Greg Hudson [Wed, 11 Oct 2017 17:19:03 +0000 (13:19 -0400)]
Fix default enctype order in docs
Commit 4c234d8754c063177bc627c6298b85020d91c223 added the aes-sha2
enctypes to the documented default enctypes, but in the wrong order.
Reported by Weijun Wang.
Robbie Harwood [Mon, 9 Oct 2017 18:59:56 +0000 (14:59 -0400)]
Remove unused SAM setup code in KDC
SAM version 1 preauth support was removed in commit 97023f5f10fb091225ad131a0b35f1d91cd12b1e. Remove some lingering KDC
code which generated a DES-MD5 key and didn't use it for anything.
Continuing client preauth after a keyboard interrupt is unexpected and
can manifest bugs (such as the one in ticket 8596) by invoking preauth
mechs we wouldn't ordinarily reach. Based on a patch by Marc Dionne.
Greg Hudson [Wed, 23 Aug 2017 21:45:02 +0000 (17:45 -0400)]
Fix AIX build issues
In k5-platform.h, only test for SHARED and define the finalizer as
static if we don't expect linker options to be used for finalizers.
SHARED is not a robust test (it isn't defined when building objects
for shared libraries on AIX, OSF/1, or sometimes IRIX because they
don't use separate PIC objects), and as linker finalizer options are
only applied when shared libraries are created, we don't have to worry
about finalizers happening for static libraries.
In expand_path.c, remove the unnecessary structure tag from "struct
token" as it conflicts with <net/if_arp.h> on AIX.
In localaddr.c, initialize output parameters at the beginning of
get_ifreq_array(). Otherwise, gcc cannot be sure that they are always
set when get_ifreq_array() returns 0, because we use errno as a return
value in one case. Also remove two unused variables.
Use socklen_t instead of int for socket lengths in sim_client.c and
sim_client.h.
Greg Hudson [Thu, 24 Aug 2017 20:00:33 +0000 (16:00 -0400)]
Limit ticket lifetime to 2^31-1 seconds
Although timestamps above 2^31-1 are now valid, intervals exceeding
2^31-1 seconds may be treated incorrectly by comparison operations.
The initially computed interval in kdc_get_ticket_endtime() could be
negative if the requested end time is far in the future, causing the
function to yield an incorrect result. (With the new larger value of
kdc_infinity, this could specifically happen if a KDC-REQ contains a
zero till field.) Cap the interval at the maximum valid value.
Reported by Weijun Wang.
Avoid delta comparisons in favor of timestamp comparions in
krb5int_validate_times(), ksu's krb5_check_exp(), and clockskew
checks.
Also use a y2038-safe timestamp comparison in set_request_times() when
comparing the requested renewable end time to the requested ticket end
time.
The openssl req commands in make-certs.sh contain -subj options which
were ignored in favor of the config file prior to OpenSSL 1.1. When
they are used, they remove elements of the subject which are now
required by t_pkinit.py. Remove them.
Greg Hudson [Thu, 24 Aug 2017 19:58:07 +0000 (15:58 -0400)]
Issue trivially renewable tickets
If the client specifically asks for renewable tickets but the
renewable end time (either requested or after restrictions) doesn't
exceed the ticket end time, issue a renewable ticket anyway. Issuing
a non-renewable ticket (as we started doing in release 1.12, due to
the refactoring in commit 4f551a7ec126c52ee1f8fea4c3954015b70987bd)
can be unfriendly to scripts.
Also make sure never to issue a ticket with the renewable flag set but
no renew-till field, by clearing the renewable flag at the start of
kdc_get_ticket_renewtime(). The flag could have been previously set
by the assignment "enc_tkt_reply = *(header_ticket->enc_part2)" in
process_tgs_req() when processing a renewal request.
Modify t_renew.py to expect renewable tickets in some tests where it
previously did not, to check for specific lifetimes, and to check the
renewable flag as well as the renewable lifetime.
Greg Hudson [Fri, 25 Aug 2017 16:39:14 +0000 (12:39 -0400)]
Add PKINIT test case for generic client cert
In t_pkinit.py, add a test case where a client cert with no extensions
is authorized via subject and issuer using a pkinit_cert_match string
attribute.
