Simo Sorce [Fri, 4 Feb 2011 17:11:04 +0000 (12:11 -0500)]
Ask Samba to always return admin data.
Simo Sorce [Wed, 2 Feb 2011 17:16:52 +0000 (12:16 -0500)]
Fix plugin to build with Kerberos master tree.
Simo Sorce [Sat, 13 Feb 2010 16:22:57 +0000 (11:22 -0500)]
mit_samba: fix pac updates
The update interface is actually asymmetric. We send a whole pac and receive
back only a logon info buffer. Make it clear by decoupling the input buffer
from the output buffer.
Also fix segfault if client is missing. This may happen for cross-realm
trusts where the client comes from a trusted realm.
Simo Sorce [Mon, 1 Feb 2010 21:56:36 +0000 (16:56 -0500)]
mit_samba: Implement s4u2proxy delegation
Simo Sorce [Sun, 31 Jan 2010 21:38:07 +0000 (16:38 -0500)]
mit_samba: Implement check_policy_as
Simo Sorce [Fri, 29 Jan 2010 00:41:58 +0000 (19:41 -0500)]
mit_samba: Rename functions that changed in samba
Simo Sorce [Tue, 26 Jan 2010 19:50:12 +0000 (14:50 -0500)]
mit_samba: Remove use of k5-int.h, unnecessary
Simo Sorce [Wed, 13 Jan 2010 23:37:24 +0000 (18:37 -0500)]
mit_samba: Implement pac handling code.
Simo Sorce [Thu, 14 Jan 2010 01:24:18 +0000 (20:24 -0500)]
mit_samba: Always save a copy of the principal
Fix a segfault, the original principal is needed in the pac code.
Simo Sorce [Fri, 8 Jan 2010 21:51:16 +0000 (16:51 -0500)]
mit_samba: Add stubs for db_invoke
Simo Sorce [Fri, 8 Jan 2010 16:27:29 +0000 (11:27 -0500)]
mit_samba: Add comments to each function
Samba has specific behavior and properties.
Comment each function we do not implement or bypass explaining why we do so.
Simo Sorce [Fri, 8 Jan 2010 00:17:41 +0000 (19:17 -0500)]
mit_samba: Add iterator function
Simo Sorce [Fri, 8 Jan 2010 00:17:11 +0000 (19:17 -0500)]
mit_samba: Fix unmarshal function.
Deal with NULL extensions
Simo Sorce [Thu, 7 Jan 2010 20:35:31 +0000 (15:35 -0500)]
mit_samba: Add dummy function
When kadmin.local starts it insists on getting kadmin/history@REALM principal
key. Provide back a dummy one so that it is happy for now.
Simo Sorce [Thu, 7 Jan 2010 01:14:46 +0000 (20:14 -0500)]
mit_samba: Add more infrastructure
Using kadmin.local I managed to make it search the samba database and
find out the principal requested was not available.
Simo Sorce [Mon, 4 Jan 2010 21:02:55 +0000 (16:02 -0500)]
mit_samba: Initial samba kdb plugin
Simo Sorce [Fri, 8 Jan 2010 21:51:44 +0000 (16:51 -0500)]
Add ignore file to suppress useless stuff
ghudson [Tue, 1 Feb 2011 01:11:51 +0000 (01:11 +0000)]
ticket: 6854
subject: kadmin's ktremove can remove wrong entries when removing kvno 0
Because of 8-bit wraparound, keytabs can contain entries with kvno 0.
Because 0 is a distinguished kvno value for krb5_kt_get_entry(),
kadmin's remove_principal() winds up substituting the specified kvno
with the highest-numbered kvno of the specified principal in the
keytab. Make sure not to perform this substitution when in
specified-kvno mode.
(This fix leaves behind a very minor bug where "ktrem principal 0"
returns silently, instead of producing an error message like it
normally would, if principal exists in the keytab but not at kvno 0.)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24611 dc483132-0cff-0310-8789-dd5450dbe970
tlyu [Wed, 26 Jan 2011 19:48:16 +0000 (19:48 +0000)]
Restore KRB5_CALLCONV_WRONG attribute to krb5_auth_con_getrcache.
