From raeburn at MIT.EDU Mon Dec 1 01:48:56 2008 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Mon, 1 Dec 2008 01:48:56 -0500 (EST) Subject: svn rev #21204: trunk/src/slave/ Message-ID: <200812010648.BAA23419@drugstore.mit.edu> Commit By: raeburn Log Message: Shawn's fix for some iprop bugs, with some tweaks. Adds an alarm while waiting for kprop connection or authentication in iprop mode; on timeout, close down the active file descriptor to force us to bail out and return to the iprop main loop (which may try a full resync again next time around). Changed Files: U trunk/src/slave/kpropd.c From epeisach at MIT.EDU Mon Dec 1 07:16:34 2008 From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Mon, 1 Dec 2008 07:16:34 -0500 (EST) Subject: svn rev #21205: trunk/src/ include/ lib/krb5/ccache/ Message-ID: <200812011216.HAA27509@drugstore.mit.edu> Commit By: epeisach Log Message: Move cc_mutex code from k5-int.h - where it is globally available to cc-int.h where it is declared and used. The functions are not exported by the library - nor are they used outside lib/krb5/ccache... For cc_file.h - include cc-int.h. Changed Files: U trunk/src/include/k5-int.h U trunk/src/lib/krb5/ccache/cc-int.h U trunk/src/lib/krb5/ccache/cc_file.c From epeisach at MIT.EDU Mon Dec 1 07:22:13 2008 From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Mon, 1 Dec 2008 07:22:13 -0500 (EST) Subject: svn rev #21206: trunk/src/lib/krb5/ccache/ Message-ID: <200812011222.HAA27640@drugstore.mit.edu> Commit By: epeisach Log Message: make depend Changed Files: U trunk/src/lib/krb5/ccache/Makefile.in From hartmans at MIT.EDU Mon Dec 1 11:05:36 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:05:36 -0500 (EST) Subject: svn rev #21207: branches/ Message-ID: <200812011605.LAA00106@drugstore.mit.edu> Commit By: hartmans Log Message: Create a branch for the series of commits that define the merge of crypto iov code on the trunk in response to Projects/AEAD encryption API. These are a subset of the commits to the mskrb-integ branch. Changed Files: A branches/mskrb-integ-crypto-iov/ From hartmans at MIT.EDU Mon Dec 1 11:08:07 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:08:07 -0500 (EST) Subject: svn rev #21208: branches/ Message-ID: <200812011608.LAA00220@drugstore.mit.edu> Commit By: hartmans Log Message: oops I wanted a copy of the trunk not an empty directory Changed Files: D branches/mskrb-integ-crypto-iov/ From hartmans at MIT.EDU Mon Dec 1 11:09:13 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:09:13 -0500 (EST) Subject: svn rev #21209: branches/ Message-ID: <200812011609.LAA00313@drugstore.mit.edu> Commit By: hartmans Log Message: Branch trunk to record series of commits pulled from mskrb-integ to implement Projects/AEAD encryption API Changed Files: A branches/mskrb-integ-crypto-iov/ From hartmans at MIT.EDU Mon Dec 1 11:41:10 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:41:10 -0500 (EST) Subject: svn rev #21210: branches/mskrb-integ-crypto-iov/src/ include/ include/krb5/ lib/crypto/ ... Message-ID: <200812011641.LAA00919@drugstore.mit.edu> Commit By: hartmans Log Message: Beginnings of work on AEAD support in libk5crypto Changed Files: U branches/mskrb-integ-crypto-iov/src/include/k5-int.h U branches/mskrb-integ-crypto-iov/src/include/krb5/krb5.hin U branches/mskrb-integ-crypto-iov/src/lib/crypto/Makefile.in A branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.c A branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.h U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/Makefile.in U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour.h A branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour_aead.c A branches/mskrb-integ-crypto-iov/src/lib/crypto/crypto_length.c A branches/mskrb-integ-crypto-iov/src/lib/crypto/decrypt_iov.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/Makefile.in U branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/dk.h A branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/dk_aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/aes.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/des3.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/enc_provider.h U branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/rc4.c A branches/mskrb-integ-crypto-iov/src/lib/crypto/encrypt_iov.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/etypes.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/libk5crypto.exports A branches/mskrb-integ-crypto-iov/src/lib/crypto/make_checksum_iov.c A branches/mskrb-integ-crypto-iov/src/lib/crypto/verify_checksum_iov.c From hartmans at MIT.EDU Mon Dec 1 11:41:21 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:41:21 -0500 (EST) Subject: svn rev #21211: branches/mskrb-integ-crypto-iov/src/ include/ lib/crypto/ lib/crypto/arcfour/ ... Message-ID: <200812011641.LAA01006@drugstore.mit.edu> Commit By: hartmans Log Message: Begin work on rc4 krb5 AEAD Changed Files: U branches/mskrb-integ-crypto-iov/src/include/k5-int.h U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.h U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour-int.h U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour_aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/crypto_length.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/rc4.c From hartmans at MIT.EDU Mon Dec 1 11:41:27 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:41:27 -0500 (EST) Subject: svn rev #21212: branches/mskrb-integ-crypto-iov/src/ include/ include/krb5/ lib/crypto/ ... Message-ID: <200812011641.LAA01085@drugstore.mit.edu> Commit By: hartmans Log Message: Some work on checksum code for AEAD Changed Files: U branches/mskrb-integ-crypto-iov/src/include/k5-int.h U branches/mskrb-integ-crypto-iov/src/include/krb5/krb5.hin U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.h U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour_aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/checksum.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/dk.h U branches/mskrb-integ-crypto-iov/src/lib/crypto/hmac.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/make_checksum_iov.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/verify_checksum_iov.c From hartmans at MIT.EDU Mon Dec 1 11:41:32 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:41:32 -0500 (EST) Subject: svn rev #21213: branches/mskrb-integ-crypto-iov/src/lib/crypto/keyhash_provider/ ... Message-ID: <200812011641.LAA01165@drugstore.mit.edu> Commit By: hartmans Log Message: implement k5_hmac_md5_hash_iov Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/keyhash_provider/descbc.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/keyhash_provider/hmac_md5.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/keyhash_provider/k5_md4des.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/keyhash_provider/k5_md5des.c From hartmans at MIT.EDU Mon Dec 1 11:41:43 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:41:43 -0500 (EST) Subject: svn rev #21215: branches/mskrb-integ-crypto-iov/src/lib/crypto/ arcfour/ dk/ ... Message-ID: <200812011641.LAA01336@drugstore.mit.edu> Commit By: hartmans Log Message: preliminary implementation of krb5int_dk_{en,de}crypt_iov Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour_aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/dk_aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/rc4.c From hartmans at MIT.EDU Mon Dec 1 11:41:48 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:41:48 -0500 (EST) Subject: svn rev #21216: branches/mskrb-integ-crypto-iov/src/lib/crypto/ enc_provider/ ... Message-ID: <200812011641.LAA01416@drugstore.mit.edu> Commit By: hartmans Log Message: Begin work on AES IOV APIs Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.h U branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/aes.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/rc4.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/hmac.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/keyhash_provider/hmac_md5.c From hartmans at MIT.EDU Mon Dec 1 11:41:53 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:41:53 -0500 (EST) Subject: svn rev #21217: branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/ ... Message-ID: <200812011641.LAA01498@drugstore.mit.edu> Commit By: hartmans Log Message: Initial implementation of krb5int_aes_decrypt_iov() Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/aes.c From hartmans at MIT.EDU Mon Dec 1 11:41:58 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:41:58 -0500 (EST) Subject: svn rev #21218: branches/mskrb-integ-crypto-iov/src/lib/crypto/ des/ enc_provider/ ... Message-ID: <200812011641.LAA01575@drugstore.mit.edu> Commit By: hartmans Log Message: Implement 3DES IOV routines Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/des/Makefile.in A branches/mskrb-integ-crypto-iov/src/lib/crypto/des/d3_aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/des/des_int.h U branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/aes.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/des3.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/rc4.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/keyhash_provider/hmac_md5.c From hartmans at MIT.EDU Mon Dec 1 11:42:03 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:42:03 -0500 (EST) Subject: svn rev #21219: branches/mskrb-integ-crypto-iov/src/ include/krb5/ lib/crypto/ ... Message-ID: <200812011642.LAA01650@drugstore.mit.edu> Commit By: hartmans Log Message: Fix some bugs in AEAD code Changed Files: U branches/mskrb-integ-crypto-iov/src/include/krb5/krb5.hin U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.h U branches/mskrb-integ-crypto-iov/src/lib/crypto/crypto_length.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/dk_aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/aes.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/hmac.c From hartmans at MIT.EDU Mon Dec 1 11:42:08 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:42:08 -0500 (EST) Subject: svn rev #21220: branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/ Message-ID: <200812011642.LAA01727@drugstore.mit.edu> Commit By: hartmans Log Message: KRB5_CRYPTO_TYPE_CHECKSUM should be 96 bits Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/dk_aead.c From hartmans at MIT.EDU Mon Dec 1 11:42:14 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:42:14 -0500 (EST) Subject: svn rev #21221: branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/ Message-ID: <200812011642.LAA01811@drugstore.mit.edu> Commit By: hartmans Log Message: Validate input lengths correctly for CTS ciphers Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/dk_aead.c From hartmans at MIT.EDU Mon Dec 1 11:42:18 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:42:18 -0500 (EST) Subject: svn rev #21222: branches/mskrb-integ-crypto-iov/src/lib/crypto/ des/ dk/ enc_provider/ Message-ID: <200812011642.LAA01886@drugstore.mit.edu> Commit By: hartmans Log Message: Don't require KRB5_CRYPTO_TYPE_HEADER to come before data Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.h U branches/mskrb-integ-crypto-iov/src/lib/crypto/des/d3_aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/dk_aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/aes.c From hartmans at MIT.EDU Mon Dec 1 11:42:23 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:42:23 -0500 (EST) Subject: svn rev #21223: branches/mskrb-integ-crypto-iov/src/lib/crypto/ Message-ID: <200812011642.LAA01961@drugstore.mit.edu> Commit By: hartmans Log Message: Include padding in the to-be-signed data Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.h From hartmans at MIT.EDU Mon Dec 1 11:42:33 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:42:33 -0500 (EST) Subject: svn rev #21224: branches/mskrb-integ-crypto-iov/src/ include/ lib/crypto/ lib/krb5/os/ Message-ID: <200812011642.LAA02036@drugstore.mit.edu> Commit By: hartmans Log Message: Expose krb5_hmac_iov via accessor Changed Files: U branches/mskrb-integ-crypto-iov/src/include/k5-int.h U branches/mskrb-integ-crypto-iov/src/lib/crypto/libk5crypto.exports U branches/mskrb-integ-crypto-iov/src/lib/krb5/os/accessor.c From hartmans at MIT.EDU Mon Dec 1 11:41:37 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:41:37 -0500 (EST) Subject: svn rev #21214: branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/ Message-ID: <200812011641.LAA01247@drugstore.mit.edu> Commit By: hartmans Log Message: preliminary implementation of krb5int_arcfour_decrypt_iov Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour_aead.c From hartmans at MIT.EDU Mon Dec 1 11:42:37 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:42:37 -0500 (EST) Subject: svn rev #21225: branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/ Message-ID: <200812011642.LAA02112@drugstore.mit.edu> Commit By: hartmans Log Message: No padding for rc4 at krb5 layer Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour_aead.c From hartmans at MIT.EDU Mon Dec 1 11:42:42 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:42:42 -0500 (EST) Subject: svn rev #21226: branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/ Message-ID: <200812011642.LAA02194@drugstore.mit.edu> Commit By: hartmans Log Message: For RC4, checksum is in header, not trailer Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour_aead.c From hartmans at MIT.EDU Mon Dec 1 11:42:47 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:42:47 -0500 (EST) Subject: svn rev #21227: branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/ Message-ID: <200812011642.LAA02269@drugstore.mit.edu> Commit By: hartmans Log Message: Don't encrypt checksum! Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour_aead.c From hartmans at MIT.EDU Mon Dec 1 11:42:51 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:42:51 -0500 (EST) Subject: svn rev #21228: branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/ Message-ID: <200812011642.LAA02344@drugstore.mit.edu> Commit By: hartmans Log Message: fix some more pointer adjustment errors Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour_aead.c From hartmans at MIT.EDU Mon Dec 1 11:42:56 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:42:56 -0500 (EST) Subject: svn rev #21229: branches/mskrb-integ-crypto-iov/src/lib/crypto/ arcfour/ des/ ... Message-ID: <200812011642.LAA02419@drugstore.mit.edu> Commit By: hartmans Log Message: support KRB5_CRYPTO_TYPE_STREAM Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.h U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour_aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/des/d3_aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/checksum.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/aes.c From hartmans at MIT.EDU Mon Dec 1 11:43:01 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:43:01 -0500 (EST) Subject: svn rev #21230: branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/ Message-ID: <200812011643.LAA02502@drugstore.mit.edu> Commit By: hartmans Log Message: cleanup Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour_aead.c From hartmans at MIT.EDU Mon Dec 1 11:43:06 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:43:06 -0500 (EST) Subject: svn rev #21231: branches/mskrb-integ-crypto-iov/src/lib/crypto/ Message-ID: <200812011643.LAA02581@drugstore.mit.edu> Commit By: hartmans Log Message: Don't reset iov_pos to current index after reading header; found by Sam Hartman Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.c From hartmans at MIT.EDU Mon Dec 1 11:43:15 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:43:15 -0500 (EST) Subject: svn rev #21233: branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/ ... Message-ID: <200812011643.LAA02739@drugstore.mit.edu> Commit By: hartmans Log Message: Reformat Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/des3.c From hartmans at MIT.EDU Mon Dec 1 11:43:20 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:43:20 -0500 (EST) Subject: svn rev #21234: branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/ Message-ID: <200812011643.LAA02814@drugstore.mit.edu> Commit By: hartmans Log Message: RC4 has a header length that includes the confounder and checksum. The trailer length is 0 Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour_aead.c From hartmans at MIT.EDU Mon Dec 1 11:43:25 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:43:25 -0500 (EST) Subject: svn rev #21235: branches/mskrb-integ-crypto-iov/src/lib/crypto/ des/ Message-ID: <200812011643.LAA02889@drugstore.mit.edu> Commit By: hartmans Log Message: Provisional implementation of CCM mode for AES Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.h U branches/mskrb-integ-crypto-iov/src/lib/crypto/des/d3_aead.c From hartmans at MIT.EDU Mon Dec 1 11:43:29 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:43:29 -0500 (EST) Subject: svn rev #21236: branches/mskrb-integ-crypto-iov/src/lib/crypto/ Message-ID: <200812011643.LAA02964@drugstore.mit.edu> Commit By: hartmans Log Message: Cleanup Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.h From hartmans at MIT.EDU Mon Dec 1 11:43:34 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:43:34 -0500 (EST) Subject: svn rev #21237: branches/mskrb-integ-crypto-iov/src/lib/crypto/ Message-ID: <200812011643.LAA03039@drugstore.mit.edu> Commit By: hartmans Log Message: CTR mode and associated data do not require explicit padding in the output message Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.h From hartmans at MIT.EDU Mon Dec 1 11:43:11 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:43:11 -0500 (EST) Subject: svn rev #21232: branches/mskrb-integ-crypto-iov/src/lib/crypto/ des/ enc_provider/ Message-ID: <200812011643.LAA02660@drugstore.mit.edu> Commit By: hartmans Log Message: Careful not to overwrite mit_des_zeroblock Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/des/d3_aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/enc_provider/des3.c From hartmans at MIT.EDU Mon Dec 1 11:43:39 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:43:39 -0500 (EST) Subject: svn rev #21238: branches/mskrb-integ-crypto-iov/src/lib/crypto/ Message-ID: <200812011643.LAA03115@drugstore.mit.edu> Commit By: hartmans Log Message: Add some notes regarding block IOV APIs Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.c From hartmans at MIT.EDU Mon Dec 1 11:43:43 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:43:43 -0500 (EST) Subject: svn rev #21239: branches/mskrb-integ-crypto-iov/src/lib/crypto/ arcfour/ dk/ Message-ID: <200812011643.LAA03197@drugstore.mit.edu> Commit By: hartmans Log Message: Ensure padding is initialized on return from krb5_c_encrypt_iov() Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour_aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/dk_aead.c From hartmans at MIT.EDU Mon Dec 1 11:43:53 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:43:53 -0500 (EST) Subject: svn rev #21241: branches/mskrb-integ-crypto-iov/src/lib/crypto/ Message-ID: <200812011643.LAA03354@drugstore.mit.edu> Commit By: hartmans Log Message: When pad_to_boundary is set (as it is for CCM), don't pad between buffers of the same type. Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.c From hartmans at MIT.EDU Mon Dec 1 11:43:58 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:43:58 -0500 (EST) Subject: svn rev #21242: branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/ Message-ID: <200812011643.LAA03434@drugstore.mit.edu> Commit By: hartmans Log Message: KRB5_CRYPTO_TYPE_STREAM handling code was in wrong file Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/dk_aead.c From hartmans at MIT.EDU Mon Dec 1 11:44:17 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:44:17 -0500 (EST) Subject: svn rev #21246: branches/mskrb-integ-crypto-iov/src/lib/crypto/ Message-ID: <200812011644.LAA03748@drugstore.mit.edu> Commit By: hartmans Log Message: Cleanup code on the assumption HEADER buffer is always first Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.h From hartmans at MIT.EDU Mon Dec 1 11:44:02 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:44:02 -0500 (EST) Subject: svn rev #21243: branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/ Message-ID: <200812011644.LAA03509@drugstore.mit.edu> Commit By: hartmans Log Message: cleanup Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour_aead.c From hartmans at MIT.EDU Mon Dec 1 11:43:48 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:43:48 -0500 (EST) Subject: svn rev #21240: branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/ Message-ID: <200812011643.LAA03272@drugstore.mit.edu> Commit By: hartmans Log Message: Initialize PADDING buffers that are not preceded by DATA buffers to zero length Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/dk_aead.c From hartmans at MIT.EDU Mon Dec 1 11:44:12 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:44:12 -0500 (EST) Subject: svn rev #21245: branches/mskrb-integ-crypto-iov/src/lib/crypto/ Message-ID: <200812011644.LAA03673@drugstore.mit.edu> Commit By: hartmans Log Message: cleanup Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.c From hartmans at MIT.EDU Mon Dec 1 11:44:22 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:44:22 -0500 (EST) Subject: svn rev #21247: branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/ Message-ID: <200812011644.LAA03825@drugstore.mit.edu> Commit By: hartmans Log Message: Only a single padding buffer is required Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/dk_aead.c From hartmans at MIT.EDU Mon Dec 1 11:44:27 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:44:27 -0500 (EST) Subject: svn rev #21248: branches/mskrb-integ-crypto-iov/src/lib/crypto/ Message-ID: <200812011644.LAA03900@drugstore.mit.edu> Commit By: hartmans Log Message: Change the behaviour of KRB5_CRYPTO_TYPE_STREAM slightly: STREAM should be the concatenation of HEADER | DATA | PADDING | TRAILER (without any SIGN_ONLY buffers). When passing STREAM into decrypt, any additional SIGN_ONLY buffers should be included as input, ordered relative to the (output) DATA buffer as they were on encrypt. Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.c From hartmans at MIT.EDU Mon Dec 1 11:44:46 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:44:46 -0500 (EST) Subject: svn rev #21252: branches/mskrb-integ-crypto-iov/src/lib/crypto/ des/ Message-ID: <200812011644.LAA04214@drugstore.mit.edu> Commit By: hartmans Log Message: Use return value of get/put block to indicate termination condition Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.h U branches/mskrb-integ-crypto-iov/src/lib/crypto/crypto_length.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/decrypt_iov.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/des/d3_aead.c From hartmans at MIT.EDU Mon Dec 1 11:44:31 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:44:31 -0500 (EST) Subject: svn rev #21249: branches/mskrb-integ-crypto-iov/src/ include/krb5/ lib/crypto/ ... Message-ID: <200812011644.LAA03975@drugstore.mit.edu> Commit By: hartmans Log Message: Add krb5_c_crypto_length_iov() and krb5_c_padding_length() APIs Changed Files: U branches/mskrb-integ-crypto-iov/src/include/krb5/krb5.hin U branches/mskrb-integ-crypto-iov/src/lib/crypto/crypto_length.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/dk_aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/libk5crypto.exports From hartmans at MIT.EDU Mon Dec 1 11:44:36 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:44:36 -0500 (EST) Subject: svn rev #21250: branches/mskrb-integ-crypto-iov/src/lib/crypto/ dk/ Message-ID: <200812011644.LAA04051@drugstore.mit.edu> Commit By: hartmans Log Message: Cleanup IOV code Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/aead.