path: root/src/lib/gssapi
* Stop using KRB5_TC_OPENCLOSE (Greg Hudson, 2014-11-03; 1 file changed, -5/+2)
  Since KRB5_TC_OPENCLOSE no longer does anything, stop setting it when we iterate over ccaches.
  ticket: 7804
* Use gssalloc_malloc for GSS error tokens (Greg Hudson, 2014-10-09; 1 file changed, -1/+1)
  In kg_accept_krb5, use gssalloc_malloc when allocating space for the error token, since it will be freed with gssalloc_free. Using malloc can cause heap corruption on Windows. This bug was masked by #1445 before 1.12.
  ticket: 8024 (new)
  target_version: 1.13.1
  tags: pullup
* Fix krb5 gss_acquire_cred_impersonate_name crash (Greg Hudson, 2014-09-19; 1 file changed, -2/+8)
  If gss_acquire_cred_impersonate_name is called using an impersonator_cred_handle acquired with GSS_C_ACCEPT, we could dereference null fields of the cred handle and crash. Fix this by checking the impersonator_cred_handle usage and returning GSS_S_NO_CRED if it isn't what we expect, just as we do in init_sec_context.
  Based on a patch from Solly Ross <sross@redhat.com>.
  ticket: 8017 (new)
  target_version: 1.13
  tags: pullup
* Let libgssapi see TGTs in the MSLSA cache (Ben Kaduk, 2014-09-09; 1 file changed, -2/+3)
  When the current user is a local administrator of a windows machine where User Account Control (UAC) is enabled, the Windows LSA will return a block of zeros as the session key for any TGT entry in the MSLSA: cache. The lcc_retrieve() implementation checks for such "null" session keys and prevents them from escaping to callers (as attempts to use them would encounter strange errors). However, when the TGT is the only entry in the cache, this filtering prevents scan_ccache() from detecting that the cache contains non-expired credentials (and that there is a TGT present).
  Since scan_ccache() is only looking at metadata in the cache entries, and does not need to actually use any tickets or session keys, set the KRB5_TC_NOTICKET flag on the ccache before scanning it. This will allow the MSLSA implementation to return a cred for the TGT entry and cause the GSSAPI credential selection algorithm to function properly.
  ticket: 8000 (new)
  tags: pullup
  target_version: 1.12.3
  subject: gssapi.dll fails to detect TGTs in the MSLSA cache when UAC is enabled
* Try to scan_ccache() after leash picks a cache (Ben Kaduk, 2014-09-09; 1 file changed, -1/+2)
  We need to call scan_ccache() in order to notice that there are credentials and read their expire time. The call to scan_ccache() in the Leash case was inadvertently removed as part of commit 8651f3339ccc5a623172a8edfb9cf522883acacd.
  ticket: 7998 (new)
  tags: pullup
  target_version: 1.12.3
  subject: gssapi.dll tries to get initial creds even when some are present
* Allow SPNEGO fallback to NTLM without mechlistMIC (Greg Hudson, 2014-08-09; 1 file changed, -7/+16)
  For interoperability with Windows Server 2003 and earlier, loosen the initiator's enforcement of RFC 4178's mechlistMIC requirement when falling back to NTLMSSP.
  [ghudson@mit.edu: rewrote commit message, added comment to NTLMSSP OID]
  ticket: 7975
  target_version: 1.13
  tags: pullup
* Fix GSS krb5 GSS_C_DELEG_FLAG ret_flags result (Greg Hudson, 2014-08-09; 1 file changed, -9/+10)
  The krb5 gss_accept_sec_context could erroneously return GSS_C_DELEG_FLAG in ret_flags if either:
  * The token included the GSS_C_DELEG_FLAG but did not include at least 28 bytes in the authenticator checksum.
  * The initial token included the GSS_C_DELEG_FLAG but a DCE-style exchange was performed.
