oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
29,688 Commits 2 Branches 2 Tags
7a19658c1f4fc4adf85bb7bea96caae5ba57b33e
Commit Graph

128 Commits

Author SHA1 Message Date
Roland C. Dowdeswell
fe426f7a28 fix type s/MUTAL/MUTUAL/ in gssapi/krb5 2021-08-07 18:54:56 +10:00
Nicolas Williams
7d50445d1b Generic: Fix warnings (fallthrough mosty) 2020-09-07 22:04:59 -05:00
Roland C. Dowdeswell
8ee86db261 Add enforce_ok_as_delegate setting 
If this flag is set to true, then GSSAPI credential delegation will
be disabled when the "ok-as-delegate" flag is not set in the service
ticket.
 2019-11-20 18:18:57 -05:00
Viktor Dukhovni
5bbe7c8dc6 Implement forwarding of leaf TGTs to selected realms. 
Refactor and enhance TGT forwarding to allow forwarding of leaf
(destination) TGTs for selected destination realms.

Enhance kinit(1) to renew non-origin realm tickets

Document delegate-destination-tgt

Use the newly implemented _krb5_mk_1cred().
 2019-10-30 16:20:58 -05:00
Nicolas Williams
1c81ddf4e2 Round #2 of scan-build warnings cleanup 2016-11-16 17:03:14 -06:00
Jeffrey Altman
5aef50c800 gss-krb5: do_delegate remove dead comment 
The check on principal type has been commented out since do_delegate()
was committed.  Remove it.

Change-Id: Id98f35471e346cb3d0e9666b7cdb6f564191e6c1
 2016-11-14 21:29:47 -06:00
Luke Howard
7b720cf61c krb5: implement draft-ietf-kitten-aes-cts-hmac-sha2-07 2016-10-08 08:17:11 +02:00
Nicolas Williams
20c1e6c9ef Rename context handle lifetime to endtime 2015-04-14 11:27:25 -05:00
Nicolas Williams
487b6820f6 Revamp name canonicalization code 2015-03-24 11:49:58 -05:00
Viktor Dukhovni
cfdf6d5cbe gsskrb5: Make krb5 mech use referrals 
Modify the gss krb5 mech to always use referrals unless the
KRB5_NCRO_NO_REFERRALS flag is set.

Change-Id: I7efd873ac922a43adafa2c492703b576847a885f
 2015-03-14 16:08:32 -04:00
Volker Lendecke
b408e93ae3 heimdal: Fix 241482 Resource leak 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
 2014-03-24 23:07:50 -05:00
Nicolas Williams
774f166e31 First attempt s/\<const gss_.*_t/gss_const_.*_t/g 2013-06-02 15:30:58 -05:00
Love Hornquist Astrand
0879b9831a remove trailing whitespace 2011-05-21 11:57:31 -07:00
Jeffrey Altman
6850d6a65f avoid uninit variable and unreachable code warnings 
most of these warnings are not problems because of ample
use of abort() calls.  However, the large number of warnings
makes it difficult to identify real problems.  Initialize
the variables to shut up the compilers.

Change-Id: I8477c11b17c7b6a7d9074c721fdd2d7303b186a8
 2011-05-17 12:02:16 -04:00
Love Hornquist Astrand
f5f9014c90 Warning fixes from Christos Zoulas 
- shadowed variables
- signed/unsigned confusion
- const lossage
- incomplete structure initializations
- unused code
 2011-04-29 20:25:05 -07:00
Love Hornquist Astrand
ec88b5d043 move _gss_DES3_get_mic_compat to after ->target is set 
Patch from Roland Dowdeswell
 2011-04-14 12:54:15 -07:00
Love Hornquist Astrand
2e31740f62 always check for error token in case of a failure 2010-11-08 13:40:01 -08:00
Andrew Bartlett
526aeef0c7 heimdal Add clock-skew handling to DCE-style GSSAPI 
The clock skew handling was previously only on properly wrapped
GSSAPI, and was skipped for DCE-style.  This allows the ASN.1 errors
from the krb5_rd_req to suggest parsing as a kerberos error packet.

Andrew Bartlett

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
 2010-11-08 13:36:52 -08:00
Andrew Bartlett
5cc4d5d2bd heimdal Use a seperate krb5_auth_context for the delegated credentials 
This makes it much more clear that the timestamp written here is not
used in mutual authentication.

