krb5.git/src/lib/gssapi/krb5, branch kinit-c MIT Kerberos patches Stop using KRB5_TC_OPENCLOSE 2014-11-03T16:40:38+00:00 Greg Hudson ghudson@mit.edu 2014-10-06T14:05:41+00:00 ec3a2e9ea2d4fdb2e00fc7b2a6bfed7feac10880 Since KRB5_TC_OPENCLOSE no longer does anything, stop setting it when we iterate over ccaches. ticket: 7804 
Since KRB5_TC_OPENCLOSE no longer does anything, stop setting it when
we iterate over ccaches.

ticket: 7804
Use gssalloc_malloc for GSS error tokens 2014-10-09T15:35:51+00:00 Greg Hudson ghudson@mit.edu 2014-10-08T00:22:52+00:00 68cfc8b4e6338b78dce5a960ce47974a73906fac In kg_accept_krb5, use gssalloc_malloc when allocating space for the error token, since it will be freed with gssalloc_free. Using malloc can cause heap corruption on Windows. This bug was masked by #1445 before 1.12. ticket: 8024 (new) target_version: 1.13.1 tags: pullup 
In kg_accept_krb5, use gssalloc_malloc when allocating space for the
error token, since it will be freed with gssalloc_free.  Using malloc
can cause heap corruption on Windows.  This bug was masked by #1445
before 1.12.

ticket: 8024 (new)
target_version: 1.13.1
tags: pullup
Fix krb5 gss_acquire_cred_impersonate_name crash 2014-09-19T20:32:56+00:00 Greg Hudson ghudson@mit.edu 2014-09-19T15:35:10+00:00 17689700b27c6fb6d26156330d11b57ef79385d3 If gss_acquire_cred_impersonate_name is called using an impersonator_cred_handle acquired with GSS_C_ACCEPT, we could dereference null fields of the cred handle and crash. Fix this by checking the impersonator_cred_handle usage and returning GSS_S_NO_CRED if it isn't what we expect, just as we do in init_sec_context. Based on a patch from Solly Ross <sross@redhat.com>. ticket: 8017 (new) target_version: 1.13 tags: pullup 
If gss_acquire_cred_impersonate_name is called using an
impersonator_cred_handle acquired with GSS_C_ACCEPT, we could
dereference null fields of the cred handle and crash.  Fix this by
checking the impersonator_cred_handle usage and returning
GSS_S_NO_CRED if it isn't what we expect, just as we do in
init_sec_context.

Based on a patch from Solly Ross <sross@redhat.com>.

ticket: 8017 (new)
target_version: 1.13
tags: pullup
Let libgssapi see TGTs in the MSLSA cache 2014-09-09T19:01:13+00:00 Ben Kaduk kaduk@mit.edu 2014-08-21T22:56:24+00:00 0794746f8d8e6b8ce3748d442d2bc1faecf960ce When the current user is a local administrator of a windows machine where User Account Control (UAC) is enabled, the Windows LSA will return a block of zeros as the session key for any TGT entry in the MSLSA: cache. The lcc_retrieve() implementation checks for such "null" session keys and prevents them from escaping to callers (as attempts to use them would encounger strange errors). However, when the TGT is the only entry in the cache, this filtering prevents scan_ccache() from detecting that the cache contains non-expired credentials (and that there is a TGT present). Since scan_ccache() is only looking at metadata in the cache entries, and does not need to actually use any tickets or session keys, set the KRB5_TC_NOTICKET flag on the ccache before scanning it. This will allow the MSLSA implementation to return a cred for the TGT entry and cause the GSSAPI credential selection algorithm to function properly. ticket: 8000 (new) tags: pullup target_version: 1.12.3 subject: gssapi.dll fails to detect TGTs in the MSLSA cache when UAC is enabled 
When the current user is a local administrator of a windows machine
where User Account Control (UAC) is enabled, the Windows LSA will
return a block of zeros as the session key for any TGT entry in the
MSLSA: cache.  The lcc_retrieve() implementation checks for such
"null" session keys and prevents them from escaping to callers (as
attempts to use them would encounger strange errors).  However,
when the TGT is the only entry in the cache, this filtering prevents
scan_ccache() from detecting that the cache contains non-expired
credentials (and that there is a TGT present).

Since scan_ccache() is only looking at metadata in the cache entries,
and does not need to actually use any tickets or session keys, set
the KRB5_TC_NOTICKET flag on the ccache before scanning it.  This
will allow the MSLSA implementation to return a cred for the TGT
entry and cause the GSSAPI credential selection algorithm to function
properly.

ticket: 8000 (new)
tags: pullup
target_version: 1.12.3
subject: gssapi.dll fails to detect TGTs in the MSLSA cache when UAC is enabled
Try to scan_ccache() after leash picks a cache 2014-09-09T19:01:12+00:00 Ben Kaduk kaduk@mit.edu 2014-08-21T16:48:39+00:00 674f7d7abe2d4f8bc3fe791e4347a332e3ccfd41 We need to call scan_ccache() in order to notice that there are credentials and read their expire time. The call to scan_ccache() in the Leash case was inadvertently removed as part of commit 8651f3339ccc5a623172a8edfb9cf522883acacd. ticket: 7998 (new) tags: pullup target_version: 1.12.3 subject: gssapi.dll tries to get initial creds even when some are present 
We need to call scan_ccache() in order to notice that there
are credentials and read their expire time.

