Greg Hudson [Thu, 18 Jun 2020 00:48:38 +0000 (20:48 -0400)]
Add three kvno options from Heimdal kgetcred
Add the flags --cached-only and --no-store, which pass the
corresponding options to krb5_get_credentials(). Add the option
--out-cache to write the retrieved credentials to a specified output
cache.
Add a Python test script for kvno command-line options, including
tests for the new options.
Isaac Boukris [Tue, 9 Jun 2020 22:32:56 +0000 (01:32 +0300)]
Interop with Heimdal KDC for S4U2Self requests
[MS-SFU] 3.1.5.1.1.1 says the KDC SHOULD send PA_S4U_X509_USER pa-data
if the TGT session key is of a newer enctype. Our S4U2Self client
code has enforced this clause as if it were a MUST. For consistency
with Microsoft and interoperability with Heimdal (which does not
implement PA_S4U_X509_USER), stop enforcing this constraint.
[ghudson@mit.edu: compressed code slightly; wrote commit message]
Nikhil Benesch [Sat, 13 Jun 2020 23:54:34 +0000 (19:54 -0400)]
Try to find <target>-ar when cross compiling
Teach the configure script to look for an ar tool prefixed with the
target triple (i.e., `<target>-ar`) when cross compiling. This matches
the behavior for tools that have built-in autoconf macros, like ranlib.
(For some reason there is no AC_PROG_AR macro.)
Also, remove the AC_PROG_ARCHIVE and AC_PROG_ARCHIVE_ADD macros, which
have been dead code since 780b34cd.
With this change, cross compiling libkrb5 works a bit better out of the
box.
Robbie Harwood [Tue, 9 Jun 2020 20:23:37 +0000 (16:23 -0400)]
Improve negoex_parse_token() code hygiene
If the while loop in negoex_parse_token() runs for zero iterations,
major will be used uninitialized. Currently this cannot happen, but
only because both of the call sites check for zero-length tokens.
Initialize major for safety.
Greg Hudson [Thu, 4 Jun 2020 17:19:53 +0000 (13:19 -0400)]
Set pw_expiration during LDAP load
When loading a principal entry in process_k5beta7_princ(), set the
KADM5_PW_EXPIRATION mask bit so that the password expiration time is
set on the principal entry. Add a regression test.
Greg Hudson [Wed, 27 May 2020 22:48:35 +0000 (18:48 -0400)]
Default dns_canonicalize_hostname to "fallback"
This change should mitigate some of the pain caused by the rdns=true
default (generally associated with unwanted PTR records that cannot
easily be changed), with a minimum of fallout.
Update the documentation and tests accordingly. In test environments,
disable qualify_shortname and use the uncanonicalized system hostname
(lowercased) to match the initial sn2princ result.
Greg Hudson [Fri, 22 May 2020 17:10:36 +0000 (13:10 -0400)]
Return GSS_S_NO_CRED from krb5 gss_acquire_cred
Earlier versions of the GSS-API spec (RFCs 1508 and 2078) do not list
GSS_S_NO_CRED as a valid error code for gss_acquire_cred. As a
result, the OpenVision developers of the GSSAPI krb5 mech created
GSS_S_CRED_UNAVAIL as an alias for GSS_S_FAILURE and returned it when
no valid credentials could be obtained. RFC 2743 lists GSS_S_NO_CRED
as the proper return code when matching credentials cannot be
accessed. Change the krb5 gss_acquire_cred() implementation to return
GSS_S_NO_CRED where it currently returns GSS_S_CRED_UNAVAIL.
Also stop using GSS_S_CRED_UNAVAIL in the krb5 gss_store_cred(), but
change it to explicitly use GSS_S_FAILURE instead. RFC 5588 specifies
GSS_S_NO_CRED as indicating a problem with input_cred_handle, not the
receiving store, so GSS_S_NO_CRED would be inappropriate.
Greg Hudson [Thu, 21 May 2020 18:15:25 +0000 (14:15 -0400)]
Fix SPNEGO acceptor mech filtering
Commit c2ca2f26eaf817a6a7ed42257c380437ab802bd9 (ticket 8851)
accidentally changed the SPNEGO acceptor code to filter mechanisms by
the obtainability of initiator credentials rather than acceptor
credentials, when the default acceptor credential is used.
