krb5.git
Greg Hudson [Thu, 13 May 2010 18:49:20 +0000 (18:49 +0000)]
Error handling bug in krb5_init_creds_init()

Fix a bug in krb5_init_creds_init() where a freed context could be
returned to the caller in certain error cases.

ticket: 6722
tags: pullup
target_version: 1.8.2

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24020 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 13 May 2010 17:34:33 +0000 (17:34 +0000)]
Negative enctypes improperly read from keytabs

When reading enctypes from keytabs, we need to ntohs() the 16-bit
value we read in before sign-extending it to a 32-bit value in the
keyblock, or we run the risk of extending the wrong sign.

ticket: 6720

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24016 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 13 May 2010 16:46:50 +0000 (16:46 +0000)]
Make k5test.py work for builds in the source dir

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24015 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Wed, 12 May 2010 21:58:54 +0000 (21:58 +0000)]
Remove krb5_get_in_tkt

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24013 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 12 May 2010 20:49:11 +0000 (20:49 +0000)]
Reimplement krb5_get_in_tkt_with_skey in terms of krb5_get_init_creds,
similar to how the password and keytab equivalents were done.

Eliminate krb5_get_in_tkt.  It's been very hard to use since we made
krb5_kdc_rep_decrypt_proc private (in krb5 1.7 the prototype was taken
out of krb5.h altogether), and it's unlikely that anything would have
used it directly in the first place.

Remove and/or simplify a lot of code depended on by krb_get_in_tkt,
including all of preauth.c.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24012 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 10 May 2010 22:42:04 +0000 (22:42 +0000)]
Add lockout-related performance tuning variables

The account lockout feature of krb5 1.8 came at a cost in database
accesses for principals requiring preauth, even if lockout is not
used.  Add dbmodules variables disable_last_success and
disable_lockout for the DB2 and LDAP back ends, allowing the admin to
recover the lost performance at the cost of new functionality.

(Unrelated documentation fix: document database_name as a DB2-specific
dbmodules variable instead of the realm variable it used to be.)

ticket: 6719

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24003 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 10 May 2010 22:23:57 +0000 (22:23 +0000)]
Make KADM5_FAIL_AUTH_COUNT_INCREMENT more robust with LDAP

In krb5_ldap_put_principal, use krb5_get_attributes_mask to determine
whether krbLoginFailedCount existed on the entry when it was
retrieved.  If it didn't exist, don't try to use LDAP_MOD_INCREMENT,
and don't assert an old value when not using LDAP_MOD_INCREMENT.

Also, create the krbLoginFailedCount attribute when creating new
entries.  This allows us to use LDAP_MOD_INCREMENT during the first
failed login (if the server supports it), avoiding a race condition.

ticket: 6718
target_version: 1.8.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24002 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 5 May 2010 17:11:39 +0000 (17:11 +0000)]
General code consistency pass in kdb_db2.c.
Removes some pointless null checks.
Frees the DB context when a DB is finalized.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23973 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Tue, 4 May 2010 22:00:41 +0000 (22:00 +0000)]
Adjust for removal of krb5_ldap_set_option in r23965

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23972 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 4 May 2010 19:01:16 +0000 (19:01 +0000)]
Get rid of some kdb5_util load code which is no longer useful after
the introduction of the DAL.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23971 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 4 May 2010 17:08:39 +0000 (17:08 +0000)]
Remove some unused format string definitions from kdb5_util's dump.c

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23970 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 4 May 2010 16:54:00 +0000 (16:54 +0000)]
Remove some unused fields from kadm5_config_params.  Bump the client
and server sonames.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23969 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 4 May 2010 15:58:59 +0000 (15:58 +0000)]
Eliminate the unused realm_dbname field from krb5_realm_params

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23968 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 4 May 2010 05:49:39 +0000 (05:49 +0000)]
Remove a stray comment from r23966

