path: root/src/lib/krb5/krb/gc_via_tkt.c
Commit message | Author | Age | Files | Lines
* Simplify principal access within libkrb5 | Greg Hudson | 2013-04-08 | 1 | -5/+4
  For conciseness, directly use fields of krb5_principal objects instead of using the accessor macros.
* Simplify TGS request construction | Greg Hudson | 2013-02-08 | 1 | -75/+6
  Move krb5int_make_tgs_request from gc_via_tkt.c into send_tgs.c, combine it with krb5int_make_tgs_request_ext (which nothing else called), and rename the combined function to k5_make_tgs_req. Also use a typedef for the pacb callback.
* Convert DEBUG_REFERRALS to TRACE_* framework | W. Trevor King | 2012-05-23 | 1 | -15/+6
  The referrals debugging code under DEBUG_REFERRALS ceased building correctly at some point. Convert this debugging code to use the tracing framework instead, including adding new trace macros to k5-trace.h.
  ticket: 7151
* Whitespace, style changes to past two commits | Greg Hudson | 2011-11-23 | 1 | -5/+3
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25489 dc483132-0cff-0310-8789-dd5450dbe970
* FAST TGS | Sam Hartman | 2011-11-23 | 1 | -5/+24
  Implement RFC 6113 FAST TGS support. Includes library support for a variant of explicit TGS armor that has not yet been proposed within the IETF.
  ticket: 7026
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25488 dc483132-0cff-0310-8789-dd5450dbe970
* Mark up strings for translation | Greg Hudson | 2011-06-10 | 1 | -3/+3
  ticket: 6918
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust most C source files to match the new standards for copyright | Greg Hudson | 2011-03-09 | 1 | -4/+4
  and license comments.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24695 dc483132-0cff-0310-8789-dd5450dbe970
* Trace logging | Greg Hudson | 2010-06-07 | 1 | -0/+3
  Add trace logging infrastructure code, enabled by the KRB5_TRACE environment variable or the API functions krb5_set_trace_callback() or krb5_set_trace_filename(). As a start, add tracing events for:
  * AS-REQ client code, including FAST and preauth
  * TGS-REQ client code
  * AP-REQ and AP-REP code (client and server)
  * sendto_kdc
  * Selected ccache operations
  * Selected keytab operations
  ticket: 6737
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24118 dc483132-0cff-0310-8789-dd5450dbe970
* Remove krb5_ prefix from some static func names | Zhanna Tsitkov | 2009-12-22 | 1 | -23/+24
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23483 dc483132-0cff-0310-8789-dd5450dbe970
* libkrb5 support for non-blocking AS requests | Greg Hudson | 2009-11-26 | 1 | -120/+180
  Merge Luke's iakerb-libkrb5-as-only branch into trunk with several bug fixes. Adds support for the krb5_init_creds APIs (same as Heimdal's) which allow AS requests to be performed via a different transport than the blocking send_to_kdc.
  ticket: 6586
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23358 dc483132-0cff-0310-8789-dd5450dbe970
* Fix indentation in gc_via_tkt.c which was messed up by a malformed #if | Greg Hudson | 2009-10-31 | 1 | -221/+221
  0 block.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23101 dc483132-0cff-0310-8789-dd5450dbe970
* make mark-cstyle | Tom Yu | 2009-10-31 | 1 | -279/+280
  make reindent
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
* Implement s4u extensions | Greg Hudson | 2009-09-13 | 1 | -12/+58
  Merge Luke's users/lhoward/s4u branch to trunk. Implements S4U2Self and S4U2Proxy extensions.
  ticket: 6563
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22736 dc483132-0cff-0310-8789-dd5450dbe970
* Try decrypting using session key if subkey fails in tgs rep handling | Sam Hartman | 2009-05-07 | 1 | -3/+11
  Heimdal at least up through 1.2 incorrectly encrypts the TGS response in the session key not the subkey when a subkey is supplied. See RFC 4120 page 35. Work around this by trying decryption using the session key after the subkey fails.