Isaac Boukris [Thu, 19 Mar 2020 23:17:28 +0000 (00:17 +0100)]
Add channel bindings tests
[ghudson@mit.edu: adjusted test program to output channel-bound state
instead of optionally enforcing it; adjusted tests to check program
output; split out tests into separate Python script; made cosmetic
changes]
Isaac Boukris [Tue, 10 Mar 2020 12:13:17 +0000 (13:13 +0100)]
Add client_aware_channel_bindings option
Add client support for KERB_AP_OPTIONS_CBT in the form of a profile
option "client_aware_gss_bindings". Adjust the make_etype_list()
helper so that enctype negotiation and AP_OPTIONS can be included in
the same IF-RELEVANT wrapper.
[ghudson@mit.edu: refactored; edited documentation; wrote commit
message]
Isaac Boukris [Mon, 9 Mar 2020 15:04:21 +0000 (16:04 +0100)]
Implement KERB_AP_OPTIONS_CBT (server side)
Add server support for Microsoft's KERB_AP_OPTIONS_CBT as described in
MS-KILE. If the client includes the AP option in the authenticator
authdata and the server passed channel bindings, require the bindings
to match.
[ghudson@mit.edu: refactored to put more logic in the helper function;
added a comment; clarified commit message]
Define a new channel-bound GSS return flag, and set it in the krb5
mech if the initiator sent channel bindings matching the acceptor's.
Do not error out if the acceptor specifies channel bindings and the
initiator does not send them.
[ghudson@mit.edu: simplified code changes; fleshed out commit message]
[iboukris: cherry-picked from another PR and reduced in scope]
Greg Hudson [Wed, 13 May 2020 17:01:31 +0000 (13:01 -0400)]
Add KDC helpers for current key and kvno
Add a simple static inline function current_kvno() to safely fetch the
current kvno of a principal entry, and use it where we currently write
entry->key_data[0].key_data_kvno.
Add a function get_first_current_key() to find and decrypt the first
valid current key from an entry. Use it in get_local_tgt() and when
selecting a ticket encryption key during AS and TGS processing.
Add a local_tgt_key field to krb5_kdcpreauth_rock_st and use it in
add_freshness_token() so we don't have to decrypt it again.
Greg Hudson [Wed, 13 May 2020 17:05:49 +0000 (13:05 -0400)]
Prevent use of invalid local TGT key
Commit 570967e11bd5ea60a82fc8157ad7d07602402ebb took a shortcut in
get_local_tgt() by using the first key data entry in the TGT principal
entry. This is usually correct, but if the first key data entry has
an invalid enctype (such as a single-DES enctype), we can select a key
we can't use. Call krb5_dbe_find_enctype() instead. Reported by
Leonard Peirce.
Greg Hudson [Sun, 10 May 2020 16:59:24 +0000 (12:59 -0400)]
Add stubs for some removed replay cache functions
Commit dcb853ac32779b173f39e19c0f24b0087de85771 removed some replay
cache functions that haven't been considered part of the libkrb5 API.
Some of these functions were used in OpenSSL (despite the lack of
prototypes) prior to the OpenSSL 1.1 release. Run-time linker errors
can occur if an OpenSSL 1.0.x (or earlier) libssl is used with a 1.18
libkrb5, even though the Kerberos code would likely never be used.
Add stubs for the four functions historically used in OpenSSL.
Greg Hudson [Sun, 10 May 2020 16:25:52 +0000 (12:25 -0400)]
Add KRB5_PRINCIPAL_PARSE_NO_DEF_REALM flag
Implement KRB5_PRINCIPAL_PARSE_NO_DEF_REALM from Heimdal. This flag
for krb5_parse_name_flags() suppresses the addition of the default
realm, but allows and preserves the realm if one is specified in the
string.
Greg Hudson [Wed, 6 May 2020 20:03:13 +0000 (16:03 -0400)]
Omit KDC indicator check for S4U2Self requests
As there was no initial ticket exchange from the client for an
S4U2Self request, the auth indicator check is inapplicable (and would
always fail if any auth indicators are required).
Commit 24b844714dea3e47b17511746b5df5b6ddf13d43 (ticket 8845) added
releases of sc->internal_name and sc->deleg_cred before calling the
underlying mech's gss_accept_sec_context(), to avoid a potential leak
if the mech reports a value multiple times. Commit
c2ca2f26eaf817a6a7ed42257c380437ab802bd9 (ticket 8851) added a branch
which calls negoex_accept() instead of calling directly into the
underlying mech. If negoex_accept() doesn't call into the mech on the
last acceptor leg, the src_name and deleg_cred values from the final
mech call are lost.
