path: root/src/lib
Commit log (each entry: commit message, then author, age, files changed and lines removed/added)

...

* Add internal prototype for krb5_preauth_supply_preauth_data(). Clean up
  some shadow variable warnings, make depend...
  Author: Ezra Peisach | Age: 2007-08-03 | Files: 4 | Lines: -492/+521
  ticket: 5617
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19746 dc483132-0cff-0310-8789-dd5450dbe970

* Add PKINIT support
  Author: Kevin Coffman | Age: 2007-08-01 | Files: 8 | Lines: -22/+1335
  Pull up PKINIT support onto the trunk. Changes from the version in
  branch users/coffman/pkinit are:
  - Update the preauth plugin interface version to avoid conflict with
    any existing plugins.
  - Add a pkcs11.h locally to the pkinit code rather than depending on
    opensc being installed.
  ticket: new
  Target_Version: 1.6.3
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19745 dc483132-0cff-0310-8789-dd5450dbe970

* Set KTFILEP field to null any time we close the file
  Author: Ken Raeburn | Age: 2007-07-27 | Files: 1 | Lines: -0/+3
  ticket: 3099
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19739 dc483132-0cff-0310-8789-dd5450dbe970

* Debugged version of patch worked up with Luke
  Author: Ken Raeburn | Age: 2007-07-27 | Files: 5 | Lines: -18/+70
  Adds a callback to krb5int_sendto to examine the response and indicate
  whether to quit the loop or not. For sendto_kdc, keep going if the
  returned error is "service unavailable". Updated all other callers to
  pass a null function pointer, which means to always break out of the
  loop on any response (the old behavior).
  ticket: 3334
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19738 dc483132-0cff-0310-8789-dd5450dbe970

* Check for null file handle in get_next.
  Author: Ken Raeburn | Age: 2007-07-27 | Files: 1 | Lines: -0/+4
  Patch from Luke Howard.
  ticket: 5471
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19736 dc483132-0cff-0310-8789-dd5450dbe970

* If no salt is included with the key data, set the salt length field to 0.
  Author: Ken Raeburn | Age: 2007-07-27 | Files: 1 | Lines: -1/+2
  Bug report and patch from Nalin Dahyabhai.
  ticket: 5545
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19733 dc483132-0cff-0310-8789-dd5450dbe970

* Pull out code for looking up the current time, comparing the offset of
  a supplied timestamp against the configured maximum clock skew, and
  possibly generating an error message, into a separate routine.
  Author: Ken Raeburn | Age: 2007-07-20 | Files: 4 | Lines: -37/+19
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19722 dc483132-0cff-0310-8789-dd5450dbe970

* Added new autogenerated file to generate-files-mac target
  Author: Alexandra Ellwood | Age: 2007-07-19 | Files: 1 | Lines: -1/+1
  ticket: new
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19718 dc483132-0cff-0310-8789-dd5450dbe970

* make depend
  Author: Ken Raeburn | Age: 2007-07-13 | Files: 1 | Lines: -3/+3
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19710 dc483132-0cff-0310-8789-dd5450dbe970

* Missed a sprintf->snprintf switch
  Author: Ken Raeburn | Age: 2007-07-12 | Files: 1 | Lines: -1/+1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19706 dc483132-0cff-0310-8789-dd5450dbe970

* Avoid use of unchecked sprintf in libraries. Use asprintf if the
  output buffer is allocated according to the size of data to be
  written, or snprintf otherwise.
  Author: Ken Raeburn | Age: 2007-07-12 | Files: 34 | Lines: -273/+284
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19703 dc483132-0cff-0310-8789-dd5450dbe970

* Nuke disabled support for ancient .klogin syntax
  Author: Ken Raeburn | Age: 2007-07-12 | Files: 4 | Lines: -871/+2
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19702 dc483132-0cff-0310-8789-dd5450dbe970

* Make error_map.h depend on ktemplate.pm too
  Author: Ken Raeburn | Age: 2007-07-04 | Files: 1 | Lines: -1/+1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19675 dc483132-0cff-0310-8789-dd5450dbe970

