kinit currently outputs "Password incorrect" if it sees a
bad-integrity error code, which results if the KDC reply couldn't be
decrypted, or when encrypted timestamp preauth fails against an MIT
krb5 1.14 or earlier KDC. Expand this check to include general
preauth failures reported by the KDC, but only if a password was
prompted for.
Will Fiveash [Wed, 20 Jul 2016 00:20:51 +0000 (19:20 -0500)]
Better handle failures to resolve client keytab
In krb5_gss_acquire_cred(), treat failure to resolve the client keytab
similarly to a client keytab which resolves but does not exist or has
no entries. The client keytab could fail to resolve if its name
contains %{username} and the current process is acting on behalf of
the NSS system.
[ghudson@mit.edu: rewrote commit message; changed tracing call to use
a macro; cleared error message when ignoring krb5_kt_client_default()
error; added test case]
Greg Hudson [Thu, 16 Jun 2016 20:38:07 +0000 (16:38 -0400)]
Minimize timing leaks in PKINIT decryption
pkcs7_dataDecode() is derived from OpenSSL's PKCS7_datadecode() and is
used by PKINIT clients to decrypt ReplyKeyPack values in RSA mode.
The upstream function was changed for CVE-2012-0884 to minimize the
timing difference when RSA decryption results in the wrong padding.
Although the impact on Kerberos is negligible (because clients do not
ordinarily choose to use RSA mode, and cannot easily be induced to
make many thousands of requests with the same key), change
pkcs7_dataDecode() to match the upstream change, generating a random
symmetric key and using it when RSA decryption fails. Also rename
"tmp" and "tmp_len" to "ek" and "eklen" to match the more descriptive
upstream variable names.
Greg Hudson [Thu, 16 Jun 2016 17:54:01 +0000 (13:54 -0400)]
Simplify pkcs7_dataDecode() in PKINIT
RFC 4556 requires that the EnvelopedData in the encKeyPack contain
only one RecipientInfo. Take advantage of this constraint to simplify
pkcs7_dataDecode().
In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
use client.princ instead of request->client; the latter is NULL when
validating S4U2Self requests.
CVE-2016-3120:
In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
to dereference a null pointer if the restrict_anonymous_to_tgt option
is set to true, by making an S4U2Self request.
Commit 632260bd1fccfb420f0827b59c85c329203eafc9 (ticket #7517) allows
better error reporting for some client pre-authentication failures.
However, it breaks an assumption in the S4U2Self code that such errors
can be recognized by the KRB5_PREAUTH_FAILED error code. Instead of
passing through the error code reported by the first real preauth
module, wrap that error and return KRB5_PREAUTH_FAILED.
Matt Rogers [Fri, 15 Jul 2016 14:17:45 +0000 (10:17 -0400)]
Add the kprop-port option to kadmind
The -k option for kadmind sets the port number that kprop is spawned
with during an iprop full resync. Fall back to checking the
KPROP_PORT environment variable if the option is not set.
Sarah Day [Wed, 23 Dec 2015 20:01:44 +0000 (15:01 -0500)]
Allow user to restrict KDC to specific addresses
krb5kdc has always only supported binding to the wildcard addresses.
Add two configuration options to allow specifying the address/port
that krb5kdc listens on for UDP and TCP connections.
[ghudson@mit.edu: edited documentation; preserved kdc_ports = ""
behavior; made kdc_ports and kdc_tcp_ports continue to work in
kdcdefaults section]
Sarah Day [Wed, 23 Dec 2015 17:11:34 +0000 (12:11 -0500)]
Allow user to restrict kadmind bind addresses
kadmind has always only supported binding to the wildcard addresses.
Add three configuration options to allow specifying the address/port
that kadmind listens on for kpasswd, kadmin, and iprop connections.
[ghudson@mit.edu: edited documentation; minimized changes to
setup_loop(); added iprop_listen]
Sarah Day [Mon, 21 Dec 2015 19:07:49 +0000 (14:07 -0500)]
Add ability to bind addresses to the net-server
The net-server.c logic can accept individual addresses to bind to
using the standard host:port string format, in a list with a comma
delimiter.
