Heimdal supports the 2 mandatory MODP groups (group 2 and group 14)
according to RFC4556, however group 14 is defined with a size of
1760 bits instead of 2048.
Fixes#1001
Reported-by: Julien Rische (GitHub: jrisc)
Noticed missing target directory dependency as a build failure in
`make --shuffle` mode (added in https://savannah.gnu.org/bugs/index.php?62100):
CC test_common.o
In file included from test_common.c:34:
krb5/gsskrb5_locl.h:42:10: fatal error: gkrb5_err.h: No such file or directory
42 | #include <gkrb5_err.h>
| ^~~~~~~~~~~~~
compilation terminated.
make[3]: *** [Makefile:2347: test_common.o] Error 1 shuffle=1656680590
The change moves gkrb5_err.h and friends to BUILT_SOURCES
to guarantee their presence when main build starts.
Noticed missing target directory dependency as a build failure in
`make --shuffle` mode (added in https://savannah.gnu.org/bugs/index.php?62100):
make[2]: Leaving directory '/build/heimdal/lib/gss_preauth'
Making all in hdb
make[2]: Entering directory '/build/heimdal/lib/hdb'
../../lib/asn1/asn1_compile --option-file=./hdb.opt ./hdb.asn1 hdb_asn1
for genfile in 'asn1_Event.c asn1_GENERATION.c asn1_HDB_EncTypeList.c asn1_HDB_Ext_Aliases.c asn1_HDB_Ext_Constrained_delegation_acl.c asn1_HDB_Ext_KeyRotation.c asn1_HDB_Ext_KeySet.c asn1_HDB_Ext_Lan_Manager_OWF.c asn1_HDB_Ext_Password.c asn1_HDB_Ext_PKINIT_acl.c asn1_HDB_Ext_PKINIT_cert.c asn1_HDB_Ext_PKINIT_hash.c asn1_HDB_EntryOrAlias.c asn1_HDB_entry_alias.c asn1_HDB_entry.c asn1_HDB_extension.c asn1_HDB_extensions.c asn1_HDB_keyset.c asn1_HDBFlags.c asn1_Key.c asn1_KeyRotation.c asn1_KeyRotationFlags.c asn1_Keys.c asn1_Salt.c'; do \
true -style='{BasedOnStyle: Mozilla, AlwaysBreakAfterReturnType: TopLevelDefinitions, IndentWidth: 4, SortIncludes: false}' -i ${genfile}; \
done
../../lib/com_err/compile_et hdb_err.et
make all-am
make[3]: Entering directory '/build/heimdal/lib/hdb'
CC hdb-ldap.lo
In file included from hdb_locl.h:67,
from hdb-ldap.c:36:
./hdb.h:337:10: fatal error: hdb-protos.h: No such file or directory
337 | #include <hdb-protos.h>
| ^~~~~~~~~~~~~~
compilation terminated.
The change moves hdb-protos.ha and hdb-private.h to BUILT_SOURCES
to guarantee their presence when main build starts.
The variable 'ret' is set but not used. As the value is ignored
remove it. Restructure the initialization of 'replyinCnt', 'replyout',
and 'replyoutCnt' such that a failure of vm_read() results in a
properly initialized reply structure.
get_null() can fail for two reasons. There can be a memory allocation
issue or the hints->ai_family could be unsupported. This change
informs the caller of the error state instead of returning success
with an invalid struct addrinfo output parameter.
Fixes#1007
Reported-by: opless
Apple clang version 14.0.0 (clang-1400.0.17.3.1) fails the build
because stds.h defines `fallthrough` as a macro which is then
expanded when base.h evaluates
# if __has_attribute(fallthrough) && __clang_major__ >= 5
The macOS SDK defines `DISPATCH_FALLTHROUGH` as the macro instead
of `fallthrough`.
This change replaces the use of `fallthrough` in the tree with
`HEIM_FALLTHROUGH` and updates the declaration in configure logic
to define `HEIM_FALLTHROUGH` based upon existing definitions
(if any) of `fallthrough` or `DISPATCH_FALLTHROUGH`.
We meant to clear only the UF_SMARTCARD_REQUIRED bit, but we were
instead clearing all bits excepting it.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
If the AP len is large enough, we might end up computing an address
beyond the end of the 'reply' array, which is undefined behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This commit makes the hxtool ca sub-command, when invoked with
--generate-key=TYPE and --certificate-private-key=STORE, write the
private key only to the given --certificate-private-key store and not
also the --certificate=STORE.
Before this commit, invoking the hxtool ca sub-command with both,
--generate-key=TYPE and --certificate-private-key=STORE, caused the
--generate-key option to be ignored and the private key to be read from
the given store and copied to the --certificate=STORE. That was clearly
a bug and non-sensical.
