Sarah Day [Thu, 18 Feb 2016 21:54:27 +0000 (16:54 -0500)]
Default to LSA when TGT in LSA is inaccessible
When UAC is enabled and a domain user with Administrator privileges
logs in, the TGT is inaccessible. Access to the TGT in a
UAC-restricted session may allow a non-elevated user to bypass the
UAC. In a UAC-restricted session, ms2mit copies the current tickets
from the LSA ccache to the API ccache except the TGT, effectively
preventing a user session from getting additional service tickets
while appearing, for some purposes, to have a usable ccache.
Another bug is that ms2mit always copies from the LSA ccache to the
default ccache, even if the default ccache is itself the LSA ccache.
New behavior:
* If the TGT is accessible in the LSA ccache, copy the LSA ccache to
the API ccache.
* Set the registry key for the default ccname to "API:" if the copy
occurred, or to "MSLSA:" if it didn't occur.
Greg Hudson [Mon, 14 Mar 2016 21:26:34 +0000 (17:26 -0400)]
Fix LDAP null deref on empty arg [CVE-2016-3119]
In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
if there is an empty string in the db_args array. Check for this case
and avoid dereferencing a null pointer.
CVE-2016-3119:
In MIT krb5 1.6 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying an empty DB argument to the modify_principal
command, if kadmind is configured to use the LDAP KDB module.
Greg Hudson [Tue, 23 Feb 2016 22:15:18 +0000 (17:15 -0500)]
Use blocking lock when creating db2 KDB
In 1.11 we switched from non-blocking to blocking locks in the DB2
module, but we missed one call to krb5_lock_file() in ctx_create_db().
This non-blocking lock can cause krb5_db_promote() to fail if the
database is locked when we try to promote the DB, in turn causing
kdb5_util load to fail. Correct this call to make krb5_db_promote()
more robust.
Greg Hudson [Fri, 8 Jan 2016 18:16:54 +0000 (13:16 -0500)]
Fix leaks in kadmin server stubs [CVE-2015-8631]
In each kadmind server stub, initialize the client_name and
server_name variables, and release them in the cleanup handler. Many
of the stubs will otherwise leak the client and server name if
krb5_unparse_name() fails. Also make sure to free the prime_arg
variables in rename_principal_2_svc(), or we can leak the first one if
unparsing the second one fails. Discovered by Simo Sorce.
CVE-2015-8631:
In all versions of MIT krb5, an authenticated attacker can cause
kadmind to leak memory by supplying a null principal name in a request
which uses one. Repeating these requests will eventually cause
kadmind to exhaust all available memory.
Greg Hudson [Fri, 8 Jan 2016 17:52:28 +0000 (12:52 -0500)]
Check for null kadm5 policy name [CVE-2015-8630]
In kadm5_create_principal_3() and kadm5_modify_principal(), check for
entry->policy being null when KADM5_POLICY is included in the mask.
CVE-2015-8630:
In MIT krb5 1.12 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying a null policy value but including KADM5_POLICY in
the mask.
Greg Hudson [Fri, 8 Jan 2016 17:45:25 +0000 (12:45 -0500)]
Verify decoded kadmin C strings [CVE-2015-8629]
In xdr_nullstring(), check that the decoded string is terminated with
a zero byte and does not contain any internal zero bytes.
CVE-2015-8629:
In all versions of MIT krb5, an authenticated attacker can cause
kadmind to read beyond the end of allocated memory by sending a string
without a terminating zero byte. Information leakage may be possible
for an attacker with permission to modify the database.
Greg Hudson [Thu, 14 Jan 2016 22:51:53 +0000 (17:51 -0500)]
Fix iprop server stub error management
The ipropd stubs free client_name and server_name in the cleanup
handler, so should not free them in out-of-memory conditions.
Reported by Will Fiveash.
Robbie Harwood [Wed, 13 Jan 2016 23:17:09 +0000 (18:17 -0500)]
Fix EOF check in kadm5.acl line processing
On platforms where the char type is unsigned, the check for EOF (which
is negative) will always fail, leaving a 255 byte at the end of the
line. This can cause a syntax error, in turn causing the contents of
kadm5.acl to be ignored. Fix this bug by removing the cast on EOF.
