| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
Release the cc_config_in and cc_config_out fields of a
krb5_init_creds_context when freeing the context.
ticket: 7428 (new)
target_version: 1.11
tags: pullup
|
| |
|
|
|
|
|
|
|
|
| |
Add an internal json function to make it easier to detect if an object
is empty, and use it to avoid creating a ccache config entry for
preauth module config data if there isn't any to save.
ticket: 7427 (new)
target_version: 1.11
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
Move where we record the selected preauth type so that we never record
an informational preauth type, only a real one.
ticket: 7422 (new)
target_version: 1.11
tags: pullup
|
| |
|
|
|
|
|
|
|
|
| |
For the responder callback signature, put the closure argument just
after the context, and use KRB5_CALLCONV. These changes make the
signature consistent with most other libkrb5 callbacks.
ticket: 7419 (new)
target_version: 1.11
tags: pullup
|
| |
|
|
|
|
|
|
|
|
| |
Some recently added test programs under lib/krb5 didn't have their
source files added to the appropriate Makefile.in variables, and
weren't getting dependencies as a result.
ticket: 7418 (new)
target_version: 1.11
tags: pullup
|
| |
|
|
|
|
| |
ticket: 7417 (new)
target_version: 1.11
tags: pullup
|
| |
|
|
|
|
|
|
|
|
| |
* Save the vendor name of the token we used to create the challenge.
* If we saved the name of a token vendor previously, prune out any
tokeninfos which contain different vendor names.
ticket: 7416 (new)
target_version: 1.11
tags: pullup
|
| |
|
|
|
|
|
|
|
|
| |
Commit bc096a77ffdab283d77c2e0fc1fdd15b9f77eb41 altered the internal
contracts relating to salts, but neglected to adjust the sam2 preauth
code to match. Do that now.
ticket: 7415 (new)
target_version: 1.11
tags: pullup
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
* Read a "pa_config_data" item from an in_ccache, if provided, and add a
callback which client preauth plugins can use to retrieve a string
value from it that's keyed by a string.
* Add a callback which client preauth plugins can use to provide string
key/value pairs to be stored in the ccache.
* Moves the definition of (struct krb5_clpreauth_rock_st) from k5-int.h
to init_creds_ctx.h to try to reduce the number of files that will
need to include k5-json.h to understand k5_json_value.
|
| |
|
|
|
|
|
|
|
| |
* Add a krb5int_build_conf_principals() function to allow our get/set
code to directly prune out duplicate config entries.
* Verify that when we specify a pa_type, it affects whether or not we
will use a particular preauth plugin.
* Verify that we correctly save the KDC's preauth type number, that we
tried to answer, to the out_ccache.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* When producing preauth data, keep track of the type of padata in the
KDC's list of acceptable types which prompted the module to produce
padata.
* After obtaining credentials, store that value as a "pa_type"
configuration item in the out_ccache.
* Read that allowed preauth type from an in_ccache, if possible.
* If we have an allowed preauth type, only call "real" modules that
handle that value when filling in responder items and producing a
client request.
ticket: 7414 (new)
|
| |
|
|
|
|
|
|
| |
Add a krb5_get_init_creds_opt_set_in_ccache() function. An input
ccache may hold configuration data which the client libraries can
use to influence their decisions.
ticket: 7413 (new)
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
This follows the design laid out on the project page:
http://k5wiki.kerberos.org/wiki/Projects/Password_response_item
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The Camellia enctypes and cksumtypes have received IANA assignments.
Add #defines using those assignments to krb5.h, remove the CAMELLIA
conditional, and enable testing code as appropriate.
The Camellia draft has not received an RFC number yet, so there is no
Doxygen markup for the enctype and cksumtype #defines. That can be
added once the RFC number is known.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add new APIs:
* krb5_get_init_creds_opt_set_responder
* krb5_responder_get_challenge
* krb5_responder_list_questions
* krb5_responder_set_answer
If a caller sets a responder, it will be invoked after preauth modules
have had a chance to review their incoming padata but before they produce
outgoing padata. The responder will be presented a set of questions with
optional challenges. The responder should then answer all questions it knows
how to handle. Both the answers and the challenges are printable UTF-8 and
may contain encoded, structured data specific to the question asked.