  Fix both of these cases.
  ticket: 7987 (new)
  target_version: 1.13
  tags: pullup
* Fix glob memory leak in GSS initialization (Greg Hudson, 2014-08-07; 1 file changed, -1/+2)
  In loadConfigFiles, call globfree even if glob fails, since glob can allocate memory and report partial results on failure. Also initialize globbuf before calling glob; this is not strictly required, but hedges against hypothetical libc implementation bugs which could leave globbuf.gl_pathc or globbuf.gl_pathv uninitialized on error.
  ticket: 7981
* Fix the build on windows (Ben Kaduk, 2014-08-06; 1 file changed, -0/+4)
  Windows does not provide the glob() functionality used to implement the /etc/gss/mechs.d/ feature, so we must avoid compiling the relevant code for windows. (It would never have been called, anyway.)
  Adjust the ccache/Makefile.in rules to not use '-' or '@' in make variable names that are processed by nmake. Also in ccache/Makefile.in, remove some latent leading whitespace that had been previously hidden by the previous rule; this exposed some flawed dependencies that are now removed.
  Windows does not provide sys/socket.h or sys/un.h, so don't try to include them in cc_kcm.c.
  The commit which moved the KKDCP TLS support to a plugin left some dangling references to checkhost.c byproducts in os/Makefile.in, which can be safely removed.
  Use k5-platform.h in support/json.c instead of a set of system includes; this lets windows build the static inline helper functions therein.
* Modify k5buf interfaces for easier use (Greg Hudson, 2014-07-30; 3 files changed, -18/+12)
  Make struct k5buf less opaque and get rid of k5buf-int.h. Make it easy to initialize a k5buf in an error state so that it can be freed in a cleanup handler. Add a function k5_buf_status which returns 0 or ENOMEM. Remove k5_buf_data and k5_buf_len. Rename k5_free_buf to k5_buf_free. Adjust all callers to match.
* Don't equate IAKERB and krb5 in SPNEGO initiator (Greg Hudson, 2014-07-21; 3 files changed, -4/+6)
  To work around a historical bug in Samba, the SPNEGO initiator treats a counterproposal as matching the optimistic token if both are aliases for the krb5 mech. When IAKERB support was added (#6712), IAKERB was unintentionally added to the set of mech OIDs which were considered to be krb5 aliases for this purpose. Remove IAKERB from gss_mech_set_krb5_both and create a new internal mech set, kg_all_mechs, for use by krb5_gss_indicate_mechs.
  ticket: 7974 (new)
* Fix null deref in SPNEGO acceptor [CVE-2014-4344] (Greg Hudson, 2014-07-21; 1 file changed, -1/+1)
  When processing a continuation token, acc_ctx_cont was dereferencing the initial byte of the token without checking the length. This could result in a null dereference.
  CVE-2014-4344: In MIT krb5 1.5 and newer, an unauthenticated or partially authenticated remote attacker can cause a NULL dereference and application crash during a SPNEGO negotiation by sending an empty token as the second or later context token from initiator to acceptor. The attacker must provide at least one valid context token in the security context negotiation before sending the empty token. This can be done by an unauthenticated attacker by forcing SPNEGO to renegotiate the underlying mechanism, or by using IAKERB to wrap an unauthenticated AS-REQ as the first token.
  CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
  [kaduk@mit.edu: CVE summary, CVSSv2 vector]
  ticket: 7970 (new)
  subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]
  target_version: 1.12.2
  tags: pullup
* Fix double-free in SPNEGO [CVE-2014-4343] (David Woodhouse, 2014-07-21; 1 file changed, -1/+0)
  In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the pointer sc->internal_mech became an alias into sc->mech_set->elements, which should be considered constant for the duration of the SPNEGO context. So don't free it.
  CVE-2014-4343: In MIT krb5 releases 1.10 and newer, an unauthenticated remote attacker with the ability to spoof packets appearing to be from a GSSAPI acceptor can cause a double-free condition in GSSAPI initiators (clients) which are using the SPNEGO mechanism, by returning a different underlying mechanism than was proposed by the initiator. At this stage of the negotiation, the acceptor is unauthenticated, and the acceptor's response could be spoofed by an attacker with the ability to inject traffic to the initiator.
