Cherry picked from libtommath 7bbc1f8e4fe6dce75055957645117180768efb15.
Vulnerability Detail:
CVE Identifier: CVE-2023-36328
Description: Integer Overflow vulnerability in mp_grow in libtom
libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9,
allows attackers to execute arbitrary code and cause a denial of
service (DoS).
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-36328
Reported-by: https://github.com/Crispy-fried-chicken
MIT commit d3b39a8bac6206b5ea78b0bf6a2958c1df0b0dd5 implemented
krb5_cc_remove_cred() for FILE ccaches by setting endtime to zero
and authtime to minus one and then filtering out those credentials
from get_next().
This change sets "authtime = -1" for the removed cred to permit
MIT krb5 to ignore removed credentials from a shared FILE ccache.
MIT commit 4c0838bb4c232866b95c9f2f72a55bf77cfc1308 modified the
cred_removed() check to restore compatibility with Heimdal.
commit a9bd3c6e50 ("Fix racy file ccache
corruption in cred_delete()") implemented krb5_cc_remove_cred() for
"FILE" ccaches by overwriting the removed credential endtime value
with zero (Unix Epoch). However, it did not modify fcc_get_next()
to filter out these deleted entries. As a result, invalid credentials
can be returned from the FILE ccache where endtime < starttime.
RFC4120 requires endtime >= starttime for all tickets.
MIT Kerberos since d3b39a8bac6206b5ea78b0bf6a2958c1df0b0dd5
("Implement krb5_cc_remove_cred for remaining types") modifies a
removed cred by setting
endtime = 0
authtime = -1
and then filters out removed creds from the fcc_next_cred() results.
In 2013 Heimdal broke interop with MIT processes that share the
FILE ccache by implementing remove by setting "endtime = 0" and
now MIT has broken interop with the Heimdal implementation of
fcc_remove_cred() by checking for both "endtime = 0" and "authtime = -1".
This change filters results from fcc_get_next() when the "endtime == 0"
which is acceptable because a KDC is not permitted to return a
ticket with an endtime == 0.
The 'restrict' keyword was introduced in C99 and provides a hint to
the compiler that can be used to better optimized code. The 'restrict'
keyword results in build failures when the compiler is not C99.
auditdns.c:101:37: error: expected ‘;’, ‘,’ or ‘)’ before ‘hints’
const struct addrinfo *restrict hints,
^
auditdns.c:409:45: error: expected ‘;’, ‘,’ or ‘)’ before ‘sa’
getnameinfo(const struct sockaddr *restrict sa, socklen_t salen,
^
This change defines 'register' to nothing if the compiler does not
implement the C99 standard.
Observed with gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-44).
If crypt() is unavailable then DES_AFS3_string_to_key() cannot be
implemented for passwords up to 8 characters in length. Do not
advertise support for "afs3-salt" when crypt() is missing.
The callers of this macro generally do not supply this information.
Without it, the checks rely on compiler support for implicit function
declarations. It would be possible to supply this information in
the callers. But even then, with the existing macro interface, it
would be necessary to pass eg. null pointers where they trigger
undefined behavior. Therefore, use the same kludge that autoconf
uses to make up prototypes, avoiding those implicit function
declarations.
The includes/arguments macro parameters are now ignored, but preserved
for interface compatibility.
This ensures we inherit the clock skew adjustment from the AS-REQ/REP into the
memory ccache in a similar way done for the file ccache.
This means krb5_cc_get_kdc_offset() will return the correct value and
_krb5_get_cred_kdc_any() uses the adjusted time in the authenticator of
subsequent TGS-REQ.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15676
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
At least Windows KDCs return KRB5KRB_AP_ERR_SKEW without edata in
response to TGS-REQ.
This ensures the callers see the KRB5KRB_AP_ERR_SKEW error and not
KRB5_KDCREP_MODIFIED "FAST fast response is missing FX-FAST".
For the response to an amored AS-REQ, we'll now return
KRB5KRB_AP_ERR_MODIFIED instead of KRB5_KDCREP_MODIFIED,
but if there's an attack the exact error code doesn't matter.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15676
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Sequence errors are supplemental information in GSSAPI. This means
that they are not fatal, unless they are returned alongside a failure
error code. This change makes our behaviour the same as MIT's - sequence
errors are non-fatal, and return valid output information.
commit 4d48b172ab ("add pkinit
configration for btmm") introduced automatic configuration of
the 'pkinit_kdc_identity' and 'pkinit_kdc_friendly_name' on macOS
but also modified the default for the 'enable_pkinit' setting
such that pkinit is enabled on all __APPLE__ platforms overriding
the [kdc] enable-pkinit setting obtained from the configuration.
This change modifies the enable-pkinit behavior on __APPLE__ platforms
to match those on every other platform. __APPLE__ platforms will
continue to auto-configure the [kdc] pkinit_identity and
[kdc] pkinit_anchors if they are not specified in the configuration.
If the Kerberos v5 principal name is
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
and the principal type is KRB5_NT_WELLKNOWN, then gss_display_name()
is expected to return GSS_C_NT_ANONYMOUS instead of
GSS_KRB5_NT_PRINCIPAL_NAME. This change matches the behavior of
MIT Kerberos.
OS X builds started thinking they have the mitdb backend and started
failing the tests/kdc/check-mitdb test. This commit fixes that by
requiring explicit enablement of the mitdb HDB backend.
This addresses part of https://github.com/heimdal/heimdal/issues/1214
to audit potential network leaks with [libdefaults] block_dns = yes.
NI_NUMERICHOST is _probably_ sufficient -- we probably won't see many
systems using NIS to look up service names by number if we fail to
specify NI_NUMERICSERV, and such systems probably require careful
auditing of their own. And I don't know of any way NI_NUMERICSCOPE
could trigger network leaks. But named scope ids are such a niche
option with IPv6 that setting it to forestall concerns can't hurt
much, and it makes reviewing easier if we just unconditionally flip
on all the numeric-only options.
This flag has defined by POSIX for years if not decades, but glibc
and Windows apparently still don't have it.
We will use it with getnameinfo, along with all other NI_NUMERICxxx
options, to minimize risk of network leaks with block_dns.
This change has two parts:
1. Provide our own local implementation of numeric-only getaddrinfo
in auditdns.c used to audit for DNS leaks, rather than deferring
to dlsym(RTLD_NEXT, "getaddrinfo"), in terms of inet_pton.
To keep review and implementation simple, this is limited to
AI_NUMERICHOST _and_ AI_NUMERICSERV -- this requires that we
arrange to pass AI_NUMERICSERV in callers too.
2. Wherever we implement block_dns, set AI_NUMERICSERV in addition to
AI_NUMERICHOST as needed by the new auditdns.c getaddrinfo.
(In principle this might also avoid other network leaks -- POSIX
guarantees no name resolution service will be invoked, and gives
NIS+ as an example.)
One tiny semantic change to avoid tripping over the auditor:
kadmin(8) now uses the string "749" rather than the string
"kerberos-adm". (Currently we don't audit kadmin(8) for DNS leaks
but let's avoid leaving a rake to step on.) Every other caller I
found is already guaranteed to pass a numeric service rather than
named service to getaddrinfo.
fix https://github.com/heimdal/heimdal/issues/1212
We build variants of kinit and test_acquire_cred that define their
own symbols rk_dns_lookup, gethostbyname, gethostbyname2, and
getaddrinfo to print a message and abort. For getaddrinfo, we abort
only if the caller failed to specify AI_NUMERICHOST; otherwise we use
dlsym(RTLD_NEXT, "getaddrinfo") instead.
The new test tests/gss/check-nodns is like tests/gss/check-basic, but
uses kinit_auditdns and test_acquire_cred_auditdns to verify that no
DNS resolution happens.
This test should work and be effective on ELF platforms where the
getaddrinfo function is implemented by the symbol `getaddrinfo'. On
non-ELF platforms it may not be effective -- and on platforms where
the getaddrinfo function is implemented by another symbol (like
`__getaddrinfo50') it may not work, but we can cross that bridge when
we come to it.
Verified manually that the test fails, with the expected error
message and abort, without `block_dns = yes' in krb5-nodns.conf. No
automatic test of the mechanism for now because it might not work on
some platforms.
XXX check-nodns.in is copypasta of check-basic.in, should factor out
the common parts so they don't get out of sync.
Previously, the hostname was initialized to `localhost'. If it was
not cleared by init_syslog, init_logger_addr (via openlog) would
query gethostbyname to find the IP address of `localhost', which will
essentially always be 127.0.0.1. But if it was cleared by
init_syslog, init_logger_addr would return 127.0.0.1 anyway.
This way, it always returns 127.0.0.1 in the event of no init_syslog
call, and avoids a DNS lookup. You can always force a DNS lookup by
passing `localhost' to init_syslog explicitly, of course.
I'm not sure if anything even uses this as a fallback in Heimdal, but
let's avoid leaving a rake to step on.
If block_dns is set, call getaddrinfo with AI_NUMERICHOST set and
AI_CANONNAME clear.
Some paths may not have set AI_CANONNAME, but it's easier to audit
this way when the getaddrinfo prelude is uniform across call sites,
and the compiler can optimize it away.
heimdal uses 8-byte (64-bits) atomic operations for a while now (ie in
lib/krb5/krcache.c). however some platforms (ie i386, i486, ARM < 7)
don't support them natively and need to be linked against libatomic in
order to implement functionallity from <stdatomic.h>.
if the header was found check 64-bit atomics work without any additional
libraries. if not try to add linking with libatomic. if that fails as
well fallback to -DHEIM_BASE_ATOMICS_FALLBACK
no change for platfroms without <stdatomic.h>
Fixes: #1186
Instead of freeing host->ai on return from submit_request in the
http_proxy path, stash the proxy's ai in another member host->freeai
which will be freed when host is freed.
Assumption: All hosts created in submit_request cease to be used
before any of them are freed, so it's safe to pick one host to hang
the proxy's ai on and free the ai when that host is freed.
fix https://github.com/heimdal/heimdal/issues/1205
In the future we should also make it so that `make check` for `tests/db`,
`tests/gss`, and `tests/kdc` first initializes all the realms and starts all
the daemons, then runs the actual checks possibly in parallel, then shuts down
the daemons. This will require quite a bit of work, so for now we just disable
parallel make in those directories.
If multiple valid CRLs are specified for a particular issuer, only the
first will be checked. The documentation didn’t really hint at this.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
If ‘keyid’ is an empty string, then the numeric error code that gets
appended to this error message may be mistaken for the key ID. Address
this by not mentioning any ID in such cases.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Codepoints above U+10FFFF and overlong encodings are considered invalid.
Unpaired surrogates are not, as these are known to be generated on
occasion — by Windows, for example.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Under C99, Sec 6.2.4, paragraph 2:
The value of a pointer becomes indeterminate when the object it
points to reaches the end of its lifetime.
`Indeterminate' (3.17.2) includes a trap representation, and any
reference to a trap representation is undefined behaviour. Thus,
after realloc(res, ...) succeeds, any reference to res (or p) is
undefined behaviour.
So, instead of using `p - res` after res has been freed, use the
existing name for the value we know it has now: len. (We could also
use alloced because p == end in this branch, and end = res + alloced,
and p = res + len. Of course, we would have to move it up a line to
before we update alloced to have a different value.)
fix https://github.com/heimdal/heimdal/issues/1164
The call to free_KDCDHKeyInfo(), further down, could have caused heap
corruption.
Found by Coverity (Samba CID 1544611).
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Nowadays we use PACs instead of AD-SIGNEDPATH, so we want a PAC on every
TGT, but we don't necessarily want PACs on cross-realm TGTs.
Specifically, we don't interop well yet with AD when issuing cross-realm
TGTs with AD realms as the destination realm (see #1091).
Bison must generate this unsolicited, but BSD yacc does not.
The makefiles for lib/com_err and lib/sl already did this; this
change just adds it to lib/asn1 and lib/hx509 too.
fix https://github.com/heimdal/heimdal/issues/1100
key_data is unused. Presumably this was copypasta from DB_seq in
hdb/db.c, where it is used for the Heimdal database format in which
the value may be missing a principal but it can be recovered from the
key. In contrast, the mit-krb5 format appears to always store the
principal in the value and _hdb_mdb_value2entry always retrieves it,
with no need for a key2principal fallback.
fix https://github.com/heimdal/heimdal/issues/1102
This way there is no truncation and no build failure due to
-Werror=format-truncation as is the default in some compilers, such
as gcc7.4 with -Wall -Werror.
This is presumably not space-constrained or performance-critical; the
very next thing it does is another asprintf and frees it immediately.
And uname is not usually under any adversary's control.
fix https://github.com/heimdal/heimdal/issues/1105
‘r->error_code’ might have been set earlier, and we don’t want to
overwrite it with a successful error code.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
If ‘r->error_code’ was zero, we would turn it into an ERR_GENERIC error
and return that to the client. Now we return the actual error code
instead.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
There are a few reasons that this function could fail (e.g., failure to
allocate memory) besides random number generation being unavailable. No
other caller abort()s on failure like this.
Furthermore, krb5_generate_random_block(), which is called by
krb5_generate_random_keyblock(), already aborts if random generation
fails.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This helps with certain automation tools, such as ansible, that usually
expect failure to be visible in stderr.
Other minor changes:
* replace "doesn't" with "does not" to keep messages consistent and
avoid escaping quotes in grep, etc.
* add newlines
Pretty sure it is not useful for applications to be able to write to
this.
However, caveat: this could break programs that expect to pass around
&heimdal_version or &heimdal_long_version to functions that expect
pointers to non-const objects even if they don't modify them.
Note: This changes the types of public symbols. It is unlikely that
any applications would rightly _write_ to these arrays, but it is
possible they might require some UNCONST in order to pass the
pointers to other functions that are missing const qualifiers.
This changes the public header file but I doubt it was ever intended
that applications could change these by writing to them. (Not sure
why they're not declared as const arrays in any case.)
This is almost certainly intended never to be written to, so let's
let the operating system detect that mistake for us by mapping it in
a .rodata segment mapped read-only that will cause SIGSEGV on write.
fix https://github.com/heimdal/heimdal/issues/1136
This way if anything _does_ write to it, it has the opportunity to be
caught by SIGSEGV, by having zero_ivec in a .rodata segment mapped
read-only.
fix https://github.com/heimdal/heimdal/issues/1135
If a char width is specified the number of output buffer bytes
consumed might be greater than one. Update append_char() to
return the number of bytes consumed and use that value in xyzprintf()
instead of one.
The struct _krb5_key_type.type is krb5_enctype. Cast it to
krb5_keytype before assigning to the 'krb5_keytype *keytype'
output variable to avoid a warning from Clang 1500 on Darwin.
If the master is unreachable for a while we can end up with expired
tickets that don't get refreshed, then ipropd-slave gets stuck until
it's manually restarted.
Excluded: libtomath and libedit files, most of which appear to be
testing or example code not involved in production, and which are
derived from an upstream that should perhaps have patches submitted
upstream instead.
fix https://github.com/heimdal/heimdal/issues/1111
Check for OpenSSL features while LDFLAGS and CFLAGS are set with
the paths provided in the configure command line. This allows
detecting a non-default OpenSSL's version correctly, such as
on FreeBSD with one of the OpenSSL 3.0 ports.
decrypt_internal_derived(), decrypt_internal_enc_then_cksum(),
decrypt_internal(), and decrypt_internal_special() execute the
following pattern where 'p' is an allocation of size 'len'
l = len - n
memmove(p, p + n, l);
result->data = realloc(p, l);
if (result->data == NULL && l != 0) {
free(p);
return krb5_enomem(context);
}
result->length = l;
which when compiled by gcc 13.0.1-0.12.fc38 or gcc-13.0.1-0.13.fc39
generates the following warning
warning: pointer 'p' may be used after 'realloc' [-Wuse-after-free]
The C language specification indicates that it is only safe to free()
the pointer passed to realloc() if errno is set to ENOMEM. Yet the
warning is generated by the following pattern
l = len - n
memmove(p, p + n, l);
errno = 0;
result->data = realloc(p, l);
if (result->data == NULL && l != 0) {
if (errno == ENOMEM)
free(p);
return krb5_enomem(context);
}
result->length = l;
The value of performing the realloc() is questionable. realloc()
in many cases will need to perform a second allocation of the
smaller size and then perform a memcpy() which will slow down
the operation without saving much memory. The allocation is already
very small.
This change avoids the warning by removing the realloc() entirely.
The interface between the krb5 mechanism and the mechglue API
gsskrb5_extract_authtime_from_sec_context() assumed the authtime would fit into
an uint32_t, which is not the case on platforms where time_t is 64-bit.
Fixes: #1073
This reverts commit a9c0b8f264.
From Joseph Sutton:
> I found that this commit would result in `KRB5KRB_AP_ERR_BAD_INTEGRITY`
> errors in Samba whenever explicit FAST armor was present. Reverting the
> commit made FAST work again.
> It should be safe to use `tgs_ac` here, since it will always be non-NULL if
> `r->explicit_armor_present` is true. Maybe a local variable
> `explicit_armor_present` (which would be assigned to
> `r->explicit_armor_present` before the function returns successfully) would
> help a static analyser to deduce that its value doesn't change within the
> function, and that `tgs_ac != NULL` still holds.
a9c0b8f264 (commitcomment-95581208)
Both the len and the index was decremented, which made the exit
condition (template[len - i] == 'X') trigger before it should.
Fixes solaris10 where mkdtemp is not available.
Fix regression introduced in 62f83ad0 by adding HEIMDAL_NORETURN_ATTRIBUTE and
HEIMDAL_PRINTF_ATTRIBUTE to function definitions, so they will be included in
heimbase-protos.h.
We reject tickets that have no AD-KDC-ISSUED(!).
This was reported by Samba. The workaround they found was to set
check_pac = true in krb5.conf, as that clobbers the ret from
krb5_ticket_get_authorization_data_type() not having found an
AD-KDC-ISSUED element.
This was introduced in 1cede09a0b.
SANON cred export/import never worked correctly as the export function was
producing the wrong form of token, which was leading gss_import_cred() to
allocate more than 64MB of memory to parse the SANON exported credential. The
recent change to reduce the default `max_alloc` of krb5_storage exposed this.
We have a check for symlinks and hardlinks so that we refuse to open
ccaches through symlinks or which have hardlinks. This check is too
strict, checking for `st_nlink != 1`, which runs into trouble when a
ccache is mounted as a file into a container, in which case `stat(2)`
reports it as having zero links.
The fix is to check for `st_nlink > 1`:
- if (sb2.st_nlink != 1) {
+ if (sb2.st_nlink > 1) {
krb5_set_error_message(context, EPERM, N_("Refuses to open hardlinks for caches FILE:%s", ""), filename);
Though I question the utility of the hardlink check. MIT Kerberos
doesn't have it.
As the atomics are signed on AIX, we better try to use the largest
possible max value.
The 'int' API uses 32-bit values for both 32-bit and 64-bit binaries:
typedef int *atomic_p;
int fetch_and_add(atomic_p addr, int value);
The 'long' API uses 32-bit values for 32-bit binaries and 64-bit values
for 64-bit binaries:
typedef long *atomic_l;
long fetch_and_addlp(atomic_l addr, long value);
So we better use the 'long' API in order to avoid any potential
problems with the heim_base_atomic_integer_max magic value, where
INT[32]_MAX would be a little bit low compared to 64-bit pointer space.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
The API looks like this on AIX:
typedef int *atomic_p;
int fetch_and_add(atomic_p addr, int value);
The strange thing is that the xlc compiler ignores missing arguments by
default. (It warns but doesn't fail to compile)
As a result the value argument was just uninitialized memory,
which means that the ref_cnt variable of struct heim_base,
gets unpredictable values during heim_retain() and heim_release(),
resulting in memory leaks.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
The lib/kadm5/test_marshall program allows one to construct and check
encodings for various struct types for which we have
{kadm5,krb5}_{ret,store}_<type>() functions.
Currently supported are:
- krb5_keyblock
- krb5_principal
- krb5_times
- krb5_address
- krb5_addresses
- krb5_authdata
- krb5_creds
- krb5_key_data
- krb5_tl_data
- kadm5_principal_ent_rec
With this we'll be able to a) construct test vectors, b) use those to
drive fuzzing with AFL or other fuzzers.
Add rk_undumptext(), which NUL-terminates the contents it reads.
rk_undumptext(), and now also rk_undumpdata(), can read from regular and
non-regular files (e.g., ttys, pipes, devices, but -on Windows- not
sockets).
This means that `asn1_print` can now read from `/dev/stdin`, which can
be a pipe.
There's a way to set a limit on how much to read from non-regular files,
and that limit defaults to 10MB.
At any rate, the rk_dumpdata(), rk_undumpdata(), and rk_undumptext() functions
really do not belong in lib/roken but in lib/base. There are other utility
functions in lib/roken that don't belong there too. A rationalization of the
split between lib/roken and lib/base is overdue. And while we're at it -lest I
forget- it'd be nice to move all the krb5_storage functions out of lib/krb5 and
into lib/base, as those could come in handy for, e.g., implementing OpenSSH
style certificates and other things outside the krb5 universe.
The bug fixed herein almost certainly means that PKINIT was never
working on Windows, since lib/hx509 uses rk_undumpdata() to read regular
files containing certificates and keys, but then since rk_undumpdata()
was using net_read(), that can't have worked. On Windows net_read()
insists on the FD being a socket, and because of winsock, the namespaces
of socket and file descriptors on Windows are distinct.
hxtool is a very useful command, with a very user-friendly interface, at
least compared to OpenSSL's openssl(1). We should document it better.
Currently there are no manual pages for hxtool(1)'s subcommands, though
their --help message is pretty self-explanatory. Now the hxtool(1) page
provides better clues to the user, including examples.
This will allow us to add a --no-roots option to
hxtool copy-certificate
which is convenient when copying certificate chains from stores that may
include root CA certificates.
We have a CSR authorizer plugin for calling to an IPC service.
In this commit we add test implementation of such a service.
We also remove the simple_csr_authorizer plugin and fold its
functionality into the new test_csr_authorizer functionality.
We use the CSR authorizer system for /get-tgt and /get-tgts because,
well, the CSR authorizer system knows how to deal with principal names
("PKINIT SANs").
The caller of the /get-tgts end-point is a batch API that is meant for
super-user clients that implement orchestration for automation. For
this end-point it's important to be able to return TGTs for just the
requested principals that are authorized rather than fail the whole
request because one principal isn't. A principal might be rejected by
the authorizer if, for example, it's not meant to exist, and that might
be desirable because "synthetic" HDB entries might be configured, and we
might not want principals that don't exist to appear to exist for such
an orchestration service.
The hx509 CSR related functions allow one to mark specific requested
EKUs and SANs as authorized or not. Until now we have simply rejected
all requests that don't have all attributes approved, but for /get-tgts
we need partial request approval. This commit implements partial
request approval for the /get-tgts end-point.
Now we can use heredocs to execute multiple kadmin commands with just
one `execve()`:
```
${kadmin} <<EOF || exit 1
init ...
add ...
...
EOF
```
This will allow tests to use heredocs in setting up an HDB so as to go a
bit faster.
While we no longer have a decoder CHOICE element 0 bug, we did still
have one encode and copy and free that was leading to a memory leak (and
_save trashing) prior to the fix for
asn1: Fix 1-byte leaks in der_copy_octet_string()
This commit fixes that.
We sometimes do things like `memset(&cert, 0, sizeof(cert))` then
`copy_Certificate(&cert, &cert_copy)`, and then we end up leaking a
byte in `der_copy_octet_string()` due to it having this code:
```C
der_copy_octet_string (const heim_octet_string *from, heim_octet_string *to)
{
assert(from->length == 0 || (from->length > 0 && from->data != NULL));
if (from->length == 0)
to->data = calloc(1, 1);
else
to->data = malloc(from->length);
...
}
```
The traces where this happens always involve the `_save` field of
`Name` or `TBSCertificate`.
This code was assuming that length 0 octet strings are expected to have
a non-NULL `data`, probably in case the C library's allocator returns
non-NULL pointers for `malloc(0)`, but then, why not just call
`malloc(0)`? But calling `malloc(0)` would then still lead to this leak
in on such systems.
Now, `der_free_octet_string()` does unconditionally `free()` the
string's `data`, so the leak really is not there but elsewhere, probably
in `lib/asn1/template.c:_asn1_free()`, but it clearly does
`der_free_octet_string()` the `_save` field of types that have it.
5398425c introduced support for propagating ASN.1 default values to the emitted
JSON, but it neglected to quote string values, which caused ASN.1 parsing
errors. Correct this.
OpenSSL's d2i_ECPrivateKey() is deprecated, so we have to use
d2i_PrivateKey(), but d2i_PrivateKey() wants the whole PKCS#8 blob so it
can know what kind of key it is. So we need to let the hx509 EC layer
get that blob. The internal APIs need some refactoring, so for now we
use a hack where we try to parse the private key with and without the
PKCS#8 wrapper.
At some point before we make an 8.0 release we'll probably just remove
all the legacy, weak ciphers and hashes (except MD5, most likely).
To drop these we'll have to re-generate PKCS#12 test samples using
stronger PBEs, and possible add new PBE types.
This check is admittedly lame. But it's all I have time for at the
moment. A better check would be a program that includes the correct
headers and succeeds if the OpenSSL version macro indicates it's at
3.0 or higher. Or perhaps we could run the openssl(1) version command-
line and parse its output. But checking for functions that are in 3.0
and not 1.1 will do for the time being.
This has no real effect, but make things more clear
and matches the pattern for krb5_sendto_context().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This matches krb5_init_creds_step() from MIT. The only
difference is the type 'krb5_realm' (Heimdal) vs. 'krb5_data' (MIT).
krb5_error_code KRB5_CALLCONV
krb5_init_creds_step(krb5_context context,
krb5_init_creds_context ctx,
krb5_data *in,
krb5_data *out,
krb5_data *realm,
unsigned int *flags);
NOTE: commit 1cdc9d5f3c
"krb5: export krb5_init_creds_step()" exported
krb5_init_creds_step() the first time, but that's
not in any released version, so it should be fine
to fix up the prototype in order to make the
function actually useful for external callers.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
It should not return pointers to the internal state,
this matches the way the krb5_init_creds_step() works in MIT.
NOTE: commit 1cdc9d5f3c
"krb5: export krb5_init_creds_step()" exported
krb5_init_creds_step() the first time, but that's
not in any released version, so it should be fine
to change the behavior as there can't be any
external users of the function.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
_krb5_fast_anon_pkinit_step() should not set
KRB5_INIT_CREDS_STEP_FLAG_CONTINUE if it doesn't generate any output.
And krb5_init_creds_step() needs to return if
_krb5_fast_anon_pkinit_step() returned with
KRB5_INIT_CREDS_STEP_FLAG_CONTINUE set.
As that means the recursive call to krb5_init_creds_step()
generated output that should be send to a KDC and the
KDC response if needed as input for the next step.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
The current prototype of krb5_init_creds_step() is completely
useless as the caller has no way to know the destination
realm for the out blob.
The only internal caller of krb5_init_creds_step()
passes hostinfo=NULL and this commit makes it more obvious that hostinfo
is always NULL.
NOTE: commit 1cdc9d5f3c
"krb5: export krb5_init_creds_step()" exported
krb5_init_creds_step() the first time, but that's
not in any released version, so it should be fine
to fix up the prototype.
The aim is to remove hostinfo from the krb5_init_creds_step() internals
completely and move krb5_init_creds_step() to a useful prototype
where it returns the destination realm for the out packet.
Which means the prototype will mostly match the one MIT is using:
krb5_error_code KRB5_CALLCONV
krb5_init_creds_step(krb5_context context,
krb5_init_creds_context ctx,
krb5_data *in,
krb5_data *out,
krb5_data *realm,
unsigned int *flags);
Follow up patches demonstrate that the hostinfo related code
in pk_verify_host() is actually dead code as all layers
just passed down the NULL value from krb5_init_creds_get().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Heimdal's HDB plugin interface, and hence Samba's KDC that depends upon
it, doesn't work on 32-bit builds due to structure fields being arranged
in the wrong order. This problem presents itself in the form of
segmentation faults on 32-bit systems, but goes unnoticed on 64-bit
builds thanks to extra structure padding absorbing the errant fields.
This commit reorders the HDB plugin structure fields to prevent crashes
and introduces a common macro to ensure every plugin presents a
consistent interface.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15110
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Record when a CHOICE field is promoted from IMPLICIT to EXPLICIT and convey
this in the ASN.1 compiler's JSON output, so that other tools (e.g. which have
a representation isomorphic to the original ASN.1) may use it.
While the local stack pointers could be thought of as "only"
numbers that are not invalidated by the memory they point at
being freed, any use of the pointer after the free is undefined
and so warned about (at best).
gcc version 12.2.1 20220819 (Red Hat 12.2.1-1) (GCC)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
We can't rely on having every KDC support FAST and should still
support S4U2Self against such a KDC.
We also have the order of the PA-DATA elements "corrected",
KRB5_PADATA_TGS_REQ followed by KRB5_PADATA_FX_FAST and
finally KRB5_PADATA_FOR_USER. While the inner PA-DATA
only contains KRB5_PADATA_FOR_USER.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This is needed when a service provides support for newer entry.etypes
without having a key for that encryption type yet.
It is triggered with svc_use_strongest_session_key=TRUE.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
As described by the C standard, __func__ is a variable, not a macro.
Hence this #ifndef check does not work as intended, and only serves to
unconditionally disable __func__. A nonoperating __func__ prevents
cmocka operating correctly, so remove this definition.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Change-Id: Ieac3937b9e86f39e84c0c056ffd649e44b292099
On systems where 'unsigned long' is 32-bits and the 'size'
parameter is set to 8 and the bytes are:
0x78 0x00 0x00 0x00 0x00 0x00 0x00 0x00
When 'i' becomes 4 'v' will be 0 again. As 'unsigned long' is only
able to hold 4 bytes.
Change the type of 'v' from 'unsigned long' to 'uint64_t' which
matches the type of the output parameter 'value'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
CVE: CVE-2022-42898
Samba-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error. This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.
This error affects the DER codec for all CHOICE types used in
Heimdal, though not all cases will be exploitable. We have not
completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.
This bug has been in Heimdal since 2005. It was first reported by
Douglas Bagnall, though it had been found independently by the
Heimdal maintainers via fuzzing a few weeks earlier.
We later subtract 8 when calculating the length of the output message
buffer. If padlength is excessively high, this calculation can underflow
and result in a very large positive value.
Now we properly constrain the value of padlength so underflow shouldn't
be possible.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
By decrementing 'pad' only when we know it's safe, we ensure we can't
stray backwards past the start of a buffer, which would be undefined
behaviour.
In the previous version of the loop, 'i' is the number of bytes left to
check, and 'pad' is the current byte we're checking. 'pad' was
decremented at the end of each loop iteration. If 'i' was 1 (so we
checked the final byte), 'pad' could potentially be pointing to the
first byte of the input buffer, and the decrement would put it one
byte behind the buffer.
That would be undefined behaviour.
The patch changes it so that 'pad' is the byte we previously checked,
which allows us to ensure that we only decrement it when we know we
have a byte to check.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Any command that uses lib/sl for sub-commands fails to exit with a
non-zero exit code on usage error.
The fix is a one-character change in lib/sl/slc-gram.y.
Affected are all subcommands of:
- ktutil
- kadmin
- heimtools
- hxtool
- gsstool
- kdigest
- iprop-log
- Add an import command that imports JSON as output by
`ktutil list --json --keys`.
This is enables one to filter/edit keytabs with jq!
- Add a `merge` alias for the `copy` command, since that's effectively
what it does.
- Add a `--copy-duplicates` option to the `copy`/`merge` command.
- Add a `--no-create` option to the `get` command.
- Add a `--no-change-keys` option to the `get` command.
- Make `add` complain if it can't finish writing to the keytab.
With this change it's possible to bootstrap a KDC using a client
certificate with a PKINIT SAN for iprop/fqdn. Given such a certificate
one could run ipropd-slave via kinit to pull down the initial copy of
the HDB, then start the KDC services using the HDBGET: keytab.
That should make bootstrapping new secondary KDCs very easy.
One could bootstrap the KDC with such a certificate using, e.g.,
Safeboot (https://github.com/osresearch/safeboot), enrolling the host as
a KDC.
In order to support batch jobs systems that run many users' jobs and
which jobs need credentials, we add a /get-tgts end-point that is a
batched version of the /get-tgt end-point. This end-point returns JSON.
Also, we make GETs optional, default to not-allowed in preference of
POSTs.
We also correct handling of POST (before POSTs with non-zero-length bodies
would cause the server to close the connection), and add additional CSRF
protection features, including the ability to disable all GET requests
for /get-keys and /get-config.
We set the timestamp field of krb5_keytab_entry in every case in-tree,
so we should not clobber it in krb5_kt_add_entry(). This is very
important in the context of virtual service principals, as the timestamp
of the keys in the keytab is a clue to when they must be refetched!
The idea with HEIM_JSON_F_TRY_DECODE_DATA is that on parsing of JSON
texts, if we find a base64-encoded string, decode it. But a lot of
strings that aren't base64-encoded can be decoded anyways, leaving a
mess.
Insted we should -in a future commit- implement this only for the string
values of "heimdal-type-data-76d7fca2-d0da-4b20-a126-1a10f8a0eae6" names
in singleton objects.
- Add HEIM_JSON_F_ESCAPE_NON_ASCII to indicate that non-ASCII must be
escaped as \uXXXX.
- Add HEIM_JSON_F_NO_ESCAPE_NON_ASCII to force non-escaping of BMP
codepoints.
- If the locale's codeset is not UTF-8 and
HEIM_JSON_F_NO_ESCAPE_NON_ASCII is not set, then set
HEIM_JSON_F_ESCAPE_NON_ASCII.
- Add flags for indenting with 2, 4, or 8 spaces, still defaulting to
tabs if none of those are set.
- Don't emit a newline before emitting scalar values in dicts.
- Fix markup
- Specific quoted command line for Visual Studio
build
- Caveat about line ending for gawk
- Add comments about python versions
- makeinfo.exe is no longer available from cygwin
- Add some words about APPVER setting
Without the change the build fails as:
CC hdb-ldap.lo
hdb-ldap.c:2109:5: warning: initialization of 'unsigned char:1' from 'krb5_error_code (*)(struct krb5_context_data *, void **)' {aka 'int (*)(struct krb5_context_data *, void **)'} makes integer from pointer without a cast [-Wint-conversion]
2109 | init,
| ^~~~
hdb-ldap.c:2109:5: note: (near initialization for 'hdb_ldapi_interface.is_file_based')
hdb-ldap.c:2109:5: error: initializer element is not computable at load time
hdb-ldap.c:2109:5: note: (near initialization for 'hdb_ldapi_interface.is_file_based')
hdb-ldap.c:2110:5: warning: initialization of 'unsigned char:1' from 'void (*)(void *)' makes integer from pointer without a cast [-Wint-conversion]
2110 | fini,
| ^~~~
hdb-ldap.c:2110:5: note: (near initialization for 'hdb_ldapi_interface.can_taste')
hdb-ldap.c:2110:5: error: initializer element is not computable at load time
hdb-ldap.c:2110:5: note: (near initialization for 'hdb_ldapi_interface.can_taste')
hdb-ldap.c:2111:5: warning: initialization of 'krb5_error_code (*)(struct krb5_context_data *, void **)' {aka 'int (*)(struct krb5_context_data *, void **)'} from incompatible pointer type 'char *' [-Wincompatible-pointer-types]
2111 | "ldapi",
| ^~~~~~~
hdb-ldap.c:2111:5: note: (near initialization for 'hdb_ldapi_interface.init')
hdb-ldap.c:2112:5: warning: initialization of 'void (*)(void *)' from incompatible pointer type 'krb5_error_code (*)(struct krb5_context_data *, HDB **, const char *)' {aka 'int (*)(struct krb5_context_data *, HDB **, const char *)'} [-Wincompatible-pointer-types]
2112 | hdb_ldapi_create
| ^~~~~~~~~~~~~~~~
hdb-ldap.c:2112:5: note: (near initialization for 'hdb_ldapi_interface.fini')
hdb-ldap.c:2113:1: warning: missing initializer for field 'prefix' of 'struct hdb_method' [-Wmissing-field-initializers]
2113 | };
| ^
Started failing when commit 93ada1fbf ("hdb: Remove default HDB backend
footgun") added extra fields to 'struct hdb_method'.
The 'bits' parameter to select_dh_group() is the minimum acceptable
bit size. Rename 'bits' to 'min_bits' and fix the comparision
with krb5_dh_moduli.bits to ensure that DH groups whose bit size
is the minimum acceptable are not excluded.
Fixes#1002
Reported-By: Julien Rische (GitHub: jrisc)
Heimdal supports the 2 mandatory MODP groups (group 2 and group 14)
according to RFC4556, however group 14 is defined with a size of
1760 bits instead of 2048.
Fixes#1001
Reported-by: Julien Rische (GitHub: jrisc)
Noticed missing target directory dependency as a build failure in
`make --shuffle` mode (added in https://savannah.gnu.org/bugs/index.php?62100):
CC test_common.o
In file included from test_common.c:34:
krb5/gsskrb5_locl.h:42:10: fatal error: gkrb5_err.h: No such file or directory
42 | #include <gkrb5_err.h>
| ^~~~~~~~~~~~~
compilation terminated.
make[3]: *** [Makefile:2347: test_common.o] Error 1 shuffle=1656680590
The change moves gkrb5_err.h and friends to BUILT_SOURCES
to guarantee their presence when main build starts.
Noticed missing target directory dependency as a build failure in
`make --shuffle` mode (added in https://savannah.gnu.org/bugs/index.php?62100):
Making all in doc
make[1]: Entering directory '/build/heimdal/doc'
MAKEINFO hx509.info
hx509.texi:15: @include: could not find vars.texi
hx509.texi:31: warning: undefined flag: PACKAGE_VERSION
hx509.texi:186: warning: undefined flag: PACKAGE_VERSION
make[1]: *** [Makefile:622: hx509.info] Error 1 shuffle=1656683556
The change moves vars.texi to BUILT_SOURCES to guarantee it's
presence when .info files start the build.
Noticed missing target directory dependency as a build failure in
`make --shuffle` mode (added in https://savannah.gnu.org/bugs/index.php?62100):
make[2]: Leaving directory '/build/heimdal/lib/gss_preauth'
Making all in hdb
make[2]: Entering directory '/build/heimdal/lib/hdb'
../../lib/asn1/asn1_compile --option-file=./hdb.opt ./hdb.asn1 hdb_asn1
for genfile in 'asn1_Event.c asn1_GENERATION.c asn1_HDB_EncTypeList.c asn1_HDB_Ext_Aliases.c asn1_HDB_Ext_Constrained_delegation_acl.c asn1_HDB_Ext_KeyRotation.c asn1_HDB_Ext_KeySet.c asn1_HDB_Ext_Lan_Manager_OWF.c asn1_HDB_Ext_Password.c asn1_HDB_Ext_PKINIT_acl.c asn1_HDB_Ext_PKINIT_cert.c asn1_HDB_Ext_PKINIT_hash.c asn1_HDB_EntryOrAlias.c asn1_HDB_entry_alias.c asn1_HDB_entry.c asn1_HDB_extension.c asn1_HDB_extensions.c asn1_HDB_keyset.c asn1_HDBFlags.c asn1_Key.c asn1_KeyRotation.c asn1_KeyRotationFlags.c asn1_Keys.c asn1_Salt.c'; do \
true -style='{BasedOnStyle: Mozilla, AlwaysBreakAfterReturnType: TopLevelDefinitions, IndentWidth: 4, SortIncludes: false}' -i ${genfile}; \
done
../../lib/com_err/compile_et hdb_err.et
make all-am
make[3]: Entering directory '/build/heimdal/lib/hdb'
CC hdb-ldap.lo
In file included from hdb_locl.h:67,
from hdb-ldap.c:36:
./hdb.h:337:10: fatal error: hdb-protos.h: No such file or directory
337 | #include <hdb-protos.h>
| ^~~~~~~~~~~~~~
compilation terminated.
The change moves hdb-protos.ha and hdb-private.h to BUILT_SOURCES
to guarantee their presence when main build starts.
The variable 'ret' is set but not used. As the value is ignored
remove it. Restructure the initialization of 'replyinCnt', 'replyout',
and 'replyoutCnt' such that a failure of vm_read() results in a
properly initialized reply structure.
get_null() can fail for two reasons. There can be a memory allocation
issue or the hints->ai_family could be unsupported. This change
informs the caller of the error state instead of returning success
with an invalid struct addrinfo output parameter.
Fixes#1007
Reported-by: opless
Apple clang version 14.0.0 (clang-1400.0.17.3.1) fails the build
because stds.h defines `fallthrough` as a macro which is then
expanded when base.h evaluates
# if __has_attribute(fallthrough) && __clang_major__ >= 5
The macOS SDK defines `DISPATCH_FALLTHROUGH` as the macro instead
of `fallthrough`.
This change replaces the use of `fallthrough` in the tree with
`HEIM_FALLTHROUGH` and updates the declaration in configure logic
to define `HEIM_FALLTHROUGH` based upon existing definitions
(if any) of `fallthrough` or `DISPATCH_FALLTHROUGH`.
We meant to clear only the UF_SMARTCARD_REQUIRED bit, but we were
instead clearing all bits excepting it.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
If the AP len is large enough, we might end up computing an address
beyond the end of the 'reply' array, which is undefined behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This commit makes the hxtool ca sub-command, when invoked with
--generate-key=TYPE and --certificate-private-key=STORE, write the
private key only to the given --certificate-private-key store and not
also the --certificate=STORE.
Before this commit, invoking the hxtool ca sub-command with both,
--generate-key=TYPE and --certificate-private-key=STORE, caused the
--generate-key option to be ignored and the private key to be read from
the given store and copied to the --certificate=STORE. That was clearly
a bug and non-sensical.
Add support for configuring the attributes of new principals created via
httpkadmind. This can be done via virtual host-based service
namespaces, which will provide default attributes even if disabled (but
the created principals will not be disabled, naturally), or via
krb5.conf.
We derive keysets for virtual host-based service principals, and that
includes the `set_time` field of keys. But applications using the kadm5
API lose that information. Our httpkadmind wants to set a Cache-Control
header with an appropriate max-age so that clients know when to re-fetch
keytabs.
We could extract some of the lib/hdb/common.c functions so that
httpkadmind could re-create an HDB_entry from a kadm5 entry then compute
the desired time, but ultimately we already have an appropriate field in
the HDB_entry and kadm5_principal_ent_rec types: "password expiration".
So let's set the `pw_end` of a virtual host-based service's HDB entry to
the time when a client should next fetch the principal's keys, and we'll
use that in httpkadmind as the `pw_expiration` field of the kadm5 entry
type.
If a virtual host-based service namespace is disabled, then the virtual
services below it cease existing.
This will be useful in a later commit where we'll use virtual host-based
service namespace for providing default attributes for new concrete
host-based service principals created via httpkadmind, whether the
namespace be enabled or disabled.
Add --no-automatic-renewal option to disable automatic TGT renewal.
Renewal can also be disabled by setting automatic_renewal to false
in the [kcm] section of krb5.conf.
Test that we can still do other things after `kadmin list` to make sure
we're not leaving -after listing- the connection in a state where other
operations can't work.
Also, no more sleeps at all in the test.
Now that we use krb5_copy_context() via kadm5_c_dup_context(), we see
occasional skew errors in the tests because context->max_skew was not
being initialized, so it was set to 0s of skew, and krb5_rd_priv() or
others could fail.
Texinfo in the GitHub OS X runners must be ancient. Even Texinfo 5.1
can handle UTF-8.
```
MAKEINFO /Users/runner/work/heimdal/heimdal/doc/heimdal.info
/Users/runner/work/heimdal/heimdal/doc/hx509.texi:11: warning: unrecognized encoding name `UTF-8'.
/Users/runner/work/heimdal/heimdal/doc/heimdal.texi:12: warning: unrecognized encoding name `UTF-8'.
/Users/runner/work/heimdal/heimdal/doc//setup.texi:380: Next field of node `Using soft aliases for configuring referrals' not pointed to (perhaps incorrect sectioning?).
/Users/runner/work/heimdal/heimdal/doc//setup.texi:404: This node (Checking the setup) has the bad Prev.
/Users/runner/work/heimdal/heimdal/doc//setup.texi:350: Prev field of node `Using hard aliases for realm migration' not pointed to.
/Users/runner/work/heimdal/heimdal/doc//setup.texi:310: This node (Using namespaces and synthetic principals to keep the database small) has the bad Next.
makeinfo: Removing output file `/Users/runner/work/heimdal/heimdal/doc/heimdal.info' due to errors; use --force to preserve.
make[1]: *** [/Users/runner/work/heimdal/heimdal/doc/heimdal.info] Error 1
```
Any callback of kadm5_iter_principals() that wants to call other kadm5
functions (such as kadm5_get_principal()) needs to do so on a different
kadm5 handle than the one used for kadm5_iter_principals().
0878a568f9 fixed a warning from Texinfo 6.7:
doc/whatis.texi:33: warning: redefining Texinfo language command: @sub
but the fix makes the doc build fail w/ Texinfo 5.1.
There may still be other problems when using Texinfo 5.1.
One user had an entry with duplicate aliases. This happened with an
earlier version of Heimdal.
This commit does not remove the duplicates, but it does tolerate them.
This is an attempt to make sure we test realm migration aliases by doing
kinit w/ a hard alias name in a different realm, and that we can get
service tickets for services in the same and other realms some of which
are hard aliases in one direction, and some in the other.
The online LIST interrupt message is a NOP, but it's expected to not
have a reply (the server doesn't send one if it receives it before the
LIST finishes).
However, if the interrupt message arrives after the LIST finished, then
it does get a reply, and this causes the client to get out of step with
the server.
Fixes include:
1) flavor the interrupt NOP to make sure it never gets a reply,
2) introduce a new kadm_list_interrtupt message that is like a NOP that
produces no reply
3) always consume -after the LIST ends- a reply to any list interrupt
NOP on the client side.
This implements (1).
The `inmsg` field of the client structure is malloc/realloc'ed in `handle_read` but never free'ed in `maybe_close`.
Seems like Apple already fixed that with this.
Now that we have a properly working API for listing principals in an
online way, and a server-side implementation of it, use it.
This should work with old and new servers, but it will only be online
and fast when talking to new servers.
(Old servers have a bug though that prevents LIST from working.)
Implement a variation on the op for listing principals where if the
client indicates support for the new variation then we stream the list
instead of collecting it into one reply. This is the server-side
version of the associated, preceding commit:
kadm5: Add online kadm5_iter_principals()
kadm5_get_principals() is not online. If you have... many principals,
it will be slow. At least it's no longer quadratic, but it, it's still
slow. Time to add a version that uses a callback:
kadm5_ret_t
kadm5_iter_principals(void *server_handle,
const char *expression,
int (*cb)(void *, const char *),
void *cbdata)
The callback gets called with the given callback data and one principal
name (unparsed).
Note that the callback MUST NOT re-enter the kadm5 library with the
*same* kadm handle. For example, the kadmin protocol doesn't really
multiplex requests well, though it could pipeline them, but it can't
pipeline when LIST is running, not with the protocol implemented here,
so a separate connection is needed, and that requires a separate kadm
handle. We add kadm5_dup_context() to deal with this.
Not sure why we ever needed the run-kadmind-for-one-operation approach
to testing. Anyways, we probably don't. Ditching that and using the
--detach mechanism of daemonization means we don't need to sleep in the
test (except when we need to restart kadmind with different options).
Seeing "End of file" errors from kadm5 client calls which were the
result of not sending back errors in many error paths in
kadmin/server.c:kadmind_dispatch().
We introduced a notion of soft vs. hard aliases in the previous commit
(hdb: Distinguish soft and hard principal aliases).
This commit corrects existing test cases and adds new test cases.
Soft aliases allow for the configuration of referrals using HDB entries.
Hard aliases are like copies of the aliased HDB entries. These are
useful for renaming principals (and realms).
See the preceding commit.
We introduce a notion of soft vs. hard aliases.
Soft aliases are aliases of WELLKNOWN/REFERRALS/TARGET@$some_realm,
where $some_realm is the realm we want the KDC to issue referrals to.
