parent
38927eed2b
commit
c5cd90b8a8
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,34 @@
|
|||||||
|
From 347079e258e6ded99d8dda162cafaf133b982ab9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
|
Date: Fri, 27 Oct 2023 00:44:53 -0400
|
||||||
|
Subject: [PATCH] End connection on KDC_ERR_SVC_UNAVAILABLE
|
||||||
|
|
||||||
|
In sendto_kdc.c:service_fds(), if a message handler indicates that a
|
||||||
|
message should be discarded, kill the connection so we don't continue
|
||||||
|
waiting on it for more data.
|
||||||
|
|
||||||
|
ticket: 7899
|
||||||
|
(cherry picked from commit ca80f64c786341d5871ae1de18142e62af64f7b9)
|
||||||
|
---
|
||||||
|
src/lib/krb5/os/sendto_kdc.c | 5 ++++-
|
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
|
||||||
|
index 0f4bf23a95..262edf09b4 100644
|
||||||
|
--- a/src/lib/krb5/os/sendto_kdc.c
|
||||||
|
+++ b/src/lib/krb5/os/sendto_kdc.c
|
||||||
|
@@ -1440,7 +1440,10 @@ service_fds(krb5_context context, struct select_state *selstate,
|
||||||
|
if (msg_handler != NULL) {
|
||||||
|
krb5_data reply = make_data(state->in.buf, state->in.pos);
|
||||||
|
|
||||||
|
- stop = (msg_handler(context, &reply, msg_handler_data) != 0);
|
||||||
|
+ if (!msg_handler(context, &reply, msg_handler_data)) {
|
||||||
|
+ kill_conn(context, state, selstate);
|
||||||
|
+ stop = 0;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
if (stop) {
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
@ -0,0 +1,226 @@
|
|||||||
|
From d71ebaef4619d6281551793c297caed7a025a909 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
|
Date: Thu, 26 Oct 2023 14:20:34 -0400
|
||||||
|
Subject: [PATCH] Add request_timeout configuration parameter
|
||||||
|
|
||||||
|
Add a parameter to limit the total amount of time taken for a KDC or
|
||||||
|
password change request.
|
||||||
|
|
||||||
|
ticket: 9106 (new)
|
||||||
|
(cherry picked from commit 802318cda963456b3ed7856c836e89da891483be)
|
||||||
|
---
|
||||||
|
doc/admin/conf_files/krb5_conf.rst | 9 ++++++
|
||||||
|
src/include/k5-int.h | 2 ++
|
||||||
|
src/lib/krb5/krb/init_ctx.c | 14 +++++++-
|
||||||
|
src/lib/krb5/os/sendto_kdc.c | 51 ++++++++++++++++++++----------
|
||||||
|
4 files changed, 58 insertions(+), 18 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||||
|
index a33711d918..65fb592d98 100644
|
||||||
|
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||||
|
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||||
|
@@ -356,6 +356,15 @@ The libdefaults section may contain any of the following relations:
|
||||||
|
(:ref:`duration` string.) Sets the default renewable lifetime
|
||||||
|
for initial ticket requests. The default value is 0.
|
||||||
|
|
||||||
|
+**request_timeout**
|
||||||
|
+ (:ref:`duration` string.) Sets the maximum total time for KDC or
|
||||||
|
+ password change requests. This timeout does not affect the
|
||||||
|
+ intervals between requests, so setting a low timeout may result in
|
||||||
|
+ fewer requests being attempted and/or some servers not being
|
||||||
|
+ contacted. A value of 0 indicates no specific maximum, in which
|
||||||
|
+ case requests will time out if no server responds after several
|
||||||
|
+ tries. The default value is 0. (New in release 1.22.)
|
||||||
|
+
|
||||||
|
**spake_preauth_groups**
|
||||||
|
A whitespace or comma-separated list of words which specifies the
|
||||||
|
groups allowed for SPAKE preauthentication. The possible values
|
||||||
|
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||||
|
index b3e07945c1..69d6a6f569 100644
|
||||||
|
--- a/src/include/k5-int.h
|
||||||
|
+++ b/src/include/k5-int.h
|
||||||
|
@@ -296,6 +296,7 @@ typedef unsigned char u_char;
|
||||||
|
#define KRB5_CONF_SPAKE_PREAUTH_INDICATOR "spake_preauth_indicator"
|
||||||
|
#define KRB5_CONF_SPAKE_PREAUTH_KDC_CHALLENGE "spake_preauth_kdc_challenge"
|
||||||
|
#define KRB5_CONF_SPAKE_PREAUTH_GROUPS "spake_preauth_groups"
|
||||||
|
+#define KRB5_CONF_REQUEST_TIMEOUT "request_timeout"
|
||||||
|
#define KRB5_CONF_TICKET_LIFETIME "ticket_lifetime"
|
||||||
|
#define KRB5_CONF_UDP_PREFERENCE_LIMIT "udp_preference_limit"
|
||||||
|
#define KRB5_CONF_UNLOCKITER "unlockiter"
|
||||||
|
@@ -1200,6 +1201,7 @@ struct _krb5_context {
|
||||||
|
kdb5_dal_handle *dal_handle;
|
||||||
|
/* allowable clock skew */
|
||||||
|
krb5_deltat clockskew;
|
||||||
|
+ krb5_deltat req_timeout;
|
||||||
|
krb5_flags kdc_default_options;
|
||||||
|
krb5_flags library_options;
|
||||||
|
krb5_boolean profile_secure;
|
||||||
|
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
|
||||||
|
index 2b5abcd817..582a2945ff 100644
|
||||||
|
--- a/src/lib/krb5/krb/init_ctx.c
|
||||||
|
+++ b/src/lib/krb5/krb/init_ctx.c
|
||||||
|
@@ -157,7 +157,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
|
||||||
|
krb5_context ctx = 0;
|
||||||
|
krb5_error_code retval;
|
||||||
|
int tmp;
|
||||||
|
- char *plugin_dir = NULL;
|
||||||
|
+ char *plugin_dir = NULL, *timeout_str = NULL;
|
||||||
|
|
||||||
|
/* Verify some assumptions. If the assumptions hold and the
|
||||||
|
compiler is optimizing, this should result in no code being
|
||||||
|
@@ -240,6 +240,17 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
|
||||||
|
get_integer(ctx, KRB5_CONF_CLOCKSKEW, DEFAULT_CLOCKSKEW, &tmp);
|
||||||
|
ctx->clockskew = tmp;
|
||||||
|
|
||||||
|
+ retval = profile_get_string(ctx->profile, KRB5_CONF_LIBDEFAULTS,
|
||||||
|
+ KRB5_CONF_REQUEST_TIMEOUT, NULL, NULL,
|
||||||
|
+ &timeout_str);
|
||||||
|
+ if (retval)
|
||||||
|
+ goto cleanup;
|
||||||
|
+ if (timeout_str != NULL) {
|
||||||
|
+ retval = krb5_string_to_deltat(timeout_str, &ctx->req_timeout);
|
||||||
|
+ if (retval)
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
get_integer(ctx, KRB5_CONF_KDC_DEFAULT_OPTIONS, KDC_OPT_RENEWABLE_OK,
|
||||||
|
&tmp);
|
||||||
|
ctx->kdc_default_options = tmp;
|
||||||
|
@@ -281,6 +292,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
profile_release_string(plugin_dir);
|
||||||
|
+ profile_release_string(timeout_str);
|
||||||
|
krb5_free_context(ctx);
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
|
||||||
|
index 262edf09b4..98247a1089 100644
|
||||||
|
--- a/src/lib/krb5/os/sendto_kdc.c
|
||||||
|
+++ b/src/lib/krb5/os/sendto_kdc.c
|
||||||
|
@@ -1395,34 +1395,41 @@ get_endtime(time_ms endtime, struct conn_state *conns)
|
||||||
|
|
||||||
|
static krb5_boolean
|
||||||
|
service_fds(krb5_context context, struct select_state *selstate,
|
||||||
|
- time_ms interval, struct conn_state *conns,
|
||||||
|
+ time_ms interval, time_ms timeout, struct conn_state *conns,
|
||||||
|
struct select_state *seltemp, const krb5_data *realm,
|
||||||
|
int (*msg_handler)(krb5_context, const krb5_data *, void *),
|
||||||
|
void *msg_handler_data, struct conn_state **winner_out)
|
||||||
|
{
|
||||||
|
int e, selret = 0;
|
||||||
|
- time_ms endtime;
|
||||||
|
+ time_ms curtime, interval_end, endtime;
|
||||||
|
struct conn_state *state;
|
||||||
|
|
||||||
|
*winner_out = NULL;
|
||||||
|
|
||||||
|
- e = get_curtime_ms(&endtime);
|
||||||
|
+ e = get_curtime_ms(&curtime);
|
||||||
|
if (e)
|
||||||
|
return TRUE;
|
||||||
|
- endtime += interval;
|
||||||
|
+ interval_end = curtime + interval;
|
||||||
|
|
||||||
|
e = 0;
|
||||||
|
while (selstate->nfds > 0) {
|
||||||
|
- e = cm_select_or_poll(selstate, get_endtime(endtime, conns),
|
||||||
|
- seltemp, &selret);
|
||||||
|
+ endtime = get_endtime(interval_end, conns);
|
||||||
|
+ /* Don't wait longer than the whole request should last. */
|
||||||
|
+ if (timeout && endtime > timeout)
|
||||||
|
+ endtime = timeout;
|
||||||
|
+ e = cm_select_or_poll(selstate, endtime, seltemp, &selret);
|
||||||
|
if (e == EINTR)
|
||||||
|
continue;
|
||||||
|
if (e != 0)
|
||||||
|
break;
|
||||||
|
|
||||||
|
- if (selret == 0)
|
||||||
|
- /* Timeout, return to caller. */
|
||||||
|
+ if (selret == 0) {
|
||||||
|
+ /* We timed out. Stop if we hit the overall request timeout. */
|
||||||
|
+ if (timeout && (get_curtime_ms(&curtime) || curtime >= timeout))
|
||||||
|
+ return TRUE;
|
||||||
|
+ /* Otherwise return to the caller to send the next request. */
|
||||||
|
return FALSE;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* Got something on a socket, process it. */
|
||||||
|
for (state = conns; state != NULL; state = state->next) {
|
||||||
|
@@ -1495,7 +1502,7 @@ k5_sendto(krb5_context context, const krb5_data *message,
|
||||||
|
void *msg_handler_data)
|
||||||
|
{
|
||||||
|
int pass;
|
||||||
|
- time_ms delay;
|
||||||
|
+ time_ms delay, timeout = 0;
|
||||||
|
krb5_error_code retval;
|
||||||
|
struct conn_state *conns = NULL, *state, **tailptr, *next, *winner;
|
||||||
|
size_t s;
|
||||||
|
@@ -1505,6 +1512,13 @@ k5_sendto(krb5_context context, const krb5_data *message,
|
||||||
|
|
||||||
|
*reply = empty_data();
|
||||||
|
|
||||||
|
+ if (context->req_timeout) {
|
||||||
|
+ retval = get_curtime_ms(&timeout);
|
||||||
|
+ if (retval)
|
||||||
|
+ return retval;
|
||||||
|
+ timeout += 1000 * context->req_timeout;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* One for use here, listing all our fds in use, and one for
|
||||||
|
* temporary use in service_fds, for the fds of interest. */
|
||||||
|
sel_state = malloc(2 * sizeof(*sel_state));
|
||||||
|
@@ -1532,8 +1546,9 @@ k5_sendto(krb5_context context, const krb5_data *message,
|
||||||
|
if (maybe_send(context, state, message, sel_state, realm,
|
||||||
|
callback_info))
|
||||||
|
continue;
|
||||||
|
- done = service_fds(context, sel_state, 1000, conns, seltemp,
|
||||||
|
- realm, msg_handler, msg_handler_data, &winner);
|
||||||
|
+ done = service_fds(context, sel_state, 1000, timeout, conns,
|
||||||
|
+ seltemp, realm, msg_handler, msg_handler_data,
|
||||||
|
+ &winner);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1545,13 +1560,13 @@ k5_sendto(krb5_context context, const krb5_data *message,
|
||||||
|
if (maybe_send(context, state, message, sel_state, realm,
|
||||||
|
callback_info))
|
||||||
|
continue;
|
||||||
|
- done = service_fds(context, sel_state, 1000, conns, seltemp,
|
||||||
|
+ done = service_fds(context, sel_state, 1000, timeout, conns, seltemp,
|
||||||
|
realm, msg_handler, msg_handler_data, &winner);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Wait for two seconds at the end of the first pass. */
|
||||||
|
if (!done) {
|
||||||
|
- done = service_fds(context, sel_state, 2000, conns, seltemp,
|
||||||
|
+ done = service_fds(context, sel_state, 2000, timeout, conns, seltemp,
|
||||||
|
realm, msg_handler, msg_handler_data, &winner);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1562,15 +1577,17 @@ k5_sendto(krb5_context context, const krb5_data *message,
|
||||||
|
if (maybe_send(context, state, message, sel_state, realm,
|
||||||
|
callback_info))
|
||||||
|
continue;
|
||||||
|
- done = service_fds(context, sel_state, 1000, conns, seltemp,
|
||||||
|
- realm, msg_handler, msg_handler_data, &winner);
|
||||||
|
+ done = service_fds(context, sel_state, 1000, timeout, conns,
|
||||||
|
+ seltemp, realm, msg_handler, msg_handler_data,
|
||||||
|
+ &winner);
|
||||||
|
if (sel_state->nfds == 0)
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
/* Wait for the delay backoff at the end of this pass. */
|
||||||
|
if (!done) {
|
||||||
|
- done = service_fds(context, sel_state, delay, conns, seltemp,
|
||||||
|
- realm, msg_handler, msg_handler_data, &winner);
|
||||||
|
+ done = service_fds(context, sel_state, delay, timeout, conns,
|
||||||
|
+ seltemp, realm, msg_handler, msg_handler_data,
|
||||||
|
+ &winner);
|
||||||
|
}
|
||||||
|
if (sel_state->nfds == 0)
|
||||||
|
break;
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
@ -0,0 +1,138 @@
|
|||||||
|
From 0bf66d2018db92c95d3bab54a62f6a3265ceb158 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
|
Date: Thu, 26 Oct 2023 16:26:42 -0400
|
||||||
|
Subject: [PATCH] Wait indefinitely on KDC TCP connections
|
||||||
|
|
||||||
|
When making a KDC or password change request, wait indefinitely
|
||||||
|
(limited only by request_timeout if set) once a KDC has accepted a TCP
|
||||||
|
connection.
