Greg Hudson [Fri, 18 May 2018 05:05:46 +0000 (01:05 -0400)]
Require Visual Studio 2013 in Windows README
The recently added SPAKE edwards25519 code, adapted from BoringSSL,
makes frequent use of mixed declarations and code, which is supported
by VS2013 but not VS2012 and earlier. Require VS2013 as the minimum
version in the Windows README. Add suport for VS2013 and VS2015 to
the installer.
Greg Hudson [Wed, 16 May 2018 18:02:20 +0000 (11:02 -0700)]
Make plugin auto-registration work on Windows
Make plugin_base_dir subject to parameter expansion, and set its
default to %{LIBDIR}\plugins on Windows (%{LIBDIR} expands to the
directory where the krb5 DLL lives). For auto-registered modules,
assume that we will build 32-bit and 64-bit DLLs and name them
"modname32.dll" and "modname64.dll". In k5_plugin_register_dyn(), use
k5_path_join() instead of assuming the path separator is "/".
Greg Hudson [Wed, 16 May 2018 04:52:08 +0000 (21:52 -0700)]
Fix option parsing on Windows
Commit 8f9ade8ec50cde1176411085294f85ecfb2820a4 (ticket 8391) moved
the built-in getopt() and getopt_long() implementations from a static
library in util/windows to util/support, where (on Windows) it is
built into k5sprt32.dll or k5sprt64.dll. The getopt() interface uses
global variables opterr, optind, optopt, and optarg, each renamed via
macro to have a k5_ prefix when we use the built-in implementation.
Data objects exported from DLLs need special handling in Windows; they
must be marked as DATA in the DLL .def file, and they must be declared
with "__declspec(dllimport)" in calling code. Without this handling,
optind begins with a garbage value and getopt_long() returns -1
immediately, so client programs always behave as if they have no
arguments.
Stop unnecessarily declaring optind and optarg in client programs.
Declare the getopt() global variables with __declspec(dllimport) on
Windows, except when compiling getopt.c itself. When creating
libkrb5support.exports on Windows (this file is later used by
lib/Makefile.in to create k5sprt32.def), add a DATA tag to the data
objects.
Greg Hudson [Sun, 10 Jun 2018 22:32:13 +0000 (18:32 -0400)]
Use pkg.m4 macros
Add pkg.m4 from pkg-config 0.29.2 and include it in aclocal.m4. Use
PKG_CHECK_EXISTS for resolv_wrapper and PKG_CHECK_MODULES for libedit
and libverto. Based on a patch from Timo Gurr.
Greg Hudson [Wed, 6 Jun 2018 21:58:41 +0000 (17:58 -0400)]
Process profile includedir in sorted order
In the profile library, use k5_dir_filenames() so that files within an
included directory are read in a predictable order (alphanumeric
within the C locale).
Greg Hudson [Wed, 6 Jun 2018 22:26:42 +0000 (18:26 -0400)]
Fix Windows strerror_r() implementation
Commit 6351586a771e9a99e1e946cc9a0b6a87bbb14094 (ticket 7961)
introduced several variants of strerror_r(). The Windows one
contained a bug which made its return value undefined; fix that.
Greg Hudson [Mon, 21 May 2018 08:10:04 +0000 (01:10 -0700)]
Prune Leash sources
When Leash was imported in 2011-2012, some of its functionality was
removed either at compile-time or runtime--most notably krb4 support,
AFS integration, and editing of "properties" (registry values).
Remove most of the unnecessary material.
Document the new profile variables added for the LMDB KDB module and
the new configure option. Add a new admin section on database types,
and document the behavior of all current modules.
Add a new k5test function multidb_realms() which yields a realm using
BDB and a realm using LMDB. Run the tests in t_dump.py, t_iprop.py,
the lockout tests in t_policy.py, and kdbtest (in t_kdb.py) with both
databases.
If K5TEST_LMDB is set in the environment, use LMDB for all Python
tests and all tests in tests/dejagnu, with two exceptions
(t_unlockiter.py and t_kdb_locking.py) which test BDB-specific
behavior. To support those exceptions, add the "bdb_only" realm
initialization flag.
In t_iprop.py, be sure to properly clean up kpropd daemons, using a
new k5test realm method stop_kpropd() to stop a kpropd daemon started
with start_kpropd() and remove it from the realm's list.
