| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
For conciseness, directly use fields of krb5_principal objects instead
of using the accessor macros.
|
| |
|
|
|
|
| |
Don't just build it.
ticket: 7601
|
| |
|
|
| |
Also some other small changes and the copyright date range.
|
| |
|
|
| |
Missed when converting the old nroff man pages.
|
| |
|
|
| |
Otherwise they escape into the release tarball.
|
| |
|
|
|
| |
Correctly check whether the next argument is NULL in the while loop
which parses store elements.
|
| |
|
|
|
|
|
| |
Add an API to duplicate keytab handles, mirroring krb5_cc_dup. Use it
to simplify the krb5 GSS acquire_cred code.
ticket: 7599 (new)
|
| |
|
|
|
|
|
|
| |
Modify t_credstore.c to be more flexible and adjust t_gssapi.py
accordingly. Add a test to t_client_keytab.py which acquire creds
using a programmatically specified client keytab.
ticket: 7598
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new credential store extensions added support for specifying a
specific ccache name and also a specific keytab to be used for accepting
security contexts, but did not add a way to specify a client keytab
to be used in conjunction with the Keytab initiation support added also
in 1.11
This patch introduces a new URN named client_keytab through which a
specific client_keytab can be set when calling gss_acquire_cred_from()
and Keytab Initiation will use that keytab to initialize credentials.
[ghudson@mit.edu: minor C style fix]
ticket: 7598 (new)
|
| |
|
|
| |
Obtained from Debian.
|
| | |
|
| | |
|
| |
|
|
|
| |
Get rid of unnecessary null checks before freeing values in
libkrb5support's plugin code.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
fclose() might overwrite the errno value from fprintf, causing us to
return success when we shouldn't. Record the errno value at the time
of the fprintf failure.
|
| |
|
|
|
|
| |
There's no need to check whether the file exists and is readable
before opening it, and setting an extended error message which is just
strerror_r() of the errno value isn't useful.
|
| |
|
|
|
|
| |
Use empty_data(), alloc_data(), and make_data() in some appropriate
places. This has the side effect of initializing the krb5_data magic
field, which can placate debugging tools.
|
| |
|
|
|
|
| |
In krb5int_dk_cmac_encrypt, cksum wasn't used. In
krb5int_dk_cmac_decrypt, cksum needs to be initialized since we clean
it up.
|
| |
|
|
| |
entry must be initialized before all code which can jump to cleanup.
|
| |
|
|
|
| |
Initialize policy_dn in krb5_ldap_create_password_policy; free values
unconditionally in all ldap_pwd_policy.c cleanup handlers.
|
| | |
|
| |
|
|
|
| |
Initialize policy_dn since we clean it up. Also free it
unconditionally.
|
| |
|
|
|
| |
For easier static analysis, make sure that krb5_decode_princ_entry
always sets *entry_ptr to a valid entry or NULL.
|
| | |
|
| |
|
|
|
| |
If we fail to allocate setptr, don't close ret, since we've already
done so.
|
| |
|
|
|
| |
If we fail to get the client principal when constructing the
stack-allocated creds structure, don't double-free creds.server.
|
| |
|
|
|
| |
Fix some small memory leaks which happen only in rare failure
conditions. Reported by Will Fiveash <will.fiveash@oracle.com>.
|
| |
|
|
|
|
|
| |
If we fail to write the pid to the pid file, we should still close the
file before returning from write_pid_file(). The consequences of this
bug are trivial because kadmin is just going to exit regardless.
Reported by Will Fiveash <will.fiveash@oracle.com>.
|
| |
|
|
|
|
|
|
|
|
| |
When the bundled libverto was updated from 0.2.2 to 0.2.5,
verto_set_flags should have been added to libverto.exports along with
the other new functions.
ticket: 7594 (new)
target_version: 1.11.2
tags: pullup
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code was correctly selecting the mechanism to execute, but it was
improperly setting the mechanism type of the internal context when the
selected mechanism was that of an interposer and vice versa.
