summaryrefslogtreecommitdiffstats
path: root/src/lib/krb5
Commit message (Collapse)AuthorAgeFilesLines
...
* Handle concat OTP responder caseNathaniel McCallum2012-10-161-8/+11
|
* make dependTom Yu2012-10-151-7/+8
|
* Use hex escaping for non-printable trace dataNalin Dahyabhai2012-10-151-3/+42
| | | | | | When adding {str}, {lenstr}, or {data} to trace output, scan for bytes which might be non-printable, and add them as hex-escaped versions of themselves if any are found.
* Export krb5_cc_move()Nalin Dahyabhai2012-10-151-0/+1
|
* Correct type mismatches for get_as_key callbacksNalin Dahyabhai2012-10-152-2/+4
|
* Add responder support to preauth_otpNathaniel McCallum2012-10-152-18/+575
|
* Migrate to non-destructive tokeninfo selectionNathaniel McCallum2012-10-151-148/+191
|
* Move forward tokeninfo filteringNathaniel McCallum2012-10-151-63/+81
|
* Move pa_data encoding into a separate functionNathaniel McCallum2012-10-151-39/+45
|
* Fix a couple of typosNalin Dahyabhai2012-10-121-2/+2
|
* Add responder support to preauth_encts/preauth_ecNathaniel McCallum2012-10-122-0/+26
|
* Add responder support to get_as_key()Nathaniel McCallum2012-10-126-8/+55
| | | | | This follows the design laid out on the project page: http://k5wiki.kerberos.org/wiki/Projects/Password_response_item
* Allow null inputs to response item functionsNathaniel McCallum2012-10-121-2/+14
|
* Fix argument order when calling the responderNathaniel McCallum2012-10-101-2/+2
|
* De-conditionalize Camellia codeGreg Hudson2012-10-092-4/+0
| | | | | | | | | | The Camellia enctypes and cksumtypes have received IANA assignments. Add #defines using those assignments to krb5.h, remove the CAMELLIA conditional, and enable testing code as appropriate. The Camellia draft has not received an RFC number yet, so there is no Doxygen markup for the enctype and cksumtype #defines. That can be added once the RFC number is known.
* Untabify preauth_sam2.cGreg Hudson2012-10-081-17/+17
|
* make dependGreg Hudson2012-09-121-0/+11
|
* Do not retrieve zero-length credsBen Kaduk2012-09-111-2/+4
| | | | | | | | | | | In the MSLSA cache, if we get back a zero-length ticket, don't accept it as success; continue on to try and get an acceptable ticket. ticket: 7349 (new) subject: SapGUI sometimes crashes on new session with MSLSA cache target_version: 1.10.4 tags: pullup
* Add responder feature for initial cred exchangesNathaniel McCallum2012-09-119-5/+475
| | | | | | | | | | | | | | | | | | | | | | | Add new APIs: * krb5_get_init_creds_opt_set_responder * krb5_responder_get_challenge * krb5_responder_list_questions * krb5_responder_set_answer If a caller sets a responder, it will be invoked after preauth modules have had a chance to review their incoming padata but before they produce outgoing padata. The responder will be presented a set of questions with optional challenges. The responder should then answer all questions it knows how to handle. Both the answers and the challenges are printable UTF-8 and may contain encoded, structured data specific to the question asked. Add two new callbacks and one optional method to the clpreauth interface. The new method (prep_questions) allows modules to ask questions by setting them in the responder context using one of the new callbacks (ask_responder_question). The other new callback (get_responder_answer) is used by the process method to read the answers to the questions asked. ticket: 7355 (new)
* Support kdc_timesync offsets in memory ccacheNate Rosenblum2012-08-311-0/+22
| | | | | | | | | | | | | When using v4 file credentials caches, client clock skew offsets obtained when running with the kdc_timesync option set are persisted in the ccache. This allows the offsets to be used across separate contexts, e.g. when obtaining credentials using krb5 interfaces and subsequently importing those credentials for use in gssapi. This patch adds similar support for memory credentials caches. [ghudson@mit.edu: Minor style corrections.] ticket: 7346 (new)
