Commit Graph

5832 Commits

Author SHA1 Message Date
Jeffrey Altman
6dd3eb836b CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'.  Use of the unecrypted version provides an
opportunity for successful server impersonation and other attacks.

Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
2017-07-10 16:51:25 -04:00
Nicolas Williams
122cdc578e Fix some krb5_storage_write() usages 2017-05-26 23:24:30 -04:00
Nicolas Williams
2c542ce8b1 Better corrupt keytab recovery? 2017-05-26 23:24:30 -04:00
Nicolas Williams
a7e585c85e Fix storage usage in lib/krb5/keytab_file.c 2017-05-26 23:24:30 -04:00
Nicolas Williams
48c137f355 Use stdio for keytab operations
Unlike the ccache, we can't lock less because of the way in which keytab
entries are removed: by negating their length.  Also unlike ccaches, we
hold locks across the entirety of keytab iteration.
2017-05-26 23:24:30 -04:00
Nicolas Williams
322b166c37 Use stdio, lock less to make FILE ccache faster
Use stdio.  Don't lock to read -- we only ever rename new ccaches into
place, or overwrite endtimes to delete entries, or overwrite part of the
realm name of cc config entries.

Dropping locks around ccache iterator stepping strongly implied that we
don't expect truncation, that we only expect appends (and the
overwriting done to delete entries).

Don't unlock -- let close(2) do it, thus making fewer system calls.
2017-05-26 23:24:30 -04:00
Nicolas Williams
c01c48e0f4 Add stdio-based krb5_storage 2017-05-26 23:24:30 -04:00
Nicolas Williams
3fb30ff0a6 Fix fd_store() return value for short writes 2017-05-26 23:24:30 -04:00
Nicolas Williams
e17cbff0ae Fix fd_fetch() return value for short reads 2017-05-26 23:24:30 -04:00
Viktor Dukhovni
5b39bd7c1d New KRB5_NO_TICKET_STORE env var 2017-05-26 10:53:37 -05:00
Roland C. Dowdeswell
e65db603bf Issue 282: fix tolower_ascii in lib/krb5/principal.c. 2017-05-16 11:51:33 -05:00
Jeffrey Altman
6f3ab01c75 check return copy_Realm, copy_PrincipalName, copy_EncryptionKey
The ASN.1 functions copy_Realm(), copy_PrincipalName() and
copy_EncryptionKey() can fail.  Check the return and perform error
handling as appropriate.

Change-Id: I2b3629d19db96eb41d1cd554cef1dca99745e753
2017-04-29 15:24:42 -04:00
Jeffrey Altman
029d32580a fix calls to memset_s
In random_password() and DES3_string_to_key(), do not call
memset_s() with the sizeof a pointer.

Change-Id: I7dd49b9f717e1cb5c262f2d375d2b85be82cd2db
2017-04-29 13:55:24 -04:00
Jeffrey Altman
93518bfab4 use memset_s
lib roken includes support for memset_s() but it was not applied
to the Heimdal source tree.

Change-Id: I8362ec97a9be50205bb2d398e65b629b88ce1acd
2017-04-29 01:05:59 -04:00
Roland C. Dowdeswell
2e01930cf7 krb5_kt_next_entry() needs to operate on a zero'd krb5_keytab_entry. 2017-04-25 10:22:58 -05:00
Nicolas Williams
7dfad1ab0b Use secure_getenv() instead of issuid() 2017-04-17 18:02:30 -04:00
Viktor Dukhovni
c7f54ae85a Fix error in last-minute tgt referral tweak 2017-04-14 15:26:26 -04:00
Viktor Dukhovni
1c6e1d5b1a Improve referral processing for TGTs
When using referrals to obtain krbtgt/A@B we're really looking for a
path to krbtgt/B first, and only then a ticket for krbtgt/A.
2017-04-13 18:11:52 -05:00
Viktor Dukhovni
a4fb8984dd Do not ignore realm when checking for expected ticket or referral 2017-04-13 18:11:52 -05:00
Viktor Dukhovni
10f3ab0f2a Never store TGT "aliases"
When obtaining a remote TGT krbtgt/REALM2@REALM2, an intermediate
cross-realm TGT obtained for krbtgt/REALM2@REALM1 is not equivalent
to the TGT we seek, and must not be stored under its name.
2017-04-13 18:11:52 -05:00
Viktor Dukhovni
f468c2fed1 Use actual Ticket to construct AP-REQ
When the cred passed krb5_build_ap_req() has a different name for the actual
ticket (e.g., because the entry came from a ccache with an alias name as the
entry name) then we were putting a Ticket on the wire with the name from the
cred rather than from the Ticket in the cred.  We don't think this is intended
or desirable.  The server should see the Ticket _exactly_ as minted by the KDC.

