Commit Graph

29310 Commits

Author SHA1 Message Date
Nicolas Williams
22790e4508 Test RODC interop fix 2016-11-14 21:29:47 -06:00
Nicolas Williams
9e2b696190 Make kdc name type strictness configurable 2016-11-14 21:29:47 -06:00
Jeffrey Altman
961f543a27 Set princ type to NT-SMTP-NAME when parsing
In krb5_parse_name_flags(), if the principal name is not an enterprise
name, is one component in length and contains an '@', set the principal
type to NT-SMTP-NAME as specified by RFC 4120.
2016-11-14 21:29:47 -06:00
Jeffrey Altman
6a1db3fb1c princ type NT-UNKNOWN + "host" == NT-SRV-HST
Treat principals of type NT-UNKNOWN as NT-SRV-HST if the first component
of the principal name is "host".

Change-Id: I28fb619379daac827436040e701d4ab7b279852b
2016-11-14 21:29:47 -06:00
Jeffrey Altman
5aef50c800 gss-krb5: do_delegate remove dead comment
The check on principal type has been commented out since do_delegate()
was committed.  Remove it.

Change-Id: Id98f35471e346cb3d0e9666b7cdb6f564191e6c1
2016-11-14 21:29:47 -06:00
Jeffrey Altman
09bdb3ab3e Set the right name type for anon princ (client)
In fast_wrap_req() set the correct type in KDC_REQ client principal
name.

Also fix ENOMEM handling.
2016-11-14 21:29:47 -06:00
Jeffrey Altman
020f2c733e kdc: principals of type NT-UNKNOWN can be anonymous
The _kdc_is_anonymous() helper function must take into account
that principals of type NT-UNKNOWN can match any other principal
type including NT-WELLKNOWN.

Change-Id: I6085b9471f6f1d662119e359491bbdce629ef048
2016-11-14 21:29:47 -06:00
Nicolas Williams
a59bb7132f When building a princ name pick a sane def type
This is part of the fix to #173.  MSFT RODCs insist that the name type for
krbtgt principals be set to KRB5_NT_SRV_INST.

Commentary from Jeffrey Altman <jaltman@secure-endpoints.com>

As reported by David Mulder of Dell's Quest, Active Directory will
return a BAD_INTEGRITY error when a request for a krbtgt service
ticket is received with principal type NT-PRINCIPAL instead of NT-SRV-INST
as required by RFC 4120.

[Nico: RFC4120 does not require this.  See the description of the
       name-type field of PrincipalName on page 55.]

  ERROR: VAS_ERR_KRB5: Failed to obtain credentials.
  Client: SLED10-32$@F.QAS,
  Service: SLED10-32$@F.QAS, Server: ad2-f.f.qas
  Caused by: KRB5KRB_AP_ERR_BAD_INTEGRITY (-1765328353): Decrypt integrity check failed

Microsoft began enforcing principal type checking for RODCs in 2008R2.
Microsoft does state that ALL krbtgt/REALM tickets SHOULD be sent using
principal name type of KRB5_NT_SRV_INST instead of KRB5_NT_PRINCIPAL.

From Microsoft:

  "I believe we discovered the problem. There isn't a bug in Windows.
  There's been a code change to address another issue which puts in additional
  checks for Kerberos tickets. The problem is with the Unix clients when the
  client requests a TGT. The Unix clients are using Name-type Principal
  [KRB_NT_PRINCIPAL (1)] instead of using Name-type Service and Instance
  [KRB_NT_SRV_INST (2)]...."

This change assigns the NT-SRV-INST principal type each time a krbtgt
service principal is created.  Unlike Microsoft, Heimdal mostly does
not care about the name-type of any principals, with the exception of
referrals, where the name type is needed to decide how to find a
next-hop realm.
2016-11-14 21:29:47 -06:00
Jeffrey Altman
84e959a752 gssmask: log_function memory leak
Do not leak 'file' on error and reduce clutter. free() in common exit
path.

Change-Id: Icb187ea50e9c3d405076a192aa61cbade4b6d7d4
2016-11-14 17:02:02 -05:00
Jeffrey Altman
d3fc257245 gssmask: client_connect addrinfo leak
In client_connect() getaddrinfo() stores the head of the allocated
addrinfo structure list in 'res0'.  'res' is used to walk the list
and will be NULL at the end of the for() loop when freeaddrinfo(res)
is executed.  Pass 'res0' to freeaddrinfo() instead of 'res'.

