Luke Howard [Sat, 26 Mar 2011 15:16:40 +0000 (02:16 +1100)]
in progress: use DDF to serialise names
get DDF marshalling working
remove debugging statement
Luke Howard [Sun, 27 Mar 2011 22:47:48 +0000 (09:47 +1100)]
make attribute prefix a class method
Luke Howard [Sun, 27 Mar 2011 01:52:43 +0000 (12:52 +1100)]
check provider is enabled before non-marshalled initialization
Luke Howard [Sat, 26 Mar 2011 15:17:39 +0000 (02:17 +1100)]
fix missing return statement in importing attributes
Luke Howard [Sat, 26 Mar 2011 03:53:57 +0000 (14:53 +1100)]
cleanup, fix uninitialized variable warning
Luke Howard [Sat, 26 Mar 2011 03:27:51 +0000 (14:27 +1100)]
comments on attribute context import
Luke Howard [Sat, 26 Mar 2011 03:19:07 +0000 (14:19 +1100)]
Include locally resolved attributes in composite name token
Luke Howard [Sat, 26 Mar 2011 00:01:07 +0000 (11:01 +1100)]
don't use C++ comments
Scott Cantor [Fri, 25 Mar 2011 13:50:38 +0000 (14:50 +0100)]
Stop setting appID to the acceptor name, adjust handling of resolver object.
Scott Cantor [Fri, 25 Mar 2011 14:06:14 +0000 (15:06 +0100)]
Use serialized values out of resolver instead of raw string values.
Luke Howard [Fri, 25 Mar 2011 12:32:15 +0000 (23:32 +1100)]
Merge branch 'master' of ssh://moonshot.suchdamage.org:822/srv/git/moonshot
Luke Howard [Fri, 25 Mar 2011 12:31:20 +0000 (23:31 +1100)]
Treat missing attribute name format as UNSPECIFIED
Patch from Scott Cantor
Luke Howard [Mon, 21 Mar 2011 13:17:53 +0000 (00:17 +1100)]
update for latest libradsec
Luke Howard [Mon, 21 Mar 2011 09:15:47 +0000 (20:15 +1100)]
trigger build by updating git
Luke Howard [Mon, 21 Mar 2011 07:15:51 +0000 (18:15 +1100)]
Heimdal cannot deal with a NULL realm, so make it a zero-length string
Luke Howard [Mon, 21 Mar 2011 06:33:47 +0000 (17:33 +1100)]
fix pointer alias warning surfaced on FreeBSD
Luke Howard [Sun, 20 Mar 2011 10:05:28 +0000 (21:05 +1100)]
define gss_any_t for Heimdal, because it doesn't support it
Luke Howard [Sat, 19 Mar 2011 14:31:31 +0000 (01:31 +1100)]
release defaultIdentity/defaultCreds on error
Luke Howard [Fri, 18 Mar 2011 13:33:54 +0000 (00:33 +1100)]
correct pointer error in gsseap_set_cred_flag example
Luke Howard [Fri, 18 Mar 2011 13:20:42 +0000 (00:20 +1100)]
fix regression where stored creds would be required
Luke Howard [Fri, 18 Mar 2011 13:13:18 +0000 (00:13 +1100)]
Use stored identity if cached identity matches
Luke Howard [Fri, 18 Mar 2011 12:59:24 +0000 (23:59 +1100)]
don't leak defaultCreds
Luke Howard [Fri, 18 Mar 2011 12:46:31 +0000 (23:46 +1100)]
Support for reading default identity/creds from file
Heads up: it's now possible to store your default identity and
credentials in a file in your home directory, called .gss_eap_id.
See README for details. It's also valid to just store the identity
in this file without credentials.
Luke Howard [Fri, 18 Mar 2011 11:12:52 +0000 (22:12 +1100)]
unbreak Heimdal build
Luke Howard [Fri, 18 Mar 2011 06:57:18 +0000 (17:57 +1100)]
don't append "@" to login name for default identity
Luke Howard [Fri, 18 Mar 2011 06:44:50 +0000 (17:44 +1100)]
better documentation on default realm
Luke Howard [Fri, 18 Mar 2011 06:42:11 +0000 (17:42 +1100)]
derive anonymous identity directly from realm
this avoids any escaping errors
Luke Howard [Fri, 18 Mar 2011 06:16:04 +0000 (17:16 +1100)]
Name parse fixes
Distinguish between NT_EAP_NAME and NT_USER_NAME; latter will append
default EAP realm if present, former won't. Neither will append default
Kerberos realm.
