Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
|
|
|
|
Set localstatedir and runstatedir in config/pre.in so that the default
runstatedir value of ${localstatedir}/run works. Reported by Mike
Jetzer.
(cherry picked from commit fd005a1967510004c9197f7da9f1d85ee81f4734)
ticket: 8975
version_fixed: 1.19
|
|
Field testing of dns_canonicalize_hostname=fallback (ticket 8911)
revealed more disruptive edge cases than anticipated. Many were fixed
by ticket 8930, but host-based GSS initiator names were recently
discovered to not work, and one other edge case could not be resolved
without a change to external code.
Restore the default to true for now. Set the value to fallback in the
test suite, to continue testing the desired configuration and to avoid
restoring tests/resolve.
(cherry picked from commit 15f8c4fd7d62d07ea2759a7b6d684c000430559e)
ticket: 8973
version_fixed: 1.19
|
|
Commit 3fcc365a6f049730b3f47168f7112c03997c5c0b added fallback support
to krb5_rd_req(), but acquiring acceptor creds for a host-based name
could still fail within check_keytab() in the krb5 mech.
Add an internal libkrb5 API k5_kt_have_match() to check for a matching
keytab entry with canonicalization, and use it in check_keytab(). Add
a library-internal function k5_sname_wildcard_host() to share logic
between rd_req and k5_kt_have_match().
(cherry picked from commit 7e0a2a7a3a76205ebd7192f06a99f23bad8dc5bd)
ticket: 8971
version_fixed: 1.19
|
|
Commit becd1ad6830b526d08ddaf5b2b6f213154c6446c attempted to unify the
synopsis, option descriptions, and xusage(), but missed several
options in the synopsis.
(cherry picked from commit b89d63a51271bd0258b9d24732e9f0cb0ba5d006)
ticket: 8969
version_fixed: 1.19
|
|
Although Heimdal's KCM client only continues after KRB5_CC_END,
Heimdal's and macOS's KCM server returns KRB5_FCC_NOFILE if a cache
uuid no longer exists. Check for both errors during iteration. Also
set ret to 0 when continuing, in case the skipped uuid is the last one
in the list.
(cherry picked from commit f7b3cb8bbe90817f7bfbc545f1e427c16f52a79c)
ticket: 8967
version_fixed: 1.19
|
|
When making TGS requests, if start_realm is set in the cache, use the
named realm to look up the initial TGT for referral or cross-realm
requests. (Also correct a comment in struct _tkt_creds_context: the
ccache field is an owner pointer, not an alias.)
Add an internal API k5_cc_store_primary_cred(), which sets start_realm
if the cred being stored is a TGT for a realm other than the client
realm. Use this API when acquiring initial tickets with a
caller-specified output ccache, when renewing or validating tickets
with kinit, when accepting a delegated credential in a GSS context,
and when storing a single cred with kvno --out-cache.
(cherry picked from commit 0d56740ab9fcc40dc7f46c6fbebdf8f1214f9d96)
ticket: 8332
version_fixed: 1.19
|
|
|
|
|
|
|
|
Update from https://git.savannah.gnu.org/cgit/config.git commit
888c8e3d5f7bf7464bba83aaf54304a956eefa60.
|
|
If both input and output credentials are provided to gss_add_cred() or
gss_add_cred_from(), check for a duplicate element in the input handle.
[ghudson@mit.edu: reorganized code; rewrote commit message]
ticket: 8966 (new)
|
|
RPM expects this behavior, and systems with contrary policies (like
Debian) address permissions at the packaging layer. Most other build
systems appear to install shared libraries as executable.
[ghudson@mit.edu: edited commit message]
ticket: 8965 (new)
|
|
The verify option instructs acquire_cred_from to verify a credential
obtained via a password, using the default keytab or the keytab
provided via the "keytab" key. The value is a principal name (in
string form) for a key in the selected keytab, or the empty string to
use any host key in the keytab.
[ghudson@mit.edu: fleshed out tests; adjusted verify params contracts;
rewrote commit message]
ticket: 8963 (new)
|
|
Add an option for initial creds acquisition via password to
gss_acquire_cred_from(), storing credentials in a new MEMORY ccache.
