summaryrefslogtreecommitdiffstats
path: root/src/lib
Commit message (Collapse)AuthorAgeFilesLines
...
* Don't call memset with a zero lengthKen Raeburn2011-01-121-1/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24594 dc483132-0cff-0310-8789-dd5450dbe970
* Asn.1 decode related file rearrangement. It was made based on the following ↵Zhanna Tsitkov2011-01-1110-1292/+1560
| | | | | | | | | | criteria: 1. based on functionality (for example, kdc-only code) 2. Well defined clusters of functions (fast, sam). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24593 dc483132-0cff-0310-8789-dd5450dbe970
* Tighten up the error handling in the mechglue's gss_canonicalize_name,Greg Hudson2011-01-101-32/+14
| | | | | | | | | eliminating a null pointer dereference in the (unlikely) case that allocation of out_union fails. Reported by aberry@likewise.com. ticket: 6817 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24592 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a couple of cases in the SPNEGO implementation where aGreg Hudson2011-01-101-1/+4
| | | | | | | | | half-constructed SPNEGO context could be leaked. Patch from aberry@likewise.com, slightly amended. ticket: 6816 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24591 dc483132-0cff-0310-8789-dd5450dbe970
* Don't attempt to serialize a NULL authdata context when serializing aGreg Hudson2010-12-281-2/+4
| | | | | | | | | | | GSSAPI context (most often seen with initiator contexts). Patch from aberry@likewise.com. ticket: 6675 target_version: 1.9.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24590 dc483132-0cff-0310-8789-dd5450dbe970
* Don't use a krb5 context in t_fork, since we don't set up a krb5.confGreg Hudson2010-12-281-2/+5
| | | | | | in the crypto test directory's "make check". git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24589 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate some unused variable warningsGreg Hudson2010-12-203-2/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24583 dc483132-0cff-0310-8789-dd5450dbe970
* Remove an unnecessary clause from safe_cksumtype() which served onlyGreg Hudson2010-12-161-1/+1
| | | | | | to create a theoretical (but impossible in practice) memory leak. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24581 dc483132-0cff-0310-8789-dd5450dbe970
* Ensure time() is prototyped in g_accept_sec_context.cGreg Hudson2010-12-141-0/+1
| | | | | | | | | | | | | r22736 added a call to time() in g_accept_sec_context.c. Include <time.h> to ensure that this call is correctly prototyped. Previously <time.h> was only included implicitly through <pthread.h>, which doesn't apply when thread support is disabled. ticket: 6842 tags: pullup target_version: 1.9 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24568 dc483132-0cff-0310-8789-dd5450dbe970
* memory leak in changepw.cTom Yu2010-12-141-0/+1
| | | | | | | | | | Apply patch from Marcus Watts to avoid a memory leak in changepw.c. ticket: 6841 tags: pullup target_version: 1.9 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24567 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a regression in the client-side ticket renewal code where KDCGreg Hudson2010-12-141-1/+4
| | | | | | | | | | | | options were not folded into the renewal request (most notably, the KDC_OPT_RENEWABLE flag), so we didn't request renewable renewed tickets. Add a simple test case for ticket renewal. ticket: 6838 tags: pullups target_version: 1.9 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24566 dc483132-0cff-0310-8789-dd5450dbe970
* typo in plugin-related error messageTom Yu2010-12-141-1/+1
| | | | | | | | | | Apply patch from Marcus Watts to fix error message typo. ticket: 6840 tags: pullup target_version: 1.9 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24565 dc483132-0cff-0310-8789-dd5450dbe970
* handle MS PACs that lack server checksumTom Yu2010-12-101-1/+26
