summaryrefslogtreecommitdiffstats
path: root/src/lib
Commit message (Collapse)AuthorAgeFilesLines
...
* Use an opaque handle in the kdcpreauth callbackGreg Hudson2011-10-052-3/+0
| | | | | | | | | | | | | | Instead of passing a request and entry to the kdcpreauth get_data callback, pass an opaque handle. Remove DB entry and key data parameters from kdcpreauth methods (but keep the request, since that's transparent). The SecurID plugin links against libkdb5 and needs access to the client DB entry. Rather than continue to pass a DB entry to kdcpreauth methods, add a get_data callback to get the client DB entry for the few plugins which might need it. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25300 dc483132-0cff-0310-8789-dd5450dbe970
* Fix initialization and pointer bugs in new codeGreg Hudson2011-10-041-2/+4
| | | | | | | Coverity found some minor-to-medium bugs in some recent changes; fix them. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25299 dc483132-0cff-0310-8789-dd5450dbe970
* Create e_data as pa_data in KDC interfacesGreg Hudson2011-10-043-5/+6
| | | | | | | | | | | | All current known uses of e_data are encoded as pa-data or typed-data. FAST requires that e_data be expressed as pa-data. Change the DAL and kdcpreauth interfaces so that e_data is returned as a sequence of pa-data elements. Add a preauth module flag to indicate that the sequence should be encoded as typed-data in non-FAST errors. ticket: 6969 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25298 dc483132-0cff-0310-8789-dd5450dbe970
* Improve k5_get_os_entropy for WindowsGreg Hudson2011-10-041-1/+2
| | | | | | | | When acquiring a crypto context for CryptGenRandom, pass CRYPT_VERIFYCONTEXT to indicate that we don't need access to private keys. Appears to make OS entropy work on Windows XP. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25297 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a Fortuna PRNG failure caseGreg Hudson2011-10-031-1/+3
| | | | | | | | If we don't have entropy when krb5_c_random_make_octets is called, unlock the mutex before returning an error. From kevin.wasserman@painless-security.com. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25295 dc483132-0cff-0310-8789-dd5450dbe970
* Make dispatch() respond via a callbackGreg Hudson2011-10-031-134/+191
| | | | | | From npmccallum@redhat.com with changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25291 dc483132-0cff-0310-8789-dd5450dbe970
* Windows fixes: remove unreferenced; use sizeof to compute array sizeSam Hartman2011-09-281-2/+1
| | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25272 dc483132-0cff-0310-8789-dd5450dbe970
* Windows fixes: add KRB5_CALLCONV where neededSam Hartman2011-09-283-3/+3
| | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25269 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate domain-based client realm walkGreg Hudson2011-09-282-26/+50
| | | | | | | | | | | | | | | | | For a very long time, KDCs have known how to perform a domain-based realm walk when serving requests for TGTs. (So if a KDC for A.B.C receives a request for krbtgt/X.B.C and doesn't have that principal, it can return one for krbtgt/B.C instead.) Performing the same heuristic on the client is unnecessary and inefficient in common cases. Add a new function k5_client_realm_path to walk_rtree.c which uses capaths values only, and returns a list of realms (as desired by get_creds.c) instead of TGT names. ticket: 6966 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25241 dc483132-0cff-0310-8789-dd5450dbe970
* Fix an error case in encrypted timestamp preauthGreg Hudson2011-09-271-3/+1
| | | | | | | | | If krb5_encrypt_helper returns an error, it's not the caller's responsibility to free enc_data.ciphertext, and in one case (if krb5_c_encrypt_length returns an error) it won't have been initialized. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25239 dc483132-0cff-0310-8789-dd5450dbe970
* Update dependenciesEzra Peisach2011-09-261-0/+12
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25235 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate union in net-server.c struct connectionGreg Hudson2011-09-241-105/+104
| | | | | | | | | Several of the u.tcp fields were also used for RPC connections. The overlap between u.tcp.addr_s and u.rpc.closed could confuse free_socket() into causing a null pointer dereference inside svc_getreqset(). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25231 dc483132-0cff-0310-8789-dd5450dbe970
