| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Make krb5int_random_string() function available outside ccache code.
Move it into a separate file under lib/krb5/krb hierarchy.
|
| |
|
|
|
|
|
|
|
| |
Reimplement krb5_get_host_realm, krb5_get_fallback_host_realm, and
krb5_get_default_realm in terms of the hostrealm interface. Three
built-in modules (dns, domain, and profile) implement the current
behavior.
ticket: 7687
|
| |
|
|
|
| |
localauth modules were not freed by krb5_free_context(), causing a
memory leak.
|
| |
|
|
|
|
| |
Rename krb5_try_realm_txt_rr (an internal function despite the name)
and add a context parameter. Generate trace logs when we successfully
look up a record and when a record is not found.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add wrappers for the JSON-oriented APIs for PKINIT responder items,
modeled after the API we provide for OTP items:
* krb5_responder_pkinit_get_challenge() returns the list of
identities for which we need PINs
* krb5_responder_pkinit_challenge_free() frees the structure that
was returned by krb5_responder_pkinit_get_challenge()
* krb5_responder_pkinit_set_answer() sets the answer to the PIN for
one of the identities
[ghudson@mit.edu: style cleanup; added comment pointing to main body
of PKINIT module]
ticket: 7680
|
| |
|
|
|
| |
It's a lot of code, and trace logging should cover most of the cases
where it's useful.
|
| |
|
|
|
|
|
|
|
|
|
| |
Since net-server.c now uses libverto, only sendto_kdc.c consumes cm.c.
Move stuff out of cm.c and cm.h into sendto_kdc.c and get rid of them.
Change the sendto_kdc callback (used by chpw.c) to receive the socket
descriptor instead of the entire conn_state structure, and move the
declarations into os-proto.h. struct remote_address also needs to be
in os-proto.h so that trace.c and t_trace.c can use it. k5_curtime
isn't needed since k5-platform.h now guarantees the presence of
gettimeofday().
|
| |
|
|
|
|
|
| |
Add an API to duplicate keytab handles, mirroring krb5_cc_dup. Use it
to simplify the krb5 GSS acquire_cred code.
ticket: 7599 (new)
|
| |
|
|
|
|
|
|
|
| |
Move internal declarations from k5-int.h to more localized headers
(like int-proto.h) where appropriate. Rename many symbols whose
prototypes were moved to use the k5_ prefix instead of krb5int_.
Remove some unused declarations or move them to the single source file
they were needed in. Remove krb5_creds_compare since it isn't used
any more.
|
| |
|
|
|
| |
These functions were always internal. They haven't been used since
v5passwdd was eliminated in krb5 1.4.
|
| |
|
|
|
| |
These variables were marked as internal in 1996. Two are unused and
the other is easily replaced with the macro it is initialized from.
|
| |
|
|
|
|
|
| |
Rename krb5_free_ktypes to krb5_free_enctypes and add it to the public
API.
ticket: 7584
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The preauth functions are internal to libkrb5, so use the k5_ prefix,
don't use KRB5_CALLCONV, and prototype them in int-proto.h. Also
remove krb5_do_preauth from the Unix libkrb5 export list.
Reorder the k5_preauth() and k5_preauth_tryagain() arguments for more
consistency with the clpreauth interface, and put the output padata
arguments at the end.
Rename any remaining uses of "kcontext" to "context" in preauth2.c.
|
| |
|
|
|
|
|
|
|
| |
* Add a krb5int_build_conf_principals() function to allow our get/set
code to directly prune out duplicate config entries.
* Verify that when we specify a pa_type, it affects whether or not we
will use a particular preauth plugin.
* Verify that we correctly save the KDC's preauth type number, that we
tried to answer, to the out_ccache.
|
| |
|
|
|
|
|
|
| |
Add a krb5_get_init_creds_opt_set_in_ccache() function. An input
ccache may hold configuration data which the client libraries can
use to influence their decisions.
ticket: 7413 (new)
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add new APIs:
* krb5_get_init_creds_opt_set_responder
* krb5_responder_get_challenge
* krb5_responder_list_questions
* krb5_responder_set_answer
If a caller sets a responder, it will be invoked after preauth modules
have had a chance to review their incoming padata but before they produce
outgoing padata. The responder will be presented a set of questions with
optional challenges. The responder should then answer all questions it knows
how to handle. Both the answers and the challenges are printable UTF-8 and
may contain encoded, structured data specific to the question asked.
Add two new callbacks and one optional method to the clpreauth
interface. The new method (prep_questions) allows modules to ask questions
by setting them in the responder context using one of the new callbacks
(ask_responder_question). The other new callback (get_responder_answer) is
used by the process method to read the answers to the questions asked.
ticket: 7355 (new)
|
| |
|
|
|
|
|
| |
Add encoders and decoders for the OTP-TOKENINFO, PA-OTP-CHALLENGE,
PA-OTP-REQUEST, and PA-OTP-ENC-REQUEST types from RFC 6560. For more
thorough testing, add support for generating test encodings using
asn1c for sample objects (currently only for the OTP types).
