git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23246 dc483132-0cff-0310-8789-dd5450dbe970
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23154 dc483132-0cff-0310-8789-dd5450dbe970
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23153 dc483132-0cff-0310-8789-dd5450dbe970
make reindent
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
Merge Luke's users/lhoward/heimmig branch to trunk. Implements a
KDC back-end plugin which interfaces to a Heimdal HDB plugin.
ticket: 6578
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23073 dc483132-0cff-0310-8789-dd5450dbe970
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22961 dc483132-0cff-0310-8789-dd5450dbe970
Merge Luke's users/lhoward/authdata branch to trunk. Implements GSS naming
extensions and verification of authorization data.
ticket: 6572
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22875 dc483132-0cff-0310-8789-dd5450dbe970
Merge Luke's users/lhoward/s4u branch to trunk. Implements S4U2Self
and S4U2Proxy extensions.
ticket: 6563
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22736 dc483132-0cff-0310-8789-dd5450dbe970
ticket: 6436
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22167 dc483132-0cff-0310-8789-dd5450dbe970
Merge fast branch at 22146 onto trunk
Implement the Kerberos pre-authentication framework FAST feature per
Projects/FAST on the wiki.
ticket: 6436
Target_Version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22149 dc483132-0cff-0310-8789-dd5450dbe970
We were losing verbose error messages when logging from the KDC because
the context passed to krb5_klog_init did not match the realm-specific
context used for most library function calls. Introduce a wrapper
function kdc_err which copies the error state from the call context
to the log context. The wrapper function also knows the program name,
which removes the need to pass argv[0] around everywhere or make up
program names.
ticket: 6408
target_version: 1.7
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22079 dc483132-0cff-0310-8789-dd5450dbe970
an additional message to record the name and s4u mode.
Untested for lack of code to invoke these code paths.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21745 dc483132-0cff-0310-8789-dd5450dbe970
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21741 dc483132-0cff-0310-8789-dd5450dbe970
Previously when using the kdb keytab, there was a check to confirm that the server
was supported as a server and that attackers
could not force an enctype downgrade.
Add these to kdc_get_server_key
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21727 dc483132-0cff-0310-8789-dd5450dbe970
The mskrb-integ branch includes support for the following projects:
* Projects/Aliases
* Projects/PAC and principal APIs
* Projects/AEAD encryption API
* Projects/GSSAPI DCE
* Projects/RFC 3244
In addition, it includes support for enctype negotiation, and a variety of GSS-API extensions.
In the KDC it includes support for protocol transition, constrained delegation
and a new authorization data interface.
The old authorization data interface is also supported.
This commit merges the mskrb-integ branch on to the trunk.
Additional review and testing is required.
Merge commit 'mskrb-integ' into trunk
ticket: new
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21690 dc483132-0cff-0310-8789-dd5450dbe970
customization.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21564 dc483132-0cff-0310-8789-dd5450dbe970
ticket: 6303
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21448 dc483132-0cff-0310-8789-dd5450dbe970
Add a test authorization data scheme, in both built-in and plugin
forms; built-in version is #ifdef'ed out. Update configury to create
the build directory for the plugin, but don't build or install it by
default.
Create the new (and normally empty) authorization data plugin
directory at install time.
Add some (normally disabled) code to log authz data from rd_req.
Fix up some comments that still refer to preauth plugins. Add some
details in comments on the API, and why it's private for now.
Make the plugin init context support work, by not passing null
pointers.
ticket: 5565
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20691 dc483132-0cff-0310-8789-dd5450dbe970
eventually release the global lock and reacquire it) and
get_principal_locked (which will retain the global lock), and change
callers to use the wrappers, so we can simplify some ugliness at the call
sites.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20195 dc483132-0cff-0310-8789-dd5450dbe970
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19025 dc483132-0cff-0310-8789-dd5450dbe970
Change server-side preauth plugin interface to allow the plugin's
verify_padata function to return e-data to be returned to the client.
(Patch from Nalin Dahyabhai <nalin@redhat.com>)
Update sample plugins to return e-data to exercise the code.
Fix memory leak in the wpse plugin.
ticket: new
Component: krb5-kdc
Target_Version: 1.6
Tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18801 dc483132-0cff-0310-8789-dd5450dbe970
Patch from Nalin Dahyabhai at Redhat to implement a preauthentication
framework based on the plugin architecture. Currently, the API is
considered internal and the header is not installed.
See src/include/krb5/preauth_plugin.h for the interface.
ticket: new
Tags: enhancement
Status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18641 dc483132-0cff-0310-8789-dd5450dbe970
The replay lookaside cache includes the sending address, but the krb5
library replay cache does not. So, if the same message arrives from
two different source addresses, it is considered a replay by the KDC.
