summaryrefslogtreecommitdiffstats
path: root/src/include/krb5
Commit message (Collapse)AuthorAgeFilesLines
* Replace "First introduced" with concise "New"Zhanna Tsitkov2013-03-251-37/+37
|
* Remove stray include in localauth_plugin.hGreg Hudson2013-03-111-1/+0
| | | | | This unnecessary include was causing build failures on some systems by making libkrb5 sources depend on gssapi.h.
* Add localauth pluggable interfaceGreg Hudson2013-03-091-0/+139
| | | | | | | | Add a new pluggable interface for local authorization, and replace the existing krb5_aname_to_localname and krb5_kuserok implementations with implementations based on the pluggable interface. ticket: 7583 (new)
* Add krb5_free_enctypes APIGreg Hudson2013-02-271-0/+13
| | | | | | | Rename krb5_free_ktypes to krb5_free_enctypes and add it to the public API. ticket: 7584
* Correct typo in krb5_responder_context_st descrZhanna Tsitkov2013-01-141-3/+4
| | | | responder_get_challenge() meant to be krb5_responder_get_challenge()
* Flesh out responder context doxygen markupGreg Hudson2013-01-111-0/+30
|
* Use [out] more sparingly in doxygen markupGreg Hudson2013-01-111-107/+107
| | | | | | | | | In krb5.hin doxygen markup, only use [out] or [in,out] when a function changes the entire value of what the parameter points to, not when the function mutates a larger object (especially an abstract object). Also remove a couple of incorrect [in] annotations, change a few parameter descriptions to be more consistent, and fix one typo.
* Better doxygen markup for RESPONDER_QUESTION_OTPZhanna Tsitkov2013-01-111-21/+23
| | | | | | Doxygen and, consequently, Sphinx gets confused with the KRB5_RESPONDER_QUESTION_OTP comment layout. Also, mark the output parameter of krb5_responder_set_answer().
* Make clpreauth flags function optionalGreg Hudson2012-12-191-3/+5
| | | | | | | | With one exception (KRB5_PADATA_PKINIT_KX), every padata type processed by a clpreauth module is now a real preauthentication type. Reduce the amount of boilerplate required for a clpreauth module by making the flags method optional if all of the preauth types advertised by the module are real.
* Separate clpreauth and kdcpreauth interfacesGreg Hudson2012-12-193-597/+678
| | | | | | | Since there is no overlap between the clpreauth and kdcpreauth interface declarations, there's no particular reason to combine them into one header. For backward compatibility and convenience, leave behind a preauth_plugin.h which includes both.
* Update comments for RFC 3244 kpasswd extensionsBen Kaduk2012-12-111-3/+4
| | | | | | | | | Remove the inaccurate comments "unused" and replace them with more useful representations of what they mean. ticket: 7490 (new) tags: pullup target_version: 1.11
* Document key usage assigned number conflictZhanna Tsitkov2012-11-301-11/+10
| | | | | | | | | | | | | | | | Document the fact that the key usage type 26 is used by both KBKRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST and KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST, while 27 - by KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY and KRB5_KEYUSAGE_PA_SAM_RESPONSE. Also, since KRB5_KEYUSAGE_PA_REFERRAL is not actually used in MIT Kerberos code and is not defined in the latest referrals draft (http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-referrals-15) mark it as "unused". ticket: 7474 tags: pullup target_version: 1.11
* Update doxygen markup in krb5.hinBen Kaduk2012-11-271-20/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A few places were using the standard C /* comment */ form, but this is rendered poorly by doxygen through to our Sphinx bridge. Use the special /**< comment */ form to get doxygen-specific behavior. If the standard C comment form is used, the full comment (including start and end markers) is included in the value of the macro, and Sphinx then tries to treat the end of the comment as the start of inline markup with no corresponding end-string, which is a warning. Using the doxygen form of the comment, the contents of the comment are put in a separate paragraph block, which is inserted in the body of the generated RST document. The markup for