krb5.git
Greg Hudson [Sun, 22 May 2011 02:08:37 +0000 (02:08 +0000)]
Fix multiple tl-data updates over iprop

krb5_dbe_update_tl_data() accepts a single read-only tl-data entry,
but ulog_conv_2dbentry() expects it to process a full list.  Fix
ulog_conv_2dbentry() to call krb5_db2_update_tl_data() on each entry
individually, simplifying its memory management in the process.

ticket: 6913
target_version: 1.9.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24937 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 20 May 2011 15:21:28 +0000 (15:21 +0000)]
Revert r5233 and mark get_age as deprecated in the DAL documentation.
We do not need to check reply retransmissions for staleness any more
than TCP needs to.  A genuinely new request will have a different
nonce.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24936 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Thu, 19 May 2011 14:14:54 +0000 (14:14 +0000)]
Updated documentation for krb5_c_ and sensauth API.
Also, removed the second declaration of krb5_c_string_to_key_with_params() from string_to_key.c

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24935 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Mon, 16 May 2011 18:36:55 +0000 (18:36 +0000)]
In mk_rd_cred if recv_subkey in the authentication context is NULL and the decryption with the session key fails, do not try to decrypt the message with the session key again.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24934 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Mon, 16 May 2011 14:13:39 +0000 (14:13 +0000)]
Updated documentation for krb5_rd_ API

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24933 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 16 May 2011 04:20:55 +0000 (04:20 +0000)]
Document the lockout-related options in kadmin (modprinc -unlock and
addpol/modpol -maxfailure, -failurecountinterval, and
-lockoutduration), in the man page and in admin.texinfo.  Based on
text submitted by shawn.emery@oracle.com.

ticket: 6910

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24932 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 16 May 2011 03:54:16 +0000 (03:54 +0000)]
In kadmin, try using get_date() for lockout-related duration inputs to
modpol and addpol, but still allow bare numbers of seconds since
that's what we took in 1.8 and 1.9.  Use strdur() to display
lockout-related durations in getpol.  Reported by
shawn.emery@oracle.com.

ticket: 6911

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24931 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sun, 15 May 2011 14:47:19 +0000 (14:47 +0000)]
Link t_kgss_kernel against libkrb5support since parts of libkgss use
zap(), which creates a dependency with non-gcc compilers.

ticket: 6909

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24930 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sat, 14 May 2011 14:49:00 +0000 (14:49 +0000)]
Use hmac-md5 checksum for PA-FOR-USER padata

The MS-S4U documentation specifies that hmac-md5 be used for
PA-FOR-USER checksums; we were using the mandatory checksum type for
the key.  Although some other checksum types appear to be allowed by
Active Directory KDCs, Richard Silverman reports that md5-des is not
one of them, causing S4U2Self requests to fail for DES keys.

ticket: 6912
target_version: 1.9.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24929 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Fri, 13 May 2011 12:33:52 +0000 (12:33 +0000)]
Updated documentation for PAC API. Moved PAC type definitions into krb5.hin

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24928 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Thu, 12 May 2011 16:03:22 +0000 (16:03 +0000)]
Updated documentation for krb5_mk_ functions

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24927 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 11 May 2011 06:03:09 +0000 (06:03 +0000)]
Add more missing headers in kernel subset directory.  Hopefully the
whole set this time.

ticket: 6909

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24926 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 11 May 2011 04:42:59 +0000 (04:42 +0000)]
Reference libraries from the build tree when linking and
t_kgss_kernel.

ticket: 6909

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24925 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 10 May 2011 22:26:09 +0000 (22:26 +0000)]
Add more missing headers in kernel subset directory

ticket: 6909

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24924 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 10 May 2011 21:04:31 +0000 (21:04 +0000)]
Fix the header list for the kernel subset directory

ticket: 6909

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24923 dc483132-0cff-0310-8789-dd5450dbe970

Luke Howard [Mon, 9 May 2011 22:05:48 +0000 (22:05 +0000)]
fix regression in r24853: PAC no longer exposed

Windows PAC is not AD-KDCIssued, rather it is signed with the long-term
service session key (or user-to-user key). Advertise this correctly in
the internal authorization data SPI.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24922 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 9 May 2011 18:41:03 +0000 (18:41 +0000)]
Kernel subset

Add a directory containing a "kernel subset" (context import and
message functions only) of the gss-krb5 library, with a test framework
to exercise the functionality and indicate when unknown dependencies
creep in.

