Nicolas Williams [Thu, 13 May 2021 05:43:26 +0000 (00:43 -0500)]
Support site-local KDC discovery via DNS
Add the sitename realm variable. If set, service location via DNS
will be attempted using the site name as specified in [MS-ADTS]
6.3.2.3, falling back to regular discovery on failure.
[ghudson@mit.edu: made this strictly a realm variable; moved
k5_get_sitename() to locate_kdc.c and made it take a krb5_data input;
fixed a memory leak; corrected documentation changes; fleshed out
commit message]
The Microsoft KERB_AP_OPTIONS_CBT extension (defined in [MS-KILE]
3.2.5.8) allows the client to request strict enforcement of GSS
channel bindings. Client support for this extension was added in
commit 225e6ef7f021cd1a8ef2a054af0ca58b7288fd81 (ticket 8900) but it
requires a configuration variable to be set. The choice to include
the extension should be made by the client application code, as it is
a promise to include channel bindings when operating within TLS.
In libkrb5, add an option AP_OPTS_CBT_FLAG to make
krb5_mk_req[_extended]() include KERB_AP_OPTIONS_CBT. In the GSS
initiator code, set this flag when the GSS_C_CHANNEL_BOUND flag is
included in the request options. GSS_C_CHANNEL_BOUND was introduced
in commit 429a31146083fac21958631c2af572b08ec91022 (ticket 8899) as an
acceptor output flag.
The profile library has two deconstructors, profile_release() and
profile_abandon(). profile_release() flushes in-memory changes to
backing files, while profile_abandon() does not. If a krb5_context
profile contains in-memory changes, they were copied from a profile
supplied to krb5_init_context_profile(), and the caller can decide
whether to flush them.
As profile_copy() is now a public function, remove the include of
prof_int.h and the associated LOCALINCLUDES setting in Makefile.in.
Replace the current implementation of profile_copy() with one that
copies the in-memory tree structure of non-shared data objects. Make
profile_copy() a public function.
The profile library normally attempts to reload a profile data tree if
the backing file has changed. Reloading a dirty profile object
discards any modifications made by the caller. If we assume that the
modifications are destined to be flushed back out to the backing file,
then there is no good answer--one or the other set of changes will be
lost. But the caller may have a different intended use for the
modified tree (profile_flush_to_file(), profile_flush_to_buffer(),
krb5_init_context_profile()), for which the caller's modifications may
be critical. Avoid discarding in-memory edits to ensure the
correctness of these use cases.
When parsing a file, ignore sections appearing after a final-flagged
section of the same name. Adjust the meaning of group_level in the
parser state so that it is 1 inside of top-level sections instead of
0, and simplify the addition of top-level sections to the tree by
relying on profile_add_node()'s section merging.
Make the final flag work for relations as well as sections. Check it
while parsing via a new check_final parameter in profile_add_node(),
and during iteration.
Output final flags for relations in dump_profile(). Make the final
flag available to it via a new output parameter in
profile_find_node_relation().
Greg Hudson [Sun, 31 Mar 2024 16:30:18 +0000 (12:30 -0400)]
Allow modifications of empty profiles
Add the notion of a memory-only prf_data_t object, indicated by an
empty filespec field and appropriate flags (do not reload, always
dirty, not part of shared trees). Do nothing when flushing a
memory-only data object to its backing file. When setting up an empty
profile for read/write access, create a memory-only data object
instead of crashing.
Move prf_data_t mutex initialization into profile_make_prf_data(),
simplifying its callers.
Commit bdcd6075bd4593c8f67722ce075c9519faec58b7 uses
EVP_PKEY_get_base_id(), which was added in OpenSSL 3.0. Add a
compatibility macro to use the old name for OpenSSL 1.0 and 1.1.
Commit 0f870b1bcad960fd5319a3f97aafd7f4a289e2fb added ECDH support,
but did not change the OpenSSL 1.0 versions of encode_spki(),
decode_spki(), or generate_dh_pkey() to work with elliptic curve
public keys. In each function, check the key type and skip the
DH-specific handling for key types other than DH.
