Jeffrey Altman
71fb56309c
_kdc_find_etype consolidation
...
The 'use_strongest_session_key' block and its alternate should
have similar behavior except for the order in which the enctype
lists are processed. This patchset attempts to consolidate the
exit processing and ensure that the inner loop enctype and key
validation is the same.

Bugs fixed:

1. In the 'use_strongest_session_key' case, the _kdc_is_weak_exception()
   test was applied during the client enctype loop which is only
   processed for acceptable enctypes. This test is moved to the
   local supported enctypes loop so as not to filter out weak keys
   when the service principal has an explicit exception.
2. In the 'use_strongest_session_key' case, the possibility of an
   enctype having keys with more than one salt was excluded.
3. In the 'use_strongest_session_key' case, the 'key' variable was
   not reset to NULL within each loop of the client enctype list.
4. In the '!use_strongest_session_key' case, the default salt test
   and is_preauth was inconsistent with the 'use_strongest_session_key'
   block.

With this consolidation, if no enctype is selected and the service
principal is permitted to use 1DES, then 1DES is selected. It doesn't
matter whether 'use_strongest_session_key' is in use or not.
Change-Id: Ib57264fc8bc23df64c70d39b4f6de48beeb54739
2013-07-27 20:02:16 -04:00
Nicolas Williams
1826106ff4
When asking for the strongest key, get it right
2013-07-27 17:29:54 -05:00
Nicolas Williams
1f147f0fa6
Check all three DES types
2013-07-27 16:51:01 -05:00
Nicolas Williams
f4f89ac8e0
Fix bug with use strongest session key feature
2013-07-27 03:21:12 -05:00
Love Hornquist Astrand
bf69625424
spelling
2013-07-19 00:26:28 +02:00
Love Hornquist Astrand
a21f1f384a
We always say we support FAST/enc-pa-rep
2013-07-19 00:24:43 +02:00
Love Hornquist Astrand
efe81b12ef
allow the non preauth case again
2013-07-11 15:56:04 +02:00
Roland C. Dowdeswell
0da84c0c3a
Add require-pwchange flag to HDB and honour it if present in mit-db:.
2012-02-27 10:19:54 +00:00
Roland C. Dowdeswell
e8779d5d4a
Add -Wshadow and deal with the warnings.
2012-02-21 11:17:55 +00:00
Nicolas Williams
c757eb7fb0
Rename and fix as/tgs-use-strongest-key config parameters
...
Different ticket session key enctype selection options should
distinguish between target principal type (krbtgt vs. not), not
between KDC request types.
2011-11-25 17:21:04 -06:00
Nicolas Williams
c9609cdb37
Initial patch for dealing with AD x-realm key rollover
...
AD issues x-realm TGTs with kvno 0. On key x-realm trust key change
we need to be able to try current and previous keys for trust, else
we will have some failures.
2011-11-15 21:53:33 -06:00
Nicolas Williams
3bebbe5323
Fixes to make Heimdal -Wall -Werror clean
...
These fixes make developer mode build, at least on Ubuntu.
2011-11-02 21:42:08 -05:00
Love Hörnquist Åstrand
1a1bd736c0
merge support for FAST in as-req codepath
2011-10-28 19:25:48 -07:00
Stefan Metzmacher
83a22ce18f
kdc: pass down HDB_F_FOR_AS_REQ and HDB_F_FOR_TGS_REQ to the hdb layer
...
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-07-30 11:56:46 -07:00
Love Hörnquist Åstrand
61f69ea5b1
spelling
2011-07-24 22:36:27 -07:00
Love Hörnquist Åstrand
5a31cf1a52
spelling
2011-07-24 22:36:21 -07:00
Love Hörnquist Åstrand
46f285bcc9
encode fast state in the fast cookie
2011-07-24 21:16:42 -07:00
Love Hörnquist Åstrand
721c5634d5
make compile after rebase
2011-07-24 20:24:39 -07:00
Love Hörnquist Åstrand
6b942e6ec2
free fast cookie
2011-07-24 20:24:39 -07:00
Love Hornquist Astrand
b00f1ceeb9
should use hide_client_names
2011-07-24 20:24:39 -07:00
Love Hornquist Astrand
57b96a269e
different logging
2011-07-24 20:24:38 -07:00
Love Hornquist Astrand
b6e56322f3
Check if message too large
2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
035afb17db
use et, ek from r->
2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
4d63c98125
Break out PAC generation
2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
94157d4410
don't pass req buffer to _kdc_encode_reply
2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
b8c168e565
check return length
2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
9a21fddb70
use kdc_request_t for add_enc_pa_req
2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
6319f31ecf
break out KRB5_PADATA_REQ_ENC_PA_REP
2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
1e048065c1
switch to _kdc_r_log
2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
68bd6f63e8
move PKINIT to a preauth mech too
2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
07342aa138
Add and use _kdc_set_e_text()
2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
13eeb30a1d
Create a request structure
2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
0332787e0f
Hide client name for privacy reasons
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
17d5f8d19e
make AS work with FAST
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
6c31f5a95f
free ac after it's used
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
a2bcf8bbdd
break out mk_error
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
04983dfd94
Preserve outer error
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
4561012998
fix up to update kdc_db_fetch
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
79703dc3cc
memory management
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
8eb256ea00
send enc challenge in KDC reply
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
7151d4e66c
partial handling of ENC-CHALLANGE
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
7d1a059f9e
comment why we add cookie
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
1fac725de4
send cookie on error and send right error message
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
deed0642d0
Handle ticket checksum
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
bcbcc67ab7
try handle finished message, ticket processing missing
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
35d4b23a22
start error codes finish message
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
c6a9bdb140
spelling
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
6a74bba8f9
move out generic fast packet building into fast.c
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
e372cc6b8a
re-shuffle to make c90 compatible
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
1af9487bff
got fetch armor key
2011-07-24 20:24:35 -07:00