Greg Hudson [Fri, 5 Dec 2008 18:30:18 +0000 (18:30 +0000)]
In the rlogin tests, expect to see /bin/sh echoed back after sending
/bin/sh. If we just look for a shell prompt, we can get out of sync
if the login shell decides to clear the line and redisplay the prompt.
(I see bash redisplaying the prompt in 30-50% of test runs; I don't
know what it's thinking.)
Sam Hartman [Thu, 4 Dec 2008 15:48:08 +0000 (15:48 +0000)]
Merge r21120 from mskrb-integ
Refactor code such that an AEAD provider does not need to implement the
older, non-IOV SPIs. Instead, the older APIs will implement their
behaviour on top of the AEAD SPIs, using the wrapper functions in
aead.c.
Greg Hudson [Wed, 3 Dec 2008 18:21:22 +0000 (18:21 +0000)]
Move warning flags to new variables WARN_CFLAGS and WARN_CXXFLAGS, so
that users can override the debugging and optimization flags
independently of the warning flags.
Remove -Wconversion from the standard set of warning flags since it
warns excessively on perfectly good code, and is designed to aid in
conversion of code from K&R to ANSI C rather than to maintain code
quality.
Sam Hartman [Tue, 2 Dec 2008 20:10:20 +0000 (20:10 +0000)]
Crypto IOV API per Projects/AEAD encryption API
Merge in the mskrb-crypto-iov branch at r21259 in order to move an
implementation of
http://k5wiki.kerberos.org/wiki/Projects/AEAD_encryption_API onto the
trunk. This branch contains a subset of the commits on the
mskrb-integ branch that implement the krb5 library part of the crypto
IOV API.
Ezra Peisach [Mon, 1 Dec 2008 12:16:33 +0000 (12:16 +0000)]
Move cc_mutex code from k5-int.h - where it is globally available to cc-int.h
where it is declared and used. The functions are not exported by the library -
nor are they used outside lib/krb5/ccache... For cc_file.h - include cc-int.h.
Ken Raeburn [Mon, 1 Dec 2008 06:48:54 +0000 (06:48 +0000)]
Shawn's fix for some iprop bugs, with some tweaks
Adds an alarm while waiting for kprop connection or authentication in
iprop mode; on timeout, close down the active file descriptor to force
us to bail out and return to the iprop main loop (which may try a full
resync again next time around).
Ken Raeburn [Mon, 24 Nov 2008 21:06:20 +0000 (21:06 +0000)]
Simplify memory management a bit in places, by allocating and freeing
separately, instead of reallocating arrays of pointers to themselves
be reallocated. Do a better job of initializing arrays of which we
only use a variable-sized part.
Use a temp var instead of lots of long macro invocations.
Fix some overrun-by-one errors in buffer copying.
Clean up some possible leaks.
Ken Raeburn [Mon, 17 Nov 2008 21:34:48 +0000 (21:34 +0000)]
Set krb4 and priocntl flags via site.exp instead of command line
Update set of files to clean out at test suite startup, or when
deleting the database.
Improve support for setting up slave test environment. Don't set
KRB5_KDC_PROFILE except in KDC master and slave environments. Create
distinct env.sh and env.csh files for different configurations. Move
kpropd setup proc into common initialization.
Add incremental propagation test: Create new kiprop/$host principal,
update kproplog test for the new data. "Propagate" the master
database to the slave, add a new principal, start up kpropd, watch for
the "OK" message, and check to see if the new principal exists on the
slave.
Zhanna Tsitkov [Mon, 17 Nov 2008 21:04:06 +0000 (21:04 +0000)]
Lite Client - the following calls are server-side functions:
decode_krb5_authenticator,
krb5_auth_con_getauthenticator,
krb5_copy_authenticator,
krb5_ser_authenticator_init
Take them out for the Lite CLient.
Ken Raeburn [Mon, 10 Nov 2008 22:43:21 +0000 (22:43 +0000)]
Generate separate master-KDC and slave-KDC config files, with
different names for the database files. (Slave config files unused as
yet.) Ensure that the master-KDC environment is used when running
kadmin.local or kdb5_util. Define and use a new proc for deleting all
KDC database and keytab files.
Set KPASSWD in default.exp.
Run kadmin, pwchange, pwhist, gssftp, telnet, v4gssftp tests only once each.
Ken Raeburn [Mon, 10 Nov 2008 18:27:42 +0000 (18:27 +0000)]
Delete the pass (one of twelve) that does all KDC exchanges with TCP;
add a test case that sets that up and runs kinit.
Add a new support proc that allows running a test only once despite
multiple passes; use it for the tcp and iprop tests.
According to one totally unscientific measurement, this reduces the
tests/dejagnu tests run from ~4200 to ~3800, and cuts over 8% off the
run time of those tests, without IMNSHO reducing the effectiveness of
the testing.
Ken Raeburn [Wed, 5 Nov 2008 17:47:00 +0000 (17:47 +0000)]
Only look for IPv4 addresses for the kpasswd server. This is just a
workaround for other parts of the code failing to cope with IPv6
addresses, and won't work in an IPv6-only environment; the problem
should still be fixed for real.
Greg Hudson [Wed, 5 Nov 2008 17:08:47 +0000 (17:08 +0000)]
Rename krb5int_buf_cstr to krb5int_buf_data, since k5bufs can be used
for binary data as well as C string data. The buffer will always have
a null byte at krb5int_buf_len bytes regardless of whether it contains
C string data.
