Greg Hudson [Fri, 2 Oct 2015 17:40:47 +0000 (13:40 -0400)]
Simplify RUN_ENV definition
In the shlib.conf definitions of RUN_ENV, instead of "var=value;
export var;" use just "var=value", taking advantage of the Bourne
shell's "var=value cmd args..." syntax. This syntax doesn't work
with for loops, so adjust the few Makefile rules which iterate over
$(RUN_VARS).
Greg Hudson [Sun, 4 Oct 2015 19:55:43 +0000 (15:55 -0400)]
Fix installed message catalog uses in kdb tests
In src/tests/Makefile.in, rename RUN_SETUP to RUN_DB_TEST, and include
"LC_ALL=C" in the definition to avoid using the message catalog. Also
include $(VALGRIND) for consistency with RUN_TEST.
Greg Hudson [Sun, 4 Oct 2015 18:45:29 +0000 (14:45 -0400)]
Use RUN_TEST and fix installed krb5.conf uses
Use $(RUN_TEST) to run most C test programs, for simplicity and to fix
accidental uses of the installed krb5.conf. Where a particular
krb5.conf must be used instead of the one in src/config-files, use a
locally defined variant like RUN_TEST_LOCAL_CONF.
Accidental references to the installed krb5.conf were present when
running t_pac, t_princ, t_etypes, t_trace, t_attr, t_attrset,
t_packet, t_remote, t_client, pkinit_kdf_test, test_chpw_message,
text_cxx_krb5, and test_cxx_k5int.
In krb5_change_password(), krb5_set_password(), and
krb5_set_password_using_ccache(), accept the new password as a const
char * instead of a char *. Propagate this change to the necessary
internal functions.
Nalin Dahyabhai [Thu, 1 Oct 2015 22:59:34 +0000 (18:59 -0400)]
Set plugin_base_dir for kadmin tests
In the krb5.conf used by the kadmin tests, include a plugin_base_dir
setting. Otherwise the KDC can load and run code from kdcpreauth
modules in the install tree.
Tomas Kuthan [Wed, 30 Sep 2015 13:18:05 +0000 (15:18 +0200)]
Check output params on GSS OID set functions
Add sanity checks for the output parameters of
generic_gss_create_empty_oid_set() and
generic_gss_add_oid_set_member(), which are used directly by the API
functions gss_create_empty_oid_set() and gss_add_oid_set_member().
k5_utf8s_to_ucs2s() reads and ignores one extra byte from the input
string before terminating its loop, possibly overrunning the input
buffer of its caller. This overrun is typically without consequence,
but can show up in tools like asan or valgrind during RC4
string-to-key operations. Fix the bug by swapping the order of the
loop conditions.
The libss in e2fsprogs exports ss_execute_command(), but does not
prototype it (as of this writing; a patch has been submitted
upstream). When using the system ss library, check if a prototype is
needed and provide one if so.
Tomas Kuthan [Wed, 16 Sep 2015 10:13:26 +0000 (12:13 +0200)]
Fix error mappings for IOV MIC mechglue funcs
The mechglue functions gss_get_mic_iov(), gss_get_mic_iov_length(),
and gss_verify_mic_iov() don't call map_error() to map
mechanism-specific error codes. As a result, a subsequent call to
gss_display_status() fails with GSS_S_BAD_MECH, because no translation
for the error code is found in the error table.
This patch adds the missing map_error call.
[ghudson@mit.edu: correct a whitespace issue, edit commit message]
In release 1.13, commit eba8c4909ec7ba0d7054d5d1b1061319e9970cc7
(ticket #7232) introduced a memory leak when skipping keytab entries
which do not match the application-provided server specification. Fix
it by freeing the keytab entry before continuing the loop on a failure
to match.
In the mechglue gss_export_sec_context(), make sure to delete the
union context if the underlying mech context has been deleted. This
can happen if the mech's gss_export_sec_context() returns a failure
and deletes the context (not a behavior exhibited by any of our
in-tree mechanisms, but an allowed behavior for other mechs), or if we
fail to allocate space for the wrapped token.
