summaryrefslogtreecommitdiffstats
path: root/src/kdc/kdc_authdata.c
Commit message (Collapse)AuthorAgeFilesLines
* Fix minor KDC memory leaksproxymechGreg Hudson2013-03-261-15/+9
| | | | | Fix some small memory leaks which happen only in rare failure conditions. Reported by Will Fiveash <will.fiveash@oracle.com>.
* Make krb5_find_authdata publicGreg Hudson2011-10-251-5/+2
| | | | | | | | | | Rename krb5int_find_authdata to krb5_find_authdata and make it public. ticket: 6992 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25414 dc483132-0cff-0310-8789-dd5450dbe970
* Mark up strings for translationGreg Hudson2011-06-101-5/+4
| | | | | | ticket: 6918 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust most C source files to match the new standards for copyrightGreg Hudson2011-03-091-4/+1
| | | | | | and license comments. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24695 dc483132-0cff-0310-8789-dd5450dbe970
* krb5_get_error_message cannot return NULL, and returns "Success" onGreg Hudson2010-11-011-12/+8
| | | | | | error code 0. Simplify some overly paranoid code accordingly. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24489 dc483132-0cff-0310-8789-dd5450dbe970
* CVE-2010-1322 KDC uninitialized pointer crash in authorization data handling ↵Tom Yu2010-10-051-4/+4
| | | | | | | | | | | | | | | | | | | (MITKRB5-SA-2010-006) When the KDC receives certain TGS-REQ messages, it may dereference an uninitialized pointer while processing authorization data, causing a crash, or in rare cases, unauthorized information disclosure, ticket modification, or execution of arbitrary code. The crash may be triggered by legitimate requests. Correctly implement the filtering of authorization data items to avoid leaving uninitialized pointers when omitting items. ticket: 6797 tags: pullup target_version: 1.8.4 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24429 dc483132-0cff-0310-8789-dd5450dbe970
* Properly search for MANDATORY-FOR-KDC authdata elements. Reported byGreg Hudson2010-09-021-1/+1
| | | | | | | | | | Mike Roszkowski. ticket: 6764 tags: pullup target_version: 1.8.4 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24286 dc483132-0cff-0310-8789-dd5450dbe970
* Add sign_authdata to the DAL table with a corresponding libkdb5 API,Greg Hudson2010-07-121-14/+7
| | | | | | | | | replacing the SIGN_AUTH_DATA method of db_invoke. ticket: 6749 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24182 dc483132-0cff-0310-8789-dd5450dbe970
* Use KRB5_PLUGIN_OP_NOTSUPP uniformly as the error code for operationsGreg Hudson2010-07-031-1/+1
| | | | | | | | | | not supported by a KDB module. (Previously KRB5_KDB_DBTYPE_NOSUP was used in some cases and KRB5_PLUGIN_OP_NOTSUPP in others.) ticket: 6749 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24170 dc483132-0cff-0310-8789-dd5450dbe970
* Ignore improperly encoded signedpath AD elementsGreg Hudson2010-03-051-1/+5
| | | | | | | | | | | | | We have some reason to believe Microsoft and Heimdal are both using the authdata value 142 for different purposes, leading to failures in verify_ad_signedpath(). For better interoperability, treat such tickets as unsigned, rather than invalid. ticket: 6676 target_version: 1.8.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23766 dc483132-0cff-0310-8789-dd5450dbe970
* Fix cross-realm handling of AD-SIGNEDPATHGreg Hudson2010-02-051-7/+7
| | | | | | | | | | | | | | | Avoid setting AD-SIGNEDPATH when returning a cross-realm TGT. Previously we were avoiding it when answering a cross-realm client, which was wrong. Don't fail out on an invalid AD-SIGNEDPATH checksum; just don't trust the ticket for S4U2Proxy (as if AD-SIGNEDPATH weren't present). ticket: 6655 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23697 dc483132-0cff-0310-8789-dd5450dbe970
* Whitespace fixes for new anonymous supportGreg Hudson2009-12-281-3/+4
| | | | | | ticket: 6607 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23528 dc483132-0cff-0310-8789-dd5450dbe970
* Anonymous support for KerberosSam Hartman2009-12-281-2/+6
| | | | | | | | | | | | | | | | | | | | | | This ticket implements Project/Anonymous pkinit from k5wiki. Provides support for completely anonymous principals and untested client support for realm-exposed anonymous authentication. * Introduce kinit -n * Introduce kadmin -n * krb5_get_init_creds_opt_set_out_ccache aliases the supplied ccache * No longer generate ad-initial-verified-cas in pkinit * Fix pkinit interactions with non-TGT authentication Merge remote branch 'anonymous' into trunk Conflicts: src/lib/krb5/krb/gic_opt.c ticket: 6607 Tags: enhancement git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23527 dc483132-0cff-0310-8789-dd5450dbe970
* For the moment, test for nullity of pointers returned by k5allocGreg Hudson2009-11-211-1/+1
| | | | | | instead of result codes, to make Coverity happy. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23298 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up some open-parenthesis problems, and reindentTom Yu2009-11-161-51/+50
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23246 dc483132-0cff-0310-8789-dd5450dbe970
* Constrained delegation without PAC supportGreg Hudson2009-11-141-59/+625