If the client isn't receiving the replies for some reason, and the
client has multiple addresses it uses to contact different addresses
on the KDC (and trying to reach the KDC via both IPv4 and IPv6 is an
obvious such case), this can cause errors to be returned by the KDC.
* replay.c (krb5_kdc_replay_ent): Remove "addrs" field.
(MATCH): Don't check it.
(kdc_check_lookaside, kdc_insert_lookaside): Remove "from" argument.
* kdc_util.h (kdc_check_lookaside, kdc_insert_lookaside): Update decls.
* dispatch.c (dispatch): Update calls.
ticket: new
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17970 dc483132-0cff-0310-8789-dd5450dbe970
of places where it's actually needed. Update dependencies.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17898 dc483132-0cff-0310-8789-dd5450dbe970
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16788 dc483132-0cff-0310-8789-dd5450dbe970
reenable (-X) which prints a warning that you are creating a security
hole.
Remove support for generating krb4 tickets encrypted using 3DES
service keys as it is insecure. They are still accepted however.
The KDC is much more strict about accepting only tickets that it would
have issued in the current configuration. In particular if the KDC
would choose some enctype for writing a TGT, other enctypes will not
be accepted when using a TGT.
Ticket: 1385
Target_Version: 1.3
Tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15286 dc483132-0cff-0310-8789-dd5450dbe970
kdc_free_lookaside() instead of per realm one - which has been
freed by time invoked.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15113 dc483132-0cff-0310-8789-dd5450dbe970
realm_tcp_ports data, kdc_realmlist, close the replay cache, and
free the lookaside cache.
* network.c (FREE_SET_DATA): Do not free a NULL pointer.
* replay.c, kdc_util.h: Add kdc_free_lookaside() to clear the lookaside
cache on shutdown - to search for memory leaks.
* rtest.c (main): Do not allocate or free a NULL pointer.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15080 dc483132-0cff-0310-8789-dd5450dbe970
* kdc_util.h (ADDRTYPE2FAMILY): New macro.
* do_as_req.c (process_as_req): Use inet_ntop instead of inet_ntoa.
* do_tgs_req.c (process_tgs_req): Ditto.
* dispatch.c (dispatch): Fix inet_ntop code, and use it always.
* kerberos_v4.c (process_v4): Check address family before copying out an IPv4
address. Log if not IPv4, but continue.
* network.c (set_sa_port): New function.
(setup_port): Use it. Combine IPv4 and IPv6 paths; IPv6 still disabled for
now. Modify supplied sockaddr instead of making a copy.
(process_packet): SADDR is now sockaddr_storage. Use socket-utils macros
instead of casting. Enable the IPv6 code.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14602 dc483132-0cff-0310-8789-dd5450dbe970
Change caller.
* kdc_util.h (process_packet): Delete declaration.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14597 dc483132-0cff-0310-8789-dd5450dbe970
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14596 dc483132-0cff-0310-8789-dd5450dbe970
* do_as_req.c (process_as_req): Ditto.
* do_tgs_req.c (process_tgs_req): Ditto.
* kerberos_v4.c (process_v4): Remove arg "is_secondary"; update callers.
* kdc_util.h (dispatch, process_as_req, process_tgs_req, process_v4): Update
prototypes.
* main.c (init_realm): Remove unused variable.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14585 dc483132-0cff-0310-8789-dd5450dbe970
containing a list of enctypes, given a number and list of
enctypes.
(rep_etypes2str): New function; construct a string indicating all
three enctypes associated with a KDC reply.
* kdc_util.h: Add prototypes for ktypes2str() and
rep_etypes2str().
* do_as_req.c (process_as_req): Call ktypes2str() and
rep_etypes2str() as appropriate.
* do_tgs_req.c (process_tgs_req): Call ktypes2str() and
rep_etypes2str() as appropriate.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13389 dc483132-0cff-0310-8789-dd5450dbe970
policy.h: Don't use macros PROTOTYPE or KRB5_PROTOTYPE.
* kerberos_v4.c (req_act_vno): Delete variable definition.
(kerberos_v4): Don't set it.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13161 dc483132-0cff-0310-8789-dd5450dbe970
* kerberos_v4.c: Do not shadow progname and more variables.
* rtest.c (make_princ): Declare static.
* sock2p.c: Include kdc_util.h for prototypes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13064 dc483132-0cff-0310-8789-dd5450dbe970
(inet_ntop): Define if system doesn't provide it.
(sockaddr2p): New function.
* Makefile.in (SRCS, OBJS): Add sock2p.
* kdc_util.h (inet_ntop, sockaddr2p): Declare them.
* network.c (add_fd): New function. Reallocate udp_port_fds array as needed
here.
(setup_port): Use add_fd to record new sockets. Use inet_ntop unconditionally.
Disable ipv6 support until process_packet and friends will support it.
