Simo Sorce [Thu, 30 Mar 2017 15:27:09 +0000 (11:27 -0400)]
Add support to query the SSF of a GSS context
Cyrus SASL provides a Security Strength Factor number to assess the
relative "strength" of the negotiated mechanism, and applications
sometimes make access control decisions based on it.
Add a call that allows us to query the mechanism that established the
GSS security context to ask what is the current SSF, based on the
enctype of the session key.
The kprop protocol uses cipher state via this call, perhaps along with
other. As there is no replacement, the call should not be deprecated
in the API.
Matt Rogers [Wed, 5 Apr 2017 20:48:55 +0000 (16:48 -0400)]
Use the canonical client principal name for OTP
In the OTP module, when constructing the RADIUS request, use the
canonicalized client principal (using the new client_name kdcpreauth
callback) instead of the request client principal.
Martin Kittel [Wed, 15 Mar 2017 16:21:28 +0000 (17:21 +0100)]
Fix krb5int_open_plugin_dirs() error handling
In krb5int_open_plugin_dirs(), if constructing filepath fails,
filepath is set to null but accessed a few lines later. Add an error
check before calling krb5int_open_plugin().
Martin Kittel [Wed, 29 Mar 2017 07:22:18 +0000 (09:22 +0200)]
Add null check to placate static analysis tools
In trace_format() when processing lenstr, if p is NULL and len is 0,
skip the call to buf_add_printable_len() as Coverity considers it an
unconditional dereference of p.
[ghudson@mit.edu: added explanation to commit message]
Greg Hudson [Mon, 27 Mar 2017 19:40:08 +0000 (15:40 -0400)]
Simplify null salt handling in string-to-key
The per-enctype string_to_key implementations are inconsistent about
whether a null salt is treated as empty or results in a null
dereference. Since the original DES string-to-key allowed a null
salt, substitute an empty salt in krb5_c_string_to_key_with_params().
Eliminate conditionals on accessing salt in the per-enctype
implementations as they are no longer needed. Based on a patch by
Martin Kittel.
Greg Hudson [Fri, 24 Mar 2017 15:07:21 +0000 (11:07 -0400)]
Ignore dotfiles in profile includedir
Editors and filesystems may create artifacts related to .conf files
which don't change the file suffix; these artifacts generally begin
with "." so that they don't appear in normal directory listings
(e.g. ".#filename" for emacs interlock files). Make sure to ignore
any such artifacts when processing a profile includedir directive.
Greg Hudson [Thu, 23 Mar 2017 18:26:50 +0000 (14:26 -0400)]
Remove some unnecessary PKINIT code
In cms_signeddata_create(), alg_buf and digest_buf are allocated but
never used. (Instead, a combined buffer is allocated and the alg and
digest objects are marshalled into it.) Remove them.
Matt Rogers [Wed, 15 Mar 2017 23:57:15 +0000 (19:57 -0400)]
Add the certauth dbmatch module
Add and enable the "dbmatch" builtin module. Add the
pkinit_client_cert_match() and crypto_req_cert_matching_data() helper
functions. Add dbmatch tests to t_pkinit.py. Add documentation to
krb5_conf.rst, pkinit.rst, and kadmin_local.rst.
Matt Rogers [Wed, 22 Mar 2017 01:24:14 +0000 (21:24 -0400)]
Simplify PKINIT cert iteration and selection
Remove the pkinit_cert_handle structures and iteration functions used
during certificate matching. Instead, make pkinit_matching.c obtain a
list of matching data objects from the crypto code, and then select a
cert based on the index into that list.
Also fix a typo in the name of crypto_retrieve_X509_key_usage().
Matt Rogers [Tue, 28 Feb 2017 20:55:24 +0000 (15:55 -0500)]
Add certauth pluggable interface
Add the header include/krb5/certauth_plugin.h, defining a pluggable
interface to control authorization of PKINIT client certificates.
