summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Add gssrpc to pkg-config.master-krb5pkgconfigGünther Deschner2013-04-305-5/+21
| | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com>
* Add gssrpc to krb5-config.Günther Deschner2013-04-261-3/+7
| | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com>
* Add various client-authenticating PKINIT testsNalin Dahyabhai2013-04-246-0/+203
| | | | | | | | | | | | | | Add tests for non-anonymous PKINIT: * FILE: with no password * FILE: with a password * DIR: with no password * DIR: with a password * PKCS12: with no password * PKCS12: with a password * PKCS11: with a password, if soft-pkcs11.so is found via ctypes [ghudson@mit.edu: reformatted to 79 columns; removed intermediate success() calls]
* Add a script for [re]generating test PKI credsNalin Dahyabhai2013-04-241-0/+117
| | | | [ghudson@mit.edu: reformatted to limit lines to 79 columns]
* Include default DIR::file ccache in collectionGreg Hudson2013-04-222-3/+41
| | | | | | | | If the context's default ccache name is a subsidiary file of a directory collection, include that single cache in the cursor walk over the DIR type. ticket: 7172
* Fix doc buildBen Kaduk2013-04-181-0/+1
| | | | | | The addition of the KRB5_PADATA_AS_CHECKSUM macro in d7d74867952f caused the doxygen bridge to emit a new RST file. This file was not included in the API reference toctree, causing a build failure in maintainer-mode.
* Add a few comments to `PADATA types` in krb5.hinZhanna Tsitkov2013-04-181-27/+28
| | | | | Mostly, based on http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xml
* Use macro for IANA assigned PA-AS-CHECKSUM numberZhanna Tsitkov2013-04-183-4/+6
| | | | | Replace numeric value '132' by the macro KRB5_PADATA_AS_CHECKSUM in preauth plugin.
* Set msg_type when decoding FAST requestsGreg Hudson2013-04-131-0/+1
| | | | | | | | | | | | An RFC 6113 KrbFastReq contains a padata sequence and a KDC-REQ-BODY, neither of which contain the msg-type field found in a KDC-REQ. So when we decode the FAST request, the resulting krb5_kdc_req structure has a msg_type of 0. Copy msg_type from the outer body, since we make use of it in further KDC processing. ticket: 7605 (new) target_version: 1.11.3 tags: pullup
* Allow config of dh_min_bits < 2048Tom Yu2013-04-122-3/+5
| | | | | | | | | | Allow configuration to override the default dh_min_bits of 2048 to 1024. Disallow configuration of dh_min_bits < 1024, but continue to default to 2048. ticket: 7602 target_version: 1.11.3 tags: pullup
* Simplify pkinit_check_dh_paramsTom Yu2013-04-121-67/+47
| | | | | | | | | | Change pkinit_check_dh_params() to take two DH* parameters, and only compare p and g, because q is fully determined by them and might be missing. Also refactor some parameter checks into check_dh_wellknown() that were previously done separately in the pkinit_process_td_dh_params() and server_check_dh().
* Ignore missing Q in dh_paramsTom Yu2013-04-121-4/+4
| | | | | | | | | Some implementations don't send the required Q value in dh_params, so allow it to be absent. ticket: 7596 target_version: 1.11.3 tags: pullup
* Simplify sendto_kdc exception handlingGreg Hudson2013-04-121-83/+25
|
* Remove sendto_kdc debugging codeGreg Hudson2013-04-125-257/+2
| | | | | It's a lot of code, and trace logging should cover most of the cases where it's useful.
