| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
MSVC 2010 defines both Posix and WinSock error values so we can no longer
simply #define the Posix error values to be their WinSock counterpart.
This patch explicitly #includes <errno.h> in port-sockets.h and still
conditionally defines the Posix error values for compatibility with older
MSVC but also translates WinSock errors to Posix for MSVC 2010
compatibility.
The downside to this approach is that there are some Posix errors we
do not currently detect (e.g. EADDRINUSE) that are neither #defined nor
translated. If we use one of those in the future but fail to update
TranslateWSAGetLastError() we'll once again be in the situation that the
windows build will compile but fail to work, possibly only when some rare
error condition occurs.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7197 (new)
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
| |
Previously, if configure did not detect dgettext(), we disabled
anything that smelled like localization, inadvertently including
setlocale(). Now that we use setlocale(LC_ALL, ""), we have
localized dates available as well as messages, so we should not
disable calls to setlocale() any more.
Since the routines from locale.h are only used in a relatively
small number of places, just include the header directly in those
files and remove it from k5-platform.h.
|
| |
|
|
|
|
|
|
|
| |
Accept UDP datagrams up to 64K in size. We should still detect when
an oversized datagram comes in by comparing against the maximum size,
but this is trivial and covers 90% of the practical issues.
ticket: 6566
status: open
|
| |
|
|
|
|
|
|
|
| |
Support acquiring GSSAPI krb5 credentials by fetching initial
credentials using the client keytab. Credentials obtained this way
will be stored in the default ccache or collection, and will be
refreshed when they are halfway to expiring.
ticket: 7189 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The default client keytab is intended to be used to automatically
acquire initial credentials for client applications. The current
hardcoded default is a placeholder, and will likely change before
1.11.
Add test framework settings to ensure that a system default client
keytab doesn't interfere with tests, and to allow tests to be written
to deliberately use the default client keytab.
Add documentation about keytabs to the concepts section of the RST
docs, and describe the default client keytab there.
ticket: 7188 (new)
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Also, in klist, use the appropriate libkrb5 free functions for
krb5_cc_get_full_name and krb5_unparse_name_results. Reported by
Kevin Wasserman.
ticket: 7179
|
| | |
|
| |
|
|
|
|
|
| |
Add a new API to determine whether any krb5 credentials are available
in the ccache collection. Add tests to t_cccol.py.
ticket: 7173 (new)
|
| |
|
|
|
| |
krb5int_cc_os_default_name has been unused since #6955 removed the
call to it in cccursor.c. Get rid of it.
|
| |
|
|
|
|
|
| |
Rename krb5int_count_etypes and krb5int_copy_etypes to have k5_
prefixes, and make them available outside of libkrb5 (but not part of
the public API). Add k5_etypes_contains to search an etype list, and
use it in krb5_is_permitted_enctype.
|
| |
|
|
|
| |
It's an internal function (not in krb5.h or the libkrb5 export list)
and nothing uses it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a principal string attribute named "session_enctypes" which can
specify what enctypes the principal supports for session keys. (For
what it's worth, this actually allows one to list des-cbc-md5 as a
supported session key enctype, though obviously this hardly matters
now.)
Add a [realms] section parameter for specifying whether to assume that
principals (which lack the session_enctypes attribute) support
des-cbc-crc for session keys. This allows those who still need to use
allow_weak_crypto=true, for whatever reason, to start reducing the
number of tickets issued with des-cbc-crc session keys to clients
which still give des-cbc-crc preference in their default_tgs_enctypes
list.
[ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored
test script; documented session_enctypes attribute]
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add the krb5_kt_have_content API from Heimdal, which can be used to
test whether a keytab exists and contains entries. Add tests to
t_keytab.c.
There is a deviation from Heimdal in the function signature.
Heimdal's signature returns a krb5_boolean at the moment, because the
Heimdal implementation actually returns a krb5_error_code. These are
generally the same type anyway (int).
ticket: 7158 (new)
|
| |
|
|
|
| |
queue.h implements various types of linked lists as cpp macros,
without needing any library support.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The referrals debugging code under DEBUG_REFERRALS ceased building
correctly at some point. Convert this debugging code to use the
tracing framework instead, including adding new trace macros to
k5-trace.h.
ticket: 7151
|
| |
|
|
|
|
|
| |
Add the "{ptype}" trace format specifier, for principal name types.
Also document the new option in the "k5-trace.h" comments.
ticket: 7151
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The flag KRB5_PRINCIPAL_PARSE_IGNORE_REALM causes krb5_parse_name to
return the principal with an empty realm whether or not a realm is
present in the name.
ticket: 7129
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25862 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
| |
krb5_parse_name started out a bit unwieldy, and has become more so
with the introduction of flags. Rewrite it using two passes (allocate
and fill), each broken out into its own helper, and a wrapper which
handles the realm flags.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25861 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
| |
r25857 (#7128) uses ngettext, which means we need a no-op macro for it
when we're building without NLS support.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25859 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The get_init_creds functions take read-only string input parameters
for passwords and initial ticket services. Make these const char *
parameters instead of just char * parameters, for caller convenience.
Reported by rra@stanford.edu.
ticket: 7121
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25858 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Active Directory returns structured policy information in the
nominally UTF-8 result string field of a password change reply. Add a
new API krb5_chpw_message() to convert a result string into a
displayable message, interpreting policy information if present.
