Commit Graph

30450 Commits

Author SHA1 Message Date
Nicolas Williams
c015db46da windows: Do not make test in kadmin/
Somehow the dreaded C1041 error pops up.
2022-10-03 09:44:22 -05:00
Nicolas Williams
ceec364ed4 ktutil: Add import command and other improvements
- Add an import command that imports JSON as output by
  `ktutil list --json --keys`.

  This enables one to filter/edit keytabs with jq!

- Add a `merge` alias for the `copy` command, since that's effectively
  what it does.

- Add a `--copy-duplicates` option to the `copy`/`merge` command.

- Add a `--no-create` option to the `get` command.

- Add a `--no-change-keys` option to the `get` command.

- Make `add` complain if it can't finish writing to the keytab.
2022-10-03 09:44:22 -05:00
Nicolas Williams
69dc89b39a ktutil: Add list --json option 2022-10-03 09:44:22 -05:00
Nicolas Williams
6297b76362 klist: Real JSON output 2022-10-03 09:44:22 -05:00
Nicolas Williams
f90f055659 iprop: Enable secondary KDC bootstrapping w/ PKINIT
With this change it's possible to bootstrap a KDC using a client
certificate with a PKINIT SAN for iprop/fqdn.  Given such a certificate
one could run ipropd-slave via kinit to pull down the initial copy of
the HDB, then start the KDC services using the HDBGET: keytab.

That should make bootstrapping new secondary KDCs very easy.

One could bootstrap the KDC with such a certificate using, e.g.,
Safeboot (https://github.com/osresearch/safeboot), enrolling the host as
a KDC.
2022-10-02 22:46:37 -05:00
Nicolas Williams
56c6120522 httpkadmind: Make more like bx509d internally
- Correct handling of POST (before POSTs with non-zero-length bodies
  would cause the server to close the connection).

- Add CSRF features from bx509d.
2022-10-02 22:46:37 -05:00
Nicolas Williams
ae527bf97c bx509d: Add /get-tgts batch end-point
In order to support batch jobs systems that run many users' jobs and
which jobs need credentials, we add a /get-tgts end-point that is a
batched version of the /get-tgt end-point.  This end-point returns JSON.

Also, we make GETs optional, default to not-allowed in preference of
POSTs.

We also correct handling of POST (before POSTs with non-zero-length bodies
would cause the server to close the connection), and add additional CSRF
protection features, including the ability to disable all GET requests
for /get-keys and /get-config.
2022-10-02 22:46:37 -05:00
Nicolas Williams
323f4631a4 krb5: Do not clobber keytab entry timestamps
We set the timestamp field of krb5_keytab_entry in every case in-tree,
so we should not clobber it in krb5_kt_add_entry().  This is very
important in the context of virtual service principals, as the timestamp
of the keys in the keytab is a clue to when they must be refetched!
2022-10-02 22:46:37 -05:00
Nicolas Williams
1429814eda base: HEIM_JSON_F_TRY_DECODE_DATA cannot work
The idea with HEIM_JSON_F_TRY_DECODE_DATA is that on parsing of JSON
texts, if we find a base64-encoded string, decode it.  But a lot of
strings that aren't base64-encoded can be decoded anyways, leaving a
mess.

Instead we should -in a future commit- implement this only for the string
values of "heimdal-type-data-76d7fca2-d0da-4b20-a126-1a10f8a0eae6" names
in singleton objects.
2022-10-02 22:46:37 -05:00
Nicolas Williams
ed4b50720d base: Export type ID enum
Otherwise we really can't use the heimbase CF types outside lib/base!
2022-10-02 22:46:37 -05:00
Nicolas Williams
8364bdd8f3 base: Add JSON string non-ASCII escaping options
- Add HEIM_JSON_F_ESCAPE_NON_ASCII to indicate that non-ASCII must be
  escaped as \uXXXX.

- Add HEIM_JSON_F_NO_ESCAPE_NON_ASCII to force non-escaping of BMP
  codepoints.

