Greg Hudson [Mon, 14 Oct 2013 21:02:31 +0000 (17:02 -0400)]
Use protocol error for PKINIT cert expiry
If we fail to create a cert chain in cms_signeddata_create(), return
KRB5KDC_ERR_PREAUTH_FAILED, which corresponds to a protocol code,
rather than KRB5_PREAUTH_FAILED, which doesn't. This is also more
consistent with other error clauses in the same function.
Greg Hudson [Wed, 9 Oct 2013 17:37:17 +0000 (13:37 -0400)]
Change KRB5KDC_ERR_NO_ACCEPTABLE_KDF to 100
draft-ietf-krb-wg-pkinit-alg-agility-07 specifies
KDC_ERR_NO_ACCEPTABLE_KDF as 82, but this value conflicts with
KRB_AP_ERR_PRINCIPAL_UNKNOWN from RFC 6111. The former value has been
reassigned to 100 to fix the conflict. Use the correct value.
We believe that this error won't crop up in practice for a long time
(when SHA-2 has been superseded by other hash algorithms and people
are desupporting it), by which time implementations will mostly have
been upgraded to use the new value.
Tom Yu [Thu, 17 Oct 2013 22:20:37 +0000 (18:20 -0400)]
Fix GSSAPI krb5 cred ccache import
json_to_ccache was incorrectly indexing the JSON array when restoring
a memory ccache. Fix it.
Add test coverage for a multi-cred ccache by exporting/importing the
synthesized S4U2Proxy delegated cred in t_s4u2proxy_krb5.c; move
export_import_cred from t_export_cred.c to common.c to facilitate
this. Make a note in t_export_cred.py that this case is covered in
t_s4u.py.
Tom Yu [Fri, 21 Jun 2013 21:58:25 +0000 (17:58 -0400)]
KDC null deref due to referrals [CVE-2013-1417]
An authenticated remote client can cause a KDC to crash by making a
valid TGS-REQ to a KDC serving a realm with a single-component name.
The process_tgs_req() function dereferences a null pointer because an
unusual failure condition causes a helper function to return success.
While attempting to provide cross-realm referrals for host-based
service principals, the find_referral_tgs() function could return a
TGS principal for a zero-length realm name (indicating that the
hostname in the service principal has no known realm associated with
it).
Subsequently, the find_alternate_tgs() function would attempt to
construct a path to this empty-string realm, and return success along
with a null pointer in its output parameter. This happens because
krb5_walk_realm_tree() returns a list of length one when it attempts
to construct a transit path between a single-component realm and the
empty-string realm. This list causes a loop in find_alternate_tgs()
to iterate over zero elements, resulting in the unexpected output of a
null pointer, which process_tgs_req() proceeds to dereference because
there is no error condition.
Add an error condition to find_referral_tgs() when
krb5_get_host_realm() returns an empty realm name. Also add an error
condition to find_alternate_tgs() to handle the length-one output from
krb5_walk_realm_tree().
The vulnerable configuration is not likely to arise in practice.
(Realm names that have a single component are likely to be test
realms.) Releases prior to krb5-1.11 are not vulnerable.
Tom Yu [Mon, 1 Jul 2013 19:18:33 +0000 (15:18 -0400)]
Fix spin loop reading from KDC TCP socket
In the k5_sendto code for reading from a TCP socket, detect
end-of-stream when reading the length. Otherwise we can get stuck in
an infinite loop of poll() and read().
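The failure mode this commit describes, as an added illustration that is not the k5_sendto code: a length-prefixed read loop over a KDC TCP connection (RFC 4120 section 7.2.2 puts a 4-octet big-endian length in front of each message) that treats a zero-byte read() as end-of-stream instead of polling and reading again forever. The function names, the pipe used as a stand-in for the peer, and the header bytes fed to it are this example's own constructions.

```c
/* Reading the 4-octet KDC TCP length prefix without spinning on EOF.
 * Illustrative code, not MIT krb5's k5_sendto implementation. */
#include <errno.h>
#include <poll.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

enum { RD_OK = 0, RD_EOF = -1, RD_ERR = -2, RD_TIMEOUT = -3 };

/* Read exactly n bytes from fd. A read() of 0 bytes means the peer closed
 * the stream; the fd stays readable, so poll() keeps returning at once and
 * a loop that only checks r < 0 would never terminate. */
static int read_exact(int fd, unsigned char *buf, size_t n, int timeout_ms)
{
    size_t got = 0;
    while (got < n) {
        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        int pr = poll(&pfd, 1, timeout_ms);
        if (pr < 0) {
            if (errno == EINTR) continue;
            return RD_ERR;
        }
        if (pr == 0)
            return RD_TIMEOUT;
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR || errno == EAGAIN) continue;
            return RD_ERR;
        }
        if (r == 0)
            return RD_EOF;          /* the missing check: end-of-stream */
        got += (size_t)r;
    }
    return RD_OK;
}

/* Decode the length prefix; the high bit is reserved and must be zero. */
int read_kdc_tcp_length(int fd, uint32_t *len_out, int timeout_ms)
{
    unsigned char hdr[4];
    int rc = read_exact(fd, hdr, sizeof hdr, timeout_ms);
    if (rc != RD_OK)
        return rc;
    uint32_t len = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                   ((uint32_t)hdr[2] << 8) | hdr[3];
    if (len & 0x80000000u)
        return RD_ERR;
    *len_out = len;
    return RD_OK;
}

/* Stand-in peer (constructed for this example): a pipe that delivers n bytes
 * and then hangs up. Returns the decoded length, or a negative RD_* code. */
static long run_against_peer(const unsigned char *data, size_t n)
{
    int fds[2];
    uint32_t len = 0;
    if (pipe(fds) != 0)
        return RD_ERR;
    if (n > 0 && write(fds[1], data, n) != (ssize_t)n) {
        close(fds[0]);
        close(fds[1]);
        return RD_ERR;
    }
    close(fds[1]);                  /* peer closes after sending n bytes */
    int rc = read_kdc_tcp_length(fds[0], &len, 1000);
    close(fds[0]);
    return rc == RD_OK ? (long)len : rc;
}

long demo_complete_header(void)
{
    static const unsigned char hdr[4] = { 0x00, 0x00, 0x01, 0x2c }; /* 300 */
    return run_against_peer(hdr, sizeof hdr);
}

long demo_truncated_header(void)
{
    static const unsigned char hdr[2] = { 0x00, 0x00 }; /* closes mid-prefix */
    return run_against_peer(hdr, sizeof hdr);
}

long demo_empty_stream(void)
{
    return run_against_peer(NULL, 0); /* peer closes without sending anything */
}

int main(void)
{
    printf("complete header:  %ld\n", demo_complete_header());
    printf("truncated header: %ld\n", demo_truncated_header());
    printf("empty stream:     %ld\n", demo_empty_stream());
    return 0;
}
```

Without the `r == 0` branch, the truncated and empty cases keep poll() reporting the fd readable (POLLIN or POLLHUP) and read() returning 0, which is the poll()/read() spin the commit fixes; with it, both return RD_EOF and the caller can tear down the connection.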
Greg Hudson [Thu, 30 May 2013 15:39:54 +0000 (11:39 -0400)]
Properly handle use_master in k5_init_creds_get
If we make multiple requests in an initial creds exchange, the
krb5_sendto_kdc call in k5_init_creds_get may flip the use_master
value from 0 to 1 if it detects that the response was from a master
KDC. Don't turn this into a requirement for future requests during
the same exchange, or we may have trouble following AS referrals.
Reported by Sumit Bose.
Greg Hudson [Wed, 22 May 2013 05:55:12 +0000 (01:55 -0400)]
Clarify krb5_rd_req documentation
For the user-to-user case, document that callers should pass a server
principal to krb5_rd_req. For the keytab case, more accurately
document which keytab keys are tried against the ticket.
Greg Hudson [Mon, 20 May 2013 15:03:04 +0000 (11:03 -0400)]
Fix transited handling for GSSAPI acceptors
The Acceptor Names project (#6855) extended krb5_rd_req so that it can
accept a "matching principal" in the server parameter. If the
matching principal has an empty realm, rd_req_decoded_opt attempted to
do transited checking with an empty server realm.
To fix this, always reset server to req->ticket->server for future
processing steps if we decrypt the ticket using a keytab.
decrypt_ticket replaces req->ticket->server with the principal name
from the keytab entry, so we know this name is correct.
Based on a bug report and patch from nalin@redhat.com.
Greg Hudson [Tue, 14 May 2013 02:59:35 +0000 (22:59 -0400)]
Rename internal Camellia symbols
Symbols from the NTT Camellia sources, used in the builtin crypto
provider, could conflict with symbols from other libraries such as
OpenSSL's libcrypto. Rename those like we rename the Gladman AES
symbols.
Tom Yu [Fri, 3 May 2013 20:26:46 +0000 (16:26 -0400)]
Fix kpasswd UDP ping-pong [CVE-2002-2443]
The kpasswd service provided by kadmind was vulnerable to a UDP
"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
they pass some basic validation, and don't respond to our own error
packets.
Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
attack or UDP ping-pong attacks in general, but there is discussion
leading toward narrowing the definition of CVE-1999-0103 to the echo,
chargen, or other similar built-in inetd services.
Thanks to Vincent Danen for alerting us to this issue.
An RFC 6113 KrbFastReq contains a padata sequence and a KDC-REQ-BODY,
neither of which contain the msg-type field found in a KDC-REQ. So
when we decode the FAST request, the resulting krb5_kdc_req structure
has a msg_type of 0. Copy msg_type from the outer body, since we make
use of it in further KDC processing.
Tom Yu [Wed, 10 Apr 2013 03:47:54 +0000 (23:47 -0400)]
Allow config of dh_min_bits < 2048
Allow configuration to override the default dh_min_bits of 2048 to
1024. Disallow configuration of dh_min_bits < 1024, but continue to
default to 2048.
rbasch [Mon, 4 Mar 2013 03:55:41 +0000 (22:55 -0500)]
Reset ulog if database load failed
If an iprop slave tries to load a dump from the master and it fails,
reset the ulog header so we take another full dump, instead of
reporting that the slave is current when it isn't.
Greg Hudson [Mon, 25 Mar 2013 16:42:49 +0000 (12:42 -0400)]
Export verto_set_flags from libverto
When the bundled libverto was updated from 0.2.2 to 0.2.5,
verto_set_flags should have been added to libverto.exports along with
the other new functions.
Simo Sorce [Sat, 16 Mar 2013 19:23:03 +0000 (15:23 -0400)]
Fix import_sec_context with interposers
The code was correctly selecting the mechanism to execute, but it was
improperly setting the mechanism type of the internal context when the
selected mechanism was that of an interposer and vice versa.
When an interposer is involved the internal context is that of the
interposer, so the mechanism type of the context needs to be the
interposer oid. Conversely, when an interposer re-enters gssapi and
presents a token with a special oid, the mechanism called is the real
mechanism, and the context returned is a real mechanism context. In
this case the mechanism type of the context needs to be that of the
real mechanism.
Greg Hudson [Thu, 21 Feb 2013 17:36:07 +0000 (12:36 -0500)]
Fix fd leak in DIR ccache cursor function
If dcc_ptcursor_next reached the end of a directory, it called free()
on the directory handle instead of closedir(), causing the directory
fd to be leaked. Call closedir() instead.
Greg Hudson [Wed, 20 Feb 2013 17:06:12 +0000 (12:06 -0500)]
Fix memory leak closing DIR ccaches
A ccache type's close function is supposed to free the cache container
as well as the type-specific data. dcc_close was not doing so,
causing a small memory leak each time a ccache is created or
destroyed.
Jonathan Reams [Fri, 15 Feb 2013 07:11:57 +0000 (02:11 -0500)]
Convert success in krb5_chpw_result_code_string
Result code 0 used to be converted properly by krb5_set_password,
though not krb5_change_password; this changed in 1.10 when
krb5int_setpw_result_code_string was folded into
krb5_chpw_result_code_string. Restore the old behavior, and make it
apply to krb5_change_password as well, by making
krb5_chpw_result_code_string convert result code 0.
Greg Hudson [Sun, 17 Feb 2013 17:23:30 +0000 (12:23 -0500)]
Allow multi-hop SAM-2 exchanges
Prior to 1.11, it was possible to do SAM-2 preauth exchanges with
multiple hops by sending repeated preauth-required errors with
different challenges (which is not the way multi-hop exchanges are
described in RFC 6113, but it can still work). This stopped working
when SAM-2 was converted to a built-in module because of the use_count
field. Disable the use count for SAM-2 specifically.
Xi Wang [Thu, 14 Feb 2013 23:17:40 +0000 (18:17 -0500)]
PKINIT null pointer deref [CVE-2013-1415]
Don't dereference a null pointer when cleaning up.
The KDC plugin for PKINIT can dereference a null pointer when a
malformed packet causes processing to terminate early, leading to
a crash of the KDC process. An attacker would need to have a valid
PKINIT certificate or have observed a successful PKINIT authentication,
or an unauthenticated attacker could execute the attack if anonymous
PKINIT is enabled.
Greg Hudson [Tue, 12 Feb 2013 02:13:15 +0000 (21:13 -0500)]
Fix RFC 5587 const pointer typedefs
gss_const_ctx_id_t, gss_const_cred_id_t, and gss_const_name_t are
supposed to be const pointers to the appropriate structures, not the
structures themselves. These are not used by any prototypes yet, and
no application would have any reason to use them as they are, so it
should be safe to change them within the public header.
Greg Hudson [Sun, 3 Feb 2013 18:21:34 +0000 (13:21 -0500)]
Make kprop/kpropd work with RC4 session key
In krb5_auth_con_initivector and mk_priv/rd_priv, stop assuming that
the enctype's block size is the size of the cipher state. Instead,
make and discard a cipher state to get the size.
Greg Hudson [Fri, 1 Feb 2013 16:52:48 +0000 (11:52 -0500)]
Fix kdb5_util dump.c uninitialized warnings
Some versions of clang report an uninitialized variable warning (which
we treat as an error) in process_k5beta_record. Due to the if-ladder
style of the function, uninitialized tmpint values can be copied
around in certain error cases, although the garbage values would be
ultimately ignored. As a minimal fix, initialize the tmpint
variables.
Greg Hudson [Fri, 11 Jan 2013 15:13:25 +0000 (10:13 -0500)]
Fix no_host_referral concatenation in KDC
If no_host_referral is set in both [kdcdefaults] and the realm
subsection, we're supposed to concatenate their values. But the logic
in handle_referral_params would overwrite the value with the
non-concatenated realm value. Similar bugs of this nature were fixed
in 639c9d0f5a7c68dc98a2a452abc05ca32443cddf (r22037) but this one was
missed.
Tom Yu [Fri, 21 Dec 2012 20:45:53 +0000 (15:45 -0500)]
Add more formats to krb5_timestamp_to_sfstring
krb5_timestamp_to_string() can produce ambiguous dates. The final
fallback, "%d/%m/%Y %R", contains a European order date format that
can be confused with a US date format. Add some additional strftime()
format strings, including locale-dependent formats and some ISO 8601
formats. Remove the hardcoded strftime() format that had an ambiguous
date order.
Ben Kaduk [Thu, 13 Dec 2012 20:26:38 +0000 (15:26 -0500)]
Update retiring-des with real-world experience
We took notes when upgrading the ZONE.MIT.EDU realm to reduce
its usage of single-DES. Use these to give examples for the upgrade
procedure, and flesh out some parts of it that were missing or
under-specified.
Tom Yu [Mon, 17 Dec 2012 20:44:27 +0000 (15:44 -0500)]
Add copyright footer to HTML docs
The technique we use for inserting the feedback link in the footer
overrides the Sphinx basic/layout.html and agogo/layout.html footers
in a way that prevents us from getting the copyright link footer.
Copy the relevant part of the Sphinx basic/layout.html for now.
Add a copyright.rst that links to mitK5license.rst.
Nalin Dahyabhai [Thu, 13 Dec 2012 19:26:07 +0000 (14:26 -0500)]
PKINIT (draft9) null ptr deref [CVE-2012-1016]
Don't check for an agility KDF identifier in the non-draft9 reply
structure when we're building a draft9 reply, because it'll be NULL.
The KDC plugin for PKINIT can dereference a null pointer when handling
a draft9 request, leading to a crash of the KDC process. An attacker
would need to have a valid PKINIT certificate, or an unauthenticated
attacker could execute the attack if anonymous PKINIT is enabled.
Tom Yu [Thu, 13 Dec 2012 23:07:51 +0000 (18:07 -0500)]
Conditionally include MITKC logo in HTML doc
Conditionally include the MITKC logo in the HTML output from Sphinx if
the environment variable HTML_LOGO is set. During official builds for
the web site, that environment variable will point to an appropriately
scaled copy of the MITKC logo.
Ben Kaduk [Wed, 12 Dec 2012 18:23:03 +0000 (13:23 -0500)]
Better names for doxygen-Sphinx bridge functions
It is confusing when the codepath for the production doc build
involves calling functions with names like "test". Rename things
which are in active use so that routines which are actually only
used for testing are more discernible as such.
Ben Kaduk [Wed, 12 Dec 2012 15:36:18 +0000 (10:36 -0500)]
Make the doc build quieter
Don't print out every node processed (or not processed) in the
doxygen-Sphinx bridge, nor print out a summary of how many types
or functions were processed.
While here, tell doxygen to be quiet in its output as well, and
not print out each file that is generated. It still outputs
warnings, though.
Greg Hudson [Thu, 13 Dec 2012 19:53:58 +0000 (14:53 -0500)]
Use an empty challenge for the password question
If a question's challenge is NULL, it is unnecessarily difficult for a
responder callback to detect whether it was asked. So it's better to
use an empty challenge when there is no challenge data to communicate.
Do this for the "password" question.
Tom Yu [Wed, 12 Dec 2012 21:51:02 +0000 (16:51 -0500)]
Fix various integer issues
In kdc_util.c and spnego_mech.c, error returns from ASN.1 length
functions could be ignored because they were assigned to unsigned
values. In spnego_mech.c, two buffer size checks could be rewritten
to reduce the likelihood of pointer overflow. In dump.c and
kdc_preauth.c, calloc() could be used to simplify the code and avoid
multiplication overflow.
Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>.
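The three integer pitfalls this commit names, shown in an added example that is not the kdc_util.c, spnego_mech.c or dump.c code: a signed error return silently lost by assignment to an unsigned variable, a bounds check written as a length comparison rather than pointer arithmetic, and calloc() in place of malloc(n * size). The toy DER length decoder, the skip_element functions and the two input buffers are constructed for this illustration.

```c
/* Integer hygiene around a toy DER length decoder. Illustrative only. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Decode DER length octets. Returns the length, or -1 on error (truncated
 * input, indefinite form, or more than 4 length octets). */
long asn1_get_length(const unsigned char *p, size_t avail, size_t *consumed)
{
    if (avail < 1)
        return -1;
    if (p[0] < 0x80) {
        *consumed = 1;
        return p[0];
    }
    size_t nbytes = p[0] & 0x7f;
    if (nbytes == 0 || nbytes > 4 || avail < 1 + nbytes)
        return -1;
    unsigned long len = 0;
    for (size_t i = 0; i < nbytes; i++)
        len = (len << 8) | p[1 + i];
    if (len > LONG_MAX)
        return -1;
    *consumed = 1 + nbytes;
    return (long)len;
}

/* BUGGY: the long return lands in a size_t, so -1 becomes SIZE_MAX, the error
 * is never seen, and the offset arithmetic wraps. For a truncated element the
 * result equals the starting offset, so a loop over a SEQUENCE never advances. */
size_t skip_element_buggy(const unsigned char *buf, size_t n, size_t off)
{
    size_t consumed = 0;
    size_t len = asn1_get_length(buf + off + 1, n - off - 1, &consumed);
    return off + 1 + consumed + len;
}

/* FIXED: keep the signed value until it is checked, and compare lengths
 * (len > remaining) instead of pointers (p + len > end), which can overflow. */
int skip_element(const unsigned char *buf, size_t n, size_t off, size_t *next)
{
    if (off >= n)
        return -1;
    size_t consumed = 0;
    long len = asn1_get_length(buf + off + 1, n - off - 1, &consumed);
    if (len < 0)
        return -1;
    size_t remaining = n - off - 1 - consumed;
    if ((size_t)len > remaining)
        return -1;
    *next = off + 1 + consumed + (size_t)len;
    return 0;
}

/* Array allocation: n * sizeof(rec_t) wraps silently inside malloc(); calloc()
 * checks the product and fails cleanly. */
typedef struct { uint32_t id; unsigned char key[16]; } rec_t;

int records_size_wraps(size_t n)
{
    return (n * sizeof(rec_t)) / sizeof(rec_t) != n;
}

int try_alloc_records(size_t n)
{
    rec_t *r = calloc(n, sizeof *r);    /* not malloc(n * sizeof *r) */
    if (r == NULL)
        return 0;
    free(r);
    return 1;
}

/* Constructed inputs. */
static const unsigned char TRUNCATED[] = { 0x30, 0x84 };           /* 4 length octets promised, none present */
static const unsigned char WELLFORMED[] = { 0x30, 0x03, 0x02, 0x01, 0x05 }; /* SEQUENCE { INTEGER 5 } */

size_t demo_buggy_truncated(void)
{
    return skip_element_buggy(TRUNCATED, sizeof TRUNCATED, 0);  /* wraps to 0 */
}

int demo_fixed_truncated(void)
{
    size_t next = 0;
    return skip_element(TRUNCATED, sizeof TRUNCATED, 0, &next);  /* -1 */
}

long demo_fixed_wellformed(void)
{
    size_t next = 0;
    if (skip_element(WELLFORMED, sizeof WELLFORMED, 0, &next) != 0)
        return -1;
    return (long)next;                                            /* 5 */
}

int main(void)
{
    printf("buggy skip on truncated input -> offset %zu\n", demo_buggy_truncated());
    printf("fixed skip on truncated input -> %d\n", demo_fixed_truncated());
    printf("fixed skip on well-formed input -> next offset %ld\n", demo_fixed_wellformed());
    printf("calloc of oversized count succeeds? %d\n",
           try_alloc_records(SIZE_MAX / sizeof(rec_t) + 2));
    return 0;
}
```

The buggy skip returns offset 0 for the truncated element, which is exactly the kind of non-advancing loop an attacker-supplied ASN.1 blob can trigger; the fixed version reports the error before any arithmetic happens on the bogus length.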
Ben Kaduk [Tue, 11 Dec 2012 22:19:44 +0000 (17:19 -0500)]
Regenerate checked-in man pages
Pick up changes to kadmin.rst and krb5_conf.rst adding cross-references
for account lockout and detailing parameter expansion for keytab
and credentials cache names in krb5.conf
Ben Kaduk [Tue, 27 Nov 2012 23:45:59 +0000 (18:45 -0500)]
Make sphinx warnings fatal for doc build
We currently do not have any warnings. Let us keep it that way by
making warnings fatal in maintainer-mode (and configurable on the
buildslaves). Using sphinx-build -W also causes errors to be reported
in the exit status and picked up by make, which is quite useful.
In order to allow the build bot to use -W but end-users to not use it,
SPHINX_ARGS must be passed on the command line; it cannot be set by
the convenience target 'htmlsrc'. Document this.
Ben Kaduk [Mon, 10 Dec 2012 20:02:14 +0000 (15:02 -0500)]
Do not document unused symbols
The macro KRB5_KEYUSAGE_PA_REFERRAL was defined in an early revision
of draft-ietf-krb-wg-kerberos-referrals but did not make it into
RFC 6806. We retain the definition so as to not break code implementing
the early draft, but need not document it.
Likewise, the krb5_octet_data structure and krb5_free_octet_data routine
are marked as having been originally introduced for PKINIT and "Do not
use this." They are in fact unused, and should not be documented, but
the actual definitions must remain for compatibility.
Ben Kaduk [Thu, 29 Nov 2012 00:06:44 +0000 (19:06 -0500)]
Note notice.txt's dependency on version.py
This dependency has been in effect since the notice build was changed
to use the main conf.py, due to its unconditional execfile('version.py').
Adding another conditional in conf.py seems to add needless complication,
it is easier to just note the dependency in the Makefile and carry on.
Ben Kaduk [Tue, 27 Nov 2012 18:31:34 +0000 (13:31 -0500)]
Do not generate unused parts of toctree
Our css only displays up to depth 3 of the toctree, partially
because the API reference content explodes at depth 4 and that would
not be pretty to see in the sidebar. However, we would previously
always generate HTML for the full toctree and hide parts with CSS.
For the apiref, this proved to be about 65k per html file, and we
have one html file per function/type/macro.
Limit the depth of the toctree that gets generated to save on space
in the release tarball.
Unfortunately, there seems to be a Sphinx bug wherein the toctree
will only be generated to depth 1 for a document at a depth greater
than the maxdepth of the toctree, so the sidebar table of contents
on individual apiref pages will just be the toplevel toctree.
This issue is being tracked at
https://bitbucket.org/birkenfeld/sphinx/issue/1046/
Ben Kaduk [Wed, 28 Nov 2012 19:19:43 +0000 (14:19 -0500)]
Reformat RST to avoid sphinx warnings
Old versions of docutils will see inline markup (e.g., :ref:`foo`)
at the beginning of a line in the content of a directive block
and attempt to interpret that markup as options or arguments
to the directive. RST intended as inline markup (as opposed to
modifying the behavior of the directive) will not be interpretable
in this context, and causes Sphinx to emit a warning.
Work around this behavior by always leaving a blank line before
the content of a directive block, forcing it to be interpreted
as content and not options or arguments.
The buggy behavior was only encountered in note environments, but
for consistency of style, also reformat warning and error blocks.
Tom Yu [Thu, 6 Dec 2012 23:35:59 +0000 (18:35 -0500)]
Make resources.rst more useful to non-devs
Reorder the IRC channel listing so #kerberos is first. (Developers
form a smaller part of our audience for this documentation set.)
Remove some details that are available on the wiki and not of interest
to non-developers.
Greg Hudson [Fri, 7 Dec 2012 02:40:05 +0000 (21:40 -0500)]
Don't return a host referral to the service realm
A host referral to the same realm we just looked up the principal in
is useless at best and confusing to the client at worst. Don't
respond with one in the KDC.
Ben Kaduk [Mon, 3 Dec 2012 19:21:55 +0000 (14:21 -0500)]
Access keys for the KfW ribbon interface
Improve accessibility by actually enabling access keys for ribbon
elements (tap alt and follow the onscreen hints for keys to press),
instead of just underlining a letter in the name of each element.
Supply an underlined letter in the text of each element, corresponding
to this access key, even if there is not a shortcut key bound to that
element. While here, fix conflicting assignment to 'R' on the 'options'
tab (between "Renewable Until" and "Automatic Ticket Renewal") by
making "Automatic Ticket Renewal" use 'T'. Microsoft's UI recommendations
seem to say that access keys should be easy to locate when searching
through the menu, and thus using the first letter of the first or
second word is advisable.
The Ribbon XML Reference seems to indicate that these elements should
be "keytip" elements, but MSVS creates "keys" elements, which seem
to work, whereas "keytip" does not. Apparently 'F' is standard for
the application button menu (which contains exit). Access keys work
somewhat poorly for us in this menu, as they appear on top of the text
of the menu items, since we have no icons here.
Ben Kaduk [Mon, 3 Dec 2012 17:25:07 +0000 (12:25 -0500)]
Leave 'OK' button visible in Leash AboutBox
The AboutBox dialog as specified in the resource file is larger than
the one we display; the dialog init routine marks several things as
non-visible, moves the 'OK' button up to where the now-invisible items
were, and shrinks the dialog's bounding rectangle.
However, the edit boxes containing copyright and version information
seem to always present as being on top of the 'OK' button, and their
background causes the button to appear almost invisible with the current
repositioning.
To keep the 'OK' button visible, reduce the amount that it is moved
(and the amount the dialog is shrunk) so that the button does not overlap
with the edit box.