Commit Graph

30661 Commits

Author SHA1 Message Date
Nicolas Williams
953d944242 gss: Remove useless grep from check-context 2022-03-09 10:22:06 -06:00
Joseph Sutton
d5ad04a7f3 kdc: Add function to add encrypted padata
Since plugins no longer have a way of accessing the 'ek' member of the
request structure, this function provides a way for a plugin to add
encrypted padata to the response.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-03-08 18:58:17 +11:00
Joseph Sutton
4a23cd5e23 lib/krb5: Make parameters to PAC functions 'const'
This allows these functions to be used with PACs obtained from KDC
accessor functions such as kdc_request_get_pac().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-03-08 18:58:01 +11:00
Stefan Metzmacher
7d103f8657 hdb: Fix crashes with WRONG_REALM
With HDB_ERR_WRONG_REALM the backend needs to expose the
principal, so we should not free the entry, otherwise
the main kdc code will crash.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-03-04 10:24:01 +11:00
Jeffrey Altman
19b337a0fb lib/asn1: new ASN1 objects require new exports
free_KERB_AD_RESTRICTION_ENTRY
encode_KERB_AD_RESTRICTION_ENTRY
decode_KERB_AD_RESTRICTION_ENTRY
length_KERB_AD_RESTRICTION_ENTRY
copy_KERB_AD_RESTRICTION_ENTRY

free_PA_KERB_KEY_LIST_REP
encode_PA_KERB_KEY_LIST_REP
decode_PA_KERB_KEY_LIST_REP
length_PA_KERB_KEY_LIST_REP
copy_PA_KERB_KEY_LIST_REP

free_PA_KERB_KEY_LIST_REQ
encode_PA_KERB_KEY_LIST_REQ
decode_PA_KERB_KEY_LIST_REQ
length_PA_KERB_KEY_LIST_REQ
copy_PA_KERB_KEY_LIST_REQ

free_PA_PAC_OPTIONS
encode_PA_PAC_OPTIONS
decode_PA_PAC_OPTIONS
length_PA_PAC_OPTIONS
copy_PA_PAC_OPTIONS

free_PA_S4U_X509_USER
encode_PA_S4U_X509_USER
decode_PA_S4U_X509_USER
length_PA_S4U_X509_USER
copy_PA_S4U_X509_USER

Change-Id: I4ccbfcec64572b41878062e50a61de3f92fdf593
2022-03-03 12:05:14 -05:00
Jeffrey Altman
a8b2986b48 lib/krb5: make/copy principal init output to NULL
Initialize output principal pointer to NULL in case of failure.

Change-Id: Iaf7b204d33ddf28cdbadcceac2cb8a96ac0bdd94
2022-03-03 09:55:46 -05:00
Luke Howard
25fae63097 tests: update test KDC plugin for new PAC plugin signatures
Fixes regression introduced in 11d8a053.
2022-03-03 10:16:12 +11:00
Stefan Metzmacher
d4ac17d6d0 krb5: add new values and definitions from MS-KILE/MS-SFU
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-03-03 10:13:42 +11:00
Luke Howard
50fb794ef1 lib/krb5: re-allow data->length == 0 in krb5_pac_add_buffer()
PAC_TYPE_CLIENT_CLAIMS_INFO and PAC_TYPE_DEVICE_CLAIMS_INFO are
of zero length unless any claims are actually defined.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Closes: #969
2022-03-03 10:12:40 +11:00
Luke Howard
89cf441e8d Revert "lib/krb5: re-allow data->length == 0 in krb5_pac_add_buffer()"
This reverts commit f3301fc94c.
2022-03-03 10:11:32 +11:00
Stefan Metzmacher
f3301fc94c lib/krb5: re-allow data->length == 0 in krb5_pac_add_buffer()
PAC_TYPE_CLIENT_CLAIMS_INFO and PAC_TYPE_DEVICE_CLAIMS_INFO are
of zero length unless any claims are actually defined.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-03-03 10:10:57 +11:00
Luke Howard
df655cecd1 kdc: allow audit plugins to influence return code
Honor the return code of _kdc_audit_request(), propagating if non-zero. Note
that this is principally intended to allow the audit plugin to return
HDB_ERR_NOT_FOUND_HERE, which influences whether the KDC sends an error reply
or not. If the audit plugin also wishes to rewrite r->error_code, it must do so
separately.

Closes: #964
2022-03-03 10:10:37 +11:00
Stefan Metzmacher
8495f63bc3 kdc: provide kdc_request_get_explicit_armor_{clientdb,client,pac}()
_kdc_fast_check_armor_pac() already checks the PAC of the armor,
but it should also remember it if it's a TGS-REQ with explicit armor.

