Greg Hudson [Sun, 11 Feb 2018 20:23:35 +0000 (15:23 -0500)]
Simplify kdc_preauth.c systems table
Get rid of static_preauth_systems, and replace it with explicit calls
to helper functions in get_preauth_hint_list() and return_padata().
Stop preallocating pa-data lists, instead reallocating on each
addition using add_pa_data_element(). Also simplify
maybe_add_etype_info2() using add_pa_data_element().
The KRB5_PADATA_PAC_REQUEST table entry did nothing, and was probably
originally added back when the KDC would error out on unrecognized
padata types. The KRB5_PADATA_SERVER_REFERRAL entry has been disabled
since it was first added.
Greg Hudson [Thu, 21 Dec 2017 16:28:52 +0000 (11:28 -0500)]
Refactor KDC krb5_pa_data utility functions
Move alloc_padata from fast_util.c to kdc_util.c and make it
non-static so it can be used by other files. Rename it to
alloc_pa_data for consistency with add_pa_data_element. Make it
correctly handle zero length using a null contents pointer.
Make add_pa_data_element claim both the container and contents memory
from the caller, now that callers can use alloc_pa_data to simplify
allocation and copying. Remove the copy parameter and the unused
context parameter, and put the list parameter first. Adjust all
callers accordingly, making small simplifications to memory handling
where applicable.
Greg Hudson [Sat, 3 Mar 2018 18:44:00 +0000 (13:44 -0500)]
Fix capaths "." values on client
Commit b72aef2c1cbcc76f7fba14ddc54a4e66e7a4e66c (ticket 6966)
introduced k5_client_realm_path() for use on the client in place of
krb5_walk_realm_tree(), but failed to handle the special case of a
capaths "." value as is done in the latter function. Correct that
omission and add a test case.
Greg Hudson [Tue, 6 Mar 2018 05:14:49 +0000 (00:14 -0500)]
Use libkrb5support hex decoder in PKINIT
In pkinit_crypto_openssl.c, remove hex_string_to_bin() (recently added
for ease of backporting) and instead use k5_hex_decode() in
pkinit_get_certs_pkcs11(). Change the type of cert_id and cert_id_len
in pkinit_identity_crypto_context to avoid needing type conversion
intermediates.
Sumit Bose [Fri, 26 Jan 2018 16:47:50 +0000 (11:47 -0500)]
Fix hex conversion of PKINIT certid strings
When parsing a PKCS11 token specification, correctly convert from hex
to binary instead of using OpenSSL bignum functions (which would strip
leading zeros).
[ghudson@mit.edu: made hex_string_to_bin() a bit less verbose; wrote
commit message]
Greg Hudson [Sat, 13 Jun 2015 20:04:53 +0000 (16:04 -0400)]
Add ASN.1 encoders and decoders for SPAKE types
Add a new internal header k5-spake.h. Add ASN.1 encoder and decoder
functions and an internal free function for SPAKE types. Add ASN.1
tests and asn1c test vectors the new types.
The additions to to make-vectors.c use C99 designated initializers in
order to initialize unions. This is okay since make-vectors.c is only
compiled as part of "make test-vectors" and not as part of the regular
build.
Greg Hudson [Tue, 27 Feb 2018 18:09:51 +0000 (13:09 -0500)]
Improve KDC encrypting key memory management
Commit 0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d caused encrypting_key
to hold either an owned or alias pointer depending on the presence of
the KDC_OPT_ENC_TKT_IN_SKEY (u2u) flag in the request. For better
memory management safety, introducing server_keyblock to hold owned
memory in the non-u2u case, and turning encrypting_key into an alias
pointer for both cases.
Greg Hudson [Tue, 27 Feb 2018 16:56:58 +0000 (11:56 -0500)]
Fix KDC encrypting key memory leak on some errors
Commit 0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d separated the
allocation and destruction of encrypting_key, causing it to leak when
any of the intervening calls jump to the cleanup label. Currently the
leak manifests on transited or authdata failures. Move encrypting_key
destruction to the cleanup label so that it can't leak. Reported by
anedvedicky@gmail.com.
sashan [Tue, 20 Feb 2018 21:35:51 +0000 (22:35 +0100)]
Fix trivial KDC memory leak with test KDB module
If a KDB module zeroes out the master key in its fetch_master_key()
method (as the test KDB module does), krb5_db_fetch_mkey() will copy
it, allocating one byte of memory for the contents. The KDC will then
leak it on exit, as the length is zero. Simplify master key
destruction using zapfree().
sashan [Mon, 26 Feb 2018 01:03:49 +0000 (02:03 +0100)]
Improve PKINIT DH output parameter handling
Apply current practices for output parameter handling and memory
management to client_create_dh(), client_process_dh(), and
server_process_dh(). Initialize the output arguments at the
beginning, use local variables to hold their values until success is
guaranteed, and transfer memory to the output arguments at the end.
