krb5.git
13 years agoFix a premature free in ss_listen()
Greg Hudson [Mon, 25 Jul 2011 15:54:36 +0000 (15:54 +0000)]
Fix a premature free in ss_listen()

The readline support change freed input just after ss_execute_line(),
but input can be used in the error block immediately following.  Free
input after the error block instead.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25046 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoRewrite set_results() in prof_get.c
Greg Hudson [Mon, 25 Jul 2011 15:54:33 +0000 (15:54 +0000)]
Rewrite set_results() in prof_get.c

The new implementation should be more friendly to static analyzers.
Coverity was getting confused into thinking that profile_iterator()
had the effect of returning a freed name pointer.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25045 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoRestore accessor behavior on null profiles
Greg Hudson [Mon, 25 Jul 2011 15:54:30 +0000 (15:54 +0000)]
Restore accessor behavior on null profiles

Prior to the pluggable configuration work, profile_get_values() and
friends would return PROF_NO_PROFILE if called with a null profile.
Restore that behavior.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25044 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoSimplify KDC realm initialization slightly
Greg Hudson [Mon, 25 Jul 2011 15:54:26 +0000 (15:54 +0000)]
Simplify KDC realm initialization slightly

krb5_aprof_init() can no longer return 0 with a null profile, so we
can call krb5_aprof_finish() unconditionally.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25043 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix build without KRB5_DNS_LOOKUP
Greg Hudson [Mon, 25 Jul 2011 13:46:53 +0000 (13:46 +0000)]
Fix build without KRB5_DNS_LOOKUP

Define MAX_DNS_NAMELEN unconditionally in k5-int.h as we use it
unconditionally in kdc_util.c.  Don't define it in locate_kdc.c.

Conditionalize dns_locate_server() in locate_kdc.c as its only call
site (in k5_locate_server) and its helper function (locate_srv_dns_1)
are conditional.

From Chris Hecker with minor changes.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25042 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoClean up a number of variables set but not used warnings
Ezra Peisach [Sun, 24 Jul 2011 12:17:13 +0000 (12:17 +0000)]
Clean up a number of variables set but not used warnings

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25041 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoClean up the lock in gss_krb5int_import_cred
Greg Hudson [Sat, 23 Jul 2011 13:15:09 +0000 (13:15 +0000)]
Clean up the lock in gss_krb5int_import_cred

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25040 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoDon't include <editline/history.h>
Greg Hudson [Fri, 22 Jul 2011 18:59:08 +0000 (18:59 +0000)]
Don't include <editline/history.h>

editline puts all of its readline compatibility declarations in
editline/readline.h, and some versions apparently don't have the
history.h symlink.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25039 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoRename "ivec" to "cipher_state" in encrypt/decrypt
Greg Hudson [Fri, 22 Jul 2011 16:58:35 +0000 (16:58 +0000)]
Rename "ivec" to "cipher_state" in encrypt/decrypt

This makes the implementations match up with the prototypes, and is
more correct for enctypes like RC4 where the cipher state is not an
ivec.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25038 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix gss_set_cred_option cred creation with no name
Greg Hudson [Fri, 22 Jul 2011 16:56:36 +0000 (16:56 +0000)]
Fix gss_set_cred_option cred creation with no name

When creating a cred in the mechglue with gss_acquire_cred, the
mechanism is allowed to return no name from gss_inquire_cred.  But in
the analagous operation in gss_set_cred_option, that would result in
an error from gss_display_name.  Make the call to gss_display_name
conditional on the mechanism name being set.  Reported by Andrew
Bartlett.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25037 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix configure logic when libedit isn't present
Greg Hudson [Fri, 22 Jul 2011 16:37:00 +0000 (16:37 +0000)]
Fix configure logic when libedit isn't present

The configure script was correctly detecting that libedit was absent,
but was setting RL_CFLAGS to garbage in the process.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25036 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdd libedit/readline support to ss
Greg Hudson [Fri, 22 Jul 2011 00:26:56 +0000 (00:26 +0000)]
Add libedit/readline support to ss

By default, look for libedit (using pkg-config) and use it in libss.
Alternatively, the builder can explicitly ask for GNU Readline, but
using it will break the dejagnu test suite and will also add a GPL
dependency to libss and the programs using it.

