summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* kfw installer: use MSVC 2010 merge modulesTom Yu2011-12-123-138/+37
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25547 dc483132-0cff-0310-8789-dd5450dbe970
* Windows leash fixes: 'make install' installs leash exesTom Yu2011-12-121-0/+1
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25546 dc483132-0cff-0310-8789-dd5450dbe970
* Windows leash64 fixes: use proper names for leash and krb5 dllsTom Yu2011-12-121-0/+6
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25545 dc483132-0cff-0310-8789-dd5450dbe970
* kfw installer: add runtime.wxi WIXINCLUDES in Makefile to fix dependenciesTom Yu2011-12-121-0/+1
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25544 dc483132-0cff-0310-8789-dd5450dbe970
* LeashView.cpp: only specify TVIF_TEXT if there is actually textTom Yu2011-12-121-1/+4
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25543 dc483132-0cff-0310-8789-dd5450dbe970
* windows ccapi: use a random challenge to authenticate ccapiserverTom Yu2011-12-121-2/+38
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25542 dc483132-0cff-0310-8789-dd5450dbe970
* windows ccapi: launch server without console by defaultTom Yu2011-12-121-5/+6
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25541 dc483132-0cff-0310-8789-dd5450dbe970
* Make ccapiserver exit if its receiveloop thread terminates for any reasonTom Yu2011-12-122-2/+10
| | | | | | | | | | This happens, for example, when the rpc endpoint is already registered by another ccapiserver process. There's no reason to leave a zombie process running that can't receive messages. ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25540 dc483132-0cff-0310-8789-dd5450dbe970
* fix warning in test_cc_credentials_iterator_next.cTom Yu2011-12-121-0/+1
| | | | | | | | include test_ccapi_iterators.h for check_cc_credentials_iterator_next ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25539 dc483132-0cff-0310-8789-dd5450dbe970
* windows ccapiserver: replace Sleep with event waitTom Yu2011-12-125-10/+52
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25538 dc483132-0cff-0310-8789-dd5450dbe970
* Corrected the name of KRB5_NT_SRV_HST macro. Added some doxygen commentsZhanna Tsitkov2011-12-121-30/+21
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25537 dc483132-0cff-0310-8789-dd5450dbe970
* Fix subkey memory leak in krb5_get_credentialsGreg Hudson2011-12-091-0/+2
| | | | | | | | | | | If a get_credentials operation requires multiple TGS requests, we need to free the subkey from previous requests before saving a new one. ticket: 7049 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25536 dc483132-0cff-0310-8789-dd5450dbe970
* Fix memory leaks in FAST TGS supportGreg Hudson2011-12-092-4/+12
| | | | | | | | | | krb5int_fast_prep_req remove tgs from request->padata and needs to free it. get_creds.c needs to use a fresh FAST state for each TGS request to avoid leaking armor keys. ticket: 7026 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25535 dc483132-0cff-0310-8789-dd5450dbe970
* Actually allow null server key in krb5_pac_verifyGreg Hudson2011-12-081-3/+0
| | | | | | ticket: 7048 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970
* Remove reference to krb5_anadd. Correct the name of HAVE_GETUSERSHELL flagZhanna Tsitkov2011-12-071-140/+164
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25533 dc483132-0cff-0310-8789-dd5450dbe970
* Allow null server key to krb5_pac_verifyGreg Hudson2011-12-072-6/+8
| | | | | | | | | | When the KDC verifies a PAC, it doesn't really need to check the server signature, since it can't trust that anyway. Allow the caller to pass only a TGT key. ticket: 7048 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970
* Add automated tests for S4U2Self and S4U2ProxyGreg Hudson2011-12-075-9/+347
| | | | | | | | | These tests mainly exercise the client-side GSSAPI code for S4U2Self and S4U2Proxy. They also exercise the KDC code for S4U2Self, but only the denial logic for S4U2Proxy since the DB2 back end doesn't support constrained delegation currently. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25531 dc483132-0cff-0310-8789-dd5450dbe970
