Set localstatedir and runstatedir in config/pre.in so that the default
runstatedir value of ${localstatedir}/run works. Reported by Mike
Jetzer.
(cherry picked from commit fd005a1967510004c9197f7da9f1d85ee81f4734)
ticket: 8975
version_fixed: 1.17.3
Mainline autoconf generates no shell code for AC_CONFIG_AUX_DIR().
Call it unconditionally to avoid a syntax error.
[ghudson@mit.edu: rewrote commit message]
(cherry picked from commit f78edbe30816f049e1360cb6e203fabfdf7b98df)
ticket: 8960
version_fixed: 1.17.2
The libkrb5 ASN.1 decoder supports BER indefinite lengths. It
computes the tag length using recursion; the lack of a recursion limit
allows an attacker to overrun the stack and cause the process to
crash. Reported by Demi Obenour.
CVE-2020-28196:
In MIT krb5 releases 1.11 and later, an unauthenticated attacker can
cause a denial of service for any client or server to which it can
send an ASN.1-encoded Kerberos message of sufficient length.
(cherry picked from commit 57415dda6cf04e73ffc3723be518eddfae599bfd)
ticket: 8959
version_fixed: 1.17.2
Attempting to renew the MSLSA cache can commonly fail with
KRB5_CC_NOTFOUND due to LSA policy. Do not display an error popup in
this case. Also fix a logic error in the existing suppressions.
(cherry picked from commit bfd407703a938573610af3f17aad4d5ebad615fd)
ticket: 8939
version_fixed: 1.17.2
CLeashView::RenewTicket() falls back to an ImportTicket or InitTicket
operation if ticket renewal fails. A 2004 commit (from the old
pismere repository) added code to heuristically determine whether
Leash's cache was imported by comparing the MSLSA cache principal name
to ticketinfo.Krb5.principal. Commit
9bc411e72fce5bed3ed00ae5b09f8c239309bae0 broke this code by removing
the call to initialize ticketinfo.Krb5 and by making
ticketinfo.Krb5.principal ephemeral. The strcmp() call now crashes
the process with a null dereference.
Fix the crash by removing the heuristic detection of imported tickets,
using the current value of m_importedTickets (which should be correct
unless Leash was restarted after the tickets were obtained) to decide
whether to import or initialize tickets.
(cherry picked from commit 7fc4cdae79d0689afed32f9bcfeb28f410a9d79c)
ticket: 8938
version_fixed: 1.17.2
In kdb5_ldap_util, set lockdown_keys on the special principals when
creating an LDAP KDB, as we do in kdb5_util when creating a regular
KDB.
(cherry picked from commit 6cdf7d82e74f21fb8a37efe6b1bba45744f891ba)
ticket: 8936
version_fixed: 1.17.2
In get_mech_set(), check the length before reading the first byte, and
decrease the length by the tag byte when reading and verifying the
sequence length.
In get_req_flags(), check the length before reading the first byte,
and check the context tag length after decoding it.
(cherry picked from commit 64f4b75a22212681ca293f8f09ddd24b0244d5b4)
ticket: 8933
version_fixed: 1.17.2
In krb5kdc and kadmind, reinitialize the DB state after daemonizing,
to prevent using an LMDB environment in a different process than the
one it was created in. Otherwise the daemon's reader table slot
appears to be stale and can be claimed by another process.
In kadmind, this change means that global_server_handle changes value
after the loop setup. Add an extra level of pointer indirection so
that the handle passed to the loop remains valid.
kdb_init_hist() is now called twice by kadmind. Change it to avoid
leaking hist_princ on the second invocation.
(cherry picked from commit 38b98a14433b8858a3ca5979a0afa194df0df1e9)
ticket: 8918
version_fixed: 1.17.2
When loading a principal entry in process_k5beta7_princ(), set the
KADM5_PW_EXPIRATION mask bit so that the password expiration time is
set on the principal entry. Add a regression test.
Reported (with fix) by Glenn Machin.
(cherry picked from commit 778d3fd9de50ab0c87cf0031e1dd24a8ec4bd552)
ticket: 8882
version_fixed: 1.17.2
Commit d160bc733a3dbeb6d84f4e175234ff18738d9f66 (ticket 7045) added a
new thread key K5_KEY_GSS_SPNEGO_STATUS and registered it in SPNEGO
library initialization, but neglected to unregister it in
finalization. As a result, loading, unloading, and reloading
libgssapi_krb5 could throw an assertion failure if libkrb5support
remained loaded. Unregister the key in SPNEGO finalization and add a
test case.
