Commit Graph

29737 Commits

Author SHA1 Message Date
Nicolas Williams
a8874a62bb krb5: Fix kinit harder
The previous fixes for using `krb5_cc_default_for()` weren't quite
correct.
2020-03-17 19:13:16 -05:00
Nicolas Williams
4c736cbeec krb5: Allow rename of empty FILE ccaches 2020-03-17 14:55:42 -05:00
Nicolas Williams
d725f28384 gss: Sometimes set KRB5CCNAME when not overwriting 2020-03-13 18:53:52 -05:00
Nicolas Williams
93d638a486 gss: Fix default cache preference 2020-03-13 18:14:17 -05:00
Nicolas Williams
327d7e7b43 Fix Appveyor Windows build 2020-03-12 23:05:50 -05:00
Nicolas Williams
312f353b98 gss: Prefer the default ccache when user_realm
gss_store_cred_into*() will now switch the new cred cache to be the
primary/default cred cache when

 - the caller requested it and,
 - if the caller passed in a user name, the creds' principal is the best
   principal for the named user.

A principal is the best principal for a user when the principal has just
one component, the component is the user's username, and the realm is
the configured user_realm.
2020-03-12 21:02:09 -05:00
Nicolas Williams
02db43a1ae kinit: Prefer the default ccache when user_realm
If using the new --cache-default-for option, use the real default if the
principal is the best principal for the user.

A principal is the best principal for a user when the principal has just
one component, the component is the user's username, and the realm is
the configured user_realm.
2020-03-12 21:02:09 -05:00
Nicolas Williams
7dae771eef kinit: Add --cache-default-for flag (fix check-cc) 2020-03-12 21:02:09 -05:00
Nicolas Williams
64d5f86ec3 Fix warnings (some bugs, some spurious)
Many spurious VC warnings not quieted though.
2020-03-12 21:02:09 -05:00
Nicolas Williams
f3e6c4ffd4 krb5: Make FILE ccache type a collection type! 2020-03-12 21:02:09 -05:00
Nicolas Williams
f70ccfa967 krb5: Restore FILE as the default ccache type 2020-03-12 10:57:49 -05:00
Nicolas Williams
3a1f700cef gsskrb5: Add unique ccache k/v for cred store
This will allow sshd and such to be configured to request unique ccache
names.
2020-03-12 10:57:49 -05:00
Nicolas Williams
bc5070d36f krb5: Add krb5_set_config() for test_cc 2020-03-12 10:57:49 -05:00
Nicolas Williams
86bb80d7cf Revert cccol changes to kinit 2020-03-12 10:57:49 -05:00
Jeffrey Altman
713aa7961a kdc: kx509.c fix build failures
bcb5ed28fb ("kdc/kx509.c: clean up
krb5_get_error_message strings used for mk_error_resp") introduced a
build failure.  'context' is not a local variable but a field in the
kx509_req_context.

Change-Id: I38a8a9b1a19c3370dfc039d6e09445425936c32b
2020-03-08 12:01:35 -04:00
Daria Phoebe Brashear
bcb5ed28fb kdc/kx509.c: clean up krb5_get_error_message strings used for mk_error_resp
mk_error_response expects the strings it builds will need to be freed but
not those passed in; krb5_get_error_message generates a string which needs to
be freed. keep track of and free those strings.
2020-03-06 11:56:03 -06:00
Daria Phoebe Brashear
c295233648 lib/base log_file should free filename in all cases
once we've used the filename we built, free it before exit
2020-03-06 11:56:03 -06:00
Daria Phoebe Brashear
59d132f825 hdb: don't use lock_file name after free in open_lock_file 2020-03-06 11:56:03 -06:00
Daria Phoebe Brashear
efba1c21e9 lib/kadm5 kadm5_c_randkey_principal allow keyblock cleanup on error
the code to perform cleanup is present but an overzealous goto out
precludes it from being called. break from our for loop in event of error
and allow cleanup to take place
2020-03-06 11:56:03 -06:00
Daria Phoebe Brashear
c2a7041402 krb5_mk_ncred: clean enc_krb_cred_part before use
the early exit case can try to free enc_krb_cred_part, which will be
stack garbage. clear it before it's used.
2020-03-06 11:56:03 -06:00
Daria Phoebe Brashear
bfcc7a90ed kdc kx509: avoid double free of cprinc and s in check_authz
on error from der_parse_heim_old we early exit via out, which frees
s and cprinc; we should not do so a second time unless we explicitly
NULL the pointers but there is no value in doing so.
2020-03-06 11:56:03 -06:00
Nicolas Williams
c6b891556e krb5: Init mutex of anon MEMORY ccaches 2020-03-04 14:11:52 -06:00
Nicolas Williams
7bf4d76e75 krb5: Improve cccol sub naming; add gss_store_cred_into2()
- Formalize the TYPE:collection_name:subsidiary_name naming scheme for
   ccaches in ccache collections
    - KEYRING: ccaches are weird because they have one more optional field: the
      "anchor", so rather than just assume a naming convention everywhere, we
      add new functions as well
 - Add krb5_cc_{resolve,default}_sub() that allows one to specify a
   "subsidiary" ccache name in a collection separately from the
   collection name
 - Add krb5_cc_{resolve,default}_for() which take a principal name,
   unparse it, and use it as the subsidiary ccache name (with colons
   replaced)
 - Make kinit use the new interfaces
 - Add missing DIR ccache iteration functionality
 - Revamps test_cc
 - Add krb5_cc_get_collection() and krb5_cc_get_subsidiary()
 - Bump the ccops SPI version number
 - Add gss_store_cred_into2()
 - Make MEMORY:anonymous not linked into the global MEMORY ccache
   collection, and uses this for delegated cred handles

