The Microsoft compiler cannot handle multiple const modifiers
for the same type. It is also unhappy with the output pointer
parameter being declared const.
This change introduces new typedefs and cast of the dlsym() return
type to prevent warnings.
Change-Id: Ia92645efab8d2ec6745339a6f47c690782ae730a
Rename common_plugin_ftable to krb5_plugin_common_ftable.
Create lib/krb5/common_plugin.h to include the structure and typedef.
The common_plugin.h header is now included by ccache_plugin.h
along with a prototype for the required ccache_ops_plugin_load()
function.
Change-Id: I2b27d6d0f5cf0544482c3f01784fef945e12e8d8
As with the krb5plugin_an2ln_ftable_desc, krb5plugin_db_ftable_desc,
and krb5plugin_kuserok_ftable_desc the function pointers in
common_plugin_ftable_desc must be annotated with KRB5_LIB_CALL.
Change-Id: Ia7ea78743ee9eb8c7f6b648063852ca91a360d2c
Only fallback to loading the plugin function table directly if
if the initialization function is not exported. Failing a
consistency check should not permit falling back to a potentially
incompatible function table.
Change-Id: Ic753ed9a090aef6073853f7309f0f8f0f29d0aa9
even if tgt used an enctype with a different checksum.
Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is always
HMAC_MD5, and that's what Windows and MIT clients send.
In heimdal both the client and kdc use instead the
checksum of the tgt, and therefore work with each other
but windows and MIT clients fail against heimdal KDC.
Both Windows and MIT KDC would allow any keyed checksum
to be used so Heimdal client work fine against it.
Change Heimdal KDC to allow HMAC_MD5 even for non RC4
based tgt in order to support per-spec clients.
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Commit bdcd7d2f moved the KRB5_ANON_MATCH_xxx preprocessor symbols to krb5.h,
but did not remove the originals from krb5_locl.h. This commit removes them.
The combination of 8740528b24
("Windows-compatible sentinel socket type and value") and
d497d7e4a7 ("krb5_sendto_kdc:
failover for multiple AAAA/A RRs on one domain") broke
all the send to kdc loop on Windows. rk_socket_t is
a HANDLE and rk_INVALID_SOCKET is the max value. Therefore,
no valid socket will be larger and all communications
will fail.
Change-Id: I3464f78d67b19f14050ad7a01738fb32bac99385
_krb5_principal_is_anonymous() is used outside lib/krb5 and
therefore it needs to be properly exported and its flag macros
need to be in a public header: krb5.h not krb5_locl.h.
Including krb5_locl.h from within kuser_locl.h for instance
results in build failures on Solaris.
This change renames the function and makes it part of the public
api.
Change-Id: I130d1698b10bdbd150b95e8c7d32dfc362889ce6
RFC8062 Section 7 requires verification of the PA-PKINIT-KX key excahnge
when anonymous PKINIT is used. Failure to do so can permit an active
attacker to become a man-in-the-middle.
Introduced by a1ef548600. First tagged
release Heimdal 1.4.0.
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.8)
Change-Id: I6cc1c0c24985936468af08693839ac6c3edda133
Signed-off-by: Jeffrey Altman <jaltman@auristor.com>
Approved-by: Jeffrey Altman <jaltman@auritor.com>
We found that the libraries behaviour when dealing with domains with
more than one entry in them is slightly suboptimal. The situation
was
kdc1 IN A 1.2.3.4
kdc1 IN AAAA ff02::1
I.e. a single hostmame with both IPv6 and IPv4 addresses. When we
run krb5_sendto_kdc on a box with only IPv4 addresses, there is a
3s delay before it fails back to the IPv4 address. This is because
the library sets the 2nd address on each hostname to be 3s in the
future and each additional one another 3s.
We change wait_response() s.t. if one is able to make progress, we
iterate over the list of hosts and move them all 1s forward. We
also modify submit_request() to skip hosts if host_connect() fails.
Add macros to give symbolic names to the flags which can be passed to
krb5_get_init_creds_opt_set_pkinit(). Reserve flags for BTMM and not validating
KDC anchors.
Add _krb5_principal_is_anonymous() private API for checking if a principal is
anonymous or not. The third argument determines whether to match authenticated
anonymous, unauthenticated anonymous, or both types of principal.
We choose a semantic for the file offset during truncate operations
which is to leave the offset as is unless it is off the end of the
file in which case we pull it back in to the end. We update fd and
stdio handling to match the {,e}mem behaviour.
On 32-bit Windows Intel builds the __cdecl and __stdcall calling
conventions are different so labeling the functions that are
exported or assigned to function pointers matters.
Change-Id: I03b6f34baeb9ffb2e683fd979f12f27a5078a4da
Heimdal declares functions that never return as non-void. Suppress
the following warnings now that functions are labeled 'noreturn'.
4646 - function declared with __declspec(noreturn) has non-void return type
4716 - 'function' must return a value
Change-Id: Id85cc435e99688bae7326a723a5a80d828859bf2
The 'plugin_prefix' variable was declared 'const' which generates
a warning because the C string is freed.
