In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(),
verify the Extra Count field of CFX wrap tokens against the encrypted
header. Reported by Jacob Champion.
In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext
length too short to contain the encrypted header and extra count
bytes. Reported by Jacob Champion.
In kg_unseal_iov_token(), separately track the header IOV length and
complete token length when parsing the token's ASN.1 wrapper. This
fix contains modified versions of functions from k5-der.h and
util_token.c; this duplication will be cleaned up in a future commit.
CVE-2024-37370:
In MIT krb5 release 1.3 and later, an attacker can modify the
plaintext Extra Count field of a confidential GSS krb5 wrap token,
causing the unwrapped token to appear truncated to the application.
CVE-2024-37371:
In MIT krb5 release 1.3 and later, an attacker can cause invalid
memory reads by sending message tokens with invalid length fields.
ticket: 9128 (new)
tags: pullup
target_version: 1.21-next
|
|
The initial implementation of IAKERB in MIT krb5 mistakenly used
draft-zhu-ws-kerb instead of draft-kitten-ietf-iakerb, and
additionally used the wrong ASN.1 tag value for the target-realm field
of the IAKERB-HEADER sequence. Correct the following aspects of the
protocol implementation:
* Require and use framing on all messages, not just the initial
context token.
* Use extension value 2 for the finish message instead of 1.
* Use key usage value 41 instead of 42 for the finish message
checksum.
* Use UTF8String (12) for target-realm instead of OCTET STRING (4).
With these changes, the IAKERB implementation is interoperable with
other krb5 implementations, but not with the implementation before
these changes.
ticket: 9123 (new)
|
|
Section 5.19 of RFC 2744 (about gss_init_sec_context) states,
"Initially, the input_token parameter should be specified either as
GSS_C_NO_BUFFER, or as a pointer to a gss_buffer_desc object whose
length field contains the value zero." In iakerb_initiator_step(),
handle both cases when deciding whether to parse an acceptor message.
[ghudson@mit.edu: edited commit message]
ticket: 9126 (new)
|
|
Commit 10eb93809b1af06e2b1147aee2e3e50058ba1bbd introduced a
formatting error in the SRV record descriptions. Fix it now.
[ghudson@mit.edu: wrote commit message]
ticket: 9125
tags: pullup
target_version: 1.21-next
|
|
When parsing a "}", do not ascend to the parent node if we are still
within a discarded section after decrementing group_level, as we did
not descend into a child node at the beginning of the subsection.
(Discovered by OSS-Fuzz.)
Also adjust the level check to take into account the shifted meaning
of state->group_level, so that we properly reject a "}" within a
top-level section.
Both bugs were introduced in commit
f951625e6bd3ff44f1056958b56e35a1a043e362.
|
|
[ghudson@mit.edu: style adjustments]
bigredbutton: whitespace
|
|
Add missing "r" prefixes before literals using regexp escape
sequences.
[ghudson@mit.edu: split into separate commit; rewrote commit message]
|
|
Add "void" designations to more function declarations and definitions
not changed by commits 3ae9244cd021a75eba909d872a92c25db490714d and
4b9d7f7c107f01a61600fddcd8cde3812d0366a2.
[ghudson@mit.edu: change additional functions; split into two commits;
rewrote commit message]
|
|
Add the sitename realm variable. If set, service location via DNS
will be attempted using the site name as specified in [MS-ADTS]
6.3.2.3, falling back to regular discovery on failure.
[ghudson@mit.edu: made this strictly a realm variable; moved
k5_get_sitename() to locate_kdc.c and made it take a krb5_data input;
fixed a memory leak; corrected documentation changes; fleshed out
commit message]
ticket: 9124 (new)
|
|
The Microsoft KERB_AP_OPTIONS_CBT extension (defined in [MS-KILE]
3.2.5.8) allows the client to request strict enforcement of GSS
channel bindings. Client support for this extension was added in
commit 225e6ef7f021cd1a8ef2a054af0ca58b7288fd81 (ticket 8900) but it
requires a configuration variable to be set. The choice to include
the extension should be made by the client application code, as it is
a promise to include channel bindings when operating within TLS.
