upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-06 23:32:52 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
opnsense-src/crypto/heimdal/lib/gssapi/ntlm/init_sec_context.c
Cy Schubert ed549cb0c5 heimdal: Fix multiple security vulnerabilities 
The following issues are patched:

 - CVE-2022-42898 PAC parse integer overflows
 - CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
 - CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
 - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec

    Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
    on the Common Vulnerability Scoring System (CVSS) v3, as we believe
    it should be possible to get an RCE on a KDC, which means that
    credentials can be compromised that can be used to impersonate
    anyone in a realm or forest of realms.

    Heimdal's ASN.1 compiler generates code that allows specially
    crafted DER encodings of CHOICEs to invoke the wrong free function
    on the decoded structure upon decode error.  This is known to impact
    the Heimdal KDC, leading to an invalid free() of an address partly
    or wholly under the control of the attacker, in turn leading to a
    potential remote code execution (RCE) vulnerability.

    This error affects the DER codec for all extensible CHOICE types
    used in Heimdal, though not all cases will be exploitable.  We have
    not completed a thorough analysis of all the Heimdal components
    affected, thus the Kerberos client, the X.509 library, and other
    parts, may be affected as well.

    This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
    only affect Heimdal 1.6 and up.  It was first reported by Douglas
    Bagnall, though it had been found independently by the Heimdal
    maintainers via fuzzing a few weeks earlier.

    While no zero-day exploit is known, such an exploit will likely be
    available soon after public disclosure.

 - CVE-2019-14870: Validate client attributes in protocol-transition
 - CVE-2019-14870: Apply forwardable policy in protocol-transition
 - CVE-2019-14870: Always lookup impersonate client in DB

Sponsored by:	so (philip)
Obtained from:	so (philip)
Tested by:	philip, cy
MFC after:	immediately
2022-11-15 13:12:37 -08:00

