Greg Hudson [Tue, 3 Aug 2021 05:15:27 +0000 (01:15 -0400)]
Fix KDC null deref on TGS inner body null server
After the KDC decodes a FAST inner body, it does not check for a null
server. Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
would typically result in an error from krb5_unparse_name(), but with
the addition of get_local_tgt() it results in a null dereference. Add
a null check.
Reported by Joseph Sutton of Catalyst.
CVE-2021-37750:
In MIT krb5 releases 1.14 and later, an authenticated attacker can
cause a null dereference in the KDC by sending a FAST TGS request with
no server field.
Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 altered the memory
management of krb5_gss_inquire_cred(), introducing defcred to act as
an owner pointer when the function must acquire a default credential.
The commit neglected to update the code to release the default cred
along the successful path. The old code does not trigger because
cred_handle is now reassigned, so the default credential is leaked.
Robbie Harwood [Sat, 29 May 2021 17:25:59 +0000 (13:25 -0400)]
Fix use-after-free during krad remote_shutdown()
Since elements of the queue can be removed on out-of-memory errors,
the correct call is K5_TAILQ_FOREACH_SAFE, not K5_TAILQ_FOREACH.
Reported by Coverity.
Greg Hudson [Sun, 20 Jun 2021 23:24:07 +0000 (19:24 -0400)]
Using locking in MEMORY krb5_cc_get_principal()
Without locking, the principal pointer could be freed out from under
krb5_copy_principal() by another thread calling krb5_cc_initialize()
or krb5_cc_destroy().
Joseph Sutton [Tue, 6 Jul 2021 23:47:44 +0000 (11:47 +1200)]
Fix KDC null deref on bad encrypted challenge
The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
to avoid further processing if the armor key is NULL. However, this
check is bypassed by a call to k5memdup0() which overwrites retval
with 0 if the allocation succeeds. If the armor key is NULL, a call
to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
crash. Add a check before the k5memdup0() call to avoid overwriting
retval.
CVE-2021-36222:
In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
cause a null dereference in the KDC by sending a request containing a
PA-ENCRYPTED-CHALLENGE padata element without using FAST.
[ghudson@mit.edu: trimmed patch; added test case; edited commit
message]
Fix three Windows-specific argument type errors, including a crash bug
in the default replay cache type. Change the compiler flags to treat
several argument type warnings as errors.
The replay cache bug was reported by Thomas Wagner.
Greg Hudson [Sat, 31 Oct 2020 21:07:05 +0000 (17:07 -0400)]
Add recursion limit for ASN.1 indefinite lengths
The libkrb5 ASN.1 decoder supports BER indefinite lengths. It
computes the tag length using recursion; the lack of a recursion limit
allows an attacker to overrun the stack and cause the process to
crash. Reported by Demi Obenour.
CVE-2020-28196:
In MIT krb5 releases 1.11 and later, an unauthenticated attacker can
cause a denial of service for any client or server to which it can
send an ASN.1-encoded Kerberos message of sufficient length.
Greg Hudson [Wed, 19 Aug 2020 15:49:29 +0000 (11:49 -0400)]
Suppress Leash error popup on MSLSA renew failure
Attempting to renew the MSLSA cache can commonly fail with
KRB5_CC_NOTFOUND due to LSA policy. Do not display an error popup in
this case. Also fix a logic error in the existing suppressions.
Greg Hudson [Wed, 19 Aug 2020 15:37:12 +0000 (11:37 -0400)]
Fix Leash crash when ticket autorenewal fails
CLeashView::RenewTicket() falls back to an ImportTicket or InitTicket
operation if ticket renewal fails. A 2004 commit (from the old
pismere repository) added code to heuristically determine whether
Leash's cache was imported by comparing the MSLSA cache principal name
to ticketinfo.Krb5.principal. Commit 9bc411e72fce5bed3ed00ae5b09f8c239309bae0 broke this code by removing
the call to initialize ticketinfo.Krb5 and by making
ticketinfo.Krb5.principal ephemeral. The strcmp() call now crashes
the process with a null dereference.
