In get_mech_set(), check the length before reading the first byte, and
decrease the length by the tag byte when reading and verifying the
sequence length.
In get_req_flags(), check the length before reading the first byte,
and check the context tag length after decoding it.
When reading an OID in a SPNEGO token, use gssint_get_der_length()
rather than assuming the length fits in one byte. Although OID
lengths greater than 127 are unlikely, some NetApp products have been
observed to incorrectly encode the length in multiple bytes. Reported
by Richard Sharpe.
Greg Hudson [Wed, 26 Aug 2020 15:15:11 +0000 (11:15 -0400)]
Fix KRB5_GC_CACHED for S4U2Self requests
In krb5_get_credentials_for_user(), always exit after the first cache
check if KRB5_GC_CACHED is specified. Not making network requests
with this flag is more important than finding a post-realm-discovery
cached entry.
If KRB5_GC_CACHED is specified without a principal name, fail
immediately, as we cannot check the cache by certificate.
Greg Hudson [Thu, 25 Jun 2020 00:48:14 +0000 (20:48 -0400)]
Use the term "primary KDC" in source and docs
Where it does not affect program behavior, use the term "primary KDC".
This commit does not change any profile variables, DNS labels,
pathnames, or externally visible identifiers, nor does it change the
term "master key".
Greg Hudson [Wed, 19 Aug 2020 15:49:29 +0000 (11:49 -0400)]
Suppress Leash error popup on MSLSA renew failure
Attempting to renew the MSLSA cache can commonly fail with
KRB5_CC_NOTFOUND due to LSA policy. Do not display an error popup in
this case. Also fix a logic error in the existing suppressions.
Replace the TARGET_OS_MAC conditionals with the conditionals used in
Heimdal, so that we do not pack structures inconsistently with macOS
on ARM. Suggested by Luke Howard.
Robbie Harwood [Thu, 20 Aug 2020 21:49:29 +0000 (17:49 -0400)]
Unify kvno option documentation
Add missing kvno options to the kvno.rst synopsis and option
descriptions, and to the kvno usage message. Remove mention of '-h'
(help text), from kvno.rst as it is an implicit option. Note that the
three new caching options were added in release 1.19.
Indicate the two exclusions (-u/-S and --u2u with the S4U2Self options)
and dependency (-P on S4U2Self) where they are missing.
Switch xusage() to print only a single localized string, rather than
running each line of output through localization separately.
Leave kvno -C undocumented for now, as the semantics of
KRB5_GC_CANONICALIZE are minimally useful and likely to change.
[ghudson@mit.edu: edited documentation and commit message]
Isaac Boukris [Mon, 20 Jul 2020 22:40:06 +0000 (00:40 +0200)]
Cache S4U2Proxy requests by second ticket
krb5_get_credentials() does not know the client principal for an
S4U2Proxy request until the end, because it is in the encrypted part
of the evidence ticket. However, we can check the cache by second
ticket, since all S4U2Proxy requests in a cache will generally be made
with the same evidence ticket.
In the ccache types, allow mcreds->client and mcreds->server to be
NULL (as Heimdal does) to ignore them for the purpose of matching. In
krb5int_construct_matching_creds(), set mcreds->client to NULL for
S4U2Proxy requests. Add a cache check to
k5_get_proxy_cred_from_kdc(), and remove the cache check from
krb5_get_credentials_for_proxy() and the krb5 mech's
get_credentials().
In get_proxy_cred_from_kdc(), fix a bug where cross-realm S4U2Proxy
would cache the evidence ticket used in the final request, rather than
the original evidence ticket.
[ghudson@mit.edu: debugged cache check and cross-realm caching;
switched from new flag to null matching cred principals; wrote commit
message]
In krb5_sname_to_principal(), when using fallback, defer realm lookup
and any kind of hostname canonicalization until use. Add a
lightweight iterator k5_canonprinc() to yield the one or two possible
candidates for a principal. In the iterator, don't yield the same
hostname part twice.
