From noreply at github.com Sat Feb 1 02:32:19 2020
From: noreply at github.com (Rod Widdowson)
Date: Fri, 31 Jan 2020 17:32:19 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 7b8fa4: Windows: Fix type cast warning.
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal
  Commit: 7b8fa4758c1a249f8a904c3e902d90222f9e5f89
      https://github.com/heimdal/heimdal/commit/7b8fa4758c1a249f8a904c3e902d90222f9e5f89
  Author: Rod Widdowson
  Date:   2020-02-01 (Sat, 01 Feb 2020)

  Changed paths:
    M lib/hcrypto/rand-w32.c

  Log Message:
  -----------
  Windows: Fix type cast warning.

  Since at least SDK V6.1 HCRYPTPROV has been specified as ULONG_PTR; this
  means that comparing or setting one with NULL causes a cast warning.
  Use an explicit cast from zero to that type.


From noreply at github.com Tue Feb 4 07:28:38 2020
From: noreply at github.com (Luke Howard)
Date: Mon, 03 Feb 2020 22:28:38 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] fd5723: gss: register GSS_KRB5_S error table
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal
  Commit: fd572363a58985286102ab80b4202a2190b5e712
      https://github.com/heimdal/heimdal/commit/fd572363a58985286102ab80b4202a2190b5e712
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M lib/gssapi/krb5/init.c

  Log Message:
  -----------
  gss: register GSS_KRB5_S error table

  The Kerberos GSS mechanism specific error table in gkrb5_err.et was
  never registered with libkrb5, so the messages corresponding to those
  errors would never be available. Register them with the thread local
  context used by the krb5 mechanism.
  Commit: bf14eb29dfb967b75385d261918f92f88a99fc3d
      https://github.com/heimdal/heimdal/commit/bf14eb29dfb967b75385d261918f92f88a99fc3d
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M lib/gssapi/ntlm/acquire_cred.c

  Log Message:
  -----------
  gss: NTLM nsi_probe returns a krb5, not gss error

  The nsi_probe() error code was treated as a GSS error code, rather than
  a krb5 error. Return a GSS error code, setting the krb5 error in
  minor_status.


  Commit: c510e6d474ecece26daf627ad7b96947bccec0c5
      https://github.com/heimdal/heimdal/commit/c510e6d474ecece26daf627ad7b96947bccec0c5
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M lib/gssapi/ntlm/acquire_cred.c

  Log Message:
  -----------
  gss: don't provide domain to nsi_probe() in NTLM

  _gss_ntlm_accept_sec_context() does not provide the acceptor domain to
  nsi_probe(); for consistency, _gss_ntlm_acquire_cred_from() should do
  the same. Providing the acceptor domain was breaking tests.

  Note that the Heimdal NTLM implementation is old and has few consumers
  (Apple and Samba use their own implementations). Arguably we should
  merge the Apple implementation or remove it.


  Commit: 920cfc5584815a299c057ad588da4196d14813ad
      https://github.com/heimdal/heimdal/commit/920cfc5584815a299c057ad588da4196d14813ad
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M lib/gssapi/ntlm/crypto.c
    M lib/gssapi/ntlm/init_sec_context.c
    M lib/gssapi/ntlm/set_sec_context_option.c

  Log Message:
  -----------
  gss: use _gss_ntlm_set_keys() in gss_init_sec_context()

  DRY: use the _gss_ntlm_set_keys() helper function to initialize the key
  state for both initiator and acceptor.
  Commit: 64d5d138a925b6e852c5dd231ff49033555e5ea2
      https://github.com/heimdal/heimdal/commit/64d5d138a925b6e852c5dd231ff49033555e5ea2
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M lib/gssapi/mech/gss_mech_switch.c

  Log Message:
  -----------
  gss: mechanism optional interfaces

  Make mechanism interfaces that are optional in usage, optional in
  implementation, i.e. do not require them to be present when dynamically
  loading a mechanism.

  In order to aid minimal mechanism implementation, more of these should
  likely be made optional (this will require an additional check in the
  mechglue to return GSS_S_UNAVAILABLE if the function pointer is NULL).
  This is left as a future exercise.


  Commit: d7138cfbe7b56a5447cfc86b9d6d2c8e7732c7c4
      https://github.com/heimdal/heimdal/commit/d7138cfbe7b56a5447cfc86b9d6d2c8e7732c7c4
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M include/Makefile.am
    M include/NTMakefile
    A include/heimqueue.h
    M lib/asn1/Makefile.am
    R lib/asn1/asn1_queue.h
    M lib/asn1/asn1parse.y
    M lib/asn1/gen.c
    M lib/asn1/gen_copy.c
    M lib/asn1/gen_decode.c
    M lib/asn1/gen_encode.c
    M lib/asn1/gen_free.c
    M lib/asn1/gen_glue.c
    M lib/asn1/gen_length.c
    M lib/asn1/gen_template.c
    M lib/asn1/symbol.h
    M lib/base/Makefile.am
    R lib/base/heimqueue.h

  Log Message:
  -----------
  base: make heimqueue.h a shared header

  Share heimqueue.h between base and asn1, to avoid duplication of code.
  Commit: 31af9ba7034fdadf6deda066af716330619a120c
      https://github.com/heimdal/heimdal/commit/31af9ba7034fdadf6deda066af716330619a120c
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M include/heimqueue.h
    M lib/gssapi/Makefile.am
    M lib/gssapi/NTMakefile
    M lib/gssapi/mech/cred.c
    M lib/gssapi/mech/cred.h
    M lib/gssapi/mech/gss_accept_sec_context.c
    M lib/gssapi/mech/gss_acquire_cred_from.c
    M lib/gssapi/mech/gss_add_cred_from.c
    M lib/gssapi/mech/gss_authorize_localname.c
    M lib/gssapi/mech/gss_compare_name.c
    M lib/gssapi/mech/gss_cred.c
    M lib/gssapi/mech/gss_delete_name_attribute.c
    M lib/gssapi/mech/gss_destroy_cred.c
    M lib/gssapi/mech/gss_display_name.c
    M lib/gssapi/mech/gss_display_name_ext.c
    M lib/gssapi/mech/gss_duplicate_cred.c
    M lib/gssapi/mech/gss_duplicate_name.c
    M lib/gssapi/mech/gss_export_name.c
    M lib/gssapi/mech/gss_export_name_composite.c
    M lib/gssapi/mech/gss_get_name_attribute.c
    M lib/gssapi/mech/gss_get_neg_mechs.c
    M lib/gssapi/mech/gss_import_name.c
    M lib/gssapi/mech/gss_indicate_mechs.c
    M lib/gssapi/mech/gss_init_sec_context.c
    M lib/gssapi/mech/gss_inquire_cred.c
    M lib/gssapi/mech/gss_inquire_cred_by_mech.c
    M lib/gssapi/mech/gss_inquire_cred_by_oid.c
    M lib/gssapi/mech/gss_inquire_mechs_for_name.c
    M lib/gssapi/mech/gss_inquire_name.c
    M lib/gssapi/mech/gss_krb5.c
    M lib/gssapi/mech/gss_mech_switch.c
    M lib/gssapi/mech/gss_mo.c
    M lib/gssapi/mech/gss_names.c
    M lib/gssapi/mech/gss_pname_to_uid.c
    M lib/gssapi/mech/gss_set_cred_option.c
    M lib/gssapi/mech/gss_set_name_attribute.c
    M lib/gssapi/mech/gss_set_neg_mechs.c
    M lib/gssapi/mech/gss_store_cred_into.c
    M lib/gssapi/mech/mech_locl.h
    M lib/gssapi/mech/mech_switch.h
    R lib/gssapi/mech/mechqueue.h
    M lib/gssapi/mech/name.h

  Log Message:
  -----------
  gss: use tail queue instead of singly linked list in mechglue

  The GSS mechglue uses singly linked lists for mechanisms and mechanism
  objects, to which new entries are inserted at the head. This breaks
  ordering of mechanisms specified in OID sets and in /etc/gss/mech, as
  they will be back to front. Use a tail queue instead so that new
  entries are inserted at the end.


  Commit: 6af3ea90991eef78d518bfcb1de6de0d4e03919b
      https://github.com/heimdal/heimdal/commit/6af3ea90991eef78d518bfcb1de6de0d4e03919b
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M lib/gssapi/gssapi/gssapi.h
    M lib/gssapi/gssapi_mech.h
    M lib/gssapi/libgssapi-exports.def
    M lib/gssapi/mech/context.c
    M lib/gssapi/mech/cred.h
    M lib/gssapi/mech/gss_accept_sec_context.c
    M lib/gssapi/mech/gss_acquire_cred_from.c
    M lib/gssapi/mech/gss_cred.c
    M lib/gssapi/mech/gss_init_sec_context.c
    M lib/gssapi/mech/gss_mech_switch.c
    M lib/gssapi/version-script.map
    M lib/krb5/libkrb5-exports.def.in
    M lib/krb5/version-script.map

  Log Message:
  -----------
  gss: merge enhanced Apple mechglue logging

  Add _gss_mg_log() and friends for logging from within the mechanism glue
  and SPNEGO. These APIs wrap around the libkrb5 logging APIs.


  Commit: 8478dd1c88846f71fc66683be46e03b42b16da39
      https://github.com/heimdal/heimdal/commit/8478dd1c88846f71fc66683be46e03b42b16da39
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M lib/gssapi/gssapi_mech.h
    M lib/gssapi/mech/gss_export_name.c
    M lib/gssapi/mech/gss_get_name_attribute.c
    M lib/gssapi/mech/gss_init_sec_context.c
    M lib/gssapi/mech/gss_names.c
    M lib/gssapi/mech/name.h

  Log Message:
  -----------
  gss: merge Apple name helper APIs

  Add helper APIs to the mechanism glue from the Apple implementation.
  gss_mg_export_name() can be used by a mechanism to create an exported
  name (this is used by the future SAnon implementation).
  _gss_mech_import_name() allows the mechanism to pass in a list of
  parsing functions for specific name types.

  This commit only adds support to the mechanism glue itself.
  Commit: e69c2a8111defda5983e95b5efe820406f297674
      https://github.com/heimdal/heimdal/commit/e69c2a8111defda5983e95b5efe820406f297674
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M lib/gssapi/Makefile.am
    M lib/gssapi/NTMakefile
    M lib/gssapi/gssapi/gssapi.h
    M lib/gssapi/mech/gss_destroy_cred.c

  Log Message:
  -----------
  gss: expose gss_destroy_cred()

  Build and export gss_destroy_cred(). This permanently destroys the
  credential, rather than releasing a handle to it.


  Commit: 340cc3f0929ecfeba848b638237d5a25bd96f21f
      https://github.com/heimdal/heimdal/commit/340cc3f0929ecfeba848b638237d5a25bd96f21f
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M lib/gssapi/mech/gss_init_sec_context.c

  Log Message:
  -----------
  gss: make krb5 default GSS mech earlier in path

  Defensively default to GSS_KRB5_MECHANISM on all calls to
  gss_init_sec_context() if mech_type is GSS_C_NO_OID (rather than only
  on the first call).


  Commit: e80248ed363b11c64d4577f94fb65cdb6712ef5d
      https://github.com/heimdal/heimdal/commit/e80248ed363b11c64d4577f94fb65cdb6712ef5d
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M lib/gssapi/mech/gss_accept_sec_context.c
    M lib/gssapi/mech/gss_acquire_cred_from.c
    M lib/gssapi/mech/gss_add_cred_from.c
    M lib/gssapi/mech/gss_store_cred_into.c

  Log Message:
  -----------
  gss: add some missing GM_USE_MG_CRED checks

  GM_USE_MG_CRED allows a mechanism glue credential to be used by a
  mechanism without additional wrapping. Although no extant mechanisms
  use this flag, the flag had sporadic support in the mechanism glue
  already. In the interest of consistency, add missing GM_USE_MG_CRED
  checks. If this functionality is not desired, then all checks should
  be removed.
  Commit: ae5c60286a06e72997e88b694823e23fa1805693
      https://github.com/heimdal/heimdal/commit/ae5c60286a06e72997e88b694823e23fa1805693
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M lib/gssapi/ntlm/release_name.c
    M lib/gssapi/spnego/accept_sec_context.c
    M lib/gssapi/spnego/context_stubs.c
    M lib/gssapi/spnego/cred_stubs.c
    M lib/gssapi/spnego/init_sec_context.c
    M lib/gssapi/spnego/spnego_locl.h

  Log Message:
  -----------
  gss: remove SPNEGO name wrappers

  Wrapping GSS names at the SPNEGO level serves no purpose; remove it and
  return mechglue names directly. This required a small change to the
  NTLM mechanism to allow NULL names to be passed to its release name
  function.


  Commit: 4fb6a6adc9d5593079e37addb40fd80834df77b4
      https://github.com/heimdal/heimdal/commit/4fb6a6adc9d5593079e37addb40fd80834df77b4
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M doc/setup.texi
    A doc/standardisation/draft-zhu-negoex-04.txt
    M include/Makefile.am
    M lib/gssapi/Makefile.am
    M lib/gssapi/NTMakefile
    M lib/gssapi/gssapi/gssapi_oid.h
    M lib/gssapi/gssapi/gssapi_spnego.h
    M lib/gssapi/gssapi_mech.h
    M lib/gssapi/krb5/external.c
    M lib/gssapi/libgssapi-exports.def
    M lib/gssapi/mech/context.c
    M lib/gssapi/mech/gss_init_sec_context.c
    M lib/gssapi/mech/gss_inquire_cred.c
    M lib/gssapi/mech/gss_mech_switch.c
    M lib/gssapi/mech/gss_oid.c
    M lib/gssapi/mech/gss_utils.c
    A lib/gssapi/mech/gssspi_exchange_meta_data.c
    A lib/gssapi/mech/gssspi_query_mechanism_info.c
    A lib/gssapi/mech/gssspi_query_meta_data.c
    M lib/gssapi/mech/mech_locl.h
    M lib/gssapi/mech/utils.h
    M lib/gssapi/ntlm/external.c
    M lib/gssapi/oid.txt
    M lib/gssapi/spnego/accept_sec_context.c
    M lib/gssapi/spnego/compat.c
    M lib/gssapi/spnego/context_stubs.c
    M lib/gssapi/spnego/cred_stubs.c
    M lib/gssapi/spnego/external.c
    M lib/gssapi/spnego/init_sec_context.c
    A lib/gssapi/spnego/negoex_ctx.c
    A lib/gssapi/spnego/negoex_err.et
    A lib/gssapi/spnego/negoex_locl.h
    A lib/gssapi/spnego/negoex_util.c
    M lib/gssapi/spnego/spnego.asn1
    M lib/gssapi/spnego/spnego_locl.h
    M lib/gssapi/test_context.c
    A lib/gssapi/test_negoex_mech.c
    M lib/gssapi/version-script.map
    M tests/bin/setup-env.in
    M tests/gss/Makefile.am
    M tests/gss/check-gssmask.in
    A tests/gss/check-negoex.in
    M tests/gss/check-ntlm.in
    M tests/gss/check-spnego.in
    A tests/gss/mech.in

  Log Message:
  -----------
  gss: port NegoEx implementation from MIT

  An implementation of draft-zhu-negoex-04 for MIT Kerberos was developed
  in 2011. This has been recently integrated, with many fixes from Greg
  Hudson. This commit ports it to Heimdal.

  The implementation has been interoperability tested with MIT Kerberos
  and Windows, using the GSS EAP mechanism developed as part of the
  Moonshot project.

  The SPNEGO code was also updated to import the state machine from Apple
  which improves mechListMIC processing and avoids discarding initial
  context tokens generated during mechanism probing, that can be used for
  optimistic tokens.

  Finally, to aid in testing, the GSS-API mechanism glue configuration
  file can be changed using the environment variable GSS_MECH_CONFIG.
  This environment variable name, along with the format of the
  configuration file, is compatible with MIT (although it would be
  difficult for a single mechanism binary to support both
  implementations).
  Commit: 044c1c6b6346ebaf8f472ef297b36e52dfef42fd
      https://github.com/heimdal/heimdal/commit/044c1c6b6346ebaf8f472ef297b36e52dfef42fd
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M lib/gssapi/spnego/accept_sec_context.c

  Log Message:
  -----------
  gss: don't generate mechListMIC in SPNEGO if it is safe to omit it


  Commit: 3e69aacbe24bfcdc65a5949f239ef19826d10438
      https://github.com/heimdal/heimdal/commit/3e69aacbe24bfcdc65a5949f239ef19826d10438
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M lib/gssapi/Makefile.am
    M lib/gssapi/spnego/accept_sec_context.c
    M lib/gssapi/spnego/spnego.asn1

  Log Message:
  -----------
  gss: harmonize SPNEGO with [MS-SPNG]

  In [MS-SPNG], the Microsoft extension is defined as NegTokenInit2 rather
  than NegTokenInitWin. Harmonize with the specification.


  Commit: 161f846d7629b05e2a5cdbeb9dd7008df5b511ff
      https://github.com/heimdal/heimdal/commit/161f846d7629b05e2a5cdbeb9dd7008df5b511ff
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M lib/gssapi/Makefile.am
    M lib/gssapi/spnego/accept_sec_context.c
    M lib/gssapi/spnego/init_sec_context.c
    M lib/gssapi/spnego/spnego.asn1

  Log Message:
  -----------
  gss: harmonize negState with RFC 4178

  RFC 4178 4.2.2 uses the field name negState rather than negResult in
  NegTokenResp, to denote the negotiation state. Harmonize with this,
  also replacing the underscores in accept-completed and
  accept-incomplete to match the RFC.


  Commit: 5d1a33f780c4644bb6399e8812ca10208f218225
      https://github.com/heimdal/heimdal/commit/5d1a33f780c4644bb6399e8812ca10208f218225
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M lib/gssapi/spnego/compat.c

  Log Message:
  -----------
  gss: don't explicitly reorder krb5 to front of spnego

  Previously krb5 was tried explicitly; now that the internal mech list
  is reordered so that krb5 is first, this should no longer be required.
  This permits an application to specify another mechanism as preferred
  over krb5 using gss_set_neg_mechs().


  Commit: 921d528d8bc2e90ee9bc790e7a4e1dc012fac4f3
      https://github.com/heimdal/heimdal/commit/921d528d8bc2e90ee9bc790e7a4e1dc012fac4f3
  Author: Luke Howard
  Date:   2020-02-04 (Tue, 04 Feb 2020)

  Changed paths:
    M lib/gssapi/gssapi/gssapi_oid.h
    M lib/gssapi/mech/gss_oid.c
    M lib/gssapi/oid.txt
    M lib/gssapi/spnego/compat.c

  Log Message:
  -----------
  gss: add mechanism-force-mechListMIC hook to SPNEGO

  NTLM erroneously requires a mechListMIC at the SPNEGO layer if an
  internal MIC in the NTLM protocol was used. Add a private interface
  between SPNEGO and the Samba NTLM mechanism to allow the mechanism to
  signal that a mechListMIC is required even if it otherwise would not
  be. This interface is the same as that supported by MIT.

  Note that only the Samba NTLM mechanism currently implements this
  feature, it is not implemented by the Heimdal NTLM mechanism (which
  does not support NTLM authenticate message MICs).


Compare: https://github.com/heimdal/heimdal/compare/7b8fa4758c1a...921d528d8bc2


From noreply at github.com Tue Feb 11 08:49:38 2020
From: noreply at github.com (Isaac Boukris)
Date: Mon, 10 Feb 2020 23:49:38 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 839b07: tgs-req: strip forwardable and proxiable if the se...
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal
  Commit: 839b073facd2aecda6740224d73e560bc79965dc
      https://github.com/heimdal/heimdal/commit/839b073facd2aecda6740224d73e560bc79965dc
  Author: Isaac Boukris
  Date:   2020-02-11 (Tue, 11 Feb 2020)

  Changed paths:
    M kdc/krb5tgs.c
    M tests/kdc/check-kdc.in

  Log Message:
  -----------
  tgs-req: strip forwardable and proxiable if the server is disallowed


From noreply at github.com Tue Feb 11 08:51:17 2020
From: noreply at github.com (Isaac Boukris)
Date: Mon, 10 Feb 2020 23:51:17 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] bc216a: tgs-req: strip forwardable and proxiable if the se...
Message-ID:

  Branch: refs/heads/heimdal-7-1-branch
  Home:   https://github.com/heimdal/heimdal
  Commit: bc216adeb6020d9f094036e5bbf63e8460d445e5
      https://github.com/heimdal/heimdal/commit/bc216adeb6020d9f094036e5bbf63e8460d445e5
  Author: Isaac Boukris
  Date:   2020-02-11 (Tue, 11 Feb 2020)

  Changed paths:
    M kdc/krb5tgs.c
    M tests/kdc/check-kdc.in

  Log Message:
  -----------
  tgs-req: strip forwardable and proxiable if the server is disallowed
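Two of the 4 February commits above touch the same thing from different sides: 31af9ba7 replaces the mechglue's head-inserted singly linked list with a tail queue because head insertion reverses the order of /etc/gss/mech, and 4fb6a6ad (the NegoEx port) lets that file be pointed elsewhere with GSS_MECH_CONFIG. The program below is an added example written for this page; it is not Heimdal code and does not use Heimdal's parser or heimqueue.h (sys/queue.h, from which heimqueue.h descends, stands in). It loads a constructed mechanism file into both container types from the same nodes and renders the resulting order from each. The "name oid library" line layout, '#' comments, the blank line and the library file names are assumptions; only the three mechanism OIDs are real.

```c
/*
 * Added example, not Heimdal code: head insertion into a singly linked list
 * reverses the order of the mechanism config file, a tail queue preserves it.
 * The "name oid library" layout, '#' comments and the sample lines below are
 * constructed; sys/queue.h stands in for Heimdal's heimqueue.h.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>

struct mech {
    char name[32], oid[64], library[64];
    SLIST_ENTRY(mech) slist_link;   /* old style: singly linked, head insert */
    TAILQ_ENTRY(mech) tailq_link;   /* new style: tail queue, tail insert   */
};
SLIST_HEAD(mech_slist, mech);
TAILQ_HEAD(mech_tailq, mech);

/* Constructed sample file: real mechanism OIDs, made-up library names. */
static const char sample_mech_config[] =
    "# name        oid                       shared object\n"
    "eap-aes128    1.3.6.1.5.5.15.1.1.17     mech_eap.so\n"
    "\n"
    "ntlm          1.3.6.1.4.1.311.2.2.10    libgssapi_ntlm.so\n"
    "krb5          1.2.840.113554.1.2.2      libgssapi_krb5.so\n";

/* Returns 1 if line holds a mechanism entry (filled into m), 0 for blank/comment/junk. */
static int parse_mech_line(const char *line, struct mech *m)
{
    while (*line == ' ' || *line == '\t')
        line++;
    if (*line == '\0' || *line == '#')
        return 0;
    return sscanf(line, "%31s %63s %63s", m->name, m->oid, m->library) == 3;
}

/* Load config into both containers (same nodes). Returns count, or -1 on alloc failure. */
static int load_mechs(const char *config, struct mech_slist *sl, struct mech_tailq *tq)
{
    int count = 0;
    SLIST_INIT(sl);
    TAILQ_INIT(tq);
    while (*config != '\0') {
        char line[256];
        const char *nl = strchr(config, '\n');
        size_t n = nl ? (size_t)(nl - config) : strlen(config);
        struct mech *m = calloc(1, sizeof(*m));
        if (m == NULL)
            return -1;
        if (n >= sizeof line)
            n = sizeof line - 1;
        memcpy(line, config, n);
        line[n] = '\0';
        config = nl ? nl + 1 : config + strlen(config);
        if (!parse_mech_line(line, m)) {
            free(m);
            continue;
        }
        SLIST_INSERT_HEAD(sl, m, slist_link);  /* bug: last line read comes out first */
        TAILQ_INSERT_TAIL(tq, m, tailq_link);  /* fix: file order is kept             */
        count++;
    }
    return count;
}

/* Every node is on both lists, so one pass over the tail queue frees all. */
static void free_mechs(struct mech_tailq *tq)
{
    struct mech *m;
    while ((m = TAILQ_FIRST(tq)) != NULL) {
        TAILQ_REMOVE(tq, m, tailq_link);
        free(m);
    }
}

static void append_name(char *buf, size_t len, const char *name)
{
    if (buf[0] != '\0')
        strncat(buf, ",", len - strlen(buf) - 1);
    strncat(buf, name, len - strlen(buf) - 1);
}

/* Render the mechanism order as "a,b,c" from the list (use_tailq == 0) or the queue. */
static int mech_order(int use_tailq, char *buf, size_t len)
{
    struct mech_slist sl;
    struct mech_tailq tq;
    struct mech *m;
    int count = load_mechs(sample_mech_config, &sl, &tq);
    buf[0] = '\0';
    if (use_tailq) {
        TAILQ_FOREACH(m, &tq, tailq_link)
            append_name(buf, len, m->name);
    } else {
        SLIST_FOREACH(m, &sl, slist_link)
            append_name(buf, len, m->name);
    }
    free_mechs(&tq);
    return count;
}

/* Does the chosen container yield exactly the expected order for the sample file? */
static int order_matches(int use_tailq, const char *expected)
{
    char buf[256];
    return mech_order(use_tailq, buf, sizeof buf) == 3 && strcmp(buf, expected) == 0;
}
```

Calling mech_order(0, ...) yields krb5,ntlm,eap-aes128 (the file read back to front), mech_order(1, ...) yields eap-aes128,ntlm,krb5. The practical consequence is the one the later commit 5d1a33f7 relies on: with the old list, whichever mechanism an administrator listed last became the first one offered, so any ordering intent expressed in the file, or in an OID set passed to gss_set_neg_mechs(), was silently inverted.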