From 7cd40a610569d5e54ebe323672794fb6415b5dac Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 7 Jan 2016 14:12:14 +0100 Subject: lib/krb5: allow predefined PAC_{LOGON_NAME,PRIVSVR_CHECKSUM,SERVER_CHECKSUM} elements in _krb5_pac_sign() A caller may want to specify an explicit order of PAC elements, e.g. the PAC_UPN_DNS_INFO element should be placed after the PAC_LOGON_NAME element. Signed-off-by: Stefan Metzmacher --- lib/krb5/pac.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/lib/krb5/pac.c b/lib/krb5/pac.c index 9b03dfc79..23167df5b 100644 --- a/lib/krb5/pac.c +++ b/lib/krb5/pac.c @@ -986,6 +986,40 @@ _krb5_pac_sign(krb5_context context, krb5_data_zero(&logon); + for (i = 0; i < p->pac->numbuffers; i++) { + if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) { + if (p->server_checksum == NULL) { + p->server_checksum = &p->pac->buffers[i]; + } + if (p->server_checksum != &p->pac->buffers[i]) { + ret = EINVAL; + krb5_set_error_message(context, ret, + N_("PAC have two server checksums", "")); + goto out; + } + } else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) { + if (p->privsvr_checksum == NULL) { + p->privsvr_checksum = &p->pac->buffers[i]; + } + if (p->privsvr_checksum != &p->pac->buffers[i]) { + ret = EINVAL; + krb5_set_error_message(context, ret, + N_("PAC have two KDC checksums", "")); + goto out; + } + } else if (p->pac->buffers[i].type == PAC_LOGON_NAME) { + if (p->logon_name == NULL) { + p->logon_name = &p->pac->buffers[i]; + } + if (p->logon_name != &p->pac->buffers[i]) { + ret = EINVAL; + krb5_set_error_message(context, ret, + N_("PAC have two logon names", "")); + goto out; + } + } + } + if (p->logon_name == NULL) num++; if (p->server_checksum == NULL) -- cgit v1.2.3 From 4c1728ff7300df38e7e1916659605395cb0a3f65 Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Mon, 18 Apr 2016 22:56:04 -0500 Subject: Windows: code sign gsstool.exe Change-Id: I1d79de51bdeefe1611eb69248d11d411361ab5d6 --- lib/gssapi/NTMakefile | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/gssapi/NTMakefile b/lib/gssapi/NTMakefile index 098118fd6..402b110a1 100644 --- a/lib/gssapi/NTMakefile +++ b/lib/gssapi/NTMakefile @@ -553,6 +553,7 @@ all-tools:: $(BINDIR)\gsstool.exe $(BINDIR)\gsstool.exe: $(OBJ)\gsstool.obj $(OBJ)\gss-commands.obj $(LIBGSSAPI) $(LIBROKEN) $(LIBSL) $(LIBVERS) $(EXECONLINK) + $(EXEPREP) $(OBJ)\gss-commands.c $(OBJ)\gss-commands.h: gss-commands.in cd $(OBJ) -- cgit v1.2.3 From bc20b5fad07103660258b81fcd49597139863a85 Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Mon, 18 Apr 2016 23:02:48 -0500 Subject: Windows: do not search for signtool.exe Permit an explicit version of signtool.exe to be specified via an environment variable. Now that sha256 signatures are required the version of signtool.exe that matches the SDK or Visual Studio version might not be sufficient to apply code signatures. Change-Id: I694e2b319bd692d6358ae7ce3d241da2da7648f8 --- windows/NTMakefile.w32 | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/windows/NTMakefile.w32 b/windows/NTMakefile.w32 index 48e6aed26..94fd9562d 100644 --- a/windows/NTMakefile.w32 +++ b/windows/NTMakefile.w32 @@ -123,7 +123,6 @@ LEX_CMD=flex.exe PYTHON=python.exe PERL=perl.exe CMP=cmp.exe -SIGNTOOL=signtool.exe MAKECAT=makecat.exe HHC=hhc.exe MAKEINFO=makeinfo.exe @@ -247,7 +246,7 @@ RC2RES = $(RC2RES_C) -fo $@ $** REQUIRED_TOOLS= \ "$(AWK_CMD)" "$(YACC_CMD)" "$(LEX_CMD)" "$(PYTHON)" "$(PERL)" \ - "$(CMP)" "$(SED)" "$(SIGNTOOL)" "$(MAKECAT)" "$(MAKEINFO)" "$(HHC)" + "$(CMP)" "$(SED)" "$(MAKECAT)" "$(MAKEINFO)" "$(HHC)" !ifdef BUILD_INSTALLERS REQUIRED_TOOLS=$(REQUIRED_TOOLS) "$(CANDLE_CMD)" "$(LIGHT_CMD)" @@ -488,6 +487,10 @@ _VC_MANIFEST_CLEAN= \ #---------------------------------------------------------------------- # Code and assembly signing # +# +# SIGNTOOL is fullpath to signtool.exe from Windows v8.1 or later SDK +# (earlier versions do not support SHA-2 signatures) +# # SIGNTOOL_C is any set of options required for certificate/private # key selection for code signging. # @@ -499,6 +502,10 @@ _VC_MANIFEST_CLEAN= \ _CODESIGN=( $(CODESIGN) $@ ) !else +!ifndef SIGNTOOL +SIGNTOOL=signtool.exe +!endif + !ifdef SIGNTOOL_C !ifndef SIGNTOOL_T -- cgit v1.2.3 From a234ee5265088d7bdf78420b125114eb66ccd56b Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Mon, 18 Apr 2016 23:10:48 -0500 Subject: Windows: Update code signing to support SHA256 Change-Id: I324e7c56fd73a744127c50e8fc136e8b23d860b0 --- packages/windows/assembly/NTMakefile | 2 ++ windows/NTMakefile.w32 | 17 +++++++++++------ windows/README.md | 24 +++++++++++++++++++----- 3 files changed, 32 insertions(+), 11 deletions(-) diff --git a/packages/windows/assembly/NTMakefile b/packages/windows/assembly/NTMakefile index 2b1422860..183856e0e 100644 --- a/packages/windows/assembly/NTMakefile +++ b/packages/windows/assembly/NTMakefile @@ -96,6 +96,7 @@ $(ASMKRBDIR)\$(ASMKRBNAME).cat: $(ASMKRBDIR)\$(ASMKRBMAN).cdf cd $(ASMKRBDIR) $(MAKECAT) $** $(_CODESIGN) + $(_CODESIGN_SHA256) cd $(SRCDIR) asm-krb: \ @@ -170,6 +171,7 @@ $(POLKRBCAT): $(POLKRBFILE).cdf cd $(POLKRBDIR) $(MAKECAT) $** $(_CODESIGN) + $(_CODESIGN_SHA256) cd $(SRCDIR) all:: $(POLKRBFILE) $(POLKRBCAT) diff --git a/windows/NTMakefile.w32 b/windows/NTMakefile.w32 index 94fd9562d..49099701d 100644 --- a/windows/NTMakefile.w32 +++ b/windows/NTMakefile.w32 @@ -500,6 +500,7 @@ _VC_MANIFEST_CLEAN= \ !ifdef CODESIGN _CODESIGN=( $(CODESIGN) $@ ) +_CODESIGN_SHA256=( $(CODESIGN_SHA256) $@ ) !else !ifndef SIGNTOOL @@ -509,10 +510,14 @@ SIGNTOOL=signtool.exe !ifdef SIGNTOOL_C !ifndef SIGNTOOL_T -SIGNTOOL_T=/t http://timestamp.verisign.com/scripts/timstamp.dll +SIGNTOOL_T=http://timestamp.verisign.com/scripts/timstamp.dll +!endif +!ifndef SIGNTOOL_T_SHA256 +SIGNTOOL_T_SHA256=http://timestamp.geotrust.com/tsa !endif -_CODESIGN=( $(SIGNTOOL) sign $(SIGNTOOL_O) $(SIGNTOOL_T) $(SIGNTOOL_C) /v $@ ) +_CODESIGN=( $(SIGNTOOL) sign /fd sha1 $(SIGNTOOL_O) /t $(SIGNTOOL_T) $(SIGNTOOL_C) /v $@ ) +_CODESIGN_SHA256=( $(SIGNTOOL) sign /as /fd sha256 $(SIGNTOOL_O) /tr $(SIGNTOOL_T_SHA256) $(SIGNTOOL_C) /v $@ ) !else _CODESIGN=( echo Skipping code sign ) !endif @@ -546,22 +551,22 @@ SYMSTORE_IMPORT=@echo No symbol store # prepare binaries. EXEPREP=\ -( $(_VC_MANIFEST_EMBED_EXE) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) ) || ( $(RM) $@ && exit /b 1 ) +( $(_VC_MANIFEST_EMBED_EXE) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) && $(_CODESIGN_SHA256) ) || ( $(RM) $@ && exit /b 1 ) EXEPREP_NOHEIM=\ -( $(_VC_MANIFEST_EMBED_EXE_NOHEIM) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) ) || ( $(RM) $@ && exit /b 1 ) +( $(_VC_MANIFEST_EMBED_EXE_NOHEIM) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) && $(_CODESIGN_SHA256) ) || ( $(RM) $@ && exit /b 1 ) EXEPREP_NODIST=\ ( $(_VC_MANIFEST_EMBED_EXE_NOHEIM) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) ) || ( $(RM) $@ && exit /b 1 ) DLLPREP=\ -( $(_VC_MANIFEST_EMBED_DLL) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) ) || ( $(RM) $@ && exit /b 1 ) +( $(_VC_MANIFEST_EMBED_DLL) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) && $(_CODESIGN_SHA256) ) || ( $(RM) $@ && exit /b 1 ) DLLPREP_NODIST=\ ( $(_VC_MANIFEST_EMBED_DLL) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) ) || ( $(RM) $@ && exit /b 1 ) DLLPREP_MERGE=\ -( ( $(_MERGE_MANIFEST_DLL) || $(_INSERT_APPMANIFEST_DLL) && $(SYMSTORE_IMPORT) ) && $(_CODESIGN) ) || ( $(RM) $@ && exit /b 1 ) +( ( $(_MERGE_MANIFEST_DLL) || $(_INSERT_APPMANIFEST_DLL) && $(SYMSTORE_IMPORT) ) && $(_CODESIGN) && $(_CODESIGN_SHA256) ) || ( $(RM) $@ && exit /b 1 ) #---------------------------------------------------------------------- # Convenience macros for import libraries and assemblies diff --git a/windows/README.md b/windows/README.md index 7f1b6c81f..75d6fd5ad 100644 --- a/windows/README.md +++ b/windows/README.md @@ -35,13 +35,16 @@ work, but have not been tested. (Required for running tests). These can be found in the Cygwin distribution. MinGW or GnuWin32 may also be used instead of Cygwin. However, a recent build of `makeinfo` is required for building the - documentation. + documentation. Cygwin makeinfo 4.7 is known to work. * __Certificate for code-signing__: The Heimdal build produces a number of Assemblies that should be signed if they are to be installed via Windows Installer. In addition, all executable binaries produced by the build including installers can be signed and timestamped if a code-signing certificate is available. + As of 1 January 2016 Windows 7 and above require the use of sha256 + signatures. The signtool.exe provided with Windows SDK 8.1 or + later must be used. [1]: http://wix.sourceforge.net/ @@ -82,23 +85,34 @@ work, but have not been tested. set SIGNTOOL_C=/f c:\mycerts\codesign.pfx + set SIGNTOOL_C=/n "Certificate Subject Name" /a + - `SIGNTOOL_O`: Signing parameter options for `signtool`. Optional. E.g.: set SIGNTOOL_O=/du http://example.com/myheimdal - - `SIGNTOOL_T`: Timestamp options for `signtool`. If not specified, - defaults to `/t http://timestamp.verisign.com/scripts/timstamp.dll`. + - `SIGNTOOL_T`: SHA1 Timestamp URL for `signtool`. If not specified, + defaults to `http://timestamp.verisign.com/scripts/timstamp.dll`. + + - `SIGNTOOL_T_SHA256`: SHA256 Timestamp URL for `signtool`. If not + specified, defaults to `http://timestamp.geotrust.com/tsa`. - - `CODESIGN`: Code signer command. This environment variable, if + - `CODESIGN`: SHA1 Code signer command. This environment variable, if defined, overrides the `SIGNTOOL_*` variables. It should be defined to be a command that takes one parameter: the binary to be signed. + - `CODESIGN_SHA256`: SHA256 Code signer command. This environment variable, if + defined, applies a second SHA256 signature to the parameter. It should be + defined to be a command that takes one parameter: the binary to be + signed. + E.g.: set CODESIGN=c:\scripts\mycodesigner.cmd + set CODESIGN_SHA256=c:\scripts\mycodesigner256.cmd * Define the code sign public key token. This is contained in the environment variable `CODESIGN_PKT` and is needed to build the @@ -134,7 +148,7 @@ The build can also be invoked from any subdirectory that contains an inter-dependencies between directories and therefore it is recommended that a full build be invoked from the root of the source tree. -Tests can be invoked as: +Tests can be invoked, after a full build, by executing: nmake /f NTMakefile test -- cgit v1.2.3 From e02832b199454c4a9913be4cc910af0c74be1f4a Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Mon, 18 Apr 2016 18:02:19 -0500 Subject: Fix initialization race in evp-openssl.c --- lib/hcrypto/evp-openssl.c | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) diff --git a/lib/hcrypto/evp-openssl.c b/lib/hcrypto/evp-openssl.c index 0c50ee1ee..88fd40d4d 100644 --- a/lib/hcrypto/evp-openssl.c +++ b/lib/hcrypto/evp-openssl.c @@ -86,7 +86,6 @@ struct once_init_cipher_ctx { hc_EVP_CIPHER *hc_memoize; const hc_EVP_CIPHER *fallback; unsigned long flags; - unsigned char *initialized; int nid; }; @@ -207,7 +206,6 @@ get_EVP_CIPHER_once_cb(void *d) if (ossl_evp == NULL) { (void) memset(hc_evp, 0, sizeof(*hc_evp)); *arg->hc_memoizep = arg->fallback; - *arg->initialized = 1; return; } @@ -240,14 +238,13 @@ get_EVP_CIPHER_once_cb(void *d) /* Finally, set the static hc_EVP_CIPHER * to the one we just built */ *arg->hc_memoizep = hc_evp; - *arg->initialized = 1; } static const hc_EVP_CIPHER * get_EVP_CIPHER(heim_base_once_t *once, hc_EVP_CIPHER *hc_memoize, const hc_EVP_CIPHER **hc_memoizep, const hc_EVP_CIPHER *fallback, - unsigned long flags, unsigned char *initialized, int nid) + unsigned long flags, int nid) { struct once_init_cipher_ctx arg; @@ -255,7 +252,6 @@ get_EVP_CIPHER(heim_base_once_t *once, hc_EVP_CIPHER *hc_memoize, arg.hc_memoizep = hc_memoizep; arg.hc_memoize = hc_memoize; arg.fallback = fallback; - arg.initialized = initialized; arg.nid = nid; heim_base_once_f(once, &arg, get_EVP_CIPHER_once_cb); return *hc_memoizep; /* May be NULL */ @@ -268,12 +264,9 @@ get_EVP_CIPHER(heim_base_once_t *once, hc_EVP_CIPHER *hc_memoize, static hc_EVP_CIPHER ossl_##name##_st; \ static const hc_EVP_CIPHER *ossl_##name; \ static heim_base_once_t once = HEIM_BASE_ONCE_INIT; \ - static unsigned char initialized; \ - if (initialized) \ - return ossl_##name; \ return get_EVP_CIPHER(&once, &ossl_##name##_st, &ossl_##name, \ hc_EVP_hcrypto_##name(), \ - flags, &initialized, NID_##name); \ + flags, NID_##name); \ } /* As above, but for EVP_MDs */ @@ -340,7 +333,6 @@ struct once_init_md_ctx { const hc_EVP_MD *fallback; hc_evp_md_init md_init; int nid; - unsigned char *initialized; }; static void @@ -356,7 +348,6 @@ get_EVP_MD_once_cb(void *d) if (ossl_evp == NULL) { (void) memset(hc_evp, 0, sizeof(*hc_evp)); *arg->hc_memoizep = arg->fallback; - *arg->initialized = 1; return; } @@ -368,14 +359,13 @@ get_EVP_MD_once_cb(void *d) hc_evp->cleanup = ossl_md_cleanup; *arg->hc_memoizep = hc_evp; - *arg->initialized = 1; } static const hc_EVP_MD * get_EVP_MD(heim_base_once_t *once, hc_EVP_MD *hc_memoize, const hc_EVP_MD **hc_memoizep, const EVP_MD **ossl_memoizep, const hc_EVP_MD *fallback, - hc_evp_md_init md_init, unsigned char *initialized, int nid) + hc_evp_md_init md_init, int nid) { struct once_init_md_ctx ctx; @@ -384,7 +374,6 @@ get_EVP_MD(heim_base_once_t *once, hc_EVP_MD *hc_memoize, ctx.hc_memoize = hc_memoize; ctx.fallback = fallback; ctx.md_init = md_init; - ctx.initialized = initialized; ctx.nid = nid; heim_base_once_f(once, &ctx, get_EVP_MD_once_cb); return *hc_memoizep; /* May be NULL */ @@ -402,12 +391,9 @@ get_EVP_MD(heim_base_once_t *once, hc_EVP_MD *hc_memoize, { \ static hc_EVP_MD ossl_##name##_st; \ static heim_base_once_t once = HEIM_BASE_ONCE_INIT; \ - static unsigned char initialized; \ - if (initialized) \ - return ossl_##name; \ return get_EVP_MD(&once, &ossl_##name##_st, &ossl_##name, \ &ossl_EVP_##name, hc_EVP_hcrypto_##name(), \ - ossl_init_##name, &initialized, NID_##name); \ + ossl_init_##name, NID_##name); \ } #else /* HAVE_HCRYPTO_W_OPENSSL */ -- cgit v1.2.3 From a9887a843fc8001d122db97d1e3dd59ba78a24db Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Mon, 18 Apr 2016 18:20:32 -0500 Subject: cf/crypto.m4: use AC_DEFINE() for hcrypto provider --- cf/crypto.m4 | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/cf/crypto.m4 b/cf/crypto.m4 index 075568b1b..6397fb049 100644 --- a/cf/crypto.m4 +++ b/cf/crypto.m4 @@ -67,7 +67,17 @@ AC_DEFUN([KRB_CRYPTO],[ AC_ARG_WITH([hcrypto-default-backend], AS_HELP_STRING([--with-hcrypto-default-backend=cc|pkcs11_hcrypto|ossl|w32crypto|hcrypto], [specify the default hcrypto backend]), - [CFLAGS="${CFLAGS} -DHCRYPTO_DEF_PROVIDER=${withval}"], + [ + CFLAGS="${CFLAGS} -DHCRYPTO_DEF_PROVIDER=${withval}" + case "$withval" in + cc) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [cc], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);; + pkcs11_hcrypto) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [pkcs11_hcrypto], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);; + ossl) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [ossl], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);; + w32crypto) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [w32crypto], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);; + hcrypto) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [hcrypto], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);; + *) echo "Invalid hcrypto provider name ($withval)"; exit 5;; + esac + ], []) AC_WITH_ALL([openssl]) -- cgit v1.2.3 From 12c922266b434fde608095f1ce4391710f9f8b3b Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Tue, 19 Apr 2016 11:26:09 -0500 Subject: Fix 1DES/3DES cast bug and build --- lib/krb5/crypto-des-common.c | 3 +-- lib/krb5/crypto-des.c | 2 +- lib/krb5/crypto-des3.c | 2 +- lib/krb5/salt-des3.c | 4 ++-- 4 files changed, 5 insertions(+), 6 deletions(-) diff --git a/lib/krb5/crypto-des-common.c b/lib/krb5/crypto-des-common.c index ae9a10942..2565914de 100644 --- a/lib/krb5/crypto-des-common.c +++ b/lib/krb5/crypto-des-common.c @@ -40,9 +40,8 @@ */ KRB5_LIB_FUNCTION void KRB5_LIB_CALL -_krb5_xor (DES_cblock *key, const unsigned char *b) +_krb5_xor8(unsigned char *a, const unsigned char *b) { - unsigned char *a = (unsigned char*)key; a[0] ^= b[0]; a[1] ^= b[1]; a[2] ^= b[2]; diff --git a/lib/krb5/crypto-des.c b/lib/krb5/crypto-des.c index a4430771d..8ea145b56 100644 --- a/lib/krb5/crypto-des.c +++ b/lib/krb5/crypto-des.c @@ -65,7 +65,7 @@ krb5_DES_random_to_key(krb5_context context, memcpy(k, data, key->keyvalue.length); DES_set_odd_parity(k); if(DES_is_weak_key(k)) - _krb5_xor(k, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); + _krb5_xor8(*k, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); } static struct _krb5_key_type keytype_des_old = { diff --git a/lib/krb5/crypto-des3.c b/lib/krb5/crypto-des3.c index 37fadf591..566f31603 100644 --- a/lib/krb5/crypto-des3.c +++ b/lib/krb5/crypto-des3.c @@ -278,6 +278,6 @@ _krb5_DES3_random_to_key(krb5_context context, for (i = 0; i < 3; i++) { DES_set_odd_parity(&k[i]); if(DES_is_weak_key(&k[i])) - _krb5_xor(&k[i], (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); + _krb5_xor8(k[i], (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); } } diff --git a/lib/krb5/salt-des3.c b/lib/krb5/salt-des3.c index c62ba6cac..342bba0d0 100644 --- a/lib/krb5/salt-des3.c +++ b/lib/krb5/salt-des3.c @@ -71,7 +71,7 @@ DES3_string_to_key(krb5_context context, memcpy(keys + i, tmp + i * 8, sizeof(keys[i])); DES_set_odd_parity(keys + i); if(DES_is_weak_key(keys + i)) - _krb5_xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); + _krb5_xor8(*(keys + i), (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); DES_set_key_unchecked(keys + i, &s[i]); } memset(&ivec, 0, sizeof(ivec)); @@ -84,7 +84,7 @@ DES3_string_to_key(krb5_context context, memcpy(keys + i, tmp + i * 8, sizeof(keys[i])); DES_set_odd_parity(keys + i); if(DES_is_weak_key(keys + i)) - _krb5_xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); + _krb5_xor8(*(keys + i), (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); } memset(tmp, 0, sizeof(tmp)); } -- cgit v1.2.3 From 7df276258a328a71b2702067fce9be97bf4ee4a2 Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Tue, 19 Apr 2016 12:30:54 -0500 Subject: Fix mis-merge in evp-openssl.c --- lib/hcrypto/evp-openssl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/hcrypto/evp-openssl.c b/lib/hcrypto/evp-openssl.c index 88fd40d4d..66cbf4344 100644 --- a/lib/hcrypto/evp-openssl.c +++ b/lib/hcrypto/evp-openssl.c @@ -352,6 +352,8 @@ get_EVP_MD_once_cb(void *d) } /* Build the hc_EVP_MD */ + hc_evp->block_size = EVP_MD_block_size(ossl_evp); + hc_evp->hash_size = EVP_MD_size(ossl_evp); hc_evp->ctx_size = sizeof(struct ossl_md_ctx); hc_evp->init = arg->md_init; hc_evp->update = ossl_md_update; -- cgit v1.2.3 From e751e09108fd34a80e1de87ebd7cc0a706ae46b6 Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Tue, 19 Apr 2016 12:31:10 -0500 Subject: Fix warnings in test_bulk.c --- lib/hcrypto/test_bulk.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/hcrypto/test_bulk.c b/lib/hcrypto/test_bulk.c index fa087f379..1abe41d81 100644 --- a/lib/hcrypto/test_bulk.c +++ b/lib/hcrypto/test_bulk.c @@ -160,7 +160,8 @@ test_bulk_cipher(const char *cname, const EVP_CIPHER *c) errx(1, "encrypt/decrypt inconsistent"); } - printf("%s: mean time %llu usec%s\n", cname, M, (M == 1) ? "" : "s"); + printf("%s: mean time %llu usec%s\n", cname, (unsigned long long)M, + (M == 1) ? "" : "s"); return 0; } @@ -184,7 +185,8 @@ test_bulk_digest(const char *cname, const EVP_MD *md) STATS_END(M); } - printf("%s: mean time %llu usec%s\n", cname, M, (M == 1) ? "" : "s"); + printf("%s: mean time %llu usec%s\n", cname, (unsigned long long)M, + (M == 1) ? "" : "s"); return 0; } -- cgit v1.2.3 From 95a996ceaee8e12cefc860d1f6b1f9be66c2ed81 Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Mon, 18 Apr 2016 18:20:56 -0500 Subject: Add --without-hcrypto-fallback option --- cf/crypto.m4 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/cf/crypto.m4 b/cf/crypto.m4 index 6397fb049..44b77c1d0 100644 --- a/cf/crypto.m4 +++ b/cf/crypto.m4 @@ -79,6 +79,11 @@ AC_ARG_WITH([hcrypto-default-backend], esac ], []) +AC_ARG_WITH([hcrypto-fallback], + AS_HELP_STRING([--without-hcrypto-fallback], + [disable fallback on hcrypto for unavailable algorithms]), + [AC_DEFINE([HCRYPTO_FALLBACK],0,[Set to 1 to allow fallback to hcrypto for unavailable algorithms])], + [AC_DEFINE([HCRYPTO_FALLBACK],1,[Set to 1 to allow fallback to hcrypto for unavailable algorithms])]) AC_WITH_ALL([openssl]) AC_MSG_CHECKING([for crypto library]) -- cgit v1.2.3 From 8a749ced784d9c8c172811b029b8f453c5910db9 Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Mon, 18 Apr 2016 18:21:36 -0500 Subject: Check HCRYPTO_FALLBACK in ossl backend --- lib/hcrypto/evp-openssl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/hcrypto/evp-openssl.c b/lib/hcrypto/evp-openssl.c index 66cbf4344..cf9f03419 100644 --- a/lib/hcrypto/evp-openssl.c +++ b/lib/hcrypto/evp-openssl.c @@ -205,7 +205,9 @@ get_EVP_CIPHER_once_cb(void *d) ossl_evp = EVP_get_cipherbynid(arg->nid); if (ossl_evp == NULL) { (void) memset(hc_evp, 0, sizeof(*hc_evp)); +#if HCRYPTO_FALLBACK *arg->hc_memoizep = arg->fallback; +#endif return; } @@ -347,7 +349,9 @@ get_EVP_MD_once_cb(void *d) if (ossl_evp == NULL) { (void) memset(hc_evp, 0, sizeof(*hc_evp)); +#if HCRYPTO_FALLBACK *arg->hc_memoizep = arg->fallback; +#endif return; } -- cgit v1.2.3 From 7f96a2cc1a71423b45bf31f44acce7e9e6d944d9 Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Tue, 19 Apr 2016 13:40:06 -0500 Subject: Check HCRYPTO_FALLBACK in CC backend --- lib/hcrypto/evp-cc.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/lib/hcrypto/evp-cc.c b/lib/hcrypto/evp-cc.c index 8f317a670..eb4793b64 100644 --- a/lib/hcrypto/evp-cc.c +++ b/lib/hcrypto/evp-cc.c @@ -175,6 +175,8 @@ EVP_cc_des_ede3_cbc(void) NULL }; return &des_ede3_cbc; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_des_ede3_cbc(); #else return NULL; #endif @@ -225,6 +227,8 @@ EVP_cc_des_cbc(void) NULL }; return &des_ede3_cbc; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_des_cbc(); #else return NULL; #endif @@ -275,6 +279,8 @@ EVP_cc_aes_128_cbc(void) NULL }; return &c; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_aes_128_cbc(); #else return NULL; #endif @@ -308,6 +314,8 @@ EVP_cc_aes_192_cbc(void) NULL }; return &c; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_aes_192_cbc(); #else return NULL; #endif @@ -341,6 +349,8 @@ EVP_cc_aes_256_cbc(void) NULL }; return &c; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_aes_256_cbc(); #else return NULL; #endif @@ -391,6 +401,8 @@ EVP_cc_aes_128_cfb8(void) NULL }; return &c; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_aes_128_cfb8(); #else return NULL; #endif @@ -424,6 +436,8 @@ EVP_cc_aes_192_cfb8(void) NULL }; return &c; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_aes_192_cfb8(); #else return NULL; #endif @@ -457,6 +471,8 @@ EVP_cc_aes_256_cfb8(void) NULL }; return &c; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_aes_256_cfb8(); #else return NULL; #endif @@ -508,6 +524,8 @@ EVP_cc_rc2_cbc(void) NULL }; return &rc2_cbc; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_rc2_cbc(); #else return NULL; #endif @@ -542,6 +560,8 @@ EVP_cc_rc2_40_cbc(void) NULL }; return &rc2_40_cbc; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_rc2_40_cbc(); #else return NULL; #endif @@ -577,6 +597,8 @@ EVP_cc_rc2_64_cbc(void) NULL }; return &rc2_64_cbc; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_rc2_64_cbc(); #else