oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
29,746 Commits 2 Branches 2 Tags
717ad8b04393353b51d9fd430c65e179fcdefb44
Commit Graph

430 Commits

Author SHA1 Message Date
Love Hornquist Astrand
9a21fddb70 use kdc_request_t for add_enc_pa_req 2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
6319f31ecf break out KRB5_PADATA_REQ_ENC_PA_REP 2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
1e048065c1 switch to _kdc_r_log 2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
68bd6f63e8 move PKINIT to a preauth mech too 2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
07342aa138 Add and use _kdc_set_e_text() 2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
13eeb30a1d Create a request structure 2011-07-24 20:24:37 -07:00
Love Hornquist Astrand
0332787e0f Hide client name of privacy reasons 2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
17d5f8d19e make AS work with FAST 2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
6c31f5a95f free ac after its used 2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
a2bcf8bbdd break out mk_error 2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
04983dfd94 Preserve outer error 2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
4561012998 fix up to update kdc_db_fetch 2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
79703dc3cc memory management 2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
8eb256ea00 send enc challange in KDC reply 2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
7151d4e66c partial handling of ENC-CHALLANGE 2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
7d1a059f9e comment why we add cookie 2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
1fac725de4 send cookie on error and send right error message 2011-07-24 20:24:36 -07:00
Love Hornquist Astrand
deed0642d0 Handle ticket checksum 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
bcbcc67ab7 try handle finished message, ticket processing missing 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
35d4b23a22 start error codes finish message 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
c6a9bdb140 spelling 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
6a74bba8f9 move out generic fast packet building into fast.c 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
e372cc6b8a re-shuffle to make c90 compatible 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
1af9487bff got fetch armor key 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
a1feab396e more ticket bits 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
d04289855e more bits 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
96299ac2bb no warnings 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
3b034b231d more bits 2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
7802e24170 first drop of the AS-REQ FAST + krb-error FAST codepath 2011-07-24 20:24:34 -07:00
Love Hornquist Astrand
f2c7370609 announce fx-fast 2011-07-24 20:24:34 -07:00
Love Hörnquist Åstrand
e9e4f99f01 add missing space in log message 2011-06-14 22:00:25 -07:00
Nicolas Williams
c06d5ebfda Fixes to patches that add *use-strong* parameters. 
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
 2011-06-14 20:35:19 -07:00
Nicolas Williams
481fe133b2 Also added preauth-use-strongest-session-key krb5.conf kdc parameter, similar to {as, tgs}-use-strongest-session-key. The latter two control ticket session key enctype selection in the AS and TGS cases, respectively, while the former controls PA-ETYPE-INFO2 enctype selection in the AS case. 
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
 2011-06-14 20:35:19 -07:00
Nicolas Williams
a7a8a7e95c Initial patch to add as-use-strongest-session-key and same for tgs krb5.conf parameters for the KDC. These control the session key enctype selection algorithm for the AS and TGS respectively: if TRUE then they prefer the strongest enctype supported by the client, the KDC and the target principal, else they prefer the first enctype fromt he client's list that is also supported by the KDC and the target principal. 
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
 2011-06-14 20:35:19 -07:00
Love Hornquist Astrand
0879b9831a remove trailing whitespace 2011-05-21 11:57:31 -07:00
Jeffrey Altman
6850d6a65f avoid uninit variable and unreachable code warnings 
most of these warnings are not problems because of ample
use of abort() calls.  However, the large number of warnings
makes it difficult to identify real problems.  Initialize
the variables to shut up the compilers.

Change-Id: I8477c11b17c7b6a7d9074c721fdd2d7303b186a8
 2011-05-17 12:02:16 -04:00
Love Hornquist Astrand
f5f9014c90 Warning fixes from Christos Zoulas 
- shadowed variables
- signed/unsigned confusion
- const lossage
- incomplete structure initializations
- unused code
 2011-04-29 20:25:05 -07:00
Andrew Bartlett
6ee82593ec heimdal Pass F_CANON down to the hdb layer for servers in AS-REP as well 
This fixes Win2003 domain logons against Samba4, which need a
canonicalised reply, and helpfully do set that flag.

Specifically, they need that realm in krbtgt/realm@realm that these
both match exactly in the reply.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Feb 17 06:40:53 CET 2011 on sn-devel-104

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
 2011-02-23 19:46:21 -08:00
Andrew Bartlett
10f9468f9d heimdal Return HDB_ERR_NOT_FOUND_HERE to the caller 
This means that no reply packet should be generated, but that instead
the user of the libkdc API should forward the packet to a real KDC,
that has a full database.

Andrew Bartlett

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
 2010-11-28 19:40:07 -08:00
Andrew Bartlett
f469fc6d49 heimdal Add support for extracting a particular KVNO from the database 
This should allow master key rollover.

(but the real reason is to allow multiple krbtgt accounts, as used by
Active Directory to implement RODC support)

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
 2010-11-28 09:52:54 -08:00
Love Hornquist Astrand
c29933e1f5 set reply_key to NULL 2010-04-07 23:01:46 -07:00
Love Hornquist Astrand
dde9ae659b drop RCSID 2010-03-16 12:50:09 -07:00
Love Hornquist Astrand
f2611400b0 Set e_text for more cases 2010-03-07 02:44:25 -08:00
Asanka Herath
6f22fb3bb1 (kdc/kerberos5.c) VC isn't C99 2009-12-01 16:43:39 -05:00
Love Hornquist Astrand
a895e85526 When a TS-ENC key was verified, send the salt for that key in the reply 2009-11-22 09:51:49 -08:00
Love Hornquist Astrand
79fe41bbb9 cetype unused 2009-11-22 06:36:13 -08:00
Love Hornquist Astrand
6df0783c7e Redo client key handling for AS 
Pick the replykey to be the same as the preauth key, this allows
us to delay the picking of client key to when its needed, this
means that we can have a reply keys for PKINIT that is independant
of what keys the client have.
 2009-11-22 00:58:53 -08:00
Love Hornquist Astrand
79597c6a3a use krb5_get_error_message() 2009-11-03 23:33:50 -08:00
Love Hornquist Astrand
678f9f9f07 [HEIMDAL-533] KDC sends TGS-REP encrypted in session key not authenticator 
From RFC 4120, page 35

   In preparing the authentication header, the client can select a sub-
   session key under which the response from the Kerberos server will be
   encrypted.  If the client selects a sub-session key, care must be
   taken to ensure the randomness of the selected sub-session key.

The client library alread handle this case.

Thanks to Sam Hartman to report this though Debian
 2009-10-11 08:46:53 -07:00
Love Hornquist Astrand
c1a54a5e37 Make KRB5SignedPath less fragile, only sign trivial parts of the encTicketPart 
Sign the client and auth time (like its done in the PAC) and let that
be ehough for now. Add a Typed hole so that we don't break wireprotocol
next time.
 2009-08-12 23:05:36 +02:00