Greg Hudson [Fri, 4 Mar 2016 18:25:28 +0000 (13:25 -0500)]
Allow zero cksumtype in krb5_k_verify_checksum()
A checksum type of 0 means to use the mandatory checksum type in
krb5_k_make_checksum(), krb5_k_make_checksum_iov(), and
krb5_k_verify_checksum_iov(). Extend this meaning to
krb5_k_verify_checksum() for the checksum type in the krb5_checksum
argument. This change also applies to krb5_c_verify_checksum().
Add code to t_cksums.c to test checksum verification, including with
checksum type 0 for applicable test cases.
Greg Hudson [Fri, 4 Mar 2016 18:57:19 +0000 (13:57 -0500)]
Fix assert hygiene in crypto tests
assert() should not be used with expressions with side-effects, as it
can be compiled out with the NDEBUG flag. Fix all uses of
side-effecting asserts in lib/crypto test programs.
Tom Yu [Thu, 25 Feb 2016 23:01:36 +0000 (18:01 -0500)]
Fix Makefiles for VS2010 KfW build
The new Makefile conditionals in commit 4552159e97007a45370dd49fa6b9fb963bb7d160 don't behave properly if
VISUALSTUDIOVERSION isn't set, probably due to the way nmake orders
macro expansion and boolean short circuiting. Use nested conditionals
instead.
Simo Sorce [Thu, 25 Feb 2016 21:31:09 +0000 (16:31 -0500)]
Interoperate with incomplete SPNEGO responses
We have found at least one HTTP/Negotiate implementation in Java that
does not set anything but the responseToken field in the first SPNEGO
acceptor response token. This is technically a violation of RFC 4178
section 4.2.2, but it is harmless to support; we know the mechanism we
were trying to negotiate, and can use that mechanism to process the
token.
These implementations are probably not supporting any real
negotiation, as the missing negState precludes any mechanism
negotiation on failure. If a supportedMech is included that differs
from the opportunistic one but no negState is provided,
init_ctx_reselect() will fail with GSS_S_DEFECIVE_TOKEN as it should.
[ghudson@mit.edu: edit comments and commit message]
Greg Hudson [Wed, 10 Feb 2016 16:50:54 +0000 (11:50 -0500)]
Fix and adjust t_kprop.py
The listprincs check was at the wrong indentation level and had the
wrong argument grouping; fix it so we actually verify the propagation.
Stop using the -t (runonce) flag to kpropd, so that kpropd continues
to run until k5test.py terminates it. Quit out of the read loop when
we see that the load process is completed, instead of looking for end
of input. This change is needed in order to add hooks in k5test.py
for checking daemons for memory leaks before terminating them.
Isaac Boukris [Mon, 1 Feb 2016 16:08:24 +0000 (18:08 +0200)]
Use cached S4U2Proxy tickets in GSSAPI
Ticket #7047 allowed credentials obtain using S4U2Proxy through GSSAPI
to be cached, but doesn't actually use the cached credentials. Modify
get_credentials() to check the cache for the desired client name
first, then to make an S4U2Proxy request if we don't find it.
Test this change by adding code to t_s4u.c to repeat the constrained
delegation request and verify that only three tickets are present in
the cache.
[ghudson@mit.edu: squash commits; commit message rewrite; minor style
edits; changed test code to use gss_store_cred_into() to avoid the
need to pick a principal to initialize the ccache with]
Simo Sorce [Sun, 20 Dec 2015 22:01:50 +0000 (17:01 -0500)]
Improve libkadm5 server stubs
Change the server_stubs.c functions to use thread-safe signatures (as
would be output by rpcgen -M). This change has no immediate impact
since kadmind is single-threaded, but is cleaner because it avoids the
use of static variables. Factor out some of the common initialization
and cleanup code from the server functions.
[ghudson@mit.edu: rename stub helper functions and reorder/rename
output arguments; error out in stub setup if princ is unexpectedly
null]
Greg Hudson [Tue, 23 Feb 2016 22:15:18 +0000 (17:15 -0500)]
Use blocking lock when creating db2 KDB
In 1.11 we switched from non-blocking to blocking locks in the DB2
module, but we missed one call to krb5_lock_file() in ctx_create_db().
This non-blocking lock can cause krb5_db_promote() to fail if the
database is locked when we try to promote the DB, in turn causing
kdb5_util load to fail. Correct this call to make krb5_db_promote()
more robust.
