Greg Hudson [Tue, 25 May 2010 02:44:45 +0000 (02:44 +0000)]
FAST negotiation could erroneously succeed
When FAST negotiation is performed against an older KDC
(rep->enc_part2->flags & TKT_FLG_ENC_PA_REP not set),
krb5int_fast_verify_nego did not set the value of *fast_avail, causing
stack garbage to be used in init_creds_step_reply. Initialize
*fast_avail at the beginning of the function per coding practices.
Greg Hudson [Sun, 23 May 2010 20:23:31 +0000 (20:23 +0000)]
Make signedpath authdata visible via GSS naming exts
Merge users/lhoward/signedpath-naming-exts to trunk. Adds an authdata
provider which makes non-PAC S4U2Proxy signedpath authdata visible to
application servers via GSS naming extensions.
Greg Hudson [Fri, 21 May 2010 19:29:04 +0000 (19:29 +0000)]
Remove a non-functional and unnecessary check in kdb5_util's
master_key_convert(). (key_data->key_data_length is an array, so its
address is never null.)
Greg Hudson [Fri, 21 May 2010 03:08:18 +0000 (03:08 +0000)]
Document the disable_last_success and disable_lockout variables in
krb5.conf.M. Also document database_name in krb5.conf.M and slightly
adjust the wording in admin.texinfo.
Tom Yu [Thu, 20 May 2010 20:42:26 +0000 (20:42 +0000)]
kdc_tcp_ports not documented in kdc.conf.M
The kdc.conf setting kdc_tcp_ports was not documented in kdc.conf.M,
though it was documented in doc/admin.texinfo. Copy text from there
for now. The setting defaults to an empty string at the moment,
causing the KDC to not listen on TCP by default, confusing some users.
Changing this behavior is a separate issue.
Greg Hudson [Thu, 20 May 2010 15:13:06 +0000 (15:13 +0000)]
In gss_acquire_cred_with_password() and gss_add_cred_with_password(),
require desired_name to be set, and always honor it. This is
consistent with the Sun implementation and simplifies the code.
Greg Hudson [Tue, 18 May 2010 17:19:15 +0000 (17:19 +0000)]
When parsing a KDC or admin server string, allow the name or address
to be enclosed in brackets so that IPv6 addresses can be represented.
(IPv6 addresses contain colons, which look like port separators.)
Greg Hudson [Tue, 18 May 2010 16:17:15 +0000 (16:17 +0000)]
Improve the error message from kadmin when hostname resolution fails
for the admin server. (The extended message won't be displayed by
kadmin currently; that's a separate issue.)
Greg Hudson [Mon, 17 May 2010 20:38:24 +0000 (20:38 +0000)]
If gss_inquire_cred is called with a null credential, acquire a
default initiator credential and process it normally, instead of using
a completely different code path (the default mechanism's inquire_cred
handler).
Greg Hudson [Mon, 17 May 2010 20:01:29 +0000 (20:01 +0000)]
The mechglue always passes null for desired_mechs and actual_mechs
when invoking gss_acquire_cred and friends. Eliminate a lot of unused
and untestable logic in the krb5 mech which processed those arguments.
Greg Hudson [Mon, 17 May 2010 17:11:28 +0000 (17:11 +0000)]
The mechglue never invokes a mech's gss_add_cred function. Remove the
krb5 mech's add_cred implementation and null it out in the table.
(This has the effect of removing the IAKERB add_cred implementation.
SPNEGO already had it nulled out.)
Greg Hudson [Thu, 13 May 2010 17:34:33 +0000 (17:34 +0000)]
Negative enctypes improperly read from keytabs
When reading enctypes from keytabs, we need to ntohs() the 16-bit
value we read in before sign-extending it to a 32-bit value in the
keyblock, or we run the risk of extending the wrong sign.
