summaryrefslogtreecommitdiffstats
path: root/src/kdc
Commit message (Collapse)AuthorAgeFilesLines
...
* Apple PKINIT patch commitAlexandra Ellwood2008-05-304-0/+874
| | | | | | | | | | | | | Commit of Apple PKINIT patches under "APPLE_PKINIT" preprocessor symbol. Long term goal is to merge these patches with the pkinit preauth plugin which does not currently have support for Mac OS X crypto libraries or the exported functions used by Back To My Mac. ticket: new status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20346 dc483132-0cff-0310-8789-dd5450dbe970
* (more) After malloc/realloc/calloc/strdup/asprintf failures, useKen Raeburn2008-04-301-5/+5
| | | | | | | | ENOMEM explicitly instead of reading it from errno. This may make static analysis tools less confused about when we return zero vs nonzero values. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20313 dc483132-0cff-0310-8789-dd5450dbe970
* Coverity CID 101: Fix minor bounds check errorKen Raeburn2008-03-291-1/+1
| | | | | | | | | | Coverity CID 101: Fix minor bounds check error. ticket: new target_version: 1.6.4 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20296 dc483132-0cff-0310-8789-dd5450dbe970
* Fix MITKRB5-SA-2008-001 on trunk. Patch differs from the released oneKen Raeburn2008-03-183-55/+48
| | | | | | | | for 1.6 because of code divergence. ticket: 5919 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20280 dc483132-0cff-0310-8789-dd5450dbe970
* Wrap krb5_db_get_principal function with get_principal (which willKen Raeburn2007-12-226-16/+50
| | | | | | | | | eventually release the global lock and reacquire it) and get_principal_locked (which will retain the global lock), and change callers to use the wrappers, so we can simplify some ugliness at the call sites. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20195 dc483132-0cff-0310-8789-dd5450dbe970
* Rename krb4_sendto to set_response since that's what it doesKen Raeburn2007-12-191-4/+4
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20193 dc483132-0cff-0310-8789-dd5450dbe970
* Remove unused args to krb4_sendto and unused global. Use byte-order macros ↵Ken Raeburn2007-12-191-20/+14
| | | | | | defined elsewhere git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20192 dc483132-0cff-0310-8789-dd5450dbe970
* Remove excess parameters in formatting log callsKen Raeburn2007-12-191-14/+12
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20191 dc483132-0cff-0310-8789-dd5450dbe970
* Make some stuff static that we don't need accessible outside kerberos_v4.cKen Raeburn2007-12-191-5/+5
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20190 dc483132-0cff-0310-8789-dd5450dbe970
* Set close-on-exec flag in most places where file descriptors areKen Raeburn2007-10-222-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | opened in our libraries (in case another application thread spawns a new process) and in the KDC programs (in case a plugin library spawns a new process). Checked calls to: open fopen THREEPARAMOPEN mkstemp socket accept dup dup2 pipe. In: util lib plugins kdc kadmin/server krb524. The various programs are less critical than the libraries, as any well-written plugin that spawns a new process should close all file descriptors it doesn't need to communicate with the new process. This approach also isn't bulletproof, as the call to set the close-on-exec flag is necessarily a separate call from creating the file descriptor, and the fork call could happen in between them. So plugins should be careful regardless of this patch; it will only reduce the window of potential lossage should a plugin be poorly written. (AFAIK there are currently no plugins that spawn processes where this would be a problem.) Update dependencies. ticket: 5561 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20143 dc483132-0cff-0310-8789-dd5450dbe970
* Check dependencies for fakeka.cKen Raeburn2007-10-221-0/+15
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20142 dc483132-0cff-0310-8789-dd5450dbe970
* Reject socket fds > FD_SETSIZEKen Raeburn2007-10-181-0/+16
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20127 dc483132-0cff-0310-8789-dd5450dbe970
* Log port number with IPV6_V6ONLY socket option status.Ken Raeburn2007-10-091-4/+12
| | | | | | Recognize and ignore Appletalk address type. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20108 dc483132-0cff-0310-8789-dd5450dbe970
* make dependKen Raeburn2007-08-161-49/+56
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19832 dc483132-0cff-0310-8789-dd5450dbe970
* Add PKINIT supportKevin Coffman2007-08-012-57/+101
| | | | | | | | | | | | | | | | Pull up PKINIT support onto the trunk. Changes from the version in branch users/coffman/pkinit are: - Update the preauth plugin interface version to avoid conflict with any existing plugins. - Add a pkcs11.h locally to the pkinit code rather than depending on opensc being installed. ticket: new Target_Version: 1.6.3 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19745 dc483132-0cff-0310-8789-dd5450dbe970
