Commit Graph

2335 Commits

Author SHA1 Message Date
Luke Howard
dca1048e96 gss: use memset rather than {0} to initialize channel bindings 2022-01-17 22:18:44 +11:00
Luke Howard
7f2cf34b1d gss: _gss_negoex_accept make error const
krb5_get_error_message() returns a const char *, not a char *. Amends
Change-Id I464b3c5.
2022-01-17 15:46:45 +11:00
Luke Howard
ce0ba125d9 gss: _gss_negoex_init make error const
krb5_get_error_message() returns a const char *, not a char *. Amends
Change-Id I870ed0b.
2022-01-17 15:46:41 +11:00
Jeffrey Altman
ff18c32ae4 lib/gssapi/ntlm: from_file do not leak 'f' on error
Change-Id: Ica774bc3c156c384a2cf7084259d31f445d24a7d
2022-01-16 23:10:33 -05:00
Jeffrey Altman
6e8ab0c204 lib/gssapi/spnego: _gss_negoex_accept do not leak error message
Change-Id: I464b3c5e5b96b36da2cda71b1dacc8ad971fda35
2022-01-16 23:04:54 -05:00
Jeffrey Altman
ac53ce5c99 lib/gssapi/spnego: _gss_negoex_init do not leak error message
Change-Id: I870ed0bd8de7bc6ab5b8cf7c6d3816d04de354fa
2022-01-16 23:02:38 -05:00
Jeffrey Altman
8254c01ae7 lib/gssapi/spnego: accept_sec_context free 'supported_mechs'
If no preferred mechanism was found 'supported_mechs' was leaked.

Change-Id: I2982f94d7e9569461f562987609ff7bff57b3f88
2022-01-16 22:57:15 -05:00
Jeffrey Altman
c822b9bc96 gssapi/krb5: _gsskrb5_inquire_name init 'major'
If no attributes are indicated 'major' is unset.  Default to
GSS_S_UNAVAILABLE.

Change-Id: I277ebdebab0fb0322b702638c57548d1f4c4be3d
2022-01-16 15:54:47 -05:00
Jeffrey Altman
7ae24732c7 clang-format generated hdb, spnego and krb5 asn1.c files
Alphabetically sorted the $(spnego_files), $(gssapi_files), and $(gen_files_hdb)
lists.

Added rules to execute clang-format when available on the included files.

Change-Id: If3cde862f3237bc7cd100bc82d4fbbf568f1a354
2022-01-16 15:11:22 -05:00
Nicolas Williams
febdcd4cbd cf: Make clang-format style common makefile macro 2022-01-16 14:07:03 -06:00
Nicolas Williams
940aea6653 gss: clang-format ASN.1 compiler outputs 2022-01-16 14:07:03 -06:00
Jeffrey Altman
f341fa7721 prevent unintended sign extension errors
When an unsigned char is shifted << 24 bits its type will be
promoted to signed 32-bits.   If the value is then assigned to
an unsigned 64-bit value sign extension will occur.

Prevent the unwanted sign extension by explicitly casting the
value to unsigned long before shifting.

Change-Id: Iabeac0f17dc3229a2dc89abe71960a8ffbf523f8
2022-01-16 00:23:05 -05:00
Jeffrey Altman
7145a8e908 gssapi/mech: mech_locl.h roken.h must be included earlier
If included roken.h should be immediately following config.h.
Doing so ensures that all platform specific headers are
included in the proper order and avoids unnecessary includes
of headers managed by roken.h.

Change-Id: I27f11b42300b6ebcfbcc8d2c53915e96b6eec1d9
2022-01-15 21:24:10 -05:00
Luke Howard
5a952ee7b5 krb5: decorate PrincipalNameAttrs with krb5_pac
Add krb5_pac to PrincipalNameAttrs to avoid needing to re-parse it each time
gss_get_name_attribute() is called.
2022-01-15 18:54:57 +11:00
Jeffrey Altman
9f3004bfd5 gssapi/krb5: _gsskrb5_export_sec_context copy/paste error
80f3194a76
("gssapi/krb5/{export,import}_sec_context: make smaller tokens.")
stored the source principal when it should have stored the target
principal.

Change-Id: Ife6b137f9fe8f63cdb78b4212f74d502080ec2a2
2022-01-14 23:01:30 -05:00
Nicolas Williams
f076ed57cc Fix make dist 2022-01-14 20:10:19 -06:00
Nicolas Williams
55fa5bf7d2 gsskrb5: Fix warnings 2022-01-14 17:39:05 -06:00
Nicolas Williams
96b7ea671d gss: Fix warnings 2022-01-14 17:39:05 -06:00
Nicolas Williams
65caff79a3 gss-token: Fix leak 2022-01-14 17:39:05 -06:00
Nicolas Williams
c607135a03 Use fallthrough statement attribute (moar) 2022-01-14 16:53:34 -06:00
Nicolas Williams
ddc6113610 Use fallthrough statement attribute 2022-01-14 16:32:58 -06:00
Nicolas Williams
05e8c0ede6 Check HMAC_Init_ex() return value 2022-01-14 12:48:32 -06:00
Nicolas Williams
0c7b06f9ca cf: Check cc support of -Werror=enum-conversion 2022-01-13 15:33:04 -06:00
Nicolas Williams
6ee1554f3e Ignore enum-conversion errors
This is not a very good fix, though the warnings remain.  Such errors
can in principle be a problem because in C there is no standard enum
sizing.

