summaryrefslogtreecommitdiffstats
path: root/src/include
Commit message (Collapse)AuthorAgeFilesLines
...
* Remove orphaned Apple PKINIT supportGreg Hudson2012-04-265-763/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25830 dc483132-0cff-0310-8789-dd5450dbe970
* Use etypes from keytab in krb5_gic_keytabGreg Hudson2012-04-191-0/+4
| | | | | | | | | | | When getting initial credentials with a keytab, filter the list of request enctypes based on the keys in the keytab. Based on a patch from Stef Walter. ticket: 2131 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25818 dc483132-0cff-0310-8789-dd5450dbe970
* Add Doxygen markup to API functions that were introduced in 1.9 releaseZhanna Tsitkov2012-04-191-0/+26
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25814 dc483132-0cff-0310-8789-dd5450dbe970
* Add Doxygen markup to API functions that were introduced in 1.10 releaseZhanna Tsitkov2012-04-171-0/+15
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25810 dc483132-0cff-0310-8789-dd5450dbe970
* Allow preauth mechs to work with clock skewGreg Hudson2012-04-172-0/+29
| | | | | | | | | | | | | | | Add a clpreauth callback which gets the time of day using an offset determined by the preauth-required error, and use it in encrypted timestamp and encrypted challenge. This timestamp is not necessarily authenticated, but the security consequences for those preauth mechs are minor (and can be mitigated by turning off kdc_timesync on clients). Based on a patch from Stef Walter. ticket: 7114 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25808 dc483132-0cff-0310-8789-dd5450dbe970
* Document kadm5_hook chpass randomize-key behaviorGreg Hudson2012-04-161-0/+1
| | | | | | | kadmind's randkey operation invokes the kadm5_hook chpass method with a null newpass parameter, which wasn't documented. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25805 dc483132-0cff-0310-8789-dd5450dbe970
* If trace logging facility is enabled, report misconfiguration errors ↵Zhanna Tsitkov2012-04-021-0/+4
| | | | | | | | encountered while initializing krb5 library context ticket: 7091 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25800 dc483132-0cff-0310-8789-dd5450dbe970
* Fix up krb5.hin Doxygen markup somewhatGreg Hudson2012-03-271-21/+34
| | | | | | | | | | * Put everything in an enclosing group, so it gets captured even without EXTRACT_ALL. * Make sure there's documentation for all constants referenced by other markup. * Fix references to the PAC constants. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25789 dc483132-0cff-0310-8789-dd5450dbe970
* Only store master mey list in DAL handleGreg Hudson2012-03-211-15/+4
| | | | | | | | | | | | | | r24314 (#6778) created a hybrid owernship model for the master key list, with one virtual copy stored in the DAL handle and one provided to the caller of krb5_db_fetch_mkey_list. Replace this with a model where only the DAL handle owns the list, and a caller can get access to an alias pointer with a new function krb5_db_mkey_list_alias(). Functions which previously accepted the master key list as an input parameter now expect to find it in the DAL handle. Patch by Will Fiveash <will.fiveash@oracle.com>. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25781 dc483132-0cff-0310-8789-dd5450dbe970
* Remove admin_keytab references in code and docsGreg Hudson2012-03-041-1/+0
| | | | | | | | | The admin keytab hasn't been needed or used by kadmind since 1.4 (except possibly by legacy admin daemons which we no longer ship). Eliminate remaining references to it in code, test cases, and documentation. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25729 dc483132-0cff-0310-8789-dd5450dbe970
* Require IPv6 supportKen Raeburn2012-02-283-12/+3
| | | | | | | | | | | | | | The configure-time options to enable and disable IPv6 support have been deprecated for some time, but the checks for OS support were kept. This removes those checks, and unconditionally compiles in the IPv6 support. There was a configure-time test to see if the macro INET6 needed to be defined in order to enable (visibility of) OS support for IPv6, which was needed on an IRIX system we tested with. That check is retained, but the revised code is untested on IRIX. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25719 dc483132-0cff-0310-8789-dd5450dbe970
