Isaac Boukris [Wed, 16 Jan 2019 22:23:25 +0000 (00:23 +0200)]
Add KDC support for X.509 S4U2Self requests
Add a KDB function krb5_db_get_s4u_x509_principal() and an associated
method in the DAL, bumping the minor version and cleaning up a
leftover comment in the table from major version 6.
When processing an AS-REQ, look up the client principal by certificate
if the request contains a non-empty PA-S4U-X509-USER value. When
processing an S4U2Self TGS-REQ, allow requests with certificates, and
look up the client principal by certificate if one is presented.
[ghudson@mit.edu: factored out lookup_client() in AS code; rewrote
commit message and some comments; adjusted flow control changes in
kdc_process_s4u_x509_user()]
Isaac Boukris [Tue, 15 Jan 2019 00:53:25 +0000 (02:53 +0200)]
Expand S4U2Self exception in KDC lineage check
An S4U2Self TGS-REQ using only a certificate to identify the user will
not include PA-FOR-USER, so we need to check both types when making an
exception in the lineage check. (S4U2Self requests are allowed to
bypass the lineage check because cross-realm S4U2Self ends with a
backwards cross-realm request to the server realm.)
[ghudson@mit.edu: factored out padata check; deindented the code block
by combining conditionals; rewrote commit message]
Isaac Boukris [Fri, 11 Jan 2019 08:49:19 +0000 (10:49 +0200)]
Fix client code for S4U2Self with certificate
During realm identification, don't send the certificate in the AS
request if we have an enterprise name, for consistency with the
Windows LSA API behavior. If we are using just a certificate, use the
appropriate client principal name type with a single empty data
component.
krb5int_process_tgs_reply() needs to see an S4U2Self padata type in
in_padata to apply the correct logic when verifying the client
principal in the reply. If we are using only a certificate, we
currently do not pass any in_padata (because we do not send
PA-FOR-USER in this case, and the PA-S4U-X509-USER is constructed via
a callback). Change the code to place an empty PA-S4U-X509-USER in
in_padata, to be modified by the callback; that way we can reliably
detect the S4U2Self case when processing the reply.
In krb5_get_self_cred_from_kdc(), when constructing an empty client
principal for a cert-only S4U2Self request, properly terminate the
krb5_build_principal_ext() argument list to avoid a crash. Don't
bother setting the name type as it isn't sent.
Only send the certificate in the first TGS-REQ to the client realm.
To the intermediate and final realms, send the principal name only.
Use the checksum-protected principal name in the first KDC's
PA-S4U-X509-USER response for subsequent requests and to verify the
unprotected client name in the final reply.
After receiving the final reply, check if we had cached credentials
under the discovered client name (unless it's the same as the input
client name) and return the cached credentials if we find them.
Greg Hudson [Fri, 1 Mar 2019 02:28:43 +0000 (21:28 -0500)]
Use memory replay cache for DO_TIME auth contexts
Instead of requiring the caller to set up a persistent replay cache
for KRB-PRIV/KRB-SAFE/KRB-CRED messages produced in DO_TIME auth
contexts, use an in-memory replay cache.
Update the API documentation for the affected functions and correct
some inaccuracies.
Greg Hudson [Wed, 2 Jan 2019 21:54:28 +0000 (16:54 -0500)]
Improve S4U2Self realm identification internals
Realm identification for S4U2Self requests ([MS-SFU] 3.1.5.1.1.1) uses
the AS code path with some differences: we might want to include a
subject certificate in pa-data, we want to stop as soon as we get a
reply indicating which realm the client is in, and we want to
communicate that realm to the caller. The current method of making
these changes is fragile--it uses an optimistic preauth type but does
not actually pre-authenticate, and it assumes that the AS code will
terminate with a predictable error if there is no prompter and a
trivial GAK function.
Instead, add fields to krb5_get_init_creds_context for realm
identification, and support them in the AS state machine, making sure
never to invoke preauth modules. Add a new library-internal function
k5_identify_realm() to set up an appropriate context, run the state
machine, and copy out the client principal of the last request on
success.