Move the releases to the non-NegoEx branch. negoex_accept() already
does its own releases when it calls into the mech.
Commit d439e370b70f7af4ed2da9c692a3be7dcf7b4ac6 (ticket 8800) caused
ksu to ignore KRB5CCNAME from the environment. ksu uses euid
switching to access the source cache, and should honor KRB5CCNAME to
find the ccache to potentially authorize the su operation.
Add a helper function init_ksu_context() to create the ksu context,
with explicit code to honor KRB5CCNAME using
krb5_cc_set_default_name().
Always use six digits with leading 0s to format the microseconds in
trace log timestamps; otherwise a small value appears as too large of
a fraction of a second.
Greg Hudson [Mon, 30 Mar 2020 19:26:02 +0000 (15:26 -0400)]
Correctly import "service@" GSS host-based name
The intended way to specify only a service in a GSS host-based name is
to omit the "@" separator. Some applications include the separator
but no hostname, and this happened to yield wildcard hostname behavior
prior to commit 996353767fe8afa7f67a3b5b465e4d70e18bad7c when
shortname qualification was added. To restore this behavior, check in
parse_hostbased() that at least one character is present after the "@"
separator before copying the hostname. Add a test case to t_gssapi.py.
Greg Hudson [Tue, 24 Mar 2020 06:00:25 +0000 (02:00 -0400)]
Make fiat 128-bit typedefs work with older gcc
Use the int128_t and uint128_t types defined by edwards25519.c, rather
than [un]signed __int128 which does not compile with gcc 4.4.
Reported by Norm Green.
Greg Hudson [Mon, 23 Mar 2020 23:10:03 +0000 (19:10 -0400)]
Eliminate redundant PKINIT responder invocation
In pkinit_client_prep_questions(), only act if the input padata type
is KRB5_PADATA_PK_AS_REQ. Otherwise we will ask questions again when
the KDC issues a ticket.
Commit 7621d2f9a87214327ca3b2594e34dc7cea84596b (ticket 8242)
unintentionally changed the behavior of pkinit_load_fs_cert_and_key(),
causing pkinit_client_prep_questions() to do nothing on its first
call. Restore the original behavior of returning 0 when prompting is
deferred.
Modify the existing "FILE identity, password on key (responder)"
PKINIT test to check that the responder is only invoked once.
Jiri Sasek [Fri, 13 Mar 2020 18:02:58 +0000 (19:02 +0100)]
Add finalization safety check to com_err
If the linker erroneously runs the libkrb5 finalizer after the
libcom_err finalizer, the consequent remove_error_table() calls could
crash due to accessing a destroyed mutex or an invalid et_list
pointer. Add an unsynchronized check on finalized in
remove_error_table(), and set et_list to null in com_err_terminate()
after destroying the list.
[ghudson@mit.edu: minimized code changes; rewrote comment and commit
message]
Isaac Boukris [Wed, 29 Jan 2020 21:35:50 +0000 (22:35 +0100)]
Change KDC constrained-delegation precedence order
MS-SFU errata from 2019/12/09 indicates that legacy constrained
delegation should be preferred over resource-based constrained
delegation, which results in slight differences.
Also clarify that in the get_authdata_info KDB method, the PAC must be
verified and checked for user sensitivity for S4U2Proxy. Document
that the client name should only be provided in the cross-realm
S4U2Proxy case.
[ghudson@mit.edu: clarified comments and commit message]
Greg Hudson [Wed, 4 Mar 2020 22:18:51 +0000 (17:18 -0500)]
Use two queues for concurrent t_otp.py daemons
t_otp.py occasionally fails during the #8708 regression test, reading
a true answer instead of the expected false answer during the first
verify() call. Most likely the daemons are writing their answers to
the shared queue out of order. Use a separate queue for the second
daemon to ensure correct correlation of results.
Robbie Harwood [Wed, 26 Feb 2020 23:27:17 +0000 (18:27 -0500)]
Refresh manually acquired creds from client keytab
If a client keytab is present but credentials are acquired manually,
the credentials would not be refreshed because no refresh_time config
var is set in the cache. Change kg_cred_time_to_refresh() to attempt
a refresh from the client keytab on any credentials which will expire
in the next 30 seconds.
