summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* Remove KRB5_DB_LOCKMODE_DONTBLOCK from kdb.hGreg Hudson2012-10-161-2/+0
| | | | It's wasn't used and wasn't implemented.
* Use blocking locks for policy DBGreg Hudson2012-10-161-19/+6
| | | | | | | In the db2 kdb module, use blocking locks for the policy DB as well as the principal DB. ticket: 7359
* Test in_ccache and pa_types functionalityNalin Dahyabhai2012-10-168-6/+416
| | | | | | | | | * Add a krb5int_build_conf_principals() function to allow our get/set code to directly prune out duplicate config entries. * Verify that when we specify a pa_type, it affects whether or not we will use a particular preauth plugin. * Verify that we correctly save the KDC's preauth type number, that we tried to answer, to the out_ccache.
* Add "pa_type" configuration to ccachesNalin Dahyabhai2012-10-164-0/+97
| | | | | | | | | | | | | | * When producing preauth data, keep track of the type of padata in the KDC's list of acceptable types which prompted the module to produce padata. * After obtaining credentials, store that value as a "pa_type" configuration item in the out_ccache. * Read that allowed preauth type from an in_ccache, if possible. * If we have an allowed preauth type, only call "real" modules that handle that value when filling in responder items and producing a client request. ticket: 7414 (new)
* Add an input ccache get_init_creds optionNalin Dahyabhai2012-10-166-26/+93
| | | | | | | | Add a krb5_get_init_creds_opt_set_in_ccache() function. An input ccache may hold configuration data which the client libraries can use to influence their decisions. ticket: 7413 (new)
* Regenerate man pagesBen Kaduk2012-10-1623-1054/+525
| | | | | | | Catch up to the RST content updates. Lots of .sp vertical space macros are removed, and the output engine spelles "restructuredText" correctly, now.
* Check in kadm5.acl.manBen Kaduk2012-10-161-0/+234
| | | | Somehow this man page was overlooked, previously.
* Remove nroff man pagesBen Kaduk2012-10-1636-6149/+2
| | | | | | | We generate man pages from RST sources now; they are checked into the tree in src/man/. The gen-manpages directory is no longer needed.
* More RST rename follow-upBen Kaduk2012-10-162-4/+4
| | | | | | Update conf.py for paths to man page sources and update make rules for building the man pages. Correct README files for the location of the sources.
* Avoid bit shifting in krb5.h constantsGreg Hudson2012-10-161-5/+5
| | | | | | Our traditional practice is to use hex integer literals for flag bits. Bit shifting can be dangerous because shifting into the sign bit is undefined. Convert existing bit shift expressions to hex literals.
* Handle concat OTP responder caseNathaniel McCallum2012-10-162-8/+20
|
* make dependTom Yu2012-10-155-57/+100
|
* Don't unparse principal names in process_tgs_req()Tom Yu2012-10-153-88/+104
|
* Refactor process_tgs_req() 2nd-ticket handlingTom Yu2012-10-151-95/+144
| | | | | Refactor some of the second-ticket handling and session key generation out of process_tgs_req().
* Clean up domain->realm referralsTom Yu2012-10-154-144/+91
| | | | | | | Clean up domain->realm referrals by breaking prep_reprocess_tgs_req() into smaller functions. Give the resulting functions more descriptive names. Also delete an unnecessary and almost exact copy of krb5_get_host_realm().
* Refactor process_tgs_req() service princ searchTom Yu2012-10-151-101/+91
| | | | | | The service principal database entry search logic in process_tgs_req() was excessively complex, containing questionable uses of "goto", along with deeply nested control flow. Refactor it into smaller functions.
* Move validate_tgs_request() to a separate fileTom Yu2012-10-154-334/+394
|
* Refactor validate_tgs_request()Tom Yu2012-10-151-199/+257
| | | | | | | Break validate_tgs_request() into smaller functions. Collect related checks into helper functions. As a result, some invalid requests with multiple problems can produce different error messages. This is probably not a problem for most situations.
* Move add_to_transited to a separate fileTom Yu2012-10-153-385/+420
| | | | | | | add_to_transited() is fairly large, and also fairly independent of the other contents of kdc_util.c. Move it into kdc_transit.c. Also simplifies the building of rtest by removing dependencies that kdc_util.c previously needed to satisfy undefined symbols.
* Move KDC PRNG reseed logic to a helper functionTom Yu2012-10-151-20/+29
|
* Eliminate some KDC globalsTom Yu2012-10-1515-327/+489
| | | | | | Make kdc_active_realm a local variable in every function that needs it. Pass it around in various state structures as needed. Keep the macros that reference its members remain for now.
* Don't use kdc_active_realm in kdc/rtest.cTom Yu2012-10-151-11/+9
| | | | | | | Too many parts of the KDC rely on the global variable kdc_active_realm. rtest.c doesn't actually need any of the KDC-specific information that's avaiable through kdc_active_realm, so delete references to it.
* Enforce TGS principals having 2 componentsTom Yu2012-10-151-9/+13
| | | | | | | RFC 4120 section 7.3 says that TGS principal names have two components. Make krb5_is_tgs_principal() and is_cross_tgs_principal() enforce this constraint. Code elsewhere in the KDC already checks for two components anyway.
