path: root/src/lib/krb5/ccache
Commit message | Author | Age | Files | Lines
...
* 2004-02-02 Jeffrey Altman <jaltman@mit.edu> | Jeffrey Altman | 2004-02-03 | 2 | -1/+22
  * cc_msla.c: GetMSCacheTicketFromCacheInfo() uses the tktinfo->TicketFlags as the value to assign to TicketRequest->TicketFlags. This field is blindly inserted into the kdc-options[0] field of the TGS_REQ. If there are bits such as TRANSIT_POLICY_CHECKED in the TicketFlags, this will result in an unknown TGS_OPTION being processed by the KDC. This has been fixed by mapping the Ticket Flags to KDC options. We only map Forwardable, Forwarded, Proxiable, and Renewable. The others should not be used.
  ticket: 2190
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16013 dc483132-0cff-0310-8789-dd5450dbe970
* * cc_mslsa.c: the MSLSA code was crashing on Pismere machines when | Jeffrey Altman | 2004-02-02 | 2 | -10/+36
  logging on with cross realm credentials. On these machines there are 8 tickets within the LSA cache from two different realms. One of the krbtgt/CLIENT-REALM@CLIENT-REALM tickets (not the Initial ticket but a Forwarded ticket) is inaccessible to the ms2mit.exe and leash32.exe processes. The attempt to access the ticket returns a SubStatus code of STATUS_LOGON_FAILURE (0xC000006DL) which is supposed to mean that the logon attempt was invalid due to bad authentication information. kerbtray has no problem listing this ticket. The other seven tickets in the cache including the Initial Ticket are accessible.
  Modified krb5_lcc_next_cred() to skip to the next ticket if an attempt to read a single ticket fails.
  ticket: 2184
  tags: pullup
  target_version: 1.3.2
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15997 dc483132-0cff-0310-8789-dd5450dbe970
* * cc_mslsa.c: optimize the get_next logic by storing a handle to the | Jeffrey Altman | 2004-02-01 | 2 | -18/+30
  MS TGT in the lcc_cursor data structure
  ticket: new
  tags: pullup
  target_version: 1.3.2
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15993 dc483132-0cff-0310-8789-dd5450dbe970
* Do not export tickets from the LSA if they contain NULL session keys. | Jeffrey Altman | 2004-01-31 | 2 | -6/+19
  This is primarily to prevent unusable TGTs from being imported into the MIT Credential Cache
  ticket: 2153
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15991 dc483132-0cff-0310-8789-dd5450dbe970
* 2004-01-30 Jeffrey Altman <jaltman@mit.edu> | Jeffrey Altman | 2004-01-31 | 2 | -20/+98
  * cc_mslsa.c: As per extensive conversations with Doug Engert we have concluded that MS is not specifying a complete set of domain information when it comes to service tickets other than the initial TGT. What happens is the client principal domain cannot be derived from the fields they export. Code has now been added to obtain the domain from the initial TGT and use that when constructing the client principals for all tickets. This behavior can be turned off by setting a registry either on a per-user or a system-wide basis:
    {HKCU,HKLM}\Software\MIT\Kerberos5
      PreserveInitialTicketIdentity = 0x0 (DWORD)
  ticket: 2139
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15990 dc483132-0cff-0310-8789-dd5450dbe970
* fix typos | Jeffrey Altman | 2004-01-07 | 3 | -5/+5
  ticket: 2106
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15975 dc483132-0cff-0310-8789-dd5450dbe970
* Add stub function implementations to support krb5_cc_remove_cred() which | Jeffrey Altman | 2004-01-06 | 4 | -4/+52
  would cause a null pointer dereference if called. The new KRB5_CC_NOSUPP error is returned to indicate the lack of implementation.
  ticket: 2106
  target_version: 1.3.2
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15974 dc483132-0cff-0310-8789-dd5450dbe970
* ticket 2049 | Jeffrey Altman | 2003-12-19 | 2 | -5/+12
  fix an incorrect level of indirection for a krb5_creds data structure.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15942 dc483132-0cff-0310-8789-dd5450dbe970
* * cc_retr.c: Extract the test to determine if a credential matches | Jeffrey Altman | 2003-12-19 | 3 | -37/+217
  a requested credential according to the specified fields into a private function: krb5int_cc_creds_match_request()
  * cc_mslsa.c: Extend the functionality of krb5_lcc_retrieve() to perform a MS Kerberos LSA ticket request if there is no matching credential in the cache. The MS Kerberos LSA places the following restriction on what tickets it will place into the LSA cache: tickets obtained by an application request for a specific set of kerberos flags or enctype will not be cached. Therefore, we first make a request with no flags or enctype in the hope that we will be lucky and get the right ones anyway. If not, we make the application's request and return that ticket if it matches the other criteria.
