path: root/src/include/krb5
Commit message | Author | Date | Files | Lines (-removed/+added)
* Document that krb5_get_error_message() never returns NULL
  Greg Hudson | 2010-10-05 | 1 file | -1/+3
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24430 dc483132-0cff-0310-8789-dd5450dbe970
* Constify the name field of a kadm5_hook vtable, since it holds a string literal.
  Greg Hudson | 2010-10-05 | 1 file | -1/+1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24426 dc483132-0cff-0310-8789-dd5450dbe970
* Add a name field to the pwqual plugin vtable and log pwqual module rejections.
  Greg Hudson | 2010-10-05 | 1 file | -0/+1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24425 dc483132-0cff-0310-8789-dd5450dbe970
* Document kadm5_hook interface
  Sam Hartman | 2010-10-05 | 1 file | -0/+20
  * krb5.conf
  * admin.texinfo
  * kadm5_hook_plugin.h: document initvt requirement
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24422 dc483132-0cff-0310-8789-dd5450dbe970
* A cleaner implementation of r24399 which adds two new auth context APIs (and is therefore less suitable for backporting to 1.8) but doesn't reach inside the auth context structure in the krb5 mechanism code.
  Greg Hudson | 2010-10-01 | 1 file | -0/+6
  ticket: 6768
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24400 dc483132-0cff-0310-8789-dd5450dbe970
* Whitespace
  Greg Hudson | 2010-09-30 | 1 file | -18/+17
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24392 dc483132-0cff-0310-8789-dd5450dbe970
* Whitespace and minor style changes
  Greg Hudson | 2010-09-30 | 1 file | -8/+11
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24390 dc483132-0cff-0310-8789-dd5450dbe970
* kadm5_hook: new plugin interface
  Sam Hartman | 2010-09-29 | 1 file | -0/+126
  Implement http://k5wiki.kerberos.org/wiki/Projects/Kadmin_hook_interface

  This provides an interface that allows a plugin to track kadmin operations. This can be used for projects like the krb5-sync project.
  ticket: 6791
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24375 dc483132-0cff-0310-8789-dd5450dbe970
* kpasswd: if a credential cache is present, use FAST
  Sam Hartman | 2010-09-27 | 1 file | -0/+17
  If a credentials cache is available, use it as an armor cache to enable FAST negotiation for kpasswd. This requires an attacker to attack both the user's long-term key for the old password as well as the ticket used for the armor cache in order to attack the password change. Depending on how the armor ticket is obtained, this may provide limited value. However, it provides users an easy option if they are concerned about their current password. Users can kinit with one principal to help protect changing the password of another principal.
  * krb5_get_init_creds_opt_set_fast_ccache: new API to set fast ccache based on a krb5_ccache object rather than a resolvable string
  * kpasswd: always open the current credential cache even if not needed for determining the principal. If the cache has tickets, use it as an armor cache.
  * tests/dejagnu/krb-standalone/kadmin.exp: Arrange to test new code path
  ticket: 6786
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24359 dc483132-0cff-0310-8789-dd5450dbe970
* Password quality pluggable interface
  Greg Hudson | 2010-09-01 | 1 file | -0/+109
  Merge branches/plugins2 to trunk. Adds a password quality pluggable interface described in this project page: http://k5wiki.kerberos.org/wiki/Projects/Password_quality_pluggable_interface
  ticket: 6765
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24284 dc483132-0cff-0310-8789-dd5450dbe970
* New plugin infrastructure
  Greg Hudson | 2010-08-27 | 1 file | -0/+48
  Merge domain-independent plugin framework code from branches/plugins2, leaving out the password quality interface.
  ticket: 6763
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24263 dc483132-0cff-0310-8789-dd5450dbe970
* Add GIC option for password/account expiration callback
  Greg Hudson | 2010-08-12 | 1 file | -0/+44
  Add a new GIC option to specify a callback to receive password and account expiration times found in an AS reply. See also: http://k5wiki.kerberos.org/wiki/Projects/Password_expiration_API
  ticket: 6755
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24241 dc483132-0cff-0310-8789-dd5450dbe970
* Trace logging
  Greg Hudson | 2010-06-07 | 1 file | -0/+34
  Add trace logging infrastructure code, enabled by the KRB5_TRACE environment variable or the API functions krb5_set_trace_callback() or krb5_set_trace_filename(). As a start, add tracing events for:
  * AS-REQ client code, including FAST and preauth
  * TGS-REQ client code
  * AP-REQ and AP-REP code (client and server)
  * sendto_kdc
  * Selected ccache operations
  * Selected keytab operations
  ticket: 6737
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24118 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_enctype_to_name() API
  Greg Hudson | 2010-06-04 | 1 file | -0/+2
  Add an API to return the input name, or optionally the shortest alias, of an enctype. Similar to krb5_enctype_to_string() which returns a description.
  ticket: 6736
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24117 dc483132-0cff-0310-8789-dd5450dbe970
* Reimplement krb5_get_in_tkt_with_skey in terms of krb5_get_init_creds, similar to how the password and keytab equivalents were done.
  Greg Hudson | 2010-05-12 | 1 file | -11/+0
  Eliminate krb5_get_in_tkt. It's been very hard to use since we made krb5_kdc_rep_decrypt_proc private (in krb5 1.7 the prototype was taken out of krb5.h altogether), and it's unlikely that anything would have used it directly in the first place.

  Remove and/or simplify a lot of code depended on by krb_get_in_tkt, including all of preauth.c.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24012 dc483132-0cff-0310-8789-dd5450dbe970
* Add IAKERB mechanism and gss_acquire_cred_with_password
  Greg Hudson | 2010-04-30 | 1 file | -0/+1
  Merge branches/iakerb to trunk. Includes the following:
  * New IAKERB mechanism.
  * New gss_acquire_cred_with_password mechglue function.
  * ASN.1 encoders and decoders for IAKERB structures (with tests).
  * New shortcuts in gss-sample client and server.
  * Tests to exercise SPNEGO and IAKERB using gss-sample application.
  ticket: 6712
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23960 dc483132-0cff-0310-8789-dd5450dbe970
* Add KRB5_INIT_CREDS_STEP_FLAG_CONTINUE for parity with Heimdal.
  Greg Hudson | 2010-04-20 | 1 file | -4/+6
  Rename KRB5_TKT_CREDS_CONTINUE to KRB5_TKT_CREDS_STEP_FLAG_CONTINUE for consistency. Adjust init_creds context to be less confusing in light of the above.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23906 dc483132-0cff-0310-8789-dd5450dbe970
* Introduce new krb5_tkt_creds API
  Greg Hudson | 2010-04-14 | 1 file | -0/+96
  Merged from branches/iakerb: add new asynchronous krb5_tkt_creds APIs, which allow a caller to take responsibility for transporting requests to the KDC and getting responses back. Rewrite the existing krb5_get_credentials API in terms of the new functions. Get rid of krb5_get_cred_from_kdc and friends, since they are no longer used.
  ticket: 6700
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23900 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_cc_dup() to make it possible to copy ccache handles
  Greg Hudson | 2010-04-08 | 1 file | -0/+7
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23874 dc483132-0cff-0310-8789-dd5450dbe970
* krb5_typed_data not castable to krb5_pa_data on 64-bit MacOSX
  Tom Yu | 2010-03-23 | 1 file | -0/+13
  Move krb5_typed_data to krb5.hin from k5-int-pkinit.h because krb5int_fast_process_error was assuming that it was safe to cast it to krb5_pa_data. It's not safe to do the cast on 64-bit MacOSX because krb5.hin uses #pragma pack on that platform.
  ticket: 6689
  target_version: 1.8.1
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23829 dc483132-0cff-0310-8789-dd5450dbe970
* Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
  Greg Hudson | 2010-03-20 | 1 file | -1/+1
  KRB5_AUTHDATA_SIGNTICKET, originally a Heimdal authorization data type, was used to implement PAC-less constrained delegation in krb5 1.8. Unfortunately, it was found that Microsoft was using 142 for other purposes, which could result in a ticket issued by an MIT or Heimdal KDC being rejected by a Windows Server 2008 R2 application server.

  Because KRB5_AUTHDATA_SIGNTICKET is only used to communicate among a realm's KDCs, it is relatively easy to change the number, so MIT and Heimdal are both migrating to a new number. This change will cause a transitional interoperability issue when a realm mixes MIT krb5 1.8 (or Heimdal 1.3.1) KDCs with MIT krb5 1.8.1 (or Heimdal 1.3.2) KDCs, but only for constrained delegation evidence tickets.
  ticket: 6687
  target_version: 1.8.1
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23821 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_allow_weak_crypto API
  Greg Hudson | 2010-01-19 | 1 file | -0/+5
  Add an API to allow apps to override the profile setting of allow_weak_crypto, so that aklog can work with krb5 1.8 out of the box until OpenAFS finishes migrating away from DES.
  ticket: 6645
  target_version: 1.8
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23663 dc483132-0cff-0310-8789-dd5450dbe970
* Bring back krb5_kt_free_entry which really does the same thing as krb5_free_keytab_entry_contents per discussion on krbdev in order to avoid breaking samba builds.
  Sam Hartman | 2010-01-04 | 1 file | -0/+5
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23581 dc483132-0cff-0310-8789-dd5450dbe970
* No comma at end of enumerator list
  Ken Raeburn | 2009-12-31 | 1 file | -2/+2
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23548 dc483132-0cff-0310-8789-dd5450dbe970
* Whitespace fixes for new anonymous support
  Greg Hudson | 2009-12-28 | 1 file | -10/+9
  ticket: 6607
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23528 dc483132-0cff-0310-8789-dd5450dbe970
* Anonymous support for Kerberos
  Sam Hartman | 2009-12-28 | 1 file | -5/+30
  This ticket implements Project/Anonymous pkinit from k5wiki. Provides support for completely anonymous principals and untested client support for realm-exposed anonymous authentication.
  * Introduce kinit -n
  * Introduce kadmin -n
  * krb5_get_init_creds_opt_set_out_ccache aliases the supplied ccache
  * No longer generate ad-initial-verified-cas in pkinit
  * Fix pkinit interactions with non-TGT authentication

  Merge remote branch 'anonymous' into trunk

  Conflicts:
    src/lib/krb5/krb/gic_opt.c
  ticket: 6607
  Tags: enhancement
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23527 dc483132-0cff-0310-8789-dd5450dbe970
* On Luke's advice, remove krb5_init_creds_store_creds. It is not a Heimdal API and its functionality is covered by krb5_get_init_creds_opt_set_out_ccache.
  Greg Hudson | 2009-12-15 | 1 file | -4/+0
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23469 dc483132-0cff-0310-8789-dd5450dbe970
* fast negotiation project
  Sam Hartman | 2009-12-14 | 1 file | -8/+53
  Merge branches/fast-negotiate into trunk. This implements http://k5wiki.kerberos.org/wiki/Projects/Fast_negotiation

  Additional changes:
  * krb5_c_make_checksum with checksum type 0 uses mandatory checksum for given key enctype

  Conflicts:
    src/lib/crypto/krb/make_checksum.c
  ticket: 6595
  Tags: enhancement
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23465 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_key versions of the auth context key accessors, and use them to simplify the gss-krb5 code a little bit.
  Greg Hudson | 2009-11-27 | 1 file | -0/+9
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23372 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_k_prf, the krb5_key version of krb5_c_prf
  Greg Hudson | 2009-11-27 | 1 file | -0/+3
  ticket: 6576
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23365 dc483132-0cff-0310-8789-dd5450dbe970
* libkrb5 support for non-blocking AS requests
  Greg Hudson | 2009-11-26 | 1 file | -0/+52
  Merge Luke's iakerb-libkrb5-as-only branch into trunk with several bug fixes. Adds support for the krb5_init_creds APIs (same as Heimdal's) which allow AS requests to be performed via a different transport than the blocking send_to_kdc.
  ticket: 6586
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23358 dc483132-0cff-0310-8789-dd5450dbe970
* Put krb5_auth_con_set_req_cksumtype back in the public API, since it is needed by the BSD applications which will be unbundled in 1.8.
  Greg Hudson | 2009-11-19 | 1 file | -0/+4
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23292 dc483132-0cff-0310-8789-dd5450dbe970
* Reindent include directory, reformatting prototypes as necessary.
  Greg Hudson | 2009-11-14 | 4 files | -1838/+1539
  Exclude include/gssrpc due to its Sun origin and k5-platform.h due to macros too hairy for emacs c-mode to handle.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23180 dc483132-0cff-0310-8789-dd5450dbe970
* Constrained delegation without PAC support
  Greg Hudson | 2009-11-14 | 1 file | -0/+3
  Merge Luke's users/lhoward/s4u2proxy branch to trunk. Implements a Heimdal-compatible mechanism for allowing constrained delegation without back-end support for PACs. Back-end support exists in LDAP only (via a new krbAllowedToDelegateTo attribute), not DB2.
  ticket: 6580
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23160 dc483132-0cff-0310-8789-dd5450dbe970
* make mark-cstyle
  Tom Yu | 2009-10-31 | 3 files | -46/+46
  make reindent
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
* Heimdal DB bridge plugin for KDC back end
  Greg Hudson | 2009-10-27 | 1 file | -0/+1
  Merge Luke's users/lhoward/heimmig branch to trunk. Implements a KDC back-end plugin which interfaces to a Heimdal HDB plugin.
  ticket: 6578
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23073 dc483132-0cff-0310-8789-dd5450dbe970
* Increment authdata SPI to V2 (V1 was experimental) to account for additional krbtgt key parameter. This was at Sam's suggestion.
  Luke Howard | 2009-10-21 | 1 file | -3/+3
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22958 dc483132-0cff-0310-8789-dd5450dbe970
* Implement new APIs to allow improved crypto performance
  Greg Hudson | 2009-10-19 | 1 file | -0/+69
  Merge branches/enc-perf to trunk. Adds the krb5_key opaque type, the krb5_k_* APIs to use them, and caching of derived keys when krb5_k_* functions are used. Updates the krb5 auth context and GSS id-rec to use krb5_keys.
  ticket: 6576
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22944 dc483132-0cff-0310-8789-dd5450dbe970
* Implement GSS naming extensions and authdata verification
  Greg Hudson | 2009-10-09 | 2 files | -6/+191
  Merge Luke's users/lhoward/authdata branch to trunk. Implements GSS naming extensions and verification of authorization data.
  ticket: 6572
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22875 dc483132-0cff-0310-8789-dd5450dbe970
* Implement s4u extensions
  Greg Hudson | 2009-09-13 | 1 file | -0/+9
  Merge Luke's users/lhoward/s4u branch to trunk. Implements S4U2Self and S4U2Proxy extensions.
  ticket: 6563
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22736 dc483132-0cff-0310-8789-dd5450dbe970
* Implement FAST from draft-ietf-krb-wg-preauth-framework
  Sam Hartman | 2009-03-31 | 2 files | -7/+55
  Merge fast branch at 22146 onto trunk. Implement the kerberos pre-authentication framework FAST feature per Projects/FAST on the wiki.
  ticket: 6436
  Target_Version: 1.7
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22149 dc483132-0cff-0310-8789-dd5450dbe970
* Implement KRB-FX-CF2
  Sam Hartman | 2009-03-16 | 1 file | -0/+15
  Draft-ietf-krb-wg-preauth-framework defines a function KRB-FX-CF2 that combines two keys of arbitrary enctype. Implement this function as an exported API.
  ticket: 6421
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22094 dc483132-0cff-0310-8789-dd5450dbe970
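The key combination this entry refers to, and the FAST armoring that the kpasswd entry further up this page relies on, as an added example in Python. It is not code from MIT krb5 or from this commit. It follows the KRB-FX-CF2 definition in RFC 6113 section 5.1 (the published form of draft-ietf-krb-wg-preauth-framework): each input key is expanded with PRF+ under its own pepper string and the two expansions are XORed. Everything else is a stand-in assumption made for the example: HMAC-SHA256 replaces the RFC 3961 enctype PRF, keys are fixed at 32 bytes, random-to-key is the identity, and the pepper strings in fast_armor_key() and fast_reply_key() are the ones RFC 6113 assigns to FAST armor and reply-key strengthening, not anything stated on this page. Because of the stand-in PRF, the outputs do not match libkrb5's krb5_c_fx_cf2_simple() for any real enctype.

```python
"""KRB-FX-CF2 key combination (RFC 6113 section 5.1), stand-alone illustration.

Added example, not MIT krb5 code.  Assumptions: HMAC-SHA256 stands in for the
enctype PRF, keys are KEY_LEN bytes, random-to-key is the identity.
"""
import hashlib
import hmac

KEY_LEN = 32  # key length of the stand-in enctype (assumption)


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for the RFC 3961 enctype PRF (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, pepper: bytes, length: int = KEY_LEN) -> bytes:
    """PRF+(K, S) = truncate(L, PRF(K, 0x01 || S) || PRF(K, 0x02 || S) || ...)

    A one-octet counter starting at 1 is prefixed to the pepper for each
    block, so a pepper longer than one PRF output still expands cleanly.
    """
    out = b""
    counter = 1
    while len(out) < length:
        out += prf(key, bytes([counter]) + pepper)
        counter += 1
    return out[:length]


def krb_fx_cf2(k1: bytes, k2: bytes, pepper1: bytes, pepper2: bytes) -> bytes:
    """KRB-FX-CF2(K1, K2, pepper1, pepper2)
         = random-to-key(PRF+(K1, pepper1) XOR PRF+(K2, pepper2))

    Each key is expanded with its own pepper and the expansions are XORed,
    so recovering the result requires knowing both K1 and K2: with only one
    of them the other expansion acts as a one-time pad over the output.
    """
    a = prf_plus(k1, pepper1)
    b = prf_plus(k2, pepper2)
    return bytes(x ^ y for x, y in zip(a, b))  # random-to-key: identity here


def fast_armor_key(subkey: bytes, ticket_session_key: bytes) -> bytes:
    """FAST armor key per RFC 6113 section 5.4.1.1 (pepper strings assumed
    from the RFC): KRB-FX-CF2(subkey, ticket session key,
    "subkeyarmor", "ticketarmor")."""
    return krb_fx_cf2(subkey, ticket_session_key, b"subkeyarmor", b"ticketarmor")


def fast_reply_key(strengthen_key: bytes, reply_key: bytes) -> bytes:
    """Strengthened AS reply key per RFC 6113 section 5.4.3 (pepper strings
    assumed from the RFC): KRB-FX-CF2(strengthen key, reply key,
    "strengthenkey", "replykey").  The reply key is derived from the user's
    long-term key; the strengthen key travels under the armor key, which is
    why an attacker needs both the password and the armor ticket."""
    return krb_fx_cf2(strengthen_key, reply_key, b"strengthenkey", b"replykey")


def degenerate_case(key: bytes) -> bytes:
    """Same key and same pepper on both sides: the XOR cancels to all zeros.
    This is why every use of KRB-FX-CF2 fixes two distinct pepper strings."""
    return krb_fx_cf2(key, key, b"same", b"same")


if __name__ == "__main__":
    # Constructed keys for the demonstration; not real Kerberos key material.
    subkey = bytes(range(32))
    session_key = bytes(range(32, 64))
    print("armor key:", fast_armor_key(subkey, session_key).hex())
    print("degenerate:", degenerate_case(subkey).hex())
```

The degenerate_case() function is the practitioner's caveat: KRB-FX-CF2 is only as good as its inputs being independent and its peppers being distinct. With equal keys and equal peppers the two PRF+ streams cancel and the combined key is all zeros, which is why the framework nails down a specific pepper pair for each use (armor key, reply-key strengthening, and so on) rather than leaving the choice to callers.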
* Make a working krb5_copy_error_message
  Greg Hudson | 2009-03-11 | 1 file | -0/+3
  The krb5_copy_error_state macro wasn't used, didn't work, and didn't need to be a macro. Replace it with an exported API function named krb5_copy_error_message.
  ticket: 6407
  target_version: 1.7
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22078 dc483132-0cff-0310-8789-dd5450dbe970
* Include authenticator and ticket authdata in gss-api
  Sam Hartman | 2009-02-26 | 1 file | -0/+8
  Currently, the GSS-API routines for handling authdata only extract the authorization data from the ticket, not that from the authenticator. This is incorrect. Introduce a new function krb5_merge_authadata to merge two authdata arrays into a newly allocated result array. Use this function in accept_sec_context.c to include both sets of authdata.
  ticket: 6400
  Target_version: 1.7
  Tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22056 dc483132-0cff-0310-8789-dd5450dbe970
* Merge mskrb-integ onto trunk
  Sam Hartman | 2009-01-03 | 2 files | -17/+216
  The mskrb-integ branch includes support for the following projects:
  * Projects/Aliases
  * Projects/PAC and principal APIs
  * Projects/AEAD encryption API
  * Projects/GSSAPI DCE
  * Projects/RFC 3244

  In addition, it includes support for enctype negotiation, and a variety of GSS-API extensions. In the KDC it includes support for protocol transition, constrained delegation and a new authorization data interface. The old authorization data interface is also supported.

  This commit merges the mskrb-integ branch on to the trunk. Additional review and testing is required.

  Merge commit 'mskrb-integ' into trunk
  ticket: new
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21690 dc483132-0cff-0310-8789-dd5450dbe970
* Revert r21589, and export krb5_get_fallback_host_realm instead
  Greg Hudson | 2008-12-29 | 1 file | -0/+4
  Rationale: Zephyr and AFS both use the Kerberos realm name as the name of the service realm (AFS realm or Zephyr galaxy). AFS can grab the Kerberos realm from the ticket being aklogged, but Zephyr is not necessarily getting credentials at all (you could be sending an unauthenticated message), and currently finds its answer by looking up the realm of the server host. Although we can't currently provide an accurate result for this lookup in the presence of referrals, we do need to provide enough tools to get as good of an answer as libzephyr could have gotten before referrals went in.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21631 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up krb5_get_fallback_host_realm in two respects:
  Greg Hudson | 2008-12-24 | 1 file | -4/+0
  1. It isn't exported from libkrb5 (and no one seems to complain about that). So give it a krb5int_ name and move its declaration to k5-int.h. Also stop exporting it from the collected client lib.
  2. It returned a list of realms, but its only caller assumes that the list contains exactly one realm. So just make it return a single realm.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21589 dc483132-0cff-0310-8789-dd5450dbe970
* Crypto IOV API per Projects/AEAD encryption API
  Sam Hartman | 2008-12-02 | 1 file | -0/+57
  Merge in the mskrb-crypto-iov branch at r21259 in order to move an implementation of http://k5wiki.kerberos.org/wiki/Projects/AEAD_encryption_API onto the trunk. This branch contains a subset of the commits on the mskrb-integ branch that implement the krb5 library part of the crypto IOV API.
  ticket: new
  Status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21263 dc483132-0cff-0310-8789-dd5450dbe970
* krb5_build_principal_va does not allocate krb5_principal
  Alexandra Ellwood | 2008-10-24 | 1 file | -1/+7
  krb5_build_principal_va does not allocate the outer krb5_principal, making it useless for generating krb5_principals which can be freed with krb5_free_principal.

  Added krb5_build_principal_alloc_va which allocates the krb5_principal. Added krb5int_build_principal_alloc_va which is used by KIM to avoid code duplication. KIM's kim_identity_create_from_components takes the first component as an argument because principals with no components cannot be represented with the KIM UI.

  Modified KIM to use this new API.
  ticket: new
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20918 dc483132-0cff-0310-8789-dd5450dbe970
* Merge 1.7 work on auxiliary ccache functions necessary for KIM. Adds krb5_cc_lock/unlock, krb5_cccol_lock/unlock, krb5_cc_last_change_time, krb5_cccol_last_change_time, krb5_cc_move, and adds pertype cursor support to some cache types
  Justin Anderson | 2008-09-22 | 1 file | -0/+25
  Locking functions work the same as the CCAPI cc_ccache_lock / cc_context_lock functions, though not as read/write locks.
  ticket: 6124
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20743 dc483132-0cff-0310-8789-dd5450dbe970