Add a new KDB module using LMDB. For this module, combine policy and
principal databases into one environment with two databases, but split
out principal lockout fields into a separate environment so that
nothing blocks KDC writes for more than a trivial amount of time.
Greg Hudson [Fri, 11 May 2018 18:02:41 +0000 (14:02 -0400)]
Remove unused Windows sources
windows/build and windows/installer/nsis are not used by the KfW 4.x
build process. windows/wintel was removed from the build in commit 530043377ee6f39b9ca95c13f6260602e6fe7674. windows/cns and most of the
windows/lib objects were removed from the build in commit 52fa910f413e016b3d432ce34e2d5bcea3230a7d. Most of the Leash krb4
files were removed from the build in commit 9f097418620513813ecc086bcd9002b6e07bf2a1; some unnecessary includes of
the corresponding header files remain, so delete those now.
LeashControlPanel.cpp was not part of the leash build when the leash
sources were imported into this tree.
Greg Hudson [Fri, 11 May 2018 17:43:42 +0000 (13:43 -0400)]
Stop building CNS for Windows
CNS is an old Windows ticket manager which was long ago supplanted by
leash. We have been building it and copying it in "nmake install",
but not including it in the KfW installer. Remove it from the build,
and trim windows/lib down to just the part used by leashdll and leash
(loadfuncs.obj).
Greg Hudson [Wed, 9 May 2018 16:37:44 +0000 (12:37 -0400)]
Update Windows build instructions
Modify windows/README for Visual Studio 2017, which has separate
32-bit and 64-bit command prompts (and which seems to omit uicc from
the 64-bit path). Mention the need for MFC if building leash, and
describe how to build without leash.
Greg Hudson [Tue, 8 May 2018 14:31:26 +0000 (07:31 -0700)]
Update kfw installer for VS2017, WiX 3.11.1
For Visual Studio 2017 (aka 15.0), add a Visual C tools version
number, and use %VCToolsRedistDir% to find the merge modules. WiX
toolset 3.11.1 requires an xmlns attribute to the WixLocalization tag.
Greg Hudson [Mon, 7 May 2018 02:29:40 +0000 (22:29 -0400)]
Fix Leash build error with recent Visual Studio
Visual Studio 2015 and later do not allow manipulation of the _flag
field inside a file handle. In Leash's out2con.cpp (used only for the
debugging -console flag), do not try to mark the allocated file handle
as free after copying it to *stdout; a one-time memory leak here is
unimportant.
Greg Hudson [Sat, 5 May 2018 21:53:54 +0000 (17:53 -0400)]
Don't specify MFC library in Leash build
Since MFC 3.0 (which shipped with Visual C++ 2.0, decades ago) it has
been unnecessary to specify the MFC library in the link line; the
headers can magically add the right one. Guessing the MFC version
from $(VISUALSTUDIOVERSION) does not work with Visual Studio 2017 (we
guess 150; the correct value is 140).
Greg Hudson [Sat, 5 May 2018 17:40:37 +0000 (13:40 -0400)]
Escape curly braces in def-check.pl regexes
Recent versions of Perl issue a warning or error when an unescaped
open curly brace is used in a position where it might introduce a
quantifier in a regular expression. Escape all regexp literal curly
braces in def-check.pl.
Robbie Harwood [Thu, 3 May 2018 18:40:45 +0000 (14:40 -0400)]
Remove "-nodes" option from make-certs scripts
The openssl command does not recognize options after positional
arguments, so in "openssl genrsa $KEYSIZE -nodes", the "-nodes" was
ignored as a excess positional argument prior to OpenSSL 1.1.0h, and
now causes an error. "-nodes" is an option to the openssl req and
pkcs12 subcommands, but genrsa creates unencrypted keys by default.
For improved auditability, check for a zero argc value earlier in
main() so that the first two calls to com_err() can't pass a NULL
whoami value--which would be harmless, but that may not be obvious to
a reader.
In ulog_replay(), instead of locking the KDB and ulog for the whole
operation, separately lock and update the ulog after each database
update, as we would for a locally initiated database operation (after
commit 444ef5fe9ec8d64a5db27b3a8aaf6813dd7ef0e0).
