Greg Hudson [Wed, 4 Mar 2020 22:18:51 +0000 (17:18 -0500)]
Use two queues for concurrent t_otp.py daemons
t_otp.py occasionally fails during the #8708 regression test, reading
a true answer instead of the expected false answer during the first
verify() call. Most likely the daemons are writing their answers to
the shared queue out of order. Use a separate queue for the second
daemon to ensure correct correlation of results.
Robbie Harwood [Wed, 26 Feb 2020 23:27:17 +0000 (18:27 -0500)]
Refresh manually acquired creds from client keytab
If a client keytab is present but credentials are acquired manually,
the credentials would not be refreshed because no refresh_time config
var is set in the cache. Change kg_cred_time_to_refresh() to attempt
a refresh from the client keytab on any credentials which will expire
in the next 30 seconds.
[ghudson@mit.edu: adjused code and added test case]
TBK [Wed, 26 Feb 2020 20:12:45 +0000 (21:12 +0100)]
Fix Linux build error with musl libc
Commit bf5953c549a6d279977df69ffe89b2ba51460eaf caused a build failure
on non-glibc Linux build environments. Change the conditionalization
so that __GLIBC_PREREQ will only be used if it is defined.
Greg Hudson [Tue, 25 Feb 2020 16:32:09 +0000 (11:32 -0500)]
Allow deletion of require_auth with LDAP KDB
In update_ldap_mod_auth_ind(), if there is no string attribute value
for require_auth, check for krbPrincipalAuthInd attributes that might
need to be removed. (This will only work if the entry is loaded and
then modified, but that is the normal case for an existing entry.)
Move the update_ldap_mod_auth_ind() call inside the tl-data
conditional (which should perhaps be a check for KADM5_TL_DATA in the
mask instead). A modification which did not intend to update tl-data
should not remove the krbPrincipalAuthInd attributes.
Change get_int_from_tl_data() to to zero its output so that it can't
leave a garbage value behind if it returns 0 (as it does if no
KDB_TL_USER_INFO tl-data is present).
Greg Hudson [Wed, 19 Feb 2020 20:36:38 +0000 (15:36 -0500)]
Fix AS-REQ checking of KDB-modified indicators
Commit 7196c03f18f14695abeb5ae4923004469b172f0f (ticket 8823) gave the
KDB the ability to modify auth indicators, but it happens after the
asserted indicators are checked against the server principal
requirements. In finish_process_as_req(), move the call to
check_indicators() after the call to handle_authdata() so that the
final indicator list is checked.
For the test case, add string attribute functionality to the test KDB
module, and fix a bug where test_get_principal() would return failure
if a principal has no keys. Also add a test case for AS-REQ
enforcement of normally asserted auth indicators.
Greg Hudson [Sun, 16 Feb 2020 01:34:23 +0000 (20:34 -0500)]
Replace gssrpc tests with a Python script
Replace the dejagnu RPC test framework with a short Python script to
do the same tests as fullrun.exp and gsserr.exp. Modify the server
test program to facilitate use by k5test.py.
expire.exp, together with a comment in the client test program, was
designed to test a libdb2 btree bug via the gssrpc server-side
authentication code. That code was subsequently changed not to use
libdb2, before it was merged into the main krb5 tree (in revision 1.23
of svc_auth_gssapi.c, according to the changelog removed in commit 2a43d772be1e45faa8e488d436b6e867371563fb). Remove the comment and do
not replace that test sequence.
Michael Mattioli [Tue, 26 Nov 2019 02:28:57 +0000 (21:28 -0500)]
Use GitHub Actions for CI
Use Github Actions instead of Travis and AppVeyor.
In the Windows installer config, add support for Visual Studio 2019
(aka 16.0).
[ghudson@mit.edu: switched to Ubuntu 18.04 for Linux builds; removed
macOS build job for now; added more packages to avoid skipping tests;
made it easier to see skipped tests and to see files not cleaned;
added make install command; adjusted Windows build path]
Isaac Boukris [Thu, 30 Jan 2020 18:38:44 +0000 (19:38 +0100)]
Always use S4U2Proxy second ticket parsed authdata
When the KDC handles an S4U2Proxy request, if the KDB module returned
parsed authdata for the header ticket and not for the second ticket,
we could erroneously pass the header ticket's parsed authdata to
handle_authdata(). Make sure we always pass the parsed authdata for
the second ticket.
Greg Hudson [Wed, 5 Feb 2020 23:46:11 +0000 (18:46 -0500)]
Refactor KDC authdata list management helpers
Remove the unused concat_authorization_data(). Split merge_authdata()
into two helpers, one to destructively merge without filtering and one
to add copied elements while filtering out KDC-only authdata types.
