git.ipfire.org Git - thirdparty/krb5.git/log
Sam Hartman [Sat, 3 Jan 2009 21:43:18 +0000 (21:43 +0000)]
On decrypt, the ivec should be chained from ciphertext
not output
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21689 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Sat, 3 Jan 2009 21:43:14 +0000 (21:43 +0000)]
Patch from Luke Howard:
Confirm that copy succeeds before freeing ticket principal.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21688 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Sat, 3 Jan 2009 21:43:09 +0000 (21:43 +0000)]
Luke Howard indicates that ser_sctx.c does not account for the size of the context times
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21687 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Sat, 3 Jan 2009 21:43:04 +0000 (21:43 +0000)]
Revert "integrate Novell patch to always try referrals - I have not reviewed"
Tom indicates he has a similar patch that has been tested.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21686 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Sat, 3 Jan 2009 20:22:50 +0000 (20:22 +0000)]
Remove merge issues list
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21685 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Sat, 3 Jan 2009 20:22:35 +0000 (20:22 +0000)]
git-svn managed to generate a bogus commit or otherwise get into a state where it believed that changes had been merged onto the branch
when they had in fact not been merged.
This re-applies these changes.
This reverts commit d2f51f02bac81d852f6f020373718d08b6abd02f.
Conflicts:
src/lib/crypto/Makefile.in
src/lib/crypto/arcfour/Makefile.in
src/lib/crypto/des/Makefile.in
src/lib/crypto/enc_provider/Makefile.in
src/lib/crypto/keyhash_provider/Makefile.in
src/lib/krb5/krb/rd_req_dec.c
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21684 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Sat, 3 Jan 2009 03:01:10 +0000 (03:01 +0000)]
fix merge error
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21680 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Sat, 3 Jan 2009 03:00:58 +0000 (03:00 +0000)]
Make depend
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21679 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Sat, 3 Jan 2009 03:00:25 +0000 (03:00 +0000)]
Merge trunk at 21659
Conflicts:
src/Makefile.in
src/kadmin/server/misc.h
src/kdc/do_as_req.c
src/kdc/do_tgs_req.c
src/kdc/kdc_util.c
src/kdc/kdc_util.h
src/lib/crypto/Makefile.in
src/lib/crypto/des/Makefile.in
src/lib/crypto/enc_provider/Makefile.in
src/lib/kdb/kdb5.c
src/lib/krb5/krb/chk_trans.c
src/lib/krb5/krb/walk_rtree.c
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21678 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Sat, 3 Jan 2009 01:28:31 +0000 (01:28 +0000)]
krb5_rd_req: Don't set server to ticket->server
krb5_rd_req_decoded: change ticket->server to the principal we actually match from the keytab; this produces
better application behavior although is somewhat non-intuitive.
Set up the replay cache here because we have the server principal
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21677 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sat, 3 Jan 2009 01:28:18 +0000 (01:28 +0000)]
If KRB5_PRINCIPAL_UNPARSE_NO_REALM is specified, don't escape the @
symbol.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21676 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 2 Jan 2009 23:59:17 +0000 (23:59 +0000)]
Indent fixup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21675 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 2 Jan 2009 23:55:50 +0000 (23:55 +0000)]
Cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21674 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Fri, 2 Jan 2009 23:55:49 +0000 (23:55 +0000)]
Fix up comment to explain why the kdb keytab is not used in the tgs case any more
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21673 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 2 Jan 2009 23:53:55 +0000 (23:53 +0000)]
Handle KDC_ERR_WRONG_REALM in krb5_get_in_tkt() - needs review, not
completely tested yet
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21672 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 2 Jan 2009 22:48:16 +0000 (22:48 +0000)]
cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21671 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 2 Jan 2009 21:55:20 +0000 (21:55 +0000)]
Revert r21667, it breaks authorization data backends that need access to
the KDC key to validate signatures
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21670 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 2 Jan 2009 21:50:54 +0000 (21:50 +0000)]
Validate k_nprincs != 0 before passing a pointer to krbtgt
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21669 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Fri, 2 Jan 2009 20:35:22 +0000 (20:35 +0000)]
Using the server name as a hint
is inappropriate. The server name is a security constraint.
