Greg Hudson [Sat, 31 Oct 2020 21:07:05 +0000 (17:07 -0400)]
Add recursion limit for ASN.1 indefinite lengths
The libkrb5 ASN.1 decoder supports BER indefinite lengths. It
computes the tag length using recursion; the lack of a recursion limit
allows an attacker to overrun the stack and cause the process to
crash. Reported by Demi Obenour.
CVE-2020-28196:
In MIT krb5 releases 1.11 and later, an unauthenticated attacker can
cause a denial of service for any client or server to which it can
send an ASN.1-encoded Kerberos message of sufficient length.
Greg Hudson [Wed, 19 Aug 2020 15:49:29 +0000 (11:49 -0400)]
Suppress Leash error popup on MSLSA renew failure
Attempting to renew the MSLSA cache can commonly fail with
KRB5_CC_NOTFOUND due to LSA policy. Do not display an error popup in
this case. Also fix a logic error in the existing suppressions.
Greg Hudson [Wed, 19 Aug 2020 15:37:12 +0000 (11:37 -0400)]
Fix Leash crash when ticket autorenewal fails
CLeashView::RenewTicket() falls back to an ImportTicket or InitTicket
operation if ticket renewal fails. A 2004 commit (from the old
pismere repository) added code to heuristically determine whether
Leash's cache was imported by comparing the MSLSA cache principal name
to ticketinfo.Krb5.principal. Commit 9bc411e72fce5bed3ed00ae5b09f8c239309bae0 broke this code by removing
the call to initialize ticketinfo.Krb5 and by making
ticketinfo.Krb5.principal ephemeral. The strcmp() call now crashes
the process with a null dereference.
Fix the crash by removing the heuristic detection of imported tickets,
using the current value of m_importedTickets (which should be correct
unless Leash was restarted after the tickets were obtained) to decide
whether to import or initialize tickets.
In get_mech_set(), check the length before reading the first byte, and
decrease the length by the tag byte when reading and verifying the
sequence length.
In get_req_flags(), check the length before reading the first byte,
and check the context tag length after decoding it.
Greg Hudson [Fri, 19 Jun 2020 19:05:37 +0000 (15:05 -0400)]
Avoid using LMDB environments across forks
In krb5kdc and kadmind, reinitialize the DB state after daemonizing,
to prevent using an LMDB environment in a different process than it
was created. Otherwise the daemon's reader table slot appears to be
stale and can be claimed by another process.
In kadmind, this change means that global_server_handle changes value
after the loop setup. Add an extra level of pointer indirection so
that the handle passed to the loop remains valid.
kdb_init_hist() is now called twice by kadmind. Change it to avoid
leaking hist_princ on the second invocation.
Greg Hudson [Thu, 4 Jun 2020 17:19:53 +0000 (13:19 -0400)]
Set pw_expiration during LDAP load
When loading a principal entry in process_k5beta7_princ(), set the
KADM5_PW_EXPIRATION mask bit so that the password expiration time is
set on the principal entry. Add a regression test.
Greg Hudson [Fri, 16 Oct 2020 15:35:18 +0000 (11:35 -0400)]
Unregister thread key in SPNEGO finalization
Commit d160bc733a3dbeb6d84f4e175234ff18738d9f66 (ticket 7045) added a
new thread key K5_KEY_GSS_SPNEGO_STATUS and registered it in SPNEGO
library initialization, but neglected to unregister it in
finalization. As a result, loading, unloading, and reloading
libgssapi_krb5 could throw an assertion failure if libkrb5support
remained loaded. Unregister the key in SPNEGO finalization and add a
test case.
Always use six digits with leading 0s to format the microseconds in
trace log timestamps; otherwise a small value appears as too large of
a fraction of a second.
Greg Hudson [Tue, 25 Feb 2020 16:32:09 +0000 (11:32 -0500)]
Allow deletion of require_auth with LDAP KDB
In update_ldap_mod_auth_ind(), if there is no string attribute value
for require_auth, check for krbPrincipalAuthInd attributes that might
need to be removed. (This will only work if the entry is loaded and
then modified, but that is the normal case for an existing entry.)
