path: root/lib/krb5_wrap
Commit message | Author | Age | Files | Lines
* lib:krb5_wrap: Fix debug statements when princ_s is NULL | Andreas Schneider | 2023-04-27 | 1 | -4/+9
    In file included from source4/include/includes.h:61,
                     from lib/krb5_wrap/krb5_samba.c:23:
    lib/krb5_wrap/krb5_samba.c: In function ‘smb_krb5_kt_seek_and_delete_old_entries’:
    lib/util/debug.h:200:12: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
      200 |    && (dbgtext body) )
          |    ~^~~~~~~~~~~~~
    lib/krb5_wrap/krb5_samba.c:1753:25: note: in expansion of macro ‘DEBUG’
     1753 |    DEBUG(5, (__location__ ": Saving previous (kvno %d) "
          |    ^~~~~
    lib/util/debug.h:200:12: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
      200 |    && (dbgtext body) )
          |    ~^~~~~~~~~~~~~
    lib/krb5_wrap/krb5_samba.c:1763:25: note: in expansion of macro ‘DEBUG’
     1763 |    DEBUG(5, (__location__ ": Saving entry with kvno [%d] "
          |    ^~~~~
    lib/util/debug.h:200:12: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
      200 |    && (dbgtext body) )
          |    ~^~~~~~~~~~~~~
    lib/krb5_wrap/krb5_samba.c:1769:17: note: in expansion of macro ‘DEBUG’
     1769 |    DEBUG(5, (__location__ ": Found old entry for principal: %s "
          |    ^~~~~
    lib/util/debug.h:200:12: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
      200 |    && (dbgtext body) )
          |    ~^~~~~~~~~~~~~
    lib/krb5_wrap/krb5_samba.c:1787:17: note: in expansion of macro ‘DEBUG’
     1787 |    DEBUG(5, (__location__ ": removed old entry for principal: "
          |    ^~~~~
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib:krb5_wrap: Fix code spelling | Andreas Schneider | 2023-04-03 | 2 | -18/+18
    Best reviewed with: `git show --word-diff`.
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Mon Apr 3 04:53:05 UTC 2023 on atb-devel-224
* CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types | Stefan Metzmacher | 2022-12-13 | 1 | -2/+0
    We no longer have support for des encryption types in the kerberos libraries anyway.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES* | Stefan Metzmacher | 2022-12-13 | 1 | -4/+0
    aes encryption types are always supported.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* krb5: Detect support for krb5_const_pac type | Joseph Sutton | 2022-11-08 | 2 | -1/+30
    We can't unconditionally assume (as we did in third_party/heimdal_build/wscript_configure) that Heimdal has this type, since we may have an older system Heimdal that lacks it. We must also check whether krb5_pac_get_buffer() is usable with krb5_const_pac, and declare krb5_const_pac as a non-const typedef if not.
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib/krb5_wrap: add explicit keep_old_kvno/enctype_only args to smb_krb5_kt_seek_and_delete_old_entries() | Stefan Metzmacher | 2022-10-27 | 2 | -3/+23
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* lib/krb5_wrap: document the enctype argument of smb_krb5_kt_seek_and_delete_old_entries() | Stefan Metzmacher | 2022-10-27 | 1 | -0/+2
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* lib/krb5_wrap: remove unused keep_old_entries argument from smb_krb5_kt_seek_and_delete_old_entries() | Stefan Metzmacher | 2022-10-27 | 2 | -15/+3
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* lib/krb5_wrap: remove unused keep_old_entries argument from smb_krb5_kt_add_entry() | Stefan Metzmacher | 2022-10-27 | 2 | -8/+4
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* krb5: Add compatability for krb5_const_pac type | Joseph Sutton | 2022-10-21 | 1 | -0/+4
    This allows this type to be used in Samba in the future for both Kerberos implementations
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* lib:krb5_wrap: Add helper functions to make krb5_data structure | Joseph Sutton | 2022-10-05 | 2 | -0/+35
    These will be used in following commits.
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib:krb5_wrap: Use case-sensitive comparison against 'krbtgt' | Joseph Sutton | 2022-10-05 | 1 | -1/+1
    This matches the other comparisons against krbtgt, kadmin, etc., which are all case-sensitive.
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib:krb5: Change memset() to BURN_PTR_SIZE() | Pavel Filipenský | 2022-08-26 | 1 | -1/+1
    Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error() | Joseph Sutton | 2022-07-27 | 1 | -1/+1
    The error code passed in will be an offset from ERROR_TABLE_BASE_krb5, so we need to subtract that before creating the error. Heimdal does this internally, so it isn't needed there.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* lib:krb5_wrap: Add debug to ads_krb5_cli_get_ticket() | Samuel Cabrero | 2022-07-12 | 1 | -0/+4
    Signed-off-by: Samuel Cabrero <scabrero@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:winbind: Improve debug message to print service in smb_krb5_renew_ticket() | Samuel Cabrero | 2022-07-12 | 1 | -1/+2
    Signed-off-by: Samuel Cabrero <scabrero@suse.de>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* lib:krb5_wrap: Add const to parameters for smb_krb5_create_key_from_string() | Joseph Sutton | 2022-06-14 | 2 | -4/+4
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* lib:krb5_wrap: Implement smb_krb5_principal_is_tgs() | Andreas Schneider | 2022-03-17 | 2 | -0/+31
    This will be used later and allows to remove static implementations.