return NULL; #endif @@ -602,6 +624,8 @@ EVP_cc_md2(void) (hc_evp_md_cleanup)NULL }; return &md2; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_md2(); #else return NULL; #endif @@ -627,6 +651,8 @@ EVP_cc_md4(void) (hc_evp_md_cleanup)NULL }; return &md4; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_md4(); #else return NULL; #endif @@ -652,6 +678,8 @@ EVP_cc_md5(void) (hc_evp_md_cleanup)NULL }; return &md5; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_md5(); #else return NULL; #endif @@ -677,6 +705,8 @@ EVP_cc_sha1(void) (hc_evp_md_cleanup)NULL }; return &sha1; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_sha1(); #else return NULL; #endif @@ -702,6 +732,8 @@ EVP_cc_sha256(void) (hc_evp_md_cleanup)NULL }; return &sha256; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_sha256(); #else return NULL; #endif @@ -727,6 +759,8 @@ EVP_cc_sha384(void) (hc_evp_md_cleanup)NULL }; return &sha384; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_sha384(); #else return NULL; #endif @@ -752,6 +786,8 @@ EVP_cc_sha512(void) (hc_evp_md_cleanup)NULL }; return &sha512; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_sha512(); #else return NULL; #endif @@ -768,7 +804,11 @@ EVP_cc_sha512(void) const EVP_CIPHER * EVP_cc_camellia_128_cbc(void) { +#if HCRYPTO_FALLBACK + return EVP_hcrypto_camellia_128_cbc(); +#else return NULL; +#endif } /** @@ -782,7 +822,11 @@ EVP_cc_camellia_128_cbc(void) const EVP_CIPHER * EVP_cc_camellia_192_cbc(void) { +#if HCRYPTO_FALLBACK + return EVP_hcrypto_camellia_192_cbc(); +#else return NULL; +#endif } /** @@ -796,7 +840,11 @@ EVP_cc_camellia_192_cbc(void) const EVP_CIPHER * EVP_cc_camellia_256_cbc(void) { +#if HCRYPTO_FALLBACK + return EVP_hcrypto_camellia_256_cbc(); +#else return NULL; +#endif } #ifdef HAVE_COMMONCRYPTO_COMMONCRYPTOR_H @@ -847,6 +895,8 @@ EVP_cc_rc4(void) NULL }; return &rc4; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_rc4(); #else return NULL; #endif @@ -881,6 +931,8 @@ EVP_cc_rc4_40(void) NULL }; return &rc4_40; +#elif HCRYPTO_FALLBACK + return EVP_hcrypto_rc4_40(); #else return NULL; #endif -- cgit v1.2.3 From c6c858c0caa7ec7d1a7cc5ca75815b66d3881fbd Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Tue, 19 Apr 2016 13:40:14 -0500 Subject: Check HCRYPTO_FALLBACK in PKCS#11 backend --- lib/hcrypto/evp-pkcs11.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/hcrypto/evp-pkcs11.c b/lib/hcrypto/evp-pkcs11.c index 3118e7f5f..b648640c0 100644 --- a/lib/hcrypto/evp-pkcs11.c +++ b/lib/hcrypto/evp-pkcs11.c @@ -443,7 +443,7 @@ p11_md_cleanup(EVP_MD_CTX *ctx) const EVP_CIPHER *cipher; \ \ cipher = hc_EVP_pkcs11_ ##name(); \ - if (cipher == NULL) \ + if (cipher == NULL && HCRYPTO_FALLBACK) \ cipher = hc_EVP_hcrypto_ ##name(); \ \ *((const EVP_CIPHER **)context) = cipher; \ @@ -493,7 +493,7 @@ p11_md_cleanup(EVP_MD_CTX *ctx) const EVP_MD *md; \ \ md = hc_EVP_pkcs11_ ##name(); \ - if (md == NULL) \ + if (md == NULL && HCRYPTO_FALLBACK) \ md = hc_EVP_hcrypto_ ##name(); \ \ *((const EVP_MD **)context) = md; \ -- cgit v1.2.3 From ca0dff891b2c5ade16f3c2a4295f725d78f3a7b8 Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Tue, 19 Apr 2016 13:40:24 -0500 Subject: Check HCRYPTO_FALLBACK in W32 backend --- lib/hcrypto/evp-w32.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/hcrypto/evp-w32.c b/lib/hcrypto/evp-w32.c index e58273353..7d14d1f4f 100644 --- a/lib/hcrypto/evp-w32.c +++ b/lib/hcrypto/evp-w32.c @@ -96,8 +96,10 @@ _hc_w32crypto_DllMain(HINSTANCE hinstDLL, { \ if (wincng_check_availability()) \ return hc_EVP_wincng_ ##name (); \ - else \ + else if (HCRYPTO_FALLBACK) \ return hc_EVP_hcrypto_ ##name (); \ + else \ + return NULL; \ } #define EVP_W32CRYPTO_PROVIDER_CNG_UNAVAILABLE(type, name) \ -- cgit v1.2.3 From a460601ee3803e459961644f77924892317e8a54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jelmer=20Vernoo=C4=B3?= Date: Wed, 20 Apr 2016 12:15:27 +0000 Subject: Properly fix parallel builds. --- kdc/Makefile.am | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kdc/Makefile.am b/kdc/Makefile.am index ade443ffb..962f2f608 100644 --- a/kdc/Makefile.am +++ b/kdc/Makefile.am @@ -19,9 +19,9 @@ man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8 string2key.8 hprop_SOURCES = hprop.c mit_dump.c hprop.h hpropd_SOURCES = hpropd.c hprop.h -kstash_SOURCES = kstash.c headers.h $(srcdir)/kdc-protos.h +kstash_SOURCES = kstash.c headers.h -string2key_SOURCES = string2key.c headers.h $(srcdir)/kdc-protos.h +string2key_SOURCES = string2key.c headers.h digest_service_SOURCES = \ digest-service.c @@ -58,7 +58,7 @@ ALL_OBJECTS = $(kdc_OBJECTS) ALL_OBJECTS += $(kdc_replay_OBJECTS) ALL_OBJECTS += $(kdc_tester_OBJECTS) ALL_OBJECTS += $(libkdc_la_OBJECTS) -ALL_OBJECTS += $(string_to_key_OBJECTS) +ALL_OBJECTS += $(string2key_OBJECTS) ALL_OBJECTS += $(kstash_OBJECTS) ALL_OBJECTS += $(hprop_OBJECTS) ALL_OBJECTS += $(hpropd_OBJECTS) -- cgit v1.2.3 From c7513145010a3e019286ac2d547f930b9ebb4718 Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Sat, 23 Apr 2016 18:59:17 -0400 Subject: Windows: disable weak crypto Weak crypto is disabled on every other system. OpenAFS no longer requires it and AuriStor doesn't need it. Turn it off. Change-Id: I6fab2328f71d1c38a655560ab0f83b8df9b53c73 --- windows/NTMakefile.config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/NTMakefile.config b/windows/NTMakefile.config index adde4b649..429dce817 100644 --- a/windows/NTMakefile.config +++ b/windows/NTMakefile.config @@ -93,8 +93,8 @@ HAVE_SCC=1 DIR_hdbdir=%{COMMON_APPDATA}/heimdal/hdb -# Enable weak crypto -WEAK_CRYPTO=1 +# Disable weak crypto +WEAK_CRYPTO=0 # Disable use of GSS LOCALNAME support NO_LOCALNAME=1 -- cgit v1.2.3 From a4dae2513fdf00676285c3fa8a71759ae6461be9 Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Sat, 23 Apr 2016 19:00:16 -0400 Subject: Windows: add HCRYPTO_FALLBACK config to build system HCRYPTO_FALLBACK is a