Add fallback processing to the stepwise TGS state machine, and remove
it from krb5_get_credentials(). Add fallback processing to
k5_get_proxy_cred_from_kdc().
Add fallback processing to krb5_init_creds_set_keytab(), and use the
principal we find in the keytab as the request client principal.
Defer restart_init_creds_loop() to the first step call so that server
principal is built using the correct realm.
Unix-like platforms do not provide a simple method to find the
fully-qualified local hostname as the machine is expected to appear to
other hosts. Canonicalizing the gethostname() result with
getaddrinfo() usually works, but potentially uses DNS. Now that
dns_canonicalize_hostname=true is no longer the default, KDB creation
would generally create the wrong host-based principals.
kadmin/hostname is unnecessary because the client software can also
use kadmin/admin, and kiprop/hostname is one of several principals
that must be created for incremental propagation.
The MIT krb5 kadmin protocol originally used kadmin/admin as the
service principal. Commits 493f0da5fbf92b0ac2f10e887706d1964d8a15e8
and 5cfaec38a8e8f1c4b76228ba0a252987af797ca4 changed it to use
kadmin/hostname preferentially, with kadmin/admin as a fallback, for
interoperability with the Solaris SEAM administrative protocol.
Change the preference order so that kadmin/admin is tried first, with
kadmin/hostname as a fallback.
Xcode 12 will change its clang to have
-Werror=implicit-function-declaration by default. Fix three autoconf
tests which generate this warning due to missing include declarations.
Reported by Misty De Meo.
Bison 3.5 adds a POSIX yacc compliance warning that %type should only
be applied to non-terminals. Use %token for terminals in getdate.y.
Reported by Norm Green.
Fixes a problem where the presence of legacy/unrecognized keysalts in
supported_enctypes would prevent the kadmin programs from starting.
[ghudson@mit.edu: ideally we would put a warning in the kadmind log,
but that is difficult to do when the parsing is done inside a library.
Even adding a trace log is difficult because the kadm5 str_conv
functions do not accept contexts.]
Windows Remote Management, when used with an RC4 session key, appears
to generate GSS wrap tokens with no padding instead of the expected
one byte (RFC 4757 section 7.3). These tokens cannot be decoded with
gss_unwrap() or a STREAM buffer (even with Microsoft SSPI), but SSPI
allows them to be decoded using explicit IOVs with either a
zero-length padding buffer or no padding buffer. Allow these cases to
work in kg_fixup_padding_iov(). (It is already possible to make this
work with HEADER | DATA | DATA, but only by
accident--kg_fixup_padding_iov() doesn't find a data buffer because
kg_locate_iov() only looks for singleton buffers, so it exits early.)
When considering or bypassing an empty record in a keytab file, check
for a lenth of INT32_MIN. Otherwise we could perform a backwards
seek, as the inverse of INT32_MIN is still negative.
[ghudson@mit.edu: adjusted comments; wrote commit message]
Greg Hudson [Fri, 19 Jun 2020 19:05:37 +0000 (15:05 -0400)]
Avoid using LMDB environments across forks
In krb5kdc and kadmind, reinitialize the DB state after daemonizing,
to prevent using an LMDB environment in a different process than it
was created. Otherwise the daemon's reader table slot appears to be
stale and can be claimed by another process.
In kadmind, this change means that global_server_handle changes value
after the loop setup. Add an extra level of pointer indirection so
that the handle passed to the loop remains valid.
kdb_init_hist() is now called twice by kadmind. Change it to avoid
leaking hist_princ on the second invocation.
Isaac Boukris [Mon, 12 Aug 2019 11:13:07 +0000 (11:13 +0000)]
Add GSS_KRB5_NT_X509_CERT name type
If this name type is used for the desired_name parameter of
gss_acquire_cred_impersonate_name(), identify the S4U2Self user by
certificate. Co-authored with Purand Chand <pchand@vmware.com>.
