| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
| |
Include autoconf.h (either directly or via proxy) before system
headers, so that feature test macros defined there can affect the
system namespace. Where include order was changed, eliminate some
redundant or unnecessary includes.
ticket: 7961
|
| |
|
|
|
|
|
|
| |
Take advantage of the strerror_r portability wrapper to simplify code
using it. Remove unused macros related to strerror_r in
ldap_service_stash.c and plugins.c.
ticket: 7961
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In create_identifiers_from_stack: check for allocation errors from
PKCS7_ISSUER_AND_SERIAL_new and M_ASN1_INTEGER_dup. Use
PKCS7_ISSUER_AND_SERIAL_free to more concisely clean up the OpenSSL
issuer variable, and make sure that any partially processed value is
cleaned up on error. Use calloc to allocate krb5_cas so that all of
its pointers are initially nulled, so that
free_krb5_external_principal_identifier can operate on it safely in
case of error. Eliminate the retval variable as it was not used
safely. Rename the error label from "cleanup" to "oom" and separate
it from the successful return path (which has nothing to clean up).
ticket: 7943 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
| |
Fix three mismatched constant names, and properly alphabetize and
columnize the lists of definitions. No functional changes.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When constructing a draft9 PKINIT request, always include
KRB5_PADATA_AS_CHECKSUM padata to ask for an RFC 4556 ReplyKeyPack.
Do not accept a draft9 ReplyKeyPack in the KDC response.
For now, retain the krb5_reply_key_pack_draft9 ASN.1 codec and the KDC
support for generating a draft9 ReplyKeyPack when a draft9 PKINIT
request does not contain KRB5_PADATA_AS_CHECKSUM.
ticket: 7933
|
| |
|
|
|
|
|
|
| |
Remove the PKINIT Windows Server 2008 beta compatibility code
conditionalized under the "longhorn" variable. It is not required to
interoperate with any released version of Windows.
ticket: 7934 (new)
|
| |
|
|
|
|
| |
As contributed, the PKINIT module contained code to read the
pkinit_win2k variable, but never used it. Get rid of the structure
field and the code to populate it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Per the ASN.1 definition, the KrbKey salt field is optional. Since
1.7, we have been treating it as mandatory in the encoder; since 1.11,
we have been treating it as mandatory in the decoder. Mostly by luck,
we have been encoding a salt type of 0 when key_data_ver is 1, but we
really should not be looking at key_data_type[1] or key_data_length[1]
in this situation. Treat the salt field as optional in the encoder
and decoder. Although the previous commit ensures that we continue to
always encode a salt (without any dangerous assumptions about
krb5_key_data constructors), this change will allow us to decode key
data encoded by 1.6 without salt fields.
This also fixes issue #7918, by properly setting key_data_ver to 2 if
a salt type but no salt value is present. It is difficult to get the
decoder to actually assign 2 to key_data_ver just because the salt
field is there, so take care of that in asn1_decode_sequence_of_keys.
Adjust kdbtest.c to match the new behavior by setting key_data_ver to
2 in both test keys.
ticket: 7919
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the LDAP KDB module, ensure that every krb5_key_data we pass to
asn1_encode_sequence_of_keys includes a salt type, for compatibility
with the decoder in unpatched krb5 1.11 and 1.12.
This is not a behavior change by itself; since 1.7 the encoder has
always included a KrbKey salt field because it erroneously treats that
field as non-optional. (Luckily, the encoded salt always happens to
have salt type 0 because krb5_key_data constructors start with zeroed
memory.) The next commit will fix the encoder and decoder to properly
treat the KrbKey salt field as optional, so we need this change to
ensure that our encodings remain compatible.
Also fix the ASN.1 tests to set key_data_ver correctly for the sample
test key data.
ticket: 7919
|
| |
|
|
|
|
| |
Replace most calls to krb5_set_error_message with k5_setmsg for
brevity. Leave alone plugin sources where we don't include k5-int.h
(mostly PKINIT).
|
| |
|
|
|
|
| |
As contributed, the PKINIT code contained code to read a mapping
filename, but never used the resulting structure variable. Get rid of
the structure field and the code to populate it.
|
| |
|
|
|
|
|
|
|
|
|
| |
The CK_TOKEN_INFO label field is defined to be zero-filled, but it may
not be zero-terminated if all bytes of the field are used. Use only
length-counted operations to process it. Also avoid underrunning the
buffer pointer if the label is empty or contains only whitespace.
ticket: 7917
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
| |
Passing invalid slot IDs to C_OpenSession can cause some PKCS #11
implementations (such as the Solaris one) to crash. If a PKINIT
identity specifies a slotid, use it to filter the result of
C_GetSlotList, but don't try it if it does not appear in the list.
ticket: 7916
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
| |
Matching Subject Alternative Name from certificate with
pkinit_kdc_hostname value from krb5.conf should disregard case.
ticket: 7913 (new)
|
| |
|
|
|
|
|
|
|
|
|
| |
If the OTP configuration for a principal contains invalid JSON, the
KDC OTP module calls k5_json_get_tid on a null pointer, causing the
KDC process to crash. Fix this bug by checking the return value of
k5_json_decode in decode_config_json.
ticket: 7912 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Use a library initializer to prevent multiple threads using PKINIT
from concurently initializing OpenSSL functions. For cases where
MT-safety is not assured by registering OpenSSL locking callbacks,
this significantly lowers the odds of crashes caused by races in
OpenSSL initialization. (If OpenSSL initialization functions are
called by some other thread directly, crashes are still possible.)
