summaryrefslogtreecommitdiffstats
path: root/src/lib/gssapi/spnego
Commit message (Collapse)AuthorAgeFilesLines
* make dependGreg Hudson2013-03-241-4/+3
|
* make dependGreg Hudson2013-01-101-1/+1
| | | | | Mostly this gets rid of the trailing space on line 2 after bb76891f5386526bdf91bc790c614fc9296cb5fa.
* Separate clpreauth and kdcpreauth interfacesGreg Hudson2012-12-191-2/+2
| | | | | | | Since there is no overlap between the clpreauth and kdcpreauth interface declarations, there's no particular reason to combine them into one header. For backward compatibility and convenience, leave behind a preauth_plugin.h which includes both.
* Fix various integer issuesGreg Hudson2012-12-101-3/+3
| | | | | | | | | | | | | | | In kdc_util.c and spnego_mech.c, error returns from ASN.1 length functions could be ignored because they were assigned to unsigned values. In spnego_mech.c, two buffer size checks could be rewritten to reduce the likelihood of pointer overflow. In dump.c and kdc_preauth.c, calloc() could be used to simplify the code and avoid multiplication overflow. In pkinit_clnt.c, the wrong value was checked for a null result from malloc(), and the code could be simplified. Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>. ticket: 7488
* Add SPNEGO support for GSS cred export and importGreg Hudson2012-09-112-1/+51
| | | | ticket: 7354
* Use gssalloc in more parts of GSSAPIGreg Hudson2012-08-111-6/+6
| | | | | | | | | Fix some GSSAPI buffer allocations which were missed in 800358b1790ef82710af0b6021c6ff2dca2b0de7: gss_export_sec_context, gss_display_name, and IAKERB and SPNEGO token construction. ticket: 7233 (new) tags: pullup
* Remove gss_mechanism_extSimo Sorce2012-08-081-5/+0
| | | | | | | | This function did not serve any useful purpose. Remove it and the special case it creates; move the only function it contained to the main gss_mechanism structure where it belongs. Note that the function name is preserved so that loadable modules are not affected by this change.
* Always consider desired_mechs empty in spnego (2)Simo Sorce2012-08-061-9/+7
| | | | | | | | Follow previous change to add_cred_from. The only case where the spnego gss_*_cred_* functions can be called with specific OIDs is if the mechglue calls spnego with the spengo oid, which we never want to loop on anyway. So always consider it as null, it's the correct behavior with current semantics.
* Always consider desired_mechs empty in spnegoSimo Sorce2012-08-031-18/+4
| | | | | | | The only case where the spnego gss_aquire_cred function can be called with specific OIDs is if the mechglue calls spenego with the spengo oid, which we never want to loop on anyway. So always consider it as null, it's the correct behavior with current semantics.
* Implement credential store support in spnegoSimo Sorce2012-07-202-15/+55
|
* Don't use syslog / LOG_DEBUG when they don't existKevin Wasserman2012-07-161-1/+1
| | | | | | | Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> ticket: 7207 (new) tags: pullup
* Fix -DDEBUG compilation errorsHenry B. Hotz2012-06-041-0/+1
| | | | ticket: 7150
* Don't stomp minor code in spnego_gss_acquire_credGreg Hudson2012-05-131-3/+3
| | | | | | | When spnego_gss_acquire_cred passes through a failure status from the mechglue, it overwrites the minor code with a call to gss_release_oid_set(). Use a temporary minor status for that and a related call.
