
Subject: Add auth-indicator authdata module
To make auth-indicator authorization data visible to server applications,
we should add an authdata module which surfaces these values via GSS name
attributes.
From: ghudson@mit.edu
Subject: git commit

Add libkrb5 CAMMAC and auth-indicator functions

Add k5_unwrap_cammac_svc() and k5_authind_decode() internal functions
to libkrb5, for use by test programs and the forthcoming
auth-indicator authdata module. Remove the unused
cammac_check_svcver() from the KDC code. Modify tests/adata.c to use
the new functions, and add a test case to t_authdata.py for multiple
indicator values.

[ghudson@mit.edu: squash three commits; make k5_cammac_check_svcver()
a static helper]

https://github.com/krb5/krb5/commit/3563485fdb54024bd79a4491000c84943cc20ab9
Author: Matt Rogers <mrogers@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 3563485fdb54024bd79a4491000c84943cc20ab9
Branch: master
src/include/k5-int.h | 6 +++
src/kdc/cammac.c | 21 ---------
src/kdc/kdc_util.h | 4 --
src/lib/krb5/krb/Makefile.in | 3 +
src/lib/krb5/krb/authdata_dec.c | 45 ++++++++++++++++++++
src/lib/krb5/krb/cammac_util.c | 86 +++++++++++++++++++++++++++++++++++++++
src/lib/krb5/libkrb5.exports | 2 +
src/tests/adata.c | 30 ++-----------
src/tests/t_authdata.py | 7 +++
9 files changed, 154 insertions(+), 50 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add CAMMAC handling to the authdata framework

Handle CAMMAC contained authdata similarly to KDC-issued authdata, where
it is verified before passing to the import function.

[ghudson@mit.edu: fix memory leak and reduce copying in
extract_cammac()]

https://github.com/krb5/krb5/commit/f4f619e7905d762204695dd66450e586c183c9fd
Author: Matt Rogers <mrogers@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: f4f619e7905d762204695dd66450e586c183c9fd
Branch: master
src/include/krb5/authdata_plugin.h | 3 +-
src/lib/krb5/krb/authdata.c | 77 ++++++++++++++++++++++++++++++++++++
2 files changed, 79 insertions(+), 1 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add auth indicator authdata module

This authdata module makes the 'auth-indicator' attribute available to
the GSSAPI name extension functions. The auth indicator values are UTF8
strings imported during AP_REQ processing.

https://github.com/krb5/krb5/commit/365ac06e3d70f48e6dbfff4dfe259e2725a9f6c1
Author: Matt Rogers <mrogers@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 365ac06e3d70f48e6dbfff4dfe259e2725a9f6c1
Branch: master
src/lib/krb5/krb/Makefile.in | 5 +-
src/lib/krb5/krb/ai_authdata.c | 340 ++++++++++++++++++++++++++++++++++++++++
src/lib/krb5/krb/authdata.c | 1 +
src/lib/krb5/krb/authdata.h | 1 +
src/lib/krb5/krb/deps | 12 ++
5 files changed, 358 insertions(+), 1 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Fail on error when processing KDC-issued authdata

Have k5_get_kdc_issued_authdata() return 0 on a verification failure and
non-zero for other failures, rather than call assert(). Check the
return value when called in krb5int_authdata_verify().

https://github.com/krb5/krb5/commit/19eee5ffaca1cc5f2c8696188e524240e33af777
Author: Matt Rogers <mrogers@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 19eee5ffaca1cc5f2c8696188e524240e33af777
Branch: master
src/lib/krb5/krb/authdata.c | 13 ++++++++++---
1 files changed, 10 insertions(+), 3 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add GSSAPI auth indicator name attribute tests

[ghudson@mit.edu: simplify test harness]

https://github.com/krb5/krb5/commit/80641fd4f1b98ee5d7405c9075a711f865534880
Author: Matt Rogers <mrogers@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 80641fd4f1b98ee5d7405c9075a711f865534880
Branch: master
.gitignore | 1 +
src/tests/gssapi/Makefile.in | 15 ++++++---
src/tests/gssapi/t_authind.py | 38 ++++++++++++++++++++++++
src/tests/gssapi/t_srcattrs.c | 63 +++++++++++++++++++++++++++++++++++++++++
4 files changed, 112 insertions(+), 5 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add GSSAPI name attribute documentation

Also add a reference to the auth-indicator name attribute in
auth_indicator.rst.

[ghudson@mit.edu: edited for brevity and cross-referencing]

https://github.com/krb5/krb5/commit/af2442f04e408bfa04cbe2e317be982ec47af674
Author: Matt Rogers <mrogers@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: af2442f04e408bfa04cbe2e317be982ec47af674
Branch: master
doc/admin/auth_indicator.rst | 4 ++++
doc/appdev/gssapi.rst | 22 ++++++++++++++++++++++
2 files changed, 26 insertions(+), 0 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Filter CAMMAC authdata by module->ad_type

Also, do not leak cammac_authdata.

[ghudson@mit.edu: also fix two sizeof() expressions]

https://github.com/krb5/krb5/commit/7df4aec92aebabaaf14de9de062f526228e65f48
Author: Matt Rogers <mrogers@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 7df4aec92aebabaaf14de9de062f526228e65f48
Branch: master
src/lib/krb5/krb/authdata.c | 11 ++++++++---
1 files changed, 8 insertions(+), 3 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Fix and simplify auth-indicator authdata module

Remove the authind_context count field. The indicators list must be
null-terminated because it is freed with k5_free_data_ptr_list().
authind_internalize() didn't null-terminate the list, and the presence
of the count field made it appear that this wasn't a bug. Use a
different scheme for setting *more in authind_get_attribute() to avoid
requiring an element count.

Also check more thoroughly for errors in authind_externalize() and
authind_internalize(), and remove some unnecessary pointer casts.

https://github.com/krb5/krb5/commit/0b741b1ee4005a68aee76616642a91ba85042f05
Author: Greg Hudson <ghudson@mit.edu>
Commit: 0b741b1ee4005a68aee76616642a91ba85042f05
Branch: master
src/lib/krb5/krb/ai_authdata.c | 73 ++++++++++++++++++++-------------------
1 files changed, 37 insertions(+), 36 deletions(-)
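
The last commit message above turns on a list that is freed by walking to a NULL slot and iterated without an element count. An added illustration of that pattern, not code from krb5: `data_t`, `free_list`, `make_list` and `next_value` are hypothetical stand-ins, and the `*more` convention shown is one count-free scheme, assumed here rather than taken from ai_authdata.c.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for krb5_data (assumption, not the libkrb5 type). */
typedef struct { unsigned int length; char *data; } data_t;

/* Free a list whose only end marker is a NULL slot, the contract the commit
 * message gives for k5_free_data_ptr_list().  Returns the elements freed. */
static int free_list(data_t **list)
{
    int n = 0;
    for (; list != NULL && list[n] != NULL; n++) {
        free(list[n]->data);
        free(list[n]);
    }
    free(list);
    return n;
}

/* Build a list from n strings.  calloc(n + 1) makes the terminator slot part
 * of the allocation, so even a partially built list is safe to free. */
static data_t **make_list(const char *const *vals, size_t n)
{
    data_t **list = calloc(n + 1, sizeof(*list));
    for (size_t i = 0; list != NULL && i < n; i++) {
        size_t len = strlen(vals[i]);
        list[i] = calloc(1, sizeof(*list[i]));
        if (list[i] == NULL || (list[i]->data = malloc(len + 1)) == NULL) {
            free_list(list);
            return NULL;
        }
        memcpy(list[i]->data, vals[i], len + 1);
        list[i]->length = (unsigned int)len;
    }
    return list;
}

/* Iterate without an element count: *more is -1 on the first call and the
 * next index afterwards; it becomes 0 once the last element is returned. */
static const data_t *next_value(data_t **list, int *more)
{
    int i = (*more < 0) ? 0 : *more;
    if (list == NULL || list[i] == NULL)
        return NULL;
    *more = (list[i + 1] == NULL) ? 0 : i + 1;
    return list[i];
}
```

A list allocated with exactly n slots would send `free_list` past the end of the allocation, which is the class of bug a separate count field can hide.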