Hard aliases are all other aliases, where if the client requested
canonicalization then the KDC should update the names in the responses,
or else if the client did not request canonicalization, then the KDC
should treat the alias as a distinct principal with the same keys as the
alias' canonical name.
The logic for dealing with these is entirely located in the HDB
backends.
An HDB backend can implement hard aliases by replacing a found
HDB_entry's principal with the name used to look it up.
An HDB backend can implement soft aliases by returning
HDB_ERR_WRONG_REALM to trigger the AS or TGS to return a referral.
Currently only in-tree HDB backends support this feature that use
_hdb_fetch_kvno() as their hdb_fetch_kvno() method implementation.
That's all HDB backends other than SQLite3.
Out-of-tree backends should be unaffected.
We've added a decoration field to HDB_entry: aliased -- an int
(boolean). This is only used internally in libhdb at this time.
Out-of-tree HDB backends could have a use for this decoration, but we
have not decided whether it is a public interface yet.
INTxx_MIN plus a positive integer of the same type will always be
negative, and so the result will always compare less than a positive
integer. Fix this check so that we produce the correct result when
adding two negative time_t values.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
In a cross-realm situation the client KDC exchange may use on orphaned
strengthen_key (from the previous exchange) if the current KDC
doesn't not support FAST and the previous KDC supported it.
Otherwise init_creds_step() or fast_tgs_strengthen_key()
generate the reply key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Since plugins no longer have a way of accessing the 'ek' member of the
request structure, this function provides a way for a plugin to add
encrypted padata to the response.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This allows these functions to be used with PACs obtained from KDC
accessor functions such as kdc_request_get_pac().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
With HDB_ERR_WRONG_REALM the backend needs to expose the
principal, so we should not free the entry otherwise
the main kdc code will crash.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
PAC_TYPE_CLIENT_CLAIMS_INFO and PAC_TYPE_DEVICE_CLAIMS_INFO are
of zero length unless any claims are actually defined.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Closes: #969
PAC_TYPE_CLIENT_CLAIMS_INFO and PAC_TYPE_DEVICE_CLAIMS_INFO are
of zero length unless any claims are actually defined.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Honor the return code of _kdc_audit_request(), propagating if non-zero. Note
that this is principally intended to allow the audit plugin to return
HDB_ERR_NOT_FOUND_HERE, which influences whether the KDC sends an error reply
or not. If the audit plugin also wishes to rewrite r->error_code, it must do so
separately.
Closes: #964
_kdc_fast_check_armor_pac() already checks the PAC of the armor,
but it should also remember it if it's an TGS-REQ with explicit armor.
This will allow the kdc pac hooks to generate a compound identity PAC
with PAC_TYPE_DEVICE_INFO.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Closes: #967
Roken functions rk_copyhostent(), rk_freeaddrinfo(), rk_freehostent()
rk_getaddrinfo(), rk_getipnodebyaddr(), rk_getipnodebyname(), and
rk_getnameinfo() should never be built without the "rk_" prefix. Doing
so overrides the system provided functions of the same name when they
exist.
Add libkdc wrappers for heimbase object accessors so plugins can use audit and
request attribute APIs without consuming libheimbase. Exposed API surface is
minimal and is limited to reading array collections, and reading/creating base
and custom types.
Do not leak the object when the intent is to free it.
Introduced by 40d1271094
("asn1: Expand decoration w/ C types")
Change-Id: If8cd502f61d6f9b72118630839525933911c6697
3a7c2c6a7f
("krb5.h: define DOMAIN_X500_COMPRESS macro")
defined DOMAIN_X500_COMPRESS to the wrong name.
Change-Id: I5c60d86b856ce6d3fa94b1fa8d7ffe17b97c8513
ec866e635e
("Windows 10 SDK build fixes") inverted the meaning selecting
Debug versions for NODEBUG and vice versa.
Change-Id: I90771a71cd3efc93ba47076fbf5cd1efb0948f6f
Ah, we can't use context->default_cc_name because that will be taken
from KRB5CCNAME if it's set, and then we'll think whatever that value is
is the default, but we're really looking to special case resolving of
the "%{UID}" KCM cache name. So do that.
Our kcm daemon will resolve default cache names (%{UID}) to the user's
session's default cache name. SSSD's kcm daemon will not.
Therefore we add a heuristic for "if we're resolving what may be the
local configured default KCM cache, and it doesn't exist as such in the
KCM session, then use the KCM session's default cache".
This allows our kinit and klist to work as intended.
krb5_store_string, krb5_store_stringz, krb5_store_stringnl
If the input string is NULL, fail the call with EINVAL.
Do not pass the NULL pointer to strlen().
Change-Id: Id87d72e263dde798f300353ec4c1656b310d17a4
Both MIT and Heimdal are unable to, in krb5_cc_default(), call to KCM
(or CCAPI, or LSA, or...) to get the user's default ccache name in their
collection. Instead, the default ccache name is obtained in a static
way, and for KCM that's "%{UID}". When we krb5_cc_switch(), we simply
maintain a pointer to the name of the ccache that was made the default,
but klist can't make use of this because krb5_cc_default() can't.
The solution here is to first try resolving the ccache name given by the
client, and if that fails but the name happens to be what would be the
library's default KCM ccache name for that user, then try resolving it
through the default ccache name pointer saved at switch time.
Wrap all KCM cc ops that need to call kcm_alloc() so that they pass in
the cc ops pointer that they're associated with so that kcm_alloc() can
use the correct ccache type name if needed.
is_preauth (KFE_IS_PREAUTH is set) might require replying with
PA-ETYPE-INFO[2] which requires use of the long-term keys.
Without this change is_default_salt_p() can be called with 'key'
eq NULL.
Change-Id: I513fa768680225d4501d8b390e349a011666d90c
If mp_ubin_size(s) returns zero then mp_to_ubin() will fail and
not return MP_OKAY. If MP_OKAY is not returned, NULL is returned
to the caller of mpz2BN().
This change avoids the unnecessary memory allocation and function
calls. It also removes a dereference after null warning from
coverity.
Change-Id: I52ff2c166964e41cb4eef1dac637904bf2bf13bf
Use 'sizeof(*w)' to compute the correct size passed to erealloc().
Although sizeof(char **) == sizeof(char *), it is not guaranteed.
Change-Id: I5f66fafe20343d7e736922038d24abcd48bab8bd
190263bb7a
("assert non-NULL ptrs before calling mem funcs") introduced
two wrong size argument warnings. These locations are not
errors since the allocation is simply to ensure that the
data pointer is non-NULL; length is zero.
Change-Id: I7b3b58247799a48da3653008c7b6d7fbbbf83e25
The definitions of memcpy(), memmove(), and memset() state that
the behaviour is undefined if any of the pointer arguments are
NULL, and some compilers are known to make use of this to
optimise away existing NULL checks in the source.
Change-Id: I489bc256e3eac7ff41d91becb0b43aba73dbb3f9
Link: https://www.imperialviolet.org/2016/06/26/nonnull.html
If 'local_realm' is true, must protect against failure
of krb5_get_default_realm() and krb5_principal_set_realm().
Otherwise, the wrong realm might be used.
Change-Id: Ib7a92559da1ac062c71228c5530106a13d836d53
instead of testing both cb_ctx.h and cb_ctx.h->prefix
for non-NULL, ensure that cb_ctx.h is NULL after each
failed for() loop. This also ensures that cb_ctx.h
is never left pointing to an invalid non-NULL value.
Change-Id: I3264577b0fbf1d620b00f87d251e8c43b81e0f29
Assign zero to the output size parameter at the start so that
callers that use the value when an error occurs do not see
garbage that might be misinterpreted.
Change-Id: Iccfcf4f6944b1bf72789c83919901d9b9d6f9153
AND and OR are now binary operators, left-associative, with AND having
higher precedence than OR.
The not operator is now higher-precedence than the AND and OR operators.
There remains one tough shift/reduce conflict, the warning for which is
quieted with an `%expect 1` directive.
The remaining conflict has to do with whether a constraint attaches to
the inner type that some other outer type is a SET OF or SEQUENCE OF or
tagged-type of, or whether it attaches to the outer type. The two are
really the same thing. The latter is the reduce side, so it's not used,
but if it were we could grab the constraint in the action and attach it
to the inner type anyways.
In order to resolve some shift/reduce conflicts in the ASn.1 compiler's
grammar we need to be strict about value names starting with lower case
and type names starting with upper-case.
Using `AC_PROG_YACC` means accepting that `bison` gets invoked in yacc
compatibility mode (i.e., with the `-y` command-line option). In recent
versions Bison has started to warn about use of Bison extensions when in
yacc compatibility mode -- even for things yacc itself accepts but which
it doesn't document.
I've confirmed that `bison -d` and `byacc -d` both work for the ASN.1
compiler.
8dcc5e617b
("kadmin: add_one_principal refactor") made 'princ_name' a
top-level variable. This precludes the need to declare
subsequent block-level variables with the same name.
Change-Id: I4bf9e54b49a0e366ed4cd39920d3fe58439beb33
The pseudo keyword 'fallthrough' is defined such that case statement
blocks must end with any of these keywords:
* break;
* fallthrough;
* continue;
* goto <label>;
* return [expression];
*
* gcc: https://gcc.gnu.org/onlinedocs/gcc/Statement-Attributes.html#Statement-Attributes
The macro is defined either as
__attribute__((__fallthrough__))
or as
do {} while (0) /* fallthrough */
not including the semicolon.
This change implements the Linux kernel style and updates several locations
where "/*fallthrough*/ and /* FALLTHROUGH */ were not previously replaced.
Externally imported code such as libedit, libtommath and sqlite are
restored to their unaltered state.
Change-Id: I69db8167b0d5884f55d96d72de3059a0235a1ba3
124b8d0f78 ("kadmin: kadmind_dispatch
do not write NULL 'rsp' to 'out'") was committed with an
unintentional source code removal.
Change-Id: I3de21e3624d713a9b5a1e89d147a5db5f1f55ab1
1b213c1082 ("kadmind: Add missing
error checks") altered the behavior of kadmin_dispatch() such that
it unconditionally called
krb5_storage_to_data(rsp, out);
This change was unsafe because krb5_unparse_name_fixed() failure
would skip the allocation of the 'rsp' and 'sp' krb5_storage
objects.
This change allocates the krb5_storage objects prior to performing
any work. If either of them fail, kadmin_dispatch() immediately
returns ENOMEM.
Change-Id: I14fd96afe029a4e74bb769605286ca0e17d25043
In function ‘afslog_cell.isra’:
afslog.c:144:13: warning: ‘%s’ directive argument is null [-Wformat-overflow=]
144 | warnx("No cell matching \"%s\" found.", cell);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
caused by expand_cell_name() returning the input pointer.
Alter the behavior of expand_cell_name() to match its usage.
Change-Id: I3b15c4b3e59b597af5351e5e62f5d7751be50feb
If rand_password is true, allocate princ_name early to prevent
memory allocation errors after the principal was added.
Use memset_s to clear the 'password' so that it will not be
optimized away.
Change-Id: I80d11546166d2350e6a79c5a376cb9e8cb191fa3
Obtain the unparsed principal name early so that there is no
risk of memory allocation failure after kadm5_chpass_principal_3()
succeeds.
Change-Id: I389281004826da5752081c2f26127d55e3dc3989
1b213c1082 ("kadmind: Add missing
error checks") altered the behavior of kadmin_dispatch() such that
it unconditionally called
krb5_storage_to_data(rsp, out);
Previously kadmin_dispatch() only wrote to 'out' on success.
Doing so is important because 'rsp' might be NULL on error.
Change-Id: I2688a5c47db0f94d955971e785037c578d3f3fa4
1b213c1082 ("kadmind: Add missing
error checks") altered the scope of the
if (ret == HEIM_ERR_EOF)
ret = 0;
treatment of HEIM_ERR_EOF as a success code. Prior to that
commit HEIM_ERR_EOF meant success only when reading the 'keepold'
value. It indicated a premature failure if returned when reading
'princ' or 'n_key_data'.
This change corrects the scope of HEIM_ERR_EOF indicating success.
Change-Id: If5463b47dc3eabee6fa2f8e717147f02adc1586c
asprintf() return code must be checked because in case of failure
the value of the output buffer variable is undefined.
Change-Id: I75e06fffe2330ec10dbe4f678479ded479ab5931
The tests depend upon an ERANGE error for buffer length zero.
They broken due to 8324a2af1d
("lib/krb5: unparse_name_fixed error if invalid name buffer or length")
which returned EINVAL.
Change-Id: I81693f9d3f5fdc1838c11ffbfe0dafc742d9b207
If make_local_fast_ap_fxarmor() is called without a ccache
it will segmentation fault. Set a krb5 error message in the
context and fail with EINVAL.
Change-Id: I8a72a026dbae931e41498f55cd634ad2fee26772
krb5_cc_end_seq_get() is not expected to fail because it is a
cleanup routine. If it fails it indicates something wrong with
the cache or the system. Return the failure if there is one.
Otherwise, the failure from krb5_cc_next_cred() should be
returned UNLESS it is KRB5_CC_END in which case return success.
Change-Id: I80e07103e2fb38aa40418a436fa5351fb89549d3
Calls to krb5_principal_set_realm() can fail due to memory
allocation failures. If the client realm cannot be set in
the generated principal the wrong realm will be used.
Check for the result of krb5_principal_set_realm() and if
there is a failure, clean up and return the error code to
the caller.
Change-Id: Icadd04c858e88c1ba1d4344c60a784885a6a1344
If the output 'name' buffer is NULL or length is zero, there is
no place to unparse the principal name to. Fail with EINVAL and
if possible set an error message on the krb5_context.
This avoids potential NULL pointer dereferences.
Change-Id: Ie38d284f1867be883a2f2e31103ea50cd130a0fe
Refactor krb5_vset_error_message() to remove the many conditional
tests on the existence of krb5_context. If there is no krb5_context
then _krb5_debug() is a no-op. Therefore, there is no point in
performing any of the other work.
Change-Id: Ib88b592a542a195f27e352a80ced0a98a6f85300
Add an internal-use setter accessor for use by mssfu.c when principal names are
replaced. This also fixes a leak where r->client_princ was not freed before
being replaced with the impersonated client name.
krb5_kt_get_entry() allows a NULL principal to be given ("match all").
The get method of the HDB-as-keytab keytab did not know this, and could
dereference a NULL as a result.
This is needed so that it can be optional for path token expansion,
which has to have the context be optional for ccapi (lib/krb5/acache.c),
which in some cases calls path token expansion functions w/ a NULL
context.
As we move more and more state into astgs_request_t we need to be
careful not to leave locals and function arguments aliasing objects from
the astgs_request_t.
We weren't checking for errors, and we weren't using the convience
SEQUENCE OF add_METHOD_DATA() and add_ETYPE_INFO() functions generated
by the ASN.1 compiler. Using those utilities made get_pa_etype_info()
and make_etype_info_entry() sufficiently simpler that merging the two
makes for simpler, more readable code.
Build the entry to write to the log file in memory, the write it with
O_APPEND. This should make writes to the request log file safer in
multi-process KDC configurations.
Also, check results of krb5_store_*() functions (coverity alerted to
this).
We will use the kdc_ rather than krb5_kdc_ prefix for new public APIs exported
from libkdc. Amend the recently introduced
request_{get,set,copy,delete}_attribute APIs to conform.
Let the KRB5_SENDTO_DONE and KRB5_SENDTO_FAILED action states be
handled by the provided switch blocks. This ensures that the
'ret' value is set appropriately before exiting the loop.
Change-Id: I56f4cea83efd86203a9a7a36cf48c80f632cf779
If use_strongest_session_key and no keys are found the return
code will be set to KRB5KDC_ERR_ETYPE_NOSUPP. However, before
exiting if the principal is a weak exception then the return
code will be set to success and a NULL key pointer will be
dereferenced. Skip the weak exception check if the return
code is non-zero.
Change-Id: I36d0e1b179b3392171ad6767c75111d59c3f2f7d
warning: 'mp_read_unsigned_bin' is deprecated
(declared at ./libtommath/tommath.h:732): replaced by mp_from_ubin
[-Wdeprecated-declarations]
warning: 'mp_unsigned_bin_size' is deprecated
(declared at ./libtommath/tommath.h:731): replaced by mp_ubin_size
[-Wdeprecated-declarations]
warning: 'mp_to_unsigned_bin' is deprecated
(declared at ./libtommath/tommath.h:733): replaced by mp_to_ubin
[-Wdeprecated-declarations]
warning: 'mp_unsigned_bin_size' is deprecated
(declared at ./libtommath/tommath.h:731): replaced by mp_ubin_size
[-Wdeprecated-declarations]
warning: ignoring return value of 'mp_init_multi',
declared with attribute warn_unused_result [-Wunused-result]
warning: ignoring return value of 'mp_to_unsigned_bin',
declared with attribute warn_unused_result [-Wunused-result]
warning: ignoring return value of 'mp_read_unsigned_bin',
declared with attribute warn_unused_result [-Wunused-result]
Change-Id: I510fd7a57c9cd52b59086a85d13aa6204ebb9fd9
Refactor the call to verify_common() to pass the krb5_cred by
pointer to and call krb5_free_cred_contents() in
verify_user_opt_int() instead of verify_common().
Calling strerror() with a negative value is an error.
Besides fixing that, we streamline hx509_get_error_string(), making it much
simpler and easier to read.
Samba clients are often machine accounts with non-default salts that
will fail if they can't use the AES encryption type they know the KDC
supports. The problem is that arcfour-hmac-md5 has no salt so was
being used in preference.
Samba started to fail when
kdc_config->preauth_use_strongest_session_key = true;
was forced into the KDC configuration.
The history here is an attempt to avoid Kerberos v4 salts in des-cbc-crc
keys, but this instead broke Samba clients with AES-keys on machine accounts
as these have a non-default salt by default. These accounts were incorrectly
restricted to arcfour-hmac-md5 and they didn't like that.
A broader fix than Samba commit 8e1efd8bd3bf698dc0b6ed2081919f49b1412b53
REF: https://lists.samba.org/archive/samba/2021-October/237844.html
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14864
Change-Id: Ia8908a5a2eef107e6b133d7f0e4343c1988c18bb
First, we enlarge Member's val field to int64_t.
Then we warn about skipping 2int, int2, and parse units glue for such
things with too-large members.
And we error out when generating the template for such things with
>UINT32_MAX members.
What about too-negative members? That could be a thing for INTEGER /
ENUMERATED. We'll look at that later.
We sometimes use this idiom where we ignore the result of some function
such as krb5_unparse_name() and then we log something and we use the
ternary operator to handle any error from that function by substituting
a string like "<unknown>" or "<out-of-memory>". This yields some static
analyzer complaints. Maybe casting the function's result to void will
help.
Coverity thinks `handle` in lib/krb5/send_to_kdc.c:krb5_sendto_context()
at 1241 can be NULL, leading to a NULL derefence in `get_next()`. This
is an attempt to fix this by having `get_next()` check handle for NULL.
if _hx509_unparse_KRB5PrincipalName() fails return the error code
to the hx509_request_get_san() caller.
Change-Id: I3ad8ceda23f00263890115f292ca7e4c8ce9317b
1a793c04fa
("lib/hx509: revoke_print free revoke_context") forgot to pass
the address of 'revoke_ctx' to hx509_revoke_free().
Change-Id: I430a72a4dc7bce7099fc02bbe1feae625304a53a
The output buffer returned from hx509_name_to_string() must be
freed before it is overwritten by another call to
hx509_name_to_string().
Change-Id: Iaf28b14a2712cd28085ac5452819818e739d43ed
_hx509_unparse_utf8_string_name() and
_hx509_unparse_KRB5PrincipalName() can return a strpool even if
they fail. The strpool must be passed through rk_strpoolcollect()
in order to return the contents to the caller of
hx509_request_get_san().
Change-Id: Ifda5620f4e9e00ca188aa138f692fccc12621ae8
Tighten up all of the call sites of hx509_request_get_san()
to free the output string returned upon failure.
Use frees(&s) instead of free(s); s = NULL;.
Change-Id: I71035d7c1d2330a1a3a1b3b730cdd6ba1e6b7da3
kadm5_ad_destroy() frees the contents of the kadm5_ad_context
but not the kadm5_ad_context itself.
Change-Id: I70dc1fc0236166ed9725f681dfeb935f449e38cb
If the cache principal name cannot be determined free the client
principal created from the input client name.
Change-Id: I75f96ef9f490bd9eb761a900e7a26250f1ac2b9c
If getaddrinfo() succeeds and returns the gTLD name collision
address the result is ignored but the allocated addrinfo was not
freed.
If allocation of the krb5_krbhst_info structure fails the addrinfo
would also be leaked.
Change-Id: I94111e081cba9548f57ad7b7e7cbea3faab7502c
_krb5_mk_req_internal() accepts a (krb5_auth_context *) because
it can allocate and return a krb5_auth_context to the caller.
mkae_pa_tgs_req() should never be called with a non-NULL
krb5_auth_context but to avoid confusion, alter the signature
to accept a (krb5_auth_context *) instead of (krb5_auth_context)
so _krb5_mk_req_internal() is not called with a pointer to an
input parameter.
Change-Id: I6c2293529766eb06a9eebf41715533d8195b1f72
CHECK(ret, func(), label) jumps to the label if the function
returns non-zero. As a result it bypasses the free(s2) call.
Use the common out label to free(s2).
Change-Id: I9a79df669e6407a82991f4a849fc16a0afaae561
5be5faa722
("Use all DES keys, not just des-cbc-md5, verify that they all are the same.")
introduced a common out but missed a code path.
Change-Id: I27c1913c8cf87600ae34c42874bfc9d49ae1d22e
hx509_get_error_string() returns an allocated string that must
be freed with hx509_free_error_string().
Change-Id: Ib24713d2425f53eb69fc9ebfc7cc1af3272b6271
hx509_get_error_string() returns an allocated string that must
be freed with hx509_free_error_string().
Change-Id: I58d160ce1b09c48b587e8adce74277f6da469ceb
7ae2dfd853
("krb5: Fix error msg when removing keytab entries") allocated
'emsg' to prevent the leak but then forgot to use it in place
of the original krb5_get_error_message() call.
Change-Id: I0b5acdab54d75399be970837a421740f2ad7d73b
Change-Id: I4e872126f5c1deb48d36f5bdac22da7c0df3c8a1
warning: missing braces around initializer [-Wmissing-braces]
warning: (near initialization for 'fastreq.fast_options') [-Wmissing-braces]
warning: missing initializer for field 'padata' of 'struct KrbFastReq' [-Wmissing-field-initializers]
warning: ‘ver’ may be used uninitialized in this function [-Wmaybe-uninitialized]
'ver' can be uninitialized if get_right() fails.
Change-Id: If6019cc3c491b8be321ff3e08f3d27292f0f1f95
Change-Id: Icc211f165c7aff1b0268b4c6df12eb976df2f8bd
warning: missing braces around initializer [-Wmissing-braces]
warning: (near initialization for 'rep.kdc_rep') [-Wmissing-braces]
warning: missing initializer for field 'enc_part' of 'krb5_kdc_rep' [-Wmissing-field-initializers]
Alphabetically sorted the $(spnego_files), $(gssapi_files), and $(gen_files_hdb)
lists.
Added rules to execute clang-format when available on the included files.
Change-Id: If3cde862f3237bc7cd100bc82d4fbbf568f1a354
do not pass negative values to malloc
do not pass negative values to strerror
do not pass negative values to ftruncate
do not pass negative values to fclose
Change-Id: I79ebef4e22edd14343ebeebb2ef8308785064fe8
When an unsigned char is shifted << 24 bits its type will be
promoted to signed 32-bits. If the value is then assigned to
an unsigned 64-bit value sign extension will occur.
Prevent the unwanted sign extension by explicitly casting the
value to unsigned long before shifting.
Change-Id: Iabeac0f17dc3229a2dc89abe71960a8ffbf523f8
If the input 'bn' is NULL then BN_bin2bn() will allocate and
return a BIGNUM which will then be leaked. BN_set_word()
would then return true even though it didn't set the word
into a BIGNUM known to the caller.
Change-Id: I6681f548e6bfb330cec009ae7c18e6151016179e
Prior to this commit only those C structs for SET and SEQUENCE types
could be decorated. Now those for CHOICE types also can be decorated.
We could further extend this to SET OF and SEQUENCE OF types if it
proves useful.
Now that ETYPE_xxx names are macros to the KRB5_ENCTYPE_xxx
symbols there is no longer a need to cast to (krb5_enctype).
Change-Id: Ib561f6e45346abac7a53eb1db0bfef60ee3bcb74
Use of an anonymous enum for ETYPE_xxx and ENCTYPE_xxx alternative
names results in loss of the original KRB5_ENCTYPE_xxx type.
Use CPP macros instead.
Change-Id: I84620aabd672db1d2cd0ff7a65f3ae8b34c0c684
If included roken.h should be immediately following config.h.
Doing so ensures that all platform specific headers are
included in the proper order and avoids unnecessary includes
of headers managed by roken.h.
Change-Id: I27f11b42300b6ebcfbcc8d2c53915e96b6eec1d9
Instead of triggering scan-build builds on pushes to the `scan-build` branch,
or valgrind builds on pushes to the `valgrind` branch, let's have pushes to
branches matching `scan-build*` and `valgrind*` branch name globs trigger the
corresponding builds.
Do not forget to delete those branches when you're done!
- s/build.yml/${build}.yml/ for the existing builds
- add filter on branches on push
- add scan-build build triggered by pushes to the scan-build branch or by PRs
that touch the scan-build.yml
- add valgrind build triggered by pushes to the valgrind branch or by PRs that
touch the valgrind.yml
Make krb5_pac a heim_object_t and use heim_retain() (i.e. reference count +1)
as the copy constructor for the type decoration.
Note: this assumes that PACs included in naming attributes are immutable.
Remove hdb_entry_ex and revert to the original design of hdb_entry (except with
an additional context member in hdb_entry which is managed by the free_entry
method in HDB).
Decorate HDB_entry with context and move free_entry callback into HDB structure
itself. Requires updating hdb_free_entry() signature to include HDB parameter.
A follow-up commit will consolidate hdb_entry_ex (which has a single hdb_entry
member) into hdb_entry.
80f3194a76
("gssapi/krb5/{export,import}_sec_context: make smaller tokens.")
stored the source principal when it should have stored the target
principal.
Change-Id: Ife6b137f9fe8f63cdb78b4212f74d502080ec2a2
s_read_urandom has a while loop to handle read() that returns less
than the full buffer (either due to EINTR or because more than the
atomic guarantee from urandom was requested). However, the target
of the read was always the base pointer p instead of the updated
pointer q, so in the end less than the requested randomness is returned.
Use q instead of p in the read() call.
Upstream pull request:
https://github.com/libtom/libtommath/pull/512
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
ec866e635e
("Windows 10 SDK build fixes") introduced CPP macros
timezone -> _timezone
tzname -> _tzname
but these names are common and the macros rewrite too much.
The name mapping is only required when building strftime.c
with Visual Studio 2017 and later. Move the definitions
into strftime.c.
Change-Id: Ic813bff842124595fd3d86761cee6dcea4ae44e4
We should split build.yml into separate workflows for each OS, that way
we can have Windows builds triggered by changes to NTMakefiles, but not
Linux builds.
db7763ca7b
("asn1: X.681/682/683 magic handling of open types")
renamed 'DOMAIN_X500_COMPRESS' to 'domain_X500_Compress'
for compliance with ASN.1 which requires values to start with
lower case and types to start with upper case.
This change adds a CPP macro DOMAIN_X500_COMPRESS for use by
third-party applications that rely upon the prior name.
Change-Id: I2eb6fec2c795c8adeeef893b00909a202257ad74
12826c9586
("Handle partial writes on non-blocking sockets") introduced
unconditional use of 'use_write' which is only declared if
defined(SOCKET_IS_NOT_AN_FD).
Change-Id: I0c43ed44a86b4f245acba849afabeb9ce739d0e5
ee2a92c547 ("bits: Fix warnings")
introduced unconditional use of snprintf(). Use of snprintf in
most of the tree is acceptable whenever roken is available because
roken provides snprintf() for platforms that do not provide it.
However, bits.c cannot use roken and therefore must not
unconditionally call snprintf().
This change restores the prior implementation of BITSIZE(TYPE)
when HAVE_SNPRINTF is undefined.
Change-Id: Ibbd2f003abe9f9fb612719266544cfd545809a18
The hc_evp_md_init, hc_evp_md_update and hc_evp_md_final typedefs
are defined as functions returning an int, but null_Init, null_Update
and null_Final are defined as void, and cast with the typedef when
assigned to the function vector.
This might result in some uninitialized value being returned to the
caller, if some of them make use of the return value. It also causes
warnings if the -Wcast-function-type warning is enabled.
Change the type to in to match the typedef, and return 1 (success).
This is not a very good fix, though the warnings remain. Such errors
can in principle be a problem because in C there is no standard enum
sizing.
In this case we have two enums with the same elements and so the same
size, so it's clearly not a problem.
This commits allows `heim_object_t` as a type and causes the generated
code to use the `heim_retain()` and `heim_release()` functions for
copying and releasing values of such types.
Also, now one can have more than one decoration per-type.
If the decorated external type is a void *, don't include the decoration
header in the ASN.1 header, only in the template implementation. This allows
the copy constructor and destructor to be implementation private.
This adds support for asn1_compile --decorate=... variation that causes
decoration of an ASN.1 SET/SEQUENCE type with a field of a non-ASN.1
type.
This means we can now have an ASN.1 type to represent a request that can
then have a "hidden" field -- hidden in that it is neither encoded nor
decoded. This field will be copied and freed when the decoration is of
an ASN.1 type or of a external, C type that comes with copy constructor
and destructor functions. Decoration with a `void *` field which is
neither copied nor freed is also supported.
We may end up using this to, for example, replace the `hdb_entry_ex`
type by decorating `HDB_entry` with a C type that points to the `HDB` in
which the entry was found or to which it should be written.
Fix regression introduced in 9427796f, where checked in files matching asn1_*.c
would be clobbered by "make clean".
Change-Id: Ifc4bbe3c46dd357fdd642040ad964c7cfe1d395c
Recent auditing changes (b1dcc1a4) introduced a leak into pa_enc_ts_validate()
where the encryption type name and error message could be leaked.
This patch fixes a compile error in the original commit.
We have a Heimdal special where when the acceptor sends back an error
token for clock skew or ticket-not-yet-valid errors then the acceptor
application will get GSS_S_CONTINUE_NEEDED from gss_accept_sec_context()
so that the initiator may retry with the same context.
But we were retaining the auth_context, which means that when the
initiator does send a new token, the acceptor leaks memory because
krb5_verify_ap_req2() doesn't clean up the auth_context on reuse. The
end result is that we leak a lot in those cases.
The implementation of GSS name attributes for Kerberos (or any mechanism
with more than a tiny handful) is much nicer as a table-driven
implementation.
We now have stubs for setting and deleting attributes as well, though
these currently always fail.
The Heimdal KDC does not add a PAC if an anonymous ticket was issued. As such,
test_context should not expect PAC naming attributes to be present if the
--anonymous option was passed. (This is irrelevant for now as GSS_C_ANON_FLAG
is not honored by the krb5 mechanism.)
When unsigned char values are shifted, they are promoted to int (unless
sizeof(int) == sizeof(char)). This means that the change in be708ca3cf
ultimately leads to a sign extension bug.
Use uintptr_t for hash type; this is consistent with CoreFoundation, which uses
32-bit integers on 32-bit platforms for the hash code, and 64-bit integers on
64-bit platforms. (libheimbase is modelled on CoreFoundation.)
Previously we used unsigned long, which would have the same behavior on
LP32/LP64 systems, but not on Windows (where unsigned long is 32-bits on 64-bit
platforms).
Cast integer constants to (void *) with an intermediate cast to
(uintptr_t). On Windows this avoid warnings about a signed
integer being cast to a pointer of larger size.
No functional change.
Change-Id: I7289fb772870c5f492c1a8b988e0d80cf008b7f4
The generated .x source and .hx header files are plain C source files.
Generate them as .c source files and avoid unnecessary file copying
and special makefile rules.
Change-Id: Ifc4bbe3c46dd357fdd642040ad964c7cfe1d395c
When generating code cast integer constants to (void *) with an
intermediate cast to (uintptr_t). On Windows this avoid hundreds
of warnings about a signed integer being cast to a pointer of larger
size.
No functional change.
Change-Id: Ifd2acd0cfe99a7859aad58e79ab0f0c12b28fdeb
This commit builds a static runtime version of the asn1 library
which is required for some thirdparty applications.
LIBASN1_S =$(LIBDIR)\libasn1_s.lib
This differs from libasn1.lib which is compiled to use the
dynamic runtime.
Change-Id: Ib04f5b53a7f16d7bbe9d2debb75e944322a6792a
Instead of defining ASN1_LIB in each of the generated ASN1 source
files require that the generated source file be compiled with the
ASN1_LIB symbol defined (on Windows). All of the compiled objects
linked into the same library which might be accessing an ASN1 exported
symbol must have ASN1_LIB defined to ensure that the use of the
exported symbols will not be via an import.
Change-Id: Ie38c105d1d376419717fce0830dc28f5b82547d4
The LIB_ASN1 definition instructs the library objects to access
exported ASN1 generated DATA symbols as internal symbols.
Change-Id: I58b055808893c6f3af48fc2dd997e0dedea2ffcb
The LIB_ASN1 definition instructs the library objects to access
exported ASN1 generated DATA symbols as internal symbols.
Change-Id: Ia8c674c879c9bc46ca9dc7f249114f22b1d0dfd5
The LIB_ASN1 definition instructs the library objects to access
exported DATA symbols as internal symbols.
Change-Id: Ifbc80a4e3c357cb323f7763c116101ae495b11df
oid_resolution.obj does not depend upon $(LIBASN1_OBJ) object
files. It depends upon the generated .x files produced by
asn1_compile.exe when building $(gen_files_xxx). Create a
new list of those dependencies explicitly for oid_resolution.obj.
Change-Id: I09a4dc9efb7a84e68da939b6a3ec5f55354c02ee
Build without Win32.mak, and using Universal C Runtime (UCRT)
windows: Check for APPVER, not VCVER for UCRT
When deciding whether UCRT is used (and thus no CRT merge modules), check for
Windows 10 rather than the version of Visual Studio, as we may be building with
an older SDK.
Add some notes about the KDC plugin API contract, and require plugins to
explicitly indicate which version of the API they support (remove the macro
alias for the current version).
r->canon_client_princ is always an alias to r->client->entry.principal in the
AS, but use it for consistency with the TGS. (In the TGS, it may also come from
te PAC.)
Move the Services for User (SFU/S4U) implementation -- protocol transition and
constrained delegation -- into its own compilation unit, with an interface that
only takes an astgs_request_t, so it can be easily factored out into a plugin
module in the future.
This refactoring is also careful to update all client names in the request
structure after the SFU/S4U validation has successfully completed.
Instead of having distinct preauth success/failure events for different
mechanisms, have a single event; the mechanism can be disambiguated by querying
the HDB_REQUEST_KV_PA_NAME key.
Note: there is still an explicit event for long-term key-based success/failure
in order to help the backend implement lockout.
Audit failure (HDB_AUTH_EVENT_PREAUTH_FAILED) in the main preauth loop, rather
than in each mechanism. Success is still audited in the mechanism to allow
client pre-authentication success to be noted even if something subsequent
(e.g. encoding a reply, memory allocation) fails. The generic catch-all for
success remains.
Use of the C99 'restrict' keyword was introduced by
be708ca3cf
("gsskrb5: Add simple name attributes support")
Change-Id: I8272f595af53741ee7c59750bb2d388faeb01f8f
ASTGS_REQUEST_DESC_COMMON_ELEMENTS should not terminate in a semi-colon;
the consuming structure should include it. This is consistent with
HEIM_SVC_REQUEST_DESC_COMMON_ELEMENTS. This fixes the build on Windows.
Annotate libkdc APIs with KDC_LIB_{CALL,FUNCTION} to ensure correct calling
convention and optimized DLL importing on Windows.
Ensure Windows and libtool export tables are consistent.
Now heim_audit_addkv() correctly supports multiple values, the other functions
that (by design) replace existing values with a single value should use the
heim_audit_setkv prefix.
A subsequent commit could add variants that support multiple values for
non-string types.
Build without Win32.mak, and using Universal C Runtime (UCRT)
windows: Check for APPVER, not VCVER for UCRT
When deciding whether UCRT is used (and thus no CRT merge modules), check for
Windows 10 rather than the version of Visual Studio, as we may be building with
an older SDK.
787d9ceec9 ("check for db6/db.h")
added a check for the db6 header defining HAVE_DB6_DB_H but failed
to add a check for existence of db_create() in the libdb-6 library.
Previously, if heim_audit_vaddkv() was called multiple times, values would be
concatenated; since changing the request kv type to a dictionary, only the most
recently set value was preserved.
Fix this by promoting multi-valued values to an array of values, which is
visualized in the same manner as it was prior to b1dcc1a4.
Rename the "windc" plugin API to the more general "kdc" plugin API, for two
reasons: the Heimdal KDC uses the Windows PAC even when not emulating a domain
controller, and the plugin API has accreted methods that are not specific to
emulating a domain controller (such as referral_policy and finalize_reply).
Allow the windc plugin to also implement an audit callback. As part of this
change, both the HDB and windc audit function signatures are changed to return
void.
Active Directory/Samba-specific referral policy should be implemented by a
windc plugin, not in the main KDC code. It looks like it probably isn't
necessary at all if Samba wishes to bypass Heimdal's referral handling.
This reverts commit 6f0cafa6cf.
Add a referral policy hook to the TGS as a more elegant way of resolving
referral detection for Samba). The hook can either rewrite the server_princ in
the request, or it can return an error to disable built-in referral processing.
Add a new method for issuing referrals for entire namespaces of hostnames.
An alias of the form WELLKNOWN/HOSTBASED-NAMESPACE/service/namespace-fqdn@REALM
will cause all requests for host-based principals in the given namespace to be
referred to the given realm.
This adds Kerberos mechanism support for:
- composite principal name export/import
- getting rudimentary name attributes from GSS names using
gss_get_name_attribute():
- all (raw) authorization data from the Ticket
- all (raw) authorization data from the Authenticator
- transit path
- realm
- component count
- each component
- gss_inquire_name()
- gss_display_name_ext() (just for the hostbased service name type
though)
The test exercises almost all of the functionality, except for:
- getting the PAC
- getting authz-data from the Authenticator
- getting the transit path
TBD (much) later:
- amend test_context to do minimal name attribute checks as well
- gss_set_name_attribute() (to request authz-data)
- gss_delete_name_attribute()
- getting specific authorization data elements via URN fragments (as
opposed to all of them)
- parsing the PAC, extracting SIDs (each one as a separate value)
- some configurable local policy (?)
- plugin interface for additional local policy
We now have what we need in krb5_principal to implement much of RFC6680.
Now we populate those fields so that they can be accessed by GSS-API
RFC6680 name attributes functions.
The next commit should add much of the GSS-API RFC6680 name attributes
functions and functionality.
The auth event details audit key (formerly, parameter to auth_status)
contained, variously, an encryption type name; a PKINIT client certificate
name; or, a GSS initiator name. Audit these instead using individual keys that
reflect the values' contents.
Preserve integer/boolean audit values as their native types; convert to strings
when logging only. This commit goes some way towards unifying the two auditing
APIs.
Make Samba-specific HDB auth status API a wrapper on the existing auditing API,
with a view towards unifying the two APIs in a future commit.
The term "auth status" is replaced with "auth event", and the HDB auth_status
method is replaced with a more general purpose audit method which has access to
the entire request structure.
Return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, not HDB_ERR_NOENTRY, if a client
principal could not be found during pre-authentication.
This fixes a regression introduced with synthetic principals in 00358252d3.
We're logging SUCCESS even when the KDC sends error replies. That's
because we're returning success to process_request() even when we send
errors to clients. The error we want to send to the client, and that we
succeed or fail to send it, are different statuses.
Also, further move things into `r` and out of function arguments.
We're logging SUCCESS even when the KDC sends error replies. That's
because we're returning success to process_request() even when we send
errors to clients. The error we want to send to the client, and that we
succeed or fail to send it, are different statuses.
To fix this we'll add a `ret` field to the common service request state
structure, HEIM_SVC_REQUEST_DESC_COMMON_ELEMENTS /
heim_svc_req_desc_common_s.
Remove the outpadata field from astgs_request_t, because it's not something we
wish to expose publically (yet it is something that Samba needs in the
client_access plugin API, to add Windows error information).
Instead, allocate rep->padata at the start of AS/TGS request handling, and
ensure it is valid for the lifetime of the request until it is encoded (at
which point it will be freed and set to NULL if zero length, to avoid sending a
zero length METHOD-DATA to the client).
(The previous approach of setting rep->padata to point to &r->outpadata was
fragile, because it required clearing the pointer before freeing the KDC-REP.)
Make client_access plugin API take a single argument, astgs_request_t. Note: in
order to avoid making r->outpadata public (it's an internal buffer), but allow
Samba to modify the reply pa data, some pointer magic is required.
Add a helper function that returns TRUE if a PAC should be included in ticket
authorization data, that can be called from both AS and TGS paths.
Per [MS-KILE] 3.3.5.3, PACs are always included for TGTs; for service
tickets, policy is governed by whether the client explicitly requested
a PAC be omitted when requesting a TGT, or if the no-auth-data-reqd
flag is set on the service principal entry.
Remove the unwieldy pac_attributes_present field from the request structure.
Instead, if PAC attributes are not present in the TGT, the default is to assume
they were set to KRB5_PAC_WAS_GIVEN_IMPLICITLY.
Distinguish pre-authentication mechanisms that replace the reply key from those
that use the client's long-term key. In the general case, one is the inverse of
the other, however KRB5_PADATA_ENCRYPTED_CHALLENGE replaces the reply-key with
one derived from the long-term key.
PA_REPLACE_REPLY_KEY indicates that the kvno should be set to zero in the
reply; the absence of PA_USES_LONG_TERM_KEY indicates that the client's
long-term key may be included in the PAC (PAC_CREDENTIAL_INFO with Samba only).
Corrects e8984871.
Distinguish pre-authentication mechanisms that replace the reply key from those
that use the client's long-term key. In the general case, one is the inverse of
the other, however KRB5_PADATA_ENCRYPTED_CHALLENGE replaces the reply-key with
one derived from the long-term key.
PA_REPLACE_REPLY_KEY indicates that the kvno should be set to zero in the
reply; the absence of PA_USES_LONG_TERM_KEY indicates that the client's
long-term key may be included in the PAC (PAC_CREDENTIAL_INFO with Samba only).
PACs are included when issuing TGTs, if there is no PAC_ATTRIBUTES buffer
(legacy behavior) or if the attributes buffer indicates the AS client requested
one.
Only include the PAC_ATTRIBUTES PAC info buffer if we are issuing a TGT, as its
contents are not relevant to application services. (The buffer contains a bit
indicating whether the client explicitly or implicitly requested a PAC.)
In the altsecid GSS pre-authentication authorizer plugin, don't add the
REQUESTOR_SID PAC info buffer unless the client requested a TGT. It is not
relevant to application services.
Only set the PAC_EXTRA_LOGON_INFO_FLAGS_UPN_DEFAULTED flag in the
UPN_DNS_INFO_EX PAC buffer, if the provided UPN matches the cname.
This is a NOOP at present, as no UPN is provided by the Heimdal KDC.
Update the sample GSS pre-authentication authorizer plugin to allow the PAC to
be pinned to the authenticating user's SID.
There is still a race condition between the time the user authenticates and the
time the SID is looked up via LDAP, but it should be sufficient as an example;
if more security is required, then users should be enrolled with their SIDs.
Note the selected pre-authentication mechanism, and add a callback to allow the
pre-authentication mechanism to update the PAC immediately prior to signing.
Add PAC_ATTRIBUTES_INFO to the PAC. This info buffer indicates whether the user
explicitly requested a PAC be present or absent.
Note: this changes the windc plugin ABI.
Use the UPN_DNS_INFO buffer of the PAC to include the canonical principal name.
Arguably we should use AD-LOGIN-ALIAS as defined in RFC6806, but we may not
always know all the principal's aliases, and this approach allows us to share
application service logic with Windows.
If the UPN_DNS_INFO buffer in the Windows PAC contains a canonical principal
name, use it in lieu of the ticket client name to determine the GSS-API
initiator name.
See `asn1: Add --decorate=... for internal bookkeeping`, which adds an
option to `asn1_compile` for decorating SET/SEQUENCE types with fields
that are neither encoded nor decoded, but which _are_ copied and freed.
We'll use this to add name attributes to the `Principal` type (which is
used to represent Kerberos principal names in the krb5 GSS mechanism)
without having to rototill the GSS krb5 mechanism nor the krb5 library,
and without affecting the encodings of HDB entries (which happen to use
the `Principal` type).
This option, `--decorate=TYPE-NAME:FIELD-TYPE:field-name[?]` allows one to add
a field to any struct generated by the ASN.1 compiler for any SET or SEQUENCE
type such that:
- the field will be freed by the `free_TYPE_NAME()` function
- the field will be copied by the `copy_TYPE_NAME()` function
- the field will not be printed by the `print_TYPE_NAME()` function
- the field will NOT be encoded or decoded
This is useful for internal bookkeeping.
The first use of this may well be for adding an optional field to
`Principal` where information about name attributes will be stored,
which will then allow us to have GSS name attributes for the krb5
mechanism w/o having to refactor the mechanism to use a different
structure for representing `gss_name_t` mechnames than the one currently
used (`Principal`; `krb5_principal` happens to be a typedef alias of
`Principal *`).
So w/o massive rototilling of the GSS krb5 mechanism we can have name
attributes, _and_ we'll also be able to have those in the krb5 API as
well w/o any massive rototilling there either.
r->client_princ and r->server_princ are only set in the AS-REQ case, but
we perform the PAC check in the TGS-REQ case, so calling
krb5_unparse_name() will dereference a NULL pointer. Instead, use
r->cname and r->sname.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
add HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL to the capability flags for the
SQLite backend, as it uses the common _hdb_fetch_kvno() helper which supports
enterprise principals.
Failure to set this flag resulted in hdb_fetch_kvno() incorrectly returning
HDB_ERR_WRONG_REALM when enterprise principals were being used, as the
enterprise name translation was instead done by _kdc_db_fetch(), thereby
squashing the enterprise name type (which otherwise would have set the
force_canonicalize option).
08e0305b introduced a patch to validate armor ticket PACs, but required that
the armor client principal was in the local realm (as it did not allow
_kdc_db_fetch() to fail).
Allow cross-realm FAST armor clients by using the same logic to look up the
client principal as the TGS itself does, i.e. use db_fetch_client() which
handles the case where the client is not local to the KDC.
Note: the armor PAC is only required to be validated when issuing a final,
non-referral service ticket, as this is the only point upon which device claims
should be inserted (according to my understanding).
Closes: #901
Add a new authorization data type to indicate a synthetic principal was used,
to allow synthetic clients acquired outside of PKINIT (e.g. with GSS-API
pre-authentication) to use the TGS.
Note: we continue to honor KRB5_AUTHDATA_INITIAL_VERIFIED_CAS to indicate that
it is OK for the client to be synthetic, even though it is only an indication
that the client *may* have been synthetic.
This reverts commit 6f81e4c93b.
This patch may have originated in Samba from before force_canonicalize was
supported. Because the server_principal argument to tgs_make_reply() is
canonicalized prior to calling (if the server entry has force_canonicalize
set), honoring it again in tgs_make_reply() is superfluous.
Initialize the tgs_req buffer in init_tgs_req() so pointers are valid when
freed. Fixes regression introduced when Apple TGS-REQ FAST code was imported in
PR #805.
Look up the client name of the armor TGT in the database, and check that
the PAC is valid.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Closes: #891
This allows Samba to have a behaviour where
even if canonicalize flag is not set, the canonical realm
is returned, allowing a HDB module to require behaviour
that is the same as Windows.
Regression (for a HDB module wanting AD behaviour) was
introduced by commit:
378f34b4be
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
[abartlet@samba.org Similar to Samba commit a9e6119ca0c2a78ef314c3162122539ee834aa04
but made conditional on server->entry.flags.force_canonicalize to
allow upstream submission]
If the pre-authentication mechanism replaced the reply key, then the kvno in
the KDC-REP should be zero, as the reply is not encrypted in the client's
(versioned) long-term key.
