Commit message

If the canonicalize flag is set, the MIT KDC always returns the client
principal when KRB5_KDC_ERR_C_PRINCIPAL_UNKNOWN is returned.
Check that this is really a referral by testing that the returned
client realm differs from the requested one.
Signed-off-by: Simo Sorce <simo@redhat.com>

In profile_iterator(), return PROF_MAGIC_ITERATOR if *iter_p is NULL,
instead of dereferencing a null pointer, as we did prior to 1.10.
Correct calling code will not trigger this case, but incorrect code
has been reported in the field.
ticket: 8059 (new)
target_version: 1.13.1
tags: pullup

Declare User-Password as having type "octets" instead of "string" or
pyrad 2.x will throw a decoding error when retrieving it.
ticket: 8053 (new)
target_version: 1.13.1
tags: pullup

When a FILE ccache method returns an error, append the filename to the
standard message for the code. Remove code to set extended messages
in helper functions as they would just be overwritten.
Also change the interpretation of errno values. Treat ENAMETOOLONG as
KRB5_FCC_NOFILE instead of KRB5_FCC_INTERNAL, since it has an external
cause and a name that long can't be opened by normal means. Treat
EROFS as KRB5_FCC_PERM. Treat ENOTDIR and ELOOP as KRB5_FCC_NOFILE
instead of KRB5_FCC_PERM as both errors imply that the full pathname
doesn't exist. Treat EBUSY and ETXTBSY as KRB5_CC_IO instead of
KRB5_FCC_PERM as they indicate a conflict rather than a permission
issue.
[ghudson@mit.edu: renamed set_error to set_errmsg_filename; removed
now-inoperative code to set extended messages in helper functions;
trimmed changes to interpret_errno; clarified and shortened commit
message]
ticket: 8052 (new)

Linux 3.15 has added OFD locks, which contend with POSIX file locks
but are owned by the open file description instead of the process.
Use these in krb5_lock_file where available, for safer concurrency
behavior.
ticket: 8023 (new)

Remove extra 'i' from "create_standalone_prinicipal". While here,
pick a slightly shorter name for the variable.

This eliminates a potential leak of the bv_val members from
krb5_encode_krbsecretkey().

The secretkey variable is initialized to NULL and compared against
NULL, but never actually set to anything after initialization.
Remove the variable and all code that would have executed if it
was non-NULL.

Confirm that kadmind does not crash when creating/modifying a principal
to have no keys, and confirm that no keys are present after a
purgekeys -all.

Operations like "kadmin -q 'addprinc -nokey foo'" or
"kadmin -q 'purgekeys -all foo'" result in principal entries with
no keys present, so krb5_encode_krbsecretkey() would just return
NULL, which then got unconditionally dereferenced in
krb5_add_ber_mem_ldap_mod().
Apply some fixes to krb5_encode_krbsecretkey() to handle zero-key
principals better, correct the test for an allocation failure, and
slightly restructure the cleanup handler to be shorter and more
appropriate for the usage. Once it no longer short-circuits when
n_key_data is zero, it will produce an array of length two with both
entries NULL, which is treated as an empty list by the LDAP library,
the correct behavior for a keyless principal.
However, attributes with empty values are only handled by the LDAP
library for Modify operations, not Add operations (which only get
a sequence of Attribute, with no operation field). Therefore, only
add an empty krbprincipalkey to the modlist when we will be performing a
Modify, and not when we will be performing an Add, which is conditional
on the (misspelled) create_standalone_prinicipal boolean.
CVE-2014-5354:
In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL
dereference by inserting into the database a principal entry which
contains no long-term keys.
In order for the LDAP KDC backend to translate a principal entry
from the database abstraction layer into the form expected by the
LDAP schema, the principal's keys are encoded into a
NULL-terminated array of length-value entries to be stored in the
LDAP database. However, the subroutine which produced this array
did not correctly handle the case where no keys were present,
returning NULL instead of an empty array, and the array was
unconditionally dereferenced while adding to the list of LDAP
operations to perform.
Versions of MIT krb5 prior to 1.12 did not expose a way for
principal entries to have no long-term key material, and
therefore are not vulnerable.
CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:OF/RC:C
ticket: 8041 (new)
tags: pullup
target_version: 1.13.1
subject: kadmind with ldap backend crashes when putting keyless entries

