summaryrefslogtreecommitdiff
path: root/source4/heimdal/kdc
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2006-11-08 01:48:35 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:25:21 -0500
commitf722b0743811a4a5caf5288fa901cc8f683b9ffd (patch)
tree3aaa2473a79fc58ad937723b67510f4bf0d0cc6a /source4/heimdal/kdc
parente10791a36451da82906cd7cec66c7a54802353b5 (diff)
downloadsamba-f722b0743811a4a5caf5288fa901cc8f683b9ffd.tar.gz
samba-f722b0743811a4a5caf5288fa901cc8f683b9ffd.tar.bz2
samba-f722b0743811a4a5caf5288fa901cc8f683b9ffd.zip
r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in favour of a more tasteful replacement.
Remove kerberos_verify.c, as we don't need that code any more. Replace with code for using the new krb5_rd_req_ctx() borrowed from Heimdal's accecpt_sec_context.c Andrew Bartlett (This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50)
Diffstat (limited to 'source4/heimdal/kdc')
-rw-r--r--source4/heimdal/kdc/kerberos5.c13
-rwxr-xr-xsource4/heimdal/kdc/pkinit.c38
2 files changed, 42 insertions, 9 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 19287b31cc..84c16190f9 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: kerberos5.c,v 1.223 2006/10/17 02:16:29 lha Exp $");
+RCSID("$Id: kerberos5.c,v 1.224 2006/11/04 17:05:28 lha Exp $");
#define MAX_TIME ((time_t)((1U << 31) - 1))
@@ -1063,13 +1063,14 @@ _kdc_as_rep(krb5_context context,
free_PA_ENC_TS_ENC(&p);
if (abs(kdc_time - p.patimestamp) > context->max_skew) {
char client_time[100];
-
+
krb5_format_time(context, p.patimestamp,
client_time, sizeof(client_time), TRUE);
- ret = KRB5KRB_AP_ERR_SKEW;
- kdc_log(context, config, 0,
- "Too large time skew, client time %s is out by %u > %u seconds -- %s",
+ ret = KRB5KRB_AP_ERR_SKEW;
+ kdc_log(context, config, 0,
+ "Too large time skew, "
+ "client time %s is out by %u > %u seconds -- %s",
client_time,
(unsigned)abs(kdc_time - p.patimestamp),
context->max_skew,
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index e3d77c0621..1a300cce3e 100755
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: pkinit.c,v 1.72 2006/10/24 17:51:33 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.73 2006/11/07 17:24:57 lha Exp $");
#ifdef PKINIT
@@ -528,8 +528,10 @@ _kdc_pk_rd_padata(krb5_context context,
&eContent,
&signer_certs);
if (ret) {
- kdc_log(context, config, 0,
- "PK-INIT failed to verify signature %d", ret);
+ char *s = hx509_get_error_string(kdc_identity->hx509ctx, ret);
+ krb5_warnx(context, "PKINIT: failed to verify signature: %s: %d",
+ s, ret);
+ free(s);
goto out;
}
@@ -1376,6 +1378,36 @@ _kdc_pk_initialize(krb5_context context,
return ret;
}
+ {
+ hx509_query *q;
+ hx509_cert cert;
+
+ ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
+ if (ret) {
+ krb5_warnx(context, "PKINIT: out of memory");
+ return ENOMEM;
+ }
+
+ hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+ hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+
+ ret = hx509_certs_find(kdc_identity->hx509ctx,
+ kdc_identity->certs,
+ q,
+ &cert);
+ hx509_query_free(kdc_identity->hx509ctx, q);
+ if (ret == 0) {
+ if (hx509_cert_check_eku(kdc_identity->hx509ctx, cert,
+ oid_id_pkkdcekuoid(), 0))
+ krb5_warnx(context, "WARNING Found KDC certificate "
+ "is missing the PK-INIT KDC EKU, this is bad for "
+ "interoperability.");
+ hx509_cert_free(cert);
+ } else
+ krb5_warnx(context, "PKINIT: failed to find a signing "
+ "certifiate with a public key");
+ }
+
ret = krb5_config_get_bool_default(context,
NULL,
FALSE,