Diffstat (limited to 'crypto/krb5/doc/html/_sources')
-rw-r--r--crypto/krb5/doc/html/_sources/admin/admin_commands/kadmin_local.rst.txt22
-rw-r--r--crypto/krb5/doc/html/_sources/admin/admin_commands/kadmind.rst.txt8
-rw-r--r--crypto/krb5/doc/html/_sources/admin/admin_commands/kdb5_util.rst.txt8
-rw-r--r--crypto/krb5/doc/html/_sources/admin/admin_commands/krb5kdc.rst.txt7
-rw-r--r--crypto/krb5/doc/html/_sources/admin/conf_files/kdc_conf.rst.txt81
-rw-r--r--crypto/krb5/doc/html/_sources/admin/conf_files/krb5_conf.rst.txt65
-rw-r--r--crypto/krb5/doc/html/_sources/admin/conf_ldap.rst.txt7
-rw-r--r--crypto/krb5/doc/html/_sources/admin/database.rst.txt4
-rw-r--r--crypto/krb5/doc/html/_sources/admin/realm_config.rst.txt10
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/gssapi.rst.txt36
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/index.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_anonymous_principal.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_anonymous_realm.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_genaddrs.rst.txt8
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_getflags.rst.txt8
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_getlocalseqnumber.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_getremoteseqnumber.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_init.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_setflags.rst.txt8
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_crypto_length_iov.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_encrypt.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_make_checksum_iov.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_verify_checksum_iov.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_cc_cache_match.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_cc_retrieve_cred.rst.txt20
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_change_password.rst.txt10
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_free_config_files.rst.txt44
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_credentials.rst.txt6
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_default_config_files.rst.txt52
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_prompt_types.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_init_context_profile.rst.txt4
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_k_make_checksum_iov.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_k_verify_checksum_iov.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_ncred.rst.txt6
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_priv.rst.txt6
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_rep.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_req_extended.rst.txt6
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_safe.rst.txt6
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_pac_add_buffer.rst.txt14
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_parse_name_flags.rst.txt8
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_principal_compare_flags.rst.txt8
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_cred.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_priv.rst.txt6
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_req.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_safe.rst.txt6
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_sendauth.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_set_password.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_sname_match.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_sname_to_principal.rst.txt4
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_step.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_unparse_name_flags.rst.txt6
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/macros/ADDRTYPE_DIRECTIONAL.rst.txt17
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/macros/ADDRTYPE_UNIXSOCK.rst.txt17
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/macros/AP_OPTS_CBT_FLAG.rst.txt17
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FINISHED.rst.txt17
-rw-r--r--crypto/krb5/doc/html/_sources/appdev/refs/macros/index.rst.txt4
-rw-r--r--crypto/krb5/doc/html/_sources/build/options2configure.rst.txt3
-rw-r--r--crypto/krb5/doc/html/_sources/copyright.rst.txt2
-rw-r--r--crypto/krb5/doc/html/_sources/formats/cookie.rst.txt38
-rw-r--r--crypto/krb5/doc/html/_sources/formats/database_formats.rst.txt459
-rw-r--r--crypto/krb5/doc/html/_sources/formats/index.rst.txt1
-rw-r--r--crypto/krb5/doc/html/_sources/mitK5features.rst.txt67
-rw-r--r--crypto/krb5/doc/html/_sources/user/user_commands/kinit.rst.txt4
66 files changed, 1004 insertions, 174 deletions
diff --git a/crypto/krb5/doc/html/_sources/admin/admin_commands/kadmin_local.rst.txt b/crypto/krb5/doc/html/_sources/admin/admin_commands/kadmin_local.rst.txt
index 2435b3c3611e..b4edc7924345 100644
--- a/crypto/krb5/doc/html/_sources/admin/admin_commands/kadmin_local.rst.txt
+++ b/crypto/krb5/doc/html/_sources/admin/admin_commands/kadmin_local.rst.txt
@@ -460,6 +460,24 @@ This command requires the **add** and **delete** privileges.
Alias: **renprinc**
+.. _add_alias:
+
+add_alias
+~~~~~~~~~
+
+ **add_alias** *alias_princ* *target_princ*
+
+Create an alias *alias_princ* pointing to *target_princ*. Aliases may
+be chained (that is, *target_princ* may itself be an alias) up to a
+depth of 10.
+
+This command requires the **add** privilege for *alias_princ* and the
+**modify** privilege for *target_princ*.
+
+(New in release 1.22.)
+
+Aliases: **alias**
+
.. _delete_principal:
delete_principal
@@ -467,8 +485,8 @@ delete_principal
**delete_principal** [**-force**] *principal*
-Deletes the specified *principal* from the database. This command
-prompts for deletion, unless the **-force** option is given.
+Deletes the specified *principal* or alias from the database. This
+command prompts for deletion, unless the **-force** option is given.
This command requires the **delete** privilege.
diff --git a/crypto/krb5/doc/html/_sources/admin/admin_commands/kadmind.rst.txt b/crypto/krb5/doc/html/_sources/admin/admin_commands/kadmind.rst.txt
index 7e1482635d0a..bc66890def3d 100644
--- a/crypto/krb5/doc/html/_sources/admin/admin_commands/kadmind.rst.txt
+++ b/crypto/krb5/doc/html/_sources/admin/admin_commands/kadmind.rst.txt
@@ -121,6 +121,14 @@ ENVIRONMENT
See :ref:`kerberos(7)` for a description of Kerberos environment
variables.
+As of release 1.22, kadmind supports systemd socket activation via the
+LISTEN_PID and LISTEN_FDS environment variables. Sockets provided by
+the caller must correspond to configured listener addresses (via the
+**kadmind_listen** or **kpasswd_listen** variables or equivalents) or
+they will be ignored. Any configured listener addresses that do not
+correspond to caller-provided sockets will be ignored if socket
+activation is used.
+
SEE ALSO
--------
diff --git a/crypto/krb5/doc/html/_sources/admin/admin_commands/kdb5_util.rst.txt b/crypto/krb5/doc/html/_sources/admin/admin_commands/kdb5_util.rst.txt
index 444c58bcd967..8147e9766eee 100644
--- a/crypto/krb5/doc/html/_sources/admin/admin_commands/kdb5_util.rst.txt
+++ b/crypto/krb5/doc/html/_sources/admin/admin_commands/kdb5_util.rst.txt
@@ -376,6 +376,14 @@ Options:
Dump types:
+**alias**
+ principal alias information
+
+ **aliasname**
+ the name of the alias
+ **targetname**
+ the target of the alias
+
**keydata**
principal encryption key information, including actual key data
(which is still encrypted in the master key)
diff --git a/crypto/krb5/doc/html/_sources/admin/admin_commands/krb5kdc.rst.txt b/crypto/krb5/doc/html/_sources/admin/admin_commands/krb5kdc.rst.txt
index 631a0de84e50..97fbe5ed7d10 100644
--- a/crypto/krb5/doc/html/_sources/admin/admin_commands/krb5kdc.rst.txt
+++ b/crypto/krb5/doc/html/_sources/admin/admin_commands/krb5kdc.rst.txt
@@ -106,6 +106,13 @@ ENVIRONMENT
See :ref:`kerberos(7)` for a description of Kerberos environment
variables.
+As of release 1.22, krb5kdc supports systemd socket activation via the
+LISTEN_PID and LISTEN_FDS environment variables. Sockets provided by
+the caller must correspond to configured listener addresses (via the
+**kdc_listen** variable or equivalent) or they will be ignored. Any
+configured listener addresses that do not correspond to
+caller-provided sockets will be ignored if socket activation is used.
+
SEE ALSO
--------
diff --git a/crypto/krb5/doc/html/_sources/admin/conf_files/kdc_conf.rst.txt b/crypto/krb5/doc/html/_sources/admin/conf_files/kdc_conf.rst.txt
index 74a0a2acef98..63bdb8d48c12 100644
--- a/crypto/krb5/doc/html/_sources/admin/conf_files/kdc_conf.rst.txt
+++ b/crypto/krb5/doc/html/_sources/admin/conf_files/kdc_conf.rst.txt
@@ -289,14 +289,16 @@ The following tags may be specified in a [realms] subsection:
**kadmind_listen**
(Whitespace- or comma-separated list.) Specifies the kadmin RPC
listening addresses and/or ports for the :ref:`kadmind(8)` daemon.
- Each entry may be an interface address, a port number, or an
- address and port number separated by a colon. If the address
- contains colons, enclose it in square brackets. If no address is
- specified, the wildcard address is used. If kadmind fails to bind
- to any of the specified addresses, it will fail to start. The
- default is to bind to the wildcard address at the port specified
- in **kadmind_port**, or the standard kadmin port (749). New in
- release 1.15.
+ Each entry may be an interface address, a port number, an address
+ and port number separated by a colon, or a UNIX domain socket
+ pathname. If the address contains colons, enclose it in square
+ brackets. If no address is specified, the wildcard address is
+ used. To disable listening for kadmin RPC connections, set this
+ relation to the empty string with ``kadmind_listen = ""``. If
+ kadmind fails to bind to any of the specified addresses, it will
+ fail to start. The default is to bind to the wildcard address at
+ the port specified in **kadmind_port**, or the standard kadmin
+ port (749). New in release 1.15.
**kadmind_port**
(Port number.) Specifies the port on which the :ref:`kadmind(8)`
@@ -310,16 +312,18 @@ The following tags may be specified in a [realms] subsection:
``/.k5.REALM``, where *REALM* is the Kerberos realm.
**kdc_listen**
- (Whitespace- or comma-separated list.) Specifies the UDP
- listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon.
- Each entry may be an interface address, a port number, or an
- address and port number separated by a colon. If the address
- contains colons, enclose it in square brackets. If no address is
- specified, the wildcard address is used. If no port is specified,
- the standard port (88) is used. If the KDC daemon fails to bind
- to any of the specified addresses, it will fail to start. The
- default is to bind to the wildcard address on the standard port.
- New in release 1.15.
+ (Whitespace- or comma-separated list.) Specifies the listening
+ addresses and/or ports for the :ref:`krb5kdc(8)` daemon. Each
+ entry may be an interface address, a port number, an address and
+ port number separated by a colon, or a UNIX domain socket
+ pathname. If the address contains colons, enclose it in square
+ brackets. If no address is specified, the wildcard address is
+ used. If no port is specified, the standard port (88) is used.
+ To disable listening on UDP, set this relation to the empty string
+ with ``kdc_listen = ""``. If the KDC daemon fails to bind to any
+ of the specified addresses, it will fail to start. The default is
+ to bind to the wildcard address on the standard port. New in
+ release 1.15.
**kdc_ports**
(Whitespace- or comma-separated list, deprecated.) Prior to
@@ -331,15 +335,10 @@ The following tags may be specified in a [realms] subsection:
**kdc_tcp_listen**
(Whitespace- or comma-separated list.) Specifies the TCP
listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon.
