Greg Hudson [Thu, 18 Feb 2010 18:49:11 +0000 (18:49 +0000)]
The TGS code was not freeing authdata. This is an old leak which was
made more evident in 1.8 by the addition of ad-signedpath authdata
appearing in most tickets issued through the TGS path.
Greg Hudson [Thu, 18 Feb 2010 18:04:47 +0000 (18:04 +0000)]
Fix cipher state chaining in OpenSSL back end
Make cipher state chaining work in the OpenSSL back end for des, des3,
and arcfour enc providers. Subtleties:
* DES and DES3 have checks to avoid clobbering ivec with uninitialized
data if there is no data to encrypt.
* Arcfour saves the OpenSSL cipher context across calls. To protect
against a caller improperly copying the state (which happens to work
with other enc providers), a loopback pointer is used, as in GSSAPI.
* EVP_EncryptFinal_ex is unnecessary with stream ciphers and would
interfere with cipher state chaining if it did anything, so just
remove it.
Zhanna Tsitkov [Wed, 17 Feb 2010 16:09:43 +0000 (16:09 +0000)]
validator.py is a tool to validate kerb configuration files.
First, the configuration file is parsed (confparser.py) and validated against formating errors (such as mismatching brackets)
Then the list of the allowed configuration attributes is compiled from k5-int.h and rules.yml
Finally, the kerb configuration file is validated against the list of the allowed strings.
If the error, or something that validator does not understand, is found the warning is issued in the tree-like form indicating the layer where the problem has occurred.
Tom Yu [Tue, 16 Feb 2010 22:10:17 +0000 (22:10 +0000)]
MITKRB5-SA-2010-001 CVE-2010-0283 KDC denial of service
Code introduced in krb5-1.7 can cause an assertion failure if a
KDC-REQ is internally inconsistent, specifically if the ASN.1 tag
doesn't match the msg_type field. Thanks to Emmanuel Bouillon (NATO
C3 Agency) for discovering and reporting this vulnerability.
Greg Hudson [Thu, 11 Feb 2010 16:07:08 +0000 (16:07 +0000)]
Minimal support for updating history key
Add minimal support for re-randomizing the history key:
* cpw -randkey kadmin/history now works, but creates only one key.
* cpw -randkey -keepold kadmin/history still fails.
* libkadm5 no longer caches the history key. Performance impact
is minimal since password changes are not common.
* randkey no longer checks the newly randomized key against old keys,
and the disabled code to do so in setkey/setv4key is gone, so now
only kadm5_chpass_principal_3 accesses the password history.
Greg Hudson [Wed, 10 Feb 2010 23:44:18 +0000 (23:44 +0000)]
Implement gss_set_neg_mechs
Implement gss_set_neg_mechs in SPNEGO by intersecting the provided
mech set with the mechanisms available in the union credential. As
we now need space to hold the mech set, the SPNEGO credential is now
a structure and not just a mechglue credential.
t_spnego.c is a test program which exercises the new logic. Like the
other GSSAPI tests, it is not run as part of "make check" at this
time.
Greg Hudson [Wed, 10 Feb 2010 01:55:36 +0000 (01:55 +0000)]
Followon fixes to r23712:
* A few formatting fixes.
* Fix unlikely leak in kdc_handle_protected_negotiation: if
add_pa_data_element with copy == FALSE fails, it's still the
caller's responsibility to free pa.contents.
* Fix pre-existing (since r23465) leak of reply_encpart.enc_padata in
process_as_req.
* Call add_pa_data_element with copy == TRUE in
return_referral_enc_padata since we are passing memory owned by the
database entry.
Sam Hartman [Tue, 9 Feb 2010 19:15:12 +0000 (19:15 +0000)]
krb5int_fast_free_state segfaults if state is null
krb5int_fast_free_state fails if state is null. INstead it should
simply return Reorganization of the get_init_creds logic has created
situations where the init_creds loop can fail between the time when
the context is initialized and the fast state is initialized.
Sam Hartman [Tue, 9 Feb 2010 19:15:07 +0000 (19:15 +0000)]
enc_padata can include empty sequence
There are two issues with return_enc_padata.
1) It often will return an empty sequence of enc_padata rather than not including the field
2) FAST negotiation is double supported in the referral tgs path and not supported in the non-referral path
Rewrite the return_enc_padata logic to:
* Split out referral interactions with kdb into its own function
* Use add_pa_data_element
Greg Hudson [Fri, 5 Feb 2010 21:46:35 +0000 (21:46 +0000)]
Consistently place $(LDFLAGS) after $(SHLIB_EXPFLAGS) when building
shared libraries. Previously we sometimes failing to use $(LDFLAGS)
at all, and at other times were putting it before $(SHLIB_EXPFLAGS)
where it could pick up tree-internal libraries from outside the build
tree.