  Historically, some double-free vulnerabilities can be translated into remote code execution, though the necessary exploits must be tailored to the individual application and are usually quite complicated. Double-frees can also be exploited to cause an application crash, for a denial of service. However, most GSSAPI client applications are not vulnerable, as the SPNEGO mechanism is not used by default (when GSS_C_NO_OID is passed as the mech_type argument to gss_init_sec_context()). The most common use of SPNEGO is for HTTP-Negotiate, used in web browsers and other web clients. Most such clients are believed to not offer HTTP-Negotiate by default, instead requiring a whitelist of sites for which it may be used to be configured. If the whitelist is configured to only allow HTTP-Negotiate over TLS connections ("https://"), a successful attacker must also spoof the web server's SSL certificate, due to the way the WWW-Authenticate header is sent in a 401 (Unauthorized) response message. Unfortunately, many instructions for enabling HTTP-Negotiate in common web browsers do not include a TLS requirement.
  CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
  [kaduk@mit.edu: CVE summary and CVSSv2 vector]
  ticket: 7969 (new)
  target_version: 1.12.2
  tags: pullup
* Fix leak on GSS module symbol resolution error (Simo Sorce, 2014-07-20; 1 file changed, -2/+6)
  If krb5int_get_plugin_func fails, errinfo may contain an allocated error message. Free it on error when loading GSS modules.
  [ghudson@mit.edu: also fix GSS_ADD_DYNAMIC_METHOD; clarify commit message]
  ticket: 7966 (new)
  target_version: 1.12.2
  tags: pullup
* Remove unused variables (Lukas Slebodnik, 2014-07-12; 1 file changed, -2/+0)
  [ghudson@mit.edu: squashed with similar commits]
* Include autoconf.h before system headers (Greg Hudson, 2014-07-08; 8 files changed, -29/+7)
  Include autoconf.h (either directly or via proxy) before system headers, so that feature test macros defined there can affect the system namespace. Where include order was changed, eliminate some redundant or unnecessary includes.
  ticket: 7961
* Add tests for invalid GSSAPI per-message tokens (Greg Hudson, 2014-06-26; 1 file changed, -0/+1)
  ticket: 7949
* Handle invalid RFC 1964 tokens [CVE-2014-4341...] (Greg Hudson, 2014-06-26; 2 files changed, -9/+41)
  Detect the following cases which would otherwise cause invalid memory accesses and/or integer underflow:
  * An RFC 1964 token being processed by an RFC 4121-only context [CVE-2014-4342]
  * A header with fewer than 22 bytes after the token ID or an incomplete checksum [CVE-2014-4341 CVE-2014-4342]
  * A ciphertext shorter than the confounder [CVE-2014-4341]
  * A declared padding length longer than the plaintext [CVE-2014-4341]
  If we detect a bad pad byte, continue on to compute the checksum to avoid creating a padding oracle, but treat the checksum as invalid even if it compares equal.
  CVE-2014-4341: In MIT krb5, an unauthenticated remote attacker with the ability to inject packets into a legitimately established GSSAPI application session can cause a program crash due to invalid memory references when attempting to read beyond the end of a buffer.
  CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
  CVE-2014-4342: In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote attacker with the ability to inject packets into a legitimately established GSSAPI application session can cause a program crash due to invalid memory references when reading beyond the end of a buffer or by causing a null pointer dereference.
  CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
  [tlyu@mit.edu: CVE summaries, CVSS]
  ticket: 7949 (new)
  subject: Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342]
  target_version: 1.12.2
  tags: pullup
* Simplify ticket retrieval from AP-REQs (Greg Hudson, 2014-06-10; 1 file changed, -4/+3)
  After krb5_rd_req_decoded or krb5_rd_req_decoded_anyflag, the ticket (with enc_part2 if we could decrypt it) is accessible via request->ticket; there is no need to copy it. Stop using the ticket parameter of those functions. Where we need to save the ticket beyond the lifetime of the krb5_ap_req, steal the pointer before freeing the request.
