| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Augment the KEYRING ccache type to support collection semantics
similar to those of the DIR type. For keyrings with no anchor prefix,
maintain compatibility with old code by linking the initial primary
cache directly from the session keyring and naming it after the
collection.
See http://k5wiki.kerberos.org/wiki/Projects/Keyring_collection_cache
for more information. Adapted from a patch by simo@redhat.com.
ticket: 7711 (new)
|
| |
|
|
|
|
|
|
|
|
| |
Consistently use "cache_name" and "cache_id" to talk about the name
and ID of the keyring containing the cache. In krb5_krcc_resolve, use
"residual" for the residual string as we are no longer using it for
the cache keyring name, and use "anchor_id" for the keyring identified
by the prefix to make it clear that it is not the cache keyring.
Adapted from a patch by simo@redhat.com.
|
| |
|
|
|
|
|
|
|
|
| |
If we resolve a KEYRING cache and the key does not exist, wait until
initialize time to create it, to avoid wasting precious kernel memory
on a cache which might not ever be created. Properly error out if
store_cred or start_seq_get is called on an uninitialized cache, as we
would for a FILE cache.
Adapted from a patch by simo@redhat.com.
|
| |
|
|
|
| |
Add a utility function in k5test.py to look for a command in the
executable path, and remove it from t_kdb.py.
|
| |
|
|
|
|
|
|
|
|
| |
If kinit chooses a client principal based on anything other than the
current default ccache's principal name, apply collection rules if
possible. When applying collection rules, if we don't find an
existing cache for the client principal, use the default cache if it
is uninitialized, instead of creating a new one.
ticket: 7689
|
| |
|
|
|
|
|
|
|
| |
In kdc_check_transited_list, consult the KDB module first. If it
succeeds, treat this as authoritative and do not use the core
transited mechanisms. Modules can return KRB5_PLUGIN_NO_HANDLE to
fall back to core mechanisms.
ticket: 7709
|
| |
|
|
|
|
| |
Create a new test program in lib/krb5/ccache named t_cccol.c which
verifies collection semantics using the API. Run it with an empty DIR
collection in t_cccol.py.
|
| |
|
|
|
| |
Make krb5int_random_string() function available outside ccache code.
Move it into a separate file under lib/krb5/krb hierarchy.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Take one step toward re-factoring of the KDC code:
keep the service principal related code in one place.
The code pattern was changed from:
- unparse client -
- unparse service -
- db_get_ client -
- client referrals -
- db_get_ service -
- validate policies etc
into:
- unparse client -
- db_get_ client -
- client referrals -
- unparse service -
- db_get_ service -
- validate policies etc
|
| |
|
|
|
|
| |
If the error code is out of [0,127] range, assign it to KRB_ERR_GENERIC.
This fix is to correct the previous behavior with [0,128] range.
For more information see krb5_err.et
|
| |
|
|
|
|
| |
Some literal blocks in the new AEAD and IOV documentation in
gssapi.rst started with ":" instead of "::", causing documentation
build errors.
|
| |
|
|
| |
Avoid using "magic numbers" for better maintainability.
|
| |
|
|
| |
Release 1.9.5 was the last planned release for the krb5-1.9 series.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add gss_get_mic_iov, gss_get_mic_iov_length, and gss_verify_mic_iov
functions, which work similarly to the corresponding IOV wrap
functions. Add a new buffer type GSS_IOV_BUFFER_TYPE_MIC_TOKEN for
the destination buffer.
Most of the internal code for this was already present, and just
needed to be fixed up and adjusted to use the new buffer type for the
MIC token.
ticket: 7705 (new)
|
| |
|
|
| |
Some text mistakenly referred to password quality plugin.
|
| |
|
|
|
|
|
|
|
|
| |
This flag was introduced in the mskrb-integ merge but is not actually
used after r21742--while kg_unseal_iov_token sets it in vfyflags for
DCE-style contexts, it doesn't actually pass vfyflags to
g_verify_token_header or otherwise use it. Moreover, the flag is not
necessary there; we correctly set input_length to the header length
(without data, padding, or trailer) for v1 tokens in a DCE-style
context.
|
| | |
|
| |
|
|
|
|
| |
Add a new test program t_iov.c which tests various combinations of
wrapping and unwrapping using the IOV and AEAD interfaces. Run it
with and without SPNEGO in each enctype configuration.
|
| |
|
|
|
|
| |
Add a new helper to common.c which runs gss_init_sec_context and
gss_accept_sec_context in a loop, and use it in test programs instead
of the open-coded one-token or two-token exchanges.
|
| |
|
|
|
|
|
|
| |
If dns_canonicalize_hostname is set to false in [libdefaults],
krb5_sname_to_principal will not canonicalize the hostname using
either forward or reverse lookups.
ticket: 7703 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is no longer necessary to modify request->server when we receive a
referral. The uses of request->server break down as follows:
* Matching against previously issued tickets (e.g. for renewals). We
now explicitly disallow referrals for requests where we need to do
that.
