summaryrefslogtreecommitdiffstats
path: root/src/lib
Commit message (Collapse)AuthorAgeFilesLines
...
* Remove setting a variable that is never usedEzra Peisach2011-08-191-14/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25106 dc483132-0cff-0310-8789-dd5450dbe970
* Fix call to gss_inquire_cred from spnego_gss_acquire_cred_impersonate_nameGreg Hudson2011-08-111-13/+11
| | | | | | | | | | | If desired_mechs is NULL (this should never happen when invoked from the MIT mechglue), we call gss_inquire_cred to get a list of mechs. This call needs to pass a union cred handle, not the SPNEGO handle we got as input. Reported by aberry@likewise.com. ticket: 6945 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25098 dc483132-0cff-0310-8789-dd5450dbe970
* Fix major status handling in gss_acquire_credGreg Hudson2011-08-111-0/+1
| | | | | | | | | | | If we have at least one cred element after the mech loop, reset major before continuing on, or we could mistakenly return a failure status from the last mech (and free the returned creds). Reported by aberry@likewise.com. ticket: 6944 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25097 dc483132-0cff-0310-8789-dd5450dbe970
* Correctly dereference cred_handle when assigning to spcred inGreg Hudson2011-08-111-1/+1
| | | | | | | | | | spnego_gss_set_cred_option. Reported by aberry@likewise.com. ticket: 6943 target_version: 1.9.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25096 dc483132-0cff-0310-8789-dd5450dbe970
* WhitespaceGreg Hudson2011-08-097-97/+6
| | | | | | Also remove the erroneously added gssapi_err_krb5 error table sources. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25091 dc483132-0cff-0310-8789-dd5450dbe970
* call gssint_mecherrmap_init() from gssint_mechglue_init()Sam Hartman2011-08-091-0/+1
| | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> Signed-off-by: Sam Hartman <hartmans@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25090 dc483132-0cff-0310-8789-dd5450dbe970
* Fix rare duplicate time issue On systems with imprecise clocksSam Hartman2011-08-091-5/+18
| | | | | | | | | | | | (e.g. windows), there was as issue where microsecond rollover could conceivably cause the same time to be reported twice. Also document potential performance improvement by using thread-local storage for last_time and eliminating the mutex. Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> Signed-off-by: Sam Hartman <hartmans@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25088 dc483132-0cff-0310-8789-dd5450dbe970
* Use KRB5_CALLCONV for all gss mechanism functions. Also wrap #include ↵Sam Hartman2011-08-0943-269/+365
| | | | | | | | | <unistd.h> with #ifdef HAVE_UNISTD_H in g_authorize_localname.c Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> Signed-off-by: Sam Hartman <hartmans@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25087 dc483132-0cff-0310-8789-dd5450dbe970
* Added functions to export tables krb5_32:Sam Hartman2011-08-092-0/+4
| | | | | | | | | | krb5int_c_mandatory_cksumtype, krb5int_arcfour_gsscrypt gssapi32: gss_pname_to_uid Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> Signed-off-by: Sam Hartman <hartmans@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25086 dc483132-0cff-0310-8789-dd5450dbe970
* Add 'const' to fix mismatched parameter warningsSam Hartman2011-08-092-2/+2
| | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> Signed-off-by: Sam Hartman <hartmans@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25085 dc483132-0cff-0310-8789-dd5450dbe970
* Compile fix for WIN32 implementation of k5_get_os_entropy: declare ↵Sam Hartman2011-08-091-1/+1
| | | | | | | | | HCRYPTPROV provider Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> Signed-off-by: Sam Hartman <hartmans@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25084 dc483132-0cff-0310-8789-dd5450dbe970
* Updated OBJS and SRCS in lib/crypto/krb/Makefile.inSam Hartman2011-08-091-2/+17
| | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> Signed-off-by: Sam Hartman <hartmans@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25083 dc483132-0cff-0310-8789-dd5450dbe970
* Fixed typo in des OBJS: des_keys.c. -> des_keysSam Hartman2011-08-091-1/+1
| | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> Signed-off-by: Sam Hartman <hartmans@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25081 dc483132-0cff-0310-8789-dd5450dbe970
* Fix name of krb5_init_context_profile in krb5_32.defGreg Hudson2011-08-091-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25079 dc483132-0cff-0310-8789-dd5450dbe970
