| Commit message | Author | Age | Files | Lines |
Generally we want KDC status strings to be concise, informative and follow
some common rules:
- All letters in the status string should be capitalized;
- the words in the status phrase are separated by underscore;
- abbreviations should be avoided. Some acceptable "standard" acronyms
are AS_REQ, TGS_REP etc.
- since in almost all cases KDC status is set on error, there is no need
to state this fact as part of the status string;
- KDC status string should be an imperative phrase.
For example, "DECRYPT_SERVER_KEY".
This commit is to modify some KDC status messages to follow this format.
Even though KDC status messages are not standardized, it is possible that some
administrators use them in the Kerberos log file processing. Hence, the vast
majority of them are left unchanged pending further investigation (mostly,
feedback from the administrators).
My rework of the do_tgs_req.c patch introduced a null deref if
decode_krb5_tgs_req() failed.
ticket: 7802
Under some error conditions, the KDC would log "<unknown server>" for
the service principal because service principal information is not yet
available to the logging functions. Set the appropriate variables
earlier.
do_as_req.c: After unparsing the client, immediately unparse the
server before searching for the client principal in the KDB.
do_tgs_req.c: Save a pointer to the client-requested service
principal, to make sure it gets logged if an error happens before
search_sprinc() successfully completes.
[tlyu@mit.edu: commit message; fix TGS to catch more error cases]
ticket: 7802
target_version: 1.12.1
tags: pullup
Their previous location - kdc_util.c - seems to be overloaded with
various helper functions. No code changes.
If a KDC serves multiple realms, certain requests can cause
setup_server_realm() to dereference a null pointer, crashing the KDC.
CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
A related but more minor vulnerability requires authentication to
exploit, and is only present if a third-party KDC database module can
dereference a null pointer under certain conditions.
ticket: 7755 (new)
target_version: 1.12
tags: pullup
In ure.c, though k is a short, the literal 1 is of type 'int', and
so the operation 'k + 1' is performed at the (32-bit) width of int,
and therefore the "%d" format string is correct.
In accept_sec_context.c, the 'length' field of krb5_data is an
unsigned type, so checking for a negative value has no effect.
In net-server.c, the helper routine rtm_type_name() is only used
in code that is disabled with #if 0 conditionals; make the
definition also disabled in the same way to avoid warnings of an
unused function.
In kdc_authdata.c, equality checks in double parentheses elicit
a warning from clang. The double-parentheses idiom is normally used
to indicate that an assignment is being performed, but the value of
the assignment is also to be used as the value for the conditional.
Since assignment and equality checking differ only by a single
character, clang considers this worthy of a warning. Since the extra
set of parentheses is redundant and against style, it is correct to
remove them.
In several places (sim_server.c, dump.c, kdb5_destroy.c,
ovsec_kadmd.c), there are declarations of extern variables relating
to getopt() functionality that are now unused in the code. Remove
these unused variables.
Per project http://k5wiki.kerberos.org/wiki/Projects/Audit
The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.
The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges. This includes client address and port, KDC
request and request ID, KDC reply, primary and derived ticket and their
ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
validated, local policy violation and protocol constraints, and KDC status
message.
Ticket ID is introduced to allow linking tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a
KDC-private ticket ID: each successfully created ticket is hashed and recorded
in the audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.
Request ID is a randomly generated alphanumeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.
For the purpose of testing and demo of the Audit, JSON-based modules are
implemented: the "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in these implementations.
The new Audit system is build-time enabled and run-time pluggable.
[kaduk@mit.edu: remove potential KDC crashes, minor reordering]
ticket: 7712
target_version: 1.12
There's no need to use an intermediate variable to initialize the
contents of enc_tkt_reply.transited.
Instead of setting each field to zero individually (and misspelling NULL),
use memset and set the one field which is being initialized to a nonzero
value explicitly.
It is general good hygiene, preventing stack garbage from accidentally
leaking out into other consumers.
Don't bother with variables that are only used in a single place, but
do initialize the 'magic' field of nolrentry before it is used.
In kdc_check_transited_list, consult the KDB module first. If it
succeeds, treat this as authoritative and do not use the core
transited mechanisms. Modules can return KRB5_PLUGIN_NO_HANDLE to
fall back to core mechanisms.
ticket: 7709
Take one step toward re-factoring of the KDC code:
keep the service principal related code in one place.
The code pattern was changed from:
- unparse client -
- unparse service -
- db_get_ client -
- client referrals -
- db_get_ service -
- validate policies etc
into:
- unparse client -
- db_get_ client -
- client referrals -
- unparse service -
- db_get_ service -
- validate policies etc
If the error code is out of [0,127] range, assign it to KRB_ERR_GENERIC.
This fix is to correct the previous behavior with [0,128] range.
For more information see krb5_err.et
It is no longer necessary to modify request->server when we receive a
referral. The uses of request->server break down as follows:
* Matching against previously issued tickets (e.g. for renewals). We
now explicitly disallow referrals for requests where we need to do
that.
* Using only the realm (e.g. for transited checking). Referrals are
cross-realm TGS entries within the same realm as the requested
server principal, so this does not change.
* Comparing to a local TGS principal (for restrict_anonymous_to_tgt
enforcement). Local TGS principals are not treated as referrals, so
the sense of this comparison will not change if we use the original
request.
* Setting the sname and realm fields of a KRB-ERROR response. RFC
4120 and 6806 do not specify what we should put here for referrals
or aliases and we are not aware of any uses of this field by
clients, so putting the requested server principal here should be
okay.
For ticket modification requests (such as renewals), u2u requests, and
S4U2Self requests, the requested server principal is expected to match
a previously issued ticket. If that principal no longer exists, we
must fail the request; we cannot issue a referral. We are currently
doing that by rewriting request->server to the referral principal,
which causes the match against the ticket to fail. Since we would
like to stop modifying the request, we must explicitly prevent
referrals in these cases.
We don't find out whether a request is S4U2Self until after we've
looked up the server principal, so for now we have to make a
retroactive check for a referral after calling
kdc_process_s4u2self_req.
In do_tgs_req(), treat the search_sprinc() result as a referral only
if it is a cross-TGS principal and it doesn't match the requested
server principal. This change fixes two corner cases: (1) when a
client requests a cross-realm TGT, we won't squash the name type in
the response; and (2) if we are serving multiple realms out of the
same KDB, we will properly handle aliases to any local-realm TGT, not
just the one for the configured realm name.
ticket: 7555
In the KDC, if we see the hide-client-names option, identify the
client as the anonymous principal in KDC-REP and KRB-ERROR responses.
The actual client name is present in encrypted FAST elements.
ticket: 7700 (new)
We always allow aliases in the service principal when processing
AS-REQs and TGS-REQs. If the ticket we issued is presented back to us
in a TGS-REQ as a header ticket for renewal or similar, we should
allow aliases when looking up its key to decode the AP-REQ.
ticket: 7699 (new)
If a client makes a TGS request for a cross-realm TGS within a
different realm from the one we normally serve (e.g. the KDC realm is
X, and a client makes a TGS request for the server krbtgt/Y@Z), look
for alternate TGS principals within the requested server realm, not
the realm we normally serve.
This change shouldn't break any working well-formed TGS requests,
because changing the realm would trigger a failure in check_tgs_tgt.
It may fix some corner cases when multiple realms are served out of
the same KDB. But primarily, this change makes referrals and aliases
easier to reason about, by eliminating a case where server->princ has
a different realm from request->server after the call to
search_sprinc().
If we look up a principal in the KDB and get back the local TGS
principal, the KDC should treat this as an alias, not a referral, and
should therefore issue a ticket for the requested principal rather than
the canonical name.
ticket: 7698
If a client requests a service ticket for the alias of a service
principal, RFC 6806 section 6 requires that the KDC issue a ticket
which appears to be for the alias and not for the canonical name.
After calling search_sprinc(), only replace request->server with
server->princ if the latter is a TGT; this will be the case for an
alternate cross-realm TGT or a host referral, but not for a simple
service alias.
ticket: 7698
target_version: 1.11.4
tags: pullup
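The referral-versus-alias test that the ticket 7555 message further up the log and the ticket 7698 message here describe, written out as an added example in C. This is not krb5's code: the two-component principal struct, the EXAMPLE.COM/OTHER.ORG sample names and the helper names are constructed for illustration. It applies the later rule (a lookup result is a referral only if it is a cross-realm TGS principal that differs from the requested name), which subsumes the "only replace if the result is a TGT" rule stated above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example: a minimal principal model, not krb5's krb5_principal. */
typedef struct {
    const char *realm;
    int ncomp;
    const char *comp[2];
} princ;

static bool princ_equal(const princ *a, const princ *b)
{
    if (strcmp(a->realm, b->realm) != 0 || a->ncomp != b->ncomp)
        return false;
    for (int i = 0; i < a->ncomp; i++) {
        if (strcmp(a->comp[i], b->comp[i]) != 0)
            return false;
    }
    return true;
}

/* A TGS principal is krbtgt/<realm>@<realm>: two components, first "krbtgt". */
static bool is_tgs_principal(const princ *p)
{
    return p->ncomp == 2 && strcmp(p->comp[0], "krbtgt") == 0;
}

/* Cross-realm TGS: krbtgt/OTHER@R with OTHER != R.  krbtgt/R@R is the local
 * TGS principal and, per the messages above, is never treated as a referral. */
static bool is_cross_realm_tgs(const princ *p)
{
    return is_tgs_principal(p) && strcmp(p->comp[1], p->realm) != 0;
}

/* The do_tgs_req() rule: the KDB result is a referral only if it is a
 * cross-realm TGS principal and differs from what the client asked for. */
bool is_referral(const princ *requested, const princ *found)
{
    return is_cross_realm_tgs(found) && !princ_equal(requested, found);
}

/* Server name for the issued ticket: the canonical entry for a referral, the
 * client-requested name (RFC 6806 section 6) for a plain alias. */
const princ *ticket_server_name(const princ *requested, const princ *found)
{
    return is_referral(requested, found) ? found : requested;
}

/* Constructed sample principals in a KDC realm EXAMPLE.COM. */
const princ alias_http = { "EXAMPLE.COM", 2, { "HTTP", "www.example.com" } };
const princ canon_http = { "EXAMPLE.COM", 2, { "HTTP", "web01.example.com" } };
const princ host_other = { "EXAMPLE.COM", 2, { "host", "fs.other.org" } };
const princ xrealm_tgt = { "EXAMPLE.COM", 2, { "krbtgt", "OTHER.ORG" } };
const princ local_tgt  = { "EXAMPLE.COM", 2, { "krbtgt", "EXAMPLE.COM" } };
const princ ldap_alias = { "EXAMPLE.COM", 2, { "ldap", "dc1.example.com" } };

int main(void)
{
    /* alias of a service: not a referral, the ticket names the alias */
    printf("%d\n", is_referral(&alias_http, &canon_http));
    /* host-based name resolved to a cross-realm TGT: referral */
    printf("%d\n", is_referral(&host_other, &xrealm_tgt));
    /* cross-realm TGT requested directly: not a referral (ticket 7555) */
    printf("%d\n", is_referral(&xrealm_tgt, &xrealm_tgt));
    /* alias of the local TGT: alias, not referral (ticket 7698) */
    printf("%d\n", is_referral(&ldap_alias, &local_tgt));
    return 0;
}
```

The fourth case is the one that the local-TGS commit fixes: a canonical result of krbtgt/EXAMPLE.COM@EXAMPLE.COM is a TGT, so the older "is it a TGT" test would have rewritten the request, while the cross-realm test leaves the requested name in place.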
The no_auth_data_required bit was introduced to suppress PACs in
service tickets when the back end supports them. Make it also
suppress AD-SIGNEDPATH, so that the ~70-byte expansion of the ticket
can be avoided for services which aren't going to do constrained
delegation.
ticket: 7697 (new)
Wherever we use k5alloc with a multiplication in the size parameter,
use the new k5calloc helper function instead.
This plugin implements the proposal for providing OTP support by
proxying requests to RADIUS. Details can be found inside the
provided documentation as well as on the project page.
http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS
ticket: 7678
An authenticated remote client can cause a KDC to crash by making a
valid TGS-REQ to a KDC serving a realm with a single-component name.
The process_tgs_req() function dereferences a null pointer because an
unusual failure condition causes a helper function to return success.
While attempting to provide cross-realm referrals for host-based
service principals, the find_referral_tgs() function could return a
TGS principal for a zero-length realm name (indicating that the
hostname in the service principal has no known realm associated with
it).
Subsequently, the find_alternate_tgs() function would attempt to
construct a path to this empty-string realm, and return success along
with a null pointer in its output parameter. This happens because
krb5_walk_realm_tree() returns a list of length one when it attempts
to construct a transit path between a single-component realm and the
empty-string realm. This list causes a loop in find_alternate_tgs()
to iterate over zero elements, resulting in the unexpected output of a
null pointer, which process_tgs_req() proceeds to dereference because
there is no error condition.
Add an error condition to find_referral_tgs() when
krb5_get_host_realm() returns an empty realm name. Also add an error
condition to find_alternate_tgs() to handle the length-one output from
krb5_walk_realm_tree().
The vulnerable configuration is not likely to arise in practice.
(Realm names that have a single component are likely to be test
realms.) Releases prior to krb5-1.11 are not vulnerable.
Thanks to Sol Jerome for reporting this problem.
CVSSv2: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C
ticket: 7668 (new)
tags: pullup
target_version: 1.11.4
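The control flow this message describes, as an added example in C that models the shape of the bug and of the two added checks; it is not krb5's find_referral_tgs() or find_alternate_tgs(). The host-realm table, the realm-walk stub that yields a one-element list for the empty realm, the error names, and the TESTREALM/OTHER.ORG sample names are constructed stand-ins.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a model of the control flow described above, not krb5's
 * find_referral_tgs()/find_alternate_tgs().  Error names are stand-ins. */
#define OK                      0
#define ERR_S_PRINCIPAL_UNKNOWN 7
#define ERR_NO_TRANSIT_PATH     8

/* Stand-in for krb5_get_host_realm(): fixed table; unknown hosts map to "". */
static const char *host_realm(const char *host)
{
    return strcmp(host, "fs.other.org") == 0 ? "OTHER.ORG" : "";
}

/* Stand-in for krb5_walk_realm_tree(): NULL-terminated list of realm names.
 * It reproduces the quirk in the message: the path to the empty realm has
 * length one (only the local realm). */
static char **walk_realm_tree(const char *local_realm, const char *target_realm)
{
    char **path = calloc(3, sizeof(*path));
    if (path == NULL) abort();
    path[0] = strdup(local_realm);
    if (target_realm[0] != '\0')
        path[1] = strdup(target_realm);
    return path;
}

static void free_path(char **path)
{
    for (char **p = path; *p != NULL; p++)
        free(*p);
    free(path);
}

/* Walk from the far end and build krbtgt/<last>@<previous>.  With a
 * one-element list the loop body runs zero times and *out stays NULL. */
static void walk_to_tgs(char **path, char **out)
{
    char **end;
    for (end = path; *end != NULL; end++)
        ;
    while (--end > path) {
        size_t n = strlen(*end) + strlen(end[-1]) + sizeof("krbtgt/@");
        *out = malloc(n);
        if (*out == NULL) abort();
        snprintf(*out, n, "krbtgt/%s@%s", *end, end[-1]);
        break;
    }
}

/* Pre-fix shape: the empty realm is not rejected, and OK is returned even
 * when *out is still NULL. */
int referral_tgs_buggy(const char *local_realm, const char *host, char **out)
{
    char **path = walk_realm_tree(local_realm, host_realm(host));
    *out = NULL;
    walk_to_tgs(path, out);
    free_path(path);
    return OK;
}

/* Post-fix shape: both checks the message adds. */
int referral_tgs_fixed(const char *local_realm, const char *host, char **out)
{
    const char *realm = host_realm(host);
    *out = NULL;
    if (realm[0] == '\0')
        return ERR_S_PRINCIPAL_UNKNOWN;   /* find_referral_tgs(): empty realm */
    char **path = walk_realm_tree(local_realm, realm);
    if (path[1] == NULL) {
        free_path(path);
        return ERR_NO_TRANSIT_PATH;       /* find_alternate_tgs(): one-element list */
    }
    walk_to_tgs(path, out);
    free_path(path);
    return *out != NULL ? OK : ERR_NO_TRANSIT_PATH;
}

/* Caller shape from process_tgs_req(): trust OK and use the result.  Returns
 * the referral name length, -1 if an error was reported, or -2 where the real
 * caller would have dereferenced a NULL pointer. */
int use_referral(int (*find)(const char *, const char *, char **),
                 const char *local_realm, const char *host)
{
    char *tgs = NULL;
    int ret = find(local_realm, host, &tgs);
    if (ret != OK)
        return -1;
    int len = (tgs != NULL) ? (int)strlen(tgs) : -2;
    free(tgs);
    return len;
}

int main(void)
{
    printf("buggy, unknown host: %d\n", use_referral(referral_tgs_buggy, "TESTREALM", "unknown.host"));
    printf("fixed, unknown host: %d\n", use_referral(referral_tgs_fixed, "TESTREALM", "unknown.host"));
    return 0;
}
```

The point to take from the model is the contract violation, not the realm-tree details: a function that reports success while leaving its output parameter NULL moves the crash to every caller that reasonably trusts the return code. The fix restores the invariant "OK implies *out is set" at the source, which is why both the empty-realm check and the short-list check belong in the helpers rather than in process_tgs_req().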
Create a new helper to compute the renewable lifetime for AS and TGS
requests. This has some minor behavior differences:
* We only issue a renewable ticket if the renewable lifetime is greater
than the normal ticket lifetime.
* We give RENEWABLE precedence over RENEWABLE-OK in determining the
requested renewable lifetime, instead of sometimes doing the
reverse.
* We use the client's maximum renewable life for TGS requests if we
have looked up its DB entry.
* Instead of rejecting requests for renewable tickets (if the client
or server principal doesn't allow it, or a TGS request's TGT isn't
renewable), issue non-renewable tickets.
ticket: 7661 (new)
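The four rules listed in this message, carried through as an added example in C; this is a model of the described behaviour, not krb5's own helper, and the field names, the seven-day maximum renewable life and the ten-hour ticket lifetime in the baseline are constructed. The KDCOptions bit values are the RFC 4120 ones.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: a model of the renewable-lifetime rules listed in the message
 * above, not krb5's own helper.  Times are seconds; 0 means "none/unset". */
#define KDC_OPT_RENEWABLE    0x00800000u   /* RFC 4120 KDCOptions bit 8 */
#define KDC_OPT_RENEWABLE_OK 0x00000010u   /* RFC 4120 KDCOptions bit 27 */

struct renew_in {
    uint32_t kdc_options;
    int64_t now, endtime;            /* endtime: already-computed ticket end */
    int64_t req_rtime, req_till;     /* KDC-REQ-BODY rtime (0 if absent), till */
    int64_t realm_max_rlife;
    int64_t server_max_rlife;
    int64_t client_max_rlife;        /* 0 if the client entry was not looked up */
    int64_t tgt_renew_till;          /* TGS only: header TGT renew-till */
    bool server_allows, client_allows, is_tgs, tgt_renewable;
};

static int64_t imin(int64_t a, int64_t b) { return a < b ? a : b; }

/* Returns the renew-till timestamp, or 0 for a non-renewable ticket. */
int64_t compute_renew_till(const struct renew_in *in)
{
    int64_t want;

    /* RENEWABLE takes precedence over RENEWABLE-OK. */
    if (in->kdc_options & KDC_OPT_RENEWABLE)
        want = in->req_rtime != 0 ? in->req_rtime : INT64_MAX;
    else if (in->kdc_options & KDC_OPT_RENEWABLE_OK)
        want = in->req_till;
    else
        return 0;

    /* Policy disallows renewal: issue a non-renewable ticket, do not reject. */
    if (!in->server_allows || !in->client_allows ||
        (in->is_tgs && !in->tgt_renewable))
        return 0;

    /* Cap by realm, server and (if known) client maximum renewable life, and
     * by the header TGT's own renew-till on a TGS request. */
    int64_t cap = imin(in->now + in->realm_max_rlife,
                       in->now + in->server_max_rlife);
    if (in->client_max_rlife > 0)
        cap = imin(cap, in->now + in->client_max_rlife);
    if (in->is_tgs && in->tgt_renew_till > 0)
        cap = imin(cap, in->tgt_renew_till);
    want = imin(want, cap);

    /* Renewable only if it extends beyond the normal ticket lifetime. */
    return want > in->endtime ? want : 0;
}

/* Convenience wrapper over a constructed baseline: now = 0, ticket end = 10h,
 * realm and server max renewable life = 7 days, client policy allows renewal. */
int64_t renew_till_case(uint32_t opts, int64_t rtime, int64_t till,
                        bool server_allows, bool is_tgs, bool tgt_renewable,
                        int64_t tgt_renew_till, int64_t client_max_rlife)
{
    struct renew_in in = {
        .kdc_options = opts, .now = 0, .endtime = 36000,
        .req_rtime = rtime, .req_till = till,
        .realm_max_rlife = 604800, .server_max_rlife = 604800,
        .client_max_rlife = client_max_rlife, .tgt_renew_till = tgt_renew_till,
        .server_allows = server_allows, .client_allows = true,
        .is_tgs = is_tgs, .tgt_renewable = tgt_renewable,
    };
    return compute_renew_till(&in);
}

int main(void)
{
    /* RENEWABLE with an explicit rtime of 100000s on a 10h ticket */
    printf("%lld\n", (long long)renew_till_case(KDC_OPT_RENEWABLE, 100000, 36000,
                                                 true, false, false, 0, 0));
    return 0;
}
```

Two consequences of the rules are worth seeing in the numbers: RENEWABLE-OK with a till that the normal lifetime already satisfies yields a non-renewable ticket, and a TGS request whose header TGT is non-renewable, or whose renew-till is already inside the new ticket's lifetime, also yields a non-renewable ticket instead of an error.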
Provide default values in pre.in for PROG_LIBPATH, PROG_RPATH,
SHLIB_DIRS, SHLIB_RDIRS, and STOBJLISTS so that they don't have to be
specified in the common case. Rename KRB5_RUN_ENV and KRB5_RUN_VARS
to RUN_SETUP (already the most commonly used name) and RUN_VARS. Make
sure to use DEFINES for local defines (not DEFS). Remove some other
unnecessary makefile content.
If we cannot find a client key while preparing an AS reply, give
preauth mechanisms a chance to replace the reply key before erroring
out.
ticket: 7630
RFC 4120 prohibits empty ETYPE-INFO2 sequences (though not ETYPE-INFO
sequences), and our client errors out if it sees an empty sequence of
either.
ticket: 7630
Encrypted timestamp and encrypted challenge cannot succeed if the
client has no long-term key matching the request enctypes, so do not
offer them in that case.
ticket: 7630
Add a new have_client_keys callback to the kdcpreauth interface,
allowing modules to efficiently check whether the client DB entry has
any keys matching the request enctypes.
ticket: 7630
An RFC 6113 KrbFastReq contains a padata sequence and a KDC-REQ-BODY,
neither of which contain the msg-type field found in a KDC-REQ. So
when we decode the FAST request, the resulting krb5_kdc_req structure
has a msg_type of 0. Copy msg_type from the outer body, since we make
use of it in further KDC processing.
ticket: 7605 (new)
target_version: 1.11.3
tags: pullup
By a strict reading of the C standard, memcpy and memcmp have
undefined behavior if their pointer arguments aren't valid object
pointers, even if the length argument is 0. Compilers are becoming
more aggressive about breaking code with undefined behavior, so we
should try to avoid it when possible.
In a krb5_data object, we frequently use NULL as the data value when
the length is 0. Accordingly, we should avoid copying from or
comparing the data field of a length-0 krb5_data object. Add checks
to our wrapper functions (like data_eq and k5_memdup) and to code
which works with possibly-empty krb5_data objects. In a few places,
use wrapper functions to simplify the code rather than adding checks.
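The wrapper shapes this message describes, and the byte-duplicating helper with a trailing zero byte mentioned in the k5-int.h message further down the log, as an added example in C. It is not libkrb5's code: the krb5_data-shaped struct, the `data_eq`/`memdup0` names and the sample values are constructed here.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libkrb5's definitions: a krb5_data-shaped struct and the
 * wrapper shapes the message describes. */
typedef struct {
    unsigned int length;        /* unsigned, so a "< 0" check is meaningless */
    char *data;                 /* commonly NULL when length == 0 */
} k5data;

/* Unsafe shape: memcmp(NULL, NULL, 0) is undefined behaviour by the letter of
 * the standard, even though it usually "works".  Kept only for contrast. */
bool data_eq_unsafe(const k5data *a, const k5data *b)
{
    return a->length == b->length && memcmp(a->data, b->data, a->length) == 0;
}

/* Safe shape: lengths first, then short-circuit on empty, then memcmp. */
bool data_eq(const k5data *a, const k5data *b)
{
    if (a->length != b->length)
        return false;
    if (a->length == 0)
        return true;            /* possibly-NULL pointers never reach memcmp */
    return memcmp(a->data, b->data, a->length) == 0;
}

/* Duplicate len bytes plus a trailing zero byte, setting *code like k5alloc
 * does.  memcpy is skipped entirely for len == 0, so a NULL src with a zero
 * length is fine and the result is still a valid, freeable, empty string. */
char *memdup0(const void *src, size_t len, int *code)
{
    char *p = malloc(len + 1);
    if (p == NULL) {
        *code = ENOMEM;
        return NULL;
    }
    if (len > 0)
        memcpy(p, src, len);
    p[len] = '\0';
    *code = 0;
    return p;
}

/* Round-trip a k5data through memdup0; returns the copied length, or -1 on
 * allocation failure.  Only meaningful for NUL-free contents. */
int memdup0_roundtrip(const k5data *d)
{
    int code;
    char *copy = memdup0(d->data, d->length, &code);
    if (copy == NULL)
        return -1;
    int len = (int)strlen(copy);
    free(copy);
    return len;
}

/* Constructed samples: an empty value with a NULL pointer, an empty value with
 * a non-NULL pointer, and a three-byte value. */
static char abc_buf[] = "abc";
static char empty_buf[] = "";
const k5data empty_null = { 0, NULL };
const k5data empty_ptr  = { 0, empty_buf };
const k5data abc        = { 3, abc_buf };

int main(void)
{
    printf("empty(NULL) == empty(\"\"): %d\n", data_eq(&empty_null, &empty_ptr));
    printf("memdup0 of empty(NULL) has length %d\n", memdup0_roundtrip(&empty_null));
    return 0;
}
```

The two empty values compare equal without either pointer being passed to memcmp, which is the property the message is after: a length-0 krb5_data is semantically empty whether or not its data pointer happens to be NULL, and no code path should depend on that pointer being dereferenceable.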
Fix some small memory leaks which happen only in rare failure
conditions. Reported by Will Fiveash <will.fiveash@oracle.com>.
Move internal declarations from k5-int.h to more localized headers
(like int-proto.h) where appropriate. Rename many symbols whose
prototypes were moved to use the k5_ prefix instead of krb5int_.
Remove some unused declarations or move them to the single source file
they were needed in. Remove krb5_creds_compare since it isn't used
any more.
Add k5-int.h static functions to duplicate byte ranges, optionally
with a trailing zero byte, and set an error code like k5alloc does.
Use them where they would shorten existing code.
Commit c072b059ecff257e7600be0e86869decd135d422 did not have the
intended effect because, at the point where is_referral is set,
request->server has already been modified to contain server->princ.
ticket: 7555
status: open
A server response which is a cross-realm TGT is not a referral if it
was directly requested by the client. Misclassifying such a response
as a referral means we don't mirror the request's name type, which has
been observed to break older Java clients.
ticket: 7555 (new)
Read realm parameters directly from the profile in the KDC's
init_realm(), getting rid of the intermediate krb5_realm_params
structure. Then get rid of krb5_realm_params and
krb5_read_realm_params, since nothing else uses it.
Stop using macros to refer to kdc_realm_t fields, as they could
conflict with structure field names for the same. Leave behind the
kdc_context and tgs_server macros for now.
krb5_realm_params is only consumed by the KDC (everything else uses
kadm5_config_params), so only needs to contain fields used by the KDC.
Get rid of everything else. Also get rid of realm_profile, which is
read in by KDC code but never used (and was never set anyway).
Remove some unnecessary optimizations to reduce code complexity. Get
rid of krb5_match_config_pattern in favor of a simpler helper function
in do_tgs_req.c. Get rid of KRB5_CONF_ASTERISK and just use "*"
instead. Use a helper function to combine [kdcdefaults] and realm
subsection values of variables, and don't bother adding leading and
trailing spaces. Consistently use the names "hostbased" and
"no_referral" to refer to variable values (with a "realm_" prefix for
structures which currently use it).
If no_host_referral is set in both [kdcdefaults] and the realm
subsection, we're supposed to concatenate their values. But the logic
in handle_referral_params would overwrite the value with the
non-concatenated realm value. Similar bugs of this nature were fixed
in 639c9d0f5a7c68dc98a2a452abc05ca32443cddf (r22037) but this one was
missed.
ticket: 7539 (new)
target_version: 1.11.1
tags: pullup
adm.h predates the ovsec kadm5 integration. It contains a bunch of
obsolete defines and a redundant definition of krb5_realm_params. Get
rid of it, and include <kadm5/admin.h> where we currently include it.
Mostly this gets rid of the trailing space on line 2 after
bb76891f5386526bdf91bc790c614fc9296cb5fa.
In prepare_error_tgs, kdc_free_rstate, and kdc_fast_handle_error,
remove unnecessary null checks. The callers avoid passing null
states, and in each case we've already dereferenced the pointer
earlier. Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>.
ticket: 7511
The initial k5test.py design, copied from the dejagnu suite, is to
create config files and environments for four expected roles: client,
server, master, and slave. This approach exaggerates the complexity
of the common case, where the configurations don't need to vary, and
limits us to having just one slave for kprop/iprop tests.
Instead, create just one configuration by default, and add a
special_env() method which sets up a differently configured
environment for the few test cases which need one. The run_as_*()
methods are collapsed into just run(), which accepts an optional
argument for the environment returned by special_env().
|