krb5.git
14 years agoIn kinit_kdb_init(), ensure that we don't return an error with the
Greg Hudson [Fri, 17 Sep 2010 15:52:23 +0000 (15:52 +0000)]
In kinit_kdb_init(), ensure that we don't return an error with the
old, freed value of *pcontext still there--that would result in a
double free.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24326 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFollow-on to r24315: remove get/set_mkey_list from export list of
Greg Hudson [Thu, 16 Sep 2010 17:38:30 +0000 (17:38 +0000)]
Follow-on to r24315: remove get/set_mkey_list from export list of
libkdb_ldap.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24324 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn the PKINIT OpenSSL crypto code, use a signed int to hold the result
Greg Hudson [Wed, 15 Sep 2010 22:43:00 +0000 (22:43 +0000)]
In the PKINIT OpenSSL crypto code, use a signed int to hold the result
of X509_get_ext_by_NID so we can detect negative return values.
Reported by nalin@redhat.com.

ticket: 6774

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24323 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoWhitespace
Greg Hudson [Wed, 15 Sep 2010 20:07:39 +0000 (20:07 +0000)]
Whitespace

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24322 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd a license statement to the new extern.h in kinit, use an include
Greg Hudson [Wed, 15 Sep 2010 17:45:31 +0000 (17:45 +0000)]
Add a license statement to the new extern.h in kinit, use an include
blocker which does not impinge on the system's symbol namespace, and
use the recommended formatting for function prototypes.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24319 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoWhitespace
Greg Hudson [Wed, 15 Sep 2010 17:30:17 +0000 (17:30 +0000)]
Whitespace

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24318 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFormatting fix
Greg Hudson [Wed, 15 Sep 2010 17:22:57 +0000 (17:22 +0000)]
Formatting fix

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24317 dc483132-0cff-0310-8789-dd5450dbe970

14 years agokinit: add KDB keytab support
Sam Hartman [Wed, 15 Sep 2010 17:13:41 +0000 (17:13 +0000)]
kinit: add KDB keytab support

This implements
http://k5wiki.kerberos.org/Projects/What_does_God_need_with_a_password.
If the KDB keytab is selected by command line options, then kinit will
register the KDB keytab and open the database.  This permits an
administrator to obtain tickets as a user without knowing that user's
password.

As a result kinit links against libkadm5srv and libkdb5. Discussion is
ongoing about whether this is desirable or about whether two versions
of kinit are required.

ticket: 6779

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24316 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove dead code from DAL and kdb plugins
Sam Hartman [Wed, 15 Sep 2010 17:13:34 +0000 (17:13 +0000)]
Remove dead code from DAL and kdb plugins

kdb: remove get/set_mkey_list

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24315 dc483132-0cff-0310-8789-dd5450dbe970

14 years agokdb: store mkey list in context and permit NULL mkey for kdb_dbe_decrypt_key_data
Sam Hartman [Wed, 15 Sep 2010 17:13:23 +0000 (17:13 +0000)]
kdb: store mkey list in context and permit NULL mkey for kdb_dbe_decrypt_key_data

Previously, code needed to run a loop to find the current master key,
possibly fetch a new master key list and try finding the master key
again around each key decryption.  This was not universally done;
there are cases where only the current master key was used.  In
addition, the correct ideom for decrypting key data is too complicated
and is potentially unavailable to plugins that do not have access to
the master key.  Instead, store the master key list in the dal_handle
whenever it is fetched and permit a NULL master key for
krb5_dbe_decrypt_key_data.

* Remove APIs for krb5_db_{get|set}_mkey_list
* krb5_db_fetch_mkey_list: memoize master key list in dal_handle
* krb5_db_free_mkey_list: don't free the memoized list; arrange for it to be freed later
* krb5_dbe_decrypt_key_data: Search for correct master key on NULL argument
* change call sites to take advantage

ticket: 6778

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24314 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn the PKINIT OpenSSL code, ensure that appropriate cerficiate fields
Greg Hudson [Wed, 15 Sep 2010 17:10:05 +0000 (17:10 +0000)]
In the PKINIT OpenSSL code, ensure that appropriate cerficiate fields
have been set before using ku_reject.  Patch from nalin@redhat.com.

ticket: 6775

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24313 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoUse correct CRL stack macros in pkinit OpenSSL code. Patch from Olaf
Greg Hudson [Wed, 15 Sep 2010 17:06:43 +0000 (17:06 +0000)]
Use correct CRL stack macros in pkinit OpenSSL code.  Patch from Olaf
Flebbe.