ticket: 8051

In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns
successfully with no results, return KRB5_KDB_NOENTRY instead of
returning success with a zeroed-out policy object. This fixes a null
dereference when an admin attempts to use an LDAP ticket policy name
as a password policy name.
CVE-2014-5353:
In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL dereference
by attempting to use a named ticket policy object as a password policy
for a principal. The attacker needs to be authenticated as a user who
has the elevated privilege for setting password policy by adding or
modifying principals.
Queries to LDAP scoped to the krbPwdPolicy object class will correctly
not return entries of other classes, such as ticket policy objects, but
may return success with no returned elements if an object with the
requested DN exists in a different object class. In this case, the
routine to retrieve a password policy returned success with a password
policy object that consisted entirely of zeroed memory. In particular,
accesses to the policy name will dereference a NULL pointer. KDC
operation does not access the policy name field, but most kadmin
operations involving the principal with incorrect password policy
will trigger the crash.
Thanks to Patrik Kis for reporting this problem.
CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
[kaduk@mit.edu: CVE description and CVSS score]
ticket: 8051 (new)
target_version: 1.13.1
tags: pullup

Do not try to run the SASL EXTERNAL auth test if we could not define a
useful interact function. With current libraries the interact
function is asked for an authorization name, and the bind fails if it
gets an unsuccessful result or if no interaction function is defined.
ticket: 8049 (new)
target_version: 1.13.1
tags: pullup

[ghudson@mit.edu: move tests to new file; stop messing with
KRB5CCNAME; use K5Realm.special_env instead of multiple K5Realm
objects]
ticket: 8047

Support the err_fmt relation in [libdefaults] which allows custom
error message formatting.
[ghudson@mit.edu: maintain alphabetical order in documentation and
reword docs; simplify err_fmt_fmt; expand commit message]
ticket: 8047 (new)

Define internal names k5_prendmsg and k5_wrapmsg and use them where we
amend error messages. This slightly changes the error message when we
fail to construct FAST AP-REQ armor, decrypt a FAST reply, or store
credentials in a gic_opts output ccache. Adjust the test suite for
the latter of those changes.
[ghudson@mit.edu: define and use internal names for brevity; pull in
test fix from later commit; expand commit message; fix redundant
separators in LDAP messages]
ticket: 8046

Add four new public APIs for wrapping error messages:
krb5_prepend_error_message, krb5_vprepend_error_message,
krb5_wrap_error_message, and krb5_vwrap_error_message. The first two
functions are from Heimdal and allow a prefix to be added to the
existing message for a code. The latter two functions also allow the
code to be changed.
[ghudson@mit.edu: rename krb5_prepend_error_message2 to
krb5_wrap_error_message; clarify doxygen comments and put them in the
proper form; implement krb5_prepend_error_message in terms of
krb5_wrap_error_message; fix leak and null context handling in
krb5_wrap_error_message; rewrite commit message]
ticket: 8046 (new)

ksu -D does not work in the default build, so we should not document
it. Remove any mention of it from the usage message and from ksu.rst.
[ghudson@mit.edu: edited commit message; omit change to generated man
page]
ticket: 8048 (new)

Implementations of fdopen() are inconsistent about the state of
the file offset after fdopen(., "a+") -- some position the stream
at the end of the file immediately (e.g., Solaris), for both reading
and writing, but others let reads occur from the beginning of the
file (e.g., glibc).
As it turns out, we only ever write to the file descriptor, not
through stdio, so opening the file with O_APPEND and using fdopen()
with "r+b" should give us sufficient append semantics, while
more portably letting the stream read from the beginning of the file.
This fixes the test suite on Solaris, a regression introduced
by commit 6979ead5e5c24ca0ec3569eb4bef48c2e5d8a726.
ticket: 8026

There's not an easy way to test for infinite loops other than
making the test suite hang, unfortunately.

