Kevin Coffman [Wed, 20 Jun 2007 22:01:15 +0000 (22:01 +0000)]
Fix pa-type 15 request against Heimdal server which
returns a different OID.
Fix a typo in the doc pointed out by Olga Kornievskaia
Add a comment about why SILLYDECRYPT is there.
Fix some formatting to prevent line-wrapping.
Encapsulate all the work-arounds for working against a
Longhorn server within #ifdef LONGHORN_BETA_COMPAT so they
are easily recognized and can be removed when the issues
are fixed in released versions of Longhorn.
Fix a memory leak in the server. (Change the client code
to copy OID values rather than returning pointers to static
memory so that no special cases are required when freeing
structures which reference them.)
Remove an fprintf() from the pkinit_matching code.
Change function definitions in pkinit_lib.c to match the
coding style.
Kevin Coffman [Thu, 14 Jun 2007 23:20:13 +0000 (23:20 +0000)]
Update documentation:
kinit man-page
admin-guide: krb5.conf options
admin-guide: kdc.conf options
---
Add more functions to accessor structure.
---
Patch from Ken Raeburn, minus the README changes.
README needs major updating or should be removed.
Hopefully, it is now all captured in the doc changes.
Log:
r807@dh169: raeburn | 2007-05-30 19:23:15 -0400
dev
r810@dh169: raeburn | 2007-05-31 15:44:25 -0400
Add crypto lib check at top level, to make maintainer mode happier.
No comma at end of enum lists.
Remove extraneous ';'.
Fix uninitialized variable.
No variadic macros.
---
returning authorization data only for pa-type 16
---
return signed attributes only for pa-type 16
---
Don't segfault if we fail to decode the PKCS7 message in
cms_signeddata_verify().
---
append PIN warnings to PIN prompt
---
translate pkcs11 error codes to text
---
Change get_cert() and get_key() to return an error code so we can
give a better reason why they failed.
---
Fix more compiler warnings.
---
In crypto_cert_select_default(), enforce that there is exactly one
cert to choose from.
---
add (currently-hardcoded des3) supportedCMSTypes to pa-type 16 request
---
accept various oids in the envelopeddata for pa-type 15 request
---
fix ad_type for authorization data
---
Kevin Coffman [Tue, 29 May 2007 22:20:17 +0000 (22:20 +0000)]
Remove some old code from src/lib/krb5/asn.1/asn1_k_decode.c and
src/lib/krb5/krb/preauth2.c
Add new file pkinit_matching.c which implements the ability
for an admin to configure things such that the "right" certificate
from several available ones will be used for pkinit.
Fix a couple of things the Solaris compiler doesn't like.
Kevin Coffman [Thu, 24 May 2007 02:06:43 +0000 (02:06 +0000)]
- Create a new file, pkinit_identity.c, which has all the identity
parsing and processing code outside the crypto-specific code
into common code. Some of this came out of pkinit_lib.c and
some came out of pkinit_crypto_openssl.c.
- Move some corresponding #defines from pkinit_crypto_openssl.h
into pkinit.h.
- Moved some of the identity values out of the id_cryptoctx and
into the idopts. (Some are later duplicated into the id_cryptoctx.)
- Create "new" crypto functions, crypto_load_certs() and
crypto_load_cas_and_crls(). These are slight modifications of
the pre-existing functions.
Kevin Coffman [Thu, 17 May 2007 18:15:14 +0000 (18:15 +0000)]
- Add new config file option pkinit_longhorn which indicates
we are talking to a Longhorn KDC and allows the necessary
hacks to work with a Longhorn (beta 3) server
- Add pkcs12 support (required for gssmonger testing)
- Modify SAN and EKU processing so that it does not use
pa_type and so that it allows checking with certificates
containing more than one SAN
- add new configuration file option, "pkinit_eku_checking"
for the kdc, this can be specified as [kpClientAuth | scLogin | none]
for the client, this can be specified as [kpKDC | kpServerAuth | none]
- Restructure code to make DN and SAN matching possible.
Still need the actual matching code.
- Fix from Ken Renard re: using ENV: for identity processing
- Create new header, pkinit_crypto.h separating out the crypto
interface definition.
Kevin Coffman [Fri, 20 Apr 2007 20:22:01 +0000 (20:22 +0000)]
[lib/krb5/asn.1/asn1_k_decode.c]
- define two macros to deal with implicitly tagged
octet strings
- modified begin_choice() macro and removed
begin_explicit_choice()
- use the get_implicit_octet_string() and
opt_implicit_octet_string() macros to clean up
a lot of hand-coded stuff.
- remove (almost) all the "#if 0" stuff (see below)
- asn1_decode_trusted_ca() still needs testing and cleanup
of "#if 0" code!
[lib/krb5/asn.1/asn1_k_decode.h]
- add prototype for asn1_decode_sequence_of_algorithm_identifier
[lib/krb5/asn.1/asn1_k_encode.cs]
- Fix up some comments for our added macros
[pkinit directory changes]
- Move parsing of filesystem identity location into a separate function,
parse_fs_options(), like parse_pkcs11_options().
- Add the ability to specify ENV: as suggested by Doug Engert.
- Add the ability to specify alternatives to use for finding identity.
(This adds a pkinit_identity_alt config file option that specifies
alternative locations to try and find user identity information.
This config file option may be specified multiple times, and the
alternatives are tried in the order given in the config file.)
If the user does not specify -X X509_user_identity on the command
line, then the code will check if the environment variable
X509_USER_IDENTITY is defined. If it is not defined, or does not
specify a valid identity, then envvar X509_USER_PROXY will be tried.
If that fails, then it will attempt PKCS11 with module opensc-pkcs11.so.
If all the alternatives fail, then pkinit preauth is not available
and password authentication is attempted.
- Many changes to clean up almost all compiler warnings
- Add config option, pkinit_win2k_hostname, to specify win2k
hostname(s) to be checked in the certificate.
Kevin Coffman [Tue, 6 Mar 2007 15:31:40 +0000 (15:31 +0000)]
Allow pkinit to support multiple realms within a single KDC.
Allow per-realm pkinit configuration.
- include/krb5/preauth_plugin.h
Add NULL-terminated realm name list to preauth_server_init_proc interface.
- kdc/kdc_preauth.c
Construct realm name list and pass it to preauth_server_init_proc
(and free it).
- plugins/preauth/pkinit/pkinit.h
Add realmname and name length to kdc (per-realm) plugin context.
Change interface to config/profile routines to pass the realm name.
- plugins/preauth/pkinit/pkinit_crypto_openssl.c
Restructure the init/fini functions a bit.
Make sure OBJ_cleanup() is only called once by using a refcount.
- plugins/preauth/pkinit/pkinit_profile.c
Change routines to pass in realm name rather than depending on
default_realm being set in the context.
- plugins/preauth/pkinit/pkinit_srv.c
Create a plugin context for each realm that should be supported.
Add function to find the correct realm context. Call it at the
beginning of each major preauth function (get_edata,
verify_padata, return_padata).
Kevin Coffman [Thu, 15 Feb 2007 14:44:22 +0000 (14:44 +0000)]
Various fixes:
---
Ignore the mechanism list, always use CKM_RSA_PKCS and calculate the sha1
digest ourselves.
Works for Cryptoflex, Activcard, and (I think) CAC.
---
don't specify a usage when looking for a private key, it confuses
some cards (coolkey)
---
send invalid certificate instead of trusted certifiers for
the TD-INVALID-CERTIFICATE typed data
---
include the right oid for the draft9 reply
---
Remove all traces of krb5_get_init_creds_opt_set_pkinit()
---
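What "always use CKM_RSA_PKCS and calculate the sha1 digest ourselves" entails in practice, as an added example that is not code from krb5 or from the commit above: under CKM_RSA_PKCS a PKCS#11 token applies only PKCS#1 v1.5 block-type-1 padding and the raw RSA private-key operation to whatever bytes it is given, so the caller has to hand it the DER DigestInfo (SHA-1 algorithm identifier plus the 20-byte hash), not the bare hash. The SHA-1 implementation, the 128-byte modulus size and the message "abc" are this example's own assumptions; the DigestInfo prefix is the SHA-1 one from RFC 3447 section 9.2. The last function also shows the failure mode: a bare hash is padded and signed without complaint by the token, but no sha1WithRSAEncryption verifier accepts the result.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal SHA-1 (FIPS 180-1), written for this example only. */
static uint32_t rol(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

static void sha1_block(uint32_t h[5], const uint8_t blk[64])
{
    uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4], f, k, t;
    int i;
    for (i = 0; i < 16; i++)
        w[i] = ((uint32_t)blk[4*i] << 24) | ((uint32_t)blk[4*i+1] << 16) |
               ((uint32_t)blk[4*i+2] << 8) | blk[4*i+3];
    for (; i < 80; i++)
        w[i] = rol(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
    for (i = 0; i < 80; i++) {
        if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
        else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        t = rol(a, 5) + f + e + k + w[i];
        e = d; d = c; c = rol(b, 30); b = a; a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

void sha1(const uint8_t *msg, size_t len, uint8_t out[20])
{
    uint32_t h[5] = { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 };
    uint8_t blk[64];
    uint64_t bits = (uint64_t)len * 8;
    size_t i, rem;
    for (i = 0; i + 64 <= len; i += 64)
        sha1_block(h, msg + i);
    rem = len - i;
    memset(blk, 0, 64);
    memcpy(blk, msg + i, rem);
    blk[rem] = 0x80;                       /* padding: 1 bit, zeros, 64-bit length */
    if (rem >= 56) { sha1_block(h, blk); memset(blk, 0, 64); }
    for (i = 0; i < 8; i++)
        blk[63 - i] = (uint8_t)(bits >> (8 * i));
    sha1_block(h, blk);
    for (i = 0; i < 5; i++) {
        out[4*i] = (uint8_t)(h[i] >> 24);   out[4*i+1] = (uint8_t)(h[i] >> 16);
        out[4*i+2] = (uint8_t)(h[i] >> 8);  out[4*i+3] = (uint8_t)h[i];
    }
}

/* DER DigestInfo for SHA-1 minus the hash itself (RFC 3447, 9.2, note 1). */
static const uint8_t SHA1_DIGESTINFO_PREFIX[15] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };

/* What the caller must hand to C_Sign under CKM_RSA_PKCS: the 35-byte DigestInfo. */
size_t sha1_digestinfo(const uint8_t *msg, size_t len, uint8_t out[35])
{
    memcpy(out, SHA1_DIGESTINFO_PREFIX, 15);
    sha1(msg, len, out + 15);
    return 35;
}

/* What the token then does before the private-key operation: EMSA-PKCS1-v1_5
 * block type 1 over whatever it was given.  k = modulus length in bytes. */
int emsa_pkcs1_v15(const uint8_t *t, size_t tlen, uint8_t *em, size_t k)
{
    if (k < tlen + 11) return -1;          /* at least 8 bytes of 0xFF padding */
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xFF, k - tlen - 3);
    em[k - tlen - 1] = 0x00;
    memcpy(em + k - tlen, t, tlen);
    return 0;
}

/* What a sha1WithRSAEncryption verifier checks after the public-key operation. */
int em_is_sha1_signature_of(const uint8_t *em, size_t k, const uint8_t *msg, size_t len)
{
    uint8_t expect[35];
    size_t i;
    if (k < 46 || em[0] != 0x00 || em[1] != 0x01) return 0;
    for (i = 2; i < k - 36; i++)
        if (em[i] != 0xFF) return 0;
    if (em[k - 36] != 0x00) return 0;
    sha1_digestinfo(msg, len, expect);
    return memcmp(em + k - 35, expect, 35) == 0;
}

/* Demo on the constructed message "abc"; its SHA-1 is the FIPS 180-1 test vector. */
static const uint8_t DEMO_MSG[3] = { 'a', 'b', 'c' };
static const uint8_t DEMO_SHA1[20] = { 0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e,
                                       0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d };

int sha1_matches_known_vector(void)
{
    uint8_t d[20];
    sha1(DEMO_MSG, 3, d);
    return memcmp(d, DEMO_SHA1, 20) == 0;
}

/* with_digestinfo=1: correct CKM_RSA_PKCS usage.  with_digestinfo=0: the
 * bare-hash mistake.  Returns 1 if a verifier accepts the padded block,
 * 0 if it rejects it, -1 if the modulus is too small for the input. */
int rsa_pkcs_input_verifies(size_t k, int with_digestinfo)
{
    uint8_t t[35], em[256];
    size_t tlen = with_digestinfo ? sha1_digestinfo(DEMO_MSG, 3, t) : 20;
    if (!with_digestinfo) sha1(DEMO_MSG, 3, t);
    if (k > sizeof em || emsa_pkcs1_v15(t, tlen, em, k) != 0) return -1;
    return em_is_sha1_signature_of(em, k, DEMO_MSG, 3);
}
```

Ignoring the card's mechanism list and doing the hashing on the host, as the commit describes, works precisely because CKM_RSA_PKCS is defined to be hash-agnostic: the token cannot tell a DigestInfo from any other short byte string, so the host is the only place the algorithm identifier can be put in. The same property is what makes the bare-hash case silently produce an unverifiable signature.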
Kevin Coffman [Thu, 11 Jan 2007 22:07:56 +0000 (22:07 +0000)]
-- thanks to Ken Renard, fixed checksum problem in the KDC.
The KDC may alter the original request after decoding it.
We need to do the checksum on the original request contents
from the client. Use the original packet data to calculate
the checksum.
-- client now sends the certificate chain in the request
-- added a debug message for when we fail to create a certificate
chain on the client and fail the request
Kevin Coffman [Tue, 12 Dec 2006 03:08:07 +0000 (03:08 +0000)]
Pull in changes for the extended get_init_creds_opt structure
Pull in changes to add get_init_creds_opt_set_pa(),
get_init_creds_opt_get_pa(), and get_init_creds_opt_free_pa()
Change client interface to pass in the get_init_creds_opt structure
to the process and tryagain functions.
Pull in changes to kinit to pass preauth options entered with "-X"
Create typedefs for all the preauth plugin client and server
interface functions and use them. Eliminates mismatches
and enables better type checking of the interface parameters.
Add *temporary* code to client side of pkinit to handle preauth options
and set the appropriate environment variables.
(Currently only X509_user_identity, X509_anchors, and
flag_RSA_PROTOCOL are handled.)
Add code to use krb5int_accessor to obtain pointers to internal functions
for ASN.1 encode/decode routines rather than exporting them from
libkrb5.
Various updates and improvements in the pkinit smartcard code.
Kevin Coffman [Tue, 21 Nov 2006 14:37:11 +0000 (14:37 +0000)]
free error message when freeing context
Call krb5_clear_error_message() to free any allocated error message
before freeing the context.
The condition that triggered this was a plugin library which fails to
load because of unresolved references. It appears dlopen() on Linux
leaks four bytes for each failing library in this situation.
Tom Yu [Sat, 18 Nov 2006 01:53:27 +0000 (01:53 +0000)]
* src/lib/krb5/ccache/ccbase.c (krb5int_cc_getops): Internal
function to fetch ops vector given ccache prefix string.
(krb5_cc_new_unique): New function to generate a new unique
ccache of a given type.
* src/include/krb5/krb5.hin: Prototype for krb5_cc_new_unique().
Jeffrey Altman [Fri, 17 Nov 2006 23:14:27 +0000 (23:14 +0000)]
reset use_master flag when master_kdc cannot be found
krb5_get_init_creds_password:
if the master_kdc cannot be identified reset the use_master
flag. Otherwise, the krb5_get_init_creds("kadmin/changepw")
call will attempt to communicate with the master_kdc that
cannot be reached.
Jeffrey Altman [Fri, 17 Nov 2006 17:23:24 +0000 (17:23 +0000)]
commits for KFW 3.1 Beta 4
KfW 3.1 beta 4 (NetIDMgr 1.1.6.0)
nidmgr32.dll (1.1.6.0)
- Fix a race condition where the initialization process might be
flagged as complete even if the identity provider hasn't finished
initialization yet.
krb5cred.dll (1.1.6.0)
- When assigning the default credentials cache for each identity,
favor API and FILE caches over MSLSA if they exist.
- When renewing an identity which was the result of importing
credentials from the MSLSA cache, attempt to re-import the
credentials from MSLSA instead of renewing the imported credentials.
- Prevent possible crash if a Kerberos 5 context could not be obtained
during the renewal operation.
- Prevent memory leak in the credentials destroy handler due to the
failure to free a Kerberos 5 context.
- Properly match principals and realms when importing credentials from
the MSLSA cache.
- Determine the correct credentials cache to place imported
credentials in by checking the configuration for preferred cache
name.
- Keep track of identities where credentials imports have occurred.
- When setting the default identity, ignore the KRB5CCNAME environment
variable.
- Do not re-compute the credentials cache and timestamps when updating
an identity. The cache and timestamp information is computed when
listing credentials and does not change between listing and identity
update.
- When refreshing the default identity, also handle the case where the
default credentials cache does not contain a principal, but the name
of the cache can be used to infer the principal name.
- Invoke a listing of credentials after a successful import.
- Do not free a Kerberos 5 context prematurely during plug-in
initialization.
netidmgr.exe (1.1.6.0)
- Fix the UI context logic to handle layouts which aren't based around
identities.
- Don't try to show a property sheet when there are no property pages
supplied for the corresponding UI context.
- Use consistent context menus.
- Bring a modal dialog box to the foreground when it should be active.
- Do not accept action triggers when the application is not ready to
process actions yet.
- Do not force the new credentials dialog to the top if there's
already a modal dialog box showing.
- Change the default per-identity layout to also group by location.
Ken Raeburn [Thu, 16 Nov 2006 01:20:47 +0000 (01:20 +0000)]
* rd_req_dec.c: Whitespace changes in function headers.
(krb5_rd_req_decoded_opt): Include more info in error text for AP_WRONG_PRINC
and NOPERM_ETYPE errors.
Ken Raeburn [Thu, 16 Nov 2006 01:14:14 +0000 (01:14 +0000)]
avoid double frees in ccache manipulation around gen_new
* krb5/krb/vfy_increds.c (krb5_verify_init_creds): If krb5_cc_gen_new fails,
don't both close and destroy the template ccache.
* gssapi/krb5/accept_sec_context.c (rd_and_store_for_creds): Likewise.
Ken Raeburn [Thu, 16 Nov 2006 00:51:21 +0000 (00:51 +0000)]
fix some warnings in ldap code
* libkdb_ldap/ldap_realm.c (ignore_duplicates, compare): Unused functions deleted.
(krb5_ldap_modify_realm, krb5_ldap_read_realm_params): Conditionalize declarations of
automatic variables that are only used for eDirectory.
* libkdb_ldap/ldap_service_stash.c (tohex): Use one sprintf call instead of two.
(dec_password): Use an unsigned type to fetch values with %x.
* libkdb_ldap/ldap_realm.h (ldap_filter_correct): Declare.
* libkdb_dlap/ldap_misc.c (my_strndup): Only define if HAVE_LDAP_STR2DN.
(populate_krb5_db_entry): Remove unused automatic variable.
* ldap_util/kdb5_ldap_util.c (cmd_table): Fix typo in preprocessing conditional.
* ldap_util/kdb5_ldap_realm.c (get_ticket_policy): Declarations first, then code.
* ldap_util/kdb5_ldap_services.c (kdb5_ldap_stash_service_password): On error, increment
exit_status; don't return a value.
* ldap_util/kdb5_ldap_services.h (kdb5_ldap_stash_service_password): Update decl.
Ken Raeburn [Wed, 15 Nov 2006 23:56:02 +0000 (23:56 +0000)]
LDAP patch from Novell, 2006-10-13
Patch from 13 November from Savitha R:
> Fix for delpol deleting ticket policies
> Removed references to old schema
> Moved some unused code under #ifdef HAVE_EDIRECTORY
Kevin Coffman [Mon, 13 Nov 2006 22:59:55 +0000 (22:59 +0000)]
allow server preauth plugin verify_padata function to return e-data
Change server-side preauth plugin interface to allow the plugin's
verify_padata function to return e-data to be returned to the client.
(Patch from Nalin Dahyabhai <nalin@redhat.com>)
Update sample plugins to return e-data to exercise the code.
Fix memory leak in the wpse plugin.
ticket: new
Component: krb5-kdc
Target_Version: 1.6
Tags: pullup
Russ Allbery [Thu, 9 Nov 2006 23:29:26 +0000 (23:29 +0000)]
Delay kadmind random number initialization until after fork
Target_Version 1.6
Tags: pullup
Delay initialization of the random number generator in kadmind until
after the fork and backgrounding of the process. Otherwise, a lack of
sufficient entropy during the system boot process will delay system
boot on systems that run each init script in series and that start
kadmind via an init script.
ticket: new
Component: krb5-admin
Version_Reported: 1.4.4
Jeffrey Altman [Wed, 8 Nov 2006 09:58:49 +0000 (09:58 +0000)]
commits for KFW 3.1 Beta 3
KfW 3.1 beta 3 (NetIDMgr 1.1.4.0)
source for 1.1.4.0
- Eliminate unused commented out code.
nidmgr32.dll (1.1.4.0)
- The configuration provider was incorrectly handling the case where a
configuration value also specifies a configuration path, resulting
in the configuration value not being found. Fixed.
- Fix a race condition when refreshing identities where removing an
identity during a refresh cycle may cause a crash.
- Fix a bug which would cause an assertion to fail if an item was
removed from one of the system defined menus.
- When creating an indirect UI context, khui_context_create() will
correctly fill up a credential set using the selected credentials.
krb5cred.dll (1.1.4.0)
- Fix a race condition during new credentials acquisition which may
cause the Krb5 plug-in to abandon a call to
krb5_get_init_creds_password() and make another call unnecessarily.
- If krb5_get_init_creds_password() returns KRB5KDC_ERR_KEY_EXP, the new
credentials dialog will automatically prompt for a password change
instead of notifying the user that the password needs to be changed.
- When handling WMNC_DIALOG_PREPROCESS messages, the plug-in thread
would only be notified of any changes to option if the user
confirmed the new credentials operation instead of cancelling it.
- Additional debug output for the DEBUG build.
- Reset the sync flag when reloading new credentials options for an
identity. Earlier, the flag was not being reset, which can result
in the new credentials dialog not obtaining credentials using the
new options.
- Handle the case where the new credentials dialog may be closed while
the plug-in thread is processing a request.
- Fix a condition which would cause the Krb5 plug-in to clear the
custom prompts even if Krb5 was not the identity provider.
- Once a password is changed, use the new password to obtain new
credentials for the identity.
netidmgr.exe (1.1.4.0)
- Fix a redraw issue which left areas of the credentials window
unupdated if another window was dragged across it.
- Handle WM_PRINTCLIENT messages so that the NetIDMgr window will
support window animation and other features that require a valid
WM_PRINTCLIENT handler.
- During window repaints, NetIDMgr will no longer invoke the default
window procedure.
- Add support for properly activating and bringing the NetIDMgr window
to the foreground when necessary. If the window cannot be brought
to the foreground, it will flash the window to notify the user that
she needs to manually activate the NetIDMgr window.
- When a new credentials dialog is launched as a result of an external
application requesting credentials, if the NetIDMgr application is
not minimized, it will be brought to the foreground before the new
credentials dialog is brought to the foreground. Earlier, the new
credentials dialog may remain hidden behind other windows in some
circumstances.
- When displaying custom prompts for the new credentials dialog, align
the input controls on the right.
krb5.h not C++-safe due to "struct krb5_cccol_cursor"
Fixed definition of "struct krb5_cccol_cursor" in krb5.h to be C++ safe.
In C++ the struct name is also a type so there can't be a typedef of the same
name, in this case "typedef struct krb5_cccol_cursor *krb5_cccol_cursor;".
ticket: new
status: open
target_version: 1.6
tags: pullup
Jeffrey Altman [Mon, 6 Nov 2006 21:55:13 +0000 (21:55 +0000)]
krb5_get_init_creds_password does not consistently prompt for password changing
krb5_get_init_creds_password() previously did not consistently
handle KRB5KDC_ERR_KEY_EXP errors. If there is a "master_kdc"
entry for the realm and the KDC is reachable, then the function
will prompt the user for a password change. Otherwise, it will
return the error code to the caller. If the caller is a ticket
manager, it will prompt the user for a password change with a
dialog that is different from the one generated by the prompter
function passed to krb5_get_init_creds_password.
With this change krb5_get_init_creds_password() will always
prompt the user if it would return KRB5KDC_ERR_KEY_EXP unless
the function is compiled with USE_LOGIN_LIBRARY. (KFM)
Kevin Coffman [Wed, 1 Nov 2006 22:40:30 +0000 (22:40 +0000)]
Modify the preauth plugin interface so that a plugin's context is
global to all the modules within a plugin. Also, change the
client-side interface so that the preauth plugin context (once
created) lives the lifetime of a krb5_context. This will allow
future changes that can set plugin parameters. The client side
request context lives the lifetime of a call to krb5_get_init_creds().
Make the sample preauth plugins buildable outside the source tree.
Fix minor memory leak in sort_krb5_padata_sequence().
Add a prototype for krb5_do_preauth_tryagain() and change the plugin
interface.
Incorporates fixes from Nalin Dahyabhai <nalin@redhat.com> for leaks
of the function table pointers (rt #4566) and fix KDC crash (rt #4567)
Will Fiveash [Mon, 30 Oct 2006 20:56:57 +0000 (20:56 +0000)]
latest Novell ldap patches and kdb5_util dump support for ldap
I've applied Novell's latest patches for their LDAP KDB plugin. I've
also implemented and tested support for kdb5_util dump using the LDAP
KDB plugin. I also added a Sun copyright on files that I've modified.
Ken Raeburn [Sat, 28 Oct 2006 03:06:30 +0000 (03:06 +0000)]
don't confuse profile iterator in 425 princ conversion
The profile iterator code hangs onto and uses the list of names passed
in. The krb5_425_conv_principal code reuses that array when the
iterator may still be used.
* conv_princ.c (krb5_425_conv_principal): Use separate name arrays for
the iterator and the v4_realm lookup that may be done inside the
iteration loop.
Will Fiveash [Mon, 23 Oct 2006 21:36:46 +0000 (21:36 +0000)]
fix krb5_ldap_iterate to handle NULL match_expr and open_db_and_mkey to use KRB5_KDB_SRV_TYPE_ADMIN
When I ran kdb5_util dump I had two initial problems. First, the LDAP
plugin was not finding the bind DN because open_db_and_mkey() was
passing KRB5_KDB_SRV_TYPE_OTHER to krb5_db_open(). When I change this
to KRB5_KDB_SRV_TYPE_ADMIN then the ldap_kadmind_dn parameter is used
from krb5.conf and a valid bind DN is found. Second,
krb5_ldap_iterate() will core dump when it is called with a NULL
match_expr arg. This is how dump_db calls krb5_db_iterate(). I updated
krb5_ldap_iterate() to use a default_match_expr of "*" if match_expr ==
NULL.
Kevin Coffman [Mon, 23 Oct 2006 16:15:50 +0000 (16:15 +0000)]
fix invalid access found by valgrind
Valgrind found that we were reading past the end of the
preferred padata string. p is manually updated within
the loop and there is no need for the increment. It was
causing the null terminator to be skipped over, rather
than properly terminating the loop.
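The over-read described in the commit above, reconstructed as an added example (this is not the krb5 code): a scanner over a comma-separated preference string that moves p to the separator by hand inside the loop and also increments it in the for clause, so the terminating NUL is stepped over just like a comma and the loop test reads the byte after the string. To make that observable without undefined behaviour, the constructed buffer below places a second string directly after the first inside one array; on a real heap-allocated string the same read is what valgrind reports as an invalid read. The fixed scanner steps over a comma explicitly and never over the terminator.

```c
#include <stddef.h>

/* Constructed buffer: "a,b" and its NUL, then "c", a NUL, and the literal's
 * implicit NUL.  7 bytes: a , b NUL c NUL NUL.  The scanners are handed the
 * first string; anything they read past offset 3 is an over-read. */
const char PREF_BUF[] = "a,b\0c\0";
#define PREF_LEN 3                          /* strlen(PREF_BUF) */

/* Buggy scanner.  Returns the offset at which the loop stopped; *count is
 * the number of tokens it thought it saw.  The for clause's p++ fires after
 * p was already moved to the separator, so '\0' is skipped like ','. */
size_t scan_buggy(const char *s, size_t *count)
{
    const char *p, *q;
    *count = 0;
    for (p = s; *p != '\0'; p++) {          /* bug: unconditional increment */
        for (q = p; *q != ',' && *q != '\0'; q++)
            ;
        (*count)++;
        p = q;                               /* p now at ',' or at the NUL */
    }
    return (size_t)(p - s);
}

/* Fixed scanner: advance past a ',' only; stop on the terminator. */
size_t scan_fixed(const char *s, size_t *count)
{
    const char *p = s, *q;
    *count = 0;
    while (*p != '\0') {
        for (q = p; *q != ',' && *q != '\0'; q++)
            ;
        (*count)++;
        p = (*q == ',') ? q + 1 : q;
    }
    return (size_t)(p - s);
}

/* Wrappers that run both scanners over the constructed buffer. */
size_t buggy_stop_offset(void) { size_t n; return scan_buggy(PREF_BUF, &n); }
size_t buggy_token_count(void) { size_t n; scan_buggy(PREF_BUF, &n); return n; }
size_t fixed_stop_offset(void) { size_t n; return scan_fixed(PREF_BUF, &n); }
size_t fixed_token_count(void) { size_t n; scan_fixed(PREF_BUF, &n); return n; }
```

With this buffer the buggy scanner reports three tokens ("a", "b" and the "c" that belongs to the next string) and stops at offset 6, three bytes past the end of the string it was given; the fixed scanner reports two and stops exactly at the NUL. The pattern to look for in review is any loop whose header increments a pointer that the body also reassigns.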
Ezra Peisach [Sun, 22 Oct 2006 11:59:02 +0000 (11:59 +0000)]
osf1 -oldstyle_liblookup typo
Not really relevant anymore - as we do not support static linking now.
But in ticket 927 (r16776) - a test was added to determine if gnu ld
was in use and change the linker flags accordingly. The variable in
aclocal.m4 was krb5_cv_prog_gnu_ld and this was testing for
krb5_cv_gnu_ld.
Sam Hartman [Sat, 21 Oct 2006 20:20:30 +0000 (20:20 +0000)]
Delete src/lib/ccapi.
The ccapi shipped in 1.6 will not be based off this code
and will live in src/ccapi.
It will be copied onto the trunk and branch when ready, but this code is being removed before the branch cut.
Will Fiveash [Sat, 21 Oct 2006 00:33:24 +0000 (00:33 +0000)]
enabling LDAP mix-in support for kdb5_util load
I now have mix-in working for the kdb5_util load. If the krbSubTrees
realm attr contains a base DN where non-krb entries live, the
load/krb5_ldap_put_principal() code will modify those entries whose
krbPrincipalName attr matches that of the dump princ record being loaded;
otherwise a standalone krbprinc entry will be created under the realm
container.
I also fixed a small bug in krb5_ldap_policydn_to_name() for the version
that uses ldap_explode_dn().