summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Clean up a redundant assignment in libprofileGreg Hudson2012-05-131-2/+0
|
* Avoid extern inline in asn1buf.hGreg Hudson2012-05-131-2/+4
| | | | | | | | Avoid using extern inline in asn1buf.h, as there are two conflicting sets of semantics (gnu89's and C99's). gcc defaults to the gnu89 semantics, which we were using, while clang defines __GNUC__ but defaults to the C99 semantics. To simplify things, use static inline instead, like we do in k5-int.h.
* Don't stomp minor code in spnego_gss_acquire_credGreg Hudson2012-05-131-3/+3
| | | | | | | When spnego_gss_acquire_cred passes through a failure status from the mechglue, it overwrites the minor code with a call to gss_release_oid_set(). Use a temporary minor status for that and a related call.
* Remove find-missing-eol-prop and fix-eol-propGreg Hudson2012-05-122-21/+0
| | | | | Remove two Subversion-specific scripts which are no longer necessary now that the master repository is in git.
* Add a .gitgnore fileGreg Hudson2012-05-121-0/+342
|
* Null-terminate components of parsed principalsGreg Hudson2012-05-122-11/+10
| | | | | | | | | | The rewritten krb5_parse_name didn't null-terminate components or realms of principals, while the old one did. Fix the new one to do so as well. This means KRB5_PRINCIPAL_PARSE_IGNORE_REALM allocates one byte for the realm instead of leaving it as empty_data(), so we need to free the realm in build_in_tkt_name() before copying in the client realm.
* Omit start time in common AS requestsGreg Hudson2012-05-112-15/+33
| | | | | | | | | | | | | | | | | | | MIT and Heimdal KDCs ignore the start time for non-postdated ticket requests, but AD yields an error if the start time is in the KDC's future, defeating the kdc_timesync option. Omit the start time if the caller did not specify a start time offset. This change reenables the client check for too much clock skew in the KDC reply in the non-timesync configuration. That check had been unintentionally suppressed since the introduction of the get_init_creds interfaces. Adjust the t_skew test script to expect the new error behavior. Code changes from stefw@gnome.org with slight modifications. ticket: 7130 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25864 dc483132-0cff-0310-8789-dd5450dbe970
* Avoid requiring default realm for in_tkt_serviceGreg Hudson2012-05-101-31/+17
| | | | | | | | Use the new KRB5_PRINCIPAL_PARSE_IGNORE_REALM flag when parsing in_tkt_service arguments in get_init_cred functions, since we're going to overwrite the realm anyway. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25863 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_parse_name flag to ignore realmGreg Hudson2012-05-102-1/+12
| | | | | | | | | | The flag KRB5_PRINCIPAL_PARSE_IGNORE_REALM causes krb5_parse_name to return the principal with an empty realm whether or not a realm is present in the name. ticket: 7129 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25862 dc483132-0cff-0310-8789-dd5450dbe970
* Rewrite krb5_parse_nameGreg Hudson2012-05-102-292/+186
| | | | | | | | | krb5_parse_name started out a bit unwieldy, and has become more so with the introduction of flags. Rewrite it using two passes (allocate and fill), each broken out into its own helper, and a wrapper which handles the realm flags. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25861 dc483132-0cff-0310-8789-dd5450dbe970
* Make password change work without default realmGreg Hudson2012-05-101-0/+5
| | | | | | | | | | | | This fix is not very general or clean, but is suitable for backporting because it is minimally invasive. A more comprehensive fix will follow. ticket: 7127 target_version: 1.10.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25860 dc483132-0cff-0310-8789-dd5450dbe970
* Add no-op macro for ngettext for non-NLS buildsGreg Hudson2012-05-091-0/+1
| | | | | | | r25857 (#7128) uses ngettext, which means we need a no-op macro for it when we're building without NLS support. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25859 dc483132-0cff-0310-8789-dd5450dbe970
* Constify get_init_creds string input paramsGreg Hudson2012-05-096-15/+17
