Age | Commit message | Author | Files | Lines
2009-01-03 | On decrypt, the ivec should be chained from ciphertext [mskrb-integ] | Sam Hartman | 1 | -2/+5
not output
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21689 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-03 | Patch from Luke Howard: | Sam Hartman | 1 | -3/+8
Confirm that copy succeeds before freeing ticket principal.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21688 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-03 | Luke Howard indicates that ser_sctx.c does not account for the size of the context times | Sam Hartman | 1 | -1/+1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21687 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-03 | Revert "integrate Novell patch to always try referrals - I have not reviewed" | Sam Hartman | 1 | -55/+11
Tom indicates he has a similar patch that has been tested.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21686 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-03 | Remove merge issues list | Sam Hartman | 1 | -4/+0
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21685 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-03 | git-svn managed to generate a bogus commit or otherwise get into a state where it believed that changes had been merged onto the branch when they had in fact not been merged. | Sam Hartman | 4 | -18/+28
This re-applies these changes. This reverts commit d2f51f02bac81d852f6f020373718d08b6abd02f.
Conflicts:
    src/lib/crypto/Makefile.in
    src/lib/crypto/arcfour/Makefile.in
    src/lib/crypto/des/Makefile.in
    src/lib/crypto/enc_provider/Makefile.in
    src/lib/crypto/keyhash_provider/Makefile.in
    src/lib/krb5/krb/rd_req_dec.c
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21684 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-03 | fix merge error | Sam Hartman | 1 | -4/+4
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21680 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-03 | Make depend | Sam Hartman | 36 | -1025/+1366
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21679 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-03 | Merge trunk at 21659 | Sam Hartman | 243 | -35356/+1951
Conflicts:
    src/Makefile.in
    src/kadmin/server/misc.h
    src/kdc/do_as_req.c
    src/kdc/do_tgs_req.c
    src/kdc/kdc_util.c
    src/kdc/kdc_util.h
    src/lib/crypto/Makefile.in
    src/lib/crypto/des/Makefile.in
    src/lib/crypto/enc_provider/Makefile.in
    src/lib/kdb/kdb5.c
    src/lib/krb5/krb/chk_trans.c
    src/lib/krb5/krb/walk_rtree.c
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21678 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-03 | better application behavior although is somewhat non-intuitive. | Sam Hartman | 2 | -16/+31
Set up the replay cache here because we have the server principal krb5_rd_req: Don't set server to ticket->server krb5_rd_req_decoded: change ticket->server to the principal we actually match from the keytab; this produces
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21677 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-03 | If KRB5_PRINCIPAL_UNPARSE_NO_REALM is specified, don't escape the @ | Luke Howard | 1 | -2/+13
symbol.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21676 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-02 | Indent fixup | Luke Howard | 1 | -2/+2
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21675 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-02 | Cleanup | Luke Howard | 1 | -4/+2
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21674 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-02 | Fix up comment to explain why the kdb keytab is not used in the tgs case any more | Sam Hartman | 1 | -4/+2
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21673 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-02 | Handle KDC_ERR_WRONG_REALM in krb5_get_in_tkt() - needs review, not | Luke Howard | 1 | -1/+38
completely tested yet
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21672 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-02 | cleanup | Luke Howard | 1 | -2/+3
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21671 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-02 | Revert r21667, it breaks authorization data backends that need access to | Luke Howard | 1 | -0/+13
the KDC key to validate signatures
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21670 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-02 | Validate k_nprincs != 0 before passing a pointer to krbtgt | Luke Howard | 1 | -2/+2
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21669 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-02 | Using the server name as a hint | Sam Hartman | 1 | -21/+2
is inappropriate. The server name is a security constraint. If set, it must constrain the principals that can be authenticated to; otherwise applications may get behavior that breaks security policy. It is a goal that applications need to change to take advantage of any server search.
Remove dead code
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21668 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-02 | Use kdb keytab | Sam Hartman | 1 | -13/+0
to look up service principal
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21667 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-02 | KDC always assumes a server | Sam Hartman | 1 | -1/+1
supports des-cbc-crc. Among other things, the test suite depends on this.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21666 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-02 | Don't register any services with portmap. | Sam Hartman | 1 | -1/+1
Works around test instability problem but not desirable for iprop
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21665 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-02 | Layer gss_sign() on top of gss_get_mic(), gss_verify() on top of | Luke Howard | 15 | -119/+70
gss_verify_mic(), rather than the other way around. Mechanisms should export a V2 interface.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21664 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-02 | be sure to decode enc_padata | Luke Howard | 1 | -0/+1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21663 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-02 | Only allow the AS-REP server principal to be changed if we requested and | Luke Howard | 1 | -5/+15
received a TGT
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21662 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-02 | move common macros into int-proto.h | Luke Howard | 4 | -12/+6
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21661 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-02 | In an AS-REP, only canonicalize the server name if we are returning a | Luke Howard | 1 | -14/+8
TGT, and the client requested one
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21660 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-01 | Set KRB5_KDB_FLAG_PKINIT flag, AD backends need this to return | Luke Howard | 1 | -0/+3
PAC_CREDENTIAL_DATA
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21658 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-01 | Refactor by adding find_pa_data() helper | Luke Howard | 2 | -19/+25
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21657 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-01 | Use KRB5_PRINCIPAL_UNPARSE_NO_REALM for the logon name; cleanup | Luke Howard | 1 | -9/+9
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21656 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-01 | Only add FD to sstate.rfds if add_XXX_fd() succeeds | Luke Howard | 1 | -11/+13
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21655 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-01 | Keep krb5_gss_glue.c just for mechanism-specific API; move the rest into | Luke Howard | 2 | -492/+488
gssapi_krb5.c. That way, a vendor can build krb5_gss_glue.c as libgssapi_krb5.so, the mechglue as libgssapi.so, and the rest of the Kerberos mech as mech_krb5.so (this is essentially what Novell did).
