Where we convert between UTF-8 and UCS-2 (RC4 string-to-key and PAC
client info), use UTF-16 instead of UCS-2. Add a test program for
the conversion functions.
Martin Kittel [Thu, 6 Apr 2017 19:03:23 +0000 (21:03 +0200)]
Add various bound checks
Add bounds checks where Coverity otherwise reports a defect. Most of
these checks are unlikely to be triggered in practice (Unicode regexps
are unused, and the caller of gss_krb5int_make_seal_token_v3 won't
have a plaintext object larger than half of the address space). The
checks in dump.c could prevent memory access errors resulting from a
malformed dump file.
Avoid using the krb5_error_code type (using int32_t instead), and
include k5-platform.h instead of k5-int.h, so that we can use
k5-input.h in libkrb5support.
Create a custom build matrix which passes -Werror to the clang build
via a make variable. (Using a configure variable does not currently
work, as some of our configure test programs generate warnings.)
Also set the language to C++ (so we use clang++ for the C++ test
programs and not g++ when compiling with clang), and turn on the
maintainer-mode checks for the Travis build.
Remove unused entry points as we only need to convert between
little-endian UCS-2 byte buffers and UTF-8. Rename and simplify the
remaining two function contracts. Avoid pointer alignment and
endianness issues by operating on byte buffers and using store_16_le()
and load_16_le(). Avoid two-pass operation using k5buf.
[ghudson@mit.edu: simplified code using k5buf; simplified function
names and contracts; rewrote commit message]
krb5int_utf8cs_to_ucs2les() can read slightly beyond the end of the
input buffer if the buffer ends with an invalid UTF-8 sequence. When
computing the RC4 string-to-key result, make a zero-terminated copy of
the input string and use krb5int_utf8s_to_ucs2les() instead.
Matt Rogers [Fri, 31 Mar 2017 02:18:24 +0000 (22:18 -0400)]
Add FAST encrypted challenge auth indicator
During ec_verify(), look up an authentication indicator string by the
profile realm option "encrypted_challenge_indicator". If found, add
an indicator to the reply upon succesful creation of the challenge
key. Add a test to t_authind.py. Document the option in
kdc_conf.rst.
We have had code since at least 1.6 in changepw.c and sendto_kdc.c
which assumes that we can pass a struct sockaddr * as the second
argument to getsockname() and getpeername(), so we can safely get rid
of that configure logic. Also fix potential alignment issues in
krb5_sendauth() by using a struct sockaddr_storage instead of a
1024-byte character buffer to hold the local and peer addresses.
[ghudson@mit.edu: adjusted style of new code slightly; rewrote commit
message]
When we are building a static object containing a finalizer function
(e.g. for the profile library tests), mark the finalizer as unused to
avoid warnings in gcc and clang.
[ghudson@mit.edu: commented UNUSED definition and moved it so we can
use it elsewhere later; rewrote commit message]
Robbie Harwood [Wed, 29 Mar 2017 22:34:37 +0000 (18:34 -0400)]
Avoid using tmpnam(3) in db2's hash.c
As we do not rely on anonymous db2 databases, get rid of the code
using tmpnam() for hash databases and reporting EINVAL if a filename
is not specified.
In kdb_log.h, cast through void * after computing the address in the
INDEX macro.
In ipropd_svc.c, use a void * instead of a char * as the generic
handler return value.
In rc4.c, cast through void * when using the cipher state data pointer
as a structure pointer.
In sha256.c and sha512.c, cast through void * when using the save
buffer as a structure pointer. (This code may not be conformant, but
it should work in practice given the offsets of the save field in the
sha256state and sha512state structures.)
If we reach the encrypted challenge clpreauth process method without
an armor key, error out instead of crashing. This can happen if (a)
the KDC offers encrypted challenge even though the request doesn't use
FAST (the Heimdal KDC apparently does this), and (b) we fall back to
that preauth method before generating a preauthenticated request,
typically because of a prompter failure in encrypted timestamp.
Reported by Nico Williams.
Simo Sorce [Thu, 30 Mar 2017 15:27:09 +0000 (11:27 -0400)]
Add support to query the SSF of a GSS context
Cyrus SASL provides a Security Strength Factor number to assess the
relative "strength" of the negotiated mechanism, and applications
sometimes make access control decisions based on it.
Add a call that allows us to query the mechanism that established the
GSS security context to ask what is the current SSF, based on the
enctype of the session key.
The kprop protocol uses cipher state via this call, perhaps along with
other. As there is no replacement, the call should not be deprecated
in the API.