Since pktinfo support was removed, users with systems lacking
pktinfo that have multiple NICs may specify each of the local
addresses directly that kadmind or krb5kdc should listen on in
kdc.conf.
[ghudson@mit.edu: edited comments and variable names; simplified
setup_socket()]
Sarah Day [Mon, 21 Mar 2016 20:35:15 +0000 (16:35 -0400)]
Remove workaround when pktinfo is unsupported
Currently if the system doesn't support pktinfo and kadmind or
krb5kdc are binding to a UDP address, then the net server binds to
all the local addresses. Currently most systems support pktinfo,
so the workaround isn't really required anymore. Removing the
workaround will only affect systems that don't have pktinfo
support, have multiple NICs, and are listening on a wildcard
address.
The KDC now needs write access to the LDAP KDB, unless password
lockout and tracking of the last successful authentication time are
disabled. Update the example LDAP access control configuration in
conf_ldap.rst to reflect this, add a note that only read access is
required if lockout is disabled, and add a section to lockout.rst
calling out the need for write access. Reported by Will Fiveash.
Matt Rogers [Tue, 26 Jan 2016 19:59:43 +0000 (14:59 -0500)]
Add hints for -A flag to kdestroy
When using a collection ccache, a user accustomed to the FILE ccache
behavior may not be aware of all active caches, and the default
kdestroy command could make it seem like there is no active cache
left. Print a warning to use -A after kdestroy if there are other
caches.
Greg Hudson [Thu, 23 Jun 2016 16:01:56 +0000 (12:01 -0400)]
Fix profile_flush_to_file() state corruption
In write_data_to_file(), do not clear the profile data object's flags.
If the call to this function resulted from profile_flush_to_file(), we
do not want to clear the DIRTY flag, and we especially do not want to
clear the SHARED flag for a data object which is part of
g_shared_trees. Instead, clear the DIRTY flag in
profile_flush_file_data().
Add a test case to prof_test1 to exercise the bug in unfixed code.
Also modify test1 to abandon the altered profile after flushing it to
a file, to preserve the external behavior of the script before this
fix.
When the default realm name is unspecified, and none was set in the
krb5_context object, return KRB5_CONFIG_NODEFREALM from libkdb5
instead of the confusing KRB5_KDB_DBTYPE_NOTFOUND. To accomplish
this, make kdb_get_library_name() return a krb5_error_code.
Greg Hudson [Tue, 21 Jun 2016 22:46:28 +0000 (18:46 -0400)]
Fix recent memory leak in locate_kdc.c
Commit ce112dec844e4650b5ad174bd40f21c32aebe1d1 introduced a memory
leak in locate_srv_conf_1() by moving the free(realmstr) call to the
cleanup handler, because there was an early return after realmstr is
allocated. Convert that early return to a goto.
Before this patch libkrad would always subtract the existing buffer
length from pktlen before passing it to recv(). In the case of stream
sockets, this is incorrect since krad_packet_bytes_needed() already
performs this calculation. Subtracting the buffer length twice could
cause integer underflow on the len parameter to recv().
Greg Hudson [Tue, 21 Jun 2016 22:29:00 +0000 (18:29 -0400)]
Fix and simplify auth-indicator authdata module
Remove the authind_context count field. The indicators list must be
null-terminated because it is freed with k5_free_data_ptr_list().
authind_internalize() didn't null-terminate the list, and the presence
of the count field made it appear that this wasn't a bug. Use a
different scheme for setting *more in authind_get_attribute() to avoid
requiring an element count.
Also check more thoroughly for errors in authind_externalize() and
authind_internalize(), and remove some unnecessary pointer casts.
Dmitry Kalinkin [Fri, 17 Jun 2016 17:52:23 +0000 (13:52 -0400)]
Fix Makefile for paths containing '+' character
include/Makefile uses a regex to perform variable substitution with '+'
as the sed delimiter. Paths containing " are already invalid in this
approach, so it is better to use " as the delimiter instead of any
other rare symbol.
