This adds a new backend for libhcrypto: the OpenSSL backend.
Now libhcrypto has these backends:
- hcrypto itself (i.e., the algorithms coded in lib/hcrypto)
- Common Crypto (OS X)
- PKCS#11 (specifically for Solaris, but not Solaris-specific)
- Windows CNG (Windows)
- OpenSSL (generic)
The ./configure --with-openssl=... option no longer disables the use of
hcrypto. Instead it enables the use of OpenSSL as a (and the default)
backend in libhcrypto. The libhcrypto framework is now always used.
OpenSSL should no longer be used directly within Heimdal, except in the
OpenSSL hcrypto backend itself, and files where elliptic curve (EC)
crypto is needed.
Because libhcrypto's EC support is incomplete, we can only use OpenSSL
for EC. Currently that means separating all EC-using code so that it
does not use hcrypto, thus the libhx509/hxtool and PKINIT EC code has
been moved out of the files it used to be in.
This is needed so that the NTLM GSS mechanism can have a meaningful
concept of default credential (the NTLM key for the default domain found
in the ccache).
Provide a new internal function called get_switched() to encapsulate
the algorithm for selecting a credential cache when the selected
ccache type supports switching. There is no change in behavior for
UNIX which always calls krb5_cc_new_unique(). However, on Windows
alternate behavior is provided when the ccache type is API or MSLSA.
For the API ccache the default ccache name is stored in the Windows
registry which is shared across all logon sessions belonging to a
user. For users that are members of the Administrators group this
includes both the UAC restricted and elevated sessions sharing the
same desktop. It is very disconcerting when the elevated session obtains
credentials for the same client principal as the restricted session
and then all apps in the restricted session lose access to their
credential cache. For Windows, the API credential caches are named
after the principal that is stored within them. It provides for a
better end user experience.
For the MSLSA ccache tickets belonging to multiple principals are
all stored within the MSLSA ccache. As a result, all attempts to
switch ccache names default back to the one and only one name.
Change-Id: I7865cd044cff01ff38ab107ec0961e42788fa073
When PAM is configured to use a user_realm that is different from the
default realm, do likewise in kinit with bare user names or the default
principal computed from the login name.
Similarly, when using a keytab, if no realm is specified find the most
suitable match in the keytab file.
Nicolas Williams