* Using only the realm (e.g. for transited checking). Referrals are
cross-realm TGS entries within the same realm as the requested
server principal, so this does not change.
* Comparing to a local TGS principal (for restrict_anonymous_to_tgt
enforcement). Local TGS principals are not treated as referrals, so
the sense of this comparison will not change if we use the original
request.
* Setting the sname and realm fields of a KRB-ERROR response. RFC
4120 and 6806 do not specify what we should put here for referrals
or aliases and we are not aware of any uses of this field by
clients, so putting the requested server principal here should be
okay.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For ticket modification requests (such as renewals), u2u requests, and
S4U2Self requests, the requested server principal is expected to match
a previously issued ticket. If that principal no longer exists, we
must fail the request; we cannot issue a referral. We are currently
doing that by rewriting request->server to the referral principal,
which causes the match against the ticket to fail. Since we would
like to stop modifying the request, we must explicitly prevent
referrals in these cases.
We don't find out whether a request is S4U2Self until after we've
looked up the server principal, so for now we have to make a
retroactive check for a referral after calling
kdc_process_s4u2self_req.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In do_tgs_req(), treat the search_sprinc() result as a referral only
if it is a cross-TGS principal and it doesn't match the requested
server principal. This change fixes two corner cases: (1) when a
client requests a cross-realm TGT, we won't squash the name type in
the response; and (2) if we are serving multiple realms out of the
same KDB, we will properly handle aliases to any local-realm TGT, not
just the one for the configured realm name.
ticket: 7555
|
| |
|
|
|
|
|
|
|
| |
The FAST option bits 0-15 are intended to be critical--if they are
present and a KDC does not support them, the KDC is supposed to fail
the request. Because of an incorrect constant, we were erroneously
recognizing bits 24-31 as critical. Fix the constant.
ticket: 7701 (new)
|
| |
|
|
|
|
|
|
| |
In the KDC, if we see the hide-client-names option, identify the
client as the anonymous principal in KDC-REP and KRB-ERROR responses.
The actual client name is present in encrypted FAST elements.
ticket: 7700 (new)
|
| |
|
|
|
|
|
|
|
| |
We always allow aliases in the service principal when processing
AS-REQs and TGS-REQs. If the ticket we issued is presented back to us
in a TGS-REQ as a header ticket for renewal or similar, we should
allow aliases when looking up its key to decode the AP-REQ.
ticket: 7699 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a client makes a TGS request for a cross-realm TGS within a
different realm from the one we normally serve (e.g. the KDC realm is
X, and a client makes a TGS request for the server krbtgt/Y@Z), look
for alternate TGS principals within the requested server realm, not
the realm we normally serve.
This change shouldn't break any working well-formed TGS requests,
because changing the realm would trigger a failure in check_tgs_tgt.
It may fix some corner cases when multiple realms are served out of
the same KDB. But primarily, this change makes referrals and aliases
easier to reason about, by eliminating a case where server->princ has
a different realm from request->server after the call to
search_sprinc().
|
| | |
|
| |
|
|
|
|
|
|
|
| |
If we look up a principal and in the KDB and get back the local TGS
principal, the KDC should treat this as an alias, not a referral, and
should therefore issue a ticket for the requested principal rather the
canonical name.
ticket: 7698
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a client requests a service ticket for the alias of a service
principal, RFC 6806 section 6 requires that the KDC issue a ticket
which appears to be for the alias and not for the canonical name.
