summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* Disable trace test comparison for nowGreg Hudson2012-06-051-1/+2
| | | | | | The t_trace output isn't consistent from run to run. To fix "make check", disable the comparison against the reference file until we can make the output consistent.
* Fix trace log unit testGreg Hudson2012-06-042-1/+53
| | | | | | | Only use common denominator Bourne shell syntax for exporting environment variables. Don't rely on /dev/stdout working. Compare the output with a reference file to detect changes, instead of just sending it to stdout.
* Fix -DDEBUG compilation errorsHenry B. Hotz2012-06-045-3/+6
| | | | ticket: 7150
* Fail from gss_acquire_cred if we have no keytabGreg Hudson2012-06-032-0/+15
| | | | | | | | If a caller tries to acquire krb5 acceptor creds with no desired name and we have no keytab keys, fail from gss_acquire_cred instead of deferring until gss_accept_sec_context. ticket: 7159 (new)
* Use first mech's status in gss_acquire_credGreg Hudson2012-06-031-3/+11
| | | | | | | | | | | If we can't acquire creds for any mech in gss_acquire_cred, return the status of the first mech instead of the last mech, as it's more useful in the typical case (where the first mech is krb5 and the last mech is SPNEGO). This error reporting is not ideal when the user was expecting to use some mech other than krb5, but it's about as good as things were prior to #6894. ticket: 6973
* Improve error message from krb5_kt_have_contentGreg Hudson2012-06-031-2/+10
|
* Remove outdated comment in k5test.pyGreg Hudson2012-06-031-17/+0
|
* Add krb5_kt_have_content APIGreg Hudson2012-06-025-0/+43
| | | | | | | | | | | | | Add the krb5_kt_have_content API from Heimdal, which can be used to test whether a keytab exists and contains entries. Add tests to t_keytab.c. There is a deviation from Heimdal in the function signature. Heimdal's signature returns a krb5_boolean at the moment, because the Heimdal implementation actually returns a krb5_error_code. These are generally the same type anyway (int). ticket: 7158 (new)
* Tighten up error checking in t_keytab.cGreg Hudson2012-06-021-29/+16
| | | | | | | When checking for specific error codes, using CHECK() meant that we wouldn't properly fail if we got error code 0. Define and use a CHECK_ERR() to test for a specific error code, and define CHECK() in terms of it.
* Use correct profile var in krb5_get_tgs_ktypesGreg Hudson2012-06-011-1/+1
| | | | | | | | | | | In r21879, when we converted to using KRB5_CONF macros for profile variable names, we made a typo in krb5_get_tgs_ktypes and erroneously started using default_tkt_enctypes instead of default_tgs_enctypes for TGS requests. Fix the typo and return to the documented behavior. ticket: 7155 target_version: 1.10.3 tags: pullup
* Use a hash table in the KDC lookaside cacheGreg Hudson2012-05-304-110/+160
| | | | | | | Add a hash table to kdc/replay.c for fast lookup of incoming packets. Continue to keep a time-ordered linked list of all entries for fast expiry of stale entries. The preprocessor constant LOOKASIDE_HASH_SIZE can be used to change the size of the hash table.
* Add a copy of the BSD <sys/queue.h> as k5-queue.hGreg Hudson2012-05-301-0/+748
| | | | | queue.h implements various types of linked lists as cpp macros, without needing any library support.
