path: root/src
Commit message / Author / Age / Files / Lines
...
* kadmin's ktremove can remove wrong entries when removing kvno 0
  Greg Hudson, 2011-02-01, 1 file, -1/+2

  Because of 8-bit wraparound, keytabs can contain entries with kvno 0. Because 0 is a distinguished kvno value for krb5_kt_get_entry(), kadmin's remove_principal() winds up substituting the specified kvno with the highest-numbered kvno of the specified principal in the keytab. Make sure not to perform this substitution when in specified-kvno mode.

  (This fix leaves behind a very minor bug where "ktrem principal 0" returns silently, instead of producing an error message like it normally would, if principal exists in the keytab but not at kvno 0.)

  ticket: 6854
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24611 dc483132-0cff-0310-8789-dd5450dbe970
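The wraparound bug above is easy to reproduce in miniature. The following is an added model, not MIT krb5 code: it assumes a keytab whose kvno field wraps at 8 bits (so key version 256 is stored as 0), a lookup helper that mirrors the documented krb5_kt_get_entry() rule that a requested kvno of 0 means "highest kvno", and two removal routines standing in for the pre-fix and post-fix remove_principal() in specified-kvno mode. The principal name and key versions are constructed sample data.

```python
"""Model of the ktremove kvno-0 bug (added illustration, not krb5 code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int


def wrapped_kvno(kvno: int) -> int:
    """The on-disk kvno field is one byte, so version 256 wraps to 0."""
    return kvno & 0xFF


def kt_get_entry(keytab: List[KeytabEntry], principal: str,
                 kvno: int) -> Optional[KeytabEntry]:
    """Mimic krb5_kt_get_entry(): kvno 0 is a wildcard that selects the
    entry with the highest kvno for the principal."""
    matches = [e for e in keytab if e.principal == principal]
    if not matches:
        return None
    if kvno == 0:
        return max(matches, key=lambda e: e.kvno)
    return next((e for e in matches if e.kvno == kvno), None)


def remove_specified_buggy(keytab: List[KeytabEntry], principal: str,
                           kvno: int) -> List[KeytabEntry]:
    """Pre-fix behaviour: the user-specified kvno is routed through
    kt_get_entry(), so 'ktremove princ 0' deletes the highest kvno."""
    target = kt_get_entry(keytab, principal, kvno)
    if target is None:
        raise KeyError(f"No entry for {principal} with kvno {kvno}")
    return [e for e in keytab if e != target]


def remove_specified_fixed(keytab: List[KeytabEntry], principal: str,
                           kvno: int) -> List[KeytabEntry]:
    """Post-fix behaviour: in specified-kvno mode, kvno 0 is matched
    exactly instead of being substituted. As the commit notes, a request
    for kvno 0 that matches nothing returns silently; that caveat is
    reproduced here on purpose."""
    if kvno != 0:
        target = kt_get_entry(keytab, principal, kvno)
        if target is None:
            raise KeyError(f"No entry for {principal} with kvno {kvno}")
        return [e for e in keytab if e != target]
    return [e for e in keytab
            if not (e.principal == principal and e.kvno == 0)]


PRINC = "host/kdc.example.com@EXAMPLE.COM"  # constructed sample principal


def sample_keytab() -> List[KeytabEntry]:
    """Constructed keytab: kvnos 254, 255 and a wrapped 256 stored as 0."""
    return [KeytabEntry(PRINC, kv) for kv in (254, 255, wrapped_kvno(256))]


if __name__ == "__main__":
    kt = sample_keytab()
    print("buggy :", sorted(e.kvno for e in remove_specified_buggy(kt, PRINC, 0)))
    print("fixed :", sorted(e.kvno for e in remove_specified_fixed(kt, PRINC, 0)))
```

Running it shows the pre-fix routine deleting kvno 255 (the newest key still in use) while leaving the wrapped kvno-0 entry in place, and the fixed routine deleting only kvno 0.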
* Restore KRB5_CALLCONV_WRONG attribute to krb5_auth_con_getrcache
  Tom Yu, 2011-01-26, 1 file, -1/+1

  It was incorrectly removed in r24600.

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24606 dc483132-0cff-0310-8789-dd5450dbe970
* When building PKINIT against OpenSSL 1.0 or later, use the CMS APIs for better interoperability.
  Greg Hudson, 2011-01-26, 1 file, -46/+93

  From nalin@redhat.com.

  ticket: 6851
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24605 dc483132-0cff-0310-8789-dd5450dbe970
* Make principal renaming work in libkadm5srv by converting to explicit salts as necessary.
  Greg Hudson, 2011-01-25, 6 files, -15/+163

  Add a principal rename command to the client. (The RPC infrastructure was already present.) Adapted from patches submitted by mdw@umich.edu and lha@apple.com.

  ticket: 6323
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24604 dc483132-0cff-0310-8789-dd5450dbe970
* Make gss_krb5_set_allowable_enctypes work for the acceptor
  Greg Hudson, 2011-01-25, 1 file, -0/+9

  With the addition of enctype negotiation in 1.7, a gss-krb5 acceptor can choose an enctype for the acceptor subkey other than the one in the keytab. If the resulting security context will be exported and re-imported by another gss-krb5 implementation (such as one in the kernel), the acceptor needs a way to restrict the set of negotiated enctypes to those supported by the other implementation. We had that functionality for the initiator already in the form of gss_krb5_set_allowable_enctypes; this change makes it work for the acceptor as well.

  ticket: 6852
  target_version: 1.9.1
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24603 dc483132-0cff-0310-8789-dd5450dbe970
* Add a trace log event for unrecognized enctypes in a profile enctype list.
  Greg Hudson, 2011-01-21, 4 files, -7/+14

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24602 dc483132-0cff-0310-8789-dd5450dbe970
* Fix edge case in LDAP last_admin_unlock processing
  Greg Hudson, 2011-01-21, 1 file, -0/+1

  In the LDAP KDB module, set appropriate flags when zeroing entry->fail_auth_count due to an administrative unlock.

  ticket: 6849
  target_version: 1.9.1
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24601 dc483132-0cff-0310-8789-dd5450dbe970
* Where missing, add the arguments' names to the function signatures
  Zhanna Tsitkov, 2011-01-19, 1 file, -252/+422

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24600 dc483132-0cff-0310-8789-dd5450dbe970
* Renamed static function krb5_rd_safe_basic into rd_safe_basic to avoid confusion with API
  Zhanna Tsitkov, 2011-01-18, 1 file, -5/+5

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24599 dc483132-0cff-0310-8789-dd5450dbe970
* In t_expire_warn.py, put the hashbang line at the top, instead of after the copyright comments.
  Greg Hudson, 2011-01-18, 1 file, -1/+2

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24598 dc483132-0cff-0310-8789-dd5450dbe970
* Update copyright year in prototype sources
  Greg Hudson, 2011-01-18, 2 files, -2/+2

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24597 dc483132-0cff-0310-8789-dd5450dbe970
* Doxygen style re-formatting of the existing comments
  Zhanna Tsitkov, 2011-01-13, 1 file, -124/+120

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24596 dc483132-0cff-0310-8789-dd5450dbe970
* In krb5_set_realm():
  Greg Hudson, 2011-01-12, 1 file, -4/+5

  * Return EINVAL and ENOMEM correctly.
  * Accept an empty realm instead of returning EINVAL.
  * Wrap a long line.

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24595 dc483132-0cff-0310-8789-dd5450dbe970
* Don't call memset with a zero length
  Ken Raeburn, 2011-01-12, 1 file, -1/+2

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24594 dc483132-0cff-0310-8789-dd5450dbe970
* ASN.1 decode related file rearrangement. It was made based on the following criteria:
  Zhanna Tsitkov, 2011-01-11, 10 files, -1292/+1560

  1. based on functionality (for example, kdc-only code)
  2. Well-defined clusters of functions (fast, sam).

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24593 dc483132-0cff-0310-8789-dd5450dbe970
* Tighten up the error handling in the mechglue's gss_canonicalize_name, eliminating a null pointer dereference in the (unlikely) case that allocation of out_union fails.
  Greg Hudson, 2011-01-10, 1 file, -32/+14

  Reported by aberry@likewise.com.

  ticket: 6817
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24592 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a couple of cases in the SPNEGO implementation where a half-constructed SPNEGO context could be leaked.
  Greg Hudson, 2011-01-10, 1 file, -1/+4

  Patch from aberry@likewise.com, slightly amended.

  ticket: 6816
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24591 dc483132-0cff-0310-8789-dd5450dbe970
* Don't attempt to serialize a NULL authdata context when serializing a GSSAPI context (most often seen with initiator contexts).
  Greg Hudson, 2010-12-28, 1 file, -2/+4

  Patch from aberry@likewise.com.

  ticket: 6675
  target_version: 1.9.1
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24590 dc483132-0cff-0310-8789-dd5450dbe970
* Don't use a krb5 context in t_fork, since we don't set up a krb5.conf in the crypto test directory's "make check".
  Greg Hudson, 2010-12-28, 1 file, -2/+5

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24589 dc483132-0cff-0310-8789-dd5450dbe970
* Document rdns libdefault setting
  Tom Yu, 2010-12-20, 1 file, -1/+8

  ticket: 6794
  tags: pullup
  target_version: 1.9
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24584 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate some unused variable warnings
  Greg Hudson, 2010-12-20, 4 files, -3/+3

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24583 dc483132-0cff-0310-8789-dd5450dbe970
* Remove an unnecessary clause from safe_cksumtype() which served only to create a theoretical (but impossible in practice) memory leak.
  Greg Hudson, 2010-12-16, 1 file, -1/+1

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24581 dc483132-0cff-0310-8789-dd5450dbe970
* Ensure time() is prototyped in g_accept_sec_context.c
  Greg Hudson, 2010-12-14, 1 file, -0/+1

  r22736 added a call to time() in g_accept_sec_context.c. Include <time.h> to ensure that this call is correctly prototyped. Previously <time.h> was only included implicitly through <pthread.h>, which doesn't apply when thread support is disabled.

  ticket: 6842
  tags: pullup
  target_version: 1.9
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24568 dc483132-0cff-0310-8789-dd5450dbe970
* memory leak in changepw.c
  Tom Yu, 2010-12-14, 1 file, -0/+1

  Apply patch from Marcus Watts to avoid a memory leak in changepw.c.

  ticket: 6841
  tags: pullup
  target_version: 1.9
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24567 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a regression in the client-side ticket renewal code where KDC options were not folded into the renewal request (most notably, the KDC_OPT_RENEWABLE flag), so we didn't request renewable renewed tickets.
  Greg Hudson, 2010-12-14, 3 files, -1/+21

  Add a simple test case for ticket renewal.

  ticket: 6838
  tags: pullup
  target_version: 1.9
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24566 dc483132-0cff-0310-8789-dd5450dbe970
* typo in plugin-related error message
  Tom Yu, 2010-12-14, 1 file, -1/+1

  Apply patch from Marcus Watts to fix error message typo.

  ticket: 6840
  tags: pullup
  target_version: 1.9
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24565 dc483132-0cff-0310-8789-dd5450dbe970
* handle MS PACs that lack server checksum
  Tom Yu, 2010-12-10, 2 files, -1/+32

  target_version: 1.9
  tags: pullup

  Apple Mac OS X Server's Open Directory KDC issues MS PAC-like authorization data that lacks a server checksum. If this checksum is missing, mark the PAC as unverified, but allow krb5int_authdata_verify() to succeed. Filter out the unverified PAC in subsequent calls to krb5_authdata_get_attribute(). Add trace points to indicate where this behavior occurs.

  Thanks to Helmut Grohne for help with analysis.

  This bug is also Debian Bug #604925: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604925

  This change should also get backported to krb5-1.8.x.

  ticket: 6839
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24564 dc483132-0cff-0310-8789-dd5450dbe970
* Add comment noting that RFC 4121 appears to omit RC4-HMAC from the list of "not-newer" enctypes, even though RFC 4757 effectively treats it as one.
  Tom Yu, 2010-12-07, 2 files, -0/+4

  Suggested by Derrick Brashear.

  ticket: 6835
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24563 dc483132-0cff-0310-8789-dd5450dbe970
* update dependencies
  Ken Raeburn, 2010-12-05, 9 files, -63/+93

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24561 dc483132-0cff-0310-8789-dd5450dbe970
* Test for key rollover for TGT, including purging old keys
  Tom Yu, 2010-12-03, 2 files, -0/+47

  ticket: 1219
  target_version: 1.9
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24555 dc483132-0cff-0310-8789-dd5450dbe970
* Implement restrict_anonymous_to_tgt realm flag
  Greg Hudson, 2010-12-01, 9 files, -7/+71

  Implement a new realm flag to reject ticket requests from anonymous principals to any principal other than the local TGT. Allows FAST to be deployed using anonymous tickets as armor in realms where the set of authenticatable users must be constrained.

  ticket: 6829
  target_version: 1.9
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24547 dc483132-0cff-0310-8789-dd5450dbe970
* Install kadm5_hook_plugin.h
  Sam Hartman, 2010-11-30, 1 file, -0/+1

  Install the kadm5 hook plugin header

  ticket: 6828
  target_version: 1.9
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24539 dc483132-0cff-0310-8789-dd5450dbe970
* SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
  Greg Hudson, 2010-11-30, 12 files, -81/+82

  Fix multiple checksum handling bugs, as described in:

  CVE-2010-1324
  CVE-2010-1323
  CVE-2010-4020
  CVE-2010-4021

  * Return the correct (keyed) checksums as the mandatory checksum type for DES enctypes.
  * Restrict simplified-profile checksums to their corresponding etypes.
  * Add internal checks to reduce the risk of stream ciphers being used with simplified-profile key derivation or other algorithms relying on the block encryption primitive.
  * Use the mandatory checksum type for the PKINIT KDC signature, instead of the first-listed keyed checksum.
  * Use the mandatory checksum type when sending KRB-SAFE messages by default, instead of the first-listed keyed checksum.
  * Use the mandatory checksum type for the t_kperf test program.
  * Use the mandatory checksum type (without additional logic) for the FAST request checksum.
  * Preserve the existing checksum choices (unkeyed checksums for DES enctypes) for the authenticator checksum, using explicit logic.
  * Ensure that SAM checksums received from the KDC are keyed.
  * Ensure that PAC checksums are keyed.

  ticket: 6827
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24538 dc483132-0cff-0310-8789-dd5450dbe970
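Several of the SA-2010-007 items above come down to one rule: a receiver must insist that the checksum protecting a message is keyed, rather than honouring whatever checksum type the sender (or an attacker) put in the message. The block below is an added illustration, not krb5 code. It models a KRB-SAFE-like message as a plain dict rather than ASN.1, uses unkeyed SHA-1 to stand in for an unkeyed Kerberos checksum type and HMAC-SHA1 to stand in for a keyed one, and uses a constructed sample session key; the function names are the model's own.

```python
"""Keyed vs. unkeyed checksum acceptance (added illustration, not krb5 code)."""
import hashlib
import hmac

UNKEYED = "unkeyed"  # stands in for a cksumtype such as rsa-md5 or sha1
KEYED = "keyed"      # stands in for an HMAC-based keyed cksumtype

SESSION_KEY = bytes(range(16))  # constructed sample key shared by the honest parties


def checksum(cksumtype: str, key: bytes, data: bytes) -> bytes:
    """Compute the checksum for the given type; the unkeyed type ignores key."""
    if cksumtype == UNKEYED:
        return hashlib.sha1(data).digest()
    if cksumtype == KEYED:
        return hmac.new(key, data, hashlib.sha1).digest()
    raise ValueError(f"unknown cksumtype {cksumtype!r}")


def make_safe(key: bytes, payload: bytes, cksumtype: str) -> dict:
    """Sender builds a KRB-SAFE-like message carrying its chosen cksumtype."""
    return {"payload": payload, "cksumtype": cksumtype,
            "cksum": checksum(cksumtype, key, payload)}


def verify_permissive(key: bytes, msg: dict) -> bool:
    """Pre-fix pattern: recompute with whatever cksumtype the message claims."""
    expected = checksum(msg["cksumtype"], key, msg["payload"])
    return hmac.compare_digest(expected, msg["cksum"])


def verify_keyed_only(key: bytes, msg: dict) -> bool:
    """Post-fix pattern: refuse any unkeyed cksumtype before checking bytes."""
    if msg["cksumtype"] != KEYED:
        return False
    return verify_permissive(key, msg)


def forge(new_payload: bytes, cksumtype: str = UNKEYED) -> dict:
    """Attacker without the session key: choose the payload and the
    cksumtype, and compute the checksum with the only key it has (none).
    Downgrading to the unkeyed type is what makes the forgery work."""
    return {"payload": new_payload, "cksumtype": cksumtype,
            "cksum": checksum(cksumtype, b"", new_payload)}


if __name__ == "__main__":
    honest = make_safe(SESSION_KEY, b"transfer 10", KEYED)
    forged = forge(b"transfer 10000")
    print("honest, permissive :", verify_permissive(SESSION_KEY, honest))
    print("forged, permissive :", verify_permissive(SESSION_KEY, forged))
    print("forged, keyed-only :", verify_keyed_only(SESSION_KEY, forged))
```

The permissive verifier accepts the forged message even though the honest sender used a keyed checksum, because the attacker simply relabelled the message with an unkeyed type; the keyed-only verifier rejects it before any bytes are compared. That check is the model equivalent of the "ensure that ... checksums are keyed" items in the commit.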
* Install gssapi_ext.h on Windows. Include gssapi_ext.h in the header files considered by def-check.pl in verify-calling-conventions-gssapi.
  Greg Hudson, 2010-11-30, 2 files, -1/+3

  ticket: 6826
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24537 dc483132-0cff-0310-8789-dd5450dbe970
* Use for loops for recursion in the Windows build, cutting down on the verbiage in Makefile.in files.
  Greg Hudson, 2010-11-28, 145 files, -1082/+189

  For correctness of output, every Makefile.in mydir= definition is changed to use $(S) instead of /.

  ticket: 6826
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24536 dc483132-0cff-0310-8789-dd5450dbe970
* Supply static ordinals for new symbols in gssapi32.def and krb5_32.def, for consistency with KFW 3.x.
  Greg Hudson, 2010-11-26, 2 files, -182/+182

  ticket: 6826
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24535 dc483132-0cff-0310-8789-dd5450dbe970
* Fix how gssapi.h is rebuilt on Windows; accidentally omitted from r24533.
  Greg Hudson, 2010-11-25, 1 file, -0/+4

  ticket: 6826
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24534 dc483132-0cff-0310-8789-dd5450dbe970
* Fix Windows build
  Greg Hudson, 2010-11-25, 82 files, -2050/+2191

  Repair the Windows build. Tested with the prepare-on-Unix method. Some specific changes include:

  * Removed the IPC finalizer (no longer used after r20787) from ccapi/lib/ccapi_ipc.c, as it was creating a difficult dependency chain for the pingtest build in ccapi/test. Also updated pingtest to use the k5_ipc_stream interfaces since cci_stream is gone.
  * Reverted the apparently non-functional r20277.
  * klist -V prints just "Kerberos for Windows", since it has no access to PACKAGE_NAME and PACKAGE_VERSION from autoconf. This should be addressed correctly.
  * krb5, telnet, gssftp, and NIM are removed from the build.
  * Some files had CRLFs; these were replaced with LFs and the svn:eol-style property set on the files. Otherwise the CRLFs became CRCRLFs after the zip transfer.
  * Windows does not have opendir/readdir, so added Windows code to prof_parse.c for includedir. Probable fodder for a libkrb5support portability shim.

  ticket: 6826
  target_version: 1.9
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24533 dc483132-0cff-0310-8789-dd5450dbe970
* Update krb5_gic_opt_private and related code to reflect the change of krb5_expire_callback_func from a function typedef to a function pointer typedef. This was causing segfaults.
  Tom Yu, 2010-11-23, 2 files, -2/+2

  ticket: 6825
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24532 dc483132-0cff-0310-8789-dd5450dbe970
* Set svn:eol-style on some Windows files and remove the CRs from their repository representations.
  Greg Hudson, 2010-11-23, 4 files, -263/+260

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24530 dc483132-0cff-0310-8789-dd5450dbe970
* Add missing KRB5_CALLCONV in callback declaration
  Greg Hudson, 2010-11-23, 1 file, -4/+4

  krb5_get_init_creds_opt_set_expire_callback was correctly tagged with KRB5_CALLCONV but the corresponding callback type was not. Add that in.

  ticket: 6825
  target_version: 1.9
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24529 dc483132-0cff-0310-8789-dd5450dbe970
* Export krb5_tkt_creds_get
  Greg Hudson, 2010-11-23, 1 file, -0/+1

  krb5_tkt_creds_get was overlooked in the export list; add it.

  ticket: 6824
  target_version: 1.9
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24528 dc483132-0cff-0310-8789-dd5450dbe970
* Correct typo in r24526
  Greg Hudson, 2010-11-22, 1 file, -1/+1

  ticket: 6823
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24527 dc483132-0cff-0310-8789-dd5450dbe970
* getdate.y: declare yyparse
  Sam Hartman, 2010-11-22, 1 file, -0/+1

  At least on lucid, byacc doesn't declare yyparse, which creates problems because lucid treats calls to unprototyped functions as errors.

  ticket: 6823
  target_version: 1.9
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24526 dc483132-0cff-0310-8789-dd5450dbe970
* Suppress building camellia-gen in "make check" for now (it has a build issue on Solaris which will go away when Camellia support becomes unconditional).
  Greg Hudson, 2010-11-21, 1 file, -1/+2

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24525 dc483132-0cff-0310-8789-dd5450dbe970
* Implement Camellia-CTS-CMAC instead of Camellia-CCM
  Greg Hudson, 2010-11-20, 43 files, -1552/+2486

  Replace the Camellia-CCM enctypes with Camellia-CTS-CMAC. Still not compiled in by default since we don't have enctype assignments yet.

  ticket: 6822
  target_version: 1.9
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24524 dc483132-0cff-0310-8789-dd5450dbe970
* Read KDC profile settings in kpropd
  Greg Hudson, 2010-11-16, 1 file, -1/+3

  kpropd can modify the KDB with ulog_replay(), so it should read the KDC profile settings in case the KDB configuration is in there.

  ticket: 6820
  target_version: 1.9
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24519 dc483132-0cff-0310-8789-dd5450dbe970
* Handle referral realm in kprop client principal
  Greg Hudson, 2010-11-16, 1 file, -3/+17

  kprop uses krb5_sname_to_principal() to determine its client principal. If the local hostname cannot be mapped to a realm based on the profile's domain_realm section, krb5_sname_to_principal() will (as of 1.6) return a principal with the referral realm (""), which does not work in a client principal. Handle this by substituting the default realm.

  ticket: 6819
  target_version: 1.9
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24518 dc483132-0cff-0310-8789-dd5450dbe970
* The iprop dejagnu test had some deceptive commented-out debugging code (it would set up the user to run kpropd in the master environment instead of the slave environment). Make it more useful.
  Greg Hudson, 2010-11-16, 1 file, -0/+1

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24516 dc483132-0cff-0310-8789-dd5450dbe970
* Correct a minor error in the k5test documentation
  Greg Hudson, 2010-11-15, 1 file, -1/+1

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24515 dc483132-0cff-0310-8789-dd5450dbe970