Greg Hudson [Wed, 1 May 2013 18:40:31 +0000 (14:40 -0400)]
Disable UDP pass of gssrpc tests on all platforms
The AUTH_GSSAPI flavor of rpc authentication uses IP address channel
bindings. These are broken over UDP, because svcudp_recv() fails to
get the destination address of incoming packets (it tries to use the
recvmsg() msg_name field to get the destination IP address, which
instead gets the source address; see ticket #5540).
There is no simple or comprehensive way to fix this; using IP_PKTINFO
is a fair amount of code and only works on some platforms. It's also
not very important--nobody should be using AUTH_GSSAPI except perhaps
for compatibility with really old kadmin, and kadmin only runs over
TCP. Since the gssrpc tests are closely wedded to AUTH_GSSAPI, the
simplest fix is to only run the TCP pass.
Greg Hudson [Wed, 28 May 2014 22:06:59 +0000 (18:06 -0400)]
Make tcl_kadm5.c work with Tcl 8.6
Directly accessing the result field of Tcl_Interp has been deprecated
for a long time, requires a special define in Tcl 8.6, and will be
impossible in Tcl 9. Use Tcl_SetResult instead. The new error
messages are less helpful than the old ones, but this is just support
infrastructure for old tests, so it isn't important.
Tom Yu [Thu, 10 Oct 2013 17:59:27 +0000 (13:59 -0400)]
Fix KDC lock persistence on error conditions
If k5db2_dbopen() returns an error, krb5_db2_lock() can return an
error without unlocking the lock file. This lock will persist until
krb5_db2_lock() executes successfully, preventing kadmind from making
changes to the KDB. One possible trigger is running out of file
descriptors.
Tom Yu [Wed, 3 Jul 2013 22:16:38 +0000 (18:16 -0400)]
Fix lock inconsistency in krb5_db2_unlock()
[ text below refers to new function names in krb5-1.10+ ]
The lock inconsistency fixed here is quite possibly the same as
described in https://bugzilla.redhat.com/show_bug.cgi?id=586032 .
The problem is that ctx_unlock() fails to unlock the principal DB if
it fails to unlock the policy DB, and this happens when ctx_lock()
fails to lock the policy DB (likely because the caller is racing
against a kdb5_util load, which will be using a "permanent" lock,
meaning that the lock file will be unlinked after acquiring the
lock). The fix is to perform both unlock operations *then* handle
any errors that either or both might have returned.
rbasch [Mon, 4 Mar 2013 03:55:41 +0000 (22:55 -0500)]
Reset ulog if database load failed
If an iprop slave tries to load a dump from the master and it fails,
reset the ulog header so we take another full dump, instead of
reporting that the slave is current when it isn't.
Tom Yu [Fri, 29 Mar 2013 23:27:33 +0000 (19:27 -0400)]
KDC TGS-REQ null deref [CVE-2013-1416]
By sending an unusual but valid TGS-REQ, an authenticated remote
attacker can cause the KDC process to crash by dereferencing a null
pointer.
prep_reprocess_req() can cause a null pointer dereference when
processing a service principal name. Code in this function can
inappropriately pass a null pointer to strlcpy(). Unmodified client
software can trivially trigger this vulnerability, but the attacker
must have already authenticated and received a valid Kerberos ticket.
The vulnerable code was introduced by the implementation of new
service principal realm referral functionality in krb5-1.7, but was
corrected as a side effect of the KDC refactoring in krb5-1.11.
Greg Hudson [Fri, 1 Feb 2013 16:52:48 +0000 (11:52 -0500)]
Fix kdb5_util dump.c uninitialized warnings
Some versions of clang report an uninitialized variable warning (which
we treat as an error) in process_k5beta_record. Due to the if-ladder
style of the function, uninitialized tmpint values can be copied
around in certain error cases, although the garbage values would be
ultimately ignored. As a minimal fix, initialize the tmpint
variables.
Greg Hudson [Fri, 11 Jan 2013 15:13:25 +0000 (10:13 -0500)]
Fix no_host_referral concatention in KDC
If no_host_referral is set in both [kdcdefaults] and the realm
subsection, we're supposed to concatenate their values. But the logic
in handle_referral_params would overwrite the value with the
non-concatenated realm value. Similar bugs of this nature were fixed
in 639c9d0f5a7c68dc98a2a452abc05ca32443cddf (r22037) but this one was
missed.