Greg Hudson [Thu, 24 Aug 2017 15:11:46 +0000 (11:11 -0400)]
Fix certauth built-in module returns
The PKINIT certauth eku module should never authoritatively authorize
a certificate, because an extended key usage does not establish a
relationship between the certificate and any specific user; it only
establishes that the certificate was created for PKINIT client
authentication. Therefore, pkinit_eku_authorize() should return
KRB5_PLUGIN_NO_HANDLE on success, not 0.
The certauth san module should pass if it does not find any SANs of
the types it can match against; the presence of other types of SANs
should not cause it to explicitly deny a certificate. Check for an
empty result from crypto_retrieve_cert_sans() in verify_client_san(),
instead of returning ENOENT from crypto_retrieve_cert_sans() when
there are no SANs at all.
Greg Hudson [Mon, 28 Aug 2017 16:20:36 +0000 (12:20 -0400)]
Fix kdcpolicy build issues
Fix mydir in plugins/kdcpolicy/test/Makefile.in so that the Makefile
can be rebuilt correctly. Also change the name of the shared object
from "policy_test.so" to "kdcpolicy_test.so" for consistency.
Greg Hudson [Tue, 29 Aug 2017 15:19:36 +0000 (11:19 -0400)]
Don't set ctime in KDC error replies
Setting the error ctime field to the client nonce assumes that the
client used its system time as the nonce, which is not recommended by
RFC 1510 and is prohibited by RFC 4120. Omit the field instead, by
setting the structure field to 0.
After gss_init_sec_context() or gss_accept_sec_context() has created a
context, don't delete the mechglue context on failures from subsequent
calls, even if the mechanism deletes the mech-specific context (which
is allowed by RFC 2744 but not preferred). Check for union contexts
with no mechanism context in each GSS function which accepts a
gss_ctx_id_t.
CVE-2017-11462:
RFC 2744 permits a GSS-API implementation to delete an existing
security context on a second or subsequent call to
gss_init_sec_context() or gss_accept_sec_context() if the call results
in an error. This API behavior has been found to be dangerous,
leading to the possibility of memory errors in some callers. For
safety, GSS-API implementations should instead preserve existing
security contexts on error until the caller deletes them.
All versions of MIT krb5 prior to this change may delete acceptor
contexts on error. Versions 1.13.4 through 1.13.7, 1.14.1 through
1.14.5, and 1.15 through 1.15.1 may also delete initiator contexts on
error.
Greg Hudson [Sat, 19 Aug 2017 18:26:15 +0000 (14:26 -0400)]
Use standard comment in certauth plugin header
Each pluggable interface header needs to include some boilerplate text
to make it clear what a module implementor needs to provide. Include
that text in certauth_plugin.h.
Greg Hudson [Sat, 19 Aug 2017 23:09:24 +0000 (19:09 -0400)]
Fix bugs in kdcpolicy commit
Commit d0969f6a8170344031ef58fd2a161190f1edfb96 added tests using
"klist ccachname -e", which does not work with a POSIX-conformant
getopt() implementation such as the one in Solaris. Fix
t_kdcpolicy.py to use "klist -e ccachename" instead.
The tests could fail if the clock second rolled over between kinit and
kvno. Divide service ticket maximum lifetimes by 2 in the test module
to correctly exercise TGS policy restrictions and ensure that service
tickets are not constrained by the TGT end time.
Also use the correct trace macro when a kdcpolicy module declines to
initialize (my mistake when revising the commit, noted by rharwood).
Greg Hudson [Sat, 19 Aug 2017 18:21:31 +0000 (14:21 -0400)]
Fix bugs in kadm5_auth commit
Commit 92a1a7efe2fc43337416098f2227038a72f1e35a uses line after it is
freed in load_acl_file(). Move the k5_setmsg() call earlier to fix
it. The same commit also used the wrong header underline in
krb5_conf.rst for the kadm5_auth interface subsection. Fix it.
Greg Hudson [Mon, 14 Aug 2017 15:47:44 +0000 (11:47 -0400)]
Avoid repeating typedef in certauth_plugin.h
Repeating an identical typedef is allowed by C11, but not C99 or C89.