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* krb5-mit: Enable S4U client support for MIT build | Isaac Boukris | 2022-03-04 | 2 | -2/+192
    Pair-Programmed-With: Andreas Schneider <asn@samba.org>
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Signed-off-by: Isaac Boukris <iboukris@gmail.com>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* lib:krb5_wrap: Fix wrong debug message and use newer debug macro | Samuel Cabrero | 2022-02-23 | 1 | -1/+4
    Signed-off-by: Samuel Cabrero <scabrero@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* lib:krb5_wrap: Improve debug message and use newer debug macro | Samuel Cabrero | 2022-02-23 | 1 | -1/+1
    Signed-off-by: Samuel Cabrero <scabrero@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* lib:krb_wrap: Add missing error check in smb_krb5_salt_principal_str() | Andreas Schneider | 2021-12-15 | 1 | -0/+5
    Found by covscan.
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* lib/krb5_wrap: Fix missing error check in new salt code | Andrew Bartlett | 2021-10-23 | 1 | -3/+3
    CID 1492905: Control flow issues (DEADCODE)
    This was a regression in 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184
* dsdb: Allow special chars like "@" in samAccountName when generating the salt | Andrew Bartlett | 2021-10-20 | 2 | -36/+169
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184
* krb5_wrap: remove unused code | Pavel Filipenský | 2021-07-27 | 2 | -207/+0
    Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Volker Lendecke <vl@samba.org>
    Autobuild-User(master): Volker Lendecke <vl@samba.org>
    Autobuild-Date(master): Tue Jul 27 10:09:03 UTC 2021 on sn-devel-184
* lib:krb5_wrap: Check the format string of krb5_warnx() | Andreas Schneider | 2021-02-01 | 1 | -1/+2
    error: format string is not a string literal [-Werror,-Wformat-nonliteral]
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* Restrict GSSAPI query to the krb5 mechanism | Simo Sorce | 2020-09-30 | 1 | -2/+10
    Otherwise GSSAPI will consult other mechanisms if available and we can only cope with krb5 credentials here.
    Signed-off-by: Simo Sorce <idra@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Wed Sep 30 20:45:23 UTC 2020 on sn-devel-184
* krb5_wrap: map KRB5_REALM_UNKNOWN to NT_STATUS_NO_SUCH_DOMAIN | Stefan Metzmacher | 2020-02-10 | 1 | -0/+1
    This is much better than mapping it to NT_STATUS_UNSUCCESSFUL.
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Mon Feb 10 17:59:34 UTC 2020 on sn-devel-184
* krb5_wrap: map KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN to NT_STATUS_INVALID_COMPUTER_NAME | Stefan Metzmacher | 2020-02-10 | 1 | -1/+1
    KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN is already mapped to NT_STATUS_INVALID_ACCOUNT_NAME and we need a way to distinguish between client and server principal at the NTSTATUS layer too.
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* krb5_wrap: move source3/libads/krb5_errs.c to lib/krb5_wrap/krb5_errs.c | Stefan Metzmacher | 2020-02-10 | 3 | -2/+131
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* lib/krb5_wrap: prefer new enctyptes in ms_suptypes_to_ietf_enctypes() | Stefan Metzmacher | 2020-02-10 | 1 | -3/+7
    This is currently not critical as we only use keytabs only as acceptor, but in future we'll also use them for kinit() and there we should prefer the newest type.
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* krb5-wrap: deal with different krb5_trace_info struct flavors (earlier MIT krb5 releases) | Günther Deschner | 2020-01-24 | 1 | -0/+6
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14252
    Guenther
    Signed-off-by: Guenther Deschner <gd@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
    Autobuild-Date(master): Fri Jan 24 20:38:53 UTC 2020 on sn-devel-184
* lib/krb5_wrap: Remove unused smb_krb5_get_allowed_weak_crypto() | Andrew Bartlett | 2019-12-11 | 2 | -52/+0
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Isaac Boukris <iboukris@samba.org>
    Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
    Autobuild-Date(master): Wed Dec 11 22:18:47 UTC 2019 on sn-devel-184
* krb5: move disabling dns-canon to lower level init calls | Isaac Boukris | 2019-11-27 | 1 | -0/+6
    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Isaac Boukris <iboukris@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Wed Nov 27 12:24:16 UTC 2019 on sn-devel-184
* lib:krb5_wrap: Do not create a temporary file for MEMORY keytabs | Andreas Schneider | 2019-10-12 | 1 | -11/+8
    The autobuild cleanup script fails with:
        The tree has 3 new uncommitted files!!!
