Sam Hartman [Wed, 23 Dec 2009 21:11:12 +0000 (21:11 +0000)]
Always supply a padata item to the return callback in a preauth plugin so that callback can determine what type of padata it is requested to return. If there is no item in the request, synthesize an empty one
Sam Hartman [Wed, 23 Dec 2009 21:11:06 +0000 (21:11 +0000)]
Client side of PA_PKINIT_KX
The anonymous draft specifies the use of PA_PKINIT_KX to confirm that
both the client and KDc contributed to the session key and to confirm
the session key is fresh. Implement client support for this item.
* krb5.hin: define padata and key usage constants
* get_in_tkt.c: New function verify_anonymous to perform verification
Sam Hartman [Wed, 23 Dec 2009 21:10:55 +0000 (21:10 +0000)]
Change kinit -n logic to support an interface for both fully and
partially anonymous principals.
* New API krb5_get_init_creds_opt_set_anonymous
* In krb5_get_init_creds_init, map @REALM to WELLKNOWN/ANONYMOUS@REALM
* Change logic for what canonicalization is acceptable to support realm-exposed anonymous principals too
* Use the above in kinit
Sam Hartman [Wed, 23 Dec 2009 21:10:52 +0000 (21:10 +0000)]
For fully anonymous kadmin, the KDC will change the realm to the
anonymous realm.
* kadm5_init_creds_iter: let get_init_creds store the credentials
* krb5_setup_gss: If we obtained creds (instead of getting them passed in) then use the default client name
kadmin: Support canonicalization of client name by KDC
Sam Hartman [Wed, 23 Dec 2009 21:10:49 +0000 (21:10 +0000)]
Per discussion with Greg and Luke, hold an alias to the out_ccache.
There is some ambiguity in whether it is appropriate for
get_init_creds_opts to hold an alias. However if it is going to copy
the ccache, we all believe that a duplicate routine in ccfns.c is
preferred.
Sam Hartman [Wed, 23 Dec 2009 21:10:30 +0000 (21:10 +0000)]
pkinit authentication only works for TGT
Pkinit's verification of the KDC SAN requires that the certificate
have a SAN for the server principal. That's not correct according to
RFC 4556. The KDC should have a SAN for the TGS principal; that's
independent of whether the TGS principal is actually the server.
Sam Hartman [Wed, 23 Dec 2009 21:10:26 +0000 (21:10 +0000)]
Implement support for the anonymous name type in GSS-API
* Import GSS_C_NT_ANONYMOUS as WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
* the display text of the anonymous name is the krb5 principal, but the nametype is set to GSS_C_NT_ANONYMOUS
Sam Hartman [Wed, 23 Dec 2009 21:10:16 +0000 (21:10 +0000)]
KDC policy handling for anonymous tickets:
* In TGS, set the anonymous flag if the anonymous flag is set in the AS
* Only authdata systems that support anonymous are called for anonymous tickets
* Currently we copy authdata from request and TGT buth nothing else
Note that if we support anonymous TGS requests in the future, copying
authdata from the TGT would be the wrong thing to do in that case.
Sam Hartman [Wed, 23 Dec 2009 21:09:53 +0000 (21:09 +0000)]
Implement support for unsigned pkinit messages
* cms_signeddata_verify will take a ContentInfo as well as SignedData and returns an indication of whether a message is signed
* Accept unsigned authpacks in the anonymous case.
Sam Hartman [Wed, 23 Dec 2009 21:09:50 +0000 (21:09 +0000)]
ad-initial-verified-cas logic broken
In the initial pkinit implementation, the server plugin generates an
incorrect encoding for ad-initial-verified-cas. In particular, it
assumes that ad-if-relevant takes a single authorization data element
not a sequence of authorization data elements. Nothing looked at the
authorization data in 1.6.3 so this was not noticed. However in 1.7,
the FAST implementation looks for authorization data. In 1.8 several
more parts of the KDC examine authorization data. The net result is
that the KDC fails to process the TGT it issues.
However on top of this bug, there is a spec problem. For many of its intended uses, ad-initial-verified-cas needs to be integrity protected by the KDC in order to prevent a client from injecting it. So, it should be contained in kdc-issued not ad-if-relevant.
For now we're simply removing the generation of this AD element until the spec is clarified.
Sam Hartman [Wed, 23 Dec 2009 21:09:46 +0000 (21:09 +0000)]
Revert "In case of anonymous client principal, use the realm of the server"
This reverts commit 34d2748e9052debc6a061911c2c786b46507b531. As the
entire working group has apparently forgotten, the KDC-REQ body only
has one realm field. That's used in an AS REQ for both the server and
client realm . So, in the anonymous pkinit case, I think we want to
send using a client of WELLKNOWN/ANONYMOUS@REAL_REALM. Waiting to
hear back from the WG on this.