|
||||||
|
|
||||||
|
ticket: 9105 (new)
|
||||||
|
(cherry picked from commit 6436a3808061da787a43c6810f5f0370cdfb6e36)
|
||||||
|
---
|
||||||
|
doc/admin/conf_files/krb5_conf.rst | 2 +-
|
||||||
|
src/lib/krb5/os/sendto_kdc.c | 50 ++++++++++++++++--------------
|
||||||
|
2 files changed, 27 insertions(+), 25 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||||
|
index 65fb592d98..b7284c47df 100644
|
||||||
|
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||||
|
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||||
|
@@ -357,7 +357,7 @@ The libdefaults section may contain any of the following relations:
|
||||||
|
for initial ticket requests. The default value is 0.
|
||||||
|
|
||||||
|
**request_timeout**
|
||||||
|
- (:ref:`duration` string.) Sets the maximum total time for KDC or
|
||||||
|
+ (:ref:`duration` string.) Sets the maximum total time for KDC and
|
||||||
|
password change requests. This timeout does not affect the
|
||||||
|
intervals between requests, so setting a low timeout may result in
|
||||||
|
fewer requests being attempted and/or some servers not being
|
||||||
|
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
|
||||||
|
index 98247a1089..924f5b2d26 100644
|
||||||
|
--- a/src/lib/krb5/os/sendto_kdc.c
|
||||||
|
+++ b/src/lib/krb5/os/sendto_kdc.c
|
||||||
|
@@ -134,7 +134,6 @@ struct conn_state {
|
||||||
|
krb5_data callback_buffer;
|
||||||
|
size_t server_index;
|
||||||
|
struct conn_state *next;
|
||||||
|
- time_ms endtime;
|
||||||
|
krb5_boolean defer;
|
||||||
|
struct {
|
||||||
|
const char *uri_path;
|
||||||
|
@@ -344,15 +343,19 @@ cm_select_or_poll(const struct select_state *in, time_ms endtime,
|
||||||
|
struct select_state *out, int *sret)
|
||||||
|
{
|
||||||
|
#ifndef USE_POLL
|
||||||
|
- struct timeval tv;
|
||||||
|
+ struct timeval tv, *tvp;
|
||||||
|
#endif
|
||||||
|
krb5_error_code retval;
|
||||||
|
time_ms curtime, interval;
|
||||||
|
|
||||||
|
- retval = get_curtime_ms(&curtime);
|
||||||
|
- if (retval != 0)
|
||||||
|
- return retval;
|
||||||
|
- interval = (curtime < endtime) ? endtime - curtime : 0;
|
||||||
|
+ if (endtime != 0) {
|
||||||
|
+ retval = get_curtime_ms(&curtime);
|
||||||
|
+ if (retval != 0)
|
||||||
|
+ return retval;
|
||||||
|
+ interval = (curtime < endtime) ? endtime - curtime : 0;
|
||||||
|
+ } else {
|
||||||
|
+ interval = -1;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* We don't need a separate copy of the selstate for poll, but use one for
|
||||||
|
* consistency with how we use select. */
|
||||||
|
@@ -361,9 +364,14 @@ cm_select_or_poll(const struct select_state *in, time_ms endtime,
|
||||||
|
#ifdef USE_POLL
|
||||||
|
*sret = poll(out->fds, out->nfds, interval);
|
||||||
|
#else
|
||||||
|
- tv.tv_sec = interval / 1000;
|
||||||
|
- tv.tv_usec = interval % 1000 * 1000;
|
||||||
|
- *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, &tv);
|
||||||
|
+ if (interval != -1) {
|
||||||
|
+ tv.tv_sec = interval / 1000;
|
||||||
|
+ tv.tv_usec = interval % 1000 * 1000;
|
||||||
|
+ tvp = &tv;
|
||||||
|
+ } else {
|
||||||
|
+ tvp = NULL;
|
||||||
|
+ }
|
||||||
|
+ *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, tvp);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return (*sret < 0) ? SOCKET_ERRNO : 0;
|
||||||
|
@@ -1099,11 +1107,6 @@ service_tcp_connect(krb5_context context, const krb5_data *realm,
|
||||||
|
}
|
||||||
|
|
||||||
|
conn->state = WRITING;
|
||||||
|
-
|
||||||
|
- /* Record this connection's timeout for service_fds. */
|
||||||
|
- if (get_curtime_ms(&conn->endtime) == 0)
|
||||||
|
- conn->endtime += 10000;
|
||||||
|
-
|
||||||
|
return conn->service_write(context, realm, conn, selstate);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1378,19 +1381,18 @@ kill_conn:
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
-/* Return the maximum of endtime and the endtime fields of all currently active
|
||||||
|
- * TCP connections. */
|
||||||
|
-static time_ms
|
||||||
|
-get_endtime(time_ms endtime, struct conn_state *conns)
|
||||||
|
+/* Return true if conns contains any states with connected TCP sockets. */
|
||||||
|
+static krb5_boolean
|
||||||
|
+any_tcp_connections(struct conn_state *conns)
|
||||||
|
{
|
||||||
|
struct conn_state *state;
|
||||||
|
|
||||||
|
for (state = conns; state != NULL; state = state->next) {
|
||||||
|
- if ((state->state == READING || state->state == WRITING) &&
|
||||||
|
- state->endtime > endtime)
|
||||||
|
- endtime = state->endtime;
|
||||||
|
+ if (state->addr.transport != UDP &&
|
||||||
|
+ (state->state == READING || state->state == WRITING))
|
||||||
|
+ return TRUE;
|
||||||
|
}
|
||||||
|
- return endtime;
|
||||||
|
+ return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
static krb5_boolean
|
||||||
|
@@ -1413,9 +1415,9 @@ service_fds(krb5_context context, struct select_state *selstate,
|
||||||
|
|
||||||
|
e = 0;
|
||||||
|
while (selstate->nfds > 0) {
|
||||||
|
- endtime = get_endtime(interval_end, conns);
|
||||||
|
+ endtime = any_tcp_connections(conns) ? 0 : interval_end;
|
||||||
|
/* Don't wait longer than the whole request should last. */
|
||||||
|
- if (timeout && endtime > timeout)
|
||||||
|
+ if (timeout && (!endtime || endtime > timeout))
|
||||||
|
endtime = timeout;
|
||||||
|
e = cm_select_or_poll(selstate, endtime, seltemp, &selret);
|
||||||
|
if (e == EINTR)
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
@ -0,0 +1,381 @@
|
|||||||
|
From 0cb2e6c09fee3863c16664bf180e773f662cd313 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Steffen=20Kie=C3=9F?=
|
||||||
|
<steffen.kiess@cis.iti.uni-stuttgart.de>
|
||||||
|
Date: Tue, 13 Feb 2024 18:39:27 +0100
|
||||||
|
Subject: [PATCH] Avoid strict-prototype compiler errors
|
||||||
|
|
||||||
|
Commit 4b9d7f7c107f01a61600fddcd8cde3812d0366a2 added the
|
||||||
|
-Werror=strict-prototypes parameter to the build process, but left
|
||||||
|
behind 28 function definitions using "()" instead of "(void)". Most
|
||||||
|
of these definitions could not cause compiler errors for various
|
||||||
|
reasons (such as an accompanying prototype), but a few could cause
|
||||||
|
errors in gcc depending on the build configuration.
|
||||||
|
|
||||||
|
For consistency and safety, add "(void)" to all 28 definitions.
