<feed xmlns='http://www.w3.org/2005/Atom'>
<title>krb5.git, branch kinit-c</title>
<subtitle>MIT Kerberos patches</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/'/>
<entry>
<title>Do not loop on principal unknown errors</title>
<updated>2015-01-20T19:27:06+00:00</updated>
<author>
<name>Simo Sorce</name>
<email>simo@redhat.com</email>
</author>
<published>2015-01-20T18:48:34+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=fa32f6c018e8894ece11c0d32d5f666644239ca2'/>
<id>fa32f6c018e8894ece11c0d32d5f666644239ca2</id>
<content type='text'>
If the canonicalize flag is set, the MIT KDC always returns the client
principal when KRB5_KDC_ERR_C_PRINCIPAL_UNKNOWN is returned.

Check that this is really a referral by testing that the returned
client realm differs from the requested one.

Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If the canonicalize flag is set, the MIT KDC always returns the client
principal when KRB5_KDC_ERR_C_PRINCIPAL_UNKNOWN is returned.

Check that this is really a referral by testing that the returned
client realm differs from the requested one.

Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Check for null *iter_p in profile_iterator()</title>
<updated>2015-01-15T16:47:43+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2015-01-14T18:10:39+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=9a343200d305e7c8df6e556d63afaee42194175f'/>
<id>9a343200d305e7c8df6e556d63afaee42194175f</id>
<content type='text'>
In profile_iterator(), return PROF_MAGIC_ITERATOR if *iter_p is NULL,
instead of dereferencing a null pointer, as we did prior to 1.10.
Correct calling code will not trigger this case, but incorrect code
has been reported in the field.

ticket: 8059 (new)
target_version: 1.13.1
tags: pullup
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In profile_iterator(), return PROF_MAGIC_ITERATOR if *iter_p is NULL,
instead of dereferencing a null pointer, as we did prior to 1.10.
Correct calling code will not trigger this case, but incorrect code
has been reported in the field.

ticket: 8059 (new)
target_version: 1.13.1
tags: pullup
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix OTP tests with pyrad 2.x</title>
<updated>2015-01-04T23:25:28+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2014-12-22T23:37:36+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=57dc24093015d292189ef23313ef8ff2a81431e4'/>
<id>57dc24093015d292189ef23313ef8ff2a81431e4</id>
<content type='text'>
Declare User-Password as having type "octets" instead of "string" or
pyrad 2.x will throw a decoding error when retrieving it.

ticket: 8053 (new)
target_version: 1.13.1
tags: pullup
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Declare User-Password as having type "octets" instead of "string" or
pyrad 2.x will throw a decoding error when retrieving it.

ticket: 8053 (new)
target_version: 1.13.1
tags: pullup
</pre>
</div>
</content>
</entry>
<entry>
<title>Include file ccache name in error messages</title>
<updated>2014-12-15T22:33:46+00:00</updated>
<author>
<name>Nicolas Williams</name>
<email>nico@cryptonector.com</email>
</author>
<published>2014-10-30T00:42:49+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=98b55e86d7ec8b0a3b9b9f9b415ffdf78f4fd2e8'/>
<id>98b55e86d7ec8b0a3b9b9f9b415ffdf78f4fd2e8</id>
<content type='text'>
When a FILE ccache method returns an error, append the filename to the
standard message for the code.  Remove code to set extended messages
in helper functions as they would just be overwritten.

Also change the interpretation of errno values.  Treat ENAMETOOLONG as
KRB5_FCC_NOFILE instead of KRB5_FCC_INTERNAL, since it has an external
cause and a name that long can't be opened by normal means.  Treat
EROFS as KRB5_FCC_PERM.  Treat ENOTDIR and ELOOP as KRB5_FCC_NOFILE
instead of KRB5_FCC_PERM as both errors imply that the full pathname
doesn't exist.  Treat EBUSY and ETXTBSY as KRB5_CC_IO instead of
KRB5_FCC_PERM as they indicate a conflict rather than a permission
issue.

[ghudson@mit.edu: renamed set_error to set_errmsg_filename; removed
now-inoperative code to set extended messages in helper functions;
trimmed changes to interpret_errno; clarified and shortened commit
message]

ticket: 8052 (new)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When a FILE ccache method returns an error, append the filename to the
standard message for the code.  Remove code to set extended messages
in helper functions as they would just be overwritten.

