| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
[ghudson@mit.edu: style adjustments]
bigredbutton: whitespace
|
|
Add the sitename realm variable. If set, service location via DNS
will be attempted using the site name as specified in [MS-ADTS]
6.3.2.3, falling back to regular discovery on failure.
[ghudson@mit.edu: made this strictly a realm variable; moved
k5_get_sitename() to locate_kdc.c and made it take a krb5_data input;
fixed a memory leak; corrected documentation changes; fleshed out
commit message]
ticket: 9124 (new)
|
|
The Microsoft KERB_AP_OPTIONS_CBT extension (defined in [MS-KILE]
3.2.5.8) allows the client to request strict enforcement of GSS
channel bindings. Client support for this extension was added in
commit 225e6ef7f021cd1a8ef2a054af0ca58b7288fd81 (ticket 8900) but it
requires a configuration variable to be set. The choice to include
the extension should be made by the client application code, as it is
a promise to include channel bindings when operating within TLS.
In libkrb5, add an option AP_OPTS_CBT_FLAG to make
krb5_mk_req[_extended]() include KERB_AP_OPTIONS_CBT. In the GSS
initiator code, set this flag when the GSS_C_CHANNEL_BOUND flag is
included in the request options. GSS_C_CHANNEL_BOUND was introduced
in commit 429a31146083fac21958631c2af572b08ec91022 (ticket 8899) as an
acceptor output flag.
[ghudson@mit.edu: rewrote commit message; adjusted some names;
simplified GSS initiator bookkeeping; added documentation]
ticket: 9122 (new)
|
|
When parsing a file, ignore sections appearing after a final-flagged
section of the same name. Adjust the meaning of group_level in the
parser state so that it is 1 inside of top-level sections instead of
0, and simplify the addition of top-level sections to the tree by
relying on profile_add_node()'s section merging.
Make the final flag work for relations as well as sections. Check it
while parsing via a new check_final parameter in profile_add_node(),
and during iteration.
Output final flags for relations in dump_profile(). Make the final
flag available to it via a new output parameter in
profile_find_node_relation().
ticket: 9120
|
|
In conf.py, exclude the formats directory (added in commit
68ac7ac1f1a1d2939a2c99fa49cecd734614d16d) when building notice.txt, to
prevent a "document isn't included in any toctree" warning.
|
|
RSA mode is no longer needed for interoperability. Reduce the attack
surface of clients and KDCs by removing support for it.
ticket: 9108 (new)
|
|
When making a KDC or password change request, wait indefinitely
(limited only by request_timeout if set) once a KDC has accepted a TCP
connection.
ticket: 9105 (new)
|
|
Add a parameter to limit the total amount of time taken for a KDC or
password change request.
ticket: 9106 (new)
|
|
Add support for elliptic curve key exchange to PKINIT (RFC 5349
section 4). Extend pkinit_dh_min_bits to allow the string values
"P-256", "P-384", and "P-521", using rough finite-field strength
equivalents to rank them relative to the Oakley Diffie-Hellman groups.
When processing TD-DH-PARAMETERS on the client, only accept the three
Oakley groups or the three supported elliptic curve groups.
Previously we accepted any Diffie-Hellman parameters that passed
EVP_PKEY_param_check()/DH_check() and had equal or better bit strength
to the original proposal.
ticket: 9095 (new)
|
|
|
|
Recognize the Red Hat passkey preauth mechanism in trace messages, and
add a declaration for it in krb5.h.
[ghudson@mit.edu: edited comment and commit message]
ticket: 9093 (new)
|
|
The KDC uses the first local TGT key for the privsvr and full PAC
checksums. If this key is of an aes-sha2 enctype in a cross-realm
TGT, a Microsoft KDC in the target realm may reject the ticket because
it has an unexpectedly large privsvr checksum buffer. This behavior
is unnecessarily picky as the target realm KDC cannot and does not
need to very the privsvr checksum, but [MS-PAC] 2.8.2 does limit the
checksum key to three specific enctypes.