* Improve error translation for CCAPIv3 routinesBen Kaduk2012-08-291-8/+9
| | | | | | | | | We can't mix the KRB5 and CC error constants; standardize on the CC ones and translate appropriately. ticket: 7339 (new) target_version: 1.10.4 tags: pullup
* Set fCachesTicket=TRUE when no credentialsKevin Wasserman2012-08-241-1/+2
| | | | | | | | | | | | It is not really clear this is correct, but neither was the previous behavior. Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7255 (new) queue: kfw target_version: 1.10.4 tags: pullup
* Do not be over-restrictive in the presence of UACKevin Wasserman2012-08-241-39/+4
| | | | | | | | | | | | | | | | | | We used to explicitly check if a process was UAC-limited and deny all access to the TGT in that case; however, this makes the MSLSA cache effectively useless. Do not try to outsmart UAC, and let it do its own checking -- this allows UAC-limited access to the MSLSA ccache, which should mean read-write access to service tickets, and write-only access to the TGT. Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> [kaduk@mit.edu: delete instead of comment out, move comment.] ticket: 7254 (new) queue: kfw target_version: 1.10.4 tags: pullup
* Fix portability, printf bugs in preauth_otp.cGreg Hudson2012-08-241-3/+1
| | | | | | unistd.h is not available on Windows and isn't needed for this file, so don't include it. Two arguments to asprintf in choose_token() were reversed.
* Remove unused struct and switch_to stubsKevin Wasserman2012-08-231-11/+1
| | | | | | | | | | | Only one mslsa ccache is supported, so switch_to is not needed. Likewise, struct krb5int_lcc_iterator is unneccesary. Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7236 (new) target_version: 1.10.4 tags: pullup
* Run "make depend"Tom Yu2012-08-232-10/+49
|
* Fix minor Makefile.in typos for make dependTom Yu2012-08-231-0/+1
| | | | | Fix minor typos in lib/krb5/krb/Makefile.in and tests/gssapi/Makefile.in so that "make depend" will work.
* Add otp client preauth pluginNathaniel McCallum2012-08-235-0/+581
| | | | | | | Implements the client side of RFC 6560. Not all features are implemented, but it should work for the most common cases. ticket: 7242 (new)
* Add ASN.1 support for OTPGreg Hudson2012-08-234-17/+190
| | | | | | | Add encoders and decoders for the OTP-TOKENINFO, PA-OTP-CHALLENGE, PA-OTP-REQUEST, and PA-OTP-ENC-REQUEST types from RFC 6560. For more thorough testing, add support for generating test encodings using asn1c for sample objects (currently only for the OTP types).
* Remove obsolete function krb5_secure_config_filesZhanna Tsitkov2012-08-143-27/+0
|
* Fix memory leak parsing name with default realmGreg Hudson2012-08-071-0/+1
| | | | | | | After 74beb75bb07e3921d10c8eec05eacb1f393e5e44, allocate_princ() allocates a one-byte realm field even if the principal doesn't have one, so if we're replacing it with the default realm, we need to free that.
* Turn off replay cache in krb5_verify_init_creds()Nalin Dahyabhai2012-08-061-0/+9
| | | | | | | The library isn't attempting a replay attack on itself, so any detected replays are only going to be false-positives. ticket: 7229 (new)
* Add %{username} token to path expansionGreg Hudson2012-08-012-2/+26
| | | | | | | | For Unix-like platforms, add %{username} to the path expansion facility, expanding to the result of getpwuid on the euid. Also, for manual testing convenience, make t_expand_path print the result if no second argument is given.
* Minor fixes to expand_path.cGreg Hudson2012-07-251-35/+24
| | | | | | | Corrections to stuff noticed by kaduk: * Eliminate a space before paren in a call to free(). * Use %lu for unsigned long in format strings. * Simplify the tokens table definition.
