summaryrefslogtreecommitdiffstats
path: root/src/lib/krb5
Commit message (Collapse)AuthorAgeFilesLines
...
* Fix cross-realm traversal TGT requestsGreg Hudson2011-09-011-1/+1
| | | | | | | | | | | | When requesting a cross-realm TGT, use the KDC instance of the current TGT (the second data component), not the realm which the TGT came from. ticket: 6952 target_version: 1.9.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25121 dc483132-0cff-0310-8789-dd5450dbe970
* Fix connection termination bug in sendto_kdcGreg Hudson2011-09-011-4/+4
| | | | | | | | | | | When terminating a connection, close and invalidate conn->fd so that we don't look for it in selstate on the next select or poll invocation. Looking for such an fd is harmless when using select, but results in an assertion failure when using poll. ticket: 6951 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25120 dc483132-0cff-0310-8789-dd5450dbe970
* Fix signed/unsigned warnings in testsEzra Peisach2011-08-242-2/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25113 dc483132-0cff-0310-8789-dd5450dbe970
* Remove setting a variable that is never usedEzra Peisach2011-08-191-14/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25106 dc483132-0cff-0310-8789-dd5450dbe970
* Fix rare duplicate time issue On systems with imprecise clocksSam Hartman2011-08-091-5/+18
| | | | | | | | | | | | (e.g. windows), there was as issue where microsecond rollover could conceivably cause the same time to be reported twice. Also document potential performance improvement by using thread-local storage for last_time and eliminating the mutex. Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> Signed-off-by: Sam Hartman <hartmans@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25088 dc483132-0cff-0310-8789-dd5450dbe970
* Use portable path functions when loading pluginsGreg Hudson2011-08-071-30/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25075 dc483132-0cff-0310-8789-dd5450dbe970
* For GCC compiles, use an attribute to suppress the variable set butEzra Peisach2011-07-264-22/+34
| | | | | | | | | not used warnings. Due to the nested macros, it would get very ugly to try and remove the variables. Removes ~75 warnings from the build. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25054 dc483132-0cff-0310-8789-dd5450dbe970
* Remove t_vfyincreds on make cleanEzra Peisach2011-07-261-2/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25053 dc483132-0cff-0310-8789-dd5450dbe970
* Remove declaration of static function that no longer existsEzra Peisach2011-07-251-3/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25052 dc483132-0cff-0310-8789-dd5450dbe970
* PAC_CLIENT_INFO principal names do not contain a realm, so parse themGreg Hudson2011-07-251-1/+2
| | | | | | | | | | with the KRB5_PRINCIPAL_PARSE_NO_REALM flag. Otherwise we'll wind up using the default realm (and then ignoring it) which fails if one isn't configured. ticket: 6934 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25050 dc483132-0cff-0310-8789-dd5450dbe970
* In rare circumstances, such as checksum errors, some network stacksGreg Hudson2011-07-251-5/+4
| | | | | | | | | | | | | can flag an fd for reading in select() and still block when the fd is read. Set all sockets non-blocking to prevent hangs when this occurs. (We don't actually handle the resulting EWOULDBLOCK or EAGAIN errors, so the rare cases will appear as communication failures and we will close the socket. This is already the case for TCP sockets and probably isn't a big deal.) ticket: 6933 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25048 dc483132-0cff-0310-8789-dd5450dbe970
* Fix build without KRB5_DNS_LOOKUPGreg Hudson2011-07-251-2/+2
| | | | | | | | | | | | | Define MAX_DNS_NAMELEN unconditionally in k5-int.h as we use it unconditionally in kdc_util.c. Don't define it in locate_kdc.c. Conditionalize dns_locate_server() in locate_kdc.c as its only call site (in k5_locate_server) and its helper function (locate_srv_dns_1) are conditional. From Chris Hecker with minor changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25042 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up a number of variables set but not used warningsEzra Peisach2011-07-243-10/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25041 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_init_context_profile APIGreg Hudson2011-07-203-21/+27
| | | | | | ticket: 6929 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25026 dc483132-0cff-0310-8789-dd5450dbe970
* Add support for loadable profile modulesGreg Hudson2011-07-201-3/+4
| | | | | | ticket: 6929 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25025 dc483132-0cff-0310-8789-dd5450dbe970
* make dependEzra Peisach2011-07-012-10/+22
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25007 dc483132-0cff-0310-8789-dd5450dbe970
* Don't destroy dst on error in krb5_cc_moveGreg Hudson2011-06-231-2/+0
| | | | | | | | Although destroying any partial contents of dst on error isn't a bad idea, invalidating the handle would be an incompatible change. So revert that part of r24754. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24988 dc483132-0cff-0310-8789-dd5450dbe970
* Fix memory leak introduced in r24969Greg Hudson2011-06-231-0/+1
| | | | | | | The new context field plugin_base_dir wasn't being freed on context deletion. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24985 dc483132-0cff-0310-8789-dd5450dbe970
* Use AI_ADDRCONFIG for more efficient getaddrinfoGreg Hudson2011-06-233-3/+4