Greg Hudson [Thu, 22 Mar 2018 23:46:22 +0000 (19:46 -0400)]
Fix PKINIT rule matching against UPN SANs
Commit 46ff765e1fb8cbec2bb602b43311269e695dbedc (for ticket 8528)
broke rule-based matching of UPN SANs using the <SAN> rule type. To
fix this regression, make crypto_retrieve_cert_sans() return UPN SANs
in their original string form, and only parse them into principal
names in pkinit_srv.c:verify_client_san(). In
pkinit_cert_matching_data, store UPN SANs as strings separately from
PKINIT SANs instead of concatenating them together, and match original
UPN strings against <SAN> rule regexps. Add a test case.
If kadmind is run with the -proponly flag, check that iprop_enable is
set and output a reasonable error message if it isn't. Otherwise we
see the confusing message "Invalid argument while initializing
network".
Most programs in the tree will perform a null dereference when argc is
zero, but as a setuid program ksu should be extra careful about memory
errors, even if this one is harmless. Check and exit with status 1
immediately.
For TGS requests, dispatch() doesn't set state->active_realm, which
leads to a NULL dereference in finish_dispatch() if the reply is too
big for UDP. Prior to commit 0a2f14f752c32a24200363cc6b6ae64a92f81379
the active realm was a global and was set when process_tgs_req()
called setup_server_realm().
Move TGS decoding out of process_tgs_req() so that we can set
state->active_realm before any errors requiring response. Add a test
case.
[ghudson@mit.edu: edited commit message; added test case; reduced code
duplication; removed server handle from process_tgs_req() parameters]
setup_loop() does not need to peer into the server handle for network
parameters, as kadmind makes its own call to kadm5_get_config_params()
in main(). Use kadmind's copy of the parameters instead.
Commit 779a335f4e2deb2d76caf7d0dd3de847a040c050 added the
fail_to_start() helper in ovsec_kadmd.c, accidentally sending the
program name to stderr twice. Remove one of them.
Make it easier to locate a failing command in long Python test scripts
by allowing the script to output marks, and displaying the most recent
mark with command failures.
In kadm5_create(), use the global context instead of a newly created
context, so that extended error messages are displayed properly by
extended_com_err_fn().
Modify profile_add_node() to return the existing node, rather than
making a new one, when adding subsection configuration.
This fixes an issue where the first instance of a subsection will hide
the second instance entirely. In particular, it was previously
impossible to split realm-specific configuration across multiple
config files.
[ghudson@mit.edu: adjusted style, added test case]
Remove a double initialization of dwHesPwUidIndex in wshelper which
caused the first initialization to leak a thread-local storage handle.
Reported by Sergey Ilinykh.
Add a new callback disable_fallback() and call it from each clpreauth
module when it generates a client message using credentials to
authenticate. (For SPAKE, this is the message responding to a
challenge; for all other current mechanisms, it is the first and only
client message.) If disable_fallback() is called, do not try another
mechanism after a KDC error.
Remove k5_reset_preauth_types_tried() and its call sites, so that
preauth mechanisms which are tried optimistically will no longer be
retried after a failure.
Greg Hudson [Sat, 31 Mar 2018 14:43:49 +0000 (10:43 -0400)]
Be more careful asking for AS key in SPAKE client
Asking for the AS key too early can result in password prompts in
situations where SPAKE won't proceed, such as when the KDC offers only
second factor types not supported by the client.
In spake_prep_questions(), decode the received message and make sure
it's a challenge with a supported group and second factor type
(SF-NONE at the moment). Save the decoded message and use it in
spake_process(). Do not retrieve the AS key at the beginning of
spake_process(); instead do so in process_challenge() after checking
the challenge group and factor types.
Move contains_sf_none() earlier in the file so that it can be used by
spake_prep_questions() without a prototype.
The KCM server returns KRB5_CC_END in response to a GET_CACHE_BY_UUID
request to indicate that the specified ccache uuid no longer exists.
In krb5_ptcursor_next(), ignore this error and continue the iteration,
as the Heimdal KCM client code does.
In addition to addressing the case where a third party deletes a cache
between the GET_CACHE_UUID_LIST request and when we reach that uuid in
the iteration, this change also fixes a bug in kdestroy -A where the
caller deletes the primary cache and we later request it by uuid when
iterating over the list.
