Tom Yu [Tue, 14 Jan 2014 20:43:35 +0000 (15:43 -0500)]
Remove mentions of krb5-send-pr
Start the process of deprecating krb5-send-pr. In practice, it causes
frustration for some users, and free-form email is good enough for
most bug reports.
Continue to install krb5-send-pr for now, but plan to remove it from
the tree in the future, probably replaced by a script that instructs
the user to send email manually.
Tom Yu [Fri, 17 Jan 2014 21:52:40 +0000 (16:52 -0500)]
Test bogus KDC-REQs
Send encodings that are invalid KDC-REQs, but pass krb5_is_as_req()
and krb5_is_tgs_req(), to make sure that the KDC recovers correctly
from failures in decode_krb5_as_req() and decode_krb5_tgs_req(). Also
send an encoding that isn't a valid KDC-REQ.
Tom Yu [Fri, 17 Jan 2014 21:43:45 +0000 (16:43 -0500)]
Add a test program for krb5_copy_context
This test program isn't completely proof against the kind of mistakes
we've made with krb5_copy_context in the past, but it at least
exercises krb5_copy_context and can detect some kinds of bugs.
Tom Yu [Fri, 17 Jan 2014 21:21:33 +0000 (16:21 -0500)]
Fix krb5_copy_context
krb5_copy_context has been broken since 1.8 (it broke in r22456)
because k5_copy_etypes crashes on null enctype lists. Subsequent
additions to the context structure were not reflected in
krb5_copy_context, creating double-free bugs. Make k5_copy_etypes
handle null input and account for all new fields in krb5_copy_context.
Reported by Arran Cudbard-Bell.
Greg Hudson [Mon, 16 Dec 2013 20:37:56 +0000 (15:37 -0500)]
Fix GSS krb5 acceptor acquire_cred error handling
When acquiring acceptor creds with a specified name, if we fail to
open a replay cache, we leak the keytab handle. If there is no
specified name and we discover that there is no content in the keytab,
we leak the keytab handle and return the wrong major code. Memory
leak reported by Andrea Campi.
Simo Sorce [Fri, 13 Dec 2013 17:00:41 +0000 (12:00 -0500)]
Fix memory leak in SPNEGO initiator
If we eliminate a mechanism from the initiator list because
gss_init_sec_context fails, free the memory for that mech OID before
removing it from the list.
Greg Hudson [Tue, 10 Dec 2013 17:04:18 +0000 (12:04 -0500)]
Fix SPNEGO one-hop interop against old IIS
IIS 6.0 and similar return a zero length reponse buffer in the last
SPNEGO packet when context initiation is performed without mutual
authentication. In this case the underlying Kerberos mechanism has
already completed successfully on the first invocation, and SPNEGO
does not expect a mech response token in the answer. If we get an
empty mech response token when the mech is complete during
negotiation, ignore it.
[ghudson@mit.edu: small code style and commit message changes]
Tom Yu [Fri, 17 Jan 2014 20:59:13 +0000 (15:59 -0500)]
Remove dangling --with-kdc-kdb-update references
This configure option hasn't done anything since 1.8, so don't mention
it in configure --help or the documentation. The disable_last_success
and disable_lockout DB options are now used to turn it off.
A related but more minor vulnerability requires authentication to
exploit, and is only present if a third-party KDC database module can
dereference a null pointer under certain conditions.
Greg Hudson [Mon, 28 Oct 2013 15:23:11 +0000 (11:23 -0400)]
Improve LDAP KDB initialization error messages
In krb5_ldap_initialize, don't just blat the LDAP error into the
extended message; give an indication of which LDAP operation we were
trying to do and show what parameters we gave to it.
(Also, krb5_set_error_message can handle a null context argument, so
don't bother to check before calling.)
Greg Hudson [Sun, 27 Oct 2013 00:17:10 +0000 (20:17 -0400)]
Fix decoding of mkey kvno in mkey_aux tl-data
krb5_dbe_lookup_mkey_aux was decoding a 16-bit value directly into an
int, resulting in the wrong value on big-endian platforms. The
consequences are mostly invisible because we ignore this field and try
all mkey_aux nodes in krb5_def_fetch_mkey_list.