[ghudson@mit.edu: more precisely describe consequences of bug in
commit message]
Greg Hudson [Wed, 25 Nov 2015 19:43:35 +0000 (14:43 -0500)]
Fix memory leak in SPNEGO gss_init_sec_context()
After the initial call to spnego_gss_init_sec_context(), the context
handle can leak if init_ctx_cont() returns an error, because the
cleanup handler assumes that spnego_ctx contains the value of
*context_handle. Fix this leak by setting spnego_ctx before the if
block which contains that call. Reported by Adam Bernstein.
Greg Hudson [Fri, 8 Jan 2016 16:54:55 +0000 (11:54 -0500)]
Make ksu work with prompting clpreauth modules
Commit 5fd5a67c5a93514e7d0a64425baa007ad91f57de switched ksu from
using krb5_get_in_tkt_with_password() to
krb5_get_init_creds_password(), but did not supply a prompter
argument. Pass krb5_prompter_posix so that clpreauth modules can
prompt for additional information during authentication.
Tom Yu [Wed, 30 Dec 2015 20:26:54 +0000 (15:26 -0500)]
Add .travis.yml
Do Travis CI testing with clang and gcc, on 64-bit Ubuntu Trusty.
Performance would probably be better using the container-based Travis
infrastructure, but that is currently limited to Precise, and we would
need some important apt packages whitelisted, e.g., dejagnu.
Tom Yu [Wed, 30 Dec 2015 22:17:02 +0000 (17:17 -0500)]
Don't canonicalize hostname in sim_client.c
krb5_mk_req() already canonicalizes the target hostname, so don't try
to use a buffer of size MAXHOSTNAMELEN to canonicalize the hostname
beforehand. This buffer will be too short for some unusually long
FQDNs.
Tom Yu [Wed, 6 Jan 2016 20:24:16 +0000 (15:24 -0500)]
Work around uninitialized warning in cc_kcm.c
Some versions of clang erroneously detect use of an uninitialized
variable reply_len in kcmio_call() when building on non-Mac platforms.
Initialize it to work around this warning.
Simo Sorce [Tue, 5 Jan 2016 17:11:59 +0000 (12:11 -0500)]
Check internal context on init context errors
If the mechanism deletes the internal context handle on error, the
mechglue must do the same with the union context, to avoid crashes if
the application calls other functions with this invalid union context.
[ghudson@mit.edu: edit commit message and code comment]
Tomas Kuthan [Tue, 29 Dec 2015 10:47:49 +0000 (11:47 +0100)]
Check context handle in gss_export_sec_context()
After commit 4f35b27a9ee38ca0b557ce8e6d059924a63d4eff, the
context_handle parameter in gss_export_sec_context() is dereferenced
before arguments are validated by val_exp_sec_ctx_args(). With a null
context_handle, the new code segfaults instead of failing gracefully.
Revert this part of the commit and only dereference context_handle if
it is non-null.
Simo Sorce [Wed, 9 Dec 2015 23:09:18 +0000 (18:09 -0500)]
Set TL_DATA mask flag for master key operations
When kdb5_util adds or removes master keys, it modifies tl-data but
doesn't set the KADM5_TL_DATA mask flag, causing KDB modules that rely
on this signaling (such as the LDAP module) not to store the tl-data
changes. Fix this issue by setting the mask bit in add_new_mkey() and
kdb5_purge_mkeys().
Greg Hudson [Fri, 11 Dec 2015 16:05:32 +0000 (11:05 -0500)]
Add libkrb5support dependencies to test plugins
In some build environments, dependencies on libkrb5support can be
generated just from static inline functions in our header files, even
if those functions aren't used. In two test plugin modules, use
$(KRB5_BASE_DEPLIBS) and $(KRB5_BASE_LIBS) to depend on libkrb5support
as well as libkrb5. (This also pulls in libk5crypto, which is
unnecessary for these modules, but is inconsequential for a test
module.) Reported by Will Fiveash.
Tomas Kuthan [Wed, 30 Sep 2015 13:18:05 +0000 (15:18 +0200)]
Check output params on GSS OID set functions
Add sanity checks for the output parameters of
generic_gss_create_empty_oid_set() and
generic_gss_add_oid_set_member(), which are used directly by the API
functions gss_create_empty_oid_set() and gss_add_oid_set_member().
k5_utf8s_to_ucs2s() reads and ignores one extra byte from the input
string before terminating its loop, possibly overrunning the input
buffer of its caller. This overrun is typically without consequence,
but can show up in tools like asan or valgrind during RC4
string-to-key operations. Fix the bug by swapping the order of the
loop conditions.