* Do not loop on add_cred_from and other new methods (Sam Hartman, 2014-06-05; 1 file changed, -4/+4)
  Several new GSS-API methods were added but GSSAPI_ADD_METHOD was called to add them rather than GSSAPI_ADD_METHOD_NOLOOP. This means that the implementation from the GSS-API mechglue would be used if the mechanism had no implementation. As a result, the mechglue will call into itself exhausting the call stack in an endless loop when one of these methods is called.
  ticket: 7926
  target_version: 1.12.2
  tags: pullup
* Use k5_setmsg (Greg Hudson, 2014-06-05; 2 files changed, -4/+3)
  Replace most calls to krb5_set_error_message with k5_setmsg for brevity. Leave alone plugin sources where we don't include k5-int.h (mostly PKINIT).
* Read /etc/gss/mech if no mech.d/*.conf found (Greg Hudson, 2014-06-04; 1 file changed, -17/+24)
  Always read /etc/gss/mech, even if globbing /etc/gss/mech.d/*.conf doesn't work. Doing this using GLOB_DOOFFS proved error-prone, so use a simpler approach: factor out the per-pathname handling into a helper function load_if_changed, call it with MECH_CONF before the glob, then pass each glob result through the helper.
  ticket: 7925
* Improve pointer hygiene around gss_display_name (Greg Hudson, 2014-05-24; 2 files changed, -3/+7)
  GSSAPI functions are responsible for setting their output parameters on failure. Take greater care to do so in krb5_gss_display_name.
  The mechglue is generally defensive about initializing variables used as outputs, and not assuming that mechs will set them on failure. Make gssint_convert_name_to_union_name initialize union_name->external_name before calling mech->gss_display_name, so that if the mech's gss_display_name doesn't touch it, we don't free an uninitialized pointer.
  Either one of these changes prevents an unlikely memory bug which could occur if krb5_gss_init_context fails within krb5_gss_display_name when called from gssint_convert_name_to_union_name.
  ticket: 7915 (new)
  target_version: 1.12.2
* Load mechglue config files from /etc/gss/mech.d (Günther Deschner, 2014-05-22; 1 file changed, -11/+54)
  In addition to loading /etc/gss/mech, glob for *.conf files in /etc/gss/mech.d. Load only config files which have changed since the highest mtime we saw in the previous scan. Scan at most once per second to avoid excessive numbers of filesystem syscalls for busy GSSAPI applications.
  [ghudson@mit.edu: rewrote commit message; style changes; added once-per-second throttle on glob/stat calls]
  ticket: 7882 (new)
* Remove dead code from the mechglue initialization (Günther Deschner, 2014-05-22; 1 file changed, -27/+0)
  The stat check in gss_indicate_mechs had no consequent and would have been redundant with logic in updateMechList if it did.
  [ghudson@mit.edu: elaborated commit message; removed unused g_mechSetTime and now-irrelevant comment]
* Allow GSS mechs to force mechlistMIC in SPNEGO (Simo Sorce, 2014-05-08; 1 file changed, -0/+37)
  During a SPNEGO negotiation, if the NTLMSSP mechanism is used and a MIC is produced within the final initiator mechanism token, Microsoft servers require a mechlistMIC even if NTLMSSP was the most preferred mechanism.
  In spnego_mech.c, add a helper function mech_requires_mechlistMIC which queries the mechanism to determine whether we might need to produce a mechlistMIC for interoperability. Call it after each call to the mechanism's gss_init_sec_context and set sc->mic_reqd if it returns true. Although only the second call to NTLMSSP will actually ever return true, the first call makes the mechanism aware that the SPNEGO implementation supports this feature.
  [ghudson@mit.edu: clarified commit message and code]
  ticket: 7907 (new)
* Fix unlikely memory leak exporting lucid context (Neng Xue, 2014-05-07; 1 file changed, -0/+1)
  If the GSSAPI context has an unrecognized proto field (which should never happen), free the context we allocated before returning EINVAL.
  [ghudson@mit.edu: clarify commit message]
* Use k5_change_error_message_code in krb5 GSS mech (Greg Hudson, 2014-05-07; 1 file changed, -4/+1)
  Simplify acquire_accept_cred using the new helper function.