Greg Hudson [Wed, 20 Mar 2024 21:17:50 +0000 (17:17 -0400)]
Improve error message for DES kadmin/history key
If the kadmin/history entry contains an unsupported encryption type,
produce a better error message than "Bad encryption type". Reuse the
error code KADM5_BAD_HIST_KEY (unused since release 1.8). Non-updated
kadmin clients will report the message "Password history principal key
version mismatch", which at least points in the direction of password
history.
Greg Hudson [Tue, 12 Mar 2024 16:45:24 +0000 (12:45 -0400)]
Fix type mismatches detected by LTO
Building with link-time optimization reveals some type mismatches in
the interface between libkrb5 serialization and the profile library,
as well as in consumers of the SS library. Fix them. Reported by Eli
Schwartz.
Greg Hudson [Wed, 6 Mar 2024 00:53:07 +0000 (19:53 -0500)]
Fix two unlikely memory leaks
In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which
could probably never be triggered) leaks plain.data. Fix this leak
and use current practices for cleanup throughout the function.
In xmt_rmtcallres() (unused within the tree and likely elsewhere),
store port_ptr into crp->port_ptr as soon as it is allocated;
otherwise it could leak if the subsequent xdr_u_int32() operation
fails.
Greg Hudson [Tue, 5 Mar 2024 22:38:49 +0000 (17:38 -0500)]
Fix leak in KDC NDR encoding
If the KDC tries to encode a principal containing encode invalid UTF-8
sequences for inclusion in a PAC delegation info buffer, it will leak
a small amount of memory in enc_wchar_pointer() before failing. Fix
the leak.
Greg Hudson [Wed, 21 Feb 2024 20:29:02 +0000 (15:29 -0500)]
Support PKCS11 EC client certs in PKINIT
Move the digest computation and DigestInfo encoding from
cms_signeddata_create() to pkinit_sign_data_pkcs11(), and
conditionalize the DigestInfo encoding on the key type. Use CKM_ECDSA
instead of CKM_RSA_PKCS for EC keys, and convert the resulting
signature from the PKS11 encoding to the ASN.1 encoding required by
CMS.
Regenerate the test certificates with an additional EC client cert.
Add test cases for EC client certs with and without PKCS11.
Greg Hudson [Fri, 9 Feb 2024 22:57:40 +0000 (17:57 -0500)]
Correct PKINIT EC cert signature metadata
When generating CMS SignedData in PKINIT, check the certificate's
public key type and set the signatureAlgorithm field appropriately.
(This field is currently ignored by OpenSSL when verifying CMS
SignedData.)
Greg Hudson [Fri, 9 Feb 2024 22:32:40 +0000 (17:32 -0500)]
Simplify PKINIT cert representation
In the _pkinit_identity_crypto_context structure, the my_certs field
is a stack which only ever contains one cert and is only ever used to
retrieve that one cert. The cert_index field is always 0. Replace
these fields with a my_cert field pointing directly to the X509
certificate.
Simplify crypto_cert_select_default() by making it call
crypto_cert_select() with index 0 after verifying the certificate
count.
Greg Hudson [Tue, 27 Feb 2024 00:03:38 +0000 (19:03 -0500)]
Use SoftHSMv2 for PKCS11 PKINIT tests
Instead of softpkcs11, use SoftHSMv2 to mock the PKCS11 token for
PKINIT tests. Use pkcs11-tool from OpenSC to initialize the token and
import a certificate and key. SoftHSM does not support PIN-less
tokens (see https://github.com/opendnssec/SoftHSMv2/issues/480) so
remove that test for now.
Steffen Kieß [Tue, 13 Feb 2024 17:39:27 +0000 (18:39 +0100)]
Avoid strict-prototype compiler errors
Commit 4b9d7f7c107f01a61600fddcd8cde3812d0366a2 added the
-Werror=strict-prototypes parameter to the build process, but left
behind 28 function definitions using "()" instead of "(void)". Most
of these definitions could not cause compiler errors for various
reasons (such as an accompanying prototype), but a few could cause
errors in gcc depending on the build configuration.