Also change the interpretation of errno values.  Treat ENAMETOOLONG as
KRB5_FCC_NOFILE instead of KRB5_FCC_INTERNAL, since it has an external
cause and a name that long can't be opened by normal means.  Treat
EROFS as KRB5_FCC_PERM.  Treat ENOTDIR and ELOOP as KRB5_FCC_NOFILE
instead of KRB5_FCC_PERM as both errors imply that the full pathname
doesn't exist.  Treat EBUSY and ETXTBSY as KRB5_CC_IO instead of
KRB5_FCC_PERM as they indicate a conflict rather than a permission
issue.

[ghudson@mit.edu: renamed set_error to set_errmsg_filename; removed
now-inoperative code to set extended messages in helper functions;
trimmed changes to interpret_errno; clarified and shortened commit
message]

ticket: 8052 (new)
</pre>
</div>
</content>
</entry>
<entry>
<title>Use OFD locks where available</title>
<updated>2014-12-15T20:22:39+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2014-10-07T16:12:11+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=0008014a748310e38b3e4d69e3227af935e86cf7'/>
<id>0008014a748310e38b3e4d69e3227af935e86cf7</id>
<content type='text'>
Linux 3.15 has added OFD locks, which contend with POSIX file locks
but are owned by the open file description instead of the process.
Use these in krb5_lock_file where available, for safer concurrency
behavior.

ticket: 8023 (new)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Linux 3.15 has added OFD locks, which contend with POSIX file locks
but are owned by the open file description instead of the process.
Use these in krb5_lock_file where available, for safer concurrency
behavior.

ticket: 8023 (new)
</pre>
</div>
</content>
</entry>
<entry>
<title>Correct spelling</title>
<updated>2014-12-15T20:03:16+00:00</updated>
<author>
<name>Ben Kaduk</name>
<email>kaduk@mit.edu</email>
</author>
<published>2014-12-08T21:43:36+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=fff8e4817c2f20e923acd87a3085842f43edf192'/>
<id>fff8e4817c2f20e923acd87a3085842f43edf192</id>
<content type='text'>
Remove extra 'i' from "create_standalone_prinicipal".  While here,
pick a slightly shorter name for the variable.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Remove extra 'i' from "create_standalone_prinicipal".  While here,
pick a slightly shorter name for the variable.
</pre>
</div>
</content>
</entry>
<entry>
<title>Add helper for freeing arrays of berval pointers</title>
<updated>2014-12-15T20:03:16+00:00</updated>
<author>
<name>Ben Kaduk</name>
<email>kaduk@mit.edu</email>
</author>
<published>2014-12-06T02:18:38+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=e316b24a2ac3d0b13fe50b37773f51441c63396e'/>
<id>e316b24a2ac3d0b13fe50b37773f51441c63396e</id>
<content type='text'>
This eliminates a potential leak of the bv_val members from
krb5_encode_krbsecretkey().
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This eliminates a potential leak of the bv_val members from
krb5_encode_krbsecretkey().
</pre>
</div>
</content>
</entry>
<entry>
<title>Remove some dead code</title>
<updated>2014-12-15T20:03:16+00:00</updated>
<author>
<name>Ben Kaduk</name>
<email>kaduk@mit.edu</email>
</author>
<published>2014-11-19T17:09:55+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=fb0827e065763821ed1c6c205f15189b1c70bc2a'/>
<id>fb0827e065763821ed1c6c205f15189b1c70bc2a</id>
<content type='text'>
The secretkey variable is initialized to NULL and compared against
NULL, but never actually set to anything after initialization.

Remove the variable and all code that would have executed if it
was non-NULL.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The secretkey variable is initialized to NULL and compared against
NULL, but never actually set to anything after initialization.

