oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
28,559 Commits 2 Branches 2 Tags
2f3f88e53a83a1033ec57b51b85aad3a88fa5b10
Commit Graph

1696 Commits

Author SHA1 Message Date
Love Hornquist Astrand
7d1a059f9e comment why we add cookie 2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
1fac725de4 send cookie on error and send right error message 2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
30cca73765 more fast bits 2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
78bef36409 include fast.c 2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
deed0642d0 Handle ticket checksum 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
bcbcc67ab7 try handle finished message, ticket processing missing 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
2f5d801156 change client access message 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
dfd7a43e44 change client access message 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
35d4b23a22 start error codes finish message 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
580b370e08 make pa-data optional 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
c6a9bdb140 spelling 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
5edb5d0275 move out generic fast packet building into fast.c 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
6a74bba8f9 move out generic fast packet building into fast.c 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
e372cc6b8a re-shuffle to make c90 compatible 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
1af9487bff got fetch armor key 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
a1feab396e more ticket bits 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
d04289855e more bits 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
96299ac2bb no warnings 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
3b034b231d more bits 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
7802e24170 first drop of the AS-REQ FAST + krb-error FAST codepath 2011-07-24 20:24:34 -07:00
Love Hornquist Astrand
f2c7370609 announce fx-fast 2011-07-24 20:24:34 -07:00
Love Hörnquist Åstrand
f102ee7831 compiler warning 2011-07-24 19:56:09 -07:00
Love Hörnquist Åstrand
1124c4872d KVNOs are krb5uint32 in RFC4120, make it so 2011-07-24 14:23:45 -07:00
Love Hörnquist Åstrand
af4aea85ae cast to avoid size_t vs int issue 2011-07-24 13:07:07 -07:00
Love Hörnquist Åstrand
c5db78a3c2 switch to use use_strongest_server_key 
use the same behavior as 1.4 release.
 2011-07-24 10:33:28 -07:00
Stefan Metzmacher
296548d34a kdc: pass down the delegated_proxy_principal to the verify_pac() function 
This is needed in order to add the S4U_DELEGATION_INFO to the pac.

metze

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
 2011-07-23 11:48:11 -07:00
Stefan Metzmacher
626d2607d5 kdc/windc_plugin.h: KRB5_WINDC_PLUGIN_MINOR 4 => 5 
commit "heimdal Add support for extracting a particular KVNO from the database"
(f469fc6d49 in heimdal/master
 and 9b5e304ccedc8f0f7ce2342e4d9c621417dd1c1e in samba/master)
changed the windc_plugin interface, so we need to change the
version number.

metze

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
 2011-07-23 11:48:11 -07:00
Stefan Metzmacher
aabb937b46 kdc: don't allow self delegation if a backend check_constrained_delegation() hook is given 
A service should use S4U2Self instead of S4U2Proxy.

Windows servers allow S4U2Proxy only to explicitly configured
target principals.

metze

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
 2011-07-23 11:48:11 -07:00
Stefan Metzmacher
6cb0e81760 kdc: pass down the server hdb_entry_ex to check_constrained_delegation() 
This way we can compare the already canonicalized principals,
while still passing the client specified target principal down
to the backend specific constrained_delegation() hook.

metze

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
 2011-07-23 11:48:11 -07:00
Stefan Metzmacher
d6a56b847b kdc: use the correct client realm in the EncTicketPart 
With S4U2Proxy tgt->crealm might be different from tgt_name->realm.

metze

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
 2011-07-23 11:48:11 -07:00
Love Hörnquist Åstrand
12403a31ce sprinkle more windows files 2011-07-23 11:18:21 -07:00
Love Hörnquist Åstrand
7aaba443bc add NTMakefile and windows directories 2011-07-17 12:16:59 -07:00
Love Hörnquist Åstrand
d756ad019a make tests pass again 2011-06-19 11:49:33 -07:00
Stefan Metzmacher
e54d07a9b6 kdc: check and regenerate the PAC in the s4u2proxy case 
TODO: we need to add a S4U_DELEGATION_INFO to the PAC later.

metze

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
 2011-06-19 10:26:11 -07:00
Stefan Metzmacher
9ab4070800 kdc: pass the correct principal name for the resulting service ticket 
Depending on S4U2Proxy the principal name for the resulting
ticket is not the principal of the client ticket.

metze

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
 2011-06-19 10:26:11 -07:00
Stefan Metzmacher
2c031ca78c kdc: let check_PAC() to verify the incoming server and krbtgt cheksums 
For a normal TGS-REQ they're both signed with krbtgt key.
But for S4U2Proxy requests which ask for contrained delegation,
the keys differ.

metze

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
 2011-06-19 10:26:11 -07:00
Love Hörnquist Åstrand
e9e4f99f01 add missing space in log message 2011-06-14 22:00:25 -07:00
Nicolas Williams
f93a56f931 Set improved enctypes parameter defaults to better match the RFC. 
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
 2011-06-14 20:35:19 -07:00
Nicolas Williams
c06d5ebfda Fixes to patches that add *use-strong* parameters. 
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
 2011-06-14 20:35:19 -07:00
Nicolas Williams
8ada355954 Forgot to default use_strongest_server_key... 
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
 2011-06-14 20:35:19 -07:00
Nicolas Williams
76a192b906 Forgot to default preauth_use_strongest_session_key... 
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
 2011-06-14 20:35:19 -07:00
Nicolas Williams
256cf6ea12 This patch adds support for a use-strongest-server-key krb5.conf kdc parameter that controls how the KDC (AS and TGS) selects a long-term key from a service principal's HDB entry. If TRUE the KDC picks the strongest supported key from the service principal's current keyset. If FALSE the KDC picks the first supported key from the service principal's current keyset. 
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
 2011-06-14 20:35:19 -07:00
Nicolas Williams
481fe133b2 Also added preauth-use-strongest-session-key krb5.conf kdc parameter, similar to {as, tgs}-use-strongest-session-key. The latter two control ticket session key enctype selection in the AS and TGS cases, respectively, while the former controls PA-ETYPE-INFO2 enctype selection in the AS case. 
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
 2011-06-14 20:35:19 -07:00
Nicolas Williams
a7a8a7e95c Initial patch to add as-use-strongest-session-key and same for tgs krb5.conf parameters for the KDC. These control the session key enctype selection algorithm for the AS and TGS respectively: if TRUE then they prefer the strongest enctype supported by the client, the KDC and the target principal, else they prefer the first enctype fromt he client's list that is also supported by the KDC and the target principal. 
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
 2011-06-14 20:35:19 -07:00
Love Hornquist Astrand
0879b9831a remove trailing whitespace 2011-05-21 11:57:31 -07:00
Thomas Klausner
db8e287e41 Use "Fl Fl" for long options. 
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
 2011-05-21 11:54:14 -07:00
Jeffrey Altman
6850d6a65f avoid uninit variable and unreachable code warnings 
most of these warnings are not problems because of ample
use of abort() calls.  However, the large number of warnings
makes it difficult to identify real problems.  Initialize
the variables to shut up the compilers.

Change-Id: I8477c11b17c7b6a7d9074c721fdd2d7303b186a8
 2011-05-17 12:02:16 -04:00
Love Hornquist Astrand
657297a738 clean the last bits of KRB4 support in KDC 2011-05-07 11:44:15 -07:00
Love Hornquist Astrand
b1909b2daa Fixes from NetBSD via Thomas Klausner and Roland C. Dowdeswell 2011-05-04 21:31:10 -07:00
Love Hornquist Astrand
9a1a5e5da6 Mandoc and spelling fixes from Thomas Klausner 2011-04-29 20:37:33 -07:00