1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
|
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 2420f2c2be..a59a65e8f6 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -330,6 +330,13 @@ kadm5_create_principal_3(void *server_handle,
return KADM5_BAD_MASK;
if((mask & ~ALL_PRINC_MASK))
return KADM5_BAD_MASK;
+ if (mask & KADM5_TL_DATA) {
+ for (tl_data_tail = entry->tl_data; tl_data_tail != NULL;
+ tl_data_tail = tl_data_tail->tl_data_next) {
+ if (tl_data_tail->tl_data_type < 256)
+ return KADM5_BAD_TL_TYPE;
+ }
+ }
/*
* Check to see if the principal exists
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
index 535a1f309e..8b8420faa9 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -141,7 +141,7 @@ extern int set_ldap_error (krb5_context ctx, int st, int op);
#define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr))
#define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr))
-#define KDB_TL_USER_INFO 0x7ffe
+#define KDB_TL_USER_INFO 0xff
#define KDB_TL_PRINCTYPE 0x01
#define KDB_TL_PRINCCOUNT 0x02
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 88a1704950..b7c9212cb2 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -651,6 +651,107 @@ update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry,
return ret;
}
+static krb5_error_code
+check_dn_in_container(krb5_context context, const char *dn,
+ char *const *subtrees, unsigned int ntrees)
+{
+ unsigned int i;
+ size_t dnlen = strlen(dn), stlen;
+
+ for (i = 0; i < ntrees; i++) {
+ if (subtrees[i] == NULL || *subtrees[i] == '\0')
+ return 0;
+ stlen = strlen(subtrees[i]);
+ if (dnlen >= stlen &&
+ strcasecmp(dn + dnlen - stlen, subtrees[i]) == 0 &&
+ (dnlen == stlen || dn[dnlen - stlen - 1] == ','))
+ return 0;
+ }
+
+ k5_setmsg(context, EINVAL, _("DN is out of the realm subtree"));
+ return EINVAL;
+}
+
+static krb5_error_code
+check_dn_exists(krb5_context context,
+ krb5_ldap_server_handle *ldap_server_handle,
+ const char *dn, krb5_boolean nonkrb_only)
+{
+ krb5_error_code st = 0, tempst;
+ krb5_ldap_context *ldap_context = context->dal_handle->db_context;
+ LDAP *ld = ldap_server_handle->ldap_handle;
+ LDAPMessage *result = NULL, *ent;
+ char *attrs[] = { "krbticketpolicyreference", "krbprincipalname", NULL };
+ char **values;
+
+ LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attrs, IGNORE_STATUS);
+ if (st != LDAP_SUCCESS)
+ return set_ldap_error(context, st, OP_SEARCH);
+
+ ent = ldap_first_entry(ld, result);
+ CHECK_NULL(ent);
+
+ values = ldap_get_values(ld, ent, "krbticketpolicyreference");
+ if (values != NULL)
+ ldap_value_free(values);
+
+ values = ldap_get_values(ld, ent, "krbprincipalname");
+ if (values != NULL) {
+ ldap_value_free(values);
+ if (nonkrb_only) {
+ st = EINVAL;
+ k5_setmsg(context, st, _("ldap object is already kerberized"));
+ goto cleanup;
+ }
+ }
+
+cleanup:
+ ldap_msgfree(result);
+ return st;
+}
+
+static krb5_error_code
+validate_xargs(krb5_context context,
+ krb5_ldap_server_handle *ldap_server_handle,
+ const xargs_t *xargs, const char *standalone_dn,
+ char *const *subtrees, unsigned int ntrees)
+{
+ krb5_error_code st;
+
+ if (xargs->dn != NULL) {
+ /* The supplied dn must be within a realm container. */
+ st = check_dn_in_container(context, xargs->dn, subtrees, ntrees);
+ if (st)
+ return st;
+ /* The supplied dn must exist without Kerberos attributes. */
+ st = check_dn_exists(context, ldap_server_handle, xargs->dn, TRUE);
+ if (st)
+ return st;
+ }
+
+ if (xargs->linkdn != NULL) {
+ /* The supplied linkdn must be within a realm container. */
+ st = check_dn_in_container(context, xargs->linkdn, subtrees, ntrees);
+ if (st)
+ return st;
+ /* The supplied linkdn must exist. */
+ st = check_dn_exists(context, ldap_server_handle, xargs->linkdn,
+ FALSE);
+ if (st)
+ return st;
+ }
+
+ if (xargs->containerdn != NULL && standalone_dn != NULL) {
+ /* standalone_dn (likely composed using containerdn) must be within a
+ * container. */
+ st = check_dn_in_container(context, standalone_dn, subtrees, ntrees);
+ if (st)
+ return st;
+ }
+
+ return 0;
+}
+
krb5_error_code
krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
char **db_args)
@@ -662,12 +763,12 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
LDAPMessage *result=NULL, *ent=NULL;
char **subtreelist = NULL;
char *user=NULL, *subtree=NULL, *principal_dn=NULL;
- char **values=NULL, *strval[10]={NULL}, errbuf[1024];
+ char *strval[10]={NULL}, errbuf[1024];
char *filtuser=NULL;
struct berval **bersecretkey=NULL;
LDAPMod **mods=NULL;
krb5_boolean create_standalone=FALSE;
- krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE;
+ krb5_boolean establish_links=FALSE;
char *standalone_principal_dn=NULL;
krb5_tl_data *tl_data=NULL;
krb5_key_data **keys=NULL;
@@ -860,24 +961,6 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
* any of the subtrees
*/
if (xargs.dn_from_kbd == TRUE) {
- /* make sure the DN falls in the subtree */
- int dnlen=0, subtreelen=0;
- char *dn=NULL;
- krb5_boolean outofsubtree=TRUE;
-
- if (xargs.dn != NULL) {
- dn = xargs.dn;
- } else if (xargs.linkdn != NULL) {
- dn = xargs.linkdn;
- } else if (standalone_principal_dn != NULL) {
- /*
- * Even though the standalone_principal_dn is constructed
- * within this function, there is the containerdn input
- * from the user that can become part of the it.
