branch: master
Commits on May 11, 2015
  1. @kaduk

    Reboot after KfW installs to help the LSA cache

    kaduk authored
    It seems that we need to restart in order to be able to query the
    contents of the LSA cache, even if the only contents of the LSA
    cache are what we put there, and even if the Microsoft klist.exe
    correctly reports the presence of tickets in the LSA cache.
    ticket: 8176 (new)
    queue: kfw
    tags: pullup
    target_version: 1.13.3
  2. @kaduk

    Bump KRB5_MINOR_RELEASE for windows

    kaduk authored
    Future releases will come from the KfW 4.1.x series.
    ticket: 8174 (new)
    tags: pullup
    target_version: 1.13.3
  3. @kaduk

    Supply a hostrealm module to query the registry

    kaduk authored
    Implement a default_realm function that checks the
    {HKLM,HKCU}\Software\MIT\Kerberos5\default_realm registry values
    on Windows, and just returns KRB5_PLUGIN_NO_HANDLE on Unix.
    ticket: 8173 (new)
    tags: pullup
    target_version: 1.13.3
  4. @kaduk

    Do not set allow_weak_crypto for KfW

    kaduk authored
    The MIT-internal users no longer need this crutch.
    ticket: 8178 (new)
    queue: kfw
    tags: pullup
    target_version: 1.13.3
  5. @kaduk

    Fix loop to determine MSLSA principal name

    kaduk authored
    When looping over principals, check the i-th entry instead of
    looking at the 0-th entry each time through the loop.  This would
    only affect cases when multiple ticket entries were returned from
    the LSA, the first one did not have a valid principal name, but
    some other one did.  It is expected that all of the returned
    ticket entries will always have a valid client principal name, so
    this is unlikely to cause any functional difference.
    ticket: 8177 (new)
    queue: kfw
    tags: pullup
    target_version: 1.13.3
  6. @kaduk

    KfW shortcuts for make default, change password

    kaduk authored
    Shortcut keys such as these (in the ACCELERATORS entry in the resource
    file) are what let users type, e.g., ctrl-t to get to the "get tickets"
    dialog directly from the main frame.  We had shortcut keys for all the
    other buttons already, so add these to complete the set.
    The make default and change password functionality were already available
    using keyboard-only interfaces via the ribbon access keys (tap alt,
    then letters to walk through the tree of controls), but the two forms
    of keyboard access are implemented differently.
    ticket: 7442
    tags: pullup
    target_version: 1.13.3
Commits on Apr 30, 2015
  1. @kaduk

    Remove (old) consolidated ribbon bitmaps

    kaduk authored
    We are no longer using the MFC ribbon, so these resources
    are now unused.  Garbage-collect them accordingly.
  2. @kaduk

    Remove another lingering Leash reference

    kaduk authored
    Be consistent with the MIT Kerberos brand.
  3. @kaduk

    Switch to Windows SDK Ribbon from MFC Ribbon

    kaduk authored
    The MFC Ribbon implementation is not very accessible (e.g., to
    screen reading software), whereas the windows ribbon provides
    essentially the same functionality and good integration with
    screen reading software, including the built-in Windows Narrator.
    Remove the RT_RIBBON_XML resource from the resource file and
    replace it with an inclusion of the generated kfwribbon.rc file.
    Also remove the ribbon1.mfcribbon-ms ribbon description from the
    res/ directory.  Add the appropriate dependency relation in the
    LeashUIApplication implements the IUIApplication interfaces.  It
    appears to be difficult to cleanly tear down the underlying
    IUIFramework and ribbon, since the WM_DESTROY event is handled by the
    parent MFC window, which will not call IUIFramework::Destroy().
    Manually inserting a call to IUIFramework::Destroy() in the shutdown
    handling of the MFC classes is difficult, since the WM_DESTROY message
    is handled by a different window than where the ribbon is initialized,
    and the MFC framework will attempt to access window objects
    corresponding to the UI Ribbon resources after they are destroyed,
    which raises exceptions.  It seems best to just go without destroying
    the IUIFramework, since its lifecycle matches that of the application
    and there will be no leaks during the application lifecycle.
    LeashUICommandHandler implements the IUICommandHandler interfaces,
    passing messages through to the existing MFC handlers, though the
    default values for the various checkbox controls must be duplicated.
    The (MFC) CMainFrame creates and maintains a handle to the
    LeashUIApplication associated with the ribbon it creates, so that
    it can query the height of the ribbon and redraw when the
    LeashUIApplication signals that the ribbon size has changed.
    Record that the added object files depend on kfwribbon.h, so that
    the XML markup is compiled sufficiently early in the build.
  4. @kaduk

