Greg Hudson [Fri, 25 Feb 2011 17:23:54 +0000 (17:23 +0000)]
Now that all PRNG modules fit nicely into a single source file,
simplify the PRNG abstraction, flattening the implementations into
crypto/krb and removing the indirection through function pointers.
Move the guts of the NSS PRNG implementation into the nss subdir so
that crypto/krb doesn't need to be built with CRYPTO_IMPL_CFLAGS.
Greg Hudson [Thu, 24 Feb 2011 09:58:45 +0000 (09:58 +0000)]
Fortuna as default PRNG
Rewrite prng_fortuna.c to much more closely match the description of
Fortuna in chapter 9 of Cryptography Engineering. Add a facility to
get OS entropy and implement it for Unix and Windows (not yet tested
on Windows) to replace prng/fortuna/entropy.c. Rewrite the test
harness to always ensure stable output and perform a statistical test
on the predictable internal state resulting from the stable-output
tests.
Greg Hudson [Fri, 18 Feb 2011 15:06:57 +0000 (15:06 +0000)]
Fix a conceptual bug in r24639: the intermediate key container length
should be the hash's output size, not its block size. (The bug did
not show up in testing because it is harmless in practice; MD5 has a
larger block size than output size.)
Greg Hudson [Wed, 16 Feb 2011 23:34:37 +0000 (23:34 +0000)]
Don't reject AP-REQs based on PACs
Experience has shown that it was a mistake to fail AP-REQ verification
based on failure to verify the signature of PAC authdata contained in
the ticket. We've had two rounds of interoperability issues with the
hmac-md5 checksum code, an interoperability issue OSX generating
unsigned PACs, and another problem where PACs are copied by older KDCs
from a cross-realm TGT into the service ticket. If a PAC signature
cannot be verified, just don't mark it as verified and continue on
with the AP exchange.
Greg Hudson [Wed, 16 Feb 2011 22:52:41 +0000 (22:52 +0000)]
hmac-md5 checksum doesn't work with DES keys
krb5int_hmacmd5_checksum calculates an intermediate key using an HMAC.
The container for this key should be allocated using the HMAC output
size (which is the hash blocksize), not the original key size. This
bug was causing the function to fail with DES keys, which can be used
with hmac-md5 in PAC signatures.
Greg Hudson [Sun, 13 Feb 2011 21:14:00 +0000 (21:14 +0000)]
Defer hostname lookups in krb5_sendto_kdc
Restructure the locate_kdc and sendto_kdc code to defer getaddrinfo
calls until we need the answer. This requires many changes:
* struct addrlist is now called struct serverlist, and is declared in
os-proto.h instead of k5-int.h. It contains an array of struct
server_entry structures which can hold either a name or an address.
(Address entries are used for locate_kdc module results.)
* The connection state list is now a linked list, and holds address
information directly instead of using a struct addrinfo (this
simplifies memory management). Each connection entry contains a
callback buffer (previously stored in a separate array) and an index
into the server list.
* The {addrstate} trace formatting primitive is no longer needed, and
has been replaced by {connstate}. There is also a new tracing event
for resolving hostnames.
* locate_server, locate_kdc, free_serverlist, and sendto get their
prefixes changed from krb5int_ to k5_ as their prototypes were being
adjusted anyway. The family argument is gone from the locate
functions as it was never productively used. k5_sendto now receives
the socket types of interest.
* krb5_sendto_kdc will now pass a 0 socktype to k5_locate_kdc if both
socket types are wanted. There were some allowances for this in
locate but this was never previously done. In order to be
conservative when invoking locate modules, we always pass an
explicit socktype, thus calling lookup twice (as we did before,
albeit with a separate init/fini cycle) in the common case. When
creating hostname entries in serverlist from profile configuration,
we preserve the 0 value of socktype, and later create both TCP and
UDP addresses from the getaddrinfo results when the host is
resolved.
