5cc4d5d2bd
heimdal Use a seperate krb5_auth_context for the delegated credentials
...
This makes it much more clear that the timestamp written here is not
used in mutual authentication.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org >
2010-10-02 20:47:12 -07:00
5dcc605f6b
Fix calling conventions for Windows
2010-08-20 13:14:10 -04:00
083b8b63ee
oids no longer compare to GSS_C_NO_OID
2010-07-22 23:21:44 -07:00
1021099f3d
rename external so that they can be included in array and struct initializer
2010-07-22 20:47:04 -07:00
2b1645aa08
catch error from as.*printf
2010-05-30 13:44:41 -07:00
a7e8f05c9b
Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]
...
This was introduced by checking the Kerberos 5 checksum as a
alternative to the 8003 checksum.
Thanks to MIT Kerberos and Shawn Emery for forwarding this issue
2010-05-26 11:53:31 -05:00
9f5772050b
Match old code and use krb5_sname_to_principal on the imported name for acquire cred.
...
Reported by Jan Rekorajski
2009-12-13 22:55:36 -08:00
5b7780b997
use krb5_auth_con_getremoteseqnumber
2009-12-04 21:35:18 -08:00
c402cda0a4
use krb5_auth_con_getremoteseqnumber
2009-12-04 21:30:06 -08:00
5a23717814
use krb5_auth_con_getremoteseqnumber
2009-12-04 21:29:48 -08:00
75a61b8842
krb5_build_authenticator is private
2009-10-05 22:09:23 -07:00
a132ffe757
Simplify krb5_build_authenticator and unexport
2009-10-05 19:52:28 -07:00
9e13b309d9
use krb5_make_principal
2009-10-04 11:29:43 -07:00
914417c5c8
Remove unused structure
2009-09-19 13:55:34 -07:00
103cc941eb
gssapi/krb5: set cred_handle in _gsskrb5_import_cred
...
metze
Signed-off-by: Love Hornquist Astrand <lha@h5l.org >
2009-09-18 14:29:50 -07:00
8f376895ae
drop export symbol
2009-08-29 08:51:00 -07:00
2f1a370cd3
hack for gss-wrap-iov to it work
...
Signed-off-by: Love Hornquist Astrand <lha@h5l.org >
2009-08-28 13:31:12 -07:00
74538fc2af
Plug memory leak in prf function
2009-08-27 18:30:28 -07:00
6c3f3fafa3
Don't leak kerberos credentials when trying dns canon
2009-08-27 18:30:28 -07:00
1999c85670
Make mech glue layer aware of composite mechs that uses mech glue layer credentials
...
This make it possible to use krb5/ntlm credentials with SPNEGO.
Needs some more work to avoid double fetching credentials.
2009-08-27 12:12:44 -07:00
d18cdee577
don't reset EC
2009-08-26 22:52:26 -07:00
559103b218
if not trailer set, init EC to 0
2009-08-26 21:40:07 -07:00
40a6abd116
gsskrb5: make the check for dcestyle and conf_req_flag == 0 more explicit
...
metze
Signed-off-by: Love Hornquist Astrand <lha@h5l.org >
2009-08-25 23:34:38 -07:00
560cb0c132
gsskrb5: fix ec and padding handling in _gssapi_unwrap_cfx_iov()
...
metze
Signed-off-by: Love Hornquist Astrand <lha@h5l.org >
2009-08-25 23:34:38 -07:00
76f0fb9170
gsskrb5: fix ec and padding handling in _gssapi_wrap_cfx_iov()
...
metze
Signed-off-by: Love Hornquist Astrand <lha@h5l.org >
2009-08-25 23:34:38 -07:00
f286dd5d64
gsskrb5: fix _gssapi_wrap_iov_length_cfx() - there's more than just krb5 overhead...
...
metze
Signed-off-by: Love Hornquist Astrand <lha@h5l.org >
2009-08-25 23:34:38 -07:00
1a0423fd3d
gsskrb5: make _gk_allocate_buffer() non static
...
metze
Signed-off-by: Love Hornquist Astrand <lha@h5l.org >
2009-08-25 23:34:38 -07:00
60725fd2f5
gsskrb5: add _gk_verify_buffers()
...
metze
Signed-off-by: Love Hornquist Astrand <lha@h5l.org >
2009-08-25 23:34:37 -07:00
6618ca5ffc
switch to EVP_MD_CTX_create() and thus make smaller
2009-08-21 07:22:49 -07:00
56f90c5b19
switch to EVP_MD_CTX_create() and thus make smaller
2009-08-21 07:16:28 -07:00
f465930be7
switch to EVP_MD_CTX_create() and thus make smaller
2009-08-21 07:16:19 -07:00
dfd40e4403
switch to EVP_MD_CTX_create() and thus make smaller
2009-08-21 07:16:09 -07:00
03cb3aa56b
use EVP_MD_CTX_create
2009-08-20 17:13:09 -07:00
88d55a1d06
Make compile for weak crypto global (HEIM_WEAK_CRYPTO) and use it for GSSAPI too
2009-08-17 18:06:42 +02:00
fc702a97f5
switch to use EVP interface instead of old crypto interface
2009-08-17 17:30:59 +02:00
62433c844c
switch to use EVP interface instead of old crypto interface
2009-08-17 16:02:45 +02:00
fcfa32b0b9
Use constant time memcmp
2009-08-17 12:04:51 +02:00
42cec58cb4
switch to use EVP interface instead of old crypto interface
2009-08-17 11:43:24 +02:00
ddb54ca483
switch to use EVP interface instead of old MDX_ style interface
2009-08-17 10:16:13 +02:00
13c3b9b1c6
switch to use EVP interface instead of old MDX_ style interface
2009-08-17 10:15:31 +02:00
639e93d436
switch to use EVP interface instead of old MDX_ style interface
2009-08-17 10:14:24 +02:00
3ef05891ee
switch to use EVP interface instead of old MDX_ style interface
2009-08-17 10:13:04 +02:00
ddb8230917
switch to use EVP interface instead of old MDX_ style interface
2009-08-17 10:10:42 +02:00
6ac304d156
Use min() instead of MIN()
2009-08-14 20:05:36 +02:00
95993f222c
Fix order of flags, passes regression test now
2009-08-05 13:42:34 +02:00
0ede7ac561
Pass down the use-dce-style flag instead of the while gssapi krb5 context
2009-08-05 12:00:07 +02:00
ab9e5d13ec
gsskrb5: try to be compatible with windows for gss_wrap* and cfx
...
The good thing is that windows and heimdal both use EC=0
in the non DCE_STYLE case, so we need the windows compat hack
only in DCE_STYLE mode.
metze
Signed-off-by: Love Hornquist Astrand <lha@h5l.org >
2009-08-04 20:22:05 +02:00
0297d047a4
gsskrb5: add support for DCE_STYLE and des and des3 keys
...
Only the des keys are tested as windows doesn't support des3
metze
Signed-off-by: Love Hornquist Astrand <lha@h5l.org >
2009-08-04 20:21:20 +02:00
fa502c6648
Add support for gss_{import,export}_cred() as requested by metze
...
Works for krb5 and SPNEGO mechanisms. Kerberos credentials are passed as
credential cache names, or if there are memory based credentials, inband in the protocol. This means that the credentials buffers must be keep secret.
As documented by IBM (they have the wrong prototype though)
and GGF (GSS-API Extensions) back in 2001
2009-07-29 13:36:02 +02:00
565236c603
Add store-cred to the dispatch table
2009-07-28 09:50:05 +02:00
Andrew Bartlett