path: root/src/lib
Commit log for src/lib. Each entry: date, author, (files changed, lines removed/added), then the commit message.

2010-06-08  Greg Hudson  (1 file, -14/+0)
Stop checking the current time against the context expiration time in the message wrap/unwrap functions in the krb5 GSS mech. Heimdal doesn't do it, and it generally results in poor app behavior when a ticket expires. In exchange, it doesn't provide much security benefit since it's not enforced across the board--for example, ssh sessions can persist beyond ticket expiration time since they don't use GSS to wrap payload data.
ticket: 6739
target_version: 1.8.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24120 dc483132-0cff-0310-8789-dd5450dbe970

2010-06-07  Greg Hudson  (35 files, -1586/+1729)
make depend
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24119 dc483132-0cff-0310-8789-dd5450dbe970

2010-06-07  Greg Hudson  (20 files, -88/+568)
Trace logging
Add trace logging infrastructure code, enabled by the KRB5_TRACE environment variable or the API functions krb5_set_trace_callback() or krb5_set_trace_filename(). As a start, add tracing events for:
* AS-REQ client code, including FAST and preauth
* TGS-REQ client code
* AP-REQ and AP-REP code (client and server)
* sendto_kdc
* Selected ccache operations
* Selected keytab operations
ticket: 6737
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24118 dc483132-0cff-0310-8789-dd5450dbe970

