path: root/src/lib/gssapi
Commit log (commit message; author, date; files changed, -lines removed/+lines added)
* New SPI call to import creds by oid (Simo Sorce, 2012-09-14; 3 files, -2/+20)
  This extension makes it possible for an interposer to know which interposed mechanism the mechglue intended to use when multiple mechanisms are being interposed by the same plugin.
* New SPI call to import a name by mech oid (Simo Sorce, 2012-09-14; 4 files, -11/+40)
  This extension makes it possible for an interposer to know which interposed mechanism the mechglue intended to use when multiple mechanisms are being interposed by the same plugin.
* New SPI call to import a context by oid (Simo Sorce, 2012-09-14; 3 files, -3/+19)
  This extension makes it possible for an interposer to know which interposed mechanism the mechglue intended to use when multiple mechanisms are being interposed by the same plugin.
* Check creds to select mech in accept_sec_context (Simo Sorce, 2012-09-14; 1 file, -4/+23)
* Distinguish between requested and selected oids (Simo Sorce, 2012-09-14; 14 files, -120/+239)
  Pick the right set of OIDs to use in mechglue functions. We have 3 oids to care for:
  - The desired/requested oid: it can be a valid oid or a special interposer oid used to avoid looping back to an interposer plugin when the interposer wants to access a local mechanism.
  - The selected_oid: that is the actual oid of the mechanism we are going to use; it could be an interposer oid.
  - The public oid, which normally is the same as the desired/requested oid except when a special interposer oid is used by an interposer.
  FIXME: Set the right mech_type on contexts
  - issue with accept_sec_context, how to fall back to local mechanism?
  - may need to use magic fallback error
* Add function to return the Public OID (Simo Sorce, 2012-09-13; 2 files, -0/+23)
  Special care needs to be taken to avoid returning special interposer plugin OIDs to user applications. The public OID is the OID that should be returned to users of the GSSAPI. This is not the same as the internal OID, which could be a special interposer plugin OID.
* Add function to get the mechanism type to use (Simo Sorce, 2012-09-13; 2 files, -0/+56)
  This is needed since gssint_get_mechanism(NULL) now can return an interposer mechanism, and then mech->mech_type will not point to the right mechanism type, but to the interposer plugin OID. Also, for special interposer OIDs we need to use the real mechanism type when the passed-in oid is special.
* Never return interposers OIDs (Simo Sorce, 2012-09-13; 1 file, -3/+8)
  This function is used to return the reply for gss_indicate_mechs(), and we do not want applications to see interposer mechs; they should never be exposed directly to apps.
* Add interposer plugin type loader (Simo Sorce, 2012-09-13; 2 files, -0/+282)
  Also initialize any interposer plugin as soon as configuration is loaded from the file. This is to ensure interposers are configured before the actual mechanisms they may want to interpose are.
* Allow to define an interposer in the conf file (Simo Sorce, 2012-09-13; 2 files, -6/+38)
* Avoid memory leaks on error condition (Simo Sorce, 2012-09-13; 1 file, -4/+5)
* Unregister error message key on library unload (Ben Kaduk, 2012-09-12; 1 file, -0/+1)
  Revision fcdd2de1 added the K5_KEY_GSS_KRB5_ERROR_MESSAGE key, and registered it in the gssapi library initialization routine, but did not unregister it in the library finalization routine. When the library is unloaded and reloaded in the same process, this leads to an assertion failure, since we check that destructors_set[keynum] is zero (no destructor set) when registering a key in util/support/threads.c. Unregister the key on library cleanup to resolve the error.
  ticket: 7353
  target_version: 1.10.4
  tags: pullup
* make depend (Greg Hudson, 2012-09-12; 2 files, -0/+48)
* Add SPNEGO support for GSS cred export and import (Greg Hudson, 2012-09-11; 2 files, -1/+51)
  ticket: 7354
* Add krb5 support for GSS cred export and import (Greg Hudson, 2012-09-11; 5 files, -0/+1117)
  Using the new internal JSON support to implement serialization and unserialization of krb5 GSS credentials.
  ticket: 7354
* Introduce gss_export_cred and gss_import_cred (Greg Hudson, 2012-09-11; 6 files, -0/+314)
  Add gss_export_cred and gss_import_cred mechglue functions to serialize and unserialize GSSAPI credential handles. Mechanism implementations and tests will follow.
  ticket: 7354 (new)
* Add support for GSS_C_NT_COMPOSITE_EXPORT (Luke Howard, 2012-08-31; 7 files, -62/+78)
  ticket: 7347 (new)
* Fix memory leak in gss_add_cred (Greg Hudson, 2012-08-30; 1 file, -0/+3)
  The most recent commit to g_acquire_cred.c allocates an OID set to pass to the mech, but never releases it. Fix that.
