Greg Hudson [Mon, 27 Jun 2016 21:49:57 +0000 (17:49 -0400)]
Fix leaks on error in krb5 gss_acquire_cred()
In acquire_cred_context(), when releasing the partially constructed
cred on error, make sure to free the password and impersonator fields,
and to destroy the ccache if we created it.
Greg Hudson [Fri, 24 Jun 2016 16:33:05 +0000 (12:33 -0400)]
Fix memory leak in db2 policy DB initialization
osa_adb_init_db() maintains a static linked list mapping filenames to
lock structures. Entries are never removed from the list; when their
reference counts hit 0, the lockfile is closed but the filename
remains allocated. However, the filename is allocated each time the
lockfile is re-opened, leaking the old value. Fix this leak by moving
filename initialization to entry creation.
Tom Yu [Wed, 3 Aug 2016 21:00:05 +0000 (17:00 -0400)]
Warn about dump -recurse nonfunctionality
kdb5_util dump -recurse hasn't behaved as documented since krb5-1.5,
when the DAL was integrated. Restoring it is a nontrivial amount of
work, so just document it for now.
In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
use client.princ instead of request->client; the latter is NULL when
validating S4U2Self requests.
CVE-2016-3120:
In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
to dereference a null pointer if the restrict_anonymous_to_tgt option
is set to true, by making an S4U2Self request.
Commit 632260bd1fccfb420f0827b59c85c329203eafc9 (ticket #7517) allows
better error reporting for some client pre-authentication failures.
However, it breaks an assumption in the S4U2Self code that such errors
can be recognized by the KRB5_PREAUTH_FAILED error code. Instead of
passing through the error code reported by the first real preauth
module, wrap that error and return KRB5_PREAUTH_FAILED.
The KDC now needs write access to the LDAP KDB, unless password
lockout and tracking of the last successful authentication time are
disabled. Update the example LDAP access control configuration in
conf_ldap.rst to reflect this, add a note that only read access is
required if lockout is disabled, and add a section to lockout.rst
calling out the need for write access. Reported by Will Fiveash.
Greg Hudson [Thu, 23 Jun 2016 16:01:56 +0000 (12:01 -0400)]
Fix profile_flush_to_file() state corruption
In write_data_to_file(), do not clear the profile data object's flags.
If the call to this function resulted from profile_flush_to_file(), we
do not want to clear the DIRTY flag, and we especially do not want to
clear the SHARED flag for a data object which is part of
g_shared_trees. Instead, clear the DIRTY flag in
profile_flush_file_data().
Add a test case to prof_test1 to exercise the bug in unfixed code.
Also modify test1 to abandon the altered profile after flushing it to
a file, to preserve the external behavior of the script before this
fix.
When the default realm name is unspecified, and none was set in the
krb5_context object, return KRB5_CONFIG_NODEFREALM from libkdb5
instead of the confusing KRB5_KDB_DBTYPE_NOTFOUND. To accomplish
this, make kdb_get_library_name() return a krb5_error_code.
Before this patch libkrad would always subtract the existing buffer
length from pktlen before passing it to recv(). In the case of stream
sockets, this is incorrect since krad_packet_bytes_needed() already
performs this calculation. Subtracting the buffer length twice could
cause integer underflow on the len parameter to recv().
Greg Hudson [Wed, 8 Jun 2016 04:00:55 +0000 (00:00 -0400)]
Fix kadmin min_life check with nonexistent policy
In kadmind, self-service key changes require a check against the
policy's min_life field. If the policy does not exist, this check
should succeed according to the semantics introduced by ticket #7385.
Fix check_min_life() to return 0 if kadm5_get_policy() returns
KADM5_UNK_POLICY. Reported by John Devitofranceschi.
Greg Hudson [Mon, 9 May 2016 17:45:06 +0000 (13:45 -0400)]
Fix unlikely pointer error in get_in_tkt.c
In add_padata(), reset the caller's pointer and ensure the list is
terminated as soon as realloc() succeeds; otherwise, the old pointer
could be left behind if a later allocation fails.