* Data-driven ASN.1 decoderGreg Hudson2012-02-111-2/+3
| | | | | | | | | | | | | | | | | | Add a general ASN.1 decoder implementation in asn1_encode.c using the same data structures as the encoder (augmented where necessary), and use it to define decoder functions in asn1_k_encode.c. Add a boolean type to atype_info, as it is needed for the pa_pac_req decoder. For the moment, just #if out the old decoder functions; they and their support code can be cleaned up later after a a few remaining utility functions are addressed. Changes to encoder and decoder interfaces are minimized, but there are two small ones. ldap_seqof_key_data has a kvno field added, and some of the decoder logic is pushed up into the caller. The safe_with_body decoder now outputs an allocated krb5_data * instead of a krb5_data with aliases into the input buffer. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25693 dc483132-0cff-0310-8789-dd5450dbe970
* Minimize draft9 PKINIT code by removing dead codeGreg Hudson2012-02-112-26/+3
| | | | | | | | | | | | | | | | The PKINIT client code doesn't use decode_krb5_pa_pk_as_rep_draft9, which is fortunate because it doesn't work (see issue #7072). Instead, it passes both kinds of PKINIT replies through decode_krb5_pa_pk_as_rep, then decodes the un-enveloped CMS data in alternative 1 (encKeyPack) as either an RFC or draft9 ReplyKeyPack. So, remove the unused broken pa_pk_as_rep_draft9 decoder. For pa_pk_as_req_draft9, we only use two of the fields on encode and only one of those on decode. So, get rid of the unused fields and the krb5_trusted_ca structure, and reduce the encoder and decoder sequences to the minimum necessary fields. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25689 dc483132-0cff-0310-8789-dd5450dbe970
* Revert r25669 pending clarification of goals and API reviewTom Yu2012-02-031-3/+0
| | | | | | | New APIs of this sort should be discussed, and the goals motivating the change clarified. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25670 dc483132-0cff-0310-8789-dd5450dbe970
* Added a new trace logging message TRACE_PROFILE_ERR to improve the ↵Zhanna Tsitkov2012-02-031-0/+3
| | | | | | | | | | diagnostics of the potential misconfiguration. Added profile_get_(string/integer/boolean)_nodef functions to the profile library to get the typed values from the configuration files (without setting these values to the defaults). Used TRACE_PROFILE_ERR for the configuration diagnostics in krb5_init_context_profile API. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25669 dc483132-0cff-0310-8789-dd5450dbe970
* Remove unneeded kdcRealm field in PKINIT structureGreg Hudson2012-01-081-1/+0
| | | | | | | | krb5_pk_authenticator_draft9 had a kdcRealm field which was set by the client code but never encoded or decoded. Remove it. Eliminating this field exposed a bug in auth_pack_draft9_optional; fix that. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25624 dc483132-0cff-0310-8789-dd5450dbe970
* Remove some unneeded accessor fieldsGreg Hudson2012-01-071-29/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25620 dc483132-0cff-0310-8789-dd5450dbe970
* Remove some unused structures and encodersGreg Hudson2012-01-072-72/+4
| | | | | | | | | | | krb5_alt_method was added in r6604 but never supported. krb5_pwd_data became unused when the Sandia kadmin system was replaced. krb5_pa_server_referral_data and krb5_pa_svr_referral_data were added in r21690 with internally-visible encoders which nothing uses. Leave behind structure declarations in krb5.hin for API compatibility. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25619 dc483132-0cff-0310-8789-dd5450dbe970
* Remove SAM encoders and structuresGreg Hudson2012-01-071-135/+0
| | | | | | | | r24403 removed the old SAM support, but left behind the structures, free functions, and ASN.1 encoders/decoders. Remove those now. (SAM-2 support is still present.) git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25618 dc483132-0cff-0310-8789-dd5450dbe970
* Convert all remaining macro-coded ASN.1 encodersGreg Hudson2012-01-062-9/+9
| | | | | | | | | | | Use data-driven encoders for all of the remaining types which still used macros (primarily PKINIT types), and get rid of the macros. Do not change any encoding behavior, but add some comments where behavior differs from the spec. DEFFNTYPE is now unused except for the kdc_req_body hack. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25617 dc483132-0cff-0310-8789-dd5450dbe970