ticket: 6909

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24921 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Mon, 9 May 2011 18:33:09 +0000 (18:33 +0000)]
Updated documentation for krb5_init_creds_ function family

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24920 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 9 May 2011 18:16:14 +0000 (18:16 +0000)]
Avoid calling gss_release_buffer() from the message-processing code
in lib/gssapi/krb5.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24919 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 9 May 2011 18:06:15 +0000 (18:06 +0000)]
Use internal crypto functions directly from util_crypt.c, avoiding a
dependency on the accessor.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24918 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 9 May 2011 17:28:07 +0000 (17:28 +0000)]
Delete sec context properly in gss_krb5_export_lucid_sec_context

Since r21690, gss_krb5_export_lucid_sec_context() has been passing a
union context to krb5_gss_delete_sec_context(), causing a crash as the
krb5 routine attempts to interpret a union context structure as a krb5
GSS context.  Call the mechglue gss_delete_sec_context instead.

ticket: 6908
target_version: 1.9.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24917 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Thu, 5 May 2011 18:43:49 +0000 (18:43 +0000)]
Updated documentation: added usage example for krb5_tkt_creds family, removed "(unused)" string from the comments and other cleanup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24913 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Tue, 3 May 2011 14:25:11 +0000 (14:25 +0000)]
API documentation: added a usage example for krb5_verify_init_creds function family

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24912 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 3 May 2011 10:13:21 +0000 (10:13 +0000)]
Eliminate a redundant initialization in cm_init_selstate() in
sendto_kdc.c.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24911 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Tue, 3 May 2011 01:58:07 +0000 (01:58 +0000)]
Updated API documentation with the comments mostly related to verify and convert routines

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24910 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Mon, 2 May 2011 20:57:23 +0000 (20:57 +0000)]
modernize doc/Makefile somewhat

Modernize doc/Makefile somewhat so that it can run more usefully on
modern non-Athena machines.

ticket: 6906
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24909 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 2 May 2011 20:45:38 +0000 (20:45 +0000)]
Add poll support to sendto_kdc.c so that it can work in processes with
large numbers of open files.  Move krb5int_cm_call_select() to a
separate file so that the poll support doesn't interfere with
net-server.c's continuing use of select.

ticket: 6905

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24908 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 2 May 2011 15:37:38 +0000 (15:37 +0000)]
r24899 moved the declarations of krb5int_mk_chpw_req and related
functions from k5-int.h to int-proto.h.  The removal of those
declarations from k5-int.h was accidentally omitted from the commit;
commit it now.

ticket: 6893

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24907 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Sun, 1 May 2011 23:35:42 +0000 (23:35 +0000)]
Updated documentation of krb5_copy_ , krb5_free_ and krb5_kt_ functions

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24906 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Thu, 28 Apr 2011 16:32:51 +0000 (16:32 +0000)]
Updated the documentation for API related to the credentials caches and their collections

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24905 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Thu, 28 Apr 2011 15:43:45 +0000 (15:43 +0000)]
Properly release resources in krb5_copy_authenticator()

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24904 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 27 Apr 2011 22:09:29 +0000 (22:09 +0000)]
The MIT krb5 and Heimdal implementations of
gss_krb5_export_lucid_sec_context error on version arguments other
than 1, so the version negotiation described in the function
documentation would not be backward-compatible.  Change the docs so
that the caller can assume the returned structure is of the requested
version, but the caller will be responsible for retrying with lower
version numbers on error.  (Unfortunately, Heimdal and MIT return
different error codes, and MIT's is in a currently-unpublished header,
so we can't document the error code for unknown versions.)

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24903 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 27 Apr 2011 17:12:07 +0000 (17:12 +0000)]
Make krb5_os_init_context compile again after r24901

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24902 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Wed, 27 Apr 2011 15:58:49 +0000 (15:58 +0000)]
Remove worthless call to krb5_cc_set_default_name in krb5_os_init_context

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24901 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 25 Apr 2011 22:01:47 +0000 (22:01 +0000)]
Correctly set the expiration field of impersonated credentials in
kg_compose_deleg_cred(), so we can find them in the cache in
init_sec_context.  From aberry@likewise.com.

ticket: 6902

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24900 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 25 Apr 2011 17:28:42 +0000 (17:28 +0000)]
Refactor krb5int_rd_chpw_rep() and make it properly handle both framed
and unframed KRB-ERROR messages.  Eliminate krb5int_rd_setpw_rep() and
krb5int_setpw_result_code_string() by making the chpw versions of
those functions handle RFC 3244 replies.

