principal was a valid candidate was ignored, which could cause
a less optimal choice of the default target principal.
This doesn't impact the authorization checks which we perform later.
Tom Yu [Mon, 4 Aug 2014 16:34:24 +0000 (12:34 -0400)]
Correct includes for unlockiter.c
Some platforms (e.g., Solaris) need a declaration of memset() for the
FD_ZERO() macro to work, contrary to POSIX standards. Add an
inclusion of <string.h> to accommodate them. Also add <sys/time.h>,
possibly needed by some older platforms, and remove a spurious
inclusion of <sys/socket.h>.
Tom Yu [Sat, 2 Aug 2014 18:20:35 +0000 (14:20 -0400)]
Ignore iprop deletion of deleted princ
Now that an iprop full dump might not hold a lock around the entire
dump, it's possible that iprop will queue an incremental update while
the dump is in progress. If a principal is deleted while the dump is
in progress, the dump could omit that principal, yet the deletion
event would still be queued in the ulog. Ignore that deletion without
generating an error.
This is the same basic change as for ticket #7753.
Tom Yu [Sat, 2 Aug 2014 18:20:33 +0000 (14:20 -0400)]
Support unlocked iteration in DB2
Add support to the DB2 KDB back end to optionally release the lock
when calling the iterator callback. This prevents the blocking of
other processes when dumps of large databases are taking place.
Tom Yu [Sat, 2 Aug 2014 18:20:33 +0000 (14:20 -0400)]
Use write lock flag for update_princ_encryption
In kdb5_util update_princ_encryption, instead of getting a write lock
on the KDB surrounding the call to krb5_db_iterate(), use the
iterflags parameter of krb5_db_iterate() to request that it obtain a
write lock around the iteration.
Neng Xue [Fri, 11 Jul 2014 23:04:42 +0000 (16:04 -0700)]
Add kiprop/<master-hostname> during KDB creation
To reduce the number of steps in the deployment of iprop, create the
kiprop/hostname principal for the master KDC during KDB creation.
Adjust tests to match the new behavior.
If we do not find a default ccache value from krb5-config and we
detect that the host platform is OS X 10.7 or higher, use KCM: as the
default ccache name instead of FILE:/tmp/krb5cc_%{uid}.
Add a new credential cache type "KCM" which performs cache operations
by speaking to a Heimdal or OS X KCM daemon, via either Unix domain
sockets or (on OS X only) Mach RPC. Add "kcm_socket" and
"kcm_mach_service" profile variables to control the socket path and
bootstrap service name respectively. In ccmarshal.c, add
k5_marshal_mcred to marshal matching credentials in the KCM protocol
representation.
This cache type is not currently supported on Windows, as Windows does
not support Unix domain sockets.
As with the keyring cache type, the lastchange method of this cache
type is mostly useless, reporting only the time of the last change
made through that cache handle. The KCM protocol currently has no
support for obtaining the last change time of the cache itself.
Make k5_marshal_cred and k5_marshal_princ write to an existing struct
k5buf instead of allocating a new one, so that they can be marshalled
before or after other data.
Make struct k5buf less opaque and get rid of k5buf-int.h. Make it
easy to initialize a k5buf in an error state so that it can be freed
in a cleanup handler. Add a function k5_buf_status which returns 0 or
ENOMEM. Remove k5_buf_data and k5_buf_len. Rename k5_free_buf to
k5_buf_free. Adjust all callers to match.
Add three new libprofile tests to prof_test1, two to test for the bugs
in #7971 and one to test a bug which would have been introduced by a
candidate fix.
profile_rename_section should demand only one name.
profile_add_relation should demand only one name if it is creating a
new section. It aso needs to reset state before calling
profile_find_node for the section, in case it didn't look up any
parent sections previously.
In profile_find_node, skip deleted nodes when finding the second
match. Otherwise, profile_clear_nodes could return an error if a node
has some values to clear but the last one is deleted.
In profile_node_iterator, skip deleted nodes when looking up the
section names. Otherwise we could iterate over a deleted section
and/or ignore its replacement.
