Ken Raeburn [Sun, 16 May 2010 02:49:49 +0000 (02:49 +0000)]
Stop exporting some profile symbols that aren't either published in
the header or known serialization functions used by the krb5 library.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24040 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Sun, 16 May 2010 02:49:45 +0000 (02:49 +0000)]
Force hostname to lower-case for use in principal names
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24039 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 13 May 2010 18:58:43 +0000 (18:58 +0000)]
Negative enctypes improperly read from ccaches
When reading enctypes from ccaches, we need to sign-extend the 16-bit
value we read in order to properly read negative enctypes.
ticket: 6723
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24021 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 13 May 2010 18:49:20 +0000 (18:49 +0000)]
Error handling bug in krb5_init_creds_init()
Fix a bug in krb5_init_creds_init() where a freed context could be
returned to the caller in certain error cases.
ticket: 6722
tags: pullup
target_version: 1.8.2
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24020 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 13 May 2010 17:34:33 +0000 (17:34 +0000)]
Negative enctypes improperly read from keytabs
When reading enctypes from keytabs, we need to ntohs() the 16-bit
value we read in before sign-extending it to a 32-bit value in the
keyblock, or we run the risk of extending the wrong sign.
ticket: 6720
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24016 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 13 May 2010 16:46:50 +0000 (16:46 +0000)]
Make k5test.py work for builds in the source dir
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24015 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 12 May 2010 21:58:54 +0000 (21:58 +0000)]
Remove krb5_get_in_tkt
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24013 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 12 May 2010 20:49:11 +0000 (20:49 +0000)]
Reimplement krb5_get_in_tkt_with_skey in terms of krb5_get_init_creds,
similar to how the password and keytab equivalents were done.
Eliminate krb5_get_in_tkt. It's been very hard to use since we made
krb5_kdc_rep_decrypt_proc private (in krb5 1.7 the prototype was taken
out of krb5.h altogether), and it's unlikely that anything would have
used it directly in the first place.
Remove and/or simplify a lot of code depended on by krb_get_in_tkt,
including all of preauth.c.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24012 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 10 May 2010 22:42:04 +0000 (22:42 +0000)]
Add lockout-related performance tuning variables
The account lockout feature of krb5 1.8 came at a cost in database
accesses for principals requiring preauth, even if lockout is not
used. Add dbmodules variables disable_last_success and
disable_lockout for the DB2 and LDAP back ends, allowing the admin to
recover the lost performance at the cost of new functionality.
(Unrelated documentation fix: document database_name as a DB2-specific
dbmodules variable instead of the realm variable it used to be.)
ticket: 6719
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24003 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 10 May 2010 22:23:57 +0000 (22:23 +0000)]
Make KADM5_FAIL_AUTH_COUNT_INCREMENT more robust with LDAP
In krb5_ldap_put_principal, use krb5_get_attributes_mask to determine
whether krbLoginFailedCount existed on the entry when it was
retrieved. If it didn't exist, don't try to use LDAP_MOD_INCREMENT,
and don't assert an old value when not using LDAP_MOD_INCREMENT.
Also, create the krbLoginFailedCount attribute when creating new
entries. This allows us to use LDAP_MOD_INCREMENT during the first
failed login (if the server supports it), avoiding a race condition.
ticket: 6718
target_version: 1.8.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24002 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 5 May 2010 17:11:39 +0000 (17:11 +0000)]
General code consistency pass in kdb_db2.c.
Removes some pointless null checks.
Frees the DB context when a DB is finalized.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23973 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 4 May 2010 22:00:41 +0000 (22:00 +0000)]
Adjust for removal of krb5_ldap_set_option in r23965
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23972 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 4 May 2010 19:01:16 +0000 (19:01 +0000)]
Get rid of some kdb5_util load code which is no longer useful after
the introduction of the DAL.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23971 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 4 May 2010 17:08:39 +0000 (17:08 +0000)]
Remove some unused format string definitions from kdb5_util's dump.c
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23970 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 4 May 2010 16:54:00 +0000 (16:54 +0000)]
Remove some unused fields from kadm5_config_params. Bump the client
and server sonames.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23969 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 4 May 2010 15:58:59 +0000 (15:58 +0000)]
Eliminate the unused realm_dbname field from krb5_realm_params
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23968 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 4 May 2010 05:49:39 +0000 (05:49 +0000)]
Remove a stray comment from r23966
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23967 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 4 May 2010 05:44:07 +0000 (05:44 +0000)]
Refactor the kdb_db2.c code which processes db_args and profile
variables to configure a DB context, to avoid repeating that code
three times in open/create/destroy.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23966 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 4 May 2010 04:12:24 +0000 (04:12 +0000)]
Remove krb5_db_set_option and the associated DAL entry. It was not
used.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23965 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 3 May 2010 23:44:30 +0000 (23:44 +0000)]
Correct the DAL documentation for db_create
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23964 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 3 May 2010 19:42:29 +0000 (19:42 +0000)]
Eliminate some uses of variables as format strings. Based on a patch
from Guillaume Rousse <Guillaume.Rousse@inria.fr>.