Move the update_ldap_mod_auth_ind() call inside the tl-data
conditional (which should perhaps be a check for KADM5_TL_DATA in the
mask instead). A modification which did not intend to update tl-data
should not remove the krbPrincipalAuthInd attributes.
Change get_int_from_tl_data() to to zero its output so that it can't
leave a garbage value behind if it returns 0 (as it does if no
KDB_TL_USER_INFO tl-data is present).
Isaac Boukris [Sat, 1 Feb 2020 15:13:30 +0000 (16:13 +0100)]
Put KDB authdata first
Windows services, as well as some versions of Samba, may refuse
tickets if the PAC is not in the first AD-IF-RELEVANT container. In
fetch_kdb_authdata(), change the merge order so that authdata from the
KDB module appears first.
[ghudson@mit.edu: added comment and clarified commit message]
Greg Hudson [Sat, 11 Jan 2020 04:47:34 +0000 (23:47 -0500)]
Fix error handling in gssint_mechglue_init()
In the unlikely event that one of the functions called by
gssint_mechglue_init() returns an error, return that error to the
caller rather than continuing on and discarding the error status.
Returning success when some of the operations failed could fool the
library finalizer into thinking that initialization completed.
Reported by Spencer Malone.
Robbie Harwood [Tue, 17 Dec 2019 22:37:41 +0000 (17:37 -0500)]
Fix LDAP policy enforcement of pw_expiration
In the LDAP backend, the change mask is used to determine what LDAP
attributes to update. As a result, password expiration was not set
from policy when running during addprinc, among other issues.
However, when the mask did not contain KADM5_PRINCIPAL, pw_expiration
would be applied regardless, which meant that (for instance) changing
the password would cause the password application to be applied.
Remove the check for KADM5_PRINCIPAL, and fix the mask to contain
KADM5_PW_EXPIRATION where appropriate. Add a regression test to
t_kdb.py.
[ghudson@mit.edu: also set KADM5_ATTRIBUTES for randkey and setkey
since they both unset KRB5_KDB_REQUIRES_PWCHANGE; edited comments and
commit message]
Greg Hudson [Wed, 11 Dec 2019 17:09:27 +0000 (12:09 -0500)]
In mkrel, build documentation with python3
After commit 95830231758de259abbbccedbac01613f578768a, the
documentation cannot be built with Python 2. Run make with
"PYTHON=python3" to ensure that we use Python 3.
Greg Hudson [Sun, 17 Nov 2019 00:54:51 +0000 (19:54 -0500)]
Fix kadmin addprinc -randkey -kvno
Commit f07bca9fc94a5cf2e3c0f58226c7973a4b86b7a9 made addprinc -randkey
use a single RPC request, but the server-side handling always creates
the random keys with kvno 1. If a kvno is specified in the RPC
request, set the kvno of the key data after creating it. Reported by
Andreas Ladanyi.
Greg Hudson [Mon, 11 Nov 2019 17:25:41 +0000 (12:25 -0500)]
Fix SPNEGO fallback context handling
In init_ctx_call_init(), if gss_init_sec_context() fails while
producing the first SPNEGO initiator token, we remove the first
candidate mechanism from sc->mech_set and try again. If
sc->ctx_handle is present after the error (more likely after commit 56f7b1bc95a2a3eeb420e069e7655fb181ade5cf), we must clear it before
falling back or it will cause subsequent attempts to fail.
Greg Hudson [Sun, 6 Oct 2019 22:35:50 +0000 (18:35 -0400)]
Accept GSS mechs which don't supply attributes
If gss_inquire_attrs_for_mech() is called for a mechanism which does
not implement it, the call will succeed with mech_attrs set to
GSS_C_NO_OID_SET (as is explicitly allowed by RFC 5587).
generic_gss_test_oid_set_member() returns an error on this value,
causing gss_accept_sec_context() to erroneously deny the mechanism
when no verifier credential handle is supplied. Change
allow_mech_by_default() to explicitly check for no mech attribute set.