* Some accessor functions previously used by libkrb4 have been removed
as they impinged upon this work.
Greg Hudson [Sun, 13 Feb 2011 19:12:36 +0000 (19:12 +0000)]
Trace logging file descriptor leak
File descriptors created for trace logging were never being closed.
With short-lived contexts this leak would eventually overflow the
process's file table. Correct this oversight by closing the file
descriptor in file_trace_cb before freeing its container.
Greg Hudson [Wed, 9 Feb 2011 04:46:46 +0000 (04:46 +0000)]
Assume ELF on FreeBSD if objformat doesn't exist
If /usr/bin/objformat doesn't exist on a FreeBSD system, it could
indicate a pre-3.0 a.out version or a post-7.0 ELF version. Since
FreeBSD 3.0 is now twelve years old, it's safer to assume ELF than
a.out.
Zhanna Tsitkov [Tue, 8 Feb 2011 21:25:21 +0000 (21:25 +0000)]
Set JAVADOC_AUTOBRIEF to YES to allow Doxygen interpret the first line of a JavaDoc-style comment as the brief description.
Also, minor argument name fix in krb5.hin
Greg Hudson [Mon, 7 Feb 2011 18:40:00 +0000 (18:40 +0000)]
Improve acceptor name flexibility
Be more flexible about the principal names we will accept for a given
GSS acceptor name. Also add support for a new libdefaults profile
variable ignore_acceptor_hostname, which causes the hostnames of
host-based service principals to be ignored when passed by server
applications as acceptor names.
Note that we still always invoke krb5_sname_to_principal() when
importing a gss-krb5 mechanism name, even though we won't always use
the result. This is an unfortunate waste of getaddrinfo/getnameinfo
queries in some situations, but the code surgery necessary to defer
it appears too risky at this time.
Greg Hudson [Tue, 1 Feb 2011 01:11:51 +0000 (01:11 +0000)]
kadmin's ktremove can remove wrong entries when removing kvno 0
Because of 8-bit wraparound, keytabs can contain entries with kvno 0.
Because 0 is a distinguished kvno value for krb5_kt_get_entry(),
kadmin's remove_principal() winds up substituting the specified kvno
with the highest-numbered kvno of the specified principal in the
keytab. Make sure not to perform this substitution when in
specified-kvno mode.
(This fix leaves behind a very minor bug where "ktrem principal 0"
returns silently, instead of producing an error message like it
normally would, if principal exists in the keytab but not at kvno 0.)
Greg Hudson [Tue, 25 Jan 2011 05:20:07 +0000 (05:20 +0000)]
Make principal renaming work in libkadm5srv by converting to explicit
salts as necessary. Add a principal rename command to the client.
(The RPC infrastructure was already present.)
Adapted from patches submitted by mdw@umich.edu and lha@apple.com.
Greg Hudson [Tue, 25 Jan 2011 00:23:48 +0000 (00:23 +0000)]
Make gss_krb5_set_allowable_enctypes work for the acceptor
With the addition of enctype negotiation in 1.7, a gss-krb5 acceptor
can choose an enctype for the acceptor subkey other than the one in
the keytab. If the resulting security context will be exported and
re-imported by another gss-krb5 implementation (such as one in the
kernel), the acceptor needs a way to restrict the set of negotiated
enctypes to those supported by the other implementation. We had that
functionality for the initiator already in the form of
gss_krb5_set_allowable_enctypes; this change makes it work for the
acceptor as well.
Zhanna Tsitkov [Tue, 11 Jan 2011 20:00:52 +0000 (20:00 +0000)]
Asn.1 decode related file rearrangement. It was made based on the following criteria:
1. based on functionality (for example, kdc-only code)
2. Well defined clusters of functions (fast, sam).
Greg Hudson [Mon, 10 Jan 2011 20:32:56 +0000 (20:32 +0000)]
Tighten up the error handling in the mechglue's gss_canonicalize_name,
eliminating a null pointer dereference in the (unlikely) case that
allocation of out_union fails. Reported by aberry@likewise.com.
