src/crypto/heimdal/lib/gssapi, branch main FreeBSD source tree Revert "heimdal: CVE-2022-41916: Check for overflow in _gsskrb5_get_mech()" 2024-02-16T17:31:13+00:00 Cy Schubert cy@FreeBSD.org 2024-02-16T17:31:13+00:00 5130b35ef561edf87be53721ed68de7927843fd4 This was already applied by ed549cb0c53f. Repored by: Gunther Nikl <gnikl@justmail.de> This reverts commit 9286d46a794f25482880d29864a8901ef6666fae. 
This was already applied by ed549cb0c53f.

Repored by:	Gunther Nikl <gnikl@justmail.de>

This reverts commit 9286d46a794f25482880d29864a8901ef6666fae.
heimdal: Fix NULL deref 2024-02-15T21:27:55+00:00 Cy Schubert cy@FreeBSD.org 2024-02-15T15:41:07+00:00 fc773115fa2dbb6c01377f2ed47dabf79a4e361a A flawed logical condition allows a malicious actor to remotely trigger a NULL pointer dereference using a crafted negTokenInit token. Upstream notes: Reported to Heimdal by Michał Kępień <michal@isc.org>. From the report: Acknowledgement --------------- This flaw was found while working on addressing ZDI-CAN-12302: ISC BIND TKEY Query Heap-based Buffer Overflow Remote Code Execution Vulnerability, which was reported to ISC by Trend Micro's Zero Day Security: CVE-2022-3116 Obtained from: upstream 7a19658c1 MFC after: 1 week 
A flawed logical condition allows a malicious actor to remotely
trigger a NULL pointer dereference using a crafted negTokenInit
token.

Upstream notes:

    Reported to Heimdal by Michał Kępień <michal@isc.org>.

    From the report:

    Acknowledgement
    ---------------

    This flaw was found while working on addressing ZDI-CAN-12302: ISC BIND
    TKEY Query Heap-based Buffer Overflow Remote Code Execution
    Vulnerability, which was reported to ISC by Trend Micro's Zero Day

Security:	CVE-2022-3116
Obtained from:	upstream 7a19658c1
MFC after:	1 week
heimdal: CVE-2022-41916: Check for overflow in _gsskrb5_get_mech() 2024-02-15T21:27:55+00:00 Cy Schubert cy@FreeBSD.org 2024-02-15T00:54:46+00:00 9286d46a794f25482880d29864a8901ef6666fae Apply upstream 22749e918 to fix a buffer overflow. Upstream notes: If len_len is equal to total_len - 1 (i.e. the input consists only of a 0x60 byte and a length), the expression 'total_len - 1 - len_len - 1', used as the 'len' parameter to der_get_length(), will overflow to SIZE_MAX. Then der_get_length() will proceed to read, unconstrained, whatever data follows in memory. Add a check to ensure that doesn't happen This is similar to samba CVE-2022-3437. Reported by: emaste Security: CVE-2022-41916 Obtained from: upstream 22749e918 MFC after: 1 week 
Apply upstream 22749e918 to fix a buffer overflow.

Upstream notes:

    If len_len is equal to total_len - 1 (i.e. the input consists only of a
    0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
    used as the 'len' parameter to der_get_length(), will overflow to
    SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
    whatever data follows in memory. Add a check to ensure that doesn't
    happen

This is similar to samba CVE-2022-3437.

Reported by:	emaste
Security:	CVE-2022-41916
Obtained from:	upstream 22749e918
MFC after:	1 week
heimdal: Fix CVE-2022-4152, signature validation error 2023-03-10T01:18:49+00:00 Cy Schubert cy@FreeBSD.org 2023-03-10T01:03:52+00:00 5abaf0866445a61c11665fffc148ecd13a7bb9ac When CVE-2022-3437 was fixed by changing memcmp to be a constant time and the workaround for th e compiler was to add "!=0". However the logic implmented was inverted resulting in CVE-2022-4152. Reported by: Timothy E Zingelman <zingelman _AT_ fnal.gov> MFC after: 1 day Security: CVE-2022-4152 Security: https://www.cve.org/CVERecord?id=CVE-2022-45142 Security: https://nvd.nist.gov/vuln/detail/CVE-2022-45142 Security: https://security-tracker.debian.org/tracker/CVE-2022-45142 Security: https://bugs.gentoo.org/show_bug.cgi?id=CVE-2022-45142 Security: https://bugzilla.samba.org/show_bug.cgi?id=15296 Security: https://www.openwall.com/lists/oss-security/2023/02/08/1 
When CVE-2022-3437 was fixed by changing memcmp to be a constant
time and the workaround for th e compiler was to add "!=0". However
the logic implmented was inverted resulting in CVE-2022-4152.

