summaryrefslogtreecommitdiffstats
path: root/src/kadmin/server/schpw.c
Commit message (Collapse)AuthorAgeFilesLines
* Check for malloc failure in process_chpw_requestGreg Hudson2014-03-031-2/+3
| | | | | | ticket: 7866 target_version: 1.12.2 tags: pullup
* Err codes in KRB_ERROR protocol messages are < 128Zhanna Tsitkov2013-09-231-1/+1
| | | | | | If the error code is out of [0,127] range, assign it to KRB_ERR_GENERIC. This fix is to correct the previous behavior with [0,128] range. For more information see krb5_err.et
* Fix kpasswd UDP ping-pong [CVE-2002-2443]Tom Yu2013-05-131-4/+4
| | | | | | | | | | | | | | | | | | | | The kpasswd service provided by kadmind was vulnerable to a UDP "ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless they pass some basic validation, and don't respond to our own error packets. Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong attack or UDP ping-pong attacks in general, but there is discussion leading toward narrowing the definition of CVE-1999-0103 to the echo, chargen, or other similar built-in inetd services. Thanks to Vincent Danen for alerting us to this issue. CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C ticket: 7637 (new) target_version: 1.11.3 tags: pullup
* Add and use k5memdup, k5memdup0 helpersGreg Hudson2013-02-091-4/+1
| | | | | | Add k5-int.h static functions to duplicate byte ranges, optionally with a trailing zero byte, and set an error code like k5alloc does. Use them where they would shorten existing code.
* Require IPv6 supportKen Raeburn2012-02-281-2/+0
| | | | | | | | | | | | | | The configure-time options to enable and disable IPv6 support have been deprecated for some time, but the checks for OS support were kept. This removes those checks, and unconditionally compiles in the IPv6 support. There was a configure-time test to see if the macro INET6 needed to be defined in order to enable (visibility of) OS support for IPv6, which was needed on an IRIX system we tested with. That check is retained, but the revised code is untested on IRIX. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25719 dc483132-0cff-0310-8789-dd5450dbe970
* Make verto context available to kdcpreauth modulesGreg Hudson2011-11-151-1/+1
| | | | | | | | | | | | Add an event_context callback to kdcpreauth. Adjust the internal KDC and main loop interfaces to pass around the event context, and expose it to kdcpreauth modules via the rock. ticket: 7019 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25475 dc483132-0cff-0310-8789-dd5450dbe970
* Allow password changes over NATsGreg Hudson2011-10-151-23/+8
| | | | | | | | | | | | In the kpasswd server code, don't set a remote address in the auth context before calling krb5_rd_priv, since the kpasswd protocol is well-protected against reflection attacks. This allows password changes to work in cases where a NAT has changed the client IP address as it is seen by the server. ticket: 6979 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25356 dc483132-0cff-0310-8789-dd5450dbe970
* Make dispatch() respond via a callbackGreg Hudson2011-10-031-17/+10
| | | | | | From npmccallum@redhat.com with changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25291 dc483132-0cff-0310-8789-dd5450dbe970
* Mark up strings for translationGreg Hudson2011-06-101-8/+6
| | | | | | ticket: 6918 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up schpw.c in kadmind a bit, making use of new k5-int.h helpersGreg Hudson2011-04-191-79/+44
| | | | | | where appropriate. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24888 dc483132-0cff-0310-8789-dd5450dbe970
* Revert r24886; it was incorrectGreg Hudson2011-04-191-4/+0
| | | | | | ticket: 6903 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24887 dc483132-0cff-0310-8789-dd5450dbe970
* Fix memory leak in kpasswd server UDP error pathGreg Hudson2011-04-191-0/+4
| | | | | | | | | | | | | The dispatch() in kadmind's schpw.c could return a failure code with an allocated response container. net-server.c does not expect this and leaks the container in the UDP case. Free the container in dispatch() if we are returning an error. ticket: 6903 target_version: 1.9.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24886 dc483132-0cff-0310-8789-dd5450dbe970