- Each entry may be an interface address, a port number, or an
- address and port number separated by a colon. If the address
- contains colons, enclose it in square brackets. If no address is
- specified, the wildcard address is used. If no port is specified,
- the standard port (88) is used. To disable listening on TCP, set
- this relation to the empty string with ``kdc_tcp_listen = ""``.
- If the KDC daemon fails to bind to any of the specified addresses,
- it will fail to start. The default is to bind to the wildcard
- address on the standard port. New in release 1.15.
+ The syntax is identical to that of **kdc_listen**. To disable
+ listening on TCP, set this relation to the empty string with
+ ``kdc_tcp_listen = ""``. The default is to bind to the same
+ addresses and ports as for UDP. New in release 1.15.
**kdc_tcp_ports**
(Whitespace- or comma-separated list, deprecated.) Prior to
@@ -349,15 +348,18 @@ The following tags may be specified in a [realms] subsection:
**kdc_tcp_listen** if that relation is not defined.
**kpasswd_listen**
- (Comma-separated list.) Specifies the kpasswd listening addresses
- and/or ports for the :ref:`kadmind(8)` daemon. Each entry may be
- an interface address, a port number, or an address and port number
- separated by a colon. If the address contains colons, enclose it
- in square brackets. If no address is specified, the wildcard
- address is used. If kadmind fails to bind to any of the specified
- addresses, it will fail to start. The default is to bind to the
- wildcard address at the port specified in **kpasswd_port**, or the
- standard kpasswd port (464). New in release 1.15.
+ (Comma-separated list.) Specifies the kpasswd listening
+ addresses and/or ports for the :ref:`kadmind(8)` daemon. Each
+ entry may be an interface address, a port number, an address and
+ port number separated by a colon, or a UNIX domain socket
+ pathname. If the address contains colons, enclose it in square
+ brackets. If no address is specified, the wildcard address is
+ used. To disable listening for kpasswd requests, set this
+ relation to the empty string with ``kpasswd_listen = ""``. If
+ kadmind fails to bind to any of the specified addresses, it will
+ fail to start. The default is to bind to the wildcard address at
+ the port specified in **kpasswd_port**, or the standard kpasswd
+ port (464). New in release 1.15.
**kpasswd_port**
(Port number.) Specifies the port on which the :ref:`kadmind(8)`
@@ -768,8 +770,11 @@ For information about the syntax of some of these options, see
be specified multiple times.
**pkinit_dh_min_bits**
- Specifies the minimum number of bits the KDC is willing to accept
- for a client's Diffie-Hellman key. The default is 2048.
+ Specifies the minimum strength of Diffie-Hellman group the KDC is
+ willing to accept for key exchange. Valid values in order of
+ increasing strength are 1024, 2048, P-256, 4096, P-384, and P-521.
+ The default is 2048. (P-256, P-384, and P-521 are new in release
+ 1.22.)
**pkinit_allow_upn**
Specifies that the KDC is willing to accept client certificates
diff --git a/crypto/krb5/doc/html/_sources/admin/conf_files/krb5_conf.rst.txt b/crypto/krb5/doc/html/_sources/admin/conf_files/krb5_conf.rst.txt
index ecdf91750152..e0c7a633094e 100644
--- a/crypto/krb5/doc/html/_sources/admin/conf_files/krb5_conf.rst.txt
+++ b/crypto/krb5/doc/html/_sources/admin/conf_files/krb5_conf.rst.txt
@@ -35,12 +35,6 @@ or::
baz = quux
}
-Placing a '\*' after the closing bracket of a section name indicates
-that the section is *final*, meaning that if the same section appears
-within a later file specified in **KRB5_CONFIG**, it will be ignored.
-A subsection can be marked as final by placing a '\*' after either the
-tag name or the closing brace.
-
The krb5.conf file can include other files using either of the
following directives at the beginning of a line::
@@ -58,6 +52,16 @@ section header. Starting in release 1.17, files are read in
alphanumeric order; in previous releases, they may be read in any
order.
+Placing a '\*' after the closing bracket of a section name indicates
+that the section is *final*, meaning that if the same section appears
+again later, it will be ignored. A subsection can be marked as final
+by placing a '\*' after either the tag name or the closing brace. A
+relation can be marked as final by placing a '\*' after the tag name.
+Prior to release 1.22, only sections and subsections can be marked as
+final, and the flag only causes values to be ignored if they appear in
+later files specified in **KRB5_CONFIG**, not if they appear later
+within the same file or an included file.
+
The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
following directive at the beginning of a line before any section
@@ -221,6 +225,12 @@ The libdefaults section may contain any of the following relations:
data), and anything the fake KDC sends will not be trusted without
verification using some secret that it won't know.
+**dns_lookup_realm**
+ Indicate whether DNS TXT records should be used to map hostnames
+ to realm names for hostnames not listed in the [domain_realm]
+ section, and to determine the default realm if **default_realm**
+ is not set. The default value is false.
+
**dns_uri_lookup**
Indicate whether DNS URI records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
@@ -362,6 +372,15 @@ The libdefaults section may contain any of the following relations:
(:ref:`duration` string.) Sets the default renewable lifetime
for initial ticket requests. The default value is 0.
+**request_timeout**
+ (:ref:`duration` string.) Sets the maximum total time for KDC and
+ password change requests. This timeout does not affect the
+ intervals between requests, so setting a low timeout may result in
+ fewer requests being attempted and/or some servers not being
+ contacted. A value of 0 indicates no specific maximum, in which
+ case requests will time out if no server responds after several
+ tries. The default value is 0. (New in release 1.22.)
+
**spake_preauth_groups**
A whitespace or comma-separated list of words which specifies the
groups allowed for SPAKE preauthentication. The possible values
@@ -511,20 +530,21 @@ following tags may be specified in the realm's subsection:
been set to ``FILE:/tmp/my_proxy.pem``.
**kdc**
- The name or address of a host running a KDC for that realm. An
- optional port number, separated from the hostname by a colon, may
- be included. If the name or address contains colons (for example,
- if it is an IPv6 address), enclose it in square brackets to
+ The name or address of a host running a KDC for the realm, or a
+ UNIX domain socket path of a locally running KDC. An optional
+ port number, separated from the hostname by a colon, may be
+ included. If the name or address contains colons (for example, if
+ it is an IPv6 address), enclose it in square brackets to
distinguish the colon from a port separator. For your computer to
be able to communicate with the KDC for each realm, this tag must
be given a value in each realm subsection in the configuration
file, or there must be DNS SRV records specifying the KDCs.
**kpasswd_server**
- Points to the server where all the password changes are performed.
- If there is no such entry, DNS will be queried (unless forbidden
- by **dns_lookup_kdc**). Finally, port 464 on the **admin_server**
- host will be tried.
+ The location of the password change server for the realm, using
+ the same syntax as **kdc**. If there is no such entry, DNS will
+ be queried (unless forbidden by **dns_lookup_kdc**). Finally,
+ port 464 on the **admin_server** host will be tried.
**master_kdc**
The name for **primary_kdc** prior to release 1.19. Its value is
@@ -538,6 +558,10 @@ following tags may be specified in the realm's subsection:
the updated database has not been propagated to the replica
servers yet. New in release 1.19.
+**sitename**
+ Specifies the name of the host's site for the purpose of DNS-based
+ KDC discovery for this realm. New in release 1.22.
+
**v4_instance_convert**
This subsection allows the administrator to configure exceptions
to the **default_domain** mapping rule. It contains V4 instances
@@ -1028,8 +1052,10 @@ information for PKINIT is as follows:
a particular smard card reader or token if there is more than one
available. ``certid=`` and/or ``certlabel=`` may be specified to
force the selection of a particular certificate on the device.
- See the **pkinit_cert_match** configuration option for more ways
- to select a particular certificate to use for PKINIT.
+ Specifier values must not contain colon characters, as colons are
+ always treated as separators. See the **pkinit_cert_match**
+ configuration option for more ways to select a particular
+ certificate to use for PKINIT.
**ENV:**\ *envvar*
*envvar* specifies the name of an environment variable which has
@@ -1128,9 +1154,10 @@ PKINIT krb5.conf options
option is not recommended.
**pkinit_dh_min_bits**
- Specifies the size of the Diffie-Hellman key the client will
- attempt to use. The acceptable values are 1024, 2048, and 4096.
- The default is 2048.
+ Specifies the group of the Diffie-Hellman key the client will
+ attempt to use. The acceptable values are 1024, 2048, P-256,
+ 4096, P-384, and P-521. The default is 2048. (P-256, P-384, and
+ P-521 are new in release 1.22.)
**pkinit_identities**
Specifies the location(s) to be used to find the user's X.509
diff --git a/crypto/krb5/doc/html/_sources/admin/conf_ldap.rst.txt b/crypto/krb5/doc/html/_sources/admin/conf_ldap.rst.txt
index 65542c1a4e42..908dfd1e7e09 100644
--- a/crypto/krb5/doc/html/_sources/admin/conf_ldap.rst.txt
+++ b/crypto/krb5/doc/html/_sources/admin/conf_ldap.rst.txt
@@ -112,9 +112,10 @@ Configuring Kerberos with OpenLDAP back-end
details.
With the LDAP back end it is possible to provide aliases for principal
-entries. Currently we provide no administrative utilities for
-creating aliases, so it must be done by direct manipulation of the
-LDAP entries.
+entries. Beginning in release 1.22, aliases can be added with the
+kadmin **add_alias** command, but it is also possible (in release 1.7
+or later) to provide aliases through direct manipulation of the LDAP
+entries.
An entry with aliases contains multiple values of the
*krbPrincipalName* attribute. Since LDAP attribute values are not
diff --git a/crypto/krb5/doc/html/_sources/admin/database.rst.txt b/crypto/krb5/doc/html/_sources/admin/database.rst.txt
index 2fd07242a0f7..685ec272f4b0 100644
--- a/crypto/krb5/doc/html/_sources/admin/database.rst.txt
+++ b/crypto/krb5/doc/html/_sources/admin/database.rst.txt
@@ -93,6 +93,10 @@ To view the attributes of a principal, use the kadmin`
To generate a listing of principals, use the kadmin
**list_principals** command.
+To give a principal additional names, use the kadmin **add_alias**
+command to create aliases to the principal (new in release 1.22).
+Aliases can be removed with the **delete_principal** command.
+
.. _policies:
diff --git a/crypto/krb5/doc/html/_sources/admin/realm_config.rst.txt b/crypto/krb5/doc/html/_sources/admin/realm_config.rst.txt
index 9f5ad5074650..32c5b9cf11ee 100644
--- a/crypto/krb5/doc/html/_sources/admin/realm_config.rst.txt
+++ b/crypto/krb5/doc/html/_sources/admin/realm_config.rst.txt
@@ -196,6 +196,13 @@ using the **kdc**, **master_kdc**, **admin_server**, and
explicit server locations, providing SRV records will still benefit
unconfigured clients, and be useful for other sites.
+Clients can be configured with the **sitename** realm variable (new in
+release 1.22). If a site name is set, the client first attempts SRV
+record lookups with ".*sitename*._sites" inserted after the service
+and protocol name and before the Kerberos realm. Site-specific
+records may indicate servers more proximal to the client, allowing for
+faster access.
