| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
This extension makes it possible for an interposer to know which
interposed mechanism the mechglue intended to use when multiple
mechanisms are being interposed by the same plugin.
|
| |
|
|
|
|
| |
This extension makes it possible for an interposer to know which
interposed mechanism the mechglue intended to use when multiple
mechanisms are being interposed by the same plugin.
|
| |
|
|
|
|
| |
This extension makes it possible for an interposer to know which
interposed mechanism the mechglue intended to use when multiple
mechanisms are being interposed by the same plugin.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pick the right set of OIDs to use in mechglue functions.
We have 3 oids to care for:
The desired/requested oid, it can be a valid oid or a special interposer oid
used to avoid looping back to an interposer plugin when the interposer wants to
access a local mechanism.
The selected_oid, that is the actual oid of the mechanism we are going to use,
it could be an interposer oid.
The public oid, which normally is the same as the desired/requested oid except
when a special interposer oid is used by an interposer.
FIXME: Set the right mech_type on contexts
- issue with accept_sec_context, how to fallback to local mechanism ?
- may need to use magic fallback error
|
| |
|
|
|
|
|
|
| |
Special care needs to be taken to avoid returning special interposer plugin
OIDs to user applications.
The public OID is the OID that should be returned to users of the GSSAPI.
This is not the same as the internal OID which could be a special interposer
plugin OID.
|
| |
|
|
|
|
|
| |
This is needed since gssint_get_mechanism(NULL) now can return an interposer
mechanism, and then mech->mech_type will not point to the right mechanism
type, but to the interposer plugin OID. Also for special interposer OIDs we
need to use the real mechanism type when the passed in oid is special.
|
| |
|
|
|
|
| |
This function is used to return te reply for gss_indicate_mechs(), and we do
not want applications to see interposer mechs, they should never be exposed
directly to apps.
|
| |
|
|
|
|
| |
Also initialialize any interposer plugin as soon as configuration is
loaded from the file. This is to insure interposer are configured
before actual mechanisms they may want to interpose are.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Revision fcdd2de1 added the K5_KEY_GSS_KRB5_ERROR_MESSAGE key, and
registered it in the gssapi library initialization routine, but
did not unregister it in the libary finalization routine.
When the library is unloaded and reloaded in the same process,
this leads to an assertion failure, since we check that
destructors_set[keynum] is zero (no destructor set) when registering
a key in util/support/threads.c.
Unregister the key on library cleanup to resolve the error.
ticket: 7353
target_version: 1.10.4
tags: pullup
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
In the MSLSA cache, if we get back a zero-length ticket, don't
accept it as success; continue on to try and get an acceptable
ticket.
ticket: 7349 (new)
subject: SapGUI sometimes crashes on new session with MSLSA cache
target_version: 1.10.4
tags: pullup
|
| |
|
|
| |
ticket: 7354
|
| |
|
|
|
|
|
| |
Using the new internal JSON support to implement serialization and
unserialization of krb5 GSS credentials.
ticket: 7354
|
| |
|
|
|
|
|
|
| |
Add gss_export_cred and gss_import_cred mechglue functions to
serialize and unserialize GSSAPI credential handles. Mechanism
implementations and tests will follow.
ticket: 7354 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add new APIs:
* krb5_get_init_creds_opt_set_responder
* krb5_responder_get_challenge
* krb5_responder_list_questions
* krb5_responder_set_answer
If a caller sets a responder, it will be invoked after preauth modules
have had a chance to review their incoming padata but before they produce
outgoing padata. The responder will be presented a set of questions with
optional challenges. The responder should then answer all questions it knows
how to handle. Both the answers and the challenges are printable UTF-8 and
may contain encoded, structured data specific to the question asked.
Add two new callbacks and one optional method to the clpreauth
interface. The new method (prep_questions) allows modules to ask questions
by setting them in the responder context using one of the new callbacks
(ask_responder_question). The other new callback (get_responder_answer) is
used by the process method to read the answers to the questions asked.
ticket: 7355 (new)
|
| |
|
|
|
|
|
| |
25ee704e83c2c63d4b5ecd12ea31c1979239041e added three new public GSSAPI
functions; add them to the DLL export file.
ticket: 7217
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The upstream libverto depends on dynamic loading and in particular on
dladdr(), which is not universal. To avoid this dependency, stub out
support for module loading (by replacing module.c) and instead
integrate the k5ev module directly into the bundled verto library.
This change removes the need to link, include, and invoke libverto
differently depending on whether we're using the bundled library; we
can always just link with -lverto and call verto_default().
bigredbutton: whitespace
ticket: 7351 (new)
|
| |
|
|
| |
ticket: 7347 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When using v4 file credentials caches, client clock skew offsets
obtained when running with the kdc_timesync option set are persisted in
the ccache. This allows the offsets to be used across separate contexts,
e.g. when obtaining credentials using krb5 interfaces and subsequently
importing those credentials for use in gssapi. This patch adds similar
support for memory credentials caches.
[ghudson@mit.edu: Minor style corrections.]
ticket: 7346 (new)
|
| |
|
|
|
| |
The most recent commit to g_acquire_cred.c allocates an OID set to
pass to the mech, but never releases it. Fix that.
|
| |
|
|
|
|
|
|
|
| |
We can't mix the KRB5 and CC error constants; standardize on the CC ones
and translate appropriately.
ticket: 7339 (new)
target_version: 1.10.4
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
| |
It is not really clear this is correct, but neither was the
previous behavior.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7255 (new)
queue: kfw
target_version: 1.10.4
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We used to explicitly check if a process was UAC-limited and deny all
access to the TGT in that case; however, this makes the MSLSA cache
effectively useless.
