krb5.git
14 years agoAdd IAKERB mechanism and gss_acquire_cred_with_password
Greg Hudson [Fri, 30 Apr 2010 21:22:48 +0000 (21:22 +0000)]
Add IAKERB mechanism and gss_acquire_cred_with_password

Merge branches/iakerb to trunk.  Includes the following:

* New IAKERB mechanism.
* New gss_acquire_cred_with_password mechglue function.
* ASN.1 encoders and decoders for IAKERB structures (with tests).
* New shortcuts in gss-sample client and server.
* Tests to exercise SPNEGO and IAKERB using gss-sample application.

ticket: 6712

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23960 dc483132-0cff-0310-8789-dd5450dbe970

14 years agomemory leak in process_tgs_req in r23724
Tom Yu [Fri, 30 Apr 2010 21:10:55 +0000 (21:10 +0000)]
memory leak in process_tgs_req in r23724

Fix a KDC memory leak that was introduced by r23724 that could leak
the decoded request.

ticket: 6711
tags: pullup
target_version: 1.8.2

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23959 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix a backwards check in get_cached_tgt() in the TGS code
Greg Hudson [Tue, 27 Apr 2010 09:02:48 +0000 (09:02 +0000)]
Fix a backwards check in get_cached_tgt() in the TGS code

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23945 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoSquash some warnings in the old crypto API glue. Use make_data()
Greg Hudson [Mon, 26 Apr 2010 16:54:38 +0000 (16:54 +0000)]
Squash some warnings in the old crypto API glue.  Use make_data()
where appropriate so that magic fields get initialized.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23942 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd a Python test script to exercise the GSS sample app
Greg Hudson [Sat, 24 Apr 2010 19:33:33 +0000 (19:33 +0000)]
Add a Python test script to exercise the GSS sample app

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23937 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd a sentinel line to sim_server after the socket is ready, and use
Greg Hudson [Sat, 24 Apr 2010 19:24:36 +0000 (19:24 +0000)]
Add a sentinel line to sim_server after the socket is ready, and use
it in simple.exp in the dejagnu test suite instead of sleeping.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23936 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoEliminate the use of tail -f in the dejagnu test suite. Instead, use
Greg Hudson [Sat, 24 Apr 2010 19:20:11 +0000 (19:20 +0000)]
Eliminate the use of tail -f in the dejagnu test suite.  Instead, use
the sentinel lines printed by krb5kdc and kadmind to detect when the
listening sockets are ready.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23935 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd a sentinel to the sample gss-server after the socket is ready, and
Greg Hudson [Sat, 24 Apr 2010 19:12:34 +0000 (19:12 +0000)]
Add a sentinel to the sample gss-server after the socket is ready, and
use it in gssapi.exp in the dejagnu test suite instead of sleeping.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23934 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoSimplify how k5test scripts get run by importing runenv by pathname
Greg Hudson [Sat, 24 Apr 2010 18:53:25 +0000 (18:53 +0000)]
Simplify how k5test scripts get run by importing runenv by pathname
(using the imp module) instead of by module name.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23933 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRun Python tests as individual rule commands (friendlier to make -k)
Greg Hudson [Sat, 24 Apr 2010 17:33:04 +0000 (17:33 +0000)]
Run Python tests as individual rule commands (friendlier to make -k)
instead of in a loop.  Build runenv.py as part of make fake-install;
it's harmless if Python is unavailable.  Import runenv later in
k5test so that we get a beter error message if make fake-install
hasn't been run.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23932 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix the actual python command to match the displayed one in the
Greg Hudson [Sat, 24 Apr 2010 16:39:49 +0000 (16:39 +0000)]
Fix the actual python command to match the displayed one in the
check-pytests-yes rule in r23913.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23931 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdapted patch from Arlene Berry to handle dlerror() returning a null
Tom Yu [Fri, 23 Apr 2010 01:30:48 +0000 (01:30 +0000)]
Adapted patch from Arlene Berry to handle dlerror() returning a null
pointer.

ticket: 6697
target_version: 1.8.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23929 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdapted patch from Jason Rogers. It wasn't complete, so this commit
Tom Yu [Fri, 23 Apr 2010 01:10:20 +0000 (01:10 +0000)]
Adapted patch from Jason Rogers.  It wasn't complete, so this commit
fixes the other instances of the 64-bit problem.

Also fix krb5_deltat_to_str(), which would previously always return an
empty string.

ticket: 6698
target_version: 1.8.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23928 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFrom Luke: fix the post-canonicalization cache check logic in
Greg Hudson [Thu, 22 Apr 2010 23:29:40 +0000 (23:29 +0000)]
From Luke: fix the post-canonicalization cache check logic in
krb5_get_credentials_for_user().

