summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* WhitespaceGreg Hudson2010-09-151-26/+29
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24318 dc483132-0cff-0310-8789-dd5450dbe970
* Formatting fixGreg Hudson2010-09-151-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24317 dc483132-0cff-0310-8789-dd5450dbe970
* kinit: add KDB keytab supportSam Hartman2010-09-156-6/+103
| | | | | | | | | | | | | | | | | This implements http://k5wiki.kerberos.org/Projects/What_does_God_need_with_a_password. If the KDB keytab is selected by command line options, then kinit will register the KDB keytab and open the database. This permits an administrator to obtain tickets as a user without knowing that user's password. As a result kinit links against libkadm5srv and libkdb5. Discussion is ongoing about whether this is desirable or about whether two versions of kinit are required. ticket: 6779 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24316 dc483132-0cff-0310-8789-dd5450dbe970
* Remove dead code from DAL and kdb pluginsSam Hartman2010-09-159-143/+0
| | | | | | kdb: remove get/set_mkey_list git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24315 dc483132-0cff-0310-8789-dd5450dbe970
* kdb: store mkey list in context and permit NULL mkey for ↵Sam Hartman2010-09-1513-250/+114
| | | | | | | | | | | | | | | | | | | | | | | | kdb_dbe_decrypt_key_data Previously, code needed to run a loop to find the current master key, possibly fetch a new master key list and try finding the master key again around each key decryption. This was not universally done; there are cases where only the current master key was used. In addition, the correct ideom for decrypting key data is too complicated and is potentially unavailable to plugins that do not have access to the master key. Instead, store the master key list in the dal_handle whenever it is fetched and permit a NULL master key for krb5_dbe_decrypt_key_data. * Remove APIs for krb5_db_{get|set}_mkey_list * krb5_db_fetch_mkey_list: memoize master key list in dal_handle * krb5_db_free_mkey_list: don't free the memoized list; arrange for it to be freed later * krb5_dbe_decrypt_key_data: Search for correct master key on NULL argument * change call sites to take advantage ticket: 6778 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24314 dc483132-0cff-0310-8789-dd5450dbe970
* In the PKINIT OpenSSL code, ensure that appropriate cerficiate fieldsGreg Hudson2010-09-151-0/+2
| | | | | | | | have been set before using ku_reject. Patch from nalin@redhat.com. ticket: 6775 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24313 dc483132-0cff-0310-8789-dd5450dbe970
* Use correct CRL stack macros in pkinit OpenSSL code. Patch from OlafGreg Hudson2010-09-151-3/+3
| | | | | | | | Flebbe. ticket: 6776 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24312 dc483132-0cff-0310-8789-dd5450dbe970
* WhitespaceGreg Hudson2010-09-151-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24311 dc483132-0cff-0310-8789-dd5450dbe970
* Fix warnings in encrypt_key and decrypt_key. Avoid a segfault if NULLSam Hartman2010-09-152-6/+10
| | | | | | | | master key is passed into default decryption function. kdb: fix warnings git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24310 dc483132-0cff-0310-8789-dd5450dbe970
* In krb5_sname_to_principal, correctly handle failures fromGreg Hudson2010-09-151-2/+2
| | | | | | | | krb5_build_principal. ticket: 6777 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24309 dc483132-0cff-0310-8789-dd5450dbe970
* Allow a zero checksum type to be passed into krb5_k_verify_checksum_iov;Luke Howard2010-09-091-0/+6
| | | | | | | | this indicates that the mandatory checksum type for the key is to be used. This interface is necessary because there is no public interface through which the mandatory checksum type for an encryption type can be determined. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24304 dc483132-0cff-0310-8789-dd5450dbe970
* krb5_k_make_checksum will use the mandatory checksum type if 0 isLuke Howard2010-09-091-0/+6
| | | | | | | | passed in as the checksum type; however krb5_k_make_checksum_iov does not support this. Add the same logic for the behaviour is consistent. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24303 dc483132-0cff-0310-8789-dd5450dbe970
* Add dummy camellia subdir to openssl back end makefileGreg Hudson2010-09-081-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24299 dc483132-0cff-0310-8789-dd5450dbe970
* Make dependGreg Hudson2010-09-0855-1306/+1756
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24298 dc483132-0cff-0310-8789-dd5450dbe970
* Don't build the built-in Camellia block cipher code if Camellia-CCMGreg Hudson2010-09-082-0/+10
| | | | | | enctypes aren't enabled. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24297 dc483132-0cff-0310-8789-dd5450dbe970
* X509_verify_cert can return without setting cert_ctx.current_cert. IfGreg Hudson2010-09-081-2/+5
| | | | | | | it does, don't dereference a null pointer when creating the pkiDebug message. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24296 dc483132-0cff-0310-8789-dd5450dbe970
