eliminating a big switch statement with a dead-code default block.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22192 dc483132-0cff-0310-8789-dd5450dbe970
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22191 dc483132-0cff-0310-8789-dd5450dbe970
Also initialize krb5int_populate_gic_opt's output variable.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22190 dc483132-0cff-0310-8789-dd5450dbe970
pa_salt.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22189 dc483132-0cff-0310-8789-dd5450dbe970
retval was set but never returned.
ticket: 6450
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22186 dc483132-0cff-0310-8789-dd5450dbe970
which requests delegation only if the ok-as-delegate ticket flag is
set.
ticket: 6203
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22185 dc483132-0cff-0310-8789-dd5450dbe970
context; rd_safe and rd_priv require the remote address to be set.
Create error codes for both kinds of missing addresses and stop trying
futilely to handle the cases where they are not set.
ticket: 1165
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22184 dc483132-0cff-0310-8789-dd5450dbe970
If decoding the encoded_req_body fails, goto errout instead of falling
through to fast handling.
Looks like a merge error.
Reindented code.
ticket: 6449
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22183 dc483132-0cff-0310-8789-dd5450dbe970
preauth fails on a slave, since preauth can fail due to an out-of-date
key. This removes a snippet added in r14939 which was considering
only hardware preauth.
ticket: 6108
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22182 dc483132-0cff-0310-8789-dd5450dbe970
Based on usage of this static function, this will never happen as
results are always malloced (and checked) by caller. However, the
function is already coded to handle the first argument being null - so
be consistent throughout.
ticket:
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22177 dc483132-0cff-0310-8789-dd5450dbe970
The asn1_decode_generaltime() function can free an uninitialized
pointer if asn1buf_remove_charstring() fails.
ticket: 6445
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22176 dc483132-0cff-0310-8789-dd5450dbe970
asn1buf_imbed() can perform pointer arithmetic that causes the "bound"
pointer of the subbuffer to be less than the "next" pointer. This can
lead to malloc() failure or crash.
In asn1buf_imbed(), check the length before doing arithmetic to set
subbuf->bound. In asn1buf_remove_octetstring() and
asn1buf_remove_charstring(), check for invalid buffer pointers before
executing an unsigned length check against a (cast to size_t)
negative number.
ticket: 6444
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22175 dc483132-0cff-0310-8789-dd5450dbe970
SPNEGO can read beyond the end of a buffer if the claimed DER length
exceeds the number of bytes in the input buffer. This can lead to
crash or information disclosure.
Thanks to Apple for reporting this vulnerability and providing
patches.
ticket: 6443
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22174 dc483132-0cff-0310-8789-dd5450dbe970
sent on error.
ticket: 6417
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22173 dc483132-0cff-0310-8789-dd5450dbe970
Clearly the code is broken - and we either never use it - or callers never pass
NULL...
Detected by clang static checker.
ticket: 6442
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22172 dc483132-0cff-0310-8789-dd5450dbe970
Most of the KDC side of TGS FAST was already present. This adds
correct generation of the reply key.
ticket: 6439
target_version: 1.7
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22171 dc483132-0cff-0310-8789-dd5450dbe970
ticket: 6436
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22170 dc483132-0cff-0310-8789-dd5450dbe970
strchr returning null when searching for a character we know is there.
Also properly return ENOMEM if we fail to allocate selstring.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22169 dc483132-0cff-0310-8789-dd5450dbe970
RFC 4120 requires that if a subkey is present in the TGS request that
authorization data be encrypted in the subkey. Our KDC did not handle
this correctly.
ticket: 6438
target_version: 1.7
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22168 dc483132-0cff-0310-8789-dd5450dbe970
ticket: 6436
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22167 dc483132-0cff-0310-8789-dd5450dbe970
it uses the wrong API and wrong key usage. So, if the auth_context
has an explicit checksum type set, then respect that. kcmd sets such
a checksum type. Also, because other applications may have the same
problem, allow the config file variable if set to override the default
checksum.
* kcmd.c: Force use of rsa_md5
* init_ctx.c: do not default to md5
* mk_req_ext.c: allow auth_context to override
ticket: 1624
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22160 dc483132-0cff-0310-8789-dd5450dbe970
ticket: 1624
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22159 dc483132-0cff-0310-8789-dd5450dbe970
all the time in the ap_req checksum path. This breaks code to support
DCE versions prior to 1.1 but uses the correct checksum for protocol
compatibility.
ticket: 1624
Target_version: 1.7
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22154 dc483132-0cff-0310-8789-dd5450dbe970
ticket: 6436
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22153 dc483132-0cff-0310-8789-dd5450dbe970
Set the weak enctype flag on the 40-bit RC4.
ticket: 6437
target_version: 1.7
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22152 dc483132-0cff-0310-8789-dd5450dbe970
ticket: 6436
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22151 dc483132-0cff-0310-8789-dd5450dbe970
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22150 dc483132-0cff-0310-8789-dd5450dbe970
Merge fast branch at 22146 onto trunk
Implement the Kerberos pre-authentication framework FAST feature per
Projects/FAST on the wiki.
ticket: 6436
Target_Version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22149 dc483132-0cff-0310-8789-dd5450dbe970
Encrypt using local_subkey not *subkey
ticket: 6393
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22148 dc483132-0cff-0310-8789-dd5450dbe970
From Heimdal, ported by Luke, further modified by me.
ticket: 6435
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22147 dc483132-0cff-0310-8789-dd5450dbe970
Updated the kdb5_util command man page to include documentation on new
subcommands added as a result of the Master Key Migration project.
