Age | Commit message (Collapse) | Author | Files | Lines |
|
Commit 9139a60c94c24e41109574e84e7cda9c2dc3fb38 added an unconditional
include of getopt.h, which is non-portable (it isn't present on HP-UX)
and unecessary for getopt(). The same commit also disabled the
include of unistd.h (which is necessary for getopt()), as sim_client
no longer indirectly includes autoconf. Make the unistd.h include
unconditional and remove the getopt.h include.
[ghudson@mit.edu: edited commit message]
ticket: 9102 (new)
tags: pullup
target_version: 1.21-next
|
|
Requiring Python 3.4 gives us shlex.quote() (added in Python 3.3).
Use it in _shell_equiv() to quote command arguments.
|
|
When issuing a ticket for a TGS renew or validate request, copy only
the server field from the outer part of the header ticket to the new
ticket. Copying the whole structure causes the enc_part pointer to be
aliased to the header ticket until krb5_encrypt_tkt_part() is called,
resulting in a double-free if handle_authdata() fails.
[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
than check for aliasing before freeing; rewrote commit message]
CVE-2023-39975:
In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
free the same pointer twice if it can induce a failure in
authorization data handling.
ticket: 9101 (new)
tags: pullup
target_version: 1.21-next
|
|
The ssl.wrap_socket() function was deprecated in Python 3.7 and is
removed in Python 3.12. The ssl.SSLContext.wrap_socket() method
replaces it.
Bump the required Python version for tests to 3.4 for
ssl.create_default_context().
[ghudson@mit.edu: changed minimum Python version]
|
|
Elliptic curve certificates are already supported for PKINIT
pre-authentication, but their associated signature types aren't
advertized. Add ecdsa-with-sha512 and ecdsa-with-sha256 OIDs to the
supportedCMSTypes list sent by the client.
[ghudson@mit.edu: edited commit message]
ticket: 9100 (new)
|
|
The C2x standard removes support for non-prototype function
declarations, and clang 15 issues warnings for them
(https://reviews.llvm.org/D122895). Add -Werror=strict-prototypes to
the build and fix all of the non-prototype declarations and
definitions.
For RPC code, try to be consistent with libtirpc and recent *BSD
versions of rpcgen. This includes casting each time a concrete
function is used as an xdrproc_t value, since each XDR per-type
function accepts a different object pointer type. A few invocations
of xdrproc_t values pass a third argument with value LASTUNSIGNED,
even though XDR per-type functions accept only two parameters.
libtirpc has removed these third arguments; do so here as well.
[ghudson@mit.edu: added -Werror=strict-prototypes and fixed
declarations it breaks under gcc and clang; added xdrproc_t changes;
rewrote commit message; style changes]
|
|
Add support for elliptic curve key exchange to PKINIT (RFC 5349
section 4). Extend pkinit_dh_min_bits to allow the string values
"P-256", "P-384", and "P-521", using rough finite-field strength
equivalents to rank them relative to the Oakley Diffie-Hellman groups.
When processing TD-DH-PARAMETERS on the client, only accept the three
Oakley groups or the three supported elliptic curve groups.
Previously we accepted any Diffie-Hellman parameters that passed
EVP_PKEY_param_check()/DH_check() and had equal or better bit strength
to the original proposal.
ticket: 9095 (new)
|
|
Add an internal variant of krb5_sendto_kdc() which records the
answering KDC in a list. Callers can check the list for replica KDC
use after the success or failure of the KDC exchange is determined,
avoiding DNS queries for the primary KDCs in many common cases and
using fewer DNS queries in other cases.
Perform the fallback in k5_get_init_creds() rather than
krb5_get_init_creds_password(). For now we must additionally perform
the fallback in krb5_get_init_creds_keytab() as it does not use
k5_get_init_creds().
Preserve the current signature of krb5_sendto_kdc() (it is used within
the tree outside of libkrb5, and might be used by other software
despite being non-public), but remove the behavior of setting
*use_primary.
ticket: 7721
|
|
In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
key_data array count when decoding. Otherwise when the structure is
later freed, xdr_array() could iterate over the wrong number of
elements, either leaking some memory or freeing uninitialized
pointers. Reported by Robert Morris.
CVE-2023-36054:
An authenticated attacker can cause a kadmind process to crash by
freeing uninitialized pointers. Remote code execution is unlikely.
An attacker with control of a kadmin server can cause a kadmin client
to crash by freeing uninitialized pointers.
ticket: 9099 (new)
tags: pullup
target_version: 1.21-next
target_version: 1.20-next
|
|
OpenSSL may no longer allow decoding of non-well-known Diffie-Hellman
group parameters as EVP_PKEY objects in FIPS mode. However, OpenSSL
does not know about MODP group 2 (1024-bit), which is considered as a
custom group. As a consequence, the PKINIT kdcpreauth module fails to
load in FIPS mode.
