summaryrefslogtreecommitdiffstats
path: root/src/lib/krb5/krb
Commit message (Collapse)AuthorAgeFilesLines
...
* Fix sam2 client preauth after salt changesGreg Hudson2012-10-181-2/+3
| | | | | | | | | | Commit bc096a77ffdab283d77c2e0fc1fdd15b9f77eb41 altered the internal contracts relating to salts, but neglected to adjust the sam2 preauth code to match. Do that now. ticket: 7415 (new) target_version: 1.11 tags: pullup
* make dependGreg Hudson2012-10-171-33/+35
|
* Add "pa_config_data" configuration to ccachesNalin Dahyabhai2012-10-174-1/+183
| | | | | | | | | | | * Read a "pa_config_data" item from an in_ccache, if provided, and add a callback which client preauth plugins can use to retrieve a string value from it that's keyed by a string. * Add a callback which client preauth plugins can use to provide string key/value pairs to be stored in the ccache. * Moves the definition of (struct krb5_clpreauth_rock_st) from k5-int.h to init_creds_ctx.h to try to reduce the number of files that will need to include k5-json.h to understand k5_json_value.
* Test in_ccache and pa_types functionalityNalin Dahyabhai2012-10-164-0/+403
| | | | | | | | | * Add a krb5int_build_conf_principals() function to allow our get/set code to directly prune out duplicate config entries. * Verify that when we specify a pa_type, it affects whether or not we will use a particular preauth plugin. * Verify that we correctly save the KDC's preauth type number, that we tried to answer, to the out_ccache.
* Add "pa_type" configuration to ccachesNalin Dahyabhai2012-10-163-0/+85
| | | | | | | | | | | | | | * When producing preauth data, keep track of the type of padata in the KDC's list of acceptable types which prompted the module to produce padata. * After obtaining credentials, store that value as a "pa_type" configuration item in the out_ccache. * Read that allowed preauth type from an in_ccache, if possible. * If we have an allowed preauth type, only call "real" modules that handle that value when filling in responder items and producing a client request. ticket: 7414 (new)
* Add an input ccache get_init_creds optionNalin Dahyabhai2012-10-161-0/+15
| | | | | | | | Add a krb5_get_init_creds_opt_set_in_ccache() function. An input ccache may hold configuration data which the client libraries can use to influence their decisions. ticket: 7413 (new)
* Handle concat OTP responder caseNathaniel McCallum2012-10-161-8/+11
|
* make dependTom Yu2012-10-151-7/+8
|
* Correct type mismatches for get_as_key callbacksNalin Dahyabhai2012-10-152-2/+4
|
* Add responder support to preauth_otpNathaniel McCallum2012-10-151-18/+572
|
* Migrate to non-destructive tokeninfo selectionNathaniel McCallum2012-10-151-148/+191
|
* Move forward tokeninfo filteringNathaniel McCallum2012-10-151-63/+81
|
* Move pa_data encoding into a separate functionNathaniel McCallum2012-10-151-39/+45
|
* Fix a couple of typosNalin Dahyabhai2012-10-121-2/+2
|
* Add responder support to preauth_encts/preauth_ecNathaniel McCallum2012-10-122-0/+26
|
* Add responder support to get_as_key()Nathaniel McCallum2012-10-126-8/+55
| | | | | This follows the design laid out on the project page: http://k5wiki.kerberos.org/wiki/Projects/Password_response_item
* Allow null inputs to response item functionsNathaniel McCallum2012-10-121-2/+14
|
* Fix argument order when calling the responderNathaniel McCallum2012-10-101-2/+2
|
* De-conditionalize Camellia codeGreg Hudson2012-10-092-4/+0
| | | | | | | | | | The Camellia enctypes and cksumtypes have received IANA assignments. Add #defines using those assignments to krb5.h, remove the CAMELLIA conditional, and enable testing code as appropriate. The Camellia draft has not received an RFC number yet, so there is no Doxygen markup for the enctype and cksumtype #defines. That can be added once the RFC number is known.