ticket: 6776

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24312 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoWhitespace
Greg Hudson [Wed, 15 Sep 2010 16:51:31 +0000 (16:51 +0000)]
Whitespace

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24311 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix warnings in encrypt_key and decrypt_key. Avoid a segfault if NULL
Sam Hartman [Wed, 15 Sep 2010 16:40:32 +0000 (16:40 +0000)]
Fix warnings in encrypt_key and decrypt_key. Avoid a segfault if NULL
master key is passed into default decryption function.

kdb: fix warnings

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24310 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn krb5_sname_to_principal, correctly handle failures from
Greg Hudson [Wed, 15 Sep 2010 15:50:15 +0000 (15:50 +0000)]
In krb5_sname_to_principal, correctly handle failures from
krb5_build_principal.

ticket: 6777

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24309 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAllow a zero checksum type to be passed into krb5_k_verify_checksum_iov;
Luke Howard [Thu, 9 Sep 2010 15:54:32 +0000 (15:54 +0000)]
Allow a zero checksum type to be passed into krb5_k_verify_checksum_iov;
this indicates that the mandatory checksum type for the key is to be used.
This interface is necessary because there is no public interface through
which the mandatory checksum type for an encryption type can be determined.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24304 dc483132-0cff-0310-8789-dd5450dbe970

14 years agokrb5_k_make_checksum will use the mandatory checksum type if 0 is
Luke Howard [Thu, 9 Sep 2010 15:39:47 +0000 (15:39 +0000)]
krb5_k_make_checksum will use the mandatory checksum type if 0 is
passed in as the checksum type; however krb5_k_make_checksum_iov
does not support this. Add the same logic for the behaviour is
consistent.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24303 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd dummy camellia subdir to openssl back end makefile
Greg Hudson [Wed, 8 Sep 2010 17:38:22 +0000 (17:38 +0000)]
Add dummy camellia subdir to openssl back end makefile

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24299 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMake depend
Greg Hudson [Wed, 8 Sep 2010 03:51:31 +0000 (03:51 +0000)]
Make depend

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24298 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoDon't build the built-in Camellia block cipher code if Camellia-CCM
Greg Hudson [Wed, 8 Sep 2010 03:48:05 +0000 (03:48 +0000)]
Don't build the built-in Camellia block cipher code if Camellia-CCM
enctypes aren't enabled.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24297 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoX509_verify_cert can return without setting cert_ctx.current_cert. If
Greg Hudson [Wed, 8 Sep 2010 03:15:49 +0000 (03:15 +0000)]
X509_verify_cert can return without setting cert_ctx.current_cert.  If
it does, don't dereference a null pointer when creating the pkiDebug
message.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24296 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMerge the camellia-ccm branch to trunk. Since there are no IANA
Greg Hudson [Tue, 7 Sep 2010 17:54:15 +0000 (17:54 +0000)]
Merge the camellia-ccm branch to trunk.  Since there are no IANA
assignments for Camellia-CCM enctypes or cksumtypes yet, they are
disabled in a default build.  They can be made available by defining
(via CPPFLAGS) local-use enctype numbers for the enctypes and
cksumtypes.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24295 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoEnsure valid key in krb5int_yarrow_cipher_encrypt_block
Ezra Peisach [Sat, 4 Sep 2010 21:46:53 +0000 (21:46 +0000)]
Ensure valid key in krb5int_yarrow_cipher_encrypt_block

Under low memory conditions (or when testing memory allocation failures),
the key pointer will be 0 - and not initialized. Test and return failure
before deref a NULL.

ticket: 6772

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24292 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix memory leaks in kdb5_verify
Ezra Peisach [Sat, 4 Sep 2010 21:43:04 +0000 (21:43 +0000)]
Fix memory leaks in kdb5_verify

Minor leaks.  Just cleaning up code.

ticket: 6771

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24291 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn k5_pwqual_load(), if the last vtable initializer fails, return 0
Greg Hudson [Sat, 4 Sep 2010 14:50:27 +0000 (14:50 +0000)]
In k5_pwqual_load(), if the last vtable initializer fails, return 0
and not its exit value.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24290 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix output argument ordering and handling in k5_pwqual_load()
Greg Hudson [Fri, 3 Sep 2010 22:24:25 +0000 (22:24 +0000)]
Fix output argument ordering and handling in k5_pwqual_load()