Matt Rogers [Wed, 5 Apr 2017 20:48:55 +0000 (16:48 -0400)]
Use the canonical client principal name for OTP
In the OTP module, when constructing the RADIUS request, use the
canonicalized client principal (using the new client_name kdcpreauth
callback) instead of the request client principal.
Martin Kittel [Wed, 15 Mar 2017 16:21:28 +0000 (17:21 +0100)]
Fix krb5int_open_plugin_dirs() error handling
In krb5int_open_plugin_dirs(), if constructing filepath fails,
filepath is set to null but accessed a few lines later. Add an error
check before calling krb5int_open_plugin().
Martin Kittel [Wed, 29 Mar 2017 07:22:18 +0000 (09:22 +0200)]
Add null check to placate static analysis tools
In trace_format() when processing lenstr, if p is NULL and len is 0,
skip the call to buf_add_printable_len() as Coverity considers it an
unconditional dereference of p.
[ghudson@mit.edu: added explanation to commit message]
Greg Hudson [Mon, 27 Mar 2017 19:40:08 +0000 (15:40 -0400)]
Simplify null salt handling in string-to-key
The per-enctype string_to_key implementations are inconsistent about
whether a null salt is treated as empty or results in a null
dereference. Since the original DES string-to-key allowed a null
salt, substitute an empty salt in krb5_c_string_to_key_with_params().
Eliminate conditionals on accessing salt in the per-enctype
implementations as they are no longer needed. Based on a patch by
Martin Kittel.
Greg Hudson [Fri, 24 Mar 2017 15:07:21 +0000 (11:07 -0400)]
Ignore dotfiles in profile includedir
Editors and filesystems may create artifacts related to .conf files
which don't change the file suffix; these artifacts generally begin
with "." so that they don't appear in normal directory listings
(e.g. ".#filename" for emacs interlock files). Make sure to ignore
any such artifacts when processing a profile includedir directive.
Greg Hudson [Thu, 23 Mar 2017 18:26:50 +0000 (14:26 -0400)]
Remove some unnecessary PKINIT code
In cms_signeddata_create(), alg_buf and digest_buf are allocated but
never used. (Instead, a combined buffer is allocated and the alg and
digest objects are marshalled into it.) Remove them.
Matt Rogers [Wed, 15 Mar 2017 23:57:15 +0000 (19:57 -0400)]
Add the certauth dbmatch module
Add and enable the "dbmatch" builtin module. Add the
pkinit_client_cert_match() and crypto_req_cert_matching_data() helper
functions. Add dbmatch tests to t_pkinit.py. Add documentation to
krb5_conf.rst, pkinit.rst, and kadmin_local.rst.
Matt Rogers [Wed, 22 Mar 2017 01:24:14 +0000 (21:24 -0400)]
Simplify PKINIT cert iteration and selection
Remove the pkinit_cert_handle structures and iteration functions used
during certificate matching. Instead, make pkinit_matching.c obtain a
list of matching data objects from the crypto code, and then select a
cert based on the index into that list.
Also fix a typo in the name of crypto_retrieve_X509_key_usage().
Matt Rogers [Tue, 28 Feb 2017 20:55:24 +0000 (15:55 -0500)]
Add certauth pluggable interface
Add the header include/krb5/certauth_plugin.h, defining a pluggable
interface to control authorization of PKINIT client certificates.
Add the "pkinit_san" and "pkinit_eku" builtin certauth modules and
related PKINIT crypto X.509 helper functions. Add authorize_cert() as
the entry function for certauth plugin module checks called in
pkinit_server_verify_padata(). Modify kdcpreauth_moddata to hold the
list of certauth module handles, and load the modules when the PKINIT
kdcpreauth server plugin is initialized. Change
crypto_retrieve_X509_sans() to return ENOENT when no SAN is found.
Add test modules in plugins/certauth/test. Create t_certauth.py with
basic certauth tests. Add plugin interface documentation in
doc/plugindev/certauth.rst and doc/admin/krb5_conf.rst.
Greg Hudson [Tue, 14 Mar 2017 23:39:38 +0000 (19:39 -0400)]
Force autoconf rebuild in maintainer rules
autoconf normally avoids recreating files that it does not consider
obsolete. Since it knows nothing about patchlevel.h (which we read at
autoconf time using m4's esyscmd()), changes to patchlevel.h won't be
reflected in configure unless another input to configure has changed,
and the maintainer rule will re-run autoconf over and over again. Fix
this issue by passing the force flag to autoconf when we invoke it
from the maintainer rule.