+
.. _kdc_discovery:
@@ -244,6 +251,9 @@ URI lookups are enabled by default, and can be disabled by setting
precedence over SRV lookups, falling back to SRV lookups if no URI
records are found.
+The **sitename** variable in the :ref:`realms` section of
+:ref:`krb5.conf(5)` applies to URI lookups as well as SRV lookups.
+
.. _db_prop:
diff --git a/crypto/krb5/doc/html/_sources/appdev/gssapi.rst.txt b/crypto/krb5/doc/html/_sources/appdev/gssapi.rst.txt
index 339fd6c7c155..b58f4122bca5 100644
--- a/crypto/krb5/doc/html/_sources/appdev/gssapi.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/gssapi.rst.txt
@@ -424,6 +424,42 @@ set. If the library does not support the query,
gss_inquire_cred_by_oid will return **GSS_S_UNAVAILABLE**.
+Channel binding behavior and GSS_C_CHANNEL_BOUND_FLAG
+-----------------------------------------------------
+
+GSSAPI channel bindings can be used to limit the scope of a context
+establishment token to a particular protected channel or endpoint,
+such as a TLS channel or server certificate. Channel bindings can be
+supplied via the *input_chan_bindings* parameter to either
+gss_init_sec_context() or gss_accept_sec_context().
+
+If both the initiator and acceptor of a GSSAPI exchange supply
+matching channel bindings, **GSS_C_CHANNEL_BOUND_FLAG** will be
+included in the gss_accept_sec_context() *ret_flags* result. If
+either the initiator or acceptor (or both) do not supply channel
+bindings, the exchange will succeed, but **GSS_C_CHANNEL_BOUND_FLAG**
+will not be included in the return flags. If the acceptor and
+initiator both inlude channel bindings but they do not match, the
+exchange will fail.
+
+If **GSS_C_CHANNEL_BOUND_FLAG** is included in the *req_flags*
+parameter of gss_init_sec_context(), the initiator will add the
+Microsoft KERB_AP_OPTIONS_CBT extension to the Kerberos authenticator.
+This extension requests that the acceptor strictly enforce channel
+bindings, causing the exchange to fail if the acceptor supplies
+channel bindings and the initiator does not. The KERB_AP_OPTIONS_CBT
+extension will also be included if the
+**client_aware_channel_bindings** variable is set to ``true`` in
+:ref:`libdefaults`.
+
+Prior to release 1.19, **GSS_C_CHANNEL_BOUND_FLAG** is not
+implemented, and the exchange will fail if the acceptor supply channel
+bindings and the initiator does not (but not vice versa). Between
+releases 1.19 and 1.21, **GSS_C_CHANNEL_BOUND_FLAG** is not recognized
+as an initiator flag, so **client_aware_channel_bindings** is the only
+way to cause KERB_AP_OPTIONS_CBT to be included.
+
+
AEAD message wrapping
---------------------
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/index.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/index.rst.txt
index d12be47c3ce1..648dc2ed9933 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/index.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/index.rst.txt
@@ -25,6 +25,7 @@ Frequently used public interfaces
krb5_change_password.rst
krb5_chpw_message.rst
krb5_expand_hostname.rst
+ krb5_free_config_files.rst
krb5_free_context.rst
krb5_free_error_message.rst
krb5_free_principal.rst
@@ -33,6 +34,7 @@ Frequently used public interfaces
krb5_get_error_message.rst
krb5_get_host_realm.rst
krb5_get_credentials.rst
+ krb5_get_default_config_files.rst
krb5_get_fallback_host_realm.rst
krb5_get_init_creds_keytab.rst
krb5_get_init_creds_opt_alloc.rst
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_anonymous_principal.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_anonymous_principal.rst.txt
index 0b715e119a0d..658eb36e5a6e 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_anonymous_principal.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_anonymous_principal.rst.txt
@@ -39,7 +39,7 @@ This function returns constant storage that must not be freed.
..
.. seealso::
- #KRB5_ANONYMOUS_PRINCSTR
+ KRB5_ANONYMOUS_PRINCSTR
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_anonymous_realm.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_anonymous_realm.rst.txt
index ec3cc4e3108e..f2d1b5f5540f 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_anonymous_realm.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_anonymous_realm.rst.txt
@@ -39,7 +39,7 @@ This function returns constant storage that must not be freed.
..
.. seealso::
- #KRB5_ANONYMOUS_REALMSTR
+ KRB5_ANONYMOUS_REALMSTR
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_genaddrs.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_genaddrs.rst.txt
index f61c23185316..d84399972211 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_genaddrs.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_genaddrs.rst.txt
@@ -40,16 +40,16 @@ This function sets the local and/or remote addresses in *auth_context* based on
- - #KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR Generate local address.
+ - KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR Generate local address.
- - #KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR Generate remote address.
+ - KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR Generate remote address.
- - #KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR Generate local address and port.
+ - KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR Generate local address and port.
- - #KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR Generate remote address and port.
+ - KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR Generate remote address and port.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_getflags.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_getflags.rst.txt
index db9020e2d30b..e7a9fbc1b9cf 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_getflags.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_getflags.rst.txt
@@ -34,16 +34,16 @@ krb5_auth_con_getflags - Retrieve flags from a krb5_auth_context structure.
Valid values for *flags* are:
- - #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps
+ - KRB5_AUTH_CONTEXT_DO_TIME Use timestamps
- - #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps
+ - KRB5_AUTH_CONTEXT_RET_TIME Save timestamps
- - #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers
+ - KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers
- - #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers
+ - KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_getlocalseqnumber.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_getlocalseqnumber.rst.txt
index 0b340a3fb521..957f89755033 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_getlocalseqnumber.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_getlocalseqnumber.rst.txt
@@ -32,7 +32,7 @@ krb5_auth_con_getlocalseqnumber - Retrieve the local sequence number from an au
-Retrieve the local sequence number from *auth_context* and return it in *seqnumber* . The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in *auth_context* for this function to be useful.
+Retrieve the local sequence number from *auth_context* and return it in *seqnumber* . The KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in *auth_context* for this function to be useful.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_getremoteseqnumber.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_getremoteseqnumber.rst.txt
index 8f2a7ffdb486..61bcef6583b3 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_getremoteseqnumber.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_getremoteseqnumber.rst.txt
@@ -32,7 +32,7 @@ krb5_auth_con_getremoteseqnumber - Retrieve the remote sequence number from an
-Retrieve the remote sequence number from *auth_context* and return it in *seqnumber* . The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in *auth_context* for this function to be useful.
+Retrieve the remote sequence number from *auth_context* and return it in *seqnumber* . The KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in *auth_context* for this function to be useful.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_init.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_init.rst.txt
index 9f61f30be4e6..58bec34929f6 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_init.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_init.rst.txt
@@ -34,7 +34,7 @@ This function creates an authentication context to hold configuration and state
-By default, flags for the context are set to enable the use of the replay cache (#KRB5_AUTH_CONTEXT_DO_TIME), but not sequence numbers. Use krb5_auth_con_setflags() to change the flags.
+By default, flags for the context are set to enable the use of the replay cache (KRB5_AUTH_CONTEXT_DO_TIME), but not sequence numbers. Use krb5_auth_con_setflags() to change the flags.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_setflags.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_setflags.rst.txt
index d8cb6e71c5d0..e376185e987b 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_setflags.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_auth_con_setflags.rst.txt
@@ -34,16 +34,16 @@ krb5_auth_con_setflags - Set a flags field in a krb5_auth_context structure.
Valid values for *flags* are:
- - #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps
+ - KRB5_AUTH_CONTEXT_DO_TIME Use timestamps
- - #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps
+ - KRB5_AUTH_CONTEXT_RET_TIME Save timestamps
- - #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers
+ - KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers
- - #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers
+ - KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_crypto_length_iov.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_crypto_length_iov.rst.txt
index cb4d18d1db0e..238d04e9ca55 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_crypto_length_iov.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_crypto_length_iov.rst.txt
@@ -34,7 +34,7 @@ krb5_c_crypto_length_iov - Fill in lengths for header, trailer and padding in a
-Padding is set to the actual padding required based on the provided *data* buffers. Typically this API is used after setting up the data buffers and #KRB5_CRYPTO_TYPE_SIGN_ONLY buffers, but before actually allocating header, trailer and padding.
+Padding is set to the actual padding required based on the provided *data* buffers. Typically this API is used after setting up the data buffers and KRB5_CRYPTO_TYPE_SIGN_ONLY buffers, but before actually allocating header, trailer and padding.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_encrypt.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_encrypt.rst.txt
index b67a8db61b24..d3a12af8df76 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_encrypt.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_encrypt.rst.txt
@@ -38,7 +38,7 @@ krb5_c_encrypt - Encrypt data using a key (operates on keyblock).
-This function encrypts the data block *input* and stores the outputinto *output* . The actual encryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation.
+This function encrypts the data block *input* and stores the output into *output* . The actual encryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_make_checksum_iov.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_make_checksum_iov.rst.txt
index fe1d921cc039..b152676fbac3 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_make_checksum_iov.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_make_checksum_iov.rst.txt
@@ -38,7 +38,7 @@ krb5_c_make_checksum_iov - Fill in a checksum element in IOV array (operates on
-Create a checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element over #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in *data* . Only the #KRB5_CRYPTO_TYPE_CHECKSUM region is modified.
+Create a checksum in the KRB5_CRYPTO_TYPE_CHECKSUM element over KRB5_CRYPTO_TYPE_DATA and KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in *data* . Only the KRB5_CRYPTO_TYPE_CHECKSUM region is modified.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_verify_checksum_iov.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_verify_checksum_iov.rst.txt
index 237c01f1779a..639fc882ca08 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_verify_checksum_iov.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_c_verify_checksum_iov.rst.txt
@@ -40,7 +40,7 @@ krb5_c_verify_checksum_iov - Validate a checksum element in IOV array (operates
-Confirm that the checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element is a valid checksum of the #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY regions in the iov.
+Confirm that the checksum in the KRB5_CRYPTO_TYPE_CHECKSUM element is a valid checksum of the KRB5_CRYPTO_TYPE_DATA and KRB5_CRYPTO_TYPE_SIGN_ONLY regions in the iov.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_cc_cache_match.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_cc_cache_match.rst.txt
index 3e01accab529..2c56506902d5 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_cc_cache_match.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_cc_cache_match.rst.txt
@@ -22,7 +22,7 @@ krb5_cc_cache_match - Find a credential cache with a specified client principal
:retval:
- 0 Success
- - KRB5_CC_NOTFOUND None
+ - KRB5_CC_NOTFOUND
..
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_cc_retrieve_cred.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_cc_retrieve_cred.rst.txt
index 3674f97dd9d5..22413b5cfbe1 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_cc_retrieve_cred.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_cc_retrieve_cred.rst.txt
@@ -46,34 +46,34 @@ Valid values for *flags* are:
- - #KRB5_TC_MATCH_TIMES The requested lifetime must be at least as great as in *mcreds* .