Tomas Kuthan [Wed, 16 Sep 2015 10:13:26 +0000 (12:13 +0200)]
Fix error mappings for IOV MIC mechglue funcs
The mechglue functions gss_get_mic_iov(), gss_get_mic_iov_length(),
and gss_verify_mic_iov() don't call map_error() to map
mechanism-specific error codes. As a result, a subsequent call to
gss_display_status() fails with GSS_S_BAD_MECH, because no translation
for the error code is found in the error table.
This patch adds the missing map_error call.
[ghudson@mit.edu: correct a whitespace issue, edit commit message]
Ticket #7223 added new policy fields and a new dump format version to
marshal them, but did not add a new iprop dump format version. As a
result, slave KDCs running 1.11 or later cannot receive full resyncs
from master KDCs running 1.10 or earlier. (Reported by John
Devitofranceschi.)
Retroactively add support for pre-1.11 policy entries by making
process_r1_11_policy() read the first ten fields, check whether the
next whitespace character is a newline, and then read the rest if it
is not.
Greg Hudson [Mon, 2 Nov 2015 03:46:56 +0000 (22:46 -0500)]
Fix SPNEGO context import
The patches for CVE-2015-2695 did not implement a SPNEGO
gss_import_sec_context() function, under the erroneous belief that an
exported SPNEGO context would be tagged with the underlying context
mechanism. Implement it now to allow SPNEGO contexts to be
successfully exported and imported after establishment.
Greg Hudson [Mon, 2 Nov 2015 03:45:21 +0000 (22:45 -0500)]
Fix IAKERB context export/import [CVE-2015-2698]
The patches for CVE-2015-2696 contained a regression in the newly
added IAKERB iakerb_gss_export_sec_context() function, which could
cause it to corrupt memory. Fix the regression by properly
dereferencing the context_handle pointer before casting it.
Also, the patches did not implement an IAKERB gss_import_sec_context()
function, under the erroneous belief that an exported IAKERB context
would be tagged as a krb5 context. Implement it now to allow IAKERB
contexts to be successfully exported and imported after establishment.
CVE-2015-2698:
In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
application which calls gss_export_sec_context() may experience memory
corruption if the context was established using the IAKERB mechanism.
Historically, some vulnerabilities of this nature can be translated
into remote code execution, though the necessary exploits must be
tailored to the individual application and are usually quite
complicated.
Greg Hudson [Tue, 27 Oct 2015 04:44:24 +0000 (00:44 -0400)]
Fix two IAKERB comments
The comment explaining why there is no iakerb_gss_import_sec_context()
erroneously referenced SPNEGO instead of IAKERB (noticed by Ben
Kaduk). The comment above iakerb_gss_delete_sec_context() is out of
date after the last commit.
In build_principal_va(), use k5memdup0() instead of strdup() to make a
copy of the realm, to ensure that we allocate the correct number of
bytes and do not read past the end of the input string. This bug
affects krb5_build_principal(), krb5_build_principal_va(), and
krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not
affected.
CVE-2015-2697:
In MIT krb5 1.7 and later, an authenticated attacker may be able to
cause a KDC to crash using a TGS request with a large realm field
beginning with a null byte. If the KDC attempts to find a referral to
answer the request, it constructs a principal name for lookup using
krb5_build_principal() with the requested realm. Due to a bug in this
function, the null byte causes only one byte be allocated for the
realm field of the constructed principal, far less than its length.
Subsequent operations on the lookup principal may cause a read beyond
the end of the mapped memory region, causing the KDC process to crash.
Nicolas Williams [Mon, 14 Sep 2015 16:28:36 +0000 (12:28 -0400)]
Fix IAKERB context aliasing bugs [CVE-2015-2696]
The IAKERB mechanism currently replaces its context handle with the
krb5 mechanism handle upon establishment, under the assumption that
most GSS functions are only called after context establishment. This
assumption is incorrect, and can lead to aliasing violations for some
programs. Maintain the IAKERB context structure after context
establishment and add new IAKERB entry points to refer to it with that
type. Add initiate and established flags to the IAKERB context
structure for use in gss_inquire_context() prior to context
establishment.