ticket: 6714
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23963 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 3 May 2010 19:02:16 +0000 (19:02 +0000)]
Eliminate the use of variables for format strings in kdb5_util. Many
were unused, and localization will probably be done through _()
macros, not collecting all the strings together. Eliminates a number
of format-security static analysis defects.
ticket: 6714
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23962 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 1 May 2010 17:53:04 +0000 (17:53 +0000)]
Fix some bugs in the IAKERB code discovered by Coverity. Also trim
down iakerb_initiator_step() a little using krb5_data constructors
and avoiding vertical function arguments.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23961 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 30 Apr 2010 21:22:48 +0000 (21:22 +0000)]
Add IAKERB mechanism and gss_acquire_cred_with_password
Merge branches/iakerb to trunk. Includes the following:
* New IAKERB mechanism.
* New gss_acquire_cred_with_password mechglue function.
* ASN.1 encoders and decoders for IAKERB structures (with tests).
* New shortcuts in gss-sample client and server.
* Tests to exercise SPNEGO and IAKERB using gss-sample application.
ticket: 6712
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23960 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Fri, 30 Apr 2010 21:10:55 +0000 (21:10 +0000)]
memory leak in process_tgs_req in r23724
Fix a KDC memory leak that was introduced by r23724 that could leak
the decoded request.
ticket: 6711
tags: pullup
target_version: 1.8.2
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23959 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 27 Apr 2010 09:02:48 +0000 (09:02 +0000)]
Fix a backwards check in get_cached_tgt() in the TGS code
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23945 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 26 Apr 2010 16:54:38 +0000 (16:54 +0000)]
Squash some warnings in the old crypto API glue. Use make_data()
where appropriate so that magic fields get initialized.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23942 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 24 Apr 2010 19:33:33 +0000 (19:33 +0000)]
Add a Python test script to exercise the GSS sample app
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23937 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 24 Apr 2010 19:24:36 +0000 (19:24 +0000)]
Add a sentinel line to sim_server after the socket is ready, and use
it in simple.exp in the dejagnu test suite instead of sleeping.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23936 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 24 Apr 2010 19:20:11 +0000 (19:20 +0000)]
Eliminate the use of tail -f in the dejagnu test suite. Instead, use
the sentinel lines printed by krb5kdc and kadmind to detect when the
listening sockets are ready.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23935 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 24 Apr 2010 19:12:34 +0000 (19:12 +0000)]
Add a sentinel to the sample gss-server after the socket is ready, and
use it in gssapi.exp in the dejagnu test suite instead of sleeping.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23934 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 24 Apr 2010 18:53:25 +0000 (18:53 +0000)]
Simplify how k5test scripts get run by importing runenv by pathname
(using the imp module) instead of by module name.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23933 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 24 Apr 2010 17:33:04 +0000 (17:33 +0000)]
Run Python tests as individual rule commands (friendlier to make -k)
instead of in a loop. Build runenv.py as part of make fake-install;
it's harmless if Python is unavailable. Import runenv later in
k5test so that we get a better error message if make fake-install
hasn't been run.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23932 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 24 Apr 2010 16:39:49 +0000 (16:39 +0000)]
Fix the actual python command to match the displayed one in the
check-pytests-yes rule in r23913.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23931 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Fri, 23 Apr 2010 01:30:48 +0000 (01:30 +0000)]
Adapted patch from Arlene Berry to handle dlerror() returning a null
pointer.
ticket: 6697
target_version: 1.8.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23929 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Fri, 23 Apr 2010 01:10:20 +0000 (01:10 +0000)]
Adapted patch from Jason Rogers. It wasn't complete, so this commit
fixes the other instances of the 64-bit problem.
