krb5.git/src/lib, branch gss_cs MIT Kerberos patches Add way to specify rcache when acquiring creds 2014-01-14T20:11:54+00:00 Simo Sorce simo@redhat.com 2013-12-27T00:05:34+00:00 5d3c7091d401b0a562131dee8fa210d416b441df The "rcache" URN can specify a cache type and name to be used with the credentials being acquired. Signed-off-by: Simo Sorce <simo@redhat.com> 
The "rcache" URN can specify a cache type and name to be used with
the credentials being acquired.

Signed-off-by: Simo Sorce <simo@redhat.com>
Fix uninitialized warning in client_init.c 2013-12-21T15:08:06+00:00 Greg Hudson ghudson@mit.edu 2013-12-21T15:08:06+00:00 815565f918f2c64c59561dbe37efc251ddb67c22 ticket: 7800 
ticket: 7800
Allow realm in kadm5_init service names 2013-12-21T05:06:22+00:00 Greg Hudson ghudson@mit.edu 2013-12-19T18:33:33+00:00 5341cfde2b3e607e294bb0d057dc3540172a8b1b Previously, if you passed a service name with a realm part to a kadm5_init function, you would get a KRB5_PARSE_MALFORMED error because the code would internally append its own '@realm' suffix before parsing the name. Fix this as follows: Change gic_iter so instead of producing a full service name, it produces a krb5_principal which is taken from the cred it acquires. Pass the client and full service name around as principals, rather than strings, and use the gss_nt_krb5_principal name type to import them in setup_gss(). Don't append a realm to the input service name; instead, pass the input service name directly to the gic functions (which do not need a realm in the service name and will ignore the realm if one is present). For the INIT_CREDS case, parse the input service name with KRB5_PRINCIPAL_PARSE_IGNORE_REALM and then set the realm. ticket: 7800 
Previously, if you passed a service name with a realm part to a
kadm5_init function, you would get a KRB5_PARSE_MALFORMED error
because the code would internally append its own '@realm' suffix
before parsing the name.  Fix this as follows:

Change gic_iter so instead of producing a full service name, it
produces a krb5_principal which is taken from the cred it acquires.
Pass the client and full service name around as principals, rather
than strings, and use the gss_nt_krb5_principal name type to import
them in setup_gss().  Don't append a realm to the input service name;
instead, pass the input service name directly to the gic functions
(which do not need a realm in the service name and will ignore the
realm if one is present).  For the INIT_CREDS case, parse the input
service name with KRB5_PRINCIPAL_PARSE_IGNORE_REALM and then set the
realm.

ticket: 7800
Simplify libkadm5 client realm initialization 2013-12-21T05:06:22+00:00 Greg Hudson ghudson@mit.edu 2013-12-19T17:22:47+00:00 33b06596be92f7d8458ac6b136f092e235dec834 The "realm" variable in init_any is used only to fill in the realm of the service principal in gic_iter(). The service principal realm should always be the realm we looked up config parameters for, so we can supply that realm to get_init_creds() unconditionally and eliminate the case where we use the client principal realm. Also get rid of an outdated comment and an #if 0 block we will never need again, and use SNPRINTF_OVERFLOW to check the snprintf result. 
The "realm" variable in init_any is used only to fill in the realm of
the service principal in gic_iter().  The service principal realm
should always be the realm we looked up config parameters for, so we
can supply that realm to get_init_creds() unconditionally and
eliminate the case where we use the client principal realm.

Also get rid of an outdated comment and an #if 0 block we will never
need again, and use SNPRINTF_OVERFLOW to check the snprintf result.
make depend 2013-12-21T04:13:57+00:00 Greg Hudson ghudson@mit.edu 2013-12-21T04:13:57+00:00 f5d5fa24c6c58b54349351beaea8220f5ca0f3ef 






Avoid keyctl purge in keyring ccache tests
2013-12-21T04:10:03+00:00

Greg Hudson
ghudson@mit.edu

2013-12-20T20:19:06+00:00

94da4584645475272abec6259d1666e34bd59594

keyctl purge was added in keyutils 1.5 (released in March 2011).  Use
keyctl unlink to clean up keys instead, as it is more universal.

ticket: 7810
target_version: 1.12.1
tags: pullup





keyctl purge was added in keyutils 1.5 (released in March 2011).  Use
keyctl unlink to clean up keys instead, as it is more universal.

ticket: 7810
target_version: 1.12.1
tags: pullup







Set an error message when keyring get_princ fails
2013-12-21T04:10:03+00:00

Nalin Dahyabhai
nalin@dahyabhai.net

2013-12-05T18:54:09+00:00

c25fc42e8eac7350209df61e4a7b9960d17755ca

When attempting to use a keyring cache that doesn't exist, set an error
message when we fail to read a principal name, as we do when we return
the same error code when using a file ccache.

[ghudson: removed unnecessary check for d->name nullity.]

ticket: 7809
target_version: 1.12.1
tags: pullup





When attempting to use a keyring cache that doesn't exist, set an error
message when we fail to read a principal name, as we do when we return
the same error code when using a file ccache.

[ghudson: removed unnecessary check for d->name nullity.]

ticket: 7809
target_version: 1.12.1
tags: pullup







Fix typo that broke 'make clean'
2013-12-20T16:06:19+00:00

Zhanna Tsitkov
tsitkova@mit.edu

2013-12-20T16:06:19+00:00

28633f186a943721b6948875ca85a4a34bc87da4

Missing $





Missing $







Add a test program for krb5_copy_context
2013-12-18T21:56:52+00:00

Greg Hudson
ghudson@mit.edu

2013-12-18T18:08:25+00:00

b78c3c8c5025aec870d20472f80d4a652062f921

This test program isn't completely proof against the kind of mistakes
we've made with krb5_copy_context in the past, but it at least
exercises krb5_copy_context and can detect some kinds of bugs.

ticket: 7807





This test program isn't completely proof against the kind of mistakes
we've made with krb5_copy_context in the past, but it at least
exercises krb5_copy_context and can detect some kinds of bugs.

ticket: 7807







Fix krb5_copy_context
2013-12-18T21:56:52+00:00

Greg Hudson
ghudson@mit.edu

2013-12-18T20:03:03+00:00

c452644d91d57d8b05ef396a029e34d0c7a48920

krb5_copy_context has been broken since 1.8 (it broke in r22456)
because k5_copy_etypes crashes on null enctype lists.  Subsequent
additions to the context structure were not reflected in
krb5_copy_context, creating double-free bugs.  Make k5_copy_etypes
handle null input and account for all new fields in krb5_copy_context.
Reported by Arran Cudbard-Bell.

ticket: 7807 (new)
target_version: 1.12.1
tags: pullup





krb5_copy_context has been broken since 1.8 (it broke in r22456)
because k5_copy_etypes crashes on null enctype lists.  Subsequent
additions to the context structure were not reflected in
krb5_copy_context, creating double-free bugs.  Make k5_copy_etypes
handle null input and account for all new fields in krb5_copy_context.
Reported by Arran Cudbard-Bell.

ticket: 7807 (new)
target_version: 1.12.1
tags: pullup