Greg Hudson [Wed, 21 Jun 2023 14:57:39 +0000 (10:57 -0400)]
Ensure array count consistency in kadm5 RPC
In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
key_data array count when decoding. Otherwise when the structure is
later freed, xdr_array() could iterate over the wrong number of
elements, either leaking some memory or freeing uninitialized
pointers. Reported by Robert Morris.
CVE-2023-36054:
An authenticated attacker can cause a kadmind process to crash by
freeing uninitialized pointers. Remote code execution is unlikely.
An attacker with control of a kadmin server can cause a kadmin client
to crash by freeing uninitialized pointers.
Julien Rische [Tue, 21 Feb 2023 09:03:35 +0000 (10:03 +0100)]
Fix meridian type in getdate.y
Commit d3356bc42191c1896ab06835a2fb245e00471420 (ticket 8927)
incorrectly tagged tMERIDIAN as <Number>. So while the lexer assigns
meridian values to the Meridian union field, the parser erroneously
reads them from the Number field. On 64-bit IBM zSystems (s390x),
this can result in using the most recently read number as a meridian
value, leading to an abort in ToSeconds().
Greg Hudson [Wed, 8 Feb 2023 17:23:28 +0000 (12:23 -0500)]
Fix read overruns in SPNEGO parsing
Fix three read overruns discovered by the GitHub Security Lab team
(GHSL-2023-016, GHSL-2023-017, and GHSL-2023-018) using OSS-Fuzz.
In get_mech_set(), error out if gss_add_oid_set_member() fails rather
than continue the loop and increment i past the current bound of
returned_mechSet. In g_verify_neg_token_init(), check for zero-byte
sequences before reading tag bytes, and reduce cur_size by one to
account for the tag byte when calling gssint_get_der_length().
Julien Rische [Thu, 17 Nov 2022 14:01:24 +0000 (15:01 +0100)]
Fix aclocal.m4 syntax error for autoconf 2.72
An incorrect closure inside KRB5_AC_INET6 is innocuous with autoconf
versions up to 2.71, but will cause an error at configure time with
the forthcoming autoconf 2.72.
[ghudson@mit.edu: added more context to commit message]
Greg Hudson [Tue, 13 Dec 2022 18:15:28 +0000 (13:15 -0500)]
Fix PKINIT CMS error checking for older OpenSSL
Commit 70f61d417261ca17efe3d60d180033bea2da60b0 updated the
CMS_verify() error code checks, using two error codes new to OpenSSL
3.0 (RSA_R_DIGEST_NOT_ALLOWED and CMS_R_UNKNOWN_DIGEST_ALGORITHM).
This change broke the build for OpenSSL 1.0 and 1.1.
Instead of looking for codes indicating an algorithm issue and
assuming that everything else is an invalid signature, check for the
code indicating an invalid signature and assume that everything else
is an algorithm issue.
The code for CMS data verification was initially written for OpenSSL's
PKCS7_verify() function. It now uses CMS_verify(), but error handling
is still done using PKCS7_verify() error identifiers. Update the
recognized error codes so that the KDC generates
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED errors when appropriate.
Use ERR_peek_last_error() to observe the error generated closest to
the API surface.
Greg Hudson [Wed, 12 Oct 2022 04:46:52 +0000 (00:46 -0400)]
Fix null deref in KDC when decoding invalid NDR
In ndr_dec_delegation_info(), keep di->transited_services_length valid
by incrementing it as we add entries. Otherwise
ndr_free_delegation_info() could dereference a null
di->transited_services field. Also bound nservices using data->length
to prevent inordinately large memory allocations. Credit to OSS-Fuzz
for discovering the issues.
Greg Hudson [Tue, 18 Oct 2022 00:25:11 +0000 (20:25 -0400)]
Fix integer overflows in PAC parsing
In krb5_parse_pac(), check for buffer counts large enough to threaten
integer overflow in the header length and memory length calculations.