As a workaround, add a string attribute which can force the privsvr
key to use a specified enctype using key derivation when issuing
tickets to that principal. This attribute can be set on cross-realm
TGT entries when the target realm uses Active Directory and the local
TGT uses an aes-sha2 primary key.
ticket: 9089 (new)
|
|
|
|
A paper by Tom Tervoort noted that computing the PAC privsvr checksum
over only the server checksum is vulnerable to collision attacks
(CVE-2022-37967). In response, Microsoft has added a second KDC
checksum over the full contents of the PAC. Generate and verify full
KDC checksums in PACs for service tickets. Update the t_pac.c ticket
test case to use a ticket issued by a recent version of Active
Directory (provided by Stefan Metzmacher).
ticket: 9084 (new)
|
|
A paper by Tom Tervoort noted that rc4-hmac pre-hashes the input for
its checksum and GSS operations before applying HMAC, and is therefore
potentially vulnerable to hash collision attacks if a protocol
contains a restricted signing oracle.
In light of these potential attacks, begin the functional deprecation
of DES3 and RC4 by disallowing their use as session key enctypes by
default. Add the variables allow_des3 and allow_rc4 in case
negotiability of these enctypes for session keys needs to be turned
back on, with the expectation that in future releases the enctypes
will be more comprehensively deprecated.
ticket: 9081
|
|
Rewrite parts of database.rst and appl_servers.rst to avoid including
full option descriptions from the (already linked) man pages.
|
|
Add an API credential cache implementation using the CCAPI stubs in
the macOS Kerberos framework, tailored to access the native
collections used by macOS 10.6 and later (KCM before macOS 11, XCACHE
afterwards). Make API: the default ccache name for macOS 10.6 and
later.
[ghudson@mit.edu: used shared CCAPI credential conversion functions;
changed ptcursor behavior to match current Unix collection semantics;
adjusted naming and code style]
ticket: 9052 (new)
|
|
[ghudson@mit.edu: added documentation of configure variable and doc
substitution; shortened commit message]
ticket: 9058 (new)
|
|
|
|
Try to make it clearer that princ is the requested client principal,
not a principal extracted from the certificate, and that the module
must decode the certificate and inspect its attributes. Document
KRB5_CERTAUTH_HWAUTH_PASS in certauth_plugin.h.
ticket: 9051 (new)
|
|
|
|
Remove all of the AD-SIGNEDPATH code. Instead, issue a signed minimal
PAC in all tickets and require a valid PAC to be present in all
tickets presented for S4U operations. Remove the get_authdata_info()
and sign_authdata() DAL methods, and add an issue_pac() method to
allow the KDB to add or copy buffers to the PAC. Add a disable_pac
realm flag.
Microsoft revised the S4U2Proxy rules for forwardable tickets. All
S4U2Proxy operations require forwardable evidence tickets, but
S4U2Self should issue a forwardable ticket if the requesting service
has no ok-to-auth-as-delegate bit but also no constrained delegation
privileges for traditional S4U2Proxy. Implement these rules,
extending the check_allowed_to_delegate() DAL method so that the KDC
can ask if a principal has any delegation privileges.
Combine the KRB5_KDB_FLAG_ISSUE_PAC and
KRB5_FLAG_CLIENT_REFERRALS_ONLY flags into KRB5_KDB_FLAG_CLIENT.
Rename the KRB5_KDB_FLAG_CANONICALIZE flag to
KRB5_KDB_FLAG_REFERRAL_OK, and only pass it to get_principal() for
lookup operations that can use a realm referral.
For consistency with Active Directory, honor the no-auth-data-required
server principal flag for S4U2Proxy but not for S4U2Self. Previously
we did the reverse.
ticket: 9044 (new)
|
|
Microsoft added a third PAC signature over the ticket to prevent
servers from setting the forwardable flag on evidence tickets. Add
new APIs to generate and verify ticket signatures, as well as defines
for this and other new PAC buffer types. Deprecate the old signing
functions as they cannot generate ticket signatures. Modify several
error returns to better match the protocol errors generated by Active
Directory.
[ghudson@mit.edu: adjusted contracts for KDC requirements; simplified
and commented code changes; wrote commit message. rharwood@redhat.com
also did some work on this commit.]
ticket: 9043 (new)
|
|
Recognize the Red Hat IdP preauth mechanism in trace messages, and add
a declaration for it in krb5.h.