For consistency and safety, add "(void)" to all 28 definitions.
Greg Hudson [Wed, 24 Jan 2024 22:33:18 +0000 (17:33 -0500)]
Fix NOTICE generation and regenerate it
In conf.py, exclude the formats directory (added in commit 68ac7ac1f1a1d2939a2c99fa49cecd734614d16d) when building notice.txt, to
prevent a "document isn't included in any toctree" warning.
Julien Rische [Mon, 8 Jan 2024 15:52:27 +0000 (16:52 +0100)]
Remove klist's defname global variable
Addition of a "cleanup" section in kinit's show_ccache() function as
part of commit 6c5471176f5266564fbc8a7e02f03b4b042202f8 introduced a
double-free bug, because defname is a global variable. After the
first call, successive calls may take place with a dangling pointer in
defname, which will be freed if krb5_cc_get_principal() fails.
Convert "defname" to a local variable initialized at the beginning of
show_ccache().
Greg Hudson [Sat, 2 Dec 2023 00:40:02 +0000 (19:40 -0500)]
Refactor PKINIT KDF internal interfaces
Simplify the client and server PKINIT code by renaming
pkinit_alg_agility_kdf() to pkinit_kdf() and making it do RFC 4556
octet2string if alg_oid is null. Move responsibility for tracing
inside the new interface. Constify some parameters and remove some
unnecessary casts. Rename "key" to "secret" in several internal
functions to avoid confusion between the input DH secret and the
output key.
Greg Hudson [Sat, 25 Nov 2023 16:04:56 +0000 (11:04 -0500)]
In PKINIT, check for null PKCS7 enveloped fields
The PKCS7 ContentInfo content field and EncryptedContentInfo
encryptedContent field are optional. Check for null values in
cms_envelopeddata_verify() before calling pkcs7_decrypt(). Reported
by Bahaa Naamneh.
unknown [Tue, 24 Oct 2023 01:29:14 +0000 (18:29 -0700)]
Make def-check.pl work with Windows git-bash perl
The version of Perl included in git-bash does not translate line
endings or filter out the end-of-file marker when reading from files
in text mode. Adjust def-check.pl to work in this environment.
Greg Hudson [Fri, 27 Oct 2023 04:44:53 +0000 (00:44 -0400)]
End connection on KDC_ERR_SVC_UNAVAILABLE
In sendto_kdc.c:service_fds(), if a message handler indicates that a
message should be discarded, kill the connection so we don't continue
waiting on it for more data.
ksu attempts to exit with the same status as its child process, but
does not do so correctly. Use WEXITSTATUS() to extract the exit code.
Reported by Todd Lubin.
Greg Hudson [Tue, 29 Aug 2023 20:40:58 +0000 (16:40 -0400)]
Add ksu test script
Add a test script for ksu, which must be run under sudo and makes
potentially disruptive temporary changes to the host environment. Do
not run it as part of "make check", but do run it as part of the
Github Actions CI.
Doxygen 1.9.7 avoids duplicating member definitions in the XML
documents for groups and header files (doxygen/doxygen#9797). This
change breaks the current Doxygen-REST bridge, which expects to find
memberdef elements in krb5_8hin.xml. To work around this problem,
remove the @group and @ref declarations in krb5.hin; they were not
translated into REST as it was.
Ilya Gladyshev [Wed, 30 Aug 2023 20:19:59 +0000 (21:19 +0100)]
Fix krb5_cccol_have_content() bad pointer free
krb5_cccol_have_content() calls krb5_cc_get_principal() within a loop,
and frees the resulting principal on success or failure. Set princ to
null before each call to ensure we don't free a dangling pointer.
[ghudson@mit.edu: rewrote commit message; moved assignment for greater
clarity]
Fold pkinit_crypto_openssl.h into the one source file where it was
used. Also clean up the include of <arpa/inet.h>, as htonl() is no
longer used after commit 1c87ce6c44a9de0824580a2d72a8a202237e01f4.
