summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Add control over session key enctype negotiationNicolas Williams2012-06-0614-60/+161
| | | | | | | | | | | | | | | | | | | Adds a principal string attribute named "session_enctypes" which can specify what enctypes the principal supports for session keys. (For what it's worth, this actually allows one to list des-cbc-md5 as a supported session key enctype, though obviously this hardly matters now.) Add a [realms] section parameter for specifying whether to assume that principals (which lack the session_enctypes attribute) support des-cbc-crc for session keys. This allows those who still need to use allow_weak_crypto=true, for whatever reason, to start reducing the number of tickets issued with des-cbc-crc session keys to clients which still give des-cbc-crc preference in their default_tgs_enctypes list. [ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored test script; documented session_enctypes attribute]
* Allow daemon debugging in k5test.pyGreg Hudson2012-06-061-6/+8
| | | | | | | Allow --debug to be used for commands which start daemons, to make it easier to debug startup issues. After debugging a daemon, the script will exit, since the daemon won't be running after the debugging session is over.
* Fix k5test.py hostname canonicalizationGreg Hudson2012-06-051-2/+1
| | | | | | | | | | r25844 (#7124) stopped using AI_ADDRCONFIG when canonicalizing hostnames in sn2princ. So we need to also stop using it in k5test.c's _get_hostname() or we could come up with a different result on a system where forward and reverse resolution via IPv4 and IPv6 produce different results. That in turn causes a t_gssapi.py test (the one using the un-canonicalized hostname) to fail, because libkrb5 looks for a different host principal than k5test.py put in the keytab.
* Fix uninitialized memory errors in t_trace.cGreg Hudson2012-06-051-1/+4
|
* Disable trace test comparison for nowGreg Hudson2012-06-051-1/+2
| | | | | | The t_trace output isn't consistent from run to run. To fix "make check", disable the comparison against the reference file until we can make the output consistent.
* Fix trace log unit testGreg Hudson2012-06-042-1/+53
| | | | | | | Only use common denominator Bourne shell syntax for exporting environment variables. Don't rely on /dev/stdout working. Compare the output with a reference file to detect changes, instead of just sending it to stdout.
* Fix -DDEBUG compilation errorsHenry B. Hotz2012-06-045-3/+6
| | | | ticket: 7150
* Fail from gss_acquire_cred if we have no keytabGreg Hudson2012-06-032-0/+15
| | | | | | | | If a caller tries to acquire krb5 acceptor creds with no desired name and we have no keytab keys, fail from gss_acquire_cred instead of deferring until gss_accept_sec_context. ticket: 7159 (new)
* Use first mech's status in gss_acquire_credGreg Hudson2012-06-031-3/+11
| | | | | | | | | | | If we can't acquire creds for any mech in gss_acquire_cred, return the status of the first mech instead of the last mech, as it's more useful in the typical case (where the first mech is krb5 and the last mech is SPNEGO). This error reporting is not ideal when the user was expecting to use some mech other than krb5, but it's about as good as things were prior to #6894. ticket: 6973
* Improve error message from krb5_kt_have_contentGreg Hudson2012-06-031-2/+10
|
* Remove outdated comment in k5test.pyGreg Hudson2012-06-031-17/+0
|
* Add krb5_kt_have_content APIGreg Hudson2012-06-026-0/+44
| | | | | | | | | | | | | Add the krb5_kt_have_content API from Heimdal, which can be used to test whether a keytab exists and contains entries. Add tests to t_keytab.c. There is a deviation from Heimdal in the function signature. Heimdal's signature returns a krb5_boolean at the moment, because the Heimdal implementation actually returns a krb5_error_code. These are generally the same type anyway (int). ticket: 7158 (new)
* Tighten up error checking in t_keytab.cGreg Hudson2012-06-021-29/+16
| | | | | | | When checking for specific error codes, using CHECK() meant that we wouldn't properly fail if we got error code 0. Define and use a CHECK_ERR() to test for a specific error code, and define CHECK() in terms of it.
* Sphinx HTML: Collapse l4 in ToC in the sidebarZhanna Tsitkov2012-06-013-13/+35
| | | | | | | Also, - resize the width of the document vs sidebar; - decrease padding in the sidebar; - mark current l2 in ToC in the sidebar.
* Use correct profile var in krb5_get_tgs_ktypesGreg Hudson2012-06-011-1/+1
| | | | | | | | | | | In r21879, when we converted to using KRB5_CONF macros for profile variable names, we made a typo in krb5_get_tgs_ktypes and erroneously started using default_tkt_enctypes instead of default_tgs_enctypes for TGS requests. Fix the typo and return to the documented behavior. ticket: 7155 target_version: 1.10.3 tags: pullup
* Use a hash table in the KDC lookaside cacheGreg Hudson2012-05-304-110/+160
| | | | | | | Add a hash table to kdc/replay.c for fast lookup of incoming packets. Continue to keep a time-ordered linked list of all entries for fast expiry of stale entries. The preprocessor constant LOOKASIDE_HASH_SIZE can be used to change the size of the hash table.
