summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* Ldap dependency for parallel buildsSam Hartman2011-11-291-0/+3
| | | | | | | | | | The ldap plugin needs to declare a dependency on the ldap library ticket: 7030 tags: pullup target_version: 1.10 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25494 dc483132-0cff-0310-8789-dd5450dbe970
* Fix --with-system-verto without pkg-configGreg Hudson2011-11-291-1/+1
| | | | | | | | | | | | If we're using the system verto and pkg-config isn't found but libverto is, set VERTO_LIBS to just -lverto as there won't be a k5ev module. ticket: 7029 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25493 dc483132-0cff-0310-8789-dd5450dbe970
* Use INSTALL_DATA to avoid marking .mo files executableSam Hartman2011-11-291-1/+1
| | | | | | ticket: new target_version: 1.10 tags: pullup subject: Use INSTALL_DATA to install message catalogues git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25492 dc483132-0cff-0310-8789-dd5450dbe970
* AC_CHECK_LIB should put -lcrypto in PKINIT_CRYPTO_IMPL_LIBS not LIBSSam Hartman2011-11-291-1/+1
| | | | | | | | | for pkinit. A similar problem exists for crypto_impl and is not addressed by this patch. ticket: new Subject: LIBS should not include PKINIT_CRYPTO_IMPL_LIBS tags: pullup target_version: 1.10 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25491 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust krb5int_decode_tgs_rep, closing a leakGreg Hudson2011-11-231-19/+20
| | | | | | | | Use current practices for parameter naming and resource cleanup. Avoid a leak of local_dec_rep (now named dec_rep) if we take a "goto cleanup" path. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25490 dc483132-0cff-0310-8789-dd5450dbe970
* Whitespace, style changes to past two commitsGreg Hudson2011-11-235-76/+84
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25489 dc483132-0cff-0310-8789-dd5450dbe970
* FAST TGSSam Hartman2011-11-237-18/+129
| | | | | | | | | | Implement RFC 6113 FAST TGS support. Includes library support for a varient of explicit TGS armor that has not yet been proposed within the IETF. ticket: 7026 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25488 dc483132-0cff-0310-8789-dd5450dbe970
* FAST: error handling and const keyblockSam Hartman2011-11-232-23/+34
| | | | | | | | | | | | krb5int_fast_process_error: Allow out_padata and retry to be null for TGS case. Refactor function to do more frees in the exit handling and to declare variables at the top. krb5int_fast_reply_key: input keyblock arguments should be const ticket: 7025 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25487 dc483132-0cff-0310-8789-dd5450dbe970
* ticket: newSam Hartman2011-11-236-59/+49
| | | | | | | | | | | | | | | | | subject: FAST PKINIT target_version: 1.10 tags: pullup Per RFC 6113 fast should use the inner request body for the pkinit checksum. We did that on the KDC; now do so on the client. Remove code that explicitly blocked pkinit under FAST. Also, use the reply key *before* the strengthen key is applied when verifying the PADATA_PKINIT_KX. Add FAST pkinit test. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25486 dc483132-0cff-0310-8789-dd5450dbe970
* Use POSIX constants instead of S_IREAD/S_IWRITEGreg Hudson2011-11-221-2/+2
| | | | | | | | S_IREAD and S_IWRITE are ancient names for S_IRUSR and S_IWUSR, and are not defined on some modern platforms (such as Android). Use the POSIX names instead. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25485 dc483132-0cff-0310-8789-dd5450dbe970
* Fix compile error in previous changeGreg Hudson2011-11-221-1/+0
| | | | | | | | | A last-minute code editing mistake crept into the previous commit; fix it. ticket: 7023 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25484 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up client-side preauth error data handlingGreg Hudson2011-11-217-116/+97
| | | | | | | | | | | | | | | | | | | | | | | | Change the clpreauth tryagain method to accept a list of pa-data, taken either from the FAST response or from decoding the e_data as either pa-data or typed-data. Also change the in_padata argument to contain just the type of the request padata rather than the whole element, since modules generally shouldn't care about the contents of their request padata (or they can remember it). In krb5int_fast_process_error, no longer re-encode FAST pa-data as typed-data for the inner error e_data, but decode traditional error e_data for all error types, and try both pa-data and typed-data encoding. In PKINIT, try all elements of the new pa-data list, since it may contain FAST elements as well as the actual PKINIT array. (Fixes an outstanding bug in FAST PKINIT.) ticket: 7023 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25483 dc483132-0cff-0310-8789-dd5450dbe970