ticket: 6931

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25035 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoBetter workaround for profile test module
Greg Hudson [Thu, 21 Jul 2011 21:04:24 +0000 (21:04 +0000)]
Better workaround for profile test module

Ken pointed out that we have a libnodeps.in for just this case, so use
it instead of a dummy SHLIB_RDIRS.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25034 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoSet SHLIB_RDIRS in profile test module build
Greg Hudson [Thu, 21 Jul 2011 20:41:20 +0000 (20:41 +0000)]
Set SHLIB_RDIRS in profile test module build

The test module has no dependencies, but SHLIB_RDIRS must be set or
the commands in shlib.conf can produce syntax errors.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25033 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix dependencies of test_load in profile library
Greg Hudson [Thu, 21 Jul 2011 20:41:16 +0000 (20:41 +0000)]
Fix dependencies of test_load in profile library

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25032 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix profile_abandon() management lib_handle lock
Greg Hudson [Thu, 21 Jul 2011 18:17:38 +0000 (18:17 +0000)]
Fix profile_abandon() management lib_handle lock

It wasn't unlocking the mutex after decrementing the refcount and
wasn't destroying the mutex before freeing the handle.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25031 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix name initialization in gss_krb5int_import_cred
Greg Hudson [Wed, 20 Jul 2011 22:40:46 +0000 (22:40 +0000)]
Fix name initialization in gss_krb5int_import_cred

If we're going to fake up a name, we have to initialize its lock.  It
might be better to use kg_init_name(), but we don't have a context on
hand.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25030 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix memory leak of accprinc in kg_accept_krb5()
Greg Hudson [Wed, 20 Jul 2011 20:44:31 +0000 (20:44 +0000)]
Fix memory leak of accprinc in kg_accept_krb5()

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25029 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoCorrected older typo
Zhanna Tsitkov [Wed, 20 Jul 2011 19:47:11 +0000 (19:47 +0000)]
Corrected older typo

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25028 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoDocument loadable profile modules
Greg Hudson [Wed, 20 Jul 2011 19:14:38 +0000 (19:14 +0000)]
Document loadable profile modules

ticket: 6929

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25027 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdd krb5_init_context_profile API
Greg Hudson [Wed, 20 Jul 2011 19:14:34 +0000 (19:14 +0000)]
Add krb5_init_context_profile API

ticket: 6929

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25026 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdd support for loadable profile modules
Greg Hudson [Wed, 20 Jul 2011 19:14:28 +0000 (19:14 +0000)]
Add support for loadable profile modules

ticket: 6929

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25025 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdd libprofile support for vtable-backed profiles
Greg Hudson [Wed, 20 Jul 2011 19:14:20 +0000 (19:14 +0000)]
Add libprofile support for vtable-backed profiles

ticket: 6929

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25024 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdded documentation for krb5_decode_authdata_container and krb5_encode_authdata_conta...
Zhanna Tsitkov [Wed, 20 Jul 2011 16:48:25 +0000 (16:48 +0000)]
Added documentation for krb5_decode_authdata_container and krb5_encode_authdata_container API functions

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25023 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdd automated tests for krb5_gss_import_cred
Greg Hudson [Wed, 20 Jul 2011 05:12:10 +0000 (05:12 +0000)]
Add automated tests for krb5_gss_import_cred

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25022 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix process list spew in verbose kadmin tests
Greg Hudson [Mon, 18 Jul 2011 15:10:47 +0000 (15:10 +0000)]
Fix process list spew in verbose kadmin tests

Set PS_PID to "ps uwwp" so we display only the process we're trying to
point out, and not the whole process table.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25021 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoDeclare gmt_mktime before use
Ken Raeburn [Sun, 17 Jul 2011 17:51:35 +0000 (17:51 +0000)]
Declare gmt_mktime before use

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25020 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix the problem with a wildcard in typedefs
Zhanna Tsitkov [Tue, 12 Jul 2011 15:56:46 +0000 (15:56 +0000)]
Fix the problem with a wildcard in typedefs

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25019 dc483132-0cff-0310-8789-dd5450dbe970

13 years agouse timegm() for krb5int_gmt_mktime() when available
Tom Yu [Mon, 11 Jul 2011 17:53:25 +0000 (17:53 +0000)]
use timegm() for krb5int_gmt_mktime() when available

Use timegm() if it is available, so that krb5int_gmt_mktime()
functions correctly on systems configured with a "right"
(leap-second-aware) time zone.  It is arguably an OS bug if a "right"
time zone can be configured on a system that lacks timegm().

