Age | Commit message | Author | Files | Lines |
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23461 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23424 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23423 dc483132-0cff-0310-8789-dd5450dbe970
|
|
referrals and pre-authentication did not work correctly.
In particular, the set of preauthentication mechanisms that had been used in the preauth context, the initial set of mechanisms to try, the fast state, and the negotiated state were not reset whenever the realm changed.
Refactor handling of init_creds loop restarts. There are three cases
where the loop starts up: at init_creds_init time, when negotiation
needs to restart (fast detected or negotiation not supported), or when
referrals cause the realm to change. Factor out as much code as
possible to be common in these cases.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23422 dc483132-0cff-0310-8789-dd5450dbe970
|
|
reorganized to be more maintainable and asynchronous. This commit
forward ports old changes found in users/hartmans/fast-negotiate to
the new architecture. All the changes were ported at once rather than
porting each individual change.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23421 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23420 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23419 dc483132-0cff-0310-8789-dd5450dbe970
|
|
back to no negotiation when the KDC doesn't appear to support it.
In order to do this, control flow for get_init_creds is changed significantly.
A comment in the diff explains the logic.
* Move preauth_request_init into loop
* move preauth gic option handling into loop
* New function krb5int_upgrade_to_fast_p
* New fast state flag: KRB5INT_FAST_ARMOR_AVAIL
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23418 dc483132-0cff-0310-8789-dd5450dbe970
|
|
not unless KRB5_FAST_REQUIRED is set
* KRB5_FAST_REQUIRED: new FAST flag
* krb5int_fast_as_armor: examine negotiation state
As a result of this change cross-realm armor tickets will generally
not be used unless KRB5_FAST_REQUIRED is set in the gic_options.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23417 dc483132-0cff-0310-8789-dd5450dbe970
|
|
ccache based on FAST negotiation
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23416 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23415 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Support this function in krb5_get_init_creds
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23414 dc483132-0cff-0310-8789-dd5450dbe970
|
|
krb5_get_init_creds_opt_{set_fast_flags|get_fast_flags|set_out_ccache}
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23413 dc483132-0cff-0310-8789-dd5450dbe970
|
|
* Move return_enc_padata so reply key is available
* Include checksum of reply if requested
* export encode_krb5_checksum so we can call it from the KDC
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23412 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23411 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23410 dc483132-0cff-0310-8789-dd5450dbe970
|
|
restructure enc_padata path to prepare for additional padata
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23409 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23408 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23407 dc483132-0cff-0310-8789-dd5450dbe970
|
|
This implementation is sloppy in that it always includes the padata
requesting reply checksum even though that will interact badly with some of our older KDCs.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23406 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23405 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23404 dc483132-0cff-0310-8789-dd5450dbe970
|
|
* krb5_cc_get_config: get a config parameter from a ccache
* krb5_cc_set_config: set a configuration parameter in a ccache
* krb5_is_config_principal: should this principal be skipped during ccache iteration
* klist: skip config principals
ticket: 6206
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23403 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23402 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23398 dc483132-0cff-0310-8789-dd5450dbe970
|
|
AES messages never need to be padded because the confounder ensures
that the plaintext is at least one block long. Remove a check in
krb5int_dk_decrypt_iov which was rejecting short AES messages because
it didn't count the header length.
ticket: 6589
tags: pullup
target_version: 1.7.1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23397 dc483132-0cff-0310-8789-dd5450dbe970
|
|
buffers explicitly rather than using stream decryption. Sidesteps
some machinery and avoids copying the output.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23396 dc483132-0cff-0310-8789-dd5450dbe970
|
|
encryption with a keyblock since this makes four uses of it in one
file.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23395 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23394 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23393 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23392 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23391 dc483132-0cff-0310-8789-dd5450dbe970
|
|
dk_encrypt.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23390 dc483132-0cff-0310-8789-dd5450dbe970
|
|
krb5int_des_cbc_decrypt_iov was using a plaintext block to update the
ivec. Fix it to use the last cipher block, borrowing from the
corresponding des3 function. The impact of this bug is not serious
since ivec chaining is not typically used with IOV encryption in 1.7.
ticket: 6588
tags: pullup
target_version: 1.7.1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23389 dc483132-0cff-0310-8789-dd5450dbe970
|
|
krb5_old_decrypt; this makes every enctype have an AEAD provider. To
make this work, expose make_unkeyed_checksum_iov to other files (under
the name krb5int_hash_iov) and make krb5int_c_padding_length take into
account the header length.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23388 dc483132-0cff-0310-8789-dd5450dbe970
|
|
well as data and padding blocks when checking for correctly padded
input.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23387 dc483132-0cff-0310-8789-dd5450dbe970
|
|
so that it returns the same result if you pass it one big buffer or
many small buffers containing the same data. To do this, change the
contract of mit_crc32 so that the cksum parameter is in-out.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23386 dc483132-0cff-0310-8789-dd5450dbe970
|
|
lingering checks in the dk and raw aead providers from before that
was introduced.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23385 dc483132-0cff-0310-8789-dd5450dbe970
|
|
ticket: 6585
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23384 dc483132-0cff-0310-8789-dd5450dbe970
|
|
iterations.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23382 dc483132-0cff-0310-8789-dd5450dbe970
|
|
to use the iov entry point at both call sites. Rename the iov entry
point to remove the "_iov" suffix since it's no longer needed to
disambiguate.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23381 dc483132-0cff-0310-8789-dd5450dbe970
|
|
produces a (spurious) Coverity defect. Fix a memory leak in
krb5int_arcfour_encrypt.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23380 dc483132-0cff-0310-8789-dd5450dbe970
|
|
consistent and elegant emacs auto-formatting.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23379 dc483132-0cff-0310-8789-dd5450dbe970
|
|
arcfour encryption of GSS tokens. This factors out derivation of
the usage and encryption keys, and removes the need for the provider
structures to be visible to all of krb5 via k5-int.h.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23378 dc483132-0cff-0310-8789-dd5450dbe970
|
|
making use of newer convenience functions and by factoring out the
derivation of the usage and encryption keys.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23377 dc483132-0cff-0310-8789-dd5450dbe970
|
|
krb5_data structure with allocated memory.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23376 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23374 dc483132-0cff-0310-8789-dd5450dbe970
|
|
to simplify the gss-krb5 code a little bit.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23372 dc483132-0cff-0310-8789-dd5450dbe970
|
|
keys which might or might not exist. Consistent with allowing freeing
of null keys.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23371 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23370 dc483132-0cff-0310-8789-dd5450dbe970
|