[ghudson@mit.edu: adjusted code and added test case]
TBK [Wed, 26 Feb 2020 20:12:45 +0000 (21:12 +0100)]
Fix Linux build error with musl libc
Commit bf5953c549a6d279977df69ffe89b2ba51460eaf caused a build failure
on non-glibc Linux build environments. Change the conditionalization
so that __GLIBC_PREREQ will only be used if it is defined.
Greg Hudson [Tue, 25 Feb 2020 16:32:09 +0000 (11:32 -0500)]
Allow deletion of require_auth with LDAP KDB
In update_ldap_mod_auth_ind(), if there is no string attribute value
for require_auth, check for krbPrincipalAuthInd attributes that might
need to be removed. (This will only work if the entry is loaded and
then modified, but that is the normal case for an existing entry.)
Move the update_ldap_mod_auth_ind() call inside the tl-data
conditional (which should perhaps be a check for KADM5_TL_DATA in the
mask instead). A modification which did not intend to update tl-data
should not remove the krbPrincipalAuthInd attributes.
Change get_int_from_tl_data() to zero its output so that it can't
leave a garbage value behind if it returns 0 (as it does if no
KDB_TL_USER_INFO tl-data is present).
Greg Hudson [Wed, 19 Feb 2020 20:36:38 +0000 (15:36 -0500)]
Fix AS-REQ checking of KDB-modified indicators
Commit 7196c03f18f14695abeb5ae4923004469b172f0f (ticket 8823) gave the
KDB the ability to modify auth indicators, but it happens after the
asserted indicators are checked against the server principal
requirements. In finish_process_as_req(), move the call to
check_indicators() after the call to handle_authdata() so that the
final indicator list is checked.
For the test case, add string attribute functionality to the test KDB
module, and fix a bug where test_get_principal() would return failure
if a principal has no keys. Also add a test case for AS-REQ
enforcement of normally asserted auth indicators.
Greg Hudson [Sun, 16 Feb 2020 01:34:23 +0000 (20:34 -0500)]
Replace gssrpc tests with a Python script
Replace the dejagnu RPC test framework with a short Python script to
do the same tests as fullrun.exp and gsserr.exp. Modify the server
test program to facilitate use by k5test.py.
expire.exp, together with a comment in the client test program, was
designed to test a libdb2 btree bug via the gssrpc server-side
authentication code. That code was subsequently changed not to use
libdb2, before it was merged into the main krb5 tree (in revision 1.23
of svc_auth_gssapi.c, according to the changelog removed in commit
2a43d772be1e45faa8e488d436b6e867371563fb). Remove the comment and do
not replace that test sequence.
Michael Mattioli [Tue, 26 Nov 2019 02:28:57 +0000 (21:28 -0500)]
Use GitHub Actions for CI
Use GitHub Actions instead of Travis and AppVeyor.
In the Windows installer config, add support for Visual Studio 2019
(aka 16.0).
[ghudson@mit.edu: switched to Ubuntu 18.04 for Linux builds; removed
macOS build job for now; added more packages to avoid skipping tests;
made it easier to see skipped tests and to see files not cleaned;
added make install command; adjusted Windows build path]
Isaac Boukris [Thu, 30 Jan 2020 18:38:44 +0000 (19:38 +0100)]
Always use S4U2Proxy second ticket parsed authdata
When the KDC handles an S4U2Proxy request, if the KDB module returned
parsed authdata for the header ticket and not for the second ticket,
we could erroneously pass the header ticket's parsed authdata to
handle_authdata(). Make sure we always pass the parsed authdata for
the second ticket.
Greg Hudson [Wed, 5 Feb 2020 23:46:11 +0000 (18:46 -0500)]
Refactor KDC authdata list management helpers
Remove the unused concat_authorization_data(). Split merge_authdata()
into two helpers, one to destructively merge without filtering and one
to add copied elements while filtering out KDC-only authdata types.
Remove context parameters where they aren't needed (taking advantage
of knowledge that some libkrb5 functions don't use their context
parameters).
Isaac Boukris [Sat, 1 Feb 2020 12:21:39 +0000 (13:21 +0100)]
Test that PAC is the first authdata element
In the test KDB module, set the PAC as the first authdata element. In
adata.c, add PAC service verification and verify that a PAC does not
appear in authdata elements after the first.
