Kevin Wasserman [Tue, 17 Jul 2012 17:17:46 +0000 (13:17 -0400)]
Fix leashdll code to search for existing tickets
When we have a desired principal, search the entire credential cache
collection for existing tickets for that principal before using a prompter.
If no principal is specified, check only the default cache.
Kevin Wasserman [Thu, 21 Jun 2012 19:30:24 +0000 (15:30 -0400)]
Use file mapping to marshall message data
GlobalAlloc() is no longer supported for this purpose.
Also split out leash message marshalling code into a separate function
acquire_tkt_send_message_leash and improve string copy safety.
Kevin Wasserman [Thu, 21 Jun 2012 17:27:27 +0000 (13:27 -0400)]
Set kfw GUI read-only princ flag when appropriate
When receiving a request to obtain tickets (from another process), if a
particular principal is requested, set the read-only flag to prevent
the user from changing the principal.
Kevin Wasserman [Thu, 21 Jun 2012 17:22:39 +0000 (13:22 -0400)]
Add 'read-only principal' flag
Reserve the high-order 16 bits of dlgtype for flags.
Add DLGFLAG_READONLY_PRINC. When specified, the get tickets dialog
does not allow the user to change the principal.
Kevin Wasserman [Fri, 15 Jun 2012 02:57:59 +0000 (22:57 -0400)]
Send kfw 'obtain ticket' messages to main frame
Previous versions of kfw would attempt to send 'obtain tickets' messages
directly to the 'view' window by sending to the first child of the main
frame. But with the ribbon UI, the ribbon toolbar is now the first child,
so that method no longer works. Instead we now send the message to the
main frame and the main frame forwards to the active view.
Kevin Wasserman [Sat, 2 Jun 2012 14:34:09 +0000 (10:34 -0400)]
KfW auto-complete support
Use the registry to store and retrieve principals for auto-complete.
Remember principals from successful autentications.
TODO: combine realm/username in principal; 'remember principal' checkbox;
reset button; add to support 'change password' dialog as well.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
[kaduk@mit.edu: style cleanup, copyright/license on new file.]
Kevin Wasserman [Mon, 14 May 2012 16:14:20 +0000 (12:14 -0400)]
Do not be over-restrictive in the presence of UAC
We used to explicitly check if a process was UAC-limited and deny all
access to the TGT in that case; however, this makes the MSLSA cache
effectively useless.
Do not try to outsmart UAC, and let it do its own checking -- this allows
UAC-limited access to the MSLSA ccache, which should mean read-write
access to service tickets, and write-only access to the TGT.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
[kaduk@mit.edu: delete instead of comment out, move comment.]
Kevin Wasserman [Mon, 23 Jul 2012 08:30:27 +0000 (04:30 -0400)]
kfw support for multiple identities
We need a sense of what the default identity is, then, with a way
to set it and list it.
The memory management model changes some, as well.
Use a bold font to indicate the current default identity in the
GUI; while here use an italic font for expired credentials.
In the process, rip out some krb4 remenants, and remove ancient
code conditional on the lack of KRB5_TC_NOTICKET.
Define USE_MESSAGE_BOX when building leash and use MessageBox().
[kaduk@mit.edu: adjust for style, flesh out commit message.]
Kevin Wasserman [Sat, 21 Jul 2012 12:52:50 +0000 (08:52 -0400)]
Use ListView; add ViewColumn abstraction
Punting FormView since we really only need ListCtrl and using
ListView makes the header column and window resizing work.
The ViewColumn abstraction eliminates some copy/paste code blocks.
HDN_ITEMCHANGED tracks user changes to column widths.
Remove CTreeCtrl-related code.
Also remove some unused code that was generating warnings.
Kevin Wasserman [Tue, 3 Apr 2012 11:02:43 +0000 (07:02 -0400)]
Prep for KfW conversion to ribbon toolbar
Upgrade classes: CWinApp->CWinAppEx, CFrameWnd->CFrameWndEx,
CStatusBar->CMFCStatusBar, CToolBar->CMFCToolBar.
Call AfxOleInit() from CLeashApp::InitInstance()
Do not call LoadBarState() (crashes)
or GetToolBarCtrl() (no longer exists)
Greg Hudson [Sat, 11 Aug 2012 04:13:05 +0000 (00:13 -0400)]
Use gssalloc in more parts of GSSAPI
Fix some GSSAPI buffer allocations which were missed in 800358b1790ef82710af0b6021c6ff2dca2b0de7: gss_export_sec_context,
gss_display_name, and IAKERB and SPNEGO token construction.
In gssint_import_internal_name, don't map the minor code from
mech->gss_duplicate_name if it returned successfully. Fixes an
"unexpected non-zero minor status" error reported by SAP's gsstest
when it invokes gss_canonicalize_name().