ticket: 6893

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24899 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 25 Apr 2011 16:44:16 +0000 (16:44 +0000)]
Do not reference krb5_chpw_result_code_string in
krb5_change_password() documentation, as it is not a public function.
Do not falsely claim that the result_code_string parameter is unused.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24898 dc483132-0cff-0310-8789-dd5450dbe970

Ezra Peisach [Fri, 22 Apr 2011 19:37:32 +0000 (19:37 +0000)]
Close comment in #endif for KRB5_DEPRECATED to avoid warning of
/* in open comment.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24894 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Fri, 22 Apr 2011 14:13:59 +0000 (14:13 +0000)]
Documented V4/V5 conversion and some credential cache API functions. Marked krb5_cc_gen_new() as deprecated

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24893 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 21 Apr 2011 16:54:31 +0000 (16:54 +0000)]
Remove kg_map_toktype(), as the call sites were removed in r21742

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24892 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Wed, 20 Apr 2011 15:48:20 +0000 (15:48 +0000)]
Documented krb5_auth_con_ API family

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24891 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 20 Apr 2011 14:40:49 +0000 (14:40 +0000)]
Install k5login(5) as well as .k5login(5)

Since there is conflicting precedent as to whether dotfile man pages
should be installed with or without the leading dot, install the
.k5login man page both ways.

ticket: 6904

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24890 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 19 Apr 2011 18:16:17 +0000 (18:16 +0000)]
Missed in r24888: remove the process_chpw_request() prototype from
misc.h as it is now a static function.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24889 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 19 Apr 2011 18:13:41 +0000 (18:13 +0000)]
Clean up schpw.c in kadmind a bit, making use of new k5-int.h helpers
where appropriate.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24888 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 19 Apr 2011 16:46:37 +0000 (16:46 +0000)]
Revert r24886; it was incorrect

ticket: 6903

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24887 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 19 Apr 2011 16:37:19 +0000 (16:37 +0000)]
Fix memory leak in kpasswd server UDP error path

The dispatch() in kadmind's schpw.c could return a failure code with
an allocated response container.  net-server.c does not expect this
and leaks the container in the UDP case.  Free the container in
dispatch() if we are returning an error.

ticket: 6903
target_version: 1.9.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24886 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sat, 16 Apr 2011 18:10:23 +0000 (18:10 +0000)]
Handle null OID values in gss_oid_equal()

ticket: 6890

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24885 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sat, 16 Apr 2011 17:30:38 +0000 (17:30 +0000)]
Check mech_type as well as mech_name in gssint_import_internal_name(),
for the sake of static analyzers.  (Also, since this is an internal
function, it can be called on a half-constructed MN; checking the type
alone would be insufficient.)

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24884 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sat, 16 Apr 2011 14:05:22 +0000 (14:05 +0000)]
Fix a code path where mech could be used uninitialized in
gss_accept_sec_context after r24645.

ticket: 6813

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24883 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sat, 16 Apr 2011 13:57:47 +0000 (13:57 +0000)]
Revert r24826.  Export krb5int_nfold from libk5crypto and link t_nfold
against libk5crypto, matching the approach used in most other library
unit tests.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24882 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Wed, 13 Apr 2011 18:43:37 +0000 (18:43 +0000)]
Fix the sole case in process_chpw_request() where a return could occur
without allocating the data pointer in the response.  This prevents a
later free() of an invalid pointer in kill_tcp_or_rpc_connection().

Also initialize rep->data to NULL in process_chpw_request() and clean
up *response in dispatch() as an additional precaution.

ticket: 6899
tags: pullup
target_version: 1.9.1

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24878 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 13 Apr 2011 15:15:56 +0000 (15:15 +0000)]
Remove pointer validation code from the gss krb5 mech

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24877 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 12 Apr 2011 18:35:31 +0000 (18:35 +0000)]
In krb5_gss_display_status, correct the sense of the
g_make_string_buffer test, and return GSS_S_FAILURE if it fails.
Reported by snambakam@likewise.com.

ticket: 6898

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24876 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Tue, 12 Apr 2011 13:36:15 +0000 (13:36 +0000)]
Documentation updates. Mostly GIC related

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24875 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 11 Apr 2011 22:23:47 +0000 (22:23 +0000)]
Shuffle around some gss-krb5 entry points to eliminate four mostly
content-free source files and better separate IOV stuff from non-IOV
stuff.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24874 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sun, 10 Apr 2011 16:37:01 +0000 (16:37 +0000)]
Add Doxygen markup for gss_userok() and gss_authorize_localname()

