| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
| |
If a caller tries to acquire krb5 initiator creds with no desired name
and we have no credentials in the cache collection, fail from
gss_acquire_cred intead of deferring until gss_init_sec_context.
ticket: 7160
|
| |
|
|
|
|
|
| |
Add a new API to determine whether any krb5 credentials are available
in the ccache collection. Add tests to t_cccol.py.
ticket: 7173 (new)
|
| |
|
|
|
| |
krb5int_cc_os_default_name has been unused since #6955 removed the
call to it in cccursor.c. Get rid of it.
|
| |
|
|
|
|
|
| |
The default realm could be leaked if the principal had the wrong
number of components. Reported by Russ Allbery.
ticket: 7161
|
| |
|
|
|
|
|
|
| |
The big_endian flag in krb5_gss_ctx_id_rec is there for
interoperability with a really ancient implementation which we believe
is no longer in use. Get rid of it and the code to handle it.
ticket: 7166 (new)
|
| |
|
|
|
|
|
| |
Rename krb5int_count_etypes and krb5int_copy_etypes to have k5_
prefixes, and make them available outside of libkrb5 (but not part of
the public API). Add k5_etypes_contains to search an etype list, and
use it in krb5_is_permitted_enctype.
|
| |
|
|
|
| |
It's an internal function (not in krb5.h or the libkrb5 export list)
and nothing uses it.
|
| |
|
|
|
|
|
|
| |
#7125 took out the copy of the krb5_verify_init_creds server argument
but left in the corresponding free, so it was freeing a caller-owned
principal. Reported by Russ Allbery.
ticket: 7162
|
| |
|
|
|
|
| |
Attempt to choose tracing inputs in t_trace.c which will produce
consistent output across platforms and logins. Re-enable the
comparison against the reference file.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a principal string attribute named "session_enctypes" which can
specify what enctypes the principal supports for session keys. (For
what it's worth, this actually allows one to list des-cbc-md5 as a
supported session key enctype, though obviously this hardly matters
now.)
Add a [realms] section parameter for specifying whether to assume that
principals (which lack the session_enctypes attribute) support
des-cbc-crc for session keys. This allows those who still need to use
allow_weak_crypto=true, for whatever reason, to start reducing the
number of tickets issued with des-cbc-crc session keys to clients
which still give des-cbc-crc preference in their default_tgs_enctypes
list.
[ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored
test script; documented session_enctypes attribute]
|
| | |
|
| |
|
|
|
|
| |
The t_trace output isn't consistent from run to run. To fix "make
check", disable the comparison against the reference file until we can
make the output consistent.
|
| |
|
|
|
|
|
| |
Only use common denominator Bourne shell syntax for exporting
environment variables. Don't rely on /dev/stdout working. Compare
the output with a reference file to detect changes, instead of just
sending it to stdout.
|
| |
|
|
| |
ticket: 7150
|
| |
|
|
|
|
|
|
| |
If a caller tries to acquire krb5 acceptor creds with no desired name
and we have no keytab keys, fail from gss_acquire_cred instead of
deferring until gss_accept_sec_context.
ticket: 7159 (new)
|
| |
|
|
|
|
|
|
|
|
|
| |
If we can't acquire creds for any mech in gss_acquire_cred, return the
status of the first mech instead of the last mech, as it's more useful
in the typical case (where the first mech is krb5 and the last mech is
SPNEGO). This error reporting is not ideal when the user was
expecting to use some mech other than krb5, but it's about as good as
things were prior to #6894.
ticket: 6973
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add the krb5_kt_have_content API from Heimdal, which can be used to
test whether a keytab exists and contains entries. Add tests to
t_keytab.c.
There is a deviation from Heimdal in the function signature.