Greg Hudson [Sun, 12 Mar 2017 16:42:37 +0000 (12:42 -0400)]
Fix minor memory leaks in kvno
In do_k5_kvno(), free allocated values on success as well as failure.
In t_kdb.py, run kvno with multiple arguments to manifest this leak in
asan and valgrind. Reported by Cel Skeggs.
Greg Hudson [Sun, 12 Mar 2017 16:29:50 +0000 (12:29 -0400)]
Fix memory leaks in test programs
Eliminate memory leaks detected by asan in test programs (and
introduced since commit 4947c270032691d556140b290e1b10846b692968), to
make it easier to find more serious leaks.
Isaac Boukris [Sat, 4 Mar 2017 19:23:32 +0000 (21:23 +0200)]
Allow null outputs to gss_get_name_attribute()
In krb5_gss_get_name_attribute(), always ask for kvalue and
kdisplay_value when calling krb5_authdata_get_attribute(), as it
currently expect non-null arguments. This change allows applications
to pass GSS_C_NO_BUFFER for the value and display_value output
parameters. (Passing NULL for the authenticated and complete output
parameters already works.)
[ghudson@mit.edu: initialized kvalue and kdisplay_value for safety]
Greg Hudson [Tue, 28 Feb 2017 03:35:07 +0000 (22:35 -0500)]
Fix udp_preference_limit with SRV records
In sendto_kdc:resolve_server() when resolving a server entry with a
specified transport, defer the resulting addresses if the strategy
dictates that the specified transport is not preferred. Reported by
Jochen Hein.
Greg Hudson [Fri, 24 Feb 2017 18:41:53 +0000 (13:41 -0500)]
Fix PKINIT two-component matching rule parsing
In pkinit_matching.c:parse_rule_set(), apply the default relation when
parsing the second component of a rule, not the third. Otherwise we
apply no default relation to two-component matching rules, effectively
reducing such rules to their second components. Reported by Sumit
Bose.
Greg Hudson [Fri, 20 Jan 2017 17:44:12 +0000 (12:44 -0500)]
Add test cases for preauth fallback behavior
Add options to icred for performing optimistic preauth and setting
preauth options, and for choosing between the normal and stepwise
interfaces. Add options to the test preauth module to allow induced
failures at several points in processing, factoring out some padata
manipulation functions into a new file to avoid repeating too much
code. Add test cases to t_preauth.py using the new facilities to
exercise and verify several preauth fallback scenarios. Amend the
tryagain test case in t_pkinit.py to look for more trace log messages.
Greg Hudson [Sat, 14 Jan 2017 18:55:22 +0000 (13:55 -0500)]
Continue preauth after client-side failures
If the module for the selected preauth mechanism fails when processing
a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error, or fails a tryagain
operation, try again with a different preauth mech using the cached
method data.
If optimistic preauth fails on the client side, send an
unauthenticated request, allowing the mechanisms we tried
optimistically to be tried again.
Greg Hudson [Fri, 13 Jan 2017 20:35:48 +0000 (15:35 -0500)]
Preserve method data in get_in_tkt.c
To continue after preauth failures, we need a persistent field in
krb5_init_creds_context containing the METHOD-DATA from a
KDC_PREAUTH_REQUIRED or KDC_PREAUTH_FAILED error. If we overwrite
this field with the padata in a KDC_MORE_PREAUTH_DATA_REQUIRED error,
or conflate it with an optimistic padata list, we won't be able to
correctly continue after a preauth failure.
In krb5_init_creds_context, split the preauth_to_use field into
optimistic_padata, method_padata, and more_padata. Separately handle
KDC_ERR_MORE_PREAUTH_DATA_REQUIRED in init_creds_step_request() and
init_creds_step_reply(), and separately handle optimistic preauth in
init_creds_step_request(). Do not call k5_preauth() if none of the
padata lists are set.
Also stop clearing ctx->err_reply when processing a
KDC_ERR_PREAUTH_REQUIRED response. Instead look for that error code
in init_creds_step_request(). Eliminate the preauth_required field of
krb5_init_creds_context as it can be inferred from whether we are
performing optimistic preauth.
Simo Sorce [Thu, 26 Jan 2017 10:45:17 +0000 (05:45 -0500)]
Add OID to inquire GSS cred impersonator name
In the krb5 GSS mechanism, add support in gss_inquire_cred_by_oid()
for inquiring the impersonator name of a credential object, using OID
1.2.840.113554.1.2.2.5.14.
