krb5.git/src/kdc, branch master Unnamed repository; edit this file 'description' to name the repository. Make KDC "status" statements more homogeneous 2014-02-19T19:23:40+00:00 Zhanna Tsitkov tsitkova@mit.edu 2013-12-23T14:23:54+00:00 daa80b9f4a478ce57be08f9dc3b7d5e65c6e7e66 Generally we want KDC status strings to be concise, informative and follow some common rules: - All letters in the status string should be capitalized; - the words in the status phrase are separated by underscore; - abbreviations should be avoided. Some acceptable "standard" acronyms are AS_REQ, TGS_REP etc. - since in almost all cases KDC status is set on error, no need to state this fact as part of the status string; - KDC status string should be an imperative phrase. For example, "DECRYPT_SERVER_KEY". This commit is to modify some KDC status messages to follow this format. Even though KDC status messages are not standardized, it is possible that some administrators use them in the Kerberos log file processing. Hence, the vast majority of them are left unchanged pending further investigation (mostly, feedback from the administrators). 
Generally we want KDC status strings to be concise, informative and follow
some common rules:

- All letters in the status string should be capitalized;
- the words in the status phrase are separated by underscore;
- abbreviations should be avoided.  Some acceptable "standard" acronyms
  are AS_REQ, TGS_REP etc.
- since in almost all cases KDC status is set on error, no need
  to state this fact as part of the status string;
- KDC status string should be an imperative phrase.

For example, "DECRYPT_SERVER_KEY".

This commit is to modify some KDC status messages to follow this format.

Even though KDC status messages are not standardized, it is possible that some
administrators use them in the Kerberos log file processing. Hence, the vast
majority of them are left unchanged pending further investigation (mostly,
feedback from the administrators).
Fix possible null deref in previous 2014-01-01T01:27:00+00:00 Tom Yu tlyu@mit.edu 2014-01-01T00:41:12+00:00 30589b2a1636de9f9b68591f0e546cb0fa21989f My rework of the do_tgs_req.c patch introduced a null deref if decode_krb5_tgs_req() failed. ticket: 7802 
My rework of the do_tgs_req.c patch introduced a null deref if
decode_krb5_tgs_req() failed.

ticket: 7802
Log service princ in KDC more reliably 2013-12-30T23:58:03+00:00 rbasch probe@tardis.internal.bright-prospects.com 2013-12-16T15:54:41+00:00 f37067776f9431879769f3874fdab6120ba3f155 Under some error conditions, the KDC would log "<unknown server>" for the service principal because service principal information is not yet available to the logging functions. Set the appropriate variables earlier. do_as_req.c: After unparsing the client, immediately unparse the server before searching for the client principal in the KDB. do_tgs_req.c: Save a pointer to the client-requested service principal, to make sure it gets logged if an error happens before search_sprinc() successfully completes. [tlyu@mit.edu: commit message; fix TGS to catch more error cases] ticket: 7802 target_version: 1.12.1 tags: pullup 
Under some error conditions, the KDC would log "<unknown server>" for
the service principal because service principal information is not yet
available to the logging functions.  Set the appropriate variables
earlier.

do_as_req.c: After unparsing the client, immediately unparse the
server before searching for the client principal in the KDB.

do_tgs_req.c: Save a pointer to the client-requested service
principal, to make sure it gets logged if an error happens before
search_sprinc() successfully completes.

[tlyu@mit.edu: commit message; fix TGS to catch more error cases]

ticket: 7802
target_version: 1.12.1
tags: pullup
make depend 2013-12-21T04:13:57+00:00 Greg Hudson ghudson@mit.edu 2013-12-21T04:13:57+00:00 f5d5fa24c6c58b54349351beaea8220f5ca0f3ef 






Move kdc log routines into a separate file
2013-12-21T00:23:32+00:00

Zhanna Tsitkov
tsitkova@mit.edu

2013-12-21T00:18:57+00:00

cf035ea27f98f351cc87d3c3b829f3604002f119

Their previous location - kdc_util.c - seems to be overloaded with
various helper functions. No code changes.





Their previous location - kdc_util.c - seems to be overloaded with
various helper functions. No code changes.







make depend
2013-12-11T03:24:03+00:00

Tom Yu
tlyu@mit.edu

2013-12-11T03:24:03+00:00

88bc9cfb9bcbdb0daffe02db5bdb8e22d14b6853












Multi-realm KDC null deref [CVE-2013-1418]
2013-11-04T19:37:05+00:00

Tom Yu
tlyu@mit.edu

2013-11-04T18:44:29+00:00

5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf

If a KDC serves multiple realms, certain requests can cause
setup_server_realm() to dereference a null pointer, crashing the KDC.

CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C

A related but more minor vulnerability requires authentication to
exploit, and is only present if a third-party KDC database module can
dereference a null pointer under certain conditions.

ticket: 7755 (new)
target_version: 1.12
tags: pullup





If a KDC serves multiple realms, certain requests can cause
setup_server_realm() to dereference a null pointer, crashing the KDC.

CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C

A related but more minor vulnerability requires authentication to
exploit, and is only present if a third-party KDC database module can
dereference a null pointer under certain conditions.

ticket: 7755 (new)
target_version: 1.12
tags: pullup







Clean up the code to eliminate some clang warnings
2013-11-04T18:51:17+00:00

Ben Kaduk
kaduk@mit.edu

2013-10-30T18:51:12+00:00

3a8eaa43045fb242739ad9729bb66f915be209b9

In ure.c, though k is a short, the literal 1 is of type 'int', and
so the operation 'k + 1' is performed at the (32-bit) width of int,
and therefore the "%d" format string is correct.

In accept_sec_context.c, the 'length' field of krb5_data is an
unsigned type, so checking for a negative value has no effect.

In net-server.c, the helper routine rtm_type_name() is only used
in code that is disabled with #if 0 conditionals; make the
definition also disabled in the same way to avoid warnings of an
unused function.

In kdc_authdata.c, equality checks in double parentheses elicit
a warning from clang.  The double-parentheses idiom is normally used
to indicate that an assignment is being performed, but the value of
the assignment is also to be used as the value for the conditional.
Since assignment and equality checking differ only by a single
character, clang considers this worthy of a warning.  Since the extra
set of parentheses is redundant and against style, it is correct to
remove them.

In several places (sim_server.c, dump.c, kdb5_destroy.c,
ovsec_kadmd.c), there are declarations of extern variables relating
to getopt() functionality that are now unused in the code.  Remove
these unused variables.





In ure.c, though k is a short, the literal 1 is of type 'int', and
so the operation 'k + 1' is performed at the (32-bit) width of int,
and therefore the "%d" format string is correct.

In accept_sec_context.c, the 'length' field of krb5_data is an
unsigned type, so checking for a negative value has no effect.

In net-server.c, the helper routine rtm_type_name() is only used
in code that is disabled with #if 0 conditionals; make the
definition also disabled in the same way to avoid warnings of an
unused function.

In kdc_authdata.c, equality checks in double parentheses elicit
a warning from clang.  The double-parentheses idiom is normally used
to indicate that an assignment is being performed, but the value of
the assignment is also to be used as the value for the conditional.
Since assignment and equality checking differ only by a single
character, clang considers this worthy of a warning.  Since the extra
set of parentheses is redundant and against style, it is correct to
remove them.

In several places (sim_server.c, dump.c, kdb5_destroy.c,
ovsec_kadmd.c), there are declarations of extern variables relating
to getopt() functionality that are now unused in the code.  Remove
these unused variables.







KDC Audit infrastructure and plugin implementation
2013-10-05T00:25:49+00:00

Zhanna Tsitkov
tsitkova@mit.edu

2013-07-20T19:47:42+00:00

1003f0173f266a6428ccf2c89976f0029d3ee831

Per project http://k5wiki.kerberos.org/wiki/Projects/Audit

The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.

The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges.  This includes client address and port, KDC
  request and request ID, KDC reply, primary and derived ticket and their
  ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
  validated, local policy violation and protocol constraints, and KDC status
  message.

Ticket ID is introduced to allow to link tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.

Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.

For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in this implememtations.

The new Audit system is build-time enabled and run-time pluggable.

[kaduk@mit.edu: remove potential KDC crashes, minor reordering]

ticket: 7712
target_version: 1.12





Per project http://k5wiki.kerberos.org/wiki/Projects/Audit

The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.

The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges.  This includes client address and port, KDC
  request and request ID, KDC reply, primary and derived ticket and their
  ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
  validated, local policy violation and protocol constraints, and KDC status
  message.

Ticket ID is introduced to allow to link tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.

Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.

For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in this implememtations.

The new Audit system is build-time enabled and run-time pluggable.

[kaduk@mit.edu: remove potential KDC crashes, minor reordering]

ticket: 7712
target_version: 1.12







Remove unneeded variable enc_tkt_transited
2013-10-04T17:23:30+00:00

Ben Kaduk
kaduk@mit.edu

2013-10-04T16:58:30+00:00

36c8a474bdd05d3f5be94b007dae46f0986adfa2

There's no need to use an intermediate variable to initialize the
contents of enc_tkt_reply.transited.

Instead of setting each field to zero individually (and misspelling NULL),
use memset and set the one field which is being initialized to a nonzero
value explicitly.





There's no need to use an intermediate variable to initialize the
contents of enc_tkt_reply.transited.

Instead of setting each field to zero individually (and misspelling NULL),
use memset and set the one field which is being initialized to a nonzero
value explicitly.