Greg Hudson [Tue, 27 Mar 2018 14:36:05 +0000 (10:36 -0400)]
Fix SPAKE memory leak
In the NIST group implementations, ossl_fini() needs to free the
groupdata container as well as its fields. Also in
spake_kdc.c:parse_data(), initialize the magic field of the resulting
data object to avoid a harmless uninitialized memory copy.
Greg Hudson [Wed, 21 Mar 2018 22:17:08 +0000 (18:17 -0400)]
Simplify ASN.1 encoding
Like most ASN.1 DER implementations, we encode backwards. The
existing asn1buf implementation inserts bytes forward into a
resizeable buffer, then reallocates the number of bytes inserted and
reverses them.
Throw out this implementation and replace it with two simple inline
functions in asn1_encode.c, which conditionally insert bytes in
reverse order and unconditionally increment a count. Make two passes
over the input representation, once to count the encoding size and
once to actually encode it into a precisely allocated buffer. Remove
all of the explicit length counting from encoding functions; in the
places where we need intermediate lengths, compute them from the
difference in buffer byte count. Make a few encoding functions return
void as they no longer have error cases.
Greg Hudson [Wed, 21 Mar 2018 15:04:32 +0000 (11:04 -0400)]
Use stdint types in ASN.1 code
Replace krb5 fixed-width typedef names with [u]int{16,32}_t, and use
uint8_t in place of unsigned char and asn1_octet. Use krb5_error_code
in place of asn1_error_code, and remove dependencies on internal ASN.1
headers from the tests.
This is an implementation of draft-ietf-kitten-krb-spake-preauth-05.
SPAKE preauth authenticates using the client principal long-term key,
but protects against offline dictionary attacks.
SPAKE preauth negotiates a group for use by the SPAKE2 algorithm. The
edwards25519 group is implemented using code adapted from BoringSSL.
The P-256, P-384, and P-521 groups are implemented against OpenSSL.
edwards25519 is enabled by default on the client; no groups are
enabled by default on the KDC.
SPAKE preauth can also include a second factor. Second factor support
isn't included in this implementation; comments have been left to
indicate what should change when it is added in.
Integration tests (tests/t_spake.py) are included with good coverage
of the negotiation scenarios.
Test vectors from the draft are checked against the group's "result"
operation. The "keygen" operation is inherently random and is
therefore not tested against the vectors, but is effectively exercised
by the integration tests.
KDC optimistic challenge is implemented. In the future we should
implement client optimistic SPAKE as well; this will require changes
to the generic client preauth framework.
In the future we should add per-realm configuration to deny encrypted
timestamp and encrypted challenge on a per-realm basis. This
configuration should stick across client realm referrals.
In the future we should avoid attempting encrypting timestamp or
encrypted challenge if the KDC replies to a single-factor
SPAKEResponse message with PREAUTH_FAILED. This will require a change
to the generic client preauth framework.
In the future we should make SPAKE support apply to the Windows build,
either by adding support for building plugin DLLs or by moving the
edwards25519 and client code to libkrb5.
[npmccallum@redhat.com: split up internal headers; split out group
registry contents; implemented P-384 and P-521]
Greg Hudson [Sun, 4 Feb 2018 01:53:42 +0000 (20:53 -0500)]
Add vector support to k5_sha256()
Add a length argument so that multiple krb5_data values can be passed
to k5_sha256(), for efficient computation of SHA-256 hashes over
concatenations of data values.
Greg Hudson [Sun, 18 Mar 2018 02:47:34 +0000 (22:47 -0400)]
Report extended errors in kinit -k -t KDB:
In kinit, if we recreate the context using kinit_kdb_init(), also
reset the global errctx so that we use the new context to retrieve
extended error messages.
Greg Hudson [Mon, 19 Mar 2018 01:41:02 +0000 (21:41 -0400)]
Avoid rereading non-regular profile files
If a profile file is a special device such as a pipe, then reloading
it will cause us to discard its contents. Repurpose the first
PROFILE_FILE flag bit to indicate that the file should not be
reloaded. In profile_update_file_data_locked(), set the flag on the
first load if stat() doesn't indicate a regular file, and check the
flag before testing whether we need to perform any subsequent reload.
Later on in profile_update_file_data_locked(), specifically unset the
DIRTY flag rather than unsetting all flags other than SHARED, so that
we don't clear the NO_RELOAD flag.