[ghudson@mit.edu: minor style changes; edited commit message]
Isaac Boukris [Sat, 1 Feb 2020 15:13:30 +0000 (16:13 +0100)]
Put KDB authdata first
Windows services, as well as some versions of Samba, may refuse
tickets if the PAC is not in the first AD-IF-RELEVANT container. In
fetch_kdb_authdata(), change the merge order so that authdata from the
KDB module appears first.
[ghudson@mit.edu: added comment and clarified commit message]
Robbie Harwood [Thu, 23 Jan 2020 18:09:00 +0000 (13:09 -0500)]
Remove private mutators for context enctypes
krb5_set_default_in_tkt_ktypes() and krb5_set_default_tgs_ktypes() are
not part of the API and are only used in test programs, so remove
them. Also remove the now-unused in_tkt_etypes field from
krb5_context. Update test suite consumers.
Fix a minor bug wherein the etinfo executable would not correctly
print its usage text.
[ghudson@mit.edu: adapted some tests rather than remove them]
Isaac Boukris [Sun, 26 Jan 2020 20:49:47 +0000 (21:49 +0100)]
Zero length fields when freeing object contents
In krb5_free_data_contents() and krb5_free_checksum_contents(), zero
the length as well as the data pointer to leave the object in a valid
state. Add asserts to existing test harnesses to verify the new
behavior.
In the krb5 GSS mech's kg_checksum_channel_bindings(), remove the code
to reallocate the checksum with xmalloc(), as it relied on
krb5_free_checksum_contents() leaving the object in an invalid state.
This code was added in commit a30fb4c4400f13a2690df7ef910b7ac0ccbcf194
to match an xfree() call, but commit
29337e7c7b796685fb6a03466d32147e17aa2d16 replaced that xfree() with a
krb5_free_checksum_contents(). (In addition, the xmalloc and xfree
wrappers never evolved to do anything beyond malloc and free.)
In kpropd's recv_database(), don't free outbuf until we are done using
its length.
Greg Hudson [Fri, 24 Jan 2020 15:25:18 +0000 (10:25 -0500)]
Honor transited-policy-checked flag in servers
For consistency with Heimdal and simplicity of server configuration,
do not check the transited field in krb5_rd_req() if the
transited-policy-checked flag is set in the ticket.
Add a cross-realm test using the gcred and rdreq harnesses to test
server transited processing. Also fix the KDC capaths case so that
the client actually doesn't know the path to the server realm. In
k5test.py, adjust _cfg_merge() to remove keys mapped to None in the
second dictionary (instead of mapping them to None in the result), so
that deleting whole sections works. Remove the corresponding check
for None in _write_cfg_section() as it is no longer needed.
Greg Hudson [Thu, 23 Jan 2020 19:49:24 +0000 (14:49 -0500)]
Further simplify test KDB module authdata code
Commit 94f7c9705879500b1dc8dda8592490efce05688f simplified the
generation of authdata elements, but left behind some unnecessary
conditionalization when assembling the elements into a list, causing a
Coverity defect. Further simplify the code.
Robbie Harwood [Tue, 14 Jan 2020 19:23:00 +0000 (14:23 -0500)]
Apply permitted_enctypes to KDC request enctypes
permitted_enctypes was initially intended only to restrict the
processing of AP requests (and was later applied to KDB key data
searches so that the KDC wouldn't issue a ticket it would refuse to
accept). Because the documentation was never clear about its scope,
many configurations assume that permitted_enctypes also applies to
clients.
In light of the existing configurations, take the simple way out and
use permitted_enctypes as the default for default_tkt_enctypes and
default_tgs_enctypes. Update the documentation, add a test to
explicitly check the new behavior, and remove now-unnecessary
configuration from the test suite.
[ghudson@mit.edu: unrolled helper function; edited documentation and
commit message; simplified test case]
Isaac Boukris [Wed, 15 Jan 2020 10:14:00 +0000 (11:14 +0100)]
Allow cross-realm RBCD with PAC and other authdata
For cross-realm S4U2Proxy requests, require a PAC to be present to
bypass signedpath verification, but do not require it to be the only
authdata element. For within-realm requests, add and verify
signedpath authdata regardless of the presence of a PAC.
Simplify the test KDB authdata module and the existing RBCD tests as
we no longer need a way to suppress the test module's KDB authdata.
