summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* Redesign ASN.1 encoder engine, removing field_infoGreg Hudson2012-01-244-1718/+1373
| | | | | | | | | | | | | | | | | | | | | Replace the "field" half of the ASN.1 encoder machinery with several new struct atype_info types (offset, counted, and int_immediate) and a new counted_type machinery used exclusively for object/integer pairs. This change eliminates the two-way entanglement between atypes and fields, and makes the encoder more independent of RFC 4120 ASN.1 conventions. Defining sequences with the preprocessor macros is now slightly more cumbersome; we need to define a type for each field and then string them together with an array of struct atype_info *. But it's not so bad, and hopefully we can auto-generate some of this soon. *_optional functions now return a bitmask of sequence field offsets not present in the C type. This will need some more attention before we add decoding support to the engine, since it means sequence fields no longer know whether they are optional or not. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25657 dc483132-0cff-0310-8789-dd5450dbe970
* kadmin.local.8 belongs in ADMIN_mandirSam Hartman2012-01-131-1/+1
| | | | | | | | | | Install kadmin.local.8 in ADMIN_MANDIR not CLIENT_MANDIR ticket: 7073 tags: pullup target_version: 1.10 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25654 dc483132-0cff-0310-8789-dd5450dbe970
* Add shadow manpages for k5login.5 and k5identity.5Tom Yu2012-01-134-14/+133
| | | | | | | | | | | | Add shadow manpages dot.k5login and dot.k5identity for k5login.5 and k5identity.5. Stop generating .k5login.5 and .k5identity.5 from sphinx (these will be taken care of by make install in src/man). Add generated k5identity.5. Add SYNOPSIS sections to k5login.5 and k5identity.5 to make it more clear that the filenames start with a dot. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25653 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify integer loading in ASN.1 encodingGreg Hudson2012-01-132-41/+34
| | | | | | | Instead of defining an auxiliary load function for each integer type, just use its size and signedness to decide how to load it. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25651 dc483132-0cff-0310-8789-dd5450dbe970
* Add PKINIT decoder testsGreg Hudson2012-01-135-0/+484
| | | | | | | | | | | Add tests to krb5_decode_test.c for PKINIT types. Where the decoders do not match the encoders, include comments and hand-generated encodings which work with the decoder. Add a comment to asn1_k_encode.c documenting inconsistencies between the draft 9 PA-PK-AS-REQ spec and our encoder results. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25650 dc483132-0cff-0310-8789-dd5450dbe970
* Fix spurious clock skew caused by gak_fct delayGreg Hudson2012-01-111-5/+4
| | | | | | | | | | | | | | | | | | | In get_in_tkt.c, a time offset is computed between the KDC's auth_time and the current system time after the reply is decrypted. Time may have elapsed between these events because of a gak_fct invocation which blocks on user input. The resulting spurious time offset can cause subsequent TGS-REQs to fail and can also cause the end time of the next AS request to be in the past (issue #889) in cases where the old ccache is opened to find the default principal. Use the system time, without offset, for the request time of an AS request, for more predictable kinit behavior. Use this request time, rather than the current time, when computing the clock skew after the reply is decrypted. ticket: 7063 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25644 dc483132-0cff-0310-8789-dd5450dbe970
* Fix an allocation size bug in ASN.1 testsGreg Hudson2012-01-101-6/+3
| | | | | | | ktest_make_sample_pa_pk_as_req_draft9 was allocating the wrong size of objects for the trustedCertifiers array. Fix it. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25638 dc483132-0cff-0310-8789-dd5450dbe970
* Use DEFTAGGEDTYPE for FAST choice typesGreg Hudson2012-01-101-5/+10
| | | | | | | | | | | | | pa_fx_fast_request and pa_fx_fast_reply are defined in RFC 6113 as extensible choice types with only one choice, which means they encode as another type with a [0] tag wrapper. Use DEFTAGGEDTYPE to add this wrapper instead of DEFFIELDTYPE/FIELDOF_ENCODEAS, and add a comment describing why. After this change, all uses of DEFFIELDYPE are for dataptr/lenptr types or just simple offset transformations on the base pointer. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25635 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify asn1_decode_kdc_dh_key_infoGreg Hudson2012-01-101-6/+2
| | | | | | | | | Due to some lingering confusion, the last commit changing asn1_decode_kdc_dh_key_info was correct but overly complicated (and contained an incorrect comment). Change it to just use get_lenfield for subjectPublicKey. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25634 dc483132-0cff-0310-8789-dd5450dbe970
* Make dh_key_info encoder and decoder symmetricGreg Hudson2012-01-095-61/+42
