diff options
author | Jelmer Vernooij <jelmer@jelmer.uk> | 2016-05-15 19:38:46 +0000 |
---|---|---|
committer | Jelmer Vernooij <jelmer@jelmer.uk> | 2016-05-15 19:38:46 +0000 |
commit | 6a4d0fe03aa5b86d10553ff789aef231afade301 (patch) | |
tree | f4d87185c319c8fe2d3387a08159ecd8b6b2cabe | |
parent | 30644adf6a9966d6405d1f4a9789dee921496db0 (diff) | |
parent | b05adcb637201afe0306265208ece1772ca2eb8b (diff) |
Merge tag 'upstream/1.7_git20160515+dfsg' into experimental
Upstream version 1.7~git20160515+dfsg
-rw-r--r-- | .gitignore | 11 | ||||
-rw-r--r-- | cf/Makefile.am.common | 3 | ||||
-rw-r--r-- | cf/crypto.m4 | 35 | ||||
-rw-r--r-- | include/NTMakefile | 1 | ||||
-rw-r--r-- | kdc/Makefile.am | 2 | ||||
-rw-r--r-- | lib/asn1/libasn1-exports.def | 6 | ||||
-rw-r--r-- | lib/gssapi/NTMakefile | 1 | ||||
-rw-r--r-- | lib/hcrypto/Makefile.am | 6 | ||||
-rw-r--r-- | lib/hcrypto/evp-cc.c | 52 | ||||
-rw-r--r-- | lib/hcrypto/evp-openssl.c | 30 | ||||
-rw-r--r-- | lib/hcrypto/evp-pkcs11.c | 4 | ||||
-rw-r--r-- | lib/hcrypto/evp-w32.c | 4 | ||||
-rw-r--r-- | lib/hcrypto/test_bulk.c | 6 | ||||
-rw-r--r-- | lib/hdb/hdb-mitdb.c | 9 | ||||
-rw-r--r-- | lib/hx509/Makefile.am | 8 | ||||
-rw-r--r-- | lib/krb5/Makefile.am | 2 | ||||
-rw-r--r-- | lib/krb5/crypto-des-common.c | 3 | ||||
-rw-r--r-- | lib/krb5/crypto-des.c | 2 | ||||
-rw-r--r-- | lib/krb5/crypto-des3.c | 2 | ||||
-rw-r--r-- | lib/krb5/krb5.conf.5 | 16 | ||||
-rw-r--r-- | lib/krb5/pac.c | 34 | ||||
-rw-r--r-- | lib/krb5/salt-des3.c | 4 | ||||
-rw-r--r-- | packages/windows/assembly/NTMakefile | 2 | ||||
-rw-r--r-- | windows/NTMakefile.config | 7 | ||||
-rw-r--r-- | windows/NTMakefile.w32 | 29 | ||||
-rw-r--r-- | windows/README.md | 24 |
26 files changed, 235 insertions, 68 deletions
diff --git a/.gitignore b/.gitignore index 8b38cec7b..73678830d 100644 --- a/.gitignore +++ b/.gitignore @@ -155,6 +155,7 @@ asn1_*.[cx] /include/bits /include/config.h.in /include/gssapi/*.h +/include/hcrypto/*.h /include/kadm5/*.h /include/stamp-h1 /include/version.h.in @@ -222,6 +223,7 @@ asn1_*.[cx] /lib/gssapi/ntlm/ntlm-private.h /lib/gssapi/spnego/spnego-private.h /lib/gssapi/test_acquire_cred +/lib/gssapi/test_add_store_cred /lib/gssapi/test_cfx /lib/gssapi/test_context /lib/gssapi/test_cred @@ -229,6 +231,10 @@ asn1_*.[cx] /lib/gssapi/test_names /lib/gssapi/test_ntlm /lib/gssapi/test_oid +/lib/hcrypto/hcrypto +/lib/hcrypto/hcrypto-link +/lib/hcrypto/test_rand +/lib/roken/test-detach /lib/hdb/hdb-protos.h /lib/hdb/hdb-private.h /lib/hdb/test_dbinfo @@ -413,6 +419,7 @@ asn1_*.[cx] /out /po/gen-po.sh /scripts +/tests/bin/intr /tests/bin/setup-env /tests/can/check-can /tests/can/current-db.db @@ -426,6 +433,9 @@ asn1_*.[cx] /tests/db/dbinfo.out /tests/db/have-db /tests/db/krb5.conf +/tests/db/krb5.conf-db1 +/tests/db/krb5.conf-db3 +/tests/db/krb5.conf-lmdb /tests/db/krb5.conf-sqlite /tests/db/loaddump-db /tests/db/tempfile @@ -490,6 +500,7 @@ asn1_*.[cx] /tests/kdc/krb5-pkinit-win.conf /tests/kdc/krb5-pkinit.conf /tests/kdc/krb5-slave.conf +/tests/kdc/krb5-slave2.conf /tests/kdc/krb5-weak.conf /tests/kdc/krb5.conf /tests/kdc/krb5-cc.conf diff --git a/cf/Makefile.am.common b/cf/Makefile.am.common index c0cddf6a0..a9ea71edd 100644 --- a/cf/Makefile.am.common +++ b/cf/Makefile.am.common @@ -45,6 +45,9 @@ LIB_tgetent = @LIB_tgetent@ LIB_com_err = @LIB_com_err@ LIB_door_create = @LIB_door_create@ +LIB_openssl_crypto = @LIB_openssl_crypto@ +INCLUDE_openssl_crypto = @INCLUDE_openssl_crypto@ + HESIODLIB = @HESIODLIB@ HESIODINCLUDE = @HESIODINCLUDE@ INCLUDE_hesiod = @INCLUDE_hesiod@ diff --git a/cf/crypto.m4 b/cf/crypto.m4 index 075568b1b..b8b011dd1 100644 --- a/cf/crypto.m4 +++ b/cf/crypto.m4 @@ -67,8 +67,23 @@ AC_DEFUN([KRB_CRYPTO],[ AC_ARG_WITH([hcrypto-default-backend], AS_HELP_STRING([--with-hcrypto-default-backend=cc|pkcs11_hcrypto|ossl|w32crypto|hcrypto], [specify the default hcrypto backend]), - [CFLAGS="${CFLAGS} -DHCRYPTO_DEF_PROVIDER=${withval}"], + [ + CFLAGS="${CFLAGS} -DHCRYPTO_DEF_PROVIDER=${withval}" + case "$withval" in + cc) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [cc], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);; + pkcs11_hcrypto) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [pkcs11_hcrypto], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);; + ossl) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [ossl], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);; + w32crypto) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [w32crypto], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);; + hcrypto) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [hcrypto], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);; + *) echo "Invalid hcrypto provider name ($withval)"; exit 5;; + esac + ], []) +AC_ARG_WITH([hcrypto-fallback], + AS_HELP_STRING([--without-hcrypto-fallback], + [disable fallback on hcrypto for unavailable algorithms]), + [AC_DEFINE([HCRYPTO_FALLBACK],0,[Set to 1 to allow fallback to hcrypto for unavailable algorithms])], + [AC_DEFINE([HCRYPTO_FALLBACK],1,[Set to 1 to allow fallback to hcrypto for unavailable algorithms])]) AC_WITH_ALL([openssl]) AC_MSG_CHECKING([for crypto library]) @@ -79,18 +94,22 @@ if test "$with_openssl" = "yes"; then with_openssl=/usr fi if test "$with_openssl" != "no"; then + saved_CFLAGS="${CFLAGS}" + saved_LDFLAGS="${LDFLAGS}" INCLUDE_openssl_crypto= LIB_openssl_crypto= if test "$with_openssl_include" != ""; then - INCLUDE_openssl_crypto="${with_openssl_include}" + INCLUDE_openssl_crypto="-I${with_openssl_include}" else - INCLUDE_openssl_crypto="${with_openssl}/include" + INCLUDE_openssl_crypto="-I${with_openssl}/include" fi if test "$with_openssl_lib" != ""; then LIB_openssl_crypto="-L${with_openssl_lib}" + elif test "${with_openssl}" != "/usr" -a -d "${with_openssl}/lib"; then + LIB_openssl_crypto="-L${with_openssl}/lib" fi - CFLAGS="-DHAVE_HCRYPTO_W_OPENSSL -I${INCLUDE_openssl_crypto} ${CFLAGS}" - # XXX What about rpath? Yeah... + CFLAGS="-DHAVE_HCRYPTO_W_OPENSSL ${INCLUDE_openssl_crypto} ${CFLAGS}" + LDFLAGS="${LIB_openssl_crypto} ${LDFLAGS}" AC_CHECK_LIB([crypto], [OPENSSL_init], [LIB_openssl_crypto="${LIB_openssl_crypto} -lcrypto"; openssl=yes], [openssl=no], []) # These cases are just for static linking on older OSes, @@ -107,6 +126,12 @@ if test "$with_openssl" != "no"; then AC_CHECK_LIB([crypto], [OPENSSL_init], [LIB_openssl_crypto="${LIB_openssl_crypto} -lcrypto -ldl -lnsl -lsocket"; openssl=yes], [openssl=no], [-ldl -lnsl -lsocket]) fi + if test "$openssl" = "no"; then + INCLUDE_openssl_crypto= + LIB_openssl_crypto= + fi + CFLAGS="${saved_CFLAGS}" + LDFLAGS="${saved_LDFLAGS}" fi LIB_hcrypto='$(top_builddir)/lib/hcrypto/libhcrypto.la' diff --git a/include/NTMakefile b/include/NTMakefile index 984984d4a..e93cf8461 100644 --- a/include/NTMakefile +++ b/include/NTMakefile @@ -61,6 +61,7 @@ while(<>) { if ("$(KRB5)") { print "#define KRB5 1\n"; } if ("$(KRB4)") { print "#define KRB4 1\n"; } if ("$(WEAK_CRYPTO)") { print "#define HEIM_WEAK_CRYPTO 1\n"; } + if ("$(HCRYPTO_FALLBACK)") { print "#define HCRYPTO_FALLBACK 1\n"; } else { print "#define HCRYPTO_FALLBACK 0\n"; } if ("$(PKINIT)") { print "#define PKINIT 1\n"; } if ("$(NO_AFS)") { print "#define NO_AFS 1\n"; } if ("$(OPENLDAP)") { print "#define OPENLDAP 1\n"; } diff --git a/kdc/Makefile.am b/kdc/Makefile.am index 2a5899410..465d1bc23 100644 --- a/kdc/Makefile.am +++ b/kdc/Makefile.am @@ -2,7 +2,7 @@ include $(top_srcdir)/Makefile.am.common -AM_CPPFLAGS += $(INCLUDE_libintl) -I$(srcdir)/../lib/krb5 +AM_CPPFLAGS += $(INCLUDE_libintl) $(INCLUDE_openssl_crypto) -I$(srcdir)/../lib/krb5 lib_LTLIBRARIES = libkdc.la diff --git a/lib/asn1/libasn1-exports.def b/lib/asn1/libasn1-exports.def index 63dfdffa6..62f4337ad 100644 --- a/lib/asn1/libasn1-exports.def +++ b/lib/asn1/libasn1-exports.def @@ -58,9 +58,15 @@ EXPORTS asn1_oid_id_ecPublicKey DATA asn1_oid_id_ec_group_secp160r1 DATA asn1_oid_id_ec_group_secp160r2 DATA + asn1_oid_id_ec_group_secp224r1 DATA asn1_oid_id_ec_group_secp256r1 DATA + asn1_oid_id_ec_group_secp384r1 DATA + asn1_oid_id_ec_group_secp521r1 DATA asn1_oid_id_ecdsa_with_SHA1 DATA + asn1_oid_id_ecdsa_with_SHA224 DATA asn1_oid_id_ecdsa_with_SHA256 DATA + asn1_oid_id_ecdsa_with_SHA384 DATA + asn1_oid_id_ecdsa_with_SHA512 DATA asn1_oid_id_heim_rsa_pkcs1_x509 DATA asn1_oid_id_ms_cert_enroll_domaincontroller DATA asn1_oid_id_ms_client_authentication DATA diff --git a/lib/gssapi/NTMakefile b/lib/gssapi/NTMakefile index 098118fd6..402b110a1 100644 --- a/lib/gssapi/NTMakefile +++ b/lib/gssapi/NTMakefile @@ -553,6 +553,7 @@ all-tools:: $(BINDIR)\gsstool.exe $(BINDIR)\gsstool.exe: $(OBJ)\gsstool.obj $(OBJ)\gss-commands.obj $(LIBGSSAPI) $(LIBROKEN) $(LIBSL) $(LIBVERS) $(EXECONLINK) + $(EXEPREP) $(OBJ)\gss-commands.c $(OBJ)\gss-commands.h: gss-commands.in cd $(OBJ) diff --git a/lib/hcrypto/Makefile.am b/lib/hcrypto/Makefile.am index d2bb42494..a67b683ce 100644 --- a/lib/hcrypto/Makefile.am +++ b/lib/hcrypto/Makefile.am @@ -2,8 +2,10 @@ include $(top_srcdir)/Makefile.am.common +AUTOMAKE_OPTIONS = subdir-objects + if HAVE_HCRYPTO_W_OPENSSL -AM_CPPFLAGS += -I$(INCLUDE_openssl_crypto) +AM_CPPFLAGS += $(INCLUDE_openssl_crypto) endif AM_CPPFLAGS += -I$(top_srcdir)/lib/hx509 \ @@ -99,7 +101,7 @@ check_SCRIPTS = $(SCRIPT_TESTS) TESTS = $(PROGRAM_TESTS) $(SCRIPT_TESTS) -LDADD = $(lib_LTLIBRARIES) $(LIB_roken) +LDADD = $(lib_LTLIBRARIES) $(LIB_roken) $(LIB_openssl_crypto) test_rand_LDADD = $(LDADD) -lm libhcrypto_la_SOURCES = \ diff --git a/lib/hcrypto/evp-cc.c b/lib/hcrypto/evp-cc.c index 8f317a670..eb4793b64 100644 --- a/lib/hcrypto/evp-cc.c +++ b/lib/hcrypto/evp-cc.c @@ -175,6 +175,8 @@ EVP_cc_des_ede3_cbc(void) NULL }; return &des_ede3_cbc; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_des_ede3_cbc(); #else return NULL; #endif @@ -225,6 +227,8 @@ EVP_cc_des_cbc(void) NULL }; return &des_ede3_cbc; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_des_cbc(); #else return NULL; #endif @@ -275,6 +279,8 @@ EVP_cc_aes_128_cbc(void) NULL }; return &c; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_aes_128_cbc(); #else return NULL; #endif @@ -308,6 +314,8 @@ EVP_cc_aes_192_cbc(void) NULL }; return &c; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_aes_192_cbc(); #else return NULL; #endif @@ -341,6 +349,8 @@ EVP_cc_aes_256_cbc(void) NULL }; return &c; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_aes_256_cbc(); #else return NULL; #endif @@ -391,6 +401,8 @@ EVP_cc_aes_128_cfb8(void) NULL }; return &c; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_aes_128_cfb8(); #else return NULL; #endif @@ -424,6 +436,8 @@ EVP_cc_aes_192_cfb8(void) NULL }; return &c; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_aes_192_cfb8(); #else return NULL; #endif @@ -457,6 +471,8 @@ EVP_cc_aes_256_cfb8(void) NULL }; return &c; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_aes_256_cfb8(); #else return NULL; #endif @@ -508,6 +524,8 @@ EVP_cc_rc2_cbc(void) NULL }; return &rc2_cbc; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_rc2_cbc(); #else return NULL; #endif @@ -542,6 +560,8 @@ EVP_cc_rc2_40_cbc(void) NULL }; return &rc2_40_cbc; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_rc2_40_cbc(); #else return NULL; #endif @@ -577,6 +597,8 @@ EVP_cc_rc2_64_cbc(void) NULL }; return &rc2_64_cbc; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_rc2_64_cbc(); #else return NULL; #endif @@ -602,6 +624,8 @@ EVP_cc_md2(void) (hc_evp_md_cleanup)NULL }; return &md2; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_md2(); #else return NULL; #endif @@ -627,6 +651,8 @@ EVP_cc_md4(void) (hc_evp_md_cleanup)NULL }; return &md4; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_md4(); #else return NULL; #endif @@ -652,6 +678,8 @@ EVP_cc_md5(void) (hc_evp_md_cleanup)NULL }; return &md5; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_md5(); #else return NULL; #endif @@ -677,6 +705,8 @@ EVP_cc_sha1(void) (hc_evp_md_cleanup)NULL }; return &sha1; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_sha1(); #else return NULL; #endif @@ -702,6 +732,8 @@ EVP_cc_sha256(void) (hc_evp_md_cleanup)NULL }; return &sha256; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_sha256(); #else return NULL; #endif @@ -727,6 +759,8 @@ EVP_cc_sha384(void) (hc_evp_md_cleanup)NULL }; return &sha384; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_sha384(); #else return NULL; #endif @@ -752,6 +786,8 @@ EVP_cc_sha512(void) (hc_evp_md_cleanup)NULL }; return &sha512; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_sha512(); #else return NULL; #endif @@ -768,7 +804,11 @@ EVP_cc_sha512(void) const EVP_CIPHER * EVP_cc_camellia_128_cbc(void) { +#if HCRYPTO_FALLBACK + return EVP_hcrypto_camellia_128_cbc(); +#else return NULL; +#endif } /** @@ -782,7 +822,11 @@ EVP_cc_camellia_128_cbc(void) const EVP_CIPHER * EVP_cc_camellia_192_cbc(void) { +#if HCRYPTO_FALLBACK + return EVP_hcrypto_camellia_192_cbc(); +#else return NULL; +#endif } /** @@ -796,7 +840,11 @@ EVP_cc_camellia_192_cbc(void) const EVP_CIPHER * EVP_cc_camellia_256_cbc(void) { +#if HCRYPTO_FALLBACK + return EVP_hcrypto_camellia_256_cbc(); +#else return NULL; +#endif } #ifdef HAVE_COMMONCRYPTO_COMMONCRYPTOR_H @@ -847,6 +895,8 @@ EVP_cc_rc4(void) NULL }; return &rc4; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_rc4(); #else return NULL; #endif @@ -881,6 +931,8 @@ EVP_cc_rc4_40(void) NULL }; return &rc4_40; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_rc4_40(); #else return NULL; #endif diff --git a/lib/hcrypto/evp-openssl.c b/lib/hcrypto/evp-openssl.c index 0c50ee1ee..5f2a5ab93 100644 --- a/lib/hcrypto/evp-openssl.c +++ b/lib/hcrypto/evp-openssl.c @@ -86,7 +86,6 @@ struct once_init_cipher_ctx { hc_EVP_CIPHER *hc_memoize; const hc_EVP_CIPHER *fallback; unsigned long flags; - unsigned char *initialized; int nid; }; @@ -206,8 +205,9 @@ get_EVP_CIPHER_once_cb(void *d) ossl_evp = EVP_get_cipherbynid(arg->nid); if (ossl_evp == NULL) { (void) memset(hc_evp, 0, sizeof(*hc_evp)); +#if HCRYPTO_FALLBACK *arg->hc_memoizep = arg->fallback; - *arg->initialized = 1; +#endif return; } @@ -240,14 +240,13 @@ get_EVP_CIPHER_once_cb(void *d) /* Finally, set the static hc_EVP_CIPHER * to the one we just built */ *arg->hc_memoizep = hc_evp; - *arg->initialized = 1; } static const hc_EVP_CIPHER * get_EVP_CIPHER(heim_base_once_t *once, hc_EVP_CIPHER *hc_memoize, const hc_EVP_CIPHER **hc_memoizep, const hc_EVP_CIPHER *fallback, - unsigned long flags, unsigned char *initialized, int nid) + unsigned long flags, int nid) { struct once_init_cipher_ctx arg; @@ -255,7 +254,6 @@ get_EVP_CIPHER(heim_base_once_t *once, hc_EVP_CIPHER *hc_memoize, arg.hc_memoizep = hc_memoizep; arg.hc_memoize = hc_memoize; arg.fallback = fallback; - arg.initialized = initialized; arg.nid = nid; heim_base_once_f(once, &arg, get_EVP_CIPHER_once_cb); return *hc_memoizep; /* May be NULL */ @@ -268,12 +266,9 @@ get_EVP_CIPHER(heim_base_once_t *once, hc_EVP_CIPHER *hc_memoize, static hc_EVP_CIPHER ossl_##name##_st; \ static const hc_EVP_CIPHER *ossl_##name; \ static heim_base_once_t once = HEIM_BASE_ONCE_INIT; \ - static unsigned char initialized; \ - if (initialized) \ - return ossl_##name; \ return get_EVP_CIPHER(&once, &ossl_##name##_st, &ossl_##name, \ hc_EVP_hcrypto_##name(), \ - flags, &initialized, NID_##name); \ + flags, NID_##name); \ } /* As above, but for EVP_MDs */ @@ -340,7 +335,6 @@ struct once_init_md_ctx { const hc_EVP_MD *fallback; hc_evp_md_init md_init; int nid; - unsigned char *initialized; }; static void @@ -355,12 +349,15 @@ get_EVP_MD_once_cb(void *d) if (ossl_evp == NULL) { (void) memset(hc_evp, 0, sizeof(*hc_evp)); +#if HCRYPTO_FALLBACK *arg->hc_memoizep = arg->fallback; - *arg->initialized = 1; +#endif return; } /* Build the hc_EVP_MD */ + hc_evp->block_size = EVP_MD_block_size(ossl_evp); + hc_evp->hash_size = EVP_MD_size(ossl_evp); hc_evp->ctx_size = sizeof(struct ossl_md_ctx); hc_evp->init = arg->md_init; hc_evp->update = ossl_md_update; @@ -368,14 +365,13 @@ get_EVP_MD_once_cb(void *d) hc_evp->cleanup = ossl_md_cleanup; *arg->hc_memoizep = hc_evp; - *arg->initialized = 1; } static const hc_EVP_MD * get_EVP_MD(heim_base_once_t *once, hc_EVP_MD *hc_memoize, const hc_EVP_MD **hc_memoizep, const EVP_MD **ossl_memoizep, const hc_EVP_MD *fallback, - hc_evp_md_init md_init, unsigned char *initialized, int nid) + hc_evp_md_init md_init, int nid) { struct once_init_md_ctx ctx; @@ -384,7 +380,6 @@ get_EVP_MD(heim_base_once_t *once, hc_EVP_MD *hc_memoize, ctx.hc_memoize = hc_memoize; ctx.fallback = fallback; ctx.md_init = md_init; - ctx.initialized = initialized; ctx.nid = nid; heim_base_once_f(once, &ctx, get_EVP_MD_once_cb); return *hc_memoizep; /* May be NULL */ @@ -402,16 +397,15 @@ get_EVP_MD(heim_base_once_t *once, hc_EVP_MD *hc_memoize, { \ static hc_EVP_MD ossl_##name##_st; \ static heim_base_once_t once = HEIM_BASE_ONCE_INIT; \ - static unsigned char initialized; \ - if (initialized) \ - return ossl_##name; \ return get_EVP_MD(&once, &ossl_##name##_st, &ossl_##name, \ &ossl_EVP_##name, hc_EVP_hcrypto_##name(), \ - ossl_init_##name, &initialized, NID_##name); \ + ossl_init_##name, NID_##name); \ } #else /* HAVE_HCRYPTO_W_OPENSSL */ +#include "evp-hcrypto.h" + #define OSSL_CIPHER_ALGORITHM(name, flags) \ const