Use a cleanup label which runs on both success and failure.
The client_create_dh() cleanup code conditionalizes on retval, which
we usually try to avoid, as it needs to clean up a cryptoctx field on
error only.
[ghudson@mit.edu: wrote commit message; added similar changes to
client_create_dh() and client_process_dh()]
sashan [Tue, 20 Feb 2018 21:30:53 +0000 (22:30 +0100)]
Free cert info in pkinit_identity_initialize()
The pkinit_identity_crypto_context creds field contains a collection
of cert info deduced from configuration, and is used to select the
identity certificate on the client and the KDC. Its lifetime is
managed separately from the context, by crypto_load_certs() and
crypto_free_cert_info().
Prior to commit 60426439f672fe273ceead17910f818da1954c5b, the lifetime
was managed purely within pkinit_identity_initialize(). When that
function now split into two phases, pkinit_identity_initialize() began
leaving the creds array around unnecessarily. The client calling
function made its own call to free the creds array, but this was not
done by the KDC calling function. The result was that the creds array
was overwritten in pkinit_identity_prompt(), leaking a small amount of
memory at KDC startup. This leak is trivial, but adds noise to leak
detection tools.
Fix the leak by freeing the creds array in
pkinit_identity_initialize() before returning, and remove the
no-longer-necessary call in pkinit_client_prep_questions(). In the
longer term, it might be better to separate the creds array from
pkinit_identity_crypto_context and manage it using local variables
within pkinit_identity_initialize() and pkinit_identity_prompt().
sashan [Tue, 20 Feb 2018 22:03:36 +0000 (23:03 +0100)]
Fix memory leak in KDC PKINIT code
Commit e5c77a11341a79e6af1e5aef7c587a5b75a9e378 introduced a memory
leak of the client public key in server_process_dh(). Free
client_pubkey on success as well as failure.
Robbie Harwood [Thu, 11 Jan 2018 18:47:10 +0000 (13:47 -0500)]
Fix grouping of GGF extensions in gssapi_ext.h
Move gss_import/export_cred to be with the rest of the GGF extensions
and mark them as using Heimdal's signatures. Also add clarifying
comments that gss_set_cred_option and gssspi_mech_invoke are not part
of the GGF extensions.
Greg Hudson [Sat, 10 Feb 2018 05:31:45 +0000 (00:31 -0500)]
Make public headers work with gcc -Wundef
The C standard allows undefined symbols in #if statements, giving them
the value 0 (C99 section 6.10.1). However, some software builds with
gcc -Wundef, which issues a warning on undefined symbols in
preprocessor expressions. Make the public headers safe for that
environment by using #ifdef instead of #if for TARGET_OS_MAC.
Reported by Ben Kaduk.
Greg Hudson [Fri, 12 Jan 2018 16:43:01 +0000 (11:43 -0500)]
Fix flaws in LDAP DN checking
KDB_TL_USER_INFO tl-data is intended to be internal to the LDAP KDB
module, and not used in disk or wire principal entries. Prevent
kadmin clients from sending KDB_TL_USER_INFO tl-data by giving it a
type number less than 256 and filtering out type numbers less than 256
in kadm5_create_principal_3(). (We already filter out low type
numbers in kadm5_modify_principal()).
In the LDAP KDB module, if containerdn and linkdn are both specified
in a put_principal operation, check both linkdn and the computed
standalone_principal_dn for container membership. To that end, factor
out the checks into helper functions and call them on all applicable
client-influenced DNs.
CVE-2018-5729:
In MIT krb5 1.6 or later, an authenticated kadmin user with permission
to add principals to an LDAP Kerberos database can cause a null
dereference in kadmind, or circumvent a DN container check, by
supplying tagged data intended to be internal to the database module.
Thanks to Sharwan Ram and Pooja Anil for discovering the potential
null dereference.
