Age | Commit message (Collapse) | Author | Files | Lines |
|
Handle CAMMAC contained authdata similarly to KDC-issued authdata, where
it is verified before passing to the import function.
[ghudson@mit.edu: fix memory leak and reduce copying in
extract_cammac()]
ticket: 8425
|
|
Add a new public function to set a PAC request option for an AS
request.
[ghudson@mit.edu: simplified code; made signature conform to Heimdal
function; expanded on doxygen comment; added new function to API
reference; changed code to send encoded KERB-PA-PAC-REQUEST instead
of a single octet]
ticket: 7985
|
|
In the Doxygen comments for the new APIs and types, include @version
tags indicating that they are new in 1.15, and put @param declarations
just after the brief message for consistency with other comments.
ticket: 8386
|
|
ticket: 8387 (new)
target_version: 1.14-next
tags: pullup
|
|
Add two new APIs, krb5_set_kdc_send_hook() and
krb5_set_kdc_recv_hook(), which can be used to inspect and override
messages sent to KDCs.
[ghudson@mit.edu: style and documentation changes]
ticket: 8386 (new)
|
|
A checksum type of 0 means to use the mandatory checksum type in
krb5_k_make_checksum(), krb5_k_make_checksum_iov(), and
krb5_k_verify_checksum_iov(). Extend this meaning to
krb5_k_verify_checksum() for the checksum type in the krb5_checksum
argument. This change also applies to krb5_c_verify_checksum().
Add code to t_cksums.c to test checksum verification, including with
checksum type 0 for applicable test cases.
ticket: 8375 (new)
|
|
In krb5_change_password(), krb5_set_password(), and
krb5_set_password_using_ccache(), accept the new password as a const
char * instead of a char *. Propagate this change to the necessary
internal functions.
[ghudson@mit.edu: commit message rewrite]
ticket: 8269 (new)
target_version: 1.14
tags: pullup
|
|
Remove the existing support for creating trivial cookies. Add new
functions to fast_util.c for reading and generating secure cookies.
Add new kdcpreauth callbacks "get_cookie" and "set_cookie" to allow
preauth mechs to retrieve and set cookie values.
Based on a patch by Nathaniel McCallum.
ticket: 8233 (new)
|
|
Use [out] instead of [in] for the output parameters of
krb5_c_prfplus() and krb5_c_derive_prfplus(). Also use "out" instead
of "output" for krb5_c_derive_prfplus() to match the parameter name in
the definition.
ticket: 8228
|
|
This commit permits the external use of the RFC 6113 PRF+ function.
It also adds a function to derive a key from an input key and string
using PRF+.
[ghudson@mit.edu: adjust style; avoid new C99isms; use string2data(),
empty_data(), and alloc_data() where appropriate; add some explanatory
comments; edit docstrings and commit message]
ticket: 8228 (new)
|
|
Add a new kdcpreauth callback add_auth_indicator, which adds an
authentication indicator string. This commit doesn't do anything with
the asserted authentication indicators; they are tracked in the
auth_indicators field of struct as_req_state to be used later.
ticket: 8157
|
|
ticket: 8157
|
|
Add a new kdcpreauth callback which gets the selected client key.
This callback can be used by preauth mechs which need to use the
singular reply key in a challenge sent by the KDC, now that we send
only one etype-info entry in PREAUTH_REQUIRED errors.
ticket: 8200 (new)
|
|
Bump the minor version of the kadm5_hook interface to 2 and add a
rename method. Invoke the rename method in kadm5_rename_principal()
like we do for other libkadm5srv operations.
Partly based on a patch from John Hascall.
ticket: 8171
|
|
In a TGS request, the header ticket server is usually a local or
cross-realm TGS principal, but for ticket modification requests it
doesn't have to be. Similarly, the server for an AS request is
usually a krbtgt principal, but in some cases it is not. Since the
KDC code must consider all possibilities, avoid using the name
"krbtgt" for entries which aren't necessarily TGTs.
In process_tgs_req(), rename krbtgt to header_server and tgskey to
header_key. In handle_authdata(), rename the parameters similarly and
pass NULL from process_as_req() for the header_server and header_key
parameters; the code which uses those parameters is adjusted to match.
In validate_transit_path(), rename krbtgt to header_srv.
