Age | Commit message | Author | Files | Lines |
|
Double-colon rules allow the flexibility to specify commands in
multiple places, but they also make the order of commands and
dependencies dependent on the order of declarations in the Makefile.
Convert all of our double-colon rules to single-colon rules, with the
exception of "clean-unix" and "clean-windows" which have commands
defined in both post.in and in numerous Makefile.in files.
|
|
Some BSD-derived systems (e.g., FreeBSD and Mac OS X) inappropriately
include sys/queue.h from some non-kernel network-related headers that
we include (net/if.h is one example). Because our k5-queue.h is a
copy from a BSD sys/queue.h, many compilers will warn about macro
redefinitions on those systems. Rename the queue macros to have a K5_
prefix.
Also delete the QUEUEDEBUG macros because they are only useful for
kernel use on the BSD systems where this header originated.
ticket: 8466 (new)
|
|
Instead, a new TRACE_* macro should be defined for each trace point, and
that macro used from the library code.
|
|
In krb5_gss_acquire_cred(), treat failure to resolve the client keytab
similarly to a client keytab which resolves but does not exist or has
no entries. The client keytab could fail to resolve if its name
contains %{username} and the current process is acting on behalf of
the NSS system.
[ghudson@mit.edu: rewrote commit message; changed tracing call to use
a macro; cleared error message when ignoring krb5_kt_client_default()
error; added test case]
ticket: 8462 (new)
|
|
krb5kdc has always only supported binding to the wildcard addresses.
Add two configuration options to allow specifying the address/port
that krb5kdc listens on for UDP and TCP connections.
[ghudson@mit.edu: edited documentation; preserved kdc_ports = ""
behavior; made kdc_ports and kdc_tcp_ports continue to work in
kdcdefaults section]
ticket: 1093
|
|
kadmind has always only supported binding to the wildcard addresses.
Add three configuration options to allow specifying the address/port
that kadmind listens on for kpasswd, kadmin, and iprop connections.
[ghudson@mit.edu: edited documentation; minimized changes to
setup_loop(); added iprop_listen]
ticket: 1093
|
|
The net-server.c logic can accept individual addresses to bind to
using the standard host:port string format, in a list with a comma
delimiter.
Since pktinfo support was removed, users with systems lacking
pktinfo that have multiple NICs may specify each of the local
addresses directly that kadmind or krb5kdc should listen on in
kdc.conf.
[ghudson@mit.edu: edited comments and variable names; simplified
setup_socket()]
ticket: 1093
|
|
Currently if the system doesn't support pktinfo and kadmind or
krb5kdc are binding to a UDP address, then the net server binds to
all the local addresses. Currently most systems support pktinfo,
so the workaround isn't really required anymore. Removing the
workaround will only affect systems that don't have pktinfo
support, have multiple NICs, and are listening on a wildcard
address.
ticket: 8348
|
|
include/Makefile uses a regex to perform variable substitution with '+'
as the sed delimiter. Paths containing " are already invalid in this
approach, so it is better to use " as the delimiter instead of any
other rare symbol.
ticket: 8429 (new)
|
|
Handle CAMMAC contained authdata similarly to KDC-issued authdata, where
it is verified before passing to the import function.
[ghudson@mit.edu: fix memory leak and reduce copying in
extract_cammac()]
ticket: 8425
|
|
Add k5_unwrap_cammac_svc() and k5_authind_decode() internal functions
to libkrb5, for use by test programs and the forthcoming
auth-indicator authdata module. Remove the unused
cammac_check_svcver() from the KDC code. Modify tests/adata.c to use
the new functions, and add a test case to t_authdata.py for multiple
indicator values.
[ghudson@mit.edu: squash three commits; make k5_cammac_check_svcver()
a static helper]
ticket: 8425
|
|
Add a helper function k5_parse_host_string() containing the
hostname-and-port parsing logic currently inlined into
locate_srv_conf_1(). The new function will also accept a port number
without hostname, for parsing listener addresses.
