summaryrefslogtreecommitdiffstats
path: root/src/lib/gssapi
Commit message (Collapse)AuthorAgeFilesLines
...
* Add Doxygen markup for gss_userok() and gss_authorize_localname()Greg Hudson2011-04-101-0/+29
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24870 dc483132-0cff-0310-8789-dd5450dbe970
* Implement gss_authorize_localname, as discussed on the kitten list,Greg Hudson2011-04-107-121/+145
| | | | | | | | | | | | | and make gss_userok a wrapper around it matching the Gnu GSS prototype. The SPI for gss_authorize_localname doesn't match the API since we have no way of representing the contents of an internal name to a mech at the moment. From r24855, r24857, r24858, r24862, r24863, r24864, r24866, r24867, and r24868 in users/lhoward/moonshot-mechglue-fixes. ticket: 6891 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24869 dc483132-0cff-0310-8789-dd5450dbe970
* When inquiring the default GSS acceptor principal, return a principalGreg Hudson2011-04-081-3/+19
| | | | | | | | name from the keytab if we can, for better compliance with GSSAPI. ticket: 6897 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24861 dc483132-0cff-0310-8789-dd5450dbe970
* Allow anonymous name to be imported with empty name bufferGreg Hudson2011-04-061-4/+11
| | | | | | | | | | | | When importing a name of type GSS_C_NT_ANONYMOUS, allow the input name buffer to be null or empty (null is translated into empty before mechanisms see it). From r24820 in users/lhoward/moonshot-mechglue-fixes. ticket: 6896 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24852 dc483132-0cff-0310-8789-dd5450dbe970
* Make dependGreg Hudson2011-04-051-0/+32
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24844 dc483132-0cff-0310-8789-dd5450dbe970
* gss_duplicate_name SPI for SPNEGOGreg Hudson2011-04-058-46/+109
| | | | | | | | | | Preserve attributes when duplicating a name, using the mechanism's implementation of gss_duplicate_name if present, or a loop over the attributes if not. ticket: 6895 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24843 dc483132-0cff-0310-8789-dd5450dbe970
* More sensical mech selection for gss_acquire_cred/accept_sec_contextGreg Hudson2011-04-042-49/+44
| | | | | | | | | | | | | | If a caller passes an empty mech set to gss_acquire_cred, get a cred for all mechs instead of just the krb5 mech, as we don't know what mechanism the cred is going to be used with (particularly in the acceptor case). As a related fix, if a caller passes a credential to gss_accept_sec_context and it does not contain a mech-specific cred for the token's mech, error out instead of using the default cred with the token's mechanism. ticket: 6894 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24840 dc483132-0cff-0310-8789-dd5450dbe970
* r24838 accidentally added a gss_duplicate_name line toGreg Hudson2011-04-041-1/+0
| | | | | | | | | build_dynamicMech(), breaking the build (since gss_duplicate_name isn't in gss_mechanism yet). Revert that part of the change. ticket: 6892 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24839 dc483132-0cff-0310-8789-dd5450dbe970
* Prevent bleed-through of mechglue symbols into loaded mechsGreg Hudson2011-04-041-54/+67
| | | | | | | | | | | When loading a mech's symbols individually, make sure the symbol we got wasn't just a mechglue symbol showing through because the mech was linked against the mechglue. From r24719 in users/lhoward/moonshot-mechglue-fixes. ticket: 6892 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24838 dc483132-0cff-0310-8789-dd5450dbe970
* Add gss_userok and gss_pname_to_uid to dynamic mech loading table.Greg Hudson2011-04-041-0/+2
| | | | | | | | From r24711 in users/lhoward/moonshot-mechglue-fixes. ticket: 6891 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24837 dc483132-0cff-0310-8789-dd5450dbe970
* Add gss_userok and gss_pname_to_uidGreg Hudson2011-04-049-70/+410
| | | | | | | | | | | | | | | Resurrect gss_userok and gss_pname_to_uid in the mechglue. Add krb5 mech implementations using krb5_kuserok and krb5_aname_to_localname, as well as mechanism-independent implementations based on name attributes. From r24710, r24715, r24717, r24731, r24732, r24733, r24734, r24735, r24747, r24816, and r24819 in users/lhoward/moonshot-mechglue-fixes, with minor edits. ticket: 6891 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24836 dc483132-0cff-0310-8789-dd5450dbe970