Do not try to outsmart UAC, and let it do its own checking -- this allows
UAC-limited access to the MSLSA ccache, which should mean read-write
access to service tickets, and write-only access to the TGT.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
[kaduk@mit.edu: delete instead of comment out, move comment.]
ticket: 7254 (new)
queue: kfw
target_version: 1.10.4
tags: pullup
|
| |
|
|
|
|
| |
unistd.h is not available on Windows and isn't needed for this file,
so don't include it. Two arguments to asprintf in choose_token() were
reversed.
|
| |
|
|
|
|
|
|
|
|
|
| |
Only one mslsa ccache is supported, so switch_to is not needed.
Likewise, struct krb5int_lcc_iterator is unneccesary.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7236 (new)
target_version: 1.10.4
tags: pullup
|
| | |
|
| |
|
|
|
| |
Fix minor typos in lib/krb5/krb/Makefile.in and
tests/gssapi/Makefile.in so that "make depend" will work.
|
| |
|
|
|
|
|
| |
Implements the client side of RFC 6560. Not all features are
implemented, but it should work for the most common cases.
ticket: 7242 (new)
|
| |
|
|
|
|
|
| |
Add encoders and decoders for the OTP-TOKENINFO, PA-OTP-CHALLENGE,
PA-OTP-REQUEST, and PA-OTP-ENC-REQUEST types from RFC 6560. For more
thorough testing, add support for generating test encodings using
asn1c for sample objects (currently only for the OTP types).
|
| |
|
|
|
|
|
| |
k5buf_to_gss was used in only one place (generic_gss_oid_to_str),
where we want to include the terminating null byte in the GSS buffer.
Remove that assumption from the helper, and instead explicitly append
the null byte to the buffer before translating.
|
| |
|
|
|
|
|
|
|
| |
If apply_keysalt_policy is called with null result arguments (as from
kadm5_setkey_principal_3), we would dereference a null pointer if the
principal has no policy or no policy allowed_keysalts field, due to an
incorrect optimization. Reported by Nico.
ticket: 7223
|
| | |
|
| |
|
|
|
|
|
| |
krb5_gss_export_name uses malloc to construct a gss_buffer_desc value,
and should use gssalloc_malloc instead.
ticket: 7233
|
| |
|
|
|
|
|
| |
Use free() instead of gss_release_buffer() when freeing buffers in
libgssrpc which weren't constructed by GSSAPI. This mixing is
harmless in normal configurations (since libgssrpc is only used on
Unix), but fails with DEBUG_GSSALLOC.
|
| |
|
|
|
|
|
|
|
| |
Fix some GSSAPI buffer allocations which were missed in
800358b1790ef82710af0b6021c6ff2dca2b0de7: gss_export_sec_context,
gss_display_name, and IAKERB and SPNEGO token construction.
ticket: 7233 (new)
tags: pullup
|
| |
|
|
|
|
|
|
|
|
| |
Because the gssalloc macros are normally equivalent to malloc and free
on Unix, we cannot use the full test suite to find cases where we
allocate with malloc and free with gssalloc_free or vice versa.
Provide a way to test for this kind of bug (if only in a special build
configuration) by supporting a DEBUG_GSSALLOC symbol, which causes the
gssalloc wrappers to be deliberately incompatible with malloc and
free.
|
| |
|
|
|
|
|
|
| |
This function did not serve any useful purpose. Remove it and the
special case it creates; move the only function it contained to the
main gss_mechanism structure where it belongs. Note that the function
name is preserved so that loadable modules are not affected by this
change.
|
| |
|
|
|
|
|
| |
After 74beb75bb07e3921d10c8eec05eacb1f393e5e44, allocate_princ()
allocates a one-byte realm field even if the principal doesn't have
one, so if we're replacing it with the default realm, we need to free
that.
|
| |
|
|
|
|
|
| |
The library isn't attempting a replay attack on itself, so any detected
replays are only going to be false-positives.
ticket: 7229 (new)
|
| |
|
|
|
|
| |
This way the mechanism handler knows what mech type is intended.
This allows plugin that implement multiple mechanisms or interposer
plugins to know what they are being asked to do.
|
| |
|
|
|
|
|
|
| |
Follow previous change to add_cred_from.
The only case where the spnego gss_*_cred_* functions can be called
with specific OIDs is if the mechglue calls spnego with the spengo
oid, which we never want to loop on anyway. So always consider it as
null, it's the correct behavior with current semantics.
|
| | |
|
| |
|
|
|
|
|
| |
The only case where the spnego gss_aquire_cred function can be called
with specific OIDs is if the mechglue calls spenego with the spengo
oid, which we never want to loop on anyway. So always consider it as
null, it's the correct behavior with current semantics.
|
| |
|
|
|
|
| |
This allows us to still use it for type safety in the APIs while at
the same time prevent code from trying to dereference internal_ctx_id
by mistake.
|
| |
|
|
|
|
|
|
|
|
|
| |
Use gssapi calls to construct the oid sets. It is not safe on windows
to use malloc to hand-construct the set and then call gss_release_oid_set()
to clean it up.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7227 (new)
tags: pullup
|
| | |
|
| |
|
|
|
|
|
|
| |
For Unix-like platforms, add %{username} to the path expansion
facility, expanding to the result of getpwuid on the euid.
Also, for manual testing convenience, make t_expand_path print the
result if no second argument is given.
|
