Stefan Metzmacher [Wed, 14 Sep 2016 22:07:27 +0000 (00:07 +0200)]
kdc: use the correct kvno number for PKINIT in the AS-REP
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 18 May 2016 15:07:42 +0000 (17:07 +0200)]
kdc: add krb5plugin_windc_pac_pk_generate() hook
This allows PAC_CREDENTIAL_INFO to be added to the PAC
when using PKINIT. In that case PAC_CREDENTIAL_INFO contains
an encrypted PAC_CREDENTIAL_DATA.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(similar to Samba commit
0022ea9efb0e7809fa2d060b294320eb0479cdd2)
Gary Lockyer [Wed, 20 Sep 2017 03:35:10 +0000 (15:35 +1200)]
Align locked out account behaviour with Windows
Windows does not check the password on an account that has been locked.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andreas Schneider [Wed, 5 Sep 2018 02:49:59 +0000 (14:49 +1200)]
Fix size types
Upstream pull request:
https://github.com/heimdal/heimdal/pull/354
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(parts of cherry picked Samba commit
72979d1d60ca2eab1e7903c2e77b8cca69667691)
Andrew Bartlett [Mon, 10 Sep 2018 21:13:07 +0000 (16:13 -0500)]
lorikeet-heimdal: modernize URLs in helper scripts
We have moved some repos and have https these days
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 10 Sep 2018 21:05:40 +0000 (16:05 -0500)]
lorikeet-heimdal: import-lorikeet: Use --no-verify when importing heimdal
This allows us to import byte-for-byte files even if they have whitespace "errors".
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 5 Sep 2018 02:04:44 +0000 (14:04 +1200)]
lorikeet-heimdal: apply_heimdal: Try harder to apply patches from Samba
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 5 Sep 2018 01:57:35 +0000 (13:57 +1200)]
lorikeet-heimdal: apply_heimdal: Only show the Heimdal part of the patch to cherry-pick
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 5 Sep 2018 01:45:04 +0000 (13:45 +1200)]
lorikeet-heimdal: Include Samba commit in cherry-picked patches
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 21 Feb 2014 02:58:20 +0000 (15:58 +1300)]
lorikeet-heimdal: improve apply_heimdal.sh
Andrew Bartlett [Wed, 19 Feb 2014 09:06:57 +0000 (22:06 +1300)]
lorikeet-heimdal: specify hash to heimdal import, rather than using the date
Jelmer Vernooij [Tue, 21 Dec 2010 14:17:30 +0000 (15:17 +0100)]
lorikeet-heimdal: remove obsolete script for importing from svn.
Stefan Metzmacher [Fri, 22 Aug 2008 09:57:36 +0000 (11:57 +0200)]
lorikeet-heimdal: add IMPORT-HEIMDAL.sh
I think this can be removed...
metze
Jelmer Vernooij [Fri, 26 Oct 2012 14:34:47 +0000 (06:34 -0800)]
lorikeet-heimdal: rebase-lorikeet: Explicitly use bash.
Standard sh doesn't have pushd/popd.
Andrew Tridgell [Wed, 1 Dec 2010 02:00:08 +0000 (13:00 +1100)]
lorikeet-heimdal: Add a new script to help merging patches from Samba4 to heimdal
Stefan Metzmacher [Thu, 14 Jul 2011 14:24:37 +0000 (16:24 +0200)]
lorikeet-heimdal: improve import-lorikeet.sh for the toplevel build
metze
Andrew Bartlett [Tue, 30 Nov 2010 23:54:49 +0000 (10:54 +1100)]
lorikeet-heimdal: Improve the heimdal import scripts
Stefan Metzmacher [Fri, 27 Mar 2009 06:31:11 +0000 (07:31 +0100)]
lorikeet-heimdal: add scripts to rebase and import the latest version into samba4
If you use these scripts, read them! :-)
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:58:18 +0000 (11:58 +0200)]
lorikeet-heimdal: add wrap_ex_ntlm.diff from abartlet
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:57:06 +0000 (11:57 +0200)]
lorikeet-heimdal: add HEIMDAL-LICENCE.txt
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:43:50 +0000 (11:43 +0200)]
lorikeet-heimdal: camellia-ntt GPLv2+ license
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:42:21 +0000 (11:42 +0200)]
lorikeet-heimdal: autogen.sh modifications
metze
Nicolas Williams [Mon, 27 Apr 2020 22:56:53 +0000 (17:56 -0500)]
hcrypto: Fix more warnings (rsa-ltm)
Luke Howard [Mon, 27 Apr 2020 21:38:31 +0000 (07:38 +1000)]
gss: unconditionally set certain flags in SAnon ISC
SAnon unconditionally sets the replay, sequence, confidentiality, and integrity
flags on the acceptor; do so on the initiator as well. Some indentation
cleanups are also included in this commit.