* Untabify preauth_sam2.cGreg Hudson2012-10-081-17/+17
|
* make dependGreg Hudson2012-09-121-0/+11
|
* Add responder feature for initial cred exchangesNathaniel McCallum2012-09-118-5/+471
| | | | | | | | | | | | | | | | | | | | | | | Add new APIs: * krb5_get_init_creds_opt_set_responder * krb5_responder_get_challenge * krb5_responder_list_questions * krb5_responder_set_answer If a caller sets a responder, it will be invoked after preauth modules have had a chance to review their incoming padata but before they produce outgoing padata. The responder will be presented a set of questions with optional challenges. The responder should then answer all questions it knows how to handle. Both the answers and the challenges are printable UTF-8 and may contain encoded, structured data specific to the question asked. Add two new callbacks and one optional method to the clpreauth interface. The new method (prep_questions) allows modules to ask questions by setting them in the responder context using one of the new callbacks (ask_responder_question). The other new callback (get_responder_answer) is used by the process method to read the answers to the questions asked. ticket: 7355 (new)
* Fix portability, printf bugs in preauth_otp.cGreg Hudson2012-08-241-3/+1
| | | | | | unistd.h is not available on Windows and isn't needed for this file, so don't include it. Two arguments to asprintf in choose_token() were reversed.
* Run "make depend"Tom Yu2012-08-231-1/+13
|
* Fix minor Makefile.in typos for make dependTom Yu2012-08-231-0/+1
| | | | | Fix minor typos in lib/krb5/krb/Makefile.in and tests/gssapi/Makefile.in so that "make depend" will work.
* Add otp client preauth pluginNathaniel McCallum2012-08-235-0/+581
| | | | | | | Implements the client side of RFC 6560. Not all features are implemented, but it should work for the most common cases. ticket: 7242 (new)
* Add ASN.1 support for OTPGreg Hudson2012-08-231-0/+65
| | | | | | | Add encoders and decoders for the OTP-TOKENINFO, PA-OTP-CHALLENGE, PA-OTP-REQUEST, and PA-OTP-ENC-REQUEST types from RFC 6560. For more thorough testing, add support for generating test encodings using asn1c for sample objects (currently only for the OTP types).
* Fix memory leak parsing name with default realmGreg Hudson2012-08-071-0/+1
| | | | | | | After 74beb75bb07e3921d10c8eec05eacb1f393e5e44, allocate_princ() allocates a one-byte realm field even if the principal doesn't have one, so if we're replacing it with the default realm, we need to free that.
* Turn off replay cache in krb5_verify_init_creds()Nalin Dahyabhai2012-08-061-0/+9
| | | | | | | The library isn't attempting a replay attack on itself, so any detected replays are only going to be false-positives. ticket: 7229 (new)
* kfw add preauth_sam2 to OBJS for windows buildKevin Wasserman2012-07-161-0/+1
| | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7203 (new) tags: pullup
* Fix error handling in allocate_princ()Greg Hudson2012-07-131-2/+4
| | | | | The most recent change could leak memory when trying to parse an invalid principal because of a failure to use the cleanup handler.
* Reject extra realm separators in principal namesGreg Hudson2012-07-081-0/+2
| | | | | | Commit f609e5caff410cc8f71db7d95b4da219541437db accidentally omitted the check for extra realm separators, leading to an assertion error when parsing x@y@z or similar. Restore the check.
* Remove dead codeBen Kaduk2012-07-051-11/+0
| | | | | This (hair-raising) macro is not referenced anywhere in the tree, so remove it and the associated comment.
* Check sort_enctypes return value in gic_keytabGreg Hudson2012-07-021-2/+3
|
* Include all default etypes in gic_keytab requestsGreg Hudson2012-07-021-26/+30
| | | | | | | | | | | Revert 18b02f3e839c007fff54fc9b693f479b7563ec73 in the KDC. Instead, when making an initial request with a keytab, transmit the whole default_tkt_enctypes list, but sorted with the enctypes we have in the keytab first. That way the KDC should prefer enctypes which we have keys for (for both reply key and session key), but the other enctypes are still available for use as ticket session keys. ticket: 7190
* Simplify bld_princ.cGreg Hudson2012-06-211-66/+20
|
* Remove orphaned KfM codeGreg Hudson2012-06-211-5/+0
|
* Rename and add to etype utility functionsGreg Hudson2012-06-078-31/+27
| | | | | | | Rename krb5int_count_etypes and krb5int_copy_etypes to have k5_ prefixes, and make them available outside of libkrb5 (but not part of the public API). Add k5_etypes_contains to search an etype list, and use it in krb5_is_permitted_enctype.
* Remove krb5_is_permitted_enctype_extGreg Hudson2012-06-071-32/+0
| | | | | It's an internal function (not in krb5.h or the libkrb5 export list) and nothing uses it.