Michael Osipov [Tue, 22 Aug 2023 08:05:24 +0000 (10:05 +0200)]
Eliminate sim_client include of getopt.h
Commit 9139a60c94c24e41109574e84e7cda9c2dc3fb38 added an unconditional
include of getopt.h, which is non-portable (it isn't present on HP-UX)
and unecessary for getopt(). The same commit also disabled the
include of unistd.h (which is necessary for getopt()), as sim_client
no longer indirectly includes autoconf. Make the unistd.h include
unconditional and remove the getopt.h include.
When issuing a ticket for a TGS renew or validate request, copy only
the server field from the outer part of the header ticket to the new
ticket. Copying the whole structure causes the enc_part pointer to be
aliased to the header ticket until krb5_encrypt_tkt_part() is called,
resulting in a double-free if handle_authdata() fails.
[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
than check for aliasing before freeing; rewrote commit message]
CVE-2023-39975:
In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
free the same pointer twice if it can induce a failure in
authorization data handling.
Julien Rische [Wed, 21 Jun 2023 16:27:11 +0000 (18:27 +0200)]
Add ecdsa-with-sha512/256 to supportedCMSTypes
Elliptic curve certificates are already supported for PKINIT
pre-authentication, but their associated signature types aren't
advertized. Add ecdsa-with-sha512 and ecdsa-with-sha256 OIDs to the
supportedCMSTypes list sent by the client.
Ken Hornstein [Sat, 10 Jun 2023 03:53:53 +0000 (23:53 -0400)]
Eliminate old-style function declarations
The C2x standard removes support for non-prototype function
declarations, and clang 15 issues warnings for them
(https://reviews.llvm.org/D122895). Add -Werror=strict-prototypes to
the build and fix all of the non-prototype declarations and
definitions.
For RPC code, try to be consistent with libtirpc and recent *BSD
versions of rpcgen. This includes casting each time a concrete
function is used as an xdrproc_t value, since each XDR per-type
function accepts a different object pointer type. A few invocations
of xdrproc_t values pass a third argument with value LASTUNSIGNED,
even though XDR per-type functions accept only two parameters.
libtirpc has removed these third arguments; do so here as well.
[ghudson@mit.edu: added -Werror=strict-prototypes and fixed
declarations it breaks under gcc and clang; added xdrproc_t changes;
rewrote commit message; style changes]
Greg Hudson [Fri, 12 May 2023 19:38:46 +0000 (15:38 -0400)]
PKINIT ECDH support
Add support for elliptic curve key exchange to PKINIT (RFC 5349
section 4). Extend pkinit_dh_min_bits to allow the string values
"P-256", "P-384", and "P-521", using rough finite-field strength
equivalents to rank them relative to the Oakley Diffie-Hellman groups.
When processing TD-DH-PARAMETERS on the client, only accept the three
Oakley groups or the three supported elliptic curve groups.
Previously we accepted any Diffie-Hellman parameters that passed
EVP_PKEY_param_check()/DH_check() and had equal or better bit strength
to the original proposal.
Add an internal variant of krb5_sendto_kdc() which records the
answering KDC in a list. Callers can check the list for replica KDC
use after the success or failure of the KDC exchange is determined,
avoiding DNS queries for the primary KDCs in many common cases and
using fewer DNS queries in other cases.
Perform the fallback in k5_get_init_creds() rather than
krb5_get_init_creds_password(). For now we must additionally perform
the fallback in krb5_get_init_creds_keytab() as it does not use
k5_get_init_creds().
Preserve the current signature of krb5_sendto_kdc() (it is used within
the tree outside of libkrb5, and might be used by other software
despite being non-public), but remove the behavior of setting
*use_primary.
Greg Hudson [Wed, 21 Jun 2023 14:57:39 +0000 (10:57 -0400)]
Ensure array count consistency in kadm5 RPC
In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
key_data array count when decoding. Otherwise when the structure is
later freed, xdr_array() could iterate over the wrong number of
elements, either leaking some memory or freeing uninitialized
pointers. Reported by Robert Morris.
CVE-2023-36054:
An authenticated attacker can cause a kadmind process to crash by
freeing uninitialized pointers. Remote code execution is unlikely.