* gss krb5 mech enhanced error messages
  Author: Ken Raeburn | Age: 2007-07-04 | Files: 25 | Lines: -48/+260
  Save detailed error messages (usually from the krb5 library) in
  per-thread storage, mapping each error code to the most recently
  produced message for it. Return the message from display_status.
  Currently not implemented for a few cases where the krb5 mechanism
  returns a minor status code of 0, or another value different from the
  libkrb5 error code.
  Other functions are available to store a generic string or formatted
  message, but aren't used much at present.
  Tested with these errors in context establishment:
    * missing ccache (libkrb5 shows pathname if FILE: type)
    * missing keytab (libkrb5 shows pathname if FILE: type)
    * server principal unknown (libkrb5 shows server principal)
  ticket: new
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19672 dc483132-0cff-0310-8789-dd5450dbe970

* Use strdup
  Author: Ken Raeburn | Age: 2007-07-04 | Files: 1 | Lines: -3/+1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19671 dc483132-0cff-0310-8789-dd5450dbe970

* Some handy debugging code for gssapi errors in credential acquisition;
  currently disabled
  Author: Ken Raeburn | Age: 2007-07-04 | Files: 1 | Lines: -0/+44
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19667 dc483132-0cff-0310-8789-dd5450dbe970

* If error is KDC_ERR_S_PRINCIPAL_UNKNOWN, report the server name
  Author: Ken Raeburn | Age: 2007-07-04 | Files: 1 | Lines: -0/+14
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19666 dc483132-0cff-0310-8789-dd5450dbe970

* In file-not-found case, report the filename sought
  Author: Ken Raeburn | Age: 2007-07-04 | Files: 1 | Lines: -4/+17
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19665 dc483132-0cff-0310-8789-dd5450dbe970

* Remove debugging message accidentally left in
  Author: Ken Raeburn | Age: 2007-07-04 | Files: 1 | Lines: -1/+0
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19664 dc483132-0cff-0310-8789-dd5450dbe970

* Save a detailed message for FCC_NOFILE including the file name
  Author: Ken Raeburn | Age: 2007-07-04 | Files: 1 | Lines: -2/+13
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19663 dc483132-0cff-0310-8789-dd5450dbe970

* Tell Emacs to use C mode for this file
  Author: Ken Raeburn | Age: 2007-07-03 | Files: 1 | Lines: -1/+1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19660 dc483132-0cff-0310-8789-dd5450dbe970

* Define a localtime_r wrapper around localtime if the system doesn't
  provide localtime_r, instead of handling it in-line. Check for error
  indication from localtime_r. Call localtime_r only once instead of
  each time around the loop.
  Author: Ken Raeburn | Age: 2007-06-29 | Files: 1 | Lines: -7/+17
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19655 dc483132-0cff-0310-8789-dd5450dbe970

* Attach format attributes to declarations of various message-formatting
  routines under gcc. In a couple of routines, hard-code the preference
  for using the vsnprintf paths instead of list-of-int-arguments hacks
  now that we're assuming vsnprintf is available in other places.
  Author: Ken Raeburn | Age: 2007-06-29 | Files: 2 | Lines: -20/+23
  Installed headers affected:
    com_err.h (com_err, com_err_va)
    ss.h (ss_error)
    krb5.h (krb5_set_error_message, krb5_vset_error_message)
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19653 dc483132-0cff-0310-8789-dd5450dbe970

* fix MITKRB5-SA-2007-004 [CVE-2007-2442/VU#356961, CVE-2007-2443/VU#365313]
  Author: Tom Yu | Age: 2007-06-26 | Files: 2 | Lines: -5/+8
  CVE-2007-2442/VU#356961: The RPC library can free an uninitialized
  pointer. This may lead to execution of arbitrary code.
  CVE-2007-2443/VU#365313: The RPC library can write past the end of a
  stack buffer. This may (but is unlikely to) lead to execution of
  arbitrary code.
  ticket: new
  target_version: 1.6.2
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19636 dc483132-0cff-0310-8789-dd5450dbe970