* Use portable path functions when loading pluginsGreg Hudson2011-08-071-30/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25075 dc483132-0cff-0310-8789-dd5450dbe970
* Legacy checksum APIs usually failGreg Hudson2011-07-261-9/+35
| | | | | | | | | | | | | krb5_calculate_checksum() and krb5_verify_checksum(), both deprecated, construct invalid keyblocks and pass them to the real functions, which used to work but now doesn't. Try harder to construct valid keyblocks or pass NULL if there's no key. ticket: 6939 target_version: 1.9.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25059 dc483132-0cff-0310-8789-dd5450dbe970
* Define KRB5_TL_DB_ARGS unconditionally in kdb.hGreg Hudson2011-07-261-5/+0
| | | | | | | | | Due to an apparent merge bug, KRB5_TL_DB_ARGS was defined in a SECURID conditional block, and several source files worked around the problem by defining the constant themselves or defining SECURID. Move the definition and remove the workarounds. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25055 dc483132-0cff-0310-8789-dd5450dbe970
* For GCC compiles, use an attribute to suppress the variable set butEzra Peisach2011-07-264-22/+34
| | | | | | | | | not used warnings. Due to the nested macros, it would get very ugly to try and remove the variables. Removes ~75 warnings from the build. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25054 dc483132-0cff-0310-8789-dd5450dbe970
* Remove t_vfyincreds on make cleanEzra Peisach2011-07-261-2/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25053 dc483132-0cff-0310-8789-dd5450dbe970
* Remove declaration of static function that no longer existsEzra Peisach2011-07-251-3/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25052 dc483132-0cff-0310-8789-dd5450dbe970
* PAC_CLIENT_INFO principal names do not contain a realm, so parse themGreg Hudson2011-07-251-1/+2
| | | | | | | | | | with the KRB5_PRINCIPAL_PARSE_NO_REALM flag. Otherwise we'll wind up using the default realm (and then ignoring it) which fails if one isn't configured. ticket: 6934 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25050 dc483132-0cff-0310-8789-dd5450dbe970
* In rare circumstances, such as checksum errors, some network stacksGreg Hudson2011-07-251-5/+4
| | | | | | | | | | | | | can flag an fd for reading in select() and still block when the fd is read. Set all sockets non-blocking to prevent hangs when this occurs. (We don't actually handle the resulting EWOULDBLOCK or EAGAIN errors, so the rare cases will appear as communication failures and we will close the socket. This is already the case for TCP sockets and probably isn't a big deal.) ticket: 6933 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25048 dc483132-0cff-0310-8789-dd5450dbe970
* Fix build without KRB5_DNS_LOOKUPGreg Hudson2011-07-251-2/+2
| | | | | | | | | | | | | Define MAX_DNS_NAMELEN unconditionally in k5-int.h as we use it unconditionally in kdc_util.c. Don't define it in locate_kdc.c. Conditionalize dns_locate_server() in locate_kdc.c as its only call site (in k5_locate_server) and its helper function (locate_srv_dns_1) are conditional. From Chris Hecker with minor changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25042 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up a number of variables set but not used warningsEzra Peisach2011-07-245-14/+4
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25041 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up the lock in gss_krb5int_import_credGreg Hudson2011-07-231-12/+15
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25040 dc483132-0cff-0310-8789-dd5450dbe970
* Rename "ivec" to "cipher_state" in encrypt/decryptGreg Hudson2011-07-222-8/+8
| | | | | | | | This makes the implementations match up with the prototypes, and is more correct for enctypes like RC4 where the cipher state is not an ivec. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25038 dc483132-0cff-0310-8789-dd5450dbe970
* Fix gss_set_cred_option cred creation with no nameGreg Hudson2011-07-221-6/+8
| | | | | | | | | | | When creating a cred in the mechglue with gss_acquire_cred, the mechanism is allowed to return no name from gss_inquire_cred. But in the analagous operation in gss_set_cred_option, that would result in an error from gss_display_name. Make the call to gss_display_name conditional on the mechanism name being set. Reported by Andrew Bartlett. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25037 dc483132-0cff-0310-8789-dd5450dbe970
