Nicolas Williams
487b6820f6
Revamp name canonicalization code
2015-03-24 11:49:58 -05:00
Nicolas Williams
9fbbc4cf85
Refactor capath_worker() a bit more
2015-03-16 10:40:10 -05:00
Viktor Dukhovni
cfdf6d5cbe
gsskrb5: Make krb5 mech use referrals
...
Modify the gss krb5 mech to always use referrals unless the
KRB5_NCRO_NO_REFERRALS flag is set.
Change-Id: I7efd873ac922a43adafa2c492703b576847a885f
2015-03-14 16:08:32 -04:00
Nicolas Williams
8a5d50a328
krb5: do not store TGTs if GC_NO_STORE
...
krb5_get_credentials_with_flags() and krb5_get_creds() do not store
obtained TGTs if the KRB5_GC_NO_STORE flag is set.
Change-Id: Ie999ec4e985463ff60e9d499c3e870880033dfa7
2015-03-14 16:08:31 -04:00
Nicolas Williams
b84bdf213d
krb5: improve comments in get_cred_kdc_capath_worker
...
Change-Id: I0d47ada32fdc9f7938d69d93022f1daac80d4e88
2015-03-14 16:08:29 -04:00
Nicolas Williams
4f074487b4
krb5: reject referrals in capath code paths
...
In get_cred_kdc_capath_worker(), if the credentials obtained by
get_cred_kdc_address() do not exactly match the requested service
principal, discard them and return KRB5KC_ERR_S_PRINCIPAL_UNKNOWN.
Change-Id: Iaeacd07f87374f64e3a7bb860adfeb2dc9550fd1
2015-03-14 16:08:28 -04:00
Jeffrey Altman
e13c0946f6
krb5: refactor get_cred_kdc_capath_worker
...
This change adds a common out: path for all cleanup.
It also adjusts whitespace for consistency.
Change-Id: Ic90d6568a44aebc0c0adb64fad641e5420ea8e27
2015-03-14 16:08:26 -04:00
Nicolas Williams
c37f1b3e4f
krb5: Don't cache/reuse referral TGTs
...
Prior to this change _krb5_get_cred_kdc_any() would include TGTs obtained
via KDC referrals in the "*ret_tgts" array returned to the caller. The
caller typically stores these TGTs in the active credential cache.
However, referral TGTs must not be cached or reused for any request
beyond the one they were issued for. The referral is for a specific service
principal and the resulting TGT could include service specific AuthData.
The referral might also direct the client along a transitive path that
is specific to this service and not applicable in the general case.
This change removes the *ret_tgts parameter from get_cred_kdc_referral()
so that the obtained TGTs are never returned to its caller. This also
prevents these TGTs from being used by any subsequent call to
get_cred_kdc_capath().
Change-Id: Iacc76c5b1639af3cf6bf277966cfd1535dd1e84d
2015-03-14 16:08:25 -04:00
Nicolas Williams
0f1ae2d101
Use KRB5_TC_MATCH_TIMES when looking for creds
2013-09-12 12:14:39 -05:00
Jeffrey Altman
5f138a16ef
libkrb5: Add missing KRB5_LIB_FUNCTION/KRB5_LIB_CALL
...
KRB5_LIB_FUNCTION and KRB5_LIB_CALL are necessary even on private
functions that are exported.
Change-Id: Iccd0cfe87ff0a9d851e29890e9cb55b3ae517ce1
2013-06-22 21:17:32 -04:00
Roland C. Dowdeswell
27dd8621fb
Remove a couple of NULL dereferences in lib/krb5/get_cred.c.
2012-12-03 14:10:12 +08:00
Love Hörnquist Åstrand
1c17814e6f
fix memset
2012-11-17 14:12:22 -08:00
Nicolas Williams
3f86831c6c
Fix earlier fix for not passing forwardable and friends in TGS-REQs
2012-03-14 23:45:31 -05:00
Nicolas Williams
f13924f267
Fix TGS client to request renewable/forwardable/proxiable if possible
...
This is necessary because some applications actually need or run
better with renewable service tickets. kca is an example
application; AFS tokens are also another example.
2012-02-16 18:47:58 -06:00
Love Hörnquist Åstrand
1a1bd736c0
merge support for FAST in as-req codepath
2011-10-28 19:25:48 -07:00
Nicolas Williams
ce04492b36
Fix silly bug in krb5_get_credentials_with_flags()
2011-10-22 14:54:27 -05:00
Nicolas Williams
5c54736678
Removed "weak" option and implemented use-referrals/no-referrals
2011-10-22 14:54:26 -05:00
Nicolas Williams
f4471b11d6
Call krb5_set_error_message() and don't clobber ret in debug code
2011-10-22 14:54:25 -05:00
Nicolas Williams
9f5a43084c
Cleanups: s/ENOMEM/krb5_enomem(context)/
2011-10-22 14:54:25 -05:00
Nicolas Williams
a5e77c578e
Deferred hostname canon using name canon rules
2011-10-22 14:54:13 -05:00
Love Hornquist Astrand
aaf9594429
new use of _krb5_extract_ticket
2011-07-24 20:24:38 -07:00
Love Hörnquist Åstrand
0f489b7b28
unexport krb5_init_etype, remove duplicate code
2011-06-14 21:08:52 -07:00
Nicolas Williams
2fbad6432b
Initial support for default_{as, tgs}_etypes.