Greg Hudson [Mon, 4 Mar 2019 21:11:11 +0000 (16:11 -0500)]
Update comment in lock_file.c
Gnu libc commit 06ab719d30b01da401150068054d3b8ea93dd12f fixed the OFD
locking issue on 32-bit Linux. We still need to work around the bug
for older versions, but update the comment to note the release in
which the bug was fixed.
Greg Hudson [Mon, 4 Mar 2019 16:07:45 +0000 (11:07 -0500)]
Fix ASN.1 test secure cookie comparison
One of the comparisons in ktest_equal_secure_cookie() was
tautological. Use scalar_equal() for consistency with other tests.
Also use scalar_equal() in ktest_equal_kkdcp_message().
Greg Hudson [Sun, 3 Mar 2019 20:42:04 +0000 (15:42 -0500)]
Rename configure.in to configure.ac
autotools plans to drop support for the name configure.in.
(automake's NEWS file expresses plans to drop support for it in
autoconf 2.0; autoconf added a warning in commit 560f16b52d3d3db1536d9ca5b863ce9b1a5c9e35, indicating in the commit
message that support will be dropped in a future version.)
Corene Casper [Sat, 16 Feb 2019 05:49:26 +0000 (00:49 -0500)]
Fix memory leak in 'none' replay cache type
Commit 0f06098e2ab419d02e89a1ca6bc9f2828f6bdb1e fixed part of a memory
leak in the 'none' replay cache type by freeing the outer container,
but we also need to free the mutex.
Greg Hudson [Mon, 18 Feb 2019 00:51:35 +0000 (19:51 -0500)]
Use better name type for PKINIT KDC certs
RFC 4120 recommends NT-SRV-INST for krbtgt principals; use it in
PKINIT KDC certificates rather than NT-PRINCIPAL. Regenerate test
certificates. Reported by Rick van Rein.
Greg Hudson [Fri, 15 Feb 2019 16:59:06 +0000 (11:59 -0500)]
Modernize KRB-PRIV/KRB-SAFE/KRB-CRED functions
In krb5_mk_safe(), krb5_mk_priv(), krb5_mk_ncred(), krb5_rd_safe(),
and krb5_rd_priv(), modify naming, formatting, and memory management
to meet current standards. Add k5_privsafe helpers to generate replay
data and addresses and to store replay records. For krb5_mk_ncred(),
expand the contract of the encoding function to be similar to the
other two krb5_mk functions, and use pointer aliases to reduce the
number of copies required.
Luke Howard [Fri, 28 Dec 2018 12:13:05 +0000 (23:13 +1100)]
Process SPNEGO error tokens through mech
In the SPNEGO initiator code, if the acceptor returns a token with
negState=REJCET and a mechanism token, process the token through the
mech to get a better error status.
[ghudson@mit.edu: modified approach for clarity and to prevent some
edge cases; rewrote commit message]
Greg Hudson [Tue, 22 Jan 2019 17:07:54 +0000 (12:07 -0500)]
Simplify negState choice in SPNEGO initiator
In the SPNEGO initiator code, simplify the choice of the outgoing
negState value, and remember the acceptor negState choice throughout
the process. The outgoing negState value is REJECT if sending an
error token, ACCEPT_COMPLETE when sending a final MIC, and
ACCEPT_INCOMPLETE otherwise.
RFC 4178 permits negState to be omitted in some cases, so rename
ACCEPT_DEFECTIVE_TOKEN to UNSPECIFIED for clarity. Use this value as
the acceptor negState for the first pass through
spnego_gss_init_sec_context() when there is no acceptor token.
Decide whether to return GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED at
the end of processing, instead of it being a shared responsibility of
the helper functions. Return GSS_S_COMPLETE on success in the helper
functions and use "goto cleanup" in a few more places. Leave
handle_mic() alone as it is also used by the acceptor code.
Isaac Boukris [Mon, 7 Jan 2019 19:09:34 +0000 (21:09 +0200)]
Remove erroneous text from kinit man page
Commit 4c4859fa83295db5c26f47b96c719060cfd9e2b1 changed the kinit man
page to state that kinit -E (enterprise) implies -C (canonicalize).
The client does not automatically set the canonicalize option when
getting tickets for an enterprise principal, and Windows KDCs can
issue tickets for enterprise principals without canonicalizing the
principal (contrary to the implication of RFC 6806 section 5). Remove
the misleading text.