* Allow S4U2Proxy service tickets to be cachedGreg Hudson2011-12-071-3/+1
| | | | | | | | | | Previous to this change, the GSS code avoids caching S4U2Proxy results for fear of the memory cache growing without bound, but that seems unlikely to be a serious problem. Allow these to be cached. ticket: 7047 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25530 dc483132-0cff-0310-8789-dd5450dbe970
* Allow S4U2Proxy delegated credentials to be savedGreg Hudson2011-12-078-31/+89
| | | | | | | | | | | | | | | The initial implementation of client-side S4U2Proxy support did not allow delegated proxy credentials to be stored (gss_store_cred would error out, and gss_krb5_copy_ccache would generate a non-working cache). To make this work, we save the impersonator name in a cache config variable and in a cred structure field (replacing the proxy_cred flag), and make the default principal of the proxy cache the subject principal as the caller would expect for a regular delegated cred. ticket: 7046 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25529 dc483132-0cff-0310-8789-dd5450dbe970
* SA-2011-007 KDC null pointer deref in TGS handling [CVE-2011-1530]Tom Yu2011-12-063-1/+11
| | | | | | | | | | | Fix a null pointer dereference condition that could cause a denial of service. ticket: 7042 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25525 dc483132-0cff-0310-8789-dd5450dbe970
* make dependKen Raeburn2011-12-052-5/+10
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25505 dc483132-0cff-0310-8789-dd5450dbe970
* Set a default enctype for optimistic preauthGreg Hudson2011-12-041-0/+8
| | | | | | | | | | | | | | | | | | | | | | When the client application requests optimistic preauth for a preauth type which uses the password, we don't have an etype-info2 to interpret since we haven't talked to the KDC. So we need to guess an enctype, salt, and s2k parameters. In 1.9 and prior, encrypted timestamp contained code to use the first requested enctype in this case, but encrypted challenge did not. In 1.10 prior to this change, neither mechanism uses a reasonable default. Set a default enctype in krb5_init_creds_init so that all password-based preauth mechanisms will use a reasonable default in the optimistic preauth case. The default salt and s2k parameters for this case will be the principal-based default salt and the enctype-based default parameters. ticket: 7033 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25504 dc483132-0cff-0310-8789-dd5450dbe970
* Added support for loading of Krb5.ini from Windows APPDATASam Hartman2011-12-021-8/+77
| | | | | | | | | | Signed-off-by: Alexey Melnikov <aamelnikov@gmail.com> ticket: 7038 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25500 dc483132-0cff-0310-8789-dd5450dbe970
* Use LsaDeregisterLogonProcess(), not CloseHandle()Sam Hartman2011-12-021-9/+9
| | | | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7037 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25499 dc483132-0cff-0310-8789-dd5450dbe970
* Fix free ofuninitialized memory in sname_to_princSam Hartman2011-12-021-2/+3
| | | | | | | | | | | Fix free of uninitialized memory in error case introduced in 1.10 development cycle. ticket: 7036 tags: pullup Target_Version: 1.10 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25498 dc483132-0cff-0310-8789-dd5450dbe970
* krb5_lcc_store() now ignores config credentialsSam Hartman2011-12-021-0/+9
| | | | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7035 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25497 dc483132-0cff-0310-8789-dd5450dbe970
* mk_cred: memory managementSam Hartman2011-12-021-1/+1
| | | | | | | | | | | | | | Fix for mk_cred.c: calloc() not malloc() Avoid calling free() in cleanup on uninitialized sub-ptrs if error occurs. Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7034 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25496 dc483132-0cff-0310-8789-dd5450dbe970
* Added Test Coverage topicZhanna Tsitkov2011-11-302-0/+34
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25495 dc483132-0cff-0310-8789-dd5450dbe970
* Ldap dependency for parallel buildsSam Hartman2011-11-291-0/+3