Greg Hudson [Thu, 24 Oct 2013 16:51:18 +0000 (12:51 -0400)]
Correctly activate master keys in pre-1.7 KDBs
Starting with 1.7, databases are created with actkvno tl-data in the
K/M entry which gives the initial master key version an activation
time of 0. A database created before 1.7 will not have this tl-data,
but we should behave in the same way as we do for a more recent
database.
Move the actkvno list synthesis code from krb5_dbe_fetch_act_key_list
to krb5_dbe_lookup_actkvno so it applies to kdb5_util commands as well
as libkadm5. Synthesize the same list as we would have initialized
the KDB with, with an activation time of 0 for the earliest master
key.
Greg Hudson [Mon, 21 Oct 2013 20:46:15 +0000 (16:46 -0400)]
Fix typos in kdb5_util master key command outputs
kdb5_util list_mkeys was beginning lines with "KNVO" instead of
"KVNO". kdb5_util purge_mkeys was displaying "follwing" instead of
"following" for both dry-run and normal cases.
Greg Hudson [Wed, 9 Oct 2013 17:37:17 +0000 (13:37 -0400)]
Change KRB5KDC_ERR_NO_ACCEPTABLE_KDF to 100
draft-ietf-krb-wg-pkinit-alg-agility-07 specifies
KDC_ERR_NO_ACCEPTABLE_KDF as 82, but this value conflicts with
KRB_AP_ERR_PRINCIPAL_UNKNOWN from RFC 6111. The former value has been
reassigned to 100 to fix the conflict. Use the correct value.
We believe that this error won't crop up in practice for a long time
(when SHA-2 has been superceded by other hash algorithms and people
are desupporting it), by which time implementations will mostly have
been upgraded to use the new value.
Nicolas Williams [Wed, 12 Sep 2012 16:36:54 +0000 (11:36 -0500)]
Fix lock inconsistency in ctx_unlock()
The lock inconsistency fixed here is quite possibly the same as
described in https://bugzilla.redhat.com/show_bug.cgi?id=586032 .
The problem is that ctx_unlock() fails to unlock the principal DB if
it fails to unlock the policy DB, and this happens when ctx_lock()
fails to lock the policy DB (likely because the caller is racing
against a kdb5_util load, which will be using a "permanent" lock,
meaning that the lock file will be unlinked after acquiring the
lock). The fix is to perform both unlock operations *then* handle
any errors that either or both might have returned.
An RFC 6113 KrbFastReq contains a padata sequence and a KDC-REQ-BODY,
neither of which contain the msg-type field found in a KDC-REQ. So
when we decode the FAST request, the resulting krb5_kdc_req structure
has a msg_type of 0. Copy msg_type from the outer body, since we make
use of it in further KDC processing.
Tom Yu [Wed, 10 Apr 2013 03:47:54 +0000 (23:47 -0400)]
Allow config of dh_min_bits < 2048
Allow configuration to override the default dh_min_bits of 2048 to
1024. Disallow configuration of dh_min_bits < 1024, but continue to
default to 2048.
Tom Yu [Wed, 29 May 2013 21:33:05 +0000 (17:33 -0400)]
Fix transited handling for GSSAPI acceptors
The Acceptor Names project (#6855) extended krb5_rd_req so that it can
accept a "matching principal" in the server parameter. If the
matching principal has an empty realm, rd_req_decoded_opt attempted to
do transited checking with an empty server realm.
To fix this, always reset server to req->ticket->server for future
processing steps if we decrypt the ticket using a keytab.
decrypt_ticket replaces req->ticket->server with the principal name
from the keytab entry, so we know this name is correct.
Based on a bug report and patch from nalin@redhat.com.
Tom Yu [Fri, 3 May 2013 20:26:46 +0000 (16:26 -0400)]
Fix kpasswd UDP ping-pong [CVE-2002-2443]
The kpasswd service provided by kadmind was vulnerable to a UDP
"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
they pass some basic validation, and don't respond to our own error
packets.
Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
attack or UDP ping-pong attacks in general, but there is discussion
leading toward narrowing the definition of CVE-1999-0103 to the echo,
chargen, or other similar built-in inetd services.
Thanks to Vincent Danen for alerting us to this issue.
rbasch [Mon, 4 Mar 2013 03:55:41 +0000 (22:55 -0500)]
Reset ulog if database load failed
If an iprop slave tries to load a dump from the master and it fails,
reset the ulog header so we take another full dump, instead of
reporting that the slave is current when it isn't.
Tom Yu [Fri, 29 Mar 2013 23:27:33 +0000 (19:27 -0400)]
KDC TGS-REQ null deref [CVE-2013-1416]
By sending an unusual but valid TGS-REQ, an authenticated remote
attacker can cause the KDC process to crash by dereferencing a null
pointer.
prep_reprocess_req() can cause a null pointer dereference when
processing a service principal name. Code in this function can
inappropriately pass a null pointer to strlcpy(). Unmodified client
software can trivially trigger this vulnerability, but the attacker
must have already authenticated and received a valid Kerberos ticket.
The vulnerable code was introduced by the implementation of new
service principal realm referral functionality in krb5-1.7, but was
corrected as a side effect of the KDC refactoring in krb5-1.11.
Greg Hudson [Fri, 1 Feb 2013 16:52:48 +0000 (11:52 -0500)]
Fix kdb5_util dump.c uninitialized warnings
Some versions of clang report an uninitialized variable warning (which
we treat as an error) in process_k5beta_record. Due to the if-ladder
style of the function, uninitialized tmpint values can be copied
around in certain error cases, although the garbage values would be
ultimately ignored. As a minimal fix, initialize the tmpint
variables.
Greg Hudson [Fri, 11 Jan 2013 15:13:25 +0000 (10:13 -0500)]
Fix no_host_referral concatention in KDC
If no_host_referral is set in both [kdcdefaults] and the realm
subsection, we're supposed to concatenate their values. But the logic
in handle_referral_params would overwrite the value with the
non-concatenated realm value. Similar bugs of this nature were fixed
in 639c9d0f5a7c68dc98a2a452abc05ca32443cddf (r22037) but this one was
missed.
Xi Wang [Thu, 14 Feb 2013 23:17:40 +0000 (18:17 -0500)]
PKINIT null pointer deref [CVE-2013-1415]
Don't dereference a null pointer when cleaning up.
The KDC plugin for PKINIT can dereference a null pointer when a
malformed packet causes processing to terminate early, leading to
a crash of the KDC process. An attacker would need to have a valid
PKINIT certificate or have observed a successful PKINIT authentication,
or an unauthenticated attacker could execute the attack if anonymous
PKINIT is enabled.
Jonathan Reams [Fri, 15 Feb 2013 07:11:57 +0000 (02:11 -0500)]
Convert success in krb5_chpw_result_code_string
Result code 0 used to be converted properly by krb5_set_password,
though not krb5_change_password; this changed in 1.10 when
krb5int_setpw_result_code_string was folded into
krb5_chpw_result_code_string. Restore the old behavior, and make it
apply to krb5_change_password as well, by making
krb5_chpw_result_code_string convert result code 0.
Greg Hudson [Sun, 3 Feb 2013 18:21:34 +0000 (13:21 -0500)]
Make kprop/kpropd work with RC4 session key
In krb5_auth_con_initivector and mk_priv/rd_priv, stop assuming that
the enctype's block size is the size of the cipher state. Instead,
make and discard a cipher state to get the size.
Tom Yu [Fri, 11 Jan 2013 20:53:23 +0000 (15:53 -0500)]
Fix various integer issues
In kdc_util.c and spnego_mech.c, error returns from ASN.1 length
functions could be ignored because they were assigned to unsigned
values. In spnego_mech.c, two buffer size checks could be rewritten
to reduce the likelihood of pointer overflow. In dump.c and
kdc_preauth.c, calloc() could be used to simplify the code and avoid
multiplication overflow. In pkinit_clnt.c, the wrong value was
checked for a null result from malloc(), and the code could be
simplified.
Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>.
Greg Hudson [Thu, 21 Jun 2012 21:20:29 +0000 (17:20 -0400)]
Handle PKINIT DH replies with no certs
If a PKINIT Diffie-Hellman reply contains no certificates in the
SignedData object, that may be because the signer certificate was a
trust anchor as transmitted to the KDC. Heimdal's KDC, for instance,
filters client trust anchors out of the returned set of certificates.
Match against idctx->trustedCAs and idctx->intermediateCAs to handle
this case. This fix only works with OpenSSL 1.0 or later; when built
against OpenSSL 0.9.x, the client will still require a cert in the
reply.
Greg Hudson [Fri, 27 Jan 2012 21:27:47 +0000 (21:27 +0000)]
Suppress maybe-uninitialized warning in x-deltat.y
Recent versions of gcc can generate a maybe-uninitialized warning from
bison output instead of a regular uninitialized warning. Suppress
both. Fix from nalin@redhat.com.
Tom Yu [Wed, 22 Feb 2012 19:27:56 +0000 (19:27 +0000)]
Fail during configure if unable to find ar
Fail during configure time if the configure script can't locate the
"ar" program, instead of producing a delayed failure during build time
by running the "false" command. Some Solaris releases have ar in
/usr/ccs/bin, which is not in the default path for some users.
Greg Hudson [Thu, 3 May 2012 21:43:42 +0000 (21:43 +0000)]
Make verify_init_creds work with existing ccache
As the file ccache implementation currently stands, we don't want to
turn off TC_OPENCLOSE on a file cache we're writing to, or it will be
opened read-only and stores to it will fail. Reported by Russ
Allbery.
Use krb5int_copy_data_contents_add0 when copying a pa-pw-salt or
pa-afs3-salt value in pa_salt(). If it's an afs3-salt, we're going to
throw away the length and use strcspn in krb5int_des_string_to_key,
which isn't safe if the value is unterminated.
Greg Hudson [Fri, 7 Dec 2012 02:40:05 +0000 (21:40 -0500)]
Don't return a host referral to the service realm
A host referral to the same realm we just looked up the principal in
is useless at best and confusing to the client at worst. Don't
respond with one in the KDC.
Nalin Dahyabhai [Thu, 13 Dec 2012 19:26:07 +0000 (14:26 -0500)]
PKINIT (draft9) null ptr deref [CVE-2012-1016]
Don't check for an agility KDF identifier in the non-draft9 reply
structure when we're building a draft9 reply, because it'll be NULL.
The KDC plugin for PKINIT can dereference a null pointer when handling
a draft9 request, leading to a crash of the KDC process. An attacker
would need to have a valid PKINIT certificate, or an unauthenticated
attacker could execute the attack if anonymous PKINIT is enabled.
Greg Hudson [Wed, 11 Jan 2012 21:20:08 +0000 (21:20 +0000)]
Fix spurious clock skew caused by gak_fct delay
In get_in_tkt.c, a time offset is computed between the KDC's auth_time
and the current system time after the reply is decrypted. Time may
have elapsed between these events because of a gak_fct invocation
which blocks on user input. The resulting spurious time offset can
cause subsequent TGS-REQs to fail and can also cause the end time of
the next AS request to be in the past (issue #889) in cases where the
old ccache is opened to find the default principal.
Use the system time, without offset, for the request time of an AS
request, for more predictable kinit behavior. Use this request time,
rather than the current time, when computing the clock skew after the
reply is decrypted.
Ben Kaduk [Wed, 5 Dec 2012 21:53:26 +0000 (16:53 -0500)]
Ready for KfW 4.0.1 beta 1
Bump versions where appropriate, and drop buildlevel back to zero
for the new version.