| | | | | | | | | | | | The get_init_creds functions take read-only string input parameters for passwords and initial ticket services. Make these const char * parameters instead of just char * parameters, for caller convenience. Reported by rra@stanford.edu. ticket: 7121 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25858 dc483132-0cff-0310-8789-dd5450dbe970
* Add API to interpret changepw result stringsGreg Hudson2012-05-0910-14/+399
| | | | | | | | | | | | | Active Directory returns structured policy information in the nominally UTF-8 result string field of a password change reply. Add a new API krb5_chpw_message() to convert a result string into a displayable message, interpreting policy information if present. Patch from stefw@gnome.org with changes. ticket: 7128 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25857 dc483132-0cff-0310-8789-dd5450dbe970
* Constify krb5int_utf8_normalize input parameterGreg Hudson2012-05-092-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25856 dc483132-0cff-0310-8789-dd5450dbe970
* First pass at PKINIT client trace logsGreg Hudson2012-05-084-25/+156
| | | | | | Trace basic decisions about PKINIT client protocol processing. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25855 dc483132-0cff-0310-8789-dd5450dbe970
* Improve traced error messages from PKINIT clientGreg Hudson2012-05-082-2/+9
| | | | | | | | If we have no configured PKINIT client identity, or if we fail to create a certificate chain, set a reasonable error code (not EINVAL or ENOMEM) and a useful error message to appear in trace log output. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25854 dc483132-0cff-0310-8789-dd5450dbe970
* Improve display of error code 0 in trace outputGreg Hudson2012-05-081-1/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25853 dc483132-0cff-0310-8789-dd5450dbe970
* Use variadic macros to simplify k5-trace.hGreg Hudson2012-05-082-216/+221
| | | | | | | Also fix the facility to make it possible to trace log without including k5-int.h. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25852 dc483132-0cff-0310-8789-dd5450dbe970
* Process param/defname node for "#define". Zhanna Tsitkov2012-05-053-4/+27
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25851 dc483132-0cff-0310-8789-dd5450dbe970
* For typedef documents in Sphinx do not add short description to the titlesZhanna Tsitkov2012-05-052-30/+14
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25850 dc483132-0cff-0310-8789-dd5450dbe970
* Add generalized definition of krb5_ui_4 and krb5_int32 to the documentation ↵Zhanna Tsitkov2012-05-053-1/+24
| | | | | | for better cross-referencing. Do not include internal structure krb5_cc_ops into Sphinx documentation git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25849 dc483132-0cff-0310-8789-dd5450dbe970
* Modernize style in vfy_increds.cGreg Hudson2012-05-031-96/+104
| | | | | | | Make vfy_increds.c consistently use newer coding conventions. Also add a copyright statement. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25848 dc483132-0cff-0310-8789-dd5450dbe970
* Make verify_init_creds work with existing ccacheGreg Hudson2012-05-031-7/+0
| | | | | | | | | | | As the file ccache implementation currently stands, we don't want to turn off TC_OPENCLOSE on a file cache we're writing to, or it will be opened read-only and stores to it will fail. Reported by Russ Allbery. ticket: 5126 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25847 dc483132-0cff-0310-8789-dd5450dbe970
* The new version of Doxygen (1.7.6.1) produces different xml output around ↵Zhanna Tsitkov2012-05-031-1/+3
| | | | | | the <initializer> node. Adopt the script to the change. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25846 dc483132-0cff-0310-8789-dd5450dbe970
* Try all host keys by default in vfy_incredsGreg Hudson2012-05-035-90/+239
| | | | | | | | | | | | | | | Factor out the core code of krb5_verify_init_creds into a helper, add new helper functions to retrieve the list of unique host principals from a keytab, and make krb5_verify_init_creds drive the helper once per host principal. Augment the test harness and test cases to better test the new behavior. Add a k5test method to retrieve an NFS principal for the test realm for the sake of the new test cases. ticket: 7125 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25845 dc483132-0cff-0310-8789-dd5450dbe970
* In sn2princ, getaddrinfo without AI_ADDRCONFIGGreg Hudson2012-05-031-1/+1
