path: root/src/include
Commit message | Author | Age | Files | Lines
...
* Convert all remaining macro-coded ASN.1 encoders | Greg Hudson | 2012-01-06 | 2 | -9/+9
  Use data-driven encoders for all of the remaining types which still used macros (primarily PKINIT types), and get rid of the macros. Do not change any encoding behavior, but add some comments where behavior differs from the spec. DEFFNTYPE is now unused except for the kdc_req_body hack.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25617 dc483132-0cff-0310-8789-dd5450dbe970
* Remove unused functions (older API residue) krb5_realm_iterator* and krb5_free_realm_string | Zhanna Tsitkov | 2012-01-04 | 1 | -14/+0
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25606 dc483132-0cff-0310-8789-dd5450dbe970
* Stop using krb5_typed_data structure type | Greg Hudson | 2011-12-21 | 3 | -21/+8
  Use the krb5_pa_data structure type when encoding or decoding TYPED-DATA. Leave the krb5_typed_data structure definition in krb5.h with a comment saying not to use it. Remove krb5_free_typed_data (which was never declared in krb5.h). Remove some vestigial accessor stuff related to PKINIT encoding and decoding TYPED-DATA, which was unneeded since r25483. Bump the accessor structure version to 19 accordingly.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25601 dc483132-0cff-0310-8789-dd5450dbe970
* Stop using krb5_octet_data | Greg Hudson | 2011-12-21 | 2 | -35/+28
  For consistency with the rest of the code base, make PKINIT use krb5_data as a pointer/length container. Leave krb5_octet_data and krb5_free_octet_data behind for API compatibility.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25600 dc483132-0cff-0310-8789-dd5450dbe970
* Corrected the name of KRB5_NT_SRV_HST macro. Added some doxygen comments | Zhanna Tsitkov | 2011-12-12 | 1 | -30/+21
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25537 dc483132-0cff-0310-8789-dd5450dbe970
* Allow null server key to krb5_pac_verify | Greg Hudson | 2011-12-07 | 1 | -3/+3
  When the KDC verifies a PAC, it doesn't really need to check the server signature, since it can't trust that anyway. Allow the caller to pass only a TGT key.
  ticket: 7048
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970
* Allow S4U2Proxy delegated credentials to be saved | Greg Hudson | 2011-12-07 | 1 | -0/+3
  The initial implementation of client-side S4U2Proxy support did not allow delegated proxy credentials to be stored (gss_store_cred would error out, and gss_krb5_copy_ccache would generate a non-working cache). To make this work, we save the impersonator name in a cache config variable and in a cred structure field (replacing the proxy_cred flag), and make the default principal of the proxy cache the subject principal as the caller would expect for a regular delegated cred.
  ticket: 7046
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25529 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up client-side preauth error data handling | Greg Hudson | 2011-11-21 | 2 | -7/+13
  Change the clpreauth tryagain method to accept a list of pa-data, taken either from the FAST response or from decoding the e_data as either pa-data or typed-data. Also change the in_padata argument to contain just the type of the request padata rather than the whole element, since modules generally shouldn't care about the contents of their request padata (or they can remember it). In krb5int_fast_process_error, no longer re-encode FAST pa-data as typed-data for the inner error e_data, but decode traditional error e_data for all error types, and try both pa-data and typed-data encoding. In PKINIT, try all elements of the new pa-data list, since it may contain FAST elements as well as the actual PKINIT array. (Fixes an outstanding bug in FAST PKINIT.)
  ticket: 7023
  target_version: 1.10
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25483 dc483132-0cff-0310-8789-dd5450dbe970
* Improve documentation in preauth_plugin.h | Greg Hudson | 2011-11-19 | 1 | -6/+15
  Also declare the verto_context structure to ensure that it has the proper scope when used as the return type of the event_context callback.
  ticket: 7019
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25479 dc483132-0cff-0310-8789-dd5450dbe970
* Make verto context available to kdcpreauth modules | Greg Hudson | 2011-11-15 | 2 | -1/+6
  Add an event_context callback to kdcpreauth. Adjust the internal KDC and main loop interfaces to pass around the event context, and expose it to kdcpreauth modules via the rock.
  ticket: 7019
  target_version: 1.10
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25475 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify and fix kdcpreauth request_body callback | Greg Hudson | 2011-11-14 | 1 | -8/+5
  Alter the contract for the kdcpreauth request_body callback so that it returns an alias to the encoded body instead of a fresh copy. At the beginning of AS request processing, save a copy of the encoded request body, or the encoded inner request body for FAST requests. Previously the request_body callback would re-encode the request structure, which in some cases has been modified by the AS request code. No kdcpreauth modules currently use the request_body callback, but PKINIT will need to start using it in order to handle FAST requests correctly.