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24289 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoPrevent a double free in k5_pwqual_load()
Greg Hudson [Fri, 3 Sep 2010 22:21:39 +0000 (22:21 +0000)]
Prevent a double free in k5_pwqual_load()

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24288 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoclean up memory leak and potential unused variable in crypto tests
Ezra Peisach [Fri, 3 Sep 2010 02:43:21 +0000 (02:43 +0000)]
clean up memory leak and potential unused variable in crypto tests

t_prf.c:  Ensure prfsz is set before use (not exercised in current tests)

t_short.c: Fix memory leak

ticket: 6769

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24287 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoProperly search for MANDATORY-FOR-KDC authdata elements. Reported by
Greg Hudson [Thu, 2 Sep 2010 15:35:25 +0000 (15:35 +0000)]
Properly search for MANDATORY-FOR-KDC authdata elements.  Reported by
Mike Roszkowski.

ticket: 6764
tags: pullup
target_version: 1.8.4

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24286 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoOops, pwqual_combo wasn't supposed to make it out of the plugins2
Greg Hudson [Wed, 1 Sep 2010 21:16:05 +0000 (21:16 +0000)]
Oops, pwqual_combo wasn't supposed to make it out of the plugins2
branch.  Delete it.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24285 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoPassword quality pluggable interface
Greg Hudson [Wed, 1 Sep 2010 16:40:22 +0000 (16:40 +0000)]
Password quality pluggable interface

Merge branches/plugins2 to trunk.  Adds a password quality pluggable
interface described in this project page:

http://k5wiki.kerberos.org/wiki/Projects/Password_quality_pluggable_interface

ticket: 6765

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24284 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMake the new profile tcl tests work with tcl 8.3
Greg Hudson [Tue, 31 Aug 2010 21:37:51 +0000 (21:37 +0000)]
Make the new profile tcl tests work with tcl 8.3

ticket: 6761

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24282 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMake relative plugin module paths be interpreted as relative to
Greg Hudson [Mon, 30 Aug 2010 16:20:34 +0000 (16:20 +0000)]
Make relative plugin module paths be interpreted as relative to
LIBDIR/krb5/plugins.

ticket: 6763

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24277 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix a resource leak in the profile include support
Greg Hudson [Sun, 29 Aug 2010 22:35:41 +0000 (22:35 +0000)]
Fix a resource leak in the profile include support

ticket: 6761

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24274 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd simple automated tests for account lockout support
Greg Hudson [Sun, 29 Aug 2010 15:39:08 +0000 (15:39 +0000)]
Add simple automated tests for account lockout support

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24269 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix an account lockout error-handling regression by converting the
Greg Hudson [Sun, 29 Aug 2010 15:32:04 +0000 (15:32 +0000)]
Fix an account lockout error-handling regression by converting the
result of krb5_db_check_policy_as/tgs from a krb5_error_code to a
protocol error number.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24268 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd plugin.o to T_ETYPES_OBJS because init_ctx.o needs it now
Tom Yu [Fri, 27 Aug 2010 18:01:14 +0000 (18:01 +0000)]
Add plugin.o to T_ETYPES_OBJS because init_ctx.o needs it now

ticket: 6763

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24264 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoNew plugin infrastructure
Greg Hudson [Fri, 27 Aug 2010 04:29:11 +0000 (04:29 +0000)]
New plugin infrastructure

Merge domain-independent plugin framework code from branches/plugins2,
leaving out the password quality interface.

ticket: 6763

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24263 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd an expansion error table for libkrb5, since krb5_err.et is full
Greg Hudson [Thu, 26 Aug 2010 16:59:37 +0000 (16:59 +0000)]
Add an expansion error table for libkrb5, since krb5_err.et is full

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24258 dc483132-0cff-0310-8789-dd5450dbe970

14 years agord_req_decoded: clarify behavior in comment
Sam Hartman [Wed, 25 Aug 2010 23:31:59 +0000 (23:31 +0000)]
rd_req_decoded: clarify behavior in comment

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24257 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRevise the profile include design so that included files are
Greg Hudson [Wed, 25 Aug 2010 18:22:53 +0000 (18:22 +0000)]
Revise the profile include design so that included files are
syntactically independent of parent files.