[ghudson@mit.edu: commit message; rename exit label to "cleanup" and
make it valid for all exit cases]
Although our built-in KDB modules do not support client referrals for
AS requests, the KDC is supposed to return one if a third-party module
returns a DB entry containing a principal in a foreign realm.
Unfortunately, this code has never worked; in prepare_error_as(), we
erroneously compare the protocol code errcode against the com_err code
KRB5KDC_ERR_WRONG_REALM; as a result, we never supply the canonical
client principal. Fix this by comparing errcode against the protocol
code KDC_ERR_WRONG_REALM instead.
Tom Yu [Wed, 9 Sep 2015 18:06:06 +0000 (14:06 -0400)]
Add tabular dump capability to kdb5_util
This new kdb5_util tabdump command provides a reporting-friendly
tabular dump format for the KDC database. This format is also
suitable for importing into relational databases for queries. Output
is in tab-separated or CSV format. The user can select an output
table with a fixed number of columns.
Currently, this only provides tables for a subset of the available
principal data. This includes making visible some data that is hidden
in hexadecimal strings in the tl_data of the ordinary dump format.
Tom Yu [Wed, 9 Sep 2015 18:05:24 +0000 (14:05 -0400)]
Add utility functions for tabular dumps
These utility functions allow for tab-separated and comma-separated
(CSV) output. These are primarily to support the tabular dump
capability for kdb5_util. Additional output options can be added
later.
ticket: 8243 (new)
subjetct: Add tabular dump capability to kdb5_util
When a non-trivial OpenSSL function fails during PKINIT processing,
try to ensure that the error message includes an indication of the
what PKINIT was doing and the reason for the first queued OpenSSL
error, and flush all queued OpenSSL errors to the trace log. For
certificate verification failures, also include the higher-level error
from the cert store. Add new helper functions oerr() and oerr_cert()
to minimize the amount of code needed to handle each error.
Solly Ross [Thu, 27 Aug 2015 19:55:35 +0000 (15:55 -0400)]
Check for null name_type in gss_display_name_ext
It is possible for the input name's name_type to be GSS_C_NO_OID.
g_OID_equal() does not account for GSS_C_NO_OID, so we have to
manually check before use to prevent null pointer dereferences.
It has only received cosmetic and build fix changes since it was
introduced in 1997 and doesn't do anything useful. The motivation for
removal at this point is to avoid spending time on build fixes for
newer tool chains like VS2015, and because GINA modules are only
supported by Windows versions prior to Windows Vista.
Rather than hardcode support for VS2010 and VS2012, assume that the
right MFC version can be obtained by removing the "." in the
VisualStudioVersion variable. This is true for VS2010, VS2012,
VS2013, and VS2015 at least. If VisualStudioVersion it is not set,
fall back to using MFC100(D) as before.
Greg Hudson [Mon, 17 Aug 2015 22:26:36 +0000 (18:26 -0400)]
Add etype-info2 to MORE_PREAUTH_DATA_REQUIRED
A multi-round-trip preauth mechanism may require key information, but
not for the initial message from the client. To support optimistic
preauth for such mechanisms, make the KDC include etype-info2
information in a MORE_PREAUTH_DATA_REQUIRED error if the client didn't
include a PA-FX-COOKIE in its request.
Add optimistic preauth support to the test preauth module and to
etinfo.c, and add a test case to t_etype_info.py to verify that
etype-info2 is included in the optimistic multi-hop scenario.
Greg Hudson [Mon, 17 Aug 2015 21:41:22 +0000 (17:41 -0400)]
Refactor finish_check_padata() in KDC
Use a helper function to filter the error codes from preauth modules.
Use a cleanup handler so that we aren't separately considering the
disposition of state and state->pa_e_data along different exit paths.
Greg Hudson [Sun, 16 Aug 2015 04:30:46 +0000 (00:30 -0400)]
Document secure cookie format and callbacks
In kdcpreauth.rst, describe the set_cookie and get_cookie callbacks
and explain how to generate a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
for multi-round-trip mechanisms. Add a new file formats/cookie.rst
documenting the secure cookie format.