    Mention Visual Studio 2010 SP1 in windows README

    kaduk authored
    The service pack is needed to avoid a linker error due to an
    issue with the cvtres.exe utility, which manifests as
    LINK: fatal error LNK1123: failure during conversion to COFF: file
    invalid or corrupt.
  5. @kaduk

    Do not link atl.lib into leash

    kaduk authored
    We do not consume anything from the Active Template Library, and
    the atl.lib form of it has been removed from Visual Studio 2013.
  6. @kaduk

    XML Ribbon markup file

    kaduk authored
    The standard windows library ribbon interface is either constructed
    at runtime or specified in an XML file.  Since we have a static
    set of functionality in our ribbon, it is simplest to just use the
    XML file.
    This should duplicate the interfaces currently provided by the
    MFC ribbon, though the menu items in the file menu are slightly
    taller than they used to be.
    Use uicc.exe to compile the XML to the binary format and produce
    a kfwribbon.rc resource file and kfwribbon.h header.
  7. @kaduk

    Import separate large ribbon bitmaps

    kaduk authored
    This is the content from homelarge.bmp split up into the
    separate component images, since the windows ribbon has the
    (more sane) interface of using a separate resource for each
    graphic, instead of expecting them all in a single bitmap which
    is sliced up at runtime.
    The bitmaps are required to have alpha channels, and it seems that
    the easiest way to generate bitmaps with alpha channels is to use
    Microsoft Paint, since the normal Unix open-source graphics tools
    do not want to output this format.
  8. @kaduk

    Remove MBCS from leash's DEFINES

    kaduk authored
    This is just enabling the use of multi-byte character set in the
    MFC library, but we do not appear to make use of this feature.
    Visual Studio 2013 gives ominous warnings that support for it may
    be removed in future versions, so quiet the build and do not
    enable the deprecated feature we are not using.
  9. @kaduk

    Fix leash crash found in some build environments

    kaduk authored
    When freeing a credentials cache name obtained from
    krb5_cc_get_full_name(), the code was using plain free()
    instead of the matching krb5_free_string().  If these routines
    are picked from different modules at runtime, the mismatch
    will cause a crash in free(), so change to using the matched
    deallocation function.
    In order to use it in leash, it must be declared in Lglobals.h and
    the function pointer symbol defined in Leash.cpp.
Commits on Apr 29, 2015
  1. @greghudson

    Remove doc/procedures.txt

    greghudson authored
    This file is out of date, and we now use the wiki for the kind of
    material it covers.  Most of the information here is covered
  2. @mmattioli @greghudson

    Update copyright in README to 2015

    mmattioli authored greghudson committed
  3. @mmattioli @greghudson

    Fix minor documentation errors

    mmattioli authored greghudson committed
    Fix typos, remove excess header underlines, and remove trailing
    [ squashed several commits, summarized commit
    ticket: 8170 (new)
    target_version: 1.13.2
Commits on Apr 27, 2015
  1. @greghudson

