| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Active Directory returns structured policy information in the
nominally UTF-8 result string field of a password change reply. Add a
new API krb5_chpw_message() to convert a result string into a
displayable message, interpreting policy information if present.
Patch from stefw@gnome.org with changes.
ticket: 7128
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25857 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
| |
Make vfy_increds.c consistently use newer coding conventions. Also
add a copyright statement.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25848 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
| |
As the file ccache implementation currently stands, we don't want to
turn off TC_OPENCLOSE on a file cache we're writing to, or it will be
opened read-only and stores to it will fail. Reported by Russ
Allbery.
ticket: 5126
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25847 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Factor out the core code of krb5_verify_init_creds into a helper, add
new helper functions to retrieve the list of unique host principals
from a keytab, and make krb5_verify_init_creds drive the helper once
per host principal.
Augment the test harness and test cases to better test the new
behavior. Add a k5test method to retrieve an NFS principal for the
test realm for the sake of the new test cases.
ticket: 7125
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25845 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
| |
Now that krb5_do_preauth has many fewer moving parts, simplify its
flow control. Also remove an unused output parameter from
run_preauth_plugins.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25842 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
| |
Turn the last two entries of the pa_types table into helper functions
which we invoke before the loop. Then, get rid of the part of the
loop which consults the pa_types table.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25841 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25840 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Correctly set the name-type for the TGS principals to KRB5_NT_SRV_INST
in TGS-REQs. (Previously, only AS-REQs had the name-type set in this
way.) Windows Server 2008 R2 read-only domain controllers (RODCs)
insist on having the correct name-type for the TGS principal in
TGS-REQs as well as AS-REQs, at least for the TGT-forwarding case.
Thanks to Sebastian Galiano for reporting this bug and helping with
testing.
ticket: 7120
target_version: 1.10.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25839 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
| |
The addition of afs3-salt processing in get_etype_info made it overly
large, so split out the pw-salt/afs3-salt processing into a separate
function. Also fix two dumb bugs.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25838 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In krb5_init_creds_ctx and krb5_clpreauth_rock_st, use a boolean to
track whether we're still using the default salt instead of
overloading salt.length. In preauth2.c, process afs3 salt values like
we would in krb5int_des_string_to_key, and set an s2kparams indicator
instead of overloading salt.length. Also use an s2kparams indicator
in kdb_cpw.c's add_key_pwd. Remove the s2k code to handle overloaded
salt lengths, except for a sanity check.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25837 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
| |
Pull etype-info2, etype-info, pw-salt, and afs3-salt handling out of
the pa_types loop into a new helper function get_etype_info().
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25834 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
| |
Use krb5int_copy_data_contents_add0 when copying a pa-pw-salt or
pa-afs3-salt value in pa_salt(). If it's an afs3-salt, we're going to
throw away the length and use strcspn in krb5int_des_string_to_key,
which isn't safe if the value is unterminated.
ticket: 2545
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25833 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
| |
Move the last real preauth mechanism, SAM-2, from the pa_types table
to a built-in module.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25831 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25830 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
| |
Very few Python tests need kadmind, so it makes more sense to have to
turn it on than to have to turn it off.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25825 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Initialize use_count fields in krb5_preauth_request_context_init,
which is invoked before each AS request. Previously they were
initialized only in krb5_init_preauth_context, which is only invoked
once per krb5 library context.
ticket: 7119
target_version: 1.10.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25822 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
| |
When getting initial credentials with a keytab, filter the list of
request enctypes based on the keys in the keytab.
Based on a patch from Stef Walter.
ticket: 2131
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25818 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
| |
Use krb5_init_creds_set_keytab in krb5_get_init_creds_keytab, so that
processing added to the former will be used by the latter. This is
slightly awkward because of the way we do the use_master fallback, in
that we have to duplicate some of krb5int_get_init_creds.
Based on a patch from Stef Walter.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25817 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a clpreauth callback which gets the time of day using an offset
determined by the preauth-required error, and use it in encrypted
timestamp and encrypted challenge. This timestamp is not necessarily
authenticated, but the security consequences for those preauth mechs
are minor (and can be mitigated by turning off kdc_timesync on
clients).