To work around a historical bug in Samba, the SPNEGO initiator treats
a counterproposal as matching the optimistic token if both are aliases
for the krb5 mech. When IAKERB support was added (#6712), IAKERB was
unintentionally added to the set of mech OIDs which were considered to
be krb5 aliases for this purpose.
Remove IAKERB from gss_mech_set_krb5_both and create a new internal
mech set, kg_all_mechs, for use by krb5_gss_indicate_mechs.
When processing a continuation token, acc_ctx_cont was dereferencing
the initial byte of the token without checking the length. This could
result in a null dereference.
CVE-2014-4344:
In MIT krb5 1.5 and newer, an unauthenticated or partially
authenticated remote attacker can cause a NULL dereference and
application crash during a SPNEGO negotiation by sending an empty
token as the second or later context token from initiator to acceptor.
The attacker must provide at least one valid context token in the
security context negotiation before sending the empty token. This can
be done by an unauthenticated attacker by forcing SPNEGO to
renegotiate the underlying mechanism, or by using IAKERB to wrap an
unauthenticated AS-REQ as the first token.
David Woodhouse [Tue, 15 Jul 2014 16:54:15 +0000 (12:54 -0400)]
Fix double-free in SPNEGO [CVE-2014-4343]
In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
pointer sc->internal_mech became an alias into sc->mech_set->elements,
which should be considered constant for the duration of the SPNEGO
context. So don't free it.
CVE-2014-4343:
In MIT krb5 releases 1.10 and newer, an unauthenticated remote
attacker with the ability to spoof packets appearing to be from a
GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
(clients) which are using the SPNEGO mechanism, by returning a
different underlying mechanism than was proposed by the initiator. At
this stage of the negotiation, the acceptor is unauthenticated, and
the acceptor's response could be spoofed by an attacker with the
ability to inject traffic to the initiator.
Historically, some double-free vulnerabilities can be translated into
remote code execution, though the necessary exploits must be tailored
to the individual application and are usually quite
complicated. Double-frees can also be exploited to cause an
application crash, for a denial of service. However, most GSSAPI
client applications are not vulnerable, as the SPNEGO mechanism is not
used by default (when GSS_C_NO_OID is passed as the mech_type argument
to gss_init_sec_context()). The most common use of SPNEGO is for
HTTP-Negotiate, used in web browsers and other web clients. Most such
clients are believed to not offer HTTP-Negotiate by default, instead
requiring a whitelist of sites for which it may be used to be
configured. If the whitelist is configured to only allow
HTTP-Negotiate over TLS connections ("https://"), a successful
attacker must also spoof the web server's SSL certificate, due to the
way the WWW-Authenticate header is sent in a 401 (Unauthorized)
response message. Unfortunately, many instructions for enabling
HTTP-Negotiate in common web browsers do not include a TLS
requirement.
Greg Hudson [Mon, 16 Jun 2014 17:15:33 +0000 (13:15 -0400)]
Document LDAP SASL configuration
Document the LDAP SASL profile tags and DB options. For consistency,
also condense the kdc.conf documentation for the two bind DN variables
into one entry.
Greg Hudson [Mon, 16 Jun 2014 16:41:03 +0000 (12:41 -0400)]
Add SASL support to LDAP KDB module
Add variables for the SASL mechanism, authcid, authzid, and realm. If
a SASL mechanism is set, perform an interactive bind with that
mechanism. If <sasl/sasl.h> is found at build time, provide the
authcid, authzid, and realm in the interaction function, and provide a
SASL secret read from the service password file (under the authcid) if
we found one.
Based on a patch from Zoran Pericic <zpericic@netst.org>.
Greg Hudson [Mon, 9 Jun 2014 19:23:25 +0000 (15:23 -0400)]
Modernize some LDAP sources
Bring ldap_misc.c up to date with current practices and make limited
changes to other files. Of note:
* krb5_decode_krbsecretkey was freeing its bvalues argument; make that
the caller's responsibility.
* Make is_principal_in_realm and has_modify_increment return
krb5_boolean, reversing the sense of their results.
