| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A GSS krb5 error response contains a KRB-ERROR message, which is
required to have a server principal name, although few recipients
actually use it. Starting in 1.3, accept_sec_context would fail to
encode the error in the GSS_C_NO_NAME/GSS_C_NO_CREDENTIAL case
(introduced by #1370) because cred->princ (which became
cred->name->princ in 1.8) is unset.
This problem got worse in 1.10 because we stopped setting the server
field in all cases due to the changes for #6855. In 1.11 the problem
got worse again when a misguided change to the mechglue started
discarding output tokens when the mechanism returns an error; the
mechglue should only do so when it itself causes the error.
Fix krb5 gss_accept_sec_context by unconditionally decoding the AP-REQ
and using krb5_rd_req_decoded, and then using the requested ticket
server in the KRB-ERROR message. Fix the mechglue
gss_accept_sec_context by reverting that part of commit
56feee187579905c9101b0cdbdd8c6a850adcfc9. Add a test program which
artificially induces a replay cache failure (the easiest failure we
can produce which has an associated RFC 4120 error code) and checks
that this can be communicated back to the initiator via an error
token.
ticket: 1445
target_version: 1.12
tags: pullup
|
|
|
|
|
|
|
| |
This routine is now used in the gssapi library and must be exported
as such.
ticket: 7688
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add wrappers for the JSON-oriented APIs for PKINIT responder items,
modeled after the API we provide for OTP items:
* krb5_responder_pkinit_get_challenge() returns the list of
identities for which we need PINs
* krb5_responder_pkinit_challenge_free() frees the structure that
was returned by krb5_responder_pkinit_get_challenge()
* krb5_responder_pkinit_set_answer() sets the answer to the PIN for
one of the identities
[ghudson@mit.edu: style cleanup; added comment pointing to main body
of PKINIT module]
ticket: 7680
|
|
|
|
|
|
|
| |
Add an API to duplicate keytab handles, mirroring krb5_cc_dup. Use it
to simplify the krb5 GSS acquire_cred code.
ticket: 7599 (new)
|
|
|
|
|
|
|
|
|
| |
Move internal declarations from k5-int.h to more localized headers
(like int-proto.h) where appropriate. Rename many symbols whose
prototypes were moved to use the k5_ prefix instead of krb5int_.
Remove some unused declarations or move them to the single source file
they were needed in. Remove krb5_creds_compare since it isn't used
any more.
|
|
|
|
|
|
|
| |
Rename krb5_free_ktypes to krb5_free_enctypes and add it to the public
API.
ticket: 7584
|
|
|
|
|
|
|
|
|
| |
* Add a krb5int_build_conf_principals() function to allow our get/set
code to directly prune out duplicate config entries.
* Verify that when we specify a pa_type, it affects whether or not we
will use a particular preauth plugin.
* Verify that we correctly save the KDC's preauth type number, that we
tried to answer, to the out_ccache.
|
|
|
|
|
|
|
|
| |
Add a krb5_get_init_creds_opt_set_in_ccache() function. An input
ccache may hold configuration data which the client libraries can
use to influence their decisions.
ticket: 7413 (new)
|
| |
|
| |
|
| |
|
|
|
|
|
| |
krb5_rc_resolve_full, krb5_rc_resolve_get_name, and
krb5_rc_resolve_get_type are also now used in the krb5 mech.
|
|
|
|
|
|
| |
krb5_rc_recover_or_initialize is not a public function, but is now
used by the krb5 mechanism when importing a credential. Mark it as
PRIVATE GSSAPI in the export list.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add new APIs:
* krb5_get_init_creds_opt_set_responder
* krb5_responder_get_challenge
* krb5_responder_list_questions
* krb5_responder_set_answer
If a caller sets a responder, it will be invoked after preauth modules
have had a chance to review their incoming padata but before they produce
outgoing padata. The responder will be presented a set of questions with
optional challenges. The responder should then answer all questions it knows
how to handle. Both the answers and the challenges are printable UTF-8 and
may contain encoded, structured data specific to the question asked.
Add two new callbacks and one optional method to the clpreauth
interface. The new method (prep_questions) allows modules to ask questions
by setting them in the responder context using one of the new callbacks
(ask_responder_question). The other new callback (get_responder_answer) is
used by the process method to read the answers to the questions asked.
ticket: 7355 (new)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Set the default credential cache name for all processes for the current
user. Currently implemented, for windows only, by setting
HKEY_CURRENT_USER\Software\MIT\Kerberos5:ccname to the specified
ccache name. This will not override the environment variable 'KRB5CCNAME'.
It will override HKEY_LOCAL_MACHINE and 'indirect' registry values.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7199 (new)
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
Add a new API to determine whether any krb5 credentials are available
in the ccache collection. Add tests to t_cccol.py.
ticket: 7173 (new)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the krb5_kt_have_content API from Heimdal, which can be used to
test whether a keytab exists and contains entries. Add tests to
t_keytab.c.