Greg Hudson [Mon, 22 Feb 2016 21:33:07 +0000 (16:33 -0500)]
Increase initial DNS buffer size
In dnsglue.c (which is used to look up SRV and TXT records), increase
the initial buffer size guess from 2048 to 4096 to accomodate DNSSEC
signatures. Suggested by Daniel Colascione.
Simo Sorce [Fri, 18 Dec 2015 23:13:29 +0000 (18:13 -0500)]
Add the ability to lock down principal keys
A new attribute named KRB5_KDC_LOCKDOWN_KEYS can be set on principals.
This flag prevents keys for the principal from being extracted or set
to a known value by the kadmin protocol. Principals with this flag
cannot be deleted or renamed, and cannot have keys set by setkey or
chpass. chrand operations are allowed, but keys are not returned.
This attribute can be set via the modify operation but cannot be
reset; an authorization error is resturned if an attempt to reset it
is performed.
When creating a KDB, set the lockdown flag on the krbtgt and kadmin
principals.
[ghudson@mit.edu: squash with t_kadmin_acl.py commit; condense commit
message]
Simo Sorce [Thu, 17 Dec 2015 22:46:16 +0000 (17:46 -0500)]
Add get_principal_keys RPC to kadmin
Change the prototype of kadm5_get_principal_keys() to report kvno and
salt information along with each key. Add an RPC for extracting keys,
requiring a new permission bit (which is not implied by 'x' or '*' in
kadm5.acl). Add kadm5_free_kadm5_key_data().
In kadmin, deconditionalize "kadmin ktadd -norandkey". Use the new
information from kadm5_get_principal_keys() to correctly set the kvno
for each key when existing keys are extracted, fixing issue #7852.
Add tests to t_keytab.py for the #7852 fix. Add tests to
lib/kadm5/unit-test for the get_principal_keys RPC.
[ghudson@mit.edu: factor out fetch_new_keys() from add_principal();
rewrite commit message to describe new RPC; add #7852 test cases;
squash with lib/kadm5/unit-test commit]
Simo Sorce [Thu, 17 Dec 2015 16:03:53 +0000 (11:03 -0500)]
Fix and use kadm5 setkey test program
Fix build errors in setkey-test.c and add Makefile rules to build and
run it. Adjust the kadmin test environment to create the principal
"testkeys" for use by the test-setkey-client rule, and to set
allow_weak_crypto as setkey-test.c sets DES keys.
Simo Sorce [Wed, 16 Dec 2015 18:19:27 +0000 (13:19 -0500)]
Use DB allocators for default key data encryption
krb5_dbe_def_encrypt_key_data() is used by KDB modules as the default
encryption functions. It deals with structures allocated or freed by
the KDB module, so it needs to use the module's memory allocation
functions.
Greg Hudson [Thu, 18 Feb 2016 20:00:04 +0000 (15:00 -0500)]
Fix compilation issues in udppktinfo.c
Move is_socket_bound_to_wildcard() into an #if block so it doesn't get
built when it isn't used. Avoid using the identifier "socket" as it
can produce shadowed declaration warnings. Make the definition of the
fallback send_to_from() conform to the declaration.
Tom Yu [Wed, 17 Feb 2016 20:58:24 +0000 (15:58 -0500)]
Harmonize struct packing for gic_opt.c
struct extended_options in gic_opt.c extends krb5_get_init_creds_opt.
On Mac OS X, for historical reasons, we define krb5_get_init_creds_opt
with an alignment/packing of 2, conflicting with the compiler default.
This results in alignment change warnings from clang on Mac OS X.
Ensure that extended_options has the same packing.
Sarah Day [Thu, 11 Feb 2016 20:39:04 +0000 (15:39 -0500)]
Add support for IP_SENDSRCADDR for UDP pktinfo
FreeBSD uses IP_RECVDSTADDR and IP_SENDSRCADDR instead of IP_PKTINFO
for IPv4 pktinfo functionality. Add support for using this when
IP_PKTINFO is not available.
Sarah Day [Wed, 10 Feb 2016 17:42:47 +0000 (12:42 -0500)]
Move pktinfo functions into a new file
Move the functions set_pktinfo(), recv_from_to(), and send_to_from()
out of net_server.c into a new file udppktinfo.c. The function
setup_udp_pktinfo_ports() will now always try to set the pktinfo
option for the socket on UDP wildcard sockets, and will fallback to
binding to the individual addresses at runtime when pktinfo isn't
supported.
