Nicolas Williams
167849d621
kdc: Replace token validator plugin system
2026-01-18 19:06:16 -06:00
Nicolas Williams
cbe156d927
Use OpenSSL 3.x _only_ and implement RFC 8636
...
- No more OpenSSL 1.x support
- Remove 1DES and 3DES
- Remove NETLOGON, NTLM (client and 'digest' service)
2026-01-18 19:06:16 -06:00
Nicolas Williams
7439820618
hcrypto, otp: Remove hcrypto and otp!
...
We must switch to OpenSSL 3.x, and getting lib/hcrypto to provide
OpenSSL 3.x APIs is too large an undertaking. Plus the hcrypto backend
is not safe, not secure (probably has timing leaks galore), and no one
has the resources to make it a world-class crypto library, so it just
has to go.
2026-01-18 16:09:31 -06:00
Nicolas Williams
567704f20e
httpkadmind: Add -A option for async HDB writes
2026-01-18 16:09:31 -06:00
Nicolas Williams
1bc19c6c04
kdc: Fix NULL deref
2026-01-18 16:09:30 -06:00
Nicolas Williams
2a69918515
kdc: Quiet some MSVC false positive warnings
2026-01-18 16:08:40 -06:00
Nicolas Williams
52e805f3f9
kdc: Session key enctype selection needs to check the service supported enctypes
2026-01-18 16:08:40 -06:00
Ivan Korytov
5cf652bf35
kdc: Fix memory leak of encrypted preauthentication data
...
Deallocate r->ek.encrypted_pa_data after response was sent to client.
Signed-off-by: Ivan Korytov <korytovip@basealt.ru>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-10-09 12:33:43 -04:00
Stefan Metzmacher
50067e8171
kdc: clear et->flags.ok_as_delegate if cross-realm krbtgt does not have it
...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2025-04-16 10:27:45 -04:00
Stefan Metzmacher
225d1c4c0e
kdc: Constrained delegation requires a local delegating server
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15837
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2025-04-16 10:27:19 -04:00
Stefan Metzmacher
c0f63fba5c
kdc: KRB5_ANON_REALM needs 'const Realm'
...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2025-04-16 10:25:39 -04:00
Jo Sutton
6b08c05258
kdc: Enforce hardware authentication for accounts requiring it
...
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
2024-07-06 16:08:56 -04:00
Jeffrey Altman
c753ed5b7f
kdc: APPLE disable enable-pkinit by default as documented
...
commit 4d48b172ab ("add pkinit
configration for btmm") introduced automatic configuration of
the 'pkinit_kdc_identity' and 'pkinit_kdc_friendly_name' on macOS
but also modified the default for the 'enable_pkinit' setting
such that pkinit is enabled on all __APPLE__ platforms overriding
the [kdc] enable-pkinit setting obtained from the configuration.
This change modifies the enable-pkinit behavior on __APPLE__ platforms
to match those on every other platform. __APPLE__ platforms will
continue to auto-configure the [kdc] pkinit_identity and
[kdc] pkinit_anchors if they are not specified in the configuration.
2024-06-16 23:27:37 -04:00
Jeffrey Altman
2d89b4c27c
kdc: -Wcalloc-transposed args
...
warning: 'calloc' sizes specified with 'sizeof' in the earlier argument
and not in the later argument [-Wcalloc-transposed-args].
Swap the args.
2024-06-04 06:22:37 -04:00
Daria Phoebe Brashear
d8c10e68a6
kdc: per-target CPPFLAGS do not have an _AM in the variable name
...
when microhttpd is present, bx509d does not build because the
automake-emitted makefile is wrong
2024-05-20 22:04:21 -04:00
Nicolas Williams
2e94b7855c
doc: Clarify kdc --ports / [kdc] ports (fix #1223)
2024-01-16 11:28:35 -06:00
Joseph Sutton
597b59dfb7
kdc: Return NEVER_VALID error code if ticket will never be valid
...
This matches the error generated by Windows.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2024-01-09 16:06:06 -06:00
Stefan Metzmacher
baf1930b6a
kdc: don't fail salt_fastuser_crypto with r->req.req_body.cname == NULL for TGS-REQ
2024-01-09 16:06:06 -06:00
Joseph Sutton
4de8b3564e
kdc: Fix leak with PK-INIT-Win2k
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2024-01-09 16:06:06 -06:00
Joseph Sutton
71fd391036
kdc: Fix spelling
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2024-01-09 16:06:06 -06:00
Taylor R Campbell
19505537fd
Ensure all calls to rk_dns_lookup are headed by a block_dns check.
...
Exception: In lib/kafs/common.c, we don't have a krb5_context in
which to check.
2024-01-08 10:22:02 -06:00
Taylor R Campbell
fd77c4000d
Ensure all calls to getaddrinfo are headed by a block_dns check.
...
If block_dns is set, call getaddrinfo with AI_NUMERICHOST set and
AI_CANONNAME clear.
Some paths may not have set AI_CANONNAME, but it's easier to audit
this way when the getaddrinfo prelude is uniform across call sites,
and the compiler can optimize it away.