It was incorrectly removed in r24600.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24606 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Wed, 26 Jan 2011 18:23:23 +0000 (18:23 +0000)]
ticket: 6851
When building PKINIT against OpenSSL 1.0 or later, use the CMS APIs for
better interoperability. From nalin@redhat.com.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24605 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 25 Jan 2011 05:20:07 +0000 (05:20 +0000)]
ticket: 6323
Make principal renaming work in libkadm5srv by converting to explicit
salts as necessary. Add a principal rename command to the client.
(The RPC infrastructure was already present.)
Adapted from patches submitted by mdw@umich.edu and lha@apple.com.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24604 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 25 Jan 2011 00:23:48 +0000 (00:23 +0000)]
ticket: 6852
subject: Make gss_krb5_set_allowable_enctypes work for the acceptor
target_version: 1.9.1
tags: pullup
With the addition of enctype negotiation in 1.7, a gss-krb5 acceptor
can choose an enctype for the acceptor subkey other than the one in
the keytab. If the resulting security context will be exported and
re-imported by another gss-krb5 implementation (such as one in the
kernel), the acceptor needs a way to restrict the set of negotiated
enctypes to those supported by the other implementation. We had that
functionality for the initiator already in the form of
gss_krb5_set_allowable_enctypes; this change makes it work for the
acceptor as well.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24603 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Fri, 21 Jan 2011 18:09:56 +0000 (18:09 +0000)]
Add a trace log event for unrecognized enctypes in a profile enctype
list.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24602 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Fri, 21 Jan 2011 05:00:53 +0000 (05:00 +0000)]
ticket: 6849
subject: Fix edge case in LDAP last_admin_unlock processing
target_version: 1.9.1
tags: pullup
In the LDAP KDB module, set appropriate flags when zeroing
entry->fail_auth_count due to an administrative unlock.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24601 dc483132-0cff-0310-8789-dd5450dbe970
tsitkova [Wed, 19 Jan 2011 16:49:41 +0000 (16:49 +0000)]
Where missing, add the argument's names to the function signatures.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24600 dc483132-0cff-0310-8789-dd5450dbe970
tsitkova [Tue, 18 Jan 2011 21:54:58 +0000 (21:54 +0000)]
Renamed static function krb5_rd_safe_basic into rd_safe_basic to avoid confusion with API
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24599 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 18 Jan 2011 17:51:58 +0000 (17:51 +0000)]
In t_expire_warn.py, put the hashbang line at the top, instead of
after the copyright comments.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24598 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 18 Jan 2011 17:03:54 +0000 (17:03 +0000)]
Update copyright year in prototype sources.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24597 dc483132-0cff-0310-8789-dd5450dbe970
tsitkova [Thu, 13 Jan 2011 15:32:47 +0000 (15:32 +0000)]
Doxygen style re-formatting of the existing comments.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24596 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Wed, 12 Jan 2011 23:31:58 +0000 (23:31 +0000)]
In krb5_set_realm():
* Return EINVAL and ENOMEM correctly.
* Accept an empty realm instead of returning EINVAL.
* Wrap a long line.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24595 dc483132-0cff-0310-8789-dd5450dbe970
raeburn [Wed, 12 Jan 2011 22:00:40 +0000 (22:00 +0000)]
Don't call memset with a zero length.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24594 dc483132-0cff-0310-8789-dd5450dbe970
tsitkova [Tue, 11 Jan 2011 20:00:52 +0000 (20:00 +0000)]
Asn.1 decode related file rearrangement. It was made based on the following criteria:
1. based on functionality (for example, kdc-only code)