Commit 969331732b62e73d1e073ff3ad87bf1774ee9fd1 (ticket 7369) removed
the code to return UPDATE_BUSY if the database was modified within the
last ten seconds, but did not remove the corresponding documentation
text. Remove it now.
Remove ldapbackend.rst, as it is largely redundant with conf_ldap.rst.
Simplify conf_ldap.rst, using kerberos.openldap.ldif (added by ticket
8529) and removing unnecessary command arguments. Mention the
possibility of using SASL authentication (added by ticket 7944) as an
alternative to binding with DN and password. Remove unnecessary
access rights.
In kdc_conf.rst, remove ldap_servers from the list of relations read
from [dbdefaults], as it is only read from the realm's database
configuration section.
In kdb5_ldap_util.rst, document "-r" as a global parameter, as it
applies in some fashion to all commands. Make the same changes to the
kdb5_ldap_util usage message, and make it fit within 80 columns.
Robbie Harwood [Wed, 14 Aug 2019 17:52:27 +0000 (13:52 -0400)]
Fix KCM client time offset propagation
An inverted status check in get_kdc_offset() would cause querying the
offset time from the ccache to always fail (silently) on KCM. Fix the
status check so that KCM can properly handle desync.
Greg Hudson [Wed, 14 Aug 2019 15:46:14 +0000 (11:46 -0400)]
Don't skip past zero byte in profile parsing
In parse_quoted_string(), only process an escape sequence if there is
a second character after the backlash, to avoid reading past the
terminating zero byte. Reported by Lutz Justen.
Robbie Harwood [Fri, 9 Aug 2019 18:07:22 +0000 (14:07 -0400)]
Initialize life/rlife in kdcpolicy interface
A value of 0 indicates that the plugin doesn't wish to modify lifetimes.
Make this the default, rather than requiring all plugins to set these
values themselves.
Michael Mattioli [Sun, 14 Jul 2019 21:35:17 +0000 (17:35 -0400)]
Correct documentation of final profiles
The documentation for krb5.conf explaining final values is incorrect.
Only sections and subsections may usefully be marked as final, and
final designations only apply to later files, not to the same file.
[ghudson@mit.edu: corrected and shortened documentation; rewrote
commit message]
Greg Hudson [Thu, 6 Jun 2019 15:35:36 +0000 (11:35 -0400)]
Improve logging documentation
The default severity was removed by commit 6ce8fd4cfa2e9b1e92debd204a5b2ddf053cca55 (ticket 8630) but the example
still talks about it; remove that text. Add a note about the default
being syslog if nothing else is specified, and a note on how to
disable logging.
Greg Hudson [Tue, 28 May 2019 14:55:56 +0000 (10:55 -0400)]
Fix Python fallback in configure.ac
Commit 2bd410ecdb366083fe9b4e5f6ac4b741b624230b (ticket 8709)
contained a typo "text" for "test", preventing the Python path check
from falling back from python2 to python. This is now a fallback from
python3 to python, but the typo remains. Fix it now.
Greg Hudson [Sun, 5 May 2019 23:32:21 +0000 (19:32 -0400)]
Remove outdated text in krb5kdc/kadmind man pages
Some init systems, such as systemd, can run daemon processes in the
foreground, so admonishments to let krb5kdc and kadmind background
themselves in normal operation can be confusing. Remove those
sentences.
The example code for gss_get_mic_iov() using a caller-provided buffer
calls gss_wrap_iov_length() and gss_wrap_iov() instead of
gss_get_mic_iov_length() and gss_get_mic_iov() as intended. Reported
by Frank Filz.
Greg Hudson [Mon, 21 Oct 2019 14:29:35 +0000 (10:29 -0400)]
Fix gssalloc_realloc() on Windows
gss_inquire_sec_context_by_oid(GSS_C_INQ_SSPI_SESSION_KEY) fails on
Windows because generic_gss_add_buffer_set_member() relies on the
ability to realloc() a null pointer. Unlike realloc(), HeapReAlloc()
requires an input pointer that (from the MSDN documentation) "is
returned by an earlier call to the HeapAlloc or HeapReAlloc function".