Tom Yu [Fri, 27 May 2016 19:19:43 +0000 (15:19 -0400)]
Relax t_sn2princ.py reverse resolution test
Relax t_sn2princ.py check of the reverse resolution of the test
hostname. The new requirement is that it be different from the
forward resolved hostname. (There is also an existing implicit
requirement that it be in the mit.edu domain.) This makes
t_sn2princ.py more robust against changes in the reverse resolution of
the test hostname.
In otp_client_process(), call cb->set_as_key() later in the function
after the OTP request has been created. The previous position of this
call caused the AS key to be replaced even when later code in the
function failed, preventing other preauth mechanisms from retrieving
the correct AS key.
Greg Hudson [Thu, 12 May 2016 20:03:06 +0000 (16:03 -0400)]
Check princ length in krb5_sname_match()
krb5_sname_match() can read past the end of princ's component array in
some circumstances (typically when a keytab contains both "x" and
"x/y" principals). Add a length check. Reported by Spencer Jackson.
Greg Hudson [Mon, 28 Mar 2016 17:48:52 +0000 (13:48 -0400)]
Improve errors when DB2 database cannot be opened
When we cannot open a DB2 database, set a useful error message.
Change the signature of open_db() to to allow it to return an error
code with a message set.
Greg Hudson [Mon, 29 Feb 2016 21:51:22 +0000 (16:51 -0500)]
Skip unnecessary mech calls in gss_inquire_cred()
If the caller does not request a name, lifetime, or cred_usage when
calling gss_inquire_cred(), service the call by copying the mechanism
list (if requested) but do not call into the mech.
This change alleviates an issue (reported by Adam Bernstein) where
SPNEGO can fail in the presence of expired krb5 credentials rather
than proceeding with a different mechanism, or can resolve a krb5
credential without the benefit of the target name.
Sarah Day [Thu, 18 Feb 2016 21:54:27 +0000 (16:54 -0500)]
Default to LSA when TGT in LSA is inaccessible
When UAC is enabled and a domain user with Administrator privileges
logs in, the TGT is inaccessible. Access to the TGT in a
UAC-restricted session may allow a non-elevated user to bypass the
UAC. In a UAC-restricted session, ms2mit copies the current tickets
from the LSA ccache to the API ccache except the TGT, effectively
preventing a user session from getting additional service tickets
while appearing, for some purposes, to have a usable ccache.
Another bug is that ms2mit always copies from the LSA ccache to the
default ccache, even if the default ccache is itself the LSA ccache.
New behavior:
* If the TGT is accessible in the LSA ccache, copy the LSA ccache to
the API ccache.
* Set the registry key for the default ccname to "API:" if the copy
occurred, or to "MSLSA:" if it didn't occur.
Greg Hudson [Mon, 14 Mar 2016 21:26:34 +0000 (17:26 -0400)]
Fix LDAP null deref on empty arg [CVE-2016-3119]
In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
if there is an empty string in the db_args array. Check for this case
and avoid dereferencing a null pointer.
CVE-2016-3119:
In MIT krb5 1.6 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying an empty DB argument to the modify_principal
command, if kadmind is configured to use the LDAP KDB module.
Robbie Harwood [Tue, 12 Jan 2016 20:59:49 +0000 (15:59 -0500)]
Use public OID for interposing several functions
This resolves an issue where an interposer would receive the private
OID, and be unable to call back into krb5 in the expected manner in
gss_inquire_names_for_mech(), gss_inquire_cred_by_mech(),
gss_localname(), gss_store_cred(), and gss_store_cred_into().
Also change the return code of gss_localname() to GSS_S_BAD_MECH
instead of GSS_S_UNAVAILABLE on mech lookup failure, for consistency
with other functions.
Robbie Harwood [Tue, 12 Jan 2016 16:13:09 +0000 (11:13 -0500)]
Enable interposing gss_inquire_saslname_for_mech
The behavior of gss_inquire_saslname_for_mech() changes slightly, to
report GSS_S_BAD_MECH when an unsupported mech oid is given. Also
call map_error() on the minor code resulting from the mech.
Note that gss_inquire_mech_for_saslname() cannot be interposed, as
mech_type is specified as output-only in RFC 5801.
