| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
The LDAP debug level option (#7551) causes a build failure with the
Solaris LDAP library, which does not have LDAP_OPT_DEBUG_LEVEL.
ticket: 7870 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
| |
Make unconditional use of <stdint.h> and fixed-width types such as
uint32_t. k5-plugin.h doesn't use any special integer types, so
remove the conditional include block there. Nothing uses
INT64_FMT/UINT64_FMT, so leave those out of k5-platform.h for now.
|
| |
|
|
|
|
|
|
|
|
| |
The built-in word list is not long enough for all of the libdb2 tests
to run properly. Revert d21a86e47a7cda29225013e08d060095b94b2ee7 and
go back to using the system dictionary if we find one. However, omit
any lines from the chosen word list which contain non-alphabetical
characters.
ticket: 7860
|
| |
|
|
|
|
|
|
|
| |
The optimizer in gcc 4.8.1 (but not the current gcc head revision)
breaks the queue.h CIRCLEQ macros, apparently due to an overzealous
strict aliasing deduction. Use TAILQ macros in the libdb2 mpool code
instead.
ticket: 7860
|
| |
|
|
|
|
|
|
|
| |
The system dictionary may contain entries with punctuation, which can
confuse the shell. It's more predictable to always use the word list
from the source tree.
ticket: 7860
status: open
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Start the process of deprecating krb5-send-pr. In practice, it causes
frustration for some users, and free-form email is good enough for
most bug reports.
Continue to install krb5-send-pr for now, but plan to remove it from
the tree in the future, probably replaced by a script that instructs
the user to send email manually.
ticket: 5566
target_version: 1.12.1
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In krb5_ldap_initialize, don't just blat the LDAP error into the
extended message; give an indication of which LDAP operation we were
trying to do and show what parameters we gave to it.
(Also, krb5_set_error_message can handle a null context argument, so
don't bother to check before calling.)
ticket: 7739 (new)
target_version: 1.12
tags: pullup
|
| |
|
|
|
|
|
|
| |
When we allocate space for an array of key_data structures, make sure
we allocate at least one, so we don't spuriously fail on platforms
where malloc(0) returns NULL. Where we use malloc, use k5calloc
instead. Where we use krb5_db_alloc or realloc, just allocate an
extra entry.
|
| |
|
|
|
| |
Wherever we use k5alloc with a multiplication in the size parameter,,
use the new k5calloc helper function instead.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Check return values of read() and write(). Avoid some unsigned
comparisons. Cast a ptrdiff_t value to int for use with %d in a
format string.
[ghudson@mit.edu: rewrap long lines; fix one more warning; commit
message]
|
| |
|
|
|
|
|
|
| |
In a static build, linking dbtest could fail on platforms where libdb2
depends on krb5support (platforms without a native mkstemp). Reported
by Gilles Espinasse <g.esp@free.fr>.
ticket: 7651
|
| |
|
|
|
|
|
|
|
| |
Provide default values in pre.in for PROG_LIBPATH, PROG_RPATH,
SHLIB_DIRS, SHLIB_RDIRS, and STOBJLISTS so that they don't have to be
specified in the common case. Rename KRB5_RUN_ENV and KRB5_RUN_VARS
to RUN_SETUP (already the most commonly used name) and RUN_VARS. Make
sure to use DEFINES for local defines (not DEFS). Remove some other
unnecessary makefile content.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Locking and unlocking a non-recursive mutex is a simple memory
operation and should not fail on any reasonable platform with correct
usage. A pthread mutex can return EDEADLK on lock or EPERM on unlock,
or EINVAL if the mutex is uninitialized, but all of these conditions
would reflect serious bugs in the calling code.
Change the k5_mutex_lock and k5_mutex_unlock wrappers to return void
and adjust all call sites. Propagate this change through
k5_cc_mutex_lock and k5_cc_mutex_unlock as well.
|
| |
|
|
|
|
| |
The locking wrapper for audit_as_req used the wrong function
signature, which was harmless but produced a couple of warnings. Fix
it.
|
| |
|
|
|
|
|
| |
If we cannot open the LDAP password file or cannot find the bind DN in
it, include the filename and DN in the error message.
ticket: 7632
|
| |
|
|
|
|
| |
There's no need to check whether the file exists and is readable
before opening it, and setting an extended error message which is just
strerror_r() of the errno value isn't useful.
|
| |
|
|
| |
entry must be initialized before all code which can jump to cleanup.
|
| |
|
|
|
| |
Initialize policy_dn in krb5_ldap_create_password_policy; free values
unconditionally in all ldap_pwd_policy.c cleanup handlers.
|
| | |
|
| |
|
|
|
| |
Initialize policy_dn since we clean it up. Also free it
unconditionally.
|
| |
|
|
|
| |
For easier static analysis, make sure that krb5_decode_princ_entry
always sets *entry_ptr to a valid entry or NULL.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
If db_args is non-null but empty, status could be returned without
being initialized; gcc with optimization correctly warns about this,
causing a build failure. (This bug was introduced by
0b1dc2f93da4c860dd27f1ac997617b712dff383 which was pushed after the
1.11 release branch, so it isn't in any release.)
|
| |
|
|
| |
ticket: 7585
|
| |
|
|
|
|
| |
Rename the krb5int_buf_ family of functions to use the k5_ prefix for
brevity. Reformat some k5buf implementation code to match current
practices.
|
| |
|
|
|
|
| |
Add k5-int.h static functions to duplicate byte ranges, optionally
with a trailing zero byte, and set an error code like k5alloc does.
