summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* In sn2princ, getaddrinfo without AI_ADDRCONFIGGreg Hudson2012-05-031-1/+1
| | | | | | | | | | | | | | | | | | When canonicalizing a principal, use AI_CANONNAME alone in the hint flags for getaddrinfo, for two reasons. First, it works around a gnu libc bug where getaddrinfo does a PTR lookup for the canonical name (we tried to work around this in r24977 bug the addition of AI_ADDRCONFIG caused the same problem as the use of AF_INET). Second, an IPv4-only host should be able create a principal for an IPv6-only host even if it can't contact the host. This does result in extra AAAA queries in the common case (IPv4-only host contacting IPv4-only service), which is unfortunate. But we need to leave that optimization up to the platform at this point. ticket: 7124 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25844 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify krb5_do_preauthGreg Hudson2012-04-301-48/+33
| | | | | | | | Now that krb5_do_preauth has many fewer moving parts, simplify its flow control. Also remove an unused output parameter from run_preauth_plugins. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25842 dc483132-0cff-0310-8789-dd5450dbe970
* Get rid of built-in preauth types tableGreg Hudson2012-04-301-103/+53
| | | | | | | | Turn the last two entries of the pa_types table into helper functions which we invoke before the loop. Then, get rid of the part of the loop which consults the pa_types table. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25841 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify preauth2 helper functions using reallocGreg Hudson2012-04-301-45/+16
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25840 dc483132-0cff-0310-8789-dd5450dbe970
* Use correct name-type in TGS-REQs for 2008R2 RODCsTom Yu2012-04-272-12/+19
| | | | | | | | | | | | | | | | | Correctly set the name-type for the TGS principals to KRB5_NT_SRV_INST in TGS-REQs. (Previously, only AS-REQs had the name-type set in this way.) Windows Server 2008 R2 read-only domain controllers (RODCs) insist on having the correct name-type for the TGS principal in TGS-REQs as well as AS-REQs, at least for the TGT-forwarding case. Thanks to Sebastian Galiano for reporting this bug and helping with testing. ticket: 7120 target_version: 1.10.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25839 dc483132-0cff-0310-8789-dd5450dbe970
* Split up and fix get_etype_infoGreg Hudson2012-04-271-66/+83
| | | | | | | | The addition of afs3-salt processing in get_etype_info made it overly large, so split out the pw-salt/afs3-salt processing into a separate function. Also fix two dumb bugs. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25838 dc483132-0cff-0310-8789-dd5450dbe970
* Stop using SALT_TYPE_AFS_LENGTHGreg Hudson2012-04-2710-54/+51
| | | | | | | | | | | | In krb5_init_creds_ctx and krb5_clpreauth_rock_st, use a boolean to track whether we're still using the default salt instead of overloading salt.length. In preauth2.c, process afs3 salt values like we would in krb5int_des_string_to_key, and set an s2kparams indicator instead of overloading salt.length. Also use an s2kparams indicator in kdb_cpw.c's add_key_pwd. Remove the s2k code to handle overloaded salt lengths, except for a sanity check. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25837 dc483132-0cff-0310-8789-dd5450dbe970
* Fix TRACE_PREAUTH_SALT format stringGreg Hudson2012-04-271-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25836 dc483132-0cff-0310-8789-dd5450dbe970
* Refactor client etype-info handling in preauth2.cGreg Hudson2012-04-271-134/+78
| | | | | | | Pull etype-info2, etype-info, pw-salt, and afs3-salt handling out of the pa_types loop into a new helper function get_etype_info(). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25834 dc483132-0cff-0310-8789-dd5450dbe970
* Ensure null termination of AFS saltsGreg Hudson2012-04-271-1/+1
| | | | | | | | | | | Use krb5int_copy_data_contents_add0 when copying a pa-pw-salt or pa-afs3-salt value in pa_salt(). If it's an afs3-salt, we're going to throw away the length and use strcspn in krb5int_des_string_to_key, which isn't safe if the value is unterminated. ticket: 2545 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25833 dc483132-0cff-0310-8789-dd5450dbe970
* Make it easier to test SAM-2 client codeGreg Hudson2012-04-266-120/+407
| | | | | | | | | | | | | Add a method to the securid_sam2 plugin, built with alternate compile-time flags, which supplies a plain-text challenge to the client to be used as the OTP value. This lets us manually exercise the SAM-2 client code and a little bit of the KDC code. securid_make_sam_challenge_2_and_cksum is moved into the method- independent code and renamed. get_securid_edata_2 has its sc2b parameter removed as it was not used by the caller. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25832 dc483132-0cff-0310-8789-dd5450dbe970
* Convert SAM-2 preauth mechanism to a moduleGreg Hudson2012-04-264-371/+442