TBD:

 - Split this up into a krb5 change and gss mech_krb5 change?
 - Add krb5_cc_init_and_store() utility, per Greg's suggestion?
2020-03-02 17:48:04 -06:00
Nicolas Williams
a7359d6898 roken: Add mkdtemp() 2020-03-02 17:48:04 -06:00
Nicolas Williams
77619f245d roken: Add base32 2020-03-02 17:48:04 -06:00
Nicolas Williams
5ab1a2b7a6 appveyor: Minor improvements for debugging 2020-03-02 10:56:13 -06:00
Nicolas Williams
3c0f59b658 hdb: Fix memory leak in hdb_generate_key_set() 2020-03-02 10:56:13 -06:00
Nicolas Williams
ea90ca8666 Move some infra bits of lib/krb5/ to lib/base/ (2)
This is the second of two commits in a series that must be picked together.

This series of two commits moves parts of lib/krb5/ infrastructure
functionality to lib/base/, leaving behind wrappers.

Some parts of libkrb5 are entirely generic or easily made so, and could
be useful in various parts of Heimdal that are not specific to the krb5
API, such as:

 - lib/gssapi/  (especially since the integration of NegoEx)
 - lib/hx509/
 - bx509d       (which should really move out of kdc/)

For the above we need to move these bits of lib/krb5/:

 - lib/krb5/config_file.c   (all of it, leaving forwardings behind)
 - lib/krb5/config_reg.c    (all of it)
 - lib/krb5/plugin.c        (all of it, leaving forwardings behind)
 - lib/krb5/log.c           (all of it, ditto)
 - lib/krb5/heim_err.et     (all of it)

And because of those two, these too must also move:

 - lib/krb5/expand_path.c   (all of it, leaving forwardings behind)
 - lib/krb5/warn.c          (just the warning functions, ditto)

The changes to the moved files are mostly quite straightforward and are
best reviewed with --word-diff=color.

We're also creating a heim_context and a heim API to go with it.  But
it's as thin as possible, with as little state as necessary to enable
this move.  Functions for dealing with error messages use callbacks.

Moving plugin.c does have one knock-on effect on all users of the old
krb5 plugin API (which remains), which is that a global search and
replace of struct krb5_plugin_data to struct heim_plugin_data was
needed, though the layout and size of that structure doesn't change, so
the ABI doesn't either.

As well, we now build lib/vers/ and lib/com_err/ before lib/base/ so as
to be able to move lib/krb5/heim_err.et to lib/base/ so that we can make
use of HEIM_ERR_* in lib/base/, specifically in the files that moved.

Once this is all done we'll be able to use config files and plugins in
lib/hx509/, we'll be able to move bx509d out of kdc/, and so on.

Most if not all of the new functions in lib/base/ are Heimdal-private,
thus calling conventions for them are not declared.