Closes: #899
We now pass on the original client name and the client address to allow
consistent audit logging in Samba across multiple protocols.
We also log the authentication duration.
This is not a general purpose profiling solution, but in Smaba
these JSON logs are already being generated and stored, so this
is worth adding.
Some administrators are very keen to know how long authentication
takes, particularly due to long replication transactions in other
Samba processes.
We use config->db[0] to find the first database to record incorrect
users.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(Similar to Samba commit f498ba77df2313e78863e5f2706840c43e232a96 and
bb2a1c6b3eaccf114ac3f3b5b51f57828a04996)
[metze@samba.org: improved for heimdal upstream]
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org: improved again for Heimdal based on feedback]
AES256 and AES128 are newer enctypes because they are officially
specified in RFC4120 and RFC8009, while enctypes not officially
specified since RFC4120 are considered older. This function differs from
older_enctype() in that it does not report unknown or non-existent
enctypes as being 'newer'.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Assists Samba to address CVE-2020-25719
It is critical to ensure that the name in the U2U TGT is still associated with
the account was issued to, so we must check the PAC to verify the SID.
Otherwise the SPN check via the S4U2Self hook might be mislead.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(Similar to Samba commit 49a13f0fc942d1cfb767d5b6bf49d62241d52046)
Assists Samba to address CVE-2020-25719
Again, this may be contary to RFC4120 3.3.3
https://datatracker.ietf.org/doc/html/rfc4120/#section-3.3.3
(clearer at the GSS spec here:
https://datatracker.ietf.org/doc/html/draft-swift-win2k-krb-user2user-03 )
as server-name is decribed as optional, however Windows AD and Samba
both require that the server-name exist and be a valid SPN matching
the provided TGT.
The lookup of SPN -> entry ensures that the SPN the client thought it
was connecting to was held by the target server. it could be the
typical user principal, or a service principal, but needs to be checked
for the client not to be fooled into connecting to the wrong service.
The check is the same as needed for S4U2Self so the same HDB hook is re-used.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
(Similar to Samba commit f08e6ac86226dcd939fd0e40b6f7dc80c5c00e79)
Assists Samba to address CVE-2020-25719
This may be contary to RFC4120 3.3.3 at
https://datatracker.ietf.org/doc/html/rfc4120/#section-3.3.3
(clearer in the GSS mechanism here:
https://datatracker.ietf.org/doc/html/draft-swift-win2k-krb-user2user-03 )
as server-name is decribed as optional, however Windows AD and Samba
both require that the server-name exist and be a valid SPN matching
the provided TGT.
The lookup of SPN -> entry ensures that the SPN the client thought it
was connecting to was held by the target server. it could be the
typical user principal, or a service principal, but needs to be checked
for the client not to be fooled into connecting to the wrong service.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(Similar to Samba commit fd50fecbe99ae4fc63843c796d0a516731a1fe6a)
Assists Samba to address CVE-2020-25719
Passing in target_server as a string principal means that for
an alias we must looking up the DB twice.
This is subject to a race and is a poor use of resources,
so instead just pass in the record we
already got when trying to confirm that the server in
S4U2Self is the same as the requesting client.
We also avoid doing a name comparison if the HDB plugin provides
a validation hook, this allows the HDB layer more freedom
to choose how to handle things.
In Samba AD the client record has already been bound to the the
original client by the SID check in the PAC, so the record is
known to match the ticket.
Likewise by looking up server only once we ensure that the
keys looked up originally (to decrypt) are in the record
we confirm the SID for here.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(Based on Samba commit 05898cfb139ae0674c8251acc9d64c4c3d4c8376)
Instead of always advertising PADATA-ENCRYPTED-CHALLENGE, we only
advertise it if FAST is in use.
We also check configuration options to only advertise
PADATA-ENC-TIMESTAMP if it will be accepted based on whether FAST is
currently in use. This permits the non-RFC behaviour required to avoid
breaking earlier Heimdal clients.
This incorporates changes from Apple Heimdal-597.140.2.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Normally when FAST is used with a TGS-REQ, the armor key is implicitly
derived from the TGT rather than armor being explicitly present, as for
AS-REQs. However, Windows allows a TGS-REQ to be explicitly armored with
a computer's TGT, so that the armor key also depends on the ticket
session key.
This is used for compound identity, where the computer's group
membership and claims are added to the PAC of the resulting ticket.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Samba includes the user's long-term credentials (encrypted in the AS reply key)
to allow legacy authentication protocols such as NTLM to work even if the
pre-authentication mechanism replaced the reply key (as PKINIT does).
Samba also needs to know whether the client explicitly requested a PAC be
included (or excluded), in order to defer PAC exclusion until a service ticket
is issued (thereby avoiding a name binding attack if the user is renamed
between TGT and service ticket issuance).
References:
https://bugzilla.samba.org/show_bug.cgi?id=11441https://bugzilla.samba.org/show_bug.cgi?id=14561Closes: #864
Original authors:
- Joseph Sutton <josephsutton@catalyst.net.nz>
- Andrew Bartlett <abartlet@samba.org>
- Stefan Metzmacher <metze@samba.org>
This lets us call it from Samba.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
[abartlet@samba.org Similar to Samba commit 3bdce12789af1e7a7aba56691f184625a432410d
but also fixed for caller in Heimdal windc plugin tests]
Previously, if left==right==A1_HEADER_LEN(tos), this would read past the
end of the template array. Now we treat [left, right) as a half-open
interval and no longer try to read from 'right'.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Always require a strengthen key to be used if GSS pre-authentication is used
within FAST. TRhis avoids a MITM attack that could result in unintended
privilege escalation, should a KDC add additional positive authorization data
from the armor ticket to the issued ticket.
An upcoming revision of the draft will reflect this.
Import KDC FAST from Apple's Heimdal-597.121.1, adding support for:
- PA-ENC-CHALLENGE
- reply key strengthening
- FAST authentication in TGS
kuser: Apple sync (squash)
krb5_init_creds_store_config/krb5_init_creds_warn_user in kinit
Sync with most changes in AS/TGS client from Apple's Heimdal-597.121.1
(opensource.apple.com).
Changes include:
- FAST support in TGS client
- Refactored pre-auth client to be more easily extensible
- Pin KDC host and AD site name in API calls
Note the completely refactored TGS client loop is not imported as that was
considered too intrusive.
This reverts commit 24a7a82e82.
After further discussion in #863, the alignment (which differs according to
info buffer type) should be handled by the caller.
Decoding a FAST request will only give us the FastOptions flags that are
explicitly declared in the ASN1 source. This meant that the check for
unsupported mandatory options would never succeed, and an unsupported
option would go undetected.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
The reply structure was not being zero-initialised in all cases, leading
to crashes or possible heap corruption on error paths when we later
freed it.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Setting `dns_lookup_realm = false` in `[libdefaults]` and setting name
canon rules that force the empty realm causes destination-TGT delegation
to break because the client doesn't know the service's realm.
Because MIT and Heimdal check that the (unauthenticated plaintext)
sname/realm of the Ticket in the KDC reply matches the sname/srealm in
the enc-part of the KDC reply, we know we can trust the realm of the
ticket found in the ccache. So use that.
Setting `dns_lookup_realm = false` in `[libdefaults]` and setting name
canon rules that force the empty realm causes destination-TGT delegation
to break because the client doesn't know the service's realm.
Because MIT and Heimdal check that the (unauthenticated plaintext)
sname/realm of the Ticket in the KDC reply matches the sname/srealm in
the enc-part of the KDC reply, we know we can trust the realm of the
ticket found in the ccache. So use that.
Samba3 sends an AP-REQ, rather than 8003, checksum in a Kerberos inital context
token. This regressed in #835 as we forgot to set the
KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM flag before processing the AP-REQ
checksum in this path.
SQLite3 defaults to 0644 unless overridden, relying on the process'
umask to make that tighter.
Our in-tree SQLite3 uses 0600 as the permissions for DB files it
creates.
Out-of-tree builds of SQLite3 probably get the 0644 default.
We can't change the umask in libraries -- it's not thread-safe.
So this commit changes the SCC ccache type's default ccname to include
an intermediate directory which is created with `mkdir(2)` with
permissions set to 0700, then it chmods the DB file to 0644.
The in-tree SQLite3 is used for HDB and ccache -- these should have
0600 permissions.
Of course, if we're using an out-of-tree SQLite3, then we need to rely
on the process' umask, but we use SQLite3 in libraries, where we can't
set the umask...
What to do?
TBD:
- On Windows: nothing to do.
- On Unix: if SQLite3 is out of tree then [v]fork() to create the
connection then close, then connect again after??
Or... maybe make sure to create an intermediate directory with 0700
permissions?
'uuid' is seen as an 'unsigned char*', thus '*uuid' is an 'unsigned char' where size is 1.
This solves a problem where two KCM ccaches's uuid have the same first byte hides each other.
What we observe:
* A user cannot discover tickets with (klist -l) but can access it with it's name
* The 'rpc.gssd' daemon is doing the same kind of pattern but using GSS calls (gss_acquire_cred)
Whet GDB told us:
* The 'kcm_ccache_get_uuids' is okay, all ccache are really present
* The 'kcm_ccache_resolve_by_uuid' is buggy, it only compare the first byte of each uuid.
Which may be the same as the one we're seeking. Selected ccache that will be, most probably, filtered-out afterward with a call to 'kcm_access'.
This leads to 'KRB5_FCC_NOFILE' errors while the uuid is correct.
Similar calls may be present.
This reverts commit 936017e4d6,
Samba is starting to protect against bi-di attacks and the starting point
is to require that input files be fully UTF-8. In 2021 this is a reasonable
starting point anyway.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Although not required to address bad code generation in
some versions of gcc 9 and 10, a coding style that requires
explicit comparison of the result to zero before use is
both clearer and would have avoided the generation of bad
code.
This change converts all use of cmp function usage from
```
if (strcmp(a, b) || !strcmp(c, d)) ...
```
to
```
if (strcmp(a, b) != 0 || strcmp(c, d)) == 0
```
for all C library cmp functions and related:
- strcmp(), strncmp()
- strcasecmp(), strncasecmp()
- stricmp(), strnicmp()
- memcmp()
Change-Id: Ic60c15e1e3a07e4faaf10648eefe3adae2543188
As documented in Russell O'Connor's blog, Heimdal when compiled with
some versions of gcc 9 and 10 would generate incorrect behaviors from
_gssapi_verify_mic_arcfour(), _gssapi_unwrap_arcfour(),
_gssapi_unwrap_iov_arcfour() and _gssapi_unwrap_iov_arcfour().
As a result of the bug, code of the form
if (memcmp(a, "\x00\x00\x00\x00"))
and
cmp = memcmp(a, "\x00\x00\x00\x00")
will be compiled as if it were written as
if (strcmp(a, "\x00\x00\x00\x00"))
and
cmp = strcmp(a, "\x00\x00\x00\x00")
but not
if (memcmp(a, "\x00\x00\x00\x00") != 0)
and
cmp = (memcmp(a, "\x00\x00\x00\x00") != 0)
Bad code is generated whenever one of the parameters to memcmp()
is a constant with at least one NUL in the first four octets and
the return value is used immediated without a boolean comparison.
The gcc bug 95189 has since been fixed.
This change applies a defensive programming technique to avoid
the broken code generation.
Change-Id: I1db2a561735317cb6cac66a0ec9caf5443e65e03
Link: https://r6.ca/blog/20200929T023701Z.html
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189
Reported-by: Buck Huppmann (buckh@pobox.com) <buckh@pobox.com>
ad3acc2aef ("lib/gssapi/krb5:
implement gss_[un]wrap_iov[_length] with arcfour-hmac-md5")
introduced a duplicate block of code.
This change removes the unnecessary code duplication.
Change-Id: I557c590aea51b73dc25d6ce4be4ea84b9dfadd9f
krb5tgs.c: In function ‘_kdc_tgs_rep’:
krb5tgs.c:1785:25: warning: ‘header_key’ may be used uninitialized in this function [-Wmaybe-uninitialized]
1785 | &tkey_check->key, &tkey_check->key, tgt, &kdc_issued, &mspac);
| ^~~~~~~~~~~~~~~~
krb5tgs.c:2302:10: note: ‘header_key’ was declared here
2302 | Key *header_key;
| ^~~~~~~~~~
On Ubuntu 20.04 in a default Heimdal build with
gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
The compiler doesn't trust that *header_key = tkey; is always
executed in tgs_parse_request() for ret == 0.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This reverts commit e27e056b45.
e27e056b45 was needed mainly for ENOTSUP.
ENOTSUP is not available in older C run-times.
Also, lib/roken has wrappers for the CRT allocator, but we don't need
those in lib/asn1 because all the functions generated by the compiler
effectively encapsulate the corresponding DLL's CRT's allocator.
This will be followed by a change to not use ENOTSUP.
The plugin interfaces were originally implemented for use on
Unix where KRB5_CALLCONV, HEIM_CALLCONV and similar are defined
as nothing. However, on 32-bit Windows the calling convention
matters and executing a __stdcall function through a __cdecl
function pointer will result in failures.
This change updates the krb5plugin_windc, krb5plugin_service_locate,
krb5plugin_send_to_kdc plugins to specify the KRB5_CALLCONV for
functions. This brings the plugins into compliance with the
heim_plugin_common interface requirement that init() and fini()
use the platform specified HEIM_CALLCONV.
The krb5-plugin(7) man page is updated and the lib/krb5/test_plugin
test is also fixed.
With this change all tests pass on 32-bit Windows.
Change-Id: Ic9d2e1285c9c179e3898dc9d071ed092bcddc406
find_normalize() can under some circumstances read one element
beyond the input array. The contents are discarded immediately
without further use.
This change prevents the unintended read.
Change-Id: Ia2759a5632d64f7fa6553f879b5bbbf43ba3513e
Otherwise, on 32-bit Windows there is a mismatch that and the
ESP register will not be populated correctly.
Prior to this change some exports were ASN1CALL and others
were not. All of the tests assume ASN1CALL.
Change-Id: Icecff44aed4726b86100c939f64628d121bbd7ee
roken ensures the correct headers are used for each platform,
ensures availability of non-portable constants (e.g. ENOTSUP),
and on Windows enforces a consistent source for memory management.
Change-Id: I31aa2935d0af9f3d9529166679d9eff35ccedfad
Reported to Heimdal by Michał Kępień <michal@isc.org>.
From the report:
Acknowledgement
---------------
This flaw was found while working on addressing ZDI-CAN-12302: ISC BIND
TKEY Query Heap-based Buffer Overflow Remote Code Execution
Vulnerability, which was reported to ISC by Trend Micro's Zero Day
Initiative.
We were losing and leaking the reason for which kdc_check_flags() was
rejecting any S4U requests, yielding incomplete error messages.
The issue is that kdc_check_flags() wants to check the client and server
principals in the input state structure, but doesn't know about
impersonated principal name, and so we want to pass it a state structure
that has the impersonated instead of the impersonator client name. This
is a bad design, but I'm ignoring that for now and just fixing this one
leak.
The TGS will issue referrals based on [domain_realm] mappings.
With this change the TGS will also issue referrals based on HDB entry
aliases.
The TGS needed no changes for this, only support in lib/hdb was missing.
All we had to do was return HDB_ERR_WRONG_REALM from hdb_fetch_kvno()
when the given principal is an alias and its canonical name's realm is
different from the alias'.
This feature is important because the KDC currently does not re-read
krb5.conf and must be restarted for changes to e.g., [domain_realm]
mappings to take effect. As well, making krb5.conf changes to all the
KDCs for a realm would need to be arranged. But with aliases in the
HDB, these problems go away.
Relatedly, we should really have an option to store the KDC's entire
configuration in the HDB...
Futures:
- Add support for aliasing of entire namespaces via HDB aliases with
WELLKNOWN namespace name forms. This will round out domain-to-realm
mapping configuration support via HDB.
Deleting an alias causes the HDB_entry_alias entry value encoding to be
written to the iprop log, which later cannot be decoded as an HDB_entry.
Meanwhile, the alias is removed from the HDB but not from the list of
aliases in the canonical principal's HDB entry.
This commit makes deletion of alias names an error.
Sort of. It already knew.
We have a mess where new things get sent to the server as
KRB5_TL_EXTENSION, but old things get sent to the client as whatever
appropriate KRB5_TL we have, and... we call perform_tl_data() on all TL,
but we don't remove unmodified TL on the client side, and...
Anyways. This commit is a band-aid, but it works.
Fix _gss_spnego_set_sec_context_option() to return GSS_S_UNAVAILABLE if no
context handle is provided, so that mechglue will skip to the next mechanism.
There are no globally settable options on SPNEGO itself.
Fixes: #803
When generating an AS-REQ, the TGS signature was incorrectly generated using
the server key, which would fail to validate if the server was not also the
TGS. Fix this.
Patch from Isaac Bourkis <iboukris@gmail.com>.
The principal in the PAC_LOGON_NAME buffer is expected to match the client name
in the ticket. Previously we were setting this to the canonical client name,
which would have broken PAC validation if the client did not request name
canonicalization
split_spec() should free output parameters if it fails. This was not a leak in
practice because its single caller cleaned up anyway, but cleaning up for good
hygiene.
RFC4120 says KRB5KDC_ERR_SUMTYPE_NOSUPP should be returned if the KDC does not
support a given checksum type. Return this instead of KRB5_PROG_SUMTYPE_NOSUPP
by introducing a new wrapper function, _kdc_verify_checksum().
Make keyed checksums mandatory when generating and verifying checksums, with
the following exceptions:
* the checksum is being generated or verified as part of encrypting data for
a legacy (DES) encryption type
* the KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM flag was set on the crypto
context, used to allow unkeyed checksums in krb5 authenticators
By making unkeyed checksums opt-in, we eliminate a class of potential
vulnerabilities where callers could pass unkeyed checksums.
Any code that uses the mandatory checksum type for a given non-legacy
encryption type should not be affected by this change. It could potentially
break, say, a client trying to do FAST with DES keys but, that should not be
supported (because FAST KDCs also support AES).
Closes: #835
Split Windows PAC signing and verification logic, as the signing has to be when
the ticket is ready.
Create sign and verify the PAC KDC signature if the plugin did not, allowing
for S4U2Proxy to work, instead of KRB5SignedPath.
Use the header key to verify PAC server signature, as the same key used to
encrypt/decrypt the ticket should be used for PAC server signature, like U2U
tickets are signed witht the tgt session-key and not with the longterm key,
and so krbtgt should be no different and the header key should be used.
Lookup the delegated client in DB instead of passing the delegator DB entry.
Add PAC ticket-signatures and related functions.
Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests
against new KDC will not work if the evidence ticket was acquired from
an old KDC, and vide versa.
Closes: #767
KRB5SignedPath was a Heimdal-specific authorization data element used to
protect the authenticity of evidence tickets when used in constrained
delegation (without a Windows PAC).
Remove this, to be replaced with the Windows PAC which itself now supports
signing the entire ticket in the TGS key.
This was broken with KRB5SignedPath but now that we switch to PAC
we get it fixed without KDC changes, so we can just test it.
See also PR #599 from where these tests were taken.
krb5_enomem() was lacking a calling convention decoration, breaking Windows
consumers if __cdecl was not the default calling convention. Add KRB5_LIB_CALL
to make it consistent with other library functions.
Closes: #834
When validating the KDC-REQ-BODY checksum introduced in 0ed4d90a, don't leak
the sec_context_token retrieved from the FX-COOKIE if checksum verifications
fails.
Add a new krbhst type, KRB5_KRBHST_TKTBRIDGEAP to krb5_krbhst_init_flags(),
that looks for the DNS SRV record kerberos-tkt-bridge. This is to support a new
PADL project.
Whilst channel bindings are used to bind the KDC-REQ-BODY to the GSS-API
context, we need to also bind the KDC-REQ-BODY across multiple requests in a
pre-authentication conversation.
Do this by making a digest of the first KDC-REQ-BODY (with the nonce zeroed, as
this may change), and verifying it in each subsequent request.
Add unkeyed checksum types for SHA-256, SHA-384 and SHA-512, for future
internal use. They are assigned private (negative) checksum types and must
never appear in cleartext on the wire.
This reverts commit 34b374b5e4.
We are revising the GSS-API pre-authentication draft to include the nonce from
the first request in the GSS channel bindings, to avoid re-encoding issues that
may surface with Kerberos implementations that do not correctly implement DER.
To comply with the latest POSIX standard, in Yacc compatibility mode
(options `-y`/`--yacc`) Bison now generates prototypes for yyerror and
yylex. In some situations, this is breaking compatibility: if the user
has already declared these functions but with some differences (e.g., to
declare them as static, or to use specific attributes), the generated
parser will fail to compile. To disable these prototypes, #define yyerror
(to `yyerror`), and likewise for yylex.
refer: https://git.savannah.gnu.org/cgit/bison.git/tree/NEWS
GNU Bison 3.8
Zero nonce before encoding KDC-REQ-BODY to be used as channel binding
application data in GSS-API pre-authentication. This is because the nonce may
change between AS-REQs and the channel binding data should be invariant between
calls to GSS_Init_sec_context().
If clang-format is not available, AC_CHECK_PROG sets CLANG_FORMAT=no,
not empty string. This results in an error at build time for those
without clang-format installed. Instead check if the program is
executable.
Correctly implement gss_krb5_ccache_name() in terms of
gss_set_sec_context_option(GSS_KRB5_CCACHE_NAME_X). The previous implementation
was a NOOP.
Note: global ccache name should really be thread-specific rather than global.
Closes#803.
Add a sample GSS preauth authorization plugin, which will be built and
installed if OpenLDAP is available, but otherwise not enabled (by virtue of not
being installed into the plugin directory).
The plugin authorizes federated GSS preauth clients by querying an Active
Directory domain controller for the altSecurityIdentities attribute.
Once the user entry is found, the name is canonicalized by reading the
sAMAccountName attribute and concatenating it with the KDC realm.
We do not need to zero out the local variable output_token
if we do not later call gss_release_buffer() on it.
This aovids a -Werror=address compile failure under the
strict compiler options Samba uses when compiled on Ubuntu
20.04 with gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
In file included from ../../source4/heimdal/lib/gssapi/preauth/pa_client.c:34:
../../source4/heimdal/lib/gssapi/preauth/pa_client.c:148:21: error: the address of ‘output_token’ will always evaluate as ‘true’ [-Werror=address]
148 | _mg_buffer_zero(&output_token);
| ^
../../source4/heimdal/lib/gssapi/mech/mech_locl.h:72:7: note: in definition of macro ‘_mg_buffer_zero’
72 | if (buffer) { \
| ^~~~~~
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
The DC (domainComponent) attribute wants to be an IA5String.
This really doesn't matter, but if we want to conform to the spec (RFC 4519,
referenced by RFC 5280), then we have to do this.
If GSS_Accept_sec_context() returns an error status and error token, ensure we
include the error token in the PA-GSS padata in the KRB-ERROR reply, rather
than bailing out early.
When importing a Kerberos name for GSS pre-auth, first try to import the name
as GSS_KRB5_NT_PRINCIPAL_NAME. If that fails, fall back to GSS_C_NT_USER_NAME.
The target (acceptor) name for GSS-API pre-authentication should be the name of
the TGS, not the server name in the AS-REQ, as it is the KDC which is being
mutually authenticated. If the client is not requesting a TGT, they may differ.
Add support for GSS-API pre-authentication to the KDC, using a simplified
variation of draft-perez-krb-wg-gss-preauth-02 that encodes GSS-API context
tokens directly in PADATA, and uses FX-COOKIE for state management.
More information on the protocol and implementation may be found in
lib/gssapi/preauth/README.md.
Windows 32-bit builds were broken as the ASN1CALL calling convention
macro was not included in the output of gen_template.c, only in the
generated header.
Fix merge issue introduced in ef1d63a9 which did not update the call
site after updating the _krb5_make_fast_ap_fxarmor() prototype to take
the realm (used in the anonymous PKINIT case).
RFC 6113 5.4.2 says that when hiding client names in the outer reply of a FAST
response, the wellknown anonymous principal MUST be used.
The previous implementation returned an empty client name and realm, which may
not be expected by some clients.
The functions for storing and retrieving GSS OIDs and buffers from
krb5_storage, added in 6554dc69, are generally useful. Move those into private
_gss_mg_XXX() API and update gss_{export,import}_{cred,sec_context} to use them
where appropriate.
Code style/consistency: store_negoex_auth_mech() should free the exported
context buffer after use. There is no leak as the buffer was freed at the end
of the function.
krb5_addlog_func() is used by Samba to obtain Kerberos log messages
and place them into the Samba logs.
Providing a hook down to the heim_addlog_func() is less disruptive
than needing to call multiple different APIs as Samba compiles
both with an included copy of Heimdal and against a system
Heimdal (when not an AD DC).
This API was deprecated and stubbed out in March 2020 by ea90ca8 and was
previously stable until 0c86917 (which looks like it should have been part of
e44c680).
Despite the need for the extra argument, which we add a test for, Samba would
prefer to keep the krb5_addlog_func() facility, so this adds it back.
Signed-off-by: Andrew Bartlett abartlet@samba.org
This is to match the Windows KDC behaviour, optionally.
Samba will use this mode, as Samba has tests that show
the difference and is keen for bug-for-bug/byte-for-byte
rather than strict RFC compliance where there is a
reasonable choice.
The Samba test (for reference) is
samba.tests.krb5.as_canonicalization_tests
The behaviour was changed in:
commit de1f37a6aa
Author: Luke Howard <lukeh@padl.com>
Date: Mon Jan 7 15:45:36 2019 +1100
kdc: omit default salt from PA-ETYPE-INFO[2]
If the salt for the AS-REP client key matches the default password salt for the
client principal in the AS-REQ, then it can be omitted from the PA-ETYPE-INFO,
PA-ETYPE-INFO2 (RFC4120) as the client will assume the default salt in its
absence.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This function became used outside the protection of
HAVE_DLOPEN (which Samba sets) with:
commit 5966c00701
Author: Luke Howard <lukeh@padl.com>
Date: Sun Aug 8 10:34:28 2021 +1000
gss: add gss_mg_name_to_oid internal API
Add a new function for future internal use, gss_mg_name_to_oid(), which takes
either a dot-separated OID or a "short" mechanism name (such as
"sanon-x25519"), and returns a mechanism OID.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
gss_{import,export}_sec_context did not work with partially accumulating
contexts, where the initial context token had not been completely accumulated,
Further, in gss_import_sec_context(), ctx->gc_input.value was not allocated to
a buffer sufficiently large to accumulate the target length.
The recently introduced gss_mg_name_to_oid() function supported looking up
dynamically loaded mechanisms by name, but did not support partial matches or
the legacy "Kerberos 5" name as supported by gss_name_to_oid().
Consolidate these into a single function, and also add support for dynamically
loaded mechanisms to gss_oid_to_name().
API behavior difference: the Kerberos mechanism is now referred to by "krb5"
rather tha "Kerberos 5", although for legacy compatibility gss_name_to_oid()
will recognize the old name. However, gss_oid_to_name() will return "krb5". The
anticipated impact is minimal as these are not standard GSS-APIs and do not
appear to have any public usage outside Heimdal.
Add a new function for future internal use, gss_mg_name_to_oid(), which takes
either a dot-separated OID or a "short" mechanism name (such as
"sanon-x25519"), and returns a mechanism OID.
Support for exporting partially established acceptor context tokens. With this,
an acceptor can send the initiator an encrypted state cookie containing the
exported context token.
(The concrete mechanism, of course, must either require a single round trip or
support partial context export itself. Kerberos and GSS EAP would work, but
Kerberos with GSS_C_DCE_STYLE would not, as currently implemented.)
Partial context export is not permitted for initiators.
Microsoft will sometimes split GSS tokens when they exceed a certain
size in some protocols. This is specified in
[MS-SPNG]: Simple and Protected GSS-API Negotiation
Mechanism (SPNEGO) Extension
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SPNG/%5bMS-SPNG%5d.pdf
sections 3.1.5.4 to 3.1.5.9.
We extend gss_accept_sec_context() to recognise partial tokens and
to accumulate the fragments until an entire token is available to
be processed. If the entire token is not yet available,
GSS_S_CONTINUE_NEEDED is returned with a zero length output token.
This is specified in RFC2744 page 25-26 to indicate that no reply
need be sent.
We include updates to the test framework to test split tokens when
using SPNEGO.
When using these functions with gss_init_sec_context(), we noticed
that some things were missing and some needed to be made optional.
ctx->order may be NULL, ctx->ac->authenticator needs to be filled
out, and ctx->state needs be stored.
Note: SPNEGO still needs a little more work.
Store a data blob to the storage. The data is stored with an int32 as
length plus the data (not padded). This function only differs from
krb5_store_data() insofar as it takes a void * and a length as parameters.
Patch from Roland C. Dowdeswell <elric@imrryr.org>
SAnon includes channel bindings as part of the key derivation function, so they
cannot be ignored. Always set GSS_C_CHANNEL_BOUND_FLAG in the SAnon acceptor.
Windows does not check the password on an account that has been locked.
Heimdal does not implement locked_out, however the Samba hdb
backend does, and needs this checked before passwords (for bad
password lockout), not after in kdc_check_access().
Based on work to update Samba to current Heimdal by
Gary Lockyer <gary@catalyst.net.nz> and including cherry-pick of
Samba commit 580a705b83014e94556b9d5a8877406816e02190 which noted
that we need to return KRB5KDC_ERR_CLIENT_REVOKED to match Windows.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Samba has a different lookup path for krbtgt/ principals.
armor_server is in this case the same as the server in a normal
TGS-REQ, just inside the FAST armor, so needs to have the same
lookup properties as the TGS-REQ does.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
For Samba the fast key is not stored in the replicated DB, so
this helps Samba find it in the Samba hdb module.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
According to #788, Windows clients expect a revoked error to be returned if the
client or service is locked out, rather than a generic policy error. This
should not affect non-Windows paths as the locked_out HDB entry flag is
otherwise not used by Heimdal.
In a strict Samba build with -Werror=strict-overflow on Ubuntu 18.04
with gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
we see
../../source4/heimdal/lib/roken/resolve.c: In function ‘rk_dns_srv_order’:
../../source4/heimdal/lib/roken/resolve.c:639:7: error: assuming signed overflow does not occur when simplifying conditional to constant [-Werror=strict-overflow]
if(num_srv == 0)
^
cc1: all warnings being treated as errors
This avoids the issue by additionally setting a distinct flag.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
In acquire_mech_cred(), treat a credential store with no elements as equivalent
to GSS_C_NO_CRED_STORE, allowing a mechanism's gss_acquire_cred()
implementation to be called.
GM_USE_MG_NAME was not honored in the case where the mechanism emitted a name,
but the caller of gss_accept_sec_context() did not request it be returned. This
would result in m->gm_release_name() being called on the mechglue name, which
would crash either because that function pointer was NULL or because it would
have expected a mechanism name.
To avoid future regressions such as the one corrected in 0dd19003, make
IS_DCE_STYLE() an inline function (rather than a macro) so that its
argument is typed.
4b543b7 introduced a regression in the krb5 mechanism's gss_unwrap for
DCE applications, owing to IS_DCE_STYLE() being called with a krb5
instead of mechanism context handle.
On Ubuntu 20.04 with gcc version 9.3.0 during a strict
Samba build with -Werror=maybe-uninitialized we get:
../../source4/heimdal/lib/hdb/hdb.c: In function ‘hdb_create’:
../../source4/heimdal/lib/hdb/hdb.c:831:13: error: ‘ret’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
831 | if (*db && ret == 0)
| ~~~~^~~~~~~~~~~
cc1: all warnings being treated as errors
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
On Ubuntu 20.04 with gcc version 9.3.0 in a Samba compile
using -Wdiscarded-qualifiers and -Werror we get:
../../source4/heimdal/kdc/kerberos5.c:2516:21: warning: passing argument 2 of ‘_kdc_set_e_text’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
2516 | _kdc_set_e_text(r, "Client have no reply key");
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
../../source4/heimdal/kdc/kerberos5.c:428:42: note: expected ‘char *’ but argument is of type ‘const char *’
428 | _kdc_set_e_text(astgs_request_t r, char *fmt, ...)
| ~~~~~~^~~
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
73debbc166 accidentially reverted
the critical part of 040a093654,
presumably during conflict resolution.
Found by a strict Samba compile during import of current Heimdal.
See #780
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Combined with the synthetic_clients feature, this will allow hosts that
have a PKINIT-worthy client certificate with a SAN with their host
principals to create their own principals and "extract" their host
keytabs. Together with some other PKIX credential bootstrapping
protocol, this can help hosts bootstrap Kerberos host credentials.
Samba compiles Heimdal internally without HAVE_DLOPEN to keep
to internally supplied mechanisms and plugins.
Samba compiles with strict warning flags and on Ubuntu 20.04
with gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04) we see:
../../source4/heimdal/lib/gssapi/mech/gss_mech_switch.c: In function ‘_gss_load_mech’:
../../source4/heimdal/lib/gssapi/mech/gss_mech_switch.c:462:1: error: label ‘out’ defined but not used [-Werror=unused-label]
462 | out:
| ^~~
cc1: all warnings being treated as errors
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
When b->kdc_options.enc_tkt_in_skey is set, the variable 'spn'
provided to verify_flags() for the purpose of logging is not
yet set, it is still NULL from the initialiser.
On Samba we see, when compiling with -O3 and strict warning rules with
gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04):
$ make -k
PYTHONHASHSEED=1 WAF_MAKE=1 ./buildtools/bin/waf build
Waf: Entering directory `/home/abartlet/heimdal-import/samba/bin/default'
Selected embedded Heimdal build
[2822/4527] Compiling source4/heimdal/kdc/krb5tgs.c
In function ‘verify_flags’,
inlined from ‘verify_flags’ at ../../source4/heimdal/kdc/krb5tgs.c:625:1,
inlined from ‘tgs_build_reply.isra.0’ at ../../source4/heimdal/kdc/krb5tgs.c:1671:8:
../../source4/heimdal/kdc/krb5tgs.c:635:2: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
635 | kdc_log(context, config, 4, "Ticket not valid (%s)", pstr);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘verify_flags’,
inlined from ‘tgs_build_reply.isra.0’ at ../../source4/heimdal/kdc/krb5tgs.c:1671:8:
../../source4/heimdal/kdc/krb5tgs.c:631:2: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
631 | kdc_log(context, config, 4, "Ticket expired (%s)", pstr);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Essentially, with an optimising compiler, the funciton is inlined
and the compiler notices that the kdc_log() argument is always NULL.
Based on patches by Stefan Metzmacher <metze@samba.org>
in his master-heimdal branch at:
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=2ac326b9cb8f896f874edfa6725f087034270322#patch2https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master-heimdal
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Sorting the units fixes a bug introduced in:
ae8908bf8 kadmin: Add disallow-client attribute
that I had fixed via:
f6ac4ee86 roken: Fix parse flags bug
which wasn't a bug at all.
This is useful for services that need not be clients. For example, an
untrusted service that need only accept authentication from clients,
but not initiate authentication to other services.
krb5_get_next() and krb5_get_cache_next() do not check for krb5_kcm_call()
returning non-zero before accessing the repsonse data; they only handle the
case where the return value is KRB5_CC_END.
Return immediately if the return value of krb5_kcm_call() is not KRB5_CC_END or
0. This was fixed in the Apple code.
Some compilers with -Wstring-concatenation enabled warned about a suspicious
concatenation of string literals in the initialization of the GSS-API error
message array.
At the expense of a long line, avoid this warning but explicitly concatenating
the offending string literal.
Fixes: #775
vis.h is not built on platforms (such as macOS) that already have
that header, which resulted in prototypes for Heimdal-specific
vis.h extensions being absent.
Move those prototypes to a separate header, vis-extras.h, which
must be explicitly included in order to use the Heimdal extensions.
- Don't log "Request from wrong address (ignoring)".
- Add "wrongaddr=yes" kv to final log message.
- Add request and ticket addresses (up to 3) to final log message.
If a DB does not already exist, ipropd-slave will use the compiled
default, which is not necessarily what is desired or configured in
`[kdc]`.
This change makes `hdb_default_db()` return the first dbanme in the
`[kdc]` configuration, falling back on `HDB_DEFAULT_DB`.
Also, this adds a `--database` option to `ipropd-slave`.
The codegen backend is faster than the template backend, even for
modules that don't use IOS. On x64 we see the template backend being
4% slower for TGS requests using the kdc-tester program.
So let's build both, libasn1 (codegen) and libasn1template when
configured with --disable-asn1-templating, but make sure that the
asn1_print utility is linked with libasn1template.
Eventually we'll want to either optimize the template backend better,
or add IOS and JSON printing support to the codegen backend.
While Ken Hornstein's FAQ was useful in its day, much of its content
is no longer relevant (e.g., Kerberos 4) or even actively harmful
(e.g., the latest version of MIT krb5 is not 1.2.1). It was also
somewhat MIT-krb5-focused, especially relating to configuration file
snippets, which is not necessarily a great fit for the Heimdal
documentation.
Replace it with a tutorial hosted on kerberos.org and the classic
"dialogue" from Bill Bryant.
Fixes: #766
This adds support for using a Heimdal-specific PKIX extension to derive
a maximum Kerberos ticket lifetime from a client's PKINIT certificate.
KDC configuration parameters:
- pkinit_max_life_from_cert_extension
- pkinit_max_life_bound
If `pkinit_max_life_from_cert_extension` is set to true then the
certificate extension or EKU will be checked.
If `pkinit_max_life_bound` is set to a positive relative time, then that
will be the upper bound of maximum Kerberos ticket lifetime derived from
these extensions.
The KDC config `pkinit_ticket_max_life_from_cert` that was added earlier
has been renamed to `pkinit_max_life_from_cert`.
See lib/hx509 and lib/krb5/krb5.conf.5.
This adds support for using a Heimdal-specific PKIX extension to derive
a maximum Kerberos ticket lifetime from a client's PKINIT certificate:
- a `--pkinit-max-life` to the `hxtool ca` command
- `hx509_ca_tbs_set_pkinit_max_life()`
- `hx509_cert_get_pkinit_max_life()`
- `HX509_CA_TEMPLATE_PKINIT_MAX_LIFE`
There are two extensions. One is an EKU, which if present means that
the maximum ticket lifetime should be derived from the notAfter minus
notBefore. The other is a certificate extension whose value is a
maximum ticket lifetime in seconds. The latter is preferred.
MSFT makes the `q` field of `DomainParameters` OPTIONAL even though it's
actually required. We currently validate DH groups not by validating
that p is a Sophie Germain prime but by checking the proposed group
against a compiled-in list and against a krb5.moduli file, therefore we
don't need q. Besides, for Oakley groups, because p is a Sophie Germain
prime, we'd have q=p/j and j=2, so we can always compute q as needed
(and MIT Kerberos does).
A common complaint about hxtool(1) is that if one fails to add a TYPE:
prefix to a CSR or certificate/private key store names, then hxtool
fails somewhat inscrutably. We can't just fix hx509_certs_init() or
hx509_certs_append() because they default to "MEMORY" so who knows what
might break. Instead we fix all uses of user-provided store names in
hxtool to have a FILE: prefix if no type was given. For CSRs we'll
default to adding the only type prefix supported, "PKCS10".
This adds a KDC configuration parameter that can be used to indicate
that a PKINIT client's certificate's notAfter overrides the client
principal's HDB entry's max_life. This parameter is a relative time
parameter, and it enables this only if set to a non-zero value (defaults
to zero). The value of this parameter caps the max_life inferred from
the certificate.
autoconf-2.70 and newer are more strict with quoting etc. and thus generate
a broken configure file:
configure: 20855: Syntax error: ")" unexpected (expecting "fi")
Gentoo-bug: https://bugs.gentoo.org/776241
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
We need to revisit a lot of code in lib/hx509/, lib/krb5/, and kdc/ now
that the ASN.1 compiler properly handles IMPLICIT tagging. And we
should take advantage of automatic open type handling.
Add a `lifetime=NUMunit` query parameter.
Also add a krb5.conf parameter to indicate whether this is allowed.
We already have a max lifetime configuration parameter.
The TCG EK cert profile says that the context tags in the
TPMSecurityAssertions type are IMPLICIT. The sample EK cert we have
has them as EXPLICIT.
What to do?
The value we initialize a CHOICE's `element` enum field to, prior to
decoding the CHOICE value, needs be one that does not cause
`asn1_free()` to do anything since we've not done anything yet either.
Should always run AFL before pushing changes to the ASN.1 compiler or
template interpreter!
Still fuzzing. There are crashers in the _asn1_print() path, though
right now they cannot affect anything else in Heimdal other than
asn1_print, since that's the only thing calling it yet.
For now we just add new types that can auto-decode through open types
in CSRs, but we leave the originals as they were to avoid having to
update lib/hx509/req.c for now.
Our asn1_print, like OpenSSL's, just knows how to parse and dump DER.
Ours can attempt to decode OCTET STRING and IMPLICIT-tagged constructed
values as DER, which is very useful.
But _now_ it's even better. Now it knows about all types exported from
all ASN.1 modules in `lib/asn1/` in Heimdal, and if told to print as
some type, it will use the new printing interface to print JSON-like
representations of values:
```
$ ./asn1_print /tmp/t490/ek2.crt Certificate |
jq '.tbsCertificate.extensions[3]._extnValue[]._values'
[
{
"_type": "TPMSpecification",
"family": "2.0",
"level": "0",
"revision": "138"
}
]
[
{
"_type": "TPMSecurityAssertions",
"version": "0",
"fieldUpgradable": true,
"ekGenerationType": "655617",
"ekGenerationLocation": "655616",
"ekCertificateGenerationLocation": "655616",
"ccInfo": {
"_type": "CommonCriteriaMeasures",
"version": "3.1",
"assurancelevel": "4",
"evaluationStatus": "2",
"plus": true,
"strengthOfFunction": null,
"profileOid": null,
"profileUri": null,
"targetOid": null,
"targetUri": null
},
"fipsLevel": {
"_type": "FIPSLevel",
"version": "140-2",
"level": "2",
"plus": false
},
"iso9000Certified": false,
"iso9000Uri": null
}
]
```
Status:
- And it works!
- We have an extensive test based on decoding a rich EK certficate.
This test exercises all of:
- decoding
- encoding with and without decoded open types
- copying of decoded values with decoded open types
- freeing of decoded values with decoded open types
Valgrind finds no memory errors.
- Added a manual page for the compiler.
- rfc2459.asn1 now has all three primary PKIX types that we care about
defined as in RFC5912, with IOS constraints and parameterization:
- `Extension` (embeds open type in an `OCTET STRING`)
- `OtherName` (embeds open type in an `ANY`-like type)
- `SingleAttribute` (embeds open type in an `ANY`-like type)
- `AttributeSet` (embeds open type in a `SET OF ANY`-like type)
All of these use OIDs as the open type type ID field, but integer
open type type ID fields are also supported (and needed, for
Kerberos).
That will cover every typed hole pattern in all our ASN.1 modules.
With this we'll be able to automatically and recursively decode
through all subject DN attributes even when the subject DN is a
directoryName SAN, and subjectDirectoryAttributes, and all
extensions, and all SANs, and all authorization-data elements, and
PA-data, and...
We're not really using `SingleAttribute` and `AttributeSet` yet
because various changes are needed in `lib/hx509` for that.
- `asn1_compile` builds and recognizes the subset of X.681/682/683 that
we need for, and now use in, rfc2459.asn1. It builds the necessary
AST, generates the correct C types, and generates templating for
object sets and open types!
- See READMEs for details.
- Codegen backend not tested; I won't make it implement automatic open
type handling, but it should at least not crash by substituting
`heim_any` for open types not embedded in `OCTET STRING`.
- We're _really_ starting to have problems with the ITU-T ASN.1
grammar and our version of it...
Type names have to start with upper-case, value names with
lower-case, but it's not enough to disambiguate.
The fact the we've allowed value and type names to violate their
respective start-with case rules is causing us trouble now that we're
adding grammar from X.681/682/683, and we're going to have to undo
that.
In preparation for that I'm capitalizing the `heim_any` and
`heim_any_set` types, and doing some additional cleanup, which
requires changes to other parts of Heimdal (all in this same commit
for now).
Problems we have because of this:
- We cannot IMPORT values into modules because we have no idea if a
symbol being imported refers to a value or a type because the only
clue we would have is the symbol's name, so we assume IMPORTed
symbols are for types.
This means we can't import OIDs, for example, which is super
annoying.
One thing we might be able to do here is mark imported symbols as
being of an undetermined-but-not-undefined type, then coerce the
symbol's type the first time it's used in a context where its type
is inferred as type, value, object, object set, or class. (Though
since we don't generate C symbols for objects or classes, we won't
be able to import them, especially since we need to know them at
compile time and cannot defer their handling to link- or
run-time.)
- The `NULL` type name, and the `NULL` value name now cause two
reduce/reduce conflicts via the `FieldSetting` production.
- Various shift/reduce conflicts involving `NULL` values in
non-top-level contexts (in constraints, for example).
- Currently I have a bug where to disambiguate the grammar I have a
CLASS_IDENTIFIER token that is all caps, while TYPE_IDENTIFIER must
start with a capital but not be all caps, but this breaks Kerberos
since all its types are all capitalized -- oof!
To fix this I made it so class names have to be all caps and
start with an underscore (ick).
TBD:
- Check all the XXX comments and address them
- Apply this treatment to Kerberos! Automatic handling of authz-data
sounds useful :)
- Apply this treatment to PKCS#10 (CSRs) and other ASN.1 modules too.
- Replace various bits of code in `lib/hx509/` with uses of this
feature.
- Add JER.
- Enhance `hxtool` and `asn1_print`.
Getting there!
This is a much better and more complete implementation of POSIX RTLD
functions than what we had. In particular this gets us a more complete
`dladdr()` implementation.
This adds enough support for SET { ... } types to the template backend
to allow the X.690 sample test to be run with the template backend.
Limitations:
- For DER encoding, the SET { ... } members must be manually sorted by
the module author.
- Decoding of out-of-order encodings (BER) is not supported at this
time.
These shortcomings will be addressed later.
Note that because we don't parse IMPORTed modules at this time, we can't
sort SET { ... } members at compile time if any of them out an
outer-most tag that the compiler cannot see without learning to parse
IMPORTed modules.
The regular ASN.1 compiler does NOT sort SET { ... } types' members by
tag, though it should. It cannot because if a field is of an untagged
imported type, then the compiler won't know the field's tag because the
compiler does not read and parse IMPORTed modules. At least the regular
ASN.1 compiler does handle out-of-order encodings on decode.
The template ASN.1 compiler did not even support SET { ... } types at
all. With this commit the template ASN.1 compiler does, but still it
does not sort members on encode, and it does not decode out-of-
[definition-]order encodings.
A proper fix to these issues will require run-time sorting of SET
members on encode. An even better fix will require making the compiler
able to read and parse more than one module in one run, that way it can
know all the things about IMPORTed types that it currently leaves to
run-time.
Now that the ASN.1 compiler properly supports IMPLICIT tagging of named
CHOICE types (meaning: treat them as EXPLICIT tags), we can remove one
workaround for that.
The template compiler was applying IMPLICIT tags to CHOICE types. This
is very wrong, as the tag of a CHOICE's taken choice cannot be replaced
without making it impossible to figure out what the choice was. An
example of this is GeneralName's directoryName, which is an IMPLICIT-
tagged CHOICE.
Separately, the non-template compiler was requiring inlining of
IMPLICIT-tagged CHOICEs, which also happens in GeneralName's
directoryName case:
```
205 Name ::= CHOICE {
206 rdnSequence RDNSequence
207 }
...
287 GeneralName ::= CHOICE {
288 otherName [0] IMPLICIT -- OtherName --
SEQUENCE {
289 type-id OBJECT IDENTIFIER,
290 value [0] EXPLICIT heim_any
291 },
292 rfc822Name [1] IMPLICIT IA5String,
293 dNSName [2] IMPLICIT IA5String,
294 -- x400Address [3] IMPLICIT ORAddress,--
--->295 directoryName [4] IMPLICIT -- Name -- CHOICE
{
296 rdnSequence RDNSequence
297 },
298 -- ediPartyName [5] IMPLICIT EDIPartyName, --
299 uniformResourceIdentifier [6] IMPLICIT IA5String,
300 iPAddress [7] IMPLICIT OCTET STRING,
301 registeredID [8] IMPLICIT OBJECT IDENTIFIER
302 }
```
Anyways, that's fixed now, though changing that will require making
corresponding changes to `lib/hx509/`.
