summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Document absolute times for 'kinit -s'Ben Kaduk2012-07-061-1/+5
| | | | | | | | | | | kinit's -s argument takes a parameter, which is first interpreted as a time interval ("deltat"), in the same format used for the -l and -r arguments. However, if that fails, the time argument is interpreted as an absolute time, in one of twelve different possible formats, some of which are subject to localization via strptime(). Explicitly listing all twelve possible interpretations is overkill, but give the user a hint that absolute times are possible at all.
* Enable all localizations in main functionsBen Kaduk2012-07-0619-23/+26
| | | | | | | | | | | | | | | Bite the bullet and pass LC_ALL to setlocale() instead of just LC_MESSAGES. Calls to setlocale() itself were introduced in fabbf9e443459e8c0161c84563690ed70c7f6a61 for ticket 6918, but only for LC_MESSAGES since only localized strings were needed and that was the most conservative option. However, klist, kadmin, and kinit (and perhaps others) would benefit from localized formats for times (i.e., LC_TIME). If potentially localized data is being sent on the wire, that is a bug that should be fixed. No such bugs are found with the current test suite, so we are comfortable enabling LC_ALL at this time. ticket: 7192
* Remove dead codeBen Kaduk2012-07-051-11/+0
| | | | | This (hair-raising) macro is not referenced anywhere in the tree, so remove it and the associated comment.
* Add ccinit and ccrefresh to .gitignoreGreg Hudson2012-07-051-0/+2
|
* Clarify diff between krb5.conf and kdc.conf filesZhanna Tsitkov2012-07-051-22/+2
|
* Simplify pkinit_server_verify_padata slightlyGreg Hudson2012-07-051-7/+2
| | | | | Eliminate the effectively unused variable tmp_as_req, and eliminate two unnecessary conditionals for freeing pointers.
* Simplify and fix pkinit_as_req_create cleanupGreg Hudson2012-07-051-11/+5
| | | | | | Avoid dereferencing a null auth_pack pointer if we run out of memory initializing info or auth_pack. Eliminate an unnecessary switch by just cleaning up all of the potentially allocated variables.
* Fix minor memory leaks in PKINIT codeGreg Hudson2012-07-051-0/+2
|
* Fix PKINIT verify_kdc_eku trace loggingGreg Hudson2012-07-051-1/+1
| | | | Test the value of the eku_accepted output parameter, not the pointer.
* Correct an error in GSSAPI initiator cred docsGreg Hudson2012-07-031-3/+3
|
* Fix typo in previous change to get_fq_hostnameTom Yu2012-07-031-1/+1
| | | | ticket: 7086
* Fix a minor memory leak in get_fq_hostnameArlene Berry2012-07-031-1/+3
| | | | ticket: 7086
* Take care with types in process_routing_update()Ben Kaduk2012-07-031-8/+11
| | | | | | | read(2) returns an ssize_t, not an int. We want to compare this value against several unsigned size_ts, so make a local copy. Also cast to int for printing; size_t can be wider than int, but these values should be small.
* Clean up const usage for supported_kdf_alg_idsBen Kaduk2012-07-032-2/+2
| | | | | The previous declaration had redundant consts and missed making the actual pointers stored in the array const.
* Pass empty string instead of NULL to printf-likeBen Kaduk2012-07-031-1/+1
|
* Remove unused variableBen Kaduk2012-07-031-2/+0
|
* Minor cleanups relating to size_t being unsignedBen Kaduk2012-07-032-2/+2
| | | | | | | | | | | In order to use -1 as a sentinel value, we should explicitly cast to make it clear what we are doing. It might be better to use a less convoluted sentinel value such as SIZE_T_MAX, though. Additionally, since size_t is unsigned and at least as wide as an int, a loop with int index variable that compares against a size_t for its termination check could become an infinite loop. Make the loop index size_t for consistency.
* Use consistent types for overflow comparisonBen Kaduk2012-07-031-1/+1
| | | | | | Unsigned long might not be 32-bits, in which case the overflow check fails for a 32-bit kdb_sno_t. Cast from -1 explicitly as a more robust check.
* Avoid unsigned/signed comparison in loop conditionBen Kaduk2012-07-031-2/+1
| | | | | | | The gid_len length is declared as an unsigned int, and loop index 'i' is a signed int. This could manifest as an infinite loop if gid_len is very large. In practice, gid_len should be small, but make 'i' the same type for consistency.
