Zhanna Tsitkov [Wed, 27 Apr 2011 15:58:49 +0000 (15:58 +0000)]
Remove worthless call to krb5_cc_set_default_name in krb5_os_init_context
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24901 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 25 Apr 2011 22:01:47 +0000 (22:01 +0000)]
Correctly set the expiration field of impersonated credentials in
kg_compose_deleg_cred(), so we can find them in the cache in
init_sec_context. From aberry@likewise.com.
ticket: 6902
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24900 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 25 Apr 2011 17:28:42 +0000 (17:28 +0000)]
Refactor krb5int_rd_chpw_rep() and make it properly handle both framed
and unframed KRB-ERROR messages. Eliminate krb5int_rd_setpw_rep() and
krb5int_setpw_result_code_string() by making the chpw versions of
those functions handle RFC 3244 replies.
ticket: 6893
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24899 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 25 Apr 2011 16:44:16 +0000 (16:44 +0000)]
Do not reference krb5_chpw_result_code_string in
krb5_change_password() documentation, as it is not a public function.
Do not falsely claim that the result_code_string parameter is unused.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24898 dc483132-0cff-0310-8789-dd5450dbe970
Ezra Peisach [Fri, 22 Apr 2011 19:37:32 +0000 (19:37 +0000)]
Close comment in #endif for KRB5_DEPRECATED to avoid warning of
/* in open comment.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24894 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Fri, 22 Apr 2011 14:13:59 +0000 (14:13 +0000)]
Documented V4/V5 conversion and some credential cache API functions. Marked krb5_cc_gen_new() as deprecated
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24893 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 21 Apr 2011 16:54:31 +0000 (16:54 +0000)]
Remove kg_map_toktype(), as the call sites were removed in r21742
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24892 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Wed, 20 Apr 2011 15:48:20 +0000 (15:48 +0000)]
Documented krb5_auth_con_ API family
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24891 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 20 Apr 2011 14:40:49 +0000 (14:40 +0000)]
Install k5login(5) as well as .k5login(5)
Since there is conflicting precedent as to whether dotfile man pages
should be installed with or without the leading dot, install the
.k5login man page both ways.
ticket: 6904
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24890 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 19 Apr 2011 18:16:17 +0000 (18:16 +0000)]
Missed in r24888: remove the process_chpw_request() prototype from
misc.h as it is now a static function.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24889 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 19 Apr 2011 18:13:41 +0000 (18:13 +0000)]
Clean up schpw.c in kadmind a bit, making use of new k5-int.h helpers
where appropriate.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24888 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 19 Apr 2011 16:46:37 +0000 (16:46 +0000)]
Revert r24886; it was incorrect
ticket: 6903
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24887 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 19 Apr 2011 16:37:19 +0000 (16:37 +0000)]
Fix memory leak in kpasswd server UDP error path
The dispatch() in kadmind's schpw.c could return a failure code with
an allocated response container. net-server.c does not expect this
and leaks the container in the UDP case. Free the container in
dispatch() if we are returning an error.
ticket: 6903
target_version: 1.9.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24886 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 16 Apr 2011 18:10:23 +0000 (18:10 +0000)]
Handle null OID values in gss_oid_equal()
ticket: 6890
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24885 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 16 Apr 2011 17:30:38 +0000 (17:30 +0000)]
Check mech_type as well as mech_name in gssint_import_internal_name(),
for the sake of static analyzers. (Also, since this is an internal
function, it can be called on a half-constructed MN; checking the type
alone would be insufficient.)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24884 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 16 Apr 2011 14:05:22 +0000 (14:05 +0000)]
Fix a code path where mech could be used uninitialized in
gss_accept_sec_context after r24645.
ticket: 6813
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24883 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 16 Apr 2011 13:57:47 +0000 (13:57 +0000)]
Revert r24826. Export krb5int_nfold from libk5crypto and link t_nfold
against libk5crypto, matching the approach used in most other library
unit tests.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24882 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 13 Apr 2011 18:43:37 +0000 (18:43 +0000)]
Fix the sole case in process_chpw_request() where a return could occur
without allocating the data pointer in the response. This prevents a
later free() of an invalid pointer in kill_tcp_or_rpc_connection().
