| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
| |
Commit 2e956074b228ff4df3b7462037ab69e4e88ffffe omitted adding a
dependency to the "all" target to force the build of the t_enctypes
test program.
ticket: 7688
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The acceptor implementation of gss_krb5_set_allowable_enctypes (added
in 1.9.1) is intended to restrict the acceptor subkey negotiated by
krb5_rd_req(). It uses the same approach as the initiator, calling
krb5_set_default_tgs_enctypes on the context. This has the unwanted
side effect of restricting the encryption key of the ticket, because
krb5_decrypt_tkt_part has checked krb5_is_permitted_enctype on the
ticket encryption key since 1.8.
Instead, use krb5_auth_con_setpermetypes on the auth context. This
list is only used for session key enctype negotiation. Also add
automated tests to verify that gss_krb5_set_allowable_enctypes works
as desired.
ticket: 7688 (new)
target_version: 1.11.4
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
When putting together the set of identity prompts for a responder
challenge, if we don't need a PIN or password of some kind, don't ask
an empty question.
[ghudson@mit.edu: squashed commits, modified commit message, merged
PKCS11 test with current Python script]
|
| |
|
|
|
|
|
| |
Make the purgekeys RPC allow self-service, like the chpass and chrand
RPCs.
ticket: 7681 (new)
|
| |
|
|
|
|
|
|
|
| |
Don't create a bunch of identically configured realms; just reuse the
same one. Remove a redundant assignment from the soft-pkcs11.so
check. Move the pkinit_identity setting from krb5.conf to kdc.conf,
since it's only used by the KDC. Add a test for trying anonymous
PKINIT when it isn't configured. Check for a specific error message
when testing restricted anonymous PKINIT.
|
| | |
|
| |
|
|
|
|
| |
Before we test authenticated PKINIT, slip in a test to check that
password-based preauthentication still works when the KDC is offering
PKINIT, but the client has no PKINIT credentials.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We now also test that the PKINIT challenge looks like we expect it to
look, that PKINIT fails if we don't provide a response or a prompter
callback, and that PKINIT succeeds with a response provided using either
the raw responder API or the PKINIT responder functions.
One thing that we don't check is which specific error code we get when
PKINIT fails: the OpenSSL and NSS versions return different error codes
(some mixture of EIO, ENOMEM, ENOENT, and KRB5KDC_ERR_PREAUTH_FAILED)
when they encounter trouble loading client credentials.
ticket: 7680
|
| |
|
|
| |
ticket: 7680
|
| |
|
|
|
|
|
|
|
| |
Add kadmin support for "addprinc -nokey", which creates a principal
with no keys, and "purgekeys -all", which deletes all keys from a
principal. The KDC was modified by #7630 to support principals
without keys.
ticket: 7679 (new)
|
| |
|
|
|
|
|
| |
Reorder (and trim) the imports in t_otp.py so that k5test is pulled in
before we try to import pyrad and multiprocessing. Otherwise
success() isn't defined in the case where we decide to skip the entire
test script.
|
| |
|
|
|
|
|
|
|
|
| |
This plugin implements the proposal for providing OTP support by
proxying requests to RADIUS. Details can be found inside the
provided documentation as well as on the project page.
http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS
ticket: 7678
|
| |
|
|
|
|
| |
ticket: 7670 (new)
tags: pullup
target_version: 1.11.4
|
| |
|
|
|
|
|
|
|
|
| |
Create a test module for the pwqual interface, and script to exercise
the built-in and test modules through kadmin.local. Also create a
test harness to display the order of pwqual modules for the current
configuration, and use it to test the plugin module ordering
guarantees.
ticket: 7665
|
| |
|
|
|
|
|
|
|
| |
When we are testing maximum renewable lifetimes, the KDC might process
the request at a later time than the request time (typically by no
more than one second). So we need to ask for a ticket lifetime longer
than the maximum renewable lifetime, not equal to it, or we risk
getting a just-barely-renewable ticket instead of a non-renewable one.
Also fix a couple of typos in comments.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Create a new helper to compute the renewable lifetime for AS and TGS
requests. This has some minor behavior differences:
* We only issue a renewable ticket if the renewable lifetime is greater
than the normal ticket lifetime.
* We give RENEWABLE precedence over RENEWABLE-OK in determining the
requested renewable lifetime, instead of sometimes doing the
reverse.
* We use the client's maximum renewable life for TGS requests if we
have looked up its DB entry.
* Instead of rejecting requests for renewable tickets (if the client
or server principal doesn't allow it, or a TGS request's TGT isn't
renewable), issue non-renewable tickets.
ticket: 7661 (new)
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the gak_data value used by krb5_get_as_key_password, separate the
already-known password from the storage we might have allocated to put
it in, so that we no longer use an empty data buffer to determine
whether we know the password. This allows empty passwords to work via
the API.
Remove the kadm5 test which explicitly uses an empty password.
Based on a patch from Stef Walter.
ticket: 7642
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Acceptor Names project (#6855) extended krb5_rd_req so that it can
accept a "matching principal" in the server parameter. If the
matching principal has an empty realm, rd_req_decoded_opt attempted to
do transited checking with an empty server realm.
To fix this, always reset server to req->ticket->server for future
processing steps if we decrypt the ticket using a keytab.
decrypt_ticket replaces req->ticket->server with the principal name
from the keytab entry, so we know this name is correct.