Add the "pkinit_san" and "pkinit_eku" builtin certauth modules and
related PKINIT crypto X.509 helper functions. Add authorize_cert() as
the entry function for certauth plugin module checks called in
pkinit_server_verify_padata(). Modify kdcpreauth_moddata to hold the
list of certauth module handles, and load the modules when the PKINIT
kdcpreauth server plugin is initialized. Change
crypto_retrieve_X509_sans() to return ENOENT when no SAN is found.
Add test modules in plugins/certauth/test. Create t_certauth.py with
basic certauth tests. Add plugin interface documentation in
doc/plugindev/certauth.rst and doc/admin/krb5_conf.rst.
Greg Hudson [Tue, 14 Mar 2017 23:39:38 +0000 (19:39 -0400)]
Force autoconf rebuild in maintainer rules
autoconf normally avoids recreating files that it does not consider
obsolete. Since it knows nothing about patchlevel.h (which we read at
autoconf time using m4's esyscmd()), changes to patchlevel.h won't be
reflected in configure unless another input to configure has changed,
and the maintainer rule will re-run autoconf over and over again. Fix
this issue by passing the force flag to autoconf when we invoke it
from the maintainer rule.
Greg Hudson [Sun, 12 Mar 2017 16:42:37 +0000 (12:42 -0400)]
Fix minor memory leaks in kvno
In do_k5_kvno(), free allocated values on success as well as failure.
In t_kdb.py, run kvno with multiple arguments to manifest this leak in
asan and valgrind. Reported by Cel Skeggs.
Greg Hudson [Sun, 12 Mar 2017 16:29:50 +0000 (12:29 -0400)]
Fix memory leaks in test programs
Eliminate memory leaks detected by asan in test programs (and
introduced since commit 4947c270032691d556140b290e1b10846b692968), to
make it easier to find more serious leaks.
Isaac Boukris [Sat, 4 Mar 2017 19:23:32 +0000 (21:23 +0200)]
Allow null outputs to gss_get_name_attribute()
In krb5_gss_get_name_attribute(), always ask for kvalue and
kdisplay_value when calling krb5_authdata_get_attribute(), as it
currently expect non-null arguments. This change allows applications
to pass GSS_C_NO_BUFFER for the value and display_value output
parameters. (Passing NULL for the authenticated and complete output
parameters already works.)
[ghudson@mit.edu: initialized kvalue and kdisplay_value for safety]
Greg Hudson [Tue, 28 Feb 2017 03:35:07 +0000 (22:35 -0500)]
Fix udp_preference_limit with SRV records
In sendto_kdc:resolve_server() when resolving a server entry with a
specified transport, defer the resulting addresses if the strategy
dictates that the specified transport is not preferred. Reported by
Jochen Hein.
Greg Hudson [Fri, 24 Feb 2017 18:41:53 +0000 (13:41 -0500)]
Fix PKINIT two-component matching rule parsing
In pkinit_matching.c:parse_rule_set(), apply the default relation when
parsing the second component of a rule, not the third. Otherwise we
apply no default relation to two-component matching rules, effectively
reducing such rules to their second components. Reported by Sumit
Bose.
Greg Hudson [Fri, 20 Jan 2017 17:44:12 +0000 (12:44 -0500)]
Add test cases for preauth fallback behavior
Add options to icred for performing optimistic preauth and setting
preauth options, and for choosing between the normal and stepwise
interfaces. Add options to the test preauth module to allow induced
failures at several points in processing, factoring out some padata
manipulation functions into a new file to avoid repeating too much
code. Add test cases to t_preauth.py using the new facilities to
exercise and verify several preauth fallback scenarios. Amend the
tryagain test case in t_pkinit.py to look for more trace log messages.
Greg Hudson [Sat, 14 Jan 2017 18:55:22 +0000 (13:55 -0500)]
Continue preauth after client-side failures
If the module for the selected preauth mechanism fails when processing
a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error, or fails a tryagain
operation, try again with a different preauth mech using the cached
method data.
