Make keyed checksums mandatory when generating and verifying checksums, with
the following exceptions:
* the checksum is being generated or verified as part of encrypting data for
a legacy (DES) encryption type
* the KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM flag was set on the crypto
context, used to allow unkeyed checksums in krb5 authenticators
By making unkeyed checksums opt-in, we eliminate a class of potential
vulnerabilities where callers could pass unkeyed checksums.
Any code that uses the mandatory checksum type for a given non-legacy
encryption type should not be affected by this change. It could potentially
break, say, a client trying to do FAST with DES keys but, that should not be
supported (because FAST KDCs also support AES).
Closes: #835
Split Windows PAC signing and verification logic, as the signing has to be when
the ticket is ready.
Create sign and verify the PAC KDC signature if the plugin did not, allowing
for S4U2Proxy to work, instead of KRB5SignedPath.
Use the header key to verify PAC server signature, as the same key used to
encrypt/decrypt the ticket should be used for PAC server signature, like U2U
tickets are signed witht the tgt session-key and not with the longterm key,
and so krbtgt should be no different and the header key should be used.
Lookup the delegated client in DB instead of passing the delegator DB entry.
Add PAC ticket-signatures and related functions.
Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests
against new KDC will not work if the evidence ticket was acquired from
an old KDC, and vide versa.
Closes: #767
krb5_enomem() was lacking a calling convention decoration, breaking Windows
consumers if __cdecl was not the default calling convention. Add KRB5_LIB_CALL
to make it consistent with other library functions.
Closes: #834
Add a new krbhst type, KRB5_KRBHST_TKTBRIDGEAP to krb5_krbhst_init_flags(),
that looks for the DNS SRV record kerberos-tkt-bridge. This is to support a new
PADL project.
Add unkeyed checksum types for SHA-256, SHA-384 and SHA-512, for future
internal use. They are assigned private (negative) checksum types and must
never appear in cleartext on the wire.
This reverts commit 34b374b5e4.
We are revising the GSS-API pre-authentication draft to include the nonce from
the first request in the GSS channel bindings, to avoid re-encoding issues that
may surface with Kerberos implementations that do not correctly implement DER.
Zero nonce before encoding KDC-REQ-BODY to be used as channel binding
application data in GSS-API pre-authentication. This is because the nonce may
change between AS-REQs and the channel binding data should be invariant between
calls to GSS_Init_sec_context().
Add support for GSS-API pre-authentication to the KDC, using a simplified
variation of draft-perez-krb-wg-gss-preauth-02 that encodes GSS-API context
tokens directly in PADATA, and uses FX-COOKIE for state management.
More information on the protocol and implementation may be found in
lib/gssapi/preauth/README.md.
Fix merge issue introduced in ef1d63a9 which did not update the call
site after updating the _krb5_make_fast_ap_fxarmor() prototype to take
the realm (used in the anonymous PKINIT case).
krb5_addlog_func() is used by Samba to obtain Kerberos log messages
and place them into the Samba logs.
Providing a hook down to the heim_addlog_func() is less disruptive
than needing to call multiple different APIs as Samba compiles
both with an included copy of Heimdal and against a system
Heimdal (when not an AD DC).
This API was deprecated and stubbed out in March 2020 by ea90ca8 and was
previously stable until 0c86917 (which looks like it should have been part of
e44c680).
Despite the need for the extra argument, which we add a test for, Samba would
prefer to keep the krb5_addlog_func() facility, so this adds it back.
Signed-off-by: Andrew Bartlett abartlet@samba.org
Store a data blob to the storage. The data is stored with an int32 as
length plus the data (not padded). This function only differs from
krb5_store_data() insofar as it takes a void * and a length as parameters.
Patch from Roland C. Dowdeswell <elric@imrryr.org>
krb5_get_next() and krb5_get_cache_next() do not check for krb5_kcm_call()
returning non-zero before accessing the repsonse data; they only handle the
case where the return value is KRB5_CC_END.
Return immediately if the return value of krb5_kcm_call() is not KRB5_CC_END or
0. This was fixed in the Apple code.
While Ken Hornstein's FAQ was useful in its day, much of its content
is no longer relevant (e.g., Kerberos 4) or even actively harmful
(e.g., the latest version of MIT krb5 is not 1.2.1). It was also
somewhat MIT-krb5-focused, especially relating to configuration file
snippets, which is not necessarily a great fit for the Heimdal
documentation.
Replace it with a tutorial hosted on kerberos.org and the classic
"dialogue" from Bill Bryant.
Fixes: #766
This adds support for using a Heimdal-specific PKIX extension to derive
a maximum Kerberos ticket lifetime from a client's PKINIT certificate.
KDC configuration parameters:
- pkinit_max_life_from_cert_extension
- pkinit_max_life_bound
If `pkinit_max_life_from_cert_extension` is set to true then the
certificate extension or EKU will be checked.
If `pkinit_max_life_bound` is set to a positive relative time, then that
will be the upper bound of maximum Kerberos ticket lifetime derived from
these extensions.
The KDC config `pkinit_ticket_max_life_from_cert` that was added earlier
has been renamed to `pkinit_max_life_from_cert`.
See lib/hx509 and lib/krb5/krb5.conf.5.
MSFT makes the `q` field of `DomainParameters` OPTIONAL even though it's
actually required. We currently validate DH groups not by validating
that p is a Sophie Germain prime but by checking the proposed group
against a compiled-in list and against a krb5.moduli file, therefore we
don't need q. Besides, for Oakley groups, because p is a Sophie Germain
prime, we'd have q=p/j and j=2, so we can always compute q as needed
(and MIT Kerberos does).
This adds a KDC configuration parameter that can be used to indicate
that a PKINIT client's certificate's notAfter overrides the client
principal's HDB entry's max_life. This parameter is a relative time
parameter, and it enables this only if set to a non-zero value (defaults
to zero). The value of this parameter caps the max_life inferred from
the certificate.