* Use RFC 5587 const types for draft-josefsson-gss-capsulate APIsLuke Howard2011-04-034-13/+13
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24821 dc483132-0cff-0310-8789-dd5450dbe970
* Allow absolute paths for mechglue libraries. From r24736 inGreg Hudson2011-04-011-1/+5
| | | | | | users/lhoward/moonshot-mechglue/fixes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24781 dc483132-0cff-0310-8789-dd5450dbe970
* Implement draft-josefsson-gss-capsulateGreg Hudson2011-04-016-0/+169
| | | | | | | | | | | Add gss_encapsulate_token(), gss_decapsulate_token(), and gss_oid_equal() APIs, which are already present in Heimdal and Shishi. From r24737, r24738, and r24740 in users/lhoward/moonshot-mechglue-fixes. ticket: 6890 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24780 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a precedence error in g_make_token_header() which caused it toGreg Hudson2011-03-251-2/+2
| | | | | | | | write the wrong length when no token type is passed. (From r24739 in users/lhoward/moonshot-mechglue-fixes.) git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24745 dc483132-0cff-0310-8789-dd5450dbe970
* Although it can't actually happen, make it more explicit that we won'tGreg Hudson2011-03-111-1/+2
| | | | | | | | | dereference a null mech in the cleanup handler of the mechglue's gss_accept_sec_context. ticket: 6813 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24701 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust most C source files to match the new standards for copyrightGreg Hudson2011-03-0950-211/+77
| | | | | | and license comments. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24695 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a memory leak independently found by Tim Pozdeev and Arlene BerryTom Yu2011-03-081-0/+1
| | | | | | | | | | This change should be pulled up to the 1.8 and 1.7 branches as well. ticket: 6844 tags: pullup target_version: 1.9.1 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24693 dc483132-0cff-0310-8789-dd5450dbe970
* SPNEGO's accept_sec_context and init_sec_context produce a null contextGreg Hudson2011-03-081-2/+6
| | | | | | | | | | | on error, so it needs to silently succeed when deleting a null context. It was instead passing the null context along to the mechglue which would produce an error, causing a leak of the mechglue's union context wrapper. Reported by aberry@likewise.com. ticket: 6863 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24692 dc483132-0cff-0310-8789-dd5450dbe970
* Make dependGreg Hudson2011-02-253-264/+217
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24662 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a memory leak introduced in r23926 where k_cred was not freed onGreg Hudson2011-02-221-30/+24
| | | | | | | | | | | successful return from kg_new_connection(). Reported by Julien Chaffraix. ticket: 6800 target_version: 1.9.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24646 dc483132-0cff-0310-8789-dd5450dbe970
* Don't leak the mechanism internal context when we get an error in theGreg Hudson2011-02-221-1/+6
| | | | | | | | | | mechglue's gss_accept_sec_context. From aberry@likewise.com. ticket: 6813 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24645 dc483132-0cff-0310-8789-dd5450dbe970
* In kg_acceptor_princ, make Coverity happy by using a different test toGreg Hudson2011-02-141-1/+1
| | | | | | determine if we should set (*princ_out)->type. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24638 dc483132-0cff-0310-8789-dd5450dbe970
* Improve acceptor name flexibilityGreg Hudson2011-02-077-58/+207
| | | | | | | | | | | | | | | | | | | | | | Be more flexible about the principal names we will accept for a given GSS acceptor name. Also add support for a new libdefaults profile variable ignore_acceptor_hostname, which causes the hostnames of host-based service principals to be ignored when passed by server applications as acceptor names. Note that we still always invoke krb5_sname_to_principal() when importing a gss-krb5 mechanism name, even though we won't always use the result. This is an unfortunate waste of getaddrinfo/getnameinfo queries in some situations, but the code surgery necessary to defer it appears too risky at this time. The project proposal for this change is at: http://k5wiki.kerberos.org/wiki/Projects/Acceptor_Names ticket: 6855 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24616 dc483132-0cff-0310-8789-dd5450dbe970