2. Well defined clusters of functions (fast, sam).
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24593 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Mon, 10 Jan 2011 20:32:56 +0000 (20:32 +0000)]
ticket: 6817
Tighten up the error handling in the mechglue's gss_canonicalize_name,
eliminating a null pointer dereference in the (unlikely) case that
allocation of out_union fails. Reported by aberry@likewise.com.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24592 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Mon, 10 Jan 2011 18:25:36 +0000 (18:25 +0000)]
ticket: 6816
Fix a couple of cases in the SPNEGO implementation where a
half-constructed SPNEGO context could be leaked. Patch from
aberry@likewise.com, slightly amended.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24591 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 28 Dec 2010 18:27:17 +0000 (18:27 +0000)]
ticket: 6675
target_version: 1.9.1
tags: pullup
Don't attempt to serialize a NULL authdata context when serializing a
GSSAPI context (most often seen with initiator contexts). Patch from
aberry@likewise.com.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24590 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 28 Dec 2010 17:27:15 +0000 (17:27 +0000)]
Don't use a krb5 context in t_fork, since we don't set up a krb5.conf
in the crypto test directory's "make check".
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24589 dc483132-0cff-0310-8789-dd5450dbe970
tlyu [Mon, 20 Dec 2010 22:52:35 +0000 (22:52 +0000)]
ticket: 6794
tags: pullup
target_version: 1.9
Document rdns libdefault setting.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24584 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Mon, 20 Dec 2010 17:48:06 +0000 (17:48 +0000)]
Eliminate some unused variable warnings.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24583 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Thu, 16 Dec 2010 05:07:24 +0000 (05:07 +0000)]
Remove an unnecessary clause from safe_cksumtype() which served only
to create a theoretical (but impossible in practice) memory leak.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24581 dc483132-0cff-0310-8789-dd5450dbe970
tlyu [Wed, 15 Dec 2010 19:14:37 +0000 (19:14 +0000)]
update acknowledgments
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24575 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 14 Dec 2010 18:46:46 +0000 (18:46 +0000)]
ticket: 6842
subject: Ensure time() is prototyped in g_accept_sec_context.c
tags: pullup
target_version: 1.9
r22736 added a call to time() in g_accept_sec_context.c. Include
<time.h> to ensure that this call is correctly prototyped. Previously
<time.h> was only included implicitly through <pthread.h>, which
doesn't apply when thread support is disabled.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24568 dc483132-0cff-0310-8789-dd5450dbe970
tlyu [Tue, 14 Dec 2010 17:34:48 +0000 (17:34 +0000)]
ticket: 6841
subject: memory leak in changepw.c
tags: pullup
target_version: 1.9
Apply patch from Marcus Watts to avoid a memory leak in changepw.c.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24567 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 14 Dec 2010 17:28:38 +0000 (17:28 +0000)]
ticket: 6838
tags: pullups
target_version: 1.9
Fix a regression in the client-side ticket renewal code where KDC
options were not folded into the renewal request (most notably, the
KDC_OPT_RENEWABLE flag), so we didn't request renewable renewed
tickets. Add a simple test case for ticket renewal.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24566 dc483132-0cff-0310-8789-dd5450dbe970
tlyu [Tue, 14 Dec 2010 17:24:21 +0000 (17:24 +0000)]
ticket: 6840
subject: typo in plugin-related error message
tags: pullup
target_version: 1.9
Apply patch from Marcus Watts to fix error message typo.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24565 dc483132-0cff-0310-8789-dd5450dbe970
tlyu [Fri, 10 Dec 2010 01:06:26 +0000 (01:06 +0000)]
ticket: 6839
subject: handle MS PACs that lack server checksum
target_version 1.9
tags: pullup
Apple Mac OS X Server's Open Directory KDC issues MS PAC like
authorization data that lacks a server checksum. If this checksum is
missing, mark the PAC as unverified, but allow
krb5int_authdata_verify() to succeed. Filter out the unverified PAC
in subsequent calls to krb5_authdata_get_attribute(). Add trace
points to indicate where this behavior occurs.