* Fix the sole case in process_chpw_request() where a return could occurTom Yu2011-04-131-2/+12
| | | | | | | | | | | | | | without allocating the data pointer in the response. This prevents a later free() of an invalid pointer in kill_tcp_or_rpc_connection(). Also initialize rep->data to NULL in process_chpw_request() and clean up *response in dispatch() as an additional precaution. ticket: 6899 tags: pullup target_version: 1.9.1 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24878 dc483132-0cff-0310-8789-dd5450dbe970
* In r21175 (on the mskrb branch, merged in r21690) the result codes forGreg Hudson2011-03-291-2/+3
| | | | | | | | | | | | | | password quality and other errors were accidentally reversed. Fix them so that password quality errors generate a "soft" failure and other errors generate a "hard" failure, as Heimdal and Microsoft do. Also recognize KADM5_PASS_Q_GENERIC (added in 1.9) as a password quality error. ticket: 6888 target_version: 1.9.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24755 dc483132-0cff-0310-8789-dd5450dbe970
* Add missing KRB5_USE_INET6 ifdefs around some bits of IPv6 code whichGreg Hudson2011-02-091-0/+2
| | | | | | | | didn't have them. From aberry@likewise.com. ticket: 6857 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24620 dc483132-0cff-0310-8789-dd5450dbe970
* Merge users/raeburn/branches/network-mergeKen Raeburn2010-03-171-0/+59
| | | | | | | | | | Re-integrates the forked versions of network.c in kdc and kadmin/server. Server-specific initialization and SIGHUP-reset code is moved into other source files; the more generic network-servicing code is merged and moved into apputils library already used by both programs. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23811 dc483132-0cff-0310-8789-dd5450dbe970
* make mark-cstyleTom Yu2009-10-311-215/+216
| | | | | | make reindent git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
* Start to phase out krb5_xfree macro, which just casts its argument toKen Raeburn2009-01-281-5/+5
| | | | | | | | | | | char* and calls free. Replace most uses, outside of the LDAP KDB plugin, which doesn't build on my test system of the moment because of version dependencies. Add one explicit cast to make the change warning-neutral (under gcc 4.0.1 on Mac OS X 10.5.6). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21812 dc483132-0cff-0310-8789-dd5450dbe970
* Adapted patch from Apple: in kadmind's process_chpw_request, make sureGreg Hudson2009-01-221-2/+7
| | | | | | | | | to free error message strings. ticket: 6284 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21776 dc483132-0cff-0310-8789-dd5450dbe970
* Merge mskrb-integ onto trunkSam Hartman2009-01-031-99/+142
| | | | | | | | | | | | | | | | | | | | | | | | The mskrb-integ branch includes support for the following projects: Projects/Aliases * Projects/PAC and principal APIs * Projects/AEAD encryption API * Projects/GSSAPI DCE * Projects/RFC 3244 In addition, it includes support for enctype negotiation, and a variety of GSS-API extensions. In the KDC it includes support for protocol transition, constrained delegation and a new authorization data interface. The old authorization data interface is also supported. This commit merges the mskrb-integ branch on to the trunk. Additional review and testing is required. Merge commit 'mskrb-integ' into trunk ticket: new status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21690 dc483132-0cff-0310-8789-dd5450dbe970
* Use strlcpy instead of strcpy in many placesGreg Hudson2008-10-241-17/+30
| | | | | | | ticket: 6200 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20919 dc483132-0cff-0310-8789-dd5450dbe970
* Check for malloc failureKen Raeburn2008-08-061-0/+5
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20615 dc483132-0cff-0310-8789-dd5450dbe970
* Fix various minor format-string issuesKen Raeburn2008-06-031-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20356 dc483132-0cff-0310-8789-dd5450dbe970