Fix the crash by removing the heuristic detection of imported tickets,
using the current value of m_importedTickets (which should be correct
unless Leash was restarted after the tickets were obtained) to decide
whether to import or initialize tickets.
In get_mech_set(), check the length before reading the first byte, and
decrease the length by the tag byte when reading and verifying the
sequence length.
In get_req_flags(), check the length before reading the first byte,
and check the context tag length after decoding it.
Windows Remote Management, when used with an RC4 session key, appears
to generate GSS wrap tokens with no padding instead of the expected
one byte (RFC 4757 section 7.3). These tokens cannot be decoded with
gss_unwrap() or a STREAM buffer (even with Microsoft SSPI), but SSPI
allows them to be decoded using explicit IOVs with either a
zero-length padding buffer or no padding buffer. Allow these cases to
work in kg_fixup_padding_iov(). (It is already possible to make this
work with HEADER | DATA | DATA, but only by
accident--kg_fixup_padding_iov() doesn't find a data buffer because
kg_locate_iov() only looks for singleton buffers, so it exits early.)
Greg Hudson [Fri, 19 Jun 2020 19:05:37 +0000 (15:05 -0400)]
Avoid using LMDB environments across forks
In krb5kdc and kadmind, reinitialize the DB state after daemonizing,
to prevent using an LMDB environment in a different process than it
was created. Otherwise the daemon's reader table slot appears to be
stale and can be claimed by another process.
In kadmind, this change means that global_server_handle changes value
after the loop setup. Add an extra level of pointer indirection so
that the handle passed to the loop remains valid.
kdb_init_hist() is now called twice by kadmind. Change it to avoid
leaking hist_princ on the second invocation.
Greg Hudson [Thu, 4 Jun 2020 17:19:53 +0000 (13:19 -0400)]
Set pw_expiration during LDAP load
When loading a principal entry in process_k5beta7_princ(), set the
KADM5_PW_EXPIRATION mask bit so that the password expiration time is
set on the principal entry. Add a regression test.
Greg Hudson [Fri, 16 Oct 2020 15:35:18 +0000 (11:35 -0400)]
Unregister thread key in SPNEGO finalization
Commit d160bc733a3dbeb6d84f4e175234ff18738d9f66 (ticket 7045) added a
new thread key K5_KEY_GSS_SPNEGO_STATUS and registered it in SPNEGO
library initialization, but neglected to unregister it in
finalization. As a result, loading, unloading, and reloading
libgssapi_krb5 could throw an assertion failure if libkrb5support
remained loaded. Unregister the key in SPNEGO finalization and add a
test case.
Robbie Harwood [Thu, 20 Aug 2020 21:49:29 +0000 (17:49 -0400)]
Unify kvno option documentation
Add missing kvno options to the kvno.rst synopsis and option
descriptions, and to the kvno usage message. Remove mention of '-h'
(help text), from kvno.rst as it is an implicit option.
Indicate the two exclusions (-u/-S and --u2u with the S4U2Self options)
and dependency (-P on S4U2Self) where they are missing.
Switch xusage() to print only a single localized string, rather than
running each line of output through localization separately.
Leave kvno -C undocumented for now, as the semantics of
KRB5_GC_CANONICALIZE are minimally useful and likely to change.
[ghudson@mit.edu: edited documentation and commit message]
Greg Hudson [Thu, 21 May 2020 18:15:25 +0000 (14:15 -0400)]
Fix SPNEGO acceptor mech filtering
Commit c2ca2f26eaf817a6a7ed42257c380437ab802bd9 (ticket 8851)
accidentally changed the SPNEGO acceptor code to filter mechanisms by
the obtainability of initiator credentials rather than acceptor
credentials, when the default acceptor credential is used.
