krb5.git/src/lib/gssapi, branch keyring MIT Kerberos patches Clean up the code to eliminate some clang warnings 2013-11-04T18:51:17+00:00 Ben Kaduk kaduk@mit.edu 2013-10-30T18:51:12+00:00 3a8eaa43045fb242739ad9729bb66f915be209b9 In ure.c, though k is a short, the literal 1 is of type 'int', and so the operation 'k + 1' is performed at the (32-bit) width of int, and therefore the "%d" format string is correct. In accept_sec_context.c, the 'length' field of krb5_data is an unsigned type, so checking for a negative value has no effect. In net-server.c, the helper routine rtm_type_name() is only used in code that is disabled with #if 0 conditionals; make the definition also disabled in the same way to avoid warnings of an unused function. In kdc_authdata.c, equality checks in double parentheses elicit a warning from clang. The double-parentheses idiom is normally used to indicate that an assignment is being performed, but the value of the assignment is also to be used as the value for the conditional. Since assignment and equality checking differ only by a single character, clang considers this worthy of a warning. Since the extra set of parentheses is redundant and against style, it is correct to remove them. In several places (sim_server.c, dump.c, kdb5_destroy.c, ovsec_kadmd.c), there are declarations of extern variables relating to getopt() functionality that are now unused in the code. Remove these unused variables. 
In ure.c, though k is a short, the literal 1 is of type 'int', and
so the operation 'k + 1' is performed at the (32-bit) width of int,
and therefore the "%d" format string is correct.

In accept_sec_context.c, the 'length' field of krb5_data is an
unsigned type, so checking for a negative value has no effect.

In net-server.c, the helper routine rtm_type_name() is only used
in code that is disabled with #if 0 conditionals; make the
definition also disabled in the same way to avoid warnings of an
unused function.

In kdc_authdata.c, equality checks in double parentheses elicit
a warning from clang.  The double-parentheses idiom is normally used
to indicate that an assignment is being performed, but the value of
the assignment is also to be used as the value for the conditional.
Since assignment and equality checking differ only by a single
character, clang considers this worthy of a warning.  Since the extra
set of parentheses is redundant and against style, it is correct to
remove them.

In several places (sim_server.c, dump.c, kdb5_destroy.c,
ovsec_kadmd.c), there are declarations of extern variables relating
to getopt() functionality that are now unused in the code.  Remove
these unused variables.
Fix gss_accept_sec_context error tokens 2013-10-15T03:52:52+00:00 Greg Hudson ghudson@mit.edu 2013-10-08T21:07:34+00:00 c547bc16f2ab6ee66c076ef944c3fbac8a66f5d4 A GSS krb5 error response contains a KRB-ERROR message, which is required to have a server principal name, although few recipients actually use it. Starting in 1.3, accept_sec_context would fail to encode the error in the GSS_C_NO_NAME/GSS_C_NO_CREDENTIAL case (introduced by #1370) because cred->princ (which became cred->name->princ in 1.8) is unset. This problem got worse in 1.10 because we stopped setting the server field in all cases due to the changes for #6855. In 1.11 the problem got worse again when a misguided change to the mechglue started discarding output tokens when the mechanism returns an error; the mechglue should only do so when it itself causes the error. Fix krb5 gss_accept_sec_context by unconditionally decoding the AP-REQ and using krb5_rd_req_decoded, and then using the requested ticket server in the KRB-ERROR message. Fix the mechglue gss_accept_sec_context by reverting that part of commit 56feee187579905c9101b0cdbdd8c6a850adcfc9. Add a test program which artificially induces a replay cache failure (the easiest failure we can produce which has an associated RFC 4120 error code) and checks that this can be communicated back to the initiator via an error token. ticket: 1445 target_version: 1.12 tags: pullup 
A GSS krb5 error response contains a KRB-ERROR message, which is
required to have a server principal name, although few recipients
actually use it.  Starting in 1.3, accept_sec_context would fail to
encode the error in the GSS_C_NO_NAME/GSS_C_NO_CREDENTIAL case
(introduced by #1370) because cred->princ (which became
cred->name->princ in 1.8) is unset.