- */
- dn = standalone_principal_dn;
- }
-
/* Get the current subtree list if we haven't already done so. */
if (subtreelist == NULL) {
st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees);
@@ -885,81 +968,10 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
goto cleanup;
}
- for (tre=0; tre<ntrees; ++tre) {
- if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) {
- outofsubtree = FALSE;
- break;
- } else {
- dnlen = strlen (dn);
- subtreelen = strlen(subtreelist[tre]);
- if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) {
- outofsubtree = FALSE;
- break;
- }
- }
- }
-
- if (outofsubtree == TRUE) {
- st = EINVAL;
- k5_setmsg(context, st, _("DN is out of the realm subtree"));
+ st = validate_xargs(context, ldap_server_handle, &xargs,
+ standalone_principal_dn, subtreelist, ntrees);
+ if (st)
goto cleanup;
- }
-
- /*
- * dn value will be set either by dn, linkdn or the standalone_principal_dn
- * In the first 2 cases, the dn should be existing and in the last case we
- * are supposed to create the ldap object. so the below should not be
- * executed for the last case.
- */
-
- if (standalone_principal_dn == NULL) {
- /*
- * If the ldap object is missing, this results in an error.
- */
-
- /*
- * Search for krbprincipalname attribute here.
- * This is to find if a kerberos identity is already present
- * on the ldap object, in which case adding a kerberos identity
- * on the ldap object should result in an error.
- */
- char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL};
-
- ldap_msgfree(result);
- result = NULL;
- LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS);
- if (st == LDAP_SUCCESS) {
- ent = ldap_first_entry(ld, result);
- if (ent != NULL) {
- if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) {
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
- krb_identity_exists = TRUE;
- ldap_value_free(values);
- }
- }
- } else {
- st = set_ldap_error(context, st, OP_SEARCH);
- goto cleanup;
- }
- }
- }
-
- /*
- * If xargs.dn is set then the request is to add a
- * kerberos principal on a ldap object, but if
- * there is one already on the ldap object this
- * should result in an error.
- */
-
- if (xargs.dn != NULL && krb_identity_exists == TRUE) {
- st = EINVAL;
- snprintf(errbuf, sizeof(errbuf),
- _("ldap object is already kerberized"));
- k5_setmsg(context, st, "%s", errbuf);
- goto cleanup;
}
if (xargs.linkdn != NULL) {
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 217f2cdc3b..6e563b1032 100755
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -203,6 +203,12 @@ def ldap_add(dn, objectclass, attrs=[]):
# in the test LDAP server.
realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'],
expected_code=1, expected_msg='DN is out of the realm subtree')
+# Check that the DN container check is a hierarchy test, not a simple
+# suffix match (CVE-2018-5730). We expect this operation to fail
+# either way (because "xcn" isn't a valid DN tag) but the container
+# check should happen before the DN is parsed.
+realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=xcn=t1,cn=krb5', 'princ1'],
+ expected_code=1, expected_msg='DN is out of the realm subtree')
realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'princ1'])
realm.run([kadminl, 'getprinc', 'princ1'], expected_msg='Principal: princ1')
realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'again'],
@@ -226,6 +232,11 @@ def ldap_add(dn, objectclass, attrs=[]):
'princ3'])
realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5', 'princ3'],
expected_code=1, expected_msg='containerdn option not supported')
+# Verify that containerdn is checked when linkdn is also supplied
+# (CVE-2018-5730).
+realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5',
+ '-x', 'linkdn=cn=t2,cn=krb5', 'princ4'], expected_code=1,
+ expected_msg='DN is out of the realm subtree')
# Create and modify a ticket policy.
kldaputil(['create_policy', '-maxtktlife', '3hour', '-maxrenewlife', '6hour',
|
GitWeb