Greg Hudson [Sun, 16 Aug 2015 04:28:53 +0000 (00:28 -0400)]
Add cookie tests
Add cookie and KDC_ERR_MORE_PREAUTH_DATA_REQUIRED functionality to the
test preauth plugins modules. Create a new test script t_preauth.py
and move a test there from t_etype_info.py which is only marginally
related to etype-info. Add a new test which exercises a multi-hop
preauth scenario and generates different cookies for each KDC error.
Greg Hudson [Wed, 12 Aug 2015 15:58:17 +0000 (11:58 -0400)]
Add secure cookie support
Remove the existing support for creating trivial cookies. Add new
functions to fast_util.c for reading and generating secure cookies.
Add new kdcpreauth callbacks "get_cookie" and "set_cookie" to allow
preauth mechs to retrieve and set cookie values.
Add an internal type declaration, ASN.1 encoder and decoder functions,
an internal free function, and ASN.1 tests for krb5_secure_cookie.
The reference DER encoding was constructed by hand.
To save on space, we don't use context tags, and use an integer rather
than a KerberosTime for the timestamp. The timestamp is stored in a
time_t; this requires a bugfix to the 64-bit case in
asn1_encode.c:store_int().
[ghudson@mit.edu: reference encoding; decode test; minor adustments to
free functions; added comments; alterations for space savings; commit
message]
Greg Hudson [Fri, 21 Aug 2015 22:48:06 +0000 (18:48 -0400)]
Update SPNEGO hintName value to current spec
[MS-SPNG] currently specifies that the hintName field of NegHints
should contain "not_defined_in_RFC4178@please_ignore". Heimdal
implements this behavior, but we instead try to include a display
name. Implement the currently specified behavior, and add a test to
t_spnego.c to verify that the expected hint token is generated.
Further cleanup is possible; the negHints encoding is now constant (so
it does not need to be generated dynamically), and we could avoid
abusing the mechListMIC parameter of make_spnego_tokenInit_msg() to
transport it.
Greg Hudson [Thu, 20 Aug 2015 16:26:57 +0000 (12:26 -0400)]
Check mech in gss_accept_sec_context w/ no cred
If no verifier_cred_handle is passed to gss_accept_sec_context(),
accept the same mechs as we would with a default acceptor
credential--that is, not those which assert the GSS_C_MA_DEPRECATED or
GSS_C_MA_NOT_DFLT_MECH attributes.
Greg Hudson [Fri, 21 Aug 2015 16:26:17 +0000 (12:26 -0400)]
Adjust SPNEGO Microsoft krb5 OID tests
In the Microsoft krb5 OID tests in t_spnego.c, use the proper krb5 OID
for the framing of the mech token, which better reflects the behavior
of Microsoft clients that use the wrong OID. Move the test to a
separate function and run it twice, once with an acceptor cred and
once without.
Also add a comment noting that the reselection test no longer
exercises what it was designed to. We can't really fix that until we
add gss_acquire_cred_with_cred() or similar.
Simo Sorce [Fri, 21 Aug 2015 16:16:07 +0000 (12:16 -0400)]
Keep valgrind happy after time_rec change
In gss_acquire_cred_from(), initialize initTimeOut and acceptTimeOut
so valgrind does not complain. All these values are ignored if
time_rec is NULL, so not having those variables initialized is
harmless, but it is annoying to get noise in the valgrind output.
Simo Sorce [Mon, 17 Aug 2015 17:21:42 +0000 (13:21 -0400)]
Resolve krb5 GSS creds if time_rec is requested
The code normally tries to defer credential acquisition to a later
time. However, if the application requests the lifetime, the code
needs to resolve the credential and return the actual expiration time.
Returning 0 would cause the application to think credentials are
expired.
In the mechglue, pass through null time_rec pointers to the mech so
that the mech knows whether it was requested. In SPNEGO, pass through
time_rec to the mech when acquiring creds, via a new parameter to
get_available_mechs().
[ghudson@mit.edu: minor style changes; edit and expand commit message]
Greg Hudson [Tue, 4 Aug 2015 00:45:17 +0000 (20:45 -0400)]
Make cross-realm S4U2Self work
When sending a S4U2Self query to a foreign realm, send an enterprise
server principal so that the foreign KDC can identify the home realm
of the server principal.
