Commit Graph

15670 Commits

Author SHA1 Message Date
Nicolas Williams
9323ca9341 Fix krb5_kuserok() ~/.k5login check for luser==root 2012-01-18 23:24:22 -06:00
Nicolas Williams
6dd66df594 Make master build on Windows
Add strtoll()/strtoull() to lib/roken
    Add stdint.h to lib/roken (Windows only)
    Add logic to detect whether to use lib/roken's stdint.h based on
        Visual Studio version
    Add include of stdint.h in generated ASN.1 code
    Export missing symbols for 64-bit integers in lib/asn1
    Export missing symbols for FAST
    Add missing sources to kdc/NTMakefile
    Fix issue in kuserok
    Fix bsearch issues
2012-01-17 12:10:14 -06:00
Roland C. Dowdeswell
74db6a120f Change #elseif to #elif.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2012-01-10 22:54:50 +01:00
Love Hornquist Astrand
0f9f9d3ab6 add strtoll.c 2012-01-10 22:54:16 +01:00
Love Hornquist Astrand
0d7d3e4ab5 allow overriding default krb5_config_file 2012-01-10 22:54:16 +01:00
Andrew Bartlett
7a89f14aa5 Revert "make paranoia check less paranoid" - check that key types strictly match
This reverts commit c25af51232 because
otherwise we could attempt to check a CKSUMTYPE_HMAC_SHA1_96_AES_256 key with a
KRB5_ENCTYPE_ARCFOUR_HMAC_MD5 key.

Andrew Bartlett

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2012-01-10 22:54:16 +01:00
Andrew Bartlett
cdc04ce0ff make hmac-md5 the keyed checksum type for arcfour-hmac-md5
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2012-01-10 22:54:16 +01:00
Andrew Bartlett
5ce504c1fb use ETYPE_DES3_CBC_SHA1 for the verify step in verify_mic_des3
This allows a strict link between checksum types and key types to be
enforced.

Andrew Bartlett

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2012-01-10 22:54:16 +01:00
Jeffrey Altman
81db1ebce2 Correct d68aee90ed
in any case.  Both EAI_NODATA and WSANO_DATA can exist at the
same time.

Change-Id: I4378d8d3a5471a472a9b32632b0c70a1d717b951
2012-01-10 10:19:27 -05:00
Jeffrey Altman
d68aee90ed Windows: translate WSANO_DATA to HEIM_EAI_NODAT
Change-Id: I9116ab68b1f2ac4417577125df1efc5a1b42c89e
2012-01-08 17:10:01 -05:00
Russ Allbery
5ca056969a Close memory leak in the client kadmin library
kadm5_c_destroy was not freeing the kadm5_client_context, just its
contents.  Also free the context itself.

Signed-off-by: Nicolas Williams <nico@cryptonector.com>
2011-12-22 18:36:17 -06:00
Nicolas Williams
d769eced7b Plugin symbols can't have '-' in them... Also add example to krb5-plugin.7 2011-12-22 17:44:47 -06:00
Russ Allbery
911c993757 Fix reauthentication after password change in init_creds_password
When retrying authentication after a password change of an expired
password, use the new password instead of the original one.  Also,
pass in the correct length for the new password buffer to
change_password and zero the buffer that holds the new password on
function exit.

Signed-off-by: Russ Allbery <rra@stanford.edu>
Signed-off-by: Nicolas Williams <nico@cryptonector.com>
2011-12-22 14:53:08 -06:00
Nicolas Williams
223af60018 Oops, forgot to actually add krb5-plugin.7
I use a shell alias that expands to git add -uv ..., and the -u
    means new files don't get added :(
2011-12-22 14:42:05 -06:00
Nicolas Williams
25e623a957 Fix doxygen comment in krb5_aname_to_lname() 2011-12-22 11:17:42 -06:00
Nicolas Williams
672f6285ce Add doxygen docs for some plugin structs 2011-12-22 11:17:21 -06:00
Nicolas Williams
06974f27cb Add a krb5-plugin.7 manpage to document the plugin system 2011-12-21 13:59:37 -06:00
Love Hornquist Astrand
8e1b58e923 move function pointer to last argument 2011-12-15 21:48:33 -08:00
Love Hornquist Astrand
9cfc014a66 name KRB5_PLUGIN_KUSEROK "kuserok-plugin" 2011-12-15 21:46:43 -08:00
Nicolas Williams
dd05873d0c Fix regression in ASN.1 int type generation
The 64-bit integer support changed the logic for deciding when an
    INTEGER should map to a signed or unsigned 32- or 64-bit integer
    type.  The upshot is that two places where we had {0, INT_MAX}
    ranges needed to be changed to be {0, UINT_MAX}.