[ghudson@mit.edu: simplified parsing code and better handle edge
cases; split into two commits]
|
|
Alter the KDB module contract to require that KDB modules use an
allocator compatible with the malloc() seen by libkrb5 and libkdb5.
Change krb5_db_alloc() and krb5_db_free() to provide access to this
allocator. Remove free_principal, free_policy, alloc, and free from
the KDB interface and from all in-tree KDB modules.
ticket: 8414 (new)
|
|
Previously libkadm5srv renamed principals by getting the principal
entry, renaming the entry, putting it in the DB, then deleting the old
one. This does not work in certain KDB modules such as LDAP. A new
DAL function is necessary to support all KDB modules. Add a new DAL
function to support custom renames in all KDB modules, with a default
implementation that performs the previous functionality of adding and
deleting the principal entry.
NOTE: if the default rename function isn't used and iprop logging is
enabled, iprop would fail since it doesn't formally support renaming.
In that case, the call to krb5_db_rename_principal() will fail with
the code KRB5_PLUGIN_OP_NOTSUPP.
ticket: 8065
|
|
Add a function krb5_dbe_specialize_salt() to libkdb5 which transforms
a principal entry's salt to KRB5_KDB_SALTTYPE_SPECIAL.
ticket: 8418 (new)
|
|
Support a new profile relation "debug" in the [logging] section to
indicate whether debugging messages should be included, defaulting to
false.
ticket: 8394 (new)
|
|
Add a new public function to set a PAC request option for an AS
request.
[ghudson@mit.edu: simplified code; made signature conform to Heimdal
function; expanded on doxygen comment; added new function to API
reference; changed code to send encoded KERB-PA-PAC-REQUEST instead
of a single octet]
ticket: 7985
|
|
In the Doxygen comments for the new APIs and types, include @version
tags indicating that they are new in 1.15, and put @param declarations
just after the brief message for consistency with other comments.
ticket: 8386
|
|
Relocate the internal getopt() and getopt_long() code to util/support,
and build conditionally. Put declarations in k5-platform.h. Adjust
Windows build directives for src/clients. Remove getopt-related #defines
from kinit.c, allowing kinit to use getopt_long() on all platforms.
[ghudson@mit.edu: fix some Windows build issues]
ticket: 8391
|
|
The KDC was still listening on port 750 despite the fact that
this functionality was supposed to have been removed in the
past. Remove port 750 from the list of UDP ports that the KDC
listens on. Also remove port 750 from the default ports that
the client connects to, and from example config fragments.
ticket: 8388 (new)
|
|
ticket: 8387 (new)
target_version: 1.14-next
tags: pullup
|
|
Add two new APIs, krb5_set_kdc_send_hook() and
krb5_set_kdc_recv_hook(), which can be used to inspect and override
messages sent to KDCs.
[ghudson@mit.edu: style and documentation changes]
ticket: 8386 (new)
|
|
A checksum type of 0 means to use the mandatory checksum type in
krb5_k_make_checksum(), krb5_k_make_checksum_iov(), and
krb5_k_verify_checksum_iov(). Extend this meaning to
krb5_k_verify_checksum() for the checksum type in the krb5_checksum
argument. This change also applies to krb5_c_verify_checksum().
Add code to t_cksums.c to test checksum verification, including with
checksum type 0 for applicable test cases.
ticket: 8375 (new)
|
|
A new attribute named KRB5_KDC_LOCKDOWN_KEYS can be set on principals.
This flag prevents keys for the principal from being extracted or set
to a known value by the kadmin protocol. Principals with this flag
cannot be deleted or renamed, and cannot have keys set by setkey or
chpass. chrand operations are allowed, but keys are not returned.
This attribute can be set via the modify operation but cannot be
reset; an authorization error is returned if an attempt to reset it
is performed.
When creating a KDB, set the lockdown flag on the krbtgt and kadmin
principals.
