3 changed files with 1 additions and 444 deletions
--- a/SOURCES/0023-rpcserver-validate-Kerberos-principal-name-before-running-kinit_rhel#26153.patch
+++ b/SOURCES/0023-rpcserver-validate-Kerberos-principal-name-before-running-kinit_rhel#26153.patch
@ -1,392 +0,0 @@
 From b039f3087a13de3f34b230dbe29a7cfb1965700d Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
 Date: Feb 23 2024 09:49:27 +0000
 Subject: rpcserver: validate Kerberos principal name before running kinit
 Do minimal validation of the Kerberos principal name when passing it to
 kinit command line tool. Also pass it as the final argument to prevent
 option injection.
 Accepted Kerberos principals are:
 - user names, using the following regexp
   (username with optional @realm, no spaces or slashes in the name):
   "(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?@?[a-zA-Z0-9.-]*$"
 - service names (with slash in the name but no spaces). Validation of
   the hostname is done. There is no validation of the service name.
 The regular expression above also covers cases where a principal name
 starts with '-'. This prevents option injection as well.
 This fixes CVE-2024-1481
 Fixes: https://pagure.io/freeipa/issue/9541
 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
 ---
 diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
 index cc839ec..4ad4eaa 100644
 --- a/ipalib/install/kinit.py
 +++ b/ipalib/install/kinit.py
@@ -6,12 +6,16 @@ from __future__ import absolute_import
 import logging
 import os
 +import re
 import time
 import gssapi
 from ipaplatform.paths import paths
 from ipapython.ipautil import run
 +from ipalib.constants import PATTERN_GROUPUSER_NAME
 +from ipalib.util import validate_hostname
 +from ipalib import api
 logger = logging.getLogger(__name__)
@@ -21,6 +25,40 @@ KRB5_KDC_UNREACH = 2529639068
 # A service is not available that s required to process the request
 KRB5KDC_ERR_SVC_UNAVAILABLE = 2529638941
 +PATTERN_REALM = '@?([a-zA-Z0-9.-]*)$'
 +PATTERN_PRINCIPAL = '(' + PATTERN_GROUPUSER_NAME[:-1] + ')' + PATTERN_REALM
 +PATTERN_SERVICE = '([a-zA-Z0-9.-]+)/([a-zA-Z0-9.-]+)' + PATTERN_REALM
 +
 +user_pattern = re.compile(PATTERN_PRINCIPAL)
 +service_pattern = re.compile(PATTERN_SERVICE)
 +
 +
 +def validate_principal(principal):
 +    if not isinstance(principal, str):
 +        raise RuntimeError('Invalid principal: not a string')
 +    if ('/' in principal) and (' ' in principal):
 +        raise RuntimeError('Invalid principal: bad spacing')
 +    else:
 +        realm = None
 +        match = user_pattern.match(principal)
 +        if match is None:
 +            match = service_pattern.match(principal)
 +            if match is None:
 +                raise RuntimeError('Invalid principal: cannot parse')
 +            else:
 +                # service = match[1]
 +                hostname = match[2]
 +                realm = match[3]
 +                try:
 +                    validate_hostname(hostname)
 +                except ValueError as e:
 +                    raise RuntimeError(str(e))
 +        else:  # user match, validate realm
 +            # username = match[1]
 +            realm = match[2]
 +        if realm and 'realm' in api.env and realm != api.env.realm:
 +            raise RuntimeError('Invalid principal: realm mismatch')
 +
 def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
     """
@@ -29,6 +67,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
     The optional parameter 'attempts' specifies how many times the credential
     initialization should be attempted in case of non-responsive KDC.
     """
 +    validate_principal(principal)
     errors_to_retry = {KRB5KDC_ERR_SVC_UNAVAILABLE,
                        KRB5_KDC_UNREACH}
     logger.debug("Initializing principal %s using keytab %s",
@@ -65,6 +104,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
         return None
 +
 def kinit_password(principal, password, ccache_name, config=None,
                    armor_ccache_name=None, canonicalize=False,
                    enterprise=False, lifetime=None):
@@ -73,8 +113,9 @@ def kinit_password(principal, password, ccache_name, config=None,
     web-based authentication, use armor_ccache_path to specify http service
     ccache.
