30892 Commits

Author SHA1 Message Date
cea03aebfb asdf 2025-03-29 17:30:49 +01:00
161e2b8ed7 fixup! WIP: find libsystemd with autoconfig 2025-03-29 16:56:30 +01:00
3761a26a59 WIP: find libsystemd with autoconfig 2025-03-26 13:01:01 +01:00
5b9d81284c Set up nix tooling 2025-03-26 12:51:53 +01:00
3fba586bf5 zed: set tab width 2025-03-26 12:51:52 +01:00
fd2d434dd3 libtommath: Fix possible integer overflow CVE-2023-36328
Cherry picked from libtommath 7bbc1f8e4fe6dce75055957645117180768efb15.

Vulnerability Detail:
  CVE Identifier: CVE-2023-36328
  Description: Integer Overflow vulnerability in mp_grow in libtom
    libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9,
    allows attackers to execute arbitrary code and cause a denial of
    service (DoS).
  Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-36328

Reported-by: https://github.com/Crispy-fried-chicken
2024-09-10 09:00:32 -04:00
614bc16130 update .gitignore
/confdefs.h
/conftest.c
/conftest.err
/tmp.h
2024-09-04 10:24:44 -04:00
305ab03155 krb5: Fix DNS SRV name collision handling 2024-09-03 15:14:42 -04:00
8d20888e09 krb5: Red Hat gssproxy FILE ccache remove cred compatibility
gssproxy stores its credentials to the ccache with endtime == 0.
Therefore, it is not safe to skip ccache entries unless authtime
is non-zero as well.
2024-09-03 14:19:20 -04:00
b7e699597e krb5: MIT krb5 FILE ccache remove cred compatibility
MIT commit d3b39a8bac6206b5ea78b0bf6a2958c1df0b0dd5 implemented
krb5_cc_remove_cred() for FILE ccaches by setting endtime to zero
and authtime to minus one and then filtering out those credentials
from get_next().

This change sets "authtime = -1" for the removed cred to permit
MIT krb5 to ignore removed credentials from a shared FILE ccache.

MIT commit 4c0838bb4c232866b95c9f2f72a55bf77cfc1308 modified the
cred_removed() check to restore compatibility with Heimdal.
2024-09-03 14:19:20 -04:00
68dbf1ba10 krb5: fcc_next_cred do not return removed creds
commit a9bd3c6e50 ("Fix racy file ccache
corruption in cred_delete()") implemented krb5_cc_remove_cred() for
"FILE" ccaches by overwriting the removed credential endtime value
with zero (Unix Epoch).  However, it did not modify fcc_get_next()
to filter out these deleted entries.  As a result, invalid credentials
can be returned from the FILE ccache where endtime < starttime.
RFC4120 requires endtime >= starttime for all tickets.

MIT Kerberos since d3b39a8bac6206b5ea78b0bf6a2958c1df0b0dd5
("Implement krb5_cc_remove_cred for remaining types") modifies a
removed cred by setting

  endtime = 0
  authtime = -1

and then filters out removed creds from the fcc_next_cred() results.

In 2013 Heimdal broke interop with MIT processes that share the
FILE ccache by implementing remove by setting "endtime = 0" and
now MIT has broken interop with the Heimdal implementation of
fcc_remove_cred() by checking for both "endtime = 0" and "authtime = -1".

This change filters results from fcc_get_next() when the "endtime == 0"
which is acceptable because a KDC is not permitted to return a
ticket with an endtime == 0.
2024-09-03 14:19:20 -04:00
ec37879038 appl/tests: auditdns eliminate use of 'restrict' keyword if !C99
The 'restrict' keyword was introduced in C99 and provides a hint to
the compiler that can be used to better optimize code.  The 'restrict'
keyword results in build failures when the compiler is not C99.

  auditdns.c:101:37: error: expected ‘;’, ‘,’ or ‘)’ before ‘hints’
     const struct addrinfo *restrict hints,
                                     ^
  auditdns.c:409:45: error: expected ‘;’, ‘,’ or ‘)’ before ‘sa’
     getnameinfo(const struct sockaddr *restrict sa, socklen_t salen,
                                                 ^

This change defines 'register' to nothing if the compiler does not
implement the C99 standard.