* Remove unused functions (older API residue) krb5_realm_iterator* and ↵Zhanna Tsitkov2012-01-041-14/+0
| | | | | | krb5_free_realm_string git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25606 dc483132-0cff-0310-8789-dd5450dbe970
* Stop using krb5_typed_data structure typeGreg Hudson2011-12-213-21/+8
| | | | | | | | | | | | Use the krb5_pa_data structure type when encoding or decoding TYPED-DATA. Leave the krb5_typed_data structure definition in krb5.h with a comment saying not to use it. Remove krb5_free_typed_data (which was never declared in krb5.h). Remove some vestigial accessor stuff related to PKINIT encoding and decoding TYPED-DATA, which was unneeded since r25483. Bump the accessor structure version to 19 accordingly. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25601 dc483132-0cff-0310-8789-dd5450dbe970
* Stop using krb5_octet_dataGreg Hudson2011-12-212-35/+28
| | | | | | | | For consistency with the rest of the code base, make PKINIT use krb5_data as a pointer/length container. Leave krb5_octet_data and krb5_free_octet_data behind for API compatibility. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25600 dc483132-0cff-0310-8789-dd5450dbe970
* Corrected the name of KRB5_NT_SRV_HST macro. Added some doxygen commentsZhanna Tsitkov2011-12-121-30/+21
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25537 dc483132-0cff-0310-8789-dd5450dbe970
* Allow null server key to krb5_pac_verifyGreg Hudson2011-12-071-3/+3
| | | | | | | | | | When the KDC verifies a PAC, it doesn't really need to check the server signature, since it can't trust that anyway. Allow the caller to pass only a TGT key. ticket: 7048 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970
* Allow S4U2Proxy delegated credentials to be savedGreg Hudson2011-12-071-0/+3
| | | | | | | | | | | | | | | The initial implementation of client-side S4U2Proxy support did not allow delegated proxy credentials to be stored (gss_store_cred would error out, and gss_krb5_copy_ccache would generate a non-working cache). To make this work, we save the impersonator name in a cache config variable and in a cred structure field (replacing the proxy_cred flag), and make the default principal of the proxy cache the subject principal as the caller would expect for a regular delegated cred. ticket: 7046 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25529 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up client-side preauth error data handlingGreg Hudson2011-11-212-7/+13
| | | | | | | | | | | | | | | | | | | | | | | | Change the clpreauth tryagain method to accept a list of pa-data, taken either from the FAST response or from decoding the e_data as either pa-data or typed-data. Also change the in_padata argument to contain just the type of the request padata rather than the whole element, since modules generally shouldn't care about the contents of their request padata (or they can remember it). In krb5int_fast_process_error, no longer re-encode FAST pa-data as typed-data for the inner error e_data, but decode traditional error e_data for all error types, and try both pa-data and typed-data encoding. In PKINIT, try all elements of the new pa-data list, since it may contain FAST elements as well as the actual PKINIT array. (Fixes an outstanding bug in FAST PKINIT.) ticket: 7023 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25483 dc483132-0cff-0310-8789-dd5450dbe970
* Improve documentation in preauth_plugin.hGreg Hudson2011-11-191-6/+15
| | | | | | | | | | Also declare the verto_context structure to ensure that it is has the proper scope when used as the return type of the event_context callback. ticket: 7019 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25479 dc483132-0cff-0310-8789-dd5450dbe970
* Make verto context available to kdcpreauth modulesGreg Hudson2011-11-152-1/+6
| | | | | | | | | | | | Add an event_context callback to kdcpreauth. Adjust the internal KDC and main loop interfaces to pass around the event context, and expose it to kdcpreauth modules via the rock. ticket: 7019 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25475 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify and fix kdcpreauth request_body callbackGreg Hudson2011-11-141-8/+5