[ghudson@mit.edu: squash with t_kadmin_acl.py commit; condense commit
message]
ticket: 8365 (new)
|
|
Some older code in the tree uses form feed characters. kdevelop does
not appear to preserve them, and it is not our current practice to use
them, so get rid of them in almost all files under src. Leave alone
lib/gssapi/krb5/3des.txt, which is a formatted internet draft.
|
|
Some krb5 code expects principal keys to be sorted by kvno in
descending order. To make sure this is followed in all KDB
implementations, sort the keys in libkdb5 after principals are
retrieved.
|
|
Add a simple private libk5crypto interface for computing SHA-256
hashes.
|
|
The bulk of the util/reconf script is to detect old versions of
autoconf and possibly work around bugs in them. Require
autoconf>=2.63, and remove the util/reconf script. Adjust
documentation and other scripts accordingly.
Also remove Makefile rules that remove autom4te.cache. Such rules
were supposedly necessary when mixing of different versions of
autoconf was common; this seems to be less of an issue now.
ticket: 8299
subject: Remove util/reconf
|
|
krb5 contains some Unicode code adapted from OpenLDAP. OpenLDAP uses
unsigned types for UCS-2 and UCS-4 code points, but the adapted code
uses signed types, which creates pointer-sign warnings when we call
uccompatdecomp() and similar functions. To match the OpenLDAP code,
use unsigned types.
|
|
As we no longer support pre-C89 platforms, assume that the fopen "b"
flag is always allowed.
|
|
Secure cookies are intended to hold secret values which may contribute
to key data, and therefore should be sanitized when released. Also
fix a memory leak in kdc_fast_make_cookie().
ticket: 8271 (new)
target_version: 1.14
tags: pullup
|
|
In krb5_change_password(), krb5_set_password(), and
krb5_set_password_using_ccache(), accept the new password as a const
char * instead of a char *. Propagate this change to the necessary
internal functions.
[ghudson@mit.edu: commit message rewrite]
ticket: 8269 (new)
target_version: 1.14
tags: pullup
|
|
Remove the existing support for creating trivial cookies. Add new
functions to fast_util.c for reading and generating secure cookies.
Add new kdcpreauth callbacks "get_cookie" and "set_cookie" to allow
preauth mechs to retrieve and set cookie values.
Based on a patch by Nathaniel McCallum.
ticket: 8233 (new)
|
|
Add an internal type declaration, ASN.1 encoder and decoder functions,
an internal free function, and ASN.1 tests for krb5_secure_cookie.
The reference DER encoding was constructed by hand.
To save on space, we don't use context tags, and use an integer rather
than a KerberosTime for the timestamp. The timestamp is stored in a
time_t; this requires a bugfix to the 64-bit case in
asn1_encode.c:store_int().
[ghudson@mit.edu: reference encoding; decode test; minor adjustments to
free functions; added comments; alterations for space savings; commit
message]
|
|
Use [out] instead of [in] for the output parameters of
krb5_c_prfplus() and krb5_c_derive_prfplus(). Also use "out" instead
of "output" for krb5_c_derive_prfplus() to match the parameter name in
the definition.
ticket: 8228
|
|
Define KDC_ERR_PREAUTH_EXPIRED and KRB5KDC_ERR_PREAUTH_EXPIRED. In
init_creds_step_reply(), handle a preauth-expired error by restarting
the exchange.
ticket: 8224 (new)
|
|
Define HAVE_VSNPRINTF for VS2015 or newer. Avoid putting constants
directly after string literals without whitespace, or the VS2015
compiler thinks it's a string suffix. Prefix the OVERFLOW identifier
in x-deltat.y (along with NUM and LONGNUM for consistency) to avoid a
conflict with math.h. Regenerate deltat.c.
[ghudson@mit.edu: squashed three commits and condensed commit
messages; avoid creating long lines]
ticket: 8231
|
|
This commit permits the external use of the RFC 6113 PRF+ function.
It also adds a function to derive a key from an input key and string
using PRF+.
[ghudson@mit.edu: adjust style; avoid new C99isms; use string2data(),
empty_data(), and alloc_data() where appropriate; add some explanatory
comments; edit docstrings and commit message]
ticket: 8228 (new)
|
|
Before this patch, libkrad would follow the same exact logic for all
socket types when the retries parameter was non-zero. This meant that
when connecting with SOCK_STREAM, multiple requests were sent in case
of packet drops, which, of course, cannot happen for SOCK_STREAM.