hc_EVP_CIPHER *hc_EVP_ossl_##name(void) \ { \ diff --git a/lib/hcrypto/evp-pkcs11.c b/lib/hcrypto/evp-pkcs11.c index 3118e7f5f..b648640c0 100644 --- a/lib/hcrypto/evp-pkcs11.c +++ b/lib/hcrypto/evp-pkcs11.c @@ -443,7 +443,7 @@ p11_md_cleanup(EVP_MD_CTX *ctx) const EVP_CIPHER *cipher; \ \ cipher = hc_EVP_pkcs11_ ##name(); \ - if (cipher == NULL) \ + if (cipher == NULL && HCRYPTO_FALLBACK) \ cipher = hc_EVP_hcrypto_ ##name(); \ \ *((const EVP_CIPHER **)context) = cipher; \ @@ -493,7 +493,7 @@ p11_md_cleanup(EVP_MD_CTX *ctx) const EVP_MD *md; \ \ md = hc_EVP_pkcs11_ ##name(); \ - if (md == NULL) \ + if (md == NULL && HCRYPTO_FALLBACK) \ md = hc_EVP_hcrypto_ ##name(); \ \ *((const EVP_MD **)context) = md; \ diff --git a/lib/hcrypto/evp-w32.c b/lib/hcrypto/evp-w32.c index e58273353..7d14d1f4f 100644 --- a/lib/hcrypto/evp-w32.c +++ b/lib/hcrypto/evp-w32.c @@ -96,8 +96,10 @@ _hc_w32crypto_DllMain(HINSTANCE hinstDLL, { \ if (wincng_check_availability()) \ return hc_EVP_wincng_ ##name (); \ - else \ + else if (HCRYPTO_FALLBACK) \ return hc_EVP_hcrypto_ ##name (); \ + else \ + return NULL; \ } #define EVP_W32CRYPTO_PROVIDER_CNG_UNAVAILABLE(type, name) \ diff --git a/lib/hcrypto/test_bulk.c b/lib/hcrypto/test_bulk.c index fa087f379..1abe41d81 100644 --- a/lib/hcrypto/test_bulk.c +++ b/lib/hcrypto/test_bulk.c @@ -160,7 +160,8 @@ test_bulk_cipher(const char *cname, const EVP_CIPHER *c) errx(1, "encrypt/decrypt inconsistent"); } - printf("%s: mean time %llu usec%s\n", cname, M, (M == 1) ? "" : "s"); + printf("%s: mean time %llu usec%s\n", cname, (unsigned long long)M, + (M == 1) ? "" : "s"); return 0; } @@ -184,7 +185,8 @@ test_bulk_digest(const char *cname, const EVP_MD *md) STATS_END(M); } - printf("%s: mean time %llu usec%s\n", cname, M, (M == 1) ? "" : "s"); + printf("%s: mean time %llu usec%s\n", cname, (unsigned long long)M, + (M == 1) ? "" : "s"); return 0; } diff --git a/lib/hdb/hdb-mitdb.c b/lib/hdb/hdb-mitdb.c index f3a20d9ef..3eefc62bc 100644 --- a/lib/hdb/hdb-mitdb.c +++ b/lib/hdb/hdb-mitdb.c @@ -959,13 +959,13 @@ mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) if ((flags & HDB_F_PRECHECK)) { ret = mdb_principal2key(context, entry->entry.principal, &key); if (ret) return ret; - code = db->hdb__get(context, db, key, &value); + ret = db->hdb__get(context, db, key, &value); krb5_data_free(&key); - if (code == 0) + if (ret == 0) krb5_data_free(&value); - if (code == HDB_ERR_NOENTRY) + if (ret == HDB_ERR_NOENTRY) return 0; - return code ? code : HDB_ERR_EXISTS; + return ret ? ret : HDB_ERR_EXISTS; } sp = krb5_storage_emem(); @@ -1010,6 +1010,7 @@ mdb_remove(krb5_context context, HDB *db, { krb5_error_code code; krb5_data key; + krb5_data value = { 0, 0 }; if ((flags & HDB_F_PRECHECK)) { code = db->hdb__get(context, db, key, &value); diff --git a/lib/hx509/Makefile.am b/lib/hx509/Makefile.am index cd8ccc553..d1a00bd49 100644 --- a/lib/hx509/Makefile.am +++ b/lib/hx509/Makefile.am @@ -1,5 +1,7 @@ include $(top_srcdir)/Makefile.am.common +AM_CPPFLAGS += $(INCLUDE_openssl_crypto) + lib_LTLIBRARIES = libhx509.la libhx509_la_LDFLAGS = -version-info 5:0:0 @@ -206,10 +208,10 @@ check_PROGRAMS = $(PROGRAM_TESTS) test_soft_pkcs11 LDADD = libhx509.la -test_soft_pkcs11_LDADD = libhx509.la +test_soft_pkcs11_LDADD = libhx509.la $(top_builddir)/lib/asn1/libasn1.la -test_name_LDADD = libhx509.la $(LIB_roken) -test_expr_LDADD = libhx509.la $(LIB_roken) +test_name_LDADD = libhx509.la $(LIB_roken) $(top_builddir)/lib/asn1/libasn1.la +test_expr_LDADD = libhx509.la $(LIB_roken) $(top_builddir)/lib/asn1/libasn1.la TESTS = $(SCRIPT_TESTS) $(PROGRAM_TESTS) diff --git a/lib/krb5/Makefile.am b/lib/krb5/Makefile.am index 7174aee0c..99880bc66 100644 --- a/lib/krb5/Makefile.am +++ b/lib/krb5/Makefile.am @@ -2,7 +2,7 @@ include $(top_srcdir)/Makefile.am.common -AM_CPPFLAGS += -I../com_err -I$(srcdir)/../com_err $(INCLUDE_sqlite3) $(INCLUDE_libintl) +AM_CPPFLAGS += -I../com_err -I$(srcdir)/../com_err $(INCLUDE_sqlite3) $(INCLUDE_libintl) $(INCLUDE_openssl_crypto) bin_PROGRAMS = verify_krb5_conf diff --git a/lib/krb5/crypto-des-common.c b/lib/krb5/crypto-des-common.c index ae9a10942..2565914de 100644 --- a/lib/krb5/crypto-des-common.c +++ b/lib/krb5/crypto-des-common.c @@ -40,9 +40,8 @@ */ KRB5_LIB_FUNCTION void KRB5_LIB_CALL -_krb5_xor (DES_cblock *key, const