| | | | | | | | | | | | | | | Add AI_ADDRCONFIG to the hint flags for every invocation of getaddrinfo which wasn't already using it. This is often the default behavior when no hints are specified, but we tend to specify hints a lot, so we have to say it ourselves. AI_ADDRCONFIG causes AAAA lookups to be skipped if the system has no public IPv6 interface addresses, usually saving a couple of DNS queries per getaddrinfo call and allowing DNS caching to be much more effective without the need for negative caching. ticket: 6923 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24978 dc483132-0cff-0310-8789-dd5450dbe970
* Work around glibc getaddrinfo PTR lookupsGreg Hudson2011-06-231-8/+1
| | | | | | | | | | | | | | | | | | | In krb5_sname_to_principal(), we always do a forward canonicalization using getaddrinfo() with AI_CANONNAME set. Then, we do a reverse canonicalization with getnameinfo() if rdns isn't set to false in libdefaults. Current glibc (tested with eglibc 2.11.1) has the arguably buggy behavior of doing PTR lookups in getaddrinfo() to get the canonical name, if hints.ai_family is set to something other than AF_UNSPEC. This behavior defeats the ability to turn off rdns. Work around this behavior by using AF_UNSPEC in krb5_sname_to_principal() from the start, instead of starting with AF_INET and falling back. Specify AI_ADDRCONFIG to avoid AAAA lookups on hosts with no IPv6 addresses. ticket: 6922 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24977 dc483132-0cff-0310-8789-dd5450dbe970
* Convert preauth_plugin.h to new plugin frameworkGreg Hudson2011-06-178-242/+220
| | | | | | | | | | | | | | | | | | | | | | | | The preauth plugin interface was introduced in 1.6 but was never made a public API. In preparation for making it public in 1.10, convert it to use the new plugin framework. This will require changes to any existing preauth plugins. A number of symbols were renamed for namespace cleanliness, and abstract types were introduced for module data and module per-request data for better type safety. On the consumer end (preauth2.c and kdc_preauth.c), this is a pretty rough conversion. Eventually we should create proper consumer APIs with module handles, and the flat lists of preauth types should hold pointers to module handles rather than copies of the vtables. The built-in preauth type handlers should then be converted to built-in module providers linked into the consumer code (as should encrypted challenge, since it has no external dependencies). None of this will impact the provider API for preauth plugins, so it can wait. ticket: 6921 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24970 dc483132-0cff-0310-8789-dd5450dbe970
* Add k5_plugin_register_dyn internal APIGreg Hudson2011-06-173-27/+68
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24969 dc483132-0cff-0310-8789-dd5450dbe970
* Mark up strings for translationGreg Hudson2011-06-1016-86/+94
| | | | | | ticket: 6918 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970
* Add localization infrastructureGreg Hudson2011-06-102-1/+3
| | | | | | | | | Adds build system logic, translation macros in k5-platform.h, and bindtextdomain calls in libkrb5 initialization. ticket: 6918 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24959 dc483132-0cff-0310-8789-dd5450dbe970
* Restore fallback non-referral TGS request to same realmGreg Hudson2011-06-031-12/+10
| | | | | | | | | | | | | | | MIT krb5 1.2 and earlier KDCs reject TGS requests if the canonicalize bit is set. Prior to 1.9, we used to handle this by making a non-referral fallback request on any error, but the rewrite in 1.9 mistakenly changed the behavior so that fallback requests are only made if the original request used the referral realm and the fallback realm is different from the default realm. Restore the old behavior. ticket: 6917 target_version: 1.9.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24946 dc483132-0cff-0310-8789-dd5450dbe970
* Restore krb5_get_credentials caching for referral requestsGreg Hudson2011-05-261-0/+5
| | | | | | | | | | | | | | | The krb5_get_credentials() rewrite for IAKERB accidentally omitted the final step of restoring the requested realm in the output credentials. As a result, referral entries are not cached, and the caller sees the actual realm in (*out_creds)->server instead of the referral realm as before. Fix this in complete() by swapping ctx->req_server into ctx->reply_creds->server. ticket: 6916 target_version: 1.9.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24945 dc483132-0cff-0310-8789-dd5450dbe970
* In mk_rd_cred if recv_subkey in the authentication context is NULL and the ↵Zhanna Tsitkov2011-05-161-23/+42
| | | | | | decryption with the session key fails, do not try to decrypt the message with the session key again. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24934 dc483132-0cff-0310-8789-dd5450dbe970
* Use hmac-md5 checksum for PA-FOR-USER padataGreg Hudson2011-05-141-8/+2
| | | | | | | | | | | | | | The MS-S4U documentation specifies that hmac-md5 be used for PA-FOR-USER checksums; we were using the mandatory checksum type for the key. Although some other checksum types appear to be allowed by Active Directory KDCs, Richard Silverman reports that md5-des is not one of them, causing S4U2Self requests to fail for DES keys. ticket: 6912 target_version: 1.9.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24929 dc483132-0cff-0310-8789-dd5450dbe970
* Updated documentation for PAC API. Moved PAC type definitions into krb5.hinZhanna Tsitkov2011-05-131-8/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24928 dc483132-0cff-0310-8789-dd5450dbe970