Remove context parameters where they aren't needed (taking advantage
of knowledge that some libkrb5 functions don't use their context
parameters).
Isaac Boukris [Sat, 1 Feb 2020 12:21:39 +0000 (13:21 +0100)]
Test that PAC is the first authdata element
In the test KDB module, set the PAC as the first authdata element. In
adata.c, add PAC service verification and verify that a PAC does not
appear in authdata elements after the first.
[ghudson@mit.edu: minor style changes; edited commit message]
Isaac Boukris [Sat, 1 Feb 2020 15:13:30 +0000 (16:13 +0100)]
Put KDB authdata first
Windows services, as well as some versions of Samba, may refuse
tickets if the PAC is not in the first AD-IF-RELEVANT container. In
fetch_kdb_authdata(), change the merge order so that authdata from the
KDB module appears first.
[ghudson@mit.edu: added comment and clarified commit message]
Robbie Harwood [Thu, 23 Jan 2020 18:09:00 +0000 (13:09 -0500)]
Remove private mutators for context enctypes
krb5_set_default_in_tkt_ktypes() and krb5_set_default_tgs_ktypes() are
not part of the API and are only used in test programs, so remove
them. Also remove the now-unused in_tkt_etypes field from
krb5_context. Update test suite consumers.
Fix a minor bug wherein the etinfo executable would not correctly
print its usage text.
[ghudson@mit.edu: adapted some tests rather than remove them]
Isaac Boukris [Sun, 26 Jan 2020 20:49:47 +0000 (21:49 +0100)]
Zero length fields when freeing object contents
In krb5_free_data_contents() and krb5_free_checksum_contents(), zero
the length as well as the data pointer to leave the object in a valid
state. Add asserts to existing test harnesses to verify the new
behavior.
In the krb5 GSS mech's kg_checksum_channel_bindings(), remove the code
to reallocate the checksum with xmalloc(), as it relied on
krb5_free_checksum_contents() leaving the object in an invalid state.
This code was added in commit a30fb4c4400f13a2690df7ef910b7ac0ccbcf194
to match an xfree() call, but commit 29337e7c7b796685fb6a03466d32147e17aa2d16 replaced that xfree() with a
krb5_free_checksum_contents(). (In addition, the xmalloc and xfree
wrappers never evolved to do anything beyond malloc and free.)
In kpropd's recv_database(), don't free outbuf until we are done using
its length.
Greg Hudson [Fri, 24 Jan 2020 15:25:18 +0000 (10:25 -0500)]
Honor transited-policy-checked flag in servers
For consistency with Heimdal and simplicity of server configuration,
do not check the transited field in krb5_rd_req() if the
transited-policy-checked flag is set in the ticket.
Add a cross-realm test using the gcred and rdreq harnesses to test
server transited processing. Also fix the KDC capaths case so that
the client actually doesn't know the path to the server realm. In
k5test.py, adjust _cfg_merge() to remove keys mapped to None in the
second dictionary (instead of mapping them to None in the result), so
that deleting whole sections works. Remove the corresponding check
for None in _write_cfg_section() as it is no longer needed.
Greg Hudson [Thu, 23 Jan 2020 19:49:24 +0000 (14:49 -0500)]
Further simplify test KDB module authdata code
Commit 94f7c9705879500b1dc8dda8592490efce05688f simplified the
generation of authdata elements, but left behind some unnecessary
conditionalization when assembling the elements into a list, causing a
Coverity defect. Further simplify the code.
Robbie Harwood [Tue, 14 Jan 2020 19:23:00 +0000 (14:23 -0500)]
Apply permitted_enctypes to KDC request enctypes
permitted_enctypes was initially intended only to restrict the
processing of AP requests (and was later applied to KDB key data
searches so that the KDC wouldn't issue a ticket it would refuse to
accept). Because the documentation was never clear about its scope,
many configurations assume that permitted_enctypes also applies to
clients.
In light of the existing configurations, take the simple way out and
use permitted_enctypes as the default for default_tkt_enctypes and
default_tgs_enctypes. Update the documentation, add a test to
explicitly check the new behavior, and remove now-unnecessary
configuration from the test suite.
[ghudson@mit.edu: unrolled helper function; edited documentation and
commit message; simplified test case]
Isaac Boukris [Wed, 15 Jan 2020 10:14:00 +0000 (11:14 +0100)]
Allow cross-realm RBCD with PAC and other authdata
For cross-realm S4U2Proxy requests, require a PAC to be present to
bypass signedpath verification, but do not require it to be the only
authdata element. For within-realm requests, add and verify
signedpath authdata regardless of the presence of a PAC.
