[Heimdal-source-changes] [heimdal/heimdal] fd5723: gss: register GSS_KRB5_S error table
Luke Howard
noreply at github.com
Tue Feb 4 07:28:38 CET 2020
Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: fd572363a58985286102ab80b4202a2190b5e712
https://github.com/heimdal/heimdal/commit/fd572363a58985286102ab80b4202a2190b5e712
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M lib/gssapi/krb5/init.c
Log Message:
-----------
gss: register GSS_KRB5_S error table
The Kerberos GSS mechanism specific error table in gkrb5_err.et was never
registered with libkrb5, so the messages corresponding to those errors would
never be available. Register them with the thread local context used by the
krb5 mechanism.
Commit: bf14eb29dfb967b75385d261918f92f88a99fc3d
https://github.com/heimdal/heimdal/commit/bf14eb29dfb967b75385d261918f92f88a99fc3d
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M lib/gssapi/ntlm/acquire_cred.c
Log Message:
-----------
gss: NTLM nsi_probe returns a krb5, not gss error
The nsi_probe() error code was treated as a GSS error code, rather than a krb5
error. Return a GSS error code, setting the krb5 error in minor_status.
Commit: c510e6d474ecece26daf627ad7b96947bccec0c5
https://github.com/heimdal/heimdal/commit/c510e6d474ecece26daf627ad7b96947bccec0c5
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M lib/gssapi/ntlm/acquire_cred.c
Log Message:
-----------
gss: don't provide domain to nsi_probe() in NTLM
_gss_ntlm_accept_sec_context() does not provide the acceptor domain to
nsi_probe(); for consistency, _gss_ntlm_acquire_cred_from() should do the
same. Providing the acceptor domain was breaking tests.
Note that the Heimdal NTLM implementation is old and has few consumers (Apple
and Samba use their own implementations). Arguably we should merge the Apple
implementation or remove it.
Commit: 920cfc5584815a299c057ad588da4196d14813ad
https://github.com/heimdal/heimdal/commit/920cfc5584815a299c057ad588da4196d14813ad
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M lib/gssapi/ntlm/crypto.c
M lib/gssapi/ntlm/init_sec_context.c
M lib/gssapi/ntlm/set_sec_context_option.c
Log Message:
-----------
gss: use _gss_ntlm_set_keys() in gss_init_sec_context()
DRY: use the _gss_ntlm_set_keys() helper function to initialize the key state
for both initiator and acceptor.
Commit: 64d5d138a925b6e852c5dd231ff49033555e5ea2
https://github.com/heimdal/heimdal/commit/64d5d138a925b6e852c5dd231ff49033555e5ea2
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M lib/gssapi/mech/gss_mech_switch.c
Log Message:
-----------
gss: mechanism optional interfaces
Make mechanism interfaces that are optional in usage, optional in
implementation, i.e. do not require them to be present when dynamically loading
a mechanism. In order to aid minimal mechanism implementation, more of these
should likely be made optional (this will require an additional check in the
mechglue to return GSS_S_UNAVAILABLE if the function pointer is NULL). This is
left as a future exercise.
Commit: d7138cfbe7b56a5447cfc86b9d6d2c8e7732c7c4
https://github.com/heimdal/heimdal/commit/d7138cfbe7b56a5447cfc86b9d6d2c8e7732c7c4
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M include/Makefile.am
M include/NTMakefile
A include/heimqueue.h
M lib/asn1/Makefile.am
R lib/asn1/asn1_queue.h
M lib/asn1/asn1parse.y
M lib/asn1/gen.c
M lib/asn1/gen_copy.c
M lib/asn1/gen_decode.c
M lib/asn1/gen_encode.c
M lib/asn1/gen_free.c
M lib/asn1/gen_glue.c
M lib/asn1/gen_length.c
M lib/asn1/gen_template.c
M lib/asn1/symbol.h
M lib/base/Makefile.am
R lib/base/heimqueue.h
Log Message:
-----------
base: make heimqueue.h a shared header
Share heimqueue.h between base and asn1, to avoid duplication of code.
