Bring send_tgs.c up to date with current coding practices. No
functional changes.
Use a proper cipher state in the auth context structure, and free it
when the auth context is freed. Simplify mk_priv/rd_priv accordingly.
ticket: 7565 (new)
In krb5_auth_con_initivector and mk_priv/rd_priv, stop assuming that
the enctype's block size is the size of the cipher state. Instead,
make and discard a cipher state to get the size.
ticket: 7561
target_version: 1.11.1
tags: pullup
Mostly this gets rid of the trailing space on line 2 after
bb76891f5386526bdf91bc790c614fc9296cb5fa.
KRB5_CONF_ prefix should be used for the krb5/kdc.conf parameters.
Use KRB5_CC_CONF_ prefix for cache configuration variables.
The final fallback for krb5_timestamp_to_sfstring() is an explicit
European date-order format string passed to sprintf(). This can be
confused with a conventional US date format. Because we attempt to
build a strftime() replacement anyway, and we try passing some
unambiguous ISO 8601 date and time formats to strftime(), remove this
final fallback.
ticket: 7518 (new)
krb5_timestamp_to_string() can produce ambiguous dates. The final
fallback, "%d/%m/%Y %R", contains a European order date format that
can be confused with a US date format. Add some additional strftime()
format strings, including locale-dependent formats and some ISO 8601
formats. Remove the hardcoded strftime() format that had an ambiguous
date order.
ticket: 7458
target_version: 1.11
tags: pullup
The clpreauth rock had become a collection of alias pointers into the
init_creds context structure. Get rid of it and just pass the context
(suitably cast) to clpreauth modules. Simplify the signatures of
k5_preauth(), k5_preauth_tryagain(), process_pa_data(), and
fill_response_items() by referencing fields from the init_creds
context.
Since we can't use the non-nullity of rock->selected_preauth_type to
determine whether to record the selected preauth type, k5_preauth now
reports it in an output parameter, and get_in_tkt.c decides whether or
not to record it.
If the for loop never consults any preauth modules and must_preauth is
false, we might never set ret, so we need to initialize it. The bug
was introduced in 5c23bce0e8d3328bb36bc85ee10cfac486b8ae9b and is
detected by some versions of gcc with -O2.
The initial k5test.py design, copied from the dejagnu suite, is to
create config files and environments for four expected roles: client,
server, master, and slave. This approach exaggerates the complexity
of the common case, where the configurations don't need to vary, and
limits us to having just one slave for kprop/iprop tests.
Instead, create just one configuration by default, and add a
special_env() method which sets up a differently configured
environment for the few test cases which need one. The run_as_*()
methods are collapsed into just run(), which accepts an optional
argument for the environment returned by special_env().
If we are responding to a KDC_ERR_PREAUTH_REQUIRED and cannot
preauthenticate, report the error from the first real preauth type we
tried.
k5_preauth() now accepts a boolean input indicating that it must
succeed on a real preauth type, instead of returning a boolean saying
whether or not it did.
ticket: 7517 (new)
The preauth functions are internal to libkrb5, so use the k5_ prefix,
don't use KRB5_CALLCONV, and prototype them in int-proto.h. Also
remove krb5_do_preauth from the Unix libkrb5 export list.
Reorder the k5_preauth() and k5_preauth_tryagain() arguments for more
consistency with the clpreauth interface, and put the output padata
arguments at the end.
Rename any remaining uses of "kcontext" to "context" in preauth2.c.
With one exception (KRB5_PADATA_PKINIT_KX), every padata type
processed by a clpreauth module is now a real preauthentication type.
Reduce the amount of boilerplate required for a clpreauth module by
making the flags method optional if all of the preauth types
advertised by the module are real.
In preauth2.c, use wrapper functions for calls to clpreauth functions.
Get rid of the expanded-out module table, instead using a helper
function to find the handle for a preauth type. Replace use counts
with a list of previously processed pa types. Check for pa type
conflicts when loading clpreauth modules.
Since there is no overlap between the clpreauth and kdcpreauth
interface declarations, there's no particular reason to combine them
into one header. For backward compatibility and convenience, leave
behind a preauth_plugin.h which includes both.
In krb5_get_init_creds_password and krb5_get_init_creds_keytab, save
the extended error before retrying against the master KDC, and restore
that state if returning the error from the original request.