  * decode_kdc_rep.c: rename to krb5int_decode_tgs_rep; only used for TGS and now needs to take keyusage
  * gc_via_tkt: pass in session key and appropriate usage if subkey fails.
  Note that the dead code to process AS responses in decode_kdc_rep is not removed by this commit. That will be removed as FAST TGS client support is integrated post 1.7.
  ticket: 6484
  Tags: pullup
  Target_Version: 1.7
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22325 dc483132-0cff-0310-8789-dd5450dbe970
* In krb5_get_cred_via_tkt, strip the ok-as-delegate flag from | Greg Hudson | 2009-04-23 | 1 | -0/+18
  credentials obtained using a foreign TGT, unless the TGT also has ok-as-delegate set.
  ticket: 6473
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22272 dc483132-0cff-0310-8789-dd5450dbe970
* Implement TGS authenticator subkey usage | Sam Hartman | 2009-02-13 | 1 | -3/+7
  Implement support for use of a subkey in the TGS req. This is needed by FAST TGS support. The interface to krb5_send_tgs changed in order to gain a subkey output parameter. Since this is a private interface it was renamed to krb5int_send_tgs and removed from the export list.
  * send_tgs.c: generate a subkey and return to caller
  * decode_kdc_rep.c: Use subkey keyusage
  * gc_via_tkt.c: pass in subkey to decode_kdc_rep
  * send_tgs.c: use subkey for encrypting authorization data
  ticket: 6393
  tags: enhancement
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21993 dc483132-0cff-0310-8789-dd5450dbe970
* In krb5_kdcrep2creds, call the correct free function when cleaning up | Greg Hudson | 2009-01-30 | 1 | -2/+2
  the keyblock, and clean up the keyblock if krb5_copy_data fails.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21840 dc483132-0cff-0310-8789-dd5450dbe970
* Start to phase out krb5_xfree macro, which just casts its argument to | Ken Raeburn | 2009-01-28 | 1 | -1/+1
  char* and calls free. Replace most uses, outside of the LDAP KDB plugin, which doesn't build on my test system of the moment because of version dependencies. Add one explicit cast to make the change warning-neutral (under gcc 4.0.1 on Mac OS X 10.5.6).
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21812 dc483132-0cff-0310-8789-dd5450dbe970
* Merge mskrb-integ onto trunk | Sam Hartman | 2009-01-03 | 1 | -6/+0
  The mskrb-integ branch includes support for the following projects:
  Projects/Aliases
  * Projects/PAC and principal APIs
  * Projects/AEAD encryption API
  * Projects/GSSAPI DCE
  * Projects/RFC 3244
  In addition, it includes support for enctype negotiation, and a variety of GSS-API extensions. In the KDC it includes support for protocol transition, constrained delegation and a new authorization data interface. The old authorization data interface is also supported.
  This commit merges the mskrb-integ branch on to the trunk. Additional review and testing is required.
  Merge commit 'mskrb-integ' into trunk
  ticket: new
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21690 dc483132-0cff-0310-8789-dd5450dbe970
* malloc+memset(,0,) -> calloc | Ken Raeburn | 2008-08-07 | 1 | -3/+1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20630 dc483132-0cff-0310-8789-dd5450dbe970
* krb5_get_cred_via_tkt() should null out_cred on errors | Tom Yu | 2008-07-15 | 1 | -0/+1
  Helper function krb5_kdcrep2creds(), called from krb5_get_cred_via_tkt(), should null its output pointer after freeing allocated memory, to avoid returning an invalid pointer.
  ticket: new
  tags: pullup
  target_version: 1.6.4
  component: krb5-libs
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20527 dc483132-0cff-0310-8789-dd5450dbe970
* fix possible buffer overrun in handling generic-error return | Ken Raeburn | 2008-04-18 | 1 | -2/+3
  Jeff Altman reported this, based on a crash seen in KfW in the wild. The krb5_data handle used to describe the message field returned by the KDC is not null-terminated, but we use a "%s" format to incorporate it into an error message string. In the right circumstances, garbage bytes can be pulled into the string, or a memory fault may result. However, as this is in the error-reporting part of the client-side code for fetching new credentials, it's a relatively minor DoS attack only, not a serious security exposure. Should be fixed in the next releases, though.