Due to a current lack of evidence of affected systems, the additional
workaround of replacing gmtime() with a version that always ignores
leap seconds is deferred.

ticket: 6928

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25018 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix make clean in gss-kernel-lib
Greg Hudson [Mon, 11 Jul 2011 17:50:53 +0000 (17:50 +0000)]
Fix make clean in gss-kernel-lib

List kernel_gss.c in EXTRADEPSRCS instead of SRCS so that it doesn't
get removed by "make clean" along with the copied source files.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25017 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdded documentation for cred cache (un)lock, checksum and crypto length APIs
Zhanna Tsitkov [Mon, 11 Jul 2011 17:45:21 +0000 (17:45 +0000)]
Added documentation for cred cache (un)lock, checksum and crypto length APIs

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25016 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoExclude files from src/plugins subdirectory as input source files for Doxygen
Zhanna Tsitkov [Thu, 7 Jul 2011 13:06:29 +0000 (13:06 +0000)]
Exclude files from src/plugins subdirectory as input source files for Doxygen

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25015 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoSimplify and fix chpass_util error generation
Greg Hudson [Wed, 6 Jul 2011 16:33:27 +0000 (16:33 +0000)]
Simplify and fix chpass_util error generation

If a principal has no associated kadm5 policy, we may still get
password quality errors from a module (KDB or pwqual).  There was a
bug in the error generation for this case which caused only a generic
error to be returned.

Also use snprintf() instead of multiple string operations to compose
errors.

From Simo Sorce <ssorce@redhat.com>.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25014 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdded a new section "declaration" to the "types" template
Zhanna Tsitkov [Tue, 5 Jul 2011 18:51:43 +0000 (18:51 +0000)]
Added a new section "declaration" to the "types" template

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25013 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoC90 doesn't allow commas at the ends of enumeration lists
Ken Raeburn [Fri, 1 Jul 2011 03:27:01 +0000 (03:27 +0000)]
C90 doesn't allow commas at the ends of enumeration lists

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25012 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAlways include fake-addrinfo.h when using getaddrinfo and friends
Ken Raeburn [Fri, 1 Jul 2011 03:26:58 +0000 (03:26 +0000)]
Always include fake-addrinfo.h when using getaddrinfo and friends

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25011 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoisspace should only get unsigned-char values or EOF
Ken Raeburn [Fri, 1 Jul 2011 03:26:53 +0000 (03:26 +0000)]
isspace should only get unsigned-char values or EOF

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25010 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoDon't pass unsupported -n option to t_rcache
Ken Raeburn [Fri, 1 Jul 2011 03:26:50 +0000 (03:26 +0000)]
Don't pass unsupported -n option to t_rcache

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25009 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoDisplay default values in usage message
Ken Raeburn [Fri, 1 Jul 2011 03:26:46 +0000 (03:26 +0000)]
Display default values in usage message

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25008 dc483132-0cff-0310-8789-dd5450dbe970

13 years agomake depend
Ezra Peisach [Fri, 1 Jul 2011 00:29:10 +0000 (00:29 +0000)]
make depend

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25007 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdded "Installing and configuring UNIX client machines" section
Zhanna Tsitkov [Thu, 30 Jun 2011 18:22:44 +0000 (18:22 +0000)]
Added "Installing and configuring UNIX client machines" section

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25006 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdded Install KDC section from the Kerberos V5 Installation Guide.
Zhanna Tsitkov [Thu, 30 Jun 2011 16:13:44 +0000 (16:13 +0000)]
Added Install KDC section from the Kerberos V5 Installation Guide.
Updated some cross-referencing.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25005 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdded "UNIX Application Servers" section.
Zhanna Tsitkov [Wed, 29 Jun 2011 20:15:19 +0000 (20:15 +0000)]
Added  "UNIX Application Servers" section.
Added the actual source file for "Incremental database propagation" section.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25004 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdded "Realm configuration decisions" and "Incremental database propagation" sections.
Zhanna Tsitkov [Wed, 29 Jun 2011 18:30:51 +0000 (18:30 +0000)]
Added "Realm configuration decisions" and "Incremental database propagation"  sections.
Updated some cross-file references
Restored kadm5.acl s option  in "Privileges" section

