| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
Add a test using backreferences which don't correspond directly to
principal components, to verify that *N refers to the Nth wildcard and
not the Nth component.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Many libc implementations include notations to the linker to generate
warnings upon references to mktemp(3), due to its potential for
insecure operation. This has been the case for quite some time,
as was noted in RT #6199. Our usage of the function has decreased
with time, but has not yet disappeared entirely. This commit
removes the last few instances from our tree.
kprop's credentials never need to hit the disk, so a MEMORY ccache
is sufficient (and does not need randomization).
store_master_key_list is explicitly putting keys on disk so as to
do an atomic rename of the stash file, but since the stash file
should be in a root-only directory, we can just use a fixed name
for the temporary file. When using this fixed name, we must detect
(and error out) if the temporary file already exists; add a test to
confirm that we do so.
ticket: 1794
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Create a principal with a pair of enctypes using different salt types.
Confirm that the non-default salt type appears only once in the principal's
key list.
Also verify that the afs3 salt type is rejected by non-DES enctypes
The afs3 salt type is for compatibility with AFS-3 kaservers, which
are roughly krb4. As such, it only makes sense for single-DES
enctypes. The PBKDF2 and arcfour enctypes correctly reject the
key-creation parameters from the afs3 salt, but triple-DES currently
does not.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove tests/mkeystash_compat and tests/mk_migr. These are superseded
by t_mkey.py, with two exceptions:
tests/mk_migr included tests for password history across master key
rollovers. Historical keys are encrypted in the kadmin/history key
(which is accessed like any other key), so there isn't a specific need
to test this unless we implement #1221.
tests/mk_migr had provisions for testing master key rollover with the
LDAP KDB module. All master key logic used in the LDAP KDB module is
shared with the DB2 module in lib/kdb, so there is no specific need to
test this combination.
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new script t_mkey.py using the k5test framework. Test the fixes
for #6507, #7685, and #7686 as well as basic functionality and
old-stashfile compatibility.
dump.16 was created by running "kdb5_util create -s -P footes" and
"kdb5_util dump dumpfile" with krb5 1.6. The key from the resulting
stash file was extracted and placed in the struct.pack() call in the
new test script.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A GSS krb5 error response contains a KRB-ERROR message, which is
required to have a server principal name, although few recipients
actually use it. Starting in 1.3, accept_sec_context would fail to
encode the error in the GSS_C_NO_NAME/GSS_C_NO_CREDENTIAL case
(introduced by #1370) because cred->princ (which became
cred->name->princ in 1.8) is unset.
This problem got worse in 1.10 because we stopped setting the server
field in all cases due to the changes for #6855. In 1.11 the problem
got worse again when a misguided change to the mechglue started
discarding output tokens when the mechanism returns an error; the
mechglue should only do so when it itself causes the error.
Fix krb5 gss_accept_sec_context by unconditionally decoding the AP-REQ
and using krb5_rd_req_decoded, and then using the requested ticket
server in the KRB-ERROR message. Fix the mechglue
gss_accept_sec_context by reverting that part of commit
56feee187579905c9101b0cdbdd8c6a850adcfc9. Add a test program which
artificially induces a replay cache failure (the easiest failure we
can produce which has an associated RFC 4120 error code) and checks
that this can be communicated back to the initiator via an error
token.
ticket: 1445
target_version: 1.12
tags: pullup
|
|
|
|
|
|
| |
Some test sources files, objects, or programs were missing from SRCS,
OBJS, all, check-pytests, or clean. t_oid was also out of order in a
couple of places.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
json_to_ccache was incorrectly indexing the JSON array when restoring
a memory ccache. Fix it.
Add test coverage for a multi-cred ccache by exporting/importing the
synthesized S4U2Proxy delegated cred in t_s4u2proxy_krb5.c; move
export_import_cred from t_export_cred.c to common.c to facilitate
this. Make a note in t_export_cred.py that this case is covered in
t_s4u.py.
ticket: 7706
target_version: 1.11.4
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
t_referral.py was written to exercise KDC host referral logic, and did
not actually create the target realm, instead just looking at the
error message from gcred to determine whether the KDC returned a
referral or not. It's only a small amount of additional work to
actually set up the target realm and check that the client code
successfully retrieves the referral, so do that instead.
Since the referral and non-referral outcomes aren't all that similar
any more, split test() into testref() and testfail(). Get rid of the
message argument, since it wouldn't be output in most cases where we
get an unexpected result.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Per project http://k5wiki.kerberos.org/wiki/Projects/Audit
The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.
The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges. This includes client address and port, KDC
request and request ID, KDC reply, primary and derived ticket and their
ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
validated, local policy violation and protocol constraints, and KDC status
message.
Ticket ID is introduced to allow to link tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.
Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.
For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in this implememtations.