ticket: 6761

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24256 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoCorrect a comment
Greg Hudson [Tue, 24 Aug 2010 22:57:40 +0000 (22:57 +0000)]
Correct a comment

ticket: 6761

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24255 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn the LDAP KDB module's populate_krb5_db_entry, fix the checks for
Greg Hudson [Tue, 24 Aug 2010 22:45:37 +0000 (22:45 +0000)]
In the LDAP KDB module's populate_krb5_db_entry, fix the checks for
the KDB_PRINC_EXPIRE_TIME_ATTR and KDB_PWD_EXPIRE_TIME_ATTR flags so
that they properly succeed when the flags are set.  Bug report from
Rob Crittenden, patch from nalin@redhat.com.

ticket: 6762

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24254 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoadd profile include support
Greg Hudson [Tue, 24 Aug 2010 21:52:32 +0000 (21:52 +0000)]
add profile include support

Add support for "include" and "includedir" directives in profile files.
See http://k5wiki.kerberos.org/wiki/Projects/Profile_Includes for more
details.

ticket: 6761

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24253 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFail properly when profile can't be accessed
Greg Hudson [Mon, 23 Aug 2010 22:03:25 +0000 (22:03 +0000)]
Fail properly when profile can't be accessed

Make profile_init() return EACCESS or EPERM if one of those errors was
encountered when failing to open any of the specified profile files.
This causes krb5_init_os_context() to fail properly when krb5.conf is
unreadable, instead of treating that situation like a nonexistent
krb5.conf.

The library will continue to soldier on if one profile file is
readable and another is not.  This is deliberate as of r14116, whether
or not it's a good idea.

ticket: 6760

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24250 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAllow krb5_gss_register_acceptor_identity to unset keytab name
Greg Hudson [Thu, 19 Aug 2010 16:38:30 +0000 (16:38 +0000)]
Allow krb5_gss_register_acceptor_identity to unset keytab name

krb5_gss_register_acceptor_identity sets a mutex-locked global (not
thread-specific) variable containing a keytab name.  This change
allows the variable to be unset by passing a null value.

A more elegant long-term solution to the problem is Heimdal's
gss_krb5_import_cred function.

ticket: 6758

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24242 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd GIC option for password/account expiration callback
Greg Hudson [Thu, 12 Aug 2010 17:41:41 +0000 (17:41 +0000)]
Add GIC option for password/account expiration callback

Add a new GIC option to specify a callback to receive password and
account expiration times found in an AS reply.

See also:
http://k5wiki.kerberos.org/wiki/Projects/Password_expiration_API

ticket: 6755

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24241 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn AS replies, set the key-expiration field to the minimum of account
Greg Hudson [Thu, 12 Aug 2010 17:39:09 +0000 (17:39 +0000)]
In AS replies, set the key-expiration field to the minimum of account
and password expiration time as specified in RFC 4120.  Reported by
Mary Cushion <mary@eiger.demon.co.uk>.

ticket: 2032

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24240 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoCorrect the documentation for the start_kadmind keyword in k5test.py
Greg Hudson [Thu, 12 Aug 2010 17:15:17 +0000 (17:15 +0000)]
Correct the documentation for the start_kadmind keyword in k5test.py

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24239 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove two unused source files in lib/gssapi/generic
Greg Hudson [Thu, 12 Aug 2010 14:28:13 +0000 (14:28 +0000)]
Remove two unused source files in lib/gssapi/generic

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24238 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMove the password expiry warning code out of
Greg Hudson [Tue, 10 Aug 2010 19:02:23 +0000 (19:02 +0000)]
Move the password expiry warning code out of
krb5_get_init_creds_password() into a helper function.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24237 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoUse xdr_int32 instead of xdr_u_int in xdr_krb5_enctype(), since
Greg Hudson [Mon, 26 Jul 2010 18:19:49 +0000 (18:19 +0000)]
Use xdr_int32 instead of xdr_u_int in xdr_krb5_enctype(), since
enctypes are signed 32-bit values.  Wire representation does not
change.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24211 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix XDR decoding of large values in xdr_u_int
Greg Hudson [Mon, 26 Jul 2010 18:18:57 +0000 (18:18 +0000)]
Fix XDR decoding of large values in xdr_u_int

Our ancient RPC value internally decodes 32-bit wire values into a
signed long, which is then casted to the appropriate type.
xdr_u_int() contains a check intended to catch wire values that don't
fit into a u_int on platforms with 16-ints, but on platforms with
64-bit longs it was failing on values of 2^31 or larger because the
sign-extended value appeared larger than UINT_MAX.  Fix the check by
casting the value to uint32_t before comparing.