[ghudson@mit.edu: updated RST man page and regenerated nroff file;
rewrote commit message]
krb5_cc_lock(), krb5_cc_unlock(), krb5_cccol_lock(), and
krb5_cccol_unlock() are used internally, so remove them from krb5.h
and rename them to k5_cc_lock(), k5_cc_unlock(), k5_cccol_lock(), and
k5_cccol_unlock() respectively.
krb5_cccol_last_change_time() is not used, so remove it.
krb5_cc_last_change_time() is also not used, so remove it as well.
Update ccache interface to reflect removal. Of particular note, this
function didn't behave as documented for KCM or KEYRING ccaches at
time of removal.
Robbie Harwood [Thu, 10 Jan 2019 21:34:54 +0000 (16:34 -0500)]
Mark deprecated enctypes when used
Preface ETYPE_DEPRECATED enctypes with "DEPRECATED:" in klist output,
KDC logs, and kadmin interactions. Also complain in krb5kdc when the
stash file has a deprecated enctype or a deprecated enctype is
requested with -k.
Robbie Harwood [Tue, 8 Jan 2019 22:42:35 +0000 (17:42 -0500)]
Make etype names in KDC logs human-readable
Introduce enctype_name() as a wrapper over krb5_enctype_to_name for
converting between registered constants and names. Adjust signatures
and rewrite ktypes2str() and rep_etypes2str() to operate on dynamic
buffers.
Robbie Harwood [Tue, 15 Jan 2019 21:16:57 +0000 (16:16 -0500)]
Add function and enctype flag for deprecations
krb5int_c_deprecated_enctype() checks for the ETYPE_DEPRECATED flag on
enctypes. All ENCTYPE_WEAK enctypes are currently deprecated; not all
deprecated enctypes are considered weak. Deprecations follow RFC 6649
and RFC 8429.
Robbie Harwood [Tue, 15 Jan 2019 18:41:16 +0000 (13:41 -0500)]
In kpropd, debug-log proper ticket enctype names
This change replaces the last call of krb5_enctype_to_string() in our
sources with krb5_enctype_to_name(), ensuring that we log consistently
to users using readily discoverable strings.
Robbie Harwood [Mon, 14 Jan 2019 22:14:42 +0000 (17:14 -0500)]
In rd_req_dec, always log non-permitted enctypes
The buffer specified in negotiate_etype() is too small for use with
the AES enctypes when used with krb5_enctype_to_string(), so switch to
using krb5_enctype_to_name().
Greg Hudson [Sun, 30 Dec 2018 21:40:28 +0000 (16:40 -0500)]
Address some optimized-out memset() calls
Ilja Van Sprundel reported a list of memset() calls which gcc
optimizes out. In krb_auth_su.c, use zap() to clear the password, and
remove two memset() calls when there is no password to clear. In
iakerb.c, remove an unnecessary memset() before setting the only two
fields of the IAKERB header structure. In svr_principal.c, use
krb5_free_key_keyblock_contents() instead of hand-freeing key data.
In asn1_k_encode.c, remove an unnecessary memset() of the kdc_req_hack
shell before returning.
sashan [Tue, 18 Dec 2018 11:04:56 +0000 (12:04 +0100)]
Fix build issues with Solaris native compiler
In the LDAP KDB module, fix an empty initializer. In the SPAKE
edwards25519 code, use autoconf tests to determine whether to use the
64-bit code. In the SPAKE update_thash() function, make sure the
types of the conditional expression results match exactly. In
libkrb5support, link against zap.o now that k5buf.o can use zap() (as
of commit 8ee8246c14702dc03b02e31b9fb5b7c2bb674bfb).
Simo Sorce [Tue, 4 Dec 2018 20:22:55 +0000 (15:22 -0500)]
Add dns_canonicalize_hostname=fallback support
Turn dns_canonicalize_hostname into a tristate variable, allowing the
value "fallback" as well as the true/false booleans. If it is set to
fallback, delay DNS canonicalization and attempt it only in
krb5_get_credentials() if the KDC responds that the requested server
principal name is unknown.
Isaac Boukris [Sat, 15 Dec 2018 09:56:36 +0000 (11:56 +0200)]
Remove incorrect KDC assertion
The assertion in return_enc_padata() is reachable because
kdc_make_s4u2self_rep() may have previously added encrypted padata.
