path: root/src/lib/krb5/krb/get_creds.c
Commit message | Author | Age | Files | Lines
* Better fix for not using expired TGTs in TGS-REQs | Greg Hudson | 2013-04-29 | 1 | -53/+91
  We want to generate a KRB5_AP_ERR_TKT_EXPIRED code when the TGT is expired, like we would if we tried the TGT against the KCD. To make this work, separate the helpers for getting local and crossrealm cached TGTs. For a crossrealm TGT, match against the endtime, as there could be multiple entries. For a local TGT, find any match, but check if it's expired. The cache_code field is no longer needed after this change, so get rid of it.
  ticket: 6948
* Don't use expired TGTs in TGS-REQs | Nicolas Williams | 2013-04-26 | 1 | -8/+10
  ticket: 6948
* Simplify principal access within libkrb5 | Greg Hudson | 2013-04-08 | 1 | -3/+3
  For conciseness, directly use fields of krb5_principal objects instead of using the accessor macros.
* Move a bunch of stuff out of k5-int.h | Greg Hudson | 2013-03-24 | 1 | -1/+1
  Move internal declarations from k5-int.h to more localized headers (like int-proto.h) where appropriate. Rename many symbols whose prototypes were moved to use the k5_ prefix instead of krb5int_. Remove some unused declarations or move them to the single source file they were needed in. Remove krb5_creds_compare since it isn't used any more.
* Simplify TGS request construction | Greg Hudson | 2013-02-08 | 1 | -6/+4
  Move krb5int_make_tgs_request from gc_via_tkt.c into send_tgs.c, combine it with krb5int_make_tgs_request_ext (which nothing else called), and rename the combined function to k5_make_tgs_req. Also use a typedef for the pacb callback.
* Fix subkey memory leak in krb5_get_credentials | Greg Hudson | 2011-12-09 | 1 | -0/+2
  If a get_credentials operation requires multiple TGS requests, we need to free the subkey from previous requests before saving a new one.
  ticket: 7049
  target_version: 1.10
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25536 dc483132-0cff-0310-8789-dd5450dbe970
* Fix memory leaks in FAST TGS support | Greg Hudson | 2011-12-09 | 1 | -4/+8
  krb5int_fast_prep_req removes tgs from request->padata and needs to free it. get_creds.c needs to use a fresh FAST state for each TGS request to avoid leaking armor keys.
  ticket: 7026
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25535 dc483132-0cff-0310-8789-dd5450dbe970
* FAST TGS | Sam Hartman | 2011-11-23 | 1 | -2/+10
  Implement RFC 6113 FAST TGS support. Includes library support for a variant of explicit TGS armor that has not yet been proposed within the IETF.
  ticket: 7026
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25488 dc483132-0cff-0310-8789-dd5450dbe970
* Handle TGS referrals to the same realm | Greg Hudson | 2011-11-14 | 1 | -1/+8
  krb5 1.6 through 1.8 contained a workaround for the Active Directory behavior of returning a TGS referral to the same realm as the request. 1.9 responds to this behavior by caching the returned TGT, trying again, and detecting a referral loop. This is a partial regression of ticket #4955. Detect this case and fall back to a non-referral request.
  ticket: 7016
  target_version: 1.9.3
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25472 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate domain-based client realm walk | Greg Hudson | 2011-09-28 | 1 | -26/+6
  For a very long time, KDCs have known how to perform a domain-based realm walk when serving requests for TGTs. (So if a KDC for A.B.C receives a request for krbtgt/X.B.C and doesn't have that principal, it can return one for krbtgt/B.C instead.) Performing the same heuristic on the client is unnecessary and inefficient in common cases. Add a new function k5_client_realm_path to walk_rtree.c which uses capaths values only, and returns a list of realms (as desired by get_creds.c) instead of TGT names.
  ticket: 6966
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25241 dc483132-0cff-0310-8789-dd5450dbe970
* Fix cross-realm traversal TGT requests | Greg Hudson | 2011-09-01 | 1 | -1/+1
  When requesting a cross-realm TGT, use the KDC instance of the current TGT (the second data component), not the realm which the TGT came from.
  ticket: 6952
  target_version: 1.9.2
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25121 dc483132-0cff-0310-8789-dd5450dbe970
* Restore fallback non-referral TGS request to same realm | Greg Hudson | 2011-06-03 | 1 | -12/+10
  MIT krb5 1.2 and earlier KDCs reject TGS requests if the canonicalize bit is set. Prior to 1.9, we used to handle this by making a non-referral fallback request on any error, but the rewrite in 1.9 mistakenly changed the behavior so that fallback requests are only made if the original request used the referral realm and the fallback realm is different from the default realm. Restore the old behavior.
