Greg Hudson [Wed, 6 Jan 2016 16:31:07 +0000 (11:31 -0500)]
Improve type safety of SPNEGO helper functions
Modify init_ctx_new(), init_ctx_cont(), acc_ctx_hints(),
acc_ctx_new(), and acc_ctx_cont() to operate on SPNEGO context handles
rather than generic GSS context handles. For the functions which
create a new context, move the context parameter to the end and follow
the usual practices for output parameters. Adjust stage 1 flow
control in spnego_gss_accept_sec_context() to allow acc_ctx_new() to
always be a context constructor.
Greg Hudson [Wed, 25 Nov 2015 19:43:35 +0000 (14:43 -0500)]
Fix memory leak in SPNEGO gss_init_sec_context()
After the initial call to spnego_gss_init_sec_context(), the context
handle can leak if init_ctx_cont() returns an error, because the
cleanup handler assumes that spnego_ctx contains the value of
*context_handle. Fix this leak by setting spnego_ctx before the if
block which contains that call. Reported by Adam Bernstein.
Greg Hudson [Fri, 8 Jan 2016 16:54:55 +0000 (11:54 -0500)]
Make ksu work with prompting clpreauth modules
Commit 5fd5a67c5a93514e7d0a64425baa007ad91f57de switched ksu from
using krb5_get_in_tkt_with_password() to
krb5_get_init_creds_password(), but did not supply a prompter
argument. Pass krb5_prompter_posix so that clpreauth modules can
prompt for additional information during authentication.
Tom Yu [Wed, 30 Dec 2015 20:26:54 +0000 (15:26 -0500)]
Add .travis.yml
Do Travis CI testing with clang and gcc, on 64-bit Ubuntu Trusty.
Performance would probably be better using the container-based Travis
infrastructure, but that is currently limited to Precise, and we would
need some important apt packages whitelisted, e.g., dejagnu.
Robbie Harwood [Thu, 17 Dec 2015 00:31:22 +0000 (19:31 -0500)]
Fix interposed gss_accept_sec_context()
If gss_accept_sec_context() is interposed, selected_mech will be an
interposer OID. In this situation, pass the corresponding public OID
to gss_inquire_attrs_for_mech() to determine whether the mech is
allowed by default.
[ghudson@mit.edu: pared down from larger commit; rewrote commit message]
Simo Sorce [Tue, 5 Jan 2016 17:11:59 +0000 (12:11 -0500)]
Check internal context on init context errors
If the mechanism deletes the internal context handle on error, the
mechglue must do the same with the union context, to avoid crashes if
the application calls other functions with this invalid union context.
[ghudson@mit.edu: edit commit message and code comment]
Tom Yu [Wed, 30 Dec 2015 22:17:02 +0000 (17:17 -0500)]
Don't canonicalize hostname in sim_client.c
krb5_mk_req() already canonicalizes the target hostname, so don't try
to use a buffer of size MAXHOSTNAMELEN to canonicalize the hostname
beforehand. This buffer will be too short for some unusually long
FQDNs.
ticket: 8336 (new)
subject: MAXHOSTNAMELEN is too short for some FQDNs
Tom Yu [Wed, 6 Jan 2016 20:24:16 +0000 (15:24 -0500)]
Work around uninitialized warning in cc_kcm.c
Some versions of clang erroneously detect use of an uninitialized
variable reply_len in kcmio_call() when building on non-Mac platforms.
Initialize it to work around this warning.
Tom Yu [Tue, 22 Dec 2015 21:55:07 +0000 (16:55 -0500)]
Modernize UTF-8 conversions
Unicode and ISO/IEC 10646 now agree that the maximum valid code point
is U+10FFFF. (Unicode 8.0 Appendix C.2 implies that ISO/IEC
10646:2011 aligned the extent of the code space.)
Adjust src/util/support/utf8.c accordingly, mostly by
deleting code.
Tomas Kuthan [Tue, 29 Dec 2015 10:47:49 +0000 (11:47 +0100)]
Check context handle in gss_export_sec_context()
After commit 4f35b27a9ee38ca0b557ce8e6d059924a63d4eff, the
context_handle parameter in gss_export_sec_context() is dereferenced
before arguments are validated by val_exp_sec_ctx_args(). With a null
context_handle, the new code segfaults instead of failing gracefully.
