Changed return types of the plugin related functions per "Plugin support improvements" Project Proposal review.
Introduced plugin_version and removed plugin_id config attr.
Zhanna Tsitkov [Mon, 28 Jun 2010 21:32:54 +0000 (21:32 +0000)]
Added facilities to handle dynamic plugins
For the purpose of demonstration, a new plugin pwd_qlty_DYN was created.
The new section in krb5.conf for dynamic plugins looks as follows
plugin_list = PQ_DYN
PQ_DYN = {
plugin_api = plugin_pwd_qlty
plugin_factory_name = plugin_dyn_factory
plugin_factory_type = dynamic
plugin_name = plugin_pwd_qlty_DYN
plugin_factory_path = /var/tsitkova/Sources/pl/src/plugin_dynamic/libplugin_dynamic.so
plugin_id = 33
}
The test appl is server_misc.c.
Zhanna Tsitkov [Mon, 14 Jun 2010 19:26:20 +0000 (19:26 +0000)]
Added facilities to handle multiple impls of the same static plugins. It is based on plugin_id
As a proof of the concept, the password quality validation plugins were considered.
So, the following happens:
In the krb5.conf we indicate that we potentially want two pwd quality plugins: plugin_pwd_qlty_krb (native MIT kerb code extracted from server_mics.c) and plugin_pwd_qlty_X (bogus,as a matter of fact, almost identical to plugin_pwd_qlty_krb impl).
In the caller, i.e. in passwd_check of lib/kadm5/srv/server_misc.c, we call KRB and X impl's and verify the pwd against both of the policies:
plugin_manager_get_service(srv_handle->context->pl_handle, "plugin_pwd_qlty", PWD_QLTY_KRB);
plugin_manager_get_service(srv_handle->context->pl_handle, "plugin_pwd_qlty", PWD_QLTY_X);
Zhanna Tsitkov [Fri, 28 May 2010 14:58:08 +0000 (14:58 +0000)]
Introduced a new static plugin - password quality validator. It is based on the old/existing built-in pwd verification functionality. ( for proof of the concept and demonstration purposes)
Zhanna Tsitkov [Wed, 26 May 2010 17:54:37 +0000 (17:54 +0000)]
Implementation of yarrow prng as a plugin requires the vast majority of the routines in crypto lib to have a krb5_context as an argument. (This is needed to pass ref to pl_handle.) Unfortunately, it is not the case for the current state of crypto lib. Introducing krb5_context is a very invasive change and might be unsuitable for 1.9 release. So, yarrow is moved from plugins to crypto/krb and is treated as built-in functionality again.
Zhanna Tsitkov [Wed, 19 May 2010 19:53:03 +0000 (19:53 +0000)]
Moved plugin handle initialization from lib init into krb5_ctx.
At the moment we do not have "default" plugin configuration => needed to update come krb5 config files for "make check" tests to work.
For the experiment and as a proof of the concept, implement preauth/encrypted_challenge server side as a new plugin under the new arch.
This commit is for plugin implementation and initialization only. Next step is to invoke the code in kdc.
Moved plugin initialization into krb5int_lib_init from the applications. (It is still needed in the appl, e.g. t_prng, where krb5 lib is not initialized).
Make check works until it reaches ./t_gssapi.py
New plugin architecture code - first draft.
This design provides the following advantages:
1. Simple and clear additions of new plugin APIs and new implementations of the existing plugins
2. Handle both static and dynamic plugins
3. Handle two types of plugins: Listener and Service
4. Uniform way to supply parameters for plugin configuration
5. Possible versioning of configuration
6. Potentially, configuration file may contain hash values for the library validity verification
7. Tables of functions are created during make.
It was tested by implementing yarrow as PRNG plugin. (There is also a bogus plugin_prng_os implementation which uses system rand calls just for the demonstration purpose)
t_prng and all other tests in crypto_tests work (need to run "make check" from crypto_tests dir)
This particular version suggests using plugin configuration file in yaml format. It can be alternated by hardcoded or any other configuration.
Greg Hudson [Mon, 29 Mar 2010 22:08:21 +0000 (22:08 +0000)]
Fix backwards flag output in krb5_init_creds_step()
krb5_init_creds_step() is taken from Heimdal, which sets *flags to 1
for "continue" and 0 for "stop". Unfortunately, we got it backwards
in 1.8; fix it for 1.8.1.
