krb5.git/src/plugins, branch kinit-c MIT Kerberos patches Correct spelling 2014-12-15T20:03:16+00:00 Ben Kaduk kaduk@mit.edu 2014-12-08T21:43:36+00:00 fff8e4817c2f20e923acd87a3085842f43edf192 Remove extra 'i' from "create_standalone_prinicipal". While here, pick a slightly shorter name for the variable. 
Remove extra 'i' from "create_standalone_prinicipal".  While here,
pick a slightly shorter name for the variable.
Add helper for freeing arrays of berval pointers 2014-12-15T20:03:16+00:00 Ben Kaduk kaduk@mit.edu 2014-12-06T02:18:38+00:00 e316b24a2ac3d0b13fe50b37773f51441c63396e This eliminates a potential leak of the bv_val members from krb5_encode_krbsecretkey(). 
This eliminates a potential leak of the bv_val members from
krb5_encode_krbsecretkey().
Remove some dead code 2014-12-15T20:03:16+00:00 Ben Kaduk kaduk@mit.edu 2014-11-19T17:09:55+00:00 fb0827e065763821ed1c6c205f15189b1c70bc2a The secretkey variable is initialized to NULL and compared against NULL, but never actually set to anything after initialization. Remove the variable and all code that would have executed if it was non-NULL. 
The secretkey variable is initialized to NULL and compared against
NULL, but never actually set to anything after initialization.

Remove the variable and all code that would have executed if it
was non-NULL.
Support keyless principals in LDAP [CVE-2014-5354] 2014-12-15T20:03:16+00:00 Ben Kaduk kaduk@mit.edu 2014-11-19T17:04:46+00:00 04038bf3633c4b909b5ded3072dc88c8c419bf16 Operations like "kadmin -q 'addprinc -nokey foo'" or "kadmin -q 'purgekeys -all foo'" result in principal entries with no keys present, so krb5_encode_krbsecretkey() would just return NULL, which then got unconditionally dereferenced in krb5_add_ber_mem_ldap_mod(). Apply some fixes to krb5_encode_krbsecretkey() to handle zero-key principals better, correct the test for an allocation failure, and slightly restructure the cleanup handler to be shorter and more appropriate for the usage. Once it no longer short-circuits when n_key_data is zero, it will produce an array of length two with both entries NULL, which is treated as an empty list by the LDAP library, the correct behavior for a keyless principal. However, attributes with empty values are only handled by the LDAP library for Modify operations, not Add operations (which only get a sequence of Attribute, with no operation field). Therefore, only add an empty krbprincipalkey to the modlist when we will be performing a Modify, and not when we will be performing an Add, which is conditional on the (misspelled) create_standalone_prinicipal boolean. CVE-2014-5354: In MIT krb5, when kadmind is configured to use LDAP for the KDC database, an authenticated remote attacker can cause a NULL dereference by inserting into the database a principal entry which contains no long-term keys. In order for the LDAP KDC backend to translate a principal entry from the database abstraction layer into the form expected by the LDAP schema, the principal's keys are encoded into a NULL-terminated array of length-value entries to be stored in the LDAP database. However, the subroutine which produced this array did not correctly handle the case where no keys were present, returning NULL instead of an empty array, and the array was unconditionally dereferenced while adding to the list of LDAP operations to perform. Versions of MIT krb5 prior to 1.12 did not expose a way for principal entries to have no long-term key material, and therefore are not vulnerable. CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:OF/RC:C ticket: 8041 (new) tags: pullup target_version: 1.13.1 subject: kadmind with ldap backend crashes when putting keyless entries 
Operations like "kadmin -q 'addprinc -nokey foo'" or
"kadmin -q 'purgekeys -all foo'" result in principal entries with
no keys present, so krb5_encode_krbsecretkey() would just return
NULL, which then got unconditionally dereferenced in
krb5_add_ber_mem_ldap_mod().

Apply some fixes to krb5_encode_krbsecretkey() to handle zero-key
principals better, correct the test for an allocation failure, and
slightly restructure the cleanup handler to be shorter and more
appropriate for the usage.  Once it no longer short-circuits when
n_key_data is zero, it will produce an array of length two with both
entries NULL, which is treated as an empty list by the LDAP library,
the correct behavior for a keyless principal.

However, attributes with empty values are only handled by the LDAP
library for Modify operations, not Add operations (which only get
a sequence of Attribute, with no operation field).  Therefore, only
add an empty krbprincipalkey to the modlist when we will be performing a
Modify, and not when we will be performing an Add, which is conditional
on the (misspelled) create_standalone_prinicipal boolean.

CVE-2014-5354:

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL
dereference by inserting into the database a principal entry which
contains no long-term keys.