    Prevent requires_preauth bypass [CVE-2015-2694]

    greghudson authored
    In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until
    the request is successfully verified.  In the PKINIT kdcpreauth
    module, don't respond with code 0 on empty input or an unconfigured
    realm.  Together these bugs could cause the KDC preauth framework to
    erroneously treat a request as pre-authenticated.
    In MIT krb5 1.12 and later, when the KDC is configured with PKINIT
    support, an unauthenticated remote attacker can bypass the
    requires_preauth flag on a client principal and obtain a ciphertext
    encrypted in the principal's long-term key.  This ciphertext could be
    used to conduct an off-line dictionary attack against the user's
        CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C
    ticket: 8160 (new)
    target_version: 1.13.2
    tags: pullup
    subject: requires_preauth bypass in PKINIT-enabled KDC [CVE-2015-2694]
Commits on Apr 16, 2015
  1. @greghudson

    Fix memory leak in DB2 iteration

    Pavel Jindra authored greghudson committed
    Use the correct function to free the decoded principal entry in
    [ commit message]
    ticket: 8168
    target_version: 1.13.2
    tags: pullup
Commits on Apr 15, 2015
  1. @greghudson

    Add tests for key rotation and 32-bit keytab kvnos

    greghudson authored
    In, test that kvnos no longer wrap after 255 or 32767, that
    they do wrap from 65535 to 1, and that kadmin ktrem preserves the more
    recent key after a wraparound.
    Also test edge cases of the 32-bit keytab kvno extension using
    hand-crafted keytab entries.
    ticket: 7532
  2. @greghudson

    Adjust keytab kvno workarounds

    greghudson authored
    In krb5_ktfile_get_entry(), change the pivot and fuzzy match
    workarounds for kvnos to work with the 32-bit kvno extension.  For the
    pivot logic, try to recognize kvno wraparound at boundary by looking
    at the relative timestamps and the size of the version difference.
    For the fuzzy match logic, remember the first match against the low 8
    bits of the desired kvno, but keep searching for an exact match.
    ticket: 7532
  3. @greghudson

    Implement 32-bit keytab kvno extension

    greghudson authored
    Heimdal and Shishi support a 32-bit kvno at the end of a keytab entry,
    overriding the 8-bit version if present.  Implement this in the FILE
    keytab type and document it in keytab_file_format.rst.
    ticket: 7532
  4. @greghudson

    Expand kadmin protocol kvno range

    greghudson authored
    Make xdr_krb5_kvno() use xdr_u_int() instead of xdr_u_char(), allowing
    it to marshal kvno values up to 32 bits.  This change is
    backwards-compatible because XDR uses four bytes to marshal char
    values and does no bounds checking of char values on decode.
    ticket: 7532
  5. @greghudson

    Use unsigned 16-bit type for key data kvno

    greghudson authored
    Change key_data_kvno from a signed 16-bit field to an unsigned 16-bit
    field, since negative values are never meaningful.  When adding new
    keys, wrap from 65535 to 1 to avoid using the special value 0.
    Don't bump the KDB binary version since this change is unlikely to
    affect callers.
    ticket: 7532
Commits on Apr 14, 2015
  1. @greghudson

    Fix LDAP ticket policies on big-endian LP64

    greghudson authored
    krb5_ldap_get_value() takes a pointer to int, and should not be passed
    a pointer to any integral type which might have a different width.
    Use an intermediate variable for each call.
    The erroneous calls in ldap_misc.c were passing pointers to int32_t,
    which is harmless on all common platforms.  The calls in
    ldap_tkt_policy.c were passing pointers to long; on big-endian LP64
    platforms, the result would be written to the high 32 bits of the long
    ticket: 8166
    target_version: 1.13.2
    tags: pullup
  2. @tlyu

    Remove STRING_BUFFER() macro in gssapi_generic.c

    tlyu authored
    In gssapi_generic.c, struct mech_attr_info_desc included some
    gss_buffer_desc members whose length fields were never used.
    Additionally, the STRING_BUFFER() macro's computation of the (unused)
    length fields was incorrect, causing warnings in some versions of
    clang.  Remove the problematic STRING_BUFFER() macro and adjust the
    array and generic_gss_display_mech_attr() accordingly.
Commits on Apr 13, 2015
  1. @greghudson