In libkrb5, add an option AP_OPTS_CBT_FLAG to make
krb5_mk_req[_extended]() include KERB_AP_OPTIONS_CBT. In the GSS
initiator code, set this flag when the GSS_C_CHANNEL_BOUND flag is
included in the request options. GSS_C_CHANNEL_BOUND was introduced
in commit 429a31146083fac21958631c2af572b08ec91022 (ticket 8899) as an
acceptor output flag.
[ghudson@mit.edu: rewrote commit message; adjusted some names;
simplified GSS initiator bookkeeping; added documentation]
ticket: 9122 (new)
|
|
The profile library has two deconstructors, profile_release() and
profile_abandon(). profile_release() flushes in-memory changes to
backing files, while profile_abandon() does not. If a krb5_context
profile contains in-memory changes, they were copied from a profile
supplied to krb5_init_context_profile(), and the caller can decide
whether to flush them.
As profile_copy() is now a public function, remove the include of
prof_int.h and the associated LOCALINCLUDES setting in Makefile.in.
ticket: 9121 (new)
|
|
Replace the current implementation of profile_copy() with one that
copies the in-memory tree structure of non-shared data objects. Make
profile_copy() a public function.
ticket: 9119 (new)
|
|
The profile library normally attempts to reload a profile data tree if
the backing file has changed. Reloading a dirty profile object
discards any modifications made by the caller. If we assume that the
modifications are destined to be flushed back out to the backing file,
then there is no good answer--one or the other set of changes will be
lost. But the caller may have a different intended use for the
modified tree (profile_flush_to_file(), profile_flush_to_buffer(),
krb5_init_context_profile()), for which the caller's modifications may
be critical. Avoid discarding in-memory edits to ensure the
correctness of these use cases.
ticket: 9118
|
|
When parsing a file, ignore sections appearing after a final-flagged
section of the same name. Adjust the meaning of group_level in the
parser state so that it is 1 inside of top-level sections instead of
0, and simplify the addition of top-level sections to the tree by
relying on profile_add_node()'s section merging.
Make the final flag work for relations as well as sections. Check it
while parsing via a new check_final parameter in profile_add_node(),
and during iteration.
Output final flags for relations in dump_profile(). Make the final
flag available to it via a new output parameter in
profile_find_node_relation().
ticket: 9120
|
|
Add the notion of a memory-only prf_data_t object, indicated by an
empty filespec field and appropriate flags (do not reload, always
dirty, not part of shared trees). Do nothing when flushing a
memory-only data object to its backing file. When setting up an empty
profile for read/write access, create a memory-only data object
instead of crashing.
Move prf_data_t mutex initialization into profile_make_prf_data(),
simplifying its callers.
ticket: 9110
|
|
Commit f745c9a9bd6c0c73b944182173f1ac305d03dc3a uses ECDSA_SIG_set0(),
which was added in OpenSSL 1.1. Add a compatibility version for
OpenSSL 1.0.
Commit bdcd6075bd4593c8f67722ce075c9519faec58b7 uses
EVP_PKEY_get_base_id(), which was added in OpenSSL 3.0. Add a
compatibility macro to use the old name for OpenSSL 1.0 and 1.1.
Commit 0f870b1bcad960fd5319a3f97aafd7f4a289e2fb added ECDH support,
but did not change the OpenSSL 1.0 versions of encode_spki(),
decode_spki(), or generate_dh_pkey() to work with elliptic curve
public keys. In each function, check the key type and skip the
DH-specific handling for key types other than DH.
|
|
If the kadmin/history entry contains an unsupported encryption type,
produce a better error message than "Bad encryption type". Reuse the
error code KADM5_BAD_HIST_KEY (unused since release 1.8). Non-updated
kadmin clients will report the message "Password history principal key
version mismatch", which at least points in the direction of password
history.
ticket: 9116 (new)
|
|
Building with link-time optimization reveals some type mismatches in
the interface between libkrb5 serialization and the profile library,
as well as in consumers of the SS library. Fix them. Reported by Eli
Schwartz.
ticket: 9114
|
|
In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which
could probably never be triggered) leaks plain.data. Fix this leak
and use current practices for cleanup throughout the function.
