Kevin Wasserman [Sat, 21 Jul 2012 12:52:50 +0000 (08:52 -0400)]
Use ListView; add ViewColumn abstraction
Punting FormView since we really only need ListCtrl and using
ListView makes the header column and window resizing work.
The ViewColumn abstraction eliminates some copy/paste code blocks.
HDN_ITEMCHANGED tracks user changes to column widths.
Remove CTreeCtrl-related code.
Also remove some unused code that was generating warnings.
Kevin Wasserman [Tue, 3 Apr 2012 11:02:43 +0000 (07:02 -0400)]
Prep for KfW conversion to ribbon toolbar
Upgrade classes: CWinApp->CWinAppEx, CFrameWnd->CFrameWndEx,
CStatusBar->CMFCStatusBar, CToolBar->CMFCToolBar.
Call AfxOleInit() from CLeashApp::InitInstance()
Do not call LoadBarState() (crashes)
or GetToolBarCtrl() (no longer exists)
Greg Hudson [Sat, 11 Aug 2012 04:13:05 +0000 (00:13 -0400)]
Use gssalloc in more parts of GSSAPI
Fix some GSSAPI buffer allocations which were missed in
800358b1790ef82710af0b6021c6ff2dca2b0de7: gss_export_sec_context,
gss_display_name, and IAKERB and SPNEGO token construction.
In gssint_import_internal_name, don't map the minor code from
mech->gss_duplicate_name if it returned successfully. Fixes an
"unexpected non-zero minor status" error reported by SAP's gsstest
when it invokes gss_canonicalize_name().
Kevin Wasserman [Wed, 1 Aug 2012 22:30:02 +0000 (18:30 -0400)]
Fix oid set construction in gss_inquire_cred()
Use gssapi calls to construct the oid sets. It is not safe on windows
to use malloc to hand-construct the set and then call gss_release_oid_set()
to clean it up.
Tom Yu [Wed, 1 Aug 2012 03:20:30 +0000 (23:20 -0400)]
Fix KDC uninit ptrs [CVE-2012-1014 CVE-2012-1015]
Fix KDC heap corruption and crash vulnerabilities [MITKRB5-SA-2012-001
CVE-2012-1014 CVE-2012-1015].
CVE-2012-1015: The cleanup code in kdc_handle_protected_negotiation()
in kdc_util.c could free an uninitialized pointer in some error
conditions involving "similar" enctypes and a failure in
krb5_c_make_checksum(). Initialize the pointer correctly.
Additionally, adjust the handling of "similar" enctypes to avoid
advertising enctypes that could lead to inadvertent triggering of
CVE-2012-1015 (possibly in unpatched KDCs).
CVE-2012-1014: process_as_req() could encounter an error condition
(typically a malformed AS-REQ message) that could cause its cleanup
code to dereference an uninitialized pointer, causing a crash.
Initialize the pointer correctly.
wshelper is clearly not intended to use unicode:
wprintf is used extensively and exclusively to write to char[] buffers and
fields in dns structs are used as explicitly ASCII text.
Kevin Wasserman [Wed, 6 Jun 2012 22:22:22 +0000 (18:22 -0400)]
KFW win-mac.h fixes
kfw: add int16_t, uint16_t typedefs to win-mac.h
uint16_t is used in chpw.c
include stdlib.h, crtdbg.h in win-mac.h
Allows leak-tracking using built-in msvc tools on windows.
crtdbg.h needs to come _after_ stdlib.h, but _before_ checking for
strdup. Define DEBUG and CRTDBG_MAP_ALLOC for full tracking.
Tom Yu [Thu, 12 Jul 2012 18:26:15 +0000 (14:26 -0400)]
Handle huge /bin directories in libdb2 test
The test suite for libdb2 uses /bin as a source of filenames and
contents for insertion into databases. Fedora 17 (and possibly other
OSes) have /bin symlinked to /usr/bin, which can vastly increase the
number of files found, exceeding some limits of the test databases.
Truncate this list of files at 100 to prevent this problem.
Tom Yu [Thu, 12 Jul 2012 03:35:44 +0000 (23:35 -0400)]
Always recreate acl files during dejagnu tests
The dejagnu tests create some persistent acl files containing
hostname-derived principal names. These can get out of date if the
host has changed names since the last time the dejagnu tests were run,
causing failures (notably in iprop.exp). To avoid this problem,
change the dejagnu tests to always create new acl files for each test
run.
Tom Yu [Mon, 23 Jul 2012 18:56:10 +0000 (14:56 -0400)]
Add krb5int_cc_user_set_default_name
Set the default credential cache name for all processes for the current
user. Currently implemented, for windows only, by setting
HKEY_CURRENT_USER\Software\MIT\Kerberos5:ccname to the specified
ccache name. This will not override the environment variable 'KRB5CCNAME'.
It will override HKEY_LOCAL_MACHINE and 'indirect' registry values.
Kevin Wasserman [Sun, 6 May 2012 19:23:10 +0000 (15:23 -0400)]
Implement switch_to for ccapiv3
krb5_stdccv3_switch_to() calls cc_ccache_set_default().
krb5_stdccv3_resolve() checks for NULL or empty residual and calls
cc_context_get_default_ccache_name() in those cases.
Kevin Wasserman [Fri, 20 Apr 2012 15:36:13 +0000 (11:36 -0400)]
Translate WinSock errors to Posix counterparts
MSVC 2010 defines both Posix and WinSock error values so we can no longer
simply #define the Posix error values to be their WinSock counterpart.
This patch explicitly #includes <errno.h> in port-sockets.h and still
conditionally defines the Posix error values for compatibility with older
MSVC but also translates WinSock errors to Posix for MSVC 2010
compatibility.
The downside to this approach is that there are some Posix errors we
do not currently detect (e.g. EADDRINUSE) that are neither #defined nor
translated. If we use one of those in the future but fail to update
TranslateWSAGetLastError() we'll once again be in the situation that the
windows build will compile but fail to work, possibly only when some rare
error condition occurs.
Greg Hudson [Mon, 25 Jun 2012 15:19:56 +0000 (11:19 -0400)]
Fix crash on invalid DIR ccache primary file
If read_primary_file() fails with an error other than ENOENT, abort
cache resolution rather than dereferencing a null pointer. Reported
by Oliver Loch.
Tom Yu [Fri, 15 Jun 2012 19:12:16 +0000 (15:12 -0400)]
Use correct profile var in krb5_get_tgs_ktypes
In r21879, when we converted to using KRB5_CONF macros for profile
variable names, we made a typo in krb5_get_tgs_ktypes and erroneously
started using default_tkt_enctypes instead of default_tgs_enctypes for
TGS requests. Fix the typo and return to the documented behavior.
Richard Basch [Tue, 29 May 2012 18:07:03 +0000 (14:07 -0400)]
Null pointer deref in kadmind [CVE-2012-1013]
The fix for #6626 could cause kadmind to dereference a null pointer if
a create-principal request contains no password but does contain the
KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
name"). Only clients authorized to create principals can trigger the
bug. Fix the bug by testing for a null password in check_1_6_dummy.
Greg Hudson [Tue, 22 May 2012 17:45:18 +0000 (13:45 -0400)]
Export gss_mech_krb5_wrong from libgssapi_krb5
Although there are few legitimate reasons to use gss_mech_krb5_wrong,
it's declared in the public header and exported in the Windows DLL.
So export it from the Unix library as well.
Greg Hudson [Thu, 24 May 2012 17:03:26 +0000 (13:03 -0400)]
Fix S4U user identification in preauth case
In 1.10, encrypted timestamp became a built-in module instead of a
hardcoded padata handler. This changed the behavior of
krb5_get_init_creds as invoked by s4u_identify_user such that
KRB5_PREAUTH_FAILED is returned instead of the gak function's error.
(Module failures are not treated as hard errors, while hardcoded
padata handler errors are.) Accordingly, we should look for
KRB5_PREAUTH_FAILED in s4u_identify_user.
On a less harmful note, the gak function was returning a protocol
error code instead of a com_err code, and the caller was testing for a
different protocol error code (KDC_ERR_PREAUTH_REQUIRED) which could
never be returned by krb5_get_init_creds. Clean up both of those by
returning KRB5_PREAUTH_FAILED from the gak function and testing for
that alone.
Greg Hudson [Mon, 21 May 2012 05:39:14 +0000 (01:39 -0400)]
Export krb5_set_trace_callback/filename
krb5_set_trace_callback and krb5_set_trace_filename were added to
krb5.h in krb5 1.9, but were mistakenly left out of the library export
lists. Add them now. Reported by Russ Allbery.
Greg Hudson [Thu, 3 May 2012 15:15:51 +0000 (15:15 +0000)]
In sn2princ, getaddrinfo without AI_ADDRCONFIG
When canonicalizing a principal, use AI_CANONNAME alone in the hint
flags for getaddrinfo, for two reasons. First, it works around a gnu
libc bug where getaddrinfo does a PTR lookup for the canonical name
(we tried to work around this in r24977 but the addition of
AI_ADDRCONFIG caused the same problem as the use of AF_INET). Second,
an IPv4-only host should be able to create a principal for an IPv6-only
host even if it can't contact the host.
This does result in extra AAAA queries in the common case (IPv4-only
host contacting IPv4-only service), which is unfortunate. But we need
to leave that optimization up to the platform at this point.
Appending "--" to the git checkout arguments appears to prevent it
from automatically creating a local branch from the remote. Also
correct the default git URL and clean up a spurious find warning.
(cherry picked from commit 4fc9c72e5d30c94399baf7069a0d0db25e940a68)
Tom Yu [Fri, 27 Apr 2012 22:40:21 +0000 (22:40 +0000)]
Use correct name-type in TGS-REQs for 2008R2 RODCs
Correctly set the name-type for the TGS principals to KRB5_NT_SRV_INST
in TGS-REQs. (Previously, only AS-REQs had the name-type set in this
way.) Windows Server 2008 R2 read-only domain controllers (RODCs)
insist on having the correct name-type for the TGS principal in
TGS-REQs as well as AS-REQs, at least for the TGT-forwarding case.
Thanks to Sebastian Galiano for reporting this bug and helping with
testing.
Initialize use_count fields in krb5_preauth_request_context_init,
which is invoked before each AS request. Previously they were
initialized only in krb5_init_preauth_context, which is only invoked
once per krb5 library context.
A database created prior to 1.3 will have multiple password history
keys, and kadmin prior to 1.8 won't necessarily choose the first one.
So if there are multiple keys, we have to try them all. If none of
the keys can decrypt a password history entry, don't fail the password
change operation; it's not worth it without positive evidence of
password reuse.
r24241 (#6755) introduced a bug where if the KDC sends a LastReq entry
containing an account expiry time, we send a prompter warning for
password expiry even if there was no entry containing a password
expiry time. Typically, this results in the message "Warning: Your
password will expire in less than one hour on Thu Jan 1 12:00:00
1970".
Fix this by explicitly checking for pw_exp == 0 in warn_pw_expiry()
after we've gotten past the conditional for invoking the callback.
ticket: 7096
subject: Fix KDB iteration when callback does write calls
target_version: 1.10.1
tags: pullup
kdb_db2's ctx_iterate makes a convenience alias to dbc->db in order
to invoke the DB's seq method. This alias may become
invalidated if the callback writes to the DB, since ctx_lock() may
re-open the DB in order to acquire a write lock. Fix the bug by
getting rid of the convenience alias.
Most KDB iteration operations in the code base do not write to the DB,
but kdb5_util update_princ_encryption does.
Bug discovered and diagnosed by will.fiveash@oracle.com.
ticket: 7092
subject: kvno ASN.1 encoding interop with Windows RODCs
RFC 4120 defines the EncryptedData kvno field as an integer in the
range of unsigned 32-bit numbers. Windows encodes and decodes the
field as a signed 32-bit integer. Historically we do the same in our
encoder in 1.6 and prior, and in our decoder through 1.10. (Actually,
our decoder through 1.10 decoded the value as a long and then cast the
result to unsigned int, so it would accept positive values >= 2^31 on
64-bit platforms but not on 32-bit platforms.)
kvno values that large (or negative) are only likely to appear in the
context of Windows read-only domain controllers. So do what Windows
does instead of what RFC 4120 says.
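Added example, not krb5's ASN.1 encoder or decoder: the two kvno encodings the commit contrasts, side by side, plus a decoder that accepts both and casts a negative two's-complement value to uint32_t the way the commit describes. Function names and the 5-byte content limit are my own choices for illustration.

```c
/* Added example; not krb5's ASN.1 code.  Function names and the
 * 5-byte content limit are assumptions made for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Windows style: kvno treated as a signed 32-bit INTEGER.  A value >= 2^31
 * is therefore encoded as a negative number in at most 4 content bytes. */
size_t der_encode_int32(int32_t v, uint8_t *out, size_t outlen)
{
    uint8_t body[4];
    uint32_t u = (uint32_t)v;
    size_t start = 0, len;
    for (int i = 0; i < 4; i++)
        body[i] = (uint8_t)(u >> (8 * (3 - i)));
    /* DER: drop leading bytes that carry no information (00 before a clear
     * sign bit, FF before a set sign bit). */
    while (start < 3 &&
           ((body[start] == 0x00 && !(body[start + 1] & 0x80)) ||
            (body[start] == 0xFF && (body[start + 1] & 0x80))))
        start++;
    len = 4 - start;
    if (outlen < 2 + len) return 0;
    out[0] = 0x02;                 /* INTEGER tag */
    out[1] = (uint8_t)len;
    memcpy(out + 2, body + start, len);
    return 2 + len;
}

/* RFC 4120 style: kvno is UInt32, so a value >= 2^31 needs a leading 00 byte
 * and 5 content bytes. */
size_t der_encode_uint32(uint32_t v, uint8_t *out, size_t outlen)
{
    uint8_t body[5] = { 0 };
    size_t start = 0, len;
    for (int i = 0; i < 4; i++)
        body[1 + i] = (uint8_t)(v >> (8 * (3 - i)));
    while (start < 4 && body[start] == 0x00 && !(body[start + 1] & 0x80))
        start++;
    len = 5 - start;
    if (outlen < 2 + len) return 0;
    out[0] = 0x02;
    out[1] = (uint8_t)len;
    memcpy(out + 2, body + start, len);
    return 2 + len;
}

/* Tolerant decoder: accepts both encodings above.  A negative two's-complement
 * value is cast to uint32_t, so 02 04 80 00 00 00 and 02 05 00 80 00 00 00
 * both yield 2147483648.  Returns 0 on success, -1 on malformed input. */
int der_decode_kvno(const uint8_t *in, size_t inlen, uint32_t *kvno)
{
    size_t len;
    uint64_t u = 0;
    int64_t v;
    if (inlen < 3 || in[0] != 0x02) return -1;
    len = in[1];
    if (len == 0 || len > 5 || inlen < 2 + len) return -1;
    if (len == 5 && in[2] != 0x00) return -1;          /* would exceed 32 bits */
    if (len > 1 && ((in[2] == 0x00 && !(in[3] & 0x80)) ||
                    (in[2] == 0xFF && (in[3] & 0x80))))
        return -1;                                      /* not minimal DER */
    for (size_t i = 0; i < len; i++)
        u = (u << 8) | in[2 + i];
    v = (int64_t)u;
    if (in[2] & 0x80)                   /* sign bit set: two's-complement negative */
        v -= (int64_t)1 << (8 * len);
    *kvno = (uint32_t)v;                /* -2147483648 -> 2147483648, as Windows does */
    return 0;
}

/* Round-trip helpers: encode v in one style, then decode it with the tolerant
 * decoder.  Return the encoded length (0 on failure) or the decoded value. */
static size_t roundtrip(uint32_t v, int windows_style, uint32_t *decoded)
{
    uint8_t buf[8];
    /* (int32_t)v wraps modulo 2^32 on two's-complement targets. */
    size_t n = windows_style ? der_encode_int32((int32_t)v, buf, sizeof buf)
                             : der_encode_uint32(v, buf, sizeof buf);
    if (n == 0 || der_decode_kvno(buf, n, decoded) != 0) return 0;
    return n;
}
size_t kvno_roundtrip_len(uint32_t v, int windows_style)
{
    uint32_t d;
    return roundtrip(v, windows_style, &d);
}
uint32_t kvno_roundtrip_value(uint32_t v, int windows_style)
{
    uint32_t d = 0;
    return roundtrip(v, windows_style, &d) ? d : 0;
}
```

The decoder is the part that matters for interoperability: a strict UInt32 decoder rejects the 4-byte negative form an RODC sends, while a decoder that reads into a 32-bit long and casts accepts both forms on every platform, which is the behaviour the commit settles on.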
In the kadmin protocol, make the access controls for
get_strings/set_string mirror those of get_principal/modify_principal.
Previously, anyone with global list privileges could get or modify
string attributes on any principal. The impact of this depends on how
generous the kadmind acl is with list permission and whether string
attributes are used in a deployment (nothing in the core code uses
them yet).
GSS functions which accept gss_buffer_t output arguments should
initialize those buffers to empty on startup (see gss_wrap, for
instance). Do so for gss_get_name_attribute in the mechglue.
ticket: 7087
status: open
target_version: 1.10.1
tags: pullup
Set display_value in krb5_gss_get_name_attribute
A backwards conditional in r25358 caused krb5_gss_get_name_attribute
not to set display_value on success. Fix the sense of the
conditional.
We still don't quite correctly handle the cases where data_to_gss()
fails, but those should be rare and the problem in those cases isn't
severe, so it can be fixed separately.
Also, value and display_value should probably be initialized to null
buffers on failure, as is common with GSS interfaces.
gcc -O3 is aggressive enough to detect that do_cons() doesn't always
set the value of rlen2, so trval2() gets a maybe-uninitialized
warning. Squash it by initializing rlen2.
krb5_gss_inquire_cred_by_mech checks its mech argument against two of
the four mechs a krb5 cred might have (the krb5 mech and the old krb5
mech, but not the wrong Microsoft mech or the IAKERB mech), so would
spuriously fail for the other two mechs. There is no reason to check
the mechanism if we assume a reasonable mechglue is interpreting
application gss_inquire_cred_by_mech calls, so just remove the check.
Don't touch the lookaside cache if we're responding with a lookaside
cache entry. Also, leave the null entry behind if we're deliberately
dropping a request (a rare case) so that we don't have to process it
again. Fixes several lookaside problems in 1.10:
* When dropping a request because it was already being processed, we
were erroneously removing the null entry, causing us to process the
request again upon a second retransmit.
* When responding to a finished request with a lookaside entry, we
were removing and re-adding the entry to the cache, resetting its
time and performing unnecessary work.
* We were not caching responses we couldn't deliver because they were
too big for UDP, causing us to re-process the request when it came
in again via TCP instead of simply delivering the cached response.
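Added example, not the KDC's own replay/lookaside code: a minimal lookaside cache that follows the three rules in the commit above (a null entry marks a request in progress or deliberately dropped and is left alone on retransmit, a cached reply is served without touching the entry so its timestamp is preserved, and a response is cached even when it was too big to send over UDP). The la_* names, the fixed-size table and the sample request bytes are constructed for illustration.

```c
/* Added example, not krb5's kdc lookaside code.  Names (la_*), table sizes
 * and the sample requests are assumptions made for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

#define LA_ENTRIES 64
#define LA_MAX_REQ 256
#define LA_MAX_RESP 512

enum la_result { LA_PROCESS, LA_DROP, LA_REPLY };

struct la_entry {
    int in_use;
    time_t added;              /* set when the null entry is created, never reset */
    size_t reqlen, resplen;
    int have_resp;             /* 0 = null entry: in progress or deliberately dropped */
    uint8_t req[LA_MAX_REQ], resp[LA_MAX_RESP];
};

struct la_cache { struct la_entry e[LA_ENTRIES]; };

struct la_cache g_cache;       /* zero-initialised: every entry free */

static struct la_entry *la_find(struct la_cache *c, const uint8_t *req, size_t n)
{
    for (size_t i = 0; i < LA_ENTRIES; i++)
        if (c->e[i].in_use && c->e[i].reqlen == n &&
            memcmp(c->e[i].req, req, n) == 0)
            return &c->e[i];
    return NULL;
}

/* A request arrives.  LA_PROCESS: a null entry was added, caller must process
 * it.  LA_DROP: the same request is in progress or was deliberately dropped;
 * do nothing and leave the null entry alone.  LA_REPLY: send *resp; the entry
 * is not modified, so its timestamp is preserved. */
enum la_result la_lookup(struct la_cache *c, const uint8_t *req, size_t n,
                         time_t now, const uint8_t **resp, size_t *resplen)
{
    struct la_entry *e = la_find(c, req, n);
    if (e != NULL) {
        if (!e->have_resp) return LA_DROP;
        if (resp) *resp = e->resp;
        if (resplen) *resplen = e->resplen;
        return LA_REPLY;
    }
    if (n > LA_MAX_REQ) return LA_PROCESS;   /* too big to cache; just process it */
    for (size_t i = 0; i < LA_ENTRIES; i++) {
        e = &c->e[i];
        if (e->in_use) continue;
        memset(e, 0, sizeof *e);
        e->in_use = 1; e->added = now; e->reqlen = n;
        memcpy(e->req, req, n);
        return LA_PROCESS;
    }
    return LA_PROCESS;                       /* table full: process uncached */
}

/* Processing finished with a response.  Store it even when it will not fit in
 * a UDP reply, so the TCP retry is answered from the cache.  Returns 0, or -1
 * if there is no null entry for this request or the response is too large. */
int la_finish(struct la_cache *c, const uint8_t *req, size_t n,
              const uint8_t *resp, size_t resplen)
{
    struct la_entry *e = la_find(c, req, n);
    if (e == NULL || e->have_resp || resplen > LA_MAX_RESP) return -1;
    memcpy(e->resp, resp, resplen);
    e->resplen = resplen; e->have_resp = 1;
    return 0;
}

/* Seconds since the entry was created, or -1 if absent.  Serving replies
 * from the cache must not change this value. */
long la_entry_age(struct la_cache *c, const uint8_t *req, size_t n, time_t now)
{
    struct la_entry *e = la_find(c, req, n);
    return e ? (long)(now - e->added) : -1;
}

/* Remove entries older than lifetime seconds; returns how many were removed.
 * Because la_lookup never resets 'added', a client hammering the KDC with
 * retransmits cannot keep an entry alive forever. */
int la_expire(struct la_cache *c, time_t now, long lifetime)
{
    int removed = 0;
    for (size_t i = 0; i < LA_ENTRIES; i++)
        if (c->e[i].in_use && now - c->e[i].added > lifetime) {
            c->e[i].in_use = 0;
            removed++;
        }
    return removed;
}
```

A deliberate drop is simply a request for which la_finish is never called: the null entry stays, so every later retransmit gets LA_DROP until la_expire removes it.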
ticket: 7081
subject: Don't use stack variable address in as_req state
target_version: 1.10
tags: pullup
The KDC's process_as_req was storing the address of a stack variable
(client_princ), which fails if the request is not immediately
serviced. Move that variable to the state structure so its address
remains valid for the lifetime of the request.
ticket: new
subject: LIBS should not include PKINIT_CRYPTO_IMPL_LIBS
tags: pullup
target_version: 1.10
AC_CHECK_LIB should put -lcrypto in PKINIT_CRYPTO_IMPL_LIBS not LIBS
for pkinit. A similar problem exists for crypto_impl and is not
addressed by this patch.
If krb5_server_decrypt_ticket_keytab doesn't find a key of the
appropriate enctype in an iterable keytab, it returns 0 (without
decrypting the ticket) due to a misplaced initialization of retval.
This bug causes kinit -k to claim "keytab entry valid" when it
shouldn't. Reported by mark@mproehl.net.
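Added example, not krb5's krb5_server_decrypt_ticket_keytab: the fail-open loop shape the commit describes, beside the corrected one. When retval starts at 0 and the loop only assigns it after an enctype match, a keytab with no matching enctype never runs the decryption and the function reports success. The enctype numbers, error codes, keytab entries and toy decrypt routine are constructed for illustration.

```c
/* Added example, not krb5 code.  Enctype numbers, error codes, the sample
 * keytab and the toy "decrypt" are assumptions made for illustration. */
#include <stddef.h>
#include <string.h>

#define ENCTYPE_AES128 17
#define ENCTYPE_AES256 18
#define ERR_KT_NOTFOUND   (-1)   /* assumed: no usable key in the keytab */
#define ERR_BAD_INTEGRITY (-2)   /* assumed: key present but decryption failed */

struct kt_entry { int enctype; unsigned char key[4]; };
struct ticket   { int enctype; unsigned char key_used[4]; };

/* Constructed keytab: AES256 keys only. */
const struct kt_entry sample_keytab[] = {
    { ENCTYPE_AES256, { 1, 2, 3, 4 } },
    { ENCTYPE_AES256, { 5, 6, 7, 8 } },
};
const struct ticket ticket_aes128      = { ENCTYPE_AES128, { 1, 2, 3, 4 } };
const struct ticket ticket_aes256_good = { ENCTYPE_AES256, { 5, 6, 7, 8 } };
const struct ticket ticket_aes256_bad  = { ENCTYPE_AES256, { 9, 9, 9, 9 } };

/* Toy stand-in for decrypting the ticket's enc-part: succeeds only when the
 * keytab key equals the key the ticket was encrypted with. */
static int try_decrypt(const struct ticket *t, const struct kt_entry *e)
{
    return memcmp(t->key_used, e->key, sizeof e->key) == 0 ? 0 : ERR_BAD_INTEGRITY;
}

/* Buggy shape: retval is initialised to 0 before iteration, so if no entry
 * has the ticket's enctype, try_decrypt never runs and 0 ("valid") is
 * returned without a single decryption having been attempted. */
int decrypt_ticket_buggy(const struct ticket *t, const struct kt_entry *kt, size_t n)
{
    int retval = 0;
    for (size_t i = 0; i < n; i++) {
        if (kt[i].enctype != t->enctype) continue;
        retval = try_decrypt(t, &kt[i]);
        if (retval == 0) break;
    }
    return retval;
}

/* Fixed shape: start from "not found" and report success only after a
 * decryption actually succeeded; a wrong-key failure is kept if no key works. */
int decrypt_ticket_fixed(const struct ticket *t, const struct kt_entry *kt, size_t n)
{
    int retval = ERR_KT_NOTFOUND;
    for (size_t i = 0; i < n; i++) {
        if (kt[i].enctype != t->enctype) continue;
        retval = try_decrypt(t, &kt[i]);
        if (retval == 0) break;
    }
    return retval;
}
```

The general rule the fix illustrates: in any search-then-verify loop, the "nothing matched" outcome must be an explicit error, never the zero that doubles as success.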
r25348 modified the edata method of the kdcpreauth interface to
be async-capable, but neglected to convert the securid_sam2 module's
edata function. Do that now.
Fix an unlikely memory leak in r25591
------------------------------------------------------------------------
r25591 | ghudson | 2011-12-16 18:19:01 -0500 (Fri, 16 Dec 2011) | 14 lines
ticket: 6936
target_version: 1.10
tags: pullup
Do mech fallback for first SPNEGO context token
When producing the first SPNEGO security context token, if the first
mechanism's init_sec_context fails, fall back to a later mechanism.
This fixes a regression in 1.10 for SPNEGO initiators using non-krb5
credentials. The identity selection work causes errors to be deferred
from krb5's acquire_cred in some cases, which means SPNEGO doesn't see
an error until it tries the krb5 init_sec_context.
In spnego_gss_ctx_id_rec, store the set of negotiable mechanisms as
well as the currently selected internal_mech, which becomes an alias
into mech_set. In init_ctx_reselect, locate the acceptor's
counter-proposal in sc->mech_set and consider the token defective if it
is not found.
Tom Yu [Wed, 14 Dec 2011 00:07:54 +0000 (00:07 +0000)]
Squash commits for KfW updates
windows ccapiserver: replace Sleep with event wait
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
fix warning in test_cc_credentials_iterator_next.c
include test_ccapi_iterators.h for check_cc_credentials_iterator_next
Make ccapiserver exit if its receiveloop thread terminates for any reason.
This happens, for example, when the rpc endpoint is already registered
by another ccapiserver process. There's no reason to leave a zombie
process running that can't receive messages.
windows ccapi: launch server without console by default.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
windows ccapi: use a random challenge to authenticate ccapiserver.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
LeashView.cpp: only specify TVIF_TEXT if there is actually text.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: add runtime.wxi WIXINCLUDES in Makefile to fix dependencies.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
Windows leash64 fixes: use proper names for leash and krb5 dlls
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
Windows leash fixes: 'make install' installs leash exes.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: use MSVC 2010 merge modules
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: install leash32.exe
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: clean out unused #defines from Lglobals.h
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: use correct message id to obtain tgt from leash
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: update copyright notice in license.rtf
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fixes: install xpprof32
TODO: xpprof64!
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: purge support for old compilers
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: don't build installer into installer
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fixes: make leash ignore credentials that store config principals.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fix: make Leash_kdestroy() actually destroy k5 tickets
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fix: Add custom "Password incorrect" message to Leash_int_kinit_ex()
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fixes: define USE_MESSAGE_BOX in leashdll code for user feedback.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fixes: krb5_get_init_creds_opt_init->krb5_get_init_creds_opt_alloc
Should enable leash to generate config credentials (needs verification!)
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fix: int -> size_t to fix warning in krb5routines.c
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fix: restructure low ticket warning popup code to workaround mfc bug
mfc bug causes assertions when dialog is generated from
within PreTranslateMessages() (MSG input param points to a global
variable which is corrupted in the dialog message loop). So we need
to instead PostMessage() to cause the popup later.
Also fixed logic to cause warning dialog to actually be modal as intended
when the leash window is not minimized.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fixes: fix _snprintf usage; use full error code in leash_error_message
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw fixes: ccapiserver only quits after all clients detach.
Not sure if this is really a good idea or not...
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: generate manifests
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: generate leash shortcuts (desktop and start menu)
...also install xpprof64
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: fix 'K5_ORIGINAL_NAME' for 64 bit dlls.
...still need to actually define _WIN64 for rc.exe though
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: purge bufferoverflowu from custom.dll
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: rename leash32/64.exe to simply leash.exe
Also install leash.exe in 64 bit installer.
Split cci_thread_init into per-process and per-thread portions
Call the per-thread code on thread attach and per-process once per
process. Previously, while the function was named 'thread', it was
only actually called once per process. Currently, the per-thread
code does nothing on non-windows platforms and is not even actually
invoked.
Fixes a windows bug when multiple non-main threads try to use ccapi
at the same time.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw leash: add -console option to create console for debug output
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: use _WIN64 names where appropriate
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw leash: bracket krb.con code with #ifndef NO_KRB4
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: install krb5.ini to CommonAppDataFolder, not WindowsFolder
...but only if there isn't already a krb5.ini in the WindowsFolder.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: "make install" also installs pdbs
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: leash32.pdb->leash.pdb
kfw installer: add site-local.wxi
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: leash htmlhelp file source
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: use html help in leash
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: "make install" installs htmlhelp (leash.chm)
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw installer: install leash help file (leash.chm)
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw: remove line breaks from html to fix table of contents generation
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw leash help: fix/add aliases for command help
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
kfw leash: fix bad data in get tickets dialog when -autoinit specified
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7050
version_fixed: 1.10
status: resolved
When the client application requests optimistic preauth for a preauth
type which uses the password, we don't have an etype-info2 to
interpret since we haven't talked to the KDC. So we need to guess an
enctype, salt, and s2k parameters. In 1.9 and prior, encrypted
timestamp contained code to use the first requested enctype in this
case, but encrypted challenge did not. In 1.10 prior to this change,
neither mechanism uses a reasonable default.
Set a default enctype in krb5_init_creds_init so that all
password-based preauth mechanisms will use a reasonable default in the
optimistic preauth case. The default salt and s2k parameters for this
case will be the principal-based default salt and the enctype-based
default parameters.