| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
A multi-round-trip preauth mechanism may require key information, but
not for the initial message from the client. To support optimistic
preauth for such mechanisms, make the KDC include etype-info2
information in a MORE_PREAUTH_DATA_REQUIRED error if the client didn't
include a PA-FX-COOKIE in its request.
Add optimistic preauth support to the test preauth module and to
etinfo.c, and add a test case to t_etype_info.py to verify that
etype-info2 is included in the optimistic multi-hop scenario.
ticket: 8234 (new)
|
|
Use a helper function to filter the error codes from preauth modules.
Use a cleanup handler so that we aren't separately considering the
disposition of state and state->pa_e_data along different exit paths.
|
|
Remove the existing support for creating trivial cookies. Add new
functions to fast_util.c for reading and generating secure cookies.
Add new kdcpreauth callbacks "get_cookie" and "set_cookie" to allow
preauth mechs to retrieve and set cookie values.
Based on a patch by Nathaniel McCallum.
ticket: 8233 (new)
|
|
Add a new kdcpreauth callback add_auth_indicator, which adds an
authentication indicator string. This commit doesn't do anything with
the asserted authentication indicators; they are tracked in the
auth_indicators field of struct as_req_state to be used later.
ticket: 8157
|
|
In kdc_preauth.c, commit be20a5f5cee8d6c4072d1b81712520dbf9f6eefd made
load_preauth_plugins() handle negative preauth type numbers.
get_plugin_vtables() also needs to handle negative preauth type
numbers, or it can return the wrong count and load_preauth_plugins()
can overflow the table.
ticket: 8200
|
|
Add internal clpreauth and kdcpreauth modules named "test" which can
exercise the client_keyblock callback (as well as get_string and
get_as_key on the client side). Add tests to t_etype_info.py to
verify that the callback matches the etype info sent by the KDC.
In the KDC's load_preauth_plugins(), correct a test for the end of
pa_type_list so that we can use a negative preauth type number for the
test module. (RFC 4120 reserves negative preauth type values for
unregistered use.)
ticket: 8200
|
|
Add a new kdcpreauth callback which gets the selected client key.
This callback can be used by preauth mechs which need to use the
singular reply key in a challenge sent by the KDC, now that we send
only one etype-info entry in PREAUTH_REQUIRED errors.
ticket: 8200 (new)
|
|
As described in RFC 6113 section 2.1, the KDC can choose a single
long-term key at the beginning of the preauth conversation based on
the request enctype list. Implement this change for the PA-ETYPE-INFO
and PA-ETYPE-INFO2 padata included in preauth hint lists, by selecting
the client key before checking padata, making the client keyblock
available in the preauth rock, and unifying the etype-info handlers to
use a single helper function for edata and AS-REP padata.
ticket: 8199 (new)
|
|
Add support for multi-hop preauth mechs.
In the KDC, allow kdcpreauth modules to return
KDC_ERR_MORE_PREAUTH_DATA_REQUIRED as defined in RFC 6113.
In libkrb5, treat this code like KDC_ERR_PREAUTH_REQUIRED. clpreauth
modules can use the modreq parameter to distinguish between the first
and subsequent KDC messages. We assume that the error padata will
include an element of the preauth mech's type, or at least of a type
recognized by the clpreauth module.
Also reset the list of previously attempted preauth types for both
kinds of errors. That list is really only appropriate for retrying
after a failed preauth attempt, which we don't currently do. Add an
intermediate variable for the reply code to avoid a long conditional
expression.
[ghudson@mit.edu: adjust get_in_tkt.c logic to avoid needing a helper
function; clarify commit message]
ticket: 8063 (new)
|
|
Wherever we use k5alloc with a multiplication in the size parameter,,
use the new k5calloc helper function instead.
|
|
This plugin implements the proposal for providing OTP support by
proxying requests to RADIUS. Details can be found inside the
provided documentation as well as on the project page.
http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS
ticket: 7678
|
|
If we cannot find a client key while preparing an AS reply, give
preauth mechanisms a chance to replace the reply key before erroring
out.
ticket: 7630
|
|
RFC 4120 prohibits empty ETYPE-INFO2 sequences (though not ETYPE-INFO
sequences), and our client errors out if it sees an empty sequence of
either.
ticket: 7630
|
|
Add a new have_client_keys callback to the kdcpreauth interface,
allowing modules to efficiently check whether the client DB entry has
any keys matching the request enctypes.
ticket: 7630
|
|
Add k5-int.h static functions to duplicate byte ranges, optionally
with a trailing zero byte, and set an error code like k5alloc does.