This problem got worse in 1.10 because we stopped setting the server
field in all cases due to the changes for #6855.  In 1.11 the problem
got worse again when a misguided change to the mechglue started
discarding output tokens when the mechanism returns an error; the
mechglue should only do so when it itself causes the error.

Fix krb5 gss_accept_sec_context by unconditionally decoding the AP-REQ
and using krb5_rd_req_decoded, and then using the requested ticket
server in the KRB-ERROR message.  Fix the mechglue
gss_accept_sec_context by reverting that part of commit
56feee187579905c9101b0cdbdd8c6a850adcfc9.  Add a test program which
artificially induces a replay cache failure (the easiest failure we
can produce which has an associated RFC 4120 error code) and checks
that this can be communicated back to the initiator via an error
token.

ticket: 1445
target_version: 1.12
tags: pullup
Fix GSSAPI krb5 cred ccache import 2013-10-15T03:32:05+00:00 Greg Hudson ghudson@mit.edu 2013-10-07T13:51:56+00:00 48dd01f29b893a958a64dcf6eb0b734e8463425b json_to_ccache was incorrectly indexing the JSON array when restoring a memory ccache. Fix it. Add test coverage for a multi-cred ccache by exporting/importing the synthesized S4U2Proxy delegated cred in t_s4u2proxy_krb5.c; move export_import_cred from t_export_cred.c to common.c to facilitate this. Make a note in t_export_cred.py that this case is covered in t_s4u.py. ticket: 7706 target_version: 1.11.4 
json_to_ccache was incorrectly indexing the JSON array when restoring
a memory ccache.  Fix it.

Add test coverage for a multi-cred ccache by exporting/importing the
synthesized S4U2Proxy delegated cred in t_s4u2proxy_krb5.c; move
export_import_cred from t_export_cred.c to common.c to facilitate
this.  Make a note in t_export_cred.py that this case is covered in
t_s4u.py.

ticket: 7706
target_version: 1.11.4
Use constant-time comparisons for checksums 2013-10-03T19:26:00+00:00 Greg Hudson ghudson@mit.edu 2013-10-02T21:58:06+00:00 07d68eec2788bfe80686608813f644838707c168 






Err codes in KRB_ERROR protocol messages are < 128
2013-09-23T16:06:47+00:00

Zhanna Tsitkov
tsitkova@mit.edu

2013-09-19T17:11:15+00:00

58ea3bdbfe6330225a2d58dfb00ccf1ad70617fe

If the error code is out of [0,127] range, assign it to KRB_ERR_GENERIC.
This fix is to correct the previous behavior with [0,128] range.
For more information see  krb5_err.et





If the error code is out of [0,127] range, assign it to KRB_ERR_GENERIC.
This fix is to correct the previous behavior with [0,128] range.
For more information see  krb5_err.et







Add GSSAPI IOV MIC functions
2013-09-18T22:22:16+00:00

Greg Hudson
ghudson@mit.edu

2013-09-08T01:13:48+00:00

d750ef3130b76dd079e863ed395eb3620a37386b

Add gss_get_mic_iov, gss_get_mic_iov_length, and gss_verify_mic_iov
functions, which work similarly to the corresponding IOV wrap
functions.  Add a new buffer type GSS_IOV_BUFFER_TYPE_MIC_TOKEN for
the destination buffer.

Most of the internal code for this was already present, and just
needed to be fixed up and adjusted to use the new buffer type for the
MIC token.

ticket: 7705 (new)





Add gss_get_mic_iov, gss_get_mic_iov_length, and gss_verify_mic_iov
functions, which work similarly to the corresponding IOV wrap
functions.  Add a new buffer type GSS_IOV_BUFFER_TYPE_MIC_TOKEN for
the destination buffer.