Ensure that exported names conform to draft-ietf-abfab-gss-eap-01 by
not including realm component if absent.
Conflicts:
mech_eap/util_name.c
Luke Howard [Fri, 18 Mar 2011 05:36:26 +0000 (16:36 +1100)]
Don't include @ symbol in realmless names, to conform with draft-ietf-abfab-gss-eap
Luke Howard [Fri, 18 Mar 2011 06:13:37 +0000 (17:13 +1100)]
Revert "Don't include @ symbol in realmless names, to conform with draft-ietf-abfab-gss-eap"
This reverts commit
6334d087058e30c9fb8686fd307b9c84323f2a4d.
Luke Howard [Fri, 18 Mar 2011 06:09:21 +0000 (17:09 +1100)]
don't fail reauth if there is any keytab error
Luke Howard [Fri, 18 Mar 2011 05:36:26 +0000 (16:36 +1100)]
Don't include @ symbol in realmless names, to conform with draft-ietf-abfab-gss-eap
Luke Howard [Fri, 18 Mar 2011 05:18:24 +0000 (16:18 +1100)]
cleanup previous commit
Luke Howard [Fri, 18 Mar 2011 05:16:20 +0000 (16:16 +1100)]
Go to great lengths to avoid accidentally appending the default Kerberos realm
Luke Howard [Fri, 18 Mar 2011 00:00:01 +0000 (11:00 +1100)]
don't use krb5_sname_to_principal
Luke Howard [Thu, 17 Mar 2011 23:53:49 +0000 (10:53 +1100)]
support import of GSS_KRB5_NT_PRINCIPAL_NAME
Luke Howard [Thu, 17 Mar 2011 23:53:36 +0000 (10:53 +1100)]
make inputs to gssEapImportName const
Luke Howard [Thu, 17 Mar 2011 23:49:06 +0000 (10:49 +1100)]
s/GSS_EAP_NT_PRINCIPAL_NAME/GSS_EAP_NT_EAP_NAME
Luke Howard [Thu, 17 Mar 2011 23:33:38 +0000 (10:33 +1100)]
document default_realm appdefault
Luke Howard [Thu, 17 Mar 2011 22:56:32 +0000 (09:56 +1100)]
For now, configure default realm using eap_gss appdefault
Luke Howard [Thu, 17 Mar 2011 15:50:45 +0000 (02:50 +1100)]
for now, allow default GSS EAP realm to be set
with GSSEAP_DEFAULT_REALM environment variable
Luke Howard [Thu, 17 Mar 2011 14:40:21 +0000 (01:40 +1100)]
require a realm in EAP names; don't add default Kerberos realm
Luke Howard [Thu, 17 Mar 2011 14:20:04 +0000 (01:20 +1100)]
stub implementation of gss_userok SPI
The MIT mechglue will fall back to comparing names in the absence
of a mechanism implementation of gss_userok. To avoid this and
force the mechglue to use attribute-based authorization, always
return access denied in gss_userok.
Luke Howard [Thu, 17 Mar 2011 10:34:22 +0000 (21:34 +1100)]
implement gss_inquire_mechs_for_name properly, although mechglue does
not appear to use it
Luke Howard [Thu, 17 Mar 2011 01:39:30 +0000 (12:39 +1100)]
clarify use of enctype-less OID
Luke Howard [Wed, 16 Mar 2011 14:29:59 +0000 (01:29 +1100)]
cleanup gssEapCanonicalizeOid, remove testing assert
Luke Howard [Wed, 16 Mar 2011 07:13:16 +0000 (18:13 +1100)]
don't enable GSSEAP_CREDS hack unless using default identity
Luke Howard [Wed, 16 Mar 2011 04:39:12 +0000 (15:39 +1100)]
call gssEapCanonicalizeOid; gssEapInternalizeOid is no longer public
Luke Howard [Wed, 16 Mar 2011 04:14:52 +0000 (15:14 +1100)]
refactor OID interning code
Luke Howard [Tue, 15 Mar 2011 08:48:40 +0000 (19:48 +1100)]
Fix for OpenSSH interoperability
OpenSSH requires the exported name token to include the actual OID
of the selected mechanism. We were using an OID that identified a
family of GSS EAP mechanisms. We now use the concrete OID where
possible.