  ticket: 6917
  target_version: 1.9.2
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24946 dc483132-0cff-0310-8789-dd5450dbe970
* Restore krb5_get_credentials caching for referral requests | Greg Hudson | 2011-05-26 | 1 | -0/+5
  The krb5_get_credentials() rewrite for IAKERB accidentally omitted the final step of restoring the requested realm in the output credentials. As a result, referral entries are not cached, and the caller sees the actual realm in (*out_creds)->server instead of the referral realm as before. Fix this in complete() by swapping ctx->req_server into ctx->reply_creds->server.
  ticket: 6916
  target_version: 1.9.2
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24945 dc483132-0cff-0310-8789-dd5450dbe970
* Resolve a few miscellaneous warnings | Greg Hudson | 2011-03-14 | 1 | -2/+0
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24703 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust most C source files to match the new standards for copyright | Greg Hudson | 2011-03-09 | 1 | -19/+12
  and license comments.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24695 dc483132-0cff-0310-8789-dd5450dbe970
* Fix seg faulting trace log message for use of fallback realm | Greg Hudson | 2011-02-08 | 1 | -1/+1
  The call to TRACE_TKT_CREDS_FALLBACK in get_creds.c was supplying the wrong argument, causing a crash.
  ticket: 6856
  target_version: 1.9.1
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24618 dc483132-0cff-0310-8789-dd5450dbe970
* Fix Windows build | Greg Hudson | 2010-11-25 | 1 | -1/+1
  Repair the Windows build. Tested with the prepare-on-Unix method. Some specific changes include:
  * Removed the IPC finalizer (no longer used after r20787) from ccapi/lib/ccapi_ipc.c, as it was creating a difficult dependency chain for the pingtest build in ccapi/test. Also updated pingtest to use the k5_ipc_stream interfaces since cci_stream is gone.
  * Reverted the apparently non-functional r20277.
  * klist -V prints just "Kerberos for Windows", since it has no access to PACKAGE_NAME and PACKAGE_VERSION from autoconf. This should be addressed correctly.
  * krb5, telnet, gssftp, and NIM are removed from the build.
  * Some files had CRLFs; these were replaced with LFs and the svn:eol-style property set on the files. Otherwise the CRLFs became CRCRLFs after the zip transfer.
  * Windows does not have opendir/readdir, so added Windows code to prof_parse.c for includedir. Probable fodder for a libkrb5support portability shim.
  ticket: 6826
  target_version: 1.9
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24533 dc483132-0cff-0310-8789-dd5450dbe970
* Don't fail out from krb5_get_credentials() if we can't store a ticket | Greg Hudson | 2010-10-27 | 1 | -10/+4
  into the ccache.
  ticket: 6812
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24488 dc483132-0cff-0310-8789-dd5450dbe970
* Trace logging | Greg Hudson | 2010-06-07 | 1 | -5/+28
  Add trace logging infrastructure code, enabled by the KRB5_TRACE environment variable or the API functions krb5_set_trace_callback() or krb5_set_trace_filename(). As a start, add tracing events for:
  * AS-REQ client code, including FAST and preauth
  * TGS-REQ client code
  * AP-REQ and AP-REP code (client and server)
  * sendto_kdc
  * Selected ccache operations
  * Selected keytab operations
  ticket: 6737
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24118 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a backwards check in get_cached_tgt() in the TGS code | Greg Hudson | 2010-04-27 | 1 | -3/+3
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23945 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a memory leak in get_creds.c's try_fallback_realm() | Greg Hudson | 2010-04-21 | 1 | -1/+3
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23920 dc483132-0cff-0310-8789-dd5450dbe970
* When setting up to get a TGT for the service realm in the TGS code, | Greg Hudson | 2010-04-20 | 1 | -5/+5
  get the cached local TGT before setting up the realm path. Prior to this change, calling krb5_get_credentials() with an empty ccache would result in KRB5_CC_NOTFOUND for a foreign server principal, but would result in KRB5_NO_TKT_IN_REALM (generated by krb5_walk_realm_tree) for a local server principal. With this change, KRB5_CC_NOTFOUND is returned in both cases.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23909 dc483132-0cff-0310-8789-dd5450dbe970
* Add KRB5_INIT_CREDS_STEP_FLAG_CONTINUE for parity with Heimdal. | Greg Hudson | 2010-04-20 | 1 | -2/+2
  Rename KRB5_TKT_CREDS_CONTINUE to KRB5_TKT_CREDS_STEP_FLAG_CONTINUE for consistency. Adjust init_creds context to be less confusing in light of the above.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23906 dc483132-0cff-0310-8789-dd5450dbe970
* Introduce new krb5_tkt_creds API | Greg Hudson | 2010-04-14 | 1 | -75/+1105
  Merged from branches/iakerb: add new asynchronous krb5_tkt_creds APIs, which allow a caller to take responsibility for transporting requests to the KDC and getting responses back. Rewrite the existing krb5_get_credentials API in terms of the new functions. Get rid of krb5_get_cred_from_kdc and friends, since they are no longer used.
