summaryrefslogtreecommitdiffstats
path: root/src/lib
Commit message (Collapse)AuthorAgeFilesLines
...
* Fix gss_set_cred_option cred creation with no nameGreg Hudson2011-07-221-6/+8
| | | | | | | | | | | When creating a cred in the mechglue with gss_acquire_cred, the mechanism is allowed to return no name from gss_inquire_cred. But in the analagous operation in gss_set_cred_option, that would result in an error from gss_display_name. Make the call to gss_display_name conditional on the mechanism name being set. Reported by Andrew Bartlett. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25037 dc483132-0cff-0310-8789-dd5450dbe970
* Fix name initialization in gss_krb5int_import_credGreg Hudson2011-07-201-0/+6
| | | | | | | | If we're going to fake up a name, we have to initialize its lock. It might be better to use kg_init_name(), but we don't have a context on hand. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25030 dc483132-0cff-0310-8789-dd5450dbe970
* Fix memory leak of accprinc in kg_accept_krb5()Greg Hudson2011-07-201-2/+4
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25029 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_init_context_profile APIGreg Hudson2011-07-204-21/+28
| | | | | | ticket: 6929 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25026 dc483132-0cff-0310-8789-dd5450dbe970
* Add support for loadable profile modulesGreg Hudson2011-07-201-3/+4
| | | | | | ticket: 6929 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25025 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify and fix chpass_util error generationGreg Hudson2011-07-061-34/+20
| | | | | | | | | | | | | | If a principal has no associated kadm5 policy, we may still get password quality errors from a module (KDB or pwqual). There was a bug in the error generation for this case which caused only a generic error to be returned. Also use snprintf() instead of multiple string operations to compose errors. From Simo Sorce <ssorce@redhat.com>. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25014 dc483132-0cff-0310-8789-dd5450dbe970
* C90 doesn't allow commas at the ends of enumeration listsKen Raeburn2011-07-011-1/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25012 dc483132-0cff-0310-8789-dd5450dbe970
* isspace should only get unsigned-char values or EOFKen Raeburn2011-07-011-2/+4
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25010 dc483132-0cff-0310-8789-dd5450dbe970
* make dependEzra Peisach2011-07-017-85/+55
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25007 dc483132-0cff-0310-8789-dd5450dbe970
* Get static linking working again, mostlyGreg Hudson2011-06-282-45/+45
| | | | | | | | | | | | | | | | | | | Static linking (#6510) broke when lockout support was added because the DB2 plugin became dependent on libkadm5srv_mit for XDR functions. Also, static linking was extensively broken in combination with LDAP support. Fix these problems. Afer these fixes, the test suite fails in the FAST tests because there's no static build support for dynamic preauth plugins, which means there's no encrypted challenge. (And unlike the pkinit tests, the test suite doesn't conditionalize on the presence of the encrypted challenge plugin, because we always build it.) This will fix itself if and when encrypted challenge becomes linked into the consumers, or static build support is added for preauth plugins. ticket: 6914 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24996 dc483132-0cff-0310-8789-dd5450dbe970
* Make fewer db lookups in kadm5_create_principal_3Greg Hudson2011-06-241-19/+10
| | | | | | | | By creating the password history entry earlier in the function, we can avoid the need to look up the principal entry twice just to save a copy of the key data. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24990 dc483132-0cff-0310-8789-dd5450dbe970
* Use zapfree in krb5_free_key_data_contents()Greg Hudson2011-06-241-6/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24989 dc483132-0cff-0310-8789-dd5450dbe970
* Don't destroy dst on error in krb5_cc_moveGreg Hudson2011-06-231-2/+0
| | | | | | | | Although destroying any partial contents of dst on error isn't a bad idea, invalidating the handle would be an incompatible change. So revert that part of r24754. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24988 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a minor memory leak in the pwqual loaderGreg Hudson2011-06-231-0/+1
| | | | | | | k5_pwqual_free_handles() wasn't freeing the container structure for each handle. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24986 dc483132-0cff-0310-8789-dd5450dbe970