required definition for building lib/hcrypto. However, it wasn't added to the Windows build system. This change does so and enables fallback functionality. Change-Id: I4a711c6da58e8832a61a3c0b2b8d9b10038425f0 --- include/NTMakefile | 1 + windows/NTMakefile.config | 3 +++ 2 files changed, 4 insertions(+) diff --git a/include/NTMakefile b/include/NTMakefile index 984984d4a..e93cf8461 100644 --- a/include/NTMakefile +++ b/include/NTMakefile @@ -61,6 +61,7 @@ while(<>) { if ("$(KRB5)") { print "#define KRB5 1\n"; } if ("$(KRB4)") { print "#define KRB4 1\n"; } if ("$(WEAK_CRYPTO)") { print "#define HEIM_WEAK_CRYPTO 1\n"; } + if ("$(HCRYPTO_FALLBACK)") { print "#define HCRYPTO_FALLBACK 1\n"; } else { print "#define HCRYPTO_FALLBACK 0\n"; } if ("$(PKINIT)") { print "#define PKINIT 1\n"; } if ("$(NO_AFS)") { print "#define NO_AFS 1\n"; } if ("$(OPENLDAP)") { print "#define OPENLDAP 1\n"; } diff --git a/windows/NTMakefile.config b/windows/NTMakefile.config index 429dce817..cea260ace 100644 --- a/windows/NTMakefile.config +++ b/windows/NTMakefile.config @@ -96,6 +96,9 @@ DIR_hdbdir=%{COMMON_APPDATA}/heimdal/hdb # Disable weak crypto WEAK_CRYPTO=0 +# Enable hcrypt fallback mechanisms +HCRYPTO_FALLBACK=1 + # Disable use of GSS LOCALNAME support NO_LOCALNAME=1 -- cgit v1.2.3 From 6c1ba826236f899b83377092f017f0d5758c1067 Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Sat, 23 Apr 2016 18:57:30 -0400 Subject: hcrypto: no openssl build requires evp-hcrypto.h include When building evp-openssl.c without support for OpenSSL it is necessary to include evp-hcrypto.h to define the HCRYPTO_FALLBACK functions. Change-Id: Ifd51f9fcd2b1805a534a9f88992162818afffe7d --- lib/hcrypto/evp-openssl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/hcrypto/evp-openssl.c b/lib/hcrypto/evp-openssl.c index cf9f03419..5f2a5ab93 100644 --- a/lib/hcrypto/evp-openssl.c +++ b/lib/hcrypto/evp-openssl.c @@ -404,6 +404,8 @@ get_EVP_MD(heim_base_once_t *once, hc_EVP_MD *hc_memoize, #else /* HAVE_HCRYPTO_W_OPENSSL */ +#include "evp-hcrypto.h" + #define OSSL_CIPHER_ALGORITHM(name, flags) \ const hc_EVP_CIPHER *hc_EVP_ossl_##name(void) \ { \ -- cgit v1.2.3 From 3de56adbcc8a9da242b291cba1416aa39d10de61 Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Sat, 23 Apr 2016 20:58:25 -0400 Subject: Windows: Skip sha256 code sign if !CODESIGN If we are not code signing we must define an action for _CODESIGN_SHA256 or the build system macros will be unbalanced. Change-Id: I3c545de3c8ee809709defd12faeead358fde26dd --- windows/NTMakefile.w32 | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/NTMakefile.w32 b/windows/NTMakefile.w32 index 49099701d..1a35af9b0 100644 --- a/windows/NTMakefile.w32 +++ b/windows/NTMakefile.w32 @@ -520,6 +520,7 @@ _CODESIGN=( $(SIGNTOOL) sign /fd sha1 $(SIGNTOOL_O) /t $(SIGNTOOL_T) $(SIGNTOOL_ _CODESIGN_SHA256=( $(SIGNTOOL) sign /as /fd sha256 $(SIGNTOOL_O) /tr $(SIGNTOOL_T_SHA256) $(SIGNTOOL_C) /v $@ ) !else _CODESIGN=( echo Skipping code sign ) +_CODESIGN_SHA256=( echo Skipping sha256 code sign ) !endif !endif -- cgit v1.2.3 From 1e085bb4da1b2949807ffedea027663ced063bce Mon Sep 17 00:00:00 2001 From: Abhinav Upadhyay Date: Thu, 28 Apr 2016 15:50:48 +0530 Subject: Various fixes in kfb5.conf man page: Fix grammar at multiple places Also, fix mdoc syntax at one place. There should be a space between the section and the comma in the .Xr macro. --- lib/krb5/krb5.conf.5 | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5 index 482990e5f..cb199695d 100644 --- a/lib/krb5/krb5.conf.5 +++ b/lib/krb5/krb5.conf.5 @@ -144,7 +144,7 @@ Default realm to use, this is also known as your The default is the result of .Fn krb5_get_host_realm "local hostname" . .It Li allow_weak_crypto = Va boolean -is weaks crypto algorithms allowed to be used, among others, DES is +are weak crypto algorithms allowed to be used, among others, DES is considered weak. .It Li clockskew = Va time Maximum time differential (in seconds) allowed when comparing @@ -168,9 +168,9 @@ the default credentials cache name. If you want to change the type only use .Li default_cc_type . The string can contain variables that are expanded on runtime. -Only support variable now is +The Only supported variable currently is .Li %{uid} -that expands to the current user id. +which expands to the current user id. .It Li default_etypes = Va etypes ... A list of default encryption types to use. (Default: all enctypes if allow_weak_crypto = TRUE, else all enctypes except single DES enctypes.) @@ -243,10 +243,10 @@ It's the field ticketflags that is stored in reverse bit order for older than Heimdal 0.7. Setting this flag to .Dv TRUE -make it store the MIT way, this is default for Heimdal 0.7. +makes it store the MIT way, this is default for Heimdal 0.7. .It Li check-rd-req-server -If set to "ignore", the framework will ignore any the server input to -.Xr krb5_rd_req 3, +If set to "ignore", the framework will ignore any of the server input to +.Xr krb5_rd_req 3 , this is very useful when the GSS-API server input the wrong server name into the gss_accept_sec_context call. .It Li k5login_directory = Va directory @@ -288,7 +288,7 @@ K5login files are text files, with each line containing just a principal name; principals apearing in a user's k5login file are permitted access to the user's account. Note: this rule performs no ownership nor permissions checks on k5login files; proper ownership and -permissions/ACLs are expected due to the system k5login location being a +permissions/ACLs are expected due to the k5login location being a system location. .It Li kuserok = Va USER-K5LOGIN If set and evaluated then @@ -389,7 +389,7 @@ with explicit .Va order then all other rules in the order in which they appear. If any two rules have the same explicit -.Va order +.Va order , their order of appearance in krb5.conf breaks the tie. Explicitly specifying order can be useful where tools read and write