[ghudson@mit.edu: edited comment and commit message]
ticket: 9041 (new)
|
|
Although MIT krb5 had been using the value 9 for unkeyed SHA-1 since
its 1.0 release in 1996, RFC 3961 instead assigned this value to
rsa-md5-des3 (likely never used), and assigned the values 10 and 14 to
SHA-1. Heimdal and Microsoft use the value 14. Unkeyed SHA-1 almost
never appears on the wire, but has been seen in PKINIT asChecksum
fields in replies from Windows KDCs (despite the field being specified
as a keyed checksum).
Define a new symbol CKSUMTYPE_SHA1 with the value 14, and use it where
we currently use CKSUMTYPE_NIST_SHA. Continue to allow the value 9
for ABI compatibility. Remove the pkinit_clnt.c workaround as the
value 14 will now work without adjustment.
ticket: 9040 (new)
|
|
If a certauth module returns KRB5_CERTAUTH_HWAUTH_PASS, the certauth
accumulator sets the hw-authent flag in the ticket (like it would for
KRB5_CERTAUTH_HWAUTH), but defers authorization to other modules (like
it would for KRB5_PLUGIN_NO_HANDLE).
[ghudson@mit.edu: simplify tests by removing the HWAUTH returns from
the test2 module and allowing it to pass by authenticating as nocert]
|
|
Remove the fortuna and device PRNG modules and PRNG modularity, and
move the prng_os implementation into prng.c. Remove the crypto_mod.h
requirement to implement failure-free AES256 and SHA256. Deprecate
krb5_c_random_add_entropy() and krb5_c_random_os_entropy() and remove
their call sites. Deprecate and ignore the -W (weak random) option to
kadmind and kdb5_util create, and stop using it in the test suite.
ticket: 9032 (new)
|
|
Select an output credential cache using similar logic to kinit. Do
not require the target cache to be initialized.
Try to use the per-thread cache set by gss_krb5_ccache_name() if no
output cache was specified via a cred store.
When the destination is a collection, honor the default_cred flag by
switching the primary cache to the selected output cache. When the
destination is not a collection, ignore the default_cred flag.
(Previously the default_cred flag was mandatory for gss_store_cred()
even though it is an advisory flag, and ignored for
gss_store_cred_into() even if no ccache was specified in the cred
store.)
Honor the overwrite_cred flag by refusing to replace an initialized
cache if it is not set. Stop using gss_acquire_cred() for this
purpose as it could go out and fetch credentials from a client keytab.
Perform atomic replacement of the target cache when possible, using
krb5_cc_move().
Add a test harness for calling gss_store_cred() or
gss_store_cred_into() and a suite of tests. Fix a broken trace log
message for krb5_cc_move() and update the expected trace logs for an
existing t_credstore.py test.
ticket: 8010
|
|
ticket: 9027 (new)
|
|
[ghudson@mit.edu: switched from /admin25 links to /admin links and
updated commit message]
ticket: 9025 (new)
|
|
Most importantly, note for gss_import_name() that the mechanism OID
encoding includes the ASN.1 tag prefix (per RFC 2743 section 3.2), and
add the length prefix for the mechanism token. For
gss_import_sec_context() and gss_import_cred(), note that the
concatenated OID must be used.
[ghudson@mit.edu: reverted part of gss_import_cred() change; reworded
gss_import_name() change; rewrote commit message]
ticket: 9017
|
|
|
|
ticket: (new)
tags: pullup
target_version: 1.19-next
|
|
Of the remaining test scripts, kprop.exp has a corresponding Python
script, and standalone.exp is covered by t_general.py, t_dump.py,
t_keytab.py, and t_pkinit.py.
|
|
Use app.add_css_file() to register krb5.css if possible (it was added
in Sphinx 1.8), since the old name app.add_stylesheet() was removed in
Sphinx 4.0.
Use the highlight directive instead of the highlightlang directive,
which was removed in Sphinx 4.0.
Remove two duplicate table of contents entries to fix warnings.
In the Github Actions configuration, add a second doc build using the
newest version of Sphinx.
ticket: 9006
tags: pullup
target_version: 1.19-next
|
|
|
|
The example of writing to a file named "keytab" is ambiguous. Name
the file "alice.keytab" instead, to match the example user principal
name.
|
|
Commit 281210909beef4683be3b63bc1ac1e75c2c9c7eb added handling for
verbatim tags in doxybuilder_types.py, but did not check for tail
text. This wasn't a problem in Doxygen 1.8 because its XML output
ended paragraph tags after verbatim tags, but that isn't the case in
Doxygen 1.9. Move the is_tail check earlier so we don't have to check
for each tag type.