    We need to tweak the integer type mapping logic to have a bias for
    unsigned integer types.  Unsigned is better.
2011-12-15 14:37:09 -06:00
Nicolas Williams
4630ef1bdc Fix kuserok.c:check_owner_file(), make tests/kdc/check-authz run 2011-12-14 18:01:35 -06:00
Love Hornquist Astrand
477738a80d try w/o FAST if the KDC doesnt seem to handle it 2011-12-14 08:46:05 -08:00
Love Hörnquist Åstrand
2be0f1a1a4 check that we don't use negative size for arrays 2011-12-13 21:52:05 -08:00
Love Hörnquist Åstrand
2a551314a6 don't use negative size 2011-12-13 21:51:48 -08:00
Nicolas Williams
a222521e68 64-bit build fixes for ASN.1 compiler 64-bit integer support 2011-12-13 13:03:57 -06:00
Love Hornquist Astrand
449fb4775e check length of TESTuint64 2011-12-12 23:13:56 -08:00
Love Hornquist Astrand
80fd2959b9 check length of TESTuint64 2011-12-12 23:13:47 -08:00
Love Hornquist Astrand
9a4f8c3da7 add missing dependency 2011-12-12 23:11:21 -08:00
Love Hornquist Astrand
b91258ccdc better naming 2011-12-12 22:49:25 -08:00
Love Hornquist Astrand
a11ca3cb1b add rk_getpwnam_r 2011-12-12 21:55:06 -08:00
Love Hornquist Astrand
d453899462 split user and dir, use rk_getpwnam_r 2011-12-12 21:53:41 -08:00
Love Hornquist Astrand
167084b3e7 ident 2011-12-12 21:28:52 -08:00
Nicolas Williams
19d378f44d Add 64-bit integer support to ASN.1 compiler
ASN.1 INTEGERs will now compile to C int64_t or uint64_t, depending
    on whether the constraint ranges include numbers that cannot be
    represented in 32-bit ints and whether they include negative
    numbers.

    Template backend support included.  check-template is now built with
    --template, so we know we're testing it.

    Tests included.
2011-12-12 20:01:20 -06:00
Andrew Bartlett
0e7437ba2e HEIMDAL: Supply krb5_context to _krb5_internal_hmac to allow logging
Without this, log messages from any abort are not printed to
the samba logs.

Andrew Bartlett

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2011-12-11 21:45:15 -08:00
Nicolas Williams
35e28dcd5d Fix incomplete sentence in krb5.conf.5 2011-12-10 14:27:46 -06:00
Nicolas Williams
27ba7a5982 Address code review comments (use .Xr and .Pa macros in krb5.conf.5) 2011-12-10 14:06:16 -06:00
Nicolas Williams
3109770484 Address code review comments (use _krb5_homedir_access()) 2011-12-10 14:06:09 -06:00
Nicolas Williams
8e04b6dce2 Address code review comments (use krb5_enomem()) 2011-12-10 14:05:35 -06:00
Nicolas Williams
abd065be02 Add a test for krb5_kuserok() 2011-12-08 13:34:02 -06:00
Nicolas Williams
b9f8e6d956 Add DENY rule for krb5_kuserok() and update manpage 2011-12-08 13:34:02 -06:00
Nicolas Williams
8e63cff2cc Document krb5_kuserok() configuration parameters 2011-12-08 13:34:01 -06:00
Nicolas Williams
ad7e54d698 Generalize token expansion to allow for context-specific tokens 2011-12-08 13:33:37 -06:00
Nicolas Williams
6aec02f979 Make krb5_kuserok() pluggable and add features (including MIT config compat) 2011-12-08 13:33:36 -06:00
Nicolas Williams
cfe7f6312a Improve _krb5_plugin_run_f() 2011-12-08 13:33:36 -06:00
Love Hörnquist Åstrand
01884ebf2f fix argument order 2011-12-03 13:24:15 -08:00
Love Hörnquist Åstrand
fdeb7b2318 fix sizeof 2011-12-03 13:02:28 -08:00
Nicolas Williams
89bae59b49 Fix error clobbering bug and code review comments 2011-12-02 01:04:22 -06:00
Nicolas Williams
da14596f0e Add a test for aname2lname 2011-12-02 01:03:31 -06:00
Nicolas Williams
f468ed4759 Make krb5_aname_to_localname() use the libheimbase binary search functions 2011-12-02 01:03:08 -06:00
Nicolas Williams
aea02876e7 Initial aname2lname plugin patch based on code from Love
Included is a default plugin that searches a sorted text file where
    every line is of the form:
	<unparsed-principal>[<whitespace><username>]
    If the username is missing in a matching line then an error is
    returned.  If a matching line is not found then the next plugin will
    be allowed to run, if any.
2011-12-02 00:58:26 -06:00