This is the second of two commits in a series that must be picked together.
This series of two commits moves parts of lib/krb5/ infrastructure
functionality to lib/base/, leaving behind wrappers.
Some parts of libkrb5 are entirely generic or easily made so, and could
be useful in various parts of Heimdal that are not specific to the krb5
API, such as:
- lib/gssapi/ (especially since the integration of NegoEx)
- lib/hx509/
- bx509d (which should really move out of kdc/)
For the above we need to move these bits of lib/krb5/:
- lib/krb5/config_file.c (all of it, leaving forwardings behind)
- lib/krb5/config_reg.c (all of it)
- lib/krb5/plugin.c (all of it, leaving forwardings behind)
- lib/krb5/log.c (all of it, ditto)
- lib/krb5/heim_err.et (all of it)
And because of those two, these too must also move:
- lib/krb5/expand_path.c (all of it, leaving forwardings behind)
- lib/krb5/warn.c (just the warning functions, ditto)
The changes to the moved files are mostly quite straightforward and are
best reviewed with --word-diff=color.
We're also creating a heim_context and a heim API to go with it. But
it's as thin as possible, with as little state as necessary to enable
this move. Functions for dealing with error messages use callbacks.
Moving plugin.c does have one knock-on effect on all users of the old
krb5 plugin API (which remains), which is that a global search and
replace of struct krb5_plugin_data to struct heim_plugin_data was
needed, though the layout and size of that structure doesn't change, so
the ABI doesn't either.
As well, we now build lib/vers/ and lib/com_err/ before lib/base/ so as
to be able to move lib/krb5/heim_err.et to lib/base/ so that we can make
use of HEIM_ERR_* in lib/base/, specifically in the files that moved.
Once this is all done we'll be able to use config files and plugins in
lib/hx509/, we'll be able to move bx509d out of kdc/, and so on.
Most if not all of the new functions in lib/base/ are Heimdal-private,
thus calling conventions for them are not declared.
Status:
- builds and passes CIs (Travis, Appveyor)
- ran make check-valgrind and no new leaks or other memory errors
- ready for review
HOW TO REVIEW:
$ # Review file moves:
$ git log --stat -n1 HEAD^
$
$ # Review changes to moved files using --word-diff=color
$ git log -p -b -w --word-diff=color HEAD^..HEAD \
lib/base/config_file.c \
lib/base/config_reg.c \
lib/base/expand_path.c \
lib/base/warn.c \
lib/krb5/config_file.c \
lib/krb5/config_reg.c \
lib/krb5/expand_path.c \
lib/krb5/warn.c
$
$ # Review the whole thing, possibly adding -b and/or -w, and
$ # maybe --word-diff=color:
$ git log -p origin/master..HEAD
$ git log -p -b -w origin/master..HEAD
$ git log -p -b -w --word-diff=color origin/master..HEAD
TBD (future commits):
- make lib/gssapi use the new heimbase functions
- move kx509/bx509d common code to lib/hx509/ or other approp. location
- move bx509d out of kdc/
Initialize mechanism output parameters before calling mechanism
GSS_Accept_sec_context(), to behave robustly with poorly implemented mechanisms
that may return before initializing them.
test_negoex_mech, being a simple test mechanism ported from MIT that was not
designed to be particularly robust, failed to initialize various output
parameters such as the source name. On Heimdal this triggered an invalid read
because the mechglue did not initialize those variables before calling the
mechanism. This commit fixes this.
NTLM erroneously requires a mechListMIC at the SPNEGO layer if an internal MIC
in the NTLM protocol was used. Add a private interface between SPNEGO and the
Samba NTLM mechanism to allow the mechanism to signal that a mechListMIC is
required even if it otherwise would not be.
This interface is the same as that supported by MIT.
Note that only the Samba NTLM mechanism currently implements this feature, it
is not implemented by the Heimdal NTLM mechanism (which does not support NTLM
authenticate message MICs).
Previously krb5 was tried explicitly, but now the internal mech list is
reordered so that krb5 is first, this should no longer be required. This
permits an application to specify another mechanism as preferred over krb5
using gss_set_neg_mechs().
RFC 4178 4.2.2 uses the field name negState rather than negResult in
NegTokenResp, to denote the negotiation state. Harmonize with this, also
replacing the underscores in accept-completed and accepet-incomplete to match
the RFC.
An implementation of draft-zhu-negoex-04 for MIT Kerberos was developed in
2011. This has been recently integrated, with many fixes from Greg Hudson. This
commit ports it to Heimdal. The implementation has been interoperability tested
with MIT Kerberos and Windows, using the GSS EAP mechanism developed as part of
the Moonshot project.
The SPNEGO code was also updated to import the state machine from Apple which
improves mechListMIC processing and avoids discarding initial context tokens
generated during mechanism probing, that can be used for optimistic tokens.
Finally, to aid in testing, the GSS-API mechanism glue configuration file can
be changed using the environment variable GSS_MECH_CONFIG. This environment
variable name, along with the format of the configuration file, is compatible
with MIT (although it would be difficult for a single mechanism binary to
support both implementations).
Wrapping GSS names at the SPNEGO level serves no purpose; remove it and return
mechglue names directly. This required a small change to the NTLM mechanism to
allow NULL names to be passed to its release name function.
GM_USE_MG_CRED allows a mechanism glue credential to be used by a mechanism
without additional wrapping. Although no extant mechanisms use this flag, the
flag had sporadic support in the mechanism glue already. In the interest of
consistency, add missing GM_USE_MG_CRED checks. If this functionality is not
desired, then all checks should be removed.