| | | | | | | | | | The ldap plugin needs to declare a dependency on the ldap library ticket: 7030 tags: pullup target_version: 1.10 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25494 dc483132-0cff-0310-8789-dd5450dbe970
* Fix --with-system-verto without pkg-configGreg Hudson2011-11-291-1/+1
| | | | | | | | | | | | If we're using the system verto and pkg-config isn't found but libverto is, set VERTO_LIBS to just -lverto as there won't be a k5ev module. ticket: 7029 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25493 dc483132-0cff-0310-8789-dd5450dbe970
* Use INSTALL_DATA to avoid marking .mo files executableSam Hartman2011-11-291-1/+1
| | | | | | ticket: new target_version: 1.10 tags: pullup subject: Use INSTALL_DATA to install message catalogues git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25492 dc483132-0cff-0310-8789-dd5450dbe970
* AC_CHECK_LIB should put -lcrypto in PKINIT_CRYPTO_IMPL_LIBS not LIBSSam Hartman2011-11-291-1/+1
| | | | | | | | | for pkinit. A similar problem exists for crypto_impl and is not addressed by this patch. ticket: new Subject: LIBS should not include PKINIT_CRYPTO_IMPL_LIBS tags: pullup target_version: 1.10 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25491 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust krb5int_decode_tgs_rep, closing a leakGreg Hudson2011-11-231-19/+20
| | | | | | | | Use current practices for parameter naming and resource cleanup. Avoid a leak of local_dec_rep (now named dec_rep) if we take a "goto cleanup" path. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25490 dc483132-0cff-0310-8789-dd5450dbe970
* Whitespace, style changes to past two commitsGreg Hudson2011-11-235-76/+84
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25489 dc483132-0cff-0310-8789-dd5450dbe970
* FAST TGSSam Hartman2011-11-237-18/+129
| | | | | | | | | | Implement RFC 6113 FAST TGS support. Includes library support for a varient of explicit TGS armor that has not yet been proposed within the IETF. ticket: 7026 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25488 dc483132-0cff-0310-8789-dd5450dbe970
* FAST: error handling and const keyblockSam Hartman2011-11-232-23/+34
| | | | | | | | | | | | krb5int_fast_process_error: Allow out_padata and retry to be null for TGS case. Refactor function to do more frees in the exit handling and to declare variables at the top. krb5int_fast_reply_key: input keyblock arguments should be const ticket: 7025 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25487 dc483132-0cff-0310-8789-dd5450dbe970
* ticket: newSam Hartman2011-11-236-59/+49
| | | | | | | | | | | | | | | | | subject: FAST PKINIT target_version: 1.10 tags: pullup Per RFC 6113 fast should use the inner request body for the pkinit checksum. We did that on the KDC; now do so on the client. Remove code that explicitly blocked pkinit under FAST. Also, use the reply key *before* the strengthen key is applied when verifying the PADATA_PKINIT_KX. Add FAST pkinit test. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25486 dc483132-0cff-0310-8789-dd5450dbe970
* Use POSIX constants instead of S_IREAD/S_IWRITEGreg Hudson2011-11-221-2/+2
| | | | | | | | S_IREAD and S_IWRITE are ancient names for S_IRUSR and S_IWUSR, and are not defined on some modern platforms (such as Android). Use the POSIX names instead. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25485 dc483132-0cff-0310-8789-dd5450dbe970
* Fix compile error in previous changeGreg Hudson2011-11-221-1/+0
| | | | | | | | | A last-minute code editing mistake crept into the previous commit; fix it. ticket: 7023 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25484 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up client-side preauth error data handlingGreg Hudson2011-11-217-116/+97
| | | | | | | | | | | | | | | | | | | | | | | | Change the clpreauth tryagain method to accept a list of pa-data, taken either from the FAST response or from decoding the e_data as either pa-data or typed-data. Also change the in_padata argument to contain just the type of the request padata rather than the whole element, since modules generally shouldn't care about the contents of their request padata (or they can remember it). In krb5int_fast_process_error, no longer re-encode FAST pa-data as typed-data for the inner error e_data, but decode traditional error e_data for all error types, and try both pa-data and typed-data encoding. In PKINIT, try all elements of the new pa-data list, since it may contain FAST elements as well as the actual PKINIT array. (Fixes an outstanding bug in FAST PKINIT.) ticket: 7023 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25483 dc483132-0cff-0310-8789-dd5450dbe970
