Ken Raeburn [Sat, 7 Oct 2006 06:10:27 +0000 (06:10 +0000)]
Check for ldap_initialize and other functions that Solaris (Mozilla-based)
LDAP does not provide, and define versions a couple of them if needed.
Based on patches from and discussions with Will Fiveash.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18665
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 7 Oct 2006 05:25:54 +0000 (05:25 +0000)]
10/3 patch from Savitha R, part 3, patch-manpages-schema.diff
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18664
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 7 Oct 2006 01:38:12 +0000 (01:38 +0000)]
whitespace
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18663
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 7 Oct 2006 01:36:50 +0000 (01:36 +0000)]
whitespace
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18662
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 7 Oct 2006 01:30:59 +0000 (01:30 +0000)]
Use const pointers for error messages.
Add some debugging hooks in the libkrb5 support.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18661
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 7 Oct 2006 01:04:01 +0000 (01:04 +0000)]
drop comma at end of enum list
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18660
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 7 Oct 2006 01:02:08 +0000 (01:02 +0000)]
Eliminate some warnings and non-gcc build problems:
- nested function
- bogus pointer casts
- C++-style comments
- unused variables
- variables of same name in nested scopes
- if condition syntax
- unused function
- use of GNU-only strndup() function
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18659
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Fri, 6 Oct 2006 23:58:43 +0000 (23:58 +0000)]
10/3 patch from Savitha R, part 2, patch-krb-schema.diff
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18658
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Fri, 6 Oct 2006 23:53:38 +0000 (23:53 +0000)]
10/3 patch from Savitha R, part 1, patch-ldap-schema.diff
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18657
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Fri, 6 Oct 2006 23:29:29 +0000 (23:29 +0000)]
schema info
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18656
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Fri, 6 Oct 2006 23:28:50 +0000 (23:28 +0000)]
remove old changelog
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18655
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 6 Oct 2006 21:43:02 +0000 (21:43 +0000)]
* src/lib/krb5/ccache/t_cccursor.c: Bugfixes from Ezra to clean up
memory leaks.
ticket: 4389
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18654
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 6 Oct 2006 21:35:50 +0000 (21:35 +0000)]
update export lists
ticket: 4389
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18653
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 6 Oct 2006 21:17:56 +0000 (21:17 +0000)]
make depend
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18652
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 5 Oct 2006 22:58:41 +0000 (22:58 +0000)]
cursor for iterating over ccaches
Some ccache back ends need per-type cursors implemented.
* src/include/k5-int.h: Declare krb5_cc_ptcursor. Update
krb5_cc_ops vector to include functions for ptcursor and some
not-yet-implemented functionality.
* src/include/krb5/krb5.hin: Prototype krb5_cccol_cursor_new,
krb5_cccol_cursor_next, krb5_cccol_cursor_free.
* src/lib/krb5/ccache/Makefile.in: Compile cccursor.c. Build
t_cccursor.
* src/lib/krb5/ccache/cccursor.c: Implementation of cursor for
iterating over ccaches.
* src/lib/krb5/ccache/ccbase.c: Add typecursor functionality for
iteration over registered ccache types.
* src/lib/krb5/ccache/cc_memory.c: Implmement per-type ccache
cursor functionality.
* src/lib/krb5/ccache/cc_mslsa.c:
* src/lib/krb5/ccache/cc_file.c:
* src/lib/krb5/ccache/ccapi/stdcc.c: Add place-holder ops vector
entries.
* src/lib/krb5/ccache/t_cccursor.c: New test of ccache cursor
functionality.
* src/lib/krb5/os/ccdefname.c (krb5int_cc_os_default_name): New
function to return the OS-specific default ccache name.
ticket: new
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18651
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Thu, 5 Oct 2006 21:28:58 +0000 (21:28 +0000)]
* kdc_preauth.c (return_padata): Allocate a padata context if not
already allocated. In the preauth_required path check will not be
called to set up the context first.