Greg Hudson [Fri, 17 Feb 2017 18:38:19 +0000 (13:38 -0500)]
Add GSSAPI S4U documentation
Describe how a GSS application can perform S4U2Self and S4U2Proxy
requests using the MIT krb5 GSS library. Also add a reference to RFC
7546 at the top, and fix a reference to gssapi_krb5.h.
Matt Rogers [Fri, 10 Feb 2017 17:53:42 +0000 (12:53 -0500)]
Use fallback realm for GSSAPI ccache selection
In krb5_cc_select(), if the server principal has an empty realm, use
krb5_get_fallback_host_realm() and set the server realm to the first
fallback found. This helps with the selection of a non-default ccache
when there is no [domain_realms] configuration for the server domain.
Modify t_ccselect.py tests to account for fallback behavior.
Greg Hudson [Fri, 23 Dec 2016 02:49:09 +0000 (21:49 -0500)]
Use LDIF config and add mdb support in t_kdb.py
When setting up slapd, use slapadd with cn=config LDIF directives
instead of the deprecated config file. By adding one cn=config object
at a time, we can detect specific specific configuration failures,
including unsupported database types. Try the mdb and bdb database
types, to work with older and newer OpenLDAP versions.
Greg Hudson [Tue, 7 Feb 2017 18:12:24 +0000 (13:12 -0500)]
Avoid draft 9 fallback after PKINIT failure
If a KDC offers both RFC 4556 and draft 9 PKINIT, and we experience a
client-side failure trying RFC 4556 PKINIT (e.g. due to the user
entering the wrong PKCS #11 PIN), do not try to use draft 9 PKINIT.
Greg Hudson [Fri, 13 Jan 2017 17:16:04 +0000 (12:16 -0500)]
Track preauth failures instead of tries
In preauth2.c, instead of noting whenever we try a real preauth mech,
note when a mechanism fails on our side. Tracking only failures
eliminates the need to reset the list for multi-step preauth exchanges
or for processing padata in the AS-REP, but we will need the function
later for continuing after optimistic preauth failures.
Greg Hudson [Sat, 14 Jan 2017 01:45:48 +0000 (20:45 -0500)]
Simplify k5_preauth_tryagain()
When retrying pre-authentication for an error, try only the module for
the selected preauth type, not all preauth types in the original
method data. Pass the error and its padata to k5_preauth_tryagain()
explicitly, so that those fields of krb5_init_creds_context are only
referenced in get_in_tkt.c. Handle a degenerate case in
init_creds_step_reply() to simplify the code in
init_creds_step_request().
Greg Hudson [Fri, 13 Jan 2017 15:14:36 +0000 (10:14 -0500)]
Adjust processing of pa_type ccache config
Read the allowed preauth type from the input ccache in
restart_init_creds_loop(); there is no need to reread it each time we
produce a request. Move read_allowed_preauth_type() earlier in the
file to allow it to be called from restart_init_creds_loop() without a
prototype.
Clear the selected preauth type in restart_init_creds_loop(), not in
init_creds_step_request(). We want to make sure that it doesn't
survive a restart due to a realm referral or expiry, but we don't want
to forget about it when retrying after an error.
Greg Hudson [Mon, 30 Jan 2017 17:30:51 +0000 (12:30 -0500)]
Document multi-component PKINIT client certs
In pkinit.rst, note that the extensions.client file only works for
single-component client principals, and describe how to modify it for
multi-component principals.
Greg Hudson [Wed, 25 Jan 2017 18:07:42 +0000 (13:07 -0500)]
Document default realm and login authorization
Add documentation to host_config.rst describing what the default realm
does. Also add documentation discussing login authorization
configuration, and give an example showing how to give login access to
principals from a realm other than the default realm.
Greg Hudson [Mon, 9 Jan 2017 16:44:29 +0000 (11:44 -0500)]
Document and check init_creds context requirement
To ensure that the same clpreauth plugin modules and moddata pointers
are used for each step of an initial creds operation, the caller must
use the same library context for krb5_init_creds_init(),
krb5_init_creds_step(), and krb5_init_creds_free(). Document and
enforce this requirement.
Greg Hudson [Wed, 4 Jan 2017 23:31:15 +0000 (18:31 -0500)]
Add tests for per-request preauth data scoping
Add a test harness which interleaves calls for multiple initial creds
contexts using the same library context. Add a test case to
t_preauth.py using the new harness and the test preauth module to
verify that modreq pointers are correctly tracked.
Greg Hudson [Tue, 20 Dec 2016 21:06:24 +0000 (16:06 -0500)]
Properly scope per-request preauth data
It should be possible to successfully use multiple initial credentials
contexts with the same library context. Create a new internal type
krb5_preauth_req_context containing per-request preauth state,
including the clpreauth modreq handles and the list of preauth types
already tried. Remove this state from clpreauth_handle and
krb5_preauth_context.