If set, it must constrain the principals
that can be authenticated to; otherwise applications may get behavior that breaks security policy.
It is a goal that applications need to change to take advantage of any server search.
Remove dead code
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21668 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Fri, 2 Jan 2009 20:14:49 +0000 (20:14 +0000)]
Use kdb keytab
to look up service principal
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21667 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Fri, 2 Jan 2009 20:14:40 +0000 (20:14 +0000)]
KDC always assumes a server
supports des-cbc-crc.
Among other things, the test suite depends on this.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21666 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Fri, 2 Jan 2009 19:12:32 +0000 (19:12 +0000)]
Don't register any services with portmap.
Works around test instability problem
but not desirable for iprop
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21665 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 2 Jan 2009 08:16:27 +0000 (08:16 +0000)]
Layer gss_sign() on top of gss_get_mic(), gss_verify() on top of
gss_verify_mic(), rather than the other way around. Mechanisms should
export a V2 interface.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21664 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 2 Jan 2009 07:47:40 +0000 (07:47 +0000)]
be sure to decode enc_padata
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21663 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 2 Jan 2009 07:38:51 +0000 (07:38 +0000)]
Only allow the AS-REP server principal to be changed if we requested and
received a TGT
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21662 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 2 Jan 2009 07:34:10 +0000 (07:34 +0000)]
move common macros into int-proto.h
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21661 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 2 Jan 2009 07:27:20 +0000 (07:27 +0000)]
In an AS-REP, only canonicalize the server name if we are returning a
TGT, and the client requested one
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21660 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Thu, 1 Jan 2009 22:34:05 +0000 (22:34 +0000)]
Set KRB5_KDB_FLAG_PKINIT flag, AD backends need this to return
PAC_CREDENTIAL_DATA
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21658 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Thu, 1 Jan 2009 22:33:18 +0000 (22:33 +0000)]
Refactor by adding find_pa_data() helper
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21657 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Thu, 1 Jan 2009 10:36:32 +0000 (10:36 +0000)]
Use KRB5_PRINCIPAL_UNPARSE_NO_REALM for the logon name; cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21656 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Thu, 1 Jan 2009 06:17:22 +0000 (06:17 +0000)]
Only add FD to sstate.rfds if add_XXX_fd() succeeds
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21655 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Thu, 1 Jan 2009 03:04:24 +0000 (03:04 +0000)]
Keep krb5_gss_glue.c just for mechanism-specific API; move the rest into
gssapi_krb5.c.
That way, a vendor can build krb5_gss_glue.c as libgssapi_krb5.so, the
mechglue as libgssapi.so, and the rest of the Kerberos mech as
mech_krb5.so (this is essentially what Novell did).
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21654 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Thu, 1 Jan 2009 02:56:15 +0000 (02:56 +0000)]
Back out r2164[78]; although the mech_invoke abstraction is superfluous
when building mech_krb5 today, it will help anyone that wants to
correctly build it dynamically.
(By correctly, I mean that mechanism-specific API should go in
libgssapi_krb5 and the mechanism itself in mech_krb5; one cannot assume
that one can link against loadable modules on all platforms. I notice in
OpenSolaris Sun link against mech_krb5 directly to get mech-specific
API, but this won't work on Darwin.)