If optimistic preauth fails on the client side, send an
unauthenticated request, allowing the mechanisms we tried
optimistically to be tried again.
Greg Hudson [Fri, 13 Jan 2017 20:35:48 +0000 (15:35 -0500)]
Preserve method data in get_in_tkt.c
To continue after preauth failures, we need a persistent field in
krb5_init_creds_context containing the METHOD-DATA from a
KDC_PREAUTH_REQUIRED or KDC_PREAUTH_FAILED error. If we overwrite
this field with the padata in a KDC_MORE_PREAUTH_DATA_REQUIRED error,
or conflate it with an optimistic padata list, we won't be able to
correctly continue after a preauth failure.
In krb5_init_creds_context, split the preauth_to_use field into
optimistic_padata, method_padata, and more_padata. Separately handle
KDC_ERR_MORE_PREAUTH_DATA_REQUIRED in init_creds_step_request() and
init_creds_step_reply(), and separately handle optimistic preauth in
init_creds_step_request(). Do not call k5_preauth() if none of the
padata lists are set.
Also stop clearing ctx->err_reply when processing a
KDC_ERR_PREAUTH_REQUIRED response. Instead look for that error code
in init_creds_step_request(). Eliminate the preauth_required field of
krb5_init_creds_context as it can be inferred from whether we are
performing optimistic preauth.
Simo Sorce [Thu, 26 Jan 2017 10:45:17 +0000 (05:45 -0500)]
Add OID to inquire GSS cred impersonator name
In the krb5 GSS mechanism, add support in gss_inquire_cred_by_oid()
for inquiring the impersonator name of a credential object, using OID
1.2.840.113554.1.2.2.5.14.
Greg Hudson [Fri, 17 Feb 2017 18:38:19 +0000 (13:38 -0500)]
Add GSSAPI S4U documentation
Describe how a GSS application can perform S4U2Self and S4U2Proxy
requests using the MIT krb5 GSS library. Also add a reference to RFC
7546 at the top, and fix a reference to gssapi_krb5.h.
Matt Rogers [Fri, 10 Feb 2017 17:53:42 +0000 (12:53 -0500)]
Use fallback realm for GSSAPI ccache selection
In krb5_cc_select(), if the server principal has an empty realm, use
krb5_get_fallback_host_realm() and set the server realm to the first
fallback found. This helps with the selection of a non-default ccache
when there is no [domain_realms] configuration for the server domain.
Modify t_ccselect.py tests to account for fallback behavior.
Greg Hudson [Fri, 23 Dec 2016 02:49:09 +0000 (21:49 -0500)]
Use LDIF config and add mdb support in t_kdb.py
When setting up slapd, use slapadd with cn=config LDIF directives
instead of the deprecated config file. By adding one cn=config object
at a time, we can detect specific specific configuration failures,
including unsupported database types. Try the mdb and bdb database
types, to work with older and newer OpenLDAP versions.
Greg Hudson [Tue, 7 Feb 2017 18:12:24 +0000 (13:12 -0500)]
Avoid draft 9 fallback after PKINIT failure
If a KDC offers both RFC 4556 and draft 9 PKINIT, and we experience a
client-side failure trying RFC 4556 PKINIT (e.g. due to the user
entering the wrong PKCS #11 PIN), do not try to use draft 9 PKINIT.
Greg Hudson [Fri, 13 Jan 2017 17:16:04 +0000 (12:16 -0500)]
Track preauth failures instead of tries
In preauth2.c, instead of noting whenever we try a real preauth mech,
note when a mechanism fails on our side. Tracking only failures
eliminates the need to reset the list for multi-step preauth exchanges
or for processing padata in the AS-REP, but we will need the function
later for continuing after optimistic preauth failures.
Greg Hudson [Sat, 14 Jan 2017 01:45:48 +0000 (20:45 -0500)]
Simplify k5_preauth_tryagain()
When retrying pre-authentication for an error, try only the module for
the selected preauth type, not all preauth types in the original
method data. Pass the error and its padata to k5_preauth_tryagain()
explicitly, so that those fields of krb5_init_creds_context are only
referenced in get_in_tkt.c. Handle a degenerate case in
init_creds_step_reply() to simplify the code in
init_creds_step_request().