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24870 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sun, 10 Apr 2011 15:42:11 +0000 (15:42 +0000)]
Implement gss_authorize_localname, as discussed on the kitten list,
and make gss_userok a wrapper around it matching the Gnu GSS
prototype.  The SPI for gss_authorize_localname doesn't match the API
since we have no way of representing the contents of an internal name
to a mech at the moment.  From r24855, r24857, r24858, r24862, r24863,
r24864, r24866, r24867, and r24868 in
users/lhoward/moonshot-mechglue-fixes.

ticket: 6891

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24869 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 8 Apr 2011 17:47:01 +0000 (17:47 +0000)]
When inquiring the default GSS acceptor principal, return a principal
name from the keytab if we can, for better compliance with GSSAPI.

ticket: 6897

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24861 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 8 Apr 2011 17:45:07 +0000 (17:45 +0000)]
Correctly recognize non-iterable keytabs in k5_kt_get_principal()

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24860 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 8 Apr 2011 16:50:13 +0000 (16:50 +0000)]
Add k5_kt_get_principal, an internal krb5 interface to try to get a
principal name from a keytab.  Used currently by vfy_increds.c (in
place of its static helper); will also be used when querying the name
of the default gss-krb5 acceptor cred.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24859 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 7 Apr 2011 15:20:37 +0000 (15:20 +0000)]
In the authdata framework, determine which authdata sources to query
based on the module's usage flags.  From r24794 in
users/lhoward/moonshot-mechglue-fixes.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24853 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 6 Apr 2011 20:06:50 +0000 (20:06 +0000)]
Allow anonymous name to be imported with empty name buffer

When importing a name of type GSS_C_NT_ANONYMOUS, allow the input name
buffer to be null or empty (null is translated into empty before
mechanisms see it).

From r24820 in users/lhoward/moonshot-mechglue-fixes.

ticket: 6896

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24852 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Wed, 6 Apr 2011 19:44:07 +0000 (19:44 +0000)]
Documentation updates

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24851 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 5 Apr 2011 22:15:41 +0000 (22:15 +0000)]
Make depend

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24844 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 5 Apr 2011 22:10:00 +0000 (22:10 +0000)]
gss_duplicate_name SPI for SPNEGO

Preserve attributes when duplicating a name, using the mechanism's
implementation of gss_duplicate_name if present, or a loop over
the attributes if not.

ticket: 6895

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24843 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 4 Apr 2011 23:06:09 +0000 (23:06 +0000)]
More sensical mech selection for gss_acquire_cred/accept_sec_context

If a caller passes an empty mech set to gss_acquire_cred, get a cred
for all mechs instead of just the krb5 mech, as we don't know what
mechanism the cred is going to be used with (particularly in the
acceptor case).  As a related fix, if a caller passes a credential to
gss_accept_sec_context and it does not contain a mech-specific cred
for the token's mech, error out instead of using the default cred with
the token's mechanism.

ticket: 6894

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24840 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 4 Apr 2011 20:57:59 +0000 (20:57 +0000)]
r24838 accidentally added a gss_duplicate_name line to
build_dynamicMech(), breaking the build (since gss_duplicate_name
isn't in gss_mechanism yet).  Revert that part of the change.

ticket: 6892

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24839 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 4 Apr 2011 20:11:08 +0000 (20:11 +0000)]
Prevent bleed-through of mechglue symbols into loaded mechs

When loading a mech's symbols individually, make sure the symbol we
got wasn't just a mechglue symbol showing through because the mech
was linked against the mechglue.  From r24719 in
users/lhoward/moonshot-mechglue-fixes.

ticket: 6892

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24838 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 4 Apr 2011 20:04:54 +0000 (20:04 +0000)]
Add gss_userok and gss_pname_to_uid to dynamic mech loading table.
From r24711 in users/lhoward/moonshot-mechglue-fixes.

ticket: 6891

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24837 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 4 Apr 2011 15:59:35 +0000 (15:59 +0000)]
Add gss_userok and gss_pname_to_uid

Resurrect gss_userok and gss_pname_to_uid in the mechglue.  Add krb5
mech implementations using krb5_kuserok and krb5_aname_to_localname,
as well as mechanism-independent implementations based on name
attributes.