There is a deviation from Heimdal in the function signature.
Heimdal's signature returns a krb5_boolean at the moment, because the
Heimdal implementation actually returns a krb5_error_code. These are
generally the same type anyway (int).
ticket: 7158 (new)
|
|
|
|
|
|
|
|
|
|
| |
krb5_set_trace_callback and krb5_set_trace_filename were added to
krb5.h in krb5 1.9, but were mistakenly left out of the library export
lists. Add them now. Reported by Russ Allbery.
ticket: 7143
target_version: 1.10.2
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Active Directory returns structured policy information in the
nominally UTF-8 result string field of a password change reply. Add a
new API krb5_chpw_message() to convert a result string into a
displayable message, interpreting policy information if present.
Patch from stefw@gnome.org with changes.
ticket: 7128
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25857 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rename krb5int_check_clockskew to krb5_check_clockskew and make it
public, in order to give kdcpreauth plugins a way to check timestamps
against the configured clock skew.
ticket: 6996
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25424 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
| |
Rename krb5int_find_authdata to krb5_find_authdata and make it public.
ticket: 6992
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25414 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
| |
krb5int_pac_sign was created as a private API because it is only
needed by the KDC. But it is actually used by DAL or authdata plugin
modules, not the core KDC code. Since plugin modules should not need
to consume internal libkrb5 functions, rename krb5int_pac_sign to
krb5_pac_sign and make it public.
ticket: 6974
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25325 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
| |
The interface has two built-in modules. The realm module guesses a
cache based on the server realm if it is known. The k5identity module
(Unix only) chooses a client principal based on rules in a .k5identity
file in the user's homedir.
ticket: 6957
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25158 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* krb5_cc_get_full_name retrieves the full type:name of a cache.
* krb5_cc_switch makes a cache the primary cache.
* krb5_cc_cache_match searches the collection for a client principal.
* krb5_free_string releases a string (for the krb5_cc_get_full_name
result).
All of these are from Heimdal except for krb5_free_string (Heimdal uses
krb5_xfree).
ticket: 6954
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25155 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
Also remove the erroneously added gssapi_err_krb5 error table sources.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25091 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
| |
krb5int_c_mandatory_cksumtype, krb5int_arcfour_gsscrypt gssapi32:
gss_pname_to_uid
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
Signed-off-by: Sam Hartman <hartmans@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25086 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25079 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
ticket: 6929
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25026 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
| |
principal name from a keytab. Used currently by vfy_increds.c (in
place of its static helper); will also be used when querying the name
of the default gss-krb5 acceptor cred.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24859 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Be more flexible about the principal names we will accept for a given
GSS acceptor name. Also add support for a new libdefaults profile
variable ignore_acceptor_hostname, which causes the hostnames of
host-based service principals to be ignored when passed by server
applications as acceptor names.
Note that we still always invoke krb5_sname_to_principal() when
importing a gss-krb5 mechanism name, even though we won't always use
the result. This is an unfortunate waste of getaddrinfo/getnameinfo
queries in some situations, but the code surgery necessary to defer
it appears too risky at this time.
The project proposal for this change is at:
http://k5wiki.kerberos.org/wiki/Projects/Acceptor_Names
ticket: 6855
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24616 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
| |
for consistency with KFW 3.x.
ticket: 6826
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24535 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Repair the Windows build. Tested with the prepare-on-Unix method.
Some specific changes include:
* Removed the IPC finalizer (no longer used after r20787) from
ccapi/lib/ccapi_ipc.c, as it was creating a difficult dependency
chain for the pingtest build in ccapi/test. Also updated pingtest
to use the k5_ipc_stream interfaces since cci_stream is gone.
* Reverted the apparently non-functional r20277.
* klist -V prints just "Kerberos for Windows", since it has no access
to PACKAGE_NAME and PACKAGE_VERSION from autoconf. This should be
addressed correctly.
* krb5, telnet, gssftp, and NIM are removed from the build.
* Some files had CRLFs; these were replaced with LFs and the
svn:eol-style property set on the files. Otherwise the CRLFs became
CRCRLFs after the zip transfer.
* Windows does not have opendir/readdir, so added Windows code to
prof_parse.c for includedir. Probable fodder for a libkrb5support
portability shim.
ticket: 6826
target_version: 1.9
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24533 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24013 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21964 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add static ordinals to DLL exports in krb5_32.def, xpprof32.def
gssapi32.def, and krb524.def.
Not added to k5sprt32.def as all of the functions are
private.
Not added to krb4_32.def as the library is not supported
as part of KFW.
ticket: new
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20024 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
| |
a sandbox to permit building of pkinit code on Windows.
ticket: 5645
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19819 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
| |
Export krb5_get_profile. Remove comment saying it should be
added and just do it.
ticket: new
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19818 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
r18922@cathode-dark-space: coffman | 2006-12-04 18:30:15 -0500
First cut at making the get_init_creds_opt structure extendable
and adding library functions to set options for preauthentication
plugins.