Use the underlying structure type in certauth_plugin.h so that it can
safely be included along with kdb.h.
Robbie Harwood [Tue, 27 Jun 2017 21:15:39 +0000 (17:15 -0400)]
Add KDC policy pluggable interface
Add the header include/krb5/kdcpolicy_plugin.h, defining a pluggable
interface for modules to deny AS and TGS requests and set maximum
ticket lifetimes. This interface replaces the policy.c stub functions.
Add check_kdcpolicy_as() and check_kdcpolicy_tgs() as entry functions.
Call them after auth indicators and ticket lifetimes have been
determined.
Add a test module and a test script with basic kdcpolicy tests. Add
plugin interface documentation in doc/plugindev/policy.rst.
Also authored by Matt Rogers <mrogers@redhat.com>.
Add a test plugin module to exercise features of the kadm5_auth
interface, and a Python test script using the module. Also test the
initial ticket requirement for self-service key changes in
t_kadmin_acl.py.
Greg Hudson [Fri, 30 Jun 2017 15:54:09 +0000 (11:54 -0400)]
Use kadm5_auth interface in kadmind
Convert the ACL code to a kadm5_auth module, and create a new module
for self-service authorization. Use the kadm5_auth consumer code
instead of directly using the ACL code to authorize requests.
Do not assume self-service authorization in the RPC stubs or in
schpw_util_wrapper(). For key change requests, enforce the initial
ticket requirement whenever a client changes its own keys, regardless
of how it is authorized or which protocol it uses. The initial ticket
check for protocol version 1 in process_chpw_request() is redundant
after this change, so remove it.
The old kadmin-based password change client authenticates to
kadmin/changepw and performs self-service get_principal, get_policy,
and chpass requests. Continue to allow these operations, enforcing
the self-service requirement in addition to checking through the
kadm5_auth interface. For get_policy requests, always look up the
client principal's policy name, for this check and for the
authorization layer's use.
The error messages for rename authorization failures are now more
vague (because there is a specific rename operation check in the
kadm5_auth interface, and we do not find out whether it failed due to
missing add or delete privileges). Adjust t_kadmin_acl.py
accordingly.
pkinit_kdc_ocsp is non-functional in the PKINIT OpenSSL crypto
implementation, so remove most traces of it, including its man page
entry. If it is present in kdc.conf, error out of PKINIT
initialization instead of silently ignoring the realm entirely.
In klist and kdestroy, if a ccache name is specified, set it as the
default ccache name, simplifying the code and making klist -l, klist
-A, and kdestroy -A can work with a specified ccache name. Reported
by Robbie Harwood.
Will Fiveash [Tue, 18 Jul 2017 23:24:18 +0000 (18:24 -0500)]
Allow WARN_CFLAGS override for Solaris
In aclocal.m4, do not set WARN_CFLAGS and WARN_CXXFLAGS for the
Solaris native compiler if those variables were already set by the
user. (We already did the same for gcc warning flags.)
If krb5_db_fetch_mkey() prompts for a master key and needs to
determine the kvno, check that the master entry contains any key data
before dereferencing the first element. Reported by Joshua Schaeffer.
Omit assigning status values for very unlikely error cases. Remove
the "UNKNOWN_REASON" fallback for validate_as_request() and
validate_tgs_request() as that fallback is now applied globally.
Assign status values if S4U2Self padata fails to decode, if an
S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
uses an evidence ticket which does not match the canonicalized request
server principal name. Reported by Samuel Cabrero.
If a status value is not assigned during KDC processing, default to
"UNKNOWN_REASON" rather than failing an assertion. This change will
prevent future denial of service bugs due to similar mistakes, and
will allow us to omit assigning status values for unlikely errors such
as small memory allocation failures.
CVE-2017-11368:
In MIT krb5 1.7 and later, an authenticated attacker can cause an
assertion failure in krb5kdc by sending an invalid S4U2Self or
S4U2Proxy request.
Update the macros imported from autoconf-archive to current versions.
Fixes an issue where ACX_PTHREAD fails on Solaris with the native
compiler because it detects an uninitialized read and treats it as an
error.
