Greg Hudson [Thu, 28 Jan 2010 21:39:31 +0000 (21:39 +0000)]
Handle migration from pre-1.7 databases with master key kvno != 1
krb5_dbe_lookup_mkvno assumes an mkvno of 1 for entries with no
explicit tl_data. We've seen at least one pre-1.7 KDB with a master
kvno of 0, violating this assumption. Fix this as follows:
* krb5_dbe_lookup_mkvno outputs 0 instead of 1 if no tl_data exists.
* A new function krb5_dbe_get_mkvno translates this 0 value to the
minimum version number in the mkey_list. (krb5_dbe_lookup_mkvno
cannot do this as it doesn't take the mkey_list as a parameter.)
* Call sites to krb5_dbe_lookup_mkvno are converted to
krb5_dbe_get_mkvno, except for an LDAP case where it is acceptable
to store 0 if the mkvno is unknown.
Greg Hudson [Wed, 27 Jan 2010 03:52:52 +0000 (03:52 +0000)]
Get rid of kdb_ext.h and allow out-of-tree KDB plugins
Move the contents of kdb_ext.h into kdb.h, since there is no meaningful
"extensions" category of DB interfaces now that this stuff is in our
tree. Allows out-of-tree KDB plugins to be built since we install
kdb.h.
Tom Yu [Tue, 26 Jan 2010 22:55:07 +0000 (22:55 +0000)]
define MIN() in lib/gssapi/krb5/prf.c
Apply patch from Doug Engert to define MIN(), which was causing prf.c
to fail compilation on Solaris. (The definition was probably leaking
from sys/param.h, included indirectly somehow.)
Greg Hudson [Tue, 19 Jan 2010 23:35:39 +0000 (23:35 +0000)]
Add krb5_allow_weak_crypto API
Add an API to allow apps to override the profile setting of
allow_weak_crypto, so that aklog can work with krb5 1.8 out of the box
until OpenAFS finishes migrating away from DES.
Greg Hudson [Thu, 14 Jan 2010 16:09:24 +0000 (16:09 +0000)]
Make history key exempt from permitted_enctypes
In kdb_init_hist, just use the first key entry in the kadmin/history
entry. This makes the history key work even if the enctype is
disallowed by allow_weak_crypto=false or other configuration.
Greg Hudson [Tue, 12 Jan 2010 01:05:37 +0000 (01:05 +0000)]
Simplify and fix FAST check for keyed checksum type
Use krb5_c_is_keyed_checksum to detect unkeyed checksums when handling
FAST requests. The old check was broken for 1.8 because
krb5_c_verify_checksum got pickier about invalid keyblocks.
Zhanna Tsitkov [Mon, 11 Jan 2010 15:19:42 +0000 (15:19 +0000)]
Group together the funtions related to the supplying options to preauth plugin modules.
Also, removed krb5int_ prefix from the names of some static functions in gic_opt.c.s
Ezra Peisach [Sat, 9 Jan 2010 16:02:13 +0000 (16:02 +0000)]
krb5int_pbkdf2_hmac_sha1 fails to set enctype on keyblock
krb5int_pbkdf2_hmac_sha1 fails to set enctype on a termporary keyblock
- resulting in valgrind picking up on a conditional branch w/ unset
value. Initialize value.
Greg Hudson [Fri, 8 Jan 2010 02:43:21 +0000 (02:43 +0000)]
Restore interoperability with 1.6 addprinc -randkey
The arcfour string-to-key operation in krb5 1.7 (or later) disagrees
with the dummy password used by the addprinc -randkey operation in
krb5 1.6's kadmin client, because it's not valid UTF-8. Recognize the
1.6 dummy password and use a random password instead.
Ezra Peisach [Fri, 8 Jan 2010 02:12:24 +0000 (02:12 +0000)]
yarrow code does not initialize keyblock enctype and uses unitialized value
The yarrow code uses a keyblock that is partially initialized. This results
in krb5_k_free_key trying to look up the enctype to call the free handler.
One of the valgrind reports: (there are several paths)
==26701== Conditional jump or move depends on uninitialised value(s)
==26701== at 0x40E9AF0: find_enctype (etypes.h:81)
==26701== by 0x40E9C9E: krb5_k_free_key (key.c:91)
==26701== by 0x40D641A: krb5int_yarrow_cipher_init (ycipher.c:49)
==26701== by 0x40D593A: yarrow_gate_locked (yarrow.c:578)
==26701== by 0x40D5349: krb5int_yarrow_output_Block (yarrow.c:423)
==26701== by 0x40D581B: yarrow_output_locked (yarrow.c:553)
==26701== by 0x40D5667: krb5int_yarrow_output (yarrow.c:513)
==26701== by 0x40EBD2D: krb5_c_random_make_octets (prng.c:112)
==26701== by 0x40D4119: krb5int_old_encrypt (old_aead.c:97)
==26701== by 0x40E9696: krb5_k_encrypt_iov (encrypt_iov.c:42)
==26701== by 0x8049554: main (t_encrypt.c:206)
==26701==
Ezra Peisach [Fri, 8 Jan 2010 01:51:19 +0000 (01:51 +0000)]
krb5int_derive_key results in cache with uninitialized values
krb5int_derive_key creates a temporary keyblock to add to the derived cache.
krb5_k_free_key will iterate over the derived keys and for ones with cache will
lookup the enctype for the key_cleanup handler.