  ticket: 7017
  target_version: 1.10
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25473 dc483132-0cff-0310-8789-dd5450dbe970
* Handle TGS referrals to the same realm | Greg Hudson | 2011-11-14 | 1 | -0/+3
  krb5 1.6 through 1.8 contained a workaround for the Active Directory behavior of returning a TGS referral to the same realm as the request. 1.9 responds to this behavior by caching the returned TGT, trying again, and detecting a referral loop. This is a partial regression of ticket #4955. Detect this case and fall back to a non-referral request.
  ticket: 7016
  target_version: 1.9.3
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25472 dc483132-0cff-0310-8789-dd5450dbe970
* Add consistency check for plugin interface names | Greg Hudson | 2011-11-13 | 1 | -1/+2
  Add an assertion to ensure that the interface_names table in plugin.c is updated when a new pluggable interface is added.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25471 dc483132-0cff-0310-8789-dd5450dbe970
* Avoid looping when preauth can't be generated | Greg Hudson | 2011-11-11 | 1 | -1/+1
  If we receive a PREAUTH_REQUIRED error and fail to generate any real preauthentication, error out immediately instead of continuing to generate non-preauthenticated requests until we hit the loop count. There is a lot of room to generate a more meaningful error about why we failed to generate preauth (although in many cases the answer may be too complicated to explain in an error message), but that requires more radical restructuring of the preauth framework.
  ticket: 6430
  target_version: 1.10
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25469 dc483132-0cff-0310-8789-dd5450dbe970
* Added the note to the trace API functions that they have higher priority than the KRB5_TRACE env variable | Zhanna Tsitkov | 2011-11-09 | 1 | -2/+8
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25466 dc483132-0cff-0310-8789-dd5450dbe970
* Make krb5_check_clockskew public | Greg Hudson | 2011-10-31 | 2 | -1/+15
  Rename krb5int_check_clockskew to krb5_check_clockskew and make it public, in order to give kdcpreauth plugins a way to check timestamps against the configured clock skew.
  ticket: 6996
  target_version: 1.10
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25424 dc483132-0cff-0310-8789-dd5450dbe970
* Fix format string for TRACE_INIT_CREDS_SERVICE | Greg Hudson | 2011-10-26 | 1 | -1/+1
  This should also be pulled up to 1.10.
  ticket: 6993
  tags: pullup
  target_version: 1.9.2
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25417 dc483132-0cff-0310-8789-dd5450dbe970
* Make krb5_find_authdata public | Greg Hudson | 2011-10-25 | 2 | -6/+21
  Rename krb5int_find_authdata to krb5_find_authdata and make it public.
  ticket: 6992
  target_version: 1.10
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25414 dc483132-0cff-0310-8789-dd5450dbe970
* Refactor salt computation into libkdb5 | Greg Hudson | 2011-10-24 | 1 | -0/+6
  Add a new API krb5_dbe_compute_salt() to determine the salt for a key data entry, and use it in the three places we currently compute salts.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25410 dc483132-0cff-0310-8789-dd5450dbe970
* Ensure termination in Windows vsnprintf wrapper | Greg Hudson | 2011-10-18 | 1 | -1/+3
  The Windows _vsnprintf does not terminate its output buffer in the overflow case. Make sure we do that in the wrapper. Reported by Chris Hecker. (Not an issue for KfW 3.2 since we weren't using snprintf in 1.6.x except in Unix-specific code.)
  ticket: 6980
  target_version: 1.10
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25367 dc483132-0cff-0310-8789-dd5450dbe970
* Make reindent | Tom Yu | 2011-10-17 | 2 | -17/+16
  Also fix pkinit_crypto_nss.c struct initializers and add parens to a ternary operator in do_as_req.c for better indentation.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25362 dc483132-0cff-0310-8789-dd5450dbe970
* Install krb5/preauth_plugin.h | Greg Hudson | 2011-10-15 | 1 | -0/+1
  The clpreauth and kdcpreauth pluggable interfaces are public as of krb5 1.10. Install the header so that preauth modules can be built outside of the krb5 source tree.