* Avoid unchecked sprintf in some KDC-side programsKen Raeburn2007-07-123-19/+18
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19705 dc483132-0cff-0310-8789-dd5450dbe970
* Attach format attributes to declarations of various message-formattingKen Raeburn2007-06-291-3/+7
| | | | | | | | | | | | | routines under gcc. In a couple of routines, hard-code the preference for using the vsnprintf paths instead of list-of-int-arguments hacks now that we're assuming vsnprintf is available in other places. Installed headers affected: com_err.h (com_err, com_err_va) ss.h (ss_error) krb5.h (krb5_set_error_message, krb5_vset_error_message) git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19653 dc483132-0cff-0310-8789-dd5450dbe970
* Define and use some inline helper functions for comparing data and authdata ↵Ken Raeburn2007-05-102-30/+17
| | | | | | | | structures, instead of open-coding checks of multiple fields everywhere. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19544 dc483132-0cff-0310-8789-dd5450dbe970
* Remove some unused macrosKen Raeburn2007-05-101-4/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19543 dc483132-0cff-0310-8789-dd5450dbe970
* Move the code for queueing an outgoing response on a TCP stream into a separateKen Raeburn2007-04-271-13/+13
| | | | | | function. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19535 dc483132-0cff-0310-8789-dd5450dbe970
* Don't use sendmsg/recvmsg paths if CMSG_SPACE isn't definedKen Raeburn2007-04-201-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19510 dc483132-0cff-0310-8789-dd5450dbe970
* update copyrightKen Raeburn2007-04-131-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19459 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up usage message a littleKen Raeburn2007-04-131-3/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19453 dc483132-0cff-0310-8789-dd5450dbe970
* use IP(V6)_PKTINFO in KDC for UDP socketsKen Raeburn2007-04-071-42/+343
| | | | | | | | | | | | | | | | | | | | | | | | | As Denis Vlasenko pointed out in ticket 3306, using IP(V6)_PKTINFO to get or set the local address in UDP communications instead of allocating one socket for each address seen at startup will behave better in environments where the addresses may change while the KDC is running, or in certain unusual network configurations. The patch from Denis was specific to Linux (didn't do IPV6_PKTINFO if IP_PKTINFO wasn't defined). I've reworked it a fair amount, and tested the results briefly on Mac OS X (which has IPV6_PKTINFO but not IP_PKTINFO) and Linux (which has both). With this change, on systems like Linux supporting both socket options, the KDC should be able to use just two UDP sockets, one for IPv4 and one for IPv6. (And if we turned off IPV6_V6ONLY, we might do with one.) Filed as a separate ticket, because Denis's complaint and patch in 3306 cover the RPC code as well. ticket: new git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19408 dc483132-0cff-0310-8789-dd5450dbe970
* MITKRB5-SA-2007-002: buffer overflow in krb5_klog_syslogTom Yu2007-04-032-6/+21
| | | | | | | | | | | | | | | | Fix MITKRB5-SA-2007-002: buffer overflow in krb5_klog_syslog. * src/lib/krb5/krb/get_in_tkt.c (krb5_klog_syslog): Use vsnprintf if available. Everything else: use precision fields on "%s" specifiers to truncate logged strings, in case someone doesn't have vsnprintf. ticket: new target_version: 1.6.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19395 dc483132-0cff-0310-8789-dd5450dbe970
* Delete more stuff for 'clean' and 'distclean' targetsKen Raeburn2007-03-021-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19198 dc483132-0cff-0310-8789-dd5450dbe970
* * kdc_util.h (CONVERT_INTO_DB, CONVERT_OUTOF_DB): Unused macros deletedKen Raeburn2007-01-021-4/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19025 dc483132-0cff-0310-8789-dd5450dbe970
* Merge r18962 to trunk, with minor tweaks; ready to merge to 1.6 branchKen Raeburn2006-12-201-2/+6
| | | | | | | | | Changes fix up some sample names used, remove some options described from certain commands, and fix filling in man pages. ticket: 5116 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19000 dc483132-0cff-0310-8789-dd5450dbe970
* Return edata from non-"PA_REQUIRED" preauth typesKevin Coffman2006-12-011-15/+47
| | | | | | | | | | | | | | | | | | * src/kdc/kdc_preauth.c (check_padata) Return e-data from any failing preauth module. Save the e-data and return value from the first failing module. If a subsequent module marked as PA_REQUIRED fails, return its e-data and error instead. * src/kdc/kdc_preauth.c (load_preauth_plugins) Quiet compiler warning by setting pointer to NULL. ticket: new Target_Version: 1.6 tags: pullup Component: krb5-kdc git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18895 dc483132-0cff-0310-8789-dd5450dbe970