    Avoid unnecessary iprop full resyncs after resets

    greghudson authored
    When resetting the ulog header or initializing it from a dump file
    kdb_last_t value, instead of setting kdb_num to 0, create a dummy
    entry for the last_sno value so that we can remember its timestamp.
    With this change, a slave no longer needs to perform two full resyncs
    after an upstream header initialization.  Dummy entries are never
    transmitted to downstream slaves because the iprop protocol never
    transmits the kdb_first_sno update; if one is somehow transmitted, the
    slave will ignore it because it doesn't have the kdb_commit flag set.
    reset_header() is renamed to reset_ulog(), takes a kdb_log_context
    parameter, and is responsible for syncing the header.  sync_update()
    now returns void and aborts if msync() fails, just like sync_header().
    A new helper set_dummy() writes a dummy entry and sets the ulog to
    point to it.
    Adjust kproplog to recognize and display dummy entries.  Adjust
    t_ulog.c and for the new behavior.  In, remove a
    kpropd -t test which became redundant with the previous test.
    ticket: 8164 (new)
  2. @greghudson

    Add kpropd -t iprop-mode tests

    greghudson authored
    Add a run_kpropd_once() method to K5Realm(), and add tests to for the cases where no updates are needed, where
    incremental updates are needed, and where a full resync is needed
    followed by a poll for updates.
    ticket: 8161
  3. @greghudson

    Document kpropd -t and fix it in iprop mode

    greghudson authored
    If kpropd is asked to run just once, don't exit after starting a full
    resync; we want to wait for the fullprop child to process the request,
    and then request incremental updates afterwards.  Also don't exit from
    do_standalone() in the fullprop child, in case multiple full resyncs
    are required to get the database up to date.
    Document the -t flag in kpropd.rst.
    ticket: 8161
  4. @greghudson

    In kpropd, poll after finishing resync

    greghudson authored
    When kpropd operates in iprop mode, full resyncs are handled by a
    child process.  After a full resync, we want to poll for incremental
    updates, as the dump we received may have come from a pre-existing
    dump file which was not current.  To make this polling happen
    promptly, signal the parent process from the child process after a
    dump is received.
    With this change, no longer has to prod kpropd after a full
    resync occurs, so remove that logic.
    ticket: 8161
  5. @greghudson

    Add tests for client principal aliases

    greghudson authored
    Augment the LDAP KDB module tests to include client principal aliases
    as well as server principal aliases.  Also revise the server principal
    alias tests to include an AS-REQ case.  (This requires adjusting the
    subsequent test not to assume a ccache containing a TGT.)
Commits on Apr 2, 2015
  1. @greghudson

    Make all Python test scripts executable

    greghudson authored
    For the convenience of developers manually running Python test
    scripts, set the executable bits on all of them, and make sure the
    first line is always "#!/usr/bin/python".
    ticket: 8163
Commits on Apr 1, 2015
  1. @greghudson

    Disable principal renames for LDAP

    greghudson authored
    The current principal rename procedure does not work with the LDAP KDB
    module, instead having the effect of deleting the principal.  The fix
    is not easy and requires amending the DAL (see issue #8065).  For now,
    detect LDAP and error out when a rename operation is attempted.
    ticket: 8162 (new)
    target_version: 1.13.2
    tags: pullup
Commits on Mar 19, 2015
  1. @greghudson

    Process TGS authdata after transited in KDC

    greghudson authored
    The CAMMAC authorization data container requires a checksum over the
    encrypted part of the issued ticket, with the CAMMAC contents
    substituted for the authdata field.  For this to work, we must
    finalize the non-authdata fields of the encrypted ticket part before
    adding authdata.  Call handle_authdata() after checking and modifying
    the transited field and potentially setting the
    transited-policy-checked flag.
    Also remove a redundant and inoperative conditional change to
    enc_tkt_reply.times.starttime which happens after the ticket is
    encrypted.  We do the same thing right after setting up the ticket