Joseph Sutton
4a23cd5e23
lib/krb5: Make parameters to PAC functions 'const'
...
This allows these functions to be used with PACs obtained from KDC
accessor functions such as kdc_request_get_pac().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-03-08 18:58:01 +11:00
Stefan Metzmacher
7d103f8657
hdb: Fix crashes with WRONG_REALM
...
With HDB_ERR_WRONG_REALM the backend needs to expose the
principal, so we should not free the entry otherwise
the main kdc code will crash.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-03-04 10:24:01 +11:00
Jeffrey Altman
19b337a0fb
lib/asn1: new ASN1 objects require new exports
...
free_KERB_AD_RESTRICTION_ENTRY
encode_KERB_AD_RESTRICTION_ENTRY
decode_KERB_AD_RESTRICTION_ENTRY
length_KERB_AD_RESTRICTION_ENTRY
copy_KERB_AD_RESTRICTION_ENTRY
free_PA_KERB_KEY_LIST_REP
encode_PA_KERB_KEY_LIST_REP
decode_PA_KERB_KEY_LIST_REP
length_PA_KERB_KEY_LIST_REP
copy_PA_KERB_KEY_LIST_REP
free_PA_KERB_KEY_LIST_REQ
encode_PA_KERB_KEY_LIST_REQ
decode_PA_KERB_KEY_LIST_REQ
length_PA_KERB_KEY_LIST_REQ
copy_PA_KERB_KEY_LIST_REQ
free_PA_PAC_OPTIONS
encode_PA_PAC_OPTIONS
decode_PA_PAC_OPTIONS
length_PA_PAC_OPTIONS
copy_PA_PAC_OPTIONS
free_PA_S4U_X509_USER
encode_PA_S4U_X509_USER
decode_PA_S4U_X509_USER
length_PA_S4U_X509_USER
copy_PA_S4U_X509_USER
Change-Id: I4ccbfcec64572b41878062e50a61de3f92fdf593
2022-03-03 12:05:14 -05:00
Jeffrey Altman
a8b2986b48
lib/krb5: make/copy principal init output to NULL
...
Initialize output principal pointer to NULL in case of failure.
Change-Id: Iaf7b204d33ddf28cdbadcceac2cb8a96ac0bdd94
2022-03-03 09:55:46 -05:00
Luke Howard
25fae63097
tests: update test KDC plugin for new PAC plugin signatures
...
Fixes regression introduced in 11d8a053.
2022-03-03 10:16:12 +11:00
Stefan Metzmacher
d4ac17d6d0
krb5: add new values and definitions from MS-KILE/MS-SFU
...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-03-03 10:13:42 +11:00
Luke Howard
50fb794ef1
lib/krb5: re-allow data->length == 0 in krb5_pac_add_buffer()
...
PAC_TYPE_CLIENT_CLAIMS_INFO and PAC_TYPE_DEVICE_CLAIMS_INFO are
of zero length unless any claims are actually defined.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Closes: #969
2022-03-03 10:12:40 +11:00
Luke Howard
89cf441e8d
Revert "lib/krb5: re-allow data->length == 0 in krb5_pac_add_buffer()"
...
This reverts commit f3301fc94c.
2022-03-03 10:11:32 +11:00
Stefan Metzmacher
f3301fc94c
lib/krb5: re-allow data->length == 0 in krb5_pac_add_buffer()
...
PAC_TYPE_CLIENT_CLAIMS_INFO and PAC_TYPE_DEVICE_CLAIMS_INFO are
of zero length unless any claims are actually defined.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-03-03 10:10:57 +11:00
Luke Howard
df655cecd1
kdc: allow audit plugins to influence return code
...
Honor the return code of _kdc_audit_request(), propagating if non-zero. Note
that this is principally intended to allow the audit plugin to return
HDB_ERR_NOT_FOUND_HERE, which influences whether the KDC sends an error reply
or not. If the audit plugin also wishes to rewrite r->error_code, it must do so
separately.
Closes: #964
2022-03-03 10:10:37 +11:00
Stefan Metzmacher
8495f63bc3
kdc: provide kdc_request_get_explicit_armor_{clientdb,client,pac}()
...
_kdc_fast_check_armor_pac() already checks the PAC of the armor,
but it should also remember it if it's a TGS-REQ with explicit armor.
This will allow the kdc pac hooks to generate a compound identity PAC
with PAC_TYPE_DEVICE_INFO.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Closes: #967
2022-03-03 10:10:29 +11:00
Stefan Metzmacher
11d8a053f5
kdc-plugin: also pass astgs_request_t to the pac related functions
...
This is more consistent and allows the pac hooks to be more flexible.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-03-03 09:58:48 +11:00
Nicolas Williams
419610aa14
kdc: HDB max_life/max_renew == 0 -> unlimited
2022-02-15 20:16:29 -06:00
Nicolas Williams
5682be7704
roken: Test time add/sub overflow prot.
2022-02-15 20:16:29 -06:00
Nicolas Williams
fe8d4f2883
roken: Overflow prot. timeval add/sub
2022-02-15 20:12:25 -06:00
Nicolas Williams
1193bd5e74
roken: Add time_add()/time_sub() with overflow prot.
