summaryrefslogtreecommitdiffstats
path: root/src/include/krb5
Commit message (Collapse)AuthorAgeFilesLines
...
* Reimplement krb5_get_in_tkt_with_skey in terms of krb5_get_init_creds,Greg Hudson2010-05-121-11/+0
| | | | | | | | | | | | | | similar to how the password and keytab equivalents were done. Eliminate krb5_get_in_tkt. It's been very hard to use since we made krb5_kdc_rep_decrypt_proc private (in krb5 1.7 the prototype was taken out of krb5.h altogether), and it's unlikely that anything would have used it directly in the first place. Remove and/or simplify a lot of code depended on by krb_get_in_tkt, including all of preauth.c. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24012 dc483132-0cff-0310-8789-dd5450dbe970
* Add IAKERB mechanism and gss_acquire_cred_with_passwordGreg Hudson2010-04-301-0/+1
| | | | | | | | | | | | | | Merge branches/iakerb to trunk. Includes the following: * New IAKERB mechanism. * New gss_acquire_cred_with_password mechglue function. * ASN.1 encoders and decoders for IAKERB structures (with tests). * New shortcuts in gss-sample client and server. * Tests to exercise SPNEGO and IAKERB using gss-sample application. ticket: 6712 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23960 dc483132-0cff-0310-8789-dd5450dbe970
* Add KRB5_INIT_CREDS_STEP_FLAG_CONTINUE for parity with Heimdal.Greg Hudson2010-04-201-4/+6
| | | | | | | | Rename KRB5_TKT_CREDS_CONTINUE to KRB5_TKT_CREDS_STEP_FLAG_CONTINUE for consistency. Adjust init_creds context to be less confusing in light of the above. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23906 dc483132-0cff-0310-8789-dd5450dbe970
* Introduce new krb5_tkt_creds APIGreg Hudson2010-04-141-0/+96
| | | | | | | | | | | | Merged from branches/iakerb: add new asynchronous krb5_tkt_creds APIs, which allow a caller to take responsibility for transporting requests to the KDC and getting responses back. Rewrite the existing krb5_get_credentials API in terms of the new functions. Get rid of krb5_get_cred_from_kdc and friends, since they are no longer used. ticket: 6700 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23900 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_cc_dup() to make it possible to copy ccache handlesGreg Hudson2010-04-081-0/+7
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23874 dc483132-0cff-0310-8789-dd5450dbe970
* krb5_typed_data not castable to krb5_pa_data on 64-bit MacOSXTom Yu2010-03-231-0/+13
| | | | | | | | | | | | | Move krb5_typed_data to krb5.hin from k5-int-pkinit.h because krb5int_fast_process_error was assuming that it was safe to cast it to krb5_pa_data. It's not safe to do the cast on 64-bit MacOSX because krb5.hin uses #pragma pack on that platform. ticket: 6689 target_version: 1.8.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23829 dc483132-0cff-0310-8789-dd5450dbe970
* Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512Greg Hudson2010-03-201-1/+1
| | | | | | | | | | | | | | | | | | | | KRB5_AUTHDATA_SIGNTICKET, originally a Heimdal authorization data type, was used to implement PAC-less constrained delegation in krb5 1.8. Unfortunately, it was found that Microsoft was using 142 for other purposes, which could result in a ticket issued by an MIT or Heimdal KDC being rejected by a Windows Server 2008 R2 application server. Because KRB5_AUTHDATA_SIGNTICKET is only used to communicate among a realm's KDCs, it is relatively easy to change the number, so MIT and Heimdal are both migrating to a new number. This change will cause a transitional interoperability issue when a realm mixes MIT krb5 1.8 (or Heimdal 1.3.1) KDCs with MIT krb5 1.8.1 (or Heimdal 1.3.2) KDCs, but only for constrained delegation evidence tickets. ticket: 6687 target_version: 1.8.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23821 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_allow_weak_crypto APIGreg Hudson2010-01-191-0/+5
| | | | | | | | | | | | Add an API to allow apps to override the profile setting of allow_weak_crypto, so that aklog can work with krb5 1.8 out of the box until OpenAFS finishes migrating away from DES. ticket: 6645 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23663 dc483132-0cff-0310-8789-dd5450dbe970
* Bring back krb5_kt_free_entry which really does the same thing asSam Hartman2010-01-041-0/+5