Matt Rogers [Fri, 13 May 2016 00:36:41 +0000 (20:36 -0400)]
Fail on error when processing KDC-issued authdata
Have k5_get_kdc_issued_authdata() return 0 on a verification failure and
non-zero for other failures, rather than call assert(). Check the
return value when called in krb5int_authdata_verify().
Matt Rogers [Fri, 13 May 2016 00:06:42 +0000 (20:06 -0400)]
Add auth indicator authdata module
This authdata module makes the 'auth-indicator' attribute available to
the GSSAPI name extension functions. The auth indicator values are UTF8
strings imported during AP_REQ processing.
Matt Rogers [Thu, 12 May 2016 23:43:55 +0000 (19:43 -0400)]
Add libkrb5 CAMMAC and auth-indicator functions
Add k5_unwrap_cammac_svc() and k5_authind_decode() internal functions
to libkrb5, for use by test programs and the forthcoming
auth-indicator authdata module. Remove the unused
cammac_check_svcver() from the KDC code. Modify tests/adata.c to use
the new functions, and add a test case to t_authdata.py for multiple
indicator values.
[ghudson@mit.edu: squash three commits; make k5_cammac_check_svcver()
a static helper]
Matt Rogers [Fri, 22 Apr 2016 16:23:37 +0000 (12:23 -0400)]
Add kprop and iprop default_realm tests
Add tests to t_iprop.py and t_kprop.py that exercise cases where
default_realm and domain_realm maps differ, as well as overriding the
default realm with the -r argument. This includes the testing of -r
with kadmind, and an update of expected ulog numbers for tests following
the addition of an incremental test. Also refactor some common code in
t_kprop.py to use in the new tests.
Matt Rogers [Thu, 25 Feb 2016 15:38:07 +0000 (10:38 -0500)]
Fix kprop and kpropd realm handling
Add the sn2princ_with_realm() helper function (currently duplicated in
kprop.c and kpropd.c) to simplify principal realm substitution. Use
sn2princ_with_realm() in kprop.c and kpropd.c in place of
krb5_sname_to_principal(), with the default realm if -r is not provided.
If a realm is given to kpropd, set it as the default realm on the
kpropd_context, allowing a later call of ulog_replay() to open the
correct database.
Remove referral realm code in kprop.c and kpropd.c. Pass the realm
(default or provided) to the kdb5_util and kprop commands called by
kadmind.
Greg Hudson [Thu, 9 Jun 2016 17:23:48 +0000 (13:23 -0400)]
Fix use_master handling with KDC hook reply
A post-receive KDC hook may synthesize a reply if k5_sendto() returns
an error. If this happens, krb5_sendto_kdc() must not use server_used
to check if the reply came from a master KDC, as it does not have a
valid value. Preemptively set *use_master to 1 in this case to bypass
the check.
Greg Hudson [Wed, 8 Jun 2016 04:00:55 +0000 (00:00 -0400)]
Fix kadmin min_life check with nonexistent policy
In kadmind, self-service key changes require a check against the
policy's min_life field. If the policy does not exist, this check
should succeed according to the semantics introduced by ticket #7385.
Fix check_min_life() to return 0 if kadm5_get_policy() returns
KADM5_UNK_POLICY. Reported by John Devitofranceschi.
Greg Hudson [Thu, 2 Jun 2016 15:58:35 +0000 (11:58 -0400)]
Fix bugs in recent locate_kdc.c change
The most recent change to locate_srv_conf_1() introduced a possible
double-free bug (detected by Coverity), and also broke MS-KKDCP
support. Separate the three uses of the "host" variable: the C string
copy of the realm name (now "realmstr"), the pointer to the hostname
or hostname:port specification in the profile values array (now
"hostspec"), and the hostname result of k5_parse_host_string() (still
"host"). Pass the correct pointer to k5_parse_host_string() if the
profile value is a URI.
