Commit Graph

2313 Commits

Author SHA1 Message Date
Nicolas Williams
0c7b06f9ca cf: Check cc support of -Werror=enum-conversion 2022-01-13 15:33:04 -06:00
Nicolas Williams
6ee1554f3e Ignore enum-conversion errors
This is not a very good fix, though the warnings remain.  Such errors
can in principle be a problem because in C there is no standard enum
sizing.

In this case we have two enums with the same elements and so the same
size, so it's clearly not a problem.
2022-01-11 17:15:59 -06:00
Nicolas Williams
472509fd46 gsskrb5: Do not leak authenticator on retry
We have a Heimdal special where when the acceptor sends back an error
token for clock skew or ticket-not-yet-valid errors then the acceptor
application will get GSS_S_CONTINUE_NEEDED from gss_accept_sec_context()
so that the initiator may retry with the same context.

But we were retaining the auth_context, which means that when the
initiator does send a new token, the acceptor leaks memory because
krb5_verify_ap_req2() doesn't clean up the auth_context on reuse.  The
end result is that we leak a lot in those cases.
2022-01-07 21:04:19 -06:00
Nicolas Williams
2d83a0b8cd gss: Make sure to indicate PAC buffers 2022-01-08 10:38:01 +11:00
Nicolas Williams
c2e3c5b66e gss: Add way to set authenticator authz-data
Now we can set Authenticator authorization-data with
gss_set_name_attribute().
2022-01-08 10:38:01 +11:00
Nicolas Williams
fe11481cc5 gss: Make krb5 name attrs table-driven
The implementation of GSS name attributes for Kerberos (or any mechanism
with more than a tiny handful) is much nicer as a table-driven
implementation.

We now have stubs for setting and deleting attributes as well, though
these currently always fail.
2022-01-08 10:38:01 +11:00
Luke Howard
27d62bb27e gss: avoid showing PAC in test_context if anon
The Heimdal KDC does not add a PAC if an anonymous ticket was issued. As such,
test_context should not expect PAC naming attributes to be present if the
--anonymous option was passed. (This is irrelevant for now as GSS_C_ANON_FLAG
is not honored by the krb5 mechanism.)
2022-01-08 10:12:07 +11:00
Luke Howard
402884a310 gss: validate attr enumeration in test_context
Ensure the "urn:mspac:client-info" name attribute is enumerated by
gss_inquire_name(), as well as being available via gss_get_name_attribute().
2022-01-08 09:38:30 +11:00
Nicolas Williams
2b9b701dc4 gss: Fix warnings (from be708ca3cf) 2022-01-06 16:21:55 -06:00
Nicolas Williams
3af6926c7d gss: Fix sign extension bug (from be708ca3cf)
When unsigned char values are shifted, they are promoted to int (unless
sizeof(int) == sizeof(char)).  This means that the change in be708ca3cf
ultimately leads to a sign extension bug.
2022-01-06 15:25:38 -06:00
Nicolas Williams
2375fa9d1e gss: Too many compilers don't support 'restrict' 2022-01-05 18:03:39 -06:00
Jeffrey Altman
9427796f1a Generate .x source files as .c source files
The generated .x source and .hx header files are plain C source files.
Generate them as .c source files and avoid unnecessary file copying
and special makefile rules.

Change-Id: Ifc4bbe3c46dd357fdd642040ad964c7cfe1d395c
2022-01-05 17:36:24 -06:00
Jeffrey Altman
3efca1e98a lib/gssapi: define LIB_ASN1 on Windows if ASN1 generated objects
The LIB_ASN1 definition instructs the library objects to access
exported ASN1 generated DATA symbols as internal symbols.