Robbie Harwood [Tue, 12 Jan 2016 20:59:49 +0000 (15:59 -0500)]
Use public OID for interposing several functions
This resolves an issue where an interposer would receive the private
OID, and be unable to call back into krb5 in the expected manner in
gss_inquire_names_for_mech(), gss_inquire_cred_by_mech(),
gss_localname(), gss_store_cred(), and gss_store_cred_into().
Also change the return code of gss_localname() to GSS_S_BAD_MECH
instead of GSS_S_UNAVAILABLE on mech lookup failure, for consistency
with other functions.
Robbie Harwood [Tue, 12 Jan 2016 16:13:09 +0000 (11:13 -0500)]
Enable interposing gss_inquire_saslname_for_mech
The behavior of gss_inquire_saslname_for_mech() changes slightly, to
report GSS_S_BAD_MECH when an unsupported mech oid is given. Also
call map_error() on the minor code resulting from the mech.
Note that gss_inquire_mech_for_saslname() cannot be interposed, as
mech_type is specified as output-only in RFC 5801.
Robbie Harwood [Wed, 27 Jan 2016 23:48:04 +0000 (18:48 -0500)]
Report inquire_attrs_for_mech mech failures
Previously, gss_inquire_attrs_for_mech() would return a list of mech
attributes that it knew about when given a bad mech oid or a mechanism
which did not provide a gss_inquire_attrs_for_mech() method. It seems
more useful to just report the failure to the application rather than
allowing it to continue with a faulty mechanism.
Robbie Harwood [Mon, 11 Jan 2016 22:50:39 +0000 (17:50 -0500)]
Enable interposing gss_inquire_attrs_for_mech()
Use gssint_select_mech_type() to locate an interposer mechanism, and
pass the public mech OID to the mech. Also call map_error() on the
resulting minor code.
Greg Hudson [Fri, 12 Feb 2016 16:19:44 +0000 (11:19 -0500)]
Remove form feed characters
Some older code in the tree uses form feed characters. kdevelop does
not appear to preserve them, and it is not our current practice to use
them, so get rid of them in almost all files under src. Leave alone
lib/gssapi/krb5/3des.txt, which is a formatted internet draft.
Greg Hudson [Thu, 4 Feb 2016 22:36:16 +0000 (17:36 -0500)]
Fix populate_krb5_db_entry() princ_ent init
The most recent commit introduced a new variable princ_ent in
populate_krb5_db_entry(). princ_ent is cleaned up by the function's
cleanup label, so it must be initialized before any "goto cleanup"
statements.
Sarah Day [Tue, 26 Jan 2016 17:22:41 +0000 (12:22 -0500)]
Implement password history in LDAP KDB module
The password history is stored in the kerberos LDAP schema attribute
'krbPwdHistory', with one history entry per attribute. When the
history is decoded, the history entries are sorted by kvno with the
next replacement key set to the end of the list. Based on a patch
from Tomas Kuthan.
Sarah Day [Thu, 21 Jan 2016 16:17:12 +0000 (11:17 -0500)]
Only store latest keys in key history entry
If a password is changed with the -keepold option, then changed again,
the history entry contains both the latest password and the one that
was kept. Fix create_history_entry to only store the latest kvno in
the history entry. Also add a test to ensure that the bug is fixed.
Sarah Day [Thu, 21 Jan 2016 16:16:21 +0000 (11:16 -0500)]
Sort principal key_data retrieved from KDB module
Some krb5 code expects principal keys to be sorted by kvno in
descending order. To make sure this is followed in all KDB
implementations, sort the keys in libkdb5 after principals are
retrieved.
Greg Hudson [Fri, 8 Jan 2016 18:16:54 +0000 (13:16 -0500)]
Fix leaks in kadmin server stubs [CVE-2015-8631]
In each kadmind server stub, initialize the client_name and
server_name variables, and release them in the cleanup handler. Many
of the stubs will otherwise leak the client and server name if
krb5_unparse_name() fails. Also make sure to free the prime_arg
variables in rename_principal_2_svc(), or we can leak the first one if
unparsing the second one fails. Discovered by Simo Sorce.
CVE-2015-8631:
In all versions of MIT krb5, an authenticated attacker can cause
kadmind to leak memory by supplying a null principal name in a request
which uses one. Repeating these requests will eventually cause
kadmind to exhaust all available memory.
