This has most of the features needed to act as a kinit that uses GSS
APIs, specifically gss_acquire_cred_from() and gss_store_cred_into2().
It's missing some functionality, such as being able to drive prompts
from AS responses (if we add minor status codes for representing KDC
pre-auth proposals, then we do drive prompts, but we would have to
encode a lot of mechanism-specific knowledge into gsstool).

The point of this commit is to explore:

- GSS functionality for kinit-like actions
- credential store key/value pairs supported by the mechanisms
- document the credential store key/value pairs (in gsstool.1)

that might lead to further enhancements. But gsstool acquire-cred
is quite functional at this point!

We must switch to OpenSSL 3.x, and getting lib/hcrypto to provide
OpenSSL 3.x APIs is too large an undertaking. Plus the hcrypto backend
is not safe, not secure (probably has timing leaks galore), and no one
has the resources to make it a world-class crypto library, so it just
has to go.

There were cases where we weren't negotiating SANON where we should
have. But we really don't want to overdo it. In particular we really
never ever want a user with expired or absent Kerberos credentials (say)
to accidentally negotiate SANON as that will then lead to authorization
errors down the line, and those would be hard to diagnose as they would
be masking the real issue (expired or absent credentials).

So basically either the user passes GSS_C_ANON_FLAG or (and/or) they
call gss_set_neg_mechs() to explicitly request SANON.

Partly authored by me, partly authored by Claude with heavy human
guidance, and reviewed by me.

To speed up tests/gss/check-gssmask we need to remove the `sleep 10`
found there, and to do that we need to make the gssmask daemons use
roken_detach_prep()/roken_detach_finish(), and to do that we need to
split up mini_inetd_addrinfo().

This commit authored by Claude with human guidance and review.

Windows clients forget GSS_C_MUTUAL_FLAG in some situations where they
use GSS_C_DCE_STYLE, in the assumption that GSS_C_MUTUAL_FLAG is
implied.

Both Windows and MIT as server already imply GSS_C_MUTUAL_FLAG
when GSS_C_DCE_STYLE is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15740
Signed-off-by: Stefan Metzmacher <metze@samba.org>

4c34168b01 ("base: Fix use of HEIM_USE_PATH_TOKENS") relocated the
expansion of path tokens within heim_config_parse_file_multi() so
it is only performed for non-plist files. However,
parse_plist_config() does not understand tokens and will treat them
as path components. As a result, plist paths such as

    %{USERCONFIG}/Library/Preferences/com.apple.Kerberos.plist

will not be expanded. If parse_plist_config() fails with ENOENT,
then the plist configuration will be skipped and krb5_init_context()
will succeed. However, if the current working directory is invalid,
then parse_plist_config() would return ENOMEM which is a fatal
error and krb5_init_context() would fail.

For example, on macOS, if the cwd is in /afs and the user's
tokens have expired:

    user@MacBookAir user % ~/src/heimdal/kuser/heimtools klist
    shell-init: error retrieving current directory:
    getcwd: cannot access parent directories: Permission denied
    chdir: error retrieving current directory:
    getcwd: cannot access parent directories: Permission denied
    heimtools: krb5_init_context failed: 12

With this change %{USERCONFIG} is expanded and parse_plist_config()
is called with an absolute path. Even though the specified file
is inaccessible, the krb5_init_context() call succeeds.

If parse_plist_config() is called with a non-absolute path which
is defined as a path whose first character is not '/', then
CFReadStreamCreateWithFile() must determine the current working
directory in order to return a CFURLRef to an absolute path.
If getcwd() fails, then CFReadStreamCreateWithFile() returns
NULL.

Instead of unconditionally returning ENOMEM when NULL is returned,
check if the path is non-absolute and call getcwd(). If getcwd()
fails, return errno. Otherwise, return ENOMEM. This permits
ENOENT (a component of the pathname no longer exists) or EACCES
(read or search permission was denied for a component of the
pathname) to be returned as the reason.

ENOMEM is a fatal error when constructing the configuration for
krb5_init_context() whereas ENOENT and EACCES are not fatal.

Without this patch on macOS, if the cwd is in /afs and the user's
tokens have expired, then krb5_init_context() fails with ENOMEM (12).

    user@MacBookAir user % ~/src/heimdal/kuser/heimtools klist
    shell-init: error retrieving current directory: \
    getcwd: cannot access parent directories: Permission denied
    chdir: error retrieving current directory: \
    getcwd: cannot access parent directories: Permission denied
    heimtools: krb5_init_context failed: 12

With this change krb5_init_context() succeeds.
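
The error selection described in the commit message above, as an added example that is not part of the commit or of Heimdal's source. null_stream_errno() and errno_with_removed_cwd() are hypothetical names, the CoreFoundation call is left out so the logic runs on any POSIX system, and the removed-directory setup is a constructed stand-in for the expired-AFS-token case.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for mkdtemp() */
#endif
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper, not Heimdal's code: pick the error to report after
 * the stream for `path` could not be created (NULL was returned). */
static int null_stream_errno(const char *path)
{
    char cwd[PATH_MAX];

    /* A non-absolute path needs the cwd to be resolved; if getcwd()
     * fails, that failure is the real reason (ENOENT, EACCES, ...). */
    if (path[0] != '/' && getcwd(cwd, sizeof(cwd)) == NULL)
        return errno;
    return ENOMEM;          /* no better explanation available */
}

/* Constructed scenario: invalidate the cwd by removing it, classify the
 * failure for `path`, then restore the original cwd. Returns -1 on setup
 * problems. */
static int errno_with_removed_cwd(const char *path)
{
    char tmpl[] = "/tmp/plistcwd.XXXXXX";
    char saved[PATH_MAX];
    int ret;

    if (getcwd(saved, sizeof(saved)) == NULL || mkdtemp(tmpl) == NULL)
        return -1;
    if (chdir(tmpl) != 0 || rmdir(tmpl) != 0)
        return -1;
    ret = null_stream_errno(path);
    return chdir(saved) == 0 ? ret : -1;
}

int main(void)
{
    const char *unexpanded = "%{USERCONFIG}/Library/Preferences/com.apple.Kerberos.plist";
    const char *absolute = "/Library/Preferences/com.apple.Kerberos.plist";

    printf("unexpanded token path, cwd removed: %d\n", errno_with_removed_cwd(unexpanded));
    printf("absolute path, cwd removed: %d\n", errno_with_removed_cwd(absolute));
    return 0;
}
```
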
Cherry picked from libtommath 7bbc1f8e4fe6dce75055957645117180768efb15.

Vulnerability Detail:
CVE Identifier: CVE-2023-36328
Description: Integer Overflow vulnerability in mp_grow in libtom
libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9,
allows attackers to execute arbitrary code and cause a denial of
service (DoS).
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-36328
Reported-by: https://github.com/Crispy-fried-chicken