     """
 +    validate_principal(principal)
     logger.debug("Initializing principal %s using password", principal)
 -    args = [paths.KINIT, principal, '-c', ccache_name]
 +    args = [paths.KINIT, '-c', ccache_name]
     if armor_ccache_name is not None:
         logger.debug("Using armor ccache %s for FAST webauth",
                      armor_ccache_name)
@@ -91,6 +132,7 @@ def kinit_password(principal, password, ccache_name, config=None,
         logger.debug("Using enterprise principal")
         args.append('-E')
 +    args.extend(['--', principal])
     env = {'LC_ALL': 'C'}
     if config is not None:
         env['KRB5_CONFIG'] = config
@@ -154,6 +196,7 @@ def kinit_pkinit(
     :raises: CalledProcessError if PKINIT fails
     """
 +    validate_principal(principal)
     logger.debug(
         "Initializing principal %s using PKINIT %s", principal, user_identity
     )
@@ -168,7 +211,7 @@ def kinit_pkinit(
             assert pkinit_anchor.startswith(("FILE:", "DIR:", "ENV:"))
             args.extend(["-X", f"X509_anchors={pkinit_anchor}"])
     args.extend(["-X", f"X509_user_identity={user_identity}"])
 -    args.append(principal)
 +    args.extend(['--', principal])
     # this workaround enables us to capture stderr and put it
     # into the raised exception in case of unsuccessful authentication
 diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
 index 3555014..60bfa61 100644
 --- a/ipaserver/rpcserver.py
 +++ b/ipaserver/rpcserver.py
@@ -1134,10 +1134,6 @@ class login_password(Backend, KerberosSession):
                 canonicalize=True,
                 lifetime=self.api.env.kinit_lifetime)
 -            if armor_path:
 -                logger.debug('Cleanup the armor ccache')
 -                ipautil.run([paths.KDESTROY, '-A', '-c', armor_path],
 -                            env={'KRB5CCNAME': armor_path}, raiseonerr=False)
         except RuntimeError as e:
             if ('kinit: Cannot read password while '
                     'getting initial credentials') in str(e):
@@ -1155,6 +1151,11 @@ class login_password(Backend, KerberosSession):
                 raise KrbPrincipalWrongFAST(principal=principal)
             raise InvalidSessionPassword(principal=principal,
                                          message=unicode(e))
 +        finally:
 +            if armor_path:
 +                logger.debug('Cleanup the armor ccache')
 +                ipautil.run([paths.KDESTROY, '-A', '-c', armor_path],
 +                            env={'KRB5CCNAME': armor_path}, raiseonerr=False)
 class change_password(Backend, HTTP_Status):
 diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml
 index 91be057..400a248 100644
 --- a/ipatests/prci_definitions/gating.yaml
 +++ b/ipatests/prci_definitions/gating.yaml
@@ -310,3 +310,15 @@ jobs:
         template: *ci-ipa-4-9-latest
         timeout: 3600
         topology: *master_1repl_1client
 +
 +  fedora-latest-ipa-4-9/test_ipalib_install:
 +    requires: [fedora-latest-ipa-4-9/build]
 +    priority: 100
 +    job:
 +      class: RunPytest
 +      args:
 +        build_url: '{fedora-latest-ipa-4-9/build_url}'
 +        test_suite: test_ipalib_install/test_kinit.py
 +        template: *ci-ipa-4-9-latest
 +        timeout: 600
 +        topology: *master_1repl
 diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
 index b2ab765..7c03a48 100644
 --- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
 +++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
@@ -1801,3 +1801,15 @@ jobs:
         template: *ci-ipa-4-9-latest
         timeout: 5000
         topology: *master_2repl_1client
 +
 +  fedora-latest-ipa-4-9/test_ipalib_install:
 +    requires: [fedora-latest-ipa-4-9/build]
 +    priority: 50
 +    job:
 +      class: RunPytest
 +      args:
 +        build_url: '{fedora-latest-ipa-4-9/build_url}'
