We must switch to OpenSSL 3.x, and getting lib/hcrypto to provide
OpenSSL 3.x APIs is too large an undertaking. Plus the hcrypto backend
is not safe, not secure (probably has timing leaks galore), and no one
has the resources to make it a world-class crypto library, so it just
has to go.
The lib/kadm5/test_marshall program allows one to construct and check
encodings for various struct types for which we have
{kadm5,krb5}_{ret,store}_<type>() functions.
Currently supported are:
- krb5_keyblock
- krb5_principal
- krb5_times
- krb5_address
- krb5_addresses
- krb5_authdata
- krb5_creds
- krb5_key_data
- krb5_tl_data
- kadm5_principal_ent_rec
With this we'll be able to a) construct test vectors, b) use those to
drive fuzzing with AFL or other fuzzers.
Refactor plugin framework to use a single list of loaded plugins; add a new
plugin API where DSOs export a load function that can declare dependencies and
export multiple plugins; refactor kadm5 hook API to use krb5 plugin framework.
More information in krb5-plugin(7).
This change adds plugin support to the kadmin libraries for performing
actions before and after a password change is committed to the KDC database
and after a change is made to the attributes of a principal (specifically,
a change to DISALLOW_ALL_TIX).
This change adds a hook_libraries configuration option to the [kadmin]
section of krb5.conf (or kdc.conf if you use that file) that must be set
to load the module. That configuration option is in the form:
[kadmin]
hook_libraries = /usr/local/lib/krb5/plugins/kadm5_hook/krb5_sync.so
where the value is the full path to the plugin that you want to load. If
this option is not present, kadmind will not load a plugin and the changes
from the patch will be inactive. If this option is given and the plugin
cannot be loaded, kadmind startup will abort with a (hopefully useful)
error message in syslog.
Any plugin used with this patch must expose a public function named
kadm5_hook_init of type kadm5_hook_init_t that returns a kadm5_hook structure.
See sample_hook.c for an example of this initialization function.
typedef struct kadm5_hook {
const char *name;
uint32_t version;
const char *vendor;
void (KRB5_CALLCONV *fini)(krb5_context, void *data);
krb5_error_code (KRB5_CALLCONV *chpass)(krb5_context context,
void *data,
enum kadm5_hook_stage stage,
krb5_error_code code,
krb5_const_principal princ,
uint32_t flags,
size_t n_ks_tuple,
krb5_key_salt_tuple *ks_tuple,
const char *password,
char **error_msg);
...
};
where enum kadm5_hook_stage is:
enum kadm5_hook_stage {
KADM5_HOOK_STAGE_PRECOMMIT,
KADM5_HOOK_STAGE_POSTCOMMIT
};
init creates a hook context that is passed into all subsequent calls.
chpass is called for password changes, create is called for principal
creation (with the newly-created principal in the kadm5_principal_ent_t
argument), and modify is called when a principal is modified. The purpose of
the remaining functions should be self-explanatory.
returning 0 on success and a Kerberos error code on failure, setting the
Kerberos error message in the provided context. The error code passed in is
valid for post-commit hooks and contains the result of the update operation.
This change is submitted under the following license
Copyright 2012, 2013
The Board of Trustees of the Leland Stanford Junior University
Portions Copyright 2018 AuriStor Inc.
Copying and distribution of this file, with or without modification, are
permitted in any medium without royalty provided the copyright notice and
this notice are preserved. This file is offered as-is, without any
warranty.
When new keys are added (typically via kadm5_setkey_principal_3),
truncate the key history to remove old keys, that is keys older than
the newest key which was in effect prior longer ago than the principal's
maximum ticket lifetime. This feature is controlled via the "[kadmin]"
section's "prune-key-history" boolean parameter, which defaults to false.
Currently this happens only when kadm5_setkey_principal_3()
is called directly on the server, the client API simulates
kadm5_setkey_principal_3() via a get, update, modify sequence that does
not prune the key history. The plan is to add a new kadm5 protocol RPC
and convert clients to call that instead.
In setkey_principal_3 seal keys after entry key update
Also, for now, don't check the return value of kadm5_log_modify() in
the new kadm5_s_setkey_principal_3(). This has to be addressed more
globally.
Censor stale keys in kadm5_s_get_principal
In order to support plugins for kadmin that use libkadm5srv, the
libkadm5clnt library has to be versioned to avoid hijacking all
of the function calls that should go to the server library. Omit
the _kadm5_ clients from the public interface, and version
everything else.
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
To stop the errors when building concurrently, we make a number of
changes:
1. stop including generated files in *_SOURCES,
2. make *-protos.h and *-private.h depend on the *_SOURCES,
3. make all objects depend on *-{protos,private}.h,
4. in a few places change dir/header.h to $(srcdir)/dir/header.h,
This appears to work for me with make -j16 on a 4-way box.
Added to 11 out of 14 directories with map files. Not lib/ntlm,
lib/hcrypto and kdc which have the map file as an explicit dependency
to _OBBJECTS.
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