Do not change the semantics of the sign_authdata DAL method at this
time, but more accurately document the krbtgt and krbtgt_key
parameters.
|
|
Remove the server authdata interface declarations from authdata.h and
the code to load and invoke old KDC authdata modules. Add code to
load and invoke authdata modules using the new kdcauthdata pluggable
interface.
|
|
Add a pluggable interface for KDC authdata using the current plugin
infrastructure, mirroring the KDC functionality of authdata_plugin.h.
Like the old interface, this one isn't yet public.
|
|
libk5crypto functions generally use "const krb5_keyblock *" for input
keyblocks. Do this in krb5_c_fx_cf2_simple() for caller convenience.
[ghudson@mit.edu: expanded commit message]
ticket: 8062 (new)
|
|
Add four new public APIs for wrapping error messages:
krb5_prepend_error_message, krb5_vprepend_error_message,
krb5_wrap_error_message, and krb5_vwrap_error_message. The first two
functions are from Heimdal and allow a prefix to be added to the
existing message for a code. The latter two functions also allow the
code to be changed.
[ghudson@mit.edu: rename krb5_prepend_error_message2 to
krb5_wrap_error_message; clarify doxygen comments and put them in the
proper form; implement krb5_prepend_error_message in terms of
krb5_wrap_error_message; fix leak and null context handling in
krb5_wrap_error_message; rewrite commit message]
ticket: 8046 (new)
|
|
Stop processing the KRB5_TC_OPENCLOSE flag in cc_file.c; always reopen
the file instead. This will be replaced with more efficient cursor
handling. Also remove some unused KRB5_TC_OPENCLOSE macros in scc.h.
|
|
ticket: 7880
target_version: 1.13.1
tags: pullup
|
|
Make unconditional use of <stdint.h> and fixed-width types such as
uint32_t. k5-plugin.h doesn't use any special integer types, so
remove the conditional include block there. Nothing uses
INT64_FMT/UINT64_FMT, so leave those out of k5-platform.h for now.
|
|
Document the lifetime and caching behavior of the
krb5_cc_default_name() return value. Document that
krb5_cc_set_default_name() may be called with NULL to purge the cached
value. Correct a typo in the krb5_cc_default() summary and explicitly
reference krb5_cc_default_name().
ticket: 7775 (new)
target_version: 1.12
tags: pullup
|
|
Per project http://k5wiki.kerberos.org/wiki/Projects/Audit
The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.
The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges. This includes client address and port, KDC
request and request ID, KDC reply, primary and derived ticket and their
ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
validated, local policy violation and protocol constraints, and KDC status
message.
Ticket ID is introduced to allow to link tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.
Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.
For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in this implememtations.
The new Audit system is build-time enabled and run-time pluggable.
[kaduk@mit.edu: remove potential KDC crashes, minor reordering]
ticket: 7712
target_version: 1.12
|
|
Some text mistakenly referred to password quality plugin.
|
|
ticket: 7687 (new)
|
|
Add wrappers for the JSON-oriented APIs for PKINIT responder items,
modeled after the API we provide for OTP items:
* krb5_responder_pkinit_get_challenge() returns the list of
identities for which we need PINs
* krb5_responder_pkinit_challenge_free() frees the structure that
was returned by krb5_responder_pkinit_get_challenge()
* krb5_responder_pkinit_set_answer() sets the answer to the PIN for
one of the identities
[ghudson@mit.edu: style cleanup; added comment pointing to main body
of PKINIT module]
ticket: 7680
|
|
Use the list of deferred identity prompts and warnings, which we have
after calling pkinit_identity_initialize(), to build a list of questions
to supply to responder callbacks.
Before calling pkinit_identity_prompt() to actually load identities that
are protected, save any passwords and PINs which a responder callback
may have supplied.
Because pkinit_client_prep_questions() can be called multiple times, and
we don't want to try to load all of our identities each of those times,
take some steps to ensure that we only call pkinit_identity_initialize()
and pkinit_identity_prompt() once per request.
ticket: 7680
|
|
For the user-to-user case, document that callers should pass a server
principal to krb5_rd_req. For the keytab case, more accurately
document which keytab keys are tried against the ticket.
ticket: 7641 (new)
target_version: 1.11.3
tags: pullup
|
|
Add a new have_client_keys callback to the kdcpreauth interface,
allowing modules to efficiently check whether the client DB entry has
any keys matching the request enctypes.
ticket: 7630
|
|
Mostly, based on
http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xml
|
|
Replace numeric value '132' by the macro KRB5_PADATA_AS_CHECKSUM
in preauth plugin.
