The resolver plugin doesn't have a way to say "and stop here", so the
lookup done in lib/krb5/test_plugin.c can produce more results than used
to be expected, and indeed nowadays it does. The fix is to ensure that
we have the desired results and ignore the others.
This adds a new backend for libhcrypto: the OpenSSL backend.
Now libhcrypto has these backends:
- hcrypto itself (i.e., the algorithms coded in lib/hcrypto)
- Common Crypto (OS X)
- PKCS#11 (specifically for Solaris, but not Solaris-specific)
- Windows CNG (Windows)
- OpenSSL (generic)
The ./configure --with-openssl=... option no longer disables the use of
hcrypto. Instead it enables the use of OpenSSL as a (and the default)
backend in libhcrypto. The libhcrypto framework is now always used.
OpenSSL should no longer be used directly within Heimdal, except in the
OpenSSL hcrypto backend itself, and files where elliptic curve (EC)
crypto is needed.
Because libhcrypto's EC support is incomplete, we can only use OpenSSL
for EC. Currently that means separating all EC-using code so that it
does not use hcrypto, thus the libhx509/hxtool and PKINIT EC code has
been moved out of the files it used to be in.
In srv_find_realm() the conditional for testing whether an entry
is the invalid gTLD response was inverted. Refactor the conditional
into a helper function is_invalid_tld_srv_target(). Use the helper
to simplify the conditional making it easier to confirm that the
test is correct.
Change-Id: I3220753b5585ac535862c4617030377c7a1f4bbe
If there is no MSLSA: credential cache principal, then try to
fallback to the MIT default MIT credential cache name, API:krb5cc.
Change-Id: I8f981c5401b4f962cf808e7b0dc782e42bc03023
If there is no default credential cache obtained from the registry
or from configuration files, then check to see if there is a valid
principal available from the MSLSA: credential cache. If so, use
"MSLSA:" as the default credential cache. This will simply configuration
for users on domain joined Windows machines when logged in using a
domain account.
Change-Id: I4c4392e0fdcec89aff3d258ce1b753e6458e3eec
Remove unnecessary levels of indentation.
Switch the conditional from "(e == NULL)" to "(p == NULL)" since it
the variable 'p' that is actually used to store the name of the
default credential cache.
Change-Id: Id884e2cd80b42e47d3c219ac3777161087467a14
Windows queries the default ccache name via the registry. Prior
to this change only the HKEY_CURRENT_USER hive. Fallback to
HKEY_LOCAL_MACHINE if there is no "ccname" value specified for the
user. This permits system or domain administrators to set the
default ccache to MSLSA: for all users.
Change-Id: Ide3b51358f8fc6944ca698e4a68295be9463d4e0
As per
https://www.icann.org/en/system/files/files/name-collision-mitigation-01aug14-en.pdf
prior to a new top-level domain being put into service there is controlled
interuption service which will return explicit responses to DNS A, MX, SRV, and TXT
queries that can be used to detect private namespace collisions.
When performing fallback_get_hosts() check the AF_INET responses to ensure
that they are not the gTLD name collision address 127.0.53.53. If so, add
an error message to the context and return KRB5_KDC_UNREACH.
Write a warning to the log (if any).
Change-Id: I2578f13948b8327cc3f06542c1e489f02410143a
As per
https://www.icann.org/en/system/files/files/name-collision-mitigation-01aug14-en.pdf
prior to a new top-level domain being put into service there is a
controlled interuption service which will return explicit responses to DNS
A, MX, SRV, and TXT queries that can be used to detect private namespace collisions.
Modify SRV records lookups to detect the special hostname returned in the
SRV response, skip the response, and record an appropriate error if it is detected.
Write a warning to the log (if any).
Change-Id: I47e049b617e39e49939bc92d513a547de1d04624
As per
https://www.icann.org/en/system/files/files/name-collision-mitigation-01aug14-en.pdf
prior to a new top-level domain being put into service there is a
controlled interuption service which will return explicit responses to DNS
A, MX, SRV, and TXT queries that can be used to detect private namespace collisions.
Modify the signature of copy_txt_to_realm() to accept a krb5_context so
that meaningful errors can be recorded.
Write a warning to the log (if any).
Change-Id: I51ff8feed4f9d2af8b956bd4ba26e1c4644247c2
Instead of allocating a separate mutex object on the heap,
include the HEIMDAL_MUTEX in the krb5_context structure.
Change-Id: If6db484177410487176985e43e3b43e0f2166518
When new keys are added (typically via kadm5_setkey_principal_3),
truncate the key history to remove old keys, that is keys older than
the newest key which was in effect prior longer ago than the principal's
maximum ticket lifetime. This feature is controlled via the "[kadmin]"
section's "prune-key-history" boolean parameter, which defaults to false.
Currently this happens only when kadm5_setkey_principal_3()
is called directly on the server, the client API simulates
kadm5_setkey_principal_3() via a get, update, modify sequence that does
not prune the key history. The plan is to add a new kadm5 protocol RPC
and convert clients to call that instead.
