Commit Graph

132 Commits

Author SHA1 Message Date
Luke Howard
69973757ce gss: remove gss_get_instance() 2022-01-30 14:20:05 -05:00
Nicolas Williams
be708ca3cf gsskrb5: Add simple name attributes support
This adds Kerberos mechanism support for:

 - composite principal name export/import
 - getting rudimentary name attributes from GSS names using
   gss_get_name_attribute():
    - all (raw) authorization data from the Ticket
    - all (raw) authorization data from the Authenticator
    - transit path
    - realm
    - component count
    - each component
 - gss_inquire_name()
 - gss_display_name_ext() (just for the hostbased service name type
                           though)

The test exercises almost all of the functionality, except for:

 - getting the PAC
 - getting authz-data from the Authenticator
 - getting the transit path

TBD (much) later:

 - amend test_context to do minimal name attribute checks as well
 - gss_set_name_attribute() (to request authz-data)
 - gss_delete_name_attribute()
 - getting specific authorization data elements via URN fragments (as
   opposed to all of them)
 - parsing the PAC, extracting SIDs (each one as a separate value)
 - some configurable local policy (?)
 - plugin interface for additional local policy
2022-01-01 23:30:15 -06:00
Robert Crowston
5d462795ce Add stub for gss_acquire_cred_impersonate_name(). 2021-10-19 20:45:40 +11:00
Luke Howard
774f50b28b gss: move GSS pre-auth helpers to convenience lib
GSS pre-auth helpers do not belong in libgssapi, so move them to a separate
convenience library.
2021-08-27 15:20:07 +10:00
Luke Howard
49f3f5bd99 kdc: support for GSS-API pre-authentication
Add support for GSS-API pre-authentication to the KDC, using a simplified
variation of draft-perez-krb-wg-gss-preauth-02 that encodes GSS-API context
tokens directly in PADATA, and uses FX-COOKIE for state management.

More information on the protocol and implementation may be found in
lib/gssapi/preauth/README.md.
2021-08-12 17:37:01 +10:00
Luke Howard
18c18d84b1 gss: merge gss_name_to_oid and gss_mg_name_to_oid
The recently introduced gss_mg_name_to_oid() function supported looking up
dynamically loaded mechanisms by name, but did not support partial matches or
the legacy "Kerberos 5" name as supported by gss_name_to_oid().

Consolidate these into a single function, and also add support for dynamically
loaded mechanisms to gss_oid_to_name().

API behavior difference: the Kerberos mechanism is now referred to by "krb5"
rather tha "Kerberos 5", although for legacy compatibility gss_name_to_oid()
will recognize the old name. However, gss_oid_to_name() will return "krb5". The
anticipated impact is minimal as these are not standard GSS-APIs and do not
appear to have any public usage outside Heimdal.
2021-08-08 11:37:09 +10:00
Isaac Boukris
51ce4c8d15 gssapi: add channel-bound return flag
In gss_accept_sec_context, return a new flag to let
the caller know that bindings were provided and verified.
2021-08-06 13:15:19 +10:00
Roland C. Dowdeswell
8f0506c514 gssapi/gssapi.h: we need stdarg.h because va_list is ref'd here. 2020-10-12 21:55:51 +01:00
Luke Howard
4a7eb74374 gss: SAnon - the Simple Anonymous GSS-API mechanism
Add support for SAnon, a simple key agreement protocol that provides no
authentication of initiator or acceptor using x25519 ECDH key exchange.
See doc/standardization/draft-howard-gss-sanon-xx.txt for a protocol
description.
2020-04-25 23:19:30 -05:00
Luke Howard
3bfe62df6a gss: remove gss_release_cred_by_mech()
gss_release_cred_by_mech() was previously used by SPNEGO's implementation of
gss_set_neg_mechs(). This is now implemented in the mechanism glue. As we never
shipped gss_release_cred_by_mech(), it is safe to remove it and its exported
symbol.
2020-04-21 00:21:32 -05:00
Nicolas Williams
9f3d9e1a0a Add gss_duplicate_oid_set() 2020-04-21 00:13:50 -05:00
Luke Howard
26a69856f6 gss: GSS_KRB5_IMPORT_RFC4121_CONTEXT_X / _gss_mg_import_rfc4121_context()
Add a new private interface (accessed through _gss_mg_import_rfc4121_context())
through which a skeletal krb5 mechanism context can be created, suitable for
RFC4121 message protection and PRF services.
2020-04-17 11:04:33 +10:00
Luke Howard
7df0195c26 gss: fix downlevel Windows interop regression
The recent changes to SPNEGO removed support for GSS_C_PEER_HAS_UPDATED_SPNEGO,
through which the Kerberos mechanism could indicate to SPNEGO that the peer did
not suffer from SPNEGO conformance bugs present in some versions of Windows.*

