krb5.git/src/lib/gssapi/krb5, branch master MIT Kerberos patches Include autoconf.h before system headers 2014-07-08T23:19:24+00:00 Greg Hudson ghudson@mit.edu 2014-07-05T15:50:58+00:00 02a1123cf44381690c28f18ab2c4ba8036200539 Include autoconf.h (either directly or via proxy) before system headers, so that feature test macros defined there can affect the system namespace. Where include order was changed, eliminate some redundant or unnecessary includes. ticket: 7961 
Include autoconf.h (either directly or via proxy) before system
headers, so that feature test macros defined there can affect the
system namespace.  Where include order was changed, eliminate some
redundant or unnecessary includes.

ticket: 7961
Handle invalid RFC 1964 tokens [CVE-2014-4341...] 2014-06-26T15:34:42+00:00 Greg Hudson ghudson@mit.edu 2014-06-19T17:49:16+00:00 fb99962cbd063ac04c9a9d2cc7c75eab73f3533d Detect the following cases which would otherwise cause invalid memory accesses and/or integer underflow: * An RFC 1964 token being processed by an RFC 4121-only context [CVE-2014-4342] * A header with fewer than 22 bytes after the token ID or an incomplete checksum [CVE-2014-4341 CVE-2014-4342] * A ciphertext shorter than the confounder [CVE-2014-4341] * A declared padding length longer than the plaintext [CVE-2014-4341] If we detect a bad pad byte, continue on to compute the checksum to avoid creating a padding oracle, but treat the checksum as invalid even if it compares equal. CVE-2014-4341: In MIT krb5, an unauthenticated remote attacker with the ability to inject packets into a legitimately established GSSAPI application session can cause a program crash due to invalid memory references when attempting to read beyond the end of a buffer. CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C CVE-2014-4342: In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote attacker with the ability to inject packets into a legitimately established GSSAPI application session can cause a program crash due to invalid memory references when reading beyond the end of a buffer or by causing a null pointer dereference. CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C [tlyu@mit.edu: CVE summaries, CVSS] ticket: 7949 (new) subject: Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342] taget_version: 1.12.2 tags: pullup 
Detect the following cases which would otherwise cause invalid memory
accesses and/or integer underflow:

* An RFC 1964 token being processed by an RFC 4121-only context
  [CVE-2014-4342]

* A header with fewer than 22 bytes after the token ID or an
  incomplete checksum [CVE-2014-4341 CVE-2014-4342]

* A ciphertext shorter than the confounder [CVE-2014-4341]

* A declared padding length longer than the plaintext [CVE-2014-4341]

If we detect a bad pad byte, continue on to compute the checksum to
avoid creating a padding oracle, but treat the checksum as invalid
even if it compares equal.

CVE-2014-4341:

In MIT krb5, an unauthenticated remote attacker with the ability to
inject packets into a legitimately established GSSAPI application
session can cause a program crash due to invalid memory references
when attempting to read beyond the end of a buffer.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C

CVE-2014-4342:

In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote
attacker with the ability to inject packets into a legitimately
established GSSAPI application session can cause a program crash due
to invalid memory references when reading beyond the end of a buffer
or by causing a null pointer dereference.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C

[tlyu@mit.edu: CVE summaries, CVSS]

ticket: 7949 (new)
subject: Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342]
taget_version: 1.12.2
tags: pullup
Simplify ticket retrieval from AP-REQs 2014-06-11T03:54:41+00:00 Greg Hudson ghudson@mit.edu 2014-06-05T16:03:16+00:00 02de9935648c307098fb69da26f74424da8dde64 After krb5_rd_req_decoded or krb5_rd_req_decoded_anyflag, the ticket (with enc_part2 if we could decrypt it) is accessible via request->ticket; there is no need to copy it. Stop using the ticket parameter of those functions. Where we need to save the ticket beyond the lifetime of the krb5_ap_req, steal the pointer before freeing the request. 
After krb5_rd_req_decoded or krb5_rd_req_decoded_anyflag, the ticket
(with enc_part2 if we could decrypt it) is accessible via
request->ticket; there is no need to copy it.  Stop using the ticket
parameter of those functions.  Where we need to save the ticket beyond
the lifetime of the krb5_ap_req, steal the pointer before freeing the
request.
Use k5_setmsg 2014-06-05T15:22:50+00:00 Greg Hudson ghudson@mit.edu 2014-05-24T16:15:32+00:00 a7b5808b5df9e54ef8a8a7ac24e5faad458ddbce Replace most calls to krb5_set_error_message with k5_setmsg for brevity. Leave alone plugin sources where we don't include k5-int.h (mostly PKINIT). 
Replace most calls to krb5_set_error_message with k5_setmsg for
brevity.  Leave alone plugin sources where we don't include k5-int.h
(mostly PKINIT).
Improve pointer hygiene around gss_display_name 2014-05-24T15:11:33+00:00 Greg Hudson ghudson@mit.edu 2014-05-21T16:03:00+00:00 0bf18fd4363f9f1244688daac224bd456bf52e7f GSSAPI functions are responsible for setting their output parameters on failure. Take greater care to do so in krb5_gss_display_name. The mechglue is generally defensive about initializing variables used as outputs, and not assuming that mechs will set them on failure. Make gssint_convert_name_to_union_name initialize union_name->external_name before calling mech->gss_display_name, so that if the mech's gss_display_name doesn't touch it, we don't free an uninitialized pointer. Either one of these changes prevents an unlikely memory bug which could occur if krb5_gss_init_context fails within krb5_gss_display_name when called from gssint_convert_name_to_union_name. ticket: 7915 (new) target_version: 1.12.2 
GSSAPI functions are responsible for setting their output parameters
on failure.  Take greater care to do so in krb5_gss_display_name.