CVE-2015-2696:
In MIT krb5 1.9 and later, applications which call
gss_inquire_context() on a partially-established IAKERB context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash. Java server applications using the
native JGSS provider are vulnerable to this bug. A carefully crafted
IAKERB packet might allow the gss_inquire_context() call to succeed
with attacker-determined results, but applications should not make
access control decisions based on gss_inquire_context() results prior
to context establishment.
Nicolas Williams [Mon, 14 Sep 2015 16:27:52 +0000 (12:27 -0400)]
Fix SPNEGO context aliasing bugs [CVE-2015-2695]
The SPNEGO mechanism currently replaces its context handle with the
mechanism context handle upon establishment, under the assumption that
most GSS functions are only called after context establishment. This
assumption is incorrect, and can lead to aliasing violations for some
programs. Maintain the SPNEGO context structure after context
establishment and refer to it in all GSS methods. Add initiate and
opened flags to the SPNEGO context structure for use in
gss_inquire_context() prior to context establishment.
CVE-2015-2695:
In MIT krb5 1.5 and later, applications which call
gss_inquire_context() on a partially-established SPNEGO context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash. This bug may go unnoticed, because
the most common SPNEGO authentication scenario establishes the context
after just one call to gss_accept_sec_context(). Java server
applications using the native JGSS provider are vulnerable to this
bug. A carefully crafted SPNEGO packet might allow the
gss_inquire_context() call to succeed with attacker-determined
results, but applications should not make access control decisions
based on gss_inquire_context() results prior to context establishment.
In release 1.13, commit eba8c4909ec7ba0d7054d5d1b1061319e9970cc7
(ticket #7232) introduced a memory leak when skipping keytab entries
which do not match the application-provided server specification. Fix
it by freeing the keytab entry before continuing the loop on a failure
to match.
In the mechglue gss_export_sec_context(), make sure to delete the
union context if the underlying mech context has been deleted. This
can happen if the mech's gss_export_sec_context() returns a failure
and deletes the context (not a behavior exhibited by any of our
in-tree mechanisms, but an allowed behavior for other mechs), or if we
fail to allocate space for the wrapped token.
[ghudson@mit.edu: commit message; rename exit label to "cleanup" and
make it valid for all exit cases]
Although our built-in KDB modules do not support client referrals for
AS requests, the KDC is supposed to return one if a third-party module
returns a DB entry containing a principal in a foreign realm.
Unfortunately, this code has never worked; in prepare_error_as(), we
erroneously compare the protocol code errcode against the com_err code
KRB5KDC_ERR_WRONG_REALM; as a result, we never supply the canonical
client principal. Fix this by comparing errcode against the protocol
code KDC_ERR_WRONG_REALM instead.
Solly Ross [Thu, 27 Aug 2015 19:55:35 +0000 (15:55 -0400)]
Check for null name_type in gss_display_name_ext
It is possible for the input name's name_type to be GSS_C_NO_OID.
g_OID_equal() does not account for GSS_C_NO_OID, so we have to
manually check before use to prevent null pointer dereferences.
Before this patch, libkrad would follow the same exact logic for all
socket types when the retries parameter was non-zero. This meant that
when connecting with SOCK_STREAM, multiple requests were sent in case
of packet drops, which, of course, cannot happen for SOCK_STREAM.
Instead, just disable retries for SOCK_STREAM sockets.
Release any previous value of ctx->err_padata before setting it in
init_creds_step_reply(). It could have a prior value after a realm
referral or retriable error.
crypto_retrieve_cert_sans() is allowed to set its princs output to
NULL, although the OpenSSL implementation rarely does. Fix the
TRACE_PKINIT_CLIENT_SAN_KDCCERT_PRINC for loop to allow this like other
parts of the function do, and also get rid of the unnecessary princptr
variable by using an integer index like other parts of the function.
Greg Hudson [Wed, 10 Jun 2015 23:48:51 +0000 (19:48 -0400)]
Tolerate null oid pointer in gss_release_oid()
Under some circumstances, gss_inquire_name() can call
gss_release_oid() with a null oid pointer, which currently causes a
null dereference. The least invasive fix is for gss_release_oid() to
check for the invalid null pointer and return an error, like other
GSS-API functions do.
