summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Remove irrelevant to current code Novell copyrightZhanna Tsitkov2012-08-102-54/+0
|
* Add tests for gss_inquire_credGreg Hudson2012-08-103-3/+221
| | | | | | | | | Now that we're doing a kind of deferred credential acquisition for krb5, the behavior of gss_inquire_cred is a bit more subtle because (per RFC 2743 section 2.1.4) we have to choose a credential cache or acceptor name sooner than we would otherwise do so. Add a C program to invoke gss_acquire_cred/gss_inquire_cred and some Python tests using it.
* Rename Kerberos Concepts section in Sphinx docZhanna Tsitkov2012-08-091-2/+2
|
* Remove gss_mechanism_extSimo Sorce2012-08-085-124/+26
| | | | | | | | This function did not serve any useful purpose. Remove it and the special case it creates; move the only function it contained to the main gss_mechanism structure where it belongs. Note that the function name is preserved so that loadable modules are not affected by this change.
* Regression tests for CVE-2012-1014, CVE-2012-1015Tom Yu2012-08-073-0/+71
| | | | | | ticket: 7231 (new) target_version: 1.10.3 tags: pullup
* Add missing quote to install-windowsTom Yu2012-08-071-1/+1
| | | | | | ticket: 7230 (new) target_version: 1.10.3 tags: pullup
* Minor Sphinx html style modificationZhanna Tsitkov2012-08-071-1/+1
|
* Fix memory leak parsing name with default realmGreg Hudson2012-08-071-0/+1
| | | | | | | After 74beb75bb07e3921d10c8eec05eacb1f393e5e44, allocate_princ() allocates a one-byte realm field even if the principal doesn't have one, so if we're replacing it with the default realm, we need to free that.
* Fix HTML rendering of long-form optionsBenjamin Kaduk2012-08-062-69/+69
| | | | | | | | | | | | | | | | | | | We at present only have long-form options for configure, the scope of the change is somewhat limited. Our SmartyPants config for Sphinx causes these options to appear as prefixed with an en dash, instead of the two hyphens that demarcate the (GNU-style) long-form options. Using a different type of markup for command options could work around this, but that would be a much larger patch. Instead, apply a workaround in the markup for display purposes, which makes the source a bit more ugly but the output correct. Man page output is unaffected. This patch was automatically generated with: git grep -- -- doc/rst_source | grep -v -- --- | cut -d ':' -f 1 | uniq | xargs sed -i '' -e 's/\*\*--\([a-zA-Z]\)/**-**\\ **-\1/g' and manually reviewed for correctness. ticket: 7187
* Remove dash from man page rst sourceBen Kaduk2012-08-061-1/+1
| | | | | | | | This page gets rendered for the web with Sphinx but is also turned into the krb5_conf.5 manual page. We need to use three-hyphen em dashes for the Sphynx config, but those are a bit long for monospace terminal output. Since the dash here can easily be changed to a comma, do so, and avoid the conflict of formatting.
* Use '---' for em dashes in rst sourceBen Kaduk2012-08-063-4/+4
| | | | | | | | | Our sphinx configuration uses SmartyPants, which produces smart quotes and dashes in HTML output, using '--' for en dash and '---' for em dash. (This is also the LaTeX convention.) These points in the text are meant to be em dashes, so format them as such. Also standardize on no spaces around the dash per Chicago Manual of Style (and others).
* Turn off replay cache in krb5_verify_init_creds()Nalin Dahyabhai2012-08-061-0/+9
| | | | | | | The library isn't attempting a replay attack on itself, so any detected replays are only going to be false-positives. ticket: 7229 (new)
* Pass the actual mech oid in creds functionsSimo Sorce2012-08-062-11/+34
| | | | | | This way the mechanism handler knows what mech type is intended. This allows plugin that implement multiple mechanisms or interposer plugins to know what they are being asked to do.
* Always consider desired_mechs empty in spnego (2)Simo Sorce2012-08-061-9/+7
| | | | | | | | Follow previous change to add_cred_from. The only case where the spnego gss_*_cred_* functions can be called with specific OIDs is if the mechglue calls spnego with the spengo oid, which we never want to loop on anyway. So always consider it as null, it's the correct behavior with current semantics.
