path: root/src/lib/krb5
Commit message (author, age, files changed, lines -removed/+added)
...
* Follow-on to r24258: initialize the new k5e1 error table where we (Greg Hudson, 2010-09-29, 3 files, -0/+4)
    initialize the krb5 error table, and add initialize_k5e1_error_table to the libkrb5 exports list for consistency with the other error tables.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24378 dc483132-0cff-0310-8789-dd5450dbe970
* kadm5_hook: new plugin interface (Sam Hartman, 2010-09-29, 1 file, -1/+2)
    Implement http://k5wiki.kerberos.org/wiki/Projects/Kadmin_hook_interface
    This provides an interface that allows a plugin to track kadmin operations. This can be used for projects like the krb5-sync project.
    ticket: 6791
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24375 dc483132-0cff-0310-8789-dd5450dbe970
* kpasswd: if a credential cache is present, use FAST (Sam Hartman, 2010-09-27, 2 files, -0/+24)
    If a credentials cache is available, use it as an armor cache to enable FAST negotiation for kpasswd. This requires an attacker to attack both the user's long-term key for the old password as well as the ticket used for the armor cache in order to attack the password change. Depending on how the armor ticket is obtained, this may provide limited value. However, it provides users an easy option if they are concerned about their current password. Users can kinit with one principal to help protect changing the password of another principal.
    * krb5_get_init_creds_opt_set_fast_ccache: new API to set fast ccache based on a krb5_ccache object rather than a resolvable string
    * kpasswd: always open the current credential cache even if not needed for determining the principal. If the cache has tickets, use it as an armor cache.
    * tests/dejagnu/krb-standalone/kadmin.exp: Arrange to test new code path
    ticket: 6786
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24359 dc483132-0cff-0310-8789-dd5450dbe970
* Add gss_krb5_import_cred (Greg Hudson, 2010-09-27, 1 file, -0/+1)
    Add gss_krb5_import_cred from Heimdal; allows krb5 creds to be acquired from a keytab or ccache into a GSSAPI credential without using global process or thread variables. Merged from the users/lhoward/import-cred branch.
    ticket: 6785
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24356 dc483132-0cff-0310-8789-dd5450dbe970
* In krb5_sname_to_principal, correctly handle failures from (Greg Hudson, 2010-09-15, 1 file, -2/+2)
    krb5_build_principal.
    ticket: 6777
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24309 dc483132-0cff-0310-8789-dd5450dbe970
* Make depend (Greg Hudson, 2010-09-08, 9 files, -476/+625)
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24298 dc483132-0cff-0310-8789-dd5450dbe970
* Merge the camellia-ccm branch to trunk. Since there are no IANA (Greg Hudson, 2010-09-07, 2 files, -0/+13)
    assignments for Camellia-CCM enctypes or cksumtypes yet, they are disabled in a default build. They can be made available by defining (via CPPFLAGS) local-use enctype numbers for the enctypes and cksumtypes.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24295 dc483132-0cff-0310-8789-dd5450dbe970
* Password quality pluggable interface (Greg Hudson, 2010-09-01, 2 files, -1/+2)
    Merge branches/plugins2 to trunk. Adds a password quality pluggable interface described in this project page: http://k5wiki.kerberos.org/wiki/Projects/Password_quality_pluggable_interface
    ticket: 6765
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24284 dc483132-0cff-0310-8789-dd5450dbe970
* Make relative plugin module paths be interpreted as relative to (Greg Hudson, 2010-08-30, 1 file, -2/+35)
    LIBDIR/krb5/plugins.
    ticket: 6763
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24277 dc483132-0cff-0310-8789-dd5450dbe970
* Add plugin.o to T_ETYPES_OBJS because init_ctx.o needs it now (Tom Yu, 2010-08-27, 1 file, -1/+1)
    ticket: 6763
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24264 dc483132-0cff-0310-8789-dd5450dbe970
* New plugin infrastructure (Greg Hudson, 2010-08-27, 5 files, -0/+381)
    Merge domain-independent plugin framework code from branches/plugins2, leaving out the password quality interface.
    ticket: 6763
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24263 dc483132-0cff-0310-8789-dd5450dbe970
* Add an expansion error table for libkrb5, since krb5_err.et is full (Greg Hudson, 2010-08-26, 2 files, -5/+43)
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24258 dc483132-0cff-0310-8789-dd5450dbe970
* rd_req_decoded: clarify behavior in comment (Sam Hartman, 2010-08-25, 1 file, -1/+8)
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24257 dc483132-0cff-0310-8789-dd5450dbe970
* Add GIC option for password/account expiration callback (Greg Hudson, 2010-08-12, 6 files, -24/+227)
    Add a new GIC option to specify a callback to receive password and account expiration times found in an AS reply. See also: http://k5wiki.kerberos.org/wiki/Projects/Password_expiration_API
    ticket: 6755
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24241 dc483132-0cff-0310-8789-dd5450dbe970
* Move the password expiry warning code out of (Greg Hudson, 2010-08-10, 1 file, -84/+92)
    krb5_get_init_creds_password() into a helper function.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24237 dc483132-0cff-0310-8789-dd5450dbe970
* DAL improvements (Greg Hudson, 2010-07-02, 1 file, -0/+1)
    Add KRB5_KDB_API_VERSION to allow callers to adjust to incompatible changes in libkdb; to be kept in sync with the libkdb major version, which is bumped to 5 in anticipation of other changes.
    Add KRB5_KDB_DAL_VERSION to allow database modules to detect when they are mismatched with the KDB version. Since KDB modules are often developed concurrently with trunk code, this is defined to be the date of the last incompatible DAL change. The DAL version is passed to the init_library DAL function; the module should check it against the value of KRB5_KDB_DAL_VERSION it was compiled with and return KRB5_KDB_DBTYPE_MISMATCH if it doesn't match.
    ticket: 6749
    status: open
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24157 dc483132-0cff-0310-8789-dd5450dbe970
* Make OFFLINE!=no work again (Tom Yu, 2010-06-21, 1 file, -6/+9)
    ticket: 6744
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24140 dc483132-0cff-0310-8789-dd5450dbe970
* only test t_locate_kdc if known-good DNS name is present (Tom Yu, 2010-06-18, 1 file, -6/+20)
    Running "make check" while offline or on a firewalled network may result in failure in lib/krb5/os because the invocation of t_locate_kdc requires that the DNS servers for ATHENA.MIT.EDU be reachable. Autodetect DNS utilities "dig" and "nslookup", and use them to check for existence of the known-good DNS name. Also parameterize the test so that the known-good DNS name can be overridden on the make command line.
    ticket: 6744
    target_version: 1.8.3
    tags: pullup
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24138 dc483132-0cff-0310-8789-dd5450dbe970
* Remove the code for krb5_append_addresses(), which was never used and (Greg Hudson, 2010-06-11, 1 file, -58/+0)
    was ifdef'd out fifteen years ago in r5464.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24133 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate actx_copy_addr in auth_con.c; use krb5_copy_addr instead (Greg Hudson, 2010-06-11, 1 file, -23/+6)
    (it's exactly the same).
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24132 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a couple of minor defects in trace.c (Greg Hudson, 2010-06-10, 1 file, -3/+2)
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24124 dc483132-0cff-0310-8789-dd5450dbe970
* make depend (Greg Hudson, 2010-06-07, 8 files, -803/+871)
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24119 dc483132-0cff-0310-8789-dd5450dbe970
* Trace logging (Greg Hudson, 2010-06-07, 20 files, -88/+568)
    Add trace logging infrastructure code, enabled by the KRB5_TRACE environment variable or the API functions krb5_set_trace_callback() or krb5_set_trace_filename(). As a start, add tracing events for:
    * AS-REQ client code, including FAST and preauth
    * TGS-REQ client code
    * AP-REQ and AP-REP code (client and server)
    * sendto_kdc
    * Selected ccache operations
    * Selected keytab operations
    ticket: 6737
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24118 dc483132-0cff-0310-8789-dd5450dbe970
* In krb5_cc_set_config, don't call krb5_cc_remove_cred; it's redundant (Greg Hudson, 2010-05-28, 1 file, -4/+0)
    with the krb5_cc_remove_cred call in krb5_cc_store_cred.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24110 dc483132-0cff-0310-8789-dd5450dbe970
* make depend (Greg Hudson, 2010-05-28, 1 file, -0/+12)
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24109 dc483132-0cff-0310-8789-dd5450dbe970
* From Luke: make copies of S4U2Proxy authdata modules work when there (Greg Hudson, 2010-05-28, 1 file, -1/+1)
    is no S4U2Proxy authdata.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24107 dc483132-0cff-0310-8789-dd5450dbe970
* Remove the get_masters logic in locate_srv_conf_1 which was orphaned (Greg Hudson, 2010-05-27, 2 files, -63/+11)
    by r15736 when we added the master_kdc profile variable.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24106 dc483132-0cff-0310-8789-dd5450dbe970
* Get t_ser to build again after the S4U authdata branch merge (Greg Hudson, 2010-05-27, 1 file, -2/+2)
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24105 dc483132-0cff-0310-8789-dd5450dbe970
* FAST negotiation could erroneously succeed (Greg Hudson, 2010-05-25, 1 file, -0/+1)
    When FAST negotiation is performed against an older KDC (rep->enc_part2->flags & TKT_FLG_ENC_PA_REP not set), krb5int_fast_verify_nego did not set the value of *fast_avail, causing stack garbage to be used in init_creds_step_reply. Initialize *fast_avail at the beginning of the function per coding practices.
    ticket: 6734
    target_version: 1.8.2
    tags: pullup
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24102 dc483132-0cff-0310-8789-dd5450dbe970
* Fix long lines and other formatting issues in fast.h (Greg Hudson, 2010-05-24, 1 file, -25/+36)
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24101 dc483132-0cff-0310-8789-dd5450dbe970
* Fix long lines and other formatting issues in fast.c (Greg Hudson, 2010-05-24, 1 file, -56/+81)
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24100 dc483132-0cff-0310-8789-dd5450dbe970
* Make signedpath authdata visible via GSS naming exts (Greg Hudson, 2010-05-23, 5 files, -2/+615)
    Merge users/lhoward/signedpath-naming-exts to trunk. Adds an authdata provider which makes non-PAC S4U2Proxy signedpath authdata visible to application servers via GSS naming extensions.
    ticket: 6733
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24094 dc483132-0cff-0310-8789-dd5450dbe970
* When parsing a KDC or admin server string, allow the name or address (Greg Hudson, 2010-05-18, 1 file, -33/+23)
    to be enclosed in brackets so that IPv6 addresses can be represented. (IPv6 addresses contain colons, which look like port separators.)
    ticket: 6562
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24055 dc483132-0cff-0310-8789-dd5450dbe970
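The bracket syntax this commit describes, as an added example rather than the libkrb5 parser itself: `parse_server_spec`, `spec_parses_to`, the default port of 88 and the 0/-1 return convention are assumptions of this example, not krb5 API. It shows why an unbracketed IPv6 literal cannot be parsed as HOST:PORT and how the bracketed form removes the ambiguity, and it rejects a few malformed inputs a lax parser would accept.

```c
#include <stdio.h>
#include <string.h>

/*
 * Parse a KDC or admin-server specification of the form HOST[:PORT] or
 * [HOST][:PORT]. The bracketed form lets an IPv6 literal, which itself
 * contains colons, be given with or without a port.
 *
 * Returns 0 on success, -1 on malformed input. On success hostbuf holds the
 * NUL-terminated host and *port holds the parsed port or default_port.
 * (Example code; name and conventions are this example's, not libkrb5's.)
 */
int parse_server_spec(const char *spec, char *hostbuf, size_t hostlen,
                      int default_port, int *port)
{
    const char *host_start, *host_end, *rest;
    size_t n;
    long p = 0;

    if (spec == NULL || *spec == '\0')
        return -1;

    if (*spec == '[') {
        /* Bracketed: everything up to the closing ']' is the host, colons
         * included; a port may follow as ":PORT". */
        host_start = spec + 1;
        host_end = strchr(host_start, ']');
        if (host_end == NULL || host_end == host_start)
            return -1;
        rest = host_end + 1;
    } else {
        /* Unbracketed: the first colon, if any, separates host and port.
         * A bare IPv6 literal cannot be told apart from HOST:PORT here,
         * which is exactly why the bracketed form exists. */
        host_start = spec;
        host_end = strchr(spec, ':');
        if (host_end == NULL)
            host_end = spec + strlen(spec);
        if (host_end == host_start)
            return -1;
        rest = host_end;
    }

    n = (size_t)(host_end - host_start);
    if (n >= hostlen)
        return -1;                      /* refuse rather than truncate */
    memcpy(hostbuf, host_start, n);
    hostbuf[n] = '\0';

    if (*rest == '\0') {
        *port = default_port;
        return 0;
    }
    if (*rest != ':')
        return -1;                      /* e.g. "[::1]x" */

    /* Port: decimal digits only, 1..65535; an empty port string is an error. */
    for (rest++; *rest != '\0'; rest++) {
        if (*rest < '0' || *rest > '9')
            return -1;
        p = p * 10 + (*rest - '0');
        if (p > 65535)
            return -1;
    }
    if (p == 0)
        return -1;
    *port = (int)p;
    return 0;
}

/* 1 if spec parses to exactly (want_host, want_port) with default port 88. */
int spec_parses_to(const char *spec, const char *want_host, int want_port)
{
    char host[256];
    int port = 0;

    if (parse_server_spec(spec, host, sizeof(host), 88, &port) != 0)
        return 0;
    return strcmp(host, want_host) == 0 && port == want_port;
}

int main(void)
{
    /* Constructed sample specs of the kind found in a krb5.conf [realms]
     * section; the hosts and addresses are made up for this example. */
    const char *specs[] = {
        "kdc.example.com", "kdc.example.com:750",
        "[2001:db8::1]:88", "[2001:db8::1]", "2001:db8::1", "[]:88",
    };
    char host[256];
    int port;
    size_t i;

    for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
        if (parse_server_spec(specs[i], host, sizeof(host), 88, &port) == 0)
            printf("%-20s -> host=%s port=%d\n", specs[i], host, port);
        else
            printf("%-20s -> malformed\n", specs[i]);
    }
    return 0;
}
```

The unbracketed `2001:db8::1` is reported as malformed because the text after the first colon is not a port; before this commit a string like that had no unambiguous spelling at all, and with brackets `[2001:db8::1]` and `[2001:db8::1]:88` both parse cleanly.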
* Update dependencies (Ken Raeburn, 2010-05-16, 1 file, -22/+12)
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24041 dc483132-0cff-0310-8789-dd5450dbe970
* Stop exporting some profile symbols that aren't either published in (Ken Raeburn, 2010-05-16, 1 file, -27/+0)
    the header or known serialization functions used by the krb5 library.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24040 dc483132-0cff-0310-8789-dd5450dbe970
* Negative enctypes improperly read from ccaches (Greg Hudson, 2010-05-13, 1 file, -1/+2)
    When reading enctypes from ccaches, we need to sign-extend the 16-bit value we read in order to properly read negative enctypes.
    ticket: 6723
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24021 dc483132-0cff-0310-8789-dd5450dbe970
* Error handling bug in krb5_init_creds_init() (Greg Hudson, 2010-05-13, 1 file, -4/+5)
    Fix a bug in krb5_init_creds_init() where a freed context could be returned to the caller in certain error cases.
    ticket: 6722
    tags: pullup
    target_version: 1.8.2
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24020 dc483132-0cff-0310-8789-dd5450dbe970
* Negative enctypes improperly read from keytabs (Greg Hudson, 2010-05-13, 1 file, -3/+2)
    When reading enctypes from keytabs, we need to ntohs() the 16-bit value we read in before sign-extending it to a 32-bit value in the keyblock, or we run the risk of extending the wrong sign.
    ticket: 6720
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24016 dc483132-0cff-0310-8789-dd5450dbe970
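This commit (ticket 6720) and the ccache one above it (ticket 6723) are two shapes of the same serialization mistake: an enctype is stored on disk as a 16-bit big-endian integer but held in memory as a 32-bit signed krb5_enctype, and local-use enctypes are negative. The following is an added example, not libkrb5's reader code: it models the correct path and the two bug shapes the commit messages describe, with explicit byte arithmetic so the result does not depend on the host's endianness. The function names and the sample bytes (including the local-use enctype value -128) are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Correct: convert to host order first (ntohs), then sign-extend 16 -> 32. */
int32_t read_enctype_ok(const uint8_t b[2])
{
    uint16_t host = (uint16_t)((b[0] << 8) | b[1]);
    return (int32_t)(int16_t)host;
}

/* Bug shape of the ccache reader (ticket 6723): the 16-bit value is widened
 * as unsigned, so on-disk 0xFF80 becomes 65408 instead of -128. */
int32_t read_enctype_no_signext(const uint8_t b[2])
{
    uint16_t host = (uint16_t)((b[0] << 8) | b[1]);
    return (int32_t)host;
}

/* Bug shape of the keytab reader (ticket 6720): the raw bytes are loaded into
 * an int16 in host order (modelled here as a little-endian host), sign-extended
 * to 32 bits, and only then passed to ntohs(), which truncates back to 16 bits
 * and swaps. The extended sign came from the wrong byte and is then thrown
 * away, so the result is the same wrong unsigned value. */
int32_t read_enctype_signext_first(const uint8_t b[2])
{
    int16_t  host_le = (int16_t)(uint16_t)((b[1] << 8) | b[0]);
    uint32_t widened = (uint32_t)(int32_t)host_le;          /* sign-extended */
    uint16_t swapped = (uint16_t)(((widened & 0xffu) << 8) | /* ntohs(widened) */
                                  ((widened >> 8) & 0xffu));
    return (int32_t)swapped;
}

/* Constructed on-disk samples: enctype 18 (aes256-cts-hmac-sha1-96) and a
 * made-up local-use negative enctype, -128. All three readers agree on the
 * first, which is why these bugs survive tests that use standard enctypes. */
const uint8_t SAMPLE_AES256[2] = {0x00, 0x12};
const uint8_t SAMPLE_LOCAL[2]  = {0xFF, 0x80};

int main(void)
{
    printf("aes256 (0x0012): ok=%d no_signext=%d signext_first=%d\n",
           (int)read_enctype_ok(SAMPLE_AES256),
           (int)read_enctype_no_signext(SAMPLE_AES256),
           (int)read_enctype_signext_first(SAMPLE_AES256));
    printf("local  (0xFF80): ok=%d no_signext=%d signext_first=%d\n",
           (int)read_enctype_ok(SAMPLE_LOCAL),
           (int)read_enctype_no_signext(SAMPLE_LOCAL),
           (int)read_enctype_signext_first(SAMPLE_LOCAL));
    return 0;
}
```

The practical consequence is a key that libkrb5 cannot match against anything: a keytab entry for a local-use enctype reads back as enctype 65408, so the entry is silently unusable while every standard-enctype entry in the same file works.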
* Reimplement krb5_get_in_tkt_with_skey in terms of krb5_get_init_creds, (Greg Hudson, 2010-05-12, 5 files, -1142/+53)
    similar to how the password and keytab equivalents were done.
    Eliminate krb5_get_in_tkt. It's been very hard to use since we made krb5_kdc_rep_decrypt_proc private (in krb5 1.7 the prototype was taken out of krb5.h altogether), and it's unlikely that anything would have used it directly in the first place.
    Remove and/or simplify a lot of code depended on by krb_get_in_tkt, including all of preauth.c.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24012 dc483132-0cff-0310-8789-dd5450dbe970
* Fix some bugs in the IAKERB code discovered by Coverity. Also trim (Greg Hudson, 2010-05-01, 1 file, -0/+2)
    down iakerb_initiator_step() a little using krb5_data constructors and avoiding vertical function arguments.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23961 dc483132-0cff-0310-8789-dd5450dbe970
* Add IAKERB mechanism and gss_acquire_cred_with_password (Greg Hudson, 2010-04-30, 7 files, -2/+129)
    Merge branches/iakerb to trunk. Includes the following:
    * New IAKERB mechanism.
    * New gss_acquire_cred_with_password mechglue function.
    * ASN.1 encoders and decoders for IAKERB structures (with tests).
    * New shortcuts in gss-sample client and server.
    * Tests to exercise SPNEGO and IAKERB using gss-sample application.
    ticket: 6712
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23960 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a backwards check in get_cached_tgt() in the TGS code (Greg Hudson, 2010-04-27, 1 file, -3/+3)
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23945 dc483132-0cff-0310-8789-dd5450dbe970
* Adapted patch from Jason Rogers. It wasn't complete, so this commit (Tom Yu, 2010-04-23, 1 file, -10/+0)
    fixes the other instances of the 64-bit problem. Also fix krb5_deltat_to_str(), which would previously always return an empty string.
    ticket: 6698
    target_version: 1.8.2
    tags: pullup
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23928 dc483132-0cff-0310-8789-dd5450dbe970
* From Luke: fix the post-canonicalization cache check logic in (Greg Hudson, 2010-04-22, 1 file, -5/+11)
    krb5_get_credentials_for_user().
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23927 dc483132-0cff-0310-8789-dd5450dbe970
* In kpasswd_sendto_msg_callback(), properly compare against the (Greg Hudson, 2010-04-22, 1 file, -1/+2)
    wildcard IPv6 address instead of comparing an array address to 0.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23921 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a memory leak in get_creds.c's try_fallback_realm() (Greg Hudson, 2010-04-21, 1 file, -1/+3)
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23920 dc483132-0cff-0310-8789-dd5450dbe970
* When setting up to get a TGT for the service realm in the TGS code, (Greg Hudson, 2010-04-20, 1 file, -5/+5)
    get the cached local TGT before setting up the realm path. Prior to this change, calling krb5_get_credentials() with an empty ccache would result in KRB5_CC_NOTFOUND for a foreign server principal, but would result in KRB5_NO_TKT_IN_REALM (generated by krb5_walk_realm_tree) for a local server principal. With this change, KRB5_CC_NOTFOUND is returned in both cases.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23909 dc483132-0cff-0310-8789-dd5450dbe970
* Add KRB5_INIT_CREDS_STEP_FLAG_CONTINUE for parity with Heimdal. (Greg Hudson, 2010-04-20, 3 files, -14/+11)
    Rename KRB5_TKT_CREDS_CONTINUE to KRB5_TKT_CREDS_STEP_FLAG_CONTINUE for consistency. Adjust init_creds context to be less confusing in light of the above.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23906 dc483132-0cff-0310-8789-dd5450dbe970
* Introduce new krb5_tkt_creds API (Greg Hudson, 2010-04-14, 5 files, -1486/+1110)
    Merged from branches/iakerb: add new asynchronous krb5_tkt_creds APIs, which allow a caller to take responsibility for transporting requests to the KDC and getting responses back. Rewrite the existing krb5_get_credentials API in terms of the new functions. Get rid of krb5_get_cred_from_kdc and friends, since they are no longer used.
    ticket: 6700
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23900 dc483132-0cff-0310-8789-dd5450dbe970
* Validate and renew should work on non-TGT creds (Greg Hudson, 2010-04-13, 3 files, -151/+197)
    The validate and renew APIs were using get_cred_from_kdc, which always presents a TGT to get credentials. Instead, they should present the ticket they are trying to validate or renew. This is most easily done with krb5_get_cred_via_tkt(). Move the relevant code into a new file since it now has nothing in common with the other APIs implemented in get_creds.c.
    ticket: 6699
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23891 dc483132-0cff-0310-8789-dd5450dbe970