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/decrypt_iov.c U branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/dk_aead.c From hartmans at MIT.EDU Mon Dec 1 11:44:41 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:44:41 -0500 (EST) Subject: svn rev #21251: branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/ Message-ID: <200812011644.LAA04139@drugstore.mit.edu> Commit By: hartmans Log Message: Cleanup; stream processing is done now by krb5_c_decrypt_iov() Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour_aead.c From hartmans at MIT.EDU Mon Dec 1 11:44:55 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:44:55 -0500 (EST) Subject: svn rev #21254: branches/mskrb-integ-crypto-iov/src/include/krb5/ Message-ID: <200812011644.LAA04366@drugstore.mit.edu> Commit By: hartmans Log Message: Add stream cryptotype Changed Files: U branches/mskrb-integ-crypto-iov/src/include/krb5/krb5.hin From hartmans at MIT.EDU Mon Dec 1 11:44:51 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:44:51 -0500 (EST) Subject: svn rev #21253: branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/ Message-ID: <200812011644.LAA04291@drugstore.mit.edu> Commit By: hartmans Log Message: Fix extern declaration Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour-int.h From hartmans at MIT.EDU Mon Dec 1 11:45:00 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:45:00 -0500 (EST) Subject: svn rev #21255: branches/mskrb-integ-crypto-iov/src/lib/crypto/ Message-ID: <200812011645.LAA04442@drugstore.mit.edu> Commit By: hartmans Log Message: type in krb5_c_crypto_length is the crypto type not the enctype Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/crypto_length.c From hartmans at MIT.EDU Mon Dec 1 11:45:10 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:45:10 -0500 (EST) Subject: svn rev #21256: branches/mskrb-integ-crypto-iov/src/lib/crypto/ Message-ID: <200812011645.LAA04528@drugstore.mit.edu> Commit By: hartmans Log Message: Update t_encrypt to do some black-box testing of the iov API Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/t_encrypt.c From hartmans at MIT.EDU Mon Dec 1 11:45:15 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:45:15 -0500 (EST) Subject: svn rev #21257: branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/ Message-ID: <200812011645.LAA04615@drugstore.mit.edu> Commit By: hartmans Log Message: Omit CTS length check Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/dk/dk_aead.c From hartmans at MIT.EDU Mon Dec 1 11:44:07 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 11:44:07 -0500 (EST) Subject: svn rev #21244: branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/ Message-ID: <200812011644.LAA03596@drugstore.mit.edu> Commit By: hartmans Log Message: cleanup Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/arcfour/arcfour_aead.c From ghudson at MIT.EDU Mon Dec 1 12:10:03 2008 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 1 Dec 2008 12:10:03 -0500 (EST) Subject: svn rev #21258: trunk/src/ appl/bsd/ appl/gss-sample/ appl/gssftp/ftp/ appl/gssftp/ftpd/ ... Message-ID: <200812011710.MAA05127@drugstore.mit.edu> Commit By: ghudson Log Message: ticket: 6200 status: open Convert many uses of sprintf to snprintf or asprintf. Changed Files: U trunk/src/appl/bsd/forward.c U trunk/src/appl/bsd/kcmd.c U trunk/src/appl/bsd/krcp.c U trunk/src/appl/bsd/krlogin.c U trunk/src/appl/bsd/krlogind.c U trunk/src/appl/bsd/krshd.c U trunk/src/appl/bsd/login.c U trunk/src/appl/bsd/v4rcp.c U trunk/src/appl/gss-sample/gss-client.c U trunk/src/appl/gssftp/ftp/ftp.c U trunk/src/appl/gssftp/ftp/ruserpass.c U trunk/src/appl/gssftp/ftpd/ftpd.c U trunk/src/appl/libpty/getpty.c U trunk/src/appl/libpty/logwtmp.c U trunk/src/appl/sample/sserver/sserver.c U trunk/src/appl/telnet/libtelnet/auth.c U trunk/src/appl/telnet/libtelnet/enc_des.c U trunk/src/appl/telnet/libtelnet/encrypt.c U trunk/src/appl/telnet/libtelnet/forward.c U trunk/src/appl/telnet/libtelnet/kerberos.c U trunk/src/appl/telnet/libtelnet/kerberos5.c U trunk/src/appl/telnet/libtelnet/spx.c U trunk/src/appl/telnet/telnet/commands.c U trunk/src/appl/telnet/telnet/telnet.c U trunk/src/appl/telnet/telnet/utilities.c U trunk/src/appl/telnet/telnetd/slc.c U trunk/src/appl/telnet/telnetd/sys_term.c U trunk/src/clients/ksu/authorization.c U trunk/src/clients/ksu/krb_auth_su.c U trunk/src/clients/ksu/main.c U trunk/src/kadmin/cli/kadmin.c U trunk/src/kadmin/dbutil/kadm5_create.c U trunk/src/kadmin/ktutil/ktutil_funcs.c U trunk/src/kadmin/passwd/xm_kpasswd.c U trunk/src/kadmin/server/ipropd_svc.c U trunk/src/kdc/fakeka.c U trunk/src/lib/crypto/vectors.c U trunk/src/lib/krb5/krb/pkinit_apple_cert_store.c U trunk/src/lib/krb5/krb/pkinit_apple_utils.c U trunk/src/lib/krb5/krb/t_ser.c U trunk/src/lib/krb5/os/t_gifconf.c U trunk/src/lib/krb5/os/t_locate_kdc.c U trunk/src/lib/rpc/unit-test/client.c U 
trunk/src/lib/rpc/unit-test/server.c U trunk/src/plugins/kdb/db2/libdb2/test/dbtest.c U trunk/src/plugins/kdb/db2/libdb2/test/hash1.tests/driver2.c U trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c U trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c U trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c U trunk/src/plugins/locate/python/py-locate.c U trunk/src/plugins/preauth/cksum_body/cksum_body_main.c U trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c U trunk/src/plugins/preauth/wpse/wpse_main.c U trunk/src/slave/kprop.c U trunk/src/slave/kpropd.c U trunk/src/tests/create/kdb5_mkdums.c U trunk/src/tests/gss-threads/gss-client.c U trunk/src/tests/hammer/kdc5_hammer.c U trunk/src/tests/resolve/addrinfo-test.c U trunk/src/tests/shlib/t_loader.c U trunk/src/tests/threads/t_rcache.c U trunk/src/tests/verify/kdb5_verify.c U trunk/src/util/et/t_com_err.c U trunk/src/util/ss/utils.c U trunk/src/util/support/fake-addrinfo.c U trunk/src/util/support/init-addrinfo.c From hartmans at MIT.EDU Mon Dec 1 15:57:06 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 1 Dec 2008 15:57:06 -0500 (EST) Subject: svn rev #21259: branches/mskrb-integ-crypto-iov/src/lib/crypto/ Message-ID: <200812012057.PAA08873@drugstore.mit.edu> Commit By: hartmans Log Message: des-hmac-sha1 does not support AEAD Changed Files: U branches/mskrb-integ-crypto-iov/src/lib/crypto/etypes.c From tlyu at MIT.EDU Tue Dec 2 11:57:19 2008 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 2 Dec 2008 11:57:19 -0500 (EST) Subject: svn rev #21260: trunk/ src/lib/rpc/unit-test/ Message-ID: <200812021657.LAA24009@drugstore.mit.edu> Commit By: tlyu Log Message: add k5-platform.h for asprintf Changed Files: _U trunk/ U trunk/src/lib/rpc/unit-test/server.c From tsitkova at MIT.EDU Tue Dec 2 14:36:57 2008 From: tsitkova at MIT.EDU (tsitkova@MIT.EDU) Date: Tue, 2 Dec 2008 14:36:57 -0500 (EST) Subject: svn rev #21261: trunk/src/ lib/kdb/ util/profile/ Message-ID: <200812021936.OAA26327@drugstore.mit.edu> Commit By: tsitkova Log Message: Remove unneeded LEAN_CLIENT #define's. Changed Files: U trunk/src/lib/kdb/kdb_default.c U trunk/src/util/profile/prof_init.c From tlyu at MIT.EDU Tue Dec 2 15:08:45 2008 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 2 Dec 2008 15:08:45 -0500 (EST) Subject: svn rev #21262: branches/commit-handler-test/ Message-ID: <200812022008.PAA26888@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21262 Commit By: tlyu Log Message: ticket: new status: resolved subject: commit handler test tags: nochange testing commit handler again Changed Files: A branches/commit-handler-test/aaaa/ From hartmans at MIT.EDU Tue Dec 2 15:10:22 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Tue, 2 Dec 2008 15:10:22 -0500 (EST) Subject: svn rev #21263: trunk/src/ include/ include/krb5/ lib/crypto/ lib/crypto/arcfour/ ... Message-ID: <200812022010.PAA26997@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21263 Commit By: hartmans Log Message: ticket: new Status: open Subject: Crypto IOV API per Projects/AEAD encryption API Merge in the mskrb-crypto-iov branch at r21259 in order to move an implementation of http://k5wiki.kerberos.org/wiki/Projects/AEAD_encryption_API onto the trunk. This branch contains a subset of the commits on the mskrb-integ branch that implement the krb5 library part of the crypto IOV API. Changed Files: U trunk/src/include/k5-int.h U trunk/src/include/krb5/krb5.hin U trunk/src/lib/crypto/Makefile.in A trunk/src/lib/crypto/aead.c A trunk/src/lib/crypto/aead.h U trunk/src/lib/crypto/arcfour/Makefile.in U trunk/src/lib/crypto/arcfour/arcfour-int.h U trunk/src/lib/crypto/arcfour/arcfour.c U trunk/src/lib/crypto/arcfour/arcfour.h A trunk/src/lib/crypto/arcfour/arcfour_aead.c A trunk/src/lib/crypto/crypto_length.c A trunk/src/lib/crypto/decrypt_iov.c U trunk/src/lib/crypto/des/Makefile.in A trunk/src/lib/crypto/des/d3_aead.c U trunk/src/lib/crypto/des/des_int.h U trunk/src/lib/crypto/dk/Makefile.in U trunk/src/lib/crypto/dk/checksum.c U trunk/src/lib/crypto/dk/dk.h A trunk/src/lib/crypto/dk/dk_aead.c U trunk/src/lib/crypto/enc_provider/aes.c U trunk/src/lib/crypto/enc_provider/des3.c U trunk/src/lib/crypto/enc_provider/enc_provider.h U trunk/src/lib/crypto/enc_provider/rc4.c A trunk/src/lib/crypto/encrypt_iov.c U trunk/src/lib/crypto/etypes.c U trunk/src/lib/crypto/hmac.c U trunk/src/lib/crypto/keyhash_provider/descbc.c U trunk/src/lib/crypto/keyhash_provider/hmac_md5.c U trunk/src/lib/crypto/keyhash_provider/k5_md4des.c U trunk/src/lib/crypto/keyhash_provider/k5_md5des.c U trunk/src/lib/crypto/libk5crypto.exports A trunk/src/lib/crypto/make_checksum_iov.c U 
trunk/src/lib/crypto/t_encrypt.c A trunk/src/lib/crypto/verify_checksum_iov.c U trunk/src/lib/krb5/os/accessor.c From hartmans at MIT.EDU Tue Dec 2 15:29:59 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Tue, 2 Dec 2008 15:29:59 -0500 (EST) Subject: svn rev #21264: branches/mskrb-integ/ doc/ doc/kim/html/ src/ src/appl/bsd/ src/appl/gss-sample/ ... Message-ID: <200812022029.PAA27431@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21264 Commit By: hartmans Log Message: Merge trunk at r21260 into mskrb-integ branch. Changed Files: U branches/mskrb-integ/doc/install.texinfo U branches/mskrb-integ/doc/kim/html/group__kim__ccache__iterator__reference.html U branches/mskrb-integ/doc/kim/html/group__kim__ccache__reference.html U branches/mskrb-integ/doc/kim/html/group__kim__credential__iterator__reference.html U branches/mskrb-integ/doc/kim/html/group__kim__credential__reference.html U branches/mskrb-integ/doc/kim/html/group__kim__identity__reference.html U branches/mskrb-integ/doc/kim/html/group__kim__library__reference.html U branches/mskrb-integ/doc/kim/html/group__kim__options__reference.html U branches/mskrb-integ/doc/kim/html/group__kim__preferences__reference.html U branches/mskrb-integ/doc/kim/html/group__kim__selection__hints__reference.html U branches/mskrb-integ/doc/kim/html/group__kim__string__reference.html U branches/mskrb-integ/doc/kim/html/group__kim__types__reference.html U branches/mskrb-integ/doc/kim/html/index.html U branches/mskrb-integ/doc/kim/html/kim_ccache_overview.html U branches/mskrb-integ/doc/kim/html/kim_credential_overview.html U branches/mskrb-integ/doc/kim/html/kim_identity_overview.html U branches/mskrb-integ/doc/kim/html/kim_options_overview.html U branches/mskrb-integ/doc/kim/html/kim_preferences_overview.html U branches/mskrb-integ/doc/kim/html/kim_selection_hints_overview.html U branches/mskrb-integ/doc/kim/html/kim_string_overview.html U branches/mskrb-integ/doc/kim/html/modules.html U branches/mskrb-integ/src/appl/bsd/Makefile.in U branches/mskrb-integ/src/appl/bsd/forward.c U branches/mskrb-integ/src/appl/bsd/kcmd.c U branches/mskrb-integ/src/appl/bsd/krcp.c U 
branches/mskrb-integ/src/appl/bsd/krlogin.c U branches/mskrb-integ/src/appl/bsd/krlogind.c U branches/mskrb-integ/src/appl/bsd/krsh.c U branches/mskrb-integ/src/appl/bsd/krshd.c U branches/mskrb-integ/src/appl/bsd/login.c U branches/mskrb-integ/src/appl/bsd/v4rcp.c U branches/mskrb-integ/src/appl/gss-sample/gss-client.c U branches/mskrb-integ/src/appl/gssftp/ftp/Makefile.in U branches/mskrb-integ/src/appl/gssftp/ftp/ftp.c U branches/mskrb-integ/src/appl/gssftp/ftp/glob.c U branches/mskrb-integ/src/appl/gssftp/ftp/ruserpass.c U branches/mskrb-integ/src/appl/gssftp/ftpd/Makefile.in U branches/mskrb-integ/src/appl/gssftp/ftpd/ftpcmd.y U branches/mskrb-integ/src/appl/gssftp/ftpd/ftpd.c U branches/mskrb-integ/src/appl/libpty/Makefile.in U branches/mskrb-integ/src/appl/libpty/getpty.c U branches/mskrb-integ/src/appl/libpty/logwtmp.c U branches/mskrb-integ/src/appl/sample/sclient/sclient.c U branches/mskrb-integ/src/appl/sample/sserver/sserver.c U branches/mskrb-integ/src/appl/simple/client/sim_client.c U branches/mskrb-integ/src/appl/telnet/libtelnet/Makefile.in U branches/mskrb-integ/src/appl/telnet/libtelnet/auth.c U branches/mskrb-integ/src/appl/telnet/libtelnet/enc_des.c U branches/mskrb-integ/src/appl/telnet/libtelnet/encrypt.c U branches/mskrb-integ/src/appl/telnet/libtelnet/forward.c U branches/mskrb-integ/src/appl/telnet/libtelnet/gettytab.c U branches/mskrb-integ/src/appl/telnet/libtelnet/kerberos.c U branches/mskrb-integ/src/appl/telnet/libtelnet/kerberos5.c U branches/mskrb-integ/src/appl/telnet/libtelnet/spx.c U branches/mskrb-integ/src/appl/telnet/telnet/commands.c U branches/mskrb-integ/src/appl/telnet/telnet/telnet.c U branches/mskrb-integ/src/appl/telnet/telnet/utilities.c U branches/mskrb-integ/src/appl/telnet/telnetd/Makefile.in U branches/mskrb-integ/src/appl/telnet/telnetd/slc.c U branches/mskrb-integ/src/appl/telnet/telnetd/sys_term.c U branches/mskrb-integ/src/clients/kdestroy/Makefile.in U branches/mskrb-integ/src/clients/kinit/Makefile.in U 
