Commit Graph

88 Commits

Author SHA1 Message Date
Andrew Tridgell
9e1d467534 s4-heimdal: implement KERB_AP_ERR_TYPE_SKEW_RECOVERY
This e_data field in a Kerberos error packet tells Windows to do clock
skew recovery.

See [MS-KILE] 2.2.1 KERB-ERROR-DATA

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2011-01-30 11:26:31 -08:00
Asanka Herath
5dcc605f6b Fix calling conventions for Windows
2010-08-20 13:14:10 -04:00
Love Hornquist Astrand
2b1645aa08 catch error from as.*printf
2010-05-30 13:44:41 -07:00
Love Hornquist Astrand
a7e8f05c9b Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]
This was introduced by checking the Kerberos 5 checksum as an
alternative to the 8003 checksum.

Thanks to MIT Kerberos and Shawn Emery for forwarding this issue
2010-05-26 11:53:31 -05:00
Love Hornquist Astrand
5b7780b997 use krb5_auth_con_getremoteseqnumber
2009-12-04 21:35:18 -08:00
Love Hornquist Astrand
fa502c6648 Add support for gss_{import,export}_cred() as requested by metze
Works for krb5 and SPNEGO mechanisms. Kerberos credentials are passed as
credential cache names, or if there are memory based credentials, inband
in the protocol. This means that the credentials buffers must be kept
secret.

As documented by IBM (they have the wrong prototype though)
and GGF (GSS-API Extensions) back in 2001
2009-07-29 13:36:02 +02:00
Love Hörnquist Åstrand
de5f912e02 Contributed by Andrew Bartlett:
When Samba4's 'fake' GSSAPI client contacts Windows 2008, and does not
request AP_MUTUAL_REQUIRED, it does not elicit a response packet.

We had previously assumed it was unconditional. Samba3 didn't mind
very much, but Samba4's samba3-like client did, and the behaviour
differed from Win2008 behaviour.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25328 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-07-15 22:18:00 +00:00
Love Hörnquist Åstrand
c99b2003e2 Implement gss_wrap_iov, gss_unwrap_iov for CFX type encryption types.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25286 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-06-22 17:56:41 +00:00
Love Hörnquist Åstrand
cae7efb522 Make KRB5KRB_AP_ERR_TKT_NYV trigger error_token too.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25128 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-04-16 08:31:15 +00:00
Love Hörnquist Åstrand
06e0f0d12f use krb5_cc_new_unique, use constants for cache types
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25051 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-04-03 04:05:59 +00:00
Love Hörnquist Åstrand
269a7a057b flatten include headers
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24382 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-01-25 00:35:00 +00:00
Love Hörnquist Åstrand
9586101a49 use the krb5_crypto directly, skipping some per packet calculation, make cfx handling simpler
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24067 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-12-11 04:52:10 +00:00
Love Hörnquist Åstrand
d4f5c19c1d make IS_CFX a more_flag
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24057 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-12-11 04:50:22 +00:00
Love Hörnquist Åstrand
6937d41a02 remove trailing whitespace
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23815 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-09-13 09:21:03 +00:00
Love Hörnquist Åstrand
e172367898 switch to utf8 encoding of all files
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23814 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-09-13 08:53:55 +00:00
Love Hörnquist Åstrand
70a00b7fab Only send KRB_ERROR token when there is clock skew, limits when we
send KRB-ERROR for non-MUTUAL tokens.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23541 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-08-16 22:59:26 +00:00
Love Hörnquist Åstrand
a48756092c If there is an initiator subkey, copy that to acceptor subkey to match
Windows behavior. From Metze.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23528 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-08-14 23:29:40 +00:00
Love Hörnquist Åstrand
f9dc9da0a9 No reply in non-MUTUAL mode, but we don't know that it's non-MUTUAL
mode yet, that's inside the 8003 checksum.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23433 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-07-26 18:44:26 +00:00
Love Hörnquist Åstrand
d847a7a67f Reset minor_status to 0.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23431 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-07-26 18:41:36 +00:00
Love Hörnquist Åstrand
9ca267f328 Always return GSS_S_CONTINUE_NEEDED, pointed out from Metze.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23430 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-07-26 18:41:16 +00:00
Love Hörnquist Åstrand
39fe446983 Support parsing KRB-ERROR passed back from Windows server when the time is out of sync, modify krb5_cc_[sg]et_config interface to handle principals too, add tests for this
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23420 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-07-26 18:37:48 +00:00
Love Hörnquist Åstrand
dde69289ca Explain why we don't destroy the ccache.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20199 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-02-07 22:36:39 +00:00
Love Hörnquist Åstrand
00bcd44370 Switch from using a specific error message context in the TLS to have
a whole krb5_context in TLS. This has some interesting side-effects
for the configuration setting options since they operate on a
per-thread basis now.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19031 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-11-13 18:02:57 +00:00
Love Hörnquist Åstrand
3dced0866c (gsskrb5_acceptor_start): use krb5_rd_req_ctx
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18930 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-11-07 14:52:05 +00:00
Love Hörnquist Åstrand
8051eadfb4 (gsskrb5_accept_delegated_token): need to free ccache
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18895 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-10-25 04:19:45 +00:00
Love Hörnquist Åstrand
dfa6f7b248 reference all include files using krb5/
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18334 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-10-07 22:16:04 +00:00
Love Hörnquist Åstrand
67b56ea02a indent comment
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18208 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-10-02 21:18:42 +00:00
Love Hörnquist Åstrand
7d573742a1 Merge of the acceptor part from the samba patch by Stefan Metzmacher
and Andrew Bartlett.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18152 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-09-22 14:52:11 +00:00
Love Hörnquist Åstrand
24397fd675 reimplement gsskrb5_register_acceptor_identity
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17847 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-07-20 02:28:37 +00:00
Love Hörnquist Åstrand
2cdda8a767 (_gsskrb5_accept_sec_context): use GSS_C_NO_NAME
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17826 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-07-10 18:28:22 +00:00
Love Hörnquist Åstrand
03567db502 make gss_name_t an opaque type
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17736 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-06-29 07:27:26 +00:00
Love Hörnquist Åstrand
ee09f98c15 Rename local include file, remove global files.
Stop exposing global gssapi symbols.
Rename gss_context_id_t and gss_cred_id_t to local names.
Remove SPNEGO code, it's now in its own gssapi module.
Add mechglue inquire functions.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17697 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-06-28 08:54:04 +00:00
Love Hörnquist Åstrand
dd796d90c2 (gsskrb5_is_cfx): always set is_cfx. From Andrew Bartlett.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17523 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-05-09 07:16:39 +00:00
Love Hörnquist Åstrand
e4f39fc8ae Use gss_krb5_import_cred
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16294 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-11-25 15:57:35 +00:00
Love Hörnquist Åstrand
2a0d1e1d88 (gsskrb5_accept_delegated_token): rewrite to use gss_krb5_import_ccache
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16280 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-11-02 08:55:19 +00:00
Love Hörnquist Åstrand
9ae8bc983a Prefix Der_class with ASN1_C_ to avoid problems with system
header files that pollute the name space.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15264 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-05-29 15:13:10 +00:00
Love Hörnquist Åstrand
d0443e2058 prefix all sequence symbols with _, they are not part of the GSS-API API. By comment from Wynn Wilkes <wynnw@vintela.com>
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@14989 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-04-27 17:51:27 +00:00
Love Hörnquist Åstrand
e743a6ca8a break out the processing of the delegated credential to a separate
function to make error handling easier, move the credential handling
to after other setup is done