Also initialize rep->data to NULL in process_chpw_request() and clean
up *response in dispatch() as an additional precaution.
ticket: 6899
tags: pullup
target_version: 1.9.1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24878 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 13 Apr 2011 15:15:56 +0000 (15:15 +0000)]
Remove pointer validation code from the gss krb5 mech
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24877 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 12 Apr 2011 18:35:31 +0000 (18:35 +0000)]
In krb5_gss_display_status, correct the sense of the
g_make_string_buffer test, and return GSS_S_FAILURE if it fails.
Reported by snambakam@likewise.com.
ticket: 6898
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24876 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Tue, 12 Apr 2011 13:36:15 +0000 (13:36 +0000)]
Documentation updates. Mostly GIC related
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24875 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 11 Apr 2011 22:23:47 +0000 (22:23 +0000)]
Shuffle around some gss-krb5 entry points to eliminate four mostly
content-free source files and better separate IOV stuff from non-IOV
stuff.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24874 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sun, 10 Apr 2011 16:37:01 +0000 (16:37 +0000)]
Add Doxygen markup for gss_userok() and gss_authorize_localname()
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24870 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sun, 10 Apr 2011 15:42:11 +0000 (15:42 +0000)]
Implement gss_authorize_localname, as discussed on the kitten list,
and make gss_userok a wrapper around it matching the Gnu GSS
prototype. The SPI for gss_authorize_localname doesn't match the API
since we have no way of representing the contents of an internal name
to a mech at the moment. From r24855, r24857, r24858, r24862, r24863,
r24864, r24866, r24867, and r24868 in
users/lhoward/moonshot-mechglue-fixes.
ticket: 6891
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24869 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 8 Apr 2011 17:47:01 +0000 (17:47 +0000)]
When inquiring the default GSS acceptor principal, return a principal
name from the keytab if we can, for better compliance with GSSAPI.
ticket: 6897
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24861 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 8 Apr 2011 17:45:07 +0000 (17:45 +0000)]
Correctly recognize non-iterable keytabs in k5_kt_get_principal()
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24860 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 8 Apr 2011 16:50:13 +0000 (16:50 +0000)]
Add k5_kt_get_principal, an internal krb5 interface to try to get a
principal name from a keytab. Used currently by vfy_increds.c (in
place of its static helper); will also be used when querying the name
of the default gss-krb5 acceptor cred.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24859 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 7 Apr 2011 15:20:37 +0000 (15:20 +0000)]
In the authdata framework, determine which authdata sources to query
based on the module's usage flags. From r24794 in
users/lhoward/moonshot-mechglue-fixes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24853 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 6 Apr 2011 20:06:50 +0000 (20:06 +0000)]
Allow anonymous name to be imported with empty name buffer
When importing a name of type GSS_C_NT_ANONYMOUS, allow the input name
buffer to be null or empty (null is translated into empty before
mechanisms see it).
From r24820 in users/lhoward/moonshot-mechglue-fixes.
ticket: 6896
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24852 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Wed, 6 Apr 2011 19:44:07 +0000 (19:44 +0000)]
Documentation updates
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24851 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 5 Apr 2011 22:15:41 +0000 (22:15 +0000)]
Make depend
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24844 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 5 Apr 2011 22:10:00 +0000 (22:10 +0000)]
gss_duplicate_name SPI for SPNEGO
Preserve attributes when duplicating a name, using the mechanism's
implementation of gss_duplicate_name if present, or a loop over
the attributes if not.