[ghudson@mit.edu: added documentation; updated to use a boolean at the
GSS layer rather than a new krb5 name type; rewrote commit message]
Greg Hudson [Tue, 23 Jun 2020 17:30:59 +0000 (13:30 -0400)]
Fix KDC choice to send encrypted S4U_X509_USER
The KDC's decision to send a PA_S4U_X509_USER entry in encrypted
padata has no connection to the client USE_REPLY_KEY_USAGE flag. Only
conditionalize on the enctype.
Greg Hudson [Thu, 18 Jun 2020 00:48:38 +0000 (20:48 -0400)]
Add three kvno options from Heimdal kgetcred
Add the flags --cached-only and --no-store, which pass the
corresponding options to krb5_get_credentials(). Add the option
--out-cache to write the retrieved credentials to a specified output
cache.
Add a Python test script for kvno command-line options, including
tests for the new options.
Isaac Boukris [Tue, 9 Jun 2020 22:32:56 +0000 (01:32 +0300)]
Interop with Heimdal KDC for S4U2Self requests
[MS-SFU] 3.1.5.1.1.1 says the KDC SHOULD send PA_S4U_X509_USER pa-data
if the TGT session key is of a newer enctype. Our S4U2Self client
code has enforced this clause as if it were a MUST. For consistency
with Microsoft and interoperability with Heimdal (which does not
implement PA_S4U_X509_USER), stop enforcing this constraint.
[ghudson@mit.edu: compressed code slightly; wrote commit message]
Nikhil Benesch [Sat, 13 Jun 2020 23:54:34 +0000 (19:54 -0400)]
Try to find <target>-ar when cross compiling
Teach the configure script to look for an ar tool prefixed with the
target triple (i.e., `<target>-ar`) when cross compiling. This matches
the behavior for tools that have built-in autoconf macros, like ranlib.
(For some reason there is no AC_PROG_AR macro.)
Also, remove the AC_PROG_ARCHIVE and AC_PROG_ARCHIVE_ADD macros, which
have been dead code since 780b34cd.
With this change, cross compiling libkrb5 works a bit better out of the
box.
Robbie Harwood [Tue, 9 Jun 2020 20:23:37 +0000 (16:23 -0400)]
Improve negoex_parse_token() code hygiene
If the while loop in negoex_parse_token() runs for zero iterations,
major will be used initialized. Currently this cannot happen, but
only because both of the call sites check for zero-length tokens.
Initialize major for safety.
Greg Hudson [Thu, 4 Jun 2020 17:19:53 +0000 (13:19 -0400)]
Set pw_expiration during LDAP load
When loading a principal entry in process_k5beta7_princ(), set the
KADM5_PW_EXPIRATION mask bit so that the password expiration time is
set on the principal entry. Add a regression test.
Greg Hudson [Wed, 27 May 2020 22:48:35 +0000 (18:48 -0400)]
Default dns_canonicalize_hostname to "fallback"
This change should mitigate some of the pain caused by the rdns=true
default (generally associated with unwanted PTR records that cannot
easily be changed), with a minimum of fallout.
Update the documentation and tests accordingly. In test environments,
disable qualify_shortname and use the uncanonicalized system hostname
(lowercased) to match the initial sn2princ result.
Greg Hudson [Fri, 22 May 2020 17:10:36 +0000 (13:10 -0400)]
Return GSS_S_NO_CRED from krb5 gss_acquire_cred
Earlier versions of the GSS-API spec (RFCs 1508 and 2078) do not list
GSS_S_NO_CRED as a valid error code for gss_acquire_cred. As a
result, the OpenVision developers of the GSSAPI krb5 mech created
GSS_S_CRED_UNAVAIL as an alias for GSS_S_FAILURE and returned it when
no valid credentials could be obtained. RFC 2743 lists GSS_S_NO_CRED
as the proper return code when matching credentials cannot be
accessed. Change the krb5 gss_acquire_cred() implementation to return
GSS_S_NO_CRED where it currently returns GSS_S_CRED_UNAVAIL.