* Catch up to RST move/renameBen Kaduk2012-10-151-20/+42
| | | | | | | | Change the make rules for the directory structure. Update the RST sources which include other RST sources for the loss of the krb_ prefix. ticket: 7409
* Make rules for building NOTICE from RSTBen Kaduk2012-10-151-5/+20
| | | | | | | | | | | | | | | | | | | | Sphinx-build wants to scan over all the sources in the source dir, and its text output engine does not handle the spanning row cells used in some of our fancy tables, so it will crash if we attempt to generate text output from our full suite of documents. We could work around this by attempting to just compile the one source file as an additional argument to sphinx-build, but this seems to insist on producing an index.txt as well as a notice.txt. Furthermore, we cannot use the same conf.py as in rst_composite because the paths substitutions are not available with just the minimal contents of rst_notice. Make a copy and remove the irrelevant parts, for now, changing only the master_doc field as appropriate. For the HTML build, we use the standard |copy| macro from isonum.txt to get the unicode copyright symbol glyph, but for ASCII output we prefer to just use the literal "(C)". ticket: 7407
* Set pointers to NULL after freeing themZhanna Tsitkov2012-10-152-0/+2
|
* Bump libkdb5 API and DAL versionsGreg Hudson2012-10-152-3/+3
| | | | | | We made two sets of incompatible changes to the DAL and libkdb5 API during development for 1.11 (master key list simplification and policy extensions), so increment the appropriate version numbers.
* Wait for correct message in t_iprop.pyGreg Hudson2012-10-151-2/+1
| | | | | | | | | The message "Got incremental updates from the master" precedes actually replaying the updates on the slave. Instead look for "Incremental updates:" (the statistics message), which happens just after the updates are replayed. Also, we don't need to import time now that we're not sleeping.
* Add a -C flag to klist to also show config entriesNalin Dahyabhai2012-10-151-12/+54
|
* Use hex escaping for non-printable trace dataNalin Dahyabhai2012-10-151-3/+42
| | | | | | When adding {str}, {lenstr}, or {data} to trace output, scan for bytes which might be non-printable, and add them as hex-escaped versions of themselves if any are found.
* Export krb5_cc_move()Nalin Dahyabhai2012-10-152-0/+2
|
* Correct type mismatches for get_as_key callbacksNalin Dahyabhai2012-10-152-2/+4
|
* Handle anonymous-as-signed-data-with-no-signersNalin Dahyabhai2012-10-151-27/+28
| | | | | Update to generate and consume signed-data with no signer-info, which we need for anonymous PKINIT.
* Make sure that pkinit_octetstring_hkdf() inits NSSNalin Dahyabhai2012-10-151-0/+15
| | | | | Create an NSS context for use when performing KDF, so that the tests, which call into the function directly, will work.
* Don't try to free an uninitialized keyblockNalin Dahyabhai2012-10-151-2/+0
|
* Sanity-check loading keys and certs from PEM filesNalin Dahyabhai2012-10-151-0/+15
| | | | | Print a debug message if we're unable to locate the matching private key for a certificate when we've just loaded both of them from PEM files.
* Reset the prompt_types list after calling prompterNalin Dahyabhai2012-10-151-0/+1
| | | | | Reset the prompt_types list immediately after the prompter callback returns, as is done everywhere else.
* Add responder support to preauth_otpNathaniel McCallum2012-10-154-18/+704
|
* Migrate to non-destructive tokeninfo selectionNathaniel McCallum2012-10-151-148/+191
|
* Move forward tokeninfo filteringNathaniel McCallum2012-10-151-63/+81
|
* Move pa_data encoding into a separate functionNathaniel McCallum2012-10-151-39/+45
|
* Eliminate races in t_iprop.pyGreg Hudson2012-10-131-15/+31
| | | | | | | | | | | | | After we start kpropd, read about the initial full dump before making changes on the master. Avoid prodding kpropd for this read (by shifting responsibility for the initial prod to the caller) since kpropd doesn't sleep before its first request. When waiting for sync, note whether we got a full propagation and match that up with our expectations. Use a long polling interval so kpropd doesn't wake up on its own and confuse the test script with an extra incremental update.
* Don't use void * arithmetic in interposed_oidGreg Hudson2012-10-131-1/+2
|
* Make t_iprop.py faster and more robustGreg Hudson2012-10-123-32/+80
| | | | | | | | | | | | | | | Catch SIGUSR1 in iprop-mode kpropd so that we can use it to interrupt sleeps and make kpropd do an iprop request immediately. In k5test.py, add prod_kpropd and read_from_kpropd methods to allow test scripts to send a SIGUSR1 to kpropd and to read its stdout/stderr output; also allow the test script to specify additional arguments when starting kpropd. In t_iprop.py, start kpropd with -d and, instead of sleeping, read kpropd output until we see an indication that kpropd is in sync with the master. To avoid delays, prod kpropd before waiting for sync and after a completed full prop.
* Fix a couple of typosNalin Dahyabhai2012-10-121-2/+2
|
* Add responder support to preauth_encts/preauth_ecNathaniel McCallum2012-10-122-0/+26
|
* Add responder support to get_as_key()Nathaniel McCallum2012-10-129-9/+70
| | | | | This follows the design laid out on the project page: http://k5wiki.kerberos.org/wiki/Projects/Password_response_item
* Allow null inputs to response item functionsNathaniel McCallum2012-10-121-2/+14
|
* Fix cast regexp in C style checkerGreg Hudson2012-10-111-1/+1
| | | | | | | In check_cast, we want to match cast operators with or without spaces after the closing paren, and then check for spaces after we match. Also, per the comment, we want to match potential cast operators followed by an open paren.
* Fix slow kprop dejagnu testGreg Hudson2012-10-103-6/+4
| | | | | | | | | Fix kpropd -S -t to actually exit after processing one connection (it was breaking out of the switch statement, not the while loop). Use the -t when invoking kpropd from the dejagnu test framework; previously it was unnecessary because kpropd -S -d exited after one connection. Clear up some confusion in the kprop.exp comments about whether kpropd is expected to exit.
generated by cgit (git 2.34.1) at 2025-09-28 03:31:32 +0000