| | | | | | | | | | | | | | | | | | | | | | target_version 1.9 tags: pullup Apple Mac OS X Server's Open Directory KDC issues MS PAC like authorization data that lacks a server checksum. If this checksum is missing, mark the PAC as unverfied, but allow krb5int_authdata_verify() to succeed. Filter out the unverified PAC in subsequent calls to krb5_authdata_get_attribute(). Add trace points to indicate where this behavior occurs. Thanks to Helmut Grohne for help with analysis. This bug is also Debian Bug #604925: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604925 This change should also get backported to krb5-1.8.x. ticket: 6839 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24564 dc483132-0cff-0310-8789-dd5450dbe970
* Add comment noting that RFC 4121 appears to omit RC4-HMAC from theTom Yu2010-12-072-0/+4
| | | | | | | | | list of "not-newer" enctypes, even though RFC 4757 effectively treats it as one. Suggested by Derrick Brashear. ticket: 6835 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24563 dc483132-0cff-0310-8789-dd5450dbe970
* update dependenciesKen Raeburn2010-12-058-63/+91
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24561 dc483132-0cff-0310-8789-dd5450dbe970
* Implement restrict_anonymous_to_tgt realm flagGreg Hudson2010-12-012-0/+8
| | | | | | | | | | | | | Implement a new realm flag to reject ticket requests from anonymous principals to any principal other than the local TGT. Allows FAST to be deployed using anonymous tickets as armor in realms where the set of authenticatable users must be constrained. ticket: 6829 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24547 dc483132-0cff-0310-8789-dd5450dbe970
* SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)Greg Hudson2010-11-3011-71/+81
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix multiple checksum handling bugs, as described in: CVE-2010-1324 CVE-2010-1323 CVE-2010-4020 CVE-2010-4021 * Return the correct (keyed) checksums as the mandatory checksum type for DES enctypes. * Restrict simplified-profile checksums to their corresponding etypes. * Add internal checks to reduce the risk of stream ciphers being used with simplified-profile key derivation or other algorithms relying on the block encryption primitive. * Use the mandatory checksum type for the PKINIT KDC signature, instead of the first-listed keyed checksum. * Use the mandatory checksum type when sending KRB-SAFE messages by default, instead of the first-listed keyed checksum. * Use the mandatory checksum type for the t_kperf test program. * Use the mandatory checksum type (without additional logic) for the FAST request checksum. * Preserve the existing checksum choices (unkeyed checksums for DES enctypes) for the authenticator checksum, using explicit logic. * Ensure that SAM checksums received from the KDC are keyed. * Ensure that PAC checksums are keyed. ticket: 6827 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24538 dc483132-0cff-0310-8789-dd5450dbe970
* Install gssapi_ext.h on Windows. Include gssapi_ext.h in the headerGreg Hudson2010-11-301-1/+2
| | | | | | | | files considered by def-check.pl in verify-calling-conventions-gssapi. ticket: 6826 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24537 dc483132-0cff-0310-8789-dd5450dbe970
* Use for loops for recursion in the Windows build, cutting down on theGreg Hudson2010-11-2869-788/+74
| | | | | | | | | verbiage in Makefile.in files. For correctness of output, every Makefile.in mydir= definition is changed to use $(S) instead of /. ticket: 6826 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24536 dc483132-0cff-0310-8789-dd5450dbe970
* Supply static ordinals for new symbols in gssapi32.def and krb5_32.def,Greg Hudson2010-11-262-182/+182
| | | | | | | | for consistency with KFW 3.x. ticket: 6826 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24535 dc483132-0cff-0310-8789-dd5450dbe970
* Fix how gssapi.h is rebuilt on Windows; accidentally omitted fromGreg Hudson2010-11-251-0/+4
| | | | | | | | r24533. ticket: 6826 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24534 dc483132-0cff-0310-8789-dd5450dbe970
* Fix Windows buildGreg Hudson2010-11-2552-310/+460