In xmt_rmtcallres() (unused within the tree and likely elsewhere),
store port_ptr into crp->port_ptr as soon as it is allocated;
otherwise it could leak if the subsequent xdr_u_int32() operation
fails.
|
|
If the KDC tries to encode a principal containing invalid UTF-8
sequences for inclusion in a PAC delegation info buffer, it will leak
a small amount of memory in enc_wchar_pointer() before failing. Fix
the leak.
ticket: 9115 (new)
tags: pullup
target_version: 1.21-next
|
|
Create a helper p11err() to set extended error message for failed
PKCS11 operations, and use it instead of pkiDebug() and pkcs11error().
ticket: 9113 (new)
|
|
Move the digest computation and DigestInfo encoding from
cms_signeddata_create() to pkinit_sign_data_pkcs11(), and
conditionalize the DigestInfo encoding on the key type. Use CKM_ECDSA
instead of CKM_RSA_PKCS for EC keys, and convert the resulting
signature from the PKCS11 encoding to the ASN.1 encoding required by
CMS.
Regenerate the test certificates with an additional EC client cert.
Add test cases for EC client certs with and without PKCS11.
ticket: 9112 (new)
|
|
When generating CMS SignedData in PKINIT, check the certificate's
public key type and set the signatureAlgorithm field appropriately.
(This field is currently ignored by OpenSSL when verifying CMS
SignedData.)
ticket: 9111 (new)
|
|
In the _pkinit_identity_crypto_context structure, the my_certs field
is a stack which only ever contains one cert and is only ever used to
retrieve that one cert. The cert_index field is always 0. Replace
these fields with a my_cert field pointing directly to the X509
certificate.
Simplify crypto_cert_select_default() by making it call
crypto_cert_select() with index 0 after verifying the certificate
count.
|
|
softpkcs11 is no longer required for the test suite after the previous
commit, so remove it.
|
|
Instead of softpkcs11, use SoftHSMv2 to mock the PKCS11 token for
PKINIT tests. Use pkcs11-tool from OpenSC to initialize the token and
import a certificate and key. SoftHSM does not support PIN-less
tokens (see https://github.com/opendnssec/SoftHSMv2/issues/480) so
remove that test for now.
|
|
Commit 4b9d7f7c107f01a61600fddcd8cde3812d0366a2 added the
-Werror=strict-prototypes parameter to the build process, but left
behind 28 function definitions using "()" instead of "(void)". Most
of these definitions could not cause compiler errors for various
reasons (such as an accompanying prototype), but a few could cause
errors in gcc depending on the build configuration.
For consistency and safety, add "(void)" to all 28 definitions.
[ghudson@mit.edu: rewrote commit message]
|
|
In conf.py, exclude the formats directory (added in commit
68ac7ac1f1a1d2939a2c99fa49cecd734614d16d) when building notice.txt, to
prevent a "document isn't included in any toctree" warning.
|
|
Addition of a "cleanup" section in kinit's show_ccache() function as
part of commit 6c5471176f5266564fbc8a7e02f03b4b042202f8 introduced a
double-free bug, because defname is a global variable. After the
first call, successive calls may take place with a dangling pointer in
defname, which will be freed if krb5_cc_get_principal() fails.
Convert "defname" to a local variable initialized at the beginning of
show_ccache().
[ghudson@mit.edu: edited commit message]
|
|
In get_primary_name(), use the proper function to free conn.