Xi Wang [Thu, 14 Feb 2013 23:17:40 +0000 (18:17 -0500)]
PKINIT null pointer deref [CVE-2013-1415]
Don't dereference a null pointer when cleaning up.
The KDC plugin for PKINIT can dereference a null pointer when a
malformed packet causes processing to terminate early, leading to
a crash of the KDC process. An attacker would need to have a valid
PKINIT certificate or have observed a successful PKINIT authentication,
or an unauthenticated attacker could execute the attack if anonymous
PKINIT is enabled.
Tom Yu [Wed, 22 Feb 2012 19:27:56 +0000 (19:27 +0000)]
Fail during configure if unable to find ar
Fail during configure time if the configure script can't locate the
"ar" program, instead of producing a delayed failure during build time
by running the "false" command. Some Solaris releases have ar in
/usr/ccs/bin, which is not in the default path for some users.
Greg Hudson [Thu, 3 May 2012 21:43:42 +0000 (21:43 +0000)]
Make verify_init_creds work with existing ccache
As the file ccache implementation currently stands, we don't want to
turn off TC_OPENCLOSE on a file cache we're writing to, or it will be
opened read-only and stores to it will fail. Reported by Russ
Allbery.
Use krb5int_copy_data_contents_add0 when copying a pa-pw-salt or
pa-afs3-salt value in pa_salt(). If it's an afs3-salt, we're going to
throw away the length and use strcspn in krb5int_des_string_to_key,
which isn't safe if the value is unterminated.
Tom Yu [Mon, 22 Apr 2013 22:18:12 +0000 (18:18 -0400)]
Don't return a host referral to the service realm
A host referral to the same realm we just looked up the principal in
is useless at best and confusing to the client at worst. Don't
respond with one in the KDC.
Greg Hudson [Wed, 11 Jan 2012 21:20:08 +0000 (21:20 +0000)]
Fix spurious clock skew caused by gak_fct delay
In get_in_tkt.c, a time offset is computed between the KDC's auth_time
and the current system time after the reply is decrypted. Time may
have elapsed between these events because of a gak_fct invocation
which blocks on user input. The resulting spurious time offset can
cause subsequent TGS-REQs to fail and can also cause the end time of
the next AS request to be in the past (issue #889) in cases where the
old ccache is opened to find the default principal.
Use the system time, without offset, for the request time of an AS
request, for more predictable kinit behavior. Use this request time,
rather than the current time, when computing the clock skew after the
reply is decrypted.
Tom Yu [Wed, 1 Aug 2012 02:45:08 +0000 (22:45 -0400)]
Fix KDC heap corruption vuln [CVE-2012-1015]
Fix KDC heap corruption vulnerability [MITKRB5-SA-2012-001
CVE-2012-1015]. The cleanup code in
kdc_handle_protected_negotiation() in kdc_util.c could free an
uninitialized pointer in some error conditions involving "similar"
enctypes and a failure in krb5_c_make_checksum().
Additionally, adjust the handling of "similar" enctypes to avoid
advertising enctypes that could lead to inadvertent triggering of this
vulnerability (possibly in unpatched KDCs).
Note that CVE-2012-1014 (also described in MITKRB5-SA-2012-001) only
applies to the krb5-1.10 branch and doesn't affect the master branch
or releases prior to krb5-1.10.
Greg Hudson [Tue, 22 May 2012 17:45:18 +0000 (13:45 -0400)]
Export gss_mech_krb5_wrong from libgssapi_krb5
Although there are few legitimate reasons to use gss_mech_krb5_wrong,
it's declared in the public header and exported in the Windows DLL.
So export it from the Unix library as well.
Greg Hudson [Mon, 21 May 2012 05:39:14 +0000 (01:39 -0400)]
Export krb5_set_trace_callback/filename
krb5_set_trace_callback and krb5_set_trace_filename were added to
krb5.h in krb5 1.9, but were mistakenly left out of the library export
lists. Add them now. Reported by Russ Allbery.
Richard Basch [Tue, 29 May 2012 18:07:03 +0000 (14:07 -0400)]
Null pointer deref in kadmind [CVE-2012-1013]
The fix for #6626 could cause kadmind to dereference a null pointer if
a create-principal request contains no password but does contain the
KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
name"). Only clients authorized to create principals can trigger the
bug. Fix the bug by testing for a null password in check_1_6_dummy.