Perhaps AP-REQ should have used an OCTET STRING to contain the Ticket given that
Ticket is a PDU, which would make a byte-for-byte copy trivial, but as it is it
uses Ticket instead.  Therefore this commit has it decode the Ticket from the
cred and then C struct assign that value to the AP-REP's ticket field -- this
then copies the Ticket as exactly as vended.
2017-04-13 18:11:52 -05:00
Jeffrey Altman
23ee804e9d lib/krb5: krb5_config_parse_file_multi use after free
If the file is not a regular file, the 'fname' buffer will be freed
before it is passed to the krb5_set_error_message() routine.  That
this is true is not obvious from code inspection but 'newfname'
and 'fname' refer to the same memory.

Change-Id: I7780eae9ceaf01b245df488a2f7d7f406770864f
2017-03-18 15:22:33 -04:00
Nicolas Williams
9609397874 Misc 64-bit time support (debug message)
Originally by Christos Zoulas.  Originally used %jd and casts to
intmax_t, however, we can't use those on Windows yet.
2017-03-13 18:39:41 -04:00
Nicolas Williams
6a0f45c4d7 Use __attribute__ ((__name__)) form
Protect against macros named noreturn and so on.
2017-03-13 18:39:41 -04:00
Nicolas Williams
0259f1c449 Fix CR comments on include/includedir 2017-03-10 17:33:12 -05:00
Roland C. Dowdeswell
a39bd42576 Remove #if 0'd code.
This is a slightly different fix than that proposed in Pull Request #151.
2017-03-09 14:12:39 -05:00
Nicolas Williams
fe43be8558 Add include/includedir directives for krb5.conf 2017-02-27 18:15:59 -06:00
Jeffrey Altman
ec39b832ff kdc: fix kx509 service principal match
Each KDC is a kx509 server.  The service principal must be of the
form

  kca_service/<localhost.domain>@<DEFAULT_REALM>

where localhost.domain is the hostname returned by gethostname()
and <DEFAULT_REALM> is one of the realms for which the KDC has a service
principal "kca_service/<localhost.domain>".

The matching code was broken by a5e77c578e
when krb5_sname_to_principal() began to always return a referral
principal.

Since the second component is a host name update the default principal
type for service "kca_service" to be KRB5_NT_SRV_HST.

Change-Id: I6bd5f90b674ebb7220d8efafa6d339fdc21e1a07
2017-01-27 00:37:08 -05:00
Nicolas Williams
3e65dfbc32 Fix make dist missing files (#228) 2016-12-15 12:15:56 -06:00
Viktor Dukhovni
3657f23a9e Fix more doxygen bitrot 2016-12-15 04:28:21 -05:00
Nicolas Williams
2ebec2e4ec Fix some Doxygen warnings 2016-12-14 22:05:46 -06:00
Nicolas Williams
bbaae5f43c Fix 32-bit time_t regression (#220) 2016-12-06 22:44:23 -06:00
Nicolas Williams
6e5bbbf65d Fix FAST client memleak 2016-12-06 22:44:23 -06:00
Nicolas Williams
e5126ab924 Fix warnings 2016-11-28 17:34:44 -06:00
Nicolas Williams
3ba12317a0 Misc fixes (coverity) 2016-11-28 15:09:55 -06:00
Nicolas Williams
f38089257b Misc fixes (coverity) 2016-11-20 17:43:51 -06:00
Nicolas Williams
6696920d9e Fix leak in krb5_rd_rep() callers 2016-11-20 17:43:51 -06:00
Nicolas Williams
52a562a3a4 Misc fixes (coverity) 2016-11-18 22:21:45 -06:00
Jeffrey Altman
69fbbfdfcb krb5: fix verify_conf syslog facility check
search for facility not severity

