summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* kfw fixes: make leash ignore credentials that store config principalsTom Yu2011-12-124-0/+15
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25555 dc483132-0cff-0310-8789-dd5450dbe970
* kfw installer: don't build installer into installerTom Yu2011-12-122-46/+0
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25554 dc483132-0cff-0310-8789-dd5450dbe970
* kfw installer: purge support for old compilersTom Yu2011-12-121-194/+0
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25553 dc483132-0cff-0310-8789-dd5450dbe970
* kfw fixes: install xpprof32Tom Yu2011-12-122-4/+4
| | | | | | | | | | TODO: xpprof64! Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25552 dc483132-0cff-0310-8789-dd5450dbe970
* kfw: update copyright notice in license.rtfTom Yu2011-12-121-1/+1
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25551 dc483132-0cff-0310-8789-dd5450dbe970
* kfw: use correct message id to obtain tgt from leashTom Yu2011-12-121-1/+2
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25550 dc483132-0cff-0310-8789-dd5450dbe970
* kfw: clean out unused #defines from Lglobals.hTom Yu2011-12-121-4/+0
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25549 dc483132-0cff-0310-8789-dd5450dbe970
* kfw installer: install leash32.exeTom Yu2011-12-122-4/+4
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25548 dc483132-0cff-0310-8789-dd5450dbe970
* kfw installer: use MSVC 2010 merge modulesTom Yu2011-12-123-138/+37
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25547 dc483132-0cff-0310-8789-dd5450dbe970
* Windows leash fixes: 'make install' installs leash exesTom Yu2011-12-121-0/+1
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25546 dc483132-0cff-0310-8789-dd5450dbe970
* Windows leash64 fixes: use proper names for leash and krb5 dllsTom Yu2011-12-121-0/+6
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25545 dc483132-0cff-0310-8789-dd5450dbe970
* kfw installer: add runtime.wxi WIXINCLUDES in Makefile to fix dependenciesTom Yu2011-12-121-0/+1
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25544 dc483132-0cff-0310-8789-dd5450dbe970
* LeashView.cpp: only specify TVIF_TEXT if there is actually textTom Yu2011-12-121-1/+4
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25543 dc483132-0cff-0310-8789-dd5450dbe970
* windows ccapi: use a random challenge to authenticate ccapiserverTom Yu2011-12-121-2/+38
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25542 dc483132-0cff-0310-8789-dd5450dbe970
* windows ccapi: launch server without console by defaultTom Yu2011-12-121-5/+6
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25541 dc483132-0cff-0310-8789-dd5450dbe970
* Make ccapiserver exit if its receiveloop thread terminates for any reasonTom Yu2011-12-122-2/+10
| | | | | | | | | | This happens, for example, when the rpc endpoint is already registered by another ccapiserver process. There's no reason to leave a zombie process running that can't receive messages. ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25540 dc483132-0cff-0310-8789-dd5450dbe970
* fix warning in test_cc_credentials_iterator_next.cTom Yu2011-12-121-0/+1
| | | | | | | | include test_ccapi_iterators.h for check_cc_credentials_iterator_next ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25539 dc483132-0cff-0310-8789-dd5450dbe970
* windows ccapiserver: replace Sleep with event waitTom Yu2011-12-125-10/+52
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25538 dc483132-0cff-0310-8789-dd5450dbe970
* Corrected the name of KRB5_NT_SRV_HST macro. Added some doxygen commentsZhanna Tsitkov2011-12-121-30/+21
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25537 dc483132-0cff-0310-8789-dd5450dbe970
* Fix subkey memory leak in krb5_get_credentialsGreg Hudson2011-12-091-0/+2
| | | | | | | | | | | If a get_credentials operation requires multiple TGS requests, we need to free the subkey from previous requests before saving a new one. ticket: 7049 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25536 dc483132-0cff-0310-8789-dd5450dbe970
* Fix memory leaks in FAST TGS supportGreg Hudson2011-12-092-4/+12
| | | | | | | | | | krb5int_fast_prep_req remove tgs from request->padata and needs to free it. get_creds.c needs to use a fresh FAST state for each TGS request to avoid leaking armor keys. ticket: 7026 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25535 dc483132-0cff-0310-8789-dd5450dbe970
* Actually allow null server key in krb5_pac_verifyGreg Hudson2011-12-081-3/+0
| | | | | | ticket: 7048 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970
* Remove reference to krb5_anadd. Correct the name of HAVE_GETUSERSHELL flagZhanna Tsitkov2011-12-071-140/+164
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25533 dc483132-0cff-0310-8789-dd5450dbe970
* Allow null server key to krb5_pac_verifyGreg Hudson2011-12-072-6/+8