Greg Hudson [Tue, 15 Mar 2016 21:45:26 +0000 (17:45 -0400)]
Revisit inquire_attrs_for_mech on old mechs
In gss_inquire_attrs_for_mech(), if the mech does not implement RFC
5587, return success with empty mech_attrs and known_mech_attrs sets
to indicate a lack of knowledge for all attributes. The previous
behavior of returning an error caused gss_indicate_mechs_by_attr() to
fail out in the presence of an old mechanism, in turn causing
gss_acquire_cred() and SPNEGO to break.
Robbie Harwood [Wed, 27 Jan 2016 23:48:04 +0000 (18:48 -0500)]
Report inquire_attrs_for_mech mech failures
Previously, gss_inquire_attrs_for_mech() would return a list of mech
attributes that it knew about when given a bad mech oid or a mechanism
which did not provide a gss_inquire_attrs_for_mech() method. It seems
more useful to just report the failure to the application rather than
allowing it to continue with a faulty mechanism.
Robbie Harwood [Mon, 11 Jan 2016 22:50:39 +0000 (17:50 -0500)]
Enable interposing gss_inquire_attrs_for_mech()
Use gssint_select_mech_type() to locate an interposer mechanism, and
pass the public mech OID to the mech. Also call map_error() on the
resulting minor code.
Greg Hudson [Tue, 23 Feb 2016 22:15:18 +0000 (17:15 -0500)]
Use blocking lock when creating db2 KDB
In 1.11 we switched from non-blocking to blocking locks in the DB2
module, but we missed one call to krb5_lock_file() in ctx_create_db().
This non-blocking lock can cause krb5_db_promote() to fail if the
database is locked when we try to promote the DB, in turn causing
kdb5_util load to fail. Correct this call to make krb5_db_promote()
more robust.
Greg Hudson [Fri, 8 Jan 2016 18:16:54 +0000 (13:16 -0500)]
Fix leaks in kadmin server stubs [CVE-2015-8631]
In each kadmind server stub, initialize the client_name and
server_name variables, and release them in the cleanup handler. Many
of the stubs will otherwise leak the client and server name if
krb5_unparse_name() fails. Also make sure to free the prime_arg
variables in rename_principal_2_svc(), or we can leak the first one if
unparsing the second one fails. Discovered by Simo Sorce.
CVE-2015-8631:
In all versions of MIT krb5, an authenticated attacker can cause
kadmind to leak memory by supplying a null principal name in a request
which uses one. Repeating these requests will eventually cause
kadmind to exhaust all available memory.
Greg Hudson [Fri, 8 Jan 2016 17:52:28 +0000 (12:52 -0500)]
Check for null kadm5 policy name [CVE-2015-8630]
In kadm5_create_principal_3() and kadm5_modify_principal(), check for
entry->policy being null when KADM5_POLICY is included in the mask.
CVE-2015-8630:
In MIT krb5 1.12 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying a null policy value but including KADM5_POLICY in
the mask.
Greg Hudson [Fri, 8 Jan 2016 17:45:25 +0000 (12:45 -0500)]
Verify decoded kadmin C strings [CVE-2015-8629]
In xdr_nullstring(), check that the decoded string is terminated with
a zero byte and does not contain any internal zero bytes.
CVE-2015-8629:
In all versions of MIT krb5, an authenticated attacker can cause
kadmind to read beyond the end of allocated memory by sending a string
without a terminating zero byte. Information leakage may be possible
for an attacker with permission to modify the database.
Greg Hudson [Thu, 14 Jan 2016 22:51:53 +0000 (17:51 -0500)]
Fix iprop server stub error management
The ipropd stubs free client_name and server_name in the cleanup
handler, so should not free them in out-of-memory conditions.
Reported by Will Fiveash.
Robbie Harwood [Wed, 13 Jan 2016 23:17:09 +0000 (18:17 -0500)]
Fix EOF check in kadm5.acl line processing
On platforms where the char type is unsigned, the check for EOF (which
is negative) will always fail, leaving a 255 byte at the end of the
line. This can cause a syntax error, in turn causing the contents of
kadm5.acl to be ignored. Fix this bug by removing the cast on EOF.
