Commit Graph

371 Commits

Author SHA1 Message Date
Luke Howard
e80248ed36 gss: add some missing GM_USE_MG_CRED checks
GM_USE_MG_CRED allows a mechanism glue credential to be used by a mechanism
without additional wrapping. Although no extant mechanisms use this flag, the
flag had sporadic support in the mechanism glue already. In the interest of
consistency, add missing GM_USE_MG_CRED checks. If this functionality is not
desired, then all checks should be removed.
2020-02-04 17:28:35 +11:00
Luke Howard
340cc3f092 gss: make krb5 default GSS mech earlier in path
Defensively default to GSS_KRB5_MECHANISM on all calls to
gss_init_sec_context() if mech_type is GSS_C_NO_OID (rather than only on the
first call).
2020-02-04 17:28:35 +11:00
Luke Howard
e69c2a8111 gss: expose gss_destroy_cred()
Build and export gss_destroy_cred(). This permanently destroys the credential,
rather than releasing a handle to it.
2020-02-04 17:28:35 +11:00
Luke Howard
8478dd1c88 gss: merge Apple name helper APIs
Add helper APIs to the mechanism glue from the Apple implementation.
gss_mg_export_name() can be used by a mechanism to create an exported name
(this is used by the future SAnon implementation). _gss_mech_import_name()
allows the mechanism to pass in a list of parsing functions for specific name
tiypes. This commit only adds support to the mechanism glue itself.
2020-02-04 17:28:35 +11:00
Luke Howard
6af3ea9099 gss: merge enhanced Apple mechglue logging
Add _gss_mg_log() and friends for logging from within the mechanism glue and
SPNEGO. These APIs wrap around the libkrb5 logging APIs.
2020-02-04 17:28:35 +11:00
Luke Howard
31af9ba703 gss: use tail queue instead of singly linked list in mechglue
The GSS mechglue uses singly linked lists for mechanisms and mechanism objects,
to which new entries are inserted at the head. This breaks ordering of
mechanisms specified in OID sets and in /etc/gss/mech, as they will be back to
front. Use a tail queue instead so that new entries are inserted at the end.
2020-02-04 17:28:35 +11:00
Luke Howard
64d5d138a9 gss: mechanism optional interfaces
Make mechanism interfaces that are optional in usage, optional in
implementation, i.e. do not require them to be present when dynamically loading
a mechanism. In order to aid minimal mechanism implementation, more of these
should likely be made optional (this will require an additional check in the
mechglue to return GSS_S_UNAVAILABLE if the function pointer is NULL). This is
left as a future exercise.
2020-02-04 17:28:35 +11:00
Nicolas Williams
d021710efc gss: Fix leak in gss_add_cred_from() 2019-12-06 23:07:16 -06:00
Nicolas Williams
2709f28a1b Make gss_store_cred*() work
krb5_cc_cache_match() searches all ccache collections for a ccache that
has credentials for a given principal name.  This includes MEMORY
ccaches, which means it can find the same ccache as is referenced by a
GSS cred handle given to gss_store_cred(), which means that
gss_store_cred() can fail.

For now we work around this by including a private variant of
krb5_cc_cache_match() that only searches the default ccache, not all
collections.  Eventually we should ensure that krb5_cc_default() also
searches all collection-type (other than MEMORY) ccaches for a default
credential, then we can go back to using krb5_cc_cache_match() (though
we'll need to make sure that MEMORY is searched last or not at all).
2019-09-05 09:52:49 -05:00
Jeffrey Altman
9358747426 lib/gssapi/mech: gss_acquire_cred_from calling conventions
gss_acquire_cred_from() is an exported function and therefore
must be tagged with GSSAPI_LIB_FUNCTION and GSSAPI_LIB_CALL.