| | | | | | | | | | | Merge Luke's users/lhoward/s4u2proxy branch to trunk. Implements a Heimdal-compatible mechanism for allowing constrained delegation without back-end support for PACs. Back-end support exists in LDAP only (via a new krbAllowedToDelegateTo attribute), not DB2. ticket: 6580 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23160 dc483132-0cff-0310-8789-dd5450dbe970
* Post-great-reindent check. Part IZhanna Tsitkov2009-11-121-51/+59
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23151 dc483132-0cff-0310-8789-dd5450dbe970
* make mark-cstyleTom Yu2009-10-311-314/+314
| | | | | | make reindent git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
* Heimdal DB bridge plugin for KDC back endGreg Hudson2009-10-271-1/+8
| | | | | | | | | Merge Luke's users/lhoward/heimmig branch to trunk. Implements a KDC back-end plugin which interfaces to a Heimdal HDB plugin. ticket: 6578 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23073 dc483132-0cff-0310-8789-dd5450dbe970
* remove some unneeded extensions from the Novell backend authdata SPILuke Howard2009-10-211-29/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22961 dc483132-0cff-0310-8789-dd5450dbe970
* Increment authdata SPI to V2 (V1 was experimental) to account for additionalLuke Howard2009-10-211-3/+3
| | | | | | krbtgt key parameter. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22959 dc483132-0cff-0310-8789-dd5450dbe970
* Increment authdata SPI to V2 (V1 was experimental) to accountLuke Howard2009-10-211-24/+24
| | | | | | for additional krbtgt key parameter. This was at Sam's suggestion. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22958 dc483132-0cff-0310-8789-dd5450dbe970
* Implement GSS naming extensions and authdata verificationGreg Hudson2009-10-091-21/+26
| | | | | | | | | Merge Luke's users/lhoward/authdata branch to trunk. Implements GSS naming extensions and verification of authorization data. ticket: 6572 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22875 dc483132-0cff-0310-8789-dd5450dbe970
* Implement s4u extensionsGreg Hudson2009-09-131-0/+9
| | | | | | | | | Merge Luke's users/lhoward/s4u branch to trunk. Implements S4U2Self and S4U2Proxy extensions. ticket: 6563 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22736 dc483132-0cff-0310-8789-dd5450dbe970
* Remove spurious assertion in handle_authdataGreg Hudson2009-05-221-1/+0
| | | | | | | | | | | | | In handle_authdata in the KDC, remove a spurious assertion (added in r21566 on the mskrb-integ branch) that authdata starts out empty. authdata can be legitimately added by check_padata, which precedes handle_authdata, and this happens with pkinit. ticket: 6492 tags: pullup target_version: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22360 dc483132-0cff-0310-8789-dd5450dbe970
* Add a comment to the r22168 change since it's not obvious why we'reGreg Hudson2009-05-201-0/+11
| | | | | | decrypting authdata that way. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22358 dc483132-0cff-0310-8789-dd5450dbe970
* Handle authdata encrypted in subkeySam Hartman2009-04-031-0/+7
| | | | | | | | | | | | RFC 4120 requires that if a subkey is present in the TGS request that authorization data be encrypted in the subkey. Our KDC did not handle this correctly. ticket: 6438 target_version: 1.7 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22168 dc483132-0cff-0310-8789-dd5450dbe970
* Merge mskrb-integ onto trunkSam Hartman2009-01-031-112/+427
| | | | | | | | | | | | | | | | | | | | | | | | The mskrb-integ branch includes support for the following projects: Projects/Aliases * Projects/PAC and principal APIs * Projects/AEAD encryption API * Projects/GSSAPI DCE * Projects/RFC 3244 In addition, it includes support for enctype negotiation, and a variety of GSS-API extensions. In the KDC it includes support for protocol transition, constrained delegation and a new authorization data interface. The old authorization data interface is also supported. This commit merges the mskrb-integ branch on to the trunk. Additional review and testing is required. Merge commit 'mskrb-integ' into trunk ticket: new status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21690 dc483132-0cff-0310-8789-dd5450dbe970
* Apply a patch from Apple to correct a few memory leaksGreg Hudson2008-11-031-5/+2
| | | | | | ticket: 6201 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20958 dc483132-0cff-0310-8789-dd5450dbe970
* Use strlcpy instead of strcpy in many placesGreg Hudson2008-10-241-1/+1
| | | | | | | ticket: 6200 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20919 dc483132-0cff-0310-8789-dd5450dbe970
* Fix resource leakKen Raeburn2008-08-281-0/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20701 dc483132-0cff-0310-8789-dd5450dbe970
* Incorporate Apple's patchKen Raeburn2008-08-251-0/+298
Add a test authorization data scheme, in both built-in and plugin forms; built-in version is #ifdef'ed out. Update configury to create the build directory for the plugin, but don't build or install it by default. Create the new (and normally empty) authorization data plugin directory at install time. Add some (normally disabled) code to log authz data from rd_req. Fix up some comments that still refer to preauth plugins. Add some details in comments on the API, and why it's private for now. Make the plugin init context support work, by not passing null pointers. ticket: 5565 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20691 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2024-09-28 08:38:07 +0000