* Fix an unlikely memory leak in r25591Greg Hudson2011-12-271-1/+1
| | | | | | ticket: 6936 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25604 dc483132-0cff-0310-8789-dd5450dbe970
* Do mech fallback for first SPNEGO context tokenGreg Hudson2011-12-161-8/+37
| | | | | | | | | | | | | | | | When producing the first SPNEGO security context token, if the first mechanism's init_sec_context fails, fall back to a later mechanism. This fixes a regression in 1.10 for SPNEGO initiators using non-krb5 credentials. The identity selection work causes errors to be deferred from krb5's acquire_cred in some cases, which means SPNEGO doesn't see an error until it tries the krb5 init_sec_context. ticket: 6936 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25591 dc483132-0cff-0310-8789-dd5450dbe970
* Verify acceptor's mech in SPNEGO initiatorGreg Hudson2011-12-162-78/+44
| | | | | | | | | | | | | | In spnego_gss_ctx_id_rec, store the set of negotiable mechanisms as well as the currently selected internal_mech, which becomes an alias into mech_set. In init_ctx_reselect, locate the acceptor's counter- proposal in sc->mech_set and consider the token defective if it is not found. ticket: 7053 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25590 dc483132-0cff-0310-8789-dd5450dbe970
* make dependTom Yu2011-10-141-3/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25344 dc483132-0cff-0310-8789-dd5450dbe970
* Fix style issues in r25087Greg Hudson2011-08-292-136/+136
| | | | | | | | | | | * Function names should be at the beginning of lines in definitions. * Changes should not create lines >79 characters. * Continuation lines should align after left parens when appropriate. Also, krb5_gss_accept_sec_context_ext and acquire_accept_cred are not gss mechanism functions and should not have been tagged. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25116 dc483132-0cff-0310-8789-dd5450dbe970
* Fix call to gss_inquire_cred from spnego_gss_acquire_cred_impersonate_nameGreg Hudson2011-08-111-13/+11
| | | | | | | | | | | If desired_mechs is NULL (this should never happen when invoked from the MIT mechglue), we call gss_inquire_cred to get a list of mechs. This call needs to pass a union cred handle, not the SPNEGO handle we got as input. Reported by aberry@likewise.com. ticket: 6945 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25098 dc483132-0cff-0310-8789-dd5450dbe970
* Correctly dereference cred_handle when assigning to spcred inGreg Hudson2011-08-111-1/+1
| | | | | | | | | | spnego_gss_set_cred_option. Reported by aberry@likewise.com. ticket: 6943 target_version: 1.9.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25096 dc483132-0cff-0310-8789-dd5450dbe970
* Use KRB5_CALLCONV for all gss mechanism functions. Also wrap #include ↵Sam Hartman2011-08-092-96/+96
| | | | | | | | | <unistd.h> with #ifdef HAVE_UNISTD_H in g_authorize_localname.c Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com> Signed-off-by: Sam Hartman <hartmans@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25087 dc483132-0cff-0310-8789-dd5450dbe970
* Mark up strings for translationGreg Hudson2011-06-101-5/+10
| | | | | | ticket: 6918 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970
* gss_duplicate_name SPI for SPNEGOGreg Hudson2011-04-052-0/+26
| | | | | | | | | | Preserve attributes when duplicating a name, using the mechanism's implementation of gss_duplicate_name if present, or a loop over the attributes if not. ticket: 6895 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24843 dc483132-0cff-0310-8789-dd5450dbe970
* Add gss_userok and gss_pname_to_uidGreg Hudson2011-04-041-0/+2
| | | | | | | | | | | | | | | Resurrect gss_userok and gss_pname_to_uid in the mechglue. Add krb5 mech implementations using krb5_kuserok and krb5_aname_to_localname, as well as mechanism-independent implementations based on name attributes. From r24710, r24715, r24717, r24731, r24732, r24733, r24734, r24735, r24747, r24816, and r24819 in users/lhoward/moonshot-mechglue-fixes, with minor edits. ticket: 6891 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24836 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust most C source files to match the new standards for copyrightGreg Hudson2011-03-091-2/+0
| | | | | | and license comments. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24695 dc483132-0cff-0310-8789-dd5450dbe970
* SPNEGO's accept_sec_context and init_sec_context produce a null contextGreg Hudson2011-03-081-2/+6
