summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* Enable sam_challenge_2 encodersSam Hartman2010-10-013-6/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24404 dc483132-0cff-0310-8789-dd5450dbe970
* Remove support for the old pa-sam-challenge and pa-sam-responseSam Hartman2010-10-012-1020/+46
| | | | | | | | | preauth type per discussion on krbdev. The pa-sam-challenge-2 code remains in the client. preauth: remove pa-sam-challenge git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24403 dc483132-0cff-0310-8789-dd5450dbe970
* Implement k5login_directory and k5login_authoritative optionsGreg Hudson2010-10-013-85/+134
| | | | | | | | Add and document two new options for controlling k5login behavior. ticket: 6792 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24402 dc483132-0cff-0310-8789-dd5450dbe970
* Add a simple test harness for kuserok. Build it during make check butGreg Hudson2010-10-012-2/+66
| | | | | | don't run any automated tests for the moment. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24401 dc483132-0cff-0310-8789-dd5450dbe970
* A cleaner impleentation of r24399 which adds two new auth context APIsGreg Hudson2010-10-014-4/+35
| | | | | | | | | (and is therefore less suitable for backporting to 1.8) but doesn't reach inside the auth context structure in the krb5 mechanism code. ticket: 6768 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24400 dc483132-0cff-0310-8789-dd5450dbe970
* GSSAPI forwarded credentials must be encrypted in session keyGreg Hudson2010-10-011-3/+11
| | | | | | | | | | | | | | | When IAKERB support was added, the krb5_mk_req checksum function gained access to the send subkey. This caused GSSAPI forwarded credentials to be encrypted in the subkey, which violates RFC 4121 section 4.1.1 and is not accepted by Microsoft's implementation. Temporarily null out the send subkey in the auth context so that krb5_mk_ncred uses the session key instead. ticket: 6768 target_version: 1.8.4 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24399 dc483132-0cff-0310-8789-dd5450dbe970
* WhitespaceGreg Hudson2010-09-303-15/+12
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24393 dc483132-0cff-0310-8789-dd5450dbe970
* WhitespaceGreg Hudson2010-09-303-60/+47
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24392 dc483132-0cff-0310-8789-dd5450dbe970
* Use a different construction for defaulting ks_tuple and n_ks_tuple inGreg Hudson2010-09-301-33/+31
| | | | | | | the libkadm5 server principal routines, to avoid repeated conditional expressions. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24391 dc483132-0cff-0310-8789-dd5450dbe970
* Whitespace and minor style changesGreg Hudson2010-09-303-23/+28
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24390 dc483132-0cff-0310-8789-dd5450dbe970
* Follow-on to r24258: initialize the new k5e1 error table where weGreg Hudson2010-09-293-0/+4
| | | | | | | | initialize the krb5 error table, and add initialize_k5e1_error_table to the libkrb5 exports list for consistency with the other error tables. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24378 dc483132-0cff-0310-8789-dd5450dbe970
* make dependSam Hartman2010-09-295-4/+61
| | | | | | Add kadm5_hook test plugin to toplevel Makefile.in git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24377 dc483132-0cff-0310-8789-dd5450dbe970
* Automated tests for kadm5_hook pluginSam Hartman2010-09-297-0/+169
| | | | | | Include a k5test Python test and test plugin for the kadm5_hook interface. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24376 dc483132-0cff-0310-8789-dd5450dbe970
* kadm5_hook: new plugin interfaceSam Hartman2010-09-298-11/+451
| | | | | | | | | | | Implement http://k5wiki.kerberos.org/wiki/Projects/Kadmin_hook_interface This provides an interface that allows a plugin to track kadmin operations. This can be used for projects like the krb5-sync project. ticket: 6791 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24375 dc483132-0cff-0310-8789-dd5450dbe970
* Make krb5_dbe_def_search_enctype skip key data entries with invalidGreg Hudson2010-09-281-6/+4
| | | | | | | | | | | | enctypes instead of erroring out on them. We had this behavior prior to 1.8 (more by accident than by design), but it changed as a side-effect of r23599. ticket: 6790 target_version: 1.8.4 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24370 dc483132-0cff-0310-8789-dd5450dbe970
* Use IAKERB OID header for all IAKERB messages including AP-REQLuke Howard2010-09-274-4/+16
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24363 dc483132-0cff-0310-8789-dd5450dbe970
* Doxygen for k5-buf.hSam Hartman2010-09-271-9/+9
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24360 dc483132-0cff-0310-8789-dd5450dbe970
* kpasswd: if a credential cache is present, use FASTSam Hartman2010-09-275-27/+76