* Remove broken code path in decode_tl_data when an integer value has
a length other than 2 (which should never happen).
* Simplify krb5_ldap_readpassword and make it take filename/name
parameters instead of an LDAP context.
* Make krb5_ldap_bind (renamed to authenticate) responsible for
setting a useful error message, so that its caller doesn't assume
knowledge of the bind parameters.
* Make krb5_ldap_initialize (renamed to initialize_server) responsible
for updating the handle list, and remove the otherwise unused
krb5_update_ldap_handle.
* Remove remaining skeletal certificate support, including the unused
has_sasl_external_mech function.
* Remove unused krb5_get_containerdn and KDB_TL_CONTAINERDN.
* Remove kdb_xdr.h; all of its prototypes were for functions that
don't exist in the module or were duplicated in other headers.
* Remove krb5_ldap_get_strings and use ldap_get_values directly at
its call sites; there was no need to copy the result.
Make the configure option for TLS implementation more generic, in case
we use the k5tls module for something other than KDC proxy support.
Rename all of the associated symbols for consistency.
Greg Hudson [Sun, 22 Jun 2014 14:42:14 +0000 (10:42 -0400)]
Move KKDCP OpenSSL code to an internal plugin
Create an internal pluggable interface "tls" with one in-tree dynamic
plugin module named "k5tls". Move all of the OpenSSL calls to the
plugin module, and make the libkrb5 code load and invoke the plugin.
This way we do not load or initialize libssl unless an HTTP proxy is
used.
Remove copyright statement added to bindresvport.c
Andreas's copyright statement was added to the Oracle license
statement by mistake; the code changes made to turn bindresvport into
bindresvport_sa are minimal. Remove it with Andreas's permission.
In prng_fortuna.c, if krb5_c_random_make_octets detects that we do not
have entropy, set an error message saying that the random number
generator could not be seeded, as we likely failed previously to read
from /dev/urandom or the Windows equivalent.
Michael Mattioli [Tue, 15 Jul 2014 16:48:58 +0000 (12:48 -0400)]
Improve indentation of t_otp.py
Move the RADIUS attribute dictionary text to a global variable defined
at indent level 0, so that we don't go back to indent level 0 in the
middle of the RadiusDaemon class definition.
[ghudson@mit.edu: clarified commit message, moved comment, changed
variable name]
Lukas Slebodnik [Sat, 21 Jun 2014 14:43:12 +0000 (16:43 +0200)]
Avoid closing fd -1 in libkrad
If a krad_remote is released before its fd is set, we could close the
file descriptor -1, which is harmless but incorrect. Check the fd in
remote_disconnect to avoid this.
[ghudson@mit.edu: clarified commit message, minor style change]
Greg Hudson [Wed, 11 Jun 2014 03:53:31 +0000 (23:53 -0400)]
Fix several memory leaks in LDAP KDB modules
Fix memory leaks discovered by running valgrind over kdbtest, and some
related leaks. Many of them result from not calling ldap_msgfree
after an unsuccessful search (as the OpenLDAP documentation requires)
or after an exception following a search, so many of the fixes move or
add ldap_msgfree calls to cleanup labels.
ldap_osa_free_princ_ent was not used, and could not be used because it
frees the container while krb5_lookup_tl_kadm_data uses a
caller-allocated container. Change it to leave the container alone,
but to correctly destroy xdrs. Use it in krb5_ldap_put_principal
where princ_ent was leaked.
In krb5_ldap_put_principal, subtreelist is declared twice in interior
scopes and not properly freed; move it to function scope and free it
up in the cleanup label. Also in krb5_ldap_put_principal, avoiding
decoding multiple KBR5_TL_KADM_DATA values (which we don't expect to
see) as later decodes would cause earlier decodes to leak.
In krb5_encode_krbsecretkey, fix a leak of the krb5_data container and
also add an error check when calling asn1_encode_sequence_of_keys;
otherwise we would dereference a null pointer if we run out of memory
encoding keys (very unlikely).
glibc does not declare a number of common, useful extensions such as
asprintf unless _GNU_SOURCE is defined. Define it early in the
configure process so that it is available for autoconf tests.
