It seems that we need to restart in order to be able to query the contents of the LSA cache, even if the only contents of the LSA cache are what we put there, and even if the Microsoft klist.exe correctly reports the presence of tickets in the LSA cache. ticket: 8176 (new) queue: kfw tags: pullup target_version: 1.13.3
When looping over principals, check the i-th entry instead of looking at the 0-th entry each time through the loop. This would only affect cases when multiple ticket entries were returned from the LSA, the first one did not have a valid principal name, but some other one did. It is expected that all of the returned ticket entries will always have a valid client principal name, so this is unlikely to cause any functional difference. ticket: 8177 (new) queue: kfw tags: pullup target_version: 1.13.3
Shortcut keys such as these (in the ACCELERATORS entry in the resource file) are what let users type, e.g., ctrl-t to get to the "get tickets" dialog directly from the main frame. We had shortcut keys for all the other buttons already, so add these to complete the set. The make default and change password functionality were already available using keyboard-only interfaces via the ribbon access keys (tap alt, then letters to walk through the tree of controls), but the two forms of keyboard access are implemented differently. ticket: 7442 tags: pullup target_version: 1.13.3
The MFC Ribbon implementation is not very accessible (e.g., to screen reading software), whereas the windows ribbon provides essentially the same functionality and good integration with screen reading software, including the built-in Windows Narrator. Remove the RT_RIBBON_XML resource from the resource file and replace it with an inclusion of the generated kfwribbon.rc file. Also remove the ribbon1.mfcribbon-ms ribbon description from the res/ directory. Add the appropriate dependency relation in the Makefile. LeashUIApplication implements the IUIApplication interfaces. It appears to be difficult to cleanly tear down the underlying IUIFramework and ribbon, since the WM_DESTROY event is handled by the parent MFC window, which will not call IUIFramework::Destroy(). Manually inserting a call to IUIFramework::Destroy() in the shutdown handling of the MFC classes is difficult, since the WM_DESTROY message is handled by a different window than where the ribbon is initialized, and the MFC framework will attempt to access window objects corresponding to the UI Ribbon resources after they are destroyed, which raises exceptions. It seems best to just go without destroying the IUIFramework, since its lifecycle matches that of the application and there will be no leaks during the application lifecycle. LeashUICommandHandler implements the IUICommandHandler interfaces, passing messages through to the existing MFC handlers, though the default values for the various checkbox controls must be duplicated. The (MFC) CMainFrame creates and maintains a handle to the LeashUIApplication associated with the ribbon it creates, so that it can query the height of the ribbon and redraw when the LeashUIApplication signals that the ribbon size has changed. Record that the added object files depend on kfwribbon.h, so that the XML markup is compiled sufficiently early in the build.
The standard windows library ribbon interface is either constructed at runtime or specified in an XML file. Since we have a static set of functionality in our ribbon, it is simplest to just use the XML file. This should duplicate the interfaces currently provided by the MFC ribbon, though the menu items in the file menu are slightly taller than they used to be. Use uicc.exe to compile the XML to the binary format and produce a kfwribbon.rc resource file and kfwribbon.h header.
This is the content from homelarge.bmp split up into the separate component images, since the windows ribbon has the (more sane) interface of using a separate resource for each graphic, instead of expecting them all in a single bitmap which is sliced up at runtime. The bitmaps are required to have alpha channels, and it seems that the easiest way to generate bitmaps with alpha channels is to use Microsoft Paint, since the normal Unix open-source graphics tools do not want to output this format.
This is just enabling the use of multi-byte character set in the MFC library, but we do not appear to make use of this feature. Visual Studio 2013 gives ominous warnings that support for it may be removed in future versions, so quiet the build and do not enable the deprecated feature we are not using.
When freeing a credentials cache name obtained from krb5_cc_get_full_name(), the code was using plain free() instead of the matching krb5_free_string(). If these routines are picked from different modules at runtime, the mismatch will cause a crash in free(), so change to using the matched deallocation function. In order to use it in leash, it must be declared in Lglobals.h and the function pointer symbol defined in Leash.cpp.
This file is out of date, and we now use the wiki for the kind of material it covers. Most of the information here is covered at http://k5wiki.kerberos.org/wiki/Committer_resources
In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until the request is successfully verified. In the PKINIT kdcpreauth module, don't respond with code 0 on empty input or an unconfigured realm. Together these bugs could cause the KDC preauth framework to erroneously treat a request as pre-authenticated. CVE-2015-2694: In MIT krb5 1.12 and later, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C ticket: 8160 (new) target_version: 1.13.2 tags: pullup subject: requires_preauth bypass in PKINIT-enabled KDC [CVE-2015-2694]
In t_keytab.py, test that kvnos no longer wrap after 255 or 32767, that they do wrap from 65535 to 1, and that kadmin ktrem preserves the more recent key after a wraparound. Also test edge cases of the 32-bit keytab kvno extension using hand-crafted keytab entries. ticket: 7532
In krb5_ktfile_get_entry(), change the pivot and fuzzy match workarounds for kvnos to work with the 32-bit kvno extension. For the pivot logic, try to recognize kvno wraparound at boundary by looking at the relative timestamps and the size of the version difference. For the fuzzy match logic, remember the first match against the low 8 bits of the desired kvno, but keep searching for an exact match. ticket: 7532
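The two keytab lookup workarounds described above (the wraparound "pivot" when the newest kvno is wanted, and the "fuzzy" low-8-bit match that keeps searching for an exact hit) as an added, self-contained illustration; this is not krb5's kt_file.c code, and the entry layout, the timestamp-and-distance heuristic in newer_kvno(), the IGNORE_VNO convention and the sample keytabs are all constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IGNORE_VNO 0   /* request "any kvno": pick the newest entry */
/* Constructed keytab entry model: stored kvno (8-bit for legacy entries, full
 * width when the 32-bit extension is present) plus the entry's timestamp. */
typedef struct { uint32_t vno; bool has_ext; uint32_t timestamp; } kt_entry;

/* Pivot heuristic (illustrative, not krb5's own code): is cand newer than cur?
 * With 8-bit kvnos a step larger than 128 is judged by the timestamps, so
 * 255 -> 1 counts as a wraparound rather than a downgrade. */
static bool newer_kvno(const kt_entry *cur, const kt_entry *cand)
{
    if (cur->has_ext && cand->has_ext)
        return cand->vno > cur->vno;             /* 32 bits: no ambiguity */
    if (cand->vno > cur->vno)                    /* upward step */
        return !(cand->vno - cur->vno > 128 && cand->timestamp < cur->timestamp);
    return cur->vno - cand->vno > 128 && cand->timestamp > cur->timestamp;
}
/* Index of the entry to use for kvno, or -1.  An exact match wins; otherwise
 * the first legacy entry whose 8-bit vno equals the low byte of the wanted
 * kvno is remembered (fuzzy match) while the search for an exact one goes on. */
int find_kvno(const kt_entry *entries, size_t n, uint32_t kvno)
{
    int best = -1, fuzzy = -1;
    for (size_t i = 0; i < n; i++) {
        const kt_entry *e = &entries[i];
        if (kvno == IGNORE_VNO) {
            if (best < 0 || newer_kvno(&entries[best], e))
                best = (int)i;
        } else if (e->vno == kvno) {
            return (int)i;
        } else if (!e->has_ext && fuzzy < 0 && e->vno == (kvno & 0xff)) {
            fuzzy = (int)i;
        }
    }
    return best >= 0 ? best : fuzzy;
}
/* Constructed samples: a legacy keytab that wrapped 255 -> 1, and a mixed one. */
const kt_entry legacy_wrap[3] = {{254, false, 1000}, {255, false, 2000}, {1, false, 3000}};
const kt_entry mixed[3] = {{44, false, 1000}, {300, true, 2000}, {45, false, 1500}};
int main(void)
{
    printf("newest legacy entry: index %d\n", find_kvno(legacy_wrap, 3, IGNORE_VNO));
    printf("kvno 300: index %d, kvno 556: index %d\n",
           find_kvno(mixed, 3, 300), find_kvno(mixed, 3, 556));
    return 0;
}
```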
Make xdr_krb5_kvno() use xdr_u_int() instead of xdr_u_char(), allowing it to marshal kvno values up to 32 bits. This change is backwards-compatible because XDR uses four bytes to marshal char values and does no bounds checking of char values on decode. ticket: 7532
Change key_data_kvno from a signed 16-bit field to an unsigned 16-bit field, since negative values are never meaningful. When adding new keys, wrap from 65535 to 1 to avoid using the special value 0. Don't bump the KDB binary version since this change is unlikely to affect callers. ticket: 7532
krb5_ldap_get_value() takes a pointer to int, and should not be passed a pointer to any integral type which might have a different width. Use an intermediate variable for each call. The erroneous calls in ldap_misc.c were passing pointers to int32_t, which is harmless on all common platforms. The calls in ldap_tkt_policy.c were passing pointers to long; on big-endian LP64 platforms, the result would be written to the high 32 bits of the long value. ticket: 8166 target_version: 1.13.2 tags: pullup
In gssapi_generic.c, struct mech_attr_info_desc included some gss_buffer_desc members whose length fields were never used. Additionally, the STRING_BUFFER() macro's computation of the (unused) length fields was incorrect, causing warnings in some versions of clang. Remove the problematic STRING_BUFFER() macro and adjust the array and generic_gss_display_mech_attr() accordingly.
When resetting the ulog header or initializing it from a dump file kdb_last_t value, instead of setting kdb_num to 0, create a dummy entry for the last_sno value so that we can remember its timestamp. With this change, a slave no longer needs to perform two full resyncs after an upstream header initialization. Dummy entries are never transmitted to downstream slaves because the iprop protocol never transmits the kdb_first_sno update; if one is somehow transmitted, the slave will ignore it because it doesn't have the kdb_commit flag set. reset_header() is renamed to reset_ulog(), takes a kdb_log_context parameter, and is responsible for syncing the header. sync_update() now returns void and aborts if msync() fails, just like sync_header(). A new helper set_dummy() writes a dummy entry and sets the ulog to point to it. Adjust kproplog to recognize and display dummy entries. Adjust t_ulog.c and t_iprop.py for the new behavior. In t_iprop.py, remove a kpropd -t test which became redundant with the previous test. ticket: 8164 (new)
If kpropd is asked to run just once, don't exit after starting a full resync; we want to wait for the fullprop child to process the request, and then request incremental updates afterwards. Also don't exit from do_standalone() in the fullprop child, in case multiple full resyncs are required to get the database up to date. Document the -t flag in kpropd.rst. ticket: 8161
When kpropd operates in iprop mode, full resyncs are handled by a child process. After a full resync, we want to poll for incremental updates, as the dump we received may have come from a pre-existing dump file which was not current. To make this polling happen promptly, signal the parent process from the child process after a dump is received. With this change, t_iprop.py no longer has to prod kpropd after a full resync occurs, so remove that logic. ticket: 8161
Augment the LDAP KDB module tests to include client principal aliases as well as server principal aliases. Also revise the server principal alias tests to include an AS-REQ case. (This requires adjusting the subsequent test not to assume a ccache containing a TGT.)
The current principal rename procedure does not work with the LDAP KDB module, instead having the effect of deleting the principal. The fix is not easy and requires amending the DAL (see issue #8065). For now, detect LDAP and error out when a rename operation is attempted. ticket: 8162 (new) target_version: 1.13.2 tags: pullup
The CAMMAC authorization data container requires a checksum over the encrypted part of the issued ticket, with the CAMMAC contents substituted for the authdata field. For this to work, we must finalize the non-authdata fields of the encrypted ticket part before adding authdata. Call handle_authdata() after checking and modifying the transited field and potentially setting the transited-policy-checked flag. Also remove a redundant and inoperative conditional change to enc_tkt_reply.times.starttime which happens after the ticket is encrypted. We do the same thing right after setting up the ticket times.