Commit: 31af9ba7034fdadf6deda066af716330619a120c
https://github.com/heimdal/heimdal/commit/31af9ba7034fdadf6deda066af716330619a120c
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M include/heimqueue.h
M lib/gssapi/Makefile.am
M lib/gssapi/NTMakefile
M lib/gssapi/mech/cred.c
M lib/gssapi/mech/cred.h
M lib/gssapi/mech/gss_accept_sec_context.c
M lib/gssapi/mech/gss_acquire_cred_from.c
M lib/gssapi/mech/gss_add_cred_from.c
M lib/gssapi/mech/gss_authorize_localname.c
M lib/gssapi/mech/gss_compare_name.c
M lib/gssapi/mech/gss_cred.c
M lib/gssapi/mech/gss_delete_name_attribute.c
M lib/gssapi/mech/gss_destroy_cred.c
M lib/gssapi/mech/gss_display_name.c
M lib/gssapi/mech/gss_display_name_ext.c
M lib/gssapi/mech/gss_duplicate_cred.c
M lib/gssapi/mech/gss_duplicate_name.c
M lib/gssapi/mech/gss_export_name.c
M lib/gssapi/mech/gss_export_name_composite.c
M lib/gssapi/mech/gss_get_name_attribute.c
M lib/gssapi/mech/gss_get_neg_mechs.c
M lib/gssapi/mech/gss_import_name.c
M lib/gssapi/mech/gss_indicate_mechs.c
M lib/gssapi/mech/gss_init_sec_context.c
M lib/gssapi/mech/gss_inquire_cred.c
M lib/gssapi/mech/gss_inquire_cred_by_mech.c
M lib/gssapi/mech/gss_inquire_cred_by_oid.c
M lib/gssapi/mech/gss_inquire_mechs_for_name.c
M lib/gssapi/mech/gss_inquire_name.c
M lib/gssapi/mech/gss_krb5.c
M lib/gssapi/mech/gss_mech_switch.c
M lib/gssapi/mech/gss_mo.c
M lib/gssapi/mech/gss_names.c
M lib/gssapi/mech/gss_pname_to_uid.c
M lib/gssapi/mech/gss_set_cred_option.c
M lib/gssapi/mech/gss_set_name_attribute.c
M lib/gssapi/mech/gss_set_neg_mechs.c
M lib/gssapi/mech/gss_store_cred_into.c
M lib/gssapi/mech/mech_locl.h
M lib/gssapi/mech/mech_switch.h
R lib/gssapi/mech/mechqueue.h
M lib/gssapi/mech/name.h
Log Message:
-----------
gss: use tail queue instead of singly linked list in mechglue
The GSS mechglue uses singly linked lists for mechanisms and mechanism objects,
to which new entries are inserted at the head. This breaks ordering of
mechanisms specified in OID sets and in /etc/gss/mech, as they will be back to
front. Use a tail queue instead so that new entries are inserted at the end.
Commit: 6af3ea90991eef78d518bfcb1de6de0d4e03919b
https://github.com/heimdal/heimdal/commit/6af3ea90991eef78d518bfcb1de6de0d4e03919b
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M lib/gssapi/gssapi/gssapi.h
M lib/gssapi/gssapi_mech.h
M lib/gssapi/libgssapi-exports.def
M lib/gssapi/mech/context.c
M lib/gssapi/mech/cred.h
M lib/gssapi/mech/gss_accept_sec_context.c
M lib/gssapi/mech/gss_acquire_cred_from.c
M lib/gssapi/mech/gss_cred.c
M lib/gssapi/mech/gss_init_sec_context.c
M lib/gssapi/mech/gss_mech_switch.c
M lib/gssapi/version-script.map
M lib/krb5/libkrb5-exports.def.in
M lib/krb5/version-script.map
Log Message:
-----------
gss: merge enhanced Apple mechglue logging
Add _gss_mg_log() and friends for logging from within the mechanism glue and
SPNEGO. These APIs wrap around the libkrb5 logging APIs.
Commit: 8478dd1c88846f71fc66683be46e03b42b16da39
https://github.com/heimdal/heimdal/commit/8478dd1c88846f71fc66683be46e03b42b16da39
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M lib/gssapi/gssapi_mech.h
M lib/gssapi/mech/gss_export_name.c
M lib/gssapi/mech/gss_get_name_attribute.c
M lib/gssapi/mech/gss_init_sec_context.c
M lib/gssapi/mech/gss_names.c
M lib/gssapi/mech/name.h
Log Message:
-----------
gss: merge Apple name helper APIs
Add helper APIs to the mechanism glue from the Apple implementation.
gss_mg_export_name() can be used by a mechanism to create an exported name
(this is used by the future SAnon implementation). _gss_mech_import_name()
allows the mechanism to pass in a list of parsing functions for specific name
types. This commit only adds support to the mechanism glue itself.