- If the locale's codeset is not UTF-8 and
  HEIM_JSON_F_NO_ESCAPE_NON_ASCII is not set, then set
  HEIM_JSON_F_ESCAPE_NON_ASCII.
2022-10-02 22:46:37 -05:00
Nicolas Williams
03f06b9472 base: Prettier JSON output / options
- Add flags for indenting with 2, 4, or 8 spaces, still defaulting to
  tabs if none of those are set.

- Don't emit a newline before emitting scalar values in dicts.
2022-10-01 00:15:37 -05:00
Nicolas Williams
c6a46f0c96 base: Implement JSON string escaping
We encode JSON in the KDC's audit logs, and soon in bx509d's /get-tgts.
Therefore, we should be reasonable in terms of what we encode.
2022-09-29 17:05:24 -05:00
Joseph Sutton
7ae4292986 lib/krb5: Fix leak in error path
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-09-27 17:35:38 +10:00
Stefan Metzmacher
c4216b17a8 kdc: add enable_fast option (enabled by default)
This makes it possible to disable fast if needed,
which is very good for regression tests.
Samba disables this in a few test environments with this
option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-09-25 21:13:01 +10:00
Rod Widdowson
348a03e48e Documentation changes for the Windows Build
- Fix markup
- Specific quoted command line for Visual Studio
  build
- Caveat about line ending for gawk
- Add comments about python versions
- makeinfo.exe is no longer available from cygwin
- Add some words about APPVER setting
2022-09-24 20:21:09 +10:00
Sergei Trofimovich
cd3b6e5a41 hdb: fix ldap module build (missing 'is_file_based' and 'can_taste' initializers)
Without the change the build fails as:

      CC       hdb-ldap.lo
    hdb-ldap.c:2109:5: warning: initialization of 'unsigned char:1' from 'krb5_error_code (*)(struct krb5_context_data *, void **)' {aka 'int (*)(struct krb5_context_data *, void **)'} makes integer from pointer without a cast [-Wint-conversion]
     2109 |     init,
          |     ^~~~
    hdb-ldap.c:2109:5: note: (near initialization for 'hdb_ldapi_interface.is_file_based')
    hdb-ldap.c:2109:5: error: initializer element is not computable at load time
    hdb-ldap.c:2109:5: note: (near initialization for 'hdb_ldapi_interface.is_file_based')
    hdb-ldap.c:2110:5: warning: initialization of 'unsigned char:1' from 'void (*)(void *)' makes integer from pointer without a cast [-Wint-conversion]
     2110 |     fini,
          |     ^~~~
    hdb-ldap.c:2110:5: note: (near initialization for 'hdb_ldapi_interface.can_taste')
    hdb-ldap.c:2110:5: error: initializer element is not computable at load time
    hdb-ldap.c:2110:5: note: (near initialization for 'hdb_ldapi_interface.can_taste')
    hdb-ldap.c:2111:5: warning: initialization of 'krb5_error_code (*)(struct krb5_context_data *, void **)' {aka 'int (*)(struct krb5_context_data *, void **)'} from incompatible pointer type 'char *' [-Wincompatible-pointer-types]
     2111 |     "ldapi",
          |     ^~~~~~~
    hdb-ldap.c:2111:5: note: (near initialization for 'hdb_ldapi_interface.init')
    hdb-ldap.c:2112:5: warning: initialization of 'void (*)(void *)' from incompatible pointer type 'krb5_error_code (*)(struct krb5_context_data *, HDB **, const char *)' {aka 'int (*)(struct krb5_context_data *, HDB **, const char *)'} [-Wincompatible-pointer-types]
     2112 |     hdb_ldapi_create
          |     ^~~~~~~~~~~~~~~~
    hdb-ldap.c:2112:5: note: (near initialization for 'hdb_ldapi_interface.fini')
    hdb-ldap.c:2113:1: warning: missing initializer for field 'prefix' of 'struct hdb_method' [-Wmissing-field-initializers]
     2113 | };
          | ^
Started failing when commit 93ada1fbf ("hdb: Remove default HDB backend
footgun") added extra fields to 'struct hdb_method'.
2022-09-24 19:38:16 +10:00
Jeffrey Altman
8b0c7ec09a krb5: remove krb5-v4compat.h
Kerberos v4 compatibility definitions are no longer required
in the source tree.
2022-09-22 22:13:05 -04:00
Jeffrey Altman
97eaa6cd01 krb5: pkinit select_dh_group clarify 'bits' param is the minimum
The 'bits' parameter to select_dh_group() is the minimum acceptable
bit size.  Rename 'bits' to 'min_bits' and fix the comparison
with krb5_dh_moduli.bits to ensure that DH groups whose bit size
is the minimum acceptable are not excluded.

