Commit Graph

17988 Commits

Author SHA1 Message Date
Nicolas Williams
ae8908bf81 kadmin: Add disallow-client attribute
This is useful for services that need not be clients.  For example, an
untrusted service that need only accept authentication from clients,
but not initiate authentication to other services.
2021-06-22 13:01:24 -05:00
Nicolas Williams
f6ac4ee864 roken: Fix parse flags bug 2021-06-22 13:01:24 -05:00
Luke Howard
0452d8c601 krb5: check return value in krb5_get[_cache]_next()
krb5_get_next() and krb5_get_cache_next() do not check for krb5_kcm_call()
returning non-zero before accessing the repsonse data; they only handle the
case where the return value is KRB5_CC_END.

Return immediately if the return value of krb5_kcm_call() is not KRB5_CC_END or
0. This was fixed in the Apple code.
2021-06-16 12:09:19 +10:00
Luke Howard
718e3f8b68 hx509: correct ASN.1 OID typo for SHA-384
A copy and paste error initialized the SHA-384 structure in libhx509
with the OID for SHA-512.

Fixes: 776
2021-05-19 14:41:03 +10:00
Luke Howard
497a561b4d gss: avoid string concatenation warning in error message init
Some compilers with -Wstring-concatenation enabled warned about a suspicious
concatenation of string literals in the initialization of the GSS-API error
message array.

At the expense of a long line, avoid this warning but explicitly concatenating
the offending string literal.

Fixes: #775
2021-05-17 10:09:01 +10:00
Luke Howard
f67dd0f903 roken: move Heimdal vis.h extensions to separate header
vis.h is not built on platforms (such as macOS) that already have
that header, which resulted in prototypes for Heimdal-specific
vis.h extensions being absent.

Move those prototypes to a separate header, vis-extras.h, which
must be explicitly included in order to use the Heimdal extensions.
2021-05-17 10:05:58 +10:00
Nicolas Williams
5aaf12351a iprop: More default HDB type fixes 2021-05-04 14:53:40 -05:00
Nicolas Williams
0c1cd18e03 iprop: Fix default dbname choice on initial prop
If a DB does not already exist, ipropd-slave will use the compiled
default, which is not necessarily what is desired or configured in
`[kdc]`.

This change makes `hdb_default_db()` return the first dbanme in the
`[kdc]` configuration, falling back on `HDB_DEFAULT_DB`.

Also, this adds a `--database` option to `ipropd-slave`.
2021-05-03 15:02:43 -05:00
Nicolas Williams
034413892e roken: Fix Makefile race 2021-04-26 14:40:00 -05:00
Nicolas Williams
1e65ebd5eb asn1: Fix Windows build 2021-04-25 10:45:43 -05:00
Nicolas Williams
ec171ef0b6 asn1: Add missing file gen_print.c 2021-04-25 10:45:43 -05:00
Nicolas Williams
5c93af553b asn1: Build both backends
The codegen backend is faster than the template backend, even for
modules that don't use IOS.  On x64 we see the template backend being
4% slower for TGS requests using the kdc-tester program.

So let's build both, libasn1 (codegen) and libasn1template when
configured with --disable-asn1-templating, but make sure that the
asn1_print utility is linked with libasn1template.