|
||||||
|
|
||||||
|
[ghudson@mit.edu: rewrote commit message]
|
||||||
|
|
||||||
|
(cherry picked from commit 3ae9244cd021a75eba909d872a92c25db490714d)
|
||||||
|
---
|
||||||
|
src/clients/kcpytkt/kcpytkt.c | 2 +-
|
||||||
|
src/clients/kdeltkt/kdeltkt.c | 2 +-
|
||||||
|
src/clients/kinit/kinit.c | 4 ++--
|
||||||
|
src/clients/kinit/kinit_kdb.c | 2 +-
|
||||||
|
src/clients/klist/klist.c | 4 ++--
|
||||||
|
src/kadmin/cli/kadmin.c | 2 +-
|
||||||
|
src/kadmin/dbutil/kdb5_util.c | 4 ++--
|
||||||
|
src/kdc/main.c | 2 +-
|
||||||
|
src/kprop/kpropd.c | 4 ++--
|
||||||
|
src/lib/crypto/builtin/enc_provider/aes.c | 2 +-
|
||||||
|
src/lib/crypto/openssl/hmac.c | 2 +-
|
||||||
|
src/lib/krb5/ccache/t_memory.c | 4 ++--
|
||||||
|
src/lib/krb5/ccache/t_stdio.c | 4 ++--
|
||||||
|
src/plugins/kdb/db2/libdb2/btree/bt_debug.c | 2 +-
|
||||||
|
src/plugins/kdb/db2/libdb2/btree/bt_open.c | 4 ++--
|
||||||
|
src/plugins/kdb/db2/libdb2/hash/dbm.c | 2 +-
|
||||||
|
src/plugins/kdb/db2/libdb2/test/btree.tests/main.c | 2 +-
|
||||||
|
src/plugins/kdb/db2/libdb2/test/dbtest.c | 2 +-
|
||||||
|
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 2 +-
|
||||||
|
src/plugins/tls/k5tls/openssl.c | 2 +-
|
||||||
|
src/tests/asn.1/make-vectors.c | 2 +-
|
||||||
|
21 files changed, 28 insertions(+), 28 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/clients/kcpytkt/kcpytkt.c b/src/clients/kcpytkt/kcpytkt.c
|
||||||
|
index 0b8802261e..f1d50e5de0 100644
|
||||||
|
--- a/src/clients/kcpytkt/kcpytkt.c
|
||||||
|
+++ b/src/clients/kcpytkt/kcpytkt.c
|
||||||
|
@@ -10,7 +10,7 @@ static char *prog;
|
||||||
|
static int quiet = 0;
|
||||||
|
|
||||||
|
static void
|
||||||
|
-xusage()
|
||||||
|
+xusage(void)
|
||||||
|
{
|
||||||
|
fprintf(stderr, "xusage: %s [-c from_ccache] [-e etype] [-f flags] "
|
||||||
|
"dest_ccache service1 service2 ...\n", prog);
|
||||||
|
diff --git a/src/clients/kdeltkt/kdeltkt.c b/src/clients/kdeltkt/kdeltkt.c
|
||||||
|
index cd0bf637db..66a32a8bd3 100644
|
||||||
|
--- a/src/clients/kdeltkt/kdeltkt.c
|
||||||
|
+++ b/src/clients/kdeltkt/kdeltkt.c
|
||||||
|
@@ -10,7 +10,7 @@ static char *prog;
|
||||||
|
static int quiet = 0;
|
||||||
|
|
||||||
|
static void
|
||||||
|
-xusage()
|
||||||
|
+xusage(void)
|
||||||
|
{
|
||||||
|
fprintf(stderr, "xusage: %s [-c ccache] [-e etype] [-f flags] service1 "
|
||||||
|
"service2 ...\n", prog);
|
||||||
|
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
|
||||||
|
index 7a33ffae59..b27b723f2d 100644
|
||||||
|
--- a/src/clients/kinit/kinit.c
|
||||||
|
+++ b/src/clients/kinit/kinit.c
|
||||||
|
@@ -55,7 +55,7 @@ get_name_from_os(void)
|
||||||
|
#else /* HAVE_PWD_H */
|
||||||
|
#ifdef _WIN32
|
||||||
|
static char *
|
||||||
|
-get_name_from_os()
|
||||||
|
+get_name_from_os(void)
|
||||||
|
{
|
||||||
|
static char name[1024];
|
||||||
|
DWORD name_size = sizeof(name);
|
||||||
|
@@ -69,7 +69,7 @@ get_name_from_os()
|
||||||
|
}
|
||||||
|
#else /* _WIN32 */
|
||||||
|
static char *
|
||||||
|
-get_name_from_os()
|
||||||
|
+get_name_from_os(void)
|
||||||
|
{
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
diff --git a/src/clients/kinit/kinit_kdb.c b/src/clients/kinit/kinit_kdb.c
|
||||||
|
index fbd174bf0c..4e7cd50169 100644
|
||||||
|
--- a/src/clients/kinit/kinit_kdb.c
|
||||||
|
+++ b/src/clients/kinit/kinit_kdb.c
|
||||||
|
@@ -69,7 +69,7 @@ kinit_kdb_init(krb5_context *pcontext, char *realm)
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
-kinit_kdb_fini()
|
||||||
|
+kinit_kdb_fini(void)
|
||||||
|
{
|
||||||
|
kadm5_destroy(server_handle);
|
||||||
|
}
|
||||||
|
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
|
||||||
|
index c797b1698f..27cf0ee11b 100644
|
||||||
|
--- a/src/clients/klist/klist.c
|
||||||
|
+++ b/src/clients/klist/klist.c
|
||||||
|
@@ -359,7 +359,7 @@ do_keytab(const char *name)
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
-list_all_ccaches()
|
||||||
|
+list_all_ccaches(void)
|
||||||
|
{
|
||||||
|
krb5_error_code ret;
|
||||||
|
krb5_ccache cache;
|
||||||
|
@@ -451,7 +451,7 @@ show_all_ccaches(void)
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
-do_ccache()
|
||||||
|
+do_ccache(void)
|
||||||
|
{
|
||||||
|
krb5_error_code ret;
|
||||||
|
krb5_ccache cache;
|
||||||
|
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
|
||||||
|
index 23b64b0f58..c1256f7708 100644
|
||||||
|
--- a/src/kadmin/cli/kadmin.c
|
||||||
|
+++ b/src/kadmin/cli/kadmin.c
|
||||||
|
@@ -607,7 +607,7 @@ kadmin_startup(int argc, char *argv[], char **request_out, char ***args_out)
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
-quit()
|
||||||
|
+quit(void)
|
||||||
|
{
|
||||||
|
kadm5_ret_t retval;
|
||||||
|
|
||||||
|
diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
|
||||||
|
index 55d529fa4c..b9b61e3f91 100644
|
||||||
|
--- a/src/kadmin/dbutil/kdb5_util.c
|
||||||
|
+++ b/src/kadmin/dbutil/kdb5_util.c
|
||||||
|
@@ -367,7 +367,7 @@ main(int argc, char *argv[])
|
||||||
|
* program is run).
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
-open_db_and_mkey()
|
||||||
|
+open_db_and_mkey(void)
|
||||||
|
{
|
||||||
|
krb5_error_code retval;
|
||||||
|
krb5_data scratch, pwd, seed;
|
||||||
|
@@ -489,7 +489,7 @@ open_db_and_mkey()
|
||||||
|
#endif
|
||||||
|
|
||||||
|
int
|
||||||
|
-quit()
|
||||||
|
+quit(void)
|
||||||
|
{
|
||||||
|
krb5_error_code retval;
|
||||||
|
static krb5_boolean finished = 0;
|
||||||
|
diff --git a/src/kdc/main.c b/src/kdc/main.c
|
||||||
|
index b43fe9a082..2dfad5673f 100644
|
||||||
|
--- a/src/kdc/main.c
|
||||||
|
+++ b/src/kdc/main.c
|
||||||
|
@@ -854,7 +854,7 @@ write_pid_file(const char *path)
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
-finish_realms()
|
||||||
|
+finish_realms(void)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
|
||||||
|
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
|
||||||
|
index f883ae2df8..fbb8e37ae9 100644
|
||||||
|
--- a/src/kprop/kpropd.c
|
||||||
|
+++ b/src/kprop/kpropd.c
|
||||||
|
@@ -376,7 +376,7 @@ get_wildcard_addr(struct addrinfo **res)
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
-do_standalone()
|
||||||
|
+do_standalone(void)
|
||||||
|
{
|
||||||
|
struct sockaddr_in frominet;
|
||||||
|
struct addrinfo *res;
|
||||||
|
@@ -639,7 +639,7 @@ full_resync(CLIENT *clnt)
|
||||||
|
* Returns non-zero on failure due to errors.
|
||||||
|
*/
|
||||||
|
krb5_error_code
|
||||||
|
-do_iprop()
|
||||||
|
+do_iprop(void)
|
||||||
|
{
|
||||||
|
kadm5_ret_t retval;
|
||||||
|
krb5_principal iprop_svc_principal = NULL;
|
||||||
|
diff --git a/src/lib/crypto/builtin/enc_provider/aes.c b/src/lib/crypto/builtin/enc_provider/aes.c
|
||||||
|
index 7fa9449797..39e2a84005 100644
|
||||||
|
--- a/src/lib/crypto/builtin/enc_provider/aes.c
|
||||||
|
+++ b/src/lib/crypto/builtin/enc_provider/aes.c
|
||||||
|
@@ -69,7 +69,7 @@ void k5_iEnc256_CBC(struct aes_data *data);
|
||||||
|
void k5_iDec256_CBC(struct aes_data *data);
|
||||||
|
|
||||||
|
static krb5_boolean
|
||||||
|
-aesni_supported_by_cpu()
|
||||||
|
+aesni_supported_by_cpu(void)
|
||||||
|
{
|
||||||
|
unsigned int a, b, c, d;
|
||||||
|
|
||||||
|
diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
|
||||||
|
index 25a419d73a..32dec3022e 100644
|
||||||
|
--- a/src/lib/crypto/openssl/hmac.c
|
||||||
|
+++ b/src/lib/crypto/openssl/hmac.c
|
||||||
|
@@ -71,7 +71,7 @@
|
||||||
|
|
||||||
|
#define HMAC_CTX_new compat_hmac_ctx_new
|
||||||
|
static HMAC_CTX *
|
||||||
|
-compat_hmac_ctx_new()
|
||||||
|
+compat_hmac_ctx_new(void)
|
||||||
|
{
|
||||||
|
HMAC_CTX *ctx;
|
||||||
|
|
||||||
|
diff --git a/src/lib/krb5/ccache/t_memory.c b/src/lib/krb5/ccache/t_memory.c
|
||||||
|
index 6d103a00d1..0f94e823cb 100644
|
||||||
|
--- a/src/lib/krb5/ccache/t_memory.c
|
||||||
|
+++ b/src/lib/krb5/ccache/t_memory.c
|
||||||
|
@@ -85,7 +85,7 @@ krb5_creds test_creds = {
|
||||||
|
};
|
||||||
|
|
||||||
|
void
|
||||||
|
-init_test_cred()
|
||||||
|
+init_test_cred(void)
|
||||||
|
{
|
||||||
|
test_creds.client = (krb5_principal) malloc(sizeof(krb5_data *)*3);
|
||||||
|
test_creds.client[0] = &client1;
|
||||||
|
@@ -104,7 +104,7 @@ init_test_cred()
|
||||||
|
};
|
||||||
|
|
||||||
|
void
|
||||||
|
-mcc_test()
|
||||||
|
+mcc_test(void)
|
||||||
|
{
|
||||||
|
krb5_ccache id;
|
||||||
|
krb5_creds creds;
|
||||||
|
diff --git a/src/lib/krb5/ccache/t_stdio.c b/src/lib/krb5/ccache/t_stdio.c
|
||||||
|
index 15185e301c..06a9c2dea1 100644
|
||||||
|
--- a/src/lib/krb5/ccache/t_stdio.c
|
||||||
|
+++ b/src/lib/krb5/ccache/t_stdio.c
|
||||||
|
@@ -98,7 +98,7 @@ krb5_creds test_creds = {
|
||||||
|
};
|
||||||
|
|
||||||
|
void
|
||||||
|
-init_test_cred()
|
||||||
|
+init_test_cred(void)
|
||||||
|
{
|
||||||
|
test_creds.client = (krb5_principal) malloc(sizeof(krb5_data *)*3);
|
||||||
|
test_creds.client[0] = &client1;
|
||||||
|
@@ -118,7 +118,7 @@ init_test_cred()
|
||||||
|
|
||||||
|
int flags = 0;
|
||||||
|
void
|
||||||
|
-scc_test()
|
||||||
|
+scc_test(void)
|
||||||
|
{
|
||||||
|
krb5_ccache id;
|
||||||
|
krb5_creds creds;
|
||||||
|
diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_debug.c b/src/plugins/kdb/db2/libdb2/btree/bt_debug.c
|
||||||
|
index bc71076a35..5a955e09be 100644
|
||||||
|
--- a/src/plugins/kdb/db2/libdb2/btree/bt_debug.c
|
||||||
|
+++ b/src/plugins/kdb/db2/libdb2/btree/bt_debug.c
|
||||||
|
@@ -56,7 +56,7 @@ static FILE *tracefp;
|
||||||
|
* initialize debugging.
