Age | Commit message (Collapse) | Author | Files | Lines |
|
In read_secret_file() in the OTP kdcpreauth module, add a cleanup
label and free filename on exit. Also fix the whitespace stripping
code to correctly find the end offset, and use size_t rather than int
offsets. The leak was reported by Bean Zhang.
ticket: 8704
tags: pullup
target_version: 1.16-next
target_version: 1.15-next
|
|
In otp_state.c:callback(), avoid invoking the failure callback when we
fall back to the next token. Since request_send() consumes the
request, don't try to free it.
[ghudson@mit.edu: added test case; edited commit message]
ticket: 8708
tags: pullup
target_version: 1.16-next
target_version: 1.15-next
|
|
'register' is a reserved and unused keyword in C++17 so having it
present in the public headers presents a a compatibility issue. Also
in C the 'register' keyword is mostly obsolete, so remove all uses of
it.
[ghudson@mit.edu: adjusted style of some of the affected lines]
|
|
For now only the edwards25519 group is supported, since we are not
adding an OpenSSL dependency.
ticket: 8657
|
|
Add a new KDB module using LMDB. For this module, combine policy and
principal databases into one environment with two databases, but split
out principal lockout fields into a separate environment so that
nothing blocks KDC writes for more than a trivial amount of time.
ticket: 8674 (new)
|
|
Commit 46ff765e1fb8cbec2bb602b43311269e695dbedc (for ticket 8528)
broke rule-based matching of UPN SANs using the <SAN> rule type. To
fix this regression, make crypto_retrieve_cert_sans() return UPN SANs
in their original string form, and only parse them into principal
names in pkinit_srv.c:verify_client_san(). In
pkinit_cert_matching_data, store UPN SANs as strings separately from
PKINIT SANs instead of concatenating them together, and match original
UPN strings against <SAN> rule regexps. Add a test case.
ticket: 8670
tags: pullup
target_version: 1.16-next
|
|
Add a new callback disable_fallback() and call it from each clpreauth
module when it generates a client message using credentials to
authenticate. (For SPAKE, this is the message responding to a
challenge; for all other current mechanisms, it is the first and only
client message.) If disable_fallback() is called, do not try another
mechanism after a KDC error.
Remove k5_reset_preauth_types_tried() and its call sites, so that
preauth mechanisms which are tried optimistically will no longer be
retried after a failure.
ticket: 8654
|
|
Asking for the AS key too early can result in password prompts in
situations where SPAKE won't proceed, such as when the KDC offers only
second factor types not supported by the client.
In spake_prep_questions(), decode the received message and make sure
it's a challenge with a supported group and second factor type
(SF-NONE at the moment). Save the decoded message and use it in
spake_process(). Do not retrieve the AS key at the beginning of
spake_process(); instead do so in process_challenge() after checking
the challenge group and factor types.
Move contains_sf_none() earlier in the file so that it can be used by
spake_prep_questions() without a prototype.
ticket: 8659
|
|
In the NIST group implementations, ossl_fini() needs to free the
groupdata container as well as its fields. Also in
spake_kdc.c:parse_data(), initialize the magic field of the resulting
data object to avoid a harmless uninitialized memory copy.
ticket: 8647
|
|
This is an implementation of draft-ietf-kitten-krb-spake-preauth-05.
SPAKE preauth authenticates using the client principal long-term key,
but protects against offline dictionary attacks.
SPAKE preauth negotiates a group for use by the SPAKE2 algorithm. The
edwards25519 group is implemented using code adapted from BoringSSL.
The P-256, P-384, and P-521 groups are implemented against OpenSSL.
edwards25519 is enabled by default on the client; no groups are
enabled by default on the KDC.
SPAKE preauth can also include a second factor. Second factor support
isn't included in this implementation; comments have been left to
indicate what should change when it is added in.
Integration tests (tests/t_spake.py) are included with good coverage
of the negotiation scenarios.
Test vectors from the draft are checked against the group's "result"
operation. The "keygen" operation is inherently random and is
therefore not tested against the vectors, but is effectively exercised
by the integration tests.
KDC optimistic challenge is implemented. In the future we should
implement client optimistic SPAKE as well; this will require changes
to the generic client preauth framework.
In the future we should add per-realm configuration to deny encrypted
timestamp and encrypted challenge on a per-realm basis. This
configuration should stick across client realm referrals.
In the future we should avoid attempting encrypting timestamp or
encrypted challenge if the KDC replies to a single-factor
SPAKEResponse message with PREAUTH_FAILED. This will require a change
to the generic client preauth framework.