Kevin Wasserman [Wed, 1 Aug 2012 22:30:02 +0000 (18:30 -0400)]
Fix oid set construction in gss_inquire_cred()
Use gssapi calls to construct the oid sets. It is not safe on windows
to use malloc to hand-construct the set and then call gss_release_oid_set()
to clean it up.
Tom Yu [Wed, 1 Aug 2012 03:20:30 +0000 (23:20 -0400)]
Fix KDC uninit ptrs [CVE-2012-1014 CVE-2012-1015]
Fix KDC heap corruption and crash vulnerabilities [MITKRB5-SA-2012-001
CVE-2012-1014 CVE-2012-1015].
CVE-2012-1015: The cleanup code in kdc_handle_protected_negotiation()
in kdc_util.c could free an uninitialized pointer in some error
conditions involving "similar" enctypes and a failure in
krb5_c_make_checksum(). Initialize the pointer correctly.
Additionally, adjust the handling of "similar" enctypes to avoid
advertising enctypes that could lead to inadvertent triggering of
CVE-2012-1015 (possibly in unpatched KDCs).
CVE-2012-1014: process_as_req() could encounter an error condition
(typically a malformed AS-REQ message) that could cause its cleanup
code to dereference an uninitialized pointer, causing a crash.
Initialize the pointer correctly.
wshelper is clearly not intended to use unicode:
wprintf is used extensively and exclusively to write to char[] buffers and
fields in dns structs are used as explicitly ASCII text.
Kevin Wasserman [Wed, 6 Jun 2012 22:22:22 +0000 (18:22 -0400)]
KFW win-mac.h fixes
kfw: add int16_t, uint16_t typedefs to win-mac.h
uint16_t is used in chpw.c
include stdlib.h, crtdbg.h in win-mac.h
Allows leak-tracking using built-in msvc tools on windows.
crtdbg.h needs to come _after_ stdlib.h, but _before_ checking for
strdup. Define DEBUG and CRTDBG_MAP_ALLOC for full tracking.
Tom Yu [Thu, 12 Jul 2012 18:26:15 +0000 (14:26 -0400)]
Handle huge /bin directories in libdb2 test
The test suite for libdb2 uses /bin as a source of filenames and
contents for insertion into databases. Fedora 17 (and possibly other
OSes) have /bin symlinked to /usr/bin, which can vastly increase the
number of files found, exceeding some limits of the test databases.
Truncate this list of files at 100 to prevent this problem.
Tom Yu [Thu, 12 Jul 2012 03:35:44 +0000 (23:35 -0400)]
Always recreate acl files during dejagnu tests
The dejagnu tests create some persistent acl files containing
hostname-derived principal names. These can get out of date if the
host has changed names since the last time the dejagnu tests were run,
causing failures (notably in iprop.exp). To avoid this problem,
change the dejagnu tests to always create new acl files for each test
run.
Tom Yu [Mon, 23 Jul 2012 18:56:10 +0000 (14:56 -0400)]
Add krb5int_cc_user_set_default_name
Set the default credential cache name for all processes for the current
user. Currently implemented, for windows only, by setting
HKEY_CURRENT_USER\Software\MIT\Kerberos5:ccname to the specified
ccache name. This will not override the environment variable 'KRB5CCNAME'.
It will override HKEY_LOCAL_MACHINE and 'indirect' registry values.
Kevin Wasserman [Sun, 6 May 2012 19:23:10 +0000 (15:23 -0400)]
Implement switch_to for ccapiv3
krb5_stdccv3_switch_to() calls cc_ccache_set_default().
krb5_stdccv3_resolve() checks for NULL or empty residual and calls
cc_context_get_default_ccache_name() in those cases.
Kevin Wasserman [Fri, 20 Apr 2012 15:36:13 +0000 (11:36 -0400)]
Translate WinSock errors to Posix counterparts
MSVC 2010 defines both Posix and WinSock error values so we can no longer
simply #define the Posix error values to be their WinSock counterpart.
This patch explicitly #includes <errno.h> in port-sockets.h and still
conditionally defines the Posix error values for compatibility with older
MSVC but also translates WinSock errors to Posix for MSVC 2010
compatibility.
The downside to this approach is that there are some Posix errors we
do not currently detect (e.g. EADDRINUSE) that are neither #defined nor
translated. If we use one of those in the future but fail to update
TranslateWSAGetLastError() we'll once again be in the situation that the
windows build will compile but fail to work, possibly only when some rare
error condition occurs.
