summaryrefslogtreecommitdiffstats
path: root/src/kdc/fast_util.c
Commit message (Collapse)AuthorAgeFilesLines
* Support FAST hide-client-names optionGreg Hudson2013-09-031-0/+6
| | | | | | | | In the KDC, if we see the hide-client-names option, identify the client as the anonymous principal in KDC-REP and KRB-ERROR responses. The actual client name is present in encrypted FAST elements. ticket: 7700 (new)
* Set msg_type when decoding FAST requestsGreg Hudson2013-04-131-0/+1
| | | | | | | | | | | | An RFC 6113 KrbFastReq contains a padata sequence and a KDC-REQ-BODY, neither of which contain the msg-type field found in a KDC-REQ. So when we decode the FAST request, the resulting krb5_kdc_req structure has a msg_type of 0. Copy msg_type from the outer body, since we make use of it in further KDC processing. ticket: 7605 (new) target_version: 1.11.3 tags: pullup
* Add and use k5memdup, k5memdup0 helpersGreg Hudson2013-02-091-7/+4
| | | | | | Add k5-int.h static functions to duplicate byte ranges, optionally with a trailing zero byte, and set an error code like k5alloc does. Use them where they would shorten existing code.
* Remove inoperative null checks in KDC codeGreg Hudson2012-12-201-3/+1
| | | | | | | | | In prepare_error_tgs, kdc_free_rstate, and kdc_fast_handle_error, remove unnecessary null checks. The callers avoid passing null states, and in each case we've already dereferenced the pointer earlier. Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>. ticket: 7511
* Eliminate some KDC globalsTom Yu2012-10-151-7/+25
| | | | | | Make kdc_active_realm a local variable in every function that needs it. Pass it around in various state structures as needed. Keep the macros that reference its members remain for now.
* Simplify and fix kdcpreauth request_body callbackGreg Hudson2011-11-141-2/+18
| | | | | | | | | | | | | | | | | | | Alter the contract for the kdcpreauth request_body callback so that it returns an alias to the encoded body instead of a fresh copy. At the beginning of AS request processing, save a copy of the encoded request body, or the encoded inner request body for FAST requests. Previously the request_body callback would re-encode the request structure, which in some cases has been modified by the AS request code. No kdcpreauth modules currently use the request_body callback, but PKINIT will need to start using it in order to handle FAST requests correctly. ticket: 7017 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25473 dc483132-0cff-0310-8789-dd5450dbe970
* Use an opaque handle in the kdcpreauth callbackGreg Hudson2011-10-051-2/+0
| | | | | | | | | | | | | | Instead of passing a request and entry to the kdcpreauth get_data callback, pass an opaque handle. Remove DB entry and key data parameters from kdcpreauth methods (but keep the request, since that's transparent). The SecurID plugin links against libkdb5 and needs access to the client DB entry. Rather than continue to pass a DB entry to kdcpreauth methods, add a get_data callback to get the client DB entry for the few plugins which might need it. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25300 dc483132-0cff-0310-8789-dd5450dbe970
* Mark up strings for translationGreg Hudson2011-06-101-13/+18
| | | | | | ticket: 6918 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970
* KDC memory leak of reply padata for FAST repliesGreg Hudson2011-03-171-0/+1
| | | | | | | | | | | | kdc_fast_response_handle_padata() replaces rep->padata, causing the old value to be leaked. As a minimal fix, free the old value of rep->padata before replacing it. ticket: 6885 target_version: 1.9.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24724 dc483132-0cff-0310-8789-dd5450dbe970
* KDC memory leak in FAST error pathGreg Hudson2011-03-171-13/+6
| | | | | | | | | | | | | | When kdc_fast_handle_error() produces a FAST-encoded error, it puts it into err->e_data and it never gets freed (since in the non-FAST case, err->e_data contains aliased pointers). Fix this by storing the encoded error in an output variable which is placed into the error's e_data by the caller and then freed. ticket: 6884 target_version: 1.9.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24722 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust most C source files to match the new standards for copyrightGreg Hudson2011-03-091-2/+1
| | | | | | and license comments. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24695 dc483132-0cff-0310-8789-dd5450dbe970
* MITKRB5-SA-2010-001 CVE-2010-0283 KDC denial of serviceTom Yu2010-02-161-1/+1
| | | | | | | | | | | | | Code introduced in krb5-1.7 can cause an assertion failure if a KDC-REQ is internally inconsistent, specifically if the ASN.1 tag doesn't match the msg_type field. Thanks to Emmanuel Bouillon (NATO C3 Agency) for discovering and reporting this vulnerability. ticket: 6662 tags: pullup target_version: 1.8 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23724 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify and fix FAST check for keyed checksum typeGreg Hudson2010-01-121-15/+4
| | | | | | | | | | | | Use krb5_c_is_keyed_checksum to detect unkeyed checksums when handling FAST requests. The old check was broken for 1.8 because krb5_c_verify_checksum got pickier about invalid keyblocks. ticket: 6632 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23628 dc483132-0cff-0310-8789-dd5450dbe970
* fast negotiation projecSam Hartman2009-12-141-1/+1
| | | | | | | | | | | | | | | | Merge branches/fast-negotiate into trunk. This implements http://k5wiki.kerberos.org/wiki/Projects/Fast_negotiation Additional changes: * krb5_c_make_checksum with checksum type 0 uses mandatory checksum for given key enctype Conflicts: src/lib/crypto/krb/make_checksum.c ticket: 6595 Tags: enhancement git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23465 dc483132-0cff-0310-8789-dd5450dbe970
* Fix memory leakSam Hartman2009-11-301-1/+2
| | | | | | ticket: 6585 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23384 dc483132-0cff-0310-8789-dd5450dbe970
* KDC MUST NOT accept ap-request armor in FAST TGSSam Hartman2009-11-241-0/+5
| | | | | | | | | | | | | | | Per the latest preauth framework spec, the working group has decided to forbid ap-request armor in the TGS request because of security problems with that armor type. This commit was tested against an implementation of FAST TGS client to confirm that if explicit armor is sent, the request is rejected. ticket: 6585 target_version: 1.7.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23325 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up some open-parenthesis problems, and reindentTom Yu2009-11-161-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23246 dc483132-0cff-0310-8789-dd5450dbe970
* Post-great-reindent check. Part IZhanna Tsitkov2009-11-121-45/+58
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23151 dc483132-0cff-0310-8789-dd5450dbe970
* make mark-cstyleTom Yu2009-10-311-227/+228
| | | | | | make reindent git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
* Require fast_req checksum to be keyedSam Hartman2009-04-141-1/+19
| | | | | | | | | | Since the fast_req checksum is unencrypted, a keyed checksum type needs to be used. ticket: 6461 Target_Version: 1.7 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22210 dc483132-0cff-0310-8789-dd5450dbe970
* fix logic errorsSam Hartman2009-04-041-1/+1
| | | | | | ticket: 6436 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22170 dc483132-0cff-0310-8789-dd5450dbe970
* Merge fast branch at 22166 onto trunkSam Hartman2009-04-031-10/+77
| | | | | | ticket: 6436 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22167 dc483132-0cff-0310-8789-dd5450dbe970
* Implement FAST from draft-ietf-krb-wg-preauth-frameworkSam Hartman2009-03-311-0/+398
Merge fast branch at 22146 onto trunk Implement the kerberos pre-authentication framework FAST feature per Projects/FAST on the wiki. ticket: 6436 Target_Version: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22149 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2024-06-22 11:06:40 +0000