* Fix krb5_dbe_get_strings error handlingGreg Hudson2011-09-241-8/+12
| | | | | | | The old error handling was incorrect in the case where a strdup() call returns NULL but realloc() returns non-NULL. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25230 dc483132-0cff-0310-8789-dd5450dbe970
* Don't use accessor in encrypted challengeGreg Hudson2011-09-242-17/+7
| | | | | | | Now that the encrypted challenge code is linked into libkrb5 and the KDC, it's unnecessary to use the accessor there. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25229 dc483132-0cff-0310-8789-dd5450dbe970
* Recast encrypted challenge as linked built-insGreg Hudson2011-09-234-3/+200
| | | | | | | | Since it has no external dependencies, split up encrypted preauth into clpreauth and kdcpreauth chunks and link them directly into the consumers. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25227 dc483132-0cff-0310-8789-dd5450dbe970
* Support special salt type in default krb5_dbe_cpwGreg Hudson2011-09-221-0/+36
| | | | | | | | | | | | | | | This change allows the "special" salt type to be used in supported_enctypes or in the argument to kadmin's cpw -e. If used, kadmind will pick a salt consisting of 64 random bits represented as 16 printable ASCII characters. The use of random explicit salts creates some interoperability issues and is not generally recommended, but can be useful for interop testing, as a workaround for obscure bugs, or to increase the difficulty of brute-force password searches in situations where none of the interoperability issues apply. ticket: 6964 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25226 dc483132-0cff-0310-8789-dd5450dbe970
* Improve mk_safe/mk_priv cleanup slightlyGreg Hudson2011-09-222-12/+16
| | | | | | | In both functions, initialize outbuf on error, and avoid putting pointers into it before we reach the successful return stage. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25225 dc483132-0cff-0310-8789-dd5450dbe970
* WhitespaceGreg Hudson2011-09-213-77/+80
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25224 dc483132-0cff-0310-8789-dd5450dbe970
* Fix string attribute unit testsGreg Hudson2011-09-213-6/+14
| | | | | | | Wrap t_stringattr in a very minimal Python test script so that libkdb5 can find the DB2 module to allocate memory. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25223 dc483132-0cff-0310-8789-dd5450dbe970
* * New implementation to map a gss name to localnameSam Hartman2011-09-216-75/+106
| | | | | | | | | | | | | | | | * Write gss_pname_to_uid in terms of gss_localname; suppress on win32 * Add test for gss_pname_to_uid indirectly testing gss_localname * gss_localname is the SPI, not gss_pname_to_uid * fix some const gss_OID->gss_const_oid Signed-off-by: Sam Hartman <hartmans@painless-security.com> gss_localname: map gss name to localname git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25222 dc483132-0cff-0310-8789-dd5450dbe970
* If the client offers the alg agility KDF, use itSam Hartman2011-09-211-1/+1
| | | | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> pkinit: changes to call alg-agility KDF git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25218 dc483132-0cff-0310-8789-dd5450dbe970
* Add stubs for new pkinit encodersGreg Hudson2011-09-211-1/+19
| | | | | | | | The new pkinit encoders for hash agility are in the library export list (whereas older encoders are invoked via the accessor), so we need to provide stubs for them if we're building without pkinit support. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25216 dc483132-0cff-0310-8789-dd5450dbe970
* Add kadmin functionality for string attributesGreg Hudson2011-09-2110-0/+278
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25215 dc483132-0cff-0310-8789-dd5450dbe970
* Add KRB5_TL_STRING_ATTRS and libkdb5 accessorsGreg Hudson2011-09-215-1/+287
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25214 dc483132-0cff-0310-8789-dd5450dbe970
* Fix asn.1 encoder build without PKINIT supportGreg Hudson2011-09-211-51/+52
| | | | | | | Move all of the added PKINIT hash agility stuff inside the #ifndef DISABLE_PKINIT block. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25213 dc483132-0cff-0310-8789-dd5450dbe970
* Make ASN.1 code build without PKINIT supportGreg Hudson2011-09-191-23/+23