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23967 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 4 May 2010 05:44:07 +0000 (05:44 +0000)]
Refactor the kdb_db2.c code which processes db_args and profile
variables to configure a DB context, to avoid repeating that code
three times in open/create/destroy.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23966 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 4 May 2010 04:12:24 +0000 (04:12 +0000)]
Remove krb5_db_set_option and the associated DAL entry.  It was not
used.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23965 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 3 May 2010 23:44:30 +0000 (23:44 +0000)]
Correct the DAL documentation for db_create

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23964 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 3 May 2010 19:42:29 +0000 (19:42 +0000)]
Eliminate some uses of variables as format strings.  Based on a patch
from Guillaume Rousse <Guillaume.Rousse@inria.fr>.

ticket: 6714

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23963 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 3 May 2010 19:02:16 +0000 (19:02 +0000)]
Eliminate the use of variables for format strings in kdb5_util.  Many
were unused, and localization will probably be done through _()
macros, not collecting all the strings together.  Eliminates a number
of format-security static analysis defects.

ticket: 6714
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23962 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sat, 1 May 2010 17:53:04 +0000 (17:53 +0000)]
Fix some bugs in the IAKERB code discovered by Coverity.  Also trim
down iakerb_initiator_step() a little using krb5_data constructors
and avoiding vertical function arguments.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23961 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 30 Apr 2010 21:22:48 +0000 (21:22 +0000)]
Add IAKERB mechanism and gss_acquire_cred_with_password

Merge branches/iakerb to trunk.  Includes the following:

* New IAKERB mechanism.
* New gss_acquire_cred_with_password mechglue function.
* ASN.1 encoders and decoders for IAKERB structures (with tests).
* New shortcuts in gss-sample client and server.
* Tests to exercise SPNEGO and IAKERB using gss-sample application.

ticket: 6712

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23960 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Fri, 30 Apr 2010 21:10:55 +0000 (21:10 +0000)]
memory leak in process_tgs_req in r23724

Fix a KDC memory leak that was introduced by r23724 that could leak
the decoded request.

ticket: 6711
tags: pullup
target_version: 1.8.2

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23959 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 27 Apr 2010 09:02:48 +0000 (09:02 +0000)]
Fix a backwards check in get_cached_tgt() in the TGS code

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23945 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 26 Apr 2010 16:54:38 +0000 (16:54 +0000)]
Squash some warnings in the old crypto API glue.  Use make_data()
where appropriate so that magic fields get initialized.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23942 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sat, 24 Apr 2010 19:33:33 +0000 (19:33 +0000)]
Add a Python test script to exercise the GSS sample app

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23937 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sat, 24 Apr 2010 19:24:36 +0000 (19:24 +0000)]
Add a sentinel line to sim_server after the socket is ready, and use
it in simple.exp in the dejagnu test suite instead of sleeping.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23936 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sat, 24 Apr 2010 19:20:11 +0000 (19:20 +0000)]
Eliminate the use of tail -f in the dejagnu test suite.  Instead, use
the sentinel lines printed by krb5kdc and kadmind to detect when the
listening sockets are ready.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23935 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sat, 24 Apr 2010 19:12:34 +0000 (19:12 +0000)]
Add a sentinel to the sample gss-server after the socket is ready, and
use it in gssapi.exp in the dejagnu test suite instead of sleeping.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23934 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sat, 24 Apr 2010 18:53:25 +0000 (18:53 +0000)]
Simplify how k5test scripts get run by importing runenv by pathname
(using the imp module) instead of by module name.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23933 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sat, 24 Apr 2010 17:33:04 +0000 (17:33 +0000)]
Run Python tests as individual rule commands (friendlier to make -k)
instead of in a loop.  Build runenv.py as part of make fake-install;
it's harmless if Python is unavailable.  Import runenv later in
k5test so that we get a better error message if make fake-install
hasn't been run.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23932 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sat, 24 Apr 2010 16:39:49 +0000 (16:39 +0000)]
Fix the actual python command to match the displayed one in the
check-pytests-yes rule in r23913.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23931 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Fri, 23 Apr 2010 01:30:48 +0000 (01:30 +0000)]
Adapted patch from Arlene Berry to handle dlerror() returning a null
pointer.

ticket: 6697
target_version: 1.8.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23929 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Fri, 23 Apr 2010 01:10:20 +0000 (01:10 +0000)]
Adapted patch from Jason Rogers.  It wasn't complete, so this commit
fixes the other instances of the 64-bit problem.

