Commit Graph

2078 Commits

Author SHA1 Message Date
Nicolas Williams
0de18bdb5f Add missing lib/gssapi/test_add_store_cred.c 2015-04-01 20:28:31 -05:00
Nicolas Williams
f73c4edf69 Fix gss_store_cred() 2015-03-24 11:50:01 -05:00
Nicolas Williams
df41d53c67 Fix gss_add_cred() (krb5)
gss_add_cred() with GSS_C_NO_CREDENTIAL as the input_cred_handle should
act like gss_acquire_cred() with desired_mechs containing just the
desired_mech.
2015-03-24 11:50:01 -05:00
Nicolas Williams
533578e726 Make gss_store_cred() work 2015-03-24 11:50:00 -05:00
Nicolas Williams
487b6820f6 Revamp name canonicalization code 2015-03-24 11:49:58 -05:00
Jeffrey Altman
902aa4ee02 tests on Windows
Modify the NTMakefile rules for tests so that a failed test does
not prevent subsequent tests from being executed.

Change-Id: I9595ad4a1527feae7c402241bf06ab21a0b76d4a
2015-03-21 15:44:48 -04:00
Viktor Dukhovni
cfdf6d5cbe gsskrb5: Make krb5 mech use referrals
Modify the gss krb5 mech to always use referrals unless the
KRB5_NCRO_NO_REFERRALS flag is set.

Change-Id: I7efd873ac922a43adafa2c492703b576847a885f
2015-03-14 16:08:32 -04:00
Viktor Dukhovni
fca6363307 Drop delegated creds when target is NULL
In gsskrb5_accept_delegated_token() it is wrong to store the delegated
credentials in the default ccache by default.  When the caller does not
provide a target credential handle, we just do nothing and return success.

Test the return value of gsskrb5_accept_delegated_token() against
GSS_S_COMPLETE, rather than 0.
2015-03-10 03:07:29 +00:00
Viktor Dukhovni
ca052eadd5 Fix gss_inquire_cred_by_mech.
Delegated or other explicit credentials were mishandled, the code only
worked correctly when processing default credentials.  In particular
this caused root's default credential cache to be accessed when accepting
delegated credentials in SSH:

    ssh_gssapi_accept_ctx() ->
        ssh_gssapi_getclient() ->
	    gss_inquire_cred_by_mech()

When /tmp/krb5cc_0 contained expired tickets, cascaded credentials
stopped working for non-root users!
2015-03-10 03:07:29 +00:00
Jelmer Vernooij
70e43e9808 Fix some typos. 2014-04-25 02:42:17 +02:00
Volker Lendecke
b408e93ae3 heimdal: Fix 241482 Resource leak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
2014-03-24 23:07:50 -05:00
Andreas Schneider
cfc398d32e s4-heimdal: Remove the execute flag of cfx.c.
The scripts which are extracting debuginfo are looking for files with
the executable bit and find cfx.c which isn't a executable.
2014-03-24 23:07:49 -05:00
Love Hörnquist Åstrand
923246a66e clean files 2014-02-16 11:51:25 -08:00
Love Hörnquist Åstrand
01dbfac96f fix warnings 2014-02-14 19:45:46 -08:00
Luke Howard
788d39b3ce set m->gm_mech.gm_name 2014-01-04 16:31:01 +11:00
Luke Howard
4ff005a6a4 gm_mech_oid must be set
mechanism credentials created by dynamically loaded mechanisms do not work
because the gm_mech_oid field is unset for such mechanisms (instead, only
gm_mech.gm_mech_oid is).
2014-01-04 15:58:10 +11:00
Nicolas Williams
fdcb8f3862 Fix callers of heim_ntlm_encode_type3; make build 2013-11-20 01:20:01 -06:00
Nicolas Williams
7d45909537 Fix krb5's gss_pseudo_random() (n is big-endian)
The first enctype RFC3961 prf output length's bytes are correct because
the little- and big-endian representations of unsigned zero are the
same.  The second block of output was wrong because the counter was not
being encoded as big-endian.

This change could break applications.  But those applications would not
have been interoperating with other implementations anyways (in
particular: MIT's).
2013-10-30 14:26:15 -05:00
Jeffrey Altman
8fe301c692 Include krb5-private.h in gssapi/ntlm/crypto.c
Instead of locally defining prototypes for private functions
_krb5_crc_update and _krb5_crc_init_table simply include
krb5-private.h.

Change-Id: Ia7931f8df2e68eb038d112797edfd456ffcdd23a
2013-06-22 21:17:18 -04:00
Love Hornquist Astrand
4227e45a58 Merge branch 'nico/gss_constify' 2013-06-03 21:51:10 -07:00
Love Hornquist Astrand
060474df16 quel 64bit warnings, fixup implicit encoding for template, fix spelling 2013-06-03 21:46:20 -07:00
Nicolas Williams
774f166e31 First attempt s/\<const gss_.*_t/gss_const_.*_t/g 2013-06-02 15:30:58 -05:00
Love Hornquist Astrand
617f4b7bd5 use the exteral delete sec context that will locked the mutex 2013-04-29 11:08:46 -07:00
Love Hornquist Astrand
58ff480763 rewrite send to kdc to be more agressive, try kdcs in paralell and easier to configure behavior 2013-02-10 19:02:52 -08:00
Marco Molteni
8cc9326f64 Document some GSS-API functions and fix some spelling errors. No code changes.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2012-09-27 14:26:29 -07:00
Roland C. Dowdeswell
be5afdbf7f Make concurrent builds work.
To stop the errors when building concurrently, we make a number of
changes:

        1.  stop including generated files in *_SOURCES,

        2.  make *-protos.h and *-private.h depend on the *_SOURCES,

        3.  make all objects depend on *-{protos,private}.h,

        4.  in a few places change dir/header.h to $(srcdir)/dir/header.h,

This appears to work for me with make -j16 on a 4-way box.
2012-08-08 00:04:04 +01:00
Russ Allbery
39460d0045 Remove duplicate __gss_krb5_mechanism_oid_desc definition
__gss_krb5_mechanism_oid_desc is now defined in gssapi/gssapi_oid.h,
so remove the definition in gssapi/gssapi_krb5.h in favor of including
that header.