Sarah Day [Tue, 19 Jan 2016 14:47:10 +0000 (09:47 -0500)]
Add k5_parse_host_string()
Add a helper function k5_parse_host_string() containing the
hostname-and-port parsing logic currently inlined into
locate_srv_conf_1(). The new function will also accept a port number
without hostname, for parsing listener addresses.
[ghudson@mit.edu: simplified parsing code and better handle edge
cases; split into two commits]
Greg Hudson [Mon, 9 May 2016 17:45:06 +0000 (13:45 -0400)]
Fix unlikely pointer error in get_in_tkt.c
In add_padata(), reset the caller's pointer and ensure the list is
terminated as soon as realloc() succeeds; otherwise, the old pointer
could be left behind if a later allocation fails.
Tom Yu [Fri, 27 May 2016 19:19:43 +0000 (15:19 -0400)]
Relax t_sn2princ.py reverse resolution test
Relax t_sn2princ.py check of the reverse resolution of the test
hostname. The new requirement is that it be different from the
forward resolved hostname. (There is also an existing implicit
requirement that it be in the mit.edu domain.) This makes
t_sn2princ.py more robust against changes in the reverse resolution of
the test hostname.
Simo Sorce [Wed, 30 Mar 2016 17:00:19 +0000 (13:00 -0400)]
Add SPNEGO special case for NTLMSSP+MechListMIC
MS-SPNG section 3.3.5.1 documents an odd behavior the SPNEGO layer
needs to implement specifically for the NTLMSSP mechanism. This is
required for compatibility with Windows services.
In otp_client_process(), call cb->set_as_key() later in the function
after the OTP request has been created. The previous position of this
call caused the AS key to be replaced even when later code in the
function failed, preventing other preauth mechanisms from retrieving
the correct AS key.
Robbie Harwood [Fri, 20 May 2016 00:31:38 +0000 (20:31 -0400)]
Do not indicate deprecated GSS mechanisms
The mechanisms themeselves will continue to work if requested, but will
not be included in the gss_indicate_mech() list. This works around a
bug in some legacy applications that cannot cope with deprecated mechs
being returned.
Greg Hudson [Thu, 12 May 2016 20:03:06 +0000 (16:03 -0400)]
Check princ length in krb5_sname_match()
krb5_sname_match() can read past the end of princ's component array in
some circumstances (typically when a keytab contains both "x" and
"x/y" principals). Add a length check. Reported by Spencer Jackson.
Greg Hudson [Tue, 17 May 2016 23:28:25 +0000 (19:28 -0400)]
Simplify principal and policy manipulation code
Now that principal entry and policy fields are allocated using the
malloc visible to the krb5 libraries, we don't need to use
krb5_db_alloc() and krb5_db_free() when modifying them within our
code.
Greg Hudson [Tue, 17 May 2016 02:54:06 +0000 (22:54 -0400)]
Use library malloc for principal, policy entries
Alter the KDB module contract to require that KDB modules use an
allocator compatible with the malloc() seen by libkrb5 and libkdb5.
Change krb5_db_alloc() and krb5_db_free() to provide access to this
allocator. Remove free_principal, free_policy, alloc, and free from
the KDB interface and from all in-tree KDB modules.
Sarah Day [Fri, 29 Apr 2016 14:26:31 +0000 (10:26 -0400)]
Implement principal renaming in LDAP
The generic method of renaming principals (by adding a new entry and
deleting the old one) does not work in LDAP. Add an LDAP
implementation of rename that properly renames the DN and attributes
when necessary.
[ghudson@mit.edu: minor naming changes and code simplifications]
Sarah Day [Thu, 31 Mar 2016 21:49:55 +0000 (17:49 -0400)]
Add new DAL function for renaming principals
Previously libkadm5srv renamed principals by getting the principal
entry, renaming the entry, putting it in the DB, then deleting the old
one. This does not work in certain KDB modules such as LDAP. A new
DAL function is necessary to support all KDB modules. Add a new DAL
function to support custom renames in all KDB modules, with a default
implementation that performs the previous functionality of adding and
deleting the principal entry.