Greg Hudson [Thu, 23 Jun 2011 04:13:38 +0000 (04:13 +0000)]
Work around glibc getaddrinfo PTR lookups
In krb5_sname_to_principal(), we always do a forward canonicalization
using getaddrinfo() with AI_CANONNAME set. Then, we do a reverse
canonicalization with getnameinfo() if rdns isn't set to false in
libdefaults.
Current glibc (tested with eglibc 2.11.1) has the arguably buggy
behavior of doing PTR lookups in getaddrinfo() to get the canonical
name, if hints.ai_family is set to something other than AF_UNSPEC.
This behavior defeats the ability to turn off rdns. Work around this
behavior by using AF_UNSPEC in krb5_sname_to_principal() from the
start, instead of starting with AF_INET and falling back. Specify
AI_ADDRCONFIG to avoid AAAA lookups on hosts with no IPv6 addresses.
When canonicalizing a principal, use AI_CANONNAME alone in the hint
flags for getaddrinfo, for two reasons. First, it works around a gnu
libc bug where getaddrinfo does a PTR lookup for the canonical name
(we tried to work around this in r24977 bug the addition of
AI_ADDRCONFIG caused the same problem as the use of AF_INET). Second,
an IPv4-only host should be able create a principal for an IPv6-only
host even if it can't contact the host.
This does result in extra AAAA queries in the common case (IPv4-only
host contacting IPv4-only service), which is unfortunate. But we need
to leave that optimization up to the platform at this point.
A database created prior to 1.3 will have multiple password history
keys, and kadmin prior to 1.8 won't necessarily choose the first one.
So if there are multiple keys, we have to try them all. If none of
the keys can decrypt a password history entry, don't fail the password
change operation; it's not worth it without positive evidence of
password reuse.
Tom Yu [Fri, 27 Apr 2012 22:40:21 +0000 (22:40 +0000)]
Use correct name-type in TGS-REQs for 2008R2 RODCs
Correctly set the name-type for the TGS principals to KRB5_NT_SRV_INST
in TGS-REQs. (Previously, only AS-REQs had the name-type set in this
way.) Windows Server 2008 R2 read-only domain controllers (RODCs)
insist on having the correct name-type for the TGS principal in
TGS-REQs as well as AS-REQs, at least for the TGT-forwarding case.
Thanks to Sebastian Galiano for reporting this bug and helping with
testing.
Appending "--" to the git checkout arguments appears to prevent it
from automatically creating a local branch from the remote. Also
correct the default git URL and clean up a spurious find warning.
(cherry picked from commit 4fc9c72e5d30c94399baf7069a0d0db25e940a68)
r24241 (#6755) introduced a bug where if the KDC sends a LastReq entry
containing an account expiry time, we send a prompter warning for
password expiry even if there was no entry containing a password
expiry time. Typically, this results in the message "Warning: Your
password will expire in less than one hour on Thu Jan 1 12:00:00
1970".
Fix this by explicitly checking for pw_exp == 0 in warn_pw_expiry()
after we've gotten past the conditional for invoking the callback.
ticket: 7096
subject: Fix KDB iteration when callback does write calls
target_version: 1.10.1
tags: pullup
kdb_db2's ctx_iterate makes an convenience alias to dbc->db in order
to call more invoke call the DB's seq method. This alias may become
invalidated if the callback writes to the DB, since ctx_lock() may
re-open the DB in order to acquire a write lock. Fix the bug by
getting rid of the convenience alias.
Most KDB iteration operations in the code base do not write to the DB,
but kdb5_util update_princ_encryption does.
Bug discovered and diagnosed by will.fiveash@oracle.com.
ticket: 7092
subject: kvno ASN.1 encoding interop with Windows RODCs
RFC 4120 defines the EncryptedData kvno field as an integer in the
range of unsigned 32-bit numbers. Windows encodes and decodes the
field as a signed 32-bit integer. Historically we do the same in our
encoder in 1.6 and prior, and in our decoder through 1.10. (Actually,
our decoder through 1.10 decoded the value as a long and then cast the
result to unsigned int, so it would accept positive values >= 2^31 on
64-bit platforms but not on 32-bit platforms.)
kvno values that large (or negative) are only likely to appear in the
context of Windows read-only domain controllers. So do what Windows
does instead of what RFC 4120 says.
If krb5_server_decrypt_ticket_keytab doesn't find a key of the
appropriate enctype in an iterable keytab, it returns 0 (without
decrypting the ticket) due to a misplaced initialization of retval.