* Doc "version introduced" for some kdc.conf tagsZhanna Tsitkov2012-08-061-76/+79
| | | | | Also, move [logging] section documentation after [dbmodules] documentation.
* Clarify example in kadm5.acl documentZhanna Tsitkov2012-08-061-4/+4
|
* Reuse code to free gss_mech_info structureSimo Sorce2012-08-051-21/+4
|
* Announce myself as a member of the Kerberos TeamBenjamin Kaduk2012-08-031-0/+1
|
* Add "feedback" button to the header in Sphinx HTMLZhanna Tsitkov2012-08-031-1/+2
|
* Always consider desired_mechs empty in spnegoSimo Sorce2012-08-031-18/+4
| | | | | | | The only case where the spnego gss_aquire_cred function can be called with specific OIDs is if the mechglue calls spenego with the spengo oid, which we never want to loop on anyway. So always consider it as null, it's the correct behavior with current semantics.
* Make gss_ctx_id_t truly opaqueSimo Sorce2012-08-035-6/+6
| | | | | | This allows us to still use it for type safety in the APIs while at the same time prevent code from trying to dereference internal_ctx_id by mistake.
* Remove "Synopsis" from .k5login .k5identity docsZhanna Tsitkov2012-08-032-10/+0
|
* Produce man page for kadm5.aclZhanna Tsitkov2012-08-031-0/+1
|
* Cross-reference to kadm5.acl in documentationZhanna Tsitkov2012-08-035-269/+13
|
* New documention for kadm5.aclZhanna Tsitkov2012-08-032-3/+139
|
* Further fixes for WSA/Posix error translationKevin Wasserman2012-08-031-2/+42
| | | | | | | | | | | | | | Don't translate '0' (no error). Handle WSAEAFNOSUPPORT and WSAEINVAL. Add Posix->WSA translation. Add default translation for unrecognized errors. [ghudson@mit.edu: Merged with master and adjusted comments.] Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7228 (new) tags: pullup
* Fix malformed Parameter Expansion table in docsZhanna Tsitkov2012-08-021-2/+1
|
* Fix oid set construction in gss_inquire_cred()Kevin Wasserman2012-08-021-22/+10
| | | | | | | | | | | Use gssapi calls to construct the oid sets. It is not safe on windows to use malloc to hand-construct the set and then call gss_release_oid_set() to clean it up. Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7227 (new) tags: pullup
* Minor correction of [realms] text of kdc.confZhanna Tsitkov2012-08-021-6/+5
|
* Change default client keytab nameGreg Hudson2012-08-024-5/+170
| | | | | | | Change the default client keytab name, if not overridden at build time, to FILE:$localstatedir/krb5/user/%{euid}/client.keytab. Introduce a second file from the autoconf archives in order to recursively expand $localstatedir within configure.in.
* Fix default substitution of ccache/keytab namesGreg Hudson2012-08-023-4/+10
| | | | | | | | | Tie up some loose ends in substitution of the default ccache/keytab names after 688a2702d2045abf5f99acfb59f3f372391e5be4: * Fix the substhtml target in src/doc/Makefile.in * Don't add FILE: when substituting the default keytab and client keytab names, as the defaults already have it.
* Grammar and spellingBenjamin Kaduk2012-08-011-5/+5
|
* Our kadmind uses its assigned port by defaultBenjamin Kaduk2012-08-011-1/+1
| | | | | Do not leave anyone thinking that they might have to specify it in the config file to get the standard behavior.
* Explain memory allocation policy in oid_ops.cGreg Hudson2012-08-011-0/+7
|
* Add %{username} token to path expansionGreg Hudson2012-08-013-2/+27
| | | | | | | | For Unix-like platforms, add %{username} to the path expansion facility, expanding to the result of getpwuid on the euid. Also, for manual testing convenience, make t_expand_path print the result if no second argument is given.