Greg Hudson [Mon, 12 Mar 2018 19:44:39 +0000 (15:44 -0400)]
Omit AS-REP etype-info for replaced reply keys
etype-info in AS-REP is currently only useful when no
pre-authentication took place. Don't send it if a preauth mech
replaced the reply key, as we can't send something consistently
meaningful (the enctype must match the replaced reply key per RFC
4120, but the salt from the client key data corresponds to the initial
reply key).
Greg Hudson [Tue, 13 Feb 2018 21:33:33 +0000 (16:33 -0500)]
Always use AS-REP enctype in PKINIT client
The get_etype() callback originally only returned the AS-REP enctype
for PKINIT, but was changed for encrypted challenge to sometimes
return the enctype from etype-info. (Encrypted challenge no longer
uses the callback; PKINIT is currently the only known consumer.) Make
sure to always return the AS-REP enctype if an AS-REP has been
received, so that the PKINIT clpreauth module uses the correct enctype
even if the KDC sends a different enctype in etype-info in violation
of RFC 4120.
Robbie Harwood [Thu, 15 Mar 2018 18:37:28 +0000 (14:37 -0400)]
Include preauth name in trace output if possible
Add a {patype} trace format specifier for a single pa-type value. Add
a krb5_preauthtype to string conversion function to trace machinery
and use it when formatting {patype} or {patypes}.
[ghudson@mit.edu: wrote conversion function; edited commit message]
Greg Hudson [Mon, 12 Mar 2018 15:31:46 +0000 (11:31 -0400)]
Add PKINIT KDC support for freshness token
Send a freshness token in the preauth hint list if PKINIT is
configured and the request padata indicates support. Verify the
freshness token if the client includes one in a PKINIT request, and
log whether one was received. If pkinit_require_freshness is set to
true in the realm config, reject non-anonymous requests which don't
contain a freshness token.
Add freshness token tests to t_pkinit.py with some related changes.
Remove client long-term keys after testing password preauth so we get
better error reporting when pkinit_require_freshness is set and a
token is not sent. Remove ./responder invocations for test cases
which don't ask PKINIT responder questions, or else the responder
would fail now that it isn't being asked for the password. Leave
anonymous PKINIT enabled after the anonymous tests so that we can use
it again when testing enforcement of pkinit_require_freshness. Add
expected trace messages for the basic test, including one for
receiving a freshness token. Add minimal expected trace messages for
the RSA test.
Greg Hudson [Tue, 31 Jan 2017 22:02:34 +0000 (17:02 -0500)]
Add PKINIT client support for freshness token
Send an empty PA_AS_FRESHNESS padata item in unauthenticated AS
requests to indicate support for RFC 8070. If the KDC includes a
PA_AS_FRESHNESS value in its method data, echo it back in the new
freshnessToken field of pkAuthenticator
Greg Hudson [Fri, 16 Mar 2018 00:27:30 +0000 (20:27 -0400)]
Fix read overflow in KDC sort_pa_data()
sort_pa_data() could read past the end of pa_order if all preauth
systems in the table have the PA_REPLACES_KEY flag, causing a
dereference of preauth_systems[-1]. This situation became possible
after commit fea1a488924faa3938ef723feaa1ff12d22a91ff with the
elimination of static_preauth_systems; before that there were always
table entries which did not have PA_REPLACES_KEY set.
Fix this bug by removing the loop to count n_key_replacers, and
instead get the count from the prior loop by stopping once we move all
of the key-replacing modules to the front.
Robbie Harwood [Wed, 14 Mar 2018 18:31:22 +0000 (14:31 -0400)]
Exit with status 0 from kadmind
Typically, 0 denotes successful exit. In particular, init systems
will complain if another different value is returned. This presents a
problem for automated installation jobs which want to restart kadmind.
`service kadmin stop` typically sends SIGTERM, which is caught by
verto and passed to our handler. Besides cleanup, we then call
verto_break(), which causes the verto_run() event loop to return. The
weird return code has been present since the addition of the kadmin
code, which used a similar event model for signals.
Isaac Boukris [Tue, 13 Mar 2018 23:19:17 +0000 (01:19 +0200)]
Allow validation of PACs with enterprise names
In k5_pac_validate_client(), if we are verifying against an enterprise
principal, parse the PAC_CLIENT_INFO field as an enterprise principal.