Allow initialization of PKINIT plugin if at least one of the MODP
well-known group parameters successfully decodes.
[ghudson@mit.edu: minor commit message and code edits]
ticket: 9096 (new)
|
|
Update various checks to include "ARM64" and "_M_ARM64".
Remove a /BASE flag which fixes an "ARM64 image cannot have base
address below 4GB" error and which arguably shouldn't be used in
modern times since it prevents using dynamic base addresses.
ticket: 9094 (new)
|
|
|
|
|
|
|
|
|
|
In the certauth pluggable interface, add an extended init method which
receives the realm list.
ticket: 9090 (new)
|
|
Recognize the Red Hat passkey preauth mechanism in trace messages, and
add a declaration for it in krb5.h.
[ghudson@mit.edu: edited comment and commit message]
ticket: 9093 (new)
|
|
The Oracle database wire protocol contains a cipher reinitialization
operation using the ticket session key. Add a query operation
(similar to GSS_C_INQ_SSPI_SESSION_KEY) to retrieve the ticket session
key rather than the subkey.
ticket: 9091 (new)
|
|
Fixes a warning from autoconf 2.70 that $as_echo is obsolete.
|
|
The ubuntu-18.04 image no longer works on Github Actions. Run most
jobs on ubuntu-latest instead.
libresolv-wrapper does not work on ubuntu-22.04 at this time
(Launchpad bug #2015570), so don't install it for now. The URI
discovery tests will be skipped until this is rectified.
For the doc build, move doc-newest-sphix to ubuntu-latest; the Ubuntu
version doesn't matter much for this build as it downloads sphinx from
pypi.org. Move the doc-older-sphinx to ubuntu-22.04 (currently the
same as ubuntu-latest), skipping ubuntu-20.04 as its version of
doxygen (1.18.17) doesn't correctly the type declaration for
krb5_const_principal.
|
|
|
|
In __delpair(), the assignment to next_key is not used unless DEBUG is
defined, and the debugging assert can never fail--next_realkey() will
always return n + 1 as we just checked KEY_OFF(pagep, n + 1). Remove
the variable, the assert, and the otherwise unused next_realkey()
function. This change eliminates a warning issued by clang 14.
|
|
clang 14 issues a warning for having the next line at the same
indentation level as the if body.
|
|
binutils 2.37 makes --with-symbol-versions the default for nm. In
export-check.pl, remove the default symbol versions in the nm output
if they are present.
ticket: 9092 (new)
|
|
The KDC uses the first local TGT key for the privsvr and full PAC
checksums. If this key is of an aes-sha2 enctype in a cross-realm
TGT, a Microsoft KDC in the target realm may reject the ticket because
it has an unexpectedly large privsvr checksum buffer. This behavior
is unnecessarily picky as the target realm KDC cannot and does not
need to very the privsvr checksum, but [MS-PAC] 2.8.2 does limit the
checksum key to three specific enctypes.
As a workaround, add a string attribute which can force the privsvr
key to use a specified enctype using key derivation when issuing
tickets to that principal. This attribute can be set on cross-realm
TGT entries when the target realm uses Active Directory and the local
TGT uses an aes-sha2 primary key.
ticket: 9089 (new)
|
|
In get_negTokenInit(), reject a zero-length mechTypes field before
copying it into *der_mechSet, to prevent allocating a zero-length GSS
buffer.
|
|
Use dynamic k5buf structures to replace the two uses of the TWRITE_
macros, and replace the uses of TREAD_ macros with the equivalent
pointer assignments.
|
|
Remove the DER implementations in lib/gssapi and use k5-der.h instead.
|
|
|
|
Remove the invariant that buf.data is always zero-terminated, to allow
marshalling of binary data into precisely allocated fixed regions.
Add k5_buf_cstring() to zero-terminate the buffer and retrieve the
data pointer. Adjust all callers that build C strings appropriately.
Add a k5_buf_add_byte() convenience wrapper alongside the integer
marshalling wrappers. Change k5_buf_init_fixed() to accept a void
pointer so it can more conveniently be used with uint8_t arrays.
|
|
|
|
ticket: 9088 (new)
|
|
Put the version and buffers directly in krb5_pac_data to avoid using a
variable-length array. Use k5input for krb5_pac_parse(). Adjust some
names and comments.
|
|
|
|
In krb5_dbe_def_encrypt_key_data(), when we free
key_data->key_data_contents[0], reset it to null so the caller doesn't
free it as well.