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@14764 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-04-10 15:01:21 +00:00
Luke Howard
cdddef90f9 allow client to indicate that subkey should be used
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@14445 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-01-05 02:32:05 +00:00
Love Hörnquist Åstrand
7055cb55cc (send_accept): use _gss_spnego_require_mechlist_mic to figure out if
we need to send MechList

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13693 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-04-07 14:22:44 +00:00
Love Hörnquist Åstrand
503d84b4f9 (gsskrb5_register_acceptor_identity): allow resetting to default keytab
by passing in NULL as identity.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13689 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-04-05 20:17:26 +00:00
Love Hörnquist Åstrand
384bd1719c (gsskrb5_is_cfx): krb5_keyblock->keytype is an enctype, not keytype
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13687 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-04-05 19:22:01 +00:00
Love Hörnquist Åstrand
2cd2a26a21 remove unused variable
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13686 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-04-05 14:53:53 +00:00
Love Hörnquist Åstrand
3e8096a511 use ASN1_MALLOC_ENCODE
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13685 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-04-05 13:57:33 +00:00
Love Hörnquist Åstrand
fb53d3762e handle acceptor asserted subkey
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13519 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-03-14 16:31:02 +00:00
Love Hörnquist Åstrand
912dfa6eee (spnego_accept_sec_context): make sure the length of the choice
element doesn't overrun us

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13445 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-03-07 14:26:20 +00:00
Love Hörnquist Åstrand
b10b3f845a use krb5_auth_con_addflags
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13190 ec53bebd-3082-4978-b11e-865c3cabbd6b
2003-12-07 17:14:09 +00:00
Love Hörnquist Åstrand
3882d8ca5f Don't require timestamp to be set on delegated token, it's already
protected by the outer token (and Windows doesn't always send it)
Pointed out by Zi-Bin Yang <zbyang@decru.com> on heimdal-discuss

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13128 ec53bebd-3082-4978-b11e-865c3cabbd6b
2003-11-22 22:42:16 +00:00
Love Hörnquist Åstrand
63904d7af3 (gsskrb5_accept_sec_context): set sequence number when not requesting
mutual auth
From: Luke Howard <lukeh@PADL.COM>

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@12839 ec53bebd-3082-4978-b11e-865c3cabbd6b
2003-09-17 04:20:33 +00:00
Love Hörnquist Åstrand
1448ad988f SPNEGO doesn't include gss wrapping on SubsequentContextToken like the
Kerberos 5 mech does.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@12802 ec53bebd-3082-4978-b11e-865c3cabbd6b
2003-09-09 10:54:09 +00:00