This scenario may arise in the response to an S4U2Self request for an
enterprise principal, as the KDC does not appear to canonicalize the
client principal requested in PA-FOR-USER.
Greg Hudson [Sun, 11 Feb 2018 20:23:35 +0000 (15:23 -0500)]
Simplify kdc_preauth.c systems table
Get rid of static_preauth_systems, and replace it with explicit calls
to helper functions in get_preauth_hint_list() and return_padata().
Stop preallocating pa-data lists, instead reallocating on each
addition using add_pa_data_element(). Also simplify
maybe_add_etype_info2() using add_pa_data_element().
The KRB5_PADATA_PAC_REQUEST table entry did nothing, and was probably
originally added back when the KDC would error out on unrecognized
padata types. The KRB5_PADATA_SERVER_REFERRAL entry has been disabled
since it was first added.
Greg Hudson [Thu, 21 Dec 2017 16:28:52 +0000 (11:28 -0500)]
Refactor KDC krb5_pa_data utility functions
Move alloc_padata from fast_util.c to kdc_util.c and make it
non-static so it can be used by other files. Rename it to
alloc_pa_data for consistency with add_pa_data_element. Make it
correctly handle zero length using a null contents pointer.
Make add_pa_data_element claim both the container and contents memory
from the caller, now that callers can use alloc_pa_data to simplify
allocation and copying. Remove the copy parameter and the unused
context parameter, and put the list parameter first. Adjust all
callers accordingly, making small simplifications to memory handling
where applicable.
Greg Hudson [Sat, 3 Mar 2018 18:44:00 +0000 (13:44 -0500)]
Fix capaths "." values on client
Commit b72aef2c1cbcc76f7fba14ddc54a4e66e7a4e66c (ticket 6966)
introduced k5_client_realm_path() for use on the client in place of
krb5_walk_realm_tree(), but failed to handle the special case of a
capaths "." value as is done in the latter function. Correct that
omission and add a test case.
Greg Hudson [Tue, 6 Mar 2018 05:14:49 +0000 (00:14 -0500)]
Use libkrb5support hex decoder in PKINIT
In pkinit_crypto_openssl.c, remove hex_string_to_bin() (recently added
for ease of backporting) and instead use k5_hex_decode() in
pkinit_get_certs_pkcs11(). Change the type of cert_id and cert_id_len
in pkinit_identity_crypto_context to avoid needing type conversion
intermediates.
Sumit Bose [Fri, 26 Jan 2018 16:47:50 +0000 (11:47 -0500)]
Fix hex conversion of PKINIT certid strings
When parsing a PKCS11 token specification, correctly convert from hex
to binary instead of using OpenSSL bignum functions (which would strip
leading zeros).
[ghudson@mit.edu: made hex_string_to_bin() a bit less verbose; wrote
commit message]
Greg Hudson [Sat, 13 Jun 2015 20:04:53 +0000 (16:04 -0400)]
Add ASN.1 encoders and decoders for SPAKE types
Add a new internal header k5-spake.h. Add ASN.1 encoder and decoder
functions and an internal free function for SPAKE types. Add ASN.1
tests and asn1c test vectors the new types.
The additions to to make-vectors.c use C99 designated initializers in
order to initialize unions. This is okay since make-vectors.c is only
compiled as part of "make test-vectors" and not as part of the regular
build.
Greg Hudson [Tue, 27 Feb 2018 18:09:51 +0000 (13:09 -0500)]
Improve KDC encrypting key memory management
Commit 0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d caused encrypting_key
to hold either an owned or alias pointer depending on the presence of
the KDC_OPT_ENC_TKT_IN_SKEY (u2u) flag in the request. For better
memory management safety, introducing server_keyblock to hold owned
memory in the non-u2u case, and turning encrypting_key into an alias
pointer for both cases.