Greg Hudson [Wed, 12 May 2010 20:49:11 +0000 (20:49 +0000)]
Reimplement krb5_get_in_tkt_with_skey in terms of krb5_get_init_creds,
similar to how the password and keytab equivalents were done.
Eliminate krb5_get_in_tkt. It's been very hard to use since we made
krb5_kdc_rep_decrypt_proc private (in krb5 1.7 the prototype was taken
out of krb5.h altogether), and it's unlikely that anything would have
used it directly in the first place.
Remove and/or simplify a lot of code depended on by krb_get_in_tkt,
including all of preauth.c.
Greg Hudson [Mon, 10 May 2010 22:42:04 +0000 (22:42 +0000)]
Add lockout-related performance tuning variables
The account lockout feature of krb5 1.8 came at a cost in database
accesses for principals requiring preauth, even if lockout is not
used. Add dbmodules variables disable_last_success and
disable_lockout for the DB2 and LDAP back ends, allowing the admin to
recover the lost performance at the cost of new functionality.
(Unrelated documentation fix: document database_name as a DB2-specific
dbmodules variable instead of the realm variable it used to be.)
Greg Hudson [Mon, 10 May 2010 22:23:57 +0000 (22:23 +0000)]
Make KADM5_FAIL_AUTH_COUNT_INCREMENT more robust with LDAP
In krb5_ldap_put_principal, use krb5_get_attributes_mask to determine
whether krbLoginFailedCount existed on the entry when it was
retrieved. If it didn't exist, don't try to use LDAP_MOD_INCREMENT,
and don't assert an old value when not using LDAP_MOD_INCREMENT.
Also, create the krbLoginFailedCount attribute when creating new
entries. This allows us to use LDAP_MOD_INCREMENT during the first
failed login (if the server supports it), avoiding a race condition.
Greg Hudson [Tue, 4 May 2010 05:44:07 +0000 (05:44 +0000)]
Refactor the kdb_db2.c code which processes db_args and profile
variables to configure a DB context, to avoid repeating that code
three times in open/create/destroy.
Greg Hudson [Mon, 3 May 2010 19:02:16 +0000 (19:02 +0000)]
Eliminate the use of variables for format strings in kdb5_util. Many
were unused, and localization will probably be done through _()
macros, not collecting all the strings together. Elminates a number
of format-security static analysis defects.
Greg Hudson [Sat, 1 May 2010 17:53:04 +0000 (17:53 +0000)]
Fix some bugs in the IAKERB code discovered by Coverity. Also trim
down iakerb_initiator_step() a little using krb5_data constructors
and avoiding vertical function arguments.
Add IAKERB mechanism and gss_acquire_cred_with_password
Merge branches/iakerb to trunk. Includes the following:
* New IAKERB mechanism.
* New gss_acquire_cred_with_password mechglue function.
* ASN.1 encoders and decoders for IAKERB structures (with tests).
* New shortcuts in gss-sample client and server.
* Tests to exercise SPNEGO and IAKERB using gss-sample application.
Eliminate the use of tail -f in the dejagnu test suite. Instead, use
the sentinel lines printed by krb5kdc and kadmind to detect when the
listening sockets are ready.
Run Python tests as individual rule commands (friendlier to make -k)
instead of in a loop. Build runenv.py as part of make fake-install;
it's harmless if Python is unavailable. Import runenv later in
k5test so that we get a beter error message if make fake-install
hasn't been run.
Eliminate a non-useful NULL check in the KDC's dispatch() function.
If process_as_req or process_tgs_req return successfully, they will
always fill in *response. (If they didn't, the subsequence
(*response)->length check would crash anyway.)
In the kdc5_hammer test program, simplify the cleanup logic of
get_server_key. Fixes a memory leak where the result of
krb5_get_credentials() didn't get freed if krb5_mk_req_extended()
failed.
When setting up to get a TGT for the service realm in the TGS code,
get the cached local TGT before setting up the realm path.