* Fix name initialization in gss_krb5int_import_credGreg Hudson2011-07-201-0/+6
| | | | | | | | If we're going to fake up a name, we have to initialize its lock. It might be better to use kg_init_name(), but we don't have a context on hand. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25030 dc483132-0cff-0310-8789-dd5450dbe970
* Fix memory leak of accprinc in kg_accept_krb5()Greg Hudson2011-07-201-2/+4
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25029 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_init_context_profile APIGreg Hudson2011-07-204-21/+28
| | | | | | ticket: 6929 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25026 dc483132-0cff-0310-8789-dd5450dbe970
* Add support for loadable profile modulesGreg Hudson2011-07-201-3/+4
| | | | | | ticket: 6929 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25025 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify and fix chpass_util error generationGreg Hudson2011-07-061-34/+20
| | | | | | | | | | | | | | If a principal has no associated kadm5 policy, we may still get password quality errors from a module (KDB or pwqual). There was a bug in the error generation for this case which caused only a generic error to be returned. Also use snprintf() instead of multiple string operations to compose errors. From Simo Sorce <ssorce@redhat.com>. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25014 dc483132-0cff-0310-8789-dd5450dbe970
* C90 doesn't allow commas at the ends of enumeration listsKen Raeburn2011-07-011-1/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25012 dc483132-0cff-0310-8789-dd5450dbe970
* isspace should only get unsigned-char values or EOFKen Raeburn2011-07-011-2/+4
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25010 dc483132-0cff-0310-8789-dd5450dbe970
* make dependEzra Peisach2011-07-017-85/+55
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25007 dc483132-0cff-0310-8789-dd5450dbe970
* Get static linking working again, mostlyGreg Hudson2011-06-282-45/+45
| | | | | | | | | | | | | | | | | | | Static linking (#6510) broke when lockout support was added because the DB2 plugin became dependent on libkadm5srv_mit for XDR functions. Also, static linking was extensively broken in combination with LDAP support. Fix these problems. Afer these fixes, the test suite fails in the FAST tests because there's no static build support for dynamic preauth plugins, which means there's no encrypted challenge. (And unlike the pkinit tests, the test suite doesn't conditionalize on the presence of the encrypted challenge plugin, because we always build it.) This will fix itself if and when encrypted challenge becomes linked into the consumers, or static build support is added for preauth plugins. ticket: 6914 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24996 dc483132-0cff-0310-8789-dd5450dbe970
* Make fewer db lookups in kadm5_create_principal_3Greg Hudson2011-06-241-19/+10
| | | | | | | | By creating the password history entry earlier in the function, we can avoid the need to look up the principal entry twice just to save a copy of the key data. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24990 dc483132-0cff-0310-8789-dd5450dbe970
* Use zapfree in krb5_free_key_data_contents()Greg Hudson2011-06-241-6/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24989 dc483132-0cff-0310-8789-dd5450dbe970
* Don't destroy dst on error in krb5_cc_moveGreg Hudson2011-06-231-2/+0
| | | | | | | | Although destroying any partial contents of dst on error isn't a bad idea, invalidating the handle would be an incompatible change. So revert that part of r24754. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24988 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a minor memory leak in the pwqual loaderGreg Hudson2011-06-231-0/+1
| | | | | | | k5_pwqual_free_handles() wasn't freeing the container structure for each handle. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24986 dc483132-0cff-0310-8789-dd5450dbe970
* Fix memory leak introduced in r24969Greg Hudson2011-06-231-0/+1
| | | | | | | The new context field plugin_base_dir wasn't being freed on context deletion. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24985 dc483132-0cff-0310-8789-dd5450dbe970
* Use AI_ADDRCONFIG for more efficient getaddrinfoGreg Hudson2011-06-235-5/+7