* Fix memory leak introduced in r24969Greg Hudson2011-06-231-0/+1
| | | | | | | The new context field plugin_base_dir wasn't being freed on context deletion. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24985 dc483132-0cff-0310-8789-dd5450dbe970
* Use AI_ADDRCONFIG for more efficient getaddrinfoGreg Hudson2011-06-235-5/+7
| | | | | | | | | | | | | | | Add AI_ADDRCONFIG to the hint flags for every invocation of getaddrinfo which wasn't already using it. This is often the default behavior when no hints are specified, but we tend to specify hints a lot, so we have to say it ourselves. AI_ADDRCONFIG causes AAAA lookups to be skipped if the system has no public IPv6 interface addresses, usually saving a couple of DNS queries per getaddrinfo call and allowing DNS caching to be much more effective without the need for negative caching. ticket: 6923 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24978 dc483132-0cff-0310-8789-dd5450dbe970
* Work around glibc getaddrinfo PTR lookupsGreg Hudson2011-06-231-8/+1
| | | | | | | | | | | | | | | | | | | In krb5_sname_to_principal(), we always do a forward canonicalization using getaddrinfo() with AI_CANONNAME set. Then, we do a reverse canonicalization with getnameinfo() if rdns isn't set to false in libdefaults. Current glibc (tested with eglibc 2.11.1) has the arguably buggy behavior of doing PTR lookups in getaddrinfo() to get the canonical name, if hints.ai_family is set to something other than AF_UNSPEC. This behavior defeats the ability to turn off rdns. Work around this behavior by using AF_UNSPEC in krb5_sname_to_principal() from the start, instead of starting with AF_INET and falling back. Specify AI_ADDRCONFIG to avoid AAAA lookups on hosts with no IPv6 addresses. ticket: 6922 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24977 dc483132-0cff-0310-8789-dd5450dbe970
* Convert preauth_plugin.h to new plugin frameworkGreg Hudson2011-06-178-242/+220
| | | | | | | | | | | | | | | | | | | | | | | | The preauth plugin interface was introduced in 1.6 but was never made a public API. In preparation for making it public in 1.10, convert it to use the new plugin framework. This will require changes to any existing preauth plugins. A number of symbols were renamed for namespace cleanliness, and abstract types were introduced for module data and module per-request data for better type safety. On the consumer end (preauth2.c and kdc_preauth.c), this is a pretty rough conversion. Eventually we should create proper consumer APIs with module handles, and the flat lists of preauth types should hold pointers to module handles rather than copies of the vtables. The built-in preauth type handlers should then be converted to built-in module providers linked into the consumer code (as should encrypted challenge, since it has no external dependencies). None of this will impact the provider API for preauth plugins, so it can wait. ticket: 6921 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24970 dc483132-0cff-0310-8789-dd5450dbe970
* Add k5_plugin_register_dyn internal APIGreg Hudson2011-06-173-27/+68
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24969 dc483132-0cff-0310-8789-dd5450dbe970
* ANSIfy the remaining K&R functions in lib/gssapi/genericGreg Hudson2011-06-132-26/+15
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24968 dc483132-0cff-0310-8789-dd5450dbe970
* Fix old-style GSSRPC authenticationGreg Hudson2011-06-131-3/+10
| | | | | | | | | | | | | | | r24147 (ticket #6746) made libgssrpc ignorant of the remote address of the kadmin socket, even when it's IPv4. This made old-style GSSAPI authentication fail because it uses the wrong channel bindings. Fix this problem by making clnttcp_create() get the remote address from the socket using getpeername() if the caller doesn't provide it and it's an IPv4 address. ticket: 6920 target_version: 1.9.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24967 dc483132-0cff-0310-8789-dd5450dbe970
* Mark up strings for translationGreg Hudson2011-06-1036-323/+355
| | | | | | ticket: 6918 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970
* Add localization infrastructureGreg Hudson2011-06-102-1/+3
| | | | | | | | | Adds build system logic, translation macros in k5-platform.h, and bindtextdomain calls in libkrb5 initialization. ticket: 6918 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24959 dc483132-0cff-0310-8789-dd5450dbe970
* Restore fallback non-referral TGS request to same realmGreg Hudson2011-06-031-12/+10