While here, remove KRB5_RELTAG and KRB5_RELDATE from
src/windows/kerberos.ver as they are unused and merely serve
to cause confusion with the values in src/patchlevel.h.
Ben Kaduk [Mon, 3 Dec 2012 19:21:55 +0000 (14:21 -0500)]
Access keys for the KfW ribbon interface
Improve accessibility by actually enabling access keys for ribbon
elements (tap alt and follow the onscreen hints for keys to press),
instead of just underlining a letter in the name of each element.
Supply an underlined letter in the text of each element, corresponding
to this access key, even if there is not a shortcut key bound to that
element. While here, fix conflicting assignment to 'R' on the 'options'
tab (between "Renewable Until" and "Automatic Ticket Renewal") by
making "Automatic Ticket Renewal" use 'T'. Microsoft's UI recommendations
seem to say that access keys should be easy to locate when searching
through the menu, and thus using the first letter of the first or
second word is advisable.
The Ribbon XML Reference seems to indicate that these elements should
be "keytip" elements, but MSVS creates "keys" elements, which seem
to work, whereas "keytip" does not. Apparently 'F' is standard for
the application button menu (which contains exit). Access keys work
somewhat poorly for us in this menu, as they appear on top of the text
of the menu items, since we have no icons here.
Ben Kaduk [Mon, 3 Dec 2012 17:25:07 +0000 (12:25 -0500)]
Leave 'OK' button visible in Leash AboutBox
The AboutBox dialog as specified in the resource file is larger than
the one we display; the dialog init routine marks several things as
non-visible, moves the 'OK' button up to where the now-invisible items
were, and shrinks the dialog's bounding rectangle.
However, the edit boxes containing copyright and version information
seem to always present as being on top of the 'OK' button, and their
background causes the button to appear almost invisible with the current
repositioning.
To keep the 'OK' button visible, reduce the amount that it is moved
(and the amount the dialog is shrunk) so that the button does not overlap
with the edit box.
Tom Yu [Thu, 27 Sep 2012 21:18:18 +0000 (17:18 -0400)]
Cache TGS-REPs too
Changes in r25660 inadvertently failed to insert TGS-REPs into the
lookaside cache. Call finish_dispatch_cache() at the end of
dispatch() to handle this case.
The file 'checkbox blank.png' is unneeded and contains a space in the
name, unnecessarily interfering with running find | xargs over the
source tree. Remove it.
Ben Kaduk [Wed, 19 Sep 2012 16:13:30 +0000 (12:13 -0400)]
Update windows/README
The build instructions have changed somewhat, as have the requirements
for a build environment.
The default behavior for KRB5_CONFIG and KRB5CCNAME has also changed.
Attempt to remove mention of overly specific Windows versions that
are now quite old when the behavior persists in newer versions of Windows.
Document the usage of DNS by default and the reduced need for a large
krb5.ini file.
Talk a little more about the LSA cache.
Ben Kaduk [Tue, 18 Sep 2012 21:53:18 +0000 (17:53 -0400)]
Remove NSIS installs when upgrading to 64-bit
The NSIS installer appears to have only ever existed as a 32-bit
software. As such, unconditionally check the 32-bit registry tree
for an uninstall string; the architecture of the current package
being installed is not relevant to what was previously installed.
Ben Kaduk [Wed, 12 Sep 2012 18:17:59 +0000 (14:17 -0400)]
Improve LEASHAUTOINIT description
This installer option determines whether the -autoinit argument
is passed to the MIT Kerberos executable.
On startup, if this argument is passed, and if there are no tickets
in the default cache, and if no useful tickets can be imported from
the LSA cache, MIT Kerberos will open the get ticket dialog and prompt
for a password; this option does not appear to have any other effect.
Ben Kaduk [Wed, 12 Sep 2012 15:35:04 +0000 (11:35 -0400)]
Unregister error message key on library unload
Revision fcdd2de1 added the K5_KEY_GSS_KRB5_ERROR_MESSAGE key, and
registered it in the gssapi library initialization routine, but
did not unregister it in the libary finalization routine.