|
||||||
|
*/
|
||||||
|
static void
|
||||||
|
-__bt_dinit()
|
||||||
|
+__bt_dinit(void)
|
||||||
|
{
|
||||||
|
static int first = 1;
|
||||||
|
|
||||||
|
diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||||
|
index a2910422eb..ef7515c3d4 100644
|
||||||
|
--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||||
|
+++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||||
|
@@ -391,7 +391,7 @@ nroot(BTREE *t)
|
||||||
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
-tmp()
|
||||||
|
+tmp(void)
|
||||||
|
{
|
||||||
|
#ifdef SIG_BLOCK
|
||||||
|
sigset_t set, oset;
|
||||||
|
@@ -438,7 +438,7 @@ tmp()
|
||||||
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
-byteorder()
|
||||||
|
+byteorder(void)
|
||||||
|
{
|
||||||
|
u_int32_t x;
|
||||||
|
u_char *p;
|
||||||
|
diff --git a/src/plugins/kdb/db2/libdb2/hash/dbm.c b/src/plugins/kdb/db2/libdb2/hash/dbm.c
|
||||||
|
index 2dca256dc3..e643634433 100644
|
||||||
|
--- a/src/plugins/kdb/db2/libdb2/hash/dbm.c
|
||||||
|
+++ b/src/plugins/kdb/db2/libdb2/hash/dbm.c
|
||||||
|
@@ -143,7 +143,7 @@ kdb2_store(datum key, datum dat)
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
-no_open_db()
|
||||||
|
+no_open_db(void)
|
||||||
|
{
|
||||||
|
(void)fprintf(stderr, "dbm: no open database.\n");
|
||||||
|
}
|
||||||
|
diff --git a/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c b/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c
|
||||||
|
index 088f903231..eec843d4db 100644
|
||||||
|
--- a/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c
|
||||||
|
+++ b/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c
|
||||||
|
@@ -908,7 +908,7 @@ keydata(key, data)
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
-usage()
|
||||||
|
+usage(void)
|
||||||
|
{
|
||||||
|
(void)fprintf(stderr,
|
||||||
|
"usage: %s [-bdluw] [-c cache] [-i file] [-p page] [file]\n",
|
||||||
|
diff --git a/src/plugins/kdb/db2/libdb2/test/dbtest.c b/src/plugins/kdb/db2/libdb2/test/dbtest.c
|
||||||
|
index 04bf34b90d..a2866b4412 100644
|
||||||
|
--- a/src/plugins/kdb/db2/libdb2/test/dbtest.c
|
||||||
|
+++ b/src/plugins/kdb/db2/libdb2/test/dbtest.c
|
||||||
|
@@ -792,7 +792,7 @@ xmalloc(char *text, size_t len)
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
-usage()
|
||||||
|
+usage(void)
|
||||||
|
{
|
||||||
|
(void)fprintf(stderr,
|
||||||
|
"usage: dbtest [-l] [-f file] [-i info] [-o file] type script\n");
|
||||||
|
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||||
|
index 6d96499d77..af3fa9ee8b 100644
|
||||||
|
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||||
|
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||||
|
@@ -3090,7 +3090,7 @@ cleanup:
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
-pkinit_openssl_init()
|
||||||
|
+pkinit_openssl_init(void)
|
||||||
|
{
|
||||||
|
/* Initialize OpenSSL. */
|
||||||
|
ERR_load_crypto_strings();
|
||||||
|
diff --git a/src/plugins/tls/k5tls/openssl.c b/src/plugins/tls/k5tls/openssl.c
|
||||||
|
index 99fda7ffcd..aab67c01cb 100644
|
||||||
|
--- a/src/plugins/tls/k5tls/openssl.c
|
||||||
|
+++ b/src/plugins/tls/k5tls/openssl.c
|
||||||
|
@@ -49,7 +49,7 @@ static int ex_handle_id = -1;
|
||||||
|
MAKE_INIT_FUNCTION(init_openssl);
|
||||||
|
|
||||||
|
int
|
||||||
|
-init_openssl()
|
||||||
|
+init_openssl(void)
|
||||||
|
{
|
||||||
|
SSL_library_init();
|
||||||
|
SSL_load_error_strings();
|
||||||
|
diff --git a/src/tests/asn.1/make-vectors.c b/src/tests/asn.1/make-vectors.c
|
||||||
|
index 2fc85466bb..6f2b7dd021 100644
|
||||||
|
--- a/src/tests/asn.1/make-vectors.c
|
||||||
|
+++ b/src/tests/asn.1/make-vectors.c
|
||||||
|
@@ -224,7 +224,7 @@ printbuf(void)
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
-main()
|
||||||
|
+main(void)
|
||||||
|
{
|
||||||
|
/* Initialize values which can't use static initializers. */
|
||||||
|
asn_long2INTEGER(&otp_format, 2); /* Alphanumeric */
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
@ -0,0 +1,42 @@
|
|||||||
|
From f54763bc90df9c76c69ee9a837cf856bcf93e633 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
|
Date: Tue, 5 Mar 2024 17:38:49 -0500
|
||||||
|
Subject: [PATCH] Fix leak in KDC NDR encoding
|
||||||
|
|
||||||
|
If the KDC tries to encode a principal containing encode invalid UTF-8
|
||||||
|
sequences for inclusion in a PAC delegation info buffer, it will leak
|
||||||
|
a small amount of memory in enc_wchar_pointer() before failing. Fix
|
||||||
|
the leak.
|
||||||
|
|
||||||
|
ticket: 9115 (new)
|
||||||
|
tags: pullup
|
||||||
|
target_version: 1.21-next
|
||||||
|
|
||||||
|
(cherry picked from commit 7d0d85bf99caf60c0afd4dcf91b0c4c683b983fe)
|
||||||
|
---
|
||||||
|
src/kdc/ndr.c | 3 +--
|
||||||
|
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/kdc/ndr.c b/src/kdc/ndr.c
|
||||||
|
index 48395abe52..d438408ee2 100644
|
||||||
|
--- a/src/kdc/ndr.c
|
||||||
|
+++ b/src/kdc/ndr.c
|
||||||
|
@@ -96,14 +96,13 @@ enc_wchar_pointer(const char *utf8, struct encoded_wchars *encoded_out)
|
||||||
|
size_t utf16len, num_wchars;
|
||||||
|
uint8_t *utf16;
|
||||||
|
|
||||||
|
- k5_buf_init_dynamic(&b);
|
||||||
|
-
|
||||||
|
ret = k5_utf8_to_utf16le(utf8, &utf16, &utf16len);
|
||||||
|
if (ret)
|
||||||
|
return ret;
|
||||||
|
|
||||||
|
num_wchars = utf16len / 2;
|
||||||
|
|
||||||
|
+ k5_buf_init_dynamic(&b);
|
||||||
|
k5_buf_add_uint32_le(&b, num_wchars + 1);
|
||||||
|
k5_buf_add_uint32_le(&b, 0);
|
||||||
|
k5_buf_add_uint32_le(&b, num_wchars);
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
@ -0,0 +1,206 @@
|
|||||||
|
From d230c72573430803c569817a71b79be8656fa6c5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
|
Date: Tue, 5 Mar 2024 19:53:07 -0500
|
||||||
|
Subject: [PATCH] Fix two unlikely memory leaks
|
||||||
|
|
||||||
|
In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which
|
||||||
|
could probably never be triggered) leaks plain.data. Fix this leak
|
||||||
|
and use current practices for cleanup throughout the function.
|
||||||
|
|
||||||
|
In xmt_rmtcallres() (unused within the tree and likely elsewhere),
|
||||||
|
store port_ptr into crp->port_ptr as soon as it is allocated;
|
||||||
|
otherwise it could leak if the subsequent xdr_u_int32() operation
|
||||||
|
fails.
|
||||||
|
|
||||||
|
(cherry picked from commit c5f9c816107f70139de11b38aa02db2f1774ee0d)
|
||||||
|
---
|
||||||
|
src/lib/gssapi/krb5/k5sealv3.c | 56 +++++++++++++++-------------------
|
||||||
|
src/lib/rpc/pmap_rmt.c | 10 +++---
|
||||||
|
2 files changed, 29 insertions(+), 37 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
|
||||||
|
index 3b4f8cb837..e881eee835 100644
|
||||||
|
--- a/src/lib/gssapi/krb5/k5sealv3.c
|
||||||
|
+++ b/src/lib/gssapi/krb5/k5sealv3.c
|
||||||
|
@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||||
|
int conf_req_flag, int toktype)
|
||||||
|
{
|
||||||
|
size_t bufsize = 16;
|
||||||
|
- unsigned char *outbuf = 0;
|
||||||
|
+ unsigned char *outbuf = NULL;
|
||||||
|
krb5_error_code err;
|
||||||
|
int key_usage;
|
||||||
|
unsigned char acceptor_flag;
|
||||||
|
@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||||
|
#endif
|
||||||
|
size_t ec;
|
||||||
|
unsigned short tok_id;
|
||||||
|
- krb5_checksum sum;
|
||||||
|
+ krb5_checksum sum = { 0 };
|
||||||
|
krb5_key key;
|
||||||
|
krb5_cksumtype cksumtype;
|
||||||
|
+ krb5_data plain = empty_data();
|
||||||
|
+
|
||||||
|
+ token->value = NULL;
|
||||||
|
+ token->length = 0;
|
||||||
|
|
||||||
|
acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
|
||||||
|
key_usage = (toktype == KG_TOK_WRAP_MSG
|
||||||
|
@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
|
||||||
|
- krb5_data plain;
|
||||||
|
krb5_enc_data cipher;
|
||||||
|
size_t ec_max;
|
||||||
|
size_t encrypt_size;
|
||||||
|
|
||||||
|
/* 300: Adds some slop. */
|
||||||
|
- if (SIZE_MAX - 300 < message->length)
|
||||||
|
- return ENOMEM;
|
||||||
|
+ if (SIZE_MAX - 300 < message->length) {
|
||||||
|
+ err = ENOMEM;
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
ec_max = SIZE_MAX - message->length - 300;
|
||||||
|
if (ec_max > 0xffff)
|
||||||
|
ec_max = 0xffff;
|
||||||
|
@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||||
|
#endif
|
||||||
|
err = alloc_data(&plain, message->length + 16 + ec);
|
||||||
|
if (err)
|
||||||
|
- return err;
|
||||||
|
+ goto cleanup;
|
||||||
|
|
||||||
|
/* Get size of ciphertext. */
|
||||||
|
encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype);
|
||||||
|
if (encrypt_size > SIZE_MAX / 2) {
|
||||||
|
err = ENOMEM;
|
||||||
|
- goto error;
|
||||||
|
+ goto cleanup;
|
||||||
|
}
|
||||||
|
bufsize = 16 + encrypt_size;
|
||||||
|
/* Allocate space for header plus encrypted data. */
|
||||||
|
outbuf = gssalloc_malloc(bufsize);
|
||||||
|
if (outbuf == NULL) {
|
||||||
|
- free(plain.data);
|
||||||
|
- return ENOMEM;
|
||||||
|
+ err = ENOMEM;
|
||||||
|
+ goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* TOK_ID */
|
||||||
|
@@ -164,11 +169,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||||
|
cipher.ciphertext.length = bufsize - 16;
|
||||||
|
cipher.enctype = key->keyblock.enctype;
|
||||||
|
err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
|
||||||
|
- zap(plain.data, plain.length);
|
||||||
|
- free(plain.data);
|
||||||
|
- plain.data = 0;
|
||||||
|
if (err)
|
||||||
|
- goto error;
|
||||||
|
+ goto cleanup;
|
||||||
|
|
||||||
|
/* Now that we know we're returning a valid token.... */
|
||||||
|
ctx->seq_send++;
|
||||||
|
@@ -181,7 +183,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||||
|
/* If the rotate fails, don't worry about it. */
|
||||||
|
#endif
|
||||||
|
} else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
|
||||||
|
- krb5_data plain;
|
||||||
|
size_t cksumsize;
|
||||||
|
|
||||||
|
/* Here, message is the application-supplied data; message2 is
|
||||||
|
@@ -193,21 +194,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||||
|
wrap_with_checksum:
|
||||||
|
err = alloc_data(&plain, message->length + 16);
|
||||||
|
if (err)
|
||||||
|
- return err;
|
||||||
|
+ goto cleanup;
|
||||||
|
|
||||||
|
err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
|
||||||
|
if (err)
|
||||||
|
- goto error;
|
||||||
|
+ goto cleanup;
|
||||||
|
|
||||||
|
assert(cksumsize <= 0xffff);
|
||||||
|
|
||||||
|
bufsize = 16 + message2->length + cksumsize;
|
||||||
|
outbuf = gssalloc_malloc(bufsize);
|
||||||
|
if (outbuf == NULL) {
|
||||||
|
- free(plain.data);
|
||||||
|
- plain.data = 0;
|
||||||
|
err = ENOMEM;
|
||||||
|
- goto error;
|
||||||
|
+ goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* TOK_ID */
|
||||||
|