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23927 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn kg_new_connection(), make sure k_cred is freed in all failure
Greg Hudson [Thu, 22 Apr 2010 20:07:08 +0000 (20:07 +0000)]
In kg_new_connection(), make sure k_cred is freed in all failure
cases.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23926 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoApply patch from Arlene Berry to cease freeing error tokens output by
Tom Yu [Thu, 22 Apr 2010 20:04:01 +0000 (20:04 +0000)]
Apply patch from Arlene Berry to cease freeing error tokens output by
accept_sec_context, allowing them to actually be sent to the
initiator.

ticket: 6696
target_version: 1.8.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23925 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoEliminate a non-useful NULL check in the KDC's dispatch() function.
Greg Hudson [Thu, 22 Apr 2010 03:44:44 +0000 (03:44 +0000)]
Eliminate a non-useful NULL check in the KDC's dispatch() function.
If process_as_req or process_tgs_req return successfully, they will
always fill in *response.  (If they didn't, the subsequence
(*response)->length check would crash anyway.)

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23922 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn kpasswd_sendto_msg_callback(), properly compare against the
Greg Hudson [Thu, 22 Apr 2010 03:19:34 +0000 (03:19 +0000)]
In kpasswd_sendto_msg_callback(), properly compare against the
wildcard IPv6 address instead of comparing an array address to 0.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23921 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix a memory leak in get_creds.c's try_fallback_realm()
Greg Hudson [Wed, 21 Apr 2010 23:47:50 +0000 (23:47 +0000)]
Fix a memory leak in get_creds.c's try_fallback_realm()

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23920 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn the kdc5_hammer test program, simplify the cleanup logic of
Greg Hudson [Wed, 21 Apr 2010 23:37:04 +0000 (23:37 +0000)]
In the kdc5_hammer test program, simplify the cleanup logic of
get_server_key.  Fixes a memory leak where the result of
krb5_get_credentials() didn't get freed if krb5_mk_req_extended()
failed.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23919 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAmend r23917 to correct some uses of *out_creds which should now use
Greg Hudson [Wed, 21 Apr 2010 23:23:09 +0000 (23:23 +0000)]
Amend r23917 to correct some uses of *out_creds which should now use
the local variable.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23918 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn the get_credentials() helper of the gss-krb5 init_sec_context code,
Greg Hudson [Wed, 21 Apr 2010 23:20:29 +0000 (23:20 +0000)]
In the get_credentials() helper of the gss-krb5 init_sec_context code,
ensure that *out_creds is only filled in on successful return.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23917 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn t_inetd, zero out l_inaddr before filling it in, as is relatively
Greg Hudson [Wed, 21 Apr 2010 23:14:49 +0000 (23:14 +0000)]
In t_inetd, zero out l_inaddr before filling it in, as is relatively
common in networking code.  Silences a Coverity defect.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23916 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoOnly create runenv.py at BUILDTOP. Fix bugs in k5test.py relating to
Tom Yu [Tue, 20 Apr 2010 22:35:42 +0000 (22:35 +0000)]
Only create runenv.py at BUILDTOP.  Fix bugs in k5test.py relating to
environment initialization, also so that "make testrealm" works again.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23913 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix CVE-2010-1230 (MITKRB5-SA-2010-004) double-free in KDC triggered
Tom Yu [Tue, 20 Apr 2010 21:12:10 +0000 (21:12 +0000)]
Fix CVE-2010-1230 (MITKRB5-SA-2010-004) double-free in KDC triggered
by ticket renewal.  Add a test case.

See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577490

Thanks to Joel Johnson and Brian Almeida for the reports.

ticket: 6702
target_version: 1.8.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23912 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoWhen setting up to get a TGT for the service realm in the TGS code,
Greg Hudson [Tue, 20 Apr 2010 07:56:58 +0000 (07:56 +0000)]
When setting up to get a TGT for the service realm in the TGS code,
get the cached local TGT before setting up the realm path.

Prior to this change, calling krb5_get_credentials() with an empty
ccache would result in KRB5_CC_NOTFOUND for a foreign server
principal, but would result in KRB5_NO_TKT_IN_REALM (generated by
krb5_walk_realm_tree) for a local server principal.  With this change,
KRB5_CC_NOTFOUND is returned in both cases.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23909 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd KRB5_INIT_CREDS_STEP_FLAG_CONTINUE for parity with Heimdal.
Greg Hudson [Tue, 20 Apr 2010 07:38:12 +0000 (07:38 +0000)]
Add KRB5_INIT_CREDS_STEP_FLAG_CONTINUE for parity with Heimdal.
Rename KRB5_TKT_CREDS_CONTINUE to KRB5_TKT_CREDS_STEP_FLAG_CONTINUE
 for consistency.
Adjust init_creds context to be less confusing in light of the above.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23906 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoBuild runenv.py, holding environment variable settings required for
Tom Yu [Fri, 16 Apr 2010 21:45:22 +0000 (21:45 +0000)]
Build runenv.py, holding environment variable settings required for
running programs out of the build tree during python-based tests.
Also updates shilb.conf to set RUN_VARS to make it easier to generate
this sort of thing.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23905 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIntroduce new krb5_tkt_creds API
Greg Hudson [Wed, 14 Apr 2010 14:36:32 +0000 (14:36 +0000)]
Introduce new krb5_tkt_creds API