Most of the internal code for this was already present, and just
needed to be fixed up and adjusted to use the new buffer type for the
MIC token.

ticket: 7705 (new)







Get rid of G_VFY_TOKEN_HDR_IGNORE_SEQ_SIZE
2013-09-08T18:18:26+00:00

Greg Hudson
ghudson@mit.edu

2013-09-08T18:10:37+00:00

daf42938a262c3a88164b07972f2a2e6e8552620

This flag was introduced in the mskrb-integ merge but is not actually
used after r21742--while kg_unseal_iov_token sets it in vfyflags for
DCE-style contexts, it doesn't actually pass vfyflags to
g_verify_token_header or otherwise use it.  Moreover, the flag is not
necessary there; we correctly set input_length to the header length
(without data, padding, or trailer) for v1 tokens in a DCE-style
context.





This flag was introduced in the mskrb-integ merge but is not actually
used after r21742--while kg_unseal_iov_token sets it in vfyflags for
DCE-style contexts, it doesn't actually pass vfyflags to
g_verify_token_header or otherwise use it.  Moreover, the flag is not
necessary there; we correctly set input_length to the header length
(without data, padding, or trailer) for v1 tokens in a DCE-style
context.







Fix gss_krb5_set_allowable_enctypes for acceptor
2013-08-12T15:48:30+00:00

Greg Hudson
ghudson@mit.edu

2013-08-06T03:47:52+00:00

2e956074b228ff4df3b7462037ab69e4e88ffffe

The acceptor implementation of gss_krb5_set_allowable_enctypes (added
in 1.9.1) is intended to restrict the acceptor subkey negotiated by
krb5_rd_req().  It uses the same approach as the initiator, calling
krb5_set_default_tgs_enctypes on the context.  This has the unwanted
side effect of restricting the encryption key of the ticket, because
krb5_decrypt_tkt_part has checked krb5_is_permitted_enctype on the
ticket encryption key since 1.8.

Instead, use krb5_auth_con_setpermetypes on the auth context.  This
list is only used for session key enctype negotiation.  Also add
automated tests to verify that gss_krb5_set_allowable_enctypes works
as desired.

ticket: 7688 (new)
target_version: 1.11.4
tags: pullup





The acceptor implementation of gss_krb5_set_allowable_enctypes (added
in 1.9.1) is intended to restrict the acceptor subkey negotiated by
krb5_rd_req().  It uses the same approach as the initiator, calling
krb5_set_default_tgs_enctypes on the context.  This has the unwanted
side effect of restricting the encryption key of the ticket, because
krb5_decrypt_tkt_part has checked krb5_is_permitted_enctype on the
ticket encryption key since 1.8.

Instead, use krb5_auth_con_setpermetypes on the auth context.  This
list is only used for session key enctype negotiation.  Also add
automated tests to verify that gss_krb5_set_allowable_enctypes works
as desired.

ticket: 7688 (new)
target_version: 1.11.4
tags: pullup







Load import/export cred functions from GSS modules
2013-07-21T06:24:11+00:00

Simo Sorce
simo@redhat.com

2013-07-20T17:20:43+00:00

744d6f873393b6bbd12e1c1884738676a089fa65

When the import/export credential feature was implement the related
functions were added to struct gss_config, but the initialization
function that dynamically loads modules was not changed to see if
the plugin being loaded provided such functions.

This will allow non-builtin mechanism and interposer mechanism to
implement custom import/export credential extensions if they wish.

ticket: 7682





When the import/export credential feature was implement the related
functions were added to struct gss_config, but the initialization
function that dynamically loads modules was not changed to see if
the plugin being loaded provided such functions.

This will allow non-builtin mechanism and interposer mechanism to
implement custom import/export credential extensions if they wish.

ticket: 7682







Load cred store functions from GSS modules
2013-07-21T06:24:00+00:00

Simo Sorce
simo@redhat.com

2013-07-20T17:19:19+00:00

ee53a887bead08ec1354de3e74659da537f87515

When the credential store feature was implement the related functions
were added to struct gss_config, but the initialization function that
dynamically loads modules was not changed to see if the plugin being
loaded provided such functions.

This will allow non-builtin mechanism and interposer mechanism to
implement custom credential store extensions if they wish.

ticket: 7682





When the credential store feature was implement the related functions
were added to struct gss_config, but the initialization function that
dynamically loads modules was not changed to see if the plugin being
loaded provided such functions.

This will allow non-builtin mechanism and interposer mechanism to
implement custom credential store extensions if they wish.

ticket: 7682