Simplify the test KDB authdata module and the existing RBCD tests as
we no longer need a way to suppress the test module's KDB authdata.
[ghudson@mit.edu: rewrote commit message; reordered a condition for
efficiency]
Isaac Boukris [Wed, 15 Jan 2020 12:54:44 +0000 (13:54 +0100)]
Fix KDC crash in handle_signticket
Commit d47f7dba3779c9e36e1dedaac830dac1dd248fb3 changed the parameters
passed to sign_authdata() for S4U2Proxy requests so that client is the
entry for the impersonated client (not the impersonator), and added a
new parameter for the impersonator entry. It should have changed the
call to handle_signticket() to use the impersonator entry. Fix the
handle_signticket() call, and change some parameter names to more
clearly indicate the flow of subject_server from process_tgs_req() to
handle_authdata() to its helpers.
Isaac Boukris [Thu, 12 Dec 2019 02:20:44 +0000 (03:20 +0100)]
Add tests for S4U request-authdata handling
In adata.c, look up the server in the keytab by ticket->server (which
has the canonicalized realm), to allow testing of cross-realm RBCD
(although unused for now).
In s4u2proxy.c, set KRB5_GC_CANONICALIZE to support RBCD, and add an
authdata request option. Add an s4u2self test harness with authdata
request option.
[ghudson@mit.edu: minor code simplifications; edited commit message]
Greg Hudson [Sat, 11 Jan 2020 04:47:34 +0000 (23:47 -0500)]
Fix error handling in gssint_mechglue_init()
In the unlikely event that one of the functions called by
gssint_mechglue_init() returns an error, return that error to the
caller rather than continuing on and discarding the error status.
Returning success when some of the operations failed could fool the
library finalizer into thinking that initialization completed.
Reported by Spencer Malone.
Isaac Boukris [Sun, 12 Jan 2020 17:57:10 +0000 (18:57 +0100)]
Restrict test KDB to local principals
Ignoring the lookup realm for principal matching could cause the test
KDB module to successfully look up entries (with the correct key data)
for principals that a real KDB wouldn't have, such as krbtgt/B@A
within realm C. Add a realm check to test_get_principal(), allowing
only local principal names or incoming cross-TGS names.
Robbie Harwood [Tue, 17 Dec 2019 22:37:41 +0000 (17:37 -0500)]
Fix LDAP policy enforcement of pw_expiration
In the LDAP backend, the change mask is used to determine what LDAP
attributes to update. As a result, password expiration was not set
from policy when running during addprinc, among other issues.
However, when the mask did not contain KADM5_PRINCIPAL, pw_expiration
would be applied regardless, which meant that (for instance) changing
the password would cause the password application to be applied.
Remove the check for KADM5_PRINCIPAL, and fix the mask to contain
KADM5_PW_EXPIRATION where appropriate. Add a regression test to
t_kdb.py.
[ghudson@mit.edu: also set KADM5_ATTRIBUTES for randkey and setkey
since they both unset KRB5_KDB_REQUIRES_PWCHANGE; edited comments and
commit message]
Greg Hudson [Thu, 19 Dec 2019 18:52:32 +0000 (13:52 -0500)]
Work around macOS SIP in the test suite
In macOS 10.11 and later with System Integrity Protection enabled,
system programs (including the shell) purge DYLD_LIBRARY_PATH from the
environment at startup. As a result, any part of "make check" which
runs via a shell script must explicitly restore the runtime
environment. Add a common rule for runenv.sh, and create and source
it where shell scripts are run. Dejagnu's runtest is a shell script,
so create a tcl file for the kadmin and RPC unit tests and source it
from unix.exp. Avoid using the shell to run commands in several
places. Use return_trace=True for tests that previously indirected
through /usr/bin/env.
Do not include <malloc.h> in t_parse_host_string.c, as it does not
exist on macOS and is not needed.
Skip the iprop tests on macOS when SIP is enabled, as signal
restrictions appear to prevent the kpropd child process from informing
the parent process that a full resync has completed.
In net-server.c, set SO_REUSEPORT as well as SO_REUSEADDR on listener
sockets. Otherwise the krb5kdc processes run by the test suite
sometimes fail to start with "address in use" errors.
In configure.ac, only generate po/Makefile if we will descend into it.
Greg Hudson [Tue, 10 Dec 2019 17:06:05 +0000 (12:06 -0500)]
Fix xdr_bytes() strict-aliasing violations
When xdr_bytes() is used for a gss_buffer_desc object, a temporary
character pointer must be used for the data value to avoid a strict
aliasing violation.