* Run "make depend" (Tom Yu, 2012-08-23; 1 file, -0/+15)
* Clean up k5buf_to_gss helper (Greg Hudson, 2012-08-23; 2 files, -5/+3)
  k5buf_to_gss was used in only one place (generic_gss_oid_to_str), where we want to include the terminating null byte in the GSS buffer. Remove that assumption from the helper, and instead explicitly append the null byte to the buffer before translating.
* Use gssalloc in krb5_gss_export_name (Greg Hudson, 2012-08-11; 1 file, -1/+1)
  krb5_gss_export_name uses malloc to construct a gss_buffer_desc value, and should use gssalloc_malloc instead.
  ticket: 7233
* Use gssalloc in more parts of GSSAPI (Greg Hudson, 2012-08-11; 5 files, -11/+13)
  Fix some GSSAPI buffer allocations which were missed in 800358b1790ef82710af0b6021c6ff2dca2b0de7: gss_export_sec_context, gss_display_name, and IAKERB and SPNEGO token construction.
  ticket: 7233 (new)
  tags: pullup
* Add debug mode to gssapi_alloc.h (Greg Hudson, 2012-08-11; 3 files, -23/+79)
  Because the gssalloc macros are normally equivalent to malloc and free on Unix, we cannot use the full test suite to find cases where we allocate with malloc and free with gssalloc_free or vice versa. Provide a way to test for this kind of bug (if only in a special build configuration) by supporting a DEBUG_GSSALLOC symbol, which causes the gssalloc wrappers to be deliberately incompatible with malloc and free.
* Remove gss_mechanism_ext (Simo Sorce, 2012-08-08; 5 files, -124/+26)
  This function did not serve any useful purpose. Remove it and the special case it creates; move the only function it contained to the main gss_mechanism structure where it belongs. Note that the function name is preserved so that loadable modules are not affected by this change.
* Pass the actual mech oid in creds functions (Simo Sorce, 2012-08-06; 2 files, -11/+34)
  This way the mechanism handler knows what mech type is intended. This allows plugins that implement multiple mechanisms or interposer plugins to know what they are being asked to do.
* Always consider desired_mechs empty in spnego (2) (Simo Sorce, 2012-08-06; 1 file, -9/+7)
  Follow previous change to add_cred_from. The only case where the spnego gss_*_cred_* functions can be called with specific OIDs is if the mechglue calls spnego with the spnego oid, which we never want to loop on anyway. So always consider it as null; it's the correct behavior with current semantics.
* Reuse code to free gss_mech_info structure (Simo Sorce, 2012-08-05; 1 file, -21/+4)
* Always consider desired_mechs empty in spnego (Simo Sorce, 2012-08-03; 1 file, -18/+4)
  The only case where the spnego gss_acquire_cred function can be called with specific OIDs is if the mechglue calls spnego with the spnego oid, which we never want to loop on anyway. So always consider it as null; it's the correct behavior with current semantics.
* Make gss_ctx_id_t truly opaque (Simo Sorce, 2012-08-03; 5 files, -6/+6)
  This allows us to still use it for type safety in the APIs while at the same time preventing code from trying to dereference internal_ctx_id by mistake.
* Fix oid set construction in gss_inquire_cred() (Kevin Wasserman, 2012-08-02; 1 file, -22/+10)
  Use gssapi calls to construct the oid sets. It is not safe on Windows to use malloc to hand-construct the set and then call gss_release_oid_set() to clean it up.