Move existing cred store tests from t_gssapi.py to t_credstore.py and
add new ones for password acquisition.
[ghudson@mit.edu: squashed commits; rewrote commit message]
ticket: 8962 (new)
|
|
Add a separate IAKERB entry point for gss_acquire_cred_from() and
correctly pass down the iakerb flag to acquire_cred_context(), so that
we don't attempt to acquire initial credentials directly.
[ghudson@mit.edu: rebased earlier in sequence; rewrote commit message]
ticket: 8961 (new)
|
|
Remove support for BER indefinite-length encodings, which are not
valid in DER. Enforce validity of digits in GeneralizedTime values.
Reject signed integer encodings large enough to possibly overflow
intmax_t, and use regular arithmetic to avoid the undefined behavior
of left-shifting a negative integer. Reject trailing garbage in
explicitly-tagged single values. Remove the unnecessary
KRB5_GENEROUS_LR_TYPE workaround; our KDC doesn't generate last-req
information, so the broken pre-2000 encoding behavior had no impact.
[ghudson@mit.edu: edited commit message]
|
|
Mainline autoconf generates no shell code for AC_CONFIG_AUX_DIR().
Call it unconditionally to avoid a syntax error.
[ghudson@mit.edu: rewrote commit message]
ticket: 8960 (new)
tags: pullup
target_version: 1.18-next
target_version: 1.17-next
|
|
The libkrb5 ASN.1 decoder supports BER indefinite lengths. It
computes the tag length using recursion; the lack of a recursion limit
allows an attacker to overrun the stack and cause the process to
crash. Reported by Demi Obenour.
CVE-2020-28196:
In MIT krb5 releases 1.11 and later, an unauthenticated attacker can
cause a denial of service for any client or server to which it can
send an ASN.1-encoded Kerberos message of sufficient length.
ticket: 8959 (new)
tags: pullup
target_version: 1.18-next
target_version: 1.17-next
|
|
Active Directory canonicalizes the srealm field of TGS replies,
whether or not the client requests canonicalization. Allow this for
regular TGS and S4U2Self referrals queries by comparing only the name
part of the service principal. The S4U2Proxy code is already correct.
ticket: 8943 (new)
|
|
|
|
Move the following validity checks:
* the INVALID ticket flag check from kdc_process_tgs_req()
* the lineage check from process_tgs_req()
* the user-to-user second ticket client check from process_tgs_req()
* all S4U2Self validity checks from kdc_process_s4u2self_req()
* S4U2Proxy validity checks (but not KDB authorization checks) from
kdc_process_s4u2proxy_req()
In process_tgs_req(), call validate_tgs_request() after
kdc_process_s4u2self_req() and decrypt_2ndtkt() so that their outputs
can be used as validation inputs. Add stkt and is_crossrealm locals
for convenience, and remove st_idx.
There are some minor behavior changes:
* For invalid S4U2Self request options, the status string is changed
from "INVALID AS OPTIONS" to "INVALID S4U2SELF OPTIONS".
* For a header ticket with the INVALID flag, the reply code is changed
to KRB_AP_ERR_TKT_NYV (as specified in RFC 4120) and the status
string to "TICKET NOT VALID".
* For a lineage check failure, the explicit KDC log is removed, and
the status string is changed to "INVALID LINEAGE".
* For a user-to-user second ticket client mismatch, the explicit audit
call is removed, and the log message does not include the second
ticket client.
* e_data returned from the KDB check_policy_as() method will be
included in the error for S4U2Self requests.
ticket: 8953 (new)
|
|
[ghudson@mit.edu: whitespace changes; reverted man page change]
ticket: 8957 (new)
|
|
Remove an unused variable in krb5_ldap_create(). Handle the return
value from krb5_dbe_get_string() in the certauth test plugin module.
Handle the return value from k5_expand_path_tokens() in
k5_rc_default(). Remove dead assignments in
krb5_get_credentials_for_user() and kg_accept_krb5().