* skip all modules in plugin if init function failsKevin Coffman2006-11-291-4/+16
| | | | | | | | | | | | | If the plugin initialization function fails, skip all modules in the plugin, not just the first. Also, print the error message from the plugin if supplied. ticket: new Target_Version: 1.6 Tags: pullup Component: krb5-kdc git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18873 dc483132-0cff-0310-8789-dd5450dbe970
* allow server preauth plugin verify_padata function to return e-dataKevin Coffman2006-11-133-12/+40
| | | | | | | | | | | | | | | | | Change server-side preauth plugin interface to allow the plugin's verify_padata function to return e-data to be returned to the client. (Patch from Nalin Dahyabhai <nalin@redhat.com>) Update sample plugins to return e-data to exercise the code. Fix memory leak in the wpse plugin. ticket: new Component: krb5-kdc Target_Version: 1.6 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18801 dc483132-0cff-0310-8789-dd5450dbe970
* Modify the preath plugin interface so that a plugin's context isKevin Coffman2006-11-011-45/+53
| | | | | | | | | | | | | | | | | | | | | | | | | | global to all the modules within a plugin. Also, change the client-side interface so that the preauth plugin context (once created) lives the lifetime of a krb5_context. This will allow future changes that can set plugin parameters. The client side request context lives the lifetime of a call to krb5_get_init_creds(). Make the sample preauth plugins buildable outside the source tree. Fix minor memory leak in sort_krb5_padata_sequence(). Add a prototype for krb5_do_preauth_tryagain() and change the plugin interface. Incorporates fixes from Nalin Dahyabhai <nalin@redhat.com> for leaks of the function table pointers (rt #4566) and fix KDC crash (rt #4567) ticket: 4566 ticket: 4567 ticket: 4587 Target_Version: 1.6 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18754 dc483132-0cff-0310-8789-dd5450dbe970
* latest Novell ldap patches and kdb5_util dump support for ldapWill Fiveash2006-10-301-0/+3
| | | | | | | | | | | | I've applied Novell's latest patches for their LDAP KDB plugin. I've also implemented and tested support for kdb5_util dump using the LDAP KDB plugin. I also added a Sun copyright on files that I've modified. ticket: new Target_Version: krb5-1.6 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18750 dc483132-0cff-0310-8789-dd5450dbe970
* Free v4mode when done with itKen Raeburn2006-10-141-0/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18702 dc483132-0cff-0310-8789-dd5450dbe970
* Use $(VALGRIND) when running programs using $(KRB5_RUN_ENV) orKen Raeburn2006-10-131-1/+1
| | | | | | | | | | | | | | | | | | $(RUN_SETUP). Replaces old hack with MAYBE_VALGRIND added to RUN_ENV in a way that would break in some of the tests. Set VALGRIND in site.exp in tests/dejagnu. (Not used yet.) Runs some shell scripts under valgrind, rather than changing them to run only the executables under valgrind; this is mostly okay, just creates lots of extra log data, and requires --trace-children=yes. This should work for any instrumentation program invocation that gets followed immediately by the name and argument list for the program being instrumented. For example, VALGRIND="env LD_PRELOAD=..." should work, though I haven't tested it. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18699 dc483132-0cff-0310-8789-dd5450dbe970
* Use 'const' with krb5_get_error_messageKen Raeburn2006-10-132-8/+8
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18697 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate some warnings: missing "const", unused variables, successKen Raeburn2006-10-131-7/+5
| | | | | | | case in load_preauth_plugins was missing a return value (which isn't checked anyways). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18696 dc483132-0cff-0310-8789-dd5450dbe970
* * preauth_plugin.h: Don't use an enum in a public apiSam Hartman2006-10-131-10/+10
| | | | | | | | | | | | | * kdc_preauth.c (get_etype_info): Rename get_entry_data to avoid shadowing (get_etype_info2): likewise (return_etype_info): likewise (return_pw_salt): likewise (get_entry_data): Update prototype not to use enum in a API ticket: 4377 tatus: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18695 dc483132-0cff-0310-8789-dd5450dbe970
* Patch to split client plugin from server pluginSam Hartman2006-10-131-24/+24
| | | | | | | ticket: 4377 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18693 dc483132-0cff-0310-8789-dd5450dbe970
* (add_to_transited): Change the current logic to keep all array referencesKen Raeburn2006-10-121-15/+25