Merged from branches/iakerb: add new asynchronous krb5_tkt_creds APIs,
which allow a caller to take responsibility for transporting requests
to the KDC and getting responses back.  Rewrite the existing
krb5_get_credentials API in terms of the new functions.  Get rid of
krb5_get_cred_from_kdc and friends, since they are no longer used.

ticket: 6700

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23900 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoUse krb5_get_credentials in ksu instead of krb5_get_cred_from_kdc, so
Greg Hudson [Wed, 14 Apr 2010 14:01:05 +0000 (14:01 +0000)]
Use krb5_get_credentials in ksu instead of krb5_get_cred_from_kdc, so
we can get rid of the latter.  (Also simplifies the code.)

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23899 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoValidate and renew should work on non-TGT creds
Greg Hudson [Tue, 13 Apr 2010 22:57:34 +0000 (22:57 +0000)]
Validate and renew should work on non-TGT creds

The validate and renew APIs were using get_cred_from_kdc, which
always presents a TGT to get credentials.  Instead, they should
present the ticket they are trying to validate or renew.  This is
most easily done with krb5_get_cred_via_tkt().  Move the relevant
code into a new file since it now has nothing in common with the
other APIs implemented in get_creds.c.

ticket: 6699

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23891 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove krb5int_send_tgs(); it is unused as of r23358
Greg Hudson [Thu, 8 Apr 2010 20:37:11 +0000 (20:37 +0000)]
Remove krb5int_send_tgs(); it is unused as of r23358

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23881 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd krb5_cc_dup() to make it possible to copy ccache handles
Greg Hudson [Thu, 8 Apr 2010 16:39:31 +0000 (16:39 +0000)]
Add krb5_cc_dup() to make it possible to copy ccache handles

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23874 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAssume lstat in Unix code, specifically clients/ksu/ccache.c. Fix bad
Greg Hudson [Thu, 8 Apr 2010 03:15:44 +0000 (03:15 +0000)]
Assume lstat in Unix code, specifically clients/ksu/ccache.c.  Fix bad
indentation caused by an #ifdef HAVE_LSTAT block.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23870 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn testrealm.py, add ksu and kvno to the list of build directories
Greg Hudson [Sun, 4 Apr 2010 20:46:02 +0000 (20:46 +0000)]
In testrealm.py, add ksu and kvno to the list of build directories
containing programs.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23858 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix backwards flag output in krb5_init_creds_step()
Greg Hudson [Mon, 29 Mar 2010 22:08:21 +0000 (22:08 +0000)]
Fix backwards flag output in krb5_init_creds_step()

krb5_init_creds_step() is taken from Heimdal, which sets *flags to 1
for "continue" and 0 for "stop".  Unfortunately, we got it backwards
in 1.8; fix it for 1.8.1.

ticket: 6693
tags: pullup
target_version: 1.8.1

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23844 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAlways pass -W option to kdb5_util create in testing
Ken Raeburn [Sat, 27 Mar 2010 21:30:43 +0000 (21:30 +0000)]
Always pass -W option to kdb5_util create in testing

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23838 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn gc_frm_kdc.c, rename cur_kdc to cur_realm and nxt_kdc to nxt_realm,
Greg Hudson [Fri, 26 Mar 2010 22:43:11 +0000 (22:43 +0000)]
In gc_frm_kdc.c, rename cur_kdc to cur_realm and nxt_kdc to nxt_realm,
to make it easier to distinguish them from cur_tgt and nxt_tgt.  Make
similar name changes to lst_kdc and kdc_list, as well as the function
find_nxt_kdc().

