| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
draft-ietf-krb-wg-pkinit-alg-agility-07 specifies
KDC_ERR_NO_ACCEPTABLE_KDF as 82, but this value conflicts with
KRB_AP_ERR_PRINCIPAL_UNKNOWN from RFC 6111. The former value has been
reassigned to 100 to fix the conflict. Use the correct value.
We believe that this error won't crop up in practice for a long time
(when SHA-2 has been superceded by other hash algorithms and people
are desupporting it), by which time implementations will mostly have
been upgraded to use the new value.
(cherry picked from commit 2938851a5ec77ab68bcd1f5cfd07991c7ccabea6)
ticket: 7725 (new)
version_fixed: 1.10.7
status: resolved
|
|
The Acceptor Names project (#6855) extended krb5_rd_req so that it can
accept a "matching principal" in the server parameter. If the
matching principal has an empty realm, rd_req_decoded_opt attempted to
do transited checking with an empty server realm.
To fix this, always reset server to req->ticket->server for future
processing steps if we decrypt the ticket using a keytab.
decrypt_ticket replaces req->ticket->server with the principal name
from the keytab entry, so we know this name is correct.
Based on a bug report and patch from nalin@redhat.com.
(cherry picked from commit 57acee11b5c6682a7f4f036e35d8b2fc9292875e)
[tlyu@mit.edu: removed test due to k5test.py incompatibility]
ticket: 7649 (new)
version_fixed: 1.10.6
status: resolved
|
|
Found by clang's warnings.
(cherry picked from commit 18796a2eb6c05706c6635453b3e425955aab93f4)
ticket: 7606 (new)
version_fixed: 1.10.5
status: resolved
|
|
gssrpc raw services could not work because svcraw_create did not set
svcraw_private after allocating memory for it.
[ghudson@mit.edu: commit message, patch splitting]
(cherry picked from commit 5e3bf4ac6cb02601c5f10c5b2804fd5028c80119)
ticket: 7582 (new)
subject: Minor pointer management patches
|
|
gss_str_to_oid wasn't outputting any bytes for a zero-valued arc. It
should output one byte with value 0.
[ghudson@mit.edu: commit message]
(cherry picked from commit 54fa4433df7412267375240aba40959e97ac4fe2)
ticket: 7579 (new)
version_fixed: 1.10.4
status: resolved
|
|
(cherry picked from commit 74bee54227deb64a41c2e79f57dd2a2c5ea010a3)
ticket: 7578 (new)
version_fixed: 1.10.4
status: resolved
|
|
Result code 0 used to be converted properly by krb5_set_password,
though not krb5_change_password; this changed in 1.10 when
krb5int_setpw_result_code_string was folded into
krb5_chpw_result_code_string. Restore the old behavior, and make it
apply to krb5_change_password as well, by making
krb5_chpw_result_code_string convert result code 0.
[ghudson@mit.edu: commit message]
(cherry picked from commit 316bf74b4696058e2b60c95c9d0fc90d6c2c2ffe)
ticket: 7576 (new)
version_fixed: 1.10.4
status: resolved
|
|
In krb5_auth_con_initivector and mk_priv/rd_priv, stop assuming that
the enctype's block size is the size of the cipher state. Instead,
make and discard a cipher state to get the size.
(cherry picked from commit 8d01455ec9ed88bd3ccae939961a6e123bb3d45f)
ticket: 7575 (new)
version_fixed: 1.10.4
status: resolved
|
|
In kdc_util.c and spnego_mech.c, error returns from ASN.1 length
functions could be ignored because they were assigned to unsigned
values. In spnego_mech.c, two buffer size checks could be rewritten
to reduce the likelihood of pointer overflow. In dump.c and
kdc_preauth.c, calloc() could be used to simplify the code and avoid
multiplication overflow. In pkinit_clnt.c, the wrong value was
checked for a null result from malloc(), and the code could be
simplified.
Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>.
(cherry picked from commit d3c5450ddf0b20855e86dab41735d56c6860156b)
[tlyu@mit.edu: omitted pkinit and kdb5_util fixes because they're not
conservative]
ticket: 7545 (new)
version_fixed: 1.10.4
status: resolved
|
|
gcc 4.6.2 reportedly finds some spurious maybe-uninitialized warnings.