Reported and investigated by Adam Dabrowski.
(cherry picked from commit 07ff54d0bb85109df114612bbbfa6559f4a1e0cb)
ticket: 8614
tags: pullup
target_version: 1.18-next
target_version: 1.17-next
Always use six digits with leading 0s to format the microseconds in
trace log timestamps; otherwise a small value appears as too large of
a fraction of a second.
(cherry picked from commit 734bf341da54e09add9160e65ea7308072b97f13)
ticket: 8894
version_fixed: 1.17.2
In update_ldap_mod_auth_ind(), if there is no string attribute value
for require_auth, check for krbPrincipalAuthInd attributes that might
need to be removed. (This will only work if the entry is loaded and
then modified, but that is the normal case for an existing entry.)
Move the update_ldap_mod_auth_ind() call inside the tl-data
conditional (which should perhaps be a check for KADM5_TL_DATA in the
mask instead). A modification which did not intend to update tl-data
should not remove the krbPrincipalAuthInd attributes.
Change get_int_from_tl_data() to zero its output so that it can't
leave a garbage value behind if it returns 0 (as it does if no
KDB_TL_USER_INFO tl-data is present).
Based on a patch by Glenn Machin.
(cherry picked from commit 6d9da7bb216f96cbdd731aa894714bd84213a9d0)
ticket: 8877
version_fixed: 1.17.2
More recent versions of OpenSSL can fail for other reasons. Indicate
a crypto-related error occurred rather than a memory error to aid
debugging.
(cherry picked from commit bf9b2134ceddd6c727362be894b1c95c297a0f17)
ticket: 8873
version_fixed: 1.17.2
Windows services, as well as some versions of Samba, may refuse
tickets if the PAC is not in the first AD-IF-RELEVANT container. In
fetch_kdb_authdata(), change the merge order so that authdata from the
KDB module appears first.
[ghudson@mit.edu: added comment and clarified commit message]
(cherry picked from commit 331fa4bdd34263ea20667a0f51338cb84357fdaa)
ticket: 8872
version_fixed: 1.17.2
In the unlikely event that one of the functions called by
gssint_mechglue_init() returns an error, return that error to the
caller rather than continuing on and discarding the error status.
Returning success when some of the operations failed could fool the
library finalizer into thinking that initialization completed.
Reported by Spencer Malone.
(cherry picked from commit c120ed5b211ee684b830a6722fc3ab3222afbfa1)
ticket: 8864
version_fixed: 1.17.2
In the LDAP backend, the change mask is used to determine what LDAP
attributes to update. As a result, password expiration was not set
from policy when running during addprinc, among other issues.
However, when the mask did not contain KADM5_PRINCIPAL, pw_expiration
would be applied regardless, which meant that (for instance) changing
the password would cause the password application to be applied.
Remove the check for KADM5_PRINCIPAL, and fix the mask to contain
KADM5_PW_EXPIRATION where appropriate. Add a regression test to
t_kdb.py.
[ghudson@mit.edu: also set KADM5_ATTRIBUTES for randkey and setkey
since they both unset KRB5_KDB_REQUIRES_PWCHANGE; edited comments and
commit message]
(cherry picked from commit 6b004dd5739bded71be4290c11e7ac3a816c7e09)
ticket: 8861
version_fixed: 1.17.2
In extract_cammacs(), avoid a null dereference if the CAMMAC service
verifier is invalid or the CAMMAC is empty.
(cherry picked from commit 8451ff6ed57361de585a35f35a39c54dc48172c7)
ticket: 8856
version_fixed: 1.17.2
After commit 95830231758de259abbbccedbac01613f578768a, the
documentation cannot be built with Python 2. Run make with
"PYTHON=python3" to ensure that we use Python 3.
(cherry picked from commit 17b40b1acb8f2e2c1f646ae76a9919089c4ba85c)
The DEBUG_GSSALLOC version of gssalloc_realloc() must add the sentinel
size to the byte count.
The mechglue gss_decapsulate_token(), gss_encapsulate_token(), and
gss_export_sec_context() must use gssalloc_malloc() to allocate
output buffers.