Also fix krb5_deltat_to_str(), which would previously always return an
empty string.
ticket: 6698
target_version: 1.8.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23928 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 22 Apr 2010 23:29:40 +0000 (23:29 +0000)]
From Luke: fix the post-canonicalization cache check logic in
krb5_get_credentials_for_user().
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23927 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 22 Apr 2010 20:07:08 +0000 (20:07 +0000)]
In kg_new_connection(), make sure k_cred is freed in all failure
cases.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23926 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Thu, 22 Apr 2010 20:04:01 +0000 (20:04 +0000)]
Apply patch from Arlene Berry to cease freeing error tokens output by
accept_sec_context, allowing them to actually be sent to the
initiator.
ticket: 6696
target_version: 1.8.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23925 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 22 Apr 2010 03:44:44 +0000 (03:44 +0000)]
Eliminate a non-useful NULL check in the KDC's dispatch() function.
If process_as_req or process_tgs_req return successfully, they will
always fill in *response. (If they didn't, the subsequent
(*response)->length check would crash anyway.)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23922 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 22 Apr 2010 03:19:34 +0000 (03:19 +0000)]
In kpasswd_sendto_msg_callback(), properly compare against the
wildcard IPv6 address instead of comparing an array address to 0.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23921 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 21 Apr 2010 23:47:50 +0000 (23:47 +0000)]
Fix a memory leak in get_creds.c's try_fallback_realm()
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23920 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 21 Apr 2010 23:37:04 +0000 (23:37 +0000)]
In the kdc5_hammer test program, simplify the cleanup logic of
get_server_key. Fixes a memory leak where the result of
krb5_get_credentials() didn't get freed if krb5_mk_req_extended()
failed.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23919 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 21 Apr 2010 23:23:09 +0000 (23:23 +0000)]
Amend r23917 to correct some uses of *out_creds which should now use
the local variable.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23918 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 21 Apr 2010 23:20:29 +0000 (23:20 +0000)]
In the get_credentials() helper of the gss-krb5 init_sec_context code,
ensure that *out_creds is only filled in on successful return.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23917 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 21 Apr 2010 23:14:49 +0000 (23:14 +0000)]
In t_inetd, zero out l_inaddr before filling it in, as is relatively
common in networking code. Silences a Coverity defect.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23916 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 20 Apr 2010 22:35:42 +0000 (22:35 +0000)]
Only create runenv.py at BUILDTOP. Fix bugs in k5test.py relating to
environment initialization, also so that "make testrealm" works again.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23913 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 20 Apr 2010 21:12:10 +0000 (21:12 +0000)]
Fix CVE-2010-1230 (MITKRB5-SA-2010-004) double-free in KDC triggered
by ticket renewal. Add a test case.
See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577490
Thanks to Joel Johnson and Brian Almeida for the reports.
ticket: 6702
target_version: 1.8.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23912 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 20 Apr 2010 07:56:58 +0000 (07:56 +0000)]
When setting up to get a TGT for the service realm in the TGS code,
get the cached local TGT before setting up the realm path.
Prior to this change, calling krb5_get_credentials() with an empty
ccache would result in KRB5_CC_NOTFOUND for a foreign server
principal, but would result in KRB5_NO_TKT_IN_REALM (generated by
krb5_walk_realm_tree) for a local server principal. With this change,
KRB5_CC_NOTFOUND is returned in both cases.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23909 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 20 Apr 2010 07:38:12 +0000 (07:38 +0000)]
Add KRB5_INIT_CREDS_STEP_FLAG_CONTINUE for parity with Heimdal.
Rename KRB5_TKT_CREDS_CONTINUE to KRB5_TKT_CREDS_STEP_FLAG_CONTINUE
for consistency.
Adjust init_creds context to be less confusing in light of the above.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23906 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Fri, 16 Apr 2010 21:45:22 +0000 (21:45 +0000)]
Build runenv.py, holding environment variable settings required for
running programs out of the build tree during python-based tests.