krb5_rd_priv() had a line that ended with an @c markup statement without a symbol following it. This confused doxygen into not parsing any more of the comment. The beginning of the next line is a macro identifier with markup to auto-linkify it. In RST, it is not possible to have a link and a terminal font on the same text, so removing the @c is the appropriate fix. There are also eleven deprecated functions which are replaced by the krb5_c_* family of functions. However, referring to this class of functions as the "krb5_c_" class of functions results in Sphinx attempting to interpret this statement as a link to a label elsewhere in the document, and no such label exists. To avoid this warning, use "krb5_c_*" to refer to the class of functions, which is arguably more correct anyways. ticket: 7447 tags: pullup target_version: 1.11
* Make krb5_trace_info a typedefBen Kaduk2012-11-271-5/+11
| | | | | | | | | | | | | Our doxygen-to-sphinx documentation bridge only processes typedefs and not structure definitions, since we almost universally use typedefs for our data structures. krb5_trace_info is the sole exception, so bring it into the fold. While here, flesh out the comment a bit more. ticket: 7447 tags: pullup target_version: 1.11
* Document krb5_get_init_creds_opt_set_in_ccacheZhanna Tsitkov2012-11-261-0/+2
| | | | | | | More specifically, document that this new API was first introduced in 1.11 ticket: 7460
* Reword krb5_unparse_name_ext doxygen markupGreg Hudson2012-11-201-5/+6
| | | | | | | | | | Avoid using asterix characters in the documentation for krb5_unparse_ext_name, since they get intepreted as markdown punctuation when translated to RST. ticket: 7452 (new) target_version: 1.11 tags: pullup
* Add Doxygen markup for Camellia enctype constantsGreg Hudson2012-11-161-4/+4
| | | | | | An RFC number has been assigned for the Camellia draft. Add Doxygen markup to the enctype and cksumtype constants pointing to the informational RFC.
* Correctly document krb5_unparse_name_extGreg Hudson2012-10-251-7/+13
| | | | | | ticket: 7431 target_version: 1.11 tags: pullup
* Add loop() kdcpreauth methodNathaniel McCallum2012-10-231-1/+12
| | | | | | | | [ghudson@mit.edu: avoid verto.h header dependency; minor fixes] ticket: 7426 (new) target_version: 1.11 tags: pullup
* Fix verto_ctx declaration in preauth_plugin.hGreg Hudson2012-10-231-1/+1
| | | | | | ticket: 7425 (new) target_version: 1.11 tags: pullup
* Correct typo in krb5_rd_req documentationGreg Hudson2012-10-231-1/+1
| | | | ticket: 7421
* Alter responder function signature for consistencyGreg Hudson2012-10-231-3/+3
| | | | | | | | | | For the responder callback signature, put the closure argument just after the context, and use KRB5_CALLCONV. These changes make the signature consistent with most other libkrb5 callbacks. ticket: 7419 (new) target_version: 1.11 tags: pullup
* Don't expose binary format in preauth otpNathaniel McCallum2012-10-191-1/+0
| | | | | | ticket: 7417 (new) target_version: 1.11 tags: pullup
* Add "pa_config_data" configuration to ccachesNalin Dahyabhai2012-10-171-0/+16
| | | | | | | | | | | * Read a "pa_config_data" item from an in_ccache, if provided, and add a callback which client preauth plugins can use to retrieve a string value from it that's keyed by a string. * Add a callback which client preauth plugins can use to provide string key/value pairs to be stored in the ccache. * Moves the definition of (struct krb5_clpreauth_rock_st) from k5-int.h to init_creds_ctx.h to try to reduce the number of files that will need to include k5-json.h to understand k5_json_value.
* Add an input ccache get_init_creds optionNalin Dahyabhai2012-10-161-0/+19
| | | | | | | | Add a krb5_get_init_creds_opt_set_in_ccache() function. An input ccache may hold configuration data which the client libraries can use to influence their decisions. ticket: 7413 (new)
* Avoid bit shifting in krb5.h constantsGreg Hudson2012-10-161-5/+5
| | | | | | Our traditional practice is to use hex integer literals for flag bits. Bit shifting can be dangerous because shifting into the sign bit is undefined. Convert existing bit shift expressions to hex literals.