(process_packet): Ignore ECONNREFUSED when reading UDP packets. Fill in port
field of faddr properly, dependent on address family. Use sockaddr2p when
logging source address.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12109 dc483132-0cff-0310-8789-dd5450dbe970
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12103 dc483132-0cff-0310-8789-dd5450dbe970
const to allow passing a const krb5_fulladdr * and keeping the compiler happy.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12102 dc483132-0cff-0310-8789-dd5450dbe970
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11853 dc483132-0cff-0310-8789-dd5450dbe970
(kdc_insert_lookaside): Add code to originating address of packet,
as krb4 initial ticket requests don't contain an address. This
would cause a subtle problem wherein two simultaneous krb4 initial
ticket requests for the same principal originating from different
addresses would result in both replies containing the same
address.
* kdc_util.h: Modify prototype for lookaside functions.
* dispatch.c (dispatch): Update to new calling conventions of the
lookaside functions.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10713 dc483132-0cff-0310-8789-dd5450dbe970
is used in several files.
* main.c (get_realm_port): Removed unused function.
(setup_server_realm): Moved prototype to kdc_util.h
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10182 dc483132-0cff-0310-8789-dd5450dbe970
limit_string() to make sure the length of cname and sname
are reasonable.
* kdc_util.c (limit_string): New function which limits the strings
that will end up in log files to "reasonable" lengths.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10091 dc483132-0cff-0310-8789-dd5450dbe970
* kdc_preauth.c (return_padata): New function which calls out to each preauth
type to see if it is necessary to return preauth data or not.
(return_pw_salt): New function responsible for returning the
KRB5_PW_SALT preauth information.
* do_as_req.c (process_as_req): Move creation of the PW_SALT
preauthentication step into kdc_preauth.c. Call return_pdata()
which is responsible for all padata info which is returned by
the KDC in the KRB_AS_REP message.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7103 dc483132-0cff-0310-8789-dd5450dbe970
etype_info preauth hint to the client.
* kdc_util.c (get_salt_from_key): Added new function which determines
the salting information from the krb5_key_data structure.
* main.c (kdc_initialize_rcache): Replace use of krb5_clockskew with
context->clockskew.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7073 dc483132-0cff-0310-8789-dd5450dbe970
dbentry_has_key_for_enctype(), dbentry_supports_enctype(), and
select_session_keytype().
* kdc_preauth.c: Added support for the ENC_TIMESTAMP preauthentication
scheme.
* do_tgs_req.c (process_tgs_req): Fixed the keytype/enctype selection
criteria for the server key, and the ticket session key.
* do_as_req.c (process_as_req): Added calls to the kdc preauthentication
verification routines. Fixed the keytype/enctype selection
criteria for the client key, the server key, and the ticket
session key.
* main.c (finish_realm): Make sure all parts of the realm structure are
freed properly.
(main): Free the kcontext krb5_context.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7058 dc483132-0cff-0310-8789-dd5450dbe970
main.c (initialize_realms): Massive revamp of how the network ports
are setup. The default port list for a realm is read from
[kdcdefaults]/kdc_ports from the kdc.conf file. For each realm, a
list of ports can be specified in [realms]/<realm>/kdc_ports.
extern.h (kdc_realm_t): Remove realm_pport and realm_sport, and added
realm_ports.
do_tgs_req.c (process_tgs_req):
do_as_req.c (process_as_req):
dispatch.c (dispatch): Pass the portnumber of the incoming request down
to process_as_req and process_tgs_req, instead of the boolean
"is_secondary".
kerberos_v4.c (kerb_get_principal, kerberos_v4): Fix gcc -Wall flames,
by fixing signed vs. unsigned types.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6937 dc483132-0cff-0310-8789-dd5450dbe970
a pointer to const string to a non-const type. Make this change consistent
throughout the sources.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6657 dc483132-0cff-0310-8789-dd5450dbe970
routines.
do_as_req.c (process_as_req): Move preauthentication code to
kdc_preauth.c, for better modularity.
do_as_req.c (prepare_error_as): Add new argument to this function so
that the e_data field may be passed in and included in the KRB_ERROR
message which is passed back to the user.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6656 dc483132-0cff-0310-8789-dd5450dbe970
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6287 dc483132-0cff-0310-8789-dd5450dbe970
kerb_get_principal, check_princ, v4_klog
network.c (process_packet): Make prog a const char *
main.c: Add prototypes for find_realm_data, setup_server_realm, usage,
request_exit, setup_signal_handlers, initialize_realms, finish_realms.
kdc_util.h: Add prototypes for against_local_policy_as,
against_local_policy_tgs, validate_as_request, validate_tgs_request,
fetch_asn1_field, kdc_initialize_rcache, process_packet.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6274 dc483132-0cff-0310-8789-dd5450dbe970