So gssalloc_realloc() must test for null inputs and call HeapAlloc()
instead.
Greg Hudson [Mon, 21 Oct 2019 17:56:55 +0000 (13:56 -0400)]
Fix t_otp.py for pyrad 2.2
pyrad 2.2 throws a KeyError exception in DecodePacket if any
attributes from the packet are not defined in the dictionary. Add a
dictionary entry for Service-Type so this doesn't happen.
Greg Hudson [Wed, 19 Jun 2019 04:57:30 +0000 (00:57 -0400)]
Convert OTP and kdcproxy tests to Python 3
Commit e23d24beacb73581bbf4351250f3955e6fd44361 did not convert
t_otp.py or paste-kdcproxy.py. Convert t_otp.py to Python3. Rewrite
paste-kdcproxy.py using wsgiref from the standard Python library to
avoid the Paste dependency.
Rewriting the qualname Perl script to use getaddrinfo created an
unchecked dependency on Perl 5.14. Instead, remove the script and use
the C program in tests/resolve for the kadmin and gssrpc test suites.
In the utilities used by the dejagnu test suites, use
getaddrinfo()/getnameinfo() instead of
gethostbyname()/gethostbyaddr(), as the results can vary when the
local hostname appears in multiple lines in /etc/hosts.
In t_ccselect.py, don't cause an error if the canonicalized local
hostname is "localhost". The tests will continue to run in this case,
as long as we don't try to create duplicate principals.
In sim_server.c, bind to the wildcard address instead of the resolved
local hostname, to resolve a mysterious problem observed in Travis
where the second of three sim_client send() operations fails with
ECONNREFUSED.
Greg Hudson [Tue, 19 Mar 2019 15:15:26 +0000 (11:15 -0400)]
Suppress krb5_cc_start_seq_get() popups in Leash
Under some circumstances (perhaps related to a February Windows 10
update), Leash can get past the krb5_cc_get_principal() step when
processing an empty MSLSA ccache, and get a KRB5_CC_NOMATCH error from
krb5_cc_start_seq_get(). Do not display a modal error dialog if this
happens.
Corene Casper [Sat, 16 Feb 2019 05:49:26 +0000 (00:49 -0500)]
Fix memory leak in 'none' replay cache type
Commit 0f06098e2ab419d02e89a1ca6bc9f2828f6bdb1e fixed part of a memory
leak in the 'none' replay cache type by freeing the outer container,
but we also need to free the mutex.
Isaac Boukris [Mon, 7 Jan 2019 19:09:34 +0000 (21:09 +0200)]
Remove erroneous text from kinit man page
Commit 4c4859fa83295db5c26f47b96c719060cfd9e2b1 changed the kinit man
page to state that kinit -E (enterprise) implies -C (canonicalize).
The client does not automatically set the canonicalize option when
getting tickets for an enterprise principal, and Windows KDCs can
issue tickets for enterprise principals without canonicalizing the
principal (contrary to the implication of RFC 6806 section 5). Remove
the misleading text.
[ghudson@mit.edu: updated RST man page and regenerated nroff file;
rewrote commit message]
sashan [Tue, 18 Dec 2018 11:04:56 +0000 (12:04 +0100)]
Fix build issues with Solaris native compiler
In the LDAP KDB module, fix an empty initializer. In the SPAKE
edwards25519 code, use autoconf tests to determine whether to use the
64-bit code. In the SPAKE update_thash() function, make sure the
types of the conditional expression results match exactly. In
libkrb5support, link against zap.o now that k5buf.o can use zap() (as
of commit 8ee8246c14702dc03b02e31b9fb5b7c2bb674bfb).
Isaac Boukris [Sat, 15 Dec 2018 09:56:36 +0000 (11:56 +0200)]
Remove incorrect KDC assertion
The assertion in return_enc_padata() is reachable because
kdc_make_s4u2self_rep() may have previously added encrypted padata.
It is no longer necessary because the code uses add_pa_data_element()
instead of allocating a new list.