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add DEFCCNAME, DEFKTNAME, and DEFCKTNAME configure variables to
change the built-in ccache and keytab names.
* Add krb5-config options to display the built-in ccache and keytab
names.
* In the default build, use krb5-config to discover the system's
built-in ccache and keytab names and use them (if not overridden).
This can be controlled with the --with-krb5-config=PATH or
--without-krb5-config configure options.
* Make the built-in ccache name subject to parameter expansion.
ticket: 7221 (new)
|
| |
|
|
|
|
|
|
| |
Add an adapted version of Heimdal's expand_path.c, defining
k5_expand_path_tokens() and k5_expand_path_tokens_extra(). These
functions allow template paths like %{TEMP}/krb5cc_%{uid} to be
resolved. Also add a test program to exercise the path expansion
code.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The default client keytab is intended to be used to automatically
acquire initial credentials for client applications. The current
hardcoded default is a placeholder, and will likely change before
1.11.
Add test framework settings to ensure that a system default client
keytab doesn't interfere with tests, and to allow tests to be written
to deliberately use the default client keytab.
Add documentation about keytabs to the concepts section of the RST
docs, and describe the default client keytab there.
ticket: 7188 (new)
|
| |
|
|
|
|
|
| |
Add a new API to determine whether any krb5 credentials are available
in the ccache collection. Add tests to t_cccol.py.
ticket: 7173 (new)
|
| |
|
|
|
|
|
| |
Rename krb5int_count_etypes and krb5int_copy_etypes to have k5_
prefixes, and make them available outside of libkrb5 (but not part of
the public API). Add k5_etypes_contains to search an etype list, and
use it in krb5_is_permitted_enctype.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a principal string attribute named "session_enctypes" which can
specify what enctypes the principal supports for session keys. (For
what it's worth, this actually allows one to list des-cbc-md5 as a
supported session key enctype, though obviously this hardly matters
now.)
Add a [realms] section parameter for specifying whether to assume that
principals (which lack the session_enctypes attribute) support
des-cbc-crc for session keys. This allows those who still need to use
allow_weak_crypto=true, for whatever reason, to start reducing the
number of tickets issued with des-cbc-crc session keys to clients
which still give des-cbc-crc preference in their default_tgs_enctypes
list.
[ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored
test script; documented session_enctypes attribute]
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add the krb5_kt_have_content API from Heimdal, which can be used to
test whether a keytab exists and contains entries. Add tests to
t_keytab.c.
There is a deviation from Heimdal in the function signature.
Heimdal's signature returns a krb5_boolean at the moment, because the
Heimdal implementation actually returns a krb5_error_code. These are
generally the same type anyway (int).
ticket: 7158 (new)
|
| |
|
|
|
|
|
|
|
|
| |
krb5_set_trace_callback and krb5_set_trace_filename were added to
krb5.h in krb5 1.9, but were mistakenly left out of the library export
lists. Add them now. Reported by Russ Allbery.
ticket: 7143
target_version: 1.10.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Active Directory returns structured policy information in the
nominally UTF-8 result string field of a password change reply. Add a
new API krb5_chpw_message() to convert a result string into a
displayable message, interpreting policy information if present.
Patch from stefw@gnome.org with changes.
ticket: 7128
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25857 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In krb5_init_creds_ctx and krb5_clpreauth_rock_st, use a boolean to
track whether we're still using the default salt instead of
overloading salt.length. In preauth2.c, process afs3 salt values like
we would in krb5int_des_string_to_key, and set an s2kparams indicator
instead of overloading salt.length. Also use an s2kparams indicator
in kdb_cpw.c's add_key_pwd. Remove the s2k code to handle overloaded
salt lengths, except for a sanity check.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25837 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
| |
New APIs of this sort should be discussed, and the goals motivating
the change clarified.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25670 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
| |
diagnostics of the potential misconfiguration.
Added profile_get_(string/integer/boolean)_nodef functions to the profile library to get the typed values from the configuration
files (without setting these values to the defaults).
Used TRACE_PROFILE_ERR for the configuration diagnostics in krb5_init_context_profile API.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25669 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
| |
krb5_alt_method was added in r6604 but never supported. krb5_pwd_data
became unused when the Sandia kadmin system was replaced.
krb5_pa_server_referral_data and krb5_pa_svr_referral_data were added
in r21690 with internally-visible encoders which nothing uses.
Leave behind structure declarations in krb5.hin for API compatibility.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25619 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
| |
r24403 removed the old SAM support, but left behind the structures,
free functions, and ASN.1 encoders/decoders. Remove those now.