We derive keysets for virtual host-based service principals, and that
includes the `set_time` field of keys. But applications using the kadm5
API lose that information. Our httpkadmind wants to set a Cache-Control
header with an appropriate max-age so that clients know when to re-fetch
keytabs.
We could extract some of the lib/hdb/common.c functions so that
httpkadmind could re-create an HDB_entry from a kadm5 entry then compute
the desired time, but ultimately we already have an appropriate field in
the HDB_entry and kadm5_principal_ent_rec types: "password expiration".
So let's set the `pw_end` of a virtual host-based service's HDB entry to
the time when a client should next fetch the principal's keys, and we'll
use that in httpkadmind as the `pw_expiration` field of the kadm5 entry
type.
If a virtual host-based service namespace is disabled, then the virtual
services below it cease existing.
This will be useful in a later commit where we'll use virtual host-based
service namespace for providing default attributes for new concrete
host-based service principals created via httpkadmind, whether the
namespace be enabled or disabled.
Now that we use krb5_copy_context() via kadm5_c_dup_context(), we see
occasional skew errors in the tests because context->max_skew was not
being initialized, so it was set to 0s of skew, and krb5_rd_priv() or
others could fail.
One user had an entry with duplicate aliases. This happened with an
earlier version of Heimdal.
This commit does not remove the duplicates, but it does tolerate them.
The online LIST interrupt message is a NOP, but it's expected to not
have a reply (the server doesn't send one if it receives it before the
LIST finishes).
However, if the interrupt message arrives after the LIST finished, then
it does get a reply, and this causes the client to get out of step with
the server.
Fixes include:
1) flavor the interrupt NOP to make sure it never gets a reply,
2) introduce a new kadm_list_interrtupt message that is like a NOP that
produces no reply
3) always consume -after the LIST ends- a reply to any list interrupt
NOP on the client side.
This implements (1).
The `inmsg` field of the client structure is malloc/realloc'ed in `handle_read` but never free'ed in `maybe_close`.
Seems like Apple already fixed that with this.
kadm5_get_principals() is not online. If you have... many principals,
it will be slow. At least it's no longer quadratic, but it, it's still
slow. Time to add a version that uses a callback:
kadm5_ret_t
kadm5_iter_principals(void *server_handle,
const char *expression,
int (*cb)(void *, const char *),
void *cbdata)
The callback gets called with the given callback data and one principal
name (unparsed).
Note that the callback MUST NOT re-enter the kadm5 library with the
*same* kadm handle. For example, the kadmin protocol doesn't really
multiplex requests well, though it could pipeline them, but it can't
pipeline when LIST is running, not with the protocol implemented here,
so a separate connection is needed, and that requires a separate kadm
handle. We add kadm5_dup_context() to deal with this.
We introduce a notion of soft vs. hard aliases.
Soft aliases are aliases of WELLKNOWN/REFERRALS/TARGET@$some_realm,
where $some_realm is the realm we want the KDC to issue referrals to.
Hard aliases are all other aliases, where if the client requested
canonicalization then the KDC should update the names in the responses,
or else if the client did not request canonicalization, then the KDC
should treat the alias as a distinct principal with the same keys as the
alias' canonical name.
The logic for dealing with these is entirely located in the HDB
backends.
An HDB backend can implement hard aliases by replacing a found
HDB_entry's principal with the name used to look it up.
An HDB backend can implement soft aliases by returning
HDB_ERR_WRONG_REALM to trigger the AS or TGS to return a referral.
Currently only in-tree HDB backends support this feature that use
_hdb_fetch_kvno() as their hdb_fetch_kvno() method implementation.
That's all HDB backends other than SQLite3.
Out-of-tree backends should be unaffected.
We've added a decoration field to HDB_entry: aliased -- an int
(boolean). This is only used internally in libhdb at this time.
Out-of-tree HDB backends could have a use for this decoration, but we
have not decided whether it is a public interface yet.
INTxx_MIN plus a positive integer of the same type will always be
negative, and so the result will always compare less than a positive
integer. Fix this check so that we produce the correct result when
adding two negative time_t values.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
In a cross-realm situation the client KDC exchange may use on orphaned
strengthen_key (from the previous exchange) if the current KDC
doesn't not support FAST and the previous KDC supported it.
Otherwise init_creds_step() or fast_tgs_strengthen_key()
generate the reply key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This allows these functions to be used with PACs obtained from KDC
accessor functions such as kdc_request_get_pac().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
With HDB_ERR_WRONG_REALM the backend needs to expose the
principal, so we should not free the entry otherwise
the main kdc code will crash.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
PAC_TYPE_CLIENT_CLAIMS_INFO and PAC_TYPE_DEVICE_CLAIMS_INFO are
of zero length unless any claims are actually defined.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Closes: #969
PAC_TYPE_CLIENT_CLAIMS_INFO and PAC_TYPE_DEVICE_CLAIMS_INFO are
of zero length unless any claims are actually defined.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