When xdr_bytes() is used for a krb5_keyblock object, a temporary
character pointer must also be used, even though the data pointer is
of type unsigned char *, to avoid a clang warning on macOS due to the
"#pragma pack" declaration in krb5.h.
Greg Hudson [Mon, 9 Dec 2019 16:42:47 +0000 (11:42 -0500)]
Add NegoEx assertion to squash defect
Coverity sees negoex_init() test whether input_token is null before
parsing messages, then dereference input_token in verify_checksum().
Of course verify_checksum() will not find a checksum message if no
messages were parsed. Add an assert to squash the false positive
forward-null defect.
Isaac Boukris [Wed, 25 Dec 2019 23:23:21 +0000 (00:23 +0100)]
Remove KRB5_KDB_FLAG_ALIAS_OK
It is simpler and more consistent with Windows to let the KDB module
always return aliases, and use KDC logic (already present) to decide
whether to use the requested or canonical principal name in the
ticket.
With the removal of this flag, "kinit alias" (without the -C flag)
against the LDAP KDB module will issue a ticket for the alias name,
instead of failing with a "client not found" error.
[ghudson@mit.edu: edited comments; wrote commit message]
Isaac Boukris [Sat, 2 Nov 2019 12:32:32 +0000 (13:32 +0100)]
Do not always canonicalize enterprise principals
When processing an AS request in the KDC, do not assume
KRB5_KDB_FLAG_CANONICALIZE for enterprise client names. This change
allows the KDB module to only canonicalize enterprise client names if
the canonicalize flag was set on the request, as Windows does. The
KDB module may check the principal type and apply canonicalization as
appropriate.
Robbie Harwood [Thu, 19 Dec 2019 22:49:05 +0000 (17:49 -0500)]
Don't warn in kadmin when no policy is specified
Not having policy defined is a normal occurrence. While it's a useful
message to log in case it's unexpected, the current form is
unnecessarily alarmist.
Greg Hudson [Thu, 19 Dec 2019 07:25:15 +0000 (02:25 -0500)]
Simplify keytab creation in kadmin and RPC tests
In init_db and init.exp, do not create an ovsec_adm.keytab; kadmind
has authenticated directly against the KDB since commit 416d9a774090ee78c30a844025887bd2b9e79d16. Since we no longer create
ovsec_adkm principals, perform the deletion and recreation tests with
kadmin/ principals.
In helpers.exp, use kadmin to create the server keytab file, instead
of using make-host-keytab.pl.
Remove environment variable settings for make-host-keytab.pl from
scripts that no longer use it.
Greg Hudson [Wed, 11 Dec 2019 17:09:27 +0000 (12:09 -0500)]
In mkrel, build documentation with python3
After commit 95830231758de259abbbccedbac01613f578768a, the
documentation cannot be built with Python 2. Run make with
"PYTHON=python3" to ensure that we use Python 3.
Add a mock NegoEx-only GSS module, a test program which establishes a
SPNEGO context, and a Python script to exercise a variety of NegoEx
negotiation scenarios.
Luke Howard [Wed, 26 Dec 2018 11:52:18 +0000 (22:52 +1100)]
Implement NegoEx
Implement draft-zhu-negoex. Mechanisms supporting the NegoEx GSS
extensions will be negotiated only through NegoEx, unless they assert
the GSS_C_MA_NEGOEX_AND_SPNEGO mech attribute, in which case they may
also be negotiated directly via SPNEGO.
Greg Hudson [Sat, 30 Nov 2019 01:39:38 +0000 (20:39 -0500)]
Qualify short hostnames when not using DNS
When DNS forward canonicalization is turned off or fails, qualify
single-component hostnames with the first DNS search domain. Add the
qualify_shortname relation to override this suffix.
For one of the tests we need to disable qualification, which is
accomplished with an empty value. Adjust k5test.py to correctly emit
empty values when writing profiles.
Greg Hudson [Tue, 3 Dec 2019 20:32:29 +0000 (15:32 -0500)]
Improve type safety of serialization code
Remove the serialization table from krb5_context, the functions to
find and register serializers, and the polymorphic serialization
functions. Instead, directly call per-type serialization functions
for the type of object we need to serialize.
Remove the krb5_context parameter from most serialization functions as
the interfaces are not public and the context is not needed.
Remove the ccache, keytab, and rcache serialization handlers as they
were not used.
In t_ser.c, repeat the externalize-internalize-reexternalize logic for
each type, but simplify the code by aborting on failure and removing
the verbose flag.
The krb5_context and krb5_keyblock sizing functions both reported an
extra four bytes. The new test program does not tolerate that
inconsistency, so fix them.