  ticket: new
  target_version: 1.6.5
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20304 dc483132-0cff-0310-8789-dd5450dbe970
* If error is KDC_ERR_S_PRINCIPAL_UNKNOWN, report the server name | Ken Raeburn | 2007-07-04 | 1 | -0/+14
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19666 dc483132-0cff-0310-8789-dd5450dbe970
* Define and use some inline helper functions for comparing data and authdata structures, instead of open-coding checks of multiple fields everywhere. | Ken Raeburn | 2007-05-10 | 1 | -10/+5
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19544 dc483132-0cff-0310-8789-dd5450dbe970
* * src/lib/krb5/krb/gc_via_tkt.c (check_reply_server): New function | Tom Yu | 2006-11-30 | 1 | -20/+62
  to check server principal in reply. Ensures that the reply is self-consistent, allows rewrites if canonicalization is requested, and allows limited rewrites of TGS principals if canonicalization is not requested.
  (krb5_get_cred_via_tkt): Move server principal checks into check_reply_server().
  ticket: 3322
  target_version: 1.6
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18879 dc483132-0cff-0310-8789-dd5450dbe970
* Remove all unused variable warnings from tree | Ezra Peisach | 2006-10-15 | 1 | -0/+2
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18712 dc483132-0cff-0310-8789-dd5450dbe970
* Set the canonicalize flag in TGS requests and accept cross-realm referral tickets. | Sam Hartman | 2006-09-21 | 1 | -8/+37
  We do not yet accept tickets in which the server name changes.
  * krb5_sname_to_principal: If there is no domain realm mapping return null realm
  * krb5_get_cred_via_tkt: New behavior as described below
  1) the referrals case:
    - check for TGT for initial realm
    - if a remote realm was specified (which must have happened via a domain_realm mapping), obtain a TGT for it the standard way and start with that.
    - use client realm for server if not specified
    - iterate through this loop:
      - request ticket with referrals turned on
      - if that fails:
        - if this was the first request, punt to non-referrals case
        - otherwise, retry once without referrals turned on then terminate either way
      - if it works, either use the service ticket or follow the referral path
      - if loop count exceeded, hardfail
  2) the nonreferrals case
    - this is mostly the old walk_realm_tree TGT-finding (which allows limited shortcut referrals per 4120) followed by a standard tgs-req.
    - originally requested principal is used for this, although if we were handed something without a realm, determine a fallback realm based on DNS TXT records or a truncation of the domain name.
  ticket: 2652
  Owner: amb
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18598 dc483132-0cff-0310-8789-dd5450dbe970
* Initial enhanced error message support, similar to what I sent to | Ken Raeburn | 2006-03-26 | 1 | -0/+27
  krbdev except for some function renaming (krb5_free_error was already in use, so added _message to everything), and the context is allowed to be NULL (in which case we fall back to error_message() and storing no strings) to simplify some code.
  Low-level routines in the support library, using a private data structure; higher-level routines in libkrb5, using a krb5_context.
  Added error info strings to the KRB_ERR_GENERIC case in gc_via_tkt.c and the python sample service location plugin.
  Added code to kinit and kvno to look up and display the strings.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17776 dc483132-0cff-0310-8789-dd5450dbe970
* protoize | Ken Raeburn | 2002-09-03 | 1 | -13/+4
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14812 dc483132-0cff-0310-8789-dd5450dbe970
* * walk_rtree.c (krb5_walk_realm_tree): Do not try to free const char * | Ezra Peisach | 2001-08-08 | 1 | -1/+1
  * mk_safe.c (krb5_mk_safe_basic): Do not declare local_addr and remote_addr const and then cast the attribute away.
