Love Hornquist Astrand
1e048065c1
switch to _kdc_r_log
2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
68bd6f63e8
move PKINIT to a preauth mech too
2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
07342aa138
Add and use _kdc_set_e_text()
2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
13eeb30a1d
Create a request structure
2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
0332787e0f
Hide client name for privacy reasons
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
65254713a2
log if we have FAST PA or not
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
17d5f8d19e
make AS work with FAST
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
6c31f5a95f
free ac after it's used
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
a2bcf8bbdd
break out mk_error
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
04983dfd94
Preserve outer error
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
4561012998
fix up to update kdc_db_fetch
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
79703dc3cc
memory management
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
8eb256ea00
send enc challenge in KDC reply
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
7151d4e66c
partial handling of ENC-CHALLENGE
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
7d1a059f9e
comment why we add cookie
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
1fac725de4
send cookie on error and send right error message
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
30cca73765
more fast bits
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
78bef36409
include fast.c
2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
deed0642d0
Handle ticket checksum
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
bcbcc67ab7
try handle finished message, ticket processing missing
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
2f5d801156
change client access message
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
dfd7a43e44
change client access message
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
35d4b23a22
start error codes finish message
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
580b370e08
make pa-data optional
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
c6a9bdb140
spelling
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
5edb5d0275
move out generic fast packet building into fast.c
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
6a74bba8f9
move out generic fast packet building into fast.c
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
e372cc6b8a
re-shuffle to make c90 compatible
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
1af9487bff
got fetch armor key
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
a1feab396e
more ticket bits
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
d04289855e
more bits
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
96299ac2bb
no warnings
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
3b034b231d
more bits
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
7802e24170
first drop of the AS-REQ FAST + krb-error FAST codepath
2011-07-24 20:24:34 -07:00
Love Hornquist Astrand
f2c7370609
announce fx-fast
2011-07-24 20:24:34 -07:00
Love Hörnquist Åstrand
f102ee7831
compiler warning
2011-07-24 19:56:09 -07:00
Love Hörnquist Åstrand
1124c4872d
KVNOs are krb5uint32 in RFC4120, make it so
2011-07-24 14:23:45 -07:00
Love Hörnquist Åstrand
af4aea85ae
cast to avoid size_t vs int issue
2011-07-24 13:07:07 -07:00
Love Hörnquist Åstrand
c5db78a3c2
switch to use use_strongest_server_key
use the same behavior as 1.4 release.
2011-07-24 10:33:28 -07:00
Stefan Metzmacher
296548d34a
kdc: pass down the delegated_proxy_principal to the verify_pac() function
This is needed in order to add the S4U_DELEGATION_INFO to the pac.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-07-23 11:48:11 -07:00
Stefan Metzmacher
626d2607d5
kdc/windc_plugin.h: KRB5_WINDC_PLUGIN_MINOR 4 => 5
commit "heimdal Add support for extracting a particular KVNO from the database"
(f469fc6d49 in heimdal/master
and 9b5e304ccedc8f0f7ce2342e4d9c621417dd1c1e in samba/master)
changed the windc_plugin interface, so we need to change the
version number.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-07-23 11:48:11 -07:00
Stefan Metzmacher
aabb937b46
kdc: don't allow self delegation if a backend check_constrained_delegation() hook is given
A service should use S4U2Self instead of S4U2Proxy.
Windows servers allow S4U2Proxy only to explicitly configured
target principals.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-07-23 11:48:11 -07:00
Stefan Metzmacher
6cb0e81760
kdc: pass down the server hdb_entry_ex to check_constrained_delegation()
This way we can compare the already canonicalized principals,
while still passing the client specified target principal down
to the backend specific constrained_delegation() hook.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-07-23 11:48:11 -07:00
Stefan Metzmacher
d6a56b847b
kdc: use the correct client realm in the EncTicketPart
With S4U2Proxy tgt->crealm might be different from tgt_name->realm.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-07-23 11:48:11 -07:00
Love Hörnquist Åstrand
12403a31ce
sprinkle more windows files
2011-07-23 11:18:21 -07:00
Love Hörnquist Åstrand
7aaba443bc
add NTMakefile and windows directories
2011-07-17 12:16:59 -07:00
Love Hörnquist Åstrand
d756ad019a
make tests pass again
2011-06-19 11:49:33 -07:00
Stefan Metzmacher
e54d07a9b6
kdc: check and regenerate the PAC in the s4u2proxy case
TODO: we need to add a S4U_DELEGATION_INFO to the PAC later.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-19 10:26:11 -07:00
Stefan Metzmacher
9ab4070800
kdc: pass the correct principal name for the resulting service ticket
Depending on S4U2Proxy the principal name for the resulting
ticket is not the principal of the client ticket.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-19 10:26:11 -07:00
Stefan Metzmacher
2c031ca78c
kdc: let check_PAC() verify the incoming server and krbtgt checksums
For a normal TGS-REQ they're both signed with krbtgt key.
But for S4U2Proxy requests which ask for constrained delegation,
the keys differ.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-19 10:26:11 -07:00