It is no longer necessary because the code uses add_pa_data_element()
instead of allocating a new list.
CVE-2018-20217:
In MIT krb5 1.8 or later, an authenticated user who can obtain a TGT
using an older encryption type (DES, DES3, or RC4) can cause an
assertion failure in the KDC by sending an S4U2Self request.
[ghudson@mit.edu: rewrote commit message with CVE description]
Greg Hudson [Mon, 26 Nov 2018 18:37:46 +0000 (13:37 -0500)]
Document necessary delay in master key rolllover
During master key rollover, if the old master key is purged
immediately after updating principal encryption, running processes may
not successfully update their in-memory copies of the master key.
Document that the administrator should delay purging the master key
until after propagation and some daemon activity.
Greg Hudson [Thu, 15 Nov 2018 18:40:43 +0000 (13:40 -0500)]
Clear forwardable flag instead of denying request
If the client requests a forwardable or proxiable ticket and the
option cannot be honored by policy, issue a non-forwardable or
non-proxiable ticket rather than denying the request.
Add a test script for testing KDC request options and populate it with
tests for the forwardable and proxiable flags.
Robbie Harwood [Mon, 5 Nov 2018 18:49:52 +0000 (13:49 -0500)]
Fix spurious errors from kcmio_unix_socket_write
Commit 33634a940166d0b21c3105bab8dcf5550fbbd678 accidentally changed
the return value from kcmio_unix_socket_write to be the result of the
write call. Most commonly this resulted in it returning 8, which led
to many commands failing with "Exec format error".
Greg Hudson [Sat, 27 Oct 2018 00:26:48 +0000 (20:26 -0400)]
Update auto-generated files
Regenerate dependency files and mit-krb5.pot. Regenerate man pages
and NOTICE with python-sphinx 1.6.7. Regenerate deltat.c with bison
3.0.4. Update config.guess and config.sub from upstream (commit 2fa97a8a0ed37bec720bd118d65e674cebf50404).
Robbie Harwood [Tue, 16 Oct 2018 19:19:46 +0000 (15:19 -0400)]
Retry KCM writes once on remote hangup
sssd's KCM daemon has a client timeout (typically 60 seconds). Add
reconnection logic to kcmio_unix_socket_write() to allow this
behavior, and to potentially allow for the daemon to be upgraded.
[ghudson@mit.edu: adjusted commit message, comment, and code slightly]
Greg Hudson [Thu, 25 Oct 2018 16:55:50 +0000 (12:55 -0400)]
Improve code hygiene of kdb5_util dump helpers
kdb5_util dump can very briefly leak a file handle if the ok file
cannot be locked, or if the existing dump file cannot be read. Add a
cleanup handler to prep_ok_file() and use proper output parameter
handling. Change current_dump_sno_in_ulog() to close its file handle
before checking the result of fgets(). Reported by Bean Zhang.
Greg Hudson [Thu, 25 Oct 2018 15:56:58 +0000 (11:56 -0400)]
Fix leak on error in kadm5 randkey handling
An attempt to change the kadmin/history key with the -keepold flag
would leak the KDB entry and keysalt tuple as it returned an error.
Use the cleanup handler instead of returning directly. Reported by
Bean Zhang.
Greg Hudson [Wed, 24 Oct 2018 03:00:24 +0000 (23:00 -0400)]
Document aliases for enterprise get_principal
Enterprise principals are always aliases. In most contexts when we
see them we pass KRB5_KDB_FLAG_ALIAS_OK to the KDB module's
get_principal method, but for S4U2Self clients we currently do not.
Document that a KDB module may return an alias for enterprise
principals regardless of flags.
Robbie Harwood [Mon, 15 Oct 2018 19:19:12 +0000 (15:19 -0400)]
Update man pages to reference kerberos(7)
Remove broken references to old kerberos(1). Reference kerberos(7)
from all man pages, and create/update their environment section so
that it references kerberos(7).
Robbie Harwood [Mon, 15 Oct 2018 17:20:30 +0000 (13:20 -0400)]
Modernize kerberos(7)
Update environment variable descriptions, using env_variables.rst as a
guide. Replace the content in env_variables.rst with a pointer to
documentation at kerberos(7) so that we don't break external links and
don't duplicate content.