Change-Id: I80918cb8083eaeac2d0eba5347f7b428e997cfaa
2019-01-14 06:12:36 -05:00
Luke Howard
83d2951c0d gssapi: SPNEGO does not reset NTLM RC4 state (#509) 2019-01-06 20:50:24 -06:00
Luke Howard
7de958252c gssapi: add some Apple (c) notices for mechglue bugfix import
ad426d03 imported some minor bugfixes from the Darwin Heimdal-520 drop; a few
copyright notices were omitted in the merge, which are included here.
2019-01-04 21:30:10 +11:00
Luke Howard
7fc79a393c gssapi: defensively initialize *out in gss_duplicate_cred() 2019-01-04 18:12:11 +11:00
Luke Howard
178588516d gssapi: refactor gss_duplicate_cred()
Refactor gss_duplicate_cred() to consolidate branches in copy_cred_element()
and eliminate use of GSS_S_UNAVAILABLE sentinel
2019-01-04 18:07:41 +11:00
Luke Howard
e23b0a39d3 gssapi: argument validation fixes gss_store_cred_into() 2019-01-04 17:31:28 +11:00
Jeffrey Altman
00c590e4ff fix null pointer dereference errors
Change-Id: I82a849afe9f432a1084ad2505ce88b1fe4d3d3af
2019-01-04 01:02:59 -05:00
Luke Howard
735039dbdc gssapi: implement gss_set_neg_mechs() (#495)
Implementation of gss_set_neg_mechs() and gss_get_neg_mechs() as defined in RFC
4178. New gss_release_cred_by_mech() API for dropping a credential from a
mechanism glue credential.
2019-01-04 15:50:11 +11:00
Luke Howard
befe1b8f90 always load plugins with RTLD_LOCAL/RTLD_GROUP if available 2019-01-03 20:06:27 -06:00
Luke Howard
e9b3b2326d gssapi: remove non-mech status from _gss_mg_error() from Heimdal-520
_gss_mg_error() should only handle mechanism-specific status codes which are
returned in minor_status. major_status has a global namespace.
2019-01-03 14:38:39 -06:00
Luke Howard
83f15553e0 gssapi: import mechglue allocation utility functions from Heimdal-520
Apple's Heimdal impelmentation uses a number of utility functions for
allocating names and credentials, to avoid calling malloc or calloc directly.
Import them.
2019-01-03 14:38:39 -06:00
Luke Howard
e0bb9c10ca gssapi: credential store extensions (#451)
Implement the GSS-API credential store API extensions defined by MIT here:

https://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions

Note: we kill off gss_acquire_cred_ext() here. This was never a public API,
although mechanisms could have implemented it and I briefly used it in my
BrowserID prototype mechanism. gss_acquire_cred_ext_from() occupies the place
in the dispatch table where gss_acquire_cred_ext() used to, but this structure
was never visible outside Heimdal (i.e. it is only used by internal
mechanisms);