* Fix KDC heap corruption vuln [CVE-2012-1015]Tom Yu2012-08-013-1/+6
| | | | | | | | | | | | | | | | | | | | Fix KDC heap corruption vulnerability [MITKRB5-SA-2012-001 CVE-2012-1015]. The cleanup code in kdc_handle_protected_negotiation() in kdc_util.c could free an uninitialized pointer in some error conditions involving "similar" enctypes and a failure in krb5_c_make_checksum(). Additionally, adjust the handling of "similar" enctypes to avoid advertising enctypes that could lead to inadvertent triggering of this vulnerability (possibly in unpatched KDCs). Note that CVE-2012-1014 (also described in MITKRB5-SA-2012-001) only applies to the krb5-1.10 branch and doesn't affect the master branch or releases prior to krb5-1.10. ticket: 7225 (new) target_version: 1.9.5 tags: pullup
* Doc the need to restart KDC if kdc.conf changedZhanna Tsitkov2012-08-011-0/+2
|
* Updated logs URL for #krbdev channelZhanna Tsitkov2012-08-011-4/+10
|
* Fix edge-case bugs in kdb5_util loadGreg Hudson2012-07-312-16/+25
| | | | | | | | | | | * fscanf field widths must be less than the buffer size, not equal to it. * Check for negative values of lengths we're going to allocate. * Eliminate a warning in the comparison of the regexp end offset. * process_r1_8 policy doesn't actually ignore additional values, so get rid of the comment and inequality test suggesting that it does. ticket: 7224 (new)
* Revert an out-of-scope change in policy extensionsGreg Hudson2012-07-311-1/+1
|
* Add LDAP back end support for policy extensionsGreg Hudson2012-07-303-2/+127
| | | | ticket: 7223
* Constify krb5_string_to_keysalts()'s string argNicolas Williams2012-07-304-15/+17
|
* Policy extensions + new policy: allowed ks typesNicolas Williams2012-07-3035-220/+996
| | | | | | | | | | | | | | | | | This simply adds KADM5_API_VERSION_4 and various fields to the policy structures: - attributes (policy-ish principal attributes) - max_life (max ticket life) - max_renewable_life (max ticket renewable life) - allowed_keysalts (allowed key/salt types) - TL data (future policy extensions) Of these only allowed_keysalts is currently implemented. Some refactoring of TL data handling is also done. ticket: 7223 (new)
* Fix ugly ladder in src/kadmin/cli/kadmin.cNicolas Williams2012-07-301-144/+112
|
* De-indent process_k5beta6_record()Nicolas Williams2012-07-301-247/+210
|
* Remove eDirectory support code in LDAP KDB moduleGreg Hudson2012-07-2921-5157/+23
|
* Factor out LDAP policy marshallingGreg Hudson2012-07-261-32/+55
| | | | | | Use a helper function add_policy_mods() in krb5_ldap_create_password_policy() and krb5_ldap_put_password_policy() to avoid duplicating code for each field.
* Remove obsolete code in ldap_pwd_policy.cGreg Hudson2012-07-261-36/+0
| | | | | r18750 refactored some policy fetching code into populate_policy(), and left the old code in #if 0 blocks. Get rid of those blocks now.
* Minor fixes to expand_path.cGreg Hudson2012-07-251-35/+24
| | | | | | | Corrections to stuff noticed by kaduk: * Eliminate a space before paren in a call to free(). * Use %lu for unsigned long in format strings. * Simplify the tokens table definition.
* Support changing the built-in ccache/keytab namesGreg Hudson2012-07-2420-48/+142
| | | | | | | | | | | | | | * Add DEFCCNAME, DEFKTNAME, and DEFCKTNAME configure variables to change the built-in ccache and keytab names. * Add krb5-config options to display the built-in ccache and keytab names. * In the default build, use krb5-config to discover the system's built-in ccache and keytab names and use them (if not overridden). This can be controlled with the --with-krb5-config=PATH or --without-krb5-config configure options. * Make the built-in ccache name subject to parameter expansion. ticket: 7221 (new)
generated by cgit (git 2.34.1) at 2024-11-19 00:07:36 +0000