Suppress them. Patch from Eray Aslan with some adjustment.
(cherry picked from commit cc2f16af06800bf9882c1589d3d6e9b8f19b6d6f)
ticket: 7543 (new)
version_fixed: 1.10.4
status: resolved
|
|
asserts may be compiled out with -DNDEBUG, so it's wrong to use an
assert expression with an important side effect.
(We also have scores of side-effecting asserts in test programs, but
those are less important and can be dealt with separately.)
(cherry picked from commit 221cd4a23691601a14500bc00146c265b50bdc94)
ticket: 7542 (new)
version_fixed: 1.10.4
status: resolved
|
|
Recent versions of gcc can generate a maybe-uninitialized warning from
bison output instead of a regular uninitialized warning. Suppress
both. Fix from nalin@redhat.com.
(cherry picked from commit d4f98cdd40559620531622c9c6d988f6aa850bd0)
ticket: 7541 (new)
version_fixed: 1.10.4
status: resolved
|
|
As the file ccache implementation currently stands, we don't want to
turn off TC_OPENCLOSE on a file cache we're writing to, or it will be
opened read-only and stores to it will fail. Reported by Russ
Allbery.
(cherry picked from commit 0ae663d35b7dcbf2c469ad0688a67f4d1c0e425e)
ticket: 7538 (new)
version_fixed: 1.10.4
status: resolved
|
|
Use krb5int_copy_data_contents_add0 when copying a pa-pw-salt or
pa-afs3-salt value in pa_salt(). If it's an afs3-salt, we're going to
throw away the length and use strcspn in krb5int_des_string_to_key,
which isn't safe if the value is unterminated.
(cherry picked from commit f566fee75f2455d6e5e7ee4fcdf5a0d327808639)
ticket: 7537 (new)
version_fixed: 1.10.4
status: resolved
|
|
In get_in_tkt.c, a time offset is computed between the KDC's auth_time
and the current system time after the reply is decrypted. Time may
have elapsed between these events because of a gak_fct invocation
which blocks on user input. The resulting spurious time offset can
cause subsequent TGS-REQs to fail and can also cause the end time of
the next AS request to be in the past (issue #889) in cases where the
old ccache is opened to find the default principal.
Use the system time, without offset, for the request time of an AS
request, for more predictable kinit behavior. Use this request time,
rather than the current time, when computing the clock skew after the
reply is decrypted.
(cherry picked from commit 37b0e55e21926c7875b7176e24e13005920915a6)
ticket: 7528 (new)
version_fixed: 1.10.4
status: resolved
|
|
Revision fcdd2de1 added the K5_KEY_GSS_KRB5_ERROR_MESSAGE key, and
registered it in the gssapi library initialization routine, but
did not unregister it in the libary finalization routine.
When the library is unloaded and reloaded in the same process,
this leads to an assertion failure, since we check that
destructors_set[keynum] is zero (no destructor set) when registering
a key in util/support/threads.c.
Unregister the key on library cleanup to resolve the error.
(cherry picked from commit 4ab584c830024757cc628b1783dde6220a9fec6d)
ticket: 7353
version_fixed: 1.10.4
status: resolved
|
|
In the MSLSA cache, if we get back a zero-length ticket, don't
accept it as success; continue on to try and get an acceptable
ticket.
(cherry picked from commit cd58adf4b0f52d0293ec8bf9d7d3e87bd1e6ce3f)
ticket: 7349
version_fixed: 1.10.4
status: resolved
|
|
We can't mix the KRB5 and CC error constants; standardize on the CC ones
and translate appropriately.
(cherry picked from commit c326061409d6e48e68808e6f37b243e4f7356935)
ticket: 7339
version_fixed: 1.10.4
status: resolved
|
|
It is not really clear this is correct, but neither was the
previous behavior.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
(cherry picked from commit c654e9c7436cdd57cb61c0bd29b26c79e3675a01)
ticket: 7255
status: resolved
|
|
We used to explicitly check if a process was UAC-limited and deny all
access to the TGT in that case; however, this makes the MSLSA cache
effectively useless.
