Greg Hudson [Thu, 28 Jan 2010 21:39:31 +0000 (21:39 +0000)]
Handle migration from pre-1.7 databases with master key kvno != 1
krb5_dbe_lookup_mkvno assumes an mkvno of 1 for entries with no
explicit tl_data. We've seen at least one pre-1.7 KDB with a master
kvno of 0, violating this assumption. Fix this as follows:
* krb5_dbe_lookup_mkvno outputs 0 instead of 1 if no tl_data exists.
* A new function krb5_dbe_get_mkvno translates this 0 value to the
minimum version number in the mkey_list. (krb5_dbe_lookup_mkvno
cannot do this as it doesn't take the mkey_list as a parameter.)
* Call sites to krb5_dbe_lookup_mkvno are converted to
krb5_dbe_get_mkvno, except for an LDAP case where it is acceptable
to store 0 if the mkvno is unknown.
ticket: 6650
target_version: 1.7.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23676
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Wed, 27 Jan 2010 22:17:12 +0000 (22:17 +0000)]
Update the LDAP dependencies for r23674
ticket: 6649
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23675
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Wed, 27 Jan 2010 03:52:52 +0000 (03:52 +0000)]
Get rid of kdb_ext.h and allow out-of-tree KDB plugins
Move the contents of kdb_ext.h into kdb.h, since there is no meaningful
"extensions" category of DB interfaces now that this stuff is in our
tree. Allows out-of-tree KDB plugins to be built since we install
kdb.h.
ticket: 6649
target_version: 1.8
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23674
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 26 Jan 2010 22:55:07 +0000 (22:55 +0000)]
define MIN() in lib/gssapi/krb5/prf.c
Apply patch from Doug Engert to define MIN(), which was causing prf.c
to fail compilation on Solaris. (The definition was probably leaking
from sys/param.h, included indirectly somehow.)
ticket: 6648
target_version: 1.8
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23673
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 26 Jan 2010 18:43:29 +0000 (18:43 +0000)]
Apply patch from Arlene Berry to plug a memory leak
ticket: 6599
target_version: 1.8
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23672
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Mon, 25 Jan 2010 18:15:46 +0000 (18:15 +0000)]
In the DAL comments, document KRB5_KDB_INCLUDE_PAC, and correct the
documentation of the S4U flags to indicate that they affect PAC
generation.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23667
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Mon, 25 Jan 2010 04:12:21 +0000 (04:12 +0000)]
Document the DAL interface in comments, as an aid to module
implementors.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23666
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Tue, 19 Jan 2010 23:35:39 +0000 (23:35 +0000)]
Add krb5_allow_weak_crypto API
Add an API to allow apps to override the profile setting of
allow_weak_crypto, so that aklog can work with krb5 1.8 out of the box
until OpenAFS finishes migrating away from DES.
ticket: 6645
target_version: 1.8
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23663
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Tue, 19 Jan 2010 18:44:57 +0000 (18:44 +0000)]
Change basename of libkadm5 libraries to avoid Heimdal conflict
ticket: 6644
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23662
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Tue, 19 Jan 2010 17:20:45 +0000 (17:20 +0000)]
In kinit_anonymous, fail out if we receive a password request from
kinit, instead of hanging.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23661
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Thu, 14 Jan 2010 16:09:24 +0000 (16:09 +0000)]
Make history key exempt from permitted_enctypes
In kdb_init_hist, just use the first key entry in the kadmin/history
entry. This makes the history key work even if the enctype is
disallowed by allow_weak_crypto=false or other configuration.
ticket: 6640
tags: pullup
target_version: 1.8
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23657
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Tue, 12 Jan 2010 21:59:58 +0000 (21:59 +0000)]
Add test program for decryption of overly short buffers
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23652
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Tue, 12 Jan 2010 01:07:48 +0000 (01:07 +0000)]
Use keyed checksum type for DES FAST
DES enctypes have unkeyed mandatory-to-implement checksums. Since
FAST requires a keyed checksum, we must pick something else in that
case.
ticket: 6633
target_version: 1.7
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23629
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Tue, 12 Jan 2010 01:05:37 +0000 (01:05 +0000)]
Simplify and fix FAST check for keyed checksum type
Use krb5_c_is_keyed_checksum to detect unkeyed checksums when handling
FAST requests. The old check was broken for 1.8 because
krb5_c_verify_checksum got pickier about invalid keyblocks.
ticket: 6632
target_version: 1.8
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23628
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Mon, 11 Jan 2010 15:19:42 +0000 (15:19 +0000)]
Group together the funtions related to the supplying options to preauth plugin modules.
