summaryrefslogtreecommitdiffstats
path: root/src/lib
Commit message (Collapse)AuthorAgeFilesLines
...
* Add correct error table when initializing gss-krb5Greg Hudson2010-06-211-1/+1
| | | | | | | | | | | | | | | gss_krb5int_lib_init was adding the generic GSS error table (again) instead of the krb5 error table, which could lead to crashes on library unload. This bug was introduced in krb5 1.7; the fix is also applicable there. Patch from Leonardo Chiquitto <leonardo.lists@gmail.com>. ticket: 6745 target_version: 1.8.3 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24139 dc483132-0cff-0310-8789-dd5450dbe970
* only test t_locate_kdc if known-good DNS name is presentTom Yu2010-06-181-6/+20
| | | | | | | | | | | | | | | | Running "make check" while offline or on a firewalled network may result in failure in lib/krb5/os because the invocation of t_locate_kdc requires that the DNS servers for ATHENA.MIT.EDU be reachable. Autodetect DNS utilities "dig" and "nslookup", and use them to check for existence of the known-good DNS name. Also parameterize the test so that the known-good DNS name can be overridden on the make command line. ticket: 6744 target_version: 1.8.3 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24138 dc483132-0cff-0310-8789-dd5450dbe970
* Remove the code for krb5_append_addresses(), which was never used andGreg Hudson2010-06-111-58/+0
| | | | | | was ifdef'd out fifteen years ago in r5464. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24133 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate actx_copy_addr in auth_con.c; use krb5_copy_addr insteadGreg Hudson2010-06-111-23/+6
| | | | | | (it's exactly the same). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24132 dc483132-0cff-0310-8789-dd5450dbe970
* In yarrow.c, undefine k5-trace.h's TRACE before defining it to avoid aGreg Hudson2010-06-101-0/+1
| | | | | | conflict. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24126 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a couple of minor defects in trace.cGreg Hudson2010-06-101-3/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24124 dc483132-0cff-0310-8789-dd5450dbe970
* Stop checking the current time against the context expiration time inGreg Hudson2010-06-083-29/+3
| | | | | | | | | | | | | | | | the message wrap/unwrap functions in the krb5 GSS mech. Heimdal doesn't do it, and it generally results in poor app behavior when a ticket expires. In exchange, it doesn't provide much security benefit since it's not enforced across the board--for example, ssh sessions can persist beyond ticket expiration time since they don't use GSS to wrap payload data. (This is a continuation of r24120, which should have contained the changes to all four files.) ticket: 6739 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24121 dc483132-0cff-0310-8789-dd5450dbe970
* Stop checking the current time against the context expiration time inGreg Hudson2010-06-081-14/+0
| | | | | | | | | | | | | | | the message wrap/unwrap functions in the krb5 GSS mech. Heimdal doesn't do it, and it generally results in poor app behavior when a ticket expires. In exchange, it doesn't provide much security benefit since it's not enforced across the board--for example, ssh sessions can persist beyond ticket expiration time since they don't use GSS to wrap payload data. ticket: 6739 target_version: 1.8.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24120 dc483132-0cff-0310-8789-dd5450dbe970
* make dependGreg Hudson2010-06-0735-1586/+1729
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24119 dc483132-0cff-0310-8789-dd5450dbe970
* Trace loggingGreg Hudson2010-06-0720-88/+568
| | | | | | | | | | | | | | | | Add trace logging infrastructure code, enabled by the KRB5_TRACE environment variable or the API functions krb5_set_trace_callback() or krb5_set_trace_filename(). As a start, add tracing events for: * AS-REQ client code, including FAST and preauth * TGS-REQ client code * AP-REQ and AP-REP code (client and server) * sendto_kdc * Selected ccache operations * Selected keytab operations ticket: 6737 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24118 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_enctype_to_name() APIGreg Hudson2010-06-043-3/+30
| | | | | | | | | | Add an API to return the input name, or optionally the shortest alias, of an enctype. Similar to krb5_enctype_to_string() which returns a description. ticket: 6736 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24117 dc483132-0cff-0310-8789-dd5450dbe970
* In krb5_cc_set_config, don't call krb5_cc_remove_cred; it's redundantGreg Hudson2010-05-281-4/+0
| | | | | | with the krb5_cc_remove_cred call in krb5_cc_store_cred. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24110 dc483132-0cff-0310-8789-dd5450dbe970
* make dependGreg Hudson2010-05-282-15/+12
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24109 dc483132-0cff-0310-8789-dd5450dbe970
* From Luke: make copies of S4U2Proxy authdata modules work when thereGreg Hudson2010-05-281-1/+1
| | | | | | is no S4U2Proxy authdata. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24107 dc483132-0cff-0310-8789-dd5450dbe970
* Remove the get_masters logic in locate_srv_conf_1 which was orphanedGreg Hudson2010-05-272-63/+11