the configuration file without preserving parameter order. -- cgit v1.2.3 From 131c8dd30e83fb33a56b3007e71dc078420f6650 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Sat, 7 May 2016 00:52:43 +0000 Subject: Export new ASN1 oid symbols and fix build We added some new OID symbols in libasn1, make them public. When an older Heimdal is already installed and its libraries don't have some newly created symbols we run into build or test problems, if libtool decides to use installed rather than just-built libraries. This was happening with a few of test programs in libhx509. Fixed. --- lib/asn1/libasn1-exports.def | 6 ++++++ lib/hx509/Makefile.am | 6 +++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/lib/asn1/libasn1-exports.def b/lib/asn1/libasn1-exports.def index 63dfdffa6..62f4337ad 100644 --- a/lib/asn1/libasn1-exports.def +++ b/lib/asn1/libasn1-exports.def @@ -58,9 +58,15 @@ EXPORTS asn1_oid_id_ecPublicKey DATA asn1_oid_id_ec_group_secp160r1 DATA asn1_oid_id_ec_group_secp160r2 DATA + asn1_oid_id_ec_group_secp224r1 DATA asn1_oid_id_ec_group_secp256r1 DATA + asn1_oid_id_ec_group_secp384r1 DATA + asn1_oid_id_ec_group_secp521r1 DATA asn1_oid_id_ecdsa_with_SHA1 DATA + asn1_oid_id_ecdsa_with_SHA224 DATA asn1_oid_id_ecdsa_with_SHA256 DATA + asn1_oid_id_ecdsa_with_SHA384 DATA + asn1_oid_id_ecdsa_with_SHA512 DATA asn1_oid_id_heim_rsa_pkcs1_x509 DATA asn1_oid_id_ms_cert_enroll_domaincontroller DATA asn1_oid_id_ms_client_authentication DATA diff --git a/lib/hx509/Makefile.am b/lib/hx509/Makefile.am index cd8ccc553..24c21eaf6 100644 --- a/lib/hx509/Makefile.am +++ b/lib/hx509/Makefile.am @@ -206,10 +206,10 @@ check_PROGRAMS = $(PROGRAM_TESTS) test_soft_pkcs11 LDADD = libhx509.la -test_soft_pkcs11_LDADD = libhx509.la +test_soft_pkcs11_LDADD = libhx509.la $(top_builddir)/lib/asn1/libasn1.la -test_name_LDADD = libhx509.la $(LIB_roken) -test_expr_LDADD = libhx509.la $(LIB_roken) +test_name_LDADD = libhx509.la $(LIB_roken) $(top_builddir)/lib/asn1/libasn1.la +test_expr_LDADD = libhx509.la $(LIB_roken) $(top_builddir)/lib/asn1/libasn1.la TESTS = $(SCRIPT_TESTS) $(PROGRAM_TESTS) -- cgit v1.2.3 From 9393d53538298e8a919efb92965759789da84d9b Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Sat, 7 May 2016 02:36:34 -0400 Subject: Actually capture libcrypto autoconf results Also infer lib path not just include path, and set rpath if not from /usr. Also need libcrypto for test_rand. --- cf/Makefile.am.common | 3 +++ cf/crypto.m4 | 7 +++++++ lib/hcrypto/Makefile.am | 2 +- 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/cf/Makefile.am.common b/cf/Makefile.am.common index c0cddf6a0..a9ea71edd 100644 --- a/cf/Makefile.am.common +++ b/cf/Makefile.am.common @@ -45,6 +45,9 @@ LIB_tgetent = @LIB_tgetent@ LIB_com_err = @LIB_com_err@ LIB_door_create = @LIB_door_create@ +LIB_openssl_crypto = @LIB_openssl_crypto@ +INCLUDE_openssl_crypto = @INCLUDE_openssl_crypto@ + HESIODLIB = @HESIODLIB@ HESIODINCLUDE = @HESIODINCLUDE@ INCLUDE_hesiod = @INCLUDE_hesiod@ diff --git a/cf/crypto.m4 b/cf/crypto.m4 index 44b77c1d0..c6f72561e 100644 --- a/cf/crypto.m4 +++ b/cf/crypto.m4 @@ -94,6 +94,8 @@ if test "$with_openssl" = "yes"; then with_openssl=/usr fi if test "$with_openssl" != "no"; then + saved_CFLAGS="${CFLAGS}" + saved_LDFLAGS="${LDFLAGS}" INCLUDE_openssl_crypto= LIB_openssl_crypto= if test "$with_openssl_include" != ""; then @@ -103,8 +105,11 @@ if test "$with_openssl" != "no"; then fi if test "$with_openssl_lib" != ""; then LIB_openssl_crypto="-L${with_openssl_lib}" + elif test "${with_openssl}" != "/usr" -a -d "${with_openssl}/lib"; then + LIB_openssl_crypto="-L${with_openssl}/lib -Wl,-R,${with_openssl}/lib" fi CFLAGS="-DHAVE_HCRYPTO_W_OPENSSL -I${INCLUDE_openssl_crypto} ${CFLAGS}" + LDFLAGS="${LIB_openssl_crypto} ${LDFLAGS}" # XXX What about rpath? Yeah... AC_CHECK_LIB([crypto], [OPENSSL_init], [LIB_openssl_crypto="${LIB_openssl_crypto} -lcrypto"; openssl=yes], [openssl=no], []) @@ -122,6 +127,8 @@ if test "$with_openssl" != "no"; then AC_CHECK_LIB([crypto], [OPENSSL_init], [LIB_openssl_crypto="${LIB_openssl_crypto} -lcrypto -ldl -lnsl -lsocket"; openssl=yes], [openssl=no], [-ldl -lnsl -lsocket]) fi + CFLAGS="${saved_CFLAGS}" + LDFLAGS="${saved_LDFLAGS}" fi LIB_hcrypto='$(top_builddir)/lib/hcrypto/libhcrypto.la' diff --git a/lib/hcrypto/Makefile.am b/lib/hcrypto/Makefile.am index d2bb42494..6ef5cf9a4 100644 --- a/lib/hcrypto/Makefile.am +++ b/lib/hcrypto/Makefile.am @@ -99,7 +99,7 @@ check_SCRIPTS = $(SCRIPT_TESTS) TESTS = $(PROGRAM_TESTS) $(SCRIPT_TESTS) -LDADD = $(lib_LTLIBRARIES) $(LIB_roken) +LDADD = $(lib_LTLIBRARIES) $(LIB_roken) $(LIB_openssl_crypto) test_rand_LDADD = $(LDADD) -lm libhcrypto_la_SOURCES = \ -- cgit v1.2.3 From 1017a594ef126f1247b5515b80f7a5ef9db0ce67 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Sat, 7 May 2016 07:02:09 +0000 Subject: Use OpenSSL include path as needed For consistency make "-I" part of the macro value set by autoconf. For now, don't attempt to handle OpenSSL rpath in cf/crypto.m4. That's much easier by just setting LDFLAGS when running configure. Otherwise too many Makefiles to edit and libtool and automake do their best to undo the rpath. --- cf/crypto.m4 | 13 ++++++++----- kdc/Makefile.am | 2 +- lib/hcrypto/Makefile.am | 2 +- lib/hx509/Makefile.am | 2 ++ lib/krb5/Makefile.am | 2 +- 5 files changed, 13 insertions(+), 8 deletions(-) diff --git a/cf/crypto.m4 b/cf/crypto.m4 index c6f72561e..b8b011dd1 100644 --- a/cf/crypto.m4 +++ b/cf/crypto.m4 @@ -99,18 +99,17 @@ if test "$with_openssl" != "no"; then INCLUDE_openssl_crypto= LIB_openssl_crypto= if test "$with_openssl_include" != ""; then - INCLUDE_openssl_crypto="${with_openssl_include}" + INCLUDE_openssl_crypto="-I${with_openssl_include}" else - INCLUDE_openssl_crypto="${with_openssl}/include" + INCLUDE_openssl_crypto="-I${with_openssl}/include" fi if test "$with_openssl_lib" != ""; then LIB_openssl_crypto="-L${with_openssl_lib}" elif