No functional changes.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23837 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoStraighten the if-ladder in encrypted challenge's process_preauth,
Greg Hudson [Thu, 25 Mar 2010 03:08:12 +0000 (03:08 +0000)]
Straighten the if-ladder in encrypted challenge's process_preauth,
making it clearer that control drops through if one of the first
couple of steps fails.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23836 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoApply patch from Arlene Berry to not use freed memory in
Tom Yu [Tue, 23 Mar 2010 22:00:13 +0000 (22:00 +0000)]
Apply patch from Arlene Berry to not use freed memory in
gss_import_sec_context in some error paths.

ticket: 6678
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23834 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMITKRB5-SA-2010-002 CVE-2010-0628 denial of service in SPNEGO
Tom Yu [Tue, 23 Mar 2010 18:53:52 +0000 (18:53 +0000)]
MITKRB5-SA-2010-002 CVE-2010-0628 denial of service in SPNEGO

The SPNEGO implementation in krb5-1.7 and later could crash due to
assertion failure when receiving some sorts of invalid GSS-API tokens.

ticket: 6690
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23832 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoInclude t_spengno.o in list of OBJS so make clean will remove
Ezra Peisach [Tue, 23 Mar 2010 14:08:23 +0000 (14:08 +0000)]
Include t_spengno.o in list of OBJS so make clean will remove

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23831 dc483132-0cff-0310-8789-dd5450dbe970

14 years agokrb5_typed_data not castable to krb5_pa_data on 64-bit MacOSX
Tom Yu [Tue, 23 Mar 2010 06:09:02 +0000 (06:09 +0000)]
krb5_typed_data not castable to krb5_pa_data on 64-bit MacOSX

Move krb5_typed_data to krb5.hin from k5-int-pkinit.h because
krb5int_fast_process_error was assuming that it was safe to cast it to
krb5_pa_data.  It's not safe to do the cast on 64-bit MacOSX because
krb5.hin uses #pragma pack on that platform.

ticket: 6689
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23829 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoChange KRB5_AUTHDATA_SIGNTICKET from 142 to 512
Greg Hudson [Sat, 20 Mar 2010 03:50:06 +0000 (03:50 +0000)]
Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512

KRB5_AUTHDATA_SIGNTICKET, originally a Heimdal authorization data
type, was used to implement PAC-less constrained delegation in krb5
1.8.  Unfortunately, it was found that Microsoft was using 142 for
other purposes, which could result in a ticket issued by an MIT or
Heimdal KDC being rejected by a Windows Server 2008 R2 application
server.  Because KRB5_AUTHDATA_SIGNTICKET is only used to communicate
among a realm's KDCs, it is relatively easy to change the number, so
MIT and Heimdal are both migrating to a new number.  This change will
cause a transitional interoperability issue when a realm mixes MIT
krb5 1.8 (or Heimdal 1.3.1) KDCs with MIT krb5 1.8.1 (or Heimdal
1.3.2) KDCs, but only for constrained delegation evidence tickets.

ticket: 6687
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23821 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoDocument the ticket_lifetime libdefaults setting (which was added in
Greg Hudson [Fri, 19 Mar 2010 16:17:05 +0000 (16:17 +0000)]
Document the ticket_lifetime libdefaults setting (which was added in
r16656, #2656).  Based on a patch from nalin@redhat.com.

ticket: 6680
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23820 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix the kpasswd fallback from the ccache principal name to the
Greg Hudson [Thu, 18 Mar 2010 17:37:31 +0000 (17:37 +0000)]
Fix the kpasswd fallback from the ccache principal name to the
username in the case where the ccache doesn't exist.

ticket: 6683
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23819 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoInclude int-proto.h in mk_req_ext.c for krb5int_validate_times
Greg Hudson [Thu, 18 Mar 2010 17:17:31 +0000 (17:17 +0000)]
Include int-proto.h in mk_req_ext.c for krb5int_validate_times
declaration.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23818 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoUntabify
Ken Raeburn [Thu, 18 Mar 2010 02:45:57 +0000 (02:45 +0000)]
Untabify

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23817 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoCopyright notice
Ken Raeburn [Thu, 18 Mar 2010 02:44:41 +0000 (02:44 +0000)]
Copyright notice

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23816 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoWhen checking for KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT, don't
Greg Hudson [Wed, 17 Mar 2010 21:10:10 +0000 (21:10 +0000)]
When checking for KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT, don't
dereference options if it's NULL.

ticket: 6681
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23815 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd more verbosity when the -V option to kinit is specified. Based on
Greg Hudson [Wed, 17 Mar 2010 20:16:32 +0000 (20:16 +0000)]
Add more verbosity when the -V option to kinit is specified.  Based on
a patch from Jeff Blaine <jblaine@kickflop.net>.

ticket: 6684

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23814 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix the Python version check to use constructs available in older
Greg Hudson [Wed, 17 Mar 2010 19:34:48 +0000 (19:34 +0000)]
Fix the Python version check to use constructs available in older
versions of Python.  (python --version was added in 2.5.)