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Repair the Windows build. Tested with the prepare-on-Unix method. Some specific changes include: * Removed the IPC finalizer (no longer used after r20787) from ccapi/lib/ccapi_ipc.c, as it was creating a difficult dependency chain for the pingtest build in ccapi/test. Also updated pingtest to use the k5_ipc_stream interfaces since cci_stream is gone. * Reverted the apparently non-functional r20277. * klist -V prints just "Kerberos for Windows", since it has no access to PACKAGE_NAME and PACKAGE_VERSION from autoconf. This should be addressed correctly. * krb5, telnet, gssftp, and NIM are removed from the build. * Some files had CRLFs; these were replaced with LFs and the svn:eol-style property set on the files. Otherwise the CRLFs became CRCRLFs after the zip transfer. * Windows does not have opendir/readdir, so added Windows code to prof_parse.c for includedir. Probable fodder for a libkrb5support portability shim. ticket: 6826 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24533 dc483132-0cff-0310-8789-dd5450dbe970
* Update krb5_gic_opt_private and related code to reflect the change ofTom Yu2010-11-231-1/+1
| | | | | | | | | krb5_expire_callback_func from a function typedef to a function pointer typedef. This was causing segfaults. ticket: 6825 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24532 dc483132-0cff-0310-8789-dd5450dbe970
* Export krb5_tkt_creds_getGreg Hudson2010-11-231-0/+1
| | | | | | | | | | krb5_tkt_creds_get was overlooked in the export list; add it. ticket: 6824 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24528 dc483132-0cff-0310-8789-dd5450dbe970
* Suppress building camellia-gen in "make check" for now (it has a buildGreg Hudson2010-11-211-1/+2
| | | | | | | issue on Solaris which will go away when Camellia support becomes unconditional). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24525 dc483132-0cff-0310-8789-dd5450dbe970
* Implement Camellia-CTS-CMAC instead of Camellia-CCMGreg Hudson2010-11-2038-1515/+2449
| | | | | | | | | | | Replace the Camellia-CCM enctypes with Camellia-CTS-CMAC. Still not compiled in by default since we don't have enctype assignments yet. ticket: 6822 target_verion: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24524 dc483132-0cff-0310-8789-dd5450dbe970
* Include <openssl/des.h> in the OpenSSL back end's weak_key.c for theGreg Hudson2010-11-091-0/+1
| | | | | | DES_is_weak_key prototype. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24512 dc483132-0cff-0310-8789-dd5450dbe970
* Use size_t to hold set counts in net-server.cGreg Hudson2010-11-031-9/+9
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24506 dc483132-0cff-0310-8789-dd5450dbe970
* krb5_get_error_message cannot return NULL, and returns "Success" onGreg Hudson2010-11-013-11/+6
| | | | | | error code 0. Simplify some overly paranoid code accordingly. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24489 dc483132-0cff-0310-8789-dd5450dbe970
* Don't fail out from krb5_get_credentials() if we can't store a ticketGreg Hudson2010-10-271-10/+4
| | | | | | | | into the ccache. ticket: 6812 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24488 dc483132-0cff-0310-8789-dd5450dbe970
* FILE keytabs have been able to handle write operations since krb5 1.7,Greg Hudson2010-10-261-31/+12
| | | | | | | | | | as an apparently unintended side effect of r20594. Clean up the code by combining the identical resolve functions for FILE and WRFILE, and removing the code to set up a WRFILE default keytab name in kadmin.c. Also fixes a slight display bug; k5test.py needs to be adjusted to expect the correct output. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24487 dc483132-0cff-0310-8789-dd5450dbe970
* Add a kg_encrypt_inplace() utility function to the krb5 GSS mech, andGreg Hudson2010-10-266-101/+108
| | | | | | | | | | use it where we do in-place encryption of checksums in the non-CFX seal tokens with raw DES enctypes. Avoids a harmless but incorrect in-place memcpy(). ticket: 6770 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24485 dc483132-0cff-0310-8789-dd5450dbe970
* Set *conf_state on successful return fromGreg Hudson2010-10-261-0/+2
| | | | | | | | | | | gss_krb5int_make_seal_token_v3_iov, fixing a case where it wasn't always set by gss_wrap_iov. Patch from aberry@likewise.com. ticket: 6809 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24483 dc483132-0cff-0310-8789-dd5450dbe970
* When we create a temporary memory ccache for use within aGreg Hudson2010-10-255-3/+10