Do not try to outsmart UAC, and let it do its own checking -- this allows
UAC-limited access to the MSLSA ccache, which should mean read-write
access to service tickets, and write-only access to the TGT.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
[kaduk@mit.edu: delete instead of comment out, move comment.]
(cherry picked from commit 8020c64554dd25a4f09df8a28dca924c6ecb5608)
ticket: 7254
status: resolved
|
|
Only one mslsa ccache is supported, so switch_to is not needed.
Likewise, struct krb5int_lcc_iterator is unneccesary.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
(cherry picked from commit c19826ccddd0d712ca581d67cdcf317c36dfaa85)
ticket: 7236
version_fixed: 1.10.4
status: resolved
|
|
The source file preauth_sam2.c is not present on the krb5-1.10 branch,
so don't try building it.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
[tlyu@mit.edu: clarify commit message]
ticket: 7277 (new)
version_fixed: 1.10.4
status: resolved
|
|
krb5_gss_export_name uses malloc to construct a gss_buffer_desc value,
and should use gssalloc_malloc instead.
(cherry picked from commit e54c8d7e6c6185ff4d0e1b472f98897c2e3fc5b3)
ticket: 7233
version_fixed: 1.10.4
status: resolved
|
|
Fix some GSSAPI buffer allocations which were missed in
800358b1790ef82710af0b6021c6ff2dca2b0de7: gss_export_sec_context,
gss_display_name, and IAKERB and SPNEGO token construction.
(cherry picked from commit 45e4eaa298e0dcebef46d07a6acb54cd9affb2ca)
ticket: 7233
|
|
In gssint_import_internal_name, don't map the minor code from
mech->gss_duplicate_name if it returned successfully. Fixes an
"unexpected non-zero minor status" error reported by SAP's gsstest
when it invokes gss_canonicalize_name().
(cherry picked from commit a02fcceeaeab1441d815255d569aaa6c193c2725)
ticket: 7194
version_fixed: 1.10.4
status: resolved
|
|
Use gssapi calls to construct the oid sets. It is not safe on windows
to use malloc to hand-construct the set and then call gss_release_oid_set()
to clean it up.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
(cherry picked from commit 4cfdf8da69f52c778af4faaea663981a67634bb6)
ticket: 7227
version_fixed: 1.10.3
status: resolved
|
|
Fix KDC heap corruption and crash vulnerabilities [MITKRB5-SA-2012-001
CVE-2012-1014 CVE-2012-1015].
CVE-2012-1015: The cleanup code in kdc_handle_protected_negotiation()
in kdc_util.c could free an uninitialized pointer in some error
conditions involving "similar" enctypes and a failure in
krb5_c_make_checksum(). Initialize the pointer correctly.
Additionally, adjust the handling of "similar" enctypes to avoid
advertising enctypes that could lead to inadvertent triggering of
CVE-2012-1015 (possibly in unpatched KDCs).
CVE-2012-1014: process_as_req() could encounter an error condition
(typically a malformed AS-REQ message) that could cause its cleanup
code to dereference an uninitialized pointer, causing a crash.
Initialize the pointer correctly.
ticket: 7226 (new)
version_fixed: 1.10.3
status: resolved
|
|
For MSVC compatibility
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
(cherry picked from commit 0552f29887201227788d1ca3df9d2b2c4f2447d2)
ticket: 7208
version_fixed: 1.10.3
status: resolved
|
|
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
(cherry picked from commit 5ae666d1591f5ab8bc1182d053cdda7ce9a855d2)
ticket: 7207
version_fixed: 1.10.3
status: resolved
|
|
(cherry picked from commit 7c3ecf5c77e33f6d04d6226b041071c6ce23b062)
ticket: 7150
version_fixed: 1.10.3
status: resolved
|
|
Don't treat an error returned by krb5_parse_name as a cc-internal error.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
(cherry picked from commit fbe77b2c7d4340097690cbed7b48fd9888feacd4)
ticket: 7214
version_fixed: 1.10.3
status: resolved
|
|
Also implement switch_to stub
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
(cherry picked from commit 218193bb93d8cf9fd82087533c45602b6a8c5151)
Fix macro redefinition warnings in cc_mslsa.c
Include ntstatus.h and define WIN32_NO_STATUS before including winnt.h
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
(cherry picked from commit ee6fbe222b34b28c617d4e6df994700af471b1b6)
fix leak in cc_mslsa.c
cc_name needs to be freed in krb5_lcc_close().