Also fix krb5_deltat_to_str(), which would previously always return an
empty string.

ticket: 6698
target_version: 1.8.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23928 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 22 Apr 2010 23:29:40 +0000 (23:29 +0000)]
From Luke: fix the post-canonicalization cache check logic in
krb5_get_credentials_for_user().

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23927 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 22 Apr 2010 20:07:08 +0000 (20:07 +0000)]
In kg_new_connection(), make sure k_cred is freed in all failure
cases.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23926 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Thu, 22 Apr 2010 20:04:01 +0000 (20:04 +0000)]
Apply patch from Arlene Berry to cease freeing error tokens output by
accept_sec_context, allowing them to actually be sent to the
initiator.

ticket: 6696
target_version: 1.8.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23925 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 22 Apr 2010 03:44:44 +0000 (03:44 +0000)]
Eliminate a non-useful NULL check in the KDC's dispatch() function.
If process_as_req or process_tgs_req return successfully, they will
always fill in *response.  (If they didn't, the subsequent
(*response)->length check would crash anyway.)

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23922 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 22 Apr 2010 03:19:34 +0000 (03:19 +0000)]
In kpasswd_sendto_msg_callback(), properly compare against the
wildcard IPv6 address instead of comparing an array address to 0.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23921 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 21 Apr 2010 23:47:50 +0000 (23:47 +0000)]
Fix a memory leak in get_creds.c's try_fallback_realm()

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23920 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 21 Apr 2010 23:37:04 +0000 (23:37 +0000)]
In the kdc5_hammer test program, simplify the cleanup logic of
get_server_key.  Fixes a memory leak where the result of
krb5_get_credentials() didn't get freed if krb5_mk_req_extended()
failed.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23919 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 21 Apr 2010 23:23:09 +0000 (23:23 +0000)]
Amend r23917 to correct some uses of *out_creds which should now use
the local variable.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23918 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 21 Apr 2010 23:20:29 +0000 (23:20 +0000)]
In the get_credentials() helper of the gss-krb5 init_sec_context code,
ensure that *out_creds is only filled in on successful return.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23917 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 21 Apr 2010 23:14:49 +0000 (23:14 +0000)]
In t_inetd, zero out l_inaddr before filling it in, as is relatively
common in networking code.  Silences a Coverity defect.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23916 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Tue, 20 Apr 2010 22:35:42 +0000 (22:35 +0000)]
Only create runenv.py at BUILDTOP.  Fix bugs in k5test.py relating to
environment initialization, also so that "make testrealm" works again.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23913 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Tue, 20 Apr 2010 21:12:10 +0000 (21:12 +0000)]
Fix CVE-2010-1230 (MITKRB5-SA-2010-004) double-free in KDC triggered
by ticket renewal.  Add a test case.

See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577490

Thanks to Joel Johnson and Brian Almeida for the reports.

ticket: 6702
target_version: 1.8.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23912 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 20 Apr 2010 07:56:58 +0000 (07:56 +0000)]
When setting up to get a TGT for the service realm in the TGS code,
get the cached local TGT before setting up the realm path.