Greg Hudson [Fri, 8 Jan 2016 17:52:28 +0000 (12:52 -0500)]
Check for null kadm5 policy name [CVE-2015-8630]
In kadm5_create_principal_3() and kadm5_modify_principal(), check for
entry->policy being null when KADM5_POLICY is included in the mask.
CVE-2015-8630:
In MIT krb5 1.12 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying a null policy value but including KADM5_POLICY in
the mask.
Greg Hudson [Fri, 8 Jan 2016 17:45:25 +0000 (12:45 -0500)]
Verify decoded kadmin C strings [CVE-2015-8629]
In xdr_nullstring(), check that the decoded string is terminated with
a zero byte and does not contain any internal zero bytes.
CVE-2015-8629:
In all versions of MIT krb5, an authenticated attacker can cause
kadmind to read beyond the end of allocated memory by sending a string
without a terminating zero byte. Information leakage may be possible
for an attacker with permission to modify the database.
Tomas Kuthan [Wed, 30 Dec 2015 13:10:32 +0000 (14:10 +0100)]
Replace MD5 use in rcache with SHA-256
The rcache implementation uses an unkeyed MD5 hash of the
authenticator to distinguish between different requests with equal
client principal, server principal, and microsecond time. When the
OpenSSL crypto provider is used and the underlying OpenSSL library is
run in FIPS mode, the MD5 algorithm is disabled and
gss_accept_sec_context() results in an abort in rcache processing.
This change effectively implements a different rcache extension.
The new extension identifier is 'SHA256:' (instead of 'HASH:')
and the new has algorithm is SHA-256.
Greg Hudson [Tue, 12 Jan 2016 17:08:58 +0000 (12:08 -0500)]
Remove nss libk5crypto implementation
Delete the nss libk5crypto implementation because: (1) the original
contributor no longer requires it; (2) as far as we know it is rarely
or never used; (3) NSS has significant impedance mismatch with MIT
krb5's requirements, such as the inability to preserve crypto state
across fork(); (4) NSS cannot do PBKDF2 with SHA-256 or SHA-384, as
will be required for the aes-sha2 enctypes.
Greg Hudson [Thu, 14 Jan 2016 23:03:40 +0000 (18:03 -0500)]
Fix ksetpwd password reading loop
In ksetpwd (which we do not install), fix the loop which reads the new
password twice until they match. Previously it would stop with a
dangling pointer to freed memory in new_password if they don't match
on the first try. Reported by Will Fiveash.
Greg Hudson [Thu, 14 Jan 2016 22:51:53 +0000 (17:51 -0500)]
Fix iprop server stub error management
The ipropd stubs free client_name and server_name in the cleanup
handler, so should not free them in out-of-memory conditions.
Reported by Will Fiveash.
Greg Hudson [Thu, 14 Jan 2016 17:24:31 +0000 (12:24 -0500)]
Work around uninitialized warning in logger.c
gcc 4.6.3 erroneously detects uninitialized use of the variable f
after commit 9914b93516bbce9b1123ed5f9f796b7028944892. Initialize it
to work around this warning.
Robbie Harwood [Wed, 13 Jan 2016 23:17:09 +0000 (18:17 -0500)]
Fix EOF check in kadm5.acl line processing
On platforms where the char type is unsigned, the check for EOF (which
is negative) will always fail, leaving a 255 byte at the end of the
line. This can cause a syntax error, in turn causing the contents of
kadm5.acl to be ignored. Fix this bug by removing the cast on EOF.
[ghudson@mit.edu: more precisely describe consequences of bug in
commit message]
Robbie Harwood [Thu, 17 Dec 2015 18:31:39 +0000 (13:31 -0500)]
Create KDC and kadmind log files with mode 0640
In krb5_klog_init(), use open() and fdopen() to open log files so that
we can specify a mode. Specify a mode which doesn't include the
group-write, other-read, or other-write bits even if the process umask
allows them.
[ghudson@mit.edu: wrote commit message, de-indented post-open setup
code]
Greg Hudson [Wed, 6 Jan 2016 16:31:07 +0000 (11:31 -0500)]
Improve type safety of SPNEGO helper functions
Modify init_ctx_new(), init_ctx_cont(), acc_ctx_hints(),
acc_ctx_new(), and acc_ctx_cont() to operate on SPNEGO context handles
rather than generic GSS context handles. For the functions which
create a new context, move the context parameter to the end and follow
the usual practices for output parameters. Adjust stage 1 flow
control in spnego_gss_accept_sec_context() to allow acc_ctx_new() to
always be a context constructor.