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23813 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd a version check to the Python test, so that we don't try to run
Greg Hudson [Wed, 17 Mar 2010 19:11:09 +0000 (19:11 +0000)]
Add a version check to the Python test, so that we don't try to run
k5test in Python 2.3 or below.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23812 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMerge users/raeburn/branches/network-merge
Ken Raeburn [Wed, 17 Mar 2010 06:00:56 +0000 (06:00 +0000)]
Merge users/raeburn/branches/network-merge

Re-integrates the forked versions of network.c in kdc and
kadmin/server.  Server-specific initialization and SIGHUP-reset code
is moved into other source files; the more generic network-servicing
code is merged and moved into apputils library already used by both
programs.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23811 dc483132-0cff-0310-8789-dd5450dbe970

14 years agohandle NT_SRV_INST in service principal referrals
Tom Yu [Tue, 16 Mar 2010 19:14:33 +0000 (19:14 +0000)]
handle NT_SRV_INST in service principal referrals

Handle NT_SRV_INST in service principal cross-realm referrals, as
Windows apparently uses that instead of NT_SRV_HST for at least some
service principals.

ticket: 6685
target_version: 1.8.1

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23810 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoSet up KRB5_RUN_ENV for pytests, so that Python-based tests can run
Tom Yu [Mon, 15 Mar 2010 18:53:02 +0000 (18:53 +0000)]
Set up KRB5_RUN_ENV for pytests, so that Python-based tests can run
without first running "make install".

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23805 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoLazy history key creation
Greg Hudson [Thu, 11 Mar 2010 17:05:24 +0000 (17:05 +0000)]
Lazy history key creation

Create kadmin/history lazily when we need it (i.e. when a password is
changed on a principal with a policy) instead of whenever we open the
database.  Allows kadmin.local to be used as a read-only tool on non-
kadmin-conformant database back ends such as the Samba bridge.

ticket: 6679

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23799 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoUse KRB5_CONF_ macros instead of strings in the source file for profile config attrib...
Zhanna Tsitkov [Wed, 10 Mar 2010 20:45:12 +0000 (20:45 +0000)]
Use KRB5_CONF_ macros instead of strings in the source file for profile config attributes "default" and "logging"

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23798 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove vestigial include/spnego-asn1.h
Greg Hudson [Wed, 10 Mar 2010 19:30:58 +0000 (19:30 +0000)]
Remove vestigial include/spnego-asn1.h

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23796 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd a "make testrealm" target using the Python test framework. As
Greg Hudson [Mon, 8 Mar 2010 04:39:08 +0000 (04:39 +0000)]
Add a "make testrealm" target using the Python test framework.  As
part of this, expose the environments in K5Realm as attributes so
that test scripts can modify them.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23794 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMake python test start_in_inetd function
Ezra Peisach [Sun, 7 Mar 2010 20:01:36 +0000 (20:01 +0000)]
Make python test start_in_inetd function

util/k5test.py: Fix incorrect variable used
tests/dejagnu/t_inetd.c: Flush stdout after outputting "Ready!"
tests/dejagnu/Makefile.in: Always compile t_inetd - even in runtest is not
    present

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23773 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRelease the internal_name field of a SPNEGO context if it has not been
Greg Hudson [Fri, 5 Mar 2010 20:35:26 +0000 (20:35 +0000)]
Release the internal_name field of a SPNEGO context if it has not been
claimed for a caller argument.

ticket: 6674
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23772 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd a Python test to run t_spnego
Greg Hudson [Fri, 5 Mar 2010 20:33:37 +0000 (20:33 +0000)]
Add a Python test to run t_spnego

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23771 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn post.in, add a check-pytests intermediate target for Makefile.in to
Greg Hudson [Fri, 5 Mar 2010 20:32:40 +0000 (20:32 +0000)]
In post.in, add a check-pytests intermediate target for Makefile.in to
add dependencies to, for test scripts which run C test programs.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23770 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix a double-free in the t_spnego test program resulting from overly
Greg Hudson [Fri, 5 Mar 2010 20:31:13 +0000 (20:31 +0000)]
Fix a double-free in the t_spnego test program resulting from overly
careless cutting and pasting.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23769 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd a message parameter to k5test's success(), to briefly indicate the
Greg Hudson [Fri, 5 Mar 2010 19:30:32 +0000 (19:30 +0000)]
Add a message parameter to k5test's success(), to briefly indicate the
scope of test scripts.  Only displayed when verbose is set.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23768 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd IPv6 support to changepw.c (reverting r21004 since it is no longer
Greg Hudson [Fri, 5 Mar 2010 19:19:42 +0000 (19:19 +0000)]
Add IPv6 support to changepw.c (reverting r21004 since it is no longer
necessary).  Patch from Submit Bose <sbose@redhat.com>.