CVE-2018-5730:
In MIT krb5 1.6 or later, an authenticated kadmin user with permission
to add principals to an LDAP Kerberos database can circumvent a DN
containership check by supplying both a "linkdn" and "containerdn"
database argument, or by supplying a DN string which is a left
extension of a container DN string but is not hierarchically within
the container DN.
Greg Hudson [Wed, 7 Feb 2018 15:45:31 +0000 (10:45 -0500)]
Fix Leash AddDisplayItem() declaration
Commit a9cbbf0899f270fbb14f63ffbed1b6d542333641 changed three
parameters in AddDisplayItem() from long to time_t, but did not change
the corresponding declaration in LeashView.h. Fix that now.
gcc 7 cannot determine that appdefault_get() always sets *ret_value
when it returns zero, so issues a "may be used uninitialized" warning
in its caller. Set *ret_value at the beginning of the function body
in accordance with current practices.
Greg Hudson [Fri, 19 Jan 2018 18:01:43 +0000 (13:01 -0500)]
Fix type error in klog com_err hook
As a variable argument, buf.data won't be automatically cast from
void * to char * when passed to krb5_klog_syslog(), so to be correct
we must do it manually.
Greg Hudson [Wed, 17 Jan 2018 23:31:43 +0000 (18:31 -0500)]
Trace log on k5tls load failure
If sendto_kdc fails to establish an MS-KKDCP connection because the
k5tls module cannot be loaded, output a trace log before closing the
connection. Reported by Jochen Hein.
Greg Hudson [Thu, 18 Jan 2018 21:56:12 +0000 (16:56 -0500)]
Back off Travis build to default dist
Travis appears to have deployed a testing xenial environment which
runs a daemon that sometimes interferes with apt commands. Remove the
"dist: xenial" line so we run in the default, supported distribution
(currently trusty).
Greg Hudson [Mon, 8 Jan 2018 16:14:06 +0000 (11:14 -0500)]
Remove logging default severity
The default severity for syslog outputs was only used for com_err()
messages (which are rare so far), and doesn't really make sense;
severity is a property of an individual message, not of a device.
Remove the severity field in a backward-compatible manner.
Greg Hudson [Thu, 4 Jan 2018 16:01:28 +0000 (11:01 -0500)]
Improve klog com_err hook
Remove the code to read a severity from the first byte of format, as
it is an unclear interface and likely unused. Also stop using the
configured default severity for syslog devices. Instead, log at error
severity if a code is given, and at informational severity if one is
not.
Pass the formatted message to krb5_klog_syslog() so that it uses the
same format in log files as regular logged messages.
Add krb5_klog_set_context() to allow the context for extended error
messages to be reset, so that KDC plugins can log using the context
object for the realm being served for each request.
Use k5buf for simpler memory management in the hook function.
Greg Hudson [Wed, 3 Jan 2018 16:59:14 +0000 (11:59 -0500)]
Include etype-info in for hardware preauth hints
If a principal has the requires_hwauth bit set, include PA-ETYPE-INFO
or PA-ETYPE-INFO2 padata in the PREAUTH_REQUIRED error, as preauth
mechs involving hardware tokens may also use the principal's Kerberos
password.
Robbie Harwood [Mon, 13 Nov 2017 18:32:37 +0000 (13:32 -0500)]
Expose context errors in pkinit_server_plugin_init
Commit 3ff426b9048a8024e5c175256c63cd0ad0572320 attempted to display
an error when OCSP support was requested, but this error message was
suppressed in pkinit_server_plugin_init(). Add a trace log for each
realm initialization error, and pass through the realm initialization
error when the KDC serves only one realm. Other error messages from
pkinit_init_kdc_profile(), such as missing pkinit_identity or
pkinit_anchors, are also now exposted.
Greg Hudson [Sat, 11 Nov 2017 18:42:28 +0000 (13:42 -0500)]
Length check when parsing GSS token encapsulation
gssint_get_mech_type_oid() is used by gss_accept_sec_context() to
determine the mechanism of the token. Without length checking, it
might read a few bytes past the end of the input token buffer. Add
length checking as well as test cases for truncated encapsulations.
Reported by Bar Katz.
Greg Hudson [Wed, 11 Oct 2017 17:19:03 +0000 (13:19 -0400)]
Fix default enctype order in docs
Commit 4c234d8754c063177bc627c6298b85020d91c223 added the aes-sha2
enctypes to the documented default enctypes, but in the wrong order.
Reported by Weijun Wang.