From r24710, r24715, r24717, r24731, r24732, r24733, r24734, r24735,
r24747, r24816, and r24819 in users/lhoward/moonshot-mechglue-fixes,
with minor edits.

ticket: 6891

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24836 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Mon, 4 Apr 2011 14:59:22 +0000 (14:59 +0000)]
Documentation updates

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24835 dc483132-0cff-0310-8789-dd5450dbe970

Ken Raeburn [Sun, 3 Apr 2011 23:21:59 +0000 (23:21 +0000)]
CoreFoundation is no longer used for UCS2 conversions

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24834 dc483132-0cff-0310-8789-dd5450dbe970

Ken Raeburn [Sun, 3 Apr 2011 23:21:56 +0000 (23:21 +0000)]
Drop some redundant autoconf tests

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24833 dc483132-0cff-0310-8789-dd5450dbe970

Ken Raeburn [Sun, 3 Apr 2011 23:21:52 +0000 (23:21 +0000)]
Don't check for stdarg.h

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24832 dc483132-0cff-0310-8789-dd5450dbe970

Ken Raeburn [Sun, 3 Apr 2011 23:21:46 +0000 (23:21 +0000)]
Don't test HAVE_STDARG_H, just assume it

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24831 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sun, 3 Apr 2011 22:16:53 +0000 (22:16 +0000)]
In t_fortuna.c, use a static buffer in head_tail_test, and use %f for
a double argument, not %lf.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24830 dc483132-0cff-0310-8789-dd5450dbe970

Ken Raeburn [Sun, 3 Apr 2011 22:10:03 +0000 (22:10 +0000)]
Don't allocate over 2MB on the stack; sparc-netbsd3.0 default stack
limit is 2MB.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24829 dc483132-0cff-0310-8789-dd5450dbe970

Ken Raeburn [Sun, 3 Apr 2011 21:54:32 +0000 (21:54 +0000)]
Include krb5_libinit.h always, since we call krb5int_initialize_library always

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24828 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sun, 3 Apr 2011 12:34:43 +0000 (12:34 +0000)]
Revert r24815 and the RTLD_NODELETE part of r24744, which was
committed by accident.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24827 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sun, 3 Apr 2011 12:31:13 +0000 (12:31 +0000)]
Avoid using crypto_int.h in t_nfold.c for convenience on Solaris; just
prototype krb5int_nfold instead.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24826 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sun, 3 Apr 2011 12:26:23 +0000 (12:26 +0000)]
destest.c no longer needs crypto_int.h

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24825 dc483132-0cff-0310-8789-dd5450dbe970

Luke Howard [Sun, 3 Apr 2011 08:02:53 +0000 (08:02 +0000)]
Use RFC 5587 const types for draft-josefsson-gss-capsulate APIs

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24821 dc483132-0cff-0310-8789-dd5450dbe970

Ken Raeburn [Sun, 3 Apr 2011 06:48:45 +0000 (06:48 +0000)]
Only use RTLD_NODELETE if it's available

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24815 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sat, 2 Apr 2011 18:27:50 +0000 (18:27 +0000)]
Factor out the address checks in krb5_rd_safe and krb5_rd_priv into
a new function k5_privsafe_check_addrs.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24806 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sat, 2 Apr 2011 17:30:45 +0000 (17:30 +0000)]
In libkrb5, move krb5int_auth_con_chkseqnum to a new file privsafe.c,
renamed to k5_privsafe_check_seqnum.  Declare it in int-proto.h rather
than k5-int.h.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24805 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sat, 2 Apr 2011 16:37:00 +0000 (16:37 +0000)]
Add PADL license to collected licenses

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24804 dc483132-0cff-0310-8789-dd5450dbe970

Luke Howard [Sat, 2 Apr 2011 06:41:44 +0000 (06:41 +0000)]
When doing S4U2Self for the anon principal, use the server realm

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24793 dc483132-0cff-0310-8789-dd5450dbe970

13 years ago typo fix
Luke Howard [Sat, 2 Apr 2011 06:41:31 +0000 (06:41 +0000)]
typo fix

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24792 dc483132-0cff-0310-8789-dd5450dbe970

13 years ago Allow absolute paths for mechglue libraries. From r24736 in
Greg Hudson [Fri, 1 Apr 2011 19:36:50 +0000 (19:36 +0000)]
Allow absolute paths for mechglue libraries.  From r24736 in
users/lhoward/moonshot-mechglue/fixes.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24781 dc483132-0cff-0310-8789-dd5450dbe970

13 years ago Implement draft-josefsson-gss-capsulate
Greg Hudson [Fri, 1 Apr 2011 19:34:57 +0000 (19:34 +0000)]
Implement draft-josefsson-gss-capsulate

