summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* Add a version check to the Python test, so that we don't try to runGreg Hudson2010-03-171-2/+11
| | | | | | k5test in Python 2.3 or below. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23812 dc483132-0cff-0310-8789-dd5450dbe970
* Merge users/raeburn/branches/network-mergeKen Raeburn2010-03-1720-2066/+473
| | | | | | | | | | Re-integrates the forked versions of network.c in kdc and kadmin/server. Server-specific initialization and SIGHUP-reset code is moved into other source files; the more generic network-servicing code is merged and moved into apputils library already used by both programs. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23811 dc483132-0cff-0310-8789-dd5450dbe970
* handle NT_SRV_INST in service principal referralsTom Yu2010-03-161-0/+1
| | | | | | | | | | | Handle NT_SRV_INST in service principal cross-realm referrals, as Windows apparently uses that instead of NT_SRV_HST for at least some service principals. ticket: 6685 target_version: 1.8.1 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23810 dc483132-0cff-0310-8789-dd5450dbe970
* Set up KRB5_RUN_ENV for pytests, so that Python-based tests can runTom Yu2010-03-153-2/+7
| | | | | | without first running "make install". git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23805 dc483132-0cff-0310-8789-dd5450dbe970
* Lazy history key creationGreg Hudson2010-03-112-60/+37
| | | | | | | | | | | Create kadmin/history lazily when we need it (i.e. when a password is changed on a principal with a policy) instead of whenever we open the database. Allows kadmin.local to be used as a read-only tool on non- kadmin-conformant database back ends such as the Samba bridge. ticket: 6679 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23799 dc483132-0cff-0310-8789-dd5450dbe970
* Use KRB5_CONF_ macros instead of strings in the source file for profile ↵Zhanna Tsitkov2010-03-102-6/+8
| | | | | | config attributes "default" and "logging" git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23798 dc483132-0cff-0310-8789-dd5450dbe970
* Remove vestigial include/spnego-asn1.hGreg Hudson2010-03-101-90/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23796 dc483132-0cff-0310-8789-dd5450dbe970
* Add a "make testrealm" target using the Python test framework. AsGreg Hudson2010-03-083-12/+92
| | | | | | | part of this, expose the environments in K5Realm as attributes so that test scripts can modify them. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23794 dc483132-0cff-0310-8789-dd5450dbe970
* Make python test start_in_inetd functionEzra Peisach2010-03-073-2/+5
| | | | | | | | | util/k5test.py: Fix incorrect variable used tests/dejagnu/t_inetd.c: Flush stdout after outputting "Ready!" tests/dejagnu/Makefile.in: Always compile t_inetd - even in runtest is not present git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23773 dc483132-0cff-0310-8789-dd5450dbe970
* Release the internal_name field of a SPNEGO context if it has not beenGreg Hudson2010-03-051-0/+3
| | | | | | | | | | claimed for a caller argument. ticket: 6674 target_version: 1.8.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23772 dc483132-0cff-0310-8789-dd5450dbe970
* Add a Python test to run t_spnegoGreg Hudson2010-03-052-0/+11
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23771 dc483132-0cff-0310-8789-dd5450dbe970
* In post.in, add a check-pytests intermediate target for Makefile.in toGreg Hudson2010-03-051-3/+8
| | | | | | add dependencies to, for test scripts which run C test programs. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23770 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a double-free in the t_spnego test program resulting from overlyGreg Hudson2010-03-051-3/+0
| | | | | | careless cutting and pasting. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23769 dc483132-0cff-0310-8789-dd5450dbe970
* Add a message parameter to k5test's success(), to briefly indicate theGreg Hudson2010-03-053-9/+12
| | | | | | scope of test scripts. Only displayed when verbose is set. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23768 dc483132-0cff-0310-8789-dd5450dbe970
* Add IPv6 support to changepw.c (reverting r21004 since it is no longerGreg Hudson2010-03-051-7/+26
| | | | | | | | | | necessary). Patch from Submit Bose <sbose@redhat.com>. ticket: 6661 target_version: 1.8.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23767 dc483132-0cff-0310-8789-dd5450dbe970
* Ignore improperly encoded signedpath AD elementsGreg Hudson2010-03-051-1/+5