Defining _GNU_SOURCE unfortunately causes glibc to use the non-POSIX
version of strerror_r, which we now handle using the k5-platform.h
wrapper.
Include autoconf.h (either directly or via proxy) before system
headers, so that feature test macros defined there can affect the
system namespace. Where include order was changed, eliminate some
redundant or unnecessary includes.
Take advantage of the strerror_r portability wrapper to simplify code
using it. Remove unused macros related to strerror_r in
ldap_service_stash.c and plugins.c.
On systems where strerror_r is not the POSIX version, define it to
k5_strerror_r. Implement k5_strerror_r in libkrb5support using
strerror_s, strerror, or the GNU strerror_r as appropriate.
Remove code to set or reference the length fields of socket addresses
(sa_len/sin_len/sin6_len), since they aren't portable and setting them
is not required. Remove autoconf tests for those fields which are no
longer used or which were never used.
There is one exception: in localaddr.c, we still neeed to reference
sa_len for the definition of ifreq_size on platforms which have
sa_len. Leave that behind, along with the autoconf test which defines
SA_LEN.
In socket-utils.h, replace the socklen macro with an inline function
sa_socklen which always uses the address family, even on platforms
with the sa_len sockaddr field. This removes the need to set sa_len
in socket addresses we construct.
In setup_udp_port_1, remove the haddrbuf parameter and use paddr like
we already do for one of the log messages. In setup_udp_port, remove
the long switch statement and just look for AF_INET/AF_INET6
addresses. Split up udp_flags into two booleans for clarity. Update
the comment in loop_setup_network since we did the "To do" item a long
time ago.
Ben Kaduk [Thu, 3 Jul 2014 14:42:21 +0000 (10:42 -0400)]
Fix build on systems without RTM_OLD*
For example, FreeBSD has removed RTM_OLDADD and RTM_OLDDEL from its API
in March 2014, with the message:
Garbage collect long time obsoleted (or never used) stuff from routing API
Only attempt to define behavior for these cases if they are defined.
Tom Yu [Wed, 2 Jul 2014 20:13:23 +0000 (16:13 -0400)]
Fix bugs in bindresvport_sa() changes
In svctcp_create() and svcudp_bufcreate(), set sa->sa_len on platforms
where that field exists, so that a subsequent call to socklen() will
return the correct result.
To make the code more self-evidently correct, zero the entire struct
sockaddr_storage object, using the memset(&ss, 0, sizeof(ss)) idiom.
Greg Hudson [Thu, 12 Jun 2014 18:34:26 +0000 (14:34 -0400)]
Remove indent workaround in man page RST sources
docutils 0.10 properly adds indentation to example blocks in man
pages, so we do not need to force an extra indentation level. Get rid
of the workaround wherever we use it.
Neng Xue [Mon, 30 Jun 2014 21:04:56 +0000 (14:04 -0700)]
Fix unlikely null dereference in TGS client code
If krb5_get_tgs_ktypes fails (due to an out-of-memory condition or an
error re-reading the profile), k5_make_tgs_req will dereference a null
pointer. Check the return value before dereferencing defenctypes.
Make clnttcp_create, clntudp_bufcreate, svctcp_create, and
svcudp_bufcreate work with unbound IPv6 sockets using bindresvport_sa
and other socket helpers. For caller-supplied sockets, call
getsockname to determine the address family we should attempt to bind.
[ghudson@mit.edu: clarified commit message, minimized code changes,
used socket-utils.h helpers, fixed fallback find on bindresvport
failure, restored getsockaddr call to get port after binding]
This functions allows you to pass IPv4 and IPv6 addresses. If no
address is given, t will determine the family by checking the socket
with getsockname.
[ghudson@mit.edu: clarified commit message, split out setport helper,
squashed with next commit, minimized code changes from old
bindresvport, used socket-utils.h helpers]
Greg Hudson [Wed, 18 Jun 2014 16:58:39 +0000 (12:58 -0400)]
Fix KDC worker process argument parsing
To create worker processes, the KDC shuts down realms, forks off the
worker processes, then reinitializes realms in each child.