Luke Howard [Wed, 16 Mar 2011 04:19:09 +0000 (15:19 +1100)]
Revert "Fix for OpenSSH interoperability"
This reverts commit
3dcac77927965ec56eb76d865b44a8b2bee4594b.
Luke Howard [Wed, 16 Mar 2011 04:18:32 +0000 (15:18 +1100)]
Fix for OpenSSH interoperability
OpenSSH requires the exported name token to include the actual OID
of the selected mechanism. We were using an OID that identified a
family of GSS EAP mechanisms. We now use the concrete OID where
possible.
Conflicts:
mech_eap/util_name.c
Luke Howard [Tue, 15 Mar 2011 14:06:57 +0000 (01:06 +1100)]
Add -Werror to CFLAGS
Luke Howard [Tue, 15 Mar 2011 07:56:27 +0000 (18:56 +1100)]
add a testing path for setting initiator credentials
requires GSSEAP_DEBUG to be defined; set environment variable
GSSEAP_CREDS to password
Luke Howard [Tue, 15 Mar 2011 08:55:08 +0000 (19:55 +1100)]
correct buffer length check when importing name
Luke Howard [Tue, 15 Mar 2011 08:25:49 +0000 (19:25 +1100)]
pass glue context to defrostAttrContext
Luke Howard [Tue, 15 Mar 2011 06:17:49 +0000 (17:17 +1100)]
Define AC_GNU_SOURCE to avoid Linux compile warnings
Luke Howard [Tue, 15 Mar 2011 06:14:49 +0000 (17:14 +1100)]
plug leak in previous commit
Luke Howard [Tue, 15 Mar 2011 06:12:14 +0000 (17:12 +1100)]
Ensure credentials are initialized before calling initBegin()
Luke Howard [Tue, 15 Mar 2011 03:04:21 +0000 (14:04 +1100)]
include stdarg.h for vasprintf
Luke Howard [Tue, 15 Mar 2011 03:00:54 +0000 (14:00 +1100)]
fix unused parameter warning when building without reauth
Luke Howard [Tue, 15 Mar 2011 02:05:32 +0000 (13:05 +1100)]
Don't specify -g -O in Makefile.am, configure does it for us
Luke Howard [Tue, 15 Mar 2011 02:00:26 +0000 (13:00 +1100)]
Merge branch 'tlv'
Luke Howard [Tue, 15 Mar 2011 01:57:57 +0000 (12:57 +1100)]
cleanup unused parameter warnings
Luke Howard [Tue, 15 Mar 2011 01:19:11 +0000 (12:19 +1100)]
Merge branch 'master' into tlv
Conflicts:
mech_eap/README
mech_eap/accept_sec_context.c
Luke Howard [Tue, 15 Mar 2011 01:14:04 +0000 (12:14 +1100)]
remove -fno-strict-aliasing and -Wunused-parameter
Luke Howard [Sun, 13 Mar 2011 22:46:16 +0000 (09:46 +1100)]
don't leak RADIUS response packet
Luke Howard [Sat, 12 Mar 2011 07:58:34 +0000 (18:58 +1100)]
remove trailing space
Luke Howard [Sat, 12 Mar 2011 03:50:46 +0000 (14:50 +1100)]
HEADS UP: move dictionary file to $prefix/etc/raddb/dictionary
instead of $prefix/share/freeradius/dictionary on advice from
Alan DeKok
Luke Howard [Sat, 12 Mar 2011 07:46:13 +0000 (18:46 +1100)]
don't free RADIUS context before packet
Luke Howard [Sat, 12 Mar 2011 04:59:44 +0000 (15:59 +1100)]
Don't promote bindings unwrap failure to GSS_S_BAD_BINDINGS
Luke Howard [Sat, 12 Mar 2011 04:19:25 +0000 (15:19 +1100)]
Merge branch 'master' into tlv
Luke Howard [Sat, 12 Mar 2011 04:18:50 +0000 (15:18 +1100)]
Luke Howard [Sat, 12 Mar 2011 03:44:35 +0000 (14:44 +1100)]
Cleanup builds without reauth
Sam Hartman [Fri, 11 Mar 2011 19:53:22 +0000 (14:53 -0500)]
util_radius: RADIUS only permits 253 octets
There is an off-by-one error because MAX_STR_LEN from freeradius has a pad byte.