When duplicate suppression was requested, we would enter an
infinite loop upon encountering a duplicate entry, a bug
introduced in commit 0918990bf1d8560d74473fc0e41d08d433da1a15
and thus present in release 1.13.
Rework the conditional to avoid the loop, at the expense of
additional indentation for some of the code.
ticket: 8038
tags: pullup
target_version: 1.13.1

The des3 and arcfour (rc4) enctypes use weak string-to-key algorithms,
and should not be used for producing password-derived keys.
ticket: 7903

If we fail to open the cache file in fcc_initialize, we could wind up
calling close(-1) which is harmless but incorrect. Avoid this by
initializing fd and conditionalizing its cleanup.
ticket: 8026

In two of the kinit tests run by t_skew.py, we expect kinit to exit
before reading the password. If we supply a password input for those
commands, we can fail with a broken pipe exception if the master
process tries to write the password after the slave process exits.
Also correctly check the output of the last kinit invocation.
ticket: 8034 (new)
target_version: 1.13.1
tags: pullup

gcc 4.6.3 (present in Ubuntu 12.04) is smart enough to look at
get_size and see that it does not always assign to *size_out, but not
smart enough to figure out that it always assigns to *size_out when it
returns 0. As a result, it outputs two warnings which we treat as
errors. Add an initial assignment to *size_out at the beginning of
get_size to work around this.
ticket: 8026

Remove open file state from the cache handle, use stdio for reading,
use single O_APPEND writes for writing, and use O_CLOEXEC when
opening. Keep the file handle open during iteration. These changes
simplify the code, fix some concurrency issues, and reduce the
dependency on POSIX file locks. We still acquire file locks for
compatibility with older code, and in case O_APPEND writes aren't
concurrency-atomic.
Helper functions change as follows:
* open_cache_file yields a stdio handle, and only opens and locks.
* close_cache_file takes a stdio handle.
* read_header (new) reads the file header and yields a version.
* invalidate_cache and fcc_lseek are no longer needed.
* get_size, read_bytes, and load_bytes operate on a stdio handle.
* read32, read16, load_data, load_principal, and load_cred operate on
a stdio handle and version.
* write_bytes, store32, store16, and store_principal are no longer
needed.
fcc_initialize now takes responsibility for writing the header and
default client principal, using a single write.
ticket: 8026 (new)

The FILE ccache type maintains a global reference-counted table of
handles, which is perhaps an imperfect workaround for POSIX
per-process file locks. Remove this table, since we plan to maintain
read fds in cursors and use O_APPEND writes to render locking less
important.

Since KRB5_TC_OPENCLOSE no longer does anything, stop setting it when
we iterate over ccaches.
ticket: 7804

Stop processing the KRB5_TC_OPENCLOSE flag in cc_file.c; always reopen
the file instead. This will be replaced with more efficient cursor
handling. Also remove some unused KRB5_TC_OPENCLOSE macros in scc.h.

asn1c 0.9.22 added support for representing integers using unsigned
types if they have appropriate constraints. This changes the
representation of RFC4120's UInt32 type from Integer_t to unsigned
long. In make-vectors.c, this means we can use a static initializer
for kvno, and that the old method of calling asn_long2INTEGER doesn't
work. Adjust make-vectors.c to assume the newer version of asn1c.

Long pathnames can trigger the 128-byte prompt length limit in
pkinit_get_certs_pkcs12. Use asprintf instead of snprintf. Also
check the result of the prompter invocation.
ticket: 8011
target_version: 1.13.1
tags: pullup

Expand out MAKE_CODEC macro invocations into MAKE_ENCODER and
MAKE_DECODER invocations, so that the defined function names appear in
the macro calls. This makes it easier to find the function
definitions using grep, although one still has to look up the macro to
see what it does.

Commit 29dee7d2cece615bec4616fa9b727e77210051db removed the
need for a ccache to hold the credentials used by the process,
but did not remove the ccname and ccache variables which became
unused as a result.

In copy_creds_except, call krb5_cc_end_seq_get so we don't leak the
ccache cursor.
ticket: 8029 (new)
target_version: 1.13.1
tags: pullup

ticket: 8028

In init_creds_step_reply, if we get an error storing output
credentials, do set ctx->complete (since retrieving creds or times
will work at this point) but don't suppress the error code.
ticket: 8028 (new)
target_version: 1.13.1
tags: pullup

The remote kadmin client would not parse the "-norandkey" option to
the ktadd subcommand, terminating option parsing and possibly causing
options to be interpreted as principal names.
ticket: 7962
target_version: 1.13.1
tags: pullup

ticket: 7880
target_version: 1.13.1
tags: pullup

In show_all_ccaches, don't output newlines if status_only is set.