[ghudson@mit.edu: rewrote commit message; reordered a condition for
efficiency]
Isaac Boukris [Wed, 15 Jan 2020 12:54:44 +0000 (13:54 +0100)]
Fix KDC crash in handle_signticket
Commit d47f7dba3779c9e36e1dedaac830dac1dd248fb3 changed the parameters
passed to sign_authdata() for S4U2Proxy requests so that client is the
entry for the impersonated client (not the impersonator), and added a
new parameter for the impersonator entry. It should have changed the
call to handle_signticket() to use the impersonator entry. Fix the
handle_signticket() call, and change some parameter names to more
clearly indicate the flow of subject_server from process_tgs_req() to
handle_authdata() to its helpers.
Isaac Boukris [Thu, 12 Dec 2019 02:20:44 +0000 (03:20 +0100)]
Add tests for S4U request-authdata handling
In adata.c, look up the server in the keytab by ticket->server (which
has the canonicalized realm), to allow testing of cross-realm RBCD
(although unused for now).
In s4u2proxy.c, set KRB5_GC_CANONICALIZE to support RBCD, and add an
authdata request option. Add an s4u2self test harness with authdata
request option.
[ghudson@mit.edu: minor code simplifications; edited commit message]
Greg Hudson [Sat, 11 Jan 2020 04:47:34 +0000 (23:47 -0500)]
Fix error handling in gssint_mechglue_init()
In the unlikely event that one of the functions called by
gssint_mechglue_init() returns an error, return that error to the
caller rather than continuing on and discarding the error status.
Returning success when some of the operations failed could fool the
library finalizer into thinking that initialization completed.
Reported by Spencer Malone.
Isaac Boukris [Sun, 12 Jan 2020 17:57:10 +0000 (18:57 +0100)]
Restrict test KDB to local principals
Ignoring the lookup realm for principal matching could cause the test
KDB module to successfully look up entries (with the correct key data)
for principals that a real KDB wouldn't have, such as krbtgt/B@A
within realm C. Add a realm check to test_get_principal(), allowing
only local principal names or incoming cross-TGS names.
Robbie Harwood [Tue, 17 Dec 2019 22:37:41 +0000 (17:37 -0500)]
Fix LDAP policy enforcement of pw_expiration
In the LDAP backend, the change mask is used to determine what LDAP
attributes to update. As a result, password expiration was not set
from policy when running during addprinc, among other issues.
However, when the mask did not contain KADM5_PRINCIPAL, pw_expiration
would be applied regardless, which meant that (for instance) changing
the password would cause the password application to be applied.
Remove the check for KADM5_PRINCIPAL, and fix the mask to contain
KADM5_PW_EXPIRATION where appropriate. Add a regression test to
t_kdb.py.
[ghudson@mit.edu: also set KADM5_ATTRIBUTES for randkey and setkey
since they both unset KRB5_KDB_REQUIRES_PWCHANGE; edited comments and
commit message]
Greg Hudson [Thu, 19 Dec 2019 18:52:32 +0000 (13:52 -0500)]
Work around macOS SIP in the test suite
In macOS 10.11 and later with System Integrity Protection enabled,
system programs (including the shell) purge DYLD_LIBRARY_PATH from the
environment at startup. As a result, any part of "make check" which
runs via a shell script must explicitly restore the runtime
environment. Add a common rule for runenv.sh, and create and source
it where shell scripts are run. Dejagnu's runtest is a shell script,
so create a tcl file for the kadmin and RPC unit tests and source it
from unix.exp. Avoid using the shell to run commands in several
places. Use return_trace=True for tests that previously indirected
through /usr/bin/env.
Do not include <malloc.h> in t_parse_host_string.c, as it does not
exist on macOS and is not needed.
Skip the iprop tests on macOS when SIP is enabled, as signal
restrictions appear to prevent the kpropd child process from informing
the parent process that a full resync has completed.
In net-server.c, set SO_REUSEPORT as well as SO_REUSEADDR on listener
sockets. Otherwise the krb5kdc processes run by the test suite
sometimes fail to start with "address in use" errors.
In configure.ac, only generate po/Makefile if we will descend into it.
Greg Hudson [Tue, 10 Dec 2019 17:06:05 +0000 (12:06 -0500)]
Fix xdr_bytes() strict-aliasing violations
When xdr_bytes() is used for a gss_buffer_desc object, a temporary
character pointer must be used for the data value to avoid a strict
aliasing violation.
When xdr_bytes() is used for a krb5_keyblock object, a temporary
character pointer must also be used, even though the data pointer is
of type unsigned char *, to avoid a clang warning on macOS due to the
"#pragma pack" declaration in krb5.h.
