| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
|
| |
Do not leave anyone thinking that they might have to specify it
in the config file to get the standard behavior.
|
| | |
|
| |
|
|
|
|
|
|
| |
For Unix-like platforms, add %{username} to the path expansion
facility, expanding to the result of getpwuid on the euid.
Also, for manual testing convenience, make t_expand_path print the
result if no second argument is given.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix KDC heap corruption vulnerability [MITKRB5-SA-2012-001
CVE-2012-1015]. The cleanup code in
kdc_handle_protected_negotiation() in kdc_util.c could free an
uninitialized pointer in some error conditions involving "similar"
enctypes and a failure in krb5_c_make_checksum().
Additionally, adjust the handling of "similar" enctypes to avoid
advertising enctypes that could lead to inadvertent triggering of this
vulnerability (possibly in unpatched KDCs).
Note that CVE-2012-1014 (also described in MITKRB5-SA-2012-001) only
applies to the krb5-1.10 branch and doesn't affect the master branch
or releases prior to krb5-1.10.
ticket: 7225 (new)
target_version: 1.9.5
tags: pullup
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
* fscanf field widths must be less than the buffer size, not equal to
it.
* Check for negative values of lengths we're going to allocate.
* Eliminate a warning in the comparison of the regexp end offset.
* process_r1_8 policy doesn't actually ignore additional values, so
get rid of the comment and inequality test suggesting that it does.
ticket: 7224 (new)
|
| | |
|
| |
|
|
| |
ticket: 7223
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This simply adds KADM5_API_VERSION_4 and various fields to the
policy structures:
- attributes (policy-ish principal attributes)
- max_life (max ticket life)
- max_renewable_life (max ticket renewable life)
- allowed_keysalts (allowed key/salt types)
- TL data (future policy extensions)
Of these only allowed_keysalts is currently implemented.
Some refactoring of TL data handling is also done.
ticket: 7223 (new)
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Use a helper function add_policy_mods() in
krb5_ldap_create_password_policy() and krb5_ldap_put_password_policy()
to avoid duplicating code for each field.
|
| |
|
|
|
| |
r18750 refactored some policy fetching code into populate_policy(),
and left the old code in #if 0 blocks. Get rid of those blocks now.
|
| |
|
|
|
|
|
| |
Corrections to stuff noticed by kaduk:
* Eliminate a space before paren in a call to free().
* Use %lu for unsigned long in format strings.
* Simplify the tokens table definition.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add DEFCCNAME, DEFKTNAME, and DEFCKTNAME configure variables to
change the built-in ccache and keytab names.
* Add krb5-config options to display the built-in ccache and keytab
names.
* In the default build, use krb5-config to discover the system's
built-in ccache and keytab names and use them (if not overridden).
This can be controlled with the --with-krb5-config=PATH or
--without-krb5-config configure options.
* Make the built-in ccache name subject to parameter expansion.
ticket: 7221 (new)
|
| |
|
|
|
|
|
| |
Like default_keytab_name and default_client_keytab_name,
default_ccache_name is subject to parameter expansion.
ticket: 7220 (new)
|
| |
|
|
|
|
|
| |
Generalize the ccache collection tests in t_cccol.py to multiple kinds
of ccache tests, and rename it to avoid confusion with the lower-level
lib/krb5/ccache/t_cccol.py. Move a test from t_general.py into
t_ccache.py.
|
| |
|
|
|
|
|
|
| |
Eliminate the USE_CCAPI variant of get_from_os() which was only used
in KfM. Make get_from_os() allocate its result (wrapping the Windows
implementation so it can continue to use a fixed-size buffer).
Simplify krb5_cc_set_default_name() and krb5_cc_default_name(). Make
some minor style adjustments.
|
| |
|
|
|
|
|
| |
Make the default_keytab_name and default_client_keytab_name variables
subject to parameter expansion.
ticket: 7219 (new)
|
| |
|
|
|
|
|
|
| |
Add an adapted version of Heimdal's expand_path.c, defining
k5_expand_path_tokens() and k5_expand_path_tokens_extra(). These
functions allow template paths like %{TEMP}/krb5cc_%{uid} to be
resolved. Also add a test program to exercise the path expansion
code.
|
| |
|
|
|
| |
Before this fix the very long lines (110+ symbols) under the
preformatted text <pre> tag would be cut short in Sphinx HTML output.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Add new APIs gss_acquire_cred_from, gss_add_cred_from, and
gss_store_cred_into, which take additional argments to specify the
location of the credential storage using a key-value map, where keys
are interpreted by the mechanisms.
ticket: 7217 (new)
|
| |
|
|
|
| |
In the end the internal one is called in all cases, but it seem
cleaner to use the internal one instead of relying on the redirection.
|
| | |
|
| |
|
|
| |
The code that used it is no longer in this file.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
In combination with -k, -i will cause kinit or klist to use the
default client keytab instead of the default acceptor keytab. This
gives an easy way to figure out what default client keytab name is in
use and to get credentials using it.
ticket: 7216 (new)
|
| |
|
|
|
|
|
| |
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7215 (new)
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
Don't treat an error returned by krb5_parse_name as a cc-internal error.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7214 (new)
tags: pullup
|
| |
|
|
|
|
|
|
| |
cc_name needs to be freed in krb5_lcc_close().
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7213
|
| |
|
|
|
|
|
|
| |
Include ntstatus.h and define WIN32_NO_STATUS before including winnt.h
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7213
|
| |
|
|
|
|
|
|
|
| |
Also implement switch_to stub
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7213 (new)
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
Also change parameter types to eliminate casts.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7212 (new)
tags: pullup
|
| |
|
|
|
|
|
|
| |
Easier to disable for testing.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7211 (new)
|
| |
|
|
|
|
|
|
|
|
|
| |
wshelper is clearly not intended to use unicode:
wprintf is used extensively and exclusively to write to char[] buffers and
fields in dns structs are used as explicitly ASCII text.
Signed-off-by: Alexey Melnikov <aamelnikov@gmail.com>
ticket: 7210 (new)
tags: pullup
|
| |
|
|
|
|
| |
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7209
|
| |
|
|
|
|
|
|
|
| |
USE_CCAPI_V3 provides cccol iteration support for ccapi.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7209 (new)
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
For MSVC compatibility
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7208 (new)
tags: pullup
|
| |
|
|
|
|
|
| |
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7207 (new)
tags: pullup
|
| |
|
|
|
|
|
| |
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7206 (new)
tags: pullup
|