Sam Hartman [Wed, 23 Dec 2009 21:09:43 +0000 (21:09 +0000)]
In case of anonymous client principal, use the realm of the server
principal or if not specified the default realm for determining what
KDC to contact.
Sam Hartman [Wed, 23 Dec 2009 21:09:39 +0000 (21:09 +0000)]
If the anonymous principal is used, then do not initialize the
identity context.
# Please enter the commit message for your
changes. Lines starting # with '#' will be ignored, and an empty
message aborts the commit. # On branch anonymous # Your branch is
ahead of 'krb5/trunk' by 3 commits. # # Changes to be committed: #
(use "git reset HEAD <file>..." to unstage) # # modified:
../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c # modified:
../src/plugins/preauth/pkinit/pkinit_identity.c # # Untracked files: #
(use "git add <file>..." to include in what will be committed) # # ./
../src/include/autoconf.stmp # ../static/
Greg Hudson [Thu, 10 Dec 2009 17:10:10 +0000 (17:10 +0000)]
Restructure the crypto checksum implementation to minimize
dependencies on the internals of modules.
* Keyhash providers are gone.
* The cksumtypes table contains checksum and verify functions,
similar to the etypes encrypt and decrypt functions. New checksum
functions parallel the old keyhash providers, and there are also
functions for unkeyed and derived-key HMAC checksums.
* The flags field is now used to indicate whether a checksum is
unkeyed, but not whether it is a derived-key HMAC checksum.
* The descbc checksum is handled through a new enc_provider function
which calculates a CBC MAC.
The OpenSSL module does not implement the CBC MAC function (it didn't
implement descbc before). builtin/des could probably get rid of
f_cksum.c (the old DES CBC routine) with some alterations to
string2key.c.
Ezra Peisach [Tue, 8 Dec 2009 03:24:23 +0000 (03:24 +0000)]
Remove dependency on /bin/csh in test suite
The libdb2 test suite would fail if /bin/csh was not present. The
tests did not execute /bin/csh - but used the contents as data to put
into the test database. Iterate over a few "known" files until one is found
that could be used for it... Tests for /bin/csh, /bin/cat, /usr/bin/cat,
/bin/ls, /usr/bin/ls. If none of these exist - then fail.
Tom Yu [Mon, 7 Dec 2009 15:30:37 +0000 (15:30 +0000)]
handle negative enctypes better
krb5_dbe_def_search_enctype and krb5int_parse_enctype_list were making
assumptions that enctype numbers are positive. Potentially more code
makes this assumption, but these appear to be the major ones.
Greg Hudson [Sun, 6 Dec 2009 16:23:11 +0000 (16:23 +0000)]
Make the libk5crypto hash_provider interface take crypto_iov lists
instead of lists of krb5_data. Make the base HMAC APIs take
crypto_iov lists and drop the _iov variants.
Greg Hudson [Sun, 6 Dec 2009 15:57:36 +0000 (15:57 +0000)]
In the built-in des3 provider, remove the unused version of
validate_and_schedule, and drop the _iov suffix from the one we do
use. (Cleanup from r23444.)
Greg Hudson [Fri, 4 Dec 2009 05:12:35 +0000 (05:12 +0000)]
Consolidate the IOV and non-IOV encryption/decryption code paths, and
drop the _iov suffix from most encryption- and decryption-related
functions. The enc_provider encrypt and decrypt functions take IOVs,
as do the enctype entries in etypes.c, and there are no separate
encrypt_iov or decrypt_iov functions.
aead_provider is gone. Enctype functions now take pointers to the
enctype entry instead of pointers to the enc/hash/aead providers; this
allows dk_encrypt and dk_decrypt to be polymorphic in the length
function they use now that AES and DES3 can't differentiate by aead
provider.
aes_string_to_key needed to be moved into the krb/ fold for this since
it's an enctype function; it was duplicated between builtin/ and
openssl/ before. This leaves openssl/aes empty; the build system
currently demands that all modules have the same directory structure,
so the directory and Makefile will stick around for now.
Three separate copies of the derive_random logic are also now
consolidated into one.
Ken Raeburn [Thu, 3 Dec 2009 02:17:28 +0000 (02:17 +0000)]
fix slow behavior on Mac OS X with link-local addresses
When using my previous patch, if a local hostname like "foobar.local"
is looked up, you may get back a link-local IPv6 address. However,
the KDC seems to be unable to respond from that address, resulting in
a ~1s delay for each KDC exchange while waiting for the client to fail
over to another address (in my case, another IPv6 address).
Create a new object for holding whatever auxiliary information might
be needed to properly transmit the response to the client. Currently,
that only means the interface index number under IPv6. Fill it in on
receipt, always; copy it back to the pktinfo structure when
transmitting, ONLY if the local source address is link-local.