* Dynamically expand timeout when TCP connectsNathaniel McCallum2013-04-121-1/+27
| | | | | | | | | | | Wait ten seconds for a TCP connection to succeed or fail before moving on. During this wait time, other TCP connections will be serviced if we already initiated them, but no new TCP connections will be created and no UDP packets will be retransmitted. [ghudson@mit.edu: minor adjustments; commit message] ticket: 7604 (new)
* Use millisecond timeouts in sendto_kdc.cNathaniel McCallum2013-04-121-68/+51
| | | | | | | | | | Replace the end_time field of struct select_state with an endtime argument to cm_select_or_poll, expressed in milliseconds since the epoch. Add a helper function to get the current time in that format. Use a millisecond interval argument to service_fds for consistency. [ghudson@mit.edu: fix overflow issue in get_curtime_ms; service_fds interval argument change; log message]
* Get rid of cm.c and cm.hGreg Hudson2013-04-1211-275/+137
| | | | | | | | | | | Since net-server.c now uses libverto, only sendto_kdc.c consumes cm.c. Move stuff out of cm.c and cm.h into sendto_kdc.c and get rid of them. Change the sendto_kdc callback (used by chpw.c) to receive the socket descriptor instead of the entire conn_state structure, and move the declarations into os-proto.h. struct remote_address also needs to be in os-proto.h so that trace.c and t_trace.c can use it. k5_curtime isn't needed since k5-platform.h now guarantees the presence of gettimeofday().
* Trace log with a subset of struct conn_stateGreg Hudson2013-04-126-87/+93
| | | | | | | In struct conn_state, collect together the fields for the remote address and put them in a substructure. Pass this substructure to trace logging macros instead of the entire conn_state structure, so that trace.c doesn't have to know about the whole structure.
* Tighten up fixed buffer usage in hst_realm.cGreg Hudson2013-04-101-9/+10
| | | | Avoid or notice truncations, rather than letting them happen silently.
* Allow numeric addresses as service hostnamesGreg Hudson2013-04-091-47/+66
| | | | | | | | | | | | | | | | Since krb5 1.3, krb5_get_host_realm (and therefore krb5_sname_to_principal) has refused hostnames which appear to be numeric addresses--with the exception of 1.6, which was ignoring errors from clean_hostname. In specialized environments, it may be desirable to use IP addresses in service principal names, and there's no compelling reason for us to get in the way of that. Move the numeric address check out of k5_clean_hostname into a new helper function, and simply skip the domain-based mechanisms if it returns true. Factor out the [domain_realm] search into a second new helper function to make it easier to skip. ticket: 7603 (new)
* Update hst_realm.c coding styleGreg Hudson2013-04-092-347/+236
| | | | | Bring this file up to date with current coding style. No functional changes, except some trace logs were removed.
* Initialize outpos in krb5int_utf8_normalizeGreg Hudson2013-04-091-3/+1
| | | | | | | | After k5memdup0 was slightly modified in 31124ffb81e8c0935403a9fdc169dead5ecaa777, some older versions of gcc complain about outpos being possibly used before it is initialized. This can't actually happen, but we can silence the error and also simplify how outpos is initialized.
* Avoid passing null pointers to memcpy/memcmpGreg Hudson2013-04-0821-65/+76
| | | | | | | | | | | | | | | By a strict reading of the C standard, memcpy and memcmp have undefined behavior if their pointer arguments aren't valid object pointers, even if the length argument is 0. Compilers are becoming more aggressive about breaking code with undefined behavior, so we should try to avoid it when possible. In a krb5_data object, we frequently use NULL as the data value when the length is 0. Accordingly, we should avoid copying from or comparing the data field of a length-0 krb5_data object. Add checks to our wrapper functions (like data_eq and k5_memdup) and to code which works with possibly-empty krb5_data objects. In a few places, use wrapper functions to simplify the code rather than adding checks.
* Simplify principal access within libkrb5Greg Hudson2013-04-0828-200/+144
| | | | | For conciseness, directly use fields of krb5_principal objects instead of using the accessor macros.
* Install krb5-config man pageBen Kaduk2013-04-031-0/+2
| | | | | | Don't just build it. ticket: 7601
* Regen man pages to pick up krb5-configBen Kaduk2013-04-0325-53/+235
| | | | Also some other small changes and the copyright date range.
* Add a krb5-config man pageBen Kaduk2013-04-034-2/+89
| | | | Missed when converting the old nroff man pages.
* Clean up python bytecode from doc buildBen Kaduk2013-04-021-1/+2
| | | | Otherwise they escape into the release tarball.
* Fix typo in t_credstore.cGreg Hudson2013-04-021-1/+1
| | | | | Correctly check whether the next argument is NULL in the while loop which parses store elements.