(Mechanisms that need to accept arbitrary key/value dictionaries from
applications should now implement gss_acquire_cred_from().)
2019-01-03 14:38:39 -06:00
Luke Howard
2242b5bc5b gssapi: gss_krb5_set_allowable_enctypes prototype mismatch
gss_krb5_set_allowable_enctypes() was declared with an array of int32_t types
representing the enctype list, but the definition had an array of krb5_enctype.
Whilst these are likely the same size, they may not be. On the receiving end,
allocate an array of krb5_enctype.
2019-01-03 17:54:38 +11:00
Luke Howard
728650f3dd gssapi: canonicalize mech OID in gss_accept_sec_context() 2019-01-03 17:54:32 +11:00
Luke Howard
ad426d0385 gssapi: import bugfixes from Apple Heimdal-520
* check `ctx->gc_ctx` in `gss_inquire_context()`
* check `gm_inquire_cred != NULL` in `gss_inquire_context()`
* check `min_lifetime` in `gss_inquire_cred()`
* check `gm_inquire_cred_by_mech != NULL` in `gss_inquire_cred_by_mech()`
* set mech error in `gss_inquire_cred_by_oid()`
* don't clobber error in `gss_inquire_cred_by_oid()`
* don't pass NULL minor_status to `gss_krb5_free_lucid_sec_context()`
* allow NULL ccache in `gss_krb5_ccache_name()`
* NULL names OK in `_gss_find_mn()`
* allow empty names in `gss_import_name()` (removes `input_name_buffer` length
  check). to support ANONYMOUS.  in `gss_import_name()`, ignore mech name
  import failure as long as it's possible to import the name in some other
  mechanism
* better argument validation in `gss_export_sec_context()`
* in `gss_compare_name()`, check `mn2 != NULL`
* check `gss_add_oid_set_member()` return code in `gss_indicate_mechs()`
* in `gss_destroy_cred()`, set output cred handle to `GSS_C_NO_CREDENTIAL`
* cast size_t to OM_uint32 where required
2019-01-03 17:53:25 +11:00
Luke Howard
29fe69f95f gssapi: fix dlsym() return value casting
Fix warnings on Windows (and possibly other platforms) but appropriately
casting the return value of dlsym().
2019-01-03 17:53:15 +11:00
Luke Howard
f17e48f613 gssapi: gss_compare_name() both ways (#503)
In the case that one name has no MNs and the second name only has an MN, then
the order in which the two names are passed in matters, but it shouldn't. Run
the comparison both ways.
2019-01-03 16:27:31 +11:00
Nicolas Williams
7b76d6719f Fix VC warning about enctypes 2019-01-02 13:56:04 -05:00
Luke Howard
7e0ff63b38 gssapi: add OPTSYM for gss_duplicate_cred() (#487)
Allow API-as-SPI mechanisms to provide gss_duplicate_cred(), introduced
in e6d1c108.
2018-12-29 20:22:12 +11:00
Nicolas Williams
e6d1c10808 Rewrite gss_add_cred() (fix #413)
It turns out gss_add_cred() really needed a complete rewrite.  It's much
better to first have a gss_duplicate_cred() (which has been needed for
other reasons anyways), and use that when the input_cred_handle is not
GSS_C_NO_CREDENTIAL and output_cred_handle is not NULL, then mutate that
duplicate credential handle (or the input_cred_handle if
output_cred_handle is NULL).
2018-12-28 19:26:25 -06:00
Luke Howard
3c92747f2a gss: fix leak in add_builtin() if interning OID fails
4a93c477 (#447) introduced a leak in add_builtin().  Reported by
jaltman@auristor.com.
2018-12-23 15:34:27 +11:00
Luke Howard
efc5ad8b3c gss: cleanup warnings in HEIM_SLIST_ATOMIC_FOREACH (#447)
Cleanup unused result warning when calling heim_base_exchange_pointer()
from HEIM_SLIST_ATOMIC_FOREACH() in mechqueue.h.
2018-12-19 00:36:11 -08:00
Luke Howard
4a93c4774a gss: intern OIDs (#447)
Intern OIDs so that gss_release_oid() can be a NOOP.
2018-12-18 23:28:38 -06:00
Gary Lockyer
1c8cae58cc heimdal: Use #ifdef HAVE_DLOPEN around functions and variables used by HAVE_DLOPEN
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2018-09-10 14:40:51 -04:00
Nicolas Williams
122cdc578e Fix some krb5_storage_write() usages 2017-05-26 23:24:30 -04:00
Nicolas Williams
8e5e8aacbc Misc fixes to man pages
Originally by Christos Zoulas.
2017-03-13 18:39:41 -04:00
Nicolas Williams
2ebec2e4ec Fix some Doxygen warnings 2016-12-14 22:05:46 -06:00
Nicolas Williams
1c81ddf4e2 Round #2 of scan-build warnings cleanup 2016-11-16 17:03:14 -06:00
Jeffrey Altman
a08431b658 gss/mech: fix make_sasl_name ctx leak
The EVP_MD_CTX created in make_sasl_name() must be destroyed
to prevent a memory allocation leak.

Change-Id: I0b7f5b1b0f4f252bfcdaec755d09ed75de505f75
2016-04-17 15:11:42 -05:00
aaptel
c868b6ac0b lib/gssapi/mech/gss_compare_name.c: fix memcmp() call
Make memcmp() compare the name1 and name2 value instead of comparing
name1 with itself.

