Greg Hudson [Thu, 23 Jun 2011 04:13:45 +0000 (04:13 +0000)]
Use AI_ADDRCONFIG for more efficient getaddrinfo
Add AI_ADDRCONFIG to the hint flags for every invocation of
getaddrinfo which wasn't already using it. This is often the default
behavior when no hints are specified, but we tend to specify hints a
lot, so we have to say it ourselves. AI_ADDRCONFIG causes AAAA
lookups to be skipped if the system has no public IPv6 interface
addresses, usually saving a couple of DNS queries per getaddrinfo
call and allowing DNS caching to be much more effective without the
need for negative caching.
ticket: 6923
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24978 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 23 Jun 2011 04:13:38 +0000 (04:13 +0000)]
Work around glibc getaddrinfo PTR lookups
In krb5_sname_to_principal(), we always do a forward canonicalization
using getaddrinfo() with AI_CANONNAME set. Then, we do a reverse
canonicalization with getnameinfo() if rdns isn't set to false in
libdefaults.
Current glibc (tested with eglibc 2.11.1) has the arguably buggy
behavior of doing PTR lookups in getaddrinfo() to get the canonical
name, if hints.ai_family is set to something other than AF_UNSPEC.
This behavior defeats the ability to turn off rdns. Work around this
behavior by using AF_UNSPEC in krb5_sname_to_principal() from the
start, instead of starting with AF_INET and falling back. Specify
AI_ADDRCONFIG to avoid AAAA lookups on hosts with no IPv6 addresses.
ticket: 6922
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24977 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 23 Jun 2011 04:13:32 +0000 (04:13 +0000)]
Use AI_ADDRCONFIG unconditionally in kpropd
fake-addrinfo.h ensures that AI_ADDRCONFIG is defined, so we don't
need #ifdef tests when we use it.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24976 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 22 Jun 2011 23:31:36 +0000 (23:31 +0000)]
Cosmetic fixes to preauth_plugin.h from Linus Nordberg
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24975 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Wed, 22 Jun 2011 19:55:31 +0000 (19:55 +0000)]
Fix the build and doxygen markup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24974 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 22 Jun 2011 19:24:51 +0000 (19:24 +0000)]
Formatting and editorial pass over krb5.hin doxygen markup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24973 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 20 Jun 2011 16:49:00 +0000 (16:49 +0000)]
Document that e_data can be used by KDB modules internally
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24972 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 17 Jun 2011 13:44:33 +0000 (13:44 +0000)]
Convert preauth_plugin.h to new plugin framework
The preauth plugin interface was introduced in 1.6 but was never made
a public API. In preparation for making it public in 1.10, convert it
to use the new plugin framework. This will require changes to any
existing preauth plugins.
A number of symbols were renamed for namespace cleanliness, and
abstract types were introduced for module data and module per-request
data for better type safety.
On the consumer end (preauth2.c and kdc_preauth.c), this is a pretty
rough conversion. Eventually we should create proper consumer APIs
with module handles, and the flat lists of preauth types should hold
pointers to module handles rather than copies of the vtables. The
built-in preauth type handlers should then be converted to built-in
module providers linked into the consumer code (as should encrypted
challenge, since it has no external dependencies). None of this will
impact the provider API for preauth plugins, so it can wait.
ticket: 6921
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24970 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 17 Jun 2011 13:44:26 +0000 (13:44 +0000)]
Add k5_plugin_register_dyn internal API
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24969 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 13 Jun 2011 21:44:51 +0000 (21:44 +0000)]
ANSIfy the remaining K&R functions in lib/gssapi/generic
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24968 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 13 Jun 2011 18:54:33 +0000 (18:54 +0000)]
Fix old-style GSSRPC authentication
r24147 (ticket #6746) made libgssrpc ignorant of the remote address of
the kadmin socket, even when it's IPv4. This made old-style GSSAPI
authentication fail because it uses the wrong channel bindings. Fix
this problem by making clnttcp_create() get the remote address from
the socket using getpeername() if the caller doesn't provide it and
it's an IPv4 address.