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21653 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Thu, 1 Jan 2009 02:05:21 +0000 (02:05 +0000)]
remove superfluous comment
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21652 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Thu, 1 Jan 2009 02:03:12 +0000 (02:03 +0000)]
remove cruft
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21651 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Thu, 1 Jan 2009 02:02:37 +0000 (02:02 +0000)]
fix regression in last commit (use correct OID for inquiring session
key)
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21650 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Thu, 1 Jan 2009 01:58:04 +0000 (01:58 +0000)]
gssspi_mech_invoke() is superfluous for mech_krb5, it's only useful for
mechanisms that are dynamically loaded (in which case the mechanism
would provide a separate library with mechanism-specific APIs that
wrapped gssspi_mech_invoke())
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21649 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Thu, 1 Jan 2009 01:44:25 +0000 (01:44 +0000)]
Restore old gss_krb5_ccache_name() implementation, it does not need to
be indirected through gssspi_mech_invoke()
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21648 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Thu, 1 Jan 2009 01:23:23 +0000 (01:23 +0000)]
Don't add a socket to sstate.rfds until add_XXX_fd() has returned
successfully, as otherwise it will contain a dangling FD reference
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21647 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Thu, 1 Jan 2009 00:39:10 +0000 (00:39 +0000)]
Wrap gss_seal/gss_unseal (V1) on gss_wrap/gss_unwrap (V2), rather than
the other way around. Mechanisms should export V2 interfaces.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21646 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Thu, 1 Jan 2009 00:29:47 +0000 (00:29 +0000)]
Use tgs_ktypes rather than permitted_enctypes for client-side EtypeList
Don't send EtypeList unless most preferred enctype is different to
ticket session key enctype
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21645 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Wed, 31 Dec 2008 05:01:45 +0000 (05:01 +0000)]
Cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21643 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Wed, 31 Dec 2008 01:19:44 +0000 (01:19 +0000)]
skip over KRB5_CRYPTO_TYPE_EMPTY buffers when translating IOV
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21641 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Wed, 31 Dec 2008 01:13:42 +0000 (01:13 +0000)]
Correctly distinguish between initiator and acceptor subkey checksum
lengths, in case they may be different (if a stronger CFX enctype was
negotiated by RFC 4537)
Fix kg_translate_iov_v3() to handle EC correctly when a trailer is
present
CFX header validation was broken: we were comparing the plaintext copy
to itself rather than the copy in the trailer.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21640 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Tue, 30 Dec 2008 12:28:36 +0000 (12:28 +0000)]
Previously, we tested explicitly for KRB5_KDB_PWCHANGE_SERVICE when
disabling AS-REP canonicalization, because in Windows kadmin/changepw is
an alias for the TGS. This was to avoid a client asking for a changepw
service ticket getting a TGT by setting the canonicalize flag, something
particularly problematic for a user who is only allowed to reset an
expired password.
The correct fix, however, is to disable AS-REP server name
canonicalization for any alias of the TGS (unless the user is requesting
a TGT, in which case we enable it, because that allows us to deal with
realm aliases for Windows interop).
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21638 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Mon, 29 Dec 2008 14:49:04 +0000 (14:49 +0000)]
cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21630 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Mon, 29 Dec 2008 14:40:52 +0000 (14:40 +0000)]
Don't omit ticket session key enctypes when negotiating enctypes
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21629 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Mon, 29 Dec 2008 13:54:47 +0000 (13:54 +0000)]
don't return enc-pa-data if canon flag unset
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21628 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Mon, 29 Dec 2008 13:16:03 +0000 (13:16 +0000)]
Cleanup kg_make_confounder() somewhat
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21626 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sun, 28 Dec 2008 12:52:19 +0000 (12:52 +0000)]
fix a logic error introduced in r21615
