path: root/src/include
Commit log (author, age, files changed, lines removed/added):

* Add new api to Sphinx doc; doc introduced version (Zhanna Tsitkov, 2012-09-11; 1 file, -1/+9)

* Add internal JSON encoding and decoding support (Greg Hudson, 2012-09-11; 2 files, -0/+198)

  Add JSON support based loosely on Heimdal's heimbase code.

* Add internal base64 encoding and decoding support (Greg Hudson, 2012-09-11; 1 file, -0/+52)

  Add base64 support based on Heimdal's libroken base64 code.

* Add responder feature for initial cred exchanges (Nathaniel McCallum, 2012-09-11; 3 files, -1/+115)

  Add new APIs:

  * krb5_get_init_creds_opt_set_responder
  * krb5_responder_get_challenge
  * krb5_responder_list_questions
  * krb5_responder_set_answer

  If a caller sets a responder, it will be invoked after preauth modules have had a chance to review their incoming padata but before they produce outgoing padata. The responder will be presented a set of questions with optional challenges. The responder should then answer all questions it knows how to handle. Both the answers and the challenges are printable UTF-8 and may contain encoded, structured data specific to the question asked.

  Add two new callbacks and one optional method to the clpreauth interface. The new method (prep_questions) allows modules to ask questions by setting them in the responder context using one of the new callbacks (ask_responder_question). The other new callback (get_responder_answer) is used by the process method to read the answers to the questions asked.

  ticket: 7355 (new)

* Add zapfreestr() helper to k5-int.h (Greg Hudson, 2012-09-10; 1 file, -0/+10)

  Since zapfree(str, strlen(str)) won't work for possibly-null values of str, add a helper zapfreestr() which only calls strlen() if the string value is non-null.

* Doc newly introduced padata types for OTP support (Zhanna Tsitkov, 2012-08-23; 1 file, -7/+6)

  Remove KRB5_PADATA_OTP_CONFIRM pre-authentication data (padata) type as it is marked as OBSOLETE in RFC 6560.

* Add otp client preauth plugin (Nathaniel McCallum, 2012-08-23; 2 files, -0/+11)

  Implements the client side of RFC 6560. Not all features are implemented, but it should work for the most common cases.

  ticket: 7242 (new)

* Add ASN.1 support for OTP (Greg Hudson, 2012-08-23; 1 file, -0/+75)

  Add encoders and decoders for the OTP-TOKENINFO, PA-OTP-CHALLENGE, PA-OTP-REQUEST, and PA-OTP-ENC-REQUEST types from RFC 6560. For more thorough testing, add support for generating test encodings using asn1c for sample objects (currently only for the OTP types).

* Further fixes for WSA/Posix error translation (Kevin Wasserman, 2012-08-03; 1 file, -2/+42)

  Don't translate '0' (no error). Handle WSAEAFNOSUPPORT and WSAEINVAL. Add Posix->WSA translation. Add default translation for unrecognized errors.

  [ghudson@mit.edu: Merged with master and adjusted comments.]

  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

  ticket: 7228 (new)
  tags: pullup

* Constify krb5_string_to_keysalts()'s string arg (Nicolas Williams, 2012-07-30; 1 file, -3/+3)

* Policy extensions + new policy: allowed ks types (Nicolas Williams, 2012-07-30; 1 file, -0/+15)

  This simply adds KADM5_API_VERSION_4 and various fields to the policy structures:

  - attributes (policy-ish principal attributes)
  - max_life (max ticket life)
  - max_renewable_life (max ticket renewable life)
  - allowed_keysalts (allowed key/salt types)
  - TL data (future policy extensions)

  Of these only allowed_keysalts is currently implemented. Some refactoring of TL data handling is also done.

  ticket: 7223 (new)

* Support changing the built-in ccache/keytab names (Greg Hudson, 2012-07-24; 2 files, -4/+3)

  * Add DEFCCNAME, DEFKTNAME, and DEFCKTNAME configure variables to change the built-in ccache and keytab names.
  * Add krb5-config options to display the built-in ccache and keytab names.
  * In the default build, use krb5-config to discover the system's built-in ccache and keytab names and use them (if not overridden). This can be controlled with the --with-krb5-config=PATH or --without-krb5-config configure options.
  * Make the built-in ccache name subject to parameter expansion.