Ben Kaduk [Wed, 24 Jun 2015 17:34:32 +0000 (13:34 -0400)]
Make the Principal column wider by default
The current 100-pixel default is too small to fit most principal
names (particularly the realm). There is no reason why all the
columns must be the same width, so promote this one as needing
more space.
Ben Kaduk [Tue, 23 Jun 2015 14:38:19 +0000 (10:38 -0400)]
Make registry hostrealm module highest precedence
Testing reveals that there are a number of machines in the wild
which retain old krb5.ini files across domain configuration changes,
and it is difficult to determine which machines are potentially
affected by incorrect stale configuration data.
To enable domain administrators to easily ensure that the correct
default realm is set, allow the registry hostrealm module to take
precedence over the profile.
Note that the registry hostrealm module can still be disabled
in the hostrealm interface configuration statment in the
[plugins] section of the profile.
Ben Kaduk [Fri, 29 May 2015 18:46:58 +0000 (14:46 -0400)]
Stop using the WiX src attribute
The src attribute has been deprecated for a while in favor of
different (more descriptive) attributes for the different XML
elements involved.
For the File element, use the Source attribute.
For the Directory element, use the FileSource attribute.
For the Merge, Binary, and Text elements, use the SourceFile attribute.
This makes the installer build much quieter, with the warnings from
the light.exe invocation all fitting into the default history buffer.
Ben Kaduk [Wed, 27 May 2015 19:36:51 +0000 (15:36 -0400)]
Stop using the WiX Registry element
It is deprecated in favor of more specific XML elements such
as RegistryKey, RegistryValue, and RemoveRegistryKey, so as to
stop overloading a single element for what are fundamentally
different types and operations.
RegistryValue elements can be children of RegistryKey elements,
allowing the Key attribute to be inherited, or bare within the
containing Component. We do not take advantage of the inheritance
at this time, since that would be a more disruptive change.
WiX would prefer for us to not use the createAndRemoveOnUninstall
attribute of <RegistryKey>, in favor of ForceCreateOnInstall
and/or ForceRemoveOnUninstall, but that can wait for a follow-up
commit.
Some instances of <Registry> were commented-out and can simply be
removed.
Some of the <Registry> elements used to create keys were also
setting the KeyPath attribute, which is not permitted in the
<RegistryKey> element. According to
http://sourceforge.net/p/wix/bugs/3197/ , this should never have
been allowed, and non-value registry keys should not be used as
MSI KeyPaths. In all affected cases, there are child
RegistryValue elements that are suitable for use as KeyPath
elements instead.
Some of the <Registry> elements were present with a duplicate
element with different Id that added no new attributes; those
duplicate elements can safely be removed.
<RemoveRegistryKey> is used to replace <Registry> elements
with Action=removeKeyOnInstall.
Ben Kaduk [Mon, 22 Jun 2015 23:11:28 +0000 (19:11 -0400)]
Put focus on password field when principal is set
In the Leash "Get Ticket" window, under some user-customized
configurations, the principal field can be pre-populated. In this case,
it makes sense for the default focus to be on the password field,
since most users will only be using a single principal and should
go directly to typing their password.
The focus was already set to the password field in the case when
the principal was not modifiable (such as when the "Get Ticket" dialog
was opened by an application requesting a specific ticket).
Ben Kaduk [Fri, 22 May 2015 18:38:27 +0000 (14:38 -0400)]
Add leash column for the ccache name
Previously, it was fairly easy to set the default cache to MSLSA:,
which is not collection-enabled (as opposed to the normal default
of API:, which is), and the non-collection behavior proved confusing
to many users.
Ideally there would be an option to choose the output ccache in
the "Get Ticket" window, but that is more complicated to implement
than just a display of what cache a given ticket is in. This
extra display column should still help to alleviate user confusion.
Ben Kaduk [Fri, 22 May 2015 18:42:02 +0000 (14:42 -0400)]
Make ribbon home tab more pretty
In the absence of a label title for a given command group, the
text "MS Shell Dlg" was inserted, which is somewhat confusing to
the user. Give the ticket-maniuplation group a title consisting
of a space, which removes the confusing text from the display.
Ben Kaduk [Mon, 11 May 2015 17:08:42 +0000 (13:08 -0400)]
Reboot after KfW installs to help the LSA cache
It seems that we need to restart in order to be able to query the
contents of the the LSA cache, even if the only contents of the LSA
cache are what we put there, and even if the Microsoft klist.exe
correctly reports the presence of tickets in the LSA cache.