This bug causes kinit -k to claim "keytab entry valid" when it
shouldn't. Reported by mark@mproehl.net.
ticket: 7021
subject: Fix failure interval of 0 in LDAP lockout code
target_version: 1.10
tags: pullup
A failure count interval of 0 caused krb5_ldap_lockout_check_policy to
pass the lockout check (but didn't cause a reset of the failure count
in krb5_ldap_lockout_audit). It should be treated as forever, as in
the DB2 back end.
This bug is the previously unknown cause of the assertion failure
fixed in CVE-2011-1528.
ticket: 7016
subject: Handle TGS referrals to the same realm
target_version: 1.9.3
tags: pullup
krb5 1.6 through 1.8 contained a workaround for the Active Directory
behavior of returning a TGS referral to the same realm as the request.
1.9 responds to this behavior by caching the returned TGT, trying
again, and detecting a referral loop. This is a partial regression of
ticket #4955. Detect this case and fall back to a non-referreal
request.
ticket: 7003
subject: Fix month/year units in getdate
target_version: 1.10
tags: pullup
getdate strings like "1 month" or "next year" would fail some of the
time, depending on the value of stack garbage, because DSTcorrect()
doesn't set *error on success and RelativeMonth() doesn't initialize
error. Make DSTcorrect() responsible for setting *error in all cases.
ticket: 7000
subject: Exit on error in kadmind kprop child
target_version: 1.10
tags: pullup
When we fork from kadmind to dump the database and kprop to an iprop
slave, if we encounter an error in the child process we should exit
rather than returning to the main loop.
When using hmac-md5, the intermediate key length is the output of the
hash function (128 bits), not the input key length. Relevant if the
input key is not an RC4 key.
krb5_calculate_checksum() and krb5_verify_checksum(), both deprecated,
construct invalid keyblocks and pass them to the real functions, which
used to work but now doesn't. Try harder to construct valid keyblocks
or pass NULL if there's no key.
Prior to ticket #6746, the RPC library opened the kadmin socket and
took responsibility for closing. When we added IPv6 support, the
calling code became the owner of the socket but wasn't closing it,
resulting in a file descriptor leak.
ticket: 6941
subject: Fix accidental KDC use of replay cache
target_version: 1.9.2
tags: pullup
r24464 (ticket #6804) intended to remove the KDC replay cache by
eliminating all of the USE_RCACHE code, but it had the unintended side
effect of causing krb5_rd_req_decoded to use the default server
rcache. Using this cache is much less efficient because it is opened
and re-read for each request.
Set appropriate flags on the auth context to disable replay cache use
for TGS requests altogether.
Fix gss_set_cred_option cred creation with no name.
When creating a cred in the mechglue with gss_acquire_cred, the
mechanism is allowed to return no name from gss_inquire_cred. But in
the analagous operation in gss_set_cred_option, that would result in
an error from gss_display_name. Make the call to gss_display_name
conditional on the mechanism name being set. Reported by Andrew
Bartlett.
r24147 (ticket #6746) made libgssrpc ignorant of the remote address of
the kadmin socket, even when it's IPv4. This made old-style GSSAPI
authentication fail because it uses the wrong channel bindings. Fix
this problem by making clnttcp_create() get the remote address from
the socket using getpeername() if the caller doesn't provide it and
it's an IPv4 address.
ticket: 6917
subject: Restore fallback non-referral TGS request to same realm
target_version: 1.9.2
tags: pullup
MIT krb5 1.2 and earlier KDCs reject TGS requests if the canonicalize
bit is set. Prior to 1.9, we used to handle this by making a
non-referral fallback request on any error, but the rewrite in 1.9
mistakenly changed the behavior so that fallback requests are only
made if the original request used the referral realm and the fallback
realm is different from the default realm. Restore the old behavior.
The krb5_get_credentials() rewrite for IAKERB accidentally omitted the
final step of restoring the requested realm in the output credentials.
As a result, referral entries are not cached, and the caller sees the
actual realm in (*out_creds)->server instead of the referral realm as
before. Fix this in complete() by swapping ctx->req_server into
ctx->reply_creds->server.
krb5_dbe_update_tl_data() accepts a single read-only tl-data entry,
but ulog_conv_2dbentry() expects it to process a full list. Fix
ulog_conv_2dbentry() to call krb5_db2_update_tl_data() on each entry
individually, simplifying its memory management in the process.
ticket: 6912
subject: Use hmac-md5 checksum for PA-FOR-USER padata
target_version: 1.9.2
tags: pullup
The MS-S4U documentation specifies that hmac-md5 be used for
PA-FOR-USER checksums; we were using the mandatory checksum type for
the key. Although some other checksum types appear to be allowed by
Active Directory KDCs, Richard Silverman reports that md5-des is not
one of them, causing S4U2Self requests to fail for DES keys.