This bug, in combination with a poor choice of types in
kadm_rpc_xdr.c's xdr_krb5_enctype(), prevented negative enctype values
from being transported properly in kadmin's change_password command
result.

ticket: 6753

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24210 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAddendum to r24200: fix kdb5_ldap_util call site of
Greg Hudson [Wed, 21 Jul 2010 20:37:51 +0000 (20:37 +0000)]
Addendum to r24200: fix kdb5_ldap_util call site of
krb5_ldap_lib_init.

ticket: 6749

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24201 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRevert the part of r24157 which added the dal_version argument to the
Greg Hudson [Wed, 21 Jul 2010 19:01:35 +0000 (19:01 +0000)]
Revert the part of r24157 which added the dal_version argument to the
init_library interface.  Instead use the already existing maj_ver
field of the DAL vtable to detect incompatibilities.  Since maj_ver
is a short int, use an incrementing number instead of a date for the
major version.

ticket: 6749

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24200 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoGet the kdb_hdb module to compile again. Probably still buggy,
Greg Hudson [Tue, 20 Jul 2010 08:52:41 +0000 (08:52 +0000)]
Get the kdb_hdb module to compile again.  Probably still buggy,
particularly around the master key logic.

ticket: 6749

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24193 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn kdb5_util's kdb5_ldap_create(), add back the assignment of
Greg Hudson [Mon, 19 Jul 2010 10:05:13 +0000 (10:05 +0000)]
In kdb5_util's kdb5_ldap_create(), add back the assignment of
rblock.key which was erroneously removed in r24162.

ticket: 6749

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24192 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAllow Microsoft HMAC-MD5 checksum types to use non-RC4 keys
Greg Hudson [Mon, 19 Jul 2010 05:01:45 +0000 (05:01 +0000)]
Allow Microsoft HMAC-MD5 checksum types to use non-RC4 keys

In PAC signatures, the hmac-md5 checksum type can be used with AES
keys.  Make this work by removing the enc field from the hmac-md5 and
md5-hmac checksum types, and adding a check in
krb5int_hmacmd5_checksum() for a null key or a key which is longer
than the hash block size (64 bytes for MD5).  The checksum algorithm
only uses the key bits; it does invoke the cipher.

The checksum type names are kind of wrong, but we'll leave them alone
for compatibility.  The descriptions are updated.

ticket: 6751
target_version: 1.8.3
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24191 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn the DAL documentation, describe how a module can supply referral
Greg Hudson [Mon, 19 Jul 2010 04:30:47 +0000 (04:30 +0000)]
In the DAL documentation, describe how a module can supply referral
encrypted padata.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24190 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd check_allowed_to_delegate to the DAL with a corresponding libkdb5
Greg Hudson [Thu, 15 Jul 2010 04:18:00 +0000 (04:18 +0000)]
Add check_allowed_to_delegate to the DAL with a corresponding libkdb5
API, replacing the last method (CHECK_ALLOWED_TO_DELEGATE) of
db_invoke.  Remove db_invoke since it no longer has any methods.

ticket: 6749

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24189 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAddendum to r24182: Fix a comment referencing the db_invoke
Greg Hudson [Thu, 15 Jul 2010 03:17:08 +0000 (03:17 +0000)]
Addendum to r24182: Fix a comment referencing the db_invoke
SIGN_DB_AUTHDATA method.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24188 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd refresh_config to the DAL with a corresponding libkdb5 API,
Greg Hudson [Thu, 15 Jul 2010 03:12:57 +0000 (03:12 +0000)]
Add refresh_config to the DAL with a corresponding libkdb5 API,
replacing the REFRESH_POLICY method of db_invoke.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24187 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAddendum to r24185: make audit_as_req return void, since it's an
Greg Hudson [Tue, 13 Jul 2010 16:09:01 +0000 (16:09 +0000)]
Addendum to r24185: make audit_as_req return void, since it's an
informational method and we're not going to do anything with the
result.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24186 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd audit_as_req to the DAL with a corresponding libkdb5 API,
Greg Hudson [Tue, 13 Jul 2010 15:53:23 +0000 (15:53 +0000)]
Add audit_as_req to the DAL with a corresponding libkdb5 API,
replacing the AUDIT_AS_REQ method of db_invoke.  Remove the
AUDIT_TGS_REQ method of db_invoke without adding a replacement, as
there was no KDC support for it.  (It can be added at a later time if
necessary.)