ticket: 4377
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18650
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Thu, 5 Oct 2006 19:45:52 +0000 (19:45 +0000)]
Patch from Kevin Coffman:
- adds a function to get ccache keycount
- uses it in two places
- fixes free problem if next_cred fails
- simplifies the clearcache function by using keyctl_clear
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18649
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Thu, 5 Oct 2006 14:08:06 +0000 (14:08 +0000)]
ignore generated source-tree files
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18648
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Thu, 5 Oct 2006 14:05:40 +0000 (14:05 +0000)]
fix dependence on config.status to use correct dir
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18647
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Thu, 5 Oct 2006 13:17:59 +0000 (13:17 +0000)]
Add decode_tagged_unsigned_integer, and try to fix signed/unsigned and
long/int/int32 mixups in ASN.1 decoding. Add comments describing encoding
of key data. Don't always parenthesize safe_syncbuf arguments.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18646
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Thu, 5 Oct 2006 13:15:31 +0000 (13:15 +0000)]
set a more meaningful error message in asn1 decode failure case
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18645
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Thu, 5 Oct 2006 13:15:00 +0000 (13:15 +0000)]
export krb5_ldap_create
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18644
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Wed, 4 Oct 2006 18:40:53 +0000 (18:40 +0000)]
array before test for pointing at entry with the principal. Avoids
buffer overflow for end of list.
Detected with a hacked up version of valgrind to handle keyring syscalls.
krb5_krcc_next_cred: Move initial test if pointing past end of key
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18643
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Wed, 4 Oct 2006 10:44:28 +0000 (10:44 +0000)]
The keyring code introduced in r18638 also included tests of the KEYRING:
regardless of whether the type is registered or not in the library.
Test to see if KEYRING: is registered - and if so - run the tests on it.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18642
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Tue, 3 Oct 2006 19:07:17 +0000 (19:07 +0000)]
Preauthentication Plugin Framework
Patch from Nalin Dahyabhai at Redhat to implement a preauthentication
framework based on the plugin architecture. Currently. the API is
considered internal and the header is not installed.
See src/include/krb5/preauth_plugin.h for the interface.
ticket: new
Tags: enhancement
Status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18641
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Mon, 2 Oct 2006 23:14:59 +0000 (23:14 +0000)]
configure: Depend on $(AUTOCONF_HEADER) so check-ac-syms will be happier
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18640
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Mon, 2 Oct 2006 23:14:17 +0000 (23:14 +0000)]
(AUTOCONF_HEADER): Change to match file's target name
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18639
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Mon, 2 Oct 2006 22:50:10 +0000 (22:50 +0000)]
Merge Kevin Coffman's keyring ccache branch for Linux, with some modifications:
aclocal.m4: Enable keyring ccache if the header and library are available; no
configure-time option. No error if it's not found.
ccdefname.c: Keep old default of FILE: cache, at least for now.
libkrb5.exports: Don't export krb5_krcc_ops.
ccbase.c: Only initialize krb5int_krcc_mutex if USE_KEYRING_CCACHE; destroy it
in finalization. Define INITIAL_TYPEHEAD macro (for file vs keyring), and use
it for initialization and in krb5int_cc_finalize. Re-enable freeing of
additional registered-type structures.
cc_keyring.c: Avoid calls to com_err from within library.
cc_file.c: Punt change; generate_new is badly broken, and we expect to replace
it with a new API anyways.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18638
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Mon, 2 Oct 2006 21:39:48 +0000 (21:39 +0000)]
Nuke old Saber-related stuff
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18637
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Sun, 1 Oct 2006 12:05:20 +0000 (12:05 +0000)]
kdc: make_toolong_error does not initialize all fields for krb5_mk_error
network.c: make_too_long_error() fails to set the ctime and cusec elements of
the krb5_error structure. Valgrind detects errors in the asn.1 encoding
handlers in reading an unitialized value. Initialize to 0.
ticket: new
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18635
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 30 Sep 2006 00:54:14 +0000 (00:54 +0000)]
Update expected results for krb5_get_host_realm with referral patches
installed.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18634
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Fri, 29 Sep 2006 23:07:19 +0000 (23:07 +0000)]
(get_errmsg): Check for errcode_2_string and release_errcode_string
being null function pointers.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18633
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Thu, 28 Sep 2006 19:07:19 +0000 (19:07 +0000)]
Fix AIX version of GET_HOST_BY_NAME to use TMP.ent for the result, not
the no-longer-defined my_h_ent.
ticket: 4256
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18632
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Mon, 25 Sep 2006 21:17:42 +0000 (21:17 +0000)]
Patch from Will Fiveash for "kdb5_util create" support in LDAP, modified to
drop separate port-number spec so it'll build with current sources. Not
tested because of a bug in the recent Novell patch. :-(
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18616
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Sun, 24 Sep 2006 14:30:29 +0000 (14:30 +0000)]
Implement renew credential functionality which was inadvertently
left out.
ticket: 4312
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18609
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Fri, 22 Sep 2006 21:19:16 +0000 (21:19 +0000)]
Remove now-unused 'port' fields
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18608
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Fri, 22 Sep 2006 20:57:22 +0000 (20:57 +0000)]
Misc cleanup:
Include header instead of duplicating public decls.