NOTE: if the default rename function isn't used and iprop logging is
enabled, iprop would fail since it doesn't formally support renaming.
In that case, the call to krb5_db_rename_principal() will fail with
the code KRB5_PLUGIN_OP_NOTSUPP.
Greg Hudson [Mon, 2 May 2016 16:51:03 +0000 (12:51 -0400)]
Fix cstyle-file.py when emacs is not installed
emacs_reindent() is intended to fail gracefully when emacs is not
installed, but instead subprocess.call() throws an OSError. Check for
this error and return normally.
For each file we check in cstyle-file.py, try to use emacs to
batch-reindent a copy of the file, and compare the resulting lines to
the input to detect indentation errors.
In logger.c, remove conditionals around uses of syslog.h, syslog(),
openlog(), closelog(), and syslog priority constants. This header and
these symbols are used unconditionally in other non-Windows parts of
the tree. Leave the conditionals around facility constants for now,
as not all of the facility constants are specified in POSIX.
Greg Hudson [Mon, 28 Mar 2016 17:48:52 +0000 (13:48 -0400)]
Improve errors when DB2 database cannot be opened
When we cannot open a DB2 database, set a useful error message.
Change the signature of open_db() to to allow it to return an error
code with a message set.
Tom Yu [Thu, 28 Apr 2016 20:44:21 +0000 (16:44 -0400)]
Unconstify some krb5 GSS OIDs
gssapi_krb5.h declared some well-known OID constants as pointers to
const gss_OID_desc, which can't be assigned to application-declared
gss_OID variables or passed to GSSAPI functions without causing
warnings.
Declare these OID constants without the const qualifier on
gss_OID_desc, at the expense of some type safety. (Fixing this
"correctly" probably requires some standards revision.)
Add a sign_authdata method to the test KDB module. Add tests to
t_authdata.py for KDB module authdata and the kinit --request-pac and
--no-request-pac options.
Add a new public function to set a PAC request option for an AS
request.
[ghudson@mit.edu: simplified code; made signature conform to Heimdal
function; expanded on doxygen comment; added new function to API
reference; changed code to send encoded KERB-PA-PAC-REQUEST instead
of a single octet]
Matt Rogers [Tue, 26 Apr 2016 18:36:55 +0000 (14:36 -0400)]
Skip password prompt when running ksu as root
A change introduced in 5fd5a67 resulted in root always being prompted for
the target user password when running ksu. Restore the previous behavior
which is to only prompt if the principal is provided with -n.
Use strdur() to output the maximum and minimum password life for
policies, and output "[never]" instead of "[none]" for a zero password
expiration date for consistency with other dates.
When parsing kadmin time intervals using getdate.y relative time
formats, make sure the same timestamp is added to and substracted from
the relative value. To accomplish this, rename get_date() to
get_date_rel() with a second parameter for the current time, and make
get_date() a wrapper with the current signature for the benefit of
kdb5_util and kdb5_ldap_util.
When parsing time intervals in kadmin commands, try
krb5_string_to_deltat() first, then fall back to subtracting the
current time from get_date(). If we do fall back, treat "never" as a
zero interval, and error out rather than yield a huge interval if
get_date() returns a time in the past.
Notable behavior differences: bare numbers of seconds and suffixed
numbers (e.g. "5m" or "6h") are now supported for all intervals;
HH:MM:SS and HH:MM are now treated as intervals rather than absolute
times with the current time subtracted.
Greg Hudson [Mon, 29 Feb 2016 21:51:22 +0000 (16:51 -0500)]
Skip unnecessary mech calls in gss_inquire_cred()
If the caller does not request a name, lifetime, or cred_usage when
calling gss_inquire_cred(), service the call by copying the mechanism
list (if requested) but do not call into the mech.
This change alleviates an issue (reported by Adam Bernstein) where
SPNEGO can fail in the presence of expired krb5 credentials rather
than proceeding with a different mechanism, or can resolve a krb5
credential without the benefit of the target name.
