summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Merge some very simple points of divergence in the two copies of network.c ↵Ken Raeburn2009-01-142-27/+18
| | | | | | | | -- enum ordering, whitespace, duplicate macro definitions, unused code, 0 vs NULL... git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21746 dc483132-0cff-0310-8789-dd5450dbe970
* Pass s4u name and c_flags to log_tgs_req. If values are supplied, logKen Raeburn2009-01-143-5/+23
| | | | | | | | an additional message to record the name and s4u mode. Untested for lack of code to invoke these code paths. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21745 dc483132-0cff-0310-8789-dd5450dbe970
* Force tickets acquired by the kadm5 client library via passwordRuss Allbery2009-01-141-1/+5
| | | | | | | | | | | | | | | authentication to be non-forwardable and non-proxiable, overridding any [libdefaults] configuration. This may be necessary at sites that set forwardable to true by default in their krb5.conf files but disable forwardable tickets for privileged principals. Since the ticket cache acquired by the kadm5 client library is used only for kadmin operations, where forwardable is not useful or necessary, there is no reason to ever attempt to obtain forwardable or proxiable tickets here. Ticket: 6337 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21744 dc483132-0cff-0310-8789-dd5450dbe970
* Patch from Luke Howard to:Sam Hartman2009-01-1310-62/+198
| | | | | | | | | | * Accept both CFX and non-CFX tokens all the time on acceptor * Only produce an acceptor subkey if you are using cfx or dce or negotiating up to cfx Additional changes from Sam Hartman: * do not assume that the ticket key type (server key) is a valid target for negotiation: the client may not support it. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21742 dc483132-0cff-0310-8789-dd5450dbe970
* /tmp/3Ken Raeburn2009-01-133-91/+39
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21741 dc483132-0cff-0310-8789-dd5450dbe970
* FreeBSD compiler errors out on an error "zero or negative size array"Ezra Peisach2009-01-131-0/+8
| | | | | | | | | | | | after setting up an array with no elements. ifdef out array declarations and code that uses it until there are entries. Affects: krb5_gss_inquire_cred_by_oid_ops and krb5_gss_set_sec_context_option_ops which would return an error in any case as here are no entries in the arrays. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21740 dc483132-0cff-0310-8789-dd5450dbe970
* Add a call to limit_string that appears to have been accidentally removedSam Hartman2009-01-121-0/+1
| | | | | | somewhere along the mskrb-integ branch git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21729 dc483132-0cff-0310-8789-dd5450dbe970
* Remove gss_export_name_object and gss_import_name_object.Sam Hartman2009-01-129-243/+0
| | | | | | | | These are not standard interfaces, are not used by our tree and were added because they might be useful but ended up not being used. The stubs in gssapi.hin remain as they were shipped with previous releases. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21728 dc483132-0cff-0310-8789-dd5450dbe970
* Patch from Luke Howard:Sam Hartman2009-01-123-7/+30
| | | | | | | | | Previously when using the kdb keytab, there was a check to confirm that the server was supported as a server and that attackers could not force an enctype downgrade. Add these to kdc_get_server_key git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21727 dc483132-0cff-0310-8789-dd5450dbe970
* Patch from Luke HowardSam Hartman2009-01-121-5/+2
| | | | | | There's a superfluous check in kdc_util.c; ad_entry is always non NULL git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21726 dc483132-0cff-0310-8789-dd5450dbe970
* Restore behavior of returning KRB5APP_ERR_BAD_INTEGRITY fromSam Hartman2009-01-121-1/+1
| | | | | | | | preauth methods. This creates a problem for Windows clients, but not doing it creates a problem for MIT clients. Today our KDC is more likely to be used with MIT clients, but we need to examine this issues in more detail. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21725 dc483132-0cff-0310-8789-dd5450dbe970
* Check the return code from krb5int_clean_hostname as the sanity ↵Zhanna Tsitkov2009-01-121-3/+7
| | | | | | verification of the hostname might fail git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21724 dc483132-0cff-0310-8789-dd5450dbe970
* Add message hash support to the replay interface, using extensionGreg Hudson2009-01-1215-43/+384
| | | | | | | | | | | | | | records (with an empty client string) to retain compatibility with old code. For rd_req, the ciphertext of the authenticator (with no ASN.1 wrapping) is hashed; for other uses of the replay cache, no message hash is used at this time. This commit adds a command-line tool for testing the replay cache but does not add any automated tests. ticket: 1201 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21723 dc483132-0cff-0310-8789-dd5450dbe970
* Follow "off-path" TGT referralsTom Yu2009-01-091-21/+189