The new Audit system is build-time enabled and run-time pluggable.
[kaduk@mit.edu: remove potential KDC crashes, minor reordering]
ticket: 7712
target_version: 1.12
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the keyctl command is found and klist recognizes the KEYRING
credential cache type, then run several tests against keyring ccaches:
the collection test program in lib/krb5/ccache, the command-line
collection tests in tests/t_ccache.py, and some new tests to verify
legacy session cache behavior. Much of the Python code in t_ccache.py
is moved into a new function named "collection_test" so we can run it
once against a DIR collection and once against a KEYRING collection.
Also: fix a memory leak in the collection test program; add a test for
iteration when the default cache name is a subsidiary name; use a
process keyring ccache in t_cc.c to avoid leaving behind empty
collections in the session keyring after each test run.
Adapted from a patch by simo@redhat.com.
ticket: 7711
|
|
|
|
|
| |
Add a utility function in k5test.py to look for a command in the
executable path, and remove it from t_kdb.py.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add gss_get_mic_iov, gss_get_mic_iov_length, and gss_verify_mic_iov
functions, which work similarly to the corresponding IOV wrap
functions. Add a new buffer type GSS_IOV_BUFFER_TYPE_MIC_TOKEN for
the destination buffer.
Most of the internal code for this was already present, and just
needed to be fixed up and adjusted to use the new buffer type for the
MIC token.
ticket: 7705 (new)
|
| |
|
|
|
|
|
|
| |
Add a new test program t_iov.c which tests various combinations of
wrapping and unwrapping using the IOV and AEAD interfaces. Run it
with and without SPNEGO in each enctype configuration.
|
|
|
|
|
|
| |
Add a new helper to common.c which runs gss_init_sec_context and
gss_accept_sec_context in a loop, and use it in test programs instead
of the open-coded one-token or two-token exchanges.
|
|
|
|
|
|
|
|
|
| |
We always allow aliases in the service principal when processing
AS-REQs and TGS-REQs. If the ticket we issued is presented back to us
in a TGS-REQ as a header ticket for renewal or similar, we should
allow aliases when looking up its key to decode the AP-REQ.
ticket: 7699 (new)
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Create a test module for the hostrealm interface, a harness to call
the realm mapping functions and display their results, and a Python
script to exercise the functionality of the interface and each module
(except the dns module, which we cannot easily test since it relies on
TXT records in the public DNS).
ticket: 7687
|
|
|
|
|
|
|
|
| |
Commit 2e956074b228ff4df3b7462037ab69e4e88ffffe omitted adding a
dependency to the "all" target to force the build of the t_enctypes
test program.
ticket: 7688
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The acceptor implementation of gss_krb5_set_allowable_enctypes (added
in 1.9.1) is intended to restrict the acceptor subkey negotiated by
krb5_rd_req(). It uses the same approach as the initiator, calling
krb5_set_default_tgs_enctypes on the context. This has the unwanted
side effect of restricting the encryption key of the ticket, because
krb5_decrypt_tkt_part has checked krb5_is_permitted_enctype on the
ticket encryption key since 1.8.
Instead, use krb5_auth_con_setpermetypes on the auth context. This
list is only used for session key enctype negotiation. Also add
automated tests to verify that gss_krb5_set_allowable_enctypes works
as desired.
ticket: 7688 (new)
target_version: 1.11.4
tags: pullup
|
|
|
|
|
|
|
|
|
| |
When putting together the set of identity prompts for a responder
challenge, if we don't need a PIN or password of some kind, don't ask
an empty question.
[ghudson@mit.edu: squashed commits, modified commit message, merged
PKCS11 test with current Python script]
|
|
|
|
|
|
|
| |
Make the purgekeys RPC allow self-service, like the chpass and chrand
RPCs.
ticket: 7681 (new)
|
|
|
|
|
|
|
|
|
| |
Don't create a bunch of identically configured realms; just reuse the
same one. Remove a redundant assignment from the soft-pkcs11.so
check. Move the pkinit_identity setting from krb5.conf to kdc.conf,
since it's only used by the KDC. Add a test for trying anonymous
PKINIT when it isn't configured. Check for a specific error message
when testing restricted anonymous PKINIT.
|
| |
|
|
|
|
|
|
| |
Before we test authenticated PKINIT, slip in a test to check that
password-based preauthentication still works when the KDC is offering
PKINIT, but the client has no PKINIT credentials.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We now also test that the PKINIT challenge looks like we expect it to
look, that PKINIT fails if we don't provide a response or a prompter
callback, and that PKINIT succeeds with a response provided using either
the raw responder API or the PKINIT responder functions.
