| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
Use PORT_ErrorToName() to let us print an error name instead of an error
code in a couple of debug messages, since in practice we just end up
looking up the code in <secerr.h> anyway.
|
| |
|
|
|
|
|
|
| |
When PKINIT is built with NSS, change how it traverses tokens to match
the way it's done when built using OpenSSL: ignore slot names (we used
to treat the token label as a possible slot label, too), and either only
look at the token with the specified label, or the first token if a no
token label was specified.
|
| |
|
|
|
| |
We already call SEC_PKCS12DecoderFinish() before entering the switch()
statement, so don't call it again.
|
| |
|
|
|
|
|
|
| |
When PKINIT is built with NSS, make the text of prompts that we issue to
the user better match the text we use when we build with OpenSSL: ask
for a pass phrase when we're asking about a hardware token, ask for a
password the rest of the time, and take advantage of translations for
requests for a password.
|
| |
|
|
|
|
|
|
| |
When we're doing certificate matching and we're asked for the list of
SAN values for a certifiate, and it contains none, don't return an
error, as that will eventually cause the module to just return an error.
Instead, just return an empty list of SAN values so that processing will
continue on to check if other certificates match.
|
| |
|
|
|
|
| |
The locking wrapper for audit_as_req used the wrong function
signature, which was harmless but produced a couple of warnings. Fix
it.
|
| |
|
|
|
|
|
|
|
| |
The string "KDB:" has four characters, not three; check for all four
of them.
[ghudson@mit.edu: commit message]
ticket: 7636
|
| |
|
|
| |
ticket: 7635 (new)
|
| |
|
|
| |
ticket: 7634
|
| |
|
|
|
|
|
| |
If we cannot open the LDAP password file or cannot find the bind DN in
it, include the filename and DN in the error message.
ticket: 7632
|
| |
|
|
|
|
| |
The reassembled names used "," as a separator between attributes, when
passed-in values use ":". This was due to the original submitter being
confused - they weren't intended to be different.
|
| |
|
|
|
|
| |
When attempting to clean the files out from our temporary directory,
correct the test which was supposed to let us skip over "." and ".." so
that we actually don't try to remove them with remove().
|
| |
|
|
|
|
| |
The test, as submitted, included a copy/paste error which caused it to
test PKINIT using unencrypted PKCS12 bundles twice, and to not test a
DIR: location containing unencrypted PEM-formatted keys at all.
|
| | |
|
| |
|
|
|
|
|
| |
Remove a reference to eDirectory that persisted after support for
eDirectory was removed. Almost certainly harmless anyway.
[ghudson@mit.edu: also quote $with_ldap]
|
| |
|
|
|
|
|
|
| |
If we cannot find a client key while preparing an AS reply, give
preauth mechanisms a chance to replace the reply key before erroring
out.
ticket: 7630
|
| |
|
|
|
|
|
|
| |
RFC 4120 prohibits empty ETYPE-INFO2 sequences (though not ETYPE-INFO
sequences), and our client errors out if it sees an empty sequence of
either.
ticket: 7630
|
| |
|
|
|
|
|
|
| |
Encrypted timestamp and encrypted challenge cannot succeed if the
client has no long-term key matching the request enctypes, so do not
offer them in that case.
ticket: 7630
|
| |
|
|
|
|
|
|
| |
Add a new have_client_keys callback to the kdcpreauth interface,
allowing modules to efficiently check whether the client DB entry has
any keys matching the request enctypes.
ticket: 7630
|
| |
|
|
|
| |
The mechglue definitions of gssint_get_der_length and friends use
unsigned int for the buffer length, not OM_uint32.
|
| |
|
|
|
|
| |
Reported by Arlene Berry.
ticket: 7629
|
| |
|
|
| |
ticket: 7628
|
| |
|
|
|
|
|
|
| |
On many Linux systems, due to what is arguably a bug in rpcbind, the
portmapper doesn't allow service registration from non-root processes.
This causes the RPC tests to be frequently skipped. Modify the tests
so that they don't need the portmapper, by grabbing the port number
from the server process and passing it to the client.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The AUTH_GSSAPI flavor of rpc authentication uses IP address channel
bindings. These are broken over UDP, because svcudp_recv() fails to
get the destination address of incoming packets (it tries to use the
recvmsg() msg_name field to get the destination IP address, which
instead gets the source address; see ticket #5540).
There is no simple or comprehensive way to fix this; using IP_PKTINFO
is a fair amount of code and only works on some platforms. It's also
not very important--nobody should be using AUTH_GSSAPI except perhaps
for compatibility with really old kadmin, and kadmin only runs over
TCP. Since the gssrpc tests are closely wedded to AUTH_GSSAPI, the
simplest fix is to only run the TCP pass.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The "expired" test in expire.exp tries to authenticate to the server
process with an expired TGT (obtained using kinit -l -1m). Using an
expired TGT to get an expired service cred no longer works after
#6948. We could use kinit -S to get an expired service cred, but
krb5_get_credentials won't return expired service cred from the cache
(even before #6948). We could use time offsets to simulate clock skew
between the client and server process, but that would be difficult
because the test programs don't have access to the krb5_context
objects used by the client or server process. Since we don't have a
simple workaround, disable the test.
|
| |
|
|
| |
ticket: 7620
|
| |
|
|
| |
ticket: 7620
|
| |
|
|
|
| |
Define KDC_DIR in osconf.hin and use it for paths within the KDC
directory.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We want to generate a KRB5_AP_ERR_TKT_EXPIRED code when the TGT is
expired, like we would if we tried the TGT against the KCD. To make
this work, separate the helpers for getting local and crossrealm
cached TGTs. For a crossrealm TGT, match against the endtime, as
there could be multiple entries. For a local TGT, find any match, but
check if it's expired. The cache_code field is no longer needed after
this change, so get rid of it.
