diff options
author | Andrew Bartlett <abartlet@samba.org> | 2006-11-08 01:48:35 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:25:21 -0500 |
commit | f722b0743811a4a5caf5288fa901cc8f683b9ffd (patch) | |
tree | 3aaa2473a79fc58ad937723b67510f4bf0d0cc6a /source4/heimdal/kdc | |
parent | e10791a36451da82906cd7cec66c7a54802353b5 (diff) | |
download | samba-f722b0743811a4a5caf5288fa901cc8f683b9ffd.tar.gz samba-f722b0743811a4a5caf5288fa901cc8f683b9ffd.tar.bz2 samba-f722b0743811a4a5caf5288fa901cc8f683b9ffd.zip |
r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in favour of a more tasteful replacement.
Remove kerberos_verify.c, as we don't need that code any more.
Replace with code for using the new krb5_rd_req_ctx() borrowed from
Heimdal's accecpt_sec_context.c
Andrew Bartlett
(This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50)
Diffstat (limited to 'source4/heimdal/kdc')
-rw-r--r-- | source4/heimdal/kdc/kerberos5.c | 13 | ||||
-rwxr-xr-x | source4/heimdal/kdc/pkinit.c | 38 |
2 files changed, 42 insertions, 9 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index 19287b31cc..84c16190f9 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kerberos5.c,v 1.223 2006/10/17 02:16:29 lha Exp $"); +RCSID("$Id: kerberos5.c,v 1.224 2006/11/04 17:05:28 lha Exp $"); #define MAX_TIME ((time_t)((1U << 31) - 1)) @@ -1063,13 +1063,14 @@ _kdc_as_rep(krb5_context context, free_PA_ENC_TS_ENC(&p); if (abs(kdc_time - p.patimestamp) > context->max_skew) { char client_time[100]; - + krb5_format_time(context, p.patimestamp, client_time, sizeof(client_time), TRUE); - ret = KRB5KRB_AP_ERR_SKEW; - kdc_log(context, config, 0, - "Too large time skew, client time %s is out by %u > %u seconds -- %s", + ret = KRB5KRB_AP_ERR_SKEW; + kdc_log(context, config, 0, + "Too large time skew, " + "client time %s is out by %u > %u seconds -- %s", client_time, (unsigned)abs(kdc_time - p.patimestamp), context->max_skew, diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c index e3d77c0621..1a300cce3e 100755 --- a/source4/heimdal/kdc/pkinit.c +++ b/source4/heimdal/kdc/pkinit.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: pkinit.c,v 1.72 2006/10/24 17:51:33 lha Exp $"); +RCSID("$Id: pkinit.c,v 1.73 2006/11/07 17:24:57 lha Exp $"); #ifdef PKINIT @@ -528,8 +528,10 @@ _kdc_pk_rd_padata(krb5_context context, &eContent, &signer_certs); if (ret) { - kdc_log(context, config, 0, - "PK-INIT failed to verify signature %d", ret); + char *s = hx509_get_error_string(kdc_identity->hx509ctx, ret); + krb5_warnx(context, "PKINIT: failed to verify signature: %s: %d", + s, ret); + free(s); goto out; } @@ -1376,6 +1378,36 @@ _kdc_pk_initialize(krb5_context context, return ret; } + { + hx509_query *q; + hx509_cert cert; + + ret = hx509_query_alloc(kdc_identity->hx509ctx, &q); + if (ret) { + krb5_warnx(context, "PKINIT: out of memory"); + return ENOMEM; + } + + hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); + hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); + + ret = hx509_certs_find(kdc_identity->hx509ctx, + kdc_identity->certs, + q, + &cert); + hx509_query_free(kdc_identity->hx509ctx, q); + if (ret == 0) { + if (hx509_cert_check_eku(kdc_identity->hx509ctx, cert, + oid_id_pkkdcekuoid(), 0)) + krb5_warnx(context, "WARNING Found KDC certificate " + "is missing the PK-INIT KDC EKU, this is bad for " + "interoperability."); + hx509_cert_free(cert); + } else + krb5_warnx(context, "PKINIT: failed to find a signing " + "certifiate with a public key"); + } + ret = krb5_config_get_bool_default(context, NULL, FALSE, |