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21617 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sun, 28 Dec 2008 01:06:10 +0000 (01:06 +0000)]
Add a compatibility layer for new cryptosystems such as CCM that do not
implement the hash and verify methods, but do implement hash_iov and
verify_iov. This is similar to what we've done for encryption
callbacks.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21615 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sun, 28 Dec 2008 01:05:18 +0000 (01:05 +0000)]
Update for revised function signature
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21614 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sun, 28 Dec 2008 00:59:40 +0000 (00:59 +0000)]
reorder presently unused verify_iov arguments to make more sense (hash
after iov)
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21613 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sun, 28 Dec 2008 00:09:53 +0000 (00:09 +0000)]
Improve error handling
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21612 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sun, 28 Dec 2008 00:02:10 +0000 (00:02 +0000)]
It appears OK, at least for the Kerberos mechanism, for
gss_inquire_cred() to return GSS_C_NO_NAME in *name, rather than causing
the entire function to return an error. We had some code that depended
on this.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21611 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sat, 27 Dec 2008 23:35:06 +0000 (23:35 +0000)]
Export krb5int_clean_hostname through kaccess so that SPNEGO mech can
use it, rather than gethostname(), to construct NegHints
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21610 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sat, 27 Dec 2008 23:13:05 +0000 (23:13 +0000)]
cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21609 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sat, 27 Dec 2008 05:40:18 +0000 (05:40 +0000)]
cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21608 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sat, 27 Dec 2008 05:38:53 +0000 (05:38 +0000)]
cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21607 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sat, 27 Dec 2008 05:34:18 +0000 (05:34 +0000)]
cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21606 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 26 Dec 2008 23:54:50 +0000 (23:54 +0000)]
Add support for ENCTYPE_ARCFOUR_HMAC_EXP
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21604 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 26 Dec 2008 23:00:28 +0000 (23:00 +0000)]
confounder is 8 bytes long for rc4-hmac
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21603 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 26 Dec 2008 22:15:18 +0000 (22:15 +0000)]
krb5_rd_req() now sets AP_OPTS_USE_SUBKEY if an acceptor subkey was
negotiated by RFC 4537; AP_OPTS_ETYPE_NEGOTIATION is always set if RFC
4537 was used. This allows an application to distinguish the case where
RFC 4537 was used but the enctype was not upgraded.
(Previously, AP_OPTS_USE_SUBKEY was never set by krb5_rd_req().)
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21602 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 26 Dec 2008 10:51:28 +0000 (10:51 +0000)]
Obey RFC 4537 more literally: if EtypeList auth data is present, don't
negotiate the enctype of the ticket session key (but do negotiate the
AP-REQ subkey, if present).
See comments in diff for more details about this potentially
self-contradictory behaviour.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21599 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 26 Dec 2008 10:48:24 +0000 (10:48 +0000)]
reformat
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21598 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 26 Dec 2008 10:22:45 +0000 (10:22 +0000)]
cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21597 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 26 Dec 2008 06:56:55 +0000 (06:56 +0000)]
plug some leaks
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21596 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 26 Dec 2008 05:23:59 +0000 (05:23 +0000)]
remove redundant code
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21593 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 26 Dec 2008 05:20:55 +0000 (05:20 +0000)]
Add RFC 4537 support to GSS-API
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21592 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Fri, 26 Dec 2008 05:19:33 +0000 (05:19 +0000)]
Implement RFC 4537 in libkrb5. If the AP_OPTS_ETYPE_NEGOTIATION flag is
passed to krb5_mk_req(), then an EtypeList constructed from the
auth_context or krb5 context list of permitted enctypes will be sent.
AP_OPTS_ETYPE_NEGOTIATION will be returned by krb5_rd_req() in
ap_req_options if a subkey of a different enctype should be negotiated.
