Nicolas Williams
7818f44659
gss_preauth: Fix build race
2021-08-29 13:50:39 -05:00
Luke Howard
f43dbb1d25
gss_preauth: fix header dependency
2021-08-28 16:35:05 +10:00
Luke Howard
f551ae3d82
gss_preauth: remove gss_preauth.h
...
Remove gss_preauth.h, it is now auto-generated.
2021-08-27 19:51:32 +10:00
Luke Howard
ed1ef5d776
asn1: correctly check gmtime_s() return value
...
gmtime_s(), used on Windows, returns an errno_t not a struct tm *.
The previous code caused strftime() to dereference a NULL struct tm *.
2021-08-27 16:10:03 +10:00
Luke Howard
774f50b28b
gss: move GSS pre-auth helpers to convenience lib
...
GSS pre-auth helpers do not belong in libgssapi, so move them to a separate
convenience library.
2021-08-27 15:20:07 +10:00
Luke Howard
773802aecf
kdc: fix _kdc_set_e_text argument in previous commit
...
"r" is the realm, not the TGS request; that is priv
2021-08-27 15:15:32 +10:00
Luke Howard
892a1ffcaa
kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
...
If cname or sname is missing in the AS-REQ, return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN respectively. This matches MIT behaviour.
2021-08-27 11:45:41 +10:00
Luke Howard
0417114794
kdc: validate sname in TGS-REQ
...
In tgs_build_reply(), validate the server name in the TGS-REQ is present before
dereferencing.
2021-08-27 11:45:41 +10:00
Nicolas Williams
a5378daa6c
Revert "gss: Fix leak of output_token in GSS PA"
...
This reverts commit 041907d517.
2021-08-26 01:06:33 -05:00
Nicolas Williams
e6283e2d3f
hx509: For times before 2050 use UTCTime (fix pasto)
2021-08-25 22:54:25 -05:00
Nicolas Williams
041907d517
gss: Fix leak of output_token in GSS PA
2021-08-25 22:53:52 -05:00
Andrew Bartlett
6f21611755
Avoid -Werror=address by skipping pointless _mg_buffer_zero()
...
We do not need to zero out the local variable output_token
if we do not later call gss_release_buffer() on it.
This avoids a -Werror=address compile failure under the
strict compiler options Samba uses when compiled on Ubuntu
20.04 with gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
In file included from ../../source4/heimdal/lib/gssapi/preauth/pa_client.c:34:
../../source4/heimdal/lib/gssapi/preauth/pa_client.c:148:21: error: the address of ‘output_token’ will always evaluate as ‘true’ [-Werror=address]
148 | _mg_buffer_zero(&output_token);
| ^
../../source4/heimdal/lib/gssapi/mech/mech_locl.h:72:7: note: in definition of macro ‘_mg_buffer_zero’
72 | if (buffer) { \
| ^~~~~~
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2021-08-26 09:31:00 +10:00
Nicolas Williams
3f7972e6be
hx509: Use preferred attribute string types
...
The DC (domainComponent) attribute wants to be an IA5String.
This really doesn't matter, but if we want to conform to the spec (RFC 4519,
referenced by RFC 5280), then we have to do this.
2021-08-25 17:00:12 -05:00
Nicolas Williams
f425e116b5
hx509: For times before 2050 use UTCTime
2021-08-25 16:48:10 -05:00
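Added example (not Heimdal's code, and not part of the commit log above) illustrating two points from the entries on this page: the gmtime_s() return-value check fixed in ed1ef5d776, and the "UTCTime before 2050" rule from f425e116b5 / e6283e2d3f. The rule itself is RFC 5280 4.1.2.5 (dates through 2049 as UTCTime, 2050 and later as GeneralizedTime, two-digit years >= 50 read as 19YY). Everything else is assumed for illustration: the `safe_gmtime()`, `der_encode_time()`, `utctime_year()` and `encode_matches()` names are hypothetical, the `_WIN32` branch is an assumption about the target and is not exercised here, and the sample time_t values are constructed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* X.690 universal tags for the two alternatives of the X.509 Time CHOICE. */
#define ASN1_TAG_UTCTIME         0x17
#define ASN1_TAG_GENERALIZEDTIME 0x18

/*
 * Portable gmtime wrapper: returns 0 on success, non-zero on failure.
 * The two underlying APIs differ in shape: POSIX gmtime_r() returns a
 * struct tm * (NULL on error), while Windows gmtime_s() returns an
 * errno_t (0 on success).  Treating the errno_t like a pointer and
 * testing it against NULL inverts the check, so an error is mistaken
 * for success and the caller formats an unset struct tm.
 * (Hypothetical helper; the _WIN32 branch is an assumption.)
 */
static int safe_gmtime(time_t t, struct tm *out)
{
#ifdef _WIN32
    return (int)gmtime_s(out, &t);
#else
    if (gmtime_r(&t, out) == NULL)
        return errno != 0 ? errno : EOVERFLOW;
    return 0;
#endif
}

/*
 * DER-encode t as an X.509 Time: UTCTime "YYMMDDHHMMSSZ" for 1950..2049,
 * GeneralizedTime "YYYYMMDDHHMMSSZ" otherwise (UTCTime cannot express
 * years outside that window).  Writes tag, length and body into buf and
 * returns the total length, or -1 on failure.  (Hypothetical helper.)
 */
static int der_encode_time(time_t t, unsigned char *buf, size_t buflen)
{
    struct tm tm;
    char body[24];
    int year, n, tag;

    if (safe_gmtime(t, &tm) != 0)
        return -1;                     /* never format an unset tm */
    year = tm.tm_year + 1900;
    if (year >= 1950 && year <= 2049) {
        tag = ASN1_TAG_UTCTIME;
        n = snprintf(body, sizeof body, "%02d%02d%02d%02d%02d%02dZ",
                     year % 100, tm.tm_mon + 1, tm.tm_mday,
                     tm.tm_hour, tm.tm_min, tm.tm_sec);
    } else {
        tag = ASN1_TAG_GENERALIZEDTIME;
        n = snprintf(body, sizeof body, "%04d%02d%02d%02d%02d%02dZ",
                     year, tm.tm_mon + 1, tm.tm_mday,
                     tm.tm_hour, tm.tm_min, tm.tm_sec);
    }
    if (n < 0 || (size_t)n >= sizeof body || buflen < 2 + (size_t)n)
        return -1;
    buf[0] = (unsigned char)tag;
    buf[1] = (unsigned char)n;         /* short-form length: n < 128 */
    memcpy(buf + 2, body, (size_t)n);
    return 2 + n;
}

/* Decoding side of the same rule: a UTCTime year YY is 19YY if YY >= 50,
 * otherwise 20YY (RFC 5280 4.1.2.5.1).  (Hypothetical helper.) */
static int utctime_year(int yy)
{
    return yy >= 50 ? 1900 + yy : 2000 + yy;
}

/* Convenience check: 1 if encoding t yields exactly <tag><len><body>. */
static int encode_matches(time_t t, int tag, const char *body)
{
    unsigned char buf[32];
    size_t blen = strlen(body);
    int n = der_encode_time(t, buf, sizeof buf);
    return n == (int)(2 + blen) && buf[0] == (unsigned char)tag &&
           buf[1] == (unsigned char)blen && memcmp(buf + 2, body, blen) == 0;
}

int main(void)
{
    /* Constructed samples: the epoch, the last second of 2049, and the
     * first second of 2050 (2524608000 = 80*365 + 20 leap days, in seconds). */
    time_t samples[] = { 0, (time_t)2524607999LL, (time_t)2524608000LL };
    unsigned char buf[32];
    int i;

    for (i = 0; i < 3; i++) {
        int n = der_encode_time(samples[i], buf, sizeof buf);
        if (n < 0)
            printf("%lld -> encode failed\n", (long long)samples[i]);
        else
            printf("%lld -> tag 0x%02x %.*s\n", (long long)samples[i],
                   buf[0], n - 2, (const char *)buf + 2);
    }
    return 0;
}
```

The boundary pair shows why the pivot matters in practice: 2049-12-31T23:59:59Z still fits UTCTime, while one second later the encoder must switch tags, and a decoder that treats "50" as 2050 instead of 1950 would misread every pre-2000 UTCTime on the same certificate.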
Nicolas Williams
edf259dac9
asn1: Update comment in rfc2459.asn1
2021-08-25 15:42:24 -05:00
Nicolas Williams
75449e1071
gss: Fix build for GSS preauth helpers
2021-08-25 15:41:35 -05:00
Luke Howard
76624dd4eb
krb5: export krb5_set_log_dest()
...
krb5_set_log_dest() was not exported. Export it.
2021-08-24 21:16:10 +10:00
Luke Howard
b3511c145c
gss: check for NULL before calling dlclose()
...
Calling dlclose(NULL) on some recent versions of Linux appears to cause the
process to segfault.
2021-08-20 00:07:12 +10:00
Luke Howard
a56c3ad819
krb5: fix prototype in pa_gss_finish()
...
Fix merge issue that arose after merging another fix from the
lukeh/gss-preauth-apple branch.
2021-08-18 08:17:04 +10:00
Luke Howard
1cdc9d5f3c
krb5: export krb5_init_creds_step()
...
Public API included in headers but not exported.
2021-08-16 22:42:36 +10:00
Luke Howard
576ce5d663
kdc: remove unused label in _kdc_gss_mk_pa_reply()
...
The out: label in _kdc_gss_mk_pa_reply() was unused; remove it.
2021-08-15 20:56:34 +10:00
Luke Howard
5fb3cc998e
kdc: check gcp != NULL
...
In the _kdc_gss_rd_padata() failure path, check gcp != NULL before failing.
2021-08-15 16:29:21 +10:00
Luke Howard
386b8d328a
kdc: refactor/improve error handling in GSS pa
2021-08-15 16:07:46 +10:00
Luke Howard
a2538aeb38
kdc: fix leak in previous commit
...
Don't zero output_token unless it was moved to PA-GSS padata.
2021-08-15 15:52:08 +10:00
Luke Howard
df9e74b292
kdc: allow GSS error tokens in PA reply
...
If GSS_Accept_sec_context() returns an error status and error token, ensure we
include the error token in the PA-GSS padata in the KRB-ERROR reply, rather
than bailing out early.
2021-08-15 15:40:59 +10:00
Luke Howard
432fe0ad56
krb5: treat KRB5_NT_SRV_HST and KRB5_NT_SRV_INST identically
...
Update previous commit, mapping KRB5_NT_SRV_HST as well as KRB5_NT_SRV_INST to
GSS_C_NT_HOSTBASED_SERVICE.
2021-08-15 15:04:21 +10:00
Luke Howard
95d553e009
krb5: improve krb5 to GSS name conversion
...
First attempt to import krb5 names as GSS_KRB5_NT_PRINCIPAL_NAME; if that
fails, choose the most appropriate name form based on Kerberos name type.
2021-08-15 14:48:14 +10:00
Luke Howard
939cdbe4ad
krb5: always canonicalize GSS federated name
...
When using WELLKNOWN/FEDERATED in GSS-API pre-authentication, always
replace with the cname in the AS-REP.
2021-08-15 13:50:21 +10:00
Luke Howard
e840681451
krb5: try GSS_KRB5_NT_PRINCIPAL_NAME first for PA
...
When importing a Kerberos name for GSS pre-auth, first try to import the name
as GSS_KRB5_NT_PRINCIPAL_NAME. If that fails, fall back to GSS_C_NT_USER_NAME.
2021-08-15 09:54:45 +10:00
Luke Howard
f73f08eef1
kdc: ensure GSS-API pre-auth acceptor name is TGS
...
The target (acceptor) name for GSS-API pre-authentication should be the name of
the TGS, not the server name in the AS-REQ, as it is the KDC which is being
mutually authenticated. If the client is not requesting a TGT, they may differ.
2021-08-15 09:14:58 +10:00
Nicolas Williams
b8112ac562
hx509: Build libhx509template and hxtool with it
2021-08-12 17:31:35 -05:00
Nicolas Williams
df4b09f8af
asn1: Also pretty-print cert policies
2021-08-12 17:31:35 -05:00
Luke Howard
7db298668b
kdc: fix pa_gss_authorize_cb calling convention
...
pa_gss_authorize_cb() needs to be marked KRB5_LIB_CALL to build on 32-bit
Windows
2021-08-12 18:13:45 +10:00
Luke Howard
95339c1068
gss: fix Windows preauth build issues
...
Fix lib/gssapi NTMakefile for GSS-API pre-authentication dependencies
2021-08-12 18:09:40 +10:00
Luke Howard
3302b38e53
gss: fix Windows preauth build issues
...
Fix kdc/kuser NTMakefiles for GSS-API pre-authentication dependencies
2021-08-12 17:57:17 +10:00
Luke Howard
49f3f5bd99
kdc: support for GSS-API pre-authentication
...
Add support for GSS-API pre-authentication to the KDC, using a simplified
variation of draft-perez-krb-wg-gss-preauth-02 that encodes GSS-API context
tokens directly in PADATA, and uses FX-COOKIE for state management.
More information on the protocol and implementation may be found in
lib/gssapi/preauth/README.md.
2021-08-12 17:37:01 +10:00
Luke Howard
15c82996a4
windows: add /td sha256 argument to signtool
...
Recent versions of signtool require an additional /td sha256 argument to
indicate the timestamp hash type.
2021-08-12 16:33:56 +10:00
Luke Howard
6e3bc8341c
doc: make intermediate Windows help directory
...
The hx509 and heimdal subdirectories are required to exist before
Windows help compilation can proceed.
2021-08-12 16:33:51 +10:00
Luke Howard
89ff0eb462
asn1: ensure template generator includes ASN1CALL
...
Windows 32-bit builds were broken as the ASN1CALL calling convention
macro was not included in the output of gen_template.c, only in the
generated header.
2021-08-12 16:33:45 +10:00
Luke Howard
3a9e7346cc
gss: cast HEIM_ERR_EOF to OM_uint32 before check (2)
...
In gss_import_cred(): HEIM_ERR_EOF is negative, cast to OM_uint32 before
checking against *minor_status
2021-08-12 09:20:22 +10:00
Luke Howard
3f4d894dd3
gss: cast HEIM_ERR_EOF to OM_uint32 before check
...
In gss_import_cred(): HEIM_ERR_EOF is negative, cast to OM_uint32 before
checking against *minor_status
2021-08-12 09:18:22 +10:00
Luke Howard
2f4619fbbd
cf: check for undefined variables
...
The w32-hh-toc-from-info.pl script would fail with more recent versions
of Perl, as it attempted to access undefined variables.
2021-08-12 08:46:03 +10:00
Luke Howard
1175fa0435
gss: don't include mech_locl.h in spnego
...
Including mech_locl.h in spnego/context_storage.c is unnecessary and
breaks the build on Windows.
2021-08-11 19:12:11 +10:00
Luke Howard
0c74bec235
krb5: pass realm to _krb5_make_fast_ap_fxarmor()
...
Fix merge issue introduced in ef1d63a9 which did not update the call
site after updating the _krb5_make_fast_ap_fxarmor() prototype to take
the realm (used in the anonymous PKINIT case).
2021-08-11 19:09:18 +10:00
Luke Howard
ab3d52e1a2
base: use correct calling convention for log_file()
...
Use the correct HEIM_CALLCONV calling convention when setting log_file()
callback, otherwise Windows build fails.
2021-08-11 19:09:08 +10:00
Luke Howard
b216697924
kdc: use anonymous, not empty, cname when hiding
...
RFC 6113 5.4.2 says that when hiding client names in the outer reply of a FAST
response, the wellknown anonymous principal MUST be used.
The previous implementation returned an empty client name and realm, which may
not be expected by some clients.
2021-08-11 12:23:25 +10:00
Luke Howard
b510b90239
krb5: export krb5_time_abs for test_time
...
Function introduced in 8a4ce995 needs to be exported.
2021-08-10 20:47:44 +10:00
Luke Howard
a27a3af0c2
gss: store_spnego_context(): remove redundant overflow check
...
ctx->negoex_step is now a uint8_t, so it can never be bigger than 0xff. Remove
redundant overflow check.
2021-08-10 20:11:35 +10:00
Luke Howard
d34700b4d9
krb5: add extra sanity check in pk_verify_sign()
...
Assert either PKINIT signer certificate was validated, or caller requested no
KDC certificate validation.
2021-08-10 16:25:26 +10:00
Luke Howard
ef1d63a997
kinit: add --pk-anon-fast-armor option
...
Add the --pk-anon-fast-armor option, which acquires a temporary anonymous
PKINIT TGT to use as a FAST armor key.
2021-08-10 15:30:45 +10:00