| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Directly use stdint.h names for integer types in preference to the
various internal names we have made up for them.
|
| | |
|
| |
|
|
|
| |
The vtbl and locate_fptrs fields were ostensibly related to the locate
pluggable interface, but weren't actually used.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
For a long time we have allowed krb5 contexts to be initialized in the
absence of krb5.conf--but only if KRB5_DNS_LOOKUP is defined,
presumably on the theory that no KDCs could be contacted without
either DNS support or profile configuration. But locate plugins could
provide the ability to find KDCs, and some libkrb5 operations (such as
IAKERB initiation) could succeed without needing to locate KDCs.
Also get rid of the profile_in_memory context flag, since we don't use
it any more.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Per project http://k5wiki.kerberos.org/wiki/Projects/Audit
The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.
The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges. This includes client address and port, KDC
request and request ID, KDC reply, primary and derived ticket and their
ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
validated, local policy violation and protocol constraints, and KDC status
message.
Ticket ID is introduced to allow to link tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.
Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.
For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in this implememtations.
The new Audit system is build-time enabled and run-time pluggable.
[kaduk@mit.edu: remove potential KDC crashes, minor reordering]
ticket: 7712
target_version: 1.12
|
| |
|
|
|
| |
Make krb5int_random_string() function available outside ccache code.
Move it into a separate file under lib/krb5/krb hierarchy.
|
| |
|
|
|
|
| |
If the error code is out of [0,127] range, assign it to KRB_ERR_GENERIC.
This fix is to correct the previous behavior with [0,128] range.
For more information see krb5_err.et
|
| |
|
|
|
|
|
|
| |
If dns_canonicalize_hostname is set to false in [libdefaults],
krb5_sname_to_principal will not canonicalize the hostname using
either forward or reverse lookups.
ticket: 7703 (new)
|
| |
|
|
|
|
|
|
|
| |
The FAST option bits 0-15 are intended to be critical--if they are
present and a KDC does not support them, the KDC is supposed to fail
the request. Because of an incorrect constant, we were erroneously
recognizing bits 24-31 as critical. Fix the constant.
ticket: 7701 (new)
|
| |
|
|
|
|
|
|
| |
In the KDC, if we see the hide-client-names option, identify the
client as the anonymous principal in KDC-REP and KRB-ERROR responses.
The actual client name is present in encrypted FAST elements.
ticket: 7700 (new)
|
| |
|
|
|
|
|
|
|
| |
Reimplement krb5_get_host_realm, krb5_get_fallback_host_realm, and
krb5_get_default_realm in terms of the hostrealm interface. Three
built-in modules (dns, domain, and profile) implement the current
behavior.
ticket: 7687
|
| |
|
|
| |
ticket: 7687 (new)
|
| |
|
|
|
|
| |
Letting calloc() do multiplication helps avoid overflow bugs, so
provide an internal k5calloc() helper which accepts both calloc
arguments, and reimplement k5alloc() in terms of it.
|
| |
|
|
|
|
|
|
| |
Rewrite the plugin internals so that modules have a well-defined
order--either the order of enable_only tags, or dynamic modules
followed by the built-in modules in order of registration.
ticket: 7665 (new)
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Since net-server.c now uses libverto, only sendto_kdc.c consumes cm.c.
Move stuff out of cm.c and cm.h into sendto_kdc.c and get rid of them.
Change the sendto_kdc callback (used by chpw.c) to receive the socket
descriptor instead of the entire conn_state structure, and move the
declarations into os-proto.h. struct remote_address also needs to be
in os-proto.h so that trace.c and t_trace.c can use it. k5_curtime
isn't needed since k5-platform.h now guarantees the presence of
gettimeofday().
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
By a strict reading of the C standard, memcpy and memcmp have
undefined behavior if their pointer arguments aren't valid object
pointers, even if the length argument is 0. Compilers are becoming
more aggressive about breaking code with undefined behavior, so we
should try to avoid it when possible.
In a krb5_data object, we frequently use NULL as the data value when
the length is 0. Accordingly, we should avoid copying from or
comparing the data field of a length-0 krb5_data object. Add checks
to our wrapper functions (like data_eq and k5_memdup) and to code
which works with possibly-empty krb5_data objects. In a few places,
use wrapper functions to simplify the code rather than adding checks.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Move internal declarations from k5-int.h to more localized headers
(like int-proto.h) where appropriate. Rename many symbols whose
prototypes were moved to use the k5_ prefix instead of krb5int_.