* Recognize IAKERB mech in krb5_gss_display_statusGreg Hudson2011-11-211-1/+2
| | | | | | | | | | | | Minor status codes were not displaying properly when originated from the IAKERB mech, because of a safety check on mech_type. From Ralf Haferkamp <rhafer@suse.de>. ticket: 7020 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25482 dc483132-0cff-0310-8789-dd5450dbe970
* Fix failure interval of 0 in LDAP lockout codeGreg Hudson2011-11-202-3/+4
| | | | | | | | | | | | | | | | A failure count interval of 0 caused krb5_ldap_lockout_check_policy to pass the lockout check (but didn't cause a reset of the failure count in krb5_ldap_lockout_audit). It should be treated as forever, as in the DB2 back end. This bug is the previously unknown cause of the assertion failure fixed in CVE-2011-1528. ticket: 7021 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25480 dc483132-0cff-0310-8789-dd5450dbe970
* Improve documentation in preauth_plugin.hGreg Hudson2011-11-191-6/+15
| | | | | | | | | | Also declare the verto_context structure to ensure that it is has the proper scope when used as the return type of the event_context callback. ticket: 7019 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25479 dc483132-0cff-0310-8789-dd5450dbe970
* Fix k5test error message for missing runenv.pyGreg Hudson2011-11-151-1/+1
| | | | | | | "make fake-install" no longer exists, so tell the developer to run "make runenv.py" instead. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25477 dc483132-0cff-0310-8789-dd5450dbe970
* Make verto context available to kdcpreauth modulesGreg Hudson2011-11-158-13/+31
| | | | | | | | | | | | Add an event_context callback to kdcpreauth. Adjust the internal KDC and main loop interfaces to pass around the event context, and expose it to kdcpreauth modules via the rock. ticket: 7019 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25475 dc483132-0cff-0310-8789-dd5450dbe970
* Update verto to 0.2.2 releaseGreg Hudson2011-11-1511-381/+939
| | | | | | | | | | | | | Update verto sources to 0.2.2 release versions. verto_reinitialize() now has a return value; check it in kdc/main.c. Store verto-libev.c alongside verto-k5ev.c to make it easy to diff corresponding versions when updating. ticket: 7018 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25474 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify and fix kdcpreauth request_body callbackGreg Hudson2011-11-147-30/+53
| | | | | | | | | | | | | | | | | | | Alter the contract for the kdcpreauth request_body callback so that it returns an alias to the encoded body instead of a fresh copy. At the beginning of AS request processing, save a copy of the encoded request body, or the encoded inner request body for FAST requests. Previously the request_body callback would re-encode the request structure, which in some cases has been modified by the AS request code. No kdcpreauth modules currently use the request_body callback, but PKINIT will need to start using it in order to handle FAST requests correctly. ticket: 7017 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25473 dc483132-0cff-0310-8789-dd5450dbe970
* Handle TGS referrals to the same realmGreg Hudson2011-11-142-1/+11
| | | | | | | | | | | | | | | krb5 1.6 through 1.8 contained a workaround for the Active Directory behavior of returning a TGS referral to the same realm as the request. 1.9 responds to this behavior by caching the returned TGT, trying again, and detecting a referral loop. This is a partial regression of ticket #4955. Detect this case and fall back to a non-referreal request. ticket: 7016 target_version: 1.9.3 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25472 dc483132-0cff-0310-8789-dd5450dbe970
* Add consistency check for plugin interface namesGreg Hudson2011-11-132-2/+7
| | | | | | | Add an assertion to ensure that the interface_names table in plugin.c is updated when a new pluggable interface is added. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25471 dc483132-0cff-0310-8789-dd5450dbe970
* Add plugin interface_names entry for ccselectGreg Hudson2011-11-121-1/+2
| | | | | | | | | | | | When the ccselect pluggable interface was added, the interface_names table wasn't updated, so configuring modules for it wouldn't work. Add it now. ticket: 7015 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25470 dc483132-0cff-0310-8789-dd5450dbe970
* Avoid looping when preauth can't be generatedGreg Hudson2011-11-114-5/+16