Reported by:	Timothy E Zingelman <zingelman _AT_ fnal.gov>
MFC after:	1 day
Security:	CVE-2022-4152
Security:	https://www.cve.org/CVERecord?id=CVE-2022-45142
Security:	https://nvd.nist.gov/vuln/detail/CVE-2022-45142
Security:	https://security-tracker.debian.org/tracker/CVE-2022-45142
Security:	https://bugs.gentoo.org/show_bug.cgi?id=CVE-2022-45142
Security:	https://bugzilla.samba.org/show_bug.cgi?id=15296
Security:	https://www.openwall.com/lists/oss-security/2023/02/08/1
heimdal: Fix multiple security vulnerabilities 2022-11-15T21:12:37+00:00 Cy Schubert cy@FreeBSD.org 2022-11-08T08:53:29+00:00 ed549cb0c53f8438c52593ce811f6fcc812248e9 The following issues are patched: - CVE-2022-42898 PAC parse integer overflows - CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour - CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0 on the Common Vulnerability Scoring System (CVSS) v3, as we believe it should be possible to get an RCE on a KDC, which means that credentials can be compromised that can be used to impersonate anyone in a realm or forest of realms. Heimdal's ASN.1 compiler generates code that allows specially crafted DER encodings of CHOICEs to invoke the wrong free function on the decoded structure upon decode error. This is known to impact the Heimdal KDC, leading to an invalid free() of an address partly or wholly under the control of the attacker, in turn leading to a potential remote code execution (RCE) vulnerability. This error affects the DER codec for all extensible CHOICE types used in Heimdal, though not all cases will be exploitable. We have not completed a thorough analysis of all the Heimdal components affected, thus the Kerberos client, the X.509 library, and other parts, may be affected as well. This bug has been in Heimdal's ASN.1 compiler since 2005, but it may only affect Heimdal 1.6 and up. It was first reported by Douglas Bagnall, though it had been found independently by the Heimdal maintainers via fuzzing a few weeks earlier. While no zero-day exploit is known, such an exploit will likely be available soon after public disclosure. - CVE-2019-14870: Validate client attributes in protocol-transition - CVE-2019-14870: Apply forwardable policy in protocol-transition - CVE-2019-14870: Always lookup impersonate client in DB Sponsored by: so (philip) Obtained from: so (philip) Tested by: philip, cy MFC after: immediately 
The following issues are patched:

 - CVE-2022-42898 PAC parse integer overflows
 - CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
 - CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
 - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec

    Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
    on the Common Vulnerability Scoring System (CVSS) v3, as we believe
    it should be possible to get an RCE on a KDC, which means that
    credentials can be compromised that can be used to impersonate
    anyone in a realm or forest of realms.

    Heimdal's ASN.1 compiler generates code that allows specially
    crafted DER encodings of CHOICEs to invoke the wrong free function
    on the decoded structure upon decode error.  This is known to impact
    the Heimdal KDC, leading to an invalid free() of an address partly
    or wholly under the control of the attacker, in turn leading to a
    potential remote code execution (RCE) vulnerability.

    This error affects the DER codec for all extensible CHOICE types
    used in Heimdal, though not all cases will be exploitable.  We have
    not completed a thorough analysis of all the Heimdal components
    affected, thus the Kerberos client, the X.509 library, and other
    parts, may be affected as well.

    This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
    only affect Heimdal 1.6 and up.  It was first reported by Douglas
    Bagnall, though it had been found independently by the Heimdal
    maintainers via fuzzing a few weeks earlier.

    While no zero-day exploit is known, such an exploit will likely be
    available soon after public disclosure.