Reinitializing realms requires making a second pass over the
command-line arguments. To do this with getopt, optind must be
reinitialized to 1 for each pass; otherwise, no options will be seen
the second time around.
Greg Hudson [Thu, 19 Jun 2014 17:49:16 +0000 (13:49 -0400)]
Handle invalid RFC 1964 tokens [CVE-2014-4341...]
Detect the following cases which would otherwise cause invalid memory
accesses and/or integer underflow:
* An RFC 1964 token being processed by an RFC 4121-only context
[CVE-2014-4342]
* A header with fewer than 22 bytes after the token ID or an
incomplete checksum [CVE-2014-4341 CVE-2014-4342]
* A ciphertext shorter than the confounder [CVE-2014-4341]
* A declared padding length longer than the plaintext [CVE-2014-4341]
If we detect a bad pad byte, continue on to compute the checksum to
avoid creating a padding oracle, but treat the checksum as invalid
even if it compares equal.
CVE-2014-4341:
In MIT krb5, an unauthenticated remote attacker with the ability to
inject packets into a legitimately established GSSAPI application
session can cause a program crash due to invalid memory references
when attempting to read beyond the end of a buffer.
In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote
attacker with the ability to inject packets into a legitimately
established GSSAPI application session can cause a program crash due
to invalid memory references when reading beyond the end of a buffer
or by causing a null pointer dereference.
Greg Hudson [Wed, 25 Jun 2014 15:41:54 +0000 (11:41 -0400)]
Load plugins with RTLD_NODELETE if possible
On platforms which support RTLD_NODELETE, use it to load plugin
modules. While using this flag makes plugins stay in the process map
after libkrb5/libgssapi_krb5 are unloaded, it solves several problems:
1. It prevents plugin modules which link against OpenSSL (PKINIT and
k5tls) from repeatedly initializing instances of libssl or libcrypto,
leaking heap memory each time. This is only an issue because we
cannot safely uninitialize OpenSSL.
2. It prevents finalization ordering issues from causing a process
crash when unloading libgssapi_krb5 (issue #7135).
3. It makes memory leak tracing with valgrind easier.
Nalin Dahyabhai [Wed, 25 Jun 2014 16:56:42 +0000 (12:56 -0400)]
Fix unlikely null dereference in mk_cred()
If krb5_encrypt_keyhelper() returns an error, the ciphertext structure
may contain a non-zero length, but it will already have freed the
pointer to its data, making encrypt_credencpart()'s subsequent attempt
to clear and free the memory fail. Remove that logic.
Greg Hudson [Sat, 14 Jun 2014 15:23:08 +0000 (11:23 -0400)]
Fix error checking in PKINIT authdata creation
In create_identifiers_from_stack: check for allocation errors from
PKCS7_ISSUER_AND_SERIAL_new and M_ASN1_INTEGER_dup. Use
PKCS7_ISSUER_AND_SERIAL_free to more concisely clean up the OpenSSL
issuer variable, and make sure that any partially processed value is
cleaned up on error. Use calloc to allocate krb5_cas so that all of
its pointers are initially nulled, so that
free_krb5_external_principal_identifier can operate on it safely in
case of error. Eliminate the retval variable as it was not used
safely. Rename the error label from "cleanup" to "oom" and separate
it from the successful return path (which has nothing to clean up).
Greg Hudson [Mon, 16 Jun 2014 19:46:09 +0000 (15:46 -0400)]
Consolidate DB option documentation
Document DB options in the kadmin/kadmin.local man page, in their own
section. Refer to that section from the documentation of the -x
parameter of each other command which supports DB options. Add
documentation for the "dbname" DB2 option.
Ben Kaduk [Fri, 13 Jun 2014 18:59:39 +0000 (14:59 -0400)]
Update the kadm5.acl example
Make the example and documentation a closer match to reality.