| | | | | | | | | | | | | | | | | If we receive a PREAUTH_REQUIRED error and fail to generate any real preauthentication, error out immediately instead of continuing to generate non-preauthenticated requests until we hit the loop count. There is a lot of room to generate a more meaningful error about why we failed to generate preauth (although in many cases the answer may be too complicated to explain in an error message), but that requires more radical restructuring of the preauth framework. ticket: 6430 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25469 dc483132-0cff-0310-8789-dd5450dbe970
* Fix com_err.h dependencies in gss-kernel-libGreg Hudson2011-11-113-46/+55
| | | | | | | | | | | | | | | make check was failing in util/gss-kernel-lib due to dependencies when the build is configured with --with-system-et, because depfix.pl wasn't smart enough to substitute the dependency on com_err.h in the current directory. Make depfix.pl smarter, and adjust COM_ERR_DEPS to be com_err.h in gss-kernel-lib when building with the bundled com_err. ticket: 7014 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25468 dc483132-0cff-0310-8789-dd5450dbe970
* Remove -v from the preset valgrind flagsGreg Hudson2011-11-111-1/+1
| | | | | | | | Verbose output from valgrind is rarely needed and makes it harder to find errors and leaks in the output. When it is needed, it's easier to add it in than to take it out. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25467 dc483132-0cff-0310-8789-dd5450dbe970
* Added the note to the trace API functions that they have higher priority ↵Zhanna Tsitkov2011-11-091-2/+8
| | | | | | than the KRB5_TRACE env variable git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25466 dc483132-0cff-0310-8789-dd5450dbe970
* Fix warnings and version check for NSS pkinitGreg Hudson2011-11-072-7/+5
| | | | | | | | | | From nalin@redhat.com. ticket: 6999 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25445 dc483132-0cff-0310-8789-dd5450dbe970
* Fix month/year units in getdateGreg Hudson2011-11-061-1/+2
| | | | | | | | | | | | | getdate strings like "1 month" or "next year" would fail some of the time, depending on the value of stack garbage, because DSTcorrect() doesn't set *error on success and RelativeMonth() doesn't initialize error. Make DSTcorrect() responsible for setting *error in all cases. ticket: 7003 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25444 dc483132-0cff-0310-8789-dd5450dbe970
* Improve verto and libev documentationGreg Hudson2011-11-052-0/+10
| | | | | | | | | | | | | NOTICE was missing the copyright statement for verto (it's not quite the same as other Red Hat licenses). util/verto had no README file, and neither the verto nor k5ev README contained pointers to the upstream project pages. ticket: 7002 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25443 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up more stuff in make cleanGreg Hudson2011-11-048-9/+12
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25437 dc483132-0cff-0310-8789-dd5450dbe970
* Get rid of fake-installGreg Hudson2011-11-0425-65/+38
| | | | | | | | | Instead, use $(BUILDTOP)/plugins as the plugin base for tests. For each real plugin module, create a link in the parent directory if we're doing a shared-library build--so built KDB modules can be found in plugins/kdb, preauth modules in plugins/preauth, etc.. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25436 dc483132-0cff-0310-8789-dd5450dbe970
* Add cross-realm support to "make testrealm"Greg Hudson2011-11-042-3/+12
| | | | | | | Allow "make testrealm CROSSNUM=N" to make N fully-connected realms for cross-realm testing convenience. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25435 dc483132-0cff-0310-8789-dd5450dbe970
* Exit on error in kadmind kprop childGreg Hudson2011-11-041-2/+2
| | | | | | | | | | | | When we fork from kadmind to dump the database and kprop to an iprop slave, if we encounter an error in the child process we should exit rather than returning to the main loop. ticket: 7000 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25433 dc483132-0cff-0310-8789-dd5450dbe970
* Get rid of periods in Python test success messagesGreg Hudson2011-11-0318-19/+19
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25432 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up realms as we go in t_crossrealm.pyGreg Hudson2011-11-031-0/+4
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25431 dc483132-0cff-0310-8789-dd5450dbe970
* Fix typos in k5test.pyGreg Hudson2011-11-031-3/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25430 dc483132-0cff-0310-8789-dd5450dbe970
* Add cross-realm tests to python test frameworkGreg Hudson2011-11-033-0/+192
| | | | | | | | Add a cross_realms function to k5test.py to generate several linked realms. Add a test script t_crossrealm.py to exercise six different cross-realm scenarios. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25429 dc483132-0cff-0310-8789-dd5450dbe970