Status:

 - builds and passes CIs (Travis, Appveyor)
 - ran make check-valgrind and no new leaks or other memory errors
 - ready for review

HOW TO REVIEW:

     $ # Review file moves:
     $ git log --stat -n1 HEAD^
     $
     $ # Review changes to moved files using --word-diff=color
     $ git log -p -b -w --word-diff=color HEAD^..HEAD   \
               lib/base/config_file.c                   \
               lib/base/config_reg.c                    \
               lib/base/expand_path.c                   \
               lib/base/warn.c                          \
               lib/krb5/config_file.c                   \
               lib/krb5/config_reg.c                    \
               lib/krb5/expand_path.c                   \
               lib/krb5/warn.c
     $
     $ # Review the whole thing, possibly adding -b and/or -w, and
     $ # maybe --word-diff=color:
     $ git log -p origin/master..HEAD
     $ git log -p -b -w origin/master..HEAD
     $ git log -p -b -w --word-diff=color origin/master..HEAD

TBD (future commits):

 - make lib/gssapi use the new heimbase functions
 - move kx509/bx509d common code to lib/hx509/ or other approp. location
 - move bx509d out of kdc/
2020-03-02 10:56:13 -06:00
Nicolas Williams
b2823cbd74 Move some infra bits of lib/krb5/ to lib/base/ (1)
This is the first of two commits in a series that must be picked
together.

This series of two commits moves parts of lib/krb5/ infrastructure
functionality to lib/base/, leaving behind wrappers.

This commit only renames files to enable git log/diff/blame to follow
the renames: to help future code archeology, and to make reviewing these
two commits easier.

The next commit in this series ensures that the moved files have the
correct content (i.e., defining heim APIs instead of krb5 APIs), and
will create files in lib/krb5 with the same names and krb5 API wrappers
around the new heim API functions.

The next commit also explains the motivation, which, briefly, is to:

 - remove krb5 API usage from lib/gssapi/,
 - enable the use of configuration and plugins in lib/hx509/
   (as well as lib/gssapi/ and future projects),

and

 - enable the further disentanglement of bx509d from kdc/.
2020-03-02 10:56:13 -06:00
Luke Howard
e8de24f236 gss: initialize mech output parameters in mechglue
Initialize mechanism output parameters before calling mechanism
GSS_Accept_sec_context(), to behave robustly with poorly implemented mechanisms
that may return before initializing them.
2020-03-02 17:17:03 +11:00
Luke Howard
41cb135b30 gss: plug leak in test_negoex_mech
test_negoex_mech should free the result of calling decode_GSSAPIContextToken()
2020-03-02 17:16:58 +11:00
Luke Howard
aaf4cf89a5 gss: initialize output params in test_negoex_mech
test_negoex_mech, being a simple test mechanism ported from MIT that was not
designed to be particularly robust, failed to initialize various output
parameters such as the source name. On Heimdal this triggered an invalid read
because the mechglue did not initialize those variables before calling the
mechanism. This commit fixes this.
2020-03-02 17:16:52 +11:00
Isaac Boukris
839b073fac tgs-req: strip forwardable and proxiable if the server is disallowed 2020-02-11 02:49:36 -05:00
Luke Howard
921d528d8b gss: add mechanism-force-mechListMIC hook to SPNEGO
NTLM erroneously requires a mechListMIC at the SPNEGO layer if an internal MIC
in the NTLM protocol was used. Add a private interface between SPNEGO and the
Samba NTLM mechanism to allow the mechanism to signal that a mechListMIC is
required even if it otherwise would not be.

This interface is the same as that supported by MIT.

Note that only the Samba NTLM mechanism currently implements this feature, it
is not implemented by the Heimdal NTLM mechanism (which does not support NTLM
authenticate message MICs).
2020-02-04 17:28:35 +11:00
Luke Howard
5d1a33f780 gss: don't explicitly reorder krb5 to front of spnego
Previously krb5 was tried explicitly, but now the internal mech list is
reordered so that krb5 is first, this should no longer be required. This
permits an application to specify another mechanism as preferred over krb5
using gss_set_neg_mechs().
2020-02-04 17:28:35 +11:00
Luke Howard
161f846d76 gss: harmonize negState with RFC 4178
RFC 4178 4.2.2 uses the field name negState rather than negResult in
NegTokenResp, to denote the negotiation state. Harmonize with this, also
replacing the underscores in accept-completed and accepet-incomplete to match
the RFC.
2020-02-04 17:28:35 +11:00
Luke Howard
3e69aacbe2 gss: harmonize SPNEGO with [MS-SPNG]
In [MS-SPNG], the Microsoft extension is defined as NegTokenInit2 rather than
NegTokenInitWin. Harmonize with the specification.
2020-02-04 17:28:35 +11:00
Luke Howard
044c1c6b63 gss: don't generate mechListMIC in SPNEGO if it is safe to omit it 2020-02-04 17:28:35 +11:00
Luke Howard
4fb6a6adc9 gss: port NegoEx implementation from MIT
An implementation of draft-zhu-negoex-04 for MIT Kerberos was developed in
2011. This has been recently integrated, with many fixes from Greg Hudson. This
commit ports it to Heimdal. The implementation has been interoperability tested
with MIT Kerberos and Windows, using the GSS EAP mechanism developed as part of
the Moonshot project.