Fixes #1002

Reported-By: Julien Rische (GitHub: jrisc)
2022-09-16 17:00:20 -04:00
Jeffrey Altman
1e67fd6c01 krb5: rfc3526-MODP-group14 incorrect bit size
Heimdal supports the 2 mandatory MODP groups (group 2 and group 14)
according to RFC4556, however group 14 is defined with a size of
1760 bits instead of 2048.

Fixes #1001

Reported-by: Julien Rische (GitHub: jrisc)
2022-09-16 16:36:42 -04:00
Sergei Trofimovich
e7efa7783a gssapi: add dependency on gkrb5_err.h
Noticed missing target directory dependency as a build failure in
`make --shuffle` mode (added in https://savannah.gnu.org/bugs/index.php?62100):

      CC       test_common.o
    In file included from test_common.c:34:
    krb5/gsskrb5_locl.h:42:10: fatal error: gkrb5_err.h: No such file or directory
       42 | #include <gkrb5_err.h>
          |          ^~~~~~~~~~~~~
    compilation terminated.
    make[3]: *** [Makefile:2347: test_common.o] Error 1 shuffle=1656680590

The change moves gkrb5_err.h and friends to BUILT_SOURCES
to guarantee their presence when main build starts.
2022-09-16 16:13:50 -04:00
Sergei Trofimovich
254e40294e doc: add dependency on vars.texi
Noticed missing target directory dependency as a build failure in
`make --shuffle` mode (added in https://savannah.gnu.org/bugs/index.php?62100):

    Making all in doc
    make[1]: Entering directory '/build/heimdal/doc'
      MAKEINFO hx509.info
    hx509.texi:15: @include: could not find vars.texi
    hx509.texi:31: warning: undefined flag: PACKAGE_VERSION
    hx509.texi:186: warning: undefined flag: PACKAGE_VERSION
    make[1]: *** [Makefile:622: hx509.info] Error 1 shuffle=1656683556

The change moves vars.texi to BUILT_SOURCES to guarantee its
presence when .info files start the build.
2022-09-16 16:13:50 -04:00
Sergei Trofimovich
eb8da07a7b hdb: add missing build dependency on "hdb-protos.h"
Noticed missing target directory dependency as a build failure in
`make --shuffle` mode (added in https://savannah.gnu.org/bugs/index.php?62100):

    make[2]: Leaving directory '/build/heimdal/lib/gss_preauth'
    Making all in hdb
    make[2]: Entering directory '/build/heimdal/lib/hdb'
    ../../lib/asn1/asn1_compile --option-file=./hdb.opt ./hdb.asn1 hdb_asn1
    for genfile in 'asn1_Event.c asn1_GENERATION.c asn1_HDB_EncTypeList.c asn1_HDB_Ext_Aliases.c asn1_HDB_Ext_Constrained_delegation_acl.c asn1_HDB_Ext_KeyRotation.c asn1_HDB_Ext_KeySet.c asn1_HDB_Ext_Lan_Manager_OWF.c asn1_HDB_Ext_Password.c asn1_HDB_Ext_PKINIT_acl.c asn1_HDB_Ext_PKINIT_cert.c asn1_HDB_Ext_PKINIT_hash.c asn1_HDB_EntryOrAlias.c asn1_HDB_entry_alias.c asn1_HDB_entry.c asn1_HDB_extension.c asn1_HDB_extensions.c asn1_HDB_keyset.c asn1_HDBFlags.c asn1_Key.c asn1_KeyRotation.c asn1_KeyRotationFlags.c asn1_Keys.c asn1_Salt.c'; do \
            true -style='{BasedOnStyle: Mozilla, AlwaysBreakAfterReturnType: TopLevelDefinitions, IndentWidth: 4, SortIncludes: false}' -i ${genfile}; \
    done
    ../../lib/com_err/compile_et hdb_err.et
    make  all-am
    make[3]: Entering directory '/build/heimdal/lib/hdb'
      CC       hdb-ldap.lo
    In file included from hdb_locl.h:67,
                     from hdb-ldap.c:36:
    ./hdb.h:337:10: fatal error: hdb-protos.h: No such file or directory
      337 | #include <hdb-protos.h>
          |          ^~~~~~~~~~~~~~
    compilation terminated.