* Move (BSD-licensed) mkstemp from libdb2 to libkrb5support, and rename
  the function to krb5int_mkstemp. Generate the symbol export list for
  libkrb5support at build time. Declare krb5int_mkstemp in
  k5-platform.h. Change cc_file.c to use mkstemp unconditionally. Make
  libdb2.so (built for testing only) link against the libkrb5support,
  and use krb5int_mkstemp if mkstemp is not available.
  Author: Ken Raeburn | Age: 2007-06-20 | Files: 1 | Lines: -4/+0
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19600 dc483132-0cff-0310-8789-dd5450dbe970

* set svn:eol-style to native for *.[ch]
  Author: Ken Raeburn | Age: 2007-06-20 | Files: 1 | Lines: -94/+94
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19596 dc483132-0cff-0310-8789-dd5450dbe970

* provide asprintf functionality for internal use
  Author: Ken Raeburn | Age: 2007-06-20 | Files: 1 | Lines: -3/+9
  I plan to use asprintf in some gssapi error-message management
  routines, so let's make sure we have the functionality available,
  implementing it locally if necessary. This implementation assumes
  vsnprintf is available, an assumption that the support library is
  already making at the moment. Since this implementation requires
  calling vsnprintf potentially multiple times with the same va_list,
  use va_copy if it's available, or provide a hack version (which should
  work okay if va_list is a scalar or array type that requires no other
  special handling, and if va_end does nothing interesting, which is
  usually the case) if the compiler doesn't provide it.
  I also changed a couple bits of code to use asprintf, to make sure we
  exercise our implementation in testing.
  (C99 requires vsnprintf and va_copy; vasprintf is a GNU/BSD extension,
  but an oh so useful one....)
    * configure.in: Check for va_copy, or if va_list objects can be
      simply assigned. Define HAS_VA_COPY and CAN_COPY_VA_LIST as
      appropriate.
    * include/k5-platform.h: Define a va_copy macro if the compiler
      doesn't provide it.
    * include/k5-platform.h: If vsnprintf isn't available from the OS,
      abort compilation. If vasprintf isn't available from the OS,
      provide k5_{v,}asprintf based on vsnprintf and define {v,}asprintf
      macros.
    * lib/krb5/keytab/t_keytab.c (do_test): Use asprintf.
    * util/support/errors.c (krb5int_vset_error): Use asprintf
      unconditionally.
  ticket: new
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19595 dc483132-0cff-0310-8789-dd5450dbe970

* set eol-style and mime-type properties
  Author: Ken Raeburn | Age: 2007-06-19 | Files: 1 | Lines: -677/+677
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19594 dc483132-0cff-0310-8789-dd5450dbe970

* krb5_walk_realm_tree leaks in capaths case
  Author: Tom Yu | Age: 2007-06-18 | Files: 1 | Lines: -0/+3
  Markus Moeller reports a leak in krb5_get_credentials() which was then
  traced down to profile strings leaking from within
  krb5_walk_realm_tree(). A pointer to a profile string was getting
  overwritten without the string being freed when *cap_nodes[0] == '.'.
  Fix is to free the string prior to overwriting the pointer if the
  pointer is non-null.
  ticket: new
  target_version: 1.6.2
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19582 dc483132-0cff-0310-8789-dd5450dbe970

* Move CCAPI sources to krb5 repository
  Author: Alexandra Ellwood | Age: 2007-05-31 | Files: 2 | Lines: -3/+3
  ticket: new
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19564 dc483132-0cff-0310-8789-dd5450dbe970

* don't check for readability resolving SRVTAB: keytab
  Author: Ken Raeburn | Age: 2007-05-31 | Files: 1 | Lines: -7/+0
  Greg Hudson has pointed out that the FILE: and SRVTAB: keytab types
  differ in when they report errors for files not existing. The
  implementations of ANY: floating around cope better if they
  consistently accept names of files that aren't present, and report the
  error later when fetching information.
  ticket: new
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19563 dc483132-0cff-0310-8789-dd5450dbe970