In this case we have two enums with the same elements and so the same
size, so it's clearly not a problem.
2022-01-11 17:15:59 -06:00
Nicolas Williams
472509fd46 gsskrb5: Do not leak authenticator on retry
We have a Heimdal special where when the acceptor sends back an error
token for clock skew or ticket-not-yet-valid errors then the acceptor
application will get GSS_S_CONTINUE_NEEDED from gss_accept_sec_context()
so that the initiator may retry with the same context.

But we were retaining the auth_context, which means that when the
initiator does send a new token, the acceptor leaks memory because
krb5_verify_ap_req2() doesn't clean up the auth_context on reuse.  The
end result is that we leak a lot in those cases.
2022-01-07 21:04:19 -06:00
Nicolas Williams
2d83a0b8cd gss: Make sure to indicate PAC buffers 2022-01-08 10:38:01 +11:00
Nicolas Williams
c2e3c5b66e gss: Add way to set authenticator authz-data
Now we can set Authenticator authorization-data with
gss_set_name_attribute().
2022-01-08 10:38:01 +11:00
Nicolas Williams
fe11481cc5 gss: Make krb5 name attrs table-driven
The implementation of GSS name attributes for Kerberos (or any mechanism
with more than a tiny handful) is much nicer as a table-driven
implementation.

We now have stubs for setting and deleting attributes as well, though
these currently always fail.
2022-01-08 10:38:01 +11:00
Luke Howard
27d62bb27e gss: avoid showing PAC in test_context if anon
The Heimdal KDC does not add a PAC if an anonymous ticket was issued. As such,
test_context should not expect PAC naming attributes to be present if the
--anonymous option was passed. (This is irrelevant for now as GSS_C_ANON_FLAG
is not honored by the krb5 mechanism.)
2022-01-08 10:12:07 +11:00
Luke Howard
402884a310 gss: validate attr enumeration in test_context
Ensure the "urn:mspac:client-info" name attribute is enumerated by
gss_inquire_name(), as well as being available via gss_get_name_attribute().
2022-01-08 09:38:30 +11:00
Nicolas Williams
2b9b701dc4 gss: Fix warnings (from be708ca3cf) 2022-01-06 16:21:55 -06:00
Nicolas Williams
3af6926c7d gss: Fix sign extension bug (from be708ca3cf)
When unsigned char values are shifted, they are promoted to int (unless
sizeof(int) == sizeof(char)).  This means that the change in be708ca3cf
ultimately leads to a sign extension bug.
2022-01-06 15:25:38 -06:00
Nicolas Williams
2375fa9d1e gss: Too many compilers don't support 'restrict' 2022-01-05 18:03:39 -06:00
Jeffrey Altman
9427796f1a Generate .x source files as .c source files
The generated .x source and .hx header files are plain C source files.
Generate them as .c source files and avoid unnecessary file copying
and special makefile rules.

Change-Id: Ifc4bbe3c46dd357fdd642040ad964c7cfe1d395c
2022-01-05 17:36:24 -06:00
Jeffrey Altman
3efca1e98a lib/gssapi: define LIB_ASN1 on Windows if ASN1 generated objects
The LIB_ASN1 definition instructs the library objects to access
exported ASN1 generated DATA symbols as internal symbols.

Change-Id: Ia8c674c879c9bc46ca9dc7f249114f22b1d0dfd5
2022-01-05 12:58:48 -06:00
Luke Howard
6d505df510 gss: link test_names.exe against Heimdal DLL 2022-01-04 14:35:28 +11:00
Luke Howard
4803969580 gssapi: add name_attrs.c to Windows build 2022-01-04 13:06:48 +11:00
Luke Howard
5cce73a6ef gss: expose canonical name from PAC if present
Expose canonical name via the canonical-name naming attribute.
2022-01-03 15:59:16 +11:00
Luke Howard
2a826d769f gss: expose PAC info buffers under urn:mspac:
Expose PAC info buffers using naming attributes prefixed with urn:mspac:,
aligned with MIT.
2022-01-03 15:59:16 +11:00
Nicolas Williams
7e311ea9bf gss: Fix test_names clang-13 build 2022-01-02 21:19:13 -06:00
Nicolas Williams
be708ca3cf gsskrb5: Add simple name attributes support
This adds Kerberos mechanism support for:

 - composite principal name export/import
 - getting rudimentary name attributes from GSS names using
   gss_get_name_attribute():
    - all (raw) authorization data from the Ticket
    - all (raw) authorization data from the Authenticator
    - transit path
    - realm
    - component count
    - each component
 - gss_inquire_name()
 - gss_display_name_ext() (just for the hostbased service name type
                           though)

The test exercises almost all of the functionality, except for:

 - getting the PAC
 - getting authz-data from the Authenticator
 - getting the transit path

TBD (much) later:

 - amend test_context to do minimal name attribute checks as well
 - gss_set_name_attribute() (to request authz-data)
 - gss_delete_name_attribute()
 - getting specific authorization data elements via URN fragments (as
   opposed to all of them)
 - parsing the PAC, extracting SIDs (each one as a separate value)
 - some configurable local policy (?)
 - plugin interface for additional local policy
2022-01-01 23:30:15 -06:00
Luke Howard
f3484d5e2e gss: pass GSS_C_NO_OID name type through to mechanism
Allow the mechanism, rather than the mechanism glue, to determine the default
name type if GSS_C_NO_OID was passed in when importing a name.
2022-01-02 16:28:20 +11:00
Nicolas Williams
09f3f96467 gsskrb5: Use optimistic anon PKINIT armored FAST 2021-12-30 18:54:54 +11:00
Nicolas Williams
83625d349e gss: Make initiator inq. ctx. return canon. target
Make gss_inquire_context() on the established context on the initiator
side return the canonical target acceptor name.
2021-12-06 17:39:22 -06:00
Nicolas Williams
5ace5f5a6a gss: Fix dst TGT deleg w/o dns_lookup_realm
Setting `dns_lookup_realm = false` in `[libdefaults]` and setting name
canon rules that force the empty realm causes destination-TGT delegation
to break because the client doesn't know the service's realm.

Because MIT and Heimdal check that the (unauthenticated plaintext)
sname/realm of the Ticket in the KDC reply matches the sname/srealm in
the enc-part of the KDC reply, we know we can trust the realm of the
ticket found in the ccache.  So use that.
2021-12-06 17:39:22 -06:00
Luke Howard
eb293680a8 gss: fix regression in non-8003 checksums
Samba3 sends an AP-REQ, rather than 8003, checksum in a Kerberos inital context
token. This regressed in #835 as we forgot to set the
KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM flag before processing the AP-REQ
checksum in this path.
2021-12-07 10:41:40 +11:00
Andrew Bartlett
7686028718 Use UTF-8 in KTH copyright notice
Samba is starting to protect against bi-di attacks and the starting point
is to require that input files be fully UTF-8.  In 2021 this is a reasonable
starting point anyway.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2021-11-29 12:50:26 +11:00
Nicolas Williams
5f63215d0d Always perform == or != operation on cmp function result
Although not required to address bad code generation in
some versions of gcc 9 and 10, a coding style that requires
explicit comparison of the result to zero before use is
both clearer and would have avoided the generation of bad
code.

This change converts all use of cmp function usage from

```
    if (strcmp(a, b) || !strcmp(c, d)) ...
```

to

```
    if (strcmp(a, b) != 0 || strcmp(c, d)) == 0
```

for all C library cmp functions and related:

 - strcmp(), strncmp()
 - strcasecmp(), strncasecmp()
 - stricmp(), strnicmp()
 - memcmp()

Change-Id: Ic60c15e1e3a07e4faaf10648eefe3adae2543188
2021-11-24 22:30:44 -05:00
Jeffrey Altman
02200d55ea Address GCC Bug 95189 memcmp wrongly stripped like strcmp
As documented in Russell O'Connor's blog, Heimdal when compiled with
some versions of gcc 9 and 10 would generate incorrect behaviors from
_gssapi_verify_mic_arcfour(), _gssapi_unwrap_arcfour(),
_gssapi_unwrap_iov_arcfour() and _gssapi_unwrap_iov_arcfour().

As a result of the bug, code of the form

   if (memcmp(a, "\x00\x00\x00\x00"))

and

   cmp = memcmp(a, "\x00\x00\x00\x00")

will be compiled as if it were written as

   if (strcmp(a, "\x00\x00\x00\x00"))

and

   cmp = strcmp(a, "\x00\x00\x00\x00")

but not

   if (memcmp(a, "\x00\x00\x00\x00") != 0)

and

   cmp = (memcmp(a, "\x00\x00\x00\x00") != 0)

Bad code is generated whenever one of the parameters to memcmp()
is a constant with at least one NUL in the first four octets and
the return value is used immediated without a boolean comparison.

The gcc bug 95189 has since been fixed.

This change applies a defensive programming technique to avoid
the broken code generation.

Change-Id: I1db2a561735317cb6cac66a0ec9caf5443e65e03
Link: https://r6.ca/blog/20200929T023701Z.html
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189
Reported-by: Buck Huppmann (buckh@pobox.com) <buckh@pobox.com>
2021-11-24 22:30:44 -05:00
Jeffrey Altman
8123ffc3f2 _gssapi_unwrap_iov_arcfour remove duplicate code block
ad3acc2aef ("lib/gssapi/krb5:
implement gss_[un]wrap_iov[_length] with arcfour-hmac-md5")
introduced a duplicate block of code.

This change removes the unnecessary code duplication.

Change-Id: I557c590aea51b73dc25d6ce4be4ea84b9dfadd9f
2021-11-24 22:30:44 -05:00