ticket: 6920
target_version: 1.9.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24967 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 10 Jun 2011 20:01:23 +0000 (20:01 +0000)]
Handle invalid intervals in lockout-related kadmin parameters
ticket: 6911
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24966 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Fri, 10 Jun 2011 19:33:36 +0000 (19:33 +0000)]
Start building PDF docs by default
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24965 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 10 Jun 2011 18:18:04 +0000 (18:18 +0000)]
Set LC_MESSAGES to "C" in tests which run commands
ticket: 6918
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24964 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 10 Jun 2011 18:17:59 +0000 (18:17 +0000)]
Add setlocale() calls to main functions
ticket: 6918
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24963 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 10 Jun 2011 18:17:55 +0000 (18:17 +0000)]
Generating mit-krb5 pot file
ticket: 6918
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24962 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 10 Jun 2011 18:17:37 +0000 (18:17 +0000)]
Mark up strings for translation
ticket: 6918
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 10 Jun 2011 18:17:22 +0000 (18:17 +0000)]
Add localization support to com_err
* Add compile_et arguments --textdomain and --localedir.
* Store text domain and localedir at the end of error tables.
* error_message() calls dgettext if the table has a text domain.
* add_error_table() calls bindtextdomain if the table has a localedir.
* Define N_() as no-op in generated source and mark up error messages.
* When using system compile_et, test for --textdomain support.
* Use --textdomain option when available.
* Run xgettext over generated sources in compile_et rule.
* Translate com_err results in krb5int_get_error() if com_err won't.
ticket: 6918
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24960 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 10 Jun 2011 18:17:12 +0000 (18:17 +0000)]
Add localization infrastructure
Adds build system logic, translation macros in k5-platform.h, and
bindtextdomain calls in libkrb5 initialization.
ticket: 6918
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24959 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sun, 5 Jun 2011 22:05:04 +0000 (22:05 +0000)]
Remove static error table list in built-in com_err
_et_list has been private to error_message.c since March 2004, and
since nothing in that file ever added entries to it, it is always
NULL. As it's not doing any good, get rid of it, and rename the
dynamic error table list to "et_list", along with its type. Also
remove some old lclint annotations.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24947 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 3 Jun 2011 01:00:52 +0000 (01:00 +0000)]
Restore fallback non-referral TGS request to same realm
MIT krb5 1.2 and earlier KDCs reject TGS requests if the canonicalize
bit is set. Prior to 1.9, we used to handle this by making a
non-referral fallback request on any error, but the rewrite in 1.9
mistakenly changed the behavior so that fallback requests are only
made if the original request used the referral realm and the fallback
realm is different from the default realm. Restore the old behavior.
ticket: 6917
target_version: 1.9.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24946 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 26 May 2011 18:05:49 +0000 (18:05 +0000)]
Restore krb5_get_credentials caching for referral requests
The krb5_get_credentials() rewrite for IAKERB accidentally omitted the
final step of restoring the requested realm in the output credentials.
As a result, referral entries are not cached, and the caller sees the
actual realm in (*out_creds)->server instead of the referral realm as
before. Fix this in complete() by swapping ctx->req_server into
ctx->reply_creds->server.
ticket: 6916
target_version: 1.9.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24945 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 25 May 2011 21:45:40 +0000 (21:45 +0000)]
Don't assume principal components are C strings in klist -s
ticket: 6915
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24944 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sun, 22 May 2011 02:08:37 +0000 (02:08 +0000)]
Fix multiple tl-data updates over iprop
krb5_dbe_update_tl_data() accepts a single read-only tl-data entry,
but ulog_conv_2dbentry() expects it to process a full list. Fix
ulog_conv_2dbentry() to call krb5_db2_update_tl_data() on each entry
individually, simplifying its memory management in the process.
ticket: 6913
target_version: 1.9.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24937 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 20 May 2011 15:21:28 +0000 (15:21 +0000)]
Revert r5233 and mark get_age as deprecated in the DAL documentation.
We do not need to check reply retransmissions for staleness any more
than TCP needs to. A genuinely new request will have a different
nonce.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24936 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Thu, 19 May 2011 14:14:54 +0000 (14:14 +0000)]
Updated documentation for krb5_c_ and sendauth API.
