| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
Rename krb5int_find_authdata to krb5_find_authdata and make it public.
ticket: 6992
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25414 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
ticket: 6918
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
and license comments.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24695 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
error code 0. Simplify some overly paranoid code accordingly.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24489 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(MITKRB5-SA-2010-006)
When the KDC receives certain TGS-REQ messages, it may dereference an
uninitialized pointer while processing authorization data, causing a
crash, or in rare cases, unauthorized information disclosure, ticket
modification, or execution of arbitrary code. The crash may be
triggered by legitimate requests.
Correctly implement the filtering of authorization data items to avoid
leaving uninitialized pointers when omitting items.
ticket: 6797
tags: pullup
target_version: 1.8.4
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24429 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
| |
Mike Roszkowski.
ticket: 6764
tags: pullup
target_version: 1.8.4
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24286 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
| |
replacing the SIGN_AUTH_DATA method of db_invoke.
ticket: 6749
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24182 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
| |
not supported by a KDB module. (Previously KRB5_KDB_DBTYPE_NOSUP was
used in some cases and KRB5_PLUGIN_OP_NOTSUPP in others.)
ticket: 6749
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24170 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have some reason to believe Microsoft and Heimdal are both using
the authdata value 142 for different purposes, leading to failures in
verify_ad_signedpath(). For better interoperability, treat such
tickets as unsigned, rather than invalid.
ticket: 6676
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23766 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Avoid setting AD-SIGNEDPATH when returning a cross-realm TGT.
Previously we were avoiding it when answering a cross-realm client,
which was wrong.
Don't fail out on an invalid AD-SIGNEDPATH checksum; just don't trust
the ticket for S4U2Proxy (as if AD-SIGNEDPATH weren't present).
ticket: 6655
target_version: 1.8
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23697 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
ticket: 6607
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23528 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This ticket implements Project/Anonymous pkinit from k5wiki. Provides
support for completely anonymous principals and untested client
support for realm-exposed anonymous authentication.
* Introduce kinit -n
* Introduce kadmin -n
* krb5_get_init_creds_opt_set_out_ccache aliases the supplied ccache
* No longer generate ad-initial-verified-cas in pkinit
* Fix pkinit interactions with non-TGT authentication
Merge remote branch 'anonymous' into trunk
Conflicts:
src/lib/krb5/krb/gic_opt.c
ticket: 6607
Tags: enhancement
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23527 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
instead of result codes, to make Coverity happy.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23298 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23246 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
| |
Merge Luke's users/lhoward/s4u2proxy branch to trunk. Implements a
Heimdal-compatible mechanism for allowing constrained delegation
without back-end support for PACs. Back-end support exists in LDAP
only (via a new krbAllowedToDelegateTo attribute), not DB2.
ticket: 6580
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23160 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23151 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
make reindent
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
| |
Merge Luke's users/lhoward/heimmig branch to trunk. Implements a
KDC back-end plugin which interfaces to a Heimdal HDB plugin.
ticket: 6578
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23073 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22961 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
krbtgt key parameter.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22959 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
for additional krbtgt key parameter. This was at Sam's suggestion.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22958 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
| |
Merge Luke's users/lhoward/authdata branch to trunk. Implements GSS naming
extensions and verification of authorization data.
ticket: 6572
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22875 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
| |
Merge Luke's users/lhoward/s4u branch to trunk. Implements S4U2Self
and S4U2Proxy extensions.
ticket: 6563
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22736 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In handle_authdata in the KDC, remove a spurious assertion (added in
r21566 on the mskrb-integ branch) that authdata starts out empty.
authdata can be legitimately added by check_padata, which precedes
handle_authdata, and this happens with pkinit.
ticket: 6492
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22360 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
decrypting authdata that way.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22358 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
| |
RFC 4120 requires that if a subkey is present in the TGS request that
authorization data be encrypted in the subkey. Our KDC did not handle
this correctly.
ticket: 6438
target_version: 1.7
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22168 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The mskrb-integ branch includes support for the following projects:
Projects/Aliases
* Projects/PAC and principal APIs
* Projects/AEAD encryption API
* Projects/GSSAPI DCE
* Projects/RFC 3244
In addition, it includes support for enctype negotiation, and a variety of GSS-API extensions.
In the KDC it includes support for protocol transition, constrained delegation
and a new authorization data interface.
The old authorization data interface is also supported.
This commit merges the mskrb-integ branch on to the trunk.
Additional review and testing is required.
Merge commit 'mskrb-integ' into trunk
ticket: new
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21690 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
ticket: 6201
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20958 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
| |
ticket: 6200
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20919 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20701 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Add a test authorization data scheme, in both built-in and plugin
forms; built-in version is #ifdef'ed out. Update configury to create
the build directory for the plugin, but don't build or install it by
default.
Create the new (and normally empty) authorization data plugin
directory at install time.
Add some (normally disabled) code to log authz data from rd_req.
Fix up some comments that still refer to preauth plugins. Add some
details in comments on the API, and why it's private for now.
Make the plugin init context support work, by not passing null
pointers.
ticket: 5565
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20691 dc483132-0cff-0310-8789-dd5450dbe970
|