Also stop using GSS_S_CRED_UNAVAIL in the krb5 gss_store_cred(), but
change it to explicitly use GSS_S_FAILURE instead. RFC 5588 specifies
GSS_S_NO_CRED as indicating a problem with input_cred_handle, not the
receiving store, so GSS_S_NO_CRED would be inappropriate.
Greg Hudson [Thu, 21 May 2020 18:15:25 +0000 (14:15 -0400)]
Fix SPNEGO acceptor mech filtering
Commit c2ca2f26eaf817a6a7ed42257c380437ab802bd9 (ticket 8851)
accidentally changed the SPNEGO acceptor code to filter mechanisms by
the obtainability of initiator credentials rather than acceptor
credentials, when the default acceptor credential is used.
Isaac Boukris [Thu, 19 Mar 2020 23:17:28 +0000 (00:17 +0100)]
Add channel bindings tests
[ghudson@mit.edu: adjusted test program to output channel-bound state
instead of optionally enforcing it; adjusted tests to check program
output; split out tests into separate Python script; made cosmetic
changes]
Isaac Boukris [Tue, 10 Mar 2020 12:13:17 +0000 (13:13 +0100)]
Add client_aware_channel_bindings option
Add client support for KERB_AP_OPTIONS_CBT in the form of a profile
option "client_aware_gss_bindings". Adjust the make_etype_list()
helper so that enctype negotiation and AP_OPTIONS can be included in
the same IF-RELEVANT wrapper.
[ghudson@mit.edu: refactored; edited documentation; wrote commit
message]
Isaac Boukris [Mon, 9 Mar 2020 15:04:21 +0000 (16:04 +0100)]
Implement KERB_AP_OPTIONS_CBT (server side)
Add server support for Microsoft's KERB_AP_OPTIONS_CBT as described in
MS-KILE. If the client includes the AP option in the authenticator
authdata and the server passed channel bindings, require the bindings
to match.
[ghudson@mit.edu: refactored to put more logic in the helper function;
added a comment; clarified commit message]
Define a new channel-bound GSS return flag, and set it in the krb5
mech if the initiator sent channel bindings matching the acceptor's.
Do not error out if the acceptor specifies channel bindings and the
initiator does not send them.
[ghudson@mit.edu: simplified code changes; fleshed out commit message]
[iboukris: cherry-picked from another PR and reduced in scope]
Greg Hudson [Wed, 13 May 2020 17:01:31 +0000 (13:01 -0400)]
Add KDC helpers for current key and kvno
Add a simple static inline function current_kvno() to safely fetch the
current kvno of a principal entry, and use it where we currently write
entry->key_data[0].key_data_kvno.
Add a function get_first_current_key() to find and decrypt the first
valid current key from an entry. Use it in get_local_tgt() and when
selecting a ticket encryption key during AS and TGS processing.
Add a local_tgt_key field to krb5_kdcpreauth_rock_st and use it in
add_freshness_token() so we don't have to decrypt it again.
Greg Hudson [Wed, 13 May 2020 17:05:49 +0000 (13:05 -0400)]
Prevent use of invalid local TGT key
Commit 570967e11bd5ea60a82fc8157ad7d07602402ebb took a shortcut in
get_local_tgt() by using the first key data entry in the TGT principal
entry. This is usually correct, but if the first key data entry has
an invalid enctype (such as a single-DES enctype), we can select a key
we can't use. Call krb5_dbe_find_enctype() instead. Reported by
Leonard Peirce.
Greg Hudson [Sun, 10 May 2020 16:59:24 +0000 (12:59 -0400)]
Add stubs for some removed replay cache functions
Commit dcb853ac32779b173f39e19c0f24b0087de85771 removed some replay
cache functions that haven't been considered part of the libkrb5 API.
Some of these functions were used in OpenSSL (despite the lack of
prototypes) prior to the OpenSSL 1.1 release. Run-time linker errors
can occur if an OpenSSL 1.0.x (or earlier) libssl is used with a 1.18
libkrb5, even though the Kerberos code would likely never be used.