AP_OPTS_ETYPE_NEGOTIATION is only valid with mutual authentication.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21591 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Thu, 25 Dec 2008 22:43:41 +0000 (22:43 +0000)]
Fix some warnings
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21590 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Wed, 24 Dec 2008 07:45:18 +0000 (07:45 +0000)]
Set client principal name correctly with canonicalization
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21587 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Wed, 24 Dec 2008 05:57:41 +0000 (05:57 +0000)]
s/KRB5_PRINCIPAL_PARSE_MUST_REALM/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21586 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Wed, 24 Dec 2008 03:40:56 +0000 (03:40 +0000)]
fix a build error
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21585 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Wed, 24 Dec 2008 03:38:31 +0000 (03:38 +0000)]
update for changed interface
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21584 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Wed, 24 Dec 2008 03:32:57 +0000 (03:32 +0000)]
s/GSS_C_INQ_SESSION_KEY/GSS_C_INQ_SSPI_SESSION_KEY/
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21583 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Wed, 24 Dec 2008 00:41:02 +0000 (00:41 +0000)]
update for SPI changes
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21582 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Tue, 23 Dec 2008 23:16:26 +0000 (23:16 +0000)]
Add -E option for parsing enterprise principal names
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21581 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Tue, 23 Dec 2008 22:50:19 +0000 (22:50 +0000)]
Move mechanism extension OIDs from PADL arc to 1.2.840.113554.1.2.2.5
Move algorithm OID arc from PADL arc to 1.2.840.113554.1.2.2.4
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21580 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Tue, 23 Dec 2008 22:48:38 +0000 (22:48 +0000)]
remove cruft
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21579 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Tue, 23 Dec 2008 13:18:15 +0000 (13:18 +0000)]
Pass TGT session key to handle_authdata() for TGS-REP
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21578 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Tue, 23 Dec 2008 06:14:38 +0000 (06:14 +0000)]
cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21577 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Tue, 23 Dec 2008 06:05:15 +0000 (06:05 +0000)]
Cleanup, add generic_gss_oid_compose()/generic_gss_oid_decompose()
helpers
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21576 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Tue, 23 Dec 2008 05:29:17 +0000 (05:29 +0000)]
remove gsskrb5_get_subkey()
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21575 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Tue, 23 Dec 2008 05:27:14 +0000 (05:27 +0000)]
cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21574 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Tue, 23 Dec 2008 05:25:25 +0000 (05:25 +0000)]
For GSS_C_INQ_SESSION_KEY, annotate session key with Kerberos encryption
type
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21573 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Tue, 23 Dec 2008 03:59:26 +0000 (03:59 +0000)]
cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21572 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Tue, 23 Dec 2008 03:56:28 +0000 (03:56 +0000)]
cleanup: use krb5_boolean instead of int
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21571 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Tue, 23 Dec 2008 03:55:04 +0000 (03:55 +0000)]
cleanup/refactor
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21570 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Tue, 23 Dec 2008 03:30:04 +0000 (03:30 +0000)]
cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21569 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Tue, 23 Dec 2008 03:22:28 +0000 (03:22 +0000)]
add missing break statement
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21568 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Tue, 23 Dec 2008 02:58:35 +0000 (02:58 +0000)]
fix a missing return for KRB5_KDB_DBTYPE_NOSUP/AS-REQ
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21567 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Tue, 23 Dec 2008 02:55:02 +0000 (02:55 +0000)]
Consolidate authorization data handling interface. Both AS-REQ and
TGS-REQ paths call handle_authdata(). There is a new V1 callback that
provides some additional arguments.
Copying TGT authorization data to new tickets as well as the existing
Novell DB sign_auth_data method are both implemented as static authdata
systems.
Both V0 and V1 plugins are supported.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21566 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Tue, 23 Dec 2008 02:39:51 +0000 (02:39 +0000)]
Cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21565 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sun, 21 Dec 2008 22:57:28 +0000 (22:57 +0000)]
cleanup error handling
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21561 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sun, 21 Dec 2008 22:32:36 +0000 (22:32 +0000)]
cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21560 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sun, 21 Dec 2008 05:59:03 +0000 (05:59 +0000)]
cleanup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21559 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sun, 21 Dec 2008 05:57:45 +0000 (05:57 +0000)]
Fix incorrect ordering of acceptor_key_cksumtype and cred_rcache in
kg_ctx_internalize()
Serialize/deserialize context (ticket) authorization data
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21558 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sun, 21 Dec 2008 05:31:38 +0000 (05:31 +0000)]
Replace krb5_{en,de}code_ad_if_relevant with more general purpose
krb5_{en,de}code_authdata_container APIs
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21557 dc483132-0cff-0310-8789-dd5450dbe970
Luke Howard [Sun, 21 Dec 2008 05:04:47 +0000 (05:04 +0000)]
If a mechanism does not implement gss_seal/gss_unseal, then layer
mechglue shims on top of gss_wrap_aead/gss_unwrap_aead first, then
gss_wrap_iov/gss_unwrap_iov. This allows a mechanism to implement
gss_wrap_aead and not gss_seal/gss_wrap_iov, as well as consolidating
the shim code.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21556 dc483132-0cff-0310-8789-dd5450dbe970