Based on a patch from Stef Walter.
ticket: 7114
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25808 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
| |
Reported by stefw@gnome.org.
ticket: 7112
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25803 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
| |
encountered while initializing krb5 library context
ticket: 7091
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25800 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
| |
We shouldn't peer at trans->tr_contents.data[0] if
trans->tr_contents.length is 0, even if the data field is non-null.
Harmless as long as the ASN.1 decoder uses null data fields for empty
krb5_data values, but still wrong.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25797 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
r24241 (#6755) introduced a bug where if the KDC sends a LastReq entry
containing an account expiry time, we send a prompter warning for
password expiry even if there was no entry containing a password
expiry time. Typically, this results in the message "Warning: Your
password will expire in less than one hour on Thu Jan 1 12:00:00
1970".
Fix this by explicitly checking for pw_exp == 0 in warn_pw_expiry()
after we've gotten past the conditional for invoking the callback.
ticket: 7098
target_version: 1.9.4
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25730 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a general ASN.1 decoder implementation in asn1_encode.c using the
same data structures as the encoder (augmented where necessary), and
use it to define decoder functions in asn1_k_encode.c. Add a boolean
type to atype_info, as it is needed for the pa_pac_req decoder. For
the moment, just #if out the old decoder functions; they and their
support code can be cleaned up later after a a few remaining utility
functions are addressed.
Changes to encoder and decoder interfaces are minimized, but there are
two small ones. ldap_seqof_key_data has a kvno field added, and some
of the decoder logic is pushed up into the caller. The safe_with_body
decoder now outputs an allocated krb5_data * instead of a krb5_data
with aliases into the input buffer.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25693 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
| |
New APIs of this sort should be discussed, and the goals motivating
the change clarified.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25670 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
| |
diagnostics of the potential misconfiguration.
Added profile_get_(string/integer/boolean)_nodef functions to the profile library to get the typed values from the configuration
files (without setting these values to the defaults).
Used TRACE_PROFILE_ERR for the configuration diagnostics in krb5_init_context_profile API.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25669 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
| |
Recent versions of gcc can generate a maybe-uninitialized warning from
bison output instead of a regular uninitialized warning. Suppress
both. Fix from nalin@redhat.com.
ticket: 7080
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25665 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In get_in_tkt.c, a time offset is computed between the KDC's auth_time
and the current system time after the reply is decrypted. Time may
have elapsed between these events because of a gak_fct invocation
which blocks on user input. The resulting spurious time offset can
cause subsequent TGS-REQs to fail and can also cause the end time of
the next AS request to be in the past (issue #889) in cases where the
old ccache is opened to find the default principal.
Use the system time, without offset, for the request time of an AS
request, for more predictable kinit behavior. Use this request time,
rather than the current time, when computing the clock skew after the
reply is decrypted.
ticket: 7063
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25644 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
| |
krb5_alt_method was added in r6604 but never supported. krb5_pwd_data
became unused when the Sandia kadmin system was replaced.
krb5_pa_server_referral_data and krb5_pa_svr_referral_data were added
in r21690 with internally-visible encoders which nothing uses.
Leave behind structure declarations in krb5.hin for API compatibility.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25619 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
| |
r24403 removed the old SAM support, but left behind the structures,
free functions, and ASN.1 encoders/decoders. Remove those now.
(SAM-2 support is still present.)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25618 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Use the krb5_pa_data structure type when encoding or decoding
TYPED-DATA. Leave the krb5_typed_data structure definition in krb5.h
with a comment saying not to use it. Remove krb5_free_typed_data
(which was never declared in krb5.h). Remove some vestigial accessor
stuff related to PKINIT encoding and decoding TYPED-DATA, which was
unneeded since r25483. Bump the accessor structure version to 19
accordingly.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25601 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If krb5_server_decrypt_ticket_keytab doesn't find a key of the
appropriate enctype in an iterable keytab, it returns 0 (without
decrypting the ticket) due to a misplaced initialization of retval.