* Merge the camellia-ccm branch to trunk. Since there are no IANAGreg Hudson2010-09-0763-333/+6298
| | | | | | | | | assignments for Camellia-CCM enctypes or cksumtypes yet, they are disabled in a default build. They can be made available by defining (via CPPFLAGS) local-use enctype numbers for the enctypes and cksumtypes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24295 dc483132-0cff-0310-8789-dd5450dbe970
* Ensure valid key in krb5int_yarrow_cipher_encrypt_blockEzra Peisach2010-09-041-0/+6
| | | | | | | | | | Under low memory conditions (or when testing memory allocation failures), the key pointer will be 0 - and not initialized. Test and return failure before deref a NULL. ticket: 6772 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24292 dc483132-0cff-0310-8789-dd5450dbe970
* Fix memory leaks in kdb5_verifyEzra Peisach2010-09-041-0/+2
| | | | | | | | Minor leaks. Just cleaning up code. ticket: 6771 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24291 dc483132-0cff-0310-8789-dd5450dbe970
* In k5_pwqual_load(), if the last vtable initializer fails, return 0Greg Hudson2010-09-041-0/+1
| | | | | | and not its exit value. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24290 dc483132-0cff-0310-8789-dd5450dbe970
* Fix output argument ordering and handling in k5_pwqual_load()Greg Hudson2010-09-033-7/+9
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24289 dc483132-0cff-0310-8789-dd5450dbe970
* Prevent a double free in k5_pwqual_load()Greg Hudson2010-09-031-0/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24288 dc483132-0cff-0310-8789-dd5450dbe970
* clean up memory leak and potential unused variable in crypto testsEzra Peisach2010-09-032-0/+5
| | | | | | | | | | t_prf.c: Ensure prfsz is set before use (not exercised in current tests) t_short.c: Fix memory leak ticket: 6769 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24287 dc483132-0cff-0310-8789-dd5450dbe970
* Properly search for MANDATORY-FOR-KDC authdata elements. Reported byGreg Hudson2010-09-021-1/+1
| | | | | | | | | | Mike Roszkowski. ticket: 6764 tags: pullup target_version: 1.8.4 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24286 dc483132-0cff-0310-8789-dd5450dbe970
* Password quality pluggable interfaceGreg Hudson2010-09-0119-367/+988
| | | | | | | | | | | Merge branches/plugins2 to trunk. Adds a password quality pluggable interface described in this project page: http://k5wiki.kerberos.org/wiki/Projects/Password_quality_pluggable_interface ticket: 6765 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24284 dc483132-0cff-0310-8789-dd5450dbe970
* Make the new profile tcl tests work with tcl 8.3Greg Hudson2010-08-311-4/+4
| | | | | | ticket: 6761 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24282 dc483132-0cff-0310-8789-dd5450dbe970
* Make relative plugin module paths be interpreted as relative toGreg Hudson2010-08-301-2/+35
| | | | | | | | LIBDIR/krb5/plugins. ticket: 6763 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24277 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a resource leak in the profile include supportGreg Hudson2010-08-291-5/+8
| | | | | | ticket: 6761 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24274 dc483132-0cff-0310-8789-dd5450dbe970
* Add simple automated tests for account lockout supportGreg Hudson2010-08-292-0/+49
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24269 dc483132-0cff-0310-8789-dd5450dbe970
* Fix an account lockout error-handling regression by converting theGreg Hudson2010-08-291-11/+23
| | | | | | | result of krb5_db_check_policy_as/tgs from a krb5_error_code to a protocol error number. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24268 dc483132-0cff-0310-8789-dd5450dbe970
* Add plugin.o to T_ETYPES_OBJS because init_ctx.o needs it nowTom Yu2010-08-271-1/+1
| | | | | | ticket: 6763 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24264 dc483132-0cff-0310-8789-dd5450dbe970
* New plugin infrastructureGreg Hudson2010-08-278-0/+549
| | | | | | | | | Merge domain-independent plugin framework code from branches/plugins2, leaving out the password quality interface. ticket: 6763 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24263 dc483132-0cff-0310-8789-dd5450dbe970
* Add an expansion error table for libkrb5, since krb5_err.et is fullGreg Hudson2010-08-264-11/+55
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24258 dc483132-0cff-0310-8789-dd5450dbe970
* rd_req_decoded: clarify behavior in commentSam Hartman2010-08-251-1/+8
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24257 dc483132-0cff-0310-8789-dd5450dbe970
* Revise the profile include design so that included files areGreg Hudson2010-08-253-16/+54
| | | | | | | | syntactically independent of parent files. ticket: 6761 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24256 dc483132-0cff-0310-8789-dd5450dbe970
* Correct a commentGreg Hudson2010-08-241-2/+2
| | | | | | ticket: 6761 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24255 dc483132-0cff-0310-8789-dd5450dbe970
* In the LDAP KDB module's populate_krb5_db_entry, fix the checks forGreg Hudson2010-08-241-2/+2