  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
  ticket: 7227 (new)
  tags: pullup
* Explain memory allocation policy in oid_ops.c (Greg Hudson, 2012-08-01; 1 file, -0/+7)
* Implement credential store support in spnego (Simo Sorce, 2012-07-20; 2 files, -15/+55)
* Implement credential store support for krb5 mech (Simo Sorce, 2012-07-20; 6 files, -27/+263)
* Introduce credential store extensions (Simo Sorce, 2012-07-20; 5 files, -32/+269)
  Add new APIs gss_acquire_cred_from, gss_add_cred_from, and gss_store_cred_into, which take additional arguments to specify the location of the credential storage using a key-value map, where keys are interpreted by the mechanisms.
  ticket: 7217 (new)
* Use internal release function in oid_ops.c (Simo Sorce, 2012-07-18; 1 file, -1/+1)
  In the end the internal one is called in all cases, but it seems cleaner to use the internal one instead of relying on the redirection.
* In g_oid_ops.c, remove an unneeded declaration (Simo Sorce, 2012-07-18; 1 file, -3/+0)
  The code that used it is no longer in this file.
* define USE_HEAPALLOC in gssapi_alloc.h (Kevin Wasserman, 2012-07-16; 1 file, -4/+7)
  Easier to disable for testing.
  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
  ticket: 7211 (new)
* __func__ -> __FUNCTION__ in disp_status.c (Kevin Wasserman, 2012-07-16; 1 file, -4/+4)
  For MSVC compatibility.
  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
  ticket: 7208 (new)
  tags: pullup
* Don't use syslog / LOG_DEBUG when they don't exist (Kevin Wasserman, 2012-07-16; 1 file, -1/+1)
  Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
  ticket: 7207 (new)
  tags: pullup
* Avoid mapping GSSAPI minor code on success (Greg Hudson, 2012-07-08; 1 file, -1/+2)
  In gssint_import_internal_name, don't map the minor code from mech->gss_duplicate_name if it returned successfully. Fixes an "unexpected non-zero minor status" error reported by SAP's gsstest when it invokes gss_canonicalize_name().
  ticket: 7194 (new)
* Comment fall-throughs in iakerb switch statement (Greg Hudson, 2012-07-02; 1 file, -0/+2)
* Fix minor memory leaks in acquire_cred.c (Greg Hudson, 2012-07-02; 1 file, -4/+4)
* Add client keytab initiation support (Greg Hudson, 2012-07-02; 6 files, -223/+395)
  Support acquiring GSSAPI krb5 credentials by fetching initial credentials using the client keytab. Credentials obtained this way will be stored in the default ccache or collection, and will be refreshed when they are halfway to expiring.
  ticket: 7189 (new)
* Get default cred only once in gss-krb5 initiator (Greg Hudson, 2012-07-02; 2 files, -42/+41)
  In the regular krb5 code path, only get a default krb5 cred for the initial token, since we don't need the cred for mutual_auth anyway. In the IAKERB mechanism, cache the default cred in iakerb_ctx_id_rec so we don't have to construct it again for each token. Also, get an IAKERB default cred, not a regular krb5 cred (a bug which is harmless now, but becomes more of a problem with keytab initiation changes).
* Rename gss-krb5 cred tgt_expire field (Greg Hudson, 2012-06-27; 7 files, -11/+11)
  The tgt_expire field is used to store non-TGT expiry times in a couple of cases: when the ccache has no TGT, and after we've obtained a cred for the target service. Rename it to just "expire" to be less misleading.
* Scan ccache more efficiently in gss_acquire_cred (Greg Hudson, 2012-06-27; 1 file, -28/+25)
  Avoid rereading the ccache in order to find the impersonator config entry. Instead, check each entry as we scan through the first time.
* Simplify password storage in krb5_gss_cred_id_rec (Greg Hudson, 2012-06-27; 5 files, -17/+12)
  The password is always zero-terminated, so we can store it as a char * instead of a krb5_data.
* Simplify acquire_cred.c (Greg Hudson, 2012-06-22; 1 file, -109/+48)
  struct acquire_cred_args was used purely to pass arguments to acquire_cred (a static function), and had no advantages for that purpose over positional arguments.
* Remove orphaned KfM code (Greg Hudson, 2012-06-21; 1 file, -63/+2)
* Fail from gss_acquire_cred if we have no creds (Greg Hudson, 2012-06-15; 1 file, -0/+8)
  If a caller tries to acquire krb5 initiator creds with no desired name and we have no credentials in the cache collection, fail from gss_acquire_cred instead of deferring until gss_init_sec_context.
  ticket: 7160