Heimdal's signature returns a krb5_boolean at the moment, because the
Heimdal implementation actually returns a krb5_error_code. These are
generally the same type anyway (int).
ticket: 7158 (new)
|
| |
|
|
|
|
|
| |
When checking for specific error codes, using CHECK() meant that we
wouldn't properly fail if we got error code 0. Define and use a
CHECK_ERR() to test for a specific error code, and define CHECK() in
terms of it.
|
| |
|
|
|
|
|
|
|
|
|
| |
In r21879, when we converted to using KRB5_CONF macros for profile
variable names, we made a typo in krb5_get_tgs_ktypes and erroneously
started using default_tkt_enctypes instead of default_tgs_enctypes for
TGS requests. Fix the typo and return to the documented behavior.
ticket: 7155
target_version: 1.10.3
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The fix for #6626 could cause kadmind to dereference a null pointer if
a create-principal request contains no password but does contain the
KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
name"). Only clients authorized to create principals can trigger the
bug. Fix the bug by testing for a null password in check_1_6_dummy.
CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C
[ghudson@mit.edu: Minor style change and commit message]
ticket: 7152
target_version: 1.10.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In 1.10, encrypted timestamp became a built-in module instead of a
hardcoded padata handler. This changed the behavior of
krb5_get_init_creds as invoked by s4u_identify_user such that
KRB5_PREAUTH_FAILED is returned instead of the gak function's error.
(Module failures are not treated as hard errors, while hardcoded
padata handler errors are.) Accordingly, we should look for
KRB5_PREAUTH_FAILED in s4u_identify_user.
On a less harmful note, the gak function was returning a protocol
error code instead of a com_err code, and the caller was testing for a
different protocol error code (KDC_ERR_PREAUTH_REQUIRED) which could
never be returned by krb5_get_init_creds. Clean up both of those by
returning KRB5_PREAUTH_FAILED from the gak function and testing for
that alone.
Reported by Michael Morony.
ticket: 7136
target_version: 1.10.2
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
The referrals debugging code under DEBUG_REFERRALS ceased building
correctly at some point. Convert this debugging code to use the
tracing framework instead, including adding new trace macros to
k5-trace.h.
ticket: 7151
|
| |
|
|
|
|
| |
This improves the previously minimal test coverage of "trace.c".
ticket: 7151
|
| |
|
|
|
|
|
| |
Add the "{ptype}" trace format specifier, for principal name types.
Also document the new option in the "k5-trace.h" comments.
ticket: 7151
|
| |
|
|
|
|
|
|
|
|
| |
Although there are few legitimate reasons to use gss_mech_krb5_wrong,
it's declared in the public header and exported in the Windows DLL.
So export it from the Unix library as well.
ticket: 7148 (new)
target_version: 1.10.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
| |
krb5_set_trace_callback and krb5_set_trace_filename were added to
krb5.h in krb5 1.9, but were mistakenly left out of the library export
lists. Add them now. Reported by Russ Allbery.
ticket: 7143
target_version: 1.10.2
tags: pullup
|
| |
|
|
| |
ticket: 7137
|
| |
|
|
| |
ticket: 7134
|
| |
|
|
|
|
| |
Patch from W. Trevor King.
ticket: 7133
|
| |
|
|
|
|
|
|
|
|
| |
Add $(LIBS) to the $(SHLIB_EXPLIBS) for some shared libraries which
did not previously include it, which prevented gcov from working
properly in some cases.
Patch from W. Trevor King.
ticket: 7138
|
| |
|
|
|
|
| |
Patch from wking@tremily.us.
ticket: 7131
|
| | |
|
| |
|
|
|
|
|
|
| |
Avoid using extern inline in asn1buf.h, as there are two conflicting
sets of semantics (gnu89's and C99's). gcc defaults to the gnu89
semantics, which we were using, while clang defines __GNUC__ but
defaults to the C99 semantics. To simplify things, use static inline
instead, like we do in k5-int.h.
|
| |
|
|
|
|
|
| |
When spnego_gss_acquire_cred passes through a failure status from the
mechglue, it overwrites the minor code with a call to
gss_release_oid_set(). Use a temporary minor status for that and a
related call.
|
| |
|
|
|
|
|
|
|
|
| |
The rewritten krb5_parse_name didn't null-terminate components or
realms of principals, while the old one did. Fix the new one to do so
as well.