branches/mskrb-integ/src/clients/klist/Makefile.in U branches/mskrb-integ/src/clients/kpasswd/Makefile.in U branches/mskrb-integ/src/clients/ksu/Makefile.in U branches/mskrb-integ/src/clients/ksu/authorization.c U branches/mskrb-integ/src/clients/ksu/krb_auth_su.c U branches/mskrb-integ/src/clients/ksu/main.c U branches/mskrb-integ/src/clients/kvno/Makefile.in U branches/mskrb-integ/src/configure.in U branches/mskrb-integ/src/include/k5-buf.h U branches/mskrb-integ/src/include/k5-int.h U branches/mskrb-integ/src/include/kim/kim_ccache.h U branches/mskrb-integ/src/include/kim/kim_credential.h U branches/mskrb-integ/src/kadmin/cli/Makefile.in U branches/mskrb-integ/src/kadmin/cli/kadmin.c U branches/mskrb-integ/src/kadmin/dbutil/Makefile.in U branches/mskrb-integ/src/kadmin/dbutil/kadm5_create.c U branches/mskrb-integ/src/kadmin/ktutil/Makefile.in U branches/mskrb-integ/src/kadmin/ktutil/ktutil_funcs.c U branches/mskrb-integ/src/kadmin/passwd/xm_kpasswd.c U branches/mskrb-integ/src/kadmin/server/Makefile.in U branches/mskrb-integ/src/kadmin/server/ipropd_svc.c U branches/mskrb-integ/src/kadmin/server/server_stubs.c U branches/mskrb-integ/src/kdc/Makefile.in U branches/mskrb-integ/src/kdc/fakeka.c U branches/mskrb-integ/src/kdc/kdc_authdata.c U branches/mskrb-integ/src/kdc/kdc_preauth.c U branches/mskrb-integ/src/kdc/kdc_util.c U branches/mskrb-integ/src/kdc/kerberos_v4.c U branches/mskrb-integ/src/kim/agent/mac/KerberosAgentPrefix.pch U branches/mskrb-integ/src/kim/lib/kim.exports D branches/mskrb-integ/src/kim/lib/kim_ccache_private.h U branches/mskrb-integ/src/kim/lib/kim_credential_private.h U branches/mskrb-integ/src/kim/lib/kim_private.h U branches/mskrb-integ/src/lib/apputils/Makefile.in U branches/mskrb-integ/src/lib/crypto/Makefile.in U branches/mskrb-integ/src/lib/crypto/aes/Makefile.in U branches/mskrb-integ/src/lib/crypto/arcfour/Makefile.in U branches/mskrb-integ/src/lib/crypto/crc32/Makefile.in U branches/mskrb-integ/src/lib/crypto/des/Makefile.in U 
branches/mskrb-integ/src/lib/crypto/des/d3_aead.c U branches/mskrb-integ/src/lib/crypto/dk/Makefile.in U branches/mskrb-integ/src/lib/crypto/dk/dk_aead.c U branches/mskrb-integ/src/lib/crypto/enc_provider/Makefile.in U branches/mskrb-integ/src/lib/crypto/hash_provider/Makefile.in U branches/mskrb-integ/src/lib/crypto/keyhash_provider/Makefile.in U branches/mskrb-integ/src/lib/crypto/md4/Makefile.in U branches/mskrb-integ/src/lib/crypto/md5/Makefile.in U branches/mskrb-integ/src/lib/crypto/old/Makefile.in U branches/mskrb-integ/src/lib/crypto/raw/Makefile.in U branches/mskrb-integ/src/lib/crypto/sha1/Makefile.in U branches/mskrb-integ/src/lib/crypto/string_to_key.c U branches/mskrb-integ/src/lib/crypto/t_hmac.c U branches/mskrb-integ/src/lib/crypto/vectors.c U branches/mskrb-integ/src/lib/crypto/yarrow/Makefile.in U branches/mskrb-integ/src/lib/des425/Makefile.in U branches/mskrb-integ/src/lib/gssapi/Makefile.in U branches/mskrb-integ/src/lib/gssapi/generic/Makefile.in U branches/mskrb-integ/src/lib/gssapi/krb5/Makefile.in U branches/mskrb-integ/src/lib/gssapi/mechglue/Makefile.in U branches/mskrb-integ/src/lib/gssapi/mechglue/oid_ops.c U branches/mskrb-integ/src/lib/gssapi/spnego/Makefile.in U branches/mskrb-integ/src/lib/kadm5/Makefile.in U branches/mskrb-integ/src/lib/kadm5/alt_prof.c U branches/mskrb-integ/src/lib/kadm5/clnt/Makefile.in U branches/mskrb-integ/src/lib/kadm5/srv/Makefile.in U branches/mskrb-integ/src/lib/kadm5/str_conv.c U branches/mskrb-integ/src/lib/kadm5/unit-test/Makefile.in U branches/mskrb-integ/src/lib/kdb/Makefile.in U branches/mskrb-integ/src/lib/kdb/kdb_convert.c U branches/mskrb-integ/src/lib/kdb/kdb_default.c U branches/mskrb-integ/src/lib/krb5/Makefile.in U branches/mskrb-integ/src/lib/krb5/asn.1/Makefile.in U branches/mskrb-integ/src/lib/krb5/asn.1/asn1_encode.c U branches/mskrb-integ/src/lib/krb5/asn.1/asn1_k_encode.c U branches/mskrb-integ/src/lib/krb5/asn.1/asn1buf.c U branches/mskrb-integ/src/lib/krb5/asn.1/asn1buf.h U 
branches/mskrb-integ/src/lib/krb5/asn.1/krb5_decode.c U branches/mskrb-integ/src/lib/krb5/ccache/Makefile.in U branches/mskrb-integ/src/lib/krb5/ccache/cc-int.h U branches/mskrb-integ/src/lib/krb5/ccache/cc_file.c U branches/mskrb-integ/src/lib/krb5/keytab/Makefile.in U branches/mskrb-integ/src/lib/krb5/krb/Makefile.in U branches/mskrb-integ/src/lib/krb5/krb/auth_con.c U branches/mskrb-integ/src/lib/krb5/krb/copy_athctr.c U branches/mskrb-integ/src/lib/krb5/krb/init_ctx.c U branches/mskrb-integ/src/lib/krb5/krb/parse.c U branches/mskrb-integ/src/lib/krb5/krb/pkinit_apple_cert_store.c U branches/mskrb-integ/src/lib/krb5/krb/pkinit_apple_utils.c U branches/mskrb-integ/src/lib/krb5/krb/preauth.c U branches/mskrb-integ/src/lib/krb5/krb/preauth2.c U branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c U branches/mskrb-integ/src/lib/krb5/krb/ser_actx.c U branches/mskrb-integ/src/lib/krb5/krb/ser_auth.c U branches/mskrb-integ/src/lib/krb5/krb/srv_rcache.c U branches/mskrb-integ/src/lib/krb5/krb/t_ser.c U branches/mskrb-integ/src/lib/krb5/os/Makefile.in U branches/mskrb-integ/src/lib/krb5/os/changepw.c U branches/mskrb-integ/src/lib/krb5/os/dnssrv.c U branches/mskrb-integ/src/lib/krb5/os/hst_realm.c U branches/mskrb-integ/src/lib/krb5/os/sendto_kdc.c U branches/mskrb-integ/src/lib/krb5/os/t_gifconf.c U branches/mskrb-integ/src/lib/krb5/os/t_locate_kdc.c U branches/mskrb-integ/src/lib/krb5/rcache/Makefile.in U branches/mskrb-integ/src/lib/rpc/Makefile.in U branches/mskrb-integ/src/lib/rpc/unit-test/client.c U branches/mskrb-integ/src/lib/rpc/unit-test/server.c U branches/mskrb-integ/src/plugins/authdata/greet/greet_auth.c U branches/mskrb-integ/src/plugins/kdb/db2/Makefile.in U branches/mskrb-integ/src/plugins/kdb/db2/libdb2/test/dbtest.c U branches/mskrb-integ/src/plugins/kdb/db2/libdb2/test/hash1.tests/driver2.c U branches/mskrb-integ/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c U branches/mskrb-integ/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c U 
branches/mskrb-integ/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c U branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c U branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c U branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c U branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c U branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c U branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c U branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c U branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c U branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c U branches/mskrb-integ/src/plugins/locate/python/py-locate.c U branches/mskrb-integ/src/plugins/preauth/cksum_body/cksum_body_main.c U branches/mskrb-integ/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c U branches/mskrb-integ/src/plugins/preauth/wpse/wpse_main.c U branches/mskrb-integ/src/slave/Makefile.in U branches/mskrb-integ/src/slave/kprop.c U branches/mskrb-integ/src/slave/kpropd.c U branches/mskrb-integ/src/slave/kproplog.c U branches/mskrb-integ/src/tests/asn.1/Makefile.in U branches/mskrb-integ/src/tests/asn.1/ktest.c U branches/mskrb-integ/src/tests/create/Makefile.in U branches/mskrb-integ/src/tests/create/kdb5_mkdums.c U branches/mskrb-integ/src/tests/dejagnu/Makefile.in U branches/mskrb-integ/src/tests/dejagnu/config/default.exp U branches/mskrb-integ/src/tests/dejagnu/krb-root/telnet.exp U branches/mskrb-integ/src/tests/dejagnu/krb-standalone/gssftp.exp A branches/mskrb-integ/src/tests/dejagnu/krb-standalone/iprop.exp U branches/mskrb-integ/src/tests/dejagnu/krb-standalone/kadmin.exp A branches/mskrb-integ/src/tests/dejagnu/krb-standalone/kprop.exp A branches/mskrb-integ/src/tests/dejagnu/krb-standalone/pwchange.exp U branches/mskrb-integ/src/tests/dejagnu/krb-standalone/pwhist.exp U 
branches/mskrb-integ/src/tests/dejagnu/krb-standalone/standalone.exp A branches/mskrb-integ/src/tests/dejagnu/krb-standalone/tcp.exp U branches/mskrb-integ/src/tests/dejagnu/krb-standalone/v4gssftp.exp U branches/mskrb-integ/src/tests/gss-threads/gss-client.c U branches/mskrb-integ/src/tests/hammer/Makefile.in U branches/mskrb-integ/src/tests/hammer/kdc5_hammer.c U branches/mskrb-integ/src/tests/resolve/Makefile.in U branches/mskrb-integ/src/tests/resolve/addrinfo-test.c U branches/mskrb-integ/src/tests/shlib/Makefile.in U branches/mskrb-integ/src/tests/shlib/t_loader.c U branches/mskrb-integ/src/tests/threads/t_rcache.c U branches/mskrb-integ/src/tests/verify/Makefile.in U branches/mskrb-integ/src/tests/verify/kdb5_verify.c U branches/mskrb-integ/src/util/et/t_com_err.c U branches/mskrb-integ/src/util/profile/prof_file.c U branches/mskrb-integ/src/util/ss/utils.c U branches/mskrb-integ/src/util/support/Makefile.in U branches/mskrb-integ/src/util/support/fake-addrinfo.c U branches/mskrb-integ/src/util/support/init-addrinfo.c U branches/mskrb-integ/src/util/support/k5buf.c U branches/mskrb-integ/src/util/support/libkrb5support-fixed.exports U branches/mskrb-integ/src/util/support/t_k5buf.c From hartmans at MIT.EDU Tue Dec 2 15:30:22 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Tue, 2 Dec 2008 15:30:22 -0500 (EST) Subject: svn rev #21265: branches/mskrb-integ/src/ lib/kdb/ util/profile/ Message-ID: <200812022030.PAA27522@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21265 Commit By: hartmans Log Message: Remove unneeded LEAN_CLIENT #define's. Changed Files: U branches/mskrb-integ/src/lib/kdb/kdb_default.c U branches/mskrb-integ/src/util/profile/prof_init.c From hartmans at MIT.EDU Tue Dec 2 16:01:55 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Tue, 2 Dec 2008 16:01:55 -0500 (EST) Subject: svn rev #21266: trunk/src/ appl/telnet/telnet/ lib/crypto/ lib/crypto/arcfour/ ... Message-ID: <200812022101.QAA28123@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21266 Commit By: hartmans Log Message: make depend Changed Files: U trunk/src/appl/telnet/telnet/Makefile.in U trunk/src/lib/crypto/Makefile.in U trunk/src/lib/crypto/arcfour/Makefile.in U trunk/src/lib/crypto/des/Makefile.in U trunk/src/lib/crypto/dk/Makefile.in U trunk/src/lib/crypto/enc_provider/Makefile.in U trunk/src/lib/crypto/keyhash_provider/Makefile.in U trunk/src/lib/rpc/unit-test/Makefile.in U trunk/src/plugins/kdb/db2/libdb2/btree/Makefile.in U trunk/src/plugins/kdb/db2/libdb2/db/Makefile.in U trunk/src/plugins/kdb/db2/libdb2/hash/Makefile.in U trunk/src/plugins/kdb/db2/libdb2/mpool/Makefile.in U trunk/src/plugins/kdb/db2/libdb2/recno/Makefile.in U trunk/src/plugins/preauth/pkinit/Makefile.in From lhoward at MIT.EDU Tue Dec 2 17:26:38 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 2 Dec 2008 17:26:38 -0500 (EST) Subject: svn rev #21267: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812022226.RAA29179@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21267 Commit By: lhoward Log Message: Reorder iov_count and iov arguments; make iov_count an int Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/seal.c U branches/mskrb-integ/src/lib/gssapi/krb5/sign.c U branches/mskrb-integ/src/lib/gssapi/krb5/unseal.c U branches/mskrb-integ/src/lib/gssapi/krb5/util_cksum.c U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c U branches/mskrb-integ/src/lib/gssapi/krb5/verify.c From lhoward at MIT.EDU Tue Dec 2 17:28:31 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 2 Dec 2008 17:28:31 -0500 (EST) Subject: svn rev #21268: branches/mskrb-integ/src/lib/gssapi/ generic/ mechglue/ Message-ID: <200812022228.RAA29271@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21268 Commit By: lhoward Log Message: Swap iov_count and iov arguments; make iov_count an int Changed Files: U branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h U branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_unseal.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_unwrap_iov.