Love Hornquist Astrand
6df0783c7e
Redo client key handling for AS
...
Pick the replykey to be the same as the preauth key, this allows
us to delay the picking of client key to when it's needed, this
means that we can have reply keys for PKINIT that are independent
of what keys the client has.
2009-11-22 00:58:53 -08:00
Love Hornquist Astrand
dd67212157
add disable btmm support
2009-11-22 00:29:36 -08:00
Love Hornquist Astrand
847161193c
constify pkinit conf
2009-11-22 00:28:33 -08:00
Love Hornquist Astrand
4d48b172ab
add pkinit configuration for btmm
2009-11-22 00:28:13 -08:00
Love Hornquist Astrand
72fbb8714f
make pkinit non optional
2009-11-22 00:27:45 -08:00
Love Hornquist Astrand
010e7a9f5f
announce realm via bonjour
2009-11-22 00:27:14 -08:00
Love Hornquist Astrand
71c6fa48f6
bonjour_announce
2009-11-22 00:26:57 -08:00
Love Hornquist Astrand
dbb5002e68
generic digest service
2009-11-22 00:26:32 -08:00
Love Hornquist Astrand
74cce43c8c
make open log generic
2009-11-22 00:26:15 -08:00
Love Hornquist Astrand
04c3fc9882
add support for sandbox
2009-11-22 00:25:56 -08:00
Love Hornquist Astrand
b02039ae30
have require_hwauth
2009-11-22 00:25:31 -08:00
Love Hornquist Astrand
c5fffce8db
abstract out adding dbinfo
2009-11-22 00:24:55 -08:00
Love Hornquist Astrand
b05756994b
drop krb5_get_err_text
2009-11-04 20:03:55 -08:00
Love Hornquist Astrand
aa292cd80b
use krb5_get_error_message()
2009-11-03 23:51:11 -08:00
Love Hornquist Astrand
97dd51a2da
use krb5_get_error_message()
2009-11-03 23:50:45 -08:00
Love Hornquist Astrand
c01177976c
use krb5_warn
2009-11-03 23:49:04 -08:00
Love Hornquist Astrand
79597c6a3a
use krb5_get_error_message()
2009-11-03 23:33:50 -08:00
Love Hornquist Astrand
600b435d06
Spelling
...
From Luke Howard
2009-10-19 09:32:15 -07:00
Love Hornquist Astrand
91fd0b2f17
Spelling
...
From Luke Howard
2009-10-19 09:32:10 -07:00
Love Hornquist Astrand
678f9f9f07
[HEIMDAL-533] KDC sends TGS-REP encrypted in session key not authenticator
...
From RFC 4120, page 35
In preparing the authentication header, the client can select a sub-
session key under which the response from the Kerberos server will be
encrypted. If the client selects a sub-session key, care must be
taken to ensure the randomness of the selected sub-session key.
The client library already handles this case.
Thanks to Sam Hartman for reporting this through Debian
2009-10-11 08:46:53 -07:00
Matthias Dieter Wallnöfer
8457216616
heimdal kerberos - fix memory leak (free the plugin list always - not only in error cases)
...
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2009-10-03 11:13:09 -07:00
Love Hornquist Astrand
a5b04fe4b5
If et.authorization_data is not allocated, make it so.
...