@@ -239,23 +238,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||||
|
if (message2->length)
|
||||||
|
memcpy(outbuf + 16, message2->value, message2->length);
|
||||||
|
|
||||||
|
- sum.contents = outbuf + 16 + message2->length;
|
||||||
|
- sum.length = cksumsize;
|
||||||
|
-
|
||||||
|
err = krb5_k_make_checksum(context, cksumtype, key,
|
||||||
|
key_usage, &plain, &sum);
|
||||||
|
- zap(plain.data, plain.length);
|
||||||
|
- free(plain.data);
|
||||||
|
- plain.data = 0;
|
||||||
|
if (err) {
|
||||||
|
zap(outbuf,bufsize);
|
||||||
|
- goto error;
|
||||||
|
+ goto cleanup;
|
||||||
|
}
|
||||||
|
if (sum.length != cksumsize)
|
||||||
|
abort();
|
||||||
|
memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
|
||||||
|
- krb5_free_checksum_contents(context, &sum);
|
||||||
|
- sum.contents = 0;
|
||||||
|
/* Now that we know we're actually generating the token... */
|
||||||
|
ctx->seq_send++;
|
||||||
|
|
||||||
|
@@ -285,12 +276,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
|
||||||
|
|
||||||
|
token->value = outbuf;
|
||||||
|
token->length = bufsize;
|
||||||
|
- return 0;
|
||||||
|
+ outbuf = NULL;
|
||||||
|
+ err = 0;
|
||||||
|
|
||||||
|
-error:
|
||||||
|
+cleanup:
|
||||||
|
+ krb5_free_checksum_contents(context, &sum);
|
||||||
|
+ zapfree(plain.data, plain.length);
|
||||||
|
gssalloc_free(outbuf);
|
||||||
|
- token->value = NULL;
|
||||||
|
- token->length = 0;
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
|
||||||
|
index 434e4eea65..f55ca46c60 100644
|
||||||
|
--- a/src/lib/rpc/pmap_rmt.c
|
||||||
|
+++ b/src/lib/rpc/pmap_rmt.c
|
||||||
|
@@ -161,12 +161,12 @@ xdr_rmtcallres(
|
||||||
|
caddr_t port_ptr;
|
||||||
|
|
||||||
|
port_ptr = (caddr_t)(void *)crp->port_ptr;
|
||||||
|
- if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
|
||||||
|
- (xdrproc_t)xdr_u_int32) &&
|
||||||
|
- xdr_u_int32(xdrs, &crp->resultslen)) {
|
||||||
|
- crp->port_ptr = (uint32_t *)(void *)port_ptr;
|
||||||
|
+ if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
|
||||||
|
+ (xdrproc_t)xdr_u_int32))
|
||||||
|
+ return (FALSE);
|
||||||
|
+ crp->port_ptr = (uint32_t *)(void *)port_ptr;
|
||||||
|
+ if (xdr_u_int32(xdrs, &crp->resultslen))
|
||||||
|
return ((*(crp->xdr_results))(xdrs, crp->results_ptr));
|
||||||
|
- }
|
||||||
|
return (FALSE);
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,175 @@
|
|||||||
|
From 5464ad5b64f7ce7c3d78082352189af7c8feb95f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Rische <jrische@redhat.com>
|
||||||
|
Date: Fri, 6 Sep 2024 17:18:11 +0200
|
||||||
|
Subject: [PATCH] Fix various issues detected by static analysis
|
||||||
|
|
||||||
|
(cherry picked from commit 53d352949941ee236461658d01f03c37abafc6f6)
|
||||||
|
---
|
||||||
|
src/clients/klist/klist.c | 13 +++++++------
|
||||||
|
src/kadmin/dbutil/dump.c | 5 +++++
|
||||||
|
src/kdc/ndr.c | 2 +-
|
||||||
|
src/lib/kdb/decrypt_key.c | 2 +-
|
||||||
|
src/lib/rpc/svc_auth_gss.c | 5 ++++-
|
||||||
|
src/lib/rpc/svc_udp.c | 13 +++++++------
|
||||||
|
src/util/support/threads.c | 2 --
|
||||||
|
7 files changed, 25 insertions(+), 17 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
|
||||||
|
index 27cf0ee11b..9db66f6072 100644
|
||||||
|
--- a/src/clients/klist/klist.c
|
||||||
|
+++ b/src/clients/klist/klist.c
|
||||||
|
@@ -666,7 +666,7 @@ show_credential(krb5_creds *cred)
|
||||||
|
krb5_error_code ret;
|
||||||
|
krb5_ticket *tkt = NULL;
|
||||||
|
char *name = NULL, *sname = NULL, *tktsname, *flags;
|
||||||
|
- int extra_field = 0, ccol = 0, i;
|
||||||
|
+ int extra_field = 0, ccol = 0, i, r;
|
||||||
|
krb5_boolean is_config = krb5_is_config_principal(context, cred->server);
|
||||||
|
|
||||||
|
ret = krb5_unparse_name(context, cred->client, &name);
|
||||||
|
@@ -696,11 +696,12 @@ show_credential(krb5_creds *cred)
|
||||||
|
fputs("config: ", stdout);
|
||||||
|
ccol = 8;
|
||||||
|
for (i = 1; i < cred->server->length; i++) {
|
||||||
|
- ccol += printf("%s%.*s%s",
|
||||||
|
- i > 1 ? "(" : "",
|
||||||
|
- (int)cred->server->data[i].length,
|
||||||
|
- cred->server->data[i].data,
|
||||||
|
- i > 1 ? ")" : "");
|
||||||
|
+ r = printf("%s%.*s%s", i > 1 ? "(" : "",
|
||||||
|
+ (int)cred->server->data[i].length,
|
||||||
|
+ cred->server->data[i].data,
|
||||||
|
+ i > 1 ? ")" : "");
|
||||||
|
+ if (r >= 0)
|
||||||
|
+ ccol += r;
|
||||||
|
}
|
||||||
|
fputs(" = ", stdout);
|
||||||
|
ccol += 3;
|
||||||
|
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
|
||||||
|
index 4d6cc0bdf9..feb053d834 100644
|
||||||
|
--- a/src/kadmin/dbutil/dump.c
|
||||||
|
+++ b/src/kadmin/dbutil/dump.c
|
||||||
|
@@ -704,6 +704,11 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
|
||||||
|
|
||||||
|
dbentry->len = u1;
|
||||||
|
dbentry->n_key_data = u4;
|
||||||
|
+
|
||||||
|
+ if (u5 > UINT16_MAX) {
|
||||||
|
+ load_err(fname, *linenop, _("invalid principal extra data size"));
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
dbentry->e_length = u5;
|
||||||
|
|
||||||
|
if (kp != NULL) {
|
||||||
|
diff --git a/src/kdc/ndr.c b/src/kdc/ndr.c
|
||||||
|
index d438408ee2..38be9fe42a 100644
|
||||||
|
--- a/src/kdc/ndr.c
|
||||||
|
+++ b/src/kdc/ndr.c
|
||||||
|
@@ -242,7 +242,7 @@ ndr_enc_delegation_info(struct pac_s4u_delegation_info *in, krb5_data *out)
|
||||||
|
{
|
||||||
|
krb5_error_code ret;
|
||||||
|
size_t i;
|
||||||
|
- struct k5buf b;
|
||||||
|
+ struct k5buf b = EMPTY_K5BUF;
|
||||||
|
struct encoded_wchars pt_encoded = { 0 }, *tss_encoded = NULL;
|
||||||
|
uint32_t pointer = 0;
|
||||||
|
|
||||||
|
diff --git a/src/lib/kdb/decrypt_key.c b/src/lib/kdb/decrypt_key.c
|
||||||
|
index 82bbed6312..c971793c9d 100644
|
||||||
|
--- a/src/lib/kdb/decrypt_key.c
|
||||||
|
+++ b/src/lib/kdb/decrypt_key.c
|
||||||
|
@@ -60,7 +60,7 @@ krb5_dbe_def_decrypt_key_data(krb5_context context, const krb5_keyblock *mkey,
|
||||||
|
krb5_keyblock *dbkey_out,
|
||||||
|
krb5_keysalt *keysalt_out)
|
||||||
|
{
|
||||||
|
- krb5_error_code ret;
|
||||||
|
+ krb5_error_code ret = KRB5_CRYPTO_INTERNAL;
|
||||||
|
int16_t keylen;
|
||||||
|
krb5_enc_data cipher;
|
||||||
|
krb5_data plain = empty_data();
|
||||||
|
diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
|
||||||
|
index 98d601c8ab..461e5de542 100644
|
||||||
|
--- a/src/lib/rpc/svc_auth_gss.c
|
||||||
|
+++ b/src/lib/rpc/svc_auth_gss.c
|
||||||
|
@@ -297,7 +297,7 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
|
||||||
|
struct opaque_auth *oa;
|
||||||
|
gss_buffer_desc rpcbuf, checksum;
|
||||||
|
OM_uint32 maj_stat, min_stat, qop_state;
|
||||||
|
- u_char rpchdr[128];
|
||||||
|
+ u_char rpchdr[32 + MAX_AUTH_BYTES];
|
||||||
|
int32_t *buf;
|
||||||
|
|
||||||
|
log_debug("in svcauth_gss_validate()");
|
||||||
|
@@ -315,6 +315,8 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
|
||||||
|
return (FALSE);
|
||||||
|
|
||||||
|
buf = (int32_t *)(void *)rpchdr;
|
||||||
|
+
|
||||||
|
+ /* Write the 32 first bytes of the header. */
|
||||||
|
IXDR_PUT_LONG(buf, msg->rm_xid);
|
||||||
|
IXDR_PUT_ENUM(buf, msg->rm_direction);
|
||||||
|
IXDR_PUT_LONG(buf, msg->rm_call.cb_rpcvers);
|
||||||
|
@@ -323,6 +325,7 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
|
||||||
|
IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
|
||||||
|
IXDR_PUT_ENUM(buf, oa->oa_flavor);
|
||||||
|
IXDR_PUT_LONG(buf, oa->oa_length);
|
||||||
|
+
|
||||||
|
if (oa->oa_length) {
|
||||||
|
memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
|
||||||
|
buf += RNDUP(oa->oa_length) / sizeof(int32_t);
|
||||||
|
diff --git a/src/lib/rpc/svc_udp.c b/src/lib/rpc/svc_udp.c
|
||||||
|
index 8ecbdf2b33..3aff277eb7 100644
|
||||||
|
--- a/src/lib/rpc/svc_udp.c
|
||||||
|
+++ b/src/lib/rpc/svc_udp.c
|
||||||
|
@@ -248,8 +248,9 @@ static bool_t svcudp_reply(
|
||||||
|
{
|
||||||
|
struct svcudp_data *su = su_data(xprt);
|
||||||
|
XDR *xdrs = &su->su_xdrs;
|
||||||
|
- int slen;
|
||||||
|
+ u_int slen;
|
||||||
|
bool_t stat = FALSE;
|
||||||
|
+ ssize_t r;
|
||||||
|
|
||||||
|
xdrproc_t xdr_results = NULL;
|
||||||
|
caddr_t xdr_location = 0;
|
||||||
|
@@ -272,12 +273,12 @@ static bool_t svcudp_reply(
|
||||||
|
if (xdr_replymsg(xdrs, msg) &&
|
||||||
|
(!has_args ||
|
||||||
|
(SVCAUTH_WRAP(xprt->xp_auth, xdrs, xdr_results, xdr_location)))) {
|
||||||
|
- slen = (int)XDR_GETPOS(xdrs);
|
||||||
|
- if (sendto(xprt->xp_sock, rpc_buffer(xprt), slen, 0,
|
||||||
|
- (struct sockaddr *)&(xprt->xp_raddr), xprt->xp_addrlen)
|
||||||
|
- == slen) {
|
||||||
|
+ slen = XDR_GETPOS(xdrs);
|
||||||
|
+ r = sendto(xprt->xp_sock, rpc_buffer(xprt), slen, 0,
|
||||||
|
+ (struct sockaddr *)&(xprt->xp_raddr), xprt->xp_addrlen);
|
||||||
|
+ if (r >= 0 && (u_int)r == slen) {
|
||||||
|
stat = TRUE;
|
||||||
|
- if (su->su_cache && slen >= 0) {
|
||||||
|
+ if (su->su_cache) {
|
||||||
|
cache_set(xprt, (uint32_t) slen);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
diff --git a/src/util/support/threads.c b/src/util/support/threads.c
|
||||||
|
index be7e4c2e3f..4ded805b79 100644
|
||||||
|
--- a/src/util/support/threads.c
|
||||||
|
+++ b/src/util/support/threads.c
|
||||||
|
@@ -118,7 +118,6 @@ struct tsd_block {
|
||||||
|
# pragma weak pthread_mutex_destroy
|
||||||
|
# pragma weak pthread_mutex_init
|
||||||
|
# pragma weak pthread_self
|
||||||
|
-# pragma weak pthread_equal
|
||||||
|
# pragma weak pthread_getspecific
|
||||||
|
# pragma weak pthread_setspecific
|
||||||
|
# pragma weak pthread_key_create
|
||||||
|
@@ -151,7 +150,6 @@ int krb5int_pthread_loaded (void)
|
||||||
|
|| &pthread_mutex_destroy == 0
|
||||||
|
|| &pthread_mutex_init == 0
|
||||||
|
|| &pthread_self == 0
|
||||||
|
- || &pthread_equal == 0
|
||||||
|
/* Any program that's really multithreaded will have to be
|
||||||
|
able to create threads. */
|
||||||
|
|| &pthread_create == 0
|
||||||
|
--
|
||||||
|
2.46.0
|
||||||
|
|
@ -0,0 +1,629 @@
|
|||||||
|
From 023dcf87d34e29649dd76d33ce7d896c2b6f61d2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Rische <jrische@redhat.com>
|
||||||
|
Date: Thu, 22 Aug 2024 17:15:50 +0200
|
||||||
|
Subject: [PATCH] Generate and verify message MACs in libkrad
|
||||||
|
|
||||||
|
Implement some of the measures specified in
|
||||||
|
draft-ietf-radext-deprecating-radius-03 for mitigating the BlastRADIUS
|
||||||
|
attack (CVE-2024-3596):
|
||||||
|
|
||||||
|
* Include a Message-Authenticator MAC as the first attribute when
|
||||||
|
generating a packet of type Access-Request, Access-Reject,
|
||||||
|
Access-Accept, or Access-Challenge (sections 5.2.1 and 5.2.4), if
|
||||||
|
the secret is non-empty. (An empty secret indicates the use of Unix
|
||||||
|
domain socket transport.)