Thanks to Helmut Grohne for help with analysis. This bug is also
Debian Bug #604925:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604925
This change should also get backported to krb5-1.8.x.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24564 dc483132-0cff-0310-8789-dd5450dbe970
tlyu [Tue, 7 Dec 2010 23:45:15 +0000 (23:45 +0000)]
ticket: 6835
Add comment noting that RFC 4121 appears to omit RC4-HMAC from the
list of "not-newer" enctypes, even though RFC 4757 effectively treats
it as one. Suggested by Derrick Brashear.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24563 dc483132-0cff-0310-8789-dd5450dbe970
raeburn [Sun, 5 Dec 2010 20:16:17 +0000 (20:16 +0000)]
update dependencies
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24561 dc483132-0cff-0310-8789-dd5450dbe970
tlyu [Fri, 3 Dec 2010 12:34:53 +0000 (12:34 +0000)]
ticket: 1219
target_version: 1.9
tags: pullup
Test for key rollover for TGT, including purging old keys.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24555 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Wed, 1 Dec 2010 22:36:38 +0000 (22:36 +0000)]
ticket: 6829
Correct typo in admin documentation for restrict_anonymous_to_tgt.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24550 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Wed, 1 Dec 2010 20:01:46 +0000 (20:01 +0000)]
ticket: 6829
subject: Implement restrict_anonymous_to_tgt realm flag
target_version: 1.9
tags: pullup
Implement a new realm flag to reject ticket requests from anonymous
principals to any principal other than the local TGT. Allows FAST to
be deployed using anonymous tickets as armor in realms where the set
of authenticatable users must be constrained.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24547 dc483132-0cff-0310-8789-dd5450dbe970
hartmans [Tue, 30 Nov 2010 22:46:54 +0000 (22:46 +0000)]
ticket: 6828
Subject: Install kadm5_hook_plugin.h
target_version: 1.9
tags: pullup
Install the kadm5 hook plugin header
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24539 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 30 Nov 2010 21:20:49 +0000 (21:20 +0000)]
ticket: 6827
subject: SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
Fix multiple checksum handling bugs, as described in:
CVE-2010-1324
CVE-2010-1323
CVE-2010-4020
CVE-2010-4021
* Return the correct (keyed) checksums as the mandatory checksum type
for DES enctypes.
* Restrict simplified-profile checksums to their corresponding etypes.
* Add internal checks to reduce the risk of stream ciphers being used
with simplified-profile key derivation or other algorithms relying
on the block encryption primitive.
* Use the mandatory checksum type for the PKINIT KDC signature,
instead of the first-listed keyed checksum.
* Use the mandatory checksum type when sending KRB-SAFE messages by
default, instead of the first-listed keyed checksum.
* Use the mandatory checksum type for the t_kperf test program.
* Use the mandatory checksum type (without additional logic) for the
FAST request checksum.
* Preserve the existing checksum choices (unkeyed checksums for DES
enctypes) for the authenticator checksum, using explicit logic.
* Ensure that SAM checksums received from the KDC are keyed.
* Ensure that PAC checksums are keyed.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24538 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 30 Nov 2010 17:46:10 +0000 (17:46 +0000)]
ticket: 6826
Install gssapi_ext.h on Windows. Include gssapi_ext.h in the header
files considered by def-check.pl in verify-calling-conventions-gssapi.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24537 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Sun, 28 Nov 2010 01:36:42 +0000 (01:36 +0000)]
ticket: 6826
Use for loops for recursion in the Windows build, cutting down on the
verbiage in Makefile.in files. For correctness of output, every
Makefile.in mydir= definition is changed to use $(S) instead of /.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24536 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Fri, 26 Nov 2010 16:37:14 +0000 (16:37 +0000)]
ticket: 6826
Supply static ordinals for new symbols in gssapi32.def and krb5_32.def,
for consistency with KFW 3.x.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24535 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Thu, 25 Nov 2010 20:34:06 +0000 (20:34 +0000)]
ticket: 6826
Fix how gssapi.h is rebuilt on Windows; accidentally omitted from
r24533.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24534 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Thu, 25 Nov 2010 20:28:30 +0000 (20:28 +0000)]
ticket: 6826
subject: Fix Windows build
target_version: 1.9
tags: pullup
Repair the Windows build. Tested with the prepare-on-Unix method.