Nicolas Williams [Mon, 27 Apr 2020 16:07:29 +0000 (11:07 -0500)]
hcrypto: Fix leaks in test_rsa.c
Nicolas Williams [Mon, 27 Apr 2020 03:10:39 +0000 (22:10 -0500)]
hcrypto: Better RSA key generation (ltm)
Nicolas Williams [Sun, 26 Apr 2020 22:25:29 +0000 (17:25 -0500)]
hcrypto: Fix warnings in LTM
Luke Howard [Mon, 27 Apr 2020 12:38:19 +0000 (22:38 +1000)]
doc: update to draft-howard-gss-sanon-13.txt
Luke Howard [Mon, 27 Apr 2020 12:32:59 +0000 (22:32 +1000)]
gss: mask out SAnon req_flags after computing session key
In SAnon, the optional flags sent in the initial context token are input into
the key derivation function. Mask out the flags we wish to ignore after (not
before) calling the key derivation function, as the initiator may not know
which flags we wish to ignore.
Luke Howard [Mon, 27 Apr 2020 08:44:02 +0000 (18:44 +1000)]
gss: fix signedness on is_initiator bitfield
In SAnon:
The is_initiator bitfield must be unsigned to avoid undefined behaviour, as
there is only a single bit defined. Thanks to Nico Williams for explaining
this.
Luke Howard [Mon, 27 Apr 2020 04:52:10 +0000 (14:52 +1000)]
gss: update SAnon for draft-howard-gss-sanon-13
draft-howard-gss-sanon-13 will move extended (RFC4757) flags from the NegoEx
metadata to an optional component of the initial context token
Luke Howard [Mon, 27 Apr 2020 05:10:29 +0000 (15:10 +1000)]
gss: don't use mechglue private header in SPNEGO
Unbreak last commit, including mech_locl.h in SPNEGO appears to break Windows
builds
Luke Howard [Mon, 27 Apr 2020 04:38:33 +0000 (14:38 +1000)]
gss: initialize output parameters in NegoEx
NegoEx failed to initialize output parameters in _gss_negoex_{init,accept}
which could lead it to crash if the underlying mechanism returned an error.
Luke Howard [Mon, 27 Apr 2020 01:15:49 +0000 (11:15 +1000)]
gss: initialize *minor in _gss_sanon_inquire_cred()
Nicolas Williams [Sun, 26 Apr 2020 05:53:29 +0000 (00:53 -0500)]
sanon: Fix flags and ctx export/import confusion
We were passing SANON flags to _gss_mg_import_rfc4121_context(), which
wants GSS flags. Meanwhile, I broke gss_inquire_context() on imported
SAnon contexts when I did my review of SAnon.
This commit fixes both issues and removes SANON_FLAG_*, which were only
ever needed because of a flag to track whether a context was locally
initiated or accepted. Now we use a separate int field of the sanon_ctx
to track whether a context was locally initiated. Once an SAnon context
is fully established, we rely on gss_inquire_context() on the rfc4121
sub-context for all metadata that isn't the initiator and acceptor names
nor the mechanism OID.
Nicolas Williams [Sun, 26 Apr 2020 05:59:08 +0000 (00:59 -0500)]
krb5: Fix warning in krb5_get_error_string()
Nicolas Williams [Sun, 26 Apr 2020 04:16:40 +0000 (23:16 -0500)]
krb5: Fix display_status() incorrect major status
Luke Howard [Mon, 30 Dec 2019 10:07:04 +0000 (21:07 +1100)]
gss: SAnon - the Simple Anonymous GSS-API mechanism
Add support for SAnon, a simple key agreement protocol that provides no
authentication of initiator or acceptor using x25519 ECDH key exchange.