Also updates shlib.conf to set RUN_VARS to make it easier to generate
this sort of thing.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23905 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 14 Apr 2010 14:36:32 +0000 (14:36 +0000)]
Introduce new krb5_tkt_creds API
Merged from branches/iakerb: add new asynchronous krb5_tkt_creds APIs,
which allow a caller to take responsibility for transporting requests
to the KDC and getting responses back. Rewrite the existing
krb5_get_credentials API in terms of the new functions. Get rid of
krb5_get_cred_from_kdc and friends, since they are no longer used.
ticket: 6700
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23900 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 14 Apr 2010 14:01:05 +0000 (14:01 +0000)]
Use krb5_get_credentials in ksu instead of krb5_get_cred_from_kdc, so
we can get rid of the latter. (Also simplifies the code.)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23899 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 13 Apr 2010 22:57:34 +0000 (22:57 +0000)]
Validate and renew should work on non-TGT creds
The validate and renew APIs were using get_cred_from_kdc, which
always presents a TGT to get credentials. Instead, they should
present the ticket they are trying to validate or renew. This is
most easily done with krb5_get_cred_via_tkt(). Move the relevant
code into a new file since it now has nothing in common with the
other APIs implemented in get_creds.c.
ticket: 6699
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23891 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 8 Apr 2010 20:37:11 +0000 (20:37 +0000)]
Remove krb5int_send_tgs(); it is unused as of r23358
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23881 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 8 Apr 2010 16:39:31 +0000 (16:39 +0000)]
Add krb5_cc_dup() to make it possible to copy ccache handles
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23874 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 8 Apr 2010 03:15:44 +0000 (03:15 +0000)]
Assume lstat in Unix code, specifically clients/ksu/ccache.c. Fix bad
indentation caused by an #ifdef HAVE_LSTAT block.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23870 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sun, 4 Apr 2010 20:46:02 +0000 (20:46 +0000)]
In testrealm.py, add ksu and kvno to the list of build directories
containing programs.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23858 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 29 Mar 2010 22:08:21 +0000 (22:08 +0000)]
Fix backwards flag output in krb5_init_creds_step()
krb5_init_creds_step() is taken from Heimdal, which sets *flags to 1
for "continue" and 0 for "stop". Unfortunately, we got it backwards
in 1.8; fix it for 1.8.1.
ticket: 6693
tags: pullup
target_version: 1.8.1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23844 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Sat, 27 Mar 2010 21:30:43 +0000 (21:30 +0000)]
Always pass -W option to kdb5_util create in testing
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23838 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 26 Mar 2010 22:43:11 +0000 (22:43 +0000)]
In gc_frm_kdc.c, rename cur_kdc to cur_realm and nxt_kdc to nxt_realm,
to make it easier to distinguish them from cur_tgt and nxt_tgt. Make
similar name changes to lst_kdc and kdc_list, as well as the function
find_nxt_kdc().
No functional changes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23837 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 25 Mar 2010 03:08:12 +0000 (03:08 +0000)]
Straighten the if-ladder in encrypted challenge's process_preauth,
making it clearer that control drops through if one of the first
couple of steps fails.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23836 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 23 Mar 2010 22:00:13 +0000 (22:00 +0000)]
Apply patch from Arlene Berry to not use freed memory in
gss_import_sec_context in some error paths.
ticket: 6678
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23834 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 23 Mar 2010 18:53:52 +0000 (18:53 +0000)]
MITKRB5-SA-2010-002 CVE-2010-0628 denial of service in SPNEGO
The SPNEGO implementation in krb5-1.7 and later could crash due to
assertion failure when receiving some sorts of invalid GSS-API tokens.
ticket: 6690
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23832 dc483132-0cff-0310-8789-dd5450dbe970
Ezra Peisach [Tue, 23 Mar 2010 14:08:23 +0000 (14:08 +0000)]
Include t_spnego.o in list of OBJS so make clean will remove
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23831 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 23 Mar 2010 06:09:02 +0000 (06:09 +0000)]
krb5_typed_data not castable to krb5_pa_data on 64-bit MacOSX
Move krb5_typed_data to krb5.hin from k5-int-pkinit.h because
krb5int_fast_process_error was assuming that it was safe to cast it to
krb5_pa_data. It's not safe to do the cast on 64-bit MacOSX because
krb5.hin uses #pragma pack on that platform.