Add helper APIs to the mechanism glue from the Apple implementation.
gss_mg_export_name() can be used by a mechanism to create an exported name
(this is used by the future SAnon implementation). _gss_mech_import_name()
allows the mechanism to pass in a list of parsing functions for specific name
tiypes. This commit only adds support to the mechanism glue itself.
The GSS mechglue uses singly linked lists for mechanisms and mechanism objects,
to which new entries are inserted at the head. This breaks ordering of
mechanisms specified in OID sets and in /etc/gss/mech, as they will be back to
front. Use a tail queue instead so that new entries are inserted at the end.
Make mechanism interfaces that are optional in usage, optional in
implementation, i.e. do not require them to be present when dynamically loading
a mechanism. In order to aid minimal mechanism implementation, more of these
should likely be made optional (this will require an additional check in the
mechglue to return GSS_S_UNAVAILABLE if the function pointer is NULL). This is
left as a future exercise.
_gss_ntlm_accept_sec_context() does not provide the acceptor domain to
nsi_probe(); for consistency, _gss_ntlm_acquire_cred_from() should do that
same. Providing the acceptor domain was breaking tests.
Note that the Heimdal NTLM implementation is old and has few consumers (Apple
and Samba use their own implementations). Arguably we should merge the Apple
implementation or remove it.
The Kerberos GSS mechanism specific error table in gkrb5_err.et was never
registered with libkrb5, so the messages corresponding to those errors would
never be available. Register them with the thread local context used by the
krb5 mechanism.
Refactor and enhance TGT forwarding to allow forwarding of leaf
(destination) TGTs for selected destination realms.
Enhance kinit(1) to renew non-origin realm tickets
Document delegate-destination-tgt
Use the newly implemented _krb5_mk_1cred().
krb5_cc_cache_match() searches all ccache collections for a ccache that
has credentials for a given principal name. This includes MEMORY
ccaches, which means it can find the same ccache as is referenced by a
GSS cred handle given to gss_store_cred(), which means that
gss_store_cred() can fail.
For now we work around this by including a private variant of
krb5_cc_cache_match() that only searches the default ccache, not all
collections. Eventually we should ensure that krb5_cc_default() also
searches all collection-type (other than MEMORY) ccaches for a default
credential, then we can go back to using krb5_cc_cache_match() (though
we'll need to make sure that MEMORY is searched last or not at all).
gss_acquire_cred_from() is an exported function and therefore
must be tagged with GSSAPI_LIB_FUNCTION and GSSAPI_LIB_CALL.
Change-Id: I80918cb8083eaeac2d0eba5347f7b428e997cfaa
Implementation of gss_set_neg_mechs() and gss_get_neg_mechs() as defined in RFC
4178. New gss_release_cred_by_mech() API for dropping a credential from a
mechanism glue credential.
SPNEGO uses the callback function acceptor_approved() in order to determine
which mechanisms to advertise to the initiator in the case that the initiator
sent an empty initial context token. Prior to this commit, that function was
not passed in the acceptor credential (if present), so always uses a default
credential. For correctness, we should only advertise the availability of
mechanisms for which we have a credential.
Apple's Heimdal impelmentation uses a number of utility functions for
allocating names and credentials, to avoid calling malloc or calloc directly.
Import them.
Implement the GSS-API credential store API extensions defined by MIT here:
https://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions
Note: we kill off gss_acquire_cred_ext() here. This was never a public API,
although mechanisms could have implemented it and I briefly used it in my
BrowserID prototype mechanism. gss_acquire_cred_ext_from() occupies the place
in the dispatch table where gss_acquire_cred_ext() used to, but this structure
was never visible outside Heimdal (i.e. it is only used by internal
mechanisms);
(Mechanisms that need to accept arbitrary key/value dictionaries from
applications should now implement gss_acquire_cred_from().)
SPNEGO uses the callback function initiator_approved() in order to determine
mechanism availability. Prior to this commit, is not passed in the initiator
credential, so it always uses a default credential. This breaks SPNEGO if a
non-default credential (such as one acquired with
gss_acquire_cred_with_password()) is used. This commit addresses this.
gss_krb5_set_allowable_enctypes() was declared with an array of int32_t types
representing the enctype list, but the definition had an array of krb5_enctype.
Whilst these are likely the same size, they may not be. On the receiving end,
allocate an array of krb5_enctype.
* check `ctx->gc_ctx` in `gss_inquire_context()`
* check `gm_inquire_cred != NULL` in `gss_inquire_context()`
* check `min_lifetime` in `gss_inquire_cred()`
* check `gm_inquire_cred_by_mech != NULL` in `gss_inquire_cred_by_mech()`
* set mech error in `gss_inquire_cred_by_oid()`
* don't clobber error in `gss_inquire_cred_by_oid()`
* don't pass NULL minor_status to `gss_krb5_free_lucid_sec_context()`
* allow NULL ccache in `gss_krb5_ccache_name()`
* NULL names OK in `_gss_find_mn()`
* allow empty names in `gss_import_name()` (removes `input_name_buffer` length
check). to support ANONYMOUS. in `gss_import_name()`, ignore mech name
import failure as long as it's possible to import the name in some other
mechanism
* better argument validation in `gss_export_sec_context()`
* in `gss_compare_name()`, check `mn2 != NULL`
* check `gss_add_oid_set_member()` return code in `gss_indicate_mechs()`
* in `gss_destroy_cred()`, set output cred handle to `GSS_C_NO_CREDENTIAL`
* cast size_t to OM_uint32 where required
