2148 Commits

Author SHA1 Message Date
Nicolas Williams 7dec4d7f02 bx509d: Stop taking unnecessary flock (fix #1308) 2026-01-22 22:26:10 -06:00
Joseph Sutton 86b20d9544 kdc: Always apply maximum ticket lifetime and renew time when non-NULL
This allows a lifetime of zero to work.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2026-01-22 11:39:05 -06:00
Nicolas Williams 1faea3ffcf kdc: Make MAX_TIME INT32_MAX always
This is just to be consistent with a likely coming change to make
HDB_entry's max_life signed.  68 years is long enough.
2026-01-22 00:02:05 -06:00
Nicolas Williams c1c0be207e kdc: Get altsecid_gss_preauth_authorize building 2026-01-22 00:02:05 -06:00
Nicolas Williams 112a82dd25 kdc: Fix memset_s() calls (fix #1296) 2026-01-20 16:05:36 -06:00
Taylor R Campbell 5589cf96c7 Sprinkle const and rk_UNCONST throughout the tests. 2026-01-18 19:06:17 -06:00
Taylor R Campbell adeae8336c kdc: Sprinkle const and rk_UNCONST. 2026-01-18 19:06:17 -06:00
Taylor R Campbell 29a791f8f4 kdc: rk_UNCONST for literal shell.version.
I assume this is used read-only by ASN1_MALLOC_ENCODE.
2026-01-18 19:06:17 -06:00
Taylor R Campbell 294ab3ae5d kdc: Sprinkle rk_UNCONST. 2026-01-18 19:06:17 -06:00
Taylor R Campbell 3c2b7b865b kdc: Note strict aliasing violations. 2026-01-18 19:06:17 -06:00
Nicolas Williams 167849d621 kdc: Replace token validator plugin system 2026-01-18 19:06:16 -06:00
Nicolas Williams cbe156d927 Use OpenSSL 3.x _only_ and implement RFC 8636
- No more OpenSSL 1.x support
 - Remove 1DES and 3DES
 - Remove NETLOGON, NTLM (client and 'digest' service)
2026-01-18 19:06:16 -06:00
Nicolas Williams 7439820618 hcrypto, otp: Remove hcrypto and otp!
We must switch to OpenSSL 3.x, and getting lib/hcrypto to provide
OpenSSL 3.x APIs is too large an undertaking.  Plus the hcrypto backend
is not safe, not secure (probably has timing leaks galore), and no one
has the resources to make it a world-class crypto library, so it just
has to go.
2026-01-18 16:09:31 -06:00
Nicolas Williams 567704f20e httpkadmind: Add -A option for async HDB writes 2026-01-18 16:09:31 -06:00
Nicolas Williams 1bc19c6c04 kdc: Fix NULL deref 2026-01-18 16:09:30 -06:00
Nicolas Williams 2a69918515 kdc: Quiet some MSVC false positive warnings 2026-01-18 16:08:40 -06:00
Nicolas Williams 52e805f3f9 kdc: Session key enctype selection needs to check the service supported enctypes 2026-01-18 16:08:40 -06:00
Ivan Korytov 5cf652bf35 kdc: Fix memory leak of encrypted preauthentication data
Deallocate r->ek.encrypted_pa_data after response was sent to client.

Signed-off-by: Ivan Korytov <korytovip@basealt.ru>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-10-09 12:33:43 -04:00
Stefan Metzmacher 50067e8171 kdc: clear et->flags.ok_as_delegate if cross-realm krbtgt does not have it
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2025-04-16 10:27:45 -04:00
Stefan Metzmacher 225d1c4c0e kdc: Constrained delegation requires a local delegating server
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15837

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2025-04-16 10:27:19 -04:00
Stefan Metzmacher c0f63fba5c kdc: KRB5_ANON_REALM needs 'const Realm'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2025-04-16 10:25:39 -04:00
Jo Sutton 6b08c05258 kdc: Enforce hardware authentication for accounts requiring it
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
2024-07-06 16:08:56 -04:00
Jeffrey Altman c753ed5b7f kdc: APPLE disable enable-pkinit by default as documented
commit 4d48b172ab ("add pkinit
configration for btmm") introduced automatic configuration of
the 'pkinit_kdc_identity' and 'pkinit_kdc_friendly_name' on macOS
but also modified the default for the 'enable_pkinit' setting
such that pkinit is enabled on all __APPLE__ platforms overriding
the [kdc] enable-pkinit setting obtained from the configuration.

This change modifies the enable-pkinit behavior on __APPLE__ platforms
to match those on every other platform.  __APPLE__ platforms will
continue to auto-configure the [kdc] pkinit_identity and
[kdc] pkinit_anchors if they are not specified in the configuration.
2024-06-16 23:27:37 -04:00
Jeffrey Altman 2d89b4c27c kdc: -Wcalloc-transposed args
warning: 'calloc' sizes specified with 'sizeof' in the earlier argument
and not in the later argument [-Wcalloc-transposed-args].