To make this work, adjust the memory management of
krb5_get_self_cred_from_kdc(). s4u_creds is now a shallow copy of
in_creds which owns no memory. A new variable eprinc owns the
enterprise form of the server principal, constructed using a new
helper function convert_to_enterprise(). Since we have to set the
server realm for KDC-REQ encoding to work, a new temporary variable
sprinc holds a shallow copy of *eprinc with the realm pointing to the
realm we are currently querying.
Greg Hudson [Tue, 11 Aug 2015 15:32:56 +0000 (11:32 -0400)]
Fix new doxygen parameter lists
Use [out] instead of [in] for the output parameters of
krb5_c_prfplus() and krb5_c_derive_prfplus(). Also use "out" instead
of "output" for krb5_c_derive_prfplus() to match the parameter name in
the definition.
To simplify callers, make restart_init_creds_loop() reset the
err_reply and err_padata fields and free per-request preauth moddata.
Change its padata argument to a boolean argument for FAST upgrades,
instead of sometimes passing in ctx->err_padata (which would become
invalid partway through the function now that we're freeing it).
Split up the upgrade-to-FAST and downgrade-to-no-padata cases in
init_creds_step_reply(), and eliminate negotiation_requests_restart().
For brevity, rename the krb5_init_creds_context have_restarted field
to restarted. Rename krb5int_upgrade_to_fast_p() to
k5_upgrade_to_fast_p() and make it a true predicate. Change some flag
field assignments to use TRUE/FALSE instead of 1/0. Reset
enc_pa_rep_permitted after a client realm referral, since we don't
know that the new realm's KDCs will fail on informational padata.
Add the GSS_C_MA_NOT_DFLT_MECH attribute to IAKERB, and filter out
mechs with that attribute from the SPNEGO and gss_acquire_cred()
default mechanisms.
Add a -iakerb option to gss-server and pass it when performing IAKERB
tests. Also add tests using the wrong password, to verify that
gss_acquire_cred_with_password() fails with the wrong password when
using SPNEGO.
gss_inquire_attrs_for_mech() should not add GSS_C_MA_NOT_DFLT_MECH to
mechs which aren't the default. The attribute means "MUST NOT be used
as a default mechanism" (RFC 5587) and is intended to be used by the
mechglue. It does not mean "is not the default mech".
Define HAVE_VSNPRINTF for VS2015 or newer. Avoid putting constants
directly after string literals without whitespace, or the VS2015
compiler thinks it's a string suffix. Prefix the OVERFLOW identifier
in x-deltat.y (along with NUM and LONGNUM for consistency) to avoid a
conflict with math.h. Regenerate deltat.c.
[ghudson@mit.edu: squashed three commits and condensed commit
messages; avoid creating long lines]
This commit permits the external use of the RFC 6113 PRF+ function.
It also adds a function to derive a key from an input key and string
using PRF+.
[ghudson@mit.edu: adjust style; avoid new C99isms; use string2data(),
empty_data(), and alloc_data() where appropriate; add some explanatory
comments; edit docstrings and commit message]
Greg Hudson [Mon, 3 Aug 2015 15:44:58 +0000 (11:44 -0400)]
Support OTP auth indicators in string attribute
To better support integration with FreeIPA, allow authentication
indicators to be specified in the "otp" string attribute, overriding
any indicators in the token type.
Before this patch, libkrad would follow the same exact logic for all
socket types when the retries parameter was non-zero. This meant that
when connecting with SOCK_STREAM, multiple requests were sent in case
of packet drops, which, of course, cannot happen for SOCK_STREAM.
Instead, just disable retries for SOCK_STREAM sockets.
Simo Sorce [Tue, 4 Aug 2015 18:04:14 +0000 (14:04 -0400)]
Allow missing authenticator checksum with GSSAPI
Some SMB client implementations omit the authenticator checksum. To
interoperate with these clients, a server needs to allow missing
checksums and assume no flags are requested. This is being documented
in MS-KILE as well, as Microsoft does the same.