|
||||||
|
|
||||||
|
* Validate the Message-Authenticator MAC in received packets, if
|
||||||
|
present.
|
||||||
|
|
||||||
|
FreeRADIUS enforces Message-Authenticator as of versions 3.2.5 and
|
||||||
|
3.0.27. libkrad must generate Message-Authenticator attributes in
|
||||||
|
order to remain compatible with these implementations.
|
||||||
|
|
||||||
|
[ghudson@mit.edu: adjusted style and naming; simplified some
|
||||||
|
functions; edited commit message]
|
||||||
|
|
||||||
|
ticket: 9142 (new)
|
||||||
|
tags: pullup
|
||||||
|
target_version: 1.21-next
|
||||||
|
|
||||||
|
(cherry picked from commit 871125fea8ce0370a972bf65f7d1de63f619b06c)
|
||||||
|
---
|
||||||
|
src/include/k5-int.h | 5 +
|
||||||
|
src/lib/crypto/krb/checksum_hmac_md5.c | 28 ++++
|
||||||
|
src/lib/crypto/libk5crypto.exports | 1 +
|
||||||
|
src/lib/krad/attr.c | 17 ++
|
||||||
|
src/lib/krad/attrset.c | 59 +++++--
|
||||||
|
src/lib/krad/internal.h | 7 +-
|
||||||
|
src/lib/krad/packet.c | 206 +++++++++++++++++++++++--
|
||||||
|
src/lib/krad/t_attrset.c | 2 +-
|
||||||
|
src/lib/krad/t_daemon.py | 3 +-
|
||||||
|
src/lib/krad/t_packet.c | 11 ++
|
||||||
|
src/tests/t_otp.py | 3 +
|
||||||
|
11 files changed, 311 insertions(+), 31 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||||
|
index 69d6a6f569..b7789a2dd8 100644
|
||||||
|
--- a/src/include/k5-int.h
|
||||||
|
+++ b/src/include/k5-int.h
|
||||||
|
@@ -2403,4 +2403,9 @@ krb5_boolean
|
||||||
|
k5_sname_compare(krb5_context context, krb5_const_principal sname,
|
||||||
|
krb5_const_principal princ);
|
||||||
|
|
||||||
|
+/* Generate an HMAC-MD5 keyed checksum as specified by RFC 2104. */
|
||||||
|
+krb5_error_code
|
||||||
|
+k5_hmac_md5(const krb5_data *key, const krb5_crypto_iov *data, size_t num_data,
|
||||||
|
+ krb5_data *output);
|
||||||
|
+
|
||||||
|
#endif /* _KRB5_INT_H */
|
||||||
|
diff --git a/src/lib/crypto/krb/checksum_hmac_md5.c b/src/lib/crypto/krb/checksum_hmac_md5.c
|
||||||
|
index ec024f3966..a809388549 100644
|
||||||
|
--- a/src/lib/crypto/krb/checksum_hmac_md5.c
|
||||||
|
+++ b/src/lib/crypto/krb/checksum_hmac_md5.c
|
||||||
|
@@ -92,3 +92,31 @@ cleanup:
|
||||||
|
free(hash_iov);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+krb5_error_code
|
||||||
|
+k5_hmac_md5(const krb5_data *key, const krb5_crypto_iov *data, size_t num_data,
|
||||||
|
+ krb5_data *output)
|
||||||
|
+{
|
||||||
|
+ krb5_error_code ret;
|
||||||
|
+ const struct krb5_hash_provider *hash = &krb5int_hash_md5;
|
||||||
|
+ krb5_keyblock keyblock = { 0 };
|
||||||
|
+ krb5_data hashed_key;
|
||||||
|
+ uint8_t hkeybuf[16];
|
||||||
|
+ krb5_crypto_iov iov;
|
||||||
|
+
|
||||||
|
+ /* Hash the key if it is longer than the block size. */
|
||||||
|
+ if (key->length > hash->blocksize) {
|
||||||
|
+ hashed_key = make_data(hkeybuf, sizeof(hkeybuf));
|
||||||
|
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
|
||||||
|
+ iov.data = *key;
|
||||||
|
+ ret = hash->hash(&iov, 1, &hashed_key);
|
||||||
|
+ if (ret)
|
||||||
|
+ return ret;
|
||||||
|
+ key = &hashed_key;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ keyblock.magic = KV5M_KEYBLOCK;
|
||||||
|
+ keyblock.length = key->length;
|
||||||
|
+ keyblock.contents = (uint8_t *)key->data;
|
||||||
|
+ return krb5int_hmac_keyblock(hash, &keyblock, data, num_data, output);
|
||||||
|
+}
|
||||||
|
diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports
|
||||||
|
index d8ffa63304..00e0ce1812 100644
|
||||||
|
--- a/src/lib/crypto/libk5crypto.exports
|
||||||
|
+++ b/src/lib/crypto/libk5crypto.exports
|
||||||
|
@@ -102,3 +102,4 @@ krb5_c_prfplus
|
||||||
|
krb5_c_derive_prfplus
|
||||||
|
k5_enctype_to_ssf
|
||||||
|
krb5int_c_deprecated_enctype
|
||||||
|
+k5_hmac_md5
|
||||||
|
diff --git a/src/lib/krad/attr.c b/src/lib/krad/attr.c
|
||||||
|
index 42d354a3b5..65ed1d35e7 100644
|
||||||
|
--- a/src/lib/krad/attr.c
|
||||||
|
+++ b/src/lib/krad/attr.c
|
||||||
|
@@ -125,6 +125,23 @@ static const attribute_record attributes[UCHAR_MAX] = {
|
||||||
|
{"NAS-Port-Type", 4, 4, NULL, NULL},
|
||||||
|
{"Port-Limit", 4, 4, NULL, NULL},
|
||||||
|
{"Login-LAT-Port", 1, MAX_ATTRSIZE, NULL, NULL},
|
||||||
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */
|
||||||
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */
|
||||||
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */
|
||||||
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */
|
||||||
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */
|
||||||
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */
|
||||||
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */
|
||||||
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */
|
||||||
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */
|
||||||
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */
|
||||||
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */
|
||||||
|
+ {NULL, 0, 0, NULL, NULL}, /* Password-Retry */
|
||||||
|
+ {NULL, 0, 0, NULL, NULL}, /* Prompt */
|
||||||
|
+ {NULL, 0, 0, NULL, NULL}, /* Connect-Info */
|
||||||
|
+ {NULL, 0, 0, NULL, NULL}, /* Configuration-Token */
|
||||||
|
+ {NULL, 0, 0, NULL, NULL}, /* EAP-Message */
|
||||||
|
+ {"Message-Authenticator", MD5_DIGEST_SIZE, MD5_DIGEST_SIZE, NULL, NULL},
|
||||||
|
};
|
||||||
|
|
||||||
|
/* Encode User-Password attribute. */
|
||||||
|
diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c
|
||||||
|
index 6ec031e320..e5457ebfd7 100644
|
||||||
|
--- a/src/lib/krad/attrset.c
|
||||||
|
+++ b/src/lib/krad/attrset.c
|
||||||
|
@@ -164,15 +164,44 @@ krad_attrset_copy(const krad_attrset *set, krad_attrset **copy)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* Place an encoded attributes into outbuf at position *i. Increment *i by the
|
||||||
|
+ * length of the encoding. */
|
||||||
|
+static krb5_error_code
|
||||||
|
+append_attr(krb5_context ctx, const char *secret,
|
||||||
|
+ const uint8_t *auth, krad_attr type, const krb5_data *data,
|
||||||
|
+ uint8_t outbuf[MAX_ATTRSETSIZE], size_t *i, krb5_boolean *is_fips)
|
||||||
|
+{
|
||||||
|
+ uint8_t buffer[MAX_ATTRSIZE];
|
||||||
|
+ size_t attrlen;
|
||||||
|
+ krb5_error_code retval;
|
||||||
|
+
|
||||||
|
+ retval = kr_attr_encode(ctx, secret, auth, type, data, buffer, &attrlen,
|
||||||
|
+ is_fips);
|
||||||
|
+ if (retval)
|
||||||
|
+ return retval;
|
||||||
|
+
|
||||||
|
+ if (attrlen > MAX_ATTRSETSIZE - *i - 2)
|
||||||
|
+ return EMSGSIZE;
|
||||||
|
+
|
||||||
|
+ outbuf[(*i)++] = type;
|
||||||
|
+ outbuf[(*i)++] = attrlen + 2;
|
||||||
|
+ memcpy(outbuf + *i, buffer, attrlen);
|
||||||
|
+ *i += attrlen;
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
krb5_error_code
|
||||||
|
kr_attrset_encode(const krad_attrset *set, const char *secret,
|
||||||
|
- const unsigned char *auth,
|
||||||
|
+ const uint8_t *auth, krb5_boolean add_msgauth,
|
||||||
|
unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen,
|
||||||
|
krb5_boolean *is_fips)
|
||||||
|
{
|
||||||
|
- unsigned char buffer[MAX_ATTRSIZE];
|
||||||
|
krb5_error_code retval;
|
||||||
|
- size_t i = 0, attrlen;
|
||||||
|
+ krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
|
||||||
|
+ const uint8_t zeroes[MD5_DIGEST_SIZE] = { 0 };
|
||||||
|
+ krb5_data zerodata;
|
||||||
|
+ size_t i = 0;
|
||||||
|
attr *a;
|
||||||
|
|
||||||
|
if (set == NULL) {
|
||||||
|
@@ -180,19 +209,21 @@ kr_attrset_encode(const krad_attrset *set, const char *secret,
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
- K5_TAILQ_FOREACH(a, &set->list, list) {
|
||||||
|
- retval = kr_attr_encode(set->ctx, secret, auth, a->type, &a->attr,
|
||||||
|
- buffer, &attrlen, is_fips);
|
||||||
|
- if (retval != 0)
|
||||||
|
+ if (add_msgauth) {
|
||||||
|
+ /* Encode Message-Authenticator as the first attribute, per
|
||||||
|
+ * draft-ietf-radext-deprecating-radius-03 section 5.2. */
|
||||||
|
+ zerodata = make_data((uint8_t *)zeroes, MD5_DIGEST_SIZE);
|
||||||
|
+ retval = append_attr(set->ctx, secret, auth, msgauth_type, &zerodata,
|
||||||
|
+ outbuf, &i, is_fips);
|
||||||
|
+ if (retval)
|
||||||
|
return retval;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- if (i + attrlen + 2 > MAX_ATTRSETSIZE)
|
||||||
|
- return EMSGSIZE;
|
||||||
|
-
|
||||||
|
- outbuf[i++] = a->type;
|
||||||
|
- outbuf[i++] = attrlen + 2;
|
||||||
|
- memcpy(&outbuf[i], buffer, attrlen);
|
||||||
|
- i += attrlen;
|
||||||
|
+ K5_TAILQ_FOREACH(a, &set->list, list) {
|
||||||
|
+ retval = append_attr(set->ctx, secret, auth, a->type, &a->attr,
|
||||||
|
+ outbuf, &i, is_fips);
|
||||||
|
+ if (retval)
|
||||||
|
+ return retval;
|
||||||
|
}
|
||||||
|
|
||||||
|
*outlen = i;
|
||||||
|
diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
|
||||||
|
index a17b6f39b1..ca66f3ec68 100644
|
||||||
|
--- a/src/lib/krad/internal.h
|
||||||
|
+++ b/src/lib/krad/internal.h
|
||||||
|
@@ -49,6 +49,8 @@
|
||||||
|
#define UCHAR_MAX 255
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#define MD5_DIGEST_SIZE 16
|
||||||
|
+
|
||||||
|