Greg Hudson [Wed, 21 Jun 2017 04:54:32 +0000 (00:54 -0400)]
Parse all kadm5.acl fields at startup
Parse the client principal name, target principal name, and
restrictions field of kadm5.acl entries when the file is loaded, not
later on when an attempt is made to match the entry.
This change affects the error-handling behavior of kadm5.acl files.
Previously, a syntax error in the line structure (such as having only
one field) would cause the whole file to be rejected, but an error
within a principal name or restrictions string would cause only that
entry to be discarded. After this change, any parsing failure will
cause the whole file to be rejected.
Greg Hudson [Wed, 21 Jun 2017 14:38:41 +0000 (10:38 -0400)]
Modernize auth_acl.c
Change auth_acl.c to match current coding conventions. Use more
consistent identifier names, and drop the kadm5int_ prefix as the code
is now part of kadmind. Remove the acl_inited, acl_debug_level, and
acl_catchall_entry variables. Move global state into a structure, to
make it easier to migrate to a module handle later. Move
parse_restrictions() above parse_line() so it can later be used from
parse_line() without a forward declaration. Rewrite get_line() and
parse_line() to avoid the use of fixed-sized static buffers and
sscanf(). Add a parse_entry() helper to make memory management in
parse_line() easier. Add a free_acl_entry() helper (split out from
free_acl_entries()) to make error handling in parse_entry() easier.
Add a match_princ() helper to simplify find_entry().
Remove the GSS name translation wrapper in auth_acl.c. In the server
stubs, use handle->current_caller for the client principal. In the
iprop RPCs(), add a wrapper to parse the client display name before
calling acl_check().
Greg Hudson [Mon, 26 Jun 2017 21:31:37 +0000 (17:31 -0400)]
Fix kadm5 setkey operation with LDAP KDB
Add mask assignments to kadm5_setv4key_principal() and
kadm5_setkey_principal_4() so that their changes to the principal are
properly written to KDB modules which use the mask flag, such as the
LDAP KDB module. Reported by Frank Lonigro.
Greg Hudson [Mon, 19 Jun 2017 15:30:38 +0000 (11:30 -0400)]
Fix kadm5.acl error reporting
In kadm5int_acl_get_line(), increment *lnp after skipping a blank or
comment line, so that kadm5int_acl_load_acl_file() correctly reports
the line number if it fails to parse a line.
In acl_syn_err_msg, use %.10s to limit the amount of the line included
in the error message, not %10s to left-pad it with spaces if it is
shorter than ten characters.
Greg Hudson [Thu, 15 Jun 2017 15:59:18 +0000 (11:59 -0400)]
Suppress y2038 GSS tests when time_t is 32-bit
The GSSAPI time_t tests do not run correctly on 32-bit Solaris because
time_t conversions are involved in the "kinit -l 8500d" step.
Suppress the GSS y2038 tests when time_t is 32-bit.
Greg Hudson [Thu, 15 Jun 2017 00:45:15 +0000 (20:45 -0400)]
Turn off -Wmaybe-uninitialized
In gcc, maybe-uninitialized gives different warnings depending on the
optimization level, and in our experience usually gives false
positives. We don't ask for it (except implicitly through -Wall), but
gcc bundles it into the error behavior of -Werror=uninitialized.
Explicitly turn it off so that builds with -Og and -Os don't error
out.
In the KDC, pass the local address from dispatch() to
process_as_req(), then to log_as_req(), then to
krb5_db_audit_as_req(), and finally to the KDB modules.
[ghudson@mit.edu: squashed commits and rewrote commit message]
In net-server.c, pass a krb5_fulladdr representation of the local
address to dispatch. This representation is more convenient for
kadmind, and will make it more convenient for the KDC to pass the
local address to the DAL audit_as_req.
In libkdb5, libapputils, the KDC, kadmind, and both KDB modules, use
the name "remote_addr" for the variable containing the remote address.
In schpw.c:process_chpw_request(), use the name "local_addr" for the
parameter containing the local address. Make the remote_addr
parameter const in libkdb5 and the DAL.
[ghudson@mit.edu: combined commits and rewrote commit message]
In net-server.c:process_tcp_connection_read(), we don't expect
getsockname() to fail under ordinary circumstances, so instead of
passing a null local address to dispatch(), just error out. Simplify
schpw.c:dispatch() by assuming a non-null local_saddr.
