| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Call krb5_get_default_realm instead of directly accessing
context->default_realm, to remove the requirement that
krb5_get_default_realm or krb5_set_default_realm be used before
krb5_db_open.
|
|
|
|
|
|
|
|
|
|
|
|
| |
In t_spnego.c, add code to make a SPNEGO request with the erroneous
Microsoft OID value and examine the response to make sure that it uses
the same OID value as the request did. The token and tmp variables
were unused, so rename them to itok and atok for the purpose of the
new test code.
ticket: 7858
target_version: 1.12.2
tags: pullup
|
|
|
|
|
| |
Add a test program which compares gss_pseudo_random outputs against
expected values for each enctype.
|
| |
|
|
|
|
| |
ticket: 884
|
|
|
|
|
|
|
|
|
|
|
| |
Send encodings that are invalid KDC-REQs, but pass krb5_is_as_req()
and krb5_is_tgs_req(), to make sure that the KDC recovers correctly
from failures in decode_krb5_as_req() and decode_krb5_tgs_req(). Also
send an encoding that isn't a valid KDC-REQ.
ticket: 7811 (new)
target_version: 1.12.1
tags: pullup
|
|
|
|
|
|
|
|
|
| |
keyctl purge was added in keyutils 1.5 (released in March 2011). Use
keyctl unlink to clean up keys instead, as it is more universal.
ticket: 7810
target_version: 1.12.1
tags: pullup
|
|
|
|
|
|
|
|
|
|
| |
Add an adapted version of extended_com_err_fn from kinit to klist and
use it. In do_ccache(), rely on the ccache type to set a reasonable
message if krb5_cc_set_flags() or krb5_cc_get_principal() fails due to
a nonexistent or unreadable ccache, and don't confuse the user with
the name of the ccache operation that failed.
ticket: 7809
|
|
|
|
|
|
|
| |
Now that #7045 is fixed, we can check for the correct error message
from t_s4u2proxy_krb5 with --spnego.
ticket: 7045
|
|
|
|
|
| |
A few test programs didn't make it into .gitignore, OBJS, or
EXTRADEPSRCS.
|
| |
|
| |
|
|
|
|
|
|
| |
Add a test using backreferences which don't correspond directly to
principal components, to verify that *N refers to the Nth wildcard and
not the Nth component.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Many libc implementations include notations to the linker to generate
warnings upon references to mktemp(3), due to its potential for
insecure operation. This has been the case for quite some time,
as was noted in RT #6199. Our usage of the function has decreased
with time, but has not yet disappeared entirely. This commit
removes the last few instances from our tree.
kprop's credentials never need to hit the disk, so a MEMORY ccache
is sufficient (and does not need randomization).
store_master_key_list is explicitly putting keys on disk so as to
do an atomic rename of the stash file, but since the stash file
should be in a root-only directory, we can just use a fixed name
for the temporary file. When using this fixed name, we must detect
(and error out) if the temporary file already exists; add a test to
confirm that we do so.
ticket: 1794
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Create a principal with a pair of enctypes using different salt types.
Confirm that the non-default salt type appears only once in the principal's
key list.
Also verify that the afs3 salt type is rejected by non-DES enctypes
The afs3 salt type is for compatibility with AFS-3 kaservers, which
are roughly krb4. As such, it only makes sense for single-DES
enctypes. The PBKDF2 and arcfour enctypes correctly reject the
key-creation parameters from the afs3 salt, but triple-DES currently
does not.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove tests/mkeystash_compat and tests/mk_migr. These are superseded
by t_mkey.py, with two exceptions:
tests/mk_migr included tests for password history across master key
rollovers. Historical keys are encrypted in the kadmin/history key
(which is accessed like any other key), so there isn't a specific need
to test this unless we implement #1221.
tests/mk_migr had provisions for testing master key rollover with the
LDAP KDB module. All master key logic used in the LDAP KDB module is
shared with the DB2 module in lib/kdb, so there is no specific need to
test this combination.
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new script t_mkey.py using the k5test framework. Test the fixes
for #6507, #7685, and #7686 as well as basic functionality and
old-stashfile compatibility.
dump.16 was created by running "kdb5_util create -s -P footes" and
"kdb5_util dump dumpfile" with krb5 1.6. The key from the resulting
stash file was extracted and placed in the struct.pack() call in the
new test script.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A GSS krb5 error response contains a KRB-ERROR message, which is
required to have a server principal name, although few recipients
actually use it. Starting in 1.3, accept_sec_context would fail to
encode the error in the GSS_C_NO_NAME/GSS_C_NO_CREDENTIAL case
(introduced by #1370) because cred->princ (which became
cred->name->princ in 1.8) is unset.