| | | | | | | krb5_free_keytab_entry_contents per discussion on krbdev in order to avoid breaking samba builds. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23581 dc483132-0cff-0310-8789-dd5450dbe970
* No comma at end of enumerator listKen Raeburn2009-12-311-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23548 dc483132-0cff-0310-8789-dd5450dbe970
* Whitespace fixes for new anonymous supportGreg Hudson2009-12-281-10/+9
| | | | | | ticket: 6607 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23528 dc483132-0cff-0310-8789-dd5450dbe970
* Anonymous support for KerberosSam Hartman2009-12-281-5/+30
| | | | | | | | | | | | | | | | | | | | | | This ticket implements Project/Anonymous pkinit from k5wiki. Provides support for completely anonymous principals and untested client support for realm-exposed anonymous authentication. * Introduce kinit -n * Introduce kadmin -n * krb5_get_init_creds_opt_set_out_ccache aliases the supplied ccache * No longer generate ad-initial-verified-cas in pkinit * Fix pkinit interactions with non-TGT authentication Merge remote branch 'anonymous' into trunk Conflicts: src/lib/krb5/krb/gic_opt.c ticket: 6607 Tags: enhancement git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23527 dc483132-0cff-0310-8789-dd5450dbe970
* On Luke's advice, remove krb5_init_creds_store_creds. It is not aGreg Hudson2009-12-151-4/+0
| | | | | | | Heimdal API and its functionality is covered by krb5_get_init_creds_opt_set_out_ccache. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23469 dc483132-0cff-0310-8789-dd5450dbe970
* fast negotiation projecSam Hartman2009-12-141-8/+53
| | | | | | | | | | | | | | | | Merge branches/fast-negotiate into trunk. This implements http://k5wiki.kerberos.org/wiki/Projects/Fast_negotiation Additional changes: * krb5_c_make_checksum with checksum type 0 uses mandatory checksum for given key enctype Conflicts: src/lib/crypto/krb/make_checksum.c ticket: 6595 Tags: enhancement git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23465 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_key versions of the auth context key accessors, and use themGreg Hudson2009-11-271-0/+9
| | | | | | to simplify the gss-krb5 code a little bit. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23372 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_k_prf, the krb5_key version of krb5_c_prfGreg Hudson2009-11-271-0/+3
| | | | | | ticket: 6576 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23365 dc483132-0cff-0310-8789-dd5450dbe970
* libkrb5 support for non-blocking AS requestsGreg Hudson2009-11-261-0/+52
| | | | | | | | | | | Merge Luke's iakerb-libkrb5-as-only branch into trunk with several bug fixes. Adds support for the krb5_init_creds APIs (same as Heimdal's) which allow AS requests to be performed via a different transport than the blocking send_to_kdc. ticket: 6586 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23358 dc483132-0cff-0310-8789-dd5450dbe970
* Put krb5_auth_con_set_req_cksumtype back in the public API, since itGreg Hudson2009-11-191-0/+4
| | | | | | is needed by the BSD applications which will be unbundled in 1.8. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23292 dc483132-0cff-0310-8789-dd5450dbe970
* Reindent include directory, reformatting prototypes as necessary.Greg Hudson2009-11-144-1838/+1539
| | | | | | | Exclude include/gssrpc due to its Sun origin and k5-platform.h due to macros too hairy for emacs c-mode to handle. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23180 dc483132-0cff-0310-8789-dd5450dbe970
* Constrained delegation without PAC supportGreg Hudson2009-11-141-0/+3
| | | | | | | | | | | Merge Luke's users/lhoward/s4u2proxy branch to trunk. Implements a Heimdal-compatible mechanism for allowing constrained delegation without back-end support for PACs. Back-end support exists in LDAP only (via a new krbAllowedToDelegateTo attribute), not DB2. ticket: 6580 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23160 dc483132-0cff-0310-8789-dd5450dbe970
* make mark-cstyleTom Yu2009-10-313-46/+46
| | | | | | make reindent git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
* Heimdal DB bridge plugin for KDC back endGreg Hudson2009-10-271-0/+1
| | | | | | | | | Merge Luke's users/lhoward/heimmig branch to trunk. Implements a KDC back-end plugin which interfaces to a Heimdal HDB plugin. ticket: 6578 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23073 dc483132-0cff-0310-8789-dd5450dbe970