This patch restores this workaround, documented in [MS-SPNG] Appendix A <7>
Section 3.1.5.1. Whilst improving interoperability with these admittedly now
unsupported versions of Windows, it does introduce a risk that Kerberos with
pre-AES ciphers could be negotiated in lieu of a stronger and more preferred
mechanism.

Note: this patch inverts the mechanism interface from
GSS_C_PEER_HAS_UPDATED_SPNEGO to GSS_C_INQ_PEER_HAS_BUGGY_SPNEGO, so that new
mechanisms (which did not ship with these older versions of Windows) are not
required to implement it.

* Windows 2000, Windows 2003, and Windows XP
2020-04-13 10:26:38 +10:00
Nicolas Williams
64d5f86ec3 Fix warnings (some bugs, some spurious)
Many spurious VC warnings not quieted though.
2020-03-12 21:02:09 -05:00
Nicolas Williams
7bf4d76e75 krb5: Improve cccol sub naming; add gss_store_cred_into2()
- Formalize the TYPE:collection_name:subsidiary_name naming scheme for
   ccaches in ccache collections
    - KEYRING: ccaches are weird because they have one more optional field: the
      "anchor", so rather than just assume a naming convention everywhere, we
      add new functions as well
 - Add krb5_cc_{resolve,default}_sub() that allows one to specify a
   "subsidiary" ccache name in a collection separately from the
   collection name
 - Add krb5_cc_{resolve,default}_for() which take a principal name,
   unparse it, and use it as the subsidiary ccache name (with colons
   replaced)
 - Make kinit use the new interfaces
 - Add missing DIR ccache iteration functionality
 - Revamps test_cc
 - Add krb5_cc_get_collection() and krb5_cc_get_subsidiary()
 - Bump the ccops SPI version number
 - Add gss_store_cred_into2()
 - Make MEMORY:anonymous not linked into the global MEMORY ccache
   collection, and uses this for delegated cred handles

TBD:

 - Split this up into a krb5 change and gss mech_krb5 change?
 - Add krb5_cc_init_and_store() utility, per Greg's suggestion?
2020-03-02 17:48:04 -06:00
Luke Howard
921d528d8b gss: add mechanism-force-mechListMIC hook to SPNEGO
NTLM erroneously requires a mechListMIC at the SPNEGO layer if an internal MIC
in the NTLM protocol was used. Add a private interface between SPNEGO and the
Samba NTLM mechanism to allow the mechanism to signal that a mechListMIC is
required even if it otherwise would not be.

This interface is the same as that supported by MIT.

Note that only the Samba NTLM mechanism currently implements this feature, it
is not implemented by the Heimdal NTLM mechanism (which does not support NTLM
authenticate message MICs).
2020-02-04 17:28:35 +11:00
Luke Howard
4fb6a6adc9 gss: port NegoEx implementation from MIT
An implementation of draft-zhu-negoex-04 for MIT Kerberos was developed in
2011. This has been recently integrated, with many fixes from Greg Hudson. This
commit ports it to Heimdal. The implementation has been interoperability tested
with MIT Kerberos and Windows, using the GSS EAP mechanism developed as part of
the Moonshot project.