Greg Hudson [Wed, 25 Nov 2015 19:43:35 +0000 (14:43 -0500)]
Fix memory leak in SPNEGO gss_init_sec_context()
After the initial call to spnego_gss_init_sec_context(), the context
handle can leak if init_ctx_cont() returns an error, because the
cleanup handler assumes that spnego_ctx contains the value of
*context_handle. Fix this leak by setting spnego_ctx before the if
block which contains that call. Reported by Adam Bernstein.
Greg Hudson [Fri, 8 Jan 2016 16:54:55 +0000 (11:54 -0500)]
Make ksu work with prompting clpreauth modules
Commit 5fd5a67c5a93514e7d0a64425baa007ad91f57de switched ksu from
using krb5_get_in_tkt_with_password() to
krb5_get_init_creds_password(), but did not supply a prompter
argument. Pass krb5_prompter_posix so that clpreauth modules can
prompt for additional information during authentication.
Tom Yu [Wed, 30 Dec 2015 20:26:54 +0000 (15:26 -0500)]
Add .travis.yml
Do Travis CI testing with clang and gcc, on 64-bit Ubuntu Trusty.
Performance would probably be better using the container-based Travis
infrastructure, but that is currently limited to Precise, and we would
need some important apt packages whitelisted, e.g., dejagnu.
Robbie Harwood [Thu, 17 Dec 2015 00:31:22 +0000 (19:31 -0500)]
Fix interposed gss_accept_sec_context()
If gss_accept_sec_context() is interposed, selected_mech will be an
interposer OID. In this situation, pass the corresponding public OID
to gss_inquire_attrs_for_mech() to determine whether the mech is
allowed by default.
[ghudson@mit.edu: pared down from larger commit; rewrote commit message]
Simo Sorce [Tue, 5 Jan 2016 17:11:59 +0000 (12:11 -0500)]
Check internal context on init context errors
If the mechanism deletes the internal context handle on error, the
mechglue must do the same with the union context, to avoid crashes if
the application calls other functions with this invalid union context.
[ghudson@mit.edu: edit commit message and code comment]
Tom Yu [Wed, 30 Dec 2015 22:17:02 +0000 (17:17 -0500)]
Don't canonicalize hostname in sim_client.c
krb5_mk_req() already canonicalizes the target hostname, so don't try
to use a buffer of size MAXHOSTNAMELEN to canonicalize the hostname
beforehand. This buffer will be too short for some unusually long
FQDNs.
ticket: 8336 (new)
subject: MAXHOSTNAMELEN is too short for some FQDNs
Tom Yu [Wed, 6 Jan 2016 20:24:16 +0000 (15:24 -0500)]
Work around uninitialized warning in cc_kcm.c
Some versions of clang erroneously detect use of an uninitialized
variable reply_len in kcmio_call() when building on non-Mac platforms.
Initialize it to work around this warning.
Tom Yu [Tue, 22 Dec 2015 21:55:07 +0000 (16:55 -0500)]
Modernize UTF-8 conversions
Unicode and ISO/IEC 10646 now agree that the maximum valid code point
is U+10FFFF. (Unicode 8.0 Appendix C.2 implies that ISO/IEC
10646:2011 aligned the extent of the code space.)
Adjust src/util/support/utf8.c accordingly, mostly by
deleting code.
Tomas Kuthan [Tue, 29 Dec 2015 10:47:49 +0000 (11:47 +0100)]
Check context handle in gss_export_sec_context()
After commit 4f35b27a9ee38ca0b557ce8e6d059924a63d4eff, the
context_handle parameter in gss_export_sec_context() is dereferenced
before arguments are validated by val_exp_sec_ctx_args(). With a null
context_handle, the new code segfaults instead of failing gracefully.
Revert this part of the commit and only dereference context_handle if
it is non-null.
Sarah Day [Mon, 21 Dec 2015 19:29:18 +0000 (14:29 -0500)]
Add Github provided OS and IDE files to .gitignore
It is a good idea to have a fairly complete .gitignore file. It is
helpful for devs to know just what shouldn't end up in the repo, as
well as preventing accidental commits and even random trash ending up
in master.