| | | | | | | | | | | | | | | | | | | Alter the contract for the kdcpreauth request_body callback so that it returns an alias to the encoded body instead of a fresh copy. At the beginning of AS request processing, save a copy of the encoded request body, or the encoded inner request body for FAST requests. Previously the request_body callback would re-encode the request structure, which in some cases has been modified by the AS request code. No kdcpreauth modules currently use the request_body callback, but PKINIT will need to start using it in order to handle FAST requests correctly. ticket: 7017 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25473 dc483132-0cff-0310-8789-dd5450dbe970
* Handle TGS referrals to the same realmGreg Hudson2011-11-141-0/+3
| | | | | | | | | | | | | | | krb5 1.6 through 1.8 contained a workaround for the Active Directory behavior of returning a TGS referral to the same realm as the request. 1.9 responds to this behavior by caching the returned TGT, trying again, and detecting a referral loop. This is a partial regression of ticket #4955. Detect this case and fall back to a non-referreal request. ticket: 7016 target_version: 1.9.3 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25472 dc483132-0cff-0310-8789-dd5450dbe970
* Add consistency check for plugin interface namesGreg Hudson2011-11-131-1/+2
| | | | | | | Add an assertion to ensure that the interface_names table in plugin.c is updated when a new pluggable interface is added. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25471 dc483132-0cff-0310-8789-dd5450dbe970
* Avoid looping when preauth can't be generatedGreg Hudson2011-11-111-1/+1
| | | | | | | | | | | | | | | | | If we receive a PREAUTH_REQUIRED error and fail to generate any real preauthentication, error out immediately instead of continuing to generate non-preauthenticated requests until we hit the loop count. There is a lot of room to generate a more meaningful error about why we failed to generate preauth (although in many cases the answer may be too complicated to explain in an error message), but that requires more radical restructuring of the preauth framework. ticket: 6430 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25469 dc483132-0cff-0310-8789-dd5450dbe970
* Added the note to the trace API functions that they have higher priority ↵Zhanna Tsitkov2011-11-091-2/+8
| | | | | | than the KRB5_TRACE env variable git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25466 dc483132-0cff-0310-8789-dd5450dbe970
* Make krb5_check_clockskew publicGreg Hudson2011-10-312-1/+15
| | | | | | | | | | | | Rename krb5int_check_clockskew to krb5_check_clockskew and make it public, in order to give kdcpreauth plugins a way to check timestamps against the configured clock skew. ticket: 6996 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25424 dc483132-0cff-0310-8789-dd5450dbe970
* Fix format string for TRACE_INIT_CREDS_SERVICEGreg Hudson2011-10-261-1/+1
| | | | | | | | | | This should also be pulled up to 1.10. ticket: 6993 tags: pullup target_version: 1.9.2 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25417 dc483132-0cff-0310-8789-dd5450dbe970
* Make krb5_find_authdata publicGreg Hudson2011-10-252-6/+21
| | | | | | | | | | Rename krb5int_find_authdata to krb5_find_authdata and make it public. ticket: 6992 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25414 dc483132-0cff-0310-8789-dd5450dbe970
* Refactor salt computation into libkdb5Greg Hudson2011-10-241-0/+6
| | | | | | | Add a new API krb5_dbe_compute_salt() to determine the salt for a key data entry, and use it in the three places we currently compute salts. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25410 dc483132-0cff-0310-8789-dd5450dbe970
* Ensure termination in Windows vsnprintf wrapperGreg Hudson2011-10-181-1/+3
| | | | | | | | | | | | | | | The Windows _vsnprintf does not terminate its output buffer in the overflow case. Make sure we do that in the wrapper. Reported by Chris Hecker. (Not an issue for KfW 3.2 since we weren't using snprintf in 1.6.x except in Unix-specific code.) ticket: 6980 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25367 dc483132-0cff-0310-8789-dd5450dbe970
* Make reindentTom Yu2011-10-172-17/+16