When the library is unloaded and reloaded in the same process,
this leads to an assertion failure, since we check that
destructors_set[keynum] is zero (no destructor set) when registering
a key in util/support/threads.c.
Unregister the key on library cleanup to resolve the error.
We already define EV_USE_REALTIME to 0 to avoid the use of
clock_gettime() (to avoid depending on librt). But in some build
environments libev can detect support for a monotonic clock, which
also results in using clock_gettime(). Define EV_USE_MONOTONIC to 0
as well to prevent this.
Ben Kaduk [Fri, 31 Aug 2012 17:41:26 +0000 (13:41 -0400)]
Use separate components for shortcuts
Since the Start Menu and Desktop are different folders, we should
use different components for the shortcuts in those folders, given
that components operate at directory granularity.
Take the opportunity to use the newer style for installing shortcuts
and registry keys, and make the names more descriptive.
Increment the buildlevel to ensure new files are installed.
Ben Kaduk [Thu, 23 Aug 2012 16:38:57 +0000 (12:38 -0400)]
Do not emit debug printfs under NODEBUG
These printfs spew to the console when command-line utilities
such as 'klist' and 'aklog' are run, reducing usability.
These printfs can also cause application hangs.
On a multiprocessor machine, when PuTTY and the ccapiserver are
running on different CPUs, PuTTY appears to deadlock with three
concurrent threads inside cci_debug_printf().
Ben Kaduk [Wed, 22 Aug 2012 03:19:56 +0000 (23:19 -0400)]
KfW version update for kfw-4.0-beta8
Also bump the build level, since beta 7 has started to escape into
the wild, and we want to ensure that the file version numbers
are strictly increasing.
Kevin Wasserman [Tue, 21 Aug 2012 15:44:46 +0000 (11:44 -0400)]
Fix KfW thread-local storage allocation issues
Allocate thread-local storage on demand; don't rely on
the DLL_THREAD_ATTACH case in DllMain() since pre-existing
threads will never execute that code.
Ben Kaduk [Thu, 16 Aug 2012 20:03:48 +0000 (16:03 -0400)]
Kill running processes on upgrades/uninstalls
The InstallValidate action of the windows installer will bring up
a dialog informing us that some currently running processes must
be terminated before installation may proceed, and offers to do so,
but does not actually kill the processes. We have our own code to
kill running processes which did not execute, for two reasons:
it was sequenced after InstallValidate, and we did not have a current
list of processes to look for.
Add the right processes to look for and kill, and use our own
process-killing code since it actually works.
Ben Kaduk [Wed, 15 Aug 2012 18:50:42 +0000 (14:50 -0400)]
Make finding 32-bit libs easier
Our 64-bit installer provides 32-bit libraries as well as 64-bit
libraries, but not all 32-bit applications (e.g., PuTTY, Pidgin)
are able to locate them in C:\Program Files\MIT\Kerberos .
Including an InstallDir key under the Wow6432Node tree lets them
work out-of-the-box; while here set all the registry keys in this
component in the compatibility tree, for consistency.
Ben Kaduk [Mon, 13 Aug 2012 22:01:47 +0000 (18:01 -0400)]
Upgrade 64-bit KfW installations
We use separate UpgradeCodes for 32- and 64-bit installers, so
we must check for both of them when seeing if we are upgrading an
old/existing installation.
Ben Kaduk [Mon, 13 Aug 2012 19:03:45 +0000 (15:03 -0400)]
Upgrade from KfW betas, too
Instead of using 3.9.9 as a conditional for the maximum version to
upgrade from, just use the current version.
This seems to pick up beta tags properly (so we can upgrade
from, e.g., beta 6 to beta 7 using the installer's upgrade tools),
and is future-proof.
Note that a 64-bit installer will not pick up an existing 32-bit
install (or vice versa), but there does not seem to be infrastructure
to deal with this situation easily.
Also, "downgrading" by running an older installer with a newer version
already installed will cause both versions to be simultaneously
installed; only do this if you know what you're doing.
projects / thirdparty / krb5.git / log