Add stubs for the four functions historically used in OpenSSL.
Greg Hudson [Sun, 10 May 2020 16:25:52 +0000 (12:25 -0400)]
Add KRB5_PRINCIPAL_PARSE_NO_DEF_REALM flag
Implement KRB5_PRINCIPAL_PARSE_NO_DEF_REALM from Heimdal. This flag
for krb5_parse_name_flags() suppresses the addition of the default
realm, but allows and preserves the realm if one is specified in the
string.
Greg Hudson [Wed, 6 May 2020 20:03:13 +0000 (16:03 -0400)]
Omit KDC indicator check for S4U2Self requests
As there was no initial ticket exchange from the client for an
S4U2Self request, the auth indicator check is inapplicable (and would
always fail if any auth indicators are required).
Commit 24b844714dea3e47b17511746b5df5b6ddf13d43 (ticket 8845) added
releases of sc->internal_name and sc->deleg_cred before calling the
underlying mech's gss_accept_sec_context(), to avoid a potential leak
if the mech reports a value multiple times. Commit c2ca2f26eaf817a6a7ed42257c380437ab802bd9 (ticket 8851) added a branch
which calls negoex_accept() instead of calling directly into the
underlying mech. If negoex_accept() doesn't call into the mech on the
last acceptor leg, the src_name and deleg_cred values from the final
mech call are lost.
Move the releases to the non-NegoEx branch. negoex_accept() already
does its own releases when it calls into the mech.
Commit d439e370b70f7af4ed2da9c692a3be7dcf7b4ac6 (ticket 8800) caused
ksu to ignore KRB5CCNAME from the environment. ksu uses euid
switching to access the source cache, and should honor KRB5CCNAME to
find the ccache to potentially authorize the su operation.
Add a helper function init_ksu_context() to create the ksu context,
with explicit code to honor KRB5CCNAME using
krb5_cc_set_default_name().
Always use six digits with leading 0s to format the microseconds in
trace log timestamps; otherwise a small value appears as too large of
a fraction of a second.
Greg Hudson [Mon, 30 Mar 2020 19:26:02 +0000 (15:26 -0400)]
Correctly import "service@" GSS host-based name
The intended way to specify only a service in a GSS host-based name is
to omit the "@" separator. Some applications include the separator
but no hostname, and this happened to yield wildcard hostname behavior
prior to commit 996353767fe8afa7f67a3b5b465e4d70e18bad7c when
shortname qualification was added. To restore this behavior, check in
parse_hostbased() that at least one character is present after the "@"
separator before copying the hostname. Add a test case to t_gssapi.py.
Greg Hudson [Tue, 24 Mar 2020 06:00:25 +0000 (02:00 -0400)]
Make fiat 128-bit typedefs work with older gcc
Use the int128_t and uint128_t types defined by edwards25519.c, rather
than [un]signed __int128 which does not compile with gcc 4.4.
Reported by Norm Green.
Greg Hudson [Mon, 23 Mar 2020 23:10:03 +0000 (19:10 -0400)]
Eliminate redundant PKINIT responder invocation
In pkinit_client_prep_questions(), only act if the input padata type
is KRB5_PADATA_PK_AS_REQ. Otherwise we will ask questions again when
the KDC issues a ticket.
Commit 7621d2f9a87214327ca3b2594e34dc7cea84596b (ticket 8242)
unintentionally changed the behavior of pkinit_load_fs_cert_and_key(),
causing pkinit_client_prep_questions() to do nothing on its first
call. Restore the original behavior of returning 0 when prompting is
deferred.
Modify the existing "FILE identity, password on key (responder)"
PKINIT test to check that the responder is only invoked once.
Jiri Sasek [Fri, 13 Mar 2020 18:02:58 +0000 (19:02 +0100)]
Add finalization safety check to com_err
If the linker erroneously runs the libkrb5 finalizer after the
libcom_err finalizer, the consequent remove_error_table() calls could
crash due to accessing a destroyed mutex or an invalid et_list
pointer. Add an unsynchronized check on finalized in
remove_error_table(), and set et_list to null in com_err_terminate()
after destroying the list.