* Change flow control in krb5_gss_import_name to better match currentGreg Hudson2011-02-041-95/+60
| | | | | | coding practices. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24613 dc483132-0cff-0310-8789-dd5450dbe970
* Remove an unnecessary statement in acquire_init_cred(). We never setGreg Hudson2011-02-031-7/+1
| | | | | | an acceptor name different from desired_princ. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24612 dc483132-0cff-0310-8789-dd5450dbe970
* Make gss_krb5_set_allowable_enctypes work for the acceptorGreg Hudson2011-01-251-0/+9
| | | | | | | | | | | | | | | | | | With the addition of enctype negotiation in 1.7, a gss-krb5 acceptor can choose an enctype for the acceptor subkey other than the one in the keytab. If the resulting security context will be exported and re-imported by another gss-krb5 implementation (such as one in the kernel), the acceptor needs a way to restrict the set of negotiated enctypes to those supported by the other implementation. We had that functionality for the initiator already in the form of gss_krb5_set_allowable_enctypes; this change makes it work for the acceptor as well. ticket: 6852 target_version: 1.9.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24603 dc483132-0cff-0310-8789-dd5450dbe970
* Don't call memset with a zero lengthKen Raeburn2011-01-121-1/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24594 dc483132-0cff-0310-8789-dd5450dbe970
* Tighten up the error handling in the mechglue's gss_canonicalize_name,Greg Hudson2011-01-101-32/+14
| | | | | | | | | eliminating a null pointer dereference in the (unlikely) case that allocation of out_union fails. Reported by aberry@likewise.com. ticket: 6817 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24592 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a couple of cases in the SPNEGO implementation where aGreg Hudson2011-01-101-1/+4
| | | | | | | | | half-constructed SPNEGO context could be leaked. Patch from aberry@likewise.com, slightly amended. ticket: 6816 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24591 dc483132-0cff-0310-8789-dd5450dbe970
* Don't attempt to serialize a NULL authdata context when serializing aGreg Hudson2010-12-281-2/+4
| | | | | | | | | | | GSSAPI context (most often seen with initiator contexts). Patch from aberry@likewise.com. ticket: 6675 target_version: 1.9.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24590 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate some unused variable warningsGreg Hudson2010-12-202-1/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24583 dc483132-0cff-0310-8789-dd5450dbe970
* Ensure time() is prototyped in g_accept_sec_context.cGreg Hudson2010-12-141-0/+1
| | | | | | | | | | | | | r22736 added a call to time() in g_accept_sec_context.c. Include <time.h> to ensure that this call is correctly prototyped. Previously <time.h> was only included implicitly through <pthread.h>, which doesn't apply when thread support is disabled. ticket: 6842 tags: pullup target_version: 1.9 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24568 dc483132-0cff-0310-8789-dd5450dbe970
* Add comment noting that RFC 4121 appears to omit RC4-HMAC from theTom Yu2010-12-072-0/+4
| | | | | | | | | list of "not-newer" enctypes, even though RFC 4757 effectively treats it as one. Suggested by Derrick Brashear. ticket: 6835 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24563 dc483132-0cff-0310-8789-dd5450dbe970
* update dependenciesKen Raeburn2010-12-051-0/+16
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24561 dc483132-0cff-0310-8789-dd5450dbe970
* Install gssapi_ext.h on Windows. Include gssapi_ext.h in the headerGreg Hudson2010-11-301-1/+2
| | | | | | | | files considered by def-check.pl in verify-calling-conventions-gssapi. ticket: 6826 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24537 dc483132-0cff-0310-8789-dd5450dbe970
* Use for loops for recursion in the Windows build, cutting down on theGreg Hudson2010-11-285-37/+7
| | | | | | | | | verbiage in Makefile.in files. For correctness of output, every Makefile.in mydir= definition is changed to use $(S) instead of /. ticket: 6826 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24536 dc483132-0cff-0310-8789-dd5450dbe970