See doc/standardization/draft-howard-gss-sanon-xx.txt for a protocol
description.
Luke Howard [Mon, 30 Dec 2019 10:07:04 +0000 (21:07 +1100)]
hcrypto: Add X25519
The X25519 implementation comes from libsodium. Explicit copyright
notices have been added to each file as well as some portability changes
(e.g. align.h).
Nicolas Williams [Sat, 25 Apr 2020 22:19:25 +0000 (17:19 -0500)]
gss: Fix some test leaks
Nicolas Williams [Sat, 25 Apr 2020 00:04:50 +0000 (19:04 -0500)]
spnego: Also use mechglue names
Nicolas Williams [Sat, 25 Apr 2020 00:05:07 +0000 (19:05 -0500)]
Revert "travis: Use ccache to speed up builds"
This reverts commit
37dee9bbc3cefdbe772ef68881f54ac743fd8715, which did
not help speed up Travis-CI builds.
Nicolas Williams [Fri, 24 Apr 2020 22:38:02 +0000 (17:38 -0500)]
travis: Use ccache to speed up builds
Nicolas Williams [Fri, 24 Apr 2020 02:47:28 +0000 (21:47 -0500)]
travis: Show valgrind output in log
This might cause logs to get large. We might need to post the logs to
some URI.
Nicolas Williams [Fri, 24 Apr 2020 01:54:50 +0000 (20:54 -0500)]
travis: Allow CI config to make check-valgrind
Setting MAKE_CHECK_SUFFIX=-valgrind in the environment will cause Travis
to make check-valgrind.
Nicolas Williams [Fri, 24 Apr 2020 01:45:02 +0000 (20:45 -0500)]
kadmin: fix leak
Nicolas Williams [Fri, 24 Apr 2020 01:44:32 +0000 (20:44 -0500)]
roken: fix valgrind leak noise
Nicolas Williams [Thu, 23 Apr 2020 23:31:14 +0000 (18:31 -0500)]
hx509: Fix hx509_context_free() leak
Nicolas Williams [Thu, 23 Apr 2020 19:30:42 +0000 (14:30 -0500)]
Move error functions from krb5 to base
Nicolas Williams [Thu, 23 Apr 2020 18:26:25 +0000 (13:26 -0500)]
Move lib/krb5/error_string.c to lib/base/
This commit contains only renames.
Nicolas Williams [Tue, 3 Mar 2020 21:24:46 +0000 (15:24 -0600)]
Move KDC audit functionality to lib/base/
Nicolas Williams [Tue, 3 Mar 2020 04:33:07 +0000 (22:33 -0600)]
hx509: Add hx509.conf support
Just like krb5.conf, but hx509.conf, with all the same default locations
on Windows, OS X, and elsewhere, and HX509_CONFIG as the environment
variable equivalent of KRB5_CONFIG.
Nicolas Williams [Tue, 3 Mar 2020 04:26:17 +0000 (22:26 -0600)]
Move more config file code from krb5 to base
Nicolas Williams [Tue, 3 Mar 2020 21:28:54 +0000 (15:28 -0600)]
com_err: make error_table_name() thread-safe
Luke Howard [Tue, 21 Apr 2020 23:35:14 +0000 (09:35 +1000)]
gss: pass mechanism error tokens through SPNEGO
Fix for issue #486 based on a patch by Nico Williams.
A GSS-API acceptor can return an error token to be sent to the initiator. Our
SPNEGO implementation discarded these when sending a SPNEGO reject response.
This patch fixes the SPNEGO acceptor to convey those in the SPNEGO response.
The SPNEGO initiator is also updated to not bail out early on receiving a
SPNEGO reject response from the acceptor, but instead pass the response token
(if any) to gss_init_sec_context(). A reject response with no response token
will continue to return an error.
Luke Howard [Sun, 12 Apr 2020 10:39:16 +0000 (20:39 +1000)]
hcrypto: trim number of trials in prime number generation
Reduce the number of trials when generating RSA keys by calling
mp_prime_rabin_miller_trials() with the number of desired bits.
See libtom/libtommath#482.