This will allow the kdc pac hooks to generate a compound identity PAC
with PAC_TYPE_DEVICE_INFO.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Closes: #967
2022-03-03 10:10:29 +11:00
Stefan Metzmacher
11d8a053f5 kdc-plugin: also pass astgs_request_t to the pac related functions
This is more consistent and allows the pac hooks to be more flexible.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-03-03 09:58:48 +11:00
Nicolas Williams
419610aa14 kdc: HDB max_life/max_renew == 0 -> unlimited 2022-02-15 20:16:29 -06:00
Nicolas Williams
5682be7704 roken: Test time add/sub overflow prot. 2022-02-15 20:16:29 -06:00
Nicolas Williams
fe8d4f2883 roken: Overflow prot. timeval add/sub 2022-02-15 20:12:25 -06:00
Nicolas Williams
1193bd5e74 roken: Add time_add()/time_sub() with overflow prot. 2022-02-15 20:11:37 -06:00
Nicolas Williams
9ae9902249 cf: Check if time_t is signed 2022-02-15 17:01:00 -06:00
Nicolas Williams
92d5b74c05 cf: Import AX_CHECK_SIGNED() autoconf macro 2022-02-15 17:00:19 -06:00
Nicolas Williams
e7e2c7a145 kdc: Honor "unlimited" max_life/max_renew 2022-02-15 16:56:27 -06:00
Nicolas Williams
2c8a078bcf bx509d: Do not leak temp ccaches 2022-02-14 21:07:47 -06:00
Nicolas Williams
61607fa6ea asn1: Add a GitHub Markdown manual (more) 2022-02-14 21:07:47 -06:00
Nicolas Williams
dda9aa2535 asn1: Add a GitHub Markdown manual (moar) 2022-02-14 00:05:28 -06:00
Nicolas Williams
0929561de3 Update badges at bottom of README.md 2022-02-12 15:00:59 -06:00
Nicolas Williams
a894fc4527 asn1: Add a GitHub Markdown manual 2022-02-12 15:00:59 -06:00
Nicolas Williams
47432b907b krb5: Fix leak in krb5_set_config()
We were leaking context->configured_default_cc_name.
2022-02-11 16:02:27 -06:00
Nicolas Williams
6923b822b8 krb5: Fix leaks in test_cc.c 2022-02-11 16:02:27 -06:00
Nicolas Williams
deb0c7f940 uu_server: Fix a few leaks 2022-02-11 15:19:58 -06:00
Nicolas Williams
c3ea1ac37e kafs: Fix OS X build (warning/error) 2022-02-11 15:17:32 -06:00
Nicolas Williams
6b39972113 krb5: Fix acc_move() crash (CCAPI) 2022-02-11 15:13:13 -06:00
Nicolas Williams
b92cf79543 Revert "osx: Never load OS X CCAPI while testing"
This reverts commit 79d87af910.
2022-02-11 15:13:13 -06:00
Nicolas Williams
88d0102c82 GitHub: Fix OS X make install step 2022-02-11 15:13:13 -06:00
Nicolas Williams
23462018e3 GitHub: Document how to get a shell on OS X runner 2022-02-11 15:13:13 -06:00
Nicolas Williams
e9c0adf11e GitHub: Run OS X build on pushes to osx-build 2022-02-11 15:13:13 -06:00
Nicolas Williams
454dc82a99 GitHub: Build with debug on OS X 2022-02-11 15:13:13 -06:00
Nicolas Williams
7b3a993236 roken: do not override system network address functions
Roken functions rk_copyhostent(), rk_freeaddrinfo(), rk_freehostent(),
rk_getaddrinfo(), rk_getipnodebyaddr(), rk_getipnodebyname(), and
rk_getnameinfo() should never be built without the "rk_" prefix.  Doing
so overrides the system provided functions of the same name when they
exist.
2022-02-10 12:37:01 -06:00
Nicolas Williams
add605ee58 tests: cat messages.log in gss/check-basic trap 2022-02-10 00:57:31 -06:00
Nicolas Williams
848c21b9b9 tests: Kill kdc harder when failing 2022-02-10 00:57:31 -06:00
Nicolas Williams
79d87af910 osx: Never load OS X CCAPI while testing 2022-02-10 00:56:44 -06:00
Nicolas Williams
66e1a8baf2 osx: Disable GCD deprecation warning 2022-02-09 23:49:40 -06:00
Nicolas Williams
1da235c9c3 osx: Avoid blocking the KDC in KEYCHAIN in tests
If a client tries to use PKINIT we can block in the OS X keychain if no
anchors are configured.
2022-02-09 23:49:40 -06:00
Nicolas Williams
584a2d3a2b krb5: Fix error clobbering in test_cc 2022-02-01 15:54:31 -06:00
Nicolas Williams
f06657ff64 krb5: Make more cc configs non-critical
MSLSA can't handle cc configs.
2022-02-01 15:54:31 -06:00
Nicolas Williams
13cb84d465 GitHub: Skip check-tester in valgrind build 2022-02-01 13:38:48 -06:00
Luke Howard
69973757ce gss: remove gss_get_instance() 2022-01-30 14:20:05 -05:00
Jeffrey Altman
301b7ce711 Revert "asn1: Fix Windows build"
This reverts commit ff4033eb59.
2022-01-29 00:15:59 -05:00
Jeffrey Altman
543b94637f more dealloc functions require HEIM_CALLCONV
Change-Id: I68168a387c088b45e2572d5c982d33dfe0aa38a8
2022-01-29 00:15:59 -05:00
Luke Howard
6340602ddc base: ensure HEIM_CALLCONV used for all dealloc functions
Fixes regression introduced in 917e1604.
2022-01-29 14:29:37 +11:00
Luke Howard
87e96b97bd kdc: fix warning in kdc_array_iterate()
Do not call return in a function returning void.
2022-01-29 10:26:54 +11:00