Greg Hudson [Mon, 4 Jan 2010 21:22:00 +0000 (21:22 +0000)]
Add preauth_module_dir support to the KDC preauth module loader
(should have been part of r23531). Most or all of this logic should
be moved into the plugin code or a layer above it, after the branch.
Sam Hartman [Mon, 4 Jan 2010 19:59:16 +0000 (19:59 +0000)]
Bring back krb5_kt_free_entry which really does the same thing as
krb5_free_keytab_entry_contents per discussion on krbdev in order to
avoid breaking samba builds.
Ken Raeburn [Sun, 3 Jan 2010 23:39:12 +0000 (23:39 +0000)]
Enable caching of key-derived context info such as key schedules from
one encryption operation to another. Use a new function in the
enc_provider structure for cleanup. Implement caching of aes_ctx
values.
Using Greg's performance tests from the derived-key caching work, on a
2.8GHz Xeon, I see 1 million AES-128 encryptions of 16 bytes improved
by 5-6%; encryptions of 1024 bytes and checksums are not significantly
affected.
Ezra Peisach [Fri, 1 Jan 2010 16:41:04 +0000 (16:41 +0000)]
Change db_args from being a global to only defined in the function
that uses it. This removes a warning of shadowed variable names. Change
several functions to static when limited to main.c
Russ Allbery [Fri, 1 Jan 2010 05:09:57 +0000 (05:09 +0000)]
Add a new -P option to krb5kdc and kadmind which, if given, specifies
the path to which to write the PID file of the daemon after it finishes
initializing.
Russ Allbery [Thu, 31 Dec 2009 04:21:34 +0000 (04:21 +0000)]
Fix spelling and hyphen errors in man pages
Fix spelling errors in man pages detected by Debian's Lintian program.
Also escape some -'s that are intended to be literal ASCII dashes and
not Unicode hyphens so that groff won't change them into true hyphens.
Ken Raeburn [Thu, 31 Dec 2009 04:07:03 +0000 (04:07 +0000)]
NetBSD 5.0.1 uses an OpenSSL snapshot that describes itself as 0.9.9,
and has the EVP_PKEY_decrypt API change that was already being worked
around for OpenSSL 1.0.0. Work around it for 0.9.9 too.
Tom Yu [Tue, 29 Dec 2009 02:42:51 +0000 (02:42 +0000)]
MITKRB5-SA-2009-003 CVE-2009-3295 KDC null deref in referrals
On certain error conditions, prep_reprocess_req() calls kdc_err() with
a null pointer as the format string, causing a null dereference and
denial of service. Legitimate protocol requests can trigger this
problem.
Greg Hudson [Mon, 28 Dec 2009 20:13:39 +0000 (20:13 +0000)]
Add dejagnu test suite support for finding the preauth modules in the
fake install. Not yet tested, except to verify that it doesn't break
the existing test suite.
Greg Hudson [Mon, 28 Dec 2009 19:59:10 +0000 (19:59 +0000)]
Add a new profile variable preauth_module_dir, which specifies
directories to look for preauth plugins in prior to the hardcoded
locations. Undocumented for now since, like db_module_dir, this is
mostly intended for the test suite.
Greg Hudson [Mon, 28 Dec 2009 19:25:09 +0000 (19:25 +0000)]
Move krb5_get_profile back to init_os_ctx.c for now and revert r23519.
At this time we link t_etypes against init_ctx.so during "make check",
which breaks if init_ctx contains reference to the profile library.
More general solutions to this problem are under discussion.
Sam Hartman [Mon, 28 Dec 2009 17:15:30 +0000 (17:15 +0000)]
Anonymous support for Kerberos
This ticket implements Project/Anonymous pkinit from k5wiki. Provides
support for completely anonymous principals and untested client
support for realm-exposed anonymous authentication.
* Introduce kinit -n
* Introduce kadmin -n
* krb5_get_init_creds_opt_set_out_ccache aliases the supplied ccache
* No longer generate ad-initial-verified-cas in pkinit
* Fix pkinit interactions with non-TGT authentication
Greg Hudson [Mon, 21 Dec 2009 17:58:12 +0000 (17:58 +0000)]
Add a set_cred_option handler for SPNEGO which forwards to the
underlying mechanism. Fixes SPNEGO credential delegation in 1.7 and
copying of SPNEGO initiator creds in both 1.7 and trunk. Patch
provided by nalin@redhat.com.
Greg Hudson [Tue, 15 Dec 2009 17:40:27 +0000 (17:40 +0000)]
On Luke's advice, remove krb5_init_creds_store_creds. It is not a
Heimdal API and its functionality is covered by
krb5_get_init_creds_opt_set_out_ccache.