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21654 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-01 | Back out r2164[78]; although the mech_invoke abstraction is superfluous | Luke Howard | 6 | -37/+247
when building mech_krb5 today, it will help anyone that wants to correctly build it dynamically. (By correctly, I mean that mechanism-specific API should go in libgssapi_krb5 and the mechanism itself in mech_krb5; one cannot assume that one can link against loadable modules on all platforms. I notice in OpenSolaris Sun link against mech_krb5 directly to get mech-specific API, but this won't work on Darwin.)
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21653 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-01 | remove superfluous comment | Luke Howard | 1 | -2/+0
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21652 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-01 | remove cruft | Luke Howard | 1 | -25/+0
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21651 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-01 | fix regression in last commit (use correct OID for inquiring session | Luke Howard | 1 | -9/+7
key)
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21650 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-01 | gssspi_mech_invoke() is superfluous for mech_krb5, it's only useful for | Luke Howard | 5 | -193/+30
mechanisms that are dynamically loaded (in which case the mechanism would provide a separate library with mechanism-specific APIs that wrapped gssspi_mech_invoke())
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21649 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-01 | Restore old gss_krb5_ccache_name() implementation, it does not need to | Luke Howard | 3 | -68/+8
be indirected through gssspi_mech_invoke()
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21648 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-01 | Don't add a socket to sstate.rfds until add_XXX_fd() has returned | Luke Howard | 1 | -20/+25
successfully, as otherwise it will contain a dangling FD reference
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21647 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-01 | Wrap gss_seal/gss_unseal (V1) on gss_wrap/gss_unwrap (V2), rather than | Luke Howard | 10 | -95/+43
the other way around. Mechanisms should export V2 interfaces.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21646 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-01 | Use tgs_ktypes rather than permitted_enctypes for client-side EtypeList | Luke Howard | 1 | -14/+15
Don't send EtypeList unless most preferred enctype is different to ticket session key enctype
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21645 dc483132-0cff-0310-8789-dd5450dbe970
2008-12-31 | Cleanup | Luke Howard | 1 | -5/+1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21643 dc483132-0cff-0310-8789-dd5450dbe970
2008-12-31 | skip over KRB5_CRYPTO_TYPE_EMPTY buffers when translating IOV | Luke Howard | 1 | -0/+6
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21641 dc483132-0cff-0310-8789-dd5450dbe970
2008-12-31 | Correctly distinguish between initiator and acceptor subkey checksum | Luke Howard | 5 | -59/+104
lengths, in case they may be different (if a stronger CFX enctype was negotiated by RFC 4537)
Fix kg_translate_iov_v3() to handle EC correctly when a trailer is present
CFX header validation was broken: we were comparing the plaintext copy to itself rather than the copy in the trailer.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21640 dc483132-0cff-0310-8789-dd5450dbe970
2008-12-30 | Previously, we tested explicitly for KRB5_KDB_PWCHANGE_SERVICE when | Luke Howard | 2 | -12/+13
disabling AS-REP canonicalization, because in Windows kadmin/changepw is an alias for the TGS. This was to avoid a client asking for a changepw service ticket getting a TGT by setting the canonicalize flag, something particularly problematic for a user who is only allowed to reset an expired password. The correct fix, however, is to disable AS-REP server name canonicalization for any alias of the TGS (unless the user is requesting a TGT, in which case we enable it, because that allows us to deal with realm aliases for Windows interop).
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21638 dc483132-0cff-0310-8789-dd5450dbe970
2008-12-29 | cleanup | Luke Howard | 1 | -4/+7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21630 dc483132-0cff-0310-8789-dd5450dbe970
2008-12-29 | Don't omit ticket session key enctypes when negotiating enctypes | Luke Howard | 1 | -5/+2
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21629 dc483132-0cff-0310-8789-dd5450dbe970
2008-12-29 | don't return enc-pa-data if canon flag unset | Luke Howard | 1 | -5/+7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21628 dc483132-0cff-0310-8789-dd5450dbe970
2008-12-29 | Cleanup kg_make_confounder() somewhat | Luke Howard | 1 | -12/+5
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21626 dc483132-0cff-0310-8789-dd5450dbe970
2008-12-28 | fix a logic error introduced in r21615 | Luke Howard | 1 | -7/+4
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21617 dc483132-0cff-0310-8789-dd5450dbe970