CVE-2018-20217:
In MIT krb5 1.8 or later, an authenticated user who can obtain a TGT
using an older encryption type (DES, DES3, or RC4) can cause an
assertion failure in the KDC by sending an S4U2Self request.
[ghudson@mit.edu: rewrote commit message with CVE description]
Greg Hudson [Mon, 26 Nov 2018 18:37:46 +0000 (13:37 -0500)]
Document necessary delay in master key rolllover
During master key rollover, if the old master key is purged
immediately after updating principal encryption, running processes may
not successfully update their in-memory copies of the master key.
Document that the administrator should delay purging the master key
until after propagation and some daemon activity.
Robbie Harwood [Mon, 5 Nov 2018 18:49:52 +0000 (13:49 -0500)]
Fix spurious errors from kcmio_unix_socket_write
Commit 33634a940166d0b21c3105bab8dcf5550fbbd678 accidentally changed
the return value from kcmio_unix_socket_write to be the result of the
write call. Most commonly this resulted in it returning 8, which led
to many commands failing with "Exec format error".
Greg Hudson [Sat, 27 Oct 2018 00:26:48 +0000 (20:26 -0400)]
Update auto-generated files
Regenerate dependency files and mit-krb5.pot. Regenerate man pages
and NOTICE with python-sphinx 1.6.7. Regenerate deltat.c with bison
3.0.4. Update config.guess and config.sub from upstream (commit 2fa97a8a0ed37bec720bd118d65e674cebf50404).
Robbie Harwood [Tue, 16 Oct 2018 19:19:46 +0000 (15:19 -0400)]
Retry KCM writes once on remote hangup
sssd's KCM daemon has a client timeout (typically 60 seconds). Add
reconnection logic to kcmio_unix_socket_write() to allow this
behavior, and to potentially allow for the daemon to be upgraded.
[ghudson@mit.edu: adjusted commit message, comment, and code slightly]
Greg Hudson [Thu, 25 Oct 2018 16:55:50 +0000 (12:55 -0400)]
Improve code hygiene of kdb5_util dump helpers
kdb5_util dump can very briefly leak a file handle if the ok file
cannot be locked, or if the existing dump file cannot be read. Add a
cleanup handler to prep_ok_file() and use proper output parameter
handling. Change current_dump_sno_in_ulog() to close its file handle
before checking the result of fgets(). Reported by Bean Zhang.
Greg Hudson [Thu, 25 Oct 2018 15:56:58 +0000 (11:56 -0400)]
Fix leak on error in kadm5 randkey handling
An attempt to change the kadmin/history key with the -keepold flag
would leak the KDB entry and keysalt tuple as it returned an error.
Use the cleanup handler instead of returning directly. Reported by
Bean Zhang.
Greg Hudson [Wed, 24 Oct 2018 03:00:24 +0000 (23:00 -0400)]
Document aliases for enterprise get_principal
Enterprise principals are always aliases. In most contexts when we
see them we pass KRB5_KDB_FLAG_ALIAS_OK to the KDB module's
get_principal method, but for S4U2Self clients we currently do not.
Document that a KDB module may return an alias for enterprise
principals regardless of flags.
Robbie Harwood [Mon, 15 Oct 2018 19:19:12 +0000 (15:19 -0400)]
Update man pages to reference kerberos(7)
Remove broken references to old kerberos(1). Reference kerberos(7)
from all man pages, and create/update their environment section so
that it references kerberos(7).
Robbie Harwood [Mon, 15 Oct 2018 17:20:30 +0000 (13:20 -0400)]
Modernize kerberos(7)
Update environment variable descriptions, using env_variables.rst as a
guide. Replace the content in env_variables.rst with a pointer to
documentation at kerberos(7) so that we don't break external links and
don't duplicate content.
Replace references to rlogin. Clarify and modernize other language.
Robbie Harwood [Tue, 9 Oct 2018 21:05:10 +0000 (17:05 -0400)]
Bring back general kerberos man page
Restore the content of kerberos(1) as it stood in 0f81e372a2830c9170f6e08dfa956841d0ebdfb1. Convert to ReST to match
the other man pages, and install it as the more appropriate
kerberos(7).