Greg Hudson [Tue, 19 Nov 2019 20:02:04 +0000 (15:02 -0500)]
Factor out mechglue union context creation
Add a helper function gssint_create_union_context() and use it in the
four mechglue functions which create a context. In
gss_import_sec_context(), create the union context later and eliminate
the cleanup label.
Greg Hudson [Sun, 17 Nov 2019 00:54:51 +0000 (19:54 -0500)]
Fix kadmin addprinc -randkey -kvno
Commit f07bca9fc94a5cf2e3c0f58226c7973a4b86b7a9 made addprinc -randkey
use a single RPC request, but the server-side handling always creates
the random keys with kvno 1. If a kvno is specified in the RPC
request, set the kvno of the key data after creating it. Reported by
Andreas Ladanyi.
Greg Hudson [Mon, 11 Nov 2019 17:25:41 +0000 (12:25 -0500)]
Fix SPNEGO fallback context handling
In init_ctx_call_init(), if gss_init_sec_context() fails while
producing the first SPNEGO initiator token, we remove the first
candidate mechanism from sc->mech_set and try again. If
sc->ctx_handle is present after the error (more likely after commit 56f7b1bc95a2a3eeb420e069e7655fb181ade5cf), we must clear it before
falling back or it will cause subsequent attempts to fail.
Robbie Harwood [Tue, 12 Nov 2019 18:38:59 +0000 (13:38 -0500)]
Update test suite cert message digest to sha256
Certain openssl configurations (such as Debian testing) will fail out
the sha1 certificates with errors like "ssl.SSLError: [SSL:
CA_MD_TOO_WEAK] ca md too weak (_ssl.c:3833)" or similar. Also update
the certs in question.
Robbie Harwood [Fri, 8 Nov 2019 19:28:56 +0000 (14:28 -0500)]
Fix minor errors in softpkcs11
Fix a printf type mismatch in attributes_match() reported by Coverity,
and a possible uninitizlied use of key_type in add_certificate()
reported by clang.
[ghudson@mit.edu: squashed commits and rewrote commit message]
Greg Hudson [Thu, 7 Nov 2019 04:02:51 +0000 (23:02 -0500)]
Fix SPNEGO output parameter bugs
When accepting, do not leak a name if the underlying mech reports a
src_name twice. Record mech_type and delegated_cred_handle and report
them to the caller at the final SPNEGO step, not when the underlying
mech reports them.
When initiating or accepting, report ret_flags at every step, and
filter out PROT_READY as required by RFC 4178 section 3.1. Report a
time_rec value at the final step even if we didn't call into the
underlying mech, using a call to gss_context_time() if necessary.
In the mechglue, initialize ret_flags and time_rec for both
gss_initialize_sec_context() and gss_accept_sec_context().
Greg Hudson [Tue, 5 Nov 2019 21:51:02 +0000 (16:51 -0500)]
Restrict SPNEGO acceptor mechs by cred acquisition
When the default cred is used, the SPNEGO initiator restricts the list
of negotiable mechanisms to those we can acquire a cred for, so that
we don't propose a mech we know can't work. The acceptor should do
the same.
Greg Hudson [Wed, 23 Oct 2019 22:31:05 +0000 (18:31 -0400)]
Simplify AS request time handling in KDC
The kdc_time and authtime fields of struct as_req_state are redundant
and can be condensed to just kdc_time. Copying the times structure
from enc_tkt_reply to reply_encpart already sets the authtime field to
kdc_time, so there is no need to repeat that assignment.
Also remove two prototypes for functions which never existed in the
mainline KDC code.
In process_as_req(), get the current time before any KDB lookups, so
that KDB modules can more correctly audit how long the processing of
an AS request takes.
Isaac Boukris [Tue, 15 Oct 2019 17:41:49 +0000 (20:41 +0300)]
Allow client canonicalization in non-krbtgt AS-REP
If a caller makes an AS-REQ with the canonicalize flag set (or with an
enterprise client principal or the anonymous flag), always allow the
KDC to change the client principal. Continue to restrict server name
changes to requests for TGS principals.
Also remove the conditional for setting canon_ok for fully anonymous
requests. Both kinds of anonymous requests change the client
principal or realm, but neither kind changes the server principal or
realm, so this logic is no longer needed now that canon_ok only
applies to server name changes.
Greg Hudson [Wed, 23 Oct 2019 04:48:25 +0000 (00:48 -0400)]
Work around glibc bug 11941 (dlclose assertion)
When building against glibc 2.24 or earlier, suppress calls to
dlclose() to prevent the assertion failure "_dl_close: Assertion
`map->l_init_called' failed" at process exit. We need this workaround
to enable automated tests that load GSSAPI modules.
