Luke Howard [Wed, 30 Mar 2011 08:11:53 +0000 (19:11 +1100)]
negative SASL errors are fatal
Luke Howard [Tue, 22 Mar 2011 01:44:38 +0000 (12:44 +1100)]
use draft-josefsson-gss-capsulate-01 if present
Luke Howard [Thu, 17 Mar 2011 23:12:56 +0000 (10:12 +1100)]
Revert "If we don't have a realm, use server FQDN; only portable thing we can do"
This reverts commit 9da0e79067688db69a6ea1437de2780af4fa80b7.
Luke Howard [Thu, 17 Mar 2011 23:12:53 +0000 (10:12 +1100)]
Luke Howard [Thu, 17 Mar 2011 15:40:31 +0000 (02:40 +1100)]
Luke Howard [Thu, 17 Mar 2011 15:31:00 +0000 (02:31 +1100)]
If we don't have a realm, use server FQDN; only portable thing we can do
Luke Howard [Wed, 16 Mar 2011 07:30:05 +0000 (18:30 +1100)]
don't crash if client provides NULL authid
Luke Howard [Wed, 16 Mar 2011 07:22:50 +0000 (18:22 +1100)]
autoconf
Luke Howard [Wed, 16 Mar 2011 07:14:31 +0000 (18:14 +1100)]
check for gssapi_ext.h
Luke Howard [Wed, 16 Mar 2011 07:14:01 +0000 (18:14 +1100)]
Don't favour default GSS credentials over application provided identity
Luke Howard [Thu, 20 Jan 2011 02:58:26 +0000 (13:58 +1100)]
Remove Sleepycat license from README.GS2
Luke Howard [Thu, 20 Jan 2011 02:55:17 +0000 (13:55 +1100)]
Fixed handling of channel bindings on the client side
The client side was failing to select a suitable SASL mechanism when
the application specified channel bindings, but didn't make them mandatory
to use. In such a configuration, if a non channel binding capable mechanism
was selected through "client_mech_list" SASL option, sasl_client_start
would fail. For example if the server supports both SCRAM-SHA-1[-PLUS] and
PLAIN and "client_mech_list" was set to "PLAIN", authentication would never
work. This patch fixes the problem.
The patch also cleans up the best SASL mechanism selection code to
prefer better channel bindings over SASL security layer.
Test-information:
Compiled and tested on Windows with msadm expire_mail and imapd.
Signed-off-by: Dave Cridland <dave.cridland@isode.com>
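The selection rule the commit message above describes (a client that supplies channel bindings but does not require them must still be able to pick a non-CB mechanism such as PLAIN, and a CB-capable mechanism should outrank one that merely offers a security layer) is easy to get wrong, so here is a small added example of that logic. It is not Cyrus SASL code: the `cb_disposition_t` names, the `mech_info_t` table and the scoring weights are this example's own assumptions, and the mechanism capabilities are a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Channel binding disposition, modelled on the idea of the
 * "make channel binding disposition an enum" commit. The names
 * are this example's own, not Cyrus SASL's sasl_cbinding_disp_t. */
typedef enum {
    CB_DISP_NONE = 0,     /* application supplied no channel bindings      */
    CB_DISP_OPTIONAL = 1, /* bindings supplied; use them if the mech can   */
    CB_DISP_REQUIRED = 2  /* bindings supplied and mandatory to use        */
} cb_disposition_t;

/* Constructed per-mechanism capability summary (sample data only). */
typedef struct {
    const char *name;
    int supports_cb;    /* a "-PLUS" style mechanism that binds the channel */
    int security_layer; /* offers a SASL integrity/confidentiality layer    */
    int strength;       /* coarse ordering, higher is stronger              */
} mech_info_t;

static const mech_info_t known_mechs[] = {
    { "SCRAM-SHA-1-PLUS", 1, 0, 3 },
    { "SCRAM-SHA-1",      0, 0, 3 },
    { "DIGEST-MD5",       0, 1, 2 },
    { "PLAIN",            0, 0, 1 },
};

/* Membership test on a space-separated list such as the server's
 * advertised mechanisms or the client_mech_list option. A NULL list
 * means "no restriction". The list is never modified. */
static int list_contains(const char *list, const char *name)
{
    if (list == NULL)
        return 1;
    size_t n = strlen(name);
    while (*list) {
        list += strspn(list, " ");
        size_t len = strcspn(list, " ");
        if (len == 0)
            break;
        if (len == n && strncmp(list, name, n) == 0)
            return 1;
        list += len;
    }
    return 0;
}

/* Pick the best mechanism present in both lists under the given
 * channel binding disposition. Returns NULL if nothing is usable.
 * Scoring: channel binding (when bindings were supplied) beats a
 * security layer, which beats raw mechanism strength. */
const char *select_mech(const char *server_list, const char *client_list,
                        cb_disposition_t disp)
{
    const mech_info_t *best = NULL;
    int best_score = -1;
    for (size_t i = 0; i < sizeof known_mechs / sizeof known_mechs[0]; i++) {
        const mech_info_t *m = &known_mechs[i];
        if (!list_contains(server_list, m->name) ||
            !list_contains(client_list, m->name))
            continue;
        /* Mandatory bindings: only CB-capable mechanisms qualify. */
        if (disp == CB_DISP_REQUIRED && !m->supports_cb)
            continue;
        /* No bindings supplied: a CB mechanism could not be completed. */
        if (disp == CB_DISP_NONE && m->supports_cb)
            continue;
        int score = m->strength;
        if (m->security_layer)
            score += 10;
        if (m->supports_cb && disp != CB_DISP_NONE)
            score += 100;
        if (score > best_score) {
            best_score = score;
            best = m;
        }
    }
    return best ? best->name : NULL;
}

int main(void)
{
    const char *server = "SCRAM-SHA-1-PLUS SCRAM-SHA-1 DIGEST-MD5 PLAIN";
    const char *m = select_mech(server, "PLAIN", CB_DISP_OPTIONAL);
    printf("optional CB, client restricted to PLAIN: %s\n", m ? m : "(none)");
    m = select_mech(server, "PLAIN", CB_DISP_REQUIRED);
    printf("required CB, client restricted to PLAIN: %s\n", m ? m : "(none)");
    m = select_mech(server, NULL, CB_DISP_OPTIONAL);
    printf("optional CB, no client restriction: %s\n", m ? m : "(none)");
    return 0;
}
```

The first call is the failing configuration from the commit message: bindings are present but optional, `client_mech_list` is "PLAIN", and the selection must succeed with PLAIN rather than error out. Only when the disposition is required does the non-CB mechanism get rejected.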
Luke Howard [Mon, 3 Jan 2011 11:46:48 +0000 (22:46 +1100)]
Don't free OID for Heimdal
Luke Howard [Mon, 3 Jan 2011 11:45:47 +0000 (22:45 +1100)]
Treat GSS_C_NO_CRED identically to GSS_C_CRED_UNAVAIL
Luke Howard [Mon, 3 Jan 2011 11:25:23 +0000 (22:25 +1100)]
Heimdal compile fix
Luke Howard [Mon, 3 Jan 2011 11:24:42 +0000 (22:24 +1100)]
Don't include gssapi_ext.h, we don't need it
Luke Howard [Fri, 22 Oct 2010 13:28:46 +0000 (00:28 +1100)]
Renumber CB-specific error codes/flags
Assigned numbers had conflicted with those assigned by maintainer
Luke Howard [Thu, 21 Oct 2010 22:10:33 +0000 (09:10 +1100)]
autoreconf
Luke Howard [Thu, 21 Oct 2010 22:10:22 +0000 (09:10 +1100)]
Remove EAP support from GSSAPI plugin
Luke Howard [Wed, 13 Oct 2010 22:05:04 +0000 (09:05 +1100)]
update for new MIT 1.9
Luke Howard [Tue, 28 Sep 2010 17:00:20 +0000 (19:00 +0200)]
fix comments for sasl_cbinding_disp_t
Luke Howard [Tue, 28 Sep 2010 16:54:04 +0000 (18:54 +0200)]
make channel binding disposition an enum
Luke Howard [Tue, 28 Sep 2010 16:01:39 +0000 (18:01 +0200)]
skip legacy SASL mechanisms if client wants CB
Luke Howard [Tue, 28 Sep 2010 15:31:07 +0000 (17:31 +0200)]
Fix CB support when client selects mechanism explicitly
Luke Howard [Tue, 28 Sep 2010 14:56:45 +0000 (16:56 +0200)]
Include channel bindings if present and the server supports
them or we are not negotiating mechanisms.
Luke Howard [Tue, 28 Sep 2010 10:34:38 +0000 (12:34 +0200)]
cleanup
Luke Howard [Tue, 28 Sep 2010 10:34:00 +0000 (12:34 +0200)]
cleanup
Luke Howard [Tue, 28 Sep 2010 07:55:49 +0000 (09:55 +0200)]
remove incorrect assertion
Luke Howard [Mon, 27 Sep 2010 21:05:25 +0000 (23:05 +0200)]
add some comments
Luke Howard [Mon, 27 Sep 2010 21:04:35 +0000 (23:04 +0200)]
Empty authnid means GSS_C_NO_NAME
Luke Howard [Mon, 27 Sep 2010 20:54:56 +0000 (22:54 +0200)]
do SASL name canon, whatever it does, before GSS name import
Luke Howard [Mon, 27 Sep 2010 20:44:25 +0000 (22:44 +0200)]
note about name canon
Luke Howard [Mon, 27 Sep 2010 20:33:56 +0000 (22:33 +0200)]
more cleanup
Luke Howard [Mon, 27 Sep 2010 20:22:42 +0000 (22:22 +0200)]
more cleanup
Luke Howard [Mon, 27 Sep 2010 20:21:45 +0000 (22:21 +0200)]
cleanup
Luke Howard [Mon, 27 Sep 2010 19:45:00 +0000 (21:45 +0200)]
cleanup
Luke Howard [Mon, 27 Sep 2010 19:37:24 +0000 (21:37 +0200)]
clean up credential selection
Luke Howard [Mon, 27 Sep 2010 18:02:39 +0000 (20:02 +0200)]
Only ask for password if we can't get creds
Luke Howard [Mon, 27 Sep 2010 17:33:23 +0000 (19:33 +0200)]
fix off-by-one in very confusing mech ordering code
Luke Howard [Mon, 27 Sep 2010 16:55:40 +0000 (18:55 +0200)]
don't care about returned mech from GSS accept/init
Luke Howard [Mon, 27 Sep 2010 15:08:58 +0000 (17:08 +0200)]
disable OID check to get IAKERB to work
Luke Howard [Mon, 27 Sep 2010 15:08:45 +0000 (17:08 +0200)]
for mechs that support GSS_C_MA_AUTH_INIT_INIT, use default prompts
Luke Howard [Mon, 27 Sep 2010 14:48:48 +0000 (16:48 +0200)]
add hostname argument to sample server
Luke Howard [Mon, 27 Sep 2010 12:36:26 +0000 (14:36 +0200)]
more tolerant mechlist parsing
Luke Howard [Mon, 27 Sep 2010 12:29:15 +0000 (14:29 +0200)]
again don't release constant OIDs
Luke Howard [Mon, 27 Sep 2010 12:25:21 +0000 (14:25 +0200)]
don't free OID
Luke Howard [Mon, 27 Sep 2010 12:20:12 +0000 (14:20 +0200)]
New SASL_BADBINDING error code; cleanup error handling
Luke Howard [Mon, 27 Sep 2010 12:13:30 +0000 (14:13 +0200)]
cleanup
Luke Howard [Mon, 27 Sep 2010 11:14:14 +0000 (13:14 +0200)]
cleanup
Luke Howard [Mon, 27 Sep 2010 10:59:06 +0000 (12:59 +0200)]
cleanups to minimise merging hassle
Luke Howard [Mon, 27 Sep 2010 10:58:57 +0000 (12:58 +0200)]
add _init files
Luke Howard [Mon, 27 Sep 2010 10:43:10 +0000 (12:43 +0200)]
add .gitignore
Luke Howard [Mon, 27 Sep 2010 10:42:51 +0000 (12:42 +0200)]
Add GS2 plugin
Luke Howard [Mon, 27 Sep 2010 10:42:40 +0000 (12:42 +0200)]
Refactor channel binding code
Luke Howard [Mon, 27 Sep 2010 01:15:52 +0000 (03:15 +0200)]
more work on CB
Luke Howard [Mon, 27 Sep 2010 01:02:45 +0000 (03:02 +0200)]
cleanup
Luke Howard [Mon, 27 Sep 2010 00:59:52 +0000 (02:59 +0200)]
cleanup
Luke Howard [Mon, 27 Sep 2010 00:59:06 +0000 (02:59 +0200)]
reformat
Luke Howard [Mon, 27 Sep 2010 00:57:53 +0000 (02:57 +0200)]
avoid legacy mechs if we require CB
Luke Howard [Mon, 27 Sep 2010 00:48:17 +0000 (02:48 +0200)]
cleanup
Luke Howard [Mon, 27 Sep 2010 00:26:10 +0000 (02:26 +0200)]
complete moving logic to server
Luke Howard [Sun, 26 Sep 2010 23:54:20 +0000 (01:54 +0200)]
move CB validation into libsasl
Luke Howard [Sun, 26 Sep 2010 22:46:41 +0000 (00:46 +0200)]
Add GS2 mech code
Luke Howard [Sun, 26 Sep 2010 22:41:50 +0000 (00:41 +0200)]
move more CB selection logic to libsasl
Luke Howard [Sun, 26 Sep 2010 22:23:39 +0000 (00:23 +0200)]
cleanup
Luke Howard [Sun, 26 Sep 2010 18:02:21 +0000 (20:02 +0200)]
cleanup channel bindings logic
Luke Howard [Sun, 26 Sep 2010 17:40:46 +0000 (19:40 +0200)]
refactor gs2 plus logic a bit
Luke Howard [Sun, 26 Sep 2010 15:34:00 +0000 (17:34 +0200)]
cleanup
Luke Howard [Sun, 26 Sep 2010 15:31:28 +0000 (17:31 +0200)]
cleanup
Luke Howard [Sun, 26 Sep 2010 15:25:43 +0000 (17:25 +0200)]
add readme
Luke Howard [Sun, 26 Sep 2010 15:23:17 +0000 (17:23 +0200)]
don't blow away text->mechanism
Luke Howard [Sun, 26 Sep 2010 15:17:37 +0000 (17:17 +0200)]
check for rfc5587 before building gs2
Luke Howard [Sun, 26 Sep 2010 15:17:23 +0000 (17:17 +0200)]
release mech OID - XXX is this right?
Luke Howard [Sun, 26 Sep 2010 14:22:31 +0000 (16:22 +0200)]
cleanup
Luke Howard [Sun, 26 Sep 2010 14:04:33 +0000 (16:04 +0200)]
cleanup
Luke Howard [Sun, 26 Sep 2010 13:59:31 +0000 (15:59 +0200)]
remove autogenerated foo
Luke Howard [Sun, 26 Sep 2010 13:54:32 +0000 (15:54 +0200)]
autoreconf
Luke Howard [Sun, 26 Sep 2010 13:47:40 +0000 (15:47 +0200)]
reorder
Luke Howard [Sun, 26 Sep 2010 13:46:42 +0000 (15:46 +0200)]
cleanup
Luke Howard [Sun, 26 Sep 2010 11:08:40 +0000 (13:08 +0200)]
namespace cleanup
Luke Howard [Sun, 26 Sep 2010 11:08:19 +0000 (13:08 +0200)]
reorder
Luke Howard [Sun, 26 Sep 2010 11:07:09 +0000 (13:07 +0200)]
fix gs2_save_cbindings off by two error
Luke Howard [Sun, 26 Sep 2010 11:00:18 +0000 (13:00 +0200)]
back out unused header change
Luke Howard [Sun, 26 Sep 2010 10:37:15 +0000 (12:37 +0200)]
return error code in sample to caller
Luke Howard [Sun, 26 Sep 2010 10:33:52 +0000 (12:33 +0200)]
use snprintf
Luke Howard [Sun, 26 Sep 2010 10:25:35 +0000 (12:25 +0200)]
remove cruft
Luke Howard [Sun, 26 Sep 2010 10:10:09 +0000 (12:10 +0200)]
disallow proxying if no GSS channel bindings
Luke Howard [Sun, 26 Sep 2010 09:48:16 +0000 (11:48 +0200)]
don't acquire cred with empty password
Luke Howard [Sun, 26 Sep 2010 09:37:16 +0000 (11:37 +0200)]
add cb test
Luke Howard [Sun, 26 Sep 2010 09:36:58 +0000 (11:36 +0200)]
cleanup, get cb working
Luke Howard [Sun, 26 Sep 2010 09:14:46 +0000 (11:14 +0200)]
fix unescaping nits
Luke Howard [Sun, 26 Sep 2010 09:14:15 +0000 (11:14 +0200)]
remove plugin backreferences, we can do it ourselves
Luke Howard [Sun, 26 Sep 2010 08:59:37 +0000 (10:59 +0200)]
cleanup, escape authizd
Luke Howard [Sun, 26 Sep 2010 00:53:58 +0000 (02:53 +0200)]
hopefully fix CB logic
Luke Howard [Sat, 25 Sep 2010 23:18:06 +0000 (01:18 +0200)]
gs2_is_plus_mech() for checking CB mech
Luke Howard [Sat, 25 Sep 2010 23:10:57 +0000 (01:10 +0200)]
use gss_indicate_mechs_by_attrs to select mechs
Luke Howard [Sat, 25 Sep 2010 22:40:27 +0000 (00:40 +0200)]
cleanup, put backreference to SASL plug in library
Luke Howard [Sat, 25 Sep 2010 22:17:49 +0000 (00:17 +0200)]
some work on channel bindings, prob still wrong
Luke Howard [Sat, 25 Sep 2010 21:35:58 +0000 (23:35 +0200)]
don't include non-std hdr flag in cbindings
Luke Howard [Sat, 25 Sep 2010 21:28:16 +0000 (23:28 +0200)]
if mech supports mutual auth, assert it