  Implemented a similar technique for krb5_lcc_store(). Since we can not write to the cache, when a store request is made we instead perform a ticket request through the lsa for a matching credential. If we receive one, we return success. Otherwise, we return the KRB5_CC_READONLY error.
  With these changes I am now able to operate entirely with the MSLSA ccache as the default cache provided the MS LSA credentials are for the principal I wish to use. Obviously, one cannot change principals while the MSLSA ccache is the default.
  ticket: 2049
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15939 dc483132-0cff-0310-8789-dd5450dbe970
* make depend | Ken Raeburn | 2003-12-15 | 1 | -27/+29
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15928 dc483132-0cff-0310-8789-dd5450dbe970
* * cc_msla.c: Enable purging of the MS Kerberos LSA cache when the TGT | Jeffrey Altman | 2003-12-15 | 2 | -6/+11
  has expired. This will force the LSA to get a new TGT instead of returning the expired version.
  ticket: 2049
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15924 dc483132-0cff-0310-8789-dd5450dbe970
* * when initiating an enumeration of the ccache contents perform | Jeffrey Altman | 2003-12-15 | 2 | -0/+13
  a fetch of the TGT. This will trigger an update request by the MS LSA on Windows 2000 and XP which is perfectly willing to allow TGTs to expire.
  ticket: 2049
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15922 dc483132-0cff-0310-8789-dd5450dbe970
* * Makefile.in: Remove extraneous spaces .. | Jeffrey Altman | 2003-12-13 | 1 | -0/+5
  ticket: 2049
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15919 dc483132-0cff-0310-8789-dd5450dbe970
* * Makefile.in: remove extraneous spaces from ##WIN32## commented | Jeffrey Altman | 2003-12-13 | 1 | -2/+2
  defines for MSLSA_OBJ and MSLSA_SRC
  ticket: 2049
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15918 dc483132-0cff-0310-8789-dd5450dbe970
* * Makefile.in: Move ##WIN32## constructs from inside | Tom Yu | 2003-12-13 | 2 | -9/+12
  backslash-continued lists, as it was breaking them. Move explicit dependency information from under automatic dependencies.
  ticket: 2049
  component: krb5-libs
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15894 dc483132-0cff-0310-8789-dd5450dbe970
* * Added new krb5_ccache type "MSLSA" for Windows only. | Jeffrey Altman | 2003-12-12 | 4 | -1/+1302
  This new ccache type provides an interface for the MIT krb5_cc api functions to be used to access the contents of the MS Kerberos LSA cache. The ccache type is read-only because the MS Kerberos LSA does not allow third party applications to insert credentials into the cache.
  The primary motivation of this work was to encapsulate the complex operations necessary to manipulate the MS Kerberos LSA. The code was far from trivial and was often implemented incorrectly. Worse still was the fact that each version of Windows since W2K modified the use of the LSA API. The code which was originally donated in the form of ms2mit.c had many memory and handle leaks which were acceptable for a one time application such as ms2mit.c. Unfortunately, this code has started to appear in many other applications: KfW's Leash, the AFS Wake systray tool, and others.
  By using the new MSLSA ccache the implementation of ms2mit.c went from 890 lines to 50 lines of code and comments. All that is necessary is for the MSLSA ccache to be resolved and for its contents to be copied with krb5_cc_copy_creds to the default ccache.
  The MSLSA ccache implements all of the functions of a ccache except those which would be used to store data into the ccache. When a write attempt is performed the new error KRB5_CC_READONLY is returned.
  The residual portion of the MSLSA ccache name is currently ignored but preserved. If you ask for ccache "MSLSA:myname" you will be given access to the LSA cache for the current Logon Session. If you later ask for the name of the ccache you will be returned the same name. In the future, the residual might be used to provide information necessary to identify a specific logon session whose cache it is desired to access. If this is ever done, the applications which use it will have to possess the SeTcbPrivilege privilege.
  Using KfW's Leash it is now possible to set the Krb5 credential cache to "MSLSA:" and use it to monitor the contents of the MS Kerberos LSA cache.