| | | | | | | | | | | | | We have some reason to believe Microsoft and Heimdal are both using the authdata value 142 for different purposes, leading to failures in verify_ad_signedpath(). For better interoperability, treat such tickets as unsigned, rather than invalid. ticket: 6676 target_version: 1.8.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23766 dc483132-0cff-0310-8789-dd5450dbe970
* Error out if a Python test program failsGreg Hudson2010-03-051-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23765 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up a help string in k5testGreg Hudson2010-03-041-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23764 dc483132-0cff-0310-8789-dd5450dbe970
* Python test frameworkGreg Hudson2010-03-047-1/+1159
| | | | | | | | | | | | Add a framework for writing tests in Python. Documentation is in the initial docstring of util/k5test.py. Inaugurate the framework with two test scripts, t_general.py and t_anonypkinit.py, which together test the same operations as standalone.exp from the dejagnu test suite. ticket: 6672 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23763 dc483132-0cff-0310-8789-dd5450dbe970
* Remove some more test suite cruft:Greg Hudson2010-02-282-21/+7
| | | | | | | | | | | | | * localhostname from get_hostname was unused. * database_name is no longer used except (misleadingly) in kdb5_util output. * admin_database_name and admin_database_lockfile are no longer used. * default_domain is only used for v4->v5 principal conversion, which isn't tested. * libkadm5's init-v2.exp had a copy of get_hostname; domain and localhostname from it were unused. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23759 dc483132-0cff-0310-8789-dd5450dbe970
* On Linux platforms, use -Wl,--enable-new-dtags when linking sharedGreg Hudson2010-02-271-2/+2
| | | | | | | | | libraries and programs using them. The primary effect is to get ld to set DT_RUNPATH in addition to DT_RPATH, which in turn allows the LD_LIBRARY_PATH environment variable to override the compiled-in runpath, which is friendlier to the test framework. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23758 dc483132-0cff-0310-8789-dd5450dbe970
* doc updates for allow_weak_cryptoTom Yu2010-02-251-0/+8
| | | | | | | | | | Update documentation to be more helpful about allow_weak_crypto. ticket: 6669 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23750 dc483132-0cff-0310-8789-dd5450dbe970
* Two problems in kadm5_get_principal mask handlingGreg Hudson2010-02-241-6/+8
| | | | | | | | | | | | KADM5_MOD_NAME was being applied to entry->principal instead of entry->mod_name. KADM5_MKVNO was not being applied to entry->mkvno. Patch from Marcus Watts <mdw@umich.edu>. ticket: 6668 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23749 dc483132-0cff-0310-8789-dd5450dbe970
* Remove some more dejagnu test suite cruft:Greg Hudson2010-02-221-26/+0
| | | | | | | * check_date was only used by the application tests. * touch was never used. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23745 dc483132-0cff-0310-8789-dd5450dbe970
* Remove some unused cruft in the dejagnu test suite's default.exp:Greg Hudson2010-02-221-471/+3
| | | | | | | | | | | | | * RLOGIN, RLOGIN_FLAGS, ROOT_PROMPT, ROOT_SHELL, check_k5login, restore_kerberos_env, setup_root_shell, setup_root_shell_noremote, setup_wrapper: No longer used now that the applications are in a separate tree. * v4_compatible_enctype: No longer used with krb4 support gone. * tail1, krb_exit: Apparently never used. * KERBEROS_SERVER: Added long ago in r5686 and removed shortly after in r5695, but the test suite support for it never got excised. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23744 dc483132-0cff-0310-8789-dd5450dbe970
* Explain the current SPNEGO initiator/acceptor design in comments. NoGreg Hudson2010-02-221-11/+66
| | | | | | code changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23743 dc483132-0cff-0310-8789-dd5450dbe970
* Fix two unrelated problems in SPNEGO which don't crop up with the krb5Greg Hudson2010-02-221-10/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | mechanism. 1. The third call to spnego_init_accept_context uses faulty logic to determine if the exchange is complete, preventing a third mech token from being sent to the acceptor if no MIC exchange is required. Follow the logic used in the second call (in init_ctx_nego), which is correct. 2. If the acceptor selects a mech other than the optimistic mech, it sets sc->mic_reqd to 1 whether or not the selected mech supports MICs (which isn't known until the mech completes). Most code outside of handle_mic checks sc->mic_reqd along with (sc->ctx_flags & GSS_C_INTEG_FLAG), but the code in acc_ctx_call_acc neglected to do so, so it could improperly delegate responsibility for deciding when the negotiation was finished to handle_mic--which never gets called if (sc->ctx_flags & GSS_C_INTEG_FLAG) is false. Fix acc_ctx_call_acc to check sc->ctx_flags so that mechs which don't support integrity protection can complete if they are selected non-optimistically. ticket: 6603 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23742 dc483132-0cff-0310-8789-dd5450dbe970