Don't use C99-style "//" comments.
Reformat a bit to krb5 tree normal style.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18607
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Fri, 22 Sep 2006 20:29:24 +0000 (20:29 +0000)]
New patch from Savitha, for new principal key storage format in LDAP
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18606
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Fri, 22 Sep 2006 19:24:44 +0000 (19:24 +0000)]
no c++-style comments
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18605
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Thu, 21 Sep 2006 21:49:41 +0000 (21:49 +0000)]
KFW 3.1 Beta 2 NetIDMgr Changes
source for (1.1.0.1)
- Updated documentation with additional information and fixed errors.
nidmgr32.dll (1.1.0.1)
- Fixed a deadlock in the configuration provider that may cause
NetIDMgr to deadlock on load.
- Prevent the configuration provider handle list from getting
corrupted in the event of a plug-in freeing a handle twice.
- Add more parameter validation for the configuration provider.
- If a plug-in is only partially registered (only some of the entries
were set in the registry), the completion of the registration didn't
complete successfully, leaving the plug-in in an unusable state.
This has been fixed. Plug-ins will now successfully complete
registration once they are loaded for the first time, assuming the
correct resources are present in the module.
- Fixed notifications for setting a default identity. Notifications
were not being properly sent out resulting in the credentials window
not being updated when the default identity changed.
- Changes to the API for type safety.
- Handling of binary data fields was changed to support validation and
comparison.
- Data types that do not support KCDB_CBSIZE_AUTO now check for and
report an error if it is specified.
- Password fields in the new credentials dialog will trim leading and
trailing whitespace before using a user-entered value.
- Change password action will no longer be disabled if no identity is
selected. An identity selection control is present in the dialog
making this restriction unnecessary.
- When renewing credentials, error messages will be suppressed if the
renewal was for an identity and the identity does not have any
identity credentials associated with it.
- Error messages that are related to credentials acquisition or
password changes will now display the name of the identity that the
error applies to.
- Automatic renewals now renews all identities that have credentials
associated with them instead of just the default identity.
- Fixed a bug where error messages did not have a default button which
can be invoked with the return key or the space bar.
- The new credentials window will force itself to the top. This can
be disabled via a registry setting, but is on by default.
- Fixed the sort order in the new credentials tabs to respect sort
hints provided by plug-ins.
- If a new credentials operation fails, the password fields will be
cleared.
- Once a new credentials operation starts, the controls for specifying
the identity and password and any other custom prompts will be
disabled until the operation completes.
- Notifications during the new credentials operation now supply a
handle to the proper data structures as documented.
- Hyperlinks in the new credentials dialog now support markup that
will prevent the dialog from switching to the credentials type panel
when the link is activated.
- If there are too many buttons added by plug-ins in the new
credentials dialog, they will be resized to accomodate all of them.
- The options button in the new credentials dialog will be disabled
while a new credentials operation is in progress.
- The 'about' dialog retains the original copyright strings included
in the resource.
- Multiple modal dialogs are now supported. Only the topmost one will
be active. Once it is closed, the other dialogs will gain focus in
turn. This allows for error messages to be displayed from other
modal dialogs.
- The hypertext window supports italics.
krb4cred.dll (1.1.0.1)
- Fixed a bug where the plug-in would attempt to free a handle twice.
- Fixed a handle leak.
- Changed the facility name used for event reporting to match the
credentials type name.
krb5cred.dll (1.1.0.1)
- Fixed handling of expired passwords. If the password for an
identity is found to have expired at the time a new credentials
acquisition is in progress, the user will be given an opportunity to
change the password. If this is successful, the new credentials
operation will continue with the new password.
- Prevent the new credentials dialog from switching to the Kerberos 5
credentials panel during a password change.