| | | | | | | Also fix pkinit_crypto_nss.c struct initializers and add parens to a ternary operator in do_as_req.c for better indentation. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25362 dc483132-0cff-0310-8789-dd5450dbe970
* Install krb5/preauth_plugin.hGreg Hudson2011-10-151-0/+1
| | | | | | | | | | The clpreauth and kdcpreauth pluggable interfaces are public as of krb5 1.10. Install the header so that preauth modules can be built outside of the krb5 source tree. ticket: 6977 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25353 dc483132-0cff-0310-8789-dd5450dbe970
* Rename PAC type constants to avoid conflictsGreg Hudson2011-10-151-7/+7
| | | | | | | | Since the PAC type constants are now exposed in krb5.h, give them a KRB5_ prefix so they don't conflict with similar PAC type constants in other packages, like Samba. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25352 dc483132-0cff-0310-8789-dd5450dbe970
* Hide gak_fct interface and arguments in clpreauthGreg Hudson2011-10-152-47/+45
| | | | | | | | | | | | | | | | | | | | | | Remove the gak_fct, gak_data, salt, s2kparams, and as_key arguments of krb5_clpreauth_process_fn and krb5_clpreauth_tryagain_fn. To replace them, add two callbacks: one which gets the AS key using the previously selected etype-info2 information, and a second which lets the module replace the AS key with one it has computed. This changes limits module flexibility in a few ways. Modules cannot check whether the AS key was already obtained before asking for it, and they cannot use the etype-info2 salt and s2kparams for purposes other than getting the password-based AS key. It is believed that of existing preauth mechanisms, only SAM-2 preauth needs more flexibility than the new interfaces provide, and as an internal legacy mechanism it can cheat. Future mechanisms should be okay since the current IETF philosophy is that etype-info2 information should not be used for other purposes. ticket: 6976 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25351 dc483132-0cff-0310-8789-dd5450dbe970
* Make kdcpreauth edata method respond via callbackGreg Hudson2011-10-151-10/+20
| | | | | | From npmccallum@redhat.com with changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25348 dc483132-0cff-0310-8789-dd5450dbe970
* Add new header gssapi_alloc.hSam Hartman2011-10-141-1/+1
| | | | | | | | | | | | | | | Contains allocator methods for use with mechanisms and mechglues for allocations that must be made in one module but freed in another. On windows, an allocation made in one module cannot safely be freed in another using the usual c runtime malloc/free; runtime dll mismatch will cause heap corruption in that case. But it is safe to instead directly use HeapAlloc()/HeapFree() specifying the default process heap. For now, this header is not public. If it becomes public strncpy will need to be used instead of strlcpy. Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25330 dc483132-0cff-0310-8789-dd5450dbe970
* Removed unused macrosZhanna Tsitkov2011-10-141-7/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25328 dc483132-0cff-0310-8789-dd5450dbe970
* Fix the doxygen comments for krb5_pac_signZhanna Tsitkov2011-10-121-6/+6
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25326 dc483132-0cff-0310-8789-dd5450dbe970
* Make krb5_pac_sign publicGreg Hudson2011-10-122-9/+21
| | | | | | | | | | | | krb5int_pac_sign was created as a private API because it is only needed by the KDC. But it is actually used by DAL or authdata plugin modules, not the core KDC code. Since plugin modules should not need to consume internal libkrb5 functions, rename krb5int_pac_sign to krb5_pac_sign and make it public. ticket: 6974 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25325 dc483132-0cff-0310-8789-dd5450dbe970
* Documentation pass over preauth_plugin.hGreg Hudson2011-10-121-38/+37
| | | | | | No functional changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25324 dc483132-0cff-0310-8789-dd5450dbe970
* Add get_string, free_string kdcpreauth callbacksGreg Hudson2011-10-061-0/+10
| | | | | | | | String attributes should be useful to preauth modules without having to link against libkdb5. Add a callback to make client string attributes accessible to modules. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25318 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2026-01-08 11:46:02 +0000