| | | | | | | | Move asn1_decode_kdf_alg_id and asn1_decode_sequence_of_kdf_alg_id inside the #ifndef DISABLE_PKINIT block; otherwise they reference a nonexistent asn1_decode_kdf_alg_id_ptr when PKINIT is disabled. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25211 dc483132-0cff-0310-8789-dd5450dbe970
* Formatting fixesGreg Hudson2011-09-196-234/+250
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25209 dc483132-0cff-0310-8789-dd5450dbe970
* Add KRB5_CALLCONV to krb5_init_context_profile definition in init_ctx.c ↵Sam Hartman2011-09-191-1/+1
| | | | | | | | | Remove extraneous 'p' Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> Signed-off-by: Sam Hartman <hartmans@debian.org> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25203 dc483132-0cff-0310-8789-dd5450dbe970
* __func__ -> __FUNCTION__ in #ifdef DEBUG blocks in util_errmap.cSam Hartman2011-09-191-2/+2
| | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> Signed-off-by: Sam Hartman <hartmans@debian.org> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25200 dc483132-0cff-0310-8789-dd5450dbe970
* On Windows, parse mechanism info from Registry instead of mech fileSam Hartman2011-09-191-169/+351
| | | | | | | | | | | Currently the code parses @sysconfdir@/gss/mech as a set of GSS mechanisms to dynamically load. On Windows this should come from the registry. Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> Signed-off-by: Sam Hartman <hartmans@debian.org> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25198 dc483132-0cff-0310-8789-dd5450dbe970
* Remove the ticket from the pkinit-alg-agility KDF function, to matchSam Hartman2011-09-191-1/+0
| | | | | | | | | agreed changes to the IETF specification. Includes removing a parameter from the KDF function, removing the ticket from the ASN.1 encoder, and updating the test code. Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25197 dc483132-0cff-0310-8789-dd5450dbe970
* Asn1_encode: indicate DER compressed form without tag or length as inputSam Hartman2011-09-191-0/+4
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25196 dc483132-0cff-0310-8789-dd5450dbe970
* Implement encoding and decoding for supportedKDFs and kdfIDSam Hartman2011-09-194-36/+108
| | | | | | pkinit: ASN.1 encoders and decoders for new KDF git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25195 dc483132-0cff-0310-8789-dd5450dbe970
* * Extend auth_packSam Hartman2011-09-192-0/+11
| | | | | | | | | | * extend dh_rep * add krb5_free_octet_data * extend pkinit free functions pkinit: add supportedKDFs and kdfID to structures git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25194 dc483132-0cff-0310-8789-dd5450dbe970
* Added underlying ASN.1 structures for pkinit algorithm agilitySam Hartman2011-09-192-3/+37
| | | | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> tested-by: Sam Hartman <hartmans@debian.org> fixes-from: Sam Hartman <hartmans@debian.org> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25190 dc483132-0cff-0310-8789-dd5450dbe970
* In pkinit_crypto_openssl.c, modified pkinit_octetstring2key() toSam Hartman2011-09-191-0/+1
| | | | | | | | | | | | eliminate a possible memory leak in the error path, where the key_block->length was set to zero but the key_block->contents were not freed. Also, changed calloc() call to a malloc() call to avoid allocating up to 8 times as much buffer space as needed. In keyblocks.c, modified kr5_free_keyblock_contents() to set the key->length to zero after the key->contents have been freed. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25189 dc483132-0cff-0310-8789-dd5450dbe970
* In order for asn1_encode_oid to be called from DEFLENFNTYPE it needsSam Hartman2011-09-192-2/+2
| | | | | | | | to take void * like all the other string encoders. asn1_encode_oid: take void not asn1_octet git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25188 dc483132-0cff-0310-8789-dd5450dbe970
* asn1_encode.{c,h}: support DEFOCTETWRAPTYPESam Hartman2011-09-192-6/+16
| | | | | | | | | Support a way of defining a type that indicates that the DER encoding of some other type is wrapped inside an octet string in a produced encoding. To support this, support encoding of tagged things where the class is not constructed; in this case it will be primitive. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25187 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a typo in r25026Greg Hudson2011-09-151-6/+6
