Commit Graph

16463 Commits

Author SHA1 Message Date
Jeffrey Altman
69fbbfdfcb krb5: fix verify_conf syslog facility check
search for facility not severity

Change-Id: I79e9104d1fd27e8d11f7f9c6006676d947086ac5
2016-11-18 21:24:26 -05:00
Jeffrey Altman
5cf454ca54 krb5: _krb5_expand_path_tokens missing va_end()
when returning early due to memory allocation error must call va_end()

Change-Id: Icc42771c166453f67679334cea19ed9be692bd87
2016-11-18 21:12:36 -05:00
Jeffrey Altman
97a40d8838 hdb: hdb_add_aliases frees uninitialized memory
This bug was never shipped in a release.  It was introduced by commit
1c81ddf4e2.

Change-Id: Ia9f6d69b2858a75cc51e50034fe70e29f13b8fc1
2016-11-18 20:58:39 -05:00
Jeffrey Altman
d07fe95b61 krb5: krb5_data_free() do not test before free()
Change-Id: I739eb0b227eb7885bb83b6e68eaf39db81b1ceb5
2016-11-18 20:43:19 -05:00
Nicolas Williams
7fa85e6d6d Round #3 of scan-build warnings cleanup 2016-11-16 23:27:27 -06:00
Nicolas Williams
1c81ddf4e2 Round #2 of scan-build warnings cleanup 2016-11-16 17:03:14 -06:00
Nicolas Williams
953dc07391 Round #1 of scan-build warnings cleanup 2016-11-15 21:27:20 -06:00
Nicolas Williams
995966f9d1 Fix hdb_create() HDB dbname parsing 2016-11-15 15:35:19 -06:00
Nicolas Williams
475c222472 Fix lib/hdb/test_hdbplugin 2016-11-15 13:54:45 -06:00
Nicolas Williams
09f0a25fda kdc --builtin-hdb should list loadable backends
This fixes the following problems from #210:

 - hdb_ldap doesn't load even when installed correctly
 - loadable hdb backends not listed by kdc --builtin-hdb

Not fixed:

 - hdb_ldap.so not installed in plugin dir
2016-11-15 11:34:54 -06:00
Viktor Dukhovni
c69a205b4c Properly integrate upstream vis/unvis
Adding appropriate changes to configure.ac and config.h
2016-11-15 02:17:58 -05:00
Viktor Dukhovni
f5b9ec280e Import (unmodified) updated upstream vis/unvis
Will not compile, full integration in next commit.
2016-11-15 02:17:03 -05:00
Jeffrey Altman
f561b55d38 krb5: windows tests require HEIMBASE
When building the lib/krb5 tests link against HEIMBASE in order to
make use of heim_abort() and friends.

Change-Id: Ifaf54177bbb14cddf0f3544add370cda158783d1
2016-11-15 00:33:55 -05:00
Jeffrey Altman
961f543a27 Set princ type to NT-SMTP-NAME when parsing
In krb5_parse_name_flags(), if the principal name is not an enterprise
name, is one component in length and contains an '@', set the principal
type to NT-SMTP-NAME as specified by RFC 4120.
2016-11-14 21:29:47 -06:00
Jeffrey Altman
6a1db3fb1c princ type NT-UNKNOWN + "host" == NT-SRV-HST
Treat principals of type NT-UNKNOWN as NT-SRV-HST if the first component
of the principal name is "host".

Change-Id: I28fb619379daac827436040e701d4ab7b279852b
2016-11-14 21:29:47 -06:00
Jeffrey Altman
5aef50c800 gss-krb5: do_delegate remove dead comment
The check on principal type has been commented out since do_delegate()
was committed.  Remove it.

Change-Id: Id98f35471e346cb3d0e9666b7cdb6f564191e6c1
2016-11-14 21:29:47 -06:00
Jeffrey Altman
09bdb3ab3e Set the right name type for anon princ (client)
In fast_wrap_req() set the correct type in KDC_REQ client principal
name.

Also fix ENOMEM handling.
2016-11-14 21:29:47 -06:00
Nicolas Williams
a59bb7132f When building a princ name pick a sane def type
This is part of the fix to #173.  MSFT RODCs insist on the name type for
krbtgt principals be set to KRB5_NT_SRV_INST.

Commentary from Jeffrey Altman <jaltman@secure-endpoints.com>

As reported by David Mulder of Dell's Quest, Active Directory will
return a BAD_INTEGRITY error when a request for a krbtgt service
ticket is received with principal type NT-PRINCIPAL instead of NT-SRV-INST
as required by RFC 4120.

[Nico: RFC4120 does not require this.  See the description of the
       name-type field of PrincipalName on page 55.]