| | | | | | | | | | | | | | | | If a credentials cache is available, use it as an armor cache to enable FAST negotiation for kpasswd. This requires an attacker to attack both the user's long-term key for the old password as well as the ticket used for the armor cache in order to attack the password change. Depending on how the armor ticket is obtained, this may provide limited value. However, it provides users an easy option if they are concerned about their current password. Users can kinit with one principal to help protect changing the password of another principal. * krb5_get_init_creds_opt_set_fast_ccache: new API to set fast ccache based on a krb5_ccache object rather than a resolvable string * kpasswd: always open the current credential cache even if not needed for determining the principal. If the cache has tickets, use it as an armor cache. * tests/dejagnu/krb-standalone/kadmin.exp: Arrange to test new code path ticket: 6786 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24359 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify acquire_accept_cred very slightly, avoiding some long linesGreg Hudson2010-09-271-7/+6
| | | | | | and repeated macro calls. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24357 dc483132-0cff-0310-8789-dd5450dbe970
* Add gss_krb5_import_credGreg Hudson2010-09-2715-296/+659
| | | | | | | | | | | | Add gss_krb5_import_cred from Heimdal; allows krb5 creds to be acquired from a keytab or ccache into a GSSAPI credential without using global process or thread variables. Merged from the users/lhoward/import-cred branch. ticket: 6785 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24356 dc483132-0cff-0310-8789-dd5450dbe970
* Initialize kdb5_ldap_util's context with kadm5_init_krb5_context, likeGreg Hudson2010-09-221-1/+1
| | | | | | | kdb5_util does, in order to get the KDC profile settings as well as the regular krb5 profile settings. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24337 dc483132-0cff-0310-8789-dd5450dbe970
* relicense Sun RPC to 3-clause BSD-styleTom Yu2010-09-2253-1222/+1334
| | | | | | | | | Per e-mail from Wim Coekaerts, Oracle America authorizes the relicensing of Sun RPC to 3-clause BSD-style. ticket: 6784 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24336 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust the k5login man page to have a slightly more neutral toneGreg Hudson2010-09-201-12/+11
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24335 dc483132-0cff-0310-8789-dd5450dbe970
* Slight revisions to create_workers() in the KDC:Greg Hudson2010-09-191-6/+9
| | | | | | | | | * Use calloc() to allocate the pids array; squashes a Coverity false positive. * Don't leak the pids array in worker processes. * Use consistent terminology in comments. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24329 dc483132-0cff-0310-8789-dd5450dbe970
* KDC worker processes featureGreg Hudson2010-09-177-13/+168
| | | | | | | | | | Add support for a krb5kdc -w option which causes the KDC to spawn worker processes which can process requests in parallel. See also: http://k5wiki.kerberos.org/wiki/Projects/Parallel_KDC ticket: 6783 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24328 dc483132-0cff-0310-8789-dd5450dbe970
* Add an extra arguments parameter to k5test's realm.start_kdc()Greg Hudson2010-09-171-4/+5
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24327 dc483132-0cff-0310-8789-dd5450dbe970
* In kinit_kdb_init(), ensure that we don't return an error with theGreg Hudson2010-09-171-1/+3
| | | | | | | old, freed value of *pcontext still there--that would result in a double free. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24326 dc483132-0cff-0310-8789-dd5450dbe970
* Follow-on to r24315: remove get/set_mkey_list from export list ofGreg Hudson2010-09-161-2/+0
| | | | | | libkdb_ldap. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24324 dc483132-0cff-0310-8789-dd5450dbe970
* In the PKINIT OpenSSL crypto code, use a signed int to hold the resultGreg Hudson2010-09-151-3/+3
| | | | | | | | | of X509_get_ext_by_NID so we can detect negative return values. Reported by nalin@redhat.com. ticket: 6774 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24323 dc483132-0cff-0310-8789-dd5450dbe970
* WhitespaceGreg Hudson2010-09-153-25/+29
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24322 dc483132-0cff-0310-8789-dd5450dbe970
* Add a license statement to the new extern.h in kinit, use an includeGreg Hudson2010-09-151-6/+35
| | | | | | | blocker which does not impinge on the system's symbol namespace, and use the recommended formatting for function prototypes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24319 dc483132-0cff-0310-8789-dd5450dbe970
* WhitespaceGreg Hudson2010-09-151-26/+29
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24318 dc483132-0cff-0310-8789-dd5450dbe970
* Formatting fixGreg Hudson2010-09-151-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24317 dc483132-0cff-0310-8789-dd5450dbe970
* kinit: add KDB keytab supportSam Hartman2010-09-156-6/+103
| | | | | | | | | | | | | | | | | This implements http://k5wiki.kerberos.org/Projects/What_does_God_need_with_a_password. If the KDB keytab is selected by command line options, then kinit will register the KDB keytab and open the database. This permits an administrator to obtain tickets as a user without knowing that user's password. As a result kinit links against libkadm5srv and libkdb5. Discussion is ongoing about whether this is desirable or about whether two versions of kinit are required. ticket: 6779 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24316 dc483132-0cff-0310-8789-dd5450dbe970
