PATH_SEP is declared on Windows to be ";" and not ":"
by include/config.h.w32.
lib/base/context.c and lib/hx509.c must not override an existing
setting. Otherwise, file lists cannot be separated and will be
treated as a single file name.
Change-Id: I5521188faca36e41fbae95fbb8942970eab261c8
ea90ca8666 ("Move some infra bits of
lib/krb5/ to lib/base/ (2)") inappropriately altered the declaration
of the "ldebug" macro which stores the switches passed to "link.exe".
There is no "/RELEASE" switch and the "/DEBUG" switch instructs the
linker to produce files containing debug symbols (.pdb) which are
required for generating the Windows assemblies.
This change restores the prior behavior.
Change-Id: I61b8fd4759ba84671858f7c8275dbd25af1638e6
KRB5_USE_PATH_TOKENS cannot be used within lib/base as its value
is declared in lib/krb5/krb5.h. Declare HEIM_BASE_USE_PATH_TOKENS
in lib/base/baselocl.h and test for it in
heim_config_parse_file_multi().
By conditionalizing heim_config_parse_file_multi() behavior on
KRB5_USE_PATH_TOKENS heim_expand_path_tokens() is not executed
and open() is called on a path without token substitution. As a
result open() always fails with ENOENT.
Change-Id: I29dc018bc560519b76314232b2d51f53bde6313c
libtommath 1.2.0 c403b66082
("hcrypto: import libtommath v1.2.0") needs more from stdint.h
than what Heimdal previously declared. Add more integer type
declarations and integer MIN/MAX macros.
Also, on Windows declare 64-bit integers using __int64 as
"long long" is not supported as 64-bit type across all visual
studio compiler versions.
Change-Id: I944bedc67bcb26374ffb30eb3dfd7c6108a98fc3
When a function is assigned to a function pointer that is declared
with a particular calling convention, then the assigned function
must be declared with that calling convention as well. Otherwise,
kaboom!!!
The following functions are fixed by this change:
kuser/kx509.c
validate1()
add1_2chain()
lib/base/log.c
log_syslog()
close_syslog()
log_file()
close_file()
lib/gssapi/mech/context.c
gss_set_log_function()
lib/krb5/kx509.c
certs_export_func()
Change-Id: Ib68abf739e3385e98136fa4e4f5a0240e9fce033
Some pacman packages are now being compressed with the ZST algorithm,
but pacman can't handle that unless we first install `zstd`. This
commit does that.
SAnon unconditionally sets the replay, sequence, confidentiality, and integrity
flags on the acceptor; do so on the initiator as well. Some indentation
cleanups are also included in this commit.
In SAnon, the optional flags send in the initial context token are input into
the key derivation function. Mask out the flags we wish to ignore after (not
before) calling the key derivation function, as the initiator may not know
which flags we wish to ignore.
In SAnon:
The is_initiator bitfield must be unsigned to avoid undefined behaviour, as
there is only a single bit defined. Thanks to Nico Williams for explaining
this.
We were passing SANON flags to _gss_mg_import_rfc4121_context(), which
wants GSS flags. Meanwhile, I broke gss_inquire_context() on imported
SAnon contexts when I did my review of SAnon.
This commit fixes both issues and removes SANON_FLAG_*, which were only
ever needed because of a flag to track whether a context was locally
initiated or accepted. Now we use a separate int field of the sanon_ctx
to track whether a context was locally initiated. Once an SAnon context
is fully established, we rely on gss_inquire_context() on the rfc4121
sub-context for all metadata that isn't the initiator and acceptor names
nor the mechanism OID.
Add support for SAnon, a simple key agreement protocol that provides no
authentication of initiator or acceptor using x25519 ECDH key exchange.
See doc/standardization/draft-howard-gss-sanon-xx.txt for a protocol
description.
The X25519 implementation comes from libsodium. Explicit copyright
notices have been added to each file as well as some portability changes
(e.g. align.h).
Just like krb5.conf, but hx509.conf, with all the same default locations
on Windows, OS X, and elsewhere, and HX509_CONFIG as the environment
variable equivalent of KRB5_CONFIG.
Fix for issue #486 based on a patch by Nico Williams.
A GSS-API acceptor can return an error token to be sent to the initiator. Our
SPNEGO implementation discarded these when sending a SPNEGO reject response.
This patch fixes the SPNEGO acceptor to convey those in the SPNEGO response.
The SPNEGO initiator is also updated to not bail out early on receiving a
SPNEGO reject response from the acceptor, but instead pass the response token
(if any) to gss_init_sec_context(). A reject response with no response token
will continue to return an error.
Reduce the number of trials when generating RSA keys by calling
mp_prime_rabin_miller_trials() with the number of desired bits.
See libtom/libtommath#482.
gss_release_cred_by_mech() was previously used by SPNEGO's implementation of
gss_set_neg_mechs(). This is now implemented in the mechanism glue. As we never
shipped gss_release_cred_by_mech(), it is safe to remove it and its exported
symbol.
SPNEGO was already using union creds. Now make the mechglue know about
it, delete all of the cred-related SPNEGO stubs that are now not called
(lib/gssapi/spnego/cred_stubs.c), and implement gss_get/set_neg_mechs()
by storing the OID set in the union cred.
This commit was essentially authored as much if not more by Luke Howard
<lukeh at padl.com> as much as by the listed author.
gss_add_oid_set_member() should according to RFC2744 add a copy of the OID to
the set; the current implementation just stored a pointer (which may not be
stable). As we have _gss_intern_oid(), call that before adding.