Add two new callbacks and one optional method to the clpreauth
interface. The new method (prep_questions) allows modules to ask questions
by setting them in the responder context using one of the new callbacks
(ask_responder_question). The other new callback (get_responder_answer) is
used by the process method to read the answers to the questions asked.
ticket: 7355 (new)
|
| |
|
|
|
|
| |
unistd.h is not available on Windows and isn't needed for this file,
so don't include it. Two arguments to asprintf in choose_token() were
reversed.
|
| | |
|
| |
|
|
|
| |
Fix minor typos in lib/krb5/krb/Makefile.in and
tests/gssapi/Makefile.in so that "make depend" will work.
|
| |
|
|
|
|
|
| |
Implements the client side of RFC 6560. Not all features are
implemented, but it should work for the most common cases.
ticket: 7242 (new)
|
| |
|
|
|
|
|
| |
Add encoders and decoders for the OTP-TOKENINFO, PA-OTP-CHALLENGE,
PA-OTP-REQUEST, and PA-OTP-ENC-REQUEST types from RFC 6560. For more
thorough testing, add support for generating test encodings using
asn1c for sample objects (currently only for the OTP types).
|
| |
|
|
|
|
|
| |
After 74beb75bb07e3921d10c8eec05eacb1f393e5e44, allocate_princ()
allocates a one-byte realm field even if the principal doesn't have
one, so if we're replacing it with the default realm, we need to free
that.
|
| |
|
|
|
|
|
| |
The library isn't attempting a replay attack on itself, so any detected
replays are only going to be false-positives.
ticket: 7229 (new)
|
| |
|
|
|
|
| |
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7203 (new)
tags: pullup
|
| |
|
|
|
| |
The most recent change could leak memory when trying to parse an
invalid principal because of a failure to use the cleanup handler.
|
| |
|
|
|
|
| |
Commit f609e5caff410cc8f71db7d95b4da219541437db accidentally omitted
the check for extra realm separators, leading to an assertion error
when parsing x@y@z or similar. Restore the check.
|
| |
|
|
|
| |
This (hair-raising) macro is not referenced anywhere in the tree,
so remove it and the associated comment.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Revert 18b02f3e839c007fff54fc9b693f479b7563ec73 in the KDC. Instead,
when making an initial request with a keytab, transmit the whole
default_tkt_enctypes list, but sorted with the enctypes we have in the
keytab first. That way the KDC should prefer enctypes which we have
keys for (for both reply key and session key), but the other enctypes
are still available for use as ticket session keys.
ticket: 7190
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Rename krb5int_count_etypes and krb5int_copy_etypes to have k5_
prefixes, and make them available outside of libkrb5 (but not part of
the public API). Add k5_etypes_contains to search an etype list, and
use it in krb5_is_permitted_enctype.
|
| |
|
|
|
| |
It's an internal function (not in krb5.h or the libkrb5 export list)
and nothing uses it.
|
| |
|
|
|
|
|
|
| |
#7125 took out the copy of the krb5_verify_init_creds server argument
but left in the corresponding free, so it was freeing a caller-owned
principal. Reported by Russ Allbery.
ticket: 7162
|
| |
|
|
|
|
|
|
|
|
|
| |
In r21879, when we converted to using KRB5_CONF macros for profile
variable names, we made a typo in krb5_get_tgs_ktypes and erroneously
started using default_tkt_enctypes instead of default_tgs_enctypes for
TGS requests. Fix the typo and return to the documented behavior.
ticket: 7155
target_version: 1.10.3
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In 1.10, encrypted timestamp became a built-in module instead of a
hardcoded padata handler. This changed the behavior of
krb5_get_init_creds as invoked by s4u_identify_user such that
KRB5_PREAUTH_FAILED is returned instead of the gak function's error.
(Module failures are not treated as hard errors, while hardcoded
padata handler errors are.) Accordingly, we should look for
KRB5_PREAUTH_FAILED in s4u_identify_user.
On a less harmful note, the gak function was returning a protocol
error code instead of a com_err code, and the caller was testing for a
different protocol error code (KDC_ERR_PREAUTH_REQUIRED) which could
never be returned by krb5_get_init_creds. Clean up both of those by
returning KRB5_PREAUTH_FAILED from the gak function and testing for
that alone.
Reported by Michael Morony.
ticket: 7136
target_version: 1.10.2
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
The referrals debugging code under DEBUG_REFERRALS ceased building
correctly at some point. Convert this debugging code to use the
tracing framework instead, including adding new trace macros to
k5-trace.h.
ticket: 7151
|
