From ghudson at mit.edu Mon Jul 1 20:20:40 2024 From: ghudson at mit.edu (ghudson at mit.edu) Date: Mon, 1 Jul 2024 20:20:40 -0400 (EDT) Subject: krb5 commit: Adjust removed cred detection in FILE ccache Message-ID: <20240702002040.5F927101AD6@krbdev.mit.edu> https://github.com/krb5/krb5/commit/4c0838bb4c232866b95c9f2f72a55bf77cfc1308 commit 4c0838bb4c232866b95c9f2f72a55bf77cfc1308 Author: Greg Hudson Date: Sun Jun 23 20:10:44 2024 -0400 Adjust removed cred detection in FILE ccache In the FILE ccache, consider a cred to be removed if it has endtime 0 and authtime non-zero, instead of specifically authtime -1. This change will let us filter out normal credentials deleted by Heimdal, although not synthetic credentials such as config entries. ticket: 9131 (new) src/lib/krb5/ccache/cc_file.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c index c70a28274..198152a9e 100644 --- a/src/lib/krb5/ccache/cc_file.c +++ b/src/lib/krb5/ccache/cc_file.c @@ -745,12 +745,15 @@ cleanup: return set_errmsg_filename(context, ret, data->filename); } -/* Return true if cred is a removed entry (assuming that no legitimate cred - * entries will have authtime=-1 and endtime=0). */ +/* + * Return true if cred is a removed entry. We assume that any active entry + * with endtime=0 (such as a config entry or gssproxy encrypted credential) + * will also have authtime=0. + */ static inline krb5_boolean cred_removed(krb5_creds *c) { - return c->times.endtime == 0 && c->times.authtime == -1; + return c->times.endtime == 0 && c->times.authtime != 0; } /* Get the next credential from the cache file. */ From ghudson at mit.edu Mon Jul 1 21:29:45 2024 
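Review bot: The rewritten comment above `cred_removed()` states the assumption about active entries but not what marks a removed one, so a reader of `c->times.authtime != 0` cannot tell why the old `== -1` test was dropped; append to the block comment `Heimdal deletes a cred by rewriting it with endtime=0, so any non-zero authtime alongside endtime=0 is taken as a removed entry.` (the Heimdal behavior is taken from the commit message, not from anything visible here). The widened test also hides any endtime-0 entry written by another implementation with a non-zero authtime; if such entries are known to exist, that deserves a sentence too. `c` is never written through, so `cred_removed(const krb5_creds *c)` would make the read-only contract explicit.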
From: ghudson at mit.edu (ghudson at mit.edu) Date: Mon, 1 Jul 2024 21:29:45 -0400 (EDT) Subject: krb5 commit: Change krb5_get_credentials() endtime behavior Message-ID: <20240702012945.B484F101AD6@krbdev.mit.edu> https://github.com/krb5/krb5/commit/e68890329f8ab766f9b746351b5c7d2d18d8dd48 commit e68890329f8ab766f9b746351b5c7d2d18d8dd48 Author: Greg Hudson Date: Thu Jun 27 07:25:21 2024 -0400 Change krb5_get_credentials() endtime behavior Historically, krb5_get_credentials() uses in_creds->times.endtime both as the TGS request endtime and as a cache lookup criterion. These uses are in conflict; setting a TGS request endtime can only serve to limit the maximum lifetime of the issued ticket, while a cache lookup endtime restricts the minimum lifetime of an acceptable cached ticket. The likely outcome is to never use a cached ticket, leading to poor performance as we add an entry to the cache for each request. Change to the Heimdal behavior of using in_creds->times.endtime only as the TGS request endtime. ticket: 9132 (new) src/include/krb5/krb5.hin | 8 ++++---- src/lib/krb5/krb/get_creds.c | 13 +++++-------- 2 files changed, 9 insertions(+), 12 deletions(-) diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index 7c4fc10dd..99b637872 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin 
@@ -3043,10 +3043,10 @@ krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts); * session key type is specified in @a in_creds->keyblock.enctype, if it is * nonzero. * - * The expiration date is specified in @a in_creds->times.endtime. - * The KDC may return tickets with an earlier expiration date. - * If @a in_creds->times.endtime is set to 0, the latest possible - * expiration date will be requested. + * If @a in_creds->times.endtime is specified, it is used as the requested + * expiration date if a TGS request is made. If @a in_creds->times.endtime is + * set to 0, the latest possible expiration date will be requested. The KDC or + * cache may return a ticket with an earlier expiration date. * * Any returned ticket and intermediate ticket-granting tickets are stored * in @a ccache. diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c index e986844a7..00becae96 100644 --- a/src/lib/krb5/krb/get_creds.c +++ b/src/lib/krb5/krb/get_creds.c @@ -53,18 +53,16 @@ construct_matching_creds(krb5_context context, krb5_flags options, krb5_creds *in_creds, krb5_creds *mcreds, krb5_flags *fields) { + krb5_error_code ret; + if (!in_creds || !in_creds->server || !in_creds->client) return EINVAL; memset(mcreds, 0, sizeof(krb5_creds)); mcreds->magic = KV5M_CREDS; - if (in_creds->times.endtime != 0) { - mcreds->times.endtime = in_creds->times.endtime; - } else { - krb5_error_code retval; - retval = krb5_timeofday(context, &mcreds->times.endtime); - if (retval != 0) return retval; - } + ret = krb5_timeofday(context, &mcreds->times.endtime); + if (ret) + return ret; mcreds->keyblock = in_creds->keyblock; mcreds->authdata = in_creds->authdata; mcreds->server = in_creds->server; @@ -75,7 +73,6 @@ construct_matching_creds(krb5_context context, krb5_flags options, | KRB5_TC_SUPPORTED_KTYPES; if (mcreds->keyblock.enctype) { krb5_enctype *ktypes; - krb5_error_code ret; int i; *fields |= KRB5_TC_MATCH_KTYPE; From ghudson at mit.edu Mon Jul 8 19:34:24 2024 
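Review bot: The unconditional `krb5_timeofday(context, &mcreds->times.endtime)` in `construct_matching_creds()` ignores `in_creds->times.endtime` by design, but nothing at that line says so, and the next reader will read the dropped branch as a regression; add above it `/* Accept any cached ticket still valid now; in_creds->times.endtime only constrains the TGS request, not the lookup. */`. A consequence of matching against "now" is that a cached ticket expiring within seconds is returned and may be refused by the service, which is the Heimdal behavior the commit adopts; whether callers retry in that case is not visible in this hunk. `construct_matching_creds()` starts and ends outside the hunk, so its header comment, if it describes the endtime criterion, should be updated to match.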
From: ghudson at mit.edu (ghudson at mit.edu) Date: Mon, 8 Jul 2024 19:34:24 -0400 (EDT) Subject: krb5 commit: Remove unused GSS code Message-ID: <20240708233424.5F86D1019F1@krbdev.mit.edu> https://github.com/krb5/krb5/commit/354f176ba6d6cc544e1c15712a13f9c006ca605d commit 354f176ba6d6cc544e1c15712a13f9c006ca605d Author: Greg Hudson Date: Mon Jul 1 22:58:45 2024 -0400 Remove unused GSS code Commit b0031448502561da31fb8c2543c8b01d7df9a872 removed the only consumers of util_set.c. Also remove declarations for g_strdup() and g_local_host_name(), which were unused as far back as krb5-1.0. src/lib/gssapi/generic/Makefile.in | 3 -- src/lib/gssapi/generic/gssapiP_generic.h | 37 ------------- src/lib/gssapi/generic/util_set.c | 91 -------------------------------- src/lib/gssapi/krb5/gssapiP_krb5.h | 2 - src/lib/gssapi/krb5/gssapi_krb5.c | 6 --- 5 files changed, 139 deletions(-) diff --git a/src/lib/gssapi/generic/Makefile.in b/src/lib/gssapi/generic/Makefile.in index 1a95a7d3b..2eb4857fb 100644 --- a/src/lib/gssapi/generic/Makefile.in +++ b/src/lib/gssapi/generic/Makefile.in @@ -66,7 +66,6 @@ SRCS = \ $(srcdir)/util_buffer.c \ $(srcdir)/util_buffer_set.c \ $(srcdir)/util_errmap.c \ - $(srcdir)/util_set.c \ $(srcdir)/util_seqstate.c \ $(srcdir)/util_token.c \ gssapi_err_generic.c @@ -83,7 +82,6 @@ OBJS = \ $(OUTPRE)util_buffer.$(OBJEXT) \ $(OUTPRE)util_buffer_set.$(OBJEXT) \ $(OUTPRE)util_errmap.$(OBJEXT) \ - $(OUTPRE)util_set.$(OBJEXT) \ $(OUTPRE)util_seqstate.$(OBJEXT) \ $(OUTPRE)util_token.$(OBJEXT) \ $(OUTPRE)gssapi_err_generic.$(OBJEXT) @@ -98,7 +96,6 @@ STLIBOBJS = \ util_buffer.o \ util_buffer_set.o \ util_errmap.o \ - util_set.o \ util_seqstate.o \ util_token.o \ gssapi_err_generic.o diff --git a/src/lib/gssapi/generic/gssapiP_generic.h b/src/lib/gssapi/generic/gssapiP_generic.h index 3c6bfa53d..7201f2ad5 100644 --- a/src/lib/gssapi/generic/gssapiP_generic.h +++ b/src/lib/gssapi/generic/gssapiP_generic.h 
@@ -66,11 +66,6 @@ /** helper functions **/ /* hide names from applications, especially glib applications */ -#define g_set_init gssint_g_set_init -#define g_set_destroy gssint_g_set_destroy -#define g_set_entry_add gssint_g_set_entry_add -#define g_set_entry_delete gssint_g_set_entry_delete -#define g_set_entry_get gssint_g_set_entry_get #define g_make_string_buffer gssint_g_make_string_buffer #define g_token_size gssint_g_token_size #define g_make_token_header gssint_g_make_token_header 
@@ -84,39 +79,9 @@ #define g_seqstate_externalize gssint_g_seqstate_externalize #define g_seqstate_internalize gssint_g_seqstate_internalize #define g_canonicalize_host gssint_g_canonicalize_host -#define g_local_host_name gssint_g_local_host_name -#define g_strdup gssint_g_strdup - -typedef struct _g_set_elt *g_set_elt; -typedef struct { - k5_mutex_t mutex; - void *data; -} g_set; -#define G_SET_INIT { K5_MUTEX_PARTIAL_INITIALIZER, 0 } typedef struct g_seqnum_state_st *g_seqnum_state; -int g_set_init (g_set_elt *s); -int g_set_destroy (g_set_elt *s); -int g_set_entry_add (g_set_elt *s, void *key, void *value); -int g_set_entry_delete (g_set_elt *s, void *key); -int g_set_entry_get (g_set_elt *s, void *key, void **value); - -int g_save_name (g_set *vdb, gss_name_t name); -int g_save_cred_id (g_set *vdb, gss_cred_id_t cred); -int g_save_ctx_id (g_set *vdb, gss_ctx_id_t ctx); -int g_save_lucidctx_id (g_set *vdb, void *lctx); - -int g_validate_name (g_set *vdb, gss_name_t name); -int g_validate_cred_id (g_set *vdb, gss_cred_id_t cred); -int g_validate_ctx_id (g_set *vdb, gss_ctx_id_t ctx); -int g_validate_lucidctx_id (g_set *vdb, void *lctx); - -int g_delete_name (g_set *vdb, gss_name_t name); -int g_delete_cred_id (g_set *vdb, gss_cred_id_t cred); -int g_delete_ctx_id (g_set *vdb, gss_ctx_id_t ctx); -int g_delete_lucidctx_id (g_set *vdb, void *lctx); - int g_make_string_buffer (const char *str, gss_buffer_t buffer); unsigned int g_token_size (const gss_OID_desc * mech, unsigned int body_size); @@ -152,8 +117,6 @@ long g_seqstate_externalize(g_seqnum_state state, unsigned char **buf, long g_seqstate_internalize(g_seqnum_state *state_out, unsigned char **buf, size_t *lenremain); -char *g_strdup (char *str); - /** declarations of internal name mechanism functions **/ OM_uint32 diff --git a/src/lib/gssapi/generic/util_set.c b/src/lib/gssapi/generic/util_set.c deleted file mode 100644 index 432a9ee0d..000000000 --- a/src/lib/gssapi/generic/util_set.c +++ /dev/null 
@@ -1,91 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright 1995 by OpenVision Technologies, Inc. - * - * Permission to use, copy, modify, distribute, and sell this software - * and its documentation for any purpose is hereby granted without fee, - * provided that the above copyright notice appears in all copies and - * that both that copyright notice and this permission notice appear in - * supporting documentation, and that the name of OpenVision not be used - * in advertising or publicity pertaining to distribution of the software - * without specific, written prior permission. OpenVision makes no - * representations about the suitability of this software for any - * purpose. It is provided "as is" without express or implied warranty. - * - * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, - * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO - * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR - * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF - * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR - * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. 
- */ - -/* - * $Id$ - */ - -#include "gssapiP_generic.h" - -struct _g_set_elt { - void *key; - void *value; - struct _g_set_elt *next; -}; - -int g_set_init(g_set_elt *s) -{ - *s = NULL; - - return(0); -} - -int g_set_entry_add(g_set_elt *s, void *key, void *value) -{ - g_set_elt first; - - if ((first = (struct _g_set_elt *) malloc(sizeof(struct _g_set_elt))) == NULL) - return(ENOMEM); - - first->key = key; - first->value = value; - first->next = *s; - - *s = first; - - return(0); -} - -int g_set_entry_delete(g_set_elt *s, void *key) -{ - g_set_elt *p; - - for (p=s; *p; p = &((*p)->next)) { - if ((*p)->key == key) { - g_set_elt next = (*p)->next; - free(*p); - *p = next; - - return(0); - } - } - - return(-1); -} - -int g_set_entry_get(g_set_elt *s, void *key, void **value) -{ - g_set_elt p; - - for (p = *s; p; p = p->next) { - if (p->key == key) { - *value = p->value; - - return(0); - } - } - - *value = NULL; - - return(-1); -} diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index 0ebe3a63c..3d6aaccf7 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -247,8 +247,6 @@ typedef struct _krb5_gss_ctx_id_rec { krb5_authdata **authdata; } krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t; -extern g_set kg_vdb; - #ifndef LEAN_CLIENT extern k5_mutex_t gssint_krb5_keytab_lock; #endif /* LEAN_CLIENT */ diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c index 370b7d152..6c7cf2344 100644 --- a/src/lib/gssapi/krb5/gssapi_krb5.c +++ b/src/lib/gssapi/krb5/gssapi_krb5.c @@ -188,8 +188,6 @@ const gss_OID_set gss_mech_set_krb5_old = &kg_oidsets[1]; const gss_OID_set gss_mech_set_krb5_both = &kg_oidsets[2]; const gss_OID_set kg_all_mechs = &kg_oidsets[3]; -g_set kg_vdb = G_SET_INIT; - /** default credential support */ /* 
@@ -1073,9 +1071,6 @@ int gss_krb5int_lib_init(void) err = k5_mutex_finish_init(&kg_kdc_flag_mutex); if (err) return err; - err = k5_mutex_finish_init(&kg_vdb.mutex); - if (err) - return err; #endif #ifdef _GSS_STATIC_LINK err = gss_krb5mechglue_init(); @@ -1107,7 +1102,6 @@ void gss_krb5int_lib_fini(void) k5_key_delete(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME); k5_key_delete(K5_KEY_GSS_KRB5_CCACHE_NAME); k5_key_delete(K5_KEY_GSS_KRB5_ERROR_MESSAGE); - k5_mutex_destroy(&kg_vdb.mutex); #ifndef _WIN32 k5_mutex_destroy(&kg_kdc_flag_mutex); #endif From ghudson at mit.edu Mon Jul 22 17:09:50 2024 From: ghudson at mit.edu (ghudson at mit.edu) Date: Mon, 22 Jul 2024 17:09:50 -0400 (EDT) Subject: krb5 commit: Make krb5_get_default_config_files() public Message-ID: <20240722210950.1C5A4101AE6@krbdev.mit.edu> https://github.com/krb5/krb5/commit/8e60fc5600d1771769dc9cabd282f0d533b4c524 commit 8e60fc5600d1771769dc9cabd282f0d533b4c524 Author: Greg Hudson Date: Mon Jul 8 19:19:40 2024 -0400 Make krb5_get_default_config_files() public Add krb5_get_default_config_files() to the public API; it was already in the library export list and the DLL export list. Also add krb5_free_config_files(). ticket: 9130 doc/appdev/refs/api/index.rst | 2 ++ src/include/k5-int.h | 4 ---- src/include/krb5/krb5.hin | 27 +++++++++++++++++++++++++++ 3 files changed, 29 insertions(+), 4 deletions(-) diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst index d12be47c3..648dc2ed9 100644 --- a/doc/appdev/refs/api/index.rst +++ b/doc/appdev/refs/api/index.rst @@ -25,6 +25,7 @@ Frequently used public interfaces krb5_change_password.rst krb5_chpw_message.rst krb5_expand_hostname.rst + krb5_free_config_files.rst krb5_free_context.rst krb5_free_error_message.rst krb5_free_principal.rst 
@@ -33,6 +34,7 @@ Frequently used public interfaces krb5_get_error_message.rst krb5_get_host_realm.rst krb5_get_credentials.rst + krb5_get_default_config_files.rst krb5_get_fallback_host_realm.rst krb5_get_init_creds_keytab.rst krb5_get_init_creds_opt_alloc.rst diff --git a/src/include/k5-int.h b/src/include/k5-int.h index a5763bf68..80c966ec5 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -2143,10 +2143,6 @@ void KRB5_CALLCONV krb5_free_tkt_authent(krb5_context, krb5_tkt_authent *); void KRB5_CALLCONV krb5_free_enc_data(krb5_context, krb5_enc_data *); krb5_error_code krb5_set_config_files(krb5_context, const char **); -krb5_error_code KRB5_CALLCONV krb5_get_default_config_files(char ***filenames); - -void KRB5_CALLCONV krb5_free_config_files(char **filenames); - krb5_error_code krb5_rd_req_decoded(krb5_context, krb5_auth_context *, const krb5_ap_req *, krb5_const_principal, krb5_keytab, krb5_flags *, krb5_ticket **); diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index 99b637872..c6998adc5 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin 
@@ -2935,6 +2935,33 @@ krb5_free_context(krb5_context context); krb5_error_code KRB5_CALLCONV krb5_copy_context(krb5_context ctx, krb5_context *nctx_out); +/** + * Return a list of default configuration filenames + * + * @param [out] filenames Configuration filename list + * + * Fill in @a filenames with a null-terminated list of configuration files + * which will be read by krb5_init_context() in the current process + * environment. + * + * Use krb5_free_config_files() to free @a filenames when it is no longer + * needed. + * + * @version New in 1.22 + */ +krb5_error_code KRB5_CALLCONV +krb5_get_default_config_files(char ***filenames); + +/** + * Free a list allocated by krb5_get_default_config_files() + * + * @param [in] filenames Configuration filename list + * + * @version New in 1.22 + */ +void KRB5_CALLCONV +krb5_free_config_files(char **filenames); + /** * Set default TGS encryption types in a krb5_context structure. * From ghudson at mit.edu Mon Jul 22 17:25:34 2024 From: ghudson at mit.edu (ghudson at mit.edu) Date: Mon, 22 Jul 2024 17:25:34 -0400 (EDT) Subject: krb5 commit: Add acceptor-side IAKERB realm discovery Message-ID: <20240722212534.99E2B101AE6@krbdev.mit.edu> https://github.com/krb5/krb5/commit/6e20892369a9fafa09294529fb4d331e4fcbb97a commit 6e20892369a9fafa09294529fb4d331e4fcbb97a Author: Greg Hudson Date: Tue Jul 9 15:14:03 2024 -0400 Add acceptor-side IAKERB realm discovery draft-ietf-kitten-iakerb-03 section 3.1 specifies a way for the initiator to query the acceptor's realm. Implement this facility in the IAKERB acceptor. ticket: 9133 (new) .gitignore | 1 + src/lib/gssapi/krb5/iakerb.c | 66 +++++++++++++++++++++++++++++---- src/tests/gssapi/Makefile.in | 32 ++++++++-------- src/tests/gssapi/t_gssapi.py | 2 + src/tests/gssapi/t_iakerb.c | 88 ++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 167 insertions(+), 22 deletions(-) diff --git a/.gitignore b/.gitignore index db1478fed..90bfa0e20 100644 --- a/.gitignore +++ b/.gitignore 
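Review bot: The new `krb5_get_default_config_files()` docstring gives no return convention and does not say what `@a filenames` holds on failure, and `krb5_free_config_files()` does not say whether a NULL `@a filenames` is accepted; cleanup paths need both answers to free unconditionally. Following the `@retval`/`@return` form used by neighbouring declarations in this header (not visible in this hunk, so confirm), add `@retval 0 Success` and `@return A Kerberos error code` to the getter, plus a sentence such as `On error, @a filenames is set to NULL.` only if the implementation guarantees it. The prototypes match the ones removed from k5-int.h, so this is documentation only.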
@@ -463,6 +463,7 @@ local.properties /src/tests/gssapi/t_export_cred /src/tests/gssapi/t_export_name /src/tests/gssapi/t_gssexts +/src/tests/gssapi/t_iakerb /src/tests/gssapi/t_imp_cred /src/tests/gssapi/t_imp_name /src/tests/gssapi/t_invalid diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c index 9e8bc05da..69c3445d6 100644 --- a/src/lib/gssapi/krb5/iakerb.c +++ b/src/lib/gssapi/krb5/iakerb.c @@ -283,6 +283,53 @@ cleanup: return code; } +/* Generate a response to a realm discovery request. */ +static krb5_error_code +iakerb_acceptor_realm(iakerb_ctx_id_t ctx, gss_cred_id_t verifier_cred, + gss_buffer_t output_token) +{ + krb5_error_code ret; + OM_uint32 dummy; + krb5_gss_cred_id_t cred = (krb5_gss_cred_id_t)verifier_cred; + krb5_data realm = empty_data(), reply = empty_data(); + krb5_error error = { 0 }; + char *defrealm = NULL; + + /* Get the acceptor realm from the verifier cred if we can; otherwise try + * to use the default realm. */ + if (cred != NULL && cred->name != NULL && + cred->name->princ->realm.length > 0) { + realm = cred->name->princ->realm; + } else { + ret = krb5_get_default_realm(ctx->k5c, &defrealm); + if (ret) { + /* Generate an error reply if there is no default realm. */ + error.error = KRB_ERR_GENERIC; + ret = krb5_mk_error(ctx->k5c, &error, &reply); + if (ret) + goto cleanup; + } else { + realm = string2data(defrealm); + } + } + + ret = iakerb_make_token(ctx, &realm, NULL, &reply, output_token); + if (ret) + goto cleanup; + ret = iakerb_save_token(ctx, output_token); + if (ret) + goto cleanup; + + ctx->count++; + +cleanup: + if (ret) + gss_release_buffer(&dummy, output_token); + krb5_free_default_realm(ctx->k5c, defrealm); + krb5_free_data_contents(ctx->k5c, &reply); + return ret; +} + /* * Parse the IAKERB token in input_token and send the contained KDC * request to the KDC for the realm. 
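Review bot: The realm lookup at the top of `iakerb_acceptor_realm()` dereferences `cred->name->princ->realm` after testing only `cred` and `cred->name`; if a GSS name can carry a NULL `princ` (not visible in this hunk), the guard needs `cred->name->princ != NULL` as well, on a path reachable by any unauthenticated peer. The header comment should also say what the reply contains and when an error is sent instead: `/* Generate a response to a realm discovery request: the acceptor realm from the verifier cred, else the default realm, else a KRB_ERR_GENERIC error. The reply is saved and counted like a proxy exchange. */`. The cleanup path releases `output_token` whenever `ret` is set, which presumes the caller handed it over empty; `iakerb_acceptor_step()`'s initialization of it is outside this hunk.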
@@ -290,7 +337,7 @@ cleanup: * Wrap the KDC reply in output_token. */ static krb5_error_code -iakerb_acceptor_step(iakerb_ctx_id_t ctx, +iakerb_acceptor_step(iakerb_ctx_id_t ctx, gss_cred_id_t verifier_cred, const gss_buffer_t input_token, gss_buffer_t output_token) { @@ -313,15 +360,19 @@ iakerb_acceptor_step(iakerb_ctx_id_t ctx, if (code != 0) goto cleanup; - if (realm.length == 0 || request.length == 0) { - code = KRB5_BAD_MSIZE; - goto cleanup; - } - code = iakerb_save_token(ctx, input_token); if (code != 0) goto cleanup; + if (realm.length == 0 && request.length == 0) { + /* This is a realm discovery request. */ + code = iakerb_acceptor_realm(ctx, verifier_cred, output_token); + goto cleanup; + } else if (realm.length == 0 || request.length == 0) { + code = KRB5_BAD_MSIZE; + goto cleanup; + } + for (tcp_only = 0; tcp_only <= 1; tcp_only++) { use_primary = 0; code = krb5_sendto_kdc(ctx->k5c, &request, &realm, @@ -770,7 +821,8 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status, major_status = GSS_S_DEFECTIVE_TOKEN; goto cleanup; } - code = iakerb_acceptor_step(ctx, input_token, output_token); + code = iakerb_acceptor_step(ctx, verifier_cred_handle, input_token, + output_token); if (code == (OM_uint32)KRB5_BAD_MSIZE) major_status = GSS_S_DEFECTIVE_TOKEN; if (code != 0) diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in index ee65a65f3..97a6ac3f3 100644 --- a/src/tests/gssapi/Makefile.in +++ b/src/tests/gssapi/Makefile.in 
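Review bot: Moving `iakerb_save_token(ctx, input_token)` ahead of the size check in `iakerb_acceptor_step()` means a token with exactly one of realm/request empty is now recorded in the context before `KRB5_BAD_MSIZE` is returned, whereas before this commit such a token was rejected without touching the context. Whether that matters depends on whether the context survives the resulting GSS_S_DEFECTIVE_TOKEN return, which is not visible here, but validating before saving costs nothing and keeps the defective-token path free of side effects. The realm discovery request (both fields empty) still has to be saved before `iakerb_acceptor_realm()` saves its reply, so only the malformed case is hoisted above the save. `iakerb_acceptor_step()` starts and ends outside this hunk.
```c
    /* … unchanged: iakerb_parse_token() and its error check … */

    /* Reject a half-empty header before recording anything in ctx. */
    if ((realm.length == 0) != (request.length == 0)) {
        code = KRB5_BAD_MSIZE;
        goto cleanup;
    }

    code = iakerb_save_token(ctx, input_token);
    if (code != 0)
        goto cleanup;

    if (realm.length == 0) {
        /* Both fields are empty: this is a realm discovery request. */
        code = iakerb_acceptor_realm(ctx, verifier_cred, output_token);
        goto cleanup;
    }

    /* … unchanged: krb5_sendto_kdc() loop … */
```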
@@ -13,9 +13,9 @@ SRCS= $(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c \ $(srcdir)/t_bindings.c $(srcdir)/t_ccselect.c $(srcdir)/t_ciflags.c \ $(srcdir)/t_context.c $(srcdir)/t_credstore.c $(srcdir)/t_enctypes.c \ $(srcdir)/t_err.c $(srcdir)/t_export_cred.c $(srcdir)/t_export_name.c \ - $(srcdir)/t_gssexts.c $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c \ - $(srcdir)/t_invalid.c $(srcdir)/t_inq_cred.c $(srcdir)/t_inq_ctx.c \ - $(srcdir)/t_inq_mechs_name.c $(srcdir)/t_iov.c \ + $(srcdir)/t_gssexts.c $(srcdir)/t_iakerb.c $(srcdir)/t_imp_cred.c \ + $(srcdir)/t_imp_name.c $(srcdir)/t_invalid.c $(srcdir)/t_inq_cred.c \ + $(srcdir)/t_inq_ctx.c $(srcdir)/t_inq_mechs_name.c $(srcdir)/t_iov.c \ $(srcdir)/t_lifetime.c $(srcdir)/t_namingexts.c $(srcdir)/t_oid.c \ $(srcdir)/t_pcontok.c $(srcdir)/t_prf.c $(srcdir)/t_s4u.c \ $(srcdir)/t_s4u2proxy_krb5.c $(srcdir)/t_saslname.c \ 
@@ -24,20 +24,20 @@ SRCS= $(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c \ OBJS= ccinit.o ccrefresh.o common.o reload.o t_accname.o t_add_cred.o \ t_bindings.o t_ccselect.o t_ciflags.o t_context.o t_credstore.o \ t_enctypes.o t_err.o t_export_cred.o t_export_name.o t_gssexts.o \ - t_imp_cred.o t_imp_name.o t_invalid.o t_inq_cred.o t_inq_ctx.o \ - t_inq_mechs_name.o t_iov.o t_lifetime.o t_namingexts.o t_oid.o \ - t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \ - t_spnego.o t_srcattrs.o t_store_cred.o + t_iakerb.o t_imp_cred.o t_imp_name.o t_invalid.o t_inq_cred.o \ + t_inq_ctx.o t_inq_mechs_name.o t_iov.o t_lifetime.o t_namingexts.o \ + t_oid.o t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \ + t_spnego.o t_srcattrs.o t_store_cred.o t_iakerb.o COMMON_DEPS= common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) COMMON_LIBS= common.o $(GSS_LIBS) $(KRB5_BASE_LIBS) all: ccinit ccrefresh reload t_accname t_add_cred t_bindings t_ccselect \ t_ciflags t_context t_credstore t_enctypes t_err t_export_cred \ - t_export_name t_gssexts t_imp_cred t_imp_name t_invalid t_inq_cred \ - t_inq_ctx t_inq_mechs_name t_iov t_lifetime t_namingexts t_oid \ - t_pcontok t_prf t_s4u t_s4u2proxy_krb5 t_saslname t_spnego t_srcattrs \ - t_store_cred + t_export_name t_gssexts t_iakerb t_imp_cred t_imp_name t_invalid \ + t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_lifetime t_namingexts \ + t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 t_saslname t_spnego \ + t_srcattrs t_store_cred check-unix: t_invalid t_oid t_prf t_imp_name reload $(RUN_TEST) ./t_invalid @@ -93,6 +93,8 @@ t_export_name: t_export_name.o $(COMMON_DEPS) $(CC_LINK) -o $@ t_export_name.o $(COMMON_LIBS) t_gssexts: t_gssexts.o $(COMMON_DEPS) $(CC_LINK) -o $@ t_gssexts.o $(COMMON_LIBS) +t_iakerb: t_iakerb.o $(COMMON_DEPS) + $(CC_LINK) -o $@ t_iakerb.o $(COMMON_LIBS) t_imp_cred: t_imp_cred.o $(COMMON_DEPS) $(CC_LINK) -o $@ t_imp_cred.o $(COMMON_LIBS) t_imp_name: t_imp_name.o $(COMMON_DEPS) 
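Review bot: `t_iakerb.o` is listed twice in the new OBJS value, once after `t_gssexts.o` and again at the end of the last line `t_spnego.o t_srcattrs.o t_store_cred.o t_iakerb.o`; drop the trailing one so that line reads `t_spnego.o t_srcattrs.o t_store_cred.o`. make tolerates the duplicate, but the other three lists in this file (SRCS, `all`, `clean`) carry it once, and a repeated object in OBJS is easy to mistake later for a second intended target.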
@@ -133,7 +135,7 @@ t_store_cred: t_store_cred.o $(COMMON_DEPS) clean: $(RM) ccinit ccrefresh reload t_accname t_add_cred t_bindings $(RM) t_ccselect t_ciflags t_context t_credstore t_enctypes t_err - $(RM) t_export_cred t_export_name t_gssexts t_imp_cred t_imp_name - $(RM) t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_lifetime - $(RM) t_namingexts t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 - $(RM) t_saslname t_spnego t_srcattrs t_store_cred + $(RM) t_export_cred t_export_name t_gssexts t_iakerb t_imp_cred + $(RM) t_imp_name t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov + $(RM) t_lifetime t_namingexts t_oid t_pcontok t_prf t_s4u + $(RM) t_s4u2proxy_krb5 t_saslname t_spnego t_srcattrs t_store_cred diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py index 5f093a198..e1ed571fd 100755 --- a/src/tests/gssapi/t_gssapi.py +++ b/src/tests/gssapi/t_gssapi.py @@ -13,6 +13,8 @@ realm = K5Realm() # Test gss_add_cred(). realm.run(['./t_add_cred']) +realm.run(['./t_iakerb']) + ### Test acceptor name behavior. # Create some host-based principals and put most of them into the diff --git a/src/tests/gssapi/t_iakerb.c b/src/tests/gssapi/t_iakerb.c new file mode 100644 index 000000000..a81b526e7 --- /dev/null +++ b/src/tests/gssapi/t_iakerb.c 
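Review bot: The new `realm.run(['./t_iakerb'])` in t_gssapi.py is the only test invocation in the visible hunk without a leading comment, while the neighbouring call carries `# Test gss_add_cred().`; add `# Test IAKERB realm discovery.` above it so the script's section style stays uniform.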
@@ -0,0 +1,88 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* tests/gssapi/t_iakerb.c - IAKERB tests */ +/* + * Copyright (C) 2024 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include +#include +#include +#include "common.h" + +static uint8_t +realm_query[] = { + /* ASN.1 wrapper for IAKERB mech */ + 0x60, 0x10, + 0x06, 0x06, 0x2B, 0x06, 0x01, 0x05, 0x02, 0x05, + /* IAKERB_PROXY token type */ + 0x05, 0x01, + /* IAKERB-HEADER with empty target-realm */ + 0x30, 0x04, + 0xA1, 0x02, 0x0C, 0x00 +}; + +static uint8_t +realm_response[] = { + /* ASN.1 wrapper for IAKERB mech */ + 0x60, 0x1B, + 0x06, 0x06, 0x2B, 0x06, 0x01, 0x05, 0x02, 0x05, + /* IAKERB_PROXY token type */ + 0x05, 0x01, + /* IAKERB-HEADER with configured realm */ + 0x30, 0x0F, + 0xA1, 0x0D, 0x0C, 0x0B, + 'K', 'R', 'B', 'T', 'E', 'S', 'T', '.', 'C', 'O', 'M' +}; + +int +main(void) +{ + OM_uint32 major, minor; + gss_cred_id_t cred; + gss_buffer_desc in, out; + gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; + + major = gss_acquire_cred(&minor, GSS_C_NO_NAME, 0, &mechset_iakerb, + GSS_C_ACCEPT, &cred, NULL, NULL); + check_gsserr("gss_acquire_cred", major, minor); + + in.value = realm_query; + in.length = sizeof(realm_query); + major = gss_accept_sec_context(&minor, &ctx, cred, &in, + GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL, &out, + NULL, NULL, NULL); + check_gsserr("gss_accept_sec_context", major, minor); + assert(out.length == sizeof(realm_response)); + assert(memcmp(out.value, realm_response, out.length) == 0); + + gss_release_buffer(&minor, &out); + gss_delete_sec_context(&minor, &ctx, NULL); + gss_release_cred(&minor, &cred); + return 0; +} From ghudson at mit.edu Mon Jul 22 17:39:50 2024 
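Review bot: `realm_response` in t_iakerb.c hard-codes the realm bytes for `KRBTEST.COM`, so the test only passes under the realm set up by t_gssapi.py (presumably K5Realm's default), and the array comment should say so: `/* IAKERB-HEADER with the configured realm; must match the K5Realm default used by t_gssapi.py */`. The `out.length == sizeof(realm_response)` assert ahead of `memcmp` rightly bounds the comparison, but a bare `assert` leaves no message when the realm differs; printing `out.length` and the expected length before asserting would shorten debugging. The `#include` targets in the file's header are missing from this rendering and cannot be reviewed here.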
From: ghudson at mit.edu (ghudson at mit.edu) Date: Mon, 22 Jul 2024 17:39:50 -0400 (EDT) Subject: krb5 commit: Remove unused files Message-ID: <20240722213950.7B288101B0D@krbdev.mit.edu> https://github.com/krb5/krb5/commit/f43e77fad655bd0b02cfe8b8ccd642d38616d1f5 commit f43e77fad655bd0b02cfe8b8ccd642d38616d1f5 Author: Greg Hudson Date: Thu Jul 11 15:15:46 2024 -0400 Remove unused files src/Makefile.in | 4 +- src/config-files/convert-config-files | 84 - src/config-files/mech | 3 - src/config/libnodeps.in | 4 - src/config/ren2long | 9 - src/config/ren2long.awk | 75 - src/config/wconfig.pl | 77 - src/kadmin/kdbkeys/Makefile.in | 16 - src/kadmin/kdbkeys/do-test.pl | 56 - src/kadmin/scripts/inst-hdrs.sh | 14 - src/kdc/Makefile.in | 13 +- src/kdc/deps | 6 +- src/kdc/kdc5_err.et | 35 - src/kdc/main.c | 3 - src/lib/crypto/ISSUES | 14 - src/lib/crypto/builtin/des/ISSUES | 13 - src/lib/crypto/builtin/md4/ISSUES | 4 - src/lib/crypto/builtin/md5/ISSUES | 4 - src/lib/crypto/builtin/sha1/ISSUES | 8 - src/lib/crypto/crypto_tests/Poly.pm | 182 - src/lib/crypto/crypto_tests/t_mdcksum.c | 203 - src/lib/crypto/crypto_tests/t_prng.comments | 14 - src/lib/crypto/crypto_tests/t_prng.expected | 4 - src/lib/crypto/crypto_tests/t_prng.seed | 25 - src/lib/crypto/crypto_tests/test/Readme.txt | 22 - src/lib/crypto/crypto_tests/test/cbc_d_m.txt | 7224 ------------------------ src/lib/crypto/crypto_tests/test/cbc_e_m.txt | 7224 ------------------------ src/lib/crypto/crypto_tests/test/ecb_d_m.txt | 6024 -------------------- src/lib/crypto/crypto_tests/test/ecb_e_m.txt | 6024 -------------------- src/lib/crypto/crypto_tests/test/ecb_iv.readme | 19 - src/lib/crypto/crypto_tests/test/ecb_iv.txt | 123 - src/lib/crypto/crypto_tests/test/ecb_tbl.txt | 1955 ------- src/lib/crypto/crypto_tests/test/ecb_vk.txt | 2334 -------- src/lib/crypto/crypto_tests/test/ecb_vt.txt | 1566 ----- src/lib/crypto/crypto_tests/test/katmct.pdf | Bin 100812 -> 0 bytes src/lib/crypto/crypto_tests/vb.txt | 87 - 
src/lib/gssapi/README_SAMPLE_APP | 4 - src/lib/gssapi/spnego/mech_spnego.exports | 1 - src/lib/krb5/Makefile.in | 5 +- src/lib/krb5/asn.1/KRB5-asn.py | 436 -- src/lib/krb5/ccache/scc.h | 88 - src/lib/krb5/ccache/t_memory.c | 138 - src/lib/krb5/ccache/t_stdio.c | 168 - src/lib/krb5/posix/Makefile.in | 15 - src/lib/krb5/posix/syslog.c | 11 - src/lib/krb5/rcache/RELEASE | 17 - src/tests/dump.c | 42 - src/tests/test1.c | 192 - src/util/check-ac-syms | 33 - src/util/exitsleep.c | 49 - src/util/getsyms | 63 - src/util/getsyms.sed | 42 - src/util/lndir | 103 - src/util/profile/dosshell.ini | 537 -- src/util/profile/prof_FSp_glue.c | 92 - src/util/profile/profile.exp | 35 - src/util/profile/profile.pbexp | 33 - src/util/profile/prtest.in | 36 - src/util/profile/prtest.script | 11 - src/util/trim-valgrind-logs | 71 - 60 files changed, 6 insertions(+), 35688 deletions(-) Diff larger than 5000 lines; suppressing. From ghudson at mit.edu Mon Jul 22 17:56:56 2024 From: ghudson at mit.edu (ghudson at mit.edu) Date: Mon, 22 Jul 2024 17:56:56 -0400 (EDT) Subject: krb5 commit: Add fortify flag to gcc CI build Message-ID: <20240722215656.64952101AE6@krbdev.mit.edu> https://github.com/krb5/krb5/commit/aafc170587c69346a9b06583db6f1bb8edf524f2 commit aafc170587c69346a9b06583db6f1bb8edf524f2 Author: Greg Hudson Date: Fri Jul 19 18:07:46 2024 -0400 Add fortify flag to gcc CI build .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 350ed3de5..8d7d02e74 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -26,6 +26,7 @@ jobs: - name: linux-gcc os: ubuntu-latest compiler: gcc + makevars: CPPFLAGS=-D_FORTIFY_SOURCE=3 steps: - name: Checkout repository uses: actions/checkout at v1 From ghudson at mit.edu Tue Jul 30 20:23:45 2024 
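Review bot: `CPPFLAGS=-D_FORTIFY_SOURCE=3` only takes effect when the compile is optimized and, on glibc, level 3 needs GCC 12 or newer; neither the optimization level nor the compiler version selected by `ubuntu-latest` is pinned by this hunk, so the job may build without any fortification while glibc merely emits the `_FORTIFY_SOURCE requires compiling with optimization` warning. Worth confirming that the default CFLAGS include `-O2` and recording the requirement next to the line, e.g. `# _FORTIFY_SOURCE=3 needs -O and GCC >= 12`. A fortified build is most useful when the added warnings fail the job, but whether to pass `-Werror` here is a policy choice outside this hunk.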
From: ghudson at mit.edu (ghudson at mit.edu) Date: Tue, 30 Jul 2024 20:23:45 -0400 (EDT) Subject: krb5 commit: Refactor GSS token header parsing Message-ID: <20240731002345.DEF27101B2F@krbdev.mit.edu> https://github.com/krb5/krb5/commit/3ebe2ec4c1c5afe39f094b50590dd6f56cbce5ca commit 3ebe2ec4c1c5afe39f094b50590dd6f56cbce5ca Author: Greg Hudson Date: Wed Jun 19 18:55:35 2024 -0400 Refactor GSS token header parsing Rewrite g_verify_token_header() to use k5input and not to handle two-byte token IDs (which are specific to the krb5 mechanism). Add a more general g_get_token_header() which can handle detached wrappers and cases where the mech is not known in advance. Adjust all current callers, and get rid of the duplicate DER parsing code added in commit b0a2f8a5365f2eec3e27d78907de9f9d2c80505a. In k5-input.h, split out tag and length parsing into k5_der_get_taglen(), needed by g_get_token_header(). src/include/k5-der.h | 36 ++++++-- src/lib/gssapi/generic/gssapiP_generic.h | 12 +-- src/lib/gssapi/generic/util_token.c | 83 +++++++++-------- src/lib/gssapi/krb5/accept_sec_context.c | 82 +++++++++-------- src/lib/gssapi/krb5/iakerb.c | 32 +++---- src/lib/gssapi/krb5/init_sec_context.c | 42 ++++----- src/lib/gssapi/krb5/k5unseal.c | 40 ++------ src/lib/gssapi/krb5/k5unsealiov.c | 128 +++++--------------------- src/lib/gssapi/mechglue/g_decapsulate_token.c | 18 ++-- src/lib/gssapi/mechglue/g_glue.c | 28 ++---- src/lib/gssapi/mechglue/mglueP.h | 2 - 11 files changed, 198 insertions(+), 305 deletions(-) diff --git a/src/include/k5-der.h b/src/include/k5-der.h index b8371d9b4..aff45f1d5 100644 --- a/src/include/k5-der.h +++ b/src/include/k5-der.h 
@@ -105,19 +105,15 @@ k5_der_add_value(struct k5buf *buf, uint8_t idbyte, const void *contents, /* * If the next byte in in matches idbyte and the subsequent DER length is - * valid, advance in past the value, set *contents_out to the value contents, - * and return true. Otherwise return false. Only set an error on in if the - * next bytes matches idbyte but the ensuing length is invalid. contents_out - * may be aliased to in; it will only be written to on successful decoding of a - * value. + * valid, advance in past the tag and length, set *len_out to the decoded + * length, and return true. Otherwise return false. Only set an error on in + * if the next byte matches idbyte but the ensuing length is invalid. */ static inline bool -k5_der_get_value(struct k5input *in, uint8_t idbyte, - struct k5input *contents_out) +k5_der_get_taglen(struct k5input *in, uint8_t idbyte, size_t *len_out) { uint8_t lenbyte, i; size_t len; - const void *bytes; /* Do nothing if in is empty or the next byte doesn't match idbyte. */ if (in->status || in->len == 0 || *in->ptr != idbyte) @@ -139,6 +135,30 @@ k5_der_get_value(struct k5input *in, uint8_t idbyte, } } + if (in->status) + return false; + + *len_out = len; + return true; +} + +/* + * If the next byte in in matches idbyte and the subsequent DER length is + * valid, advance in past the value, set *contents_out to the value contents, + * and return true. Otherwise return false. Only set an error on in if the + * next byte matches idbyte but the ensuing length is invalid. contents_out + * may be aliased to in; it will only be written to on successful decoding of a + * value. + */ +static inline bool +k5_der_get_value(struct k5input *in, uint8_t idbyte, + struct k5input *contents_out) +{ + size_t len; + const void *bytes; + + if (!k5_der_get_taglen(in, idbyte, &len)) + return false; bytes = k5_input_get_bytes(in, len); if (bytes == NULL) return false; 
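Review bot: The header comment on the new `k5_der_get_taglen()` should state that `*len_out` is not validated against the remaining input: unlike `k5_der_get_value()`, it can return a length larger than `in->len`, and the comment on the `get_der_tag()` helper this commit removes from k5unsealiov.c made that explicit ("output an unchecked content length"). Suggest appending ` * The decoded length is not checked against in->len; callers that want the value contents should use k5_der_get_value() instead.` to the comment block. The length-decoding loop of k5_der_get_taglen() lies in the gap between the two hunks, so only its entry and exit are visible here.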
diff --git a/src/lib/gssapi/generic/gssapiP_generic.h b/src/lib/gssapi/generic/gssapiP_generic.h index 7201f2ad5..96dd60546 100644 --- a/src/lib/gssapi/generic/gssapiP_generic.h +++ b/src/lib/gssapi/generic/gssapiP_generic.h @@ -47,6 +47,7 @@ #include "k5-platform.h" #include "k5-buf.h" +#include "k5-input.h" /** helper macros **/ @@ -69,6 +70,7 @@ #define g_make_string_buffer gssint_g_make_string_buffer #define g_token_size gssint_g_token_size #define g_make_token_header gssint_g_make_token_header +#define g_get_token_header gssint_g_get_token_header #define g_verify_token_header gssint_g_verify_token_header #define g_display_major_status gssint_g_display_major_status #define g_display_com_err_status gssint_g_display_com_err_status @@ -89,14 +91,10 @@ unsigned int g_token_size (const gss_OID_desc * mech, unsigned int body_size); void g_make_token_header (struct k5buf *buf, const gss_OID_desc *mech, size_t body_size, int tok_type); -/* flags for g_verify_token_header() */ -#define G_VFY_TOKEN_HDR_WRAPPER_REQUIRED 0x01 +int g_get_token_header (struct k5input *in, gss_OID oid_out, + size_t *token_len_out); -gss_int32 g_verify_token_header (const gss_OID_desc * mech, - unsigned int *body_size, - unsigned char **buf, int tok_type, - unsigned int toksize_in, - int flags); +int g_verify_token_header(struct k5input *in, gss_const_OID expected_mech); OM_uint32 g_display_major_status (OM_uint32 *minor_status, OM_uint32 status_value, diff --git a/src/lib/gssapi/generic/util_token.c b/src/lib/gssapi/generic/util_token.c index 2369cae22..1ee948fcc 100644 --- a/src/lib/gssapi/generic/util_token.c +++ b/src/lib/gssapi/generic/util_token.c 
@@ -62,47 +62,56 @@ g_make_token_header(struct k5buf *buf, const gss_OID_desc *mech, } /* - * Given a buffer containing a token, reads and verifies the token, - * leaving buf advanced past the token header, and setting body_size - * to the number of remaining bytes. Returns 0 on success, - * G_BAD_TOK_HEADER for a variety of errors, and G_WRONG_MECH if the - * mechanism in the token does not match the mech argument. buf and - * *body_size are left unmodified on error. + * If a valid GSSAPI generic token header is present at the beginning of *in, + * advance past it, set *oid_out to the mechanism OID in the header, set + * *token_len_out to the total token length (including the header) as indicated + * by length of the outermost DER value, and return true. Otherwise return + * false, leaving *in unchanged if it did not begin with a 0x60 byte. + * + * Do not verify that the outermost length matches or fits within in->len, as + * we need to be able to handle a detached header for krb5 IOV unwrap. It is + * the caller's responsibility to validate *token_len_out if necessary. */ - -gss_int32 -g_verify_token_header( - const gss_OID_desc * mech, - unsigned int *body_size, - unsigned char **buf_in, - int tok_type, - unsigned int toksize_in, - int flags) +int +g_get_token_header(struct k5input *in, gss_OID oid_out, size_t *token_len_out) { - struct k5input in, mech_der; - gss_OID_desc toid; + size_t len, tlen; + const uint8_t *orig_ptr = in->ptr; + struct k5input oidbytes; - k5_input_init(&in, *buf_in, toksize_in); + /* Read the outermost tag and length, and compute the full token length. 
*/ + if (!k5_der_get_taglen(in, 0x60, &len)) + return 0; + tlen = len + (in->ptr - orig_ptr); - if (k5_der_get_value(&in, 0x60, &in)) { - if (in.ptr + in.len != *buf_in + toksize_in) - return G_BAD_TOK_HEADER; - if (!k5_der_get_value(&in, 0x06, &mech_der)) - return G_BAD_TOK_HEADER; - toid.elements = (uint8_t *)mech_der.ptr; - toid.length = mech_der.len; - if (!g_OID_equal(&toid, mech)) - return G_WRONG_MECH; - } else if (flags & G_VFY_TOKEN_HDR_WRAPPER_REQUIRED) { - return G_BAD_TOK_HEADER; - } + /* Read the mechanism OID. */ + if (!k5_der_get_value(in, 0x06, &oidbytes)) + return 0; + oid_out->length = oidbytes.len; + oid_out->elements = (uint8_t *)oidbytes.ptr; - if (tok_type != -1) { - if (k5_input_get_uint16_be(&in) != tok_type) - return in.status ? G_BAD_TOK_HEADER : G_WRONG_TOKID; - } + *token_len_out = tlen; + return 1; +} - *buf_in = (uint8_t *)in.ptr; - *body_size = in.len; - return 0; +/* + * If a token header for expected_mech is present in *in and the token length + * indicated by the header is equal to in->len, advance past the header and + * return true. Otherwise return false. Leave *in unmodified if no token + * header is present or it is for a different mechanism. + */ +int +g_verify_token_header(struct k5input *in, gss_const_OID expected_mech) +{ + struct k5input orig = *in; + gss_OID_desc mech; + size_t tlen, orig_len = in->len; + + if (!g_get_token_header(in, &mech, &tlen) || tlen != orig_len) + return 0; + if (!g_OID_equal(&mech, expected_mech)) { + *in = orig; + return 0; + } + return 1; } diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index c224ee9ac..c9987b757 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c 
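Review bot: In `g_get_token_header()`, `tlen = len + (in->ptr - orig_ptr);` can wrap, because `k5_der_get_taglen()` accepts any `len` up to SIZE_MAX (the same decoding loop is visible in the removed `get_der_tag()`), and a wrapped `tlen` would satisfy the `tlen != orig_len` test in `g_verify_token_header()` and the `tlen != input_token->length` test in accept_sec_context.c. The later reads still go through the bounded k5input, so this looks like a framing-validation gap rather than a memory-safety problem, but the comment promises callers the "total token length" and that should never be a wrapped value. A guard right after the taglen call, `if (len > SIZE_MAX - (size_t)(in->ptr - orig_ptr)) return 0;`, closes it.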
@@ -625,6 +625,44 @@ fail: return status; } +/* + * Verify the ASN.1 framing and token type in an RFC 4121 initiator token. Set + * *mech_used_out to the mechanism in the framing, as a pointer to a global OID + * for one of the expected mechanisms. Set *ap_req_out to the portion of the + * token containing the AP-REQ encoding. Return G_BAD_TOK_HEADER if the + * framing is invalid. Return G_WRONG_TOKID if the token type is incorrect. + * Return G_WRONG_MECH if the mechanism OID in the framing is not one of the + * expected Kerberos mechanisms. + */ +static OM_uint32 +parse_init_token(gss_buffer_t input_token, gss_const_OID *mech_used_out, + krb5_data *ap_req_out) +{ + struct k5input in; + gss_OID_desc mech; + size_t tlen; + + k5_input_init(&in, input_token->value, input_token->length); + if (!g_get_token_header(&in, &mech, &tlen) || tlen != input_token->length) + return G_BAD_TOK_HEADER; + if (k5_input_get_uint16_be(&in) != KG_TOK_CTX_AP_REQ) + return G_WRONG_TOKID; + + if (g_OID_equal(&mech, gss_mech_krb5)) + *mech_used_out = gss_mech_krb5; + else if (g_OID_equal(&mech, gss_mech_iakerb)) + *mech_used_out = gss_mech_iakerb; + else if (g_OID_equal(&mech, gss_mech_krb5_wrong)) + *mech_used_out = gss_mech_krb5_wrong; + else if (g_OID_equal(&mech, gss_mech_krb5_old)) + *mech_used_out = gss_mech_krb5_old; + else + return G_WRONG_MECH; + + *ap_req_out = make_data((uint8_t *)in.ptr, in.len); + return 0; +} + static OM_uint32 kg_accept_krb5(OM_uint32 *minor_status, gss_ctx_id_t *context_handle, gss_cred_id_t verifier_cred_handle, gss_buffer_t input_token, @@ -635,7 +673,6 @@ kg_accept_krb5(OM_uint32 *minor_status, gss_ctx_id_t *context_handle, krb5_gss_ctx_ext_t exts) { krb5_context context; - unsigned char *ptr; krb5_gss_cred_id_t cred = 0; krb5_data ap_rep, ap_req; krb5_error_code code; 
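Review bot: `parse_init_token()` no longer distinguishes a truncated token from a wrong token type: when the input ends right after the mechanism OID, `k5_input_get_uint16_be()` returns 0 with `in.status` set and the function reports G_WRONG_TOKID, which the caller maps to GSS_S_CONTINUE_NEEDED with KRB5KRB_AP_ERR_MSG_TYPE. The `g_verify_token_header()` removed from util_token.c returned G_BAD_TOK_HEADER in that case (`return in.status ? G_BAD_TOK_HEADER : G_WRONG_TOKID;`). If that distinction is still wanted, use `if (k5_input_get_uint16_be(&in) != KG_TOK_CTX_AP_REQ) return in.status ? G_BAD_TOK_HEADER : G_WRONG_TOKID;`; if the new behaviour is deliberate, the function comment should say that a truncated body is reported as G_WRONG_TOKID.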
@@ -723,56 +760,21 @@ kg_accept_krb5(OM_uint32 *minor_status, gss_ctx_id_t *context_handle, goto fail; } - /* verify the token's integrity, and leave the token in ap_req. - figure out which mech oid was used, and save it */ - - ptr = (unsigned char *) input_token->value; - - if (!(code = g_verify_token_header(gss_mech_krb5, - &(ap_req.length), - &ptr, KG_TOK_CTX_AP_REQ, - input_token->length, 1))) { - mech_used = gss_mech_krb5; - } else if ((code == G_WRONG_MECH) - &&!(code = g_verify_token_header((gss_OID) gss_mech_iakerb, - &(ap_req.length), - &ptr, KG_TOK_CTX_AP_REQ, - input_token->length, 1))) { - mech_used = gss_mech_iakerb; - } else if ((code == G_WRONG_MECH) - &&!(code = g_verify_token_header((gss_OID) gss_mech_krb5_wrong, - &(ap_req.length), - &ptr, KG_TOK_CTX_AP_REQ, - input_token->length, 1))) { - mech_used = gss_mech_krb5_wrong; - } else if ((code == G_WRONG_MECH) && - !(code = g_verify_token_header(gss_mech_krb5_old, - &(ap_req.length), - &ptr, KG_TOK_CTX_AP_REQ, - input_token->length, 1))) { - /* - * Previous versions of this library used the old mech_id - * and some broken behavior (wrong IV on checksum - * encryption). We support the old mech_id for - * compatibility, and use it to decide when to use the - * old behavior. - */ - mech_used = gss_mech_krb5_old; - } else if (code == G_WRONG_TOKID) { + code = parse_init_token(input_token, &mech_used, &ap_req); + if (code == G_WRONG_TOKID) { major_status = GSS_S_CONTINUE_NEEDED; code = KRB5KRB_AP_ERR_MSG_TYPE; mech_used = gss_mech_krb5; goto fail; } else if (code == G_BAD_TOK_HEADER) { /* DCE style not encapsulated */ - ap_req.length = input_token->length; + ap_req = make_data(input_token->value, input_token->length); mech_used = gss_mech_krb5; no_encap = 1; - } else { + } else if (code) { major_status = GSS_S_DEFECTIVE_TOKEN; goto fail; } - ap_req.data = (char *)ptr; /* construct the sender_addr */ diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c index 69c3445d6..539b23195 100644 
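Review bot: The deleted comment explaining why gss_mech_krb5_old is still accepted ("Previous versions of this library used the old mech_id and some broken behavior (wrong IV on checksum encryption) ... use it to decide when to use the old behavior") is not carried over to `parse_init_token()`, which is now the only place that selects that mechanism; suggest re-adding it on the `gss_mech_krb5_old` branch there. With the other codes handled above it, the final `else if (code)` branch is reachable only for G_WRONG_MECH, so a one-line comment such as `/* G_WRONG_MECH: not a Kerberos mechanism we recognize. */` would make that explicit. kg_accept_krb5's body continues outside the hunk.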
--- a/src/lib/gssapi/krb5/iakerb.c +++ b/src/lib/gssapi/krb5/iakerb.c @@ -170,8 +170,7 @@ iakerb_parse_token(iakerb_ctx_id_t ctx, { krb5_error_code code; krb5_iakerb_header *iah = NULL; - unsigned int bodysize; - uint8_t *body; + const uint8_t *token_body; krb5_data data; struct k5input in, seq; @@ -180,21 +179,21 @@ iakerb_parse_token(iakerb_ctx_id_t ctx, goto cleanup; } - body = token->value; - code = g_verify_token_header(gss_mech_iakerb, &bodysize, &body, - IAKERB_TOK_PROXY, token->length, - G_VFY_TOKEN_HDR_WRAPPER_REQUIRED); - if (code != 0) + k5_input_init(&in, token->value, token->length); + if (!g_verify_token_header(&in, gss_mech_iakerb) || + k5_input_get_uint16_be(&in) != IAKERB_TOK_PROXY) { + code = G_BAD_TOK_HEADER; goto cleanup; + } /* Find the end of the DER sequence tag and decode it (with the tag) as the - * IAKERB jeader. */ - k5_input_init(&in, body, bodysize); + * IAKERB header. */ + token_body = in.ptr; if (!k5_der_get_value(&in, 0x30, &seq)) { code = ASN1_BAD_ID; goto cleanup; } - data = make_data(body, seq.ptr + seq.len - body); + data = make_data((uint8_t *)token_body, seq.ptr + seq.len - token_body); code = decode_krb5_iakerb_header(&data, &iah); if (code != 0) goto cleanup; @@ -767,16 +766,11 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status, static krb5_boolean iakerb_is_iakerb_token(const gss_buffer_t token) { - krb5_error_code code; - unsigned int bodysize = token->length; - unsigned char *ptr = token->value; - - code = g_verify_token_header(gss_mech_iakerb, - &bodysize, &ptr, - IAKERB_TOK_PROXY, - token->length, 0); + struct k5input in; - return (code == 0); + k5_input_init(&in, token->value, token->length); + return g_verify_token_header(&in, gss_mech_iakerb) && + k5_input_get_uint16_be(&in) == IAKERB_TOK_PROXY; } static void diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 0a088c574..27011d0c9 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c 
+++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -709,8 +709,9 @@ mutual_auth( krb5_context context) { OM_uint32 major_status; - unsigned char *ptr; - krb5_data ap_rep; + struct k5input in; + uint16_t toktype; + krb5_data body; krb5_ap_rep_enc_part *ap_rep_data; krb5_timestamp now; krb5_gss_ctx_id_rec *ctx; @@ -753,24 +754,19 @@ mutual_auth( goto fail; } - ptr = (unsigned char *) input_token->value; - if (ctx->gss_flags & GSS_C_DCE_STYLE) { /* Raw AP-REP */ - ap_rep.length = input_token->length; - } else if (g_verify_token_header(ctx->mech_used, - &(ap_rep.length), - &ptr, KG_TOK_CTX_AP_REP, - input_token->length, 1)) { - if (g_verify_token_header((gss_OID) ctx->mech_used, - &(ap_rep.length), - &ptr, KG_TOK_CTX_ERROR, - input_token->length, 1) == 0) { - - /* Handle a KRB_ERROR message from the server */ - - ap_rep.data = (char *)ptr; - code = krb5_rd_error(context, &ap_rep, &krb_error); + body = make_data(input_token->value, input_token->length); + } else { + k5_input_init(&in, input_token->value, input_token->length); + if (!g_verify_token_header(&in, ctx->mech_used)) { + *minor_status = 0; + return(GSS_S_DEFECTIVE_TOKEN); + } + toktype = k5_input_get_uint16_be(&in); + body = make_data((uint8_t *)in.ptr, in.len); + if (toktype == KG_TOK_CTX_ERROR) { + code = krb5_rd_error(context, &body, &krb_error); if (code) goto fail; if (krb_error->error) 
@@ -779,24 +775,22 @@ mutual_auth( code = 0; krb5_free_error(context, krb_error); goto fail; - } else { + } else if (toktype != KG_TOK_CTX_AP_REP) { *minor_status = 0; return(GSS_S_DEFECTIVE_TOKEN); } } - ap_rep.data = (char *)ptr; /* decode the ap_rep */ - if ((code = krb5_rd_rep(context, ctx->auth_context, &ap_rep, - &ap_rep_data))) { + code = krb5_rd_rep(context, ctx->auth_context, &body, &ap_rep_data); + if (code) { /* * XXX A hack for backwards compatibility. * To be removed in 1999 -- proven */ krb5_auth_con_setuseruserkey(context, ctx->auth_context, &ctx->subkey->keyblock); - if ((krb5_rd_rep(context, ctx->auth_context, &ap_rep, - &ap_rep_data))) + if (krb5_rd_rep(context, ctx->auth_context, &body, &ap_rep_data) != 0) goto fail; } diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c index c63e04bd1..5e57487da 100644 --- a/src/lib/gssapi/krb5/k5unseal.c +++ b/src/lib/gssapi/krb5/k5unseal.c @@ -358,12 +358,9 @@ kg_unseal(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int *conf_state, gss_qop_t *qop_state, int toktype) { krb5_gss_ctx_id_rec *ctx; - unsigned char *ptr; - unsigned int bodysize; - int err; int toktype2; - int vfyflags = 0; OM_uint32 ret; + struct k5input in; ctx = (krb5_gss_ctx_id_rec *) context_handle; 
@@ -376,42 +373,25 @@ kg_unseal(OM_uint32 *minor_status, gss_ctx_id_t context_handle, /* verify the header */ - ptr = (unsigned char *) input_token_buffer->value; - - - err = g_verify_token_header(ctx->mech_used, - &bodysize, &ptr, -1, - input_token_buffer->length, - vfyflags); - if (err) { - *minor_status = err; - return GSS_S_DEFECTIVE_TOKEN; - } - - if (bodysize < 2) { - *minor_status = (OM_uint32)G_BAD_TOK_HEADER; - return GSS_S_DEFECTIVE_TOKEN; - } - - toktype2 = load_16_be(ptr); - - ptr += 2; - bodysize -= 2; + k5_input_init(&in, input_token_buffer->value, input_token_buffer->length); + (void)g_verify_token_header(&in, ctx->mech_used); + toktype2 = k5_input_get_uint16_be(&in); switch (toktype2) { case KG2_TOK_MIC_MSG: case KG2_TOK_WRAP_MSG: case KG2_TOK_DEL_CTX: ret = gss_krb5int_unseal_token_v3(&ctx->k5_context, minor_status, ctx, - ptr, bodysize, message_buffer, - conf_state, qop_state, toktype); + (uint8_t *)in.ptr, in.len, + message_buffer, conf_state, + qop_state, toktype); break; case KG_TOK_MIC_MSG: case KG_TOK_WRAP_MSG: case KG_TOK_DEL_CTX: - ret = kg_unseal_v1(ctx->k5_context, minor_status, ctx, ptr, bodysize, - message_buffer, conf_state, qop_state, - toktype); + ret = kg_unseal_v1(ctx->k5_context, minor_status, ctx, + (uint8_t *)in.ptr, in.len, message_buffer, + conf_state, qop_state, toktype); break; default: *minor_status = (OM_uint32)G_BAD_TOK_HEADER; diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c index 21b501731..de79f3016 100644 --- a/src/lib/gssapi/krb5/k5unsealiov.c +++ b/src/lib/gssapi/krb5/k5unsealiov.c 
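Review bot: Discarding the result of `g_verify_token_header()` with `(void)` means a token whose wrapper starts with 0x60 but is malformed or carries the wrong outer length is no longer rejected here; the function leaves `in` advanced in those cases (it restores `*in` only for a mechanism mismatch) and `toktype2` is then read from wherever parsing stopped, whereas the removed code returned GSS_S_DEFECTIVE_TOKEN for any header error. A wrapper with a valid length but no OID tag does not even set `in.status`, so the `in.status` check that kg_unseal_stream_iov() adds in k5unsealiov.c does not catch it, and kg_unseal_iov_token() in that file has the same gap on its `g_get_token_header()` false branch. If the intent is only to tolerate an absent wrapper (DCE-style raw tokens), the pattern below keeps that while treating a present-but-invalid wrapper as defective; it needs a `const uint8_t *start;` declaration, and the same shape fits the two k5unsealiov.c sites. kg_unseal's body continues outside the hunk.
```c
    k5_input_init(&in, input_token_buffer->value, input_token_buffer->length);
    start = in.ptr;
    if (!g_verify_token_header(&in, ctx->mech_used) &&
        (in.status || in.ptr != start)) {
        /* A wrapper was present but did not parse or did not match. */
        *minor_status = (OM_uint32)G_BAD_TOK_HEADER;
        return GSS_S_DEFECTIVE_TOKEN;
    }
    toktype2 = k5_input_get_uint16_be(&in);
    /* … unchanged: switch on toktype2 … */
```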
@@ -266,73 +266,6 @@ cleanup: return retval; } -/* Similar to k5_der_get_value(), but output an unchecked content length - * instead of a k5input containing the contents. */ -static inline bool -get_der_tag(struct k5input *in, uint8_t idbyte, size_t *len_out) -{ - uint8_t lenbyte, i; - size_t len; - - /* Do nothing if in is empty or the next byte doesn't match idbyte. */ - if (in->status || in->len == 0 || *in->ptr != idbyte) - return false; - - /* Advance past the identifier byte and decode the length. */ - (void)k5_input_get_byte(in); - lenbyte = k5_input_get_byte(in); - if (lenbyte < 128) { - len = lenbyte; - } else { - len = 0; - for (i = 0; i < (lenbyte & 0x7F); i++) { - if (len > (SIZE_MAX >> 8)) { - k5_input_set_status(in, EOVERFLOW); - return false; - } - len = (len << 8) | k5_input_get_byte(in); - } - } - - if (in->status) - return false; - - *len_out = len; - return true; -} - -/* - * Similar to g_verify_token_header() without toktype or flags, but do not read - * more than *header_len bytes of ASN.1 wrapper, and on output set *header_len - * to the remaining number of header bytes. Verify the outer DER tag's length - * against token_len, which may be larger (but not smaller) than *header_len. 
- */ -static gss_int32 -verify_detached_wrapper(const gss_OID_desc *mech, size_t *header_len, - uint8_t **header_in, size_t token_len) -{ - struct k5input in, mech_der; - gss_OID_desc toid; - size_t len; - - k5_input_init(&in, *header_in, *header_len); - - if (get_der_tag(&in, 0x60, &len)) { - if (len != token_len - (in.ptr - *header_in)) - return G_BAD_TOK_HEADER; - if (!k5_der_get_value(&in, 0x06, &mech_der)) - return G_BAD_TOK_HEADER; - toid.elements = (uint8_t *)mech_der.ptr; - toid.length = mech_der.len; - if (!g_OID_equal(&toid, mech)) - return G_WRONG_MECH; - } - - *header_in = (uint8_t *)in.ptr; - *header_len = in.len; - return 0; -} - /* * Caller must provide TOKEN | DATA | PADDING | TRAILER, except * for DCE in which case it can just provide TOKEN | DATA (must @@ -349,11 +282,12 @@ kg_unseal_iov_token(OM_uint32 *minor_status, { krb5_error_code code; krb5_context context = ctx->k5_context; - unsigned char *ptr; + struct k5input in; + gss_OID_desc mech; + size_t tlen, header_tlen; gss_iov_buffer_t header; gss_iov_buffer_t padding; gss_iov_buffer_t trailer; - size_t input_length, hlen; int toktype2; header = kg_locate_header_iov(iov, iov_count, toktype); 
@@ -365,40 +299,32 @@ kg_unseal_iov_token(OM_uint32 *minor_status, padding = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING); trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER); - ptr = (unsigned char *)header->buffer.value; - input_length = header->buffer.length; - + tlen = header->buffer.length; if ((ctx->gss_flags & GSS_C_DCE_STYLE) == 0 && toktype == KG_TOK_WRAP_MSG) { size_t data_length, assoc_data_length; kg_iov_msglen(iov, iov_count, &data_length, &assoc_data_length); - input_length += data_length - assoc_data_length; + tlen += data_length - assoc_data_length; if (padding != NULL) - input_length += padding->buffer.length; + tlen += padding->buffer.length; if (trailer != NULL) - input_length += trailer->buffer.length; + tlen += trailer->buffer.length; } - hlen = header->buffer.length; - code = verify_detached_wrapper(ctx->mech_used, &hlen, &ptr, input_length); - if (code != 0) { - *minor_status = code; - return GSS_S_DEFECTIVE_TOKEN; - } - - if (hlen < 2) { - *minor_status = (OM_uint32)G_BAD_TOK_HEADER; - return GSS_S_DEFECTIVE_TOKEN; + /* If there is a token header, advance past it and verify its mech and + * token length. */ + k5_input_init(&in, header->buffer.value, header->buffer.length); + if (g_get_token_header(&in, &mech, &header_tlen)) { + if (!g_OID_equal(&mech, ctx->mech_used) || header_tlen != tlen) { + *minor_status = G_BAD_TOK_HEADER; + return GSS_S_DEFECTIVE_TOKEN; + } } - - toktype2 = load_16_be(ptr); - - ptr += 2; - hlen -= 2; + toktype2 = k5_input_get_uint16_be(&in); switch (toktype2) { case KG2_TOK_MIC_MSG: @@ -411,7 +337,7 @@ kg_unseal_iov_token(OM_uint32 *minor_status, case KG_TOK_WRAP_MSG: case KG_TOK_DEL_CTX: code = kg_unseal_v1_iov(context, minor_status, ctx, iov, iov_count, - (size_t)(ptr - (unsigned char *)header->buffer.value), + (size_t)(in.ptr - (unsigned char *)header->buffer.value), conf_state, qop_state, toktype); break; default: 
@@ -439,6 +365,7 @@ kg_unseal_stream_iov(OM_uint32 *minor_status, int iov_count, int toktype) { + struct k5input in; unsigned char *ptr; unsigned int bodysize; OM_uint32 code = 0, major_status = GSS_S_FAILURE; @@ -461,23 +388,16 @@ kg_unseal_stream_iov(OM_uint32 *minor_status, ptr = (unsigned char *)stream->buffer.value; - code = g_verify_token_header(ctx->mech_used, - &bodysize, &ptr, -1, - stream->buffer.length, 0); - if (code != 0) { - major_status = GSS_S_DEFECTIVE_TOKEN; - goto cleanup; - } - - if (bodysize < 2) { + k5_input_init(&in, stream->buffer.value, stream->buffer.length); + (void)g_verify_token_header(&in, ctx->mech_used); + toktype2 = k5_input_get_uint16_be(&in); + if (in.status) { *minor_status = (OM_uint32)G_BAD_TOK_HEADER; return GSS_S_DEFECTIVE_TOKEN; } - toktype2 = load_16_be(ptr); - - ptr += 2; - bodysize -= 2; + ptr = (uint8_t *)in.ptr; + bodysize = in.len; tiov = (gss_iov_buffer_desc *)calloc((size_t)iov_count + 2, sizeof(gss_iov_buffer_desc)); if (tiov == NULL) { diff --git a/src/lib/gssapi/mechglue/g_decapsulate_token.c b/src/lib/gssapi/mechglue/g_decapsulate_token.c index 1c04e2f27..0b7346373 100644 --- a/src/lib/gssapi/mechglue/g_decapsulate_token.c +++ b/src/lib/gssapi/mechglue/g_decapsulate_token.c @@ -37,9 +37,7 @@ gss_decapsulate_token(gss_const_buffer_t input_token, gss_const_OID token_oid, gss_buffer_t output_token) { - OM_uint32 minor; - unsigned int body_size = 0; - unsigned char *buf_in; + struct k5input in; if (input_token == GSS_C_NO_BUFFER || token_oid == GSS_C_NO_OID) return GSS_S_CALL_INACCESSIBLE_READ; 
@@ -47,20 +45,16 @@ gss_decapsulate_token(gss_const_buffer_t input_token, if (output_token == GSS_C_NO_BUFFER) return GSS_S_CALL_INACCESSIBLE_WRITE; - buf_in = input_token->value; - - minor = g_verify_token_header(token_oid, &body_size, &buf_in, - -1, input_token->length, - G_VFY_TOKEN_HDR_WRAPPER_REQUIRED); - if (minor != 0) + k5_input_init(&in, input_token->value, input_token->length); + if (!g_verify_token_header(&in, token_oid)) return GSS_S_DEFECTIVE_TOKEN; - output_token->value = gssalloc_malloc(body_size); + output_token->value = gssalloc_malloc(in.len); if (output_token->value == NULL) return GSS_S_FAILURE; - memcpy(output_token->value, buf_in, body_size); - output_token->length = body_size; + memcpy(output_token->value, in.ptr, in.len); + output_token->length = in.len; return GSS_S_COMPLETE; } diff --git a/src/lib/gssapi/mechglue/g_glue.c b/src/lib/gssapi/mechglue/g_glue.c index 47f499307..76da8a83c 100644 --- a/src/lib/gssapi/mechglue/g_glue.c +++ b/src/lib/gssapi/mechglue/g_glue.c @@ -39,27 +39,6 @@ extern gss_mechanism *gssint_mechs_array; * This file contains the support routines for the glue layer. */ -/* Retrieve the mechanism OID from an RFC 2743 InitialContextToken. Place - * the result into *oid_out, aliasing memory from token. */ -OM_uint32 gssint_get_mech_type_oid(gss_OID oid_out, gss_buffer_t token) -{ - struct k5input in; - - if (oid_out == NULL) - return (GSS_S_CALL_INACCESSIBLE_WRITE); - if (token == NULL || token->value == NULL) - return (GSS_S_DEFECTIVE_TOKEN); - - k5_input_init(&in, token->value, token->length); - if (!k5_der_get_value(&in, 0x60, &in)) - return (GSS_S_DEFECTIVE_TOKEN); - if (!k5_der_get_value(&in, 0x06, &in)) - return (GSS_S_DEFECTIVE_TOKEN); - oid_out->length = in.len; - oid_out->elements = (uint8_t *)in.ptr; - return (GSS_S_COMPLETE); -} - /* * The following mechanisms do not always identify themselves * per the GSS-API specification, when interoperating with MS 
@@ -78,6 +57,9 @@ static gss_OID_desc gss_krb5_mechanism_oid_desc = OM_uint32 gssint_get_mech_type(gss_OID OID, gss_buffer_t token) { + struct k5input in; + size_t tlen; + /* Check for interoperability exceptions */ if (token->length >= sizeof(NTLMSSP_SIGNATURE) && memcmp(token->value, NTLMSSP_SIGNATURE, @@ -90,7 +72,9 @@ gssint_get_mech_type(gss_OID OID, gss_buffer_t token) } else if (token->length == 0) { *OID = gss_spnego_mechanism_oid_desc; } else { - return gssint_get_mech_type_oid(OID, token); + k5_input_init(&in, token->value, token->length); + return (g_get_token_header(&in, OID, &tlen) ? GSS_S_COMPLETE : + GSS_S_DEFECTIVE_TOKEN); } return (GSS_S_COMPLETE); diff --git a/src/lib/gssapi/mechglue/mglueP.h b/src/lib/gssapi/mechglue/mglueP.h index 7f836fbb0..edd759cb0 100644 --- a/src/lib/gssapi/mechglue/mglueP.h +++ b/src/lib/gssapi/mechglue/mglueP.h @@ -79,8 +79,6 @@ typedef struct gss_cred_id_struct { /* it to initialize the GSSAPI library */ int gssint_mechglue_initialize_library(void); -OM_uint32 gssint_get_mech_type_oid(gss_OID OID, gss_buffer_t token); - /* * This table is used to access mechanism-specific versions of the GSSAPI * functions. It contains all of the functions defined in gssapi.h except for From ghudson at mit.edu Tue Jul 30 20:44:49 2024 
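Review bot: The replacement for `gssint_get_mech_type_oid()` drops that function's `token->value == NULL` and `oid_out == NULL` checks; in the new else branch `k5_input_init(&in, token->value, token->length)` runs whenever `token->length` is nonzero, and `k5_der_get_taglen()` reads `*in->ptr` without a NULL test, so a buffer with a NULL value and a nonzero length now faults where it previously returned GSS_S_DEFECTIVE_TOKEN. The NTLMSSP `memcmp` above has a similar exposure for long enough lengths, so this may already be the caller's contract, but the removed checks suggest it was meant to be defensive. Suggest `if (token->value == NULL) return GSS_S_DEFECTIVE_TOKEN;` before the `k5_input_init()` call, and `if (OID == NULL) return GSS_S_CALL_INACCESSIBLE_WRITE;` at the top if the old guarantee is to be kept.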
From: ghudson at mit.edu (ghudson at mit.edu) Date: Tue, 30 Jul 2024 20:44:49 -0400 (EDT) Subject: krb5 commit: Restore test coverage for old session key types Message-ID: <20240731004449.58100101B2F@krbdev.mit.edu> https://github.com/krb5/krb5/commit/2063e72ca296a55768c071fb70727ff4688c3496 commit 2063e72ca296a55768c071fb70727ff4688c3496 Author: Greg Hudson Date: Mon Jul 29 12:34:10 2024 -0400 Restore test coverage for old session key types Commit 1b57a4d134bbd0e7c52d5885a92eccc815726463 made the KDC stop issuing des3 and rc4 session keys by default. To make the des3 and arcfour passes of the test suite work, it added aes256-sha1 to the permitted enctypes for those passes. Negotiating AES session keys reduces coverage of pre-CFX GSSAPI code and other uses of the older enctypes. Instead set the enable_des3 and enable_rc4 variables. src/util/k5test.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/util/k5test.py b/src/util/k5test.py index f205f0ab3..f3e0045c2 100644 --- a/src/util/k5test.py +++ b/src/util/k5test.py @@ -1339,14 +1339,14 @@ _passes = [ # Exercise the DES3 enctype. ('des3', None, - {'libdefaults': {'permitted_enctypes': 'des3 aes256-sha1'}}, + {'libdefaults': {'permitted_enctypes': 'des3', 'allow_des3': 'true'}}, {'realms': {'$realm': { 'supported_enctypes': 'des3-cbc-sha1:normal', 'master_key_type': 'des3-cbc-sha1'}}}), # Exercise the arcfour enctype. ('arcfour', None, - {'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}}, + {'libdefaults': {'permitted_enctypes': 'rc4', 'allow_rc4': 'true'}}, {'realms': {'$realm': { 'supported_enctypes': 'arcfour-hmac:normal', 'master_key_type': 'arcfour-hmac'}}}),