ticket: 6895
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24843 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 4 Apr 2011 23:06:09 +0000 (23:06 +0000)]
More sensical mech selection for gss_acquire_cred/accept_sec_context
If a caller passes an empty mech set to gss_acquire_cred, get a cred
for all mechs instead of just the krb5 mech, as we don't know what
mechanism the cred is going to be used with (particularly in the
acceptor case). As a related fix, if a caller passes a credential to
gss_accept_sec_context and it does not contain a mech-specific cred
for the token's mech, error out instead of using the default cred with
the token's mechanism.
ticket: 6894
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24840 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 4 Apr 2011 20:57:59 +0000 (20:57 +0000)]
r24838 accidentally added a gss_duplicate_name line to
build_dynamicMech(), breaking the build (since gss_duplicate_name
isn't in gss_mechanism yet). Revert that part of the change.
ticket: 6892
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24839 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 4 Apr 2011 20:11:08 +0000 (20:11 +0000)]
Prevent bleed-through of mechglue symbols into loaded mechs
When loading a mech's symbols individually, make sure the symbol we
got wasn't just a mechglue symbol showing through because the mech
was linked against the mechglue. From r24719 in
users/lhoward/moonshot-mechglue-fixes.
ticket: 6892
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24838 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 4 Apr 2011 20:04:54 +0000 (20:04 +0000)]
Add gss_userok and gss_pname_to_uid to dynamic mech loading table.
From r24711 in users/lhoward/moonshot-mechglue-fixes.
ticket: 6891
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24837 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 4 Apr 2011 15:59:35 +0000 (15:59 +0000)]
Add gss_userok and gss_pname_to_uid
Resurrect gss_userok and gss_pname_to_uid in the mechglue. Add krb5
mech implementations using krb5_kuserok and krb5_aname_to_localname,
as well as mechanism-independent implementations based on name
attributes.
From r24710, r24715, r24717, r24731, r24732, r24733, r24734, r24735,
r24747, r24816, and r24819 in users/lhoward/moonshot-mechglue-fixes,
with minor edits.
ticket: 6891
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24836 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Mon, 4 Apr 2011 14:59:22 +0000 (14:59 +0000)]
Documentation updates
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24835 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Sun, 3 Apr 2011 23:21:59 +0000 (23:21 +0000)]
CoreFoundation is no longer used for UCS2 conversions
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24834 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Sun, 3 Apr 2011 23:21:56 +0000 (23:21 +0000)]
Drop some redundant autoconf tests
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24833 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Sun, 3 Apr 2011 23:21:52 +0000 (23:21 +0000)]
Don't check for stdarg.h
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24832 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Sun, 3 Apr 2011 23:21:46 +0000 (23:21 +0000)]
Don't test HAVE_STDARG_H, just assume it
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24831 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sun, 3 Apr 2011 22:16:53 +0000 (22:16 +0000)]
In t_fortuna.c, use a static buffer in head_tail_test, and use %f for
a double argument, not %lf.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24830 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Sun, 3 Apr 2011 22:10:03 +0000 (22:10 +0000)]
Don't allocate over 2MB on the stack; sparc-netbsd3.0 default stack
limit is 2MB.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24829 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Sun, 3 Apr 2011 21:54:32 +0000 (21:54 +0000)]
Include krb5_libinit.h always, since we call krb5int_initialize_library always
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24828 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sun, 3 Apr 2011 12:34:43 +0000 (12:34 +0000)]
Revert r24815 and the RTLD_NODELETE part of r24744, which was
committed by accident.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24827 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sun, 3 Apr 2011 12:31:13 +0000 (12:31 +0000)]
Avoid using crypto_int.h in t_nfold.c for convenience on Solaris; just
