oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
28,954 Commits 2 Branches 2 Tags
e44c680d8efbb20ab1980e604178eb9d0d38cdcb
Commit Graph

79 Commits

Author SHA1 Message Date
Luke Howard
e0bb9c10ca gssapi: credential store extensions (#451) 
Implement the GSS-API credential store API extensions defined by MIT here:

https://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions

Note: we kill off gss_acquire_cred_ext() here. This was never a public API,
although mechanisms could have implemented it and I briefly used it in my
BrowserID prototype mechanism. gss_acquire_cred_ext_from() occupies the place
in the dispatch table where gss_acquire_cred_ext() used to, but this structure
was never visible outside Heimdal (i.e. it is only used by internal
mechanisms);

(Mechanisms that need to accept arbitrary key/value dictionaries from
applications should now implement gss_acquire_cred_from().)
 2019-01-03 14:38:39 -06:00
Nicolas Williams
b0a357429d Fix warning in lib/gssapi/test_context.c 2018-12-28 01:09:38 -06:00
Simon Wilkinson
07b3e6fd74 Allow zero-length encrypt IOVs in _krb5_evp_encrypt_iov_cts() 
The iovec encryption code doesn't handle 0 length iovecs correctly.
Instead of just skipping them, _krb5_evp_encrypt_iov_cts() will spin
on the 0 length iovec.

Modify the _krb5_evp_iov_cursor_expand helper so that iovec expansion
simply skips 0 length iovecs, and make _krb5_evp_iov_cursor_nextcrypt
do the same.

Original bug report and tests from Andrew Bartlett <abartlet@samba.org>
 2018-09-18 19:23:31 -04:00
Jeffrey Altman
02ea07f93d gssapi: remove dead code 
Remove assignment of a variable to itself.

Identified by AppChecker.

Change-Id: I94012849d8200dc91394a8548e72c61404d7e5b6
 2017-04-29 01:06:00 -04:00
Luke Howard
33ce593b6d gss_wrap/gss_unwrap_aead implementation 
Signed-off-by: Nicolas Williams <nico@twosigma.com>
 2016-02-05 18:01:15 -06:00
Luke Howard
f5b4ef3ed8 gssapi: plug leak in test_context IOV test 2015-12-09 19:05:11 +11:00
Nicolas Williams
420c080a8f Can't use deleg creds with SPNEGO (test_context) 
It isn't possible to use non-default credentials to init a context with
a mechanism for which the credential doesn't have an element.  That's
exactly what was happening here.  The code was left commented out to
describe how one might use SPNEGO with delegated credentials:
store them with gss_store_cred(), then acquire them back.
 2015-04-17 10:55:47 -05:00
Nicolas Williams
5d50d06845 Better test workaround for NTLM bug 2015-04-16 19:53:22 -05:00
Nicolas Williams
d6a7d14fc5 Workaround bugs exposed by test_context changes 
Bugs exposed by 61720a0:

 - test_context --client-name=... --mech-type=ntlm ... fails;

 - gss_acquire_cred() with desired_mech=NTLM and
   desired_name==GSS_C_NO_NAME fails;

 - gss_init_sec_context() with non-default cred handle calls the
   mechanism even when the given cred handle has no element for the
   requencet mechanism.

tests/gss/check-ntlm works by accident: gss_acquire_cred() with
desired_mechs==GSS_C_NO_OID_SET succeeds mostly because there are
Kerberos credentials available, and then the subsequent
gss_init_sec_context() call works because of the third bug described
above.
 2015-04-16 18:42:51 -05:00
Nicolas Williams
61720a0177 Improve test_context, add mech oid set 2015-04-15 12:27:40 -05:00
Jelmer Vernooij
70e43e9808 Fix some typos. 2014-04-25 02:42:17 +02:00
Roland C. Dowdeswell
e8779d5d4a Add -Wshadow and deal with the warnings. 2012-02-21 11:17:55 +00:00
Love Hornquist Astrand
58ea513056 fix error message 2011-05-21 12:11:04 -07:00
Love Hornquist Astrand
0879b9831a remove trailing whitespace 2011-05-21 11:57:31 -07:00
Luke Howard
79ff133ae9 make gss_acquire_cred_ext private 2011-05-20 14:31:08 +02:00
Luke Howard
48719d5651 shim acquire_cred_with_password SPI into acquire_cred_ext 2011-05-14 17:00:55 +02:00
Luke Howard
dfba868910 Merge branch 'master' into lukeh/acquire-cred-ex-moonshot-integ 
Conflicts:
	lib/gssapi/Makefile.am
	lib/gssapi/mech/gss_acquire_cred_with_password.c
	lib/gssapi/test_context.c
	lib/gssapi/version-script.map
 2011-05-14 16:48:49 +02:00
Luke Howard
2a8dc252b6 add gss_acquire_cred_with_password test to test_context 2011-05-14 16:26:14 +02:00
Luke Howard
3069d80734 Merge branch 'master' into lukeh/acquire-cred-ex 2011-05-14 14:56:16 +02:00
Luke Howard
02cf28e20b implement gss_acquire_cred_ex with password support 
add missing SPIs to gss_mech_switch