* Support changing the built-in ccache/keytab namesGreg Hudson2012-07-244-12/+4
| | | | | | | | | | | | | | * Add DEFCCNAME, DEFKTNAME, and DEFCKTNAME configure variables to change the built-in ccache and keytab names. * Add krb5-config options to display the built-in ccache and keytab names. * In the default build, use krb5-config to discover the system's built-in ccache and keytab names and use them (if not overridden). This can be controlled with the --with-krb5-config=PATH or --without-krb5-config configure options. * Make the built-in ccache name subject to parameter expansion. ticket: 7221 (new)
* Add default_ccache_name profile variableGreg Hudson2012-07-241-1/+10
| | | | | | | Like default_keytab_name and default_client_keytab_name, default_ccache_name is subject to parameter expansion. ticket: 7220 (new)
* Rearrange ccdefname.c slightlyGreg Hudson2012-07-241-91/+53
| | | | | | | | Eliminate the USE_CCAPI variant of get_from_os() which was only used in KfM. Make get_from_os() allocate its result (wrapping the Windows implementation so it can continue to use a fixed-size buffer). Simplify krb5_cc_set_default_name() and krb5_cc_default_name(). Make some minor style adjustments.
* Add token expansion for keytab namesGreg Hudson2012-07-241-56/+44
| | | | | | | Make the default_keytab_name and default_client_keytab_name variables subject to parameter expansion. ticket: 7219 (new)
* Add internal path expansion functionsGreg Hudson2012-07-245-4/+577
| | | | | | | | Add an adapted version of Heimdal's expand_path.c, defining k5_expand_path_tokens() and k5_expand_path_tokens_extra(). These functions allow template paths like %{TEMP}/krb5cc_%{uid} to be resolved. Also add a test program to exercise the path expansion code.
* krb5_stdccv3_get_principal error handling fixupKevin Wasserman2012-07-161-1/+3
| | | | | | | | | Don't treat an error returned by krb5_parse_name as a cc-internal error. Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7214 (new) tags: pullup
* fix leak in cc_mslsa.cKevin Wasserman2012-07-161-0/+2
| | | | | | | | cc_name needs to be freed in krb5_lcc_close(). Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7213
* Fix macro redefinition warnings in cc_mslsa.cKevin Wasserman2012-07-161-1/+2
| | | | | | | | Include ntstatus.h and define WIN32_NO_STATUS before including winnt.h Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7213
* Implement cccol iterators for mslsaKevin Wasserman2012-07-161-7/+61
| | | | | | | | | Also implement switch_to stub Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7213 (new) tags: pullup
* MSLSA Don't use lstrcpy on ANSI stringsKevin Wasserman2012-07-161-11/+3
| | | | | | | | | Also change parameter types to eliminate casts. Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7212 (new) tags: pullup
* Build lib/krb5/ccache/ccapi on Windows onlyKevin Wasserman2012-07-161-0/+1
| | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7209
* Define USE_CCAPI_V3 in krb5/ccache on windowsKevin Wasserman2012-07-162-1/+1
| | | | | | | | | USE_CCAPI_V3 provides cccol iteration support for ccapi. Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7209 (new) tags: pullup
* Rename 'free' -> 'free_func' in asn1_encode.c/.hKevin Wasserman2012-07-162-3/+3
| | | | | | | | | MSVC memory tracking tools do '#define free(p) _dbg_free(...)'. Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7205 (new) tags: pullup
* kfw add preauth_sam2 to OBJS for windows buildKevin Wasserman2012-07-161-0/+1
| | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7203 (new) tags: pullup
* Fix error handling in allocate_princ()Greg Hudson2012-07-131-2/+4
| | | | | The most recent change could leak memory when trying to parse an invalid principal because of a failure to use the cleanup handler.
* Replace // comment in ccdefname.cGreg Hudson2012-07-131-1/+1
|
generated by cgit (git 2.34.1) at 2025-09-26 21:24:20 +0000