prototype krb5int_nfold instead.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24826 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sun, 3 Apr 2011 12:26:23 +0000 (12:26 +0000)]
destest.c no longer needs crypto_int.h
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24825 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sun, 3 Apr 2011 08:02:53 +0000 (08:02 +0000)]
Use RFC 5587 const types for draft-josefsson-gss-capsulate APIs
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24821 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Sun, 3 Apr 2011 06:48:45 +0000 (06:48 +0000)]
Only use RTLD_NODELETE if it's available
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24815 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 2 Apr 2011 18:27:50 +0000 (18:27 +0000)]
Factor out the address checks in krb5_rd_safe and krb5_rd_priv into
a new function k5_privsafe_check_addrs.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24806 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 2 Apr 2011 17:30:45 +0000 (17:30 +0000)]
In libkrb5, move krb5int_auth_con_chkseqnum to a new file privsafe.c,
renamed to k5_privsafe_check_seqnum. Declare it in int-proto.h rather
than k5-int.h.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24805 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 2 Apr 2011 16:37:00 +0000 (16:37 +0000)]
Add PADL license to collected licenses
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24804 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sat, 2 Apr 2011 06:41:44 +0000 (06:41 +0000)]
When doing S4U2Self for the anon principal, use the server realm
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24793 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sat, 2 Apr 2011 06:41:31 +0000 (06:41 +0000)]
typo fix
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24792 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 1 Apr 2011 19:36:50 +0000 (19:36 +0000)]
Allow absolute paths for mechglue libraries. From r24736 in
users/lhoward/moonshot-mechglue/fixes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24781 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 1 Apr 2011 19:34:57 +0000 (19:34 +0000)]
Implement draft-josefsson-gss-capsulate
Add gss_encapsulate_token(), gss_decapsulate_token(), and
gss_oid_equal() APIs, which are already present in Heimdal and Shishi.
From r24737, r24738, and r24740 in
users/lhoward/moonshot-mechglue-fixes.
ticket: 6890
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24780 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 1 Apr 2011 18:38:10 +0000 (18:38 +0000)]
Fix a potential uninitialized free in prepare_error_as()
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24779 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 1 Apr 2011 05:56:46 +0000 (05:56 +0000)]
only reset greeting if provided attribute is urn:greet:greeting
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24776 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 1 Apr 2011 05:56:33 +0000 (05:56 +0000)]
s4u2proxy_set_attribute should only return EPERM for its own attribute
Failure to do this breaks other attribute providers' set_attribute()
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24775 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 29 Mar 2011 22:44:30 +0000 (22:44 +0000)]
In r21175 (on the mskrb branch, merged in r21690) the result codes for
password quality and other errors were accidentally reversed. Fix
them so that password quality errors generate a "soft" failure and
other errors generate a "hard" failure, as Heimdal and Microsoft do.
Also recognize KADM5_PASS_Q_GENERIC (added in 1.9) as a password
quality error.
ticket: 6888
target_version: 1.9.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24755 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Tue, 29 Mar 2011 18:52:22 +0000 (18:52 +0000)]
In krb5_cc_move if something went wrong, free the dst credential cache
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24754 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Tue, 29 Mar 2011 16:22:05 +0000 (16:22 +0000)]
If the new configuration data that is passed to krb5_cc_set_config is NULL, just remove the old configuration.
Moved short krb5_cc_set_config usage example from krb5.hin into the separate file.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24753 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Tue, 29 Mar 2011 15:19:41 +0000 (15:19 +0000)]
Updated the documentation for the krb5_ error_message function family.
Created the directory doc/doxy_examples/ to hold examples used in the doxygen documentation.