Since commit a06945b4ec267e8b80e5e8c95edd89930ff12103 this bug
manifests as a double-free during KDB creation if master key
encryption fails.
[ghudson@mit.edu: edited commit message]
ticket: 9086 (new)
tags: pullup
target_version: 1.20-next
|
|
In sim_client.c, remove the calls to krb5_gen_portaddr() and
krb5_gen_replay_name() as they don't do anything after commit
dcb853ac32779b173f39e19c0f24b0087de85771. Remove them, and include
krb5.h plus appropriate system headers rather than k5-int.h.
Also use a subkey when negotiating the auth context. Kerberos
application protocols should generally use subkeys to prevent
cross-connection replay attacks.
|
|
Commit d3356bc42191c1896ab06835a2fb245e00471420 (ticket 8927)
incorrectly tagged tMERIDIAN as <Number>. So while the lexer assigns
meridian values to the Meridian union field, the parser erroneously
reads them from the Number field. On 64-bit IBM zSystems (s390x),
this can result in using the most recently read number as a meridian
value, leading to an abort in ToSeconds().
Fix the tMERIDIAN token type to be <Meridian>.
[ghudson@mit.edu: edited commit message]
ticket: 9087 (new)
tags: pullup
target_version: 1.20-next
|
|
Fix three read overruns discovered by the GitHub Security Lab team
(GHSL-2023-016, GHSL-2023-017, and GHSL-2023-018) using OSS-Fuzz.
In get_mech_set(), error out if gss_add_oid_set_member() fails rather
than continue the loop and increment i past the current bound of
returned_mechSet. In g_verify_neg_token_init(), check for zero-byte
sequences before reading tag bytes, and reduce cur_size by one to
account for the tag byte when calling gssint_get_der_length().
ticket: 9085 (new)
tags: pullup
target_version: 1.20-next
target_version: 1.19-next
|
|
Very occasionally a test using expired tickets will fail because the
ticket isn't seen as expired. Obtain tickets with a longer expiration
margin to avoid these failures.
|
|
|
|
A paper by Tom Tervoort noted that computing the PAC privsvr checksum
over only the server checksum is vulnerable to collision attacks
(CVE-2022-37967). In response, Microsoft has added a second KDC
checksum over the full contents of the PAC. Generate and verify full
KDC checksums in PACs for service tickets. Update the t_pac.c ticket
test case to use a ticket issued by a recent version of Active
Directory (provided by Stefan Metzmacher).
ticket: 9084 (new)
|
|
A paper by Tom Tervoort noted that rc4-hmac pre-hashes the input for
its checksum and GSS operations before applying HMAC, and is therefore
potentially vulnerable to hash collision attacks if a protocol
contains a restricted signing oracle.
In light of these potential attacks, begin the functional deprecation
of DES3 and RC4 by disallowing their use as session key enctypes by
default. Add the variables allow_des3 and allow_rc4 in case
negotiability of these enctypes for session keys needs to be turned
back on, with the expectation that in future releases the enctypes
will be more comprehensively deprecated.
ticket: 9081
|
|
To facilitate negotiating session keys with acceptable security,
assume that services support aes256-cts-hmac-sha1 unless a
session_enctypes string attribute says otherwise.
ticket: 9075
|
|
Rewrite parts of database.rst and appl_servers.rst to avoid including
full option descriptions from the (already linked) man pages.
|
|
Commit 70f61d417261ca17efe3d60d180033bea2da60b0 updated the
CMS_verify() error code checks, using two error codes new to OpenSSL
3.0 (RSA_R_DIGEST_NOT_ALLOWED and CMS_R_UNKNOWN_DIGEST_ALGORITHM).
This change broke the build for OpenSSL 1.0 and 1.1.
Instead of looking for codes indicating an algorithm issue and
assuming that everything else is an invalid signature, check for the
code indicating an invalid signature and assume that everything else
is an algorithm issue.
ticket: 9069
|
|
In osa_adb_open_and_lock(), if the btree dbopen() call returns EINVAL
or EFTYPE and the fallback hash dbopen() call also returns an error,
release the lock and return an error instead of returning success with
a null database.
ticket: 9082 (new)
|
|
ticket: 9083 (new)
tags: pullup
target_version: 1.20-next
target_version: 1.19-next
|
|
|
|
Only validate the message as a UTF-8 string, rather than normalizing
it.
|
|
Line continuations cause issues for the awk in MinGW, so just have
long lines instead.
[ghudson@mit.edu: rewrote commit message; factored out some string
constructions for readability]
|