Also, removed krb5int_ prefix from the names of some static functions in gic_opt.c.s
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23625
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Sun, 10 Jan 2010 04:31:51 +0000 (04:31 +0000)]
(memory leak)
ktest_make_sample_ad_signedpath_data: Do not initialize client field twice.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23624
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Sun, 10 Jan 2010 02:12:55 +0000 (02:12 +0000)]
Move krb5_authdata_export_authdata into the separate file for better code modularity
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23623
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Sat, 9 Jan 2010 16:02:13 +0000 (16:02 +0000)]
krb5int_pbkdf2_hmac_sha1 fails to set enctype on keyblock
krb5int_pbkdf2_hmac_sha1 fails to set enctype on a termporary keyblock
- resulting in valgrind picking up on a conditional branch w/ unset
value. Initialize value.
ticket: 6630
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23622
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Fri, 8 Jan 2010 19:53:34 +0000 (19:53 +0000)]
Fix t_locate_kdc.c test program after r23613 when krb5_ prefix was removed from the names of the static functions in locate_kdc.c
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23614
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Fri, 8 Jan 2010 19:35:40 +0000 (19:35 +0000)]
Move kdc related functionality from pac.c into pac_sign.c
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23613
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Fri, 8 Jan 2010 14:54:04 +0000 (14:54 +0000)]
krb5int_dk_string_to_key fails to set enctype
Failure to set the enctype before invoking krb5_k_create_key results in
potential memory leak.
ticket: 6628
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23612
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Fri, 8 Jan 2010 03:43:37 +0000 (03:43 +0000)]
Set enctype in crypto_tests to prevent memory leaks
The key caching is causing memory leaks if enctype is not set as the
enctype specific cleanup handlers are not called.
ticket: 6627
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23611
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Fri, 8 Jan 2010 02:43:21 +0000 (02:43 +0000)]
Restore interoperability with 1.6 addprinc -randkey
The arcfour string-to-key operation in krb5 1.7 (or later) disagrees
with the dummy password used by the addprinc -randkey operation in
krb5 1.6's kadmin client, because it's not valid UTF-8. Recognize the
1.6 dummy password and use a random password instead.
ticket: 6626
tags: pullup
target_version: 1.8
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23610
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Fri, 8 Jan 2010 02:12:24 +0000 (02:12 +0000)]
yarrow code does not initialize keyblock enctype and uses unitialized value
The yarrow code uses a keyblock that is partially initialized. This results
in krb5_k_free_key trying to look up the enctype to call the free handler.
One of the valgrind reports: (there are several paths)
==26701== Conditional jump or move depends on uninitialised value(s)
==26701== at 0x40E9AF0: find_enctype (etypes.h:81)
==26701== by 0x40E9C9E: krb5_k_free_key (key.c:91)
==26701== by 0x40D641A: krb5int_yarrow_cipher_init (ycipher.c:49)
==26701== by 0x40D593A: yarrow_gate_locked (yarrow.c:578)
==26701== by 0x40D5349: krb5int_yarrow_output_Block (yarrow.c:423)
==26701== by 0x40D581B: yarrow_output_locked (yarrow.c:553)
==26701== by 0x40D5667: krb5int_yarrow_output (yarrow.c:513)
==26701== by 0x40EBD2D: krb5_c_random_make_octets (prng.c:112)
==26701== by 0x40D4119: krb5int_old_encrypt (old_aead.c:97)
==26701== by 0x40E9696: krb5_k_encrypt_iov (encrypt_iov.c:42)
==26701== by 0x8049554: main (t_encrypt.c:206)
==26701==
ticket: 6625
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23609
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Fri, 8 Jan 2010 01:51:19 +0000 (01:51 +0000)]
krb5int_derive_key results in cache with uninitialized values
krb5int_derive_key creates a temporary keyblock to add to the derived cache.
krb5_k_free_key will iterate over the derived keys and for ones with cache will
lookup the enctype for the key_cleanup handler.