[ghudson@mit.edu: squashed and edited commit message; simplified
k5_rc_default() change]
|
|
Commit d160bc733a3dbeb6d84f4e175234ff18738d9f66 (ticket 7045) added a
new thread key K5_KEY_GSS_SPNEGO_STATUS and registered it in SPNEGO
library initialization, but neglected to unregister it in
finalization. As a result, loading, unloading, and reloading
libgssapi_krb5 could throw an assertion failure if libkrb5support
remained loaded. Unregister the key in SPNEGO finalization and add a
test case.
Reported and investigated by Adam Dabrowski.
ticket: 8614
tags: pullup
target_version: 1.18-next
target_version: 1.17-next
|
|
Update lib/crypto/builtin/aes to commit
8798ad829374cd5ff312f55ba3ccccfcf586fa11 of
https://github.com/BrianGladman/aes .
The following changes are made to the upstream code:
* In aes.h, #defines are added to give the linker-visible symbols a
prefix.
* In aes.h, AES_192 is undefined, since we only need AES-128 and
AES-256.
* In aesopt.h, USE_INTEL_AES_IF_PRESENT and USE_VIA_ACE_IF_PRESENT are
suppressed by changing the corresponding "#if 1"s to "#if 0"s.
* In aesopt.h, the conditionals for ENC_UNROLL, DEC_UNROLL, ENC_ROUND,
LAST_ENC_ROUND, DEC_ROUND, LAST_DEC_ROUND, and KEY_SCHED are changed
from "#if 1" to "#if !defined(CONFIG_SMALL) ||
defined(CONFIG_SMALL_NO_CRYPTO)".
bigredbutton: whitespace
ticket: 8954
|
|
Address all warnings issued by "python -Werror::DeprecationWarning"
in the test suite and doc build, as of Python 3.8.2.
|
|
Where possible, use the realm of the request server principal
(canonicalized via KDB lookup, if available) in preference to
tgs_server. This change facilitates alias realm support and potential
future support for serving multiple realms from the same KDB.
S4U2Self local user testing currently uses the uncanonicalized request
realm after this change, which will require attention for alias realm
support.
FAST armor ticket checking is unaffected by this change (it still
compares against tgs_server). This check poses no issue for realm
aliases, as both tgs_server and the armor ticket server should have
canonical realms, but it will require attention for multi-realm KDB
support.
Remove is_local_principal() as it is no longer used. Add an
is_local_tgs_principal() helper and shorten is_cross_tgs_principal().
Move the header ticket lineage check from kdc_process_tgs_req() to
process_tgs_req(), where we have the canonical request server name and
a more natural indication of whether the request was an S4U2Self
request.
|
|
When validating AS or TGS requests, pass pointers to DB entry
structures, not the structures themselves.
|
|
In krb5.hin, fix some apparently harmless whitespace nits in comments
which cause newer Doxygen versions to generate <detaileddescription>
content containing <linebreak/> tags. Also remove the explicit "@n"
linebreaks in the responder JSON schemas, instead relying on Doxygen
markup support (added in Doxygen 1.8). Add a verbatim handler in
doxybuilder_types.py to translate the resulting section, replacing the
linebreak handler which is no longer needed.
css_files is deprecated in Sphinx. Instead use app.add_stylesheet()
in a setup function in conf.py. (Sphinx 1.8 has a slightly simpler
method, but that is currently too recent to depend on.) Also remove
the obsolete html_use_smartypants setting.
In func_document.tmpl, fix an incorrent use of "is".
ticket: 8952 (new)
|
|
In process_tgs_req() when verifying the user-to-user second ticket,
compare the canonical names of the request server and the second
ticket client.
[ghudson@mit.edu: expanded commit message; trimmed tests]
ticket: 8951 (new)
|
|
Change the name of is_client_alias() to is_client_db_alias(), and
change the contract so that the already-canonical principal name comes
from a DB entry (which is less flexible, but clearer since DB entries
always contain canonical principal names). Make the function
available outside of kdc_util.c.
[ghudson@mit.edu: clarified commit message]
|
|
During initial authentication, if des3-cbc-sha1 is used for either the
reply key or session key, display a warning that it will be disabled.
ticket: 8947 (new)
|
|
When processing an S4U2Self request, check for DB aliases when
matching the TGT client against the request server. When processing
an S4U2Proxy request, check for DB aliases when matching the TGT
client against the evidence ticket server.