| | | | | | | | | | When the KDC verifies a PAC, it doesn't really need to check the server signature, since it can't trust that anyway. Allow the caller to pass only a TGT key. ticket: 7048 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970
* Add automated tests for S4U2Self and S4U2ProxyGreg Hudson2011-12-075-9/+347
| | | | | | | | | These tests mainly exercise the client-side GSSAPI code for S4U2Self and S4U2Proxy. They also exercise the KDC code for S4U2Self, but only the denial logic for S4U2Proxy since the DB2 back end doesn't support constrained delegation currently. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25531 dc483132-0cff-0310-8789-dd5450dbe970
* Allow S4U2Proxy service tickets to be cachedGreg Hudson2011-12-071-3/+1
| | | | | | | | | | Previous to this change, the GSS code avoids caching S4U2Proxy results for fear of the memory cache growing without bound, but that seems unlikely to be a serious problem. Allow these to be cached. ticket: 7047 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25530 dc483132-0cff-0310-8789-dd5450dbe970
* Allow S4U2Proxy delegated credentials to be savedGreg Hudson2011-12-078-31/+89
| | | | | | | | | | | | | | | The initial implementation of client-side S4U2Proxy support did not allow delegated proxy credentials to be stored (gss_store_cred would error out, and gss_krb5_copy_ccache would generate a non-working cache). To make this work, we save the impersonator name in a cache config variable and in a cred structure field (replacing the proxy_cred flag), and make the default principal of the proxy cache the subject principal as the caller would expect for a regular delegated cred. ticket: 7046 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25529 dc483132-0cff-0310-8789-dd5450dbe970
* SA-2011-007 KDC null pointer deref in TGS handling [CVE-2011-1530]Tom Yu2011-12-063-1/+11
| | | | | | | | | | | Fix a null pointer dereference condition that could cause a denial of service. ticket: 7042 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25525 dc483132-0cff-0310-8789-dd5450dbe970
* make dependKen Raeburn2011-12-052-5/+10
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25505 dc483132-0cff-0310-8789-dd5450dbe970
* Set a default enctype for optimistic preauthGreg Hudson2011-12-041-0/+8
| | | | | | | | | | | | | | | | | | | | | | When the client application requests optimistic preauth for a preauth type which uses the password, we don't have an etype-info2 to interpret since we haven't talked to the KDC. So we need to guess an enctype, salt, and s2k parameters. In 1.9 and prior, encrypted timestamp contained code to use the first requested enctype in this case, but encrypted challenge did not. In 1.10 prior to this change, neither mechanism uses a reasonable default. Set a default enctype in krb5_init_creds_init so that all password-based preauth mechanisms will use a reasonable default in the optimistic preauth case. The default salt and s2k parameters for this case will be the principal-based default salt and the enctype-based default parameters. ticket: 7033 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25504 dc483132-0cff-0310-8789-dd5450dbe970
* Added support for loading of Krb5.ini from Windows APPDATASam Hartman2011-12-021-8/+77
| | | | | | | | | | Signed-off-by: Alexey Melnikov <aamelnikov@gmail.com> ticket: 7038 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25500 dc483132-0cff-0310-8789-dd5450dbe970
* Use LsaDeregisterLogonProcess(), not CloseHandle()Sam Hartman2011-12-021-9/+9
| | | | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7037 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25499 dc483132-0cff-0310-8789-dd5450dbe970
* Fix free ofuninitialized memory in sname_to_princSam Hartman2011-12-021-2/+3
| | | | | | | | | | | Fix free of uninitialized memory in error case introduced in 1.10 development cycle. ticket: 7036 tags: pullup Target_Version: 1.10 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25498 dc483132-0cff-0310-8789-dd5450dbe970
* krb5_lcc_store() now ignores config credentialsSam Hartman2011-12-021-0/+9
| | | | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7035 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25497 dc483132-0cff-0310-8789-dd5450dbe970
* mk_cred: memory managementSam Hartman2011-12-021-1/+1
| | | | | | | | | | | | | | Fix for mk_cred.c: calloc() not malloc() Avoid calling free() in cleanup on uninitialized sub-ptrs if error occurs. Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7034 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25496 dc483132-0cff-0310-8789-dd5450dbe970
* Added Test Coverage topicZhanna Tsitkov2011-11-302-0/+34
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25495 dc483132-0cff-0310-8789-dd5450dbe970
* Ldap dependency for parallel buildsSam Hartman2011-11-291-0/+3
| | | | | | | | | | The ldap plugin needs to declare a dependency on the ldap library ticket: 7030 tags: pullup target_version: 1.10 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25494 dc483132-0cff-0310-8789-dd5450dbe970
* Fix --with-system-verto without pkg-configGreg Hudson2011-11-291-1/+1