Greg Hudson [Mon, 10 Jan 2011 18:25:36 +0000 (18:25 +0000)]
Fix a couple of cases in the SPNEGO implementation where a
half-constructed SPNEGO context could be leaked. Patch from
aberry@likewise.com, slightly amended.
Greg Hudson [Tue, 28 Dec 2010 18:27:17 +0000 (18:27 +0000)]
Don't attempt to serialize a NULL authdata context when serializing a
GSSAPI context (most often seen with initiator contexts). Patch from
aberry@likewise.com.
Greg Hudson [Tue, 14 Dec 2010 18:46:46 +0000 (18:46 +0000)]
Ensure time() is prototyped in g_accept_sec_context.c
r22736 added a call to time() in g_accept_sec_context.c. Include
<time.h> to ensure that this call is correctly prototyped. Previously
<time.h> was only included implicitly through <pthread.h>, which
doesn't apply when thread support is disabled.
Greg Hudson [Tue, 14 Dec 2010 17:28:38 +0000 (17:28 +0000)]
Fix a regression in the client-side ticket renewal code where KDC
options were not folded into the renewal request (most notably, the
KDC_OPT_RENEWABLE flag), so we didn't request renewable renewed
tickets. Add a simple test case for ticket renewal.
Tom Yu [Fri, 10 Dec 2010 01:06:26 +0000 (01:06 +0000)]
handle MS PACs that lack server checksum
target_version 1.9
tags: pullup
Apple Mac OS X Server's Open Directory KDC issues MS PAC like
authorization data that lacks a server checksum. If this checksum is
missing, mark the PAC as unverfied, but allow
krb5int_authdata_verify() to succeed. Filter out the unverified PAC
in subsequent calls to krb5_authdata_get_attribute(). Add trace
points to indicate where this behavior occurs.
Thanks to Helmut Grohne for help with analysis. This bug is also
Debian Bug #604925:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604925
This change should also get backported to krb5-1.8.x.
Tom Yu [Tue, 7 Dec 2010 23:45:15 +0000 (23:45 +0000)]
Add comment noting that RFC 4121 appears to omit RC4-HMAC from the
list of "not-newer" enctypes, even though RFC 4757 effectively treats
it as one. Suggested by Derrick Brashear.
Greg Hudson [Wed, 1 Dec 2010 20:01:46 +0000 (20:01 +0000)]
Implement restrict_anonymous_to_tgt realm flag
Implement a new realm flag to reject ticket requests from anonymous
principals to any principal other than the local TGT. Allows FAST to
be deployed using anonymous tickets as armor in realms where the set
of authenticatable users must be constrained.
Greg Hudson [Tue, 30 Nov 2010 21:20:49 +0000 (21:20 +0000)]
SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
Fix multiple checksum handling bugs, as described in:
CVE-2010-1324
CVE-2010-1323
CVE-2010-4020
CVE-2010-4021
* Return the correct (keyed) checksums as the mandatory checksum type
for DES enctypes.
* Restrict simplified-profile checksums to their corresponding etypes.
* Add internal checks to reduce the risk of stream ciphers being used
with simplified-profile key derivation or other algorithms relying
on the block encryption primitive.
* Use the mandatory checksum type for the PKINIT KDC signature,
instead of the first-listed keyed checksum.
* Use the mandatory checksum type when sending KRB-SAFE messages by
default, instead of the first-listed keyed checksum.
* Use the mandatory checksum type for the t_kperf test program.
* Use the mandatory checksum type (without additional logic) for the
FAST request checksum.
* Preserve the existing checksum choices (unkeyed checksums for DES
enctypes) for the authenticator checksum, using explicit logic.
* Ensure that SAM checksums received from the KDC are keyed.
* Ensure that PAC checksums are keyed.