Only store 253 bytes of AVP at a time.
Sam Hartman [Fri, 11 Mar 2011 02:35:49 +0000 (21:35 -0500)]
Fix macro errors in tlv
util.h: state cannot be a macro argument and a referenced structure member
init_sec_context.c: do not reference Kerberos context if reauth not enabled
Luke Howard [Thu, 10 Mar 2011 06:34:04 +0000 (17:34 +1100)]
fallback to paircreate() if dictionary lookup fails
Luke Howard [Thu, 10 Mar 2011 06:23:59 +0000 (17:23 +1100)]
remove stuff about RADIUS attribute release, it's wrong
Luke Howard [Thu, 10 Mar 2011 05:01:02 +0000 (16:01 +1100)]
use directional GSS token types
Luke Howard [Thu, 10 Mar 2011 02:07:46 +0000 (13:07 +1100)]
more notes in README
Luke Howard [Thu, 10 Mar 2011 01:36:36 +0000 (12:36 +1100)]
future-proof: allow multiple round trip Kerberos exchanges at acceptor
Luke Howard [Wed, 9 Mar 2011 15:46:02 +0000 (02:46 +1100)]
remove SM_FLAG_RESTART
Luke Howard [Wed, 9 Mar 2011 14:32:25 +0000 (01:32 +1100)]
remove SM_FLAG_STOP_EVAL, unused
Luke Howard [Wed, 9 Mar 2011 14:30:37 +0000 (01:30 +1100)]
formatting cleanup
Luke Howard [Wed, 9 Mar 2011 14:30:09 +0000 (01:30 +1100)]
add an extra assert
Luke Howard [Wed, 9 Mar 2011 14:27:48 +0000 (01:27 +1100)]
if reauth token marked critical, don't allow EAP fallback
Luke Howard [Wed, 9 Mar 2011 14:24:32 +0000 (01:24 +1100)]
update README
Luke Howard [Wed, 9 Mar 2011 14:22:09 +0000 (01:22 +1100)]
add some more assertion checks
Luke Howard [Wed, 9 Mar 2011 14:12:25 +0000 (01:12 +1100)]
delegate output token criticality to handler
Luke Howard [Wed, 9 Mar 2011 13:53:53 +0000 (00:53 +1100)]
if client fails reauth, allow it to retry EAP
Luke Howard [Wed, 9 Mar 2011 13:53:44 +0000 (00:53 +1100)]
don't leak Kerberos context if reauth not supported
Luke Howard [Wed, 9 Mar 2011 13:52:28 +0000 (00:52 +1100)]
cleanup formatting
Luke Howard [Wed, 9 Mar 2011 13:43:25 +0000 (00:43 +1100)]
remove __attribute__((__unused__)) for now until we have a portable solution
Luke Howard [Wed, 9 Mar 2011 13:39:47 +0000 (00:39 +1100)]
Always request mutual on reauth to even out number of round trips
Luke Howard [Wed, 9 Mar 2011 05:34:55 +0000 (16:34 +1100)]
implement preliminary acceptor name exchange
Luke Howard [Wed, 9 Mar 2011 04:31:48 +0000 (15:31 +1100)]
Allow for graceful restart if acceptor ignores reauth token
Luke Howard [Wed, 9 Mar 2011 02:46:49 +0000 (13:46 +1100)]
use macros for state accessors