Greg Hudson [Wed, 23 Mar 2016 17:15:58 +0000 (13:15 -0400)]
Amend KDC hook documentation
In the Doxygen comments for the new APIs and types, include @version
tags indicating that they are new in 1.15, and put @param declarations
just after the brief message for consistency with other comments.
Greg Hudson [Wed, 16 Dec 2015 17:51:36 +0000 (12:51 -0500)]
Fix kdb5_ldap_util stashsrvpw password file logic
kdb5_ldap_util stashsrvpw has several inconsistencies with the
password file determination in libkdb_ldap, and could try to fopen() a
NULL filename in some cases. Factor out the determination of the
configured password file and make it consistent with libkdb_ldap.
DEF_SERVICE_PASSWD_FILE is no longer used after these changes, as it
is not respected by libkdb_ldap.
Greg Hudson [Tue, 29 Mar 2016 22:32:56 +0000 (18:32 -0400)]
Integrate with appveyor for Windows CI
appveyor.com is a hosted continuous integration service for Windows.
Add an appveyor.yml file containing build instructions. The appveyor
virtual machines do not include the MFC libraries, so change
util/wshelper/resource.rc to avoid including <afxres.h> (which it does
not need) and add a build conditional for leash.
Right now we do not build the installers; the appveyor VMs do not
appear to have the version of the WiX toolkit we need, and we would
also have problems with the missing leash executable.
Matt Rogers [Wed, 24 Feb 2016 21:06:53 +0000 (16:06 -0500)]
Move the util/windows getopt to libkrb5support
Relocate the internal getopt() and getopt_long() code to util/support,
and build conditionally. Put declarations in k5-platform.h. Adjust
Windows build directives for src/clients. Remove getopt-related #defines
from kinit.c, allowing kinit to use getopt_long() on all platforms.
Sarah Day [Thu, 18 Feb 2016 21:54:27 +0000 (16:54 -0500)]
Default to LSA when TGT in LSA is inaccessible
When UAC is enabled and a domain user with Administrator privileges
logs in, the TGT is inaccessible. Access to the TGT in a
UAC-restricted session may allow a non-elevated user to bypass the
UAC. In a UAC-restricted session, ms2mit copies the current tickets
from the LSA ccache to the API ccache except the TGT, effectively
preventing a user session from getting additional service tickets
while appearing, for some purposes, to have a usable ccache.
Another bug is that ms2mit always copies from the LSA ccache to the
default ccache, even if the default ccache is itself the LSA ccache.
New behavior:
* If the TGT is accessible in the LSA ccache, copy the LSA ccache to
the API ccache.
* Set the registry key for the default ccname to "API:" if the copy
occurred, or to "MSLSA:" if it didn't occur.
Tom Yu [Mon, 28 Mar 2016 18:57:10 +0000 (14:57 -0400)]
Fix calling conventions
Commit fb4d426ddeb9d4802a53dfbd74189ef8eacbe65e added two new APIs but
didn't make the KRB5_CALLCONV decorations consistent between
declarations and definitions. This broke the build on Windows.
Peter Jones [Fri, 26 Feb 2016 14:49:58 +0000 (09:49 -0500)]
Make profile includedir accept all *.conf files
Since the main config file is krb5.conf, it is intuitive to name
included files with a ".conf" extension; currently such files are
silently ignored. Accept filenames ending in ".conf" as well as files
with no special characters.
[ghudson@mit.edu: shorten commit message and comment; accept the
filename ".conf" itself for simplicity; add a test; adjust
documentation change to note that allowing .conf is new in 1.15]
Sarah Day [Thu, 14 Jan 2016 18:11:21 +0000 (13:11 -0500)]
Remove port 750 from the KDC default ports
The KDC was still listening on port 750 despite the fact that
this functionality was supposed to have been removed in the
past. Remove port 750 from the list of UDP ports that the KDC
listens on. Also remove port 750 from the default ports that
the client connects to, and from example config fragments.
projects / thirdparty / krb5.git / log