  ticket: 6700
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23900 dc483132-0cff-0310-8789-dd5450dbe970
* Validate and renew should work on non-TGT creds | Greg Hudson | 2010-04-13 | 1 | -151/+0
  The validate and renew APIs were using get_cred_from_kdc, which always presents a TGT to get credentials. Instead, they should present the ticket they are trying to validate or renew. This is most easily done with krb5_get_cred_via_tkt(). Move the relevant code into a new file since it now has nothing in common with the other APIs implemented in get_creds.c.
  ticket: 6699
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23891 dc483132-0cff-0310-8789-dd5450dbe970
* Remove krb5_ prefix from some static func names | Zhanna Tsitkov | 2009-12-22 | 1 | -16/+16
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23483 dc483132-0cff-0310-8789-dd5450dbe970
* make mark-cstyle | Tom Yu | 2009-10-31 | 1 | -157/+157
  make reindent
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a braino in r22790 | Greg Hudson | 2009-09-28 | 1 | -1/+1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22791 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a few problems introduced by r22787 | Greg Hudson | 2009-09-28 | 1 | -6/+4
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22790 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up krb5_get_credentials: | Greg Hudson | 2009-09-25 | 1 | -60/+54
  * Use the current coding practice for output parameters.
  * Rename the helper function krb5_get_credentials_core to krb5int_construct_matching_creds and document it.
  * Don't fail out if we fail to cache intermediate tgts.
  * Simplify conditional logic and variable handling. ncreds is now always a temporary holder for the resulting credentials.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22787 dc483132-0cff-0310-8789-dd5450dbe970
* Implement s4u extensions | Greg Hudson | 2009-09-13 | 1 | -19/+50
  Merge Luke's users/lhoward/s4u branch to trunk. Implements S4U2Self and S4U2Proxy extensions.
  ticket: 6563
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22736 dc483132-0cff-0310-8789-dd5450dbe970
* Remove unnecessary pointer casts in args to free,memcpy,memset,memchr except unicode, windows code | Ken Raeburn | 2009-02-02 | 1 | -3/+3
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21875 dc483132-0cff-0310-8789-dd5450dbe970
* Start to phase out krb5_xfree macro, which just casts its argument to | Ken Raeburn | 2009-01-28 | 1 | -2/+2
  char* and calls free. Replace most uses, outside of the LDAP KDB plugin, which doesn't build on my test system of the moment because of version dependencies. Add one explicit cast to make the change warning-neutral (under gcc 4.0.1 on Mac OS X 10.5.6).
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21812 dc483132-0cff-0310-8789-dd5450dbe970
* Merge mskrb-integ onto trunk | Sam Hartman | 2009-01-03 | 1 | -1/+7
  The mskrb-integ branch includes support for the following projects:
  * Projects/Aliases
  * Projects/PAC and principal APIs
  * Projects/AEAD encryption API
  * Projects/GSSAPI DCE
  * Projects/RFC 3244
  In addition, it includes support for enctype negotiation, and a variety of GSS-API extensions. In the KDC it includes support for protocol transition, constrained delegation and a new authorization data interface. The old authorization data interface is also supported. This commit merges the mskrb-integ branch on to the trunk. Additional review and testing is required.
  Merge commit 'mskrb-integ' into trunk
  ticket: new
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21690 dc483132-0cff-0310-8789-dd5450dbe970
* misc memory leaks | Ken Raeburn | 2008-06-27 | 1 | -2/+6
  Fix various memory leaks that show up mostly in error cases (e.g., failure to allocate one small object, and then we forget to free another one).
  ticket: new
  target_version: 1.6.4
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20481 dc483132-0cff-0310-8789-dd5450dbe970
* Don't test HAVE_C_STRUCTURE_ASSIGNMENT. | Ken Raeburn | 2006-04-29 | 1 | -4/+0
  Instead, just assume we do have a working C compiler.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17969 dc483132-0cff-0310-8789-dd5450dbe970
* the purpose of the krb5_get_credentials call is to | Jeffrey Altman | 2005-04-25 | 1 | -2/+9
  obtain a set of credentials for the caller. the krb5_cc_store_cred() call is to optimize performance for future calls. Ignore any errors, since the credentials are still valid even if we fail to store them in the cache.
  ticket: new
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17201 dc483132-0cff-0310-8789-dd5450dbe970
* Patch to get new service tickets in preference to using expired | Sam Hartman | 2003-01-10 | 1 | -1/+7
  service tickets in krb5_get_credentials.