In order for the LDAP KDC backend to translate a principal entry
from the database abstraction layer into the form expected by the
LDAP schema, the principal's keys are encoded into a
NULL-terminated array of length-value entries to be stored in the
LDAP database.  However, the subroutine which produced this array
did not correctly handle the case where no keys were present,
returning NULL instead of an empty array, and the array was
unconditionally dereferenced while adding to the list of LDAP
operations to perform.

Versions of MIT krb5 prior to 1.12 did not expose a way for
principal entries to have no long-term key material, and
therefore are not vulnerable.

    CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:OF/RC:C

ticket: 8041 (new)
tags: pullup
target_version: 1.13.1
subject: kadmind with ldap backend crashes when putting keyless entries
Fix LDAP misused policy name crash [CVE-2014-5353] 2014-12-15T20:01:34+00:00 Greg Hudson ghudson@mit.edu 2014-12-05T19:01:39+00:00 d1f707024f1d0af6e54a18885322d70fa15ec4d3 In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns successfully with no results, return KRB5_KDB_NOENTRY instead of returning success with a zeroed-out policy object. This fixes a null dereference when an admin attempts to use an LDAP ticket policy name as a password policy name. CVE-2014-5353: In MIT krb5, when kadmind is configured to use LDAP for the KDC database, an authenticated remote attacker can cause a NULL dereference by attempting to use a named ticket policy object as a password policy for a principal. The attacker needs to be authenticated as a user who has the elevated privilege for setting password policy by adding or modifying principals. Queries to LDAP scoped to the krbPwdPolicy object class will correctly not return entries of other classes, such as ticket policy objects, but may return success with no returned elements if an object with the requested DN exists in a different object class. In this case, the routine to retrieve a password policy returned success with a password policy object that consisted entirely of zeroed memory. In particular, accesses to the policy name will dereference a NULL pointer. KDC operation does not access the policy name field, but most kadmin operations involving the principal with incorrect password policy will trigger the crash. Thanks to Patrik Kis for reporting this problem. CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C [kaduk@mit.edu: CVE description and CVSS score] ticket: 8051 (new) target_version: 1.13.1 tags: pullup 
In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns
successfully with no results, return KRB5_KDB_NOENTRY instead of
returning success with a zeroed-out policy object.  This fixes a null
dereference when an admin attempts to use an LDAP ticket policy name
as a password policy name.

CVE-2014-5353:

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL dereference
by attempting to use a named ticket policy object as a password policy
for a principal.  The attacker needs to be authenticated as a user who
has the elevated privilege for setting password policy by adding or
modifying principals.

Queries to LDAP scoped to the krbPwdPolicy object class will correctly
not return entries of other classes, such as ticket policy objects, but
may return success with no returned elements if an object with the
requested DN exists in a different object class.  In this case, the
routine to retrieve a password policy returned success with a password
policy object that consisted entirely of zeroed memory.  In particular,
accesses to the policy name will dereference a NULL pointer.  KDC
operation does not access the policy name field, but most kadmin
operations involving the principal with incorrect password policy
will trigger the crash.

Thanks to Patrik Kis for reporting this problem.

CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C

[kaduk@mit.edu: CVE description and CVSS score]

ticket: 8051 (new)
target_version: 1.13.1
tags: pullup
Use new error message wrapping APIs 2014-12-07T20:11:01+00:00 Nicolas Williams nico@cryptonector.com 2014-11-12T21:49:37+00:00 ebcdf02f8ec212555b1762007fa8454615900f36 Define internal names k5_prendmsg and k5_wrapmsg and use them where we amend error messages. This slightly changes the error message when we fail to construct FAST AP-REQ armor, decrypt a FAST reply, or store credentials in a gic_opts output ccache. Adjust the test suite for the latter of those changes. [ghudson@mit.edu: define and use internal names for brevity; pull in test fix from later commit; expand commit message; fix redundant separators in LDAP messages] ticket: 8046 
Define internal names k5_prendmsg and k5_wrapmsg and use them where we
amend error messages.  This slightly changes the error message when we
fail to construct FAST AP-REQ armor, decrypt a FAST reply, or store
credentials in a gic_opts output ccache.  Adjust the test suite for
the latter of those changes.

[ghudson@mit.edu: define and use internal names for brevity; pull in
test fix from later commit; expand commit message; fix redundant
separators in LDAP messages]

ticket: 8046
Remove length limit on PKINIT PKCS#12 prompt 2014-10-30T01:59:32+00:00 Greg Hudson ghudson@mit.edu 2014-10-29T16:16:40+00:00 3c330ea5846ca02da36a0cb5a5c879364d28a267 Long pathnames can trigger the 128-byte prompt length limit in pkinit_get_certs_pkcs12. Use asprintf instead of snprintf. Also check the result of the prompter invocation. ticket: 8011 target_version: 1.13.1 tags: pullup 
Long pathnames can trigger the 128-byte prompt length limit in
pkinit_get_certs_pkcs12.  Use asprintf instead of snprintf.  Also
check the result of the prompter invocation.