| | | | | | | A stray "p" was added to krb5_init_context_profile() inside a _WIN32 block. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25180 dc483132-0cff-0310-8789-dd5450dbe970
* Split signal setup into loop_setup_signals()Greg Hudson2011-09-141-21/+22
| | | | | | | In the KDC, set up signals in the worker process child after forking from the monitor process. From npmccallum@redhat.com. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25176 dc483132-0cff-0310-8789-dd5450dbe970
* Reinitialize verto after creating worker childGreg Hudson2011-09-141-3/+9
| | | | | | | Also mark fd events as reinitiable so they survive the fork. From npmccallum@redhat.com. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25175 dc483132-0cff-0310-8789-dd5450dbe970
* Fix verto-k5ev.h dependencies for system libvertoGreg Hudson2011-09-141-16/+16
| | | | | | | | | When we build with the internal verto, we include verto-k5ev.h in order to create loops. When we build with the system verto, we don't include that header file. Add depfix logic and pre.in variables to avoid depending on verto-k5ev.h for a system verto build. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25173 dc483132-0cff-0310-8789-dd5450dbe970
* Fix verto.h dependencies for system libvertoGreg Hudson2011-09-091-16/+16
| | | | | | | | When we have conditionally built bundled source, we need logic in depfix.pl and variables in pre.in to avoid depending on the bundled verto.h in generated dependencies. Add that logic for verto. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25170 dc483132-0cff-0310-8789-dd5450dbe970
* Fix some error-handling bugs in cc_dir.cGreg Hudson2011-09-071-4/+9
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25168 dc483132-0cff-0310-8789-dd5450dbe970
* Change how bundled libverto is linkedGreg Hudson2011-09-061-0/+7
| | | | | | | | | Give libverto-k5ev a header file. When using the internal verto library, link against -lverto-k5ev and use verto_default_k5ev() instead of verto_default(), bypassing the module loading logic and making static builds possible. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25166 dc483132-0cff-0310-8789-dd5450dbe970
* Fix several bugs in gss-krb5 inq_credGreg Hudson2011-09-061-8/+9
| | | | | | | | | cred could be used uninitialized if krb5_timeofday() failed. defcred had the wrong type. kg_cred_resolve() should be used instead of krb5_gss_validate_cred() to do delayed name/ccache resolution and get a lock. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25164 dc483132-0cff-0310-8789-dd5450dbe970
* Newer GCCs optimizer catches a variable used without initializationEzra Peisach2011-09-062-463/+849
| | | | | | in the bison library code. Use a GCC pragma to suppress. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25163 dc483132-0cff-0310-8789-dd5450dbe970
* Make gss-krb5 use cache collectionGreg Hudson2011-09-056-83/+149
| | | | | | | | | | | | | | | | For default credentials, defer ccache resolution until we need the information. If this happens in init_sec_context when we have the target principal in hand, use krb5_cc_select() to pick a cache. If the target principal is not known, use the default cache. For credentials with a specified principal, use krb5_cc_cache_match() to find the cache. If no cache is found and a password is specified, create a new cache within the collection to hold the new credentials, if the default cache type supports a collection. ticket: 6958 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25160 dc483132-0cff-0310-8789-dd5450dbe970
* Refactor gss-krb5 acquire_init_credGreg Hudson2011-09-051-224/+237
| | | | | | | | These changes have no functional impact, but will allow the GSSAPI changes for credential selection to be made with a minimum of code movement. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25159 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_cc_select() API and pluggable interfaceGreg Hudson2011-09-0510-1/+565
| | | | | | | | | | | The interface has two built-in modules. The realm module guesses a cache based on the server realm if it is known. The k5identity module (Unix only) chooses a client principal based on rules in a .k5identity file in the user's homedir. ticket: 6957 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25158 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-27 02:42:18 +0000