- Prompts that were cached indefinitely will now have a limited
lifetime. Prompt caches that were created using prior versions of
the plug-in will automatically expire.
- Multistrings in the resource files were converted to CSV to protect
them against a bug in Visual Studio 2005 which corrupted
multistrings.
- Added handling of and reporting WinSock errors that are returned
from the Kerberos 5 libraries.
- Fixed uninitialized variables.
- The username and realm that is entered when selecting an identity
will be trimmed of leading and trailing whitespace.
- Changed the facility name used for event reporting to match the
credentials type name.
ticket: new
component: windows
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18604
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Thu, 21 Sep 2006 16:18:26 +0000 (16:18 +0000)]
NSIS installer - update for Win2K NetIDMgr
Install the Win2K specific binaries for NetIDMgr on Win2K
ticket: new
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18603
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Thu, 21 Sep 2006 15:54:05 +0000 (15:54 +0000)]
oops, make sure we install from the correct source file
on Windows 2000
ticket: 4309
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18602
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Thu, 21 Sep 2006 14:58:40 +0000 (14:58 +0000)]
wix installer - win2k compatibility for netidmgr
Install the special win2k version of nidmgr32.dll
on Windows 2000 systems.
ticket: new
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18601
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Thu, 21 Sep 2006 02:43:12 +0000 (02:43 +0000)]
windows thread support frees thread local storage after TlsSetValue
threads.c: The return value of TlsSetValue is non-zero on
success. As a result of misinterpreting the
return value, the memory set in TLS is then freed.
A subsequent call to TlsGetValue returns the
invalid pointer.
ticket: new
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18600
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Thu, 21 Sep 2006 01:48:50 +0000 (01:48 +0000)]
Set the canonicalize flag in TGS requests and accept cross-realm referral tickets.
We do not yet accept tickets in which the server name changes.
* krb5_sname_to_principal: If there is no domain realm mapping return null realm
*krb5_get_cred_via_tkt: New behavior as described below
1) the referrals case:
- check for TGT for initial realm
- if a remote realm was specified (which must have happened via a
domain_realm mapping), obtain a TGT for it the standard way and
start with that.
- use client realm for server if not specified
- iterate through this loop:
- request ticket with referrals turned on
- if that fails:
- if this was the first request, punt to non-referrals case
- otherwise, retry once without referrals turned on then terminate
either way
- if it works, either use the service ticket or follow the referral path
- if loop count exceeded, hardfail
2) the nonreferrals case
- this is mostly the old walk_realm_tree TGT-finding (which allows
limited shortcut referrals per 4120) followed by a standard tgs-req.
- originally requested principal is used for this, although if we were
handed something without a realm, determine a fallback realm based on
DNS TXT records or a truncation of the domain name.
ticket: 2652
Owner: amb
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18598
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Wed, 20 Sep 2006 01:30:25 +0000 (01:30 +0000)]
* kdb_ldap.h: If BUILD_WITH_BROKEN_LDAP is defined, skip version checks
ticket: 4292
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18595
dc483132-0cff-0310-8789-
dd5450dbe970
Alexandra Ellwood [Tue, 19 Sep 2006 22:40:09 +0000 (22:40 +0000)]
Bad loop logic in krb5_mcc_generate_new
krb5_mcc_generate_new() Error in loop caused first item in the list to not
get checked the second time through scanning for duplicates.
ticket: new
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18594
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Mon, 18 Sep 2006 23:58:56 +0000 (23:58 +0000)]
whitespace
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18593
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Mon, 18 Sep 2006 23:51:50 +0000 (23:51 +0000)]
Savitha's patches for:
- LDAP URI support for specifying server and port
- support for ldapi interface
- updated to newer LDAP APIs
- updated documentation
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18592
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 16 Sep 2006 01:59:15 +0000 (01:59 +0000)]
* kdb5.c (kdb_load_library): Make error message a little more accurate.
(get_errmsg): New function. Uses errcode_2_string and release_errcode_string
functions to copy out an error message from the plugin and store it locally,
if the error code supplied is nonzero. Changed other uses of plugin functions
to call get_errmsg on returning.
(krb5_db_errcode2string): Deleted.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18591
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 16 Sep 2006 01:49:52 +0000 (01:49 +0000)]
Update dependencies
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18590
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 16 Sep 2006 01:32:40 +0000 (01:32 +0000)]
Move RPC header files to include/gssrpc, which we copy to them at
build time, and which is the only place we use them from anyways.