Use them where they would shorten existing code.
|
| |
|
|
|
|
| |
Make dec_password a static function in ldap_service_stash.c and remove
some impedance mismatch with krb5_ldap_readpassword() by making it
operate on C strings and return a krb5_error_code.
|
| |
|
|
|
|
|
|
| |
The LDAP KDB module has some code to interpret {FILE} values in stash
files, and set the service_cert_path/pass fields in the ldap context.
But there was no code to actually use those values to do client cert
authentication, so it wasn't useful. Remove the partial
implementation.
|
| |
|
|
|
|
| |
Use the oerr parameter to fetch the existing message. Stop handling
oerr == 0, since no call sites were using it. Free the old error
message before returning.
|
| |
|
|
|
|
|
| |
Add a DB option in the LDAP KDB module to turn on debugging messages.
Adapted from a patch by Zoran Pericic <zpericic@inet.hr>.
ticket: 7551 (new)
|
| |
|
|
|
|
|
|
|
|
| |
krb5_ldap_open and krb5_ldap_create contain two large, almost
identical blocks of DB option processing code. Factor it out into a
new function krb5_ldap_parse_db_params in ldap_misc.c, and simplify
the factored-out code. Create a helper function to add server entries
and use it to simplify krb5_ldap_read_server_params as well as DB
option parsing. Since the new DB option helper uses isspace instead
of isblank, we no longer require portability goop for isblank.
|
| |
|
|
|
| |
Mostly this gets rid of the trailing space on line 2 after
bb76891f5386526bdf91bc790c614fc9296cb5fa.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Stop using and maintaining the policy_refcnt field, and do not try to
prevent deletion of a policy which is still referenced by principals.
Instead, allow principals to refer to policy names which do not exist
as policy objects; treat those principals as having no associated
policy.
In the kadmin client, warn if addprinc or modprinc tries to reference
a policy which doesn't exist, since the server will no longer error
out in this case.
ticket: 7385
|
| |
|
|
|
|
|
|
|
|
|
| |
populate_krb5_db_entry() performs a subsidiary LDAP search to load the
password policy, which it uses to update the pw_expiration field.
This has some minimal value (it causes pw_expiration values in
principals to auto-update whenever the pw_max_life field of a policy
changes), but it's complicated, expensive, and inconsistent with the
DB2 back end. Get rid of it.
ticket: 7535 (new)
|
| |
|
|
|
|
|
|
|
|
|
| |
Correct three cases where the wrong expression was checked to see if
an allocation function returned null.
[ghudson@mit.edu: commit message, patch splitting]
ticket: 7534
target_version: 1.11.1
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
An error case in __bt_first would deference a null pointer. This is
an old upstream BDB bug. Use a separate variable to hold the result
of mpool_get() until it has been checked. Reported by Nickolai
Zeldovich <nickolai@csail.mit.edu>.
ticket: 7511
|
| |
|
|
|
|
| |
Nothing was using KRB5_KDB_SRV_TYPE_PASSWD, so get rid of it.
(kpasswdd is part of kadmind and interacts with the KDB using
KRB5_KDB_SRV_TYPE_ADMIN.)
|
| | |
|
| |
|
|
|
|
| |
ldap_realm.c had some code intended to handle a
krbTicketPolicyReference from a krbRealmContainer object, but there
wasn't enough of it to ever do anything. Remove it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Outside of krb5_ldap_read_krbcontainer_params and
krb5_ldap_create_krbcontainer, no fields of
krb5_ldap_krbcontainer_params were used except for the DN. There was
code to create a krbTicketPolicyReference attribute (which would fail
because the schema doesn't allow that attribute, and was never
exercised because kdb5_ldap_util would never set the parameter) and to
read fields like max ticket life from the referenced ticket policy,
but those fields were never used.
Eliminate the structure and just store the container DN in
krb5_ldap_context. Continue creating the container object when
creating a realm (by calling krb5_ldap_create_krbcontainer
unconditionally; it now exits successfully if the container already
exists), but don't ever read it.
|
| |
|
|
|
|
| |
krb5_ldap_put_principal contained some conditionals for the case where
entry->princ is NULL, but only after entry->princ was dereferenced
unconditionally. It's not necessary to handle this case, so don't.
|
| | |
|
| |
|
|
|
|
|
| |
Since there is no overlap between the clpreauth and kdcpreauth
interface declarations, there's no particular reason to combine them
into one header. For backward compatibility and convenience, leave
behind a preauth_plugin.h which includes both.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Modify ldap_filter_correct() to quote special characters for DN
strings as well as filters, since it is already used to quote a DN
string in krb5_ldap_name_to_policydn() and there's no harm in
over-quoting. In krb5_ldap_put_principal(), quote the unparsed
principal name for use in DNs we choose. In
krb5_ldap_create_password_policy(), use the policy name for the CN of
the policy entry instead of the (possibly quoted) first element of the
DN.
Adapted from a patch by Jim Shi <hanmao_shi@apple.com>.
ticket: 7296
|
| |
|
|
|
|
| |
The old man pages are gone, so we can't install them anymore.
Also clean up install and install-unix targets that were installing
the old man pages by hand.
|
| |
|
|
|
|
|
| |
In the db2 kdb module, use blocking locks for the policy DB as well as
the principal DB.
ticket: 7359
|
| |
|
|
|
|
|
| |
We generate man pages from RST sources now; they are checked into
the tree in src/man/.
The gen-manpages directory is no longer needed.
|
| |
|
|
|
| |
This function wasn't used anywhere. Also remove the declaration for
osa_adb_close_policy(), which doesn't exist.
|