Commit: e69c2a8111defda5983e95b5efe820406f297674
https://github.com/heimdal/heimdal/commit/e69c2a8111defda5983e95b5efe820406f297674
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M lib/gssapi/Makefile.am
M lib/gssapi/NTMakefile
M lib/gssapi/gssapi/gssapi.h
M lib/gssapi/mech/gss_destroy_cred.c
Log Message:
-----------
gss: expose gss_destroy_cred()
Build and export gss_destroy_cred(). This permanently destroys the credential,
rather than releasing a handle to it.
Commit: 340cc3f0929ecfeba848b638237d5a25bd96f21f
https://github.com/heimdal/heimdal/commit/340cc3f0929ecfeba848b638237d5a25bd96f21f
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M lib/gssapi/mech/gss_init_sec_context.c
Log Message:
-----------
gss: make krb5 default GSS mech earlier in path
Defensively default to GSS_KRB5_MECHANISM on all calls to
gss_init_sec_context() if mech_type is GSS_C_NO_OID (rather than only on the
first call).
Commit: e80248ed363b11c64d4577f94fb65cdb6712ef5d
https://github.com/heimdal/heimdal/commit/e80248ed363b11c64d4577f94fb65cdb6712ef5d
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M lib/gssapi/mech/gss_accept_sec_context.c
M lib/gssapi/mech/gss_acquire_cred_from.c
M lib/gssapi/mech/gss_add_cred_from.c
M lib/gssapi/mech/gss_store_cred_into.c
Log Message:
-----------
gss: add some missing GM_USE_MG_CRED checks
GM_USE_MG_CRED allows a mechanism glue credential to be used by a mechanism
without additional wrapping. Although no extant mechanisms use this flag, the
flag had sporadic support in the mechanism glue already. In the interest of
consistency, add missing GM_USE_MG_CRED checks. If this functionality is not
desired, then all checks should be removed.
Commit: ae5c60286a06e72997e88b694823e23fa1805693
https://github.com/heimdal/heimdal/commit/ae5c60286a06e72997e88b694823e23fa1805693
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M lib/gssapi/ntlm/release_name.c
M lib/gssapi/spnego/accept_sec_context.c
M lib/gssapi/spnego/context_stubs.c
M lib/gssapi/spnego/cred_stubs.c
M lib/gssapi/spnego/init_sec_context.c
M lib/gssapi/spnego/spnego_locl.h
Log Message:
-----------
gss: remove SPNEGO name wrappers
Wrapping GSS names at the SPNEGO level serves no purpose; remove it and return
mechglue names directly. This required a small change to the NTLM mechanism to
allow NULL names to be passed to its release name function.
Commit: 4fb6a6adc9d5593079e37addb40fd80834df77b4
https://github.com/heimdal/heimdal/commit/4fb6a6adc9d5593079e37addb40fd80834df77b4
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M doc/setup.texi
A doc/standardisation/draft-zhu-negoex-04.txt
M include/Makefile.am
M lib/gssapi/Makefile.am
M lib/gssapi/NTMakefile
M lib/gssapi/gssapi/gssapi_oid.h
M lib/gssapi/gssapi/gssapi_spnego.h
M lib/gssapi/gssapi_mech.h
M lib/gssapi/krb5/external.c
M lib/gssapi/libgssapi-exports.def
M lib/gssapi/mech/context.c
M lib/gssapi/mech/gss_init_sec_context.c
M lib/gssapi/mech/gss_inquire_cred.c
M lib/gssapi/mech/gss_mech_switch.c
M lib/gssapi/mech/gss_oid.c
M lib/gssapi/mech/gss_utils.c
A lib/gssapi/mech/gssspi_exchange_meta_data.c
A lib/gssapi/mech/gssspi_query_mechanism_info.c
A lib/gssapi/mech/gssspi_query_meta_data.c
M lib/gssapi/mech/mech_locl.h
M lib/gssapi/mech/utils.h
M lib/gssapi/ntlm/external.c
M lib/gssapi/oid.txt
M lib/gssapi/spnego/accept_sec_context.c
M lib/gssapi/spnego/compat.c
M lib/gssapi/spnego/context_stubs.c
M lib/gssapi/spnego/cred_stubs.c
M lib/gssapi/spnego/external.c
M lib/gssapi/spnego/init_sec_context.c
A lib/gssapi/spnego/negoex_ctx.c
A lib/gssapi/spnego/negoex_err.et
A lib/gssapi/spnego/negoex_locl.h
A lib/gssapi/spnego/negoex_util.c
M lib/gssapi/spnego/spnego.asn1
M lib/gssapi/spnego/spnego_locl.h
M lib/gssapi/test_context.c
A lib/gssapi/test_negoex_mech.c
M lib/gssapi/version-script.map
M tests/bin/setup-env.in
M tests/gss/Makefile.am
M tests/gss/check-gssmask.in
A tests/gss/check-negoex.in
M tests/gss/check-ntlm.in
M tests/gss/check-spnego.in
A tests/gss/mech.in
Log Message:
-----------
gss: port NegoEx implementation from MIT
An implementation of draft-zhu-negoex-04 for MIT Kerberos was developed in
2011. This has been recently integrated, with many fixes from Greg Hudson. This
commit ports it to Heimdal. The implementation has been interoperability tested
with MIT Kerberos and Windows, using the GSS EAP mechanism developed as part of
the Moonshot project.