 - CVE-2019-14870: Validate client attributes in protocol-transition
 - CVE-2019-14870: Apply forwardable policy in protocol-transition
 - CVE-2019-14870: Always lookup impersonate client in DB

Sponsored by:	so (philip)
Obtained from:	so (philip)
Tested by:	philip, cy
MFC after:	immediately
Update the existing heimdal implementation for OpenSSL 1.1. 2018-10-05T16:35:24+00:00 John Baldwin jhb@FreeBSD.org 2018-10-05T16:35:24+00:00 e4456411a8c2d4a9bfbccd60f2cf914fd402f817 Existing work is underway to import a newer version of heimdal, but this patchset gets us to a fully working tree to enable more wide spread testing of OpenSSL 1.1 for now. I've also enabled WARNS=1 for kerberos (which is the reason for the change in libroken). Having -Werror enabled was useful during the 1.1 updates and we probably should have warnings enabled by default for kerberos anyway. This passes make tinderbox, and I have also done some very light runtime testing on amd64. Reviewed by: bjk, jkim, emaste Differential Revision: https://reviews.freebsd.org/D17276 
Existing work is underway to import a newer version of heimdal, but
this patchset gets us to a fully working tree to enable more wide
spread testing of OpenSSL 1.1 for now.

I've also enabled WARNS=1 for kerberos (which is the reason for the
change in libroken).  Having -Werror enabled was useful during the
1.1 updates and we probably should have warnings enabled by default
for kerberos anyway.

This passes make tinderbox, and I have also done some very light
runtime testing on amd64.

Reviewed by:	bjk, jkim, emaste
Differential Revision:	https://reviews.freebsd.org/D17276
Apply patch from upstream Heimdal for encoding fix 2013-12-13T03:09:29+00:00 Benjamin Kaduk bjk@FreeBSD.org 2013-12-13T03:09:29+00:00 0782240958117692ab9861abb5483c9e64f6bc39 RFC 4402 specifies the implementation of the gss_pseudo_random() function for the krb5 mechanism (and the C bindings therein). The implementation uses a PRF+ function that concatenates the output of individual krb5 pseudo-random operations produced with a counter and seed. The original implementation of this function in Heimdal incorrectly encoded the counter as a little-endian integer, but the RFC specifies the counter encoding as big-endian. The implementation initializes the counter to zero, so the first block of output (16 octets, for the modern AES enctypes 17 and 18) is unchanged. (RFC 4402 specifies that the counter should begin at 1, but both existing implementations begin with zero and it looks like the standard will be re-issued, with test vectors, to begin at zero.) This is upstream's commit f85652af868e64811f2b32b815d4198e7f9017f6, from 13 October, 2013: % Fix krb5's gss_pseudo_random() (n is big-endian) % % The first enctype RFC3961 prf output length's bytes are correct because % the little- and big-endian representations of unsigned zero are the % same. The second block of output was wrong because the counter was not % being encoded as big-endian. % % This change could break applications. But those applications would not % have been interoperating with other implementations anyways (in % particular: MIT's). Approved by: hrs (mentor, src committer) MFC after: 3 days 
RFC 4402 specifies the implementation of the gss_pseudo_random()
function for the krb5 mechanism (and the C bindings therein).
The implementation uses a PRF+ function that concatenates the output
of individual krb5 pseudo-random operations produced with a counter
and seed.  The original implementation of this function in Heimdal
incorrectly encoded the counter as a little-endian integer, but the
RFC specifies the counter encoding as big-endian.  The implementation
initializes the counter to zero, so the first block of output (16 octets,
for the modern AES enctypes 17 and 18) is unchanged.  (RFC 4402 specifies
that the counter should begin at 1, but both existing implementations
begin with zero and it looks like the standard will be re-issued, with
test vectors, to begin at zero.)

This is upstream's commit f85652af868e64811f2b32b815d4198e7f9017f6,
from 13 October, 2013:
% Fix krb5's gss_pseudo_random() (n is big-endian)
%
% The first enctype RFC3961 prf output length's bytes are correct because
% the little- and big-endian representations of unsigned zero are the
% same.  The second block of output was wrong because the counter was not
% being encoded as big-endian.
%
% This change could break applications.  But those applications would not
% have been interoperating with other implementations anyways (in
% particular: MIT's).