In particular, the list permission is all-or-nothing; it is not
restricted in scope by the target_principal field. Change the
table entry to try and indicate this fact, and do not put list
permissions on any example line that is scoped by a target_principal
pattern.
While here, remove the nonsensical granting of global inquire
permissions to */* (inaccurately described as "all principals"),
and the granting of privileges to foreign-realm principals.
It is not possible to obtain an initial ticket (as required by
the kadmin service) for a principal in a different realm, and
the current kadmind implementation can serve only a single realm
at a time -- this permission literally has no effect. Replace
it with a (presumably automated) "Service Management System"
example, where it might make sense to limit the principals which
are automatically created.
Greg Hudson [Sat, 7 Jun 2014 03:24:00 +0000 (23:24 -0400)]
Remove pkinit_win2k_require_binding option
When constructing a draft9 PKINIT request, always include
KRB5_PADATA_AS_CHECKSUM padata to ask for an RFC 4556 ReplyKeyPack.
Do not accept a draft9 ReplyKeyPack in the KDC response.
For now, retain the krb5_reply_key_pack_draft9 ASN.1 codec and the KDC
support for generating a draft9 ReplyKeyPack when a draft9 PKINIT
request does not contain KRB5_PADATA_AS_CHECKSUM.
Greg Hudson [Sat, 7 Jun 2014 02:48:04 +0000 (22:48 -0400)]
Remove PKINIT longhorn compatibility option
Remove the PKINIT Windows Server 2008 beta compatibility code
conditionalized under the "longhorn" variable. It is not required to
interoperate with any released version of Windows.
Greg Hudson [Fri, 6 Jun 2014 21:41:51 +0000 (17:41 -0400)]
Improve PKINIT certificate documentation
Describe how to use a commercially-issued server certificate for
anonymous PKINIT. Separate the KDC and client configuration
instructions so that the steps necessary for anonymous PKINIT are not
combined with the additional steps necessary for regular PKINIT.
Describe kpServerAuth as the EKU used in commercially issued server
certificates, not as the value used by Microsoft (which does not
appear to be true according to [MS-PKCA]).
Greg Hudson [Tue, 3 Jun 2014 15:48:13 +0000 (11:48 -0400)]
Simplify and fix k5_check_cert_address
Get rid of the address union. Store the result of get_cert_cn in a
signed variable so we can meaningfully check for negative results.
Make get_cert_cn return int for consistency with
X509_NAME_get_text_by_NID and its two callers.
Also add an emacs mode line to the top of the file.
Greg Hudson [Fri, 6 Jun 2014 21:56:23 +0000 (17:56 -0400)]
Remove stub pkinit_win2k code
As contributed, the PKINIT module contained code to read the
pkinit_win2k variable, but never used it. Get rid of the structure
field and the code to populate it.
Greg Hudson [Wed, 4 Jun 2014 20:18:21 +0000 (16:18 -0400)]
Add missing profile functions to libkrb5 exports
profile_flush_to_buffer, profile_flush_to_file, profile_free_buffer,
profile_init_flags, and profile_init_vtable are all public profile
functions, but are inaccessible to libkrb5 applications on some
platforms because they were never added to the export list. Add them
now.
(libprofile functions have never been part of the Windows DLL export
list, so do not change krb5_32.def at this time.)
Greg Hudson [Thu, 5 Jun 2014 16:03:16 +0000 (12:03 -0400)]
Simplify ticket retrieval from AP-REQs
After krb5_rd_req_decoded or krb5_rd_req_decoded_anyflag, the ticket
(with enc_part2 if we could decrypt it) is accessible via
request->ticket; there is no need to copy it. Stop using the ticket
parameter of those functions. Where we need to save the ticket beyond
the lifetime of the krb5_ap_req, steal the pointer before freeing the
request.
rbasch [Tue, 3 Jun 2014 22:44:17 +0000 (18:44 -0400)]
In KDC, log client principal in bad header ticket
Fix KDC logging to include client principal in TGS_REQ logging even
during error conditions such as "Ticket expired". As long as the
TGS_REQ can be decrypted and the client principal is available, it
should be included in the log, regardless of other errors which might
be detected.
krb5_rd_req_decoded and krb5_rd_req_decoded_anyflag (not public
interfaces) now leave the decrypted ticket in req->ticket->enc_part2
on success or failure, if the ticket was successfully decrypted. This
does not affect the behavior of krb5_rd_req.