Avoid potential integer overflows when checking the length of each
buffer. Credit to OSS-Fuzz for discovering one of the issues.
CVE-2022-42898:
In MIT krb5 releases 1.8 and later, an authenticated attacker may be
able to cause a KDC or kadmind process to crash by reading beyond the
bounds of allocated memory, creating a denial of service. A
privileged attacker may similarly be able to cause a Kerberos or GSS
application service to crash. On 32-bit platforms, an attacker can
also cause insufficient memory to be allocated for the result,
potentially leading to remote code execution in a KDC, kadmind, or GSS
or Kerberos application server process. An attacker with the
privileges of a cross-realm KDC may be able to extract secrets from a
KDC process's memory by having them copied into the PAC of a new
ticket.
sashan [Fri, 17 Jun 2022 22:05:32 +0000 (00:05 +0200)]
Fix PKCS11 module path search
Commit c5c11839e02c7993eb78f2c94c75c10cf93f2195 switched the loading
of the PKCS#11 module from dlopen() to krb5int_open_plugin(). Because
krb5int_open_plugin() includes a stat() test, this change has the
unintended consequence of requiring the module name to be an absolute
or relative path to the library, not a filename within the dynamic
linker search path.
Within krb5int_open_plugin(), only stat() the filename on the
platforms which will use the file type.
[ghudson@mit.edu: adjusted conditionals to call stat() on Windows;
rewrote commit message]
sashan [Sun, 29 May 2022 08:32:57 +0000 (10:32 +0200)]
Fix uncommon PKINIT memory leak
PKINIT per-request module data objects are normally created by
pkinit_server_verify_padata() and freed by
pkinit_server_return_padata(). In some unusual circumstances, the KDC
may not call the return_padata method after verification succeeds.
Add a free_modreq method and free the object there instead.
Greg Hudson [Fri, 3 Jun 2022 18:38:45 +0000 (14:38 -0400)]
Free verto context later in KDC cleanup
The KDC supplies the verto context to kdcpreauth modules via the loop
method (added in commit 83b4ecd20e50ad330cd761977d5dadefe30a785b).
This context should remain valid until kdcpreauth modules are
unloaded, as modules might refer to it during cleanup. In particular,
the OTP module references the verto context when freeing the RADIUS
client object (commit e89abc2d4ea1fea1ec28d470f297514b828e4842), which
can cause a memory error during KDC shutdown without this change.
sashan [Thu, 26 May 2022 06:51:10 +0000 (08:51 +0200)]
Fix memory leak in SPAKE kdcpreauth module
Commit ff57dc682a27bd205d715f3c0bed84890f2453c4 introduced a memory
leak into verify_response(). reply_key is no longer passed to the
callback and therefore needs to be freed by this function.
Simo Sorce [Thu, 19 May 2022 16:27:40 +0000 (12:27 -0400)]
Read GSS configuration files with mtime 0
There is at least one case (with flatpaks) where configuration files
in the special read-only /etc all have an mtime of 0. Using an
initial last modified time of 0 in g_initialize.c causes these files
to never be read.
Change the initial high value to the be the "invalid" value
(time_t)-1. Since the C and POSIX standards do not require time_t to
be signed, special-case the checks in load_if_changed() and
updateMechList() to treat all mod times as newer than -1.
Greg Hudson [Mon, 28 Mar 2022 23:06:29 +0000 (19:06 -0400)]
Fix iprop with fallback
kpropd produces a client principal name with
krb5_sname_to_principal(), then converts it to a string to pass as the
client principal to kadm5_init_with_skey(). This conversion loses the
name type, so no canonicalization is performed by libkadm5.
Commit dcb79089276624d7ddf44e08d35bd6d7d7e557d2 addresses this problem
for kadmin -k by looking for the referral realm, but kpropd sets the
realm in the krb5_sname_to_principal() result. Add an additional
check for a two-component principal with kiprop as the first
component.
