Commit 7196c03f18f14695abeb5ae4923004469b172f0f (ticket 8823) gave the
KDB the ability to modify auth indicators, but it happens after the
asserted indicators are checked against the server principal
requirements. In finish_process_as_req(), move the call to
check_indicators() after the call to handle_authdata() so that the
final indicator list is checked.

For the test case, add string attribute functionality to the test KDB
module, and fix a bug where test_get_principal() would return failure
if a principal has no keys. Also add a test case for AS-REQ
enforcement of normally asserted auth indicators.

(cherry picked from commit 109e30ce22c20f18b8233119f274935bdf573886)

ticket: 8876
version_fixed: 1.18.1

When the KDC handles an S4U2Proxy request, if the KDB module returned
parsed authdata for the header ticket and not for the second ticket,
we could erroneously pass the header ticket's parsed authdata to
handle_authdata(). Make sure we always pass the parsed authdata for
the second ticket.

[ghudson@mit.edu: added comment; rewrote commit message]

(cherry picked from commit 21d823991a81d64af460ec62a98585c85534850b)

ticket: 8874
version_fixed: 1.18

More recent versions of OpenSSL can fail for other reasons. Indicate
a crypto-related error occurred rather than a memory error to aid
debugging.

(cherry picked from commit bf9b2134ceddd6c727362be894b1c95c297a0f17)

ticket: 8873
version_fixed: 1.18

In the test KDB module, set the PAC as the first authdata element. In
adata.c, add PAC service verification and verify that a PAC does not
appear in authdata elements after the first.

[ghudson@mit.edu: minor style changes; edited commit message]

(cherry picked from commit d40d7c8ee8d7fb547e45c545365b21a818050130)

ticket: 8872
version_fixed: 1.18

Windows services, as well as some versions of Samba, may refuse
tickets if the PAC is not in the first AD-IF-RELEVANT container. In
fetch_kdb_authdata(), change the merge order so that authdata from the
KDB module appears first.

[ghudson@mit.edu: added comment and clarified commit message]

(cherry picked from commit 331fa4bdd34263ea20667a0f51338cb84357fdaa)

ticket: 8872
version_fixed: 1.18

For consistency with Heimdal and simplicity of server configuration,
do not check the transited field in krb5_rd_req() if the
transited-policy-checked flag is set in the ticket.

Add a cross-realm test using the gcred and rdreq harnesses to test
server transited processing. Also fix the KDC capaths case so that
the client actually doesn't know the path to the server realm. In
k5test.py, adjust _cfg_merge() to remove keys mapped to None in the
second dictionary (instead of mapping them to None in the result), so
that deleting whole sections works. Remove the corresponding check
for None in _write_cfg_section() as it is no longer needed.

(cherry picked from commit a5aa5969bc6ed404b86318b47c38dfc3d3aeb8df)

ticket: 8870
version_fixed: 1.18

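As an added illustration of the merge semantics this message describes (example code, not k5test.py's own _cfg_merge() or any other krb5 project code): a key mapped to None in the second dictionary is removed from the result, so a whole section such as [capaths] can be deleted and the client is left not knowing the path to the server realm; the config writer then needs no None check. The function names, the krb5.conf-style renderer, the contrast merge that copies None through, and the sample realm configuration are all constructed for this example.

```python
# Added example, not code from k5test.py or the krb5 project: a recursive
# configuration merge with the semantics the commit message describes for
# _cfg_merge().  A key mapped to None in the second dictionary is removed from
# the result (so a whole section such as [capaths] can be deleted), nested
# dictionaries merge recursively, and any other value in the second dictionary
# overrides the first.  Function names and the sample data are constructed.


def cfg_merge(base, override):
    """Return base updated by override; None in override deletes a key."""
    result = dict(base)
    for key, value in override.items():
        if value is None:
            # Delete the key outright, whether it is a leaf or a whole section.
            result.pop(key, None)
        elif isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = cfg_merge(result[key], value)
        else:
            result[key] = value
    return result


def cfg_merge_keeping_none(base, override):
    """Contrast case (constructed, not the old k5test.py code): a merge that
    copies None through to the result, leaving the writer to deal with it."""
    result = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = cfg_merge_keeping_none(result[key], value)
        else:
            result[key] = value
    return result


def write_cfg(cfg, indent=0):
    """Render a merged dict as krb5.conf-style lines.  Because cfg_merge()
    never leaves None behind, no special None check is needed here."""
    pad = '    ' * indent
    lines = []
    for key, value in cfg.items():
        if isinstance(value, dict):
            if indent == 0:
                lines.append(f'[{key}]')
                lines.extend(write_cfg(value, indent + 1))
            else:
                lines.append(f'{pad}{key} = {{')
                lines.extend(write_cfg(value, indent + 1))
                lines.append(f'{pad}}}')
        else:
            lines.append(f'{pad}{key} = {value}')
    return lines


# Constructed sample: a client configuration that knows a capath to the
# server realm, and an override that deletes the whole [capaths] section
# (so the client no longer knows the path), drops one key and adds another.
BASE_CFG = {
    'libdefaults': {'default_realm': 'KRBTEST.COM', 'dns_lookup_kdc': 'false'},
    'realms': {
        'KRBTEST.COM': {'kdc': 'localhost:61000'},
        'KRBTEST2.COM': {'kdc': 'localhost:62000'},
    },
    'capaths': {'KRBTEST.COM': {'KRBTEST2.COM': '.'}},
}

OVERRIDE_CFG = {
    'capaths': None,
    'libdefaults': {'dns_lookup_kdc': None, 'udp_preference_limit': '1'},
}


def merged_has_none(cfg):
    """True if any value (at any depth) is None, i.e. a deletion was not applied."""
    for value in cfg.values():
        if value is None or (isinstance(value, dict) and merged_has_none(value)):
            return True
    return False


if __name__ == '__main__':
    merged = cfg_merge(BASE_CFG, OVERRIDE_CFG)
    print('\n'.join(write_cfg(merged)))
```

Running the block prints the merged configuration without a [capaths] section and without a dns_lookup_kdc line; the contrast function shows why a writer that receives None values would otherwise need its own check, since it would emit lines like `capaths = None`.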
permitted_enctypes was initially intended only to restrict the
processing of AP requests (and was later applied to KDB key data
searches so that the KDC wouldn't issue a ticket it would refuse to
accept). Because the documentation was never clear about its scope,
many configurations assume that permitted_enctypes also applies to
clients.

In light of the existing configurations, take the simple way out and
use permitted_enctypes as the default for default_tkt_enctypes and
default_tgs_enctypes. Update the documentation, add a test to
explicitly check the new behavior, and remove now-unnecessary
configuration from the test suite.

[ghudson@mit.edu: unrolled helper function; edited documentation and
commit message; simplified test case]

(cherry picked from commit 8f13fb2342b2a715cfb694688e3435e7f11691f8)

ticket: 8869
version_fixed: 1.18

Commit 94f7c9705879500b1dc8dda8592490efce05688f simplified the
generation of authdata elements, but left behind some unnecessary
conditionalization when assembling the elements into a list, causing a
Coverity defect. Further simplify the code.

(cherry picked from commit d035dc269e80b58cb73fd2b644b06bc5fb53e9cb)

ticket: 8868
version_fixed: 1.18

For cross-realm S4U2Proxy requests, require a PAC to be present to
bypass signedpath verification, but do not require it to be the only
authdata element. For within-realm requests, add and verify
signedpath authdata regardless of the presence of a PAC.

Simplify the test KDB authdata module and the existing RBCD tests as
we no longer need a way to suppress the test module's KDB authdata.

[ghudson@mit.edu: rewrote commit message; reordered a condition for
efficiency]

(cherry picked from commit 94f7c9705879500b1dc8dda8592490efce05688f)

ticket: 8868
version_fixed: 1.18

Commit d47f7dba3779c9e36e1dedaac830dac1dd248fb3 changed the parameters
passed to sign_authdata() for S4U2Proxy requests so that client is the
entry for the impersonated client (not the impersonator), and added a
new parameter for the impersonator entry. It should have changed the
call to handle_signticket() to use the impersonator entry. Fix the
handle_signticket() call, and change some parameter names to more
clearly indicate the flow of subject_server from process_tgs_req() to
handle_authdata() to its helpers.

[ghudson@mit.edu: edited commit message]

(cherry picked from commit 96e5d384acf174e6079b0aeeec14bd8100d24840)

ticket: 8867
version_fixed: 1.18

In adata.c, look up the server in the keytab by ticket->server (which
has the canonicalized realm), to allow testing of cross-realm RBCD
(although unused for now).

In s4u2proxy.c, set KRB5_GC_CANONICALIZE to support RBCD, and add an
authdata request option. Add an s4u2self test harness with authdata
request option.

[ghudson@mit.edu: minor code simplifications; edited commit message]

(cherry picked from commit 2d039a2b4c3ba6d71da8fcf76658dc63bc659f0c)

ticket: 8866
version_fixed: 1.18

Only send client authdata in the initial request, and note
request authdata in out_creds.

(cherry picked from commit ef655640db9ac51979fa4529168aa05a4a8f45e4)

ticket: 8866
version_fixed: 1.18

(cherry picked from commit deb64d5eca602c7147b4253e51976c45f58b465f)

ticket: 8865
version_fixed: 1.18

In the unlikely event that one of the functions called by
gssint_mechglue_init() returns an error, return that error to the
caller rather than continuing on and discarding the error status.
Returning success when some of the operations failed could fool the
library finalizer into thinking that initialization completed.

Reported by Spencer Malone.

(cherry picked from commit c120ed5b211ee684b830a6722fc3ab3222afbfa1)

ticket: 8864
version_fixed: 1.18

In the LDAP backend, the change mask is used to determine what LDAP
attributes to update. As a result, password expiration was not set
from policy when running during addprinc, among other issues.

However, when the mask did not contain KADM5_PRINCIPAL, pw_expiration
would be applied regardless, which meant that (for instance) changing
the password would cause the password application to be applied.

Remove the check for KADM5_PRINCIPAL, and fix the mask to contain
KADM5_PW_EXPIRATION where appropriate. Add a regression test to
t_kdb.py.

[ghudson@mit.edu: also set KADM5_ATTRIBUTES for randkey and setkey
since they both unset KRB5_KDB_REQUIRES_PWCHANGE; edited comments and
commit message]

ticket: 8861 (new)
tags: pullup
target_version: 1.17-next

In kpropd, don't set a remote address in the auth context, so that
propagation can work if the client address is changed by a NAT.

ticket: 8860 (new)

In extract_cammacs(), avoid a null dereference if the CAMMAC service
verifier is invalid or the CAMMAC is empty.

ticket: 8856
tags: pullup
target_version: 1.17-next

In macOS 10.11 and later with System Integrity Protection enabled,
system programs (including the shell) purge DYLD_LIBRARY_PATH from the
environment at startup. As a result, any part of "make check" which
runs via a shell script must explicitly restore the runtime
environment. Add a common rule for runenv.sh, and create and source
it where shell scripts are run. Dejagnu's runtest is a shell script,
so create a tcl file for the kadmin and RPC unit tests and source it
from unix.exp. Avoid using the shell to run commands in several
places. Use return_trace=True for tests that previously indirected
through /usr/bin/env.

Do not include <malloc.h> in t_parse_host_string.c, as it does not
exist on macOS and is not needed.

Skip the iprop tests on macOS when SIP is enabled, as signal
restrictions appear to prevent the kpropd child process from informing
the parent process that a full resync has completed.

In net-server.c, set SO_REUSEPORT as well as SO_REUSEADDR on listener
sockets. Otherwise the krb5kdc processes run by the test suite
sometimes fail to start with "address in use" errors.

In configure.ac, only generate po/Makefile if we will descend into it.

If return_trace=True is specified when running a command in a Python
test, collect the trace output and return it in a tuple with the
regular output.

Define __APPLE_USE_RFC_3542 to expose the definition of IPV6_PKTINFO
on macOS.

ticket: 8349

When xdr_bytes() is used for a gss_buffer_desc object, a temporary
character pointer must be used for the data value to avoid a strict
aliasing violation.

When xdr_bytes() is used for a krb5_keyblock object, a temporary
character pointer must also be used, even though the data pointer is
of type unsigned char *, to avoid a clang warning on macOS due to the
"#pragma pack" declaration in krb5.h.

Coverity sees negoex_init() test whether input_token is null before
parsing messages, then dereference input_token in verify_checksum().
Of course verify_checksum() will not find a checksum message if no
messages were parsed. Add an assert to squash the false positive
forward-null defect.

One of the changes in commit 81e47875e3de0e52fbb11d61ef30a9406497af73
unintentionally caused the return value of profile_ser_externalize()
to be ignored.

It is simpler and more consistent with Windows to let the KDB module
always return aliases, and use KDC logic (already present) to decide
whether to use the requested or canonical principal name in the
ticket.

With the removal of this flag, "kinit alias" (without the -C flag)
against the LDAP KDB module will issue a ticket for the alias name,
instead of failing with a "client not found" error.

[ghudson@mit.edu: edited comments; wrote commit message]

ticket: 8859 (new)

When processing an AS request in the KDC, do not assume
KRB5_KDB_FLAG_CANONICALIZE for enterprise client names. This change
allows the KDB module to only canonicalize enterprise client names if
the canonicalize flag was set on the request, as Windows does. The
KDB module may check the principal type and apply canonicalization as
appropriate.

[ghudson@mit.edu: edited comments; rewrote commit message]

ticket: 8858 (new)

Not having policy defined is a normal occurrence. While it's a useful
message to log in case it's unexpected, the current form is
unnecessarily alarmist.

ticket: 8857 (new)

In init_db and init.exp, do not create an ovsec_adm.keytab; kadmind
has authenticated directly against the KDB since commit
416d9a774090ee78c30a844025887bd2b9e79d16. Since we no longer create
ovsec_adm principals, perform the deletion and recreation tests with
kadmin/ principals.

In helpers.exp, use kadmin to create the server keytab file, instead
of using make-host-keytab.pl.

Remove environment variable settings for make-host-keytab.pl from
scripts that no longer use it.

After commit 95830231758de259abbbccedbac01613f578768a, the
documentation cannot be built with Python 2. Run make with
"PYTHON=python3" to ensure that we use Python 3.

Add a mock NegoEx-only GSS module, a test program which establishes a
SPNEGO context, and a Python script to exercise a variety of NegoEx
negotiation scenarios.

ticket: 8851