
From: ghudson@mit.edu
Subject: git commit

Use k5_transport(_strategy) enums for k5_sendto

In k5_sendto and k5_locate_server, replace "socktype" parameters with
a new enumerator k5_transport, so that we can add new transports which
are not in the socket type namespace. Control the order in which we
make connections of different types using a new k5_transport_strategy
enumerator, to simplify the logic for adding new transports later.
Control the result of k5_locate_server with a no_udp boolean rather
than a socket type.

[ghudson@mit.edu: renamed type to k5_transport; k5_locate_server
no_udp change; clarified commit message; fix for Solaris getaddrinfo]
[kaduk@mit.edu: name variables of type k5_transport 'transport']
[nalin@redhat.com: use transport rather than sock_type in more places,
add and use k5_transport_strategy, update the test program]

https://github.com/krb5/krb5/commit/9c6be00daca0b80aed94ec9680724f95e6be92e1
Author: Robbie Harwood (frozencemetery) <rharwood@club.cc.cmu.edu>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 9c6be00daca0b80aed94ec9680724f95e6be92e1
Branch: master
src/lib/krb5/os/changepw.c | 31 +++++-----
src/lib/krb5/os/hostrealm_domain.c | 2 +-
src/lib/krb5/os/locate_kdc.c | 75 +++++++++++++---------
src/lib/krb5/os/os-proto.h | 27 ++++++--
src/lib/krb5/os/sendto_kdc.c | 123 ++++++++++++++++++++++-------------
src/lib/krb5/os/t_locate_kdc.c | 24 ++++----
src/lib/krb5/os/t_std_conf.c | 2 +-
src/lib/krb5/os/t_trace.c | 6 +-
src/lib/krb5/os/t_trace.ref | 4 +-
src/lib/krb5/os/trace.c | 6 +-
10 files changed, 178 insertions(+), 122 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Build support for TLS used by HTTPS proxy support

Add a --with-proxy-tls-impl option to configure, taking 'openssl',
'auto', or invocation as --without-proxy-tls-impl. Use related CFLAGS
when building lib/krb5/os, and LIBS when linking libkrb5. Call the
OpenSSL library startup functions during library initialization.

https://github.com/krb5/krb5/commit/d0be57ac45ea639baa3cff0dd2108c34e834bfa7
Author: Robbie Harwood (frozencemetery) <rharwood@club.cc.cmu.edu>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: d0be57ac45ea639baa3cff0dd2108c34e834bfa7
Branch: master
src/Makefile.in | 1 +
src/config/pre.in | 5 +++++
src/configure.in | 40 ++++++++++++++++++++++++++++++++++++++++
src/lib/krb5/Makefile.in | 3 ++-
src/lib/krb5/krb5_libinit.c | 2 ++
src/lib/krb5/os/Makefile.in | 2 +-
src/lib/krb5/os/os-proto.h | 1 +
src/lib/krb5/os/sendto_kdc.c | 14 ++++++++++++++
8 files changed, 66 insertions(+), 2 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add ASN.1 codec for KKDCP's KDC-PROXY-MESSAGE

Handle encoding and decoding [MS-KKDCP] proxy messages, including
handling of the additional length bytes. Early versions of [MS-KKDCP]
incorrectly omit that the size of the proxied message is prepended to
the proxied message, as it is when we're using plain TCP, before
encoding the proxy-message structure. This is fixed at least as of
version 2.1 of the spec.

[nalin@redhat.com: add tests]

https://github.com/krb5/krb5/commit/bb89afd7c59deea855d2818fe36ef7472b4abf2e
Author: Nathaniel McCallum <npmccallum@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: bb89afd7c59deea855d2818fe36ef7472b4abf2e
Branch: master
src/include/k5-int.h | 13 ++++++++++++
src/lib/krb5/asn.1/asn1_k_encode.c | 14 ++++++++++++
src/lib/krb5/krb/kfree.c | 10 +++++++++
src/lib/krb5/libkrb5.exports | 3 ++
src/tests/asn.1/krb5_decode_test.c | 18 ++++++++++++++++
src/tests/asn.1/krb5_encode_test.c | 8 +++++++
src/tests/asn.1/ktest.c | 23 +++++++++++++++++++++
src/tests/asn.1/ktest.h | 5 ++++
src/tests/asn.1/ktest_equal.c | 12 +++++++++++
src/tests/asn.1/ktest_equal.h | 3 ++
src/tests/asn.1/reference_encode.out | 1 +
src/tests/asn.1/trval_reference.out | 37 ++++++++++++++++++++++++++++++++++
12 files changed, 147 insertions(+), 0 deletions(-)
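
The framing this commit message describes, as an added example (not code from krb5 or from the commit): the Kerberos message gets the same 4-byte big-endian length prefix used on plain TCP, and only then is wrapped in the DER-encoded KDC-PROXY-MESSAGE. Assumptions: the field layout (kerb-message [0] OCTET STRING, target-domain [1] realm as GeneralString) follows the published [MS-KKDCP] structure with explicit tagging, the optional dclocator-hint is omitted, and the names `kkdcp_encode`, `put`, `hdr` and `SAMPLE_KRB` are hypothetical.

```c
#include <stdint.h>
#include <string.h>

const uint8_t SAMPLE_KRB[3] = { 0xAA, 0xBB, 0xCC }; /* constructed bytes */

/* Prepend n bytes before *p (the encoding is built back to front). */
static int put(uint8_t *base, uint8_t **p, const void *d, size_t n)
{
    if ((size_t)(*p - base) < n)
        return -1;                       /* output buffer too small */
    *p -= n;
    memcpy(*p, d, n);
    return 0;
}

/* Prepend a DER tag and minimal definite length (content <= 65535 bytes). */
static int hdr(uint8_t *base, uint8_t **p, uint8_t tag, size_t len)
{
    uint8_t h[4] = { tag };
    size_t n = 1;
    if (len > 0xFFFF)
        return -1;
    if (len >= 0x80)
        h[n++] = len > 0xFF ? 0x82 : 0x81;
    if (len > 0xFF)
        h[n++] = (uint8_t)(len >> 8);
    h[n++] = (uint8_t)len;
    return put(base, p, h, n);
}

/* Encode KDC-PROXY-MESSAGE into out[0..]; returns its length, 0 on error. */
size_t kkdcp_encode(const uint8_t *krb, uint32_t klen, const char *realm,
                    uint8_t *out, size_t cap)
{
    uint8_t *end = out + cap, *p = end, *mark;
    uint8_t be[4] = { klen >> 24, klen >> 16, klen >> 8, klen };
    size_t rlen = strlen(realm);
    /* target-domain [1]: GeneralString realm, explicit tagging assumed */
    if (put(out, &p, realm, rlen) || hdr(out, &p, 0x1B, rlen) ||
        hdr(out, &p, 0xA1, end - p))
        return 0;
    mark = p;
    /* kerb-message [0]: OCTET STRING = 4-byte big-endian length + message */
    if (put(out, &p, krb, klen) || put(out, &p, be, 4) ||
        hdr(out, &p, 0x04, (size_t)klen + 4) || hdr(out, &p, 0xA0, mark - p) ||
        hdr(out, &p, 0x30, end - p))
        return 0;
    memmove(out, p, (size_t)(end - p));
    return (size_t)(end - p);
}
```

A receiver can use the inner prefix as a consistency check: the 4-byte value must equal the OCTET STRING length minus four.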
From: ghudson@mit.edu
Subject: git commit

Dispatch-style protocol switching for transport

Switch to using per-transport-type functions when a socket that we're
using to communicate with a server becomes readable or writable, and add
them as pointers to the connection state. The functions are passed the
name of the realm of the server being contacted, as we expect to need
this in the near future.

[nalin@redhat.com: replace macros with typedefs]
[nalin@redhat.com: compare transports with TCP_OR_UDP rather than with 0]

https://github.com/krb5/krb5/commit/606e2ccc0a2546a23761f910482a55c5bf0f98ac
Author: Robbie Harwood (frozencemetery) <rharwood@club.cc.cmu.edu>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 606e2ccc0a2546a23761f910482a55c5bf0f98ac
Branch: master
src/lib/krb5/os/changepw.c | 6 +-
src/lib/krb5/os/os-proto.h | 1 +
src/lib/krb5/os/sendto_kdc.c | 297 +++++++++++++++++++++++------------------
3 files changed, 171 insertions(+), 133 deletions(-)
From: ghudson@mit.edu
Subject: git commit

HTTPS transport (Microsoft KKDCP implementation)

Add an 'HTTPS' transport type which connects to an [MS-KKDCP] proxy
server using HTTPS to communicate with a KDC. The KDC's name should
take the form of an HTTPS URL (e.g. "https://proxybox/KdcProxy").

An HTTPS connection's encryption layer can be reading and writing when
the application layer is expecting to write and read, so the HTTPS
callbacks have to handle being called multiple times.

[nalin@redhat.com: use cleanup labels, make sure we always send the
realm name, keep a copy of the URI on-hand, move most of the
conditionally-compiled sections into their own conditionally-built
functions, break out HTTPS request formatting into a helper function,
handle the MS-KKDCP length bytes, update comments to mention specific
versions of the MS-KKDCP spec, differentiate TCP and HTTP trace
messages, trace unparseable responses]

https://github.com/krb5/krb5/commit/d950809ff49e3e7603594186d77135a09ab6b1b2
Author: Nalin Dahyabhai <nalin@dahyabhai.net>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: d950809ff49e3e7603594186d77135a09ab6b1b2
Branch: master
src/include/k5-trace.h | 13 ++
src/lib/krb5/os/locate_kdc.c | 63 ++++++-
src/lib/krb5/os/os-proto.h | 2 +
src/lib/krb5/os/sendto_kdc.c | 417 ++++++++++++++++++++++++++++++++++++++--
src/lib/krb5/os/t_locate_kdc.c | 2 +
src/lib/krb5/os/trace.c | 2 +
6 files changed, 471 insertions(+), 28 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Load custom anchors when using KKDCP

Add an http_anchors per-realm setting which we'll apply when using an
HTTPS proxy, more or less mimicking the syntax of its similarly-named
PKINIT counterpart. We only check the [realms] section, though.

https://github.com/krb5/krb5/commit/f220067c2969aab107bd1300ad1cb8d4855389a7
Author: Nalin Dahyabhai <nalin@dahyabhai.net>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: f220067c2969aab107bd1300ad1cb8d4855389a7
Branch: master
doc/admin/conf_files/krb5_conf.rst | 26 ++++++
src/include/k5-int.h | 1 +
src/include/k5-trace.h | 7 ++
src/lib/krb5/os/sendto_kdc.c | 169 +++++++++++++++++++++++++++++++++++-
4 files changed, 201 insertions(+), 2 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Check names in the server's cert when using KKDCP

When we connect to a KDC using an HTTPS proxy, check that the naming
information in the certificate matches the name or address which we
extracted from the server URL in the configuration.

https://github.com/krb5/krb5/commit/f7825e81b1ebf533c1dba9f84ae9ad36073a89cf
Author: Nalin Dahyabhai <nalin@dahyabhai.net>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: f7825e81b1ebf533c1dba9f84ae9ad36073a89cf
Branch: master
src/include/k5-trace.h | 5 +
src/lib/krb5/os/Makefile.in | 3 +
src/lib/krb5/os/checkhost.c | 251 ++++++++++++++++++++++++++++++++++++++++++
src/lib/krb5/os/checkhost.h | 39 +++++++
src/lib/krb5/os/deps | 14 ++-
src/lib/krb5/os/sendto_kdc.c | 53 ++++++++--
6 files changed, 355 insertions(+), 10 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add some longer-form docs for HTTPS

Add some longer-form documentation for the new HTTPS support, walking a
prospective administrator through generating a bare minimal signing
setup, deploying a WSGI-based proxy server onto an Apache httpd server
using mod_ssl and mod_wsgi, and configuring clients to use it.

https://github.com/krb5/krb5/commit/b52acabf478e8d1aa19f7823aade81eed1553143
Author: Nalin Dahyabhai <nalin@dahyabhai.net>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: b52acabf478e8d1aa19f7823aade81eed1553143
Branch: master
doc/admin/https.rst | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
doc/admin/index.rst | 1 +
2 files changed, 49 insertions(+), 0 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Have k5test.py provide 'runenv' to python tests

Expose the formerly-internal _runenv module as k5test.runenv, so that
settings we store in the top-level runenv.py will be available to them.

https://github.com/krb5/krb5/commit/f78f8b1a46534db3a4547323ba952c1fa1b41fe9
Author: Nalin Dahyabhai <nalin@dahyabhai.net>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: f78f8b1a46534db3a4547323ba952c1fa1b41fe9
Branch: master
src/util/k5test.py | 15 ++++++++++-----
1 files changed, 10 insertions(+), 5 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add a simple KDC proxy test server

This proxy server uses python-paste to run the kdcproxy from
https://pypi.python.org/pypi/kdcproxy. It should be used along
with the proxy.pem certificate in ../tests/dejagnu/proxy-certs.

https://github.com/krb5/krb5/commit/142255ba9af4ce1016a8eadf147e599ee490f1f7
Author: Nalin Dahyabhai <nalin@dahyabhai.net>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 142255ba9af4ce1016a8eadf147e599ee490f1f7
Branch: master
src/tests/dejagnu/proxy-certs/ca.pem | 28 +++++
src/tests/dejagnu/proxy-certs/make-certs.sh | 124 ++++++++++++++++++++++
src/tests/dejagnu/proxy-certs/proxy-badsig.pem | 56 ++++++++++
src/tests/dejagnu/proxy-certs/proxy-ideal.pem | 56 ++++++++++
src/tests/dejagnu/proxy-certs/proxy-no-match.pem | 54 ++++++++++
src/tests/dejagnu/proxy-certs/proxy-san.pem | 56 ++++++++++
src/tests/dejagnu/proxy-certs/proxy-subject.pem | 54 ++++++++++
src/util/paste-kdcproxy.py | 18 +++
8 files changed, 446 insertions(+), 0 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add tests for MS-KKDCP client support

Exercise the MS-KKDCP client support using the test proxy server, for
AS, TGS, and kpasswd requests while also checking the certificate
verification and name checks.

https://github.com/krb5/krb5/commit/3e2c7cc557048faac3400ae41b0228bd37a82a4c
Author: Nalin Dahyabhai <nalin@dahyabhai.net>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 3e2c7cc557048faac3400ae41b0228bd37a82a4c
Branch: master
src/tests/Makefile.in | 1 +
src/tests/t_proxy.py | 219 +++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 220 insertions(+), 0 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Simplify and fix k5_check_cert_address

Get rid of the address union. Store the result of get_cert_cn in a
signed variable so we can meaningfully check for negative results.
Make get_cert_cn return int for consistency with
X509_NAME_get_text_by_NID and its two callers.

Also add an emacs mode line to the top of the file.

https://github.com/krb5/krb5/commit/b6ec31e4e599db867ff19beef3be9b0bfa5b70eb
Author: Greg Hudson <ghudson@mit.edu>
Commit: b6ec31e4e599db867ff19beef3be9b0bfa5b70eb
Branch: master
src/lib/krb5/os/checkhost.c | 31 ++++++++++++-------------------
1 files changed, 12 insertions(+), 19 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Move KKDCP OpenSSL code to an internal plugin

Create an internal pluggable interface "tls" with one in-tree dynamic
plugin module named "k5tls". Move all of the OpenSSL calls to the
plugin module, and make the libkrb5 code load and invoke the plugin.
This way we do not load or initialize libssl unless an HTTP proxy is
used.

https://github.com/krb5/krb5/commit/472349d2a47fbc7db82e46ba46411b95c312fc1f
Author: Greg Hudson <ghudson@mit.edu>
Commit: 472349d2a47fbc7db82e46ba46411b95c312fc1f
Branch: master
src/Makefile.in | 3 +-
src/config/pre.in | 1 +
src/configure.in | 6 +
src/include/k5-int.h | 7 +-
src/include/k5-tls.h | 104 +++++++
src/include/k5-trace.h | 33 +-
src/lib/krb5/Makefile.in | 3 +-
src/lib/krb5/krb/copy_ctx.c | 1 +
src/lib/krb5/krb/init_ctx.c | 1 +
src/lib/krb5/krb/plugin.c | 3 +-
src/lib/krb5/krb5_libinit.c | 2 -
src/lib/krb5/os/Makefile.in | 3 +-
src/lib/krb5/os/checkhost.c | 244 ---------------
src/lib/krb5/os/checkhost.h | 39 ---
src/lib/krb5/os/deps | 13 +-
src/lib/krb5/os/locate_kdc.c | 8 -
src/lib/krb5/os/os-proto.h | 1 -
src/lib/krb5/os/sendto_kdc.c | 425 ++++++---------------------
src/plugins/tls/k5tls/Makefile.in | 22 ++
src/plugins/tls/k5tls/deps | 25 ++
src/plugins/tls/k5tls/k5tls.exports | 1 +
src/plugins/tls/k5tls/notls.c | 53 ++++
src/plugins/tls/k5tls/openssl.c | 570 +++++++++++++++++++++++++++++++++++
23 files changed, 899 insertions(+), 669 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Rename --with-proxy-tls-impl to --with-tls-impl

Make the configure option for TLS implementation more generic, in case
we use the k5tls module for something other than KDC proxy support.
Rename all of the associated symbols for consistency.

https://github.com/krb5/krb5/commit/788e70c7c77b0c1f4a79e3f1b6c96a0cf99e0327
Author: Greg Hudson <ghudson@mit.edu>
Commit: 788e70c7c77b0c1f4a79e3f1b6c96a0cf99e0327
Branch: master
src/Makefile.in | 2 +-
src/config/pre.in | 8 +++---
src/configure.in | 42 +++++++++++++++++-------------------
src/plugins/tls/k5tls/Makefile.in | 4 +-
src/plugins/tls/k5tls/notls.c | 4 +-
src/plugins/tls/k5tls/openssl.c | 4 +-
src/tests/t_proxy.py | 5 +--
src/util/k5test.py | 4 +-
8 files changed, 35 insertions(+), 38 deletions(-)