| | | | | | by r15736 when we added the master_kdc profile variable. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24106 dc483132-0cff-0310-8789-dd5450dbe970
* Get t_ser to build again after the S4U authdata branch mergeGreg Hudson2010-05-271-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24105 dc483132-0cff-0310-8789-dd5450dbe970
* FAST negotiation could erroneously succeedGreg Hudson2010-05-251-0/+1
| | | | | | | | | | | | | | When FAST negotiation is performed against an older KDC (rep->enc_part2->flags & TKT_FLG_ENC_PA_REP not set), krb5int_fast_verify_nego did not set the value of *fast_avail, causing stack garbage to be used in init_creds_step_reply. Initialize *fast_avail at the beginning of the function per coding practices. ticket: 6734 target_version: 1.8.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24102 dc483132-0cff-0310-8789-dd5450dbe970
* Fix long lines and other formatting issues in fast.hGreg Hudson2010-05-241-25/+36
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24101 dc483132-0cff-0310-8789-dd5450dbe970
* Fix long lines and other formatting issues in fast.cGreg Hudson2010-05-241-56/+81
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24100 dc483132-0cff-0310-8789-dd5450dbe970
* Make signedpath authdata visible via GSS naming extsGreg Hudson2010-05-235-2/+615
| | | | | | | | | | Merge users/lhoward/signedpath-naming-exts to trunk. Adds an authdata provider which makes non-PAC S4U2Proxy signedpath authdata visible to application servers via GSS naming extensions. ticket: 6733 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24094 dc483132-0cff-0310-8789-dd5450dbe970
* Apply patch from Arlene Berry to detect and ignore a duplicateTom Yu2010-05-201-0/+12
| | | | | | | | | | | mechanism token sent in the mechListMIC field, such as sent by Windows 2000 Server. ticket: 6726 target_version: 1.8.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24075 dc483132-0cff-0310-8789-dd5450dbe970
* In gss_acquire_cred_with_password() and gss_add_cred_with_password(),Greg Hudson2010-05-201-38/+23
| | | | | | | require desired_name to be set, and always honor it. This is consistent with the Sun implementation and simplifies the code. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24072 dc483132-0cff-0310-8789-dd5450dbe970
* CVE-2010-1321 GSS-API lib null pointer deref (MITKRB5-SA-2010-005)Tom Yu2010-05-191-0/+7
| | | | | | | | | | | Make krb5_gss_accept_sec_context() check for a null authenticator checksum pointer before attempting to dereference it. ticket: 6725 tags: pullup target_version: 1.8.2 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24056 dc483132-0cff-0310-8789-dd5450dbe970
* When parsing a KDC or admin server string, allow the name or addressGreg Hudson2010-05-182-40/+55
| | | | | | | | | to be enclosed in brackets so that IPv6 addresses can be represented. (IPv6 addresses contain colons, which look like port separators.) ticket: 6562 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24055 dc483132-0cff-0310-8789-dd5450dbe970
* Improve the error message from kadmin when hostname resolution failsGreg Hudson2010-05-183-4/+7
| | | | | | | for the admin server. (The extended message won't be displayed by kadmin currently; that's a separate issue.) git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24054 dc483132-0cff-0310-8789-dd5450dbe970
* If gss_inquire_cred is called with a null credential, acquire aGreg Hudson2010-05-171-44/+13
| | | | | | | | default initiator credential and process it normally, instead of using a completely different code path (the default mechanism's inquire_cred handler). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24052 dc483132-0cff-0310-8789-dd5450dbe970
* The mechglue always passes null for desired_mechs and actual_mechsGreg Hudson2010-05-177-244/+30
| | | | | | | when invoking gss_acquire_cred and friends. Eliminate a lot of unused and untestable logic in the krb5 mech which processed those arguments. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24051 dc483132-0cff-0310-8789-dd5450dbe970
* The mechglue never invokes a mech's gss_add_cred function. Remove theGreg Hudson2010-05-174-411/+1
| | | | | | | | krb5 mech's add_cred implementation and null it out in the table. (This has the effect of removing the IAKERB add_cred implementation. SPNEGO already had it nulled out.) git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24050 dc483132-0cff-0310-8789-dd5450dbe970
* Reformat with shorter linesKen Raeburn2010-05-161-15/+23
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24043 dc483132-0cff-0310-8789-dd5450dbe970
* Delete an old pre-Yarrow itemKen Raeburn2010-05-161-4/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24042 dc483132-0cff-0310-8789-dd5450dbe970
* Update dependenciesKen Raeburn2010-05-163-22/+34
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24041 dc483132-0cff-0310-8789-dd5450dbe970
* Stop exporting some profile symbols that aren't either published inKen Raeburn2010-05-161-27/+0
| | | | | | the header or known serialization functions used by the krb5 library. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24040 dc483132-0cff-0310-8789-dd5450dbe970
* Negative enctypes improperly read from ccachesGreg Hudson2010-05-131-1/+2