[ghudson@mit.edu: edited and reformatted comment; edited commit
message summary]
If we encounter any errors during krb5_cccol_have_content(), preserve
the message for the first one and wrap it. If we do not encounter any
errors, report the default ccache name. Based on a patch from Nico
Williams.
Release any previous value of ctx->err_padata before setting it in
init_creds_step_reply(). It could have a prior value after a realm
referral or retriable error.
Since ticket #7665, explicitly registered kdcpreauth modules have
appeared before built-in modules (disregarding the static preauth
systems, which are all informational). Therefore, the test preauth
module can be used without disabling encrypted timestamp. Remove an
erroneous comment in kdctest.c and simplify test scripts which use the
test preauth module.
Greg Hudson [Mon, 23 Mar 2015 17:03:32 +0000 (13:03 -0400)]
Document authentication indicators
Add a new file auth_indicator.rst to the admin guide. Also document
the pkinit_indicator and OTP indicator profile variables, the
require_auth string attribute, and the add_auth_indicator kdcpreauth
callback. Add references to the new public constants in
appdev/refs/macros/index.rst.
Greg Hudson [Mon, 23 Mar 2015 16:20:15 +0000 (12:20 -0400)]
Add indicator support to PKINIT
Read a "pkinit_indicator" profile variable for PKINIT realm
configuration and assert its values as indicators when PKINIT is used
to authenticate. Add a test case in t_pkinit.py for this feature.
Greg Hudson [Thu, 8 Jan 2015 20:56:37 +0000 (15:56 -0500)]
Add indicator support to OTP
Read an "indicator" profile variable for OTP token types and assert
its values as indicators when that token type is used to authenticate.
Add a test case in t_otp.py for this feature.
Greg Hudson [Sun, 15 Mar 2015 19:56:34 +0000 (15:56 -0400)]
Test auth indicator functionality
Modify adata.c to handle CAMMAC containers and display auth
indicators. Modify the test preauth module to transmit a list of
indicators (specified by a gic opt) from the clpreauth module to the
kdcpreauth module and assert them to the KDC. Add a new s4u2proxy
test harness in src/tests which can be used to exercise S4U2Proxy
without going through GSSAPI, using a second ccache containing an
existing evidence ticket.
Add tests to t_authdata.py to exercise a variety of ticket issuing
scenarios and verify that the correct auth indicators appear in each
ticket.
Greg Hudson [Wed, 28 Jan 2015 22:10:36 +0000 (17:10 -0500)]
Enforce auth indicator restrictions in KDC
If the string attribute "require_auth" is set on a the server
principal of an AS or TGS request, deny the request unless one of the
named indicators is present was asserted for the client's initial
authentication.
Greg Hudson [Sun, 18 Jan 2015 19:46:11 +0000 (14:46 -0500)]
Add authentication indicators in AS-REQs
Add an auth_indicators parameter to handle_authdata(). In
finish_process_as_req(), supply the auth indicators asserted by
preauth modules. In handle_authdata(), wrap any supplied auth
indicators in CAMMAC and IF-RELEVANT containers and include them in
the ticket.
Greg Hudson [Mon, 22 Dec 2014 17:44:08 +0000 (12:44 -0500)]
Add kdcpreauth callback for auth indicators
Add a new kdcpreauth callback add_auth_indicator, which adds an
authentication indicator string. This commit doesn't do anything with
the asserted authentication indicators; they are tracked in the
auth_indicators field of struct as_req_state to be used later.
Greg Hudson [Fri, 19 Dec 2014 17:19:23 +0000 (12:19 -0500)]
Add ASN.1 encoder/decoder for UTF-8 strings
Add functions to encode and decode SEQUENCE OF UTF8String into a
null-terminated array of krb5_data pointers. This type is simple
enough that we don't need specific tests for it.
Ticket #7223 added new policy fields and a new dump format version to
marshal them, but did not add a new iprop dump format version. As a
result, slave KDCs running 1.11 or later cannot receive full resyncs
from master KDCs running 1.10 or earlier. (Reported by John
Devitofranceschi.)