* Null pointer deref in kadmind [CVE-2012-1013]Richard Basch2012-05-291-1/+1
| | | | | | | | | | | | | | | | The fix for #6626 could cause kadmind to dereference a null pointer if a create-principal request contains no password but does contain the KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix name"). Only clients authorized to create principals can trigger the bug. Fix the bug by testing for a null password in check_1_6_dummy. CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C [ghudson@mit.edu: Minor style change and commit message] ticket: 7152 target_version: 1.10.2 tags: pullup
* Fix TRACE_GET_CRED_VIA_TKT_EXT format stringGreg Hudson2012-05-241-2/+2
|
* Fix S4U user identification in preauth caseGreg Hudson2012-05-241-4/+2
| | | | | | | | | | | | | | | | | | | | | | | In 1.10, encrypted timestamp became a built-in module instead of a hardcoded padata handler. This changed the behavior of krb5_get_init_creds as invoked by s4u_identify_user such that KRB5_PREAUTH_FAILED is returned instead of the gak function's error. (Module failures are not treated as hard errors, while hardcoded padata handler errors are.) Accordingly, we should look for KRB5_PREAUTH_FAILED in s4u_identify_user. On a less harmful note, the gak function was returning a protocol error code instead of a com_err code, and the caller was testing for a different protocol error code (KDC_ERR_PREAUTH_REQUIRED) which could never be returned by krb5_get_init_creds. Clean up both of those by returning KRB5_PREAUTH_FAILED from the gak function and testing for that alone. Reported by Michael Morony. ticket: 7136 target_version: 1.10.2 tags: pullup
* Convert DEBUG_REFERRALS to TRACE_* frameworkW. Trevor King2012-05-237-74/+68
| | | | | | | | | The referrals debugging code under DEBUG_REFERRALS ceased building correctly at some point. Convert this debugging code to use the tracing framework instead, including adding new trace macros to k5-trace.h. ticket: 7151
* Add tests for trace.c formattingW. Trevor King2012-05-232-2/+259
| | | | | | This improves the previously minimal test coverage of "trace.c". ticket: 7151
* Add support for "{ptype}" trace format specifierW. Trevor King2012-05-232-0/+25
| | | | | | | Add the "{ptype}" trace format specifier, for principal name types. Also document the new option in the "k5-trace.h" comments. ticket: 7151
* Document "{keytab}" trace format specifierW. Trevor King2012-05-231-0/+1
|
* Export gss_mech_krb5_wrong from libgssapi_krb5Greg Hudson2012-05-221-0/+1
| | | | | | | | | | Although there are few legitimate reasons to use gss_mech_krb5_wrong, it's declared in the public header and exported in the Windows DLL. So export it from the Unix library as well. ticket: 7148 (new) target_version: 1.10.2 tags: pullup
* Export krb5_set_trace_callback/filenameGreg Hudson2012-05-212-1/+6
| | | | | | | | | | krb5_set_trace_callback and krb5_set_trace_filename were added to krb5.h in krb5 1.9, but were mistakenly left out of the library export lists. Add them now. Reported by Russ Allbery. ticket: 7143 target_version: 1.10.2 tags: pullup
* Fix "(empty" typo in "{etypes}" handler in trace.cW. Trevor King2012-05-181-1/+1
| | | | ticket: 7137
* Fix "(null" typo in "{key}" handler in trace.cW. Trevor King2012-05-181-1/+1
| | | | ticket: 7134
* Correct the name of krb5int_trace in commentsTom Yu2012-05-171-4/+4
| | | | | | Patch from W. Trevor King. ticket: 7133
* Add missing $(LIBS) to some shared librariesTom Yu2012-05-175-5/+5
| | | | | | | | | | Add $(LIBS) to the $(SHLIB_EXPLIBS) for some shared libraries which did not previously include it, which prevented gcov from working properly in some cases. Patch from W. Trevor King. ticket: 7138
* Make mkrel work on non-master branchesTom Yu2012-05-151-3/+4
| | | | | | Appending "--" to the git checkout arguments appears to prevent it from automatically creating a local branch from the remote. Also correct the default git URL and clean up a spurious find warning.
* Update CHANGES file generation for GitTom Yu2012-05-141-1/+1
| | | | Use the correct git log invocation for generating the CHANGES file.
* Update patchlevel.h for Git repositoryTom Yu2012-05-141-2/+2
| | | | Use "master", not "trunk", as RELTAG now.
* Add missing newline to sn2princ debug messageGreg Hudson2012-05-141-1/+2
| | | | | | Patch from wking@tremily.us. ticket: 7131
* Convert util/mkrel to use git instead of svnGreg Hudson2012-05-141-26/+15
|
* Check alloc_data result in krb5int_old_encryptGreg Hudson2012-05-131-0/+2
|
* Clean up a redundant assignment in libprofileGreg Hudson2012-05-131-2/+0
|
* Avoid extern inline in asn1buf.hGreg Hudson2012-05-131-2/+4
| | | | | | | | Avoid using extern inline in asn1buf.h, as there are two conflicting sets of semantics (gnu89's and C99's). gcc defaults to the gnu89 semantics, which we were using, while clang defines __GNUC__ but defaults to the C99 semantics. To simplify things, use static inline instead, like we do in k5-int.h.
* Don't stomp minor code in spnego_gss_acquire_credGreg Hudson2012-05-131-3/+3
| | | | | | | When spnego_gss_acquire_cred passes through a failure status from the mechglue, it overwrites the minor code with a call to gss_release_oid_set(). Use a temporary minor status for that and a related call.
* Remove find-missing-eol-prop and fix-eol-propGreg Hudson2012-05-122-21/+0
| | | | | Remove two Subversion-specific scripts which are no longer necessary now that the master repository is in git.
* Null-terminate components of parsed principalsGreg Hudson2012-05-122-11/+10
| | | | | | | | | | The rewritten krb5_parse_name didn't null-terminate components or realms of principals, while the old one did. Fix the new one to do so as well. This means KRB5_PRINCIPAL_PARSE_IGNORE_REALM allocates one byte for the realm instead of leaving it as empty_data(), so we need to free the realm in build_in_tkt_name() before copying in the client realm.