ticket: 6689
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23829 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 20 Mar 2010 03:50:06 +0000 (03:50 +0000)]
Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
KRB5_AUTHDATA_SIGNTICKET, originally a Heimdal authorization data
type, was used to implement PAC-less constrained delegation in krb5
1.8. Unfortunately, it was found that Microsoft was using 142 for
other purposes, which could result in a ticket issued by an MIT or
Heimdal KDC being rejected by a Windows Server 2008 R2 application
server. Because KRB5_AUTHDATA_SIGNTICKET is only used to communicate
among a realm's KDCs, it is relatively easy to change the number, so
MIT and Heimdal are both migrating to a new number. This change will
cause a transitional interoperability issue when a realm mixes MIT
krb5 1.8 (or Heimdal 1.3.1) KDCs with MIT krb5 1.8.1 (or Heimdal
1.3.2) KDCs, but only for constrained delegation evidence tickets.
ticket: 6687
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23821 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 19 Mar 2010 16:17:05 +0000 (16:17 +0000)]
Document the ticket_lifetime libdefaults setting (which was added in
r16656, #2656). Based on a patch from nalin@redhat.com.
ticket: 6680
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23820 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 18 Mar 2010 17:37:31 +0000 (17:37 +0000)]
Fix the kpasswd fallback from the ccache principal name to the
username in the case where the ccache doesn't exist.
ticket: 6683
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23819 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 18 Mar 2010 17:17:31 +0000 (17:17 +0000)]
Include int-proto.h in mk_req_ext.c for krb5int_validate_times
declaration.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23818 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Thu, 18 Mar 2010 02:45:57 +0000 (02:45 +0000)]
Untabify
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23817 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Thu, 18 Mar 2010 02:44:41 +0000 (02:44 +0000)]
Copyright notice
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23816 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 17 Mar 2010 21:10:10 +0000 (21:10 +0000)]
When checking for KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT, don't
dereference options if it's NULL.
ticket: 6681
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23815 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 17 Mar 2010 20:16:32 +0000 (20:16 +0000)]
Add more verbosity when the -V option to kinit is specified. Based on
a patch from Jeff Blaine <jblaine@kickflop.net>.
ticket: 6684
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23814 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 17 Mar 2010 19:34:48 +0000 (19:34 +0000)]
Fix the Python version check to use constructs available in older
versions of Python. (python --version was added in 2.5.)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23813 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 17 Mar 2010 19:11:09 +0000 (19:11 +0000)]
Add a version check to the Python test, so that we don't try to run
k5test in Python 2.3 or below.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23812 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Wed, 17 Mar 2010 06:00:56 +0000 (06:00 +0000)]
Merge users/raeburn/branches/network-merge
Re-integrates the forked versions of network.c in kdc and
kadmin/server. Server-specific initialization and SIGHUP-reset code
is moved into other source files; the more generic network-servicing
code is merged and moved into apputils library already used by both
programs.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23811 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 16 Mar 2010 19:14:33 +0000 (19:14 +0000)]
handle NT_SRV_INST in service principal referrals
Handle NT_SRV_INST in service principal cross-realm referrals, as
Windows apparently uses that instead of NT_SRV_HST for at least some
service principals.
ticket: 6685
target_version: 1.8.1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23810 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 15 Mar 2010 18:53:02 +0000 (18:53 +0000)]
Set up KRB5_RUN_ENV for pytests, so that Python-based tests can run
without first running "make install".
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23805 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 11 Mar 2010 17:05:24 +0000 (17:05 +0000)]
Lazy history key creation
Create kadmin/history lazily when we need it (i.e. when a password is
changed on a principal with a policy) instead of whenever we open the
database. Allows kadmin.local to be used as a read-only tool on
non-kadmin-conformant database back ends such as the Samba bridge.
ticket: 6679
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23799 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Wed, 10 Mar 2010 20:45:12 +0000 (20:45 +0000)]
Use KRB5_CONF_ macros instead of strings in the source file for profile config attributes "default" and "logging"
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23798 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 10 Mar 2010 19:30:58 +0000 (19:30 +0000)]
Remove vestigial include/spnego-asn1.h
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23796 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 8 Mar 2010 04:39:08 +0000 (04:39 +0000)]
Add a "make testrealm" target using the Python test framework. As
part of this, expose the environments in K5Realm as attributes so
that test scripts can modify them.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23794 dc483132-0cff-0310-8789-dd5450dbe970
Ezra Peisach [Sun, 7 Mar 2010 20:01:36 +0000 (20:01 +0000)]
Make python test start_in_inetd function
util/k5test.py: Fix incorrect variable used
tests/dejagnu/t_inetd.c: Flush stdout after outputting "Ready!"