Prior to this change, calling krb5_get_credentials() with an empty
ccache would result in KRB5_CC_NOTFOUND for a foreign server
principal, but would result in KRB5_NO_TKT_IN_REALM (generated by
krb5_walk_realm_tree) for a local server principal.  With this change,
KRB5_CC_NOTFOUND is returned in both cases.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23909 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 20 Apr 2010 07:38:12 +0000 (07:38 +0000)]
Add KRB5_INIT_CREDS_STEP_FLAG_CONTINUE for parity with Heimdal.
Rename KRB5_TKT_CREDS_CONTINUE to KRB5_TKT_CREDS_STEP_FLAG_CONTINUE
for consistency.
Adjust init_creds context to be less confusing in light of the above.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23906 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Fri, 16 Apr 2010 21:45:22 +0000 (21:45 +0000)]
Build runenv.py, holding environment variable settings required for
running programs out of the build tree during python-based tests.
Also updates shilb.conf to set RUN_VARS to make it easier to generate
this sort of thing.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23905 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 14 Apr 2010 14:36:32 +0000 (14:36 +0000)]
Introduce new krb5_tkt_creds API

Merged from branches/iakerb: add new asynchronous krb5_tkt_creds APIs,
which allow a caller to take responsibility for transporting requests
to the KDC and getting responses back.  Rewrite the existing
krb5_get_credentials API in terms of the new functions.  Get rid of
krb5_get_cred_from_kdc and friends, since they are no longer used.

ticket: 6700

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23900 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 14 Apr 2010 14:01:05 +0000 (14:01 +0000)]
Use krb5_get_credentials in ksu instead of krb5_get_cred_from_kdc, so
we can get rid of the latter.  (Also simplifies the code.)

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23899 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 13 Apr 2010 22:57:34 +0000 (22:57 +0000)]
Validate and renew should work on non-TGT creds

The validate and renew APIs were using get_cred_from_kdc, which
always presents a TGT to get credentials.  Instead, they should
present the ticket they are trying to validate or renew.  This is
most easily done with krb5_get_cred_via_tkt().  Move the relevant
code into a new file since it now has nothing in common with the
other APIs implemented in get_creds.c.

ticket: 6699

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23891 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 8 Apr 2010 20:37:11 +0000 (20:37 +0000)]
Remove krb5int_send_tgs(); it is unused as of r23358

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23881 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 8 Apr 2010 16:39:31 +0000 (16:39 +0000)]
Add krb5_cc_dup() to make it possible to copy ccache handles

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23874 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 8 Apr 2010 03:15:44 +0000 (03:15 +0000)]
Assume lstat in Unix code, specifically clients/ksu/ccache.c.  Fix bad
indentation caused by an #ifdef HAVE_LSTAT block.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23870 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sun, 4 Apr 2010 20:46:02 +0000 (20:46 +0000)]
In testrealm.py, add ksu and kvno to the list of build directories
containing programs.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23858 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 29 Mar 2010 22:08:21 +0000 (22:08 +0000)]
Fix backwards flag output in krb5_init_creds_step()

krb5_init_creds_step() is taken from Heimdal, which sets *flags to 1
for "continue" and 0 for "stop".  Unfortunately, we got it backwards
in 1.8; fix it for 1.8.1.

ticket: 6693
tags: pullup
target_version: 1.8.1

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23844 dc483132-0cff-0310-8789-dd5450dbe970

Ken Raeburn [Sat, 27 Mar 2010 21:30:43 +0000 (21:30 +0000)]
Always pass -W option to kdb5_util create in testing

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23838 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 26 Mar 2010 22:43:11 +0000 (22:43 +0000)]
In gc_frm_kdc.c, rename cur_kdc to cur_realm and nxt_kdc to nxt_realm,
to make it easier to distinguish them from cur_tgt and nxt_tgt.  Make
similar name changes to lst_kdc and kdc_list, as well as the function
find_nxt_kdc().

No functional changes.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23837 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 25 Mar 2010 03:08:12 +0000 (03:08 +0000)]
Straighten the if-ladder in encrypted challenge's process_preauth,
making it clearer that control drops through if one of the first
couple of steps fails.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23836 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Tue, 23 Mar 2010 22:00:13 +0000 (22:00 +0000)]
Apply patch from Arlene Berry to not use freed memory in
gss_import_sec_context in some error paths.

ticket: 6678
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23834 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Tue, 23 Mar 2010 18:53:52 +0000 (18:53 +0000)]
MITKRB5-SA-2010-002 CVE-2010-0628 denial of service in SPNEGO