| | | | | | | Move the last real preauth mechanism, SAM-2, from the pa_types table to a built-in module. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25831 dc483132-0cff-0310-8789-dd5450dbe970
* Remove orphaned Apple PKINIT supportGreg Hudson2012-04-2618-4898/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25830 dc483132-0cff-0310-8789-dd5450dbe970
* Add kadmin ACL enforcement testsGreg Hudson2012-04-262-0/+351
| | | | | | | | | Add a Python script to test the enforcement of kadm5.acl specifications, including wildcards and restrictions. ticket: 7097 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25828 dc483132-0cff-0310-8789-dd5450dbe970
* Allow clearpolicy restriction for kadmin addprincGreg Hudson2012-04-261-4/+5
| | | | | | | | | | Although the kadmin client never generates a KADM5_POLICY_CLR mask bit with addprinc, the bit will be set if a kadm5.acl line imposes the -clearpolicy restriction. Relax the sanity checking in kadm5_create_principal_3 to allow KADM5_POLICY_CLR as long as KADM5_POLICY is not also set. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25827 dc483132-0cff-0310-8789-dd5450dbe970
* Add k5test.py helpers for running kadminGreg Hudson2012-04-262-11/+32
| | | | | | | | Add K5Realm.prep_kadmin() to create a ccache and K5Realm.run_kadmin() to run a kadmin query using it. Modify t_stringattr.py to use these helpers instead of its own. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25826 dc483132-0cff-0310-8789-dd5450dbe970
* Flip the default of start_kadmind in k5test.pyGreg Hudson2012-04-2621-40/+35
| | | | | | | Very few Python tests need kadmind, so it makes more sense to have to turn it on than to have to turn it off. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25825 dc483132-0cff-0310-8789-dd5450dbe970
* Clear preauth use counts for each AS requestGreg Hudson2012-04-251-0/+1
| | | | | | | | | | | | | Initialize use_count fields in krb5_preauth_request_context_init, which is invoked before each AS request. Previously they were initialized only in krb5_init_preauth_context, which is only invoked once per krb5 library context. ticket: 7119 target_version: 1.10.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25822 dc483132-0cff-0310-8789-dd5450dbe970
* Add KRB5_TRACE test caseGreg Hudson2012-04-241-1/+19
| | | | | | | | | In t_general.py, run kinit with KRB5_TRACE enabled and make sure we see some basic strings in the resulting file. ticket: 7113 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25821 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust t_general.py organizationGreg Hudson2012-04-241-21/+21
| | | | | | | | | Move some tests out of the multipass_realms loop since they aren't enctype-dependent. Fix the success message not to mention kvno wrapping. Don't start kadmind in the multipass_realms loop since we don't use it. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25820 dc483132-0cff-0310-8789-dd5450dbe970
* Try all history keys to decrypt password historyGreg Hudson2012-04-246-46/+186
| | | | | | | | | | | | | A database created prior to 1.3 will have multiple password history keys, and kadmin prior to 1.8 won't necessarily choose the first one. So if there are multiple keys, we have to try them all. If none of the keys can decrypt a password history entry, don't fail the password change operation; it's not worth it without positive evidence of password reuse. ticket: 7099 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25819 dc483132-0cff-0310-8789-dd5450dbe970
* Use etypes from keytab in krb5_gic_keytabGreg Hudson2012-04-193-1/+128
| | | | | | | | | | | When getting initial credentials with a keytab, filter the list of request enctypes based on the keys in the keytab. Based on a patch from Stef Walter. ticket: 2131 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25818 dc483132-0cff-0310-8789-dd5450dbe970
* Unify krb5_get_init_creds_keytab code pathsGreg Hudson2012-04-194-15/+55
| | | | | | | | | | | Use krb5_init_creds_set_keytab in krb5_get_init_creds_keytab, so that processing added to the former will be used by the latter. This is slightly awkward because of the way we do the use_master fallback, in that we have to duplicate some of krb5int_get_init_creds. Based on a patch from Stef Walter. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25817 dc483132-0cff-0310-8789-dd5450dbe970
* Return kinit output in k5test's K5Realm.kinitGreg Hudson2012-04-191-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25816 dc483132-0cff-0310-8789-dd5450dbe970
* Add keytab kinit test casesGreg Hudson2012-04-193-11/+30
| | | | | | | | | | Create a test script for keytab-related tests. Move the kvno wrapping test there from t_general.py, and augment it to better match what's in standalone.exp. Add tests for kinit with keytab, including kinit with the most-preferred enctype missing from the keytab (which currently fails). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25815 dc483132-0cff-0310-8789-dd5450dbe970
* Add Doxygen markup to API functions that were introduced in 1.9 releaseZhanna Tsitkov2012-04-191-0/+26