The SPNEGO code was also updated to import the state machine from Apple, which
improves mechListMIC processing and avoids discarding initial context tokens
generated during mechanism probing that can be used for optimistic tokens.
Finally, to aid in testing, the GSS-API mechanism glue configuration file can
be changed using the environment variable GSS_MECH_CONFIG. This environment
variable name, along with the format of the configuration file, is compatible
with MIT (although it would be difficult for a single mechanism binary to
support both implementations).
Commit: 044c1c6b6346ebaf8f472ef297b36e52dfef42fd
https://github.com/heimdal/heimdal/commit/044c1c6b6346ebaf8f472ef297b36e52dfef42fd
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M lib/gssapi/spnego/accept_sec_context.c
Log Message:
-----------
gss: don't generate mechListMIC in SPNEGO if it is safe to omit it
Commit: 3e69aacbe24bfcdc65a5949f239ef19826d10438
https://github.com/heimdal/heimdal/commit/3e69aacbe24bfcdc65a5949f239ef19826d10438
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M lib/gssapi/Makefile.am
M lib/gssapi/spnego/accept_sec_context.c
M lib/gssapi/spnego/spnego.asn1
Log Message:
-----------
gss: harmonize SPNEGO with [MS-SPNG]
In [MS-SPNG], the Microsoft extension is defined as NegTokenInit2 rather than
NegTokenInitWin. Harmonize with the specification.
Commit: 161f846d7629b05e2a5cdbeb9dd7008df5b511ff
https://github.com/heimdal/heimdal/commit/161f846d7629b05e2a5cdbeb9dd7008df5b511ff
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M lib/gssapi/Makefile.am
M lib/gssapi/spnego/accept_sec_context.c
M lib/gssapi/spnego/init_sec_context.c
M lib/gssapi/spnego/spnego.asn1
Log Message:
-----------
gss: harmonize negState with RFC 4178
RFC 4178 4.2.2 uses the field name negState rather than negResult in
NegTokenResp, to denote the negotiation state. Harmonize with this, also
replacing the underscores in accept-completed and accept-incomplete to match
the RFC.
Commit: 5d1a33f780c4644bb6399e8812ca10208f218225
https://github.com/heimdal/heimdal/commit/5d1a33f780c4644bb6399e8812ca10208f218225
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M lib/gssapi/spnego/compat.c
Log Message:
-----------
gss: don't explicitly reorder krb5 to front of spnego
Previously krb5 was tried explicitly, but now that the internal mech list is
reordered so that krb5 is first, this should no longer be required. This
permits an application to specify another mechanism as preferred over krb5
using gss_set_neg_mechs().
Commit: 921d528d8bc2e90ee9bc790e7a4e1dc012fac4f3
https://github.com/heimdal/heimdal/commit/921d528d8bc2e90ee9bc790e7a4e1dc012fac4f3
Author: Luke Howard <lukeh at padl.com>
Date: 2020-02-04 (Tue, 04 Feb 2020)
Changed paths:
M lib/gssapi/gssapi/gssapi_oid.h
M lib/gssapi/mech/gss_oid.c
M lib/gssapi/oid.txt
M lib/gssapi/spnego/compat.c
Log Message:
-----------
gss: add mechanism-force-mechListMIC hook to SPNEGO
NTLM erroneously requires a mechListMIC at the SPNEGO layer if an internal MIC
in the NTLM protocol was used. Add a private interface between SPNEGO and the
Samba NTLM mechanism to allow the mechanism to signal that a mechListMIC is
required even if it otherwise would not be.
This interface is the same as that supported by MIT.
Note that only the Samba NTLM mechanism currently implements this feature; it
is not implemented by the Heimdal NTLM mechanism (which does not support NTLM
authenticate message MICs).
Compare: https://github.com/heimdal/heimdal/compare/7b8fa4758c1a...921d528d8bc2