* Add krb5_kt_dup API and use it in two placesGreg Hudson2013-04-016-25/+34
| | | | | | | Add an API to duplicate keytab handles, mirroring krb5_cc_dup. Use it to simplify the krb5 GSS acquire_cred code. ticket: 7599 (new)
* Add gss_import_cred_from client keytab testGreg Hudson2013-04-013-54/+63
| | | | | | | | Modify t_credstore.c to be more flexible and adjust t_gssapi.py accordingly. Add a test to t_client_keytab.py which acquire creds using a programmatically specified client keytab. ticket: 7598
* Add support for client keytab from cred storeSimo Sorce2013-04-012-10/+44
| | | | | | | | | | | | | | | | The new credential store extensions added support for specifying a specific ccache name and also a specific keytab to be used for accepting security contexts, but did not add a way to specify a client keytab to be used in conjunction with the Keytab initiation support added also in 1.11 This patch introduces a new URN named client_keytab through which a specific client_keytab can be set when calling gss_acquire_cred_from() and Keytab Initiation will use that keytab to initialize credentials. [ghudson@mit.edu: minor C style fix] ticket: 7598 (new)
* Fix copy/pasto in ksu error messageBen Kaduk2013-03-291-1/+1
| | | | Obtained from Debian.
* Fix warnings in tests/gss-threadsGreg Hudson2013-03-293-17/+16
|
* Reformat tests/gss-threadsGreg Hudson2013-03-294-662/+632
|
* Free unconditionally in plugins.cGreg Hudson2013-03-291-8/+8
| | | | | Get rid of unnecessary null checks before freeing values in libkrb5support's plugin code.
* Fix zap size in confounder checksum mk_xorkeyGreg Hudson2013-03-291-1/+1
|
* Fix typo in ktest_make_sample_auth_packGreg Hudson2013-03-291-1/+1
|
* Fix errno hygiene in kadmind write_pid_fileGreg Hudson2013-03-291-3/+3
| | | | | | fclose() might overwrite the errno value from fprintf, causing us to return success when we shouldn't. Record the errno value at the time of the fprintf failure.
* Simplify krb5_ldap_readpasswordGreg Hudson2013-03-291-19/+2
| | | | | | There's no need to check whether the file exists and is readable before opening it, and setting an extended error message which is just strerror_r() of the errno value isn't useful.
* Using k5-int.h data helpers for some functionsGreg Hudson2013-03-293-21/+14
| | | | | | Use empty_data(), alloc_data(), and make_data() in some appropriate places. This has the side effect of initializing the krb5_data magic field, which can placate debugging tools.
* Clean up cksum handling in CMAC token functionsGreg Hudson2013-03-291-3/+1
| | | | | | In krb5int_dk_cmac_encrypt, cksum wasn't used. In krb5int_dk_cmac_decrypt, cksum needs to be initialized since we clean it up.
* Fix kdb_ldap_create_principal cleanupGreg Hudson2013-03-281-2/+2
| | | | entry must be initialized before all code which can jump to cleanup.
* Fix more password_policy cleanup codeGreg Hudson2013-03-281-11/+6
| | | | | Initialize policy_dn in krb5_ldap_create_password_policy; free values unconditionally in all ldap_pwd_policy.c cleanup handlers.
* Get rid of krb5_xfreeGreg Hudson2013-03-284-30/+27
|
* Fix krb5_ldap_put_password_policy cleanupGreg Hudson2013-03-281-3/+2
| | | | | Initialize policy_dn since we clean it up. Also free it unconditionally.
* Init output parameter of krb5_decode_princ_entryGreg Hudson2013-03-281-0/+2
| | | | | For easier static analysis, make sure that krb5_decode_princ_entry always sets *entry_ptr to a valid entry or NULL.
* Fix unused assignment in mechglue loadConfigFileGreg Hudson2013-03-281-1/+1
|
* Fix an error case in krb5int_fcc_new_uniqueGreg Hudson2013-03-281-1/+0
| | | | | If we fail to allocate setptr, don't close ret, since we've already done so.
* Fix an error case in krb5_sendauthGreg Hudson2013-03-281-3/+1
| | | | | If we fail to get the client principal when constructing the stack-allocated creds structure, don't double-free creds.server.
generated by cgit (git 2.34.1) at 2024-05-01 05:39:20 +0000