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
(cherry picked from commit dcd9202f058830eacbbdfd0dd26bd82d8101e8fd)
ticket: 7213
version_fixed: 1.10.3
status: resolved
|
|
Also change parameter types to eliminate casts.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
(cherry picked from commit 7acb524f5aa00274771dbbfac19d2dd779aad409)
ticket: 7212
version_fixed: 1.10.3
status: resolved
|
|
USE_CCAPI_V3 provides cccol iteration support for ccapi.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
(cherry picked from commit 227a1b093cb22eb7c6d7fee0759f28816572db70)
Build lib/krb5/ccache/ccapi on Windows only
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
(cherry picked from commit 8c3d2bfab7017a587d0c9a7de262cdcf18ce21c8)
ticket: 7209
version_fixed: 1.10.3
status: resolved
|
|
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
(cherry picked from commit d319617ba9dd1256784fe325ae5a3858cf4603e7)
ticket: 7203
version_fixed: 1.10.3
status: resolved
|
|
Set the default credential cache name for all processes for the current
user. Currently implemented, for windows only, by setting
HKEY_CURRENT_USER\Software\MIT\Kerberos5:ccname to the specified
ccache name. This will not override the environment variable 'KRB5CCNAME'.
It will override HKEY_LOCAL_MACHINE and 'indirect' registry values.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
(cherry picked from commit 80097093062822dde3f1140d250023576e52f59c)
ticket: 7199
version_fixed: 1.10.3
status: resolved
|
|
krb5_stdccv3_switch_to() calls cc_ccache_set_default().
krb5_stdccv3_resolve() checks for NULL or empty residual and calls
cc_context_get_default_ccache_name() in those cases.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
(cherry picked from commit 2648a94ea1cf3dec91186dfec59b75de9dac793d)
ticket: 7198
version_fixed: 1.10.3
status: resolved
|
|
If read_primary_file() fails with an error other than ENOENT, abort
cache resolution rather than dereferencing a null pointer. Reported
by Oliver Loch.
(cherry picked from commit 036ca94bdc00cc8eb248dc5c0da85ab556d3373e)
ticket: 7185
version_fixed: 1.10.3
status: resolved
|
|
In r21879, when we converted to using KRB5_CONF macros for profile
variable names, we made a typo in krb5_get_tgs_ktypes and erroneously
started using default_tkt_enctypes instead of default_tgs_enctypes for
TGS requests. Fix the typo and return to the documented behavior.
(cherry picked from commit 627ed34ba368fe989b7498bddf9d9dae40d76135)
ticket: 7155
version_fixed: 1.10.3
status: resolved
|
|
|
|
The fix for #6626 could cause kadmind to dereference a null pointer if
a create-principal request contains no password but does contain the
KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
name"). Only clients authorized to create principals can trigger the
bug. Fix the bug by testing for a null password in check_1_6_dummy.
CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C
[ghudson@mit.edu: Minor style change and commit message]
(cherry picked from commit c5be6209311d4a8f10fda37d0d3f876c1b33b77b)
ticket: 7152
version_fixed: 1.10.2
status: resolved
|
|
Although there are few legitimate reasons to use gss_mech_krb5_wrong,
it's declared in the public header and exported in the Windows DLL.
So export it from the Unix library as well.
(cherry picked from commit 9b693c2c5370a3a792f594ccb08475465438cd19)
ticket: 7148
version_fixed: 1.10.2
status: resolved
|
|
In 1.10, encrypted timestamp became a built-in module instead of a
hardcoded padata handler. This changed the behavior of
krb5_get_init_creds as invoked by s4u_identify_user such that
KRB5_PREAUTH_FAILED is returned instead of the gak function's error.
(Module failures are not treated as hard errors, while hardcoded
padata handler errors are.) Accordingly, we should look for
KRB5_PREAUTH_FAILED in s4u_identify_user.