Greg Hudson [Wed, 13 May 2020 17:05:49 +0000 (13:05 -0400)]
Prevent use of invalid local TGT key
Commit 570967e11bd5ea60a82fc8157ad7d07602402ebb took a shortcut in
get_local_tgt() by using the first key data entry in the TGT principal
entry. This is usually correct, but if the first key data entry has
an invalid enctype (such as a single-DES enctype), we can select a key
we can't use. Call krb5_dbe_find_enctype() instead. Reported by
Leonard Peirce.
Greg Hudson [Sun, 10 May 2020 16:59:24 +0000 (12:59 -0400)]
Add stubs for some removed replay cache functions
Commit dcb853ac32779b173f39e19c0f24b0087de85771 removed some replay
cache functions that haven't been considered part of the libkrb5 API.
Some of these functions were used in OpenSSL (despite the lack of
prototypes) prior to the OpenSSL 1.1 release. Run-time linker errors
can occur if an OpenSSL 1.0.x (or earlier) libssl is used with a 1.18
libkrb5, even though the Kerberos code would likely never be used.
Add stubs for the four functions historically used in OpenSSL.
Commit 24b844714dea3e47b17511746b5df5b6ddf13d43 (ticket 8845) added
releases of sc->internal_name and sc->deleg_cred before calling the
underlying mech's gss_accept_sec_context(), to avoid a potential leak
if the mech reports a value multiple times. Commit c2ca2f26eaf817a6a7ed42257c380437ab802bd9 (ticket 8851) added a branch
which calls negoex_accept() instead of calling directly into the
underlying mech. If negoex_accept() doesn't call into the mech on the
last acceptor leg, the src_name and deleg_cred values from the final
mech call are lost.
Move the releases to the non-NegoEx branch. negoex_accept() already
does its own releases when it calls into the mech.
Commit d439e370b70f7af4ed2da9c692a3be7dcf7b4ac6 (ticket 8800) caused
ksu to ignore KRB5CCNAME from the environment. ksu uses euid
switching to access the source cache, and should honor KRB5CCNAME to
find the ccache to potentially authorize the su operation.
Add a helper function init_ksu_context() to create the ksu context,
with explicit code to honor KRB5CCNAME using
krb5_cc_set_default_name().
Always use six digits with leading 0s to format the microseconds in
trace log timestamps; otherwise a small value appears as too large of
a fraction of a second.
Greg Hudson [Tue, 24 Mar 2020 06:00:25 +0000 (02:00 -0400)]
Make fiat 128-bit typedefs work with older gcc
Use the int128_t and uint128_t types defined by edwards25519.c, rather
than [un]signed __int128 which does not compile with gcc 4.4.
Reported by Norm Green.
Isaac Boukris [Wed, 29 Jan 2020 21:35:50 +0000 (22:35 +0100)]
Change KDC constrained-delegation precedence order
MS-SFU errata from 2019/12/09 indicates that legacy constrained
delegation should be prefered over resource-based constrained
delegation, which results slight diferences.
Also clarify that in the get_authdata_info KDB method, the PAC must be
verified and checked for user sensitivity for S4U2Proxy. Document
that the client name should only be provided in the cross-realm
S4U2Proxy case.
[ghudson@mit.edu: clarified comments and commit message]
TBK [Wed, 26 Feb 2020 20:12:45 +0000 (21:12 +0100)]
Fix Linux build error with musl libc
Commit bf5953c549a6d279977df69ffe89b2ba51460eaf caused a build failure
on non-glibc Linux build environments. Change the conditionalization
so that __GLIBC_PREREQ will only be used if it is defined.
Greg Hudson [Tue, 25 Feb 2020 16:32:09 +0000 (11:32 -0500)]
Allow deletion of require_auth with LDAP KDB
In update_ldap_mod_auth_ind(), if there is no string attribute value
for require_auth, check for krbPrincipalAuthInd attributes that might
need to be removed. (This will only work if the entry is loaded and
then modified, but that is the normal case for an existing entry.)