| | | | | | | | | | the KDB_PRINC_EXPIRE_TIME_ATTR and KDB_PWD_EXPIRE_TIME_ATTR flags so that they properly succeed when the flags are set. Bug report from Rob Crittenden, patch from nalin@redhat.com. ticket: 6762 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24254 dc483132-0cff-0310-8789-dd5450dbe970
* add profile include supportGreg Hudson2010-08-244-14/+166
| | | | | | | | | | Add support for "include" and "includedir" directives in profile files. See http://k5wiki.kerberos.org/wiki/Projects/Profile_Includes for more details. ticket: 6761 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24253 dc483132-0cff-0310-8789-dd5450dbe970
* Fail properly when profile can't be accessedGreg Hudson2010-08-231-4/+9
| | | | | | | | | | | | | | | | Make profile_init() return EACCESS or EPERM if one of those errors was encountered when failing to open any of the specified profile files. This causes krb5_init_os_context() to fail properly when krb5.conf is unreadable, instead of treating that situation like a nonexistent krb5.conf. The library will continue to soldier on if one profile file is readable and another is not. This is deliberate as of r14116, whether or not it's a good idea. ticket: 6760 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24250 dc483132-0cff-0310-8789-dd5450dbe970
* Allow krb5_gss_register_acceptor_identity to unset keytab nameGreg Hudson2010-08-192-10/+8
| | | | | | | | | | | | | krb5_gss_register_acceptor_identity sets a mutex-locked global (not thread-specific) variable containing a keytab name. This change allows the variable to be unset by passing a null value. A more elegant long-term solution to the problem is Heimdal's gss_krb5_import_cred function. ticket: 6758 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24242 dc483132-0cff-0310-8789-dd5450dbe970
* Add GIC option for password/account expiration callbackGreg Hudson2010-08-128-24/+273
| | | | | | | | | | | | Add a new GIC option to specify a callback to receive password and account expiration times found in an AS reply. See also: http://k5wiki.kerberos.org/wiki/Projects/Password_expiration_API ticket: 6755 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24241 dc483132-0cff-0310-8789-dd5450dbe970
* In AS replies, set the key-expiration field to the minimum of accountGreg Hudson2010-08-121-1/+12
| | | | | | | | | and password expiration time as specified in RFC 4120. Reported by Mary Cushion <mary@eiger.demon.co.uk>. ticket: 2032 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24240 dc483132-0cff-0310-8789-dd5450dbe970
* Correct the documentation for the start_kadmind keyword in k5test.pyGreg Hudson2010-08-121-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24239 dc483132-0cff-0310-8789-dd5450dbe970
* Remove two unused source files in lib/gssapi/genericGreg Hudson2010-08-122-118/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24238 dc483132-0cff-0310-8789-dd5450dbe970
* Move the password expiry warning code out ofGreg Hudson2010-08-101-84/+92
| | | | | | krb5_get_init_creds_password() into a helper function. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24237 dc483132-0cff-0310-8789-dd5450dbe970
* Use xdr_int32 instead of xdr_u_int in xdr_krb5_enctype(), sinceGreg Hudson2010-07-261-1/+1
| | | | | | | enctypes are signed 32-bit values. Wire representation does not change. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24211 dc483132-0cff-0310-8789-dd5450dbe970
* Fix XDR decoding of large values in xdr_u_intGreg Hudson2010-07-261-1/+1
| | | | | | | | | | | | | | | | | | | Our ancient RPC value internally decodes 32-bit wire values into a signed long, which is then casted to the appropriate type. xdr_u_int() contains a check intended to catch wire values that don't fit into a u_int on platforms with 16-ints, but on platforms with 64-bit longs it was failing on values of 2^31 or larger because the sign-extended value appeared larger than UINT_MAX. Fix the check by casting the value to uint32_t before comparing. This bug, in combination with a poor choice of types in kadm_rpc_xdr.c's xdr_krb5_enctype(), prevented negative enctype values from being transported properly in kadmin's change_password command result. ticket: 6753 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24210 dc483132-0cff-0310-8789-dd5450dbe970
* Addendum to r24200: fix kdb5_ldap_util call site ofGreg Hudson2010-07-211-1/+1
| | | | | | | | krb5_ldap_lib_init. ticket: 6749 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24201 dc483132-0cff-0310-8789-dd5450dbe970
* Revert the part of r24157 which added the dal_version argument to theGreg Hudson2010-07-217-20/+19
| | | | | | | | | | | init_library interface. Instead use the already existing maj_ver field of the DAL vtable to detect incompatibilities. Since maj_ver is a short int, use an incrementing number instead of a date for the major version. ticket: 6749 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24200 dc483132-0cff-0310-8789-dd5450dbe970
* Get the kdb_hdb module to compile again. Probably still buggy,Greg Hudson2010-07-204-293/+161
| | | | | | | | particularly around the master key logic. ticket: 6749 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24193 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-10-05 03:08:21 +0000