Change-Id: Ia8c674c879c9bc46ca9dc7f249114f22b1d0dfd5
2022-01-05 12:58:48 -06:00
Luke Howard
6d505df510 gss: link test_names.exe against Heimdal DLL 2022-01-04 14:35:28 +11:00
Luke Howard
4803969580 gssapi: add name_attrs.c to Windows build 2022-01-04 13:06:48 +11:00
Luke Howard
5cce73a6ef gss: expose canonical name from PAC if present
Expose canonical name via the canonical-name naming attribute.
2022-01-03 15:59:16 +11:00
Luke Howard
2a826d769f gss: expose PAC info buffers under urn:mspac:
Expose PAC info buffers using naming attributes prefixed with urn:mspac:,
aligned with MIT.
2022-01-03 15:59:16 +11:00
Nicolas Williams
7e311ea9bf gss: Fix test_names clang-13 build 2022-01-02 21:19:13 -06:00
Nicolas Williams
be708ca3cf gsskrb5: Add simple name attributes support
This adds Kerberos mechanism support for:

 - composite principal name export/import
 - getting rudimentary name attributes from GSS names using
   gss_get_name_attribute():
    - all (raw) authorization data from the Ticket
    - all (raw) authorization data from the Authenticator
    - transit path
    - realm
    - component count
    - each component
 - gss_inquire_name()
 - gss_display_name_ext() (just for the hostbased service name type
                           though)

The test exercises almost all of the functionality, except for:

 - getting the PAC
 - getting authz-data from the Authenticator
 - getting the transit path

TBD (much) later:

 - amend test_context to do minimal name attribute checks as well
 - gss_set_name_attribute() (to request authz-data)
 - gss_delete_name_attribute()
 - getting specific authorization data elements via URN fragments (as
   opposed to all of them)
 - parsing the PAC, extracting SIDs (each one as a separate value)
 - some configurable local policy (?)
 - plugin interface for additional local policy
2022-01-01 23:30:15 -06:00
Luke Howard
f3484d5e2e gss: pass GSS_C_NO_OID name type through to mechanism
Allow the mechanism, rather than the mechanism glue, to determine the default
name type if GSS_C_NO_OID was passed in when importing a name.
2022-01-02 16:28:20 +11:00
Nicolas Williams
09f3f96467 gsskrb5: Use optimistic anon PKINIT armored FAST 2021-12-30 18:54:54 +11:00
Nicolas Williams
83625d349e gss: Make initiator inq. ctx. return canon. target
Make gss_inquire_context() on the established context on the initiator
side return the canonical target acceptor name.
2021-12-06 17:39:22 -06:00
Nicolas Williams
5ace5f5a6a gss: Fix dst TGT deleg w/o dns_lookup_realm
Setting `dns_lookup_realm = false` in `[libdefaults]` and setting name
canon rules that force the empty realm causes destination-TGT delegation
to break because the client doesn't know the service's realm.

Because MIT and Heimdal check that the (unauthenticated plaintext)
sname/realm of the Ticket in the KDC reply matches the sname/srealm in
the enc-part of the KDC reply, we know we can trust the realm of the
ticket found in the ccache.  So use that.
2021-12-06 17:39:22 -06:00
Luke Howard
eb293680a8 gss: fix regression in non-8003 checksums
Samba3 sends an AP-REQ, rather than 8003, checksum in a Kerberos inital context
token. This regressed in #835 as we forgot to set the
KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM flag before processing the AP-REQ
checksum in this path.
2021-12-07 10:41:40 +11:00
Andrew Bartlett
7686028718 Use UTF-8 in KTH copyright notice
Samba is starting to protect against bi-di attacks and the starting point
is to require that input files be fully UTF-8.  In 2021 this is a reasonable
starting point anyway.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2021-11-29 12:50:26 +11:00
Nicolas Williams
5f63215d0d Always perform == or != operation on cmp function result
Although not required to address bad code generation in
some versions of gcc 9 and 10, a coding style that requires
explicit comparison of the result to zero before use is
both clearer and would have avoided the generation of bad
code.