Add gss_encapsulate_token(), gss_decapsulate_token(), and
gss_oid_equal() APIs, which are already present in Heimdal and Shishi.
From r24737, r24738, and r24740 in
users/lhoward/moonshot-mechglue-fixes.

ticket: 6890

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24780 dc483132-0cff-0310-8789-dd5450dbe970

13 years ago Fix a potential uninitialized free in prepare_error_as()
Greg Hudson [Fri, 1 Apr 2011 18:38:10 +0000 (18:38 +0000)]
Fix a potential uninitialized free in prepare_error_as()

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24779 dc483132-0cff-0310-8789-dd5450dbe970

13 years ago only reset greeting if provided attribute is urn:greet:greeting
Luke Howard [Fri, 1 Apr 2011 05:56:46 +0000 (05:56 +0000)]
only reset greeting if provided attribute is urn:greet:greeting

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24776 dc483132-0cff-0310-8789-dd5450dbe970

13 years ago s4u2proxy_set_attribute should only return EPERM for its own attribute
Luke Howard [Fri, 1 Apr 2011 05:56:33 +0000 (05:56 +0000)]
s4u2proxy_set_attribute should only return EPERM for its own attribute

Failure to do this breaks other attribute providers' set_attribute()

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24775 dc483132-0cff-0310-8789-dd5450dbe970

13 years ago In r21175 (on the mskrb branch, merged in r21690) the result codes for
Greg Hudson [Tue, 29 Mar 2011 22:44:30 +0000 (22:44 +0000)]
In r21175 (on the mskrb branch, merged in r21690) the result codes for
password quality and other errors were accidentally reversed.  Fix
them so that password quality errors generate a "soft" failure and
other errors generate a "hard" failure, as Heimdal and Microsoft do.
Also recognize KADM5_PASS_Q_GENERIC (added in 1.9) as a password
quality error.

ticket: 6888
target_version: 1.9.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24755 dc483132-0cff-0310-8789-dd5450dbe970

13 years ago In krb5_cc_move if something went wrong, free the dst credential cache
Zhanna Tsitkov [Tue, 29 Mar 2011 18:52:22 +0000 (18:52 +0000)]
In krb5_cc_move if something went wrong, free the dst credential cache

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24754 dc483132-0cff-0310-8789-dd5450dbe970

13 years ago If the new configuration data that is passed to krb5_cc_set_config is NULL, just...
Zhanna Tsitkov [Tue, 29 Mar 2011 16:22:05 +0000 (16:22 +0000)]
If the new configuration data that is passed to krb5_cc_set_config is NULL, just remove the old configuration.
Moved short krb5_cc_set_config usage example from krb5.hin into the separate file.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24753 dc483132-0cff-0310-8789-dd5450dbe970

13 years ago Updated the documentation for the krb5_ error_message function family.
Zhanna Tsitkov [Tue, 29 Mar 2011 15:19:41 +0000 (15:19 +0000)]
Updated the documentation for the krb5_ error_message function family.
Created the directory doc/doxy_examples/ to hold examples used in the doxygen documentation.
Added usage example for the krb5_get/set/free_error_message functions

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24752 dc483132-0cff-0310-8789-dd5450dbe970

13 years ago Static function names should not have krb5_ prefix
Zhanna Tsitkov [Tue, 29 Mar 2011 15:10:00 +0000 (15:10 +0000)]
Static function names should not have krb5_ prefix

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24751 dc483132-0cff-0310-8789-dd5450dbe970

13 years ago Remove the weak key checks from the builtin rc4 enc provider. There
Greg Hudson [Mon, 28 Mar 2011 23:35:54 +0000 (23:35 +0000)]
Remove the weak key checks from the builtin rc4 enc provider.  There
is no standards support for avoiding RC4 weak keys, so rejecting them
causes periodic failures.  Heimdal and Microsoft do not check for weak
keys.  Attacks based on these weak keys are probably thwarted by the
use of a confounder, and even if not, the reduction in work factor is
not terribly significant for 128-bit keys.

ticket: 6886
target_version: 1.9.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24750 dc483132-0cff-0310-8789-dd5450dbe970

13 years ago Use first principal in keytab when verifying creds
Greg Hudson [Mon, 28 Mar 2011 17:05:54 +0000 (17:05 +0000)]
Use first principal in keytab when verifying creds

In krb5_verify_init_creds(), use the first principal in the keytab
to verify the credentials instead of the result of
krb5_sname_to_principal().  Also add tests.

ticket: 6887

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24749 dc483132-0cff-0310-8789-dd5450dbe970