Revert this part of the commit and only dereference context_handle if
it is non-null.
Sarah Day [Mon, 21 Dec 2015 19:29:18 +0000 (14:29 -0500)]
Add Github provided OS and IDE files to .gitignore
It is a good idea to have a fairly complete .gitignore file. It is
helpful for devs to know just what shouldn't end up in the repo, as
well as preventing accidental commits and even random trash ending up
in master.
Many of the files here added from the Github gitignore project
found here:
Sarah Day [Fri, 4 Dec 2015 17:36:33 +0000 (12:36 -0500)]
Search for LDAP core schema in t_kdb.py
The t_kdb.py python test was hardcoded to search for the LDAP
core.schema file in a single place. OpenLDAP can be installed in more
than one place. Add a check which looks in several of these common
installation locations to find the core schema file.
Sarah Day [Fri, 4 Dec 2015 15:54:50 +0000 (10:54 -0500)]
Fix a typo that causes the jsonwalker test to fail
In the au_dict.json file that is used for testing jsonwalker, there is
a comma missing that causes cjson 1.1 to throw an exception. This
causes the python tests to fail. Adding the comma fixes the crash and
allows the test to finish successfully.
Sarah Day [Tue, 22 Dec 2015 21:33:24 +0000 (16:33 -0500)]
Set kdc_tcp_ports in kadmin test configuration
The kadmin tests were starting the KDC without setting the TCP port
number. After commit 8d88e2ab00be126237569dc72827ced2ce6b7d04, the
TCP port defaults to 88, causing the socket to fail setup if the test
is not run as root.
Tom Yu [Thu, 17 Dec 2015 21:13:33 +0000 (16:13 -0500)]
Only run export-check.pl in maintainer mode
Cross compilation environments might not be using the default nm
command. Rather than try to communicate the correct value to
util/export-check.pl, only run export-check.pl in maintainer mode.
Tom Yu [Thu, 17 Dec 2015 22:42:05 +0000 (17:42 -0500)]
Remove util/reconf
The bulk of the util/reconf script is to detect old versions of
autoconf and possibly work around bugs in them. Require
autoconf>=2.63, and remove the util/reconf script. Adjust
documentation and other scripts accordingly.
Also remove Makefile rules that remove autom4te.cache. Such rules
were supposedly necessary when mixing of different versions of
autoconf was common; this seems to be less of an issue now.
Greg Hudson [Fri, 11 Dec 2015 16:05:32 +0000 (11:05 -0500)]
Add libkrb5support dependencies to test plugins
In some build environments, dependencies on libkrb5support can be
generated just from static inline functions in our header files, even
if those functions aren't used. In two test plugin modules, use
$(KRB5_BASE_DEPLIBS) and $(KRB5_BASE_LIBS) to depend on libkrb5support
as well as libkrb5. (This also pulls in libk5crypto, which is
unnecessary for these modules, but is inconsequential for a test
module.) Reported by Will Fiveash.
Sarah Day [Mon, 7 Dec 2015 18:48:22 +0000 (13:48 -0500)]
Add IPv6 address logging support to audit plugin
The jsonwalker.py test was failing due to the audit plugin only
logging the IP for IPv4. The audit plugin should log the IP address
for both IPv4 and IPv6. Rename the JSON "ipv4" field in the
"fromaddr" JSON object to "ip" and set the field if either an IPv4 or
an IPv6 address is present. Any parsers of the audit log can tell
which address is stored in the "ip" field by checking the "type" field
in "fromaddr". Also update the jsonwalker.py reference JSON file,
au_dict.json, to handle this new field name.
Tom Yu [Fri, 11 Dec 2015 21:01:08 +0000 (16:01 -0500)]
Cast away constness when assigning to krb5_data
Some password-changing library functions take a const char * parameter
but try to assign it to krb5_data.data, which isn't const. PR #364
causes some compilers to produce errors in such situations, so cast
away the constness. This is almost certainly safe because of the
nature of the code that consumes these krb5_data values.