Many of the files here added from the Github gitignore project
found here:
Sarah Day [Fri, 4 Dec 2015 17:36:33 +0000 (12:36 -0500)]
Search for LDAP core schema in t_kdb.py
The t_kdb.py python test was hardcoded to search for the LDAP
core.schema file in a single place. OpenLDAP can be installed in more
than one place. Add a check which looks in several of these common
installation locations to find the core schema file.
Sarah Day [Fri, 4 Dec 2015 15:54:50 +0000 (10:54 -0500)]
Fix a typo that causes the jsonwalker test to fail
In the au_dict.json file that is used for testing jsonwalker, there is
a comma missing that causes cjson 1.1 to throw an exception. This
causes the python tests to fail. Adding the comma fixes the crash and
allows the test to finish successfully.
Sarah Day [Tue, 22 Dec 2015 21:33:24 +0000 (16:33 -0500)]
Set kdc_tcp_ports in kadmin test configuration
The kadmin tests were starting the KDC without setting the TCP port
number. After commit 8d88e2ab00be126237569dc72827ced2ce6b7d04, the
TCP port defaults to 88, causing the socket to fail setup if the test
is not run as root.
Tom Yu [Thu, 17 Dec 2015 21:13:33 +0000 (16:13 -0500)]
Only run export-check.pl in maintainer mode
Cross compilation environments might not be using the default nm
command. Rather than try to communicate the correct value to
util/export-check.pl, only run export-check.pl in maintainer mode.
Tom Yu [Thu, 17 Dec 2015 22:42:05 +0000 (17:42 -0500)]
Remove util/reconf
The bulk of the util/reconf script is to detect old versions of
autoconf and possibly work around bugs in them. Require
autoconf>=2.63, and remove the util/reconf script. Adjust
documentation and other scripts accordingly.
Also remove Makefile rules that remove autom4te.cache. Such rules
were supposedly necessary when mixing of different versions of
autoconf was common; this seems to be less of an issue now.
Greg Hudson [Fri, 11 Dec 2015 16:05:32 +0000 (11:05 -0500)]
Add libkrb5support dependencies to test plugins
In some build environments, dependencies on libkrb5support can be
generated just from static inline functions in our header files, even
if those functions aren't used. In two test plugin modules, use
$(KRB5_BASE_DEPLIBS) and $(KRB5_BASE_LIBS) to depend on libkrb5support
as well as libkrb5. (This also pulls in libk5crypto, which is
unnecessary for these modules, but is inconsequential for a test
module.) Reported by Will Fiveash.
Sarah Day [Mon, 7 Dec 2015 18:48:22 +0000 (13:48 -0500)]
Add IPv6 address logging support to audit plugin
The jsonwalker.py test was failing due to the audit plugin only
logging the IP for IPv4. The audit plugin should log the IP address
for both IPv4 and IPv6. Rename the JSON "ipv4" field in the
"fromaddr" JSON object to "ip" and set the field if either an IPv4 or
an IPv6 address is present. Any parsers of the audit log can tell
which address is stored in the "ip" field by checking the "type" field
in "fromaddr". Also update the jsonwalker.py reference JSON file,
au_dict.json, to handle this new field name.
Tom Yu [Fri, 11 Dec 2015 21:01:08 +0000 (16:01 -0500)]
Cast away constness when assigning to krb5_data
Some password-changing library functions take a const char * parameter
but try to assign it to krb5_data.data, which isn't const. PR #364
causes some compilers to produce errors in such situations, so cast
away the constness. This is almost certainly safe because of the
nature of the code that consumes these krb5_data values.
Greg Hudson [Fri, 11 Dec 2015 19:48:41 +0000 (14:48 -0500)]
Make krb5_ucs2 and krb5_ucs4 unsigned
krb5 contains some Unicode code adapted from OpenLDAP. OpenLDAP uses
unsigned types for UCS-2 and UCS-4 code points, but the adapted code
uses signed types, which creates pointer-sign warnings when we call
uccompatdecomp() and similar functions. To match the OpenLDAP code,
use unsigned types.
Simo Sorce [Wed, 9 Dec 2015 23:09:18 +0000 (18:09 -0500)]
Set TL_DATA mask flag for master key operations
When kdb5_util adds or removes master keys, it modifies tl-data but
doesn't set the KADM5_TL_DATA mask flag, causing KDB modules that rely
on this signaling (such as the LDAP module) not to store the tl-data
changes. Fix this issue by setting the mask bit in add_new_mkey() and
kdb5_purge_mkeys().