Use them where they would shorten existing code.
|
|
Since there is no overlap between the clpreauth and kdcpreauth
interface declarations, there's no particular reason to combine them
into one header. For backward compatibility and convenience, leave
behind a preauth_plugin.h which includes both.
|
|
In kdc_util.c and spnego_mech.c, error returns from ASN.1 length
functions could be ignored because they were assigned to unsigned
values. In spnego_mech.c, two buffer size checks could be rewritten
to reduce the likelihood of pointer overflow. In dump.c and
kdc_preauth.c, calloc() could be used to simplify the code and avoid
multiplication overflow. In pkinit_clnt.c, the wrong value was
checked for a null result from malloc(), and the code could be
simplified.
Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>.
ticket: 7488
|
|
[ghudson@mit.edu: avoid verto.h header dependency; minor fixes]
ticket: 7426 (new)
target_version: 1.11
tags: pullup
|
|
Make kdc_active_realm a local variable in every function that needs
it. Pass it around in various state structures as needed. Keep the
macros that reference its members remain for now.
|
|
Fix KDC heap corruption vulnerability [MITKRB5-SA-2012-001
CVE-2012-1015]. The cleanup code in
kdc_handle_protected_negotiation() in kdc_util.c could free an
uninitialized pointer in some error conditions involving "similar"
enctypes and a failure in krb5_c_make_checksum().
Additionally, adjust the handling of "similar" enctypes to avoid
advertising enctypes that could lead to inadvertent triggering of this
vulnerability (possibly in unpatched KDCs).
Note that CVE-2012-1014 (also described in MITKRB5-SA-2012-001) only
applies to the krb5-1.10 branch and doesn't affect the master branch
or releases prior to krb5-1.10.
ticket: 7225 (new)
target_version: 1.9.5
tags: pullup
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25830 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Add an event_context callback to kdcpreauth. Adjust the internal KDC
and main loop interfaces to pass around the event context, and expose
it to kdcpreauth modules via the rock.
ticket: 7019
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25475 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Alter the contract for the kdcpreauth request_body callback so that it
returns an alias to the encoded body instead of a fresh copy. At the
beginning of AS request processing, save a copy of the encoded request
body, or the encoded inner request body for FAST requests. Previously
the request_body callback would re-encode the request structure, which
in some cases has been modified by the AS request code.
No kdcpreauth modules currently use the request_body callback, but
PKINIT will need to start using it in order to handle FAST requests
correctly.
ticket: 7017
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25473 dc483132-0cff-0310-8789-dd5450dbe970
|
|
There have been a couple of uninitialized field bugs in the
restructured KDC code, partly because compilers can't find these bugs
as easily as they can find uninitialized local variable bugs. Use
zero-filled state structures to make this type of bug less likely.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25422 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Add a new API krb5_dbe_compute_salt() to determine the salt for a key
data entry, and use it in the three places we currently compute salts.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25410 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Correctly include an empty padata value if a KDC preauth system has no
get_edata method. This bug prevented the KDC from indicating FAST
support in preauth-required errors.
ticket: 6988
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25385 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Also fix pkinit_crypto_nss.c struct initializers and add parens to a
ternary operator in do_as_req.c for better indentation.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25362 dc483132-0cff-0310-8789-dd5450dbe970
|
|
From npmccallum@redhat.com with changes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25348 dc483132-0cff-0310-8789-dd5450dbe970
|
|
From npmccallum@redhat.com with changes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25347 dc483132-0cff-0310-8789-dd5450dbe970
|
|
This code should have been removed in r25319 but was not.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25346 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Break out the encrypted timestamp code from kdc_preauth.c and
preauth2.c into built-in modules, allowing admins to disable it and
reducing the size of the framework code.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25319 dc483132-0cff-0310-8789-dd5450dbe970
|
|
String attributes should be useful to preauth modules without having
to link against libkdb5. Add a callback to make client string
attributes accessible to modules.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25318 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Replace the generic get_data functions in clpreauth and kdcpreauth
with structures containing callback functions. Each structure has a
minor version number to allow adding new callbacks.
For simplicity, the new fast armor key callbacks return aliases, which
is how we would supply the armor key as a function parameter. The new
client keys callback is paired with a free_keys callback to reduce the
amount of cleanup code needed in modules.
ticket: 6971
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25315 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Instead of passing a request and entry to the kdcpreauth get_data
callback, pass an opaque handle. Remove DB entry and key data
parameters from kdcpreauth methods (but keep the request, since that's
transparent).
