Sam Hartman [Tue, 9 Aug 2011 20:07:39 +0000 (20:07 +0000)]
Windows fixes for gss-client.c
close(s) -> closesocket(s)
#include "port-sockets.h" (for closesocket())
#include "winsock.h" -> #include "winsock2.h" for consistency with port-sockets.h
call WSAStartup() before using sockets functions on Windows
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> Signed-off-by: Sam Hartman <hartmans@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25089 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Tue, 9 Aug 2011 20:07:34 +0000 (20:07 +0000)]
Fix rare duplicate time issue On systems with imprecise clocks
(e.g. windows), there was as issue where microsecond rollover could
conceivably cause the same time to be reported twice. Also document
potential performance improvement by using thread-local storage for
last_time and eliminating the mutex.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> Signed-off-by: Sam Hartman <hartmans@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25088 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 8 Aug 2011 18:27:15 +0000 (18:27 +0000)]
Fix accidental KDC use of replay cache
r24464 (ticket #6804) intended to remove the KDC replay cache by
eliminating all of the USE_RCACHE code, but it had the unintended side
effect of causing krb5_rd_req_decoded to use the default server
rcache. Using this cache is much less efficient because it is opened
and re-read for each request.
Set appropriate flags on the auth context to disable replay cache use
for TGS requests altogether.
Greg Hudson [Sun, 7 Aug 2011 01:12:28 +0000 (01:12 +0000)]
Add internal APIs for portable path manipulation
k5_path_split separates a path into dirname and basename.
k5_path_join joins two paths.
k5_path_isabs determines if a path is absolute.
All three functions follow the Python path function semantics.
Currently the test module doesn't run in the Windows build, but the
Windows path semantics are tested in the Unix build using specially
built objects.
Zhanna Tsitkov [Wed, 3 Aug 2011 17:50:23 +0000 (17:50 +0000)]
Added kadmin_local and krb5kdc admin programs to Sphinx doc tree.
Changed the reference labels in krb5/kdc.conf files for them to appear properly in the man pages.
Greg Hudson [Wed, 3 Aug 2011 03:41:35 +0000 (03:41 +0000)]
Fix several krb5.conf doc inconsistencies
ldap_servers was incorrectly documented as ldap_server in the admin
guide. realm_try_domains and preferred_preauth_types were documented
in the man page but not the admin guide.
krb5_calculate_checksum() and krb5_verify_checksum(), both deprecated,
construct invalid keyblocks and pass them to the real functions, which
used to work but now doesn't. Try harder to construct valid keyblocks
or pass NULL if there's no key.
Due to an apparent merge bug, KRB5_TL_DB_ARGS was defined in a
SECURID conditional block, and several source files worked around the
problem by defining the constant themselves or defining SECURID. Move
the definition and remove the workarounds.
For GCC compiles, use an attribute to suppress the variable set but
not used warnings. Due to the nested macros, it would get very ugly
to try and remove the variables.
PAC_CLIENT_INFO principal names do not contain a realm, so parse them
with the KRB5_PRINCIPAL_PARSE_NO_REALM flag. Otherwise we'll wind up
using the default realm (and then ignoring it) which fails if one
isn't configured.
In rare circumstances, such as checksum errors, some network stacks
can flag an fd for reading in select() and still block when the fd is
read. Set all sockets non-blocking to prevent hangs when this occurs.
(We don't actually handle the resulting EWOULDBLOCK or EAGAIN errors,
so the rare cases will appear as communication failures and we will
close the socket. This is already the case for TCP sockets and
probably isn't a big deal.)
If profile_open_file() discovers a shared tree for the file, but
encounters an error when updating it, dereference the data and return
a null profile rather than returning an error and a newly broken file
object. Otherwise we'd leak the returned file object in
profile_init().
The readline support change freed input just after ss_execute_line(),
but input can be used in the error block immediately following. Free
input after the error block instead.
The new implementation should be more friendly to static analyzers.
Coverity was getting confused into thinking that profile_iterator()
had the effect of returning a freed name pointer.
Prior to the pluggable configuration work, profile_get_values() and
friends would return PROF_NO_PROFILE if called with a null profile.
Restore that behavior.
Define MAX_DNS_NAMELEN unconditionally in k5-int.h as we use it
unconditionally in kdc_util.c. Don't define it in locate_kdc.c.
Conditionalize dns_locate_server() in locate_kdc.c as its only call
site (in k5_locate_server) and its helper function (locate_srv_dns_1)
are conditional.
Fix gss_set_cred_option cred creation with no name
When creating a cred in the mechglue with gss_acquire_cred, the
mechanism is allowed to return no name from gss_inquire_cred. But in
the analagous operation in gss_set_cred_option, that would result in
an error from gss_display_name. Make the call to gss_display_name
conditional on the mechanism name being set. Reported by Andrew
Bartlett.
By default, look for libedit (using pkg-config) and use it in libss.
Alternatively, the builder can explicitly ask for GNU Readline, but
using it will break the dejagnu test suite and will also add a GPL
dependency to libss and the programs using it.
Tom Yu [Mon, 11 Jul 2011 17:53:25 +0000 (17:53 +0000)]
use timegm() for krb5int_gmt_mktime() when available
Use timegm() if it is available, so that krb5int_gmt_mktime()
functions correctly on systems configured with a "right"
(leap-second-aware) time zone. It is arguably an OS bug if a "right"
time zone can be configured on a system that lacks timegm().
Due to a current lack of evidence of affected systems, the additional
workaround of replacing gmtime() with a version that always ignores
leap seconds is deferred.
If a principal has no associated kadm5 policy, we may still get
password quality errors from a module (KDB or pwqual). There was a
bug in the error generation for this case which caused only a generic
error to be returned.
Also use snprintf() instead of multiple string operations to compose
errors.
Zhanna Tsitkov [Wed, 29 Jun 2011 18:30:51 +0000 (18:30 +0000)]
Added "Realm configuration decisions" and "Incremental database propagation" sections.
Updated some cross-file references
Restored kadm5.acl s option in "Privileges" section
Greg Hudson [Tue, 28 Jun 2011 14:07:07 +0000 (14:07 +0000)]
Get static linking working again, mostly
Static linking (#6510) broke when lockout support was added because
the DB2 plugin became dependent on libkadm5srv_mit for XDR functions.
Also, static linking was extensively broken in combination with LDAP
support. Fix these problems.
Afer these fixes, the test suite fails in the FAST tests because
there's no static build support for dynamic preauth plugins, which
means there's no encrypted challenge. (And unlike the pkinit tests,
the test suite doesn't conditionalize on the presence of the encrypted
challenge plugin, because we always build it.) This will fix itself
if and when encrypted challenge becomes linked into the consumers, or
static build support is added for preauth plugins.
Greg Hudson [Mon, 27 Jun 2011 21:07:20 +0000 (21:07 +0000)]
Add a missing call in t_kgss_user.c
The userland side of the gss kernel subset tests was missing a call to
read_iov_token() at the end of the operation sequence. This mistake
caused a race condition where the child could either exit successfully
(if it finished send_iov_token() before the parent closed its end of
the pipe) or could fail with an EPIPE error from write().
Zhanna Tsitkov [Mon, 27 Jun 2011 14:49:44 +0000 (14:49 +0000)]
Removed 'viewcode' extension from the conf.py as not-required for the "minimal" build (i.e. build without Complete API and datatype reference section).
Added README file for sphinx-build.
projects / thirdparty / krb5.git / log