| | | | | | | | | | | | The dh_key_info encoder expects subjectPublicKey to contain the contents of a bit string, but the decoder outputs the DER encoding of the bit string including tag. The PKINIT client code expects this, so everything works, but the encoder and decoder should be symmetric. Change the decoder to process the bit string (adding a bit string decoding primitive) and modify the PKINIT client code to expect only the bit string contents. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25626 dc483132-0cff-0310-8789-dd5450dbe970
* install sphinx-generated manpagesTom Yu2012-01-0943-11/+6736
| | | | | | | | | | | | | | | | | Install sphinx-generated manpages. Original nroff manpages remain for reference until proofreading is complete. Modify doc/rst_source/conf.py to better deal with shadow manpages -- sphinx will now build k5login.5 instead of .k5login.5, and kadmin.1 instead of both kadmin.1 and kadmin.local.8. Proofreaders should ensure that the original nroff manpages (and associated Makefile rules) are deleted once their reST format equivalents have been proofread. ticket: 7064 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25625 dc483132-0cff-0310-8789-dd5450dbe970
* Remove unneeded kdcRealm field in PKINIT structureGreg Hudson2012-01-085-8/+1
| | | | | | | | krb5_pk_authenticator_draft9 had a kdcRealm field which was set by the client code but never encoded or decoded. Remove it. Eliminating this field exposed a bug in auth_pack_draft9_optional; fix that. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25624 dc483132-0cff-0310-8789-dd5450dbe970
* Fix PKINIT serverDHNonce encodingGreg Hudson2012-01-083-10/+3
| | | | | | | | | | | Use an explicit tag for serverDHNonce, as specified in RFC 4556, rather than the implicit tag we historically used. This bug had no practical effect (and creates no interoperability issues) because we never generate a serverDHNonce. ticket: 7061 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25623 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up the asn1 encoder designGreg Hudson2012-01-083-226/+227
| | | | | | | | | | | | | | | | | Now that the PKINIT types have been converted and atype_fn has only one use, we can more easily modify the encoder so that any object can be encoded without its tag, which makes for a cleaner design. The basic building block is now krb5int_asn1_encode_type, which encodes the contents of a function and returns its tag information to the caller. atype_fn now has its own structure, and the encoder function it references follows the semantics of krb5int_asn1_encode_type. atype_opaque is now atype_der and goes with a new corresponding field type (field_der); stored DER encodings are parsed to separate the tag from the content. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25622 dc483132-0cff-0310-8789-dd5450dbe970
* Convert securid module edata methodGreg Hudson2012-01-071-4/+9
| | | | | | | | | | | | r25348 made modified the edata method of the kdcpreauth interface to be async-capable, but neglected to convert the securid_sam2 module's edata function. Do that now. ticket: 7060 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25621 dc483132-0cff-0310-8789-dd5450dbe970
* Remove some unneeded accessor fieldsGreg Hudson2012-01-076-52/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25620 dc483132-0cff-0310-8789-dd5450dbe970
* Remove some unused structures and encodersGreg Hudson2012-01-0718-592/+4
| | | | | | | | | | | krb5_alt_method was added in r6604 but never supported. krb5_pwd_data became unused when the Sandia kadmin system was replaced. krb5_pa_server_referral_data and krb5_pa_svr_referral_data were added in r21690 with internally-visible encoders which nothing uses. Leave behind structure declarations in krb5.hin for API compatibility. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25619 dc483132-0cff-0310-8789-dd5450dbe970
* Remove SAM encoders and structuresGreg Hudson2012-01-0716-889/+0
| | | | | | | | r24403 removed the old SAM support, but left behind the structures, free functions, and ASN.1 encoders/decoders. Remove those now. (SAM-2 support is still present.) git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25618 dc483132-0cff-0310-8789-dd5450dbe970
* Convert all remaining macro-coded ASN.1 encodersGreg Hudson2012-01-068-1026/+311
| | | | | | | | | | | Use data-driven encoders for all of the remaining types which still used macros (primarily PKINIT types), and get rid of the macros. Do not change any encoding behavior, but add some comments where behavior differs from the spec. DEFFNTYPE is now unused except for the kdc_req_body hack. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25617 dc483132-0cff-0310-8789-dd5450dbe970
* Add support for CHOICE in ASN.1 encoderGreg Hudson2012-01-062-0/+50
| | | | | | | | Add a new field type where the length offset indicates a distinguisher and the data offset indicates a union address. The field's type is an atype_choice containing a seq_info indexed by the distinguisher. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25616 dc483132-0cff-0310-8789-dd5450dbe970
* Factor out length retrieval in ASN.1 encoderGreg Hudson2012-01-061-71/+54
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25615 dc483132-0cff-0310-8789-dd5450dbe970
* Support implicit context tags in ASN.1 fieldsGreg Hudson2012-01-064-356/+418
