summaryrefslogtreecommitdiffstats
path: root/src/lib/kadm5
Commit message (Collapse)AuthorAgeFilesLines
...
* Two problems in kadm5_get_principal mask handlingGreg Hudson2010-02-241-6/+8
| | | | | | | | | | | | KADM5_MOD_NAME was being applied to entry->principal instead of entry->mod_name. KADM5_MKVNO was not being applied to entry->mkvno. Patch from Marcus Watts <mdw@umich.edu>. ticket: 6668 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23749 dc483132-0cff-0310-8789-dd5450dbe970
* Minimal support for updating history keyGreg Hudson2010-02-115-131/+113
| | | | | | | | | | | | | | | | | | Add minimal support for re-randomizing the history key: * cpw -randkey kadmin/history now works, but creates only one key. * cpw -randkey -keepold kadmin/history still fails. * libkadm5 no longer caches the history key. Performance impact is minimal since password changes are not common. * randkey no longer checks the newly randomized key against old keys, and the disabled code to do so in setkey/setv4key is gone, so now only kadm5_chpass_principal_3 accesses the password history. ticket: 6660 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23716 dc483132-0cff-0310-8789-dd5450dbe970
* Handle migration from pre-1.7 databases with master key kvno != 1Greg Hudson2010-01-281-1/+2
| | | | | | | | | | | | | | | | | | | | krb5_dbe_lookup_mkvno assumes an mkvno of 1 for entries with no explicit tl_data. We've seen at least one pre-1.7 KDB with a master kvno of 0, violating this assumption. Fix this as follows: * krb5_dbe_lookup_mkvno outputs 0 instead of 1 if no tl_data exists. * A new function krb5_dbe_get_mkvno translates this 0 value to the minimum version number in the mkey_list. (krb5_dbe_lookup_mkvno cannot do this as it doesn't take the mkey_list as a parameter.) * Call sites to krb5_dbe_lookup_mkvno are converted to krb5_dbe_get_mkvno, except for an LDAP case where it is acceptable to store 0 if the mkvno is unknown. ticket: 6650 target_version: 1.7.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23676 dc483132-0cff-0310-8789-dd5450dbe970
* Change basename of libkadm5 libraries to avoid Heimdal conflictGreg Hudson2010-01-194-2/+12
| | | | | | ticket: 6644 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23662 dc483132-0cff-0310-8789-dd5450dbe970
* Make history key exempt from permitted_enctypesGreg Hudson2010-01-141-7/+7
| | | | | | | | | | | | In kdb_init_hist, just use the first key entry in the kadmin/history entry. This makes the history key work even if the enctype is disallowed by allow_weak_crypto=false or other configuration. ticket: 6640 tags: pullup target_version: 1.8 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23657 dc483132-0cff-0310-8789-dd5450dbe970
* Restore interoperability with 1.6 addprinc -randkeyGreg Hudson2010-01-081-0/+28
| | | | | | | | | | | | | The arcfour string-to-key operation in krb5 1.7 (or later) disagrees with the dummy password used by the addprinc -randkey operation in krb5 1.6's kadmin client, because it's not valid UTF-8. Recognize the 1.6 dummy password and use a random password instead. ticket: 6626 tags: pullup target_version: 1.8 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23610 dc483132-0cff-0310-8789-dd5450dbe970
* When retrieving the kadmin/history key, accept any enctype, as theGreg Hudson2010-01-071-2/+2
| | | | | | | | | | current master key enctype may not match the one the KDB was created with. ticket: 6546 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23607 dc483132-0cff-0310-8789-dd5450dbe970
* MITKRB5-SA-2009-003 CVE-2009-3295 KDC null deref in referralsTom Yu2009-12-291-0/+3
| | | | | | | | | | | | | On certain error conditions, prep_reprocess_req() calls kdc_err() with a null pointer as the format string, causing a null dereference and denial of service. Legitimate protocol requests can trigger this problem. ticket: 6608 tags: pullup target_version: 1.7.1 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23533 dc483132-0cff-0310-8789-dd5450dbe970
* Whitespace fixes for new anonymous supportGreg Hudson2009-12-281-2/+3
| | | | | | ticket: 6607 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23528 dc483132-0cff-0310-8789-dd5450dbe970
* Anonymous support for KerberosSam Hartman2009-12-285-22/+60