Luke Howard [Sun, 12 Apr 2020 08:38:00 +0000 (18:38 +1000)]
hcrypto: make libtommath v1.2.0 work with Heimdal
Luke Howard [Sun, 12 Apr 2020 08:37:13 +0000 (18:37 +1000)]
hcrypto: import libtommath v1.2.0
Nicolas Williams [Wed, 22 Apr 2020 00:51:55 +0000 (19:51 -0500)]
Properly implement neg_mechs & GM_USE_MG_CRED (fix)
Nicolas Williams [Wed, 22 Apr 2020 00:51:16 +0000 (19:51 -0500)]
Better support for "non-standard" GSS mechs (fix)
Luke Howard [Sun, 19 Apr 2020 23:29:22 +0000 (09:29 +1000)]
gss: remove gss_release_cred_by_mech()
gss_release_cred_by_mech() was previously used by SPNEGO's implementation of
gss_set_neg_mechs(). This is now implemented in the mechanism glue. As we never
shipped gss_release_cred_by_mech(), it is safe to remove it and its exported
symbol.
Nicolas Williams [Sun, 19 Apr 2020 03:15:00 +0000 (22:15 -0500)]
Properly implement neg_mechs & GM_USE_MG_CRED
SPNEGO was already using union creds. Now make the mechglue know about
it, delete all of the cred-related SPNEGO stubs that are now not called
(lib/gssapi/spnego/cred_stubs.c), and implement gss_get/set_neg_mechs()
by storing the OID set in the union cred.
This commit was essentially authored as much if not more by Luke Howard
<lukeh at padl.com> as by the listed author.
Luke Howard [Tue, 21 Apr 2020 04:54:18 +0000 (14:54 +1000)]
gss: intern OID before adding to OID set
gss_add_oid_set_member() should according to RFC2744 add a copy of the OID to
the set; the current implementation just stored a pointer (which may not be
stable). As we have _gss_intern_oid(), call that before adding.
Nicolas Williams [Sun, 19 Apr 2020 02:32:45 +0000 (21:32 -0500)]
Add gss_duplicate_oid_set()
Nicolas Williams [Fri, 17 Apr 2020 03:53:22 +0000 (22:53 -0500)]
Better support for "non-standard" GSS mechs
If an initial security context token doesn't have a standard header per
RFC2743 then try all mechanisms until one succeeds or all fail.
We still try to guess NTLMSSP, raw Kerberos, and SPNEGO, from tasting
the initial security context token.
Luke Howard [Fri, 17 Apr 2020 01:11:43 +0000 (11:11 +1000)]
gss: fix gss_decapsulate_token() return codes
gss_decapsulate_token() should return GSS_S_BAD_MECH if the mechanism did not
match the expected one, and GSS_S_DEFECTIVE_TOKEN if the token could not be
parsed for some other reason, rather than GSS_S_FAILURE in both cases
Luke Howard [Tue, 14 Apr 2020 02:36:09 +0000 (12:36 +1000)]
gss: GSS_KRB5_IMPORT_RFC4121_CONTEXT_X / _gss_mg_import_rfc4121_context()
Add a new private interface (accessed through _gss_mg_import_rfc4121_context())
through which a skeletal krb5 mechanism context can be created, suitable for
RFC4121 message protection and PRF services.
Luke Howard [Thu, 16 Apr 2020 07:20:43 +0000 (07:20 +0000)]
gss: honor allocated_ctx in gss_{exchange,query}_meta_data
The NegoEx gss_{exchange,query}_meta_data functions set allocated_ctx but never
did anything with it. Use it to determine whether we should free the context
handle on error.
Luke Howard [Thu, 16 Apr 2020 07:19:35 +0000 (07:19 +0000)]
gss: free user keytab before resolving system keytab
get_client_keytab() leaked the user keytab if it resolved but we could not find
the client principal. Free it before trying the system keytab.
Luke Howard [Thu, 16 Apr 2020 07:13:16 +0000 (07:13 +0000)]
gss: don't leak client_cred in test_context
Don't leak client credential handle in test_context.
Luke Howard [Tue, 14 Apr 2020 02:34:44 +0000 (12:34 +1000)]
gss: allow source/target to be null on export/import
Allow the source and target names to be NULL when exporting or importing a
security context for the krb5 mechanism. This will be used in the future to
support skeletal contexts that only provide RFC4121 message protection
services.
