[Heimdal-source-changes] [heimdal/heimdal] 32baf7: Fix TGS ticket enc-part key selection
GitHub
noreply at github.com
Mon Jul 29 23:59:55 CEST 2013
Branch: refs/heads/heimdal-1-5-branch
Home: https://github.com/heimdal/heimdal
Commit: 32baf75c3ec8aedf373ed68cc6dbd49fde664415
https://github.com/heimdal/heimdal/commit/32baf75c3ec8aedf373ed68cc6dbd49fde664415
Author: Nicolas Williams <nico at cryptonector.com>
Date: 2013-07-29 (Mon, 29 Jul 2013)
Changed paths:
M kdc/krb5tgs.c
Log Message:
-----------
Fix TGS ticket enc-part key selection
When I added support for configuring how the KDC selects session,
reply, and ticket enc-part keys I accidentally had the KDC use the
session key selection algorithm for selecting the ticket enc-part
key. This becomes a problem when using a Heimdal KDC with an MIT
KDB as the HDB backend and when the krbtgt keys are not in
strongest-to-weakest order, in which case forwardable tickets minted
by the Heimdal KDC will not be accepted by MIT KDCs with the same
KDB.
(cherry picked from commit 12cd2c9cbd1ca027a3ef9ac7ab3e79526b1348ae)
Conflicts:
kdc/krb5tgs.c
Change-Id: Iace4d27a7a4f1166efc1b858d944f0dab2587990
Commit: 50309911ba90a0c5c3881f518e16a88d59abc879
https://github.com/heimdal/heimdal/commit/50309911ba90a0c5c3881f518e16a88d59abc879
Author: Nicolas Williams <nico at cryptonector.com>
Date: 2013-07-29 (Mon, 29 Jul 2013)
Changed paths:
M kdc/krb5tgs.c
Log Message:
-----------
Fix check-des
The previous fix was incomplete. But it also finally uncovered an
old check-des problem that I'd had once and which may have gotten
papered over by changing the default of one of the *strongest* KDC
parameters. The old problem is that we were passing the wrong
enctype to _kdc_encode_reply(): we were passing the session key
enctype where the ticket enc-part key's enctype was expected.
The whole enctype being passed in is superfluous anyway. Let's
clean that up next.
Commit: ad7bb0311c41449921ab82fdcfb8545e801f6429
https://github.com/heimdal/heimdal/commit/ad7bb0311c41449921ab82fdcfb8545e801f6429
Author: Nicolas Williams <nico at cryptonector.com>
Date: 2013-07-29 (Mon, 29 Jul 2013)
Changed paths:
M kdc/krb5tgs.c
Log Message:
-----------
Rename and fix as/tgs-use-strongest-key config parameters
Different ticket session key enctype selection options should
distinguish between target principal type (krbtgt vs. not), not
between KDC request types.
Commit: fff00cc34536937974caccbb2278dab1562a5594
https://github.com/heimdal/heimdal/commit/fff00cc34536937974caccbb2278dab1562a5594
Author: Love Hornquist Astrand <lha at h5l.org>
Date: 2013-07-29 (Mon, 29 Jul 2013)
Changed paths:
M lib/krb5/krb5.conf.5
Log Message:
-----------
match code, pointed out by Sergio Gelato <Sergio.Gelato at astro.su.se>
(cherry picked from commit afa9db62ba8250d24e7e5beb0a1d91d6b2d0a85a)
Commit: 800345591daa0ec0d916fa71032b78f4c4e225c9
https://github.com/heimdal/heimdal/commit/800345591daa0ec0d916fa71032b78f4c4e225c9
Author: Nicolas Williams <nico at cryptonector.com>
Date: 2013-07-29 (Mon, 29 Jul 2013)
Changed paths:
M kdc/kerberos5.c
M lib/krb5/krb5.conf.5
Log Message:
-----------
Fix bug with use strongest session key feature
(cherry picked from commit f4f89ac8e0f8583b7a2a3413fee5526a5b137d5b)
Change-Id: I593b6ba7bdf050cc635baa463e741b584f0fa0bf
Commit: e1dd757fe13c818dfb259b540d84345d9e20f98b
https://github.com/heimdal/heimdal/commit/e1dd757fe13c818dfb259b540d84345d9e20f98b
Author: Nicolas Williams <nico at cryptonector.com>
Date: 2013-07-29 (Mon, 29 Jul 2013)
Changed paths:
M kdc/kerberos5.c
Log Message:
-----------
Check all three DES types
(cherry picked from commit 1f147f0fa66427c1976d5f88eb8bcdfe5f213287)