Patch from Johan Gadsjö
2009-09-29 23:28:47 -07:00
Love Hornquist Astrand
af61cd2eb4
Use hx509_context that is built from krb5_context
2009-09-29 13:13:32 -07:00
Love Hornquist Astrand
2ec7e6b4fa
Use hx509_context that is built from krb5_context
2009-09-29 13:13:21 -07:00
Love Hornquist Astrand
e27f40b032
update usage for _krb5_pk_load_id
2009-09-29 11:28:51 -07:00
Love Hornquist Astrand
7fbe96b164
Paranoid in checking that we parsed the complete buffer
2009-09-29 08:26:17 -07:00
Love Hornquist Astrand
6fada85f78
if the UDP packet is truncated, return packet too large
2009-09-16 16:06:11 -07:00
Love Hornquist Astrand
6061cb5ee7
use max_request_str instead of max_request
2009-09-16 16:00:47 -07:00
Love Hornquist Astrand
984dd76fda
switch to EVP_MD_CTX_create() and thus make smaller
2009-08-21 07:15:06 -07:00
Love Hornquist Astrand
ec01d69f73
switch to use EVP interface instead of old crypto interface
2009-08-17 10:45:21 +02:00
Love Hornquist Astrand
c57fcae29a
switch to use EVP interface instead of old MDX_ style interface
2009-08-16 20:35:40 +02:00
Love Hornquist Astrand
729a13a985
switch to use EVP interface instead of old MDX_ style interface
2009-08-16 20:10:41 +02:00
Love Hornquist Astrand
4378f084ef
Switch to EVP_MD digest
2009-08-16 11:58:03 +02:00
Love Hornquist Astrand
c1a54a5e37
Make KRB5SignedPath less fragile, only sign trivial parts of the encTicketPart
...
Sign the client and auth time (like it's done in the PAC) and let that
be enough for now. Add a Typed hole so that we don't break wireprotocol
next time.
2009-08-12 23:05:36 +02:00
Love Hornquist Astrand
013fb45a7f
Make the send e_text on time skew error default to make it work with windows clients.
2009-08-04 20:19:44 +02:00
Andrew Bartlett
f8c121b282
Add support for user principal names in certificates [HEIMDAL-602]
...
This extends the PKINIT code in Heimdal to ask the HDB layer if the
User Principal Name in the certificate is an alias (perhaps just
by case change) of the name given in the AS-REQ. (This was a TODO in
the Heimdal KDC)
The testsuite is extended to test this behaviour, and the other PKINIT
certificate (using the standard method to specify a principal name in a
certificate) is updated to use an Administrator (not administrator).
(This fixes the kinit test).
2009-08-04 09:34:58 +02:00
Love Hornquist Astrand
09f64eb7c5
Free ent on failure [CID-171]
2009-07-30 09:59:23 +02:00
Love Hornquist Astrand
1ca716bbc7
Free buf on random generator error [CID-177]
2009-07-30 07:42:12 +02:00
Love Hornquist Astrand
9b710bed81
store is never read again
2009-07-29 22:37:58 +02:00
Love Hornquist Astrand
5d152d70eb
Indent
2009-07-16 22:56:59 -07:00
Love Hornquist Astrand
3634423f36
Allow specifying running user and chroot() environment
...
Allow the admin to switch the user the kdc is running under and
specify the chroot() directory to run in.
Please note you need a very special setup to get this working.
2009-07-16 22:15:26 -07:00
Love Hörnquist Åstrand
2076c1c93e
Add PAC to the first entry in the array since Windows and samba3 expects it there.
...
The problem was found by Matthieu Patou, who also created the first
patch, which I changed to look like what the current code looks like.
History is tracked in [HEIMDAL-582].
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25338 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-07-16 18:28:56 +00:00
Love Hörnquist Åstrand
97b8122bc6
Report HDB_AUTH_SUCCESS for PK-INIT too.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25308 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-07-03 04:34:18 +00:00
Love Hörnquist Åstrand
7829e74641
Provide auth_status to backend.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25307 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-07-03 04:33:06 +00:00
Love Hörnquist Åstrand
d3de015b79
Check locked-out flag for client and server.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25306 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-07-03 04:32:56 +00:00
Love Hörnquist Åstrand
8e2e176812
make compile
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25305 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-07-03 04:27:09 +00:00
Love Hörnquist Åstrand
5136167f15
if client delegates to itself, that's ok
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25304 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-07-03 04:26:57 +00:00
Love Hörnquist Åstrand
90de65f2be
If backend implements ->hdb_check_constrained_delegation, use it for processing.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25303 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-07-03 04:26:39 +00:00
Love Hörnquist Åstrand
868bd2dd69
sync check flags
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25300 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-07-03 04:26:00 +00:00
Love Hörnquist Åstrand
deef966478
sync check flags
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25299 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-07-03 04:25:46 +00:00