* Remove unused macro
  Author: Ken Raeburn | Age: 2007-05-23 | Files: 1 | Lines: -3/+1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19558 dc483132-0cff-0310-8789-dd5450dbe970

* Change struct _krb5_context.os_context into a single element instead of array[1]
  Author: Ken Raeburn | Age: 2007-05-21 | Files: 10 | Lines: -43/+40
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19554 dc483132-0cff-0310-8789-dd5450dbe970

* Fix various gcc warnings about pointer target signedness and qualifiers
  Author: Ken Raeburn | Age: 2007-05-10 | Files: 11 | Lines: -36/+54
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19548 dc483132-0cff-0310-8789-dd5450dbe970

* Rewrite weak key check to use a small custom struct instead of wedging
  data into krb5_data, and use the array size rather than a sentinel for
  loop control.
  Author: Ken Raeburn | Age: 2007-05-10 | Files: 1 | Lines: -10/+12
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19547 dc483132-0cff-0310-8789-dd5450dbe970

* We're requiring that 'inline' work nowadays, so don't conditionalize its use
  Author: Ken Raeburn | Age: 2007-05-10 | Files: 1 | Lines: -7/+1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19546 dc483132-0cff-0310-8789-dd5450dbe970

* Use new comparison inline fn
  Author: Ken Raeburn | Age: 2007-05-10 | Files: 1 | Lines: -3/+2
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19545 dc483132-0cff-0310-8789-dd5450dbe970

* Define and use some inline helper functions for comparing data and
  authdata structures, instead of open-coding checks of multiple fields
  everywhere.
  Author: Ken Raeburn | Age: 2007-05-10 | Files: 7 | Lines: -65/+27
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19544 dc483132-0cff-0310-8789-dd5450dbe970

* k5-int.h, gic_opt.c
  Author: Jeffrey Altman | Age: 2007-05-02 | Files: 1 | Lines: -2/+12
  The krb5_get_init_creds_password() and krb5_get_init_creds_keytab()
  functions permit the gic_opts parameter to be NULL. This is not taken
  into account when testing the value with the macros
  krb5_gic_opt_is_extended() and krb5_gic_opt_is_shadowed(). Nor is it
  taken into account within krb5int_gic_opte_copy() which is called by
  krb5int_gic_opt_to_opte() when the input parameter is not a
  krb5_gic_opt_ext structure.
  This commit makes two changes:
  (1) it modifies the macros to ensure that the value is non-NULL before
      evaluation.
  (2) it modifies krb5int_gic_opte_copy() to avoid copying the original
      values with memcpy() when the input is NULL.
  In addition, the code was audited to ensure that the flag
  KRB5_GET_INIT_CREDS_OPT_SHADOWED is properly set and that when it is
  set, that the allocated krb5_gic_opt_ext structure is freed by
  krb5_get_init_creds_password() and krb5_get_init_creds_keytab().
  ticket: 5552
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19537 dc483132-0cff-0310-8789-dd5450dbe970

* rd_req_decoded needs to deal with referral realms
  Author: Sam Hartman | Age: 2007-04-29 | Files: 1 | Lines: -5/+21
    * Fix handling of null realm in krb5_rd_req_decoded; now we treat a
      null realm as a default realm there, as we do in the keytab code.
  ticket: new
  Target_Version: 1.6.2
  Tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19536 dc483132-0cff-0310-8789-dd5450dbe970

* race condition in referrals fallback
  Author: Tom Yu | Age: 2007-04-25 | Files: 1 | Lines: -0/+1
    * src/lib/krb5/krb/gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): During
      referrals fallback, set *tgts to NULL after freeing. This avoids
      returning a pointer to freed memory when the first call to
      do_traversal() obtains some TGTs and the subsequent
      krb5_cc_retrieve_cred() of the final-hop TGT succeeds (due to some
      other thread or process storing that TGT into the ccache), causing
      second do_traversal() call (which would re-initialize *tgts) to not
      execute.
  Race condition found during KfW-3.2 testing.
  ticket: new
  target_version: 1.6.2
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19526 dc483132-0cff-0310-8789-dd5450dbe970