* Remove dead code from DAL and kdb pluginsSam Hartman2010-09-159-143/+0
| | | | | | kdb: remove get/set_mkey_list git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24315 dc483132-0cff-0310-8789-dd5450dbe970
* kdb: store mkey list in context and permit NULL mkey for ↵Sam Hartman2010-09-1513-250/+114
| | | | | | | | | | | | | | | | | | | | | | | | kdb_dbe_decrypt_key_data Previously, code needed to run a loop to find the current master key, possibly fetch a new master key list and try finding the master key again around each key decryption. This was not universally done; there are cases where only the current master key was used. In addition, the correct ideom for decrypting key data is too complicated and is potentially unavailable to plugins that do not have access to the master key. Instead, store the master key list in the dal_handle whenever it is fetched and permit a NULL master key for krb5_dbe_decrypt_key_data. * Remove APIs for krb5_db_{get|set}_mkey_list * krb5_db_fetch_mkey_list: memoize master key list in dal_handle * krb5_db_free_mkey_list: don't free the memoized list; arrange for it to be freed later * krb5_dbe_decrypt_key_data: Search for correct master key on NULL argument * change call sites to take advantage ticket: 6778 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24314 dc483132-0cff-0310-8789-dd5450dbe970
* In the PKINIT OpenSSL code, ensure that appropriate cerficiate fieldsGreg Hudson2010-09-151-0/+2
| | | | | | | | have been set before using ku_reject. Patch from nalin@redhat.com. ticket: 6775 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24313 dc483132-0cff-0310-8789-dd5450dbe970
* Use correct CRL stack macros in pkinit OpenSSL code. Patch from OlafGreg Hudson2010-09-151-3/+3
| | | | | | | | Flebbe. ticket: 6776 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24312 dc483132-0cff-0310-8789-dd5450dbe970
* WhitespaceGreg Hudson2010-09-151-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24311 dc483132-0cff-0310-8789-dd5450dbe970
* Fix warnings in encrypt_key and decrypt_key. Avoid a segfault if NULLSam Hartman2010-09-152-6/+10
| | | | | | | | master key is passed into default decryption function. kdb: fix warnings git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24310 dc483132-0cff-0310-8789-dd5450dbe970
* In krb5_sname_to_principal, correctly handle failures fromGreg Hudson2010-09-151-2/+2
| | | | | | | | krb5_build_principal. ticket: 6777 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24309 dc483132-0cff-0310-8789-dd5450dbe970
* Allow a zero checksum type to be passed into krb5_k_verify_checksum_iov;Luke Howard2010-09-091-0/+6
| | | | | | | | this indicates that the mandatory checksum type for the key is to be used. This interface is necessary because there is no public interface through which the mandatory checksum type for an encryption type can be determined. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24304 dc483132-0cff-0310-8789-dd5450dbe970
* krb5_k_make_checksum will use the mandatory checksum type if 0 isLuke Howard2010-09-091-0/+6
| | | | | | | | passed in as the checksum type; however krb5_k_make_checksum_iov does not support this. Add the same logic for the behaviour is consistent. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24303 dc483132-0cff-0310-8789-dd5450dbe970
* Add dummy camellia subdir to openssl back end makefileGreg Hudson2010-09-081-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24299 dc483132-0cff-0310-8789-dd5450dbe970
* Make dependGreg Hudson2010-09-0855-1306/+1756
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24298 dc483132-0cff-0310-8789-dd5450dbe970
* Don't build the built-in Camellia block cipher code if Camellia-CCMGreg Hudson2010-09-082-0/+10
| | | | | | enctypes aren't enabled. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24297 dc483132-0cff-0310-8789-dd5450dbe970
* X509_verify_cert can return without setting cert_ctx.current_cert. IfGreg Hudson2010-09-081-2/+5
| | | | | | | it does, don't dereference a null pointer when creating the pkiDebug message. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24296 dc483132-0cff-0310-8789-dd5450dbe970
* Merge the camellia-ccm branch to trunk. Since there are no IANAGreg Hudson2010-09-0763-333/+6298
| | | | | | | | | assignments for Camellia-CCM enctypes or cksumtypes yet, they are disabled in a default build. They can be made available by defining (via CPPFLAGS) local-use enctype numbers for the enctypes and cksumtypes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24295 dc483132-0cff-0310-8789-dd5450dbe970
* Ensure valid key in krb5int_yarrow_cipher_encrypt_blockEzra Peisach2010-09-041-0/+6
| | | | | | | | | | Under low memory conditions (or when testing memory allocation failures), the key pointer will be 0 - and not initialized. Test and return failure before deref a NULL. ticket: 6772 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24292 dc483132-0cff-0310-8789-dd5450dbe970
* Fix memory leaks in kdb5_verifyEzra Peisach2010-09-041-0/+2
| | | | | | | | Minor leaks. Just cleaning up code. ticket: 6771 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24291 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-10-01 23:40:52 +0000