* Don't free caller's principal in vfy_incredsGreg Hudson2012-06-061-1/+0
| | | | | | | | #7125 took out the copy of the krb5_verify_init_creds server argument but left in the corresponding free, so it was freeing a caller-owned principal. Reported by Russ Allbery. ticket: 7162
* Use correct profile var in krb5_get_tgs_ktypesGreg Hudson2012-06-011-1/+1
| | | | | | | | | | | In r21879, when we converted to using KRB5_CONF macros for profile variable names, we made a typo in krb5_get_tgs_ktypes and erroneously started using default_tkt_enctypes instead of default_tgs_enctypes for TGS requests. Fix the typo and return to the documented behavior. ticket: 7155 target_version: 1.10.3 tags: pullup
* Fix S4U user identification in preauth caseGreg Hudson2012-05-241-4/+2
| | | | | | | | | | | | | | | | | | | | | | | In 1.10, encrypted timestamp became a built-in module instead of a hardcoded padata handler. This changed the behavior of krb5_get_init_creds as invoked by s4u_identify_user such that KRB5_PREAUTH_FAILED is returned instead of the gak function's error. (Module failures are not treated as hard errors, while hardcoded padata handler errors are.) Accordingly, we should look for KRB5_PREAUTH_FAILED in s4u_identify_user. On a less harmful note, the gak function was returning a protocol error code instead of a com_err code, and the caller was testing for a different protocol error code (KDC_ERR_PREAUTH_REQUIRED) which could never be returned by krb5_get_init_creds. Clean up both of those by returning KRB5_PREAUTH_FAILED from the gak function and testing for that alone. Reported by Michael Morony. ticket: 7136 target_version: 1.10.2 tags: pullup
* Convert DEBUG_REFERRALS to TRACE_* frameworkW. Trevor King2012-05-232-21/+6
| | | | | | | | | The referrals debugging code under DEBUG_REFERRALS ceased building correctly at some point. Convert this debugging code to use the tracing framework instead, including adding new trace macros to k5-trace.h. ticket: 7151
* Null-terminate components of parsed principalsGreg Hudson2012-05-122-11/+10
| | | | | | | | | | The rewritten krb5_parse_name didn't null-terminate components or realms of principals, while the old one did. Fix the new one to do so as well. This means KRB5_PRINCIPAL_PARSE_IGNORE_REALM allocates one byte for the realm instead of leaving it as empty_data(), so we need to free the realm in build_in_tkt_name() before copying in the client realm.
* Omit start time in common AS requestsGreg Hudson2012-05-111-5/+9
| | | | | | | | | | | | | | | | | | | MIT and Heimdal KDCs ignore the start time for non-postdated ticket requests, but AD yields an error if the start time is in the KDC's future, defeating the kdc_timesync option. Omit the start time if the caller did not specify a start time offset. This change reenables the client check for too much clock skew in the KDC reply in the non-timesync configuration. That check had been unintentionally suppressed since the introduction of the get_init_creds interfaces. Adjust the t_skew test script to expect the new error behavior. Code changes from stefw@gnome.org with slight modifications. ticket: 7130 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25864 dc483132-0cff-0310-8789-dd5450dbe970
* Avoid requiring default realm for in_tkt_serviceGreg Hudson2012-05-101-31/+17
| | | | | | | | Use the new KRB5_PRINCIPAL_PARSE_IGNORE_REALM flag when parsing in_tkt_service arguments in get_init_cred functions, since we're going to overwrite the realm anyway. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25863 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_parse_name flag to ignore realmGreg Hudson2012-05-101-1/+5
| | | | | | | | | | The flag KRB5_PRINCIPAL_PARSE_IGNORE_REALM causes krb5_parse_name to return the principal with an empty realm whether or not a realm is present in the name. ticket: 7129 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25862 dc483132-0cff-0310-8789-dd5450dbe970
* Rewrite krb5_parse_nameGreg Hudson2012-05-101-285/+176
| | | | | | | | | krb5_parse_name started out a bit unwieldy, and has become more so with the introduction of flags. Rewrite it using two passes (allocate and fill), each broken out into its own helper, and a wrapper which handles the realm flags. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25861 dc483132-0cff-0310-8789-dd5450dbe970
* Make password change work without default realmGreg Hudson2012-05-101-0/+5
| | | | | | | | | | | | This fix is not very general or clean, but is suitable for backporting because it is minimally invasive. A more comprehensive fix will follow. ticket: 7127 target_version: 1.10.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25860 dc483132-0cff-0310-8789-dd5450dbe970
* Constify get_init_creds string input paramsGreg Hudson2012-05-094-9/+9
| | | | | | | | | | | | The get_init_creds functions take read-only string input parameters for passwords and initial ticket services. Make these const char * parameters instead of just char * parameters, for caller convenience. Reported by rra@stanford.edu. ticket: 7121 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25858 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-28 16:55:22 +0000