Change-Id: I79e9104d1fd27e8d11f7f9c6006676d947086ac5
2016-11-18 21:24:26 -05:00
Jeffrey Altman
5cf454ca54 krb5: _krb5_expand_path_tokens missing va_end()
when returning early due to memory allocation error must call va_end()

Change-Id: Icc42771c166453f67679334cea19ed9be692bd87
2016-11-18 21:12:36 -05:00
Jeffrey Altman
d07fe95b61 krb5: krb5_data_free() do not test before free()
Change-Id: I739eb0b227eb7885bb83b6e68eaf39db81b1ceb5
2016-11-18 20:43:19 -05:00
Nicolas Williams
7fa85e6d6d Round #3 of scan-build warnings cleanup 2016-11-16 23:27:27 -06:00
Nicolas Williams
1c81ddf4e2 Round #2 of scan-build warnings cleanup 2016-11-16 17:03:14 -06:00
Nicolas Williams
953dc07391 Round #1 of scan-build warnings cleanup 2016-11-15 21:27:20 -06:00
Jeffrey Altman
f561b55d38 krb5: windows tests require HEIMBASE
When building the lib/krb5 tests link against HEIMBASE in order to
make use of heim_abort() and friends.

Change-Id: Ifaf54177bbb14cddf0f3544add370cda158783d1
2016-11-15 00:33:55 -05:00
Jeffrey Altman
961f543a27 Set princ type to NT-SMTP-NAME when parsing
In krb5_parse_name_flags(), if the principal name is not an enterprise
name, is one component in length and contains an '@', set the principal
type to NT-SMTP-NAME as specified by RFC 4120.
2016-11-14 21:29:47 -06:00
Jeffrey Altman
6a1db3fb1c princ type NT-UNKNOWN + "host" == NT-SRV-HST
Treat principals of type NT-UNKNOWN as NT-SRV-HST if the first component
of the principal name is "host".

Change-Id: I28fb619379daac827436040e701d4ab7b279852b
2016-11-14 21:29:47 -06:00
Jeffrey Altman
09bdb3ab3e Set the right name type for anon princ (client)
In fast_wrap_req() set the correct type in KDC_REQ client principal
name.

Also fix ENOMEM handling.
2016-11-14 21:29:47 -06:00
Nicolas Williams
a59bb7132f When building a princ name pick a sane def type
This is part of the fix to #173.  MSFT RODCs insist on the name type for
krbtgt principals be set to KRB5_NT_SRV_INST.

Commentary from Jeffrey Altman <jaltman@secure-endpoints.com>

As reported by David Mulder of Dell's Quest, Active Directory will
return a BAD_INTEGRITY error when a request for a krbtgt service
ticket is received with principal type NT-PRINCIPAL instead of NT-SRV-INST
as required by RFC 4120.

[Nico: RFC4120 does not require this.  See the description of the
       name-type field of PrincipalName on page 55.]

  ERROR: VAS_ERR_KRB5: Failed to obtain credentials.
  Client: SLED10-32$@F.QAS,
  Service: SLED10-32$@F.QAS, Server: ad2-f.f.qas
  Caused by: KRB5KRB_AP_ERR_BAD_INTEGRITY (-1765328353): Decrypt integrity check failed

Microsoft began enforcing principal type checking for RODCs in 2008R2.
Microsoft does state that ALL krgtgt/REALM tickets SHOULD be sent using
principal name type of KRB5_NT_SRV_INST instead of KRB5_NT_PRINCIPAL.

From Microsoft:

  "I believe we discovered the problem. There isn't a bug in Windows.
  There's been a code change to address another issue which puts in additional
  checks for Kerberos tickets. The problem is with the Unix clients when the
  client request a TGT. The Unix clients are using Name-type Principal
  [KRB_NT_PRINCIPAL (1)] instead of using Name-type Service and Instance
  [KRB_NT_SRV_INST (2)]...."

This change assigns the NT-SRV-INST principal type each time a krbtgt
service principal is created.  Unlike Microsoft, the Heimdal mostly does
not care about the name-type of any principals, with the exception of
referrals, where the name type is needed to decide how to find a
next-hop realm.
2016-11-14 21:29:47 -06:00
Florian Best
7422cd1f6b Implement krb5_get_init_creds_opt_set_change_password_prompt() 2016-11-11 11:48:43 -06:00