* Handle concat OTP responder caseNathaniel McCallum2012-10-161-0/+9
|
* Add responder support to preauth_otpNathaniel McCallum2012-10-151-0/+126
|
* Add responder support to get_as_key()Nathaniel McCallum2012-10-122-0/+13
| | | | | This follows the design laid out on the project page: http://k5wiki.kerberos.org/wiki/Projects/Password_response_item
* De-conditionalize Camellia codeGreg Hudson2012-10-091-0/+4
| | | | | | | | | | The Camellia enctypes and cksumtypes have received IANA assignments. Add #defines using those assignments to krb5.h, remove the CAMELLIA conditional, and enable testing code as appropriate. The Camellia draft has not received an RFC number yet, so there is no Doxygen markup for the enctype and cksumtype #defines. That can be added once the RFC number is known.
* Add new api to Sphinx doc; doc introduced versionZhanna Tsitkov2012-09-111-1/+9
|
* Add responder feature for initial cred exchangesNathaniel McCallum2012-09-112-1/+107
| | | | | | | | | | | | | | | | | | | | | | | Add new APIs: * krb5_get_init_creds_opt_set_responder * krb5_responder_get_challenge * krb5_responder_list_questions * krb5_responder_set_answer If a caller sets a responder, it will be invoked after preauth modules have had a chance to review their incoming padata but before they produce outgoing padata. The responder will be presented a set of questions with optional challenges. The responder should then answer all questions it knows how to handle. Both the answers and the challenges are printable UTF-8 and may contain encoded, structured data specific to the question asked. Add two new callbacks and one optional method to the clpreauth interface. The new method (prep_questions) allows modules to ask questions by setting them in the responder context using one of the new callbacks (ask_responder_question). The other new callback (get_responder_answer) is used by the process method to read the answers to the questions asked. ticket: 7355 (new)
* Doc newly introduced padata types for OTP supportZhanna Tsitkov2012-08-231-7/+6
| | | | | Remove KRB5_PADATA_OTP_CONFIRM pre-authentication data (padata) type as it is marked as OBSOLETE in RFC 6560.
* Add otp client preauth pluginNathaniel McCallum2012-08-231-0/+5
| | | | | | | Implements the client side of RFC 6560. Not all features are implemented, but it should work for the most common cases. ticket: 7242 (new)
* Doc introduced version for krb5_kt_client_defaultZhanna Tsitkov2012-07-161-0/+2
|
* Add krb5_kt_client_default APIGreg Hudson2012-07-021-0/+16
| | | | | | | | | | | | | | | | The default client keytab is intended to be used to automatically acquire initial credentials for client applications. The current hardcoded default is a placeholder, and will likely change before 1.11. Add test framework settings to ensure that a system default client keytab doesn't interfere with tests, and to allow tests to be written to deliberately use the default client keytab. Add documentation about keytabs to the concepts section of the RST docs, and describe the default client keytab there. ticket: 7188 (new)
* Correct and clarify keytab API documentationGreg Hudson2012-06-291-12/+12
|
* Document how to free krb5_cc_get_full_name resultGreg Hudson2012-06-201-0/+2
| | | | | | | | Also, in klist, use the appropriate libkrb5 free functions for krb5_cc_get_full_name and krb5_unparse_name_results. Reported by Kevin Wasserman. ticket: 7179
* Document version for new API functionsZhanna Tsitkov2012-06-151-0/+4
|
* Add krb5_cccol_have_content APIGreg Hudson2012-06-151-0/+11
| | | | | | | Add a new API to determine whether any krb5 credentials are available in the ccache collection. Add tests to t_cccol.py. ticket: 7173 (new)
* Add krb5_kt_have_content APIGreg Hudson2012-06-021-0/+12
| | | | | | | | | | | | | Add the krb5_kt_have_content API from Heimdal, which can be used to test whether a keytab exists and contains entries. Add tests to t_keytab.c. There is a deviation from Heimdal in the function signature. Heimdal's signature returns a krb5_boolean at the moment, because the Heimdal implementation actually returns a krb5_error_code. These are generally the same type anyway (int). ticket: 7158 (new)
