[Heimdal-source-changes] [heimdal/heimdal] f468c2: Use actual Ticket to construct AP-REQ
GitHub
noreply at github.com
Fri Apr 14 01:11:54 CEST 2017
Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: f468c2fed1006b1a779e0bffe7e3d7d8af535972
https://github.com/heimdal/heimdal/commit/f468c2fed1006b1a779e0bffe7e3d7d8af535972
Author: Viktor Dukhovni <viktor at twosigma.com>
Date: 2017-04-13 (Thu, 13 Apr 2017)
Changed paths:
M lib/krb5/build_ap_req.c
Log Message:
-----------
Use actual Ticket to construct AP-REQ
When the cred passed to krb5_build_ap_req() has a different name for the actual
ticket (e.g., because the entry came from a ccache with an alias name as the
entry name) then we were putting a Ticket on the wire with the name from the
cred rather than from the Ticket in the cred. We don't think this is intended
or desirable. The server should see the Ticket _exactly_ as minted by the KDC.
Perhaps AP-REQ should have used an OCTET STRING to contain the Ticket given that
Ticket is a PDU, which would make a byte-for-byte copy trivial, but as it is it
uses Ticket instead. Therefore this commit has it decode the Ticket from the
cred and then C struct assign that value to the AP-REP's ticket field -- this
then copies the Ticket exactly as vended.
Commit: 10f3ab0f2abd6509db7eb8972d870c2fb39aecca
https://github.com/heimdal/heimdal/commit/10f3ab0f2abd6509db7eb8972d870c2fb39aecca
Author: Viktor Dukhovni <viktor at twosigma.com>
Date: 2017-04-13 (Thu, 13 Apr 2017)
Changed paths:
M lib/krb5/get_cred.c
Log Message:
-----------
Never store TGT "aliases"
When obtaining a remote TGT krbtgt/REALM2@REALM2, an intermediate
cross-realm TGT obtained for krbtgt/REALM2@REALM1 is not equivalent
to the TGT we seek, and must not be stored under its name.
Commit: a4fb8984dd496b70adee48e71df856eb9be7712b
https://github.com/heimdal/heimdal/commit/a4fb8984dd496b70adee48e71df856eb9be7712b
Author: Viktor Dukhovni <viktor at twosigma.com>
Date: 2017-04-13 (Thu, 13 Apr 2017)
Changed paths:
M lib/krb5/get_cred.c
Log Message:
-----------
Do not ignore realm when checking for expected ticket or referral
Commit: 1c6e1d5b1a32a34ba0881e615ca5df566fd64549
https://github.com/heimdal/heimdal/commit/1c6e1d5b1a32a34ba0881e615ca5df566fd64549
Author: Viktor Dukhovni <viktor at twosigma.com>
Date: 2017-04-13 (Thu, 13 Apr 2017)
Changed paths:
M lib/krb5/get_cred.c
Log Message:
-----------
Improve referral processing for TGTs
When using referrals to obtain krbtgt/A@B we're really looking for a
path to krbtgt/B first, and only then a ticket for krbtgt/A.
Compare: https://github.com/heimdal/heimdal/compare/b1e699103f08...1c6e1d5b1a32