This bug causes kinit -k to claim "keytab entry valid" when it
shouldn't. Reported by mark@mproehl.net.
ticket: 7051
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25584 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
| |
If a get_credentials operation requires multiple TGS requests, we need
to free the subkey from previous requests before saving a new one.
ticket: 7049
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25536 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
| |
krb5int_fast_prep_req remove tgs from request->padata and needs to
free it. get_creds.c needs to use a fresh FAST state for each TGS
request to avoid leaking armor keys.
ticket: 7026
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25535 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
| |
ticket: 7048
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
| |
When the KDC verifies a PAC, it doesn't really need to check the
server signature, since it can't trust that anyway. Allow the caller
to pass only a TGT key.
ticket: 7048
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25505 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the client application requests optimistic preauth for a preauth
type which uses the password, we don't have an etype-info2 to
interpret since we haven't talked to the KDC. So we need to guess an
enctype, salt, and s2k parameters. In 1.9 and prior, encrypted
timestamp contained code to use the first requested enctype in this
case, but encrypted challenge did not. In 1.10 prior to this change,
neither mechanism uses a reasonable default.
Set a default enctype in krb5_init_creds_init so that all
password-based preauth mechanisms will use a reasonable default in the
optimistic preauth case. The default salt and s2k parameters for this
case will be the principal-based default salt and the enctype-based
default parameters.
ticket: 7033
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25504 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix for mk_cred.c: calloc() not malloc()
Avoid calling free() in cleanup on uninitialized sub-ptrs if error occurs.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7034
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25496 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
| |
Use current practices for parameter naming and resource cleanup.
Avoid a leak of local_dec_rep (now named dec_rep) if we take a "goto
cleanup" path.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25490 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25489 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
| |
Implement RFC 6113 FAST TGS support.
Includes library support for a varient of explicit TGS armor that has not yet been proposed within the IETF.
ticket: 7026
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25488 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
| |
krb5int_fast_process_error: Allow out_padata and retry to be null for
TGS case. Refactor function to do more frees in the exit handling and
to declare variables at the top.
krb5int_fast_reply_key: input keyblock arguments should be const
ticket: 7025
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25487 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
subject: FAST PKINIT
target_version: 1.10
tags: pullup
Per RFC 6113 fast should use the inner request body for the pkinit
checksum. We did that on the KDC; now do so on the client. Remove
code that explicitly blocked pkinit under FAST.
Also, use the reply key *before* the strengthen key is applied when
verifying the PADATA_PKINIT_KX.
Add FAST pkinit test.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25486 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
| |
A last-minute code editing mistake crept into the previous commit; fix
it.
ticket: 7023
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25484 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change the clpreauth tryagain method to accept a list of pa-data,
taken either from the FAST response or from decoding the e_data as
either pa-data or typed-data. Also change the in_padata argument to
contain just the type of the request padata rather than the whole
element, since modules generally shouldn't care about the contents of
their request padata (or they can remember it).
In krb5int_fast_process_error, no longer re-encode FAST pa-data as
typed-data for the inner error e_data, but decode traditional error
e_data for all error types, and try both pa-data and typed-data
encoding.
In PKINIT, try all elements of the new pa-data list, since it may
contain FAST elements as well as the actual PKINIT array. (Fixes an
outstanding bug in FAST PKINIT.)
ticket: 7023
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25483 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
krb5 1.6 through 1.8 contained a workaround for the Active Directory
behavior of returning a TGS referral to the same realm as the request.
1.9 responds to this behavior by caching the returned TGT, trying
again, and detecting a referral loop. This is a partial regression of
ticket #4955. Detect this case and fall back to a non-referreal
request.
ticket: 7016
target_version: 1.9.3
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25472 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
| |
Add an assertion to ensure that the interface_names table in plugin.c
is updated when a new pluggable interface is added.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25471 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When the ccselect pluggable interface was added, the interface_names
table wasn't updated, so configuring modules for it wouldn't work.
Add it now.
ticket: 7015
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25470 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we receive a PREAUTH_REQUIRED error and fail to generate any real
preauthentication, error out immediately instead of continuing to
generate non-preauthenticated requests until we hit the loop count.
There is a lot of room to generate a more meaningful error about why
we failed to generate preauth (although in many cases the answer may
be too complicated to explain in an error message), but that requires
more radical restructuring of the preauth framework.
ticket: 6430
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25469 dc483132-0cff-0310-8789-dd5450dbe970
|
