The LIB_ASN1 definition instructs the library objects to access
exported DATA symbols as internal symbols.
Change-Id: Ifbc80a4e3c357cb323f7763c116101ae495b11df
oid_resolution.obj does not depend upon $(LIBASN1_OBJ) object
files. It depends upon the generated .x files produced by
asn1_compile.exe when building $(gen_files_xxx). Create a
new list of those dependencies explicitly for oid_resolution.obj.
Change-Id: I09a4dc9efb7a84e68da939b6a3ec5f55354c02ee
Build without Win32.mak, and using Universal C Runtime (UCRT)
windows: Check for APPVER, not VCVER for UCRT
When deciding whether UCRT is used (and thus no CRT merge modules), check for
Windows 10 rather than the version of Visual Studio, as we may be building with
an older SDK.
Add some notes about the KDC plugin API contract, and require plugins to
explicitly indicate which version of the API they support (remove the macro
alias for the current version).
r->canon_client_princ is always an alias to r->client->entry.principal in the
AS, but use it for consistency with the TGS. (In the TGS, it may also come from
te PAC.)
Move the Services for User (SFU/S4U) implementation -- protocol transition and
constrained delegation -- into its own compilation unit, with an interface that
only takes an astgs_request_t, so it can be easily factored out into a plugin
module in the future.
This refactoring is also careful to update all client names in the request
structure after the SFU/S4U validation has successfully completed.
Instead of having distinct preauth success/failure events for different
mechanisms, have a single event; the mechanism can be disambiguated by querying
the HDB_REQUEST_KV_PA_NAME key.
Note: there is still an explicit event for long-term key-based success/failure
in order to help the backend implement lockout.
Audit failure (HDB_AUTH_EVENT_PREAUTH_FAILED) in the main preauth loop, rather
than in each mechanism. Success is still audited in the mechanism to allow
client pre-authentication success to be noted even if something subsequent
(e.g. encoding a reply, memory allocation) fails. The generic catch-all for
success remains.
Use of the C99 'restrict' keyword was introduced by
be708ca3cf
("gsskrb5: Add simple name attributes support")
Change-Id: I8272f595af53741ee7c59750bb2d388faeb01f8f
ASTGS_REQUEST_DESC_COMMON_ELEMENTS should not terminate in a semi-colon;
the consuming structure should include it. This is consistent with
HEIM_SVC_REQUEST_DESC_COMMON_ELEMENTS. This fixes the build on Windows.
Annotate libkdc APIs with KDC_LIB_{CALL,FUNCTION} to ensure correct calling
convention and optimized DLL importing on Windows.
Ensure Windows and libtool export tables are consistent.
Now heim_audit_addkv() correctly supports multiple values, the other functions
that (by design) replace existing values with a single value should use the
heim_audit_setkv prefix.
A subsequent commit could add variants that support multiple values for
non-string types.
Build without Win32.mak, and using Universal C Runtime (UCRT)
windows: Check for APPVER, not VCVER for UCRT
When deciding whether UCRT is used (and thus no CRT merge modules), check for
Windows 10 rather than the version of Visual Studio, as we may be building with
an older SDK.
787d9ceec9 ("check for db6/db.h")
added a check for the db6 header defining HAVE_DB6_DB_H but failed
to add a check for existence of db_create() in the libdb-6 library.
Previously, if heim_audit_vaddkv() was called multiple times, values would be
concatenated; since changing the request kv type to a dictionary, only the most
recently set value was preserved.
Fix this by promoting multi-valued values to an array of values, which is
visualized in the same manner as it was prior to b1dcc1a4.
Rename the "windc" plugin API to the more general "kdc" plugin API, for two
reasons: the Heimdal KDC uses the Windows PAC even when not emulating a domain
controller, and the plugin API has accreted methods that are not specific to
emulating a domain controller (such as referral_policy and finalize_reply).
Allow the windc plugin to also implement an audit callback. As part of this
change, both the HDB and windc audit function signatures are changed to return
void.
Active Directory/Samba-specific referral policy should be implemented by a
windc plugin, not in the main KDC code. It looks like it probably isn't
necessary at all if Samba wishes to bypass Heimdal's referral handling.
This reverts commit 6f0cafa6cf.
Add a referral policy hook to the TGS as a more elegant way of resolving
referral detection for Samba). The hook can either rewrite the server_princ in
the request, or it can return an error to disable built-in referral processing.