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_wrap_iov.c From lhoward at MIT.EDU Tue Dec 2 17:30:34 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 2 Dec 2008 17:30:34 -0500 (EST) Subject: svn rev #21269: branches/mskrb-integ/src/lib/gssapi/ mechglue/ Message-ID: <200812022230.RAA29371@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21269 Commit By: lhoward Log Message: Add gss_wrap_aead() and gss_unwrap_aead(). Note a mechanism may implement gss_wrap_iov()/gss_unwrap_iov() and the mechglue will provide cover implementations of gss_wrap(), gss_unwrap(), gss_seal(), gss_unseal(), gss_wrap_aead() and gss_unwrap_aead(). (Note though that there is presently no cover version of gss_wrap_size_limit().) Changed Files: U branches/mskrb-integ/src/lib/gssapi/libgssapi_krb5.exports U branches/mskrb-integ/src/lib/gssapi/mechglue/Makefile.in A branches/mskrb-integ/src/lib/gssapi/mechglue/g_unwrap_aead.c A branches/mskrb-integ/src/lib/gssapi/mechglue/g_wrap_aead.c U branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h From lhoward at MIT.EDU Tue Dec 2 17:31:13 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 2 Dec 2008 17:31:13 -0500 (EST) Subject: svn rev #21270: branches/mskrb-integ/src/lib/gssapi/spnego/ Message-ID: <200812022231.RAA29454@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21270 Commit By: lhoward Log Message: Add spnego forwarders for AEAD and IOV SPIs Changed Files: U branches/mskrb-integ/src/lib/gssapi/spnego/gssapiP_spnego.h U branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c From lhoward at MIT.EDU Tue Dec 2 23:30:39 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 2 Dec 2008 23:30:39 -0500 (EST) Subject: svn rev #21271: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812030430.XAA03422@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21271 Commit By: lhoward Log Message: Zero outbuf on error return Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/rd_priv.c From lhoward at MIT.EDU Tue Dec 2 23:51:31 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 2 Dec 2008 23:51:31 -0500 (EST) Subject: svn rev #21272: branches/mskrb-integ/src/lib/gssapi/generic/ Message-ID: <200812030451.XAA03712@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21272 Commit By: lhoward Log Message: Add GSS_C_AF_NETBIOS Changed Files: U branches/mskrb-integ/src/lib/gssapi/generic/gssapi.hin From ghudson at MIT.EDU Wed Dec 3 13:21:23 2008 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Wed, 3 Dec 2008 13:21:23 -0500 (EST) Subject: svn rev #21273: trunk/src/ config/ Message-ID: <200812031821.NAA17533@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21273 Commit By: ghudson Log Message: Move warning flags to new variables WARN_CFLAGS and WARN_CXXFLAGS, so that users can override the debugging and optimization flags independently of the warning flags. Remove -Wconversion from the standard set of warning flags since it warns excessively on perfectly good code, and is designed to aid in conversion of code from K&R to ANSI C rather than to maintain code quality. Changed Files: U trunk/src/aclocal.m4 U trunk/src/config/pre.in From tlyu at MIT.EDU Wed Dec 3 14:30:13 2008 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 3 Dec 2008 14:30:13 -0500 (EST) Subject: svn rev #21275: branches/commit-handler-test/ Message-ID: <200812031930.OAA19602@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21275 Commit By: tlyu Log Message: ticket: new status: resolved subject: more commit handler test tags: nochange yet more commit handler test Changed Files: A branches/commit-handler-test/aaaa/ From lhoward at MIT.EDU Wed Dec 3 18:14:51 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 3 Dec 2008 18:14:51 -0500 (EST) Subject: svn rev #21276: branches/mskrb-integ/src/lib/gssapi/generic/ Message-ID: <200812032314.SAA22696@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21276 Commit By: lhoward Log Message: Add buffer set utility functions Changed Files: A branches/mskrb-integ/src/lib/gssapi/generic/util_buffer_set.c From lhoward at MIT.EDU Thu Dec 4 01:23:36 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 4 Dec 2008 01:23:36 -0500 (EST) Subject: svn rev #21277: branches/mskrb-integ/src/include/ Message-ID: <200812040623.BAA27722@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21277 Commit By: lhoward Log Message: Make k5-plugin.h safe for multiple includes Changed Files: U branches/mskrb-integ/src/include/k5-plugin.h From hartmans at MIT.EDU Thu Dec 4 10:48:14 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 4 Dec 2008 10:48:14 -0500 (EST) Subject: svn rev #21279: trunk/src/lib/crypto/ Message-ID: <200812041548.KAA07085@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21279 Commit By: hartmans Log Message: ticket: 6274 Status: open Merge R21122 from mskrb-integ Namespace cleanup Changed Files: U trunk/src/lib/crypto/aead.c U trunk/src/lib/crypto/aead.h U trunk/src/lib/crypto/crypto_length.c U trunk/src/lib/crypto/decrypt.c U trunk/src/lib/crypto/encrypt.c U trunk/src/lib/crypto/encrypt_length.c From hartmans at MIT.EDU Thu Dec 4 10:48:09 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 4 Dec 2008 10:48:09 -0500 (EST) Subject: svn rev #21278: trunk/src/lib/crypto/ Message-ID: <200812041548.KAA07009@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21278 Commit By: hartmans Log Message: ticket: 6274 Status: open Merge r21120 from mskrb-integ Refactor code such that an AEAD provider does not need to implement the older, non-IOV SPIs. Instead, the older APIs will implement their behaviour on top of the AEAD SPIs, using the wrapper functions in aead.c. Changed Files: U trunk/src/lib/crypto/aead.c U trunk/src/lib/crypto/aead.h U trunk/src/lib/crypto/crypto_length.c U trunk/src/lib/crypto/decrypt.c U trunk/src/lib/crypto/encrypt.c U trunk/src/lib/crypto/encrypt_length.c From hartmans at MIT.EDU Thu Dec 4 10:48:19 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 4 Dec 2008 10:48:19 -0500 (EST) Subject: svn rev #21280: trunk/src/lib/crypto/ arcfour/ dk/ Message-ID: <200812041548.KAA07162@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21280 Commit By: hartmans Log Message: ticket: 6274 status: open Cleanup warnings Changed Files: U trunk/src/lib/crypto/aead.c U trunk/src/lib/crypto/arcfour/arcfour_aead.c U trunk/src/lib/crypto/crypto_length.c U trunk/src/lib/crypto/dk/dk_aead.c From hartmans at MIT.EDU Thu Dec 4 13:38:10 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 4 Dec 2008 13:38:10 -0500 (EST) Subject: svn rev #21281: branches/ Message-ID: <200812041838.NAA09622@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21281 Commit By: hartmans Log Message: A branch of the mskrb-integ code with an implementation of AES-ccm . Changed Files: A branches/aes-ccm/ From tlyu at MIT.EDU Thu Dec 4 14:34:40 2008 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Thu, 4 Dec 2008 14:34:40 -0500 (EST) Subject: CVS report: tracking/rt/webrt/Ticket/Elements ShowMemberOf ... Message-ID: <200812041934.OAA10881@drugstore.mit.edu> An embedded and charset-unspecified text was scrubbed... Name: not available Url: http://mailman.mit.edu/pipermail/cvs-krb5/attachments/20081204/f48ec565/attachment.bat From lhoward at MIT.EDU Thu Dec 4 15:10:30 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 4 Dec 2008 15:10:30 -0500 (EST) Subject: svn rev #21282: branches/mskrb-integ/src/lib/crypto/ Message-ID: <200812042010.PAA11548@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21282 Commit By: lhoward Log Message: #6274: Treat input data as constant Changed Files: U branches/mskrb-integ/src/lib/crypto/aead.c From lhoward at MIT.EDU Thu Dec 4 15:58:32 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 4 Dec 2008 15:58:32 -0500 (EST) Subject: svn rev #21283: branches/mskrb-integ/src/lib/crypto/ Message-ID: <200812042058.PAA12339@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21283 Commit By: lhoward Log Message: Be sure to copy input data in krb5int_c_decrypt_aead_compat() Changed Files: U branches/mskrb-integ/src/lib/crypto/aead.c From lhoward at MIT.EDU Thu Dec 4 15:59:28 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 4 Dec 2008 15:59:28 -0500 (EST) Subject: svn rev #21284: branches/mskrb-integ/src/lib/crypto/ Message-ID: <200812042059.PAA12429@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21284 Commit By: lhoward Log Message: Cleanup Changed Files: U branches/mskrb-integ/src/lib/crypto/aead.c From raeburn at MIT.EDU Thu Dec 4 17:26:57 2008 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Thu, 4 Dec 2008 17:26:57 -0500 (EST) Subject: svn rev #21285: trunk/src/ lib/kadm5/srv/ tests/dejagnu/krb-standalone/ Message-ID: <200812042226.RAA13811@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21285 Commit By: raeburn Log Message: ticket: 5667 Fix from Marcus Watts for glob-to-regexp conversion bug. Tweaked test case to exercise the bug. Changed Files: U trunk/src/lib/kadm5/srv/svr_iters.c U trunk/src/tests/dejagnu/krb-standalone/kadmin.exp From hartmans at MIT.EDU Fri Dec 5 08:39:19 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Fri, 5 Dec 2008 08:39:19 -0500 (EST) Subject: svn rev #21286: branches/mskrb-integ/src/ include/krb5/ lib/crypto/ lib/crypto/dk/ ... Message-ID: <200812051339.IAA28785@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21286 Commit By: hartmans Log Message: Move AES CCM implementation to the aes-ccm branch and remove from this branch Changed Files: U branches/mskrb-integ/src/include/krb5/krb5.hin U branches/mskrb-integ/src/lib/crypto/cksumtypes.c U branches/mskrb-integ/src/lib/crypto/dk/Makefile.in D branches/mskrb-integ/src/lib/crypto/dk/dk_ccm.c U branches/mskrb-integ/src/lib/crypto/enc_provider/Makefile.in D branches/mskrb-integ/src/lib/crypto/enc_provider/aes_ctr.c U branches/mskrb-integ/src/lib/crypto/etypes.c U branches/mskrb-integ/src/lib/crypto/keyhash_provider/Makefile.in D branches/mskrb-integ/src/lib/crypto/keyhash_provider/aescbc.c From hartmans at MIT.EDU Fri Dec 5 09:09:40 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Fri, 5 Dec 2008 09:09:40 -0500 (EST) Subject: svn rev #21287: trunk/src/lib/crypto/ Message-ID: <200812051409.JAA29298@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21287 Commit By: hartmans Log Message: ticket: 6274 Status: resolved Merge in fix from ms-krb-integ branch to avoid modifying input data on aead_decrypt_compat Changed Files: U trunk/src/lib/crypto/aead.c From ghudson at MIT.EDU Fri Dec 5 13:30:19 2008 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Fri, 5 Dec 2008 13:30:19 -0500 (EST) Subject: svn rev #21288: trunk/src/tests/dejagnu/krb-root/ Message-ID: <200812051830.NAA03420@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21288 Commit By: ghudson Log Message: In the rlogin tests, expect to see /bin/sh echoed back after sending /bin/sh. If we just look for a shell prompt, we can get out of sync if the login shell decides to clear the line and redisplay the prompt. (I see bash redisplaying the prompt in 30-50% of test runs; I don't know what it's thinking.) Changed Files: U trunk/src/tests/dejagnu/krb-root/rlogin.exp From ghudson at MIT.EDU Fri Dec 5 13:32:09 2008 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Fri, 5 Dec 2008 13:32:09 -0500 (EST) Subject: svn rev #21289: trunk/src/tests/dejagnu/config/ Message-ID: <200812051832.NAA03517@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21289 Commit By: ghudson Log Message: In the dejagnu test suite utilities, use the caller's value of spawn_id in check_exit_status, rather than the global value. Changed Files: U trunk/src/tests/dejagnu/config/default.exp From tsitkova at MIT.EDU Fri Dec 5 14:59:36 2008 From: tsitkova at MIT.EDU (tsitkova@MIT.EDU) Date: Fri, 5 Dec 2008 14:59:36 -0500 (EST) Subject: svn rev #21290: trunk/src/util/profile/ Message-ID: <200812051959.OAA05232@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21290 Commit By: tsitkova Log Message: Ticket: 6286 Changed Files: U trunk/src/util/profile/prof_init.c From tsitkova at MIT.EDU Fri Dec 5 15:18:48 2008 