Build kerberos(7) and check it in to avoid breaking the build.
Isaac Boukris [Mon, 15 Oct 2018 15:33:15 +0000 (18:33 +0300)]
Add GSS_KRB5_NT_ENTERPRISE_NAME name type
Add a new name-type OID which causes a string to be imported as an
enterprise name. This is useful for authenticating and impersonating
users with their UPN names.
Resurrect t_imp_name test to exercise importing of the new name OID.
Also add a test using the new name in cross-realm protocol transition,
to exercise s4u_identify_user() with multiple realms.
[ghudson@mit.edu: added Windows export entry; adjusted comments and
test code; edited commit message]
Isaac Boukris [Tue, 23 Oct 2018 09:52:41 +0000 (12:52 +0300)]
Start S4U2Self realm lookup at server realm
When looking up the realm of an enterprise principal, start with the
realm of the server instead of the realm attached to the enterprise
name, as specified in [MS-SFU] 3.1.5.1.1.1.
[ghudson@mit.edu: simplified out client_data+client into just client;
edited commit message]
Greg Hudson [Mon, 15 Oct 2018 22:00:35 +0000 (18:00 -0400)]
Fix up kdb5_util documentation
In kdb5_util.rst, reorder the main option summary to match the order
they are documented in below, and document the -x option. Remove the
kdb5_util create -h switch case as 'h' has never been in the getopt
string. Add the -r18 option to the kdb5_util dump and load option
summaries. Reword the kdb5_util load -hash option. Remove the
nonexistent kdb5_util load dbname parameter.
In database.rst, alter the example for loading a single principal to
use the dump principal filtering functionality, as that functionality
does not currently exist for load.
In the kdb5_util usage error message, reorder the main options to
match the order in the documentation and to fit within 79 columns.
Also add the -P option.
Greg Hudson [Mon, 15 Oct 2018 23:12:45 +0000 (19:12 -0400)]
Use port-sockets.h macros in cc_kcm, sendto_kdc
Use SOCKET_CONNECT in cc_kcm.c and sendto_kdc.c to prevent SIGPIPE on
BSD-like systems. Use other port-sockets.h macros in cc_kcm.c in case
it is ever used on Windows.
Greg Hudson [Thu, 4 Oct 2018 22:10:48 +0000 (18:10 -0400)]
Fix 64-bit Windows socket write error handling
Add casts to ensure that the result type of SOCKET_WRITEV() on Windows
can represent -1. Otherwise it will be treated as 2^32-1 when cast to
ssize_t on 64-bit Windows, which can lead to crashes in
krb5_sendto_kdc(). Reported by Puran Chand.
Isaac Boukris [Fri, 5 Oct 2018 11:43:51 +0000 (14:43 +0300)]
Add more constraints to S4U2Self processing
Of the eight possible combinations of local or cross TGT, local or
non-local user, and local server or referral, four are valid. The
previous commit rejects two of the invalid cases (local TGT and
referral, with local or non-local user). Document the four valid
cases and reject the remaining two invalid combinations.
Isaac Boukris [Fri, 5 Oct 2018 11:14:32 +0000 (14:14 +0300)]
Allow referrals for cross-realm S4U2Self requests
According to MS-SFU 3.2.5.1.1, the KDC should issue a referral for
S4U2Self requests if the requesting service is not in the KDC's realm.
Commit 8a9909ff9ef6b51c5ed09ead6713888fbb34072f explicitly prevents
referrals for S4U2Self requests; on further analysis, this appears to
have been preserving a bug rather than applying a proper constraint.
However, we should not issue referrals for within-realm S4U2Self
requests. (This should only come up if a server possesses a TGT but
its principal entry has been deleted.)
Remove the S4U2Self referral check in process_tgs_req(). Instead add
a more specific check in kdc_process_s4u2self_req(), adding new
parameters for the header server principal and a flag indicating
whether a referral is indicated.
projects / thirdparty / krb5.git / log