Approved by:	hrs (mentor, src committer)
MFC after:	3 days
Fix gssapi/gssapi_krb5.h after Heimdal 1.5.1 import. 2013-06-30T07:46:22+00:00 Hiroki Sato hrs@FreeBSD.org 2013-06-30T07:46:22+00:00 3fbceebb4af85423548ff31c942629c8aac07dfe Reviewed by: dfr 
Reviewed by:	dfr
- Update FreeBSD's Heimdal distribution to 1.5.2. This is a bugfix 2012-04-08T08:19:17+00:00 Stanislav Sedov stas@FreeBSD.org 2012-04-08T08:19:17+00:00 cf771f223b1a69e11fd1b70b0a274a73fe844335 release, which fixes a DoS issue in libkrb5. 
  release, which fixes a DoS issue in libkrb5.
- Update FreeBSD Heimdal distribution to version 1.5.1. This also brings 2012-03-22T08:48:42+00:00 Stanislav Sedov stas@FreeBSD.org 2012-03-22T08:48:42+00:00 ae77177087c655fc883075af4f425b37e032cd05 several new kerberos related libraries and applications to FreeBSD: o kgetcred(1) allows one to manually get a ticket for a particular service. o kf(1) securily forwards ticket to another host through an authenticated and encrypted stream. o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1) and other user kerberos operations. klist and kswitch are just symlinks to kcc(1) now. o kswitch(1) allows you to easily switch between kerberos credentials if you're running KCM. o hxtool(1) is a certificate management tool to use with PKINIT. o string2key(1) maps a password into key. o kdigest(8) is a userland tool to access the KDC's digest interface. o kimpersonate(8) creates a "fake" ticket for a service. We also now install manpages for some lirbaries that were not installed before, libheimntlm and libhx509. - The new HEIMDAL version no longer supports Kerberos 4. All users are recommended to switch to Kerberos 5. - Weak ciphers are now disabled by default. To enable DES support (used by telnet(8)), use "allow_weak_crypto" option in krb5.conf. - libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings disabled due to the function they use (krb5_get_err_text(3)) being deprecated. I plan to work on this next. - Heimdal's KDC now require sqlite to operate. We use the bundled version and install it as libheimsqlite. If some other FreeBSD components will require it in the future we can rename it to libbsdsqlite and use for these components as well. - This is not a latest Heimdal version, the new one was released while I was working on the update. I will update it to 1.5.2 soon, as it fixes some important bugs and security issues. 
  several new kerberos related libraries and applications to FreeBSD:
  o kgetcred(1) allows one to manually get a ticket for a particular service.
  o kf(1) securily forwards ticket to another host through an authenticated
    and encrypted stream.
  o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1)
    and other user kerberos operations. klist and kswitch are just symlinks
    to kcc(1) now.
  o kswitch(1) allows you to easily switch between kerberos credentials if
    you're running KCM.
  o hxtool(1) is a certificate management tool to use with PKINIT.
  o string2key(1) maps a password into key.
  o kdigest(8) is a userland tool to access the KDC's digest interface.
  o kimpersonate(8) creates a "fake" ticket for a service.

  We also now install manpages for some lirbaries that were not installed
  before, libheimntlm and libhx509.

- The new HEIMDAL version no longer supports Kerberos 4.  All users are
  recommended to switch to Kerberos 5.

- Weak ciphers are now disabled by default.  To enable DES support (used
  by telnet(8)), use "allow_weak_crypto" option in krb5.conf.

- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings
  disabled due to the function they use (krb5_get_err_text(3)) being
  deprecated.  I plan to work on this next.

- Heimdal's KDC now require sqlite to operate.  We use the bundled version
  and install it as libheimsqlite.  If some other FreeBSD components will
  require it in the future we can rename it to libbsdsqlite and use for these
  components as well.

- This is not a latest Heimdal version, the new one was released while I was
  working on the update.  I will update it to 1.5.2 soon, as it fixes some
  important bugs and security issues.