The SPNEGO implementation in krb5-1.7 and later could crash due to
assertion failure when receiving some sorts of invalid GSS-API tokens.

ticket: 6690
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23832 dc483132-0cff-0310-8789-dd5450dbe970

Ezra Peisach [Tue, 23 Mar 2010 14:08:23 +0000 (14:08 +0000)]
Include t_spengno.o in list of OBJS so make clean will remove

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23831 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Tue, 23 Mar 2010 06:09:02 +0000 (06:09 +0000)]
krb5_typed_data not castable to krb5_pa_data on 64-bit MacOSX

Move krb5_typed_data to krb5.hin from k5-int-pkinit.h because
krb5int_fast_process_error was assuming that it was safe to cast it to
krb5_pa_data.  It's not safe to do the cast on 64-bit MacOSX because
krb5.hin uses #pragma pack on that platform.

ticket: 6689
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23829 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sat, 20 Mar 2010 03:50:06 +0000 (03:50 +0000)]
Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512

KRB5_AUTHDATA_SIGNTICKET, originally a Heimdal authorization data
type, was used to implement PAC-less constrained delegation in krb5
1.8.  Unfortunately, it was found that Microsoft was using 142 for
other purposes, which could result in a ticket issued by an MIT or
Heimdal KDC being rejected by a Windows Server 2008 R2 application
server.  Because KRB5_AUTHDATA_SIGNTICKET is only used to communicate
among a realm's KDCs, it is relatively easy to change the number, so
MIT and Heimdal are both migrating to a new number.  This change will
cause a transitional interoperability issue when a realm mixes MIT
krb5 1.8 (or Heimdal 1.3.1) KDCs with MIT krb5 1.8.1 (or Heimdal
1.3.2) KDCs, but only for constrained delegation evidence tickets.

ticket: 6687
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23821 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 19 Mar 2010 16:17:05 +0000 (16:17 +0000)]
Document the ticket_lifetime libdefaults setting (which was added in
r16656, #2656).  Based on a patch from nalin@redhat.com.

ticket: 6680
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23820 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 18 Mar 2010 17:37:31 +0000 (17:37 +0000)]
Fix the kpasswd fallback from the ccache principal name to the
username in the case where the ccache doesn't exist.

ticket: 6683
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23819 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 18 Mar 2010 17:17:31 +0000 (17:17 +0000)]
Include int-proto.h in mk_req_ext.c for krb5int_validate_times
declaration.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23818 dc483132-0cff-0310-8789-dd5450dbe970

Ken Raeburn [Thu, 18 Mar 2010 02:45:57 +0000 (02:45 +0000)]
Untabify

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23817 dc483132-0cff-0310-8789-dd5450dbe970

Ken Raeburn [Thu, 18 Mar 2010 02:44:41 +0000 (02:44 +0000)]
Copyright notice

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23816 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 17 Mar 2010 21:10:10 +0000 (21:10 +0000)]
When checking for KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT, don't
dereference options if it's NULL.

ticket: 6681
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23815 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 17 Mar 2010 20:16:32 +0000 (20:16 +0000)]
Add more verbosity when the -V option to kinit is specified.  Based on
a patch from Jeff Blaine <jblaine@kickflop.net>.

ticket: 6684

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23814 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 17 Mar 2010 19:34:48 +0000 (19:34 +0000)]
Fix the Python version check to use constructs available in older
versions of Python.  (python --version was added in 2.5.)

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23813 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 17 Mar 2010 19:11:09 +0000 (19:11 +0000)]
Add a version check to the Python test, so that we don't try to run
k5test in Python 2.3 or below.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23812 dc483132-0cff-0310-8789-dd5450dbe970

Ken Raeburn [Wed, 17 Mar 2010 06:00:56 +0000 (06:00 +0000)]
Merge users/raeburn/branches/network-merge

Re-integrates the forked versions of network.c in kdc and
kadmin/server.  Server-specific initialization and SIGHUP-reset code
is moved into other source files; the more generic network-servicing
code is merged and moved into apputils library already used by both
programs.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23811 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Tue, 16 Mar 2010 19:14:33 +0000 (19:14 +0000)]
handle NT_SRV_INST in service principal referrals

Handle NT_SRV_INST in service principal cross-realm referrals, as
Windows apparently uses that instead of NT_SRV_HST for at least some
service principals.

ticket: 6685
target_version: 1.8.1

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23810 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Mon, 15 Mar 2010 18:53:02 +0000 (18:53 +0000)]
Set up KRB5_RUN_ENV for pytests, so that Python-based tests can run
without first running "make install".