Some specific changes include:
* Removed the IPC finalizer (no longer used after r20787) from
ccapi/lib/ccapi_ipc.c, as it was creating a difficult dependency
chain for the pingtest build in ccapi/test. Also updated pingtest
to use the k5_ipc_stream interfaces since cci_stream is gone.
* Reverted the apparently non-functional r20277.
* klist -V prints just "Kerberos for Windows", since it has no access
to PACKAGE_NAME and PACKAGE_VERSION from autoconf. This should be
addressed correctly.
* krb5, telnet, gssftp, and NIM are removed from the build.
* Some files had CRLFs; these were replaced with LFs and the
svn:eol-style property set on the files. Otherwise the CRLFs became
CRCRLFs after the zip transfer.
* Windows does not have opendir/readdir, so added Windows code to
prof_parse.c for includedir. Probable fodder for a libkrb5support
portability shim.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24533 dc483132-0cff-0310-8789-dd5450dbe970
tlyu [Tue, 23 Nov 2010 23:51:50 +0000 (23:51 +0000)]
ticket: 6825
Update krb5_gic_opt_private and related code to reflect the change of
krb5_expire_callback_func from a function typedef to a function
pointer typedef. This was causing segfaults.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24532 dc483132-0cff-0310-8789-dd5450dbe970
tlyu [Tue, 23 Nov 2010 23:51:45 +0000 (23:51 +0000)]
update acknowledgments
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24531 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 23 Nov 2010 18:50:12 +0000 (18:50 +0000)]
Set svn:eol-style on some Windows files and remove the CRs from their
repository representations.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24530 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 23 Nov 2010 04:50:40 +0000 (04:50 +0000)]
ticket: 6825
subject: Add missing KRB5_CALLCONV in callback declaration
target_version: 1.9
tags: pullup
krb5_get_init_creds_opt_set_expire_callback was correctly tagged with
KRB5_CALLCONV but the corresponding callback type was not. Add that
in.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24529 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 23 Nov 2010 04:41:08 +0000 (04:41 +0000)]
ticket: 6824
subject: Export krb5_tkt_creds_get
target_version: 1.9
tags: pullup
krb5_tkt_creds_get was overlooked in the export list; add it.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24528 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Mon, 22 Nov 2010 03:58:15 +0000 (03:58 +0000)]
ticket: 6823
Correct typo in r24526.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24527 dc483132-0cff-0310-8789-dd5450dbe970
hartmans [Mon, 22 Nov 2010 03:33:22 +0000 (03:33 +0000)]
ticket: 6823
subject: getdate.y: declare yyparse
target_version: 1.9
tags: pullup
At least on lucid, byacc doesn't declare yyparse, which creates
problems because lucid treats calls to unprototyped functions as
errors.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24526 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Sun, 21 Nov 2010 17:35:49 +0000 (17:35 +0000)]
Suppress building camellia-gen in "make check" for now (it has a build
issue on Solaris which will go away when Camellia support becomes
unconditional).