* Increment authdata SPI to V2 (V1 was experimental) to accountLuke Howard2009-10-211-3/+3
| | | | | | for additional krbtgt key parameter. This was at Sam's suggestion. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22958 dc483132-0cff-0310-8789-dd5450dbe970
* Implement new APIs to allow improved crypto performanceGreg Hudson2009-10-191-0/+69
| | | | | | | | | | | Merge branches/enc-perf to trunk. Adds the krb5_key opaque type, the krb5_k_* APIs to use them, and caching of derived keys when krb5_k_* functions are used. Updates the krb5 auth context and GSS id-rec to use krb5_keys. ticket: 6576 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22944 dc483132-0cff-0310-8789-dd5450dbe970
* Implement GSS naming extensions and authdata verificationGreg Hudson2009-10-092-6/+191
| | | | | | | | | Merge Luke's users/lhoward/authdata branch to trunk. Implements GSS naming extensions and verification of authorization data. ticket: 6572 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22875 dc483132-0cff-0310-8789-dd5450dbe970
* Implement s4u extensionsGreg Hudson2009-09-131-0/+9
| | | | | | | | | Merge Luke's users/lhoward/s4u branch to trunk. Implements S4U2Self and S4U2Proxy extensions. ticket: 6563 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22736 dc483132-0cff-0310-8789-dd5450dbe970
* Implement FAST from draft-ietf-krb-wg-preauth-frameworkSam Hartman2009-03-312-7/+55
| | | | | | | | | | | | Merge fast branch at 22146 onto trunk Implement the kerberos pre-authentication framework FAST feature per Projects/FAST on the wiki. ticket: 6436 Target_Version: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22149 dc483132-0cff-0310-8789-dd5450dbe970
* Implement KRB-FX_CF2Sam Hartman2009-03-161-0/+15
| | | | | | | | | | Draft-ietf-krb-wg-preauth-framework defines a function KRB-FX-CF2 that combines two keys of arbitrary enctype. Implement this function as an exported API. ticket: 6421 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22094 dc483132-0cff-0310-8789-dd5450dbe970
* Make a working krb5_copy_error_messageGreg Hudson2009-03-111-0/+3
| | | | | | | | | | | | The krb5_copy_error_state macro wasn't used, didn't work, and didn't need to be a macro. Replace it with an exported API function named krb5_copy_error_message. ticket: 6407 target_version: 1.7 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22078 dc483132-0cff-0310-8789-dd5450dbe970
* Include authenticator and ticket authdata in gss-apiSam Hartman2009-02-261-0/+8
| | | | | | | | | | | | | | | Currently, the GSS-API routines for handling authdata only extract the authorization data from the ticket, not that from the authenticator. This is incorrect. Introduce a new function krb5_merge_authadata to merge two authdata arrays into a newly allocated result array. Use this function in accept_sec_context.c to include both sets of authdata. ticket: 6400 Target_version: 1.7 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22056 dc483132-0cff-0310-8789-dd5450dbe970
* Merge mskrb-integ onto trunkSam Hartman2009-01-032-17/+216
| | | | | | | | | | | | | | | | | | | | | | | | The mskrb-integ branch includes support for the following projects: Projects/Aliases * Projects/PAC and principal APIs * Projects/AEAD encryption API * Projects/GSSAPI DCE * Projects/RFC 3244 In addition, it includes support for enctype negotiation, and a variety of GSS-API extensions. In the KDC it includes support for protocol transition, constrained delegation and a new authorization data interface. The old authorization data interface is also supported. This commit merges the mskrb-integ branch on to the trunk. Additional review and testing is required. Merge commit 'mskrb-integ' into trunk ticket: new status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21690 dc483132-0cff-0310-8789-dd5450dbe970
* Revert r21589, and export krb5_get_fallback_host_realm insteadGreg Hudson2008-12-291-0/+4
| | | | | | | | | | | | | | Rationale: Zephyr and AFS both use the Kerberos realm name as the name of the service realm (AFS realm or Zephyr galaxy). AFS can grab the Kerberos realm from the ticket being aklogged, but Zephyr is not necessarily getting credentials at all (you could be sending an unauthenticated message), and currently finds its answer by looking up the realm of the server host. Although we can't currently provide an accurate result for this lookup in the presence of referrals, we do need to provide enough tools to get as good of an answer as libzephyr could have gotten before referrals went in. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21631 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up krb5_get_fallback_host_realm in two respects:Greg Hudson2008-12-241-4/+0