ticket: 6661
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23767 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIgnore improperly encoded signedpath AD elements
Greg Hudson [Fri, 5 Mar 2010 17:45:46 +0000 (17:45 +0000)]
Ignore improperly encoded signedpath AD elements

We have some reason to believe Microsoft and Heimdal are both using
the authdata value 142 for different purposes, leading to failures in
verify_ad_signedpath().  For better interoperability, treat such
tickets as unsigned, rather than invalid.

ticket: 6676
target_version: 1.8.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23766 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoError out if a Python test program fails
Greg Hudson [Fri, 5 Mar 2010 04:18:51 +0000 (04:18 +0000)]
Error out if a Python test program fails

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23765 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoClean up a help string in k5test
Greg Hudson [Thu, 4 Mar 2010 21:37:20 +0000 (21:37 +0000)]
Clean up a help string in k5test

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23764 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoPython test framework
Greg Hudson [Thu, 4 Mar 2010 21:24:54 +0000 (21:24 +0000)]
Python test framework

Add a framework for writing tests in Python.  Documentation is in the
initial docstring of util/k5test.py.  Inaugurate the framework with
two test scripts, t_general.py and t_anonypkinit.py, which together
test the same operations as standalone.exp from the dejagnu test
suite.

ticket: 6672

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23763 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove some more test suite cruft:
Greg Hudson [Sun, 28 Feb 2010 20:32:00 +0000 (20:32 +0000)]
Remove some more test suite cruft:
* localhostname from get_hostname was unused.
* database_name is no longer used except (misleadingly) in kdb5_util
  output.
* admin_database_name and admin_database_lockfile are no longer used.
* default_domain is only used for v4->v5 principal conversion, which
  isn't tested.
* libkadm5's init-v2.exp had a copy of get_hostname; domain and
  localhostname from it were unused.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23759 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoOn Linux platforms, use -Wl,--enable-new-dtags when linking shared
Greg Hudson [Sat, 27 Feb 2010 09:49:32 +0000 (09:49 +0000)]
On Linux platforms, use -Wl,--enable-new-dtags when linking shared
libraries and programs using them.  The primary effect is to get ld to
set DT_RUNPATH in addition to DT_RPATH, which in turn allows the
LD_LIBRARY_PATH environment variable to override the compiled-in
runpath, which is friendlier to the test framework.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23758 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoUpdated documentation with information about --with-crypto-impl=IMPL configuration...
Zhanna Tsitkov [Thu, 25 Feb 2010 21:16:16 +0000 (21:16 +0000)]
Updated documentation  with information about --with-crypto-impl=IMPL configuration flag

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23752 dc483132-0cff-0310-8789-dd5450dbe970

14 years agodoc updates for allow_weak_crypto
Tom Yu [Thu, 25 Feb 2010 20:09:45 +0000 (20:09 +0000)]
doc updates for allow_weak_crypto

Update documentation to be more helpful about allow_weak_crypto.

ticket: 6669
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23750 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoTwo problems in kadm5_get_principal mask handling
Greg Hudson [Wed, 24 Feb 2010 18:57:08 +0000 (18:57 +0000)]
Two problems in kadm5_get_principal mask handling

KADM5_MOD_NAME was being applied to entry->principal instead of
entry->mod_name.  KADM5_MKVNO was not being applied to entry->mkvno.
Patch from Marcus Watts <mdw@umich.edu>.

ticket: 6668
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23749 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove some more dejagnu test suite cruft:
Greg Hudson [Mon, 22 Feb 2010 18:27:55 +0000 (18:27 +0000)]
Remove some more dejagnu test suite cruft:
  * check_date was only used by the application tests.
  * touch was never used.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23745 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove some unused cruft in the dejagnu test suite's default.exp:
Greg Hudson [Mon, 22 Feb 2010 18:12:51 +0000 (18:12 +0000)]
Remove some unused cruft in the dejagnu test suite's default.exp:
  * RLOGIN, RLOGIN_FLAGS, ROOT_PROMPT, ROOT_SHELL, check_k5login,
    restore_kerberos_env, setup_root_shell, setup_root_shell_noremote,
    setup_wrapper: No longer used now that the applications are in a
    separate tree.
  * v4_compatible_enctype: No longer used with krb4 support gone.
  * tail1, krb_exit: Apparently never used.
  * KERBEROS_SERVER: Added long ago in r5686 and removed shortly after
    in r5695, but the test suite support for it never got excised.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23744 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoExplain the current SPNEGO initiator/acceptor design in comments. No
Greg Hudson [Mon, 22 Feb 2010 16:10:05 +0000 (16:10 +0000)]
Explain the current SPNEGO initiator/acceptor design in comments.  No
code changes.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23743 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix two unrelated problems in SPNEGO which don't crop up with the krb5
Greg Hudson [Mon, 22 Feb 2010 04:52:30 +0000 (04:52 +0000)]
Fix two unrelated problems in SPNEGO which don't crop up with the krb5
mechanism.