+ - KRB5_TC_MATCH_TIMES The requested lifetime must be at least as great as in *mcreds* .
- - #KRB5_TC_MATCH_IS_SKEY The *is_skey* field much match exactly.
+ - KRB5_TC_MATCH_IS_SKEY The *is_skey* field much match exactly.
- - #KRB5_TC_MATCH_FLAGS Flags set in *mcreds* must be set.
+ - KRB5_TC_MATCH_FLAGS Flags set in *mcreds* must be set.
- - #KRB5_TC_MATCH_TIMES_EXACT The requested lifetime must match exactly.
+ - KRB5_TC_MATCH_TIMES_EXACT The requested lifetime must match exactly.
- - #KRB5_TC_MATCH_FLAGS_EXACT Flags must match exactly.
+ - KRB5_TC_MATCH_FLAGS_EXACT Flags must match exactly.
- - #KRB5_TC_MATCH_AUTHDATA The authorization data must match.
+ - KRB5_TC_MATCH_AUTHDATA The authorization data must match.
- - #KRB5_TC_MATCH_SRV_NAMEONLY Only the name portion of the principal name must match, not the realm.
+ - KRB5_TC_MATCH_SRV_NAMEONLY Only the name portion of the principal name must match, not the realm.
- - #KRB5_TC_MATCH_2ND_TKT The second tickets must match.
+ - KRB5_TC_MATCH_2ND_TKT The second tickets must match.
- - #KRB5_TC_MATCH_KTYPE The encryption key types must match.
+ - KRB5_TC_MATCH_KTYPE The encryption key types must match.
- - #KRB5_TC_SUPPORTED_KTYPES Check all matching entries that have any supported encryption type and return the one with the encryption type listed earliest.
+ - KRB5_TC_SUPPORTED_KTYPES Check all matching entries that have any supported encryption type and return the one with the encryption type listed earliest.
Use krb5_free_cred_contents() to free *creds* when it is no longer needed.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_change_password.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_change_password.rst.txt
index 05a3eb9512bd..8d4691790ee1 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_change_password.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_change_password.rst.txt
@@ -48,19 +48,19 @@ The possible values of the output *result_code* are:
- - #KRB5_KPASSWD_SUCCESS (0) - success
+ - KRB5_KPASSWD_SUCCESS (0) - success
- - #KRB5_KPASSWD_MALFORMED (1) - Malformed request error
+ - KRB5_KPASSWD_MALFORMED (1) - Malformed request error
- - #KRB5_KPASSWD_HARDERROR (2) - Server error
+ - KRB5_KPASSWD_HARDERROR (2) - Server error
- - #KRB5_KPASSWD_AUTHERROR (3) - Authentication error
+ - KRB5_KPASSWD_AUTHERROR (3) - Authentication error
- - #KRB5_KPASSWD_SOFTERROR (4) - Password change rejected
+ - KRB5_KPASSWD_SOFTERROR (4) - Password change rejected
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_free_config_files.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_free_config_files.rst.txt
new file mode 100644
index 000000000000..620fe7e232ef
--- /dev/null
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_free_config_files.rst.txt
@@ -0,0 +1,44 @@
+krb5_free_config_files - Free a list allocated by krb5_get_default_config_files()
+===================================================================================
+
+..
+
+.. c:function:: void krb5_free_config_files(char ** filenames)
+
+..
+
+
+:param:
+
+ **[in]** **filenames** - Configuration filename list
+
+
+..
+
+
+
+..
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+..
+
+
+
+
+.. note::
+
+ New in 1.22
+
+
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.rst.txt
index bfda237f445f..939faad6a8cc 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.rst.txt
@@ -49,7 +49,7 @@ krb5_fwd_tgt_creds - Get a forwarded TGT and format a KRB-CRED message.
-Get a TGT for use at the remote host *rhost* and format it into a KRB-CRED message. If *rhost* is NULL and *server* is of type #KRB5_NT_SRV_HST, the second component of *server* will be used.
+Get a TGT for use at the remote host *rhost* and format it into a KRB-CRED message. If *rhost* is NULL and *server* is of type KRB5_NT_SRV_HST, the second component of *server* will be used.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_credentials.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_credentials.rst.txt
index 7a72b39af08f..b4fbcd69b0e7 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_credentials.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_credentials.rst.txt
@@ -45,16 +45,16 @@ Use *ccache* or a TGS exchange to get a service ticket matching *in_creds* .
Valid values for *options* are:
- - #KRB5_GC_CACHED Search only credential cache for the ticket
+ - KRB5_GC_CACHED Search only credential cache for the ticket
- - #KRB5_GC_USER_USER Return a user to user authentication ticket
+ - KRB5_GC_USER_USER Return a user to user authentication ticket
*in_creds* must be non-null. *in_creds->client* and *in_creds->server* must be filled in to specify the client and the server respectively. If any authorization data needs to be requested for the service ticket (such as restrictions on how the ticket can be used), specify it in *in_creds->authdata* ; otherwise set *in_creds->authdata* to NULL. The session key type is specified in *in_creds->keyblock.enctype* , if it is nonzero.
-The expiration date is specified in *in_creds->times.endtime* . The KDC may return tickets with an earlier expiration date. If *in_creds->times.endtime* is set to 0, the latest possible expiration date will be requested.
+If *in_creds->times.endtime* is specified, it is used as the requested expiration date if a TGS request is made. If *in_creds->times.endtime* is set to 0, the latest possible expiration date will be requested. The KDC or cache may return a ticket with an earlier expiration date.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_default_config_files.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_default_config_files.rst.txt
new file mode 100644
index 000000000000..292eed4c82f0
--- /dev/null
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_default_config_files.rst.txt
@@ -0,0 +1,52 @@
+krb5_get_default_config_files - Return a list of default configuration filenames.
+===================================================================================
+
+..
+
+.. c:function:: krb5_error_code krb5_get_default_config_files(char *** filenames)
+
+..
+
+
+:param:
+
+ **[out]** **filenames** - Configuration filename list
+
+
+..
+
+
+
+..
+
+
+
+
+
+
+
+Fill in *filenames* with a null-terminated list of configuration files which will be read by krb5_init_context() in the current process environment.
+
+
+
+Use krb5_free_config_files() to free *filenames* when it is no longer needed.
+
+
+
+
+
+
+
+
+
+
+..
+
+
+
+
+.. note::
+
+ New in 1.22
+
+
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.rst.txt
index 77e9fa04d7e6..203e9c71c37d 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.rst.txt
@@ -34,7 +34,7 @@ krb5_get_init_creds_opt_set_fast_flags - Set FAST flags in initial credential o
The following flag values are valid:
- - #KRB5_FAST_REQUIRED - Require FAST to be used
+ - KRB5_FAST_REQUIRED - Require FAST to be used
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_prompt_types.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_prompt_types.rst.txt
index 4cf9748c4dd4..39156ca153af 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_prompt_types.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_get_prompt_types.rst.txt
@@ -18,7 +18,7 @@ krb5_get_prompt_types - Get prompt types array from a context.
:return:
- - Pointer to an array of prompt types corresponding to the prompter's prompts arguments. Each type has one of the following values: #KRB5_PROMPT_TYPE_PASSWORD #KRB5_PROMPT_TYPE_NEW_PASSWORD #KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN #KRB5_PROMPT_TYPE_PREAUTH
+ - Pointer to an array of prompt types corresponding to the prompter's prompts arguments. Each type has one of the following values: KRB5_PROMPT_TYPE_PASSWORD KRB5_PROMPT_TYPE_NEW_PASSWORD KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN KRB5_PROMPT_TYPE_PREAUTH
..
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_init_context_profile.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_init_context_profile.rst.txt
index d92f0995af6e..3afab4fecf75 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_init_context_profile.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_init_context_profile.rst.txt
@@ -35,10 +35,10 @@ Create a context structure, optionally using a specified profile and initializat
- - #KRB5_INIT_CONTEXT_SECURE Ignore environment variables
+ - KRB5_INIT_CONTEXT_SECURE Ignore environment variables
- - #KRB5_INIT_CONTEXT_KDC Use KDC configuration if creating profile
+ - KRB5_INIT_CONTEXT_KDC Use KDC configuration if creating profile
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.rst.txt
index 4f4255104170..f4258e38832d 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.rst.txt
@@ -42,7 +42,7 @@ This function constructs the next KDC request in an initial credential exchange,
-If more requests are needed, *flags* will be set to #KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in *out* . If no more requests are needed, *flags* will not contain #KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and *out* will be empty.
+If more requests are needed, *flags* will be set to KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in *out* . If no more requests are needed, *flags* will not contain KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and *out* will be empty.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_k_make_checksum_iov.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_k_make_checksum_iov.rst.txt
index a25d8ec13510..3f4cb6b5f860 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_k_make_checksum_iov.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_k_make_checksum_iov.rst.txt
@@ -38,7 +38,7 @@ krb5_k_make_checksum_iov - Fill in a checksum element in IOV array (operates on
-Create a checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element over #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in *data* . Only the #KRB5_CRYPTO_TYPE_CHECKSUM region is modified.
+Create a checksum in the KRB5_CRYPTO_TYPE_CHECKSUM element over KRB5_CRYPTO_TYPE_DATA and KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in *data* . Only the KRB5_CRYPTO_TYPE_CHECKSUM region is modified.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_k_verify_checksum_iov.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_k_verify_checksum_iov.rst.txt
index af4cffee62c9..e364a76cbe0e 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_k_verify_checksum_iov.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_k_verify_checksum_iov.rst.txt
@@ -40,7 +40,7 @@ krb5_k_verify_checksum_iov - Validate a checksum element in IOV array (operates
-Confirm that the checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element is a valid checksum of the #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY regions in the iov.
+Confirm that the checksum in the KRB5_CRYPTO_TYPE_CHECKSUM element is a valid checksum of the KRB5_CRYPTO_TYPE_DATA and KRB5_CRYPTO_TYPE_SIGN_ONLY regions in the iov.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_ncred.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_ncred.rst.txt
index 7a074b6d2c04..e7e88aebc1e9 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_ncred.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_ncred.rst.txt
@@ -49,11 +49,11 @@ The local and remote addresses in *auth_context* are optional; if either is spec
-If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in *auth_context* , an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in *auth_context* , the timestamp used for the KRB-CRED message is stored in *rdata_out* .
+If the KRB5_AUTH_CONTEXT_DO_TIME flag is set in *auth_context* , an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If KRB5_AUTH_CONTEXT_DO_TIME is not set, no replay cache is used. If KRB5_AUTH_CONTEXT_RET_TIME is set in *auth_context* , the timestamp used for the KRB-CRED message is stored in *rdata_out* .
-If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the *auth_context* local sequence number is included in the KRB-CRED message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the sequence number used is stored in *rdata_out* .
+If either KRB5_AUTH_CONTEXT_DO_SEQUENCE or KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the *auth_context* local sequence number is included in the KRB-CRED message and then incremented. If KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the sequence number used is stored in *rdata_out* .