* Use bswap16 and bswap32 on NetBSDKen Raeburn2010-02-201-2/+14
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23741 dc483132-0cff-0310-8789-dd5450dbe970
* Update dependenciesKen Raeburn2010-02-206-34/+55
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23740 dc483132-0cff-0310-8789-dd5450dbe970
* Move array decl from mixed within code down into the block where it'sKen Raeburn2010-02-201-8/+11
| | | | | | actually used, for C90 compliance. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23739 dc483132-0cff-0310-8789-dd5450dbe970
* Update export list for 2007 plugin interface changeKen Raeburn2010-02-201-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23738 dc483132-0cff-0310-8789-dd5450dbe970
* Move array decl from mixed within code down into the block where it'sKen Raeburn2010-02-201-8/+11
| | | | | | actually used, for C90 compliance. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23737 dc483132-0cff-0310-8789-dd5450dbe970
* Make plugins/cksum_body more likely to build, and remove the empty srcGreg Hudson2010-02-191-2/+2
| | | | | | directory within. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23736 dc483132-0cff-0310-8789-dd5450dbe970
* The TGS code was not freeing authdata. This is an old leak which wasGreg Hudson2010-02-181-2/+3
| | | | | | | | | | | made more evident in 1.8 by the addition of ad-signedpath authdata appearing in most tickets issued through the TGS path. ticket: 6659 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23735 dc483132-0cff-0310-8789-dd5450dbe970
* Fix cipher state chaining in OpenSSL back endGreg Hudson2010-02-183-61/+90
| | | | | | | | | | | | | | | | | | | | Make cipher state chaining work in the OpenSSL back end for des, des3, and arcfour enc providers. Subtleties: * DES and DES3 have checks to avoid clobbering ivec with uninitialized data if there is no data to encrypt. * Arcfour saves the OpenSSL cipher context across calls. To protect against a caller improperly copying the state (which happens to work with other enc providers), a loopback pointer is used, as in GSSAPI. * EVP_EncryptFinal_ex is unnecessary with stream ciphers and would interfere with cipher state chaining if it did anything, so just remove it. ticket: 6665 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23734 dc483132-0cff-0310-8789-dd5450dbe970
* Add display statements for the encrypted tokens generated by t_encryptGreg Hudson2010-02-171-0/+24
| | | | | | so that its output can be compared between different back ends. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23733 dc483132-0cff-0310-8789-dd5450dbe970
* validator.py is a tool to validate kerb configuration files. Zhanna Tsitkov2010-02-175-0/+378
| | | | | | | | | First, the configuration file is parsed (confparser.py) and validated against formating errors (such as mismatching brackets) Then the list of the allowed configuration attributes is compiled from k5-int.h and rules.yml Finally, the kerb configuration file is validated against the list of the allowed strings. If the error, or something that validator does not understand, is found the warning is issued in the tree-like form indicating the layer where the problem has occurred. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23732 dc483132-0cff-0310-8789-dd5450dbe970
* update mkrel to deal with changed source layoutTom Yu2010-02-161-2/+8
| | | | | | | | | | | Update mkrel so it deals somewhat better with removed src/lib/des425, NOTICES, etc. ticket: 6663 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23726 dc483132-0cff-0310-8789-dd5450dbe970
* MITKRB5-SA-2010-001 CVE-2010-0283 KDC denial of serviceTom Yu2010-02-163-1/+8
| | | | | | | | | | | | | Code introduced in krb5-1.7 can cause an assertion failure if a KDC-REQ is internally inconsistent, specifically if the ASN.1 tag doesn't match the msg_type field. Thanks to Emmanuel Bouillon (NATO C3 Agency) for discovering and reporting this vulnerability. ticket: 6662 tags: pullup target_version: 1.8 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23724 dc483132-0cff-0310-8789-dd5450dbe970
* Remove another remnant of krb4Ken Raeburn2010-02-151-86/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23723 dc483132-0cff-0310-8789-dd5450dbe970
* Clarify the SPNEGO NegHints code and plug two cases where half-createdGreg Hudson2010-02-131-25/+19