Greg Hudson [Fri, 11 Dec 2015 19:48:41 +0000 (14:48 -0500)]
Make krb5_ucs2 and krb5_ucs4 unsigned
krb5 contains some Unicode code adapted from OpenLDAP. OpenLDAP uses
unsigned types for UCS-2 and UCS-4 code points, but the adapted code
uses signed types, which creates pointer-sign warnings when we call
uccompatdecomp() and similar functions. To match the OpenLDAP code,
use unsigned types.
Simo Sorce [Wed, 9 Dec 2015 23:09:18 +0000 (18:09 -0500)]
Set TL_DATA mask flag for master key operations
When kdb5_util adds or removes master keys, it modifies tl-data but
doesn't set the KADM5_TL_DATA mask flag, causing KDB modules that rely
on this signaling (such as the LDAP module) not to store the tl-data
changes. Fix this issue by setting the mask bit in add_new_mkey() and
kdb5_purge_mkeys().
Greg Hudson [Wed, 9 Dec 2015 19:56:34 +0000 (14:56 -0500)]
Error on incompatible argument types if possible
gcc 4.x has no option short of -Werror to error on "makes pointer from
integer without a cast" or "incompatible pointer type" warnings, but
clang and (I think) gcc 5.x do. Use -Werror=int-conversion and
-Werror=incompatible-pointer-types when the compiler supports them.
At least in clang, -Werror=incompatible-pointer-types also throws an
error when passing an argument discards a const qualifier, which is a
less serious type violation. But cleaning those up is relatively easy.
Greg Hudson [Wed, 9 Dec 2015 21:44:11 +0000 (16:44 -0500)]
Clean up const qualifier warnings
In server_acl.c, add const qualifiers to the kadm5int_acl_find_entry()
principal parameters, and to the kadm5int_acl_match_data() parameters,
to avoid discarding const qualifiers when calling them. In
kdb_ldap.c, cast the has_rootdse_ava() attribute before passing it to
ldap_search_ext_s(), which does not modify its attrs parameter but
does not declare it with a const qualifier.
Tom Yu [Wed, 9 Dec 2015 18:49:22 +0000 (13:49 -0500)]
Correctly use k5_wrapmsg() in ldap_principal2.c
Commit ebcdf02f8ec212555b1762007fa8454615900f36 incorrectly used
k5_prependmsg() in an error handling clause in
krb5_ldap_get_principal(). Use k5_wrapmsg() instead.
Greg Hudson [Tue, 8 Dec 2015 04:59:31 +0000 (23:59 -0500)]
Fix FILE ccache negative enctype unmarshalling
Commit b99c7c79dee33de966c8bed02ac79439989f6f99 broke the
unmarshalling of negative enctype values from FILE ccaches. Fix it by
sign-extending the 16-bit enctype value in unmarshal_keyblock().
Sarah Day [Fri, 4 Dec 2015 15:01:11 +0000 (10:01 -0500)]
Add some common files to .gitignore
Add some OS specific files and Eclipse project files, as well as the
top level build directory because it is recommended in the wiki to
perform your build inside of it. Also ignore the autom4te.cache
directory.
Simo Sorce [Fri, 13 Nov 2015 19:54:11 +0000 (14:54 -0500)]
Fix impersonate_name to work with interposers
This follows the same modifications applied to
gss_acquire_cred_with_password() when interposer plugins were
introduced.
[ghudson@mit.edu: minor whitespace changes; initialize out_mcred in
spnego_gss_acquire_cred_impersonate_name() since it is released in the
cleanup handler]
Greg Hudson [Mon, 2 Nov 2015 03:46:56 +0000 (22:46 -0500)]
Fix SPNEGO context import
The patches for CVE-2015-2695 did not implement a SPNEGO
gss_import_sec_context() function, under the erroneous belief that an
exported SPNEGO context would be tagged with the underlying context
mechanism. Implement it now to allow SPNEGO contexts to be
successfully exported and imported after establishment.
Greg Hudson [Mon, 2 Nov 2015 03:45:21 +0000 (22:45 -0500)]
Fix IAKERB context export/import [CVE-2015-2698]
The patches for CVE-2015-2696 contained a regression in the newly
added IAKERB iakerb_gss_export_sec_context() function, which could
cause it to corrupt memory. Fix the regression by properly
dereferencing the context_handle pointer before casting it.
