If a client requests a service ticket for the alias of a service
principal, RFC 6806 section 6 requires that the KDC issue a ticket
which appears to be for the alias and not for the canonical name.
After calling search_sprinc(), only replace request->server with
server->princ if the latter is a TGT; this will be the case for an
alternate cross-realm TGT or a host referral, but not for a simple
service alias.
ticket: 7698
target_version: 1.11.4
tags: pullup

Get rid of "flags" bitfields and just use boolean values, to make the
internal contracts for dump and load functions more precise. Rename
"add_update" to "iprop_load" and reverse its sense.

If we are doing a full load, do not touch the ulog header until after
we promote the temporary DB to live. This avoids the same bugs as the
#7588 fix, but more robustly. Based on a patch from Richard Basch.
ticket: 7695

The no_auth_data_required bit was introduced to suppress PACs in
service tickets when the back end supports them. Make it also
suppress AD-SIGNEDPATH, so that the ~70-byte expansion of the ticket
can be avoided for services which aren't going to do constrained
delegation.
ticket: 7697 (new)

This code can be simplified (and a potential race avoided) by using
keyctl_read_alloc() and letting it allocate the necessary memory.
This also allows us to remove a helper function that is not used anymore
as well as make the code more readable. The only penalty is that we
have two allocations instead of one.
[ghudson@mit.edu: trivial simplifications]

numkeys is never really used in the single cache data structure.
Every time a new iteration is started, numkeys is recalculated anyway,
and then only the copy held in the cursor is used. Remove it from the
cache data and keep it only in the cursor.
[ghudson@mit.edu: clarified commit message]

This feature was intended to be used by gssd to access users' keyring
credentials, but it was never used.
[ghudson@mit.edu: clarified commit message]

krb5_cc_get_name() should allow the caller to reconstruct the full
cache name. That is not possible if thread: and process: are omitted
here. (The saved name is not used by anything except
krb5_krcc_get_name, so this change is safe.)
[ghudson@mit.edu: proofread and clarified commit message]
ticket: 7692 (new)

Support credentials larger than 4K in cc_keyring.c by calculating the
payload size in one pass, allocating a buffer of precisely the right
size, and then unparsing into that buffer.
[ghudson@mit.edu: squashed two commits; rewrote message; added length
field instead of doing pointer arithmetic on null pointers; used
proper English comments and clarified what code they apply to.]

Create a test module for the hostrealm interface, a harness to call
the realm mapping functions and display their results, and a Python
script to exercise the functionality of the interface and each module
(except the dns module, which we cannot easily test since it relies on
TXT records in the public DNS).
ticket: 7687

Move the remaining internal functions from hst_realm.c to hostrealm.c,
and get rid of hst_realm.c.
ticket: 7687

Reimplement krb5_get_host_realm, krb5_get_fallback_host_realm, and
krb5_get_default_realm in terms of the hostrealm interface. Three
built-in modules (dns, domain, and profile) implement the current
behavior.
ticket: 7687

ticket: 7687 (new)

It has been unconditionally activated by all supported build systems
for almost two years, and no complaints or issues have been reported.
In particular, aclocal.m4 has had an unconditional AC_DEFINE() since
3d708e55 in 2003, and win-pre.in has unconditionally set KRB5_USE_DNS_KDC
since 17ffebf7 in 2011.
While here, simplify some other DNS conditionals in win-pre.in where
only one branch was ever taken.
ticket: 7691 (new)

This routine is now used in the gssapi library and must be exported
as such.
ticket: 7688

This fixes a long-standing documentation bug where we claimed that
a domain_realm mapping for a host name would not affect entries
under that domain name. The code has always had the behavior where
a host name mapping implies the corresponding domain name mapping,
since the 1.0 release.
While here, replace media-lab with csail in example files, as the
media lab realm is no longer in use. Also strip port 88 from KDC
specifications, and drop the harmful default_{tgs,tkt}_enctypes
lines from src/util/profile/krb5.conf.
Further cleanup on these files to remove defunct realms may be in order.
ticket: 7690 (new)
tags: pullup
target_version: 1.11.4

localauth modules were not freed by krb5_free_context(), causing a
memory leak.

Commit 2e956074b228ff4df3b7462037ab69e4e88ffffe omitted adding a
dependency to the "all" target to force the build of the t_enctypes
test program.
ticket: 7688

Rename krb5_try_realm_txt_rr (an internal function despite the name)
and add a context parameter. Generate trace logs when we successfully
look up a record and when a record is not found.

The acceptor implementation of gss_krb5_set_allowable_enctypes (added
in 1.9.1) is intended to restrict the acceptor subkey negotiated by
krb5_rd_req(). It uses the same approach as the initiator, calling
krb5_set_default_tgs_enctypes on the context. This has the unwanted
side effect of restricting the encryption key of the ticket, because
krb5_decrypt_tkt_part has checked krb5_is_permitted_enctype on the
ticket encryption key since 1.8.
Instead, use krb5_auth_con_setpermetypes on the auth context. This
list is only used for session key enctype negotiation. Also add
automated tests to verify that gss_krb5_set_allowable_enctypes works
as desired.
ticket: 7688 (new)
target_version: 1.11.4
tags: pullup

Copy in the latest config.guess and config.sub from upstream git
master as of 2013-07-26 (revision 79c4c50fc754d742286706b4db5ed8ce2a0de925).
Our previous version didn't recognize arm64.
Reported as Debian bug 717840.
ticket: 7683 (new)
tags: pullup
target_version: 1.11.4

The check_policy functions return com_err codes, not protocol codes,
so use a com_err constant in the example.