We're getting closer to parity between the two compilers. The template
compiler is still missing support for `SET { ... }` types. Speaking of
`SET { ... }`, the regular compiler generates code that uses `qsort()`
to sort the encoded values values of the members of such a set, but this
seems silly because the order of members is knowable at compile time, as
for DER and CER the order by the tags of the members, from lowest to
highest (see X.690, section 9.3 and X.680, section 8.6). As it happens
using `qsort()` on the encodings of the members works, but it would be
be better to sort in `lib/asn1/asn1parse.y` and then not have to bother
anywhere else. Sorting SETs at definition time will help keep the
tamplate compiler simple. Not that we _need_ `SET { ... }` for anything
in-tree other than the X.690 sample...
While we're at it, let's note that the core of PKIX from the RFC
2459/3280/5280/5912 consists of *two* ASN.1 modules, one with
default-EXPLICIT tags, and one with default-IMPLICIT tags, and
Heimdal has these merged as a default-EXPLICIT tags module in
`lib/asn1/rfc2459.asn1`, with `IMPLICIT` added in by hand in all the
tags in the default-IMPLICIT tagged module. This fixes one recently
added type from PKIX that didn't have `IMPLICIT` added in manually!
Finally. We're almost at parity for the template compiler.
Now we have a build option to use templating:
`./configure --enable-asn1-templating`
Tests fail if you build `rfc2459.asn1` with `--template`.
TBD: Figure out what differences remain between the two compilers, and
fix the templating compiler accordingly, adding tests along the
way.
Making IMPLICIT tags work in the templating compiler turned out to be a
simple fix: don't attempt to do anything clever about IMPLICIT tags in
the template generator in the compiler other than denoting them --
instead leave all the smarts about IMPLICIT tags to the interpreter.
This might be a very slight pessimization, but also a great
simplification.
The result is very elegant: when the interpreter finds an IMPLICIT
tag it then recurses to find the template for the body of the type
so-tagged, and evaluates that. Much more elegant than the code
generated by the non-template compiler, not least for not needing
any additional temporary memory allocation.
With this we finally have parity in basic testing of the template
compiler. Indeed, for IMPLICIT tags the template compiler and
interpreter might even be better because they support IMPLICIT tags
with BER lengths, whereas the non-template compiler doesn't (mostly
because `der_replace_tag()` needs to be changed to support it.
And, of course, the template compiler is simply superior in that it
produces smaller code and is *much* easier to work with because the
functions to interpret templates are small and simple. Which means we
can add more functions to deal with other encoding rules fairly
trivially. It should be possible to add all of these with very little
work, almost all of it localized to `lib/asn1/template.c`:
- PER Packed Encoding Rules [X.691]
- XER XML Encoding Rules [X.693]
- OER Octet Encoding Rules [X.696] (intended to replace PER)
- JER JSON Encoding Rules [X.697] (doubles as visual representation)
- GSER Generic String E.R.s [RFC3641] (a visual representation)
- XDR External Data Repr. [STD67][RFC4506]
(XDR is *not* an ASN.1 encoding rules specification, but it's a
*lot* like PER/OER but with 4-octet alignment, and is specified
for the syntax equivalent (XDR) of only a subset of ASN.1 syntax
and semantics.)
All we'd have to do is add variants of `_asn1_{length,encode,decode}()`
for each set of rules, then generate per-type stub functions that call
them (as we already do for DER).
We could then have an encoding rule transliteration program that takes a
`TypeName` and some representation of a value encoded by some encoding
rules, and outputs the same thing encoded by a different set of rules.
This would double as a pretty-printer and parser if we do add support
for JER and/or GSER. It would find the template for the given type
using `dlsym()` against some shared object (possibly `libasn1` itself).
Whereas generating source code for C (or whatever language) for
additional ERs requires much more work. Plus, templates are much
smaller, and the interpreter is tiny, which yields much smaller text and
much smaller CPU icache/dcache footprint, which yields better
performance in many cases.
As well, the template system should be much easier to port to other
languages. Though in the cases of, e.g., Rust, it would require use of
`unsafe` in the interpreter, so in fact the inverse might be true: that
it's easier to generate safe Rust code than to implement a template
interpreter in Rust. Similarly for Haskell, OCAML, etc. But wherever
the template interpreter is easy to implement, it's a huge win.
Note that implementing OER and PER using the templates as they are
currently would be a bit of a challenge, as the interpreter would have
to first do a pass of each SEQUENCE/SET to determine the size and
layout of the OER/PER sequence/set preamble by counting the number of
OPTIONAL/DEFAULT members, BOOLEAN members, and extensibility markers
with extensions present. We could always generate more entries to
encode precomputed preamble metadata. We would also need to add a
template entry type for extensibility markers, which currently we do
not.
The earlier fixes to the ASN.1 compiler for IMPLICIT tags did not
include the template interpreter.
TBD:
- TESTImplicit encoding/decoding still fails due to a bug in the
template generator.
- There are missing cases in the template interpreter. See XXX
comments.
`lib/asn1/check-gen.c` almost works with templates, and is a pretty
extensive test. The only thing that fails is everything to do with
IMPLICIT tags (so, `test_implicit()`).
So now we compile `lib/asn1/test.asn1` both, w/ and w/o templating, and
we build two programs from `lib/asn1/check-gen.c`: `check-gen` and
`check-gen-template`, respectively linking with the non-templated and
the templated compilation of `lib/asn1/test.asn1`.
Because the template compiler still doesn't support IMPLICIT tagging
well, we disable testing of IMPLICIT tags in `check-gen-template`.
This will make it much harder to break the template compiler in the
future.
Commit 89389bc7a (asn1: Fix long-standing IMPLICIT tagging brokenness)
was incomplete. Removing the hacks in lib/asn1/cms.asn1 revealed this.
Now the ASN.1 compiler generates enums to indicate what is the class and
tag of each type. This is needed so the decoder functions generated by
the compiler can know what tag to restore.
Now, too, the compiler does handle IMPLICIT tags whose encoded length is
different from that of the underlying type.
However, we now don't handle indefinite BER and non-DER definite lengths
(DCE) following IMPLICIT tags. This would affect only CMS in-tree.
This adds hx509 API and hxtool(1) support for PermanentIdentifier,
HardwareModuleName, and DNSSRV SAN types, as well as for serialNumber,
TPMManufacturer, TPMModel, and TPMVersion DN attributes.
These are sample certificates from the Trusted Computing Group
Endorsement Key Credential Profile For TPM Family 2.0; Level 0.
- lib/hx509/data/tcg-ek-cp.pem (Endorsement Key certificate)
- lib/hx509/data/tcg-devid.pem (DevID certificate)
https://trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdfhttps://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_EKCredentialProfile_v2p3_r2_pub.pdfhttps://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_DevID_v1r2_02dec2020.pdf
This certificate came from the Trusted Computing Group Endorsement Key
(EK) Credential Profile [0], Appendix A, page 34.
[0] https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_EKCredentialProfile_v2p3_r2_pub.pdf
Note that hxtool at this point both certificates, including all their
extensions, HardwareModule Name SAN, certificate policies, and the new
DN attributes TPMVersion, TPMModel, and TPMManufacturer, as shown below.
The work on the ASN.1 compiler helped.
The goal of this work will be to enable a Heimdal service for device
enrolment using TPMs. More TCG profiling has to be done, and perhaps
some ECC work as well. But Heimdal will mostly just be a relying party
and CA, and will not include the client side piece of enrolment.
$ cd build/lib/hx509
$ ./hxtool print --content PEM-FILE:../../../lib/hx509/data/tcg-ek-cp.pem
cert: 0
friendly name:
private key: no
issuer: "CN=ExampleCA"
subject: ""
serial: 01
keyusage: keyEncipherment
subject name:
issuer name: CN=ExampleCA
Validity:
notBefore 2014-01-15 15:40:50
notAfter 2015-01-15 15:40:50
checking extension: authorityInfoAccess
Critical not set on MUST
type: 1.3.6.1.5.5.7.48.2
dirname: URI: http://www.example.com/ExampleCA.crt
checking extension: keyUsage
checking extension: subjectAltName
Critical set on MUST NOT
directoryName: TPMVersion=id:00010023,TPMModel=ABCDEF123456,TPMManufacturer=id:54434700
checking extension: basicConstraints
is NOT a CA
checking extension: cRLDistributionPoints
CRL Distribution Points:
Fullname:
URI: http://www.example.com/ExampleCA.crl
checking extension: certificatePolicies
Policy: 1.2.3.4
checking extension: authorityKeyIdentifier
authority key id: 347767244C44AFE79E2AE0B24C69579524B33DDA
checking extension: extKeyUsage
eku-0: 2.23.133.8.1
checking extension: subjectDirectoryAttributes
Doesn't have SubjectKeyIdentifier
$
$
$ ./hxtool print --content PEM-FILE:../../../lib/hx509/data/tcg-devid.pem
cert: 0
friendly name:
private key: no
issuer: "CN=ExampleCA"
subject: ""
serial: 01
keyusage: keyEncipherment
subject name:
issuer name: CN=ExampleCA
Validity:
notBefore 2014-01-15 15:40:50
notAfter 2015-01-15 15:40:50
checking extension: authorityInfoAccess
Critical not set on MUST
type: 1.3.6.1.5.5.7.48.2
dirname: URI: http://www.example.com/ExampleCA.crt
checking extension: keyUsage
checking extension: subjectAltName
Critical set on MUST NOT
directoryName: TPMVersion=id:00010023,TPMModel=ABCDEF123456,TPMManufacturer=id:54434700
otherName: 1.3.6.1.5.5.7.8.4 HardwareModuleName 2.23.133.1.2:tpmserialnumber
checking extension: basicConstraints
is NOT a CA
checking extension: cRLDistributionPoints
CRL Distribution Points:
Fullname:
URI: http://www.example.com/ExampleCA.crl
checking extension: certificatePolicies
Policy: 1.2.3.4
checking extension: authorityKeyIdentifier
authority key id: 347767244C44AFE79E2AE0B24C69579524B33DDA
checking extension: extKeyUsage
eku-0: 2.23.133.8.1
checking extension: subjectDirectoryAttributes
Doesn't have SubjectKeyIdentifier
$
Checking the error code of decoding a blob as an hdb_entry or
hdb_entry_alias to determine which of those the blob is depends on a
detail of the Heimdal ASN.1 compiler and library that shouldn't be
depended on. Using a CHOICE adds no octets to the encoding:
HDB-EntryOrAlias ::= CHOICE {
entry hdb_entry,
alias hdb_entry_alias
}
since we're adding no additional tags and the two arms of the CHOICE
already differ in tag (hdb_entry's tag is a [UNIVERSAL Sequence] tag,
while hdb_entry_alias's is an [APPLICATION 0] tag).
This helped find a bug fixed in the preceding commit.
This also depends on the earlier fixes to IMPLICT tagging support, thus
implementing a test of that using a test vector from a standard.
This commit _mostly_ fixes the Heimdal ASN.1 compiler to properly
support IMPLICIT tagging in most if not all the many cases where it
didn't already, as you could see in lib/asn1/canthandle.asn1 prior to
this commit.
This fix is a bit of a hack in that a proper fix would change the
function prototypes of the encode/decode/length functions generated by
the compiler to take an optional IMPLICIT tag to tag with instead of the
type they code. That fix would not be localized to lib/asn1/ however,
and would change the API and ABI of generated code (which is mostly not
an ABI for Heimdal, but still, some external projects would have to make
changes).
Instead, for IMPLICIT tags we currently depend on the IMPLICIT tag and
the sub-type's tag having the same size -- this can be fixed with extra
allocation on the encoder side as we do on the decoder side, but we
might leave it for later.
The issue we're fixing manifested as:
-- The [CONTEXT 0] tag in Bar below was turned into an EXPLICIT tag
-- instead of an IMPLICIT one, netting the DER encoding for the `foo`
-- member as:
-- [CONTEXT 0] [UNIVERSAL Seq] [UNIVERSAL Int] <encoding of i>
-- instead of the correct:
-- [CONTEXT 0] [UNIVERSAL Int] <encoding of i>
Foo ::= SEQUENCE { i INTEGER }
Bar ::= SEQUENCE { foo [0] IMPLICIT Foo }
or
Foo ::= INTEGER
Bar ::= SEQUENCE { foo [0] IMPLICIT Foo } -- tag context 0 marked
-- constructed!
I've reviewed this in part by reviewing the output of the compiler
before and after this change using this procedure:
- Run an earlier version of the ASN.1 compiler output for all
modules in lib/asn1/. Save these in a different location.
- Run this (or later) version of the ASN.1 compiler output for
the same modules, adding --original-order for modules that
have been manually sorted already (e.g., rfc2459.asn1).
- Run clang-format on the saved and newest generated C source
and header files.
- Diff the generated output. Substantial differences will
relate to handling of IMPLICIT tagging. These are
particularly evident in the tcg.asn1 module, which uses a lot
of those.
Later commits add test data (certificates with extensions that use
IMPLICIT tagging) taken from external specifications as well, which
exercise this fix.
Non-urgent brokenness yet to be fixed:
- When the IMPLICIT tag and the tag of the underlying type require
differing numbers of bytes to encode, the encoding and decoding will
fail. The prototypes of generated length_*() functions make it
impossible to do much better.
- SET OF <primitive> still crashes the compiler (not a new bug).
Futures:
- Unwind hackery in cms.asn1 that worked around our lack of proper
IMPLICIT tagging support.
Here are some of the generated code deltas one expects to see around
this commit:
$ git checkout $earlier_version
$ ./autogen.sh
$ mkdir build
$ cd build
$ ../configure ...
$ make -j4
$ make check
$ cd lib/asn1
$ for i in *.c; do
[[ $i = asn1parse.? || $i = lex.? || $i = *.h ]] && continue
clang-format -i $i $i
cmp /tmp/save/$i $i && echo NO DIFFS: $i && continue; echo DIFF: $i
done
NO DIFFS: asn1_cms_asn1.c
NO DIFFS: asn1_digest_asn1.c
NO DIFFS: asn1_err.c
NO DIFFS: asn1_krb5_asn1.c
/tmp/save/asn1_kx509_asn1.c asn1_kx509_asn1.c differ: byte 6433, line 264
DIFF: asn1_kx509_asn1.c
NO DIFFS: asn1_ocsp_asn1.c
NO DIFFS: asn1_pkcs10_asn1.c
/tmp/save/asn1_pkcs12_asn1.c asn1_pkcs12_asn1.c differ: byte 12934, line 455
DIFF: asn1_pkcs12_asn1.c
NO DIFFS: asn1_pkcs8_asn1.c
NO DIFFS: asn1_pkcs9_asn1.c
NO DIFFS: asn1_pkinit_asn1.c
/tmp/save/asn1_rfc2459_asn1.c asn1_rfc2459_asn1.c differ: byte 20193, line 532
DIFF: asn1_rfc2459_asn1.c
NO DIFFS: asn1_rfc4043_asn1.c
/tmp/save/asn1_rfc4108_asn1.c asn1_rfc4108_asn1.c differ: byte 595, line 26
DIFF: asn1_rfc4108_asn1.c
/tmp/save/asn1_tcg_asn1.c asn1_tcg_asn1.c differ: byte 31835, line 1229
DIFF: asn1_tcg_asn1.c
/tmp/save/asn1_test_asn1.c asn1_test_asn1.c differ: byte 384, line 21
DIFF: asn1_test_asn1.c
/tmp/save/test_template_asn1-template.c test_template_asn1-template.c differ: byte 650, line 20
DIFF: test_template_asn1-template.c
$
$ cd ../..
$ git checkout $newer_version
$ make -j4 && make check
$ cd lib/asn1
$ for i in *.[ch]; do
[[ $i = asn1parse.? || $i = lex.? || $i = *.h ]] && continue
clang-format -i $i $i
cmp /tmp/save/$i $i && echo NO DIFFS: $i && continue
diff -ubw /tmp/save/$i $i
done | $PAGER
and one should see deltas such as the following:
- a small enhancement to handling of OPTIONAL members:
(data)->macData = calloc(1, sizeof(*(data)->macData));
if ((data)->macData == NULL)
goto fail;
e = decode_PKCS12_MacData(p, len, (data)->macData, &l);
- if (e) {
+ if (e == ASN1_MISSING_FIELD) {
free((data)->macData);
(data)->macData = NULL;
+ } else if (e) {
+ goto fail;
} else {
p += l;
len -= l;
ret += l;
- more complete handling of DEFAULTed members:
e = decode_FWReceiptVersion(p, len, &(data)->version, &l);
- if (e)
+ if (e == ASN1_MISSING_FIELD) {
+ (data)->version = 1;
+ } else if (e) {
goto fail;
- p += l;
- len -= l;
- ret += l;
+ } else {
+ p += l;
+ len -= l;
+ ret += l;
+ }
{
- replacement of tags with implicit tags (encode side):
/* targetUri */
if ((data)->targetUri) {
size_t Top_tag_oldret HEIMDAL_UNUSED_ATTRIBUTE = ret;
ret = 0;
e = encode_URIReference(p, len, (data)->targetUri, &l);
if (e)
return e;
p -= l;
len -= l;
ret += l;
- e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, PRIM, 4, &l);
+ e = der_replace_tag(p, len, ASN1_C_CONTEXT, CONS, 4);
if (e)
return e;
p -= l;
len -= l;
ret += l;
ret += Top_tag_oldret;
}
- replacement of tags with implicit tags (decode side):
strengthOfFunction_oldlen = len;
if (strengthOfFunction_datalen > len) {
e = ASN1_OVERRUN;
goto fail;
}
len = strengthOfFunction_datalen;
- e = decode_StrengthOfFunction(p, len, (data)->strengthOfFunction, &l);
- if (e)
- goto fail;
- p += l;
- len -= l;
- ret += l;
+ {
+ unsigned char *pcopy;
+ pcopy = calloc(1, len);
+ if (pcopy == 0) {
+ e = ENOMEM;
+ goto fail;
+ }
+ memcpy(pcopy, p, len);
+ e = der_replace_tag(pcopy, len, ASN1_C_UNIV, PRIM, 0);
+ if (e)
+ goto fail;
+ e = decode_StrengthOfFunction(p, len, (data)->strengthOfFunction, &l);
+ if (e)
+ goto fail;
+ p += l;
+ len -= l;
+ ret += l;
+ free(pcopy);
+ }
len = strengthOfFunction_oldlen - strengthOfFunction_datalen;
}
}
{
size_t profileOid_datalen, profileOid_oldlen;
- correct determination of implicit tag constructed vs no for IMPLICT-
tagged named primitive types:
{
size_t profileUri_datalen, profileUri_oldlen;
Der_type profileUri_type;
e = der_match_tag_and_length(p, len, ASN1_C_CONTEXT, &profileUri_type, 2,
&profileUri_datalen, &l);
- if (e == 0 && profileUri_type != PRIM) {
+ if (e == 0 && profileUri_type != CONS) {
e = ASN1_BAD_ID;
}
if (e) {
(data)->profileUri = NULL;
} else {
(data)->profileUri = calloc(1, sizeof(*(data)->profileUri));
if ((data)->profileUri == NULL) {
e = ENOMEM;
goto fail;
}
- correct determination of length of IMPLICT-tagged OIDs:
if ((data)->profileOid) {
size_t Top_tag_oldret = ret;
ret = 0;
ret += der_length_oid((data)->profileOid);
+ ret += 1 + der_length_len(ret);
ret += Top_tag_oldret;
}
These deltas should be examined with the corresponding ASN.1 module at
hand, cross-referencing the source code to the ASN.1 type definitions
and manually applying X.690 rules to double-check the choices of
primitive vs. constructed tag, and the choices of when to replace tags
and when not.
- Giving asn1_compile the name of an ASN.1 module w/o the ".asn1" stem
will cause the compiler to add the ".asn1" stem, and it will cause
the compiler to look for a ".opt" file as well.
- The default C module name substring derivation from the .asn1 file
name is improved.
- There is now a --gen-name=NAME option for specifying the C module
name substring. This is useful for specifying that in a .opt file.
- More options now have helpful usage messages.
This will allow simplification of lib/asn1/Makefile.am's invocations of
asn1_compile.
We may well end up requiring the automatic .opt file finding feature
when we eventualy add support for parsing multiple modules in a single
invocation for better support of IMPORTs.
Many external ASN.1 modules that we have imported over time define types
like this:
Foo ::= SEQUENCE { bar Bar }
Bar ::= SEQUENCE { aMember INTEGER }
and before this change one had to re-order the definitions so that the
one for `Bar` came first. No more.
We can now have out of order definitions in ASN.1 modules and the
compiler will topologically sort output C type declarations so that one
no longer has to manually sort types in ASN.1 modules when importing
them.
Besides that, it is now possible to create circular data types using
OPTIONAL since we generate such fields as pointers (which can then be
pointers to incomplete struct declarations):
Circular ::= SEQUENCE {
name UTF8String,
next Circular OPTIONAL
}
Circular types aren't necessarily useful, but they have been used in the
past. E.g., the rpc.mountd protocol uses a circular type as a linked
list -- it should just have used an array, of course, as that's
semantically equivalent but more space efficient in its encoding, but
the point is that such types exist out there.
C enum labels have to be globally unique. ASN.1 module ENUMERATED and
INTEGER types with named values are not globally unique. This means
that ASN.1 integer type value names and enumerations can cause conflicts
when compiled to C.
This new option allows the user to specify a prefix to apply to such
names. Then this:
Foo ::= ENUMERATED { v1 (0) }
can generate:
typedef enum Foo {
prefix_v1 = 0,
} Foo;
instead of
typedef enum Foo {
v1 = 0,
} Foo;
which is very likely to conflict.
TBD: Add option to use the type name as the prefix?
TRUE/FALSE may not be defined, so emitting those symbols when generating
code for `... BOOLEAN DEFAULT TRUE -- or FALSE` causes the generated
code to fail to compile. We could move the definitions of TRUE/FALSE to
krb5-types.h, or maybe we could have an asn1_compile option to force
inclusion of more than one header file so we can have headers defining
such constants. But the simplest fix is to just emit 1/0 instead of
TRUE/FALSE.
This explains why some BOOLEAN DEFAULT usages in PKIX are made OPTIONAL
in Heimdal.
In preparation for adding support for TPM attestations as an authentication
method in bx509d for a host trust bootstrap mechanism based on TPMs and their
endorsement keys and endorsement key certificates.
The plan is to add support to libhx509 and hxtool for PermanentIdentifier
(RFC4043) and HardwareModuleName (RFC4108) SANs, and then to add a query
parameter to bx509d for passing an attestation and a proof-of-possession
(either CMS or CSR), and add an authorizer plugin call for authorizing a device
manufacturer and serial number to hostname. Support for TPMs w/o endorsement
key certificates should also be possible based on a digest of the endorsement
key as the "serial number".
macOS packs ccapi structures to 16 bits on PowerPC and Intel platforms only;
no special packing is used on ARM (Apple Silicon). Harmonize so Heimdal is ABI
compatible.
When encountering a backslash character the memmove() call removes it. But then the pointer p should only be incremented by 1 to skip the escaped character rather than 2, which also skips the character following the escaped one.
Fix the possible leak of 's' allocated by asprintf()
When squashing the changes reference "this fixes an issue introduced by 7bf4d76 ("krb5: Improve cccol sub naming; add gss_store_cred_into2()")" in the commit message.
Test that we can dump an HDB w/o blocking write transactions.
This currently works for different processes (both backends), but not
for threads (for either backend), and it's not yet clear why.
Do not allow a change in build configuration time default HDB backend
selection cause existing default HDBs to not be possible to open.
Otherwise such a change will cause a KDC configured to use the default
HDB (i.e., without setting it in the "database" stanza in the "[kdc]"
section of krb5.conf) to not start.
tests/kdc/check-iprop.in tends to wait for a log message then it reads a
status file. Well, we shouldn't write the log message before writing
the status file then!
Running ipropd-slave on a system whose hostname's realm is not the
requested realm breaks. Since the iprop client principal should really
be in the same realm as the master, we now force it after calling
krb5_sname_to_principal().
The new [hdb] new_service_key_delay parameter should not apply to
principal entries when used as clients. Otherwise new passwords would
not take effect immediately, and that would be very confusing.
This is a large commit that adds several features:
- Revamps and moves virtual host-based service principal functionality
from kdc/ to lib/hdb/ so that it may be automatically visible to
lib/kadm5/, as well as kadmin(1)/kadmind(8) and ktutil(1).
The changes are backwards-incompatible.
- Completes support for documenting a service principal's supported
enctypes in its HDB entry independently of its long-term keys. This
will reduce HDB bloat by not requiring that service principals have
more long-term keys than they need just to document the service's
supported enctypes.
- Adds support for storing krb5.conf content in principals' HDB
entries. This may eventually be used for causing Heimdal KDC
services to reconfigure primary/secondary roles automatically by
discovering the configured primary in an HDB entry for the realm.
For now this will be used to help reduce the amount of configuration
needed by clients of an upcoming HTTP binding of the kadmin service.
Make error reporting in socket test programs consistent with other usages by
removing redundant newline, using strerror() and reporting error in
parentheses.
The deprecated OSAtomicCompareAndSwapPtrBarrier() function is used by a code
path only taken on macOS systems with a single CPU. As very few Macs have a
single CPU today, remove this optimization. (Replacing it with <stdatomic.h> as
suggested would break compatability with macOS prior to 10.12.)
Rename heim_base_atomic_max to heim_base_atomic_integer_max (ditto with _type)
in order to better reflect their usage, now we have a separate
heim_base_atomic() macro for making an atomic version of any type.
heim_base_exchange_32() and heim_base_exchange_64() inline functions for
platforms without atomics were missing (these are very inefficient but,
clearly rarely used given the lack of build error reports)
On Windows i386 the asn1 tests would crash due to stack corruption
as a result of functions being executed with the wrong calling
conventions.
Change-Id: Ic4f8b3a05dad36e3db6397fbd9270b98f0a5dfc5
The code generators were shifting "1LU" by (<< 32) and (<< 63) which
are undefined operations for a 32-bit integer. To ensure the integer
is 64-bit use "1ULL".
Change-Id: I062cae5638139a9fe51563f64b1964f87e2f49e3
acquire_cred_with_password() must call
krb5_get_init_creds_opt_set_default_flags() to initialize the
krb5_get_init_creds option flags to the values obtained from
the krb5_context.
Change-Id: Icd8c500dd0787a781c2382284f19cef277b1d30b
gss_unwrap_iov() with rc4-hmac (RFC4757) encryption types would fail unless
GSS_C_DCE_STYLE was specified, as an incorrect length was passed to
_gssapi_verify_mech_header(). (The correct length is the header length for
GSS_C_DCE_STYLE, and the wrap token length otherwise.)
RFC 4121/4757 don't require padding as they operate as stream ciphers. Make the
PADDING buffer optional when using these encryption types with gss_wrap_iov()
and gss_unwrap_iov().
Our initiator supports configuration-driven delegation of destination
TGTs.
This commit adds acceptor-side handling of destination TGT policy to
reject storing of non-destination TGTs when destination TGTs are
desired.
Currently we use the same appdefault for this.
Background:
A root TGT is one of the form krbtgt/REALM@SAME-REALM.
A destination TGT is a root TGT for the same realm as the acceptor
service's realm.
Normally clients delegate a root TGT for the client's realm.
In some deployments clients may want to delegate destination TGTs as
a form of constrained delegation: so that the destination service
cannot use the delegated credential to impersonate the client
principal to services in its home realm (due to KDC lineage/transit
checks). In those deployments there may not even be a route back to
the KDCs of the client's realm, and attempting to use a
non-destination TGT might even lead to timeouts.
Using syscall() directly on macOS has been deprecated since 10.12. The value of
AFS_SYSCALL on libkafs overlaps with SYS_poll, causing k_hasafs() to hang on
macOS 11.0. Remove the AFS_SYSCALL macro to disable the AFS syscall on macOS.
_gsskrb5_init_sec_context() when called with GSS_C_NO_CREDENTIAL
opens the default ccache and sets the CLOSE_CCACHE flag indicating
that the ccache lifetime is tied to the gsskrb5_ctx. When
_gsskrb5_delete_sec_context() is called, it must close the ccache
if the CLOSE_CCACHE flag is set. Otherwise, the ccache resources
will leak.
Leaked since 39fe446983.
Change-Id: I8d0faab1e844d68fe71b11b715f8d88fcd2f4af7
hx509_context_free() must call heim_config_file_free() on
the hx509_context.cf section binding. Otherwise the memory
is leaked.
Change-Id: Ib3350a5be67203904fc1aee727c342c3ed552978
When the "KRB5_CONFIG" is unset on Windows, the registry values
HKLM\Software\Heimdal "config"
HKCU\Software\Heimdal "config"
are used. The migration of krb5_config to heimbase failed to
differentiate between KRB5_CONFIG, HX509_CONFIG, etc. The above
registry values are only for the KRB5_CONFIG.
This change permits the envvar name to be searched for in the
registry. For HX509_CONFIG the registry values
HKLM\Software\Heimdal "HX509_CONFIG"
HKCU\Software\Heimdal "HX509_CONFIG"
will be searched for configuration information.
Change-Id: I140945fa603d668d270eb5d740a11edc6fc121d7
First, bison (and probably flex and other pkgs) got published to the
chocolatey pacman repos compressed using ZST, which requires installing
zstd and broke our Appveyor builds.
Then someone published zstd compressed using ZST, which further broke
our Appveyor build by creating an irrecoverable chicken-egg situation:
pacman can't install zstd because it indirectly depends on zstd.
Possible fixes include trying to install the last version of zstd that
did not have this problem (zstd-1.4.4-2, ascertained from inspecting the
Appveyor build history).
This commit simply stops adding pacman-mirrors, and stops refreshing the
database, and this does get the Appveyor build going again.
ea90ca8666
("Move some infra bits of lib/krb5/ to lib/base/ (2)") introduced
struct heim_config_binding to heimbase.h and removed the
struct krb5_config_binding definition from krb5.h. It changed
the krb5_config_binding typedef to be based upon the heim_config_binding
typedef.
These changes broke out of tree callers of krb5_config_get_list()
and krb5_config_vget_list(). The internals of struct krb5_config_binding
are required by callers of krb5_config_get_list() and krb5_config_vget_list()
and the names must remain the same.
This change restores struct krb5_config_binding to krb5.h. The
structure cannot be changed because it is public and leaves struct
heim_config_binding as an independent structure definition within
heimbase.h. As a result struct heim_config_binding in heimbase.h must
remain binary compatible until such time as krb5_config_get_list() and
krb5_config_vget_list() are no longer supported.
Change-Id: I69b4fda3f656cc8daa8f5fcd0c7151cee222fc8c
Seen on Ubuntu 18.04 with
gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
giving:
test_cipher.c: In function ‘test_cipher’:
test_cipher.c:299:19: error: suggest braces around empty body in an ‘if’ statement [-Werror=empty-body]
/* XXXX check */;
^
cc1: all warnings being treated as errors
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Similar to f6e0d19cc0 but
fixed in the header by making it a proper static inline
function (as some callers treats it as one, so do it
for all now for consistency).
Seen on Ubuntu 18.04 with
giving:
In file included from getaddrinfo-test.c:36:0:
getaddrinfo-test.c: In function ‘main’:
roken.h:110:24: error: statement with no effect [-Werror=unused-value]
#define rk_SOCK_INIT() 0
^
getaddrinfo-test.c:132:5: note: in expansion of macro ‘rk_SOCK_INIT’
rk_SOCK_INIT();
^~~~~~~~~~~~
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Seen on Ubuntu 18.04 with
gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
giving:
rsa-ltm.c: In function ‘ltm_rsa_private_calculate’:
rsa-ltm.c:135:9: error: variable ‘where’ set but not used [-Werror=unused-but-set-variable]
int where = 0; /* Ignore the set-but-unused warning from this */
^~~~~
rsa-ltm.c: In function ‘gen_p’:
rsa-ltm.c:482:9: error: variable ‘where’ set but not used [-Werror=unused-but-set-variable]
int where = 0; /* Ignore the set-but-unused warning from this */
^~~~~
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This will make it harder to commit code that triggers warnings.
This list of allowed warnings is too long, but can be trimmed down
over time.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Seen with Ubuntu 18.04
gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
mech/gss_krb5.c: In function ‘gss_krb5_ccache_name’:
mech/gss_krb5.c:501:18: error: the address of ‘buffer’ will always evaluate as ‘true’ [-Werror=address]
_mg_buffer_zero(&buffer);
^
mech/mech_locl.h:72:7: note: in definition of macro ‘_mg_buffer_zero’
if (buffer) { \
^~~~~~
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
The krb5_cc_ops structure is an extensible structure to which new
functionality has been added over the years.
Version zero was the original. It included all functions up to
and including get_default_name().
Version one added set_default().
Version two added lastchange().
Version three added set_kdc_offset() and get_kdc_offset().
Version four broke compatibility by modifying the signatures
of get_name() and resolve(). This was in change
7bf4d76e75 ("krb5: Improve cccol sub
naming; add gss_store_cred_into2()").
Version five restores the original signatures of get_name()
and resolve() and introduces get_name_2() and resolve_2() that
provide the additional cccol functionality.
This change
* introduces version five
* documents which functions are part of each version
* replaces KRB5_CC_OPS_VERSION with KRB5_CC_OPS_VERSION_0,
KRB5_CC_OPS_VERSION_1, KRB5_CC_OPS_VERSION_2, KRB5_CC_OPS_VERSION_3,
and KRB5_CC_OPS_VERSION_5. KRB5_CC_OPS_VERSION_4 is skipped
because of the aforementioned breakage.
* compatibility logic is added to permit ccache plugins to implement
any of version one, two, three, five or a future version.
* all in-tree krb5_cc_ops implementations are updated to version 5.
Change-Id: Iadfce01d10834bc6151939e4d9d196f03001626e
common_plugin.h is expected to be usable on its own.
For backward compatibility, restore the definitions of
KRB5_CALLCONV and KRB5_LIB_CALL.
Change-Id: I6d2239f91ab48b9a6b71816b5221807382dc5914
krb5_get_instance() is meant to ensure that the shared library
instance of heimdal loaded by a plugin matches the instance that
loaded the plugin. It works by declaring a static C string whose
memory address will be used as an instance identifier. If the
instance returned from the plugin matches the instance obtain
by the code that loads the plugin, then we can conclude the two
instances are the same.
This doesn't work on Windows 7. When heimdal.dll loads a plugin
that is linked to heimdal.dll, the plugin's heimdal.dll is always
a new instance. However, the requirement for plugin safety is
not that the plugin be the same instance in memory but that they
be the same instance on disk.
This change loads the path name and version string for the module
and generates a hash of those strings as an instance identifier.
Change-Id: I1c0651969e9738c5feecb0b323969d13efd4704d
This avoids these compiler warnings on Ubuntu 18.04
gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
expand_path.c: In function ‘expand_token’:
expand_path.c:493:17: warning: ignoring return value of ‘asprintf’, declared with attribute warn_unused_result [-Wunused-result]
asprintf(&arg, "%.*s", (int)(token_end - colon - 1), colon + 1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
log.c: In function ‘fmtkv’:
log.c:646:5: warning: ignoring return value of ‘vasprintf’, declared with attribute warn_unused_result [-Wunused-result]
vasprintf(&buf1, fmt, ap);
^~~~~~~~~~~~~~~~~~~~~~~~~
mech/context.c: In function ‘gss_mg_set_error_string’:
mech/context.c:212:5: warning: ignoring return value of ‘vasprintf’, declared with attribute warn_unused_result [-Wunused-result]
(void) vasprintf(&str, fmt, ap);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
mech/context.c: In function ‘_gss_mg_log_name’:
mech/context.c:319:6: warning: ignoring return value of ‘vasprintf’, declared with attribute warn_unused_result [-Wunused-result]
(void) vasprintf(&str, fmt, ap);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
mech/context.c: In function ‘_gss_mg_log_cred’:
mech/context.c:346:5: warning: ignoring return value of ‘vasprintf’, declared with attribute warn_unused_result [-Wunused-result]
(void) vasprintf(&str, fmt, ap);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
kerberos5.c: In function ‘_kdc_set_e_text’:
kerberos5.c:338:5: warning: ignoring return value of ‘vasprintf’, declared with attribute warn_unused_result [-Wunused-result]
vasprintf(&e_text, fmt, ap);
^~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
ea90ca86664c73fb8d415f3cc7baacdf8a6dd685("Move some infra bits of
lib/krb5/ to lib/base/ (2)") forgot to add typedefs
heim_get_instance_func_t
krb5_get_instance_t
required for compilation of krb5_get_instance style plugins.
Change-Id: I3130f86034be1f9f79694eca0d1b309e247fd03f
Even though krb5_get_error_message() returns 'const char *' the
C-string is allocated and must be freed using krb5_free_error_message().
Change-Id: I8d4ef6fce12f113617443d15abadf51f1e04cf1a
This call
heim_warn(context, ret, "Ignoring", fname);
doesn't require the 'fname' paramter. Remove it.
Change-Id: Ia339568658306a903a64ff9e098f914e7387bdd7
At present Heimdal silently ignores included configuration files that
cannot be successfully opened or parsed. This is done to ensure that
an administrator or configuration management tool cannot lock users
out of a machine due to an editing mistake.
This change modifies heim_config_parse_file_multi() to warn the user
if a configuration file cannot be parsed or if an included ("include"
or "includedir") configuration file cannot be opened. Example warnings
for a configuration file starting with:
includedir c:/temp
where some of the matching file names cannot be parsed:
Ignoring: c:\temp\20170516:1: binding before section
or opened:
Ignoring: open or stat c:\temp\AUAA-83: Permission denied
A top level configuration file will also generate a warning if it
can be opened but cannot be parsed successfully produces
Ignoring: c:\temp\foo.cmd:1: binding before section
Ignoring: C:\ProgramData\Kerberos\krb5.conf:22: unmatched }
Change-Id: I455854156f4a61e1b7dad7f96601eca23d2368eb
Refactor heim_config_parse_file() to use a common exit and
ensure that 'newfname' is freed on all exit paths.
Change-Id: Ie805ce2f9d6cbd26a3b98dc944b40864945b6d80
A non-zero return value from heim_config_parse_debug() means there
was an failure to open or parse the configuration data. However, it
is not necessarily an error code. Callers when setting an error
message must use an error code.
This change to heim_config_parse_file_multi() and
heim_config_parse_string_multi() set an error code of
HEIM_ERR_CONFIG_BADFORMAT when setting the error message.
Change-Id: I534b9af1c50e32d79799a936cb6252dab99c2a64
In heim_config_parse_dir_multi() do not call heim_enomem(context)
when returning ENOMEM when a better error has already been set in
the context. Just return ENOMEM.
Change-Id: I9bd9de552b2b04b5a7328ac635e911d6e95422ef
The caller of heim_config_parse_debug() expects the output
parameters to be initialized even when the return code is non-zero.
This change initializes the output parameters in case the caller
did not. Not all code paths assign values to the output parameters
which can result in unexpected termination of the process when
an uninitialized stack pointer is assumed to be valid.
Change-Id: Ib7530a9f16ba3e1500a7e27ccdd8ad9f0492b464
not_found() is called internally with error code KRB5_CC_NOTFOUND
from find_cred() and get_cred_kdc_capath_worker() where a hard
coded error string "Matching credential not found" makes sense.
However, it is also called from krb5_get_creds() and
krb5_get_credentials_with_flags() with error codes that are
returned from the KDC where hiding the true error string
confuses the end user and hampers debugging.
This change replaces the hard coded string with the result
of krb5_get_error_message() and appends the service ticket
name.
Change-Id: I275c66c7b5783ae25029dce5b851cb389b118bcc
PATH_SEP is declared on Windows to be ";" and not ":"
by include/config.h.w32.
lib/base/context.c and lib/hx509.c must not override an existing
setting. Otherwise, file lists cannot be separated and will be
treated as a single file name.
Change-Id: I5521188faca36e41fbae95fbb8942970eab261c8
ea90ca8666 ("Move some infra bits of
lib/krb5/ to lib/base/ (2)") inappropriately altered the declaration
of the "ldebug" macro which stores the switches passed to "link.exe".
There is no "/RELEASE" switch and the "/DEBUG" switch instructs the
linker to produce files containing debug symbols (.pdb) which are
required for generating the Windows assemblies.
This change restores the prior behavior.
Change-Id: I61b8fd4759ba84671858f7c8275dbd25af1638e6
KRB5_USE_PATH_TOKENS cannot be used within lib/base as its value
is declared in lib/krb5/krb5.h. Declare HEIM_BASE_USE_PATH_TOKENS
in lib/base/baselocl.h and test for it in
heim_config_parse_file_multi().
By conditionalizing heim_config_parse_file_multi() behavior on
KRB5_USE_PATH_TOKENS heim_expand_path_tokens() is not executed
and open() is called on a path without token substitution. As a
result open() always fails with ENOENT.
Change-Id: I29dc018bc560519b76314232b2d51f53bde6313c
libtommath 1.2.0 c403b66082
("hcrypto: import libtommath v1.2.0") needs more from stdint.h
than what Heimdal previously declared. Add more integer type
declarations and integer MIN/MAX macros.
Also, on Windows declare 64-bit integers using __int64 as
"long long" is not supported as 64-bit type across all visual
studio compiler versions.
Change-Id: I944bedc67bcb26374ffb30eb3dfd7c6108a98fc3
When a function is assigned to a function pointer that is declared
with a particular calling convention, then the assigned function
must be declared with that calling convention as well. Otherwise,
kaboom!!!
The following functions are fixed by this change:
kuser/kx509.c
validate1()
add1_2chain()
lib/base/log.c
log_syslog()
close_syslog()
log_file()
close_file()
lib/gssapi/mech/context.c
gss_set_log_function()
lib/krb5/kx509.c
certs_export_func()
Change-Id: Ib68abf739e3385e98136fa4e4f5a0240e9fce033
Some pacman packages are now being compressed with the ZST algorithm,
but pacman can't handle that unless we first install `zstd`. This
commit does that.
SAnon unconditionally sets the replay, sequence, confidentiality, and integrity
flags on the acceptor; do so on the initiator as well. Some indentation
cleanups are also included in this commit.
In SAnon, the optional flags send in the initial context token are input into
the key derivation function. Mask out the flags we wish to ignore after (not
before) calling the key derivation function, as the initiator may not know
which flags we wish to ignore.
In SAnon:
The is_initiator bitfield must be unsigned to avoid undefined behaviour, as
there is only a single bit defined. Thanks to Nico Williams for explaining
this.
We were passing SANON flags to _gss_mg_import_rfc4121_context(), which
wants GSS flags. Meanwhile, I broke gss_inquire_context() on imported
SAnon contexts when I did my review of SAnon.
This commit fixes both issues and removes SANON_FLAG_*, which were only
ever needed because of a flag to track whether a context was locally
initiated or accepted. Now we use a separate int field of the sanon_ctx
to track whether a context was locally initiated. Once an SAnon context
is fully established, we rely on gss_inquire_context() on the rfc4121
sub-context for all metadata that isn't the initiator and acceptor names
nor the mechanism OID.
Add support for SAnon, a simple key agreement protocol that provides no
authentication of initiator or acceptor using x25519 ECDH key exchange.
See doc/standardization/draft-howard-gss-sanon-xx.txt for a protocol
description.
The X25519 implementation comes from libsodium. Explicit copyright
notices have been added to each file as well as some portability changes
(e.g. align.h).
Just like krb5.conf, but hx509.conf, with all the same default locations
on Windows, OS X, and elsewhere, and HX509_CONFIG as the environment
variable equivalent of KRB5_CONFIG.
Fix for issue #486 based on a patch by Nico Williams.
A GSS-API acceptor can return an error token to be sent to the initiator. Our
SPNEGO implementation discarded these when sending a SPNEGO reject response.
This patch fixes the SPNEGO acceptor to convey those in the SPNEGO response.
The SPNEGO initiator is also updated to not bail out early on receiving a
SPNEGO reject response from the acceptor, but instead pass the response token
(if any) to gss_init_sec_context(). A reject response with no response token
will continue to return an error.
Reduce the number of trials when generating RSA keys by calling
mp_prime_rabin_miller_trials() with the number of desired bits.
See libtom/libtommath#482.
gss_release_cred_by_mech() was previously used by SPNEGO's implementation of
gss_set_neg_mechs(). This is now implemented in the mechanism glue. As we never
shipped gss_release_cred_by_mech(), it is safe to remove it and its exported
symbol.
SPNEGO was already using union creds. Now make the mechglue know about
it, delete all of the cred-related SPNEGO stubs that are now not called
(lib/gssapi/spnego/cred_stubs.c), and implement gss_get/set_neg_mechs()
by storing the OID set in the union cred.
This commit was essentially authored as much if not more by Luke Howard
<lukeh at padl.com> as much as by the listed author.
gss_add_oid_set_member() should according to RFC2744 add a copy of the OID to
the set; the current implementation just stored a pointer (which may not be
stable). As we have _gss_intern_oid(), call that before adding.
If an initial security context token doesn't have a standard header per
RFC2743 then try all mechanisms until one succeeds or all fail.
We still try to guess NTLMSSP, raw Kerberos, and SPNEGO, from tasting
the initial security context token.
gss_decapsulate_token() should return GSS_S_BAD_MECH if the mechanism did not
match the expected one, and GSS_S_DEFECTIVE_TOKEN if the token could not be
parsed for some other reason, rather than GSS_S_FAILURE in both cases
Add a new private interface (accessed through _gss_mg_import_rfc4121_context())
through which a skeletal krb5 mechanism context can be created, suitable for
RFC4121 message protection and PRF services.
The NegoEx gss_{exchange,query}_meta_data functions set allocated_ctx but never
did anything with it. Use it to determine whether we should free the context
handle on error.
Allow the source and target names to be NULL when exporting or importing a
security context for the krb5 mechanism. This will be used in the future to
support skeletal contexts that only provide RFC4121 message protection
services.
_gss_secure_release_buffer_set() patch changed minor_status to 0, not
*minor_status as correct. No behavioural change as
_gss_secure_release_buffer_set() would have set it anyway, but obviously this
was unintentional.
Anonymous names should always compare FALSE in GSS_Compare_name(). If the names
are being compared at the mechglue layer then we should check for
GSS_C_NT_ANONYMOUS.
Add the --export-import-context flag to test_context, for validating that
security contexts round-trip through GSS_Export_sec_context() and
GSS_Import_sec_context().
The prototype for gss_set_sec_context_option() allows it to return a new
context, however this was not implemented. This functionality is required by
GSS_KRB5_IMPORT_RFC4121_CONTEXT_X.
The SPNEGO dispatch table does not include gss_duplicate_cred(). It can call
directly into the mechglue because a SPNEGO credential is a mechglue
credential.
SPNEGO credentials are mechglue credentials. SPNEGO credential wrapper
functions can be replaced with direct calls into the mechglue, unless a
specific check is required to avoid infinite recursion (as is the case where
the mechglue enumerates all mechanism when passed a null credential handle).
The recent changes to SPNEGO removed support for GSS_C_PEER_HAS_UPDATED_SPNEGO,
through which the Kerberos mechanism could indicate to SPNEGO that the peer did
not suffer from SPNEGO conformance bugs present in some versions of Windows.*
This patch restores this workaround, documented in [MS-SPNG] Appendix A <7>
Section 3.1.5.1. Whilst improving interoperability with these admittedly now
unsupported versions of Windows, it does introduce a risk that Kerberos with
pre-AES ciphers could be negotiated in lieu of a stronger and more preferred
mechanism.
Note: this patch inverts the mechanism interface from
GSS_C_PEER_HAS_UPDATED_SPNEGO to GSS_C_INQ_PEER_HAS_BUGGY_SPNEGO, so that new
mechanisms (which did not ship with these older versions of Windows) are not
required to implement it.
* Windows 2000, Windows 2003, and Windows XP
Pending integration of #551, the krb5 mechanism does not support
GSS_C_ANON_FLAG. Remove the GSS_C_MA_AUTH_INIT_ANON mechanism attribute until
such time it does.
Sort the list of mechanisms proposed by the initiator so that mechanisms are
preferred by their advertised support for GSS flags. For example, if
GSS_C_MUTUAL_FLAG is requested, a mechanism that offers GSS_C_MA_AUTH_TARG will
be preferred over one that doesn't. The flag/mechanism attribute combinations
are also assigned a weight (mutual trumps anonymous, for example).