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23805 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 11 Mar 2010 17:05:24 +0000 (17:05 +0000)]
Lazy history key creation

Create kadmin/history lazily when we need it (i.e. when a password is
changed on a principal with a policy) instead of whenever we open the
database.  Allows kadmin.local to be used as a read-only tool on non-
kadmin-conformant database back ends such as the Samba bridge.

ticket: 6679

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23799 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Wed, 10 Mar 2010 20:45:12 +0000 (20:45 +0000)]
Use KRB5_CONF_ macros instead of strings in the source file for profile config attributes "default" and "logging"

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23798 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 10 Mar 2010 19:30:58 +0000 (19:30 +0000)]
Remove vestigial include/spnego-asn1.h

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23796 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 8 Mar 2010 04:39:08 +0000 (04:39 +0000)]
Add a "make testrealm" target using the Python test framework.  As
part of this, expose the environments in K5Realm as attributes so
that test scripts can modify them.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23794 dc483132-0cff-0310-8789-dd5450dbe970

Ezra Peisach [Sun, 7 Mar 2010 20:01:36 +0000 (20:01 +0000)]
Make python test start_in_inetd function

util/k5test.py: Fix incorrect variable used
tests/dejagnu/t_inetd.c: Flush stdout after outputting "Ready!"
tests/dejagnu/Makefile.in: Always compile t_inetd - even if runtest is not
    present

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23773 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 5 Mar 2010 20:35:26 +0000 (20:35 +0000)]
Release the internal_name field of a SPNEGO context if it has not been
claimed for a caller argument.

ticket: 6674
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23772 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 5 Mar 2010 20:33:37 +0000 (20:33 +0000)]
Add a Python test to run t_spnego

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23771 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 5 Mar 2010 20:32:40 +0000 (20:32 +0000)]
In post.in, add a check-pytests intermediate target for Makefile.in to
add dependencies to, for test scripts which run C test programs.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23770 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 5 Mar 2010 20:31:13 +0000 (20:31 +0000)]
Fix a double-free in the t_spnego test program resulting from overly
careless cutting and pasting.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23769 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 5 Mar 2010 19:30:32 +0000 (19:30 +0000)]
Add a message parameter to k5test's success(), to briefly indicate the
scope of test scripts.  Only displayed when verbose is set.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23768 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 5 Mar 2010 19:19:42 +0000 (19:19 +0000)]
Add IPv6 support to changepw.c (reverting r21004 since it is no longer
necessary).  Patch from Sumit Bose <sbose@redhat.com>.

ticket: 6661
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23767 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 5 Mar 2010 17:45:46 +0000 (17:45 +0000)]
Ignore improperly encoded signedpath AD elements

We have some reason to believe Microsoft and Heimdal are both using
the authdata value 142 for different purposes, leading to failures in
verify_ad_signedpath().  For better interoperability, treat such
tickets as unsigned, rather than invalid.

ticket: 6676
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23766 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 5 Mar 2010 04:18:51 +0000 (04:18 +0000)]
Error out if a Python test program fails

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23765 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 4 Mar 2010 21:37:20 +0000 (21:37 +0000)]
Clean up a help string in k5test

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23764 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 4 Mar 2010 21:24:54 +0000 (21:24 +0000)]
Python test framework

Add a framework for writing tests in Python.  Documentation is in the
initial docstring of util/k5test.py.  Inaugurate the framework with
two test scripts, t_general.py and t_anonypkinit.py, which together
test the same operations as standalone.exp from the dejagnu test
suite.

