[Heimdal-source-changes] [heimdal/heimdal] f468c2: Use actual Ticket to construct AP-REQ

GitHub noreply at github.com
Fri Apr 14 01:11:54 CEST 2017


  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal
  Commit: f468c2fed1006b1a779e0bffe7e3d7d8af535972
      https://github.com/heimdal/heimdal/commit/f468c2fed1006b1a779e0bffe7e3d7d8af535972
  Author: Viktor Dukhovni <viktor at twosigma.com>
  Date:   2017-04-13 (Thu, 13 Apr 2017)

  Changed paths:
    M lib/krb5/build_ap_req.c

  Log Message:
  -----------
  Use actual Ticket to construct AP-REQ

When the cred passed to krb5_build_ap_req() has a different name for the actual
ticket (e.g., because the entry came from a ccache with an alias name as the
entry name) then we were putting a Ticket on the wire with the name from the
cred rather than from the Ticket in the cred.  We don't think this is intended
or desirable.  The server should see the Ticket _exactly_ as minted by the KDC.

Perhaps AP-REQ should have used an OCTET STRING to contain the Ticket given that
Ticket is a PDU, which would make a byte-for-byte copy trivial, but as it is it
uses Ticket instead.  Therefore this commit has it decode the Ticket from the
cred and then C struct assign that value to the AP-REP's ticket field -- this
then copies the Ticket exactly as vended.


  Commit: 10f3ab0f2abd6509db7eb8972d870c2fb39aecca
      https://github.com/heimdal/heimdal/commit/10f3ab0f2abd6509db7eb8972d870c2fb39aecca
  Author: Viktor Dukhovni <viktor at twosigma.com>
  Date:   2017-04-13 (Thu, 13 Apr 2017)

  Changed paths:
    M lib/krb5/get_cred.c

  Log Message:
  -----------
  Never store TGT "aliases"

When obtaining a remote TGT krbtgt/REALM2@REALM2, an intermediate
cross-realm TGT obtained for krbtgt/REALM2@REALM1 is not equivalent
to the TGT we seek, and must not be stored under its name.


  Commit: a4fb8984dd496b70adee48e71df856eb9be7712b
      https://github.com/heimdal/heimdal/commit/a4fb8984dd496b70adee48e71df856eb9be7712b
  Author: Viktor Dukhovni <viktor at twosigma.com>
  Date:   2017-04-13 (Thu, 13 Apr 2017)

  Changed paths:
    M lib/krb5/get_cred.c

  Log Message:
  -----------
  Do not ignore realm when checking for expected ticket or referral


  Commit: 1c6e1d5b1a32a34ba0881e615ca5df566fd64549
      https://github.com/heimdal/heimdal/commit/1c6e1d5b1a32a34ba0881e615ca5df566fd64549
  Author: Viktor Dukhovni <viktor at twosigma.com>
  Date:   2017-04-13 (Thu, 13 Apr 2017)

  Changed paths:
    M lib/krb5/get_cred.c

  Log Message:
  -----------
  Improve referral processing for TGTs

When using referrals to obtain krbtgt/A@B we're really looking for a
path to krbtgt/B first, and only then a ticket for krbtgt/A.


Compare: https://github.com/heimdal/heimdal/compare/b1e699103f08...1c6e1d5b1a32