| | | | | | | | | | | | If we're using the system verto and pkg-config isn't found but libverto is, set VERTO_LIBS to just -lverto as there won't be a k5ev module. ticket: 7029 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25493 dc483132-0cff-0310-8789-dd5450dbe970
* Use INSTALL_DATA to avoid marking .mo files executableSam Hartman2011-11-291-1/+1
| | | | | | ticket: new target_version: 1.10 tags: pullup subject: Use INSTALL_DATA to install message catalogues git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25492 dc483132-0cff-0310-8789-dd5450dbe970
* AC_CHECK_LIB should put -lcrypto in PKINIT_CRYPTO_IMPL_LIBS not LIBSSam Hartman2011-11-291-1/+1
| | | | | | | | | for pkinit. A similar problem exists for crypto_impl and is not addressed by this patch. ticket: new Subject: LIBS should not include PKINIT_CRYPTO_IMPL_LIBS tags: pullup target_version: 1.10 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25491 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust krb5int_decode_tgs_rep, closing a leakGreg Hudson2011-11-231-19/+20
| | | | | | | | Use current practices for parameter naming and resource cleanup. Avoid a leak of local_dec_rep (now named dec_rep) if we take a "goto cleanup" path. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25490 dc483132-0cff-0310-8789-dd5450dbe970
* Whitespace, style changes to past two commitsGreg Hudson2011-11-235-76/+84
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25489 dc483132-0cff-0310-8789-dd5450dbe970
* FAST TGSSam Hartman2011-11-237-18/+129
| | | | | | | | | | Implement RFC 6113 FAST TGS support. Includes library support for a varient of explicit TGS armor that has not yet been proposed within the IETF. ticket: 7026 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25488 dc483132-0cff-0310-8789-dd5450dbe970
* FAST: error handling and const keyblockSam Hartman2011-11-232-23/+34
| | | | | | | | | | | | krb5int_fast_process_error: Allow out_padata and retry to be null for TGS case. Refactor function to do more frees in the exit handling and to declare variables at the top. krb5int_fast_reply_key: input keyblock arguments should be const ticket: 7025 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25487 dc483132-0cff-0310-8789-dd5450dbe970
* ticket: newSam Hartman2011-11-236-59/+49
| | | | | | | | | | | | | | | | | subject: FAST PKINIT target_version: 1.10 tags: pullup Per RFC 6113 fast should use the inner request body for the pkinit checksum. We did that on the KDC; now do so on the client. Remove code that explicitly blocked pkinit under FAST. Also, use the reply key *before* the strengthen key is applied when verifying the PADATA_PKINIT_KX. Add FAST pkinit test. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25486 dc483132-0cff-0310-8789-dd5450dbe970
* Use POSIX constants instead of S_IREAD/S_IWRITEGreg Hudson2011-11-221-2/+2
| | | | | | | | S_IREAD and S_IWRITE are ancient names for S_IRUSR and S_IWUSR, and are not defined on some modern platforms (such as Android). Use the POSIX names instead. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25485 dc483132-0cff-0310-8789-dd5450dbe970
* Fix compile error in previous changeGreg Hudson2011-11-221-1/+0
| | | | | | | | | A last-minute code editing mistake crept into the previous commit; fix it. ticket: 7023 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25484 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up client-side preauth error data handlingGreg Hudson2011-11-217-116/+97
| | | | | | | | | | | | | | | | | | | | | | | | Change the clpreauth tryagain method to accept a list of pa-data, taken either from the FAST response or from decoding the e_data as either pa-data or typed-data. Also change the in_padata argument to contain just the type of the request padata rather than the whole element, since modules generally shouldn't care about the contents of their request padata (or they can remember it). In krb5int_fast_process_error, no longer re-encode FAST pa-data as typed-data for the inner error e_data, but decode traditional error e_data for all error types, and try both pa-data and typed-data encoding. In PKINIT, try all elements of the new pa-data list, since it may contain FAST elements as well as the actual PKINIT array. (Fixes an outstanding bug in FAST PKINIT.) ticket: 7023 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25483 dc483132-0cff-0310-8789-dd5450dbe970
* Recognize IAKERB mech in krb5_gss_display_statusGreg Hudson2011-11-211-1/+2
| | | | | | | | | | | | Minor status codes were not displaying properly when originated from the IAKERB mech, because of a safety check on mech_type. From Ralf Haferkamp <rhafer@suse.de>. ticket: 7020 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25482 dc483132-0cff-0310-8789-dd5450dbe970
* Formating fixes and update per rev#25480Zhanna Tsitkov2011-11-212-84/+78
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25481 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-29 07:09:42 +0000