This means KRB5_PRINCIPAL_PARSE_IGNORE_REALM allocates one byte for
the realm instead of leaving it as empty_data(), so we need to free
the realm in build_in_tkt_name() before copying in the client realm.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
MIT and Heimdal KDCs ignore the start time for non-postdated ticket
requests, but AD yields an error if the start time is in the KDC's
future, defeating the kdc_timesync option. Omit the start time if the
caller did not specify a start time offset.
This change reenables the client check for too much clock skew in the
KDC reply in the non-timesync configuration. That check had been
unintentionally suppressed since the introduction of the
get_init_creds interfaces. Adjust the t_skew test script to expect
the new error behavior.
Code changes from stefw@gnome.org with slight modifications.
ticket: 7130
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25864 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
| |
Use the new KRB5_PRINCIPAL_PARSE_IGNORE_REALM flag when parsing
in_tkt_service arguments in get_init_cred functions, since we're going
to overwrite the realm anyway.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25863 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
| |
The flag KRB5_PRINCIPAL_PARSE_IGNORE_REALM causes krb5_parse_name to
return the principal with an empty realm whether or not a realm is
present in the name.
ticket: 7129
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25862 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
| |
krb5_parse_name started out a bit unwieldy, and has become more so
with the introduction of flags. Rewrite it using two passes (allocate
and fill), each broken out into its own helper, and a wrapper which
handles the realm flags.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25861 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This fix is not very general or clean, but is suitable for backporting
because it is minimally invasive. A more comprehensive fix will
follow.
ticket: 7127
target_version: 1.10.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25860 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The get_init_creds functions take read-only string input parameters
for passwords and initial ticket services. Make these const char *
parameters instead of just char * parameters, for caller convenience.
Reported by rra@stanford.edu.
ticket: 7121
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25858 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Active Directory returns structured policy information in the
nominally UTF-8 result string field of a password change reply. Add a
new API krb5_chpw_message() to convert a result string into a
displayable message, interpreting policy information if present.
Patch from stefw@gnome.org with changes.
ticket: 7128
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25857 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25856 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25853 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
| |
Make vfy_increds.c consistently use newer coding conventions. Also
add a copyright statement.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25848 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
| |
As the file ccache implementation currently stands, we don't want to
turn off TC_OPENCLOSE on a file cache we're writing to, or it will be
opened read-only and stores to it will fail. Reported by Russ
Allbery.
ticket: 5126
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25847 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Factor out the core code of krb5_verify_init_creds into a helper, add
new helper functions to retrieve the list of unique host principals
from a keytab, and make krb5_verify_init_creds drive the helper once
per host principal.
Augment the test harness and test cases to better test the new
behavior. Add a k5test method to retrieve an NFS principal for the
test realm for the sake of the new test cases.
ticket: 7125
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25845 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When canonicalizing a principal, use AI_CANONNAME alone in the hint
flags for getaddrinfo, for two reasons. First, it works around a gnu
libc bug where getaddrinfo does a PTR lookup for the canonical name
(we tried to work around this in r24977 bug the addition of
AI_ADDRCONFIG caused the same problem as the use of AF_INET). Second,
an IPv4-only host should be able create a principal for an IPv6-only
host even if it can't contact the host.
This does result in extra AAAA queries in the common case (IPv4-only
host contacting IPv4-only service), which is unfortunate. But we need
to leave that optimization up to the platform at this point.
ticket: 7124
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25844 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
| |
Now that krb5_do_preauth has many fewer moving parts, simplify its
flow control. Also remove an unused output parameter from
run_preauth_plugins.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25842 dc483132-0cff-0310-8789-dd5450dbe970
|