s/acquire_cred_ex/acquire_cred_ext/g
 2011-04-16 11:06:24 +02:00
Love Hornquist Astrand
d8b5246607 catch error from gsskrb5_register_acceptor_identity 2011-04-14 12:54:16 -07:00
Asanka C. Herath
7ba01bda98 Deal with possibly non-const initializers 2010-12-02 01:18:03 -05:00
Love Hornquist Astrand
1021099f3d rename external so that they can be included in array and struct initializer 2010-07-22 20:47:04 -07:00
Love Hornquist Astrand
01a1e1baef check that gss_krb5_set_allowable_enctypes works 2009-11-30 17:19:13 -08:00
Stefan Metzmacher
2f1a370cd3 hack for gss-wrap-iov to it work 
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
 2009-08-28 13:31:12 -07:00
Love Hornquist Astrand
45cfe3f971 Fix server context client context order to match callee 2009-08-27 18:30:28 -07:00
Love Hornquist Astrand
1999c85670 Make mech glue layer aware of composite mechs that uses mech glue layer credentials 
This make it possible to use krb5/ntlm credentials with SPNEGO.
Needs some more work to avoid double fetching credentials.
 2009-08-27 12:12:44 -07:00
Love Hornquist Astrand
32ee735d73 drop RCSID 2009-08-26 23:15:35 -07:00
Love Hornquist Astrand
a2820df666 spelling 2009-08-26 22:53:38 -07:00
Love Hornquist Astrand
ebb2e72c61 make error message more unique 2009-08-26 22:43:25 -07:00
Love Hornquist Astrand
022e7d4319 Return unwrapped delegated credentials if the actual mech is not the called mech 
Assumes that pseudo mechs are are of how mechglue credentails look like and
return credentials like that.

Pointed out on krbdev by Nicolas Williams
 2009-08-26 22:32:50 -07:00
Stefan Metzmacher
03998aeccb gsskrb5: fix test_context. after gss_wrap_iov changes 
metze

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
 2009-08-25 23:34:38 -07:00
Love Hornquist Astrand
fa502c6648 Add support for gss_{import,export}_cred() as requested by metze 
Works for krb5 and SPNEGO mechanisms. Kerberos credentials are passed as
credential cache names, or if there are memory based credentials, inband in the protocol. This means that the credentials buffers must be keep secret.

As documented by IBM (they have the wrong prototype though)
and GGF (GSS-API Extensions) back in 2001
 2009-07-29 13:36:02 +02:00
Love Hörnquist Åstrand
c99b2003e2 Implement gss_wrap_iov, gss_unwrap_iov for CFX type encryption types. 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25286 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2009-06-22 17:56:41 +00:00
Love Hörnquist Åstrand
67ae620a5d no conf_state test, no wrap-ex test 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24995 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2009-03-29 09:04:10 +00:00
Love Hörnquist Åstrand
a50bf41078 test gss_wrap_iov 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24786 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2009-02-22 23:26:48 +00:00
Love Hörnquist Åstrand
e3a51ec732 test conf state 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24785 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2009-02-22 23:26:37 +00:00
Love Hörnquist Åstrand
76dbf57e30 add gsspi_ntml.h 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24551 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2009-01-30 16:49:16 +00:00
Love Hörnquist Åstrand
0357e392d4 indent 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24401 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2009-01-25 00:38:09 +00:00
Love Hörnquist Åstrand
925f30f3f2 test free(NULL) 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24400 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2009-01-25 00:37:59 +00:00
Love Hörnquist Åstrand
e81ddb40d7 flatten includes 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24388 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2009-01-25 00:35:58 +00:00
Love Hörnquist Åstrand
d8b8a85def fix header files 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24379 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2009-01-25 00:34:29 +00:00
Love Hörnquist Åstrand
6937d41a02 remove trailing whitespace 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23815 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-09-13 09:21:03 +00:00
Love Hörnquist Åstrand
e172367898 switch to utf8 encoding of all files 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23814 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-09-13 08:53:55 +00:00
Love Hörnquist Åstrand
abf2e95bdf add missing flag policy-delegate 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23533 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-08-16 22:58:04 +00:00
Love Hörnquist Åstrand
dfb1db9505 delegate policy 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23486 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-08-11 09:58:24 +00:00
Love Hörnquist Åstrand
04b69a4a76 add GSS_C_DELEG_POLICY_FLAG 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23482 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-08-11 09:58:01 +00:00
Love Hörnquist Åstrand
a826abbbbc check max looops 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23425 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-07-26 18:39:39 +00:00
Love Hörnquist Åstrand
39fe446983 Support parsing KRB-ERROR passed back from windows server when the time is out of sync, modify krb5_cc_[sg]et_config interface to handle principals too, add tests for this 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23420 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-07-26 18:37:48 +00:00
Love Hörnquist Åstrand
ef1b20b339 check for creds 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23405 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-07-26 18:30:56 +00:00