@@ -81,7 +81,7 @@ The message will be encrypted using the send subkey of *auth_context* if it is p
.. note::
- The *rdata_out* argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* .
+ The *rdata_out* argument is required if the KRB5_AUTH_CONTEXT_RET_TIME or KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* .
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_priv.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_priv.rst.txt
index 0d9922ecb2af..6046a9dbab4b 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_priv.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_priv.rst.txt
@@ -44,11 +44,11 @@ The local address in *auth_context* must be set, and is used to form the sender
-If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in *auth_context* , a timestamp is included in the KRB-PRIV message, and an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in *auth_context* , a timestamp is included in the KRB-PRIV message and is stored in *rdata_out* .
+If the KRB5_AUTH_CONTEXT_DO_TIME flag is set in *auth_context* , a timestamp is included in the KRB-PRIV message, and an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If KRB5_AUTH_CONTEXT_DO_TIME is not set, no replay cache is used. If KRB5_AUTH_CONTEXT_RET_TIME is set in *auth_context* , a timestamp is included in the KRB-PRIV message and is stored in *rdata_out* .
-If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the *auth_context* local sequence number is included in the KRB-PRIV message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the sequence number used is stored in *rdata_out* .
+If either KRB5_AUTH_CONTEXT_DO_SEQUENCE or KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the *auth_context* local sequence number is included in the KRB-PRIV message and then incremented. If KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the sequence number used is stored in *rdata_out* .
@@ -72,7 +72,7 @@ Use krb5_free_data_contents() to free *der_out* when it is no longer needed.
.. note::
- The *rdata_out* argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* .
+ The *rdata_out* argument is required if the KRB5_AUTH_CONTEXT_RET_TIME or KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* .
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_rep.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_rep.rst.txt
index 29091a1bf13c..4b94141039a9 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_rep.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_rep.rst.txt
@@ -36,7 +36,7 @@ This function fills in *outbuf* with an AP-REP message using information from *a
-If the flags in *auth_context* indicate that a sequence number should be used (either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE) and the local sequence number in *auth_context* is 0, a new number will be generated with krb5_generate_seq_number().
+If the flags in *auth_context* indicate that a sequence number should be used (either KRB5_AUTH_CONTEXT_DO_SEQUENCE or KRB5_AUTH_CONTEXT_RET_SEQUENCE) and the local sequence number in *auth_context* is 0, a new number will be generated with krb5_generate_seq_number().
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_req_extended.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_req_extended.rst.txt
index 532af9775589..d29a37616df6 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_req_extended.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_req_extended.rst.txt
@@ -40,13 +40,13 @@ krb5_mk_req_extended - Create a KRB_AP_REQ message using supplied credentials.
Valid *ap_req_options* are:
- - #AP_OPTS_USE_SESSION_KEY - Use the session key when creating the request used for user to user authentication.
+ - AP_OPTS_USE_SESSION_KEY - Use the session key when creating the request used for user to user authentication.
- - #AP_OPTS_MUTUAL_REQUIRED - Request a mutual authentication packet from the receiver.
+ - AP_OPTS_MUTUAL_REQUIRED - Request a mutual authentication packet from the receiver.
- - #AP_OPTS_USE_SUBKEY - Generate a subsession key from the current session key obtained from the credentials.
+ - AP_OPTS_USE_SUBKEY - Generate a subsession key from the current session key obtained from the credentials.
This function creates a KRB_AP_REQ message using supplied credentials *in_creds* . *auth_context* may point to an existing auth context or to NULL, in which case a new one will be created. If *in_data* is non-null, a checksum of it will be included in the authenticator contained in the KRB_AP_REQ message. Use krb5_free_data_contents() to free *outbuf* when it is no longer needed.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_safe.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_safe.rst.txt
index f9a67be4ee11..1526e7d4071e 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_safe.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_safe.rst.txt
@@ -48,11 +48,11 @@ The local address in *auth_context* must be set, and is used to form the sender
-If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in *auth_context* , a timestamp is included in the KRB-SAFE message, and an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in *auth_context* , a timestamp is included in the KRB-SAFE message and is stored in *rdata_out* .
+If the KRB5_AUTH_CONTEXT_DO_TIME flag is set in *auth_context* , a timestamp is included in the KRB-SAFE message, and an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If KRB5_AUTH_CONTEXT_DO_TIME is not set, no replay cache is used. If KRB5_AUTH_CONTEXT_RET_TIME is set in *auth_context* , a timestamp is included in the KRB-SAFE message and is stored in *rdata_out* .
-If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the *auth_context* local sequence number is included in the KRB-SAFE message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the sequence number used is stored in *rdata_out* .
+If either KRB5_AUTH_CONTEXT_DO_SEQUENCE or KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the *auth_context* local sequence number is included in the KRB-SAFE message and then incremented. If KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the sequence number used is stored in *rdata_out* .
@@ -76,7 +76,7 @@ Use krb5_free_data_contents() to free *der_out* when it is no longer needed.
.. note::
- The *rdata_out* argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* .
+ The *rdata_out* argument is required if the KRB5_AUTH_CONTEXT_RET_TIME or KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* .
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_pac_add_buffer.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_pac_add_buffer.rst.txt
index 4c153c2332b3..bfdcea7b78e9 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_pac_add_buffer.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_pac_add_buffer.rst.txt
@@ -40,25 +40,25 @@ This function adds a buffer of type *type* and contents *data* to *pac* if there
The valid values of *type* is one of the following:
- - #KRB5_PAC_LOGON_INFO - Logon information
+ - KRB5_PAC_LOGON_INFO - Logon information
- - #KRB5_PAC_CREDENTIALS_INFO - Credentials information
+ - KRB5_PAC_CREDENTIALS_INFO - Credentials information
- - #KRB5_PAC_SERVER_CHECKSUM - Server checksum
+ - KRB5_PAC_SERVER_CHECKSUM - Server checksum
- - #KRB5_PAC_PRIVSVR_CHECKSUM - KDC checksum
+ - KRB5_PAC_PRIVSVR_CHECKSUM - KDC checksum
- - #KRB5_PAC_CLIENT_INFO - Client name and ticket information
+ - KRB5_PAC_CLIENT_INFO - Client name and ticket information
- - #KRB5_PAC_DELEGATION_INFO - Constrained delegation information
+ - KRB5_PAC_DELEGATION_INFO - Constrained delegation information
- - #KRB5_PAC_UPN_DNS_INFO - User principal name and DNS information
+ - KRB5_PAC_UPN_DNS_INFO - User principal name and DNS information
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_parse_name_flags.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_parse_name_flags.rst.txt
index 68cbc7c53b91..af762ce29aad 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_parse_name_flags.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_parse_name_flags.rst.txt
@@ -43,16 +43,16 @@ Similar to krb5_parse_name(), this function converts a single-string representat
The following flags are valid:
- - #KRB5_PRINCIPAL_PARSE_NO_REALM - no realm must be present in *name*
+ - KRB5_PRINCIPAL_PARSE_NO_REALM - no realm must be present in *name*
- - #KRB5_PRINCIPAL_PARSE_REQUIRE_REALM - realm must be present in *name*
+ - KRB5_PRINCIPAL_PARSE_REQUIRE_REALM - realm must be present in *name*
- - #KRB5_PRINCIPAL_PARSE_ENTERPRISE - create single-component enterprise principal
+ - KRB5_PRINCIPAL_PARSE_ENTERPRISE - create single-component enterprise principal
- - #KRB5_PRINCIPAL_PARSE_IGNORE_REALM - ignore realm if present in *name*
+ - KRB5_PRINCIPAL_PARSE_IGNORE_REALM - ignore realm if present in *name*
If **KRB5_PRINCIPAL_PARSE_NO_REALM** or **KRB5_PRINCIPAL_PARSE_IGNORE_REALM** is specified in *flags* , the realm of the new principal will be empty. Otherwise, the default realm for *context* will be used if *name* does not specify a realm.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_principal_compare_flags.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_principal_compare_flags.rst.txt
index df8fc5bdbf7d..d384ea103cd3 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_principal_compare_flags.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_principal_compare_flags.rst.txt
@@ -36,16 +36,16 @@ krb5_principal_compare_flags - Compare two principals with additional flags.
Valid flags are:
- - #KRB5_PRINCIPAL_COMPARE_IGNORE_REALM - ignore realm component
+ - KRB5_PRINCIPAL_COMPARE_IGNORE_REALM - ignore realm component
- - #KRB5_PRINCIPAL_COMPARE_ENTERPRISE - UPNs as real principals
+ - KRB5_PRINCIPAL_COMPARE_ENTERPRISE - UPNs as real principals
- - #KRB5_PRINCIPAL_COMPARE_CASEFOLD case-insensitive
+ - KRB5_PRINCIPAL_COMPARE_CASEFOLD case-insensitive
- - #KRB5_PRINCIPAL_COMPARE_UTF8 - treat principals as UTF-8
+ - KRB5_PRINCIPAL_COMPARE_UTF8 - treat principals as UTF-8
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_cred.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_cred.rst.txt
index 556a26047162..e36cfd459b05 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_cred.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_cred.rst.txt
@@ -60,7 +60,7 @@ Use krb5_free_tgt_creds() to free *creds_out* when it is no longer needed.
.. note::
- The *rdata_out* argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* .`
+ The *rdata_out* argument is required if the KRB5_AUTH_CONTEXT_RET_TIME or KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* .`
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_priv.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_priv.rst.txt
index f2690f41eadc..0fd56df8f2a9 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_priv.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_priv.rst.txt
@@ -44,11 +44,11 @@ If *auth_context* has a remote address set, the address will be used to verify t
-If the #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in *auth_context* , the sequence number of the KRB-PRIV message is checked against the remote sequence number field of *auth_context* . Otherwise, the sequence number is not used.
+If the KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in *auth_context* , the sequence number of the KRB-PRIV message is checked against the remote sequence number field of *auth_context* . Otherwise, the sequence number is not used.
-If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in *auth_context* , then the timestamp in the message is verified to be within the permitted clock skew of the current time, and the message is checked against an in-memory replay cache to detect reflections or replays.
+If the KRB5_AUTH_CONTEXT_DO_TIME flag is set in *auth_context* , then the timestamp in the message is verified to be within the permitted clock skew of the current time, and the message is checked against an in-memory replay cache to detect reflections or replays.
@@ -72,7 +72,7 @@ Use krb5_free_data_contents() to free *userdata_out* when it is no longer needed
.. note::
- The *rdata_out* argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* .
+ The *rdata_out* argument is required if the KRB5_AUTH_CONTEXT_RET_TIME or KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* .
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_req.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_req.rst.txt
index e5b9d73cc5d1..6a52fa16abb6 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_req.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_req.rst.txt
@@ -82,7 +82,7 @@ Various other checks are performed on the decoded data, including cross-realm po
-On success the authenticator, subkey, and remote sequence number of the request are stored in *auth_context* . If the #AP_OPTS_MUTUAL_REQUIRED bit is set, the local sequence number is XORed with the remote sequence number in the request.