|
|
Add an API to duplicate keytab handles, mirroring krb5_cc_dup. Use it
to simplify the krb5 GSS acquire_cred code.
ticket: 7599 (new)
|
|
|
|
This unnecessary include was causing build failures on some systems by
making libkrb5 sources depend on gssapi.h.
|
|
Add a new pluggable interface for local authorization, and replace the
existing krb5_aname_to_localname and krb5_kuserok implementations with
implementations based on the pluggable interface.
ticket: 7583 (new)
|
|
Rename krb5_free_ktypes to krb5_free_enctypes and add it to the public
API.
ticket: 7584
|
|
responder_get_challenge() meant to be krb5_responder_get_challenge()
|
|
|
|
In krb5.hin doxygen markup, only use [out] or [in,out] when a function
changes the entire value of what the parameter points to, not when the
function mutates a larger object (especially an abstract object).
Also remove a couple of incorrect [in] annotations, change a few
parameter descriptions to be more consistent, and fix one typo.
|
|
Doxygen and, consequently, Sphinx gets confused with the
KRB5_RESPONDER_QUESTION_OTP comment layout.
Also, mark the output parameter of krb5_responder_set_answer().
|
|
With one exception (KRB5_PADATA_PKINIT_KX), every padata type
processed by a clpreauth module is now a real preauthentication type.
Reduce the amount of boilerplate required for a clpreauth module by
making the flags method optional if all of the preauth types
advertised by the module are real.
|
|
Since there is no overlap between the clpreauth and kdcpreauth
interface declarations, there's no particular reason to combine them
into one header. For backward compatibility and convenience, leave
behind a preauth_plugin.h which includes both.
|
|
Remove the inaccurate comments "unused" and replace them with
more useful representations of what they mean.
ticket: 7490 (new)
tags: pullup
target_version: 1.11
|
|
Document the fact that the key usage type 26 is used by both
KBKRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST and
KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST, while 27 - by
KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY and KRB5_KEYUSAGE_PA_SAM_RESPONSE.
Also, since KRB5_KEYUSAGE_PA_REFERRAL is not actually used in MIT Kerberos
code and is not defined in the latest referrals draft
(http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-referrals-15)
mark it as "unused".
ticket: 7474
tags: pullup
target_version: 1.11
|
|
A few places were using the standard C /* comment */ form, but
this is rendered poorly by doxygen through to our Sphinx bridge.
Use the special /**< comment */ form to get doxygen-specific behavior.
If the standard C comment form is used, the full comment (including
start and end markers) is included in the value of the macro, and
Sphinx then tries to treat the end of the comment as the start of
inline markup with no corresponding end-string, which is a warning.
Using the doxygen form of the comment, the contents of the comment
are put in a separate paragraph block, which is inserted in the
body of the generated RST document.
The markup for krb5_rd_priv() had a line that ended with an @c
markup statement without a symbol following it. This confused
doxygen into not parsing any more of the comment. The beginning
of the next line is a macro identifier with markup to auto-linkify it.
In RST, it is not possible to have a link and a terminal font on the
same text, so removing the @c is the appropriate fix.
There are also eleven deprecated functions which are replaced by
the krb5_c_* family of functions. However, referring to this class
of functions as the "krb5_c_" class of functions results in Sphinx
attempting to interpret this statement as a link to a label elsewhere
in the document, and no such label exists. To avoid this warning, use
"krb5_c_*" to refer to the class of functions, which is arguably
more correct anyways.
ticket: 7447
tags: pullup
target_version: 1.11
|
|
Our doxygen-to-sphinx documentation bridge only processes typedefs
and not structure definitions, since we almost universally use
typedefs for our data structures. krb5_trace_info is the sole
exception, so bring it into the fold.
While here, flesh out the comment a bit more.
ticket: 7447
tags: pullup
target_version: 1.11
|
|
More specifically, document that this new API was first
introduced in 1.11
ticket: 7460
|
|
Avoid using asterix characters in the documentation for
krb5_unparse_ext_name, since they get intepreted as markdown
punctuation when translated to RST.
ticket: 7452 (new)
target_version: 1.11
tags: pullup
|
|
An RFC number has been assigned for the Camellia draft. Add Doxygen
markup to the enctype and cksumtype constants pointing to the
informational RFC.
|