Also, removed the second declaration of krb5_c_string_to_key_with_params() from string_to_key.c
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24935 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Mon, 16 May 2011 18:36:55 +0000 (18:36 +0000)]
In mk_rd_cred if recv_subkey in the authentication context is NULL and the decryption with the session key fails, do not try to decrypt the message with the session key again.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24934 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Mon, 16 May 2011 14:13:39 +0000 (14:13 +0000)]
Updated documentation for krb5_rd_ API
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24933 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 16 May 2011 04:20:55 +0000 (04:20 +0000)]
Document the lockout-related options in kadmin (modprinc -unlock and
addpol/modpol -maxfailure, -failurecountinterval, and
-lockoutduration), in the man page and in admin.texinfo. Based on
text submitted by shawn.emery@oracle.com.
ticket: 6910
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24932 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 16 May 2011 03:54:16 +0000 (03:54 +0000)]
In kadmin, try using get_date() for lockout-related duration inputs to
modpol and addpol, but still allow bare numbers of seconds since
that's what we took in 1.8 and 1.9. Use strdur() to display
lockout-related durations in getpol. Reported by
shawn.emery@oracle.com.
ticket: 6911
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24931 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sun, 15 May 2011 14:47:19 +0000 (14:47 +0000)]
Link t_kgss_kernel against libkrb5support since parts of libkgss use
zap(), which creates a dependency with non-gcc compilers.
ticket: 6909
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24930 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 14 May 2011 14:49:00 +0000 (14:49 +0000)]
Use hmac-md5 checksum for PA-FOR-USER padata
The MS-S4U documentation specifies that hmac-md5 be used for
PA-FOR-USER checksums; we were using the mandatory checksum type for
the key. Although some other checksum types appear to be allowed by
Active Directory KDCs, Richard Silverman reports that md5-des is not
one of them, causing S4U2Self requests to fail for DES keys.
ticket: 6912
target_version: 1.9.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24929 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Fri, 13 May 2011 12:33:52 +0000 (12:33 +0000)]
Updated documentation for PAC API. Moved PAC type definitions into krb5.hin
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24928 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Thu, 12 May 2011 16:03:22 +0000 (16:03 +0000)]
Updated documentation for krb5_mk_ functions
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24927 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 11 May 2011 06:03:09 +0000 (06:03 +0000)]
Add more missing headers in kernel subset directory. Hopefully the
whole set this time.
ticket: 6909
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24926 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 11 May 2011 04:42:59 +0000 (04:42 +0000)]
Reference libraries from the build tree when linking and
t_kgss_kernel.
ticket: 6909
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24925 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 10 May 2011 22:26:09 +0000 (22:26 +0000)]
Add more missing headers in kernel subset directory
ticket: 6909
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24924 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 10 May 2011 21:04:31 +0000 (21:04 +0000)]
Fix the header list for the kernel subset directory
ticket: 6909
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24923 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Mon, 9 May 2011 22:05:48 +0000 (22:05 +0000)]
fix regression in r24853: PAC no longer exposed
Windows PAC is not AD-KDCIssued, rather it is signed with the long-term
service session key (or user-to-user key). Advertise this correctly in
the internal authorization data SPI.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24922 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 9 May 2011 18:41:03 +0000 (18:41 +0000)]
Kernel subset
Add a directory containing a "kernel subset" (context import and
message functions only) of the gss-krb5 library, with a test framework
to exercise the functionality and indicate when unknown dependencies
creep in.
ticket: 6909
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24921 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Mon, 9 May 2011 18:33:09 +0000 (18:33 +0000)]
Updated documentation for krb5_init_creds_ function family
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24920 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 9 May 2011 18:16:14 +0000 (18:16 +0000)]
Avoid calling gss_release_buffer() from the message-processing code
in lib/gssapi/krb5.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24919 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 9 May 2011 18:06:15 +0000 (18:06 +0000)]
Use internal crypto functions directly from util_crypt.c, avoiding a
dependency on the accessor.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24918 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 9 May 2011 17:28:07 +0000 (17:28 +0000)]
Delete sec context properly in gss_krb5_export_lucid_sec_context
Since r21690, gss_krb5_export_lucid_sec_context() has been passing a
union context to krb5_gss_delete_sec_context(), causing a crash as the
krb5 routine attempts to interpret a union context structure as a krb5
GSS context. Call the mechglue gss_delete_sec_context instead.
ticket: 6908
target_version: 1.9.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24917 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Thu, 5 May 2011 18:43:49 +0000 (18:43 +0000)]
Updated documentation: added usage example for krb5_tkt_creds family, removed "(unused)" string from the comments and other cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24913 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Tue, 3 May 2011 14:25:11 +0000 (14:25 +0000)]
API documentation: added a usage example for krb5_verify_init_creds function family
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24912 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 3 May 2011 10:13:21 +0000 (10:13 +0000)]
Eliminate a redundant initialization in cm_init_selstate() in
sendto_kdc.c.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24911 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Tue, 3 May 2011 01:58:07 +0000 (01:58 +0000)]
Updated API documentation with the comments mostly related to verify and convert routines
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24910 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 2 May 2011 20:57:23 +0000 (20:57 +0000)]
modernize doc/Makefile somewhat
Modernize doc/Makefile somewhat so that it can run more usefully on
modern non-Athena machines.