Luke Howard [Thu, 16 Apr 2020 00:44:04 +0000 (10:44 +1000)]
gss: fix typo regression in setting minor_status
_gss_secure_release_buffer_set() patch changed minor_status to 0, not
*minor_status as correct. No behavioural change as
_gss_secure_release_buffer_set() would have set it anyway, but obviously this
was unintentional.
Nicolas Williams [Wed, 15 Apr 2020 23:48:26 +0000 (18:48 -0500)]
Improve coverage script a bit
Luke Howard [Wed, 15 Apr 2020 06:20:06 +0000 (16:20 +1000)]
gss: use _gss_secure_release_buffer_[set]
Use new helper APIs for securely zeroing and releasing buffers and buffer sets.
Luke Howard [Wed, 15 Apr 2020 06:11:42 +0000 (16:11 +1000)]
gss: add _gss_secure_release_buffer_set()
Add _gss_secure_release_buffer_set() helper function for zeroing buffer set
contents before release.
Luke Howard [Wed, 15 Apr 2020 05:59:01 +0000 (15:59 +1000)]
gss: add _gss_secure_release_buffer()
Add _gss_secure_release_buffer() helper function that zeros buffer
Luke Howard [Tue, 14 Apr 2020 02:37:56 +0000 (12:37 +1000)]
krb5: allow NULL authenticator in krb5_auth_con_free()
When freeing an auth context, allow the authenticator to be NULL. Useful for
freeing partially allocated authentication context.
Nicolas Williams [Wed, 15 Apr 2020 01:48:19 +0000 (20:48 -0500)]
Fix Coveralls badge to master branch
Nicolas Williams [Wed, 15 Apr 2020 00:23:39 +0000 (19:23 -0500)]
Recover coverage data on more files
Luke Howard [Tue, 14 Apr 2020 22:58:27 +0000 (08:58 +1000)]
krb5: always zero elastic storage
Elastic storage (returned from krb5_storage_emem()) often contains secret keys.
Ensure memory is zeroed on free using memset_s() rather than memset().
Nicolas Williams [Tue, 14 Apr 2020 22:03:05 +0000 (17:03 -0500)]
Add Coveralls badge to README.md
Nicolas Williams [Tue, 14 Apr 2020 10:04:00 +0000 (05:04 -0500)]
Send coverage data from Travis to Coveralls
Luke Howard [Tue, 14 Apr 2020 10:21:09 +0000 (20:21 +1000)]
krb5: use memset_s() in krb5_free_keyblock_contents()
krb5_free_keyblock_contents() should use memset_s() to ensure that the key is
zero'd before freeing
Luke Howard [Tue, 14 Apr 2020 10:02:59 +0000 (20:02 +1000)]
gss: check for replays in test_context
Add GSS_C_REPLAY_FLAG to the default set of flags in test_context.
Luke Howard [Tue, 14 Apr 2020 07:27:55 +0000 (17:27 +1000)]
gss: don't use heim_assert() in test_context
Use errx() rather than heim_assert() in test_context
Luke Howard [Tue, 14 Apr 2020 04:46:32 +0000 (14:46 +1000)]
gss: make gss_compare_name comply with RFC2743
Anonymous names should always compare FALSE in GSS_Compare_name(). If the names
are being compared at the mechglue layer then we should check for
GSS_C_NT_ANONYMOUS.
Luke Howard [Tue, 14 Apr 2020 02:33:25 +0000 (12:33 +1000)]
gss: add tests for importing and exporting contexts
Add the --export-import-context flag to test_context, for validating that
security contexts round-trip through GSS_Export_sec_context() and
GSS_Import_sec_context().
Luke Howard [Tue, 14 Apr 2020 02:36:55 +0000 (12:36 +1000)]
gss: allow gss_set_sec_context_option() to allocate a context
The prototype for gss_set_sec_context_option() allows it to return a new
context, however this was not implemented. This functionality is required by
GSS_KRB5_IMPORT_RFC4121_CONTEXT_X.
Luke Howard [Mon, 13 Apr 2020 10:53:35 +0000 (20:53 +1000)]
gss: add support for gss_duplicate_cred() in SPNEGO
The SPNEGO dispatch table does not include gss_duplicate_cred(). It can call
directly into the mechglue because a SPNEGO credential is a mechglue
credential.