Added usage example for the krb5_get/set/free_error_message functions
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24752 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Tue, 29 Mar 2011 15:10:00 +0000 (15:10 +0000)]
Static function names should not have krb5_ prefix
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24751 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 28 Mar 2011 23:35:54 +0000 (23:35 +0000)]
Remove the weak key checks from the builtin rc4 enc provider. There
is no standards support for avoiding RC4 weak keys, so rejecting them
causes periodic failures. Heimdal and Microsoft do not check for weak
keys. Attacks based on these weak keys are probably thwarted by the
use of a confounder, and even if not, the reduction in work factor is
not terribly significant for 128-bit keys.
ticket: 6886
target_version: 1.9.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24750 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 28 Mar 2011 17:05:54 +0000 (17:05 +0000)]
Use first principal in keytab when verifying creds
In krb5_verify_init_creds(), use the first principal in the keytab
to verify the credentials instead of the result of
krb5_sname_to_principal(). Also add tests.
ticket: 6887
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24749 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Mon, 28 Mar 2011 15:04:27 +0000 (15:04 +0000)]
Documentation update. Mostly related to _kt_ and _cc_ routines
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24748 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 25 Mar 2011 15:50:06 +0000 (15:50 +0000)]
Fix a precedence error in g_make_token_header() which caused it to
write the wrong length when no token type is passed.
(From r24739 in users/lhoward/moonshot-mechglue-fixes.)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24745 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 25 Mar 2011 15:46:03 +0000 (15:46 +0000)]
Set better error messages when plugins fail to load.
(From r24741 in users/lhowards/moonshot-mechglue-fixes.)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24744 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 24 Mar 2011 01:24:42 +0000 (01:24 +0000)]
Fix DAL documentation to recommend using krb5_db_get_context() and
krb5_db_set_context() instead of directly accessing
context->dal_handle->db_context (which requires internal headers).
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24743 dc483132-0cff-0310-8789-dd5450dbe970
Ezra Peisach [Sat, 19 Mar 2011 15:06:21 +0000 (15:06 +0000)]
Update dependencies
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24730 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Fri, 18 Mar 2011 21:29:23 +0000 (21:29 +0000)]
Minor clean-up in krb5.hin
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24729 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Fri, 18 Mar 2011 20:48:06 +0000 (20:48 +0000)]
Move doxygen comments from source to header. Updated comments and added some usage examples.
Affected functions: krb5_cc_get_config, krb5_cc_set_config, krb5_is_config_principal
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24728 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 18 Mar 2011 19:12:33 +0000 (19:12 +0000)]
Reinstate the line wrapping of the copyright notice in krb5.hin, and
fix the format of the header comment.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24727 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Fri, 18 Mar 2011 18:16:32 +0000 (18:16 +0000)]
Added usage examples to the krb5_build_principal function family
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24726 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 18 Mar 2011 00:04:22 +0000 (00:04 +0000)]
Use a helper function to clarify prepare_error_as() in the KDC
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24725 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 17 Mar 2011 22:10:44 +0000 (22:10 +0000)]
KDC memory leak of reply padata for FAST replies
kdc_fast_response_handle_padata() replaces rep->padata, causing the
old value to be leaked. As a minimal fix, free the old value of
rep->padata before replacing it.
ticket: 6885
target_version: 1.9.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24724 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 17 Mar 2011 22:08:22 +0000 (22:08 +0000)]
Don't leak the default realm name when initializing the default realm
in the KDC.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24723 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 17 Mar 2011 20:02:01 +0000 (20:02 +0000)]
KDC memory leak in FAST error path
When kdc_fast_handle_error() produces a FAST-encoded error, it puts it
into err->e_data and it never gets freed (since in the non-FAST case,
err->e_data contains aliased pointers). Fix this by storing the
encoded error in an output variable which is placed into the error's
e_data by the caller and then freed.
ticket: 6884
target_version: 1.9.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24722 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 15 Mar 2011 21:47:19 +0000 (21:47 +0000)]
KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284]
Fix a double-free condition in the KDC that can occur during an
AS-REQ when PKINIT is enabled.