In the future we should make SPAKE support apply to the Windows build,
either by adding support for building plugin DLLs or by moving the
edwards25519 and client code to libkrb5.
[npmccallum@redhat.com: split up internal headers; split out group
registry contents; implemented P-384 and P-521]
ticket: 8647 (new)
|
|
Send a freshness token in the preauth hint list if PKINIT is
configured and the request padata indicates support. Verify the
freshness token if the client includes one in a PKINIT request, and
log whether one was received. If pkinit_require_freshness is set to
true in the realm config, reject non-anonymous requests which don't
contain a freshness token.
Add freshness token tests to t_pkinit.py with some related changes.
Remove client long-term keys after testing password preauth so we get
better error reporting when pkinit_require_freshness is set and a
token is not sent. Remove ./responder invocations for test cases
which don't ask PKINIT responder questions, or else the responder
would fail now that it isn't being asked for the password. Leave
anonymous PKINIT enabled after the anonymous tests so that we can use
it again when testing enforcement of pkinit_require_freshness. Add
expected trace messages for the basic test, including one for
receiving a freshness token. Add minimal expected trace messages for
the RSA test.
ticket: 8648
|
|
Send an empty PA_AS_FRESHNESS padata item in unauthenticated AS
requests to indicate support for RFC 8070. If the KDC includes a
PA_AS_FRESHNESS value in its method data, echo it back in the new
freshnessToken field of pkAuthenticator
ticket: 8648
|
|
In pkinit_crypto_openssl.c, remove hex_string_to_bin() (recently added
for ease of backporting) and instead use k5_hex_decode() in
pkinit_get_certs_pkcs11(). Change the type of cert_id and cert_id_len
in pkinit_identity_crypto_context to avoid needing type conversion
intermediates.
|
|
When parsing a PKCS11 token specification, correctly convert from hex
to binary instead of using OpenSSL bignum functions (which would strip
leading zeros).
[ghudson@mit.edu: made hex_string_to_bin() a bit less verbose; wrote
commit message]
ticket: 8636
|
|
|
|
Apply current practices for output parameter handling and memory
management to client_create_dh(), client_process_dh(), and
server_process_dh(). Initialize the output arguments at the
beginning, use local variables to hold their values until success is
guaranteed, and transfer memory to the output arguments at the end.
Use a cleanup label which runs on both success and failure.
The client_create_dh() cleanup code conditionalizes on retval, which
we usually try to avoid, as it needs to clean up a cryptoctx field on
error only.
[ghudson@mit.edu: wrote commit message; added similar changes to
client_create_dh() and client_process_dh()]
|
|
The pkinit_identity_crypto_context creds field contains a collection
of cert info deduced from configuration, and is used to select the
identity certificate on the client and the KDC. Its lifetime is
managed separately from the context, by crypto_load_certs() and
crypto_free_cert_info().
Prior to commit 60426439f672fe273ceead17910f818da1954c5b, the lifetime
was managed purely within pkinit_identity_initialize(). When that
function now split into two phases, pkinit_identity_initialize() began
leaving the creds array around unnecessarily. The client calling
function made its own call to free the creds array, but this was not
done by the KDC calling function. The result was that the creds array
was overwritten in pkinit_identity_prompt(), leaking a small amount of
memory at KDC startup. This leak is trivial, but adds noise to leak
detection tools.
Fix the leak by freeing the creds array in
pkinit_identity_initialize() before returning, and remove the
no-longer-necessary call in pkinit_client_prep_questions(). In the
longer term, it might be better to separate the creds array from
pkinit_identity_crypto_context and manage it using local variables
within pkinit_identity_initialize() and pkinit_identity_prompt().
[ghudson@mit.edu: rewrote commit message]
|
|
Commit e5c77a11341a79e6af1e5aef7c587a5b75a9e378 introduced a memory
leak of the client public key in server_process_dh(). Free
client_pubkey on success as well as failure.
ticket: 8644 (new)
target_version: 1.16-next
target_version: 1.15-next
tags: pullup
|
|
greet_kdc_sign() must always free if_relevant.
|
|
KDB_TL_USER_INFO tl-data is intended to be internal to the LDAP KDB
module, and not used in disk or wire principal entries. Prevent
kadmin clients from sending KDB_TL_USER_INFO tl-data by giving it a
type number less than 256 and filtering out type numbers less than 256
in kadm5_create_principal_3(). (We already filter out low type
numbers in kadm5_modify_principal()).
In the LDAP KDB module, if containerdn and linkdn are both specified
in a put_principal operation, check both linkdn and the computed
standalone_principal_dn for container membership. To that end, factor
out the checks into helper functions and call them on all applicable
client-influenced DNs.
