| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
| |
In krb5_auth_con_initivector and mk_priv/rd_priv, stop assuming that
the enctype's block size is the size of the cipher state. Instead,
make and discard a cipher state to get the size.
ticket: 7561
target_version: 1.11.1
tags: pullup
|
|
|
|
|
| |
Reformat and simplify dump.c code according to current coding
standards. No functional changes except for some error messages.
|
|
|
|
|
|
|
| |
When dumping, use a common iterator function to unpack the dump_args
structure, unparse and filter the principal name, and convert master
keys. Add helper functions to dump and load the "octets or -1" format
used for optional binary fields in the current dump format.
|
|
|
|
|
|
| |
Without changing anything (except to make a few internal functions
static), reorder dump.c to bottom-up order so that forward function
declarations aren't needed.
|
|
|
|
|
|
|
| |
Get rid of the code to dump and load -b6 and -old format dump files.
Loading these versions hasn't worked since at least 1.3.
ticket: 7564 (new)
|
|
|
|
|
|
|
|
| |
Move the existing dump/load tests from t_general.py to a new script
t_dump.py. Add additional tests using pre-created dumpfiles, to
exercise the -r18, -r13, -b7, and -ov formats.
bigredbutton: whitespace
|
|
|
|
|
|
| |
kadm5_create_principal now uses a random key if passed a null
password, so we don't need a multi-step process to create admin
principals when creating a database any more.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some versions of clang report an uninitialized variable warning (which
we treat as an error) in process_k5beta_record. Due to the if-ladder
style of the function, uninitialized tmpint values can be copied
around in certain error cases, although the garbage values would be
ultimately ignored. As a minimal fix, initialize the tmpint
variables.
ticket: 7560 (new)
target_version: 1.11.1
tags: pullup
|
|
|
|
|
|
| |
Make dec_password a static function in ldap_service_stash.c and remove
some impedance mismatch with krb5_ldap_readpassword() by making it
operate on C strings and return a krb5_error_code.
|
| |
|
|
|
|
|
|
| |
layout.html unneccesarily copied code from the parent
agogo/layout.html content block just to alter the sidebar. Override
various subblocks of the sidebar instead.
|
|
|
|
|
|
| |
Move style settings that were previously in layout.html to kerb.css.
Rename kerb.css kerb.css_t, making it a template, to allow
parameterized style settings to remain parameterized.
|
|
|
|
|
|
|
|
|
| |
The accesskey for the "search" link conflicted with the one for the
"contents" link.
ticket: 7559 (new)
target_version: 1.11.1
tags: pullup
|
|
|
|
|
|
|
|
| |
There were multiple misplaced semicolons, etc.
ticket: 7558 (new)
target_version: 1.11.1
tags: pullup
|
|
|
|
|
|
|
|
|
|
| |
A </h1> end tag was incorrectly written as <h1>. Also adjust style
settings so that the resulting computed style remains the same for
div.rel.
ticket: 7557 (new)
target_version: 1.11.1
tags: pullup
|
|
|
|
|
|
|
|
| |
The LDAP KDB module has some code to interpret {FILE} values in stash
files, and set the service_cert_path/pass fields in the ldap context.
But there was no code to actually use those values to do client cert
authentication, so it wasn't useful. Remove the partial
implementation.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In fake-addrinfo.c, the COPY_FIRST_CANONNAME logic erroneously assumes
that h_name is the same as h_aliases[0]. Look at h_name before
h_aliases for an FQDN, since h_name is normally the
forward-canonicalized name and h_aliases are not.
[ghudson@mit.edu: rewrote commit message]
ticket: 7556 (new)
|
|
|
|
|
|
|
|
|
| |
Commit c072b059ecff257e7600be0e86869decd135d422 did not have the
intended effect because, at the point where is_referral is set,
request->server has already been modified to contain server->princ.
ticket: 7555
status: open
|
|
|
|
|
|
|
|
|
| |
A server response which is a cross-realm TGT is not a referral if it
was directly requested by the client. Misclassifying such a response
as a referral means we don't mirror the request's name type, which has
been observed to break older Java clients.
ticket: 7555 (new)
|
| |
|
|
|
|
|
|
| |
Use the oerr parameter to fetch the existing message. Stop handling
oerr == 0, since no call sites were using it. Free the old error
message before returning.
|
|
|
|
|
|
|
| |
Add a DB option in the LDAP KDB module to turn on debugging messages.
Adapted from a patch by Zoran Pericic <zpericic@inet.hr>.
ticket: 7551 (new)
|
|
|
|
|
|
|
|
|
|
| |
krb5_ldap_open and krb5_ldap_create contain two large, almost
identical blocks of DB option processing code. Factor it out into a
new function krb5_ldap_parse_db_params in ldap_misc.c, and simplify
the factored-out code. Create a helper function to add server entries
and use it to simplify krb5_ldap_read_server_params as well as DB
option parsing. Since the new DB option helper uses isspace instead
of isblank, we no longer require portability goop for isblank.
|
|
|
|
|
|
|
|
|
| |
kproplog currently assumes that an iprop log is full once it has
circled--which is true right now but will need to change for
hierarchical slaves. Avoid this assumption by using the correct
index modulus in print_update whether or not the log is full.
