Skip Menu |
 

Download (untitled) / with headers
text/plain 3.3KiB
From krb5-bugs-incoming-bounces@mit.edu Thu Apr 29 18:29:20 2004
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.9.3p2) with ESMTP
id SAA05074; Thu, 29 Apr 2004 18:29:19 -0400 (EDT)
Received: from pch.mit.edu (localhost [127.0.0.1])
by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id i3TMTJos012983
for <krb5-send-pr@krbdev.mit.edu>; Thu, 29 Apr 2004 18:29:19 -0400 (EDT)
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
[18.7.7.76])
by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id i3RMbjos014847
for <krb5-bugs-incoming@PCH.mit.edu>;
Tue, 27 Apr 2004 18:37:45 -0400 (EDT)
Received: from mailgate02.slac.stanford.edu (mailgate02.slac.stanford.edu
[134.79.18.92])i3RMbiZW012897
for <krb5-bugs@mit.edu>; Tue, 27 Apr 2004 18:37:44 -0400 (EDT)
Received: from telemark.slac.stanford.edu (telemark.slac.stanford.edu
[134.79.24.241])i3RMbhgR023819
for <krb5-bugs@mit.edu>; Tue, 27 Apr 2004 15:37:43 -0700 (PDT)
(envelope-from bbense@slac.stanford.edu)
Received: (from bbense@localhost)i3RMbhD8031760;
Tue, 27 Apr 2004 15:37:43 -0700
Date: Tue, 27 Apr 2004 15:37:43 -0700
From: Booker Bense <bbense@slac.stanford.edu>
Message-Id: <200404272237.i3RMbhD8031760@telemark.slac.stanford.edu>
To: krb5-bugs@mit.edu
X-send-pr-version: 3.99
X-Mailman-Approved-At: Thu, 29 Apr 2004 17:36:14 -0400
X-BeenThere: krb5-bugs-incoming@mit.edu
X-Mailman-Version: 2.1
Precedence: list
Reply-To: bbense@slac.stanford.edu
Sender: krb5-bugs-incoming-bounces@mit.edu
Errors-To: krb5-bugs-incoming-bounces@mit.edu


Show quoted text
>Submitter-Id: net
>Originator: Booker Bense
>Organization: Stanford Linear Accellerator
>Confidential: no
>Synopsis: AFS string_to_key broken for passwords > 8 chars
>Severity: serious
>Priority: medium
>Category: krb5-libs
>Class: sw-bug
>Release: krb5-1.3.3
>Environment: Mac OSX,

System: Linux telemark 2.4.21-9.0.1.EL #1 Mon Feb 9 22:44:14 EST 2004 i686 i686 i386 GNU/Linux
Architecture: i686

Show quoted text
>Description:

The function mit_des_string_to_key_int contains this work around
for use with converted AFS keys in a Heimdal KDC.

if (salt->length == SALT_TYPE_AFS_LENGTH || salt->length == (unsigned) -1) {
krb5_data salt2;
char *c;
c = strchr(salt->data, '@');
if (c != NULL) *c = '\0'; /* workaround from krb5-clients/1146 */
salt2.data = salt->data;
salt2.length = strlen (salt2.data);
/* cheat and do AFS string2key instead */
return mit_afs_string_to_key (keyblock, data, &salt2);

However, this code incorrectly computes the length of the salt2 if
the '@' is missing from the original salt data. In fact there is no
guarantee that strlen is going to return anything but garbage. There
is the potential for a buffer overflow in this code.

Unfortunately, due to the extremely brain-damaged solution of using a
length field as a data type flag, there is no quick and simple solution
to this problem.

Show quoted text
>How-To-Repeat:

Use a password of longer than 8 chars with an AFS string_to_key
algorithm.