Make klist -s succeed for a cache which contains a non-expired
credential and no TGT cred.
ticket: 8022

In klist, use separate functions to display a ccache and check its
status. Also use a helper function to check if a credential's server
principal is the local krbtgt principal for the realm.

In kg_accept_krb5, use gssalloc_malloc when allocating space for the
error token, since it will be freed with gssalloc_free. Using malloc
can cause heap corruption on Windows. This bug was masked by #1445
before 1.12.
ticket: 8024 (new)
target_version: 1.13.1
tags: pullup

Commit 6e51f9cc3152c8e419fe7f459bcf521d60358434 attempted to fix two
minor memory leaks in klist, but one of the fixes was dead code. In
do_ccache, free princ before we look at the code which terminated the
loop, not after we have returned on either branch.

In kadmind's randkey operation, if a client specifies the keepold
flag, do not include the preserved old keys in the response.
CVE-2014-5351:
An authenticated remote attacker can retrieve the current keys for a
service principal when generating a new set of keys for that
principal. The attacker needs to be authenticated as a user who has
the elevated privilege for randomizing the keys of other principals.
Normally, when a Kerberos administrator randomizes the keys of a
service principal, kadmind returns only the new keys. This prevents
an administrator who lacks legitimate privileged access to a service
from forging tickets to authenticate to that service. If the
"keepold" flag to the kadmin randkey RPC operation is true, kadmind
retains the old keys in the KDC database as intended, but also
unexpectedly returns the old keys to the client, which exposes the
service to ticket forgery attacks from the administrator.
A mitigating factor is that legitimate clients of the affected service
will start failing to authenticate to the service once they begin to
receive service tickets encrypted in the new keys. The affected
service will be unable to decrypt the newly issued tickets, possibly
alerting the legitimate administrator of the affected service.
CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
[tlyu@mit.edu: CVE description and CVSS score]
ticket: 8018 (new)
target_version: 1.13
tags: pullup

If gss_acquire_cred_impersonate_name is called using an
impersonator_cred_handle acquired with GSS_C_ACCEPT, we could
dereference null fields of the cred handle and crash. Fix this by
checking the impersonator_cred_handle usage and returning
GSS_S_NO_CRED if it isn't what we expect, just as we do in
init_sec_context.
Based on a patch from Solly Ross <sross@redhat.com>.
ticket: 8017 (new)
target_version: 1.13
tags: pullup

If two processes try to initialize the same replay cache at the same
time, krb5_rc_io_creat can race between unlink and open, leading to a
KRB5_RC_IO_PERM error. When this happens, make the losing process
retry so that it can continue.
This does not solve the replay cache creation race, nor is that the
only replay cache race issue. It simply prevents the race from
causing a spurious failure.
ticket: 3498
target_version: 1.13
tags: pullup

The use of "stored" was originally for marking whether or not creds
had been found in the source cache and copied to the target. If it was
false, the obtain-a-TGT-using-a-password path would be triggered and
it would populate the target ccache directly.
When the intermediate cache was introduced (in commit dccc80a), the
variable started marking whether or not creds had been copied to the
intermediate cache, and this was then used to decide whether or not to
copy creds to the target cache.
The obtain-a-TGT-using-a-password path began storing its creds in the
temporary cache as well, but neglected to set the flag so that the
creds would be copied to the target cache later, so the target ccache
would never be created and populated with the newly-obtained TGT.
ticket: 8016 (new)
target_version: 1.13
tags: pullup

In order to allow ksu to use any locally-present service key for
verifying creds, the previous change to ksu switched from using a
retrieved or obtained TGT to fetch creds for the local "host" service,
and then passing those creds to krb5_verify_init_creds(), to passing the
retrieved TGT directly to krb5_verify_init_creds().
It did not take care to retrieve the TGT from the temporary ccache if it
had obtained them, and in those cases it would attempt to verify NULL
creds.
Modify the krb5_get_tkt_via_passwd() function to call
krb5_get_init_creds_password(), to pass back the freshly-obtained creds,
to take a "krb5_get_init_creds_opt" pointer instead of a locally-defined
options structure, and rename it to ksu_get_tgt_via_passwd().
ticket: 8015 (new)
target_version: 1.13
tags: pullup

Make the KDC default to listening on TCP.
ticket: 6731
target_version: 1.13
tags: pullup