Retroactively add support for pre-1.11 policy entries by making
process_r1_11_policy() read the first ten fields, check whether the
next whitespace character is a newline, and then read the rest if it
is not.
Filter out mechs with the GSS_C_MA_DEPRECATED attribute from the set
of mechanisms obtained by SPNEGO, and from the set used when
gss_acquire_cred() is called with no desired_mechs attribute.
SPNEGO acceptors will still accept the old and wrong krb5 OIDs, but
SPNEGO initiators will not offer them. According to [MS-SPNG], only
Windows 2000 does not recognize the standard krb5 OID, and it is
client-only.
In gss-client.c, use the standard krb5 OID for the -krb5 option, as
acceptors who call gss_acquire_cred() with no desired_mechs to create
an acceptor cred will no longer accept the old or wrong krb5 OIDs.
t_spnego.c contains a test for properly reflecting the erroneous
Microsoft krb5 OID. Currently this test produces its input token by
acquiring a SPNEGO cred and using gss_set_neg_mechs() to offer only
the wrong krb5 OID. This method will not work when SPNEGO is changed
not to acquire multiple krb5 creds in the next commit, so rewrite it
to manually produce the SPNEGO initiator token.
kadmind should be quiet in nofork mode after it prints the
"starting..." sentinel line, or it can fill the pipe buffer when run
from k5test.py. Since there is currently no run-time debuf flag,
conditionalize the DPRINT macro in ipropd_svc.c on DEBUG at compile
time.
Tom Yu [Mon, 13 Jul 2015 22:05:35 +0000 (18:05 -0400)]
Fix princflags memory management
Fix some out of memory error cases (found by Coverity) that could
cause multiple frees or freeing of invalid pointers. In
krb5_flagnum_to_string(), don't assume that asprintf() stores a null
pointer on failure (it does in BSD but not in glibc). In
krb5_flags_to_strings(), free the correct pointer in the cleanup loop
in on error.
Roland Mainz [Tue, 21 Oct 2014 16:06:42 +0000 (12:06 -0400)]
Add support for directories in profile paths
If a profile path component is a directory, process files in the
directory as we would for an "includedir" directive.
[ghudson@mit.edu: don't change default profile path; simplify
profile_process_directory using prior commit; only check stat bits,
not final character of pathname; misc style changes; commit message]
Greg Hudson [Thu, 23 Oct 2014 21:07:36 +0000 (17:07 -0400)]
Simplify prof_parse.c include support
We do not need to pass the whole parser state to parse_include_file
and parse_include_dir, only the root section. Also constify the
filename and dirname parameters.
Greg Hudson [Fri, 24 Oct 2014 20:56:47 +0000 (16:56 -0400)]
Add ASN.1 encoder and decoder for CAMMAC
Add internal type declarations for krb5_verifier_mac and krb5_cammac.
Add ASN.1 encoder and decoder functions and an internal free function
for krb5_cammac. Add ASN.1 tests for krb5_cammac as well as asn1c
test vectors for Verifier and AD-CAMMAC.
In kdc_preauth.c, commit be20a5f5cee8d6c4072d1b81712520dbf9f6eefd made
load_preauth_plugins() handle negative preauth type numbers.
get_plugin_vtables() also needs to handle negative preauth type
numbers, or it can return the wrong count and load_preauth_plugins()
can overflow the table.
Tom Yu [Thu, 2 Jul 2015 20:16:07 +0000 (16:16 -0400)]
Unify KDB principal flag conversion functions
These changes unify the KDB principal flag specifiers used by kadmin,
kdc.conf default_principal_flags, and kadm5.acl. Each of those
interfaces will now accept any of the historically accepted input
forms of any of those interfaces. Additionally, accept flag
specifiers in the forms that kadmin prints, as well as hexadecimal
numbers.
Replace krb5_string_to_flags() with krb5_flagspec_to_mask(). The
latter has a pseudo-ternary output, allowing different pointers for
flags to set versus flags to clear. Additional functionality includes
parsing hexadecimal numbers for flag settings.