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24525 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Sat, 20 Nov 2010 00:31:46 +0000 (00:31 +0000)]
ticket: 6822
subject: Implement Camellia-CTS-CMAC instead of Camellia-CCM
target_verion: 1.9
tags: pullup
Replace the Camellia-CCM enctypes with Camellia-CTS-CMAC. Still not
compiled in by default since we don't have enctype assignments yet.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24524 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 16 Nov 2010 02:54:26 +0000 (02:54 +0000)]
ticket: 6820
subject: Read KDC profile settings in kpropd
target_version: 1.9
tags: pullup
kpropd can modify the KDB with ulog_replay(), so it should read the
KDC profile settings in case the KDB configuration is in there.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24519 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 16 Nov 2010 02:30:16 +0000 (02:30 +0000)]
ticket: 6819
subject: Handle referral realm in kprop client principal
target_version: 1.9
tags: pullup
kprop uses krb5_sname_to_principal() to determine its client
principal. If the local hostname cannot be mapped to a realm based on
the profile's domain_realm section, krb5_sname_to_principal() will (as
of 1.6) return a principal with the referral realm (""), which does
not work in a client principal. Handle this by substituting the
default realm.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24518 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 16 Nov 2010 00:12:52 +0000 (00:12 +0000)]
Fix a typo in install.texinfo.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24517 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 16 Nov 2010 00:12:38 +0000 (00:12 +0000)]
The iprop dejagnu test had some deceptive commented-out debugging code
(it would set up the user to run kpropd in the master environment
instead of the slave environment). Make it more useful.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24516 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Mon, 15 Nov 2010 15:24:37 +0000 (15:24 +0000)]
Correct a minor error in the k5test documentation.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24515 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 9 Nov 2010 23:24:31 +0000 (23:24 +0000)]
Include <openssl/des.h> in the OpenSSL back end's weak_key.c for the
DES_is_weak_key prototype.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24512 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Sat, 6 Nov 2010 00:02:13 +0000 (00:02 +0000)]
ticket: 6814
After a failed kdb5_util load, make a subsequent load operation work
by removing the remnant temporary files after obtaining a lock. To
make this safe, the private contract for temporary DB creation and
promotion had to be altered, along with many of the DB2 internal
helper functions.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24511 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Thu, 4 Nov 2010 21:27:03 +0000 (21:27 +0000)]
Further kdb_db2 code cleanup: make gen_dbsuffix return a
krb5_error_code to simplify error handling in callers, and discard the
db_lf_time field which was set but never used.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24510 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Thu, 4 Nov 2010 17:20:30 +0000 (17:20 +0000)]
Remove a stray spawn_shell in the iprop dejagnu tests.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24509 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Wed, 3 Nov 2010 17:32:11 +0000 (17:32 +0000)]
Simplify kdb_db2's open_db() a little further, avoiding a suspicious
switch fallthrough.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24508 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Wed, 3 Nov 2010 16:43:49 +0000 (16:43 +0000)]
Avoid running off the end of the spares array in db2's page_to_oaddr()
in unrealistically large databases.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24507 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Wed, 3 Nov 2010 16:42:05 +0000 (16:42 +0000)]
Use size_t to hold set counts in net-server.c.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24506 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 2 Nov 2010 17:21:28 +0000 (17:21 +0000)]
Clean up the DB2 KDB module code a bit, making it more conformant with
current coding practices. Mostly namespace changes, but also simplify
krb5_db2_destroy().
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24505 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Mon, 1 Nov 2010 15:19:00 +0000 (15:19 +0000)]
krb5_get_error_message cannot return NULL, and returns "Success" on
error code 0. Simplify some overly paranoid code accordingly.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24489 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Wed, 27 Oct 2010 17:05:05 +0000 (17:05 +0000)]
ticket: 6812
Don't fail out from krb5_get_credentials() if we can't store a ticket
into the ccache.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24488 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 26 Oct 2010 19:36:58 +0000 (19:36 +0000)]
FILE keytabs have been able to handle write operations since krb5 1.7,
as an apparently unintended side effect of r20594. Clean up the code
by combining the identical resolve functions for FILE and WRFILE, and
removing the code to set up a WRFILE default keytab name in kadmin.c.
Also fixes a slight display bug; k5test.py needs to be adjusted to
expect the correct output.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24487 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 26 Oct 2010 17:34:41 +0000 (17:34 +0000)]
ticket: 6811
subject: Mark Camellia-CCM code as experimental
target_version: 1.9
tags: pullup
Add a comment noting that the Camellia-CCM code in 1.9 is
experimental.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24486 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 26 Oct 2010 17:18:22 +0000 (17:18 +0000)]
ticket: 6770
Add a kg_encrypt_inplace() utility function to the krb5 GSS mech, and
use it where we do in-place encryption of checksums in the non-CFX
seal tokens with raw DES enctypes. Avoids a harmless but incorrect
in-place memcpy().