[ghudson@mit.edu: more precisely describe consequences of bug in
commit message]
Greg Hudson [Wed, 25 Nov 2015 19:43:35 +0000 (14:43 -0500)]
Fix memory leak in SPNEGO gss_init_sec_context()
After the initial call to spnego_gss_init_sec_context(), the context
handle can leak if init_ctx_cont() returns an error, because the
cleanup handler assumes that spnego_ctx contains the value of
*context_handle. Fix this leak by setting spnego_ctx before the if
block which contains that call. Reported by Adam Bernstein.
Greg Hudson [Fri, 8 Jan 2016 16:54:55 +0000 (11:54 -0500)]
Make ksu work with prompting clpreauth modules
Commit 5fd5a67c5a93514e7d0a64425baa007ad91f57de switched ksu from
using krb5_get_in_tkt_with_password() to
krb5_get_init_creds_password(), but did not supply a prompter
argument. Pass krb5_prompter_posix so that clpreauth modules can
prompt for additional information during authentication.
Tom Yu [Wed, 30 Dec 2015 20:26:54 +0000 (15:26 -0500)]
Add .travis.yml
Do Travis CI testing with clang and gcc, on 64-bit Ubuntu Trusty.
Performance would probably be better using the container-based Travis
infrastructure, but that is currently limited to Precise, and we would
need some important apt packages whitelisted, e.g., dejagnu.
Tom Yu [Wed, 30 Dec 2015 22:17:02 +0000 (17:17 -0500)]
Don't canonicalize hostname in sim_client.c
krb5_mk_req() already canonicalizes the target hostname, so don't try
to use a buffer of size MAXHOSTNAMELEN to canonicalize the hostname
beforehand. This buffer will be too short for some unusually long
FQDNs.
Tom Yu [Wed, 6 Jan 2016 20:24:16 +0000 (15:24 -0500)]
Work around uninitialized warning in cc_kcm.c
Some versions of clang erroneously detect use of an uninitialized
variable reply_len in kcmio_call() when building on non-Mac platforms.
Initialize it to work around this warning.
Robbie Harwood [Thu, 17 Dec 2015 00:31:22 +0000 (19:31 -0500)]
Fix interposed gss_accept_sec_context()
If gss_accept_sec_context() is interposed, selected_mech will be an
interposer OID. In this situation, pass the corresponding public OID
to gss_inquire_attrs_for_mech() to determine whether the mech is
allowed by default.
[ghudson@mit.edu: pared down from larger commit; rewrote commit message]
Simo Sorce [Tue, 5 Jan 2016 17:11:59 +0000 (12:11 -0500)]
Check internal context on init context errors
If the mechanism deletes the internal context handle on error, the
mechglue must do the same with the union context, to avoid crashes if
the application calls other functions with this invalid union context.
[ghudson@mit.edu: edit commit message and code comment]
Tomas Kuthan [Tue, 29 Dec 2015 10:47:49 +0000 (11:47 +0100)]
Check context handle in gss_export_sec_context()
After commit 4f35b27a9ee38ca0b557ce8e6d059924a63d4eff, the
context_handle parameter in gss_export_sec_context() is dereferenced
before arguments are validated by val_exp_sec_ctx_args(). With a null
context_handle, the new code segfaults instead of failing gracefully.
Revert this part of the commit and only dereference context_handle if
it is non-null.
Simo Sorce [Wed, 9 Dec 2015 23:09:18 +0000 (18:09 -0500)]
Set TL_DATA mask flag for master key operations
When kdb5_util adds or removes master keys, it modifies tl-data but
doesn't set the KADM5_TL_DATA mask flag, causing KDB modules that rely
on this signaling (such as the LDAP module) not to store the tl-data
changes. Fix this issue by setting the mask bit in add_new_mkey() and
kdb5_purge_mkeys().