This change removes the 'const' designation.
Change-Id: I6f3838d6dbf1bb496f286c96aea96bae8948930d
Refactor plugin framework to use a single list of loaded plugins; add a new
plugin API where DSOs export a load function that can declare dependencies and
export multiple plugins; refactor kadm5 hook API to use krb5 plugin framework.
More information in krb5-plugin(7).
- Add --keepold/keepallold/pruneall options to various kadmin/ktutil
commands. Default behavior to "prune old keys".
- When setting keys for a service, we need to specify enctypes for it:
- Always use kadm5_randkey_principal_3() instead of the older
kadm5_randkey_principal().
- Add krb5_string_to_keysalts2(), like MIT's krb5_string_to_keysalts(),
but with a context, and simpler.
- Add --enctypes options to various kadmin/ktutil commands.
- Add [libdefaults] supported_enctypes param with enctype[:salttype]
list.
- Add [realms] realm supported_enctypes param with enctype[:salttype]
list.
Default to aes128-cts-hmac-sha1-96:normal.
For compatibility with MIT Kerberos, support automatic acquisition of initiator
credentials if a client keytab is available. The default path on non-Windows is
/var/heimdal/user/%{euid}/client.keytab, but can be overriden with the
KRB5_CLIENT_KTNAME environment variable or the default_client_keytab_name
configuration option. If a client keytab does not exist, or exists but does not
contain the principal for which initiator credentials are being acquired, the
system keytab is tried.
The meaning of the two is different and we should
not implicitly set both if one was requested (this
aligns the logic with MIT kinit -C/-E options).
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
The referral function does not handle short names,
so avoid falling over it in case capath fails, in
order to preserve the error code returned by the
KDC (it wasn't a problem before the order between
the two functions has changed).
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Prior to this change a KDC response of KRB5KDC_ERR_SVC_UNAVAILABLE
would result in the client looping forever. Setting the action to
KRB5_SENTO_CONTINUE repeats the current loop without altering the
current state. Hence the infinite loop.
As of this change, the action is set to KRB5_SENDTO_RESET which
forces the current kdc's response to be cleared and then to retry.
If KRB5KDC_ERR_SVC_UNAVAILABLE continues to be returned, the retry
limit will be reached and the loop will end.
This bug was filed by multiple sources including Samba and ScottUrban
on github.
Change-Id: If1611be0ada3422cefae89541ed3b3df1f6efe29
This patch adds the "enforce_on_admin_set" configuration knob in the
[password_quality] section. When this is enabled, administrative password
changes via the kadmin or kpasswd protocols will be subject to password quality
checks. (An administrative password change is one where the authenticating
principal is different to the principal whose password is being changed.)
Note that kadmin running in local mode (-l) is unaffected by this patch.
Using non-reentrant getpwuid() (or getpwnam(), or getspnam()) can be
dangerous. We had a report of a login application / PAM that calls
those, and Heimdal, by calling them too, clobbered the cached struct
passwd used by the login app / PAM.
We add roken_get_{shell, username, appdatadir, homedir}() functions. These use
a combination of secure_getenv(), getpwuid_r(), getlogin_r(), or various WIN32
functions to get this information.
Use roken_get_appdatadir() instead of roken_get_homedir() when looking for
dotfiles.
* Fix -O3 -Werror=unused-result build in dcache.c
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10)
with -O3 -Werror=unused-result
../lib/krb5/dcache.c:85:5: error: ignoring return value of ‘asprintf’, declared with attribute warn_unused_result [-Werror=unused-result]
asprintf(&path, "%s/primary-XXXXXX", dc->dir);
^
../lib/krb5/dcache.c: In function ‘primary_create’:
../lib/krb5/dcache.c:56:5: error: ignoring return value of ‘asprintf’, declared with attribute warn_unused_result [-Werror=unused-result]
asprintf(&primary, "%s/primary", dc->dir);
^
../lib/krb5/dcache.c: In function ‘dcc_gen_new’:
../lib/krb5/dcache.c:423:5: error: ignoring return value of ‘asprintf’, declared with attribute warn_unused_result [-Werror=unused-result]
asprintf(&name, ":%s/tktXXXXXX", dc->dir);
^
../lib/krb5/dcache.c: In function ‘dcc_resolve’:
../lib/krb5/dcache.c:340:2: error: ignoring return value of ‘asprintf’, declared with attribute warn_unused_result [-Werror=unused-result]
asprintf(&dc->name, ":%s/%s", dc->dir, residual);
^
../lib/krb5/dcache.c:348:5: error: ignoring return value of ‘asprintf’, declared with attribute warn_unused_result [-Werror=unused-result]
asprintf(&filename, "FILE%s", dc->name);
^
cc1: all warnings being treated as errors
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* Update dcache.c
When asprintf() fails it is not guaranteed that the output variable will be NULL on all platforms and releases.
* Update dcache.c