Prior to this change, calling krb5_get_credentials() with an empty
ccache would result in KRB5_CC_NOTFOUND for a foreign server
principal, but would result in KRB5_NO_TKT_IN_REALM (generated by
krb5_walk_realm_tree) for a local server principal. With this change,
KRB5_CC_NOTFOUND is returned in both cases.
Add KRB5_INIT_CREDS_STEP_FLAG_CONTINUE for parity with Heimdal.
Rename KRB5_TKT_CREDS_CONTINUE to KRB5_TKT_CREDS_STEP_FLAG_CONTINUE
for consistency.
Adjust init_creds context to be less confusing in light of the above.
Tom Yu [Fri, 16 Apr 2010 21:45:22 +0000 (21:45 +0000)]
Build runenv.py, holding environment variable settings required for
running programs out of the build tree during python-based tests.
Also updates shilb.conf to set RUN_VARS to make it easier to generate
this sort of thing.
Merged from branches/iakerb: add new asynchronous krb5_tkt_creds APIs,
which allow a caller to take responsibility for transporting requests
to the KDC and getting responses back. Rewrite the existing
krb5_get_credentials API in terms of the new functions. Get rid of
krb5_get_cred_from_kdc and friends, since they are no longer used.
The validate and renew APIs were using get_cred_from_kdc, which
always presents a TGT to get credentials. Instead, they should
present the ticket they are trying to validate or renew. This is
most easily done with krb5_get_cred_via_tkt(). Move the relevant
code into a new file since it now has nothing in common with the
other APIs implemented in get_creds.c.
Greg Hudson [Mon, 29 Mar 2010 22:08:21 +0000 (22:08 +0000)]
Fix backwards flag output in krb5_init_creds_step()
krb5_init_creds_step() is taken from Heimdal, which sets *flags to 1
for "continue" and 0 for "stop". Unfortunately, we got it backwards
in 1.8; fix it for 1.8.1.
Greg Hudson [Fri, 26 Mar 2010 22:43:11 +0000 (22:43 +0000)]
In gc_frm_kdc.c, rename cur_kdc to cur_realm and nxt_kdc to nxt_realm,
to make it easier to distinguish them from cur_tgt and nxt_tgt. Make
similar name changes to lst_kdc and kdc_list, as well as the function
find_nxt_kdc().
Greg Hudson [Thu, 25 Mar 2010 03:08:12 +0000 (03:08 +0000)]
Straighten the if-ladder in encrypted challenge's process_preauth,
making it clearer that control drops through if one of the first
couple of steps fails.
Tom Yu [Tue, 23 Mar 2010 06:09:02 +0000 (06:09 +0000)]
krb5_typed_data not castable to krb5_pa_data on 64-bit MacOSX
Move krb5_typed_data to krb5.hin from k5-int-pkinit.h because
krb5int_fast_process_error was assuming that it was safe to cast it to
krb5_pa_data. It's not safe to do the cast on 64-bit MacOSX because
krb5.hin uses #pragma pack on that platform.
Greg Hudson [Sat, 20 Mar 2010 03:50:06 +0000 (03:50 +0000)]
Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
KRB5_AUTHDATA_SIGNTICKET, originally a Heimdal authorization data
type, was used to implement PAC-less constrained delegation in krb5
1.8. Unfortunately, it was found that Microsoft was using 142 for
other purposes, which could result in a ticket issued by an MIT or
Heimdal KDC being rejected by a Windows Server 2008 R2 application
server. Because KRB5_AUTHDATA_SIGNTICKET is only used to communicate
among a realm's KDCs, it is relatively easy to change the number, so
MIT and Heimdal are both migrating to a new number. This change will
cause a transitional interoperability issue when a realm mixes MIT
krb5 1.8 (or Heimdal 1.3.1) KDCs with MIT krb5 1.8.1 (or Heimdal
1.3.2) KDCs, but only for constrained delegation evidence tickets.
projects / thirdparty / krb5.git / log