This does *not* include a compatibility function to work like
Heimdal's krb5_get_init_creds_opt_set_pkinit() function.
Hopefully, the test code that doesn't belong in kinit.c is
obvious.
r18929@cathode-dark-space: coffman | 2006-12-07 10:01:20 -0500
Remove extra "user_id" parameter.
Add function which duplicates the Heimdal interface (if we can agree on
what the matching attribute names should be).
r18934@cathode-dark-space: coffman | 2006-12-08 15:28:03 -0500
Update to use the simplified interface for krb5_get_init_creds_opt_set_pa()
Add code in kinit to process "-X" options as preauth options and pass
them along.
r18936@cathode-dark-space: coffman | 2006-12-11 12:04:26 -0500
Move prototypes for get_init_creds_opt_get_pa() and
krb5_get_init_creds_opt_free_pa() into the
preauth_plugin.h header rather than krb5.hin.
ticket: new
status: open
component: krb5-libs
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19127 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(private) and krb5_server_decrypt_ticket_keytab (public). These
functions take a krb5_ticket as input and decrypt it using the provided
key data. The public function is useful for higher level application
protocols such a TLS-KRB5 and AFS RX-KRB5 which exchange a service
but do not use the AP-REQ/AP-REP messages.
This commit also adds new functionality to kvno which permits kvno
when provided a keytab as input to verify whether or not the keytab
contains a key that can successfully decrypt the obtains service ticket.
ticket: 5349
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19062 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
krb5_get_init_creds_opt_set_change_password_prompt is a new
gic option that permits the prompter code to be skipped
when the password has expired. This option is meant to
be used by credential managers such as NetIDMgr and
Kerberos.app that have their own built in password change
dialogs.
This patch adds the new function, exports it on Windows,
and makes use of it within the Krb5 identity provider
for NetIDMgr.
The patch is written to ensure that no changes to the
krb5_get_init_creds_opt structure are required and
to ensure that the default behavior, prompting, is
maintained.
The export lists for UNIX and KFM must still be updated.
The function prototype was committed as part of ticket 3642.
ticket: new
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18954 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
function to fetch ops vector given ccache prefix string.
(krb5_cc_new_unique): New function to generate a new unique
ccache of a given type.
* src/include/krb5/krb5.hin: Prototype for krb5_cc_new_unique().
* src/lib/krb5/libkrb5.exports:
* src/lib/krb5_32.def: Add krb5_cc_new_unique().
ticket: 3091
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18857 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
| |
ticket: 4389
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18653 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tickets.
We do not yet accept tickets in which the server name changes.
* krb5_sname_to_principal: If there is no domain realm mapping return null realm
*krb5_get_cred_via_tkt: New behavior as described below
1) the referrals case:
- check for TGT for initial realm
- if a remote realm was specified (which must have happened via a
domain_realm mapping), obtain a TGT for it the standard way and
start with that.
- use client realm for server if not specified
- iterate through this loop:
- request ticket with referrals turned on
- if that fails:
- if this was the first request, punt to non-referrals case
- otherwise, retry once without referrals turned on then terminate
either way
- if it works, either use the service ticket or follow the referral path
- if loop count exceeded, hardfail
2) the nonreferrals case
- this is mostly the old walk_realm_tree TGT-finding (which allows
limited shortcut referrals per 4120) followed by a standard tgs-req.
- originally requested principal is used for this, although if we were
handed something without a realm, determine a fallback realm based on
DNS TXT records or a truncation of the domain name.
ticket: 2652
Owner: amb
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18598 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
| |
* src/lib/krb5/libkrb5.exports: Export krb5_copy_context.
* src/lib/krb5/krb/init_ctx.c (krb5_copy_context): Fix malloc
argument for nctx. Handle null default_ccname case.
ticket: 2856
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18229 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17780 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add krb5_c_prf, a function that implements the RFC 3961 PRF.
As part of this change, the krb5_init_keyblock and krb5 free routines
move to libk5crypto. Public stubs remain in libkrb5, but the actual
implementation is an internal interface in libk5crypto
ticket: new
Tags: enhancement
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17219 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This function simply reports whether or not ENABLE_THREADS was specified
at compile time. It is meant to be used by applications which need to
know whether or not multithread libraries must be initialized OR
whether or not calls to Kerberos library functions from multi-threaded
applications must be protected by an application global mutex.
ticket: new
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17003 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
| |
ticket: new
target_version: 1.4
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16960 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
and krb5_ser_unpack_int64 are considered private. Therefore, in order
for them to be used from within gssapi they must be added to the
krb5int_accessor mechanism. This allows us to not publicize their
existence via exportation on Windows or MacOSX.
ticket: new
tags: pullup
target_version: 1.3.2
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15941 dc483132-0cff-0310-8789-dd5450dbe970
|