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25003 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoDocument preauth krb5.conf options in rst docs
Greg Hudson [Wed, 29 Jun 2011 17:03:19 +0000 (17:03 +0000)]
Document preauth krb5.conf options in rst docs

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25002 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix typo in preauth plugin krb5.conf docs
Greg Hudson [Wed, 29 Jun 2011 17:03:16 +0000 (17:03 +0000)]
Fix typo in preauth plugin krb5.conf docs

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25001 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoUpdated list of the permissions - added "p/P" and removed "s/S"
Zhanna Tsitkov [Wed, 29 Jun 2011 16:29:34 +0000 (16:29 +0000)]
Updated list of the permissions - added "p/P" and removed "s/S"

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25000 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdd instructions for adding the API reference documentation to Sphinx Kerberos docume...
Zhanna Tsitkov [Tue, 28 Jun 2011 17:36:52 +0000 (17:36 +0000)]
Add instructions for adding the API reference documentation to Sphinx Kerberos documentation project

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24997 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoGet static linking working again, mostly
Greg Hudson [Tue, 28 Jun 2011 14:07:07 +0000 (14:07 +0000)]
Get static linking working again, mostly

Static linking (#6510) broke when lockout support was added because
the DB2 plugin became dependent on libkadm5srv_mit for XDR functions.
Also, static linking was extensively broken in combination with LDAP
support.  Fix these problems.

Afer these fixes, the test suite fails in the FAST tests because
there's no static build support for dynamic preauth plugins, which
means there's no encrypted challenge.  (And unlike the pkinit tests,
the test suite doesn't conditionalize on the presence of the encrypted
challenge plugin, because we always build it.)  This will fix itself
if and when encrypted challenge becomes linked into the consumers, or
static build support is added for preauth plugins.

ticket: 6914

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24996 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoEnable and fix warnings in util/gss-kernel-lib
Greg Hudson [Mon, 27 Jun 2011 22:23:23 +0000 (22:23 +0000)]
Enable and fix warnings in util/gss-kernel-lib

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24995 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoMake kgss test processes run in lock-step
Greg Hudson [Mon, 27 Jun 2011 22:23:18 +0000 (22:23 +0000)]
Make kgss test processes run in lock-step

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24994 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdd a missing call in t_kgss_user.c
Greg Hudson [Mon, 27 Jun 2011 21:07:20 +0000 (21:07 +0000)]
Add a missing call in t_kgss_user.c

The userland side of the gss kernel subset tests was missing a call to
read_iov_token() at the end of the operation sequence.  This mistake
caused a race condition where the child could either exit successfully
(if it finished send_iov_token() before the parent closed its end of
the pipe) or could fail with an EPIPE error from write().

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24993 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoRemoved 'viewcode' extension from the conf.py as not-required for the "minimal" build...
Zhanna Tsitkov [Mon, 27 Jun 2011 14:49:44 +0000 (14:49 +0000)]
Removed 'viewcode' extension from the conf.py as not-required for the "minimal" build (i.e. build without Complete API and datatype reference section).
Added README file for sphinx-build.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24992 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoDocument built-in modules for clpreauth/kdcpreauth
Greg Hudson [Sun, 26 Jun 2011 14:28:26 +0000 (14:28 +0000)]
Document built-in modules for clpreauth/kdcpreauth

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24991 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoMake fewer db lookups in kadm5_create_principal_3
Greg Hudson [Fri, 24 Jun 2011 20:12:28 +0000 (20:12 +0000)]
Make fewer db lookups in kadm5_create_principal_3

By creating the password history entry earlier in the function, we can
avoid the need to look up the principal entry twice just to save a
copy of the key data.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24990 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoUse zapfree in krb5_free_key_data_contents()
Greg Hudson [Fri, 24 Jun 2011 20:12:24 +0000 (20:12 +0000)]
Use zapfree in krb5_free_key_data_contents()