Luke Howard [Mon, 13 Apr 2020 10:51:44 +0000 (20:51 +1000)]
gss: remove superfluous SPNEGO cred wrappers
SPNEGO credentials are mechglue credentials. SPNEGO credential wrapper
functions can be replaced with direct calls into the mechglue, unless a
specific check is required to avoid infinite recursion (as is the case where
the mechglue enumerates all mechanisms when passed a null credential handle).
Luke Howard [Mon, 13 Apr 2020 03:53:44 +0000 (13:53 +1000)]
gss: fix test_acquire_cred usage description
Luke Howard [Thu, 9 Apr 2020 12:51:30 +0000 (22:51 +1000)]
gss: fix downlevel Windows interop regression
The recent changes to SPNEGO removed support for GSS_C_PEER_HAS_UPDATED_SPNEGO,
through which the Kerberos mechanism could indicate to SPNEGO that the peer did
not suffer from SPNEGO conformance bugs present in some versions of Windows.*
This patch restores this workaround, documented in [MS-SPNG] Appendix A <7>
Section 3.1.5.1. Whilst improving interoperability with these admittedly now
unsupported versions of Windows, it does introduce a risk that Kerberos with
pre-AES ciphers could be negotiated in lieu of a stronger and more preferred
mechanism.
Note: this patch inverts the mechanism interface from
GSS_C_PEER_HAS_UPDATED_SPNEGO to GSS_C_INQ_PEER_HAS_BUGGY_SPNEGO, so that new
mechanisms (which did not ship with these older versions of Windows) are not
required to implement it.
* Windows 2000, Windows 2003, and Windows XP
Luke Howard [Sun, 12 Apr 2020 23:42:29 +0000 (09:42 +1000)]
gss: remove GSS_C_MA_AUTH_INIT_ANON from krb5 mech
Pending integration of #551, the krb5 mechanism does not support
GSS_C_ANON_FLAG. Remove the GSS_C_MA_AUTH_INIT_ANON mechanism attribute until
such time it does.
Luke Howard [Tue, 7 Apr 2020 02:39:43 +0000 (12:39 +1000)]
gss: order SPNEGO proposed mechs by req_flags
Sort the list of mechanisms proposed by the initiator so that mechanisms are
preferred by their advertised support for GSS flags. For example, if
GSS_C_MUTUAL_FLAG is requested, a mechanism that offers GSS_C_MA_AUTH_TARG will
be preferred over one that doesn't. The flag/mechanism attribute combinations
are also assigned a weight (mutual trumps anonymous, for example).
Luke Howard [Tue, 7 Apr 2020 03:49:27 +0000 (13:49 +1000)]
roken: add mergesort_r()
Add mergesort_r() as a stable sort function that can be used by other
components of Heimdal. Note that there is no standardized prototype for this
function, however it appears that both FreeBSD and glibc would adopt the glibc
convention (where the private data argument appears last). See:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214248
Luke Howard [Sat, 11 Apr 2020 00:04:43 +0000 (10:04 +1000)]
gss: __gss_c_attr_stream_sizes_oid_desc declspec
__gss_c_attr_stream_sizes_oid_desc was tagged with GSSAPI_LIB_FUNCTION instead
of GSSAPI_LIB_VARIABLE; whilst the macro expansion is identical, fix for
cleanliness
Luke Howard [Sat, 11 Apr 2020 00:02:09 +0000 (10:02 +1000)]
gss: fix copy/paste error in gss_destroy_cred()
gss_destroy_cred() was missing a calling convention, instead had the import
declaration twice
Nicolas Williams [Wed, 18 Mar 2020 18:37:13 +0000 (13:37 -0500)]
Expand tokens in gss cred store "ccache" value
This is needed so that sshd and such can make practical use of the
"ccache" key in GSS cred stores.
This commit only changes the store path, not the acquisition path.
Nicolas Williams [Wed, 18 Mar 2020 05:43:01 +0000 (00:43 -0500)]
List FILE collection even when KRB5CCNAME is a sub
Setting KRB5CCNAME=/tmp/krb5cc_${UID}+${princ} should not prevent
listing the FILE collection.
Nicolas Williams [Wed, 18 Mar 2020 00:46:37 +0000 (19:46 -0500)]
hcrypto: Fix Makefile build race