Robbie Harwood [Mon, 9 Oct 2017 18:59:56 +0000 (14:59 -0400)]
Remove unused SAM setup code in KDC
SAM version 1 preauth support was removed in commit 97023f5f10fb091225ad131a0b35f1d91cd12b1e. Remove some lingering KDC
code which generated a DES-MD5 key and didn't use it for anything.
Continuing client preauth after a keyboard interrupt is unexpected and
can manifest bugs (such as the one in ticket 8596) by invoking preauth
mechs we wouldn't ordinarily reach. Based on a patch by Marc Dionne.
Greg Hudson [Wed, 23 Aug 2017 21:45:02 +0000 (17:45 -0400)]
Fix AIX build issues
In k5-platform.h, only test for SHARED and define the finalizer as
static if we don't expect linker options to be used for finalizers.
SHARED is not a robust test (it isn't defined when building objects
for shared libraries on AIX, OSF/1, or sometimes IRIX because they
don't use separate PIC objects), and as linker finalizer options are
only applied when shared libraries are created, we don't have to worry
about finalizers happening for static libraries.
In expand_path.c, remove the unnecessary structure tag from "struct
token" as it conflicts with <net/if_arp.h> on AIX.
In localaddr.c, initialize output parameters at the beginning of
get_ifreq_array(). Otherwise, gcc cannot be sure that they are always
set when get_ifreq_array() returns 0, because we use errno as a return
value in one case. Also remove two unused variables.
Use socklen_t instead of int for socket lengths in sim_client.c and
sim_client.h.
Greg Hudson [Thu, 24 Aug 2017 20:00:33 +0000 (16:00 -0400)]
Limit ticket lifetime to 2^31-1 seconds
Although timestamps above 2^31-1 are now valid, intervals exceeding
2^31-1 seconds may be treated incorrectly by comparison operations.
The initially computed interval in kdc_get_ticket_endtime() could be
negative if the requested end time is far in the future, causing the
function to yield an incorrect result. (With the new larger value of
kdc_infinity, this could specifically happen if a KDC-REQ contains a
zero till field.) Cap the interval at the maximum valid value.
Reported by Weijun Wang.
Avoid delta comparisons in favor of timestamp comparions in
krb5int_validate_times(), ksu's krb5_check_exp(), and clockskew
checks.
Also use a y2038-safe timestamp comparison in set_request_times() when
comparing the requested renewable end time to the requested ticket end
time.
The openssl req commands in make-certs.sh contain -subj options which
were ignored in favor of the config file prior to OpenSSL 1.1. When
they are used, they remove elements of the subject which are now
required by t_pkinit.py. Remove them.
Greg Hudson [Thu, 24 Aug 2017 19:58:07 +0000 (15:58 -0400)]
Issue trivially renewable tickets
If the client specifically asks for renewable tickets but the
renewable end time (either requested or after restrictions) doesn't
exceed the ticket end time, issue a renewable ticket anyway. Issuing
a non-renewable ticket (as we started doing in release 1.12, due to
the refactoring in commit 4f551a7ec126c52ee1f8fea4c3954015b70987bd)
can be unfriendly to scripts.
Also make sure never to issue a ticket with the renewable flag set but
no renew-till field, by clearing the renewable flag at the start of
kdc_get_ticket_renewtime(). The flag could have been previously set
by the assignment "enc_tkt_reply = *(header_ticket->enc_part2)" in
process_tgs_req() when processing a renewal request.
Modify t_renew.py to expect renewable tickets in some tests where it
previously did not, to check for specific lifetimes, and to check the
renewable flag as well as the renewable lifetime.
Greg Hudson [Fri, 25 Aug 2017 16:39:14 +0000 (12:39 -0400)]
Add PKINIT test case for generic client cert
In t_pkinit.py, add a test case where a client cert with no extensions
is authorized via subject and issuer using a pkinit_cert_match string
attribute.
Greg Hudson [Thu, 24 Aug 2017 15:11:46 +0000 (11:11 -0400)]
Fix certauth built-in module returns
The PKINIT certauth eku module should never authoritatively authorize
a certificate, because an extended key usage does not establish a
relationship between the certificate and any specific user; it only
establishes that the certificate was created for PKINIT client
authentication. Therefore, pkinit_eku_authorize() should return
KRB5_PLUGIN_NO_HANDLE on success, not 0.
