In SAnon:
The is_initiator bitfield must be unsigned to avoid undefined behaviour, as
there is only a single bit defined. Thanks to Nico Williams for explaining
this.
We were passing SANON flags to _gss_mg_import_rfc4121_context(), which
wants GSS flags. Meanwhile, I broke gss_inquire_context() on imported
SAnon contexts when I did my review of SAnon.
This commit fixes both issues and removes SANON_FLAG_*, which were only
ever needed because of a flag to track whether a context was locally
initiated or accepted. Now we use a separate int field of the sanon_ctx
to track whether a context was locally initiated. Once an SAnon context
is fully established, we rely on gss_inquire_context() on the rfc4121
sub-context for all metadata that isn't the initiator and acceptor names
nor the mechanism OID.
Add support for SAnon, a simple key agreement protocol that provides no
authentication of initiator or acceptor using x25519 ECDH key exchange.
See doc/standardization/draft-howard-gss-sanon-xx.txt for a protocol
description.
Fix for issue #486 based on a patch by Nico Williams.
A GSS-API acceptor can return an error token to be sent to the initiator. Our
SPNEGO implementation discarded these when sending a SPNEGO reject response.
This patch fixes the SPNEGO acceptor to convey those in the SPNEGO response.
The SPNEGO initiator is also updated to not bail out early on receiving a
SPNEGO reject response from the acceptor, but instead pass the response token
(if any) to gss_init_sec_context(). A reject response with no response token
will continue to return an error.
gss_release_cred_by_mech() was previously used by SPNEGO's implementation of
gss_set_neg_mechs(). This is now implemented in the mechanism glue. As we never
shipped gss_release_cred_by_mech(), it is safe to remove it and its exported
symbol.
SPNEGO was already using union creds. Now make the mechglue know about
it, delete all of the cred-related SPNEGO stubs that are now not called
(lib/gssapi/spnego/cred_stubs.c), and implement gss_get/set_neg_mechs()
by storing the OID set in the union cred.
This commit was essentially authored as much if not more by Luke Howard
<lukeh at padl.com> as much as by the listed author.
gss_add_oid_set_member() should according to RFC2744 add a copy of the OID to
the set; the current implementation just stored a pointer (which may not be
stable). As we have _gss_intern_oid(), call that before adding.
If an initial security context token doesn't have a standard header per
RFC2743 then try all mechanisms until one succeeds or all fail.
We still try to guess NTLMSSP, raw Kerberos, and SPNEGO, from tasting
the initial security context token.
gss_decapsulate_token() should return GSS_S_BAD_MECH if the mechanism did not
match the expected one, and GSS_S_DEFECTIVE_TOKEN if the token could not be
parsed for some other reason, rather than GSS_S_FAILURE in both cases
Add a new private interface (accessed through _gss_mg_import_rfc4121_context())
through which a skeletal krb5 mechanism context can be created, suitable for
RFC4121 message protection and PRF services.
The NegoEx gss_{exchange,query}_meta_data functions set allocated_ctx but never
did anything with it. Use it to determine whether we should free the context
handle on error.
Allow the source and target names to be NULL when exporting or importing a
security context for the krb5 mechanism. This will be used in the future to
support skeletal contexts that only provide RFC4121 message protection
services.
_gss_secure_release_buffer_set() patch changed minor_status to 0, not
*minor_status as correct. No behavioural change as
_gss_secure_release_buffer_set() would have set it anyway, but obviously this
was unintentional.
Anonymous names should always compare FALSE in GSS_Compare_name(). If the names
are being compared at the mechglue layer then we should check for
GSS_C_NT_ANONYMOUS.
Add the --export-import-context flag to test_context, for validating that
security contexts round-trip through GSS_Export_sec_context() and
GSS_Import_sec_context().
The prototype for gss_set_sec_context_option() allows it to return a new
context, however this was not implemented. This functionality is required by
GSS_KRB5_IMPORT_RFC4121_CONTEXT_X.
The SPNEGO dispatch table does not include gss_duplicate_cred(). It can call
directly into the mechglue because a SPNEGO credential is a mechglue
credential.
SPNEGO credentials are mechglue credentials. SPNEGO credential wrapper
functions can be replaced with direct calls into the mechglue, unless a
specific check is required to avoid infinite recursion (as is the case where
the mechglue enumerates all mechanism when passed a null credential handle).
The recent changes to SPNEGO removed support for GSS_C_PEER_HAS_UPDATED_SPNEGO,
through which the Kerberos mechanism could indicate to SPNEGO that the peer did
not suffer from SPNEGO conformance bugs present in some versions of Windows.*
This patch restores this workaround, documented in [MS-SPNG] Appendix A <7>
Section 3.1.5.1. Whilst improving interoperability with these admittedly now
unsupported versions of Windows, it does introduce a risk that Kerberos with
pre-AES ciphers could be negotiated in lieu of a stronger and more preferred
mechanism.
Note: this patch inverts the mechanism interface from
GSS_C_PEER_HAS_UPDATED_SPNEGO to GSS_C_INQ_PEER_HAS_BUGGY_SPNEGO, so that new
mechanisms (which did not ship with these older versions of Windows) are not
required to implement it.
* Windows 2000, Windows 2003, and Windows XP
Pending integration of #551, the krb5 mechanism does not support
GSS_C_ANON_FLAG. Remove the GSS_C_MA_AUTH_INIT_ANON mechanism attribute until
such time it does.