Observed with gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-44).
2024-09-03 13:41:22 -04:00
2262e19a40 lib/gssapi/krb5: don't ignore _gsskrb5_decapsulate() result in init_sec_context responses
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15603

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2024-09-03 13:38:15 -04:00
99a53d76e6 krb5: Correct inverted conditions
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
2024-09-03 13:35:38 -04:00
347822cf76 ENABLE_AFS_STRING_TO_KEY requires crypt()
If crypt() is unavailable then DES_AFS3_string_to_key() cannot be
implemented for passwords up to 8 characters in length.  Do not
advertise support for "afs3-salt" when crypt() is missing.
2024-09-03 13:31:34 -04:00
b09f3b3c28 otp: prevent implicit function declarations if HAVE_DB_NDBM
Include ndbm.h if HAVE_DB_NDBM is defined to avoid implicit function
declarations.
2024-09-03 13:30:37 -04:00
323d555c82 cf: Do not use headers and argument lists in AC_FIND_FUNC_NO_LIBS2
The callers of this macro generally do not supply this information.
Without it, the checks rely on compiler support for implicit function
declarations.  It would be possible to supply this information in
the callers.  But even then, with the existing macro interface, it
would be necessary to pass e.g. null pointers where they trigger
undefined behavior.  Therefore, use the same kludge that autoconf
uses to make up prototypes, avoiding those implicit function
declarations.

The includes/arguments macro parameters are now ignored, but preserved
for interface compatibility.
2024-09-03 11:12:23 -04:00
c711cbf7cc cf: Include <string.h> for memset in AC_HAVE_STRUCT_FIELD
Otherwise, the check relies on an implicit function declaration,
and will fail unconditionally with compilers that do not support
them.
2024-09-03 11:12:23 -04:00
78f017fe01 krb5/fast.c: fix copying source/dest for copy_KrbFastArmor
if using armoring service.
2024-09-02 14:01:39 -04:00
ba8c3dbc62 lib/gssapi/krb5: implement GSS_C_CHANNEL_BOUND_FLAG for gss_init_sec_context()
This will force KERB_AP_OPTIONS_CBT to be sent.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2024-07-06 16:14:43 -04:00
6b08c05258 kdc: Enforce hardware authentication for accounts requiring it
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
2024-07-06 16:08:56 -04:00
a2a765f88e lib/krb5: initialize kdc_offset in the memory ccache from the krb5_context
This ensures we inherit the clock skew adjustment from the AS-REQ/REP into the
memory ccache in a similar way done for the file ccache.

This means krb5_cc_get_kdc_offset() will return the correct value and
_krb5_get_cred_kdc_any() uses the adjusted time in the authenticator of
subsequent TGS-REQ.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15676

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2024-07-06 16:07:17 -04:00
c2e68593a5 lib/krb5: use check_fast() in _krb5_fast_unwrap_error()
At least Windows KDCs return KRB5KRB_AP_ERR_SKEW without edata in
response to TGS-REQ.

This ensures the callers see the KRB5KRB_AP_ERR_SKEW error and not
KRB5_KDCREP_MODIFIED "FAST fast response is missing FX-FAST".