ticket: 6948
|
| |
|
|
| |
ticket: 6948
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add tests for non-anonymous PKINIT:
* FILE: with no password
* FILE: with a password
* DIR: with no password
* DIR: with a password
* PKCS12: with no password
* PKCS12: with a password
* PKCS11: with a password, if soft-pkcs11.so is found via ctypes
[ghudson@mit.edu: reformatted to 79 columns; removed intermediate
success() calls]
|
| |
|
|
| |
[ghudson@mit.edu: reformatted to limit lines to 79 columns]
|
| |
|
|
|
|
|
|
| |
If the context's default ccache name is a subsidiary file of a
directory collection, include that single cache in the cursor walk
over the DIR type.
ticket: 7172
|
| |
|
|
|
| |
Mostly, based on
http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xml
|
| |
|
|
|
| |
Replace numeric value '132' by the macro KRB5_PADATA_AS_CHECKSUM
in preauth plugin.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
An RFC 6113 KrbFastReq contains a padata sequence and a KDC-REQ-BODY,
neither of which contain the msg-type field found in a KDC-REQ. So
when we decode the FAST request, the resulting krb5_kdc_req structure
has a msg_type of 0. Copy msg_type from the outer body, since we make
use of it in further KDC processing.
ticket: 7605 (new)
target_version: 1.11.3
tags: pullup
|
| |
|
|
|
|
|
|
|
|
| |
Allow configuration to override the default dh_min_bits of 2048 to
1024. Disallow configuration of dh_min_bits < 1024, but continue to
default to 2048.
ticket: 7602
target_version: 1.11.3
tags: pullup
|
| |
|
|
|
|
|
|
|
|
| |
Change pkinit_check_dh_params() to take two DH* parameters, and only
compare p and g, because q is fully determined by them and might be
missing.
Also refactor some parameter checks into check_dh_wellknown() that
were previously done separately in the pkinit_process_td_dh_params()
and server_check_dh().
|
| |
|
|
|
|
|
|
|
| |
Some implementations don't send the required Q value in dh_params, so
allow it to be absent.
ticket: 7596
target_version: 1.11.3
tags: pullup
|
| | |
|
| |
|
|
|
| |
It's a lot of code, and trace logging should cover most of the cases
where it's useful.
|
| |
|
|
|
|
|
|
|
|
|
| |
Wait ten seconds for a TCP connection to succeed or fail before moving
on. During this wait time, other TCP connections will be serviced if
we already initiated them, but no new TCP connections will be created
and no UDP packets will be retransmitted.
[ghudson@mit.edu: minor adjustments; commit message]
ticket: 7604 (new)
|
| |
|
|
|
|
|
|
|
|
| |
Replace the end_time field of struct select_state with an endtime
argument to cm_select_or_poll, expressed in milliseconds since the
epoch. Add a helper function to get the current time in that format.
Use a millisecond interval argument to service_fds for consistency.
[ghudson@mit.edu: fix overflow issue in get_curtime_ms; service_fds
interval argument change; log message]
|
| |
|
|
|
|
|
|
|
|
|
| |
Since net-server.c now uses libverto, only sendto_kdc.c consumes cm.c.
Move stuff out of cm.c and cm.h into sendto_kdc.c and get rid of them.
Change the sendto_kdc callback (used by chpw.c) to receive the socket
descriptor instead of the entire conn_state structure, and move the
declarations into os-proto.h. struct remote_address also needs to be
in os-proto.h so that trace.c and t_trace.c can use it. k5_curtime
isn't needed since k5-platform.h now guarantees the presence of
gettimeofday().
|
| |
|
|
|
|
|
| |
In struct conn_state, collect together the fields for the remote
address and put them in a substructure. Pass this substructure to
trace logging macros instead of the entire conn_state structure, so
that trace.c doesn't have to know about the whole structure.
|
| |
|
|
| |
Avoid or notice truncations, rather than letting them happen silently.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since krb5 1.3, krb5_get_host_realm (and therefore
krb5_sname_to_principal) has refused hostnames which appear to be
numeric addresses--with the exception of 1.6, which was ignoring
errors from clean_hostname. In specialized environments, it may be
desirable to use IP addresses in service principal names, and there's
no compelling reason for us to get in the way of that.
Move the numeric address check out of k5_clean_hostname into a new
helper function, and simply skip the domain-based mechanisms if it
returns true. Factor out the [domain_realm] search into a second new
helper function to make it easier to skip.
ticket: 7603 (new)
|
| |
|
|
|
| |
Bring this file up to date with current coding style. No functional
changes, except some trace logs were removed.
|
| |
|
|
|
|
|
|
| |
After k5memdup0 was slightly modified in
31124ffb81e8c0935403a9fdc169dead5ecaa777, some older versions of gcc
complain about outpos being possibly used before it is initialized.
This can't actually happen, but we can silence the error and also
simplify how outpos is initialized.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
By a strict reading of the C standard, memcpy and memcmp have
undefined behavior if their pointer arguments aren't valid object
pointers, even if the length argument is 0. Compilers are becoming
more aggressive about breaking code with undefined behavior, so we
should try to avoid it when possible.
In a krb5_data object, we frequently use NULL as the data value when
the length is 0. Accordingly, we should avoid copying from or
comparing the data field of a length-0 krb5_data object. Add checks
to our wrapper functions (like data_eq and k5_memdup) and to code
which works with possibly-empty krb5_data objects. In a few places,
use wrapper functions to simplify the code rather than adding checks.
|