| | | | | | | ticket: 5627 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21720 dc483132-0cff-0310-8789-dd5450dbe970
* Remove conflict marker; restore broken copyright lineKen Raeburn2009-01-091-2/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21719 dc483132-0cff-0310-8789-dd5450dbe970
* kdb/keytab.c: map KRB5_KDB_NO_MATCHING_KEY to KRB5_KT_KVNONOTFOUND.Sam Hartman2009-01-071-0/+2
| | | | | | | At least in cases other than tgts, this code handles its own enctype matching, so kvno not found is the only thing that produces the no matching key error. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21718 dc483132-0cff-0310-8789-dd5450dbe970
* Don't create include/kerberosIV on installationKen Raeburn2009-01-072-2/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21717 dc483132-0cff-0310-8789-dd5450dbe970
* Add support for referral null realms and use the default realm as ↵Sam Hartman2009-01-061-2/+10
| | | | | | | | krb5_rd_req_extended does ticket: 5954 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21716 dc483132-0cff-0310-8789-dd5450dbe970
* Remove ksu's own implementation of krb5_verify_init_creds now that it is not ↵Sam Hartman2009-01-061-122/+0
| | | | | | | | | used ticket: 5954 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21715 dc483132-0cff-0310-8789-dd5450dbe970
* Ksu should call krb5_verify_init_creds instead of using its own function.Sam Hartman2009-01-061-7/+13
| | | | | | | | | This was prompted by a desire for ksu to work without a domain_realm mapping for the local server, but the duplication of code is bad anyway. ticket: 5954 Status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21714 dc483132-0cff-0310-8789-dd5450dbe970
* Set RELTAIL back to "trunk"Tom Yu2009-01-061-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21713 dc483132-0cff-0310-8789-dd5450dbe970
* Patch from Luke HowardSam Hartman2009-01-062-39/+30
| | | | | | to make an explicit call to check the ACL for s4u delegations rather than relying on tl-data. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21712 dc483132-0cff-0310-8789-dd5450dbe970
* be a little looser in checking for tail outputKen Raeburn2009-01-061-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21711 dc483132-0cff-0310-8789-dd5450dbe970
* remove unused fileKen Raeburn2009-01-061-190/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21710 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up many error-condition leaks of the server handle in theGreg Hudson2009-01-061-83/+46
| | | | | | kadmind server stubs. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21709 dc483132-0cff-0310-8789-dd5450dbe970
* In kadmin, remove a bunch of checks for handle being NULL (some old,Greg Hudson2009-01-061-41/+41
| | | | | | | some introduced by the last rev) when it is known from context that handle is not NULL. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21708 dc483132-0cff-0310-8789-dd5450dbe970
* Fix capitalizationSam Hartman2009-01-062-3/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21707 dc483132-0cff-0310-8789-dd5450dbe970
* Oops. Don't include openssl install paths from my local machine.Ken Raeburn2009-01-051-19/+3
| | | | | | | | Thanks to Ezra for noticing so quickly. ticket: 6315 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21706 dc483132-0cff-0310-8789-dd5450dbe970
* include string.hKen Raeburn2009-01-051-0/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21705 dc483132-0cff-0310-8789-dd5450dbe970
* fix missed var renameKen Raeburn2009-01-051-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21704 dc483132-0cff-0310-8789-dd5450dbe970
* Define SWAP16 if not already definedKen Raeburn2009-01-051-0/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21703 dc483132-0cff-0310-8789-dd5450dbe970
* No C++ style comments in C code pleaseKen Raeburn2009-01-051-4/+4
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21702 dc483132-0cff-0310-8789-dd5450dbe970
* move generated dependencies out of Makefile.inKen Raeburn2009-01-05207-7120/+7012
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Move automatically-generated dependencies into separate files in the source tree, and take the data out of Makefile.in. Keep the "make depend" rules for stripping out the dependencies from Makefile.in, in case some optional directories were missed, but everything that builds on my UNIX build has been converted. (Converting a directory just requires creating an empty "deps" file so that config.status can build the makefile, and then later running "make depend" in that directory to get the correct content for it.) Change configure scripts to incorporate the "deps" file when building each Makefile. This change requires the existence of a file "deps" in each source directory where we build a makefile, even if there are no sources for which to compute dependencies; a switch to GNU make would let us conditionalize that, but we can assess that later. Update dependencies for the generate Makefile itself to list the deps file. This will also require some minor tweaking of the Windows build, to make it incorporate the new deps file. ticket: new git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21701 dc483132-0cff-0310-8789-dd5450dbe970