* Improve printf handling of size_t argsBen Kaduk2012-07-022-4/+5
| | | | | | | | | | | | | | | The %*s format takes two arguments, a precision length/width and an actual string; the length is specified as a signed integer. The size_t length field of the gss_buffer_desc type is an unsigned type, which must be cast or otherwise converted to a signed type to match the format string expectations. I do not think that the length will approach SIZE_T_MAX in practice, due to buffer constraints, so do not include handling for the edge case. There is a '%zu' format string for printing size_ts, but it is not available everywhere (e.g., AIX). Instead, use the unsigned long long abomination.
* Resolve no-previous-prototype warning in os/cm.cBen Kaduk2012-07-021-0/+1
| | | | | | | | | | | | | | | The warning is ../../../../krb5/src/lib/krb5/os/cm.c:43: warning: no previous prototype for 'k5 _getcurtime' which occurs because int k5_getcurtime(struct timeval *tvp) is defined (and used) in cm.c but there is no forward declaration. Include the os-proto.h (internal) header which declares this function to eliminate the warning. k5_getcurtime() is the first declaration in cm.c, so there is not an ABI concern. The only other consumer of k5_getcurtime(), sendto_kdc.c, already includes os-proto.h, so this issue is purely cosmetic.
* Increase MAX_DGRAM_SIZEGreg Hudson2012-07-021-1/+1
| | | | | | | | | Accept UDP datagrams up to 64K in size. We should still detect when an oversized datagram comes in by comparing against the maximum size, but this is trivial and covers 90% of the practical issues. ticket: 6566 status: open
* Add krb5_kt_client_default to krb5_32.defGreg Hudson2012-07-021-0/+1
|
* Fix kdc_free_lookaside() krb5_context usageGreg Hudson2012-07-021-1/+1
| | | | | Use the provided krb5_context, not kdc_context, which isn't valid when kdc_free_lookaside() is called.
* Comment fall-throughs in iakerb switch statementGreg Hudson2012-07-021-0/+2
|
* Fix minor memory leaks in acquire_cred.cGreg Hudson2012-07-021-4/+4
|
* Check sort_enctypes return value in gic_keytabGreg Hudson2012-07-021-2/+3
|
* Minor rst markup fixZhanna Tsitkov2012-07-023-6/+6
|
* Include all default etypes in gic_keytab requestsGreg Hudson2012-07-022-40/+30
| | | | | | | | | | | Revert 18b02f3e839c007fff54fc9b693f479b7563ec73 in the KDC. Instead, when making an initial request with a keytab, transmit the whole default_tkt_enctypes list, but sorted with the enctypes we have in the keytab first. That way the KDC should prefer enctypes which we have keys for (for both reply key and session key), but the other enctypes are still available for use as ticket session keys. ticket: 7190
* Add client keytab initiation supportGreg Hudson2012-07-0214-231/+767
| | | | | | | | | Support acquiring GSSAPI krb5 credentials by fetching initial credentials using the client keytab. Credentials obtained this way will be stored in the default ccache or collection, and will be refreshed when they are halfway to expiring. ticket: 7189 (new)
* Document GSSAPI name type behaviorGreg Hudson2012-07-021-24/+59
| | | | | | Separate out the general interpretation of GSSAPI name types by the krb5 mechanism from the specific behavior of host-based and principal name types when used as acceptor names.
* Add krb5_kt_client_default APIGreg Hudson2012-07-0217-2/+164
| | | | | | | | | | | | | | | | The default client keytab is intended to be used to automatically acquire initial credentials for client applications. The current hardcoded default is a placeholder, and will likely change before 1.11. Add test framework settings to ensure that a system default client keytab doesn't interfere with tests, and to allow tests to be written to deliberately use the default client keytab. Add documentation about keytabs to the concepts section of the RST docs, and describe the default client keytab there. ticket: 7188 (new)
* Get default cred only once in gss-krb5 initiatorGreg Hudson2012-07-022-42/+41
| | | | | | | | | | In the regular krb5 code path, only get a default krb5 cred for the initial token, since we don't need the cred for mutual_auth anyway. In the IAKERB mechanism, cache the default cred in iakerb_ctx_id_rec so we don't have to construct it again for each token. Also, get an IAKERB default cred, not a regular krb5 cred (a bug which is harmless now, but becomes more of a problem with keytab initiation changes).