| | | | | | | | | When reading enctypes from ccaches, we need to sign-extend the 16-bit value we read in order to properly read negative enctypes. ticket: 6723 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24021 dc483132-0cff-0310-8789-dd5450dbe970
* Error handling bug in krb5_init_creds_init()Greg Hudson2010-05-131-4/+5
| | | | | | | | | | | Fix a bug in krb5_init_creds_init() where a freed context could be returned to the caller in certain error cases. ticket: 6722 tags: pullup target_version: 1.8.2 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24020 dc483132-0cff-0310-8789-dd5450dbe970
* Negative enctypes improperly read from keytabsGreg Hudson2010-05-131-3/+2
| | | | | | | | | | When reading enctypes from keytabs, we need to ntohs() the 16-bit value we read in before sign-extending it to a 32-bit value in the keyblock, or we run the risk of extending the wrong sign. ticket: 6720 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24016 dc483132-0cff-0310-8789-dd5450dbe970
* Remove krb5_get_in_tktTom Yu2010-05-121-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24013 dc483132-0cff-0310-8789-dd5450dbe970
* Reimplement krb5_get_in_tkt_with_skey in terms of krb5_get_init_creds,Greg Hudson2010-05-125-1142/+53
| | | | | | | | | | | | | | similar to how the password and keytab equivalents were done. Eliminate krb5_get_in_tkt. It's been very hard to use since we made krb5_kdc_rep_decrypt_proc private (in krb5 1.7 the prototype was taken out of krb5.h altogether), and it's unlikely that anything would have used it directly in the first place. Remove and/or simplify a lot of code depended on by krb_get_in_tkt, including all of preauth.c. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24012 dc483132-0cff-0310-8789-dd5450dbe970
* Remove some unused fields from kadm5_config_params. Bump the clientGreg Hudson2010-05-044-10/+2
| | | | | | and server sonames. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23969 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate the unused realm_dbname field from krb5_realm_paramsGreg Hudson2010-05-042-6/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23968 dc483132-0cff-0310-8789-dd5450dbe970
* Remove krb5_db_set_option and the associated DAL entry. It was notGreg Hudson2010-05-041-16/+0
| | | | | | used. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23965 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate some uses of variables as format strings. Based on a patchGreg Hudson2010-05-031-8/+1
| | | | | | | | from Guillaume Rousse <Guillaume.Rousse@inria.fr>. ticket: 6714 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23963 dc483132-0cff-0310-8789-dd5450dbe970
* Fix some bugs in the IAKERB code discovered by Coverity. Also trimGreg Hudson2010-05-013-28/+18
| | | | | | | down iakerb_initiator_step() a little using krb5_data constructors and avoiding vertical function arguments. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23961 dc483132-0cff-0310-8789-dd5450dbe970
* Add IAKERB mechanism and gss_acquire_cred_with_passwordGreg Hudson2010-04-3029-305/+2542
| | | | | | | | | | | | | | Merge branches/iakerb to trunk. Includes the following: * New IAKERB mechanism. * New gss_acquire_cred_with_password mechglue function. * ASN.1 encoders and decoders for IAKERB structures (with tests). * New shortcuts in gss-sample client and server. * Tests to exercise SPNEGO and IAKERB using gss-sample application. ticket: 6712 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23960 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a backwards check in get_cached_tgt() in the TGS codeGreg Hudson2010-04-271-3/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23945 dc483132-0cff-0310-8789-dd5450dbe970
* Squash some warnings in the old crypto API glue. Use make_data()Greg Hudson2010-04-261-42/+20
| | | | | | where appropriate so that magic fields get initialized. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23942 dc483132-0cff-0310-8789-dd5450dbe970
* Adapted patch from Jason Rogers. It wasn't complete, so this commitTom Yu2010-04-231-10/+0
| | | | | | | | | | | | | fixes the other instances of the 64-bit problem. Also fix krb5_deltat_to_str(), which would previously always return an empty string. ticket: 6698 target_version: 1.8.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23928 dc483132-0cff-0310-8789-dd5450dbe970
* From Luke: fix the post-canonicalization cache check logic inGreg Hudson2010-04-221-5/+11
| | | | | | krb5_get_credentials_for_user(). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23927 dc483132-0cff-0310-8789-dd5450dbe970
* In kg_new_connection(), make sure k_cred is freed in all failureGreg Hudson2010-04-221-3/+2
| | | | | | cases. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23926 dc483132-0cff-0310-8789-dd5450dbe970
* Apply patch from Arlene Berry to cease freeing error tokens output byTom Yu2010-04-221-3/+0
| | | | | | | | | | | accept_sec_context, allowing them to actually be sent to the initiator. ticket: 6696 target_version: 1.8.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23925 dc483132-0cff-0310-8789-dd5450dbe970
* In kpasswd_sendto_msg_callback(), properly compare against theGreg Hudson2010-04-221-1/+2
| | | | | | wildcard IPv6 address instead of comparing an array address to 0. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23921 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-29 05:50:48 +0000