Unfortunatly, there isn't a keyblock init function that does not allocate the
keyblock - as I suspect this problem will appear in other places.
The valgrind log of this problem is:
==7281== Conditional jump or move depends on uninitialised value(s)
==7281== at 0x40E9AE8: find_enctype (etypes.h:81)
==7281== by 0x40E9C96: krb5_k_free_key (key.c:91)
==7281== by 0x40E9C52: krb5_k_free_key (key.c:86)
==7281== by 0x40EBB00: krb5_c_prf (prf.c:87)
==7281== by 0x40E7B1B: prf_plus (cf2.c:77)
==7281== by 0x40E7CE6: krb5_c_fx_cf2_simple (cf2.c:125)
==7281== by 0x804899C: main (t_cf2.c:70)
==7281==
with memory leaks.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23608
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Thu, 7 Jan 2010 20:57:02 +0000 (20:57 +0000)]
When retrieving the kadmin/history key, accept any enctype, as the
current master key enctype may not match the one the KDB was created
with.
ticket: 6546
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23607
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Thu, 7 Jan 2010 19:17:55 +0000 (19:17 +0000)]
Move krb5_auth_con_getauthenticator into copy_athctr.c as a better logical location
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23606
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Thu, 7 Jan 2010 18:35:15 +0000 (18:35 +0000)]
Revert change to Makefile.in that ended up not being needed
ticket: 6624
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23605
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Thu, 7 Jan 2010 18:32:20 +0000 (18:32 +0000)]
automated tests for anonymous pkinit
Implement tests for anonymous pkinit. A certificate and private key
are checked in; these tests will stop working in 2023.
Note that r23602 needs to be pulled up before this ticket.
ticket: 6624
target_version: 1.8
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23604
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Thu, 7 Jan 2010 18:32:15 +0000 (18:32 +0000)]
Always treat anonymous as preauth required
Always treat the WELLKNOWN/ANONYMOUS principal as requiring pre-authentication. The anonymous draft depends on a pre-auth exchange to invoke pkinit.
ticket: 6623
target_version: 1.8
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23603
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Thu, 7 Jan 2010 17:26:58 +0000 (17:26 +0000)]
Make preauth_module_dir override, rather than supplement, the
built-in path list, to avoid problems with running the same preauth
module twice.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23602
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Thu, 7 Jan 2010 17:07:36 +0000 (17:07 +0000)]
Use a distinct pass/fail string for kinit_fast so its failures can be
distinguished from kinit's.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23601
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Thu, 7 Jan 2010 14:52:11 +0000 (14:52 +0000)]
Add miising files from rev #23593
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23600
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Wed, 6 Jan 2010 23:44:04 +0000 (23:44 +0000)]
Make krb5_dbe_def_search_enctype more consistent about when it returns
KRB5_KDB_NO_PERMITTED_KEY. Now it will return that error if it sees
any non-permitted enctypes which match the search criteria.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23599
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 6 Jan 2010 23:25:53 +0000 (23:25 +0000)]
Move copyright and other notices to NOTICE
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23598
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Wed, 6 Jan 2010 23:14:14 +0000 (23:14 +0000)]
Don't return KRB5_KDB_NO_PERMITTED_KEY from
krb5_dbe_def_search_enctype if we previously returned results (i.e. if
*start > 0).
ticket: 6622
target_version: 1.8
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23597
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Wed, 6 Jan 2010 21:56:02 +0000 (21:56 +0000)]
Divide copy_auth.c into three files based on the functionality. Namely,
1. copy/merge authdata
2. KDC related encode authdata
3. decode authdata
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23593
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Wed, 6 Jan 2010 18:39:18 +0000 (18:39 +0000)]
Since krb5int_validate_times is used only inside krb dir do not export it and move its prototype into int-proto.h
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23592
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Tue, 5 Jan 2010 21:20:15 +0000 (21:20 +0000)]
Rename krb5_validate_times into krb5int_validate_times as it is internal function
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23591
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Tue, 5 Jan 2010 21:11:03 +0000 (21:11 +0000)]
Rename krb5int_tgtname into krb5_tgtname as an internal function
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23590
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 5 Jan 2010 04:48:57 +0000 (04:48 +0000)]
Update trunk for post-1.8-branch
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23589
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 5 Jan 2010 04:37:07 +0000 (04:37 +0000)]
README, copyright, patchlevel for krb5-1.8 branch
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23587
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 5 Jan 2010 02:47:58 +0000 (02:47 +0000)]
disable weak crypto by default
Set allow_weak_crypto=false by default. Set default master key
enctype to sha256. Adjust test suite to compensate.