  * mk_req_ext.c (krb5_generate_authenticator): Static function - remove const attribute from cksum pointer.
  * gc_via_tkt.c (krb5_get_cred_via_tkt): Cast unsigned integer krb5_error error_value to signed before adding ERROR_TABLE_BASE_krb5.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13677 dc483132-0cff-0310-8789-dd5450dbe970
* copyright notice updates from 1.1 branch | Ken Raeburn | 1999-09-24 | 1 | -1/+4
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11853 dc483132-0cff-0310-8789-dd5450dbe970
* Windows/NT integration (V1_0_WIN32_BRANCH merge) | Richard Basch | 1997-02-06 | 1 | -1/+1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@9788 dc483132-0cff-0310-8789-dd5450dbe970
* Fix memory leak; free enctypes after use | Theodore Tso | 1996-02-28 | 1 | -7/+10
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7566 dc483132-0cff-0310-8789-dd5450dbe970
* get_creds.c: Only match on enctype if in_creds.keyblock | Sam Hartman | 1996-01-25 | 1 | -1/+10
  has non-null enctype. (I.E. implement as documented)
  gc_via_tkt.c: If the in_creds.keyblock.enctype !=0 then don't call send_tgs with a null ktypes parameter; instead, explicitly allow only increds.keyblock.enctype.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7385 dc483132-0cff-0310-8789-dd5450dbe970
* * gc_via_tkt.c (krb5_kdcrep2creds): Set is_skey so get_creds won't | Tom Yu | 1996-01-22 | 1 | -1/+1
  break trying to match is_skey in the ccache. This way we won't end up with many copies of user-to-user tickets.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7348 dc483132-0cff-0310-8789-dd5450dbe970
* * krbconfig.c: Removed the krb5_clockskew variable | Theodore Tso | 1995-11-08 | 1 | -2/+1
  * srv_rcache.c (krb5_get_server_rcache):
  * rd_safe.c (krb5_rd_safe):
  * rd_req_dec.c (krb5_rd_req_decoded):
  * rd_priv.c (krb5_rd_priv):
  * rd_cred.c (krb5_rd_cred):
  * gc_via_tkt.c (krb5_get_cred_via_tkt):
  * get_in_tkt.c (verify_as_reply): Replace use of krb5_clockskew with context->clockskew.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7063 dc483132-0cff-0310-8789-dd5450dbe970
* Only check the returned starttime to make sure it matches the | Theodore Tso | 1995-09-29 | 1 | -1/+2
  requested starttime if we requested a postdated ticket.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6885 dc483132-0cff-0310-8789-dd5450dbe970
* Misc Mac cleanups | Keith Vetter | 1995-09-29 | 1 | -21/+35
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6881 dc483132-0cff-0310-8789-dd5450dbe970
* sendauth.c (krb5_sendauth): Make sure the scratch credentials | Theodore Tso | 1995-09-16 | 1 | -0/+1
  structure may have possible been used be freed.
  rd_safe.c (krb5_rd_safe_basic): Fall through to the cleanup code at the end, to make sure the decoded message in message is freed.
  rd_req_dec.c (krb5_rd_req_decoded): Use krb5_copy_keyblock to copy authent->subkey to auth_context->remote_subkey. Keeping them separate avoids aliasing problems.
  mk_req_ext.c (krb5_generate_authenticator): Fix memory leak. Don't bash authent->subkey with key after carefully copying it using krb5_copy_keyblock!
  recvauth.c (krb5_recvauth): krb5_get_server_rcache() already opens the rcache; doing it again merely causes a memory leak.
  gen_subkey.c (krb5_generate_subkey): Eliminate memory leak. krb5_init_random_key() does its own allocation of the keyblock.
  gc_via_tkt.c (krb5_kdcrep2creds): Fix memory leak.
  srv_rcache.c (krb5_get_server_rcache): Fix memory leak.
  rd_safe.c (krb5_rd_safe_basic): Fix memory leak.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6797 dc483132-0cff-0310-8789-dd5450dbe970
* Reintegrate Macintosh changes | Ezra Peisach | 1995-09-12 | 1 | -41/+27
  t_ser.c: Work around an optimizer bug in gcc under OSF/1 2.1.