* Fix how gssapi.h is rebuilt on Windows; accidentally omitted fromGreg Hudson2010-11-251-0/+4
| | | | | | | | r24533. ticket: 6826 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24534 dc483132-0cff-0310-8789-dd5450dbe970
* Fix Windows buildGreg Hudson2010-11-2515-44/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Repair the Windows build. Tested with the prepare-on-Unix method. Some specific changes include: * Removed the IPC finalizer (no longer used after r20787) from ccapi/lib/ccapi_ipc.c, as it was creating a difficult dependency chain for the pingtest build in ccapi/test. Also updated pingtest to use the k5_ipc_stream interfaces since cci_stream is gone. * Reverted the apparently non-functional r20277. * klist -V prints just "Kerberos for Windows", since it has no access to PACKAGE_NAME and PACKAGE_VERSION from autoconf. This should be addressed correctly. * krb5, telnet, gssftp, and NIM are removed from the build. * Some files had CRLFs; these were replaced with LFs and the svn:eol-style property set on the files. Otherwise the CRLFs became CRCRLFs after the zip transfer. * Windows does not have opendir/readdir, so added Windows code to prof_parse.c for includedir. Probable fodder for a libkrb5support portability shim. ticket: 6826 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24533 dc483132-0cff-0310-8789-dd5450dbe970
* Add a kg_encrypt_inplace() utility function to the krb5 GSS mech, andGreg Hudson2010-10-266-101/+108
| | | | | | | | | | use it where we do in-place encryption of checksums in the non-CFX seal tokens with raw DES enctypes. Avoids a harmless but incorrect in-place memcpy(). ticket: 6770 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24485 dc483132-0cff-0310-8789-dd5450dbe970
* Set *conf_state on successful return fromGreg Hudson2010-10-261-0/+2
| | | | | | | | | | | gss_krb5int_make_seal_token_v3_iov, fixing a case where it wasn't always set by gss_wrap_iov. Patch from aberry@likewise.com. ticket: 6809 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24483 dc483132-0cff-0310-8789-dd5450dbe970
* When we create a temporary memory ccache for use within aGreg Hudson2010-10-255-3/+10
| | | | | | | | | | | krb5_gss_cred_id_rec, set a flag to indicate that the ccache should be destroyed rather than closed. Patch from aberry@likewise.com. ticket: 6787 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24482 dc483132-0cff-0310-8789-dd5450dbe970
* Use safer output parameter handling inGreg Hudson2010-10-251-2/+4
| | | | | | | | | | krb5_gss_acquire_cred_impersonate_name and its subsidiary helpers. ticket: 6796 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24481 dc483132-0cff-0310-8789-dd5450dbe970
* In acquire_init_cred in the GSS krb5 mech, don't intern cred->name,Greg Hudson2010-10-251-4/+2
| | | | | | | | | | | since it's not used as an output parameter. Fixes a memory leak. Reported by aberry@likewise.com. ticket: 6793 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24480 dc483132-0cff-0310-8789-dd5450dbe970
* Plug a memory leak in gss_indicate_mechsGreg Hudson2010-10-091-1/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24447 dc483132-0cff-0310-8789-dd5450dbe970
* In gss_indicate_mechs, avoid setting the output pointer until successGreg Hudson2010-10-081-17/+17
| | | | | | is guaranteed. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24445 dc483132-0cff-0310-8789-dd5450dbe970
* In gss_inquire_attrs_for_mech, remove the assumption that mech_attrsGreg Hudson2010-10-081-1/+2
| | | | | | != NULL in a particular error case. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24444 dc483132-0cff-0310-8789-dd5450dbe970
* Remove duplicate code block in spnego_gss_set_cred_option()Greg Hudson2010-10-081-17/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24443 dc483132-0cff-0310-8789-dd5450dbe970
* Correct a miscarriage of justice committed by the style policeGreg Hudson2010-10-061-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24437 dc483132-0cff-0310-8789-dd5450dbe970
* Merge users/lhoward/sasl-gs2 to trunkGreg Hudson2010-10-0613-1/+1096
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24436 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-28 06:35:19 +0000