| | | | | | | | | | | krb5_gss_cred_id_rec, set a flag to indicate that the ccache should be destroyed rather than closed. Patch from aberry@likewise.com. ticket: 6787 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24482 dc483132-0cff-0310-8789-dd5450dbe970
* Use safer output parameter handling inGreg Hudson2010-10-251-2/+4
| | | | | | | | | | krb5_gss_acquire_cred_impersonate_name and its subsidiary helpers. ticket: 6796 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24481 dc483132-0cff-0310-8789-dd5450dbe970
* In acquire_init_cred in the GSS krb5 mech, don't intern cred->name,Greg Hudson2010-10-251-4/+2
| | | | | | | | | | | since it's not used as an output parameter. Fixes a memory leak. Reported by aberry@likewise.com. ticket: 6793 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24480 dc483132-0cff-0310-8789-dd5450dbe970
* WhitespaceGreg Hudson2010-10-241-1/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24479 dc483132-0cff-0310-8789-dd5450dbe970
* Declare xdr_purgekeys_argKen Raeburn2010-10-231-0/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24476 dc483132-0cff-0310-8789-dd5450dbe970
* Include k5-int.h for function declarationsKen Raeburn2010-10-231-0/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24473 dc483132-0cff-0310-8789-dd5450dbe970
* Try harder to retain the "brand" string in the shared libraryKen Raeburn2010-10-232-5/+14
| | | | | | | Make the brand array non-static, and actually use the value in (the infrequently-called) krb5_init_secure_context. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24471 dc483132-0cff-0310-8789-dd5450dbe970
* Better libk5crypto NSS fork safetyGreg Hudson2010-10-233-6/+124
| | | | | | | | | | | | | Use SECMOD_RestartModules() from the forthcoming NSS 3.12.9 release to make the libk5crypto back end work after a fork. Add a test program to exercise fork detection in the NSS back end. Add a configure-time version check to ensure that we're using NSS 3.12.9 or later. ticket: 6810 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24470 dc483132-0cff-0310-8789-dd5450dbe970
* Make it possible to override CRYPTO_IMPL_CFLAGS and CRYPTO_IMPL_LIBS atGreg Hudson2010-10-229-9/+20
| | | | | | make time. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24469 dc483132-0cff-0310-8789-dd5450dbe970
* WhitespaceGreg Hudson2010-10-131-5/+7
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24454 dc483132-0cff-0310-8789-dd5450dbe970
* Fix leaks in get_init_creds interfaceSam Hartman2010-10-131-3/+9
| | | | | | | | | | | | | | | | | In Debian Bug 598032, Bastian Blank points out that there are two leaks in the get_init_creds interface: * Free ctx->request->padata after sending the KDC request so it is not overwritten the next time around the loop. * If options is NULL passed into krb5_get_init_creds_init, then set up a non-extended options structure so that krb5_get_init_creds_free will free the options. ticket: 6801 target_version: 1.9 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24452 dc483132-0cff-0310-8789-dd5450dbe970
* When returning KRB5_KT_NOTFOUND from krb5_ktfile_get_entry, set anGreg Hudson2010-10-111-1/+8
| | | | | | extended error message indicating which principal was not found. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24448 dc483132-0cff-0310-8789-dd5450dbe970
* Plug a memory leak in gss_indicate_mechsGreg Hudson2010-10-091-1/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24447 dc483132-0cff-0310-8789-dd5450dbe970
* Encoding cleanup: curly quotes to ASCII quotes, and some ISO-8859-1Tom Yu2010-10-0840-40/+40
| | | | | | files to UTF-8. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24446 dc483132-0cff-0310-8789-dd5450dbe970
* In gss_indicate_mechs, avoid setting the output pointer until successGreg Hudson2010-10-081-17/+17
| | | | | | is guaranteed. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24445 dc483132-0cff-0310-8789-dd5450dbe970
* In gss_inquire_attrs_for_mech, remove the assumption that mech_attrsGreg Hudson2010-10-081-1/+2
| | | | | | != NULL in a particular error case. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24444 dc483132-0cff-0310-8789-dd5450dbe970
* Remove duplicate code block in spnego_gss_set_cred_option()Greg Hudson2010-10-081-17/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24443 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-28 00:02:47 +0000