Swap the args.
2024-06-04 06:22:37 -04:00
Daria Phoebe Brashear d8c10e68a6 kdc: per-target CPPFLAGS do not have an _AM in the variable name
when microhttpd is present, bx509d does not build because the
automake-emitted makefile is wrong
2024-05-20 22:04:21 -04:00
Nicolas Williams 2e94b7855c doc: Clarify kdc --ports / [kdc] ports (fix #1223) 2024-01-16 11:28:35 -06:00
Joseph Sutton 597b59dfb7 kdc: Return NEVER_VALID error code if ticket will never be valid
This matches the error generated by Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2024-01-09 16:06:06 -06:00
Stefan Metzmacher baf1930b6a kdc: don't fail salt_fastuser_crypto with r->req.req_body.cname == NULL for TGS-REQ 2024-01-09 16:06:06 -06:00
Joseph Sutton 4de8b3564e kdc: Fix leak with PK-INIT-Win2k
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2024-01-09 16:06:06 -06:00
Joseph Sutton 71fd391036 kdc: Fix spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2024-01-09 16:06:06 -06:00
Taylor R Campbell 19505537fd Ensure all calls to rk_dns_lookup are headed by a block_dns check.
Exception: In lib/kafs/common.c, we don't have a krb5_context in
which to check.
2024-01-08 10:22:02 -06:00
Taylor R Campbell fd77c4000d Ensure all calls to getaddrinfo are headed by a block_dns check.
If block_dns is set, call getaddrinfo with AI_NUMERICHOST set and
AI_CANONNAME clear.

Some paths may not have set AI_CANONNAME, but it's easier to audit
this way when the getaddrinfo prelude is uniform across call sites,
and the compiler can optimize it away.
2024-01-08 10:22:02 -06:00
Joseph Sutton 0e9e1a4f31 kdc: Make parameter const
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-28 21:37:56 -05:00
Joseph Sutton ffac143401 kdc: Finish incomplete log message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-28 21:37:56 -05:00
Joseph Sutton 9ba687cf22 kdc: Fix log message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-28 21:37:56 -05:00
Joseph Sutton 68b475fa2e kdc: Finish incomplete warning message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-28 21:37:56 -05:00
Joseph Sutton 079088e543 kdc: Fix incorrect log message
‘list.len’ can be equal to zero.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-28 21:37:56 -05:00
Joseph Sutton fbe89adf27 kdc: Fix spelling of error and log messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-28 21:34:35 -05:00
Joseph Sutton 560c9da844 kdc: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-28 21:34:35 -05:00
Joseph Sutton 9f05c65981 kdc: Specify client time in FAST inner KRB-ERROR
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-02 20:19:54 -05:00
Joseph Sutton 5de5e5f7f6 kdc: Use NULL to assign to pointers
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-02 20:19:54 -05:00
Joseph Sutton f8ba91164c kdc: Don’t use uninitialized variable
The call to free_KDCDHKeyInfo(), further down, could have caused heap
corruption.

Found by Coverity (Samba CID 1544611).

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-02 20:19:54 -05:00
Joseph Sutton 6f73fd8206 kdc: Remove pointer cast
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-02 20:19:54 -05:00
Nicolas Williams 2a38fa17b5 kdc: Add global disable_pac config param 2023-06-23 13:44:13 -05:00
Nicolas Williams 66445f4341 httpkadmind: Add auth-data-reqd attribute 2023-06-23 13:44:13 -05:00
Nicolas Williams 27cdf81995 kdc: Honor no-auth-data-reqd on cross-realm TGTs
Nowadays we use PACs instead of AD-SIGNEDPATH, so we want a PAC on every
TGT, but we don't necessarily want PACs on cross-realm TGTs.

Specifically, we don't interop well yet with AD when issuing cross-realm
TGTs with AD realms as the destination realm (see #1091).
2023-06-23 13:44:13 -05:00
Joseph Sutton da9cad2047 kdc: Overwrite ‘error_code’ only if we have an actual error
‘r->error_code’ might have been set earlier, and we don’t want to
overwrite it with a successful error code.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-20 18:02:15 -05:00
Joseph Sutton 243207f10a kdc: Ensure that we emit a non-zero error code
If ‘r->error_code’ was zero, we would turn it into an ERR_GENERIC error
and return that to the client. Now we return the actual error code
instead.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-20 18:02:15 -05:00
Joseph Sutton af0b70fcc2 kdc: Fix discarded qualifiers warning
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-20 18:02:15 -05:00
Joseph Sutton 043b0d02c1 kdc: Don’t abort if krb5_generate_random_keyblock() fails
There are a few reasons that this function could fail (e.g., failure to
allocate memory) besides random number generation being unavailable. No
other caller abort()s on failure like this.

Furthermore, krb5_generate_random_block(), which is called by
krb5_generate_random_keyblock(), already aborts if random generation
fails.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-20 18:02:15 -05:00