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2012-04-05 22:55:01 -07:00
Roland C. Dowdeswell
e8779d5d4a Add -Wshadow and deal with the warnings. 2012-02-21 11:17:55 +00:00
Roland C. Dowdeswell
cc47c8fa7b Turn on -Wextra -Wno-sign-compare -Wno-unused-paramter and fix issues.
We turn on a few extra warnings and fix the fallout that occurs
when building with --enable-developer.  Note that we get different
warnings on different machines and so this will be a work in
progress.  So far, we have built on NetBSD/amd64 5.99.64 (which
uses gcc 4.5.3) and Ubuntu 10.04.3 LTS (which uses gcc 4.4.3).

Notably, we fixed

	1.  a lot of missing structure initialisers,

	2.  unchecked return values for functions that glibc
	    marks as __attribute__((warn-unused-result)),

	3.  made minor modifications to slc and asn1_compile
	    which can generate code which generates warnings,
	    and

	4.  a few stragglers here and there.

We turned off the extended warnings for many programs in appl/ as
they are nearing the end of their useful lifetime, e.g.  rsh, rcp,
popper, ftp and telnet.

Interestingly, glibc's strncmp() macro needed to be worked around
whereas the function calls did not.

We have not yet tried this on 32 bit platforms, so there will be
a few more warnings when we do.
2012-02-20 19:45:41 +00:00
Andrew Bartlett
5ce504c1fb use ETYPE_DES3_CBC_SHA1 for the verify step in verify_mic_des3
This allows a strict link between checksum types and key types to be
enforced.

Andrew Bartlett

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2012-01-10 22:54:16 +01:00
Love Hornquist Astrand
623bd64f0c use sl_did_you_mean 2011-11-22 12:18:48 -08:00
Love Hornquist Astrand
f2319c2458 better help on unknown command 2011-11-22 11:00:51 -08:00
Nicolas Williams
40a7d4b62f More fixes for -Werror (GCC 4.6 catches more stuff) 2011-11-02 23:20:55 -05:00
Luke Howard
f48061bda7 check localname attr authenticated 2011-10-08 12:23:25 +11:00
Luke Howard
07777511d1 implement gss_localname 2011-10-08 12:15:09 +11:00
Love Hörnquist Åstrand
24332f87a0 no more krb4 2011-08-10 09:22:52 -07:00
Love Hörnquist Åstrand
f1c1e1bc6e remove used variables 2011-07-24 20:05:05 -07:00
Love Hörnquist Åstrand
8060a561db switch to KRB5_ENCTYPE 2011-07-24 16:02:22 -07:00
Linus Nordberg
2e35198908 Add version-script.map to _DEPENDENCIES.
Added to 11 out of 14 directories with map files.  Not lib/ntlm,
lib/hcrypto and kdc which have the map file as an explicit dependency
to _OBBJECTS.

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-07-24 14:07:59 -07:00
Love Hörnquist Åstrand
f60ec15834 partly unify enctype/keytype since there is only enctypes 2011-07-24 14:03:08 -07:00
Love Hörnquist Åstrand
8f2294e1f9 switch order of type and GSSAPI_LIB_VARIABLE 2011-07-24 13:00:36 -07:00
Love Hörnquist Åstrand
052c5767fd fixup type for GSS_C_ATTR_LOCAL_LOGIN_USER 2011-07-24 12:47:55 -07:00
Love Hörnquist Åstrand
12403a31ce sprinkle more windows files 2011-07-23 11:18:21 -07:00
Love Hornquist Astrand
ed91d4c9e3 Mac compat 2011-07-22 11:50:30 -07:00
Jeffrey Altman
c13deafcce Synchronize Windows export list with Unix
Change-Id: Ic0ee3d1f4b49761fbd2676f4f9562f1bf906e382
2011-07-21 11:50:45 -04:00
Jeffrey Altman
27cc30d38e GSS_C_ATTR_LOCAL_LOGIN_USER
Be consistent with other GSSAPI global variables.  GSS_C_ATTR_LOCAL_LOGIN_USER
becomes a macro in gssapi.h that refers to an exported variable
__gss_c_attr_local_login_user

Change-Id: I2661d74cd0f760780f75b35f92d6b4f9112080dc
2011-07-21 11:46:15 -04:00
Love Hörnquist Åstrand
7aaba443bc add NTMakefile and windows directories 2011-07-17 12:16:59 -07:00
ghudson@MIT.EDU
3c725a465e Initialize zero before using it in unwrap_des().
Heimdal since fc702a97f5 (August 2009)
can't process DES wrap tokens unless the stack garbage in the zero
array happens to be all zeros.

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-13 21:18:07 -07:00
Love Hornquist Astrand
3564726537 support NT_USER_NAME for real 2011-05-22 13:02:08 -07:00
Love Hornquist Astrand
9dc505a721 cred is no longer a name, handle that 2011-05-22 13:01:32 -07:00