An attacker with control of a kadmin server can cause a kadmin client
to crash by freeing uninitialized pointers.
Greg Hudson [Tue, 30 May 2023 05:21:48 +0000 (01:21 -0400)]
Enable PKINIT if at least one group is available
OpenSSL may no longer allow decoding of non-well-known Diffie-Hellman
group parameters as EVP_PKEY objects in FIPS mode. However, OpenSSL
does not know about MODP group 2 (1024-bit), which is considered as a
custom group. As a consequence, the PKINIT kdcpreauth module fails to
load in FIPS mode.
Allow initialization of PKINIT plugin if at least one of the MODP
well-known group parameters successfully decodes.
[ghudson@mit.edu: minor commit message and code edits]
Gerald Combs [Sun, 14 May 2023 16:46:13 +0000 (09:46 -0700)]
Get arm64-windows builds working
Update various checks to include "ARM64" and "_M_ARM64".
Remove a /BASE flag which fixes an "ARM64 image cannot have base
address below 4GB" error and which arguably shouldn't be used in
modern times since it prevents using dynamic base addresses.
The Oracle database wire protocol contains a cipher reinitialization
operation using the ticket session key. Add a query operation
(similar to GSS_C_INQ_SSPI_SESSION_KEY) to retrieve the ticket session
key rather than the subkey.
The ubuntu-18.04 image no longer works on Github Actions. Run most
jobs on ubuntu-latest instead.
libresolv-wrapper does not work on ubuntu-22.04 at this time
(Launchpad bug #2015570), so don't install it for now. The URI
discovery tests will be skipped until this is rectified.
For the doc build, move doc-newest-sphix to ubuntu-latest; the Ubuntu
version doesn't matter much for this build as it downloads sphinx from
pypi.org. Move the doc-older-sphinx to ubuntu-22.04 (currently the
same as ubuntu-latest), skipping ubuntu-20.04 as its version of
doxygen (1.18.17) doesn't correctly the type declaration for
krb5_const_principal.
In __delpair(), the assignment to next_key is not used unless DEBUG is
defined, and the debugging assert can never fail--next_realkey() will
always return n + 1 as we just checked KEY_OFF(pagep, n + 1). Remove
the variable, the assert, and the otherwise unused next_realkey()
function. This change eliminates a warning issued by clang 14.
binutils 2.37 makes --with-symbol-versions the default for nm. In
export-check.pl, remove the default symbol versions in the nm output
if they are present.
Greg Hudson [Tue, 21 Mar 2023 04:51:17 +0000 (00:51 -0400)]
Add pac_privsvr_enctype string attribute
The KDC uses the first local TGT key for the privsvr and full PAC
checksums. If this key is of an aes-sha2 enctype in a cross-realm
TGT, a Microsoft KDC in the target realm may reject the ticket because
it has an unexpectedly large privsvr checksum buffer. This behavior
is unnecessarily picky as the target realm KDC cannot and does not
need to very the privsvr checksum, but [MS-PAC] 2.8.2 does limit the
checksum key to three specific enctypes.
As a workaround, add a string attribute which can force the privsvr
key to use a specified enctype using key derivation when issuing
tickets to that principal. This attribute can be set on cross-realm
TGT entries when the target realm uses Active Directory and the local
TGT uses an aes-sha2 primary key.
Greg Hudson [Wed, 15 Mar 2023 20:23:09 +0000 (16:23 -0400)]
Eliminate TWRITE macros in GSS library
Use dynamic k5buf structures to replace the two uses of the TWRITE_
macros, and replace the uses of TREAD_ macros with the equivalent
pointer assignments.
Greg Hudson [Mon, 13 Mar 2023 21:42:50 +0000 (17:42 -0400)]
Make k5buf more flexible for binary data
Remove the invariant that buf.data is always zero-terminated, to allow
marshalling of binary data into precisely allocated fixed regions.
Add k5_buf_cstring() to zero-terminate the buffer and retrieve the
data pointer. Adjust all callers that build C strings appropriately.
Add a k5_buf_add_byte() convenience wrapper alongside the integer
marshalling wrappers. Change k5_buf_init_fixed() to accept a void
pointer so it can more conveniently be used with uint8_t arrays.