+On success the authenticator, subkey, and remote sequence number of the request are stored in *auth_context* . If the AP_OPTS_MUTUAL_REQUIRED bit is set, the local sequence number is XORed with the remote sequence number in the request.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_safe.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_safe.rst.txt
index 5166c5501de6..4cf2307cdc80 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_safe.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_safe.rst.txt
@@ -44,11 +44,11 @@ If *auth_context* has a remote address set, the address will be used to verify t
-If the #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in *auth_context* , the sequence number of the KRB-SAFE message is checked against the remote sequence number field of *auth_context* . Otherwise, the sequence number is not used.
+If the KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in *auth_context* , the sequence number of the KRB-SAFE message is checked against the remote sequence number field of *auth_context* . Otherwise, the sequence number is not used.
-If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in *auth_context* , then the timestamp in the message is verified to be within the permitted clock skew of the current time, and the message is checked against an in-memory replay cache to detect reflections or replays.
+If the KRB5_AUTH_CONTEXT_DO_TIME flag is set in *auth_context* , then the timestamp in the message is verified to be within the permitted clock skew of the current time, and the message is checked against an in-memory replay cache to detect reflections or replays.
@@ -72,7 +72,7 @@ Use krb5_free_data_contents() to free *userdata_out* when it is no longer needed
.. note::
- The *rdata_out* argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* .
+ The *rdata_out* argument is required if the KRB5_AUTH_CONTEXT_RET_TIME or KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* .
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_sendauth.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_sendauth.rst.txt
index 40ef384b5bfe..b1059b09e920 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_sendauth.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_sendauth.rst.txt
@@ -32,7 +32,7 @@ krb5_sendauth - Client function for sendauth protocol.
**[out]** **error** - If non-null, contains KRB_ERROR message returned from server
- **[out]** **rep_result** - If non-null and *ap_req_options* is #AP_OPTS_MUTUAL_REQUIRED, contains the result of mutual authentication exchange
+ **[out]** **rep_result** - If non-null and *ap_req_options* is AP_OPTS_MUTUAL_REQUIRED, contains the result of mutual authentication exchange
**[out]** **out_creds** - If non-null, the retrieved credentials
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_set_password.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_set_password.rst.txt
index ff80c966ad41..3e7ef2ce64f0 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_set_password.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_set_password.rst.txt
@@ -29,7 +29,7 @@ krb5_set_password - Set a password for a principal using specified credentials.
:retval:
- - 0 Success and result_code is set to #KRB5_KPASSWD_SUCCESS.
+ - 0 Success and result_code is set to KRB5_KPASSWD_SUCCESS.
:return:
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_sname_match.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_sname_match.rst.txt
index c37500068263..21785890f667 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_sname_match.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_sname_match.rst.txt
@@ -32,7 +32,7 @@ krb5_sname_match - Test whether a principal matches a matching principal.
-If *matching* is NULL, return TRUE. If *matching* is not a matching principal, return the value of krb5_principal_compare(context, matching, princ).
+If *matching* is NULL, return TRUE. If *matching* is not a matching principal, return the value of krb5_principal_compare(context, matching,princ).
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_sname_to_principal.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_sname_to_principal.rst.txt
index 6dd15ddbb338..f6e167995bee 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_sname_to_principal.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_sname_to_principal.rst.txt
@@ -49,11 +49,11 @@ The *type* can be one of the following:
- - #KRB5_NT_SRV_HST canonicalizes the host name before looking up the realm and generating the principal.
+ - KRB5_NT_SRV_HST canonicalizes the host name before looking up the realm and generating the principal.
- - #KRB5_NT_UNKNOWN accepts the hostname as given, and does not canonicalize it.
+ - KRB5_NT_UNKNOWN accepts the hostname as given, and does not canonicalize it.
Use krb5_free_principal to free *ret_princ* when it is no longer needed.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_step.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_step.rst.txt
index 919f47c7770e..53759557ee3b 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_step.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_step.rst.txt
@@ -42,7 +42,7 @@ This function constructs the next KDC request for a TGS exchange, allowing the c
-If more requests are needed, *flags* will be set to #KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in *out* . If no more requests are needed, *flags* will not contain #KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and *out* will be empty.
+If more requests are needed, *flags* will be set to KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in *out* . If no more requests are needed, *flags* will not contain KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and *out* will be empty.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_unparse_name_flags.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_unparse_name_flags.rst.txt
index dce935314128..6ae0b40f9718 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_unparse_name_flags.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_unparse_name_flags.rst.txt
@@ -43,13 +43,13 @@ Similar to krb5_unparse_name(), this function converts a krb5_principal structur
The following flags are valid:
- - #KRB5_PRINCIPAL_UNPARSE_SHORT - omit realm if it is the local realm
+ - KRB5_PRINCIPAL_UNPARSE_SHORT - omit realm if it is the local realm
- - #KRB5_PRINCIPAL_UNPARSE_NO_REALM - omit realm
+ - KRB5_PRINCIPAL_UNPARSE_NO_REALM - omit realm
- - #KRB5_PRINCIPAL_UNPARSE_DISPLAY - do not quote special characters
+ - KRB5_PRINCIPAL_UNPARSE_DISPLAY - do not quote special characters
Use krb5_free_unparsed_name() to free *name* when it is no longer needed.
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/macros/ADDRTYPE_DIRECTIONAL.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/macros/ADDRTYPE_DIRECTIONAL.rst.txt
new file mode 100644
index 000000000000..678730ab5529
--- /dev/null
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/macros/ADDRTYPE_DIRECTIONAL.rst.txt
@@ -0,0 +1,17 @@
+.. highlight:: c
+
+.. _ADDRTYPE-DIRECTIONAL-data:
+
+ADDRTYPE_DIRECTIONAL
+====================
+
+..
+.. data:: ADDRTYPE_DIRECTIONAL
+..
+
+
+
+
+=========================== ======================
+``ADDRTYPE_DIRECTIONAL`` ``0x0003``
+=========================== ======================
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/macros/ADDRTYPE_UNIXSOCK.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/macros/ADDRTYPE_UNIXSOCK.rst.txt
new file mode 100644
index 000000000000..052f6cf49adb
--- /dev/null
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/macros/ADDRTYPE_UNIXSOCK.rst.txt
@@ -0,0 +1,17 @@
+.. highlight:: c
+
+.. _ADDRTYPE-UNIXSOCK-data:
+
+ADDRTYPE_UNIXSOCK
+=================
+
+..
+.. data:: ADDRTYPE_UNIXSOCK
+..
+
+
+
+
+======================== ======================
+``ADDRTYPE_UNIXSOCK`` ``(0x8000 | 0x0001)``
+======================== ======================
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/macros/AP_OPTS_CBT_FLAG.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/macros/AP_OPTS_CBT_FLAG.rst.txt
new file mode 100644
index 000000000000..e056aeac383b
--- /dev/null
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/macros/AP_OPTS_CBT_FLAG.rst.txt
@@ -0,0 +1,17 @@
+.. highlight:: c
+
+.. _AP-OPTS-CBT-FLAG-data:
+
+AP_OPTS_CBT_FLAG
+================
+
+..
+.. data:: AP_OPTS_CBT_FLAG
+..
+
+
+
+
+======================= ======================
+``AP_OPTS_CBT_FLAG`` ``0x00000004 /* include KERB_AP_OPTIONS_CBT */``
+======================= ======================
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FINISHED.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FINISHED.rst.txt
new file mode 100644
index 000000000000..d074e040f001
--- /dev/null
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FINISHED.rst.txt
@@ -0,0 +1,17 @@
+.. highlight:: c
+
+.. _KRB5-KEYUSAGE-FINISHED-data:
+
+KRB5_KEYUSAGE_FINISHED
+======================
+
+..
+.. data:: KRB5_KEYUSAGE_FINISHED
+..
+
+
+
+
+============================= ======================
+``KRB5_KEYUSAGE_FINISHED`` ``41``
+============================= ======================
diff --git a/crypto/krb5/doc/html/_sources/appdev/refs/macros/index.rst.txt b/crypto/krb5/doc/html/_sources/appdev/refs/macros/index.rst.txt
index 45fe160d7fb1..c1bda5c6c417 100644
--- a/crypto/krb5/doc/html/_sources/appdev/refs/macros/index.rst.txt
+++ b/crypto/krb5/doc/html/_sources/appdev/refs/macros/index.rst.txt
@@ -9,6 +9,7 @@ Public
ADDRTYPE_ADDRPORT.rst
ADDRTYPE_CHAOS.rst
+ ADDRTYPE_DIRECTIONAL.rst
ADDRTYPE_DDP.rst
ADDRTYPE_INET.rst
ADDRTYPE_INET6.rst
@@ -17,11 +18,13 @@ Public
ADDRTYPE_IS_LOCAL.rst
ADDRTYPE_NETBIOS.rst
ADDRTYPE_XNS.rst
+ ADDRTYPE_UNIXSOCK.rst
AD_TYPE_EXTERNAL.rst
AD_TYPE_FIELD_TYPE_MASK.rst
AD_TYPE_REGISTERED.rst
AD_TYPE_RESERVED.rst
AP_OPTS_ETYPE_NEGOTIATION.rst
+ AP_OPTS_CBT_FLAG.rst
AP_OPTS_MUTUAL_REQUIRED.rst
AP_OPTS_RESERVED.rst
AP_OPTS_USE_SESSION_KEY.rst
@@ -177,6 +180,7 @@ Public
KRB5_KEYUSAGE_GSS_TOK_MIC.rst
KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.rst
KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.rst
+ KRB5_KEYUSAGE_FINISHED.rst
KRB5_KEYUSAGE_IAKERB_FINISHED.rst
KRB5_KEYUSAGE_KDC_REP_TICKET.rst
KRB5_KEYUSAGE_KRB_CRED_ENCPART.rst
diff --git a/crypto/krb5/doc/html/_sources/build/options2configure.rst.txt b/crypto/krb5/doc/html/_sources/build/options2configure.rst.txt
index e879b18bd2ef..98e02ba3e96e 100644
--- a/crypto/krb5/doc/html/_sources/build/options2configure.rst.txt
+++ b/crypto/krb5/doc/html/_sources/build/options2configure.rst.txt
@@ -284,6 +284,9 @@ Optional features
given, it controls the -fsanitize compilation flag value (the
default is "address").
+**-**\ **-enable-ossfuzz**
+ Enable building fuzzing targets with OSS-Fuzz build support.
+
Optional packages
-----------------
diff --git a/crypto/krb5/doc/html/_sources/copyright.rst.txt b/crypto/krb5/doc/html/_sources/copyright.rst.txt
index 85ecebece00f..da8e62cc2a83 100644
--- a/crypto/krb5/doc/html/_sources/copyright.rst.txt
+++ b/crypto/krb5/doc/html/_sources/copyright.rst.txt
@@ -1,7 +1,7 @@
Copyright
=========
-Copyright |copy| 1985-2024 by the Massachusetts Institute of
+Copyright |copy| 1985-2025 by the Massachusetts Institute of
Technology and its contributors. All rights reserved.