| | | | | | | | | | | | | | | | | | | | | Add a field_info bit (the 32nd bit of the bitfields) indicating whether the context tag is implicit, and support it in encode_a_field. Adjust all field-generating macros and invocations to include the new bit (always 0 for the moment). For atype_tagged_thing, narrow the construction field to six bits and add an implicit bit. We could remove the construction field if it weren't for DEFOCTETWRAPPEDTYPE abusing atype_tagged_thing a little bit, since (normal) explicit tags are always constructed and implicit tag construction is computed from the base type. Given how rarely implicit tagging is used, it might be nice to have separate _IMPLICIT macros rather than an extra argument to every field. But we already have separate _OPT macros for optional fields and FIELDOF_STRING vs. FIELDOF_STRINGL, so we start to get a combinatoric explosion in the number of macros. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25614 dc483132-0cff-0310-8789-dd5450dbe970
* Support ASN.1 encoding without the outer tagGreg Hudson2012-01-061-113/+135
| | | | | | | | | | | | | | | | In order to support implicit tagging, make it possible to ASN.1-encode a value without its outer tag, instead remembering the construction bit of the omitted tag. A cleaner design would be to have separate functions for encoding a value's contents and its tag. However, we can't do that for atype_fn or atype_opaque, and the possible indirections between types and fields mean we want to stay at the "encode everything" level for as long as possible to allow implicit tagging of the largest possible subset of types. If we can get rid of atype_fn, we may be able to switch to the cleaner design with some adjustments to atype_opaque. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25613 dc483132-0cff-0310-8789-dd5450dbe970
* Use content-only ASN.1 primitivesGreg Hudson2012-01-063-339/+245
| | | | | | | | | | | | | | | As part of implicit tag support, rework ASN.1 encoding primitives so that they encode only content, not tags. Combine primitives which become identical with this change. The new atype_primitive type invokes a primitive encoder and adds a tag. atype_fn_len is split into atype_string and atype_opaque, both of which are hardcoded to use asn1_encode_bytestring. For the encoders still using macros, create asn1_addprimitive, asn1_addinteger, and asn1_addstring macros which call the primitive encoder function and add a tag. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25612 dc483132-0cff-0310-8789-dd5450dbe970
* Make ASN.1 struct atype_info more extensibleGreg Hudson2012-01-062-115/+161
| | | | | | | | | | Instead of including all of the possible type fields in struct atype_info, use a pointer to a type-specific structure. This might save a little space, but more importantly, if we get to the point of exposing this stuff across plugin APIs, it allows ASN.1 type information to be extensible via defining new atype_type values. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25611 dc483132-0cff-0310-8789-dd5450dbe970
* Add missing test cases for ASN.1 typesGreg Hudson2012-01-0610-3/+446
| | | | | | Add test cases for ASN.1 types which didn't previously have them. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25610 dc483132-0cff-0310-8789-dd5450dbe970
* Add test cases for PKINIT ASN.1 encodersGreg Hudson2012-01-068-15/+751
| | | | | | | | | | | | Do not add decode tests, because those would trip some bugs in the decoders, and we can't safely fix some of those bugs without interop testing. Encode tests are sufficient to detect when we unintentionally change the output of the encoders. Fix trval2() not to use the context shortcut on primitive context tags. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25609 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify and reformat ASN.1 test codeGreg Hudson2012-01-069-1754/+1191
| | | | | | Use abort-on-error memory allocation to reduce failure handling. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25608 dc483132-0cff-0310-8789-dd5450dbe970
* Fix asn1_encode_subject_pk_info without paramsGreg Hudson2012-01-061-2/+4
| | | | | | | | r20923 inadvertently broke asn1_encode_subject_pk_info in the case where algorithm.parameters.length == 0. Fortunately this case never happens, but fix it anyway. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25607 dc483132-0cff-0310-8789-dd5450dbe970
* Remove unused functions (older API residue) krb5_realm_iterator* and ↵Zhanna Tsitkov2012-01-047-174/+1
| | | | | | krb5_free_realm_string git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25606 dc483132-0cff-0310-8789-dd5450dbe970
* Fix implicit declaration in ksu for some buildsGreg Hudson2011-12-281-0/+1
| | | | | | | | | ksu's setenv implementation needs to include <string.h> for memcpy. Patch from basch@alum.mit.edu. ticket: 7057 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25605 dc483132-0cff-0310-8789-dd5450dbe970
* Fix an unlikely memory leak in r25591Greg Hudson2011-12-271-1/+1
| | | | | | ticket: 6936 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25604 dc483132-0cff-0310-8789-dd5450dbe970