[ghudson@mit.edu: minimized code hanges; rewrote comment and commit
message]
Isaac Boukris [Wed, 29 Jan 2020 21:35:50 +0000 (22:35 +0100)]
Change KDC constrained-delegation precedence order
MS-SFU errata from 2019/12/09 indicates that legacy constrained
delegation should be prefered over resource-based constrained
delegation, which results slight diferences.
Also clarify that in the get_authdata_info KDB method, the PAC must be
verified and checked for user sensitivity for S4U2Proxy. Document
that the client name should only be provided in the cross-realm
S4U2Proxy case.
[ghudson@mit.edu: clarified comments and commit message]
Greg Hudson [Wed, 4 Mar 2020 22:18:51 +0000 (17:18 -0500)]
Use two queues for concurrent t_otp.py daemons
t_otp.py occasionally fails during the #8708 regression test, reading
a true answer instead of the expected false answer during the first
verify() call. Most likely the daemons are writing their answers to
the shared queue out of order. Use a separate queue for the second
daemon to ensure correct correlation of results.
Robbie Harwood [Wed, 26 Feb 2020 23:27:17 +0000 (18:27 -0500)]
Refresh manually acquired creds from client keytab
If a client keytab is present but credentials are acquired manually,
the credentials would not be refreshed because no refresh_time config
var is set in the cache. Change kg_cred_time_to_refresh() to attempt
a refresh from the client keytab on any credentials which will expire
in the next 30 seconds.
[ghudson@mit.edu: adjused code and added test case]
TBK [Wed, 26 Feb 2020 20:12:45 +0000 (21:12 +0100)]
Fix Linux build error with musl libc
Commit bf5953c549a6d279977df69ffe89b2ba51460eaf caused a build failure
on non-glibc Linux build environments. Change the conditionalization
so that __GLIBC_PREREQ will only be used if it is defined.
Greg Hudson [Tue, 25 Feb 2020 16:32:09 +0000 (11:32 -0500)]
Allow deletion of require_auth with LDAP KDB
In update_ldap_mod_auth_ind(), if there is no string attribute value
for require_auth, check for krbPrincipalAuthInd attributes that might
need to be removed. (This will only work if the entry is loaded and
then modified, but that is the normal case for an existing entry.)
Move the update_ldap_mod_auth_ind() call inside the tl-data
conditional (which should perhaps be a check for KADM5_TL_DATA in the
mask instead). A modification which did not intend to update tl-data
should not remove the krbPrincipalAuthInd attributes.
Change get_int_from_tl_data() to to zero its output so that it can't
leave a garbage value behind if it returns 0 (as it does if no
KDB_TL_USER_INFO tl-data is present).
Greg Hudson [Wed, 19 Feb 2020 20:36:38 +0000 (15:36 -0500)]
Fix AS-REQ checking of KDB-modified indicators
Commit 7196c03f18f14695abeb5ae4923004469b172f0f (ticket 8823) gave the
KDB the ability to modify auth indicators, but it happens after the
asserted indicators are checked against the server principal
requirements. In finish_process_as_req(), move the call to
check_indicators() after the call to handle_authdata() so that the
final indicator list is checked.
For the test case, add string attribute functionality to the test KDB
module, and fix a bug where test_get_principal() would return failure
if a principal has no keys. Also add a test case for AS-REQ
enforcement of normally asserted auth indicators.
Greg Hudson [Sun, 16 Feb 2020 01:34:23 +0000 (20:34 -0500)]
Replace gssrpc tests with a Python script
Replace the dejagnu RPC test framework with a short Python script to
do the same tests as fullrun.exp and gsserr.exp. Modify the server
test program to facilitate use by k5test.py.
expire.exp, together with a comment in the client test program, was
designed to test a libdb2 btree bug via the gssrpc server-side
authentication code. That code was subsequently changed not to use
libdb2, before it was merged into the main krb5 tree (in revision 1.23
of svc_auth_gssapi.c, according to the changelog removed in commit 2a43d772be1e45faa8e488d436b6e867371563fb). Remove the comment and do
not replace that test sequence.