Greg Hudson [Tue, 27 Feb 2018 16:56:58 +0000 (11:56 -0500)]
Fix KDC encrypting key memory leak on some errors
Commit 0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d separated the
allocation and destruction of encrypting_key, causing it to leak when
any of the intervening calls jump to the cleanup label. Currently the
leak manifests on transited or authdata failures. Move encrypting_key
destruction to the cleanup label so that it can't leak. Reported by
anedvedicky@gmail.com.
sashan [Tue, 20 Feb 2018 21:35:51 +0000 (22:35 +0100)]
Fix trivial KDC memory leak with test KDB module
If a KDB module zeroes out the master key in its fetch_master_key()
method (as the test KDB module does), krb5_db_fetch_mkey() will copy
it, allocating one byte of memory for the contents. The KDC will then
leak it on exit, as the length is zero. Simplify master key
destruction using zapfree().
sashan [Mon, 26 Feb 2018 01:03:49 +0000 (02:03 +0100)]
Improve PKINIT DH output parameter handling
Apply current practices for output parameter handling and memory
management to client_create_dh(), client_process_dh(), and
server_process_dh(). Initialize the output arguments at the
beginning, use local variables to hold their values until success is
guaranteed, and transfer memory to the output arguments at the end.
Use a cleanup label which runs on both success and failure.
The client_create_dh() cleanup code conditionalizes on retval, which
we usually try to avoid, as it needs to clean up a cryptoctx field on
error only.
[ghudson@mit.edu: wrote commit message; added similar changes to
client_create_dh() and client_process_dh()]
sashan [Tue, 20 Feb 2018 21:30:53 +0000 (22:30 +0100)]
Free cert info in pkinit_identity_initialize()
The pkinit_identity_crypto_context creds field contains a collection
of cert info deduced from configuration, and is used to select the
identity certificate on the client and the KDC. Its lifetime is
managed separately from the context, by crypto_load_certs() and
crypto_free_cert_info().
Prior to commit 60426439f672fe273ceead17910f818da1954c5b, the lifetime
was managed purely within pkinit_identity_initialize(). When that
function now split into two phases, pkinit_identity_initialize() began
leaving the creds array around unnecessarily. The client calling
function made its own call to free the creds array, but this was not
done by the KDC calling function. The result was that the creds array
was overwritten in pkinit_identity_prompt(), leaking a small amount of
memory at KDC startup. This leak is trivial, but adds noise to leak
detection tools.
Fix the leak by freeing the creds array in
pkinit_identity_initialize() before returning, and remove the
no-longer-necessary call in pkinit_client_prep_questions(). In the
longer term, it might be better to separate the creds array from
pkinit_identity_crypto_context and manage it using local variables
within pkinit_identity_initialize() and pkinit_identity_prompt().
sashan [Tue, 20 Feb 2018 22:03:36 +0000 (23:03 +0100)]
Fix memory leak in KDC PKINIT code
Commit e5c77a11341a79e6af1e5aef7c587a5b75a9e378 introduced a memory
leak of the client public key in server_process_dh(). Free
client_pubkey on success as well as failure.
Robbie Harwood [Thu, 11 Jan 2018 18:47:10 +0000 (13:47 -0500)]
Fix grouping of GGF extensions in gssapi_ext.h
Move gss_import/export_cred to be with the rest of the GGF extensions
and mark them as using Heimdal's signatures. Also add clarifying
comments that gss_set_cred_option and gssspi_mech_invoke are not part
of the GGF extensions.
Greg Hudson [Sat, 10 Feb 2018 05:31:45 +0000 (00:31 -0500)]
Make public headers work with gcc -Wundef
The C standard allows undefined symbols in #if statements, giving them
the value 0 (C99 section 6.10.1). However, some software builds with
gcc -Wundef, which issues a warning on undefined symbols in
preprocessor expressions. Make the public headers safe for that
environment by using #ifdef instead of #if for TARGET_OS_MAC.
Reported by Ben Kaduk.
Greg Hudson [Fri, 12 Jan 2018 16:43:01 +0000 (11:43 -0500)]
Fix flaws in LDAP DN checking
KDB_TL_USER_INFO tl-data is intended to be internal to the LDAP KDB
module, and not used in disk or wire principal entries. Prevent
kadmin clients from sending KDB_TL_USER_INFO tl-data by giving it a
type number less than 256 and filtering out type numbers less than 256
in kadm5_create_principal_3(). (We already filter out low type
numbers in kadm5_modify_principal()).