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24989 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoDon't destroy dst on error in krb5_cc_move
Greg Hudson [Thu, 23 Jun 2011 19:50:04 +0000 (19:50 +0000)]
Don't destroy dst on error in krb5_cc_move

Although destroying any partial contents of dst on error isn't a bad
idea, invalidating the handle would be an incompatible change.  So
revert that part of r24754.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24988 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix a minor memory leak in kadmin
Greg Hudson [Thu, 23 Jun 2011 19:26:01 +0000 (19:26 +0000)]
Fix a minor memory leak in kadmin

kadmin_getprinc() was using the variable "canon" for two purposes.
After r22785, canon wasn't freed between constructions, so the first
value was leaked.  Fix by using separate variables for separate
strings.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24987 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix a minor memory leak in the pwqual loader
Greg Hudson [Thu, 23 Jun 2011 19:25:58 +0000 (19:25 +0000)]
Fix a minor memory leak in the pwqual loader

k5_pwqual_free_handles() wasn't freeing the container structure for
each handle.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24986 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix memory leak introduced in r24969
Greg Hudson [Thu, 23 Jun 2011 19:25:55 +0000 (19:25 +0000)]
Fix memory leak introduced in r24969

The new context field plugin_base_dir wasn't being freed on context
deletion.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24985 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix multiple libkdb_ldap memory leaks
Greg Hudson [Thu, 23 Jun 2011 19:25:51 +0000 (19:25 +0000)]
Fix multiple libkdb_ldap memory leaks

* krb5_ldap_policydn_to_name wasn't freeing rdn, and was using the
  wrong function to free dn, in the HAVE_LDAP_STR2DN CASE.
* populate_krb5_db_entry wasn't freeing the tl_data generated from
  ber_tl_data.
* populate_krb5_db_entry was using the wrong function to free
  a password policy when finding pw_max_life.
* krb5_ldap_put_principal wasn't freeing ber_tl_data.
* krb5_update_tl_kadm_data had a bad contract.  Change the contract
  to be more like krb5_dbe_update_mod_princ_data and simplify its
  memory management.

ticket: 6924

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24984 dc483132-0cff-0310-8789-dd5450dbe970

13 years agodoxy.py is a translator from Doxygen xml output into the restructuredText format.
Zhanna Tsitkov [Thu, 23 Jun 2011 19:03:34 +0000 (19:03 +0000)]
doxy.py is a translator from Doxygen xml output into the restructuredText format.
The generated output may be used in Sphinx documentation project for the complete API and data type reference.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24983 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoDocument clpreauth/kdcpreauth module configuration
Greg Hudson [Thu, 23 Jun 2011 16:26:34 +0000 (16:26 +0000)]
Document clpreauth/kdcpreauth module configuration

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24982 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoInitial commit of the Sphinx documentation source.
Zhanna Tsitkov [Thu, 23 Jun 2011 14:59:45 +0000 (14:59 +0000)]
Initial commit of the Sphinx documentation source.
One can build Sphinx documentation set in the html format by calling:
sphinx-build sourcedir builddir

For example:
sphinx-build ./rst_source /tmp/build

Note: This commit does not include the "Complete Reference - API and datatypes". This results into partial disabling of the function cross-referencing enhancement in the generated documentation.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24981 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoUpdate kpropd provisos in install guide
Greg Hudson [Thu, 23 Jun 2011 14:41:53 +0000 (14:41 +0000)]
Update kpropd provisos in install guide

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24980 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoSeparate license and non-license comment in kpropd
Greg Hudson [Thu, 23 Jun 2011 14:41:48 +0000 (14:41 +0000)]
Separate license and non-license comment in kpropd

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24979 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoUse AI_ADDRCONFIG for more efficient getaddrinfo
Greg Hudson [Thu, 23 Jun 2011 04:13:45 +0000 (04:13 +0000)]
Use AI_ADDRCONFIG for more efficient getaddrinfo

Add AI_ADDRCONFIG to the hint flags for every invocation of
getaddrinfo which wasn't already using it.  This is often the default
behavior when no hints are specified, but we tend to specify hints a
lot, so we have to say it ourselves.  AI_ADDRCONFIG causes AAAA
lookups to be skipped if the system has no public IPv6 interface
addresses, usually saving a couple of DNS queries per getaddrinfo
call and allowing DNS caching to be much more effective without the
need for negative caching.

ticket: 6923

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24978 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoWork around glibc getaddrinfo PTR lookups
Greg Hudson [Thu, 23 Jun 2011 04:13:38 +0000 (04:13 +0000)]
Work around glibc getaddrinfo PTR lookups

In krb5_sname_to_principal(), we always do a forward canonicalization
using getaddrinfo() with AI_CANONNAME set.  Then, we do a reverse
canonicalization with getnameinfo() if rdns isn't set to false in
libdefaults.