Also, the patches did not implement an IAKERB gss_import_sec_context()
function, under the erroneous belief that an exported IAKERB context
would be tagged as a krb5 context. Implement it now to allow IAKERB
contexts to be successfully exported and imported after establishment.
CVE-2015-2698:
In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
application which calls gss_export_sec_context() may experience memory
corruption if the context was established using the IAKERB mechanism.
Historically, some vulnerabilities of this nature can be translated
into remote code execution, though the necessary exploits must be
tailored to the individual application and are usually quite
complicated.
Greg Hudson [Tue, 27 Oct 2015 04:44:24 +0000 (00:44 -0400)]
Fix two IAKERB comments
The comment explaining why there is no iakerb_gss_import_sec_context()
erroneously referenced SPNEGO instead of IAKERB (noticed by Ben
Kaduk). The comment above iakerb_gss_delete_sec_context() is out of
date after the last commit.
Greg Hudson [Wed, 21 Oct 2015 17:21:48 +0000 (13:21 -0400)]
Zap secure cookie contents when freeing
Secure cookies are intended to hold secret values which may contribute
to key data, and therefore should be sanitized when released. Also
fix a memory leak in kdc_fast_make_cookie().
In build_principal_va(), use k5memdup0() instead of strdup() to make a
copy of the realm, to ensure that we allocate the correct number of
bytes and do not read past the end of the input string. This bug
affects krb5_build_principal(), krb5_build_principal_va(), and
krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not
affected.
CVE-2015-2697:
In MIT krb5 1.7 and later, an authenticated attacker may be able to
cause a KDC to crash using a TGS request with a large realm field
beginning with a null byte. If the KDC attempts to find a referral to
answer the request, it constructs a principal name for lookup using
krb5_build_principal() with the requested realm. Due to a bug in this
function, the null byte causes only one byte be allocated for the
realm field of the constructed principal, far less than its length.
Subsequent operations on the lookup principal may cause a read beyond
the end of the mapped memory region, causing the KDC process to crash.
Add tests for partial IAKERB and SPNEGO initiators, and for partial
krb5 (DCE-style), IAKERB, and SPNEGO acceptors. Make flag checking
more strict for existing tests.
Nicolas Williams [Mon, 14 Sep 2015 16:28:36 +0000 (12:28 -0400)]
Fix IAKERB context aliasing bugs [CVE-2015-2696]
The IAKERB mechanism currently replaces its context handle with the
krb5 mechanism handle upon establishment, under the assumption that
most GSS functions are only called after context establishment. This
assumption is incorrect, and can lead to aliasing violations for some
programs. Maintain the IAKERB context structure after context
establishment and add new IAKERB entry points to refer to it with that
type. Add initiate and established flags to the IAKERB context
structure for use in gss_inquire_context() prior to context
establishment.
CVE-2015-2696:
In MIT krb5 1.9 and later, applications which call
gss_inquire_context() on a partially-established IAKERB context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash. Java server applications using the
native JGSS provider are vulnerable to this bug. A carefully crafted
IAKERB packet might allow the gss_inquire_context() call to succeed
with attacker-determined results, but applications should not make
access control decisions based on gss_inquire_context() results prior
to context establishment.
Nicolas Williams [Mon, 14 Sep 2015 16:27:52 +0000 (12:27 -0400)]
Fix SPNEGO context aliasing bugs [CVE-2015-2695]
The SPNEGO mechanism currently replaces its context handle with the
mechanism context handle upon establishment, under the assumption that
most GSS functions are only called after context establishment. This
assumption is incorrect, and can lead to aliasing violations for some
programs. Maintain the SPNEGO context structure after context
establishment and refer to it in all GSS methods. Add initiate and
opened flags to the SPNEGO context structure for use in
gss_inquire_context() prior to context establishment.
CVE-2015-2695:
In MIT krb5 1.5 and later, applications which call
gss_inquire_context() on a partially-established SPNEGO context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash. This bug may go unnoticed, because
the most common SPNEGO authentication scenario establishes the context
after just one call to gss_accept_sec_context(). Java server
applications using the native JGSS provider are vulnerable to this
bug. A carefully crafted SPNEGO packet might allow the
gss_inquire_context() call to succeed with attacker-determined
results, but applications should not make access control decisions
based on gss_inquire_context() results prior to context establishment.