| | | | | | | | | | | | | | | MIT krb5 1.2 and earlier KDCs reject TGS requests if the canonicalize bit is set. Prior to 1.9, we used to handle this by making a non-referral fallback request on any error, but the rewrite in 1.9 mistakenly changed the behavior so that fallback requests are only made if the original request used the referral realm and the fallback realm is different from the default realm. Restore the old behavior. ticket: 6917 target_version: 1.9.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24946 dc483132-0cff-0310-8789-dd5450dbe970
* Restore krb5_get_credentials caching for referral requestsGreg Hudson2011-05-261-0/+5
| | | | | | | | | | | | | | | The krb5_get_credentials() rewrite for IAKERB accidentally omitted the final step of restoring the requested realm in the output credentials. As a result, referral entries are not cached, and the caller sees the actual realm in (*out_creds)->server instead of the referral realm as before. Fix this in complete() by swapping ctx->req_server into ctx->reply_creds->server. ticket: 6916 target_version: 1.9.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24945 dc483132-0cff-0310-8789-dd5450dbe970
* Fix multiple tl-data updates over ipropGreg Hudson2011-05-221-35/+8
| | | | | | | | | | | | | krb5_dbe_update_tl_data() accepts a single read-only tl-data entry, but ulog_conv_2dbentry() expects it to process a full list. Fix ulog_conv_2dbentry() to call krb5_db2_update_tl_data() on each entry individually, simplifying its memory management in the process. ticket: 6913 target_version: 1.9.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24937 dc483132-0cff-0310-8789-dd5450dbe970
* Updated documentation for krb5_c_ and sensauth API.Zhanna Tsitkov2011-05-191-9/+0
| | | | | | Also, removed the second declaration of krb5_c_string_to_key_with_params() from string_to_key.c git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24935 dc483132-0cff-0310-8789-dd5450dbe970
* In mk_rd_cred if recv_subkey in the authentication context is NULL and the ↵Zhanna Tsitkov2011-05-161-23/+42
| | | | | | decryption with the session key fails, do not try to decrypt the message with the session key again. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24934 dc483132-0cff-0310-8789-dd5450dbe970
* Use hmac-md5 checksum for PA-FOR-USER padataGreg Hudson2011-05-141-8/+2
| | | | | | | | | | | | | | The MS-S4U documentation specifies that hmac-md5 be used for PA-FOR-USER checksums; we were using the mandatory checksum type for the key. Although some other checksum types appear to be allowed by Active Directory KDCs, Richard Silverman reports that md5-des is not one of them, causing S4U2Self requests to fail for DES keys. ticket: 6912 target_version: 1.9.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24929 dc483132-0cff-0310-8789-dd5450dbe970
* Updated documentation for PAC API. Moved PAC type definitions into krb5.hinZhanna Tsitkov2011-05-131-8/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24928 dc483132-0cff-0310-8789-dd5450dbe970
* fix regression in r24853: PAC no longer exposedLuke Howard2011-05-091-1/+1
| | | | | | | | Windows PAC is not AD-KDCIssued, rather it is signed with the long-term service session key (or user-to-user key). Advertise this correctly in the internal authorization data SPI. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24922 dc483132-0cff-0310-8789-dd5450dbe970
* Kernel subsetGreg Hudson2011-05-091-0/+5
| | | | | | | | | | | Add a directory containing a "kernel subset" (context import and message functions only) of the gss-krb5 library, with a test framework to exercise the functionality and indicate when unknown dependencies creep in. ticket: 6909 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24921 dc483132-0cff-0310-8789-dd5450dbe970
* Avoid calling gss_release_buffer() from the message-processing codeGreg Hudson2011-05-092-15/+6
| | | | | | in lib/gssapi/krb5. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24919 dc483132-0cff-0310-8789-dd5450dbe970
* Use internal crypto functions directly from util_crypt.c, avoiding aGreg Hudson2011-05-091-17/+4
| | | | | | dependency on the accessor. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24918 dc483132-0cff-0310-8789-dd5450dbe970
* Delete sec context properly in gss_krb5_export_lucid_sec_contextGreg Hudson2011-05-091-1/+1
| | | | | | | | | | | | | Since r21690, gss_krb5_export_lucid_sec_context() has been passing a union context to krb5_gss_delete_sec_context(), causing a crash as the krb5 routine attempts to interpret a union context structure as a krb5 GSS context. Call the mechglue gss_delete_sec_context instead. ticket: 6908 target_version: 1.9.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24917 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate a redundant initialization in cm_init_selstate() inGreg Hudson2011-05-031-1/+0