Add mergesort_r() as a stable sort function that can be used by other
components of Heimdal. Note that there is no standardized prototype for this
function, however it appears that both FreeBSD and glibc would adopt the glibc
convention (where the private data argument appears last). See:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214248
__gss_c_attr_stream_sizes_oid_desc was tagged with GSSAPI_LIB_FUNCTION instead
of GSSAPI_LIB_VARIABLE; whilst the macro expansion is identical, fix for
cleanliness
This is needed so that sshd and such can get make practical use of the
"ccache" key in GSS cred stores.
This commit only changes the store path, not the acquisition path.
gss_store_cred_into*() will now switch the new cred cache to be the
primary/default cred cache when
- the caller requested it and,
- if the caller passed in a user name, the creds' principal is the best
principal for the named user.
A principal is the best principal for a user when the principal has just
one component, the component is the user's username, and the realm is
the configured user_realm.
If using the new --cache-default-for option, use the real default if the
principal is the best principal for the user.
A principal is the best principal for a user when the principal has just
one component, the component is the user's username, and the realm is
the configured user_realm.
bcb5ed28fb ("kdc/kx509.c: clean up
krb5_get_error_message strings used for mk_error_resp") introduced a
build failure. 'context' is not a local variable but a field in the
kx509_req_context.
Change-Id: I38a8a9b1a19c3370dfc039d6e09445425936c32b
mk_error_response expects the strings it builds will need to be freed but
not those passed in; krb5_get_error_message generates a string which needs to
be freed. keep track of and free those strings.
the code to perform cleanup is present but an overzealous goto out
precludes it from being called. break from our for loop in event of error
and allow cleanup to take place
on error from der_parse_heim_old we early exit via out, which frees
s and cprinc; we should not do so a second time unless we explicitly
NULL the pointers but there is no value in doing so.
- Formalize the TYPE:collection_name:subsidiary_name naming scheme for
ccaches in ccache collections
- KEYRING: ccaches are weird because they have one more optional field: the
"anchor", so rather than just assume a naming convention everywhere, we
add new functions as well
- Add krb5_cc_{resolve,default}_sub() that allows one to specify a
"subsidiary" ccache name in a collection separately from the
collection name
- Add krb5_cc_{resolve,default}_for() which take a principal name,
unparse it, and use it as the subsidiary ccache name (with colons
replaced)
- Make kinit use the new interfaces
- Add missing DIR ccache iteration functionality
- Revamps test_cc
- Add krb5_cc_get_collection() and krb5_cc_get_subsidiary()
- Bump the ccops SPI version number
- Add gss_store_cred_into2()
- Make MEMORY:anonymous not linked into the global MEMORY ccache
collection, and uses this for delegated cred handles
TBD:
- Split this up into a krb5 change and gss mech_krb5 change?
- Add krb5_cc_init_and_store() utility, per Greg's suggestion?
This is the second of two commits in a series that must be picked together.
This series of two commits moves parts of lib/krb5/ infrastructure
functionality to lib/base/, leaving behind wrappers.
Some parts of libkrb5 are entirely generic or easily made so, and could
be useful in various parts of Heimdal that are not specific to the krb5
API, such as:
- lib/gssapi/ (especially since the integration of NegoEx)
- lib/hx509/
- bx509d (which should really move out of kdc/)
For the above we need to move these bits of lib/krb5/:
- lib/krb5/config_file.c (all of it, leaving forwardings behind)
- lib/krb5/config_reg.c (all of it)
- lib/krb5/plugin.c (all of it, leaving forwardings behind)
- lib/krb5/log.c (all of it, ditto)
- lib/krb5/heim_err.et (all of it)
And because of those two, these too must also move:
- lib/krb5/expand_path.c (all of it, leaving forwardings behind)
- lib/krb5/warn.c (just the warning functions, ditto)
The changes to the moved files are mostly quite straightforward and are
best reviewed with --word-diff=color.
We're also creating a heim_context and a heim API to go with it. But
it's as thin as possible, with as little state as necessary to enable
this move. Functions for dealing with error messages use callbacks.
Moving plugin.c does have one knock-on effect on all users of the old
krb5 plugin API (which remains), which is that a global search and
replace of struct krb5_plugin_data to struct heim_plugin_data was
needed, though the layout and size of that structure doesn't change, so
the ABI doesn't either.
As well, we now build lib/vers/ and lib/com_err/ before lib/base/ so as
to be able to move lib/krb5/heim_err.et to lib/base/ so that we can make
use of HEIM_ERR_* in lib/base/, specifically in the files that moved.
Once this is all done we'll be able to use config files and plugins in
lib/hx509/, we'll be able to move bx509d out of kdc/, and so on.
Most if not all of the new functions in lib/base/ are Heimdal-private,
thus calling conventions for them are not declared.
Status:
- builds and passes CIs (Travis, Appveyor)
- ran make check-valgrind and no new leaks or other memory errors
- ready for review
HOW TO REVIEW:
$ # Review file moves:
$ git log --stat -n1 HEAD^
$
$ # Review changes to moved files using --word-diff=color
$ git log -p -b -w --word-diff=color HEAD^..HEAD \
lib/base/config_file.c \
lib/base/config_reg.c \
lib/base/expand_path.c \
lib/base/warn.c \
lib/krb5/config_file.c \
lib/krb5/config_reg.c \
lib/krb5/expand_path.c \
lib/krb5/warn.c
$
$ # Review the whole thing, possibly adding -b and/or -w, and
$ # maybe --word-diff=color:
$ git log -p origin/master..HEAD
$ git log -p -b -w origin/master..HEAD
$ git log -p -b -w --word-diff=color origin/master..HEAD
TBD (future commits):
- make lib/gssapi use the new heimbase functions
- move kx509/bx509d common code to lib/hx509/ or other approp. location
- move bx509d out of kdc/
This is the first of two commits in a series that must be picked
together.
This series of two commits moves parts of lib/krb5/ infrastructure
functionality to lib/base/, leaving behind wrappers.
This commit only renames files to enable git log/diff/blame to follow
the renames: to help future code archeology, and to make reviewing these
two commits easier.
The next commit in this series ensures that the moved files have the
correct content (i.e., defining heim APIs instead of krb5 APIs), and
will create files in lib/krb5 with the same names and krb5 API wrappers
around the new heim API functions.
The next commit also explains the motivation, which, briefly, is to:
- remove krb5 API usage from lib/gssapi/,
- enable the use of configuration and plugins in lib/hx509/
(as well as lib/gssapi/ and future projects),
and
- enable the further disentanglement of bx509d from kdc/.
Initialize mechanism output parameters before calling mechanism
GSS_Accept_sec_context(), to behave robustly with poorly implemented mechanisms
that may return before initializing them.
test_negoex_mech, being a simple test mechanism ported from MIT that was not
designed to be particularly robust, failed to initialize various output
parameters such as the source name. On Heimdal this triggered an invalid read
because the mechglue did not initialize those variables before calling the
mechanism. This commit fixes this.
NTLM erroneously requires a mechListMIC at the SPNEGO layer if an internal MIC
in the NTLM protocol was used. Add a private interface between SPNEGO and the
Samba NTLM mechanism to allow the mechanism to signal that a mechListMIC is
required even if it otherwise would not be.
This interface is the same as that supported by MIT.
Note that only the Samba NTLM mechanism currently implements this feature, it
is not implemented by the Heimdal NTLM mechanism (which does not support NTLM
authenticate message MICs).
Previously krb5 was tried explicitly, but now the internal mech list is
reordered so that krb5 is first, this should no longer be required. This
permits an application to specify another mechanism as preferred over krb5
using gss_set_neg_mechs().
RFC 4178 4.2.2 uses the field name negState rather than negResult in
NegTokenResp, to denote the negotiation state. Harmonize with this, also
replacing the underscores in accept-completed and accepet-incomplete to match
the RFC.
An implementation of draft-zhu-negoex-04 for MIT Kerberos was developed in
2011. This has been recently integrated, with many fixes from Greg Hudson. This
commit ports it to Heimdal. The implementation has been interoperability tested
with MIT Kerberos and Windows, using the GSS EAP mechanism developed as part of
the Moonshot project.
The SPNEGO code was also updated to import the state machine from Apple which
improves mechListMIC processing and avoids discarding initial context tokens
generated during mechanism probing, that can be used for optimistic tokens.
Finally, to aid in testing, the GSS-API mechanism glue configuration file can
be changed using the environment variable GSS_MECH_CONFIG. This environment
variable name, along with the format of the configuration file, is compatible
with MIT (although it would be difficult for a single mechanism binary to
support both implementations).
Wrapping GSS names at the SPNEGO level serves no purpose; remove it and return
mechglue names directly. This required a small change to the NTLM mechanism to
allow NULL names to be passed to its release name function.
GM_USE_MG_CRED allows a mechanism glue credential to be used by a mechanism
without additional wrapping. Although no extant mechanisms use this flag, the
flag had sporadic support in the mechanism glue already. In the interest of
consistency, add missing GM_USE_MG_CRED checks. If this functionality is not
desired, then all checks should be removed.
Add helper APIs to the mechanism glue from the Apple implementation.
gss_mg_export_name() can be used by a mechanism to create an exported name
(this is used by the future SAnon implementation). _gss_mech_import_name()
allows the mechanism to pass in a list of parsing functions for specific name
tiypes. This commit only adds support to the mechanism glue itself.
The GSS mechglue uses singly linked lists for mechanisms and mechanism objects,
to which new entries are inserted at the head. This breaks ordering of
mechanisms specified in OID sets and in /etc/gss/mech, as they will be back to
front. Use a tail queue instead so that new entries are inserted at the end.
Make mechanism interfaces that are optional in usage, optional in
implementation, i.e. do not require them to be present when dynamically loading
a mechanism. In order to aid minimal mechanism implementation, more of these
should likely be made optional (this will require an additional check in the
mechglue to return GSS_S_UNAVAILABLE if the function pointer is NULL). This is
left as a future exercise.
_gss_ntlm_accept_sec_context() does not provide the acceptor domain to
nsi_probe(); for consistency, _gss_ntlm_acquire_cred_from() should do that
same. Providing the acceptor domain was breaking tests.
Note that the Heimdal NTLM implementation is old and has few consumers (Apple
and Samba use their own implementations). Arguably we should merge the Apple
implementation or remove it.
The Kerberos GSS mechanism specific error table in gkrb5_err.et was never
registered with libkrb5, so the messages corresponding to those errors would
never be available. Register them with the thread local context used by the
krb5 mechanism.
Since at least SDK V6.1 HCRYPTPROV has been specified as ULONG_PTR
this means that comparing or setting one with NULL causes a cast
warning.
Use an explicit cast from zero to that type.
A HEAD or GET of / or /health will now produce a 200 instead of a 404.
Ideally we should add configuration arguments that would allow /health
to get a token, make a CSR, and test the /bx509 (and/or /bnegotiate)
functionality, that way we'd have a real health check. For now we defer
that work, as external health monitoring can be done using a simple
script anyways.
The Negotiate token validation plugin links against libgssapi, but on macOS the
dynamic linker cannot find it before Heimdal is installed. This causes tests to
fail. Although test_token_validator itself does not require libgsaspi, link
against it so that the test can proceed.
The --connect-to option is much nicer and better than --resolve for testing,
but for testing against localhost --resolve is good enough and available in
older versions of curl.
Now we'll put the "reason=..." last in the log lines and we won't escape
spaces -- just newlines and other control characters. This makes
reading log lines much easier without complicating parsing of log lines
because interior key=value pairs do get whitespace escaped or removed.
Add two ways to exclude private keys when dealing with an hx509
certificate store. One as a load option (load no private keys, never
add private keys), one as a store option (store no private keys).
This is useful for CA code so it can have a single store with the
issuer's credentials _and_ the chain for it, and copy those to a store
with the issued certificate and _not_ accidentally include the issuer's
private key.
It would be much safer still to flip the default for this flag, but that
could break out-of-tree libhx509 dependents.
krb5_kdc_process_request() must return 0 when it produces a reply, and only
return non-zero when it could not construct any kind of reply (e.g., ENOMEM, or
-1 if no handler claimed responsibility for the request).
We take all of the kdc_log() and _kdc_r_log() calls in AS and TGS
and move their log levels down to debugging on the assumption that
our new log line subsumes the "informational" requirements. We
collect some additional information in the kv-pair "pe-text" which
is like e-text except it is not returned to the client.
We refactor the code a bit to extend kdc_request_t which until now
was only used for the AS. We make the structure extensible and
start using it for the TGS as well. We leave digest and kx509
alone for the time being.
We also define the concept of kv-pairs in our audit trail which
allows us to define a rigorous but extensible format:
type error from-addr client server key1=val1 key2=val2 ...
Our logging framework used to strnvisx(3) each and every line
iff it is written to a FILE. This is often unhelpful because
the line usually contains a number of elements that have already
been quoted and it makes the logs much more difficult to read in
this case. An example if krb5_unparse_name() which will already
quote most characters that one cares about.
We change the behaviour to simply drop unprintable characters
rather than encoding them. We thus rely on the rest of the
code to properly encode data elements written into the logs.
This commit adds a few functions for marking KU, EKUs, and SANs as
authorized, and for getting a count of unsupported certificate
extensions requested, and a count of authorized KU/EKUs/SANs.
The intent is to make it easier to build CSR authorization and CA code
that is robust in the face of future support for certificate extensions
and SAN types not currently supported. An application could parse a
CSR, iterate all KU/EKUs/SANs, check a subject's authorization to them,
mark them authorized where authorized, then check if there are any
remaining unauthorized extensions or unsupported extensions requested.
Ultimately, if a CSR's KU/EKUs/SANs are all authorized, then they can
all be copied to a TBS, and a certificate can be issued.
In 0cc708ba36, we removed the definition of id-ms-client-authentication
without a corresponding removal from lib/asn1/libasn1-exports.def.
Maybe we should generate lib*-exports.def?
This will help programs that need to URL-escape strings.
Also, this changes `do_hvis()` to not fallback on `do_svis()` for chars in
`extra` -- that `do_hvis()` was doing that seems like an oversight. Christos
Zoulas, of NetBSD, agrees. `do_hvis()` still falls back on `do_svis()` for
characters not in the RFC 1808 / 3986 to-be-escaped set *and* characters not in
the `extra` set -- that much seems to have been the intent.
Now that we're using krb5_net_write() with non-blocking sockets in
ipropd_master, we MUST correctly account for partial writes.
Therefore, roken net_write() called from krb5_net_write() now
returns the number of bytes written when the socket error was
EWOULDBLOCK (or EAGAIN).
Also, fix potential issue on Windows, where errno was used instead
of rk_SOCKET_ERRNO whether or not we used _write() or send().
The Verisign and Symantec timestamping services have been shutdown.
Switch to the Digicert service which replaced the Symantec services
as of 31 Oct 2019.
http://timestamp.digicert.com
Change-Id: I365e6c3698b8fc99b18e8d1e5a54ce3519f3c5eb
Most consumers of PEM files don't care about the order in which private
keys and certificates are stored. However, Postfix does care when
multiple EE certs (and chains) are stored in a file, in which case it
requires that private keys come before their certificates.
Refactor and enhance TGT forwarding to allow forwarding of leaf
(destination) TGTs for selected destination realms.
Enhance kinit(1) to renew non-origin realm tickets
Document delegate-destination-tgt
Use the newly implemented _krb5_mk_1cred().
We define the meaning of the various log levels in the man page
for krb5_openlog(3). If logging configured and levels are not
specified, we change the default levels to 0-3 which should exclude
debugging messages which are generally only desired in exceptional
circumstances.
We also go through the KDC and adjust the levels to be appropriate.
This commit adds support for proof of posession to the kx509 protocol by
using PKCS#10 CSRs.
This allows conveyance of extReq CSR attributes requesting desired
Certificate Extensions.
This is necessary in order to add proper support for CSRs in kx509,
where the KDC can examine all requested KUs/EKUs/SANs, check
authorization, and issue a certificate with all those extensions if
authorized.
This is the convention used by OpenSSL, of encoding all the KU, EKUs,
and SANs being requested as Extensions as they would appear in the
TBSCertificate, then putting those in as a single Attribute in the CSR's
Attributes list with attribute OID {id-pkcs-9, 14}.
- expose all hx509_request_*() functions
- finish support in hx509_request_parse*() for KU, EKU, and SAN CSR
attributes
- finish support in hx509_request_to_pkcs10() for encoding all
requested KU, EKU, and SAN extensions as a CSR extReq (extension request)
- add hx509_request_add_*() support for:
- id-pkinit-san and ms-upn-pkinit-san
- XMPP (Jabber) SAN
- registeredID (useless but trivial)
- add hxtool request-create options for all supported SANs
- add hxtool request-create options for KeyUsage
- add hxtool request-create options for ExtKeyUsage
- add hxtool request-print support for all these things
- fix bugs in existing id-pkinit-san handling
Possible future improvements
- add HX509_TRACE env var and support (it would be nice to be able to
observe why some certificate is rejected, or not matched in a query)
- add testing that CSR creating and printing round-trip for all KUs,
EKUs, and SANs
(probably in tests/kdc/check-pkinit.in)
- add testing that OpenSSL can print a CSR made by hxtool and
vice-versa
- hxtool ca: add KU sanity checking (via hx509_ca_sign() and/or friends)
(don't allow encrypt for signing-only algs)
(don't allow encrypt for RSA at all, or for RSA with small e exponents)
- hxtool request-print: warn about all unknown attributes and
extensions
- hxtool ca: MAYBE add support for adding requested extensions from the
--req=CSR
("Maybe" because CA operators should really verify and authorize all
requested attributes, and should acknowledge that they have, and the
simplest way to do this is to make them add all the corresponding
CLI arguments to the hxtool ca command, but too, that is
error-prone, thus it's not clear yet which approach is best.
Perhaps interactively prompt for yes/no for each attribute.)
- add additional SAN types:
- iPAddress (useless?)
- dNSSrv (useful!)
- directoryName (useless, but trivial)
- uniformResourceIdentifier (useful)
- it would be nice if the ASN.1 compiler could generate print
functions..., and/or even better, to-JSON functions
- it would be nice if we had a known-OID db, including the names of the
types they refer to in certificate extensions, otherName SANs and CSR
attributes, then we could generate a CSR and certificate printer for
all known options even when they are not supported by the rest of
Heimdal
- and we could also get friendly names for OIDs, and we could
resolve their arc names
- longer term, we could also stand to add some ASN.1 information
object system functionality, just enough to make
lib/hx509/asn1_print awesome by being able to automatically decode
all heim_any and OCTET STRING content (better than its current
--inner option)
This commit adds support for kx509 in libkrb5, and revamps the KDC's
kx509 service (fixing bugs, adding features).
Of note is that kx509 is attempted optimistically by the client, with
the certificate and private key stored in the ccache, and optionally in
an external PEM or DER file.
NOTE: We do not optimistically use kx509 in krb5_cc_store_cred() if the
ccache is a MEMORY ccache so we don't generate a key when
accepting a GSS context with a delegated credential.
kx509 protocol issues to be fixed in an upcoming commit:
- no proof of possession (this is mostly not too bad, but we'll want to
fix it by using CSRs)
- no algorithm agility (only plain RSA is supported)
- very limited (no way to request any options in regards to the
requested cert)
- error codes are not very useful
Things we're adding in this commit:
- libkrb5 kx509 client
- automatic kx509 usage hooked in via krb5_cc_store_cred() of start TGT
- per-realm templates on the KDC side
- per-realm issuer certificates
- send error messages on the KDC side
(this is essential to avoid client-side timeouts on error)
- authenticate as many error messages
- add a protocol probe feature so we can avoid generating a
keypair if the service is not enabled
(once we add support for ECC algorithms we won't need this
anymore; the issue is that RSA keygen is slow)
- support for different types of client principals, not just username:
- host-based service and domain-based service, each with its own
template set per-{realm, service} or per-service
(the idea is to support issuance of server certificates too, not
just client/user certs)
- more complete support for SAN types
- tests (including that PKINIT->kx509->PKINIT works, which makes it
possible to have "delegation" of PKIX credentials by just delegating
Kerberos credentials)
- document the protocol in lib/krb5/kx509.c
Future work:
- add option for longer-ticket-lifetime service certs
- add support for ECDSA, and some day for ed25519 and ed448
- reuse private key when running kinit
(this will require rethinking how we trigger optimistic kx509
usage)
- HDB lookup for:
- optional revocation check (not strictly necessary)
- adding to certificates those SANs listed in HDB
- hostname aliases (dNSName SANs)
- rfc822Name (email)
- XMPP SANs
- id-pkinit-san (a user could have aliases too)
- support username wild-card A RRs, ala OSKT/krb5_admin
i.e., if a host/f.q.d.n principal asks for a certificate for
some service at some-label.f.q.d.n, then issue it
(this is not needed at OSKT sites because OSKT already
supports keying such service principals, which means kx509
will issue certificates for them, however, it would be nice
to be able to have this independent of OSKT)
(a better way to do this would be to integrate more of OSKT
into Heimdal proper)
- a kx509 command, or heimtools kx509 subcommand for explicitly
attempting use of the kx509 protocol (as opposed to implicit, as is
done in kinit via krb5_cc_store_cred() magic right now)
Issues:
- optimistically trying kx509 on start realm TGT store -> timeout issues!
- newer KDCs will return errors because of this commit; older ones
will not, which causes timouts
- need a separate timeout setting for kx509 for optimistic case
- need a [realm] config item and DNS SRV RR lookup for whether a
realm is expected to support kx509 service
Now we'll use mkostemp() and rename() into place to make
hx509_certs_store() atomic for FILE/DER-FILE/PEM-FILE stores.
This is not ideal, as it can leave temp files in place if a process
crashes in between the mkostemp() and the rename into place.
On Linux we'll eventually make use of O_TMPFILE and linkat(). The idea
will be to first create an anonymous, zero-link file in the directory
that will contain the file at the end, write the file, then linkat() the
file into place as a .new file, then rename() the .new into place. That
will limit the amount of junk that may be left behind to just one file.
(If the linkat() fails, then unlink() the .new and try again. If the
rename() fails that just means the caller raced with another and the
operation is complete.)
We should really make a lib/roken interface that does this.
Prior to this commit the Heimdal ASN.1 compiler supported DEFAULTing
SEQUENCE fields on the encoder side, but not the decoder side, where
ASN1_MISSING_FIELD would inevitably result when fields were defaulted.
This patch adds the missing decode-side support for DEFAULT.
This commit adds functions for finding OIDs by symbolic name, meaning by
their symbolic names given in the ASN.1 modules that define them.
TBD:
- Resolve OIDs to names.
- Support a file in /etc for additional OID resolution.
- Add support for resolving OID arc names.
This will help us generate a directory of OIDs from all the ASN.1
modules in lib/asn1, which will then help us create an hx509 API for
resolving OIDs to/from friendly names, which ultimately will help us
make hxtool more user-friendly.
When a slave is many diffs behind, send these in batches of up to
50, then handle other slaves.
This also implements a fast-path that makes incremental diffs faster
when the log has not rolled over.
Related code cleanup.
If a slave is slow to consume what the master sends it, the master can
block and all iprop operations with it.
With minimal effort we make the master async oriented.
ipropd-master sends AYT messages often as a result of a possibly-
transient error, but if the slave responds to such an AYT with I_HAVE,
then the same code path that failed will be executed on the master, and
if the error wasn't transient then we'll loop hard. So don't send an
I_HAVE in response to an AYT.
Refactor krb5_cc_set_default_name() by splitting out the part that looks
for a configured default ccache name. This will allow one to check if a
given ccache is a default ccache for a process ignoring KRB5CCNAME,
which might prove useful in the kx509 client.
It's still not supported, but at least it generates valid JSON now.
Note that --json w/o -v is functional but has issues, specifically the
rtbl_add_column_entry() does not encode strings properly for output as JSON
strings. Fixing this will take significantly more effort. One wonders if it
might not be better to use a proper JSON library instead of the rtbl stuff.
Move init/copy/destroy fallback sequence from fcc_move() to
krb5_cc_move().
Make sure all backends's move() method calls krb5_cc_destroy() on the
source on success (and only on success).
In text_cc make sure that we can find in the destination the cred
stored into the source.
This is necessary in order to have more control over, e.g., template
certificates for kx509. But also it's good to have this more generally.
Some batteries not included. Specifically: no attempt is made to validate that
given KeyUsage values are compatible with the subjectPublicKey's alrogithm and
parameters.
```
hxtool request-create --subject=... \
--generate-key=... \
--key-bits=... \
--key=STORE \
store
```
wants to generate a key, store it in the location specified by the --key
argument, then read it back, then generate the CSR, and store it in
`store`.
But it didn't work because for generating a key this really wants the
`--key` argument to be a file path into which a raw DER-encoded RSA key
will be written (only RSA is supported, ay!), but for reading the key
back it uses `hx509_certs_init()`, which wants `TYPE:name` keystore
specification. A deadly embrace.
Now that we have improved libhx509 functionality for reading/writing
private keys from/to PEM files we use this functionality and require a
store type in the `--key=STORE` argument.
This commit adds:
- hx509_cert_init_private_key() for creating an hx509_cert object that
has just a private key
- hx509_cert_have_private_key_only() for checking whether an hx509_cert
object has just a private key
This also generalizes the get_key() internal function in hxtool, which
is tasked with reding or generating a private key for use in signing
CSRs. Now hxtool request-create can read/write private keys to/from PEM
files, not just DER files.
This is needed to support key types other than just RSA for CSRs and
certificates.
The header file was not installed, and the manpage had the wrong
name for the plugin load function, it is "krb5_plugin_kuserok_plugin_load",
not "kuserok_plugin_load".
%{loginname} is for getlogin_r().
Now %{username} uses only the $USER and $LOGNAME environment variables
(if the caller is not set-uid), or if absent or the caller is set-uid,
then getpwuid_r().
The intent is to allow kadmin(1) to use the loginname instead of the
username for the construction of the kadmin client principal name. This
is helpful when the user runs kadmin as root via sudo and/or su.
In order to support certain use cases, we implement a mechanism to
allow wildcard principals to be defined and for the KDC to issue
tickets for said principals by deriving a key for them from a
cluster master entry in the HDB.
The way that this works is we defined an entry of the form:
WELLKNOWN/DERIVED-KEY/KRB5-CRYPTO-PRFPLUS/<hostname>@REALM
When reading from the Kerberos DB, if we can't find an entry for
what looks like a hostbased principal, then we will attempt to
search for a principal of the above form chopping name components
off the front as we search.
If we find an entry, then we derive keys for it by using
krb5_crypto_prfplus() with the entry's key and the principal name
of the request.
When the master sees a burst of updates (perhaps sustained), the
slaves "I_HAVE" messages can fall behind the version we've already
sent, and the unpatched code would retransmit already sent diffs!
This can result in substantial amplification (in a local test, 3000
ops turned into 427,000 ops). Though the number of *messages* sent
was actually somewhat smaller, the ever growing message size
ultimately leads to failure.
krb5_cc_cache_match() searches all ccache collections for a ccache that
has credentials for a given principal name. This includes MEMORY
ccaches, which means it can find the same ccache as is referenced by a
GSS cred handle given to gss_store_cred(), which means that
gss_store_cred() can fail.
For now we work around this by including a private variant of
krb5_cc_cache_match() that only searches the default ccache, not all
collections. Eventually we should ensure that krb5_cc_default() also
searches all collection-type (other than MEMORY) ccaches for a default
credential, then we can go back to using krb5_cc_cache_match() (though
we'll need to make sure that MEMORY is searched last or not at all).
* Anonymous pkinit responses from the KDC where the name
type is not well-known (as issued by 7.5 KDCs and earlier)
are accepted by the client. There is no need for the client
to strictly enforce the name type.
* With historical_anon_pkinit = true, the kinit(1) client's
"--anonymous" option only performs anon pkinit, and does
not require an '@' prefix for the realm argument.
* With historical_anon_realm = true, the KDC issues anon
pkinit tickets with the legacy pre-7.0 "real" realm.
Drafts 0 through 10 of the Kerberos anonymity internet draft,
https://tools.ietf.org/html/draft-ietf-krb-wg-anon, specified the
TicketFlags.anonymous flag as bit 14 and the KDCOptions.anonymous
flag as bit 14. These were changed to bit 16 by MIT after it was
discovered that Microsoft used KDCOptions bit 14 for S4U2Proxy
cname-in-addl-tkt.
(Feb 2007) Heimdal added constrained delegation support prior to
1.0 but named the KDCOptions flag constrained_delegation instead of
cname-in-addl-tkt as per MS-SFU. It also assigned bit 16 instead
of bit 14. Perhaps this was done in the hope that the conflict
with Microsoft would be resolved in favor of the IETF internet
draft instead of the proprietary protocol extension.
adf9121822 ("Add PA-ClientCanonicalized
and friends.") introduced the KDCOptions.constrained_delegation flag
as bit 16.
(June 2007) In order to make Heimdal's constrained delegation work
with Microsoft's implementation Heimdal began to set both KDCOptions
bits 14 and 16 when requesting constrained delegation.
d5bb7a7c56 ("(krb5_get_creds): if
KRB5_GC_CONSTRAINED_DELEGATION is set, set both") set both the
anonymous and constrained_delegation TicketFlags when issuing a
S4U2Proxy request.
(June 2010) MIT reassigned the KDCOption.anonymous and
TicketFlags.anonymous flags to bit 16. draft-ietf-krb-anon-11
was published with this change.
(July 2014) After the release of Heimdal 1.5.0 and prior to 1.5.1
it was noticed that Heimdal's anonymous TGT support did not
interoperate with MIT.
86554f5a7f ("Use correct value for
anonymous flags") swapped the bit assignments for request_anonymous
and constrained_delegation but failed to remove the setting of
KDCOptions bit 16 ("anonymous") when requesting constrained
delegation.
(May 2019) Prior to the 7.6 release many corrections to Heimdal's
anonymity support were introduced to bring it into compliance
with RFC8062. This included support for requesting anonymous
tickets via the TGS service. Because not all KDC can satisfy
anonymous requests the client must verify if the response was
anonymized. This check wasn't added until after 7.6 was
released.
014e318d6b ("krb5: check KDC
supports anonymous if requested").
The combination of setting KDCOption.anonymous when requesting
constrained delegation and the anonymized ticket validation
broke S4U2Proxy requests to Windows KDCs. Windows KDCs ignore
the KDCOption.anonymous flag when processing a TGS request
with KDCOption.cname-in-addl-tkt set.
ea7615ade3 ("Do not set
anonymous flag in S4U2Proxy request") removed the behavior
of setting the KDCOption.anonymous flag that should have
been removed in July 2014.
(June 2019) The Heimdal KDC includes fallback logic to handle
Heimdal clients from 1.0 to 1.5.0, inclusive, that set the
KDCOptions.anonymous flag as bit 14. Prior to the 7.7 release
this logic only handled AS request but failed to handle the
constrained delegation request case where both bits 14 and 16
were set in the TGS request.
cdd0b70d37 ("kdc: don't misidentify
constrained delegation requests as anonymous") added the TGS
request validation to distinguish anonymous requests from
constrained delegation requests.
This change documents the history in the commit message and
updates some in-tree comments.
Change-Id: I625cd012e2e6c263c71948c6021cc2fad4d2e53a
Earlier (pre-7.6) Heimdal clients would send both the request-anonymous and
cname-in-addl-tkt flags for constrained delegation requests. A true anonymous
TGS request will only have the former flag set. Do not treat TGS requests with
both flags set as anonymous requests.
_kdc_is_anon_request() is only used by the AS, so make it static.
Centralize anonymous poilcy checks shared between AS and TGS into a shared
function, _kdc_check_anon_policy().
When issuing an anonymous ticket, set the ticket flag early and test that
rather than re-testing the request.
backends
When running with verify-password-quality and a back-end that stores
history (such as heimdal-history) this command can cause an update to
the database meaning the password can no longer be used with this
principal in the future
At one point in time, the configuration option was named
"password-quality" but this was later changed to
"verify-password-quality". Update the kadmin(1) man page to reflect
this change.
On Solaris, the memset_s() prototype is only visible if _STDC_C11_BCI
is defined.
93518bfab4 ("use memset_s")
introduced warnings on Solaris
warning: implicit declaration of function âmemset_sâ;
did you mean âmemsetâ? [-Wimplicit-function-declaration]
Change-Id: Ia02db5e96021a26fb30aa1a593ef6a2b3e3a5b5f
The fix involves:
- Removing HAVE_STRFTIME from config.h.w32
- Adding strftime.c to the makefile
- Defining timezone and tzname to their windows equivalent
for the compile of this module
MIT prefers underscores in ccache configuration file keys, so in the interest
of future interoperability use anon_pkinit_realm instead of anon-pkinit-realm
when storing the anonymous PKINIT TGS realm.
The Microsoft compiler cannot handle multiple const modifiers
for the same type. It is also unhappy with the output pointer
parameter being declared const.
This change introduces new typedefs and cast of the dlsym() return
type to prevent warnings.
Change-Id: Ia92645efab8d2ec6745339a6f47c690782ae730a
Rename common_plugin_ftable to krb5_plugin_common_ftable.
Create lib/krb5/common_plugin.h to include the structure and typedef.
The common_plugin.h header is now included by ccache_plugin.h
along with a prototype for the required ccache_ops_plugin_load()
function.
Change-Id: I2b27d6d0f5cf0544482c3f01784fef945e12e8d8
As with the krb5plugin_an2ln_ftable_desc, krb5plugin_db_ftable_desc,
and krb5plugin_kuserok_ftable_desc the function pointers in
common_plugin_ftable_desc must be annotated with KRB5_LIB_CALL.
Change-Id: Ia7ea78743ee9eb8c7f6b648063852ca91a360d2c
Only fallback to loading the plugin function table directly if
if the initialization function is not exported. Failing a
consistency check should not permit falling back to a potentially
incompatible function table.
Change-Id: Ic753ed9a090aef6073853f7309f0f8f0f29d0aa9
Anonymous PKINIT tickets discard the realm information used to locate the
issuing AS. Store the issuing realm in the credentials cache in order to locate
a KDC which can renew them.
When generating KRB5SignedPath in the AS, use the reply client name rather than
the one from the request, so validation will work correctly in the TGS.
even if tgt used an enctype with a different checksum.
Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is always
HMAC_MD5, and that's what Windows and MIT clients send.
In heimdal both the client and kdc use instead the
checksum of the tgt, and therefore work with each other
but windows and MIT clients fail against heimdal KDC.
Both Windows and MIT KDC would allow any keyed checksum
to be used so Heimdal client work fine against it.
Change Heimdal KDC to allow HMAC_MD5 even for non RC4
based tgt in order to support per-spec clients.
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Before committing to a PKCS#11 mechanism, check that it can provide the
required encryption or digest services by validating the flags returned by
C_GetMechanismInfo().
Commit bdcd7d2f moved the KRB5_ANON_MATCH_xxx preprocessor symbols to krb5.h,
but did not remove the originals from krb5_locl.h. This commit removes them.
The combination of 8740528b24
("Windows-compatible sentinel socket type and value") and
d497d7e4a7 ("krb5_sendto_kdc:
failover for multiple AAAA/A RRs on one domain") broke
all the send to kdc loop on Windows. rk_socket_t is
a HANDLE and rk_INVALID_SOCKET is the max value. Therefore,
no valid socket will be larger and all communications
will fail.
Change-Id: I3464f78d67b19f14050ad7a01738fb32bac99385
_krb5_principal_is_anonymous() is used outside lib/krb5 and
therefore it needs to be properly exported and its flag macros
need to be in a public header: krb5.h not krb5_locl.h.
Including krb5_locl.h from within kuser_locl.h for instance
results in build failures on Solaris.
This change renames the function and makes it part of the public
api.
Change-Id: I130d1698b10bdbd150b95e8c7d32dfc362889ce6
RFC8062 Section 7 requires verification of the PA-PKINIT-KX key excahnge
when anonymous PKINIT is used. Failure to do so can permit an active
attacker to become a man-in-the-middle.
Introduced by a1ef548600. First tagged
release Heimdal 1.4.0.
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.8)
Change-Id: I6cc1c0c24985936468af08693839ac6c3edda133
Signed-off-by: Jeffrey Altman <jaltman@auristor.com>
Approved-by: Jeffrey Altman <jaltman@auritor.com>
S4U2Self is an extension to Kerberos used in Active Directory to allow
a service to request a kerberos ticket to itself from the Kerberos Key
Distribution Center (KDC) for a non-Kerberos authenticated user
(principal in Kerboros parlance). This is useful to allow internal
code paths to be standardized around Kerberos.
S4U2Proxy (constrained-delegation) is an extension of this mechanism
allowing this impersonation to a second service over the network. It
allows a privileged server that obtained a S4U2Self ticket to itself
to then assert the identity of that principal to a second service and
present itself as that principal to get services from the second
service.
There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal
KDC checks the checksum that is placed on the S4U2Self packet by the
server to protect the requested principal against modification, it
does not confirm that the checksum algorithm that protects the user
name (principal) in the request is keyed. This allows a
man-in-the-middle attacker who can intercept the request to the KDC to
modify the packet by replacing the user name (principal) in the
request with any desired user name (principal) that exists in the KDC
and replace the checksum protecting that name with a CRC32 checksum
(which requires no prior knowledge to compute).
This would allow a S4U2Self ticket requested on behalf of user name
(principal) user@EXAMPLE.COM to any service to be changed to a
S4U2Self ticket with a user name (principal) of
Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
the modified user name (principal).
==================
CVSSv3 calculation
==================
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)
=========================
Workaround and Mitigation
=========================
If server does not take privileged actions based on Kerberos tickets
obtained by S4U2Self nor obtains Kerberos tickets via further
S4U2Proxy requests then this issue cannot be exploited.
Note that the path to an exploit is not generic, the KDC is not harmed
by the malicious checksum, it is the client service requesting the
ticket being mislead, because it trusted the KDC to return the correct
ticket and PAC.
It is out of scope for Samba to describe all of the possible tool
chains that might be vulnerable. Here are two examples of possible
exploits in order to explain the issue more clearly.
1). SFU2Self might be used by a web service authenticating an end user
via OAuth, Shibboleth, or other protocols to obtain a S4U2Self
Kerberos service ticket for use by any Kerberos service principal the
web service has a keytab for. One example is acquiring an AFS token
by requesting an afs/cell@REALM service ticket for a client via
SFU2Self. With this exploit an organization that deploys a KDC built
from Heimdal (be it Heimdal directly or vendor versions such as found
in Samba) is vulnerable to privilege escalation attacks.
2). If a server authenticates users using X509 certificates, and then
uses S4U2Self to obtain a Kerberos service ticket on behalf of the
user (principal) in order to authorize access to local resources, a
man-in-the-middle attacker could allow a non-privilaged user to access
privilaged resources being protected by the server, or privilaged
resources being protected by a second server, if the first server uses
the S4U2Proxy extension in order to get a new Kerberos service ticket
to obtain access to the second server.
In both these scenarios under conditions allowing man-in-the-middle
active network protocol manipulation, a malicious user could
authenticate using the non-Kerborized credentials of an unprivileged
user, and then elevate its privileges by intercepting the packet from
the server to the KDC and changing the requested user name (principal).
The only Samba clients that use S4U2Self are:
- the "net ads kerberos pac dump" (debugging) tool.
- the CIFS proxy in the deprecated/developer-only NTVFS file
server. Note this code is not compiled or enabled by default.
In particular, winbindd does *not* use S4U2Self.
Finally, MIT Kerberos and so therefore the experimental MIT KDC backend
for Samba AD is understood not to be impacted.
===============
Further Reading
===============
There is more detail on and a description of the protocols in
[MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained
Delegation Protocol
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
=======
Credits
=======
Originally reported by Isaac Boukris and Andrew Bartlett of the Samba
Team and Catalyst.
Patches provided by Isaac Boukris.
Advisory written by Andrew Bartlett of the Samba Team and Catalyst,
with contributions from Isaac Boukris, Jeffrey Altman and Jeremy
Allison.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685
Change-Id: I4ac69ebf0503eb999a7d497a2c30fe4d293a8cc8
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
Signed-off-by: Jeffrey Altman <jaltman@auristor.com>
We found that the libraries behaviour when dealing with domains with
more than one entry in them is slightly suboptimal. The situation
was
kdc1 IN A 1.2.3.4
kdc1 IN AAAA ff02::1
I.e. a single hostmame with both IPv6 and IPv4 addresses. When we
run krb5_sendto_kdc on a box with only IPv4 addresses, there is a
3s delay before it fails back to the IPv4 address. This is because
the library sets the 2nd address on each hostname to be 3s in the
future and each additional one another 3s.
We change wait_response() s.t. if one is able to make progress, we
iterate over the list of hosts and move them all 1s forward. We
also modify submit_request() to skip hosts if host_connect() fails.
Add macros to give symbolic names to the flags which can be passed to
krb5_get_init_creds_opt_set_pkinit(). Reserve flags for BTMM and not validating
KDC anchors.
Add _krb5_principal_is_anonymous() private API for checking if a principal is
anonymous or not. The third argument determines whether to match authenticated
anonymous, unauthenticated anonymous, or both types of principal.
Allow non-anonymous tickets to be used to obtain an anonymous service ticket,
by setting the anonymous KDC option. Do not include Win2K PAC in anonymous
service tickets. Validate anonymous flags per RFC 8062.
RFC8062 section 4.1 allows clients with long-term KDC keys to set the anonymous
flag; in this case their identity is authenticated but the returned ticket
contains the anonymous principal name as the client name.
kdc: allow authenticated anonymous PKINIT
The KDC PKINIT code conflated the checks for authenticated and unauthenticated
anonymous by only looking at the anonymous KDC request option.
The utility function _kdc_make_anonymous_principalname() previously returned a
principal of "anonymous" rather than "WELLKNOWN/ANONYMOUS", as specified by
RFC8062. This is not used by the AS-REQ code.
The PAC will typically contain information that may reveal the identity of a
principal. Do not include it for anonymous requests, at least until such time
as the PAC plugin API supports indicating that the request was anonymous.
RFC 8062 states that if the client in the AS request is anonymous, the
anonymous KDC option must be set in the request; otherwise, KDC_ERR_BADOPTION
must be returned. We were previously returning KDC_ERR_C_PRINCIPAL_UNKNOWN.
95eb83c424 ("roken: Add roken_get_username() and friends")
failed to copy the username C-String NUL terminator. As a result
a "DOMAIN\user" is returned as "userIN\user".
Change-Id: I10027e4eef18364074eecf385fa9fab1ae68dbe7
Modern OpenSSL no longer has the 2038 year restriction. Update the
certs to last 500 years rather than 10 years.
Modern crypto requirements suggest a stronger key strength than 1024.
Update to use a minimum of 4096.
Fix executable bit on gen-req.sh
We choose a semantic for the file offset during truncate operations
which is to leave the offset as is unless it is off the end of the
file in which case we pull it back in to the end. We update fd and
stdio handling to match the {,e}mem behaviour.
The rk_UNCONST macro exists because neither __DECONST nor uintptr_t
are available on all platforms (for example, AIX).
Change-Id: Ie36f0dd7a9ce454d411761ee4dbd6fc1f7c6692c
b10ad7eb57
("roken: strtoll.c negation is a no-op on unsigned integer")
broke strtoll() by failing to assign 'ret' in the success case.
Change-Id: I30535d83a2bef305140f1a6bd1ed2eeba23db9b9
strtoull() returns an unsigned long long. However, then the input
string represents a negative number the return value is supposed to
be the unsigned representation of the negative value. Before applying
the negation the value must be cast to (long long).
Change-Id: Icf9e75400ff736819b1f7e0e6fb3c8abd707a23a
strtoll() returns a signed long long not an unsigned long long.
When applying the negation for negatives the value must be cast
from unsigned to signed and then stored in a signed variable
before returning it.
Change-Id: If568afd2509d27c7bf206ca59d32ca150cb34857
__declspec not _declspec
Include "err.h" not <err.h>
Include "roken.h" before "err.h"
Indent "#if" as "# if" within roken.h.in when CPP rules must be copied
into the generated "roken.h".
Correct verr() attribute to be ROKEN_LIB_NORETURN_FUNCTION.
Change-Id: I4289ecaba4a097175b4a5a1cde529b59038c72e3
chpass_principal_with_key_hook_cb added by 57c25d9828 must be
KRB5_LIB_CALL for 32-bit Windows builds.
Change-Id: Ifd61caeee76f9d048bb13f93e226b99ce7e8b75c
On 32-bit Windows Intel builds the __cdecl and __stdcall calling
conventions are different so labeling the functions that are
exported or assigned to function pointers matters.
Change-Id: I03b6f34baeb9ffb2e683fd979f12f27a5078a4da
the code generated by asn1_compile.exe includes a large number
of unreferenced local variables. The resulting warnings drown
out other potentially more serious warnings.
This change suppresses the C4101 warnings in the generated
source files.
Change-Id: I17642ff427f457c885b1eb0e62436f3bc9057ee1
Heimdal declares functions that never return as non-void. Suppress
the following warnings now that functions are labeled 'noreturn'.
4646 - function declared with __declspec(noreturn) has non-void return type
4716 - 'function' must return a value
Change-Id: Id85cc435e99688bae7326a723a5a80d828859bf2
The 'plugin_prefix' variable was declared 'const' which generates
a warning because the C string is freed.
This change removes the 'const' designation.
Change-Id: I6f3838d6dbf1bb496f286c96aea96bae8948930d
gss_acquire_cred_from() is an exported function and therefore
must be tagged with GSSAPI_LIB_FUNCTION and GSSAPI_LIB_CALL.
Change-Id: I80918cb8083eaeac2d0eba5347f7b428e997cfaa
Add a hook for changing a password with a key. This hook should be consolidated
into one shared with randkey and setkey, but for now I have continued to have
the hooks follow the kadm5 APIs themselves in both signature and quantity.
(This means the randkey one isn't actually very useful because it doesn't
provide the hook with the keys.)
Now that we always enforce password quality policies, ktutil get fails
because it uses "x" as a password when creating a principal.
Of course, it's probably a misfeature that ktutil get creates principals when
they don't exist...
If the salt for the AS-REP client key matches the default password salt for the
client principal in the AS-REQ, then it can be omitted from the PA-ETYPE-INFO,
PA-ETYPE-INFO2 (RFC4120) as the client will assume the default salt in its
absence.
Older databases may lack explicitly stored salts where the salt is the default
one. When fetching a client entry for an AS-REQ, add default salts to keys that
lack one.
Heimdal's current behavior regarding the generation of PA-ETYPE-INFO2
and PA-ETYPE-INFO violates RFC4120 in two ways:
1. when generating responding both PA-ETYPE-INFO2 and PA-ETYPE-INFO
the hints returned in the inverse order: INFO then INFO2 instead
of INFO2 then INFO.
2. the determination that both PA-ETYPE-INFO2 and PA-ETYPE-INFO is
currently based upon the KDC selected enctype when it should be
determine based upon examining the entire enctype list specified
by the requesting client.
This change corrects the behavior to follow the RFC4120 guidance.
Change-Id: I6ebda8a813c25f9296f10314e32e93a22380ca72
Whilst Windows does not canonicalize enterprise principal names if the
canonicalize flag is unset, the original specification in
draft-ietf-krb-wg-kerberos-referrals-03.txt says we should. Non-Windows
deployments of Heimdals are unlikely to understand enterprise principal names
in tickets, and are also unlikely to set the canonicalize flag, so this makes
sense. (It was also the behavior prior to moving the name canonicalization
logic into the KDC.)
This reverts commit 1b7e196e66.
It turns out that, contrary to the referrals draft, Windows does not
canonicalize enterprise principal names if the canonicalize KDC option is
unset.
Enterprise principal client names in AS-REQs should always be canonicalized
irrespective of the setting the canonicalize KDC option. Perform this check in
the KDC rather than HDB.
Do not set the HDB_F_GET_KRBTGT flag unless the client actually requested a TGS
principal.
Mirroring the logic recently introduced in the TGS, this patch modifies the KDC
to perform client and server canonicalization itself rather than relying on the
backend to do so. Per RFC 6806, the behavior is slightly different for the AS
in that the setting of the canonicalize flag in the AS-REQ does impact the
returned names in the ticket. In order to support realm canonicalization or
other custom behavior, we allow the backend to force the KDC to canonicalize by
setting the force-canonicalize flag in the returned client or server entries.
e11abf41 added support in libhdb for always dereferencing principal aliases
during an AS-REQ (where dereferencing refers to enabling alias lookups, and
rewriting the returned entry with the alias name unless canonicalization was
enabled).