2010-06-04  Greg Hudson  (3 files, -3/+30)
Add krb5_enctype_to_name() API
Add an API to return the input name, or optionally the shortest alias, of an enctype. Similar to krb5_enctype_to_string() which returns a description.
ticket: 6736
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24117 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-28  Greg Hudson  (1 file, -4/+0)
In krb5_cc_set_config, don't call krb5_cc_remove_cred; it's redundant with the krb5_cc_remove_cred call in krb5_cc_store_cred.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24110 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-28  Greg Hudson  (2 files, -15/+12)
make depend
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24109 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-28  Greg Hudson  (1 file, -1/+1)
From Luke: make copies of S4U2Proxy authdata modules work when there is no S4U2Proxy authdata.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24107 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-27  Greg Hudson  (2 files, -63/+11)
Remove the get_masters logic in locate_srv_conf_1 which was orphaned by r15736 when we added the master_kdc profile variable.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24106 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-27  Greg Hudson  (1 file, -2/+2)
Get t_ser to build again after the S4U authdata branch merge
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24105 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-25  Greg Hudson  (1 file, -0/+1)
FAST negotiation could erroneously succeed
When FAST negotiation is performed against an older KDC (rep->enc_part2->flags & TKT_FLG_ENC_PA_REP not set), krb5int_fast_verify_nego did not set the value of *fast_avail, causing stack garbage to be used in init_creds_step_reply. Initialize *fast_avail at the beginning of the function per coding practices.
ticket: 6734
target_version: 1.8.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24102 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-24  Greg Hudson  (1 file, -25/+36)
Fix long lines and other formatting issues in fast.h
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24101 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-24  Greg Hudson  (1 file, -56/+81)
Fix long lines and other formatting issues in fast.c
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24100 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-23  Greg Hudson  (5 files, -2/+615)
Make signedpath authdata visible via GSS naming exts
Merge users/lhoward/signedpath-naming-exts to trunk. Adds an authdata provider which makes non-PAC S4U2Proxy signedpath authdata visible to application servers via GSS naming extensions.
ticket: 6733
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24094 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-20  Tom Yu  (1 file, -0/+12)
Apply patch from Arlene Berry to detect and ignore a duplicate mechanism token sent in the mechListMIC field, such as sent by Windows 2000 Server.
ticket: 6726
target_version: 1.8.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24075 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-20  Greg Hudson  (1 file, -38/+23)
In gss_acquire_cred_with_password() and gss_add_cred_with_password(), require desired_name to be set, and always honor it. This is consistent with the Sun implementation and simplifies the code.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24072 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-19  Tom Yu  (1 file, -0/+7)
CVE-2010-1321 GSS-API lib null pointer deref (MITKRB5-SA-2010-005)
Make krb5_gss_accept_sec_context() check for a null authenticator checksum pointer before attempting to dereference it.
ticket: 6725
tags: pullup
target_version: 1.8.2
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24056 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-18  Greg Hudson  (2 files, -40/+55)
When parsing a KDC or admin server string, allow the name or address to be enclosed in brackets so that IPv6 addresses can be represented. (IPv6 addresses contain colons, which look like port separators.)
ticket: 6562
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24055 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-18  Greg Hudson  (3 files, -4/+7)
Improve the error message from kadmin when hostname resolution fails for the admin server. (The extended message won't be displayed by kadmin currently; that's a separate issue.)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24054 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-17  Greg Hudson  (1 file, -44/+13)
If gss_inquire_cred is called with a null credential, acquire a default initiator credential and process it normally, instead of using a completely different code path (the default mechanism's inquire_cred handler).
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24052 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-17  Greg Hudson  (7 files, -244/+30)
The mechglue always passes null for desired_mechs and actual_mechs when invoking gss_acquire_cred and friends. Eliminate a lot of unused and untestable logic in the krb5 mech which processed those arguments.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24051 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-17  Greg Hudson  (4 files, -411/+1)
The mechglue never invokes a mech's gss_add_cred function. Remove the krb5 mech's add_cred implementation and null it out in the table. (This has the effect of removing the IAKERB add_cred implementation. SPNEGO already had it nulled out.)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24050 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-16  Ken Raeburn  (1 file, -15/+23)
Reformat with shorter lines
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24043 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-16  Ken Raeburn  (1 file, -4/+0)
Delete an old pre-Yarrow item
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24042 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-16  Ken Raeburn  (3 files, -22/+34)
Update dependencies
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24041 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-16  Ken Raeburn  (1 file, -27/+0)
Stop exporting some profile symbols that aren't either published in the header or known serialization functions used by the krb5 library.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24040 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-13  Greg Hudson  (1 file, -1/+2)
Negative enctypes improperly read from ccaches
When reading enctypes from ccaches, we need to sign-extend the 16-bit value we read in order to properly read negative enctypes.
ticket: 6723
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24021 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-13  Greg Hudson  (1 file, -4/+5)
Error handling bug in krb5_init_creds_init()
Fix a bug in krb5_init_creds_init() where a freed context could be returned to the caller in certain error cases.
ticket: 6722
tags: pullup
target_version: 1.8.2
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24020 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-13  Greg Hudson  (1 file, -3/+2)
Negative enctypes improperly read from keytabs
When reading enctypes from keytabs, we need to ntohs() the 16-bit value we read in before sign-extending it to a 32-bit value in the keyblock, or we run the risk of extending the wrong sign.
ticket: 6720
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24016 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-12  Tom Yu  (1 file, -1/+1)
Remove krb5_get_in_tkt
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24013 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-12  Greg Hudson  (5 files, -1142/+53)
Reimplement krb5_get_in_tkt_with_skey in terms of krb5_get_init_creds, similar to how the password and keytab equivalents were done. Eliminate krb5_get_in_tkt. It's been very hard to use since we made krb5_kdc_rep_decrypt_proc private (in krb5 1.7 the prototype was taken out of krb5.h altogether), and it's unlikely that anything would have used it directly in the first place. Remove and/or simplify a lot of code depended on by krb5_get_in_tkt, including all of preauth.c.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24012 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-04  Greg Hudson  (4 files, -10/+2)
Remove some unused fields from kadm5_config_params. Bump the client and server sonames.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23969 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-04  Greg Hudson  (2 files, -6/+1)
Eliminate the unused realm_dbname field from krb5_realm_params
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23968 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-04  Greg Hudson  (1 file, -16/+0)
Remove krb5_db_set_option and the associated DAL entry. It was not used.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23965 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-03  Greg Hudson  (1 file, -8/+1)
Eliminate some uses of variables as format strings. Based on a patch from Guillaume Rousse <Guillaume.Rousse@inria.fr>.
ticket: 6714
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23963 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-01  Greg Hudson  (3 files, -28/+18)
Fix some bugs in the IAKERB code discovered by Coverity. Also trim down iakerb_initiator_step() a little using krb5_data constructors and avoiding vertical function arguments.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23961 dc483132-0cff-0310-8789-dd5450dbe970

2010-04-30  Greg Hudson  (29 files, -305/+2542)
Add IAKERB mechanism and gss_acquire_cred_with_password
Merge branches/iakerb to trunk. Includes the following:
* New IAKERB mechanism.
* New gss_acquire_cred_with_password mechglue function.
* ASN.1 encoders and decoders for IAKERB structures (with tests).
* New shortcuts in gss-sample client and server.
* Tests to exercise SPNEGO and IAKERB using gss-sample application.
ticket: 6712
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23960 dc483132-0cff-0310-8789-dd5450dbe970