/* RFC 2865 */
|
||||||
|
#define MAX_ATTRSIZE (UCHAR_MAX - 2)
|
||||||
|
#define MAX_ATTRSETSIZE (KRAD_PACKET_SIZE_MAX - 20)
|
||||||
|
@@ -79,10 +81,11 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
|
||||||
|
krad_attr type, const krb5_data *in,
|
||||||
|
unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen);
|
||||||
|
|
||||||
|
-/* Encode the attributes into the buffer. */
|
||||||
|
+/* Encode set into outbuf. If add_msgauth is true, include a zeroed
|
||||||
|
+ * Message-Authenticator as the first attribute. */
|
||||||
|
krb5_error_code
|
||||||
|
kr_attrset_encode(const krad_attrset *set, const char *secret,
|
||||||
|
- const unsigned char *auth,
|
||||||
|
+ const uint8_t *auth, krb5_boolean add_msgauth,
|
||||||
|
unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen,
|
||||||
|
krb5_boolean *is_fips);
|
||||||
|
|
||||||
|
diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c
|
||||||
|
index c5446b890c..3c1a4d507e 100644
|
||||||
|
--- a/src/lib/krad/packet.c
|
||||||
|
+++ b/src/lib/krad/packet.c
|
||||||
|
@@ -36,6 +36,7 @@
|
||||||
|
typedef unsigned char uchar;
|
||||||
|
|
||||||
|
/* RFC 2865 */
|
||||||
|
+#define MSGAUTH_SIZE (2 + MD5_DIGEST_SIZE)
|
||||||
|
#define OFFSET_CODE 0
|
||||||
|
#define OFFSET_ID 1
|
||||||
|
#define OFFSET_LENGTH 2
|
||||||
|
@@ -222,6 +223,106 @@ packet_set_attrset(krb5_context ctx, const char *secret, krad_packet *pkt)
|
||||||
|
return kr_attrset_decode(ctx, &tmp, secret, pkt_auth(pkt), &pkt->attrset);
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* Determine if a packet requires a Message-Authenticator attribute. */
|
||||||
|
+static inline krb5_boolean
|
||||||
|
+requires_msgauth(const char *secret, krad_code code)
|
||||||
|
+{
|
||||||
|
+ /* If no secret is provided, assume that the transport is a UNIX socket.
|
||||||
|
+ * Message-Authenticator is required only on UDP and TCP connections. */
|
||||||
|
+ if (*secret == '\0')
|
||||||
|
+ return FALSE;
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Per draft-ietf-radext-deprecating-radius-03 sections 5.2.1 and 5.2.4,
|
||||||
|
+ * Message-Authenticator is required in Access-Request packets and all
|
||||||
|
+ * potential responses when UDP or TCP transport is used.
|
||||||
|
+ */
|
||||||
|
+ return code == krad_code_name2num("Access-Request") ||
|
||||||
|
+ code == krad_code_name2num("Access-Reject") ||
|
||||||
|
+ code == krad_code_name2num("Access-Accept") ||
|
||||||
|
+ code == krad_code_name2num("Access-Challenge");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/* Check if the packet has a Message-Authenticator attribute. */
|
||||||
|
+static inline krb5_boolean
|
||||||
|
+has_pkt_msgauth(const krad_packet *pkt)
|
||||||
|
+{
|
||||||
|
+ krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
|
||||||
|
+
|
||||||
|
+ return krad_attrset_get(pkt->attrset, msgauth_type, 0) != NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/* Return the beginning of the Message-Authenticator attribute in pkt, or NULL
|
||||||
|
+ * if no such attribute is present. */
|
||||||
|
+static const uint8_t *
|
||||||
|
+lookup_msgauth_addr(const krad_packet *pkt)
|
||||||
|
+{
|
||||||
|
+ krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
|
||||||
|
+ size_t i;
|
||||||
|
+ uint8_t *p;
|
||||||
|
+
|
||||||
|
+ i = OFFSET_ATTR;
|
||||||
|
+ while (i + 2 < pkt->pkt.length) {
|
||||||
|
+ p = (uint8_t *)offset(&pkt->pkt, i);
|
||||||
|
+ if (msgauth_type == *p)
|
||||||
|
+ return p;
|
||||||
|
+ i += p[1];
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Calculate the message authenticator MAC for pkt as specified in RFC 2869
|
||||||
|
+ * section 5.14, placing the result in mac_out. Use the provided authenticator
|
||||||
|
+ * auth, which may be from pkt or from a corresponding request.
|
||||||
|
+ */
|
||||||
|
+static krb5_error_code
|
||||||
|
+calculate_mac(const char *secret, const krad_packet *pkt,
|
||||||
|
+ const uint8_t auth[AUTH_FIELD_SIZE],
|
||||||
|
+ uint8_t mac_out[MD5_DIGEST_SIZE])
|
||||||
|
+{
|
||||||
|
+ uint8_t zeroed_msgauth[MSGAUTH_SIZE];
|
||||||
|
+ krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
|
||||||
|
+ const uint8_t *msgauth_attr, *msgauth_end, *pkt_end;
|
||||||
|
+ krb5_crypto_iov input[5];
|
||||||
|
+ krb5_data ksecr, mac;
|
||||||
|
+
|
||||||
|
+ msgauth_attr = lookup_msgauth_addr(pkt);
|
||||||
|
+ if (msgauth_attr == NULL)
|
||||||
|
+ return EINVAL;
|
||||||
|
+ msgauth_end = msgauth_attr + MSGAUTH_SIZE;
|
||||||
|
+ pkt_end = (const uint8_t *)pkt->pkt.data + pkt->pkt.length;
|
||||||
|
+
|
||||||
|
+ /* Read code, id, and length from the packet. */
|
||||||
|
+ input[0].flags = KRB5_CRYPTO_TYPE_DATA;
|
||||||
|
+ input[0].data = make_data(pkt->pkt.data, OFFSET_AUTH);
|
||||||
|
+
|
||||||
|
+ /* Read the provided authenticator. */
|
||||||
|
+ input[1].flags = KRB5_CRYPTO_TYPE_DATA;
|
||||||
|
+ input[1].data = make_data((uint8_t *)auth, AUTH_FIELD_SIZE);
|
||||||
|
+
|
||||||
|
+ /* Read any attributes before Message-Authenticator. */
|
||||||
|
+ input[2].flags = KRB5_CRYPTO_TYPE_DATA;
|
||||||
|
+ input[2].data = make_data(pkt_attr(pkt), msgauth_attr - pkt_attr(pkt));
|
||||||
|
+
|
||||||
|
+ /* Read Message-Authenticator with the data bytes all set to zero, per RFC
|
||||||
|
+ * 2869 section 5.14. */
|
||||||
|
+ zeroed_msgauth[0] = msgauth_type;
|
||||||
|
+ zeroed_msgauth[1] = MSGAUTH_SIZE;
|
||||||
|
+ memset(zeroed_msgauth + 2, 0, MD5_DIGEST_SIZE);
|
||||||
|
+ input[3].flags = KRB5_CRYPTO_TYPE_DATA;
|
||||||
|
+ input[3].data = make_data(zeroed_msgauth, MSGAUTH_SIZE);
|
||||||
|
+
|
||||||
|
+ /* Read any attributes after Message-Authenticator. */
|
||||||
|
+ input[4].flags = KRB5_CRYPTO_TYPE_DATA;
|
||||||
|
+ input[4].data = make_data((uint8_t *)msgauth_end, pkt_end - msgauth_end);
|
||||||
|
+
|
||||||
|
+ mac = make_data(mac_out, MD5_DIGEST_SIZE);
|
||||||
|
+ ksecr = string2data((char *)secret);
|
||||||
|
+ return k5_hmac_md5(&ksecr, input, 5, &mac);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
ssize_t
|
||||||
|
krad_packet_bytes_needed(const krb5_data *buffer)
|
||||||
|
{
|
||||||
|
@@ -255,6 +356,7 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code,
|
||||||
|
krad_packet *pkt;
|
||||||
|
uchar id;
|
||||||
|
size_t attrset_len;
|
||||||
|
+ krb5_boolean msgauth_required;
|
||||||
|
|
||||||
|
pkt = packet_new();
|
||||||
|
if (pkt == NULL) {
|
||||||
|
@@ -274,9 +376,13 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code,
|
||||||
|
if (retval != 0)
|
||||||
|
goto error;
|
||||||
|
|
||||||
|
+ /* Determine if Message-Authenticator is required. */
|
||||||
|
+ msgauth_required = (*secret != '\0' &&
|
||||||
|
+ code == krad_code_name2num("Access-Request"));
|
||||||
|
+
|
||||||
|
/* Encode the attributes. */
|
||||||
|
- retval = kr_attrset_encode(set, secret, pkt_auth(pkt), pkt_attr(pkt),
|
||||||
|
- &attrset_len, &pkt->is_fips);
|
||||||
|
+ retval = kr_attrset_encode(set, secret, pkt_auth(pkt), msgauth_required,
|
||||||
|
+ pkt_attr(pkt), &attrset_len, &pkt->is_fips);
|
||||||
|
if (retval != 0)
|
||||||
|
goto error;
|
||||||
|
|
||||||
|
@@ -285,6 +391,13 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code,
|
||||||
|
pkt_code_set(pkt, code);
|
||||||
|
pkt_len_set(pkt, pkt->pkt.length);
|
||||||
|
|
||||||
|
+ if (msgauth_required) {
|
||||||
|
+ /* Calculate and set the Message-Authenticator MAC. */
|
||||||
|
+ retval = calculate_mac(secret, pkt, pkt_auth(pkt), pkt_attr(pkt) + 2);
|
||||||
|
+ if (retval != 0)
|
||||||
|
+ goto error;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Copy the attrset for future use. */
|
||||||
|
retval = packet_set_attrset(ctx, secret, pkt);
|
||||||
|
if (retval != 0)
|
||||||
|
@@ -307,14 +420,19 @@ krad_packet_new_response(krb5_context ctx, const char *secret, krad_code code,
|
||||||
|
krb5_error_code retval;
|
||||||
|
krad_packet *pkt;
|
||||||
|
size_t attrset_len;
|
||||||
|
+ krb5_boolean msgauth_required;
|
||||||
|
|
||||||
|
pkt = packet_new();
|
||||||
|
if (pkt == NULL)
|
||||||
|
return ENOMEM;
|
||||||
|
|
||||||
|
+ /* Determine if Message-Authenticator is required. */
|
||||||
|
+ msgauth_required = requires_msgauth(secret, code);
|
||||||
|
+
|
||||||
|
/* Encode the attributes. */
|
||||||
|
- retval = kr_attrset_encode(set, secret, pkt_auth(request), pkt_attr(pkt),
|
||||||
|
- &attrset_len, &pkt->is_fips);
|
||||||
|
+ retval = kr_attrset_encode(set, secret, pkt_auth(request),
|
||||||
|
+ msgauth_required, pkt_attr(pkt), &attrset_len,
|
||||||
|
+ &pkt->is_fips);
|
||||||
|
if (retval != 0)
|
||||||
|
goto error;
|
||||||
|
|
||||||
|
@@ -330,6 +448,18 @@ krad_packet_new_response(krb5_context ctx, const char *secret, krad_code code,
|
||||||
|
if (retval != 0)
|
||||||
|
goto error;
|
||||||
|
|
||||||
|
+ if (msgauth_required) {
|
||||||
|
+ /*
|
||||||
|
+ * Calculate and replace the Message-Authenticator MAC. Per RFC 2869
|
||||||
|
+ * section 5.14, use the authenticator from the request, not from the
|
||||||
|
+ * response.