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24485 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 26 Oct 2010 16:41:38 +0000 (16:41 +0000)]
Make k5-buf.h comments consistent with coding style.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24484 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Tue, 26 Oct 2010 14:17:38 +0000 (14:17 +0000)]
ticket: 6809
target_version: 1.9
tags: pullup
Set *conf_state on successful return from
gss_krb5int_make_seal_token_v3_iov, fixing a case where it wasn't
always set by gss_wrap_iov. Patch from aberry@likewise.com.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24483 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Mon, 25 Oct 2010 21:55:54 +0000 (21:55 +0000)]
ticket: 6787
target_version: 1.9
tags: pullup
When we create a temporary memory ccache for use within a
krb5_gss_cred_id_rec, set a flag to indicate that the ccache should be
destroyed rather than closed. Patch from aberry@likewise.com.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24482 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Mon, 25 Oct 2010 20:17:54 +0000 (20:17 +0000)]
ticket: 6796
target_version: 1.9
tags: pullup
Use safer output parameter handling in
krb5_gss_acquire_cred_impersonate_name and its subsidiary helpers.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24481 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Mon, 25 Oct 2010 19:37:03 +0000 (19:37 +0000)]
ticket: 6793
target_version: 1.9
tags: pullup
In acquire_init_cred in the GSS krb5 mech, don't intern cred->name,
since it's not used as an output parameter. Fixes a memory leak.
Reported by aberry@likewise.com.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24480 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Sun, 24 Oct 2010 14:39:41 +0000 (14:39 +0000)]
Whitespace.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24479 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Sun, 24 Oct 2010 14:25:07 +0000 (14:25 +0000)]
Whitespace.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24478 dc483132-0cff-0310-8789-dd5450dbe970
raeburn [Sat, 23 Oct 2010 22:26:10 +0000 (22:26 +0000)]
Fix adjustment of counter.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24477 dc483132-0cff-0310-8789-dd5450dbe970
raeburn [Sat, 23 Oct 2010 22:26:07 +0000 (22:26 +0000)]
Declare xdr_purgekeys_arg.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24476 dc483132-0cff-0310-8789-dd5450dbe970
raeburn [Sat, 23 Oct 2010 22:26:04 +0000 (22:26 +0000)]
Declare kadmin_purgekeys.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24475 dc483132-0cff-0310-8789-dd5450dbe970
raeburn [Sat, 23 Oct 2010 22:26:01 +0000 (22:26 +0000)]
Declare krb5_set_error_message_fl.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24474 dc483132-0cff-0310-8789-dd5450dbe970
raeburn [Sat, 23 Oct 2010 22:25:58 +0000 (22:25 +0000)]
Include k5-int.h for function declarations.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24473 dc483132-0cff-0310-8789-dd5450dbe970
raeburn [Sat, 23 Oct 2010 22:25:55 +0000 (22:25 +0000)]
In profile-reading performance test, print microseconds not milliseconds.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24472 dc483132-0cff-0310-8789-dd5450dbe970
raeburn [Sat, 23 Oct 2010 22:25:51 +0000 (22:25 +0000)]
Try harder to retain the "brand" string in the shared library.
Make the brand array non-static, and actually use the value in (the
infrequently-called) krb5_init_secure_context.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24471 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Sat, 23 Oct 2010 00:38:17 +0000 (00:38 +0000)]
ticket: 6810
subject: Better libk5crypto NSS fork safety
target_version: 1.9
tags: pullup
Use SECMOD_RestartModules() from the forthcoming NSS 3.12.9 release to
make the libk5crypto back end work after a fork. Add a test program
to exercise fork detection in the NSS back end. Add a configure-time
version check to ensure that we're using NSS 3.12.9 or later.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24470 dc483132-0cff-0310-8789-dd5450dbe970
ghudson [Fri, 22 Oct 2010 00:01:56 +0000 (00:01 +0000)]
Make it possible to override CRYPTO_IMPL_CFLAGS and CRYPTO_IMPL_LIBS at
make time.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24469 dc483132-0cff-0310-8789-dd5450dbe970