Greg Hudson [Sun, 28 Nov 2010 01:36:42 +0000 (01:36 +0000)]
Use for loops for recursion in the Windows build, cutting down on the
verbiage in Makefile.in files. For correctness of output, every
Makefile.in mydir= definition is changed to use $(S) instead of /.
Greg Hudson [Thu, 25 Nov 2010 20:28:30 +0000 (20:28 +0000)]
Fix Windows build
Repair the Windows build. Tested with the prepare-on-Unix method.
Some specific changes include:
* Removed the IPC finalizer (no longer used after r20787) from
ccapi/lib/ccapi_ipc.c, as it was creating a difficult dependency
chain for the pingtest build in ccapi/test. Also updated pingtest
to use the k5_ipc_stream interfaces since cci_stream is gone.
* Reverted the apparently non-functional r20277.
* klist -V prints just "Kerberos for Windows", since it has no access
to PACKAGE_NAME and PACKAGE_VERSION from autoconf. This should be
addressed correctly.
* krb5, telnet, gssftp, and NIM are removed from the build.
* Some files had CRLFs; these were replaced with LFs and the
svn:eol-style property set on the files. Otherwise the CRLFs became
CRCRLFs after the zip transfer.
* Windows does not have opendir/readdir, so added Windows code to
prof_parse.c for includedir. Probable fodder for a libkrb5support
portability shim.
Tom Yu [Tue, 23 Nov 2010 23:51:50 +0000 (23:51 +0000)]
Update krb5_gic_opt_private and related code to reflect the change of
krb5_expire_callback_func from a function typedef to a function
pointer typedef. This was causing segfaults.
Greg Hudson [Sun, 21 Nov 2010 17:35:49 +0000 (17:35 +0000)]
Suppress building camellia-gen in "make check" for now (it has a build
issue on Solaris which will go away when Camellia support becomes
unconditional).
Greg Hudson [Tue, 16 Nov 2010 02:30:16 +0000 (02:30 +0000)]
Handle referral realm in kprop client principal
kprop uses krb5_sname_to_principal() to determine its client
principal. If the local hostname cannot be mapped to a realm based on
the profile's domain_realm section, krb5_sname_to_principal() will (as
of 1.6) return a principal with the referral realm (""), which does
not work in a client principal. Handle this by substituting the
default realm.
Greg Hudson [Tue, 16 Nov 2010 00:12:38 +0000 (00:12 +0000)]
The iprop dejagnu test had some deceptive commented-out debugging code
(it would set up the user to run kpropd in the master environment
instead of the slave environment). Make it more useful.
Greg Hudson [Sat, 6 Nov 2010 00:02:13 +0000 (00:02 +0000)]
After a failed kdb5_util load, make a subsequent load operation work
by removing the remnant temporary files after obtaining a lock. To
make this safe, the private contract for temporary DB creation and
promotion had to be altered, along with many of the DB2 internal
helper functions.
Greg Hudson [Thu, 4 Nov 2010 21:27:03 +0000 (21:27 +0000)]
Further kdb_db2 code cleanup: make gen_dbsuffix return a
krb5_error_code to simplify error handling in callers, and discard the
db_lf_time field which was set but never used.
Greg Hudson [Tue, 2 Nov 2010 17:21:28 +0000 (17:21 +0000)]
Clean up the DB2 KDB module code a bit, making it more conformant with
current coding practices. Mostly namespace changes, but also simplify
krb5_db2_destroy().
Greg Hudson [Tue, 26 Oct 2010 19:36:58 +0000 (19:36 +0000)]
FILE keytabs have been able to handle write operations since krb5 1.7,
as an apparently unintended side effect of r20594. Clean up the code
by combining the identical resolve functions for FILE and WRFILE, and
removing the code to set up a WRFILE default keytab name in kadmin.c.
Also fixes a slight display bug; k5test.py needs to be adjusted to
expect the correct output.
projects / thirdparty / krb5.git / log