The mechglue is generally defensive about initializing variables used
as outputs, and not assuming that mechs will set them on failure.
Make gssint_convert_name_to_union_name initialize
union_name->external_name before calling mech->gss_display_name, so
that if the mech's gss_display_name doesn't touch it, we don't free an
uninitialized pointer.

Either one of these changes prevents an unlikely memory bug which
could occur if krb5_gss_init_context fails within
krb5_gss_display_name when called from
gssint_convert_name_to_union_name.

ticket: 7915 (new)
target_version: 1.12.2
Fix unlikely memory leak exporting lucid context 2014-05-07T18:30:52+00:00 Neng Xue xnsuda@yahoo.com 2014-05-05T23:42:02+00:00 0477f69ba67e7071cb3671f94c466ba99f15285e If the GSSAPI context has an unrecognized proto field (which should never happen), free the context we allocated before returning EINVAL. [ghudson@mit.edu: clarify commit message] 
If the GSSAPI context has an unrecognized proto field (which should
never happen), free the context we allocated before returning EINVAL.

[ghudson@mit.edu: clarify commit message]
Use k5_change_error_message_code in krb5 GSS mech 2014-05-07T16:46:27+00:00 Greg Hudson ghudson@mit.edu 2014-04-28T16:27:11+00:00 035eb79b3f250b690502c66aaf664410b1d0e7e0 Simplify acquire_accept_cred using the new helper function. 
Simplify acquire_accept_cred using the new helper function.
Improve internal API for GSS sequence numbers 2014-03-18T15:58:50+00:00 Greg Hudson ghudson@mit.edu 2014-03-11T03:01:40+00:00 23a378046bd8122839e501b3e47bb807b66e1c03 Use an opaque structure type instead of a void pointer for the sequence number state. Rename all functions to use a g_seqstate prefix rather than a mix of g_order and g_queue. Remove the unneccessary indirection from the state object parameter in g_seqstate_check and g_seqstate_free. Return OM_uint32 where we return a GSS major code, long where we return an errno value, and void where we can't fail. 
Use an opaque structure type instead of a void pointer for the
sequence number state.  Rename all functions to use a g_seqstate
prefix rather than a mix of g_order and g_queue.  Remove the
unneccessary indirection from the state object parameter in
g_seqstate_check and g_seqstate_free.  Return OM_uint32 where we
return a GSS major code, long where we return an errno value, and void
where we can't fail.
Fix clean-unix rule for gssapi_krb5.h 2014-03-08T16:23:35+00:00 Tomas Kuthan tkuthan@gmail.com 2014-03-07T13:47:58+00:00 a2f52eee40f081b284b77828e0e58e6566886736 Don't delete gssapi_krb5.h now that it is not generated. [ghudson@mit.edu: also remove from generate-files-mac rule and from .gitignore] 
Don't delete gssapi_krb5.h now that it is not generated.

[ghudson@mit.edu: also remove from generate-files-mac rule and from
.gitignore]
Fix install rule for gssapi_krb5.h 2014-02-28T20:38:27+00:00 Greg Hudson ghudson@mit.edu 2014-02-28T05:30:05+00:00 4d239e933681785acc7fea48ab9b2d5441136e77 Revert r16428 now that gssapi_krb5.h is in the source tree. 
Revert r16428 now that gssapi_krb5.h is in the source tree.