Greg Hudson [Fri, 13 Jan 2017 15:14:36 +0000 (10:14 -0500)]
Adjust processing of pa_type ccache config
Read the allowed preauth type from the input ccache in
restart_init_creds_loop(); there is no need to reread it each time we
produce a request. Move read_allowed_preauth_type() earlier in the
file to allow it to be called from restart_init_creds_loop() without a
prototype.
Clear the selected preauth type in restart_init_creds_loop(), not in
init_creds_step_request(). We want to make sure that it doesn't
survive a restart due to a realm referral or expiry, but we don't want
to forget about it when retrying after an error.
Greg Hudson [Mon, 30 Jan 2017 17:30:51 +0000 (12:30 -0500)]
Document multi-component PKINIT client certs
In pkinit.rst, note that the extensions.client file only works for
single-component client principals, and describe how to modify it for
multi-component principals.
Greg Hudson [Wed, 25 Jan 2017 18:07:42 +0000 (13:07 -0500)]
Document default realm and login authorization
Add documentation to host_config.rst describing what the default realm
does. Also add documentation discussing login authorization
configuration, and give an example showing how to give login access to
principals from a realm other than the default realm.
Greg Hudson [Mon, 9 Jan 2017 16:44:29 +0000 (11:44 -0500)]
Document and check init_creds context requirement
To ensure that the same clpreauth plugin modules and moddata pointers
are used for each step of an initial creds operation, the caller must
use the same library context for krb5_init_creds_init(),
krb5_init_creds_step(), and krb5_init_creds_free(). Document and
enforce this requirement.
Greg Hudson [Wed, 4 Jan 2017 23:31:15 +0000 (18:31 -0500)]
Add tests for per-request preauth data scoping
Add a test harness which interleaves calls for multiple initial creds
contexts using the same library context. Add a test case to
t_preauth.py using the new harness and the test preauth module to
verify that modreq pointers are correctly tracked.
Greg Hudson [Tue, 20 Dec 2016 21:06:24 +0000 (16:06 -0500)]
Properly scope per-request preauth data
It should be possible to successfully use multiple initial credentials
contexts with the same library context. Create a new internal type
krb5_preauth_req_context containing per-request preauth state,
including the clpreauth modreq handles and the list of preauth types
already tried. Remove this state from clpreauth_handle and
krb5_preauth_context.
Greg Hudson [Tue, 20 Dec 2016 20:25:29 +0000 (15:25 -0500)]
Make krb5_preauth_context a pointer type
For consistency with krb5_context and krb5_init_creds_context, make
krb5_preauth_context a pointer type. In preauth2.c, use the typedef
name rather than the structure tag except when defining the structure.
Add an optional method to kdb_vftabl to free e_data pointer in a
principal entry, in case it was populated by a module using a more
complex structure than a single memory region.
[ghudson@mit.edu: handled minor version bump; simplified code; rewrote
commit message]
Greg Hudson [Wed, 18 Jan 2017 16:40:49 +0000 (11:40 -0500)]
Explicitly copy KDB vtable fields
In preparation for bumping the kdb_vftabl minor version, use explicit
field assignments when copying the module vtable to the internal copy,
so that we can conditionalize assignments for minor versions greater
than 0.
Greg Hudson [Tue, 17 Jan 2017 16:24:41 +0000 (11:24 -0500)]
Add k5test expected_msg, expected_trace
In k5test.py, add the optional keyword argument "expected_msg" to
methods that run commands, to make it easier to look for substrings in
the command output. Add the optional keyword "expected_trace" to run
the command with KRB5_TRACE enabled and look for an ordered series of
substrings in the trace output.