* Build against Python 2.5 as well as 2.3. Long term, should use python-configKen Raeburn2009-01-053-2/+9
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21700 dc483132-0cff-0310-8789-dd5450dbe970
* fix minor comment typosKen Raeburn2009-01-051-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21699 dc483132-0cff-0310-8789-dd5450dbe970
* fix merge of new openldap noticeKen Raeburn2009-01-051-3/+4
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21698 dc483132-0cff-0310-8789-dd5450dbe970
* ifdef out unused functions that are also missing prototypes.Ezra Peisach2009-01-051-0/+2
| | | | | | krb5int_utf8_islower and krb5int_utf8_isupper. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21697 dc483132-0cff-0310-8789-dd5450dbe970
* Include ucdata/ucdata.h for missing prototypesEzra Peisach2009-01-051-0/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21696 dc483132-0cff-0310-8789-dd5450dbe970
* Include strings.h for memset prototypeEzra Peisach2009-01-052-0/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21695 dc483132-0cff-0310-8789-dd5450dbe970
* Remove support for setting a client flag indicating pkinit is used on the db ↵Sam Hartman2009-01-031-3/+0
| | | | | | | | | | | entry. I'm reasonably sure that this would belong in a pkinit plugin not in do_as_req.c. Also, the flag should be documented to indicate what it means--client attempted pkinit? Client succeeded in using pkinit? I also wonder whether you want a mechanism for a db plugin to figure out all the padata or fast factors that a request is using. Note that this flag will need to be added back by at least one vendor. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21694 dc483132-0cff-0310-8789-dd5450dbe970
* xrealm_non_transitive not trust_non_transitiveSam Hartman2009-01-032-4/+4
| | | | | | | | | | Kerberos does not imply trust in the existence of a cross-realm key. Trust is implied when a foreign principal is placed on an ACL: the remote realm is trusted to authenticate that principal and is trusted not to confuse one principal with another. Keep terminology consistent. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21693 dc483132-0cff-0310-8789-dd5450dbe970
* Remove flags that do not correspond to behavior we supportSam Hartman2009-01-031-4/+0
| | | | | | | non_ms_principal would need to be phrased in terms of what behavior is being changed, not client OS. The pkinit flag would need to be better documented git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21692 dc483132-0cff-0310-8789-dd5450dbe970
* KDB API should not be publicSam Hartman2009-01-031-3/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21691 dc483132-0cff-0310-8789-dd5450dbe970
* Merge mskrb-integ onto trunkSam Hartman2009-01-03271-4617/+58990
| | | | | | | | | | | | | | | | | | | | | | | | The mskrb-integ branch includes support for the following projects: Projects/Aliases * Projects/PAC and principal APIs * Projects/AEAD encryption API * Projects/GSSAPI DCE * Projects/RFC 3244 In addition, it includes support for enctype negotiation, and a variety of GSS-API extensions. In the KDC it includes support for protocol transition, constrained delegation and a new authorization data interface. The old authorization data interface is also supported. This commit merges the mskrb-integ branch on to the trunk. Additional review and testing is required. Merge commit 'mskrb-integ' into trunk ticket: new status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21690 dc483132-0cff-0310-8789-dd5450dbe970
* With no more fakeka, we don't need the --enable-fakeka optionKen Raeburn2009-01-031-8/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21683 dc483132-0cff-0310-8789-dd5450dbe970
* Remove some unused AC_SUBSTsKen Raeburn2009-01-031-2/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21682 dc483132-0cff-0310-8789-dd5450dbe970
* Remove some unused variablesKen Raeburn2009-01-033-20/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21681 dc483132-0cff-0310-8789-dd5450dbe970
* Rewrite walk_rtree.c to handle hierarchical traversal better and to beTom Yu2009-01-023-309/+468
| | | | | | | | less convoluted. Update test cases. ticket: 5947 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21659 dc483132-0cff-0310-8789-dd5450dbe970
* Set auth_context's rcache to NULL after destroying and before callingTom Yu2008-12-311-1/+1
| | | | | | | krb5_auth_con_free, to avoid crashing when krb5_rc_close tries to run using a destroyed rcache handle. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21644 dc483132-0cff-0310-8789-dd5450dbe970
* I don't know what it was that someone else didn't know, but it doesn'tKen Raeburn2008-12-311-5/+3
| | | | | | belong in the copyright header. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21642 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-10-14 18:14:19 +0000