The change moves hdb-protos.h and hdb-private.h to BUILT_SOURCES
to guarantee their presence when main build starts.
2022-09-16 16:13:50 -04:00
Jeffrey Altman
88eb44fd8b ipc: mach_complete_[a]sync avoid 'ret' set but not used warning
The variable 'ret' is set but not used.  As the value is ignored
remove it.  Restructure the initialization of 'replyinCnt', 'replyout',
and 'replyoutCnt' such that a failure of vm_read() results in a
properly initialized reply structure.
2022-09-16 15:58:45 -04:00
Jeffrey Altman
de7b452dcb kuser: kinit renew_func do not update expire if no new tickets
If neither get_new_tickets() nor renew_validate() succeeded, do not
bother recomputing the 'expire' time as it is unchanged.
2022-09-16 15:58:45 -04:00
Jeffrey Altman
7b914bfb64 roken: getaddrinfo get_null return errors
get_null() can fail for two reasons.  There can be a memory allocation
issue or the hints->ai_family could be unsupported.  This change
informs the caller of the error state instead of returning success
with an invalid struct addrinfo output parameter.

Fixes #1007
Reported-by: opless
2022-09-16 15:58:45 -04:00
Daria Phoebe Brashear
76c110e1ef hx509: hx509_verify_path remove spurious fallthrough
fallthrough needs to be directly before the next case, and this duplicate
inside an else is unneeded
2022-09-16 15:58:45 -04:00
Daria Phoebe Brashear
133f517482 rewrite fallthrough to HEIM_FALLTHROUGH to deal with new Apple SDKs
Apple clang version 14.0.0 (clang-1400.0.17.3.1) fails the build
because stds.h defines `fallthrough` as a macro which is then
expanded when base.h evaluates

  # if __has_attribute(fallthrough) && __clang_major__ >= 5

The macOS SDK defines `DISPATCH_FALLTHROUGH` as the macro instead
of `fallthrough`.

This change replaces the use of `fallthrough` in the tree with
`HEIM_FALLTHROUGH` and updates the declaration in configure logic
to define `HEIM_FALLTHROUGH` based upon existing definitions
(if any) of `fallthrough` or `DISPATCH_FALLTHROUGH`.
2022-09-16 15:58:45 -04:00
Joseph Sutton
f6d26bce66 kadm5: Correctly set userAccountControl bits
We meant to clear only the UF_SMARTCARD_REQUIRED bit, but we were
instead clearing all bits excepting it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-09-16 15:43:44 -04:00
Joseph Sutton
f165d1e942 lib/krb5: Avoid undefined pointer arithmetic
If the AP len is large enough, we might end up computing an address
beyond the end of the 'reply' array, which is undefined behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-09-16 15:43:44 -04:00
Nicolas Williams
f40ac787b1 hxtool: Allow ca command to generate subject key
This commit makes the hxtool ca sub-command, when invoked with
--generate-key=TYPE and --certificate-private-key=STORE, write the
private key only to the given --certificate-private-key store and not
also the --certificate=STORE.