1. The third call to spnego_init_accept_context uses faulty logic to
determine if the exchange is complete, preventing a third mech token
from being sent to the acceptor if no MIC exchange is required.
Follow the logic used in the second call (in init_ctx_nego), which is
correct.

2. If the acceptor selects a mech other than the optimistic mech, it
sets sc->mic_reqd to 1 whether or not the selected mech supports MICs
(which isn't known until the mech completes).  Most code outside of
handle_mic checks sc->mic_reqd along with (sc->ctx_flags &
GSS_C_INTEG_FLAG), but the code in acc_ctx_call_acc neglected to do
so, so it could improperly delegate responsibility for deciding when
the negotiation was finished to handle_mic--which never gets called if
(sc->ctx_flags & GSS_C_INTEG_FLAG) is false.  Fix acc_ctx_call_acc to
check sc->ctx_flags so that mechs which don't support integrity
protection can complete if they are selected non-optimistically.

ticket: 6603
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23742 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoUse bswap16 and bswap32 on NetBSD
Ken Raeburn [Sat, 20 Feb 2010 07:37:13 +0000 (07:37 +0000)]
Use bswap16 and bswap32 on NetBSD

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23741 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoUpdate dependencies
Ken Raeburn [Sat, 20 Feb 2010 04:26:53 +0000 (04:26 +0000)]
Update dependencies

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23740 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMove array decl from mixed within code down into the block where it's
Ken Raeburn [Sat, 20 Feb 2010 04:26:50 +0000 (04:26 +0000)]
Move array decl from mixed within code down into the block where it's
actually used, for C90 compliance.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23739 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoUpdate export list for 2007 plugin interface change
Ken Raeburn [Sat, 20 Feb 2010 04:26:47 +0000 (04:26 +0000)]
Update export list for 2007 plugin interface change

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23738 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMove array decl from mixed within code down into the block where it's
Ken Raeburn [Sat, 20 Feb 2010 04:26:43 +0000 (04:26 +0000)]
Move array decl from mixed within code down into the block where it's
actually used, for C90 compliance.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23737 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMake plugins/cksum_body more likely to build, and remove the empty src
Greg Hudson [Fri, 19 Feb 2010 17:06:58 +0000 (17:06 +0000)]
Make plugins/cksum_body more likely to build, and remove the empty src
directory within.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23736 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoThe TGS code was not freeing authdata. This is an old leak which was
Greg Hudson [Thu, 18 Feb 2010 18:49:11 +0000 (18:49 +0000)]
The TGS code was not freeing authdata.  This is an old leak which was
made more evident in 1.8 by the addition of ad-signedpath authdata
appearing in most tickets issued through the TGS path.

ticket: 6659
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23735 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix cipher state chaining in OpenSSL back end
Greg Hudson [Thu, 18 Feb 2010 18:04:47 +0000 (18:04 +0000)]
Fix cipher state chaining in OpenSSL back end

Make cipher state chaining work in the OpenSSL back end for des, des3,
and arcfour enc providers.  Subtleties:

* DES and DES3 have checks to avoid clobbering ivec with uninitialized
  data if there is no data to encrypt.
* Arcfour saves the OpenSSL cipher context across calls.  To protect
  against a caller improperly copying the state (which happens to work
  with other enc providers), a loopback pointer is used, as in GSSAPI.
* EVP_EncryptFinal_ex is unnecessary with stream ciphers and would
  interfere with cipher state chaining if it did anything, so just
  remove it.

ticket: 6665
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23734 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd display statements for the encrypted tokens generated by t_encrypt
Greg Hudson [Wed, 17 Feb 2010 20:27:22 +0000 (20:27 +0000)]
Add display statements for the encrypted tokens generated by t_encrypt
so that its output can be compared between different back ends.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23733 dc483132-0cff-0310-8789-dd5450dbe970

14 years agovalidator.py is a tool to validate kerb configuration files.
Zhanna Tsitkov [Wed, 17 Feb 2010 16:09:43 +0000 (16:09 +0000)]
validator.py is a tool to validate kerb configuration files.
First, the configuration file is parsed (confparser.py) and validated against formating errors (such as mismatching brackets)
Then the list of the allowed configuration attributes is compiled from k5-int.h and rules.yml
Finally, the kerb configuration file is validated against the list of the allowed strings.
If the error, or something that validator does not understand, is found the warning is issued in the tree-like form indicating the layer where the problem has occurred.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23732 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoupdate mkrel to deal with changed source layout
Tom Yu [Tue, 16 Feb 2010 22:41:27 +0000 (22:41 +0000)]
update mkrel to deal with changed source layout