* Stop using krb5_typed_data structure typeGreg Hudson2011-12-2118-94/+37
| | | | | | | | | | | | Use the krb5_pa_data structure type when encoding or decoding TYPED-DATA. Leave the krb5_typed_data structure definition in krb5.h with a comment saying not to use it. Remove krb5_free_typed_data (which was never declared in krb5.h). Remove some vestigial accessor stuff related to PKINIT encoding and decoding TYPED-DATA, which was unneeded since r25483. Bump the accessor structure version to 19 accordingly. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25601 dc483132-0cff-0310-8789-dd5450dbe970
* Stop using krb5_octet_dataGreg Hudson2011-12-2118-214/+242
| | | | | | | | For consistency with the rest of the code base, make PKINIT use krb5_data as a pointer/length container. Leave krb5_octet_data and krb5_free_octet_data behind for API compatibility. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25600 dc483132-0cff-0310-8789-dd5450dbe970
* Table of Contents.hhc -> Table_of_Contents.hhcGreg Hudson2011-12-202-2/+2
| | | | | | | | | Avoid using spaces in filenames as it makes searching the source tree less convenient on Unix. Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25598 dc483132-0cff-0310-8789-dd5450dbe970
* Fix make depend in unbuilt build treeGreg Hudson2011-12-173-0/+17
| | | | | | | Add dependency rules so that "make depend" succeeds from a fresh build tree. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25593 dc483132-0cff-0310-8789-dd5450dbe970
* Avoid using itertools.permutations in k5testGreg Hudson2011-12-171-2/+2
| | | | | | | | | | k5test is only supposed to require Python 2.4, but cross_realms uses itertools.permutations which is new in 2.6. Use a list display instead. ticket: 7054 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25592 dc483132-0cff-0310-8789-dd5450dbe970
* Do mech fallback for first SPNEGO context tokenGreg Hudson2011-12-161-8/+37
| | | | | | | | | | | | | | | | When producing the first SPNEGO security context token, if the first mechanism's init_sec_context fails, fall back to a later mechanism. This fixes a regression in 1.10 for SPNEGO initiators using non-krb5 credentials. The identity selection work causes errors to be deferred from krb5's acquire_cred in some cases, which means SPNEGO doesn't see an error until it tries the krb5 init_sec_context. ticket: 6936 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25591 dc483132-0cff-0310-8789-dd5450dbe970
* Verify acceptor's mech in SPNEGO initiatorGreg Hudson2011-12-162-78/+44
| | | | | | | | | | | | | | In spnego_gss_ctx_id_rec, store the set of negotiable mechanisms as well as the currently selected internal_mech, which becomes an alias into mech_set. In init_ctx_reselect, locate the acceptor's counter- proposal in sc->mech_set and consider the token defective if it is not found. ticket: 7053 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25590 dc483132-0cff-0310-8789-dd5450dbe970
* krb5_server_decrypt_ticket_keytab wrongly succeedsGreg Hudson2011-12-131-2/+1
| | | | | | | | | | | | If krb5_server_decrypt_ticket_keytab doesn't find a key of the appropriate enctype in an iterable keytab, it returns 0 (without decrypting the ticket) due to a misplaced initialization of retval. This bug causes kinit -k to claim "keytab entry valid" when it shouldn't. Reported by mark@mproehl.net. ticket: 7051 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25584 dc483132-0cff-0310-8789-dd5450dbe970
* kfw leash: fix bad data in get tickets dialog when -autoinit specifiedTom Yu2011-12-121-5/+5
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25583 dc483132-0cff-0310-8789-dd5450dbe970
* kfw leash help: fix/add aliases for command helpTom Yu2011-12-122-2/+8
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25582 dc483132-0cff-0310-8789-dd5450dbe970
* kfw: remove line breaks from html to fix table of contents generationTom Yu2011-12-1219-104/+52
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25581 dc483132-0cff-0310-8789-dd5450dbe970
* kfw installer: install leash help file (leash.chm)Tom Yu2011-12-122-11/+1
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25580 dc483132-0cff-0310-8789-dd5450dbe970
* kfw: "make install" installs htmlhelp (leash.chm)Tom Yu2011-12-121-0/+1
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25579 dc483132-0cff-0310-8789-dd5450dbe970
* kfw: use html help in leashTom Yu2011-12-122-10/+1
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25578 dc483132-0cff-0310-8789-dd5450dbe970
* kfw: leash htmlhelp file sourceTom Yu2011-12-12114-1/+4534
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25577 dc483132-0cff-0310-8789-dd5450dbe970
* kfw installer: add site-local.wxiTom Yu2011-12-121-0/+106
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25576 dc483132-0cff-0310-8789-dd5450dbe970
* kfw installer: leash32.pdb->leash.pdbTom Yu2011-12-121-2/+1
| | | | | | ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25575 dc483132-0cff-0310-8789-dd5450dbe970
* kfw: "make install" also installs pdbsTom Yu2011-12-121-0/+19
| | | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7050 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25574 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-28 17:27:02 +0000