| | | | | | | | | | | | | | | | | | When canonicalizing a principal, use AI_CANONNAME alone in the hint flags for getaddrinfo, for two reasons. First, it works around a gnu libc bug where getaddrinfo does a PTR lookup for the canonical name (we tried to work around this in r24977 bug the addition of AI_ADDRCONFIG caused the same problem as the use of AF_INET). Second, an IPv4-only host should be able create a principal for an IPv6-only host even if it can't contact the host. This does result in extra AAAA queries in the common case (IPv4-only host contacting IPv4-only service), which is unfortunate. But we need to leave that optimization up to the platform at this point. ticket: 7124 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25844 dc483132-0cff-0310-8789-dd5450dbe970
* Clarify profile pluggable interface documentationGreg Hudson2012-05-022-3/+11
| | | | | | | Explain how profile plugin modules integrate with libkrb5, since it's a bit different than usual. Also fix a broken note. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25843 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify krb5_do_preauthGreg Hudson2012-04-301-48/+33
| | | | | | | | Now that krb5_do_preauth has many fewer moving parts, simplify its flow control. Also remove an unused output parameter from run_preauth_plugins. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25842 dc483132-0cff-0310-8789-dd5450dbe970
* Get rid of built-in preauth types tableGreg Hudson2012-04-301-103/+53
| | | | | | | | Turn the last two entries of the pa_types table into helper functions which we invoke before the loop. Then, get rid of the part of the loop which consults the pa_types table. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25841 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify preauth2 helper functions using reallocGreg Hudson2012-04-301-45/+16
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25840 dc483132-0cff-0310-8789-dd5450dbe970
* Use correct name-type in TGS-REQs for 2008R2 RODCsTom Yu2012-04-272-12/+19
| | | | | | | | | | | | | | | | | Correctly set the name-type for the TGS principals to KRB5_NT_SRV_INST in TGS-REQs. (Previously, only AS-REQs had the name-type set in this way.) Windows Server 2008 R2 read-only domain controllers (RODCs) insist on having the correct name-type for the TGS principal in TGS-REQs as well as AS-REQs, at least for the TGT-forwarding case. Thanks to Sebastian Galiano for reporting this bug and helping with testing. ticket: 7120 target_version: 1.10.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25839 dc483132-0cff-0310-8789-dd5450dbe970
* Split up and fix get_etype_infoGreg Hudson2012-04-271-66/+83
| | | | | | | | The addition of afs3-salt processing in get_etype_info made it overly large, so split out the pw-salt/afs3-salt processing into a separate function. Also fix two dumb bugs. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25838 dc483132-0cff-0310-8789-dd5450dbe970
* Stop using SALT_TYPE_AFS_LENGTHGreg Hudson2012-04-2710-54/+51
| | | | | | | | | | | | In krb5_init_creds_ctx and krb5_clpreauth_rock_st, use a boolean to track whether we're still using the default salt instead of overloading salt.length. In preauth2.c, process afs3 salt values like we would in krb5int_des_string_to_key, and set an s2kparams indicator instead of overloading salt.length. Also use an s2kparams indicator in kdb_cpw.c's add_key_pwd. Remove the s2k code to handle overloaded salt lengths, except for a sanity check. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25837 dc483132-0cff-0310-8789-dd5450dbe970
* Fix TRACE_PREAUTH_SALT format stringGreg Hudson2012-04-271-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25836 dc483132-0cff-0310-8789-dd5450dbe970
* Draft initial credentials API documentationTom Yu2012-04-272-0/+60
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25835 dc483132-0cff-0310-8789-dd5450dbe970
* Refactor client etype-info handling in preauth2.cGreg Hudson2012-04-271-134/+78
| | | | | | | Pull etype-info2, etype-info, pw-salt, and afs3-salt handling out of the pa_types loop into a new helper function get_etype_info(). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25834 dc483132-0cff-0310-8789-dd5450dbe970
* Ensure null termination of AFS saltsGreg Hudson2012-04-271-1/+1