Replace references to rlogin. Clarify and modernize other language.
Robbie Harwood [Tue, 9 Oct 2018 21:05:10 +0000 (17:05 -0400)]
Bring back general kerberos man page
Restore the content of kerberos(1) as it stood in 0f81e372a2830c9170f6e08dfa956841d0ebdfb1. Convert to ReST to match
the other man pages, and install it as the more appropriate
kerberos(7).
Build kerberos(7) and check it in to avoid breaking the build.
Isaac Boukris [Mon, 15 Oct 2018 15:33:15 +0000 (18:33 +0300)]
Add GSS_KRB5_NT_ENTERPRISE_NAME name type
Add a new name-type OID which causes a string to be imported as an
enterprise name. This is useful for authenticating and impersonating
users with their UPN names.
Resurrect t_imp_name test to exercise importing of the new name OID.
Also add a test using the new name in cross-realm protocol transition,
to exercise s4u_identify_user() with multiple realms.
[ghudson@mit.edu: added Windows export entry; adjusted comments and
test code; edited commit message]
Isaac Boukris [Tue, 23 Oct 2018 09:52:41 +0000 (12:52 +0300)]
Start S4U2Self realm lookup at server realm
When looking up the realm of an enterprise principal, start with the
realm of the server instead of the realm attached to the enterprise
name, as specified in [MS-SFU] 3.1.5.1.1.1.
[ghudson@mit.edu: simplified out client_data+client into just client;
edited commit message]
Greg Hudson [Mon, 15 Oct 2018 22:00:35 +0000 (18:00 -0400)]
Fix up kdb5_util documentation
In kdb5_util.rst, reorder the main option summary to match the order
they are documented in below, and document the -x option. Remove the
kdb5_util create -h switch case as 'h' has never been in the getopt
string. Add the -r18 option to the kdb5_util dump and load option
summaries. Reword the kdb5_util load -hash option. Remove the
nonexistent kdb5_util load dbname parameter.
In database.rst, alter the example for loading a single principal to
use the dump principal filtering functionality, as that functionality
does not currently exist for load.
In the kdb5_util usage error message, reorder the main options to
match the order in the documentation and to fit within 79 columns.
Also add the -P option.
Greg Hudson [Mon, 15 Oct 2018 23:12:45 +0000 (19:12 -0400)]
Use port-sockets.h macros in cc_kcm, sendto_kdc
Use SOCKET_CONNECT in cc_kcm.c and sendto_kdc.c to prevent SIGPIPE on
BSD-like systems. Use other port-sockets.h macros in cc_kcm.c in case
it is ever used on Windows.
Greg Hudson [Thu, 4 Oct 2018 22:10:48 +0000 (18:10 -0400)]
Fix 64-bit Windows socket write error handling
Add casts to ensure that the result type of SOCKET_WRITEV() on Windows
can represent -1. Otherwise it will be treated as 2^32-1 when cast to
ssize_t on 64-bit Windows, which can lead to crashes in
krb5_sendto_kdc(). Reported by Puran Chand.
Isaac Boukris [Fri, 5 Oct 2018 11:43:51 +0000 (14:43 +0300)]
Add more constraints to S4U2Self processing
Of the eight possible combinations of local or cross TGT, local or
non-local user, and local server or referral, four are valid. The
previous commit rejects two of the invalid cases (local TGT and
referral, with local or non-local user). Document the four valid
cases and reject the remaining two invalid combinations.
Isaac Boukris [Fri, 5 Oct 2018 11:14:32 +0000 (14:14 +0300)]
Allow referrals for cross-realm S4U2Self requests
According to MS-SFU 3.2.5.1.1, the KDC should issue a referral for
S4U2Self requests if the requesting service is not in the KDC's realm.
Commit 8a9909ff9ef6b51c5ed09ead6713888fbb34072f explicitly prevents
referrals for S4U2Self requests; on further analysis, this appears to
have been preserving a bug rather than applying a proper constraint.
However, we should not issue referrals for within-realm S4U2Self
requests. (This should only come up if a server possesses a TGT but
its principal entry has been deleted.)