Update Makefile references and dependencies.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18589
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 16 Sep 2006 01:25:12 +0000 (01:25 +0000)]
Export krb5_ldap_release_errcode_string
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18588
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Fri, 15 Sep 2006 22:57:09 +0000 (22:57 +0000)]
Make it easier to ignore additional directories, like, oh, say, local
install paths for OpenLDAP.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18587
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Wed, 13 Sep 2006 20:30:23 +0000 (20:30 +0000)]
whitespace
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18584
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Tue, 12 Sep 2006 00:25:34 +0000 (00:25 +0000)]
whitespace
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18583
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Tue, 12 Sep 2006 00:20:01 +0000 (00:20 +0000)]
whitespace
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18582
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Thu, 7 Sep 2006 22:16:45 +0000 (22:16 +0000)]
* Makefile.in (krb5/krb5.h): Wrap the content in macro test for
multiple-inclusion protection.
ticket: 3522
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18571
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Wed, 6 Sep 2006 20:31:54 +0000 (20:31 +0000)]
Make database plugin responsible for releasing the error-message string, so
that we can use the krb5_get_error_message interface internally.
* kdb5.h: Add release_errcode_string field to the interface.
* db2_exp.c, ldap_exp.c: Initialize it.
* ldap_misc.c: Use krb5_get/free_error_message for error message strings.
* kdb_ldap.h: Declare krb5_ldap_release_errcode_string.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18565
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Wed, 6 Sep 2006 19:54:06 +0000 (19:54 +0000)]
whitespace
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18564
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Wed, 6 Sep 2006 17:15:12 +0000 (17:15 +0000)]
comment formatting for 80 columns
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18563
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Tue, 5 Sep 2006 21:54:47 +0000 (21:54 +0000)]
(prof_get_integer_def, prof_get_string_def): New functions: check specified
config section in the profile, then the default section, then fall back to
passed default value (for integer only). Set error string on error.
(krb5_ldap_read_server_params): Use them, instead of explicitly doubling each
profile_get call.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18562
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Tue, 5 Sep 2006 18:47:29 +0000 (18:47 +0000)]
windows ccache and keytab file paths without a prefix
ktbase.c, ccbase.c: When a file path is specified without
the prefix we must infer the use of the "FILE" prefix.
However, we were setting the prefix including the colon
separator when the separator should have been ignored.
ticket: new
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18561
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Fri, 1 Sep 2006 02:51:38 +0000 (02:51 +0000)]
Reject old OpenLDAP versions with bugs tickled by this code.
Clean up some warnings during the build.
* ldap_misc.c (strptime) [NEED_STRPTIME_PROTO]: Declare, conditionally.
(krb5_ldap_errcode_2_string): Return string, not error code, to fit with DAL
interface spec.
* kdb_ldap.h: Error out for OpenLDAP versions before 2.2.24.
(LDAP_DEPRECATED): Define; openldap-2.3.27 defaults to undefined.
(krb5_ldap_lib_init): Prototype.
(krb5_get_policydn): Declare.
(krb5_ldap_errcode_2_string): Fix return type.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18558
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Thu, 31 Aug 2006 22:12:36 +0000 (22:12 +0000)]
(krb5_ldap_destroy_policy): krb5_ldap_delete_policy takes a mask arg, not pointer-to
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18557
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Thu, 31 Aug 2006 22:08:45 +0000 (22:08 +0000)]
Declare get_date() used from kadmin cli code.
