| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
We want to generate a KRB5_AP_ERR_TKT_EXPIRED code when the TGT is
expired, like we would if we tried the TGT against the KCD. To make
this work, separate the helpers for getting local and crossrealm
cached TGTs. For a crossrealm TGT, match against the endtime, as
there could be multiple entries. For a local TGT, find any match, but
check if it's expired. The cache_code field is no longer needed after
this change, so get rid of it.
ticket: 6948
|
|
|
|
| |
ticket: 6948
|
|
|
|
|
| |
For conciseness, directly use fields of krb5_principal objects instead
of using the accessor macros.
|
|
|
|
|
|
|
|
|
| |
Move internal declarations from k5-int.h to more localized headers
(like int-proto.h) where appropriate. Rename many symbols whose
prototypes were moved to use the k5_ prefix instead of krb5int_.
Remove some unused declarations or move them to the single source file
they were needed in. Remove krb5_creds_compare since it isn't used
any more.
|
|
|
|
|
|
|
| |
Move krb5int_make_tgs_request from gc_via_tkt.c into send_tgs.c,
combine it with krb5int_make_tgs_request_ext (which nothing else
called), and rename the combined function to k5_make_tgs_req. Also
use a typedef for the pacb callback.
|
|
|
|
|
|
|
|
|
|
|
| |
If a get_credentials operation requires multiple TGS requests, we need
to free the subkey from previous requests before saving a new one.
ticket: 7049
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25536 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
| |
krb5int_fast_prep_req remove tgs from request->padata and needs to
free it. get_creds.c needs to use a fresh FAST state for each TGS
request to avoid leaking armor keys.
ticket: 7026
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25535 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
| |
Implement RFC 6113 FAST TGS support.
Includes library support for a varient of explicit TGS armor that has not yet been proposed within the IETF.
ticket: 7026
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25488 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
krb5 1.6 through 1.8 contained a workaround for the Active Directory
behavior of returning a TGS referral to the same realm as the request.
1.9 responds to this behavior by caching the returned TGT, trying
again, and detecting a referral loop. This is a partial regression of
ticket #4955. Detect this case and fall back to a non-referreal
request.
ticket: 7016
target_version: 1.9.3
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25472 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For a very long time, KDCs have known how to perform a domain-based
realm walk when serving requests for TGTs. (So if a KDC for A.B.C
receives a request for krbtgt/X.B.C and doesn't have that principal,
it can return one for krbtgt/B.C instead.) Performing the same
heuristic on the client is unnecessary and inefficient in common
cases.
Add a new function k5_client_realm_path to walk_rtree.c which uses
capaths values only, and returns a list of realms (as desired by
get_creds.c) instead of TGT names.
ticket: 6966
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25241 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
| |
When requesting a cross-realm TGT, use the KDC instance of the current
TGT (the second data component), not the realm which the TGT came
from.
ticket: 6952
target_version: 1.9.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25121 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
MIT krb5 1.2 and earlier KDCs reject TGS requests if the canonicalize
bit is set. Prior to 1.9, we used to handle this by making a
non-referral fallback request on any error, but the rewrite in 1.9
mistakenly changed the behavior so that fallback requests are only
made if the original request used the referral realm and the fallback
realm is different from the default realm. Restore the old behavior.
ticket: 6917
target_version: 1.9.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24946 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The krb5_get_credentials() rewrite for IAKERB accidentally omitted the
final step of restoring the requested realm in the output credentials.
As a result, referral entries are not cached, and the caller sees the
actual realm in (*out_creds)->server instead of the referral realm as
before. Fix this in complete() by swapping ctx->req_server into
ctx->reply_creds->server.
ticket: 6916
target_version: 1.9.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24945 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24703 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
and license comments.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24695 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
| |
The call to TRACE_TKT_CREDS_FALLBACK in get_creds.c was supplying the
wrong argument, causing a crash.
ticket: 6856
target_version: 1.9.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24618 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Repair the Windows build. Tested with the prepare-on-Unix method.
Some specific changes include:
* Removed the IPC finalizer (no longer used after r20787) from
ccapi/lib/ccapi_ipc.c, as it was creating a difficult dependency
chain for the pingtest build in ccapi/test. Also updated pingtest
to use the k5_ipc_stream interfaces since cci_stream is gone.
* Reverted the apparently non-functional r20277.
* klist -V prints just "Kerberos for Windows", since it has no access
to PACKAGE_NAME and PACKAGE_VERSION from autoconf. This should be
addressed correctly.
* krb5, telnet, gssftp, and NIM are removed from the build.
* Some files had CRLFs; these were replaced with LFs and the
svn:eol-style property set on the files. Otherwise the CRLFs became
CRCRLFs after the zip transfer.
* Windows does not have opendir/readdir, so added Windows code to
prof_parse.c for includedir. Probable fodder for a libkrb5support
portability shim.
ticket: 6826
target_version: 1.9
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24533 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
| |
into the ccache.
ticket: 6812
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24488 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add trace logging infrastructure code, enabled by the KRB5_TRACE
environment variable or the API functions krb5_set_trace_callback()
or krb5_set_trace_filename(). As a start, add tracing events for:
* AS-REQ client code, including FAST and preauth
* TGS-REQ client code
* AP-REQ and AP-REP code (client and server)
* sendto_kdc
* Selected ccache operations
* Selected keytab operations
ticket: 6737
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24118 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23945 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23920 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
| |
get the cached local TGT before setting up the realm path.