Sort the list of mechanisms proposed by the initiator so that mechanisms are
preferred by their advertised support for GSS flags. For example, if
GSS_C_MUTUAL_FLAG is requested, a mechanism that offers GSS_C_MA_AUTH_TARG will
be preferred over one that doesn't. The flag/mechanism attribute combinations
are also assigned a weight (mutual trumps anonymous, for example).
__gss_c_attr_stream_sizes_oid_desc was tagged with GSSAPI_LIB_FUNCTION instead
of GSSAPI_LIB_VARIABLE; whilst the macro expansion is identical, fix for
cleanliness
This is needed so that sshd and such can get make practical use of the
"ccache" key in GSS cred stores.
This commit only changes the store path, not the acquisition path.
gss_store_cred_into*() will now switch the new cred cache to be the
primary/default cred cache when
- the caller requested it and,
- if the caller passed in a user name, the creds' principal is the best
principal for the named user.
A principal is the best principal for a user when the principal has just
one component, the component is the user's username, and the realm is
the configured user_realm.
- Formalize the TYPE:collection_name:subsidiary_name naming scheme for
ccaches in ccache collections
- KEYRING: ccaches are weird because they have one more optional field: the
"anchor", so rather than just assume a naming convention everywhere, we
add new functions as well
- Add krb5_cc_{resolve,default}_sub() that allows one to specify a
"subsidiary" ccache name in a collection separately from the
collection name
- Add krb5_cc_{resolve,default}_for() which take a principal name,
unparse it, and use it as the subsidiary ccache name (with colons
replaced)
- Make kinit use the new interfaces
- Add missing DIR ccache iteration functionality
- Revamps test_cc
- Add krb5_cc_get_collection() and krb5_cc_get_subsidiary()
- Bump the ccops SPI version number
- Add gss_store_cred_into2()
- Make MEMORY:anonymous not linked into the global MEMORY ccache
collection, and uses this for delegated cred handles
TBD:
- Split this up into a krb5 change and gss mech_krb5 change?
- Add krb5_cc_init_and_store() utility, per Greg's suggestion?
This is the second of two commits in a series that must be picked together.
This series of two commits moves parts of lib/krb5/ infrastructure
functionality to lib/base/, leaving behind wrappers.
Some parts of libkrb5 are entirely generic or easily made so, and could
be useful in various parts of Heimdal that are not specific to the krb5
API, such as:
- lib/gssapi/ (especially since the integration of NegoEx)
- lib/hx509/
- bx509d (which should really move out of kdc/)
For the above we need to move these bits of lib/krb5/:
- lib/krb5/config_file.c (all of it, leaving forwardings behind)
- lib/krb5/config_reg.c (all of it)
- lib/krb5/plugin.c (all of it, leaving forwardings behind)
- lib/krb5/log.c (all of it, ditto)
- lib/krb5/heim_err.et (all of it)
And because of those two, these too must also move:
- lib/krb5/expand_path.c (all of it, leaving forwardings behind)
- lib/krb5/warn.c (just the warning functions, ditto)
The changes to the moved files are mostly quite straightforward and are
best reviewed with --word-diff=color.
We're also creating a heim_context and a heim API to go with it. But
it's as thin as possible, with as little state as necessary to enable
this move. Functions for dealing with error messages use callbacks.
Moving plugin.c does have one knock-on effect on all users of the old
krb5 plugin API (which remains), which is that a global search and
replace of struct krb5_plugin_data to struct heim_plugin_data was
needed, though the layout and size of that structure doesn't change, so
the ABI doesn't either.
As well, we now build lib/vers/ and lib/com_err/ before lib/base/ so as
to be able to move lib/krb5/heim_err.et to lib/base/ so that we can make
use of HEIM_ERR_* in lib/base/, specifically in the files that moved.
Once this is all done we'll be able to use config files and plugins in
lib/hx509/, we'll be able to move bx509d out of kdc/, and so on.
Most if not all of the new functions in lib/base/ are Heimdal-private,
thus calling conventions for them are not declared.
Status:
- builds and passes CIs (Travis, Appveyor)
- ran make check-valgrind and no new leaks or other memory errors
- ready for review
HOW TO REVIEW:
$ # Review file moves:
$ git log --stat -n1 HEAD^
$
$ # Review changes to moved files using --word-diff=color
$ git log -p -b -w --word-diff=color HEAD^..HEAD \
lib/base/config_file.c \
lib/base/config_reg.c \
lib/base/expand_path.c \
lib/base/warn.c \
lib/krb5/config_file.c \
lib/krb5/config_reg.c \
lib/krb5/expand_path.c \
lib/krb5/warn.c
$
$ # Review the whole thing, possibly adding -b and/or -w, and
$ # maybe --word-diff=color:
$ git log -p origin/master..HEAD
$ git log -p -b -w origin/master..HEAD
$ git log -p -b -w --word-diff=color origin/master..HEAD
TBD (future commits):
- make lib/gssapi use the new heimbase functions
- move kx509/bx509d common code to lib/hx509/ or other approp. location
- move bx509d out of kdc/
Initialize mechanism output parameters before calling mechanism
GSS_Accept_sec_context(), to behave robustly with poorly implemented mechanisms
that may return before initializing them.