| | | | | | | | | | | | 1. It isn't exported from libkrb5 (and no one seems to complain about that). So give it a krb5int_ name and move its declaration to k5-int.h. Also stop exporting it from the collected client lib. 2. It returned a list of realms, but its only caller assumes that the list contains exactly one realm. So just make it return a single realm. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21589 dc483132-0cff-0310-8789-dd5450dbe970
* Crypto IOV API per Projects/AEAD encryption APISam Hartman2008-12-021-0/+57
| | | | | | | | | | | | | | Merge in the mskrb-crypto-iov branch at r21259 in order to move an implementation of http://k5wiki.kerberos.org/wiki/Projects/AEAD_encryption_API onto the trunk. This branch contains a subset of the commits on the mskrb-integ branch that implement the krb5 library part of the crypto IOV API. ticket: new Status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21263 dc483132-0cff-0310-8789-dd5450dbe970
* krb5_build_principal_va does not allocate krb5_principalAlexandra Ellwood2008-10-241-1/+7
| | | | | | | | | | | | | | | | | krb5_build_principal_va does not allocate the outer krb5_principal, making it useless for generating krb5_principals which can be freed with krb5_free_principal. Added krb5_build_principal_alloc_va which allocates the krb5_principal. Added krb5int_build_principal_alloc_va which is used by KIM to avoid code duplication. KIM's kim_identity_create_from_components takes the first component as an argument because principals with no components cannot be represented with the KIM UI. Modified KIM to use this new API. ticket: new git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20918 dc483132-0cff-0310-8789-dd5450dbe970
* Merge 1.7 work on auxiliary ccache functions necessary for KIM. Adds ↵Justin Anderson2008-09-221-0/+25
| | | | | | | | | | | krb5_cc_lock/unlock, krb5_cccol_lock/unlock, krb5_cc_last_change_time, krb5_cccol_last_change_time, krb5_cc_move, and adds pertype cursor support to some cache types Locking functions work the same as the CCAPI cc_ccache_lock / cc_context_lock functions, though not as read/write locks. ticket: 6124 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20743 dc483132-0cff-0310-8789-dd5450dbe970
* Incorporate Apple's patchKen Raeburn2008-08-251-0/+111
| | | | | | | | | | | | | | | | | | | | | | Add a test authorization data scheme, in both built-in and plugin forms; built-in version is #ifdef'ed out. Update configury to create the build directory for the plugin, but don't build or install it by default. Create the new (and normally empty) authorization data plugin directory at install time. Add some (normally disabled) code to log authz data from rd_req. Fix up some comments that still refer to preauth plugins. Add some details in comments on the API, and why it's private for now. Make the plugin init context support work, by not passing null pointers. ticket: 5565 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20691 dc483132-0cff-0310-8789-dd5450dbe970
* Changes to krb5_kt_default_name changed the krb5 ABI. RevertedAlexandra Ellwood2008-07-081-1/+1
| | | | | | | | | API prototype change and added a temporary variable to avoid casting problems. ticket: 5432 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20502 dc483132-0cff-0310-8789-dd5450dbe970
* Apple PKINIT patch commitAlexandra Ellwood2008-05-301-0/+9
| | | | | | | | | | | | | Commit of Apple PKINIT patches under "APPLE_PKINIT" preprocessor symbol. Long term goal is to merge these patches with the pkinit preauth plugin which does not currently have support for Mac OS X crypto libraries or the exported functions used by Back To My Mac. ticket: new status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20346 dc483132-0cff-0310-8789-dd5450dbe970
* Implement KRB5_ATTR_DEPRECATED for WindowsKen Raeburn2007-08-281-0/+2
| | | | | | ticket: 2836 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19890 dc483132-0cff-0310-8789-dd5450dbe970
* For gcc 4.x, add sentinel attribute to krb5_build_principalKen Raeburn2007-08-271-1/+5