Tom Yu [Fri, 5 Feb 2010 03:05:42 +0000 (03:05 +0000)]
Apply patch from Arlene Berry to return a comparable static OID object
instead of the application-passed (probably dynamically allocated)
OID, to avoid use-after-free problems.
Tom Yu [Mon, 1 Feb 2010 21:48:19 +0000 (21:48 +0000)]
set_default_enctype_var should filter not reject weak enctypes
With allow_weak_crypto=false, set_default_enctype_var() (helper
function for krb5_set_default_tgs_enctypes(), etc.) was rejecting any
application-provided enctype list that contained any weak enctype even
when valid strong enctypes were present. This broke some Samba
things. Filter the weak enctypes instead. Add test cases.
Reported to Debian by Holger Isenberg. (Debian bug #566977)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977
Thanks to Simo Sorce for testing.
Greg Hudson [Fri, 29 Jan 2010 01:22:17 +0000 (01:22 +0000)]
Make decryption of master key list more robust
krb5_def_fetch_mkey_list was incorrectly filtering mkey_aux entries
when searching the list for an entry which can be decrypted with the
stashed master key. This bug was masked in most cases by the mkvno
heuristic.
Remove the mkvno heuristic, since performance is not an issue for this
rarely-performed operation, and remove the incorrect enctype
comparison in the brute-force search.
Greg Hudson [Thu, 28 Jan 2010 21:39:31 +0000 (21:39 +0000)]
Handle migration from pre-1.7 databases with master key kvno != 1
krb5_dbe_lookup_mkvno assumes an mkvno of 1 for entries with no
explicit tl_data. We've seen at least one pre-1.7 KDB with a master
kvno of 0, violating this assumption. Fix this as follows:
* krb5_dbe_lookup_mkvno outputs 0 instead of 1 if no tl_data exists.
* A new function krb5_dbe_get_mkvno translates this 0 value to the
minimum version number in the mkey_list. (krb5_dbe_lookup_mkvno
cannot do this as it doesn't take the mkey_list as a parameter.)
* Call sites to krb5_dbe_lookup_mkvno are converted to
krb5_dbe_get_mkvno, except for an LDAP case where it is acceptable
to store 0 if the mkvno is unknown.
Greg Hudson [Wed, 27 Jan 2010 03:52:52 +0000 (03:52 +0000)]
Get rid of kdb_ext.h and allow out-of-tree KDB plugins
Move the contents of kdb_ext.h into kdb.h, since there is no meaningful
"extensions" category of DB interfaces now that this stuff is in our
tree. Allows out-of-tree KDB plugins to be built since we install
kdb.h.
Tom Yu [Tue, 26 Jan 2010 22:55:07 +0000 (22:55 +0000)]
define MIN() in lib/gssapi/krb5/prf.c
Apply patch from Doug Engert to define MIN(), which was causing prf.c
to fail compilation on Solaris. (The definition was probably leaking
from sys/param.h, included indirectly somehow.)
Greg Hudson [Tue, 19 Jan 2010 23:35:39 +0000 (23:35 +0000)]
Add krb5_allow_weak_crypto API
Add an API to allow apps to override the profile setting of
allow_weak_crypto, so that aklog can work with krb5 1.8 out of the box
until OpenAFS finishes migrating away from DES.
Greg Hudson [Thu, 14 Jan 2010 16:09:24 +0000 (16:09 +0000)]
Make history key exempt from permitted_enctypes
In kdb_init_hist, just use the first key entry in the kadmin/history
entry. This makes the history key work even if the enctype is
disallowed by allow_weak_crypto=false or other configuration.
Greg Hudson [Tue, 12 Jan 2010 01:05:37 +0000 (01:05 +0000)]
Simplify and fix FAST check for keyed checksum type
Use krb5_c_is_keyed_checksum to detect unkeyed checksums when handling
FAST requests. The old check was broken for 1.8 because
krb5_c_verify_checksum got pickier about invalid keyblocks.
Zhanna Tsitkov [Mon, 11 Jan 2010 15:19:42 +0000 (15:19 +0000)]
Group together the funtions related to the supplying options to preauth plugin modules.
Also, removed krb5int_ prefix from the names of some static functions in gic_opt.c.s
Ezra Peisach [Sat, 9 Jan 2010 16:02:13 +0000 (16:02 +0000)]
krb5int_pbkdf2_hmac_sha1 fails to set enctype on keyblock
krb5int_pbkdf2_hmac_sha1 fails to set enctype on a termporary keyblock
- resulting in valgrind picking up on a conditional branch w/ unset
value. Initialize value.
