Nicolas Williams
d519094117
hxtool: fix leak
2019-12-04 13:40:28 -06:00
Nicolas Williams
4f8577a988
hxtool: add cert type: https-negotiate-server
2019-12-04 13:40:28 -06:00
Nicolas Williams
f9a0e8f076
roken: add rkbase64 noinst program
...
This will be useful in tests.
2019-12-04 13:40:28 -06:00
Nicolas Williams
982ba80b6e
roken: fix leak in roken_detach_prep()
2019-12-04 13:40:28 -06:00
Roland C. Dowdeswell
8c5d2f7cc4
kuser/kx509.c: Fix add1_2chain.
2019-11-26 13:38:17 -06:00
Roland C. Dowdeswell
62d13ebf28
lib/krb5/kx509.c: fix memory leak in an error case.
2019-11-26 13:38:17 -06:00
Roland C. Dowdeswell
9265c1ce54
Fix windows build
...
In 0cc708ba36, we removed the definition of id-ms-client-authentication
without a corresponding removal from lib/asn1/libasn1-exports.def.
Maybe we should generate lib*-exports.def?
2019-11-21 09:56:29 -05:00
Roland C. Dowdeswell
8ee86db261
Add enforce_ok_as_delegate setting
...
If this flag is set to true, then GSSAPI credential delegation will
be disabled when the "ok-as-delegate" flag is not set in the service
ticket.
2019-11-20 18:18:57 -05:00
Roland C. Dowdeswell
b5449e6c97
disable test_cc on Windows
2019-11-20 18:14:44 -05:00
Roland C. Dowdeswell
8b20d436d9
disable test-detach on Windows
2019-11-20 18:14:44 -05:00
Roland C. Dowdeswell
3b828e23e7
Don't build the docs on appveyor
2019-11-20 18:14:44 -05:00
Roland C. Dowdeswell
69dd82d33e
Stop stuttering in libkrb5-exports.def.in
2019-11-20 18:14:44 -05:00
Roland C. Dowdeswell
cd297eb462
Declare variables at the beginning of a block.
...
Looks like this fixes the Appveyor build.
2019-11-20 18:14:44 -05:00
Roland C. Dowdeswell
01126367d3
w32-check-exported-symbols: Eliminate perl warning
...
This will become fatal in the next version of Perl, so we need
to eliminate it now.
2019-11-20 18:14:44 -05:00
Roland C. Dowdeswell
06f3507c77
Update .gitignore to catch more test remains
2019-11-20 18:14:44 -05:00
Nicolas Williams
4500a14f95
hx509: Show query expression parse errors
2019-11-19 23:00:41 -06:00
Nicolas Williams
a40d4056bd
asn1: Add der_find_or_parse_heim_oid()
2019-11-19 23:00:41 -06:00
Nicolas Williams
944eae82cf
asn1: Remove alias of id-kp-clientAuth
2019-11-19 23:00:41 -06:00
Nicolas Williams
c1841f2f67
gssapi: Import elric1's gss-token
2019-11-19 23:00:41 -06:00
Nicolas Williams
56c5f5909e
roken: Add rkvis program for test scripts
...
This will help programs that need to URL-escape strings.
Also, this changes `do_hvis()` to not fall back on `do_svis()` for chars in
`extra` -- that `do_hvis()` was doing that seems like an oversight. Christos
Zoulas, of NetBSD, agrees. `do_hvis()` still falls back on `do_svis()` for
characters not in the RFC 1808 / 3986 to-be-escaped set *and* characters not in
the `extra` set -- that much seems to have been the intent.
2019-11-19 22:33:20 -06:00
Nicolas Williams
4981cfc420
roken: base64: set errno on decode errors
2019-11-18 17:28:32 -06:00
Roland C. Dowdeswell
a8b749685c
include <sys/exec_elf.h> if it's available.
...
This fixes the auxval logic on NetBSD.
2019-11-18 14:20:19 -06:00
Nicolas Williams
ba5bb07495
krb5: disable automatic kx509 by default
2019-11-13 18:42:28 -06:00
Roland C. Dowdeswell
84ffa22c93
Add an "EFILE:" target for logging.
...
This target will write to a file IFF it exists.
2019-11-10 17:47:36 -05:00
Roland C. Dowdeswell
e44c680d8e
Make logging path definitions subject to token expansion.
2019-11-10 17:47:36 -05:00
Roland C. Dowdeswell
0c869176f4
Define a token expansion for %{strftime:<string>}.
2019-11-10 17:47:36 -05:00
Roland C. Dowdeswell
3c7da79838
derived keys: ensure that princ is correct
...