In calls, delete the second argument that get_date doesn't take.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18556
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Thu, 31 Aug 2006 21:30:30 +0000 (21:30 +0000)]
Remove or conditionalize unused variables
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18555
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Thu, 31 Aug 2006 21:17:34 +0000 (21:17 +0000)]
Patches from Will Fiveash to allow for configuration and building on
Solaris. Tested (configured & built) on RHEL 4 and Solaris 10. One
minor bugfix added.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18554
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Wed, 30 Aug 2006 19:44:54 +0000 (19:44 +0000)]
* shlib.conf (*-*-linux*): Use LDFLAGS in LDCOMBINE
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18553
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Wed, 30 Aug 2006 00:10:54 +0000 (00:10 +0000)]
Some mechanical changes (mostly whitespace, like indentation levels)
to match up better with MIT coding style.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18552
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Tue, 29 Aug 2006 22:54:46 +0000 (22:54 +0000)]
Some mechanical changes (mainly whitespace) to match up better with
MIT coding style.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18551
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Tue, 29 Aug 2006 20:41:50 +0000 (20:41 +0000)]
Rename KRB5_KDB_PLUGIN_OP_NOTSUPP to KRB5_PLUGIN_OP_NOTSUPP and move to krb5 table
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18550
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Tue, 29 Aug 2006 20:13:27 +0000 (20:13 +0000)]
whitespace
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18549
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Tue, 29 Aug 2006 19:52:38 +0000 (19:52 +0000)]
Patch from Savitha R:
ldap_util
1. Kdb5_ldap_util interface
Removed supp enctypes, suppsalttypes from create realm and modify
realm since they are currently not used
2. memset passwd strings to zero when not used any more
3. Using krb5_sname_to_principal in place of gethostbyname while
creating the kadmin principal with hostname.
libkdb_ldap
1. Added mandatory functions which were missing in the LDAP plug-in
2. Error handling changes - Setting the error message in the
kerberos context when decryption of the service passwd fails or
connection to the LDAP server fails during initialization.
Additional changes:
libkdb_ldap: Link against com_err library, to provide error_message().
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18548
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Wed, 23 Aug 2006 22:58:02 +0000 (22:58 +0000)]
make depend
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18519
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Wed, 23 Aug 2006 22:56:29 +0000 (22:56 +0000)]
Merge Todd's TCP changepw support, with a few fixups
* include/cm.h (state_strings, enum conn_states, struct incoming_krb5_message,
struct conn_state): Moved here from lib/krb5/os/sendto_kdc.c.
(stuct sendto_callback_info): New type.
* lib/krb5/os/sendto_kdc.c (set_conn_state_msg_length): New function.
(setup_connection): Deleted argument message_len_buf. Don't store message
length; call set_conn_state_msg_length instead.
(start_connection): New arguments callback_info and callback_buffer. Invoke
callback function if any, and set message length on success.
(maybe_send): New arguments callback_info and callback_buffer; pass them to
start_connection.
(krb5int_sendto): New arguments callback_info, remoteaddr, remoteaddrlen. If
callback info is provided, allocate per-connection buffers, and pass them to
maybe_send. On cleanup, invoke the cleanup callback function if any.
(krb5_sendto_kdc): Update krb5int_sendto call.
* include/k5-int.h (struct sendto_callback_info): Add forward declaration.
(krb5int_sendto, struct _krb5int_access.sendto_udp): Update for new signature.
* lib/krb5/os/send524 (krb5int_524_sendto_kdc): Update krb5int_sendto call.
* lib/krb4/send_to_kdc.c (krb5int_send_to_kdc_addr): Update sendto_udp call.
* lib/krb5/os/changepw.c (struct sendto_callback_context): New type.
(krb5_locate_kpasswd): New argument useTcp, used to select socket type in
krb5int_locate_server call.
(kpasswd_sendto_msg_cleanup, kpasswd_sendto_msg_callback): New functions.
(krb5_change_set_password): Call krb5int_sendto with callbacks, instead of
managing the exchange here. On RESPONSE_TOO_BIG error, try again with TCP
only.
* lib/krb5/krb/chpw.c (krb5int_rd_chpw_rep): If length is wrong, check if a
buggy server sent a KRB_ERROR.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18518
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Wed, 23 Aug 2006 16:33:58 +0000 (16:33 +0000)]
Update auxiliary version number for NetIDMgr
ticket: 4172
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18499
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Wed, 23 Aug 2006 02:28:05 +0000 (02:28 +0000)]
* install NetIDMgr plug-in sample as part of SDK
* install netidmgr.exe (win2000 version)
ticket: 4172
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18498
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Wed, 23 Aug 2006 02:18:00 +0000 (02:18 +0000)]
* newcredwnd.c - erase the password field on error
during new credential acquisition
ticket: 4172
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18497
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Wed, 23 Aug 2006 02:17:12 +0000 (02:17 +0000)]
* Fix auto-registration of plug-in modules
if there is no plug-in list specified
ticket: 4172
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18496
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Wed, 23 Aug 2006 02:15:52 +0000 (02:15 +0000)]
* Makefile - do not etag the Win2000 version of
the NetIDMgr.exe
ticket: 4172
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18495
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Tue, 22 Aug 2006 22:12:15 +0000 (22:12 +0000)]
improvements to netidmgr dialogs
* ensure that buttons are disabled while
actions are in process
* allow plug-ins to specify italic text
* fix some documentation
* reformat langres.rc
ticket: new
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18494
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 21 Aug 2006 20:31:51 +0000 (20:31 +0000)]
clean up mkrel patchlevel.h editing etc
* src/util/mkrel: Be more careful editing KRB5_RELDATE. Delete
'$ac_config_fragdir' autoconf droppings.