Greg Hudson [Tue, 20 Dec 2016 20:25:29 +0000 (15:25 -0500)]
Make krb5_preauth_context a pointer type
For consistency with krb5_context and krb5_init_creds_context, make
krb5_preauth_context a pointer type. In preauth2.c, use the typedef
name rather than the structure tag except when defining the structure.
Add an optional method to kdb_vftabl to free e_data pointer in a
principal entry, in case it was populated by a module using a more
complex structure than a single memory region.
[ghudson@mit.edu: handled minor version bump; simplified code; rewrote
commit message]
Greg Hudson [Wed, 18 Jan 2017 16:40:49 +0000 (11:40 -0500)]
Explicitly copy KDB vtable fields
In preparation for bumping the kdb_vftabl minor version, use explicit
field assignments when copying the module vtable to the internal copy,
so that we can conditionalize assignments for minor versions greater
than 0.
Greg Hudson [Tue, 17 Jan 2017 16:24:41 +0000 (11:24 -0500)]
Add k5test expected_msg, expected_trace
In k5test.py, add the optional keyword argument "expected_msg" to
methods that run commands, to make it easier to look for substrings in
the command output. Add the optional keyword "expected_trace" to run
the command with KRB5_TRACE enabled and look for an ordered series of
substrings in the trace output.
Greg Hudson [Wed, 11 Jan 2017 15:49:30 +0000 (10:49 -0500)]
Add test case for PKINIT DH renegotiation
In t_pkinit.py, add a PKINIT test case where the KDC sends
KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED and the client retries with the
KDC's TD_DH_PARAMETERS value, using the clpreauth tryagain method.
Use the trace log to verify that the renegotiation actually takes
place.
Greg Hudson [Wed, 11 Jan 2017 14:46:46 +0000 (09:46 -0500)]
Clean up krb5_db2_free_policy()
Commit 03d34fcfa329fbc2f686a0b34e2731e37f483a34 (ticket 8414) removed
the prototype and all uses of krb5_db2_free_policy(), but neglected to
remove the function definition, resulting in a warning. Remove the
definition now.
Ken Raeburn [Sat, 7 Jan 2017 03:39:39 +0000 (22:39 -0500)]
Fix detection of supported warnings in clang
Without -Werror=unknown-warning-option, clang will warn for
unrecognized -W options like "-Werror=discarded-qualifiers" but won't
return a nonzero exit status, leading configure to think the options
are supported and thus include them during the build, leading to a
rather noisy log.
This option isn't needed during the build, though it won't hurt
anything either. It is desirable during the testing of other -W
options for cleaner results, but the existing code tests each option
independently, requiring different handling for this option than for
other -W options.
Greg Hudson [Mon, 2 Jan 2017 19:20:29 +0000 (14:20 -0500)]
Remove addevent flag in net-server.c
The addevent flag to make_event() was always set to true except when
setting up the routing socket. Since we no longer set up the routing
socket (ticket 8348), we can remove the flag.
Greg Hudson [Mon, 2 Jan 2017 19:10:12 +0000 (14:10 -0500)]
Remove struct socksetup from net-server.c
struct socksetup was required when we iterated over local addresses
using foreach_localaddr. Since we no longer do that (ticket 8348),
the functions which use it can simply accept the parameters they
require and return error codes.
Greg Hudson [Mon, 26 Dec 2016 20:18:05 +0000 (15:18 -0500)]
Use pktinfo for explicit UDP wildcard listeners
In net-server.c, use pktinfo on UDP server sockets if they are bound
to wildcard addresses, whether that is explicit or implicit in the
address specification.
Greg Hudson [Mon, 26 Dec 2016 20:09:24 +0000 (15:09 -0500)]
Fix KDC/kadmind startup on some IPv4-only systems
getaddrinfo(NULL, ...) may yield an IPv6 wildcard address on IPv4-only
systems, and creating a socket for that address may result in an
EAFNOSUPPORT error. Tolerate that error as long as we can bind at
least one socket for the address.
Greg Hudson [Wed, 4 Jan 2017 16:33:57 +0000 (11:33 -0500)]
Deindent crypto_retrieve_X509_sans()
Fix some long lines in crypto_retrieve_X509_sans() by returning early
if X509_get_ext_by_NID() returns a negative result. Also ensure that
return parameters are always initialized.
projects / thirdparty / krb5.git / log