Before this commit, invoking the hxtool ca sub-command with both
--generate-key=TYPE and --certificate-private-key=STORE caused the
--generate-key option to be ignored and the private key to be read from
the given store and copied to the --certificate=STORE.  That was clearly
a bug and nonsensical.
2022-08-10 19:07:54 -05:00
Nicolas Williams
9c0bc47efc Add hxtool(1) manual page 2022-08-07 18:59:28 -05:00
Nicolas Williams
4c71d1bf06 bx509: Fix typos in commentary 2022-08-07 18:59:28 -05:00
Joseph Sutton
b19633f9b9 Use constant-time memcmp when comparing sensitive buffers
This helps to avoid timing attacks.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-04-30 13:35:52 -04:00
Joseph Sutton
20f038f4f0 hcrypto: Use memset_s() when clearing sensitive buffers
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-04-30 13:35:52 -04:00
Joseph Sutton
88ea8039e3 hcrypto: Fix typo when clearing context structure
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-04-30 13:35:52 -04:00
Nicolas Williams
c0bc8beb07 httpkadmind: Test attributes defaulting 2022-04-26 17:54:12 -05:00
Nicolas Williams
d93f0d103d httpkadmind: Clarify namespace in man page 2022-04-26 17:54:12 -05:00
Nicolas Williams
a5271cd765 httpkadmind: Enable materialization 2022-04-25 22:24:52 -05:00
Nicolas Williams
18f44e7e90 httpkadmind: Make get_keys_max_spns configurable 2022-04-25 22:24:51 -05:00
Nicolas Williams
a5273d18cd httpkadmind: Support ok-as-delegate and such
Add support for configuring the attributes of new principals created via
httpkadmind.  This can be done via virtual host-based service
namespaces, which will provide default attributes even if disabled (but
the created principals will not be disabled, naturally), or via
krb5.conf.
2022-04-25 22:24:51 -05:00
Nicolas Williams
cd2e423d10 hdb: Derive pw_end for virtual services
We derive keysets for virtual host-based service principals, and that
includes the `set_time` field of keys.  But applications using the kadm5
API lose that information.  Our httpkadmind wants to set a Cache-Control
header with an appropriate max-age so that clients know when to re-fetch
keytabs.

We could extract some of the lib/hdb/common.c functions so that
httpkadmind could re-create an HDB_entry from a kadm5 entry then compute
the desired time, but ultimately we already have an appropriate field in
the HDB_entry and kadm5_principal_ent_rec types: "password expiration".

So let's set the `pw_end` of a virtual host-based service's HDB entry to
the time when a client should next fetch the principal's keys, and we'll
use that in httpkadmind as the `pw_expiration` field of the kadm5 entry
type.
2022-04-25 22:24:51 -05:00
Nicolas Williams
a51708c356 kadmin: Fix kdb_attrs[] units order 2022-04-25 22:24:51 -05:00
Nicolas Williams
17104ea2f2 hdb: Ignore disabled namespaces
If a virtual host-based service namespace is disabled, then the virtual
services below it cease existing.

This will be useful in a later commit where we'll use virtual host-based
service namespace for providing default attributes for new concrete
host-based service principals created via httpkadmind, whether the
namespace be enabled or disabled.
2022-04-25 22:24:51 -05:00
Nicolas Williams
13611702f9 roken: Fix parse_flags() orig argument type 2022-04-25 22:24:51 -05:00
Nicolas Williams
642990620c GHA: Also build just on WIN32 windows-build 2022-04-25 22:24:51 -05:00
Nicolas Williams
b503100677 GHA: Fix Windows build (install texinfo) 2022-04-25 22:24:51 -05:00
Nicolas Williams
56b60a1a40 asn1: Fix printing of decorated types 2022-03-28 16:18:10 -05:00
Steffen Kieß
9a47ec2b02 kcm: Allow disabling automatic TGT renewal
Add --no-automatic-renewal option to disable automatic TGT renewal.
Renewal can also be disabled by setting automatic_renewal to false
in the [kcm] section of krb5.conf.
2022-03-25 23:33:02 -05:00
Nicolas Williams
6932819419 kadmind: Test other operations after LIST
Test that we can still do other things after `kadmin list` to make sure
we're not leaving -after listing- the connection in a state where other
operations can't work.

Also, no more sleeps at all in the test.
2022-03-24 17:17:22 -05:00