| | | | | | context could be leaked. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23722 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify the SPNEGO neg_mechs intersection logic a bit usingGreg Hudson2010-02-121-7/+6
| | | | | | gss_test_oid_set_member. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23717 dc483132-0cff-0310-8789-dd5450dbe970
* Minimal support for updating history keyGreg Hudson2010-02-115-131/+113
| | | | | | | | | | | | | | | | | | Add minimal support for re-randomizing the history key: * cpw -randkey kadmin/history now works, but creates only one key. * cpw -randkey -keepold kadmin/history still fails. * libkadm5 no longer caches the history key. Performance impact is minimal since password changes are not common. * randkey no longer checks the newly randomized key against old keys, and the disabled code to do so in setkey/setv4key is gone, so now only kadm5_chpass_principal_3 accesses the password history. ticket: 6660 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23716 dc483132-0cff-0310-8789-dd5450dbe970
* Implement gss_set_neg_mechsGreg Hudson2010-02-1011-83/+570
| | | | | | | | | | | | | | | | | Implement gss_set_neg_mechs in SPNEGO by intersecting the provided mech set with the mechanisms available in the union credential. As we now need space to hold the mech set, the SPNEGO credential is now a structure and not just a mechglue credential. t_spnego.c is a test program which exercises the new logic. Like the other GSSAPI tests, it is not run as part of "make check" at this time. ticket: 6658 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23715 dc483132-0cff-0310-8789-dd5450dbe970
* Followon fixes to r23712:Greg Hudson2010-02-105-9/+14
| | | | | | | | | | | | | | | | * A few formatting fixes. * Fix unlikely leak in kdc_handle_protected_negotiation: if add_pa_data_element with copy == FALSE fails, it's still the caller's responsibility to free pa.contents. * Fix pre-existing (since r23465) leak of reply_encpart.enc_padata in process_as_req. * Call add_pa_data_element with copy == TRUE in return_referral_enc_padata since we are passing memory owned by the database entry. ticket: 6656 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23714 dc483132-0cff-0310-8789-dd5450dbe970
* krb5int_fast_free_state segfaults if state is nullSam Hartman2010-02-091-0/+2
| | | | | | | | | | | | | krb5int_fast_free_state fails if state is null. INstead it should simply return Reorganization of the get_init_creds logic has created situations where the init_creds loop can fail between the time when the context is initialized and the fast state is initialized. ticket: 6657 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23713 dc483132-0cff-0310-8789-dd5450dbe970
* enc_padata can include empty sequenceSam Hartman2010-02-095-84/+61
| | | | | | | | | | | | | | | | | There are two issues with return_enc_padata. 1) It often will return an empty sequence of enc_padata rather than not including the field 2) FAST negotiation is double supported in the referral tgs path and not supported in the non-referral path Rewrite the return_enc_padata logic to: * Split out referral interactions with kdb into its own function * Use add_pa_data_element ticket: 6656 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23712 dc483132-0cff-0310-8789-dd5450dbe970
* Consistently place $(LDFLAGS) after $(SHLIB_EXPFLAGS) when buildingGreg Hudson2010-02-051-13/+12
| | | | | | | | | | | | | shared libraries. Previously we sometimes failing to use $(LDFLAGS) at all, and at other times were putting it before $(SHLIB_EXPFLAGS) where it could pick up tree-internal libraries from outside the build tree. ticket: 6643 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23699 dc483132-0cff-0310-8789-dd5450dbe970
* Apply patch from Arlene Berry to handle the case where a mechanismTom Yu2010-02-051-2/+10
| | | | | | | | | | | implements set_cred_option but does not implement the requested option. ticket: 6601 tags: pullup target_version: 1.8 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23698 dc483132-0cff-0310-8789-dd5450dbe970
* Fix cross-realm handling of AD-SIGNEDPATHGreg Hudson2010-02-053-7/+19
| | | | | | | | | | | | | | | Avoid setting AD-SIGNEDPATH when returning a cross-realm TGT. Previously we were avoiding it when answering a cross-realm client, which was wrong. Don't fail out on an invalid AD-SIGNEDPATH checksum; just don't trust the ticket for S4U2Proxy (as if AD-SIGNEDPATH weren't present). ticket: 6655 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23697 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-10-04 00:47:37 +0000