[ghudson@mit.edu: minor edits; rewrote commit message]
ticket: 8946 (new)
|
|
Copying tickets from the MSLSA cache to another cache is no longer
possible in most circumstances, and the Leash ribbon UI does not have
an import button. Remove all remaining support for importing tickets.
ticket: 8940 (new)
|
|
CLeashView::RenewTicket() falls back to an ImportTicket or InitTicket
operation if ticket renewal fails. A 2004 commit (from the old
pismere repository) added code to heuristically determine whether
Leash's cache was imported by comparing the MSLSA cache principal name
to ticketinfo.Krb5.principal. Commit
9bc411e72fce5bed3ed00ae5b09f8c239309bae0 broke this code by removing
the call to initialize ticketinfo.Krb5 and by making
ticketinfo.Krb5.principal ephemeral. The strcmp() call now crashes
the process with a null dereference.
Fix the crash by removing the heuristic detection of imported tickets,
using the current value of m_importedTickets (which should be correct
unless Leash was restarted after the tickets were obtained) to decide
whether to import or initialize tickets.
ticket: 8938
tags: pullup
target_version: 1.17-next
target_version: 1.18-next
|
|
Remove out2con.cpp, which no longer works. Replace it with a simple
method for creating a console and redirecting stdout and stderr to it.
ticket: 8937 (new)
|
|
In get_mech_set(), check the length before reading the first byte, and
decrease the length by the tag byte when reading and verifying the
sequence length.
In get_req_flags(), check the length before reading the first byte,
and check the context tag length after decoding it.
ticket: 8933 (new)
tags: pullup
target_version: 1.18-next
target_version: 1.17-next
|
|
When reading an OID in a SPNEGO token, use gssint_get_der_length()
rather than assuming the length fits in one byte. Although OID
lengths greater than 127 are unlikely, some NetApp products have been
observed to incorrectly encode the length in multiple bytes. Reported
by Richard Sharpe.
ticket: 8932 (new)
|
|
In krb5_get_credentials_for_user(), always exit after the first cache
check if KRB5_GC_CACHED is specified. Not making network requests
with this flag is more important than finding a post-realm-discovery
cached entry.
If KRB5_GC_CACHED is specified without a principal name, fail
immediately, as we cannot check the cache by certificate.
ticket: 8942 (new)
|
|
Use "primary_kdc" and "iprop_ulogsize" as the preferred names of the
two relations. Fall back to the old keys if the new ones are not set.
ticket: 8921
|
|
Where it does not affect program behavior, use the term "primary KDC".
This commit does not change any profile variables, DNS labels,
pathnames, or externally visible identifiers, nor does it change the
term "master key".
ticket: 8921 (new)
|
|
Attempting to renew the MSLSA cache can commonly fail with
KRB5_CC_NOTFOUND due to LSA policy. Do not display an error popup in
this case. Also fix a logic error in the existing suppressions.
ticket: 8939 (new)
tags: pullup
target_version: 1.18-next
target_version: 1.17-next
|
|
Replace the TARGET_OS_MAC conditionals with the conditionals used in
Heimdal, so that we do not pack structures inconsistently with macOS
on ARM. Suggested by Luke Howard.
ticket: 8944 (new)
|
|
|
|
Add missing kvno options to the kvno.rst synopsis and option
descriptions, and to the kvno usage message. Remove mention of '-h'
(help text), from kvno.rst as it is an implicit option. Note that the
three new caching options were added in release 1.19.
Indicate the two exclusions (-u/-S and --u2u with the S4U2Self options)
and dependency (-P on S4U2Self) where they are missing.
Switch xusage() to print only a single localized string, rather than
running each line of output through localization separately.
Leave kvno -C undocumented for now, as the semantics of
KRB5_GC_CANONICALIZE are minimally useful and likely to change.
[ghudson@mit.edu: edited documentation and commit message]
ticket: 7476
tags: pullup
target_version: 1.18-next
|
|
In kdb5_ldap_util, set lockdown_keys on the special principals when
creating an LDAP KDB, as we do in kdb5_util when creating a regular
KDB.
ticket: 8936 (new)
tags: pullup
target_version: 1.18-next
target_version: 1.17-next
|