2010-04-27  Greg Hudson  (1 file, -3/+3)
Fix a backwards check in get_cached_tgt() in the TGS code
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23945 dc483132-0cff-0310-8789-dd5450dbe970

2010-04-26  Greg Hudson  (1 file, -42/+20)
Squash some warnings in the old crypto API glue. Use make_data() where appropriate so that magic fields get initialized.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23942 dc483132-0cff-0310-8789-dd5450dbe970

2010-04-23  Tom Yu  (1 file, -10/+0)
Adapted patch from Jason Rogers. It wasn't complete, so this commit fixes the other instances of the 64-bit problem. Also fix krb5_deltat_to_str(), which would previously always return an empty string.
ticket: 6698
target_version: 1.8.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23928 dc483132-0cff-0310-8789-dd5450dbe970

2010-04-22  Greg Hudson  (1 file, -5/+11)
From Luke: fix the post-canonicalization cache check logic in krb5_get_credentials_for_user().
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23927 dc483132-0cff-0310-8789-dd5450dbe970

2010-04-22  Greg Hudson  (1 file, -3/+2)
In kg_new_connection(), make sure k_cred is freed in all failure cases.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23926 dc483132-0cff-0310-8789-dd5450dbe970

2010-04-22  Tom Yu  (1 file, -3/+0)
Apply patch from Arlene Berry to cease freeing error tokens output by accept_sec_context, allowing them to actually be sent to the initiator.
ticket: 6696
target_version: 1.8.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23925 dc483132-0cff-0310-8789-dd5450dbe970

2010-04-22  Greg Hudson  (1 file, -1/+2)
In kpasswd_sendto_msg_callback(), properly compare against the wildcard IPv6 address instead of comparing an array address to 0.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23921 dc483132-0cff-0310-8789-dd5450dbe970

2010-04-21  Greg Hudson  (1 file, -1/+3)
Fix a memory leak in get_creds.c's try_fallback_realm()
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23920 dc483132-0cff-0310-8789-dd5450dbe970

2010-04-21  Greg Hudson  (1 file, -3/+2)
Amend r23917 to correct some uses of *out_creds which should now use the local variable.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23918 dc483132-0cff-0310-8789-dd5450dbe970

2010-04-21  Greg Hudson  (1 file, -2/+8)
In the get_credentials() helper of the gss-krb5 init_sec_context code, ensure that *out_creds is only filled in on successful return.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23917 dc483132-0cff-0310-8789-dd5450dbe970

2010-04-20  Greg Hudson  (1 file, -5/+5)
When setting up to get a TGT for the service realm in the TGS code, get the cached local TGT before setting up the realm path. Prior to this change, calling krb5_get_credentials() with an empty ccache would result in KRB5_CC_NOTFOUND for a foreign server principal, but would result in KRB5_NO_TKT_IN_REALM (generated by krb5_walk_realm_tree) for a local server principal. With this change, KRB5_CC_NOTFOUND is returned in both cases.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23909 dc483132-0cff-0310-8789-dd5450dbe970

2010-04-20  Greg Hudson  (3 files, -14/+11)
Add KRB5_INIT_CREDS_STEP_FLAG_CONTINUE for parity with Heimdal. Rename KRB5_TKT_CREDS_CONTINUE to KRB5_TKT_CREDS_STEP_FLAG_CONTINUE for consistency. Adjust init_creds context to be less confusing in light of the above.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23906 dc483132-0cff-0310-8789-dd5450dbe970

2010-04-14  Greg Hudson  (5 files, -1486/+1110)
Introduce new krb5_tkt_creds API
Merged from branches/iakerb: add new asynchronous krb5_tkt_creds APIs, which allow a caller to take responsibility for transporting requests to the KDC and getting responses back. Rewrite the existing krb5_get_credentials API in terms of the new functions. Get rid of krb5_get_cred_from_kdc and friends, since they are no longer used.
ticket: 6700
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23900 dc483132-0cff-0310-8789-dd5450dbe970

2010-04-13  Greg Hudson  (3 files, -151/+197)
Validate and renew should work on non-TGT creds
The validate and renew APIs were using get_cred_from_kdc, which always presents a TGT to get credentials. Instead, they should present the ticket they are trying to validate or renew. This is most easily done with krb5_get_cred_via_tkt(). Move the relevant code into a new file since it now has nothing in common with the other APIs implemented in get_creds.c.
ticket: 6699
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23891 dc483132-0cff-0310-8789-dd5450dbe970