Change-Id: Ie1358c0356b6b0f98470e46e25216cfa0ab4adac
2016-11-14 16:56:08 -05:00
Jeffrey Altman
19e8852697 hdb: hdb_ldap_common NULL dereference
In hdb_ldap_common() the test

  if (search_base == NULL && search_base[0] == '\0')
     error handling ...

must be

  if (search_base == NULL || search_base[0] == '\0')
     error handling ...

Change-Id: I8d876a9c56833431b3c4b582fbb0a8cc7353893d
2016-11-14 16:33:51 -05:00
Jeffrey Altman
95c2940a02 hdb: LDAP_message2entry fix ntPasswordIN leak
free ntPasswordIN from all exit paths.  Do not leak it.

Change-Id: I90c5240439eefabca4458fe4791eb0de693a50f7
2016-11-14 16:25:36 -05:00
Viktor Dukhovni
6ee0e99cf3 Upstream NetBSD libedit has readline.h in readline/ not editline/ 2016-11-14 16:13:42 -05:00
Viktor Dukhovni
a3eb786491 Finish X removal 2016-11-14 16:02:43 -05:00
Jeffrey Altman
f917c9d17b configure.ac: remove AC_CHECK_XUA
The prior patch removed the definition of the XUA check but failed
to remove the execution of the check.  Do so now.

Change-Id: I648a374370d3549db0d98b90f810bd018dc28962
2016-11-14 15:38:09 -05:00
Viktor Dukhovni
d454492d01 Drop X11 autoconf and travis deps 2016-11-14 14:34:43 -05:00
Viktor Dukhovni
bb507cd4d4 Goodbye push 2016-11-14 14:19:58 -05:00
Viktor Dukhovni
b77e701a22 Goodbye login 2016-11-14 02:59:12 -05:00
Viktor Dukhovni
63d2935c4f Goodbye FTP 2016-11-14 02:42:08 -05:00
Viktor Dukhovni
eeeb216451 Restore unconditional use of getpwent vs. non-POSIX getpwent_r 2016-11-14 02:22:52 -05:00
Viktor Dukhovni
77ff7185d7 Updated libedit to NetBSD upstream
Note: This unconditionally assumes wchar_t support.  May need revision
if some platforms prove problematic.
2016-11-14 02:22:51 -05:00
Viktor Dukhovni
e1c1cdb1b6 HDB compiler warnings 2016-11-14 02:22:51 -05:00
Viktor Dukhovni
e4ba666221 hcrypto compiler warnings 2016-11-14 02:22:32 -05:00
Viktor Dukhovni
17d6d0ac1e Avoid yydebug compiler warning 2016-11-14 01:05:55 -05:00
Viktor Dukhovni
6b68a56820 Updated SQLite to 3.15.1 2016-11-14 01:05:41 -05:00
Viktor Dukhovni
cf69f3321d Fix cut/paste error from f5f76ee7 that breaks LDAP 2016-11-14 16:39:42 +11:00
Jeffrey Altman
ec9c990dec refer bug reports to github issues
Change-Id: Idfd5f3423fb91ad6d235c4ebb87738641fa3d462
2016-11-12 23:40:56 -05:00
Viktor Dukhovni
da8052fefc Don't scale SRV weights when none have weight zero 2016-11-13 15:22:17 +11:00
Viktor Dukhovni
ee8b2b4253 Drop code that's been dead for 10 years or more 2016-11-13 05:36:11 +11:00
Viktor Dukhovni
c8753450b1 Fix (linux) compiler warnings in libroken 2016-11-13 03:41:33 +11:00
Nicolas Williams
2d3c21cb61 There is no lib/hcrypto/dllmain.c 2016-11-11 15:58:33 -06:00
Nicolas Williams
81c778e0a3 Fix EVP PKCS#11 backend (#194) 2016-11-11 14:34:11 -06:00
Nicolas Williams
9c8b450aa0 Add EVP backend selection to example_evp_cipher.c 2016-11-11 14:30:13 -06:00
Nicolas Williams
e803b00bca Assume OpenCryptoki on Linux for evp-pkcs11 2016-11-11 14:30:13 -06:00
Florian Best
7422cd1f6b Implement krb5_get_init_creds_opt_set_change_password_prompt() 2016-11-11 11:48:43 -06:00
Viktor Dukhovni
0ae6147483 Fix kadm5 error cleanup 2016-11-11 01:38:41 -05:00
Viktor Dukhovni
a2ce04e87b We're not in Texas anymore 2016-11-10 22:29:49 -05:00
Heath Kehoe
545b5b41ce Fix race condition with global _gsskrb5_keytab
gsskrb5_acceptor_start() was making a copy of the global pointer
_gsskrb5_keytab to use later. This invites a race condition where
another thread could call gsskrb5_register_acceptor_identity()
(thus invalidating the target of the copied pointer) before it is
used by gsskrb5_acceptor_start().

