We now have what we need in krb5_principal to implement much of RFC6680.
Now we populate those fields so that they can be accessed by GSS-API
RFC6680 name attributes functions.
The next commit should add much of the GSS-API RFC6680 name attributes
functions and functionality.
See `asn1: Add --decorate=... for internal bookkeeping`, which adds an
option to `asn1_compile` for decorating SET/SEQUENCE types with fields
that are neither encoded nor decoded, but which _are_ copied and freed.
We'll use this to add name attributes to the `Principal` type (which is
used to represent Kerberos principal names in the krb5 GSS mechanism)
without having to rototill the GSS krb5 mechanism nor the krb5 library,
and without affecting the encodings of HDB entries (which happen to use
the `Principal` type).
This option, `--decorate=TYPE-NAME:FIELD-TYPE:field-name[?]` allows one to add
a field to any struct generated by the ASN.1 compiler for any SET or SEQUENCE
type such that:
- the field will be freed by the `free_TYPE_NAME()` function
- the field will be copied by the `copy_TYPE_NAME()` function
- the field will not be printed by the `print_TYPE_NAME()` function
- the field will NOT be encoded or decoded
This is useful for internal bookkeeping.
The first use of this may well be for adding an optional field to
`Principal` where information about name attributes will be stored,
which will then allow us to have GSS name attributes for the krb5
mechanism w/o having to refactor the mechanism to use a different
structure for representing `gss_name_t` mechnames than the one currently
used (`Principal`; `krb5_principal` happens to be a typedef alias of
`Principal *`).
So w/o massive rototilling of the GSS krb5 mechanism we can have name
attributes, _and_ we'll also be able to have those in the krb5 API as
well w/o any massive rototilling there either.
Add a new authorization data type to indicate a synthetic principal was used,
to allow synthetic clients acquired outside of PKINIT (e.g. with GSS-API
pre-authentication) to use the TGS.
Note: we continue to honor KRB5_AUTHDATA_INITIAL_VERIFIED_CAS to indicate that
it is OK for the client to be synthetic, even though it is only an indication
that the client *may* have been synthetic.
Previously, if left==right==A1_HEADER_LEN(tos), this would read past the
end of the template array. Now we treat [left, right) as a half-open
interval and no longer try to read from 'right'.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Sync with most changes in AS/TGS client from Apple's Heimdal-597.121.1
(opensource.apple.com).
Changes include:
- FAST support in TGS client
- Refactored pre-auth client to be more easily extensible
- Pin KDC host and AD site name in API calls
Note the completely refactored TGS client loop is not imported as that was
considered too intrusive.
Decoding a FAST request will only give us the FastOptions flags that are
explicitly declared in the ASN1 source. This meant that the check for
unsupported mandatory options would never succeed, and an unsupported
option would go undetected.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Samba is starting to protect against bi-di attacks and the starting point
is to require that input files be fully UTF-8. In 2021 this is a reasonable
starting point anyway.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Although not required to address bad code generation in
some versions of gcc 9 and 10, a coding style that requires
explicit comparison of the result to zero before use is
both clearer and would have avoided the generation of bad
code.
This change converts all use of cmp function usage from
```
if (strcmp(a, b) || !strcmp(c, d)) ...
```
to
```
if (strcmp(a, b) != 0 || strcmp(c, d)) == 0
```
for all C library cmp functions and related:
- strcmp(), strncmp()
- strcasecmp(), strncasecmp()
- stricmp(), strnicmp()
- memcmp()
Change-Id: Ic60c15e1e3a07e4faaf10648eefe3adae2543188
This reverts commit e27e056b45.
e27e056b45 was needed mainly for ENOTSUP.
ENOTSUP is not available in older C run-times.
Also, lib/roken has wrappers for the CRT allocator, but we don't need
those in lib/asn1 because all the functions generated by the compiler
effectively encapsulate the corresponding DLL's CRT's allocator.
This will be followed by a change to not use ENOTSUP.
Otherwise, on 32-bit Windows there is a mismatch that and the
ESP register will not be populated correctly.
Prior to this change some exports were ASN1CALL and others
were not. All of the tests assume ASN1CALL.
Change-Id: Icecff44aed4726b86100c939f64628d121bbd7ee
roken ensures the correct headers are used for each platform,
ensures availability of non-portable constants (e.g. ENOTSUP),
and on Windows enforces a consistent source for memory management.
Change-Id: I31aa2935d0af9f3d9529166679d9eff35ccedfad
KRB5SignedPath was a Heimdal-specific authorization data element used to
protect the authenticity of evidence tickets when used in constrained
delegation (without a Windows PAC).
Remove this, to be replaced with the Windows PAC which itself now supports
signing the entire ticket in the TGS key.
Add unkeyed checksum types for SHA-256, SHA-384 and SHA-512, for future
internal use. They are assigned private (negative) checksum types and must
never appear in cleartext on the wire.
To comply with the latest POSIX standard, in Yacc compatibility mode
(options `-y`/`--yacc`) Bison now generates prototypes for yyerror and
yylex. In some situations, this is breaking compatibility: if the user
has already declared these functions but with some differences (e.g., to
declare them as static, or to use specific attributes), the generated
parser will fail to compile. To disable these prototypes, #define yyerror
(to `yyerror`), and likewise for yylex.
refer: https://git.savannah.gnu.org/cgit/bison.git/tree/NEWS
GNU Bison 3.8
Add support for GSS-API pre-authentication to the KDC, using a simplified
variation of draft-perez-krb-wg-gss-preauth-02 that encodes GSS-API context
tokens directly in PADATA, and uses FX-COOKIE for state management.
More information on the protocol and implementation may be found in
lib/gssapi/preauth/README.md.
Windows 32-bit builds were broken as the ASN1CALL calling convention
macro was not included in the output of gen_template.c, only in the
generated header.
vis.h is not built on platforms (such as macOS) that already have
that header, which resulted in prototypes for Heimdal-specific
vis.h extensions being absent.
Move those prototypes to a separate header, vis-extras.h, which
must be explicitly included in order to use the Heimdal extensions.
The codegen backend is faster than the template backend, even for
modules that don't use IOS. On x64 we see the template backend being
4% slower for TGS requests using the kdc-tester program.
So let's build both, libasn1 (codegen) and libasn1template when
configured with --disable-asn1-templating, but make sure that the
asn1_print utility is linked with libasn1template.
Eventually we'll want to either optimize the template backend better,
or add IOS and JSON printing support to the codegen backend.