  As part of adding this functionality, krb5_32.dll is not linked against the "secur32.lib" library as the Lsa security sdk routines are stored in the SECUR32.DLL file.
  ticket: 2049
  target_version: 1.3.2
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15886 dc483132-0cff-0310-8789-dd5450dbe970
* 2003-11-26 Jeffrey Altman <jaltman@mit.edu> | Jeffrey Altman | 2003-12-08 | 2 | -0/+33
  * cc_default.c: Add support for Leash Kinit Dialog on Windows to krb5int_c_default()
  ticket: 2028
  target_version: 1.3.2
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15870 dc483132-0cff-0310-8789-dd5450dbe970
* * cc_file.c (krb5_fcc_store_int32, krb5_fcc_store_ui_4, krb5_fcc_store_ui_2) | Ken Raeburn | 2003-08-26 | 2 | -51/+6
  (krb5_fcc_store_octet): Remove gratuitous conditionalizing of casts on USE_STDIO, left over from merge.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15797 dc483132-0cff-0310-8789-dd5450dbe970
* Always register the file ccache in the set of registered ops. The | Sam Hartman | 2003-07-22 | 2 | -2/+14
  resolve code may also find it as the default ops on some platforms, but this will not cause problems.
  ticket: 1684
  owner: lxs
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15716 dc483132-0cff-0310-8789-dd5450dbe970
* delete ##WIN16## lines from makefiles | Ken Raeburn | 2003-07-17 | 4 | -3/+9
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15691 dc483132-0cff-0310-8789-dd5450dbe970
* make-depend updates | Ken Raeburn | 2003-05-24 | 1 | -27/+27
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15490 dc483132-0cff-0310-8789-dd5450dbe970
* * stdcc.h, stdcc_util.h: Removed Mac header goober | Alexandra Ellwood | 2003-03-06 | 3 | -4/+8
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15257 dc483132-0cff-0310-8789-dd5450dbe970
* * ccdefault.c: Remove Mac header goober and include k5-int.h after | Alexandra Ellwood | 2003-03-06 | 2 | -2/+8
  KerberosLoginPrivate.h
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15256 dc483132-0cff-0310-8789-dd5450dbe970
* Use markers in Makefile.in rather than rules in configure.in to indicate when | Ken Raeburn | 2003-01-10 | 2 | -0/+7
  to use the lib.in and libobj.in makefile fragments. Pushing this per-directory info into Makefile.in will make it a little easier to work on combining configure scripts for multiple directories.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15107 dc483132-0cff-0310-8789-dd5450dbe970
* More const for ops tables | Ken Raeburn | 2003-01-08 | 5 | -6/+11
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15096 dc483132-0cff-0310-8789-dd5450dbe970
* More const for ops tables | Ken Raeburn | 2003-01-08 | 5 | -6/+10
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15094 dc483132-0cff-0310-8789-dd5450dbe970
* Make ccache and rcache ops tables const | Ken Raeburn | 2003-01-08 | 2 | -2/+6
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15092 dc483132-0cff-0310-8789-dd5450dbe970
* protoize | Ken Raeburn | 2002-09-03 | 9 | -302/+88
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14820 dc483132-0cff-0310-8789-dd5450dbe970
* * Makefile.in: Revert $(S)=>/ change, for Windows support | Ken Raeburn | 2002-08-29 | 4 | -3/+11
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14786 dc483132-0cff-0310-8789-dd5450dbe970
* Ignore a bunch of files generated by building in the source tree, excluding | Ken Raeburn | 2002-08-29 | 1 | -0/+1
  those covered by CVSROOT/cvsignore patterns. Static UNIX build only, at the moment, may need updates for other configurations.
  (Second try; this time, deal with the cases where "cvs add"/"cvs ci" choked on previously deleted versions numbered 5.x.)
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14785 dc483132-0cff-0310-8789-dd5450dbe970
* Change $(S)=>/ and $(U)=>.. globally | Ken Raeburn | 2002-08-23 | 4 | -3/+11
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14761 dc483132-0cff-0310-8789-dd5450dbe970
* * cc_file.c (ALLOC): Use calloc, not malloc. | Ken Raeburn | 2002-08-15 | 2 | -2/+15
  (krb5_fcc_read_principal): Check bounds on number of components before calling ALLOC.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14724 dc483132-0cff-0310-8789-dd5450dbe970
* * t_cc.c: Remove references to STDIO ccache | Tom Yu | 2002-08-15 | 2 | -7/+4
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14723 dc483132-0cff-0310-8789-dd5450dbe970
* missed an entry | Ken Raeburn | 2002-08-15 | 1 | -0/+3
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14718 dc483132-0cff-0310-8789-dd5450dbe970
* (NO_FILE): New macro. All functions changed to test or assign it rather than | Ken Raeburn | 2002-08-15 | 2 | -96/+89
  -1 or (FILE*)NULL.
  (krb5_fcc_read_keyblock, krb5_fcc_read_data): Rewrite bounds check.
  (BINARY_MODE): Always define.