Instead, just disable retries for SOCK_STREAM sockets.
[ghudson@mit.edu: minor wording edits]
ticket: 8229 (new)
target_version: 1.13.3
tags: pullup
|
|
If the string attribute "require_auth" is set on the server
principal of an AS or TGS request, deny the request unless one of the
named indicators was asserted for the client's initial
authentication.
ticket: 8157
|
|
Add a new kdcpreauth callback add_auth_indicator, which adds an
authentication indicator string. This commit doesn't do anything with
the asserted authentication indicators; they are tracked in the
auth_indicators field of struct as_req_state to be used later.
ticket: 8157
|
|
ticket: 8157
|
|
Add functions to encode and decode SEQUENCE OF UTF8String into a
null-terminated array of krb5_data pointers. This type is simple
enough that we don't need specific tests for it.
ticket: 8157
|
|
Add internal type declarations for krb5_verifier_mac and krb5_cammac.
Add ASN.1 encoder and decoder functions and an internal free function
for krb5_cammac. Add ASN.1 tests for krb5_cammac as well as asn1c
test vectors for Verifier and AD-CAMMAC.
|
|
These changes unify the KDB principal flag specifiers used by kadmin,
kdc.conf default_principal_flags, and kadm5.acl. Each of those
interfaces will now accept any of the historically accepted input
forms of any of those interfaces. Additionally, accept flag
specifiers in the forms that kadmin prints, as well as hexadecimal
numbers.
Replace krb5_string_to_flags() with krb5_flagspec_to_mask(). The
latter has a pseudo-ternary output, allowing different pointers for
flags to set versus flags to clear. Additional functionality includes
parsing hexadecimal numbers for flag settings.
Remove krb5_input_flag_to_string(), which nothing in the tree used,
and probably hasn't ever worked properly due to long-standing gaps in
the flag number sequence.
Remove krb5_flags_to_string(), which nothing in the tree used.
Verbose flag output can be added back through another interface if
there is demand.
Add krb5_flagnum_to_string(), which produces a string representation
of a flag number. Additional functionality includes output of
hexadecimal numbers for unknown flags.
Add krb5_flags_to_strings(), which produces an array of strings
describing the flags, using the output from krb5_flagnum_to_string().
ticket: 8215
|
|
Add a new kdcpreauth callback which gets the selected client key.
This callback can be used by preauth mechs which need to use the
singular reply key in a challenge sent by the KDC, now that we send
only one etype-info entry in PREAUTH_REQUIRED errors.
ticket: 8200 (new)
|
|
Bump the minor version of the kadm5_hook interface to 2 and add a
rename method. Invoke the rename method in kadm5_rename_principal()
like we do for other libkadm5srv operations.
Partly based on a patch from John Hascall.
ticket: 8171
|
|
In a TGS request, the header ticket server is usually a local or
cross-realm TGS principal, but for ticket modification requests it
doesn't have to be. Similarly, the server for an AS request is
usually a krbtgt principal, but in some cases it is not. Since the
KDC code must consider all possibilities, avoid using the name
"krbtgt" for entries which aren't necessarily TGTs.
In process_tgs_req(), rename krbtgt to header_server and tgskey to
header_key. In handle_authdata(), rename the parameters similarly and
pass NULL from process_as_req() for the header_server and header_key
parameters; the code which uses those parameters is adjusted to match.
In validate_transit_path(), rename krbtgt to header_srv.
Do not change the semantics of the sign_authdata DAL method at this
time, but more accurately document the krbtgt and krbtgt_key
parameters.
|
|
Remove the server authdata interface declarations from authdata.h and
the code to load and invoke old KDC authdata modules. Add code to
load and invoke authdata modules using the new kdcauthdata pluggable
interface.
|
|
Add a pluggable interface for KDC authdata using the current plugin
infrastructure, mirroring the KDC functionality of authdata_plugin.h.
Like the old interface, this one isn't yet public.
|