  ticket: 7221 (new)

* Add default_ccache_name profile variable (Greg Hudson, 2012-07-24; 1 file, -0/+1)

  Like default_keytab_name and default_client_keytab_name, default_ccache_name is subject to parameter expansion.

  ticket: 7220 (new)

* Add token expansion for keytab names (Greg Hudson, 2012-07-24; 1 file, -2/+2)

  Make the default_keytab_name and default_client_keytab_name variables subject to parameter expansion.

  ticket: 7219 (new)

* Doc introduced version for krb5_kt_client_default (Zhanna Tsitkov, 2012-07-16; 1 file, -0/+2)

* Remove DISABLE_TRACING from windows build (Kevin Wasserman, 2012-07-16; 1 file, -1/+0)

  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

  ticket: 7215 (new)
  tags: pullup

* KFW win-mac.h fixes (Kevin Wasserman, 2012-07-16; 1 file, -0/+6)

  kfw: add int16_t, uint16_t typedefs to win-mac.h; uint16_t is used in chpw.c.

  Include stdlib.h, crtdbg.h in win-mac.h. Allows leak-tracking using built-in msvc tools on windows. crtdbg.h needs to come _after_ stdlib.h, but _before_ checking for strdup. Define DEBUG and CRTDBG_MAP_ALLOC for full tracking.

  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

  ticket: 7204 (new)
  tags: pullup

* Correct comments in port-sockets.h (Greg Hudson, 2012-07-12; 1 file, -23/+20)

* Add krb5int_cc_user_set_default_name (Kevin Wasserman, 2012-07-11; 1 file, -0/+3)

  Set the default credential cache name for all processes for the current user. Currently implemented, for windows only, by setting HKEY_CURRENT_USER\Software\MIT\Kerberos5:ccname to the specified ccache name. This will not override the environment variable 'KRB5CCNAME'. It will override HKEY_LOCAL_MACHINE and 'indirect' registry values.

  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

  ticket: 7199 (new)
  tags: pullup

* Translate WinSock errors to Posix counterparts (Kevin Wasserman, 2012-07-11; 1 file, -1/+35)

  MSVC 2010 defines both Posix and WinSock error values so we can no longer simply #define the Posix error values to be their WinSock counterpart. This patch explicitly #includes <errno.h> in port-sockets.h and still conditionally defines the Posix error values for compatibility with older MSVC but also translates WinSock errors to Posix for MSVC 2010 compatibility.

  The downside to this approach is that there are some Posix errors we do not currently detect (e.g. EADDRINUSE) that are neither #defined nor translated. If we use one of those in the future but fail to update TranslateWSAGetLastError() we'll once again be in the situation that the windows build will compile but fail to work, possibly only when some rare error condition occurs.

  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

  ticket: 7197 (new)
  tags: pullup

* Allow using locales when gettext is absent (Ben Kaduk, 2012-07-06; 1 file, -5/+3)

  Previously, if configure did not detect dgettext(), we disabled anything that smelled like localization, inadvertently including setlocale(). Now that we use setlocale(LC_ALL, ""), we have localized dates available as well as messages, so we should not disable calls to setlocale() any more.

  Since the routines from locale.h are only used in a relatively small number of places, just include the header directly in those files and remove it from k5-platform.h.

* Increase MAX_DGRAM_SIZE (Greg Hudson, 2012-07-02; 1 file, -1/+1)

  Accept UDP datagrams up to 64K in size. We should still detect when an oversized datagram comes in by comparing against the maximum size, but this is trivial and covers 90% of the practical issues.

  ticket: 6566
  status: open

* Add client keytab initiation support (Greg Hudson, 2012-07-02; 1 file, -0/+1)

  Support acquiring GSSAPI krb5 credentials by fetching initial credentials using the client keytab. Credentials obtained this way will be stored in the default ccache or collection, and will be refreshed when they are halfway to expiring.

  ticket: 7189 (new)

* Add krb5_kt_client_default API (Greg Hudson, 2012-07-02; 3 files, -0/+22)

  The default client keytab is intended to be used to automatically acquire initial credentials for client applications. The current hardcoded default is a placeholder, and will likely change before 1.11.