tests/dejagnu/Makefile.in: Always compile t_inetd - even if runtest is not
present
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23773 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 5 Mar 2010 20:35:26 +0000 (20:35 +0000)]
Release the internal_name field of a SPNEGO context if it has not been
claimed for a caller argument.
ticket: 6674
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23772 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 5 Mar 2010 20:33:37 +0000 (20:33 +0000)]
Add a Python test to run t_spnego
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23771 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 5 Mar 2010 20:32:40 +0000 (20:32 +0000)]
In post.in, add a check-pytests intermediate target for Makefile.in to
add dependencies to, for test scripts which run C test programs.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23770 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 5 Mar 2010 20:31:13 +0000 (20:31 +0000)]
Fix a double-free in the t_spnego test program resulting from overly
careless cutting and pasting.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23769 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 5 Mar 2010 19:30:32 +0000 (19:30 +0000)]
Add a message parameter to k5test's success(), to briefly indicate the
scope of test scripts. Only displayed when verbose is set.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23768 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 5 Mar 2010 19:19:42 +0000 (19:19 +0000)]
Add IPv6 support to changepw.c (reverting r21004 since it is no longer
necessary). Patch from Submit Bose <sbose@redhat.com>.
ticket: 6661
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23767 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 5 Mar 2010 17:45:46 +0000 (17:45 +0000)]
Ignore improperly encoded signedpath AD elements
We have some reason to believe Microsoft and Heimdal are both using
the authdata value 142 for different purposes, leading to failures in
verify_ad_signedpath(). For better interoperability, treat such
tickets as unsigned, rather than invalid.
ticket: 6676
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23766 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 5 Mar 2010 04:18:51 +0000 (04:18 +0000)]
Error out if a Python test program fails
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23765 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 4 Mar 2010 21:37:20 +0000 (21:37 +0000)]
Clean up a help string in k5test
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23764 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 4 Mar 2010 21:24:54 +0000 (21:24 +0000)]
Python test framework
Add a framework for writing tests in Python. Documentation is in the
initial docstring of util/k5test.py. Inaugurate the framework with
two test scripts, t_general.py and t_anonypkinit.py, which together
test the same operations as standalone.exp from the dejagnu test
suite.
ticket: 6672
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23763 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sun, 28 Feb 2010 20:32:00 +0000 (20:32 +0000)]
Remove some more test suite cruft:
* localhostname from get_hostname was unused.
* database_name is no longer used except (misleadingly) in kdb5_util
output.
* admin_database_name and admin_database_lockfile are no longer used.
* default_domain is only used for v4->v5 principal conversion, which
isn't tested.
* libkadm5's init-v2.exp had a copy of get_hostname; domain and
localhostname from it were unused.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23759 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 27 Feb 2010 09:49:32 +0000 (09:49 +0000)]
On Linux platforms, use -Wl,--enable-new-dtags when linking shared
libraries and programs using them. The primary effect is to get ld to
set DT_RUNPATH in addition to DT_RPATH, which in turn allows the
LD_LIBRARY_PATH environment variable to override the compiled-in
runpath, which is friendlier to the test framework.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23758 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Thu, 25 Feb 2010 21:16:16 +0000 (21:16 +0000)]
Updated documentation with information about --with-crypto-impl=IMPL configuration flag
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23752 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Thu, 25 Feb 2010 20:09:45 +0000 (20:09 +0000)]
doc updates for allow_weak_crypto
Update documentation to be more helpful about allow_weak_crypto.
ticket: 6669
target_version: 1.8
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23750 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 24 Feb 2010 18:57:08 +0000 (18:57 +0000)]
Two problems in kadm5_get_principal mask handling
KADM5_MOD_NAME was being applied to entry->principal instead of
entry->mod_name. KADM5_MKVNO was not being applied to entry->mkvno.
Patch from Marcus Watts <mdw@umich.edu>.
ticket: 6668
target_version: 1.8
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23749 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 22 Feb 2010 18:27:55 +0000 (18:27 +0000)]
Remove some more dejagnu test suite cruft:
* check_date was only used by the application tests.
* touch was never used.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23745 dc483132-0cff-0310-8789-dd5450dbe970