Current glibc (tested with eglibc 2.11.1) has the arguably buggy
behavior of doing PTR lookups in getaddrinfo() to get the canonical
name, if hints.ai_family is set to something other than AF_UNSPEC.
This behavior defeats the ability to turn off rdns.  Work around this
behavior by using AF_UNSPEC in krb5_sname_to_principal() from the
start, instead of starting with AF_INET and falling back.  Specify
AI_ADDRCONFIG to avoid AAAA lookups on hosts with no IPv6 addresses.

ticket: 6922

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24977 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoUse AI_ADDRCONFIG unconditionally in kpropd
Greg Hudson [Thu, 23 Jun 2011 04:13:32 +0000 (04:13 +0000)]
Use AI_ADDRCONFIG unconditionally in kpropd

fake-addrinfo.h ensures that AI_ADDRCONFIG is defined, so we don't
need #ifdef tests when we use it.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24976 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoCosmetic fixes to preauth_plugin.h from Linus Nordberg
Greg Hudson [Wed, 22 Jun 2011 23:31:36 +0000 (23:31 +0000)]
Cosmetic fixes to preauth_plugin.h from Linus Nordberg

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24975 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix the build and doxygen markup
Zhanna Tsitkov [Wed, 22 Jun 2011 19:55:31 +0000 (19:55 +0000)]
Fix the build and doxygen markup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24974 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFormatting and editorial pass over krb5.hin doxygen markup
Greg Hudson [Wed, 22 Jun 2011 19:24:51 +0000 (19:24 +0000)]
Formatting and editorial pass over krb5.hin doxygen markup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24973 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoDocument that e_data can be used by KDB modules internally
Greg Hudson [Mon, 20 Jun 2011 16:49:00 +0000 (16:49 +0000)]
Document that e_data can be used by KDB modules internally

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24972 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoConvert preauth_plugin.h to new plugin framework
Greg Hudson [Fri, 17 Jun 2011 13:44:33 +0000 (13:44 +0000)]
Convert preauth_plugin.h to new plugin framework

The preauth plugin interface was introduced in 1.6 but was never made
a public API.  In preparation for making it public in 1.10, convert it
to use the new plugin framework.  This will require changes to any
existing preauth plugins.

A number of symbols were renamed for namespace cleanliness, and
abstract types were introduced for module data and module per-request
data for better type safety.

On the consumer end (preauth2.c and kdc_preauth.c), this is a pretty
rough conversion.  Eventually we should create proper consumer APIs
with module handles, and the flat lists of preauth types should hold
pointers to module handles rather than copies of the vtables.  The
built-in preauth type handlers should then be converted to built-in
module providers linked into the consumer code (as should encrypted
challenge, since it has no external dependencies).  None of this will
impact the provider API for preauth plugins, so it can wait.

ticket: 6921

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24970 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdd k5_plugin_register_dyn internal API
Greg Hudson [Fri, 17 Jun 2011 13:44:26 +0000 (13:44 +0000)]
Add k5_plugin_register_dyn internal API

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24969 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoANSIfy the remaining K&R functions in lib/gssapi/generic
Greg Hudson [Mon, 13 Jun 2011 21:44:51 +0000 (21:44 +0000)]
ANSIfy the remaining K&R functions in lib/gssapi/generic

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24968 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix old-style GSSRPC authentication
Greg Hudson [Mon, 13 Jun 2011 18:54:33 +0000 (18:54 +0000)]
Fix old-style GSSRPC authentication

r24147 (ticket #6746) made libgssrpc ignorant of the remote address of
the kadmin socket, even when it's IPv4.  This made old-style GSSAPI
authentication fail because it uses the wrong channel bindings.  Fix
this problem by making clnttcp_create() get the remote address from
the socket using getpeername() if the caller doesn't provide it and
it's an IPv4 address.