ticket: new
tags: pullup
target_version: 1.5.1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18475
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Thu, 17 Aug 2006 01:21:00 +0000 (01:21 +0000)]
NetIDMgr Credential Provider Sample Code and Documentation
This commit provides a template for a Network Identity Manager
Credential Provider. It doesn't provide any real functionality
but it does provide all of the functions that need to be specified
and filled in as part of the process of producing a NetIdMgr plug-in.
This code should be pulled up to 1.4.x for inclusion in the KFW 3.1
SDK as well as to 1.5.x.
ticket: new
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18464
dc483132-0cff-0310-8789-
dd5450dbe970
Alexandra Ellwood [Wed, 16 Aug 2006 21:01:43 +0000 (21:01 +0000)]
cc_err_xlate: Updated error mappings to generate the same errors as ccapiv2.
stdccv3_setup: Don't translate errors since cc_err_xlate isn't idempotent.
krb5_stdccv3_resolve: Don't fail if we can't open the ccache.
ticket: 3936
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18458
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Tue, 15 Aug 2006 23:45:54 +0000 (23:45 +0000)]
* kdb5_ldap_realm.c (kdb5_ldap_create): In assertion test of hardcoded char
array sizes, test against the size we actually need.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18449
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Tue, 15 Aug 2006 23:43:27 +0000 (23:43 +0000)]
* kdb_default.c (krb5_def_store_mkey): If the file can't be opened, construct
an error message that includes the file's name.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18448
dc483132-0cff-0310-8789-
dd5450dbe970
Russ Allbery [Tue, 15 Aug 2006 22:49:57 +0000 (22:49 +0000)]
Set datarootdir in each Makefile to make Autoconf 2.60 happier
Ticket: 3965
Component: krb5-build
Version_Reported: 1.5
Tags: pullup
Target_Version: 1.5.1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18444
dc483132-0cff-0310-8789-
dd5450dbe970
Russ Allbery [Tue, 15 Aug 2006 22:27:17 +0000 (22:27 +0000)]
Document prerequisites for make check
Document the prerequisites for running make check, since some of them are
a bit surprising.
Ticket: new
Component: krb5-doc
Tags: pullup
Version_Reported: 1.5
Target_Version: 1.5.1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18441
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 15 Aug 2006 19:27:08 +0000 (19:27 +0000)]
* src/clients/ksu/main.c (sweep_up): Don't check return value of
krb5_seteuid(0), as it is not harmful for it to fail, and it will
fail after setuid(target_user). Correct error message.
ticket: 4137
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18438
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 8 Aug 2006 19:26:40 +0000 (19:26 +0000)]
fix MITKRB5-SA-2006-001: multiple local privilege escalation vulnerabilities
* src/appl/gssftp/ftpd/ftpd.c (getdatasock, passive):
* src/appl/bsd/v4rcp.c (main):
* src/appl/bsd/krcp.c (main):
* src/appl/bsd/krshd.c (doit):
* src/appl/bsd/login.c (main):
* src/clients/ksu/main.c (sweep_up):
* src/lib/krb4/kuserok.c (kuserok): Check return values from
setuid() and related functions to avoid privilege escalation
vulnerabilities. Fixes MITKRB5-SA-2006-001. [CVE-2006-3083,
VU#580124, CVE-2006-3084, VU#401660]
ticket: new
target_version: 1.5.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18420
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 7 Aug 2006 23:33:39 +0000 (23:33 +0000)]
* src/lib/gssapi/mechglue/mglueP.h: Add loopback field to opaque
structs of gss_ctx_id_t, gss_name_t, gss_cred_id_t to catch some
application programming errors. Add new macro GSSINT_CHK_LOOP()
which returns non-zero if loopback field doesn't point to itself.