* Add the new kadm5srv function krb5_get_principal_keys to the export list
  Author: Russ Allbery | Age: 2007-04-16 | Files: 1 | Lines: -0/+1
  Build a separate copy of kadmin/cli/keytab.c for kadmin.local that
  exposes the -norandkey flag in a way that doesn't require the compiler
  support -c and -o at the same time.
  Ticket: 914
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19475 dc483132-0cff-0310-8789-dd5450dbe970

* Add support for extracting existing keys from the KDC with kadmin.local.
  Author: Russ Allbery | Age: 2007-04-16 | Files: 2 | Lines: -0/+65
  Adds a -norandkey option to the ktadd command only in kadmin.local,
  and adds a new function to the libkadm5srv library that kadmin.local
  can call. There is no protocol or network access to this function.
  Ticket: 914
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19474 dc483132-0cff-0310-8789-dd5450dbe970

* Revert previous change; krb5int_cm_call_select is used by the KDC, and
  should return when interrupted by a signal. Instead, check for EINTR
  in service_fds and call krb5int_cm_call_select again.
  Author: Ken Raeburn | Age: 2007-04-13 | Files: 1 | Lines: -7/+8
  ticket: 5440
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19457 dc483132-0cff-0310-8789-dd5450dbe970

* Produce a more informative error message for KDC_UNREACH with KDC not responding
  Author: Ken Raeburn | Age: 2007-04-13 | Files: 1 | Lines: -2/+11
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19456 dc483132-0cff-0310-8789-dd5450dbe970

* Provide more detailed error message for 'client not found in kdb'
  Author: Ken Raeburn | Age: 2007-04-13 | Files: 1 | Lines: -0/+17
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19455 dc483132-0cff-0310-8789-dd5450dbe970

* If select returns EINTR, recompute the expiration time and call it again
  Author: Ken Raeburn | Age: 2007-04-13 | Files: 1 | Lines: -1/+5
  ticket: 5440
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19452 dc483132-0cff-0310-8789-dd5450dbe970

* EAI_NODATA deprecated, not always defined
  Author: Ken Raeburn | Age: 2007-04-09 | Files: 2 | Lines: -2/+11
  Brian Kantor reports (on the kerberos@mit list today) that krb5-1.6
  doesn't build on FreeBSD 6.1 because they've done away with
  EAI_NODATA, which was removed from the getaddrinfo API in RFC 3943.
  This patch conditionalizes two tests for EAI_NODATA on the macro being
  defined, and also adds handling for EAI_OVERFLOW, a new error code
  added in RFC 3943.
  ticket: new
  tags: pullup
  target_version: 1.6.1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19410 dc483132-0cff-0310-8789-dd5450dbe970

* service location plugin returning no addresses handled incorrectly
  Author: Ken Raeburn | Age: 2007-04-05 | Files: 1 | Lines: -18/+18
  If a locate plugin (e.g., the Python sample plugin and script, when
  given realm BOBO.MIT.EDU) returns no error but no addresses, the
  library won't report an error, but will try to make contact, and
  eventually crash with a null pointer dereference.
  Fix: If a plugin returns a value other than PLUGIN_NO_HANDLE, including
  success, continue into the code that checks for an empty address list.
  ticket: new
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19399 dc483132-0cff-0310-8789-dd5450dbe970

* MITKRB5-SA-2007-002: buffer overflow in krb5_klog_syslog
  Author: Tom Yu | Age: 2007-04-03 | Files: 1 | Lines: -3/+7
  Fix MITKRB5-SA-2007-002: buffer overflow in krb5_klog_syslog.
    * src/lib/krb5/krb/get_in_tkt.c (krb5_klog_syslog): Use vsnprintf if
      available.
  Everything else: use precision fields on "%s" specifiers to truncate
  logged strings, in case someone doesn't have vsnprintf.
  ticket: new
  target_version: 1.6.1
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19395 dc483132-0cff-0310-8789-dd5450dbe970