[ghudson@mit.edu: simplify code changes and commit message]
ticket: 6413
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Stop adding OIDs to the global OpenSSL table. It isn't thread-safe
(even with locking callbacks registered), and calling OBJ_cleanup
could break other uses of OpenSSL. Instead, use anonymous OIDs
created with OBJ_txt2oid. Anonymous OIDs need to be managed more
careful to avoid double-freeing, so create a copy before calling
PKCS7_add_signed_attribute, and don't free the result of
pkinit_pkcs7type2oid in cms_contentinfo_create.
ticket: 7889
|
| |
|
|
|
|
|
|
|
|
|
| |
pkinit_crypto_openssl.c currently creates a shadow entry for
id-pkcs7-data so that OpenSSL will expect to see the corresponding
octet string in d.other instead than d.data. This shadowing is very
unfriendly to other uses of OpenSSL and we should stop. Eliminate the
shadowing and rewrite create_contentinfo so that it sets up the PKCS7
object correctly if the OID is id-pkcs7-data.
ticket: 7889
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In pkinit_as_req_create, create and encode stack-allocated auth-pack
structures containing only alias pointers, instead of heap-allocated
structures containing a mix of alias pointers, owner pointers, and
appropriated caller memory. Keep everything we temporarily allocate
in separate local variables and free them through those variables.
In pa_pkinit_gen_req, use safer memory practices to avoid problems
like issue #7878. Free the checksum since pkinit_as_req_create no
longer takes ownership it. Remove a broken overly defensive check
after calling pkinit_as_req_create.
Remove init_krb5_auth_pack and init_krb5_auth_pack_draft9 as they are
no longer required.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In pa_pkinit_gen_req, if the cleanup handler is reached with non-zero
retval and non-null out_data, out_data is freed, then dereferenced,
then freed again. This can only happen if one of the small fixed-size
malloc requests fails after pkinit_as_req_create succeeds, so it is
unlikely to occur in practice.
ticket: 7878 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
The LDAP debug level option (#7551) causes a build failure with the
Solaris LDAP library, which does not have LDAP_OPT_DEBUG_LEVEL.
ticket: 7870 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
| |
Make unconditional use of <stdint.h> and fixed-width types such as
uint32_t. k5-plugin.h doesn't use any special integer types, so
remove the conditional include block there. Nothing uses
INT64_FMT/UINT64_FMT, so leave those out of k5-platform.h for now.
|
| |
|
|
|
|
|
|
|
|
| |
The built-in word list is not long enough for all of the libdb2 tests
to run properly. Revert d21a86e47a7cda29225013e08d060095b94b2ee7 and
go back to using the system dictionary if we find one. However, omit
any lines from the chosen word list which contain non-alphabetical
characters.
ticket: 7860
|
| |
|
|
|
|
|
|
|
| |
The optimizer in gcc 4.8.1 (but not the current gcc head revision)
breaks the queue.h CIRCLEQ macros, apparently due to an overzealous
strict aliasing deduction. Use TAILQ macros in the libdb2 mpool code
instead.
ticket: 7860
|
| |
|
|
|
|
|
|
|
| |
The system dictionary may contain entries with punctuation, which can
confuse the shell. It's more predictable to always use the word list
from the source tree.
ticket: 7860
status: open
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Some system configurations expect Unix-domain sockets to live under
/run or /var/run, and not other parts of /var where persistent
application state lives. Define a new directory KDC_RUN_DIR using
$runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run
if it's not set) and use that for the default socket path.
[ghudson@mit.edu: commit message, otp.rst formatting fix]
ticket: 7859 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Start the process of deprecating krb5-send-pr. In practice, it causes
frustration for some users, and free-form email is good enough for
most bug reports.
Continue to install krb5-send-pr for now, but plan to remove it from
the tree in the future, probably replaced by a script that instructs
the user to send email manually.
ticket: 5566
target_version: 1.12.1
tags: pullup
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In krb5_ldap_initialize, don't just blat the LDAP error into the
extended message; give an indication of which LDAP operation we were
trying to do and show what parameters we gave to it.
(Also, krb5_set_error_message can handle a null context argument, so
don't bother to check before calling.)
ticket: 7739 (new)
target_version: 1.12
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
| |
If we fail to create a cert chain in cms_signeddata_create(), return
KRB5KDC_ERR_PREAUTH_FAILED, which corresponds to a protocol code,
rather than KRB5_PREAUTH_FAILED, which doesn't. This is also more
consistent with other error clauses in the same function.
ticket: 7718 (new)
target_version: 1.12
tags: pullup
|
| |
|
|
|
|
|
|
| |
Check if the fopen result is NULL, not whether it's less than zero.
ticket: 7713 (new)
target_version: 1.12
tags: pullups
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Per project http://k5wiki.kerberos.org/wiki/Projects/Audit
The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.