Remove the variable and all code that would have executed if it
was non-NULL.
</pre>
</div>
</content>
</entry>
<entry>
<title>Regression tests for keyless principals</title>
<updated>2014-12-15T20:03:16+00:00</updated>
<author>
<name>Ben Kaduk</name>
<email>kaduk@mit.edu</email>
</author>
<published>2014-11-21T19:00:20+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=71201ced154fd3d1a87358ebdaf209d24885ed13'/>
<id>71201ced154fd3d1a87358ebdaf209d24885ed13</id>
<content type='text'>
Confirm that kadmind does not crash when creating/modifying a principal
to have no keys, and confirm that no keys are present after a
purgekeys -all.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Confirm that kadmind does not crash when creating/modifying a principal
to have no keys, and confirm that no keys are present after a
purgekeys -all.
</pre>
</div>
</content>
</entry>
<entry>
<title>Support keyless principals in LDAP [CVE-2014-5354]</title>
<updated>2014-12-15T20:03:16+00:00</updated>
<author>
<name>Ben Kaduk</name>
<email>kaduk@mit.edu</email>
</author>
<published>2014-11-19T17:04:46+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=04038bf3633c4b909b5ded3072dc88c8c419bf16'/>
<id>04038bf3633c4b909b5ded3072dc88c8c419bf16</id>
<content type='text'>
Operations like "kadmin -q 'addprinc -nokey foo'" or
"kadmin -q 'purgekeys -all foo'" result in principal entries with
no keys present, so krb5_encode_krbsecretkey() would just return
NULL, which then got unconditionally dereferenced in
krb5_add_ber_mem_ldap_mod().

Apply some fixes to krb5_encode_krbsecretkey() to handle zero-key
principals better, correct the test for an allocation failure, and
slightly restructure the cleanup handler to be shorter and more
appropriate for the usage.  Once it no longer short-circuits when
n_key_data is zero, it will produce an array of length two with both
entries NULL, which is treated as an empty list by the LDAP library,
the correct behavior for a keyless principal.

However, attributes with empty values are only handled by the LDAP
library for Modify operations, not Add operations (which only get
a sequence of Attribute, with no operation field).  Therefore, only
add an empty krbprincipalkey to the modlist when we will be performing a
Modify, and not when we will be performing an Add, which is conditional
on the (misspelled) create_standalone_prinicipal boolean.

CVE-2014-5354:

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL
dereference by inserting into the database a principal entry which
contains no long-term keys.

In order for the LDAP KDC backend to translate a principal entry
from the database abstraction layer into the form expected by the
LDAP schema, the principal's keys are encoded into a
NULL-terminated array of length-value entries to be stored in the
LDAP database.  However, the subroutine which produced this array
did not correctly handle the case where no keys were present,
returning NULL instead of an empty array, and the array was
unconditionally dereferenced while adding to the list of LDAP
operations to perform.

Versions of MIT krb5 prior to 1.12 did not expose a way for
principal entries to have no long-term key material, and
therefore are not vulnerable.

    CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:OF/RC:C

ticket: 8041 (new)
tags: pullup
target_version: 1.13.1
subject: kadmind with ldap backend crashes when putting keyless entries
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Operations like "kadmin -q 'addprinc -nokey foo'" or
"kadmin -q 'purgekeys -all foo'" result in principal entries with
no keys present, so krb5_encode_krbsecretkey() would just return
NULL, which then got unconditionally dereferenced in
krb5_add_ber_mem_ldap_mod().

Apply some fixes to krb5_encode_krbsecretkey() to handle zero-key
principals better, correct the test for an allocation failure, and
slightly restructure the cleanup handler to be shorter and more
appropriate for the usage.  Once it no longer short-circuits when
n_key_data is zero, it will produce an array of length two with both
entries NULL, which is treated as an empty list by the LDAP library,
the correct behavior for a keyless principal.

However, attributes with empty values are only handled by the LDAP
library for Modify operations, not Add operations (which only get
a sequence of Attribute, with no operation field).  Therefore, only
add an empty krbprincipalkey to the modlist when we will be performing a
Modify, and not when we will be performing an Add, which is conditional
on the (misspelled) create_standalone_prinicipal boolean.

CVE-2014-5354:

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL
dereference by inserting into the database a principal entry which
contains no long-term keys.

In order for the LDAP KDC backend to translate a principal entry
from the database abstraction layer into the form expected by the
LDAP schema, the principal's keys are encoded into a
NULL-terminated array of length-value entries to be stored in the
LDAP database.  However, the subroutine which produced this array
did not correctly handle the case where no keys were present,
returning NULL instead of an empty array, and the array was
unconditionally dereferenced while adding to the list of LDAP
operations to perform.

Versions of MIT krb5 prior to 1.12 did not expose a way for
principal entries to have no long-term key material, and
therefore are not vulnerable.

    CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:OF/RC:C

ticket: 8041 (new)
tags: pullup
target_version: 1.13.1
subject: kadmind with ldap backend crashes when putting keyless entries
</pre>
</div>
</content>
</entry>
</feed>