Greg Hudson [Fri, 26 Mar 2010 22:43:11 +0000 (22:43 +0000)]
In gc_frm_kdc.c, rename cur_kdc to cur_realm and nxt_kdc to nxt_realm,
to make it easier to distinguish them from cur_tgt and nxt_tgt. Make
similar name changes to lst_kdc and kdc_list, as well as the function
find_nxt_kdc().
Greg Hudson [Thu, 25 Mar 2010 03:08:12 +0000 (03:08 +0000)]
Straighten the if-ladder in encrypted challenge's process_preauth,
making it clearer that control drops through if one of the first
couple of steps fails.
Tom Yu [Tue, 23 Mar 2010 06:09:02 +0000 (06:09 +0000)]
krb5_typed_data not castable to krb5_pa_data on 64-bit MacOSX
Move krb5_typed_data to krb5.hin from k5-int-pkinit.h because
krb5int_fast_process_error was assuming that it was safe to cast it to
krb5_pa_data. It's not safe to do the cast on 64-bit MacOSX because
krb5.hin uses #pragma pack on that platform.
Greg Hudson [Sat, 20 Mar 2010 03:50:06 +0000 (03:50 +0000)]
Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
KRB5_AUTHDATA_SIGNTICKET, originally a Heimdal authorization data
type, was used to implement PAC-less constrained delegation in krb5
1.8. Unfortunately, it was found that Microsoft was using 142 for
other purposes, which could result in a ticket issued by an MIT or
Heimdal KDC being rejected by a Windows Server 2008 R2 application
server. Because KRB5_AUTHDATA_SIGNTICKET is only used to communicate
among a realm's KDCs, it is relatively easy to change the number, so
MIT and Heimdal are both migrating to a new number. This change will
cause a transitional interoperability issue when a realm mixes MIT
krb5 1.8 (or Heimdal 1.3.1) KDCs with MIT krb5 1.8.1 (or Heimdal
1.3.2) KDCs, but only for constrained delegation evidence tickets.
Ken Raeburn [Wed, 17 Mar 2010 06:00:56 +0000 (06:00 +0000)]
Merge users/raeburn/branches/network-merge
Re-integrates the forked versions of network.c in kdc and
kadmin/server. Server-specific initialization and SIGHUP-reset code
is moved into other source files; the more generic network-servicing
code is merged and moved into apputils library already used by both
programs.
Tom Yu [Tue, 16 Mar 2010 19:14:33 +0000 (19:14 +0000)]
handle NT_SRV_INST in service principal referrals
Handle NT_SRV_INST in service principal cross-realm referrals, as
Windows apparently uses that instead of NT_SRV_HST for at least some
service principals.
Greg Hudson [Thu, 11 Mar 2010 17:05:24 +0000 (17:05 +0000)]
Lazy history key creation
Create kadmin/history lazily when we need it (i.e. when a password is
changed on a principal with a policy) instead of whenever we open the
database. Allows kadmin.local to be used as a read-only tool on non-
kadmin-conformant database back ends such as the Samba bridge.
Greg Hudson [Mon, 8 Mar 2010 04:39:08 +0000 (04:39 +0000)]
Add a "make testrealm" target using the Python test framework. As
part of this, expose the environments in K5Realm as attributes so
that test scripts can modify them.
Ezra Peisach [Sun, 7 Mar 2010 20:01:36 +0000 (20:01 +0000)]
Make python test start_in_inetd function
util/k5test.py: Fix incorrect variable used
tests/dejagnu/t_inetd.c: Flush stdout after outputting "Ready!"
tests/dejagnu/Makefile.in: Always compile t_inetd - even in runtest is not
present
Greg Hudson [Fri, 5 Mar 2010 17:45:46 +0000 (17:45 +0000)]
Ignore improperly encoded signedpath AD elements
We have some reason to believe Microsoft and Heimdal are both using
the authdata value 142 for different purposes, leading to failures in
verify_ad_signedpath(). For better interoperability, treat such
tickets as unsigned, rather than invalid.
Greg Hudson [Thu, 4 Mar 2010 21:24:54 +0000 (21:24 +0000)]
Python test framework
Add a framework for writing tests in Python. Documentation is in the
initial docstring of util/k5test.py. Inaugurate the framework with
two test scripts, t_general.py and t_anonypkinit.py, which together
test the same operations as standalone.exp from the dejagnu test
suite.