Greg Hudson [Fri, 23 Oct 2015 19:20:33 +0000 (15:20 -0400)]
Fix env-setup.shin after RUN_ENV simplification
env-setup.shin converts @KRB5_RUN_ENV@ to a shell expression and evals
it. Now that RUN_ENV no longer contains export statements, we need to
do that explicitly.
Greg Hudson [Thu, 8 Oct 2015 12:53:37 +0000 (08:53 -0400)]
Allow clock skew in krb5 gss_accept_sec_context()
Remove an unnecessarily strict check for ticket expiration from
kg_accept_krb5() and kg_accept_dce(). Instead, add the maximum
allowable clock skew to the reported lifetime of acceptor contexts.
Greg Hudson [Sun, 4 Oct 2015 23:54:35 +0000 (19:54 -0400)]
Make ksu work when unsetenv() returns NULL
Some older platforms (OS X 10.4, glibc 2.2.1) declare unsetenv() as
returning void, as does ksu's compatibility definition of unsetenv().
Don't use the return value in get_configured_defccname().
Greg Hudson [Fri, 2 Oct 2015 17:40:47 +0000 (13:40 -0400)]
Simplify RUN_ENV definition
In the shlib.conf definitions of RUN_ENV, instead of "var=value;
export var;" use just "var=value", taking advantage of the Bourne
shell's "var=value cmd args..." syntax. This syntax doesn't work
with for loops, so adjust the few Makefile rules which iterate over
$(RUN_VARS).
Greg Hudson [Sun, 4 Oct 2015 19:55:43 +0000 (15:55 -0400)]
Fix installed message catalog uses in kdb tests
In src/tests/Makefile.in, rename RUN_SETUP to RUN_DB_TEST, and include
"LC_ALL=C" in the definition to avoid using the message catalog. Also
include $(VALGRIND) for consistency with RUN_TEST.
Greg Hudson [Sun, 4 Oct 2015 18:45:29 +0000 (14:45 -0400)]
Use RUN_TEST and fix installed krb5.conf uses
Use $(RUN_TEST) to run most C test programs, for simplicity and to fix
accidental uses of the installed krb5.conf. Where a particular
krb5.conf must be used instead of the one in src/config-files, use a
locally defined variant like RUN_TEST_LOCAL_CONF.
Accidental references to the installed krb5.conf were present when
running t_pac, t_princ, t_etypes, t_trace, t_attr, t_attrset,
t_packet, t_remote, t_client, pkinit_kdf_test, test_chpw_message,
text_cxx_krb5, and test_cxx_k5int.
In krb5_change_password(), krb5_set_password(), and
krb5_set_password_using_ccache(), accept the new password as a const
char * instead of a char *. Propagate this change to the necessary
internal functions.
Nalin Dahyabhai [Thu, 1 Oct 2015 22:59:34 +0000 (18:59 -0400)]
Set plugin_base_dir for kadmin tests
In the krb5.conf used by the kadmin tests, include a plugin_base_dir
setting. Otherwise the KDC can load and run code from kdcpreauth
modules in the install tree.
Tomas Kuthan [Wed, 30 Sep 2015 13:18:05 +0000 (15:18 +0200)]
Check output params on GSS OID set functions
Add sanity checks for the output parameters of
generic_gss_create_empty_oid_set() and
generic_gss_add_oid_set_member(), which are used directly by the API
functions gss_create_empty_oid_set() and gss_add_oid_set_member().
k5_utf8s_to_ucs2s() reads and ignores one extra byte from the input
string before terminating its loop, possibly overrunning the input
buffer of its caller. This overrun is typically without consequence,
but can show up in tools like asan or valgrind during RC4
string-to-key operations. Fix the bug by swapping the order of the
loop conditions.
The libss in e2fsprogs exports ss_execute_command(), but does not
prototype it (as of this writing; a patch has been submitted
upstream). When using the system ss library, check if a prototype is
needed and provide one if so.
Tomas Kuthan [Wed, 16 Sep 2015 10:13:26 +0000 (12:13 +0200)]
Fix error mappings for IOV MIC mechglue funcs
The mechglue functions gss_get_mic_iov(), gss_get_mic_iov_length(),
and gss_verify_mic_iov() don't call map_error() to map
mechanism-specific error codes. As a result, a subsequent call to
gss_display_status() fails with GSS_S_BAD_MECH, because no translation
for the error code is found in the error table.