 +        test_suite: test_ipalib_install/test_kinit.py
 +        template: *ci-ipa-4-9-latest
 +        timeout: 600
 +        topology: *master_1repl
 diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
 index b7b3d3b..802bd2a 100644
 --- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
 +++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
@@ -1944,3 +1944,16 @@ jobs:
         template: *ci-ipa-4-9-latest
         timeout: 5000
         topology: *master_2repl_1client
 +
 +  fedora-latest-ipa-4-9/test_ipalib_install:
 +    requires: [fedora-latest-ipa-4-9/build]
 +    priority: 50
 +    job:
 +      class: RunPytest
 +      args:
 +        build_url: '{fedora-latest-ipa-4-9/build_url}'
 +        selinux_enforcing: True
 +        test_suite: test_ipalib_install/test_kinit.py
 +        template: *ci-ipa-4-9-latest
 +        timeout: 600
 +        topology: *master_1repl
 diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
 index eb3849e..1e1adb8 100644
 --- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
 +++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
@@ -1801,3 +1801,15 @@ jobs:
         template: *ci-ipa-4-9-previous
         timeout: 5000
         topology: *master_2repl_1client
 +
 +  fedora-previous-ipa-4-9/test_ipalib_install:
 +    requires: [fedora-previous-ipa-4-9/build]
 +    priority: 50
 +    job:
 +      class: RunPytest
 +      args:
 +        build_url: '{fedora-previous-ipa-4-9/build_url}'
 +        test_suite: test_ipalib_install/test_kinit.py
 +        template: *ci-ipa-4-9-previous
 +        timeout: 600
 +        topology: *master_1repl
 diff --git a/ipatests/setup.py b/ipatests/setup.py
 index 6217a1b..0aec4a7 100644
 --- a/ipatests/setup.py
 +++ b/ipatests/setup.py
@@ -41,6 +41,7 @@ if __name__ == '__main__':
             "ipatests.test_integration",
             "ipatests.test_ipaclient",
             "ipatests.test_ipalib",
 +            "ipatests.test_ipalib_install",
             "ipatests.test_ipaplatform",
             "ipatests.test_ipapython",
             "ipatests.test_ipaserver",
 diff --git a/ipatests/test_ipalib_install/__init__.py b/ipatests/test_ipalib_install/__init__.py
 new file mode 100644
 index 0000000..e69de29
 --- /dev/null
 +++ b/ipatests/test_ipalib_install/__init__.py
 diff --git a/ipatests/test_ipalib_install/test_kinit.py b/ipatests/test_ipalib_install/test_kinit.py
 new file mode 100644
 index 0000000..f89ea17
 --- /dev/null
 +++ b/ipatests/test_ipalib_install/test_kinit.py
@@ -0,0 +1,29 @@
 +#
 +# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 +#
 +"""Tests for ipalib.install.kinit module
 +"""
 +
 +import pytest
 +
 +from ipalib.install.kinit import validate_principal
 +
 +
 +# None means no exception is expected
 +@pytest.mark.parametrize('principal, exception', [
 +    ('testuser', None),
 +    ('testuser@EXAMPLE.TEST', None),
 +    ('test/ipa.example.test', None),
 +    ('test/ipa.example.test@EXAMPLE.TEST', None),
 +    ('test/ipa@EXAMPLE.TEST', RuntimeError),
 +    ('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError),
 +    ('test/ipa.1example.test@EXAMPLE.TEST', RuntimeError),
 +    ('test /ipa.example,test', RuntimeError),
 +    ('testuser@OTHER.TEST', RuntimeError),
 +    ('test/ipa.example.test@OTHER.TEST', RuntimeError),
 +])
 +def test_validate_principal(principal, exception):
 +    try:
 +        validate_principal(principal)
 +    except Exception as e:
 +        assert e.__class__ == exception
 From 96a478bbedd49c31e0f078f00f2d1cb55bb952fd Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Feb 23 2024 09:49:27 +0000
 Subject: validate_principal: Don't try to verify that the realm is known
 The actual value is less important than whether it matches the
 regular expression. A number of legal but difficult to know in
 context realms could be passed in here (trust for example).
