Fix merge issue introduced in ef1d63a9 which did not update the call
site after updating the _krb5_make_fast_ap_fxarmor() prototype to take
the realm (used in the anonymous PKINIT case).
RFC 6113 5.4.2 says that when hiding client names in the outer reply of a FAST
response, the well-known anonymous principal MUST be used.
The previous implementation returned an empty client name and realm, which may
not be expected by some clients.
The functions for storing and retrieving GSS OIDs and buffers from
krb5_storage, added in 6554dc69, are generally useful. Move those into private
_gss_mg_XXX() API and update gss_{export,import}_{cred,sec_context} to use them
where appropriate.
Code style/consistency: store_negoex_auth_mech() should free the exported
context buffer after use. There is no leak as the buffer was freed at the end
of the function.
krb5_addlog_func() is used by Samba to obtain Kerberos log messages
and place them into the Samba logs.
Providing a hook down to the heim_addlog_func() is less disruptive
than needing to call multiple different APIs as Samba compiles
both with an included copy of Heimdal and against a system
Heimdal (when not an AD DC).
This API was deprecated and stubbed out in March 2020 by ea90ca8 and was
previously stable until 0c86917 (which looks like it should have been part of
e44c680).
Despite the need for the extra argument, which we add a test for, Samba would
prefer to keep the krb5_addlog_func() facility, so this adds it back.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This is to match the Windows KDC behaviour, optionally.
Samba will use this mode, as Samba has tests that show
the difference and is keen for bug-for-bug/byte-for-byte
rather than strict RFC compliance where there is a
reasonable choice.
The Samba test (for reference) is
samba.tests.krb5.as_canonicalization_tests
The behaviour was changed in:
commit de1f37a6aa
Author: Luke Howard <lukeh@padl.com>
Date: Mon Jan 7 15:45:36 2019 +1100
kdc: omit default salt from PA-ETYPE-INFO[2]
If the salt for the AS-REP client key matches the default password salt for the
client principal in the AS-REQ, then it can be omitted from the PA-ETYPE-INFO,
PA-ETYPE-INFO2 (RFC4120) as the client will assume the default salt in its
absence.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This function became used outside the protection of
HAVE_DLOPEN (which Samba sets) with:
commit 5966c00701
Author: Luke Howard <lukeh@padl.com>
Date: Sun Aug 8 10:34:28 2021 +1000
gss: add gss_mg_name_to_oid internal API
Add a new function for future internal use, gss_mg_name_to_oid(), which takes
either a dot-separated OID or a "short" mechanism name (such as
"sanon-x25519"), and returns a mechanism OID.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
gss_{import,export}_sec_context did not work with partially accumulating
contexts, where the initial context token had not been completely accumulated.
Further, in gss_import_sec_context(), ctx->gc_input.value was not allocated to
a buffer sufficiently large to accumulate the target length.
The recently introduced gss_mg_name_to_oid() function supported looking up
dynamically loaded mechanisms by name, but did not support partial matches or
the legacy "Kerberos 5" name as supported by gss_name_to_oid().
Consolidate these into a single function, and also add support for dynamically
loaded mechanisms to gss_oid_to_name().
API behavior difference: the Kerberos mechanism is now referred to by "krb5"
rather than "Kerberos 5", although for legacy compatibility gss_name_to_oid()
will recognize the old name. However, gss_oid_to_name() will return "krb5". The
anticipated impact is minimal as these are not standard GSS-APIs and do not
appear to have any public usage outside Heimdal.
Add a new function for future internal use, gss_mg_name_to_oid(), which takes
either a dot-separated OID or a "short" mechanism name (such as
"sanon-x25519"), and returns a mechanism OID.
Support for exporting partially established acceptor context tokens. With this,
an acceptor can send the initiator an encrypted state cookie containing the
exported context token.
(The concrete mechanism, of course, must either require a single round trip or
support partial context export itself. Kerberos and GSS EAP would work, but
Kerberos with GSS_C_DCE_STYLE would not, as currently implemented.)
Partial context export is not permitted for initiators.
Microsoft will sometimes split GSS tokens when they exceed a certain
size in some protocols. This is specified in
[MS-SPNG]: Simple and Protected GSS-API Negotiation
Mechanism (SPNEGO) Extension
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SPNG/%5bMS-SPNG%5d.pdf
sections 3.1.5.4 to 3.1.5.9.
We extend gss_accept_sec_context() to recognise partial tokens and
to accumulate the fragments until an entire token is available to
be processed. If the entire token is not yet available,
GSS_S_CONTINUE_NEEDED is returned with a zero length output token.
This is specified in RFC2744 page 25-26 to indicate that no reply
need be sent.
We include updates to the test framework to test split tokens when
using SPNEGO.
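The fragment accumulation described above, as an added C example that is not Heimdal's code: the buffer is sized once from the token header, and each fragment is bounds-checked against the remaining space. The names struct accum, accum_feed(), demo_split() and the MAX_TOKEN cap are hypothetical, and the sketch assumes the first fragment carries the complete 0x60 tag and DER length of an initial context token.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TOKEN 65536u  /* assumed cap on a reassembled token */
enum acc_status { ACC_COMPLETE, ACC_CONTINUE, ACC_ERROR };
struct accum { uint8_t *buf; size_t len, target; };  /* hypothetical state */

/* Total length (header + body) of a token framed as 0x60 + DER definite
 * length, or 0 if the header is malformed or not fully present. */
static size_t token_total_len(const uint8_t *p, size_t n)
{
    size_t nlen, body = 0, i;
    if (n < 2 || p[0] != 0x60) return 0;
    if (p[1] < 0x80) return 2 + (size_t)p[1];      /* short form */
    nlen = p[1] & 0x7f;                            /* long form */
    if (nlen == 0 || nlen > 3 || n < 2 + nlen) return 0;
    for (i = 0; i < nlen; i++) body = (body << 8) | p[2 + i];
    return 2 + nlen + body;
}

/* Feed one fragment. ACC_CONTINUE corresponds to returning
 * GSS_S_CONTINUE_NEEDED with a zero-length output token. */
enum acc_status accum_feed(struct accum *a, const uint8_t *frag, size_t n)
{
    if (a->target == 0) {                 /* first fragment: size the buffer */
        size_t total = token_total_len(frag, n);
        if (total == 0 || total > MAX_TOKEN) return ACC_ERROR;
        if ((a->buf = malloc(total)) == NULL) return ACC_ERROR;
        a->target = total;
    }
    if (n > a->target - a->len) return ACC_ERROR;  /* would overrun target */
    memcpy(a->buf + a->len, frag, n);
    a->len += n;
    return a->len == a->target ? ACC_COMPLETE : ACC_CONTINUE;
}

/* Constructed sample: a 203-byte token (0x60 0x81 0xC8 + 200 zero bytes) fed
 * as `cut` bytes, then the rest plus `extra` surplus bytes (cut <= 203).
 * Returns first_status * 10 + last_status. */
int demo_split(size_t cut, size_t extra)
{
    uint8_t tok[256] = { 0x60, 0x81, 0xC8 };
    struct accum a = { NULL, 0, 0 };
    int first = accum_feed(&a, tok, cut), last = first;
    if (first == ACC_CONTINUE)
        last = accum_feed(&a, tok + cut, 203 - cut + extra);
    free(a.buf);
    return first * 10 + last;
}
```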
When using these functions with gss_init_sec_context(), we noticed
that some things were missing and some needed to be made optional.
ctx->order may be NULL, ctx->ac->authenticator needs to be filled
out, and ctx->state needs to be stored.
Note: SPNEGO still needs a little more work.
Store a data blob to the storage. The data is stored with an int32 as
length plus the data (not padded). This function only differs from
krb5_store_data() insofar as it takes a void * and a length as parameters.
Patch from Roland C. Dowdeswell <elric@imrryr.org>
SAnon includes channel bindings as part of the key derivation function, so they
cannot be ignored. Always set GSS_C_CHANNEL_BOUND_FLAG in the SAnon acceptor.
Windows does not check the password on an account that has been locked.
Heimdal does not implement locked_out, however the Samba hdb
backend does, and needs this checked before passwords (for bad
password lockout), not after in kdc_check_access().
Based on work to update Samba to current Heimdal by
Gary Lockyer <gary@catalyst.net.nz> and including cherry-pick of
Samba commit 580a705b83014e94556b9d5a8877406816e02190 which noted
that we need to return KRB5KDC_ERR_CLIENT_REVOKED to match Windows.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Samba has a different lookup path for krbtgt/ principals.
armor_server is in this case the same as the server in a normal
TGS-REQ, just inside the FAST armor, so needs to have the same
lookup properties as the TGS-REQ does.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
For Samba the fast key is not stored in the replicated DB, so
this helps Samba find it in the Samba hdb module.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
According to #788, Windows clients expect a revoked error to be returned if the
client or service is locked out, rather than a generic policy error. This
should not affect non-Windows paths as the locked_out HDB entry flag is
otherwise not used by Heimdal.
In a strict Samba build with -Werror=strict-overflow on Ubuntu 18.04
with gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
we see
../../source4/heimdal/lib/roken/resolve.c: In function ‘rk_dns_srv_order’:
../../source4/heimdal/lib/roken/resolve.c:639:7: error: assuming signed overflow does not occur when simplifying conditional to constant [-Werror=strict-overflow]
if(num_srv == 0)
^
cc1: all warnings being treated as errors
This avoids the issue by additionally setting a distinct flag.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
In acquire_mech_cred(), treat a credential store with no elements as equivalent
to GSS_C_NO_CRED_STORE, allowing a mechanism's gss_acquire_cred()
implementation to be called.