unsigned char *b) +_krb5_xor8(unsigned char *a, const unsigned char *b) { - unsigned char *a = (unsigned char*)key; a[0] ^= b[0]; a[1] ^= b[1]; a[2] ^= b[2]; diff --git a/lib/krb5/crypto-des.c b/lib/krb5/crypto-des.c index a4430771d..8ea145b56 100644 --- a/lib/krb5/crypto-des.c +++ b/lib/krb5/crypto-des.c @@ -65,7 +65,7 @@ krb5_DES_random_to_key(krb5_context context, memcpy(k, data, key->keyvalue.length); DES_set_odd_parity(k); if(DES_is_weak_key(k)) - _krb5_xor(k, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); + _krb5_xor8(*k, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); } static struct _krb5_key_type keytype_des_old = { diff --git a/lib/krb5/crypto-des3.c b/lib/krb5/crypto-des3.c index 37fadf591..566f31603 100644 --- a/lib/krb5/crypto-des3.c +++ b/lib/krb5/crypto-des3.c @@ -278,6 +278,6 @@ _krb5_DES3_random_to_key(krb5_context context, for (i = 0; i < 3; i++) { DES_set_odd_parity(&k[i]); if(DES_is_weak_key(&k[i])) - _krb5_xor(&k[i], (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); + _krb5_xor8(k[i], (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); } } diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5 index 482990e5f..cb199695d 100644 --- a/lib/krb5/krb5.conf.5 +++ b/lib/krb5/krb5.conf.5 @@ -144,7 +144,7 @@ Default realm to use, this is also known as your The default is the result of .Fn krb5_get_host_realm "local hostname" . .It Li allow_weak_crypto = Va boolean -is weaks crypto algorithms allowed to be used, among others, DES is +are weak crypto algorithms allowed to be used, among others, DES is considered weak. .It Li clockskew = Va time Maximum time differential (in seconds) allowed when comparing @@ -168,9 +168,9 @@ the default credentials cache name. If you want to change the type only use .Li default_cc_type . The string can contain variables that are expanded on runtime. -Only support variable now is +The Only supported variable currently is .Li %{uid} -that expands to the current user id. +which expands to the current user id. .It Li default_etypes = Va etypes ... A list of default encryption types to use. (Default: all enctypes if allow_weak_crypto = TRUE, else all enctypes except single DES enctypes.) @@ -243,10 +243,10 @@ It's the field ticketflags that is stored in reverse bit order for older than Heimdal 0.7. Setting this flag to .Dv TRUE -make it store the MIT way, this is default for Heimdal 0.7. +makes it store the MIT way, this is default for Heimdal 0.7. .It Li check-rd-req-server -If set to "ignore", the framework will ignore any the server input to -.Xr krb5_rd_req 3, +If set to "ignore", the framework will ignore any of the server input to +.Xr krb5_rd_req 3 , this is very useful when the GSS-API server input the wrong server name into the gss_accept_sec_context call. .It Li k5login_directory = Va directory @@ -288,7 +288,7 @@ K5login files are text files, with each line containing just a principal name; principals apearing in a user's k5login file are permitted access to the user's account. Note: this rule performs no ownership nor permissions checks on k5login files; proper ownership and -permissions/ACLs are expected due to the system k5login location being a +permissions/ACLs are expected due to the k5login location being a system location. .It Li kuserok = Va USER-K5LOGIN If set and evaluated then @@ -389,7 +389,7 @@ with explicit .Va order then all other rules in the order in which they appear. If any two rules have the same explicit -.Va order +.Va order , their order of appearance in krb5.conf breaks the tie. Explicitly specifying order can be useful where tools read and write the configuration file without preserving parameter order. diff --git a/lib/krb5/pac.c b/lib/krb5/pac.c index caa1828c2..9c82b96f7 100644 --- a/lib/krb5/pac.c +++ b/lib/krb5/pac.c @@ -986,6 +986,40 @@ _krb5_pac_sign(krb5_context context, krb5_data_zero(&logon); + for (i = 0; i < p->pac->numbuffers; i++) { + if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) { + if (p->server_checksum == NULL) { + p->server_checksum = &p->pac->buffers[i]; + } + if (p->server_checksum != &p->pac->buffers[i]) { + ret = EINVAL; + krb5_set_error_message(context, ret, + N_("PAC have two server checksums", "")); + goto out; + } + } else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) { + if (p->privsvr_checksum == NULL) { + p->privsvr_checksum = &p->pac->buffers[i]; + } + if (p->privsvr_checksum != &p->pac->buffers[i]) { + ret = EINVAL; + krb5_set_error_message(context, ret, + N_("PAC have two KDC checksums", "")); + goto out; + } + } else if (p->pac->buffers[i].type == PAC_LOGON_NAME) { + if (p->logon_name == NULL) { + p->logon_name = &p->pac->buffers[i]; + } + if (p->logon_name != &p->pac->buffers[i]) { + ret = EINVAL; + krb5_set_error_message(context, ret, + N_("PAC have two logon names", "")); + goto out; + } + } + } + if (p->logon_name == NULL) num++; if (p->server_checksum == NULL) diff --git a/lib/krb5/salt-des3.c b/lib/krb5/salt-des3.c index c62ba6cac..342bba0d0 100644 --- a/lib/krb5/salt-des3.c +++ b/lib/krb5/salt-des3.c @@ -71,7 +71,7 @@ DES3_string_to_key(krb5_context context, memcpy(keys + i, tmp + i * 8, sizeof(keys[i])); DES_set_odd_parity(keys + i); if(DES_is_weak_key(keys + i)) - _krb5_xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); + _krb5_xor8(*(keys + i), (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); DES_set_key_unchecked(keys + i, &s[i]); } memset(&ivec, 0, sizeof(ivec)); @@ -84,7 +84,7 @@ DES3_string_to_key(krb5_context context, memcpy(keys + i, tmp + i * 8, sizeof(keys[i])); DES_set_odd_parity(keys + i); if(DES_is_weak_key(keys + i)) - _krb5_xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); + _krb5_xor8(*(keys + i), (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); } memset(tmp, 0, sizeof(tmp)); } diff --git a/packages/windows/assembly/NTMakefile b/packages/windows/assembly/NTMakefile index 2b1422860..183856e0e 100644 --- a/packages/windows/assembly/NTMakefile +++ b/packages/windows/assembly/NTMakefile @@ -96,6 +96,7 @@ $(ASMKRBDIR)\$(ASMKRBNAME).cat: $(ASMKRBDIR)\$(ASMKRBMAN).cdf cd $(ASMKRBDIR) $(MAKECAT) $** $(_CODESIGN) + $(_CODESIGN_SHA256) cd $(SRCDIR) asm-krb: \ @@ -170,6 +171,7 @@ $(POLKRBCAT): $(POLKRBFILE).cdf cd $(POLKRBDIR) $(MAKECAT) $** $(_CODESIGN) + $(_CODESIGN_SHA256) cd $(SRCDIR) all:: $(POLKRBFILE) $(POLKRBCAT) diff --git a/windows/NTMakefile.config b/windows/NTMakefile.config index adde4b649..cea260ace 100644 --- a/windows/NTMakefile.config +++ b/windows/NTMakefile.config @@ -93,8 +93,11 @@ HAVE_SCC=1 DIR_hdbdir=%{COMMON_APPDATA}/heimdal/hdb -# Enable weak crypto -WEAK_CRYPTO=1 +# Disable weak crypto +WEAK_CRYPTO=0 + +# Enable hcrypt fallback mechanisms +HCRYPTO_FALLBACK=1 # Disable use of GSS LOCALNAME support NO_LOCALNAME=1 diff --git a/windows/NTMakefile.w32 b/windows/NTMakefile.w32 index 48e6aed26..1a35af9b0 100644 --- a/windows/NTMakefile.w32 +++ b/windows/NTMakefile.w32 @@ -123,7 +123,6 @@ LEX_CMD=flex.exe PYTHON=python.exe PERL=perl.exe CMP=cmp.exe -SIGNTOOL=signtool.exe MAKECAT=makecat.exe HHC=hhc.exe MAKEINFO=makeinfo.exe @@ -247,7 +246,7 @@ RC2RES = $(RC2RES_C) -fo $@ $** REQUIRED_TOOLS= \ "$(AWK_CMD)" "$(YACC_CMD)" "$(LEX_CMD)" "$(PYTHON)" "$(PERL)" \ - "$(CMP)" "$(SED)" "$(SIGNTOOL)" "$(MAKECAT)" "$(MAKEINFO)" "$(HHC)" + "$(CMP)" "$(SED)" "$(MAKECAT)" "$(MAKEINFO)" "$(HHC)" !ifdef BUILD_INSTALLERS REQUIRED_TOOLS=$(REQUIRED_TOOLS) "$(CANDLE_CMD)" "$(LIGHT_CMD)" @@ -488,6 +487,10 @@ _VC_MANIFEST_CLEAN= \ #---------------------------------------------------------------------- # Code and assembly signing # +# +# SIGNTOOL is fullpath to signtool.exe from Windows v8.1 or later SDK +# (earlier versions do not support SHA-2 signatures) +# # SIGNTOOL_C is any set of options required for certificate/private # key selection for code signging. # @@ -497,17 +500,27 @@ _VC_MANIFEST_CLEAN= \ !ifdef CODESIGN _CODESIGN=( $(CODESIGN) $@ ) +_CODESIGN_SHA256=( $(CODESIGN_SHA256) $@ ) !else +!ifndef SIGNTOOL +SIGNTOOL=signtool.exe +!endif + !ifdef SIGNTOOL_C !ifndef SIGNTOOL_T -SIGNTOOL_T=/t http://timestamp.verisign.com/scripts/timstamp.dll +SIGNTOOL_T=http://timestamp.verisign.com/scripts/timstamp.dll +!endif +!ifndef SIGNTOOL_T_SHA256 +SIGNTOOL_T_SHA256=http://timestamp.geotrust.com/tsa !endif -_CODESIGN=( $(SIGNTOOL) sign $(SIGNTOOL_O) $(SIGNTOOL_T) $(SIGNTOOL_C) /v $@ ) +_CODESIGN=( $(SIGNTOOL) sign /fd sha1 $(SIGNTOOL_O) /t $(SIGNTOOL_T) $(SIGNTOOL_C) /v $@ ) +_CODESIGN_SHA256=( $(SIGNTOOL) sign /as /fd sha256 $(SIGNTOOL_O) /tr $(SIGNTOOL_T_SHA256) $(SIGNTOOL_C) /v $@ ) !else _CODESIGN=( echo Skipping code sign ) +_CODESIGN_SHA256=( echo Skipping sha256 