* Add a copy of the BSD <sys/queue.h> as k5-queue.hGreg Hudson2012-05-303-2/+752
| | | | | queue.h implements various types of linked lists as cpp macros, without needing any library support.
* Null pointer deref in kadmind [CVE-2012-1013]Richard Basch2012-05-291-1/+1
| | | | | | | | | | | | | | | | The fix for #6626 could cause kadmind to dereference a null pointer if a create-principal request contains no password but does contain the KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix name"). Only clients authorized to create principals can trigger the bug. Fix the bug by testing for a null password in check_1_6_dummy. CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C [ghudson@mit.edu: Minor style change and commit message] ticket: 7152 target_version: 1.10.2 tags: pullup
* Fix TRACE_GET_CRED_VIA_TKT_EXT format stringGreg Hudson2012-05-241-2/+2
|
* Fix S4U user identification in preauth caseGreg Hudson2012-05-241-4/+2
| | | | | | | | | | | | | | | | | | | | | | | In 1.10, encrypted timestamp became a built-in module instead of a hardcoded padata handler. This changed the behavior of krb5_get_init_creds as invoked by s4u_identify_user such that KRB5_PREAUTH_FAILED is returned instead of the gak function's error. (Module failures are not treated as hard errors, while hardcoded padata handler errors are.) Accordingly, we should look for KRB5_PREAUTH_FAILED in s4u_identify_user. On a less harmful note, the gak function was returning a protocol error code instead of a com_err code, and the caller was testing for a different protocol error code (KDC_ERR_PREAUTH_REQUIRED) which could never be returned by krb5_get_init_creds. Clean up both of those by returning KRB5_PREAUTH_FAILED from the gak function and testing for that alone. Reported by Michael Morony. ticket: 7136 target_version: 1.10.2 tags: pullup
* Convert DEBUG_REFERRALS to TRACE_* frameworkW. Trevor King2012-05-237-74/+68
| | | | | | | | | The referrals debugging code under DEBUG_REFERRALS ceased building correctly at some point. Convert this debugging code to use the tracing framework instead, including adding new trace macros to k5-trace.h. ticket: 7151
* Add tests for trace.c formattingW. Trevor King2012-05-232-2/+259
| | | | | | This improves the previously minimal test coverage of "trace.c". ticket: 7151
* Add support for "{ptype}" trace format specifierW. Trevor King2012-05-232-0/+25
| | | | | | | Add the "{ptype}" trace format specifier, for principal name types. Also document the new option in the "k5-trace.h" comments. ticket: 7151
* Document "{keytab}" trace format specifierW. Trevor King2012-05-231-0/+1
|
* Modified the Sphinx HTML page layoutZhanna Tsitkov2012-05-233-38/+106
| | | | | 1. The Feedback button is moved into the footer; 2. The default page/doc width are set to 960px;
* Export gss_mech_krb5_wrong from libgssapi_krb5Greg Hudson2012-05-221-0/+1
| | | | | | | | | | Although there are few legitimate reasons to use gss_mech_krb5_wrong, it's declared in the public header and exported in the Windows DLL. So export it from the Unix library as well. ticket: 7148 (new) target_version: 1.10.2 tags: pullup
* Make doc/coding-style point to wiki pageTom Yu2012-05-221-564/+3
| | | | | | | The old doc/coding-style file was out of date; replace its content with a pointer to the wiki page. ticket: 7147 (new)
* Export krb5_set_trace_callback/filenameGreg Hudson2012-05-212-1/+6
| | | | | | | | | | krb5_set_trace_callback and krb5_set_trace_filename were added to krb5.h in krb5 1.9, but were mistakenly left out of the library export lists. Add them now. Reported by Russ Allbery. ticket: 7143 target_version: 1.10.2 tags: pullup
* Fix "(empty" typo in "{etypes}" handler in trace.cW. Trevor King2012-05-181-1/+1
| | | | ticket: 7137
* Fix "(null" typo in "{key}" handler in trace.cW. Trevor King2012-05-181-1/+1
| | | | ticket: 7134
* Correct the name of krb5int_trace in commentsTom Yu2012-05-171-4/+4
| | | | | | Patch from W. Trevor King. ticket: 7133
* Add missing $(LIBS) to some shared librariesTom Yu2012-05-175-5/+5
| | | | | | | | | | Add $(LIBS) to the $(SHLIB_EXPLIBS) for some shared libraries which did not previously include it, which prevented gcov from working properly in some cases. Patch from W. Trevor King. ticket: 7138
* Remove mention of util/autoconfTom Yu2012-05-171-14/+8
| | | | | | | | | We no longer use our own customized version of autoconf, so remove mentions of the src/util/autoconf directory where that used to be. Reported by W. Trevor King. ticket: 7139 (new)
* Make mkrel work on non-master branchesTom Yu2012-05-151-3/+4
| | | | | | Appending "--" to the git checkout arguments appears to prevent it from automatically creating a local branch from the remote. Also correct the default git URL and clean up a spurious find warning.