(SAM-2 support is still present.)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25618 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
| |
Add test cases for ASN.1 types which didn't previously have them.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25610 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
| |
krb5_free_realm_string
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25606 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Use the krb5_pa_data structure type when encoding or decoding
TYPED-DATA. Leave the krb5_typed_data structure definition in krb5.h
with a comment saying not to use it. Remove krb5_free_typed_data
(which was never declared in krb5.h). Remove some vestigial accessor
stuff related to PKINIT encoding and decoding TYPED-DATA, which was
unneeded since r25483. Bump the accessor structure version to 19
accordingly.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25601 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Rename krb5int_check_clockskew to krb5_check_clockskew and make it
public, in order to give kdcpreauth plugins a way to check timestamps
against the configured clock skew.
ticket: 6996
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25424 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
| |
Rename krb5int_find_authdata to krb5_find_authdata and make it public.
ticket: 6992
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25414 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25328 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
| |
krb5int_pac_sign was created as a private API because it is only
needed by the KDC. But it is actually used by DAL or authdata plugin
modules, not the core KDC code. Since plugin modules should not need
to consume internal libkrb5 functions, rename krb5int_pac_sign to
krb5_pac_sign and make it public.
ticket: 6974
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25325 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
| |
All current known uses of e_data are encoded as pa-data or typed-data.
FAST requires that e_data be expressed as pa-data. Change the DAL and
kdcpreauth interfaces so that e_data is returned as a sequence of
pa-data elements. Add a preauth module flag to indicate that the
sequence should be encoded as typed-data in non-FAST errors.
ticket: 6969
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25298 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
| |
* extend dh_rep
* add krb5_free_octet_data
* extend pkinit free functions
pkinit: add supportedKDFs and kdfID to structures
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25194 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
| |
Signed-off-by: Margaret Wasserman <mrw@painless-security.com>
tested-by: Sam Hartman <hartmans@debian.org>
fixes-from: Sam Hartman <hartmans@debian.org>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25190 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
| |
The interface has two built-in modules. The realm module guesses a
cache based on the server realm if it is known. The k5identity module
(Unix only) chooses a client principal based on rules in a .k5identity
file in the user's homedir.
ticket: 6957
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25158 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* krb5_cc_get_full_name retrieves the full type:name of a cache.
* krb5_cc_switch makes a cache the primary cache.
* krb5_cc_cache_match searches the collection for a client principal.
* krb5_free_string releases a string (for the krb5_cc_get_full_name
result).
All of these are from Heimdal except for krb5_free_string (Heimdal uses
krb5_xfree).
ticket: 6954
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25155 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
| |
ticket: 6929
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25026 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The preauth plugin interface was introduced in 1.6 but was never made
a public API. In preparation for making it public in 1.10, convert it
to use the new plugin framework. This will require changes to any
existing preauth plugins.
A number of symbols were renamed for namespace cleanliness, and
abstract types were introduced for module data and module per-request
data for better type safety.
On the consumer end (preauth2.c and kdc_preauth.c), this is a pretty
rough conversion. Eventually we should create proper consumer APIs
with module handles, and the flat lists of preauth types should hold
pointers to module handles rather than copies of the vtables. The
built-in preauth type handlers should then be converted to built-in
module providers linked into the consumer code (as should encrypted
challenge, since it has no external dependencies). None of this will
impact the provider API for preauth plugins, so it can wait.
ticket: 6921
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24970 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
| |
principal name from a keytab. Used currently by vfy_increds.c (in
place of its static helper); will also be used when querying the name
of the default gss-krb5 acceptor cred.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24859 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Restructure the locate_kdc and sendto_kdc code to defer getaddrinfo
calls until we need the answer. This requires many changes:
* struct addrlist is now called struct serverlist, and is declared in
os-proto.h instead of k5-int.h. It contains an array of struct
server_entry structures which can hold either a name or an address.
(Address entries are used for locate_kdc module results.)
* The connection state list is now a linked list, and holds address
information directly instead of using a struct addrinfo (this
simplifies memory management). Each connection entry contains a
callback buffer (previously stored in a separate array) and an index
into the server list.
* The {addrstate} trace formatting primitive is no longer needed, and
has been replaced by {connstate}. There is also a new tracing event
for resolving hostnames.
* locate_server, locate_kdc, free_serverlist, and sendto get their
prefixes changed from krb5int_ to k5_ as their prototypes were being
adjusted anyway. The family argument is gone from the locate
functions as it was never productively used. k5_sendto now receives
the socket types of interest.
* krb5_sendto_kdc will now pass a 0 socktype to k5_locate_kdc if both
socket types are wanted. There were some allowances for this in
locate but this was never previously done. In order to be
conservative when invoking locate modules, we always pass an
explicit socktype, thus calling lookup twice (as we did before,
albeit with a separate init/fini cycle) in the common case. When
creating hostname entries in serverlist from profile configuration,
we preserve the 0 value of socktype, and later create both TCP and
UDP addresses from the getaddrinfo results when the host is
resolved.
* Some accessor functions previously used by libkrb4 have been removed
as they impinged upon this work.
ticket: 6868
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24635 dc483132-0cff-0310-8789-dd5450dbe970
|