Remove the S4U2Self referral check in process_tgs_req(). Instead add
a more specific check in kdc_process_s4u2self_req(), adding new
parameters for the header server principal and a flag indicating
whether a referral is indicated.
Greg Hudson [Thu, 11 Oct 2018 19:33:35 +0000 (15:33 -0400)]
Fix multiple leaks in ktutil addent
In ktutil_add(), free allocations on success as well as failure.
Change all early returns to jumps to the cleanup label. Free the
password buffer and unparsed principal name. Do list manipulation as
the final step to simplify cleanup. Reported by Bean Zhang.
Isaac Boukris [Sat, 29 Sep 2018 04:21:56 +0000 (07:21 +0300)]
Add PAC APIs which can include a client realm
These APIs are needed for KDC handling of cross-realm S4U2Self
tickets; see [MS-SFU] 3.2.5.x. Note that we currently do not allow
re-signing a PAC to include the realm; the caller must create a new
one.
Robbie Harwood [Mon, 8 Oct 2018 20:02:12 +0000 (16:02 -0400)]
Prefer TCP to UDP for password changes
When password changes are performed over UDP, spotty networks may
cause the client to retransmit. This leads to replay errors if the
kpasswd server receives both requests, which hide the actual request
status and make it appear that the password has not been changed, when
it may in fact have been. Use TCP instead with UDP fallback to avoid
this issue.
Add a -f flag to ktutil addent. If specified, the enctype need not be
specified (although it can be) and ktutil will request etype-info from
the KDC to produce the string-to-key parameters.
Mubashir Kazia [Sat, 24 Jun 2017 19:47:53 +0000 (19:47 +0000)]
Add API to retrieve etype-info from KDC
Add the krb5_get_etype_info() API, which sends an initial ticket
request to the KDC and extracts an enctype, salt, and s2kparams value
from the first KDC reply. This function will help ktutil use the
correct salt and s2kparams when creating keytabs.
[ghudson@mit.edu: renamed API to krb5_get_etype_info() and adjusted
behavior]
Change the default dump filename for iprop to "replica_datatrans", and
the iprop poll interval profile variable to "iprop_replica_poll",
preserving compatibility with the old name.
Isaac Boukris [Sat, 15 Sep 2018 07:28:48 +0000 (10:28 +0300)]
Don't rely on default realm in S4U2Self client
When converting server principal to enterprise name (to be possibly
used for cross-realm), ignore the realm when reparsing, to avoid a
spurious error if a default realm isn't configured.
[ghudson@mit.edu: added rewritten test case; edited commit message]
Commit 28fd0a934cdc7b3b42ce213c6d334d4edf1ab591 muted a warning from
bison about shift/reduce conflicts in the grammer. However, the
extension for suppressing the warning is bison-only. Revert that
portion of the change and live with the warning rather than adding
additional conditionalization. Reported by Michael Osipov.
The LDAP KDB module contained a duplicate set of functions to marshal
osa_princ_ent_ret structures, perhaps to avoid a circular dependency
on libkadm5srv before KDB modules were dynamically loaded. We have
been using the libkadm5srv versions of those functions from the DB2
KDB module since release 1.8. Use them from the LDAP KDB module as
well.
Since no rpcgen output remains in princ_xdr.c and princ_xdr.h, add
emacs mode lines for the krb5 C style to those files and make small
formatting adjustments to match.
The documentation for pkinit_identities implies that we try harder to
use each value before ignoring the rest, when in fact we only go as
far as the first successful parse. Soften the language and describe
the most likely use case for multiple values under the current
semantics.
pkinit_identity.c:parse_fs_options() could crash if the first
strtok_r() call returns NULL, which happens when the residual string
begins with ','. Fix this bug by checking for a leading comma and
checking the strtok_r() result, and add a test case. Reported by Bean
Zhang.
Also return EINVAL rather than 0 on invalid input, and don't leave an
allocated value in idopts->cert_filename if we fail to copy the key
filename.
gcc warns that the `if` statement doesn't guard the length
assignment, which is true. However, it wouldn't make sense for the
length assignment to be guarded by the `if` clause anyway, since the
previous statement is a `goto`. De-indent for clarity.