From: tsitkova at MIT.EDU (tsitkova@MIT.EDU) Date: Fri, 5 Dec 2008 15:18:48 -0500 (EST) Subject: svn rev #21291: trunk/src/kdc/ Message-ID: <200812052018.PAA05761@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21291 Commit By: tsitkova Log Message: Ticket: 6282 Fix data initialization in process_as_req function. Changed Files: U trunk/src/kdc/do_as_req.c From tsitkova at MIT.EDU Fri Dec 5 16:02:09 2008 From: tsitkova at MIT.EDU (tsitkova@MIT.EDU) Date: Fri, 5 Dec 2008 16:02:09 -0500 (EST) Subject: svn rev #21292: trunk/src/lib/krb5/ccache/ Message-ID: <200812052102.QAA06822@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21292 Commit By: tsitkova Log Message: Ticket: 6291 When storing info into cred cache, remove any dups. Changed Files: U trunk/src/lib/krb5/ccache/ccfns.c From ghudson at MIT.EDU Fri Dec 5 16:03:26 2008 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Fri, 5 Dec 2008 16:03:26 -0500 (EST) Subject: svn rev #21293: trunk/src/ config/ kdc/ lib/krb5/asn.1/ util/ss/ Message-ID: <200812052103.QAA06918@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21293 Commit By: ghudson Log Message: Remove some lingering Saber C cruft. Changed Files: U trunk/src/BADSYMS U trunk/src/config/winexclude.sed D trunk/src/kdc/.saberinit D trunk/src/lib/krb5/asn.1/.saberinit U trunk/src/util/ss/execute_cmd.c From lhoward at MIT.EDU Fri Dec 5 19:40:07 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 5 Dec 2008 19:40:07 -0500 (EST) Subject: svn rev #21294: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812060040.TAA11189@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21294 Commit By: lhoward Log Message: Map KRB5_KT_KVNONOTFOUND, KRB5_KT_NOTFOUND, KRB5KRB_AP_ERR_BAD_INTEGRITY to KRB5KRB_AP_WRONG_PRINC Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c From lhoward at MIT.EDU Fri Dec 5 19:52:16 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 5 Dec 2008 19:52:16 -0500 (EST) Subject: svn rev #21295: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812060052.TAA11436@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21295 Commit By: lhoward Log Message: cast away a const warning Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/serialize.c From hartmans at MIT.EDU Mon Dec 8 10:12:11 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 8 Dec 2008 10:12:11 -0500 (EST) Subject: svn rev #21296: branches/mskrb-integ/src/lib/crypto/ Message-ID: <200812081512.KAA07421@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21296 Commit By: hartmans Log Message: Use zap not memset Changed Files: U branches/mskrb-integ/src/lib/crypto/aead.c From ghudson at MIT.EDU Mon Dec 8 17:33:08 2008 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 8 Dec 2008 17:33:08 -0500 (EST) Subject: svn rev #21297: trunk/src/ config/ Message-ID: <200812082233.RAA14250@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21297 Commit By: ghudson Log Message: Add a configure option --disable-rpath to suppress rpath flags in link lines. Useful for OS distributors and for builds which will only be used to run the test suite. Changed Files: U trunk/src/aclocal.m4 U trunk/src/config/pre.in U trunk/src/config/shlib.conf U trunk/src/krb5-config.in From tsitkova at MIT.EDU Tue Dec 9 11:09:20 2008 From: tsitkova at MIT.EDU (tsitkova@MIT.EDU) Date: Tue, 9 Dec 2008 11:09:20 -0500 (EST) Subject: svn rev #21298: trunk/src/lib/gssapi/krb5/ Message-ID: <200812091609.LAA28885@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21298 Commit By: tsitkova Log Message: Ticket: 6294 Release default credentials before exiting krb5_gss_init_sec_context routine. Changed Files: U trunk/src/lib/gssapi/krb5/init_sec_context.c From hartmans at MIT.EDU Tue Dec 9 13:07:45 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Tue, 9 Dec 2008 13:07:45 -0500 (EST) Subject: svn rev #21299: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812091807.NAA00549@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21299 Commit By: hartmans Log Message: Do not throw away error from make_seal_token_iov Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c From ghudson at MIT.EDU Tue Dec 9 14:32:01 2008 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 9 Dec 2008 14:32:01 -0500 (EST) Subject: svn rev #21300: trunk/src/include/ Message-ID: <200812091932.OAA01655@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21300 Commit By: ghudson Log Message: Clean up some kadmind4 relics left behind in osconf.hin. Changed Files: U trunk/src/include/osconf.hin From lhoward at MIT.EDU Tue Dec 9 15:03:32 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 9 Dec 2008 15:03:32 -0500 (EST) Subject: svn rev #21301: branches/mskrb-integ/src/lib/gssapi/generic/ Message-ID: <200812092003.PAA02220@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21301 Commit By: lhoward Log Message: Assign from PADL over to MIT Changed Files: U branches/mskrb-integ/src/lib/gssapi/generic/util_buffer_set.c From lhoward at MIT.EDU Tue Dec 9 15:07:29 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 9 Dec 2008 15:07:29 -0500 (EST) Subject: svn rev #21302: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812092007.PAA02345@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21302 Commit By: lhoward Log Message: correct token header length Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c From lhoward at MIT.EDU Tue Dec 9 17:59:43 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 9 Dec 2008 17:59:43 -0500 (EST) Subject: svn rev #21303: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812092259.RAA05832@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21303 Commit By: lhoward Log Message: kg_unseal_v1_iov() should not attempt to release IOV contents Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c From lhoward at MIT.EDU Tue Dec 9 18:00:32 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 9 Dec 2008 18:00:32 -0500 (EST) Subject: svn rev #21304: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812092300.SAA05940@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21304 Commit By: lhoward Log Message: gss_krb5int_make_seal_token_v3_iov() should release IOV on error return only Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c From lhoward at MIT.EDU Tue Dec 9 19:56:10 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 9 Dec 2008 19:56:10 -0500 (EST) Subject: svn rev #21305: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812100056.TAA07442@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21305 Commit By: lhoward Log Message: fix up IOV header length calculation (again) Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c From lhoward at MIT.EDU Tue Dec 9 20:17:53 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 9 Dec 2008 20:17:53 -0500 (EST) Subject: svn rev #21306: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812100117.UAA07764@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21306 Commit By: lhoward Log Message: Fix some memory smashers in AEAD translation code Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c From lhoward at MIT.EDU Tue Dec 9 20:18:56 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 9 Dec 2008 20:18:56 -0500 (EST) Subject: svn rev #21307: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812100118.UAA07848@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21307 Commit By: lhoward Log Message: Only free IOV on error condition Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c From lhoward at MIT.EDU Tue Dec 9 22:23:27 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 9 Dec 2008 22:23:27 -0500 (EST) Subject: svn rev #21308: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812100323.WAA09354@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21308 Commit By: lhoward Log Message: plug leak Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/util_cksum.c From lhoward at MIT.EDU Tue Dec 9 23:06:06 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 9 Dec 2008 23:06:06 -0500 (EST) Subject: svn rev #21309: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812100406.XAA09917@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21309 Commit By: lhoward Log Message: DCE token header length should include confounder Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c From lhoward at MIT.EDU Tue Dec 9 23:17:07 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 9 Dec 2008 23:17:07 -0500 (EST) Subject: svn rev #21310: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812100417.XAA10113@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21310 Commit By: lhoward Log Message: fix up token length calculation for V1 IOV unwrap Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c From lhoward at MIT.EDU Wed Dec 10 00:30:35 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 10 Dec 2008 00:30:35 -0500 (EST) Subject: svn rev #21311: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812100530.AAA11024@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21311 Commit By: lhoward Log Message: token length for V1 tokens should not include associated data (so that it is the length of an assembled STREAM; recall that associated data may not be transmitted). Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c From lhoward at MIT.EDU Wed Dec 10 23:47:53 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 10 Dec 2008 23:47:53 -0500 (EST) Subject: svn rev #21312: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812110447.XAA00368@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21312 Commit By: lhoward Log Message: Correct some length calculations Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c From lhoward at MIT.EDU Wed Dec 10 23:53:06 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 10 Dec 2008 23:53:06 -0500 (EST) Subject: svn rev #21313: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812110453.XAA00504@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21313 Commit By: lhoward Log Message: Don't include RRC in encrypted header Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c From lhoward at MIT.EDU Thu Dec 11 00:34:23 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 11 Dec 2008 00:34:23 -0500 (EST) Subject: svn rev #21314: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812110534.AAA01056@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21314 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c From lhoward at MIT.EDU Thu Dec 11 00:35:09 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 11 Dec 2008 00:35:09 -0500 (EST) Subject: svn rev #21315: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812110535.AAA01148@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21315 Commit By: lhoward Log Message: fix regression in cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c From lhoward at MIT.EDU Thu Dec 11 01:05:21 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 11 Dec 2008 01:05:21 -0500 (EST) Subject: svn rev #21316: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812110605.BAA01563@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21316 Commit By: lhoward Log Message: fix up key usage / RRC calculations Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c From lhoward at MIT.EDU Thu Dec 11 02:40:35 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 11 Dec 2008 02:40:35 -0500 (EST) Subject: svn rev #21317: branches/mskrb-integ/src/ include/ lib/crypto/ lib/krb5/os/ Message-ID: <200812110740.CAA02720@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21317 Commit By: lhoward Log Message: krb5int_hmac_iov no longer need be exposed Changed Files: U branches/mskrb-integ/src/include/k5-int.h U branches/mskrb-integ/src/lib/crypto/libk5crypto.exports U branches/mskrb-integ/src/lib/krb5/os/accessor.c From lhoward at MIT.EDU Thu Dec 11 09:02:34 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 11 Dec 2008 09:02:34 -0500 (EST) Subject: svn rev #21322: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812111402.JAA09937@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21322 Commit By: lhoward Log Message: fix some bugs with IOV CFX wrap tokens (conf_req_flag==FALSE) Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c From lhoward at MIT.EDU Thu Dec 11 08:02:37 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 11 Dec 2008 08:02:37 -0500 (EST) Subject: svn rev #21319: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812111302.IAA08928@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21319 Commit By: lhoward Log Message: For CFX with IOV APIs, do not use a PADDING buffer; instead, place EC bytes in the TRAILER or HEADER buffer (if the former is absent). This simplifies the code and more clearly reflects the different abstraction layers (PADDING represents cryptosystem padding, EC effectively eliminates PADDING). Finally, it appears that Windows requires AEAD wrap tokens to have a non-zero EC. For DCE, Windows always sends 16 (recall that DCE always pads to 16 bytes), which suggests that it is using EC to pad to the next block (even though CTS doesn't require padding). So, for DCE_STYLE, we now do the following: (a) set EC to the blocksize if the padding length is zero and (b) reflecting the underlying Windows bug, rotate by EC + RRC rather than RRC. Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c From lhoward at MIT.EDU Thu Dec 11 09:16:49 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 11 Dec 2008 09:16:49 -0500 (EST) Subject: svn rev #21323: branches/mskrb-integ/src/lib/crypto/ Message-ID: <200812111416.JAA10183@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21323 Commit By: lhoward Log Message: fix krb5_c_make_checksum_iov() to deal with truncated checksums Changed Files: U branches/mskrb-integ/src/lib/crypto/make_checksum_iov.c From hartmans at MIT.EDU Thu Dec 11 10:26:25 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 11 Dec 2008 10:26:25 -0500 (EST) Subject: svn rev #21324: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812111526.KAA11163@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21324 Commit By: hartmans Log Message: krb5_free_pac cannot be used before the data structure is initialized; use free instead. Indicate that krb5_pac_parse allocates a new PAC. Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/pac.c From raeburn at MIT.EDU Thu Dec 11 16:07:08 2008 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Thu, 11 Dec 2008 16:07:08 -0500 (EST) Subject: svn rev #21325: trunk/src/ Message-ID: <200812112107.QAA16115@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21325 Commit By: raeburn Log Message: ticket: 6297 For Sun Studio compilers, set WARN_CFLAGS to emit warning tag names and make int/ptr mixups a fatal error that will be noticed at build or "make check" time. Tested in a 32-bit build. Changed Files: U trunk/src/aclocal.m4 From lhoward at MIT.EDU Thu Dec 11 16:49:25 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 11 Dec 2008 16:49:25 -0500 (EST) Subject: svn rev #21326: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812112149.QAA16712@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21326 Commit By: lhoward Log Message: krb5_parse_name() does not need to be UTF-8 aware Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/parse.c From lhoward at MIT.EDU Thu Dec 11 16:55:34 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 11 Dec 2008 16:55:34 -0500 (EST) Subject: svn rev #21327: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812112155.QAA16860@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21327 Commit By: lhoward Log Message: Set error text for realm parse errors Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/parse.c From lhoward at MIT.EDU Thu Dec 11 16:56:51 2008