Remove some unused declarations or move them to the single source file
they were needed in. Remove krb5_creds_compare since it isn't used
any more.
|
| |
|
|
|
| |
These functions were always internal. They haven't been used since
v5passwdd was eliminated in krb5 1.4.
|
| |
|
|
|
| |
These variables were marked as internal in 1996. Two are unused and
the other is easily replaced with the macro it is initialized from.
|
| |
|
|
|
|
|
|
| |
Add a new pluggable interface for local authorization, and replace the
existing krb5_aname_to_localname and krb5_kuserok implementations with
implementations based on the pluggable interface.
ticket: 7583 (new)
|
| |
|
|
|
|
|
| |
Rename krb5_free_ktypes to krb5_free_enctypes and add it to the public
API.
ticket: 7584
|
| |
|
|
|
|
| |
Add k5-int.h static functions to duplicate byte ranges, optionally
with a trailing zero byte, and set an error code like k5alloc does.
Use them where they would shorten existing code.
|
| |
|
|
|
|
|
|
|
|
|
| |
Remove some unnecessary optimizations to reduce code complexity. Get
rid of krb5_match_config_pattern in favor of a simpler helper function
in do_tgs_req_c. Get rid of KRB5_CONF_ASTERISK and just use "*"
instead. Use a helper function to combine [kdcdefaults] and realm
subsection values of variables, and don't bother adding leading and
trailing spaces. Consistently use the names "hostbased" and
"no_referral" to refer to variable values (with a "realm_" prefix for
structures which currently use it).
|
| |
|
|
|
| |
KRB5_CONF_ prefix should be used for the krb5/kdc.conf parameters.
Use KRB5_CC_CONF_ prefix for cache configuration variables.
|
| |
|
|
|
|
| |
Nothing was using KRB5_KDB_SRV_TYPE_PASSWD, so get rid of it.
(kpasswdd is part of kadmind and interacts with the KDB using
KRB5_KDB_SRV_TYPE_ADMIN.)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The preauth functions are internal to libkrb5, so use the k5_ prefix,
don't use KRB5_CALLCONV, and prototype them in int-proto.h. Also
remove krb5_do_preauth from the Unix libkrb5 export list.
Reorder the k5_preauth() and k5_preauth_tryagain() arguments for more
consistency with the clpreauth interface, and put the output padata
arguments at the end.
Rename any remaining uses of "kcontext" to "context" in preauth2.c.
|
| |
|
|
|
|
|
| |
Since there is no overlap between the clpreauth and kdcpreauth
interface declarations, there's no particular reason to combine them
into one header. For backward compatibility and convenience, leave
behind a preauth_plugin.h which includes both.
|
| |
|
|
|
|
|
|
|
|
|
| |
* Read a "pa_config_data" item from an in_ccache, if provided, and add a
callback which client preauth plugins can use to retrieve a string
value from it that's keyed by a string.
* Add a callback which client preauth plugins can use to provide string
key/value pairs to be stored in the ccache.
* Moves the definition of (struct krb5_clpreauth_rock_st) from k5-int.h
to init_creds_ctx.h to try to reduce the number of files that will
need to include k5-json.h to understand k5_json_value.
|
| |
|
|
|
|
|
|
|
| |
* Add a krb5int_build_conf_principals() function to allow our get/set
code to directly prune out duplicate config entries.
* Verify that when we specify a pa_type, it affects whether or not we
will use a particular preauth plugin.
* Verify that we correctly save the KDC's preauth type number, that we
tried to answer, to the out_ccache.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* When producing preauth data, keep track of the type of padata in the
KDC's list of acceptable types which prompted the module to produce
padata.
* After obtaining credentials, store that value as a "pa_type"
configuration item in the out_ccache.
* Read that allowed preauth type from an in_ccache, if possible.
* If we have an allowed preauth type, only call "real" modules that
handle that value when filling in responder items and producing a
client request.
ticket: 7414 (new)
|
| |
|
|
|
|
|
|
| |
Add a krb5_get_init_creds_opt_set_in_ccache() function. An input
ccache may hold configuration data which the client libraries can
use to influence their decisions.
ticket: 7413 (new)
|
| |
|
|
|
| |
This follows the design laid out on the project page:
http://k5wiki.kerberos.org/wiki/Projects/Password_response_item
|
| |
|
|
|
|
|
|
|
|
| |
The Camellia enctypes and cksumtypes have received IANA assignments.
Add #defines using those assignments to krb5.h, remove the CAMELLIA
conditional, and enable testing code as appropriate.
