This project is mirrored from Pull mirroring updated .
  1. 19 Oct, 2021 1 commit
  2. 16 Oct, 2021 1 commit
  3. 15 Oct, 2021 2 commits
  4. 11 Oct, 2021 13 commits
    • Nicolas Williams's avatar
      base: Fix leak on ENOMEM · 341848a2
      Nicolas Williams authored
    • Nicolas Williams's avatar
      kdc: Fix leak and loss of kdc_check_flags() reason · 7672ad31
      Nicolas Williams authored
      We were losing and leaking the reason for which kdc_check_flags() was
      rejecting any S4U requests, yielding incomplete error messages.
      The issue is that kdc_check_flags() wants to check the client and server
      principals in the input state structure, but doesn't know about
      impersonated principal name, and so we want to pass it a state structure
      that has the impersonated instead of the impersonator client name.  This
      is a bad design, but I'm ignoring that for now and just fixing this one
    • Nicolas Williams's avatar
      kdc: Fix leak on TGS referral · 7e17db9f
      Nicolas Williams authored
    • Nicolas Williams's avatar
    • Nicolas Williams's avatar
    • Nicolas Williams's avatar
      kdc: Test referrals via HDB entry aliases · 4e7c0fd1
      Nicolas Williams authored
      When a principal name is an alias of another in a different realm, the
      KDC will return a referral to that realm.  Test that.
    • Nicolas Williams's avatar
      kadmin: Add add_alias, del_alias · ba98690a
      Nicolas Williams authored
    • Nicolas Williams's avatar
      hdb: Support referrals via aliases · decd8f41
      Nicolas Williams authored
      The TGS will issue referrals based on [domain_realm] mappings.
      With this change the TGS will also issue referrals based on HDB entry
      The TGS needed no changes for this, only support in lib/hdb was missing.
      All we had to do was return HDB_ERR_WRONG_REALM from hdb_fetch_kvno()
      when the given principal is an alias and its canonical name's realm is
      different from the alias'.
      This feature is important because the KDC currently does not re-read
      krb5.conf and must be restarted for changes to e.g., [domain_realm]
      mappings to take effect.  As well, making krb5.conf changes to all the
      KDCs for a realm would need to be arranged.  But with aliases in the
      HDB, these problems go away.
      Relatedly, we should really have an option to store the KDC's entire
      configuration in the HDB...
       - Add support for aliasing of entire namespaces via HDB aliases with
         WELLKNOWN namespace name forms.  This will round out domain-to-realm
         mapping configuration support via HDB.
    • Nicolas Williams's avatar
      hdb: Deleting aliases corrupts iprop log · a703bd12
      Nicolas Williams authored
      Deleting an alias causes the HDB_entry_alias entry value encoding to be
      written to the iprop log, which later cannot be decoded as an HDB_entry.
      Meanwhile, the alias is removed from the HDB but not from the list of
      aliases in the canonical principal's HDB entry.
      This commit makes deletion of alias names an error.
    • Nicolas Williams's avatar
    • Nicolas Williams's avatar
      kadm5: Teach perform_tl_data() about aliases · fb298a02
      Nicolas Williams authored
      Sort of.  It already knew.
      We have a mess where new things get sent to the server as
      KRB5_TL_EXTENSION, but old things get sent to the client as whatever
      appropriate KRB5_TL we have, and... we call perform_tl_data() on all TL,
      but we don't remove unmodified TL on the client side, and...
      Anyways.  This commit is a band-aid, but it works.
    • Nicolas Williams's avatar
      krb5: Fix krb5.conf.5 man page bug · 838431d9
      Nicolas Williams authored
    • Luke Howard's avatar
      gss: _gss_spnego_set_sec_context_option return · 06e61139
      Luke Howard authored
      Fix _gss_spnego_set_sec_context_option() to return GSS_S_UNAVAILABLE if no
      context handle is provided, so that mechglue will skip to the next mechanism.