Ben Kaduk [Tue, 5 May 2015 20:55:41 +0000 (16:55 -0400)]
Supply a hostrealm module to query the registry
Implement a default_realm function that checks the
{HKLM,HKCU}\Software\MIT\Kerberos5\default_realm registry values
on Windows, and just returns KRB5_PLUGIN_NO_HANDLE on Unix.
Ben Kaduk [Fri, 6 Mar 2015 20:42:10 +0000 (15:42 -0500)]
Fix loop to determine MSLSA principal name
When looping over principals, check the i-th entry instead of
looking at the 0-th entry each time through the loop. This would
only affect cases when multiple ticket entries were returned from
the LSA, the first one did not have a valid principal name, but
some other one did. It is expected that all of the returned
ticket entries will always have a valid client principal name, so
this is unlikely to cause any functional difference.
Ben Kaduk [Wed, 5 Dec 2012 17:15:07 +0000 (12:15 -0500)]
KfW shortcuts for make default, change password
Shortcut keys such as these (in the ACCELERATORS entry in the resource
file) are what let users type, e.g., ctrl-t to get to the "get tickets"
dialog directly from the main frame. We had shortcut keys for all the
other buttons already, so add these to complete the set.
The make default and change password functionality were already available
using keyboard-only interfaces via the ribbon access keys (tap alt,
then letters to walk through the tree of controls), but the two forms
of keyboard access are implemented differently.
Ben Kaduk [Fri, 10 Apr 2015 21:33:40 +0000 (17:33 -0400)]
Switch to Windows SDK Ribbon from MFC Ribbon
The MFC Ribbon implementation is not very accessible (e.g., to
screen reading software), whereas the windows ribbon provides
essentially the same functionality and good integration with
screen reading software, including the built-in Windows Narrator.
Remove the RT_RIBBON_XML resource from the resource file and
replace it with an inclusion of the generated kfwribbon.rc file.
Also remove the ribbon1.mfcribbon-ms ribbon description from the
res/ directory. Add the appropriate dependency relation in the
Makefile.
LeashUIApplication implements the IUIUApplication interfaces. It
appears to be difficult to cleanly tear down the underlying
IUIFramework and ribbon, since the WM_DESTROY event is handled by the
parent MFC window, which will not call IUIFramework::Destroy().
Manually inserting a call to IUIFramework::Destroy() in the shutdown
handling of the MFC classes is difficult, since the WM_DESTROY message
is handled by a different window than where the ribbon is initialized,
and the MFC framework will attempt to access window objects
corresponding to the UI Ribbon resources after they are destroyed,
which raises exceptions. It seems best to just go without destroying
the IUIFramework, since its lifecycle matches that of the application
and there will be no leaks during the application lifecycle.
LeashUICommandHandler implements the IUICommandHandler interfaces,
passing messages through to the existing MFC handlers, though the
default values for the various checkbox controls must be duplicated.
The (MFC) CMainFrame creates and maintains a handle to the
LeashUIApplication associated with the ribbon it creates, so that
it can query the height of the ribbon and redraw when the
LeashUIApplication signals that the ribbon size has changed.
Record that the added object files depend on kfwribbon.h, so that
the XML markup is compiled sufficiently early in the build.
Ben Kaduk [Thu, 19 Mar 2015 18:14:02 +0000 (14:14 -0400)]
Mention Visual Studio 2010 SP1 in windows README
The service pack is needed to avoid a linker error due to an
issue with the cvtres.exe utility, which manifests as
LINK: fatal error LNK1123: failure during conversion to COFF: file
invalid or corrupt.
Benjamin Kaduk [Fri, 17 Jan 2014 21:02:13 +0000 (16:02 -0500)]
XML Ribbon markup file
The standard windows library ribbon interface is either constructed
at runtime or specified in an XML file. Since we have a static
set of functionality in our ribbon, it is simplest to just use the
XML file.
This should duplicate the interfaces currently provided by the
MFC ribbon, though the menu items in the file menu are slightly
taller than they used to be.
Use uicc.exe to compile the XML to the binary format and produce
a kfwribon.rc resource file and kfwribbon.h header.