CVE-2018-5729:
In MIT krb5 1.6 or later, an authenticated kadmin user with permission
to add principals to an LDAP Kerberos database can cause a null
dereference in kadmind, or circumvent a DN container check, by
supplying tagged data intended to be internal to the database module.
Thanks to Sharwan Ram and Pooja Anil for discovering the potential
null dereference.
CVE-2018-5730:
In MIT krb5 1.6 or later, an authenticated kadmin user with permission
to add principals to an LDAP Kerberos database can circumvent a DN
containership check by supplying both a "linkdn" and "containerdn"
database argument, or by supplying a DN string which is a left
extension of a container DN string but is not hierarchically within
the container DN.
ticket: 8643 (new)
tags: pullup
target_version: 1.16-next
target_version: 1.15-next
|
|
When looking up the client long-term key, look for any salt type, not
just the default salt type.
ticket: 8629
|
|
Commit 3ff426b9048a8024e5c175256c63cd0ad0572320 attempted to display
an error when OCSP support was requested, but this error message was
suppressed in pkinit_server_plugin_init(). Add a trace log for each
realm initialization error, and pass through the realm initialization
error when the KDC serves only one realm. Other error messages from
pkinit_init_kdc_profile(), such as missing pkinit_identity or
pkinit_anchors, are also now exposted.
[ghudson@mit.edu: clarified commit message]
ticket: 8621 (new)
target_version: 1.16
tags: pullup
|
|
Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic
allocation and to perform proper error checking.
ticket: 8617
target_version: 1.16
target_version: 1.15-next
target_version: 1.14-next
tags: pullup
|
|
|
|
The PKINIT certauth eku module should never authoritatively authorize
a certificate, because an extended key usage does not establish a
relationship between the certificate and any specific user; it only
establishes that the certificate was created for PKINIT client
authentication. Therefore, pkinit_eku_authorize() should return
KRB5_PLUGIN_NO_HANDLE on success, not 0.
The certauth san module should pass if it does not find any SANs of
the types it can match against; the presence of other types of SANs
should not cause it to explicitly deny a certificate. Check for an
empty result from crypto_retrieve_cert_sans() in verify_client_san(),
instead of returning ENOENT from crypto_retrieve_cert_sans() when
there are no SANs at all.
ticket: 8561
|
|
Fix mydir in plugins/kdcpolicy/test/Makefile.in so that the Makefile
can be rebuilt correctly. Also change the name of the shared object
from "policy_test.so" to "kdcpolicy_test.so" for consistency.
ticket: 8606
|
|
Commit d0969f6a8170344031ef58fd2a161190f1edfb96 added tests using
"klist ccachname -e", which does not work with a POSIX-conformant
getopt() implementation such as the one in Solaris. Fix
t_kdcpolicy.py to use "klist -e ccachename" instead.
The tests could fail if the clock second rolled over between kinit and
kvno. Divide service ticket maximum lifetimes by 2 in the test module
to correctly exercise TGS policy restrictions and ensure that service
tickets are not constrained by the TGT end time.
Also use the correct trace macro when a kdcpolicy module declines to
initialize (my mistake when revising the commit, noted by rharwood).
ticket: 8606
|
|
Repeating an identical typedef is allowed by C11, but not C99 or C89.
Use the underlying structure type in certauth_plugin.h so that it can
safely be included along with kdb.h.
Also constify the name field in the vtable.
ticket: 8561
|
|
Add the header include/krb5/kdcpolicy_plugin.h, defining a pluggable
interface for modules to deny AS and TGS requests and set maximum
ticket lifetimes. This interface replaces the policy.c stub functions.
Add check_kdcpolicy_as() and check_kdcpolicy_tgs() as entry functions.
Call them after auth indicators and ticket lifetimes have been
determined.
Add a test module and a test script with basic kdcpolicy tests. Add
plugin interface documentation in doc/plugindev/policy.rst.
Also authored by Matt Rogers <mrogers@redhat.com>.
ticket: 8606 (new)
|
|
Add a test plugin module to exercise features of the kadm5_auth
interface, and a Python test script using the module. Also test the
initial ticket requirement for self-service key changes in
t_kadmin_acl.py.
ticket: 8595
|
|
pkinit_kdc_ocsp is non-functional in the PKINIT OpenSSL crypto
implementation, so remove most traces of it, including its man page
entry. If it is present in kdc.conf, error out of PKINIT
initialization instead of silently ignoring the realm entirely.
ticket: 8603 (new)
|
|
The server_info_update_pending field of krb5_ldap_server_handle was
never set to true, and we never define ASYNC_BIND. Noted by Will
Fiveash.
|
|
In the KDC, pass the local address from dispatch() to
process_as_req(), then to log_as_req(), then to
krb5_db_audit_as_req(), and finally to the KDB modules.