      There are no globally settable options on SPNEGO itself.
      Fixes: #803
  5. 07 Oct, 2021 1 commit
  6. 28 Sep, 2021 1 commit
  7. 23 Sep, 2021 8 commits
  8. 21 Sep, 2021 5 commits
    • Luke Howard's avatar
      various: squash MSVC uninitialized variable warnings (C4701) · 8fc67658
      Luke Howard authored
      Initialize some variables to silence some false positive MSVC warnings.
    • Luke Howard's avatar
      asn1: initialize L in ASN1_MALLOC_ENCODE · 18a7562f
      Luke Howard authored
      MSVC complains about uninitialized variables, set (L) to zero in failure case
      from ASN1_MALLOC_ENCODE()
    • Luke Howard's avatar
      krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails · cba3f9a5
      Luke Howard authored
      Return KRB5KRB_AP_ERR_INAPP_CKSUM instead of EINVAL when verifying a PAC, if
      the checksum is absent or unkeyed.
    • Luke Howard's avatar
      Luke Howard authored
      RFC4120 says KRB5KDC_ERR_SUMTYPE_NOSUPP should be returned if the KDC does not
      support a given checksum type. Return this instead of KRB5_PROG_SUMTYPE_NOSUPP
      by introducing a new wrapper function, _kdc_verify_checksum().
    • Luke Howard's avatar
      krb5: make keyed checksums mandatory where possible · 85756bd2
      Luke Howard authored
      Make keyed checksums mandatory when generating and verifying checksums, with
      the following exceptions:
      * the checksum is being generated or verified as part of encrypting data for
        a legacy (DES) encryption type
      * the KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM flag was set on the crypto
        context, used to allow unkeyed checksums in krb5 authenticators
      By making unkeyed checksums opt-in, we eliminate a class of potential
      vulnerabilities where callers could pass unkeyed checksums.
      Any code that uses the mandatory checksum type for a given non-legacy
      encryption type should not be affected by this change. It could potentially
      break, say, a client trying to do FAST with DES keys but, that should not be
      supported (because FAST KDCs also support AES).
      Closes: #835
  9. 20 Sep, 2021 3 commits
  10. 19 Sep, 2021 5 commits
    • Luke Howard's avatar
      krb5: fix test_pac format string · 2acc4508
      Luke Howard authored
      Don't pass a potentially (although in reality, not) untrusted string to
      krb5_err(); cleanup error handling.
    • Isaac Boukris's avatar
      krb5: add pac ticket-signature unit tests · 6c339fd5
      Isaac Boukris authored
    • Isaac Boukris's avatar
      kdc: sign ticket using Windows PAC · 2ffaba94
      Isaac Boukris authored
      Split Windows PAC signing and verification logic, as the signing has to be when
      the ticket is ready.
      Create sign and verify the PAC KDC signature if the plugin did not, allowing
      for S4U2Proxy to work, instead of KRB5SignedPath.
      Use the header key to verify PAC server signature, as the same key used to
      encrypt/decrypt the ticket should be used for PAC server signature, like U2U
      tickets are signed witht the tgt session-key and not with the longterm key,
      and so krbtgt should be no different and the header key should be used.
      Lookup the delegated client in DB instead of passing the delegator DB entry.
      Add PAC ticket-signatures and related functions.
      Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests
      against new KDC will not work if the evidence ticket was acquired from
      an old KDC, and vide versa.
      Closes: #767
    • Isaac Boukris's avatar
      kdc: remove KRB5SignedPath, to be replaced with PAC · bb1d8f2a
      Isaac Boukris authored
      KRB5SignedPath was a Heimdal-specific authorization data element used to
      protect the authenticity of evidence tickets when used in constrained
      delegation (without a Windows PAC).
      Remove this, to be replaced with the Windows PAC which itself now supports
      signing the entire ticket in the TGS key.
    • Isaac Boukris's avatar