Michael Mattioli [Tue, 26 Nov 2019 02:28:57 +0000 (21:28 -0500)]
Use GitHub Actions for CI
Use Github Actions instead of Travis and AppVeyor.
In the Windows installer config, add support for Visual Studio 2019
(aka 16.0).
[ghudson@mit.edu: switched to Ubuntu 18.04 for Linux builds; removed
macOS build job for now; added more packages to avoid skipping tests;
made it easier to see skipped tests and to see files not cleaned;
added make install command; adjusted Windows build path]
Isaac Boukris [Thu, 30 Jan 2020 18:38:44 +0000 (19:38 +0100)]
Always use S4U2Proxy second ticket parsed authdata
When the KDC handles an S4U2Proxy request, if the KDB module returned
parsed authdata for the header ticket and not for the second ticket,
we could erroneously pass the header ticket's parsed authdata to
handle_authdata(). Make sure we always pass the parsed authdata for
the second ticket.
Greg Hudson [Wed, 5 Feb 2020 23:46:11 +0000 (18:46 -0500)]
Refactor KDC authdata list management helpers
Remove the unused concat_authorization_data(). Split merge_authdata()
into two helpers, one to destructively merge without filtering and one
to add copied elements while filtering out KDC-only authdata types.
Remove context parameters where they aren't needed (taking advantage
of knowledge that some libkrb5 functions don't use their context
parameters).
Isaac Boukris [Sat, 1 Feb 2020 12:21:39 +0000 (13:21 +0100)]
Test that PAC is the first authdata element
In the test KDB module, set the PAC as the first authdata element. In
adata.c, add PAC service verification and verify that a PAC does not
appear in authdata elements after the first.
[ghudson@mit.edu: minor style changes; edited commit message]
Isaac Boukris [Sat, 1 Feb 2020 15:13:30 +0000 (16:13 +0100)]
Put KDB authdata first
Windows services, as well as some versions of Samba, may refuse
tickets if the PAC is not in the first AD-IF-RELEVANT container. In
fetch_kdb_authdata(), change the merge order so that authdata from the
KDB module appears first.
[ghudson@mit.edu: added comment and clarified commit message]
Robbie Harwood [Thu, 23 Jan 2020 18:09:00 +0000 (13:09 -0500)]
Remove private mutators for context enctypes
krb5_set_default_in_tkt_ktypes() and krb5_set_default_tgs_ktypes() are
not part of the API and are only used in test programs, so remove
them. Also remove the now-unused in_tkt_etypes field from
krb5_context. Update test suite consumers.
Fix a minor bug wherein the etinfo executable would not correctly
print its usage text.
[ghudson@mit.edu: adapted some tests rather than remove them]
Isaac Boukris [Sun, 26 Jan 2020 20:49:47 +0000 (21:49 +0100)]
Zero length fields when freeing object contents
In krb5_free_data_contents() and krb5_free_checksum_contents(), zero
the length as well as the data pointer to leave the object in a valid
state. Add asserts to existing test harnesses to verify the new
behavior.
In the krb5 GSS mech's kg_checksum_channel_bindings(), remove the code
to reallocate the checksum with xmalloc(), as it relied on
krb5_free_checksum_contents() leaving the object in an invalid state.
This code was added in commit a30fb4c4400f13a2690df7ef910b7ac0ccbcf194
to match an xfree() call, but commit 29337e7c7b796685fb6a03466d32147e17aa2d16 replaced that xfree() with a
krb5_free_checksum_contents(). (In addition, the xmalloc and xfree
wrappers never evolved to do anything beyond malloc and free.)
In kpropd's recv_database(), don't free outbuf until we are done using
its length.