* Fix t_seqstate build with Solaris compiler (Greg Hudson, 2014-03-28; 1 file changed, -2/+3)
  The Solaris native compiler (as of version 5.9) outputs code for static inline functions even if they are not used. So the k5buf_to_gss helper in gssapiP_generic.h causes t_seqstate to have a dependency on libkrb5support.
  ticket: 7872
* Rewrite GSS sequence state tracking code (Greg Hudson, 2014-03-18; 5 files changed, -271/+184)
  Replace util_ordering.c with a new file util_seqstate.c, implemented using a bitmap of previously received sequence numbers instead of a 20-element circular queue. This approach has slightly different limitations--it can check for replays for values within 64 of the expected next number, where the old code could check within the range of the last 20 received numbers regardless of how far apart they are. The new approach should work as well or better for any realistic packet reordering scenario.
  ticket: 7879 (new)
* Improve internal API for GSS sequence numbers (Greg Hudson, 2014-03-18; 12 files changed, -93/+101)
  Use an opaque structure type instead of a void pointer for the sequence number state. Rename all functions to use a g_seqstate prefix rather than a mix of g_order and g_queue. Remove the unnecessary indirection from the state object parameter in g_seqstate_check and g_seqstate_free. Return OM_uint32 where we return a GSS major code, long where we return an errno value, and void where we can't fail.
* Add tests for GSSAPI sequence number processing (Greg Hudson, 2014-03-18; 3 files changed, -0/+204)
  ticket: 7872
* Fix GSS krb5 initial sequence number gap handling (Tomas Kuthan, 2014-03-18; 1 file changed, -0/+15)
  Since #2040, the dummy queue element inserted by g_order_init no longer compares less than the initial sequence number, so we fail when the first few sequence numbers are received out of order. Properly detect when a sequence number fits between the dummy element and the first real queue element.
  [ghudson@mit.edu: rewrote commit message]
  ticket: 7872
  target_version: 1.12.2
  tags: pullup
* Fix clean-unix rule for gssapi_krb5.h (Tomas Kuthan, 2014-03-08; 1 file changed, -2/+2)
  Don't delete gssapi_krb5.h now that it is not generated.
  [ghudson@mit.edu: also remove from generate-files-mac rule and from .gitignore]
* Fix install rule for gssapi_krb5.h (Greg Hudson, 2014-02-28; 1 file changed, -1/+1)
  Revert r16428 now that gssapi_krb5.h is in the source tree.
* Fix two omissions in stdint.h changes (Greg Hudson, 2014-02-26; 1 file changed, -0/+2)
  Since we no longer prefix an "#include <stdint.h>" in the gssapi.h preamble at build time, include it in gssapi.hin. Update util/gss/kernel-lib/Makefile.in to account for gssapi_krb5.h being in the source tree.
* Eliminate internal fixed-width type wrappers (Greg Hudson, 2014-02-26; 10 files changed, -31/+28)
  Directly use stdint.h names for integer types in preference to the various internal names we have made up for them.
* Stop generating gssapi_krb5.h (Greg Hudson, 2014-02-26; 3 files changed, -20/+14)
  We started generating gssapi_krb5.h from gssapi_krb5.hin when we needed to use a 64-bit type for lucid contexts. Since we can now assume a standard name for 64-bit types, we can stop generating the header.
* Assume <stdint.h> and fixed-width types (Greg Hudson, 2014-02-26; 3 files changed, -28/+4)
  Make unconditional use of <stdint.h> and fixed-width types such as uint32_t. k5-plugin.h doesn't use any special integer types, so remove the conditional include block there. Nothing uses INT64_FMT/UINT64_FMT, so leave those out of k5-platform.h for now.