The credential serialization functions do not operate on a ccache, so
do not need it as an argument.
[ghudson@mit.edu: clarified commit message, rewrapped shortened lines]

Based on a patch from simo@redhat.com.

kdb5_util update_princ_encryption iterates over the KDB and writes
modified entries. With the DB2 back end, the first write operation
has to upgrade the lock and reopen the DB, which resets the cursor
state. Take out an explicit write lock before iterating to avoid this
step.
ticket: 7684 (new)

The commented code in question is present in set_conn_state_msg_length
which is called immediately after the comments.
[ghudson@mit.edu: clarified commit message]

This field is redundant with addr.type.
[ghudson@mit.edu: removed extraneous changes; clarified commit
message]

This was previously not an issue because nothing outside of
libkrb5support used them.

When putting together the set of identity prompts for a responder
challenge, if we don't need a PIN or password of some kind, don't ask
an empty question.
[ghudson@mit.edu: squashed commits, modified commit message, merged
PKCS11 test with current Python script]

When the import/export credential feature was implemented the related
functions were added to struct gss_config, but the initialization
function that dynamically loads modules was not changed to see if
the plugin being loaded provided such functions.
This will allow non-builtin mechanisms and interposer mechanisms to
implement custom import/export credential extensions if they wish.
ticket: 7682

When the credential store feature was implemented the related functions
were added to struct gss_config, but the initialization function that
dynamically loads modules was not changed to see if the plugin being
loaded provided such functions.
This will allow non-builtin mechanisms and interposer mechanisms to
implement custom credential store extensions if they wish.
ticket: 7682

Make the purgekeys RPC allow self-service, like the chpass and chrand
RPCs.
ticket: 7681 (new)

Don't create a bunch of identically configured realms; just reuse the
same one. Remove a redundant assignment from the soft-pkcs11.so
check. Move the pkinit_identity setting from krb5.conf to kdc.conf,
since it's only used by the KDC. Add a test for trying anonymous
PKINIT when it isn't configured. Check for a specific error message
when testing restricted anonymous PKINIT.

Before we test authenticated PKINIT, slip in a test to check that
password-based preauthentication still works when the KDC is offering
PKINIT, but the client has no PKINIT credentials.

We now also test that the PKINIT challenge looks like we expect it to
look, that PKINIT fails if we don't provide a response or a prompter
callback, and that PKINIT succeeds with a response provided using either
the raw responder API or the PKINIT responder functions.
One thing that we don't check is which specific error code we get when
PKINIT fails: the OpenSSL and NSS versions return different error codes
(some mixture of EIO, ENOMEM, ENOENT, and KRB5KDC_ERR_PREAUTH_FAILED)
when they encounter trouble loading client credentials.
ticket: 7680

ticket: 7680

Add wrappers for the JSON-oriented APIs for PKINIT responder items,
modeled after the API we provide for OTP items:
* krb5_responder_pkinit_get_challenge() returns the list of
identities for which we need PINs
* krb5_responder_pkinit_challenge_free() frees the structure that
was returned by krb5_responder_pkinit_get_challenge()
* krb5_responder_pkinit_set_answer() sets the answer to the PIN for
one of the identities
[ghudson@mit.edu: style cleanup; added comment pointing to main body
of PKINIT module]
ticket: 7680

Add a password to the set of things that we can pass to a PEM password
callback and the function we use for loading PKCS12 bundles. If we're
meant to defer identity prompts, just store the name of the identity
which we're loading. Otherwise, if we're passed a password, use it.
Otherwise, use the prompter callback.
Add a password to the set of things that we can pass to the function
that we use for logging in to PKCS11 tokens, too, but if we're deferring
identity prompts, just return the identity name without doing anything
else. If not, and we're passed a password, use that. Otherwise, try to
use the prompter callback to get one.
ticket: 7680

The password callback which we usually supply to NSS already gets a
pointer to the pkinit_identity_crypto_context structure, but it needs to
be passed the name of the identity for which it's being called.
If it gets a name, and it's deferring prompting, just add the identity
to the list of deferred identity prompts (the password callback wouldn't
have been called if its result wasn't needed), and either return NULL
(as an indication that we couldn't get a password) or an empty string (a
value which we know is invalid) if that's handier.
Otherwise, check for a password that's been stashed for its use for that
identity, and return a copy of it if one's found. If none of that
works, try to use the prompter callback to ask for the password.
ticket: 7680

Use the list of deferred identity prompts and warnings, which we have
after calling pkinit_identity_initialize(), to build a list of questions
to supply to responder callbacks.
Before calling pkinit_identity_prompt() to actually load identities that
are protected, save any passwords and PINs which a responder callback
may have supplied.
Because pkinit_client_prep_questions() can be called multiple times, and
we don't want to try to load all of our identities each of those times,
take some steps to ensure that we only call pkinit_identity_initialize()
and pkinit_identity_prompt() once per request.
ticket: 7680

When called to free identity information, do what the OpenSSL-based
version does, and error out if the identity information is NULL.

Do what the OpenSSL-using code paths do, and load PKCS11_MODNAME if no
module is specified when we're told to use a PKCS11 identity.

Learn to manage a list of deferred identities, for which we want to
prompt for passwords or PINs, in pkinit_identity_crypto_context
structures, along with their associated token flags. These are opaque
outside of pkinit_crypto_openssl and pkinit_crypto_nss, so both
implementations need to provide wrapper functions that can be called
from elsewhere in the module to populate and query the lists.
ticket: 7680

Split part of pkinit_identity_initialize() into a second piece named
pkinit_identity_prompt(). Have each piece pass a new boolean flag to
crypto_load_certs() to indicate if it should defer prompting for a
password/PIN for client identities that require one. If the flag isn't
set, then crypto_load_certs() should attempt to use a responder-supplied
value, or call the prompter if there isn't one.
ticket: 7680