Remove krb5_input_flag_to_string(), which nothing in the tree used,
and probably hasn't ever worked properly due to long-standing gaps in
the flag number sequence.
Remove krb5_flags_to_string(), which nothing in the tree used.
Verbose flag output can be added back through another interface if
there is demand.
Add krb5_flagnum_to_string(), which produces a string representation
of a flag number. Additional functionality includes output of
hexadecimal numbers for unknown flags.
Add krb5_flags_to_strings(), which produces an array of strings
describing the flags, using the output from krb5_flagnum_to_string().
Tom Yu [Wed, 1 Jul 2015 20:28:45 +0000 (16:28 -0400)]
Add test suite for KDB principal flags
Test kadmin.local reading of principal flag specifiers, kdc.conf
setting of default_principal_flags, and kadm5.acl restrictions. Only
really tests one flag at a time.
Also start requiring Python 2.5 for the test suite. It's been around
for long enough, and some syntax features such as conditional
expressions are useful.
ticket: 8215 (new)
subject: Unify KDB principal flag specifiers
target_version: 1.14
Greg Hudson [Sun, 15 Mar 2015 19:56:34 +0000 (15:56 -0400)]
Test client_keyblock kdcpreauth callback
Add internal clpreauth and kdcpreauth modules named "test" which can
exercise the client_keyblock callback (as well as get_string and
get_as_key on the client side). Add tests to t_etype_info.py to
verify that the callback matches the etype info sent by the KDC.
In the KDC's load_preauth_plugins(), correct a test for the end of
pa_type_list so that we can use a negative preauth type number for the
test module. (RFC 4120 reserves negative preauth type values for
unregistered use.)
Greg Hudson [Thu, 4 Jun 2015 18:08:06 +0000 (14:08 -0400)]
Add client_keyblock kdcpreauth callback
Add a new kdcpreauth callback which gets the selected client key.
This callback can be used by preauth mechs which need to use the
singular reply key in a challenge sent by the KDC, now that we send
only one etype-info entry in PREAUTH_REQUIRED errors.
Greg Hudson [Sat, 6 Jun 2015 01:19:15 +0000 (21:19 -0400)]
Add tests for KDC etype-info behavior
Create a new test harness etinfo.c which can display etype-info2
information in KDC responses. Use it to test the etype-info results
in preauth_required error e-data and AS-REP padata.
Greg Hudson [Sat, 6 Jun 2015 19:45:39 +0000 (15:45 -0400)]
Only include one key in etype-info
As described in RFC 6113 section 2.1, the KDC can choose a single
long-term key at the beginning of the preauth conversation based on
the request enctype list. Implement this change for the PA-ETYPE-INFO
and PA-ETYPE-INFO2 padata included in preauth hint lists, by selecting
the client key before checking padata, making the client keyblock
available in the preauth rock, and unifying the etype-info handlers to
use a single helper function for edata and AS-REP padata.
crypto_retrieve_cert_sans() is allowed to set its princs output to
NULL, although the OpenSSL implementation rarely does. Fix the
TRACE_PKINIT_CLIENT_SAN_KDCCERT_PRINC for loop to allow this like other
parts of the function do, and also get rid of the unnecessary princptr
variable by using an integer index like other parts of the function.
Bump the minor version of the kadm5_hook interface to 2 and add a
rename method. Invoke the rename method in kadm5_rename_principal()
like we do for other libkadm5srv operations.
Use memory cache in gss_acquire_cred_with_password
gss_acquire_cred_with_password() was originally introduced in Solaris.
When we introduced it in 1.9, we unfortunately gave it different and
less useful semantics. Restore this function to the Solaris
semantics, which are to always get credentials and store them in a
private memory ccache. The caller can use gss_store_cred() to make
the resulting creds visible to other processes if desired.
Tom Yu [Thu, 25 Jun 2015 23:31:53 +0000 (19:31 -0400)]
Deindent krb5_string_to_keysalts
Remove a level of indentation for the list-appending part of the
krb5_string_to_keysalts() loop body by consolidating the strtok_r()
calls into the controlling expreession of the loop.
projects / thirdparty / krb5.git / log