See :ref:`mitK5license` for additional copyright and license
diff --git a/crypto/krb5/doc/html/_sources/formats/cookie.rst.txt b/crypto/krb5/doc/html/_sources/formats/cookie.rst.txt
index e32365daa6f2..3c7d0b03cf3c 100644
--- a/crypto/krb5/doc/html/_sources/formats/cookie.rst.txt
+++ b/crypto/krb5/doc/html/_sources/formats/cookie.rst.txt
@@ -1,3 +1,5 @@
+.. highlight:: abnf
+
KDC cookie format
=================
@@ -42,7 +44,9 @@ principal name with realm, marshalled according to :rfc:`1964` section
2.1.1.
The plain text of the encrypted part of a cookie is the DER encoding
-of the following ASN.1 type::
+of the following ASN.1 type:
+
+.. code-block:: bnf
SecureCookie ::= SEQUENCE {
time INTEGER,
@@ -63,17 +67,27 @@ SPAKE cookie format (version 1)
-------------------------------
Inside the SecureCookie wrapper, a data value of type 151 contains
-state for SPAKE pre-authentication. This data is the concatenation of
-the following:
-
-* a two-byte big-endian version number with the value 1
-* a two-byte big-endian stage number
-* a four-byte big-endian group number
-* a four-byte big-endian length and data for the SPAKE value
-* a four-byte big-endian length and data for the transcript hash
-* zero or more second factor records, each consisting of:
- - a four-byte big-endian second-factor type
- - a four-byte big-endian length and data
+state for SPAKE pre-authentication. This data has the following
+binary format with big-endian integer encoding:
+
+.. code-block:: bnf
+
+ cookie ::=
+ version (16 bits) [with the value 1]
+ stage number (16 bits)
+ group number (32 bits)
+ SPAKE value length (32 bits)
+ SPAKE value
+ transcript hash length (32 bits)
+ transcript hash
+ second factor record 1 (factor-record)
+ second factor record 2 (factor-record)
+ ...
+
+ factor-record ::=
+ second factor type (32 bits)
+ second factor data length (32 bits)
+ second factor data
The stage value is 0 if the cookie was sent with a challenge message.
Otherwise it is 1 for the first encdata message sent by the KDC during
diff --git a/crypto/krb5/doc/html/_sources/formats/database_formats.rst.txt b/crypto/krb5/doc/html/_sources/formats/database_formats.rst.txt
new file mode 100644
index 000000000000..fca5979c1f00
--- /dev/null
+++ b/crypto/krb5/doc/html/_sources/formats/database_formats.rst.txt
@@ -0,0 +1,459 @@
+Kerberos Database (KDB) Formats
+===============================
+
+Dump format
+-----------
+
+Files created with the :ref:`kdb5_util(8)` **dump** command begin with
+a versioned header "kdb5_util load_dump version 7". This version has
+been in use since MIT krb5 release 1.11; some previous versions are
+supported but are not described here.
+
+Each subsequent line of the dump file contains one or more
+tab-separated fields describing either a principal entry or a policy
+entry. The fields of a principal entry line are:
+
+* the word "princ"
+* the string "38" (this was originally a length field)
+* the length of the principal name in string form
+* the decimal number of tag-length data elements
+* the decimal number of key-data elements
+* the string "0" (this was originally an extension length field)
+* the principal name in string form
+* the principal attributes as a decimal number; when converted to
+ binary, the bits from least significant to most significant are:
+
+ - disallow_postdated
+ - disallow_forwardable
+ - disallow_tgt_based
+ - disallow_renewable
+ - disallow_proxiable
+ - disallow_dup_skey
+ - disallow_all_tix
+ - requires_preauth
+ - requires_hwauth
+ - requires_pwchange
+ - disallow_svr
+ - pwchange_service
+ - support_desmd5
+ - new_princ
+ - ok_as_delegate
+ - ok_to_auth_as_delegate
+ - no_auth_data_required
+ - lockdown_keys
+
+* the maximum ticket lifetime, as a decimal number of seconds
+* the maximum renewable ticket lifetime, as a decimal number of seconds
+* the principal expiration time, as a decimal POSIX timestamp
+* the password expiration time, as a decimal POSIX timestamp
+* the last successful authentication time, as a decimal POSIX
+ timestamp
+* the last failed authentication time, as a decimal POSIX timestamp
+* the decimal number of failed authentications since the last
+ successful authentication time
+* for each tag-length data value:
+
+ - the tag value in decimal
+ - the length in decimal
+ - the data as a lowercase hexadecimal byte string, or "-1" if the length is 0
+
+* for each key-data element:
+
+ - the string "2" if this element has non-normal salt type, "1"
+ otherwise
+ - the key version number of this element
+ - the encryption type
+ - the length of the encrypted key value
+ - the encrypted key as a lowercase hexadecimal byte string
+ - if this element has non-normal salt type:
+
+ - the salt type
+ - the length of the salt data
+ - the salt data as a lowercase hexadecimal byte string, or the
+ string "-1" if the salt data length is 0
+
+* the string "-1;" (this was originally an extension field)
+
+The fields of a policy entry line are:
+
+* the string "policy"
+* the policy name
+* the minimum password lifetime as a decimal number of seconds
+* the maximum password lifetime as a decimal number of seconds
+* the minimum password length, in decimal
+* the minimum number of character classes, in decimal
+* the number of historical keys to be stored, in decimal
+* the policy reference count (no longer used)
+* the maximum number of failed authentications before lockout
+* the time interval after which the failed authentication count is
+ reset, as a decimal number of seconds
+* the lockout duration, as a decimal number of seconds
+* the required principal attributes, in decimal (currently unenforced)
+* the maximum ticket lifetime as a decimal number of seconds
+ (currently unenforced)
+* the maximum renewable lifetime as a decimal number of seconds
+ (currently unenforced)
+* the allowed key/salt types, or "-" if unrestricted
+* the number of tag-length values
+* for each tag-length data value:
+
+ - the tag value in decimal
+ - the length in decimal
+ - the data as a lowercase hexadecimal byte string, or "-1" if the
+ length is 0
+
+
+Tag-length data formats
+-----------------------
+
+The currently defined tag-length data types are:
+
+* (1) last password change: a four-byte little-endian POSIX timestamp
+ giving the last password change time
+* (2) last modification data: a four-byte little-endian POSIX
+ timestamp followed by a zero-terminated principal name in string
+ form, giving the time of the last principal change and the principal
+ who performed it
+* (3) kadmin data: the XDR encoding of a per-principal kadmin data
+ record (see below)
+* (8) master key version: a two-byte little-endian integer containing
+ the master key version used to encrypt this principal's key data
+* (9) active kvno: see below
+* (10) master key auxiliary data: see below
+* (11) string attributes: one or more iterations of a zero-terminated
+ string key followed by a zero-terminated string value
+* (12) alias target principal: a zero-terminated principal name in
+ string form
+* (255) LDAP object information: see below
+* (768) referral padata: a DER-encoded PA-SVR-REFERRAL-DATA to be sent
+ to a TGS-REQ client within encrypted padata (see Appendix A of
+ :rfc:`1606`)
+* (1792) last admin unlock: a four-byte little-endian POSIX timestamp
+ giving the time of the last administrative account unlock
+* (32767) database arguments: a zero-terminated key=value string (may
+ appear multiple times); used by the kadmin protocol to
+ communicate -x arguments to kadmind
+
+Per-principal kadmin data
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Per-principal kadmin data records use a modified XDR encoding of the
+kadmin_data type defined as follows:
+
+.. code-block:: c
+
+ struct key_data {
+ int numfields;
+ unsigned int kvno;
+ int enctype;
+ int salttype;
+ unsigned int keylen;
+ unsigned int saltlen;
+ opaque key<>;
+ opaque salt<>;
+ };
+
+ struct hist_entry {
+ key_data keys<>;
+ };
+
+ struct kadmin_data {
+ int version_number;
+ nullstring policy;
+ int aux_attributes;
+ unsigned int old_key_next;
+ unsigned int admin_history_kvno;
+ hist_entry old_keysets<>;
+ };
+
+The type "nullstring" uses a custom string encoder where the length
+field is zero or the string length plus one; a length of zero
+indicates that no policy object is specified for the principal. The
+field "version_number" contains 0x12345C01. The aux_attributes field
+contains the bit 0x800 if a policy object is associated with the
+principal.
+
+Within a key_data record, numfields is 2 if the key data has
+non-normal salt type, 1 otherwise.
+
+Active kvno and master key auxiliary data
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+These types only appear in the entry of the master key principal
+(K/M). They use little-endian binary integer encoding.
+
+The active kvno table determines which master key version is active
+for a given timestamp. It uses the following binary format:
+
+.. code-block:: bnf
+
+ active-key-version-table ::=
+ version (16 bits) [with the value 1]
+ version entry 1 (key-version-entry)
+ version entry 2 (key-version-entry)
+ ...
+
+ key-version-entry ::=
+ key version (16 bits)
+ timestamp (32 bits) [when this key version becomes active]
+
+The master key auxiliary data record contains copies of the current
+master key encrypted in each older master key. It uses the following
+binary format:
+
+.. code-block:: bnf
+
+ master-key-aux ::=
+ version (16 bits) [with the value 1]
+ key entry 1 (key-entry)
+ key entry 2 (key-entry)
+ ...
+
+ key-entry ::=
+ old master key version (16 bits)
+ latest master key version (16 bits)
+ latest master key encryption type (16 bits)
+ encrypted key length (16 bits)
+ encrypted key contents
+
+LDAP object information
+~~~~~~~~~~~~~~~~~~~~~~~
+
+This type appears in principal entries retrieved with the LDAP KDB
+module. The value uses the following binary format, using big-endian
+integer encoding:
+
+.. code-block:: bnf
+
+ ldap-principal-data ::=
+ record 1 (ldap-tl-data)
+ record 2 (ldap-tl-data)
+ ...
+
+ ldap-tl-data ::=
+ type (8 bits)
+ length (16 bits)
+ data
+
+The currently defined ldap-tl-data types are (all integers are
+big-endian):
+
+* (1) principal type: 16 bits containing the value 1, indicating that
+ the LDAP object containing the principal entry is a standalone
+ principal object
+* (2) principal count: 16 bits containing the number of
+ krbPrincipalName values in the LDAP object
+* (3) user DN: the string representation of the distinguished name of
+ the LDAP object
+* (5) attribute mask: 16 bits indicating which Kerberos-specific LDAP
+ attributes are present in the LDAP object (see below)
+* (7) link DN: the string representation of the distinguished name of
+ an LDAP object this object is linked to; may appear multiple times
+
+When converted to binary, the attribute mask bits, from least
+significant to most significant, correspond to the following LDAP
+attributes:
+
+* krbMaxTicketLife
+* krbMaxRenewableAge
+* krbTicketFlags
+* krbPrincipalExpiration
+* krbTicketPolicyReference
+* krbPrincipalAuthInd
+* krbPwdPolicyReference
+* krbPasswordExpiration
+* krbPrincipalKey
+* krbLastPwdChange
+* krbExtraData
+* krbLastSuccessfulAuth
+* krbLastFailedAuth
+* krbLoginFailedCount
+* krbLastAdminUnlock
+* krbPwdHistory
+
+
+Alias principal entries
+-----------------------
+
+To allow aliases to be represented in dump files and within the
+incremental update protocol, the krb5 database library supports the
+concept of an alias principal entry. An alias principal entry
+contains an alias target principal in its tag-length data, has its
+attributes set to disallow_all_tix, and has zero or empty values for
+all other fields. The database glue library recognizes alias entries
+and iteratively looks up the alias target up to a depth of 10 chained
+aliases. (Added in release 1.22.)