* Omit start time in common AS requestsGreg Hudson2012-05-112-15/+33
| | | | | | | | | | | | | | | | | | | MIT and Heimdal KDCs ignore the start time for non-postdated ticket requests, but AD yields an error if the start time is in the KDC's future, defeating the kdc_timesync option. Omit the start time if the caller did not specify a start time offset. This change reenables the client check for too much clock skew in the KDC reply in the non-timesync configuration. That check had been unintentionally suppressed since the introduction of the get_init_creds interfaces. Adjust the t_skew test script to expect the new error behavior. Code changes from stefw@gnome.org with slight modifications. ticket: 7130 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25864 dc483132-0cff-0310-8789-dd5450dbe970
* Avoid requiring default realm for in_tkt_serviceGreg Hudson2012-05-101-31/+17
| | | | | | | | Use the new KRB5_PRINCIPAL_PARSE_IGNORE_REALM flag when parsing in_tkt_service arguments in get_init_cred functions, since we're going to overwrite the realm anyway. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25863 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_parse_name flag to ignore realmGreg Hudson2012-05-102-1/+12
| | | | | | | | | | The flag KRB5_PRINCIPAL_PARSE_IGNORE_REALM causes krb5_parse_name to return the principal with an empty realm whether or not a realm is present in the name. ticket: 7129 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25862 dc483132-0cff-0310-8789-dd5450dbe970
* Rewrite krb5_parse_nameGreg Hudson2012-05-102-292/+186
| | | | | | | | | krb5_parse_name started out a bit unwieldy, and has become more so with the introduction of flags. Rewrite it using two passes (allocate and fill), each broken out into its own helper, and a wrapper which handles the realm flags. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25861 dc483132-0cff-0310-8789-dd5450dbe970
* Make password change work without default realmGreg Hudson2012-05-101-0/+5
| | | | | | | | | | | | This fix is not very general or clean, but is suitable for backporting because it is minimally invasive. A more comprehensive fix will follow. ticket: 7127 target_version: 1.10.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25860 dc483132-0cff-0310-8789-dd5450dbe970
* Add no-op macro for ngettext for non-NLS buildsGreg Hudson2012-05-091-0/+1
| | | | | | | r25857 (#7128) uses ngettext, which means we need a no-op macro for it when we're building without NLS support. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25859 dc483132-0cff-0310-8789-dd5450dbe970
* Constify get_init_creds string input paramsGreg Hudson2012-05-096-15/+17
| | | | | | | | | | | | The get_init_creds functions take read-only string input parameters for passwords and initial ticket services. Make these const char * parameters instead of just char * parameters, for caller convenience. Reported by rra@stanford.edu. ticket: 7121 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25858 dc483132-0cff-0310-8789-dd5450dbe970
* Add API to interpret changepw result stringsGreg Hudson2012-05-099-14/+398
| | | | | | | | | | | | | Active Directory returns structured policy information in the nominally UTF-8 result string field of a password change reply. Add a new API krb5_chpw_message() to convert a result string into a displayable message, interpreting policy information if present. Patch from stefw@gnome.org with changes. ticket: 7128 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25857 dc483132-0cff-0310-8789-dd5450dbe970
* Constify krb5int_utf8_normalize input parameterGreg Hudson2012-05-092-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25856 dc483132-0cff-0310-8789-dd5450dbe970
* First pass at PKINIT client trace logsGreg Hudson2012-05-084-25/+156
| | | | | | Trace basic decisions about PKINIT client protocol processing. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25855 dc483132-0cff-0310-8789-dd5450dbe970
* Improve traced error messages from PKINIT clientGreg Hudson2012-05-082-2/+9
| | | | | | | | If we have no configured PKINIT client identity, or if we fail to create a certificate chain, set a reasonable error code (not EINVAL or ENOMEM) and a useful error message to appear in trace log output. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25854 dc483132-0cff-0310-8789-dd5450dbe970
* Improve display of error code 0 in trace outputGreg Hudson2012-05-081-1/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25853 dc483132-0cff-0310-8789-dd5450dbe970
* Use variadic macros to simplify k5-trace.hGreg Hudson2012-05-082-216/+221
| | | | | | | Also fix the facility to make it possible to trace log without including k5-int.h. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25852 dc483132-0cff-0310-8789-dd5450dbe970
* Modernize style in vfy_increds.cGreg Hudson2012-05-031-96/+104
| | | | | | | Make vfy_increds.c consistently use newer coding conventions. Also add a copyright statement. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25848 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-28 03:36:35 +0000