[ghudson@mit.edu: squashed commits and rewrote commit message]
ticket: 8583
|
|
In libkdb5, libapputils, the KDC, kadmind, and both KDB modules, use
the name "remote_addr" for the variable containing the remote address.
In schpw.c:process_chpw_request(), use the name "local_addr" for the
parameter containing the local address. Make the remote_addr
parameter const in libkdb5 and the DAL.
[ghudson@mit.edu: combined commits and rewrote commit message]
|
|
As this is an incompatible change to the API, also increment the DAL
and KDB versions.
ticket: 8583 (new)
|
|
Wherever we manipulate krb5_timestamp values using arithmetic,
comparison operations, or conversion to time_t, use the new helper
functions in k5-int.h to ensure that the operations work after y2038
and do not exhibit undefined behavior. (Relying on
implementation-defined conversion to signed values is okay as we test
that in configure.in.)
In printf format strings, use %u instead of signed types. When
exporting creds with k5_json_array_fmt(), use a long long so that
timestamps after y2038 aren't marshalled as negative numbers. When
parsing timestamps in test programs, use atoll() instead of atol() so
that positive timestamps after y2038 can be used as input.
In ksu and klist, make printtime() take a krb5_timestamp parameter to
avoid an unnecessary conversion to time_t and back.
As Leash does not use k5-int.h, use time_t values internally and
safely convert from libkrb5 timestamp values.
ticket: 8352
|
|
|
|
As we do not rely on anonymous db2 databases, get rid of the code
using tmpnam() for hash databases and reporting EINVAL if a filename
is not specified.
[ghudson@mit.edu: rewrote commit message; condensed conditionals]
|
|
|
|
|
|
[ghudson@mit.edu: added intermediate variables to simplify code]
|
|
In the OTP module, when constructing the RADIUS request, use the
canonicalized client principal (using the new client_name kdcpreauth
callback) instead of the request client principal.
ticket: 8571 (new)
|
|
ticket: 8568 (new)
|
|
Remove the unused and buggy NSS PKINIT crypto backend.
|
|
In cms_signeddata_create(), alg_buf and digest_buf are allocated but
never used. (Instead, a combined buffer is allocated and the alg and
digest objects are marshalled into it.) Remove them.
|
|
In crypto_encode_der_cert(), if the second i2d_X509() invocation
fails, make sure to free the allocated pointer and not the
possibly-modified alias.
ticket: 8561
|
|
Add and enable the "dbmatch" builtin module. Add the
pkinit_client_cert_match() and crypto_req_cert_matching_data() helper
functions. Add dbmatch tests to t_pkinit.py. Add documentation to
krb5_conf.rst, pkinit.rst, and kadmin_local.rst.
[ghudson@mit.edu: simplified code, edited docs]
ticket: 8562 (new)
|
|
Remove the pkinit_cert_handle structures and iteration functions used
during certificate matching. Instead, make pkinit_matching.c obtain a
list of matching data objects from the crypto code, and then select a
cert based on the index into that list.
Also fix a typo in the name of crypto_retrieve_X509_key_usage().
[ghudson@mit.edu: simplified code]
|
|
Add the header include/krb5/certauth_plugin.h, defining a pluggable
interface to control authorization of PKINIT client certificates.
Add the "pkinit_san" and "pkinit_eku" builtin certauth modules and
related PKINIT crypto X.509 helper functions. Add authorize_cert() as
the entry function for certauth plugin module checks called in
pkinit_server_verify_padata(). Modify kdcpreauth_moddata to hold the
list of certauth module handles, and load the modules when the PKINIT
kdcpreauth server plugin is initialized. Change
crypto_retrieve_X509_sans() to return ENOENT when no SAN is found.
Add test modules in plugins/certauth/test. Create t_certauth.py with
basic certauth tests. Add plugin interface documentation in
doc/plugindev/certauth.rst and doc/admin/krb5_conf.rst.
[ghudson@mit.edu: simplified code, edited docs]
ticket: 8561 (new)
|
|
In pkinit_matching.c:parse_rule_set(), apply the default relation when
parsing the second component of a rule, not the third. Otherwise we
apply no default relation to two-component matching rules, effectively
reducing such rules to their second components. Reported by Sumit
Bose.
ticket: 8553 (new)
target_version: 1.15-next
target_version: 1.14-next
tags: pullup
|