Date: Wed, 21 Feb 2024 14:01:55 GMT
Message-Id: <202402211401.41LE1teR080295@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Cy Schubert
Subject: git: 9f2e70a87d6e - releng/13.3 - heimdal: always confirm PA-PKINIT-KX for anon PKINIT

The branch releng/13.3 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=9f2e70a87d6ed48df418e1f7a3ccc09b469c2dad

commit 9f2e70a87d6ed48df418e1f7a3ccc09b469c2dad
Author:     Cy Schubert
AuthorDate: 2024-02-15 01:58:06 +0000
Commit:     Cy Schubert
CommitDate: 2024-02-21 14:01:48 +0000

    heimdal: always confirm PA-PKINIT-KX for anon PKINIT

    Import upstream 38c797e1a. Upstream notes:

    RFC8062 Section 7 requires verification of the PA-PKINIT-KX key
    exchange when anonymous PKINIT is used. Failure to do so can
    permit an active attacker to become a man-in-the-middle.

    Reported by: emaste
    Obtained from: upstream 38c797e1a
    Security: CVE-2019-12098
    MFS requested by: re (cperciva)
    Approved by: re (cperciva)

    (cherry picked from commit 60616b445eb5b01597092fef5b14549f95000130)
    (cherry picked from commit a311b9d70863f78c232d5622ee579c6cd45bb1d8)
--- crypto/heimdal/lib/krb5/krb5_locl.h | 1 + crypto/heimdal/lib/krb5/pkinit.c | 92 +++++++++++++++++++++++++++++++++++++ 2 files changed, 93 insertions(+) diff --git a/crypto/heimdal/lib/krb5/krb5_locl.h b/crypto/heimdal/lib/krb5/krb5_locl.h index d0c68927ffbd..0ea132f94c82 100644 --- a/crypto/heimdal/lib/krb5/krb5_locl.h +++ b/crypto/heimdal/lib/krb5/krb5_locl.h
@@ -240,6 +240,7 @@ struct _krb5_get_init_creds_opt_private { #define KRB5_INIT_CREDS_CANONICALIZE 1 #define KRB5_INIT_CREDS_NO_C_CANON_CHECK 2 #define KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK 4 +#define KRB5_INIT_CREDS_PKINIT_KX_VALID 32 struct { krb5_gic_process_last_req func; void *ctx; diff --git a/crypto/heimdal/lib/krb5/pkinit.c b/crypto/heimdal/lib/krb5/pkinit.c index 7164a118c34a..3c914bb31f35 100644 --- a/crypto/heimdal/lib/krb5/pkinit.c +++ b/crypto/heimdal/lib/krb5/pkinit.c 
@@ -1306,6 +1306,98 @@ pk_rd_pa_reply_enckey(krb5_context context, return ret; } +/* + * RFC 8062 section 7: + * + * The client then decrypts the KDC contribution key and verifies that + * the ticket session key in the returned ticket is the combined key of + * the KDC contribution key and the reply key. + */ +KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL +_krb5_pk_kx_confirm(krb5_context context, + krb5_pk_init_ctx ctx, + krb5_keyblock *reply_key, + krb5_keyblock *session_key, + PA_DATA *pa_pkinit_kx) +{ + krb5_error_code ret; + EncryptedData ed; + krb5_keyblock ck, sk_verify; + krb5_crypto ck_crypto = NULL; + krb5_crypto rk_crypto = NULL; + size_t len; + krb5_data data; + krb5_data p1 = { sizeof("PKINIT") - 1, "PKINIT" }; + krb5_data p2 = { sizeof("KEYEXCHANGE") - 1, "KEYEXCHANGE" }; + + heim_assert(ctx != NULL, "PKINIT context is non-NULL"); + heim_assert(reply_key != NULL, "reply key is non-NULL"); + heim_assert(session_key != NULL, "session key is non-NULL"); + + /* PA-PKINIT-KX is optional unless anonymous */ + if (pa_pkinit_kx == NULL) + return ctx->anonymous ? 
KRB5_KDCREP_MODIFIED : 0; + + memset(&ed, 0, sizeof(ed)); + krb5_keyblock_zero(&ck); + krb5_keyblock_zero(&sk_verify); + krb5_data_zero(&data); + + ret = decode_EncryptedData(pa_pkinit_kx->padata_value.data, + pa_pkinit_kx->padata_value.length, + &ed, &len); + if (ret) + goto out; + + if (len != pa_pkinit_kx->padata_value.length) { + ret = KRB5_KDCREP_MODIFIED; + goto out; + } + + ret = krb5_crypto_init(context, reply_key, 0, &rk_crypto); + if (ret) + goto out; + + ret = krb5_decrypt_EncryptedData(context, rk_crypto, + KRB5_KU_PA_PKINIT_KX, + &ed, &data); + if (ret) + goto out; + + ret = decode_EncryptionKey(data.data, data.length, + &ck, &len); + if (ret) + goto out; + + ret = krb5_crypto_init(context, &ck, 0, &ck_crypto); + if (ret) + goto out; + + ret = krb5_crypto_fx_cf2(context, ck_crypto, rk_crypto, + &p1, &p2, session_key->keytype, + &sk_verify); + if (ret) + goto out; + + if (sk_verify.keytype != session_key->keytype || + krb5_data_ct_cmp(&sk_verify.keyvalue, &session_key->keyvalue) != 0) { + ret = KRB5_KDCREP_MODIFIED; + goto out; + } + +out: + free_EncryptedData(&ed); + krb5_free_keyblock_contents(context, &ck); + krb5_free_keyblock_contents(context, &sk_verify); + if (ck_crypto) + krb5_crypto_destroy(context, ck_crypto); + if (rk_crypto) + krb5_crypto_destroy(context, rk_crypto); + krb5_data_free(&data); + + return ret; +} + static krb5_error_code pk_rd_pa_reply_dh(krb5_context context, const heim_octet_string *indata,
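
Review bot: In the krb5_locl.h hunk, KRB5_INIT_CREDS_PKINIT_KX_VALID is defined but nothing in this patch sets or tests it, and the diffstat (2 files, 93 insertions: this one line plus the 92 added lines in pkinit.c) leaves no room for a call site of _krb5_pk_kx_confirm either. The subject says the confirmation is "always" done, so the change should include, or name, the init-creds code that calls the function and records the outcome; as posted, the visible lines add a check that nothing invokes. The value also jumps from 4 to 32 with no explanation; a comment saying what the flag means, where it is set and where it is checked, and why 8 and 16 are skipped, would make the define reviewable on its own.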
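
Review bot: In _krb5_pk_kx_confirm (pkinit.c hunk), the length returned by decode_EncryptionKey is never compared with data.length, although the earlier decode_EncryptedData call rejects trailing bytes with `if (len != pa_pkinit_kx->padata_value.length)`. The same check belongs after the second decode, failing with KRB5_KDCREP_MODIFIED, so that a contribution key followed by extra bytes is not accepted. Separately, `data` holds the decrypted contribution key and is released at `out:` with krb5_data_free; it is worth confirming that the buffer is scrubbed before it is freed, and adding an explicit wipe if it is not.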