This problem got worse in 1.10 because we stopped setting the server
field in all cases due to the changes for #6855. In 1.11 the problem
got worse again when a misguided change to the mechglue started
discarding output tokens when the mechanism returns an error; the
mechglue should only do so when it itself causes the error.
Fix krb5 gss_accept_sec_context by unconditionally decoding the AP-REQ
and using krb5_rd_req_decoded, and then using the requested ticket
server in the KRB-ERROR message. Fix the mechglue
gss_accept_sec_context by reverting that part of commit
56feee187579905c9101b0cdbdd8c6a850adcfc9. Add a test program which
artificially induces a replay cache failure (the easiest failure we
can produce which has an associated RFC 4120 error code) and checks
that this can be communicated back to the initiator via an error
token.
ticket: 1445
target_version: 1.12
tags: pullup
|
|
|
|
|
|
| |
Some test sources files, objects, or programs were missing from SRCS,
OBJS, all, check-pytests, or clean. t_oid was also out of order in a
couple of places.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
json_to_ccache was incorrectly indexing the JSON array when restoring
a memory ccache. Fix it.
Add test coverage for a multi-cred ccache by exporting/importing the
synthesized S4U2Proxy delegated cred in t_s4u2proxy_krb5.c; move
export_import_cred from t_export_cred.c to common.c to facilitate
this. Make a note in t_export_cred.py that this case is covered in
t_s4u.py.
ticket: 7706
target_version: 1.11.4
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
t_referral.py was written to exercise KDC host referral logic, and did
not actually create the target realm, instead just looking at the
error message from gcred to determine whether the KDC returned a
referral or not. It's only a small amount of additional work to
actually set up the target realm and check that the client code
successfully retrieves the referral, so do that instead.
Since the referral and non-referral outcomes aren't all that similar
any more, split test() into testref() and testfail(). Get rid of the
message argument, since it wouldn't be output in most cases where we
get an unexpected result.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Per project http://k5wiki.kerberos.org/wiki/Projects/Audit
The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.
The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges. This includes client address and port, KDC
request and request ID, KDC reply, primary and derived ticket and their
ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
validated, local policy violation and protocol constraints, and KDC status
message.
Ticket ID is introduced to allow to link tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.
Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.
For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in this implememtations.
The new Audit system is build-time enabled and run-time pluggable.
[kaduk@mit.edu: remove potential KDC crashes, minor reordering]
ticket: 7712
target_version: 1.12
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the keyctl command is found and klist recognizes the KEYRING
credential cache type, then run several tests against keyring ccaches:
the collection test program in lib/krb5/ccache, the command-line
collection tests in tests/t_ccache.py, and some new tests to verify
legacy session cache behavior. Much of the Python code in t_ccache.py
is moved into a new function named "collection_test" so we can run it
once against a DIR collection and once against a KEYRING collection.
Also: fix a memory leak in the collection test program; add a test for
iteration when the default cache name is a subsidiary name; use a
process keyring ccache in t_cc.c to avoid leaving behind empty
collections in the session keyring after each test run.
Adapted from a patch by simo@redhat.com.
ticket: 7711
|
|
|
|
|
| |
Add a utility function in k5test.py to look for a command in the
executable path, and remove it from t_kdb.py.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add gss_get_mic_iov, gss_get_mic_iov_length, and gss_verify_mic_iov
functions, which work similarly to the corresponding IOV wrap
functions. Add a new buffer type GSS_IOV_BUFFER_TYPE_MIC_TOKEN for
the destination buffer.
Most of the internal code for this was already present, and just
needed to be fixed up and adjusted to use the new buffer type for the
MIC token.
ticket: 7705 (new)
|
| |
|
|
|
|
|
|
| |
Add a new test program t_iov.c which tests various combinations of
wrapping and unwrapping using the IOV and AEAD interfaces. Run it
with and without SPNEGO in each enctype configuration.
|
|
|
|
|
|
| |
Add a new helper to common.c which runs gss_init_sec_context and
gss_accept_sec_context in a loop, and use it in test programs instead
of the open-coded one-token or two-token exchanges.
|
|
|
|
|
|
|
|
|
| |
We always allow aliases in the service principal when processing
AS-REQs and TGS-REQs. If the ticket we issued is presented back to us
in a TGS-REQ as a header ticket for renewal or similar, we should
allow aliases when looking up its key to decode the AP-REQ.