| | | | | | | | | | in bounds, assuming that what would've been next[-1] would not be '.'. I haven't fully reexamined the logic, but this seems consistent with the actual current behavior, and the existing test cases. Also, factored out code for copying a string from a krb5_data to a char*. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18688 dc483132-0cff-0310-8789-dd5450dbe970
* Add bounds-checking assertions before automatic array referenceKen Raeburn2006-10-111-0/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18677 dc483132-0cff-0310-8789-dd5450dbe970
* Don't segfault if a preauth plugin module fails to loadKevin Coffman2006-10-101-1/+2
| | | | | | | | | | | Move the zeroing of the errinfo struct before the call to krb5int_open_plugin_dirs() to prevent segfault in the case where a plugin fails to load. (For example if there are unresolved symbols.) ticket: new git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18671 dc483132-0cff-0310-8789-dd5450dbe970
* make dependTom Yu2006-10-061-27/+32
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18652 dc483132-0cff-0310-8789-dd5450dbe970
* * kdc_preauth.c (return_padata): Allocate a padata context if notSam Hartman2006-10-051-0/+3
| | | | | | | | | | already allocated. In the preauth_required path check will not be called to set up the context first. ticket: 4377 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18650 dc483132-0cff-0310-8789-dd5450dbe970
* Preauthentication Plugin FrameworkSam Hartman2006-10-036-61/+702
| | | | | | | | | | | | | Patch from Nalin Dahyabhai at Redhat to implement a preauthentication framework based on the plugin architecture. Currently. the API is considered internal and the header is not installed. See src/include/krb5/preauth_plugin.h for the interface. ticket: new Tags: enhancement Status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18641 dc483132-0cff-0310-8789-dd5450dbe970
* kdc: make_toolong_error does not initialize all fields for krb5_mk_errorEzra Peisach2006-10-011-0/+2
| | | | | | | | | | | network.c: make_too_long_error() fails to set the ctime and cusec elements of the krb5_error structure. Valgrind detects errors in the asn.1 encoding handlers in reading an unitialized value. Initialize to 0. ticket: new tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18635 dc483132-0cff-0310-8789-dd5450dbe970
* Savitha's patches for:Ken Raeburn2006-09-181-6/+2
| | | | | | | | | - LDAP URI support for specifying server and port - support for ldapi interface - updated to newer LDAP APIs - updated documentation git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18592 dc483132-0cff-0310-8789-dd5450dbe970
* Apply patch from Michael Calmer to fix some uninitialized variablesTom Yu2006-08-021-0/+2
| | | | | | | | | | | | | | | | | | | | | | * src/appl/gssftp/ftpd/ftpd.c (auth_data): Initialize stat_maj, accept_maj, acquire_maj. * src/appl/telnet/libtelnet/kerberos5.c (kerberos5_send): Intialize rdata. * src/kdc/do_tgs_req.c (process_tgs_req): Initialize magic and tr_contents.magic. * src/lib/krb5/asn.1/krb5_decode.c (decode_krb5_safe_with_body): Initialize tmpbody.magic. * src/plugins/kdb/db2/libdb2/hash/dbm.c (kdb2_fetch) (kdb2_firstkey, kdb2_nextkey): Initialize dsize. ticket: 3904 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18404 dc483132-0cff-0310-8789-dd5450dbe970
* Merge remaining changes from LDAP integration branchKen Raeburn2006-07-181-1/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | svn+ssh://svn.mit.edu/krb5/branches/ldap-integ@18333. * plugins/kdb/ldap: New directory. * aclocal.m4 (WITH_LDAP): New macro. (CONFIG_RULES): Invoke it. * configure.in: Test ldap option, maybe configure and generate makefiles for new directories, and set and substitute ldap_plugin_dir. * Makefile.in (SUBDIRS): Add @ldap_plugin_dir@. * kdc/krb5kdc.M, kadmin/server/kadmind.M, kadmin/cli/kadmin.M, config-files/krb5.conf.M: Document LDAP changes (new options, config file entries, etc). * lib/kdb/kdb5.c (kdb_load_library): Put more info in error message. * lib/kadm5/admin.h (KADM5_CPW_FUNCTION, KADM5_RANDKEY_USED, KADM5_CONFIG_PASSWD_SERVER): New macros, disabled for now. (struct _kadm5_config_params): New field kpasswd_server, commented out for now. * lib/krb5/error_tables/kdb5_err.et: Add error codes KRB5_KDB_ACCESS_ERROR, KRB5_KDB_INTERNAL_ERROR, KRB5_KDB_CONSTRAINT_VIOLATION. ticket: 2935 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18334 dc483132-0cff-0310-8789-dd5450dbe970
* * kerberos_v4.c: Don't include kdc.h.Ken Raeburn2006-06-292-20/+14
| | | | | | | | | | (kerberos_v4, kerb_err_reply): Replace uses of S_AD_SZ with sizeof(struct sockaddr_in). (kerb_get_principal): Delete fourth argument MAXN, which was always 1. Callers updated. * Makefile.in: Updated dependencies. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18275 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-29 02:46:38 +0000