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24185 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd check_policy_as and check_policy_tgs to the DAL table with
Greg Hudson [Tue, 13 Jul 2010 00:53:46 +0000 (00:53 +0000)]
Add check_policy_as and check_policy_tgs to the DAL table with
corresponding libkdb5 APIs, replacing the CHECK_POLICY_AS and
CHECK_POLICY_TGS methods of db_invoke.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24184 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd check_transited_realms to the DAL table with a corresponding
Greg Hudson [Mon, 12 Jul 2010 18:53:54 +0000 (18:53 +0000)]
Add check_transited_realms to the DAL table with a corresponding
libkdb5 API, replacing the CHECK_TRANSITED_REALMS method of db_invoke.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24183 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd sign_authdata to the DAL table with a corresponding libkdb5 API,
Greg Hudson [Mon, 12 Jul 2010 18:33:05 +0000 (18:33 +0000)]
Add sign_authdata to the DAL table with a corresponding libkdb5 API,
replacing the SIGN_AUTH_DATA method of db_invoke.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24182 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAddendum to r24180: make sure osa_adb_get_policy sets its output
Greg Hudson [Fri, 9 Jul 2010 12:25:50 +0000 (12:25 +0000)]
Addendum to r24180: make sure osa_adb_get_policy sets its output
parameter in all cases, per coding standards.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24181 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoImprove output variable handling of osa_adb_get_policy() in the db2
Greg Hudson [Fri, 9 Jul 2010 01:22:38 +0000 (01:22 +0000)]
Improve output variable handling of osa_adb_get_policy() in the db2
KDB module, and close some unlikely memory leaks.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24180 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix a memory leak in libkadm5clnt's get_init_creds()
Greg Hudson [Thu, 8 Jul 2010 23:51:24 +0000 (23:51 +0000)]
Fix a memory leak in libkadm5clnt's get_init_creds()

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24179 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoCreate a KRB5_KDB_FLAG_ALIAS_OK to control whether plugin modules
Greg Hudson [Thu, 8 Jul 2010 23:34:35 +0000 (23:34 +0000)]
Create a KRB5_KDB_FLAG_ALIAS_OK to control whether plugin modules
should return in-realm aliases.  Set it where appropriate, and use it
in the LDAP module instead of intuiting the result based on other
flags.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24178 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd a missing break in the parsing of krb5kdc's -P option. Reported
Greg Hudson [Wed, 7 Jul 2010 20:52:06 +0000 (20:52 +0000)]
Add a missing break in the parsing of krb5kdc's -P option.  Reported
by nalin@redhat.com.

ticket: 6750
target_version: 1.8.3
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24176 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove count parameters from get_principal, put_principal,
Greg Hudson [Tue, 6 Jul 2010 21:53:23 +0000 (21:53 +0000)]
Remove count parameters from get_principal, put_principal,
free_principal, delete_principal, and get_policy.  Make get_principal
allocate the DB entry container.  Fold krb5_db_get_principal_ext into
krb5_db_get_principal.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24175 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFollow-on to r24168: in kdb5_ldap_util, indirect through
Greg Hudson [Sun, 4 Jul 2010 18:34:04 +0000 (18:34 +0000)]
Follow-on to r24168: in kdb5_ldap_util, indirect through
krb5_db_store_master_key instead of using the (now removed) default
implementation directly.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24174 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn kdb5.c, simplify the code for getting the profile config section
Greg Hudson [Sat, 3 Jul 2010 19:56:17 +0000 (19:56 +0000)]
In kdb5.c, simplify the code for getting the profile config section

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24173 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove assertions for non-nullity of init_module and fini_module in
Greg Hudson [Sat, 3 Jul 2010 19:25:00 +0000 (19:25 +0000)]
Remove assertions for non-nullity of init_module and fini_module in
kdb5.c for consistency with other uses of mandatory vtable functions.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24172 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMake the APIs for iterate, get_master_key_list, set_master_key_list,
Greg Hudson [Sat, 3 Jul 2010 19:22:08 +0000 (19:22 +0000)]
Make the APIs for iterate, get_master_key_list, set_master_key_list,
and promote_db return KRB5_PLUGIN_OP_NOTSUPP if the KDB module does
not implement them, avoiding the need for stub default
implementations.

ticket: 6749

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24171 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoUse KRB5_PLUGIN_OP_NOTSUPP uniformly as the error code for operations
Greg Hudson [Sat, 3 Jul 2010 19:02:41 +0000 (19:02 +0000)]
Use KRB5_PLUGIN_OP_NOTSUPP uniformly as the error code for operations
not supported by a KDB module.  (Previously KRB5_KDB_DBTYPE_NOSUP was
used in some cases and KRB5_PLUGIN_OP_NOTSUPP in others.)