The certauth san module should pass if it does not find any SANs of
the types it can match against; the presence of other types of SANs
should not cause it to explicitly deny a certificate. Check for an
empty result from crypto_retrieve_cert_sans() in verify_client_san(),
instead of returning ENOENT from crypto_retrieve_cert_sans() when
there are no SANs at all.
Greg Hudson [Mon, 28 Aug 2017 16:20:36 +0000 (12:20 -0400)]
Fix kdcpolicy build issues
Fix mydir in plugins/kdcpolicy/test/Makefile.in so that the Makefile
can be rebuilt correctly. Also change the name of the shared object
from "policy_test.so" to "kdcpolicy_test.so" for consistency.
Greg Hudson [Tue, 29 Aug 2017 15:19:36 +0000 (11:19 -0400)]
Don't set ctime in KDC error replies
Setting the error ctime field to the client nonce assumes that the
client used its system time as the nonce, which is not recommended by
RFC 1510 and is prohibited by RFC 4120. Omit the field instead, by
setting the structure field to 0.
After gss_init_sec_context() or gss_accept_sec_context() has created a
context, don't delete the mechglue context on failures from subsequent
calls, even if the mechanism deletes the mech-specific context (which
is allowed by RFC 2744 but not preferred). Check for union contexts
with no mechanism context in each GSS function which accepts a
gss_ctx_id_t.
CVE-2017-11462:
RFC 2744 permits a GSS-API implementation to delete an existing
security context on a second or subsequent call to
gss_init_sec_context() or gss_accept_sec_context() if the call results
in an error. This API behavior has been found to be dangerous,
leading to the possibility of memory errors in some callers. For
safety, GSS-API implementations should instead preserve existing
security contexts on error until the caller deletes them.
All versions of MIT krb5 prior to this change may delete acceptor
contexts on error. Versions 1.13.4 through 1.13.7, 1.14.1 through
1.14.5, and 1.15 through 1.15.1 may also delete initiator contexts on
error.
Greg Hudson [Sat, 19 Aug 2017 18:26:15 +0000 (14:26 -0400)]
Use standard comment in certauth plugin header
Each pluggable interface header needs to include some boilerplate text
to make it clear what a module implementor needs to provide. Include
that text in certauth_plugin.h.
Greg Hudson [Sat, 19 Aug 2017 23:09:24 +0000 (19:09 -0400)]
Fix bugs in kdcpolicy commit
Commit d0969f6a8170344031ef58fd2a161190f1edfb96 added tests using
"klist ccachname -e", which does not work with a POSIX-conformant
getopt() implementation such as the one in Solaris. Fix
t_kdcpolicy.py to use "klist -e ccachename" instead.
The tests could fail if the clock second rolled over between kinit and
kvno. Divide service ticket maximum lifetimes by 2 in the test module
to correctly exercise TGS policy restrictions and ensure that service
tickets are not constrained by the TGT end time.
Also use the correct trace macro when a kdcpolicy module declines to
initialize (my mistake when revising the commit, noted by rharwood).
Greg Hudson [Sat, 19 Aug 2017 18:21:31 +0000 (14:21 -0400)]
Fix bugs in kadm5_auth commit
Commit 92a1a7efe2fc43337416098f2227038a72f1e35a uses line after it is
freed in load_acl_file(). Move the k5_setmsg() call earlier to fix
it. The same commit also used the wrong header underline in
krb5_conf.rst for the kadm5_auth interface subsection. Fix it.
Greg Hudson [Mon, 14 Aug 2017 15:47:44 +0000 (11:47 -0400)]
Avoid repeating typedef in certauth_plugin.h
Repeating an identical typedef is allowed by C11, but not C99 or C89.
Use the underlying structure type in certauth_plugin.h so that it can
safely be included along with kdb.h.
Robbie Harwood [Tue, 27 Jun 2017 21:15:39 +0000 (17:15 -0400)]
Add KDC policy pluggable interface
Add the header include/krb5/kdcpolicy_plugin.h, defining a pluggable
interface for modules to deny AS and TGS requests and set maximum
ticket lifetimes. This interface replaces the policy.c stub functions.
Add check_kdcpolicy_as() and check_kdcpolicy_tgs() as entry functions.
Call them after auth indicators and ticket lifetimes have been
determined.
Add a test module and a test script with basic kdcpolicy tests. Add
plugin interface documentation in doc/plugindev/policy.rst.
Also authored by Matt Rogers <mrogers@redhat.com>.