Greg Hudson [Thu, 10 Dec 2009 17:10:10 +0000 (17:10 +0000)]
Restructure the crypto checksum implementation to minimize
dependencies on the internals of modules.
* Keyhash providers are gone.
* The cksumtypes table contains checksum and verify functions,
similar to the etypes encrypt and decrypt functions. New checksum
functions parallel the old keyhash providers, and there are also
functions for unkeyed and derived-key HMAC checksums.
* The flags field is now used to indicate whether a checksum is
unkeyed, but not whether it is a derived-key HMAC checksum.
* The descbc checksum is handled through a new enc_provider function
which calculates a CBC MAC.
The OpenSSL module does not implement the CBC MAC function (it didn't
implement descbc before). builtin/des could probably get rid of
f_cksum.c (the old DES CBC routine) with some alterations to
string2key.c.
Ezra Peisach [Tue, 8 Dec 2009 03:24:23 +0000 (03:24 +0000)]
Remove dependency on /bin/csh in test suite
The libdb2 test suite would fail if /bin/csh was not present. The
tests did not execute /bin/csh - but used the contents as data to put
into the test database. Iterate over a few "known" files until one is found
that could be used for it... Tests for /bin/csh, /bin/cat, /usr/bin/cat,
/bin/ls, /usr/bin/ls. If none of these exist - then fail.
Tom Yu [Mon, 7 Dec 2009 15:30:37 +0000 (15:30 +0000)]
handle negative enctypes better
krb5_dbe_def_search_enctype and krb5int_parse_enctype_list were making
assumptions that enctype numbers are positive. Potentially more code
makes this assumption, but these appear to be the major ones.
Greg Hudson [Sun, 6 Dec 2009 16:23:11 +0000 (16:23 +0000)]
Make the libk5crypto hash_provider interface take crypto_iov lists
instead of lists of krb5_data. Make the base HMAC APIs take
crypto_iov lists and drop the _iov variants.
Greg Hudson [Sun, 6 Dec 2009 15:57:36 +0000 (15:57 +0000)]
In the built-in des3 provider, remove the unused version of
validate_and_schedule, and drop the _iov suffix from the one we do
use. (Cleanup from r23444.)
Greg Hudson [Fri, 4 Dec 2009 05:12:35 +0000 (05:12 +0000)]
Consolidate the IOV and non-IOV encryption/decryption code paths, and
drop the _iov suffix from most encryption- and decryption-related
functions. The enc_provider encrypt and decrypt functions take IOVs,
as do the enctype entries in etypes.c, and there are no separate
encrypt_iov or decrypt_iov functions.
aead_provider is gone. Enctype functions now take pointers to the
enctype entry instead of pointers to the enc/hash/aead providers; this
allows dk_encrypt and dk_decrypt to be polymorphic in the length
function they use now that AES and DES3 can't differentiate by aead
provider.
aes_string_to_key needed to be moved into the krb/ fold for this since
it's an enctype function; it was duplicated between builtin/ and
openssl/ before. This leaves openssl/aes empty; the build system
currently demands that all modules have the same directory structure,
so the directory and Makefile will stick around for now.
Three separate copies of the derive_random logic are also now
consolidated into one.
Ken Raeburn [Thu, 3 Dec 2009 02:17:28 +0000 (02:17 +0000)]
fix slow behavior on Mac OS X with link-local addresses
When using my previous patch, if a local hostname like "foobar.local"
is looked up, you may get back a link-local IPv6 address. However,
the KDC seems to be unable to respond from that address, resulting in
a ~1s delay for each KDC exchange while waiting for the client to fail
over to another address (in my case, another IPv6 address).
Create a new object for holding whatever auxiliary information might
be needed to properly transmit the response to the client. Currently,
that only means the interface index number under IPv6. Fill it in on
receipt, always; copy it back to the pktinfo structure when
transmitting, ONLY if the local source address is link-local.
If an error occurs while transmitting the reply, print both the remote
destination address and the local source address. Use getnameinfo
instead of inet_ntop.
Apply the same changes to kadmind, to keep the versions of network.c
more or less in sync.
Ken Raeburn [Thu, 3 Dec 2009 02:17:24 +0000 (02:17 +0000)]
allow testing even if name->addr->name mapping doesn't work
Many of the tests are set up to fail if the local hostname can't be
mapped to an address and back to a name again. If the name results in
an address, and we can get a fully-qualified name or something that
looks like it, though, we should be able to just go ahead and run some
tests.
This is also closer to the current behavior of sname_to_principal when
reverse DNS is enabled.
projects / thirdparty / krb5.git / log