| | | | | | | | | | | on error, so it needs to silently succeed when deleting a null context. It was instead passing the null context along to the mechglue which would produce an error, causing a leak of the mechglue's union context wrapper. Reported by aberry@likewise.com. ticket: 6863 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24692 dc483132-0cff-0310-8789-dd5450dbe970
* Make dependGreg Hudson2011-02-251-4/+4
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24662 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a couple of cases in the SPNEGO implementation where aGreg Hudson2011-01-101-1/+4
| | | | | | | | | half-constructed SPNEGO context could be leaked. Patch from aberry@likewise.com, slightly amended. ticket: 6816 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24591 dc483132-0cff-0310-8789-dd5450dbe970
* Use for loops for recursion in the Windows build, cutting down on theGreg Hudson2010-11-281-1/+1
| | | | | | | | | verbiage in Makefile.in files. For correctness of output, every Makefile.in mydir= definition is changed to use $(S) instead of /. ticket: 6826 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24536 dc483132-0cff-0310-8789-dd5450dbe970
* Fix Windows buildGreg Hudson2010-11-252-4/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Repair the Windows build. Tested with the prepare-on-Unix method. Some specific changes include: * Removed the IPC finalizer (no longer used after r20787) from ccapi/lib/ccapi_ipc.c, as it was creating a difficult dependency chain for the pingtest build in ccapi/test. Also updated pingtest to use the k5_ipc_stream interfaces since cci_stream is gone. * Reverted the apparently non-functional r20277. * klist -V prints just "Kerberos for Windows", since it has no access to PACKAGE_NAME and PACKAGE_VERSION from autoconf. This should be addressed correctly. * krb5, telnet, gssftp, and NIM are removed from the build. * Some files had CRLFs; these were replaced with LFs and the svn:eol-style property set on the files. Otherwise the CRLFs became CRCRLFs after the zip transfer. * Windows does not have opendir/readdir, so added Windows code to prof_parse.c for includedir. Probable fodder for a libkrb5support portability shim. ticket: 6826 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24533 dc483132-0cff-0310-8789-dd5450dbe970
* Remove duplicate code block in spnego_gss_set_cred_option()Greg Hudson2010-10-081-17/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24443 dc483132-0cff-0310-8789-dd5450dbe970
* Merge users/lhoward/sasl-gs2 to trunkGreg Hudson2010-10-062-1/+126
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24436 dc483132-0cff-0310-8789-dd5450dbe970
* Use gss_set_cred_option instead of (undeclared) gssspi_set_cred_optionKen Raeburn2010-10-021-4/+4
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24410 dc483132-0cff-0310-8789-dd5450dbe970
* Add gss_krb5_import_credGreg Hudson2010-09-272-3/+23
| | | | | | | | | | | | Add gss_krb5_import_cred from Heimdal; allows krb5 creds to be acquired from a keytab or ccache into a GSSAPI credential without using global process or thread variables. Merged from the users/lhoward/import-cred branch. ticket: 6785 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24356 dc483132-0cff-0310-8789-dd5450dbe970
* Make dependGreg Hudson2010-09-081-3/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24298 dc483132-0cff-0310-8789-dd5450dbe970
* make dependGreg Hudson2010-06-071-4/+5
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24119 dc483132-0cff-0310-8789-dd5450dbe970
* Apply patch from Arlene Berry to detect and ignore a duplicateTom Yu2010-05-201-0/+12
| | | | | | | | | | | mechanism token sent in the mechListMIC field, such as sent by Windows 2000 Server. ticket: 6726 target_version: 1.8.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24075 dc483132-0cff-0310-8789-dd5450dbe970
* Add IAKERB mechanism and gss_acquire_cred_with_passwordGreg Hudson2010-04-302-0/+76
| | | | | | | | | | | | | | Merge branches/iakerb to trunk. Includes the following: * New IAKERB mechanism. * New gss_acquire_cred_with_password mechglue function. * ASN.1 encoders and decoders for IAKERB structures (with tests). * New shortcuts in gss-sample client and server. * Tests to exercise SPNEGO and IAKERB using gss-sample application. ticket: 6712 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23960 dc483132-0cff-0310-8789-dd5450dbe970
* MITKRB5-SA-2010-002 CVE-2010-0628 denial of service in SPNEGOTom Yu2010-03-231-22/+16