ticket: 7699 (new)
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Create a test module for the hostrealm interface, a harness to call
the realm mapping functions and display their results, and a Python
script to exercise the functionality of the interface and each module
(except the dns module, which we cannot easily test since it relies on
TXT records in the public DNS).
ticket: 7687
|
|
|
|
|
|
|
|
| |
Commit 2e956074b228ff4df3b7462037ab69e4e88ffffe omitted adding a
dependency to the "all" target to force the build of the t_enctypes
test program.
ticket: 7688
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The acceptor implementation of gss_krb5_set_allowable_enctypes (added
in 1.9.1) is intended to restrict the acceptor subkey negotiated by
krb5_rd_req(). It uses the same approach as the initiator, calling
krb5_set_default_tgs_enctypes on the context. This has the unwanted
side effect of restricting the encryption key of the ticket, because
krb5_decrypt_tkt_part has checked krb5_is_permitted_enctype on the
ticket encryption key since 1.8.
Instead, use krb5_auth_con_setpermetypes on the auth context. This
list is only used for session key enctype negotiation. Also add
automated tests to verify that gss_krb5_set_allowable_enctypes works
as desired.
ticket: 7688 (new)
target_version: 1.11.4
tags: pullup
|
|
|
|
|
|
|
|
|
| |
When putting together the set of identity prompts for a responder
challenge, if we don't need a PIN or password of some kind, don't ask
an empty question.
[ghudson@mit.edu: squashed commits, modified commit message, merged
PKCS11 test with current Python script]
|
|
|
|
|
|
|
| |
Make the purgekeys RPC allow self-service, like the chpass and chrand
RPCs.
ticket: 7681 (new)
|
|
|
|
|
|
|
|
|
| |
Don't create a bunch of identically configured realms; just reuse the
same one. Remove a redundant assignment from the soft-pkcs11.so
check. Move the pkinit_identity setting from krb5.conf to kdc.conf,
since it's only used by the KDC. Add a test for trying anonymous
PKINIT when it isn't configured. Check for a specific error message
when testing restricted anonymous PKINIT.
|
| |
|
|
|
|
|
|
| |
Before we test authenticated PKINIT, slip in a test to check that
password-based preauthentication still works when the KDC is offering
PKINIT, but the client has no PKINIT credentials.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We now also test that the PKINIT challenge looks like we expect it to
look, that PKINIT fails if we don't provide a response or a prompter
callback, and that PKINIT succeeds with a response provided using either
the raw responder API or the PKINIT responder functions.
One thing that we don't check is which specific error code we get when
PKINIT fails: the OpenSSL and NSS versions return different error codes
(some mixture of EIO, ENOMEM, ENOENT, and KRB5KDC_ERR_PREAUTH_FAILED)
when they encounter trouble loading client credentials.
ticket: 7680
|
|
|
|
| |
ticket: 7680
|
|
|
|
|
|
|
|
|
| |
Add kadmin support for "addprinc -nokey", which creates a principal
with no keys, and "purgekeys -all", which deletes all keys from a
principal. The KDC was modified by #7630 to support principals
without keys.
ticket: 7679 (new)
|
|
|
|
|
|
|
| |
Reorder (and trim) the imports in t_otp.py so that k5test is pulled in
before we try to import pyrad and multiprocessing. Otherwise
success() isn't defined in the case where we decide to skip the entire
test script.
|
|
|
|
|
|
|
|
|
|
| |
This plugin implements the proposal for providing OTP support by
proxying requests to RADIUS. Details can be found inside the
provided documentation as well as on the project page.
http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS
ticket: 7678
|
|
|
|
|
|
| |
ticket: 7670 (new)
tags: pullup
target_version: 1.11.4
|
|
|
|
|
|
|
|
|
|
| |
Create a test module for the pwqual interface, and script to exercise
the built-in and test modules through kadmin.local. Also create a
test harness to display the order of pwqual modules for the current
configuration, and use it to test the plugin module ordering
guarantees.
ticket: 7665
|
|
|
|
|
|
|
|
|
| |
When we are testing maximum renewable lifetimes, the KDC might process
the request at a later time than the request time (typically by no
more than one second). So we need to ask for a ticket lifetime longer
than the maximum renewable lifetime, not equal to it, or we risk
getting a just-barely-renewable ticket instead of a non-renewable one.
Also fix a couple of typos in comments.
|
| |
|