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24170 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove return value from void function
Ken Raeburn [Sat, 3 Jul 2010 15:23:45 +0000 (15:23 +0000)]
Remove return value from void function

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24169 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove store_master_key from the DAL table, and implement
Greg Hudson [Fri, 2 Jul 2010 20:16:21 +0000 (20:16 +0000)]
Remove store_master_key from the DAL table, and implement
krb5_store_master_key in terms of krb5_store_master_key_list.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24168 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMake krb5_db_free_principal and krb5_db_free_mkey_list return void.
Greg Hudson [Fri, 2 Jul 2010 19:18:12 +0000 (19:18 +0000)]
Make krb5_db_free_principal and krb5_db_free_mkey_list return void.
Remove the stale prototype for krb5_db_free_master_key.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24167 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove verify_master_key from the DAL table, as well as its associated
Greg Hudson [Fri, 2 Jul 2010 19:09:20 +0000 (19:09 +0000)]
Remove verify_master_key from the DAL table, as well as its associated
libkdb5 interface.  Callers can (and mostly already do) use
krb5_fetch_mkey_list to verify master keyblocks.  Adjust tests/create,
tests/verify, and kdb5_util dump to do so.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24166 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove db_ and similar prefixes from DAL function names, for
Greg Hudson [Fri, 2 Jul 2010 17:58:41 +0000 (17:58 +0000)]
Remove db_ and similar prefixes from DAL function names, for
consistency.  Follow suit inside the DB2 and LDAP modules.  (No change
to the caller-facing libkdb5 APIs.)

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24165 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRename krb5_dbekd_encrypt_key_data and krb5_dbekd_decrypt_key_data to
Greg Hudson [Fri, 2 Jul 2010 17:33:44 +0000 (17:33 +0000)]
Rename krb5_dbekd_encrypt_key_data and krb5_dbekd_decrypt_key_data to
just use the krb5_dbe prefix.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24164 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove setup_master_key_name from the DAL table as it was not used
Greg Hudson [Fri, 2 Jul 2010 17:18:46 +0000 (17:18 +0000)]
Remove setup_master_key_name from the DAL table as it was not used

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24163 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove the set_master_key and get_master_key DAL interfaces and their
Greg Hudson [Fri, 2 Jul 2010 17:13:40 +0000 (17:13 +0000)]
Remove the set_master_key and get_master_key DAL interfaces and their
corresponding libkdb5 APIs, as they were not productively used.  In
kdb5_ldap_util, stop using the realm data's mkey field as a container
to communicate the master key to static helper functions, since the
field no longer exists.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24162 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFollow-up to r24157: return correctly from krb5_ldap_lib_init() if
Greg Hudson [Fri, 2 Jul 2010 16:59:33 +0000 (16:59 +0000)]
Follow-up to r24157: return correctly from krb5_ldap_lib_init() if
there is no version mismatch.

ticket: 6749

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24161 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFollow-on to r24157: pass KRB5_KDB_DAL_VERSION to krb5_ldap_lib_init()
Greg Hudson [Fri, 2 Jul 2010 14:41:26 +0000 (14:41 +0000)]
Follow-on to r24157: pass KRB5_KDB_DAL_VERSION to krb5_ldap_lib_init()
in kdb5_ldap_util.c.

ticket: 6749

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24160 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove errcode_2_string and release_errcode_string from the DAL table,
Greg Hudson [Fri, 2 Jul 2010 14:19:39 +0000 (14:19 +0000)]
Remove errcode_2_string and release_errcode_string from the DAL table,
and stop using them in kdb5.c.  Modules can simply set error messages
in the krb5 context on error.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24159 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove db_supported_realms and db_free_supported_realms from the DAL
Greg Hudson [Fri, 2 Jul 2010 14:08:20 +0000 (14:08 +0000)]
Remove db_supported_realms and db_free_supported_realms from the DAL
table, and remove the corresponding libkdb5 interfaces (which don't
seem to have been in the library export table).