Greg Hudson [Fri, 4 Mar 2022 05:45:00 +0000 (00:45 -0500)]
Try harder to avoid password change replay errors
Commit d7b3018d338fc9c989c3fa17505870f23c3759a8 (ticket 7905) changed
change_set_password() to prefer TCP. However, because UDP_LAST falls
back to UDP after one second, we can still get a replay error due to a
dropped packet, before the TCP layer has a chance to retry.
Instead, try k5_sendto() with NO_UDP, and only fall back to UDP after
TCP fails completely without reaching a server. In sendto_kdc.c,
implement an ONLY_UDP transport strategy to allow the UDP fallback.
Julien Rische [Wed, 19 Jan 2022 18:46:08 +0000 (19:46 +0100)]
Make kprop work for dump files larger than 4GB
If the dump file size does not fit in 32 bits, encode four zero bytes
(forcing an error for unmodified kpropd) followed by the size in the
next 64 bits.
Add a functional test case, but only run it when an environment
variable is set, as processing a 4GB dump file is too
resource-intensive for make check.
[ghudson@mit.edu: edited comments and commit message; eliminated use
of defined constant in some cases; added test case]
Tianjiao Yin [Mon, 7 Feb 2022 08:48:05 +0000 (00:48 -0800)]
Replace macros with typedefs in gssrpc types.h
Defining bool_t and enum_t with the preprocessor conflicts with
namespaced declarations in fbthrift's headers. Use typedefs to avoid
this conflict and for consistency with other Sun RPC implementations.
Greg Hudson [Tue, 25 Jan 2022 23:09:21 +0000 (18:09 -0500)]
Clarify certauth interface documentation
Try to make it clearer that princ is the requested client principal,
not a principal extracted from the certificate, and that the module
must decode the certificate and inspect its attributes. Document
KRB5_CERTAUTH_HWAUTH_PASS in certauth_plugin.h.
Greg Hudson [Wed, 23 Feb 2022 05:31:13 +0000 (00:31 -0500)]
Run Windows CI on windows-2019 image for now
The Github Actions windows-latest runner label now uses Windows Server
2022, which requires different setup steps for the Visual Studio
environment and does not contain CRT merge modules for VS 2022 (though
it does for VS 2017). For now, run the Windows build on windows-2019.
Greg Hudson [Fri, 28 Jan 2022 15:44:21 +0000 (10:44 -0500)]
Remove unneeded SPAKE free_modreq method
Commit ff57dc682a27bd205d715f3c0bed84890f2453c4 removed the use of
per-request module data in SPAKE, but neglected to remove the
corresponding free_modreq method.
Greg Hudson [Fri, 21 Jan 2022 15:58:46 +0000 (10:58 -0500)]
Avoid passing null for asprintf strings
It is undefined behavior to pass null to a printf function for a %.*s
substitution, even if the accompanying length is zero. OpenBSD
generates syslog warnings from libc when it sees a null pointer in a
string substitution (reported by Nathanael Rensen).
krb5_sname_to_principal() passes a null pointer in the usual case
where there is no port trailer. Address this case and others where we
use asprintf() with %.*s substitutions and might pass null, either by
avoiding the use of asprintf() or by ensuring that the pointer isn't
null.
Greg Hudson [Tue, 18 Jan 2022 22:06:46 +0000 (17:06 -0500)]
Pass client flag to KDB for client preauth match
In the kdcpreauth match_client() callback, if it is necessary to look
up the given principal in the KDB, pass KRB5_KDB_FLAG_CLIENT to
krb5_db_get_principal(). Samba requires this flag to properly handle
enterprise client principals.
Greg Hudson [Thu, 13 Jan 2022 19:33:14 +0000 (14:33 -0500)]
Implement replaced_reply_key input to issue_pac()
If a kdcpreauth module fully replaces the reply key during an AS
request, pass the reply key as the replaced_reply_key input to
issue_pac(). In Windows environments this is used to provide an NTLM
hash to the LSA when the client cannot be presumed to have a password
to derive it from.