ticket: 6672

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23763 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sun, 28 Feb 2010 20:32:00 +0000 (20:32 +0000)]
Remove some more test suite cruft:
* localhostname from get_hostname was unused.
* database_name is no longer used except (misleadingly) in kdb5_util
  output.
* admin_database_name and admin_database_lockfile are no longer used.
* default_domain is only used for v4->v5 principal conversion, which
  isn't tested.
* libkadm5's init-v2.exp had a copy of get_hostname; domain and
  localhostname from it were unused.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23759 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sat, 27 Feb 2010 09:49:32 +0000 (09:49 +0000)]
On Linux platforms, use -Wl,--enable-new-dtags when linking shared
libraries and programs using them.  The primary effect is to get ld to
set DT_RUNPATH in addition to DT_RPATH, which in turn allows the
LD_LIBRARY_PATH environment variable to override the compiled-in
runpath, which is friendlier to the test framework.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23758 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Thu, 25 Feb 2010 21:16:16 +0000 (21:16 +0000)]
Updated documentation with information about --with-crypto-impl=IMPL configuration flag

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23752 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Thu, 25 Feb 2010 20:09:45 +0000 (20:09 +0000)]
doc updates for allow_weak_crypto

Update documentation to be more helpful about allow_weak_crypto.

ticket: 6669
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23750 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 24 Feb 2010 18:57:08 +0000 (18:57 +0000)]
Two problems in kadm5_get_principal mask handling

KADM5_MOD_NAME was being applied to entry->principal instead of
entry->mod_name.  KADM5_MKVNO was not being applied to entry->mkvno.
Patch from Marcus Watts <mdw@umich.edu>.

ticket: 6668
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23749 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 22 Feb 2010 18:27:55 +0000 (18:27 +0000)]
Remove some more dejagnu test suite cruft:
  * check_date was only used by the application tests.
  * touch was never used.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23745 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 22 Feb 2010 18:12:51 +0000 (18:12 +0000)]
Remove some unused cruft in the dejagnu test suite's default.exp:
  * RLOGIN, RLOGIN_FLAGS, ROOT_PROMPT, ROOT_SHELL, check_k5login,
    restore_kerberos_env, setup_root_shell, setup_root_shell_noremote,
    setup_wrapper: No longer used now that the applications are in a
    separate tree.
  * v4_compatible_enctype: No longer used with krb4 support gone.
  * tail1, krb_exit: Apparently never used.
  * KERBEROS_SERVER: Added long ago in r5686 and removed shortly after
    in r5695, but the test suite support for it never got excised.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23744 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 22 Feb 2010 16:10:05 +0000 (16:10 +0000)]
Explain the current SPNEGO initiator/acceptor design in comments.  No
code changes.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23743 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 22 Feb 2010 04:52:30 +0000 (04:52 +0000)]
Fix two unrelated problems in SPNEGO which don't crop up with the krb5
mechanism.

1. The third call to spnego_init_accept_context uses faulty logic to
determine if the exchange is complete, preventing a third mech token
from being sent to the acceptor if no MIC exchange is required.
Follow the logic used in the second call (in init_ctx_nego), which is
correct.

2. If the acceptor selects a mech other than the optimistic mech, it
sets sc->mic_reqd to 1 whether or not the selected mech supports MICs
(which isn't known until the mech completes).  Most code outside of
handle_mic checks sc->mic_reqd along with (sc->ctx_flags &
GSS_C_INTEG_FLAG), but the code in acc_ctx_call_acc neglected to do
so, so it could improperly delegate responsibility for deciding when
the negotiation was finished to handle_mic--which never gets called if
(sc->ctx_flags & GSS_C_INTEG_FLAG) is false.  Fix acc_ctx_call_acc to
check sc->ctx_flags so that mechs which don't support integrity
protection can complete if they are selected non-optimistically.

ticket: 6603
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23742 dc483132-0cff-0310-8789-dd5450dbe970