Due to the KDC setting HDB_F_FOR_AS_REQ for all lookups from the AS, this
allowed aliases on the TGS itself to be dereferenced during an AS-REQ; however,
on presenting the TGT, the TGS would fail to resolve. Creating an explicit TGS
principal for the aliased realm would work (at least prior to c555ed6a), but
this could be confusing to deploy.
This commit changes enables alias dereferencing when HDB_F_GET_ANY is set,
which essentially means dereference whenever the request is coming from the KDC
(as opposed to, say, kadmin).
We also backout c555ed6a, which changed the TGS to always canonicalize the
server realm, as this breaks serving multiple realms from a single KDC, where
server principals in different realms share a single canonical entry.
HDB_F_CANON is now passed to the backend as a hint only, and per RFC 6806 the
principal name is never changed in TGS replies. (However, for Samba interop,
backends can override this by setting the force-canonicalize HDB flag.)
windc doesn't link against libkdc, so it doesn't need to check its instance;
however, we will continue to export kdc_get_instance() from libkdc in case
other windc plugins do link against it.
warning: incompatible pointer types passing 'int *' to parameter
of type 'size_t *' (aka 'unsigned long *') [-Wincompatible-pointer-types]
Change-Id: Id75b1b1c9b46b63ab61134f4f91b7c2909d87077
Implementation of gss_set_neg_mechs() and gss_get_neg_mechs() as defined in RFC
4178. New gss_release_cred_by_mech() API for dropping a credential from a
mechanism glue credential.
SPNEGO uses the callback function acceptor_approved() in order to determine
which mechanisms to advertise to the initiator in the case that the initiator
sent an empty initial context token. Prior to this commit, that function was
not passed in the acceptor credential (if present), so always uses a default
credential. For correctness, we should only advertise the availability of
mechanisms for which we have a credential.
Refactor plugin framework to use a single list of loaded plugins; add a new
plugin API where DSOs export a load function that can declare dependencies and
export multiple plugins; refactor kadm5 hook API to use krb5 plugin framework.
More information in krb5-plugin(7).
Apple's Heimdal impelmentation uses a number of utility functions for
allocating names and credentials, to avoid calling malloc or calloc directly.
Import them.
Implement the GSS-API credential store API extensions defined by MIT here:
https://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions
Note: we kill off gss_acquire_cred_ext() here. This was never a public API,
although mechanisms could have implemented it and I briefly used it in my
BrowserID prototype mechanism. gss_acquire_cred_ext_from() occupies the place
in the dispatch table where gss_acquire_cred_ext() used to, but this structure
was never visible outside Heimdal (i.e. it is only used by internal
mechanisms);
(Mechanisms that need to accept arbitrary key/value dictionaries from
applications should now implement gss_acquire_cred_from().)
SPNEGO uses the callback function initiator_approved() in order to determine
mechanism availability. Prior to this commit, is not passed in the initiator
credential, so it always uses a default credential. This breaks SPNEGO if a
non-default credential (such as one acquired with
gss_acquire_cred_with_password()) is used. This commit addresses this.
gss_krb5_set_allowable_enctypes() was declared with an array of int32_t types
representing the enctype list, but the definition had an array of krb5_enctype.
Whilst these are likely the same size, they may not be. On the receiving end,
allocate an array of krb5_enctype.
* check `ctx->gc_ctx` in `gss_inquire_context()`
* check `gm_inquire_cred != NULL` in `gss_inquire_context()`
* check `min_lifetime` in `gss_inquire_cred()`
* check `gm_inquire_cred_by_mech != NULL` in `gss_inquire_cred_by_mech()`
* set mech error in `gss_inquire_cred_by_oid()`
* don't clobber error in `gss_inquire_cred_by_oid()`
* don't pass NULL minor_status to `gss_krb5_free_lucid_sec_context()`
* allow NULL ccache in `gss_krb5_ccache_name()`
* NULL names OK in `_gss_find_mn()`
* allow empty names in `gss_import_name()` (removes `input_name_buffer` length
check). to support ANONYMOUS. in `gss_import_name()`, ignore mech name
import failure as long as it's possible to import the name in some other
mechanism
* better argument validation in `gss_export_sec_context()`
* in `gss_compare_name()`, check `mn2 != NULL`
* check `gss_add_oid_set_member()` return code in `gss_indicate_mechs()`
* in `gss_destroy_cred()`, set output cred handle to `GSS_C_NO_CREDENTIAL`
* cast size_t to OM_uint32 where required
In the case that one name has no MNs and the second name only has an MN, then
the order in which the two names are passed in matters, but it shouldn't. Run
the comparison both ways.
Coverity determined that a NULL pointer segmentation fault could occur
if krb5_storage_emem() fails. Use krb5_enomem() to set an error message
on the context and do not perform further krb5_storage operations.
Change-Id: I9587208e46c184bb061443a44581a32dd722de33
- Add --keepold/keepallold/pruneall options to various kadmin/ktutil
commands. Default behavior to "prune old keys".
- When setting keys for a service, we need to specify enctypes for it:
- Always use kadm5_randkey_principal_3() instead of the older
kadm5_randkey_principal().
- Add krb5_string_to_keysalts2(), like MIT's krb5_string_to_keysalts(),
but with a context, and simpler.
- Add --enctypes options to various kadmin/ktutil commands.
- Add [libdefaults] supported_enctypes param with enctype[:salttype]
list.
- Add [realms] realm supported_enctypes param with enctype[:salttype]
list.
Default to aes128-cts-hmac-sha1-96:normal.
libhx509 is not built according to the same export and calling conventions
on Windows as the other libraries. This change declares and applies
HX509_LIB_FUNCTION, HX509_LIB_NORETURN_FUNCTION, HX509_LIB_CALL and
HX509_LIB_VARIABLE to lib/hx509.
As a result of this change the calling convention for exported functions
will be __stdcall instead of __cdecl.
Change-Id: Ibc3f05e8088030ef7d13798f1d9c9b190bc57797
If a memory allocation failure occurs, return an error instead of
triggering a segmentation fault.
Change-Id: I38f5e88ca2f1ba7411b05a35b925168015261eb4
fix breakage introduced by 6341132175
("roken: fix build breakage, AT_HWCAP2 may be undefined (#446)").
Detected by Coverity.
Change-Id: Iefdb73d4392e5184a69a99208945ece6b7b8ecb3
For compatibility with MIT Kerberos, support automatic acquisition of initiator
credentials if a client keytab is available. The default path on non-Windows is
/var/heimdal/user/%{euid}/client.keytab, but can be overriden with the
KRB5_CLIENT_KTNAME environment variable or the default_client_keytab_name
configuration option. If a client keytab does not exist, or exists but does not
contain the principal for which initiator credentials are being acquired, the
system keytab is tried.
It turns out gss_add_cred() really needed a complete rewrite. It's much
better to first have a gss_duplicate_cred() (which has been needed for
other reasons anyways), and use that when the input_cred_handle is not
GSS_C_NO_CREDENTIAL and output_cred_handle is not NULL, then mutate that
duplicate credential handle (or the input_cred_handle if
output_cred_handle is NULL).
When WIN32 is undefined an unreachable code warning was generated
since "/bin/sh" is returned as the default resposne.
Change-Id: I757c9d05db62c1d52fee0e510259098d73273a84
We start slapd in the foreground (-d0) but backgrounded in the shell,
then we wait 4 seconds. This causes a race condition however. This
commit makes the slapd-init script more robust and limits the wait to
however many seconds (up to 30) that slapd needs to start service.
Since c6bf100b password quality checks have been moved out of kadmindd and into
libkadm5. This means that all password changes are subject to quality checks,
if enforce_on_admin_set is true (the default). In rare instances it could be
possible for realm initialization to fail because the randomly generated
passwords do not pass the password quality test. Fix this by creating
principals with no password or key, rather than with a random password.
Random *keys* continue to be set immediately after the principal is created,
and before DISALLOW_ALL_TIX is unset, so there should be no functionality or
security implications from this change. It is safe to call a server-side API
such as kadm5_s_create_principal_with_key() as local_flag is asserted to be
true.
Since c6bf100b password quality checks have been moved out of kadmindd and into
libkadm5. This means that all password changes are subject to quality checks,
if enforce_on_admin_set is true (the default). In rare instances it could be
possible for realm initialization to fail because the randomly generated
passwords do not pass the password quality test. Fix this by creating
principals with no password or key, rather than with a random password.
Random *keys* continue to be set immediately after the principal is created,
and before DISALLOW_ALL_TIX is unset, so there should be no functionality or
security implications from this change. It is safe to call a server-side API
such as kadm5_s_create_principal_with_key() as local_flag is asserted to be
true.
Centralize logging for kadm5 hook failure, log successful hook loading, better
logging on hook load failures and on platforms that do not support dlopen().
The meaning of the two is different and we should
not implicitly set both if one was requested (this
aligns the logic with MIT kinit -C/-E options).
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
The referral function does not handle short names,
so avoid falling over it in case capath fails, in
order to preserve the error code returned by the
KDC (it wasn't a problem before the order between
the two functions has changed).
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Without it, Windows clients will perform an
extra AS-REQ, causing password lockout count
to increase by two instead of one.
This is an alternative to Samba commit:
978bc8681e74ffa17f96fd5d4355094c4a26691c
One difference however, it doesn't return
ENC_TIMESTAMP in PREAUTH_REQUIRED, only the
necessary ETYPE_INFO{,2} (same as Windows).
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
This is used by Samba to set the canonical realm in
case netbios realm was requested (same as Windows).
Regression introduced by upstream commit:
378f34b4be
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
When arc4random() is available, rk_random_init() does not have to
call arc4random_stir(). ac4random_stir() will be called as a result
of the first call to arc4random().
Change-Id: I6f4a3be7c39752746657945ed15896472908f889
Prior to this change a KDC response of KRB5KDC_ERR_SVC_UNAVAILABLE
would result in the client looping forever. Setting the action to
KRB5_SENTO_CONTINUE repeats the current loop without altering the
current state. Hence the infinite loop.
As of this change, the action is set to KRB5_SENDTO_RESET which
forces the current kdc's response to be cleared and then to retry.
If KRB5KDC_ERR_SVC_UNAVAILABLE continues to be returned, the retry
limit will be reached and the loop will end.
This bug was filed by multiple sources including Samba and ScottUrban
on github.
Change-Id: If1611be0ada3422cefae89541ed3b3df1f6efe29
When connect() fails in connect_unix() the path_ctx.fd is not
set to -1 after close(). When common_release() is executed due
to the error return from connect_unix() it calls close() a second
time.
There is no need to call close() from connect_unix(). Remove the
duplicate request.
This issue was reported by YASUOKA Masahiko.
Change-Id: I825e274cc7f12e50a8779a2b62ddb756817cdb52
Update gen-punycode-examples.py for python 3.
gen-punycode-examples.py parses the Sample strings from section 7.1
of rfc3492.txt and generates the punycode_examples.[ch] sources containing
the punycode_examples[].
Python 3 requires that print output be surrounded by parentheses
and the split and join operations have been moved from the "string"
class to built-ins.
This change adds the missing parentheses and switches to the built-in
split and join str operations.
The "string" class is no longer required as an import.
Change-Id: Ic5f341080d2ff2feef692c89e0b28dcbf4e48cb4
Note that this has a slight behavior change to c89d3f3b in order to continue
allow kadmin in local mode to bypass password quality checks. Password quality
checks are always bypassed if the *client* kadmin principal is kadmin/admin,
i.e. that of the kadmin service itself. This is the case when running kadmin in
local mode. As this is the equivalent of a superuser account, one would
anticipate that deployments would use specific administrator instances for
appropriate ACLs for day-to-day administration; operations by these will be
subject to password quality checks if enforce_on_admin_set is TRUE, or if the
user is changing their own password.
This change adds plugin support to the kadmin libraries for performing
actions before and after a password change is committed to the KDC database
and after a change is made to the attributes of a principal (specifically,
a change to DISALLOW_ALL_TIX).
This change adds a hook_libraries configuration option to the [kadmin]
section of krb5.conf (or kdc.conf if you use that file) that must be set
to load the module. That configuration option is in the form:
[kadmin]
hook_libraries = /usr/local/lib/krb5/plugins/kadm5_hook/krb5_sync.so
where the value is the full path to the plugin that you want to load. If
this option is not present, kadmind will not load a plugin and the changes
from the patch will be inactive. If this option is given and the plugin
cannot be loaded, kadmind startup will abort with a (hopefully useful)
error message in syslog.
Any plugin used with this patch must expose a public function named
kadm5_hook_init of type kadm5_hook_init_t that returns a kadm5_hook structure.
See sample_hook.c for an example of this initialization function.
typedef struct kadm5_hook {
const char *name;
uint32_t version;
const char *vendor;
void (KRB5_CALLCONV *fini)(krb5_context, void *data);
krb5_error_code (KRB5_CALLCONV *chpass)(krb5_context context,
void *data,
enum kadm5_hook_stage stage,
krb5_error_code code,
krb5_const_principal princ,
uint32_t flags,
size_t n_ks_tuple,
krb5_key_salt_tuple *ks_tuple,
const char *password,
char **error_msg);
...
};
where enum kadm5_hook_stage is:
enum kadm5_hook_stage {
KADM5_HOOK_STAGE_PRECOMMIT,
KADM5_HOOK_STAGE_POSTCOMMIT
};
init creates a hook context that is passed into all subsequent calls.
chpass is called for password changes, create is called for principal
creation (with the newly-created principal in the kadm5_principal_ent_t
argument), and modify is called when a principal is modified. The purpose of
the remaining functions should be self-explanatory.
returning 0 on success and a Kerberos error code on failure, setting the
Kerberos error message in the provided context. The error code passed in is
valid for post-commit hooks and contains the result of the update operation.
This change is submitted under the following license
Copyright 2012, 2013
The Board of Trustees of the Leland Stanford Junior University
Portions Copyright 2018 AuriStor Inc.
Copying and distribution of this file, with or without modification, are
permitted in any medium without royalty provided the copyright notice and
this notice are preserved. This file is offered as-is, without any
warranty.
Fix a regression introduced in c89d3f3b where administrative password changes
would be logged as user password changes, if enforce_on_admin_set was set.
This patch adds the "enforce_on_admin_set" configuration knob in the
[password_quality] section. When this is enabled, administrative password
changes via the kadmin or kpasswd protocols will be subject to password quality
checks. (An administrative password change is one where the authenticating
principal is different to the principal whose password is being changed.)
Note that kadmin running in local mode (-l) is unaffected by this patch.
Using non-reentrant getpwuid() (or getpwnam(), or getspnam()) can be
dangerous. We had a report of a login application / PAM that calls
those, and Heimdal, by calling them too, clobbered the cached struct
passwd used by the login app / PAM.
We add roken_get_{shell, username, appdatadir, homedir}() functions. These use
a combination of secure_getenv(), getpwuid_r(), getlogin_r(), or various WIN32
functions to get this information.
Use roken_get_appdatadir() instead of roken_get_homedir() when looking for
dotfiles.
We no longer use it since removing ftp from appl/.
Note that expansion of ~username/ couldn't have been working because
k_getpwnam() was being called with an unsigned short * that was forcibly
cast to char *, but it really was shorts, not chars... Anyone who ever
feels like reviving lib/roken/glob.[ch] will want to fix that...
Perform error checking for each function call and consistently return
errors at the point of failure.
Refactor functions to use a common exit path. Preserve error messages
stored in the kadm5_client_context.context when appropriate.
Change-Id: I7aa04020e4de3454066f0d88ba805fed999dbd1a
* Fix -O3 -Werror=unused-result build in dcache.c
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10)
with -O3 -Werror=unused-result
../lib/krb5/dcache.c:85:5: error: ignoring return value of ‘asprintf’, declared with attribute warn_unused_result [-Werror=unused-result]
asprintf(&path, "%s/primary-XXXXXX", dc->dir);
^
../lib/krb5/dcache.c: In function ‘primary_create’:
../lib/krb5/dcache.c:56:5: error: ignoring return value of ‘asprintf’, declared with attribute warn_unused_result [-Werror=unused-result]
asprintf(&primary, "%s/primary", dc->dir);
^
../lib/krb5/dcache.c: In function ‘dcc_gen_new’:
../lib/krb5/dcache.c:423:5: error: ignoring return value of ‘asprintf’, declared with attribute warn_unused_result [-Werror=unused-result]
asprintf(&name, ":%s/tktXXXXXX", dc->dir);
^
../lib/krb5/dcache.c: In function ‘dcc_resolve’:
../lib/krb5/dcache.c:340:2: error: ignoring return value of ‘asprintf’, declared with attribute warn_unused_result [-Werror=unused-result]
asprintf(&dc->name, ":%s/%s", dc->dir, residual);
^
../lib/krb5/dcache.c:348:5: error: ignoring return value of ‘asprintf’, declared with attribute warn_unused_result [-Werror=unused-result]
asprintf(&filename, "FILE%s", dc->name);
^
cc1: all warnings being treated as errors
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* Update dcache.c
When asprintf() fails it is not guaranteed that the output variable will be NULL on all platforms and releases.
* Update dcache.c
After the for loop 'key' cannot have the value -1. The loop
must execute at least once resulting either in the function
returning to the caller or the value of 'key' getting set to
a value other than -1.
Change-Id: Idaf65e3cf3d22a27828ad0dd04650a4f54ba94fc
At the completion of the while loop the value of 'ret' cannot
be zero. The expected value is KRB5_CC_END. Any other value
is an error to return to the caller. If 'ret' is KRB5_CC_END
then return krcc_end_get() result().
Change-Id: Ic2afb5a754e03d521c10a259c53fc70b86b4a132
OpenSSL 1.1 has the pkInitKDC OID built in, which breaks as it was redefined by
openssl.cnf in Heimdal. Try to determine if OpenSSL >= 1.1 and if so, use a
configuration file that omits this OID definition. The implementation is not
robust but as this is simply an example (not run by the test suites), it should
be adequete.
kinit does not destroy ccaches created with krb5_cc_new_unique() if ticket
acquisition fails. This was leaving dangling keyring entries with the keyring
ccache.
From a suggestion by nicowilliams, put double quotes aroung the varaible
$foopassword in case the password contains whitespace or other special
characters.
When we use a custom patch that makes strong passwords required even for
administrators the check-kadmin test will fail because "foo" (the password
used in check-kadmin.in) is not a strong password. So, we make the
password used in check-kadmin.in settable as a parameter. This way, we
only have to change one line of check-kadmin.in rather than a dozen to get
check-kadmin to pass when using the strong-passwords everywhere patch.
Note that this change makes no real change to any of the tests in
check-kadmin.in: no tests are changed, removed, or added.
Adding a principal with a random key or password did not respect non-default
password expiration times, because the act of setting the key or password would
clobber it with the default. As we update the principal anyway after setting
the keys, use this opportunity to restore the requested password expiration
time. (There are other ways to solve this, but this is the least intrusive.)
krb5_get_init_creds_opt_set_change_password_prompt() was being ignored by
krb5_init_creds_step() which broke pam_krb5 tests. MIT doesn't handle password
expiration within krb5_init_creds_step(), instead deferring to higher level
functions such as krb5_get_init_creds_password(). However, Heimdal kinit uses
krb5_init_creds_step() directly and thus requires this behaviour to be
implemented to pass its own tests.
Adds support for "hard" aliases when initially authenticating, that is,
allowing a client or server principal to be known by many names without
requiring that the client support name canonicalization.
In order to avoid changing the behavior for other backends such as Samba, this
is implemented in the HDB backend rather than the KDC.
To use, add an alias for both the client and TGS ("krbtgt") principals using
kadmin. This behavior is unchanged if name canonicalization is enabled.
This fixes compilation with -Wstrict-overflow=2.
with CFLAGS="-O3 -Werror=strict-overflow -Wstrict-overflow=2"
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10) gives:
addr_families.c: In function ‘krb5_sockaddr2address’:
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:851:1: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
krb5_sockaddr2address (krb5_context context,
^
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
addr_families.c: In function ‘krb5_sockaddr2port’:
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:879:1: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
krb5_sockaddr2port (krb5_context context,
^
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
addr_families.c: In function ‘krb5_addr2sockaddr’:
addr_families.c:831:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:914:1: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
krb5_addr2sockaddr (krb5_context context,
^
addr_families.c:831:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:831:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
addr_families.c: In function ‘krb5_max_sockaddr_size’:
addr_families.c:955:2: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for(a = at; a < at + num_addrs; ++a)
^
addr_families.c:950:1: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
krb5_max_sockaddr_size (void)
^
addr_families.c:955:2: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for(a = at; a < at + num_addrs; ++a)
^
addr_families.c:955:2: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
addr_families.c:955:2: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
addr_families.c: In function ‘krb5_sockaddr_uninteresting’:
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:974:1: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
krb5_sockaddr_uninteresting(const struct sockaddr *sa)
^
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
addr_families.c: In function ‘krb5_sockaddr_is_loopback’:
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:983:1: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
krb5_sockaddr_is_loopback(const struct sockaddr *sa)
^
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
addr_families.c: In function ‘krb5_h_addr2sockaddr’:
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:1011:1: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
krb5_h_addr2sockaddr (krb5_context context,
^
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
addr_families.c: In function ‘krb5_h_addr2addr’:
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:1042:1: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
krb5_h_addr2addr (krb5_context context,
^
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
addr_families.c: In function ‘krb5_anyaddr’:
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:1073:1: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
krb5_anyaddr (krb5_context context,
^
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
addr_families.c: In function ‘krb5_print_address’:
addr_families.c:831:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:1108:1: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
krb5_print_address (const krb5_address *addr,
^
addr_families.c:831:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:831:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
addr_families.c: In function ‘krb5_address_order’:
addr_families.c:831:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:831:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:1238:1: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
krb5_address_order(krb5_context context,
^
addr_families.c:1238:1: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
addr_families.c:831:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:831:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:831:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:831:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c: In function ‘krb5_free_address’:
addr_families.c:831:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:1333:1: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
krb5_free_address(krb5_context context,
^
addr_families.c:831:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:831:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
addr_families.c: In function ‘krb5_copy_address’:
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:1383:1: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
krb5_copy_address(krb5_context context,
^
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:820:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
addr_families.c: In function ‘krb5_address_prefixlen_boundary’:
addr_families.c:831:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:1537:1: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
krb5_address_prefixlen_boundary(krb5_context context,
^
addr_families.c:831:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
for (a = at; a < at + num_addrs; ++a)
^
addr_families.c:831:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow]
CC libkrb5_la-config_file.lo
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(Similar to Samba commit aa17db1f4061920512396032fcd3c7c8a4a8f38f)
This fixes compilation with -Wstrict-overflow=2
with CFLAGS="-O3 -Werror=strict-overflow -Wstrict-overflow=2"
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10) gives:
config_file.c: In function ‘krb5_config_vget_strings’:
config_file.c:1122:10: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow]
while(nstr--)
^
Upstream pull request:
https://github.com/heimdal/heimdal/pull/354
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to Samba commit 72979d1d60ca2eab1e7903c2e77b8cca69667691,
cut down to just the config_file.c and keytab_any.c changes reproduced
above by abartlet)
The size of portstr is too small to print an integer.
Instead just let snprintf do the work.
This fixes building with GCC 7.1
Based on feedback by Jeffrey Altman
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12930
(Inspired by Samba commit abd74c3ba5e3ee3f5320bff6ed7dff4fbcb79373)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
with CFLAGS="-O3 -Werror=strict-overflow -Wstrict-overflow=2"
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10) gives:
keytab_any.c: In function ‘any_remove_entry’:
keytab_any.c:241:7: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow]
if(!found)
^
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry-picked from Samba commit e8fec94827c933041acd5b447eeeefd0b7b507ef)
The Solaris auxval test fails, because Solaris uses different preprocessor
symbols (and numbers) for its UID and GID auxval types.
Note that issuid() could simply be an alias of issetugid() on Solaris, so
perhaps this is not necessary.
it turns out that we don't need to tell lex we don't plan to use unput;
we can just.... not use unput. however, if we're flex, use the command
line option if it's available, to avoid warnings
In KCM, when allocating new kcm_ccache struct, there is missing inicialization
of kdc_offset. It is getting random values in my case and stored tickets are
unusable, last time I got this value to "klist -v": KDC time offset: 61 years
11 months 2 weeks 3 days 5 hours 28 minutes 32 seconds This commit seems to
correct it.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from Samba commit 521bc6056edc5252f2256664f4eacba13a3749e3)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from Samba commit e2c0af6bcdf271ff75c455695c129bc18322bd5a)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from Samba commit 899ef5d186c2c44f63c1cbf415daa33e9f668a5b)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from Samba commit a0c8c8c8331856d9f09d18b389b7dd01c8d33de2)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from Samba commit b342e6f038b5277cf30115f11cf0f30d238c12ea)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from Samba commit 0358d57db4705b2330e294b5d6318c1a78a8518c)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from Samba commit 82c84513331da9d0f42ba73d03e58dce5d0f76d3)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from Samba commit b2b0f8191dde58fe234b0147c4a0bd39020aa504)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from Samba commit d20e85d008e1b7badbea5ada8b22639f7767a097)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from Samba commit c6884138e4c1aec80e8f99ef0978b43919ae9d3a)
Without this, in an AS-REQ that has no local key for FAST
we would send the AS-REQ again, which can bump the bad
password count on the KDC twice.
So only try again if FAST was actually tried.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
In VC15 GetVersionEx has been deprecated. In order to continue to
support Win2K use the undeprecated VerifyVersionInfoW API
(available since Win2K).
Inline helper functions used in latest Win10 SDK to simplify code.
Zero out the DES_cblock structure instead of the (not yet used at this point
in the function) key schedule. The contents could potentially be left
on the stack in the case of an error return from _gssapi_verify_pad().
We generally clear out the cryptographic key and key schedule from
local variables before relinquishing control flow, but this case was
missed. Reported by jhb@FreeBSD.org.
GetSystemTimeAsFileTime() has 16ms precision.
GetSystemTimePreciseAsFileTime() has <1ns precision but is only available
on Windows 8 or later.
This change dynamically loads GetSystemTimePreciseAsFileTime() if it is
available.
Change-Id: Ib9c616c01948384e6b256ac9b6023f1e39673613
The iovec encryption code doesn't handle 0 length iovecs correctly.
Instead of just skipping them, _krb5_evp_encrypt_iov_cts() will spin
on the 0 length iovec.
Modify the _krb5_evp_iov_cursor_expand helper so that iovec expansion
simply skips 0 length iovecs, and make _krb5_evp_iov_cursor_nextcrypt
do the same.
Original bug report and tests from Andrew Bartlett <abartlet@samba.org>
../lib/com_err/compile_et.c: In function ‘generate_h’:
../lib/com_err/compile_et.c:138:33: error: ‘%s’ directive output may be truncated writing up to 127 bytes into a region of size 126 [-Werror=format-truncation=]
snprintf(fn, sizeof(fn), "__%s__", hfn);
^~ ~~~
../lib/com_err/compile_et.c:138:5: note: ‘snprintf’ output between 5 and 132 bytes into a destination of size 128
snprintf(fn, sizeof(fn), "__%s__", hfn);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../lib/com_err/compile_et.c: In function ‘main’:
../lib/com_err/compile_et.c:234:35: error: ‘.h’ directive output may be truncated writing 2 bytes into a region of size between 1 and 128 [-Werror=format-truncation=]
snprintf(hfn, sizeof(hfn), "%s.h", Basename);
^~
../lib/com_err/compile_et.c:234:5: note: ‘snprintf’ output between 3 and 130 bytes into a destination of size 128
snprintf(hfn, sizeof(hfn), "%s.h", Basename);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../lib/com_err/compile_et.c:235:35: error: ‘.c’ directive output may be truncated writing 2 bytes into a region of size between 1 and 128 [-Werror=format-truncation=]
snprintf(cfn, sizeof(cfn), "%s.c", Basename);
^~
../lib/com_err/compile_et.c:235:5: note: ‘snprintf’ output between 3 and 130 bytes into a destination of size 128
snprintf(cfn, sizeof(cfn), "%s.c", Basename);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jun 8 13:23:51 CEST 2018 on sn-devel-144
(cherry picked from Samba commit 7ddbf6035dfec6806536f99d0257245f70661363)
The struct krb5_context_data field can be passed to plugins
which might not be aware of the new structure layout. To
reduce the risk of data corruption, fields must never be
removed, modified or reordered. Old unused fields are marked
deprecated and new fields are appended to the end of the structure.
This change moves two fields that were added to master which
are not present in Heimdal 7.x:
fe43be8558 added config_include_depth.
5b39bd7c1d added no_ticket_store.
Change-Id: I28b157e128732324972c99b246a93a828bc077c1
Some versions of gcc can't follow the logic in the encryption path
of the _krb5_evp_encrypt_iov_cts code, and believe that it is
possible for the lastpos structure to be used uninitialised.
This isn't actually possible. On entry to the loop, remaining is
guaranteed to be both greater than, and a multiple of blocksize.
In order to exit the loop, remaining must be set to 0. If
cursor.current.length >= remaining, then we set remaining to 0 and
also set lastpos. Otherwise, we calculate the number of whole blocks
in the current iovec, which must be less than remaining, and subtract
that from remaining. Remaining must still be a multiple of and greater
than or equal to blocksize. If remaining == blocksize, we set lastpos,
and set remaining to 0. Otherwise we consume a single block, and go
around again. All of the paths which may set remaining to 0 also
set lastpos, so lastpos must be populated when the loop terminates.
Coverity has a similiar misconception, albeit with ivec2, which is
mistaken for the same reasons.
When we have an underlying iovec encryption function, use iovecs for
checksum-then-encrypt alogrithms in decrypt_iov_ivec, rather than
coalescing iovecs into a single memory buffer.
Add a verify operation for this checksum. If a verify operation isn't
defined, then the verify_checksum code has to dynamically allocate and
free a block of memory for the computed checksum, which can be a
significant overhead when performing bulk data encryption.
Add iovec routines for both padded CBC, and CTS EVP based encryption.
These routines go to great lengths to minimise the number of times
we call EVP_Cipher. With some EVP implementations (such as OpenSSL's
AES-NI) there is a significant entrance and exit overhead from this
routine, due to the use of SIMD vectors for the ivec.
Add a encrypt_iov function pointer to all of our encryption types
which can be used to implement an iovec based encryption routine.
Modify krb5_encrypt_iov so that it calls the iovec based routine
if it is available.
Use the iovec checksum routines in krb5_encrypt_iov_ivec. This
still marshalls all of the iovecs together to perform the encryption
operation, but this change halves the amount of time spent on
data marshalling in this function.
When we decide we need to zero the padding iovec, do so with 0, not
with the length that we've determined.
This had no effect because we zero the padding properly later, but it
should be fixed, so that things still work when the later memset() goes
away.
So that we can eventually use iovec hashes with encrypt, as well
as sign operations, add CRYPTO_TYPE_HEADER and CRYPTO_TYPE_PADDING
to the list of iovecs which will be hashed.
Creating and destroying an EVP_CTX_MD structure with every hash
operation is very expensive. Speed things up by caching one within
the krb5_crypto structure. krb5_crypto can already only be safely
used by one thread at a time - adding a message digest context here
shouldn't introduce any further threading risks.
Users of the stashed context must be careful to ensure that they
call no other hash functions whilst they are in the middle of using
the context.
Instead of flattening the iovecs passed into
krb5_verify_checksum_iov, create a new internal verify_checksum_iov
function which passes iovecs down onto the individual ->verify or
->checksum functions.
_krb5_find_enctype is a moderately expensive operation, as it
does a linear search of the enctype lists. Avoid calling it
in _key_schedule when we already have a key schedule in place.
This change makes the most common check the first in the function.
Rather than flattening the iovecs supplied to
krb5_create_checksum_iov into a malloc()'d memory block, refactor
the function so that they can be passed straight through to the
backend hash functions.
Modify the signature of the checksum operation in the
krb5_checksum_type structure so that it processes iovecs rather than
solid blocks of data.
Update all of the implementations of these functions for all of the
checksum types that we support so that they process iovecs, either
by iterating through the iovec in each function, or by calling
_krb5_evp_digest_iov or _krb5_evp_hmac_iov()
Update callers of these functions so that they turn their single blocks
of data into a single iovec of the correct type before calling checksum
Add a function which will perform an HMAC over a set of iovecs,
using the hcrypto provided HMAC functions.
Join contiguous iovecs together before passing them to the hash
function so we make as few calls into the hash as possible.
Add a pair of functions which can be used to allocate and free
an HMAC_CTX structure on the heap. This means that the caller doesn't
need to know the size of the underlying structure.
When replying to a door call, if allocating the buffer using malloc()
fails, we return EAGAIN to the client to avoid it hanging, using a
variable on the stack. However in this case the code did not reset the
reply length, which would result in it reading past the end of the stack.
At the expense of a goto, this patch uses the same path for returning an
error as if it was generating by the application.
Also, ensure that reply->length is set to zero when returning an error;
it shouldn't affect the client as it will not read this in the event of
a non-zero return code, but it avoids leaking uninitialized memory.
The ucred_t argument must be initialized to zero otherwise it is assumed to
point to allocated memory. Also, the logic is inverted: getpeerucred()
returns zero on success, not failure.
In the interest of being paranoid, when a WinCNG crypto or digest
context is being reinitialized, zero out the backing store as well
as destroying the handle.
This is required as the PKCS#11 library needs to be reinitialized after
forking. This was causing a problem with ipropd.
This fix appears to incur a repeatable 10ms performance penalty on aes-test.
Caching the initialization status using a once control and invalidating it
on fork provided no measurable performance benefit on Solaris 11. Other
approaches would not be thread-safe or would involve more intrusive code
changes, such as exposing heimbase's atomics.
Similar fix to a88d0066, but for the WinCNG EVP backend. However this
is just a fix for leaking handles if the same EVP context is used with
a new key; there is no functionality issue as cipherstate is maintained
directly in the EVP context, not internally by WinCNG.
Clients of the EVP API can reinitialize message digest contexts
without destroying them. The PKCS#11 backend assumed they were
only used once, and was leaking session handles upon reinitialization.
This fix disposes of any existing PKCS#11 message digest context
in the initialization method.
Some callers of EVP_DigestUpdate (such as libntlm) pass NULL as the
data argument. PKCS#11 returns CKR_ARGUMENTS_BAD which may poison
the context. Pass an empty string to C_DigestUpdate work around this.
81c778e broke the PKCS#11 hcrypto backend broke for many cases as it did
not support cipherstate resetting. (Prior to 81c778e, which was to fix#194,
the PKCS#11 backend did not support cipherstate chaining across invocations.)
hcrypto backends that maintain cipherstate independently of the hcrypto
context IV field need to set EVP_CIPH_ALWAYS_CALL_INIT to avoid the two
diverging. Their init function should support resetting the cipherstate
independently of key scheduling.
Solaris make won't allow @echo in a shell command string as there is no
command called @echo, and it passes the whole shell command to the shell
without poaching off the @ itself first
despite the fact that the called function returns void,
returning a result here throws an error with solaris cc.
just call the function and don't return
camellia-ntt had none of its symbols renamed into the hc_ namespace,
and rand's missed timer_method (while all other methods were done). rename
these like we do for others
if when we need to determine if getauxval sets errno, we determine it doesn't
after getting a 0 return code, make sure we return a value, since we didn't
previously. fall through to code we'd otherwise have called in this case
above.
This can happen in the error path when processing malformed AS
requests with a NULL client name. Bug originally introduced on
Fri Feb 13 09:26:01 2015 +0100 in commit:
a873e21d7c
kdc: base _kdc_fast_mk_error() on krb5_mk_error_ext()
Original patch by Jeffrey Altman <jaltman@secure-endpoints.com>
depending what's available when you compile for iOS it's possible to
be __APPLE__ and not have CF; actually test for it instead of blythely
assuming it can be used
- Simplify child process creation rate limit by moving
select_sleep() to happen right after the parent fork().
- Consider child pid table slots to be empty if the pid is
non-positive, rather than just -1 or just 0.
- Log warnings should we ever spawn a child with no free
slot to track it, or reap a child that does not match
a tracked slot.
This allows the optimized checksum->verify() function to be used.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from Samba commit fb318ab0203297019c5e47c6bef4a9abfdeea8a5)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from Samba commit 05cc099499ef3a07d140981ef82937c842a3ffef)
Doing an fsync per-record when receiving the complete HDB is a performance
disaster. Among other things, if the HDB is very large, then one slave
receving a full HDB can cause other slaves to timeout and, if HDB write
activity is high enough to cause iprop log truncation, then also need full
syncs, which leads to a cycle of full syncs for all slaves until HDB write
activity drops.
Allowing the iprop log to be larger helps, but improving receive_everything()
performance helps even more.
This reverts commit ccb63bb0aa, which was
unnecessary and broke tests/kdc/check-kadmin (and other things).
host->port happens to be an unsigned short, so that promotion to an integer in
the snprintf() call is safe in that the promoted value will still be
non-negative, and no larger than an unsigned short's maximum value. We're
still assuming that 7 bytes is sufficient to hold the text representation of
that maximum value, which indeed it is, assuming sizeof(unsigned short) == 2
and CHAR_BIT == 8, which are fair assumptions here. A better patch, if we
needed it, would be to just make portstr[] an array of 11 char, or perhaps make
it a VLA (but we can't yet use VLAs, I don't think, because of older Windows
systems that must be supported still).
Heimdal will refuse to create new entries when an entry already exists even
if said entry has no kerberos info and is a new entry.
This patch fixes this issue by allowing object modifications even if the
flags disallow them when we are inserting a new principal on the database.
Signed-off-by: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
The default client principal for krb5_set_password, if the
principal argument were NULL, was krb5_get_default_principal. But
krb5_set_password requires credentials for the password change service
be passed in, and those credentials are already associated with a
client principal that's much more likely to be the correct choice for
a default. Use that principal instead of krb5_get_default_principal.
If the hostname was already set, a typo in a test meant we were not
freeing it. While we're at it, handle the unlikely possibility that
the existing pointer is passed as the new value.
On Debian stretch systems PAM modules linked against Heimdal run into
symbol conflicts with parse_time() in systemd libraries. We redefine
parse_time() and friends to rk_parse_time(), ... while keeping the old
names for ABI compatibility with existing clients.
The legacy names should eventually be droppped.
When the termination of a child process is observed by reap_kid() it
clears the pids[] element by assigning it the invalid pid value
(pid_t)-1. However, start_kdc() assumes that the unused pid[[] element
value is 0. As a result, each pid[] element's associated child process
can only be restarted once since start_kdc() will not be able to locate
an unused element.
This change alters start_kdc() to initialize all elements of pids[] to
(pid_t)-1 and use that as the marker for unused elements. By doing so
start_kdc() can properly record child process pids and indefinitely
restart child processes as necessary.
Change-Id: Ia93c9284ab21289994eca7fc9cf1278be7c00683
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unecrypted version provides an
opportunity for successful server impersonation and other attacks.
Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
Unlike the ccache, we can't lock less because of the way in which keytab
entries are removed: by negating their length. Also unlike ccaches, we
hold locks across the entirety of keytab iteration.
Use stdio. Don't lock to read -- we only ever rename new ccaches into
place, or overwrite endtimes to delete entries, or overwrite part of the
realm name of cc config entries.
Dropping locks around ccache iterator stepping strongly implied that we
don't expect truncation, that we only expect appends (and the
overwriting done to delete entries).
Don't unlock -- let close(2) do it, thus making fewer system calls.
The ASN.1 functions copy_Realm(), copy_PrincipalName() and
copy_EncryptionKey() can fail. Check the return and perform error
handling as appropriate.
Change-Id: I2b3629d19db96eb41d1cd554cef1dca99745e753
When comparing the first component of a multi-component
string that uses a field separator (e.g., '/' or ':'), be sure
to include the separator in the comparison to ensure that the
comparison does not succeed due to a prefix match.
Change-Id: Ieec3e73cb015a83bb652ec11cd7d83e57755c3d2
Fix the numeric error value comparison performed by error_cmp().
Identified by AppChecker and previously fixed by Darwin.
Change-Id: I0a72fd381bef0b34b7e7d155bfff03ab4196d38e
if defined(HAVE_GETAUXVAL) && !defined(GETAUXVAL_SETS_ERRNO) the
stack variable declaration for 'a' is missing:
const auxv_t *a
Declare 'a' so that Heimdal can build again.
Change-Id: If64dd497f240688b76f3dd6139ac68c2ff149a0e
In 13c8a2c212 permits fclose() to
be issued on 'stdin' and forgets to use the N_() macro for text
strings.
Change-Id: I5e9ac1354da8dcff5277c39e4784a768ad76afdd
Though a race was never observed, the re-sync, slave DB deletion,
master changes and restart did not take into account late changes
in the master before slave down.
Creation of a random key HDB entry takes 3 updates, not one. Instead of
hard-coding this magic count, wait for the appearance of the expected
entry with no "invalid" flag among its attributes.
When obtaining a remote TGT krbtgt/REALM2@REALM2, an intermediate
cross-realm TGT obtained for krbtgt/REALM2@REALM1 is not equivalent
to the TGT we seek, and must not be stored under its name.
When the cred passed krb5_build_ap_req() has a different name for the actual
ticket (e.g., because the entry came from a ccache with an alias name as the
entry name) then we were putting a Ticket on the wire with the name from the
cred rather than from the Ticket in the cred. We don't think this is intended
or desirable. The server should see the Ticket _exactly_ as minted by the KDC.
Perhaps AP-REQ should have used an OCTET STRING to contain the Ticket given that
Ticket is a PDU, which would make a byte-for-byte copy trivial, but as it is it
uses Ticket instead. Therefore this commit has it decode the Ticket from the
cred and then C struct assign that value to the AP-REP's ticket field -- this
then copies the Ticket as exactly as vended.
Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
to not be added to the transit path of issued tickets. This may, in
some cases, enable bypass of capath policy in Heimdal versions 1.5
through 7.2.
Note, this may break sites that rely on the bug. With the bug some
incomplete [capaths] worked, that should not have. These may now break
authentication in some cross-realm configurations.
If the file is not a regular file, the 'fname' buffer will be freed
before it is passed to the krb5_set_error_message() routine. That
this is true is not obvious from code inspection but 'newfname'
and 'fname' refer to the same memory.
Change-Id: I7780eae9ceaf01b245df488a2f7d7f406770864f
The output of `wc -l` includes leading white-space, and at least
in FreeBSD 11, `expr 1 + "$foo"` fails when "$foo" (captured as
`wc -l` output) has leading whitespace. Instead, just emit one
more line for "wc" to count.
For krb5.conf include/includedir we want to reject non-absolute paths,
but then we need to make sure that we use absolute paths in the tests,
otherwise they fail. Of course ./configure has been defaulting to
relative paths for $srcdir and $objdir. This commit canonicalizes
$srcdir; eventually, no doubt, we'll have to canonicalize $objdir too.
Must export hdb_generate_key_set_password_with_ks_tuple() on Windows
which was introduced in 4303174a49.
Change-Id: Iea2993a17aba44c7cb0360716138c26239254e05
The change to the signature of hdb_generate_key_set_password() in
Heimdal 7.1 broke API/ABI compatibility with previous releases. We
fix this by renaming it hdb_generate_key_set_password_with_ks_tuple()
and creating a new hdb_generate_key_set_password() which calls our
new function with zeroes for the added arguments.
Issue #246https://github.com/heimdal/heimdal/issues/246
Each KDC is a kx509 server. The service principal must be of the
form
kca_service/<localhost.domain>@<DEFAULT_REALM>
where localhost.domain is the hostname returned by gethostname()
and <DEFAULT_REALM> is one of the realms for which the KDC has a service
principal "kca_service/<localhost.domain>".
The matching code was broken by a5e77c578e
when krb5_sname_to_principal() began to always return a referral
principal.
Since the second component is a host name update the default principal
type for service "kca_service" to be KRB5_NT_SRV_HST.
Change-Id: I6bd5f90b674ebb7220d8efafa6d339fdc21e1a07
Commit 7dc4481ed2 which changed from
pidfile -> rk_pidfile was incomplete. Must handle the NO_PIDFILE case.
Change-Id: Ifc0b135e1fa7abdf4e370ad4b8fe2eb1305760f5
In _kdc_do_kx509() do not free 'principal' until after its last
use. Move declaration to top of function and free it during the
common exit processing.
Introduced by 10a5976e45.
Change-Id: Iaf000eb090b0fa523f04a4864c6b17058d922995
If some external library lives in a directory in which Heimdal is
already installed, we may pick up LD_LIBRARY_PATH Heimdal objects
from a different release. Move the external deps to the end, to
ensure a more appropriate LD_LIBRARY_PATH.
cf/make-proto.pl copies Doxygen docs to -private and -protos headers.
We need to either extract these from those files but not source files,
or only from source files but not the generated headers. This commit
does the latter.
We should really check whether pthread_once() is in libc so that then we
don't have to add an unnecessary dependency on -lpthread.
Also, we have a proper once implementation that we could use when we
don't have pthread_once(), so we should fallback on that if we detect
that we have neither pthread_once() in libc and --disable-pthread is
given.
The kdc nowadays forks and restarts worker children. This is nice, but
for leak checking in tests on OS X with leak(1) we really need the
worker to be the one process.
The prior structure of the code was safe but can appear otherwise to
static analyzers since the assignment to pids[i] occurs after exitting
the for() loop.
While here use calloc() instead of malloc()/memset().
Change-Id: I8455aa259fd8c7c17778827937ec26127fe0785c
if krb5_get_config_strings() returns the empty string do not return
immediately. Instead the for() loop will be skipped because the empty
string represents the end of the string list permitting
krb5_config_free_strings() to free the allocated memory.
Change-Id: Ia6fdb13f716c07b53c8b3857af4f7ab8be578882
Commit 4b6bd40106 made hdb_ldap_create and
hdb_ldapi_create static in the OPENLDAP_MODULE case. However, by
failing to leave a blank line between the static and the function
declaration the perl program that produces the hdb-protos.h file
skips the functions.
Add appropriate spacing.
Change-Id: I9ad24176fc31a0bce92b51f7adab141e8fa70fa3
read_master_keytab() should always return with *mkey == NULL on
failure. Doing otherwise can result in memory leaks or use of
an uninitialized pointer.
Change-Id: Ice1fd504ca573d73bb51dd3b01770c3f8bc59fd4
Apparmor on Ubuntu prevents slapd from using the Unix domain socket we
want it to. The fix is to copy the slapd executable into the objdir,
which disables the apparmor profile for slapd.
Also, make sure the ldapi: URI has the right path for the socket in
krb5.conf.
This fixes the following problems from #210:
- hdb_ldap doesn't load even when installed correctly
- loadable hdb backends not listed by kdc --builtin-hdb
Not fixed:
- hdb_ldap.so not installed in plugin dir
When building the lib/krb5 tests link against HEIMBASE in order to
make use of heim_abort() and friends.
Change-Id: Ifaf54177bbb14cddf0f3544add370cda158783d1
In krb5_parse_name_flags(), if the principal name is not an enterprise
name, is one component in length and contains an '@', set the principal
type to NT-SMTP-NAME as specified by RFC 4120.
Treat principals of type NT-UNKNOWN as NT-SRV-HST if the first component
of the principal name is "host".
Change-Id: I28fb619379daac827436040e701d4ab7b279852b
The _kdc_is_anonymous() helper function must take into account
that principals of type NT-UNKNOWN can match any other principal
type including NT-WELLKNOWN.
Change-Id: I6085b9471f6f1d662119e359491bbdce629ef048
This is part of the fix to #173. MSFT RODCs insist on the name type for
krbtgt principals be set to KRB5_NT_SRV_INST.
Commentary from Jeffrey Altman <jaltman@secure-endpoints.com>
As reported by David Mulder of Dell's Quest, Active Directory will
return a BAD_INTEGRITY error when a request for a krbtgt service
ticket is received with principal type NT-PRINCIPAL instead of NT-SRV-INST
as required by RFC 4120.
[Nico: RFC4120 does not require this. See the description of the
name-type field of PrincipalName on page 55.]