The krb5 mech's gss_export_name_composite() and gss_pseudo_random()
implementations must use gssalloc_malloc() to allocate output buffers.
SPNEGO's gss_display_status() implementation must use gssalloc for the
output buffer.
The sample GSS server must use gss_release_buffer() to free the result
of gss_export_sec_context().
(cherry picked from commit ab5c4259bdbe51dd3f4b5c5aff22628188d04322)
ticket: 8852
version_fixed: 1.17.1
If gss_set_sec_context_option() creates a union context object, it
must set the loopback pointer.
[ghudson@mit.edu: extracted this from a larger commit and wrote commit
message]
(cherry picked from commit 93b6d2a83849e157d7bec4f83fd94dbef10d6f05)
ticket: 8850
version_fixed: 1.17.1
Commit f07bca9fc94a5cf2e3c0f58226c7973a4b86b7a9 made addprinc -randkey
use a single RPC request, but the server-side handling always creates
the random keys with kvno 1. If a kvno is specified in the RPC
request, set the kvno of the key data after creating it. Reported by
Andreas Ladanyi.
(cherry picked from commit 462e85208d57b8d4120c99e801fbd156b9ccf16f)
ticket: 8848
version_fixed: 1.17.1
In init_ctx_call_init(), if gss_init_sec_context() fails while
producing the first SPNEGO initiator token, we remove the first
candidate mechanism from sc->mech_set and try again. If
sc->ctx_handle is present after the error (more likely after commit
56f7b1bc95a2a3eeb420e069e7655fb181ade5cf), we must clear it before
falling back or it will cause subsequent attempts to fail.
(cherry picked from commit 40ecfad10dd36700028ff0f3d0d79ce7925fe545)
ticket: 8846
version_fixed: 1.17.1
If gss_inquire_attrs_for_mech() is called for a mechanism which does
not implement it, the call will succeed with mech_attrs set to
GSS_C_NO_OID_SET (as is explicitly allowed by RFC 5587).
generic_gss_test_oid_set_member() returns an error on this value,
causing gss_accept_sec_context() to erroneously deny the mechanism
when no verifier credential handle is supplied. Change
allow_mech_by_default() to explicitly check for no mech attribute set.
(cherry picked from commit bd321c9caa6dc4b034bc3279a1af39af4c41210d)
ticket: 8840
version_fixed: 1.17.1
/etc/gss/mech lines begin with a name field, but this field was not
included in the format documentation.
(cherry picked from commit 208e85530f8a0d0490e50d89aed4f6f11acfd86a)
ticket: 8839
version_fixed: 1.17.1
Commit 969331732b62e73d1e073ff3ad87bf1774ee9fd1 (ticket 7369) removed
the code to return UPDATE_BUSY if the database was modified within the
last ten seconds, but did not remove the corresponding documentation
text. Remove it now.
(cherry picked from commit 16c3a5917a8fd2706a1e1b2e5a58e1319f8fa8f7)
ticket: 8835
version_fixed: 1.17.1
In commit 38a31852c3e58f6e2f6b3b035a87f817d1db5537, the aes-sha1
enctypes became the only defaults, but the documentation was not
updated.
(cherry picked from commit 56982b666e10fbb47c1fb70947b3e176c9a5e2d1)
ticket: 8834
version_fixed: 1.17.1
Remove ldapbackend.rst, as it is largely redundant with conf_ldap.rst.
Simplify conf_ldap.rst, using kerberos.openldap.ldif (added by ticket
8529) and removing unnecessary command arguments. Mention the
possibility of using SASL authentication (added by ticket 7944) as an
alternative to binding with DN and password. Remove unnecessary
access rights.
In kdc_conf.rst, remove ldap_servers from the list of relations read
from [dbdefaults], as it is only read from the realm's database
configuration section.
In kdb5_ldap_util.rst, document "-r" as a global parameter, as it
applies in some fashion to all commands. Make the same changes to the
kdb5_ldap_util usage message, and make it fit within 80 columns.
Reported by Dilyan Palauzov.
(cherry picked from commit ca1057fe6a03b6679b7907ee41b8abd444acc70d)
ticket: 8831
version_fixed: 1.17.1
An inverted status check in get_kdc_offset() would cause querying the
offset time from the ccache to always fail (silently) on KCM. Fix the
status check so that KCM can properly handle desync.
