Age | Commit message | Author | Files | Lines |
|
The initial implementation of IAKERB in MIT krb5 mistakenly used
draft-zhu-ws-kerb instead of draft-kitten-ietf-iakerb, and
additionally used the wrong ASN.1 tag value for the target-realm field
of the IAKERB-HEADER sequence. Correct the following aspects of the
protocol implementation:
* Require and use framing on all messages, not just the initial
context token.
* Use extension value 2 for the finish message instead of 1.
* Use key usage value 41 instead of 42 for the finish message
checksum.
* Use UTF8String (12) for target-realm instead of OCTET STRING (4).
With these changes, the IAKERB implementation is interoperable with
other krb5 implementations, but not with the implementation before
these changes.
ticket: 9123 (new)
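As an added illustration of the last bullet above (example code, not part of this commit or of MIT krb5): a small DER encoder and strict decoder for the IAKERB-HEADER target-realm field. The SEQUENCE layout, with target-realm under explicit context tag [1] and an optional cookie under [2], is assumed from the IAKERB draft the message cites; the realm "EXAMPLE.COM" and the cookie bytes are constructed inputs. It shows that a decoder enforcing the UTF8String (12) inner tag rejects a header produced with the old OCTET STRING (4) tag, which is the interoperability break with the pre-fix implementation that the message describes.

```python
# Added example, not MIT krb5 code: minimal DER handling for IAKERB-HEADER.
# Assumed layout (from the IAKERB draft):
#   IAKERB-HEADER ::= SEQUENCE {
#       target-realm [1] UTF8String,
#       cookie       [2] OCTET STRING OPTIONAL }

UNIVERSAL_OCTET_STRING = 0x04   # inner tag used by the old, incorrect encoding
UNIVERSAL_UTF8STRING = 0x0C     # inner tag required after the fix (12)
SEQUENCE = 0x30
CONTEXT_CONSTRUCTED = 0xA0      # base byte for explicit [n] context tags


def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_iakerb_header(target_realm, cookie=None, string_tag=UNIVERSAL_UTF8STRING):
    """Encode an IAKERB-HEADER.  string_tag defaults to UTF8String; passing
    UNIVERSAL_OCTET_STRING reproduces the pre-fix (wrong) encoding."""
    fields = tlv(CONTEXT_CONSTRUCTED | 1, tlv(string_tag, target_realm.encode("utf-8")))
    if cookie is not None:
        fields += tlv(CONTEXT_CONSTRUCTED | 2, tlv(UNIVERSAL_OCTET_STRING, cookie))
    return tlv(SEQUENCE, fields)


def read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for the TLV at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length


def decode_iakerb_header(buf):
    """Strict decoder: rejects a target-realm whose inner tag is not UTF8String."""
    tag, seq, end = read_tlv(buf, 0)
    if tag != SEQUENCE or end != len(buf):
        raise ValueError("not a single SEQUENCE")
    tag, inner, pos = read_tlv(seq, 0)
    if tag != CONTEXT_CONSTRUCTED | 1:
        raise ValueError("missing [1] target-realm")
    stag, realm, _ = read_tlv(inner, 0)
    if stag != UNIVERSAL_UTF8STRING:
        raise ValueError("target-realm tag %#x is not UTF8String (12)" % stag)
    cookie = None
    if pos < len(seq):
        tag, inner, pos = read_tlv(seq, pos)
        if tag != CONTEXT_CONSTRUCTED | 2:
            raise ValueError("unexpected field after target-realm")
        stag, cookie, _ = read_tlv(inner, 0)
        if stag != UNIVERSAL_OCTET_STRING:
            raise ValueError("cookie is not OCTET STRING")
    return realm.decode("utf-8"), cookie


def interop_check(realm):
    """(new_ok, old_ok): whether the strict decoder accepts the corrected
    encoding and the pre-fix encoding of the same realm."""
    def accepts(blob):
        try:
            decode_iakerb_header(blob)
            return True
        except ValueError:
            return False
    new_blob = encode_iakerb_header(realm)
    old_blob = encode_iakerb_header(realm, string_tag=UNIVERSAL_OCTET_STRING)
    return accepts(new_blob), accepts(old_blob)


if __name__ == "__main__":
    # Constructed sample realm; prints the DER bytes and the interop result.
    print(encode_iakerb_header("EXAMPLE.COM").hex())
    print(interop_check("EXAMPLE.COM"))
```

The only byte that differs between the two encodings is the inner tag of target-realm (0x0c versus 0x04), which is why a peer implementing the draft cannot accept headers from the pre-fix code even though the lengths and realm bytes are identical.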
|
|
Remove all of the AD-SIGNEDPATH code. Instead, issue a signed minimal
PAC in all tickets and require a valid PAC to be present in all
tickets presented for S4U operations. Remove the get_authdata_info()
and sign_authdata() DAL methods, and add an issue_pac() method to
allow the KDB to add or copy buffers to the PAC. Add a disable_pac
realm flag.
Microsoft revised the S4U2Proxy rules for forwardable tickets. All
S4U2Proxy operations require forwardable evidence tickets, but
S4U2Self should issue a forwardable ticket if the requesting service
has no ok-to-auth-as-delegate bit but also no constrained delegation
privileges for traditional S4U2Proxy. Implement these rules,
extending the check_allowed_to_delegate() DAL method so that the KDC
can ask if a principal has any delegation privileges.
Combine the KRB5_KDB_FLAG_ISSUE_PAC and
KRB5_FLAG_CLIENT_REFERRALS_ONLY flags into KRB5_KDB_FLAG_CLIENT.
Rename the KRB5_KDB_FLAG_CANONICALIZE flag to
KRB5_KDB_FLAG_REFERRAL_OK, and only pass it to get_principal() for
lookup operations that can use a realm referral.
For consistency with Active Directory, honor the no-auth-data-required
server principal flag for S4U2Proxy but not for S4U2Self. Previously
we did the reverse.
ticket: 9044 (new)
|
|
|
|
Add a new internal header k5-spake.h. Add ASN.1 encoder and decoder
functions and an internal free function for SPAKE types. Add ASN.1
tests and asn1c test vectors for the new types.
The additions to make-vectors.c use C99 designated initializers in
order to initialize unions. This is okay since make-vectors.c is only
compiled as part of "make test-vectors" and not as part of the regular
build.
|
|
Add an internal type declaration, ASN.1 encoder and decoder functions,
an internal free function, and ASN.1 tests for krb5_secure_cookie.
The reference DER encoding was constructed by hand.
To save on space, we don't use context tags, and use an integer rather
than a KerberosTime for the timestamp. The timestamp is stored in a
time_t; this requires a bugfix to the 64-bit case in
asn1_encode.c:store_int().
[ghudson@mit.edu: reference encoding; decode test; minor adjustments to
free functions; added comments; alterations for space savings; commit
message]
|
|
Add internal type declarations for krb5_verifier_mac and krb5_cammac.
Add ASN.1 encoder and decoder functions and an internal free function
for krb5_cammac. Add ASN.1 tests for krb5_cammac as well as asn1c
test vectors for Verifier and AD-CAMMAC.
|
|
Handle encoding and decoding [MS-KKDCP] proxy messages, including
handling of the additional length bytes. Early versions of [MS-KKDCP]
incorrectly omit that the size of the proxied message is prepended to
the proxied message, as it is when we're using plain TCP, before
encoding the proxy-message structure. This is fixed at least as of
version 2.1 of the spec.
[nalin@redhat.com: add tests]
ticket: 7929
|
|
Add encoders and decoders for the OTP-TOKENINFO, PA-OTP-CHALLENGE,
PA-OTP-REQUEST, and PA-OTP-ENC-REQUEST types from RFC 6560. For more
thorough testing, add support for generating test encodings using
asn1c for sample objects (currently only for the OTP types).
|
|
This is a cosmetic change to reintroduce some space characters that
cff6ea939f061d17a5742a04b8eeb2905c1813dc removed, e.g. between the tag
and the length or short value.
|
|
Modify the trval output slightly so that the reference trval output
files don't contain trailing whitespace, to make them friendlier to
our git hooks. (The pkinit and ldap trval reference files now contain
a leading blank line, which isn't very elegant, but avoiding that
requires too much Makefile.in complexity.) Also correct a typo.
|
|
Use encode_run() for pa_data and etype_info tests.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25743 dc483132-0cff-0310-8789-dd5450dbe970
|
|
ticket: 7092
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25725 dc483132-0cff-0310-8789-dd5450dbe970
|
|
krb5_alt_method was added in r6604 but never supported. krb5_pwd_data
became unused when the Sandia kadmin system was replaced.
krb5_pa_server_referral_data and krb5_pa_svr_referral_data were added
in r21690 with internally-visible encoders which nothing uses.
Leave behind structure declarations in krb5.hin for API compatibility.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25619 dc483132-0cff-0310-8789-dd5450dbe970
|
|
r24403 removed the old SAM support, but left behind the structures,
free functions, and ASN.1 encoders/decoders. Remove those now.
(SAM-2 support is still present.)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25618 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Add test cases for ASN.1 types which didn't previously have them.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25610 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Merge branches/iakerb to trunk. Includes the following:
* New IAKERB mechanism.
* New gss_acquire_cred_with_password mechglue function.
* ASN.1 encoders and decoders for IAKERB structures (with tests).
* New shortcuts in gss-sample client and server.
* Tests to exercise SPNEGO and IAKERB using gss-sample application.
ticket: 6712
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23960 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Merge Luke's users/lhoward/s4u2proxy branch to trunk. Implements a
Heimdal-compatible mechanism for allowing constrained delegation
without back-end support for PACs. Back-end support exists in LDAP
only (via a new krbAllowedToDelegateTo attribute), not DB2.
ticket: 6580
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23160 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Merge Luke's users/lhoward/authdata branch to trunk. Implements GSS naming
extensions and verification of authorization data.
ticket: 6572
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22875 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Merge Luke's users/lhoward/s4u branch to trunk. Implements S4U2Self
and S4U2Proxy extensions.
ticket: 6563
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22736 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Export encode_krb5_sam_response_2 and encode_krb5_enc_sam_response_enc_2
via accessor. Add encode tests for encode_krb5_sam_key,
_enc_sam_response_enc, _predicted_sam_response, _sam_response_2,
_enc_sam_response_enc_2.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20922 dc483132-0cff-0310-8789-dd5450dbe970
|
|
form.
Also, if an etype_info fails to decode, skip it rather than failing to
process the AS reply.
Ticket: 1681
Tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15723 dc483132-0cff-0310-8789-dd5450dbe970
|
|
decoders.
Ticket: 1454
Status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15393 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Previously, a string of length zero was transmitted.
ticket: 1224
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14974 dc483132-0cff-0310-8789-dd5450dbe970
|
|
negative lr_type field.
* krb5_decode_test.c: Fix enc_kdc_rep_part tests to truly handle
a negative lr_type in a krb5_last_req_entry structure. If
KRB5_GENEROUS_LR_TYPE is defined, do a backwards compatibility
test as well.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12609 dc483132-0cff-0310-8789-dd5450dbe970
|
|
krb5_encode_test.c: Pass trval type hints to trval2() so that
datastructures get properly decoded.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11136 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7775 dc483132-0cff-0310-8789-dd5450dbe970
|
|
encoders and decoders.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7062 dc483132-0cff-0310-8789-dd5450dbe970
|
|
krb5_encode_test.c (main): Add tests for encode_krb5_{etype_info,alt_method}
ktest_equal.c (ktest_equal_krb5_alt_method,
ktest_equal_krb5_etype_info_entry,
ktest_equal_krb5_etype_info) New functions to test
{encode,decode}_krb5_{etype_info,alt_method}.
ktest.c (ktest_make_sample_etype_info_entry,
ktest_make_sample_etype_info,
ktest_make_sample_alt_method,
ktest_destroy_etype_info_entry, ktest_destroy_etype_info):
New functions to test {encode,decode}_krb5_{etype_info,alt_method}.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6607 dc483132-0cff-0310-8789-dd5450dbe970
|
|
krb5_decode_test.c (main): Add tests for decode_krb5_padata_sequence().
ktest.c (ktest_make_sample_empty_pa_data_array): New function which creates
an empty pa_data array.
trval.c: Various -Wall cleanups.
Makefile.in (trval): Add rule to build the standalone trval program.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6594 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5454 dc483132-0cff-0310-8789-dd5450dbe970
|
|
(The changes to the hex values have been hand checked to make sure
they are correct.)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5432 dc483132-0cff-0310-8789-dd5450dbe970
|
|
something we're going to want to check to make sure they're actually
correct.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@4612 dc483132-0cff-0310-8789-dd5450dbe970
|
|
ASN.1 unparser found in trval.c. This routine will attempt to decode
the ASN.1 data stream and display it in a logical format for a human
being to decipher.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@4611 dc483132-0cff-0310-8789-dd5450dbe970
|