| | | | | | | | | | | | | | | | | | | | | | This ticket implements Project/Anonymous pkinit from k5wiki. Provides support for completely anonymous principals and untested client support for realm-exposed anonymous authentication. * Introduce kinit -n * Introduce kadmin -n * krb5_get_init_creds_opt_set_out_ccache aliases the supplied ccache * No longer generate ad-initial-verified-cas in pkinit * Fix pkinit interactions with non-TGT authentication Merge remote branch 'anonymous' into trunk Conflicts: src/lib/krb5/krb/gic_opt.c ticket: 6607 Tags: enhancement git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23527 dc483132-0cff-0310-8789-dd5450dbe970
* Check return value of gethostname in krb5_klog_initGreg Hudson2009-11-231-2/+5
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23313 dc483132-0cff-0310-8789-dd5450dbe970
* Consolidate Makefile variables now that we have only a single globalGreg Hudson2009-11-228-273/+271
| | | | | | | | | | | | | configure script: $(SRCTOP) --> $(top_srcdir) $(srcdir)/$(thisconfigdir) --> $(top_srcdir) $(thisconfigdir) --> $(BUILDTOP) $(myfulldir) --> $(mydir) ticket: 6583 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23308 dc483132-0cff-0310-8789-dd5450dbe970
* In _kadm5_init_any on error - if we created a cache entry, destroy itEzra Peisach2009-11-221-0/+8
| | | | | | (parallel to kadm5_destroy code). Also - free config_params. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23300 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up some memory leaks by releasing contextEzra Peisach2009-11-222-1/+5
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23299 dc483132-0cff-0310-8789-dd5450dbe970
* Memory leak in _kadm5_init_any introduced with ipropdEzra Peisach2009-11-211-0/+2
| | | | | | | | Fix minor memory leak introduced by the ipropd integration. ticket: 6582 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23296 dc483132-0cff-0310-8789-dd5450dbe970
* Correct argument to kadm5_get_principal is a pointer to a struct - notEzra Peisach2009-11-201-2/+6
| | | | | | | | | a pointer to a pointer.... Does not really matter as the field is not used - this test program expects a failer. Clean up memory leaks by freeing principal and releasing context. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23295 dc483132-0cff-0310-8789-dd5450dbe970
* The size of kadm5_server_handle_rec differs between the client andEzra Peisach2009-11-202-4/+11
| | | | | | | server code. Valgrind picked up on access past end of allocated structure. Include proper internal header in client/server test. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23294 dc483132-0cff-0310-8789-dd5450dbe970
* minor reindentZhanna Tsitkov2009-11-181-24/+16
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23286 dc483132-0cff-0310-8789-dd5450dbe970
* Reindent and manually restore some BSD-style files that wereTom Yu2009-11-045-256/+259
| | | | | | previously incorrectly marked as krb5-style. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23126 dc483132-0cff-0310-8789-dd5450dbe970
* Reindent after making fixes for emacs-23Tom Yu2009-11-031-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23123 dc483132-0cff-0310-8789-dd5450dbe970
* make mark-cstyleTom Yu2009-10-3137-5953/+5972
| | | | | | make reindent git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
* Rename api.3 to api.current in the libkadm5 unit tests. This way theGreg Hudson2009-10-2917-0/+0
| | | | | | | main body of tests won't have to be moved every time the current API version of libkadm5 changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23087 dc483132-0cff-0310-8789-dd5450dbe970
* Heimdal DB bridge plugin for KDC back endGreg Hudson2009-10-271-1/+3
| | | | | | | | | Merge Luke's users/lhoward/heimmig branch to trunk. Implements a KDC back-end plugin which interfaces to a Heimdal HDB plugin. ticket: 6578 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23073 dc483132-0cff-0310-8789-dd5450dbe970
* Remove the libkadm5 api.2 unit tests which don't pertain to the cpol,Greg Hudson2009-10-2614-6600/+0
| | | | | | mpol, or gpol operations. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23043 dc483132-0cff-0310-8789-dd5450dbe970
* Account lockoutGreg Hudson2009-10-2535-36/+8672