Greg Hudson [Sun, 28 Feb 2010 20:32:00 +0000 (20:32 +0000)]
Remove some more test suite cruft:
* localhostname from get_hostname was unused.
* database_name is no longer used except (misleadingly) in kdb5_util
output.
* admin_database_name and admin_database_lockfile are no longer used.
* default_domain is only used for v4->v5 principal conversion, which
isn't tested.
* libkadm5's init-v2.exp had a copy of get_hostname; domain and
localhostname from it were unused.
Greg Hudson [Sat, 27 Feb 2010 09:49:32 +0000 (09:49 +0000)]
On Linux platforms, use -Wl,--enable-new-dtags when linking shared
libraries and programs using them. The primary effect is to get ld to
set DT_RUNPATH in addition to DT_RPATH, which in turn allows the
LD_LIBRARY_PATH environment variable to override the compiled-in
runpath, which is friendlier to the test framework.
Greg Hudson [Wed, 24 Feb 2010 18:57:08 +0000 (18:57 +0000)]
Two problems in kadm5_get_principal mask handling
KADM5_MOD_NAME was being applied to entry->principal instead of
entry->mod_name. KADM5_MKVNO was not being applied to entry->mkvno.
Patch from Marcus Watts <mdw@umich.edu>.
Greg Hudson [Mon, 22 Feb 2010 18:12:51 +0000 (18:12 +0000)]
Remove some unused cruft in the dejagnu test suite's default.exp:
* RLOGIN, RLOGIN_FLAGS, ROOT_PROMPT, ROOT_SHELL, check_k5login,
restore_kerberos_env, setup_root_shell, setup_root_shell_noremote,
setup_wrapper: No longer used now that the applications are in a
separate tree.
* v4_compatible_enctype: No longer used with krb4 support gone.
* tail1, krb_exit: Apparently never used.
* KERBEROS_SERVER: Added long ago in r5686 and removed shortly after
in r5695, but the test suite support for it never got excised.
Greg Hudson [Mon, 22 Feb 2010 04:52:30 +0000 (04:52 +0000)]
Fix two unrelated problems in SPNEGO which don't crop up with the krb5
mechanism.
1. The third call to spnego_init_accept_context uses faulty logic to
determine if the exchange is complete, preventing a third mech token
from being sent to the acceptor if no MIC exchange is required.
Follow the logic used in the second call (in init_ctx_nego), which is
correct.
2. If the acceptor selects a mech other than the optimistic mech, it
sets sc->mic_reqd to 1 whether or not the selected mech supports MICs
(which isn't known until the mech completes). Most code outside of
handle_mic checks sc->mic_reqd along with (sc->ctx_flags &
GSS_C_INTEG_FLAG), but the code in acc_ctx_call_acc neglected to do
so, so it could improperly delegate responsibility for deciding when
the negotiation was finished to handle_mic--which never gets called if
(sc->ctx_flags & GSS_C_INTEG_FLAG) is false. Fix acc_ctx_call_acc to
check sc->ctx_flags so that mechs which don't support integrity
protection can complete if they are selected non-optimistically.
Greg Hudson [Thu, 18 Feb 2010 18:49:11 +0000 (18:49 +0000)]
The TGS code was not freeing authdata. This is an old leak which was
made more evident in 1.8 by the addition of ad-signedpath authdata
appearing in most tickets issued through the TGS path.
Greg Hudson [Thu, 18 Feb 2010 18:04:47 +0000 (18:04 +0000)]
Fix cipher state chaining in OpenSSL back end
Make cipher state chaining work in the OpenSSL back end for des, des3,
and arcfour enc providers. Subtleties:
* DES and DES3 have checks to avoid clobbering ivec with uninitialized
data if there is no data to encrypt.
* Arcfour saves the OpenSSL cipher context across calls. To protect
against a caller improperly copying the state (which happens to work
with other enc providers), a loopback pointer is used, as in GSSAPI.
* EVP_EncryptFinal_ex is unnecessary with stream ciphers and would
interfere with cipher state chaining if it did anything, so just
remove it.
Zhanna Tsitkov [Wed, 17 Feb 2010 16:09:43 +0000 (16:09 +0000)]
validator.py is a tool to validate kerb configuration files.
First, the configuration file is parsed (confparser.py) and validated against formating errors (such as mismatching brackets)
Then the list of the allowed configuration attributes is compiled from k5-int.h and rules.yml
Finally, the kerb configuration file is validated against the list of the allowed strings.