(cherry picked from commit 323abb6d1ebe5469d6c2167c29aa5d696d099b90)
ticket: 8826
version_fixed: 1.17.1
In parse_quoted_string(), only process an escape sequence if there is
a second character after the backslash, to avoid reading past the
terminating zero byte. Reported by Lutz Justen.
(cherry picked from commit a449bfc16c32019fec8b4deea963a3e474b0d14d)
ticket: 8825
version_fixed: 1.17.1
A value of 0 indicates that the plugin doesn't wish to modify lifetimes.
Make this the default, rather than requiring all plugins to set these
values themselves.
(cherry picked from commit d81c5870013240c04642c8e0cb994b4c49e40ddf)
ticket: 8824
version_fixed: 1.17.1
The documentation for krb5.conf explaining final values is incorrect.
Only sections and subsections may usefully be marked as final, and
final designations only apply to later files, not to the same file.
[ghudson@mit.edu: corrected and shortened documentation; rewrote
commit message]
(cherry picked from commit 5105a91c9dc3210e242dff156b861e77aa80959a)
ticket: 8821
version_fixed: 1.17.1
The default severity was removed by commit
6ce8fd4cfa2e9b1e92debd204a5b2ddf053cca55 (ticket 8630) but the example
still talks about it; remove that text. Add a note about the default
being syslog if nothing else is specified, and a note on how to
disable logging.
(cherry picked from commit 4dabc3d0bcdcdcd5aad070b97a27141a3abd0bbd)
ticket: 8813
version_fixed: 1.17.1
Commit 2bd410ecdb366083fe9b4e5f6ac4b741b624230b (ticket 8709)
contained a typo "text" for "test", preventing the Python path check
from falling back from python2 to python. This is now a fallback from
python3 to python, but the typo remains. Fix it now.
Based on a patch by Michael Osipov.
(cherry picked from commit b7c260b22c5d815b83ff37a35569e07e847cd9c3)
ticket: 8810
version_fixed: 1.17.1
NetBSD 8's stdlib.h declares a hmac() function; rename ours to avoid a
conflict.
[ghudson@mit.edu: picked a different name and added a comment]
(cherry picked from commit e8b463c8d2c9b903d61c8646af3c0106808f906d)
ticket: 8803
version_fixed: 1.17.1
Some init systems, such as systemd, can run daemon processes in the
foreground, so admonishments to let krb5kdc and kadmind background
themselves in normal operation can be confusing. Remove those
sentences.
(cherry picked from commit 4ded6dbc23d27068567943bccf4d2d986b6f7d08)
ticket: 8802
version_fixed: 1.17.1
Fix five cases where return codes could be set (in unlikely cases) but
did not result in error exits.
[ghudson@mit.edu: squashed commits and rewrote commit message]
(cherry picked from commit 7c26740f9df3c79c3f01c3a4dda4d9dabba5298d)
ticket: 8801
version_fixed: 1.17.1
The example code for gss_get_mic_iov() using a caller-provided buffer
calls gss_wrap_iov_length() and gss_wrap_iov() instead of
gss_get_mic_iov_length() and gss_get_mic_iov() as intended. Reported
by Frank Filz.
(cherry picked from commit bf4156db4f6c2e8cd420cd556bfa9e39f1a3d556)
ticket: 8797
version_fixed: 1.17.1
Document that if no krb5kdc -r option is specified, the default realm
is served.
(cherry picked from commit e5f866de8f47b91f609a6bab0d0e002f1a826222)
ticket: 8796
version_fixed: 1.17.1
gss_inquire_sec_context_by_oid(GSS_C_INQ_SSPI_SESSION_KEY) fails on
Windows because generic_gss_add_buffer_set_member() relies on the
ability to realloc() a null pointer. Unlike realloc(), HeapReAlloc()
requires an input pointer that (from the MSDN documentation) "is
returned by an earlier call to the HeapAlloc or HeapReAlloc function".
So gssalloc_realloc() must test for null inputs and call HeapAlloc()
instead.
Reported by Eric Pauly.
(cherry picked from commit d66b311093f1782c3610bbc77bd78fce411e8f79)
ticket: 8735
version_fixed: 1.17.1