summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* Move KDC PRNG reseed logic to a helper functionTom Yu2012-10-151-20/+29
|
* Eliminate some KDC globalsTom Yu2012-10-1515-327/+489
| | | | | | Make kdc_active_realm a local variable in every function that needs it. Pass it around in various state structures as needed. Keep the macros that reference its members remain for now.
* Don't use kdc_active_realm in kdc/rtest.cTom Yu2012-10-151-11/+9
| | | | | | | Too many parts of the KDC rely on the global variable kdc_active_realm. rtest.c doesn't actually need any of the KDC-specific information that's avaiable through kdc_active_realm, so delete references to it.
* Enforce TGS principals having 2 componentsTom Yu2012-10-151-9/+13
| | | | | | | RFC 4120 section 7.3 says that TGS principal names have two components. Make krb5_is_tgs_principal() and is_cross_tgs_principal() enforce this constraint. Code elsewhere in the KDC already checks for two components anyway.
* Catch up to RST move/renameBen Kaduk2012-10-151-20/+42
| | | | | | | | Change the make rules for the directory structure. Update the RST sources which include other RST sources for the loss of the krb_ prefix. ticket: 7409
* Make rules for building NOTICE from RSTBen Kaduk2012-10-151-5/+20
| | | | | | | | | | | | | | | | | | | | Sphinx-build wants to scan over all the sources in the source dir, and its text output engine does not handle the spanning row cells used in some of our fancy tables, so it will crash if we attempt to generate text output from our full suite of documents. We could work around this by attempting to just compile the one source file as an additional argument to sphinx-build, but this seems to insist on producing an index.txt as well as a notice.txt. Furthermore, we cannot use the same conf.py as in rst_composite because the paths substitutions are not available with just the minimal contents of rst_notice. Make a copy and remove the irrelevant parts, for now, changing only the master_doc field as appropriate. For the HTML build, we use the standard |copy| macro from isonum.txt to get the unicode copyright symbol glyph, but for ASCII output we prefer to just use the literal "(C)". ticket: 7407
* Set pointers to NULL after freeing themZhanna Tsitkov2012-10-152-0/+2
|
* Bump libkdb5 API and DAL versionsGreg Hudson2012-10-152-3/+3
| | | | | | We made two sets of incompatible changes to the DAL and libkdb5 API during development for 1.11 (master key list simplification and policy extensions), so increment the appropriate version numbers.
* Wait for correct message in t_iprop.pyGreg Hudson2012-10-151-2/+1
| | | | | | | | | The message "Got incremental updates from the master" precedes actually replaying the updates on the slave. Instead look for "Incremental updates:" (the statistics message), which happens just after the updates are replayed. Also, we don't need to import time now that we're not sleeping.
* Add a -C flag to klist to also show config entriesNalin Dahyabhai2012-10-151-12/+54
|
* Use hex escaping for non-printable trace dataNalin Dahyabhai2012-10-151-3/+42
| | | | | | When adding {str}, {lenstr}, or {data} to trace output, scan for bytes which might be non-printable, and add them as hex-escaped versions of themselves if any are found.
* Export krb5_cc_move()Nalin Dahyabhai2012-10-152-0/+2
|
* Correct type mismatches for get_as_key callbacksNalin Dahyabhai2012-10-152-2/+4
|
* Handle anonymous-as-signed-data-with-no-signersNalin Dahyabhai2012-10-151-27/+28
| | | | | Update to generate and consume signed-data with no signer-info, which we need for anonymous PKINIT.
* Make sure that pkinit_octetstring_hkdf() inits NSSNalin Dahyabhai2012-10-151-0/+15
| | | | | Create an NSS context for use when performing KDF, so that the tests, which call into the function directly, will work.
* Don't try to free an uninitialized keyblockNalin Dahyabhai2012-10-151-2/+0
|
* Sanity-check loading keys and certs from PEM filesNalin Dahyabhai2012-10-151-0/+15
| | | | | Print a debug message if we're unable to locate the matching private key for a certificate when we've just loaded both of them from PEM files.