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24158 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoDAL improvements
Greg Hudson [Fri, 2 Jul 2010 03:23:21 +0000 (03:23 +0000)]
DAL improvements

Add KRB5_KDB_API_VERSION to allow callers to adjust to incompatible
changes in libkdb; to be kept in sync with the libkdb major version,
which is bumped to 5 in anticipation of other changes.

Add KRB5_KDB_DAL_VERSION to allow database modules to detect when they
are mismatched with the KDB version.  Since KDB modules are often
developed concurrently with trunk code, this is defined to be the date
of the last incompatible DAL change.  The DAL version is passed to the
init_library DAL function; the module should check it against the value
of KRB5_KDB_DAL_VERSION it was compiled with and return
KRB5_KDB_DBTYPE_MISMATCH if it doesn't match.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24157 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn kpropd, when getting a wildcard address to listen on, try IPv6
Greg Hudson [Thu, 1 Jul 2010 16:56:22 +0000 (16:56 +0000)]
In kpropd, when getting a wildcard address to listen on, try IPv6
explicitly (with AI_ADDRCONFIG specified where available, to avoid
IPv6 on hosts with no IPv6 interface) and then fall back to IPv4.
Only set IPV6_V6ONLY on the listener socket if the resulting address
is IPv6.

Note: we have mostly confirmed that OpenBSD does not have dual-stack
support, meaning that it would be better to open separate IPv4 and
IPv6 listener sockets, as we do in krb5kdc and kadmind.
Unfortunately, the complicated iprop retry-and-backoff logic makes
this less than straightforward.

ticket: 6686

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24156 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFactor out a common socket creation sequence in net-server.c, which
Greg Hudson [Wed, 30 Jun 2010 16:45:47 +0000 (16:45 +0000)]
Factor out a common socket creation sequence in net-server.c, which
happens to coincide with what setup_a_rpc_listener does.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24153 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoEliminate warnings in net-server.c
Greg Hudson [Wed, 30 Jun 2010 16:11:33 +0000 (16:11 +0000)]
Eliminate warnings in net-server.c

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24152 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoImprove coding style conformance in net-server.c
Greg Hudson [Wed, 30 Jun 2010 16:03:22 +0000 (16:03 +0000)]
Improve coding style conformance in net-server.c

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24151 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix a bug in r24147 where svctcp_create() was passing the wrong length
Greg Hudson [Sat, 26 Jun 2010 17:37:20 +0000 (17:37 +0000)]
Fix a bug in r24147 where svctcp_create() was passing the wrong length
argument to bind(), causing it to fail on Solaris.

ticket: 6746

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24148 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMake kadmin work over IPv6
Greg Hudson [Sat, 26 Jun 2010 03:32:55 +0000 (03:32 +0000)]
Make kadmin work over IPv6

Make gssrpc work over IPv6 TCP sockets provided that the client
creates and connects/binds the sockets and doesn't query their
addresses or use bindresvport().  Make kadmin work within those
constraints and handle IPv6.  Specific changes:

* Make svctcp_create() able to extract the port from an IPv6 socket,
  using a new helper function getport().
* Make clnttcp_create() handle a null raddr value if *sockp is set.
* Make kadm5_get_service_name() use getaddrinfo() to canonicalize the
  admin server name.
* Make libkadm5clnt's init_any() responsible for connecting its socket
  using a new helper function connect_to_server(), which uses
  getaddrinfo instead of gethostbyname.  Pass a null address to
  clnttcp_create().
* Make libapputil's net-server.c set up IPv6 as well as IPv4 listener
  ports for RPC connections.
* Adjust the error code expected in a libkadm5 unit test.

ticket: 6746

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24147 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdjust function names and declarations in libkadm5's client_init.c; in
Greg Hudson [Fri, 25 Jun 2010 22:26:04 +0000 (22:26 +0000)]
Adjust function names and declarations in libkadm5's client_init.c; in
particular, avoid the use of library namespace prefixes for static
helper functions.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24146 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoSimplify the iprop conditionalization of _kadm5_init_any()
Greg Hudson [Fri, 25 Jun 2010 22:14:53 +0000 (22:14 +0000)]
Simplify the iprop conditionalization of _kadm5_init_any()

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24145 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove some dead code in kdb5_stash() left behind by r24142
Greg Hudson [Tue, 22 Jun 2010 13:09:58 +0000 (13:09 +0000)]
Remove some dead code in kdb5_stash() left behind by r24142

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24144 dc483132-0cff-0310-8789-dd5450dbe970