503 lines
12 KiB
C
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*
* Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "ntlm.h"
static int
from_file(const char *fn, const char *target_domain,
char **username, struct ntlm_buf *key)
{
char *str, buf[1024];
FILE *f;
f = fopen(fn, "r");
if (f == NULL)
return ENOENT;
rk_cloexec_file(f);
while (fgets(buf, sizeof(buf), f) != NULL) {
char *d, *u, *p;
buf[strcspn(buf, "\r\n")] = '\0';
if (buf[0] == '#')
continue;
str = NULL;
d = strtok_r(buf, ":", &str);
if (!d)
continue;
if (d && strcasecmp(target_domain, d) != 0)
continue;
u = strtok_r(NULL, ":", &str);
p = strtok_r(NULL, ":", &str);
if (u == NULL || p == NULL)
continue;
*username = strdup(u);
heim_ntlm_nt_key(p, key);
memset(buf, 0, sizeof(buf));
fclose(f);
return 0;
}
memset(buf, 0, sizeof(buf));
fclose(f);
return ENOENT;
}
static int
get_user_file(const ntlm_name target_name,
char **username, struct ntlm_buf *key)
{
const char *fn;
if (issuid())
return ENOENT;
fn = getenv("NTLM_USER_FILE");
if (fn == NULL)
return ENOENT;
if (from_file(fn, target_name->domain, username, key) == 0)
return 0;
return ENOENT;
}
/*
* Pick up the ntlm cred from the default krb5 credential cache.
*/
static int
get_user_ccache(const ntlm_name name, char **username, struct ntlm_buf *key)
{
krb5_context context = NULL;
krb5_principal client;
krb5_ccache id = NULL;
krb5_error_code ret;
char *confname;
krb5_data data;
*username = NULL;
krb5_data_zero(&data);
key->length = 0;
key->data = NULL;
ret = krb5_init_context(&context);
if (ret)
return ret;
ret = krb5_cc_default(context, &id);
if (ret)
goto out;
ret = krb5_cc_get_principal(context, id, &client);
if (ret)
goto out;
ret = krb5_unparse_name_flags(context, client,
KRB5_PRINCIPAL_UNPARSE_NO_REALM,
username);
krb5_free_principal(context, client);
if (ret)
goto out;
asprintf(&confname, "ntlm-key-%s", name->domain);
if (confname == NULL) {
krb5_clear_error_message(context);
ret = ENOMEM;
goto out;
}
ret = krb5_cc_get_config(context, id, NULL,
confname, &data);
if (ret)
goto out;
key->data = malloc(data.length);
if (key->data == NULL) {
ret = ENOMEM;
goto out;
}
key->length = data.length;
memcpy(key->data, data.data, data.length);
out:
krb5_data_free(&data);
if (id)
krb5_cc_close(context, id);
krb5_free_context(context);
return ret;
}
int
_gss_ntlm_get_user_cred(const ntlm_name target_name,
ntlm_cred *rcred)
{
ntlm_cred cred;
int ret;
cred = calloc(1, sizeof(*cred));
if (cred == NULL)
return ENOMEM;
ret = get_user_file(target_name, &cred->username, &cred->key);
if (ret)
ret = get_user_ccache(target_name, &cred->username, &cred->key);
if (ret) {
free(cred);
return ret;
}
cred->domain = strdup(target_name->domain);
*rcred = cred;
return ret;
}
static int
_gss_copy_cred(ntlm_cred from, ntlm_cred *to)
{
*to = calloc(1, sizeof(**to));
if (*to == NULL)
return ENOMEM;
(*to)->username = strdup(from->username);
if ((*to)->username == NULL) {
free(*to);
return ENOMEM;
}
(*to)->domain = strdup(from->domain);
if ((*to)->domain == NULL) {
free((*to)->username);
free(*to);
return ENOMEM;
}
(*to)->key.data = malloc(from->key.length);
if ((*to)->key.data == NULL) {
free((*to)->domain);
free((*to)->username);
free(*to);
return ENOMEM;
}
memcpy((*to)->key.data, from->key.data, from->key.length);
(*to)->key.length = from->key.length;
return 0;
}
OM_uint32 GSSAPI_CALLCONV
_gss_ntlm_init_sec_context
(OM_uint32 * minor_status,
const gss_cred_id_t initiator_cred_handle,
gss_ctx_id_t * context_handle,
const gss_name_t target_name,
const gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
const gss_channel_bindings_t input_chan_bindings,
const gss_buffer_t input_token,
gss_OID * actual_mech_type,
gss_buffer_t output_token,
OM_uint32 * ret_flags,
OM_uint32 * time_rec
)
{
ntlm_ctx ctx;
ntlm_name name = (ntlm_name)target_name;
*minor_status = 0;
if (ret_flags)
*ret_flags = 0;
if (time_rec)
*time_rec = 0;
if (actual_mech_type)
*actual_mech_type = GSS_C_NO_OID;
if (*context_handle == GSS_C_NO_CONTEXT) {
struct ntlm_type1 type1;
struct ntlm_buf data;
uint32_t flags = 0;
int ret;
ctx = calloc(1, sizeof(*ctx));
if (ctx == NULL) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
*context_handle = (gss_ctx_id_t)ctx;
if (initiator_cred_handle != GSS_C_NO_CREDENTIAL) {
ntlm_cred cred = (ntlm_cred)initiator_cred_handle;
ret = _gss_copy_cred(cred, &ctx->client);
} else
ret = _gss_ntlm_get_user_cred(name, &ctx->client);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
if (req_flags & GSS_C_CONF_FLAG)
flags |= NTLM_NEG_SEAL;
if (req_flags & GSS_C_INTEG_FLAG)
flags |= NTLM_NEG_SIGN;
else
flags |= NTLM_NEG_ALWAYS_SIGN;
flags |= NTLM_NEG_UNICODE;
flags |= NTLM_NEG_NTLM;