Greg Hudson [Fri, 11 Dec 2015 16:05:32 +0000 (11:05 -0500)]
Add libkrb5support dependencies to test plugins
In some build environments, dependencies on libkrb5support can be
generated just from static inline functions in our header files, even
if those functions aren't used. In two test plugin modules, use
$(KRB5_BASE_DEPLIBS) and $(KRB5_BASE_LIBS) to depend on libkrb5support
as well as libkrb5. (This also pulls in libk5crypto, which is
unnecessary for these modules, but is inconsequential for a test
module.) Reported by Will Fiveash.
Tom Yu [Wed, 9 Dec 2015 18:49:22 +0000 (13:49 -0500)]
Correctly use k5_wrapmsg() in ldap_principal2.c
Commit ebcdf02f8ec212555b1762007fa8454615900f36 incorrectly used
k5_prependmsg() in an error handling clause in
krb5_ldap_get_principal(). Use k5_wrapmsg() instead.
Greg Hudson [Mon, 2 Nov 2015 03:46:56 +0000 (22:46 -0500)]
Fix SPNEGO context import
The patches for CVE-2015-2695 did not implement a SPNEGO
gss_import_sec_context() function, under the erroneous belief that an
exported SPNEGO context would be tagged with the underlying context
mechanism. Implement it now to allow SPNEGO contexts to be
successfully exported and imported after establishment.
Greg Hudson [Mon, 2 Nov 2015 03:45:21 +0000 (22:45 -0500)]
Fix IAKERB context export/import [CVE-2015-2698]
The patches for CVE-2015-2696 contained a regression in the newly
added IAKERB iakerb_gss_export_sec_context() function, which could
cause it to corrupt memory. Fix the regression by properly
dereferencing the context_handle pointer before casting it.
Also, the patches did not implement an IAKERB gss_import_sec_context()
function, under the erroneous belief that an exported IAKERB context
would be tagged as a krb5 context. Implement it now to allow IAKERB
contexts to be successfully exported and imported after establishment.
CVE-2015-2698:
In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
application which calls gss_export_sec_context() may experience memory
corruption if the context was established using the IAKERB mechanism.
Historically, some vulnerabilities of this nature can be translated
into remote code execution, though the necessary exploits must be
tailored to the individual application and are usually quite
complicated.
Greg Hudson [Tue, 27 Oct 2015 04:44:24 +0000 (00:44 -0400)]
Fix two IAKERB comments
The comment explaining why there is no iakerb_gss_import_sec_context()
erroneously referenced SPNEGO instead of IAKERB (noticed by Ben
Kaduk). The comment above iakerb_gss_delete_sec_context() is out of
date after the last commit.
Greg Hudson [Wed, 21 Oct 2015 17:21:48 +0000 (13:21 -0400)]
Zap secure cookie contents when freeing
Secure cookies are intended to hold secret values which may contribute
to key data, and therefore should be sanitized when released. Also
fix a memory leak in kdc_fast_make_cookie().
In build_principal_va(), use k5memdup0() instead of strdup() to make a
copy of the realm, to ensure that we allocate the correct number of
bytes and do not read past the end of the input string. This bug
affects krb5_build_principal(), krb5_build_principal_va(), and
krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not
affected.
CVE-2015-2697:
In MIT krb5 1.7 and later, an authenticated attacker may be able to
cause a KDC to crash using a TGS request with a large realm field
beginning with a null byte. If the KDC attempts to find a referral to
answer the request, it constructs a principal name for lookup using
krb5_build_principal() with the requested realm. Due to a bug in this
function, the null byte causes only one byte be allocated for the
realm field of the constructed principal, far less than its length.
Subsequent operations on the lookup principal may cause a read beyond
the end of the mapped memory region, causing the KDC process to crash.
Add tests for partial IAKERB and SPNEGO initiators, and for partial
krb5 (DCE-style), IAKERB, and SPNEGO acceptors. Make flag checking
more strict for existing tests.
Nicolas Williams [Mon, 14 Sep 2015 16:28:36 +0000 (12:28 -0400)]
Fix IAKERB context aliasing bugs [CVE-2015-2696]
The IAKERB mechanism currently replaces its context handle with the
krb5 mechanism handle upon establishment, under the assumption that
most GSS functions are only called after context establishment. This
assumption is incorrect, and can lead to aliasing violations for some
programs. Maintain the IAKERB context structure after context
establishment and add new IAKERB entry points to refer to it with that
type. Add initiate and established flags to the IAKERB context
structure for use in gss_inquire_context() prior to context
establishment.
