Age | Commit message | Author | Files | Lines |
|
Fix three Windows-specific argument type errors, including a crash bug
in the default replay cache type. Change the compiler flags to treat
several argument type warnings as errors.
The replay cache bug was reported by Thomas Wagner.
(cherry picked from commit 65b21aee6ab5e7d0851302b98647261c15c71c96)
ticket: 9005
version_fixed: 1.19.2
|
|
Field testing of dns_canonicalize_hostname=fallback (ticket 8911)
revealed more disruptive edge cases than anticipated. Many were fixed
by ticket 8930, but host-based GSS initiator names were recently
discovered to not work, and one other edge case could not be resolved
without a change to external code.
Restore the default to true for now. Set the value to fallback in the
test suite, to continue testing the desired configuration and to avoid
restoring tests/resolve.
(cherry picked from commit 15f8c4fd7d62d07ea2759a7b6d684c000430559e)
ticket: 8973
version_fixed: 1.19
|
|
[ghudson@mit.edu: whitespace changes; reverted man page change]
ticket: 8957 (new)
|
|
Address all warnings issued by "python -Werror::DeprecationWarning"
in the test suite and doc build, as of Python 3.8.2.
|
|
Use "primary_kdc" and "iprop_ulogsize" as the preferred names of the
two relations. Fall back to the old keys if the new ones are not set.
ticket: 8921
|
|
This change should mitigate some of the pain caused by the rdns=true
default (generally associated with unwanted PTR records that cannot
easily be changed), with a minimum of fallout.
Update the documentation and tests accordingly. In test environments,
disable qualify_shortname and use the uncanonicalized system hostname
(lowercased) to match the initial sn2princ result.
ticket: 8911 (new)
|
|
Correct comment spelling errors detected using codespell.
Reported by Jens Schleusener.
|
|
|
|
If the linker erroneously runs the libkrb5 finalizer after the
libcom_err finalizer, the consequent remove_error_table() calls could
crash due to accessing a destroyed mutex or an invalid et_list
pointer. Add an unsynchronized check on finalized in
remove_error_table(), and set et_list to null in com_err_terminate()
after destroying the list.
[ghudson@mit.edu: minimized code changes; rewrote comment and commit
message]
ticket: 8890 (new)
|
|
Delete the old C/yacc/lex sources for mk_cmds.
|
|
Commit cbdbc8d00d31344fafe00e0fdf984e04e631f7c4 checked for
__GLIBC__PREREQ instead of __GLIBC_PREREQ, thus accidentally reverting
the workaround introduced in commit
bf5953c549a6d279977df69ffe89b2ba51460eaf. Fix the typo.
ticket: 8880
|
|
Commit bf5953c549a6d279977df69ffe89b2ba51460eaf caused a build failure
on non-glibc Linux build environments. Change the conditionalization
so that __GLIBC_PREREQ will only be used if it is defined.
[ghudson@mit.edu: simplified conditionals; rewrote commit message]
ticket: 8880 (new)
tags: pullup
target_version: 1.18-next
|
|
For consistency with Heimdal and simplicity of server configuration,
do not check the transited field in krb5_rd_req() if the
transited-policy-checked flag is set in the ticket.
Add a cross-realm test using the gcred and rdreq harnesses to test
server transited processing. Also fix the KDC capaths case so that
the client actually doesn't know the path to the server realm. In
k5test.py, adjust _cfg_merge() to remove keys mapped to None in the
second dictionary (instead of mapping them to None in the result), so
that deleting whole sections works. Remove the corresponding check
for None in _write_cfg_section() as it is no longer needed.
ticket: 8870 (new)
tags: pullup
target_version: 1.18
|
|
permitted_enctypes was initially intended only to restrict the
processing of AP requests (and was later applied to KDB key data
searches so that the KDC wouldn't issue a ticket it would refuse to
accept). Because the documentation was never clear about its scope,
many configurations assume that permitted_enctypes also applies to
clients.
In light of the existing configurations, take the simple way out and
use permitted_enctypes as the default for default_tkt_enctypes and
default_tgs_enctypes. Update the documentation, add a test to
explicitly check the new behavior, and remove now-unnecessary
configuration from the test suite.
[ghudson@mit.edu: unrolled helper function; edited documentation and
commit message; simplified test case]
ticket: 8869 (new)
tags: pullup
target_version: 1.18
|
|
If return_trace=True is specified when running a command in a Python
test, collect the trace output and return it in a tuple with the
regular output.
|
|
After commit 95830231758de259abbbccedbac01613f578768a, the
documentation cannot be built with Python 2. Run make with
"PYTHON=python3" to ensure that we use Python 3.
|
|
When DNS forward canonicalization is turned off or fails, qualify
single-component hostnames with the first DNS search domain. Add the
qualify_shortname relation to override this suffix.
For one of the tests we need to disable qualification, which is
accomplished with an empty value. Adjust k5test.py to correctly emit
empty values when writing profiles.
ticket: 8855 (new)
|
|
|
|
When building against glibc 2.24 or earlier, suppress calls to
dlclose() to prevent the assertion failure "_dl_close: Assertion
`map->l_init_called' failed" at process exit. We need this workaround
to enable automated tests that load GSSAPI modules.
ticket: 7135
|
|
If the environment variable GSS_MECH_CONFIG is set (and the process is
not privileged), read it instead of /etc/gss/mech or files within
/etc/gss/mech.d.
Set GSS_MECH_CONFIG in test frameworks so that system configuration
does not interfere with tests.
Fix documentation to indicate that the default mech config file is in
sysconfdir, not necessarily /etc.
ticket: 8833 (new)
|
|
If a daemon exits early and we detect it with check_daemon(), avoid
trying to terminate it again as the process entry will have been
reaped. Check all daemons on successful exit and exit with an error
if any daemons exited early.