Since r21690, gss_krb5_export_lucid_sec_context() has been passing a
union context to krb5_gss_delete_sec_context(), causing a crash as the
krb5 routine attempts to interpret a union context structure as a krb5
GSS context. Call the mechglue gss_delete_sec_context instead.
In r21175 (on the mskrb branch, merged in r21690) the result codes for
password quality and other errors were accidentally reversed. Fix
them so that password quality errors generate a "soft" failure and
other errors generate a "hard" failure, as Heimdal and Microsoft do.
Also recognize KADM5_PASS_Q_GENERIC (added in 1.9) as a password
quality error.
Remove the weak key checks from the builtin rc4 enc provider. There
is no standards support for avoiding RC4 weak keys, so rejecting them
causes periodic failures. Heimdal and Microsoft do not check for weak
keys. Attacks based on these weak keys are probably thwarted by the
use of a confounder, and even if not, the reduction in work factor is
not terribly significant for 128-bit keys.
ticket: 6885
subject: KDC memory leak of reply padata for FAST replies
target_version: 1.9.1
tags: pullup
kdc_fast_response_handle_padata() replaces rep->padata, causing the
old value to be leaked. As a minimal fix, free the old value of
rep->padata before replacing it.
ticket: 6884
subject: KDC memory leak in FAST error path
target_version: 1.9.1
tags: pullup
When kdc_fast_handle_error() produces a FAST-encoded error, it puts it
into err->e_data and it never gets freed (since in the non-FAST case,
err->e_data contains aliased pointers). Fix this by storing the
encoded error in an output variable which is placed into the error's
e_data by the caller and then freed.
Fix the sole case in process_chpw_request() where a return could occur
without allocating the data pointer in the response. This prevents a
later free() of an invalid pointer in kill_tcp_or_rpc_connection().
Also initialize rep->data to NULL in process_chpw_request() and clean
up *response in dispatch() as an additional precaution.
Make sure ulog_map() is invoked whenever we open the database in
kdb5_util. Fixes all of the master key rollover commands in the
presence of iprop. Reported by kacarstensen@csupomona.edu.
ticket: 6870
subject: Don't reject AP-REQs based on PACs
target_version: 1.9.1
tags: pullup
Experience has shown that it was a mistake to fail AP-REQ verification
based on failure to verify the signature of PAC authdata contained in
the ticket. We've had two rounds of interoperability issues with the
hmac-md5 checksum code, an interoperability issue OSX generating
unsigned PACs, and another problem where PACs are copied by older KDCs
from a cross-realm TGT into the service ticket. If a PAC signature
cannot be verified, just don't mark it as verified and continue on
with the AP exchange.
Fix a conceptual bug in r24639: the intermediate key container length
should be the hash's output size, not its block size. (The bug did
not show up in testing because it is harmless in practice; MD5 has a
larger block size than output size.)
ticket: 6869
subject: hmac-md5 checksum doesn't work with DES keys
target_version: 1.9
tags: pullup
krb5int_hmacmd5_checksum calculates an intermediate key using an HMAC.
The container for this key should be allocated using the HMAC output
size (which is the hash blocksize), not the original key size. This
bug was causing the function to fail with DES keys, which can be used
with hmac-md5 in PAC signatures.
File descriptors created for trace logging were never being closed.
With short-lived contexts this leak would eventually overflow the
process's file table. Correct this oversight by closing the file
descriptor in file_trace_cb before freeing its container.
ticket: 6852
subject: Make gss_krb5_set_allowable_enctypes work for the acceptor
target_version: 1.9.1
tags: pullup
With the addition of enctype negotiation in 1.7, a gss-krb5 acceptor
can choose an enctype for the acceptor subkey other than the one in
the keytab. If the resulting security context will be exported and
re-imported by another gss-krb5 implementation (such as one in the
kernel), the acceptor needs a way to restrict the set of negotiated
enctypes to those supported by the other implementation. We had that
functionality for the initiator already in the form of
gss_krb5_set_allowable_enctypes; this change makes it work for the
acceptor as well.
projects / thirdparty / krb5.git / log