ticket: 6621
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23586
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 4 Jan 2010 21:45:23 +0000 (21:45 +0000)]
Install encrypted_challenge plugin during fake-install
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23585
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Mon, 4 Jan 2010 21:22:00 +0000 (21:22 +0000)]
Add preauth_module_dir support to the KDC preauth module loader
(should have been part of r23531). Most or all of this logic should
be moved into the plugin code or a layer above it, after the branch.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23584
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Mon, 4 Jan 2010 19:59:25 +0000 (19:59 +0000)]
Anonymous documentation
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23583
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Mon, 4 Jan 2010 19:59:20 +0000 (19:59 +0000)]
Other changes in this ticket guarantee that the padata argument to
return callbacks is non-null; don't check for null in pkinit_srv.c.
ticket: 6607
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23582
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Mon, 4 Jan 2010 19:59:16 +0000 (19:59 +0000)]
Bring back krb5_kt_free_entry which really does the same thing as
krb5_free_keytab_entry_contents per discussion on krbdev in order to
avoid breaking samba builds.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23581
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Mon, 4 Jan 2010 19:59:12 +0000 (19:59 +0000)]
Test FAST authentication during each pass
Because a new principal is added to the database, the iprop test
expected output is updated.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23580
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Mon, 4 Jan 2010 19:59:03 +0000 (19:59 +0000)]
Fix documentation of armor cache based on fast negotiation project
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23579
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 4 Jan 2010 19:34:33 +0000 (19:34 +0000)]
kdc_supported_enctypes does nothing; eradicate mentions thereof
kdc_supported_enctypes does nothing. Remove all mention of it from
documentation and test suites.
ticket: 6620
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23578
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Mon, 4 Jan 2010 17:00:23 +0000 (17:00 +0000)]
Don't accept AS replies encrypted in enctypes other than the ones we
asked for.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23577
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Mon, 4 Jan 2010 06:22:41 +0000 (06:22 +0000)]
For the better code modularity keep some "free" routines closer to the resource allocators. Also, reindent cleanup in the touched files
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23576
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sun, 3 Jan 2010 23:41:49 +0000 (23:41 +0000)]
Update dependencies
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23575
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sun, 3 Jan 2010 23:39:12 +0000 (23:39 +0000)]
Enable caching of key-derived context info such as key schedules from
one encryption operation to another. Use a new function in the
enc_provider structure for cleanup. Implement caching of aes_ctx
values.
Using Greg's performance tests from the derived-key caching work, on a
2.8GHz Xeon, I see 1 million AES-128 encryptions of 16 bytes improved
by 5-6%; encryptions of 1024 bytes and checksums are not significantly
affected.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23574
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Sun, 3 Jan 2010 23:12:19 +0000 (23:12 +0000)]
Fix a case where krb5int_aes_decrypt was trying to encrypt a block
instead of decrypting it.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23573
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Sun, 3 Jan 2010 15:14:51 +0000 (15:14 +0000)]
krb5_gss_acquire_cred will deref garbage pointer if actual_mechs is NULL
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23572
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Sun, 3 Jan 2010 14:27:02 +0000 (14:27 +0000)]
Initialize variables in case of error path winds up freeing stack garbage
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23571
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sun, 3 Jan 2010 03:00:24 +0000 (03:00 +0000)]
Ignore some routing messages indicating changes that don't affect our
set of local addresses.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23570
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sun, 3 Jan 2010 03:00:19 +0000 (03:00 +0000)]
Remove old 'full' arg to KDC that should've gone away with '-4'
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23569
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Sun, 3 Jan 2010 00:19:53 +0000 (00:19 +0000)]
Some unsigned/signed warning cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23568
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Sat, 2 Jan 2010 02:35:40 +0000 (02:35 +0000)]
Use krb5int_count_etypes in rd_req_decoded_opt
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23567
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Sat, 2 Jan 2010 02:16:23 +0000 (02:16 +0000)]