* Reset the prompt_types list after calling prompterNalin Dahyabhai2012-10-151-0/+1
| | | | | Reset the prompt_types list immediately after the prompter callback returns, as is done everywhere else.
* Add responder support to preauth_otpNathaniel McCallum2012-10-154-18/+704
|
* Migrate to non-destructive tokeninfo selectionNathaniel McCallum2012-10-151-148/+191
|
* Move forward tokeninfo filteringNathaniel McCallum2012-10-151-63/+81
|
* Move pa_data encoding into a separate functionNathaniel McCallum2012-10-151-39/+45
|
* Eliminate races in t_iprop.pyGreg Hudson2012-10-131-15/+31
| | | | | | | | | | | | | After we start kpropd, read about the initial full dump before making changes on the master. Avoid prodding kpropd for this read (by shifting responsibility for the initial prod to the caller) since kpropd doesn't sleep before its first request. When waiting for sync, note whether we got a full propagation and match that up with our expectations. Use a long polling interval so kpropd doesn't wake up on its own and confuse the test script with an extra incremental update.
* Don't use void * arithmetic in interposed_oidGreg Hudson2012-10-131-1/+2
|
* Make t_iprop.py faster and more robustGreg Hudson2012-10-123-32/+80
| | | | | | | | | | | | | | | Catch SIGUSR1 in iprop-mode kpropd so that we can use it to interrupt sleeps and make kpropd do an iprop request immediately. In k5test.py, add prod_kpropd and read_from_kpropd methods to allow test scripts to send a SIGUSR1 to kpropd and to read its stdout/stderr output; also allow the test script to specify additional arguments when starting kpropd. In t_iprop.py, start kpropd with -d and, instead of sleeping, read kpropd output until we see an indication that kpropd is in sync with the master. To avoid delays, prod kpropd before waiting for sync and after a completed full prop.
* Fix a couple of typosNalin Dahyabhai2012-10-121-2/+2
|
* Add responder support to preauth_encts/preauth_ecNathaniel McCallum2012-10-122-0/+26
|
* Add responder support to get_as_key()Nathaniel McCallum2012-10-129-9/+70
| | | | | This follows the design laid out on the project page: http://k5wiki.kerberos.org/wiki/Projects/Password_response_item
* Allow null inputs to response item functionsNathaniel McCallum2012-10-121-2/+14
|
* Fix cast regexp in C style checkerGreg Hudson2012-10-111-1/+1
| | | | | | | In check_cast, we want to match cast operators with or without spaces after the closing paren, and then check for spaces after we match. Also, per the comment, we want to match potential cast operators followed by an open paren.
* Fix slow kprop dejagnu testGreg Hudson2012-10-103-6/+4
| | | | | | | | | Fix kpropd -S -t to actually exit after processing one connection (it was breaking out of the switch statement, not the while loop). Use the -t when invoking kpropd from the dejagnu test framework; previously it was unnecessary because kpropd -S -d exited after one connection. Clear up some confusion in the kprop.exp comments about whether kpropd is expected to exit.
* Fix argument order when calling the responderNathaniel McCallum2012-10-101-2/+2
|
* De-conditionalize Camellia codeGreg Hudson2012-10-0930-221/+42
| | | | | | | | | | The Camellia enctypes and cksumtypes have received IANA assignments. Add #defines using those assignments to krb5.h, remove the CAMELLIA conditional, and enable testing code as appropriate. The Camellia draft has not received an RFC number yet, so there is no Doxygen markup for the enctype and cksumtype #defines. That can be added once the RFC number is known.
* Untabify preauth_sam2.cGreg Hudson2012-10-081-17/+17
|
* Remove iprop dejagnu testGreg Hudson2012-10-081-236/+0
| | | | | | | Both the Python and dejagnu iprop tests are slow since they use sleeps to give kpropd time to do its work (although we can fix this with some work). Since the Python tests cover the same ground as the dejagnu tests, we don't need both.