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25814 dc483132-0cff-0310-8789-dd5450dbe970
* Add Doxygen markup to API functions that were introduced in 1.10 releaseZhanna Tsitkov2012-04-171-0/+15
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25810 dc483132-0cff-0310-8789-dd5450dbe970
* Allow preauth mechs to work with clock skewGreg Hudson2012-04-178-29/+124
| | | | | | | | | | | | | | | Add a clpreauth callback which gets the time of day using an offset determined by the preauth-required error, and use it in encrypted timestamp and encrypted challenge. This timestamp is not necessarily authenticated, but the security consequences for those preauth mechs are minor (and can be mitigated by turning off kdc_timesync on clients). Based on a patch from Stef Walter. ticket: 7114 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25808 dc483132-0cff-0310-8789-dd5450dbe970
* Add clock skew testsGreg Hudson2012-04-173-1/+46
| | | | | | | Add a KDC option (-T) to run with a time offset, and use that to test kdc_timesync behavior. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25807 dc483132-0cff-0310-8789-dd5450dbe970
* Document kadm5_hook chpass randomize-key behaviorGreg Hudson2012-04-161-0/+1
| | | | | | | kadmind's randkey operation invokes the kadm5_hook chpass method with a null newpass parameter, which wasn't documented. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25805 dc483132-0cff-0310-8789-dd5450dbe970
* Fix documention of unconfigured rsthml buildTom Yu2012-04-111-1/+1
| | | | | | | It's necessary to specify srcdir=. on the command line when building rsthtml in an unconfigured tree. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25804 dc483132-0cff-0310-8789-dd5450dbe970
* Fix trace logging initializationGreg Hudson2012-04-051-1/+1
| | | | | | | | Reported by stefw@gnome.org. ticket: 7112 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25803 dc483132-0cff-0310-8789-dd5450dbe970
* Fix app tag choices for decoding EncASRepPartGreg Hudson2012-04-051-1/+1
| | | | | | | | | | When decoding an AS-REP enc part, we should accept app tags 26 (the bogus one we generate) and 25 (the correct value). We were accepting 26 and 24. Bug report and fix by stefw@gnome.org. ticket: 7111 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25802 dc483132-0cff-0310-8789-dd5450dbe970
* Fix password reuse check with cpw -keepoldGreg Hudson2012-04-041-0/+3
| | | | | | | | | | | | | | | | | When we check for password reuse, only compare keys with the most recent kvno against history entries, or else we will always fail with -keepold. This bug primarily affects rollover of cross-realm TGT principals, which typically use password-derived keys and may have an associated password policy such as "default". Bug report and candidate fix (taken with a slight modification) by Nicolas Williams. ticket: 7110 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25801 dc483132-0cff-0310-8789-dd5450dbe970
* If trace logging facility is enabled, report misconfiguration errors ↵Zhanna Tsitkov2012-04-022-29/+51
| | | | | | | | encountered while initializing krb5 library context ticket: 7091 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25800 dc483132-0cff-0310-8789-dd5450dbe970
* Make cross-TGT key rollover work from AD to MITGreg Hudson2012-04-022-45/+175
| | | | | | | | | | | | | | | | | Active Directory always issues cross-realm tickets without a kvno, which we see as kvno 0. When we see that, try the highest kvno (as we already do) and then a few preceding kvnos so that key rollover of the AD->MIT cross TGT can work. Add new helpers kdc_rd_ap_req, which takes the place of a couple of steps from kdc_process_tgs_req, and find_server_key, which takes the place of some of the end steps of kdc_get_server_key. Code changes by Nicolas Williams. Test cases by me. ticket: 7109 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25799 dc483132-0cff-0310-8789-dd5450dbe970
* Fix data handling in rd_req_decoded_optGreg Hudson2012-03-311-3/+3
| | | | | | | | | We shouldn't peer at trans->tr_contents.data[0] if trans->tr_contents.length is 0, even if the data field is non-null. Harmless as long as the ASN.1 decoder uses null data fields for empty krb5_data values, but still wrong. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25797 dc483132-0cff-0310-8789-dd5450dbe970
* Avoid malloc(0) in ASN.1 bytestring decodeGreg Hudson2012-03-311-0/+2
| | | | | | | In k5_asn1_decode_bytestring, just leave *str_out as NULL if len is 0, instead of calling malloc(0) and possibly returning a spurious ENOMEM. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25796 dc483132-0cff-0310-8789-dd5450dbe970
* Add doc target with configured path substitutionsGreg Hudson2012-03-281-2/+20
| | | | | | | | | | Add a new target "substhtml" in src/doc to create HTML documentation with configured paths, suitable for installation by an OS package. The build target generates a file named paths.py containing the directory substitutions, copies it into the rst_composite directory, and instructs conf.py to use it with the "pathsubs" tag. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25795 dc483132-0cff-0310-8789-dd5450dbe970