* Add krb5_parse_name flag to ignore realmGreg Hudson2012-05-101-0/+7
| | | | | | | | | | The flag KRB5_PRINCIPAL_PARSE_IGNORE_REALM causes krb5_parse_name to return the principal with an empty realm whether or not a realm is present in the name. ticket: 7129 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25862 dc483132-0cff-0310-8789-dd5450dbe970
* Rewrite krb5_parse_nameGreg Hudson2012-05-101-7/+10
| | | | | | | | | krb5_parse_name started out a bit unwieldy, and has become more so with the introduction of flags. Rewrite it using two passes (allocate and fill), each broken out into its own helper, and a wrapper which handles the realm flags. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25861 dc483132-0cff-0310-8789-dd5450dbe970
* Constify get_init_creds string input paramsGreg Hudson2012-05-091-5/+6
| | | | | | | | | | | | The get_init_creds functions take read-only string input parameters for passwords and initial ticket services. Make these const char * parameters instead of just char * parameters, for caller convenience. Reported by rra@stanford.edu. ticket: 7121 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25858 dc483132-0cff-0310-8789-dd5450dbe970
* Add API to interpret changepw result stringsGreg Hudson2012-05-091-0/+26
| | | | | | | | | | | | | Active Directory returns structured policy information in the nominally UTF-8 result string field of a password change reply. Add a new API krb5_chpw_message() to convert a result string into a displayable message, interpreting policy information if present. Patch from stefw@gnome.org with changes. ticket: 7128 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25857 dc483132-0cff-0310-8789-dd5450dbe970
* Try all host keys by default in vfy_incredsGreg Hudson2012-05-031-15/+16
| | | | | | | | | | | | | | | Factor out the core code of krb5_verify_init_creds into a helper, add new helper functions to retrieve the list of unique host principals from a keytab, and make krb5_verify_init_creds drive the helper once per host principal. Augment the test harness and test cases to better test the new behavior. Add a k5test method to retrieve an NFS principal for the test realm for the sake of the new test cases. ticket: 7125 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25845 dc483132-0cff-0310-8789-dd5450dbe970
* Stop using SALT_TYPE_AFS_LENGTHGreg Hudson2012-04-271-6/+1
| | | | | | | | | | | | In krb5_init_creds_ctx and krb5_clpreauth_rock_st, use a boolean to track whether we're still using the default salt instead of overloading salt.length. In preauth2.c, process afs3 salt values like we would in krb5int_des_string_to_key, and set an s2kparams indicator instead of overloading salt.length. Also use an s2kparams indicator in kdb_cpw.c's add_key_pwd. Remove the s2k code to handle overloaded salt lengths, except for a sanity check. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25837 dc483132-0cff-0310-8789-dd5450dbe970
* Add Doxygen markup to API functions that were introduced in 1.9 releaseZhanna Tsitkov2012-04-191-0/+26
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25814 dc483132-0cff-0310-8789-dd5450dbe970
* Add Doxygen markup to API functions that were introduced in 1.10 releaseZhanna Tsitkov2012-04-171-0/+15
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25810 dc483132-0cff-0310-8789-dd5450dbe970
* Allow preauth mechs to work with clock skewGreg Hudson2012-04-171-0/+18
| | | | | | | | | | | | | | | Add a clpreauth callback which gets the time of day using an offset determined by the preauth-required error, and use it in encrypted timestamp and encrypted challenge. This timestamp is not necessarily authenticated, but the security consequences for those preauth mechs are minor (and can be mitigated by turning off kdc_timesync on clients). Based on a patch from Stef Walter. ticket: 7114 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25808 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2026-01-07 11:55:33 +0000