If an error occurs while transmitting the reply, print both the remote
destination address and the local source address. Use getnameinfo
instead of inet_ntop.
Apply the same changes to kadmind, to keep the versions of network.c
more or less in sync.
Ken Raeburn [Thu, 3 Dec 2009 02:17:24 +0000 (02:17 +0000)]
allow testing even if name->addr->name mapping doesn't work
Many of the tests are set up to fail if the local hostname can't be
mapped to an address and back to a name again. If the name results in
an address, and we can get a fully-qualified name or something that
looks like it, though, we should be able to just go ahead and run some
tests.
This is also closer to the current behavior of sname_to_principal when
reverse DNS is enabled.
Ken Raeburn [Wed, 2 Dec 2009 23:09:33 +0000 (23:09 +0000)]
Perform the AES-CBC XOR operations 4 bytes at a time, using the helper
functions for loading and storing potentially-unaligned values.
Improves bulk AES encryption performance by 2% or so on 32-bit x86
with gcc 4.
Greg Hudson [Wed, 2 Dec 2009 22:37:16 +0000 (22:37 +0000)]
Speed up the per-block loops of AES, DES3, and DES IOV encryption by
avoiding function calls and copies in the case where the next block
is wholly contained within the current buffer. To do this, introduce
two new inline functions in aead.h called iov_next_block and
iov_store_block.
Greg Hudson [Wed, 2 Dec 2009 19:52:54 +0000 (19:52 +0000)]
Clean up the AES enc_provider code a bit. Chiefly, work with unsigned
char blocks, casting input->data and output->data once each upon entry
to the non-IOV encrypt and decrypt functions, rather than casting our
working buffers each time we need to work with an outside function.
Greg Hudson [Tue, 1 Dec 2009 01:36:42 +0000 (01:36 +0000)]
Fix AES IOV decryption of small messages
AES messages never need to be padded because the confounder ensures
that the plaintext is at least one block long. Remove a check in
krb5int_dk_decrypt_iov which was rejecting short AES messages because
it didn't count the header length.
Greg Hudson [Tue, 1 Dec 2009 01:32:02 +0000 (01:32 +0000)]
Make krb5int_c_decrypt_aead_compat more efficient by building the
buffers explicitly rather than using stream decryption. Sidesteps
some machinery and avoids copying the output.
Greg Hudson [Mon, 30 Nov 2009 19:03:58 +0000 (19:03 +0000)]
Fix ivec chaining for DES iov encryption
krb5int_des_cbc_decrypt_iov was using a plaintext block to update the
ivec. Fix it to use the last cipher block, borrowing from the
corresponding des3 function. The impact of this bug is not serious
since ivec chaining is not typically used with IOV encryption in 1.7.
Greg Hudson [Mon, 30 Nov 2009 16:19:24 +0000 (16:19 +0000)]
Add an AEAD provider for enctypes which use krb5_old_encrypt and
krb5_old_decrypt; this makes every enctype have an AEAD provider. To
make this work, expose make_unkeyed_checksum_iov to other files (under
the name krb5int_hash_iov) and make krb5int_c_padding_length take into
account the header length.
Greg Hudson [Mon, 30 Nov 2009 16:12:36 +0000 (16:12 +0000)]
Make the crc32 hash provider correctly chain multiple input buffers,
so that it returns the same result if you pass it one big buffer or
many small buffers containing the same data. To do this, change the
contract of mit_crc32 so that the cksum parameter is in-out.
Greg Hudson [Sun, 29 Nov 2009 23:13:57 +0000 (23:13 +0000)]
Remove the non-iov entry point introduced in r23378, since it's easy
to use the iov entry point at both call sites. Rename the iov entry
point to remove the "_iov" suffix since it's no longer needed to
disambiguate.
Greg Hudson [Sun, 29 Nov 2009 15:43:29 +0000 (15:43 +0000)]
Avoid using strncpy in the production of the arcfour salt because it
produces a (spurious) Coverity defect. Fix a memory leak in
krb5int_arcfour_encrypt.
Greg Hudson [Sat, 28 Nov 2009 23:10:31 +0000 (23:10 +0000)]
Create functional internal interfaces to allow GSSAPI to perform
arcfour encryption of GSS tokens. This factors out derivation of
the usage and encryption keys, and removes the need for the provider
structures to be visible to all of krb5 via k5-int.h.
Greg Hudson [Sat, 28 Nov 2009 15:53:39 +0000 (15:53 +0000)]
Clean up the arcfour token encryption and decryption functions by
making use of newer convenience functions and by factoring out the
derivation of the usage and encryption keys.
Greg Hudson [Fri, 27 Nov 2009 21:15:53 +0000 (21:15 +0000)]
Allow null keys to be referenced (a no-op) for simpler "copying" of
keys which might or might not exist. Consistent with allowing freeing
of null keys.
projects / thirdparty / krb5.git / log