Greg Hudson [Mon, 25 Jun 2012 15:19:56 +0000 (11:19 -0400)]
Fix crash on invalid DIR ccache primary file
If read_primary_file() fails with an error other than ENOENT, abort
cache resolution rather than dereferencing a null pointer. Reported
by Oliver Loch.
Tom Yu [Fri, 15 Jun 2012 19:12:16 +0000 (15:12 -0400)]
Use correct profile var in krb5_get_tgs_ktypes
In r21879, when we converted to using KRB5_CONF macros for profile
variable names, we made a typo in krb5_get_tgs_ktypes and erroneously
started using default_tkt_enctypes instead of default_tgs_enctypes for
TGS requests. Fix the typo and return to the documented behavior.
Richard Basch [Tue, 29 May 2012 18:07:03 +0000 (14:07 -0400)]
Null pointer deref in kadmind [CVE-2012-1013]
The fix for #6626 could cause kadmind to dereference a null pointer if
a create-principal request contains no password but does contain the
KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
name"). Only clients authorized to create principals can trigger the
bug. Fix the bug by testing for a null password in check_1_6_dummy.
Greg Hudson [Tue, 22 May 2012 17:45:18 +0000 (13:45 -0400)]
Export gss_mech_krb5_wrong from libgssapi_krb5
Although there are few legitimate reasons to use gss_mech_krb5_wrong,
it's declared in the public header and exported in the Windows DLL.
So export it from the Unix library as well.
Greg Hudson [Thu, 24 May 2012 17:03:26 +0000 (13:03 -0400)]
Fix S4U user identification in preauth case
In 1.10, encrypted timestamp became a built-in module instead of a
hardcoded padata handler. This changed the behavior of
krb5_get_init_creds as invoked by s4u_identify_user such that
KRB5_PREAUTH_FAILED is returned instead of the gak function's error.
(Module failures are not treated as hard errors, while hardcoded
padata handler errors are.) Accordingly, we should look for
KRB5_PREAUTH_FAILED in s4u_identify_user.
On a less harmful note, the gak function was returning a protocol
error code instead of a com_err code, and the caller was testing for a
different protocol error code (KDC_ERR_PREAUTH_REQUIRED) which could
never be returned by krb5_get_init_creds. Clean up both of those by
returning KRB5_PREAUTH_FAILED from the gak function and testing for
that alone.
Greg Hudson [Mon, 21 May 2012 05:39:14 +0000 (01:39 -0400)]
Export krb5_set_trace_callback/filename
krb5_set_trace_callback and krb5_set_trace_filename were added to
krb5.h in krb5 1.9, but were mistakenly left out of the library export
lists. Add them now. Reported by Russ Allbery.
Greg Hudson [Thu, 3 May 2012 15:15:51 +0000 (15:15 +0000)]
In sn2princ, getaddrinfo without AI_ADDRCONFIG
When canonicalizing a principal, use AI_CANONNAME alone in the hint
flags for getaddrinfo, for two reasons. First, it works around a gnu
libc bug where getaddrinfo does a PTR lookup for the canonical name
(we tried to work around this in r24977 bug the addition of
AI_ADDRCONFIG caused the same problem as the use of AF_INET). Second,
an IPv4-only host should be able create a principal for an IPv6-only
host even if it can't contact the host.
This does result in extra AAAA queries in the common case (IPv4-only
host contacting IPv4-only service), which is unfortunate. But we need
to leave that optimization up to the platform at this point.
Appending "--" to the git checkout arguments appears to prevent it
from automatically creating a local branch from the remote. Also
correct the default git URL and clean up a spurious find warning.
(cherry picked from commit 4fc9c72e5d30c94399baf7069a0d0db25e940a68)
Tom Yu [Fri, 27 Apr 2012 22:40:21 +0000 (22:40 +0000)]
Use correct name-type in TGS-REQs for 2008R2 RODCs
Correctly set the name-type for the TGS principals to KRB5_NT_SRV_INST
in TGS-REQs. (Previously, only AS-REQs had the name-type set in this
way.) Windows Server 2008 R2 read-only domain controllers (RODCs)
insist on having the correct name-type for the TGS principal in
TGS-REQs as well as AS-REQs, at least for the TGT-forwarding case.
Thanks to Sebastian Galiano for reporting this bug and helping with
testing.
Initialize use_count fields in krb5_preauth_request_context_init,
which is invoked before each AS request. Previously they were
initialized only in krb5_init_preauth_context, which is only invoked
once per krb5 library context.
A database created prior to 1.3 will have multiple password history
keys, and kadmin prior to 1.8 won't necessarily choose the first one.
So if there are multiple keys, we have to try them all. If none of
the keys can decrypt a password history entry, don't fail the password
change operation; it's not worth it without positive evidence of
password reuse.
projects / thirdparty / krb5.git / log