  (setvbuf) [!HAVE_SETVBUF]: Define as macro using setbuf.
  (krb5_fcc_open_file): Change file descriptor variable to "f" and combine newly matching stdio and file sections. Use setvbuf instead of checking whether to use setbuf. Fix bug in merge.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14717 dc483132-0cff-0310-8789-dd5450dbe970
* Combine file and stdio ccache implementations into one source file; selection | Ken Raeburn | 2002-08-15 | 5 | -2165/+650
  is now at compile time, rather than FILE: vs STDIO: prefix.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14715 dc483132-0cff-0310-8789-dd5450dbe970
* * cc_stdio.c (krb5_fcc_next_cred): Use a krb5_error_code to hold the return | Ken Raeburn | 2002-08-14 | 2 | -17/+26
  value from krb5_fcc_interpret.
  (krb5_fcc_get_principal): Initialize return-value variable.
  (krb5_fcc_initialize): Likewise.
  (krb5_fcc_interpret): Change retval to a krb5_error_code. Reorder cases for consistency with cc_file.c.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14714 dc483132-0cff-0310-8789-dd5450dbe970
* tweak comments | Ken Raeburn | 2002-08-14 | 1 | -2/+1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14713 dc483132-0cff-0310-8789-dd5450dbe970
* Miscellaneous additional shuffling (variable renaming or reordering, whitespace | Ken Raeburn | 2002-08-10 | 3 | -152/+80
  changes, deleting unused code, adding or removing braces) to make cc_file.c and cc_stdio.c more similar.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14700 dc483132-0cff-0310-8789-dd5450dbe970
* (krb5_fcc_data): Rename "fd" to "file"; change all uses | Ken Raeburn | 2002-08-10 | 1 | -44/+44
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14699 dc483132-0cff-0310-8789-dd5450dbe970
* Change non-external "scc" uses to "fcc". | Ken Raeburn | 2002-08-10 | 1 | -176/+156
  (krb5_fcc_data): Rename from krb5_scc_data; reorder some fields.
  (krb5_fcc_close_file): Never call fflush on a read-only file.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14698 dc483132-0cff-0310-8789-dd5450dbe970
* whitespace | Ken Raeburn | 2002-08-09 | 1 | -167/+87
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14697 dc483132-0cff-0310-8789-dd5450dbe970
* "krb5 v5" is redundant (in comment) | Ken Raeburn | 2002-08-09 | 1 | -4/+4
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14696 dc483132-0cff-0310-8789-dd5450dbe970
* whitespace | Ken Raeburn | 2002-08-09 | 1 | -89/+81
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14695 dc483132-0cff-0310-8789-dd5450dbe970
* rename krb5_scc_<fn> and krb5_scc_cursor to use krb5_fcc_ instead | Ken Raeburn | 2002-08-09 | 2 | -260/+261
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14694 dc483132-0cff-0310-8789-dd5450dbe970
* hide method functions we don't need to call directly | Ken Raeburn | 2002-08-09 | 3 | -175/+180
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14693 dc483132-0cff-0310-8789-dd5450dbe970
* update dependencies | Ken Raeburn | 2002-07-13 | 1 | -10/+20
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14637 dc483132-0cff-0310-8789-dd5450dbe970
* Put # for cpp directives in first column | Ken Raeburn | 2002-07-09 | 2 | -1/+5
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14624 dc483132-0cff-0310-8789-dd5450dbe970
* * winccld.c: Include k5-int.h to get hidden ops struct. | Tom Yu | 2002-06-20 | 6 | -8/+36
  [pullup from 1-2-2-branch]
  2002-06-20 Alexandra Ellwood <lxs@mit.edu>
  * stdcc.h: Added prototype for krb5_stdcc_shutdown.
  * stdcc.h, stdcc_util.h, stdcc_util.c: Updated Mac OS X headers to new framework layout
  * stdcc.c: Removed unused variables and fixed macros to reduce warnings
  [pullups from 1-2-2-branch]
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14550 dc483132-0cff-0310-8789-dd5450dbe970
* * Makefile.in: Build cc accessor functions on Windows | Tom Yu | 2002-06-20 | 4 | -5/+28
  * ccdefault.c: updated to new KLL function name
  * ccdefault.c: swapped include of KerberosLoginPrivate with k5-int.h to avoid problems with including CoreServices.h after profile.h and krb.h
  * ccdefault.c: Updated Mac OS X headers to new framework layout
  * ccdefops.c: created #define for USE_CCAPI now that both Mac OS 9 and Mac OS 10 use ccapi.
  [pullups from 1-2-2-branch]
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14549 dc483132-0cff-0310-8789-dd5450dbe970