  ticket: 6977
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25353 dc483132-0cff-0310-8789-dd5450dbe970
* Rename PAC type constants to avoid conflicts | Greg Hudson | 2011-10-15 | 1 | -7/+7
  Since the PAC type constants are now exposed in krb5.h, give them a KRB5_ prefix so they don't conflict with similar PAC type constants in other packages, like Samba.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25352 dc483132-0cff-0310-8789-dd5450dbe970
* Hide gak_fct interface and arguments in clpreauth | Greg Hudson | 2011-10-15 | 2 | -47/+45
  Remove the gak_fct, gak_data, salt, s2kparams, and as_key arguments of krb5_clpreauth_process_fn and krb5_clpreauth_tryagain_fn. To replace them, add two callbacks: one which gets the AS key using the previously selected etype-info2 information, and a second which lets the module replace the AS key with one it has computed. This change limits module flexibility in a few ways. Modules cannot check whether the AS key was already obtained before asking for it, and they cannot use the etype-info2 salt and s2kparams for purposes other than getting the password-based AS key. It is believed that of existing preauth mechanisms, only SAM-2 preauth needs more flexibility than the new interfaces provide, and as an internal legacy mechanism it can cheat. Future mechanisms should be okay since the current IETF philosophy is that etype-info2 information should not be used for other purposes.
  ticket: 6976
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25351 dc483132-0cff-0310-8789-dd5450dbe970
* Make kdcpreauth edata method respond via callback | Greg Hudson | 2011-10-15 | 1 | -10/+20
  From npmccallum@redhat.com with changes.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25348 dc483132-0cff-0310-8789-dd5450dbe970
* Add new header gssapi_alloc.h | Sam Hartman | 2011-10-14 | 1 | -1/+1
  Contains allocator methods for use with mechanisms and mechglues for allocations that must be made in one module but freed in another. On windows, an allocation made in one module cannot safely be freed in another using the usual c runtime malloc/free; runtime dll mismatch will cause heap corruption in that case. But it is safe to instead directly use HeapAlloc()/HeapFree() specifying the default process heap. For now, this header is not public. If it becomes public strncpy will need to be used instead of strlcpy.
  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25330 dc483132-0cff-0310-8789-dd5450dbe970
* Removed unused macros | Zhanna Tsitkov | 2011-10-14 | 1 | -7/+0
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25328 dc483132-0cff-0310-8789-dd5450dbe970
* Fix the doxygen comments for krb5_pac_sign | Zhanna Tsitkov | 2011-10-12 | 1 | -6/+6
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25326 dc483132-0cff-0310-8789-dd5450dbe970
* Make krb5_pac_sign public | Greg Hudson | 2011-10-12 | 2 | -9/+21
  krb5int_pac_sign was created as a private API because it is only needed by the KDC. But it is actually used by DAL or authdata plugin modules, not the core KDC code. Since plugin modules should not need to consume internal libkrb5 functions, rename krb5int_pac_sign to krb5_pac_sign and make it public.
  ticket: 6974
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25325 dc483132-0cff-0310-8789-dd5450dbe970
* Documentation pass over preauth_plugin.h | Greg Hudson | 2011-10-12 | 1 | -38/+37
  No functional changes.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25324 dc483132-0cff-0310-8789-dd5450dbe970
* Add get_string, free_string kdcpreauth callbacks | Greg Hudson | 2011-10-06 | 1 | -0/+10
  String attributes should be useful to preauth modules without having to link against libkdb5. Add a callback to make client string attributes accessible to modules.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25318 dc483132-0cff-0310-8789-dd5450dbe970
* Ditch fast_factor.h since it contains only stubs | Greg Hudson | 2011-10-06 | 1 | -45/+0
  Leave a comment behind where we called fast_set_kdc_verified(). Remove the call to fast_kdc_replace_reply_key() since it's wrong (encrypted challenge doesn't replace the reply key in that sense).
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25317 dc483132-0cff-0310-8789-dd5450dbe970
* Use type-safe callbacks in preauth interface | Greg Hudson | 2011-10-06 | 2 | -117/+63
  Replace the generic get_data functions in clpreauth and kdcpreauth with structures containing callback functions. Each structure has a minor version number to allow adding new callbacks. For simplicity, the new fast armor key callbacks return aliases, which is how we would supply the armor key as a function parameter. The new client keys callback is paired with a free_keys callback to reduce the amount of cleanup code needed in modules.
  ticket: 6971
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25315 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5int_gettimeofday to k5sprt for platforms w/o native gettimeofday | Sam Hartman | 2011-10-05 | 1 | -0/+5
  Microsecond accuracy on _WIN32, but only one second accuracy on other, AFAIK purely hypothetical, platforms that lack native gettimeofday. Shamelessly cribbed from Heimdal.