We copy the princ in the hdb_entry so that if it is later used, it
will reflect what we want.
2019-11-07 20:11:55 -05:00
Nicolas Williams
a2650ef20b
kx509: Fix uninitialized ret var use
2019-11-06 19:51:21 -06:00
Nicolas Williams
fce3f16859
hx509: Add hx509_ca_tbs_get_name()
...
This is so we can check if a TBS gets an empty subject name, then refuse
to issue the certificate if it doesn't also have at least one SAN.
2019-11-06 19:51:21 -06:00
Viktor Dukhovni
12826c9586
Handle partial writes on non-blocking sockets
...
Now that we're using krb5_net_write() with non-blocking sockets in
ipropd_master, we MUST correctly account for partial writes.
Therefore, roken net_write() called from krb5_net_write() now
returns the number of bytes written when the socket error was
EWOULDBLOCK (or EAGAIN).
Also, fix potential issue on Windows, where errno was used instead
of rk_SOCKET_ERRNO whether or not we used _write() or send().
2019-11-06 20:27:58 -05:00
Nicolas Williams
9ca5d710f9
hx509: fix hx509_request_get_eku()
2019-11-04 14:11:40 -06:00
Jeffrey Altman
efb27f15ac
Windows: update default timestamping service
...
The Verisign and Symantec timestamping services have been shut down.
Switch to the Digicert service which replaced the Symantec services
as of 31 Oct 2019.
http://timestamp.digicert.com
Change-Id: I365e6c3698b8fc99b18e8d1e5a54ce3519f3c5eb
2019-11-02 21:14:00 -04:00
Nicolas Williams
0cc708ba36
kx509: add time-to-live for kx509 -t option
...
It's useful to check for having so many seconds left in useful
credential lifetime.
2019-11-02 18:49:42 -05:00
Nicolas Williams
94bf464f8d
krb5: Add krb5_ticket_get_times()
2019-11-02 18:49:42 -05:00
Nicolas Williams
66cde3e580
hx509: Fix hx509_request_get_exts()
2019-11-02 18:49:42 -05:00
Nicolas Williams
35c91324ed
hx509: Add hx509_get_instance()
2019-11-02 18:49:42 -05:00
Nicolas Williams
427751a204
hxtool: Add "acert" (assert cert contents) command
...
This will prove useful in testing kx509.
2019-11-02 18:49:42 -05:00
Nicolas Williams
6612090ba0
hx509: Export missing symbols
2019-11-02 18:49:42 -05:00
Nicolas Williams
ddbc36d86b
hx509: Store priv keys first in PEM stores
...
Most consumers of PEM files don't care about the order in which private
keys and certificates are stored. However, Postfix does care when
multiple EE certs (and chains) are stored in a file, in which case it
requires that private keys come before their certificates.
2019-11-02 18:49:42 -05:00
Nicolas Williams
7dc134e410
krb5: Move krb5_plugin_load_t typedef to header
2019-11-02 18:49:42 -05:00
Nicolas Williams
ec858b3a46
ipc: Get socket dir via secure_getenv()
...
Using /var/run means needing privilege to run.
2019-11-02 18:49:42 -05:00
Nicolas Williams
b54107ee2b
asn1: Add more EKU OIDs from RFC7299, OpenSSL
2019-11-02 18:37:13 -05:00
Nicolas Williams
ed1f900cfb
asn1: Add some missing OIDs from RFC5280
2019-11-02 18:37:13 -05:00
Nicolas Williams
db35aeb5be
asn1: Fix OID resolution bug
2019-11-02 18:37:13 -05:00
Nicolas Williams
f717c7344b
gss: Fix double-free in acquire_from
2019-10-30 21:18:08 -05:00
Roland C. Dowdeswell
ba65039586
Lightly document derived key namespaces
2019-10-30 16:31:51 -05:00
Viktor Dukhovni
5bbe7c8dc6
Implement forwarding of leaf TGTs to selected realms.
...
Refactor and enhance TGT forwarding to allow forwarding of leaf
(destination) TGTs for selected destination realms.
Enhance kinit(1) to renew non-origin realm tickets
Document delegate-destination-tgt
Use the newly implemented _krb5_mk_1cred().
2019-10-30 16:20:58 -05:00
Roland C. Dowdeswell
d81118cc1f
Implement krb5_mk_{1,n}cred
2019-10-30 16:20:58 -05:00
Roland C. Dowdeswell
2e0366b7a0
Teach make-proto.pl about #define \-continuation.
2019-10-30 16:20:58 -05:00
Roland C. Dowdeswell
a86e1076a0
Ignore tags files and *_asn1_oid.x
2019-10-30 18:16:34 +00:00