If the error, or something that validator does not understand, is found the warning is issued in the tree-like form indicating the layer where the problem has occurred.
Tom Yu [Tue, 16 Feb 2010 22:10:17 +0000 (22:10 +0000)]
MITKRB5-SA-2010-001 CVE-2010-0283 KDC denial of service
Code introduced in krb5-1.7 can cause an assertion failure if a
KDC-REQ is internally inconsistent, specifically if the ASN.1 tag
doesn't match the msg_type field. Thanks to Emmanuel Bouillon (NATO
C3 Agency) for discovering and reporting this vulnerability.
Greg Hudson [Thu, 11 Feb 2010 16:07:08 +0000 (16:07 +0000)]
Minimal support for updating history key
Add minimal support for re-randomizing the history key:
* cpw -randkey kadmin/history now works, but creates only one key.
* cpw -randkey -keepold kadmin/history still fails.
* libkadm5 no longer caches the history key. Performance impact
is minimal since password changes are not common.
* randkey no longer checks the newly randomized key against old keys,
and the disabled code to do so in setkey/setv4key is gone, so now
only kadm5_chpass_principal_3 accesses the password history.
Greg Hudson [Wed, 10 Feb 2010 23:44:18 +0000 (23:44 +0000)]
Implement gss_set_neg_mechs
Implement gss_set_neg_mechs in SPNEGO by intersecting the provided
mech set with the mechanisms available in the union credential. As
we now need space to hold the mech set, the SPNEGO credential is now
a structure and not just a mechglue credential.
t_spnego.c is a test program which exercises the new logic. Like the
other GSSAPI tests, it is not run as part of "make check" at this
time.
Greg Hudson [Wed, 10 Feb 2010 01:55:36 +0000 (01:55 +0000)]
Followon fixes to r23712:
* A few formatting fixes.
* Fix unlikely leak in kdc_handle_protected_negotiation: if
add_pa_data_element with copy == FALSE fails, it's still the
caller's responsibility to free pa.contents.
* Fix pre-existing (since r23465) leak of reply_encpart.enc_padata in
process_as_req.
* Call add_pa_data_element with copy == TRUE in
return_referral_enc_padata since we are passing memory owned by the
database entry.
Sam Hartman [Tue, 9 Feb 2010 19:15:12 +0000 (19:15 +0000)]
krb5int_fast_free_state segfaults if state is null
krb5int_fast_free_state fails if state is null. INstead it should
simply return Reorganization of the get_init_creds logic has created
situations where the init_creds loop can fail between the time when
the context is initialized and the fast state is initialized.
Sam Hartman [Tue, 9 Feb 2010 19:15:07 +0000 (19:15 +0000)]
enc_padata can include empty sequence
There are two issues with return_enc_padata.
1) It often will return an empty sequence of enc_padata rather than not including the field
2) FAST negotiation is double supported in the referral tgs path and not supported in the non-referral path
Rewrite the return_enc_padata logic to:
* Split out referral interactions with kdb into its own function
* Use add_pa_data_element
Greg Hudson [Fri, 5 Feb 2010 21:46:35 +0000 (21:46 +0000)]
Consistently place $(LDFLAGS) after $(SHLIB_EXPFLAGS) when building
shared libraries. Previously we sometimes failing to use $(LDFLAGS)
at all, and at other times were putting it before $(SHLIB_EXPFLAGS)
where it could pick up tree-internal libraries from outside the build
tree.
Tom Yu [Fri, 5 Feb 2010 03:05:42 +0000 (03:05 +0000)]
Apply patch from Arlene Berry to return a comparable static OID object
instead of the application-passed (probably dynamically allocated)
OID, to avoid use-after-free problems.
Tom Yu [Mon, 1 Feb 2010 21:48:19 +0000 (21:48 +0000)]
set_default_enctype_var should filter not reject weak enctypes
With allow_weak_crypto=false, set_default_enctype_var() (helper
function for krb5_set_default_tgs_enctypes(), etc.) was rejecting any
application-provided enctype list that contained any weak enctype even
when valid strong enctypes were present. This broke some Samba
things. Filter the weak enctypes instead. Add test cases.
Reported to Debian by Holger Isenberg. (Debian bug #566977)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977
Thanks to Simo Sorce for testing.
projects / thirdparty / krb5.git / log
