From nobody Thu Feb 15 21:30:37 2024 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4TbSsV0gmhz5BHMK; Thu, 15 Feb 2024 21:30:38 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4TbSsT53myz4Sdy; Thu, 15 Feb 2024 21:30:37 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1708032637; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=bGAtK/wUqVvLz4SAscGdicGvcey2QEPBYsQKiKYmS8o=; b=MkeEtqFmHNako68o1YkQqUNdgVDozXSk9qXv5svZpFYOU/P5bktWsY4pFO9azv2NhkhG8j JOr1XnwjDzfrkH+Ep95Vnb3jlyEtrltBqnFsXX+HHbVfDBTXV/RK2b2k9ivrOLJcFfYJBi kuo8FuLHJ18VTOFoUTCKQM/Ewu+/NXwyfKDbf98xhd11SGQ9nnr5CyAkZNX8qVFB039Ev6 fIQljQdomCr3JJ61ibojEmdbTeZRpijpRz3e9zegz73jrtxT9UhMPU9jvwxp4cAaS+TZWo IHV7LcoSSV+nDvx3rvwmshEVKQjEQCFOJkYujGrOKnO7ak6P94CC1EdhiAF4rw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1708032637; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=bGAtK/wUqVvLz4SAscGdicGvcey2QEPBYsQKiKYmS8o=; b=lLzqVUW1dB5ghaTQ8LnpYjb2rVYxcARMtRbNAGyT9ZTWvD6efhuCOywT/0CooSGa3iQCUb lwslVAoXeJ1y+FEe7229l8DsBLxz7PUks84kCGV2Zdr2YG4IfTv/q0knw+RhrE/zV2ud19 m9l6H3GyMTnq/S06nQCJW1g5BKWGeauxQq37XSc51x+S9EP/r2sHbniMlHwC8xhyp+Zho3 0LcH2ZHf4g7D7aNYmsOkaBpAhBfnSmS68kL58xyFpeBroMYUfC6tOjWMQg+ziGMC2KzevQ /Zknuu82n7N6tELppQlCHxBQEBSCH6ByQ1cRY4CQuzU0N1bb9ptPYNE0kBHKlw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1708032637; a=rsa-sha256; cv=none; b=D1L/qXrDlrgifviXay2ldmrLF46g/9O4Ag39+BUB1eJkhbF3EZoZoSehemEAOzOFalPAyW jUcGvpFqE39exHRcDy1iXtRQVYNsZSbJa+LZ5RVKMxoSU0SBt5HRRQSiPTH+ZPmu+4L84q Om4pgXRvkNh2H4LjNNuf/mGahNfPav64PzZdCxX/EyuOQH2bMKJRnfddD99jXgxmecoTAv LjEQs8P28Lg5THUGciNOUJC1J5fUR4OhjzCbrRLwBCJx7AGrs5mPCPFCx9qaKWbMoQ8ezu g7r4jJ+5aB6wInSY/UI20S+TGYxZKPPJAMBm75xH5REwwd6W7tFlKO9byRU8IA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4TbSsT49GTzxxr; Thu, 15 Feb 2024 21:30:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 41FLUbGG063582; Thu, 15 Feb 2024 21:30:37 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 41FLUbnO063579; Thu, 15 Feb 2024 21:30:37 GMT (envelope-from git) Date: Thu, 15 Feb 2024 21:30:37 GMT Message-Id: <202402152130.41FLUbnO063579@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Cy Schubert Subject: git: 60616b445eb5 - main - heimdal: always confirm PA-PKINIT-KX for anon PKINIT List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: cy X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 60616b445eb5b01597092fef5b14549f95000130 Auto-Submitted: auto-generated The branch main has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=60616b445eb5b01597092fef5b14549f95000130 commit 60616b445eb5b01597092fef5b14549f95000130 Author: Cy Schubert AuthorDate: 2024-02-15 01:58:06 +0000 Commit: Cy Schubert CommitDate: 2024-02-15 21:27:55 +0000 heimdal: always confirm PA-PKINIT-KX for anon PKINIT Import upstream 38c797e1a. Upstream notes: RFC8062 Section 7 requires verification of the PA-PKINIT-KX key excahnge when anonymous PKINIT is used. Failure to do so can permit an active attacker to become a man-in-the-middle. Reported by: emaste Obtained from: upstream 38c797e1a Security: CVE-2019-12098 MFC after: 1 week --- crypto/heimdal/lib/krb5/krb5_locl.h | 1 + crypto/heimdal/lib/krb5/pkinit.c | 92 +++++++++++++++++++++++++++++++++++++ 2 files changed, 93 insertions(+) diff --git