If gss_add_cred() is called with both an input_cred_handle and an
output_cred_handle, it creates a new credential with the elements of
the input credential plus the requested element. Making a shallow
copy of mechs_array and cred_array from the old credential creates
aliased pointers which become invalid when one of the two credentials
is released, leading to use-after-free and double-free errors.
Instead, make a full copy of the input cred for this case. Make this
copy at the beginning so that union_cred can always be modified in
place (and freed on error using gss_release_cred() if we created it),
removing the need for new_union_cred, new_mechs_array, and
new_cred_array. Use a stack object for target_mechs to simplify
cleanup and reduce the number of failure cases.
GSSAPI provides no facility for copying a credential; since we mostly
use the GSSAPI as our SPI for mechanisms, we have no simple way to
copy mechanism creds when copying the union cred. Use
gss_export_cred() and gss_import_cred() if the mechanism provides
them; otherwise fall back to gss_inquire_cred() and
gss_acquire_cred().
If gss_add_cred() is called with no input_cred_handle, it creates a
new credential with one element. At the end of the function, use the
created credential as the output container, rather than creating a
second one and leaking the first.
If gss_inquire_cred_by_mech() is called with a mechanism and there is
no corresponding mechanism credential in the union cred, return
GSS_S_NO_CRED (as Heimdal does) instead of interrogating the mechanism
about the default credential.
strftime() is specified in C89. The tree has not built without a
native strftime() at least as far back as 1.7 (because it is used
unconditionally in kdb5_mkey.c) and possibly for much longer. Remove
the two copies of the NetBSD strftime.c and the fallback ctime() in
logger.c.
In logger.c:klog_vsyslog(), check the return value of localtime(). In
ldap_principal2.c:getstringtime(), check the strftime() result and
don't leak strtime on error.
Greg Hudson [Fri, 31 Aug 2018 17:19:21 +0000 (13:19 -0400)]
Fix name of .pdb file in ccapi/test/Makefile.in
The -Fd cl option specifies the location of the program database
filename, which should have the extension .pdb. Using a .obj
extension causes a build failure with MSVC version 14.15.26726.
Greg Hudson [Wed, 29 Aug 2018 19:04:13 +0000 (15:04 -0400)]
Check return values of time functions
Where ctime(), localtime(), or localtime_r() is used, check for
failure even if it is unlikely (reported by Bean Zhang). Constify the
strdate() return type in kdb5_mkey.c and kadmin.c and the
ctime_uint32() return type in kproplog.c. Use localtime_r()
unconditionally in str_conv.c as there is already a wrapper in that
file for the case where the platform doesn't have it. Remove an
inoperative localtime() call in ktutil.c.
Greg Hudson [Tue, 28 Aug 2018 01:10:53 +0000 (21:10 -0400)]
Check strdup return in kadm5_get_config_params()
When copying the realm string, if strdup() returns NULL, fail out with
ENOMEM instead of pretending the realm wasn't specified. When copying
KRB5_DEFAULT_SUPPORTED_ENCTYPES, if strdup() returns NULL, fail out
with ENOMEM instead of crashing. Reported by Bean Zhang.
Greg Hudson [Fri, 3 Aug 2018 04:36:10 +0000 (00:36 -0400)]
Limit matching of user-to-user ccache credentials
In krb5int_cc_creds_match_request(), do not yield a user-to-user
credential if the caller is not looking for one; it would not be
useful when a normal service ticket (encrypted in the service key) is
required. Reported by Todd Lubin.
Greg Hudson [Fri, 3 Aug 2018 15:07:03 +0000 (11:07 -0400)]
Don't tag S4U2Proxy result creds as user-to-user
S4U2Proxy and user-to-user tickets are both obtained using a
second-ticket input, but only user-to-user tickets are encrypted in
the session key of the second ticket. In gc_via_tkt.c, stop deducing
the is_skey flag from the presence of a second ticket and instead set
it based on the request KDC options.
Greg Hudson [Fri, 24 Aug 2018 15:40:39 +0000 (11:40 -0400)]
Add kvno option for user-to-user
Add a --u2u option to kvno, with an argument to specify a credential
cache containing a krbtgt for the server principal. Move the
-allow_svr test from appl/user_to_user to a new test script and add
additional tests. Suggested by Chris Hecker.
projects / thirdparty / krb5.git / log