Greg Hudson [Wed, 11 Jan 2017 15:49:30 +0000 (10:49 -0500)]
Add test case for PKINIT DH renegotiation
In t_pkinit.py, add a PKINIT test case where the KDC sends
KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED and the client retries with the
KDC's TD_DH_PARAMETERS value, using the clpreauth tryagain method.
Use the trace log to verify that the renegotiation actually takes
place.
Greg Hudson [Wed, 11 Jan 2017 14:46:46 +0000 (09:46 -0500)]
Clean up krb5_db2_free_policy()
Commit 03d34fcfa329fbc2f686a0b34e2731e37f483a34 (ticket 8414) removed
the prototype and all uses of krb5_db2_free_policy(), but neglected to
remove the function definition, resulting in a warning. Remove the
definition now.
Ken Raeburn [Sat, 7 Jan 2017 03:39:39 +0000 (22:39 -0500)]
Fix detection of supported warnings in clang
Without -Werror=unknown-warning-option, clang will warn for
unrecognized -W options like "-Werror=discarded-qualifiers" but won't
return a nonzero exit status, leading configure to think the options
are supported and thus include them during the build, leading to a
rather noisy log.
This option isn't needed during the build, though it won't hurt
anything either. It is desirable during the testing of other -W
options for cleaner results, but the existing code tests each option
independently, requiring different handling for this option than for
other -W options.
Greg Hudson [Mon, 2 Jan 2017 19:20:29 +0000 (14:20 -0500)]
Remove addevent flag in net-server.c
The addevent flag to make_event() was always set to true except when
setting up the routing socket. Since we no longer set up the routing
socket (ticket 8348), we can remove the flag.
Greg Hudson [Mon, 2 Jan 2017 19:10:12 +0000 (14:10 -0500)]
Remove struct socksetup from net-server.c
struct socksetup was required when we iterated over local addresses
using foreach_localaddr. Since we no longer do that (ticket 8348),
the functions which use it can simply accept the parameters they
require and return error codes.
Greg Hudson [Mon, 26 Dec 2016 20:18:05 +0000 (15:18 -0500)]
Use pktinfo for explicit UDP wildcard listeners
In net-server.c, use pktinfo on UDP server sockets if they are bound
to wildcard addresses, whether that is explicit or implicit in the
address specification.
Greg Hudson [Mon, 26 Dec 2016 20:09:24 +0000 (15:09 -0500)]
Fix KDC/kadmind startup on some IPv4-only systems
getaddrinfo(NULL, ...) may yield an IPv6 wildcard address on IPv4-only
systems, and creating a socket for that address may result in an
EAFNOSUPPORT error. Tolerate that error as long as we can bind at
least one socket for the address.
Greg Hudson [Wed, 4 Jan 2017 16:33:57 +0000 (11:33 -0500)]
Deindent crypto_retrieve_X509_sans()
Fix some long lines in crypto_retrieve_X509_sans() by returning early
if X509_get_ext_by_NID() returns a negative result. Also ensure that
return parameters are always initialized.
Matt Rogers [Mon, 5 Dec 2016 17:17:59 +0000 (12:17 -0500)]
Improve PKINIT UPN SAN matching
Add the match_client() kdcpreauth callback and use it in
verify_client_san(). match_client() preserves the direct UPN to
request principal comparison and adds a direct comparison to the
client principal, falling back to an alias DB search and comparison
against the client principal. Change crypto_retreive_X509_sans() to
parse UPN values as enterprise principals.
[ghudson@mit.edu: use match_client for both kinds of SANs]
Greg Hudson [Wed, 14 Dec 2016 16:31:48 +0000 (11:31 -0500)]
Clean up PKINIT decode_data functions
In pkinit_crypto_openssl.c, fold decrypt_data() into its caller
pkinit_decode_data_fs(), and simplify its error-handling logic.
Initialize output parameters in pkinit_decode_data_pkcs11() and
pkinit_decode_data().