| | | | | | | | | | | | | | | Add AI_ADDRCONFIG to the hint flags for every invocation of getaddrinfo which wasn't already using it. This is often the default behavior when no hints are specified, but we tend to specify hints a lot, so we have to say it ourselves. AI_ADDRCONFIG causes AAAA lookups to be skipped if the system has no public IPv6 interface addresses, usually saving a couple of DNS queries per getaddrinfo call and allowing DNS caching to be much more effective without the need for negative caching. ticket: 6923 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24978 dc483132-0cff-0310-8789-dd5450dbe970
* Work around glibc getaddrinfo PTR lookupsGreg Hudson2011-06-231-8/+1
| | | | | | | | | | | | | | | | | | | In krb5_sname_to_principal(), we always do a forward canonicalization using getaddrinfo() with AI_CANONNAME set. Then, we do a reverse canonicalization with getnameinfo() if rdns isn't set to false in libdefaults. Current glibc (tested with eglibc 2.11.1) has the arguably buggy behavior of doing PTR lookups in getaddrinfo() to get the canonical name, if hints.ai_family is set to something other than AF_UNSPEC. This behavior defeats the ability to turn off rdns. Work around this behavior by using AF_UNSPEC in krb5_sname_to_principal() from the start, instead of starting with AF_INET and falling back. Specify AI_ADDRCONFIG to avoid AAAA lookups on hosts with no IPv6 addresses. ticket: 6922 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24977 dc483132-0cff-0310-8789-dd5450dbe970
* Convert preauth_plugin.h to new plugin frameworkGreg Hudson2011-06-178-242/+220
| | | | | | | | | | | | | | | | | | | | | | | | The preauth plugin interface was introduced in 1.6 but was never made a public API. In preparation for making it public in 1.10, convert it to use the new plugin framework. This will require changes to any existing preauth plugins. A number of symbols were renamed for namespace cleanliness, and abstract types were introduced for module data and module per-request data for better type safety. On the consumer end (preauth2.c and kdc_preauth.c), this is a pretty rough conversion. Eventually we should create proper consumer APIs with module handles, and the flat lists of preauth types should hold pointers to module handles rather than copies of the vtables. The built-in preauth type handlers should then be converted to built-in module providers linked into the consumer code (as should encrypted challenge, since it has no external dependencies). None of this will impact the provider API for preauth plugins, so it can wait. ticket: 6921 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24970 dc483132-0cff-0310-8789-dd5450dbe970
* Add k5_plugin_register_dyn internal APIGreg Hudson2011-06-173-27/+68
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24969 dc483132-0cff-0310-8789-dd5450dbe970
* ANSIfy the remaining K&R functions in lib/gssapi/genericGreg Hudson2011-06-132-26/+15
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24968 dc483132-0cff-0310-8789-dd5450dbe970
* Fix old-style GSSRPC authenticationGreg Hudson2011-06-131-3/+10
| | | | | | | | | | | | | | | r24147 (ticket #6746) made libgssrpc ignorant of the remote address of the kadmin socket, even when it's IPv4. This made old-style GSSAPI authentication fail because it uses the wrong channel bindings. Fix this problem by making clnttcp_create() get the remote address from the socket using getpeername() if the caller doesn't provide it and it's an IPv4 address. ticket: 6920 target_version: 1.9.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24967 dc483132-0cff-0310-8789-dd5450dbe970
* Mark up strings for translationGreg Hudson2011-06-1036-323/+355
| | | | | | ticket: 6918 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970
* Add localization infrastructureGreg Hudson2011-06-102-1/+3
| | | | | | | | | Adds build system logic, translation macros in k5-platform.h, and bindtextdomain calls in libkrb5 initialization. ticket: 6918 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24959 dc483132-0cff-0310-8789-dd5450dbe970
* Restore fallback non-referral TGS request to same realmGreg Hudson2011-06-031-12/+10
| | | | | | | | | | | | | | | MIT krb5 1.2 and earlier KDCs reject TGS requests if the canonicalize bit is set. Prior to 1.9, we used to handle this by making a non-referral fallback request on any error, but the rewrite in 1.9 mistakenly changed the behavior so that fallback requests are only made if the original request used the referral realm and the fallback realm is different from the default realm. Restore the old behavior. ticket: 6917 target_version: 1.9.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24946 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-28 22:00:06 +0000