Based on a bug report and patch from nalin@redhat.com.
ticket: 7639
target_version: 1.11.3
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
Provide default values in pre.in for PROG_LIBPATH, PROG_RPATH,
SHLIB_DIRS, SHLIB_RDIRS, and STOBJLISTS so that they don't have to be
specified in the common case. Rename KRB5_RUN_ENV and KRB5_RUN_VARS
to RUN_SETUP (already the most commonly used name) and RUN_VARS. Make
sure to use DEFINES for local defines (not DEFS). Remove some other
unnecessary makefile content.
|
| |
|
|
| |
ticket: 7635 (new)
|
| |
|
|
|
|
| |
The test, as submitted, included a copy/paste error which caused it to
test PKINIT using unencrypted PKCS12 bundles twice, and to not test a
DIR: location containing unencrypted PEM-formatted keys at all.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add tests for non-anonymous PKINIT:
* FILE: with no password
* FILE: with a password
* DIR: with no password
* DIR: with a password
* PKCS12: with no password
* PKCS12: with a password
* PKCS11: with a password, if soft-pkcs11.so is found via ctypes
[ghudson@mit.edu: reformatted to 79 columns; removed intermediate
success() calls]
|
| |
|
|
| |
[ghudson@mit.edu: reformatted to limit lines to 79 columns]
|
| |
|
|
|
| |
Correctly check whether the next argument is NULL in the while loop
which parses store elements.
|
| |
|
|
|
|
|
|
| |
Modify t_credstore.c to be more flexible and adjust t_gssapi.py
accordingly. Add a test to t_client_keytab.py which acquire creds
using a programmatically specified client keytab.
ticket: 7598
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Create a test module, program, and script to exercise the
krb5_aname_to_localname and krb5_k5userok functions as well as the
localauth pluggable interface.
ticket: 7583
|
| |
|
|
|
|
|
|
|
| |
Use $(COMMON_DEPS) instead of $(COMMON_DEPLIBS) for dependencies; the
latter appears to be a typo. Fixes build when using "make -j".
ticket: 7587 (new)
target_version: 1.11.2
tags: pullup
|
| |
|
|
| |
ticket: 7585
|
| |
|
|
|
|
| |
Create a K5Realm.kprop_port method so test scripts can invoke kprop
usefully, and create a simple Python test script exercising the same
kprop functionality as the dejagnu suite's kprop.exp.
|
| |
|
|
|
|
|
|
| |
Move the existing dump/load tests from t_general.py to a new script
t_dump.py. Add additional tests using pre-created dumpfiles, to
exercise the -r18, -r13, -b7, and -ov formats.
bigredbutton: whitespace
|
| |
|
|
|
|
|
|
|
|
| |
krb5_ldap_open and krb5_ldap_create contain two large, almost
identical blocks of DB option processing code. Factor it out into a
new function krb5_ldap_parse_db_params in ldap_misc.c, and simplify
the factored-out code. Create a helper function to add server entries
and use it to simplify krb5_ldap_read_server_params as well as DB
option parsing. Since the new DB option helper uses isspace instead
of isblank, we no longer require portability goop for isblank.
|
| |
|
|
|
|
|
|
| |
Since iprop cannot carry policy changes, force a full resync to happen
each time a policy change occurs. Based on a patch from
Richard Basch <basch@alum.mit.edu>.
ticket: 7522
|
| |
|
|
|
|
|
| |
In k5test.py, allow run_kadminl to take an environment argument. In
t_iprop.py, perform some queries on the slaves after each propagation
to spot-check that it got modifications from master. Use a helper
function to check serial numbers for conciseness.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the master iprop log is reinitialized to serial number 0, slaves
will need to take a full dump--but after that happens, we need to know
whether the slave has taken that full dump, we we don't offering full
dumps indefinitely.
So, record a timestamp in kdb_last_time when we reinitialize the log
header, and compare the slave timestamp to kdb_last_time whenever it
has the current serial number, even if it's 0. Test this by
performing a propagation with sno 0 in t_iprop.py and detecting
whether kpropd gets a second UPDATE_FULL_RESYNC_NEEDED response from
kadmind.
ticket: 7550 (new)
|
| |
|
|
|
|
| |
host_based_services and no_host_referral are allowed to have multiple
relations in each place they appear, so alter a couple of the test
cases to exercise that.
|
| | |
|
| |
|
|
|
|
|
| |
Test the KDC host-based referral support in t_referral.py, using a new
harness to call krb5_get_credentials with a specified server name
type. Also use this new harness for the #7483 regression test, to
avoid relying on an undocumented kvno extension.
|
| |
|
|
|
| |
Mostly this gets rid of the trailing space on line 2 after
bb76891f5386526bdf91bc790c614fc9296cb5fa.
|
| |
|
|
|
|
| |
Add tests to t_policy.py for password quality enforcement, password
history (apart from the existing #7099 regression test), and for
references to nonexistent policies.
|
| |
|
|
|
| |
Create a combined script for policy-related tests, and fold in the
existing lockout, password history, and allowed-keysalts tests.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Stop using and maintaining the policy_refcnt field, and do not try to
prevent deletion of a policy which is still referenced by principals.
Instead, allow principals to refer to policy names which do not exist
as policy objects; treat those principals as having no associated
policy.
In the kadmin client, warn if addprinc or modprinc tries to reference
a policy which doesn't exist, since the server will no longer error
out in this case.
ticket: 7385
|
| |
|
|
|
| |
KRB5_CONF_ prefix should be used for the krb5/kdc.conf parameters.
Use KRB5_CC_CONF_ prefix for cache configuration variables.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Neither function correctly handled OIDs whose second arc exceeds 47
(theoretically possible if the first arc is 2). gss_str_to_oid had
additional problems: it used scanf, it didn't consistently protect
against read overrun if the input buffer wasn't null-terminated, and
it could get confused by + or - characters in the first two arcs. Fix
gss_oid_to_str and rewrite gss_str_to_oid.
Also add a test program.
ticket: 7524 (new)
|