Prior to this change, calling krb5_get_credentials() with an empty
ccache would result in KRB5_CC_NOTFOUND for a foreign server
principal, but would result in KRB5_NO_TKT_IN_REALM (generated by
krb5_walk_realm_tree) for a local server principal. With this change,
KRB5_CC_NOTFOUND is returned in both cases.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23909 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
| |
Rename KRB5_TKT_CREDS_CONTINUE to KRB5_TKT_CREDS_STEP_FLAG_CONTINUE
for consistency.
Adjust init_creds context to be less confusing in light of the above.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23906 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
| |
Merged from branches/iakerb: add new asynchronous krb5_tkt_creds APIs,
which allow a caller to take responsibility for transporting requests
to the KDC and getting responses back. Rewrite the existing
krb5_get_credentials API in terms of the new functions. Get rid of
krb5_get_cred_from_kdc and friends, since they are no longer used.
ticket: 6700
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23900 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The validate and renew APIs were using get_cred_from_kdc, which
always presents a TGT to get credentials. Instead, they should
present the ticket they are trying to validate or renew. This is
most easily done with krb5_get_cred_via_tkt(). Move the relevant
code into a new file since it now has nothing in common with the
other APIs implemented in get_creds.c.
ticket: 6699
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23891 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23483 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
make reindent
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22791 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22790 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
| |
* Use the current coding practice for output parameters.
* Rename the helper function krb5_get_credentials_core to
krb5int_construct_matching_creds and document it.
* Don't fail out if we fail to cache intermediate tgts.
* Simplify conditional logic and variable handling. ncreds is now
always a temporary holder for the resulting credentials.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22787 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
| |
Merge Luke's users/lhoward/s4u branch to trunk. Implements S4U2Self
and S4U2Proxy extensions.
ticket: 6563
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22736 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
unicode, windows code
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21875 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
| |
char* and calls free.
Replace most uses, outside of the LDAP KDB plugin, which doesn't build
on my test system of the moment because of version dependencies. Add
one explicit cast to make the change warning-neutral (under gcc 4.0.1
on Mac OS X 10.5.6).
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21812 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The mskrb-integ branch includes support for the following projects:
Projects/Aliases
* Projects/PAC and principal APIs
* Projects/AEAD encryption API
* Projects/GSSAPI DCE
* Projects/RFC 3244
In addition, it includes support for enctype negotiation, and a variety of GSS-API extensions.
In the KDC it includes support for protocol transition, constrained delegation
and a new authorization data interface.
The old authorization data interface is also supported.
This commit merges the mskrb-integ branch on to the trunk.
Additional review and testing is required.
Merge commit 'mskrb-integ' into trunk
ticket: new
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21690 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix various memory leaks that show up mostly in error cases (e.g.,
failure to allocate one small object, and then we forget to free
another one).
ticket: new
target_version: 1.6.4
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20481 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
Instead, just assume we do have a working C compiler.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17969 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
| |
obtain a set of credentials for the caller. the
krb5_cc_store_cred() call is to optimize performance
for future calls. Ignore any errors, since the credentials
are still valid even if we fail to store them in the cache.
ticket: new
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17201 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
| |
service tickets in krb5_get_credentials.
Ticket: 1260
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15106 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14812 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
FAR/NEAR specs
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13786 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13775 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
| |
supported, return an error; can't satisfy both TC_SUPPORTED_KTYPES and
TC_MATCH_KTYPE that way. Delete unused arguments CCACHE and OUT_CREDS; fix
callers.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12636 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* get_in_tkt.c (_krb5_conf_boolean): Declare as taking a const char *
* str_conv.c (krb5_timestamp_to_string): Work around gcc's warning
that %c format in strftime might return only two digits for the
year.
* mk_safe.c, rd_rep.c, send_tgs.c: Remove unused goto label.
* kdc_rep_dc.c (krb5_kdc_rep_decrypt_proc): Remove code with no
effect.
* init_ctx.c: Make krb5_brand[] look used.
* chpw.c, decode_kdc.c, decrypt_tk.c, enc_helper.c, get_creds.c,
get_in_tkt.c, gic_keytab.c, gic_pwd.c, preauth2.c, vfy_increds.c:
Add parentheses around assignment used as truth value
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12483 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
send_tgs.c: Remove unused variable.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12457 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12442 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11853 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* init_ctx.c (get_profile_etype_list): Update name of the des3 entry in the
default etype list.
* init_ctx.c (get_profile_etype_list): New argument DESONLY; if set, ignore any
ktype values other than NULL, DES_CBC_CRC, and DES_CBC_MD5.
(krb5_get_default_in_tkt_ktypes, krb5_get_tgs_ktypes): Set it.
(krb5_get_permitted_enctypes): Don't set it.
* fwd_tgt.c (krb5_fwd_tgt_creds): Use KRB5_TC_SUPPORTED_KTYPES when calling
krb5_cc_retrieve_cred.
* gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Ditto.
* get_creds.c (krb5_get_credentials_core): Set that flag.
(krb5_get_credentials): Check for KRB5_CC_NOT_KTYPE error return.
* t_ser.c (main): Disable eblock serialization test, since the code it tests
was disabled nearly a year ago.
* str_conv.c (krb5_timestamp_to_sfstring): Don't pass extra argument to
sprintf.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11779 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
| |
trying to dereference it, in case lower-level routine failed to assign
a value to it.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11619 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11001 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@9843 dc483132-0cff-0310-8789-dd5450dbe970
|