Also avoid putting spaces at the beginnings and ends of lines when
joining the elements of the result list, to avoid confusing the RST
parser at the end of literal blocks.
|
|
ticket: 8989 (new)
tags: pullup
target_version: 1.19-next
|
|
Command-line options are described in the following places:
- .rst file "SYNOPSIS" section
- .rst file "OPTIONS" section
- parameters to getopt()
- results of getopt() that are actually handled
- a usage() or xusage() function
- occasionally, a long form in usage()/xusage()
- occasionally, libss subcommand specifications
Over time, these have drifted. Make an effort to correct this drift,
marking deprecated options as such. For consistency, remove mention
of long arguments that have an equivalent short form.
ticket: 8987 (new)
tags: pullup
target_version: 1.19-next
|
|
Move the crypto_load_certs() probe from pkinit_identity_initialize()
to process_option_identity(). This will attempt to load a certificate
for each pkinit_identities value, and if the certificate load fails to
move to the next line.
For PKCS11, return an error if pkinit_open_session() fails, but do not
fail in pkinit_open_session() just because identity prompts are
deferred.
[ghudson@mit.edu: added test case; moved cert probe to
process_option_identity(); rewrote commit message]
ticket: 8984 (new)
|
|
The [domain_realm] section provides a mapping from hostnames to realm
names, but the individual mappings apply to domains (including
subdomains) or subdomains, not to hostnames. Reported by Ulf Bremer.
ticket: 8981
|
|
Faciliate KCM daemon implementations by providing functions to
deserialize and reserialize credentials in the FILE v4 format.
[ghudson@mit.edu: minor editorial changes]
ticket: 8980 (new)
|
|
|
|
Field testing of dns_canonicalize_hostname=fallback (ticket 8911)
revealed more disruptive edge cases than anticipated. Many were fixed
by ticket 8930, but host-based GSS initiator names were recently
discovered to not work, and one other edge case could not be resolved
without a change to external code.
Restore the default to true for now. Set the value to fallback in the
test suite, to continue testing the desired configuration and to avoid
restoring tests/resolve.
ticket: 8973 (new)
tags: pullup
target_version: 1.19
|
|
When making TGS requests, if start_realm is set in the cache, use the
named realm to look up the initial TGT for referral or cross-realm
requests. (Also correct a comment in struct _tkt_creds_context: the
ccache field is an owner pointer, not an alias.)
Add an internal API k5_cc_store_primary_cred(), which sets start_realm
if the cred being stored is a TGT for a realm other than the client
realm. Use this API when acquiring initial tickets with a
caller-specified output ccache, when renewing or validating tickets
with kinit, when accepting a delegated credential in a GSS context,
and when storing a single cred with kvno --out-cache.
ticket: 8332
tags: pullup
target_version: 1.19
|
|
Commit becd1ad6830b526d08ddaf5b2b6f213154c6446c attempted to unify the
synopsis, option descriptions, and xusage(), but missed several
options in the synopsis.
ticket: 8969 (new)
tags: pullup
target_version: 1.19
|
|
|
|
Add documentation for gss_acquire_cred_from() and
gss_store_cred_into(), including descriptions of the currently
supported options for the krb5 mechanism.
ticket: 8964 (new)
|
|
Update lib/crypto/builtin/aes to commit
8798ad829374cd5ff312f55ba3ccccfcf586fa11 of
https://github.com/BrianGladman/aes .
The following changes are made to the upstream code:
* In aes.h, #defines are added to give the linker-visible symbols a
prefix.
* In aes.h, AES_192 is undefined, since we only need AES-128 and
AES-256.
* In aesopt.h, USE_INTEL_AES_IF_PRESENT and USE_VIA_ACE_IF_PRESENT are
suppressed by changing the corresponding "#if 1"s to "#if 0"s.
* In aesopt.h, the conditionals for ENC_UNROLL, DEC_UNROLL, ENC_ROUND,
LAST_ENC_ROUND, DEC_ROUND, LAST_DEC_ROUND, and KEY_SCHED are changed
from "#if 1" to "#if !defined(CONFIG_SMALL) ||
defined(CONFIG_SMALL_NO_CRYPTO)".
bigredbutton: whitespace
ticket: 8954
|