The SPNEGO code was also updated to import the state machine from Apple which
improves mechListMIC processing and avoids discarding initial context tokens
generated during mechanism probing, that can be used for optimistic tokens.

Finally, to aid in testing, the GSS-API mechanism glue configuration file can
be changed using the environment variable GSS_MECH_CONFIG. This environment
variable name, along with the format of the configuration file, is compatible
with MIT (although it would be difficult for a single mechanism binary to
support both implementations).
2020-02-04 17:28:35 +11:00
Luke Howard
e69c2a8111 gss: expose gss_destroy_cred()
Build and export gss_destroy_cred(). This permanently destroys the credential,
rather than releasing a handle to it.
2020-02-04 17:28:35 +11:00
Luke Howard
6af3ea9099 gss: merge enhanced Apple mechglue logging
Add _gss_mg_log() and friends for logging from within the mechanism glue and
SPNEGO. These APIs wrap around the libkrb5 logging APIs.
2020-02-04 17:28:35 +11:00
Luke Howard
83d2951c0d gssapi: SPNEGO does not reset NTLM RC4 state (#509) 2019-01-06 20:50:24 -06:00
Luke Howard
735039dbdc gssapi: implement gss_set_neg_mechs() (#495)
Implementation of gss_set_neg_mechs() and gss_get_neg_mechs() as defined in RFC
4178. New gss_release_cred_by_mech() API for dropping a credential from a
mechanism glue credential.
2019-01-04 15:50:11 +11:00
Luke Howard
e0bb9c10ca gssapi: credential store extensions (#451)
Implement the GSS-API credential store API extensions defined by MIT here:

https://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions

Note: we kill off gss_acquire_cred_ext() here. This was never a public API,
although mechanisms could have implemented it and I briefly used it in my
BrowserID prototype mechanism. gss_acquire_cred_ext_from() occupies the place
in the dispatch table where gss_acquire_cred_ext() used to, but this structure
was never visible outside Heimdal (i.e. it is only used by internal
mechanisms);

(Mechanisms that need to accept arbitrary key/value dictionaries from
applications should now implement gss_acquire_cred_from().)
2019-01-03 14:38:39 -06:00
Nicolas Williams
e6d1c10808 Rewrite gss_add_cred() (fix #413)
It turns out gss_add_cred() really needed a complete rewrite.  It's much
better to first have a gss_duplicate_cred() (which has been needed for
other reasons anyways), and use that when the input_cred_handle is not
GSS_C_NO_CREDENTIAL and output_cred_handle is not NULL, then mutate that
duplicate credential handle (or the input_cred_handle if
output_cred_handle is NULL).
2018-12-28 19:26:25 -06:00
Chris Lamb
946caad7d0 Correct "extention" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from Samba commit afa9bb4ac55d616fe7816e3830bab5e3a51aed7a)
2018-09-10 14:42:18 -04:00
Luke Howard
33ce593b6d gss_wrap/gss_unwrap_aead implementation
Signed-off-by: Nicolas Williams <nico@twosigma.com>
2016-02-05 18:01:15 -06:00
Nicolas Williams
774f166e31 First attempt s/\<const gss_.*_t/gss_const_.*_t/g 2013-06-02 15:30:58 -05:00
Russ Allbery
39460d0045 Remove duplicate __gss_krb5_mechanism_oid_desc definition
__gss_krb5_mechanism_oid_desc is now defined in gssapi/gssapi_oid.h,
so remove the definition in gssapi/gssapi_krb5.h in favor of including
that header.