* Import and complete Greg Hudson's iprop testNicolas Williams2012-10-082-0/+140
| | | | ticket: 7374
* Prep k5test.py for iprop (add start_kpropd(), ...)Nicolas Williams2012-10-081-6/+42
| | | | | | | Add a start_kpropd() method to K5Realm and make start_kadmind() use the kadmind -p, -K, and -F options. ticket: 7378
* krb5_db_delete_principal() can fail to unlock ulogNicolas Williams2012-10-081-1/+3
| | | | | | Not really: only when the KDB backend lacks a delete method. Still. ticket: 7403
* Remove an old, incorrect comment in kpropd.cNicolas Williams2012-10-081-9/+0
| | | | | | | We absolutely do not want a parking brake on the kprop protocol as described in the comment being removed. Instead the kprop command should be fixed so it doesn't die on error (assuming it even still does or ever did, neither of which I've checked).
* Send kpropd debug msgs to stderrNicolas Williams2012-10-081-4/+5
|
* Fix a minor race in kdb5_util loadNicolas Williams2012-10-053-37/+65
| | | | | | | | | | | | | | | | | | | If a kdb5_util load gets killed between rename()ing the new KDB file into place and resetting the iprop ulog then the ulog can reflect the pre-load state, which will almost certainly be incorrect. This matters because we want to impose a timeout on full resyncs in kpropd when iprop dictates that a full resync is needed, and the simplest timeout scheme involves signaling the kdb5_util load process. But also, we want no such races in general. The fix is simple: re-initialize the ulog before renaming the new KDB file into place, then proceed as usual. If the ulog is not properly updated at the end of the load it will at least always result in subsequent iprop get updates operations always indicating that a full resync is required. ticket: 7399
* Make kadmind iprop never return UPDATE_BUSYNicolas Williams2012-10-051-11/+1
| | | | | | | | | | | | | | | Currently kadmind allows slaves to poll for updates as often as they like, but not within 10s of the last update. This means that iprop will appear to fail to synchronize the KDC at any site whose master KDC processes at least one write transaction every 10 seconds consistently. The original intention must have been to throttle iprop clients (slave KDCs) that poll too often. But UPDATE_BUSY as implemented is not that, and implementing a throttle would be difficult (requires keeping state in a table) and mostly useless (admins can manage their poll timers just fine without a throttle in kadmind). ticket: 7369
* Remove MAX_ULOGENTRIESNicolas Williams2012-10-052-4/+1
| | | | | | | | | | | If a master KDC uses only a 64-bit libkadm5srv then there is no reason to impose any limit on ulog size: the practical maximum will be given by the filesystem and available storage space. Even when using a 32-bit libkadm5srv the maximum practical ulog size will be found easily enough when mmap() fails. ticket: 7368
* Add -R option to kproplog to force full resyncsNicolas Williams2012-10-051-4/+25
| | | | ticket: 7375
* Fix policy refcount corruption race in dumpNicolas Williams2012-10-051-10/+10
| | | | ticket: 7384
* Sync iprop header in kdb5_util dumpNicolas Williams2012-10-051-0/+10
| | | | [ghudson@mit.edu: split out from previous commit]
* kdb5_util load needs iprop safety netNicolas Williams2012-10-051-15/+36
| | | | ticket: 7370
* Deprecate kpropd -S optionNicolas Williams2012-10-051-1/+12
| | | | ticket: 7376
* Add -p, -F, -K options to kadmindNicolas Williams2012-10-052-14/+34
| | | | | | | | | | | | New options: -p path-to-kdb5_util -K path-to-kprop -F dump-file These are needed for testing without first having to install. ticket: 7372
* ipropd_svc.c DPRINT improvementsNicolas Williams2012-10-051-13/+34
| | | | Make DPRINT a varargs macro and add some new debug prints.
generated by cgit (git 2.34.1) at 2025-09-25 18:28:30 +0000