2022-02-15 20:11:37 -06:00
Nicolas Williams
9ae9902249
cf: Check if time_t is signed
2022-02-15 17:01:00 -06:00
Nicolas Williams
92d5b74c05
cf: Import AX_CHECK_SIGNED() autoconf macro
2022-02-15 17:00:19 -06:00
Nicolas Williams
e7e2c7a145
kdc: Honor "unlimited" max_life/max_renew
2022-02-15 16:56:27 -06:00
Nicolas Williams
2c8a078bcf
bx509d: Do not leak temp ccaches
2022-02-14 21:07:47 -06:00
Nicolas Williams
61607fa6ea
asn1: Add a GitHub Markdown manual (more)
2022-02-14 21:07:47 -06:00
Nicolas Williams
dda9aa2535
asn1: Add a GitHub Markdown manual (moar)
2022-02-14 00:05:28 -06:00
Nicolas Williams
0929561de3
Update badges at bottom of README.md
2022-02-12 15:00:59 -06:00
Nicolas Williams
a894fc4527
asn1: Add a GitHub Markdown manual
2022-02-12 15:00:59 -06:00
Nicolas Williams
47432b907b
krb5: Fix leak in krb5_set_config()
...
We were leaking context->configured_default_cc_name.
2022-02-11 16:02:27 -06:00
Nicolas Williams
6923b822b8
krb5: Fix leaks in test_cc.c
2022-02-11 16:02:27 -06:00
Nicolas Williams
deb0c7f940
uu_server: Fix a few leaks
2022-02-11 15:19:58 -06:00
Nicolas Williams
c3ea1ac37e
kafs: Fix OS X build (warning/error)
2022-02-11 15:17:32 -06:00
Nicolas Williams
6b39972113
krb5: Fix acc_move() crash (CCAPI)
2022-02-11 15:13:13 -06:00
Nicolas Williams
b92cf79543
Revert "osx: Never load OS X CCAPI while testing"
...
This reverts commit 79d87af910.
2022-02-11 15:13:13 -06:00
Nicolas Williams
88d0102c82
GitHub: Fix OS X make install step
2022-02-11 15:13:13 -06:00
Nicolas Williams
23462018e3
GitHub: Document how to get a shell on OS X runner
2022-02-11 15:13:13 -06:00
Nicolas Williams
e9c0adf11e
GitHub: Run OS X build on pushes to osx-build
2022-02-11 15:13:13 -06:00
Nicolas Williams
454dc82a99
GitHub: Build with debug on OS X
2022-02-11 15:13:13 -06:00
Nicolas Williams
7b3a993236
roken: do not override system network address functions
...
Roken functions rk_copyhostent(), rk_freeaddrinfo(), rk_freehostent(),
rk_getaddrinfo(), rk_getipnodebyaddr(), rk_getipnodebyname(), and
rk_getnameinfo() should never be built without the "rk_" prefix. Doing
so overrides the system provided functions of the same name when they
exist.
2022-02-10 12:37:01 -06:00
Nicolas Williams
add605ee58
tests: cat messages.log in gss/check-basic trap
2022-02-10 00:57:31 -06:00
Nicolas Williams
848c21b9b9
tests: Kill kdc harder when failing
2022-02-10 00:57:31 -06:00
Nicolas Williams
79d87af910
osx: Never load OS X CCAPI while testing
2022-02-10 00:56:44 -06:00
Nicolas Williams
66e1a8baf2
osx: Disable GCD deprecation warning
2022-02-09 23:49:40 -06:00
Nicolas Williams
1da235c9c3
osx: Avoid blocking the KDC in KEYCHAIN in tests
...
If a client tries to use PKINIT we can block in the OS X keychain if no
anchors are configured.
2022-02-09 23:49:40 -06:00
Nicolas Williams
584a2d3a2b
krb5: Fix error clobbering in test_cc
2022-02-01 15:54:31 -06:00
Nicolas Williams
f06657ff64
krb5: Make more cc configs non-critical
...
MSLSA can't handle cc configs.
2022-02-01 15:54:31 -06:00
Nicolas Williams
13cb84d465
GitHub: Skip check-tester in valgrind build
2022-02-01 13:38:48 -06:00
Luke Howard
69973757ce
gss: remove gss_get_instance()
2022-01-30 14:20:05 -05:00
Jeffrey Altman
301b7ce711
Revert "asn1: Fix Windows build"
...
This reverts commit ff4033eb59.
2022-01-29 00:15:59 -05:00
Jeffrey Altman
543b94637f
more dealloc functions require HEIM_CALLCONV
...
Change-Id: I68168a387c088b45e2572d5c982d33dfe0aa38a8
2022-01-29 00:15:59 -05:00
Luke Howard
6340602ddc
base: ensure HEIM_CALLCONV used for all dealloc functions
...
Fixes regression introduced in 917e1604.
2022-01-29 14:29:37 +11:00
Luke Howard
87e96b97bd
kdc: fix warning in kdc_array_iterate()
...
Do not call return in a function returning void.
2022-01-29 10:26:54 +11:00
Luke Howard
144caf67fa
kdc: add wrappers for heimbase object accessors
...
Add libkdc wrappers for heimbase object accessors so plugins can use audit and
request attribute APIs without consuming libheimbase. Exposed API surface is
minimal and is limited to reading array collections, and reading/creating base
and custom types.
2022-01-28 17:24:57 -06:00
Luke Howard
917e16049a
base: make heim_alloc deallocator use HEIM_CALLCONV
2022-01-28 17:24:57 -06:00