gss-proxy.git/proxy/src, branch master-strerror gssproxy wip repository use strerror_r instead of strerror. 2013-11-21T15:31:19+00:00 Günther Deschner gdeschner@redhat.com 2013-11-21T15:29:19+00:00 a104e1c2c3f67c3532333bb9651d3e7f879870f3 Signed-off-by: Günther Deschner <gdeschner@redhat.com> 
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
use gp_strerror where strerror was used. 2013-11-21T15:31:19+00:00 Günther Deschner gdeschner@redhat.com 2013-11-21T15:25:51+00:00 ce93b1511fc5c12eeadc04492f2281838cb3aa7d Signed-off-by: Günther Deschner <gdeschner@redhat.com> 
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
util: add gp_strerror() function. 2013-11-21T15:31:19+00:00 Günther Deschner gdeschner@redhat.com 2013-11-21T15:25:18+00:00 93db6a9bd2f8e91405f5ee068ed5c72d59f6b4eb Currently it only calls back into strerror(). Signed-off-by: Günther Deschner <gdeschner@redhat.com> 
Currently it only calls back into strerror().

Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Use secure_getenv in client and mechglue module 2013-11-21T12:48:25+00:00 Simo Sorce simo@redhat.com 2013-11-20T16:58:22+00:00 23f4ee4359d10f66e1938ce6b1d92d3cc77865ff proxymehc.so may be used in setuid binaries so follow best security practices and use secure_getenv() if available. Fallback to poorman emulation when secure_getenv() is not available. Resolves: https://fedorahosted.org/gss-proxy/ticket/110 Reviewed-by: Günther Deschner <gdeschner@redhat.com> 
proxymehc.so may be used in setuid binaries so follow best security
practices and use secure_getenv() if available.
Fallback to poorman emulation when secure_getenv() is not available.

Resolves: https://fedorahosted.org/gss-proxy/ticket/110

Reviewed-by: Günther Deschner <gdeschner@redhat.com>
creds: Allow admins to define only client creds 2013-11-20T14:50:12+00:00 Simo Sorce simo@redhat.com 2013-11-16T23:54:28+00:00 a272091dfd568cb96738cc96ea01bbf7f24ee62c When a service is configured with cred_usage = initiate it is ok to allow only client credentials to be defined. Reviewed-by: Günther Deschner <gdeschner@redhat.com> 
When a service is configured with cred_usage = initiate it is
ok to allow only client credentials to be defined.

Reviewed-by: Günther Deschner <gdeschner@redhat.com>
config: Do not modify const strings 2013-11-20T14:48:45+00:00 Simo Sorce simo@redhat.com 2013-11-16T22:08:06+00:00 1d78d1af3da7eeb15aa1f054b740f31a12f48f31 Take a copy here, the option string is const and strtok_r() is not a safe function as it may change the string it manipulates. Reviewed-by: Günther Deschner <gdeschner@redhat.com> 
Take a copy here, the option string is const and strtok_r() is not a safe
function as it may change the string it manipulates.

Reviewed-by: Günther Deschner <gdeschner@redhat.com>
server: Implement flag filtering enforcement 2013-11-20T14:26:08+00:00 Simo Sorce simo@redhat.com 2013-11-16T22:09:45+00:00 3df6ac81f4a6d8cf6ff514e7d7f2cbe58840c393 Resolves: https://fedorahosted.org/gss-proxy/ticket/109 Reviewed-by: Günther Deschner <gdeschner@redhat.com> 
Resolves: https://fedorahosted.org/gss-proxy/ticket/109

Reviewed-by: Günther Deschner <gdeschner@redhat.com>
config: Add code to source flag filters 2013-11-20T14:25:12+00:00 Simo Sorce simo@redhat.com 2013-11-16T22:01:24+00:00 6a096c0a0a37d2fa9e0b03edce05929a7d98f390 2 New configuration options are made available: - filter_flags - enforce_flags Any GSS Flags listed in the filter_flags option is forcibly filtered out before a gss_init_sec_context() call is invoked. Any GSS Flags listed in the enforce_flags option is forcibly added to the list of flags requested by a gss_init_sec_context() call is invoked. Flags can be either literals or numeric and must be preceded by the sign + (to add to the list) or - (to remove from the list). Resolves: https://fedorahosted.org/gss-proxy/ticket/109 Reviewed-by: Günther Deschner <gdeschner@redhat.com> 
2 New configuration options are made available:
- filter_flags
- enforce_flags

Any GSS Flags listed in the filter_flags option is forcibly filtered
out before a gss_init_sec_context() call is invoked.
Any GSS Flags listed in the enforce_flags option is forcibly added
to the list of flags requested by a gss_init_sec_context() call is
invoked.

Flags can be either literals or numeric and must be preceded by the
sign + (to add to the list) or - (to remove from the list).

Resolves: https://fedorahosted.org/gss-proxy/ticket/109

Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Try impersonation even when a name is not provided 2013-11-20T13:37:03+00:00 Simo Sorce simo@redhat.com 2013-11-14T01:03:53+00:00 32b1d5aa0497c4e3677b4575cc7e299590df5618 In some cases a name may not be provided, still try to perform impersonation if the service is configured that way. Reviewed-by: Günther Deschner <gdeschner@redhat.com> 
In some cases a name may not be provided, still try to perform
impersonation if the service is configured that way.

Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Autoinitialize creds on init_sec_context 2013-11-20T13:36:57+00:00 Simo Sorce simo@redhat.com 2013-11-14T00:54:27+00:00 591fad86aba3520a76eaf75aa0fd5e585fac94a5 If the remote client tries to initialize the context without first acquiring credentials, try to acquire appropriate credentials if the service allows it. Reviewed-by: Günther Deschner <gdeschner@redhat.com> 
If the remote client tries to initialize the context without first
acquiring credentials, try to acquire appropriate credentials if
the service allows it.

Reviewed-by: Günther Deschner <gdeschner@redhat.com>