ticket: 6906
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24909 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 2 May 2011 20:45:38 +0000 (20:45 +0000)]
Add poll support to sendto_kdc.c so that it can work in processes with
large numbers of open files. Move krb5int_cm_call_select() to a
separate file so that the poll support doesn't interfere with
net-server.c's continuing use of select.
ticket: 6905
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24908 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 2 May 2011 15:37:38 +0000 (15:37 +0000)]
r24899 moved the declarations of krb5int_mk_chpw_req and related
functions from k5-int.h to int-proto.h. The removal of those
declarations from k5-int.h was accidentally omitted from the commit;
commit it now.
ticket: 6893
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24907 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Sun, 1 May 2011 23:35:42 +0000 (23:35 +0000)]
Updated documentation of krb5_copy_ , krb5_free_ and krb5_kt_ functions
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24906 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Thu, 28 Apr 2011 16:32:51 +0000 (16:32 +0000)]
Updated the documentation for API related to the credentials caches and their collections
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24905 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Thu, 28 Apr 2011 15:43:45 +0000 (15:43 +0000)]
Properly release resources in krb5_copy_authenticator()
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24904 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 27 Apr 2011 22:09:29 +0000 (22:09 +0000)]
The MIT krb5 and Heimdal implementations of
gss_krb5_export_lucid_sec_context error on version arguments other
than 1, so the version negotiation described in the function
documentation would not be backward-compatible. Change the docs so
that the caller can assume the returned structure is of the requested
version, but the caller will be responsible for retrying with lower
version numbers on error. (Unfortunately, Heimdal and MIT return
different error codes, and MIT's is in a currently-unpublished header,
so we can't document the error code for unknown versions.)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24903 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 27 Apr 2011 17:12:07 +0000 (17:12 +0000)]
Make krb5_os_init_context compile again after r24901
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24902 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Wed, 27 Apr 2011 15:58:49 +0000 (15:58 +0000)]
Remove worthless call to krb5_cc_set_default_name in krb5_os_init_context
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24901 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 25 Apr 2011 22:01:47 +0000 (22:01 +0000)]
Correctly set the expiration field of impersonated credentials in
kg_compose_deleg_cred(), so we can find them in the cache in
init_sec_context. From aberry@likewise.com.
ticket: 6902
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24900 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 25 Apr 2011 17:28:42 +0000 (17:28 +0000)]
Refactor krb5int_rd_chpw_rep() and make it properly handle both framed
and unframed KRB-ERROR messages. Eliminate krb5int_rd_setpw_rep() and
krb5int_setpw_result_code_string() by making the chpw versions of
those functions handle RFC 3244 replies.
ticket: 6893
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24899 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 25 Apr 2011 16:44:16 +0000 (16:44 +0000)]
Do not reference krb5_chpw_result_code_string in
krb5_change_password() documentation, as it is not a public function.
Do not falsely claim that the result_code_string parameter is unused.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24898 dc483132-0cff-0310-8789-dd5450dbe970
Ezra Peisach [Fri, 22 Apr 2011 19:37:32 +0000 (19:37 +0000)]
Close comment in #endif for KRB5_DEPRECATED to avoid warning of
/* in open comment.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24894 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Fri, 22 Apr 2011 14:13:59 +0000 (14:13 +0000)]
Documented V4/V5 conversion and some credential cache API functions. Marked krb5_cc_gen_new() as deprecated
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24893 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 21 Apr 2011 16:54:31 +0000 (16:54 +0000)]
Remove kg_map_toktype(), as the call sites were removed in r21742
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24892 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Wed, 20 Apr 2011 15:48:20 +0000 (15:48 +0000)]
Documented krb5_auth_con_ API family
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24891 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 20 Apr 2011 14:40:49 +0000 (14:40 +0000)]
Install k5login(5) as well as .k5login(5)
Since there is conflicting precedent as to whether dotfile man pages
should be installed with or without the leading dot, install the
.k5login man page both ways.