  The timeofday calls were left in the stage as described in the ChangeLog
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6766 dc483132-0cff-0310-8789-dd5450dbe970
* Mac Beta 1 submission | Keith Vetter | 1995-09-11 | 1 | -27/+41
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6749 dc483132-0cff-0310-8789-dd5450dbe970
* * decode_kdc.c, decrypt_tk.c, encode_kdc.c, encrypt_tk.c, gc_frm_kdc.c | Chris Provenzano | 1995-09-06 | 1 | -3/+1
  * gc_via_tkt.c, get_in_tkt.c, in_tkt_ktb.c, in_tkt_pwd.c, in_tkt_sky.c
  * init_ctx.c, kdc_rep_dc.c, mk_cred.c, mk_priv.c, mk_rep.c
  * mk_req_ext.c, rd_cred.c, rd_priv.c, rd_rep.c, rd_req_dec.c,
  * send_tgs.c, ser_ctx.c, ser_eblk.c, ser_key.c, t_ser.c: Remove krb5_enctype references, and replace with krb5_keytype where appropriate
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6687 dc483132-0cff-0310-8789-dd5450dbe970
* get_in_tkt.c (krb5_get_in_tkt): If kdc_settime is enabled, then set | Theodore Tso | 1995-09-02 | 1 | -38/+26
  the time_offset fields from the returned ticket's authtime value.
  init_ctx.c (krb5_init_context): Initialize new fields in krb5_context (clockskew, kdc_req_sumtype, and kdc_default_options).
  gc_via_tkt.c (krb5_get_cred_via_tkt): Perform the necessary sanity checking on the KDC response to make sure we detect tampering.
  send_tgs.c (krb5_send_tgs): Set the expected nonce in the response structure.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6653 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up gcc -Wall flames | Theodore Tso | 1995-06-08 | 1 | -21/+22
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5981 dc483132-0cff-0310-8789-dd5450dbe970
* Fix syntax error in freeing of keyblock | Ezra Peisach | 1995-05-25 | 1 | -1/+1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5871 dc483132-0cff-0310-8789-dd5450dbe970
* On an error, free the keyblock | Theodore Tso | 1995-05-24 | 1 | -1/+1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5868 dc483132-0cff-0310-8789-dd5450dbe970
* * send_tgs.c (krb5_send_tgs()), gc_via_tkt.c (krb5_get_cred_via_tkt()): | Chris Provenzano | 1995-04-28 | 1 | -4/+0
  Removed krb5_cksumtype argument.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5595 dc483132-0cff-0310-8789-dd5450dbe970
* * gc_via_tgt.c, and gc_2tgt.c : Removed. | Chris Provenzano | 1995-04-27 | 1 | -26/+32
  * Makefile.in, gc_via_tkt.c, gc_frm_kdc.c, and, int-proto.h : Replaced get_cred_via_tgt() and get_cred_via_2tgt() with more general function get_cred_via_tkt().
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5532 dc483132-0cff-0310-8789-dd5450dbe970
* * Makefile.in : Added gc_via_tkt.c and removed get_fcreds.c | Chris Provenzano | 1995-04-26 | 1 | -0/+234
  * auth_con.c (krb5_auth_con_setaddrs()) : Fixed so it allocates space and copies addresses, not just pointer.
  * mk_cred.c: Completely rewritten from sources donated by asriniva.
  * rd_cred.c: Completely rewritten from sources donated by asriniva.
  * mk_priv.c (krb5_mk_priv()), mk_safe.c (krb5_mk_safe()), rd_priv.c (krb5_rd_priv()), and rd_safe (krb5_rd_safe()) : Try using a subkey before using the session key for encryption.
  * recvauth.c (krb5_recvauth()): Don't close the rcache on success.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5489 dc483132-0cff-0310-8789-dd5450dbe970