Add support for the "rxkad-kdf" protocol for deriving rxkad session keys
from non-DES Kerberos session keys. This allows rxkad to be used in
realms where the KDC is unwilling or unable to issue tickets with
single-DES session keys.
This fixes a segfault if the _kdc_db_fetch function does not find
the entry in the database (the entry pointer will be NULL if entry
is not found).
Signed-off-by: Samuel Cabrero <scabrero@zentyal.com>
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
RFC6112 provides a method of computing a session key when the PKINIT DH
is used, and mandates it for anonymous pkinit. The session key is computed
using KRB-FX-CF2 from the reply key and a random key chosen by the kdc.
The random key is provided to the client, which is supposed to verify
that the session key was computed this way.
rfc6112 requires kdcs implementing anonymous PKINIT to include an
empty PKINIT-KX padata in PREAUTH_REQUIRED messages.
Including this improves compatibility with MIT kerberos.
The KDC Option and Ticket Flag for the anonymous extension were changed
from 14 to 16 due to a conflict with S4U2Proxy in version 11 of the anonymous
draft (now RFC6112). Fix the definitions
A comparison of (len > len + 1) is permitted to be optimized out
as dead code because it can't be true. Overflowing is an exceptional
condition that results in undefined behavior. The correct conditional
is (len == SIZE_MAX) when len is size_t.
Change-Id: Ia5586556a973d9fa5228430c4304ea9792c996bb
When running as a service under systemd, kadmin cannot successfully use
setpgid(). The call fails with EPERM. Do not treat this as a fatal
error; instead, allow kadmind to continue starting up.
Provide a new internal function called get_switched() to encapsulate
the algorithm for selecting a credential cache when the selected
ccache type supports switching. There is no change in behavior for
UNIX which always calls krb5_cc_new_unique(). However, on Windows
alternate behavior is provided when the ccache type is API or MSLSA.
For the API ccache the default ccache name is stored in the Windows
registry which is shared across all logon sessions belonging to a
user. For users that are members of the Administrators group this
includes both the UAC restricted and elevated sessions sharing the
same desktop. It is very disconcerting when the elevated session obtains
credentials for the same client principal as the restricted session
and then all apps in the restricted session lose access to their
credential cache. For Windows, the API credential caches are named
after the principal that is stored within them. It provides for a
better end user experience.
For the MSLSA ccache tickets belonging to multiple principals are
all stored within the MSLSA ccache. As a result, all attempts to
switch ccache names default back to the one and only one name.
Change-Id: I7865cd044cff01ff38ab107ec0961e42788fa073
Now that test_fx checks 1DES keys, we need to call allow_weak_crypto on
the test's context.
Without this fix, "make check" was failing with the following error:
lt-test_fx: krb5_crypto_init: Encryption type des-cbc-crc not
supported