The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges. This includes client address and port, KDC
request and request ID, KDC reply, primary and derived ticket and their
ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
validated, local policy violation and protocol constraints, and KDC status
message.
Ticket ID is introduced to allow to link tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.
Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.
For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in this implememtations.
The new Audit system is build-time enabled and run-time pluggable.
[kaduk@mit.edu: remove potential KDC crashes, minor reordering]
ticket: 7712
target_version: 1.12
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Create a test module for the hostrealm interface, a harness to call
the realm mapping functions and display their results, and a Python
script to exercise the functionality of the interface and each module
(except the dns module, which we cannot easily test since it relies on
TXT records in the public DNS).
ticket: 7687
|
| |
|
|
|
|
|
|
|
| |
When putting together the set of identity prompts for a responder
challenge, if we don't need a PIN or password of some kind, don't ask
an empty question.
[ghudson@mit.edu: squashed commits, modified commit message, merged
PKCS11 test with current Python script]
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a password to the set of things that we can pass to a PEM password
callback and the function we use for loading PKCS12 bundles. If we're
meant to defer identity prompts, just store the name of the identity
which we're loading. Otherwise, if we're passed a password, use it.
Otherwise, use the prompter callback.
Add a password to the set of things that we can pass to the function
that we use for logging in to PKCS11 tokens, too, but if we're deferring
identity prompts, just return the identity name without doing anything
else. If not, and we're passed a password, use that. Otherwise, try to
use the prompter callback to get one.
ticket: 7680
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The password callback which we usually supply to NSS already gets a
pointer to the pkinit_identity_crypto_context structure, but it needs to
be passed the name of the identity for which it's being called.
If it gets a name, and it's deferring prompting, just add the identity
to the list of deferred identity prompts (the password callback wouldn't
have been called if its result wasn't needed), and either return NULL
(as an indication that we couldn't get a password) or an empty string (a
value which we know is invalid) if that's handier.
Otherwise, check for a password that's been stashed for its use for that
identity, and return a copy of it if one's found. If none of that
works, try to use the prompter callback to ask for the password.
ticket: 7680
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use the list of deferred identity prompts and warnings, which we have
after calling pkinit_identity_initialize(), to build a list of questions
to supply to responder callbacks.
Before calling pkinit_identity_prompt() to actually load identities that
are protected, save any passwords and PINs which a responder callback
may have supplied.
Because pkinit_client_prep_questions() can be called multiple times, and
we don't want to try to load all of our identities each of those times,
take some steps to ensure that we only call pkinit_identity_initialize()
and pkinit_identity_prompt() once per request.
ticket: 7680
|
| |
|
|
|
| |
When called to free identity information, do what the OpenSSL-based
version does, and error out if the identity information is NULL.
|
| |
|
|
|
| |
Do what the OpenSSL-using code paths do, and load PKCS11_MODNAME if no
module is specified when we're told to use a PKCS11 identity.
|
| |
|
|
|
|
|
|
|
|
|
| |
Learn to manage a list of deferred identities, for which we want to
prompt for passwords or PINs, in pkinit_identity_crypto_context
structures, along with their associated token flags. These are opaque
outside of pkinit_crypto_openssl and pkinit_crypto_nss, so both
implementations need to provide wrapper functions that can be called
from elsewhere in the module to populate and query the lists.
ticket: 7680
|
| |
|
|
|
|
|
|
|
|
|
| |
Split part of pkinit_identity_initialize() into a second piece named
pkinit_identity_prompt(). Have each piece pass a new boolean flag to
crypto_load_certs() to indicate if it should defer prompting for a
password/PIN for client identities that require one. If the flag isn't
set, then crypto_load_certs() should attempt to use a responder-supplied
value, or call the prompter if there isn't one.
ticket: 7680
|
| |
|
|
|
|
| |
If cb->get_string returns 0 with no result in otp_edata, make sure we
set retval to avoid sending an empty OTP hint. If cb->get_string
returns an error code in otp_verify, avoid masking that code.
|
| |
|
|
|
|
|
|
| |
When we allocate space for an array of key_data structures, make sure
we allocate at least one, so we don't spuriously fail on platforms
where malloc(0) returns NULL. Where we use malloc, use k5calloc
instead. Where we use krb5_db_alloc or realloc, just allocate an
extra entry.
|
| |
|
|
|
| |
When retrieving the list of a certificate's subjectAltName values, we
weren't freeing some of the temporary memory we used.
|
| |
|
|
|
|
|
|
| |
The stacks of certificates and CRLs that we retrieve from CMS objects
include newly-owned references to the certificates and CRLs, so when we
go to free them, we need to remember to free those.
[ghudson@mit.edu: minor formatting change; removed unrelated style fix]
|
| | |
|
| |
|
|
|
| |
Wherever we use k5alloc with a multiplication in the size parameter,,
use the new k5calloc helper function instead.
|
