From 25860eac35980ab0d8d786fe1d06ced26a04d2db Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Thu, 21 Sep 2006 01:48:50 +0000 Subject: Set the canonicalize flag in TGS requests and accept cross-realm referral tickets. We do not yet accept tickets in which the server name changes. * krb5_sname_to_principal: If there is no domain realm mapping return null realm *krb5_get_cred_via_tkt: New behavior as described below 1) the referrals case: - check for TGT for initial realm - if a remote realm was specified (which must have happened via a domain_realm mapping), obtain a TGT for it the standard way and start with that. - use client realm for server if not specified - iterate through this loop: - request ticket with referrals turned on - if that fails: - if this was the first request, punt to non-referrals case - otherwise, retry once without referrals turned on then terminate either way - if it works, either use the service ticket or follow the referral path - if loop count exceeded, hardfail 2) the nonreferrals case - this is mostly the old walk_realm_tree TGT-finding (which allows limited shortcut referrals per 4120) followed by a standard tgs-req. - originally requested principal is used for this, although if we were handed something without a realm, determine a fallback realm based on DNS TXT records or a truncation of the domain name. ticket: 2652 Owner: amb git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18598 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/include/k5-int.h | 17 +++++++++++++++++
 src/include/krb5/krb5.hin | 22 ++++++++++++++++++++--
 2 files changed, 37 insertions(+), 2 deletions(-)
(limited to 'src/include')
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index a55fea7a4..46f4e03e3 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1893,4 +1893,21 @@ extern int krb5int_prng_init(void);
 #define krb5_copy_error_state(CTX, OCTX) \
 krb5int_set_error(&(CTX)->errinfo, (OCTX)->errinfo.code, "%s", (OCTX)->errinfo.msg)
+/*
+ * Referral definitions, debugging hooks, and subfunctions.
+ */
+#define KRB5_REFERRAL_MAXHOPS 5
+/* #define DEBUG_REFERRALS */
+
+#ifdef DEBUG_REFERRALS
+void krb5int_dbgref_dump_principal(char *, krb5_principal);
+#endif
+
+/* Common hostname-parsing code. */
+krb5_error_code KRB5_CALLCONV krb5int_clean_hostname
+ (krb5_context,
+ const char *,
+ char *,
+ size_t);
+
 #endif /* _KRB5_INT_H */
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 23f93c7a9..418a21c0a 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -259,6 +259,16 @@ typedef const krb5_principal_data *krb5_const_principal;
 ? (princ)->data + (i) \
 : NULL)
+/*
+ * Constants for realm referrals.
+ */
+#define KRB5_REFERRAL_REALM ""
+
+/*
+ * Referral-specific functions.
+ */
+krb5_boolean KRB5_CALLCONV krb5_is_referral_realm(krb5_data *);
+
 /*
 * end "base-defs.h"
 */
@@ -554,6 +564,9 @@ krb5_error_code KRB5_CALLCONV
 #define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID 26
 #define KRB5_KEYUSAGE_PA_SAM_RESPONSE 27
+/* Defined in KDC referrals draft */
+#define KRB5_KEYUSAGE_PA_REFERRAL 26 /* XXX note conflict with above */
+
 krb5_boolean KRB5_CALLCONV krb5_c_valid_enctype
 (krb5_enctype ktype);
 krb5_boolean KRB5_CALLCONV krb5_c_valid_cksumtype
@@ -690,7 +703,7 @@ krb5_error_code krb5_decrypt_data
 /* #define KDC_OPT_RESERVED 0x00080000 */
 /* #define KDC_OPT_RESERVED 0x00040000 */
 #define KDC_OPT_REQUEST_ANONYMOUS 0x00020000
-/* #define KDC_OPT_RESERVED 0x00010000 */
+#define KDC_OPT_CANONICALIZE 0x00010000
 /* #define KDC_OPT_RESERVED 0x00008000 */
 /* #define KDC_OPT_RESERVED 0x00004000 */
 /* #define KDC_OPT_RESERVED 0x00002000 */
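Review bot: The new `krb5int_clean_hostname` prototype hands the callee a bare `char *` plus `size_t` but nothing on the declaration says what the function guarantees about that buffer, and a copy-into-fixed-buffer helper is exactly where an unstated truncation rule turns into a bug later. I would put the contract on the declaration, e.g. `/* Writes the cleaned hostname into the size_t-byte output buffer, NUL-terminated; returns an error rather than silently truncating when it does not fit. */`, adjusted to whatever the implementation actually does, since it is not in this diff. The debug hook `krb5int_dbgref_dump_principal(char *, krb5_principal)` takes a label it presumably only prints, so `const char *` would let callers pass string literals cleanly. `KRB5_REFERRAL_MAXHOPS 5` is, going by the commit message, the only thing bounding the referral-chasing loop, so a one-line note such as `/* Cap on referral hops followed for one request; exceeding it is a hard failure. */` would stop someone raising it casually.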
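Review bot: `krb5_is_referral_realm(krb5_data *)` is a predicate over an input it has no reason to modify, and because it lands in the public krb5.hin the parameter should be `const krb5_data *` now, before callers and the ABI freeze it: `krb5_boolean KRB5_CALLCONV krb5_is_referral_realm(const krb5_data *);`. `KRB5_REFERRAL_REALM ""` also needs a sentence on what an empty realm means, since an empty string is otherwise indistinguishable from a malformed principal; something like `/* Empty realm in a server principal: the realm is unknown and the KDC is asked to resolve it via referrals. */`, tightened to match the handling in the .c files, which are not in this diff. Because this sentinel delegates realm choice to the KDC, whatever consumes the referral reply still has to check that the ticket it gets back is for an acceptable realm and service name; the commit message says server-name changes are not yet accepted, which is the right conservative default and worth restating next to this definition.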
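Review bot: `KRB5_KEYUSAGE_PA_REFERRAL` is defined as 26, the same value as `KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID` two lines above it, and the added `XXX` comment records the collision without saying what must not happen because of it. Key-usage numbers are what keeps keystreams and checksums derived from one key separate across protocol contexts (RFC 3961 section 3); if both PA-DATA types are ever encrypted under the same key with usage 26, a blob produced for one context verifies as valid in the other. I would either keep the constant out of the public header until the referrals draft's number is reconciled, or make the comment an explicit prohibition: `#define KRB5_KEYUSAGE_PA_REFERRAL 26 /* XXX same value as PA_SAM_CHALLENGE_TRACKID above; do not encrypt or verify anything with this usage until the draft number is reconciled */`. Whether any code in this commit actually uses the usage is not visible from the headers.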
@@ -873,7 +886,8 @@ krb5_error_code krb5_decrypt_data
 #define KRB5_PADATA_SAM_RESPONSE 13 /* draft challenge system response */
 #define KRB5_PADATA_PK_AS_REQ 14 /* PKINIT */
 #define KRB5_PADATA_PK_AS_REP 15 /* PKINIT */
-#define KRB5_PADATA_ETYPE_INFO2 19
+#define KRB5_PADATA_ETYPE_INFO2 19
+#define KRB5_PADATA_REFERRAL 25 /* draft referral system */
 #define KRB5_PADATA_SAM_CHALLENGE_2 30 /* draft challenge system, updated */
 #define KRB5_PADATA_SAM_RESPONSE_2 31 /* draft challenge system, updated */
@@ -2242,6 +2256,10 @@ krb5_error_code KRB5_CALLCONV krb5_get_host_realm
 (krb5_context,
 const char *,
 char *** );
+krb5_error_code KRB5_CALLCONV krb5_get_fallback_host_realm
+ (krb5_context,
+ krb5_data *,
+ char *** );
 krb5_error_code KRB5_CALLCONV krb5_free_host_realm
 (krb5_context,
 char * const * );
-- cgit
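Review bot: The `-`/`+` pair for `KRB5_PADATA_ETYPE_INFO2 19` reads as identical text on both sides, so it appears to be a whitespace-only change bundled into a feature commit; that is blame noise and worth dropping or splitting out. The new `KRB5_PADATA_REFERRAL 25 /* draft referral system */` should name the draft it was taken from and say the number is provisional, because a padata type renumbered between draft and RFC fails silently here, with the client simply ignoring the KDC's referral padata; e.g. `#define KRB5_PADATA_REFERRAL 25 /* KDC referrals Internet-Draft; number provisional until formally assigned */`, with the draft name filled in from the spec the implementation follows.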
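Review bot: `krb5_get_fallback_host_realm` takes the hostname as a non-const `krb5_data *` although it is an input the function should not modify; as a new public export the prototype ought to read `(krb5_context, const krb5_data *, char ***)` before anything depends on it. The declaration also has no comment, and this one needs it more than its neighbours: per the commit message the fallback realm comes from DNS TXT records or from truncating the domain name, neither of which is authenticated, so callers must treat the result as a guess for the KDC to confirm or reject rather than as a trusted mapping. I would add above the prototype `/* Guess a realm for a host with no explicit mapping (DNS TXT lookup or domain-name truncation -- unauthenticated; treat the result as a hint). Free the result with krb5_free_host_realm(). */`, confirming the lookup order against the implementation since it is not in this diff. The neighbouring `krb5_get_host_realm` declaration begins on the hunk-header context line, outside the hunk proper.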