...
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-14 20:35:19 -07:00
Love Hornquist Astrand
0879b9831a
remove trailing whitespace
2011-05-21 11:57:31 -07:00
Jeffrey Altman
6850d6a65f
avoid uninit variable and unreachable code warnings
...
most of these warnings are not problems because of ample
use of abort() calls. However, the large number of warnings
makes it difficult to identify real problems. Initialize
the variables to shut up the compilers.
Change-Id: I8477c11b17c7b6a7d9074c721fdd2d7303b186a8
2011-05-17 12:02:16 -04:00
Love Hornquist Astrand
f5f9014c90
Warning fixes from Christos Zoulas
...
- shadowed variables
- signed/unsigned confusion
- const lossage
- incomplete structure initializations
- unused code
2011-04-29 20:25:05 -07:00
Love Hornquist Astrand
42f9c644cf
Also try key usage 8 for tgs-rep subkey
...
If this is a Windows 2000 DC, we need to retry with key usage 8 when doing ARCFOUR.
Thanks to Andrew and Tridge, who helped me debug this using their systems.
2010-11-29 11:19:24 -08:00
Love Hornquist Astrand
c6d0dea6be
remove dup prototype, fix the ok_as_delegate protocol
2010-11-25 11:21:05 -08:00
Asanka C. Herath
35ac353f73
Add forward declaration of get_cred_kdc_capth()
2010-11-24 15:33:14 -05:00
Love Hornquist Astrand
6184422fef
compare the value of the client realm now that it might not be the same pointer
...
fixes the check-delegate test that the new direct hop patch broke
2010-11-01 13:46:56 -07:00
Love Hornquist Astrand
a16f7ea0ab
add missing
...
prototype
2010-10-31 01:09:24 -07:00
Asanka C. Herath
a73d30e619
get_cred_kdc_capath() always try direct cross-realm first
2010-10-31 01:04:27 -07:00
Asanka Herath
5dcc605f6b
Fix calling conventions for Windows
2010-08-20 13:14:10 -04:00
Love Hornquist Astrand
4a6a9d026b
Plug double frees, patch originally from Matthias Dieter Wallnöfer
2010-06-29 08:12:55 -07:00
Love Hornquist Astrand
03262460dd
use krb5_principal_is_krbtgt
2010-03-07 01:01:32 -08:00
Love Hornquist Astrand
687db64c56
Patch from Secure Endpoints/Asanka Herath for windows support
2009-12-21 08:45:28 +01:00
Love Hornquist Astrand
dab6e078b2
more logging, track kdc offset better
2009-11-22 12:24:58 -08:00
Love Hornquist Astrand
ae56d6eede
unused variable
2009-11-17 15:51:41 -08:00
Love Hornquist Astrand
316fc6ff8f
Simplify subkey usage for tgs-req, don't rewrite tgs-rep-sub-key key usage for arcfour, it's correct
2009-11-15 21:31:25 -08:00
Love Hornquist Astrand
977acdd84d
Always send subkey and assume reply is encrypted using subkey
2009-10-11 09:12:01 -07:00
Love Hornquist Astrand
8e08aa0a15
Use krb5_free_keyblock()
2009-10-11 08:45:51 -07:00
Love Hornquist Astrand
57b40643b9
use server name for referral decision
2009-10-06 07:38:29 -07:00
Love Hornquist Astrand
6d1d17efed
don't canonicalize names that are shorter than 2 name elements
...
Since KDC will probably guess wrong on them, and doing
afs@CLIENT-REALM has too large a chance of actually working.
2009-10-05 22:07:47 -07:00
Love Hornquist Astrand
753e2cc925
Check that enctypes are valid/enabled before trying to request them
2009-10-05 19:17:11 -07:00
Love Hornquist Astrand
dc31556b7d
use krb5_generate_subkey_extended
2009-10-04 11:12:43 -07:00
Love Hornquist Astrand
9211c47a30
Deprecate krb5_get_cred_from_kdc{,_opt} since they are replacement functions
2009-07-17 20:38:32 -07:00
Love Hornquist Astrand
80021f5e05
Make get_cred_kdc_any a private function.
2009-07-17 20:36:42 -07:00
Love Hornquist Astrand
de5110c05a
(krb5_get_kdc_cred): make sure that out_creds points to NULL on failure
2009-07-16 23:54:54 -07:00
Love Hörnquist Åstrand
942a821fab
remove RCSID
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25171 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-05-04 06:17:40 +00:00
Love Hörnquist Åstrand
6adab55480
rename S4U2SELF to FOR_USER
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25046 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-04-03 04:04:54 +00:00