  ERROR: VAS_ERR_KRB5: Failed to obtain credentials.
  Client: SLED10-32$@F.QAS,
  Service: SLED10-32$@F.QAS, Server: ad2-f.f.qas
  Caused by: KRB5KRB_AP_ERR_BAD_INTEGRITY (-1765328353): Decrypt integrity check failed

Microsoft began enforcing principal type checking for RODCs in 2008R2.
Microsoft does state that ALL krgtgt/REALM tickets SHOULD be sent using
principal name type of KRB5_NT_SRV_INST instead of KRB5_NT_PRINCIPAL.

From Microsoft:

  "I believe we discovered the problem. There isn't a bug in Windows.
  There's been a code change to address another issue which puts in additional
  checks for Kerberos tickets. The problem is with the Unix clients when the
  client request a TGT. The Unix clients are using Name-type Principal
  [KRB_NT_PRINCIPAL (1)] instead of using Name-type Service and Instance
  [KRB_NT_SRV_INST (2)]...."

This change assigns the NT-SRV-INST principal type each time a krbtgt
service principal is created.  Unlike Microsoft, the Heimdal mostly does
not care about the name-type of any principals, with the exception of
referrals, where the name type is needed to decide how to find a
next-hop realm.
2016-11-14 21:29:47 -06:00
Jeffrey Altman
19e8852697 hdb: hdb_ldap_common NULL dereference
In hdb_ldap_common() the test

  if (search_base == NULL && search_base[0] == '\0')
     error handling ...

must be

  if (search_base == NULL || search_base[0] == '\0')
     error handling ...

Change-Id: I8d876a9c56833431b3c4b582fbb0a8cc7353893d
2016-11-14 16:33:51 -05:00
Jeffrey Altman
95c2940a02 hdb: LDAP_message2entry fix ntPasswordIN leak
free ntPasswordIN from all exit paths.  Do not leak it.

Change-Id: I90c5240439eefabca4458fe4791eb0de693a50f7
2016-11-14 16:25:36 -05:00
Viktor Dukhovni
6ee0e99cf3 Upstream NetBSD libedit has readline.h in readline/ not editline/ 2016-11-14 16:13:42 -05:00
Viktor Dukhovni
eeeb216451 Restore unconditional use of getpwent vs. non-POSIX getpwent_r 2016-11-14 02:22:52 -05:00
Viktor Dukhovni
77ff7185d7 Updated libedit to NetBSD upstream
Note: This unconditionally assumes wchar_t support.  May need revision
if some platforms prove problematic.
2016-11-14 02:22:51 -05:00
Viktor Dukhovni
e1c1cdb1b6 HDB compiler warnings 2016-11-14 02:22:51 -05:00
Viktor Dukhovni
e4ba666221 hcrypto compiler warnings 2016-11-14 02:22:32 -05:00
Viktor Dukhovni
17d6d0ac1e Avoid yydebug compiler warning 2016-11-14 01:05:55 -05:00
Viktor Dukhovni
6b68a56820 Updated SQLite to 3.15.1 2016-11-14 01:05:41 -05:00
Viktor Dukhovni
cf69f3321d Fix cut/paste error from f5f76ee7 that breaks LDAP 2016-11-14 16:39:42 +11:00
Viktor Dukhovni
da8052fefc Don't scale SRV weights when none have weight zero 2016-11-13 15:22:17 +11:00
Viktor Dukhovni
ee8b2b4253 Drop code that's been dead for 10 years or more 2016-11-13 05:36:11 +11:00
Viktor Dukhovni
c8753450b1 Fix (linux) compiler warnings in libroken 2016-11-13 03:41:33 +11:00
Nicolas Williams
2d3c21cb61 There is no lib/hcrypto/dllmain.c 2016-11-11 15:58:33 -06:00
Nicolas Williams
81c778e0a3 Fix EVP PKCS#11 backend (#194) 2016-11-11 14:34:11 -06:00
Nicolas Williams
9c8b450aa0 Add EVP backend selection to example_evp_cipher.c 2016-11-11 14:30:13 -06:00
Nicolas Williams
e803b00bca Assume OpenCryptoki on Linux for evp-pkcs11 2016-11-11 14:30:13 -06:00
Florian Best
7422cd1f6b Implement krb5_get_init_creds_opt_set_change_password_prompt() 2016-11-11 11:48:43 -06:00
Viktor Dukhovni
0ae6147483 Fix kadm5 error cleanup 2016-11-11 01:38:41 -05:00
Viktor Dukhovni
a2ce04e87b We're not in Texas anymore 2016-11-10 22:29:49 -05:00
Heath Kehoe
545b5b41ce Fix race condition with global _gsskrb5_keytab
gsskrb5_acceptor_start() was making a copy of the global pointer
_gsskrb5_keytab to use later. This invites a race condition where
another thread could call gsskrb5_register_acceptor_identity()
(thus invalidating the target of the copied pointer) before it is
used by gsskrb5_acceptor_start().