To test this, add a fake PAC_CREDENTIALS_INFO buffer to the PAC in the
test KDB module, and alter adata.c to display the set of PAC buffer
types when a PAC is present.
Greg Hudson [Thu, 13 Jan 2022 17:58:32 +0000 (12:58 -0500)]
Add replace_reply_key kdcpreauth callback
Provide an explicit way for kdcpreauth modules to replace the reply
key, and internally track when the reply key is fully replaced (as
opposed to strengthened by replacing it with a derivative of the
client long-term key). Use this facility in the FAST OTP, PKINIT, and
SPAKE kdcpreauth modules.
Greg Hudson [Mon, 24 Jan 2022 16:20:12 +0000 (11:20 -0500)]
Add k5test.py facilities for PKINIT
Add the global variables pkinit_enabled and pkinit_certs. Add the
realm flag pkinit=True. Add the realm method pkinit(). Use these
facilities in t_pkinit.py, t_certauth.py, and t_authdata.py.
Greg Hudson [Sat, 8 Jan 2022 03:41:30 +0000 (22:41 -0500)]
Replace AD-SIGNEDPATH with minimal PACs
Remove all of the AD-SIGNEDPATH code. Instead, issue a signed minimal
PAC in all tickets and require a valid PAC to be present in all
tickets presented for S4U operations. Remove the get_authdata_info()
and sign_authdata() DAL methods, and add an issue_pac() method to
allow the KDB to add or copy buffers to the PAC. Add a disable_pac
realm flag.
Microsoft revised the S4U2Proxy rules for forwardable tickets. All
S4U2Proxy operations require forwardable evidence tickets, but
S4U2Self should issue a forwardable ticket if the requesting service
has no ok-to-auth-as-delegate bit but also no constrained delegation
privileges for traditional S4U2Proxy. Implement these rules,
extending the check_allowed_to_delegate() DAL method so that the KDC
can ask if a principal has any delegation privileges.
Combine the KRB5_KDB_FLAG_ISSUE_PAC and
KRB5_FLAG_CLIENT_REFERRALS_ONLY flags into KRB5_KDB_FLAG_CLIENT.
Rename the KRB5_KDB_FLAG_CANONICALIZE flag to
KRB5_KDB_FLAG_REFERRAL_OK, and only pass it to get_principal() for
lookup operations that can use a realm referral.
For consistency with Active Directory, honor the no-auth-data-required
server principal flag for S4U2Proxy but not for S4U2Self. Previously
we did the reverse.
Isaac Boukris [Fri, 7 Jan 2022 18:46:24 +0000 (13:46 -0500)]
Add PAC ticket signature APIs
Microsoft added a third PAC signature over the ticket to prevent
servers from setting the forwardable flag on evidence tickets. Add
new APIs to generate and verify ticket signatures, as well as defines
for this and other new PAC buffer types. Deprecate the old signing
functions as they cannot generate ticket signatures. Modify several
error returns to better match the protocol errors generated by Active
Directory.
[ghudson@mit.edu: adjusted contracts for KDC requirements; simplified
and commented code changes; wrote commit message. rharwood@redhat.com
also did some work on this commit.]
Isaac Boukris [Sun, 26 Dec 2021 01:28:41 +0000 (03:28 +0200)]
Don't fail krb5_cc_select() for no default realm
If the target server principal is a host-based service without
multiple dotted components and no default realm is configured,
krb5_cc_select() can fail, and therefore gss_init_sec_context().
Continue without filling in the realm in this case.
[ghudson@mit.edu: edited commit message and comment; slightly adjusted
flow control]
Nikhil Benesch [Wed, 22 Dec 2021 23:58:17 +0000 (18:58 -0500)]
Remove unnecessary flag in macOS build
The configuration logic for adding the `-search_paths_first` linker
flag on Darwin does not correctly handle cross compilation. It should
check the value of $krb5_cv_host rather than `uname -s` to detect when
the compilation target is Darwin, rather than the build machine.