Test -P options to kdc and kadmind to write out a pid file. Verify contents of
pid file match pid of executable.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23566
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Fri, 1 Jan 2010 23:20:56 +0000 (23:20 +0000)]
Factor out copying and counting of zero-terminated enctype lists into
a new file src/lib/krb5/krb/etype_list.c.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23565
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Fri, 1 Jan 2010 22:34:29 +0000 (22:34 +0000)]
Update copyright year in prototype sources
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23564
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Fri, 1 Jan 2010 16:41:04 +0000 (16:41 +0000)]
Change db_args from being a global to only defined in the function
that uses it. This removes a warning of shadowed variable names. Change
several functions to static when limited to main.c
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23563
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Fri, 1 Jan 2010 13:00:08 +0000 (13:00 +0000)]
Add gcc printf attribute for kdc_err prototype
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23562
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Fri, 1 Jan 2010 12:58:42 +0000 (12:58 +0000)]
Unsigned/signed cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23561
dc483132-0cff-0310-8789-
dd5450dbe970
Russ Allbery [Fri, 1 Jan 2010 05:09:57 +0000 (05:09 +0000)]
Add a new -P option to krb5kdc and kadmind which, if given, specifies
the path to which to write the PID file of the daemon after it finishes
initializing.
Ticket: 6618
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23560
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Thu, 31 Dec 2009 23:18:16 +0000 (23:18 +0000)]
Free tinfo at end - so program runs with new memory leaks
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23559
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Thu, 31 Dec 2009 23:13:56 +0000 (23:13 +0000)]
Remove tests for functions that we do not conditionalize on. Most deprecated
from breakoff of apps.
Specifically, do not test for:
gethostbyname2 getifaddrs pthread_mutex_lock sched_yield ftime strstr
timezone umask waitpid sem_init sem_trywait daemon
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23558
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Thu, 31 Dec 2009 22:49:52 +0000 (22:49 +0000)]
Declare function as static to avoid compiler warning on missing prototypes
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23557
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Thu, 31 Dec 2009 22:48:19 +0000 (22:48 +0000)]
Remove $(TOBJS) for make clean
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23556
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Thu, 31 Dec 2009 22:25:11 +0000 (22:25 +0000)]
Use krb5_free_default_realm instead of free on the results of
krb5_get_default_realm().
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23555
dc483132-0cff-0310-8789-
dd5450dbe970
Russ Allbery [Thu, 31 Dec 2009 04:21:34 +0000 (04:21 +0000)]
Fix spelling and hyphen errors in man pages
Fix spelling errors in man pages detected by Debian's Lintian program.
Also escape some -'s that are intended to be literal ASCII dashes and
not Unicode hyphens so that groff won't change them into true hyphens.
ticket: 6616
component: krb5-doc
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23554
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Thu, 31 Dec 2009 04:07:03 +0000 (04:07 +0000)]
NetBSD 5.0.1 uses an OpenSSL snapshot that describes itself as 0.9.9,
and has the EVP_PKEY_decrypt API change that was already being worked
around for OpenSSL 1.0.0. Work around it for 0.9.9 too.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23553
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Thu, 31 Dec 2009 03:37:40 +0000 (03:37 +0000)]
format %p wants void*
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23552
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Thu, 31 Dec 2009 03:37:37 +0000 (03:37 +0000)]
Initialize hash_iov, in case of premature error exit
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23551
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Thu, 31 Dec 2009 03:37:34 +0000 (03:37 +0000)]
Convert C++ style comments into traditional C comments
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23550
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Thu, 31 Dec 2009 03:37:30 +0000 (03:37 +0000)]
No comma at end of enumerator list
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23549
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Thu, 31 Dec 2009 01:32:00 +0000 (01:32 +0000)]
No comma at end of enumerator list
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23548
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Wed, 30 Dec 2009 23:03:48 +0000 (23:03 +0000)]
Include os-proto.h for _krb5_conf_boolean prototype before declaration
of function. (gcc warning)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23547
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Wed, 30 Dec 2009 19:53:16 +0000 (19:53 +0000)]
Move krb5int_get_domain_realm_mapping into kdc_util.c as this function is a helper in kdc code