The call to scan_ccache() in the Leash case was inadvertently
removed as part of commit 8651f3339ccc5a623172a8edfb9cf522883acacd.

ticket: 7998 (new)
tags: pullup
target_version: 1.12.3
subject: gssapi.dll tries to get initial creds even when some are present
Fix GSS krb5 GSS_C_DELEG_FLAG ret_flags result 2014-08-09T16:31:32+00:00 Greg Hudson ghudson@mit.edu 2014-08-08T20:50:38+00:00 d899084e24555dc8fd091eb08187ca2a45a08324 The krb5 gss_accept_sec_context could erroneously return GSS_C_DELEG_FLAG in ret_flags if either: * The token included the GSS_C_DELEG_FLAG but did not include at least 28 bytes in the authenticator checksum. * The initial token included the GSS_C_DELEG_FLAG but a DCE-style exchange was performed. Fix both of these cases. ticket: 7987 (new) target_version: 1.13 tags: pullup 
The krb5 gss_accept_sec_context could erroneously return
GSS_C_DELEG_FLAG in ret_flags if either:

* The token included the GSS_C_DELEG_FLAG but did not include at least
  28 bytes in the authenticator checksum.
* The initial token included the GSS_C_DELEG_FLAG but a DCE-style
  exchange was performed.

Fix both of these cases.

ticket: 7987 (new)
target_version: 1.13
tags: pullup
Don't equate IAKERB and krb5 in SPNEGO initiator 2014-07-21T16:53:18+00:00 Greg Hudson ghudson@mit.edu 2014-07-15T17:20:43+00:00 887951cd141dd2253912a17da08da016a8030a24 To work around a historical bug in Samba, the SPNEGO initiator treats a counterproposal as matching the optimistic token if both are aliases for the krb5 mech. When IAKERB support was added (#6712), IAKERB was unintentionally added to the set of mech OIDs which were considered to be krb5 aliases for this purpose. Remove IAKERB from gss_mech_set_krb5_both and create a new internal mech set, kg_all_mechs, for use by krb5_gss_indicate_mechs. ticket: 7974 (new) 
To work around a historical bug in Samba, the SPNEGO initiator treats
a counterproposal as matching the optimistic token if both are aliases
for the krb5 mech.  When IAKERB support was added (#6712), IAKERB was
unintentionally added to the set of mech OIDs which were considered to
be krb5 aliases for this purpose.

Remove IAKERB from gss_mech_set_krb5_both and create a new internal
mech set, kg_all_mechs, for use by krb5_gss_indicate_mechs.

ticket: 7974 (new)
Remove unused variables 2014-07-12T17:35:45+00:00 Lukas Slebodnik lslebodn@redhat.com 2014-06-21T20:41:08+00:00 43a26c6d8ea9e2a82f780171cd34365911d71228 [ghudson@mit.edu: squashed with similar commits] 
[ghudson@mit.edu: squashed with similar commits]
Include autoconf.h before system headers 2014-07-08T23:19:24+00:00 Greg Hudson ghudson@mit.edu 2014-07-05T15:50:58+00:00 02a1123cf44381690c28f18ab2c4ba8036200539 Include autoconf.h (either directly or via proxy) before system headers, so that feature test macros defined there can affect the system namespace. Where include order was changed, eliminate some redundant or unnecessary includes. ticket: 7961 
Include autoconf.h (either directly or via proxy) before system
headers, so that feature test macros defined there can affect the
system namespace.  Where include order was changed, eliminate some
redundant or unnecessary includes.

ticket: 7961
Handle invalid RFC 1964 tokens [CVE-2014-4341...] 2014-06-26T15:34:42+00:00 Greg Hudson ghudson@mit.edu 2014-06-19T17:49:16+00:00 fb99962cbd063ac04c9a9d2cc7c75eab73f3533d Detect the following cases which would otherwise cause invalid memory accesses and/or integer underflow: * An RFC 1964 token being processed by an RFC 4121-only context [CVE-2014-4342] * A header with fewer than 22 bytes after the token ID or an incomplete checksum [CVE-2014-4341 CVE-2014-4342] * A ciphertext shorter than the confounder [CVE-2014-4341] * A declared padding length longer than the plaintext [CVE-2014-4341] If we detect a bad pad byte, continue on to compute the checksum to avoid creating a padding oracle, but treat the checksum as invalid even if it compares equal. CVE-2014-4341: In MIT krb5, an unauthenticated remote attacker with the ability to inject packets into a legitimately established GSSAPI application session can cause a program crash due to invalid memory references when attempting to read beyond the end of a buffer. CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C CVE-2014-4342: In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote attacker with the ability to inject packets into a legitimately established GSSAPI application session can cause a program crash due to invalid memory references when reading beyond the end of a buffer or by causing a null pointer dereference. CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C [tlyu@mit.edu: CVE summaries, CVSS] ticket: 7949 (new) subject: Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342] taget_version: 1.12.2 tags: pullup 
Detect the following cases which would otherwise cause invalid memory
accesses and/or integer underflow:

* An RFC 1964 token being processed by an RFC 4121-only context
  [CVE-2014-4342]

* A header with fewer than 22 bytes after the token ID or an
  incomplete checksum [CVE-2014-4341 CVE-2014-4342]

* A ciphertext shorter than the confounder [CVE-2014-4341]

* A declared padding length longer than the plaintext [CVE-2014-4341]

If we detect a bad pad byte, continue on to compute the checksum to
avoid creating a padding oracle, but treat the checksum as invalid
even if it compares equal.

CVE-2014-4341:

In MIT krb5, an unauthenticated remote attacker with the ability to
inject packets into a legitimately established GSSAPI application
session can cause a program crash due to invalid memory references
when attempting to read beyond the end of a buffer.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C

CVE-2014-4342:

In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote
attacker with the ability to inject packets into a legitimately
established GSSAPI application session can cause a program crash due
to invalid memory references when reading beyond the end of a buffer
or by causing a null pointer dereference.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C

[tlyu@mit.edu: CVE summaries, CVSS]

ticket: 7949 (new)
subject: Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342]
taget_version: 1.12.2
tags: pullup