When an interposer is involved the internal context is that of the
interposer, so the mechanism type of the context needs to be the
interposer oid. Conversely, when an interposer re-enters gssapi and
presents a token with a special oid, the mechanism called is the real
mechanism, and the context returned is a real mechanism context. In
this case the mechanism type of the context needs to be that of the
real mechanism.
ticket: 7592
target_version: 1.11.2
tags: pullup
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Move internal declarations from k5-int.h to more localized headers
(like int-proto.h) where appropriate. Rename many symbols whose
prototypes were moved to use the k5_ prefix instead of krb5int_.
Remove some unused declarations or move them to the single source file
they were needed in. Remove krb5_creds_compare since it isn't used
any more.
|
| |
|
|
|
| |
These functions were always internal. They haven't been used since
v5passwdd was eliminated in krb5 1.4.
|
| |
|
|
|
| |
These variables were marked as internal in 1996. Two are unused and
the other is easily replaced with the macro it is initialized from.
|
| |
|
|
| |
Based on a patch from Xi Wang <xi@mit.edu>.
|
| |
|
|
|
|
|
|
|
|
|
| |
FreeBSD has not emitted a.out binaries by default for a very long
time; elf is the standard.
Take sparc64 conditional for PICFLAGS from downstream.
Enable "new" dtags (supported since FreeBSD 5.0) -- this
prevents rpath entries in libraries from taking precedence over
LD_LIBRARY_PATH, useful for testing.
|
| |
|
|
|
|
|
|
|
|
|
| |
If an iprop slave tries to load a dump from the master and it fails,
reset the ulog header so we take another full dump, instead of
reporting that the slave is current when it isn't. Reported by
Richard Basch <basch@alum.mit.edu>.
ticket: 7588
target_version: 1.11.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
| |
Supply a callack to PEM_read_bio_PrivateKey() using the prompter to
request a password for encrypted PEM data. Otherwise OpenSSL will use
the controlling terminal.
[ghudson@mit.edu: minor style cleanup, commit message]
ticket: 7590
|
| | |
|
| |
|
|
|
|
| |
The caller of kg_unseal_v1 passes a gss_qop_t * for the qop_state
parameter, so make it use that type instead of an int *. Noted by
David Benjamin <davidben@mit.edu>.
|
| |
|
|
|
|
|
| |
Commit 0780e46fc13dbafa177525164997cd204cc50b51 matched a %ld format
string with the integer 0, which is an int rather than a long. Just
put 0 in the format string instead. Noted by David Benjamin
<davidben@mit.edu>.
|
| |
|
|
|
|
|
|
| |
Found by clang's warnings.
ticket: 7591 (new)
target_version: 1.11.2
tags: pullup
|
| |
|
|
| |
Caught by ASan.
|
| |
|
|
|
|
| |
If krb5_init_context fails, use a null context for getting the error
message, not a context we haven't yet initialized. Observed by David
Benjamin <davidben@mit.edu> using clang.
|
| |
|
|
|
|
|
|
| |
If db_args is non-null but empty, status could be returned without
being initialized; gcc with optimization correctly warns about this,
causing a build failure. (This bug was introduced by
0b1dc2f93da4c860dd27f1ac997617b712dff383 which was pushed after the
1.11 release branch, so it isn't in any release.)
|
| |
|
|
|
|
|
|
|
|
|
| |
k5srvutil is a little more convenient to use for rolling keys than
kadmin is. When migrating off 1DES, though, it may be desirable to
explicitly specify the desired keysalts. This adds an option, -e, to
k5srvutil to specify desired keysalts.
[ghudson@mit.edu: style fix; make whitespace in keysalt list work]
ticket: 7589 (new)
|
| |
|
|
|
| |
This unnecessary include was causing build failures on some systems by
making libkrb5 sources depend on gssapi.h.
|
| |
|
|
|
|
|
|
| |
Create a test module, program, and script to exercise the
krb5_aname_to_localname and krb5_k5userok functions as well as the
localauth pluggable interface.
ticket: 7583
|