Patch from stefw@gnome.org with changes.
ticket: 7128
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25857 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25856 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
| |
Also fix the facility to make it possible to trace log without
including k5-int.h.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25852 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Factor out the core code of krb5_verify_init_creds into a helper, add
new helper functions to retrieve the list of unique host principals
from a keytab, and make krb5_verify_init_creds drive the helper once
per host principal.
Augment the test harness and test cases to better test the new
behavior. Add a k5test method to retrieve an NFS principal for the
test realm for the sake of the new test cases.
ticket: 7125
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25845 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In krb5_init_creds_ctx and krb5_clpreauth_rock_st, use a boolean to
track whether we're still using the default salt instead of
overloading salt.length. In preauth2.c, process afs3 salt values like
we would in krb5int_des_string_to_key, and set an s2kparams indicator
instead of overloading salt.length. Also use an s2kparams indicator
in kdb_cpw.c's add_key_pwd. Remove the s2k code to handle overloaded
salt lengths, except for a sanity check.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25837 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25836 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25830 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
| |
When getting initial credentials with a keytab, filter the list of
request enctypes based on the keys in the keytab.
Based on a patch from Stef Walter.
ticket: 2131
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25818 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25814 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25810 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a clpreauth callback which gets the time of day using an offset
determined by the preauth-required error, and use it in encrypted
timestamp and encrypted challenge. This timestamp is not necessarily
authenticated, but the security consequences for those preauth mechs
are minor (and can be mitigated by turning off kdc_timesync on
clients).
Based on a patch from Stef Walter.
ticket: 7114
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25808 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
| |
kadmind's randkey operation invokes the kadm5_hook chpass method with
a null newpass parameter, which wasn't documented.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25805 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
| |
encountered while initializing krb5 library context
ticket: 7091
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25800 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
| |
* Put everything in an enclosing group, so it gets captured even
without EXTRACT_ALL.
* Make sure there's documentation for all constants referenced by
other markup.
* Fix references to the PAC constants.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25789 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
r24314 (#6778) created a hybrid owernship model for the master key
list, with one virtual copy stored in the DAL handle and one provided
to the caller of krb5_db_fetch_mkey_list. Replace this with a model
where only the DAL handle owns the list, and a caller can get access
to an alias pointer with a new function krb5_db_mkey_list_alias().
Functions which previously accepted the master key list as an input
parameter now expect to find it in the DAL handle.
Patch by Will Fiveash <will.fiveash@oracle.com>.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25781 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
| |
The admin keytab hasn't been needed or used by kadmind since 1.4
(except possibly by legacy admin daemons which we no longer ship).
Eliminate remaining references to it in code, test cases, and
documentation.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25729 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The configure-time options to enable and disable IPv6 support have
been deprecated for some time, but the checks for OS support were
kept. This removes those checks, and unconditionally compiles in the
IPv6 support.
There was a configure-time test to see if the macro INET6 needed to be
defined in order to enable (visibility of) OS support for IPv6, which
was needed on an IRIX system we tested with. That check is retained,
but the revised code is untested on IRIX.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25719 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a general ASN.1 decoder implementation in asn1_encode.c using the
same data structures as the encoder (augmented where necessary), and
use it to define decoder functions in asn1_k_encode.c. Add a boolean
type to atype_info, as it is needed for the pa_pac_req decoder. For
the moment, just #if out the old decoder functions; they and their
support code can be cleaned up later after a a few remaining utility
functions are addressed.
Changes to encoder and decoder interfaces are minimized, but there are
two small ones. ldap_seqof_key_data has a kvno field added, and some
of the decoder logic is pushed up into the caller. The safe_with_body
decoder now outputs an allocated krb5_data * instead of a krb5_data
with aliases into the input buffer.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25693 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKINIT client code doesn't use decode_krb5_pa_pk_as_rep_draft9,
which is fortunate because it doesn't work (see issue #7072).
Instead, it passes both kinds of PKINIT replies through
decode_krb5_pa_pk_as_rep, then decodes the un-enveloped CMS data in
alternative 1 (encKeyPack) as either an RFC or draft9 ReplyKeyPack.
So, remove the unused broken pa_pk_as_rep_draft9 decoder.
For pa_pk_as_req_draft9, we only use two of the fields on encode and
only one of those on decode. So, get rid of the unused fields and
the krb5_trusted_ca structure, and reduce the encoder and decoder
sequences to the minimum necessary fields.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25689 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
| |
New APIs of this sort should be discussed, and the goals motivating
the change clarified.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25670 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
| |
diagnostics of the potential misconfiguration.
Added profile_get_(string/integer/boolean)_nodef functions to the profile library to get the typed values from the configuration
files (without setting these values to the defaults).
Used TRACE_PROFILE_ERR for the configuration diagnostics in krb5_init_context_profile API.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25669 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
| |
krb5_pk_authenticator_draft9 had a kdcRealm field which was set by the
client code but never encoded or decoded. Remove it. Eliminating this
field exposed a bug in auth_pack_draft9_optional; fix that.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25624 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25620 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
| |
krb5_alt_method was added in r6604 but never supported. krb5_pwd_data
became unused when the Sandia kadmin system was replaced.
krb5_pa_server_referral_data and krb5_pa_svr_referral_data were added
in r21690 with internally-visible encoders which nothing uses.
Leave behind structure declarations in krb5.hin for API compatibility.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25619 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
| |
r24403 removed the old SAM support, but left behind the structures,
free functions, and ASN.1 encoders/decoders. Remove those now.
(SAM-2 support is still present.)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25618 dc483132-0cff-0310-8789-dd5450dbe970
|