The SecurID plugin links against libkdb5 and needs access to the client
DB entry. Rather than continue to pass a DB entry to kdcpreauth
methods, add a get_data callback to get the client DB entry for the few
plugins which might need it.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25300 dc483132-0cff-0310-8789-dd5450dbe970
|
|
All current known uses of e_data are encoded as pa-data or typed-data.
FAST requires that e_data be expressed as pa-data. Change the DAL and
kdcpreauth interfaces so that e_data is returned as a sequence of
pa-data elements. Add a preauth module flag to indicate that the
sequence should be encoded as typed-data in non-FAST errors.
ticket: 6969
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25298 dc483132-0cff-0310-8789-dd5450dbe970
|
|
From npmccallum@redhat.com with changes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25294 dc483132-0cff-0310-8789-dd5450dbe970
|
|
From npmccallum@redhat.com with changes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25293 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Since it has no external dependencies, split up encrypted preauth into
clpreauth and kdcpreauth chunks and link them directly into the
consumers.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25227 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Signed-off-by: Margaret Wasserman <mrw@painless-security.com>
pkinit: changes to call alg-agility KDF
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25218 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Some minor reformatting added in places to avoid exceeding 80 columns.
Used Emacs 22.1 built-in C mode.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25144 dc483132-0cff-0310-8789-dd5450dbe970
|
|
The preauth plugin interface was introduced in 1.6 but was never made
a public API. In preparation for making it public in 1.10, convert it
to use the new plugin framework. This will require changes to any
existing preauth plugins.
A number of symbols were renamed for namespace cleanliness, and
abstract types were introduced for module data and module per-request
data for better type safety.
On the consumer end (preauth2.c and kdc_preauth.c), this is a pretty
rough conversion. Eventually we should create proper consumer APIs
with module handles, and the flat lists of preauth types should hold
pointers to module handles rather than copies of the vtables. The
built-in preauth type handlers should then be converted to built-in
module providers linked into the consumer code (as should encrypted
challenge, since it has no external dependencies). None of this will
impact the provider API for preauth plugins, so it can wait.
ticket: 6921
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24970 dc483132-0cff-0310-8789-dd5450dbe970
|
|
ticket: 6918
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970
|
|
and license comments.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24695 dc483132-0cff-0310-8789-dd5450dbe970
|
|
after r24403.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24676 dc483132-0cff-0310-8789-dd5450dbe970
|
|
error code 0. Simplify some overly paranoid code accordingly.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24489 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Fixes to get securID preauth plugin working. A separate patch will
address error handling and build issues.
* Permit a preauth plugin to return KRB5KDC_ERR_PREAUTH_REQUIRED from
the verify entry point.
* If verify_securid2 fails, save the return value and return that
rather than success after dealing with encoding the out_edata
* Use the client key not the securid principal key for the sam
checksum
* indicate that securID is hardware authentication
ticket: 6805
target_version: 1.9
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24465 dc483132-0cff-0310-8789-dd5450dbe970
|
|
should not respond to a packet
* Do not generate an error response in this case
* Drop a TCP connection if we are not going to respond to it.
kdc: add KRB5KDC_ERR_DISCARD
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24406 dc483132-0cff-0310-8789-dd5450dbe970
|
|
preauth type per discussion on krbdev. The pa-sam-challenge-2 code
remains in the client.
preauth: remove pa-sam-challenge
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24403 dc483132-0cff-0310-8789-dd5450dbe970
|
|
kdb_dbe_decrypt_key_data
Previously, code needed to run a loop to find the current master key,
possibly fetch a new master key list and try finding the master key
again around each key decryption. This was not universally done;
there are cases where only the current master key was used. In
addition, the correct ideom for decrypting key data is too complicated
and is potentially unavailable to plugins that do not have access to
the master key. Instead, store the master key list in the dal_handle
whenever it is fetched and permit a NULL master key for
krb5_dbe_decrypt_key_data.
* Remove APIs for krb5_db_{get|set}_mkey_list
* krb5_db_fetch_mkey_list: memoize master key list in dal_handle
* krb5_db_free_mkey_list: don't free the memoized list; arrange for it to be freed later
* krb5_dbe_decrypt_key_data: Search for correct master key on NULL argument
* change call sites to take advantage
ticket: 6778
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24314 dc483132-0cff-0310-8789-dd5450dbe970
|
|
free_principal, delete_principal, and get_policy. Make get_principal
allocate the DB entry container. Fold krb5_db_get_principal_ext into
krb5_db_get_principal.
ticket: 6749
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24175 dc483132-0cff-0310-8789-dd5450dbe970
|