2024-01-08 10:22:02 -06:00
Joseph Sutton
0e9e1a4f31
kdc: Make parameter const
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-28 21:37:56 -05:00
Joseph Sutton
ffac143401
kdc: Finish incomplete log message
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-28 21:37:56 -05:00
Joseph Sutton
9ba687cf22
kdc: Fix log message
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-28 21:37:56 -05:00
Joseph Sutton
68b475fa2e
kdc: Finish incomplete warning message
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-28 21:37:56 -05:00
Joseph Sutton
079088e543
kdc: Fix incorrect log message
...
‘list.len’ can be equal to zero.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-28 21:37:56 -05:00
Joseph Sutton
fbe89adf27
kdc: Fix spelling of error and log messages
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-28 21:34:35 -05:00
Joseph Sutton
560c9da844
kdc: Fix code spelling
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-28 21:34:35 -05:00
Joseph Sutton
9f05c65981
kdc: Specify client time in FAST inner KRB-ERROR
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-02 20:19:54 -05:00
Joseph Sutton
5de5e5f7f6
kdc: Use NULL to assign to pointers
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-02 20:19:54 -05:00
Joseph Sutton
f8ba91164c
kdc: Don’t use uninitialized variable
...
The call to free_KDCDHKeyInfo(), further down, could have caused heap
corruption.
Found by Coverity (Samba CID 1544611).
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-02 20:19:54 -05:00
Joseph Sutton
6f73fd8206
kdc: Remove pointer cast
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-02 20:19:54 -05:00
Nicolas Williams
2a38fa17b5
kdc: Add global disable_pac config param
2023-06-23 13:44:13 -05:00
Nicolas Williams
66445f4341
httpkadmind: Add auth-data-reqd attribute
2023-06-23 13:44:13 -05:00
Nicolas Williams
27cdf81995
kdc: Honor no-auth-data-reqd on cross-realm TGTs
...
Nowadays we use PACs instead of AD-SIGNEDPATH, so we want a PAC on every
TGT, but we don't necessarily want PACs on cross-realm TGTs.
Specifically, we don't interop well yet with AD when issuing cross-realm
TGTs with AD realms as the destination realm (see #1091).
2023-06-23 13:44:13 -05:00
Joseph Sutton
da9cad2047
kdc: Overwrite ‘error_code’ only if we have an actual error
...
‘r->error_code’ might have been set earlier, and we don’t want to
overwrite it with a successful error code.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-20 18:02:15 -05:00
Joseph Sutton
243207f10a
kdc: Ensure that we emit a non-zero error code
...
If ‘r->error_code’ was zero, we would turn it into an ERR_GENERIC error
and return that to the client. Now we return the actual error code
instead.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-20 18:02:15 -05:00
Joseph Sutton
af0b70fcc2
kdc: Fix discarded qualifiers warning
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-20 18:02:15 -05:00
Joseph Sutton
043b0d02c1
kdc: Don’t abort if krb5_generate_random_keyblock() fails
...
There are a few reasons that this function could fail (e.g., failure to
allocate memory) besides random number generation being unavailable. No
other caller abort()s on failure like this.
Furthermore, krb5_generate_random_block(), which is called by
krb5_generate_random_keyblock(), already aborts if random generation
fails.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-20 18:02:15 -05:00
Joseph Sutton
43a4c01126
kdc: Fix missing space in log messages
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-20 18:02:15 -05:00
Joseph Sutton
4a699f2450
kdc: Remove trailing space from log message
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-20 18:02:15 -05:00
Joseph Sutton
cb69ce4382
kdc: Remove trailing space from log message
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-20 18:02:15 -05:00
Joseph Sutton
d83802e2d4
kdc: Fix log message typo
2023-06-20 18:02:15 -05:00
Robert Manner
56d97563f0
kcm,kdc/config.c: detect too big max_request sizes (>= 64 MB)
2023-06-20 12:57:28 -05:00
Taylor R Campbell
796e420c11
libkrb5, libkdc: Constify salted s2k default iterator counts.
...
These externs should really be in a .h file shared by definition and
usage sites so the C compiler can verify that they match.
2023-06-20 12:19:48 -05:00
Joseph Sutton
1b954faeeb
kdc: Pass in HDB_F_ARMOR_PRINCIPAL when fetching armor ticket client principal
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-13 17:41:21 -05:00
Joseph Sutton
cf6b216868
kdc: Have caller pass HDB_F_FOR_TGS_REQ into _kdc_fast_check_armor_pac()
...
We shall soon want to use this function for AS-REQs as well as TGS-REQs.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-13 17:41:21 -05:00
Stefan Metzmacher
df848bfd97
kdc: don't announce KRB5_PADATA_GSS unless gss_preauth is enabled
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15273
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2023-06-12 12:41:02 -05:00
Stefan Metzmacher
eb388539ec
kdc: don't announce KRB5_PADATA_PKINIT_KX unless anonymous is allowed
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15273
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2023-06-12 12:41:02 -05:00