 This fixes CVE-2024-1481
 Fixes: https://pagure.io/freeipa/issue/9541
 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
 ---
 diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
 index 4ad4eaa..d5fb56b 100644
 --- a/ipalib/install/kinit.py
 +++ b/ipalib/install/kinit.py
@@ -15,7 +15,6 @@ from ipaplatform.paths import paths
 from ipapython.ipautil import run
 from ipalib.constants import PATTERN_GROUPUSER_NAME
 from ipalib.util import validate_hostname
 -from ipalib import api
 logger = logging.getLogger(__name__)
@@ -39,7 +38,9 @@ def validate_principal(principal):
     if ('/' in principal) and (' ' in principal):
         raise RuntimeError('Invalid principal: bad spacing')
     else:
 -        realm = None
 +        # For a user match in the regex
 +        # username = match[1]
 +        # realm = match[2]
         match = user_pattern.match(principal)
         if match is None:
             match = service_pattern.match(principal)
@@ -48,16 +49,11 @@ def validate_principal(principal):
             else:
                 # service = match[1]
                 hostname = match[2]
 -                realm = match[3]
 +                # realm = match[3]
                 try:
                     validate_hostname(hostname)
                 except ValueError as e:
                     raise RuntimeError(str(e))
 -        else:  # user match, validate realm
 -            # username = match[1]
 -            realm = match[2]
 -        if realm and 'realm' in api.env and realm != api.env.realm:
 -            raise RuntimeError('Invalid principal: realm mismatch')
 def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
 diff --git a/ipatests/test_ipalib_install/test_kinit.py b/ipatests/test_ipalib_install/test_kinit.py
 index f89ea17..8289c4b 100644
 --- a/ipatests/test_ipalib_install/test_kinit.py
 +++ b/ipatests/test_ipalib_install/test_kinit.py
@@ -17,13 +17,16 @@ from ipalib.install.kinit import validate_principal
     ('test/ipa.example.test@EXAMPLE.TEST', None),
     ('test/ipa@EXAMPLE.TEST', RuntimeError),
     ('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError),
 -    ('test/ipa.1example.test@EXAMPLE.TEST', RuntimeError),
 +    ('test/ipa.1example.test@EXAMPLE.TEST', None),
     ('test /ipa.example,test', RuntimeError),
 -    ('testuser@OTHER.TEST', RuntimeError),
 -    ('test/ipa.example.test@OTHER.TEST', RuntimeError),
 +    ('testuser@OTHER.TEST', None),
 +    ('test/ipa.example.test@OTHER.TEST', None)
 ])
 def test_validate_principal(principal, exception):
     try:
         validate_principal(principal)
     except Exception as e:
         assert e.__class__ == exception
 +    else:
 +        if exception is not None:
 +            raise RuntimeError('Test should have failed')
--- a/SOURCES/0024-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-algo_rhel#28259.patch
+++ b/SOURCES/0024-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-algo_rhel#28259.patch
@ -1,43 +0,0 @@
 From d7c1ba0672fc8964f7674a526f3019429a551372 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Mar 06 2024 08:34:57 +0000
 Subject: Vault: add additional fallback to RSA-OAEP wrapping algo
 There is a fallback when creating the wrapping key but one was missing
 when trying to use the cached transport_cert.
 This allows, along with forcing keyWrap.useOAEP=true, vault creation
 on an nCipher HSM.
 This can be seen in HSMs where the device doesn't support the
 PKCS#1 v1.5 mechanism. It will error out with either "invalid
 algorithm" or CKR_FUNCTION_FAILED.
 Related: https://pagure.io/freeipa/issue/9191
 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
 ---
 diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
 index ed16c73..1523187 100644
 --- a/ipaclient/plugins/vault.py
 +++ b/ipaclient/plugins/vault.py
@@ -757,8 +757,12 @@ class ModVaultData(Local):
         Calls the internal counterpart of the command.
         """
         # try call with cached transport certificate
 -        result = self._do_internal(algo, transport_cert, False,
 -                                   False, *args, **options)
 +        try:
 +            result = self._do_internal(algo, transport_cert, False,
 +                                       False, *args, **options)
 +        except errors.EncodingError:
 +            result = self._do_internal(algo, transport_cert, False,
 +                                       True, *args, **options)
         if result is not None:
             return result
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@ -189,7 +189,7 @@
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        8%{?rc_version:.%rc_version}%{?dist}
+Release:        7%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 License:        GPLv3+
@ -230,8 +230,6 @@ Patch0019:      0019-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch
 Patch0020:      0020-Vault-improve-vault-server-archival-retrieval-calls-.patch
 Patch0021:      0021-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch
 Patch0022:      0022-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch
 Patch0023:      0023-rpcserver-validate-Kerberos-principal-name-before-running-kinit_rhel#26153.patch
 Patch0024:      0024-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-algo_rhel#28259.patch
 %if 0%{?rhel} >= 8
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
@ -1747,12 +1745,6 @@ fi
 %endif
 %changelog
 * Thu Mar 07 2024 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-8
 - rpcserver: validate Kerberos principal name before running kinit
  Resolves: RHEL-26153
 - Vault: add additional fallback to RSA-OAEP wrapping algo
  Resolves: RHEL-28259
 * Tue Feb 20 2024 Julien Rische <jrische@redhat.com> - 4.9.13-7
 - ipa-kdb: Fix double free in ipadb_reinit_mspac()
  Resolves: RHEL-25742