Add a test plugin module to exercise features of the kadm5_auth
interface, and a Python test script using the module. Also test the
initial ticket requirement for self-service key changes in
t_kadmin_acl.py.
Greg Hudson [Fri, 30 Jun 2017 15:54:09 +0000 (11:54 -0400)]
Use kadm5_auth interface in kadmind
Convert the ACL code to a kadm5_auth module, and create a new module
for self-service authorization. Use the kadm5_auth consumer code
instead of directly using the ACL code to authorize requests.
Do not assume self-service authorization in the RPC stubs or in
schpw_util_wrapper(). For key change requests, enforce the initial
ticket requirement whenever a client changes its own keys, regardless
of how it is authorized or which protocol it uses. The initial ticket
check for protocol version 1 in process_chpw_request() is redundant
after this change, so remove it.
The old kadmin-based password change client authenticates to
kadmin/changepw and performs self-service get_principal, get_policy,
and chpass requests. Continue to allow these operations, enforcing
the self-service requirement in addition to checking through the
kadm5_auth interface. For get_policy requests, always look up the
client principal's policy name, for this check and for the
authorization layer's use.
The error messages for rename authorization failures are now more
vague (because there is a specific rename operation check in the
kadm5_auth interface, and we do not find out whether it failed due to
missing add or delete privileges). Adjust t_kadmin_acl.py
accordingly.
pkinit_kdc_ocsp is non-functional in the PKINIT OpenSSL crypto
implementation, so remove most traces of it, including its man page
entry. If it is present in kdc.conf, error out of PKINIT
initialization instead of silently ignoring the realm entirely.
In klist and kdestroy, if a ccache name is specified, set it as the
default ccache name, simplifying the code and making klist -l, klist
-A, and kdestroy -A can work with a specified ccache name. Reported
by Robbie Harwood.
Will Fiveash [Tue, 18 Jul 2017 23:24:18 +0000 (18:24 -0500)]
Allow WARN_CFLAGS override for Solaris
In aclocal.m4, do not set WARN_CFLAGS and WARN_CXXFLAGS for the
Solaris native compiler if those variables were already set by the
user. (We already did the same for gcc warning flags.)
If krb5_db_fetch_mkey() prompts for a master key and needs to
determine the kvno, check that the master entry contains any key data
before dereferencing the first element. Reported by Joshua Schaeffer.
Omit assigning status values for very unlikely error cases. Remove
the "UNKNOWN_REASON" fallback for validate_as_request() and
validate_tgs_request() as that fallback is now applied globally.
Assign status values if S4U2Self padata fails to decode, if an
S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
uses an evidence ticket which does not match the canonicalized request
server principal name. Reported by Samuel Cabrero.
If a status value is not assigned during KDC processing, default to
"UNKNOWN_REASON" rather than failing an assertion. This change will
prevent future denial of service bugs due to similar mistakes, and
will allow us to omit assigning status values for unlikely errors such
as small memory allocation failures.
CVE-2017-11368:
In MIT krb5 1.7 and later, an authenticated attacker can cause an
assertion failure in krb5kdc by sending an invalid S4U2Self or
S4U2Proxy request.
Update the macros imported from autoconf-archive to current versions.
Fixes an issue where ACX_PTHREAD fails on Solaris with the native
compiler because it detects an uninitialized read and treats it as an
error.
Greg Hudson [Wed, 21 Jun 2017 04:54:32 +0000 (00:54 -0400)]
Parse all kadm5.acl fields at startup
Parse the client principal name, target principal name, and
restrictions field of kadm5.acl entries when the file is loaded, not
later on when an attempt is made to match the entry.
This change affects the error-handling behavior of kadm5.acl files.
Previously, a syntax error in the line structure (such as having only
one field) would cause the whole file to be rejected, but an error
within a principal name or restrictions string would cause only that
entry to be discarded. After this change, any parsing failure will
cause the whole file to be rejected.
Greg Hudson [Wed, 21 Jun 2017 14:38:41 +0000 (10:38 -0400)]
Modernize auth_acl.c
Change auth_acl.c to match current coding conventions. Use more
consistent identifier names, and drop the kadm5int_ prefix as the code
is now part of kadmind. Remove the acl_inited, acl_debug_level, and
acl_catchall_entry variables. Move global state into a structure, to
make it easier to migrate to a module handle later. Move
parse_restrictions() above parse_line() so it can later be used from
parse_line() without a forward declaration. Rewrite get_line() and
parse_line() to avoid the use of fixed-sized static buffers and
sscanf(). Add a parse_entry() helper to make memory management in
parse_line() easier. Add a free_acl_entry() helper (split out from
free_acl_entries()) to make error handling in parse_entry() easier.