  Add test framework settings to ensure that a system default client keytab doesn't interfere with tests, and to allow tests to be written to deliberately use the default client keytab.

  Add documentation about keytabs to the concepts section of the RST docs, and describe the default client keytab there.

  ticket: 7188 (new)

* Correct and clarify keytab API documentation (Greg Hudson, 2012-06-29; 1 file, -12/+12)

* Simplify bld_princ.c (Greg Hudson, 2012-06-21; 1 file, -9/+0)

* Remove orphaned KfM code (Greg Hudson, 2012-06-21; 12 files, -3495/+0)

* Document how to free krb5_cc_get_full_name result (Greg Hudson, 2012-06-20; 1 file, -0/+2)

  Also, in klist, use the appropriate libkrb5 free functions for krb5_cc_get_full_name and krb5_unparse_name_results. Reported by Kevin Wasserman.

  ticket: 7179

* Document version for new API functions (Zhanna Tsitkov, 2012-06-15; 1 file, -0/+4)

* Add krb5_cccol_have_content API (Greg Hudson, 2012-06-15; 1 file, -0/+11)

  Add a new API to determine whether any krb5 credentials are available in the ccache collection. Add tests to t_cccol.py.

  ticket: 7173 (new)

* Remove krb5int_cc_os_default_name (Greg Hudson, 2012-06-11; 1 file, -3/+0)

  krb5int_cc_os_default_name has been unused since #6955 removed the call to it in cccursor.c. Get rid of it.

* Rename and add to etype utility functions (Greg Hudson, 2012-06-07; 1 file, -0/+6)

  Rename krb5int_count_etypes and krb5int_copy_etypes to have k5_ prefixes, and make them available outside of libkrb5 (but not part of the public API). Add k5_etypes_contains to search an etype list, and use it in krb5_is_permitted_enctype.

* Remove krb5_is_permitted_enctype_ext (Greg Hudson, 2012-06-07; 1 file, -10/+0)

  It's an internal function (not in krb5.h or the libkrb5 export list) and nothing uses it.

* Add control over session key enctype negotiation (Nicolas Williams, 2012-06-06; 3 files, -0/+6)

  Adds a principal string attribute named "session_enctypes" which can specify what enctypes the principal supports for session keys. (For what it's worth, this actually allows one to list des-cbc-md5 as a supported session key enctype, though obviously this hardly matters now.)

  Add a [realms] section parameter for specifying whether to assume that principals (which lack the session_enctypes attribute) support des-cbc-crc for session keys. This allows those who still need to use allow_weak_crypto=true, for whatever reason, to start reducing the number of tickets issued with des-cbc-crc session keys to clients which still give des-cbc-crc preference in their default_tgs_enctypes list.

  [ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored test script; documented session_enctypes attribute]

* Add krb5_kt_have_content API (Greg Hudson, 2012-06-02; 1 file, -0/+12)

  Add the krb5_kt_have_content API from Heimdal, which can be used to test whether a keytab exists and contains entries. Add tests to t_keytab.c.

  There is a deviation from Heimdal in the function signature. Heimdal's signature returns a krb5_boolean at the moment, because the Heimdal implementation actually returns a krb5_error_code. These are generally the same type anyway (int).

  ticket: 7158 (new)

* Add a copy of the BSD <sys/queue.h> as k5-queue.h (Greg Hudson, 2012-05-30; 1 file, -0/+748)

  queue.h implements various types of linked lists as cpp macros, without needing any library support.