In setkey_principal_3 seal keys after entry key update
Also, for now, don't check the return value of kadm5_log_modify() in
the new kadm5_s_setkey_principal_3(). This has to be addressed more
globally.
Censor stale keys in kadm5_s_get_principal
We used to update the iprop log and HDB in different orders depending on
the kadm5 operation, which then led to various race conditions.
The iprop log now functions as a two-phase commit (with roll forward)
log for HDB changes. The log is auto-truncated, keeping the latest
entries that fit in a configurable maximum number of bytes (defaults to
50MB). See the log-max-size parameter description in krb5.conf(5).
The iprop log format and the protocol remain backwards-compatible with
earlier versions of Heimdal. This is NOT a flag-day; there is NO need
to update all the slaves at once with the master, though it is advisable
in general. Rolling upgrades and downgrades should work.
The sequence of updates is now (with HDB and log open and locked):
a) check that the HDB operation will succeed if attempted,
b) append to iprop log and fsync() it,
c) write to HDB (which should fsync()),
d) mark last log record committed (no fsync in this case).
Every kadm5 write operation recover transactions not yet confirmed as
committed, thus there can be at most one unconfirmed commit on a master
KDC.
Reads via kadm5_get_principal() also attempt to lock the log, and if
successful, recover unconfirmed transactions; readers must have write
access and must win any race to lock the iprop log.
The ipropd-master daemon also attempts to recover unconfirmed
transactions when idle.
The log now starts with a nop record whose payload records the offset of
the logical end of the log: the end of the last confirmed committed
transaction. This is kown as the "uber record". Its purpose is
two-fold: act as the confirmation of committed transactions, and provide
an O(1) method of finding the end of the log (i.e., without having to
traverse the entire log front to back).
Two-phase commit makes all kadm5 writes single-operation atomic
transactions (though some kadm5 operations, such as renames of
principals, and changes to principals' aliases, use multiple low-level
HDB write operations, but still all in one transaction). One can still
hold a lock on the HDB across many operations (e.g., by using the lock
command in a kadmin -l or calling kadm5_lock()) in order to push
multiple transactions in sequence, but this sequence will not be atomic
if the process or host crashes in the middle.
As before, HDB writes which do not go through the kadm5 API are excluded
from all of this, but there should be no such writes.
Lastly, the iprop-log(1) command is enhanced as follows:
- The dump, last-version, truncate, and replay sub-commands now have an
option to not lock the log. This is useful for inspecting a running
system's log file, especially on slave KDCs.
- The dump, last-version, truncate, and replay sub-commands now take an
optional iprop log file positional argument, so that they may be used
to inspect log files other than the running system's
configured/default log file.
Extensive code review and some re-writing for clarity by Viktor Dukhovni.
A caller may want to specify an explicit order of PAC elements,
e.g. the PAC_UPN_DNS_INFO element should be placed after the PAC_LOGON_NAME
element.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
The EGD daemon is completely unmaintained and has not seen a release
since 13 years which is not an acceptable timeframe for cryptographic
software. It is not packaged in any linux distribution I know of
and definitely not in *BSD.
LibreSSL has already dropped support for RAND_egd.
This gives the caller the ability to skip the client_name
and only provide client_realm. This is required for
KDC_ERR_WRONG_REALM messages.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
An AS-REQ with an enterprise principal will always directed to a kdc of the local
(default) realm. The KDC directs the client into the direction of the
final realm. See rfc6806.txt.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
FreeIPA can generate tickets with a client principal of
'host/hostname.example.com'.
verify_logonname() should just verify the principal name
in the PAC_LOGON_NAME is the same as the principal of
the client principal (without realm) of the ticket.
Samba commit b7cc8c1187ff967e44587cd0d09185330378f366
break this. We try to compare ['host']['hostname.example.com']
with ['host/hostname.example.com]' (as we interpret it as enterprise principal)
this fail if we don't compare them as strings.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This will shortly be removed from krb5.asn1.
This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.
The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.
Andrew Bartlett based on work by metze to remove it from othert parts of the code
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
The resource allocated by krb5_default_default_realm() should be
free()'d by krb5_free_default_realm() instead of plain free()
for better readability.
Signed-off-by: Santosh Kumar Pradhan <spradhan@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Instead of hard coding 10 hours as the default ticket lifetime within
lib/krb5/init_cred_pw.c init_cred(), add a preprocessor macro,
KRB5_TKT_LIFETIME_DEFAULT, that can be overridden at build time.
The value of KRB5_TKT_LIFETIME_DEFAULT is 10 hours if not previously
defined.
Change-Id: I63e729fedee8e8c6f542e4a4665de5f40db34c03
When looking for a ticket, use the capath codepath first when we know
the service's realm: because we might have local policy as to how to get
there.
Then, if that doesn't work, try referrals. (For now unconditionally.)