The SPNEGO code was also updated to import the state machine from Apple which
improves mechListMIC processing and avoids discarding initial context tokens
generated during mechanism probing, that can be used for optimistic tokens.

Finally, to aid in testing, the GSS-API mechanism glue configuration file can
be changed using the environment variable GSS_MECH_CONFIG. This environment
variable name, along with the format of the configuration file, is compatible
with MIT (although it would be difficult for a single mechanism binary to
support both implementations).
2020-02-04 17:28:35 +11:00
Luke Howard
ae5c60286a gss: remove SPNEGO name wrappers
Wrapping GSS names at the SPNEGO level serves no purpose; remove it and return
mechglue names directly. This required a small change to the NTLM mechanism to
allow NULL names to be passed to its release name function.
2020-02-04 17:28:35 +11:00
Luke Howard
e80248ed36 gss: add some missing GM_USE_MG_CRED checks
GM_USE_MG_CRED allows a mechanism glue credential to be used by a mechanism
without additional wrapping. Although no extant mechanisms use this flag, the
flag had sporadic support in the mechanism glue already. In the interest of
consistency, add missing GM_USE_MG_CRED checks. If this functionality is not
desired, then all checks should be removed.
2020-02-04 17:28:35 +11:00
Luke Howard
340cc3f092 gss: make krb5 default GSS mech earlier in path
Defensively default to GSS_KRB5_MECHANISM on all calls to
gss_init_sec_context() if mech_type is GSS_C_NO_OID (rather than only on the
first call).
2020-02-04 17:28:35 +11:00
Luke Howard
e69c2a8111 gss: expose gss_destroy_cred()
Build and export gss_destroy_cred(). This permanently destroys the credential,
rather than releasing a handle to it.
2020-02-04 17:28:35 +11:00
Luke Howard
8478dd1c88 gss: merge Apple name helper APIs
Add helper APIs to the mechanism glue from the Apple implementation.
gss_mg_export_name() can be used by a mechanism to create an exported name
(this is used by the future SAnon implementation). _gss_mech_import_name()
allows the mechanism to pass in a list of parsing functions for specific name
tiypes. This commit only adds support to the mechanism glue itself.
2020-02-04 17:28:35 +11:00
Luke Howard
6af3ea9099 gss: merge enhanced Apple mechglue logging
Add _gss_mg_log() and friends for logging from within the mechanism glue and
SPNEGO. These APIs wrap around the libkrb5 logging APIs.
2020-02-04 17:28:35 +11:00
Luke Howard
31af9ba703 gss: use tail queue instead of singly linked list in mechglue
The GSS mechglue uses singly linked lists for mechanisms and mechanism objects,
to which new entries are inserted at the head. This breaks ordering of
mechanisms specified in OID sets and in /etc/gss/mech, as they will be back to
front. Use a tail queue instead so that new entries are inserted at the end.
2020-02-04 17:28:35 +11:00
Luke Howard
d7138cfbe7 base: make heimqueue.h a shared header
Share heimqueue.h between base and asn1, to avoid duplication of code.
2020-02-04 17:28:35 +11:00
Luke Howard
64d5d138a9 gss: mechanism optional interfaces
Make mechanism interfaces that are optional in usage, optional in
implementation, i.e. do not require them to be present when dynamically loading
a mechanism. In order to aid minimal mechanism implementation, more of these
should likely be made optional (this will require an additional check in the
mechglue to return GSS_S_UNAVAILABLE if the function pointer is NULL). This is
left as a future exercise.
2020-02-04 17:28:35 +11:00
Luke Howard
920cfc5584 gss: use _gss_ntlm_set_keys() in gss_init_sec_context()
DRY: use the _gss_ntlm_set_keys() helper function to initialize the key state
for both initiator and acceptor.
2020-02-04 17:28:35 +11:00
Luke Howard
c510e6d474 gss: don't provide domain to nsi_probe() in NTLM
_gss_ntlm_accept_sec_context() does not provide the acceptor domain to
nsi_probe(); for consistency, _gss_ntlm_acquire_cred_from() should do that
same. Providing the acceptor domain was breaking tests.

Note that the Heimdal NTLM implementation is old and has few consumers (Apple
and Samba use their own implementations). Arguably we should merge the Apple
implementation or remove it.
2020-02-04 17:28:35 +11:00