Greg Hudson [Fri, 2 Dec 2016 16:10:52 +0000 (11:10 -0500)]
Improve cleanup in krb5_rc_io_fetch()
In the error cleanup for krb5_rc_io_fetch(), null out rep->msghash
after freeing it, like we do with rep->client and rep->server. This
omission is currently harmless because krb5_rc_io_fetch() never sets
rep->msghash before failing, but it could result in a double-free or
use after free if the code changes.
Tomas Kuthan [Fri, 2 Dec 2016 14:22:54 +0000 (15:22 +0100)]
Add krbPwdPolicy attributes to kerberos.ldif
When LDAP backend support for policy extensions was added by 5edafa0532 (ticket 7223), the kerberos.ldif change neglected to add
the new attributes to krbPwdPolicy.
Greg Hudson [Sun, 27 Nov 2016 23:37:12 +0000 (18:37 -0500)]
Allow slapd path configuration in t_kdb.py
The upstream OpenLDAP installs slapd in libexec, which is not
typically in the path. Also, copying the binary can sometimes cause
it to fail; for instance, in the OpenCSW package,
/opt/csw/libexec/slapd is a script which chooses a binary based on the
system architecture and the path to the script. Allow the test runner
to set the SLAPD environment variable to specify the slapd location
and avoid the copy.
Greg Hudson [Tue, 22 Nov 2016 07:17:38 +0000 (02:17 -0500)]
Simplify LDAP module by relying on OpenLDAP 2.1
Solaris 11 provides an OpenLDAP library (which we don't auto-detect,
but should) in addition to the old Mozilla LDAP library; this will
become the default LDAP library in the next release. As there is no
longer a need to build against the Mozilla LDAP library, and as we
have unwittingly relied on some OpenLDAP-specific features since 1.13,
remove the compatibility code for the Mozilla LDAP library and just
require OpenLDAP 2.1 (which added ldap_str2dn).
Greg Hudson [Mon, 31 Oct 2016 15:48:54 +0000 (11:48 -0400)]
Make zap() more reliable
The gcc assembly version of zap() could still be optimized out under
gcc 5.1 or later, and the krb5int_zap() function could be optimized
out with link-time optimization. Based on work by Zhaomo Yang and
Brian Johannesmeyer, use the C11 memset_s() when available, then fall
back to a memory barrier with gcc or clang, and finally fall back to
using krb5int_zap(). Modify krb5int_zap() to use a volatile pointer
in case link-time optimization is used.
Greg Hudson [Fri, 28 Oct 2016 14:26:04 +0000 (10:26 -0400)]
Add doxygen comments for RFC 8009, RFC 4757
The aes-sha2 specification has been published as RFC 8009. Add
Doxygen comments to the #defines for its enctype and checksum type
comments. Also add comments for the RC4 enctype and checksum type
constants referring to RFC 4757.
Greg Hudson [Fri, 7 Oct 2016 15:23:02 +0000 (11:23 -0400)]
Clarify krb5_kt_resolve() API documentation
Explicitly say to use krb5_kt_close() like we do for most other
allocating API calls. Note the default type. Instead of saying "The
key table is not opened," say that the keytab file for FILE keytabs is
not opened by this call.
Greg Hudson [Thu, 6 Oct 2016 15:28:33 +0000 (11:28 -0400)]
Suggest unlocked iteration for mkey rollover
In database.rst when discussing the procedure for master key rollover,
suggest using unlocked iteration for large databases. Also make it
clear that unavailability due to locking during iteration is specific
to DB2.
Greg Hudson [Wed, 5 Oct 2016 14:51:52 +0000 (10:51 -0400)]
Fix "make depend" when cmocka.h not present
Add an intermediary header file k5-cmocka.h, which only includes
cmocka.h if we detected an appropriate version of cmocka at configure
time. This allows "make depend" to successfully run over cmocka test
programs when cmocka.h isn't present on the build platform.
For convenience, k5-cmocka.h also includes stdarg.h, stddef.h, and
setjmp.h, which are required to include cmocka.h.
projects / thirdparty / krb5.git / log