+
+
+DB2 principal and policy formats
+--------------------------------
+
+The DB2 KDB module uses the string form of a principal name, with zero
+terminator, as a lookup key for principal entries. Principal entry
+values use the following binary format with little-endian integer
+encoding:
+
+.. code-block:: bnf
+
+ db2-principal-entry ::=
+ len (16 bits) [always has the value 38]
+ attributes (32 bits)
+ max ticket lifetime (32 bits)
+ max renewable lifetime (32 bits)
+ principal expiration timestamp (32 bits)
+ password expiration timestamp (32 bits)
+ last successful authentication timestamp (32 bits)
+ last failed authentication timestamp (32 bits)
+ failed authentication counter (32 bits)
+ number of tag-length elements (16 bits)
+ number of key-data elements (16 bits)
+ length of string-form principal with zero terminator (16 bits)
+ string-form principal with zero terminator
+ tag-length entry 1 (tag-length-data)
+ tag-length entry 2 (tag-length-data)
+ ...
+ key-data entry 1 (key-data)
+ key-data entry 2 (key-data)
+ ...
+
+ tag-length-data ::=
+ type tag (16 bits)
+ data length (16 bits)
+ data
+
+ key-data ::=
+ salt indicator (16 bits) [1 for default salt, 2 otherwise]
+ key version (16 bits)
+ encryption type (16 bits)
+ encrypted key length (16 bits)
+ encrypted key
+ salt type (16 bits) [omitted if salt indicator is 1]
+ salt data length (16 bits) [omitted if salt indicator is 1]
+ salt data [omitted if salt indicator is 1]
+
+DB2 policy entries reside in a separate database file. The lookup key
+is the policy name with zero terminator. Policy entry values use a
+modified XDR encoding of the policy type defined as follows:
+
+.. code-block:: c
+
+ struct tl_data {
+ int type;
+ opaque data<>;
+ tl_data *next;
+ };
+
+ struct policy {
+ int version_number;
+ unsigned int min_life;
+ unsigned int max_pw_life;
+ unsigned int min_length;
+ unsigned int min_classes;
+ unsigned int history_num;
+ unsigned int refcount;
+ unsigned int max_fail;
+ unsigned int failcount_interval;
+ unsigned int lockout_duration;
+ unsigned int attributes;
+ unsigned int max_ticket_life;
+ unsigned int max_renewable_life;
+ nullstring allowed_keysalts;
+ int n_tl_data;
+ tl_data *tag_length_data;
+ };
+
+The type "nullstring" uses the same custom encoder as in the
+per-principal kadmin data.
+
+The field "version_number" contains 0x12345D01, 0x12345D02, or
+0x12345D03 for versions 1, 2, and 3 respectively. Versions 1 and 2
+omit the fields "attributes" through "tag_length_data". Version 1
+also omits the fields "max_fail" through "lockout_duration". Encoding
+uses the lowest version that can represent the policy entry.
+
+The field "refcount" is no longer used and its value is ignored.
+
+
+LMDB principal and policy formats
+---------------------------------
+
+In the LMDB KDB module, principal entries are stored in the
+"principal" database within the main LMDB environment (typically named
+"principal.mdb"), with the exception of lockout-related fields which
+are stored in the "lockout" table of the lockout LMDB environment
+(typically named "principal.lockout.mdb"). For both databases the key
+is the principal name in string form, with no zero terminator. Values
+in the "principal" database use the following binary format with
+little-endian integer encoding:
+
+.. code-block:: bnf
+
+ lmdb-principal-entry ::=
+ attributes (32 bits)
+ max ticket lifetime (32 bits)
+ max renewable lifetime (32 bits)
+ principal expiration timestamp (32 bits)
+ password expiration timestamp (32 bits)
+ number of tag-length elements (16 bits)
+ number of key-data elements (16 bits)
+ tag-length entry 1 (tag-length-data)
+ tag-length entry 2 (tag-length-data)
+ ...
+ key-data entry 1 (key-data)
+ key-data entry 2 (key-data)
+ ...
+
+ tag-length-data ::=
+ type tag (16 bits)
+ data length (16 bits)
+ data value
+
+ key-data ::=
+ salt indicator (16 bits) [1 for default salt, 2 otherwise]
+ key version (16 bits)
+ encryption type (16 bits)
+ encrypted key length (16 bits)
+ encrypted key
+ salt type (16 bits) [omitted if salt indicator is 1]
+ salt data length (16 bits) [omitted if salt indicator is 1]
+ salt data [omitted if salt indicator is 1]
+
+Values in the "lockout" database have the following binary format with
+little-endian integer encoding:
+
+.. code-block:: bnf
+
+ lmdb-lockout-entry ::=
+ last successful authentication timestamp (32 bits)
+ last failed authentication timestamp (32 bits)
+ failed authentication counter (32 bits)
+
+In the "policy" database, the lookup key is the policy name with no
+zero terminator. Values in this database use the following binary
+format with little-endian integer encoding:
+
+.. code-block:: bnf
+
+ lmdb-policy-entry ::=
+ minimum password lifetime (32 bits)
+ maximum password lifetime (32 bits)
+ minimum password length (32 bits)
+ minimum character classes (32 bits)
+ number of historical keys (32 bits)
+ maximum failed authentications before lockout (32 bits)
+ time interval to reset failed authentication counter (32 bits)
+ lockout duration (32 bits)
+ required principal attributes (32 bits) [currently unenforced]
+ maximum ticket lifetime (32 bits) [currently unenforced]
+ maximum renewable lifetime (32 bits) [currently unenforced]
+ allowed key/salt type specification length [32 bits]
+ allowed key/salt type specification
+ number of tag-length values (16 bits)
+ tag-length entry 1 (tag-length-data)
+ tag-length entry 2 (tag-length-data)
+ ...
+
+ tag-length-data ::=
+ type tag (16 bits)
+ data length (16 bits)
+ data value
diff --git a/crypto/krb5/doc/html/_sources/formats/index.rst.txt b/crypto/krb5/doc/html/_sources/formats/index.rst.txt
index 47dea12fcf6b..819b839de8aa 100644
--- a/crypto/krb5/doc/html/_sources/formats/index.rst.txt
+++ b/crypto/krb5/doc/html/_sources/formats/index.rst.txt
@@ -9,3 +9,4 @@ Protocols and file formats
rcache_file_format
cookie
freshness_token
+ database_formats
diff --git a/crypto/krb5/doc/html/_sources/mitK5features.rst.txt b/crypto/krb5/doc/html/_sources/mitK5features.rst.txt
index 10effcf175cf..e260e8e08343 100644
--- a/crypto/krb5/doc/html/_sources/mitK5features.rst.txt
+++ b/crypto/krb5/doc/html/_sources/mitK5features.rst.txt
@@ -19,8 +19,8 @@ Quick facts
License - :ref:`mitK5license`
Releases:
- - Latest stable: https://web.mit.edu/kerberos/krb5-1.20/
- - Supported: https://web.mit.edu/kerberos/krb5-1.19/
+ - Latest stable: https://web.mit.edu/kerberos/krb5-1.22/
+ - Supported: https://web.mit.edu/kerberos/krb5-1.21/
- Release cycle: approximately 12 months
Supported platforms \/ OS distributions:
@@ -685,6 +685,69 @@ Release 1.21
- Improved the test framework's detection of memory errors in daemon
processes when used with asan.
+Release 1.22
+
+* User experience:
+
+ - The libdefaults configuration variable "request_timeout" can be
+ set to limit the total timeout for KDC requests. When making a
+ KDC request, the client will now wait indefinitely (or until the
+ request timeout has elapsed) on a KDC which accepts a TCP
+ connection, without contacting any additional KDCs. Clients will
+ make fewer DNS queries in some configurations.
+
+ - The realm configuration variable "sitename" can be set to cause
+ the client to query site-specific DNS records when making KDC
+ requests.
+
+* Administrator experience:
+
+ - Principal aliases are supported in the DB2 and LMDB KDB modules
+ and in the kadmin protocol. (The LDAP KDB module has supported
+ aliases since release 1.7.)
+
+ - UNIX domain sockets are supported for the Kerberos and kpasswd
+ protocols.
+
+ - systemd socket activation is supported for krb5kdc and kadmind.
+
+* Developer experience:
+
+ - KDB modules can be be implemented in terms of other modules using
+ the new krb5_db_load_module() function.
+
+ - The profile library supports the modification of empty profiles
+ and the copying of modified profiles, making it possible to
+ construct an in-memory profile and pass it to
+ krb5_init_context_profile().
+
+ - GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to
+ gss_init_sec_context() to request strict enforcement of channel
+ bindings by the acceptor.
+
+* Protocol evolution:
+
+ - The PKINIT preauth module supports elliptic curve client
+ certificates, ECDH key exchange, and the Microsoft paChecksum2
+ field.
+
+ - The IAKERB implementation has been changed to comply with the most
+ recent draft standard and to support realm discovery.
+
+ - Message-Authenticator is supported in the RADIUS implementation
+ used by the OTP kdcpreauth module.
+
+* Code quality:
+
+ - Removed old-style function declarations, to accomodate compilers
+ which have removed support for them.
+
+ - Added OSS-Fuzz to the project's continuous integration
+ infrastructure.
+
+ - Rewrote the GSS per-message token parsing code for improved
+ safety.
+
`Pre-authentication mechanisms`
- PW-SALT :rfc:`4120#section-5.2.7.3`
diff --git a/crypto/krb5/doc/html/_sources/user/user_commands/kinit.rst.txt b/crypto/krb5/doc/html/_sources/user/user_commands/kinit.rst.txt
index 5b105e35a5ae..d947e83cc637 100644
--- a/crypto/krb5/doc/html/_sources/user/user_commands/kinit.rst.txt
+++ b/crypto/krb5/doc/html/_sources/user/user_commands/kinit.rst.txt
@@ -193,10 +193,6 @@ OPTIONS
**X509_anchors**\ =\ *value*
specify where to find trusted X509 anchor information
- **flag_RSA_PROTOCOL**\ [**=yes**]
- specify use of RSA, rather than the default Diffie-Hellman
- protocol
-
**disable_freshness**\ [**=yes**]
disable sending freshness tokens (for testing purposes only)