Ticket: 6432
Version_Reported: 1.7
Target_Version: 1.7
Tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22114 dc483132-0cff-0310-8789-dd5450dbe970
Instead, move the pkinit-specific KRB5_CONF macros to pkinit.h, and
add duplicate definitions of the non-pkinit-specific macros used by
the pkinit code.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22113 dc483132-0cff-0310-8789-dd5450dbe970
Add disclaimers to the kadmin and kdb headers about the weaker
stability commitments we make for their APIs, and install them for the
benefit of users who can tolerate such instability. (The kadmin
interface is the real goal here, but the kadmin header includes kdb.h
so we need to install both.)
ticket: 6431
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22112 dc483132-0cff-0310-8789-dd5450dbe970
In asn1_k_decode.c, check the return value of
end_sequence_of_no_tagvars_helper.
ticket: 6427
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22107 dc483132-0cff-0310-8789-dd5450dbe970
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22100 dc483132-0cff-0310-8789-dd5450dbe970
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22098 dc483132-0cff-0310-8789-dd5450dbe970
Implement some test cases for krb5_merge_authdata and
krb5int_find_authdata
ticket: 6422
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22097 dc483132-0cff-0310-8789-dd5450dbe970
Implement a function to find all instances of a particular ad_type in
ticket or authenticator authdata.
ticket: 6422
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22096 dc483132-0cff-0310-8789-dd5450dbe970
Implement a simple program to call KRB-FX-CF2 and print the resulting
keys. Add to regression tests. Also, use the PRF testing application
to confirm that CF2 generates consistent keys if called by hand.
ticket: 6421
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22095 dc483132-0cff-0310-8789-dd5450dbe970
Draft-ietf-krb-wg-preauth-framework defines a function KRB-FX-CF2 that
combines two keys of arbitrary enctype. Implement this function as an
exported API.
ticket: 6421
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22094 dc483132-0cff-0310-8789-dd5450dbe970
In order for the kdb keytab to be used from within the KDC, the KDC
needs to set the master key list in the context.
ticket: 6424
Target_version: 1.7
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22093 dc483132-0cff-0310-8789-dd5450dbe970
If the input auth_con is NULL, return success.
ticket: 6423
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22092 dc483132-0cff-0310-8789-dd5450dbe970
Add a krbCanonicalName attribute to the schema. When looking up a
principal, if the canonical name is set and does not match the
requested name, then return the entry only if canonicalization was
requested, and use the entry's canonical name.
ticket: 6420
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22090 dc483132-0cff-0310-8789-dd5450dbe970
acc_ctx_new() can return an error condition without establishing a
SPNEGO context structure. This can cause a null pointer dereference
in cleanup code in spnego_gss_accept_sec_context().
ticket: 6417
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22084 dc483132-0cff-0310-8789-dd5450dbe970
In cases where the salt is derived from the client principal, use the
canonicalized principal received from the KDC to determine the salt.
Further changes are probably required for some preauth cases.
ticket: 6415
target_version: 1.7
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22083 dc483132-0cff-0310-8789-dd5450dbe970
have been allocated locally, and set it in both code paths instead of
just the confidentiality-requested code path.
ticket: 6412
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22082 dc483132-0cff-0310-8789-dd5450dbe970
When allocating storage for the header buffer, update the internal
output buffer pointer as well.
ticket: 6412
target_version: 1.7
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22081 dc483132-0cff-0310-8789-dd5450dbe970
We were losing verbose error messages when logging from the KDC because
the context passed to krb5_klog_init did not match the realm-specific
context used for most library function calls. Introduce a wrapper
function kdc_err which copies the error state from the call context
to the log context. The wrapper function also knows the program name,
which removes the need to pass argv[0] around everywhere or make up
program names.
ticket: 6408
target_version: 1.7
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22079 dc483132-0cff-0310-8789-dd5450dbe970
The krb5_copy_error_state macro wasn't used, didn't work, and didn't
need to be a macro. Replace it with an exported API function named
krb5_copy_error_message.
ticket: 6407
target_version: 1.7
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22078 dc483132-0cff-0310-8789-dd5450dbe970
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22077 dc483132-0cff-0310-8789-dd5450dbe970