ticket: 6920
target_version: 1.9.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24967 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoHandle invalid intervals in lockout-related kadmin parameters
Greg Hudson [Fri, 10 Jun 2011 20:01:23 +0000 (20:01 +0000)]
Handle invalid intervals in lockout-related kadmin parameters

ticket: 6911

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24966 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoStart building PDF docs by default
Tom Yu [Fri, 10 Jun 2011 19:33:36 +0000 (19:33 +0000)]
Start building PDF docs by default

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24965 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoSet LC_MESSAGES to "C" in tests which run commands
Greg Hudson [Fri, 10 Jun 2011 18:18:04 +0000 (18:18 +0000)]
Set LC_MESSAGES to "C" in tests which run commands

ticket: 6918

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24964 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdd setlocale() calls to main functions
Greg Hudson [Fri, 10 Jun 2011 18:17:59 +0000 (18:17 +0000)]
Add setlocale() calls to main functions

ticket: 6918

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24963 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoGenerating mit-krb5 pot file
Greg Hudson [Fri, 10 Jun 2011 18:17:55 +0000 (18:17 +0000)]
Generating mit-krb5 pot file

ticket: 6918

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24962 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoMark up strings for translation
Greg Hudson [Fri, 10 Jun 2011 18:17:37 +0000 (18:17 +0000)]
Mark up strings for translation

ticket: 6918

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdd localization support to com_err
Greg Hudson [Fri, 10 Jun 2011 18:17:22 +0000 (18:17 +0000)]
Add localization support to com_err

* Add compile_et arguments --textdomain and --localedir.
* Store text domain and localedir at the end of error tables.
* error_message() calls dgettext if the table has a text domain.
* add_error_table() calls bindtextdomain if the table has a localedir.
* Define N_() as no-op in generated source and mark up error messages.
* When using system compile_et, test for --textdomain support.
* Use --textdomain option when available.
* Run xgettext over generated sources in compile_et rule.
* Translate com_err results in krb5int_get_error() if com_err won't.

ticket: 6918

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24960 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdd localization infrastructure
Greg Hudson [Fri, 10 Jun 2011 18:17:12 +0000 (18:17 +0000)]
Add localization infrastructure

Adds build system logic, translation macros in k5-platform.h, and
bindtextdomain calls in libkrb5 initialization.

ticket: 6918

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24959 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoRemove static error table list in built-in com_err
Greg Hudson [Sun, 5 Jun 2011 22:05:04 +0000 (22:05 +0000)]
Remove static error table list in built-in com_err

_et_list has been private to error_message.c since March 2004, and
since nothing in that file ever added entries to it, it is always
NULL.  As it's not doing any good, get rid of it, and rename the
dynamic error table list to "et_list", along with its type.  Also
remove some old lclint annotations.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24947 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoRestore fallback non-referral TGS request to same realm
Greg Hudson [Fri, 3 Jun 2011 01:00:52 +0000 (01:00 +0000)]
Restore fallback non-referral TGS request to same realm

MIT krb5 1.2 and earlier KDCs reject TGS requests if the canonicalize
bit is set.  Prior to 1.9, we used to handle this by making a
non-referral fallback request on any error, but the rewrite in 1.9
mistakenly changed the behavior so that fallback requests are only
made if the original request used the referral realm and the fallback
realm is different from the default realm.  Restore the old behavior.

ticket: 6917
target_version: 1.9.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24946 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoRestore krb5_get_credentials caching for referral requests
Greg Hudson [Thu, 26 May 2011 18:05:49 +0000 (18:05 +0000)]
Restore krb5_get_credentials caching for referral requests

The krb5_get_credentials() rewrite for IAKERB accidentally omitted the
final step of restoring the requested realm in the output credentials.
As a result, referral entries are not cached, and the caller sees the
actual realm in (*out_creds)->server instead of the referral realm as
before.  Fix this in complete() by swapping ctx->req_server into
ctx->reply_creds->server.

