Commits on Apr 3, 2009
  1. Implement strengthen key

    hartmans committed Apr 3, 2009
    Per ietf-krb-wg discussion, the reply key mechanism is being replaced
    with a strengthen key mechanism.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22166 dc483132-0cff-0310-8789-dd5450dbe970
  2. Advertise FAST in supported preauth types

    hartmans committed Apr 3, 2009
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22165 dc483132-0cff-0310-8789-dd5450dbe970
  3. Implement test for ad-fx-armor

    hartmans committed Apr 3, 2009
    Implement a test program to replace the TGT in the ccache with a
    ticket with the ad-fx-armor authorization data.  This can be used to
    confirm that a KDC honors this authorization data.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22164 dc483132-0cff-0310-8789-dd5450dbe970
  4. Implement KDC side cookie handling

    hartmans committed Apr 3, 2009
    Return a constant cookie in errors to indicate that clients should
    continue their conversations.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22163 dc483132-0cff-0310-8789-dd5450dbe970
  5. Implement PRF for RC4 enctypes

    hartmans committed Apr 3, 2009
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22162 dc483132-0cff-0310-8789-dd5450dbe970
  6. Client-side cookie support

    hartmans committed Apr 3, 2009
    Echo the pa-fx-cookie back to the KDC.
    No need to store cookie padata in the state structure; removed.
    If cookie is not present and FAST is being used, do not retry after error.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22161 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Apr 1, 2009
  1. TGS error path can end up with null state if it fails too soon. In

    hartmans committed Apr 1, 2009
    this case do not call into FAST.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22158 dc483132-0cff-0310-8789-dd5450dbe970
  2. Initialize request state in the TGS path.

    hartmans committed Apr 1, 2009
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22157 dc483132-0cff-0310-8789-dd5450dbe970
  3. Fix memory management errors detected through static analysis; thanks…

    hartmans committed Apr 1, 2009
    … Greg Hudson.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22156 dc483132-0cff-0310-8789-dd5450dbe970
  4. fast_options is a KerberosFlags not an int32

    hartmans committed Apr 1, 2009
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22155 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Mar 26, 2009
  1. When FAST is enabled, do not use encrypted timestamp

    hartmans committed Mar 26, 2009
    pre-authentication.  FAST mandates encrypted challenge.  Encrypted
    timestamp ends up using the raw client key in the AS reply.  Also, if
    encrypted timestamp is enabled, it is preferred to any plugin.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22146 dc483132-0cff-0310-8789-dd5450dbe970
  2. Implement Encrypted Challenge fast factor

    hartmans committed Mar 26, 2009
    Implement the encrypted challenge fast factor.  As part of this,
    expose an interface for a preauth method to request the FAST armor
    key.
    
    * plugins/preauth/encrypted_challenge: new plugin
    * include/krb5/krb5.hin: constants (keyusages) for encrypted challenge
    * include/k5-int.h krb5/os/accessor.c: expose interfaces needed by encrypted challenge
    * kdc/kdc_preauth.c lib/krb5/krb/preauth2.c include/krb5/preauth_plugin.h: interface for
              fast armor key
    * kdc/do_as_req.c: make fast state available to preauth
    * lib/krb5/krb/get_in_tkt.c: initialize etype based on etype of AS reply
    * lib/krb5/krb/preauth2.c: Etype given to plugins tracked the same way as etype used internally
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22145 dc483132-0cff-0310-8789-dd5450dbe970
  3. Reject non-armor ticket use of AD-FX-ARMOR

    hartmans committed Mar 26, 2009
    Reject tickets or authenticators that have AD-FX-ARMOR and are used
    with the TGS per draft-ietf-krb-wg-preauth-framework.
    
    * kdc_util.c find authdata and reject
    * krb5.hin include constant
    * libkrb5.exports: export krb5int_find_authdata
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22144 dc483132-0cff-0310-8789-dd5450dbe970
  4. FAST response only when FAST in use

    hartmans committed Mar 26, 2009
    Client should expect a FAST response only when fast is being used.
    krb5int_fast_process_response now returns success if FAST is not in use.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22143 dc483132-0cff-0310-8789-dd5450dbe970
  5. KDC TGS FAST support

    hartmans committed Mar 26, 2009
    * Correct TGS armor key handling
    * Use appropriate checksum type for FAST responses from KDC
    * FAST response handling for TGS replies and errors
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22142 dc483132-0cff-0310-8789-dd5450dbe970
  6. KDC handling of FAST response

    hartmans committed Mar 26, 2009
    Integrate FAST response handling into AS reply and error paths.  Add
    support for encrypting and generating PA_FX_FAST_REPLY.  Use that
    support in the AS.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22141 dc483132-0cff-0310-8789-dd5450dbe970
  7. FAST encrypted response for client

    hartmans committed Mar 26, 2009
    Implement routine to decrypt FAST response.  Use this in
    process_error.  Implement new krb5int_fast_process_response to process
    FAST in an AS-REP or TGS-rep.  Call that routine from
    krb5_get_init_creds.
    Add a new error code for FAST required but not supported.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22140 dc483132-0cff-0310-8789-dd5450dbe970
  8. Do not include cookie in outer padata on client

    hartmans committed Mar 26, 2009
    If the cookie is going to be present in the inner padata then
    krb5int_fast_process_error is the wrong place to emit it.
    Instead it should be added to the padata in the preauth loop.
    This patch removes it from the outer padata.
    In addition, it is easier if the cookie is stored as a pa_data on the client rather than a krb5_data.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22139 dc483132-0cff-0310-8789-dd5450dbe970
  9. Remove FAST finish checksum

    hartmans committed Mar 26, 2009
    Per discussion on ietf-krb-wg, the checksum is unnecessary if a nonce
    is included in the response.  For this to be secure, the cookie needs
    to be inner padata when FAST is used.
    
