| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
Make the default_keytab_name and default_client_keytab_name variables
subject to parameter expansion.
ticket: 7219 (new)
|
| |
|
|
|
|
|
|
| |
Add an adapted version of Heimdal's expand_path.c, defining
k5_expand_path_tokens() and k5_expand_path_tokens_extra(). These
functions allow template paths like %{TEMP}/krb5cc_%{uid} to be
resolved. Also add a test program to exercise the path expansion
code.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Add new APIs gss_acquire_cred_from, gss_add_cred_from, and
gss_store_cred_into, which take additional argments to specify the
location of the credential storage using a key-value map, where keys
are interpreted by the mechanisms.
ticket: 7217 (new)
|
| |
|
|
|
| |
In the end the internal one is called in all cases, but it seem
cleaner to use the internal one instead of relying on the redirection.
|
| |
|
|
| |
The code that used it is no longer in this file.
|
| |
|
|
|
|
|
|
|
| |
Don't treat an error returned by krb5_parse_name as a cc-internal error.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7214 (new)
tags: pullup
|
| |
|
|
|
|
|
|
| |
cc_name needs to be freed in krb5_lcc_close().
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7213
|
| |
|
|
|
|
|
|
| |
Include ntstatus.h and define WIN32_NO_STATUS before including winnt.h
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7213
|
| |
|
|
|
|
|
|
|
| |
Also implement switch_to stub
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7213 (new)
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
Also change parameter types to eliminate casts.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7212 (new)
tags: pullup
|
| |
|
|
|
|
|
|
| |
Easier to disable for testing.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7211 (new)
|
| |
|
|
|
|
| |
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7209
|
| |
|
|
|
|
|
|
|
| |
USE_CCAPI_V3 provides cccol iteration support for ccapi.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7209 (new)
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
For MSVC compatibility
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7208 (new)
tags: pullup
|
| |
|
|
|
|
|
| |
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7207 (new)
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
MSVC memory tracking tools do '#define free(p) _dbg_free(...)'.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7205 (new)
tags: pullup
|
| |
|
|
|
|
| |
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7203 (new)
tags: pullup
|
| |
|
|
|
| |
The most recent change could leak memory when trying to parse an
invalid principal because of a failure to use the cleanup handler.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Set the default credential cache name for all processes for the current
user. Currently implemented, for windows only, by setting
HKEY_CURRENT_USER\Software\MIT\Kerberos5:ccname to the specified
ccache name. This will not override the environment variable 'KRB5CCNAME'.
It will override HKEY_LOCAL_MACHINE and 'indirect' registry values.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7199 (new)
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
| |
krb5_stdccv3_switch_to() calls cc_ccache_set_default().
krb5_stdccv3_resolve() checks for NULL or empty residual and calls
cc_context_get_default_ccache_name() in those cases.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7198 (new)
tags: pullup
|
| |
|
|
|
|
|
|
| |
If the directory for a DIR ccache doesn't exist yet, try to create it
(but not its parents) with mode 700. Exercise this in test scripts by
not pre-creating directories.
ticket: 7196 (new)
|
| |
|
|
|
|
|
|
|
| |
In gssint_import_internal_name, don't map the minor code from
mech->gss_duplicate_name if it returned successfully. Fixes an
"unexpected non-zero minor status" error reported by SAP's gsstest
when it invokes gss_canonicalize_name().
ticket: 7194 (new)
|
| |
|
|
|
|
| |
Commit f609e5caff410cc8f71db7d95b4da219541437db accidentally omitted
the check for extra realm separators, leading to an assertion error
when parsing x@y@z or similar. Restore the check.
|
| |
|
|
|
| |
This (hair-raising) macro is not referenced anywhere in the tree,
so remove it and the associated comment.
|
| |
|
|
| |
ticket: 7086
|
| |
|
|
| |
ticket: 7086
|
| |
|
|
|
|
|
| |
read(2) returns an ssize_t, not an int. We want to compare this
value against several unsigned size_ts, so make a local copy.