The Camellia draft has not received an RFC number yet, so there is no
Doxygen markup for the enctype and cksumtype #defines. That can be
added once the RFC number is known.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Make kpropd in iprop mode fork a child to listen for kprops from the
master. The child writes progress and outcome reports to the parent
for each kprop. This fixes a race between asking for a full resync
and setting up a listener socket for it.
- Add runonce (-t) for kpropd do_standalone() too.
- Add a new iprop parameter: iprop_resync_timeout. kpropd will keep
asking for incremental updates while waiting for a full resync to
finish, and will re-request a full resync if kadmind continues to
indicate that one is needed after this timeout passes since the
previous full resync was requested.
- Allow polling intervals less than 10 seconds.
[ghudson@mit.edu: split out debug output changes; note polling interval
change in commit message]
ticket: 7373
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add new APIs:
* krb5_get_init_creds_opt_set_responder
* krb5_responder_get_challenge
* krb5_responder_list_questions
* krb5_responder_set_answer
If a caller sets a responder, it will be invoked after preauth modules
have had a chance to review their incoming padata but before they produce
outgoing padata. The responder will be presented a set of questions with
optional challenges. The responder should then answer all questions it knows
how to handle. Both the answers and the challenges are printable UTF-8 and
may contain encoded, structured data specific to the question asked.
Add two new callbacks and one optional method to the clpreauth
interface. The new method (prep_questions) allows modules to ask questions
by setting them in the responder context using one of the new callbacks
(ask_responder_question). The other new callback (get_responder_answer) is
used by the process method to read the answers to the questions asked.
ticket: 7355 (new)
|
| |
|
|
|
|
| |
Since zapfree(str, strlen(str)) won't work for possibly-null values of
str, add a helper zapfreestr() which only calls strlen() if the string
value is non-null.
|
| |
|
|
|
|
|
| |
Implements the client side of RFC 6560. Not all features are
implemented, but it should work for the most common cases.
ticket: 7242 (new)
|
| |
|
|
|
|
|
| |
Add encoders and decoders for the OTP-TOKENINFO, PA-OTP-CHALLENGE,
PA-OTP-REQUEST, and PA-OTP-ENC-REQUEST types from RFC 6560. For more
thorough testing, add support for generating test encodings using
asn1c for sample objects (currently only for the OTP types).
|
| |
|
|
|
|
|
| |
Like default_keytab_name and default_client_keytab_name,
default_ccache_name is subject to parameter expansion.
ticket: 7220 (new)
|
| |
|
|
|
|
|
| |
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7215 (new)
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Set the default credential cache name for all processes for the current
user. Currently implemented, for windows only, by setting
HKEY_CURRENT_USER\Software\MIT\Kerberos5:ccname to the specified
ccache name. This will not override the environment variable 'KRB5CCNAME'.
It will override HKEY_LOCAL_MACHINE and 'indirect' registry values.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7199 (new)
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
Support acquiring GSSAPI krb5 credentials by fetching initial
credentials using the client keytab. Credentials obtained this way
will be stored in the default ccache or collection, and will be
refreshed when they are halfway to expiring.
ticket: 7189 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The default client keytab is intended to be used to automatically
acquire initial credentials for client applications. The current
hardcoded default is a placeholder, and will likely change before
1.11.
Add test framework settings to ensure that a system default client
keytab doesn't interfere with tests, and to allow tests to be written
to deliberately use the default client keytab.
Add documentation about keytabs to the concepts section of the RST
docs, and describe the default client keytab there.
ticket: 7188 (new)
|
| | |
|
| |
|
|
|
| |
krb5int_cc_os_default_name has been unused since #6955 removed the
call to it in cccursor.c. Get rid of it.
|
| |
|
|
|
|
|
| |
Rename krb5int_count_etypes and krb5int_copy_etypes to have k5_
prefixes, and make them available outside of libkrb5 (but not part of
the public API). Add k5_etypes_contains to search an etype list, and
use it in krb5_is_permitted_enctype.
|
| |
|
|
|
| |
It's an internal function (not in krb5.h or the libkrb5 export list)
and nothing uses it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a principal string attribute named "session_enctypes" which can
specify what enctypes the principal supports for session keys. (For
what it's worth, this actually allows one to list des-cbc-md5 as a
supported session key enctype, though obviously this hardly matters
now.)
Add a [realms] section parameter for specifying whether to assume that
principals (which lack the session_enctypes attribute) support
des-cbc-crc for session keys. This allows those who still need to use
allow_weak_crypto=true, for whatever reason, to start reducing the
number of tickets issued with des-cbc-crc session keys to clients
which still give des-cbc-crc preference in their default_tgs_enctypes
list.
[ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored
test script; documented session_enctypes attribute]
|