* src/lib/gssapi/mechglue/g_accept_sec_context.c
(gss_accept_sec_context):
* src/lib/gssapi/mechglue/g_acquire_cred.c (gss_add_cred)
(gss_acquire_cred):
* src/lib/gssapi/mechglue/g_delete_sec_context.c
(gss_delete_sec_context):
* src/lib/gssapi/mechglue/g_glue.c
(gssint_convert_name_to_union_name):
* src/lib/gssapi/mechglue/g_imp_name.c (gss_import_name):
* src/lib/gssapi/mechglue/g_imp_sec_context.c
(gss_import_sec_context):
* src/lib/gssapi/mechglue/g_init_sec_context.c
(gss_init_sec_context): Set loopback pointers.
* src/lib/gssapi/mechglue/g_delete_sec_context.c
(gss_delete_sec_context):
* src/lib/gssapi/mechglue/g_rel_cred.c (gss_release_cred):
* src/lib/gssapi/mechglue/g_rel_name.c (gss_release_name): Call
GSSINT_CHK_LOOP() to validate loopback pointer.
ticket: 4063
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18417
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 2 Aug 2006 20:51:50 +0000 (20:51 +0000)]
Apply patch from Michael Calmer to fix some uninitialized variables
* src/appl/gssftp/ftpd/ftpd.c (auth_data): Initialize stat_maj,
accept_maj, acquire_maj.
* src/appl/telnet/libtelnet/kerberos5.c (kerberos5_send):
Intialize rdata.
* src/kdc/do_tgs_req.c (process_tgs_req): Initialize magic and
tr_contents.magic.
* src/lib/krb5/asn.1/krb5_decode.c (decode_krb5_safe_with_body):
Initialize tmpbody.magic.
* src/plugins/kdb/db2/libdb2/hash/dbm.c (kdb2_fetch)
(kdb2_firstkey, kdb2_nextkey): Initialize dsize.
ticket: 3904
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18404
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 1 Aug 2006 21:09:43 +0000 (21:09 +0000)]
* src/lib/gssapi/mechglue/g_initialize.c (gss_release_oid): Call
gssint_initialize_library to ensure mutex is initialized.
ticket: 4088
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18397
dc483132-0cff-0310-8789-
dd5450dbe970
Alexandra Ellwood [Tue, 25 Jul 2006 20:29:43 +0000 (20:29 +0000)]
Changed GSSAPI opaque types (gss_name_t, gss_cred_id_t, gss_ctx_id_t) from
void* to pointers to opaque structs. This change removed some casts and
introduced or changed a bunch of other casts to suppress warnings.
krb5_gss_accept_sec_context(): Fixed a bug found by the above changes
where krb5_gss_release_cred() was being called with the wrong argument 2
(gss_cred_id_t instead of gss_cred_id_t*).
ticket: 4057
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18396
dc483132-0cff-0310-8789-
dd5450dbe970
Alexandra Ellwood [Tue, 25 Jul 2006 18:51:54 +0000 (18:51 +0000)]
gss_canonicalize_name(): Added parens to remove
warning from if statement.
ticket: new
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18395
dc483132-0cff-0310-8789-
dd5450dbe970
Alexandra Ellwood [Tue, 25 Jul 2006 17:58:25 +0000 (17:58 +0000)]
Removed unused Metrowerks compiler support.
(Since there's no universal binary support for CodeWarrior there's
no point in having this here.)
ticket: new
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18394
dc483132-0cff-0310-8789-
dd5450dbe970
Alexandra Ellwood [Tue, 25 Jul 2006 17:56:18 +0000 (17:56 +0000)]
Switched from "#pragma options align" to "#pragma pack".
Removed Metrowerks "#pragma import" since other framework
headers don't specify it.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18392
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Tue, 25 Jul 2006 13:59:30 +0000 (13:59 +0000)]
Windows - fix kfwlogon for Windows 2000
Windows 2000 does not support the ability to generate SIDs
from symbolic names.
Add more debugging and error condition checks.
ticket: new
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18387
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Mon, 24 Jul 2006 20:39:31 +0000 (20:39 +0000)]
commit again without using patch to apply the diff
ticket: 4048
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18382
dc483132-0cff-0310-8789-
dd5450dbe970