Based on a patch from Richard Basch <basch@alum.mit.edu>.
|
|
|
|
|
|
| |
ticket: 7553
target_version: 1.11.1
tags: pullup
|
|
|
|
| |
[ghudson@mit.edu: simplify slightly]
|
|
|
|
|
|
| |
Check the ulog pointer, which is a little more direct, rather than the
ulogfd field. (ulogfd is currently initialized to 0 prior to
ulog_map; we could fix that instead, but this feels simpler.)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The db2 DB is not power-fail safe. There's no point trying to
replay an incompletely committed entry from the ulog at kadmind
startup time. For that matter, even if the db2 DB was power-fail
safe there'd be no point replaying an uncommitted entry from the
ulog as the libkadm5srv app (nor any client of it, as in the case of
kadmind) will not have received any notice of success -- it'd be
wrong to complete that operation later when the user thought it'd
failed.
[ghudson@mit.edu: merge with master, adjust comment]
ticket: 7552 (new)
|
|
|
|
|
|
|
|
| |
Since iprop cannot carry policy changes, force a full resync to happen
each time a policy change occurs. Based on a patch from
Richard Basch <basch@alum.mit.edu>.
ticket: 7522
|
|
|
|
|
|
|
| |
In k5test.py, allow run_kadminl to take an environment argument. In
t_iprop.py, perform some queries on the slaves after each propagation
to spot-check that it got modifications from master. Use a helper
function to check serial numbers for conciseness.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the master iprop log is reinitialized to serial number 0, slaves
will need to take a full dump--but after that happens, we need to know
whether the slave has taken that full dump, we we don't offering full
dumps indefinitely.
So, record a timestamp in kdb_last_time when we reinitialize the log
header, and compare the slave timestamp to kdb_last_time whenever it
has the current serial number, even if it's 0. Test this by
performing a propagation with sno 0 in t_iprop.py and detecting
whether kpropd gets a second UPDATE_FULL_RESYNC_NEEDED response from
kadmind.
ticket: 7550 (new)
|
|
|
|
|
| |
ulog_get_entries had an unreachable branch which was removed during
de-indentation.
|
|
|
|
|
|
|
|
|
|
|
| |
Add a helper predicate to determine whether to log operations. In the
predicate, check if the ulog is actually mapped. Use a single cleanup
label in krb5_db_put_principal. Use a cleanup label in
krb5_db_delete_principal instead of releasing resources individually
at each exit point. Avoid locking and unlocking the ulog if we're not
logging (although it would be a no-op).
Based on a patch from Nico Williams <nico@cryptonector.com>.
|
|
|
|
|
|
|
|
|
| |
The error message was missing a newline, and the exit behavior causes
the database to be destroyed.
ticket: 7370
target_version: 1.11.1
tags: pullup
|
|
|
|
|
|
|
|
| |
This reverts commit 87634edc472cebde4a37d002b7006ed38a1b25c2.
That commit is not neutral with respect to the rendering of the HTML,
and causes the version built with the logo to look unacceptably
disordered.
|
| |
|
|
|
|
|
|
|
| |
Read realm parameters directly from the profile in the KDC's
init_realm(), getting rid of the intermediate krb5_realm_params
structure. Then get rid of krb5_realm_params and
krb5_read_realm_params, since nothing else uses it.
|
|
|
|
|
|
| |
Stop using macros to refer to kdc_realm_t fields, as they could
conflict with structure field names for the same. Leave behind the
kdc_context and tgs_server macros for now.
|
|
|
|
|
|
|
| |
krb5_realm_params is only consumed by the KDC (everything else uses
kadm5_config_params), so only needs to contain fields used by the KDC.
Get rid of everything else. Also get rid of realm_profile, which is
read in by KDC code but never used (and was never set anyway).
|
|
|
|
|
|
| |
In some cases Doxygen xml output does not provide accurate classification
of the various C-types, thus preventing the full documentation x-referencing.
Give some hints to the Doxy/RST bridge.
|
|
|
|
| |
responder_get_challenge() meant to be krb5_responder_get_challenge()
|
|
|
|
|
|
| |
Get rid of K&R-style function headers, format code and comments
consistently according to current conventions, rename some variables
using idiomatic names, and de-indent some nested control blocks.
|
| |
|
|
|
|
|
|
|
|
|
| |
In krb5.hin doxygen markup, only use [out] or [in,out] when a function
changes the entire value of what the parameter points to, not when the
function mutates a larger object (especially an abstract object).
Also remove a couple of incorrect [in] annotations, change a few
parameter descriptions to be more consistent, and fix one typo.
|
| |
|
|
|
|
|
|
| |
Doxygen and, consequently, Sphinx gets confused with the
KRB5_RESPONDER_QUESTION_OTP comment layout.
Also, mark the output parameter of krb5_responder_set_answer().
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Remove some unnecessary optimizations to reduce code complexity. Get
rid of krb5_match_config_pattern in favor of a simpler helper function
in do_tgs_req_c. Get rid of KRB5_CONF_ASTERISK and just use "*"
instead. Use a helper function to combine [kdcdefaults] and realm
subsection values of variables, and don't bother adding leading and
trailing spaces. Consistently use the names "hostbased" and
"no_referral" to refer to variable values (with a "realm_" prefix for
structures which currently use it).
|