For the response to an armored AS-REQ, we'll now return
KRB5KRB_AP_ERR_MODIFIED instead of KRB5_KDCREP_MODIFIED,
but if there's an attack the exact error code doesn't matter.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15676

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2024-07-06 16:07:17 -04:00
2f7a9d9530 gssapi: Fix ordering logic in _gssapi_msg_order_check
A typo in _gssapi_msg_order_check means that sequence numbers
received out of sequence are not correctly added to the internal
order array.
2024-07-06 16:06:54 -04:00
05e292e1af gssapi: Sequence errors should not be fatal
Sequence errors are supplemental information in GSSAPI. This means
that they are not fatal, unless they are returned alongside a failure
error code. This change makes our behaviour the same as MIT's - sequence
errors are non-fatal, and return valid output information.
2024-07-06 16:06:54 -04:00
1b57b62d82 cf/largefile.m4: Fix build with autoconf-2.72
Fixes https://github.com/heimdal/heimdal/issues/1201
2024-06-16 23:31:51 -04:00
aff90c322e Fix spelling 2024-06-16 23:30:48 -04:00
c80c04b235 spelling fixes (underun prefered relase encyption confunder)
[abartlet@samba.org: From Samba debian package at
 https://salsa.debian.org/samba-team/samba/-/blob/master/debian/patches/heimdal-spelling.patch?ref_type=heads]

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2024-06-16 23:28:43 -04:00
c753ed5b7f kdc: APPLE disable enable-pkinit by default as documented
commit 4d48b172ab ("add pkinit
configration for btmm") introduced automatic configuration of
the 'pkinit_kdc_identity' and 'pkinit_kdc_friendly_name' on macOS
but also modified the default for the 'enable_pkinit' setting
such that pkinit is enabled on all __APPLE__ platforms overriding
the [kdc] enable-pkinit setting obtained from the configuration.

This change modifies the enable-pkinit behavior on __APPLE__ platforms
to match those on every other platform.  __APPLE__ platforms will
continue to auto-configure the [kdc] pkinit_identity and
[kdc] pkinit_anchors if they are not specified in the configuration.
2024-06-16 23:27:37 -04:00
5ba8b7f177 gssapi/mech: -Wcalloc-transposed args
warning: 'calloc' sizes specified with 'sizeof' in the earlier argument
and not in the later argument [-Wcalloc-transposed-args].

Swap the args.
2024-06-04 06:22:37 -04:00
2d89b4c27c kdc: -Wcalloc-transposed args
warning: 'calloc' sizes specified with 'sizeof' in the earlier argument
and not in the later argument [-Wcalloc-transposed-args].

Swap the args.
2024-06-04 06:22:37 -04:00
1ffff7e4ff kadmin: ext.c -Wcalloc-transposed args
warning: 'calloc' sizes specified with 'sizeof' in the earlier argument
and not in the later argument [-Wcalloc-transposed-args].

Swap the args.
2024-06-04 06:22:37 -04:00
b74ab765c7 sl: osad -Wcalloc-transposed args
warning: 'calloc' sizes specified with 'sizeof' in the earlier argument
and not in the later argument [-Wcalloc-transposed-args].

Swap the args.
2024-06-04 06:22:37 -04:00
17402aef07 roken: warning: ‘line’ defined but not used [-Wunused-variable]
In rkpty.c line[] must be defined if defined(HAVE_OPENPTY),
defined(__osf__), or defined(STREAMSPTY).  Otherwise, it is unused.
2024-06-04 06:22:37 -04:00
17f31adbff gssapi/krb5: _gsskrb5_display_name return GSS_C_NT_ANONYMOUS
If the Kerberos v5 principal name is

  WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

and the principal type is KRB5_NT_WELLKNOWN, then gss_display_name()
is expected to return GSS_C_NT_ANONYMOUS instead of
GSS_KRB5_NT_PRINCIPAL_NAME.  This change matches the behavior of
MIT Kerberos.
2024-06-04 06:22:37 -04:00
d8c10e68a6 kdc: per-target CPPFLAGS do not have an _AM in the variable name
when microhttpd is present, bx509d does not build because the
automake-emitted makefile is wrong
2024-05-20 22:04:21 -04:00
1b62220778 tests: Use here-doc kadmin in Java test 2024-01-20 16:13:21 -06:00
366016b1f6 tests: Speed up tests/gss/check-gssmask 2024-01-17 16:55:35 -06:00
1aa0a495c2 tests: Use kadmin w/ here-document to speed up tests 2024-01-16 16:28:35 -06:00
016373931d tests: Kill daemons on ^C 2024-01-16 16:28:35 -06:00
7a0915c630 tests: Make check-hdb-mitdb a bit more verbose 2024-01-16 16:28:35 -06:00
408a62a7b4 cf: Add --with-mitdb=PATH option
OS X builds started thinking they have the mitdb backend and started
failing the tests/kdc/check-mitdb test.  This commit fixes that by
requiring explicit enablement of the mitdb HDB backend.
2024-01-16 16:28:35 -06:00
2e94b7855c doc: Clarify kdc --ports / [kdc] ports (fix ) 2024-01-16 11:28:35 -06:00
cb9a130322 auditdns: Cover getnameinfo and gethostbyaddr too.
Fixes the final remaining part of:
https://github.com/heimdal/heimdal/issues/1214
2024-01-09 21:19:30 -06:00
e0aeef2bd3 krb5_sock_to_principal: Respect option [libdefaults] block_dns.
This fixes the one leaky part of:
https://github.com/heimdal/heimdal/issues/1214
2024-01-09 21:19:30 -06:00
f051c36471 Pass NI_NUMERICSERV|NI_NUMERICSCOPE if NI_NUMERICHOST to getnameinfo.
This addresses part of https://github.com/heimdal/heimdal/issues/1214
to audit potential network leaks with [libdefaults] block_dns = yes.

NI_NUMERICHOST is _probably_ sufficient -- we probably won't see many
systems using NIS to look up service names by number if we fail to
specify NI_NUMERICSERV, and such systems probably require careful
auditing of their own.  And I don't know of any way NI_NUMERICSCOPE
could trigger network leaks.  But named scope ids are such a niche
option with IPv6 that setting it to forestall concerns can't hurt
much, and it makes reviewing easier if we just unconditionally flip
on all the numeric-only options.
2024-01-09 21:19:30 -06:00
4d39fe8d04 libroken: Fill in NI_NUMERICSCOPE as 0 if not defined.
This flag has been defined by POSIX for years if not decades, but glibc
and Windows apparently still don't have it.

We will use it with getnameinfo, along with all other NI_NUMERICxxx
options, to minimize risk of network leaks with block_dns.
2024-01-09 21:19:30 -06:00
d73910c588 auditdns: Tidy up minor issues.
- Omit needless semicolon.
- Reject obscene service numbers in getaddrinfo.
- Fix mistake in comment about EAI_NONAME failure branch.

Leftovers from: https://github.com/heimdal/heimdal/pull/1213
2024-01-09 21:19:30 -06:00
e75e549252 Use AI_NUMERICSERV if block_dns, and use local getaddrinfo to audit.
This change has two parts:

1. Provide our own local implementation of numeric-only getaddrinfo
   in auditdns.c used to audit for DNS leaks, rather than deferring
   to dlsym(RTLD_NEXT, "getaddrinfo"), in terms of inet_pton.

   To keep review and implementation simple, this is limited to
   AI_NUMERICHOST _and_ AI_NUMERICSERV -- this requires that we
   arrange to pass AI_NUMERICSERV in callers too.

2. Wherever we implement block_dns, set AI_NUMERICSERV in addition to
   AI_NUMERICHOST as needed by the new auditdns.c getaddrinfo.

   (In principle this might also avoid other network leaks -- POSIX
   guarantees no name resolution service will be invoked, and gives
   NIS+ as an example.)

   One tiny semantic change to avoid tripping over the auditor:
   kadmin(8) now uses the string "749" rather than the string
   "kerberos-adm".  (Currently we don't audit kadmin(8) for DNS leaks
   but let's avoid leaving a rake to step on.)  Every other caller I
   found is already guaranteed to pass a numeric service rather than
   named service to getaddrinfo.

fix https://github.com/heimdal/heimdal/issues/1212
2024-01-09 16:06:32 -06:00
1d8f4347bb lib/krb5: Fix error message typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-01-09 16:06:06 -06:00