It turns out `-search_paths_first` has been the default behavior of ld
on macOS since XCode 4. So just remove that bit of logic entirely.
(The flag was added in commit acd27af0e845f8b93de2e226cc2ec9ac8af52077
in 2004; XCode 4 was released in 2010.)
Greg Hudson [Sat, 11 Dec 2021 06:25:34 +0000 (01:25 -0500)]
Use 14 instead of 9 for unkeyed SHA-1 checksum
Although MIT krb5 had been using the value 9 for unkeyed SHA-1 since
its 1.0 release in 1996, RFC 3961 instead assigned this value to
rsa-md5-des3 (likely never used), and assigned the values 10 and 14 to
SHA-1. Heimdal and Microsoft use the value 14. Unkeyed SHA-1 almost
never appears on the wire, but has been seen in PKINIT asChecksum
fields in replies from Windows KDCs (despite the field being specified
as a keyed checksum).
Define a new symbol CKSUMTYPE_SHA1 with the value 14, and use it where
we currently use CKSUMTYPE_NIST_SHA. Continue to allow the value 9
for ABI compatibility. Remove the pkinit_clnt.c workaround as the
value 14 will now work without adjustment.
Greg Hudson [Thu, 2 Dec 2021 00:35:32 +0000 (19:35 -0500)]
Fix PAC handling of authtimes after y2038
Remove the unnecessary handling of negative inputs in
k5_time_to_seconds_since_1970() and k5_seconds_since_1970_to_time(),
and cast the krb5_timestamp input to uint32_t to properly handle
values after y2038.
Commit 3b163eed1cf1f55dd4a7bc6d6fffc34f55695b00 mistakenly separated
the call to kdc_process_s4u2self_req() from its error check, causing
the KDC to ignore S4U2Self padata with bad checksums. Restore the
error check so that the KDC replies with an error as intended.
[ghudson@mit.edu: removed old error check later on in the code;
rewrote commit message]
Greg Hudson [Tue, 19 Oct 2021 14:42:34 +0000 (10:42 -0400)]
Use OpenSSL CMAC implementation with OpenSSL 3
Make krb5int_cmac_checksum() a crypto module interface. Move the
existing CMAC implementation from krb to builtin. Add an OpenSSL 3
implementation using EVP_MAC. Only implement Camellia CBC-MAC if
using the builtin CMAC implementation (it uses functions deprecated in
OpenSSL 3). Switch to using krb5int_camellia_encrypt() for
camellia-test.c since krb5int_camellia_cbc_mac() won't always be
available.
[ghudson@mit.edu: made the new SHA-1 and key decryption code work with
all suported OpenSSL versions with just one implementation; added
Diffie-Hellman changes]
In OpenSSL's terminology, id-pkinit-kdf is an instance of SSKDF,
AES-SHA2 and Camellia use KBKDF, and the KDF for DES3 and AES-SHA1 has
been named KRB5KDF. Support for these KDFs was added in OpenSSL 3; we
already supported the existing PBKDF2.
[ghudson@mit.edu: reorganize into builtin and openssl versions of the
file; detect hash and encryption provider identity using pointer
equality like we do in the OpenSSL PBKDF implementation; add helpers
for this translation; simplify and better refactor the PKINIT code;
fix some latent pkinit_kdf_test.c bugs]
Sumit Bose [Mon, 8 Nov 2021 16:48:50 +0000 (17:48 +0100)]
Support larger RADIUS attributes in libkrad
In kr_attrset_decode(), explicitly treat the length byte as unsigned.
Otherwise attributes longer than 125 characters will be rejected with
EBADMSG.
Add a 253-character-long NAS-Identifier attribute to the tests to make
sure that attributes with the maximal number of characters are working
as expected.