Greg Hudson [Mon, 21 Oct 2019 14:29:35 +0000 (10:29 -0400)]
Fix gssalloc_realloc() on Windows
gss_inquire_sec_context_by_oid(GSS_C_INQ_SSPI_SESSION_KEY) fails on
Windows because generic_gss_add_buffer_set_member() relies on the
ability to realloc() a null pointer. Unlike realloc(), HeapReAlloc()
requires an input pointer that (from the MSDN documentation) "is
returned by an earlier call to the HeapAlloc or HeapReAlloc function".
So gssalloc_realloc() must test for null inputs and call HeapAlloc()
instead.
Greg Hudson [Thu, 17 Oct 2019 04:52:04 +0000 (00:52 -0400)]
Improve argument validation in some GSS APIs
The prevailing discpline of public GSS APIs is to set output
parameters to default values, then validate input parameters. Some
more recent APIs did not do this consistently, leading to the
possibility of minor_status retaining its previous value or similar
issues.
Greg Hudson [Sun, 6 Oct 2019 22:35:50 +0000 (18:35 -0400)]
Accept GSS mechs which don't supply attributes
If gss_inquire_attrs_for_mech() is called for a mechanism which does
not implement it, the call will succeed with mech_attrs set to
GSS_C_NO_OID_SET (as is explicitly allowed by RFC 5587).
generic_gss_test_oid_set_member() returns an error on this value,
causing gss_accept_sec_context() to erroneously deny the mechanism
when no verifier credential handle is supplied. Change
allow_mech_by_default() to explicitly check for no mech attribute set.
Greg Hudson [Mon, 21 Oct 2019 17:56:55 +0000 (13:56 -0400)]
Fix t_otp.py for pyrad 2.2
pyrad 2.2 throws a KeyError exception in DecodePacket if any
attributes from the packet are not defined in the dictionary. Add a
dictionary entry for Service-Type so this doesn't happen.
Commit 8d8e68283b599e680f9fe45eff8af397e827bd6c logs both invalid and
deprecated enctypes as "DEPRECATED:". An invalid enctype might be too
old or marginal to be supported (like single-DES) or too new to be
recognized. For clarity, prefix invalid enctypes with "UNSUPPORTED:"
instead.
Commit 969331732b62e73d1e073ff3ad87bf1774ee9fd1 (ticket 7369) removed
the code to return UPDATE_BUSY if the database was modified within the
last ten seconds, but did not remove the corresponding documentation
text. Remove it now.
Remove ldapbackend.rst, as it is largely redundant with conf_ldap.rst.
Simplify conf_ldap.rst, using kerberos.openldap.ldif (added by ticket
8529) and removing unnecessary command arguments. Mention the
possibility of using SASL authentication (added by ticket 7944) as an
alternative to binding with DN and password. Remove unnecessary
access rights.
In kdc_conf.rst, remove ldap_servers from the list of relations read
from [dbdefaults], as it is only read from the realm's database
configuration section.
In kdb5_ldap_util.rst, document "-r" as a global parameter, as it
applies in some fashion to all commands. Make the same changes to the
kdb5_ldap_util usage message, and make it fit within 80 columns.
If the environment variable GSS_MECH_CONFIG is set (and the process is
not privileged), read it instead of /etc/gss/mech or files within
/etc/gss/mech.d.
Set GSS_MECH_CONFIG in test frameworks so that system configuration
does not interfere with tests.
Fix documentation to indicate that the default mech config file is in
sysconfdir, not necessarily /etc.
Commit c426ef2ca2ba45dbf96f5380cf7d153ec0679424 added
KRB5_PADATA_PAC_OPTIONS to krb5.hin, but did not put it in an API
index, causing a documentation build failure. Add it now.
Robbie Harwood [Fri, 30 Aug 2019 15:19:52 +0000 (11:19 -0400)]
Remove null check in krb5_gss_duplicate_name()
Within the krb5 mechanism, we require minor_status to be writable
without checking. Remove the null check in krb5_gss_duplicate_name()
to squash a forward-null defect.
Robbie Harwood [Fri, 30 Aug 2019 15:16:58 +0000 (11:16 -0400)]
Squash apparent forward-null in clnttcp_create()
clnttcp_create() only allows raddr to be NULL if *sockp is set.
Static analyzers cannot know this, so can report a forward null
defect. Add an raddr check before calling connect() to squash the
defect.
Isaac Boukris [Sun, 12 May 2019 11:20:29 +0000 (11:20 +0000)]
Add tests for local and cross-realm RBCD requests
Add fake PAC generation and verification facilities to the test KDB
module, and implement the get_authdata_info() and
allowed_to_delegate_from() methods. In t_s4u.py, construct realms
using the test KDB module and test a variety of RBCD scenarios.