[ghudson@mit.edu: removed extraneous change, added commit message
summary and description of internal API change, fixed possible memory
leak, removed comment and #if 0 code block of purely historical
interest]
Sam Hartman [Wed, 4 Jun 2014 16:06:27 +0000 (12:06 -0400)]
Do not loop on add_cred_from and other new methods
Several new GSS-API methods were added but GSSAPI_ADD_METHOD was
called to add them rather than GSSAPI_ADD_METHOD_NOLOOP. This means
that the implementation from the GSS-API mechglue would be used if the
mechanism had no implementation. As a result, the mechglue will call
into itself exhausting the call stack in an endless loop when one of
these methods is called.
Greg Hudson [Fri, 23 May 2014 23:58:41 +0000 (19:58 -0400)]
Treat LDAP KrbKey salt field as optional
Per the ASN.1 definition, the KrbKey salt field is optional. Since
1.7, we have been treating it as mandatory in the encoder; since 1.11,
we have been treating it as mandatory in the decoder. Mostly by luck,
we have been encoding a salt type of 0 when key_data_ver is 1, but we
really should not be looking at key_data_type[1] or key_data_length[1]
in this situation. Treat the salt field as optional in the encoder
and decoder. Although the previous commit ensures that we continue to
always encode a salt (without any dangerous assumptions about
krb5_key_data constructors), this change will allow us to decode key
data encoded by 1.6 without salt fields.
This also fixes issue #7918, by properly setting key_data_ver to 2 if
a salt type but no salt value is present. It is difficult to get the
decoder to actually assign 2 to key_data_ver just because the salt
field is there, so take care of that in asn1_decode_sequence_of_keys.
Adjust kdbtest.c to match the new behavior by setting key_data_ver to
2 in both test keys.
Greg Hudson [Sun, 25 May 2014 02:58:26 +0000 (22:58 -0400)]
Always include salt in LDAP KrbKey encoding
In the LDAP KDB module, ensure that every krb5_key_data we pass to
asn1_encode_sequence_of_keys includes a salt type, for compatibility
with the decoder in unpatched krb5 1.11 and 1.12.
This is not a behavior change by itself; since 1.7 the encoder has
always included a KrbKey salt field because it erroneously treats that
field as non-optional. (Luckily, the encoded salt always happens to
have salt type 0 because krb5_key_data constructors start with zeroed
memory.) The next commit will fix the encoder and decoder to properly
treat the KrbKey salt field as optional, so we need this change to
ensure that our encodings remain compatible.
Also fix the ASN.1 tests to set key_data_ver correctly for the sample
test key data.
Greg Hudson [Thu, 29 May 2014 03:51:49 +0000 (23:51 -0400)]
Read /etc/gss/mech if no mech.d/*.conf found
Always read /etc/gss/mech, even if globbing /etc/gss/mech.d/*.conf
doesn't work. Doing this using GLOB_DOOFFS proved error-prone, so use
a simpler approach: factor out the per-pathname handling into a helper
function load_if_changed, call it with MECH_CONF before the glob, then
pass each glob result through the helper.
Greg Hudson [Sun, 1 Jun 2014 14:44:51 +0000 (10:44 -0400)]
Remove stub pkinit_mapping_file code
As contributed, the PKINIT code contained code to read a mapping
filename, but never used the resulting structure variable. Get rid of
the structure field and the code to populate it.
Nalin Dahyabhai [Fri, 7 Feb 2014 23:56:10 +0000 (18:56 -0500)]
Add tests for MS-KKDCP client support
Exercise the MS-KKDCP client support using the test proxy server, for
AS, TGS, and kpasswd requests while also checking the certificate
verification and name checks.
projects / thirdparty / krb5.git / log