Fix style issues in kerrs.c and errors.c. Rename error handling
functions to use shorter k5_ prefix. Eliminate an inoperable
krb5int_set_error() call in gic_opte_alloc and convert the other
call to use krb5_set_error_message().
If a question's challenge is NULL, it is unnecessarily difficult for a
responder callback to detect whether it was asked. So it's better to
use an empty challenge when there is no challenge data to communicate.
Do this for the "password" question.
ticket: 7499 (new)
target_version: 1.11
tags: pullup
Add entries to OBJS and SRCS as well as STLIBOBJS.
Use KRB5_CALLCONV at function definition as well as declaration.
Declare missing variable in _WIN32-conditional code.
ticket: 7479 (new)
tags: pullup
target_version: 1.11
Add camellia256-cts-cmac and camellia128-cts-cmac to the default
permitted_enctypes, default_tkt_enctypes, and default_tgs_enctypes
lists, to simplify deployment of Camellia. The new enctypes still
aren't on supported_enctypes, so won't be in the set of long-term keys
for principals without administrator intervention.
ticket: 7446 (new)
target_version: 1.11
tags: pullup
Release the cc_config_in and cc_config_out fields of a
krb5_init_creds_context when freeing the context.
ticket: 7428 (new)
target_version: 1.11
tags: pullup
Add an internal json function to make it easier to detect if an object
is empty, and use it to avoid creating a ccache config entry for
preauth module config data if there isn't any to save.
ticket: 7427 (new)
target_version: 1.11
tags: pullup
Move where we record the selected preauth type so that we never record
an informational preauth type, only a real one.
ticket: 7422 (new)
target_version: 1.11
tags: pullup
For the responder callback signature, put the closure argument just
after the context, and use KRB5_CALLCONV. These changes make the
signature consistent with most other libkrb5 callbacks.
ticket: 7419 (new)
target_version: 1.11
tags: pullup
Some recently added test programs under lib/krb5 didn't have their
source files added to the appropriate Makefile.in variables, and
weren't getting dependencies as a result.
ticket: 7418 (new)
target_version: 1.11
tags: pullup
ticket: 7417 (new)
target_version: 1.11
tags: pullup
* Save the vendor name of the token we used to create the challenge.
* If we saved the name of a token vendor previously, prune out any
tokeninfos which contain different vendor names.
ticket: 7416 (new)
target_version: 1.11
tags: pullup
Commit bc096a77ffdab283d77c2e0fc1fdd15b9f77eb41 altered the internal
contracts relating to salts, but neglected to adjust the sam2 preauth
code to match. Do that now.
ticket: 7415 (new)
target_version: 1.11
tags: pullup
* Read a "pa_config_data" item from an in_ccache, if provided, and add a
callback which client preauth plugins can use to retrieve a string
value from it that's keyed by a string.
* Add a callback which client preauth plugins can use to provide string
key/value pairs to be stored in the ccache.
* Moves the definition of (struct krb5_clpreauth_rock_st) from k5-int.h
to init_creds_ctx.h to try to reduce the number of files that will
need to include k5-json.h to understand k5_json_value.
* Add a krb5int_build_conf_principals() function to allow our get/set
code to directly prune out duplicate config entries.
* Verify that when we specify a pa_type, it affects whether or not we
will use a particular preauth plugin.
* Verify that we correctly save the KDC's preauth type number, that we
tried to answer, to the out_ccache.
* When producing preauth data, keep track of the type of padata in the
KDC's list of acceptable types which prompted the module to produce
padata.
* After obtaining credentials, store that value as a "pa_type"
configuration item in the out_ccache.
* Read that allowed preauth type from an in_ccache, if possible.
* If we have an allowed preauth type, only call "real" modules that
handle that value when filling in responder items and producing a
client request.
ticket: 7414 (new)
Add a krb5_get_init_creds_opt_set_in_ccache() function. An input
ccache may hold configuration data which the client libraries can
use to influence their decisions.
ticket: 7413 (new)
This follows the design laid out on the project page:
http://k5wiki.kerberos.org/wiki/Projects/Password_response_item
The Camellia enctypes and cksumtypes have received IANA assignments.
Add #defines using those assignments to krb5.h, remove the CAMELLIA
conditional, and enable testing code as appropriate.
The Camellia draft has not received an RFC number yet, so there is no
Doxygen markup for the enctype and cksumtype #defines. That can be
added once the RFC number is known.