Move the update_ldap_mod_auth_ind() call inside the tl-data
conditional (which should perhaps be a check for KADM5_TL_DATA in the
mask instead). A modification which did not intend to update tl-data
should not remove the krbPrincipalAuthInd attributes.
Change get_int_from_tl_data() to to zero its output so that it can't
leave a garbage value behind if it returns 0 (as it does if no
KDB_TL_USER_INFO tl-data is present).
Greg Hudson [Wed, 19 Feb 2020 20:36:38 +0000 (15:36 -0500)]
Fix AS-REQ checking of KDB-modified indicators
Commit 7196c03f18f14695abeb5ae4923004469b172f0f (ticket 8823) gave the
KDB the ability to modify auth indicators, but it happens after the
asserted indicators are checked against the server principal
requirements. In finish_process_as_req(), move the call to
check_indicators() after the call to handle_authdata() so that the
final indicator list is checked.
For the test case, add string attribute functionality to the test KDB
module, and fix a bug where test_get_principal() would return failure
if a principal has no keys. Also add a test case for AS-REQ
enforcement of normally asserted auth indicators.
Isaac Boukris [Thu, 30 Jan 2020 18:38:44 +0000 (19:38 +0100)]
Always use S4U2Proxy second ticket parsed authdata
When the KDC handles an S4U2Proxy request, if the KDB module returned
parsed authdata for the header ticket and not for the second ticket,
we could erroneously pass the header ticket's parsed authdata to
handle_authdata(). Make sure we always pass the parsed authdata for
the second ticket.
Isaac Boukris [Sat, 1 Feb 2020 12:21:39 +0000 (13:21 +0100)]
Test that PAC is the first authdata element
In the test KDB module, set the PAC as the first authdata element. In
adata.c, add PAC service verification and verify that a PAC does not
appear in authdata elements after the first.
[ghudson@mit.edu: minor style changes; edited commit message]
Isaac Boukris [Sat, 1 Feb 2020 15:13:30 +0000 (16:13 +0100)]
Put KDB authdata first
Windows services, as well as some versions of Samba, may refuse
tickets if the PAC is not in the first AD-IF-RELEVANT container. In
fetch_kdb_authdata(), change the merge order so that authdata from the
KDB module appears first.
[ghudson@mit.edu: added comment and clarified commit message]
Greg Hudson [Fri, 24 Jan 2020 15:25:18 +0000 (10:25 -0500)]
Honor transited-policy-checked flag in servers
For consistency with Heimdal and simplicity of server configuration,
do not check the transited field in krb5_rd_req() if the
transited-policy-checked flag is set in the ticket.
Add a cross-realm test using the gcred and rdreq harnesses to test
server transited processing. Also fix the KDC capaths case so that
the client actually doesn't know the path to the server realm. In
k5test.py, adjust _cfg_merge() to remove keys mapped to None in the
second dictionary (instead of mapping them to None in the result), so
that deleting whole sections works. Remove the corresponding check
for None in _write_cfg_section() as it is no longer needed.
Robbie Harwood [Tue, 14 Jan 2020 19:23:00 +0000 (14:23 -0500)]
Apply permitted_enctypes to KDC request enctypes
permitted_enctypes was initially intended only to restrict the
processing of AP requests (and was later applied to KDB key data
searches so that the KDC wouldn't issue a ticket it would refuse to
accept). Because the documentation was never clear about its scope,
many configurations assume that permitted_enctypes also applies to
clients.
In light of the existing configurations, take the simple way out and
use permitted_enctypes as the default for default_tkt_enctypes and
default_tgs_enctypes. Update the documentation, add a test to
explicitly check the new behavior, and remove now-unnecessary
configuration from the test suite.