* Recognize IAKERB mech in krb5_gss_display_statusGreg Hudson2011-11-211-1/+2
| | | | | | | | | | | | Minor status codes were not displaying properly when originated from the IAKERB mech, because of a safety check on mech_type. From Ralf Haferkamp <rhafer@suse.de>. ticket: 7020 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25482 dc483132-0cff-0310-8789-dd5450dbe970
* Formating fixes and update per rev#25480Zhanna Tsitkov2011-11-212-84/+78
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25481 dc483132-0cff-0310-8789-dd5450dbe970
* Fix failure interval of 0 in LDAP lockout codeGreg Hudson2011-11-202-3/+4
| | | | | | | | | | | | | | | | A failure count interval of 0 caused krb5_ldap_lockout_check_policy to pass the lockout check (but didn't cause a reset of the failure count in krb5_ldap_lockout_audit). It should be treated as forever, as in the DB2 back end. This bug is the previously unknown cause of the assertion failure fixed in CVE-2011-1528. ticket: 7021 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25480 dc483132-0cff-0310-8789-dd5450dbe970
* Improve documentation in preauth_plugin.hGreg Hudson2011-11-191-6/+15
| | | | | | | | | | Also declare the verto_context structure to ensure that it is has the proper scope when used as the return type of the event_context callback. ticket: 7019 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25479 dc483132-0cff-0310-8789-dd5450dbe970
* Document --with-system-verto in rst docsGreg Hudson2011-11-181-0/+18
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25478 dc483132-0cff-0310-8789-dd5450dbe970
* Fix k5test error message for missing runenv.pyGreg Hudson2011-11-151-1/+1
| | | | | | | "make fake-install" no longer exists, so tell the developer to run "make runenv.py" instead. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25477 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust "make check" constraints in rst docsGreg Hudson2011-11-151-3/+8
| | | | | | | | Recopy the text from the texinfo build docs into the rst version, describing --disable-rpath and avoiding an erroneous reference to make fake-install. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25476 dc483132-0cff-0310-8789-dd5450dbe970
* Make verto context available to kdcpreauth modulesGreg Hudson2011-11-158-13/+31
| | | | | | | | | | | | Add an event_context callback to kdcpreauth. Adjust the internal KDC and main loop interfaces to pass around the event context, and expose it to kdcpreauth modules via the rock. ticket: 7019 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25475 dc483132-0cff-0310-8789-dd5450dbe970
* Update verto to 0.2.2 releaseGreg Hudson2011-11-1511-381/+939
| | | | | | | | | | | | | Update verto sources to 0.2.2 release versions. verto_reinitialize() now has a return value; check it in kdc/main.c. Store verto-libev.c alongside verto-k5ev.c to make it easy to diff corresponding versions when updating. ticket: 7018 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25474 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify and fix kdcpreauth request_body callbackGreg Hudson2011-11-147-30/+53
| | | | | | | | | | | | | | | | | | | Alter the contract for the kdcpreauth request_body callback so that it returns an alias to the encoded body instead of a fresh copy. At the beginning of AS request processing, save a copy of the encoded request body, or the encoded inner request body for FAST requests. Previously the request_body callback would re-encode the request structure, which in some cases has been modified by the AS request code. No kdcpreauth modules currently use the request_body callback, but PKINIT will need to start using it in order to handle FAST requests correctly. ticket: 7017 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25473 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-30 08:54:32 +0000