flags |= NTLM_NEG_NTLM2_SESSION;
flags |= NTLM_NEG_KEYEX;
memset(&type1, 0, sizeof(type1));
type1.flags = flags;
type1.domain = name->domain;
type1.hostname = NULL;
type1.os[0] = 0;
type1.os[1] = 0;
ret = heim_ntlm_encode_type1(&type1, &data);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
output_token->value = data.data;
output_token->length = data.length;
return GSS_S_CONTINUE_NEEDED;
} else {
krb5_error_code ret;
struct ntlm_type2 type2;
struct ntlm_type3 type3;
struct ntlm_buf data;
ctx = (ntlm_ctx)*context_handle;
data.data = input_token->value;
data.length = input_token->length;
ret = heim_ntlm_decode_type2(&data, &type2);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
ctx->flags = type2.flags;
/* XXX check that type2.targetinfo matches `target_name´ */
/* XXX check verify targetinfo buffer */
memset(&type3, 0, sizeof(type3));
type3.username = ctx->client->username;
type3.flags = type2.flags;
type3.targetname = type2.targetname;
type3.ws = rk_UNCONST("workstation");
/*
* NTLM Version 1 if no targetinfo buffer.
*/
if (1 || type2.targetinfo.length == 0) {
struct ntlm_buf sessionkey;
if (type2.flags & NTLM_NEG_NTLM2_SESSION) {
unsigned char nonce[8];
if (RAND_bytes(nonce, sizeof(nonce)) != 1) {
_gss_ntlm_delete_sec_context(minor_status,
context_handle, NULL);
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
ret = heim_ntlm_calculate_ntlm2_sess(nonce,
type2.challenge,
ctx->client->key.data,
&type3.lm,
&type3.ntlm);
} else {
ret = heim_ntlm_calculate_ntlm1(ctx->client->key.data,
ctx->client->key.length,
type2.challenge,
&type3.ntlm);
}
if (ret) {
_gss_ntlm_delete_sec_context(minor_status,context_handle,NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = heim_ntlm_build_ntlm1_master(ctx->client->key.data,
ctx->client->key.length,
&sessionkey,
&type3.sessionkey);
if (ret) {
if (type3.lm.data)
free(type3.lm.data);
if (type3.ntlm.data)
free(type3.ntlm.data);
_gss_ntlm_delete_sec_context(minor_status,context_handle,NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_data_copy(&ctx->sessionkey,
sessionkey.data, sessionkey.length);
free(sessionkey.data);
if (ret) {
if (type3.lm.data)
free(type3.lm.data);
if (type3.ntlm.data)
free(type3.ntlm.data);
_gss_ntlm_delete_sec_context(minor_status,context_handle,NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
ctx->status |= STATUS_SESSIONKEY;
} else {
struct ntlm_buf sessionkey;
unsigned char ntlmv2[16];
struct ntlm_targetinfo ti;
/* verify infotarget */
ret = heim_ntlm_decode_targetinfo(&type2.targetinfo, 1, &ti);
if(ret) {
_gss_ntlm_delete_sec_context(minor_status,
context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
if (ti.domainname && strcmp(ti.domainname, name->domain) != 0) {
_gss_ntlm_delete_sec_context(minor_status,
context_handle, NULL);
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
ret = heim_ntlm_calculate_ntlm2(ctx->client->key.data,
ctx->client->key.length,
ctx->client->username,
name->domain,
type2.challenge,
&type2.targetinfo,
ntlmv2,
&type3.ntlm);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status,
context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = heim_ntlm_build_ntlm1_master(ntlmv2, sizeof(ntlmv2),
&sessionkey,
&type3.sessionkey);
memset(ntlmv2, 0, sizeof(ntlmv2));
if (ret) {
_gss_ntlm_delete_sec_context(minor_status,
context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
ctx->flags |= NTLM_NEG_NTLM2_SESSION;
ret = krb5_data_copy(&ctx->sessionkey,
sessionkey.data, sessionkey.length);
free(sessionkey.data);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status,
context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
}
if (ctx->flags & NTLM_NEG_NTLM2_SESSION) {
ctx->status |= STATUS_SESSIONKEY;
_gss_ntlm_set_key(&ctx->u.v2.send, 0, (ctx->flags & NTLM_NEG_KEYEX),
ctx->sessionkey.data,
ctx->sessionkey.length);
_gss_ntlm_set_key(&ctx->u.v2.recv, 1, (ctx->flags & NTLM_NEG_KEYEX),
ctx->sessionkey.data,
ctx->sessionkey.length);
} else {
ctx->status |= STATUS_SESSIONKEY;
RC4_set_key(&ctx->u.v1.crypto_recv.key,
ctx->sessionkey.length,
ctx->sessionkey.data);
RC4_set_key(&ctx->u.v1.crypto_send.key,
ctx->sessionkey.length,
ctx->sessionkey.data);
}
ret = heim_ntlm_encode_type3(&type3, &data);
free(type3.sessionkey.data);
if (type3.lm.data)
free(type3.lm.data);
if (type3.ntlm.data)
free(type3.ntlm.data);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
output_token->length = data.length;
output_token->value = data.data;
if (actual_mech_type)
*actual_mech_type = GSS_NTLM_MECHANISM;
if (ret_flags)
*ret_flags = 0;
if (time_rec)
*time_rec = GSS_C_INDEFINITE;
ctx->status |= STATUS_OPEN;
return GSS_S_COMPLETE;
}
}
Reference in a new issue View git blame Copy permalink