[ghudson@mit.edu: unrolled helper function; edited documentation and
commit message; simplified test case]
Greg Hudson [Thu, 23 Jan 2020 19:49:24 +0000 (14:49 -0500)]
Further simplify test KDB module authdata code
Commit 94f7c9705879500b1dc8dda8592490efce05688f simplified the
generation of authdata elements, but left behind some unnecessary
conditionalization when assembling the elements into a list, causing a
Coverity defect. Further simplify the code.
Isaac Boukris [Wed, 15 Jan 2020 10:14:00 +0000 (11:14 +0100)]
Allow cross-realm RBCD with PAC and other authdata
For cross-realm S4U2Proxy requests, require a PAC to be present to
bypass signedpath verification, but do not require it to be the only
authdata element. For within-realm requests, add and verify
signedpath authdata regardless of the presence of a PAC.
Simplify the test KDB authdata module and the existing RBCD tests as
we no longer need a way to suppress the test module's KDB authdata.
[ghudson@mit.edu: rewrote commit message; reordered a condition for
efficiency]
Isaac Boukris [Wed, 15 Jan 2020 12:54:44 +0000 (13:54 +0100)]
Fix KDC crash in handle_signticket
Commit d47f7dba3779c9e36e1dedaac830dac1dd248fb3 changed the parameters
passed to sign_authdata() for S4U2Proxy requests so that client is the
entry for the impersonated client (not the impersonator), and added a
new parameter for the impersonator entry. It should have changed the
call to handle_signticket() to use the impersonator entry. Fix the
handle_signticket() call, and change some parameter names to more
clearly indicate the flow of subject_server from process_tgs_req() to
handle_authdata() to its helpers.
Isaac Boukris [Thu, 12 Dec 2019 02:20:44 +0000 (03:20 +0100)]
Add tests for S4U request-authdata handling
In adata.c, look up the server in the keytab by ticket->server (which
has the canonicalized realm), to allow testing of cross-realm RBCD
(although unused for now).
In s4u2proxy.c, set KRB5_GC_CANONICALIZE to support RBCD, and add an
authdata request option. Add an s4u2self test harness with authdata
request option.
[ghudson@mit.edu: minor code simplifications; edited commit message]
Greg Hudson [Sat, 11 Jan 2020 04:47:34 +0000 (23:47 -0500)]
Fix error handling in gssint_mechglue_init()
In the unlikely event that one of the functions called by
gssint_mechglue_init() returns an error, return that error to the
caller rather than continuing on and discarding the error status.
Returning success when some of the operations failed could fool the
library finalizer into thinking that initialization completed.
Reported by Spencer Malone.
Robbie Harwood [Tue, 17 Dec 2019 22:37:41 +0000 (17:37 -0500)]
Fix LDAP policy enforcement of pw_expiration
In the LDAP backend, the change mask is used to determine what LDAP
attributes to update. As a result, password expiration was not set
from policy when running during addprinc, among other issues.
However, when the mask did not contain KADM5_PRINCIPAL, pw_expiration
would be applied regardless, which meant that (for instance) changing
the password would cause the password application to be applied.
Remove the check for KADM5_PRINCIPAL, and fix the mask to contain
KADM5_PW_EXPIRATION where appropriate. Add a regression test to
t_kdb.py.
[ghudson@mit.edu: also set KADM5_ATTRIBUTES for randkey and setkey
since they both unset KRB5_KDB_REQUIRES_PWCHANGE; edited comments and
commit message]
Greg Hudson [Thu, 19 Dec 2019 18:52:32 +0000 (13:52 -0500)]
Work around macOS SIP in the test suite
In macOS 10.11 and later with System Integrity Protection enabled,
system programs (including the shell) purge DYLD_LIBRARY_PATH from the
environment at startup. As a result, any part of "make check" which
runs via a shell script must explicitly restore the runtime
environment. Add a common rule for runenv.sh, and create and source
it where shell scripts are run. Dejagnu's runtest is a shell script,
so create a tcl file for the kadmin and RPC unit tests and source it
from unix.exp. Avoid using the shell to run commands in several
places. Use return_trace=True for tests that previously indirected
through /usr/bin/env.