    * kdc/fast.c: when constructing fast responses include the nonce
    * lib/krb5/krb/fast.c: generate a random nonce for each time a fast request is constructed
    * add nonce field to fast_response
    * remove checksum field from fast_finished
    * Look for cookie as inner padata when FAST is used
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22138 dc483132-0cff-0310-8789-dd5450dbe970
  10. do_as_req: decode kdc_req_body

    hartmans committed Mar 26, 2009
    Pull the kdc_req_body out of the ASN.1 packet and pass in to be
    checksummed; the code previously incorrectly passed in the entire
    kdc_req.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22137 dc483132-0cff-0310-8789-dd5450dbe970
  11. Set status when kdc_find_fast fails in do_as_req.c

    hartmans committed Mar 26, 2009
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22136 dc483132-0cff-0310-8789-dd5450dbe970
  12. ap-request armor handling for KDC

    hartmans committed Mar 26, 2009
    Implement support for ap-request armor handling in the KDC FAST routines.
    
    * export needed decoders and free functions from libkrb5
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22135 dc483132-0cff-0310-8789-dd5450dbe970
  13. Implement client AS armor

    hartmans committed Mar 26, 2009
    * fast_armor_ap_request: generate ap_request armor
    * krb5int_fast_as_armor: parse GIC options and request armor
    * krb5_get_init_creds: call
    * krb5_get_init_creds_opt_set_fast_ccache_name: API to indicate where armor credentials are found
    * krb5_free_fast_armored_req: implement
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22134 dc483132-0cff-0310-8789-dd5450dbe970
  14. default to not retrying after error in client preauth loop

    hartmans committed Mar 26, 2009
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22133 dc483132-0cff-0310-8789-dd5450dbe970
  15. Integrate fast in KDC AS errors

    hartmans committed Mar 26, 2009
    Call kdc_fast_handle_error from prepare_as_error.  Also, decode either
    td or pa sequence in e_data and feed into fast's idea of a pa
    sequence.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22132 dc483132-0cff-0310-8789-dd5450dbe970
  16. Client AS-req error handling for FAST

    hartmans committed Mar 26, 2009
    Find and decode the fast_response and fx_error.
    Pull out padata and re-encode as typed-data
    
    * Implement krb5_free_typed_data
    * implement error handling logic in krb5int_fast_handle_error
    * Implement krb5int_find_pa_data
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22131 dc483132-0cff-0310-8789-dd5450dbe970
  17. Implement free_fast_response and free_fast_finished

    hartmans committed Mar 26, 2009
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22130 dc483132-0cff-0310-8789-dd5450dbe970
  18. Implement KDC side FAST response

    hartmans committed Mar 26, 2009
    Implement generation of fast_response, partial finish and fx_error.
    Add reply key to state.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22129 dc483132-0cff-0310-8789-dd5450dbe970
  19. Free the request in process_as_req for parallelism with TGS case. Thi…

    hartmans committed Mar 26, 2009
    …s permits the FAST code to free the outer request if FAST is in use.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22128 dc483132-0cff-0310-8789-dd5450dbe970
  20. Some fast free functions

    hartmans committed Mar 26, 2009
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22127 dc483132-0cff-0310-8789-dd5450dbe970
  21. Integrate FAST in to client AS sending

    hartmans committed Mar 26, 2009
    Functions to generate FAST request and to manage client fast state.  Integrate into client AS req loop.
    
    Most of this is stub code although the integration points and arguments should be correct.
    
    * Call into fast to prepare the request body.  If FAST is being used,
    this may end up hiding the names in the future in the outer request.
    
    * Call into FAST to prepare the request before sending.  This will
    generate the FAST padata and return an encoded outer request.
    
    * Call into fast to handle error replies, potentially extracting
    padata and information on whether to continue processing.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22126 dc483132-0cff-0310-8789-dd5450dbe970
  22. Integrate FAST into AS and TGS

    hartmans committed Mar 26, 2009
    Integrate calls to lookup FAST padata into the AS and TGS paths.
    kdc_util needs to return a pointer to the pa-tgs-req padata for the
    fast checksum.
    
    This code does not generate fast responses or errors yet.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22125 dc483132-0cff-0310-8789-dd5450dbe970
  23. Function to parse FAST for KDC requests

    hartmans committed Mar 26, 2009
    * Add fast_util to KDC
    * export fast_req decoder from libkrb5
    * Function to find a fast request, extract and use inner body
    * functions to free and create kdc_request_state
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22124 dc483132-0cff-0310-8789-dd5450dbe970
  24. defines for fast padata assignments

    hartmans committed Mar 26, 2009
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22123 dc483132-0cff-0310-8789-dd5450dbe970
  25. Add kdc_state field to krb5_kdc_req

    hartmans committed Mar 26, 2009
    Add a kdc_state field to track internal state in handling a request.
    The current usage is to pass FAST information to pre-authentication
    plugins.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22122 dc483132-0cff-0310-8789-dd5450dbe970