path: root/src

Commit log: commit message, author, age, files changed, lines removed/added

* Fix TRACE_GET_CRED_VIA_TKT_EXT format string
  Greg Hudson, 2012-05-24, 1 file, -2/+2

* Fix S4U user identification in preauth case
  Greg Hudson, 2012-05-24, 1 file, -4/+2

  In 1.10, encrypted timestamp became a built-in module instead of a hardcoded padata handler. This changed the behavior of krb5_get_init_creds as invoked by s4u_identify_user such that KRB5_PREAUTH_FAILED is returned instead of the gak function's error. (Module failures are not treated as hard errors, while hardcoded padata handler errors are.) Accordingly, we should look for KRB5_PREAUTH_FAILED in s4u_identify_user.

  On a less harmful note, the gak function was returning a protocol error code instead of a com_err code, and the caller was testing for a different protocol error code (KDC_ERR_PREAUTH_REQUIRED) which could never be returned by krb5_get_init_creds. Clean up both of those by returning KRB5_PREAUTH_FAILED from the gak function and testing for that alone.

  Reported by Michael Morony.

  ticket: 7136
  target_version: 1.10.2
  tags: pullup

* Convert DEBUG_REFERRALS to TRACE_* framework
  W. Trevor King, 2012-05-23, 7 files, -74/+68

  The referrals debugging code under DEBUG_REFERRALS ceased building correctly at some point. Convert this debugging code to use the tracing framework instead, including adding new trace macros to k5-trace.h.

  ticket: 7151

* Add tests for trace.c formatting
  W. Trevor King, 2012-05-23, 2 files, -2/+259

  This improves the previously minimal test coverage of "trace.c".

  ticket: 7151

* Add support for "{ptype}" trace format specifier
  W. Trevor King, 2012-05-23, 2 files, -0/+25

  Add the "{ptype}" trace format specifier, for principal name types. Also document the new option in the "k5-trace.h" comments.

  ticket: 7151

* Document "{keytab}" trace format specifier
  W. Trevor King, 2012-05-23, 1 file, -0/+1

* Export gss_mech_krb5_wrong from libgssapi_krb5
  Greg Hudson, 2012-05-22, 1 file, -0/+1

  Although there are few legitimate reasons to use gss_mech_krb5_wrong, it's declared in the public header and exported in the Windows DLL. So export it from the Unix library as well.

  ticket: 7148 (new)
  target_version: 1.10.2
  tags: pullup

* Export krb5_set_trace_callback/filename
  Greg Hudson, 2012-05-21, 2 files, -1/+6

  krb5_set_trace_callback and krb5_set_trace_filename were added to krb5.h in krb5 1.9, but were mistakenly left out of the library export lists. Add them now.

  Reported by Russ Allbery.

  ticket: 7143
  target_version: 1.10.2
  tags: pullup

* Fix "(empty" typo in "{etypes}" handler in trace.c
  W. Trevor King, 2012-05-18, 1 file, -1/+1

  ticket: 7137

* Fix "(null" typo in "{key}" handler in trace.c
  W. Trevor King, 2012-05-18, 1 file, -1/+1

  ticket: 7134

* Correct the name of krb5int_trace in comments
  Tom Yu, 2012-05-17, 1 file, -4/+4

  Patch from W. Trevor King.

  ticket: 7133

* Add missing $(LIBS) to some shared libraries
  Tom Yu, 2012-05-17, 5 files, -5/+5

  Add $(LIBS) to the $(SHLIB_EXPLIBS) for some shared libraries which did not previously include it, which prevented gcov from working properly in some cases.

  Patch from W. Trevor King.

  ticket: 7138

* Make mkrel work on non-master branches
  Tom Yu, 2012-05-15, 1 file, -3/+4

  Appending "--" to the git checkout arguments appears to prevent it from automatically creating a local branch from the remote. Also correct the default git URL and clean up a spurious find warning.

* Update CHANGES file generation for Git
  Tom Yu, 2012-05-14, 1 file, -1/+1

  Use the correct git log invocation for generating the CHANGES file.

* Update patchlevel.h for Git repository
  Tom Yu, 2012-05-14, 1 file, -2/+2

  Use "master", not "trunk", as RELTAG now.

* Add missing newline to sn2princ debug message
  Greg Hudson, 2012-05-14, 1 file, -1/+2

  Patch from wking@tremily.us.

  ticket: 7131

* Convert util/mkrel to use git instead of svn
  Greg Hudson, 2012-05-14, 1 file, -26/+15

* Check alloc_data result in krb5int_old_encrypt
  Greg Hudson, 2012-05-13, 1 file, -0/+2

* Clean up a redundant assignment in libprofile
  Greg Hudson, 2012-05-13, 1 file, -2/+0

* Avoid extern inline in asn1buf.h
  Greg Hudson, 2012-05-13, 1 file, -2/+4

  Avoid using extern inline in asn1buf.h, as there are two conflicting sets of semantics (gnu89's and C99's). gcc defaults to the gnu89 semantics, which we were using, while clang defines __GNUC__ but defaults to the C99 semantics. To simplify things, use static inline instead, like we do in k5-int.h.

* Don't stomp minor code in spnego_gss_acquire_cred
  Greg Hudson, 2012-05-13, 1 file, -3/+3

  When spnego_gss_acquire_cred passes through a failure status from the mechglue, it overwrites the minor code with a call to gss_release_oid_set(). Use a temporary minor status for that and a related call.

* Remove find-missing-eol-prop and fix-eol-prop
  Greg Hudson, 2012-05-12, 2 files, -21/+0

  Remove two Subversion-specific scripts which are no longer necessary now that the master repository is in git.

* Null-terminate components of parsed principals
  Greg Hudson, 2012-05-12, 2 files, -11/+10

  The rewritten krb5_parse_name didn't null-terminate components or realms of principals, while the old one did. Fix the new one to do so as well. This means KRB5_PRINCIPAL_PARSE_IGNORE_REALM allocates one byte for the realm instead of leaving it as empty_data(), so we need to free the realm in build_in_tkt_name() before copying in the client realm.

* Omit start time in common AS requests
  Greg Hudson, 2012-05-11, 2 files, -15/+33

  MIT and Heimdal KDCs ignore the start time for non-postdated ticket requests, but AD yields an error if the start time is in the KDC's future, defeating the kdc_timesync option. Omit the start time if the caller did not specify a start time offset.

  This change reenables the client check for too much clock skew in the KDC reply in the non-timesync configuration. That check had been unintentionally suppressed since the introduction of the get_init_creds interfaces. Adjust the t_skew test script to expect the new error behavior.

  Code changes from stefw@gnome.org with slight modifications.

  ticket: 7130
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25864 dc483132-0cff-0310-8789-dd5450dbe970

* Avoid requiring default realm for in_tkt_service
  Greg Hudson, 2012-05-10, 1 file, -31/+17

  Use the new KRB5_PRINCIPAL_PARSE_IGNORE_REALM flag when parsing in_tkt_service arguments in get_init_cred functions, since we're going to overwrite the realm anyway.

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25863 dc483132-0cff-0310-8789-dd5450dbe970

* Add krb5_parse_name flag to ignore realm
  Greg Hudson, 2012-05-10, 2 files, -1/+12

  The flag KRB5_PRINCIPAL_PARSE_IGNORE_REALM causes krb5_parse_name to return the principal with an empty realm whether or not a realm is present in the name.

  ticket: 7129
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25862 dc483132-0cff-0310-8789-dd5450dbe970

* Rewrite krb5_parse_name
  Greg Hudson, 2012-05-10, 2 files, -292/+186

  krb5_parse_name started out a bit unwieldy, and has become more so with the introduction of flags. Rewrite it using two passes (allocate and fill), each broken out into its own helper, and a wrapper which handles the realm flags.

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25861 dc483132-0cff-0310-8789-dd5450dbe970
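The three krb5_parse_name entries above (the rewrite, the KRB5_PRINCIPAL_PARSE_IGNORE_REALM flag, and the null-termination fix) describe one recurring hazard: a length-counted buffer such as krb5_data that some caller later treats as a C string. The following is an added illustration written for this page, not krb5's own krb5_parse_name: a deliberately simplified principal parser in C that stores every component and the realm as a length-counted buffer which is also NUL-terminated, and that, under a hypothetical PARSE_IGNORE_REALM flag modelled on the krb5 flag, still allocates a one-byte empty realm rather than leaving a NULL pointer, so a caller that frees it or passes it to strcmp is safe. Assumptions: escape handling is reduced to backslash-quoting the next character, an unescaped '/' or '@' inside the realm is treated as malformed, and no default realm is substituted when the name carries none (real krb5 consults the profile for that).

```c
#include <stdlib.h>
#include <string.h>

#define MAX_COMPONENTS 8
/* Hypothetical flag modelled on KRB5_PRINCIPAL_PARSE_IGNORE_REALM. */
#define PARSE_IGNORE_REALM 1

/* Length-counted buffer in the style of krb5_data. In this example data is
 * always NUL-terminated and length excludes the terminator. */
struct pdata {
    size_t length;
    char *data;
};

struct principal {
    struct pdata realm;
    struct pdata comp[MAX_COMPONENTS];
    int ncomp;
};

/* Copy n bytes and append a NUL (a copy-with-add0 helper): callers that use
 * strcmp/strcspn on the result cannot read past the allocation. */
static int copy_add0(struct pdata *out, const char *src, size_t n)
{
    out->data = malloc(n + 1);
    if (out->data == NULL)
        return -1;
    memcpy(out->data, src, n);
    out->data[n] = '\0';
    out->length = n;
    return 0;
}

void free_principal(struct principal *p)
{
    int i;

    for (i = 0; i < p->ncomp; i++)
        free(p->comp[i].data);
    free(p->realm.data);
    memset(p, 0, sizeof(*p));
}

/* Store the buffered text as the next component. */
static int push_comp(struct principal *p, const char *buf, size_t blen)
{
    if (p->ncomp >= MAX_COMPONENTS)
        return -1;
    if (copy_add0(&p->comp[p->ncomp], buf, blen) != 0)
        return -1;
    p->ncomp++;
    return 0;
}

/* Parse "comp1/comp2@REALM" into p. Returns 0 on success, -1 on malformed
 * input or allocation failure (p is left empty in that case). */
int parse_principal(const char *name, int flags, struct principal *p)
{
    char buf[256];
    size_t blen = 0;
    const char *c;
    int in_realm = 0, rc = -1;

    memset(p, 0, sizeof(*p));
    for (c = name; ; c++) {
        int ch = (unsigned char)*c;

        if (ch == '\\' && c[1] != '\0') {
            ch = (unsigned char)*++c;        /* escaped: take literally */
        } else if (ch == '\0') {
            break;
        } else if (ch == '/' && !in_realm) {
            if (push_comp(p, buf, blen) != 0)
                goto out;
            blen = 0;
            continue;
        } else if (ch == '@' && !in_realm) {
            if (push_comp(p, buf, blen) != 0)
                goto out;
            blen = 0;
            in_realm = 1;
            continue;
        } else if (ch == '@' || ch == '/') {
            goto out;                        /* unescaped separator in realm */
        }
        if (blen >= sizeof(buf) - 1)
            goto out;
        buf[blen++] = (char)ch;
    }

    if (!in_realm) {
        /* No '@': the buffered text is the last component. Real krb5 would
         * now fill in the default realm unless IGNORE_REALM is set. */
        if (push_comp(p, buf, blen) != 0)
            goto out;
        blen = 0;
    } else if (flags & PARSE_IGNORE_REALM) {
        blen = 0;                            /* discard the supplied realm */
    }
    /* Always allocate the realm, even when empty, so it is a valid
     * (terminated) C string rather than a NULL pointer. */
    if (copy_add0(&p->realm, buf, blen) != 0)
        goto out;
    rc = 0;
out:
    if (rc != 0)
        free_principal(p);
    return rc;
}
```

The point to carry over to real code: a krb5_data whose length is honoured everywhere is safe without a terminator, but the moment one consumer calls a str* function on it (as the AFS salt path does with strcspn), the producer must guarantee the terminator, and an "empty" field should be an allocated empty string, not a NULL that other code will free or dereference.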
* Make password change work without default realm
  Greg Hudson, 2012-05-10, 1 file, -0/+5

  This fix is not very general or clean, but is suitable for backporting because it is minimally invasive. A more comprehensive fix will follow.

  ticket: 7127
  target_version: 1.10.2
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25860 dc483132-0cff-0310-8789-dd5450dbe970

* Add no-op macro for ngettext for non-NLS builds
  Greg Hudson, 2012-05-09, 1 file, -0/+1

  r25857 (#7128) uses ngettext, which means we need a no-op macro for it when we're building without NLS support.

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25859 dc483132-0cff-0310-8789-dd5450dbe970

* Constify get_init_creds string input params
  Greg Hudson, 2012-05-09, 6 files, -15/+17

  The get_init_creds functions take read-only string input parameters for passwords and initial ticket services. Make these const char * parameters instead of just char * parameters, for caller convenience.

  Reported by rra@stanford.edu.

  ticket: 7121
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25858 dc483132-0cff-0310-8789-dd5450dbe970

* Add API to interpret changepw result strings
  Greg Hudson, 2012-05-09, 9 files, -14/+398

  Active Directory returns structured policy information in the nominally UTF-8 result string field of a password change reply. Add a new API krb5_chpw_message() to convert a result string into a displayable message, interpreting policy information if present.

  Patch from stefw@gnome.org with changes.

  ticket: 7128
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25857 dc483132-0cff-0310-8789-dd5450dbe970

* Constify krb5int_utf8_normalize input parameter
  Greg Hudson, 2012-05-09, 2 files, -2/+2

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25856 dc483132-0cff-0310-8789-dd5450dbe970

* First pass at PKINIT client trace logs
  Greg Hudson, 2012-05-08, 4 files, -25/+156

  Trace basic decisions about PKINIT client protocol processing.

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25855 dc483132-0cff-0310-8789-dd5450dbe970

* Improve traced error messages from PKINIT client
  Greg Hudson, 2012-05-08, 2 files, -2/+9

  If we have no configured PKINIT client identity, or if we fail to create a certificate chain, set a reasonable error code (not EINVAL or ENOMEM) and a useful error message to appear in trace log output.

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25854 dc483132-0cff-0310-8789-dd5450dbe970

* Improve display of error code 0 in trace output
  Greg Hudson, 2012-05-08, 1 file, -1/+2

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25853 dc483132-0cff-0310-8789-dd5450dbe970

* Use variadic macros to simplify k5-trace.h
  Greg Hudson, 2012-05-08, 2 files, -216/+221

  Also fix the facility to make it possible to trace log without including k5-int.h.

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25852 dc483132-0cff-0310-8789-dd5450dbe970

* Modernize style in vfy_increds.c
  Greg Hudson, 2012-05-03, 1 file, -96/+104

  Make vfy_increds.c consistently use newer coding conventions. Also add a copyright statement.

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25848 dc483132-0cff-0310-8789-dd5450dbe970

* Make verify_init_creds work with existing ccache
  Greg Hudson, 2012-05-03, 1 file, -7/+0

  As the file ccache implementation currently stands, we don't want to turn off TC_OPENCLOSE on a file cache we're writing to, or it will be opened read-only and stores to it will fail.

  Reported by Russ Allbery.

  ticket: 5126
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25847 dc483132-0cff-0310-8789-dd5450dbe970

* Try all host keys by default in vfy_increds
  Greg Hudson, 2012-05-03, 5 files, -90/+239

  Factor out the core code of krb5_verify_init_creds into a helper, add new helper functions to retrieve the list of unique host principals from a keytab, and make krb5_verify_init_creds drive the helper once per host principal.

  Augment the test harness and test cases to better test the new behavior. Add a k5test method to retrieve an NFS principal for the test realm for the sake of the new test cases.

  ticket: 7125
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25845 dc483132-0cff-0310-8789-dd5450dbe970

* In sn2princ, getaddrinfo without AI_ADDRCONFIG
  Greg Hudson, 2012-05-03, 1 file, -1/+1

  When canonicalizing a principal, use AI_CANONNAME alone in the hint flags for getaddrinfo, for two reasons. First, it works around a gnu libc bug where getaddrinfo does a PTR lookup for the canonical name (we tried to work around this in r24977 but the addition of AI_ADDRCONFIG caused the same problem as the use of AF_INET). Second, an IPv4-only host should be able to create a principal for an IPv6-only host even if it can't contact the host.

  This does result in extra AAAA queries in the common case (IPv4-only host contacting IPv4-only service), which is unfortunate. But we need to leave that optimization up to the platform at this point.

  ticket: 7124
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25844 dc483132-0cff-0310-8789-dd5450dbe970

* Simplify krb5_do_preauth
  Greg Hudson, 2012-04-30, 1 file, -48/+33

  Now that krb5_do_preauth has many fewer moving parts, simplify its flow control. Also remove an unused output parameter from run_preauth_plugins.

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25842 dc483132-0cff-0310-8789-dd5450dbe970

* Get rid of built-in preauth types table
  Greg Hudson, 2012-04-30, 1 file, -103/+53

  Turn the last two entries of the pa_types table into helper functions which we invoke before the loop. Then, get rid of the part of the loop which consults the pa_types table.

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25841 dc483132-0cff-0310-8789-dd5450dbe970

* Simplify preauth2 helper functions using realloc
  Greg Hudson, 2012-04-30, 1 file, -45/+16

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25840 dc483132-0cff-0310-8789-dd5450dbe970

* Use correct name-type in TGS-REQs for 2008R2 RODCs
  Tom Yu, 2012-04-27, 2 files, -12/+19

  Correctly set the name-type for the TGS principals to KRB5_NT_SRV_INST in TGS-REQs. (Previously, only AS-REQs had the name-type set in this way.) Windows Server 2008 R2 read-only domain controllers (RODCs) insist on having the correct name-type for the TGS principal in TGS-REQs as well as AS-REQs, at least for the TGT-forwarding case.

  Thanks to Sebastian Galiano for reporting this bug and helping with testing.

  ticket: 7120
  target_version: 1.10.2
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25839 dc483132-0cff-0310-8789-dd5450dbe970

* Split up and fix get_etype_info
  Greg Hudson, 2012-04-27, 1 file, -66/+83

  The addition of afs3-salt processing in get_etype_info made it overly large, so split out the pw-salt/afs3-salt processing into a separate function. Also fix two dumb bugs.

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25838 dc483132-0cff-0310-8789-dd5450dbe970

* Stop using SALT_TYPE_AFS_LENGTH
  Greg Hudson, 2012-04-27, 10 files, -54/+51

  In krb5_init_creds_ctx and krb5_clpreauth_rock_st, use a boolean to track whether we're still using the default salt instead of overloading salt.length. In preauth2.c, process afs3 salt values like we would in krb5int_des_string_to_key, and set an s2kparams indicator instead of overloading salt.length. Also use an s2kparams indicator in kdb_cpw.c's add_key_pwd. Remove the s2k code to handle overloaded salt lengths, except for a sanity check.

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25837 dc483132-0cff-0310-8789-dd5450dbe970

* Fix TRACE_PREAUTH_SALT format string
  Greg Hudson, 2012-04-27, 1 file, -1/+1

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25836 dc483132-0cff-0310-8789-dd5450dbe970

* Refactor client etype-info handling in preauth2.c
  Greg Hudson, 2012-04-27, 1 file, -134/+78

  Pull etype-info2, etype-info, pw-salt, and afs3-salt handling out of the pa_types loop into a new helper function get_etype_info().

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25834 dc483132-0cff-0310-8789-dd5450dbe970

* Ensure null termination of AFS salts
  Greg Hudson, 2012-04-27, 1 file, -1/+1

  Use krb5int_copy_data_contents_add0 when copying a pa-pw-salt or pa-afs3-salt value in pa_salt(). If it's an afs3-salt, we're going to throw away the length and use strcspn in krb5int_des_string_to_key, which isn't safe if the value is unterminated.

  ticket: 2545
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25833 dc483132-0cff-0310-8789-dd5450dbe970

* Make it easier to test SAM-2 client code
  Greg Hudson, 2012-04-26, 6 files, -120/+407

  Add a method to the securid_sam2 plugin, built with alternate compile-time flags, which supplies a plain-text challenge to the client to be used as the OTP value. This lets us manually exercise the SAM-2 client code and a little bit of the KDC code.

  securid_make_sam_challenge_2_and_cksum is moved into the method-independent code and renamed. get_securid_edata_2 has its sc2b parameter removed as it was not used by the caller.

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25832 dc483132-0cff-0310-8789-dd5450dbe970