ticket: 6916
target_version: 1.9.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24945 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoDon't assume principal components are C strings in klist -s
Greg Hudson [Wed, 25 May 2011 21:45:40 +0000 (21:45 +0000)]
Don't assume principal components are C strings in klist -s

ticket: 6915

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24944 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix multiple tl-data updates over iprop
Greg Hudson [Sun, 22 May 2011 02:08:37 +0000 (02:08 +0000)]
Fix multiple tl-data updates over iprop

krb5_dbe_update_tl_data() accepts a single read-only tl-data entry,
but ulog_conv_2dbentry() expects it to process a full list.  Fix
ulog_conv_2dbentry() to call krb5_db2_update_tl_data() on each entry
individually, simplifying its memory management in the process.

ticket: 6913
target_version: 1.9.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24937 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoRevert r5233 and mark get_age as deprecated in the DAL documentation.
Greg Hudson [Fri, 20 May 2011 15:21:28 +0000 (15:21 +0000)]
Revert r5233 and mark get_age as deprecated in the DAL documentation.
We do not need to check reply retransmissions for staleness any more
than TCP needs to.  A genuinely new request will have a different
nonce.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24936 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoUpdated documentation for krb5_c_ and sensauth API.
Zhanna Tsitkov [Thu, 19 May 2011 14:14:54 +0000 (14:14 +0000)]
Updated documentation for krb5_c_ and sensauth API.
Also, removed the second declaration of krb5_c_string_to_key_with_params() from string_to_key.c

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24935 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoIn mk_rd_cred if recv_subkey in the authentication context is NULL and the decryption...
Zhanna Tsitkov [Mon, 16 May 2011 18:36:55 +0000 (18:36 +0000)]
In mk_rd_cred if recv_subkey in the authentication context is NULL and the decryption with the session key fails, do not try to decrypt the message with the session key again.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24934 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoUpdated documentation for krb5_rd_ API
Zhanna Tsitkov [Mon, 16 May 2011 14:13:39 +0000 (14:13 +0000)]
Updated documentation for krb5_rd_ API

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24933 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoDocument the lockout-related options in kadmin (modprinc -unlock and
Greg Hudson [Mon, 16 May 2011 04:20:55 +0000 (04:20 +0000)]
Document the lockout-related options in kadmin (modprinc -unlock and
addpol/modpol -maxfailure, -failurecountinterval, and
-lockoutduration), in the man page and in admin.texinfo.  Based on
text submitted by shawn.emery@oracle.com.

ticket: 6910

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24932 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoIn kadmin, try using get_date() for lockout-related duration inputs to
Greg Hudson [Mon, 16 May 2011 03:54:16 +0000 (03:54 +0000)]
In kadmin, try using get_date() for lockout-related duration inputs to
modpol and addpol, but still allow bare numbers of seconds since
that's what we took in 1.8 and 1.9.  Use strdur() to display
lockout-related durations in getpol.  Reported by
shawn.emery@oracle.com.

ticket: 6911

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24931 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoLink t_kgss_kernel against libkrb5support since parts of libkgss use
Greg Hudson [Sun, 15 May 2011 14:47:19 +0000 (14:47 +0000)]
Link t_kgss_kernel against libkrb5support since parts of libkgss use
zap(), which creates a dependency with non-gcc compilers.

ticket: 6909

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24930 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoUse hmac-md5 checksum for PA-FOR-USER padata
Greg Hudson [Sat, 14 May 2011 14:49:00 +0000 (14:49 +0000)]
Use hmac-md5 checksum for PA-FOR-USER padata

The MS-S4U documentation specifies that hmac-md5 be used for
PA-FOR-USER checksums; we were using the mandatory checksum type for
the key.  Although some other checksum types appear to be allowed by
Active Directory KDCs, Richard Silverman reports that md5-des is not
one of them, causing S4U2Self requests to fail for DES keys.

ticket: 6912
target_version: 1.9.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24929 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoUpdated documentation for PAC API. Moved PAC type definitions into krb5.hin
Zhanna Tsitkov [Fri, 13 May 2011 12:33:52 +0000 (12:33 +0000)]
Updated documentation for PAC API. Moved PAC type definitions into krb5.hin

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24928 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoUpdated documentation for krb5_mk_ functions
Zhanna Tsitkov [Thu, 12 May 2011 16:03:22 +0000 (16:03 +0000)]
Updated documentation for krb5_mk_ functions

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24927 dc483132-0cff-0310-8789-dd5450dbe970