So instead, clone the keytab to a new one while protected by the
mutex lock (similar to get_keytab() in acquire_cred.c).

Signed-off-by: Nicolas Williams <nico@twosigma.com>
2016-11-10 18:32:15 -06:00
Nicolas Williams
ab65f51c52 Apply band-aid to install-build-headers (#114) 2016-11-10 17:58:21 -06:00
Jeffrey Altman
a013e93e95 default life/renewlife time to KDC policy
Instead of imposing a default 10 hour ticket lifetime and 1 month renew
lifetime when requesting tickets, increase the default lifetime and
renew lifetime to 2147483647 seconds.  This ensures that in the absence
of any other configuration or command line parameters that the KDC will
determine the ticket lifetime and renew lifetime.

Change-Id: I52b6eeac1ee830a9bf4d0130e8f4ec7b70bc8694
Signed-off-by: Nicolas Williams <nico@twosigma.com>
2016-11-10 16:13:10 -06:00
Nicolas Williams
616aaf95a8 Don't suppress DNS search list by appending '.'
The original motivation was to avoid extra timeouts when the network is
broken.  However this doesn't avoid one of the timeouts and adds
complexity and introduced bugs.

To really suppress search lists use ndots.
2016-11-10 13:17:19 -06:00
Nicolas Williams
99b79d1f4c Check for mig(1), not just libdispatch 2016-11-10 13:15:07 -06:00
Remi Ferrand
298ee93ac2 Autoconf detection of Perl5 and Perl5 modules
Add m4 macros for checking for perl modules (JSON)

Fix #74, #29.

Signed-off-by: Nico Williams <nico@twosigma.com>
2016-11-10 11:55:56 -06:00
Nicolas Williams
7b6bf87685 Also look for editline/readline.h (fix #38) 2016-11-10 11:35:36 -06:00
Roland C. Dowdeswell
eb682c1bf4 Fix weight zero entries when ordering SRV RR results.
In lib/roken/resolve.c, we find rk_dns_srv_order() which re-orders
the results of an SRV RR lookup by the algorithm in RFC2782.  We
note that the algorithm doesn't behave according to the RFC w.r.t.
entries of weight zero.  We solve this by scaling out the remaining
weights by the number of zeros we find at a particular priority
level and acting like the zero weights have a weight of one.
2016-11-10 04:45:07 -05:00
Roland C. Dowdeswell
44a1a2a273 Fix bias in ordering SRV RR results by weight.
In lib/roken/resolve.c, we find rk_dns_srv_order() which re-orders
the results of an SRV RR lookup by the algorithm in RFC2782.  We
fix a bias in the random weight sorting by changing the order of
operations when selecting rnd.  rnd should be a non-zero random
number less than the sum of the weights at a particular priority,
but zero was included as a legitimate output thus biasing the
selection process.  rk_random() % sum is still biased as a 32
bit int modulo a number which doesn't divide 2^32 does not have
a uniform distribution, but the bias should be small enough to
live with for our purposes here.
2016-11-10 04:45:07 -05:00
Nicolas Williams
13cb3b5646 Don't inhibit /etc/services matches 2016-11-09 22:49:03 -06:00
Nicolas Williams
6a68376a33 Don't inhibit /etc/hosts matches (fix #32)
Appending '.' to the hostname passed to `getaddrinfo()` is good for
avoiding extra timeouts when the search list is non-empty and the
network is broken, but searches in /etc/hosts are typically inhibited
then.  The fix is to try again without the trailing '.' if the first
lookup failed for any reason other than a timeout.
2016-11-09 22:49:03 -06:00
Viktor Dukhovni
f9749627f0 New test case detects previous template bug 2016-11-09 18:34:24 -05:00
Sergio Gelato
7c8b66d76b Use off_t in for constants used in iprop log seeks
On 32-bit architectures with _FILE_OFFSET_BITS=64,
 sizeof(off_t) > sizeof(size_t) .

LOG_HEADER_SZ was #define'd as an expression of type size_t, so in order
to get the sign extension right we need -(off_t)LOG_HEADER_SZ instead of
(off_t)(-LOG_HEADER_SZ).  However, we can just define the *_SZ macros to
cast to off_t, then we don't need to worry about negation.

Fixes Debian bug #822749, PR 175.

Signed-off-by (and updated by): Nicolas Williams <nico@twosigma.com>
2016-11-09 13:35:08 -06:00