[ghudson@mit.edu: wrote commit message]
ticket: 9109
tags: pullup
target_version: 1.21-next
|
|
Simplify the client and server PKINIT code by renaming
pkinit_alg_agility_kdf() to pkinit_kdf() and making it do RFC 4556
octet2string if alg_oid is null. Move responsibility for tracing
inside the new interface. Constify some parameters and remove some
unnecessary casts. Rename "key" to "secret" in several internal
functions to avoid confusion between the input DH secret and the
output key.
|
|
RSA mode is no longer needed for interoperability. Reduce the attack
surface of clients and KDCs by removing support for it.
ticket: 9108 (new)
|
|
The PKCS7 ContentInfo content field and EncryptedContentInfo
encryptedContent field are optional. Check for null values in
cms_envelopeddata_verify() before calling pkcs7_decrypt(). Reported
by Bahaa Naamneh.
ticket: 9107 (new)
tags: pullup
target_version: 1.21-next
target_version: 1.20-next
|
|
The version of Perl included in git-bash does not translate line
endings or filter out the end-of-file marker when reading from files
in text mode. Adjust def-check.pl to work in this environment.
|
|
When making a KDC or password change request, wait indefinitely
(limited only by request_timeout if set) once a KDC has accepted a TCP
connection.
ticket: 9105 (new)
|
|
Add a parameter to limit the total amount of time taken for a KDC or
password change request.
ticket: 9106 (new)
|
|
In sendto_kdc.c:service_fds(), if a message handler indicates that a
message should be discarded, kill the connection so we don't continue
waiting on it for more data.
ticket: 7899
|
|
Eliminate memory leaks detected through static analysis and manual
review. These leaks are unlikely to happen repeatedly in long-running
processes.
[jrische@redhat.com: fixed many additional leaks]
[ghudson@mit.edu: fixed additional leaks; edited for style; removed
some unused ksu functions; rewrote commit message]
|
|
ksu attempts to exit with the same status as its child process, but
does not do so correctly. Use WEXITSTATUS() to extract the exit code.
Reported by Todd Lubin.
ticket: 8618
|
|
Add a test script for ksu, which must be run under sudo and makes
potentially disruptive temporary changes to the host environment. Do
not run it as part of "make check", but do run it as part of the
GitHub Actions CI.
|
|
Doxygen 1.9.7 avoids duplicating member definitions in the XML
documents for groups and header files (doxygen/doxygen#9797). This
change breaks the current Doxygen-REST bridge, which expects to find
memberdef elements in krb5_8hin.xml. To work around this problem,
remove the @group and @ref declarations in krb5.hin; they were not
translated into REST as it was.
Also remove a deprecated setting in Doxyfile.
ticket: 9104 (new)
tags: pullup
target_version: 1.21-next
target_version: 1.20-next
|
|
krb5_cccol_have_content() calls krb5_cc_get_principal() within a loop,
and frees the resulting principal on success or failure. Set princ to
null before each call to ensure we don't free a dangling pointer.
[ghudson@mit.edu: rewrote commit message; moved assignment for greater
clarity]
ticket: 9103
tags: pullup
target_version: 1.21-next
target_version: 1.20-next
|
|
Fold pkinit_crypto_openssl.h into the one source file where it was
used. Also clean up the include of <arpa/inet.h>, as htonl() is no
longer used after commit 1c87ce6c44a9de0824580a2d72a8a202237e01f4.
|
|
Commit 9139a60c94c24e41109574e84e7cda9c2dc3fb38 added an unconditional
include of getopt.h, which is non-portable (it isn't present on HP-UX)
and unnecessary for getopt(). The same commit also disabled the
include of unistd.h (which is necessary for getopt()), as sim_client
no longer indirectly includes autoconf. Make the unistd.h include
unconditional and remove the getopt.h include.
[ghudson@mit.edu: edited commit message]
ticket: 9102 (new)
tags: pullup
target_version: 1.21-next
|
|
Requiring Python 3.4 gives us shlex.quote() (added in Python 3.3).
Use it in _shell_equiv() to quote command arguments.
|
|
When issuing a ticket for a TGS renew or validate request, copy only
the server field from the outer part of the header ticket to the new
ticket. Copying the whole structure causes the enc_part pointer to be
aliased to the header ticket until krb5_encrypt_tkt_part() is called,
resulting in a double-free if handle_authdata() fails.
[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
than check for aliasing before freeing; rewrote commit message]
CVE-2023-39975:
In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
free the same pointer twice if it can induce a failure in
authorization data handling.
ticket: 9101 (new)
tags: pullup
target_version: 1.21-next
|