Greg Hudson [Fri, 26 May 2017 20:20:11 +0000 (16:20 -0400)]
Fix gmt_mktime for y2038
gmt_mktime() is used as a fallback when the platform does not have
timegm(). Make it work for dates in the unsigned 32-bit range, not
the signed 32-bit range.
Tomas Kuthan [Tue, 16 May 2017 09:24:40 +0000 (11:24 +0200)]
Free GSS checksum data deterministically
In the normal course of execution, md5.contents allocated by
kg_checksum_channel_bindings() in make_ap_req_v1() is freed in
make_gss_checksum(). But when there is a failure in
krb5_mk_req_extended() or in make_gss_checksum() before free is
called, the memory leaks.
This patch frees the memory unconditionally in make_ap_req_v1().
Greg Hudson [Mon, 22 May 2017 19:12:58 +0000 (15:12 -0400)]
Remove ksetpwd
ksetpwd was added in commit ec50322c3076ab4517fb4fb5cc3a931f6adb4f20
but is not installed as it was "not of release quality yet." It has
not materially improved since then, and under current policy we do not
include unfinished code in the tree, so remove it.
Greg Hudson [Wed, 17 May 2017 19:21:34 +0000 (15:21 -0400)]
Remove vestigial svr_principal.c code
In kadm5_chpass_principal_3(), kadm5_randkey_principal_3(), and
kadm5_setv4key_principal(), remove the disabled code to enforce
pw_min_life (which is enforced in kadmind as noted in the comments),
as well as the unnecessary last_pwd lookups beforehand.
Add a test program for krb5int_validate_times() covering cases before
and across the y2038 boundary. Add a GSSAPI test program to exercise
lifetime queries, and tests using it in t_gssapi.py for ticket end
times after y2038. Add a new test script t_y2038.py which only runs
on platforms with 64-bit time_t to exercise end-user operations across
and after y2038. Add an LDAP test case to test storage of post-y2038
timestamps.
Wherever we manipulate krb5_timestamp values using arithmetic,
comparison operations, or conversion to time_t, use the new helper
functions in k5-int.h to ensure that the operations work after y2038
and do not exhibit undefined behavior. (Relying on
implementation-defined conversion to signed values is okay as we test
that in configure.in.)
In printf format strings, use %u instead of signed types. When
exporting creds with k5_json_array_fmt(), use a long long so that
timestamps after y2038 aren't marshalled as negative numbers. When
parsing timestamps in test programs, use atoll() instead of atol() so
that positive timestamps after y2038 can be used as input.
In ksu and klist, make printtime() take a krb5_timestamp parameter to
avoid an unnecessary conversion to time_t and back.
As Leash does not use k5-int.h, use time_t values internally and
safely convert from libkrb5 timestamp values.
Add k5-int.h helper functions to manipulate krb5_timestamp values,
avoiding undefined behavior and treating negative timestamp values as
times between 2038 and 2106. Add a doxygen comment for krb5_timestamp
indicating how third-party code should use it safely.
Commit ae0fee058ad883b2e82fa2b34f4e5f059e827a1b (ticket #5425) changed
the AS client code to use a random nonce, but left the TGS client code
using the current timestamp. Use a random nonce for TGS requests as
well.
During a TGS request, if we get a TGT response that we didn't directly
ask for (a referral TGT or an alternate TGT), don't cache it. It
would have limited value in the cache as similar operations won't look
for that TGT. If the overall TGS operation fails and is repeated, we
could wind up caching the same entry multiple times, which doesn't
work well with our current ccache implementations.
The flags field in krb5_lcc_data is not initialized in
krb5_lcc_resolve(), so krb5_lcc_next_cred() can sometimes fail to
include a ticket when retrieving a ccache entry. This results in a
"Request did not supply a ticket" error from k5_make_tgs_req() when
trying to use the credential.
Add a context parameter to the in_clock_skew() macro so that it isn't
implicitly relying on a local variable. Use it in
get_in_tkt.c:verify_as_reply().