Andrew Bartlett

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
 2010-10-02 20:47:12 -07:00
Asanka Herath
5dcc605f6b Fix calling conventions for Windows 2010-08-20 13:14:10 -04:00
Love Hornquist Astrand
c402cda0a4 use krb5_auth_con_getremoteseqnumber 2009-12-04 21:30:06 -08:00
Love Hornquist Astrand
75a61b8842 krb5_build_authenticator is private 2009-10-05 22:09:23 -07:00
Love Hornquist Astrand
a132ffe757 Simplify krb5_build_authenticator and unexport 2009-10-05 19:52:28 -07:00
Love Hornquist Astrand
9e13b309d9 use krb5_make_principal 2009-10-04 11:29:43 -07:00
Love Hornquist Astrand
6c3f3fafa3 Don't leak kerberos credentials when trying dns canon 2009-08-27 18:30:28 -07:00
Love Hornquist Astrand
8b71d0b93f Prefer the realm of the user when doing referrals style ISC krb5-get-creds 
The the realm of the user's principal and prefer that when doing a lookup.
This code still need to be smarter can cache the "initial value" -> positive result
to avoid roundtrips to the KDC.
 2009-07-17 15:43:19 -07:00
Love Hörnquist Åstrand
c99b2003e2 Implement gss_wrap_iov, gss_unwrap_iov for CFX type encryption types. 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25286 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2009-06-22 17:56:41 +00:00
Love Hörnquist Åstrand
9e9258e2b8 comment out unsupported options 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25183 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2009-05-06 19:02:03 +00:00
Love Hörnquist Åstrand
269a7a057b flatten include headers 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24382 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2009-01-25 00:35:00 +00:00
Love Hörnquist Åstrand
9586101a49 use the krb5_crypto directly, skipping some per packet calculation, make cfx handling simpler 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24067 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-12-11 04:52:10 +00:00
Love Hörnquist Åstrand
9c1460fe80 dont need cfx flag here 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24058 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-12-11 04:50:38 +00:00
Love Hörnquist Åstrand
d4f5c19c1d make IS_CFX a more_flag 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24057 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-12-11 04:50:22 +00:00
Love Hörnquist Åstrand
2d85294ede Default to use the username as passed in by the user. 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23843 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-09-14 15:27:42 +00:00
Love Hörnquist Åstrand
6937d41a02 remove trailing whitespace 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23815 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-09-13 09:21:03 +00:00
Love Hörnquist Åstrand
e172367898 switch to utf8 encoding of all files 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23814 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-09-13 08:53:55 +00:00
Love Hörnquist Åstrand
227aca963e Avoid dns canonlisation for hosts, until we know what client credential we are going to use, and when we know that, lets check if the user really want to use canonlision, XXX should be able to configure per target realm too 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23678 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-08-25 02:34:24 +00:00
Love Hörnquist Åstrand
84199f34d1 provide slightly better error codes 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23537 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-08-16 22:58:41 +00:00
Love Hörnquist Åstrand
3b3ffff06d Only strip DELEG_FLAG if there is a realm setting, simplify the 
GSS_C_DELEG_POLICY_FLAG handling.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23527 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-08-14 23:29:29 +00:00
Love Hörnquist Åstrand
c69717db61 If we used GSS_C_DELEG_POLICY_FLAG, trust KDC, still trust realm configuration. 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23481 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-08-11 09:57:56 +00:00
Love Hörnquist Åstrand
e0168633ea Break on failure 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23422 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-07-26 18:38:29 +00:00
Love Hörnquist Åstrand
39fe446983 Support parsing KRB-ERROR passed back from windows server when the time is out of sync, modify krb5_cc_[sg]et_config interface to handle principals too, add tests for this 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23420 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-07-26 18:37:48 +00:00
Love Hörnquist Åstrand
d4d7d06749 realm-config > 0 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23404 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-07-26 18:30:35 +00:00
Love Hörnquist Åstrand
c2442955f0 Check for realm-config in the ccache configuration, and use that. 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23400 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-07-26 18:28:59 +00:00
Love Hörnquist Åstrand
1ef0828640 Match the orignal patch I got from metze, seems that DCE-STYLE is even 
more weirer then what I though when I merged the patch.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23388 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-07-25 09:07:49 +00:00
Love Hörnquist Åstrand
eec537e94b restore flags after mk_rep is done. Prompted by comments from metze 
and abartlet.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23387 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-07-25 08:23:32 +00:00
Love Hörnquist Åstrand
aad8c2b04d krb5: just don't force, but allow the flags when GSS_CF_NO_CI_FLAGS is given 
From Stefan Metzmacher

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23330 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-06-27 12:01:23 +00:00
Love Hörnquist Åstrand
9972ce7b46 Don't add asn1 wrapping to token when using DCE_STYLE. 
Patch from Stefan Metze.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23255 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-06-03 05:29:21 +00:00
Love Hörnquist Åstrand
2d405842ad (init_auth): use right variable to detect if we want to free or not. 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22671 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-03-09 23:57:54 +00:00
Love Hörnquist Åstrand
27a3ca100e Add flag to not add gss-api INT|CONF to the negotiation 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22655 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-02-26 12:40:35 +00:00
Love Hörnquist Åstrand
5fed824f37 its vs it\'s etc. From Bjorn Sandell 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22071 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2007-11-14 20:04:50 +00:00