* Use reference substitutions for paths in docsGreg Hudson2012-03-284-10/+10
| | | | | | | | | | | | For the default doc build (used for the web site and release tarball), substitute path variables with links to the paths table in mitK5defaults.rst, using symbolic names for the link text. The substitution of kdcdir for man pages is slightly altered as a side-effect of this commit. Regenerate the man pages to match. The rendered man pages are unchanged. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25794 dc483132-0cff-0310-8789-dd5450dbe970
* Edit defaults page in documentationGreg Hudson2012-03-281-1/+3
| | | | | | | | Eliminate unused values and OS-specific stuff. Reformat tables. Add a path substitution for sysconfdir to be used in the default config file path. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25793 dc483132-0cff-0310-8789-dd5450dbe970
* Move rstman build target to man directoryGreg Hudson2012-03-282-13/+19
| | | | | | | rstman makes more sense in man than in doc, so move it there. Remove the rstman target from the top-level doc Makefile to avoid confusion. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25792 dc483132-0cff-0310-8789-dd5450dbe970
* Automate RST HTML generation with doxygen infoGreg Hudson2012-03-284-1670/+45
| | | | | | | | | In src/doc/Makefile.in, create an "rsthtml" target for generating release tarball/web site HTML docs in doc/rst_html. For now, eliminate support for the bridge to the Doxygen HTML output; just generate XML output with Doxygen and convert it to RST format. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25791 dc483132-0cff-0310-8789-dd5450dbe970
* Fix up gssapi_ext.h Doxygen markup somewhatGreg Hudson2012-03-271-8/+10
| | | | | | | | * Bring formatting for gss_userok and gss_authorize_localname into conformance. * Bring parameter markup for gss_localname into conformance. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25790 dc483132-0cff-0310-8789-dd5450dbe970
* Fix up krb5.hin Doxygen markup somewhatGreg Hudson2012-03-271-21/+34
| | | | | | | | | | * Put everything in an enclosing group, so it gets captured even without EXTRACT_ALL. * Make sure there's documentation for all constants referenced by other markup. * Fix references to the PAC constants. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25789 dc483132-0cff-0310-8789-dd5450dbe970
* Remove krb5-send-pr man pageGreg Hudson2012-03-241-231/+0
| | | | | | | | | | The license on the krb5-send-pr man page was incompatible with the rest of our documentation, and the content is questionably up to date (krb5-send-pr still exists, but we don't use GNATS any more, and free-form mail to krb5-bugs is equally acceptable at this point). Get rid of it for now. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25788 dc483132-0cff-0310-8789-dd5450dbe970
* Install path-substituted man pagesGreg Hudson2012-03-2347-6501/+7225
| | | | | | | | | | | | | | Introduce src/doc/Makefile.in, which will eventually subsume doc/Makefile (but will still pull sources from doc). In the rstman target there, create man pages with symbolic path references (like @SBINDIR@). In man/Makefile.in, substitute the path references with the configured paths before installing. Man pages generated from RST source are now checked into the source tree under the name filename.man. This lets us use a single implicit .man.sub rule for the path substitutions. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25786 dc483132-0cff-0310-8789-dd5450dbe970
* Suppress some gcc uninitialized variable warningsGreg Hudson2012-03-223-3/+5
| | | | | | | | ticket: 7107 gcc 4.6.2 reportedly finds some spurious maybe-uninitialized warnings. Suppress them. Patch from Eray Aslan with some adjustment. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25783 dc483132-0cff-0310-8789-dd5450dbe970
* Only store master mey list in DAL handleGreg Hudson2012-03-2118-151/+118
| | | | | | | | | | | | | | r24314 (#6778) created a hybrid owernship model for the master key list, with one virtual copy stored in the DAL handle and one provided to the caller of krb5_db_fetch_mkey_list. Replace this with a model where only the DAL handle owns the list, and a caller can get access to an alias pointer with a new function krb5_db_mkey_list_alias(). Functions which previously accepted the master key list as an input parameter now expect to find it in the DAL handle. Patch by Will Fiveash <will.fiveash@oracle.com>. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25781 dc483132-0cff-0310-8789-dd5450dbe970
* Make localedir work in build with autoconf 2.5xGreg Hudson2012-03-191-0/+6
| | | | | | | | | | | autoconf 2.5x does not define localedir, so we have to detect that and do it ourselves. ticket: 7095 target_version: 1.10.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25777 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-28 19:43:54 +0000