ticket: 8011
target_version: 1.13.1
tags: pullup
Autodetect OpenSSL CMS for LibreSSL compatibility 2014-08-15T14:54:14+00:00 maurerpe junk4me46806@yahoo.com 2014-08-14T21:43:55+00:00 a7a8e3186a21c15132cd8fb6c141afcf25a1fb74 LibreSSL currently does not support CMS, so checking for CMS via OPENSSL_VERSION_NUMBER isn't reliable. Detect CMS support via autoconf instead. [ghudson@mit.edu: clarified commit message; minor style changes] ticket: 7993 (new) target_version: 1.13 tags: pullup 
LibreSSL currently does not support CMS, so checking for CMS via
OPENSSL_VERSION_NUMBER isn't reliable.  Detect CMS support via
autoconf instead.

[ghudson@mit.edu: clarified commit message; minor style changes]

ticket: 7993 (new)
target_version: 1.13
tags: pullup
Fix LDAP key data segmentation [CVE-2014-4345] 2014-08-07T22:15:59+00:00 Tomas Kuthan tkuthan@gmail.com 2014-08-01T13:25:50+00:00 81c332e29f10887c6b9deb065f81ba259f4c7e03 For principal entries having keys with multiple kvnos (due to use of -keepold), the LDAP KDB module makes an attempt to store all the keys having the same kvno into a single krbPrincipalKey attribute value. There is a fencepost error in the loop, causing currkvno to be set to the just-processed value instead of the next kvno. As a result, the second and all following groups of multiple keys by kvno are each stored in two krbPrincipalKey attribute values. Fix the loop to use the correct kvno value. CVE-2014-4345: In MIT krb5, when kadmind is configured to use LDAP for the KDC database, an authenticated remote attacker can cause it to perform an out-of-bounds write (buffer overrun) by performing multiple cpw -keepold operations. An off-by-one error while copying key information to the new database entry results in keys sharing a common kvno being written to different array buckets, in an array whose size is determined by the number of kvnos present. After sufficient iterations, the extra writes extend past the end of the (NULL-terminated) array. The NULL terminator is always written after the end of the loop, so no out-of-bounds data is read, it is only written. Historically, it has been possible to convert an out-of-bounds write into remote code execution in some cases, though the necessary exploits must be tailored to the individual application and are usually quite complicated. Depending on the allocated length of the array, an out-of-bounds write may also cause a segmentation fault and/or application crash. CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C [ghudson@mit.edu: clarified commit message] [kaduk@mit.edu: CVE summary, CVSSv2 vector] ticket: 7980 (new) target_version: 1.12.2 tags: pullup 
For principal entries having keys with multiple kvnos (due to use of
-keepold), the LDAP KDB module makes an attempt to store all the keys
having the same kvno into a single krbPrincipalKey attribute value.
There is a fencepost error in the loop, causing currkvno to be set to
the just-processed value instead of the next kvno.  As a result, the
second and all following groups of multiple keys by kvno are each
stored in two krbPrincipalKey attribute values.  Fix the loop to use
the correct kvno value.

CVE-2014-4345:

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause it to perform an
out-of-bounds write (buffer overrun) by performing multiple cpw
-keepold operations.  An off-by-one error while copying key
information to the new database entry results in keys sharing a common
kvno being written to different array buckets, in an array whose size
is determined by the number of kvnos present.  After sufficient
iterations, the extra writes extend past the end of the
(NULL-terminated) array.  The NULL terminator is always written after
the end of the loop, so no out-of-bounds data is read, it is only
written.

Historically, it has been possible to convert an out-of-bounds write
into remote code execution in some cases, though the necessary
exploits must be tailored to the individual application and are
usually quite complicated.  Depending on the allocated length of the
array, an out-of-bounds write may also cause a segmentation fault
and/or application crash.

    CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

[ghudson@mit.edu: clarified commit message]
[kaduk@mit.edu: CVE summary, CVSSv2 vector]

ticket: 7980 (new)
target_version: 1.12.2
tags: pullup
Disallow unlocked iteration of hash databases 2014-08-07T20:23:55+00:00 Tom Yu tlyu@mit.edu 2014-08-06T22:45:20+00:00 ded6f17bbda92419a68478b822ce79406c0be1e0 It's not clear whether unlocked iteration over a hash DB2 database will omit unaffected entries if database additions or deletions occur concurrently with the iteration. Avoid this situation by disabling unlocked iteration in the unlikely event that someone is still using a hash database for their KDB. ticket: 7977 
It's not clear whether unlocked iteration over a hash DB2 database
will omit unaffected entries if database additions or deletions occur
concurrently with the iteration.  Avoid this situation by disabling
unlocked iteration in the unlikely event that someone is still using a
hash database for their KDB.

ticket: 7977