This change converts all use of cmp function usage from

```
    if (strcmp(a, b) || !strcmp(c, d)) ...
```

to

```
    if (strcmp(a, b) != 0 || strcmp(c, d)) == 0
```

for all C library cmp functions and related:

 - strcmp(), strncmp()
 - strcasecmp(), strncasecmp()
 - stricmp(), strnicmp()
 - memcmp()

Change-Id: Ic60c15e1e3a07e4faaf10648eefe3adae2543188
2021-11-24 22:30:44 -05:00
Jeffrey Altman
02200d55ea Address GCC Bug 95189 memcmp wrongly stripped like strcmp
As documented in Russell O'Connor's blog, Heimdal when compiled with
some versions of gcc 9 and 10 would generate incorrect behaviors from
_gssapi_verify_mic_arcfour(), _gssapi_unwrap_arcfour(),
_gssapi_unwrap_iov_arcfour() and _gssapi_unwrap_iov_arcfour().

As a result of the bug, code of the form

   if (memcmp(a, "\x00\x00\x00\x00"))

and

   cmp = memcmp(a, "\x00\x00\x00\x00")

will be compiled as if it were written as

   if (strcmp(a, "\x00\x00\x00\x00"))

and

   cmp = strcmp(a, "\x00\x00\x00\x00")

but not

   if (memcmp(a, "\x00\x00\x00\x00") != 0)

and

   cmp = (memcmp(a, "\x00\x00\x00\x00") != 0)

Bad code is generated whenever one of the parameters to memcmp()
is a constant with at least one NUL in the first four octets and
the return value is used immediated without a boolean comparison.

The gcc bug 95189 has since been fixed.

This change applies a defensive programming technique to avoid
the broken code generation.

Change-Id: I1db2a561735317cb6cac66a0ec9caf5443e65e03
Link: https://r6.ca/blog/20200929T023701Z.html
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189
Reported-by: Buck Huppmann (buckh@pobox.com) <buckh@pobox.com>
2021-11-24 22:30:44 -05:00
Jeffrey Altman
8123ffc3f2 _gssapi_unwrap_iov_arcfour remove duplicate code block
ad3acc2aef ("lib/gssapi/krb5:
implement gss_[un]wrap_iov[_length] with arcfour-hmac-md5")
introduced a duplicate block of code.

This change removes the unnecessary code duplication.

Change-Id: I557c590aea51b73dc25d6ce4be4ea84b9dfadd9f
2021-11-24 22:30:44 -05:00
Nicolas Williams
8ed48bc54d gss-token: Fix exit code 2021-11-17 17:27:40 -06:00
Nicolas Williams
2f31063e97 spnego: Minor style cleanup 2021-11-11 22:41:13 -06:00
Nicolas Williams
7a19658c1f spnego: Fix NULL deref
Reported to Heimdal by Michał Kępień <michal@isc.org>.

From the report:

Acknowledgement
---------------

This flaw was found while working on addressing ZDI-CAN-12302: ISC BIND
TKEY Query Heap-based Buffer Overflow Remote Code Execution
Vulnerability, which was reported to ISC by Trend Micro's Zero Day
Initiative.
2021-11-11 22:41:13 -06:00
Robert Crowston
5d462795ce Add stub for gss_acquire_cred_impersonate_name(). 2021-10-19 20:45:40 +11:00
Luke Howard
06e6113960 gss: _gss_spnego_set_sec_context_option return
Fix _gss_spnego_set_sec_context_option() to return GSS_S_UNAVAILABLE if no
context handle is provided, so that mechglue will skip to the next mechanism.
There are no globally settable options on SPNEGO itself.

Fixes: #803
2021-10-11 14:57:09 +11:00
Luke Howard
8fc67658a6 various: squash MSVC uninitialized variable warnings (C4701)
Initialize some variables to silence some false positive MSVC warnings.
2021-09-21 18:59:38 +10:00
Robert Crowston
9b46d6436f Only #include <malloc.h> if it is available.
e.g., OpenBSD does not provide this header.
2021-09-07 12:49:19 +10:00
Luke Howard
fc9f9b322a gss: implement gss_krb5_ccache_name()
Correctly implement gss_krb5_ccache_name() in terms of
gss_set_sec_context_option(GSS_KRB5_CCACHE_NAME_X). The previous implementation
was a NOOP.