code sign ) !endif !endif @@ -539,22 +552,22 @@ SYMSTORE_IMPORT=@echo No symbol store # prepare binaries. EXEPREP=\ -( $(_VC_MANIFEST_EMBED_EXE) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) ) || ( $(RM) $@ && exit /b 1 ) +( $(_VC_MANIFEST_EMBED_EXE) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) && $(_CODESIGN_SHA256) ) || ( $(RM) $@ && exit /b 1 ) EXEPREP_NOHEIM=\ -( $(_VC_MANIFEST_EMBED_EXE_NOHEIM) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) ) || ( $(RM) $@ && exit /b 1 ) +( $(_VC_MANIFEST_EMBED_EXE_NOHEIM) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) && $(_CODESIGN_SHA256) ) || ( $(RM) $@ && exit /b 1 ) EXEPREP_NODIST=\ ( $(_VC_MANIFEST_EMBED_EXE_NOHEIM) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) ) || ( $(RM) $@ && exit /b 1 ) DLLPREP=\ -( $(_VC_MANIFEST_EMBED_DLL) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) ) || ( $(RM) $@ && exit /b 1 ) +( $(_VC_MANIFEST_EMBED_DLL) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) && $(_CODESIGN_SHA256) ) || ( $(RM) $@ && exit /b 1 ) DLLPREP_NODIST=\ ( $(_VC_MANIFEST_EMBED_DLL) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) ) || ( $(RM) $@ && exit /b 1 ) DLLPREP_MERGE=\ -( ( $(_MERGE_MANIFEST_DLL) || $(_INSERT_APPMANIFEST_DLL) && $(SYMSTORE_IMPORT) ) && $(_CODESIGN) ) || ( $(RM) $@ && exit /b 1 ) +( ( $(_MERGE_MANIFEST_DLL) || $(_INSERT_APPMANIFEST_DLL) && $(SYMSTORE_IMPORT) ) && $(_CODESIGN) && $(_CODESIGN_SHA256) ) || ( $(RM) $@ && exit /b 1 ) #---------------------------------------------------------------------- # Convenience macros for import libraries and assemblies diff --git a/windows/README.md b/windows/README.md index 7f1b6c81f..75d6fd5ad 100644 --- a/windows/README.md +++ b/windows/README.md @@ -35,13 +35,16 @@ work, but have not been tested. (Required for running tests). These can be found in the Cygwin distribution. MinGW or GnuWin32 may also be used instead of Cygwin. However, a recent build of `makeinfo` is required for building the - documentation. + documentation. Cygwin makeinfo 4.7 is known to work. * __Certificate for code-signing__: The Heimdal build produces a number of Assemblies that should be signed if they are to be installed via Windows Installer. In addition, all executable binaries produced by the build including installers can be signed and timestamped if a code-signing certificate is available. + As of 1 January 2016 Windows 7 and above require the use of sha256 + signatures. The signtool.exe provided with Windows SDK 8.1 or + later must be used. [1]: http://wix.sourceforge.net/ @@ -82,23 +85,34 @@ work, but have not been tested. set SIGNTOOL_C=/f c:\mycerts\codesign.pfx + set SIGNTOOL_C=/n "Certificate Subject Name" /a + - `SIGNTOOL_O`: Signing parameter options for `signtool`. Optional. E.g.: set SIGNTOOL_O=/du http://example.com/myheimdal - - `SIGNTOOL_T`: Timestamp options for `signtool`. If not specified, - defaults to `/t http://timestamp.verisign.com/scripts/timstamp.dll`. + - `SIGNTOOL_T`: SHA1 Timestamp URL for `signtool`. If not specified, + defaults to `http://timestamp.verisign.com/scripts/timstamp.dll`. + + - `SIGNTOOL_T_SHA256`: SHA256 Timestamp URL for `signtool`. If not + specified, defaults to `http://timestamp.geotrust.com/tsa`. - - `CODESIGN`: Code signer command. This environment variable, if + - `CODESIGN`: SHA1 Code signer command. This environment variable, if defined, overrides the `SIGNTOOL_*` variables. It should be defined to be a command that takes one parameter: the binary to be signed. + - `CODESIGN_SHA256`: SHA256 Code signer command. This environment variable, if + defined, applies a second SHA256 signature to the parameter. It should be + defined to be a command that takes one parameter: the binary to be + signed. + E.g.: set CODESIGN=c:\scripts\mycodesigner.cmd + set CODESIGN_SHA256=c:\scripts\mycodesigner256.cmd * Define the code sign public key token. This is contained in the environment variable `CODESIGN_PKT` and is needed to build the @@ -134,7 +148,7 @@ The build can also be invoked from any subdirectory that contains an inter-dependencies between directories and therefore it is recommended that a full build be invoked from the root of the source tree. -Tests can be invoked as: +Tests can be invoked, after a full build, by executing: nmake /f NTMakefile test |