Update mkrel so it deals somewhat better with removed src/lib/des425,
NOTICES, etc.

ticket: 6663
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23726 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMITKRB5-SA-2010-001 CVE-2010-0283 KDC denial of service
Tom Yu [Tue, 16 Feb 2010 22:10:17 +0000 (22:10 +0000)]
MITKRB5-SA-2010-001 CVE-2010-0283 KDC denial of service

Code introduced in krb5-1.7 can cause an assertion failure if a
KDC-REQ is internally inconsistent, specifically if the ASN.1 tag
doesn't match the msg_type field.  Thanks to Emmanuel Bouillon (NATO
C3 Agency) for discovering and reporting this vulnerability.

ticket: 6662
tags: pullup
target_version: 1.8

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23724 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove another remnant of krb4
Ken Raeburn [Mon, 15 Feb 2010 01:49:19 +0000 (01:49 +0000)]
Remove another remnant of krb4

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23723 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoClarify the SPNEGO NegHints code and plug two cases where half-created
Greg Hudson [Sat, 13 Feb 2010 18:39:37 +0000 (18:39 +0000)]
Clarify the SPNEGO NegHints code and plug two cases where half-created
context could be leaked.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23722 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoSimplify the SPNEGO neg_mechs intersection logic a bit using
Greg Hudson [Fri, 12 Feb 2010 19:18:17 +0000 (19:18 +0000)]
Simplify the SPNEGO neg_mechs intersection logic a bit using
gss_test_oid_set_member.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23717 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMinimal support for updating history key
Greg Hudson [Thu, 11 Feb 2010 16:07:08 +0000 (16:07 +0000)]
Minimal support for updating history key

Add minimal support for re-randomizing the history key:

* cpw -randkey kadmin/history now works, but creates only one key.
* cpw -randkey -keepold kadmin/history still fails.
* libkadm5 no longer caches the history key.  Performance impact
  is minimal since password changes are not common.
* randkey no longer checks the newly randomized key against old keys,
  and the disabled code to do so in setkey/setv4key is gone, so now
  only kadm5_chpass_principal_3 accesses the password history.

ticket: 6660
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23716 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoImplement gss_set_neg_mechs
Greg Hudson [Wed, 10 Feb 2010 23:44:18 +0000 (23:44 +0000)]
Implement gss_set_neg_mechs

Implement gss_set_neg_mechs in SPNEGO by intersecting the provided
mech set with the mechanisms available in the union credential.  As
we now need space to hold the mech set, the SPNEGO credential is now
a structure and not just a mechglue credential.

t_spnego.c is a test program which exercises the new logic.  Like the
other GSSAPI tests, it is not run as part of "make check" at this
time.

ticket: 6658
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23715 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFollowon fixes to r23712:
Greg Hudson [Wed, 10 Feb 2010 01:55:36 +0000 (01:55 +0000)]
Followon fixes to r23712:
* A few formatting fixes.
* Fix unlikely leak in kdc_handle_protected_negotiation: if
  add_pa_data_element with copy == FALSE fails, it's still the
  caller's responsibility to free pa.contents.
* Fix pre-existing (since r23465) leak of reply_encpart.enc_padata in
  process_as_req.
* Call add_pa_data_element with copy == TRUE in
  return_referral_enc_padata since we are passing memory owned by the
  database entry.

ticket: 6656

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23714 dc483132-0cff-0310-8789-dd5450dbe970

14 years agokrb5int_fast_free_state segfaults if state is null
Sam Hartman [Tue, 9 Feb 2010 19:15:12 +0000 (19:15 +0000)]
krb5int_fast_free_state segfaults if state is null

krb5int_fast_free_state fails if state is null.  INstead it should
simply return Reorganization of the get_init_creds logic has created
situations where the init_creds loop can fail between the time when
the context is initialized and the fast state is initialized.

ticket: 6657
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23713 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoenc_padata can include empty sequence
Sam Hartman [Tue, 9 Feb 2010 19:15:07 +0000 (19:15 +0000)]
enc_padata can include empty sequence

There are two issues with return_enc_padata.
1)  It often will return an empty sequence of enc_padata rather than not including the field
2) FAST negotiation is double supported in the referral tgs path and not supported in the non-referral path

Rewrite the return_enc_padata logic to:

* Split  out referral interactions with kdb into its own function
* Use add_pa_data_element

ticket: 6656
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23712 dc483132-0cff-0310-8789-dd5450dbe970