* Fix TRACE_GET_CRED_VIA_TKT_EXT format string (Greg Hudson, 2012-05-24; 1 file, -2/+2)

* Convert DEBUG_REFERRALS to TRACE_* framework (W. Trevor King, 2012-05-23; 2 files, -6/+47)

  The referrals debugging code under DEBUG_REFERRALS ceased building correctly at some point. Convert this debugging code to use the tracing framework instead, including adding new trace macros to k5-trace.h.

  ticket: 7151

* Add support for "{ptype}" trace format specifier (W. Trevor King, 2012-05-23; 1 file, -0/+1)

  Add the "{ptype}" trace format specifier, for principal name types. Also document the new option in the "k5-trace.h" comments.

  ticket: 7151

* Document "{keytab}" trace format specifier (W. Trevor King, 2012-05-23; 1 file, -0/+1)

* Add krb5_parse_name flag to ignore realm (Greg Hudson, 2012-05-10; 1 file, -0/+7)

  The flag KRB5_PRINCIPAL_PARSE_IGNORE_REALM causes krb5_parse_name to return the principal with an empty realm whether or not a realm is present in the name.

  ticket: 7129

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25862 dc483132-0cff-0310-8789-dd5450dbe970

* Rewrite krb5_parse_name (Greg Hudson, 2012-05-10; 1 file, -7/+10)

  krb5_parse_name started out a bit unwieldy, and has become more so with the introduction of flags. Rewrite it using two passes (allocate and fill), each broken out into its own helper, and a wrapper which handles the realm flags.

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25861 dc483132-0cff-0310-8789-dd5450dbe970

* Add no-op macro for ngettext for non-NLS builds (Greg Hudson, 2012-05-09; 1 file, -0/+1)

  r25857 (#7128) uses ngettext, which means we need a no-op macro for it when we're building without NLS support.

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25859 dc483132-0cff-0310-8789-dd5450dbe970

* Constify get_init_creds string input params (Greg Hudson, 2012-05-09; 2 files, -6/+8)

  The get_init_creds functions take read-only string input parameters for passwords and initial ticket services. Make these const char * parameters instead of just char * parameters, for caller convenience. Reported by rra@stanford.edu.

  ticket: 7121

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25858 dc483132-0cff-0310-8789-dd5450dbe970

* Add API to interpret changepw result strings (Greg Hudson, 2012-05-09; 1 file, -0/+26)

  Active Directory returns structured policy information in the nominally UTF-8 result string field of a password change reply. Add a new API krb5_chpw_message() to convert a result string into a displayable message, interpreting policy information if present.

  Patch from stefw@gnome.org with changes.

  ticket: 7128

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25857 dc483132-0cff-0310-8789-dd5450dbe970

* Constify krb5int_utf8_normalize input parameter (Greg Hudson, 2012-05-09; 1 file, -1/+1)

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25856 dc483132-0cff-0310-8789-dd5450dbe970

* Use variadic macros to simplify k5-trace.h (Greg Hudson, 2012-05-08; 2 files, -216/+221)

  Also fix the facility to make it possible to trace log without including k5-int.h.

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25852 dc483132-0cff-0310-8789-dd5450dbe970

* Try all host keys by default in vfy_increds (Greg Hudson, 2012-05-03; 1 file, -15/+16)

  Factor out the core code of krb5_verify_init_creds into a helper, add new helper functions to retrieve the list of unique host principals from a keytab, and make krb5_verify_init_creds drive the helper once per host principal.

  Augment the test harness and test cases to better test the new behavior. Add a k5test method to retrieve an NFS principal for the test realm for the sake of the new test cases.

  ticket: 7125

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25845 dc483132-0cff-0310-8789-dd5450dbe970

* Stop using SALT_TYPE_AFS_LENGTH (Greg Hudson, 2012-04-27; 2 files, -6/+2)

  In krb5_init_creds_ctx and krb5_clpreauth_rock_st, use a boolean to track whether we're still using the default salt instead of overloading salt.length. In preauth2.c, process afs3 salt values like we would in krb5int_des_string_to_key, and set an s2kparams indicator instead of overloading salt.length. Also use an s2kparams indicator in kdb_cpw.c's add_key_pwd. Remove the s2k code to handle overloaded salt lengths, except for a sanity check.

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25837 dc483132-0cff-0310-8789-dd5450dbe970

* Fix TRACE_PREAUTH_SALT format string (Greg Hudson, 2012-04-27; 1 file, -1/+1)

  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25836 dc483132-0cff-0310-8789-dd5450dbe970