We now have what we need in krb5_principal to implement much of RFC6680.
Now we populate those fields so that they can be accessed by GSS-API
RFC6680 name attributes functions.
The next commit should add much of the GSS-API RFC6680 name attributes
functions and functionality.

* Anonymous pkinit responses from the KDC where the name
type is not well-known (as issued by 7.5 KDCs and earlier)
are accepted by the client. There is no need for the client
to strictly enforce the name type.
* With historical_anon_pkinit = true, the kinit(1) client's
"--anonymous" option only performs anon pkinit, and does
not require an '@' prefix for the realm argument.
* With historical_anon_realm = true, the KDC issues anon
pkinit tickets with the legacy pre-7.0 "real" realm.

_krb5_principal_is_anonymous() is used outside lib/krb5 and
therefore it needs to be properly exported and its flag macros
need to be in a public header: krb5.h not krb5_locl.h.
Including krb5_locl.h from within kuser_locl.h for instance
results in build failures on Solaris.
This change renames the function and makes it part of the public
API.
Change-Id: I130d1698b10bdbd150b95e8c7d32dfc362889ce6

Add _krb5_principal_is_anonymous() private API for checking if a principal is
anonymous or not. The third argument determines whether to match authenticated
anonymous, unauthenticated anonymous, or both types of principal.

In _krb5_extract_ticket() the KDC-REP service name must be obtained from
the encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unencrypted version provides an
opportunity for successful server impersonation and other attacks.
Identified by Jeffrey Altman, Viktor Dukhovni and Nico Williams.
Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c

This will shortly be removed from krb5.asn1.
This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.
The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.
Andrew Bartlett based on work by metze to remove it from other parts of the code
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Most of these warnings are not problems because of ample
use of abort() calls. However, the large number of warnings
makes it difficult to identify real problems. Initialize
the variables to shut up the compilers.
Change-Id: I8477c11b17c7b6a7d9074c721fdd2d7303b186a8

Where we had
  IF-RELEVANT::
    WIN2K-PAC
  IF-RELEVANT::
    SIGNED-PATH
The recursion into find_type_in_ad() for the second element would set
ret = ENOENT, and therefore the tail would set *found = FALSE, despite
the data already being found.
From Andrew Bartlett
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18922 ec53bebd-3082-4978-b11e-865c3cabbd6b
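
Added example, not Heimdal's code: a simplified C model of the find_type_in_ad() behaviour described in the commit message above, next to a corrected shape. The struct, type values, function names and sample data are hypothetical and constructed for illustration; decode errors are not modelled.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model: a node is a leaf with a type, or an IF-RELEVANT
 * container of children. Type values and sample data are constructed. */
enum { T_IF_RELEVANT = 1, T_WIN2K_PAC, T_SIGNED_PATH };
struct ad { int type; const struct ad *kids; size_t nkids; };

static const struct ad pac[] = { { T_WIN2K_PAC, NULL, 0 } };
static const struct ad sp[]  = { { T_SIGNED_PATH, NULL, 0 } };
static const struct ad sample[] = { { T_IF_RELEVANT, pac, 1 }, { T_IF_RELEVANT, sp, 1 } };

/* Described defect: a miss inside a later container overwrites ret with
 * ENOENT, and the tail then clears *found although an earlier hit set it. */
static int find_buggy(const struct ad *v, size_t n, int type, int *found)
{
    int ret = ENOENT;
    for (size_t i = 0; i < n; i++) {
        if (v[i].type == type) { *found = 1; ret = 0; }
        else if (v[i].type == T_IF_RELEVANT)
            ret = find_buggy(v[i].kids, v[i].nkids, type, found);
    }
    if (ret) *found = 0;
    return ret;
}

/* Corrected shape: a miss in one container is not an error, *found is only
 * ever set, and ENOENT is decided once from the final flag. */
static int find_fixed(const struct ad *v, size_t n, int type, int *found)
{
    for (size_t i = 0; i < n; i++) {
        if (v[i].type == type) *found = 1;
        else if (v[i].type == T_IF_RELEVANT)
            (void)find_fixed(v[i].kids, v[i].nkids, type, found);
    }
    return *found ? 0 : ENOENT;
}

/* Search the constructed sample with either version; returns the found flag. */
int lookup(int (*fn)(const struct ad *, size_t, int, int *), int type)
{
    int found = 0;
    (void)fn(sample, 2, type, &found);
    return found;
}
int main(void)
{
    printf("%d %d\n", lookup(find_buggy, T_WIN2K_PAC), lookup(find_fixed, T_WIN2K_PAC));
    return 0;
}
```

The buggy version's result depends on element order: it still reports the element in the last container, which is why this kind of defect can pass a test that only looks for one type.
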
KRB5_AUTHDATA_IF_RELEVANT and KRB5_AUTHDATA_AND_OR (but have
KRB5_AUTHDATA_KDC_ISSUED commented out for now)
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16247 ec53bebd-3082-4978-b11e-865c3cabbd6b