Also remove a piece of Python 2.5 compatibility code which is no
longer relevant with Python 3.
|
|
In parse_quoted_string(), only process an escape sequence if there is
a second character after the backslash, to avoid reading past the
terminating zero byte. Reported by Lutz Justen.
ticket: 8825 (new)
tags: pullup
target_version: 1.17-next
target_version: 1.16-next
|
|
In k5test.py, if a daemon process exits before we terminate it,
display the exit status. If a daemon process generates output beyond
the sentinel, display the output before terminating the process.
|
|
Remove the Mac parts of the ccapi code, as ccapi is now only used in
the Windows build. Remove util/mac.
[ghudson@mit.edu: rewrote commit message]
|
|
Commit e23d24beacb73581bbf4351250f3955e6fd44361 missed some Python
scripts, in part because of the "PYTHON = python" line in
src/Makefile.in from commit 7be2ef2b6c8c491781251a5023db48d7690f5fa8.
Remove that line and convert the remaining scripts. Also fix the
check-pytests-no warning to mention Python 3 instead of Python 2.5.
|
|
|
|
|
|
Commit e23d24beacb73581bbf4351250f3955e6fd44361 did not convert
t_otp.py or paste-kdcproxy.py. Convert t_otp.py to Python3. Rewrite
paste-kdcproxy.py using wsgiref from the standard Python library to
avoid the Paste dependency.
ticket: 8818 (new)
tags: pullup
target_version: 1.17-next
|
|
Coverity models strerror() as a function which cannot accept negative
values, even though it has defined behavior on all integers.
k5_get_error() contains code to call strerror_r() and strerror() if
its fptr global is unset, which isn't an expected case in practice.
To silence a large number of Coverity false positives, just return a
fixed string if fptr is null.
|
|
Move http links to https where appropriate. Update links which have
moved. Remove a couple of links which no longer work and have no
obvious replacement. Remove a link from a comment in the German
translation which does not appear to be related to the message.
[ghudson@mit.edu: adjusted changes; rewrote commit message]
|
|
|
|
Remove the CRC exercise code, since CRC is DES-only.
ticket: 8808
|
|
In preparation for removing single-DES support, remove the v4 and afs3
salt types. The afs3 salt type could only be used with single-DES
keys, and the v4 salt type was only useful for single-DES keys from
krb4 databases.
[ghudson@mit.edu: wrote commit message]
ticket: 8808
|
|
ticket: 8800
|
|
On systems with secure_getenv() (glibc 2.17+) use it directly. For
the fallback implementation, check the current process uids and gids
in a library initializer, looking at the saved uid and gid where
possible. Include a comment about more aggressive approaches to
detecting elevated privilege.
ticket: 8800 (new)
|
|
This utility has not been maintained with encryption types and salt
changes, which suggests it is unused.
|
|
autotools plans to drop support for the name configure.in.
(automake's NEWS file expresses plans to drop support for it in
autoconf 2.0; autoconf added a warning in commit
560f16b52d3d3db1536d9ca5b863ce9b1a5c9e35, indicating in the commit
message that support will be dropped in a future version.)
ticket: 8788 (new)
|
|
In the LDAP KDB module, fix an empty initializer. In the SPAKE
edwards25519 code, use autoconf tests to determine whether to use the
64-bit code. In the SPAKE update_thash() function, make sure the
types of the conditional expression results match exactly. In
libkrb5support, link against zap.o now that k5buf.o can use zap() (as
of commit 8ee8246c14702dc03b02e31b9fb5b7c2bb674bfb).
[ghudson@mit.edu: squashed commits; rewrote commit message; adjusted
autoconf tests; minor code changes]
ticket: 8769 (new)
tags: pullup
target_version: 1.17
|
|
Regenerate dependency files and mit-krb5.pot. Regenerate man pages
and NOTICE with python-sphinx 1.6.7. Regenerate deltat.c with bison
3.0.4. Update config.guess and config.sub from upstream (commit
2fa97a8a0ed37bec720bd118d65e674cebf50404).
|
|
readline() is careful not to read more bytes from fd 0 than it has to.
Do the same in the dummy libss readline() by disabling stdin
buffering.
ticket: 8745
|
|
ticket: 8738 (new)
|
|
Reported by Bean Zhang.
|
|
|
|
Fix additional memory leaks detected by a newer asan (clang version
6.0.0) in test programs.
|
|
With Python 3, sys.stdout.write() of a partial line followed by
sys.stdin.readline() does not display the partial line. Add explicit
flushes to make prompts visible in k5test.py.
ticket: 8710
|
|
It's been policy for a while now not to create "dead hunks" like
these. A great deal of this code simply doesn't work because it
hasn't been kept up-to-date, and may never have worked. Eliminate
these dead hunks along with the complexity to support them.
|
|
Look for python3 in configure.in and verify that we got it. Convert
test code to conform to Python 3.
ticket: 8710 (new)
|
|
The executable "python" has traditionally been Python 2, but is
becoming more ambiguous as operating systems transition towards Python
3. Look for "python2" in the path in preference to "python", and
check that what we found isn't Python 3.
Remove the "#!/usr/bin/python" headers at the start of Python test
scripts since we run them explicitly under python, not as executables.
Execute paste-kdcproxy.py via sys.executable in t_proxy.py so that it
doesn't need a #!/usr/bin/python header.
ticket: 8709 (new)
|
|
'register' is a reserved and unused keyword in C++17 so having it
present in the public headers presents a compatibility issue. Also
in C the 'register' keyword is mostly obsolete, so remove all uses of
it.
[ghudson@mit.edu: adjusted style of some of the affected lines]
|
|
ticket: 8687
|