* Avoid unchecked sprintf in some KDC-side programsKen Raeburn2007-07-121-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19705 dc483132-0cff-0310-8789-dd5450dbe970
* MITKRB5-SA-2007-002: buffer overflow in krb5_klog_syslogTom Yu2007-04-031-2/+7
| | | | | | | | | | | | | | | | Fix MITKRB5-SA-2007-002: buffer overflow in krb5_klog_syslog. * src/lib/krb5/krb/get_in_tkt.c (krb5_klog_syslog): Use vsnprintf if available. Everything else: use precision fields on "%s" specifiers to truncate logged strings, in case someone doesn't have vsnprintf. ticket: new target_version: 1.6.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19395 dc483132-0cff-0310-8789-dd5450dbe970
* Partial merge from Novell LDAP integration branch, not including theKen Raeburn2006-04-131-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | actual LDAP bits: * include/kdb.h (krb5_db_entry_new): Add MASK field indicating what's changed. (KRB5_KDB_SRV_TYPE_*): New macros indicating which type of service is accessing the database. * lib/kadm5/srv/svr_principal.c: Set mask field. * lib/kadm5/srv/server_misc.c, server_init.c: Pass service type to krb5_db_open. * kadmin/dbutil/kdb5_stash.c (kdb5_stash): Pass service type to krb5_db_open. * kadmin/dbutil/kdb5_util.c (open_db_and_mkey): Pass service type to krb5_db_open. * kdc/main.c (init_realm): Pass service type to krb5_db_open. * lib/kadm5/srv/svr_principal.c: Set mask field. * kadmin/dbutil/dump.c (load_db): Pass service type to krb5_db_open. * lib/kdb/kdb5.h (KRB5_KDB_SRV_TYPE_*): New macros. * lib/kdb/err_handle.{c,h}: Deleted. * lib/kadm5/clnt/err_handle.{c,h}: Deleted. (krb5_db_clr_error): Declaration deleted. * lib/kdb/Makefile.in, lib/kadm5/clnt/Makefile.in: Don't build them. * lib/kdb/kdb5.c, lib/kadm5/clnt, lib/kadm5/srv: Use new error-message API. * kdc/do_tgs_req.c (process_tgs_req): Use new error-message API. * kdc/kdc_preauth.c (check_padata) * kdc/do_as_req.c (process_as_req): * kdc/main.c (init_realm): * kadmin/server/ovsec_kadmd.c (main, do_schpw): * schpw.c (process_chpw_request): * kadmin/server/server_stubs.c: * kadmin/cli/kadmin.c (extended_com_err_fn): New function. (kadmin_startup): Tell com_err library to use it, for kadmin.local. * lib/kdb/libkdb5.exports: Don't export krb5_db_clr_error. * lib/kdb/Makefile.in: (SRCS, STLIBOBJS): Don't build err_handle.c. * lib/kdb/kdb5.c (kdb_load_library): Don't pass argument to init_library. (krb5_db_clr_error): Function deleted. * lib/kdb/kdb5.h (struct _kdb_vftabl): Remove argument from init_library field. * lib/kadm5/logger.c (krb5_klog_init): Save the krb5_context pointer. (klog_com_err_proc): Use it, and call new error-message API. * lib/kadm5/srv/svr_principal.c: Use new error-message API. * kadmin/dbutil/kdb5_util.c (extended_com_err_fn): New function. (main): Tell com_err library to use it. * plugins/kdb/db2: Use new error-message APIs and updated DAL interface. * lib/kadm5/kadm_rpc.h: Delete err_str fields. * lib/kadm5/kadm_rpc_xdr.c: Don't process them. * kadmin/server/server_stubs.c: Don't use ret.err_str field. * include/k5-thread.h (k5_key_t): Deleted unused values. * lib/kdb/kdb5.h (KDB_MODULE_SECTION): Change db_modules to dbmodules. (KDB_MODULE_DEF_SECTION): New macro. * tests/Makefile.in (krb5.conf): Rename db_modules to dbmodules. * tests/dejagnu/config/default.exp (setup_krb5_conf): Likewise. * kadmin/testing/proto/krb5.conf.proto: Likewise. * lib/kdb/libkdb5.exports: Do export krb5_def_store_mkey. * lib/kadm5/admin.h (KADM5_CPW_FUNCTION, KADM5_RANDKEY_USED): New macros. (struct _kadm5_config_params): New field kpasswd_server. * lib/krb5/error_tables/kdb5_err.et (KRB5_KDB_SERVER_INTERNAL_ERR): New error code. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17899 dc483132-0cff-0310-8789-dd5450dbe970
* Instead of arbitrary division of headers into include and include/krb5, withKen Raeburn2006-03-111-1/+1