Greg Hudson [Fri, 8 Jan 2010 02:43:21 +0000 (02:43 +0000)]
Restore interoperability with 1.6 addprinc -randkey
The arcfour string-to-key operation in krb5 1.7 (or later) disagrees
with the dummy password used by the addprinc -randkey operation in
krb5 1.6's kadmin client, because it's not valid UTF-8. Recognize the
1.6 dummy password and use a random password instead.
Ezra Peisach [Fri, 8 Jan 2010 02:12:24 +0000 (02:12 +0000)]
yarrow code does not initialize keyblock enctype and uses unitialized value
The yarrow code uses a keyblock that is partially initialized. This results
in krb5_k_free_key trying to look up the enctype to call the free handler.
One of the valgrind reports: (there are several paths)
==26701== Conditional jump or move depends on uninitialised value(s)
==26701== at 0x40E9AF0: find_enctype (etypes.h:81)
==26701== by 0x40E9C9E: krb5_k_free_key (key.c:91)
==26701== by 0x40D641A: krb5int_yarrow_cipher_init (ycipher.c:49)
==26701== by 0x40D593A: yarrow_gate_locked (yarrow.c:578)
==26701== by 0x40D5349: krb5int_yarrow_output_Block (yarrow.c:423)
==26701== by 0x40D581B: yarrow_output_locked (yarrow.c:553)
==26701== by 0x40D5667: krb5int_yarrow_output (yarrow.c:513)
==26701== by 0x40EBD2D: krb5_c_random_make_octets (prng.c:112)
==26701== by 0x40D4119: krb5int_old_encrypt (old_aead.c:97)
==26701== by 0x40E9696: krb5_k_encrypt_iov (encrypt_iov.c:42)
==26701== by 0x8049554: main (t_encrypt.c:206)
==26701==
Ezra Peisach [Fri, 8 Jan 2010 01:51:19 +0000 (01:51 +0000)]
krb5int_derive_key results in cache with uninitialized values
krb5int_derive_key creates a temporary keyblock to add to the derived cache.
krb5_k_free_key will iterate over the derived keys and for ones with cache will
lookup the enctype for the key_cleanup handler.
Unfortunatly, there isn't a keyblock init function that does not allocate the
keyblock - as I suspect this problem will appear in other places.
The valgrind log of this problem is:
==7281== Conditional jump or move depends on uninitialised value(s)
==7281== at 0x40E9AE8: find_enctype (etypes.h:81)
==7281== by 0x40E9C96: krb5_k_free_key (key.c:91)
==7281== by 0x40E9C52: krb5_k_free_key (key.c:86)
==7281== by 0x40EBB00: krb5_c_prf (prf.c:87)
==7281== by 0x40E7B1B: prf_plus (cf2.c:77)
==7281== by 0x40E7CE6: krb5_c_fx_cf2_simple (cf2.c:125)
==7281== by 0x804899C: main (t_cf2.c:70)
==7281==
Greg Hudson [Wed, 6 Jan 2010 23:44:04 +0000 (23:44 +0000)]
Make krb5_dbe_def_search_enctype more consistent about when it returns
KRB5_KDB_NO_PERMITTED_KEY. Now it will return that error if it sees
any non-permitted enctypes which match the search criteria.
Greg Hudson [Mon, 4 Jan 2010 21:22:00 +0000 (21:22 +0000)]
Add preauth_module_dir support to the KDC preauth module loader
(should have been part of r23531). Most or all of this logic should
be moved into the plugin code or a layer above it, after the branch.
Sam Hartman [Mon, 4 Jan 2010 19:59:16 +0000 (19:59 +0000)]
Bring back krb5_kt_free_entry which really does the same thing as
krb5_free_keytab_entry_contents per discussion on krbdev in order to
avoid breaking samba builds.
Ken Raeburn [Sun, 3 Jan 2010 23:39:12 +0000 (23:39 +0000)]
Enable caching of key-derived context info such as key schedules from
one encryption operation to another. Use a new function in the
enc_provider structure for cleanup. Implement caching of aes_ctx
values.
Using Greg's performance tests from the derived-key caching work, on a
2.8GHz Xeon, I see 1 million AES-128 encryptions of 16 bytes improved
by 5-6%; encryptions of 1024 bytes and checksums are not significantly
affected.
Ezra Peisach [Fri, 1 Jan 2010 16:41:04 +0000 (16:41 +0000)]
Change db_args from being a global to only defined in the function
that uses it. This removes a warning of shadowed variable names. Change
several functions to static when limited to main.c
Russ Allbery [Fri, 1 Jan 2010 05:09:57 +0000 (05:09 +0000)]
Add a new -P option to krb5kdc and kadmind which, if given, specifies
the path to which to write the PID file of the daemon after it finishes
initializing.
projects / thirdparty / krb5.git / log