|
||||||
|
+ */
|
||||||
|
+ retval = calculate_mac(secret, pkt, pkt_auth(request),
|
||||||
|
+ pkt_attr(pkt) + 2);
|
||||||
|
+ if (retval != 0)
|
||||||
|
+ goto error;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Copy the attrset for future use. */
|
||||||
|
retval = packet_set_attrset(ctx, secret, pkt);
|
||||||
|
if (retval != 0)
|
||||||
|
@@ -343,6 +473,34 @@ error:
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* Verify the Message-Authenticator value in pkt, using the provided
|
||||||
|
+ * authenticator (which may be from pkt or from a corresponding request). */
|
||||||
|
+static krb5_error_code
|
||||||
|
+verify_msgauth(const char *secret, const krad_packet *pkt,
|
||||||
|
+ const uint8_t auth[AUTH_FIELD_SIZE])
|
||||||
|
+{
|
||||||
|
+ uint8_t mac[MD5_DIGEST_SIZE];
|
||||||
|
+ krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
|
||||||
|
+ const krb5_data *msgauth;
|
||||||
|
+ krb5_error_code retval;
|
||||||
|
+
|
||||||
|
+ msgauth = krad_packet_get_attr(pkt, msgauth_type, 0);
|
||||||
|
+ if (msgauth == NULL)
|
||||||
|
+ return ENODATA;
|
||||||
|
+
|
||||||
|
+ retval = calculate_mac(secret, pkt, auth, mac);
|
||||||
|
+ if (retval)
|
||||||
|
+ return retval;
|
||||||
|
+
|
||||||
|
+ if (msgauth->length != MD5_DIGEST_SIZE)
|
||||||
|
+ return EMSGSIZE;
|
||||||
|
+
|
||||||
|
+ if (k5_bcmp(mac, msgauth->data, MD5_DIGEST_SIZE) != 0)
|
||||||
|
+ return EBADMSG;
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* Decode a packet. */
|
||||||
|
static krb5_error_code
|
||||||
|
decode_packet(krb5_context ctx, const char *secret, const krb5_data *buffer,
|
||||||
|
@@ -394,21 +552,35 @@ krad_packet_decode_request(krb5_context ctx, const char *secret,
|
||||||
|
krad_packet **reqpkt)
|
||||||
|
{
|
||||||
|
const krad_packet *tmp = NULL;
|
||||||
|
+ krad_packet *req;
|
||||||
|
krb5_error_code retval;
|
||||||
|
|
||||||
|
- retval = decode_packet(ctx, secret, buffer, reqpkt);
|
||||||
|
- if (cb != NULL && retval == 0) {
|
||||||
|
+ retval = decode_packet(ctx, secret, buffer, &req);
|
||||||
|
+ if (retval)
|
||||||
|
+ return retval;
|
||||||
|
+
|
||||||
|
+ /* Verify Message-Authenticator if present. */
|
||||||
|
+ if (has_pkt_msgauth(req)) {
|
||||||
|
+ retval = verify_msgauth(secret, req, pkt_auth(req));
|
||||||
|
+ if (retval) {
|
||||||
|
+ krad_packet_free(req);
|
||||||
|
+ return retval;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (cb != NULL) {
|
||||||
|
for (tmp = (*cb)(data, FALSE); tmp != NULL; tmp = (*cb)(data, FALSE)) {
|
||||||
|
if (pkt_id_get(*reqpkt) == pkt_id_get(tmp))
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
- }
|
||||||
|
|
||||||
|
- if (cb != NULL && (retval != 0 || tmp != NULL))
|
||||||
|
- (*cb)(data, TRUE);
|
||||||
|
+ if (tmp != NULL)
|
||||||
|
+ (*cb)(data, TRUE);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
+ *reqpkt = req;
|
||||||
|
*duppkt = tmp;
|
||||||
|
- return retval;
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
krb5_error_code
|
||||||
|
@@ -435,9 +607,17 @@ krad_packet_decode_response(krb5_context ctx, const char *secret,
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* If the authenticator matches, then the response is valid. */
|
||||||
|
- if (memcmp(pkt_auth(*rsppkt), auth, sizeof(auth)) == 0)
|
||||||
|
- break;
|
||||||
|
+ /* Verify the response authenticator. */
|
||||||
|
+ if (k5_bcmp(pkt_auth(*rsppkt), auth, sizeof(auth)) != 0)
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
+ /* Verify Message-Authenticator if present. */
|
||||||
|
+ if (has_pkt_msgauth(*rsppkt)) {
|
||||||
|
+ if (verify_msgauth(secret, *rsppkt, pkt_auth(tmp)) != 0)
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/src/lib/krad/t_attrset.c b/src/lib/krad/t_attrset.c
|
||||||
|
index 4cdb8b7d8e..f9c66509bd 100644
|
||||||
|
--- a/src/lib/krad/t_attrset.c
|
||||||
|
+++ b/src/lib/krad/t_attrset.c
|
||||||
|
@@ -63,7 +63,7 @@ main(void)
|
||||||
|
noerror(krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp));
|
||||||
|
|
||||||
|
/* Encode attrset. */
|
||||||
|
- noerror(kr_attrset_encode(set, "foo", auth, buffer, &encode_len,
|
||||||
|
+ noerror(kr_attrset_encode(set, "foo", auth, FALSE, buffer, &encode_len,
|
||||||
|
&is_fips));
|
||||||
|
krad_attrset_free(set);
|
||||||
|
|
||||||
|
diff --git a/src/lib/krad/t_daemon.py b/src/lib/krad/t_daemon.py
|
||||||
|
index 4a3de079c7..647d4894eb 100755
|
||||||
|
--- a/src/lib/krad/t_daemon.py
|
||||||
|
+++ b/src/lib/krad/t_daemon.py
|
||||||
|
@@ -40,6 +40,7 @@ DICTIONARY = """
|
||||||
|
ATTRIBUTE\tUser-Name\t1\tstring
|
||||||
|
ATTRIBUTE\tUser-Password\t2\toctets
|
||||||
|
ATTRIBUTE\tNAS-Identifier\t32\tstring
|
||||||
|
+ATTRIBUTE\tMessage-Authenticator\t80\toctets
|
||||||
|
"""
|
||||||
|
|
||||||
|
class TestServer(server.Server):
|
||||||
|
@@ -52,7 +53,7 @@ class TestServer(server.Server):
|
||||||
|
if key == "User-Password":
|
||||||
|
passwd = [pkt.PwDecrypt(x) for x in pkt[key]]
|
||||||
|
|
||||||
|
- reply = self.CreateReplyPacket(pkt)
|
||||||
|
+ reply = self.CreateReplyPacket(pkt, message_authenticator=True)
|
||||||
|
if passwd == ['accept']:
|
||||||
|
reply.code = packet.AccessAccept
|
||||||
|
else:
|
||||||
|
diff --git a/src/lib/krad/t_packet.c b/src/lib/krad/t_packet.c
|
||||||
|
index c22489144f..104b6507a2 100644
|
||||||
|
--- a/src/lib/krad/t_packet.c
|
||||||
|
+++ b/src/lib/krad/t_packet.c
|
||||||
|
@@ -172,6 +172,9 @@ main(int argc, const char **argv)
|
||||||
|
krb5_data username, password;
|
||||||
|
krb5_boolean auth = FALSE;
|
||||||
|
krb5_context ctx;
|
||||||
|
+ const krad_packet *dupreq;
|
||||||
|
+ const krb5_data *encpkt;
|
||||||
|
+ krad_packet *decreq;
|
||||||
|
|
||||||
|
username = string2data("testUser");
|
||||||
|
|
||||||
|
@@ -184,9 +187,17 @@ main(int argc, const char **argv)
|
||||||
|
|
||||||
|
password = string2data("accept");
|
||||||
|
noerror(make_packet(ctx, &username, &password, &packets[ACCEPT_PACKET]));
|
||||||
|
+ encpkt = krad_packet_encode(packets[ACCEPT_PACKET]);
|
||||||
|
+ noerror(krad_packet_decode_request(ctx, "foo", encpkt, NULL, NULL,
|
||||||
|
+ &dupreq, &decreq));
|
||||||
|
+ krad_packet_free(decreq);
|
||||||
|
|
||||||
|
password = string2data("reject");
|
||||||
|
noerror(make_packet(ctx, &username, &password, &packets[REJECT_PACKET]));
|
||||||
|
+ encpkt = krad_packet_encode(packets[REJECT_PACKET]);
|
||||||
|
+ noerror(krad_packet_decode_request(ctx, "foo", encpkt, NULL, NULL,
|
||||||
|
+ &dupreq, &decreq));
|
||||||
|
+ krad_packet_free(decreq);
|
||||||
|
|
||||||
|
memset(&hints, 0, sizeof(hints));
|
||||||
|
hints.ai_family = AF_INET;
|
||||||
|
diff --git a/src/tests/t_otp.py b/src/tests/t_otp.py
|
||||||
|
index c3b820a411..dd5cdc5c26 100755
|
||||||
|
--- a/src/tests/t_otp.py
|
||||||
|
+++ b/src/tests/t_otp.py
|
||||||
|
@@ -49,6 +49,7 @@ ATTRIBUTE User-Name 1 string
|
||||||
|
ATTRIBUTE User-Password 2 octets
|
||||||
|
ATTRIBUTE Service-Type 6 integer
|
||||||
|
ATTRIBUTE NAS-Identifier 32 string
|
||||||
|
+ATTRIBUTE Message-Authenticator 80 octets
|
||||||
|
'''
|
||||||
|
|
||||||
|
class RadiusDaemon(Process):
|
||||||
|
@@ -97,6 +98,8 @@ class RadiusDaemon(Process):
|
||||||
|
reply.code = packet.AccessReject
|
||||||
|
replyq['reply'] = False
|
||||||
|
|
||||||
|
+ reply.add_message_authenticator()
|
||||||
|
+
|
||||||
|
outq.put(replyq)
|
||||||
|
if addr is None:
|
||||||
|
sock.send(reply.ReplyPacket())
|
||||||
|
--
|
||||||
|
2.46.0
|
||||||
|
|
Loading…
Reference in new issue