* Properly reflect MS krb5 mech in SPNEGO acceptor (Greg Hudson, 2014-02-05; 1 file changed, -4/+4)
  r25590 changed negotiate_mech() to return an alias into the acceptor's mech set, with the unfortunate side effect of transforming the erroneous Microsoft krb5 mech OID into the correct krb5 mech OID, meaning that we answer with a different OID than the requested one. Return an alias into the initiator's mech set instead, and store that in the mech_set field of the SPNEGO context. The acceptor code only uses mech_set to hold the allocated storage pointed into by internal_mech, so this change is safe.
  ticket: 7858
  target_version: 1.12.2
  tags: pullup
* Fix gss_pseudo_random leak on zero length output (Greg Hudson, 2014-01-18; 1 file changed, -0/+3)
  Nobody is likely to ever ask for zero bytes of output from gss_pseudo_random, but if they do, just return an empty buffer without allocating. Otherwise we leak memory because gss_release_buffer doesn't do anything to buffers with length 0.
  ticket: 7838 (new)
* Allow empty store in gss_acquire_cred_from (Greg Hudson, 2014-01-17; 1 file changed, -12/+0)
  There is no reason to deny a zero-length cred store, so don't check for it in val_acq_cred_args or val_add_cred_args.
  ticket: 7836 (new)
  target_version: 1.12.2
  tags: pullup
* Add rcache feature to gss_acquire_cred_from (Simo Sorce, 2014-01-17; 2 files changed, -13/+36)
  The "rcache" cred store entry can specify a replay cache type and name to be used with the credentials being acquired.
  [ghudson@mit.edu: split up, simplified, and altered to fit preparatory commits]
  ticket: 7819 (new)
* Clean up rcache if GSS krb5 acquire_cred fails (Greg Hudson, 2014-01-17; 1 file changed, -0/+2)
  The error handler in acquire_cred_context didn't release the rcache, which would cause it to leak if we failed after acquire_accept_cred.
  ticket: 7818 (new)
  target_version: 1.12.2
  tags: pullup
* Clean up GSS krb5 acquire_accept_cred (Greg Hudson, 2014-01-17; 1 file changed, -22/+30)
  Use a cleanup handler instead of releasing kt in multiple error clauses. Wrap a long line and fix a comment with a missing word. Rewrap the function arguments to use fewer lines.
* Don't produce context deletion token in krb5 mech (Greg Hudson, 2014-01-13; 1 file changed, -15/+0)
  RFCs 2743 and 4121 recommend that implementations produce empty tokens from gss_delete_sec_context, and trying to produce one can cause gss_delete_sec_context to fail on a partially established context.
  Patch from Tomas Kuthan.
  ticket: 7816 (new)
* Let SPNEGO display mechanism errors (Simo Sorce, 2013-12-18; 1 file changed, -8/+34)
  To avoid potential recursion we use a thread local variable that tells us whether the ancestor was called via spnego_gss_display_name(). If we detect recursion, we assume that we returned a com_err code like ENOMEM and call error_message(); in the worst case that will result in an "Unknown error" message.
  [ghudson@mit.edu: Edited comments and commit message; removed an unneeded line of code.]
  ticket: 7045
  target_version: 1.12.1
  tags: pullup
* Fix GSS krb5 acceptor acquire_cred error handling (Greg Hudson, 2013-12-16; 1 file changed, -1/+3)
  When acquiring acceptor creds with a specified name, if we fail to open a replay cache, we leak the keytab handle. If there is no specified name and we discover that there is no content in the keytab, we leak the keytab handle and return the wrong major code.
  Memory leak reported by Andrea Campi.
  ticket: 7805
  target_version: 1.12.1
  tags: pullup
* Fix memory leak in SPNEGO initiator (Simo Sorce, 2013-12-16; 1 file changed, -0/+1)
  If we eliminate a mechanism from the initiator list because gss_init_sec_context fails, free the memory for that mech OID before removing it from the list.
  [ghudson@mit.edu: clarified commit message]
  ticket: 7803 (new)
  target_version: 1.12.1
  tags: pullup
* Remove unneeded check in SPNEGO initiator (Greg Hudson, 2013-12-16; 1 file changed, -7/+0)
  In init_ctx_cont, if the response token contains no fields, we set a return value but don't actually quit out of the function. We do not need this check (we will fail later on if a piece of required information isn't present), so just remove it.
  Reported by simo@redhat.com.