Greg Hudson [Thu, 22 Aug 2019 16:38:14 +0000 (12:38 -0400)]
Add minimal cross-realm support to test KDB module
Cross-realm is already possible with the test KDB module, but because
the lookup realm is not included in the profile query or key
derivation, inbound cross-TGTs are implicit and use the same keys as
the local TGT, potentially obscuring bugs. Add the lookup realm to
key derivation so that they use different keys.
Isaac Boukris [Mon, 24 Jun 2019 10:06:38 +0000 (13:06 +0300)]
Fix authdata signatures for non-TGT AS-REQs
PACs (as well as anything wrapped in CAMMAC) should be signed using
the local TGT key. Cross-realm TGS requests, ticket renewal and
validation requests, and non-TGT AS requests currently do not pass the
local TGT DB entry or its key to sign_authdata(), forcing the KDB
module to do a redundant lookup in order to properly sign PACs.
Rename the existing krbtgt and krbtgt_key parameters to header_server
and header_key, to better indicate that they are for the header ticket
server. For AS requests, pass NULL for these parameters instead of
passing a duplicate of server/server_key.
Add local_tgt and local_tgt_key parameters for the realm's local TGT
and its first key.
Isaac Boukris [Wed, 7 Aug 2019 19:39:10 +0000 (19:39 +0000)]
Add API to get client account name from PAC
Add a krb5_pac_get_client_info() API to interpret the PAC_CLIENT_INFO
buffer of a PAC. This API is needed by KDB plugin modules to set the
reply client for cross-realm RBCD requests.
Isaac Boukris [Wed, 7 Aug 2019 19:41:25 +0000 (19:41 +0000)]
Add KDC support for RBCD requests
Add two new KDB methods to support resource-based constrained
delegation. The get_authdata_info method extracts the client
principal for the authdata (necessary for cross-realm RBCD requests as
the evidence ticket is a cross-realm TGT with the requested client's
authdata), and also returns an opaque pointer for consumption by other
KDB methods. The allowed_to_delegate_from method performs a
constrained delegation policy check on the principal entry of the
target principal.
Add the server principal and abstract authdata representation to the
sign_authdata method. Also pass the second ticket server as
header_server since we pass the authorization data from the second
ticket, and pass the impersonated client (if it is in the local realm)
as client instead of the impersonator.
Add core KDC code for RBCD requests. For local RBCD requests
(impersonator and target in the same realm), KDC handling is similar
to existing constrained delegation support. The evidence ticket is
not required to be forwardable, and allowed_to_delegate_from is used
in preference to check_allowed_to_delegate.
For cross-realm RBCD requests, the KDC could be in the impersonator
realm, the target realm, or in a transit realm between the two. In
the transit realm case, the request looks like a regular cross-realm
request for a krbtgt service except for the information in the PAC, so
this case is handled by the KDB module sign_authdata() method.
[ghudson@mit.edu: made style and documentation edits; edited commit
message]
Isaac Boukris [Sat, 3 Aug 2019 21:57:14 +0000 (21:57 +0000)]
Add KDC support functions for PA-PAC-OPTIONS
Add helper functions kdc_get_pa_pac_options() and
kdc_add_pa_pac_options(), to retrieve PA-PAC-OPTIONS values from
request padata and to set a PA-PAC-OPTIONS value in encrypted padata.
Don't actually call kdc_add_pa_pac_options() yet.
[ghudson@mit.edu: rewrote commit message; minor style edits]
Isaac Boukris [Tue, 12 Mar 2019 19:59:55 +0000 (21:59 +0200)]
S4U2Proxy evidence tickets needn't be forwardable
With the introduction of resource-based constrained delegation, the
absence of the forwardable flag no longer implies that a ticket cannot
be used for constrained delegation requests.
Instead, we should check in the PAC to see if the user is marked as
sensitive, and error out in that case rather than making a failed
request. But we don't always have access to the PAC and we currently
do not have the code to retrieve this attribute from the PAC.
Since krb5_get_credentials_for_proxy() no longer needs to look at the
decrypted ticket, change kvno to not require a keytab for constrained
delegation.
[ghudson@mit.edu: made minor style changes and commit message edits;
updated documentation]
Isaac Boukris [Thu, 20 Jun 2019 05:00:06 +0000 (05:00 +0000)]
Add RBCD client support
When making S4U2Proxy requests, include a PA-PAC-OPTIONS pa-data
element advertising resource-based constrained delegation support. If
the KDC returns a referral TGT for the initial request and advertises
RBCD support, chase referrals to the target realm with both a regular
and proxy TGT, and make an S4U2Proxy request to the target realm with
the proxy TGT as evidence ticket.