| | | | | | sendto_kdc.c. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24911 dc483132-0cff-0310-8789-dd5450dbe970
* Add poll support to sendto_kdc.c so that it can work in processes withGreg Hudson2011-05-024-131/+262
| | | | | | | | | | large numbers of open files. Move krb5int_cm_call_select() to a separate file so that the poll support doesn't interfere with net-server.c's continuing use of select. ticket: 6905 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24908 dc483132-0cff-0310-8789-dd5450dbe970
* Properly release resources in krb5_copy_authenticator()Zhanna Tsitkov2011-04-281-3/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24904 dc483132-0cff-0310-8789-dd5450dbe970
* The MIT krb5 and Heimdal implementations ofGreg Hudson2011-04-271-23/+6
| | | | | | | | | | | | | gss_krb5_export_lucid_sec_context error on version arguments other than 1, so the version negotiation described in the function documentation would not be backward-compatible. Change the docs so that the caller can assume the returned structure is of the requested version, but the caller will be responsible for retrying with lower version numbers on error. (Unfortunately, Heimdal and MIT return different error codes, and MIT's is in a currently-unpublished header, so we can't document the error code for unknown versions.) git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24903 dc483132-0cff-0310-8789-dd5450dbe970
* Make krb5_os_init_context compile again after r24901Greg Hudson2011-04-271-11/+9
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24902 dc483132-0cff-0310-8789-dd5450dbe970
* Remove worthless call to krb5_cc_set_default_name in krb5_os_init_contextZhanna Tsitkov2011-04-271-3/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24901 dc483132-0cff-0310-8789-dd5450dbe970
* Correctly set the expiration field of impersonated credentials inGreg Hudson2011-04-251-1/+1
| | | | | | | | | kg_compose_deleg_cred(), so we can find them in the cache in init_sec_context. From aberry@likewise.com. ticket: 6902 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24900 dc483132-0cff-0310-8789-dd5450dbe970
* Refactor krb5int_rd_chpw_rep() and make it properly handle both framedGreg Hudson2011-04-253-349/+165
| | | | | | | | | | and unframed KRB-ERROR messages. Eliminate krb5int_rd_setpw_rep() and krb5int_setpw_result_code_string() by making the chpw versions of those functions handle RFC 3244 replies. ticket: 6893 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24899 dc483132-0cff-0310-8789-dd5450dbe970
* Remove kg_map_toktype(), as the call sites were removed in r21742Greg Hudson2011-04-212-28/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24892 dc483132-0cff-0310-8789-dd5450dbe970
* Handle null OID values in gss_oid_equal()Greg Hudson2011-04-161-0/+3
| | | | | | ticket: 6890 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24885 dc483132-0cff-0310-8789-dd5450dbe970
* Check mech_type as well as mech_name in gssint_import_internal_name(),Greg Hudson2011-04-161-1/+2
| | | | | | | | for the sake of static analyzers. (Also, since this is an internal function, it can be called on a half-constructed MN; checking the type alone would be insufficient.) git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24884 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a code path where mech could be used uninitialized inGreg Hudson2011-04-161-1/+1
| | | | | | | | gss_accept_sec_context after r24645. ticket: 6813 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24883 dc483132-0cff-0310-8789-dd5450dbe970
* Revert r24826. Export krb5int_nfold from libk5crypto and link t_nfoldGreg Hudson2011-04-163-8/+5
| | | | | | | against libk5crypto, matching the approach used in most other library unit tests. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24882 dc483132-0cff-0310-8789-dd5450dbe970
* Remove pointer validation code from the gss krb5 mechGreg Hudson2011-04-1335-809/+35
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24877 dc483132-0cff-0310-8789-dd5450dbe970
* In krb5_gss_display_status, correct the sense of theGreg Hudson2011-04-121-5/+6
| | | | | | | | | g_make_string_buffer test, and return GSS_S_FAILURE if it fails. Reported by snambakam@likewise.com. ticket: 6898 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24876 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-27 10:27:10 +0000