| | | | | | | | | | | | Merge Luke's users/lhoward/lockout2 branch to trunk. Implements account lockout policies for preauth-using principals using existing principal metadata fields and new policy fields. The kadmin API version is bumped from 2 to 3 to compatibly extend the policy_ent_rec structure. ticket: 6577 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23038 dc483132-0cff-0310-8789-dd5450dbe970
* Remove adb.h as it is not used in the source treeEzra Peisach2009-10-181-134/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22911 dc483132-0cff-0310-8789-dd5450dbe970
* Move destest to builtin/des, because it depends on overriding someTom Yu2009-10-104-29/+38
| | | | | | | | internals. Make depend. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22877 dc483132-0cff-0310-8789-dd5450dbe970
* Fix kadm5 unit test modified in r22782Greg Hudson2009-09-241-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22784 dc483132-0cff-0310-8789-dd5450dbe970
* Improve the mechanism used for addprinc -randkey. In the kadminGreg Hudson2009-09-212-13/+24
| | | | | | | | server, if the password is null when creating a principal, treat that as a request for a random key. In the kadmin client, try using the new method for random key creation and then fall back to the old one. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22782 dc483132-0cff-0310-8789-dd5450dbe970
* Re-run make depend without autoconf.h in the source treeGreg Hudson2009-09-164-116/+109
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22775 dc483132-0cff-0310-8789-dd5450dbe970
* Crypto modularity proj.: Move prf and random-to-key ops from backend to krbZhanna Tsitkov2009-09-164-109/+116
| | | | | | bigredbutton: whitespace git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22769 dc483132-0cff-0310-8789-dd5450dbe970
* Implement s4u extensionsGreg Hudson2009-09-131-3/+9
| | | | | | | | | Merge Luke's users/lhoward/s4u branch to trunk. Implements S4U2Self and S4U2Proxy extensions. ticket: 6563 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22736 dc483132-0cff-0310-8789-dd5450dbe970
* use perror instead of error in kadm5 test suiteTom Yu2009-08-282-39/+39
| | | | | | | | | | | Use "perror" instead of "error" to ensure that framework error conditions actually cause "make check" to report failure. ticket: 6553 target_version: 1.7.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22648 dc483132-0cff-0310-8789-dd5450dbe970
* Update a kadm5 testing library function which was callingGreg Hudson2009-08-281-1/+2
| | | | | | | | | | kadm5_get_principal without a mask argment. This was causing many lib/kadm5 tests to fail, but the failures weren't being recorded properly, so "make check" was still exiting successfully. ticket: 6544 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22646 dc483132-0cff-0310-8789-dd5450dbe970
* update dependenciesKen Raeburn2009-08-211-10/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22571 dc483132-0cff-0310-8789-dd5450dbe970
* Bump sonames of libkadm5 libraries, since r22527 changed their ABIsGreg Hudson2009-08-172-2/+2
| | | | | | ticket: 6547 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22528 dc483132-0cff-0310-8789-dd5450dbe970
* Modify kadm5 initializers to accept krb5 contextsGreg Hudson2009-08-179-54/+65
| | | | | | | | | | Add krb5_context parameters to all kadm5 initialization functions. This allows extended error information to be retrieved by the caller when an error is returned. ticket: 6547 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22527 dc483132-0cff-0310-8789-dd5450dbe970
* Remove unused variables resulting from r22521, and also remove theGreg Hudson2009-08-173-38/+0
| | | | | | | | unused file svr_misc_free.c. ticket: 6544 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22523 dc483132-0cff-0310-8789-dd5450dbe970
* Remove kadmin v1 API supportGreg Hudson2009-08-1341-9403/+261
| | | | | | | | | | | | | | | The kadmin v1 API and the even older ovsec_kadm_* API were legacy when kadmin was first incorporated in 1996, and compatibility with them is no longer believed to be necessary. The uninstalled kadmin/passwd has been removed (since it used the ovsec API). The test suite has been updated to use the v2 API where appropriate, and the parts specifically designed to test the old API have been excised. ticket: 6544 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22521 dc483132-0cff-0310-8789-dd5450dbe970
* Convert all uses of strtok() in libraries to strtok_r() for threadGreg Hudson2009-08-101-3/+4