Greg Hudson [Wed, 9 Dec 2015 19:56:34 +0000 (14:56 -0500)]
Error on incompatible argument types if possible
gcc 4.x has no option short of -Werror to error on "makes pointer from
integer without a cast" or "incompatible pointer type" warnings, but
clang and (I think) gcc 5.x do. Use -Werror=int-conversion and
-Werror=incompatible-pointer-types when the compiler supports them.
At least in clang, -Werror=incompatible-pointer-types also throws an
error when passing an argument discards a const qualifier, which is a
less serious type violation. But cleaning those up is relatively easy.
Greg Hudson [Wed, 9 Dec 2015 21:44:11 +0000 (16:44 -0500)]
Clean up const qualifier warnings
In server_acl.c, add const qualifiers to the kadm5int_acl_find_entry()
principal parameters, and to the kadm5int_acl_match_data() parameters,
to avoid discarding const qualifiers when calling them. In
kdb_ldap.c, cast the has_rootdse_ava() attribute before passing it to
ldap_search_ext_s(), which does not modify its attrs parameter but
does not declare it with a const qualifier.
Tom Yu [Wed, 9 Dec 2015 18:49:22 +0000 (13:49 -0500)]
Correctly use k5_wrapmsg() in ldap_principal2.c
Commit ebcdf02f8ec212555b1762007fa8454615900f36 incorrectly used
k5_prependmsg() in an error handling clause in
krb5_ldap_get_principal(). Use k5_wrapmsg() instead.
Greg Hudson [Tue, 8 Dec 2015 04:59:31 +0000 (23:59 -0500)]
Fix FILE ccache negative enctype unmarshalling
Commit b99c7c79dee33de966c8bed02ac79439989f6f99 broke the
unmarshalling of negative enctype values from FILE ccaches. Fix it by
sign-extending the 16-bit enctype value in unmarshal_keyblock().
Sarah Day [Fri, 4 Dec 2015 15:01:11 +0000 (10:01 -0500)]
Add some common files to .gitignore
Add some OS specific files and Eclipse project files, as well as the
top level build directory because it is recommended in the wiki to
perform your build inside of it. Also ignore the autom4te.cache
directory.
Simo Sorce [Fri, 13 Nov 2015 19:54:11 +0000 (14:54 -0500)]
Fix impersonate_name to work with interposers
This follows the same modifications applied to
gss_acquire_cred_with_password() when interposer plugins were
introduced.
[ghudson@mit.edu: minor whitespace changes; initialize out_mcred in
spnego_gss_acquire_cred_impersonate_name() since it is released in the
cleanup handler]
Greg Hudson [Mon, 2 Nov 2015 03:46:56 +0000 (22:46 -0500)]
Fix SPNEGO context import
The patches for CVE-2015-2695 did not implement a SPNEGO
gss_import_sec_context() function, under the erroneous belief that an
exported SPNEGO context would be tagged with the underlying context
mechanism. Implement it now to allow SPNEGO contexts to be
successfully exported and imported after establishment.
Greg Hudson [Mon, 2 Nov 2015 03:45:21 +0000 (22:45 -0500)]
Fix IAKERB context export/import [CVE-2015-2698]
The patches for CVE-2015-2696 contained a regression in the newly
added IAKERB iakerb_gss_export_sec_context() function, which could
cause it to corrupt memory. Fix the regression by properly
dereferencing the context_handle pointer before casting it.
Also, the patches did not implement an IAKERB gss_import_sec_context()
function, under the erroneous belief that an exported IAKERB context
would be tagged as a krb5 context. Implement it now to allow IAKERB
contexts to be successfully exported and imported after establishment.
CVE-2015-2698:
In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
application which calls gss_export_sec_context() may experience memory
corruption if the context was established using the IAKERB mechanism.
Historically, some vulnerabilities of this nature can be translated
into remote code execution, though the necessary exploits must be
tailored to the individual application and are usually quite
complicated.
Greg Hudson [Tue, 27 Oct 2015 04:44:24 +0000 (00:44 -0400)]
Fix two IAKERB comments
The comment explaining why there is no iakerb_gss_import_sec_context()
erroneously referenced SPNEGO instead of IAKERB (noticed by Ben
Kaduk). The comment above iakerb_gss_delete_sec_context() is out of
date after the last commit.