This patch adds the missing map_error call.
[ghudson@mit.edu: correct a whitespace issue, edit commit message]
In release 1.13, commit eba8c4909ec7ba0d7054d5d1b1061319e9970cc7
(ticket #7232) introduced a memory leak when skipping keytab entries
which do not match the application-provided server specification. Fix
it by freeing the keytab entry before continuing the loop on a failure
to match.
In the mechglue gss_export_sec_context(), make sure to delete the
union context if the underlying mech context has been deleted. This
can happen if the mech's gss_export_sec_context() returns a failure
and deletes the context (not a behavior exhibited by any of our
in-tree mechanisms, but an allowed behavior for other mechs), or if we
fail to allocate space for the wrapped token.
[ghudson@mit.edu: commit message; rename exit label to "cleanup" and
make it valid for all exit cases]
Although our built-in KDB modules do not support client referrals for
AS requests, the KDC is supposed to return one if a third-party module
returns a DB entry containing a principal in a foreign realm.
Unfortunately, this code has never worked; in prepare_error_as(), we
erroneously compare the protocol code errcode against the com_err code
KRB5KDC_ERR_WRONG_REALM; as a result, we never supply the canonical
client principal. Fix this by comparing errcode against the protocol
code KDC_ERR_WRONG_REALM instead.
Tom Yu [Wed, 9 Sep 2015 18:06:06 +0000 (14:06 -0400)]
Add tabular dump capability to kdb5_util
This new kdb5_util tabdump command provides a reporting-friendly
tabular dump format for the KDC database. This format is also
suitable for importing into relational databases for queries. Output
is in tab-separated or CSV format. The user can select an output
table with a fixed number of columns.
Currently, this only provides tables for a subset of the available
principal data. This includes making visible some data that is hidden
in hexadecimal strings in the tl_data of the ordinary dump format.
Tom Yu [Wed, 9 Sep 2015 18:05:24 +0000 (14:05 -0400)]
Add utility functions for tabular dumps
These utility functions allow for tab-separated and comma-separated
(CSV) output. These are primarily to support the tabular dump
capability for kdb5_util. Additional output options can be added
later.
ticket: 8243 (new)
subjetct: Add tabular dump capability to kdb5_util
When a non-trivial OpenSSL function fails during PKINIT processing,
try to ensure that the error message includes an indication of the
what PKINIT was doing and the reason for the first queued OpenSSL
error, and flush all queued OpenSSL errors to the trace log. For
certificate verification failures, also include the higher-level error
from the cert store. Add new helper functions oerr() and oerr_cert()
to minimize the amount of code needed to handle each error.
Solly Ross [Thu, 27 Aug 2015 19:55:35 +0000 (15:55 -0400)]
Check for null name_type in gss_display_name_ext
It is possible for the input name's name_type to be GSS_C_NO_OID.
g_OID_equal() does not account for GSS_C_NO_OID, so we have to
manually check before use to prevent null pointer dereferences.
It has only received cosmetic and build fix changes since it was
introduced in 1997 and doesn't do anything useful. The motivation for
removal at this point is to avoid spending time on build fixes for
newer tool chains like VS2015, and because GINA modules are only
supported by Windows versions prior to Windows Vista.
Rather than hardcode support for VS2010 and VS2012, assume that the
right MFC version can be obtained by removing the "." in the
VisualStudioVersion variable. This is true for VS2010, VS2012,
VS2013, and VS2015 at least. If VisualStudioVersion it is not set,
fall back to using MFC100(D) as before.
Greg Hudson [Mon, 17 Aug 2015 22:26:36 +0000 (18:26 -0400)]
Add etype-info2 to MORE_PREAUTH_DATA_REQUIRED
A multi-round-trip preauth mechanism may require key information, but
not for the initial message from the client. To support optimistic
preauth for such mechanisms, make the KDC include etype-info2
information in a MORE_PREAUTH_DATA_REQUIRED error if the client didn't
include a PA-FX-COOKIE in its request.