        git clean -n
        Would remove MEMORY:tmp_smb_creds_SK98Lv
        Would remove MEMORY:tmp_smb_creds_kornU6
        Would remove MEMORY:tmp_smb_creds_ljR828
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* krb5_wrap: let smb_krb5_parse_name() accept enterprise principals | Stefan Metzmacher | 2019-09-24 | 1 | -0/+5
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Guenther Deschner <gd@samba.org>
* krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal | Stefan Metzmacher | 2019-09-24 | 1 | -2/+0
    We should always use krb5_get_init_creds_opt_set_canonicalize() and krb5_get_init_creds_opt_set_win2k() for heimdal and expect the client principal to be changed. There's no reason to have a different logic between MIT and Heimdal.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Guenther Deschner <gd@samba.org>
* lib/krb5_wrap: Fix leaking using mkstemp | Noel Power | 2019-07-03 | 1 | -2/+5
    commit: 8b92539997a9df8e0d217790fd82fc8f59ea50cc introduced a leak by replacing mktemp with mkstemp (mkstemp returns an open fd)
    Signed-off-by: Noel Power <noel.power@suse.com>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* lib/krb5_wrap: clang: Fix warning: Null pointer passed as an argument | Noel Power | 2019-07-01 | 1 | -1/+1
    Fixes:
    lib/krb5_wrap/krb5_samba.c:3241:3: warning: Null pointer passed as an argument to a 'nonnull' parameter <--[clang]
        memcpy(gss_cksum + 28, in_data->data, orig_length);
        ^
    Signed-off-by: Noel Power <noel.power@suse.com>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* lib/krb5_wrap: clang: Fix warning: Call to function 'mktemp' is insecure | Noel Power | 2019-07-01 | 1 | -1/+1
    Fixes:
    lib/krb5_wrap/krb5_samba.c:2012:2: warning: Call to function 'mktemp' is insecure as it always creates or uses insecure temporary file. Use 'mkstemp' instead <--[clang]
        mktemp(tmp_name);
        ^~~~~~
    Signed-off-by: Noel Power <noel.power@suse.com>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* krb5_wrap: Only use the required md4 header | Andreas Schneider | 2019-02-27 | 1 | -1/+1
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Volker Lendecke <vl@samba.org>
* Fix typo and remove the sun and the clouds | Swen Schillig | 2019-01-10 | 1 | -1/+1
    Signed-off-by: Swen Schillig <swen@linux.ibm.com>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: Volker Lendecke <Volker.Lendecke@SerNet.DE>
    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Thu Jan 10 06:14:27 CET 2019 on sn-devel-144
* Fix typos and ban the rams from samba [tdb-1.3.17] | Swen Schillig | 2019-01-10 | 1 | -1/+1
    Signed-off-by: Swen Schillig <swen@linux.ibm.com>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: Volker Lendecke <Volker.Lendecke@SerNet.DE>
* lib: Add kerberos tracing | Swen Schillig | 2018-12-19 | 1 | -8/+10
    Add krb5 tracing to samba krb5 wrapper.
    Signed-off-by: Swen Schillig <swen@linux.ibm.com>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Christof Schmitt <cs@samba.org>
* Add MIT kerberos tracing capability | Swen Schillig | 2018-12-19 | 2 | -0/+41
    HEIMDAL kerberos offers already tracing via a logging facility through smb_krb5_init_context(). MIT kerberos offers to register a callback via krb5_set_trace_callback with which tracing information can be routed to a common logging facility. This is now integrated into smb_krb5_init_context_basic() offering the same functionality for both kerberos fragrances.
    Signed-off-by: Swen Schillig <swen@linux.ibm.com>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Christof Schmitt <cs@samba.org>
* krb5_wrap: Fix bit shifting | Andreas Schneider | 2018-12-19 | 1 | -1/+1
    lib/krb5_wrap/enctype_convert.c:93:27: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Gary Lockyer <gary@samba.org>
    Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
    Autobuild-Date(master): Wed Dec 19 12:40:40 CET 2018 on sn-devel-144
* krb5_samba: Fix checking for config.h #define in krb5_samba.h | Andreas Schneider | 2018-12-16 | 1 | -1/+1
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* krb5_wrap: Use #ifdef instead of #if for config.h definitions | Andreas Schneider | 2018-11-28 | 1 | -1/+1
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* krb5_wrap: Fix a typo | Volker Lendecke | 2018-11-28 | 1 | -1/+1
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Wed Nov 28 21:15:31 CET 2018 on sn-devel-144
* krb5_wrap: Add a talloc_ctx to smb_krb5_principal_get_realm() | Volker Lendecke | 2018-11-28 | 2 | -10/+12
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>