  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25310 dc483132-0cff-0310-8789-dd5450dbe970
* Fix incorrect formatting of KDF fields, no substantive change | Sam Hartman | 2011-10-05 | 1 | -2/+2
  Signed-off-by: Margaret Wasserman <mrw@painless-security.com>
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25301 dc483132-0cff-0310-8789-dd5450dbe970
* Use an opaque handle in the kdcpreauth callback | Greg Hudson | 2011-10-05 | 3 | -32/+22
  Instead of passing a request and entry to the kdcpreauth get_data callback, pass an opaque handle. Remove DB entry and key data parameters from kdcpreauth methods (but keep the request, since that's transparent). The SecurID plugin links against libkdb5 and needs access to the client DB entry. Rather than continue to pass a DB entry to kdcpreauth methods, add a get_data callback to get the client DB entry for the few plugins which might need it.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25300 dc483132-0cff-0310-8789-dd5450dbe970
* Create e_data as pa_data in KDC interfaces | Greg Hudson | 2011-10-04 | 2 | -12/+26
  All current known uses of e_data are encoded as pa-data or typed-data. FAST requires that e_data be expressed as pa-data. Change the DAL and kdcpreauth interfaces so that e_data is returned as a sequence of pa-data elements. Add a preauth module flag to indicate that the sequence should be encoded as typed-data in non-FAST errors.
  ticket: 6969
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25298 dc483132-0cff-0310-8789-dd5450dbe970
* Make kdcpreauth verify respond via callback | Greg Hudson | 2011-10-03 | 1 | -4/+9
  From npmccallum@redhat.com with changes.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25294 dc483132-0cff-0310-8789-dd5450dbe970
* Make dispatch() respond via a callback | Greg Hudson | 2011-10-03 | 1 | -6/+5
  From npmccallum@redhat.com with changes.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25291 dc483132-0cff-0310-8789-dd5450dbe970
* Moved Windows specific include files to src/windows/include | Sam Hartman | 2011-09-28 | 11 | -3468/+0
  Updated Windows specific Makefiles to search for header files in src/windows/include
  Signed-off-by: Alexey Melnikov <aamelnikov@gmail.com>
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25279 dc483132-0cff-0310-8789-dd5450dbe970
* Enabled unconditional build of kfwlogon on Windows | Sam Hartman | 2011-09-28 | 5 | -0/+2431
  Removed dependency on KFW, as it is now a part of the same build.
  Signed-off-by: Alexey Melnikov <aamelnikov@gmail.com>
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25258 dc483132-0cff-0310-8789-dd5450dbe970
* Moved LoadFuncs/UnloadFuncs() to windows/lib | Sam Hartman | 2011-09-28 | 1 | -0/+41
  Signed-off-by: Alexey Melnikov <aamelnikov@gmail.com>
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25257 dc483132-0cff-0310-8789-dd5450dbe970
* Added leashdll/wshelper related files from KFW | Sam Hartman | 2011-09-28 | 5 | -0/+996
  From: Alexey Melnikov <alexey.melnikov@isode.com>
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25243 dc483132-0cff-0310-8789-dd5450dbe970
* win-mac.h additions for windows build | Sam Hartman | 2011-09-28 | 1 | -1/+1
  windows implementation of k5_get_os_entropy()
  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
  Signed-off-by: Sam Hartman <hartmans@debian.org>
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25242 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate domain-based client realm walk | Greg Hudson | 2011-09-28 | 1 | -0/+4
  For a very long time, KDCs have known how to perform a domain-based realm walk when serving requests for TGTs. (So if a KDC for A.B.C receives a request for krbtgt/X.B.C and doesn't have that principal, it can return one for krbtgt/B.C instead.) Performing the same heuristic on the client is unnecessary and inefficient in common cases. Add a new function k5_client_realm_path to walk_rtree.c which uses capaths values only, and returns a list of realms (as desired by get_creds.c) instead of TGT names.
  ticket: 6966
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25241 dc483132-0cff-0310-8789-dd5450dbe970
* Make the comments usable by Doxygen | Zhanna Tsitkov | 2011-09-26 | 1 | -3/+3
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25237 dc483132-0cff-0310-8789-dd5450dbe970
* Don't use accessor in encrypted challenge | Greg Hudson | 2011-09-24 | 1 | -12/+1
  Now that the encrypted challenge code is linked into libkrb5 and the KDC, it's unnecessary to use the accessor there.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25229 dc483132-0cff-0310-8789-dd5450dbe970
* Recast encrypted challenge as linked built-ins | Greg Hudson | 2011-09-23 | 1 | -0/+86
  Since it has no external dependencies, split up encrypted preauth into clpreauth and kdcpreauth chunks and link them directly into the consumers.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25227 dc483132-0cff-0310-8789-dd5450dbe970
* Add kadmin functionality for string attributes | Greg Hudson | 2011-09-21 | 1 | -1/+1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25215 dc483132-0cff-0310-8789-dd5450dbe970
* Add KRB5_TL_STRING_ATTRS and libkdb5 accessors | Greg Hudson | 2011-09-21 | 1 | -0/+34
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25214 dc483132-0cff-0310-8789-dd5450dbe970