Add optimistic preauth support to the test preauth module and to
etinfo.c, and add a test case to t_etype_info.py to verify that
etype-info2 is included in the optimistic multi-hop scenario.
Greg Hudson [Mon, 17 Aug 2015 21:41:22 +0000 (17:41 -0400)]
Refactor finish_check_padata() in KDC
Use a helper function to filter the error codes from preauth modules.
Use a cleanup handler so that we aren't separately considering the
disposition of state and state->pa_e_data along different exit paths.
Greg Hudson [Sun, 16 Aug 2015 04:30:46 +0000 (00:30 -0400)]
Document secure cookie format and callbacks
In kdcpreauth.rst, describe the set_cookie and get_cookie callbacks
and explain how to generate a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
for multi-round-trip mechanisms. Add a new file formats/cookie.rst
documenting the secure cookie format.
Greg Hudson [Sun, 16 Aug 2015 04:28:53 +0000 (00:28 -0400)]
Add cookie tests
Add cookie and KDC_ERR_MORE_PREAUTH_DATA_REQUIRED functionality to the
test preauth plugins modules. Create a new test script t_preauth.py
and move a test there from t_etype_info.py which is only marginally
related to etype-info. Add a new test which exercises a multi-hop
preauth scenario and generates different cookies for each KDC error.
Greg Hudson [Wed, 12 Aug 2015 15:58:17 +0000 (11:58 -0400)]
Add secure cookie support
Remove the existing support for creating trivial cookies. Add new
functions to fast_util.c for reading and generating secure cookies.
Add new kdcpreauth callbacks "get_cookie" and "set_cookie" to allow
preauth mechs to retrieve and set cookie values.
Add an internal type declaration, ASN.1 encoder and decoder functions,
an internal free function, and ASN.1 tests for krb5_secure_cookie.
The reference DER encoding was constructed by hand.
To save on space, we don't use context tags, and use an integer rather
than a KerberosTime for the timestamp. The timestamp is stored in a
time_t; this requires a bugfix to the 64-bit case in
asn1_encode.c:store_int().
[ghudson@mit.edu: reference encoding; decode test; minor adustments to
free functions; added comments; alterations for space savings; commit
message]
Greg Hudson [Fri, 21 Aug 2015 22:48:06 +0000 (18:48 -0400)]
Update SPNEGO hintName value to current spec
[MS-SPNG] currently specifies that the hintName field of NegHints
should contain "not_defined_in_RFC4178@please_ignore". Heimdal
implements this behavior, but we instead try to include a display
name. Implement the currently specified behavior, and add a test to
t_spnego.c to verify that the expected hint token is generated.
Further cleanup is possible; the negHints encoding is now constant (so
it does not need to be generated dynamically), and we could avoid
abusing the mechListMIC parameter of make_spnego_tokenInit_msg() to
transport it.
Greg Hudson [Thu, 20 Aug 2015 16:26:57 +0000 (12:26 -0400)]
Check mech in gss_accept_sec_context w/ no cred
If no verifier_cred_handle is passed to gss_accept_sec_context(),
accept the same mechs as we would with a default acceptor
credential--that is, not those which assert the GSS_C_MA_DEPRECATED or
GSS_C_MA_NOT_DFLT_MECH attributes.
Greg Hudson [Fri, 21 Aug 2015 16:26:17 +0000 (12:26 -0400)]
Adjust SPNEGO Microsoft krb5 OID tests
In the Microsoft krb5 OID tests in t_spnego.c, use the proper krb5 OID
for the framing of the mech token, which better reflects the behavior
of Microsoft clients that use the wrong OID. Move the test to a
separate function and run it twice, once with an acceptor cred and
once without.
Also add a comment noting that the reselection test no longer
exercises what it was designed to. We can't really fix that until we
add gss_acquire_cred_with_cred() or similar.
Simo Sorce [Fri, 21 Aug 2015 16:16:07 +0000 (12:16 -0400)]
Keep valgrind happy after time_rec change
In gss_acquire_cred_from(), initialize initTimeOut and acceptTimeOut
so valgrind does not complain. All these values are ignored if
time_rec is NULL, so not having those variables initialized is
harmless, but it is annoying to get noise in the valgrind output.
projects / thirdparty / krb5.git / log