  Ticket: 1260
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15106 dc483132-0cff-0310-8789-dd5450dbe970
* protoize | Ken Raeburn | 2002-09-03 | 1 | -52/+20
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14812 dc483132-0cff-0310-8789-dd5450dbe970
* Danilo also says we can get rid of _MSDOS (Win16) tests, and explicit FAR/NEAR specs | Ken Raeburn | 2001-10-06 | 1 | -2/+2
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13786 dc483132-0cff-0310-8789-dd5450dbe970
* Danilo says we can get rid of the DLLIMP stuff now | Ken Raeburn | 2001-10-04 | 1 | -5/+5
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13775 dc483132-0cff-0310-8789-dd5450dbe970
* * get_creds.c (krb5_get_credentials_core): If the supplied enctype is not | Ken Raeburn | 2000-08-29 | 1 | -7/+18
  supported, return an error; can't satisfy both TC_SUPPORTED_KTYPES and TC_MATCH_KTYPE that way. Delete unused arguments CCACHE and OUT_CREDS; fix callers.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12636 dc483132-0cff-0310-8789-dd5450dbe970
* * t_walk_rtree.c (main): Declare as returning int | Ezra Peisach | 2000-06-30 | 1 | -3/+3
  * get_in_tkt.c (_krb5_conf_boolean): Declare as taking a const char *
  * str_conv.c (krb5_timestamp_to_string): Work around gcc's warning that %c format in strftime might return only two digits for the year.
  * mk_safe.c, rd_rep.c, send_tgs.c: Remove unused goto label.
  * kdc_rep_dc.c (krb5_kdc_rep_decrypt_proc): Remove code with no effect.
  * init_ctx.c: Make krb5_brand[] look used.
  * chpw.c, decode_kdc.c, decrypt_tk.c, enc_helper.c, get_creds.c, get_in_tkt.c, gic_keytab.c, gic_pwd.c, preauth2.c, vfy_increds.c: Add parentheses around assignment used as truth value
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12483 dc483132-0cff-0310-8789-dd5450dbe970
* * conv_princ.c, get_creds.c, get_in_tkt.c, mk_rep.c, parse.c, | Ezra Peisach | 2000-06-29 | 1 | -2/+0
  send_tgs.c: Remove unused variable.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12457 dc483132-0cff-0310-8789-dd5450dbe970
* pullup from 1.2 branch | Ken Raeburn | 2000-06-27 | 1 | -0/+21
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12442 dc483132-0cff-0310-8789-dd5450dbe970
* copyright notice updates from 1.1 branch | Ken Raeburn | 1999-09-24 | 1 | -1/+4
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11853 dc483132-0cff-0310-8789-dd5450dbe970
* from 1.1 branch: | Ken Raeburn | 1999-09-01 | 1 | -2/+4
  * init_ctx.c (get_profile_etype_list): Update name of the des3 entry in the default etype list.
  * init_ctx.c (get_profile_etype_list): New argument DESONLY; if set, ignore any ktype values other than NULL, DES_CBC_CRC, and DES_CBC_MD5.
    (krb5_get_default_in_tkt_ktypes, krb5_get_tgs_ktypes): Set it.
    (krb5_get_permitted_enctypes): Don't set it.
  * fwd_tgt.c (krb5_fwd_tgt_creds): Use KRB5_TC_SUPPORTED_KTYPES when calling krb5_cc_retrieve_cred.
  * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Ditto.
  * get_creds.c (krb5_get_credentials_core): Set that flag.
    (krb5_get_credentials): Check for KRB5_CC_NOT_KTYPE error return.
  * t_ser.c (main): Disable eblock serialization test, since the code it tests was disabled nearly a year ago.
  * str_conv.c (krb5_timestamp_to_sfstring): Don't pass extra argument to sprintf.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11779 dc483132-0cff-0310-8789-dd5450dbe970
* Initialize out_creds pointer to 0 and then check whether it is 0 before | Danilo Almeida | 1999-08-04 | 1 | -4/+5
  trying to dereference it, in case lower-level routine failed to assign a value to it.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11619 dc483132-0cff-0310-8789-dd5450dbe970
* pull up 3des implementation from the marc-3des branch | Marc Horowitz | 1998-10-30 | 1 | -6/+101
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11001 dc483132-0cff-0310-8789-dd5450dbe970
* get_creds.c: export krb5_get_credentials_renew, krb5_get_credentials_validate | Richard Basch | 1997-02-11 | 1 | -4/+2
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@9843 dc483132-0cff-0310-8789-dd5450dbe970