Eventually we'll want to either optimize the template backend better,
or add IOS and JSON printing support to the codegen backend.
2021-04-23 22:15:51 -05:00
Nicolas Williams
32b314b174 asn1: Generate print stubs (codegen) 2021-04-23 22:15:51 -05:00
Nicolas Williams
e3359f6bf5 roken: Install useful rk utils 2021-04-23 22:15:51 -05:00
Nicolas Williams
83fe958211 hx509/bx509: Long-lived certs weren't being issued 2021-04-23 14:49:03 -05:00
Nicolas Williams
407f12cc0b asn1: Fix --disable-asn1-templating build 2021-04-21 22:40:41 -05:00
Nicolas Williams
6ff3dbf297 bx509: Add addresses q-param for /get-tgt 2021-04-14 19:28:08 -05:00
Nicolas Williams
16d6bda3aa krb5: Add _krb5_parse_address_no_lookup() 2021-04-14 19:27:21 -05:00
Nicolas Williams
a5e289f4f7 kdc: Add warn_ticket_addresses config option 2021-04-13 23:22:45 -05:00
Nicolas Williams
9dcab76724 asn1: Fix build concurrency bug 2021-04-01 01:08:00 -05:00
Nicolas Williams
9ff74bcd21 asn1: Fix check/print type confusion 2021-04-01 01:08:00 -05:00
Nicolas Williams
e7a8457fd2 asn1: Fix extra.c printer functions 2021-04-01 01:08:00 -05:00
Nicolas Williams
6216117da0 iprop: Optional async slave HDB writes
New command-line option for ipropd-slave to disable sync HDB writes
also when replaying the log.
2021-03-31 22:59:38 -05:00
Nicolas Williams
c2bf9b9e71 kx509: Improve start_realm logic 2021-03-31 22:59:38 -05:00
Nicolas Williams
5443189b96 krb: Fix ccache resolve bug affecting ssh/kinit 2021-03-31 22:59:38 -05:00
Nicolas Williams
614b3a5914 asn1: Fix OS X build
We can't use VIS_DQ on when the OS has a vis implementation but lacks
VIS_DQ.
2021-03-27 23:29:34 -05:00
Nicolas Williams
eb2bd63207 roken: Fix OS X build? 2021-03-27 11:35:21 -05:00
Benjamin Kaduk
7f3445f1b7 Replace dead link in kerberos.8
While Ken Hornstein's FAQ was useful in its day, much of its content
is no longer relevant (e.g., Kerberos 4) or even actively harmful
(e.g., the latest version of MIT krb5 is not 1.2.1).  It was also
somewhat MIT-krb5-focused, especially relating to configuration file
snippets, which is not necessarily a great fit for the Heimdal
documentation.

Replace it with a tutorial hosted on kerberos.org and the classic
"dialogue" from Bill Bryant.

Fixes: #766
2021-03-26 18:47:49 -05:00
Nicolas Williams
7985f402cb asn1: Attempt to fix makefile concurrency bug 2021-03-26 17:27:47 -05:00
Nicolas Williams
c74c57a143 asn1: Fix lib/asn1/Makefile.am buglet 2021-03-26 17:27:47 -05:00
Nicolas Williams
6abb8bc286 Document OID arcs delegated to Heimdal by SU 2021-03-25 10:38:28 -05:00
Nicolas Williams
dc74e9d00c kdc: Add Heimdal cert ext for ticket max_life
This adds support for using a Heimdal-specific PKIX extension to derive
a maximum Kerberos ticket lifetime from a client's PKINIT certificate.

KDC configuration parameters:

 - pkinit_max_life_from_cert_extension
 - pkinit_max_life_bound

If `pkinit_max_life_from_cert_extension` is set to true then the
certificate extension or EKU will be checked.

If `pkinit_max_life_bound` is set to a positive relative time, then that
will be the upper bound of maximum Kerberos ticket lifetime derived from
these extensions.

The KDC config `pkinit_ticket_max_life_from_cert` that was added earlier
has been renamed to `pkinit_max_life_from_cert`.