Also cast to int for printing; size_t can be wider than int, but
these values should be small.
|
| |
|
|
|
|
| |
Unsigned long might not be 32-bits, in which case the overflow check
fails for a 32-bit kdb_sno_t. Cast from -1 explicitly as a more
robust check.
|
| |
|
|
|
|
|
| |
The gid_len length is declared as an unsigned int, and loop
index 'i' is a signed int. This could manifest as an infinite
loop if gid_len is very large. In practice, gid_len should be small,
but make 'i' the same type for consistency.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The %*s format takes two arguments, a precision length/width and
an actual string; the length is specified as a signed integer.
The size_t length field of the gss_buffer_desc type is an unsigned
type, which must be cast or otherwise converted to a signed type
to match the format string expectations.
I do not think that the length will approach SIZE_T_MAX in practice,
due to buffer constraints, so do not include handling for the
edge case.
There is a '%zu' format string for printing size_ts, but it is not
available everywhere (e.g., AIX). Instead, use the
unsigned long long abomination.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The warning is
../../../../krb5/src/lib/krb5/os/cm.c:43: warning: no previous prototype for 'k5
_getcurtime'
which occurs because
int k5_getcurtime(struct timeval *tvp)
is defined (and used) in cm.c but there is no forward declaration.
Include the os-proto.h (internal) header which declares this function
to eliminate the warning. k5_getcurtime() is the first declaration in
cm.c, so there is not an ABI concern.
The only other consumer of k5_getcurtime(), sendto_kdc.c, already includes
os-proto.h, so this issue is purely cosmetic.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Revert 18b02f3e839c007fff54fc9b693f479b7563ec73 in the KDC. Instead,
when making an initial request with a keytab, transmit the whole
default_tkt_enctypes list, but sorted with the enctypes we have in the
keytab first. That way the KDC should prefer enctypes which we have
keys for (for both reply key and session key), but the other enctypes
are still available for use as ticket session keys.
ticket: 7190
|
| |
|
|
|
|
|
|
|
| |
Support acquiring GSSAPI krb5 credentials by fetching initial
credentials using the client keytab. Credentials obtained this way
will be stored in the default ccache or collection, and will be
refreshed when they are halfway to expiring.
ticket: 7189 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The default client keytab is intended to be used to automatically
acquire initial credentials for client applications. The current
hardcoded default is a placeholder, and will likely change before
1.11.
Add test framework settings to ensure that a system default client
keytab doesn't interfere with tests, and to allow tests to be written
to deliberately use the default client keytab.
Add documentation about keytabs to the concepts section of the RST
docs, and describe the default client keytab there.
ticket: 7188 (new)
|
| |
|
|
|
|
|
|
|
|
| |
In the regular krb5 code path, only get a default krb5 cred for the
initial token, since we don't need the cred for mutual_auth anyway.
In the IAKERB mechanism, cache the default cred in iakerb_ctx_id_rec
so we don't have to construct it again for each token. Also, get an
IAKERB default cred, not a regular krb5 cred (a bug which is harmless
now, but becomes more of a problem with keytab initiation changes).
|
| |
|
|
|
|
|
| |
The tgt_expire field is used to store non-TGT expiry times in a couple
of cases: when the ccache has no TGT, and after we've obtained a cred
for the target service. Rename it to just "expire" to be less
misleading.
|
| |
|
|
|
| |
Avoid rereading the ccache in order to find the impersonator config
entry. Instead, check each entry as we scan through the first time.
|
| |
|
|
|
| |
The password is always zero-terminated, so we can store it as a char *
instead of a krb5_data.
|
| |
|
|
|
|
|
|
|
|
| |
If read_primary_file() fails with an error other than ENOENT, abort
cache resolution rather than dereferencing a null pointer. Reported
by Oliver Loch.
ticket: 7185
target_version: 1.10.3
tags: pullup
|
| |
|
|
|
|
| |
struct acquire_cred_args was used purely to pass arguments to
acquire_cred (a static function), and had no advantages for that
purpose over positional arguments.
|
| |
|
|
|
|
|
| |
krb5_is_config_principal should be invoked on creds.server, not
creds.client.
ticket: 7173
|
| | |
|
| | |
|