ticket: 6881
tags: pullup
target_version: 1.9.1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24705 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 15 Mar 2011 19:02:32 +0000 (19:02 +0000)]
Remove the Yarrow copyright notice since the code is gone
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24704 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 14 Mar 2011 20:34:59 +0000 (20:34 +0000)]
Resolve a few miscellaneous warnings
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24703 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 14 Mar 2011 19:12:18 +0000 (19:12 +0000)]
Remove two headers accidentally left behind in r24677
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24702 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 11 Mar 2011 17:53:18 +0000 (17:53 +0000)]
Although it can't actually happen, make it more explicit that we won't
dereference a null mech in the cleanup handler of the mechglue's
gss_accept_sec_context.
ticket: 6813
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24701 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 11 Mar 2011 17:47:21 +0000 (17:47 +0000)]
Fix NSS PBKDF2 in the v4 salt (i.e. empty salt) case
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24700 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 11 Mar 2011 04:20:17 +0000 (04:20 +0000)]
Move the des and AFS string-to-key implementations into lib/crypto/krb,
since they aren't standard crypto primitives. Revise the module SPI
accordingly. Add tests for AFS string-to-key to t_str2key.c to replace
the ones in the (now defunct) t_afss2k.c.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24699 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 11 Mar 2011 04:17:42 +0000 (04:17 +0000)]
Fix a couple of key import modes in the NSS module, although they don't
seem to matter a lot.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24698 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 9 Mar 2011 21:50:47 +0000 (21:50 +0000)]
Remove ser_eblk.c, which has been unused since r11001 (October 1998)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24697 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 9 Mar 2011 21:47:51 +0000 (21:47 +0000)]
Add one-line descriptions in the filename comments to prototype.[ch]
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24696 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 9 Mar 2011 21:46:07 +0000 (21:46 +0000)]
Adjust most C source files to match the new standards for copyright
and license comments.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24695 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 9 Mar 2011 21:42:08 +0000 (21:42 +0000)]
Add a script and Makefile target to check for violations of the
recently added standards for copyright and license comments.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24694 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 8 Mar 2011 20:53:55 +0000 (20:53 +0000)]
Fix a memory leak independently found by Tim Pozdeev and Arlene Berry
This change should be pulled up to the 1.8 and 1.7 branches as well.
ticket: 6844
tags: pullup
target_version: 1.9.1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24693 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 8 Mar 2011 19:34:31 +0000 (19:34 +0000)]
SPNEGO's accept_sec_context and init_sec_context produce a null context
on error, so it needs to silently succeed when deleting a null context.
It was instead passing the null context along to the mechglue which
would produce an error, causing a leak of the mechglue's union context
wrapper. Reported by aberry@likewise.com.
ticket: 6863
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24692 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 8 Mar 2011 17:22:20 +0000 (17:22 +0000)]
prototype/getopt.c hasn't been updated in quite some time and we don't
really need it.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24691 dc483132-0cff-0310-8789-dd5450dbe970
Ezra Peisach [Sun, 6 Mar 2011 16:33:47 +0000 (16:33 +0000)]
Update dependencies
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24690 dc483132-0cff-0310-8789-dd5450dbe970
Ezra Peisach [Sun, 6 Mar 2011 13:30:35 +0000 (13:30 +0000)]
Fix up signed/unsigned warnings in this directory. There are still
a few more - but these were the obvious ones.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24689 dc483132-0cff-0310-8789-dd5450dbe970
Ezra Peisach [Sun, 6 Mar 2011 13:29:54 +0000 (13:29 +0000)]
Clean up memory leaks at end of program. No leaks now on success
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24688 dc483132-0cff-0310-8789-dd5450dbe970
Ezra Peisach [Sun, 6 Mar 2011 13:29:05 +0000 (13:29 +0000)]
On make clean remove test programs and object files. In lib/krb5/krb
make depend as a test program was missed from the source list.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24687 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 5 Mar 2011 19:16:28 +0000 (19:16 +0000)]
Add test vectors from RFC 3961 for DES and DES3 to t_str2key.c. Fix
OpenSSL module handling of salts in its DES string-to-key.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24686 dc483132-0cff-0310-8789-dd5450dbe970