Greg Hudson [Wed, 5 Nov 2008 16:09:22 +0000 (16:09 +0000)]
Replace strcpy/strcat/sprintf uses in a couple of sample code files
with strncpy/strncat. Since this is sample code, we can't rely on
build system support for asprintf/strlcpy/strlcat.
Ken Raeburn [Mon, 3 Nov 2008 18:41:33 +0000 (18:41 +0000)]
If we're not making asn1buf_insert_octet an inline function, then make
asn1buf_size, asn1buf_ensure_space, and asn1buf_expand static in
asn1buf.c, for better optimization.
Recode asn1buf_ensure_space to directly return the result of asn1buf_expand.
Don't check for NULL before malloc/realloc in asn1buf_expand.
Removed unnecessary code that was resetting options whenever the
array changes in the background. The problem is that any external
change to the ticket list will cause this to happen, even when the
options dialog is open.
Direct callers such as kinit need command line prompts.
Do not automatically prompt (via krb5 or gssapi calls)
unless the caller has loaded GUI libraries.
Note that if preauth is turned on the password may be removed for
other reasons. This is because preauth failing can mean several
things. Better to always remove it than have the user sometimes
get stuck though.
Justin Anderson [Wed, 29 Oct 2008 19:36:06 +0000 (19:36 +0000)]
KerberosAgent hangs changing pw for passwordless identities
Trying to change the password for an identity which only uses non-password authentication methods left KerberosAgent with a spinning progress indicator. Problem was with auth sheet not being ended.
Greg Hudson [Tue, 28 Oct 2008 20:28:52 +0000 (20:28 +0000)]
The last change to plugins.c erroneously passes a size_t as a field
width to asprintf. Address the signed/unsigned warning cleanup using
a cast instead.
Greg Hudson [Tue, 28 Oct 2008 20:21:50 +0000 (20:21 +0000)]
Eliminate use of strcpy/strcat/sprintf in wconfig.c. Use memcpy since
we cannot rely on libkrb5support to give us the good stuff. Also fix
up (to some extent) an assumption that size_t == int.
errors.c should localize the incoming format string, not
the string produced by vasprintf. The format string is
constant and thus can be added to a localization table,
whereas the output string is not.
Note that this change depends on error_message also
localizing error table strings (which it does for KfM
already).
Ken Raeburn [Sat, 25 Oct 2008 07:03:11 +0000 (07:03 +0000)]
partial rewrite of the ASN.1 encoders
Instead of a pile of macros generating code, that have to be threaded
together in just the right way to get a valid ASN.1 encoding, we now
have a pile of macros for defining data structures describing the
objects and the ASN.1 types they should be encoded as, which
structures are interpreted by recursive invocations of an encoder
engine; there should be somewhat less rope for accidentally creating
invalid encodings. The new macros are commented in asn1_k_encode.c.
Putting most of the work into the encoder engine also reduces the code
size (in one configuration, including LDAP-KDB and PKINIT encoders,
code size went from 37K to <16K, though 10K of tables were added, and
the PKINIT encoders are still open-coded).
Some encoder interfaces have been revised to be more regular -- all
now take one pointer to const argument (no two-input encoders, no
pointer-to-non-const-pointer-to-const). A few encoders were
eliminated or disabled because they were neither used nor exported
from the library.
The LDAP-KDB encoder has been converted, but the PKINIT encoders have
not as there are no regression tests for them currently.
There is still plenty of room for improvement; some notes on specific
ideas have been added.
String encoding primitives have been combined to reduce code size. A
primitive for encoding bit strings has been added.
Some miscellaneous warnings in the decoders have been cleaned up.
A new dejagnu test case is added that ensures that KRB-SAFE messages
get exercised.
Ken Raeburn [Sat, 25 Oct 2008 05:58:13 +0000 (05:58 +0000)]
More regression tests for ASN.1 encoders
Export encode_krb5_sam_response_2 and encode_krb5_enc_sam_response_enc_2
via accessor. Add encode tests for encode_krb5_sam_key,
_enc_sam_response_enc, _predicted_sam_response, _sam_response_2,
_enc_sam_response_enc_2.
krb5_build_principal_ext walks off beginning of array
On error, krb5_build_principal_ext walks off the beginning of the
array by using i-- in a conditional when it should be using --i
(so that it actually compares the value of i that will be used
below).
krb5_build_principal_va does not allocate krb5_principal
krb5_build_principal_va does not allocate the outer krb5_principal,
making it useless for generating krb5_principals which can be freed
with krb5_free_principal. Added krb5_build_principal_alloc_va which
allocates the krb5_principal.
Added krb5int_build_principal_alloc_va which is used by KIM to avoid
code duplication. KIM's kim_identity_create_from_components takes
the first component as an argument because principals with no
components cannot be represented with the KIM UI. Modified KIM
to use this new API.
Tom Yu [Wed, 22 Oct 2008 21:17:07 +0000 (21:17 +0000)]
Fix previous commit by adding "extern" to header declarations for
SPNEGO mechanism OID stuff. It was causing tentative definition
issues on the Mac. (where there are constraints about common-block
symbols)
projects / thirdparty / krb5.git / log