Greg Hudson [Mon, 9 Dec 2019 16:42:47 +0000 (11:42 -0500)]
Add NegoEx assertion to squash defect
Coverity sees negoex_init() test whether input_token is null before
parsing messages, then dereference input_token in verify_checksum().
Of course verify_checksum() will not find a checksum message if no
messages were parsed. Add an assert to squash the false positive
forward-null defect.
Isaac Boukris [Wed, 25 Dec 2019 23:23:21 +0000 (00:23 +0100)]
Remove KRB5_KDB_FLAG_ALIAS_OK
It is simpler and more consistent with Windows to let the KDB module
always return aliases, and use KDC logic (already present) to decide
whether to use the requested or canonical principal name in the
ticket.
With the removal of this flag, "kinit alias" (without the -C flag)
against the LDAP KDB module will issue a ticket for the alias name,
instead of failing with a "client not found" error.
[ghudson@mit.edu: edited comments; wrote commit message]
Isaac Boukris [Sat, 2 Nov 2019 12:32:32 +0000 (13:32 +0100)]
Do not always canonicalize enterprise principals
When processing an AS request in the KDC, do not assume
KRB5_KDB_FLAG_CANONICALIZE for enterprise client names. This change
allows the KDB module to only canonicalize enterprise client names if
the canonicalize flag was set on the request, as Windows does. The
KDB module may check the principal type and apply canonicalization as
appropriate.
Robbie Harwood [Thu, 19 Dec 2019 22:49:05 +0000 (17:49 -0500)]
Don't warn in kadmin when no policy is specified
Not having policy defined is a normal occurrence. While it's a useful
message to log in case it's unexpected, the current form is
unnecessarily alarmist.
Greg Hudson [Thu, 19 Dec 2019 07:25:15 +0000 (02:25 -0500)]
Simplify keytab creation in kadmin and RPC tests
In init_db and init.exp, do not create an ovsec_adm.keytab; kadmind
has authenticated directly against the KDB since commit
416d9a774090ee78c30a844025887bd2b9e79d16. Since we no longer create
ovsec_adkm principals, perform the deletion and recreation tests with
kadmin/ principals.
In helpers.exp, use kadmin to create the server keytab file, instead
of using make-host-keytab.pl.
Remove environment variable settings for make-host-keytab.pl from
scripts that no longer use it.
Greg Hudson [Wed, 11 Dec 2019 17:09:27 +0000 (12:09 -0500)]
In mkrel, build documentation with python3
After commit 95830231758de259abbbccedbac01613f578768a, the
documentation cannot be built with Python 2. Run make with
"PYTHON=python3" to ensure that we use Python 3.
Add a mock NegoEx-only GSS module, a test program which establishes a
SPNEGO context, and a Python script to exercise a variety of NegoEx
negotiation scenarios.
Luke Howard [Wed, 26 Dec 2018 11:52:18 +0000 (22:52 +1100)]
Implement NegoEx
Implement draft-zhu-negoex. Mechanisms supporting the NegoEx GSS
extensions will be negotiated only through NegoEx, unless they assert
the GSS_C_MA_NEGOEX_AND_SPNEGO mech attribute, in which case they may
also be negotiated directly via SPNEGO.
Greg Hudson [Sat, 30 Nov 2019 01:39:38 +0000 (20:39 -0500)]
Qualify short hostnames when not using DNS
When DNS forward canonicalization is turned off or fails, qualify
single-component hostnames with the first DNS search domain. Add the
qualify_shortname relation to override this suffix.
For one of the tests we need to disable qualification, which is
accomplished with an empty value. Adjust k5test.py to correctly emit
empty values when writing profiles.
Greg Hudson [Tue, 3 Dec 2019 20:32:29 +0000 (15:32 -0500)]
Improve type safety of serialization code
Remove the serialization table from krb5_context, the functions to
find and register serializers, and the polymorphic serialization
functions. Instead, directly call per-type serialization functions
for the type of object we need to serialize.
Remove the krb5_context parameter from most serialization functions as
the interfaces are not public and the context is not needed.
Remove the ccache, keytab, and rcache serialization handlers as they
were not used.
In t_ser.c, repeat the externalize-internalize-reexternalize logic for
each type, but simplify the code by aborting on failure and removing
the verbose flag.
The krb5_context and krb5_keyblock sizing functions both reported an
extra four bytes. The new test program does not tolerate that
inconsistency, so fix them.