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2012-04-05 22:55:01 -07:00
Luke Howard
07777511d1 implement gss_localname 2011-10-08 12:15:09 +11:00
Love Hörnquist Åstrand
052c5767fd fixup type for GSS_C_ATTR_LOCAL_LOGIN_USER 2011-07-24 12:47:55 -07:00
Love Hornquist Astrand
ed91d4c9e3 Mac compat 2011-07-22 11:50:30 -07:00
Jeffrey Altman
27cc30d38e GSS_C_ATTR_LOCAL_LOGIN_USER
Be consistent with other GSSAPI global variables.  GSS_C_ATTR_LOCAL_LOGIN_USER
becomes a macro in gssapi.h that refers to an exported variable
__gss_c_attr_local_login_user

Change-Id: I2661d74cd0f760780f75b35f92d6b4f9112080dc
2011-07-21 11:46:15 -04:00
Love Hornquist Astrand
0879b9831a remove trailing whitespace 2011-05-21 11:57:31 -07:00
Luke Howard
79ff133ae9 make gss_acquire_cred_ext private 2011-05-20 14:31:08 +02:00
Love Hornquist Astrand
305596d9ad Rename subsystem_DEPRECATED to subsystem_DEPRECATED_FUNCTION(X)
Start to explain what the replacement function is.
Generate the #define/#undef logic in generated header files.
Use gcc style where the deprecation warning is after the prototype.
2011-05-17 23:12:51 -07:00
Luke Howard
c73848354c remove extraneous gss_acquire_cred_with_password declaration 2011-05-14 23:11:01 +02:00
Luke Howard
33d1877c21 use gss_const_OID for gss_acquire_cred_ext 2011-05-14 17:16:49 +02:00
Luke Howard
dfba868910 Merge branch 'master' into lukeh/acquire-cred-ex-moonshot-integ
Conflicts:
	lib/gssapi/Makefile.am
	lib/gssapi/mech/gss_acquire_cred_with_password.c
	lib/gssapi/test_context.c
	lib/gssapi/version-script.map
2011-05-14 16:48:49 +02:00
Luke Howard
02cf28e20b implement gss_acquire_cred_ex with password support
add missing SPIs to gss_mech_switch

s/acquire_cred_ex/acquire_cred_ext/g
2011-04-16 11:06:24 +02:00
Luke Howard
0d7bc0c549 remove user_ok from gss_authorize_localname 2011-04-09 13:41:51 +10:00
Luke Howard
6c6e483e00 gss_authorize_localname implementation 2011-04-08 10:58:57 +10:00
Luke Howard
093403a2a7 Merge branch 'master' into lukeh/moonshot 2011-04-03 18:08:23 +10:00
Luke Howard
1a6d126023 Use RFC 5587 const types for draft-josefsson-gss-capsulate APIs 2011-04-03 18:07:07 +10:00
Luke Howard
0f13ae9fe5 fix macro compile error 2011-03-20 19:41:52 +11:00
Luke Howard
9455577b65 Merge branch 'master' of github.com:heimdal/heimdal
Conflicts:
	lib/gssapi/gssapi/gssapi.h
	lib/gssapi/gssapi_mech.h
	lib/gssapi/mech/gss_mech_switch.c
2011-03-20 19:08:10 +11:00
Love Hornquist Astrand
217021914d add more oids 2011-03-13 13:40:52 -07:00
Love Hornquist Astrand
7013c453eb x 2011-03-12 18:49:44 -08:00
Love Hornquist Astrand
4248882381 drop gss_name_any since it removed from the draft 2011-03-12 12:49:42 -08:00
Luke Howard
2b2ab30f53 Add naming extension SPIs
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2011-03-12 12:35:43 -08:00
Luke Howard
65ebfb5712 Merge branch 'master' of github.com:heimdal/heimdal
Conflicts:
	lib/gssapi/gssapi/gssapi.h
	lib/gssapi/mech/gss_mech_switch.c
2011-02-28 10:21:31 +11:00
Love Hornquist Astrand
4be5db6a32 define GSS_IOV_BUFFER_FLAG_ALLOCATE and friends 2011-01-18 16:49:03 +01:00