Note: global ccache name should really be thread-specific rather than global.

Closes #803.
2021-09-06 13:26:55 +10:00
Luke Howard
774f50b28b gss: move GSS pre-auth helpers to convenience lib
GSS pre-auth helpers do not belong in libgssapi, so move them to a separate
convenience library.
2021-08-27 15:20:07 +10:00
Nicolas Williams
a5378daa6c Revert "gss: Fix leak of output_token in GSS PA"
This reverts commit 041907d517.
2021-08-26 01:06:33 -05:00
Nicolas Williams
041907d517 gss: Fix leak of output_token in GSS PA 2021-08-25 22:53:52 -05:00
Andrew Bartlett
6f21611755 Avoid -Werror=address by skipping pointless _mg_buffer_zero()
We do not need to zero out the local variable output_token
if we do not later call gss_release_buffer() on it.

This aovids a -Werror=address compile failure under the
strict compiler options Samba uses when compiled on Ubuntu
20.04 with gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

In file included from ../../source4/heimdal/lib/gssapi/preauth/pa_client.c:34:
../../source4/heimdal/lib/gssapi/preauth/pa_client.c:148:21: error: the address of ‘output_token’ will always evaluate as ‘true’ [-Werror=address]
  148 |     _mg_buffer_zero(&output_token);
      |                     ^
../../source4/heimdal/lib/gssapi/mech/mech_locl.h:72:7: note: in definition of macro ‘_mg_buffer_zero’
   72 |   if (buffer) {   \
      |       ^~~~~~

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2021-08-26 09:31:00 +10:00
Nicolas Williams
75449e1071 gss: Fix build for GSS preauth helpers 2021-08-25 15:41:35 -05:00
Luke Howard
b3511c145c gss: check for NULL before calling dlclose()
Calling dlclose(NULL) on some recent versions of Linux appears to cause the
process to segfault.
2021-08-20 00:07:12 +10:00
Luke Howard
a56c3ad819 krb5: fix prototype in pa_gss_finish()
Fix merge issue that arose after merging another fix from the
lukeh/gss-preauth-apple branch.
2021-08-18 08:17:04 +10:00
Luke Howard
386b8d328a kdc: refactor/improve error handling in GSS pa 2021-08-15 16:07:46 +10:00
Luke Howard
432fe0ad56 krb5: treat KRB5_NT_SRV_HST and KRB5_NT_SRV_INST identically
Update previous commit, mapping KRB5_NT_SRV_HST as well as KRB5_NT_SRV_INST to
GSS_C_NT_HOSTBASED_SERVICE.
2021-08-15 15:04:21 +10:00
Luke Howard
95d553e009 krb5: improve krb5 to GSS name conversion
First attempt to import krb5 names as GSS_KRB5_NT_PRINCIPAL_NAME; if that
fails, choose the most appropriate name form based on Kerberos name type.
2021-08-15 14:48:14 +10:00
Luke Howard
e840681451 krb5: try GSS_KRB5_NT_PRINCIPAL_NAME first for PA
When importing a Kerberos name for GSS pre-auth, first try to import the name
as GSS_KRB5_NT_PRINCIPAL_NAME. If that fails, fall back to GSS_C_NT_USER_NAME.
2021-08-15 09:54:45 +10:00
Luke Howard
f73f08eef1 kdc: ensure GSS-API pre-auth acceptor name is TGS
The target (acceptor) name for GSS-API pre-authentication should be the name of
the TGS, not the server name in the AS-REQ, as it is the KDC which is being
mutually authenticated. If the client is not requesting a TGT, they may differ.
2021-08-15 09:14:58 +10:00
Luke Howard
95339c1068 gss: fix Windows preauth build issues
Fix lib/gssapi NTMakefile for GSS-API pre-authentication dependencies
2021-08-12 18:09:40 +10:00
Luke Howard
3302b38e53 gss: fix Windows preauth build issues
Fix kdc/kuser NTMakefiles for GSS-API pre-authentication dependencies
2021-08-12 17:57:17 +10:00