* fix regression in r24853: PAC no longer exposedLuke Howard2011-05-091-1/+1
| | | | | | | | Windows PAC is not AD-KDCIssued, rather it is signed with the long-term service session key (or user-to-user key). Advertise this correctly in the internal authorization data SPI. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24922 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate a redundant initialization in cm_init_selstate() inGreg Hudson2011-05-031-1/+0
| | | | | | sendto_kdc.c. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24911 dc483132-0cff-0310-8789-dd5450dbe970
* Add poll support to sendto_kdc.c so that it can work in processes withGreg Hudson2011-05-024-131/+262
| | | | | | | | | | large numbers of open files. Move krb5int_cm_call_select() to a separate file so that the poll support doesn't interfere with net-server.c's continuing use of select. ticket: 6905 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24908 dc483132-0cff-0310-8789-dd5450dbe970
* Properly release resources in krb5_copy_authenticator()Zhanna Tsitkov2011-04-281-3/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24904 dc483132-0cff-0310-8789-dd5450dbe970
* Make krb5_os_init_context compile again after r24901Greg Hudson2011-04-271-11/+9
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24902 dc483132-0cff-0310-8789-dd5450dbe970
* Remove worthless call to krb5_cc_set_default_name in krb5_os_init_contextZhanna Tsitkov2011-04-271-3/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24901 dc483132-0cff-0310-8789-dd5450dbe970
* Refactor krb5int_rd_chpw_rep() and make it properly handle both framedGreg Hudson2011-04-253-349/+165
| | | | | | | | | | and unframed KRB-ERROR messages. Eliminate krb5int_rd_setpw_rep() and krb5int_setpw_result_code_string() by making the chpw versions of those functions handle RFC 3244 replies. ticket: 6893 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24899 dc483132-0cff-0310-8789-dd5450dbe970
* Documentation updates. Mostly GIC relatedZhanna Tsitkov2011-04-121-9/+4
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24875 dc483132-0cff-0310-8789-dd5450dbe970
* Correctly recognize non-iterable keytabs in k5_kt_get_principal()Greg Hudson2011-04-081-1/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24860 dc483132-0cff-0310-8789-dd5450dbe970
* Add k5_kt_get_principal, an internal krb5 interface to try to get aGreg Hudson2011-04-083-23/+35
| | | | | | | | principal name from a keytab. Used currently by vfy_increds.c (in place of its static helper); will also be used when querying the name of the default gss-krb5 acceptor cred. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24859 dc483132-0cff-0310-8789-dd5450dbe970
* In the authdata framework, determine which authdata sources to queryGreg Hudson2011-04-071-3/+18
| | | | | | | based on the module's usage flags. From r24794 in users/lhoward/moonshot-mechglue-fixes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24853 dc483132-0cff-0310-8789-dd5450dbe970
* Make dependGreg Hudson2011-04-051-2/+14
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24844 dc483132-0cff-0310-8789-dd5450dbe970
* Include krb5_libinit.h always, since we call krb5int_initialize_library alwaysKen Raeburn2011-04-031-3/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24828 dc483132-0cff-0310-8789-dd5450dbe970
* Factor out the address checks in krb5_rd_safe and krb5_rd_priv intoGreg Hudson2011-04-024-171/+105
| | | | | | a new function k5_privsafe_check_addrs. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24806 dc483132-0cff-0310-8789-dd5450dbe970
* In libkrb5, move krb5int_auth_con_chkseqnum to a new file privsafe.c,Greg Hudson2011-04-026-170/+203
| | | | | | | renamed to k5_privsafe_check_seqnum. Declare it in int-proto.h rather than k5-int.h. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24805 dc483132-0cff-0310-8789-dd5450dbe970
* When doing S4U2Self for the anon principal, use the server realmLuke Howard2011-04-021-4/+12
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24793 dc483132-0cff-0310-8789-dd5450dbe970
* s4u2proxy_set_attribute should only return EPERM for its own attributeLuke Howard2011-04-011-8/+2
| | | | | | Failure to do this breaks other attribute providers' set_attribute() git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24775 dc483132-0cff-0310-8789-dd5450dbe970
* In krb5_cc_move if something went wrong, free the dst credential cacheZhanna Tsitkov2011-03-291-2/+8
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24754 dc483132-0cff-0310-8789-dd5450dbe970
* If the new configuration data that is passed to krb5_cc_set_config is NULL, ↵Zhanna Tsitkov2011-03-291-45/+51
| | | | | | | | just remove the old configuration. Moved short krb5_cc_set_config usage example from krb5.hin into the separate file. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24753 dc483132-0cff-0310-8789-dd5450dbe970
* Static function names should not have krb5_ prefixZhanna Tsitkov2011-03-291-12/+14
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24751 dc483132-0cff-0310-8789-dd5450dbe970
* Use first principal in keytab when verifying credsGreg Hudson2011-03-284-25/+171
| | | | | | | | | | In krb5_verify_init_creds(), use the first principal in the keytab to verify the credentials instead of the result of krb5_sname_to_principal(). Also add tests. ticket: 6887 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24749 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-27 15:41:54 +0000