[ghudson@mit.edu: used uint8_t cast per current practices; edited
commit message]
Greg Hudson [Tue, 9 Nov 2021 18:00:43 +0000 (13:00 -0500)]
Avoid use after free during libkrad cleanup
libkrad client requests contain a list of references to remotes, with
no back-references or reference counts. To prevent accesses to
dangling references during cleanup, cancel all requests on all remotes
before freeing any remotes.
Remove the code for aging out unused servers. This code was fairly
safe as all requests referencing a remote should have completed or
timed out during an hour of disuse, but in the current design we have
no way to guarantee or check that. The set of addresses we send
RADIUS requests to will generally be small, so aging out servers is
unnecessary.
Greg Hudson [Fri, 5 Nov 2021 23:22:32 +0000 (19:22 -0400)]
Remove pkinit_kdf_constants.c
Commit 9a0575f84e988a23709429f7d4e626db833ab562 renamed this file to
pkinit_constants.c but neglected to remove it. Remove it now, and
also regenerate dependencies.
Greg Hudson [Thu, 28 Oct 2021 04:00:20 +0000 (00:00 -0400)]
Use EVP key agreement in PKINIT
In pkinit_crypto_openssl.c, use EVP_PKEY objects and interfaces to
perform DH operations to the extent possible in OpenSSL 1.0 and 1.1.
Define helper functions for DH operations to make it easier to
conditionalize on OpenSSL version.
Greg Hudson [Mon, 25 Oct 2021 05:51:59 +0000 (01:51 -0400)]
Use OpenSSL SubjectPublicKeyInfo parsing in PKINIT
Shift responsibility for encoding and decoding SubjectPublicKeyInfo
from libkrb5 to the PKINIT ASN.1 module. OpenSSL 1.0 does not support
DHX (RFC 3279 section 3), so for that version use custom ASN.1
marshalling of the parameters and compose that into
SubjectPublicKeyInfo marshalling using X509_PUBKEY.
Greg Hudson [Sat, 23 Oct 2021 20:40:23 +0000 (16:40 -0400)]
Use pre-encoded DH parameter constants in PKINIT
Rename pkinit_kdf_constants.c to pkinit_constants.c and add encodings
of the three well-known Oakley groups. Use them to greatly simplify
pkinit_create_td_dh_parameters() and eliminate make_oakley_dh().
Change the interface for decoding parameters to take a krb5_data
pointer for caller convenience.
Ken Hornstein [Thu, 30 Sep 2021 21:10:06 +0000 (17:10 -0400)]
Support KRB5_CERTAUTH_HWAUTH_PASS in certauth
If a certauth module returns KRB5_CERTAUTH_HWAUTH_PASS, the certauth
accumulator sets the hw-authent flag in the ticket (like it would for
KRB5_CERTAUTH_HWAUTH), but defers authorization to other modules (like
it would for KRB5_PLUGIN_NO_HANDLE).
[ghudson@mit.edu: simplify tests by removing the HWAUTH returns from
the test2 module and allowing it to pass by authenticating as nocert]
Greg Hudson [Fri, 8 Oct 2021 21:45:03 +0000 (17:45 -0400)]
Use builtin MD4, RC4 for OpenSSL 3.0
In OpenSSL 3.0, to use MD4 or RC4 one must load the "legacy" crypto
provider. To do this in libk5crypto, we would need to create and use
an OpenSSL library context to avoid interfering with other users of
the library. Tearing down this context at finalization time would be
further complicated by OpenSSL's use of atexit() for library
finalization, which causes its finalizer to be run earlier than
properly registered finalizers on Linux.
For simplicity, use the builtin implementations of MD4 and RC4 for
OpenSSL 3.0 and later. Also use the builtin DES key parity
implementation since OpenSSL 3.0 deprecates DES_set_odd_parity() with
no replacement.