Show quoted text
>Fix:

Obviously, if there are other key salt type available this
problem goes away. Changing your password after conversion is one
work around. As far as fixing the actual code itself, this would require
significant reworking of the libraries. At a minimum you should
add some sanity checks before calling strlen, it also would be a
good idea to check the result of strchr as well.
Download (untitled) / with headers
text/plain 3.4KiB
From krb5-bugs-incoming-bounces@mit.edu Thu Apr 29 18:29:58 2004
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.9.3p2) with ESMTP
id SAA05092; Thu, 29 Apr 2004 18:29:58 -0400 (EDT)
Received: from pch.mit.edu (localhost [127.0.0.1])
by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id i3TMTvos013003
for <krb5-send-pr@krbdev.mit.edu>; Thu, 29 Apr 2004 18:29:57 -0400 (EDT)
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
[18.7.21.83])
by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id i3TJXMos008869
for <krb5-bugs-incoming@PCH.mit.edu>;
Thu, 29 Apr 2004 15:33:22 -0400 (EDT)
Received: from mailgate01.slac.stanford.edu (mailgate01.slac.stanford.edu
[134.79.18.80])i3TJXKuh019411
for <krb5-bugs@mit.edu>; Thu, 29 Apr 2004 15:33:20 -0400 (EDT)
Received: from telemark.slac.stanford.edu (telemark.slac.stanford.edu
[134.79.24.241])i3TJXI5S013781
for <krb5-bugs@mit.edu>; Thu, 29 Apr 2004 12:33:18 -0700 (PDT)
(envelope-from bbense@slac.stanford.edu)
Date: Thu, 29 Apr 2004 12:33:18 -0700 (PDT)
From: Booker Bense <bbense@slac.stanford.edu>
To: krb5-bugs@mit.edu
Message-ID: <Pine.LNX.4.58.0404291228320.12489@telemark.slac.stanford.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Mailman-Approved-At: Thu, 29 Apr 2004 17:36:14 -0400
Subject: Bug in AFS string_to_key
X-BeenThere: krb5-bugs-incoming@mit.edu
X-Mailman-Version: 2.1
Precedence: list
Sender: krb5-bugs-incoming-bounces@mit.edu
Errors-To: krb5-bugs-incoming-bounces@mit.edu


- My apologies if you've seen this already. I didn't see it in
the krb5-bugs archive and I sent it via krb5-send-pr two days
ago.

Show quoted text
>Submitter-Id: net
>Originator: Booker Bense
>Organization: Stanford Linear Accellerator
>Confidential: no
>Synopsis: AFS string_to_key broken for passwords > 8 chars
>Severity: serious
>Priority: medium
>Category: krb5 libraries
>Class: sw-bug
>Release: krb5-1.3.3
>Environment: Mac OSX,

System: Linux telemark 2.4.21-9.0.1.EL #1 Mon Feb 9 22:44:14 EST 2004 i686 i686 i386 GNU/Linux
Architecture: i686

Show quoted text
>Description:

The function mit_des_string_to_key_int contains this work around
for use with converted AFS keys in a Heimdal KDC.

if (salt->length == SALT_TYPE_AFS_LENGTH || salt->length == (unsigned) -1) {
krb5_data salt2;
char *c;
c = strchr(salt->data, '@');
if (c != NULL) *c = '\0'; /* workaround from krb5-clients/1146 */
salt2.data = salt->data;
salt2.length = strlen (salt2.data);
/* cheat and do AFS string2key instead */
return mit_afs_string_to_key (keyblock, data, &salt2);

However, this code incorrectly computes the length of the salt2 if
the '@' is missing from the original salt data. In fact there is no
guarantee that strlen is going to return anything but garbage. There
is the potential for a buffer overflow in this code, or at least
random memory corruption.

Unfortunately, due to the extremely brain-damaged solution of using a
length field as a data type flag, there is no quick and simple solution
to this problem.

Show quoted text
>How-To-Repeat:

Use a password of longer than 8 chars with an AFS string_to_key
algorithm.


Show quoted text
>Fix:

Obviously, if there are other key salt type available this
problem goes away. Changing your password after conversion is one
work around. As far as fixing the actual code itself, this would require
significant reworking of the libraries. At a minimum you should
and some sanity checks before calling strlen, it also would be a
good idea to check the result of strchr as well.
To: rt@krbdev.mit.edu
Cc:
Subject: Re: [krbdev.mit.edu #2545] AFS string_to_key broken for passwords > 8 chars
From: Sam Hartman <hartmans@mit.edu>
Date: Thu, 29 Apr 2004 22:53:18 -0400
RT-Send-Cc:

One work around might be to convince the Heimdal KDC to send the
appropriate etype_info2 s2kparams to indicate that the AFS3 salt
should be used. If your KDC does this, our code should do the right
thing.
Date: Fri, 30 Apr 2004 15:20:08 -0700 (PDT)
From: Booker Bense <bbense@slac.stanford.edu>
To: Sam Hartman via RT <rt-comment@krbdev.mit.edu>
Cc: krb5-prs@mit.edu
Subject: Re: [krbdev.mit.edu #2545] AFS string_to_key broken for passwords > 8 chars
RT-Send-Cc:
On Thu, 29 Apr 2004, Sam Hartman via RT wrote:

Show quoted text
>
> One work around might be to convince the Heimdal KDC to send the
> appropriate etype_info2 s2kparams to indicate that the AFS3 salt
> should be used. If your KDC does this, our code should do the right
> thing.
>

_ Even for 8 char and less passwords? I'm not seeing how that
could happen since the right algorithm is only in
mit_afs_string_to_key and that is only called in one
place. I agree it would work for 9 char password, but there
is no way for the KDC to know the length of your password.

_ Is there some code path I'm missing?

_ Booker C. Bense
To: rt@krbdev.mit.edu
Cc: krb5-prs@mit.edu
Subject: Re: [krbdev.mit.edu #2545] AFS string_to_key broken for passwords > 8 chars
From: Sam Hartman <hartmans@mit.edu>
Date: Fri, 30 Apr 2004 22:44:12 -0400
RT-Send-Cc:
Show quoted text
>>>>> "bbense@slac" == bbense@slac stanford edu via RT <rt-comment@krbdev.mit.edu> writes:

bbense@slac> _ Is there some code path I'm missing?

Yes, I believe so.

I will check next week.
To: rt@krbdev.mit.edu
Subject: [krbdev.mit.edu #2545]
Date: Mon, 3 May 2004 19:49:06 -0400 (EDT)
From: hartmans@mit.edu (Sam Hartman)
RT-Send-Cc:


Yes, afs string2key is also called from
src/lib/crypto/old/des_string2key.c in the s2kparams = 1 case.
However I'm not sure that code actually helps your problem because it
doesn't look like the AFS s2k function takes a length at all.


How did this ever work?
To: krb5-bugs@mit.edu
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Wed, 3 Aug 2005 15:22:59 -0700
Subject: Cannot kinit with AFS password longer than 8 char on RedHat Enterprise 3 UG 4
Tcpdump traces, test case, and login for relevant machine sent to
Jeffrey Altman.

The same user can klog, and can also use the kinit on MacOS X 10.3.9
(as well as the Heimdal kinit on OSX.3.9). I think it's really weird
that it depends on *both* the key type *and* the platform.
------------------------------------------------------------------------
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
Download (untitled) / with headers
text/plain 3.7KiB
Some archaeology on the evolution of this and related bugs:

* 1.0-beta6: etype-info support is added, but is only returned in the
preauth hint list (not AS replies) and is only used by the client
preauth system after a preauth-required error (not to decrypt AS
replies).

AFS string-to-key support is also added. It is communicated with the
afs3-salt padata type and a null-terminated salt. The client reacts by
setting a salt->length of -1. mit_des_string_to_key_int recognizes this
and calls mit_afs_string_to_key, which (unsafely) assumes that the salt
is null-terminated.

AFS keys do not appear to work with etype-info (no type information is
communicated), which means AFS keys probably don't work with preauth at
this point.

* 1.1: the get_init_creds system is added. The corresponding rewritten
preauth system (preauth2.c) uses the same logic to handle the hint list
and the AS reply, but appears to have no etype-info support (so it uses
pw-salt/afs3-salt in both the hint list and the AS reply).

* 1.1.1: preauth2.c gains etype-info support, preferring it over pw-
salt/afs3-salt, in order to work around a 1.0 KDC bug in the generation
of pw-salt in the preauth hint list. This is the first time etype-info
is used by the client when decrypting AS replies (but the KDC isn't
sending etype-info in AS replies, so AFS keys still mostly work in
practice).

* 1.2.6: a hack is added to truncate the salt at '@' for
interoperability with Heimdal.