Unfortunatly, there isn't a keyblock init function that does not allocate the
keyblock - as I suspect this problem will appear in other places.
The valgrind log of this problem is:
==7281== Conditional jump or move depends on uninitialised value(s)
==7281== at 0x40E9AE8: find_enctype (etypes.h:81)
==7281== by 0x40E9C96: krb5_k_free_key (key.c:91)
==7281== by 0x40E9C52: krb5_k_free_key (key.c:86)
==7281== by 0x40EBB00: krb5_c_prf (prf.c:87)
==7281== by 0x40E7B1B: prf_plus (cf2.c:77)
==7281== by 0x40E7CE6: krb5_c_fx_cf2_simple (cf2.c:125)
==7281== by 0x804899C: main (t_cf2.c:70)
==7281==
Greg Hudson [Wed, 6 Jan 2010 23:44:04 +0000 (23:44 +0000)]
Make krb5_dbe_def_search_enctype more consistent about when it returns
KRB5_KDB_NO_PERMITTED_KEY. Now it will return that error if it sees
any non-permitted enctypes which match the search criteria.
Greg Hudson [Mon, 4 Jan 2010 21:22:00 +0000 (21:22 +0000)]
Add preauth_module_dir support to the KDC preauth module loader
(should have been part of r23531). Most or all of this logic should
be moved into the plugin code or a layer above it, after the branch.
Sam Hartman [Mon, 4 Jan 2010 19:59:16 +0000 (19:59 +0000)]
Bring back krb5_kt_free_entry which really does the same thing as
krb5_free_keytab_entry_contents per discussion on krbdev in order to
avoid breaking samba builds.
Ken Raeburn [Sun, 3 Jan 2010 23:39:12 +0000 (23:39 +0000)]
Enable caching of key-derived context info such as key schedules from
one encryption operation to another. Use a new function in the
enc_provider structure for cleanup. Implement caching of aes_ctx
values.
Using Greg's performance tests from the derived-key caching work, on a
2.8GHz Xeon, I see 1 million AES-128 encryptions of 16 bytes improved
by 5-6%; encryptions of 1024 bytes and checksums are not significantly
affected.
Ezra Peisach [Fri, 1 Jan 2010 16:41:04 +0000 (16:41 +0000)]
Change db_args from being a global to only defined in the function
that uses it. This removes a warning of shadowed variable names. Change
several functions to static when limited to main.c
Russ Allbery [Fri, 1 Jan 2010 05:09:57 +0000 (05:09 +0000)]
Add a new -P option to krb5kdc and kadmind which, if given, specifies
the path to which to write the PID file of the daemon after it finishes
initializing.
Russ Allbery [Thu, 31 Dec 2009 04:21:34 +0000 (04:21 +0000)]
Fix spelling and hyphen errors in man pages
Fix spelling errors in man pages detected by Debian's Lintian program.
Also escape some -'s that are intended to be literal ASCII dashes and
not Unicode hyphens so that groff won't change them into true hyphens.
Ken Raeburn [Thu, 31 Dec 2009 04:07:03 +0000 (04:07 +0000)]
NetBSD 5.0.1 uses an OpenSSL snapshot that describes itself as 0.9.9,
and has the EVP_PKEY_decrypt API change that was already being worked
around for OpenSSL 1.0.0. Work around it for 0.9.9 too.
Tom Yu [Tue, 29 Dec 2009 02:42:51 +0000 (02:42 +0000)]
MITKRB5-SA-2009-003 CVE-2009-3295 KDC null deref in referrals
On certain error conditions, prep_reprocess_req() calls kdc_err() with
a null pointer as the format string, causing a null dereference and
denial of service. Legitimate protocol requests can trigger this
problem.
Greg Hudson [Mon, 28 Dec 2009 20:13:39 +0000 (20:13 +0000)]
Add dejagnu test suite support for finding the preauth modules in the
fake install. Not yet tested, except to verify that it doesn't break
the existing test suite.
Greg Hudson [Mon, 28 Dec 2009 19:59:10 +0000 (19:59 +0000)]
Add a new profile variable preauth_module_dir, which specifies
directories to look for preauth plugins in prior to the hardcoded
locations. Undocumented for now since, like db_module_dir, this is
mostly intended for the test suite.
Greg Hudson [Mon, 28 Dec 2009 19:25:09 +0000 (19:25 +0000)]
Move krb5_get_profile back to init_os_ctx.c for now and revert r23519.
At this time we link t_etypes against init_ctx.so during "make check",
which breaks if init_ctx contains reference to the profile library.
More general solutions to this problem are under discussion.
Sam Hartman [Mon, 28 Dec 2009 17:15:30 +0000 (17:15 +0000)]
Anonymous support for Kerberos
This ticket implements Project/Anonymous pkinit from k5wiki. Provides
support for completely anonymous principals and untested client
support for realm-exposed anonymous authentication.
* Introduce kinit -n
* Introduce kadmin -n
* krb5_get_init_creds_opt_set_out_ccache aliases the supplied ccache
* No longer generate ad-initial-verified-cas in pkinit
* Fix pkinit interactions with non-TGT authentication
projects / thirdparty / krb5.git / log