Commit b496ce4095133536e0ace36b74130e4b9ecb5e11 (ticket #8268) adds
the clock skew to krb5 acceptor context lifetimes for
gss_accept_sec_context() and gss_inquire_context(), but not for
gss_context_time(). Add the clock skew in gss_context_time() as well.
We apply (as of ticket #7604) a ten-second minimum delay after a TCP
connection is accepted before creating new connections or sending UDP
packets. Apply this timeout to HTTPS connections as well, by removing
the transport check in get_endtime(). As the endtime field is only
set by service_tcp_connect(), it will always have the value 0 for UDP
connection state objects, so there is no need to check the transport
type.
Where we convert between UTF-8 and UCS-2 (RC4 string-to-key and PAC
client info), use UTF-16 instead of UCS-2. Add a test program for
the conversion functions.
Martin Kittel [Thu, 6 Apr 2017 19:03:23 +0000 (21:03 +0200)]
Add various bound checks
Add bounds checks where Coverity otherwise reports a defect. Most of
these checks are unlikely to be triggered in practice (Unicode regexps
are unused, and the caller of gss_krb5int_make_seal_token_v3 won't
have a plaintext object larger than half of the address space). The
checks in dump.c could prevent memory access errors resulting from a
malformed dump file.
Avoid using the krb5_error_code type (using int32_t instead), and
include k5-platform.h instead of k5-int.h, so that we can use
k5-input.h in libkrb5support.
Create a custom build matrix which passes -Werror to the clang build
via a make variable. (Using a configure variable does not currently
work, as some of our configure test programs generate warnings.)
Also set the language to C++ (so we use clang++ for the C++ test
programs and not g++ when compiling with clang), and turn on the
maintainer-mode checks for the Travis build.
Remove unused entry points as we only need to convert between
little-endian UCS-2 byte buffers and UTF-8. Rename and simplify the
remaining two function contracts. Avoid pointer alignment and
endianness issues by operating on byte buffers and using store_16_le()
and load_16_le(). Avoid two-pass operation using k5buf.
[ghudson@mit.edu: simplified code using k5buf; simplified function
names and contracts; rewrote commit message]
krb5int_utf8cs_to_ucs2les() can read slightly beyond the end of the
input buffer if the buffer ends with an invalid UTF-8 sequence. When
computing the RC4 string-to-key result, make a zero-terminated copy of
the input string and use krb5int_utf8s_to_ucs2les() instead.
Matt Rogers [Fri, 31 Mar 2017 02:18:24 +0000 (22:18 -0400)]
Add FAST encrypted challenge auth indicator
During ec_verify(), look up an authentication indicator string by the
profile realm option "encrypted_challenge_indicator". If found, add
an indicator to the reply upon succesful creation of the challenge
key. Add a test to t_authind.py. Document the option in
kdc_conf.rst.
We have had code since at least 1.6 in changepw.c and sendto_kdc.c
which assumes that we can pass a struct sockaddr * as the second
argument to getsockname() and getpeername(), so we can safely get rid
of that configure logic. Also fix potential alignment issues in
krb5_sendauth() by using a struct sockaddr_storage instead of a
1024-byte character buffer to hold the local and peer addresses.
[ghudson@mit.edu: adjusted style of new code slightly; rewrote commit
message]
When we are building a static object containing a finalizer function
(e.g. for the profile library tests), mark the finalizer as unused to
avoid warnings in gcc and clang.
[ghudson@mit.edu: commented UNUSED definition and moved it so we can
use it elsewhere later; rewrote commit message]
Robbie Harwood [Wed, 29 Mar 2017 22:34:37 +0000 (18:34 -0400)]
Avoid using tmpnam(3) in db2's hash.c
As we do not rely on anonymous db2 databases, get rid of the code
using tmpnam() for hash databases and reporting EINVAL if a filename
is not specified.
In kdb_log.h, cast through void * after computing the address in the
INDEX macro.
In ipropd_svc.c, use a void * instead of a char * as the generic
handler return value.
In rc4.c, cast through void * when using the cipher state data pointer
as a structure pointer.
In sha256.c and sha512.c, cast through void * when using the save
buffer as a structure pointer. (This code may not be conformant, but
it should work in practice given the offsets of the save field in the
sha256state and sha512state structures.)
projects / thirdparty / krb5.git / log