| | | | | | | | | | | Use krb5int_copy_data_contents_add0 when copying a pa-pw-salt or pa-afs3-salt value in pa_salt(). If it's an afs3-salt, we're going to throw away the length and use strcspn in krb5int_des_string_to_key, which isn't safe if the value is unterminated. ticket: 2545 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25833 dc483132-0cff-0310-8789-dd5450dbe970
* Make it easier to test SAM-2 client codeGreg Hudson2012-04-266-120/+407
| | | | | | | | | | | | | Add a method to the securid_sam2 plugin, built with alternate compile-time flags, which supplies a plain-text challenge to the client to be used as the OTP value. This lets us manually exercise the SAM-2 client code and a little bit of the KDC code. securid_make_sam_challenge_2_and_cksum is moved into the method- independent code and renamed. get_securid_edata_2 has its sc2b parameter removed as it was not used by the caller. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25832 dc483132-0cff-0310-8789-dd5450dbe970
* Convert SAM-2 preauth mechanism to a moduleGreg Hudson2012-04-264-371/+442
| | | | | | | Move the last real preauth mechanism, SAM-2, from the pa_types table to a built-in module. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25831 dc483132-0cff-0310-8789-dd5450dbe970
* Remove orphaned Apple PKINIT supportGreg Hudson2012-04-2618-4898/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25830 dc483132-0cff-0310-8789-dd5450dbe970
* Rearrange navigation buttons in the HTML headerZhanna Tsitkov2012-04-261-3/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25829 dc483132-0cff-0310-8789-dd5450dbe970
* Add kadmin ACL enforcement testsGreg Hudson2012-04-262-0/+351
| | | | | | | | | Add a Python script to test the enforcement of kadm5.acl specifications, including wildcards and restrictions. ticket: 7097 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25828 dc483132-0cff-0310-8789-dd5450dbe970
* Allow clearpolicy restriction for kadmin addprincGreg Hudson2012-04-261-4/+5
| | | | | | | | | | Although the kadmin client never generates a KADM5_POLICY_CLR mask bit with addprinc, the bit will be set if a kadm5.acl line imposes the -clearpolicy restriction. Relax the sanity checking in kadm5_create_principal_3 to allow KADM5_POLICY_CLR as long as KADM5_POLICY is not also set. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25827 dc483132-0cff-0310-8789-dd5450dbe970
* Add k5test.py helpers for running kadminGreg Hudson2012-04-262-11/+32
| | | | | | | | Add K5Realm.prep_kadmin() to create a ccache and K5Realm.run_kadmin() to run a kadmin query using it. Modify t_stringattr.py to use these helpers instead of its own. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25826 dc483132-0cff-0310-8789-dd5450dbe970
* Flip the default of start_kadmind in k5test.pyGreg Hudson2012-04-2621-40/+35
| | | | | | | Very few Python tests need kadmind, so it makes more sense to have to turn it on than to have to turn it off. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25825 dc483132-0cff-0310-8789-dd5450dbe970
* Minor cleanup (mostly to remove the "Contents" section titles)Zhanna Tsitkov2012-04-255-22/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25824 dc483132-0cff-0310-8789-dd5450dbe970
* Use "agogo" HTML theme (with some modifications) for the Sphinx ↵Zhanna Tsitkov2012-04-253-9/+112
| | | | | | documentation. Do not show the ReST source files git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25823 dc483132-0cff-0310-8789-dd5450dbe970
* Clear preauth use counts for each AS requestGreg Hudson2012-04-251-0/+1
| | | | | | | | | | | | | Initialize use_count fields in krb5_preauth_request_context_init, which is invoked before each AS request. Previously they were initialized only in krb5_init_preauth_context, which is only invoked once per krb5 library context. ticket: 7119 target_version: 1.10.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25822 dc483132-0cff-0310-8789-dd5450dbe970
* Add KRB5_TRACE test caseGreg Hudson2012-04-241-1/+19
| | | | | | | | | In t_general.py, run kinit with KRB5_TRACE enabled and make sure we see some basic strings in the resulting file. ticket: 7113 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25821 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-10-03 10:23:18 +0000