* Try harder to make keytab-based AS requests workGreg Hudson2012-07-012-4/+20
| | | | | | | | | | | | | | | | | | | When making a keytab-based AS request, a client has to choose between sending its reply key enctype preference list (the enctypes it has in the keytab) and its session key enctype preference list (all of the enctypes it supports). Heimdal and MIT krb5 1.11 clients send the reply key preference list. If this list doesn't overlap with the server principal keys (say, because the krbtgt principal has only a DES key), then the AS request will fail. Try to make this work by making the KDC optimistically pick the first permitted enctype in the request as the session key, even though it can't be certain that other KDCs in the realm support that enctype. Make sure to exercise this case in t_keytab.py by doing a multipass keytab kinit test. ticket: 7190 (new)
* Remove an outdated reference to DES in klist helpGreg Hudson2012-06-291-1/+1
|
* Correct and clarify keytab API documentationGreg Hudson2012-06-291-12/+12
|
* Rename gss-krb5 cred tgt_expire fieldGreg Hudson2012-06-277-11/+11
| | | | | | | The tgt_expire field is used to store non-TGT expiry times in a couple of cases: when the ccache has no TGT, and after we've obtained a cred for the target service. Rename it to just "expire" to be less misleading.
* Scan ccache more efficiently in gss_acquire_credGreg Hudson2012-06-271-28/+25
| | | | | Avoid rereading the ccache in order to find the impersonator config entry. Instead, check each entry as we scan through the first time.
* Simplify password storage in krb5_gss_cred_id_recGreg Hudson2012-06-275-17/+12
| | | | | The password is always zero-terminated, so we can store it as a char * instead of a krb5_data.
* Clarify module names in host_configGreg Hudson2012-06-261-2/+5
| | | | | Explicitly state that a module name will usually be the same as the shared object name, but doesn't have to be.
* Fix another plugin example in host_configGreg Hudson2012-06-251-1/+1
|
* Restore some spaces in trvalTom Yu2012-06-254-790/+790
| | | | | | This is a cosmetic change to reintroduce some space characters that cff6ea939f061d17a5742a04b8eeb2905c1813dc removed, e.g. between the tag and the length or short value.
* Correctly document module setting in host_configGreg Hudson2012-06-251-5/+6
| | | | | The module variable must take the form modname:path, which was not reflected in the example or described in the text.
* Fix crash on invalid DIR ccache primary fileGreg Hudson2012-06-251-2/+2
| | | | | | | | | | If read_primary_file() fails with an error other than ENOENT, abort cache resolution rather than dereferencing a null pointer. Reported by Oliver Loch. ticket: 7185 target_version: 1.10.3 tags: pullup
* Eliminate trailing whitespace in trval outputGreg Hudson2012-06-225-1254/+1259
| | | | | | | | Modify the trval output slightly so that the reference trval output files don't containing trailing whitespace, to make them friendlier to our git hooks. (The pkinit and ldap trval reference files now contain a leading blank line, which isn't very elegant, but avoiding that requires too much Makefile.in complexity.) Also correct a typo.
* Simplify acquire_cred.cGreg Hudson2012-06-221-109/+48
| | | | | | struct acquire_cred_args was used purely to pass arguments to acquire_cred (a static function), and had no advantages for that purpose over positional arguments.
* Fix config check in krb5_cccol_have_contentGreg Hudson2012-06-221-1/+1
| | | | | | | krb5_is_config_principal should be invoked on creds.server, not creds.client. ticket: 7173
* Limit size of lookaside cacheGreg Hudson2012-06-221-14/+25
| | | | | | | | Add a preprocessor constant LOOKASIDE_MAX_SIZE (defaulting to 10MB) which limits the total size of the lookaside cache entries. Purge stale entries in kdc_insert_lookaside instead of kdc_check_lookaside, and when doing so, continue purging non-stale entries until the total cache size (including the new entry) is within the size constraint.
* Flatten KDC lookaside cache entriesGreg Hudson2012-06-221-9/+11
| | | | | Use krb5_data structures instead of pointers in the entry structure, reducing the number of memory allocations.
* Handle PKINIT DH replies with no certsGreg Hudson2012-06-221-1/+8
| | | | | | | | | | | | | | | If a PKINIT Diffie-Hellman reply contains no certificates in the SignedData object, that may be because the signer certificate was a trust anchor as transmitted to the KDC. Heimdal's KDC, for instance, filters client trust anchors out of the returned set of certificates. Match against idctx->trustedCAs and idctx->intermediateCAs to handle this case. This fix only works with OpenSSL 1.0 or later; when built against OpenSSL 0.9.x, the client will still require a cert in the reply. Code changes suggested by nalin@redhat.com. ticket: 7183
generated by cgit (git 2.34.1) at 2025-09-27 13:44:46 +0000