Benjamin Kaduk [Mon, 27 Jan 2014 18:07:38 +0000 (13:07 -0500)]
Import separate large ribbon bitmaps
This is the content from homelarge.bmp split up into the
separate component images, since the windows ribbon has the
(more sane) interface of using a separate resource for each
graphic, instead of expecting them all in a single bitmap which
is sliced up at runtime.
The bitmaps are required to have alpha channels, and it seems that
the easiest way to generate bitmaps with alpha channels is to use
Microsoft Paint, since the normal Unix open-source graphics tools
do not want to output this format.
Benjamin Kaduk [Wed, 22 Jan 2014 05:05:57 +0000 (00:05 -0500)]
Remove MBCS from leash's DEFINES
This is just enabling the use of multi-byte character set in the
MFC library, but we do not appear to make use of this feature.
Visual Studio 2013 gives ominous warnings that support for it may
be removed in future versions, so quiet the build and do not
enable the deprecated feature we are not using.
Ben Kaduk [Tue, 14 Apr 2015 19:33:20 +0000 (15:33 -0400)]
Fix leash crash found in some build environments
When freeing a credentials cache name obtained from
krb5_cc_get_full_name(), the code was using plain free()
instead of the matching krb5_free_string(). If these routines
are picked from different modules at runtime, the mismatch
will cause a crash in free(), so change to using the matched
deallocation function.
In order to use it in leash, it must be declared in Lglobals.h and
the function pointer symbol defined in Leash.cpp.
Ben Kaduk [Thu, 14 Aug 2014 17:57:48 +0000 (13:57 -0400)]
Avoid unneeded GetMSTGT() calls in cc_mslsa.c
Both lcc_resolve() and lcc_get_principal() were using GetMSTGT()
to fetch a ticket from which to obtain the client principal name
of the credentials cache. However, that name is contained in
the results of the the cache information query; there is no need
to retrieve a full ticket of any sort to get it. Since there
may sometimes be difficulties obtaining a TGT when UAC is enabled,
avoid these unneeded calls.
Ben Kaduk [Wed, 13 Aug 2014 20:28:57 +0000 (16:28 -0400)]
Remove unused code from cc_mslsa.c
Remove PreserveInitialTicketIdentity() and IsKerberosLogon(), as well
as the preprocessor conditionals ENABLE_PURGING and PURGE_ALL, which
have not been used in a very long time, if ever.
There was one potential callsite of IsKerberosLogon(), in
lcc_resolve(), which was disabled. It is perfectly reasonable to want
to use the MSLSA cache on a non-domain-joined workstation, as it is
now a read-write cache type, so we need not concern ourselves whether
the logon was performed or may have been performed using kerberos.
Ben Kaduk [Wed, 13 Aug 2014 20:31:49 +0000 (16:31 -0400)]
comment some future cleanup for cc_mslsa.c
The function does_query_ticket_cache_ex2() will not be needed once
Windows Server 2003 drops out of support in approximately one year's
time. Note the doom timer at its definition, to facilitate future
cleanup.
Ben Kaduk [Wed, 13 Aug 2014 16:54:37 +0000 (12:54 -0400)]
Remove old Windows support from cc_mslsa.c
It is safe to remove is_windows_2000(), is_windows_xp(), and
is_windows_vista(), since the former two only check for very old
versions of windows which are no longer supported, and
is_windows_vista() was unused. Note that the check being implemented
was whether the running OS was the named version or higher, not an
exact match. The current Microsoft documentation recommends against
the sort of OS version checks that were employed here, in favor of
explicit feature tests.
Remove is_broken_wow64() as the problem it works around (Microsoft
Article ID 960077) is believed to have been fixed in subsequent
updates to Windows Server 2003 and XP.
Remove does_retrieve_ticket_cache_ticket() since support for the
KERB_RETRIEVE_TICKET_CACHE_TICKET flag in the
KERB_RETRIEVE_TKT_REQUEST structure was added in service packs for
Windows Server 2003 and XP. Also remove buildtime fallbacks that
are no longer needed.
Remove the conditionals TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS,
HAVE_CACHE_INFO_EX2, and KERB_SUBMIT_TICKET as all current SDK
versions have the relevant functionality.
In all cases, de-indent chunks that are no longer conditional.
Where indentation levels changed, update the style of the reindented
code to current practices.
projects / thirdparty / krb5.git / log