Commit: 2a5a96d60ec464e831274fda3e3b6653de96196f
https://github.com/heimdal/heimdal/commit/2a5a96d60ec464e831274fda3e3b6653de96196f
Author: Nicolas Williams <nico at cryptonector.com>
Date: 2013-07-29 (Mon, 29 Jul 2013)
Changed paths:
M kdc/kerberos5.c
Log Message:
-----------
When asking for the strongest key, get it right
(cherry picked from commit 1826106ff4befe3e7dffc18692e40bd244c0d8d8)
Commit: a2d0f8e3ee350f7db48d7bcd6eed775ff1ace6e4
https://github.com/heimdal/heimdal/commit/a2d0f8e3ee350f7db48d7bcd6eed775ff1ace6e4
Author: Jeffrey Altman <jaltman at secure-endpoints.com>
Date: 2013-07-29 (Mon, 29 Jul 2013)
Changed paths:
M kdc/kerberos5.c
Log Message:
-----------
_kdc_find_etype consolidation
The 'use_strongest_session_key' block and its alternate should
have similar behavior except for the order in which the enctype
lists are processed. This patchset attempts to consolidate the
exit processing and ensure that the inner loop enctype and key
validation is the same.
Bugs fixed:
1. In the 'use_strongest_session_key' case, the _kdc_is_weak_exception()
test was applied during the client enctype loop which is only
processed for acceptable enctypes. This test is moved to the
local supported enctypes loop so as not to filter out weak keys
when the service principal has an explicit exception.
2. In the 'use_strongest_session_key' case, the possibility of an
enctype having keys with more than one salt was excluded.
3. In the 'use_strongest_session_key' case, the 'key' variable was
not reset to NULL within each loop of the client enctype list.
4. In the '!use_strongest_session_key' case, the default salt test
and is_preauth were inconsistent with the 'use_strongest_session_key'
block.
With this consolidation, if no enctype is selected and the service
principal is permitted to use 1DES, then 1DES is selected. It doesn't
matter whether 'use_strongest_session_key' is in use or not.
Change-Id: Ib57264fc8bc23df64c70d39b4f6de48beeb54739
(cherry picked from commit 8f2d779663f4b1245cd53c3a593be94f5a616513)
Commit: 20090f7ba301453fc32bceda90125d043ff9210f
https://github.com/heimdal/heimdal/commit/20090f7ba301453fc32bceda90125d043ff9210f
Author: Jeffrey Altman <jaltman at secure-endpoints.com>
Date: 2013-07-29 (Mon, 29 Jul 2013)
Changed paths:
M kdc/kerberos5.c
Log Message:
-----------
_kdc_find_etype: do not return success if ret_key != NULL
If _kdc_find_etype() is being called with 'ret_key' != NULL, the
caller is attempting to find an actual principal key. If 'ret_key'
is NULL then it is seeking a session key type. Only return an enctype
that is not in the principal key list unless 'ret_key' is NULL.
As part of this change remove 'clientbest' and the associated
logic as it is both unnecessary and can produce an enctype for
which the key cannot be returned.
Change-Id: Iba319e95fc1eac139f00b0cce20e1249482d2c6f
(cherry picked from commit 95f2abc1168f7050edc20af13f3f31ffd6fb8e69)
Commit: 33a3a172ad3cf53764388efb8767ce5793b49a41
https://github.com/heimdal/heimdal/commit/33a3a172ad3cf53764388efb8767ce5793b49a41
Author: Jeffrey Altman <jaltman at secure-endpoints.com>
Date: 2013-07-29 (Mon, 29 Jul 2013)
Changed paths:
M kdc/misc.c
Log Message:
-----------
apply weak key exceptions to _kdc_get_preferred_key
As part of the keytype validity checks within _kdc_get_preferred_key
_kdc_is_weak_exception must be used to permit the afs/* principals
to have only DES in the key list.
Change-Id: I70801ce9b8c4d3f057542541ce11e06d195efd52
(cherry picked from commit 002a5acbf01efc2596a41b7685f03822b3895216)
Compare: https://github.com/heimdal/heimdal/compare/74ab0b29ebd1...33a3a172ad3c