See lib/hx509 and lib/krb5/krb5.conf.5.
2021-03-24 19:12:00 -05:00
Nicolas Williams
15b2094079 hx509: Add Heimdal cert ext for ticket max_life
This adds support for using a Heimdal-specific PKIX extension to derive
a maximum Kerberos ticket lifetime from a client's PKINIT certificate:

 - a `--pkinit-max-life` to the `hxtool ca` command
 - `hx509_ca_tbs_set_pkinit_max_life()`
 - `hx509_cert_get_pkinit_max_life()`
 - `HX509_CA_TEMPLATE_PKINIT_MAX_LIFE`

There are two extensions.  One is an EKU, which if present means that
the maximum ticket lifetime should be derived from the notAfter minus
notBefore.  The other is a certificate extension whose value is a
maximum ticket lifetime in seconds.  The latter is preferred.
2021-03-24 19:12:00 -05:00
Nicolas Williams
f0e628c2cf asn1: Add Heimdal cert ext for ticket max_life 2021-03-24 19:12:00 -05:00
Nicolas Williams
09274ca3dc hx509: Finish any-EKU support 2021-03-24 17:48:17 -05:00
Nicolas Williams
cb2064d387 krb5: Make q param of DH moduli optional
MSFT makes the `q` field of `DomainParameters` OPTIONAL even though it's
actually required.  We currently validate DH groups not by validating
that p is a Sophie Germain prime but by checking the proposed group
against a compiled-in list and against a krb5.moduli file, therefore we
don't need q.  Besides, for Oakley groups, because p is a Sophie Germain
prime, we'd have q=p/j and j=2, so we can always compute q as needed
(and MIT Kerberos does).
2021-03-24 17:48:17 -05:00
Nicolas Williams
5d939ba1b6 hx509: Make hxtool default store type to FILE
A common complaint about hxtool(1) is that if one fails to add a TYPE:
prefix to a CSR or certificate/private key store names, then hxtool
fails somewhat inscrutably.  We can't just fix hx509_certs_init() or
hx509_certs_append() because they default to "MEMORY" so who knows what
might break.  Instead we fix all uses of user-provided store names in
hxtool to have a FILE: prefix if no type was given.  For CSRs we'll
default to adding the only type prefix supported, "PKCS10".
2021-03-24 11:03:14 -05:00
Nicolas Williams
8e7c7209e8 kdc: Add param to derive max_life from client cert
This adds a KDC configuration parameter that can be used to indicate
that a PKINIT client's certificate's notAfter overrides the client
principal's HDB entry's max_life.  This parameter is a relative time
parameter, and it enables this only if set to a non-zero value (defaults
to zero).  The value of this parameter caps the max_life inferred from
the certificate.
2021-03-23 16:44:50 -05:00
Nicolas Williams
dfdc6c3a06 kdc: Document PKINIT config options 2021-03-23 16:24:25 -05:00
Nicolas Williams
94f9d67b3d asn1: Update AFL screenshot 2021-03-18 18:07:23 -05:00
Nicolas Williams
36c6342230 asn1: Fix Linux build 2021-03-18 18:03:34 -05:00
Nicolas Williams
57de79ce6d asn1: Make asn1_print good for benchmarking 2021-03-11 11:58:41 -06:00
Nicolas Williams
c4ff603adf asn1: Fix asn1_print build w/ templating 2021-03-11 11:58:18 -06:00
Nicolas Williams
36c6ff407e asn1: Fix Windows build harder 2021-03-11 09:57:18 -06:00
Nicolas Williams
a858821194 asn1: Fix Windows build 2021-03-11 09:50:48 -06:00
Nicolas Williams
4d39e8c1b2 asn1: Also fuzz using X.690 sample 2021-03-11 09:36:53 -06:00
Nicolas Williams
d0298e5804 asn1: Fix recent der_replace_tag() bug
Recently introduced.
2021-03-11 09:13:09 -06:00
Nicolas Williams
5bb5887f8c asn1: Fix recent der_match_tag2() bug
Recently introduced.
2021-03-11 09:12:43 -06:00
Nicolas Williams
1b5fe4a35c asn1: Test x690 sample with both backends
And remove it from the library itself.
2021-03-10 22:52:07 -06:00
Nicolas Williams
6595f080e1 hx509: Fix hxtool building w/o ASN.1 templating 2021-03-10 21:21:26 -06:00