From: ghudson@mit.edu
Subject: git commit

Check for FAST in encrypted challenge client

If we reach the encrypted challenge clpreauth process method without
an armor key, error out instead of crashing. This can happen if (a)
the KDC offers encrypted challenge even though the request doesn't use
FAST (the Heimdal KDC apparently does this), and (b) we fall back to
that preauth method before generating a preauthenticated request,
typically because of a prompter failure in encrypted timestamp.
Reported by Nico Williams.

https://github.com/krb5/krb5/commit/ff6aac3e018e80fa32df2e14446c6ed9595dfc3c
Author: Greg Hudson <ghudson@mit.edu>
Commit: ff6aac3e018e80fa32df2e14446c6ed9595dfc3c
Branch: master
src/lib/krb5/krb/preauth_ec.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
From: Marc Dionne <marc.dionne@auristor.com>
Date: Wed, 5 Jul 2017 15:58:13 -0300
Subject: kinit segfault with Heimdal server
To: krb5-bugs@mit.edu
Hi,

The following sequence, where REALM has a Heimdal kdc, leads to kinit
dumping core:

$ kinit user@REALM
Password for user@REALM: <hit ctrl-c here>
Password for user@REALM: <hit enter here>
Segmentation fault (core dumped)

First encountered on Fedora 26
(krb5-workstation-1.15.1-8.fc26.x86_64), but also reproduces on Fedora
25 and Centos 7.

The core backtrace looks like:
(gdb) bt

#0 krb5_c_fx_cf2_simple (context=context@entry=0x560a3e1de0d0,
k1=k1@entry=0x0, pepper1=pepper1@entry=0x7fb40acdca01
"clientchallengearmor", k2=0x560a3e1decb0,
pepper2=pepper2@entry=0x7fb40acdc9dd "challengelongterm",
out=out@entry=0x7ffdf2e6b3b0) at cf2.c:139
#1 0x00007fb40aca977c in ec_process (context=0x560a3e1de0d0,
moddata=<optimized out>, modreq=<optimized out>, opt=<optimized out>,
cb=0x7fb40af300c0 <callbacks>,
rock=0x560a3e1deb20, request=0x560a3e1ded20,
encoded_request_body=0x560a3e1e2320,
encoded_previous_request=0x560a3e1e0600, padata=0x560a3e1e1b20,
prompter=0x560a3dca8350 <kinit_prompter>,
prompter_data=0x7ffdf2e6cb40, out_padata=0x7ffdf2e6b500) at
preauth_ec.c:107
#2 0x00007fb40aca90a9 in clpreauth_process
(pa_data_out=0x7ffdf2e6b500, prompter_data=<optimized out>,
prompter=<optimized out>, pa_data=0x560a3e1e1b20,
prev_req=<optimized out>, req_body=<optimized out>, req=<optimized
out>, rock=0x560a3e1deb20, cb=0x7fb40af300c0 <callbacks>,
opt=<optimized out>, h=0x560a3e1e0380,
context=0x560a3e1de0d0) at preauth2.c:281
#3 process_pa_data (out_type=0x560a3e1dece8,
out_pa_list_size=0x7ffdf2e6b4e4, out_pa_list=0x7ffdf2e6b4e8,
must_preauth=1, in_pa_list=0x560a3e1fa490,
ctx=0x560a3e1deb20, context=0x560a3e1de0d0) at preauth2.c:611
#4 k5_preauth (context=context@entry=0x560a3e1de0d0,
ctx=ctx@entry=0x560a3e1deb20, in_padata=0x560a3e1fa490,
must_preauth=1, padata_out=0x560a3e1ded28,
pa_type_out=pa_type_out@entry=0x560a3e1dece8) at preauth2.c:984
#5 0x00007fb40ac99b65 in init_creds_step_request (out=0x7ffdf2e6b6b0,
ctx=0x560a3e1deb20, context=0x560a3e1de0d0) at get_in_tkt.c:1354
#6 krb5_init_creds_step (context=0x560a3e1de0d0, ctx=0x560a3e1deb20,
in=<optimized out>, out=0x7ffdf2e6b6b0, realm=0x7ffdf2e6b6d0,
flags=0x7ffdf2e6b6a8)
at get_in_tkt.c:1717
#7 0x00007fb40ac9a622 in k5_init_creds_get
(context=context@entry=0x560a3e1de0d0, ctx=0x560a3e1deb20,
use_master=use_master@entry=0x7ffdf2e6b868) at get_in_tkt.c:624
#8 0x00007fb40ac9a774 in k5_get_init_creds
(context=context@entry=0x560a3e1de0d0,
creds=creds@entry=0x7ffdf2e6cb90, client=client@entry=0x560a3e1de480,
prompter=prompter@entry=0x560a3dca8350 <kinit_prompter>,
prompter_data=prompter_data@entry=0x7ffdf2e6cb40,
start_time=start_time@entry=0, in_tkt_service=0x0,
options=0x560a3e1dea70, gak_fct=0x7fb40ac9c250
<krb5_get_as_key_password>, gak_data=0x7ffdf2e6b8d0,
use_master=0x7ffdf2e6b868, as_reply=0x7ffdf2e6b870)
at get_in_tkt.c:1783
#9 0x00007fb40ac9c823 in krb5_get_init_creds_password
(context=0x560a3e1de0d0, creds=0x7ffdf2e6cb90, client=0x560a3e1de480,
password=0x0,
prompter=0x560a3dca8350 <kinit_prompter>, data=0x7ffdf2e6cb40,
start_time=0, in_tkt_service=0x0, options=0x560a3e1dea70) at
gic_pwd.c:317
#10 0x0000560a3dca8074 in k5_kinit (k5=0x7ffdf2e6cb60,
opts=0x7ffdf2e6cc10) at kinit.c:819
#11 main (argc=<optimized out>, argv=<optimized out>) at kinit.c:948

.. where it is dereferencing the NULL armor_key pointer.

Testing against an MIT server, the ctrl-C results in:
kinit: Password read interrupted while getting initial credentials

but here the call stack where the prompting occurs is quite different,
and the KRB5_LIBOS_PWDINTR from the prompter function is lost in the
process_pa_data loop.

Not sure if that's the right solution (although it seems logical), but
checking for KRB5_LIBOS_PWDINTR and bailing out there gives a similar
behaviour to the MIT server one. See attached experimental patch.

Thanks,
Marc
Attachment: patch_kinit (application/octet-stream, 691B)

Nico reported this bug in April. It was assigned #8573 (which I will
merge this ticket into). We fixed the encrypted challenge client code
to check for no armor key on master, and marked the fix for pullup to
the 1.15 and 1.14 release branches. We haven't yet pulled up the fix to
the release branches or issued patch releases, so it's not surprising
that you would still see the bug in OS-packaged krb5 builds.

I agree that it is also weird that the client can walk down the preauth
mechanisms via prompter interrupts (or other prompter failures),
especially for these two mechanisms. Your patch might be a good idea
independent of this segfault bug; I will think about it.
From: Marc Dionne <marc.dionne@auristor.com>
Date: Thu, 6 Jul 2017 06:43:18 -0300
Subject: Re: [krbdev.mit.edu #8596] kinit segfault with Heimdal server
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
On Wed, Jul 5, 2017 at 5:46 PM, Greg Hudson via RT
<rt-comment@krbdev.mit.edu> wrote:
> Nico reported this bug in April. It was assigned #8573 (which I will
> merge this ticket into). We fixed the encrypted challenge client code
> to check for no armor key on master, and marked the fix for pullup to
> the 1.15 and 1.14 release branches. We haven't yet pulled up the fix to
> the release branches or issued patch releases, so it's not surprising
> that you would still see the bug in OS-packaged krb5 builds.

Sorry I didn't spot that one; but I didn't look at tickets in the
"review" state, and not sure that the subject would have stood out.

> I agree that it is also weird that the client can walk down the preauth
> mechanisms via prompter interrupts (or other prompter failures),
> especially for these two mechanisms. Your patch might be a good idea
> independent of this segfault bug; I will think about it.

Seems to me that for a typical user not familiar with what's going on
under the hood, the intention when hitting ctrl-C is surely to abort
the whole command, not just the prompt and the single step associated
with it (these steps are not obvious/visible to the user). So IMO it
makes sense to bail out here on ctrl-C.

Thanks,
Marc
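The failure path described in the commit message (encrypted challenge reached without an armor key after a prompter failure in encrypted timestamp) and the prompter-interrupt fall-through Marc describes, as an added runnable model. This is example code written for this page, not code from the krb5 tree: the mechanism loop, the names (walk_preauth, toy_cf2, enc_challenge_process, NEED_FAST), the return-code values and the stand-in key combiner are all assumptions, and the real placement of the armor-key check in preauth_ec.c is not reproduced. It shows three things: the guard that turns the NULL dereference into an error, what the loop does when a ctrl-C in the first mechanism is swallowed and the next mechanism is tried, and what it does when the interrupt is propagated instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled return codes. PWDINTR echoes KRB5_LIBOS_PWDINTR from the ticket;
 * the values are arbitrary and NEED_FAST is a hypothetical code. */
enum { OK = 0, PWDINTR = 1, PREAUTH_FAILED = 2, NEED_FAST = 3 };

/* A prompter fills buf and returns OK, or returns PWDINTR on ctrl-C. */
typedef int (*prompter_fn)(char *buf, size_t buflen, void *data);

/* Per-request state. armor_key stays NULL unless the AS request is
 * FAST-armored, which is the non-FAST case in the report. */
typedef struct {
    const uint8_t *armor_key;
    size_t armor_key_len;
    char password[64];
    int ec_calls;   /* how many times encrypted challenge was entered */
} req_ctx;

typedef int (*process_fn)(req_ctx *ctx, prompter_fn prompter, void *pdata);

/* Toy stand-in for krb5_c_fx_cf2_simple(): mixes two keys and two pepper
 * strings into 16 bytes. Not a KDF; it exists only to show that a NULL key
 * must be rejected before it is read. */
static int toy_cf2(const uint8_t *k1, size_t k1len, const char *pepper1,
                   const uint8_t *k2, size_t k2len, const char *pepper2,
                   uint8_t out[16])
{
    size_t p1len = strlen(pepper1), p2len = strlen(pepper2);
    if (k1 == NULL || k2 == NULL || !k1len || !k2len || !p1len || !p2len)
        return PREAUTH_FAILED;
    for (size_t i = 0; i < 16; i++)
        out[i] = k1[i % k1len] ^ pepper1[i % p1len] ^
                 k2[i % k2len] ^ pepper2[i % p2len];
    return OK;
}

/* Encrypted timestamp: only needs the password, so it prompts. A ctrl-C
 * surfaces here as PWDINTR. */
static int enc_timestamp_process(req_ctx *ctx, prompter_fn prompter, void *pdata)
{
    return prompter(ctx->password, sizeof(ctx->password), pdata);
}

/* Encrypted challenge. The armor-key guard is the point of the commit:
 * without an armor key there is nothing to combine, so error out rather
 * than reach the combiner with k1 == NULL. */
static int enc_challenge_process(req_ctx *ctx, prompter_fn prompter, void *pdata)
{
    uint8_t long_term[16], challenge_key[16];
    int ret;

    ctx->ec_calls++;
    if (ctx->armor_key == NULL)
        return NEED_FAST;
    ret = prompter(ctx->password, sizeof(ctx->password), pdata);
    if (ret != OK)
        return ret;
    memset(long_term, 0x41, sizeof long_term);   /* toy long-term key */
    return toy_cf2(ctx->armor_key, ctx->armor_key_len, "clientchallengearmor",
                   long_term, sizeof long_term, "challengelongterm",
                   challenge_key);
}

/* Walk the offered mechanisms in order. With stop_on_pwdintr == 0 an
 * interrupt is swallowed and the next mechanism is tried (the fall-through
 * the ticket describes); with it set, the interrupt aborts the walk. */
static int walk_preauth(req_ctx *ctx, process_fn *mechs, size_t nmechs,
                        prompter_fn prompter, void *pdata, int stop_on_pwdintr)
{
    int last = PREAUTH_FAILED;
    for (size_t i = 0; i < nmechs; i++) {
        int ret = mechs[i](ctx, prompter, pdata);
        if (ret == OK || (ret == PWDINTR && stop_on_pwdintr))
            return ret;
        last = ret;
    }
    return last;
}

/* Constructed prompter reproducing the report: ctrl-C on the first prompt,
 * an empty password on any later one. */
static int scripted_prompter(char *buf, size_t buflen, void *data)
{
    int *calls = data;
    if (++*calls == 1)
        return PWDINTR;
    if (buflen)
        buf[0] = '\0';
    return OK;
}

static int run_scenario(int fast, int stop_on_pwdintr, int *ec_calls)
{
    static const uint8_t armor[16] = { 0x5a };   /* constructed armor key */
    req_ctx ctx = { fast ? armor : NULL, fast ? sizeof armor : 0, "", 0 };
    process_fn mechs[] = { enc_timestamp_process, enc_challenge_process };
    int prompts = 0;
    int ret = walk_preauth(&ctx, mechs, 2, scripted_prompter, &prompts,
                           stop_on_pwdintr);
    *ec_calls = ctx.ec_calls;
    return ret;
}

int scenario_result(int fast, int stop) { int ec; return run_scenario(fast, stop, &ec); }
int scenario_ec_calls(int fast, int stop) { int ec; run_scenario(fast, stop, &ec); return ec; }

int main(void)
{
    printf("non-FAST, fall through : ret=%d ec_calls=%d\n",
           scenario_result(0, 0), scenario_ec_calls(0, 0));
    printf("non-FAST, stop on ctrl-C: ret=%d ec_calls=%d\n",
           scenario_result(0, 1), scenario_ec_calls(0, 1));
    return 0;
}
```

Without the guard, the first scenario is the crash from the backtrace: encrypted timestamp returns the interrupt, the loop moves on, and encrypted challenge calls the combiner with a NULL first key. With the guard it returns NEED_FAST instead, and with stop_on_pwdintr set the second mechanism is never entered, which is the behaviour Marc's patch argues for.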
From: ghudson@mit.edu
Subject: git commit

Check for FAST in encrypted challenge client

If we reach the encrypted challenge clpreauth process method without
an armor key, error out instead of crashing. This can happen if (a)
the KDC offers encrypted challenge even though the request doesn't use
FAST (the Heimdal KDC apparently does this), and (b) we fall back to
that preauth method before generating a preauthenticated request,
typically because of a prompter failure in encrypted timestamp.
Reported by Nico Williams.

(cherry picked from commit ff6aac3e018e80fa32df2e14446c6ed9595dfc3c)

https://github.com/krb5/krb5/commit/39a8a84b9bc880ef2879667f93c18b4d1b989eff
Author: Greg Hudson <ghudson@mit.edu>
Commit: 39a8a84b9bc880ef2879667f93c18b4d1b989eff
Branch: krb5-1.14
src/lib/krb5/krb/preauth_ec.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Check for FAST in encrypted challenge client

If we reach the encrypted challenge clpreauth process method without
an armor key, error out instead of crashing. This can happen if (a)
the KDC offers encrypted challenge even though the request doesn't use
FAST (the Heimdal KDC apparently does this), and (b) we fall back to
that preauth method before generating a preauthenticated request,
typically because of a prompter failure in encrypted timestamp.
Reported by Nico Williams.

(cherry picked from commit ff6aac3e018e80fa32df2e14446c6ed9595dfc3c)

https://github.com/krb5/krb5/commit/ab8ab286f9c27ea34fb569dcb4472896abbf96d8
Author: Greg Hudson <ghudson@mit.edu>
Commit: ab8ab286f9c27ea34fb569dcb4472896abbf96d8
Branch: krb5-1.15
src/lib/krb5/krb/preauth_ec.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)