ticket: 6904
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24890 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 19 Apr 2011 18:16:17 +0000 (18:16 +0000)]
Missed in r24888: remove the process_chpw_request() prototype from
misc.h as it is now a static function.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24889 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 19 Apr 2011 18:13:41 +0000 (18:13 +0000)]
Clean up schpw.c in kadmind a bit, making use of new k5-int.h helpers
where appropriate.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24888 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 19 Apr 2011 16:46:37 +0000 (16:46 +0000)]
Revert r24886; it was incorrect
ticket: 6903
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24887 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 19 Apr 2011 16:37:19 +0000 (16:37 +0000)]
Fix memory leak in kpasswd server UDP error path
The dispatch() in kadmind's schpw.c could return a failure code with
an allocated response container. net-server.c does not expect this
and leaks the container in the UDP case. Free the container in
dispatch() if we are returning an error.
ticket: 6903
target_version: 1.9.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24886 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 16 Apr 2011 18:10:23 +0000 (18:10 +0000)]
Handle null OID values in gss_oid_equal()
ticket: 6890
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24885 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 16 Apr 2011 17:30:38 +0000 (17:30 +0000)]
Check mech_type as well as mech_name in gssint_import_internal_name(),
for the sake of static analyzers. (Also, since this is an internal
function, it can be called on a half-constructed MN; checking the type
alone would be insufficient.)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24884 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 16 Apr 2011 14:05:22 +0000 (14:05 +0000)]
Fix a code path where mech could be used uninitialized in
gss_accept_sec_context after r24645.
ticket: 6813
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24883 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 16 Apr 2011 13:57:47 +0000 (13:57 +0000)]
Revert r24826. Export krb5int_nfold from libk5crypto and link t_nfold
against libk5crypto, matching the approach used in most other library
unit tests.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24882 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 13 Apr 2011 18:43:37 +0000 (18:43 +0000)]
Fix the sole case in process_chpw_request() where a return could occur
without allocating the data pointer in the response. This prevents a
later free() of an invalid pointer in kill_tcp_or_rpc_connection().
Also initialize rep->data to NULL in process_chpw_request() and clean
up *response in dispatch() as an additional precaution.
ticket: 6899
tags: pullup
target_version: 1.9.1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24878 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 13 Apr 2011 15:15:56 +0000 (15:15 +0000)]
Remove pointer validation code from the gss krb5 mech
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24877 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 12 Apr 2011 18:35:31 +0000 (18:35 +0000)]
In krb5_gss_display_status, correct the sense of the
g_make_string_buffer test, and return GSS_S_FAILURE if it fails.
Reported by snambakam@likewise.com.
ticket: 6898
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24876 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Tue, 12 Apr 2011 13:36:15 +0000 (13:36 +0000)]
Documentation updates. Mostly GIC related
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24875 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 11 Apr 2011 22:23:47 +0000 (22:23 +0000)]
Shuffle around some gss-krb5 entry points to eliminate four mostly
content-free source files and better separate IOV stuff from non-IOV
stuff.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24874 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sun, 10 Apr 2011 16:37:01 +0000 (16:37 +0000)]
Add Doxygen markup for gss_userok() and gss_authorize_localname()
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24870 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sun, 10 Apr 2011 15:42:11 +0000 (15:42 +0000)]
Implement gss_authorize_localname, as discussed on the kitten list,
and make gss_userok a wrapper around it matching the Gnu GSS
prototype. The SPI for gss_authorize_localname doesn't match the API
since we have no way of representing the contents of an internal name
to a mech at the moment. From r24855, r24857, r24858, r24862, r24863,
r24864, r24866, r24867, and r24868 in
users/lhoward/moonshot-mechglue-fixes.
ticket: 6891
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24869 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 8 Apr 2011 17:47:01 +0000 (17:47 +0000)]
When inquiring the default GSS acceptor principal, return a principal
name from the keytab if we can, for better compliance with GSSAPI.
ticket: 6897
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24861 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 8 Apr 2011 17:45:07 +0000 (17:45 +0000)]
Correctly recognize non-iterable keytabs in k5_kt_get_principal()
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24860 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 8 Apr 2011 16:50:13 +0000 (16:50 +0000)]
Add k5_kt_get_principal, an internal krb5 interface to try to get a
principal name from a keytab. Used currently by vfy_increds.c (in
place of its static helper); will also be used when querying the name
of the default gss-krb5 acceptor cred.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24859 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 7 Apr 2011 15:20:37 +0000 (15:20 +0000)]
In the authdata framework, determine which authdata sources to query
based on the module's usage flags. From r24794 in
users/lhoward/moonshot-mechglue-fixes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24853 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 6 Apr 2011 20:06:50 +0000 (20:06 +0000)]
Allow anonymous name to be imported with empty name buffer
When importing a name of type GSS_C_NT_ANONYMOUS, allow the input name
buffer to be null or empty (null is translated into empty before
mechanisms see it).