Greg Hudson [Fri, 25 Nov 2022 15:11:29 +0000 (10:11 -0500)]
Modernize PAC code
Put the version and buffers directly in krb5_pac_data to avoid using a
variable-length array. Use k5input for krb5_pac_parse(). Adjust some
names and comments.
Greg Hudson [Fri, 24 Feb 2023 19:15:14 +0000 (14:15 -0500)]
Avoid using internal APIs in sim_client
In sim_client.c, remove the calls to krb5_gen_portaddr() and
krb5_gen_replay_name() as they don't do anything after commit dcb853ac32779b173f39e19c0f24b0087de85771. Remove them, and include
krb5.h plus appropriate system headers rather than k5-int.h.
Also use a subkey when negotiating the auth context. Kerberos
application protocols should generally use subkeys to prevent
cross-connection replay attacks.
Julien Rische [Tue, 21 Feb 2023 09:03:35 +0000 (10:03 +0100)]
Fix meridian type in getdate.y
Commit d3356bc42191c1896ab06835a2fb245e00471420 (ticket 8927)
incorrectly tagged tMERIDIAN as <Number>. So while the lexer assigns
meridian values to the Meridian union field, the parser erroneously
reads them from the Number field. On 64-bit IBM zSystems (s390x),
this can result in using the most recently read number as a meridian
value, leading to an abort in ToSeconds().
Greg Hudson [Wed, 8 Feb 2023 17:23:28 +0000 (12:23 -0500)]
Fix read overruns in SPNEGO parsing
Fix three read overruns discovered by the GitHub Security Lab team
(GHSL-2023-016, GHSL-2023-017, and GHSL-2023-018) using OSS-Fuzz.
In get_mech_set(), error out if gss_add_oid_set_member() fails rather
than continue the loop and increment i past the current bound of
returned_mechSet. In g_verify_neg_token_init(), check for zero-byte
sequences before reading tag bytes, and reduce cur_size by one to
account for the tag byte when calling gssint_get_der_length().
Greg Hudson [Sat, 28 Jan 2023 01:13:12 +0000 (20:13 -0500)]
Add margin to expired tickets in test suite
Very occasionally a test using expired tickets will fail because the
ticket isn't seen as expired. Obtain tickets with a longer expiration
margin to avoid these failures.
Greg Hudson [Thu, 22 Dec 2022 08:05:23 +0000 (03:05 -0500)]
Add PAC full checksums
A paper by Tom Tervoort noted that computing the PAC privsvr checksum
over only the server checksum is vulnerable to collision attacks
(CVE-2022-37967). In response, Microsoft has added a second KDC
checksum over the full contents of the PAC. Generate and verify full
KDC checksums in PACs for service tickets. Update the t_pac.c ticket
test case to use a ticket issued by a recent version of Active
Directory (provided by Stefan Metzmacher).
Greg Hudson [Fri, 16 Dec 2022 23:31:07 +0000 (18:31 -0500)]
Don't issue session keys with deprecated enctypes
A paper by Tom Tervoort noted that rc4-hmac pre-hashes the input for
its checksum and GSS operations before applying HMAC, and is therefore
potentially vulnerable to hash collision attacks if a protocol
contains a restricted signing oracle.
In light of these potential attacks, begin the functional deprecation
of DES3 and RC4 by disallowing their use as session key enctypes by
default. Add the variables allow_des3 and allow_rc4 in case
negotiability of these enctypes for session keys needs to be turned
back on, with the expectation that in future releases the enctypes
will be more comprehensively deprecated.
Greg Hudson [Wed, 14 Dec 2022 18:20:46 +0000 (13:20 -0500)]
In KDC, assume all services support aes256-sha1
To facilitate negotiating session keys with acceptable security,
assume that services support aes256-cts-hmac-sha1 unless a
session_enctypes string attribute says otherwise.
