path: root/src/lib/gssapi/mechglue
Commit log for this path, newest first. Each entry gives the commit subject, then author, date, files changed and lines removed/added, then the commit message body.

* New SPI call to import creds by oid
  Simo Sorce, 2012-09-14 (3 files, -2/+20)
  This extension makes it possible for an interposer to know which interposed mechanism the mechglue intended to use when multiple mechanisms are being interposed by the same plugin.

* New SPI call to import a name by mech oid
  Simo Sorce, 2012-09-14 (4 files, -11/+40)
  This extension makes it possible for an interposer to know which interposed mechanism the mechglue intended to use when multiple mechanisms are being interposed by the same plugin.

* New SPI call to import a context by oid
  Simo Sorce, 2012-09-14 (3 files, -3/+19)
  This extension makes it possible for an interposer to know which interposed mechanism the mechglue intended to use when multiple mechanisms are being interposed by the same plugin.

* Check creds to select mech in accept_sec_context
  Simo Sorce, 2012-09-14 (1 file, -4/+23)

* Distinguish between requested and selected oids
  Simo Sorce, 2012-09-14 (14 files, -120/+239)
  Pick the right set of OIDs to use in mechglue functions. We have 3 oids to care for:
  - The desired/requested oid: it can be a valid oid or a special interposer oid used to avoid looping back to an interposer plugin when the interposer wants to access a local mechanism.
  - The selected_oid: that is the actual oid of the mechanism we are going to use; it could be an interposer oid.
  - The public oid: which normally is the same as the desired/requested oid except when a special interposer oid is used by an interposer.
  FIXME: Set the right mech_type on contexts
  - issue with accept_sec_context, how to fallback to local mechanism?
  - may need to use magic fallback error

* Add function to return the Public OID
  Simo Sorce, 2012-09-13 (2 files, -0/+23)
  Special care needs to be taken to avoid returning special interposer plugin OIDs to user applications. The public OID is the OID that should be returned to users of the GSSAPI. This is not the same as the internal OID which could be a special interposer plugin OID.

* Add function to get the mechanism type to use
  Simo Sorce, 2012-09-13 (2 files, -0/+56)
  This is needed since gssint_get_mechanism(NULL) now can return an interposer mechanism, and then mech->mech_type will not point to the right mechanism type, but to the interposer plugin OID. Also for special interposer OIDs we need to use the real mechanism type when the passed in oid is special.

* Never return interposers OIDs
  Simo Sorce, 2012-09-13 (1 file, -3/+8)
  This function is used to return the reply for gss_indicate_mechs(), and we do not want applications to see interposer mechs, they should never be exposed directly to apps.

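The entries from "Distinguish between requested and selected oids" down to this one describe three OIDs (requested, selected, public) and the rule that interposer OIDs are never reported to applications. The C program below is an added example, not code from krb5: it models a mechanism table containing one interposer and resolves a requested OID the way those messages describe. The interposer OID, the table contents, and the assumption that a "special" OID is the interposer OID followed by the real mechanism OID are illustrative only; the krb5 and SPNEGO OIDs are the real ones. The null-safe oid_equal mirrors the behaviour gss_oid_equal() gained in ticket 6890 further down this log.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { size_t length; const unsigned char *elements; } oid;

/* Null-safe comparison (two nulls are equal, null vs non-null is not), the
 * behaviour gss_oid_equal() gained in ticket 6890 further down this log. */
int oid_equal(const oid *a, const oid *b)
{
    if (a == b) return 1;
    if (a == NULL || b == NULL) return 0;
    return a->length == b->length &&
           memcmp(a->elements, b->elements, a->length) == 0;
}

/* Real mechanism OIDs: krb5 1.2.840.113554.1.2.2, SPNEGO 1.3.6.1.5.5.2. */
static const unsigned char krb5_bytes[] =
    { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };
static const unsigned char spnego_bytes[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
/* Constructed OID for a hypothetical interposer plugin, not a real assignment. */
static const unsigned char interp_bytes[] = { 0x2b, 0x06, 0x01, 0x04, 0x01, 0x7f, 0x01 };
const oid krb5_oid   = { sizeof krb5_bytes,   krb5_bytes };
const oid spnego_oid = { sizeof spnego_bytes, spnego_bytes };
const oid interp_oid = { sizeof interp_bytes, interp_bytes };

/* Assumed "special" OID layout: interposer OID followed by the real mechanism
 * OID. An interposer requests it to reach the local mechanism, not itself. */
static unsigned char special_bytes[sizeof interp_bytes + sizeof krb5_bytes];
const oid special_krb5_oid = { sizeof special_bytes, special_bytes };

void build_special_oids(void)
{
    memcpy(special_bytes, interp_bytes, sizeof interp_bytes);
    memcpy(special_bytes + sizeof interp_bytes, krb5_bytes, sizeof krb5_bytes);
}

/* A loaded module: the OID it is registered under and whether it interposes it. */
typedef struct { const char *name; const oid *mech_type; int is_interposer; } mech_info;

/* Constructed table. The interposer comes first because the loader initialises
 * interposers before the mechanisms they interpose, so it shadows krb5. */
static const mech_info mechs[] = {
    { "interposer(krb5)", &krb5_oid,   1 },
    { "krb5",             &krb5_oid,   0 },
    { "spnego",           &spnego_oid, 0 },
};
#define NMECHS (sizeof mechs / sizeof mechs[0])

/* If o is a special OID, set real to the mechanism OID it carries. */
static int strip_special(const oid *o, oid *real)
{
    if (o == NULL || o->length <= interp_oid.length ||
        memcmp(o->elements, interp_oid.elements, interp_oid.length) != 0)
        return 0;
    real->length = o->length - interp_oid.length;
    real->elements = o->elements + interp_oid.length;
    return 1;
}

/* Resolve a requested OID to the module to use (table index, or -1) and to
 * the public OID an application may be shown. */
int select_mech(const oid *requested, const oid **public_oid)
{
    oid real;
    size_t i;
    if (strip_special(requested, &real)) {
        /* Interposer calling through: skip interposers, use the real module,
         * and report the real mechanism OID, never the special one. */
        for (i = 0; i < NMECHS; i++) {
            if (mechs[i].is_interposer || !oid_equal(mechs[i].mech_type, &real))
                continue;
            *public_oid = mechs[i].mech_type;
            return (int)i;
        }
        return -1;
    }
    /* Ordinary request: first match wins, so an interposer shadows its mech. */
    for (i = 0; i < NMECHS; i++) {
        if (!oid_equal(mechs[i].mech_type, requested))
            continue;
        *public_oid = requested;
        return (int)i;
    }
    return -1;
}

/* gss_indicate_mechs() analogue: report mechanism OIDs, never interposers. */
size_t indicate_mechs(const oid **out, size_t max)
{
    size_t i, n = 0;
    for (i = 0; i < NMECHS && n < max; i++)
        if (!mechs[i].is_interposer)
            out[n++] = mechs[i].mech_type;
    return n;
}
```

Call build_special_oids() once before select_mech(). Requesting the krb5 OID lands on the interposer with the krb5 OID as the public OID; requesting the special OID lands on the real krb5 module and still reports the krb5 OID, so the special form never reaches an application; indicate_mechs() lists krb5 and SPNEGO and omits the interposer.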
* Add interposer plugin type loader
  Simo Sorce, 2012-09-13 (2 files, -0/+282)
  Also initialize any interposer plugin as soon as configuration is loaded from the file. This is to ensure interposers are configured before actual mechanisms they may want to interpose are.

* Allow to define an interposer in the conf file
  Simo Sorce, 2012-09-13 (2 files, -6/+38)

* Avoid memory leaks on error condition
  Simo Sorce, 2012-09-13 (1 file, -4/+5)

* make depend
  Greg Hudson, 2012-09-12 (1 file, -0/+16)

* Introduce gss_export_cred and gss_import_cred
  Greg Hudson, 2012-09-11 (4 files, -0/+300)
  Add gss_export_cred and gss_import_cred mechglue functions to serialize and unserialize GSSAPI credential handles. Mechanism implementations and tests will follow.
  ticket: 7354 (new)

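As an added example, not code from krb5: a minimal length-prefixed serialisation of a multi-mechanism credential in the spirit of gss_export_cred / gss_import_cred. The element layout (4-byte big-endian OID length, OID bytes, 4-byte big-endian token length, token bytes), the sample OIDs and the token contents are assumptions made for illustration. The part worth copying is the import side: each length is checked against the bytes that remain before it advances the cursor, so a truncated or deliberately oversized token is rejected rather than read past the end of the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const unsigned char *oid; size_t oid_len;   /* mechanism OID */
    const unsigned char *tok; size_t tok_len;   /* mechanism's exported cred */
} cred_elem;

#define MAX_ELEMS 4

static void put32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

static uint32_t get32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Serialise n elements into out; returns bytes written, 0 if out is too small. */
size_t export_cred(const cred_elem *el, size_t n, unsigned char *out, size_t cap)
{
    size_t off = 0, i;
    for (i = 0; i < n; i++) {
        if (cap - off < 8 + el[i].oid_len + el[i].tok_len)
            return 0;
        put32(out + off, (uint32_t)el[i].oid_len); off += 4;
        memcpy(out + off, el[i].oid, el[i].oid_len); off += el[i].oid_len;
        put32(out + off, (uint32_t)el[i].tok_len); off += 4;
        memcpy(out + off, el[i].tok, el[i].tok_len); off += el[i].tok_len;
    }
    return off;
}

/* Parse an exported token; elements point into in, no copies are made.
 * Returns the element count, or -1 if any length does not fit the bytes
 * that remain. Every length is validated before it moves the cursor. */
int import_cred(const unsigned char *in, size_t len, cred_elem *el, size_t max)
{
    size_t off = 0, n = 0;
    uint32_t l;
    while (off < len) {
        if (n == max || len - off < 4) return -1;
        l = get32(in + off); off += 4;
        if (l == 0 || l > len - off) return -1;    /* OID must exist and fit */
        el[n].oid = in + off; el[n].oid_len = l; off += l;
        if (len - off < 4) return -1;
        l = get32(in + off); off += 4;
        if (l > len - off) return -1;              /* token must fit */
        el[n].tok = in + off; el[n].tok_len = l; off += l;
        n++;
    }
    return (int)n;
}

/* Round trip of two constructed elements, the second with an empty token. */
int roundtrip_ok(void)
{
    static const unsigned char krb5[] =
        { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };
    static const unsigned char tok0[] = "constructed-krb5-cred-bytes";
    cred_elem in[2] = { { krb5, sizeof krb5, tok0, sizeof tok0 - 1 },
                        { krb5, sizeof krb5, tok0, 0 } };
    cred_elem out[MAX_ELEMS];
    unsigned char buf[128];
    size_t len = export_cred(in, 2, buf, sizeof buf);
    int n = import_cred(buf, len, out, MAX_ELEMS);
    return len == 2 * (8 + sizeof krb5) + (sizeof tok0 - 1) && n == 2 &&
           out[0].oid_len == sizeof krb5 && out[0].tok_len == sizeof tok0 - 1 &&
           memcmp(out[0].tok, tok0, out[0].tok_len) == 0 && out[1].tok_len == 0;
}

/* Hostile input: an OID length field claiming far more than is present. */
int rejects_oversized_length(void)
{
    unsigned char bad[8] = { 0x7f, 0xff, 0xff, 0xff, 0x2a, 0x86, 0x48, 0x86 };
    cred_elem out[MAX_ELEMS];
    return import_cred(bad, sizeof bad, out, MAX_ELEMS) == -1;
}

int main(void)
{
    printf("round trip: %s\n", roundtrip_ok() ? "ok" : "FAILED");
    printf("oversized length rejected: %s\n", rejects_oversized_length() ? "yes" : "NO");
    return 0;
}
```

The two checks in import_cred, `l > len - off` computed on the remaining length rather than `off + l > len`, matter: the latter can wrap when l is near the top of the range, while the former cannot underflow because the loop guarantees off <= len.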
* Add support for GSS_C_NT_COMPOSITE_EXPORT
  Luke Howard, 2012-08-31 (1 file, -1/+1)
  ticket: 7347 (new)

* Fix memory leak in gss_add_cred
  Greg Hudson, 2012-08-30 (1 file, -0/+3)
  The most recent commit to g_acquire_cred.c allocates an OID set to pass to the mech, but never releases it. Fix that.

* Use gssalloc in more parts of GSSAPI
  Greg Hudson, 2012-08-11 (2 files, -2/+2)
  Fix some GSSAPI buffer allocations which were missed in 800358b1790ef82710af0b6021c6ff2dca2b0de7: gss_export_sec_context, gss_display_name, and IAKERB and SPNEGO token construction.
  ticket: 7233 (new)
  tags: pullup

* Remove gss_mechanism_ext
  Simo Sorce, 2012-08-08 (3 files, -110/+24)
  This function did not serve any useful purpose. Remove it and the special case it creates; move the only function it contained to the main gss_mechanism structure where it belongs. Note that the function name is preserved so that loadable modules are not affected by this change.

* Pass the actual mech oid in creds functions
  Simo Sorce, 2012-08-06 (2 files, -11/+34)
  This way the mechanism handler knows what mech type is intended. This allows plugins that implement multiple mechanisms or interposer plugins to know what they are being asked to do.

* Reuse code to free gss_mech_info structure
  Simo Sorce, 2012-08-05 (1 file, -21/+4)

* Make gss_ctx_id_t truly opaque
  Simo Sorce, 2012-08-03 (5 files, -6/+6)
  This allows us to still use it for type safety in the APIs while at the same time preventing code from trying to dereference internal_ctx_id by mistake.

* Fix oid set construction in gss_inquire_cred()
  Kevin Wasserman, 2012-08-02 (1 file, -22/+10)
  Use gssapi calls to construct the oid sets. It is not safe on windows to use malloc to hand-construct the set and then call gss_release_oid_set() to clean it up.
  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
  ticket: 7227 (new)
  tags: pullup

* Introduce credential store extensions
  Simo Sorce, 2012-07-20 (3 files, -32/+210)
  Add new APIs gss_acquire_cred_from, gss_add_cred_from, and gss_store_cred_into, which take additional arguments to specify the location of the credential storage using a key-value map, where keys are interpreted by the mechanisms.
  ticket: 7217 (new)

* In g_oid_ops.c, remove an unneeded declaration
  Simo Sorce, 2012-07-18 (1 file, -3/+0)
  The code that used it is no longer in this file.

* Avoid mapping GSSAPI minor code on success
  Greg Hudson, 2012-07-08 (1 file, -1/+2)
  In gssint_import_internal_name, don't map the minor code from mech->gss_duplicate_name if it returned successfully. Fixes an "unexpected non-zero minor status" error reported by SAP's gsstest when it invokes gss_canonicalize_name().
  ticket: 7194 (new)

* Use first mech's status in gss_acquire_cred
  Greg Hudson, 2012-06-03 (1 file, -3/+11)
  If we can't acquire creds for any mech in gss_acquire_cred, return the status of the first mech instead of the last mech, as it's more useful in the typical case (where the first mech is krb5 and the last mech is SPNEGO). This error reporting is not ideal when the user was expecting to use some mech other than krb5, but it's about as good as things were prior to #6894.
  ticket: 6973

* Initialize gss_get_name_attribute output buffers
  Greg Hudson, 2012-02-14 (1 file, -0/+8)
  GSS functions which accept gss_buffer_t output arguments should initialize those buffers to empty on startup (see gss_wrap, for instance). Do so for gss_get_name_attribute in the mechglue.
  ticket: 7089
  target_version: 1.10.1
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25700 dc483132-0cff-0310-8789-dd5450dbe970

* make depend
  Tom Yu, 2011-10-14 (1 file, -325/+331)
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25344 dc483132-0cff-0310-8789-dd5450dbe970

* Use gssalloc memory management where appropriate
  Sam Hartman, 2011-10-14 (5 files, -6/+6)
  gss_buffer_t may be freed in a different module from where they are allocated so it is not safe to use strdup/malloc/calloc/free. Similarly, gss_OID_set need to use gssalloc functions.
  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25332 dc483132-0cff-0310-8789-dd5450dbe970

* Simplify gss_indicate_mechs() by using generic_gss_copy_oid_set
  Sam Hartman, 2011-10-14 (1 file, -52/+3)
  ...instead of hand-duplicating all the logic therein. Also makes the switch to using gssalloc functions with oid_sets easier.
  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25329 dc483132-0cff-0310-8789-dd5450dbe970

* Initialize localname on error in gss_localname
  Greg Hudson, 2011-10-06 (1 file, -4/+5)
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25316 dc483132-0cff-0310-8789-dd5450dbe970

* Windows fixes: remove unreferenced; use sizeof to compute array size
  Sam Hartman, 2011-09-28 (1 file, -2/+1)
  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25272 dc483132-0cff-0310-8789-dd5450dbe970

* Whitespace
  Greg Hudson, 2011-09-21 (2 files, -66/+68)
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25224 dc483132-0cff-0310-8789-dd5450dbe970

* New implementation to map a gss name to localname
  Sam Hartman, 2011-09-21 (3 files, -56/+75)
    * Write gss_pname_to_uid in terms of gss_localname; suppress on win32
    * Add test for gss_pname_to_uid indirectly testing gss_localname
    * gss_localname is the SPI, not gss_pname_to_uid
    * fix some const gss_OID->gss_const_oid
  Signed-off-by: Sam Hartman <hartmans@painless-security.com>
  gss_localname: map gss name to localname
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25222 dc483132-0cff-0310-8789-dd5450dbe970

* Formatting fixes
  Greg Hudson, 2011-09-19 (1 file, -203/+219)
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25209 dc483132-0cff-0310-8789-dd5450dbe970

* On Windows, parse mechanism info from Registry instead of mech file
  Sam Hartman, 2011-09-19 (1 file, -169/+351)
  Currently the code parses @sysconfdir@/gss/mech as a set of GSS mechanisms to dynamically load. On Windows this should come from the registry.
  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
  Signed-off-by: Sam Hartman <hartmans@debian.org>
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25198 dc483132-0cff-0310-8789-dd5450dbe970

* Eliminate the mechglue union cred auxinfo field
  Greg Hudson, 2011-09-05 (8 files, -242/+65)
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25152 dc483132-0cff-0310-8789-dd5450dbe970

* Reindent per krb5-batch-reindent.el.
  Ken Raeburn, 2011-09-04 (2 files, -15/+15)
  Some minor reformatting added in places to avoid exceeding 80 columns. Used Emacs 22.1 built-in C mode.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25144 dc483132-0cff-0310-8789-dd5450dbe970

* Fix style issues in r25087
  Greg Hudson, 2011-08-29 (2 files, -3/+3)
    * Function names should be at the beginning of lines in definitions.
    * Changes should not create lines >79 characters.
    * Continuation lines should align after left parens when appropriate.
  Also, krb5_gss_accept_sec_context_ext and acquire_accept_cred are not gss mechanism functions and should not have been tagged.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25116 dc483132-0cff-0310-8789-dd5450dbe970

* Fix major status handling in gss_acquire_cred
  Greg Hudson, 2011-08-11 (1 file, -0/+1)
  If we have at least one cred element after the mech loop, reset major before continuing on, or we could mistakenly return a failure status from the last mech (and free the returned creds). Reported by aberry@likewise.com.
  ticket: 6944
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25097 dc483132-0cff-0310-8789-dd5450dbe970

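This entry and the later "Use first mech's status in gss_acquire_cred" entry above both concern how the per-mechanism loop in gss_acquire_cred reports status. The C program below is an added example, not krb5's code: it models that loop before and after the two changes, with constructed mechanism names and constructed status values standing in for the real GSS major status codes, so the difference in what a caller sees can be checked directly.

```c
#include <stddef.h>
#include <stdio.h>

#define GSS_S_COMPLETE 0u
/* Constructed stand-ins for mechanism failure statuses (not real GSS codes). */
#define MECH_NO_CRED  0x000d0000u
#define MECH_UNAVAIL  0x00100000u

typedef struct {
    const char *name;
    unsigned status;   /* what this mechanism's acquire call returns */
} mech_result;

/* The loop as it behaved before the fixes. Returns the major status the
 * caller would see; *count is how many cred elements were collected. */
unsigned acquire_cred_before(const mech_result *m, size_t n, size_t *count)
{
    unsigned major = MECH_NO_CRED;
    size_t i;

    *count = 0;
    for (i = 0; i < n; i++) {
        major = m[i].status;          /* overwritten on every iteration */
        if (major != GSS_S_COMPLETE)
            continue;
        (*count)++;
    }
    /* If the last mech failed, a failure escapes even though earlier mechs
     * produced elements, and the caller then frees the creds it was handed. */
    return major;
}

/* The loop with both fixes: remember the first mech's failure, and once any
 * element was collected reset major so the creds are returned as success. */
unsigned acquire_cred_after(const mech_result *m, size_t n, size_t *count)
{
    unsigned major = MECH_NO_CRED, first_major = GSS_S_COMPLETE;
    size_t i;

    *count = 0;
    for (i = 0; i < n; i++) {
        major = m[i].status;
        if (major != GSS_S_COMPLETE) {
            if (first_major == GSS_S_COMPLETE)
                first_major = major;  /* first mech's error is the useful one */
            continue;
        }
        (*count)++;
    }
    if (*count > 0)
        return GSS_S_COMPLETE;        /* at least one element: success */
    return first_major != GSS_S_COMPLETE ? first_major : major;
}

/* Constructed mechanism lists in the usual order: krb5 first, SPNEGO last. */
const mech_result krb5_ok_spnego_fails[2] = {
    { "krb5",   GSS_S_COMPLETE },
    { "spnego", MECH_UNAVAIL   },
};
const mech_result all_fail[2] = {
    { "krb5",   MECH_NO_CRED },
    { "spnego", MECH_UNAVAIL },
};

int main(void)
{
    size_t count;
    printf("krb5 ok, spnego fails: before=0x%x after=0x%x\n",
           acquire_cred_before(krb5_ok_spnego_fails, 2, &count),
           acquire_cred_after(krb5_ok_spnego_fails, 2, &count));
    printf("all fail: before=0x%x after=0x%x\n",
           acquire_cred_before(all_fail, 2, &count),
           acquire_cred_after(all_fail, 2, &count));
    return 0;
}
```

With krb5 succeeding and SPNEGO failing, the old loop reports SPNEGO's failure although one element was collected; the fixed loop reports success. When every mechanism fails, the old loop reports the last (SPNEGO) status and the fixed loop the first (krb5) one.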
* Whitespace
  Greg Hudson, 2011-08-09 (1 file, -1/+1)
  Also remove the erroneously added gssapi_err_krb5 error table sources.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25091 dc483132-0cff-0310-8789-dd5450dbe970

* call gssint_mecherrmap_init() from gssint_mechglue_init()
  Sam Hartman, 2011-08-09 (1 file, -0/+1)
  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
  Signed-off-by: Sam Hartman <hartmans@painless-security.com>
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25090 dc483132-0cff-0310-8789-dd5450dbe970

* Use KRB5_CALLCONV for all gss mechanism functions. Also wrap #include <unistd.h> with #ifdef HAVE_UNISTD_H in g_authorize_localname.c
  Sam Hartman, 2011-08-09 (6 files, -64/+66)
  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
  Signed-off-by: Sam Hartman <hartmans@painless-security.com>
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25087 dc483132-0cff-0310-8789-dd5450dbe970

* Fix gss_set_cred_option cred creation with no name
  Greg Hudson, 2011-07-22 (1 file, -6/+8)
  When creating a cred in the mechglue with gss_acquire_cred, the mechanism is allowed to return no name from gss_inquire_cred. But in the analogous operation in gss_set_cred_option, that would result in an error from gss_display_name. Make the call to gss_display_name conditional on the mechanism name being set. Reported by Andrew Bartlett.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25037 dc483132-0cff-0310-8789-dd5450dbe970

* make depend
  Ezra Peisach, 2011-07-01 (1 file, -8/+8)
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25007 dc483132-0cff-0310-8789-dd5450dbe970

* Mark up strings for translation
  Greg Hudson, 2011-06-10 (1 file, -49/+44)
  ticket: 6918
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970

* Handle null OID values in gss_oid_equal()
  Greg Hudson, 2011-04-16 (1 file, -0/+3)
  ticket: 6890
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24885 dc483132-0cff-0310-8789-dd5450dbe970

* Check mech_type as well as mech_name in gssint_import_internal_name(), for the sake of static analyzers.
  Greg Hudson, 2011-04-16 (1 file, -1/+2)
  (Also, since this is an internal function, it can be called on a half-constructed MN; checking the type alone would be insufficient.)
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24884 dc483132-0cff-0310-8789-dd5450dbe970

* Fix a code path where mech could be used uninitialized in gss_accept_sec_context after r24645.
  Greg Hudson, 2011-04-16 (1 file, -1/+1)
  ticket: 6813
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24883 dc483132-0cff-0310-8789-dd5450dbe970

* Implement gss_authorize_localname, as discussed on the kitten list, and make gss_userok a wrapper around it matching the Gnu GSS prototype.
  Greg Hudson, 2011-04-10 (4 files, -104/+109)
  The SPI for gss_authorize_localname doesn't match the API since we have no way of representing the contents of an internal name to a mech at the moment.
  From r24855, r24857, r24858, r24862, r24863, r24864, r24866, r24867, and r24868 in users/lhoward/moonshot-mechglue-fixes.
  ticket: 6891
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24869 dc483132-0cff-0310-8789-dd5450dbe970

* Allow anonymous name to be imported with empty name buffer
  Greg Hudson, 2011-04-06 (1 file, -4/+11)
  When importing a name of type GSS_C_NT_ANONYMOUS, allow the input name buffer to be null or empty (null is translated into empty before mechanisms see it).
  From r24820 in users/lhoward/moonshot-mechglue-fixes.
  ticket: 6896
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24852 dc483132-0cff-0310-8789-dd5450dbe970