Greg Hudson [Wed, 21 Oct 2015 17:21:48 +0000 (13:21 -0400)]
Zap secure cookie contents when freeing
Secure cookies are intended to hold secret values which may contribute
to key data, and therefore should be sanitized when released. Also
fix a memory leak in kdc_fast_make_cookie().
In build_principal_va(), use k5memdup0() instead of strdup() to make a
copy of the realm, to ensure that we allocate the correct number of
bytes and do not read past the end of the input string. This bug
affects krb5_build_principal(), krb5_build_principal_va(), and
krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not
affected.
CVE-2015-2697:
In MIT krb5 1.7 and later, an authenticated attacker may be able to
cause a KDC to crash using a TGS request with a large realm field
beginning with a null byte. If the KDC attempts to find a referral to
answer the request, it constructs a principal name for lookup using
krb5_build_principal() with the requested realm. Due to a bug in this
function, the null byte causes only one byte be allocated for the
realm field of the constructed principal, far less than its length.
Subsequent operations on the lookup principal may cause a read beyond
the end of the mapped memory region, causing the KDC process to crash.
Add tests for partial IAKERB and SPNEGO initiators, and for partial
krb5 (DCE-style), IAKERB, and SPNEGO acceptors. Make flag checking
more strict for existing tests.
Nicolas Williams [Mon, 14 Sep 2015 16:28:36 +0000 (12:28 -0400)]
Fix IAKERB context aliasing bugs [CVE-2015-2696]
The IAKERB mechanism currently replaces its context handle with the
krb5 mechanism handle upon establishment, under the assumption that
most GSS functions are only called after context establishment. This
assumption is incorrect, and can lead to aliasing violations for some
programs. Maintain the IAKERB context structure after context
establishment and add new IAKERB entry points to refer to it with that
type. Add initiate and established flags to the IAKERB context
structure for use in gss_inquire_context() prior to context
establishment.
CVE-2015-2696:
In MIT krb5 1.9 and later, applications which call
gss_inquire_context() on a partially-established IAKERB context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash. Java server applications using the
native JGSS provider are vulnerable to this bug. A carefully crafted
IAKERB packet might allow the gss_inquire_context() call to succeed
with attacker-determined results, but applications should not make
access control decisions based on gss_inquire_context() results prior
to context establishment.
Nicolas Williams [Mon, 14 Sep 2015 16:27:52 +0000 (12:27 -0400)]
Fix SPNEGO context aliasing bugs [CVE-2015-2695]
The SPNEGO mechanism currently replaces its context handle with the
mechanism context handle upon establishment, under the assumption that
most GSS functions are only called after context establishment. This
assumption is incorrect, and can lead to aliasing violations for some
programs. Maintain the SPNEGO context structure after context
establishment and refer to it in all GSS methods. Add initiate and
opened flags to the SPNEGO context structure for use in
gss_inquire_context() prior to context establishment.
CVE-2015-2695:
In MIT krb5 1.5 and later, applications which call
gss_inquire_context() on a partially-established SPNEGO context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash. This bug may go unnoticed, because
the most common SPNEGO authentication scenario establishes the context
after just one call to gss_accept_sec_context(). Java server
applications using the native JGSS provider are vulnerable to this
bug. A carefully crafted SPNEGO packet might allow the
gss_inquire_context() call to succeed with attacker-determined
results, but applications should not make access control decisions
based on gss_inquire_context() results prior to context establishment.
Greg Hudson [Fri, 23 Oct 2015 19:20:33 +0000 (15:20 -0400)]
Fix env-setup.shin after RUN_ENV simplification
env-setup.shin converts @KRB5_RUN_ENV@ to a shell expression and evals
it. Now that RUN_ENV no longer contains export statements, we need to
do that explicitly.
Greg Hudson [Thu, 8 Oct 2015 12:53:37 +0000 (08:53 -0400)]
Allow clock skew in krb5 gss_accept_sec_context()
Remove an unnecessarily strict check for ticket expiration from
kg_accept_krb5() and kg_accept_dce(). Instead, add the maximum
allowable clock skew to the reported lifetime of acceptor contexts.
Greg Hudson [Sun, 4 Oct 2015 23:54:35 +0000 (19:54 -0400)]
Make ksu work when unsetenv() returns NULL
Some older platforms (OS X 10.4, glibc 2.2.1) declare unsetenv() as
returning void, as does ksu's compatibility definition of unsetenv().
Don't use the return value in get_configured_defccname().
projects / thirdparty / krb5.git / log