* 1.3: etype-info2 support is added to the client and KDC. preauth2.c
prefers etype-info2 over etype-info. etype-info is suppressed if newer
enctypes (which basically means AES) are present in the request. etype-
info2 is returned in the AS reply as well as the hint list, but etype-
info is still never returned there. etype-info2 tags AFS keys using
s2kparams (it does not null-terminate the salt value).
krb5int_des_string_to_key recognizes the s2kparams and calls
mit_afs_string_to_key. mit_afs_string_to_key is fixed to use salt-
Show quoted text
>length. Along this new code path, there is no '@' hack and no
assumption of null-terminated salt values. AFS keys probably work with
preauth at this point (given a 1.3 KDC and client).

The old AFS trap door in mit_des_string_to_key_int still exists, still
has the '@' hack, and is still used if the AS reply contains no etype-
info2. It sets a length on the salt value passed to
mit_afs_string_to_key, but still assumes a null-terminated salt value
when doing so.

krb5_data's length element changes from int to unsigned int in this
release, and a constant SALT_TYPE_AFS_LENGTH (equal to UINT_MAX)
replaces the use of -1 in salt->length.

* 1.4.3: the KDC starts including etype-info in AS replies, if no newer
enctype is requested, in order to better conform with RFC 4120 (#3207).
Since etype-info doesn't tag AFS keys, 1.1.1 through 1.2.8 clients break
with AFS keys. This is reported in #3456 with a candidate patch to
avoid sending etype-info for AFS keys, but the patch is not taken. (It
may still be a good idea, although the interop issue is almost certainly
moot by now.)

Nothing has really changed since then. I believe AFS keys work along
all code paths assuming that afs3-salt padata values come with null
termination (true of all MIT KDC versions), but that code path on the
client is still unsafe.

I would speculate that this particular bug report pertains to a Heimdal
KDC which was sending afs3-salt padata values with (1) no null
terminator, (2) no '@' in the salt, and (3) a salt (realm) longer than
eight bytes. When the password is eight bytes or less, only the first
eight bytes of the salt are used and everything works. When the
password is more than eight bytes, the full salt is used, with some
trailing garbage due to the lack of a null terminator.
From: ghudson@mit.edu
Subject: SVN Commit
Ensure null termination of AFS salts

Use krb5int_copy_data_contents_add0 when copying a pa-pw-salt or
pa-afs3-salt value in pa_salt(). If it's an afs3-salt, we're going to
throw away the length and use strcspn in krb5int_des_string_to_key,
which isn't safe if the value is unterminated.

https://github.com/krb5/krb5/commit/f566fee75f2455d6e5e7ee4fcdf5a0d327808639
Commit By: ghudson
Revision: 25833
Changed Files:
U trunk/src/lib/krb5/krb/preauth2.c
A much cleaner, but more invasive, fix would be to stop using
SALT_TYPE_AFS_LENGTH to tag AFS salts, and instead use s2kparams along all
code paths. Some care would be required to preserve the '@' hack for
afs3-salt values.
Subject: Re: [krbdev.mit.edu #2545] SVN Commit
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Fri, 27 Apr 2012 15:13:05 -0700
CC: Booker Bense <bbense@slac.stanford.edu>
To: <rt-comment@krbdev.mit.edu>
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.1KiB

On Apr 27, 2012, at 10:04 AM, Greg Hudson via RT wrote:

Show quoted text
> Ensure null termination of AFS salts
>
> Use krb5int_copy_data_contents_add0 when copying a pa-pw-salt or
> pa-afs3-salt value in pa_salt(). If it's an afs3-salt, we're going to
> throw away the length and use strcspn in krb5int_des_string_to_key,
> which isn't safe if the value is unterminated.
>
> https://github.com/krb5/krb5/commit/f566fee75f2455d6e5e7ee4fcdf5a0d327808639
> Commit By: ghudson
> Revision: 25833
> Changed Files:
> U trunk/src/lib/krb5/krb/preauth2.c

I'm guessing that this resolves the old problem with AFS-salted passwords longer than 8 characters?

Don't get me wrong, if something's in the code it ought to be correct, or removed, so good! However we will have eliminated Kerberos 4 by the end of May, and with luck I expect to eliminate single-DES within a month or two after that (except for some service principals like "afs@JPL.NASA.GOV". At that point I, personally, won't care any more.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
I think it should resolve the problem, yes. I realize this is probably
coming long after people stopped having AFS-salted keys to worry about.