a/crypto/heimdal/lib/krb5/krb5_locl.h b/crypto/heimdal/lib/krb5/krb5_locl.h index d0c68927ffbd..0ea132f94c82 100644 --- a/crypto/heimdal/lib/krb5/krb5_locl.h +++ b/crypto/heimdal/lib/krb5/krb5_locl.h @@ -240,6 +240,7 @@ struct _krb5_get_init_creds_opt_private { #define KRB5_INIT_CREDS_CANONICALIZE 1 #define KRB5_INIT_CREDS_NO_C_CANON_CHECK 2 #define KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK 4 +#define KRB5_INIT_CREDS_PKINIT_KX_VALID 32 struct { krb5_gic_process_last_req func; void *ctx; diff --git a/crypto/heimdal/lib/krb5/pkinit.c b/crypto/heimdal/lib/krb5/pkinit.c index 7164a118c34a..3c914bb31f35 100644 --- a/crypto/heimdal/lib/krb5/pkinit.c +++ b/crypto/heimdal/lib/krb5/pkinit.c @@ -1306,6 +1306,98 @@ pk_rd_pa_reply_enckey(krb5_context context, return ret; } +/* + * RFC 8062 section 7: + * + * The client then decrypts the KDC contribution key and verifies that + * the ticket session key in the returned ticket is the combined key of + * the KDC contribution key and the reply key. + */ +KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL +_krb5_pk_kx_confirm(krb5_context context, + krb5_pk_init_ctx ctx, + krb5_keyblock *reply_key, + krb5_keyblock *session_key, + PA_DATA *pa_pkinit_kx) +{ + krb5_error_code ret; + EncryptedData ed; + krb5_keyblock ck, sk_verify; + krb5_crypto ck_crypto = NULL; + krb5_crypto rk_crypto = NULL; + size_t len; + krb5_data data; + krb5_data p1 = { sizeof("PKINIT") - 1, "PKINIT" }; + krb5_data p2 = { sizeof("KEYEXCHANGE") - 1, "KEYEXCHANGE" }; + + heim_assert(ctx != NULL, "PKINIT context is non-NULL"); + heim_assert(reply_key != NULL, "reply key is non-NULL"); + heim_assert(session_key != NULL, "session key is non-NULL"); + + /* PA-PKINIT-KX is optional unless anonymous */ + if (pa_pkinit_kx == NULL) + return ctx->anonymous ? KRB5_KDCREP_MODIFIED : 0; + + memset(&ed, 0, sizeof(ed)); + krb5_keyblock_zero(&ck); + krb5_keyblock_zero(&sk_verify); + krb5_data_zero(&data); + + ret = decode_EncryptedData(pa_pkinit_kx->padata_value.data, + pa_pkinit_kx->padata_value.length, + &ed, &len); + if (ret) + goto out; + + if (len != pa_pkinit_kx->padata_value.length) { + ret = KRB5_KDCREP_MODIFIED; + goto out; + } + + ret = krb5_crypto_init(context, reply_key, 0, &rk_crypto); + if (ret) + goto out; + + ret = krb5_decrypt_EncryptedData(context, rk_crypto, + KRB5_KU_PA_PKINIT_KX, + &ed, &data); + if (ret) + goto out; + + ret = decode_EncryptionKey(data.data, data.length, + &ck, &len); + if (ret) + goto out; + + ret = krb5_crypto_init(context, &ck, 0, &ck_crypto); + if (ret) + goto out; + + ret = krb5_crypto_fx_cf2(context, ck_crypto, rk_crypto, + &p1, &p2, session_key->keytype, + &sk_verify); + if (ret) + goto out; + + if (sk_verify.keytype != session_key->keytype || + krb5_data_ct_cmp(&sk_verify.keyvalue, &session_key->keyvalue) != 0) { + ret = KRB5_KDCREP_MODIFIED; + goto out; + } + +out: + free_EncryptedData(&ed); + krb5_free_keyblock_contents(context, &ck); + krb5_free_keyblock_contents(context, &sk_verify); + if (ck_crypto) + krb5_crypto_destroy(context, ck_crypto); + if (rk_crypto) + krb5_crypto_destroy(context, rk_crypto); + krb5_data_free(&data); + + return ret; +} + static krb5_error_code pk_rd_pa_reply_dh(krb5_context context, const heim_octet_string *indata,