One thing that we don't check is which specific error code we get when
PKINIT fails: the OpenSSL and NSS versions return different error codes
(some mixture of EIO, ENOMEM, ENOENT, and KRB5KDC_ERR_PREAUTH_FAILED)
when they encounter trouble loading client credentials.
ticket: 7680
|
|
|
|
| |
ticket: 7680
|
|
|
|
|
|
|
|
|
| |
Add kadmin support for "addprinc -nokey", which creates a principal
with no keys, and "purgekeys -all", which deletes all keys from a
principal. The KDC was modified by #7630 to support principals
without keys.
ticket: 7679 (new)
|
|
|
|
|
|
|
| |
Reorder (and trim) the imports in t_otp.py so that k5test is pulled in
before we try to import pyrad and multiprocessing. Otherwise
success() isn't defined in the case where we decide to skip the entire
test script.
|
|
|
|
|
|
|
|
|
|
| |
This plugin implements the proposal for providing OTP support by
proxying requests to RADIUS. Details can be found inside the
provided documentation as well as on the project page.
http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS
ticket: 7678
|
|
|
|
|
|
| |
ticket: 7670 (new)
tags: pullup
target_version: 1.11.4
|
|
|
|
|
|
|
|
|
|
| |
Create a test module for the pwqual interface, and script to exercise
the built-in and test modules through kadmin.local. Also create a
test harness to display the order of pwqual modules for the current
configuration, and use it to test the plugin module ordering
guarantees.
ticket: 7665
|
|
|
|
|
|
|
|
|
| |
When we are testing maximum renewable lifetimes, the KDC might process
the request at a later time than the request time (typically by no
more than one second). So we need to ask for a ticket lifetime longer
than the maximum renewable lifetime, not equal to it, or we risk
getting a just-barely-renewable ticket instead of a non-renewable one.
Also fix a couple of typos in comments.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Create a new helper to compute the renewable lifetime for AS and TGS
requests. This has some minor behavior differences:
* We only issue a renewable ticket if the renewable lifetime is greater
than the normal ticket lifetime.
* We give RENEWABLE precedence over RENEWABLE-OK in determining the
requested renewable lifetime, instead of sometimes doing the
reverse.
* We use the client's maximum renewable life for TGS requests if we
have looked up its DB entry.
* Instead of rejecting requests for renewable tickets (if the client
or server principal doesn't allow it, or a TGS request's TGT isn't
renewable), issue non-renewable tickets.
ticket: 7661 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the gak_data value used by krb5_get_as_key_password, separate the
already-known password from the storage we might have allocated to put
it in, so that we no longer use an empty data buffer to determine
whether we know the password. This allows empty passwords to work via
the API.
Remove the kadm5 test which explicitly uses an empty password.
Based on a patch from Stef Walter.
ticket: 7642
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Acceptor Names project (#6855) extended krb5_rd_req so that it can
accept a "matching principal" in the server parameter. If the
matching principal has an empty realm, rd_req_decoded_opt attempted to
do transited checking with an empty server realm.
To fix this, always reset server to req->ticket->server for future
processing steps if we decrypt the ticket using a keytab.
decrypt_ticket replaces req->ticket->server with the principal name
from the keytab entry, so we know this name is correct.
Based on a bug report and patch from nalin@redhat.com.
ticket: 7639
target_version: 1.11.3
tags: pullup
|
|
|
|
|
|
|
|
|
| |
Provide default values in pre.in for PROG_LIBPATH, PROG_RPATH,
SHLIB_DIRS, SHLIB_RDIRS, and STOBJLISTS so that they don't have to be
specified in the common case. Rename KRB5_RUN_ENV and KRB5_RUN_VARS
to RUN_SETUP (already the most commonly used name) and RUN_VARS. Make
sure to use DEFINES for local defines (not DEFS). Remove some other
unnecessary makefile content.
|
|
|
|
| |
ticket: 7635 (new)
|
|
|
|
|
|
| |
The test, as submitted, included a copy/paste error which caused it to
test PKINIT using unencrypted PKCS12 bundles twice, and to not test a
DIR: location containing unencrypted PEM-formatted keys at all.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add tests for non-anonymous PKINIT:
* FILE: with no password
* FILE: with a password
* DIR: with no password
* DIR: with a password
* PKCS12: with no password
* PKCS12: with a password
* PKCS11: with a password, if soft-pkcs11.so is found via ctypes
[ghudson@mit.edu: reformatted to 79 columns; removed intermediate
success() calls]
|
|
|
|
| |
[ghudson@mit.edu: reformatted to limit lines to 79 columns]
|
|
|
|
|
| |
Correctly check whether the next argument is NULL in the while loop
which parses store elements.
|
|
|
|
|
|
|
|
| |
Modify t_credstore.c to be more flexible and adjust t_gssapi.py
accordingly. Add a test to t_client_keytab.py which acquire creds
using a programmatically specified client keytab.
ticket: 7598
|
| |
|