test "${with_openssl}" != "/usr" -a -d "${with_openssl}/lib"; then - LIB_openssl_crypto="-L${with_openssl}/lib -Wl,-R,${with_openssl}/lib" + LIB_openssl_crypto="-L${with_openssl}/lib" fi - CFLAGS="-DHAVE_HCRYPTO_W_OPENSSL -I${INCLUDE_openssl_crypto} ${CFLAGS}" + CFLAGS="-DHAVE_HCRYPTO_W_OPENSSL ${INCLUDE_openssl_crypto} ${CFLAGS}" LDFLAGS="${LIB_openssl_crypto} ${LDFLAGS}" - # XXX What about rpath? Yeah... AC_CHECK_LIB([crypto], [OPENSSL_init], [LIB_openssl_crypto="${LIB_openssl_crypto} -lcrypto"; openssl=yes], [openssl=no], []) # These cases are just for static linking on older OSes, @@ -127,6 +126,10 @@ if test "$with_openssl" != "no"; then AC_CHECK_LIB([crypto], [OPENSSL_init], [LIB_openssl_crypto="${LIB_openssl_crypto} -lcrypto -ldl -lnsl -lsocket"; openssl=yes], [openssl=no], [-ldl -lnsl -lsocket]) fi + if test "$openssl" = "no"; then + INCLUDE_openssl_crypto= + LIB_openssl_crypto= + fi CFLAGS="${saved_CFLAGS}" LDFLAGS="${saved_LDFLAGS}" fi diff --git a/kdc/Makefile.am b/kdc/Makefile.am index ade443ffb..e2a7b14d6 100644 --- a/kdc/Makefile.am +++ b/kdc/Makefile.am @@ -2,7 +2,7 @@ include $(top_srcdir)/Makefile.am.common -AM_CPPFLAGS += $(INCLUDE_libintl) -I$(srcdir)/../lib/krb5 +AM_CPPFLAGS += $(INCLUDE_libintl) $(INCLUDE_openssl_crypto) -I$(srcdir)/../lib/krb5 lib_LTLIBRARIES = libkdc.la diff --git a/lib/hcrypto/Makefile.am b/lib/hcrypto/Makefile.am index 6ef5cf9a4..05df273a0 100644 --- a/lib/hcrypto/Makefile.am +++ b/lib/hcrypto/Makefile.am @@ -3,7 +3,7 @@ include $(top_srcdir)/Makefile.am.common if HAVE_HCRYPTO_W_OPENSSL -AM_CPPFLAGS += -I$(INCLUDE_openssl_crypto) +AM_CPPFLAGS += $(INCLUDE_openssl_crypto) endif AM_CPPFLAGS += -I$(top_srcdir)/lib/hx509 \ diff --git a/lib/hx509/Makefile.am b/lib/hx509/Makefile.am index 24c21eaf6..d1a00bd49 100644 --- a/lib/hx509/Makefile.am +++ b/lib/hx509/Makefile.am @@ -1,5 +1,7 @@ include $(top_srcdir)/Makefile.am.common +AM_CPPFLAGS += $(INCLUDE_openssl_crypto) + lib_LTLIBRARIES = libhx509.la libhx509_la_LDFLAGS = -version-info 5:0:0 diff --git a/lib/krb5/Makefile.am b/lib/krb5/Makefile.am index 57ee89a74..c462d9372 100644 --- a/lib/krb5/Makefile.am +++ b/lib/krb5/Makefile.am @@ -2,7 +2,7 @@ include $(top_srcdir)/Makefile.am.common -AM_CPPFLAGS += -I../com_err -I$(srcdir)/../com_err $(INCLUDE_sqlite3) $(INCLUDE_libintl) +AM_CPPFLAGS += -I../com_err -I$(srcdir)/../com_err $(INCLUDE_sqlite3) $(INCLUDE_libintl) $(INCLUDE_openssl_crypto) bin_PROGRAMS = verify_krb5_conf -- cgit v1.2.3 From b49431e47a78582ee0d5147a3b7916852da85e83 Mon Sep 17 00:00:00 2001 From: "Roland C. Dowdeswell" Date: Thu, 12 May 2016 15:18:38 -0400 Subject: lib/hcrypto/Makefile.am: set automake option: subdir-objects --- lib/hcrypto/Makefile.am | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/hcrypto/Makefile.am b/lib/hcrypto/Makefile.am index 05df273a0..a67b683ce 100644 --- a/lib/hcrypto/Makefile.am +++ b/lib/hcrypto/Makefile.am @@ -2,6 +2,8 @@ include $(top_srcdir)/Makefile.am.common +AUTOMAKE_OPTIONS = subdir-objects + if HAVE_HCRYPTO_W_OPENSSL AM_CPPFLAGS += $(INCLUDE_openssl_crypto) endif -- cgit v1.2.3 From 82054b4b798571372e19ec07faff0d1725a272e3 Mon Sep 17 00:00:00 2001 From: "Roland C. Dowdeswell" Date: Thu, 12 May 2016 16:44:51 -0400 Subject: lib/hdb/hdb-mitdb.c: this was failing to build due to undefined variables. --- lib/hdb/hdb-mitdb.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/hdb/hdb-mitdb.c b/lib/hdb/hdb-mitdb.c index f3a20d9ef..3eefc62bc 100644 --- a/lib/hdb/hdb-mitdb.c +++ b/lib/hdb/hdb-mitdb.c @@ -959,13 +959,13 @@ mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) if ((flags & HDB_F_PRECHECK)) { ret = mdb_principal2key(context, entry->entry.principal, &key); if (ret) return ret; - code = db->hdb__get(context, db, key, &value); + ret = db->hdb__get(context, db, key, &value); krb5_data_free(&key); - if (code == 0) + if (ret == 0) krb5_data_free(&value); - if (code == HDB_ERR_NOENTRY) + if (ret == HDB_ERR_NOENTRY) return 0; - return code ? code : HDB_ERR_EXISTS; + return ret ? ret : HDB_ERR_EXISTS; } sp = krb5_storage_emem(); @@ -1010,6 +1010,7 @@ mdb_remove(krb5_context context, HDB *db, { krb5_error_code code; krb5_data key; + krb5_data value = { 0, 0 }; if ((flags & HDB_F_PRECHECK)) { code = db->hdb__get(context, db, key, &value); -- cgit v1.2.3 From 4fb67dcbc1c77fe64c7340f9eb1b2b15f8a86938 Mon Sep 17 00:00:00 2001 From: "Roland C. Dowdeswell" Date: Thu, 12 May 2016 16:53:36 -0400 Subject: Update .gitignore to catch some additional artefacts. --- .gitignore | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.gitignore b/.gitignore index 8b38cec7b..73678830d 100644 --- a/.gitignore +++ b/.gitignore @@ -155,6 +155,7 @@ asn1_*.[cx] /include/bits /include/config.h.in /include/gssapi/*.h +/include/hcrypto/*.h /include/kadm5/*.h /include/stamp-h1 /include/version.h.in @@ -222,6 +223,7 @@ asn1_*.[cx] /lib/gssapi/ntlm/ntlm-private.h /lib/gssapi/spnego/spnego-private.h /lib/gssapi/test_acquire_cred +/lib/gssapi/test_add_store_cred /lib/gssapi/test_cfx /lib/gssapi/test_context /lib/gssapi/test_cred @@ -229,6 +231,10 @@ asn1_*.[cx] /lib/gssapi/test_names /lib/gssapi/test_ntlm /lib/gssapi/test_oid +/lib/hcrypto/hcrypto +/lib/hcrypto/hcrypto-link +/lib/hcrypto/test_rand +/lib/roken/test-detach /lib/hdb/hdb-protos.h /lib/hdb/hdb-private.h /lib/hdb/test_dbinfo @@ -413,6 +419,7 @@ asn1_*.[cx] /out /po/gen-po.sh /scripts +/tests/bin/intr /tests/bin/setup-env /tests/can/check-can /tests/can/current-db.db @@ -426,6 +433,9 @@ asn1_*.[cx] /tests/db/dbinfo.out /tests/db/have-db /tests/db/krb5.conf +/tests/db/krb5.conf-db1 +/tests/db/krb5.conf-db3 +/tests/db/krb5.conf-lmdb /tests/db/krb5.conf-sqlite /tests/db/loaddump-db /tests/db/tempfile @@ -490,6 +500,7 @@ asn1_*.[cx] /tests/kdc/krb5-pkinit-win.conf /tests/kdc/krb5-pkinit.conf /tests/kdc/krb5-slave.conf +/tests/kdc/krb5-slave2.conf /tests/kdc/krb5-weak.conf /tests/kdc/krb5.conf /tests/kdc/krb5-cc.conf -- cgit v1.2.3