Age | Author | Files | Lines | Commit message
2009-12-09 | Greg Hudson | files: 13 | lines: -146/+168 | Fix some formatting issues [fast-negotiate]
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23461 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 1 | lines: -1/+2 | Restart the loop after changing the service we're contacting
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23424 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 1 | lines: -1/+2 | fix line length
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23423 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 1 | lines: -65/+89 | Both in the previous trunk code and in the fast negotiation code, referrals and pre-authentication did not work correctly. In particular, the set of preauthentication mechanisms that had been used in the preauth context, the initial set of mechanisms to try, the fast state, and the negotiated state were not reset whenever the realm changed.
Refactor handling of init_creds loop restarts. There are three cases where the loop starts up: at init_creds_init time, when negotiation needs to restart (fast detected or negotiation not supported), or when referrals cause the realm to change. Factor out as much code as possible to be common in these cases.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23422 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 2 | lines: -49/+157 | While developing the fast negotiation changes, the get_in_tkt code was reorganized to be more maintainable and asynchronous. This commit forward ports old changes found in users/hartmans/fast-negotiate to the new architecture. All the changes were ported at once rather than porting each individual change.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23421 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 1 | lines: -0/+3 | Variables needed by fast negotiation in the init creds context
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23420 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 1 | lines: -0/+2 | Don't upgrade to FAST if already using FAST
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23419 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 2 | lines: -2/+22 | Implement upgrade to FAST when the KDC supports FAST. Implement fall back to no negotiation when the KDC doesn't appear to support it.
In order to do this, control flow for get_init_creds is changed significantly. A comment in the diff explains the logic.
* Move preauth_request_init into loop
* move preauth gic option handling into loop
* New function krb5int_upgrade_to_fast_p
* New fast state flag: KRB5INT_FAST_ARMOR_AVAIL
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23418 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 2 | lines: -6/+28 | If FAST is available and an armor ticket is supplied, use it; otherwise do not unless KRB5_FAST_REQUIRED is set
* KRB5_FAST_REQUIRED: new FAST flag
* krb5int_fast_as_armor: examine negotiation state
As a result of this change, cross-realm armor tickets will generally not be used unless KRB5_FAST_REQUIRED is set in the gic_options.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23417 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 3 | lines: -4/+8 | Store configuration information about whether FAST is available in the ccache based on FAST negotiation
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23416 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 1 | lines: -1/+2 | Initialize creds to 0
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23415 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 1 | lines: -12/+16 | Use krb5_get_init_creds_opt_set_out_ccache to set the output ccache for kinit.
Support this function in krb5_get_init_creds
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23414 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 4 | lines: -6/+85 | Add krb5_get_init_creds_opt_{set_fast_flags|get_fast_flags|set_out_ccache}
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23413 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 6 | lines: -21/+103 | Implement KDC side of protected negotiation:
* Move return_enc_padata so reply key is available
* Include checksum of reply if requested
* export encode_krb5_checksum so we can call it from the KDC
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23412 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 1 | lines: -1/+1 | fix warning
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23411 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 1 | lines: -3/+0 | Remove constants from fast.c now that they are in krb5.h
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23410 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 4 | lines: -16/+20 | AS and TGS path: claim to support FAST negotiation in ticket flag; restructure enc_padata path to prepare for additional padata
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23409 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 1 | lines: -2/+4 | Constants for FAST negotiation
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23408 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 1 | lines: -0/+9 | krb5_k_make_checksum: 0 cksumtype means use mandatory cksum for given enctype
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23407 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 2 | lines: -0/+48 | Implement fast negotiation per discussion with Larry
This implementation is sloppy in that it always includes the padata requesting reply checksum even though that will interact badly with some of our older KDCs.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23406 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 4 | lines: -0/+16 | Expose {decode,encode}_krb5_checksum
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23405 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 1 | lines: -1/+1 | fix signed vs unsigned warning
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23404 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 5 | lines: -2/+182 | Integrate Apple APIs for storing configuration parameters in a ccache
* krb5_cc_get_config: get a config parameter from a ccache
* krb5_cc_set_config: set a configuration parameter in a ccache
* krb5_is_config_principal: should this principal be skipped during ccache iteration
* klist: skip config principals
ticket: 6206
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23403 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-02 | Sam Hartman | files: 0 | lines: -0/+0 | Branch trunk for fast negotiation branch
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23402 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-01 | Zhanna Tsitkov | files: 1 | lines: -67/+67 | Reindent and remove krb5_ prefix from static func name
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23398 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-01 | Greg Hudson | files: 1 | lines: -13/+8 | Fix AES IOV decryption of small messages
AES messages never need to be padded because the confounder ensures that the plaintext is at least one block long. Remove a check in krb5int_dk_decrypt_iov which was rejecting short AES messages because it didn't count the header length.