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23546
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Wed, 30 Dec 2009 19:39:35 +0000 (19:39 +0000)]
Eliminate the krb5_set_default_in_tkt_ktypes and
krb5_set_default_tgs_ktypes during context initialization, as they
weren't doing anything.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23545
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Tue, 29 Dec 2009 20:30:29 +0000 (20:30 +0000)]
Create a separate file for krb5_copy_context for better code modularity
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23538
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Tue, 29 Dec 2009 20:08:42 +0000 (20:08 +0000)]
Combine the related code into one file
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23537
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Tue, 29 Dec 2009 18:03:31 +0000 (18:03 +0000)]
Remove an inoperable error check in return_pkinit_kx
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23536
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Tue, 29 Dec 2009 16:41:08 +0000 (16:41 +0000)]
Functions in enc_helper.c serve different code blocks. Split them
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23535
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 29 Dec 2009 02:42:51 +0000 (02:42 +0000)]
MITKRB5-SA-2009-003 CVE-2009-3295 KDC null deref in referrals
On certain error conditions, prep_reprocess_req() calls kdc_err() with
a null pointer as the format string, causing a null dereference and
denial of service. Legitimate protocol requests can trigger this
problem.
ticket: 6608
tags: pullup
target_version: 1.7.1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23533
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Mon, 28 Dec 2009 20:13:39 +0000 (20:13 +0000)]
Add dejagnu test suite support for finding the preauth modules in the
fake install. Not yet tested, except to verify that it doesn't break
the existing test suite.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23532
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Mon, 28 Dec 2009 19:59:10 +0000 (19:59 +0000)]
Add a new profile variable preauth_module_dir, which specifies
directories to look for preauth plugins in prior to the hardcoded
locations. Undocumented for now since, like db_module_dir, this is
mostly intended for the test suite.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23531
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Mon, 28 Dec 2009 19:25:09 +0000 (19:25 +0000)]
Move krb5_get_profile back to init_os_ctx.c for now and revert r23519.
At this time we link t_etypes against init_ctx.so during "make check",
which breaks if init_ctx contains reference to the profile library.
More general solutions to this problem are under discussion.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23530
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Mon, 28 Dec 2009 18:03:31 +0000 (18:03 +0000)]
Whitespace fixes for new anonymous support
ticket: 6607
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23528
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Mon, 28 Dec 2009 17:15:30 +0000 (17:15 +0000)]
Anonymous support for Kerberos
This ticket implements Project/Anonymous pkinit from k5wiki. Provides
support for completely anonymous principals and untested client
support for realm-exposed anonymous authentication.
* Introduce kinit -n
* Introduce kadmin -n
* krb5_get_init_creds_opt_set_out_ccache aliases the supplied ccache
* No longer generate ad-initial-verified-cas in pkinit
* Fix pkinit interactions with non-TGT authentication
Merge remote branch 'anonymous' into trunk
Conflicts:
src/lib/krb5/krb/gic_opt.c
ticket: 6607
Tags: enhancement
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23527
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Mon, 28 Dec 2009 00:47:40 +0000 (00:47 +0000)]
Remove libpty references
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23525
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Mon, 28 Dec 2009 00:21:20 +0000 (00:21 +0000)]
The "comment" field of prf_data_t was never actually set nor used, so
delete it and all references.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23524
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Mon, 28 Dec 2009 00:21:16 +0000 (00:21 +0000)]
Performance testing programs for krb5_init_context and profile data fetch
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23523
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Mon, 28 Dec 2009 00:21:13 +0000 (00:21 +0000)]
Fixing minorly grammatical bad
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23522
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Mon, 28 Dec 2009 00:21:10 +0000 (00:21 +0000)]
Note last real update was a while back; delete listings of libraries no longer in tree
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23521
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Mon, 28 Dec 2009 00:21:06 +0000 (00:21 +0000)]
allow testing when offline
Define new make variable OFFLINE to "no"; if it's set to "yes", skip
the testing of t_locate_kdc, which requires access to mit.edu SRV
records.
ticket: 6606
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23520
dc483132-0cff-0310-8789-
dd5450dbe970
projects / krb5.git / log