ERROR: VAS_ERR_KRB5: Failed to obtain credentials.
Client: SLED10-32$@F.QAS,
Service: SLED10-32$@F.QAS, Server: ad2-f.f.qas
Caused by: KRB5KRB_AP_ERR_BAD_INTEGRITY (-1765328353): Decrypt integrity check failed
Microsoft began enforcing principal type checking for RODCs in 2008R2.
Microsoft does state that ALL krgtgt/REALM tickets SHOULD be sent using
principal name type of KRB5_NT_SRV_INST instead of KRB5_NT_PRINCIPAL.
From Microsoft:
"I believe we discovered the problem. There isn't a bug in Windows.
There's been a code change to address another issue which puts in additional
checks for Kerberos tickets. The problem is with the Unix clients when the
client request a TGT. The Unix clients are using Name-type Principal
[KRB_NT_PRINCIPAL (1)] instead of using Name-type Service and Instance
[KRB_NT_SRV_INST (2)]...."
This change assigns the NT-SRV-INST principal type each time a krbtgt
service principal is created. Unlike Microsoft, the Heimdal mostly does
not care about the name-type of any principals, with the exception of
referrals, where the name type is needed to decide how to find a
next-hop realm.
In client_connect() getaddrinfo() stores the head of the allocated
addrinfo structure list in 'res0'. 'res' is used to walk the list
and will be NULL at the end of the for() loop when freeaddrinfo(res)
is executed. Pass 'res0' to freeaddrinfo() instead of 'res'.
Change-Id: Ie1358c0356b6b0f98470e46e25216cfa0ab4adac
In hdb_ldap_common() the test
if (search_base == NULL && search_base[0] == '\0')
error handling ...
must be
if (search_base == NULL || search_base[0] == '\0')
error handling ...
Change-Id: I8d876a9c56833431b3c4b582fbb0a8cc7353893d
The prior patch removed the definition of the XUA check but failed
to remove the execution of the check. Do so now.
Change-Id: I648a374370d3549db0d98b90f810bd018dc28962
gsskrb5_acceptor_start() was making a copy of the global pointer
_gsskrb5_keytab to use later. This invites a race condition where
another thread could call gsskrb5_register_acceptor_identity()
(thus invalidating the target of the copied pointer) before it is
used by gsskrb5_acceptor_start().
So instead, clone the keytab to a new one while protected by the
mutex lock (similar to get_keytab() in acquire_cred.c).
Signed-off-by: Nicolas Williams <nico@twosigma.com>
Instead of imposing a default 10 hour ticket lifetime and 1 month renew
lifetime when requesting tickets, increase the default lifetime and
renew lifetime to 2147483647 seconds. This ensures that in the absence
of any other configuration or command line parameters that the KDC will
determine the ticket lifetime and renew lifetime.
Change-Id: I52b6eeac1ee830a9bf4d0130e8f4ec7b70bc8694
Signed-off-by: Nicolas Williams <nico@twosigma.com>
The original motivation was to avoid extra timeouts when the network is
broken. However this doesn't avoid one of the timeouts and adds
complexity and introduced bugs.
To really suppress search lists use ndots.
In lib/roken/resolve.c, we find rk_dns_srv_order() which re-orders
the results of an SRV RR lookup by the algorithm in RFC2782. We
note that the algorithm doesn't behave according to the RFC w.r.t.
entries of weight zero. We solve this by scaling out the remaining
weights by the number of zeros we find at a particular priority
level and acting like the zero weights have a weight of one.
In lib/roken/resolve.c, we find rk_dns_srv_order() which re-orders
the results of an SRV RR lookup by the algorithm in RFC2782. We
fix a bias in the random weight sorting by changing the order of
operations when selecting rnd. rnd should be a non-zero random
number less than the sum of the weights at a particular priority,
but zero was included as a legitimate output thus biasing the
selection process. rk_random() % sum is still biased as a 32
bit int modulo a number which doesn't divide 2^32 does not have
a uniform distribution, but the bias should be small enough to
live with for our purposes here.
Apending '.' to the hostname passed to `getaddrinfo()` is good for
avoiding extra timeouts when the search list is non-empty and the
network is broken, but searches in /etc/hosts are typically inhibited
then. The fix is to try again without the trailing '.' if the first
lookup failed for any reason other than a timeout.
On 32-bit architectures with _FILE_OFFSET_BITS=64,
sizeof(off_t) > sizeof(size_t) .
LOG_HEADER_SZ was #define'd as an expression of type size_t, so in order
to get the sign extension right we need -(off_t)LOG_HEADER_SZ instead of
(off_t)(-LOG_HEADER_SZ). However, we can just define the *_SZ macros to
cast to off_t, then we don't need to worry about negation.
Fixes Debian bug #822749, PR 175.
Signed-off-by (and updated by): Nicolas Williams <nico@twosigma.com>
The correct test for a windows build is if defined(_WIN32), not just
if _WIN32. Fix a few places in the build which do the wrong thing, as
it gives compiler warnings.
All of the hcrypto source files were updated with commit
0f97855826 to include roken.h. This
means that hash.h no longer needs to include the roken header.
Remove the multiple inclusion.
When processing a request, current tgs_make_reply uses the requested
set of addrs of the request to establish the set of addresses to
associate with the ticket in reply.
However, when the request input set of addrs is NULL, it reverts to
using the TGT set of addresses instead. As a result, it is not
possible to acquire an addressless TGS (or forwarded TGT) using a
TGT that is addressed.
This patch remove the fallback ensuring that a TGS_REQ with a set
of addrs set to NULL enables to acquire an addressless ticket.
When reading configuration file, keep an extra copy of
the encryption types, and use this when resetting the
encryption types to default.
GSSAPI always resets the enctypes to default before obtaining
a TGS, because the enctypes might have previously altered,
so this prevents changing the etypes from the configured ones
to the full set of supported etypes.
Signed-off-by: Uri Simchoni <uri@samba.org>
Some portions of libhcrypto are reused by other projects in
diverse environments, including within operating system kernel modules.
In some such build environments, hardening measures such as grsecurity
can (randomly) reorder structure elements, so as to make it harder
for an attacker to determine the offset from a known field's address
to a different field that is needed for an attack.
However, doing so requires the use of C99 designated initializers
to make the source code compatible with such structure rearrangement,
as opposed to the "traditional" C aggregate type initializers, which
just list fields in order. This feature is also available as a
GCC extension since early versions of GCC. However, it is not
provided by many common versions of visual studio (and presumably
also not by the vendor compiler for various commercial Unixes),
so the traditional initializers must remain, behind a conditional.
__GNUC__ or __STDC_VERSION__ >= 199901 should be enough to get
most cases with support for designated initializers, at least
for now.
Signed-off-by: Nicolas Williams <nico@twosigma.com>
Newer versions of SQLite3 have a number of new features that are
desirable to users who host other DBs in the same file as the HDB (for
example), as well as performance and bug fixes.
We should consider switching the SQLite3 backend for HDB to WITHOUT
ROWID tables for performance reasons. We should also consider using
foreign keys instead of triggers. Making any such changes requires care
to permit both, upgrade and downgrade.
We might want to use the SQLite3 session extension for a SQLite3-
specific, low-level replication (iprop). Given conflict resultion code,
or a sufficiently normalized schema, the session extension would make it
easy to create a multi-master replication system, not unlike what one
would expect of an LDAP setup, though with none of the atomicity that
LDAP is supposed to provide (specifically, O_EXCL semantics for creates
and predicates for updates) unless we were to add a locking protocol.
Note that as of 3.14, the session extension is mutually exclusive of
WITHOUT ROWID tables.
On a low update rate master, if we don't update old_version after
processing a poll timeout, we will generate spurious warnings about
missed (change) signals every time the timer expires, and will
needlessly contact the slaves.
Also implement KDC hierarchical transit policy checks. The "hier_capaths"
parameter defaults to "yes" in [libdefaults] or can be set explicitly in
[realms] per-realm.
Commit efed5633 (r24759) prefixed some symbols with rk_, but
introduced 6 duplicate symbols in the version script (because the
rk_-prefixed versions of the symbols were already present).
When the master's log does not contain the complete history, slaves
that bootstrap from scratch encountered a loop, because the master
falsely assumed a race with log truncation.
The HDB_F_ALL_KVNOS flag is not getting set in _kdc_db_fetch() if
kvno_ptr == NULL. Fix the conditional to ensure that one of
HDB_F_ALL_KVNOS or HDB_F_KVNO_SPECIFIED is set in the flags field.
Prior to this change cross-realm TGS_REQ failed with KRB5_GENERIC_ERROR
and e-text "encryption key has bad length". With this change, the
cross-realm TGS_REQ succeeds.
Change-Id: I4216137a192032544dfbdada12b5c377603ca4b6
The function, found in lib/krb5/mit_glue.c, is currently using
krb5_generate_random_keyblock(). This compiles because warning-level is
not high enough, but does not work. At runtime the
krb5_generate_random_keyblock() interprets the second argument as the
krb5_enctype (rather than a length of anything) and tries to verify it.
When the length does not match any known enctype, as usually happens, the
function fails and returns an error. If the length happened to correspond
to an enctype, the function would likely crash due to misinterpreting its
third argument as a valid krb5_keyblock.
The change uses krb5_generate_random_block() instead. This function does
not return anything -- upon detecting failure it will cause the entire
application to exist instead...
Change-Id: I865a360037a513ce91abc7abba1dc554f844b464
Follow Apple's lead and do not fail krb5_set_config_files() simply
because one of the files in the profile list fails to parse correctly.
Doing so can lead to hard to find failures and could lead to an end
user shooting themselves in the foot and no longer be able to login
to their system to fix it.
Parse as many of the files as we can. Only fail krb5_set_config_files()
if init_context_from_config_file() fails.
Change-Id: I122664c6d707a5f926643808ba414bf4f681f8b8
When flushing the uber record, retain the current log version. When the
uber record is the only (thus last) record in the log, return its nominal
version as the last version, not 0. Upgrade the log if the current uber
record version number is not 0.
Otherwise we risk storing a name with the referral (empty) realm name,
which will then cause various knock-on effects, such as thinking that
the start_realm is "", and failing to find matching credentials in the
ccache.
When storing credentials whose ticket principal is not equal to the
requested principal, store the ticket under both names not only when
the original realm is the referral realm, but more generally for any
difference at all. This matches MIT behaviour.
Allow explicit name_canon rules to specify a realm to go with the
canonicalized hostname, if that realm is empty the effect is the
same "use-referrals"
Also fix segfault when no creds and debugging
At least one "windc" plugin provided by OS X lacks a client_access()
entry point and caused the KDC to crash. The KDC now checks for each
entry point in "windc" plugins and either falls back on alternative
default functionality or fails more gracefully than by crashing.
On OS X anyways, since Heimdal cannot be built to replace the system
Kerberos implementation in OS X (even though it's based on Heimdal).
Heimdal plugins other than the CCAPI plugins have private ABIs with
strong coupling to the internals of the Heimdal libraries, thus using
system plugins in a non-system Heimdal is likely to end in tears (e.g.,
segfaults).
This means, for example, that OS X's plugins for PAC creation and
verification cannot be used by Heimdal.
When the master's log has all entries from version 1 to now, and no
uber entry (legacy master), then new slaves will not pull version 1,
because their uber record has version 1.
The fix is to force the uber version to 0 always, and avoid adding a
truncate nop when doing a full prop. The uber record now records the
database version even in the absence of any other log entries so that
we know what to pull going forward.
Prior change 83011252d7 which fixed
cross-realm trusts from AD to Heimdal removed the assignment of
'*kvno_ptr' to 'kvno' in the case where a non-zero key version
number is supplied by the caller. This breaks cross-realm trusts
from Heimdal to another realm.
This change restores the missing assignment.
Change-Id: Ic041d9d797ba4c8c0c567da55066ba5d3d1874bb
A KVNO is unsigned and this is reflected in the internal
interfaces. However, for compatibility reasons its encoding
is signed and this creates a pointer mismatch when passing a
kvno pointer to _kdc_db_fetch.
Signed-off-by: Uri Simchoni <uri@samba.org>
For consistency make "-I" part of the macro value set by autoconf.
For now, don't attempt to handle OpenSSL rpath in cf/crypto.m4.
That's much easier by just setting LDFLAGS when running configure.
Otherwise too many Makefiles to edit and libtool and automake do
their best to undo the rpath.
We added some new OID symbols in libasn1, make them public.
When an older Heimdal is already installed and its libraries don't
have some newly created symbols we run into build or test problems,
if libtool decides to use installed rather than just-built libraries.
This was happening with a few of test programs in libhx509. Fixed.
If we are not code signing we must define an action for _CODESIGN_SHA256
or the build system macros will be unbalanced.
Change-Id: I3c545de3c8ee809709defd12faeead358fde26dd
When building evp-openssl.c without support for OpenSSL it is necessary
to include evp-hcrypto.h to define the HCRYPTO_FALLBACK functions.
Change-Id: Ifd51f9fcd2b1805a534a9f88992162818afffe7d
HCRYPTO_FALLBACK is a required definition for building lib/hcrypto.
However, it wasn't added to the Windows build system. This change
does so and enables fallback functionality.
Change-Id: I4a711c6da58e8832a61a3c0b2b8d9b10038425f0
Weak crypto is disabled on every other system. OpenAFS no longer
requires it and AuriStor doesn't need it. Turn it off.
Change-Id: I6fab2328f71d1c38a655560ab0f83b8df9b53c73
Permit an explicit version of signtool.exe to be specified via an
environment variable. Now that sha256 signatures are required the version
of signtool.exe that matches the SDK or Visual Studio version might not
be sufficient to apply code signatures.
Change-Id: I694e2b319bd692d6358ae7ce3d241da2da7648f8
Move roken.h to the top of the header after config.h and remove the
includes that are duplicated by roken.h.
Change-Id: I33e29736519177f17c36e5c5948d7022011ab2b2
All source files must start with
include <config.h>
include <roken.h>
when krb5_locl.h or kdc_locl.h are includes, they must come before
other Heimdal include files.
Do not include stdint.h when roken.h is included.
Do not include config.h more than once.
Change-Id: I0baecb5d48317996f48b1a6c41b051f42f2fde61
In verify() if krb5_unparse_name() fails 'sname' will be used
unitialized in the subsequent krb5_warnx() and free() calls.
Change-Id: I5a49bf06879eb5a77cf2d1d3f0d4b9c6549aeff8
Coverity complains about the leakage of 'handle' when the identifier
goes out of scope. Change handle into a static global to hold the
value instead of a stack variable.
Change-Id: I040707ac731558f7d523f128a006a80b98d45b79
The Windows and PKCS#11 backends do this. The Common Crypto (OS X)
backend does not. Ideally this should be a ./configure option, and that
might be the next step, but right now we need this fallback in order to
get tests passing in Travis-CI.
The resolver plugin doesn't have a way to say "and stop here", so the
lookup done in lib/krb5/test_plugin.c can produce more results than used
to be expected, and indeed nowadays it does. The fix is to ensure that
we have the desired results and ignore the others.
This adds a new backend for libhcrypto: the OpenSSL backend.
Now libhcrypto has these backends:
- hcrypto itself (i.e., the algorithms coded in lib/hcrypto)
- Common Crypto (OS X)
- PKCS#11 (specifically for Solaris, but not Solaris-specific)
- Windows CNG (Windows)
- OpenSSL (generic)
The ./configure --with-openssl=... option no longer disables the use of
hcrypto. Instead it enables the use of OpenSSL as a (and the default)
backend in libhcrypto. The libhcrypto framework is now always used.
OpenSSL should no longer be used directly within Heimdal, except in the
OpenSSL hcrypto backend itself, and files where elliptic curve (EC)
crypto is needed.
Because libhcrypto's EC support is incomplete, we can only use OpenSSL
for EC. Currently that means separating all EC-using code so that it
does not use hcrypto, thus the libhx509/hxtool and PKINIT EC code has
been moved out of the files it used to be in.
Also, zero return means "success", non-zero means "failure" and the
non-zero value is a system error. That's how it is for the other
platforms' thread primitives.
(The no-threads defaults are still wrong though, as then are macros that
expand into do..while, which can't be used as expressions and don't
"return" values.)
The error string
missing @ or \ in name
must have the backslash double quoted as
missing @ or \\\\ in name
because of how compile_et parses the input and generates its output.
Otherwise, when compiling the generated ntlm_err.c a warning will
be produced because of invalid quoting of a space.
Change-Id: I994d3eb896098914702e418a0ef5cad783d16a5a
In srv_find_realm() the conditional for testing whether an entry
is the invalid gTLD response was inverted. Refactor the conditional
into a helper function is_invalid_tld_srv_target(). Use the helper
to simplify the conditional making it easier to confirm that the
test is correct.
Change-Id: I3220753b5585ac535862c4617030377c7a1f4bbe
The function _krb5_put_int() is a private function exported from
lib/krb5. Its declaration should come from krb5-private.h. A local
declaration will not result in the proper import qualifiers on
Windows.
See also: e1a244f Make it possible to include krb5_locl.h in kadm5
Change-Id: I53e7aeea9f2f34cab105f2e331f3c6522847ccfe
krb5_locl.h cannot be included from within lib/kadm5 in the
current UNIX builds. Reverting this change which is necessary
to properly build on Windows until an alternate solution is
agreed upon.
This reverts commit ffc525aad1.
The hdb_method functions cannot be KRB5_LIB_CALL as lib/hdb is not
lib/krb5. KRB5_LIB_CALL will be inconsistently defined.
This inconsistency resulted in crashes of test_hdbplugin on 32-bit
Windows.
Change-Id: I4cf8d3ef76f31a3cae923df234a19610d956e7ee
The function _krb5_put_int() is a private function exported from
lib/krb5. Its declaration should come from krb5-private.h. A local
declaration will not result in the proper import qualifiers on
Windows.
Change-Id: I53e7aeea9f2f34cab105f2e331f3c6522847ccfe
If there is no MSLSA: credential cache principal, then try to
fallback to the MIT default MIT credential cache name, API:krb5cc.
Change-Id: I8f981c5401b4f962cf808e7b0dc782e42bc03023
If there is no default credential cache obtained from the registry
or from configuration files, then check to see if there is a valid
principal available from the MSLSA: credential cache. If so, use
"MSLSA:" as the default credential cache. This will simply configuration
for users on domain joined Windows machines when logged in using a
domain account.
Change-Id: I4c4392e0fdcec89aff3d258ce1b753e6458e3eec
Remove unnecessary levels of indentation.
Switch the conditional from "(e == NULL)" to "(p == NULL)" since it
the variable 'p' that is actually used to store the name of the
default credential cache.
Change-Id: Id884e2cd80b42e47d3c219ac3777161087467a14
Windows queries the default ccache name via the registry. Prior
to this change only the HKEY_CURRENT_USER hive. Fallback to
HKEY_LOCAL_MACHINE if there is no "ccname" value specified for the
user. This permits system or domain administrators to set the
default ccache to MSLSA: for all users.
Change-Id: Ide3b51358f8fc6944ca698e4a68295be9463d4e0
As per
https://www.icann.org/en/system/files/files/name-collision-mitigation-01aug14-en.pdf
prior to a new top-level domain being put into service there is controlled
interuption service which will return explicit responses to DNS A, MX, SRV, and TXT
queries that can be used to detect private namespace collisions.
When performing fallback_get_hosts() check the AF_INET responses to ensure
that they are not the gTLD name collision address 127.0.53.53. If so, add
an error message to the context and return KRB5_KDC_UNREACH.
Write a warning to the log (if any).
Change-Id: I2578f13948b8327cc3f06542c1e489f02410143a
As per
https://www.icann.org/en/system/files/files/name-collision-mitigation-01aug14-en.pdf
prior to a new top-level domain being put into service there is a
controlled interuption service which will return explicit responses to DNS
A, MX, SRV, and TXT queries that can be used to detect private namespace collisions.
Modify SRV records lookups to detect the special hostname returned in the
SRV response, skip the response, and record an appropriate error if it is detected.
Write a warning to the log (if any).
Change-Id: I47e049b617e39e49939bc92d513a547de1d04624
As per
https://www.icann.org/en/system/files/files/name-collision-mitigation-01aug14-en.pdf
prior to a new top-level domain being put into service there is a
controlled interuption service which will return explicit responses to DNS
A, MX, SRV, and TXT queries that can be used to detect private namespace collisions.
Modify the signature of copy_txt_to_realm() to accept a krb5_context so
that meaningful errors can be recorded.
Write a warning to the log (if any).
Change-Id: I51ff8feed4f9d2af8b956bd4ba26e1c4644247c2
Instead of allocating a separate mutex object on the heap,
include the HEIMDAL_MUTEX in the krb5_context structure.
Change-Id: If6db484177410487176985e43e3b43e0f2166518
Add a basic set of tests for the HEIMDAL_MUTEX and HEIMDAL_RWLOCK
abstraction using both static and dynamic initialization.
Change-Id: Iaeb16e5dfcf00d29be7eaa4f2e6970c4f1268fb0
All source files in lib/hcrypto should be built the same way.
Since this source directory is dependent on libroken then all source
files must be built using the roken.h declarations and included headers.
Also, there is no config.h in the local directory so angle brackets
include of quotes should be used.
Finally, because roken.h includes stdio.h, stdlib.h, stdarg.h, limits.h,
strings.h, sys/types.h, etc., do not include them separately.
Start all source files with
#include <config.h>
#include <roken.h>
Change-Id: I09ab47f8a5472018efe6c8b59a0e51fde8f24724
Make memcmp() compare the name1 and name2 value instead of comparing
name1 with itself.
The memcmp() is only executed if the left-hand side of the || is false
i.e. when both length are equal so the length argument is correct (no out-of-bounds reads).
We need the uber record all the time now, actually, except when merely
inspecting a log file. This is important as we depend on replaying
entries written to the log in order to complete the HDB writes, and if
we don't have an uber record we can't do this step.
Also, log_init() should cleanup on error.
When new keys are added (typically via kadm5_setkey_principal_3),
truncate the key history to remove old keys, that is keys older than
the newest key which was in effect prior longer ago than the principal's
maximum ticket lifetime. This feature is controlled via the "[kadmin]"
section's "prune-key-history" boolean parameter, which defaults to false.
Currently this happens only when kadm5_setkey_principal_3()
is called directly on the server, the client API simulates
kadm5_setkey_principal_3() via a get, update, modify sequence that does
not prune the key history. The plan is to add a new kadm5 protocol RPC
and convert clients to call that instead.
In setkey_principal_3 seal keys after entry key update
Also, for now, don't check the return value of kadm5_log_modify() in
the new kadm5_s_setkey_principal_3(). This has to be addressed more
globally.
Censor stale keys in kadm5_s_get_principal
CVE-2016-2400
kadmind(8) was not checking for 'add' permission to aliases added via
kadm5_modify_principal(). This is a security vulnerability. The impact
of this vulnerability is mostly minor because most sites that use
kadmind(8) generally grant roughly the same level of permissions to all
administrators. However, the impact will be higher for sites that grant
modify privileges to large numbers of less-privileged users.
From what we know of existing deployments of Heimdal, it seems very
likely that the impact of this vulnerability will be minor for most
sites.
- fix int/uint confusion and use unsigned integral types for time
- improve messages
- add --verbose option
- attempt transaction recovery in ipropd-master during idle times
- begin hardening daemons against dying at the slightest provocation
- better recovery from various errors
- daemons now restart automatically in most of the many error cases
where the daemons still die
We used to update the iprop log and HDB in different orders depending on
the kadm5 operation, which then led to various race conditions.
The iprop log now functions as a two-phase commit (with roll forward)
log for HDB changes. The log is auto-truncated, keeping the latest
entries that fit in a configurable maximum number of bytes (defaults to
50MB). See the log-max-size parameter description in krb5.conf(5).
The iprop log format and the protocol remain backwards-compatible with
earlier versions of Heimdal. This is NOT a flag-day; there is NO need
to update all the slaves at once with the master, though it is advisable
in general. Rolling upgrades and downgrades should work.
The sequence of updates is now (with HDB and log open and locked):
a) check that the HDB operation will succeed if attempted,
b) append to iprop log and fsync() it,
c) write to HDB (which should fsync()),
d) mark last log record committed (no fsync in this case).
Every kadm5 write operation recover transactions not yet confirmed as
committed, thus there can be at most one unconfirmed commit on a master
KDC.
Reads via kadm5_get_principal() also attempt to lock the log, and if
successful, recover unconfirmed transactions; readers must have write
access and must win any race to lock the iprop log.
The ipropd-master daemon also attempts to recover unconfirmed
transactions when idle.
The log now starts with a nop record whose payload records the offset of
the logical end of the log: the end of the last confirmed committed
transaction. This is kown as the "uber record". Its purpose is
two-fold: act as the confirmation of committed transactions, and provide
an O(1) method of finding the end of the log (i.e., without having to
traverse the entire log front to back).
Two-phase commit makes all kadm5 writes single-operation atomic
transactions (though some kadm5 operations, such as renames of
principals, and changes to principals' aliases, use multiple low-level
HDB write operations, but still all in one transaction). One can still
hold a lock on the HDB across many operations (e.g., by using the lock
command in a kadmin -l or calling kadm5_lock()) in order to push
multiple transactions in sequence, but this sequence will not be atomic
if the process or host crashes in the middle.
As before, HDB writes which do not go through the kadm5 API are excluded
from all of this, but there should be no such writes.
Lastly, the iprop-log(1) command is enhanced as follows:
- The dump, last-version, truncate, and replay sub-commands now have an
option to not lock the log. This is useful for inspecting a running
system's log file, especially on slave KDCs.
- The dump, last-version, truncate, and replay sub-commands now take an
optional iprop log file positional argument, so that they may be used
to inspect log files other than the running system's
configured/default log file.
Extensive code review and some re-writing for clarity by Viktor Dukhovni.
A caller may want to specify an explicit order of PAC elements,
e.g. the PAC_UPN_DNS_INFO element should be placed after the PAC_LOGON_NAME
element.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This is just a hack to get Appveyor builds to complete successfully.
Eventually we should get packages and installers to build correctly, and
even for x86 and x86_64 combined. But it's early days and this is
useful enough.
The build was failing at lib/hcrypto/evp-pkcs11.c because roken.h was
being included after <assert.h>. It's not clear why that would be a
problem.
Here are some of the errors and warnings that resulted from including
<roken.h> after <assert.h> in evp-pkcs11.c:
evp-pkcs11.c C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\ws2def.h(91) : warning C4005: 'AF_IPX' : macro redefinition s C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\winsock.h(460) : see previous definition of 'AF_IPX'
C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\ws2def.h(124) : warning C4005: 'AF_MAX' : macro redefinition
C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\winsock.h(479) : see previous definition of 'AF_MAX'
C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\ws2def.h(168) : warning C4005: 'SO_DONTLINGER' : macro redefinition
C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\winsock.h(402) : see previous definition of 'SO_DONTLINGER'
C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\ws2def.h(212) : error C2011: 'sockaddr' : 'struct' type redefinition
C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\winsock.h(485) : see declaration of 'sockaddr'
C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\ws2def.h(390) : error C2059: syntax error : 'constant'
C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\ws2def.h(524) : warning C4005: 'IN_CLASSA' : macro redefinition
C:\Program Files\Microsoft SDKs\Windows\v7.1\INCLUDE\winsock.h(287) : see previous definition of 'IN_CLASSA'
restore correct OID for GSS_C_PEER_HAS_UPDATED_SPNEGO, this should have no
ABI implications, it's for internal use only. The current OID was incorrectly
copied in commit dbeeb18a, it should belong to 1.3.6.1.4.1.5322.19 which is
... enterprise(1) padl(5322) gssKrb5Extensions(19). The OID we were camping
on belongs to another party.
As implemented by Jeffrey Altman heim_base_once_f() is a variant of the
"double-checked gate lock pattern". Full memory barriers must be used
when determining whether or not to call SwitchToThread().
Change-Id: I2f8446a56c50a37c921d6e993433c9a3f7488f50
Provide a Windows implementation of heim_base_once that relies upon
InterlockedCompareExchange() and SwitchToThread().
Change-Id: I9cdbda796d1a27fe1e17be63f287b10132858d7f
When __APPLE__ is defined and HCRYPTO_DEF_PROVIDER is not defined,
define HCRYPTO_DEF_PROVIDER to be "cc" so that Apple's CommonCrypto
implementations are used instead of the built-in "hcrypto"
implementations.
Change-Id: I393e5fc3f6c3b9339c96db58d926ff8ea1867cbb
We now fork(2) a number of separate KDC processes rather than a single
process. By default, the number is selected by asking how many CPUs
the machine has. We also have a master process which monitors all
of the children (which do the actual work) and it will restart kids
who die for any reason. The children will die when the parent dies.
In the case of MacOS X, we also move the bonjour code into another
separate child as it creates threads and this is known to play
rather poorly with fork(2). We could move this logic into a
designated child at some point in the future.
We slow down the spawning to one every 25ms to prevent instant crashes
and restarts from consuming all available system time. This approach
may want to be revisited in the future.
The EGD daemon is completely unmaintained and has not seen a release
since 13 years which is not an acceptable timeframe for cryptographic
software. It is not packaged in any linux distribution I know of
and definitely not in *BSD.
LibreSSL has already dropped support for RAND_egd.
A careful code review was undertaken, and it was determined
that the best way to store the extended attributes was in a
native ASN1 encoded field. LDAP does not understand the
SEQUENCE of SEQUENCE structures used extensively throughout
the extended attributes structure, and there was already a
precedent set for storing the krb5Key data in a native ASN1
encoded field.
Change 29f6290fe6 removed the
PA_ClientCanon* ASN.1 functionality but failed to remove the generated
symbols from the Windows export list.
Change-Id: I9a46532ed7d8612fbc597dec9848505d4b440e09
A backend can return this if asked with HDB_F_GET_CLIENT|HDB_F_FOR_AS_REQ
for a KRB5_NT_ENTERPRISE_PRINCIPAL record or for HDB_F_GET_SERVER | HDB_F_FOR_TGS_REQ.
entry_ex->entry.principal->realm needs to return the real realm of the principal
(or at least a the realm of the next cross-realm trust hop).
This is needed to route enterprise principals between AD domain trusts.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This gives the caller the ability to skip the client_name
and only provide client_realm. This is required for
KDC_ERR_WRONG_REALM messages.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
An AS-REQ with an enterprise principal will always directed to a kdc of the local
(default) realm. The KDC directs the client into the direction of the
final realm. See rfc6806.txt.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
FreeIPA can generate tickets with a client principal of
'host/hostname.example.com'.
verify_logonname() should just verify the principal name
in the PAC_LOGON_NAME is the same as the principal of
the client principal (without realm) of the ticket.
Samba commit b7cc8c1187ff967e44587cd0d09185330378f366
break this. We try to compare ['host']['hostname.example.com']
with ['host/hostname.example.com]' (as we interpret it as enterprise principal)
this fail if we don't compare them as strings.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Oid regenerate
The GSSAPI oid C files were originally generated by a perl 4 script that no longer runs on a modern system. Subsequently the C has been manually modified.
These patches update the script to perl 5 and alter its output to reflect the manually changed C.
Because modern perl uses hash randomisation, the order of the oids in the C file is sorted -- otherwise
they will be ordered differently every time, making changes hard to review.
This is generated from lib/gssapi/oid.txt using lib/gssapi/gen-oid.pl,
which sorts the entries to ensure minimal diff churn when an oid is
added or changed.
The lack of effective changes can be seen by sorting both versions, a
bit like this:
$ git show HEAD~~:lib/gssapi/mech/gss_oid.c | sort > /tmp/gss_oid.c-OLD
$ cat lib/gssapi/mech/gss_oid.c | sort > /tmp/gss_oid.c-NEW
$ diff -u /tmp/gss_oid.c*
$ #Nothing to see!
This is of course not a reliable check in general, but works for this
simple file in concert with ordinary inspection.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
As seen in commit cc47c8fa7 (Roland C. Dowdeswell <elric@imrryr.org>,
"Turn on -Wextra -Wno-sign-compare -Wno-unused-paramter and fix
issues"), compilers can be persuaded to dislike a single {NULL} and
prefer {NULL, NULL, NULL, NULL}. That patch altered the C code
directly; here we change the generating file to match.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
These missed out on the rk_UNCONST()ification by virtue of being added
in a parallel branch. In the diagram below, they got added in 02cf28e,
while the rk_UNCONSTs were added in f5f9014.
* cc47c8f Turn on -Wextra -Wno-sign-compare -Wno-unused-paramter and fix issues.
* 3069d80 Merge branch 'master' into lukeh/acquire-cred-ex
|\
| * f5f9014 Warning fixes from Christos Zoulas
* | 02cf28e implement gss_acquire_cred_ex with password support
|/
* 2170219 add more oids
rk_UNCONST amounts to a cast to (void *), removing const.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
The invocation `require "getopts.pl"; Getopts(...)` works in Perl 4,
but not in recent Perl 5.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Some non-GSSAPI implementations that instead try to create compatible packets by wrapping krb5_mk_req()
can trigger a NULL authenticator here. Assume this to be equvilent to specifying an all-zero
channel bindings and some reasonable (fixed) flags.
Original patch by Andrew Bartlett, restructured by Douglas Bagnall
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.
The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
This will shortly be removed from krb5.asn1.
This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.
The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.
Andrew Bartlett based on work by metze to remove it from othert parts of the code
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.
The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.
(Samba commit 9ebd10b3432c271625db9fbc1987759c02b23f83 forward-ported
to Heimdal master by Andrew Bartlett)
This change ensures that our RODC will correctly proxy when asked to provide
a ticket for a service or user where the keys are not on this RODC.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
The resource allocated by krb5_default_default_realm() should be
free()'d by krb5_free_default_realm() instead of plain free()
for better readability.
Signed-off-by: Santosh Kumar Pradhan <spradhan@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
The checking of the KDC signature is more complex than it looks, it may be of a different
enc type to that which the ticket is encrypted with, and may even be prefixed
with the RODC number.
This is better handled in the plugin which can easily look up the DB for the
correct key to verify this with, and can also quickly determine if this is
an interdomain trust, which we cannot verify the PAC for.
Andrew Bartlett
This is required to ensure the client still gets errors like KRB5KDC_ERR_PREAUTH_FAILED, rather than
KRB5KDC_ERR_PREAUTH_REQUIRED, which become a confusing KRB5_GET_IN_TKT_LOOP.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
The following sequence of events results in slave B having a stale HDB:
- slave A connects to master, master dumps HDB for the slave
- kadm5 operations
- slave B connects to master, master sends previously dumped HDB
slave B won't discover any updates until the next transaction.
The fix is simple: the slave should immediately call ihave() after
receiving a complete HDB.
It should be possible to pass a format string of "%.s" to permit
a non-nul terminated string to be used as input. The test of remaining
precision and the test for NUL needs to be reversed to permit this
behavior to function correctly.
Change-Id: I200f9c2886419dc4c3870f5f44bc10e81245f56c
gss_init_sec_context() with input_cred_handle != GSS_C_NO_CREDENTIAL
should NOT proceed if there is no element in the given credential for
the requested mechanism.
It isn't possible to use non-default credentials to init a context with
a mechanism for which the credential doesn't have an element. That's
exactly what was happening here. The code was left commented out to
describe how one might use SPNEGO with delegated credentials:
store them with gss_store_cred(), then acquire them back.
This is needed so that the NTLM GSS mechanism can have a meaningful
concept of default credential (the NTLM key for the default domain found
in the ccache).
Instead of hard coding 10 hours as the default ticket lifetime within
lib/krb5/init_cred_pw.c init_cred(), add a preprocessor macro,
KRB5_TKT_LIFETIME_DEFAULT, that can be overridden at build time.
The value of KRB5_TKT_LIFETIME_DEFAULT is 10 hours if not previously
defined.
Change-Id: I63e729fedee8e8c6f542e4a4665de5f40db34c03
Bugs exposed by 61720a0:
- test_context --client-name=... --mech-type=ntlm ... fails;
- gss_acquire_cred() with desired_mech=NTLM and
desired_name==GSS_C_NO_NAME fails;
- gss_init_sec_context() with non-default cred handle calls the
mechanism even when the given cred handle has no element for the
requencet mechanism.
tests/gss/check-ntlm works by accident: gss_acquire_cred() with
desired_mechs==GSS_C_NO_OID_SET succeeds mostly because there are
Kerberos credentials available, and then the subsequent
gss_init_sec_context() call works because of the third bug described
above.
Solaris'/Illumos' gss_acquire_cred_with_password() does not have
side-effects. MIT and Heimdal have differed, but it's now agreed that
the Solaris/Illumos behavior is correct.
To make a credential obained with gss_acquire_cred_with_password()
available to other processes, use gss_store_cred().
In at least two instances the krb5 cred handle expiration time was misused
as a remaining lifetime. This is not surprising since the field name is
wrong ("lifetime" not "expiration"). This commit fixes the code, the next
commit will rename the field and change its type from OM_uint32 to time_t.
When looking for a ticket, use the capath codepath first when we know
the service's realm: because we might have local policy as to how to get
there.
Then, if that doesn't work, try referrals. (For now unconditionally.)
On Windows if the compiler and C RTL is >= 1400 then the rand_s()
function is available. rand_s() unlike rand() makes use of the
RtlGenRandom() API to produce a random number between 0 and UINT_MAX.
If rand_s() is not available or fails, fallback to rand().
One of the benefits of rand_s() is that no initialization is required
so it will provide random output even if rk_random_init() is not called.
Change-Id: I2768155de744bd49604fc8237728bb205d637f2a
gss_add_cred() with GSS_C_NO_CREDENTIAL as the input_cred_handle should
act like gss_acquire_cred() with desired_mechs containing just the
desired_mech.
This utility, inspired by the old SunOS 4.x intr(8) utility, will be
used to start daemons with --detach and a timeout, like this:
intr -t 5 kdc --detach || { echo failed to start kdc; exit 1 }
This will allow tests to stop having to sleep poll for "started" output
from the daemons they start, allowing them to run faster and to impose a
reasonable timeout on daemon startup.
The default timeout is 3 seconds.
Tests that start daemons have to "wait" for them to start.
This commit makes Heimdal daemons prep to detach (when requested) by
forking early, then having the child signal readiness to the parent when
the child really is ready. The parent exits only which the child is
ready. This means that tests will no longer need to wait for daemons.
However, tests will still need a pidfile or such so they can stop the
daemons.
Note that the --detach options should not be used on OS X from launchd,
only from tests.
Modify the NTMakefile rules for tests so that a failed test does
not prevent subsequent tests from being executed.
Change-Id: I9595ad4a1527feae7c402241bf06ab21a0b76d4a
The library delay loads bcrypt.dll so that it can run on versions of
Windows older than Vista. Remove the compile time checks.
Change-Id: I632b248dcca8b6e40e47011fc11d277e911ff209
The Heimdal kadmind sends bogus keys when the client has 'get'
but not 'get-keys' permission. For some kadmin commands this is
dangerous. For example, ext_keytab could happily write bogus
keys to a keytab when real keys are expected, causing eventual
breakage. Sending bogus keys is important for the kadmin get
command: so it can list the keysets that a principal has.
This patch implements a heuristic detection of kadmin get vs.
ext_keytab, add_enctype, del_enctype, and check commands. If the
client principal lacks 'get-keys' permission, then the server
will fail requests that appear to be from those kadmin commands,
but will continue to serve bogus keys to kadmin get commands.
Thanks to Nico Williams for the idea behind this implementation.
When performing a permission check for a GET operation the
KADM5_PRIV_GET_KEYS privilege should not be assumed to be a pure
superset of KADM5_PRIV_GET. If the "get" permission is denied the
user cannot get an entry with or without key data.
kadmin should not permit a modify that stores invalid keys into the
database. Accepting bad key data into the database will result in
errors when those keys are eventually used.
This change does not address the general case. It does address the
specific case of the kadmin client attempting to store the magic
bogus key since that is trivial to check for and can be unintentionally
returned to kadmind by a 1.6rc2 or prior client. This can happen when
a user has get privilege but lacks the new get-keys privilege.
Change-Id: I44795e6428472b75ab1e4257ce7cb9160f0299f5
If any of the keys returned by kadmin are the magic bogus key
generate a warning to the user that they are missing the git-keys
privilege.
Change-Id: I235b87eeb2f81e8fd8c8481154d613e92a7e11e2
If kadmind returned bogus keys it means that the user lacks the
get-keys permission. Generate a warning and exit.
Change-Id: Ib76dd86b65bd84a00f3e27c245b9cfc0173fff56
If kadmind returned bogus keys it means that the user lacks the
get-keys permission. Generate a warning and exit.
Also use calloc() to allocate the new_key_data.
Change-Id: I21b697e2ff5adf753b1cfe698877b3f593bbea9e
Introduce kadm5_all_keys_are_bogus() and kadm5_some_keys_are_bogus()
which will be used in later changes.
Change-Id: I3a07ffe07bee7d6eb17c3d2eae91c107e0bac255
krb5_get_credentials_with_flags() and krb5_get_creds() do not store
obtained TGTs if the KRB5_GC_NO_STORE flag is set.
Change-Id: Ie999ec4e985463ff60e9d499c3e870880033dfa7
In get_cred_kdc_capath_worker() if the credentials obtained by
get_cred_kdc_address() does not exactly match the requested service
principal discard them and return KRB5KC_ERR_S_PRINCIPAL_UNKNOWN.
Change-Id: Iaeacd07f87374f64e3a7bb860adfeb2dc9550fd1
Prior to this change _krb5_get_cred_kdc_any() would include TGTs obtained
via KDC referrals in the "*ret_tgts" array returned to the caller. The
caller typically stores these TGTs in the active credential cache.
However, referrals TGTs must not be cached or reused for any request
beyond the one it was issued for. The referral is for a specific service
principal and the resulting TGT could include service specific AuthData.
The referral might also direct the client along a transitive path that
is specific to this service and not applicable in the general case.
This change removes the *ret_tgts parameter from get_cred_kdc_referral()
so that the obtained TGTs are never returned to its caller. This also
prevents these TGTs from being used by any subsequent call to
get_cred_kdc_capath().
Change-Id: Iacc76c5b1639af3cf6bf277966cfd1535dd1e84d
Prior to this change hdb_unseal_keys_kvno() could return successfully (0)
if the choice_HDB_extension_data_hist_keys extension was found but the
hist_keys list was empty. As a side effect callers would believe that the
provide hdb_entry keys were unsealed when they weren't. This could cause
the KDC or kadmin to report invalid key size errors.
If the extension is present and the history list is empty attempt to
unseal the provided hdb_entry using hdb_unseal_keys_mkey().
Change-Id: I9218b02bccdbcf22133a9464a677374db53ade85
The KDC's _kdc_db_fetch() cals the database's hdb_fetch_kvno() to obtain
one or more decrypted versioned key sets. The KDC either requires one
specific key set if a non-zero key version number is provided or all key sets.
The key version zero indicates that the latest key version should be used.
Prior to this change the KDC called hdb_fetch_kvno() with the
HDB_F_KVNO_SPECIFIED flag when the kvno is zero breaking cross-realm
with Active Directory.
As of this change, HDB_F_KVNO_SPECIFIED is set for a non-zero kvno and
HDB_F_ALL_KVNOS is set otherwise.
Change-Id: I32f4d8da9b601d7bbec7d80cc34d0ff94f6670be
In gsskrb5_accept_delegated_token() it is wrong to store the delegated
credentials in the default ccache by default. When the caller does not
provide a target credential handle, we just do nothing and return success.
Test the return value of gsskrb5_accept_delegated_token() against
GSS_S_COMPLETE, rather than 0.
Delegated or other explicit credentials were mishandled, the code only
worked correctly when processing default credentials. In particular
this caused root's default credential cache to be accessed when accepting
delegated credentials in SSH:
ssh_gssapi_accept_ctx() ->
ssh_gssapi_getclient() ->
gss_inquire_cred_by_mech()
When /tmp/krb5cc_0 contained expired tickets, cascaded credentials
stopped working for non-root users!
Add an implementation of memset_s to roken.
Some optimising compilers may remove the memset() instruction when it
is used immediately before a free, which defeats its purpose if the
intention is to zero memory before returning it to the heap or stack.
C11 added memset_s, provide a fallback in roken so that memset_s can
be used on all platforms.
Previously getenv("KRB5_KTNAME") happened in
init_context_from_config_file()
which would capture the environment value as an override without
using strdup() to get a private copy, so it would get trashed in
applications that dynamically update the environment (e.g. Perl
code that has a tied %ENV).
The patch delays getenv("KRB5_KTNAME") until the context's value
of default_keytab is actually needed, and the environment can preempt
the context's default at that time.
[ Do we need to worry about issuid() being true initially when the
context is created, but not later, because the application changes
both the real and effective uid? If so the issuid() state should
be saved when the context is created and the saved value queried. ]
On any OS with a properly implemented getaddrinfo() this change is a
no-op. Passing NULL for the hint is supposed to be the same as an
addrinfo structure with all fields set to 0. There is no need to set
ai_family to AF_UNSPEC because that value is already 0.
GNU libc doesn't follow standard behaviour. Quoting from
http://man7.org/linux/man-pages/man3/getaddrinfo.3.html :
"Specifying hints as NULL is equivalent to setting ai_socktype and
ai_protocol to 0; ai_family to AF_UNSPEC; and ai_flags to
(AI_V4MAPPED | AI_ADDRCONFIG). (POSIX specifies different defaults for
ai_flags; see NOTES.)"
The NOTES section says:
"According to POSIX.1-2001, specifying hints as NULL should cause
ai_flags to be assumed as 0. The GNU C library instead assumes a value
of (AI_V4MAPPED | AI_ADDRCONFIG) for this case, since this value is
considered an improvement on the specification."
The patch makes sure that krb5_parse_address works consistently on both
GNU libc and systems that follow POSIX.1-2001 to the letter. Some
incorrect Fedora 17 patches managed to break IPv6 connectivity and were
later backed out (see discussion at https://bugzilla.redhat.com/808147).
This patch resolves the incompatibility.
Signed-off-by: Ken Dreyer <ktdreyer@ktdreyer.com>
Commit ad7e54d698 introduced the use
of _krb5_expand_path_tokens() to expand tokens (and on Windows convert
path delimiters) within credential cache names. This is safe to do
for the path based credential cache types FILE, DIR and SCC but on
Windows is unsafe for the non-path types.
For example on Windows, the API credential cache names are often based
on the principal name and the principal name is parsed from the ccname.
This practice was introduced with the version v2 ccapi when there was
no method of enumerating the caches from the krb5 library.
This change adds a "filepath" boolean parameter to _krb5_expand_path_tokens()
which is set to TRUE (non-zero) when the input is a file path and FALSE
(zero) when the input is not a file path. _krb5_expand_path_tokens() will
only perform directory separator normalization on Windows when the
"filepath" parameter is TRUE.
This change is not the preferred solution because it requires that the
library be aware of all credential cache types that use path based
residuals. The preferred solution would require that the credential cache
implementation indicate whether or not it uses a path based residual.
This change has been implemented using a prefix test and not a change to
struct krb5_cc_ops because existing ccache plugins will not know how to
advertise their use of path based residuals and that path expansion is
safe.
Change-Id: I8135991e8ce69fc5273d381ea9c2078bc2bcd19a
_hc_CryptProvider() returns a global handle to a Win32 Crypt Provider.
If the global handle is NULL, then a handle is allocated. Unfortunately,
due to a coding mistake the global handle variable, g_cryptprovider, was
never set and a new handle was allocated with each call.
Refactor the function to ensure that the global handle is the value
that is returned. Use NULL instead of 0 for pointer assignment.
Change-Id: If1ef3aa19cbd1d51860370db24c086e86922ff0d
Add support for the "rxkad-kdf" protocol for deriving rxkad session keys
from non-DES Kerberos session keys. This allows rxkad to be used in
realms where the KDC is unwilling or unable to issue tickets with
single-DES session keys.
This fixes a segfault if the _kdc_db_fetch function does not find
the entry in the database (the entry pointer will be NULL if entry
is not found).
Signed-off-by: Samuel Cabrero <scabrero@zentyal.com>
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
RFC6112 provides a method of computing a session key when the PKINIT DH
is used, and mandates it for anonymous pkinit. The session key is computed
using KRB-FX-CF2 from the reply key and a random key chosen by the kdc.
The random key is provided to the client, which is supposed to verify
that the session key was computed this way.
rfc6112 requires kdcs implementing anonymous PKINIT to include an
empty PKINIT-KX padata in PREAUTH_REQUIRED messages.