On a less harmful note, the gak function was returning a protocol
error code instead of a com_err code, and the caller was testing for a
different protocol error code (KDC_ERR_PREAUTH_REQUIRED) which could
never be returned by krb5_get_init_creds. Clean up both of those by
returning KRB5_PREAUTH_FAILED from the gak function and testing for
that alone.
Reported by Michael Morony.
(cherry picked from commit 33a64a7f9dc7342880f7a477a8b3447891d20af5)
ticket: 7136
version_fixed: 1.10.2
status: resolved
|
|
krb5_set_trace_callback and krb5_set_trace_filename were added to
krb5.h in krb5 1.9, but were mistakenly left out of the library export
lists. Add them now. Reported by Russ Allbery.
(backported from commit 61e6ab231b75f7ac3ff8967f002436e48ce05620)
ticket: 7143
version_fixed: 1.10.2
status: resolved
|
|
When canonicalizing a principal, use AI_CANONNAME alone in the hint
flags for getaddrinfo, for two reasons. First, it works around a gnu
libc bug where getaddrinfo does a PTR lookup for the canonical name
(we tried to work around this in r24977 bug the addition of
AI_ADDRCONFIG caused the same problem as the use of AF_INET). Second,
an IPv4-only host should be able create a principal for an IPv6-only
host even if it can't contact the host.
This does result in extra AAAA queries in the common case (IPv4-only
host contacting IPv4-only service), which is unfortunate. But we need
to leave that optimization up to the platform at this point.
(cherry picked from commit c3ab5fe0b01a68b14d5657740006488721b48b7b)
ticket: 7124
version_fixed: 1.10.2
status: resolved
|
|
This fix is not very general or clean, but is suitable for backporting
because it is minimally invasive. A more comprehensive fix will
follow.
(cherry picked from commit b9ff95a51ef11742abc9687a70b6d8324eda6803)
ticket: 7127
version_fixed: 1.10.2
status: resolved
|
|
Correctly set the name-type for the TGS principals to KRB5_NT_SRV_INST
in TGS-REQs. (Previously, only AS-REQs had the name-type set in this
way.) Windows Server 2008 R2 read-only domain controllers (RODCs)
insist on having the correct name-type for the TGS principal in
TGS-REQs as well as AS-REQs, at least for the TGT-forwarding case.
Thanks to Sebastian Galiano for reporting this bug and helping with
testing.
(cherry picked from commit 5994d8928b8ff88751b14bc60c7d7bfce8b30e57)
ticket: 7120
version_fixed: 1.10.2
status: resolved
|
|
Initialize use_count fields in krb5_preauth_request_context_init,
which is invoked before each AS request. Previously they were
initialized only in krb5_init_preauth_context, which is only invoked
once per krb5 library context.
(cherry picked from commit f469d77cc53c43a2e85f80ab3cf68caa82c4d24b)
ticket: 7119
version_fixed: 1.10.2
status: resolved
|
|
A database created prior to 1.3 will have multiple password history
keys, and kadmin prior to 1.8 won't necessarily choose the first one.
So if there are multiple keys, we have to try them all. If none of
the keys can decrypt a password history entry, don't fail the password
change operation; it's not worth it without positive evidence of
password reuse.
(backported from commit 2782e80a12bccd920fa71e23166ac97c4470a637)
ticket: 7099
version_fixed: 1.10.2
status: resolved
|
|
------------------------------------------------------------------------
r25730 | ghudson | 2012-03-05 12:35:14 -0500 (Mon, 05 Mar 2012) | 15 lines
ticket: 7098
subject: Fix spurious password expiry warning
target_version: 1.9.4
tags: pullup
r24241 (#6755) introduced a bug where if the KDC sends a LastReq entry
containing an account expiry time, we send a prompter warning for
password expiry even if there was no entry containing a password
expiry time. Typically, this results in the message "Warning: Your
password will expire in less than one hour on Thu Jan 1 12:00:00
1970".
Fix this by explicitly checking for pw_exp == 0 in warn_pw_expiry()
after we've gotten past the conditional for invoking the callback.
ticket: 7098
version_fixed: 1.10.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25741 dc483132-0cff-0310-8789-dd5450dbe970
|