Greg Hudson [Fri, 8 Oct 2021 21:44:15 +0000 (17:44 -0400)]
Make test PKINIT certs work with OpenSSL 3.0
Add shell functions to reduce repetition in make-certs.sh. Create
PKCS12 files with the -descert flag so that they can be read by
OpenSSL 3.0 without enabling the legacy provider.
Greg Hudson [Thu, 7 Oct 2021 14:45:26 +0000 (10:45 -0400)]
Allow selective overrides in crypto back-ends
In the build system, always descend into all crypto subdirectories and
build all library objects. Conditionalize each object (or
enc_provider/hash_provider entry) on a preprocessor symbol defined in
crypto_int.h.
Remove crypto_mod.h and the libk5crypto initialization and
finalization functions as they are not currently needed. Remove stub
directories in the openssl back-end as it is no longer required to
maintain the same directory structure as builtin.
Make CRYPTO_IMPL_CFLAGS work if it is set manually at configure time
(previously only CRYPTO_IMPL_LIBS worked).
Remove the fortuna and device PRNG modules and PRNG modularity, and
move the prng_os implementation into prng.c. Remove the crypto_mod.h
requirement to implement failure-free AES256 and SHA256. Deprecate
krb5_c_random_add_entropy() and krb5_c_random_os_entropy() and remove
their call sites. Deprecate and ignore the -W (weak random) option to
kadmind and kdb5_util create, and stop using it in the test suite.
Isaac Boukris [Tue, 10 Aug 2021 14:50:35 +0000 (17:50 +0300)]
Fix verification of RODC-issued PAC KDC signature
Per [MS-PAC] 2.8, PAC_SIGNATURE_DATA may contain an RODCIdentifier
following the checksum. In k5_pac_verify_kdc_checksum(), do not
assume that the checksum spans the remainder of the buffer; instead,
look up the checksum length by its type.
[ghudson@mit.edu: edited commit message and comment; reordered code
for clarity]
Select an output credential cache using similar logic to kinit. Do
not require the target cache to be initialized.
Try to use the per-thread cache set by gss_krb5_ccache_name() if no
output cache was specified via a cred store.
When the destination is a collection, honor the default_cred flag by
switching the primary cache to the selected output cache. When the
destination is not a collection, ignore the default_cred flag.
(Previously the default_cred flag was mandatory for gss_store_cred()
even though it is an advisory flag, and ignored for
gss_store_cred_into() even if no ccache was specified in the cred
store.)
Honor the overwrite_cred flag by refusing to replace an initialized
cache if it is not set. Stop using gss_acquire_cred() for this
purpose as it could go out and fetch credentials from a client keytab.
Perform atomic replacement of the target cache when possible, using
krb5_cc_move().
Add a test harness for calling gss_store_cred() or
gss_store_cred_into() and a suite of tests. Fix a broken trace log
message for krb5_cc_move() and update the expected trace logs for an
existing t_credstore.py test.
Pavel Březina [Wed, 8 Sep 2021 13:44:30 +0000 (15:44 +0200)]
Constify name field in four plugin vtables
For consistency with the other plugin vtables, declare the name field
as const char * in the audit, authdata, clpreauth, and kdcpreauth
pluggable interface headers.
Robbie Harwood [Wed, 15 Feb 2017 02:19:45 +0000 (21:19 -0500)]
Find gss_get_mic_iov extensions in GSS modules
Commit d750ef3130b76dd079e863ed395eb3620a37386b added
gss_get_mic_iov(), gss_verify_mic_iov(), and gss_get_mic_iov_length(),
but did not add them to the symbols looked up in external GSS modules
and interposer modules. Add them now.
Robbie Harwood [Wed, 15 Feb 2017 02:18:55 +0000 (21:18 -0500)]
Clarify and correct interposer plugin docs
Most importantly, note for gss_import_name() that the mechanism OID
encoding includes the ASN.1 tag prefix (per RFC 2743 section 3.2), and
add the length prefix for the mechanism token. For
gss_import_sec_context() and gss_import_cred(), note that the
concatenated OID must be used.
