Age | Commit message | Author | Files | Lines |
|
PKINIT per-request module data objects are normally created by
pkinit_server_verify_padata() and freed by
pkinit_server_return_padata(). In some unusual circumstances, the KDC
may not call the return_padata method after verification succeeds.
Add a free_modreq method and free the object there instead.
[ghudson@mit.edu: rewrote commit message]
(cherry picked from commit 883415036a4b4e0372b84a5a6e46c10b3a67aba0)
ticket: 9065
version_fixed: 1.19.4
|
|
In otp_edata(), free the generated nonce.
(cherry picked from commit 5ad465bc8e0d957a4945218bea487b77622bf433)
ticket: 9063
version_fixed: 1.19.4
|
|
Move the crypto_load_certs() probe from pkinit_identity_initialize()
to process_option_identity(). This will attempt to load a certificate
for each pkinit_identities value, and if the certificate load fails to
move to the next line.
For PKCS11, return an error if pkinit_open_session() fails, but do not
fail in pkinit_open_session() just because identity prompts are
deferred.
[ghudson@mit.edu: added test case; moved cert probe to
process_option_identity(); rewrote commit message]
(cherry picked from commit 13ae08e70a05768d4f65978ce1a8d4e16fec0d35)
ticket: 8984
version_fixed: 1.19.1
|
|
[ghudson@mit.edu: whitespace changes; reverted man page change]
ticket: 8957 (new)
|
|
Remove an unused variable in krb5_ldap_create(). Handle the return
value from krb5_dbe_get_string() in the certauth test plugin module.
Handle the return value from k5_expand_path_tokens() in
k5_rc_default(). Remove dead assignments in
krb5_get_credentials_for_user() and kg_accept_krb5().
[ghudson@mit.edu: squashed and edited commit message; simplified
k5_rc_default() change]
|
|
In kdb5_ldap_util, set lockdown_keys on the special principals when
creating an LDAP KDB, as we do in kdb5_util when creating a regular
KDB.
ticket: 8936 (new)
tags: pullup
target_version: 1.18-next
target_version: 1.17-next
|
|
Unix-like platforms do not provide a simple method to find the
fully-qualified local hostname as the machine is expected to appear to
other hosts. Canonicalizing the gethostname() result with
getaddrinfo() usually works, but potentially uses DNS. Now that
dns_canonicalize_hostname=true is no longer the default, KDB creation
would generally create the wrong host-based principals.
kadmin/hostname is unnecessary because the client software can also
use kadmin/admin, and kiprop/hostname is one of several principals
that must be created for incremental propagation.
ticket: 8935 (new)
|
|
[ghudson@mit.edu: adjusted test program to output channel-bound state
instead of optionally enforcing it; adjusted tests to check program
output; split out tests into separate Python script; made cosmetic
changes]
ticket: 8900
|
|
Correct comment spelling errors detected using codespell.
Reported by Jens Schleusener.
|
|
Use the int128_t and uint128_t types defined by edwards25519.c, rather
than [un]signed __int128 which does not compile with gcc 4.4.
Reported by Norm Green.
ticket: 8888
tags: pullup
target_version: 1.18-next
target_version: 1.17-next
|
|
In pkinit_client_prep_questions(), only act if the input padata type
is KRB5_PADATA_PK_AS_REQ. Otherwise we will ask questions again when
the KDC issues a ticket.
Commit 7621d2f9a87214327ca3b2594e34dc7cea84596b (ticket 8242)
unintentionally changed the behavior of pkinit_load_fs_cert_and_key(),
causing pkinit_client_prep_questions() to do nothing on its first
call. Restore the original behavior of returning 0 when prompting is
deferred.
Modify the existing "FILE identity, password on key (responder)"
PKINIT test to check that the responder is only invoked once.
ticket: 8885
|
|
|
|
In update_ldap_mod_auth_ind(), if there is no string attribute value
for require_auth, check for krbPrincipalAuthInd attributes that might
need to be removed. (This will only work if the entry is loaded and
then modified, but that is the normal case for an existing entry.)
Move the update_ldap_mod_auth_ind() call inside the tl-data
conditional (which should perhaps be a check for KADM5_TL_DATA in the
mask instead). A modification which did not intend to update tl-data
should not remove the krbPrincipalAuthInd attributes.
Change get_int_from_tl_data() to zero its output so that it can't
leave a garbage value behind if it returns 0 (as it does if no
KDB_TL_USER_INFO tl-data is present).
Based on a patch by Glenn Machin.
ticket: 8877
tags: pullup
target_version: 1.18-next
target_version: 1.17-next
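Added example, not krb5's own code: the uninitialized-output bug class behind the get_int_from_tl_data() change, as a small C model. The tl_data struct is a constructed stand-in for krb5's tl-data list, and the KDB_TL_USER_INFO value is assumed to match kdb.h. The buggy and fixed shapes are driven with a sentinel preloaded in the caller's variable, standing in for an uninitialized stack slot.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a krb5 tl-data list entry: type, length,
 * contents and a next pointer, which is all this example needs. */
struct tl_data {
    int16_t type;
    uint16_t length;
    const unsigned char *contents;
    const struct tl_data *next;
};

/* Assumed to match the KDB_TL_USER_INFO value in kdb.h. */
#define KDB_TL_USER_INFO 0x7ffe

/* Pre-fix shape: returns 0 whether or not an entry was found, and only
 * writes *result when one is. A caller whose int was uninitialized then
 * reads whatever was on its stack. */
static int
get_int_from_tl_data_buggy(const struct tl_data *list, int16_t type,
                           int *result)
{
    for (; list != NULL; list = list->next) {
        if (list->type == type && list->length == sizeof(int)) {
            memcpy(result, list->contents, sizeof(int));
            return 0;
        }
    }
    return 0;
}

/* Post-fix shape: zero the output first, so a "not present" return of 0
 * can never leave a garbage value behind. */
static int
get_int_from_tl_data(const struct tl_data *list, int16_t type, int *result)
{
    *result = 0;
    for (; list != NULL; list = list->next) {
        if (list->type == type && list->length == sizeof(int)) {
            memcpy(result, list->contents, sizeof(int));
            return 0;
        }
    }
    return 0;
}

/* Call fn with the output preloaded to a sentinel (standing in for an
 * uninitialized stack slot) and return what the caller would see. */
static int
observe(int (*fn)(const struct tl_data *, int16_t, int *),
        const struct tl_data *list, int16_t type, int sentinel)
{
    int value = sentinel;
    (void)fn(list, type, &value);
    return value;
}

/* Constructed sample: one entry of type 0x0001 holding the int 5; there is
 * no KDB_TL_USER_INFO entry at all. */
static const int stored_value = 5;
static const struct tl_data sample_entry = {
    0x0001, sizeof(int), (const unsigned char *)&stored_value, NULL
};

int lookup_missing_buggy(void)
{
    return observe(get_int_from_tl_data_buggy, &sample_entry,
                   KDB_TL_USER_INFO, 0x7777);   /* caller sees the sentinel */
}

int lookup_missing_fixed(void)
{
    return observe(get_int_from_tl_data, &sample_entry,
                   KDB_TL_USER_INFO, 0x7777);   /* caller sees 0 */
}

int lookup_present_fixed(void)
{
    return observe(get_int_from_tl_data, &sample_entry, 0x0001, 0x7777);
}
```

The "return 0 without writing the output" shape is easy to miss in review because every call site that happens to zero its variable first behaves correctly; the fix belongs in the callee so that no caller has to know.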
|
|
In PKINIT, if a certauth module returns KRB5_CERTAUTH_HWAUTH from its
authorize method, set the hw-authent flag in the ticket.
ticket: 8879 (new)
|
|
Commit 7196c03f18f14695abeb5ae4923004469b172f0f (ticket 8823) gave the
KDB the ability to modify auth indicators, but it happens after the
asserted indicators are checked against the server principal
requirements. In finish_process_as_req(), move the call to
check_indicators() after the call to handle_authdata() so that the
final indicator list is checked.
For the test case, add string attribute functionality to the test KDB
module, and fix a bug where test_get_principal() would return failure
if a principal has no keys. Also add a test case for AS-REQ
enforcement of normally asserted auth indicators.
ticket: 8876 (new)
tags: pullup
target_version: 1.18-next
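Added example, not krb5's own code: a C model of the ordering problem this message fixes. Preauth asserts a set of indicators, the KDB module may edit the list while authdata is handled, and the server principal's require_auth attribute names the indicators it accepts (any one of them suffices). The indicator names, the require_auth strings and the "drop one indicator" KDB behaviour are constructed for illustration; krb5's real structures are not used.

```c
#include <stdbool.h>
#include <string.h>

#define MAX_INDS 8

/* Constructed indicator list: a handful of string names. */
struct ind_list {
    const char *names[MAX_INDS];
    int count;
};

/* Does require_auth (space-separated, as in the string attribute) name any
 * indicator present in the list? Empty requirement: anything passes. */
static bool
check_indicators(const char *require_auth, const struct ind_list *inds)
{
    if (require_auth == NULL || *require_auth == '\0')
        return true;
    for (int i = 0; i < inds->count; i++) {
        const char *p = require_auth;
        size_t n = strlen(inds->names[i]);
        while (*p != '\0') {
            while (*p == ' ')
                p++;
            const char *end = strchr(p, ' ');
            size_t len = end ? (size_t)(end - p) : strlen(p);
            if (len == n && memcmp(p, inds->names[i], n) == 0)
                return true;
            p += len;
        }
    }
    return false;
}

/* Stand-in for a KDB module editing the indicator list (ticket 8823):
 * this one removes a single named indicator. */
static void
kdb_drop_indicator(struct ind_list *inds, const char *name)
{
    for (int i = 0; i < inds->count; i++) {
        if (strcmp(inds->names[i], name) == 0) {
            inds->names[i] = inds->names[--inds->count];
            return;
        }
    }
}

/* Old order: check the asserted list, then let the KDB edit it. The list
 * that ends up in the ticket is never checked. */
static bool
issue_old_order(const char *require_auth, struct ind_list inds,
                const char *drop)
{
    bool ok = check_indicators(require_auth, &inds);
    kdb_drop_indicator(&inds, drop);
    return ok;
}

/* Fixed order (ticket 8876): finish handling authdata, then check the
 * final list. */
static bool
issue_new_order(const char *require_auth, struct ind_list inds,
                const char *drop)
{
    kdb_drop_indicator(&inds, drop);
    return check_indicators(require_auth, &inds);
}

/* Constructed request: preauth asserted "otp" and "pkinit". */
static struct ind_list asserted = { { "otp", "pkinit" }, 2 };

/* Server requires "otp"; the KDB removes "otp" during handle_authdata(). */
bool old_order_accepts(void) { return issue_old_order("otp", asserted, "otp"); }
bool new_order_accepts(void) { return issue_new_order("otp", asserted, "otp"); }

/* Server requires "pkinit", which survives the edit: still issued. */
bool new_order_accepts_kept(void)
{
    return issue_new_order("pkinit", asserted, "otp");
}
```

The general rule the example illustrates: a policy check must run on the value that is actually emitted, so any hook that can rewrite the value has to run before the check, not after it.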
|
|
In the test KDB module, set the PAC as the first authdata element. In
adata.c, add PAC service verification and verify that a PAC does not
appear in authdata elements after the first.
[ghudson@mit.edu: minor style changes; edited commit message]
ticket: 8872
|
|
Commit 94f7c9705879500b1dc8dda8592490efce05688f simplified the
generation of authdata elements, but left behind some unnecessary
conditionalization when assembling the elements into a list, causing a
Coverity defect. Further simplify the code.
ticket: 8868
|
|
For cross-realm S4U2Proxy requests, require a PAC to be present to
bypass signedpath verification, but do not require it to be the only
authdata element. For within-realm requests, add and verify
signedpath authdata regardless of the presence of a PAC.
Simplify the test KDB authdata module and the existing RBCD tests as
we no longer need a way to suppress the test module's KDB authdata.
[ghudson@mit.edu: rewrote commit message; reordered a condition for
efficiency]
ticket: 8868 (new)
tags: pullup
target_version: 1.18
|
|
Ignoring the lookup realm for principal matching could cause the test
KDB module to successfully look up entries (with the correct key data)
for principals that a real KDB wouldn't have, such as krbtgt/B@A
within realm C. Add a realm check to test_get_principal(), allowing
only local principal names or incoming cross-TGS names.
[ghudson@mit.edu: changed error code; rewrote commit message]
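Added example, not krb5's own code: the realm rule this message describes, written as a standalone C predicate over a principal string of the form comp1/comp2@REALM. It accepts local names and the incoming cross-realm TGS name krbtgt/<lookup_realm>@<other>, and rejects everything else, including krbtgt/B@A looked up in realm C. Quoting of '@' and '/' inside components is not handled; the function name is an assumption.

```c
#include <stdbool.h>
#include <string.h>

/* Should a test KDB serving lookup_realm answer a lookup for princ?
 * Allowed: any principal in lookup_realm, or exactly the two-component
 * name krbtgt/<lookup_realm> in some other realm (an inbound cross-TGT). */
static bool
test_kdb_realm_ok(const char *princ, const char *lookup_realm)
{
    const char *at = strrchr(princ, '@');
    if (at == NULL)
        return false;                       /* malformed: no realm */
    const char *realm = at + 1;
    size_t namelen = (size_t)(at - princ);

    if (strcmp(realm, lookup_realm) == 0)
        return true;                        /* local principal */

    /* Foreign realm: only krbtgt/<lookup_realm> is ours to know about. */
    const char *slash = memchr(princ, '/', namelen);
    if (slash == NULL)
        return false;
    size_t c1 = (size_t)(slash - princ);
    size_t c2 = (size_t)(at - slash - 1);
    if (memchr(slash + 1, '/', c2) != NULL)
        return false;                       /* more than two components */
    return c1 == 6 && memcmp(princ, "krbtgt", 6) == 0 &&
           c2 == strlen(lookup_realm) &&
           memcmp(slash + 1, lookup_realm, c2) == 0;
}

bool realm_ok(const char *princ, const char *lookup_realm)
{
    return test_kdb_realm_ok(princ, lookup_realm);
}
```

Without the foreign-realm restriction a test KDB answers for principals a real KDB in that realm would never hold, and a test can pass by using a key that no deployed KDC would have.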
|
|
In the LDAP backend, the change mask is used to determine what LDAP
attributes to update. As a result, password expiration was not set
from policy when running during addprinc, among other issues.
However, when the mask did not contain KADM5_PRINCIPAL, pw_expiration
would be applied regardless, which meant that (for instance) changing
the password would cause the password application to be applied.
Remove the check for KADM5_PRINCIPAL, and fix the mask to contain
KADM5_PW_EXPIRATION where appropriate. Add a regression test to
t_kdb.py.
[ghudson@mit.edu: also set KADM5_ATTRIBUTES for randkey and setkey
since they both unset KRB5_KDB_REQUIRES_PWCHANGE; edited comments and
commit message]
ticket: 8861 (new)
tags: pullup
target_version: 1.17-next
|
|
In macOS 10.11 and later with System Integrity Protection enabled,
system programs (including the shell) purge DYLD_LIBRARY_PATH from the
environment at startup. As a result, any part of "make check" which
runs via a shell script must explicitly restore the runtime
environment. Add a common rule for runenv.sh, and create and source
it where shell scripts are run. Dejagnu's runtest is a shell script,
so create a tcl file for the kadmin and RPC unit tests and source it
from unix.exp. Avoid using the shell to run commands in several
places. Use return_trace=True for tests that previously indirected
through /usr/bin/env.
Do not include <malloc.h> in t_parse_host_string.c, as it does not
exist on macOS and is not needed.
Skip the iprop tests on macOS when SIP is enabled, as signal
restrictions appear to prevent the kpropd child process from informing
the parent process that a full resync has completed.
In net-server.c, set SO_REUSEPORT as well as SO_REUSEADDR on listener
sockets. Otherwise the krb5kdc processes run by the test suite
sometimes fail to start with "address in use" errors.
In configure.ac, only generate po/Makefile if we will descend into it.
|
|
It is simpler and more consistent with Windows to let the KDB module
always return aliases, and use KDC logic (already present) to decide
whether to use the requested or canonical principal name in the
ticket.
With the removal of this flag, "kinit alias" (without the -C flag)
against the LDAP KDB module will issue a ticket for the alias name,
instead of failing with a "client not found" error.
[ghudson@mit.edu: edited comments; wrote commit message]
ticket: 8859 (new)
|
|
Add a mock NegoEx-only GSS module, a test program which establishes a
SPNEGO context, and a Python script to exercise a variety of NegoEx
negotiation scenarios.
ticket: 8851
|
|
|
|
Remove ldapbackend.rst, as it is largely redundant with conf_ldap.rst.
Simplify conf_ldap.rst, using kerberos.openldap.ldif (added by ticket
8529) and removing unnecessary command arguments. Mention the
possibility of using SASL authentication (added by ticket 7944) as an
alternative to binding with DN and password. Remove unnecessary
access rights.
In kdc_conf.rst, remove ldap_servers from the list of relations read
from [dbdefaults], as it is only read from the realm's database
configuration section.
In kdb5_ldap_util.rst, document "-r" as a global parameter, as it
applies in some fashion to all commands. Make the same changes to the
kdb5_ldap_util usage message, and make it fit within 80 columns.
Reported by Dilyan Palauzov.
ticket: 8831 (new)
tags: pullup
target_version: 1.17-next
|
|
Add fake PAC generation and verification facilities to the test KDB
module, and implement the get_authdata_info() and
allowed_to_delegate_from() methods. In t_s4u.py, construct realms
using the test KDB module and test a variety of RBCD scenarios.
ticket: 8479
|
|
Cross-realm is already possible with the test KDB module, but because
the lookup realm is not included in the profile query or key
derivation, inbound cross-TGTs are implicit and use the same keys as
the local TGT, potentially obscuring bugs. Add the lookup realm to
key derivation so that they use different keys.
|
|
PACs (as well as anything wrapped in CAMMAC) should be signed using
the local TGT key. Cross-realm TGS requests, ticket renewal and
validation requests, and non-TGT AS requests currently do not pass the
local TGT DB entry or its key to sign_authdata(), forcing the KDB
module to do a redundant lookup in order to properly sign PACs.
Rename the existing krbtgt and krbtgt_key parameters to header_server
and header_key, to better indicate that they are for the header ticket
server. For AS requests, pass NULL for these parameters instead of
passing a duplicate of server/server_key.
Add local_tgt and local_tgt_key parameters for the realm's local TGT
and its first key.
[ghudson@mit.edu: rewrote commit message]
ticket: 8829 (new)
|
|
Add two new KDB methods to support resource-based constrained
delegation. The get_authdata_info method extracts the client
principal for the authdata (necessary for cross-realm RBCD requests as
the evidence ticket is a cross-realm TGT with the requested client's
authdata), and also returns an opaque pointer for consumption by other
KDB methods. The allowed_to_delegate_from method performs a
constrained delegation policy check on the principal entry of the
target principal.
Add the server principal and abstract authdata representation to the
sign_authdata method. Also pass the second ticket server as
header_server since we pass the authorization data from the second
ticket, and pass the impersonated client (if it is in the local realm)
as client instead of the impersonator.
Add core KDC code for RBCD requests. For local RBCD requests
(impersonator and target in the same realm), KDC handling is similar
to existing constrained delegation support. The evidence ticket is
not required to be forwardable, and allowed_to_delegate_from is used
in preference to check_allowed_to_delegate.
For cross-realm RBCD requests, the KDC could be in the impersonator
realm, the target realm, or in a transit realm between the two. In
the transit realm case, the request looks like a regular cross-realm
request for a krbtgt service except for the information in the PAC, so
this case is handled by the KDB module sign_authdata() method.
[ghudson@mit.edu: made style and documentation edits; edited commit
message]
ticket: 8479
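Added example, not krb5's own code: a C model of the local (same-realm) S4U2Proxy decision as this message describes it, with resource-based constrained delegation consulted on the target's entry first and not requiring a forwardable evidence ticket, and classic constrained delegation on the impersonator's entry as the fallback. The princ_entry struct, its two ACL arrays and the sample principal names are constructed for illustration; the real KDC also verifies the evidence ticket's client, the PAC and cross-realm transit, none of which is modelled here.

```c
#include <stdbool.h>
#include <string.h>

#define MAX_ACL 4

/* Constructed principal entry holding only the two delegation ACLs the
 * decision consults.
 *   allowed_to:   classic constrained delegation, stored on the
 *                 impersonator: targets it may obtain tickets for.
 *   allowed_from: resource-based constrained delegation, stored on the
 *                 target: impersonators permitted to act for others. */
struct princ_entry {
    const char *name;
    const char *allowed_to[MAX_ACL];
    const char *allowed_from[MAX_ACL];
};

static bool
acl_contains(const char *const *acl, const char *name)
{
    for (int i = 0; i < MAX_ACL && acl[i] != NULL; i++)
        if (strcmp(acl[i], name) == 0)
            return true;
    return false;
}

/* Stand-in for the KDB allowed_to_delegate_from method: a policy check on
 * the target principal's entry. */
static bool
allowed_to_delegate_from(const struct princ_entry *target,
                         const struct princ_entry *impersonator)
{
    return acl_contains(target->allowed_from, impersonator->name);
}

/* Stand-in for check_allowed_to_delegate(): policy on the impersonator. */
static bool
check_allowed_to_delegate(const struct princ_entry *impersonator,
                          const struct princ_entry *target)
{
    return acl_contains(impersonator->allowed_to, target->name);
}

/* Local S4U2Proxy decision: RBCD first, without a forwardable requirement;
 * otherwise classic constrained delegation, which does require one. */
static bool
s4u2proxy_permitted(const struct princ_entry *impersonator,
                    const struct princ_entry *target,
                    bool evidence_forwardable)
{
    if (allowed_to_delegate_from(target, impersonator))
        return true;
    if (!evidence_forwardable)
        return false;
    return check_allowed_to_delegate(impersonator, target);
}

/* Constructed sample entries. */
static const struct princ_entry web = {
    "HTTP/web.example.com", { "cifs/files.example.com", NULL }, { NULL }
};
static const struct princ_entry files = {
    "cifs/files.example.com", { NULL }, { NULL }
};
static const struct princ_entry db = {
    "ldap/db.example.com", { NULL }, { "HTTP/web.example.com", NULL }
};

/* web -> files is classic delegation: needs a forwardable evidence ticket. */
bool classic_ok(bool fwd) { return s4u2proxy_permitted(&web, &files, fwd); }
/* web -> db is RBCD: granted by db's entry, forwardable flag irrelevant. */
bool rbcd_ok(bool fwd) { return s4u2proxy_permitted(&web, &db, fwd); }
/* files -> db: neither ACL permits it. */
bool unrelated_ok(void) { return s4u2proxy_permitted(&files, &db, true); }
```

The preference order matters operationally: an administrator who configures RBCD on a resource should not also have to mark the impersonator's evidence tickets forwardable, and a resource that revokes its allowed_from entry should not be reachable through a stale allowed_to entry unless the classic path's own conditions hold.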
|
|
Amend the sign_authdata method signature to include a modifiable
auth_indicators array. Bump the DAL major version and the libkdb5
soname. Add a test case using the test KDB module.
ticket: 8823 (new)
|
|
Bring the SPAKE edwards25519.c code up to date with BoringSSL, adding
edwards25519_fiat.h to contain the Fiat-generated code which BoringSSL
has split out. The relevant BoringSSL commits are:
302bb3964ad8cc4fb8540ee4783a936c5515605d
5590c715e26790d9b60384e1ac092529a19208af
32e59d2d3264e4e104b355ef73663b8b79ac4093
899835fad40f50f4c29bf7042b415eb72ad0e7d7
9847cdd785abae6313412fc5a824b938bef6ba98
The updated code avoids undefined signed left-shift behavior (not a
problem in practice, so far) and compiles to faster code with gcc on
platforms where the 64-bit code cannot be used.
|
|
|
|
PKINIT draft 9 support is required to interoperate with Windows 2000,
Windows XP, and Windows Server 2003, all of which are well beyond
end-of-life. Remove it.
ticket: 8817 (new)
|
|
Move http links to https where appropriate. Update links which have
moved. Remove a couple of links which no longer work and have no
obvious replacement. Remove a link from a comment in the German
translation which does not appear to be related to the message.
[ghudson@mit.edu: adjusted changes; rewrote commit message]
|
|
Handle the attribute 'nsAccountLock' from Netscape derivatives. Based
on a patch by Nalin Dahyabhai and Simo Sorce.
ticket: 5891
|
|
ticket: 8805 (new)
|
|
def_kslist was part of kdb5_create.c since its addition (commit
edf8b4d8a6a665c2aa150993cd813ea6c5cf12e1) and has always been
irrelevant since the rblock structure is fully initialized in
kdb5_create().
def_klist was copied into kdb5_ldap_realm.c (present in addition at
commit 42d9d6ab320ee3a661fe21472be542acd542d5be). The global rblock
structure (and therefore the initializer) was removed in commit
9c850f8b62784170a5e42315c1a9552ddcf4ca2b, leaving def_kslist
unreferenced.
Remove def_kslist from both files, and remove the rblock initializer
from kdb5_create.c.
[ghudson@mit.edu: edited commit message]
|
|
|
|
Fold pkcs7_decrypt() and pkcs7_dataDecode() into a single function,
and make it output the plaintext rather than a BIO.
[ghudson@mit.edu: continued a modernization of pkcs7_dataDecode() into
a larger refactoring]
|
|
ticket: 8800
|
|
test_get_s4u_x509_principal() needs to free canon before exiting.
|
|
[ghudson@mit.edu: fixed memory leaks in test KDB method]
ticket: 8781
|
|
In the LDAP KDB module, fix an empty initializer. In the SPAKE
edwards25519 code, use autoconf tests to determine whether to use the
64-bit code. In the SPAKE update_thash() function, make sure the
types of the conditional expression results match exactly. In
libkrb5support, link against zap.o now that k5buf.o can use zap() (as
of commit 8ee8246c14702dc03b02e31b9fb5b7c2bb674bfb).
[ghudson@mit.edu: squashed commits; rewrote commit message; adjusted
autoconf tests; minor code changes]
ticket: 8769 (new)
tags: pullup
target_version: 1.17
|
|
Regenerate dependency files and mit-krb5.pot. Regenerate man pages
and NOTICE with python-sphinx 1.6.7. Regenerate deltat.c with bison
3.0.4. Update config.guess and config.sub from upstream (commit
2fa97a8a0ed37bec720bd118d65e674cebf50404).
|
|
Add a new name-type OID which causes a string to be imported as an
enterprise name. This is useful for authenticating and impersonating
users with their UPN names.
Resurrect t_imp_name test to exercise importing of the new name OID.
Also add a test using the new name in cross-realm protocol transition,
to exercise s4u_identify_user() with multiple realms.
[ghudson@mit.edu: added Windows export entry; adjusted comments and
test code; edited commit message]
ticket: 8756 (new)
|
|
[ghudson@mit.edu: factored out tgtname() in kdb_test.c; added trace
messages to tests and removed old redundant test]
ticket: 8747
|
|
ticket: 8738 (new)
|
|
ticket: 8743 (new)
tags: pullup
target_version: 1.16-next
target_version: 1.15-next
|
|
The LDAP KDB module contained a duplicate set of functions to marshal
osa_princ_ent_ret structures, perhaps to avoid a circular dependency
on libkadm5srv before KDB modules were dynamically loaded. We have
been using the libkadm5srv versions of those functions from the DB2
KDB module since release 1.8. Use them from the LDAP KDB module as
well.
Since no rpcgen output remains in princ_xdr.c and princ_xdr.h, add
emacs mode lines for the krb5 C style to those files and make small
formatting adjustments to match.
|
|
pkinit_identity.c:parse_fs_options() could crash if the first
strtok_r() call returns NULL, which happens when the residual string
begins with ','. Fix this bug by checking for a leading comma and
checking the strtok_r() result, and add a test case. Reported by Bean
Zhang.
Also return EINVAL rather than 0 on invalid input, and don't leave an
allocated value in idopts->cert_filename if we fail to copy the key
filename.
ticket: 8726
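Added example, not krb5's own code: the crash shape this message describes beside a hardened parser for the FILE: identity residual "cert[,key]". The fs_opts struct, the dupstr() helper and the use of ISO C strtok() in place of strtok_r() are choices made for this example so that it compiles standalone; the error-handling rules (leading comma rejected, every token checked, EINVAL on invalid input, no allocated cert_filename left behind on failure) follow the message.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed option struct; pkinit_identity.c's idopts has more fields. */
struct fs_opts {
    char *cert_filename;
    char *key_filename;
};

/* strdup() is POSIX, not ISO C; a local copy keeps the example portable. */
static char *
dupstr(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

static void
free_fs_opts(struct fs_opts *o)
{
    free(o->cert_filename);
    free(o->key_filename);
    o->cert_filename = o->key_filename = NULL;
}

/* Shape of the bug. The real code tokenizes with strtok_r(); strtok() has
 * the same return convention. For an empty residual or a bare "," the
 * first token is NULL and dupstr(NULL) dereferences it. It also returns 0
 * on bad input and leaves cert_filename allocated if the key copy fails.
 * Kept here to be read; do not call it on "" or ",". */
int
parse_fs_options_unsafe(const char *residual, struct fs_opts *o)
{
    char *copy = dupstr(residual);
    if (copy == NULL)
        return ENOMEM;
    char *cert = strtok(copy, ",");
    char *key = strtok(NULL, ",");
    o->cert_filename = dupstr(cert);        /* NULL deref when cert == NULL */
    o->key_filename = (key != NULL) ? dupstr(key) : NULL;
    free(copy);
    return 0;
}

/* Hardened form: refuse a leading comma (no certificate file is named),
 * check each token, return EINVAL on invalid input, and never return with
 * cert_filename allocated on failure. */
static int
parse_fs_options(const char *residual, struct fs_opts *o)
{
    char *copy = NULL, *cert, *key;
    int ret;

    o->cert_filename = o->key_filename = NULL;
    if (residual == NULL || *residual == '\0' || *residual == ',')
        return EINVAL;
    copy = dupstr(residual);
    if (copy == NULL)
        return ENOMEM;
    cert = strtok(copy, ",");
    key = strtok(NULL, ",");
    if (cert == NULL || strtok(NULL, ",") != NULL) {
        ret = EINVAL;                       /* nothing, or too many fields */
        goto cleanup;
    }
    o->cert_filename = dupstr(cert);
    if (o->cert_filename == NULL) {
        ret = ENOMEM;
        goto cleanup;
    }
    if (key != NULL) {
        o->key_filename = dupstr(key);
        if (o->key_filename == NULL) {
            free(o->cert_filename);
            o->cert_filename = NULL;
            ret = ENOMEM;
            goto cleanup;
        }
    }
    ret = 0;
cleanup:
    free(copy);
    return ret;
}

/* Run the hardened parser and compare against the expected fields.
 * Returns the parser's code, or -1 if it accepted the input but produced
 * different fields. */
int
check_parse(const char *residual, const char *want_cert, const char *want_key)
{
    struct fs_opts o;
    int ret = parse_fs_options(residual, &o);
    if (ret == 0) {
        bool cert_ok = strcmp(o.cert_filename, want_cert) == 0;
        bool key_ok = (want_key == NULL)
            ? (o.key_filename == NULL)
            : (o.key_filename != NULL && strcmp(o.key_filename, want_key) == 0);
        if (!cert_ok || !key_ok)
            ret = -1;
    }
    free_fs_opts(&o);
    return ret;
}
```

Note that strtok-style tokenizers skip leading delimiters, so ",key.pem" would otherwise be accepted with key.pem silently taken as the certificate file; the explicit leading-comma check is what turns that misconfiguration into an error rather than a surprising identity.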
|