RE: MS kerb drafts
Here are a couple of small diffs so far.. you may want
to wait until I've finished this before integrating, but
I mightn't have time to work on this for a few weeks.
- check returned principals after calling db_fetch();
if not local, return KDC_ERROR_WRONG_REALM (not
tested yet)
- let backend canonicalize principal name
- add KRB5_NT_X500_PRINCIPAL to lib/asn1/k5.asn1
- add AuthorizationData to hdb_entry
- add WRONG_REALM to krb5_err.et
cheers,
-- Luke
diff -r -u heimdal-0.4e.orig/kdc/kerberos5.c heimdal-0.4e/kdc/kerberos5.c
--- heimdal-0.4e.orig/kdc/kerberos5.c Mon Jun 18 14:08:37 2001
+++ heimdal-0.4e/kdc/kerberos5.c Sun Oct 7 16:30:16 2001
@@ -477,6 +477,15 @@
goto out;
}
+ if (!krb5_realm_compare(context, client_princ, client->principal) &&
+ !f.canonicalize) {
+ kdc_log(0, "WRONG_REALM -- %s", client_name);
+ ret = KDC_ERROR_WRONG_REALM;
+ goto out;
+ }
+ krb5_free_principal(context, client_princ);
+ krb5_copy_principal(context, client->principal, &client_princ);
+
ret = db_fetch(server_princ, &server);
if(ret){
kdc_log(0, "UNKNOWN -- %s: %s", server_name,
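Review bot: The return value of `+ krb5_copy_principal(context, client->principal, &client_princ);` is ignored, and client_princ was freed on the line just before it, so if the copy fails client_princ is left pointing at released memory for the rest of the function — presumably including the cleanup reached by `goto out`, which would then release it a second time. Clear the pointer after the free and propagate the error: `client_princ = NULL;` `ret = krb5_copy_principal(context, client->principal, &client_princ);` `if (ret) goto out;`. The same unchecked free-then-copy pair appears in the hunks at -484 (server_princ), -1389 (princ) and -1633 (sp and cp) and needs the same treatment. The enclosing function starts and ends outside this hunk.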
@@ -484,6 +493,15 @@
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out;
}
+ if (!krb5_realm_compare(context, server_princ, server->principal) &&
+ !f.canonicalize) {
+ kdc_log(0, "WRONG_REALM -- %s", server_name);
+ ret = KDC_ERROR_WRONG_REALM;
+ goto out;
+ }
+
+ krb5_free_principal(context, server_princ);
+ krb5_copy_principal(context, server->principal, &server_princ);
ret = check_flags(client, client_name, server, server_name, TRUE);
if(ret)
@@ -1389,6 +1407,9 @@
goto out2;
}
+ krb5_free_principal(context, princ);
+ krb5_copy_principal(context, krbtgt->principal, &princ);
+
if(ap_req.ticket.enc_part.kvno &&
*ap_req.ticket.enc_part.kvno != krbtgt->kvno){
char *p;
@@ -1594,7 +1615,11 @@
kdc_log(0, "TGS-REQ %s from %s for %s", cpn, from, spn);
server_lookup:
ret = db_fetch(sp, &server);
-
+ /*
+ * XXX not sure what to do here, I think krbtgt is always
+ * a well known principal so name canonicalization referrals
+ * are unnecessary
+ */
if(ret){
Realm req_rlm, new_rlm;
krb5_realm *realms;
@@ -1633,9 +1658,15 @@
if (ret == ENOENT)
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out;
- }
+ } else {
+ krb5_free_principal(context, sp);
+ krb5_copy_principal(context, server->principal, &sp);
+ }
ret = db_fetch(cp, &client);
+ krb5_free_principal(context, cp);
+ krb5_copy_principal(context, client->principal, &cp);
+
if(ret)
kdc_log(1, "Client not found in database: %s: %s",
cpn, krb5_get_err_text(context, ret));
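Review bot: `+ krb5_copy_principal(context, client->principal, &cp);` executes before the result of `db_fetch(cp, &client)` is examined, yet the code right below tolerates a failed lookup (`if(ret) kdc_log(1, "Client not found in database: …`), so on that path client is not a valid entry and `client->principal` is read through a null or stale pointer; cp has also already been freed at that point. The free/copy pair should sit under a success check, as the server side of this same hunk already does with its `else` branch, and the copy's return should be checked so cp is never left dangling. The lookup-failure handling continues outside the hunk, and `out` is the cleanup label the hunk already jumps to.
```c
    ret = db_fetch(cp, &client);
    if (ret == 0) {
	krb5_free_principal(context, cp);
	cp = NULL;
	ret = krb5_copy_principal(context, client->principal, &cp);
	if (ret)
	    goto out;
    }
    /* … unchanged: "Client not found in database" logging … */
```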
diff -r -u heimdal-0.4e.orig/lib/asn1/k5.asn1 heimdal-0.4e/lib/asn1/k5.asn1
--- heimdal-0.4e.orig/lib/asn1/k5.asn1 Mon May 14 16:12:13 2001
+++ heimdal-0.4e/lib/asn1/k5.asn1 Thu Oct 4 17:39:16 2001
@@ -10,7 +10,8 @@
KRB5_NT_SRV_HST(3), -- Service with host name as instance
KRB5_NT_SRV_XHST(4), -- Service with host as remaining components
KRB5_NT_UID(5), -- Unique ID
- KRB5_NT_X500_PRINCIPAL(6) -- PKINIT
+ KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
+ KRB5_NT_ENTERPRISE_PRINCIPAL(10) -- Windows 2000
}
-- message types
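Review bot: The cover note lists KRB5_NT_X500_PRINCIPAL as the addition, but that entry already exists at `KRB5_NT_X500_PRINCIPAL(6)`; what this hunk actually adds is `KRB5_NT_ENTERPRISE_PRINCIPAL(10) -- Windows 2000`. Since the enumeration jumps from 6 to 10, the trailing comment should say that the gap is deliberate so nobody later "fixes" it to 7, e.g. `-- Windows 2000; value 10 follows the external assignment, gap after 6 is intentional`.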
diff -r -u heimdal-0.4e.orig/lib/hdb/hdb.asn1 heimdal-0.4e/lib/hdb/hdb.asn1
--- heimdal-0.4e.orig/lib/hdb/hdb.asn1 Fri Jun 22 00:54:53 2001
+++ heimdal-0.4e/lib/hdb/hdb.asn1 Thu Oct 4 17:17:58 2001
@@ -2,7 +2,7 @@
HDB DEFINITIONS ::=
BEGIN
-IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;
+IMPORTS AuthorizationData, EncryptionKey, KerberosTime, Principal FROM krb5;
HDB_DB_FORMAT INTEGER ::= 2 -- format of database,
-- update when making changes
@@ -64,7 +64,8 @@
max-renew[9] INTEGER OPTIONAL,
flags[10] HDBFlags,
etypes[11] SEQUENCE OF INTEGER OPTIONAL,
- generation[12] GENERATION OPTIONAL
+ generation[12] GENERATION OPTIONAL,
+ authorization-data[13] AuthorizationData OPTIONAL
}
END
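Review bot: `+ authorization-data[13] AuthorizationData OPTIONAL` extends hdb_entry without touching HDB_DB_FORMAT, whose own comment a few lines up reads `format of database, update when making changes`. Because the new field is OPTIONAL under a fresh tag, entries written by the old format still decode, but either the constant should be bumped or a comment should say why an optional trailing field does not require it; otherwise the next reader of that comment cannot tell whether the omission was deliberate. If the KDC is meant to copy this data into issued tickets, that is worth stating next to the field as well, so the backend write path is recognised as the trust boundary, e.g. `-- consumed by the KDC as-is; only trusted backend paths may write it`.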
diff -r -u heimdal-0.4e.orig/lib/krb5/krb5_err.et heimdal-0.4e/lib/krb5/krb5_err.et
--- heimdal-0.4e.orig/lib/krb5/krb5_err.et Thu Apr 6 10:41:37 2000
+++ heimdal-0.4e/lib/krb5/krb5_err.et Sun Oct 7 13:44:10 2001
@@ -77,6 +77,10 @@
error_code KEY_TOO_WEAK, "Key too weak"
error_code CERTIFICATE_MISMATCH, "Certificate mismatch"
prefix KRB5_AP_ERR
+error_code NO_TGT, "No ticket granting ticket"
+prefix KDC_ERROR
+error_code WRONG_REALM, "Realm not local to KDC"
+prefix KRB5_AP_ERR
error_code USER_TO_USER_REQUIRED, "User to user required"
prefix KDC_ERROR
error_code CANT_VERIFY_CERTIFICATE, "Cannot verify certificate"
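Review bot: The numeric value of each error_code is assigned by its position in the table, so inserting `error_code NO_TGT` and `error_code WRONG_REALM` ahead of USER_TO_USER_REQUIRED renumbers that entry and every one after it, including CANT_VERIFY_CERTIFICATE. The protocol assigns 67 to NO_TGT, 68 to WRONG_REALM, 69 to USER_TO_USER_REQUIRED and 70 to CANT_VERIFY_CERTIFICATE, so this placement is only correct if the entries preceding the hunk currently end at 66; please confirm against the generated header, because the value chosen here is what the KDC sends in KRB-ERROR and a mismatch makes peers misreport the failure. A short comment such as `# 67/68: NO_TGT and WRONG_REALM per the Kerberos error-code assignments` next to the new lines would document why they sit here rather than at the end of the table.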
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com