Because cross-realm S4U2Proxy requests must use referrals, an explicit
foreign realm in the server name cannot be honored. In the GSSAPI
krb5 mech, if a host-based server name is used, omit the realm (if one
was obtained from [domain_realm] or similar) when calling
krb5_get_credentials() for constrained delegation.
[ghudson@mit.edu: rewrote commit message; made style changes]
Isaac Boukris [Sun, 16 Jun 2019 21:21:38 +0000 (00:21 +0300)]
Move S4U2Proxy client code to s4u_creds.c
Add an internal libkrb5 interface k5_get_proxy_cred_from_kdc(), which
implements S4U2Proxy requests synchronously. Call it from
krb5_get_credentials() if constrained delegation is requested.
[ghudson@mit.edu: rewrote commit message; made style changes]
Greg Hudson [Thu, 22 Aug 2019 20:19:12 +0000 (16:19 -0400)]
Simplify krb5_dbe_def_search_enctype()
Key data is now sorted in descending kvno order (since commit 44ad57d8d38efc944f64536354435f5b721c0ee0) and key enctypes can be
compared with a simple equality test (since single-DES support was
removed in commit fb2dada5eb89c4cd4e39dedd6dbb7dbd5e94f8b8). Use
these assumptions to simplify krb5_dbe_def_search_enctype().
The rewrite contains one probably-unnoticeable bugfix: if enctype,
salttype, and kvno are all given as -1 in a repeated search, yield all
key entries of permitted enctype, not just entries of the maximum
kvno.
Greg Hudson [Wed, 7 Aug 2019 21:51:17 +0000 (17:51 -0400)]
Allow the KDB to see and modify auth indicators
Amend the sign_authdata method signature to include a modifiable
auth_indicators array. Bump the DAL major version and the libkdb5
soname. Add a test case using the test KDB module.
Greg Hudson [Thu, 22 Aug 2019 06:04:28 +0000 (02:04 -0400)]
Track first local TGT key in KDC code
Decrypt the first local TGT key in get_local_tgt() and save it in the
AS and TGS processing functions. (As we now sort key data by
descending kvno, this is guaranteed to be the most recent key.) Pass
this key to the authdata and FAST cookie functions to simplify cookie
encryption and authdata signing. Decryption and verification
functions must still sometimes decrypt earlier keys to process tickets
predating the last local TGT key rollover.
Isaac Boukris [Sat, 17 Aug 2019 22:59:25 +0000 (22:59 +0000)]
Change definition of KRB5_KDB_FLAG_CROSS_REALM
Set the CROSS_REALM flag if the header ticket was issued by a
different realm, instead of when the client is part of a different
realm. The affected corner cases are:
* In the final request of a cross-realm S4U2Self request, the header
ticket client is local but the header ticket was issued by a
different realm. The CROSS_REALM flag will now be set in this case.
* If a foreign client renews or validates a locally issued ticket, the
CROSS_REALM flag will no longer be set.
* If a foreign client requests a local TGT and then uses it to make a
request, the CROSS_REALM flag will no longer be set.
Also add a new flag KRB5_KDB_FLAG_ISSUING_REFERRAL, which is set when
the KDC decides to issue a referral or alternate TGT. Use the new
flag meanings to simplify S4U2Self processing.
[ghudson@mit.edu: edited comments and commit messages]
Greg Hudson [Mon, 19 Aug 2019 04:51:07 +0000 (00:51 -0400)]
Remove KRB5_KDB_XREALM_NON_TRANSITIVE code
validate_transit_path() was introduced in the mskrb-integ merge, but
the flag it enforces has no documentation and no kadmin support.
Remove the function and the flag. Also remove the
KRB5_KDB_TICKET_GRANTING_SERVICE flag which has no associated code.
Greg Hudson [Fri, 9 Aug 2019 05:17:54 +0000 (01:17 -0400)]
Improve daemon checking in Python test scripts
If a daemon exits early and we detect it with check_daemon(), avoid
trying to terminate it again as the process entry will have been
reaped. Check all daemons on successful exit and exit with an error
if any daemons exited early.
Also remove a piece of Python 2.5 compatibility code which is no
longer relevant with Python 3.
Greg Hudson [Wed, 14 Aug 2019 15:46:14 +0000 (11:46 -0400)]
Don't skip past zero byte in profile parsing
In parse_quoted_string(), only process an escape sequence if there is
a second character after the backlash, to avoid reading past the
terminating zero byte. Reported by Lutz Justen.
projects / thirdparty / krb5.git / log