In the LDAP KDB module, if containerdn and linkdn are both specified
in a put_principal operation, check both linkdn and the computed
standalone_principal_dn for container membership. To that end, factor
out the checks into helper functions and call them on all applicable
client-influenced DNs.
CVE-2018-5729:
In MIT krb5 1.6 or later, an authenticated kadmin user with permission
to add principals to an LDAP Kerberos database can cause a null
dereference in kadmind, or circumvent a DN container check, by
supplying tagged data intended to be internal to the database module.
Thanks to Sharwan Ram and Pooja Anil for discovering the potential
null dereference.
CVE-2018-5730:
In MIT krb5 1.6 or later, an authenticated kadmin user with permission
to add principals to an LDAP Kerberos database can circumvent a DN
containership check by supplying both a "linkdn" and "containerdn"
database argument, or by supplying a DN string which is a left
extension of a container DN string but is not hierarchically within
the container DN.
Greg Hudson [Wed, 7 Feb 2018 15:45:31 +0000 (10:45 -0500)]
Fix Leash AddDisplayItem() declaration
Commit a9cbbf0899f270fbb14f63ffbed1b6d542333641 changed three
parameters in AddDisplayItem() from long to time_t, but did not change
the corresponding declaration in LeashView.h. Fix that now.
gcc 7 cannot determine that appdefault_get() always sets *ret_value
when it returns zero, so issues a "may be used uninitialized" warning
in its caller. Set *ret_value at the beginning of the function body
in accordance with current practices.
Greg Hudson [Fri, 19 Jan 2018 18:01:43 +0000 (13:01 -0500)]
Fix type error in klog com_err hook
As a variable argument, buf.data won't be automatically cast from
void * to char * when passed to krb5_klog_syslog(), so to be correct
we must do it manually.
Greg Hudson [Wed, 17 Jan 2018 23:31:43 +0000 (18:31 -0500)]
Trace log on k5tls load failure
If sendto_kdc fails to establish an MS-KKDCP connection because the
k5tls module cannot be loaded, output a trace log before closing the
connection. Reported by Jochen Hein.
Greg Hudson [Thu, 18 Jan 2018 21:56:12 +0000 (16:56 -0500)]
Back off Travis build to default dist
Travis appears to have deployed a testing xenial environment which
runs a daemon that sometimes interferes with apt commands. Remove the
"dist: xenial" line so we run in the default, supported distribution
(currently trusty).
Greg Hudson [Mon, 8 Jan 2018 16:14:06 +0000 (11:14 -0500)]
Remove logging default severity
The default severity for syslog outputs was only used for com_err()
messages (which are rare so far), and doesn't really make sense;
severity is a property of an individual message, not of a device.
Remove the severity field in a backward-compatible manner.
Greg Hudson [Thu, 4 Jan 2018 16:01:28 +0000 (11:01 -0500)]
Improve klog com_err hook
Remove the code to read a severity from the first byte of format, as
it is an unclear interface and likely unused. Also stop using the
configured default severity for syslog devices. Instead, log at error
severity if a code is given, and at informational severity if one is
not.
Pass the formatted message to krb5_klog_syslog() so that it uses the
same format in log files as regular logged messages.
Add krb5_klog_set_context() to allow the context for extended error
messages to be reset, so that KDC plugins can log using the context
object for the realm being served for each request.
Use k5buf for simpler memory management in the hook function.
Greg Hudson [Wed, 3 Jan 2018 16:59:14 +0000 (11:59 -0500)]
Include etype-info in for hardware preauth hints
If a principal has the requires_hwauth bit set, include PA-ETYPE-INFO
or PA-ETYPE-INFO2 padata in the PREAUTH_REQUIRED error, as preauth
mechs involving hardware tokens may also use the principal's Kerberos
password.
Robbie Harwood [Mon, 13 Nov 2017 18:32:37 +0000 (13:32 -0500)]
Expose context errors in pkinit_server_plugin_init
Commit 3ff426b9048a8024e5c175256c63cd0ad0572320 attempted to display
an error when OCSP support was requested, but this error message was
suppressed in pkinit_server_plugin_init(). Add a trace log for each
realm initialization error, and pass through the realm initialization
error when the KDC serves only one realm. Other error messages from
pkinit_init_kdc_profile(), such as missing pkinit_identity or
pkinit_anchors, are also now exposted.
projects / thirdparty / krb5.git / log