The memcmp() is only executed if the left-hand side of the || is false
i.e. when both length are equal so the length argument is correct (no out-of-bounds reads).
2016-03-10 10:51:58 +01:00
Luke Howard
33ce593b6d gss_wrap/gss_unwrap_aead implementation
Signed-off-by: Nicolas Williams <nico@twosigma.com>
2016-02-05 18:01:15 -06:00
Luke Howard
bfd72f9ed5 gssapi: correct OID for GSS_C_PEER_HAS_UPDATED_SPNEGO
restore correct OID for GSS_C_PEER_HAS_UPDATED_SPNEGO, this should have no
ABI implications, it's for internal use only. The current OID was incorrectly
copied in commit dbeeb18a, it should belong to 1.3.6.1.4.1.5322.19 which is
... enterprise(1) padl(5322) gssKrb5Extensions(19). The OID we were camping
on belongs to another party.
2015-12-16 23:26:20 +11:00
Douglas Bagnall
832d7af018 GSSAPI: regenerate lib/gssapi/mech/gss_oid.c with consistent sort
This is generated from lib/gssapi/oid.txt using lib/gssapi/gen-oid.pl,
which sorts the entries to ensure minimal diff churn when an oid is
added or changed.

The lack of effective changes can be seen by sorting both versions, a
bit like this:

$ git show HEAD~~:lib/gssapi/mech/gss_oid.c | sort > /tmp/gss_oid.c-OLD
$ cat lib/gssapi/mech/gss_oid.c | sort > /tmp/gss_oid.c-NEW
$ diff -u /tmp/gss_oid.c*
$ #Nothing to see!

This is of course not a reliable check in general, but works for this
simple file in concert with ordinary inspection.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2015-07-31 15:51:13 +12:00
Douglas Bagnall
afab2ff867 GSSAPI: use rk_UNCONST() on password and cert oid
These missed out on the rk_UNCONST()ification by virtue of being added
in a parallel branch. In the diagram below, they got added in 02cf28e,
while the rk_UNCONSTs were added in f5f9014.

* cc47c8f Turn on -Wextra -Wno-sign-compare -Wno-unused-paramter and fix issues.
*   3069d80 Merge branch 'master' into lukeh/acquire-cred-ex
|\
| * f5f9014 Warning fixes from Christos Zoulas
* | 02cf28e implement gss_acquire_cred_ex with password support
|/
* 2170219 add more oids

rk_UNCONST amounts to a cast to (void *), removing const.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2015-07-31 15:51:13 +12:00
Jeffrey Altman
2de3d14937 YFS Coverity 11745
Change-Id: I4172f81a187cf398c4538de36067ae19eb2534e3
2015-04-21 21:57:23 -04:00
Nicolas Williams
290e2430c4 Don't use mech default cred when input cred isn't
gss_init_sec_context() with input_cred_handle != GSS_C_NO_CREDENTIAL
should NOT proceed if there is no element in the given credential for
the requested mechanism.
2015-04-17 10:55:47 -05:00
Nicolas Williams
5822db085d Fix memory leak in _gss_acquire_mech_cred 2015-04-15 12:37:52 -05:00
Nicolas Williams
db2ba88384 Make gss_acquire_cred_with_password() like Solaris
Solaris'/Illumos' gss_acquire_cred_with_password() does not have
side-effects.  MIT and Heimdal have differed, but it's now agreed that
the Solaris/Illumos behavior is correct.

To make a credential obained with gss_acquire_cred_with_password()
available to other processes, use gss_store_cred().
2015-04-15 12:27:40 -05:00
Nicolas Williams
d5044abac8 Improve gss_store_cred() for cred sets 2015-04-13 16:59:19 -05:00
Nicolas Williams
533578e726 Make gss_store_cred() work 2015-03-24 11:50:00 -05:00
Luke Howard
788d39b3ce set m->gm_mech.gm_name 2014-01-04 16:31:01 +11:00