Greg Hudson [Fri, 24 Jan 2020 15:25:18 +0000 (10:25 -0500)]
Honor transited-policy-checked flag in servers
For consistency with Heimdal and simplicity of server configuration,
do not check the transited field in krb5_rd_req() if the
transited-policy-checked flag is set in the ticket.
Add a cross-realm test using the gcred and rdreq harnesses to test
server transited processing. Also fix the KDC capaths case so that
the client actually doesn't know the path to the server realm. In
k5test.py, adjust _cfg_merge() to remove keys mapped to None in the
second dictionary (instead of mapping them to None in the result), so
that deleting whole sections works. Remove the corresponding check
for None in _write_cfg_section() as it is no longer needed.
Greg Hudson [Thu, 23 Jan 2020 19:49:24 +0000 (14:49 -0500)]
Further simplify test KDB module authdata code
Commit 94f7c9705879500b1dc8dda8592490efce05688f simplified the
generation of authdata elements, but left behind some unnecessary
conditionalization when assembling the elements into a list, causing a
Coverity defect. Further simplify the code.
Robbie Harwood [Tue, 14 Jan 2020 19:23:00 +0000 (14:23 -0500)]
Apply permitted_enctypes to KDC request enctypes
permitted_enctypes was initially intended only to restrict the
processing of AP requests (and was later applied to KDB key data
searches so that the KDC wouldn't issue a ticket it would refuse to
accept). Because the documentation was never clear about its scope,
many configurations assume that permitted_enctypes also applies to
clients.
In light of the existing configurations, take the simple way out and
use permitted_enctypes as the default for default_tkt_enctypes and
default_tgs_enctypes. Update the documentation, add a test to
explicitly check the new behavior, and remove now-unnecessary
configuration from the test suite.
[ghudson@mit.edu: unrolled helper function; edited documentation and
commit message; simplified test case]
Isaac Boukris [Wed, 15 Jan 2020 10:14:00 +0000 (11:14 +0100)]
Allow cross-realm RBCD with PAC and other authdata
For cross-realm S4U2Proxy requests, require a PAC to be present to
bypass signedpath verification, but do not require it to be the only
authdata element. For within-realm requests, add and verify
signedpath authdata regardless of the presence of a PAC.
Simplify the test KDB authdata module and the existing RBCD tests as
we no longer need a way to suppress the test module's KDB authdata.
[ghudson@mit.edu: rewrote commit message; reordered a condition for
efficiency]
Isaac Boukris [Wed, 15 Jan 2020 12:54:44 +0000 (13:54 +0100)]
Fix KDC crash in handle_signticket
Commit d47f7dba3779c9e36e1dedaac830dac1dd248fb3 changed the parameters
passed to sign_authdata() for S4U2Proxy requests so that client is the
entry for the impersonated client (not the impersonator), and added a
new parameter for the impersonator entry. It should have changed the
call to handle_signticket() to use the impersonator entry. Fix the
handle_signticket() call, and change some parameter names to more
clearly indicate the flow of subject_server from process_tgs_req() to
handle_authdata() to its helpers.
Isaac Boukris [Thu, 12 Dec 2019 02:20:44 +0000 (03:20 +0100)]
Add tests for S4U request-authdata handling
In adata.c, look up the server in the keytab by ticket->server (which
has the canonicalized realm), to allow testing of cross-realm RBCD
(although unused for now).
In s4u2proxy.c, set KRB5_GC_CANONICALIZE to support RBCD, and add an
authdata request option. Add an s4u2self test harness with authdata
request option.
[ghudson@mit.edu: minor code simplifications; edited commit message]
Greg Hudson [Sat, 11 Jan 2020 04:47:34 +0000 (23:47 -0500)]
Fix error handling in gssint_mechglue_init()
In the unlikely event that one of the functions called by
gssint_mechglue_init() returns an error, return that error to the
caller rather than continuing on and discarding the error status.
Returning success when some of the operations failed could fool the
library finalizer into thinking that initialization completed.
Reported by Spencer Malone.
projects / thirdparty / krb5.git / log