Greg Hudson [Tue, 13 Dec 2022 18:15:28 +0000 (13:15 -0500)]
Fix PKINIT CMS error checking for older OpenSSL
Commit 70f61d417261ca17efe3d60d180033bea2da60b0 updated the
CMS_verify() error code checks, using two error codes new to OpenSSL
3.0 (RSA_R_DIGEST_NOT_ALLOWED and CMS_R_UNKNOWN_DIGEST_ALGORITHM).
This change broke the build for OpenSSL 1.0 and 1.1.
Instead of looking for codes indicating an algorithm issue and
assuming that everything else is an invalid signature, check for the
code indicating an invalid signature and assume that everything else
is an algorithm issue.
Greg Hudson [Mon, 12 Dec 2022 19:36:47 +0000 (14:36 -0500)]
Fix policy DB fallback error handling
In osa_adb_open_and_lock(), if the btree dbopen() call returns EINVAL
or EFTYPE and the fallback hash dbopen() call also returns an error,
release the lock and return an error instead of returning success with
a null database.
ChenChen Zhou [Sun, 27 Nov 2022 14:57:14 +0000 (22:57 +0800)]
Fix gic_keytab crash on memory exhaustion
get_as_key_keytab() does not check the result of krb5_copy_keyblock(),
and dereferences a null pointer if it fails. Remove the call and
steal the memory from kt_ent instead.
ChenChen Zhou [Thu, 24 Nov 2022 13:59:21 +0000 (21:59 +0800)]
Fix profile crash on memory exhaustion
In profile_get_values(), if init_list() fails to allocate values.list,
end_list() will dereference a null pointer. Fix end_list() to handle
list->list being null.
Julien Rische [Thu, 17 Nov 2022 14:01:24 +0000 (15:01 +0100)]
Fix aclocal.m4 syntax error for autoconf 2.72
An incorrect closure inside KRB5_AC_INET6 is innocuous with autoconf
versions up to 2.71, but will cause an error at configure time with
the forthcoming autoconf 2.72.
[ghudson@mit.edu: added more context to commit message]
Greg Hudson [Tue, 18 Oct 2022 20:17:55 +0000 (16:17 -0400)]
Use memmove() in Unicode functions
Where the upstream OpenLDAP code uses AC_MEMCPY(), use memmove()
instead of memcpy() as the copies frequently involve overlapping
memory regions. Credit to OSS-Fuzz for discovering one instance of
the issue.
Greg Hudson [Tue, 18 Oct 2022 00:25:11 +0000 (20:25 -0400)]
Fix integer overflows in PAC parsing
In krb5_parse_pac(), check for buffer counts large enough to threaten
integer overflow in the header length and memory length calculations.
Avoid potential integer overflows when checking the length of each
buffer. Credit to OSS-Fuzz for discovering one of the issues.
CVE-2022-42898:
In MIT krb5 releases 1.8 and later, an authenticated attacker may be
able to cause a KDC or kadmind process to crash by reading beyond the
bounds of allocated memory, creating a denial of service. A
privileged attacker may similarly be able to cause a Kerberos or GSS
application service to crash. On 32-bit platforms, an attacker can
also cause insufficient memory to be allocated for the result,
potentially leading to remote code execution in a KDC, kadmind, or GSS
or Kerberos application server process. An attacker with the
privileges of a cross-realm KDC may be able to extract secrets from a
KDC process's memory by having them copied into the PAC of a new
ticket.
Greg Hudson [Wed, 12 Oct 2022 04:46:52 +0000 (00:46 -0400)]
Fix null deref in KDC when decoding invalid NDR
In ndr_dec_delegation_info(), keep di->transited_services_length valid
by incrementing it as we add entries. Otherwise
ndr_free_delegation_info() could dereference a null
di->transited_services field. Also bound nservices using data->length
to prevent inordinately large memory allocations. Credit to OSS-Fuzz
for discovering the issues.
Greg Hudson [Wed, 12 Oct 2022 04:27:17 +0000 (00:27 -0400)]
Avoid small read overrun in UTF8 normalization
In krb5int_utf8_normalize(), check the length of the current character
against the buffer length before reading more than one byte. Credit
to OSS-Fuzz for discovering the overrun.
projects / thirdparty / krb5.git / log