Add a match_princ() helper to simplify find_entry().
Remove the GSS name translation wrapper in auth_acl.c. In the server
stubs, use handle->current_caller for the client principal. In the
iprop RPCs(), add a wrapper to parse the client display name before
calling acl_check().
Greg Hudson [Mon, 26 Jun 2017 21:31:37 +0000 (17:31 -0400)]
Fix kadm5 setkey operation with LDAP KDB
Add mask assignments to kadm5_setv4key_principal() and
kadm5_setkey_principal_4() so that their changes to the principal are
properly written to KDB modules which use the mask flag, such as the
LDAP KDB module. Reported by Frank Lonigro.
Greg Hudson [Mon, 19 Jun 2017 15:30:38 +0000 (11:30 -0400)]
Fix kadm5.acl error reporting
In kadm5int_acl_get_line(), increment *lnp after skipping a blank or
comment line, so that kadm5int_acl_load_acl_file() correctly reports
the line number if it fails to parse a line.
In acl_syn_err_msg, use %.10s to limit the amount of the line included
in the error message, not %10s to left-pad it with spaces if it is
shorter than ten characters.
Greg Hudson [Thu, 15 Jun 2017 15:59:18 +0000 (11:59 -0400)]
Suppress y2038 GSS tests when time_t is 32-bit
The GSSAPI time_t tests do not run correctly on 32-bit Solaris because
time_t conversions are involved in the "kinit -l 8500d" step.
Suppress the GSS y2038 tests when time_t is 32-bit.
Greg Hudson [Thu, 15 Jun 2017 00:45:15 +0000 (20:45 -0400)]
Turn off -Wmaybe-uninitialized
In gcc, maybe-uninitialized gives different warnings depending on the
optimization level, and in our experience usually gives false
positives. We don't ask for it (except implicitly through -Wall), but
gcc bundles it into the error behavior of -Werror=uninitialized.
Explicitly turn it off so that builds with -Og and -Os don't error
out.
In the KDC, pass the local address from dispatch() to
process_as_req(), then to log_as_req(), then to
krb5_db_audit_as_req(), and finally to the KDB modules.
[ghudson@mit.edu: squashed commits and rewrote commit message]
In net-server.c, pass a krb5_fulladdr representation of the local
address to dispatch. This representation is more convenient for
kadmind, and will make it more convenient for the KDC to pass the
local address to the DAL audit_as_req.
In libkdb5, libapputils, the KDC, kadmind, and both KDB modules, use
the name "remote_addr" for the variable containing the remote address.
In schpw.c:process_chpw_request(), use the name "local_addr" for the
parameter containing the local address. Make the remote_addr
parameter const in libkdb5 and the DAL.
[ghudson@mit.edu: combined commits and rewrote commit message]
In net-server.c:process_tcp_connection_read(), we don't expect
getsockname() to fail under ordinary circumstances, so instead of
passing a null local address to dispatch(), just error out. Simplify
schpw.c:dispatch() by assuming a non-null local_saddr.
Greg Hudson [Fri, 26 May 2017 20:20:11 +0000 (16:20 -0400)]
Fix gmt_mktime for y2038
gmt_mktime() is used as a fallback when the platform does not have
timegm(). Make it work for dates in the unsigned 32-bit range, not
the signed 32-bit range.
Tomas Kuthan [Tue, 16 May 2017 09:24:40 +0000 (11:24 +0200)]
Free GSS checksum data deterministically
In the normal course of execution, md5.contents allocated by
kg_checksum_channel_bindings() in make_ap_req_v1() is freed in
make_gss_checksum(). But when there is a failure in
krb5_mk_req_extended() or in make_gss_checksum() before free is
called, the memory leaks.
This patch frees the memory unconditionally in make_ap_req_v1().
Greg Hudson [Mon, 22 May 2017 19:12:58 +0000 (15:12 -0400)]
Remove ksetpwd
ksetpwd was added in commit ec50322c3076ab4517fb4fb5cc3a931f6adb4f20
but is not installed as it was "not of release quality yet." It has
not materially improved since then, and under current policy we do not
include unfinished code in the tree, so remove it.
projects / thirdparty / krb5.git / log