Including this improves compatibility with MIT kerberos.
The KDC Option and Ticket Flag for the anonymous extension were changed
from 14 to 16 due to a conflict with S4U2Proxy in version 11 of the anonymous
draft (now RFC6112). Fix the definitions
A comparison of (len > len + 1) is permitted to be optimized out
as dead code because it can't be true. Overflowing is an exceptional
condition that results in undefined behavior. The correct conditional
is (len == SIZE_MAX) when len is size_t.
Change-Id: Ia5586556a973d9fa5228430c4304ea9792c996bb
When running as a service under systemd, kadmin cannot successfully use
setpgid(). The call fails with EPERM. Do not treat this as a fatal
error; instead, allow kadmind to continue starting up.
Provide a new internal function called get_switched() to encapsulate
the algorithm for selecting a credential cache when the selected
ccache type supports switching. There is no change in behavior for
UNIX which always calls krb5_cc_new_unique(). However, on Windows
alternate behavior is provided when the ccache type is API or MSLSA.
For the API ccache the default ccache name is stored in the Windows
registry which is shared across all logon sessions belonging to a
user. For users that are members of the Administrators group this
includes both the UAC restricted and elevated sessions sharing the
same desktop. It is very disconcerting when the elevated session obtains
credentials for the same client principal as the restricted session
and then all apps in the restricted session lose access to their
credential cache. For Windows, the API credential caches are named
after the principal that is stored within them. It provides for a
better end user experience.
For the MSLSA ccache tickets belonging to multiple principals are
all stored within the MSLSA ccache. As a result, all attempts to
switch ccache names default back to the one and only one name.
Change-Id: I7865cd044cff01ff38ab107ec0961e42788fa073
Now that test_fx checks 1DES keys, we need to call allow_weak_crypto on
the test's context.
Without this fix, "make check" was failing with the following error:
lt-test_fx: krb5_crypto_init: Encryption type des-cbc-crc not
supported
The hdb_ldap_create and hdb_ldapi_create prototypes use the "static"
keyword, but the functions themselves are not implemented as static.
Heimdal's buildsystem dynamically adds function declarations to
hdb-protos.h based on the actual function implementations. Those
declarations in hdb-protos.h are not declared as static.
Since the build system generates the declarations dynamically, just
remove them from hdb-ldap.c.
When we added the get-keys privilege we lost the ability to setup
keytabs with the kadmin ext command. The fix is to note that we got
bogus key data and randkey (as we used to).
(rebased on current Heimdal by abartlet)
The error Coverity complains about is in the malloc. krb5_enctypes is
an enum, so it is usually smaller than the size of a pointer. So we
overallocate, but in the memcpy further down we copy from potentially
invalid memory.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov 13 11:05:44 CET 2013 on sn-devel-104
In the error case without EXTRA_ADDRESSES we access ignore_addresses
without initialization
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This makes sure config.h gets includes first.
This should fix the build on AIX.
metze
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jun 17 16:16:24 CEST 2012 on sn-devel-104
This should fix the build on AIX.
metze
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jun 16 23:59:07 CEST 2012 on sn-devel-104
This is a static const struct and the name is never used,
so just make it an anonymous struct.
This hopefully fixes the build on AIX:
"../lib/roken/roken-common.h", line 276.9: 1506-236 (W) Macro name __attribute__ has been redefined.
"../lib/roken/roken-common.h", line 276.9: 1506-358 (I) "__attribute__" is defined on line 45 of ../lib/com_err/com_err.h.
"../lib/krb5/expand_path.c", line 331.21: 1506-334 (S) Identifier token has already been defined on line 98 of "/usr/include/net/if_arp.h".
"../lib/krb5/expand_path.c", line 390.43: 1506-019 (S) Expecting an array or a pointer to object type.
"../lib/krb5/expand_path.c", line 391.31: 1506-019 (S) Expecting an array or a pointer to object type.
"../lib/krb5/expand_path.c", line 392.20: 1506-019 (S) Expecting an array or a pointer to object type.
"../lib/krb5/expand_path.c", line 392.48: 1506-019 (S) Expecting an array or a pointer to object type.
"../lib/krb5/expand_path.c", line 393.39: 1506-019 (S) Expecting an array or a pointer to object type.
Waf: Leaving directory `/opt/home/build/build_farm/samba_4_0_test/bin'
Build failed: -> task failed (err #1):
{task: cc expand_path.c -> expand_path_52.o}
gmake: *** [all] Error 1
metze
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jun 16 15:20:59 CEST 2012 on sn-devel-104
This handles referrals for SPNs of the form
E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/REALM, which are
used during DRS replication when we don't know the dnsHostName of the
target DC (which we don't know until the first replication from that
DC completes).
We use the 3rd part of the SPN directly as the realm name in the
referral.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
It is necessary to use the RFC3961 random_to_key operation when
creating a key from a bitstring.
Signed-off-by: Nicolas Williams <nico@cryptonector.com>
RFC 3961 says the simplified profile PRF should truncate the hash
output to "multiple of m", which MIT krb5 interprets as the largest
possible multiple of m. RFC 6113 appendix A also uses that
interpretation for the KRB-FX-CF2 test vector. So the DES3 PRF should
truncate the 20-byte SHA-1 result to 16 bytes, not 8. Also make
krb5_crypto_prf_length work with DES3 by giving the DES3 enctype a
non-zero PRF length.
Signed-off-by: Nicolas Williams <nico@cryptonector.com>
It is much easier (i.e. actually possible) to debug transit path policy
violations when the logs specify the client and server realms, not just
the transit realm.
The problem is that fcc_get_cache_next() is called in a context where
context->default_cc_name is not set. We should call
krb5_cc_default_name(), and that fixes the problem. There's a comment
warning that this can result in reentering krb5_cc_cache_match(), but
nothing in libkrb5 calls krb5_cc_cache_match(), so the comment is wrong,
at least in the github tree.
An alternative would be to call krb5_cc_set_default_name(NULL) in
kuser/kinit.c before calling krb5_cc_cache_match(), however, that seems
like an insufficiently general solution. Also, the semantics of
krb5_cc_cache_match() would differ from MIT's -- it seems better to
match MIT's semantics.
Add a version of usleep() which is capable of sleeping in one
millisecond increments instead of microseconds.
Change-Id: I173f7e6f91a947cdb66f7cc6df5520e1c03f10b7
openpty() is not available on all Linux distributions. Trust autoconf's
determination for HAVE_OPENPTY instead of unconditionally using
openpty() on all Linux.
The pop3, telnet and rsh/rcp support was removed from the tree in
e55b0d0ca5. Delete the corresponding
Makefiles so autoconf doesn't try to look for them.
hx509_ca_tbs_set_signature_algorithm was added by commit
c69c4634ad. It must be exported
for use by hxtool on Windows.
Change-Id: I14b927abde96814ae2e0a90f232ab00915a9f29e
comment the HAVE_DLADDR preprocessor #else and #endif
because they are so many lines apart.
indent the strrchr() call after the _Win32 block to demonstrate
they are related.
Change-Id: I112dc91b350b277cdb1dc1cd3ccd8f31a2084409
On Windows a file descriptor is an int value allocated by the
local module instance of the C Run Time Library. A socket handle is a
SOCKET value allocated by a Winsock Provider for the requested family and
protocol. These two values cannot be mixed and there is no mechanism for
converting between the two. The _get_osfhandle() and _open_osfhandle()
functions can work with a standard HANDLE (file, pipe, etc) but cannot be
used for a SOCKET.
The Heimdal krb5_storage_from_fd() routine counted on the osf conversion
functions working on SOCKET values. Since they do not any attempt to call
krb5_storage_from_fd() on a socket resulted in an assertion being thrown
by the C RTL.
Another problem is SOCKET value truncation when storing a 64-bit value
into a 32-bit int.
To address these problems a new krb5_storage_from_socket() routine is
introduced. This routine setups a krb5_storage that stores a socket value
as a rk_socket_t and provides a set of helper routines that always use
network ready functions.
The krb5_storage_from_fd() routines no longer use net_read() and
net_write() but provide helpers that follow their logic so that pipes can
be processed.
All call sites that allocate a socket now store the socket as rk_socket_t
and call krb5_storage_from_socket().
All locations that previously called the bare close() on a socket value
now call rk_closesocket().
Change-Id: I045f775b2a5dbf5cf803751409490bc27fffe597
kadm5_c_destroy did not use rk_closesocket when cleaning up
the context. This results in an exception on Windows since a
socket is not a file descriptor.
Change-Id: I9ebddad61f0199acb495a0773925df4f41e4fef2
In the previous implementation when .k5login or .k5login.d existed
and k5login_authoritative was false, no further plugins were tried.
Also when k5login_authoritative was true and .k5login did not match,
the directory was never tried.
mechanism credentials created by dynamically loaded mechanisms do not work
because the gm_mech_oid field is unset for such mechanisms (instead, only
gm_mech.gm_mech_oid is).
In order to support plugins for kadmin that use libkadm5srv, the
libkadm5clnt library has to be versioned to avoid hijacking all
of the function calls that should go to the server library. Omit
the _kadm5_ clients from the public interface, and version
everything else.
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
kx509 fails to create certs for principals with slashes in them. For
example:
client% kinit foo/admin
foo/admin@EXAMPLE.COM's Password:
client% kx509
Timed out waiting on KCA
The KCA reports: "Principal is not a user." However, there is a use
case set out in this post:
https://thestaticvoid.com/post/2012/10/25/protecting-puppet-with-kerberos/
that would create a kx509 cert for a host principal for authenticating
against a secure HTTP service. This commit modifies the certificate
creation code to allow principals with slashes in them.
The TGS was incorrectly using authtime to compute renew_till for new
tickets, which was in turn leading to endtime potentially being equal to
starttime, which caused the TGS to return KRB5KDC_ERR_NEVER_VALID.
This happens when the TGT renewal lifetime is longer than the max renew
lifetime of any other services, after that much time (target services'
max renew life) passes. The TGT is still good but TGS-REQs fail.
This makes it easier to install Heimdal and MIT kerberos on
the same system by just providing the heimdal-krb5.pc file;
the krb5.pc file is provided by both.
This is similar to what's done with heimdal-gssapi.pc/krb5-gssapi.pc.
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
The first enctype RFC3961 prf output length's bytes are correct because
the little- and big-endian representations of unsigned zero are the
same. The second block of output was wrong because the counter was not
being encoded as big-endian.
This change could break applications. But those applications would not
have been interoperating with other implementations anyways (in
particular: MIT's).
The use of the wrong value for the length of ":mkey=" was identified
by Brian May and reported via github:
https://github.com/heimdal/heimdal/issues/40
Change-Id: I0aed86a5bb0359b7a266369076fde5e62f23b5fe
In order for the 64-bit FULL installer to install both the 64-bit
and 32-bit versions of gssapi.dll a merge module needs to be created
so that both versions can exist within the same install package.
Change-Id: Iaa979556e1691d3906e497f87e7d12cd89b1d980
When installing the gssapi.dll within the Heimdal\bin directory
make sure to install the version that has the assembly manifest.
Otherwise, the DLL cannot find the heimdal.dll.
Change-Id: Idd6f8f00db718f8a764e1cfa9d06d188ab22a313
gssapi.dll is supposed to be implementation agnostic. No version
numbers and no manifest required to load it. In addition to the
version that is installed as part of the assembly also include a
version that can be discovered by LoadLibrary() via PATH search.
Change-Id: I1865dd2ecec208745a40e699837bd2a888341a31
Modify the signature of mp_find_prime() to permit the number of
Miller-Rabin rounds to be specified. In addition, valid responses
now include MP_NO, MP_YES, and MP_VAL which is returned when
mp_prime_is_prime() fails.
Change-Id: I0195129a4dd75875e6dddb6d49a5ceb30afb1a17
libtommath protects the inclusion of functions by wrapping their
declarations by CPP #ifdef tests and defining the matching macros
within libtommath_class.h.
Add missing macros:
BN_MP_FIND_PRIME_C
BN_MP_ISPRIME_C
Change-Id: Ic577300114f8e88d7a3af3d9f717a249d57f03b1
As pointed out by Steffen Jaeckel [https://github.com/sjaeckel],
within bn_mp_prime_next_prime() t <= PRIME_SIZE as per the check
at the top of the function. Remove the unnecessary comparison in
a for loop conditional.
Change-Id: I868bee1a7a019e0ab06bf2b81cc71cf66ca9acff
C++ does not permit struct names and typedef names to be the same.
Rename
struct krb5_name_canon_rule to struct krb5_name_canon_rule_data
and
struct krb5_name_canon_iterator to struct krb5_name_canon_iterator_data
Change-Id: I92766e0878bf0beef92de1649baf9e5cafbf86aa
Since the memory is allocated inside the Kerberos library, it
should be freed by code inside the same library. free, as
previously recommended, therefore doesn't seem appropriate.
Instead, recommend krb5_xfree, which exists for this purpose.
krb5_set_default_realm.3 man page update
Change-Id: I11d119edf03148cbdc654480c72ddffb540084ec
Programs like sshd may create or access a ccache with
ruid != user's UID, euid == user's UID.
Set-uid-0 programs (ob reminder: they start life as ruid == user's UID,
euid == 0) shouldn't unintentionally access ccaches. Therefore we
shouldn't check both of ruid and euid, just euid.
Eventually we'll need to make sure that a) libroken's stdint.h defines
the max integer types, b) the libroken *printf()s can handle all the
standard length and conversion specifiers.
Create a heimdal-version.mak include file which can be included
in third party installer makefiles to determine which compiler and run
time library type was used to build the merge modules. It is the
responsibility of third party installer packages to include the Visual
Studio CRT merge modules that are required for execution.
Change-Id: Icec2f47755ef7cc5f7dde2e0426603dece7e4933
This reverts commit a759e5091f.
The policy assembly is now skipped on XP from within the policy assembly
itself so it can be safely installed elsewhere.
A bug in Fusion on XP causes downlevel issues with upgrade. The long
term fix is to duplicate the Fusion behavior. For now we just suppress
the install on XP
On XP there is a bug which prevents two installers from including a
policy assembly of the same name. Policy Assembly names are
<Product>.<Major>.<Minor>
For now do not install the policy assembly until we have a work around
for XP or a method of conditionally not installing the policy on XP.
Change-Id: If92bea3c625e6124eb64c2bcc3e5008a58f04404
When building a multiplatform installer 64-bit Heimdal.Command.msm
should not include the 32-bit components.
Change-Id: I5a3545d50edb69e982ea6b2febb45637764a8ca2
NTMakefile.version defines company names and build options.
Do not require third parties to commit their modifications
within the Heimdal repo.
Change-Id: Ifb4d82e05f40023a2c29bd5cb4c3445c0bd876d3
Remove third party plugins from installers now that they must be part
of the assemblies.
Add support for thirdparty heimdal-assemblies.wxs and heimdal-policy.wxs
files.
Change-Id: Idb29ebcf39b14ebcd2b01dc8c53b9bb7fbb8eaab
Note that the explanation of how to set CODESIGN_PKT is located
in windows/README.
Remove dead code.
Add an @arch@ substitution rule which is replaced by either "32" or "64"
depending upon $(CPU).
Change-Id: Ia009209aa7837109669172dcd841db846dcc9127
Windows file resources can be marked as Private, Special, Debug
and Pre-release. Extend the Heimdal Assembly name to include
designations for these various build options to ensure that
private, special, debug and pre-release builds do not conflict
with the assembly name reserved for public releases. This permits
a private, special, debug and pre-release build to be installed
side-by-side with the final release without interference.
Change-Id: I569ce2ff911ddbaebd81ba2e8b477ba6fb520502
patchset b9d7e33a2f introduced some
garbage at the beginning of the include/NTMakefile. remove it.
Change-Id: Ia24ea3a03aa9ed10b8076112b6486e23f1c36b7c
The multiplatform installer must include the 32-bit command
merge module. When Heimdal.Command was split out into a separate
merge module it was left out.
Change-Id: I07b06d6dfff66e61869f1d8c81bb0f1bce281501
LoadLibrary() is unable to load DLLs which are being loaded from
a global side by side assembly directory. Instead, use
LoadLibraryEx() with LOAD_WITH_ALTERED_SEARCH_PATH
This permits a DLL to be loaded from the WinSxs tree when a fully
qualified path is provided.
Change-Id: I0e5da1a8610c6b571f73c0e7b0beabeecbbb3b77
Quote path names in case there are ever spaces
Prepend $(MKDIR) rule is "-" to avoid failures if the output
directories already exist.
Change-Id: I1e5cfb408042617a73edeeae99eb269a061ba61d
Heimdal plugins are not safe on windows. Plugins are bound to a
specific assembly and if the plugin assembly is not the same as
the Heimdal DLL that is loading the plugin heap corruption will
occur.
Change-Id: Icf43a989684c4aacd3c4a225482a9bed9b60e29d
Patchset 1ad02ec31a removed the
createAndRemoveOnUninistall actions from a number of registry keys.
Get the same behavior with the ForceDeleteOnUninstall Wix 3.x Attribute.
Change-Id: I8c0623fa39055844d10035cbffb3870cc2d39ec6
It's not ready to always be run. First, it's slow. Second, it tortures
the system. Third, it doesn't look for signs of failure. Fourth, if it
did it'd fail: because something about the racing is causing the KDC to
think that the foo principal doesn't exist.
We *really* need a ccache instance ID tag. In fact, we should probably
never krb5_cc_initialize() a ccache that doesn't have such a tag. But
for now cred_delete() is now safe enough.
If we're racing enough we could complain about symlinks where there were
none. This was very surprising. Make it surprise less.
We should really #ifndef O_NOFOLLOW that code chunk too, for the obvious
reason that we don't need to worry about symlinks if we have and use
O_NOFOLLOW.
Also, since all uses of fcc_open() use O_NOFOLLOW we should move that
into fcc_open(). Ditto O_BINARY and O_CLOEXEC.
Patchset 58ff480763 calls write() and read()
on rk_socket_t objects which on Windows are SOCKETs not C RTL file
descriptors. This patchset uses krb5_net_write() and krb5_net_read()
in place of the direct write() and read() operations.
Change-Id: I3f7d4756357d432e4e62910f9a36824eb188b6e4
Windows plugins must be loaded from the same directory as the
heimdal.dll in order to ensure that "DLL Hell" is not revisited.
Since plugins cannot be grouped in a directory by "module" name
the plugins must have a name of the form:
plugin_<module>_<name>.dll
Construct the "plugin_<module>_" prefix string dynamically and
test for both the prefix and the ".dll" extension when building
the list of plugins to load.
Change-Id: I0ff7bf7287f8fb38061c226f0844d7d0f1fb59ec
rename callback() to cc_plugin_register_to_context() and document
its purpose.
The parameter that is the cc_ops structure is 'plugctx' not 'plug'.
This is critical because 'plug' is the common_plugin_model structure
and casting the wrong object leads to random behavior including
crashes.
The test to exit without action was reversed.
With these changes ccache plugins can be registered on each
krb5_init_context() operation.
Change-Id: I295ea91759f69b36ac13b1bfff87306d40df4a26
Windows treats '\\' and '/' equivalently but we cannot control
the form that will be used by end users. Introduce ISPATHSEP()
macro which tests only for '/' on UNIX and both on Windows.
Introduce ISTILDE() macro to test for '~'. When testing for
'/' with strchr() or strrchr() add conditional checks for '\\' on
Windows.
Change-Id: Ia85e698fc88f15a6a71db649db5417f02ef7e5fe
st_dev and st_ino are not set in a consistent fashion by stat()
and fstat() so disable the symlink test.
disable the open group/other readable test because st_mode
cannot be used to perform such a test on Windows.
Change-Id: I1b68c672f882018def7e6d40d4bc7f7add58df36
Do not look for plugin DLLs in either
$ORIGIN/../lib/plugin/krb5
$ORIGIN/../lib
Only look for plugin DLLs in $ORIGIN
Change-Id: I432cd81720b172e7451601b56ea7bba3c03d7d47
Execute tests that were built on Windows but previously skipped.
Remove the duplicate build rules for test-rfc3961.exe.
Change-Id: Icc84c07a33afbdc6ffa509222a3c81de35168eaf
Rely on roken to determine which random function should be
used.
Rename parameter "rand" to "randbytes" to avoid collision with
functions named "rand()".
Change-Id: Ic07cf149daef1cd568b58277773fbe27aef04f7b
With roken.h at the end of the include list two different versions
of Winsock get imported on Windows. roken.h should always be
immediately after config.h if included.
Change-Id: Id3f6761028ddaa5b44183fe6648c5ab292ca8865
Normally one would dlopen() a shared object's basename, not its absolute
path. However, lib/krb5/plugin.c, in an effort to be zero-conf-ish,
wants to readdir() to find plugins to load, and in the process it ends
up defeating the RTLD's search-the-caller's-rpath.
This commit partially addresses this by allowing the use of $ORIGIN in
plugin_dir values and using them for the default (except on OS X).
This allows multiple Heimdal versions installed on the same host, but
with different plugin ABIs, to co-exist. A step forward for doing make
check on hosts where Heimdal is installed.
For now we hardcode $ORIGIN/../lib/plugin/krb5 (linux, Solaris, *BSD),
or $ORIGIN (Windows; for assemblies objects need to be in the same
directory) and we eval $ORIGIN by using dladdr() (Linux, Solaris) or
GetModuleHandleEx() (Win32, via a dladdr() wrapper in libroken) to find
the path to libkrb5 whose dirname to use as $ORIGIN. For Windows,
because we need the plugins to be in the same directory as libkrb5, we
require a prefix on plugin DLLs ("plugin_krb5_") to distinguish them
from other objects.
We should add a special token to mean "look in $ORIGIN, sure, but
dlopen() the plugin basenames only (so the RTLD can search the rpath)".
For hx509.texi, we need the copyright macros for both html and info.
Just remove the "ifhtml" conditionals.
For whatis.texi, texinfo 5.1 inserts the sub{} macro inline with no
newlines, so there are errors about @html not being at the end of a
line, etc.
rk_mkdir() should not be redefined to mkdir() nor should mkdir()
be redefined to rk_mkdir() when compiling lib/roken/mkdir.c
Change-Id: I329fd2eb5794548635d33218a65df8958746a6f9
The default heimdal KDC chokes when trying to encrypt a ticket with a weak
server key that has a different type than the session key. The problem
happens in the krb5_crypto_init function called from the _kdc_encode_reply
function.
The existing work-around of the problem temporarily enabled the weak
enctype in case it was disabled but the principal was on the (hard-coded)
exception list.
Unfortunately the code used the keytype of the key encoded in the ticked
(the session key) instead of the keytype of the key used to encrypt the ticket
(the serverkey) thus enabling the incorrect encryption type if those two
are different, for instance des-cbc-md5 and des-cbc-crc.
Change-Id: Ia55dc344e3e5fc9ec1eb93c9e8ebb0a58c673d57
if the query is "preauth" and the caller is seeking a Key, search
try to find a Key that has the default salt but do not exclude keys
that have a non-default salt.
Move the assignment of 'ret' and 'enctype' before the preauth
default salt test. If the only key of the given type is the non-default
salt key, it should be used.
If the caller is not seeking a Key, do not bother with the preauth
test at all since the Key itself doesn't matter and we are simply
seeking an enctype.
Change-Id: I7cd37c579c0bfdd88bccfbc9eb5e5f55cd1910cb
As part of the keytype validity checks within _kdc_get_preferred_key
_kdc_is_weak_exception must be used to permit the afs/* principals
to have only DES in the key list.
Change-Id: I70801ce9b8c4d3f057542541ce11e06d195efd52
If _kdc_find_etype() is being called with 'ret_key' != NULL, the
caller is attempting to find an actual principal key. If 'ret_key'
is NULL then it is seeking a session key type. Only return an enctype
that is not in the principal key list unless 'ret_key' is NULL.
As part of this change remove 'clientbest' and the associated
logic as it is both unnecessary and can produce an enctype for
which the key cannot be returned.
Change-Id: Iba319e95fc1eac139f00b0cce20e1249482d2c6f
The 'use_strongest_session_key' block and its alternate should
have similar behavior except for the order in which the enctype
lists are processed. This patchset attempts to consolidate the
exit processing and ensure that the inner loop enctype and key
validation is the same.
Bugs fixed:
1. In the 'use_strongest_session_key' case, the _kdc_is_weak_exception()
test was applied during the client enctype loop which is only
processed for acceptable enctypes. This test is moved to the
local supported enctypes loop so as not to filter out weak keys
when the service principal has an explicit exception.
2. In the 'use_strongest_session_key' case, the possibility of an
enctype having keys with more than one salt was excluded.
3. In the 'use_strongest_session_key' case, the 'key' variable was
not reset to NULL within each loop of the client enctype list.
4. In the '!use_strongest_session_key' case, the default salt test
and is_preauth was inconsistent with the 'use_strongest_session_key'
block.
With this consolidation, if no enctype is selected and the service
principal is permitted to use 1DES, then 1DES is selected. It doesn't
matter whether 'use_strongest_session_key' is in use or not.
Change-Id: Ib57264fc8bc23df64c70d39b4f6de48beeb54739
Although rk_mkdir can be provided on all platforms there is no
reason to require that it be used by unconditionally mapping
mkdir -> rk_mkdir
Change-Id: Ic149500037abf446434332bf6ba67dfb3906cd72
- use O_NOFOLLOW
- be more strict not to follow symlinks
- require cache files to be owned by the user
- have sane permissions (not group/other readable)
As kerberos(8) provides a brief outline of this network authentication
system I would suggest extending SEE ALSO to include a few section 8
commands. I have excluded kadmind(8) and kpasswdd(8) as these servers
can be easily reachable from kadmin(8) and kpasswd(8) manual pages
respectively.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
There is no fchmod() implementation on Windows. For now prevent its
use on Windows with #ifndef _WIN32 but in the future set_default_cache()
should be updated to set ownership permissions for the cache file.
Change-Id: I57214dfecbd25d7b337a568fa5e522c0a22dbb76
The Windows version of mkdir() does not share the same signature
as the POSIX version. Add rk_mkdir() with an POSIX compliant signature
to libroken. The current implementation ignores the 'mode' parameter
on Windows but a future implementation could provide the required
functionality with native Win32 APIs.
Change-Id: I084d42e0f27932e9b8131d310dbf34849f5fe4b6
POSIX mkdir (unlike the Windows version) takes a 'mode_t' parameter.
Provide definitions for the mode_t constants.
Change-Id: Ie57e746aa3e579e28f93064ab430f1128508cc84
Windows has neither O_NONBLOCK nor FIOBIO and sockets aren't file
descriptors in any case. Avoid warning that 'flags' is unused in
socket_set_nonblocking().
Change-Id: I431cfae3a88577e75b5230f645639b5a17832f5c
Instead of locally defining prototypes for private functions
_krb5_crc_update and _krb5_crc_init_table simply include
krb5-private.h.
Change-Id: Ia7931f8df2e68eb038d112797edfd456ffcdd23a
If the registry type is NONE and the string is all numeric or
if the type is DWORD, the string is converted to a DWORD and then
stored into the registry as a REG_DWORD using RegSetValueEx().
The input parameter should be a pointer to the DWORD variable not
its value.
Change-Id: I9ff12121c6c17eb5afb2ea89adf8bb9cc6aa3a89
Everywhere that roken is used supports limits.h. The behavior of
roken should not depend on whether or not the including application
includes limits.h before or after roken.h. Include limits.h in
roken.h and be done with it.
Change-Id: Id0be5487c791592dfe722ce880b8400bb16d05b1
unix_seed(), called by the add-seed-data op unix_add(), attempts to
write seed data to the random data device. If this fails, the failure
is ignored, as it must be, since there is no way to inform the caller.
This change modifies the way in which the return value from write(2)
is ignored, to avoid compiler warnings when building on Ubuntu 12.10,
with gcc 4.7.2 and eglibc 2.15-0ubuntu20.1.
If a program does not include limits.h (or includes it after roken.h),
it can end up with PATH_MAX defined to be MAX_PATH, but MAX_PATH
undefined. This causes consumers of PATH_MAX to become unhappy.
Work around this case by only using MAX_PATH if it is available, and
a constant otherwise.
When PAM is configured to use a user_realm that is different from the
default realm, do likewise in kinit with bare user names or the default
principal computed from the login name.
Similarly, when using a keytab, if no realm is specified find the most
suitable match in the keytab file.
- KRB5_PRINCIPAL_PARSE_IGNORE_REALM: MIT compatible
- KRB5_PRINCIPAL_PARSE_NO_DEF_REALM: Don't default the realm
The first ignores the realm if present.
The second does not impute the default realm if no realm is given and
leaves the realm NULL. This will be used in kinit to determine whether
the user provided a realm or not, and if not we may use the user_realm,
or find the realm via the keytab.
Set the realm argument to NULL to get the usual default realm.
The krb5_parse_name_flags() function is now a wrapper around
krb5_parse_name_flags_realm().
This uses a seperate hdb-ldap-secret-file configuration value, which
specifies an external file that may be used to supply the LDAP bind dn
and password. This allows that specific file to be configured with more
restrictive permissions than the global krb5.conf.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Also, we were stopping as soon as one registered plugin returned
something other than KRB5_PLUGIN_NO_HANDLE, but we weren't doing the
same for discovered plugins. Add KRB5_PLUGIN_INVOKE_ALL flag to deal
with this; by default we'll stop at the first plugin that returns
anything other than KRB5_PLUGIN_NO_HANDLE.
Other buglets fixed as in c1423a8.
Commit 9f696b11c2 changed the
behaviour of key expiry for principals that have an sambaPwdLastSet
attribute in LDAP. The change was twofold:
* if "password_lifetime" is not set in kdc.conf a default lifetime
of 1 year is enforced
* krb5PasswordEnd is not honoured.
This patch causes pw_end to be modified only if sambaPwdLastSet
*and* "password_lifetime" is defined in kdc.conf.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
o implement add1() using 32 bit ints, this makes _krb5_n_fold()
about 5% faster on an amd64 platform. 64 bit ints yield a
further improvement but we would need to test the platform
to see if they are natively supported. This should yield
better performance improvements on big endian machines as
we have to byte swap on little endian boxen.
o fix two cases where a malloc(3)d pointer may be dereferenced
before we test that it is not NULL.
All in lib/krb5/n-fold.c:
1. eliminate malloc/free from rr13() because it is always a
buffer of the same size called in a tight loop.
2. eliminate memcpy(3) from rr13() by bouncing back and forth
between two buffers buf1, buf2 instead of performing the
calculation into a tmp buffer and memcpy(3)ing the result
back into buf.
3. eliminate code cases from rr13() that I can visually determine
will never occur but I'm guessing that the compiler can't, i.e.
i. now that we're no longer using malloc(3), rr13()
cannot fail, so make it void and avoid the if in
the calling routine checking its error code. In
case you ask, yes, this made the tests run a little
faster,
ii. rr13() has code for being passed a number of bits
not divisble by 8 but _krb5_n_fold() only passes
an int * 8. So, we eliminate this conditional and
the associated code.
4. we make rr13() take 2 destination buffers and copy the results
into both of them, we use this to eliminate another memcpy(3)
from the calling routine. This appears to make it a bit faster
as well.
In both hx509_cert_init() and hx509_cert_init_data(), there is an
output parameter for the error code but there are cases where the
error is used as a return value instead of the specified hx509_cert.
We fix these issues. We also check if error is non-NULL and only
set the error in this case, allowing the functions to be called
with error == NULL without segfault.
1. in ticket_lifetime() calculate the remaining lifetime
of the ticket rather than the requested lifetime.
2. in renew_func(), attempt to renew if the tickets are
renewable rather than only if --renewable is specified.
3. fix the call to renew_validate() in renew_func() to
specify renewable tickets if the original tickets are
renewable rather than only if --renewable is specified.
4. stop printing constant warnings to the terminal about
how tickets cannot be obtained if they expire, cannot
be renewed and we can't non-interactively obtain fresh
ones. We limit it to a single warning.
5. after the tickets expire, we backoff the requests to
obtain fresh tickets exponentially.
__sync_add_and_fetch is treated as a built in function by the compiler if the return value is not used (as in the autoconf test), but it is treated as a regular function when the return value is used
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
When building with OpenSSL at a custom prefix, some test cases will fail
to compile due to missing include path compiler options. This patch adds
them, as well as defining CPPFLAGS and LDADD for test_expr.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
To stop the errors when building concurrently, we make a number of
changes:
1. stop including generated files in *_SOURCES,
2. make *-protos.h and *-private.h depend on the *_SOURCES,
3. make all objects depend on *-{protos,private}.h,
4. in a few places change dir/header.h to $(srcdir)/dir/header.h,
This appears to work for me with make -j16 on a 4-way box.
OpenSSL_add_all_algorithms() should only be run once per application
or it will cause data structures to expand. It's not a classic
memory leak as all of the memory will be free(3)d when EVP_cleanup()
is called but as we are a library we cannot call this. We provide
a short term fix here which is using heim_base_once_f() to ensure
that we only call it once.
But the long term fix should be to stop using OpenSSL_add_all_algorithms()
entirely because it both has side effects outside our library and
the caller may destroy our OpenSSL global variables by calling
EVP_cleanup() on his own. It is suboptimal to have potential
interactions between our library and other code in this way.
Currently the Heimdal code calls connect(2) on TCP connexions to
the KDC without setting O_NONBLOCK. This code implements a
timed_connect() function which will in the case of SOCK_STREAM
sockets put the socket into non-blocking mode prior to calling
connect and use select(2) to apply the configured timeout to connect
completion. This does not entirely solve the problem of potential
timeouts in the code as it is still possible to block while writing
to the socket. A proper implementation would also likely start
new connexions after a short interval before timing out existing
connexions and return the results from the first KDC which successfully
responds but we did not do that yet.
This patch is from heimdal-1-5-branch patches:
5b55e4429caed27b32aac4bc5930f2672a43f273
6b66321b271ee4672e70ad349ec796dd755cf897
2e12c7f3e8dca7e1696ebd92199617ce413565e7
Squashed together along with a quick shadowed variable warning fix
to allow it to compile with --enable-developer.
krb5_enomem() is a wrapper around krb5_set_error_message() which
is used throughout the lib/krb5 sources. Some of the lib/krb5
sources are imported into third party projects and those projects
must be able to pull in krb5_enomem() without other baggage.
Create a new source file lib/krb5/enomem.c.
Change-Id: Id109386d48e3e2988b705b82525adf4f1fa5ea98
Windows applications become very unhappy when memory is allocated
in one module (exe or dll) and deallocated in another. This is
because each of the C run time library instances uses its own
heap. Mixing allocating in one heap and deallocating in another
will lead to memory leaks and heap corruption. For modules that
build against roken avoid this problem by sharing roken's allocator
with the module that uses it.
Change-Id: I31e35c600a78350b168a281811160696dc327544
This reverts commit cb6f7ea40e.
stdint.h can be included everywhere now that the Windows
platform generates and installs a stdint.h when Visual
Studio does not provide one.
Change-Id: Ia3cab28d7f5806203cd45227765debda54ac7472
The lib/krb5 export lists contained the following functions
that are no longer in the tree:
krb5_425_conv_principal
krb5_425_conv_principal_ext2
krb5_425_conv_principal_ext
krb5_524_conv_principal
_krb5_krb_tf_setup
_krb5_krb_dest_tkt
_krb5_krb_life_to_time
_krb5_krb_decomp_ticket
_krb5_krb_create_ticket
_krb5_krb_create_ciph
_krb5_krb_create_auth_reply
_krb5_krb_rd_req
_krb5_krb_free_auth_data
_krb5_krb_time_to_life
_krb5_krb_cr_err_reply
Change-Id: I1f73768de2f7e9243e4e7a623b54af282ec54641
synchronize the export lists on Windows and UNIX.
When new functions are exported on UNIX or Windows,
the "test" build target on Windows will verify if
the export lists are in sync.
Change-Id: I9df3607983b03ee8dc6fa7cd22f85b07a6cee784
heim_abort and heim_assert are not exported from heimdal.dll.
must link against heimbase to use them.
Change-Id: I57a29b90360f9036723c114f03a95684a4802529
cc-1028 cc: ERROR File = ../source4/heimdal/lib/asn1/gen_template.c, Line = 548
The expression used must have a constant value.
struct templatehead template = { 0L, &(template). tqh_first };
^
If this really fixes the IRIX build, we'll propose this for heimdal upstream.
metze
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
EAFNOSUPPORT is defined by VS2010 errno.h. Use the VS2010
value instead of WSAEAFNOSUPPORT if EAFNOSUPPORT is not defined.
Change-Id: Ie641fd8f212ea1be11811dbb2e0def9fdbac795f
Looks like they defined basename() in string.h and ntohs/htonl are
implemented in terms of __bswap16() which is a macro with tmp
variables and so one cannot embed one call to ntohs/htons in another.
Not good but we workaround this limitation in glibc.
This wasn't having the intended effect because after we #include
config.h and #undef ENABLE_PTHREAD_SUPPORT we then #include other
headers that also #include config.h. I've moved this lower so that
it has the effect that appears to be intended but the correct answer
may be to make it work but this will require #including pthread.h
as the build fails with -Werror when pthread functions are called.
We should not hold locks on the master's database while waiting
for network I/O which may take a terribly long time to complete as
this will block out all writers and could therefore be slightly
problematic. ipropd-master was holding a shared lock on the database
while sending a complete propation to slaves which are out of sync
with the log file. We fix this by writing what we intend to send
in record format into a file hdb_db_dir()/ipropd.dumpfile while
holding a shared lock on the database and then we send the contents
of the file after releasing the lock. We also save and re-use the file
that we generated during future complete propagation events as long
as the log is long enough to get us back to the state previously
dumped.
We can't use O_TRUNC on open because (without O_EXLOCK which is
not portable) we would be modifying the file without an exclusive
lock. So, we drop the use of O_TRUNC and use ftruncate(2) after
obtaining the lock via flock(2).
On NetBSD /bin/sh with vfork() is noticeably faster than /bin/bash,
and in particular the reader manages to read the the database before
slave replication completes.
We add a function to cause krb5_storage's to be sync'd to their backing
store. For memory backed storages, this is a NOP. For files, it calls
fsync on the file descriptor.
Multiple concurrent writers would cause the HDB to become corrupted
as the locking was not sufficient to prevent these sorts of issues
from occurring. We fix this in a similar way to the prior DB1 patch.
Multiple concurrent writers would cause the HDB to become corrupted
as the locking was not sufficient to prevent these sorts of issues
from occurring. We have changed the locking to obtain the appropriate
kind of lock on database open and to hold that lock until the
database closes. We need to do this as Berkeley DB 1.85 will cache
information from the database in memory and if if this information
is updated without our knowledge then our later writes will corrupt
the database. We speculate that there would be issues with a single
writer and reader but did not reproduce them.
Before this change Heimdal could read KDBs. Now it can write to
them too.
Heimdal can now also dump HDBs (including KDBs) in MIT format, which
can then be imported with kdb5_util load.
This is intended to help in migrations from MIT to Heimdal by
allowing migrations from Heimdal to MIT so that it is possible
to rollback from Heimdal to MIT should there be any issues. The
idea is to allow a) running Heimdal kdc/kadmind with a KDB, or
b) running Heimdal with an HDB converted from a KDB and then
rollback by dumping the HDB and loading a KDB.
Note that not all TL data types are supported, only two: last
password change and modify-by. This is the minimum necessary.
PKINIT users may need to add support for KRB5_TL_USER_CERTIFICATE,
and for databases with K/M history we may need to add KRB5_TL_MKVNO
support.
Support for additional TL data types can be added in
lib/hdb/hdb-mitdb.c:_hdb_mdb_value2entry() and
lib/hdb/print.c:entry2mit_string_int().
appl/test/tcp_server and gssapi_server try to open the keytab file only when processing a connection.
This patch verifies the existence of the keytab file on program startup, so that troubleshooting is easier. In addition it adds some comments.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
...rather than the authenticated principal's realm section. We do
this both to maintain compatibility with MIT and because it makes
more sense. We should likely also fix the auth_to_local_names as
cursory inspection reveals that it has the same incompatibility.
The source files generated by compile_et and asn1-compile must
begin with:
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
This permits conditional includes based on HAVE_STDINT_H and
HAVE_UNISTD_H to work.
Change-Id: Iefe25317ac3cb1970793748b8318174bcd7a087f
Commit c04aa9e082 specified the
mutex type, pthread_mutex_t, directly instead of using the
abstraction, HEIMDAL_MUTEX.
Change-Id: Iedfc46163140cf23014d357cc8ccc9f0e6224327
__gss_krb5_mechanism_oid_desc is now defined in gssapi/gssapi_oid.h,
so remove the definition in gssapi/gssapi_krb5.h in favor of including
that header.
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
md2.c was doing memset(m, 0, sizeof(m)), and so was only clearing
the first 4 bytes of the passed md2 structure in MD2_Final. Fix
this to clear the entire structure, as expected.
In most cases stdint.h should be inherited from roken.h.
In those cases where it cannot be, it must be protected by
#ifdef HAVE_STDINT_H
Change-Id: I46cbaeab1d65939468f84179aeeef7e4f898b0bb
We update krb5-config to support --all, --deps, and --vendor. So,
now if you specify --libs, you will only get those libraries that
are required for dynamic linking. If you are linking statically,
you must provide --deps. We also allow multiple libraries to be
specified on the command line for applications that use, say, gssapi
and krb5. And we elide -L and -I args if they have the prefix=/usr
as that's implied. We also update the --help output to be a little
more verbose.
We turn on a few extra warnings and fix the fallout that occurs
when building with --enable-developer. Note that we get different
warnings on different machines and so this will be a work in
progress. So far, we have built on NetBSD/amd64 5.99.64 (which
uses gcc 4.5.3) and Ubuntu 10.04.3 LTS (which uses gcc 4.4.3).
Notably, we fixed
1. a lot of missing structure initialisers,
2. unchecked return values for functions that glibc
marks as __attribute__((warn-unused-result)),
3. made minor modifications to slc and asn1_compile
which can generate code which generates warnings,
and
4. a few stragglers here and there.
We turned off the extended warnings for many programs in appl/ as
they are nearing the end of their useful lifetime, e.g. rsh, rcp,
popper, ftp and telnet.
Interestingly, glibc's strncmp() macro needed to be worked around
whereas the function calls did not.
We have not yet tried this on 32 bit platforms, so there will be
a few more warnings when we do.
This is necessary because some applications actually need or run
better with renewable service tickets. kca is an example
application; AFS tokens are also another example.
The ipropd_slave will log its status to /var/heimdal/ipropd-slave-status
if its connecting, up to date, or disconnected.
The master will now also confirm to slaves that are are in fact up to date
if they just restart, before there was no confirmation, the slave just didn't
get any deltas.
On NetBSD, cgetent has a prototype of ``const char *const *'' for
argument two. Many other OSes have ``char **''. It seems that
gcc will generate a warning if you pass a char ** to it. Casting
the value to void avoids this warning.
getxxyyy.c uses the USER environment variable to determine a user
to test getpwnam_r(). If this variable is unset then the test will
seg fault. We work around this issue by defaulting to ``root'' if
USER is not set. This is not perfect as root may not exist on the
system but given that user does exist on most systems, this is the
best default that we can choose if we have no other options available.
[Code reviewed by Love Hörnquist Åstrand <lha@kth.se>]
Added heim_db_*() entry points for dealing with databases, and
make krb5_aname_to_localname() use it.
The following enhancements to libheimbase are included:
- Add heim_data_t and heim_string_t "reference" variants to
avoid memory copies of potentially large data/strings.
See heim_data_ref_create() and heim_string_ref_create().
- Added enhancements to heim_array_t to allow their use for
queues and stacks, and to improve performance. See
heim_array_insert_value().
- Added XPath-like accessors for heim_object_t. See
heim_path_get(), heim_path_copy(), heim_path_create(), and
heim_path_delete(). These are used extensively in the DB
framework's generic composition of ACID support and in the
test_base program
- Made libheimbase more consistent with Core Foundation naming
conventions. See heim_{dict, array}_{get, copy}_value() and
heim_path_{get, copy}().
- Added functionality to and fixed bugs in base/json.c:
- heim_serialize();
- depth limit for JSON parsing (for DoS protection);
- pretty-printing;
- JSON compliance (see below);
- flag options for parsing and serializing; these are needed
because of impedance mismatches between heim_object_t and
JSON (e.g., heim_dict_t allows non-string keys, but JSON
does not; heimbase supports binary data, while JSON does
not).
- Added heim_error_enomem().
- Enhanced the test_base program to test new functionality and
to use heim_path*() to better test JSON encoding. This
includes some fuzz testing of JSON parsing, and running the
test under valgrind.
- Started to add doxygen documentation for libheimbase (but doc
build for libheimbase is still incomplete).
Note that there's still some incomplete JSON support:
- JSON string quoting is not fully implemented;
- libheimbase lacks support for real numbers, while JSON has
it -- otherwise libheimbase is a superset of JSON,
specifically in that any heim_object_t can be a key for an
associative array.
The following DB backends are supported natively:
- "sorted-text", a binary search of sorted (in C locale), flat
text files;
- "json", a backend that stores DB contents serialized as JSON
(this is intended for configuration-like contents).
The DB framework supports:
- multiple key/value tables per-DB
- ACID transactions
The DB framework also natively implements ACID transactions for
any DB backends that a) do not provide transactions natively, b)
do provide lock/unlock/sync methods (even on Windows). This
includes autocommit of DB updates outside transactions.
Future DB enhancements may include:
- add backends for various DB types (BDB, CDB, MDB, ...);
- make libhdb use heim_db_t;
- add a command-line tool for interfacing to databases via
libheimbase (e.g., to get/set/delete values, create/copy/
backup DBs, inspect history, check integrity);
- framework-level transaction logging (with redo and undo
logging), for generic incremental replication;
- framework-level DB integrity checking.
We could store a MAC of the XOR of a hash function applied to
{key, value} for every entry in the DB, then use this to check
DB integrity incrementally during incremental replication, as
well as for the whole DB.
2012-02-05 16:26:32 -06:00
2076 changed files with 378754 additions and 214967 deletions
- if [ $TRAVIS_OS_NAME = linux ]; then echo "thread apply all bt" > x; find . -name core -print | while read core; do gdb -batch -x x `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done; fi
- if [ $TRAVIS_OS_NAME = osx ]; then find . -name core -print | while read core; do echo bt | lldb --core "$core" `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done; fi
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.DdMarch7,2004
.DtRXTELNET1
.OsKTH_KRB
.ShNAME
.Nmrxtelnet
.NdstartatelnetandforwardX-connections.
.ShSYNOPSIS
.Nmrxtelnet
.OpFllArusername
.OpFlk
.OpFltArtelnet_args
.OpFlxArxterm_args
.OpFlKArkx_args
.OpFlwArterm_emulator
.OpFlbArtelnet_program
.OpFln
.OpFlv
.Arhost
.OpArport
.ShDESCRIPTION
The
.Nm
program starts an
.Nmxterm
window with a telnet to host
.Arhost.
From this window you will also be able to run X clients that will be
able to connect securely to your X server. If
.Arport
is given, that port will be used instead of the default.
.Pp
If setting up the X forwarding failes,
.Nm
will still telnet in to the remote host, but without X forwarding.
.Pp
The supported options are:
.Bl-tag-widthDs
.ItFll
Log in on the remote host as user
.Arusername.
.ItFlk
Disables keep-alives.
.ItFlt
Send
.Artelnet_args
as arguments to
.Nmtelnet.
.ItFlx
Send
.Arxterm_args
as arguments to
.Nmxterm.
.ItFlX
Send
.Arkx_args
as arguments to
.Nmkx.
.ItFlw
Use
.Arterm_emulator
instead of xterm.
.ItFlb
Use
.Artelnet_program
instead of telnet.
.ItFln
Do not start any terminal emulator.
.ItFlv
Be verbose.
.El
.ShEXAMPLE
To login from host
.Vafoo
(where your display is)
to host
.Vabar,
you might do the following.
.Bl-enum
.It
On foo:
.Nm
.Vabar
.It
You will get a new window with a
.Nmtelnet
to
.Vabar.
In this window you will be able to start X clients.
.El
.ShSEEALSO
.Xrkx1,
.Xrrxterm1,
.Xrtelnet1,
.Xrtenletxr1,
.Xrkxd8
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