So instead, clone the keytab to a new one while protected by the
mutex lock (similar to get_keytab() in acquire_cred.c).

Signed-off-by: Nicolas Williams <nico@twosigma.com>
2016-11-10 18:32:15 -06:00
Jeffrey Altman
a013e93e95 default life/renewlife time to KDC policy
Instead of imposing a default 10 hour ticket lifetime and 1 month renew
lifetime when requesting tickets, increase the default lifetime and
renew lifetime to 2147483647 seconds.  This ensures that in the absence
of any other configuration or command line parameters that the KDC will
determine the ticket lifetime and renew lifetime.

Change-Id: I52b6eeac1ee830a9bf4d0130e8f4ec7b70bc8694
Signed-off-by: Nicolas Williams <nico@twosigma.com>
2016-11-10 16:13:10 -06:00
Nicolas Williams
616aaf95a8 Don't suppress DNS search list by appending '.'
The original motivation was to avoid extra timeouts when the network is
broken.  However this doesn't avoid one of the timeouts and adds
complexity and introduced bugs.

To really suppress search lists use ndots.
2016-11-10 13:17:19 -06:00
Roland C. Dowdeswell
eb682c1bf4 Fix weight zero entries when ordering SRV RR results.
In lib/roken/resolve.c, we find rk_dns_srv_order() which re-orders
the results of an SRV RR lookup by the algorithm in RFC2782.  We
note that the algorithm doesn't behave according to the RFC w.r.t.
entries of weight zero.  We solve this by scaling out the remaining
weights by the number of zeros we find at a particular priority
level and acting like the zero weights have a weight of one.
2016-11-10 04:45:07 -05:00
Roland C. Dowdeswell
44a1a2a273 Fix bias in ordering SRV RR results by weight.
In lib/roken/resolve.c, we find rk_dns_srv_order() which re-orders
the results of an SRV RR lookup by the algorithm in RFC2782.  We
fix a bias in the random weight sorting by changing the order of
operations when selecting rnd.  rnd should be a non-zero random
number less than the sum of the weights at a particular priority,
but zero was included as a legitimate output thus biasing the
selection process.  rk_random() % sum is still biased as a 32
bit int modulo a number which doesn't divide 2^32 does not have
a uniform distribution, but the bias should be small enough to
live with for our purposes here.
2016-11-10 04:45:07 -05:00
Nicolas Williams
13cb3b5646 Don't inhibit /etc/services matches 2016-11-09 22:49:03 -06:00
Nicolas Williams
6a68376a33 Don't inhibit /etc/hosts matches (fix #32)
Apending '.' to the hostname passed to `getaddrinfo()` is good for
avoiding extra timeouts when the search list is non-empty and the
network is broken, but searches in /etc/hosts are typically inhibited
then.  The fix is to try again without the trailing '.' if the first
lookup failed for any reason other than a timeout.
2016-11-09 22:49:03 -06:00
Viktor Dukhovni
f9749627f0 New test case detects previous template bug 2016-11-09 18:34:24 -05:00
Sergio Gelato
7c8b66d76b Use off_t in for constants used in iprop log seeks
On 32-bit architectures with _FILE_OFFSET_BITS=64,
 sizeof(off_t) > sizeof(size_t) .

LOG_HEADER_SZ was #define'd as an expression of type size_t, so in order
to get the sign extension right we need -(off_t)LOG_HEADER_SZ instead of
(off_t)(-LOG_HEADER_SZ).  However, we can just define the *_SZ macros to
cast to off_t, then we don't need to worry about negation.

Fixes Debian bug #822749, PR 175.

Signed-off-by (and updated by): Nicolas Williams <nico@twosigma.com>
2016-11-09 13:35:08 -06:00
Viktor Dukhovni
9be93ad9ff Fix typo 2016-11-09 11:50:07 -05:00
Viktor Dukhovni
be2527500d Restored check-gen.c inadvertently deleted 2016-11-09 11:40:57 -05:00
Simon Wilkinson
67ac841f8f hcrypto: Fix Win 32 cpp checks
The correct test for a windows build is if defined(_WIN32), not just
if _WIN32. Fix a few places in the build which do the wrong thing, as
it gives compiler warnings.
2016-11-09 15:36:04 +00:00