[ghudson@mit.edu: reverted part of gss_import_cred() change; reworded
gss_import_name() change; rewrote commit message]
Greg Hudson [Tue, 3 Aug 2021 03:15:12 +0000 (23:15 -0400)]
Add more dump.c bounds checks
Although dump files are privileged inputs, the code to read them
should not admit integer overflows. Add bounds checks for several
fields which are used as allocation lengths or are assigned to
structure fields of smaller size and different signedness. Reported
by Sharwan Ram and Kihong Keo.
Greg Hudson [Tue, 17 Aug 2021 15:26:59 +0000 (11:26 -0400)]
Perform atomic ccache refreshes when possible
Allow ccache types to implement atomic replacement via a new replace
method (replacing the unused "move" vtable slot). Make krb5_cc_move()
use this method when possible, falling back to non-atomic replacement.
Implement atomic replacement for FILE, DIR, MEMORY, and KCM (using a
new opcode, falling back when it is not implemented).
Use krb5_cc_move() in get_in_tkt.c when an output ccache is specified,
in kinit for ticket validation and renewal, and in kvno --out-cache.
Add a test program to exercise concurrent krb5_get_credentials() and
cache refresh.
This commit does not implement atomic replacement for KEYRING or for
gss_store_creds().
Greg Hudson [Wed, 18 Aug 2021 16:07:04 +0000 (12:07 -0400)]
Fix conformance issue in GSSAPI tests
Although some C compilers allow a function returning void to be called
in a return statement from another function returning void, it isn't
conformant and generates an error from (at least) the HP-UX native
compiler. Reported by Michael Osipov.
Greg Hudson [Tue, 3 Aug 2021 05:15:27 +0000 (01:15 -0400)]
Fix KDC null deref on TGS inner body null server
After the KDC decodes a FAST inner body, it does not check for a null
server. Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
would typically result in an error from krb5_unparse_name(), but with
the addition of get_local_tgt() it results in a null dereference. Add
a null check.
Reported by Joseph Sutton of Catalyst.
CVE-2021-37750:
In MIT krb5 releases 1.14 and later, an authenticated attacker can
cause a null dereference in the KDC by sending a FAST TGS request with
no server field.
Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 altered the memory
management of krb5_gss_inquire_cred(), introducing defcred to act as
an owner pointer when the function must acquire a default credential.
The commit neglected to update the code to release the default cred
along the successful path. The old code does not trigger because
cred_handle is now reassigned, so the default credential is leaked.
Unify the success and failure cleanup for this function so that
defcred is properly released on success.
Reorganize ec_verify() and ec_return() to use cleanup labels instead
of if-ladders. Also use unconditional calls to free functions and
change a few variable names.
Joseph Sutton [Tue, 6 Jul 2021 23:47:44 +0000 (11:47 +1200)]
Fix KDC null deref on bad encrypted challenge
The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
to avoid further processing if the armor key is NULL. However, this
check is bypassed by a call to k5memdup0() which overwrites retval
with 0 if the allocation succeeds. If the armor key is NULL, a call
to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
crash. Add a check before the k5memdup0() call to avoid overwriting
retval.
CVE-2021-36222:
In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
cause a null dereference in the KDC by sending a request containing a
PA-ENCRYPTED-CHALLENGE padata element without using FAST.
[ghudson@mit.edu: trimmed patch; added test case; edited commit
message]
Robbie Harwood [Wed, 26 May 2021 22:22:10 +0000 (18:22 -0400)]
Clean up gssapi_krb5 ccache name functions
Modernize kg_get_ccache_name() and kg_get_ccache_name(). Drop
unnecessary use of const in kg_get_ccache_name() so that its return
value can be properly freed. Fixes some static analyzer false
positives.
projects / thirdparty / krb5.git / log