Do not include <malloc.h> in t_parse_host_string.c, as it does not
exist on macOS and is not needed.
Skip the iprop tests on macOS when SIP is enabled, as signal
restrictions appear to prevent the kpropd child process from informing
the parent process that a full resync has completed.
In net-server.c, set SO_REUSEPORT as well as SO_REUSEADDR on listener
sockets. Otherwise the krb5kdc processes run by the test suite
sometimes fail to start with "address in use" errors.
In configure.ac, only generate po/Makefile if we will descend into it.
Greg Hudson [Tue, 10 Dec 2019 17:06:05 +0000 (12:06 -0500)]
Fix xdr_bytes() strict-aliasing violations
When xdr_bytes() is used for a gss_buffer_desc object, a temporary
character pointer must be used for the data value to avoid a strict
aliasing violation.
When xdr_bytes() is used for a krb5_keyblock object, a temporary
character pointer must also be used, even though the data pointer is
of type unsigned char *, to avoid a clang warning on macOS due to the
"#pragma pack" declaration in krb5.h.
Greg Hudson [Mon, 9 Dec 2019 16:42:47 +0000 (11:42 -0500)]
Add NegoEx assertion to squash defect
Coverity sees negoex_init() test whether input_token is null before
parsing messages, then dereference input_token in verify_checksum().
Of course verify_checksum() will not find a checksum message if no
messages were parsed. Add an assert to squash the false positive
forward-null defect.
Isaac Boukris [Wed, 25 Dec 2019 23:23:21 +0000 (00:23 +0100)]
Remove KRB5_KDB_FLAG_ALIAS_OK
It is simpler and more consistent with Windows to let the KDB module
always return aliases, and use KDC logic (already present) to decide
whether to use the requested or canonical principal name in the
ticket.
With the removal of this flag, "kinit alias" (without the -C flag)
against the LDAP KDB module will issue a ticket for the alias name,
instead of failing with a "client not found" error.
[ghudson@mit.edu: edited comments; wrote commit message]
Isaac Boukris [Sat, 2 Nov 2019 12:32:32 +0000 (13:32 +0100)]
Do not always canonicalize enterprise principals
When processing an AS request in the KDC, do not assume
KRB5_KDB_FLAG_CANONICALIZE for enterprise client names. This change
allows the KDB module to only canonicalize enterprise client names if
the canonicalize flag was set on the request, as Windows does. The
KDB module may check the principal type and apply canonicalization as
appropriate.
Robbie Harwood [Thu, 19 Dec 2019 22:49:05 +0000 (17:49 -0500)]
Don't warn in kadmin when no policy is specified
Not having policy defined is a normal occurrence. While it's a useful
message to log in case it's unexpected, the current form is
unnecessarily alarmist.
Greg Hudson [Thu, 19 Dec 2019 07:25:15 +0000 (02:25 -0500)]
Simplify keytab creation in kadmin and RPC tests
In init_db and init.exp, do not create an ovsec_adm.keytab; kadmind
has authenticated directly against the KDB since commit 416d9a774090ee78c30a844025887bd2b9e79d16. Since we no longer create
ovsec_adkm principals, perform the deletion and recreation tests with
kadmin/ principals.
In helpers.exp, use kadmin to create the server keytab file, instead
of using make-host-keytab.pl.
Remove environment variable settings for make-host-keytab.pl from
scripts that no longer use it.
Greg Hudson [Wed, 11 Dec 2019 17:09:27 +0000 (12:09 -0500)]
In mkrel, build documentation with python3
After commit 95830231758de259abbbccedbac01613f578768a, the
documentation cannot be built with Python 2. Run make with
"PYTHON=python3" to ensure that we use Python 3.
Add a mock NegoEx-only GSS module, a test program which establishes a
SPNEGO context, and a Python script to exercise a variety of NegoEx
negotiation scenarios.
projects / thirdparty / krb5.git / log