| | | | | | | | | | | | include directives sometimes using krb5/foo.h and sometimes using foo.h, and -I options always given for both directories in both source and build trees, push include/krb5/* up a level and drop the krb5 directory (except, for the moment, the change log). Updated #include directives, -I options, and dependencies accordingly, and deleted one or two bits of old, unused code that was noticed in the process. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17730 dc483132-0cff-0310-8789-dd5450dbe970
* * misc.h, misc.c (schpw_util_wrapper): Rename fromTom Yu2005-10-121-2/+2
| | | | | | | | | | | | | | | | | | | chpass_util_wrapper to make functionality a little more obvious. * schpw.c (process_chpw_request): Update for rename of chpass_util_wrapper. * misc.c (randkey_principal_wrapper_3, schpw_util_wrapper) (chpass_principal_wrapper_3): Update for check_min_life. * misc.h, misc.c (check_min_life): Change to take return error string from KADM5_PASS_TOOSOON, adapted from patch from Shawn Emery. ticket: 3092 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17417 dc483132-0cff-0310-8789-dd5450dbe970
* Delete definitions of unused macros NEED_SOCKETS and NEED_LOWLEVEL_IOKen Raeburn2005-04-131-1/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17177 dc483132-0cff-0310-8789-dd5450dbe970
* * misc.c, misc.h: New function check_min_life(), containing commonTom Yu2004-10-271-2/+2
| | | | | | | | | | | | | code from wrapper functions. New function chpass_util_wrapper(), which does min_life checking prior to calling kadm5_chpass_principal_util(). * schpw.c (process_chpw_request): Call chpass_util_wrapper(). ticket: 1335 component: krb5-admin git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16841 dc483132-0cff-0310-8789-dd5450dbe970
* * schpw.c (process_chpw_request): Log chpw requestsTom Yu2003-05-271-1/+14
| | | | | | | | ticket: 1519 tags: pullup status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15502 dc483132-0cff-0310-8789-dd5450dbe970
* * schpw.c (process_chpw_request): Return KRB5_KPASSWD_BAD_VERSION if theKen Raeburn2003-05-171-1/+1
| | | | | | | | | version number isn't 1. ticket: 1441 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15456 dc483132-0cff-0310-8789-dd5450dbe970
* * schpw.c (process_chpw_request): Use GETSOCKNAME_ARG3_TYPEEzra Peisach2001-10-261-1/+5
| | | | | | instead of int as argument to getsockname(). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13862 dc483132-0cff-0310-8789-dd5450dbe970
* * misc.c, server_stubs.c: Nuke rcsidEzra Peisach2001-07-011-0/+2
| | | | | | | | | | | * misc.h: Add prototypes for kadm_1 and process_chpw_request. * ovsec_kadmd.c: Include misc.h and remove prototype for process_chpw_request and kadm_1. * kadm_rpc_svc.c, schpw.c: Include misc.h for prototypes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13537 dc483132-0cff-0310-8789-dd5450dbe970
* * ovsec_kadmd.c: Change prototype for process_chpw_requestEzra Peisach2001-06-221-4/+5
| | | | | | | | | prototype argument from sin to sockin. Get rid of global params variable. * schpw.c: Change function declaration as well. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13489 dc483132-0cff-0310-8789-dd5450dbe970
* * misc.c, schpw.c: Cleanup assignments in conditionalsEzra Peisach2001-06-041-17/+28
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13268 dc483132-0cff-0310-8789-dd5450dbe970
* pullup from 1.2-beta4Ken Raeburn2000-07-011-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12497 dc483132-0cff-0310-8789-dd5450dbe970
* * schpw.c (process_chpw_request): Cast to krb5_octet * instead ofEzra Peisach1998-07-201-3/+3
| | | | | | | | char * for krb5_address.contents type. This is a char * to unsigned char * warning fix. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10711 dc483132-0cff-0310-8789-dd5450dbe970
* * schpw.c (process_chpw_request): Free memory of allocated forEzra Peisach1998-02-251-0/+4
| | | | | | | | | local address. * ovsec_kadmd.c (do_schpw): Call krb5_kt_close to free memory allocated in keytab routines. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10474 dc483132-0cff-0310-8789-dd5450dbe970
* * schpw.c: New file. Support for Cygnus chpw.Tom Yu1998-01-211-0/+372
[oops forgot this earlier] git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10359 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-26 12:31:47 +0000