ticket: 6589
tags: pullup
target_version: 1.7.1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23397 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-01 | Greg Hudson | files: 1 | lines: -23/+41 | Make krb5int_c_decrypt_aead_compat more efficient by building the buffers explicitly rather than using stream decryption. Sidesteps some machinery and avoids copying the output.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23396 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-01 | Greg Hudson | files: 1 | lines: -25/+29 | Fix the usage fallback in krb5int_arcfour_decrypt_iov. Factor out IOV encryption with a keyblock since this makes four uses of it in one file.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23395 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-30 | Tom Yu | files: 33 | lines: -3608/+3644 | Mark and reindent tests, with some exclusions
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23394 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-30 | Zhanna Tsitkov | files: 3 | lines: -74/+55 | Reindent
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23393 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-30 | Tom Yu | files: 19 | lines: -1249/+1274 | Mark and reindent util/support
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23392 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-30 | Greg Hudson | files: 1 | lines: -4/+4 | Remove some stray tabs
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23391 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-30 | Greg Hudson | files: 1 | lines: -1/+1 | Use aead_dk instead of aead_old for des-hmac-sha1, since it uses dk_encrypt.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23390 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-30 | Greg Hudson | files: 1 | lines: -2/+5 | Fix ivec chaining for DES iov encryption
krb5int_des_cbc_decrypt_iov was using a plaintext block to update the ivec. Fix it to use the last cipher block, borrowing from the corresponding des3 function. The impact of this bug is not serious since ivec chaining is not typically used with IOV encryption in 1.7.
ticket: 6588
tags: pullup
target_version: 1.7.1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23389 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-30 | Greg Hudson | files: 6 | lines: -17/+245 | Add an AEAD provider for enctypes which use krb5_old_encrypt and krb5_old_decrypt; this makes every enctype have an AEAD provider. To make this work, expose make_unkeyed_checksum_iov to other files (under the name krb5int_hash_iov) and make krb5int_c_padding_length take into account the header length.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23388 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-30 | Greg Hudson | files: 1 | lines: -1/+1 | In the des enc_provider decrypt_iov function, count header blocks as well as data and padding blocks when checking for correctly padded input.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23387 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-30 | Greg Hudson | files: 5 | lines: -12/+13 | Make the crc32 hash provider correctly chain multiple input buffers, so that it returns the same result if you pass it one big buffer or many small buffers containing the same data. To do this, change the contract of mit_crc32 so that the cksum parameter is in-out.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23386 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-30 | Greg Hudson | files: 2 | lines: -12/+0 | Stream decryption is handled in krb5_k_decrypt_iov; remove some lingering checks in the dk and raw aead providers from before that was introduced.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23385 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-30 | Sam Hartman | files: 1 | lines: -1/+2 | Fix memory leak
ticket: 6585
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23384 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-30 | Greg Hudson | files: 1 | lines: -1/+1 | Terminate the loop in find_authdata_1 if we get an error in one of the iterations.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23382 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-29 | Greg Hudson | files: 6 | lines: -70/+13 | Remove the non-iov entry point introduced in r23378, since it's easy to use the iov entry point at both call sites. Rename the iov entry point to remove the "_iov" suffix since it's no longer needed to disambiguate.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23381 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-29 | Greg Hudson | files: 1 | lines: -4/+3 | Avoid using strncpy in the production of the arcfour salt because it produces a (spurious) Coverity defect. Fix a memory leak in krb5int_arcfour_encrypt.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23380 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-29 | Greg Hudson | files: 1 | lines: -44/+48 | Add do-while(0) around multi-statement macros in f_tables.h for more consistent and elegant emacs auto-formatting.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23379 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-28 | Greg Hudson | files: 8 | lines: -147/+143 | Create functional internal interfaces to allow GSSAPI to perform arcfour encryption of GSS tokens. This factors out derivation of the usage and encryption keys, and removes the need for the provider structures to be visible to all of krb5 via k5-int.h.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23378 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-28 | Greg Hudson | files: 3 | lines: -404/+272 | Clean up the arcfour token encryption and decryption functions by making use of newer convenience functions and by factoring out the derivation of the usage and encryption keys.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23377 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-28 | Greg Hudson | files: 1 | lines: -0/+13 | Add a convenience inline function in k5-int.h to initialize a krb5_data structure with allocated memory.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23376 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-28 | Greg Hudson | files: 173 | lines: -7792/+7932 | Mark and reindent lib/crypto
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23374 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-27 | Greg Hudson | files: 4 | lines: -29/+51 | Add krb5_key versions of the auth context key accessors, and use them to simplify the gss-krb5 code a little bit.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23372 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-27 | Greg Hudson | files: 1 | lines: -1/+2 | Allow null keys to be referenced (a no-op) for simpler "copying" of keys which might or might not exist. Consistent with allowing freeing of null keys.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23371 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-27 | Greg Hudson | files: 1 | lines: -0/+1 | Export krb5_k_reference_key since it's part of the public API
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23370 dc483132-0cff-0310-8789-dd5450dbe970