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19888 dc483132-0cff-0310-8789-dd5450dbe970
* Define KRB5_ATTR_DEPRECATED (and undef at end of file) and attach itKen Raeburn2007-08-271-7/+15
| | | | | | | | | | | | to the function declarations enabled by KRB5_DEPRECATED. Definition depends on having GCC version 3.2.3 or later. (Earlier versions may have supported it, but that's what I found docs for. Windows compiler support coming later, based on Jeff's suggestions.) ticket: 2836 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19887 dc483132-0cff-0310-8789-dd5450dbe970
* Add PKINIT supportKevin Coffman2007-08-012-128/+274
| | | | | | | | | | | | | | | | Pull up PKINIT support onto the trunk. Changes from the version in branch users/coffman/pkinit are: - Update the preauth plugin interface version to avoid conflict with any existing plugins. - Add a pkcs11.h locally to the pkinit code rather than depending on opensc being installed. ticket: new Target_Version: 1.6.3 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19745 dc483132-0cff-0310-8789-dd5450dbe970
* Attach format attributes to declarations of various message-formattingKen Raeburn2007-06-291-3/+11
| | | | | | | | | | | | | routines under gcc. In a couple of routines, hard-code the preference for using the vsnprintf paths instead of list-of-int-arguments hacks now that we're assuming vsnprintf is available in other places. Installed headers affected: com_err.h (com_err, com_err_va) ss.h (ss_error) krb5.h (krb5_set_error_message, krb5_vset_error_message) git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19653 dc483132-0cff-0310-8789-dd5450dbe970
* krb5_kt_default_name should take an unsized lengthEzra Peisach2007-02-051-1/+1
| | | | | | | | | | The internal code to krb5_kt_default_name was casting the length to size_t. Change prototype to take an unsigned - which makes sense in how the code uses it. ticket: new git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19144 dc483132-0cff-0310-8789-dd5450dbe970
* krb5_kt_get_type should return const char *. Ezra Peisach2007-02-051-1/+1
| | | | | | | | | | | | The code returns a pointer to static structures. Just to enforce the assumption that users can not change the returned data. Change prototype of krb5_kt_get_type to return const char *. The other changes are to clean up warnings - no change in code - usage assumed const. ticket: new git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19143 dc483132-0cff-0310-8789-dd5450dbe970
* get_init_creds_opt extensibilityTom Yu2007-01-302-1/+78
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | r18922@cathode-dark-space: coffman | 2006-12-04 18:30:15 -0500 First cut at making the get_init_creds_opt structure extendable and adding library functions to set options for preauthentication plugins. This does *not* include a compatibility function to work like Heimdal's krb5_get_init_creds_opt_set_pkinit() function. Hopefully, the test code that doesn't belong in kinit.c is obvious. r18929@cathode-dark-space: coffman | 2006-12-07 10:01:20 -0500 Remove extra "user_id" parameter. Add function which duplicates the Heimdal interface (if we can agree on what the matching attribute names should be). r18934@cathode-dark-space: coffman | 2006-12-08 15:28:03 -0500 Update to use the simplified interface for krb5_get_init_creds_opt_set_pa() Add code in kinit to process "-X" options as preauth options and pass them along. r18936@cathode-dark-space: coffman | 2006-12-11 12:04:26 -0500 Move prototypes for get_init_creds_opt_get_pa() and krb5_get_init_creds_opt_free_pa() into the preauth_plugin.h header rather than krb5.hin. ticket: new status: open component: krb5-libs git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19127 dc483132-0cff-0310-8789-dd5450dbe970
* Include stdarg.h, and don't conditionalize declarations of functions withKen Raeburn2007-01-201-5/+1
| | | | | | va_list arguments. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19087 dc483132-0cff-0310-8789-dd5450dbe970
* Mark as C source for Emacs mode selectionKen Raeburn2007-01-201-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19084 dc483132-0cff-0310-8789-dd5450dbe970
* Don't define KRB5_PRIVATE, since it's not tested any moreKen Raeburn2007-01-201-4/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19083 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-27 00:30:12 +0000