oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
26,361 Commits 2 Branches 2 Tags
4b92552c1e2faa96481033cf70a54ed2214fafe5
Commit Graph

1019 Commits

Author SHA1 Message Date
Luke Howard
4b92552c1e remove krb5 authorize_localname impl, there's no krb5_kuserok 2011-05-13 00:46:14 +02:00
Luke Howard
8687bab419 correct switched order of pname_to_uid/authorize_localname 2011-05-13 00:41:18 +02:00
Luke Howard
f1aa972bb8 fix trailing comma 2011-05-12 13:04:59 +02:00
Luke Howard
e128b0ca01 Merge branch 'master' into lukeh/moonshot 
Conflicts:
	lib/gssapi/krb5/external.c
	lib/libedit/src/vi.c
 2011-05-12 13:04:55 +02:00
Love Hornquist Astrand
59f4918ef0 set the CFXSentByAcceptor flag, patch from Jaideep Padhye 2011-04-29 20:34:42 -07:00
Love Hornquist Astrand
f5f9014c90 Warning fixes from Christos Zoulas 
- shadowed variables
- signed/unsigned confusion
- const lossage
- incomplete structure initializations
- unused code
 2011-04-29 20:25:05 -07:00
Love Hornquist Astrand
523d84b417 return error from lower layer 2011-04-14 12:54:16 -07:00
Love Hornquist Astrand
6f5b93fc8b return error from lower layer 2011-04-14 12:54:16 -07:00
Love Hornquist Astrand
ec88b5d043 move _gss_DES3_get_mic_compat to after ->target is set 
Patch from Roland Dowdeswell
 2011-04-14 12:54:15 -07:00
Luke Howard
0d7bc0c549 remove user_ok from gss_authorize_localname 2011-04-09 13:41:51 +10:00
Luke Howard
bac9c34172 authorize_localname SPI now includes nametype 2011-04-09 11:34:19 +10:00
Luke Howard
6c6e483e00 gss_authorize_localname implementation 2011-04-08 10:58:57 +10:00
Luke Howard
6ec5011d48 Merge branch 'master' into lukeh/moonshot 2011-04-08 09:05:36 +10:00
Love Hornquist Astrand
3d36172090 allow keytab specifiction to gsskrb5_register_acceptor_identity 2011-04-07 07:15:28 -07:00
Luke Howard
ca48b27fe7 add _gsskrb5_pname_to_uid implementation 2011-03-20 23:31:32 +11:00
Luke Howard
0dff021161 add krb5 glue for userok 2011-03-20 20:57:24 +11:00
Derrick Brashear
c5d0acb859 Correct "not newer" etypes per RFC 4121 
Section 1 of RFC 4121 describes behavior which
    applies when using "newer" etypes, then goes on in
    table form to list etypes which are not newer.
    While it specifies it is ok to use new token formats
    when both initiator and acceptor are known to handle them,
    this code makes no such verification, and encoded an
    incorrect set of etypes as "not newer". Correct the list.

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
 2011-02-24 19:22:25 -08:00
Love Hornquist Astrand
7e1ba19fda setup cfx context, found by Jaideep Padhye 2011-02-02 21:37:26 -08:00
Andrew Tridgell
9e1d467534 s4-heimdal: implement KERB_AP_ERR_TYPE_SKEW_RECOVERY 
this e_data field in a kerberos error packet tells windows to do clock
skew recovery.

See [MS-KILE] 2.2.1 KERB-ERROR-DATA

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
 2011-01-30 11:26:31 -08:00
Luke Howard
21c5987018 Rename GSS_IOV_BUFFER_TYPE_FLAG to GSS_IOV_BUFFER_FLAG 
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
 2011-01-03 13:22:57 +01:00
Love Hornquist Astrand
2038d6f56e don't whine when principal is not found in cache, also, use krb5_cc function to make it not hit the network 2010-11-29 09:31:07 -08:00
Love Hornquist Astrand
5dcf0753f4 fill in all mo that make sense for now 2010-11-25 23:52:43 -08:00
Love Hornquist Astrand
6ca842c5b7 gss_indicate_mechs_by_attrs 2010-11-25 21:40:25 -08:00
Love Hornquist Astrand
c1069f8a36 add _gss_oid_name_table 2010-11-25 20:20:03 -08:00
Love Hornquist Astrand
bdc9112651 add missing symbols 2010-11-25 18:36:55 -08:00
Love Hornquist Astrand
dbeeb18a53 generate oids using table 2010-11-25 18:32:33 -08:00
Love Hornquist Astrand
2e31740f62 always check for error token in case of a failure 2010-11-08 13:40:01 -08:00
Andrew Bartlett
526aeef0c7 heimdal Add clock-skew handling to DCE-style GSSAPI 
The clock skew handling was previously only on properly wrapped
GSSAPI, and was skipped for DCE-style.  This allows the ASN.1 errors
from the krb5_rd_req to suggest parsing as a kerberos error packet.