* Update CHANGES file generation for GitTom Yu2012-05-141-1/+1
| | | | Use the correct git log invocation for generating the CHANGES file.
* Update patchlevel.h for Git repositoryTom Yu2012-05-141-2/+2
| | | | Use "master", not "trunk", as RELTAG now.
* Add missing newline to sn2princ debug messageGreg Hudson2012-05-141-1/+2
| | | | | | Patch from wking@tremily.us. ticket: 7131
* Convert util/mkrel to use git instead of svnGreg Hudson2012-05-141-26/+15
|
* Check alloc_data result in krb5int_old_encryptGreg Hudson2012-05-131-0/+2
|
* Clean up a redundant assignment in libprofileGreg Hudson2012-05-131-2/+0
|
* Avoid extern inline in asn1buf.hGreg Hudson2012-05-131-2/+4
| | | | | | | | Avoid using extern inline in asn1buf.h, as there are two conflicting sets of semantics (gnu89's and C99's). gcc defaults to the gnu89 semantics, which we were using, while clang defines __GNUC__ but defaults to the C99 semantics. To simplify things, use static inline instead, like we do in k5-int.h.
* Don't stomp minor code in spnego_gss_acquire_credGreg Hudson2012-05-131-3/+3
| | | | | | | When spnego_gss_acquire_cred passes through a failure status from the mechglue, it overwrites the minor code with a call to gss_release_oid_set(). Use a temporary minor status for that and a related call.
* Remove find-missing-eol-prop and fix-eol-propGreg Hudson2012-05-122-21/+0
| | | | | Remove two Subversion-specific scripts which are no longer necessary now that the master repository is in git.
* Add a .gitgnore fileGreg Hudson2012-05-121-0/+342
|
* Null-terminate components of parsed principalsGreg Hudson2012-05-122-11/+10
| | | | | | | | | | The rewritten krb5_parse_name didn't null-terminate components or realms of principals, while the old one did. Fix the new one to do so as well. This means KRB5_PRINCIPAL_PARSE_IGNORE_REALM allocates one byte for the realm instead of leaving it as empty_data(), so we need to free the realm in build_in_tkt_name() before copying in the client realm.
* Omit start time in common AS requestsGreg Hudson2012-05-112-15/+33
| | | | | | | | | | | | | | | | | | | MIT and Heimdal KDCs ignore the start time for non-postdated ticket requests, but AD yields an error if the start time is in the KDC's future, defeating the kdc_timesync option. Omit the start time if the caller did not specify a start time offset. This change reenables the client check for too much clock skew in the KDC reply in the non-timesync configuration. That check had been unintentionally suppressed since the introduction of the get_init_creds interfaces. Adjust the t_skew test script to expect the new error behavior. Code changes from stefw@gnome.org with slight modifications. ticket: 7130 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25864 dc483132-0cff-0310-8789-dd5450dbe970
* Avoid requiring default realm for in_tkt_serviceGreg Hudson2012-05-101-31/+17
| | | | | | | | Use the new KRB5_PRINCIPAL_PARSE_IGNORE_REALM flag when parsing in_tkt_service arguments in get_init_cred functions, since we're going to overwrite the realm anyway. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25863 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_parse_name flag to ignore realmGreg Hudson2012-05-102-1/+12
| | | | | | | | | | The flag KRB5_PRINCIPAL_PARSE_IGNORE_REALM causes krb5_parse_name to return the principal with an empty realm whether or not a realm is present in the name. ticket: 7129 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25862 dc483132-0cff-0310-8789-dd5450dbe970
* Rewrite krb5_parse_nameGreg Hudson2012-05-102-292/+186
| | | | | | | | | krb5_parse_name started out a bit unwieldy, and has become more so with the introduction of flags. Rewrite it using two passes (allocate and fill), each broken out into its own helper, and a wrapper which handles the realm flags. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25861 dc483132-0cff-0310-8789-dd5450dbe970
* Make password change work without default realmGreg Hudson2012-05-101-0/+5
| | | | | | | | | | | | This fix is not very general or clean, but is suitable for backporting because it is minimally invasive. A more comprehensive fix will follow. ticket: 7127 target_version: 1.10.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25860 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-28 02:15:24 +0000