* Conditionalize po subdir on msgfmt, not dgetextGreg Hudson2011-11-011-2/+6
| | | | | | | | | | | | The presence of dgettext in libc or libintl doesn't imply that msgfmt is installed, so conditionalize building the po subdir on whether msgfmt is installed. ticket: 6997 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25425 dc483132-0cff-0310-8789-dd5450dbe970
* Make krb5_check_clockskew publicGreg Hudson2011-10-319-7/+23
| | | | | | | | | | | | Rename krb5int_check_clockskew to krb5_check_clockskew and make it public, in order to give kdcpreauth plugins a way to check timestamps against the configured clock skew. ticket: 6996 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25424 dc483132-0cff-0310-8789-dd5450dbe970
* Use zero-filled states for all async ops in KDCGreg Hudson2011-10-283-30/+10
| | | | | | | | | There have been a couple of uninitialized field bugs in the restructured KDC code, partly because compilers can't find these bugs as easily as they can find uninitialized local variable bugs. Use zero-filled state structures to make this type of bug less likely. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25422 dc483132-0cff-0310-8789-dd5450dbe970
* Initialize typed_e_data in as_req_stateGreg Hudson2011-10-281-0/+1
| | | | | | | | | | | | | | The typed_e_data field in struct as_req_state was not properly initialized, causing the KDC to sometimes respond with typed-data e_data for a preauth-required error when the client sends no padata. This bug was masked with recent clients, which send a KRB5_ENCPADATA_REQ_ENC_PA_REP padata. ticket: 6995 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25419 dc483132-0cff-0310-8789-dd5450dbe970
* Fix intermediate key length in hmac-md5 checksumGreg Hudson2011-10-281-1/+1
| | | | | | | | | | | | When using hmac-md5, the intermediate key length is the output of the hash function (128 bits), not the input key length. Relevant if the input key is not an RC4 key. ticket: 6994 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25418 dc483132-0cff-0310-8789-dd5450dbe970
* Fix format string for TRACE_INIT_CREDS_SERVICEGreg Hudson2011-10-261-1/+1
| | | | | | | | | | This should also be pulled up to 1.10. ticket: 6993 tags: pullup target_version: 1.9.2 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25417 dc483132-0cff-0310-8789-dd5450dbe970
* Make krb5_find_authdata publicGreg Hudson2011-10-2511-56/+51
| | | | | | | | | | Rename krb5int_find_authdata to krb5_find_authdata and make it public. ticket: 6992 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25414 dc483132-0cff-0310-8789-dd5450dbe970
* Refactor salt computation into libkdb5Greg Hudson2011-10-247-204/+124
| | | | | | | Add a new API krb5_dbe_compute_salt() to determine the salt for a key data entry, and use it in the three places we currently compute salts. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25410 dc483132-0cff-0310-8789-dd5450dbe970
* Remove unneeded stuff from util directoryZhanna Tsitkov2011-10-2110-197/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25398 dc483132-0cff-0310-8789-dd5450dbe970
* fix tar invocation in mkrelTom Yu2011-10-211-4/+5
| | | | | | | | | | | | | Fix the tar invocation in mkrel so that it defaults to using "tar" as the tar program rather than "gtar". This should probably be pulled up to at least 1.9 and 1.8 as well. ticket: 6989 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25395 dc483132-0cff-0310-8789-dd5450dbe970
* Fix handling of null edata method in KDC preauthGreg Hudson2011-10-201-1/+1
| | | | | | | | | | | | Correctly include an empty padata value if a KDC preauth system has no get_edata method. This bug prevented the KDC from indicating FAST support in preauth-required errors. ticket: 6988 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25385 dc483132-0cff-0310-8789-dd5450dbe970
* Fix krb5_cc_set_configGreg Hudson2011-10-201-8/+6
| | | | | | | | | | | | | | | krb5_cc_set_config has been non-functional since r24753 on cache types which don't support removal of credential entries. Fix it by only calling krb5_cc_remove_cred if data is NULL, since krb5_cc_store_cred will do it anyway in the positive case. Also fix an old memory leak in an uncommon error case. ticket: 6987 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25384 dc483132-0cff-0310-8789-dd5450dbe970
* SA-2011-006 KDC denial of service [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529]Tom Yu2011-10-183-2/+25
| | | | | | | | | | | Fix null pointer dereference and assertion failure conditions that could cause a denial of service. ticket: 6981 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25368 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-29 19:49:53 +0000