Andrew Bartlett

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
 2010-11-08 13:36:52 -08:00
Andrew Bartlett
5cc4d5d2bd heimdal Use a seperate krb5_auth_context for the delegated credentials 
This makes it much more clear that the timestamp written here is not
used in mutual authentication.

Andrew Bartlett

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
 2010-10-02 20:47:12 -07:00
Asanka Herath
5dcc605f6b Fix calling conventions for Windows 2010-08-20 13:14:10 -04:00
Love Hornquist Astrand
083b8b63ee oids no longer compare to GSS_C_NO_OID 2010-07-22 23:21:44 -07:00
Love Hornquist Astrand
1021099f3d rename external so that they can be included in array and struct initializer 2010-07-22 20:47:04 -07:00
Love Hornquist Astrand
2b1645aa08 catch error from as.*printf 2010-05-30 13:44:41 -07:00
Love Hornquist Astrand
a7e8f05c9b Check the GSS-API checksum exists before trying to use it [CVE-2010-1321] 
This was introduced by checking the Kerberos 5 checksum as a
alternative to the 8003 checksum.

Thanks to MIT Kerberos and Shawn Emery for forwarding this issue
 2010-05-26 11:53:31 -05:00
Love Hornquist Astrand
9f5772050b Match old code and use krb5_sname_to_principal on the imported name for acquire cred. 
Reported by Jan Rekorajski
 2009-12-13 22:55:36 -08:00
Love Hornquist Astrand
5b7780b997 use krb5_auth_con_getremoteseqnumber 2009-12-04 21:35:18 -08:00
Love Hornquist Astrand
c402cda0a4 use krb5_auth_con_getremoteseqnumber 2009-12-04 21:30:06 -08:00
Love Hornquist Astrand
5a23717814 use krb5_auth_con_getremoteseqnumber 2009-12-04 21:29:48 -08:00
Love Hornquist Astrand
75a61b8842 krb5_build_authenticator is private 2009-10-05 22:09:23 -07:00
Love Hornquist Astrand
a132ffe757 Simplify krb5_build_authenticator and unexport 2009-10-05 19:52:28 -07:00
Love Hornquist Astrand
9e13b309d9 use krb5_make_principal 2009-10-04 11:29:43 -07:00
Love Hornquist Astrand
914417c5c8 Remove unused structure 2009-09-19 13:55:34 -07:00
Stefan Metzmacher
103cc941eb gssapi/krb5: set cred_handle in _gsskrb5_import_cred 
metze

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
 2009-09-18 14:29:50 -07:00
Love Hornquist Astrand
8f376895ae drop export symbol 2009-08-29 08:51:00 -07:00
Stefan Metzmacher
2f1a370cd3 hack for gss-wrap-iov to it work 
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
 2009-08-28 13:31:12 -07:00
Love Hornquist Astrand
74538fc2af Plug memory leak in prf function 2009-08-27 18:30:28 -07:00
Love Hornquist Astrand
6c3f3fafa3 Don't leak kerberos credentials when trying dns canon 2009-08-27 18:30:28 -07:00
Love Hornquist Astrand
1999c85670 Make mech glue layer aware of composite mechs that uses mech glue layer credentials 
This make it possible to use krb5/ntlm credentials with SPNEGO.
Needs some more work to avoid double fetching credentials.
 2009-08-27 12:12:44 -07:00
Love Hornquist Astrand
d18cdee577 don't reset EC 2009-08-26 22:52:26 -07:00
Love Hornquist Astrand
559103b218 if not trailer set, init EC to 0 2009-08-26 21:40:07 -07:00