49 files changed, 480 insertions, 253 deletions
@@ -1,4 +1,4 @@ -Copyright (C) 1985-2023 by the Massachusetts Institute of Technology. +Copyright (C) 1985-2024 by the Massachusetts Institute of Technology. All rights reserved. @@ -6,7 +6,7 @@ Copyright and Other Notices --------------------------- -Copyright (C) 1985-2023 by the Massachusetts Institute of Technology +Copyright (C) 1985-2024 by the Massachusetts Institute of Technology and its contributors. All rights reserved. Please see the file named NOTICE for additional notices. @@ -97,6 +97,30 @@ removed. Beginning with the krb5-1.18 release, all support for single-DES encryption types has been removed. +Major changes in 1.21.3 (2024-06-26) +------------------------------------ + +This is a bug fix release. + +* Fix vulnerabilities in GSS message token handling [CVE-2024-37370, + CVE-2024-37371]. + +* Fix a potential bad pointer free in krb5_cccol_have_contents(). + +* Fix a memory leak in the macOS ccache type. + +krb5-1.21.2 changes by ticket ID +-------------------------------- + +9102 Eliminate sim_client include of getopt.h +9103 segfault trying to free a garbage pointer +9104 Work around Doxygen 1.9.7 change +9107 In PKINIT, check for null PKCS7 enveloped fields +9109 memory leak on macos +9115 Fix leak in KDC NDR encoding +9125 Formatting error in realm_config.rst +9128 Fix vulnerabilities in GSS message token handling + Major changes in 1.21.2 (2023-08-14) ------------------------------------ @@ -324,6 +348,7 @@ reports, suggestions, and valuable resources: Michael Calmer Andrea Campi Julien Chaffraix + Jacob Champion Puran Chand Ravi Channavajhala Srinivas Cheruku @@ -454,6 +479,7 @@ reports, suggestions, and valuable resources: Mantas Mikulėnas Markus Moeller Kyle Moffett + Jon Moore Paul Moore Keiichi Mori Michael Morony @@ -506,6 +532,7 @@ reports, suggestions, and valuable resources: Richard Silverman Cel Skeggs Simo Sorce + Anthony Sottile Michael Spang Michael Ströder Bjørn Tore Sund 
diff --git a/doc/admin/realm_config.rst b/doc/admin/realm_config.rst index 35e4857..9f5ad50 100644 --- a/doc/admin/realm_config.rst +++ b/doc/admin/realm_config.rst @@ -156,7 +156,8 @@ _kerberos-master._udp If you have only one KDC, or for whatever reason there is no accessible KDC that would get database changes faster than the - others, you do not need to define this entry. _kerberos-adm._tcp + others, you do not need to define this entry. +_kerberos-adm._tcp This should list port 749 on your primary KDC. Support for it is not complete at this time, but it will eventually be used by the :ref:`kadmin(1)` program and related utilities. For now, you will diff --git a/doc/conf.py b/doc/conf.py index cd76f59..ecf9020 100644 --- a/doc/conf.py +++ b/doc/conf.py @@ -45,7 +45,7 @@ else: # General information about the project. project = u'MIT Kerberos' -copyright = u'1985-2023, MIT' +copyright = u'1985-2024, MIT' # The version info for the project you're documenting, acts as replacement for # |version| and |release|, also used in various other places throughout the diff --git a/doc/copyright.rst b/doc/copyright.rst index a98b268..85ecebe 100644 --- a/doc/copyright.rst +++ b/doc/copyright.rst @@ -1,7 +1,7 @@ Copyright ========= -Copyright |copy| 1985-2023 by the Massachusetts Institute of +Copyright |copy| 1985-2024 by the Massachusetts Institute of Technology and its contributors. All rights reserved. See :ref:`mitK5license` for additional copyright and license diff --git a/doc/notice.rst b/doc/notice.rst index 93e096a..498e287 100644 --- a/doc/notice.rst +++ b/doc/notice.rst @@ -1,4 +1,4 @@ -Copyright |copy| 1985-2023 by the Massachusetts Institute of Technology. +Copyright |copy| 1985-2024 by the Massachusetts Institute of Technology. All rights reserved. diff --git a/src/appl/simple/client/sim_client.c b/src/appl/simple/client/sim_client.c index ea1379e..6f42833 100644 --- a/src/appl/simple/client/sim_client.c +++ b/src/appl/simple/client/sim_client.c 
@@ -39,10 +39,7 @@ #include <string.h> #include <errno.h> #include <netdb.h> -#include <getopt.h> -#ifdef HAVE_UNISTD_H #include <unistd.h> -#endif #include "simple.h" diff --git a/src/doc/Doxyfile.in b/src/doc/Doxyfile.in index c225864..aeaae64 100644 --- a/src/doc/Doxyfile.in +++ b/src/doc/Doxyfile.in @@ -11,6 +11,5 @@ GENERATE_HTML = NO GENERATE_LATEX = NO GENERATE_XML = YES PREDEFINED = KRB5_DEPRECATED KRB5_OLD_CRYPTO -CLASS_DIAGRAMS = NO CASE_SENSE_NAMES = NO QUIET = YES diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index 9c76780..4e09ed3 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -52,10 +52,6 @@ #ifndef KRB5_GENERAL__ #define KRB5_GENERAL__ -/** @defgroup KRB5_H krb5 library API - * @{ - */ - /* By default, do not expose deprecated interfaces. */ #ifndef KRB5_DEPRECATED #define KRB5_DEPRECATED 0 @@ -410,7 +406,7 @@ typedef struct _krb5_enc_data { * structures before calling into an iov API. */ typedef struct _krb5_crypto_iov { - krb5_cryptotype flags; /**< @ref KRB5_CRYPTO_TYPE type of the iov */ + krb5_cryptotype flags; /**< iov type (see KRB5_CRYPTO_TYPE macros) */ krb5_data data; } krb5_crypto_iov; @@ -500,7 +496,7 @@ enum { * * @param [in] context Library context * @param [in] key Encryption key - * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) + * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) * @param [in,out] cipher_state Cipher state; specify NULL if not needed * @param [in] input Data to be encrypted * @param [out] output Encrypted data @@ -528,7 +524,7 @@ krb5_c_encrypt(krb5_context context, const krb5_keyblock *key, * * @param [in] context Library context * @param [in] key Encryption key - * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) + * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) * @param [in,out] cipher_state Cipher state; specify NULL if not needed * @param [in] input Encrypted data * @param [out] output Decrypted data 
@@ -601,7 +597,7 @@ krb5_c_keylengths(krb5_context context, krb5_enctype enctype, * * @param [in] context Library context * @param [in] key Key - * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) + * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) * @param [out] new_state New cipher state * * @retval 0 Success; otherwise - Kerberos error codes @@ -854,7 +850,7 @@ krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2, * @param [in] context Library context * @param [in] cksumtype Checksum type (0 for mandatory type) * @param [in] key Encryption key for a keyed checksum - * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) + * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) * @param [in] input Input data * @param [out] cksum Generated checksum * @@ -936,9 +932,6 @@ krb5_error_code KRB5_CALLCONV krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype, unsigned int *count, krb5_cksumtype **cksumtypes); -/** @defgroup KRB5_KEYUSAGE KRB5_KEYUSAGE - * @{ - */ #define KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS 1 #define KRB5_KEYUSAGE_KDC_REP_TICKET 2 #define KRB5_KEYUSAGE_AS_REP_ENCPART 3 
@@ -969,15 +962,15 @@ krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype, /* Defined in Integrating SAM Mechanisms with Kerberos draft */ #define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM 25 -/** Note conflict with @ref KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST */ +/* Note conflict with KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST */ #define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID 26 -/** Note conflict with @ref KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY */ +/* Note conflict with KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY */ #define KRB5_KEYUSAGE_PA_SAM_RESPONSE 27 /* Defined in [MS-SFU] */ -/** Note conflict with @ref KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID */ +/* Note conflict with KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID */ #define KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST 26 -/** Note conflict with @ref KRB5_KEYUSAGE_PA_SAM_RESPONSE */ +/* Note conflict with KRB5_KEYUSAGE_PA_SAM_RESPONSE */ #define KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY 27 /* unused */ @@ -1002,7 +995,6 @@ krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype, * implementation. */ #define KRB5_KEYUSAGE_PA_FX_COOKIE 513 /**< Used for encrypted FAST cookies */ #define KRB5_KEYUSAGE_PA_AS_FRESHNESS 514 /**< Used for freshness tokens */ -/** @} */ /* end of KRB5_KEYUSAGE group */ /** * Verify that a specified encryption type is a valid Kerberos encryption type. @@ -1046,9 +1038,6 @@ krb5_boolean KRB5_CALLCONV krb5_c_is_keyed_cksum(krb5_cksumtype ctype); /* AEAD APIs */ -/** @defgroup KRB5_CRYPTO_TYPE KRB5_CRYPTO_TYPE - * @{ - */ #define KRB5_CRYPTO_TYPE_EMPTY 0 /**< [in] ignored */ #define KRB5_CRYPTO_TYPE_HEADER 1 /**< [out] header */ #define KRB5_CRYPTO_TYPE_DATA 2 /**< [in, out] plaintext */ 
@@ -1059,7 +1048,6 @@ krb5_c_is_keyed_cksum(krb5_cksumtype ctype); #define KRB5_CRYPTO_TYPE_STREAM 7 /**< [in] entire message without decomposing the structure into header, data and trailer buffers */ -/** @} */ /* end of KRB5_CRYPTO_TYPE group */ /** * Fill in a checksum element in IOV array (operates on keyblock) @@ -1067,7 +1055,7 @@ krb5_c_is_keyed_cksum(krb5_cksumtype ctype); * @param [in] context Library context * @param [in] cksumtype Checksum type (0 for mandatory type) * @param [in] key Encryption key for a keyed checksum - * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) + * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) * @param [in,out] data IOV array * @param [in] num_data Size of @a data * @@ -1093,7 +1081,7 @@ krb5_c_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, * @param [in] context Library context * @param [in] cksumtype Checksum type (0 for mandatory type) * @param [in] key Encryption key for a keyed checksum - * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) + * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) * @param [in] data IOV array * @param [in] num_data Size of @a data * @param [out] valid Non-zero for success, zero for failure @@ -1120,7 +1108,7 @@ krb5_c_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, * * @param [in] context Library context * @param [in] keyblock Encryption key - * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) + * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) * @param [in] cipher_state Cipher state; specify NULL if not needed * @param [in,out] data IOV array. Modified in-place. * @param [in] num_data Size of @a data 
@@ -1155,7 +1143,7 @@ krb5_c_encrypt_iov(krb5_context context, const krb5_keyblock *keyblock, * * @param [in] context Library context * @param [in] keyblock Encryption key - * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) + * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) * @param [in] cipher_state Cipher state; specify NULL if not needed * @param [in,out] data IOV array. Modified in-place. * @param [in] num_data Size of @a data @@ -1190,7 +1178,7 @@ krb5_c_decrypt_iov(krb5_context context, const krb5_keyblock *keyblock, * * @param [in] context Library context * @param [in] enctype Encryption type - * @param [in] type Type field (See @ref KRB5_CRYPTO_TYPE types) + * @param [in] type Type field (See KRB5_CRYPTO_TYPE macros) * @param [out] size Length of the @a type specific to @a enctype * * @retval 0 Success; otherwise - Kerberos error codes @@ -1273,7 +1261,7 @@ krb5_k_key_enctype(krb5_context context, krb5_key key); * * @param [in] context Library context * @param [in] key Encryption key - * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) + * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) * @param [in,out] cipher_state Cipher state; specify NULL if not needed * @param [in] input Data to be encrypted * @param [out] output Encrypted data @@ -1301,7 +1289,7 @@ krb5_k_encrypt(krb5_context context, krb5_key key, krb5_keyusage usage, * * @param [in] context Library context * @param [in] key Encryption key - * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) + * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) * @param [in] cipher_state Cipher state; specify NULL if not needed * @param [in,out] data IOV array. Modified in-place. * @param [in] num_data Size of @a data 
@@ -1336,7 +1324,7 @@ krb5_k_encrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, * * @param [in] context Library context * @param [in] key Encryption key - * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) + * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) * @param [in,out] cipher_state Cipher state; specify NULL if not needed * @param [in] input Encrypted data * @param [out] output Decrypted data @@ -1365,7 +1353,7 @@ krb5_k_decrypt(krb5_context context, krb5_key key, krb5_keyusage usage, * * @param [in] context Library context * @param [in] key Encryption key - * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) + * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) * @param [in] cipher_state Cipher state; specify NULL if not needed * @param [in,out] data IOV array. Modified in-place. * @param [in] num_data Size of @a data @@ -1400,7 +1388,7 @@ krb5_k_decrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, * @param [in] context Library context * @param [in] cksumtype Checksum type (0 for mandatory type) * @param [in] key Encryption key for a keyed checksum - * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) + * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) * @param [in] input Input data * @param [out] cksum Generated checksum * @@ -1430,7 +1418,7 @@ krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype, * @param [in] context Library context * @param [in] cksumtype Checksum type (0 for mandatory type) * @param [in] key Encryption key for a keyed checksum - * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) + * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) * @param [in,out] data IOV array * @param [in] num_data Size of @a data * 
@@ -1484,7 +1472,7 @@ krb5_k_verify_checksum(krb5_context context, krb5_key key, krb5_keyusage usage, * @param [in] context Library context * @param [in] cksumtype Checksum type (0 for mandatory type) * @param [in] key Encryption key for a keyed checksum - * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) + * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) * @param [in] data IOV array * @param [in] num_data Size of @a data * @param [out] valid Non-zero for success, zero for failure @@ -1662,11 +1650,9 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, /* definitions for ap_options fields */ -/** @defgroup AP_OPTS AP_OPTS - * +/* * ap_options are 32 bits; each host is responsible to put the 4 bytes * representing these bits into net order before transmission - * @{ */ #define AP_OPTS_RESERVED 0x80000000 #define AP_OPTS_USE_SESSION_KEY 0x40000000 /**< Use session key */ @@ -1707,7 +1693,6 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, #define AP_OPTS_WIRE_MASK 0xfffffff0 -/** @} */ /* end of AP_OPTS group */ /* definitions for ad_type fields. */ #define AD_TYPE_RESERVED 0x8000 @@ -1863,9 +1848,6 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, /* authorization data types. See RFC 4120 section 5.2.6 */ -/** @defgroup KRB5_AUTHDATA KRB5_AUTHDATA - * @{ - */ #define KRB5_AUTHDATA_IF_RELEVANT 1 #define KRB5_AUTHDATA_KDC_ISSUED 4 #define KRB5_AUTHDATA_AND_OR 5 @@ -1880,7 +1862,6 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, #define KRB5_AUTHDATA_FX_ARMOR 71 #define KRB5_AUTHDATA_AUTH_INDICATOR 97 #define KRB5_AUTHDATA_AP_OPTIONS 143 -/** @} */ /* end of KRB5_AUTHDATA group */ /* password change constants */ #define KRB5_KPASSWD_SUCCESS 0 /**< Success */ 
@@ -2190,9 +2171,6 @@ typedef struct _krb5_pa_pac_req { * begin "safepriv.h" */ -/** @defgroup KRB5_AUTH_CONTEXT KRB5_AUTH_CONTEXT - * @{ - */ /** Prevent replays with timestamps and replay cache. */ #define KRB5_AUTH_CONTEXT_DO_TIME 0x00000001 /** Save timestamps for application. */ @@ -2203,7 +2181,6 @@ typedef struct _krb5_pa_pac_req { #define KRB5_AUTH_CONTEXT_RET_SEQUENCE 0x00000008 #define KRB5_AUTH_CONTEXT_PERMIT_ALL 0x00000010 #define KRB5_AUTH_CONTEXT_USE_SUBKEY 0x00000020 -/** @} */ /* end of KRB5_AUTH_CONTEXT group */ /** * Replay data. @@ -3033,9 +3010,6 @@ krb5_server_decrypt_ticket_keytab(krb5_context context, const krb5_keytab kt, void KRB5_CALLCONV krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts); -/** @defgroup KRB5_GC KRB5_GC - * @{ - */ #define KRB5_GC_USER_USER 1 /**< Want user-user ticket */ #define KRB5_GC_CACHED 2 /**< Want cached ticket only */ #define KRB5_GC_CANONICALIZE 4 /**< Set canonicalize KDC option */ @@ -3043,7 +3017,6 @@ krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts); #define KRB5_GC_FORWARDABLE 16 /**< Acquire forwardable tickets */ #define KRB5_GC_NO_TRANSIT_CHECK 32 /**< Disable transited check */ #define KRB5_GC_CONSTRAINED_DELEGATION 64 /**< Constrained delegation */ -/** @} */ /* end of KRB5_GC group */ /** * Get an additional ticket. @@ -3142,7 +3115,7 @@ krb5_get_credentials_renew(krb5_context context, krb5_flags options, * * @param [in] context Library context * @param [in,out] auth_context Pre-existing or newly created auth context - * @param [in] ap_req_options @ref AP_OPTS options + * @param [in] ap_req_options Options (see AP_OPTS macros) * @param [in] service Service name, or NULL to use @c "host" * @param [in] hostname Host name, or NULL to use local hostname * @param [in] in_data Application data to be checksummed in the 
@@ -3170,7 +3143,7 @@ krb5_mk_req(krb5_context context, krb5_auth_context *auth_context, * * @param [in] context Library context * @param [in,out] auth_context Pre-existing or newly created auth context - * @param [in] ap_req_options @ref AP_OPTS options + * @param [in] ap_req_options Options (see AP_OPTS macros) * @param [in] in_data Application data to be checksummed in the * authenticator, or NULL * @param [in] in_creds Credentials for the service with valid ticket @@ -5279,7 +5252,7 @@ krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg, * * Fields in @a auth_context specify the checksum type, the keyblock that * can be used to seed the checksum, full addresses (host and port) for - * the sender and receiver, and @ref KRB5_AUTH_CONTEXT flags. + * the sender and receiver, and KRB5_AUTH_CONTEXT flags. * * The local address in @a auth_context must be set, and is used to form the * sender address used in the KRB-SAFE message. The remote address is @@ -5367,7 +5340,7 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, * with the receiver's application version * @param [in] client Client principal * @param [in] server Server principal - * @param [in] ap_req_options @ref AP_OPTS options + * @param [in] ap_req_options Options (see AP_OPTS macros) * @param [in] in_data Data to be sent to the server * @param [in] in_creds Input credentials, or NULL to use @a ccache * @param [in] ccache Credential cache 
@@ -6608,13 +6581,13 @@ krb5_prompter_posix(krb5_context context, void *data, const char *name, /** * A container for a set of preauthentication questions and answers * - * A responder context is supplied by the krb5 authentication system to a @ref + * A responder context is supplied by the krb5 authentication system to a * krb5_responder_fn callback. It contains a list of questions and can receive * answers. Questions contained in a responder context can be listed using * krb5_responder_list_questions(), retrieved using * krb5_responder_get_challenge(), or answered using - * krb5_responder_set_answer(). The form of a question's challenge and - * answer depend on the question name. + * krb5_responder_set_answer(). The form of a question's challenge and answer + * depend on the question name. * * @version New in 1.11 */ @@ -7527,7 +7500,7 @@ typedef struct _krb5_tkt_creds_context *krb5_tkt_creds_context; * @param[in] context Library context * @param[in] ccache Credential cache handle * @param[in] creds Input credentials - * @param[in] options @ref KRB5_GC options for this request. + * @param[in] options Options (see KRB5_GC macros) * @param[out] ctx New TGS request context * * This function prepares to obtain credentials matching @a creds, either by @@ -8064,7 +8037,7 @@ krb5_clear_error_message(krb5_context ctx); * Unwrap authorization data. * * @param [in] context Library context - * @param [in] type @ref KRB5_AUTHDATA type of @a container + * @param [in] type Container type (see KRB5_AUTHDATA macros) * @param [in] container Authorization data to be decoded * @param [out] authdata List of decoded authorization data * 
@@ -8081,7 +8054,7 @@ krb5_decode_authdata_container(krb5_context context, * Wrap authorization data in a container. * * @param [in] context Library context - * @param [in] type @ref KRB5_AUTHDATA type of @a container + * @param [in] type Container type (see KRB5_AUTHDATA macros) * @param [in] authdata List of authorization data to be encoded * @param [out] container List of encoded authorization data * @@ -8614,6 +8587,4 @@ KRB5INT_END_DECLS #undef KRB5_ATTR_DEPRECATED -/** @} */ /* end of KRB5_H group */ - #endif /* KRB5_GENERAL__ */ diff --git a/src/kdc/ndr.c b/src/kdc/ndr.c index 48395ab..d438408 100644 --- a/src/kdc/ndr.c +++ b/src/kdc/ndr.c @@ -96,14 +96,13 @@ enc_wchar_pointer(const char *utf8, struct encoded_wchars *encoded_out) size_t utf16len, num_wchars; uint8_t *utf16; - k5_buf_init_dynamic(&b); - ret = k5_utf8_to_utf16le(utf8, &utf16, &utf16len); if (ret) return ret; num_wchars = utf16len / 2; + k5_buf_init_dynamic(&b); k5_buf_add_uint32_le(&b, num_wchars + 1); k5_buf_add_uint32_le(&b, 0); k5_buf_add_uint32_le(&b, num_wchars); diff --git a/src/lib/gssapi/krb5/deps b/src/lib/gssapi/krb5/deps index 40451c8..2d93c72 100644 --- a/src/lib/gssapi/krb5/deps +++ b/src/lib/gssapi/krb5/deps 
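Review bot: The relocated `k5_buf_init_dynamic(&b);` call in the ndr.c hunk carries no comment saying what the old placement leaked, and the reorder only changes behaviour if that initializer acquires something the early `return ret;` then abandoned; if it merely zeroes the struct's fields, this hunk alone fixes nothing and the real leak fix must be in code not shown here. I cannot tell which from the hunk, so I'd add a why-comment at the new call site, e.g. `/* Initialize b only after the UTF-16 conversion succeeds, so the early return above cannot leak it. */`, or, if the initializer does not allocate, have the comment point at whatever actually leaked. enc_wchar_pointer() begins and ends outside the hunk.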
@@ -461,8 +461,9 @@ k5unsealiov.so k5unsealiov.po $(OUTPRE)k5unsealiov.$(OBJEXT): \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
   $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
-  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-der.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-input.h $(top_srcdir)/include/k5-int-pkinit.h \
   $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
   $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
   $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
index 3b4f8cb..1fcbdfb 100644
--- a/src/lib/gssapi/krb5/k5sealv3.c
+++ b/src/lib/gssapi/krb5/k5sealv3.c
@@ -408,10 +408,15 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr,
         /* Don't use bodysize here! Use the fact that cipher.ciphertext.length has been adjusted to the correct length. */
+        if (plain.length < 16 + ec) {
+            free(plain.data);
+            goto defective;
+        }
         althdr = (unsigned char *)plain.data + plain.length - 16;
         if (load_16_be(althdr) != KG2_TOK_WRAP_MSG
             || althdr[2] != ptr[2]
             || althdr[3] != ptr[3]
+            || load_16_be(althdr+4) != ec
             || memcmp(althdr+8, ptr+8, 8)) {
             free(plain.data);
             goto defective;
diff --git a/src/lib/gssapi/krb5/k5sealv3iov.c b/src/lib/gssapi/krb5/k5sealv3iov.c
index 333ee12..f8e90c3 100644
--- a/src/lib/gssapi/krb5/k5sealv3iov.c
+++ b/src/lib/gssapi/krb5/k5sealv3iov.c
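Review bot: The new `plain.length < 16 + ec` guard in k5sealv3.c has no comment saying what it protects, and its soundness rests on `ec` being small enough that `16 + ec` cannot wrap the (if `plain` is a krb5_data, unsigned int) length; `ec` is read before this hunk, so I cannot confirm from here that it is the 16-bit EC field. I'd add above the check `/* The plaintext must hold the EC filler plus the 16-byte header copy read below; ec comes from a 16-bit field, so 16 + ec cannot wrap. */`, adjusting the second clause if ec is not bounded that way where it is loaded. The EC-versus-header comparison added further down is mirrored in the k5sealv3iov.c hunk that follows, which does not add a matching length guard. gss_krb5int_unseal_token_v3() begins and ends outside the hunk.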
@@ -402,9 +402,10 @@ gss_krb5int_unseal_v3_iov(krb5_context context,
         if (load_16_be(althdr) != KG2_TOK_WRAP_MSG
             || althdr[2] != ptr[2]
             || althdr[3] != ptr[3]
+            || load_16_be(althdr + 4) != ec
             || memcmp(althdr + 8, ptr + 8, 8) != 0) {
             *minor_status = 0;
-            return GSS_S_BAD_SIG;
+            return GSS_S_DEFECTIVE_TOKEN;
         }
     } else {
         /* Verify checksum: note EC is checksum size here, not padding */
diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
index 85a9574..21b5017 100644
--- a/src/lib/gssapi/krb5/k5unsealiov.c
+++ b/src/lib/gssapi/krb5/k5unsealiov.c
@@ -25,6 +25,7 @@
  */
 #include "k5-int.h"
+#include "k5-der.h"
 #include "gssapiP_krb5.h"
 static OM_uint32
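Review bot: This hunk adds the `load_16_be(althdr + 4) != ec` comparison without a visible check that the buffer behind `althdr` actually holds 16 + ec bytes, unlike the sibling change in k5sealv3.c which guards `plain.length < 16 + ec` first; `althdr` is computed before the hunk, so whether the iov layout already guarantees the bound I cannot tell from here. If it does, record it next to the comparison, `/* NOTE(review): relies on althdr having been bounds-checked when the data iov was located - confirm */`; if it does not, the same guard as in k5sealv3.c belongs before the `if`. Returning GSS_S_DEFECTIVE_TOKEN instead of GSS_S_BAD_SIG fits a malformed header copy better than a checksum failure, so that part reads fine. gss_krb5int_unseal_v3_iov() begins and ends outside the hunk.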
@@ -265,6 +266,73 @@ cleanup:
     return retval;
 }
+/* Similar to k5_der_get_value(), but output an unchecked content length
+ * instead of a k5input containing the contents. */
+static inline bool
+get_der_tag(struct k5input *in, uint8_t idbyte, size_t *len_out)
+{
+    uint8_t lenbyte, i;
+    size_t len;
+
+    /* Do nothing if in is empty or the next byte doesn't match idbyte. */
+    if (in->status || in->len == 0 || *in->ptr != idbyte)
+        return false;
+
+    /* Advance past the identifier byte and decode the length. */
+    (void)k5_input_get_byte(in);
+    lenbyte = k5_input_get_byte(in);
+    if (lenbyte < 128) {
+        len = lenbyte;
+    } else {
+        len = 0;
+        for (i = 0; i < (lenbyte & 0x7F); i++) {
+            if (len > (SIZE_MAX >> 8)) {
+                k5_input_set_status(in, EOVERFLOW);
+                return false;
+            }
+            len = (len << 8) | k5_input_get_byte(in);
+        }
+    }
+
+    if (in->status)
+        return false;
+
+    *len_out = len;
+    return true;
+}
+
+/*
+ * Similar to g_verify_token_header() without toktype or flags, but do not read
+ * more than *header_len bytes of ASN.1 wrapper, and on output set *header_len
+ * to the remaining number of header bytes. Verify the outer DER tag's length
+ * against token_len, which may be larger (but not smaller) than *header_len.
+ */
+static gss_int32
+verify_detached_wrapper(const gss_OID_desc *mech, size_t *header_len,
+                        uint8_t **header_in, size_t token_len)
+{
+    struct k5input in, mech_der;
+    gss_OID_desc toid;
+    size_t len;
+
+    k5_input_init(&in, *header_in, *header_len);
+
+    if (get_der_tag(&in, 0x60, &len)) {
+        if (len != token_len - (in.ptr - *header_in))
+            return G_BAD_TOK_HEADER;
+        if (!k5_der_get_value(&in, 0x06, &mech_der))
+            return G_BAD_TOK_HEADER;
+        toid.elements = (uint8_t *)mech_der.ptr;
+        toid.length = mech_der.len;
+        if (!g_OID_equal(&toid, mech))
+            return G_WRONG_MECH;
+    }
+
+    *header_in = (uint8_t *)in.ptr;
+    *header_len = in.len;
+    return 0;
+}
+
 /*
  * Caller must provide TOKEN | DATA | PADDING | TRAILER, except
  * for DCE in which case it can just provide TOKEN | DATA (must
@@ -285,8 +353,7 @@ kg_unseal_iov_token(OM_uint32 *minor_status,
     gss_iov_buffer_t header;
     gss_iov_buffer_t padding;
     gss_iov_buffer_t trailer;
-    size_t input_length;
-    unsigned int bodysize;
+    size_t input_length, hlen;
     int toktype2;
     header = kg_locate_header_iov(iov, iov_count, toktype);
@@ -316,15 +383,14 @@ kg_unseal_iov_token(OM_uint32 *minor_status,
         input_length += trailer->buffer.length;
     }
-    code = g_verify_token_header(ctx->mech_used,
-                                 &bodysize, &ptr, -1,
-                                 input_length, 0);
+    hlen = header->buffer.length;
+    code = verify_detached_wrapper(ctx->mech_used, &hlen, &ptr, input_length);
     if (code != 0) {
         *minor_status = code;
         return GSS_S_DEFECTIVE_TOKEN;
     }
-    if (bodysize < 2) {
+    if (hlen < 2) {
         *minor_status = (OM_uint32)G_BAD_TOK_HEADER;
         return GSS_S_DEFECTIVE_TOKEN;
     }
@@ -332,7 +398,7 @@ kg_unseal_iov_token(OM_uint32 *minor_status,
     toktype2 = load_16_be(ptr);
     ptr += 2;
-    bodysize -= 2;
+    hlen -= 2;
     switch (toktype2) {
     case KG2_TOK_MIC_MSG:
diff --git a/src/lib/krb5/ccache/cc_api_macos.c b/src/lib/krb5/ccache/cc_api_macos.c
index 3bf30c9..34b1c35 100644
--- a/src/lib/krb5/ccache/cc_api_macos.c
+++ b/src/lib/krb5/ccache/cc_api_macos.c
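Review bot: In verify_detached_wrapper(), a get_der_tag() failure caused by a malformed length (the EOVERFLOW path, or a truncated length field that leaves `in.status` set) falls out of the `if` exactly like the no-wrapper case, so the function returns 0 and passes the caller whatever `in.ptr`/`in.len` the k5input helpers left behind; the caller's later `hlen < 2` test then decides the outcome instead of the wrapper parser, and that depends on how k5_input_set_status() (not shown) resets the input. I'd make the distinction explicit right after the `if` block: `if (in.status) return G_BAD_TOK_HEADER;`. Separately, get_der_tag() accepts the indefinite form (`lenbyte == 0x80`, which yields a length of 0) and non-minimal long forms that DER forbids; since the result is only ever compared against token_len that is tolerable, but the leading comment should say so, e.g. `/* Accepts indefinite and non-minimal length encodings; callers must validate the returned length. */`.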
@@ -219,7 +219,7 @@ cleanup:
     if (reply != NULL)
         xpc_release(reply);
     if (conn != NULL)
-        xpc_connection_cancel(conn);
+        xpc_release(conn);
     return ret;
 }
diff --git a/src/lib/krb5/ccache/cccursor.c b/src/lib/krb5/ccache/cccursor.c
index 4bcb66b..926873f 100644
--- a/src/lib/krb5/ccache/cccursor.c
+++ b/src/lib/krb5/ccache/cccursor.c
@@ -249,6 +249,7 @@ krb5_cccol_have_content(krb5_context context)
         save_first_error(context, ret, &errsave);
         if (ret || cache == NULL)
             break;
+        princ = NULL;
         ret = krb5_cc_get_principal(context, cache, &princ);
         save_first_error(context, ret, &errsave);
         if (!ret)
diff --git a/src/man/k5identity.man b/src/man/k5identity.man
index baf18f9..9176445 100644
--- a/src/man/k5identity.man
+++ b/src/man/k5identity.man
@@ -1,8 +1,5 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "K5IDENTITY" "5" " " "1.21.2" "MIT Kerberos"
-.SH NAME
-k5identity \- Kerberos V5 client principal selection rules
 .
 .nr rst2man-indent-level 0
 .
@@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.TH "K5IDENTITY" "5" " " "1.21.3" "MIT Kerberos"
+.SH NAME
+k5identity \- Kerberos V5 client principal selection rules
 .SH DESCRIPTION
 .sp
 The .k5identity file, which resides in a user\(aqs home directory,
@@ -98,6 +98,6 @@ kerberos(1), krb5.conf(5)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2023, MIT
+1985-2024, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/k5login.man b/src/man/k5login.man
index ff3329b..6605a7e 100644
--- a/src/man/k5login.man
+++ b/src/man/k5login.man
@@ -1,8 +1,5 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "K5LOGIN" "5" " " "1.21.2" "MIT Kerberos"
-.SH NAME
-k5login \- Kerberos V5 acl file for host access
 .
 .nr rst2man-indent-level 0
 .
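Review bot: Replacing `xpc_connection_cancel(conn);` with `xpc_release(conn);` drops the explicit cancel rather than adding the missing release alongside it, and nothing in the hunk records whether dropping the final reference also cancels the connection or whether an event handler installed earlier (if any; not shown) can still fire after this cleanup. If the release alone is sufficient, I'd say so where the old cancel was, `/* Dropping the last reference also cancels the connection; no explicit cancel needed. */`; if it is not, keep the cancel and add the release after it. The enclosing function begins outside the hunk.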
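Review bot: The added `princ = NULL;` in cccursor.c has no comment explaining why it must be reset before every krb5_cc_get_principal() call; the `break;` above it suggests a loop, and a free of `princ` presumably later in the body would then see the previous iteration's stale pointer whenever the lookup fails without assigning it. I'd add `/* Reset before each lookup: a failed call leaves princ unassigned, and a stale value here would be freed twice. */`. krb5_cccol_have_content() begins and ends outside the hunk.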
@@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "K5LOGIN" "5" " " "1.21.3" "MIT Kerberos" +.SH NAME +k5login \- Kerberos V5 acl file for host access .SH DESCRIPTION .sp The .k5login file, which resides in a user\(aqs home directory, contains @@ -91,6 +91,6 @@ kerberos(1) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man index a6cd986..f3590b6 100644 --- a/src/man/k5srvutil.man +++ b/src/man/k5srvutil.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "K5SRVUTIL" "1" " " "1.21.2" "MIT Kerberos" -.SH NAME -k5srvutil \- host key table (keytab) manipulation utility . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "K5SRVUTIL" "1" " " "1.21.3" "MIT Kerberos" +.SH NAME +k5srvutil \- host key table (keytab) manipulation utility .SH SYNOPSIS .sp \fBk5srvutil\fP \fIoperation\fP @@ -90,6 +90,6 @@ kadmin(1), ktutil(1), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man index 8332d5d..334db0c 100644 --- a/src/man/kadm5.acl.man +++ b/src/man/kadm5.acl.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KADM5.ACL" "5" " " "1.21.2" "MIT Kerberos" -.SH NAME -kadm5.acl \- Kerberos ACL file . .nr rst2man-indent-level 0 . 
@@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KADM5.ACL" "5" " " "1.21.3" "MIT Kerberos" +.SH NAME +kadm5.acl \- Kerberos ACL file .SH DESCRIPTION .sp The Kerberos kadmind(8) daemon uses an Access Control List @@ -274,6 +274,6 @@ kdc.conf(5), kadmind(8) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kadmin.man b/src/man/kadmin.man index 4612070..8413e70 100644 --- a/src/man/kadmin.man +++ b/src/man/kadmin.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KADMIN" "1" " " "1.21.2" "MIT Kerberos" -.SH NAME -kadmin \- Kerberos V5 database administration program . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KADMIN" "1" " " "1.21.3" "MIT Kerberos" +.SH NAME +kadmin \- Kerberos V5 database administration program .SH SYNOPSIS .sp \fBkadmin\fP @@ -1094,6 +1094,6 @@ kpasswd(1), kadmind(8), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kadmind.man b/src/man/kadmind.man index fbb6bda..32b9213 100644 --- a/src/man/kadmind.man +++ b/src/man/kadmind.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KADMIND" "8" " " "1.21.2" "MIT Kerberos" -.SH NAME -kadmind \- KADM5 administration server . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KADMIND" "8" " " "1.21.3" "MIT Kerberos" +.SH NAME +kadmind \- KADM5 administration server .SH SYNOPSIS .sp \fBkadmind\fP 
@@ -148,6 +148,6 @@ kdb5_ldap_util(8), kadm5.acl(5), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man index e11f875..125e59a 100644 --- a/src/man/kdb5_ldap_util.man +++ b/src/man/kdb5_ldap_util.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KDB5_LDAP_UTIL" "8" " " "1.21.2" "MIT Kerberos" -.SH NAME -kdb5_ldap_util \- Kerberos configuration utility . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KDB5_LDAP_UTIL" "8" " " "1.21.3" "MIT Kerberos" +.SH NAME +kdb5_ldap_util \- Kerberos configuration utility .SH SYNOPSIS .sp \fBkdb5_ldap_util\fP @@ -522,6 +522,6 @@ kadmin(1), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man index dfd2594..d43d913 100644 --- a/src/man/kdb5_util.man +++ b/src/man/kdb5_util.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KDB5_UTIL" "8" " " "1.21.2" "MIT Kerberos" -.SH NAME -kdb5_util \- Kerberos database maintenance utility . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KDB5_UTIL" "8" " " "1.21.3" "MIT Kerberos" +.SH NAME +kdb5_util \- Kerberos database maintenance utility .SH SYNOPSIS .sp \fBkdb5_util\fP @@ -554,6 +554,6 @@ kadmin(1), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man index 3942755..98a7222 100644 --- a/src/man/kdc.conf.man +++ b/src/man/kdc.conf.man 
@@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KDC.CONF" "5" " " "1.21.2" "MIT Kerberos" -.SH NAME -kdc.conf \- Kerberos V5 KDC configuration file . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KDC.CONF" "5" " " "1.21.3" "MIT Kerberos" +.SH NAME +kdc.conf \- Kerberos V5 KDC configuration file .sp The kdc.conf file supplements krb5.conf(5) for programs which are typically only used on a KDC, such as the krb5kdc(8) and @@ -1190,6 +1190,6 @@ krb5.conf(5), krb5kdc(8), kadm5.acl(5) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man index 7b1e758..c17b254 100644 --- a/src/man/kdestroy.man +++ b/src/man/kdestroy.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KDESTROY" "1" " " "1.21.2" "MIT Kerberos" -.SH NAME -kdestroy \- destroy Kerberos tickets . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KDESTROY" "1" " " "1.21.3" "MIT Kerberos" +.SH NAME +kdestroy \- destroy Kerberos tickets .SH SYNOPSIS .sp \fBkdestroy\fP @@ -90,6 +90,6 @@ kinit(1), klist(1), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kerberos.man b/src/man/kerberos.man index 253c9e4..ec1d84d 100644 --- a/src/man/kerberos.man +++ b/src/man/kerberos.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KERBEROS" "7" " " "1.21.2" "MIT Kerberos" -.SH NAME -kerberos \- Overview of using Kerberos . .nr rst2man-indent-level 0 . 
@@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KERBEROS" "7" " " "1.21.3" "MIT Kerberos" +.SH NAME +kerberos \- Overview of using Kerberos .SH DESCRIPTION .sp The Kerberos system authenticates individual users in a network @@ -212,6 +212,6 @@ Institute of Technology .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kinit.man b/src/man/kinit.man index 9c6bc7b..32f57c4 100644 --- a/src/man/kinit.man +++ b/src/man/kinit.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KINIT" "1" " " "1.21.2" "MIT Kerberos" -.SH NAME -kinit \- obtain and cache Kerberos ticket-granting ticket . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KINIT" "1" " " "1.21.3" "MIT Kerberos" +.SH NAME +kinit \- obtain and cache Kerberos ticket-granting ticket .SH SYNOPSIS .sp \fBkinit\fP @@ -254,6 +254,6 @@ klist(1), kdestroy(1), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/klist.man b/src/man/klist.man index beb7932..3061e5c 100644 --- a/src/man/klist.man +++ b/src/man/klist.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KLIST" "1" " " "1.21.2" "MIT Kerberos" -.SH NAME -klist \- list cached Kerberos tickets . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KLIST" "1" " " "1.21.3" "MIT Kerberos" +.SH NAME +klist \- list cached Kerberos tickets .SH SYNOPSIS .sp \fBklist\fP 
@@ -153,6 +153,6 @@ kinit(1), kdestroy(1), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man index 537ddc6..846224b 100644 --- a/src/man/kpasswd.man +++ b/src/man/kpasswd.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KPASSWD" "1" " " "1.21.2" "MIT Kerberos" -.SH NAME -kpasswd \- change a user's Kerberos password . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KPASSWD" "1" " " "1.21.3" "MIT Kerberos" +.SH NAME +kpasswd \- change a user's Kerberos password .SH SYNOPSIS .sp \fBkpasswd\fP [\fIprincipal\fP] @@ -63,6 +63,6 @@ kadmin(1), kadmind(8), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kprop.man b/src/man/kprop.man index 09c0536..6091173 100644 --- a/src/man/kprop.man +++ b/src/man/kprop.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KPROP" "8" " " "1.21.2" "MIT Kerberos" -.SH NAME -kprop \- propagate a Kerberos V5 principal database to a replica server . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KPROP" "8" " " "1.21.3" "MIT Kerberos" +.SH NAME +kprop \- propagate a Kerberos V5 principal database to a replica server .SH SYNOPSIS .sp \fBkprop\fP @@ -77,6 +77,6 @@ kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kpropd.man b/src/man/kpropd.man index 8cb6482..2c44d4f 100644 --- a/src/man/kpropd.man +++ b/src/man/kpropd.man 
@@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KPROPD" "8" " " "1.21.2" "MIT Kerberos" -.SH NAME -kpropd \- Kerberos V5 replica KDC update server . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KPROPD" "8" " " "1.21.3" "MIT Kerberos" +.SH NAME +kpropd \- Kerberos V5 replica KDC update server .SH SYNOPSIS .sp \fBkpropd\fP @@ -166,6 +166,6 @@ kerberos(7), inetd(8) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kproplog.man b/src/man/kproplog.man index b6a0caf..f7e93f3 100644 --- a/src/man/kproplog.man +++ b/src/man/kproplog.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KPROPLOG" "8" " " "1.21.2" "MIT Kerberos" -.SH NAME -kproplog \- display the contents of the Kerberos principal update log . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KPROPLOG" "8" " " "1.21.3" "MIT Kerberos" +.SH NAME +kproplog \- display the contents of the Kerberos principal update log .SH SYNOPSIS .sp \fBkproplog\fP [\fB\-h\fP] [\fB\-e\fP \fInum\fP] [\-v] @@ -110,6 +110,6 @@ kpropd(8), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man index 5ac268b..021c581 100644 --- a/src/man/krb5-config.man +++ b/src/man/krb5-config.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KRB5-CONFIG" "1" " " "1.21.2" "MIT Kerberos" -.SH NAME -krb5-config \- tool for linking against MIT Kerberos libraries . .nr rst2man-indent-level 0 . 
@@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KRB5-CONFIG" "1" " " "1.21.3" "MIT Kerberos" +.SH NAME +krb5-config \- tool for linking against MIT Kerberos libraries .SH SYNOPSIS .sp \fBkrb5\-config\fP @@ -136,6 +136,6 @@ kerberos(7), cc(1) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man index 644496a..6c0e9af 100644 --- a/src/man/krb5.conf.man +++ b/src/man/krb5.conf.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KRB5.CONF" "5" " " "1.21.2" "MIT Kerberos" -.SH NAME -krb5.conf \- Kerberos configuration file . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KRB5.CONF" "5" " " "1.21.3" "MIT Kerberos" +.SH NAME +krb5.conf \- Kerberos configuration file .sp The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos @@ -1500,6 +1500,6 @@ syslog(3) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man index d61d0bb..dc6bc4d 100644 --- a/src/man/krb5kdc.man +++ b/src/man/krb5kdc.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KRB5KDC" "8" " " "1.21.2" "MIT Kerberos" -.SH NAME -krb5kdc \- Kerberos V5 KDC . .nr rst2man-indent-level 0 . 
@@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KRB5KDC" "8" " " "1.21.3" "MIT Kerberos" +.SH NAME +krb5kdc \- Kerberos V5 KDC .SH SYNOPSIS .sp \fBkrb5kdc\fP @@ -135,6 +135,6 @@ kdb5_ldap_util(8), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/ksu.man b/src/man/ksu.man index 121a2b5..bb87113 100644 --- a/src/man/ksu.man +++ b/src/man/ksu.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KSU" "1" " " "1.21.2" "MIT Kerberos" -.SH NAME -ksu \- Kerberized super-user . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KSU" "1" " " "1.21.3" "MIT Kerberos" +.SH NAME +ksu \- Kerberized super-user .SH SYNOPSIS .sp \fBksu\fP @@ -474,6 +474,6 @@ kerberos(7), kinit(1) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kswitch.man b/src/man/kswitch.man index e7ff8c2..83ae58f 100644 --- a/src/man/kswitch.man +++ b/src/man/kswitch.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KSWITCH" "1" " " "1.21.2" "MIT Kerberos" -.SH NAME -kswitch \- switch primary ticket cache . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KSWITCH" "1" " " "1.21.3" "MIT Kerberos" +.SH NAME +kswitch \- switch primary ticket cache .SH SYNOPSIS .sp \fBkswitch\fP @@ -66,6 +66,6 @@ kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . 
diff --git a/src/man/ktutil.man b/src/man/ktutil.man index f621068..63466cf 100644 --- a/src/man/ktutil.man +++ b/src/man/ktutil.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KTUTIL" "1" " " "1.21.2" "MIT Kerberos" -.SH NAME -ktutil \- Kerberos keytab file maintenance utility . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KTUTIL" "1" " " "1.21.3" "MIT Kerberos" +.SH NAME +ktutil \- Kerberos keytab file maintenance utility .SH SYNOPSIS .sp \fBktutil\fP @@ -159,6 +159,6 @@ kadmin(1), kdb5_util(8), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kvno.man b/src/man/kvno.man index 15c840d..9b5cd39 100644 --- a/src/man/kvno.man +++ b/src/man/kvno.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "KVNO" "1" " " "1.21.2" "MIT Kerberos" -.SH NAME -kvno \- print key version numbers of Kerberos principals . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "KVNO" "1" " " "1.21.3" "MIT Kerberos" +.SH NAME +kvno \- print key version numbers of Kerberos principals .SH SYNOPSIS .sp \fBkvno\fP @@ -136,6 +136,6 @@ kinit(1), kdestroy(1), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/sclient.man b/src/man/sclient.man index 5aef2f9..0ccd194 100644 --- a/src/man/sclient.man +++ b/src/man/sclient.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "SCLIENT" "1" " " "1.21.2" "MIT Kerberos" -.SH NAME -sclient \- sample Kerberos version 5 client . .nr rst2man-indent-level 0 . 
@@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "SCLIENT" "1" " " "1.21.3" "MIT Kerberos" +.SH NAME +sclient \- sample Kerberos version 5 client .SH SYNOPSIS .sp \fBsclient\fP \fIremotehost\fP @@ -49,6 +49,6 @@ kinit(1), sserver(8), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/sserver.man b/src/man/sserver.man index 68e7caa..59de163 100644 --- a/src/man/sserver.man +++ b/src/man/sserver.man @@ -1,8 +1,5 @@ .\" Man page generated from reStructuredText. . -.TH "SSERVER" "8" " " "1.21.2" "MIT Kerberos" -.SH NAME -sserver \- sample Kerberos version 5 server . .nr rst2man-indent-level 0 . @@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. +.TH "SSERVER" "8" " " "1.21.3" "MIT Kerberos" +.SH NAME +sserver \- sample Kerberos version 5 server .SH SYNOPSIS .sp \fBsserver\fP @@ -193,6 +193,6 @@ sclient(1), kerberos(7), services(5), inetd(8) .SH AUTHOR MIT .SH COPYRIGHT -1985-2023, MIT +1985-2024, MIT .\" Generated by docutils manpage writer. . diff --git a/src/patchlevel.h b/src/patchlevel.h index 455baea..9efb35a 100644 --- a/src/patchlevel.h +++ b/src/patchlevel.h @@ -51,7 +51,7 @@ */ #define KRB5_MAJOR_RELEASE 1 #define KRB5_MINOR_RELEASE 21 -#define KRB5_PATCHLEVEL 2 -#define KRB5_RELTAIL "kfw-4.3-beta1" +#define KRB5_PATCHLEVEL 3 +#define KRB5_RELTAIL "postrelease" /* #undef KRB5_RELDATE */ -#define KRB5_RELTAG "kfw-4.3-beta1" +#define KRB5_RELTAG "krb5-1.21" diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index f413287..cb9c796 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -2272,7 +2272,9 @@ cms_envelopeddata_verify(krb5_context context,
 }
 
 /* verify that the received message is PKCS7 EnvelopedData message */
- if (OBJ_obj2nid(p7->type) != NID_pkcs7_enveloped) {
+ if (OBJ_obj2nid(p7->type) != NID_pkcs7_enveloped ||
+ p7->d.enveloped == NULL ||
+ p7->d.enveloped->enc_data->enc_data == NULL) {
 pkiDebug("Expected id-enveloped PKCS7 msg (received type = %d)\n",
 OBJ_obj2nid(p7->type));
 krb5_set_error_message(context, retval, "wrong oid\n");
diff --git a/src/po/mit-krb5.pot b/src/po/mit-krb5.pot
index 77263f4..52a3fb7 100644
--- a/src/po/mit-krb5.pot
+++ b/src/po/mit-krb5.pot
@@ -6,9 +6,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: mit-krb5 1.21.2\n"
+"Project-Id-Version: mit-krb5 1.21.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-08-14 02:19-0400\n"
+"POT-Creation-Date: 2024-06-26 13:09-0400\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -3290,15 +3290,15 @@ msgstr ""
 #: ../../src/kadmin/server/ovsec_kadmd.c:278
 #, c-format
 msgid ""
-"WARNING! Forged/garbled request: %s, claimed client = %.*s%s, server = %.*s"
-"%s, addr = %s"
+"WARNING! Forged/garbled request: %s, claimed client = %.*s%s, server = "
+"%.*s%s, addr = %s"
 msgstr ""
 
 #: ../../src/kadmin/server/ovsec_kadmd.c:284
 #, c-format
 msgid ""
-"WARNING! Forged/garbled request: %d, claimed client = %.*s%s, server = %.*s"
-"%s, addr = %s"
+"WARNING! Forged/garbled request: %d, claimed client = %.*s%s, server = "
+"%.*s%s, addr = %s"
 msgstr ""
 
 #: ../../src/kadmin/server/ovsec_kadmd.c:298
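Review bot: The widened condition reuses the existing diagnostics, so a token whose type is correct but whose `d.enveloped` or inner `enc_data` octet string is absent is now reported as `Expected id-enveloped PKCS7 msg (received type = %d)` and `wrong oid`, which points whoever debugs a PKINIT failure at the wrong thing. I would keep the OID test as it was and add a second check with its own message, e.g. `if (p7->d.enveloped == NULL || p7->d.enveloped->enc_data->enc_data == NULL) { krb5_set_error_message(context, retval, "missing enveloped content\n"); ... }`, exiting the same way the existing branch does; that exit and the rest of cms_envelopeddata_verify() are outside the hunk. The intermediate `enc_data` pointer is dereferenced unchecked, presumably because OpenSSL's PKCS7_ENVELOPE template makes that member mandatory while the inner content is optional; a one-line comment stating that assumption would keep the next reader from either adding a redundant check or assuming the same of other fields.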
@@ -3440,8 +3440,8 @@ msgstr "" #: ../../src/kadmin/server/server_stubs.c:675 #, c-format msgid "" -"Unauthorized request: kadm5_rename_principal, %.*s%s to %.*s%s, client=%.*s" -"%s, service=%.*s%s, addr=%s" +"Unauthorized request: kadm5_rename_principal, %.*s%s to %.*s%s, " +"client=%.*s%s, service=%.*s%s, addr=%s" msgstr "" #: ../../src/kadmin/server/server_stubs.c:690 @@ -5456,11 +5456,11 @@ msgstr "" msgid "Can't find client principal %s in cache collection" msgstr "" -#: ../../src/lib/krb5/ccache/cccursor.c:270 +#: ../../src/lib/krb5/ccache/cccursor.c:271 msgid "No Kerberos credentials available" msgstr "" -#: ../../src/lib/krb5/ccache/cccursor.c:276 +#: ../../src/lib/krb5/ccache/cccursor.c:277 #, c-format msgid "No Kerberos credentials available (default cache: %s)" msgstr "" @@ -6552,7 +6552,7 @@ msgid "%s (depth %d): %s" msgstr "" #: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1193 -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4133 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4135 msgid "Pass phrase for" msgstr "" 
@@ -6600,42 +6600,42 @@ msgstr "" msgid "Failed to decode PKCS7" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2286 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2288 msgid "Failed to decrypt PKCS7 message" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2709 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2711 msgid "Failed to fetch SSKDF" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2716 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2718 msgid "Failed to instantiate SSKDF" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2729 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2731 msgid "Failed to derive key using SSKDF" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2791 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2793 msgid "Failed to compute digest" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4253 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4255 #, c-format msgid "Cannot read certificate file '%s'" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4261 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4263 #, c-format msgid "Cannot read key file '%s'" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5112 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5114 #, c-format msgid "Cannot open file '%s'" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5119 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5121 #, c-format msgid "Cannot read file '%s'" msgstr "" diff --git a/src/prototype/prototype.c b/src/prototype/prototype.c index 2670316..77cc8c2 100644 --- a/src/prototype/prototype.c +++ b/src/prototype/prototype.c 
@@ -1,7 +1,7 @@ /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* prototype/prototype.c - <<< One-line description of file >>> */ /* - * Copyright (C) 2023 by the Massachusetts Institute of Technology. + * Copyright (C) 2024 by the Massachusetts Institute of Technology. * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff --git a/src/prototype/prototype.h b/src/prototype/prototype.h index 7c0fab7..c6d4241 100644 --- a/src/prototype/prototype.h +++ b/src/prototype/prototype.h @@ -1,7 +1,7 @@ /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* prototype/prototype.h - <<< One-line description of file >>> */ /* - * Copyright (C) 2023 by the Massachusetts Institute of Technology. + * Copyright (C) 2024 by the Massachusetts Institute of Technology. * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c index 9876a11..882e163 100644 --- a/src/tests/gssapi/t_invalid.c +++ b/src/tests/gssapi/t_invalid.c 
@@ -36,31 +36,41 @@ * * 1. A pre-CFX wrap or MIC token processed with a CFX-only context causes a * null pointer dereference. (The token must use SEAL_ALG_NONE or it will - * be rejected.) + * be rejected.) This vulnerability also applies to IOV unwrap. * - * 2. A pre-CFX wrap or MIC token with fewer than 24 bytes after the ASN.1 + * 2. A CFX wrap token with a different value of EC between the plaintext and + * encrypted copies will be erroneously accepted, which allows a message + * truncation attack. This vulnerability also applies to IOV unwrap. + * + * 3. A CFX wrap token with a plaintext length fewer than 16 bytes causes an + * access before the beginning of the input buffer, possibly leading to a + * crash. + * + * 4. A CFX wrap token with a plaintext EC value greater than the plaintext + * length - 16 causes an integer underflow when computing the result length, + * likely causing a crash. + * + * 5. An IOV unwrap operation will overrun the header buffer if an ASN.1 + * wrapper longer than the header buffer is present. + * + * 6. A pre-CFX wrap or MIC token with fewer than 24 bytes after the ASN.1 * header causes an input buffer overrun, usually leading to either a segv * or a GSS_S_DEFECTIVE_TOKEN error due to garbage algorithm, filler, or - * sequence number values. + * sequence number values. This vulnerability also applies to IOV unwrap. * - * 3. A pre-CFX wrap token with fewer than 16 + cksumlen bytes after the ASN.1 + * 7. A pre-CFX wrap token with fewer than 16 + cksumlen bytes after the ASN.1 * header causes an integer underflow when computing the ciphertext length, * leading to an allocation error on 32-bit platforms or a segv on 64-bit * platforms. A pre-CFX MIC token of this size causes an input buffer * overrun when comparing the checksum, perhaps leading to a segv. * - * 4. A pre-CFX wrap token with fewer than conflen + padlen bytes in the + * 8. 
A pre-CFX wrap token with fewer than conflen + padlen bytes in the * ciphertext (where padlen is the last byte of the decrypted ciphertext) * causes an integer underflow when computing the original message length, * leading to an allocation error. * - * 5. In the mechglue, truncated encapsulation in the initial context token can + * 9. In the mechglue, truncated encapsulation in the initial context token can * cause input buffer overruns in gss_accept_sec_context(). - * - * Vulnerabilities #1 and #2 also apply to IOV unwrap, although tokens with - * fewer than 16 bytes after the ASN.1 header will be rejected. - * Vulnerabilities #2 and #5 can only be robustly detected using a - * memory-checking environment such as valgrind. */ #include "k5-int.h" @@ -109,17 +119,25 @@ struct test { } }; -/* Fake up enough of a CFX GSS context for gss_unwrap, using an AES key. */ +static void * +ealloc(size_t len) +{ + void *ptr = calloc(len, 1); + + if (ptr == NULL) + abort(); + return ptr; +} + +/* Fake up enough of a CFX GSS context for gss_unwrap, using an AES key. + * The context takes ownership of subkey. */ static gss_ctx_id_t -make_fake_cfx_context() +make_fake_cfx_context(krb5_key subkey) { gss_union_ctx_id_t uctx; krb5_gss_ctx_id_t kgctx; - krb5_keyblock kb; - kgctx = calloc(1, sizeof(*kgctx)); - if (kgctx == NULL) - abort(); + kgctx = ealloc(sizeof(*kgctx)); kgctx->established = 1; kgctx->proto = 1; if (g_seqstate_init(&kgctx->seqstate, 0, 0, 0, 0) != 0) 
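Review bot: The renumbered list drops two qualifiers from the removed trailer paragraph: that IOV unwrap rejects tokens with fewer than 16 bytes after the ASN.1 header, and that the former #2 and #5 (now #6 and #9) can only be robustly detected under a memory checker such as valgrind; the `This vulnerability also applies to IOV unwrap.` clause added to #1 and #6 carries only the first half of the original sentence. If both statements still hold, I would extend #6 with `although tokens with fewer than 16 bytes after the ASN.1 header will be rejected there` and restore `Vulnerabilities #6 and #9 can only be robustly detected using a memory-checking environment such as valgrind.` after item 9. The new #5 (header buffer overrun on an oversized ASN.1 wrapper) likely belongs in that valgrind sentence as well, since test_iov_large_asn1_wrapper() allocates its 2-byte header with ealloc() presumably so that a checker can observe the overrun, but I cannot confirm that from this hunk.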
@@ -128,15 +146,10 @@ make_fake_cfx_context() kgctx->sealalg = -1; kgctx->signalg = -1; - kb.enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96; - kb.length = 16; - kb.contents = (unsigned char *)"1234567887654321"; - if (krb5_k_create_key(NULL, &kb, &kgctx->subkey) != 0) - abort(); + kgctx->subkey = subkey; + kgctx->cksumtype = CKSUMTYPE_HMAC_SHA1_96_AES128; - uctx = calloc(1, sizeof(*uctx)); - if (uctx == NULL) - abort(); + uctx = ealloc(sizeof(*uctx)); uctx->mech_type = &mech_krb5; uctx->internal_ctx_id = (gss_ctx_id_t)kgctx; return (gss_ctx_id_t)uctx; @@ -150,9 +163,7 @@ make_fake_context(const struct test *test) krb5_gss_ctx_id_t kgctx; krb5_keyblock kb; - kgctx = calloc(1, sizeof(*kgctx)); - if (kgctx == NULL) - abort(); + kgctx = ealloc(sizeof(*kgctx)); kgctx->established = 1; if (g_seqstate_init(&kgctx->seqstate, 0, 0, 0, 0) != 0) abort(); @@ -174,9 +185,7 @@ make_fake_context(const struct test *test) if (krb5_k_create_key(NULL, &kb, &kgctx->enc) != 0) abort(); - uctx = calloc(1, sizeof(*uctx)); - if (uctx == NULL) - abort(); + uctx = ealloc(sizeof(*uctx)); uctx->mech_type = &mech_krb5; uctx->internal_ctx_id = (gss_ctx_id_t)kgctx; return (gss_ctx_id_t)uctx; @@ -206,9 +215,7 @@ make_token(unsigned char *token, size_t len, gss_buffer_t out) assert(mech_krb5.length == 9); assert(len + 11 < 128); - wrapped = malloc(len + 13); - if (wrapped == NULL) - abort(); + wrapped = ealloc(len + 13); wrapped[0] = 0x60; wrapped[1] = len + 11; wrapped[2] = 0x06; 
@@ -219,6 +226,18 @@ make_token(unsigned char *token, size_t len, gss_buffer_t out)
 out->value = wrapped;
 }
 
+/* Create a 16-byte header for a CFX confidential wrap token to be processed by
+ * the fake CFX context. */
+static void
+write_cfx_header(uint16_t ec, uint8_t *out)
+{
+ memset(out, 0, 16);
+ store_16_be(KG2_TOK_WRAP_MSG, out);
+ out[2] = FLAG_WRAP_CONFIDENTIAL;
+ out[3] = 0xFF;
+ store_16_be(ec, out + 4);
+}
+
 /* Unwrap a superficially valid RFC 1964 token with a CFX-only context, with
 * regular and IOV unwrap. */
 static void
@@ -250,6 +269,134 @@ test_bogus_1964_token(gss_ctx_id_t ctx)
 free(in.value);
 }
 
+static void
+test_cfx_altered_ec(gss_ctx_id_t ctx, krb5_key subkey)
+{
+ OM_uint32 major, minor;
+ uint8_t tokbuf[128], plainbuf[24];
+ krb5_data plain;
+ krb5_enc_data cipher;
+ gss_buffer_desc in, out;
+ gss_iov_buffer_desc iov[2];
+
+ /* Construct a header with a plaintext EC value of 3. */
+ write_cfx_header(3, tokbuf);
+
+ /* Encrypt a plaintext and a copy of the header with the EC value 0. */
+ memcpy(plainbuf, "truncate", 8);
+ memcpy(plainbuf + 8, tokbuf, 16);
+ store_16_be(0, plainbuf + 12);
+ plain = make_data(plainbuf, 24);
+ cipher.ciphertext.data = (char *)tokbuf + 16;
+ cipher.ciphertext.length = sizeof(tokbuf) - 16;
+ cipher.enctype = subkey->keyblock.enctype;
+ if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
+ &plain, &cipher) != 0)
+ abort();
+
+ /* Verify that the token is rejected by gss_unwrap(). */
+ in.value = tokbuf;
+ in.length = 16 + cipher.ciphertext.length;
+ major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
+ if (major != GSS_S_DEFECTIVE_TOKEN)
+ abort();
+ (void)gss_release_buffer(&minor, &out);
+
+ /* Verify that the token is rejected by gss_unwrap_iov(). */
+ iov[0].type = GSS_IOV_BUFFER_TYPE_STREAM;
+ iov[0].buffer = in;
+ iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
+ major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2);
+ if (major != GSS_S_DEFECTIVE_TOKEN)
+ abort();
+}
+
+static void
+test_cfx_short_plaintext(gss_ctx_id_t ctx, krb5_key subkey)
+{
+ OM_uint32 major, minor;
+ uint8_t tokbuf[128], zerobyte = 0;
+ krb5_data plain;
+ krb5_enc_data cipher;
+ gss_buffer_desc in, out;
+
+ write_cfx_header(0, tokbuf);
+
+ /* Encrypt a single byte, with no copy of the header. */
+ plain = make_data(&zerobyte, 1);
+ cipher.ciphertext.data = (char *)tokbuf + 16;
+ cipher.ciphertext.length = sizeof(tokbuf) - 16;
+ cipher.enctype = subkey->keyblock.enctype;
+ if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
+ &plain, &cipher) != 0)
+ abort();
+
+ /* Verify that the token is rejected by gss_unwrap(). */
+ in.value = tokbuf;
+ in.length = 16 + cipher.ciphertext.length;
+ major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
+ if (major != GSS_S_DEFECTIVE_TOKEN)
+ abort();
+ (void)gss_release_buffer(&minor, &out);
+}
+
+static void
+test_cfx_large_ec(gss_ctx_id_t ctx, krb5_key subkey)
+{
+ OM_uint32 major, minor;
+ uint8_t tokbuf[128] = { 0 }, plainbuf[20];
+ krb5_data plain;
+ krb5_enc_data cipher;
+ gss_buffer_desc in, out;
+
+ /* Construct a header with an EC value of 5. */
+ write_cfx_header(5, tokbuf);
+
+ /* Encrypt a 4-byte plaintext plus the header. */
+ memcpy(plainbuf, "abcd", 4);
+ memcpy(plainbuf + 4, tokbuf, 16);
+ plain = make_data(plainbuf, 20);
+ cipher.ciphertext.data = (char *)tokbuf + 16;
+ cipher.ciphertext.length = sizeof(tokbuf) - 16;
+ cipher.enctype = subkey->keyblock.enctype;
+ if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
+ &plain, &cipher) != 0)
+ abort();
+
+ /* Verify that the token is rejected by gss_unwrap(). */
+ in.value = tokbuf;
+ in.length = 16 + cipher.ciphertext.length;
+ major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
+ if (major != GSS_S_DEFECTIVE_TOKEN)
+ abort();
+ (void)gss_release_buffer(&minor, &out);
+}
+
+static void
+test_iov_large_asn1_wrapper(gss_ctx_id_t ctx)
+{
+ OM_uint32 minor, major;
+ uint8_t databuf[10] = { 0 };
+ gss_iov_buffer_desc iov[2];
+
+ /*
+ * In this IOV array, the header contains a DER tag with a dangling eight
+ * bytes of length field. The data IOV indicates a total token length
+ * sufficient to contain the length bytes.
+ */
+ iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
+ iov[0].buffer.value = ealloc(2);
+ iov[0].buffer.length = 2;
+ memcpy(iov[0].buffer.value, "\x60\x88", 2);
+ iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
+ iov[1].buffer.value = databuf;
+ iov[1].buffer.length = 10;
+ major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2);
+ if (major != GSS_S_DEFECTIVE_TOKEN)
+ abort();
+ free(iov[0].buffer.value);
+}
+
 /* Process wrap and MIC tokens with incomplete headers. */
 static void
 test_short_header(gss_ctx_id_t ctx)
@@ -399,9 +546,7 @@ try_accept(void *value, size_t len)
 gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
 
 /* Copy the provided value to make input overruns more obvious. */
- in.value = malloc(len);
- if (in.value == NULL)
- abort();
+ in.value = ealloc(len);
 memcpy(in.value, value, len);
 in.length = len;
 (void)gss_accept_sec_context(&minor, &ctx, GSS_C_NO_CREDENTIAL, &in,
@@ -436,11 +581,23 @@ test_short_encapsulation()
 int
 main(int argc, char **argv)
 {
+ krb5_keyblock kb;
+ krb5_key cfx_subkey;
 gss_ctx_id_t ctx;
 size_t i;
 
- ctx = make_fake_cfx_context();
+ kb.enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
+ kb.length = 16;
+ kb.contents = (unsigned char *)"1234567887654321";
+ if (krb5_k_create_key(NULL, &kb, &cfx_subkey) != 0)
+ abort();
+
+ ctx = make_fake_cfx_context(cfx_subkey);
 test_bogus_1964_token(ctx);
+ test_cfx_altered_ec(ctx, cfx_subkey);
+ test_cfx_short_plaintext(ctx, cfx_subkey);
+ test_cfx_large_ec(ctx, cfx_subkey);
+ test_iov_large_asn1_wrapper(ctx);
 free_fake_context(ctx);
 
 for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
diff --git a/src/windows/version.rc b/src/windows/version.rc
index b9ab57a..53294e7 100644
--- a/src/windows/version.rc
+++ b/src/windows/version.rc
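Review bot: test_cfx_altered_ec(), test_cfx_short_plaintext() and test_cfx_large_ec() each repeat the same encrypt-then-expect-GSS_S_DEFECTIVE_TOKEN sequence (cipher setup, krb5_k_encrypt(), in.value/in.length, gss_unwrap(), gss_release_buffer()), which is a style point rather than a defect, but it hides the one thing each test varies — the header EC and the plaintext — under a dozen identical lines. Two small helpers, one building the token and one asserting rejection, would reduce each test to its header-plus-plaintext construction; test_cfx_altered_ec() keeps its extra STREAM-IOV check on the same `in` buffer. Separately, only that test also runs the token through gss_unwrap_iov(); if the EC/length handling behind #3 and #4 is shared with the IOV path, the same three-line IOV check would cover it cheaply, though I cannot confirm the sharing from this hunk. The three tests also differ in whether tokbuf is zero-initialized (`= { 0 }` only in test_cfx_large_ec()); since write_cfx_header() zeroes the 16-byte header and krb5_k_encrypt() fills the remainder this looks harmless, so pick one form.

```c
/* Encrypt *plain into tokbuf after the 16-byte header already written there,
 * and fill in *tok with the resulting wrap token. */
static void
make_cfx_token(krb5_key subkey, krb5_data *plain, uint8_t *tokbuf,
               size_t tokbufsize, gss_buffer_t tok)
{
    krb5_enc_data cipher;

    cipher.ciphertext.data = (char *)tokbuf + 16;
    cipher.ciphertext.length = tokbufsize - 16;
    cipher.enctype = subkey->keyblock.enctype;
    if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
                       plain, &cipher) != 0)
        abort();
    tok->value = tokbuf;
    tok->length = 16 + cipher.ciphertext.length;
}

/* Verify that tok is rejected as defective by gss_unwrap(). */
static void
expect_unwrap_defective(gss_ctx_id_t ctx, gss_buffer_t tok)
{
    OM_uint32 major, minor;
    gss_buffer_desc out;

    major = gss_unwrap(&minor, ctx, tok, &out, NULL, NULL);
    if (major != GSS_S_DEFECTIVE_TOKEN)
        abort();
    (void)gss_release_buffer(&minor, &out);
}

static void
test_cfx_short_plaintext(gss_ctx_id_t ctx, krb5_key subkey)
{
    uint8_t tokbuf[128] = { 0 }, zerobyte = 0;
    krb5_data plain;
    gss_buffer_desc in;

    write_cfx_header(0, tokbuf);
    /* Encrypt a single byte, with no copy of the header. */
    plain = make_data(&zerobyte, 1);
    make_cfx_token(subkey, &plain, tokbuf, sizeof(tokbuf), &in);
    expect_unwrap_defective(ctx, &in);
}
/* … unchanged: test_cfx_altered_ec and test_cfx_large_ec, reduced the same way … */
```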
@@ -41,7 +41,7 @@ #define K5_PRODUCT_VERSION_STRING MAJOR_MINOR MAYBE_PATCH RELTAIL "\0" #define K5_PRODUCT_VERSION KRB5_MAJOR_RELEASE, KRB5_MINOR_RELEASE, KRB5_PATCHLEVEL, KRB5_BUILDLEVEL -#define K5_COPYRIGHT "Copyright (C) 1997-2023 by the Massachusetts Institute of Technology\0" +#define K5_COPYRIGHT "Copyright (C) 1997-2024 by the Massachusetts Institute of Technology\0" #define K5_COMPANY_NAME "Massachusetts Institute of Technology.\0" /* |