From r24820 in users/lhoward/moonshot-mechglue-fixes.
ticket: 6896
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24852 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Wed, 6 Apr 2011 19:44:07 +0000 (19:44 +0000)]
Documentation updates
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24851 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 5 Apr 2011 22:15:41 +0000 (22:15 +0000)]
Make depend
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24844 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 5 Apr 2011 22:10:00 +0000 (22:10 +0000)]
gss_duplicate_name SPI for SPNEGO
Preserve attributes when duplicating a name, using the mechanism's
implementation of gss_duplicate_name if present, or a loop over
the attributes if not.
ticket: 6895
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24843 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 4 Apr 2011 23:06:09 +0000 (23:06 +0000)]
More sensical mech selection for gss_acquire_cred/accept_sec_context
If a caller passes an empty mech set to gss_acquire_cred, get a cred
for all mechs instead of just the krb5 mech, as we don't know what
mechanism the cred is going to be used with (particularly in the
acceptor case). As a related fix, if a caller passes a credential to
gss_accept_sec_context and it does not contain a mech-specific cred
for the token's mech, error out instead of using the default cred with
the token's mechanism.
ticket: 6894
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24840 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 4 Apr 2011 20:57:59 +0000 (20:57 +0000)]
r24838 accidentally added a gss_duplicate_name line to
build_dynamicMech(), breaking the build (since gss_duplicate_name
isn't in gss_mechanism yet). Revert that part of the change.
ticket: 6892
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24839 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 4 Apr 2011 20:11:08 +0000 (20:11 +0000)]
Prevent bleed-through of mechglue symbols into loaded mechs
When loading a mech's symbols individually, make sure the symbol we
got wasn't just a mechglue symbol showing through because the mech
was linked against the mechglue. From r24719 in
users/lhoward/moonshot-mechglue-fixes.
ticket: 6892
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24838 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 4 Apr 2011 20:04:54 +0000 (20:04 +0000)]
Add gss_userok and gss_pname_to_uid to dynamic mech loading table.
From r24711 in users/lhoward/moonshot-mechglue-fixes.
ticket: 6891
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24837 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 4 Apr 2011 15:59:35 +0000 (15:59 +0000)]
Add gss_userok and gss_pname_to_uid
Resurrect gss_userok and gss_pname_to_uid in the mechglue. Add krb5
mech implementations using krb5_kuserok and krb5_aname_to_localname,
as well as mechanism-independent implementations based on name
attributes.
From r24710, r24715, r24717, r24731, r24732, r24733, r24734, r24735,
r24747, r24816, and r24819 in users/lhoward/moonshot-mechglue-fixes,
with minor edits.
ticket: 6891
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24836 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Mon, 4 Apr 2011 14:59:22 +0000 (14:59 +0000)]
Documentation updates
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24835 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Sun, 3 Apr 2011 23:21:59 +0000 (23:21 +0000)]
CoreFoundation is no longer used for UCS2 conversions
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24834 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Sun, 3 Apr 2011 23:21:56 +0000 (23:21 +0000)]
Drop some redundant autoconf tests
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24833 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Sun, 3 Apr 2011 23:21:52 +0000 (23:21 +0000)]
Don't check for stdarg.h
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24832 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Sun, 3 Apr 2011 23:21:46 +0000 (23:21 +0000)]
Don't test HAVE_STDARG_H, just assume it
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24831 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sun, 3 Apr 2011 22:16:53 +0000 (22:16 +0000)]
In t_fortuna.c, use a static buffer in head_tail_test, and use %f for
a double argument, not %lf.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24830 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Sun, 3 Apr 2011 22:10:03 +0000 (22:10 +0000)]
Don't allocate over 2MB on the stack; sparc-netbsd3.0 default stack
limit is 2MB.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24829 dc483132-0cff-0310-8789-dd5450dbe970