| | | | | | | | | | | The SPNEGO implementation in krb5-1.7 and later could crash due to assertion failure when receiving some sorts of invalid GSS-API tokens. ticket: 6690 target_version: 1.8.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23832 dc483132-0cff-0310-8789-dd5450dbe970
* Release the internal_name field of a SPNEGO context if it has not beenGreg Hudson2010-03-051-0/+3
| | | | | | | | | | claimed for a caller argument. ticket: 6674 target_version: 1.8.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23772 dc483132-0cff-0310-8789-dd5450dbe970
* Explain the current SPNEGO initiator/acceptor design in comments. NoGreg Hudson2010-02-221-11/+66
| | | | | | code changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23743 dc483132-0cff-0310-8789-dd5450dbe970
* Fix two unrelated problems in SPNEGO which don't crop up with the krb5Greg Hudson2010-02-221-10/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | mechanism. 1. The third call to spnego_init_accept_context uses faulty logic to determine if the exchange is complete, preventing a third mech token from being sent to the acceptor if no MIC exchange is required. Follow the logic used in the second call (in init_ctx_nego), which is correct. 2. If the acceptor selects a mech other than the optimistic mech, it sets sc->mic_reqd to 1 whether or not the selected mech supports MICs (which isn't known until the mech completes). Most code outside of handle_mic checks sc->mic_reqd along with (sc->ctx_flags & GSS_C_INTEG_FLAG), but the code in acc_ctx_call_acc neglected to do so, so it could improperly delegate responsibility for deciding when the negotiation was finished to handle_mic--which never gets called if (sc->ctx_flags & GSS_C_INTEG_FLAG) is false. Fix acc_ctx_call_acc to check sc->ctx_flags so that mechs which don't support integrity protection can complete if they are selected non-optimistically. ticket: 6603 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23742 dc483132-0cff-0310-8789-dd5450dbe970
* Clarify the SPNEGO NegHints code and plug two cases where half-createdGreg Hudson2010-02-131-25/+19
| | | | | | context could be leaked. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23722 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify the SPNEGO neg_mechs intersection logic a bit usingGreg Hudson2010-02-121-7/+6
| | | | | | gss_test_oid_set_member. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23717 dc483132-0cff-0310-8789-dd5450dbe970
* Implement gss_set_neg_mechsGreg Hudson2010-02-102-81/+205
| | | | | | | | | | | | | | | | | Implement gss_set_neg_mechs in SPNEGO by intersecting the provided mech set with the mechanisms available in the union credential. As we now need space to hold the mech set, the SPNEGO credential is now a structure and not just a mechglue credential. t_spnego.c is a test program which exercises the new logic. Like the other GSSAPI tests, it is not run as part of "make check" at this time. ticket: 6658 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23715 dc483132-0cff-0310-8789-dd5450dbe970
* Add a set_cred_option handler for SPNEGO which forwards to theGreg Hudson2009-12-212-1/+25
| | | | | | | | | | | | underlying mechanism. Fixes SPNEGO credential delegation in 1.7 and copying of SPNEGO initiator creds in both 1.7 and trunk. Patch provided by nalin@redhat.com. ticket: 6594 target_version: 1.7.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23482 dc483132-0cff-0310-8789-dd5450dbe970
* Add GSS extensions to store credentials, generate random bitsGreg Hudson2009-12-172-0/+30
| | | | | | | | | Merge /users/lhoward/gssextras-no-cqa to trunk. Adds gss_pseudo_random and gss_store_cred. ticket: 6597 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23479 dc483132-0cff-0310-8789-dd5450dbe970
* Consolidate Makefile variables now that we have only a single globalGreg Hudson2009-11-222-13/+11
| | | | | | | | | | | | | configure script: $(SRCTOP) --> $(top_srcdir) $(srcdir)/$(thisconfigdir) --> $(top_srcdir) $(thisconfigdir) --> $(BUILDTOP) $(myfulldir) --> $(mydir) ticket: 6583 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23308 dc483132-0cff-0310-8789-dd5450dbe970
* make mark-cstyleTom Yu2009-10-311-5/+5
| | | | | | make reindent git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
* Move destest to builtin/des, because it depends on overriding someTom Yu2009-10-101-6/+7
| | | | | | | | internals. Make depend. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22877 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-26 17:40:20 +0000