CVE-2015-2696:
In MIT krb5 1.9 and later, applications which call
gss_inquire_context() on a partially-established IAKERB context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash. Java server applications using the
native JGSS provider are vulnerable to this bug. A carefully crafted
IAKERB packet might allow the gss_inquire_context() call to succeed
with attacker-determined results, but applications should not make
access control decisions based on gss_inquire_context() results prior
to context establishment.
Nicolas Williams [Mon, 14 Sep 2015 16:27:52 +0000 (12:27 -0400)]
Fix SPNEGO context aliasing bugs [CVE-2015-2695]
The SPNEGO mechanism currently replaces its context handle with the
mechanism context handle upon establishment, under the assumption that
most GSS functions are only called after context establishment. This
assumption is incorrect, and can lead to aliasing violations for some
programs. Maintain the SPNEGO context structure after context
establishment and refer to it in all GSS methods. Add initiate and
opened flags to the SPNEGO context structure for use in
gss_inquire_context() prior to context establishment.
CVE-2015-2695:
In MIT krb5 1.5 and later, applications which call
gss_inquire_context() on a partially-established SPNEGO context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash. This bug may go unnoticed, because
the most common SPNEGO authentication scenario establishes the context
after just one call to gss_accept_sec_context(). Java server
applications using the native JGSS provider are vulnerable to this
bug. A carefully crafted SPNEGO packet might allow the
gss_inquire_context() call to succeed with attacker-determined
results, but applications should not make access control decisions
based on gss_inquire_context() results prior to context establishment.
Greg Hudson [Thu, 8 Oct 2015 12:53:37 +0000 (08:53 -0400)]
Allow clock skew in krb5 gss_accept_sec_context()
Remove an unnecessarily strict check for ticket expiration from
kg_accept_krb5() and kg_accept_dce(). Instead, add the maximum
allowable clock skew to the reported lifetime of acceptor contexts.
Greg Hudson [Sun, 4 Oct 2015 23:54:35 +0000 (19:54 -0400)]
Make ksu work when unsetenv() returns NULL
Some older platforms (OS X 10.4, glibc 2.2.1) declare unsetenv() as
returning void, as does ksu's compatibility definition of unsetenv().
Don't use the return value in get_configured_defccname().
Greg Hudson [Sun, 4 Oct 2015 19:55:43 +0000 (15:55 -0400)]
Fix installed message catalog uses in kdb tests
In src/tests/Makefile.in, rename RUN_SETUP to RUN_DB_TEST, and include
"LC_ALL=C" in the definition to avoid using the message catalog. Also
include $(VALGRIND) for consistency with RUN_TEST.
Greg Hudson [Sun, 4 Oct 2015 18:45:29 +0000 (14:45 -0400)]
Use RUN_TEST and fix installed krb5.conf uses
Use $(RUN_TEST) to run most C test programs, for simplicity and to fix
accidental uses of the installed krb5.conf. Where a particular
krb5.conf must be used instead of the one in src/config-files, use a
locally defined variant like RUN_TEST_LOCAL_CONF.
Accidental references to the installed krb5.conf were present when
running t_pac, t_princ, t_etypes, t_trace, t_attr, t_attrset,
t_packet, t_remote, t_client, pkinit_kdf_test, test_chpw_message,
text_cxx_krb5, and test_cxx_k5int.
In krb5_change_password(), krb5_set_password(), and
krb5_set_password_using_ccache(), accept the new password as a const
char * instead of a char *. Propagate this change to the necessary
internal functions.
Nalin Dahyabhai [Thu, 1 Oct 2015 22:59:34 +0000 (18:59 -0400)]
Set plugin_base_dir for kadmin tests
In the krb5.conf used by the kadmin tests, include a plugin_base_dir
setting. Otherwise the KDC can load and run code from kdcpreauth
modules in the install tree.
projects / thirdparty / krb5.git / log
