This was broken with KRB5SignedPath but now that we switch to PAC
we get it fixed without KDC changes, so we can just test it.
See also PR #599 from where these tests were taken.
krb5_enomem() was lacking a calling convention decoration, breaking Windows
consumers if __cdecl was not the default calling convention. Add KRB5_LIB_CALL
to make it consistent with other library functions.
Closes: #834
When validating the KDC-REQ-BODY checksum introduced in 0ed4d90a, don't leak
the sec_context_token retrieved from the FX-COOKIE if checksum verifications
fails.
Add a new krbhst type, KRB5_KRBHST_TKTBRIDGEAP to krb5_krbhst_init_flags(),
that looks for the DNS SRV record kerberos-tkt-bridge. This is to support a new
PADL project.
Whilst channel bindings are used to bind the KDC-REQ-BODY to the GSS-API
context, we need to also bind the KDC-REQ-BODY across multiple requests in a
pre-authentication conversation.
Do this by making a digest of the first KDC-REQ-BODY (with the nonce zeroed, as
this may change), and verifying it in each subsequent request.
Add unkeyed checksum types for SHA-256, SHA-384 and SHA-512, for future
internal use. They are assigned private (negative) checksum types and must
never appear in cleartext on the wire.
This reverts commit 34b374b5e4.
We are revising the GSS-API pre-authentication draft to include the nonce from
the first request in the GSS channel bindings, to avoid re-encoding issues that
may surface with Kerberos implementations that do not correctly implement DER.
To comply with the latest POSIX standard, in Yacc compatibility mode
(options `-y`/`--yacc`) Bison now generates prototypes for yyerror and
yylex. In some situations, this is breaking compatibility: if the user
has already declared these functions but with some differences (e.g., to
declare them as static, or to use specific attributes), the generated
parser will fail to compile. To disable these prototypes, #define yyerror
(to `yyerror`), and likewise for yylex.
refer: https://git.savannah.gnu.org/cgit/bison.git/tree/NEWS
GNU Bison 3.8
Zero nonce before encoding KDC-REQ-BODY to be used as channel binding
application data in GSS-API pre-authentication. This is because the nonce may
change between AS-REQs and the channel binding data should be invariant between
calls to GSS_Init_sec_context().
If clang-format is not available, AC_CHECK_PROG sets CLANG_FORMAT=no,
not empty string. This results in an error at build time for those
without clang-format installed. Instead check if the program is
executable.
Correctly implement gss_krb5_ccache_name() in terms of
gss_set_sec_context_option(GSS_KRB5_CCACHE_NAME_X). The previous implementation
was a NOOP.
Note: global ccache name should really be thread-specific rather than global.
Closes#803.
Add a sample GSS preauth authorization plugin, which will be built and
installed if OpenLDAP is available, but otherwise not enabled (by virtue of not
being installed into the plugin directory).
The plugin authorizes federated GSS preauth clients by querying an Active
Directory domain controller for the altSecurityIdentities attribute.
Once the user entry is found, the name is canonicalized by reading the
sAMAccountName attribute and concatenating it with the KDC realm.
We do not need to zero out the local variable output_token
if we do not later call gss_release_buffer() on it.
This aovids a -Werror=address compile failure under the
strict compiler options Samba uses when compiled on Ubuntu
20.04 with gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
In file included from ../../source4/heimdal/lib/gssapi/preauth/pa_client.c:34:
../../source4/heimdal/lib/gssapi/preauth/pa_client.c:148:21: error: the address of ‘output_token’ will always evaluate as ‘true’ [-Werror=address]
148 | _mg_buffer_zero(&output_token);
| ^
../../source4/heimdal/lib/gssapi/mech/mech_locl.h:72:7: note: in definition of macro ‘_mg_buffer_zero’
72 | if (buffer) { \
| ^~~~~~
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
The DC (domainComponent) attribute wants to be an IA5String.
This really doesn't matter, but if we want to conform to the spec (RFC 4519,
referenced by RFC 5280), then we have to do this.
If GSS_Accept_sec_context() returns an error status and error token, ensure we
include the error token in the PA-GSS padata in the KRB-ERROR reply, rather
than bailing out early.