| | | | | | safety. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22513 dc483132-0cff-0310-8789-dd5450dbe970
* Get "make depend" to work in an unbuilt source tree, since bad depsGreg Hudson2009-08-033-0/+6
| | | | | | | | files can make it difficult to build the tree. To do this, make the depends target depend on generated header files and on header file copies or links into the main include directory. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22486 dc483132-0cff-0310-8789-dd5450dbe970
* Don't build the kadm5/unit-test test programs during "make all"; buildGreg Hudson2009-06-081-4/+0
| | | | | | | | them during "make check" via test dependencies for consistency with the way we handle other test programs. (Also means we don't need libraries to be linkable until later in the build process.) git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22404 dc483132-0cff-0310-8789-dd5450dbe970
* kadmind is parsing acls good deref NULL pointer on errorEzra Peisach2009-06-061-13/+17
| | | | | | | | | | | | In kadm5int_acl_parse_line, if you setup an acl w/ restrictions (i.e. the four argument acl format) - but have an error parsing the first few fields, acle is NULLed out, and is then derefed. This adds a conditional and indents according to the krb5 c-style... ticket: 6509 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22403 dc483132-0cff-0310-8789-dd5450dbe970
* kadm5int_acl_parse_restrictions could ref uninitialized variableEzra Peisach2009-06-061-1/+1
| | | | | | | | | | The variable sp is never initialized. If the first argument to the function is null, the code falls through to freeing sp if valid. However, sp is never set. ticket: 6508 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22402 dc483132-0cff-0310-8789-dd5450dbe970
* Allow more than 10 past keys to be stored by a policyGreg Hudson2009-05-073-75/+2
| | | | | | | | | | | Remove the arbitrary limit of 10 past keys in policies. We were not taking advantage of that limit in any other code. ticket: 6482 target_version: 1.7 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22323 dc483132-0cff-0310-8789-dd5450dbe970
* Move KRB5_KDB_OK_AS_DELEGATE from kdb_ext.h to kdb.h. Add kadminGreg Hudson2009-04-271-0/+3
| | | | | | | | | | | support for the flag. In the KDC, remove the restriction on returning the flag on cross-realm TGTs since there is now a defined meaning for that (it allows ok-as-delegate to be honored on the foreign realm's service tickets). ticket: 5596 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22281 dc483132-0cff-0310-8789-dd5450dbe970
* make installed headers C++-safeKen Raeburn2009-04-251-0/+14
| | | | | | | | | | | | Now that we're installing the kadm5 headers, they should be C++-safe like the others. Wrap the content in 'extern "C"' if compiling as C++. New test program to verify. ticket: 6477 target_version: 1.7 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22280 dc483132-0cff-0310-8789-dd5450dbe970
* Install kadmin and kdb headersGreg Hudson2009-03-202-0/+16
| | | | | | | | | | | | | | Add disclaimers to the kadmin and kdb headers about the weaker stability commitments we make for their APIs, and install them for the benefit of users who can tolerate such instability. (The kadmin interface is the real goal here, but the kadmin header includes kdb.h so we need to install both.) ticket: 6431 tags: pullup target_version: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22112 dc483132-0cff-0310-8789-dd5450dbe970
* Do not assume sizeof(bool_t) == sizeof(krb5_boolean)Ezra Peisach2009-02-061-3/+26
| | | | | | | | | | | | | bool_t is defined as int, krb5_boolean as unsigned int. These are similar size but someone someday might change the krb5_boolean. Instead of passing a krb5_boolean * to xdr_bool, implement xdr_krb5_boolean which keeps the different types separate. This cleans up a number of warnings. ticket: 6374 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21906 dc483132-0cff-0310-8789-dd5450dbe970
* include omitted system header string.hKen Raeburn2009-02-051-0/+1
| | | | | | | | | | | Sun cc warns about some of the string functions being undeclared in several source files. So, include string.h there. ticket: 6365 target_version: 1.7 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21889 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-27 01:19:10 +0000