After calling search_sprinc(), only replace request->server with
server->princ if the latter is a TGT; this will be the case for an
alternate cross-realm TGT or a host referral, but not for a simple
service alias.
ticket: 7698
target_version: 1.11.4
tags: pullup
|
| |
|
|
|
|
| |
Get rid of "flags" bitfields and just use boolean values, to make the
internal contracts for dump and load functions more precise. Rename
"add_update" to "iprop_load" and reverse its sense.
|
| |
|
|
|
|
|
|
| |
If we are doing a full load, do not touch the ulog header until after
we promote the temporary DB to live. This avoids the same bugs as the
#7588 fix, but more robustly. Based on a patch from Richard Basch.
ticket: 7695
|
| |
|
|
|
|
|
|
|
|
| |
The no_auth_data_required bit was introduced to suppress PACs in
service tickets when the back end supports them. Make it also
suppress AD-SIGNEDPATH, so that the ~70-byte expansion of the ticket
can be avoided for services which aren't going to do constrained
delegation.
ticket: 7697 (new)
|
| |
|
|
|
|
|
|
|
|
| |
This code can be simplified (and a potential race avoided) by using
keyctl_read_alloc() and letting it allocate the necessary memory.
This also allows to remove a helper function that is not used anymore
as well as make the code more readable. The only penalty is that we
have two allocations instad of one.
[ghudson@mit.edu: trivial simplifications]
|
| |
|
|
|
|
|
|
|
| |
numkeys is never really used in the single cache data structure.
Every time a new iteration is started, numkeys is recalculated anyway,
and then only the copy held in the cursor is used. Remove it from the
cache data and keep it only in the cursor.
[ghudson@mit.edu: clarified commit message]
|
| |
|
|
|
|
|
| |
This feature was intended to be used by gssd to access users' keyring
credentials, but it was never used.
[ghudson@mit.edu: clarified commit message]
|
| |
|
|
|
|
|
|
|
| |
Put a note in the the policies section of the documentation for how to
apply policies to principals.
[kaduk@mit.edu: reformat commit message]
ticket: 7693 (new)
|
| |
|
|
|
|
|
|
|
|
|
| |
krb5_cc_get_name() should allow the caller to reconstruct the full
cache name. That is not possible if thread: and process: are omitted
here. (The saved name is not used by anything except
krb5_krcc_get_name, so this change is safe.)
[ghudson@mit.edu: proofread and clarified commit message]
ticket: 7692 (new)
|
| |
|
|
|
|
|
|
|
|
| |
Support credentials larger than 4K in cc_keyring.c by calculating the
payload size in one pass, allocating a buffer of precisely the right
size, and then unparsing into that buffer.
[ghudson@mit.edu: squashed two commits; rewrote message; added length
field instead of doing pointer arithmetic on null pointers; used
proper English comments and clarified what code they apply to.]
|
| |
|
|
| |
ticket: 7687
|
| |
|
|
|
|
|
|
|
|
| |
Create a test module for the hostrealm interface, a harness to call
the realm mapping functions and display their results, and a Python
script to exercise the functionality of the interface and each module
(except the dns module, which we cannot easily test since it relies on
TXT records in the public DNS).
ticket: 7687
|
| |
|
|
|
|
|
| |
Move the remaining internal functions from hst_realm.c to hostrealm.c,
and get rid of hst_realm.c.
ticket: 7687
|
| |
|
|
|
|
|
|
|
| |
Reimplement krb5_get_host_realm, krb5_get_fallback_host_realm, and
krb5_get_default_realm in terms of the hostrealm interface. Three
built-in modules (dns, domain, and profile) implement the current
behavior.
ticket: 7687
|
| |
|
|
| |
ticket: 7687 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
It has been unconditionally activated by all supported build systems
for almost two years, and no complaints or issues have been reported.
In particular, aclocal.m4 has had an unconditional AC_DEFINE() since
3d708e55 in 2003, and win-pre.in has unconditionally set KRB5_USE_DNS_KDC
since 17ffebf7 in 2011.
While here, simplify some other DNS conditionals in win-pre.in where
only one branch was ever taken.
ticket: 7691 (new)
|
| |
|
|
|
|
|
| |
This routine is now used in the gssapi library and must be exported
as such.
ticket: 7688
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes a long-standing documentation bug where we claimed that
a domain_realm mapping for a host name would not affect entries
under that domain name. The code has always had the behavior where
a host name mapping implies the corresponding domain name mapping,
since the 1.0 release.
While here, replace media-lab with csail in example files, as the
media lab realm is no longer in use. Also strip port 88 from KDC
specifications, and drop the harmful default_{tgs,tkt}_enctypes
lines from src/util/profile/krb5.conf.
Further cleanup on these files to remove defunct realms may be in order.
ticket: 7690 (new)
tags: pullup
target_version: 1.11.4
|
| |
|
|
|
| |
localauth modules were not freed by krb5_free_context(), causing a
memory leak.
|