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 11 Dec 2008 16:56:51 -0500 (EST) Subject: svn rev #21328: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812112156.QAA16951@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21328 Commit By: lhoward Log Message: set minor_status to EINVAL if required DATA buffer absent for STREAM unwrap Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c From lhoward at MIT.EDU Thu Dec 11 18:10:10 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 11 Dec 2008 18:10:10 -0500 (EST) Subject: svn rev #21329: branches/mskrb-integ/src/lib/gssapi/generic/ Message-ID: <200812112310.SAA17852@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21329 Commit By: lhoward Log Message: Comment out Solaris extensions for now Changed Files: U branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h From raeburn at MIT.EDU Fri Dec 12 13:33:27 2008 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Fri, 12 Dec 2008 13:33:27 -0500 (EST) Subject: svn rev #21330: trunk/src/tests/dejagnu/krb-standalone/ Message-ID: <200812121833.NAA03960@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21330 Commit By: raeburn Log Message: Accept digits and = in base64 output to flush. Changed Files: U trunk/src/tests/dejagnu/krb-standalone/gssftp.exp From lhoward at MIT.EDU Fri Dec 12 18:20:04 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:20:04 -0500 (EST) Subject: svn rev #21331: branches/mskrb-integ/src/include/ Message-ID: <200812122320.SAA10961@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21331 Commit By: lhoward Log Message: Add Windows-specific KDC errors, structures for RFC 4537 and protocol transition, new ASN.1 encoding prototypes, and bump referral maxhops to 10 Changed Files: U branches/mskrb-integ/src/include/k5-int.h From lhoward at MIT.EDU Fri Dec 12 18:20:37 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:20:37 -0500 (EST) Subject: svn rev #21332: branches/mskrb-integ/src/include/ Message-ID: <200812122320.SAA11041@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21332 Commit By: lhoward Log Message: Add KDB extensions SPI Changed Files: A branches/mskrb-integ/src/include/kdb_ext.h From lhoward at MIT.EDU Fri Dec 12 18:21:38 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:21:38 -0500 (EST) Subject: svn rev #21333: branches/mskrb-integ/src/include/krb5/ Message-ID: <200812122321.SAA11125@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21333 Commit By: lhoward Log Message: Add additional Windows checksum types, KDC flags, preauth data types, public preauth structures, DCE AP-REQ APIs, AD-IF-RELEVANT decoders Changed Files: U branches/mskrb-integ/src/include/krb5/krb5.hin From lhoward at MIT.EDU Fri Dec 12 18:22:09 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:22:09 -0500 (EST) Subject: svn rev #21334: branches/mskrb-integ/src/include/ Message-ID: <200812122322.SAA11205@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21334 Commit By: lhoward Log Message: Make KDB SPI public so plugins can be built outside source tree Changed Files: U branches/mskrb-integ/src/include/Makefile.in U branches/mskrb-integ/src/include/kdb.h From lhoward at MIT.EDU Fri Dec 12 18:23:19 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:23:19 -0500 (EST) Subject: svn rev #21335: branches/mskrb-integ/src/plugins/kdb/db2/ Message-ID: <200812122323.SAA11296@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21335 Commit By: lhoward Log Message: Update for KDB get_principal changes Changed Files: U branches/mskrb-integ/src/plugins/kdb/db2/db2_exp.c From lhoward at MIT.EDU Fri Dec 12 18:23:52 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:23:52 -0500 (EST) Subject: svn rev #21336: branches/mskrb-integ/src/config/ Message-ID: <200812122323.SAA11379@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21336 Commit By: lhoward Log Message: Add GSS_MODULE_DIR Changed Files: U branches/mskrb-integ/src/config/pre.in From lhoward at MIT.EDU Fri Dec 12 18:24:12 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:24:12 -0500 (EST) Subject: svn rev #21337: branches/mskrb-integ/src/config-files/ Message-ID: <200812122324.SAA11455@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21337 Commit By: lhoward Log Message: Add GSS mechglue runtime configuration file Changed Files: A branches/mskrb-integ/src/config-files/mech From lhoward at MIT.EDU Fri Dec 12 18:24:58 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:24:58 -0500 (EST) Subject: svn rev #21338: branches/mskrb-integ/src/lib/crypto/ keyhash_provider/ Message-ID: <200812122324.SAA11539@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21338 Commit By: lhoward Log Message: Add CKSUMTYPE_MD5_HMAC_ARCFOUR, used by Netlogon in Novell code Changed Files: U branches/mskrb-integ/src/lib/crypto/Makefile.in U branches/mskrb-integ/src/lib/crypto/cksumtypes.c U branches/mskrb-integ/src/lib/crypto/keyhash_provider/Makefile.in U branches/mskrb-integ/src/lib/crypto/keyhash_provider/keyhash_provider.h A branches/mskrb-integ/src/lib/crypto/keyhash_provider/md5_hmac.c From lhoward at MIT.EDU Fri Dec 12 18:26:06 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:26:06 -0500 (EST) Subject: svn rev #21339: branches/mskrb-integ/src/lib/kdb/ Message-ID: <200812122326.SAA11636@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21339 Commit By: lhoward Log Message: Update KDB for new APIs (db_invoke and get_principal_ext) Changed Files: U branches/mskrb-integ/src/lib/kdb/decrypt_key.c U branches/mskrb-integ/src/lib/kdb/encrypt_key.c U branches/mskrb-integ/src/lib/kdb/kdb5.c U branches/mskrb-integ/src/lib/kdb/kdb5.h U branches/mskrb-integ/src/lib/kdb/libkdb5.exports From lhoward at MIT.EDU Fri Dec 12 18:26:32 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:26:32 -0500 (EST) Subject: svn rev #21340: branches/mskrb-integ/src/lib/krb5/error_tables/ Message-ID: <200812122326.SAA11716@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21340 Commit By: lhoward Log Message: Add new KDC error codes Changed Files: U branches/mskrb-integ/src/lib/krb5/error_tables/krb5_err.et From lhoward at MIT.EDU Fri Dec 12 18:27:28 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:27:28 -0500 (EST) Subject: svn rev #21341: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812122327.SAA11800@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21341 Commit By: lhoward Log Message: Add krb5_{mk,rd}_rep_dce Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/mk_rep.c U branches/mskrb-integ/src/lib/krb5/krb/rd_rep.c From lhoward at MIT.EDU Fri Dec 12 18:28:08 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:28:08 -0500 (EST) Subject: svn rev #21343: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812122328.SAA11956@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21343 Commit By: lhoward Log Message: Add new free helpers Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/kfree.c From lhoward at MIT.EDU Fri Dec 12 18:27:50 2008
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:27:50 -0500 (EST) Subject: svn rev #21342: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812122327.SAA11880@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21342 Commit By: lhoward Log Message: Add krb5_{en,de}code_ad_if_relevant Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/copy_auth.c From lhoward at MIT.EDU Fri Dec 12 18:28:39 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:28:39 -0500 (EST) Subject: svn rev #21344: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812122328.SAA12036@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21344 Commit By: lhoward Log Message: Add krb5_principal_compare_flags() Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/princ_comp.c From lhoward at MIT.EDU Fri Dec 12 18:29:00 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:29:00 -0500 (EST) Subject: svn rev #21345: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812122329.SAA12116@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21345 Commit By: lhoward Log Message: Ignore ADDRTYPE_NETBIOS when searching for addresses Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/addr_srch.c From lhoward at MIT.EDU Fri Dec 12 18:30:12 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:30:12 -0500 (EST) Subject: svn rev #21346: branches/mskrb-integ/src/lib/krb5/asn.1/ Message-ID: <200812122330.SAA12212@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21346 Commit By: lhoward Log Message: Add ASN.1 encoders/decoders for new Windows types Changed Files: U branches/mskrb-integ/src/lib/krb5/asn.1/asn1_decode.c U branches/mskrb-integ/src/lib/krb5/asn.1/asn1_decode.h U branches/mskrb-integ/src/lib/krb5/asn.1/asn1_encode.c U branches/mskrb-integ/src/lib/krb5/asn.1/asn1_encode.h U branches/mskrb-integ/src/lib/krb5/asn.1/asn1_k_decode.c U branches/mskrb-integ/src/lib/krb5/asn.1/asn1_k_decode.h U branches/mskrb-integ/src/lib/krb5/asn.1/asn1_k_encode.c U branches/mskrb-integ/src/lib/krb5/asn.1/krb5_decode.c U branches/mskrb-integ/src/lib/krb5/asn.1/krbasn1.h From lhoward at MIT.EDU Fri Dec 12 18:30:49 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:30:49 -0500 (EST) Subject: svn rev #21347: branches/mskrb-integ/src/lib/krb5/os/ Message-ID: <200812122330.SAA12294@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21347 Commit By: lhoward Log Message: Check for NULL context in krb5_timeofday() Changed Files: U branches/mskrb-integ/src/lib/krb5/os/timeofday.c From lhoward at MIT.EDU Fri Dec 12 18:31:16 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:31:16 -0500 (EST) Subject: svn rev #21348: branches/mskrb-integ/src/lib/krb5/os/ Message-ID: <200812122331.SAA12372@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21348 Commit By: lhoward Log Message: Plug memory leak in krb5_sname_to_principal Changed Files: U branches/mskrb-integ/src/lib/krb5/os/sn2princ.c From lhoward at MIT.EDU Fri Dec 12 18:31:31 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:31:31 -0500 (EST) Subject: svn rev #21349: branches/mskrb-integ/src/lib/krb5/os/ Message-ID: <200812122331.SAA12452@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21349 Commit By: lhoward Log Message: add krb5_set_profile() Changed Files: U branches/mskrb-integ/src/lib/krb5/os/init_os_ctx.c From lhoward at MIT.EDU Fri Dec 12 18:31:56 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:31:56 -0500 (EST) Subject: svn rev #21350: branches/mskrb-integ/src/lib/krb5/ Message-ID: <200812122331.SAA12532@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21350 Commit By: lhoward Log Message: Update exports for new APIs Changed Files: U branches/mskrb-integ/src/lib/krb5/libkrb5.exports From lhoward at MIT.EDU Fri Dec 12 18:32:28 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:32:28 -0500 (EST) Subject: svn rev #21351: branches/mskrb-integ/src/lib/kadm5/srv/ Message-ID: <200812122332.SAA12613@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21351 Commit By: lhoward Log Message: Update for name canonicalization Changed Files: U branches/mskrb-integ/src/lib/kadm5/srv/server_dict.c U branches/mskrb-integ/src/lib/kadm5/srv/svr_principal.c From lhoward at MIT.EDU Fri Dec 12 18:33:10 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:33:10 -0500 (EST) Subject: svn rev #21352: branches/mskrb-integ/src/lib/gssapi/generic/ Message-ID: <200812122333.SAA12696@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21352 Commit By: lhoward Log Message: Add GSS_C_INQ_SESSION_KEY Changed Files: U branches/mskrb-integ/src/lib/gssapi/generic/gssapi_generic.c From lhoward at MIT.EDU Fri Dec 12 18:34:09 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:34:09 -0500 (EST) Subject: svn rev #21353: branches/mskrb-integ/src/lib/gssapi/generic/ Message-ID: <200812122334.SAA12783@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21353 Commit By: lhoward Log Message: Fix bug in parsing dots vs spaces in OIDs Changed Files: A branches/mskrb-integ/src/lib/gssapi/generic/oid_ops.c From lhoward at MIT.EDU Fri Dec 12 18:56:09 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:56:09 -0500 (EST) Subject: svn rev #21354: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812122356.SAA13106@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21354 Commit By: lhoward Log Message: Support GSS_C_DCE_STYLE Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c From lhoward at MIT.EDU Fri Dec 12 18:56:33 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:56:33 -0500 (EST) Subject: svn rev #21355: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812122356.SAA13187@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21355 Commit By: lhoward Log Message: Add an assertion check Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c From lhoward at MIT.EDU Fri Dec 12 18:57:51 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:57:51 -0500 (EST) Subject: svn rev #21356: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812122357.SAA13274@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21356 Commit By: lhoward Log Message: support GSS_C_DCE_STYLE Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c From lhoward at MIT.EDU Fri Dec 12 18:58:23 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:58:23 -0500 (EST) Subject: svn rev #21357: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812122358.SAA13355@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21357 Commit By: lhoward Log Message: Add gss_complete_auth_token() Changed Files: A branches/mskrb-integ/src/lib/gssapi/mechglue/g_complete_auth_token.c From lhoward at MIT.EDU Fri Dec 12 18:58:59 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:58:59 -0500 (EST) Subject: svn rev #21358: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812122358.SAA13442@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21358 Commit By: lhoward Log Message: Add support for dynamic loading of mechanisms Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c From lhoward at MIT.EDU Fri Dec 12 18:59:35 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 18:59:35 -0500 (EST) Subject: svn rev #21359: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812122359.SAA13523@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21359 Commit By: lhoward Log Message: Add gss_inquire_cred_by_oid() Changed Files: A branches/mskrb-integ/src/lib/gssapi/mechglue/g_inq_cred_oid.c From lhoward at MIT.EDU Fri Dec 12 19:00:05 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 19:00:05 -0500 (EST) Subject: svn rev #21360: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812130000.TAA13614@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21360 Commit By: lhoward Log Message: add gssspi_mech_invoke() Changed Files: A branches/mskrb-integ/src/lib/gssapi/mechglue/g_mech_invoke.c From lhoward at MIT.EDU Fri Dec 12 19:02:13 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 19:02:13 -0500 (EST) Subject: svn rev #21361: branches/mskrb-integ/src/lib/gssapi/spnego/ Message-ID: <200812130002.TAA13709@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21361 Commit By: lhoward Log Message: Build SPNEGO mechanism as a plugin (will need to be moved to the plugins directory). Add NegHints support for Windows/Samba interop. Changed Files: U branches/mskrb-integ/src/lib/gssapi/spnego/Makefile.in U branches/mskrb-integ/src/lib/gssapi/spnego/gssapiP_spnego.h A branches/mskrb-integ/src/lib/gssapi/spnego/mech_spnego.exports U branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c From tsitkova at MIT.EDU Fri Dec 12 19:05:34 2008 From: tsitkova at MIT.EDU (tsitkova@MIT.EDU) Date: Fri, 12 Dec 2008 19:05:34 -0500 (EST) Subject: svn rev #21362: trunk/src/lib/krb5/ccache/ccapi/ Message-ID: <200812130005.TAA13829@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21362 Commit By: tsitkova Log Message: Ticket: 6299. Fixed memory leak in krb5_stdccv3_remove. Changed Files: U trunk/src/lib/krb5/ccache/ccapi/stdcc.c From lhoward at MIT.EDU Fri Dec 12 23:01:53 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:01:53 -0500 (EST) Subject: svn rev #21363: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812130401.XAA16744@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21363 Commit By: lhoward Log Message: Add new mechanism-specific APIs Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h From lhoward at MIT.EDU Fri Dec 12 23:19:23 2008
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:19:23 -0500 (EST) Subject: svn rev #21364: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812130419.XAA17044@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21364 Commit By: lhoward Log Message: Use symbolic token names Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c From lhoward at MIT.EDU Fri Dec 12 23:20:05 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:20:05 -0500 (EST) Subject: svn rev #21365: branches/mskrb-integ/src/lib/gssapi/generic/ Message-ID: <200812130420.XAA17079@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21365 Commit By: lhoward Log Message: Add prototypes for buffer set, OID set APIs Add token header flags Changed Files: U branches/mskrb-integ/src/lib/gssapi/generic/gssapiP_generic.h From lhoward at MIT.EDU Fri Dec 12 23:20:24 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:20:24 -0500 (EST) Subject: svn rev #21366: branches/mskrb-integ/src/lib/gssapi/generic/ Message-ID: <200812130420.XAA17106@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21366 Commit By: lhoward Log Message: Support G_VFY_TOKEN_HDR_IGNORE_SEQ_SIZE Changed Files: U branches/mskrb-integ/src/lib/gssapi/generic/util_token.c From lhoward at MIT.EDU Fri Dec 12 23:20:43 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:20:43 -0500 (EST) Subject: svn rev #21367: branches/mskrb-integ/src/lib/gssapi/generic/ Message-ID: <200812130420.XAA17133@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21367 Commit By: lhoward Log Message: Make generic APIs usable by plugins Changed Files: U branches/mskrb-integ/src/lib/gssapi/generic/Makefile.in U branches/mskrb-integ/src/lib/gssapi/generic/disp_com_err_status.c U branches/mskrb-integ/src/lib/gssapi/generic/gssapi_generic.h U branches/mskrb-integ/src/lib/gssapi/generic/util_validate.c From lhoward at MIT.EDU Fri Dec 12 23:22:07 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:22:07 -0500 (EST) Subject: svn rev #21368: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812130422.XAA17168@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21368 Commit By: lhoward Log Message: Refactor for mechglue changes. Introduce new mechanism-specific APIs: gsskrb5_extract_authz_data_from_sec_context, gss_krb5_get_subkey, gss_krb5_set_cred_rcache (from Heimdal) Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/Makefile.in U branches/mskrb-integ/src/lib/gssapi/krb5/acquire_cred.c U branches/mskrb-integ/src/lib/gssapi/krb5/canon_name.c U branches/mskrb-integ/src/lib/gssapi/krb5/delete_sec_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/disp_status.c U branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c U branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.hin U branches/mskrb-integ/src/lib/gssapi/krb5/import_sec_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/indicate_mechs.c U branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/inq_cred.c U branches/mskrb-integ/src/lib/gssapi/krb5/inq_names.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c U branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/set_ccache.c From lhoward at MIT.EDU Fri Dec 12 23:23:08 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:23:08 -0500 (EST) Subject: svn rev #21370: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812130423.XAA17222@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21370 Commit By: lhoward Log Message: gssint_wrap_size_limit_iov_shim() (incomplete) Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c From lhoward at MIT.EDU Fri Dec 12 23:23:33 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:23:33 -0500 (EST) Subject: svn rev #21371: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812130423.XAA17251@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21371 Commit By: lhoward Log Message: Detect raw NTLM tokens and redirect them to the NTLM module. Support acceptor-first SPNEGO. Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_glue.c From lhoward at MIT.EDU Fri Dec 12 23:24:40 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:24:40 -0500 (EST) Subject: svn rev #21372: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812130424.XAA17284@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21372 Commit By: lhoward Log Message: gss_export_name_object() Changed Files: A branches/mskrb-integ/src/lib/gssapi/mechglue/g_export_name_object.c From lhoward at MIT.EDU Fri Dec 12 23:24:59 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:24:59 -0500 (EST) Subject: svn rev #21373: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812130424.XAA17309@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21373 Commit By: lhoward Log Message: gssint_userok() (unused) Changed Files: A branches/mskrb-integ/src/lib/gssapi/mechglue/g_userok.c From lhoward at MIT.EDU Fri Dec 12 23:25:10 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:25:10 -0500 (EST) Subject: svn rev #21374: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812130425.XAA17342@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21374 Commit By: lhoward Log Message: gssd_pname_to_uid() (unused) Changed Files: A branches/mskrb-integ/src/lib/gssapi/mechglue/gssd_pname_to_uid.c From lhoward at MIT.EDU Fri Dec 12 23:25:19 2008
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:25:19 -0500 (EST) Subject: svn rev #21375: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812130425.XAA17369@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21375 Commit By: lhoward Log Message: mech.conf now lives in config-files/mech Changed Files: D branches/mskrb-integ/src/lib/gssapi/mechglue/mech.conf From lhoward at MIT.EDU Fri Dec 12 23:25:33 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:25:33 -0500 (EST) Subject: svn rev #21376: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812130425.XAA17394@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21376 Commit By: lhoward Log Message: gssspi_set_cred_option() Changed Files: A branches/mskrb-integ/src/lib/gssapi/mechglue/g_set_cred_option.c From lhoward at MIT.EDU Fri Dec 12 23:25:44 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:25:44 -0500 (EST) Subject: svn rev #21377: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812130425.XAA17419@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21377 Commit By: lhoward Log Message: add buffer set API covers Changed Files: A branches/mskrb-integ/src/lib/gssapi/mechglue/g_buffer_set.c From lhoward at MIT.EDU Fri Dec 12 23:25:55 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:25:55 -0500 (EST) Subject: svn rev #21378: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812130425.XAA17442@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21378 Commit By: lhoward Log Message: oid_ops.c now lives in generic/ Changed Files: D branches/mskrb-integ/src/lib/gssapi/mechglue/oid_ops.c From lhoward at MIT.EDU Fri Dec 12 23:26:08 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:26:08 -0500 (EST) Subject: svn rev #21379: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812130426.XAA17465@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21379 Commit By: lhoward Log Message: gss_inquire_sec_context_by_oid() Changed Files: A branches/mskrb-integ/src/lib/gssapi/mechglue/g_inq_context_oid.c From lhoward at MIT.EDU Fri Dec 12 23:26:26 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:26:26 -0500 (EST) Subject: svn rev #21380: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812130426.XAA17492@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21380 Commit By: lhoward Log Message: gss_set_sec_context_option() Changed Files: A branches/mskrb-integ/src/lib/gssapi/mechglue/g_set_context_option.c From lhoward at MIT.EDU Fri Dec 12 23:27:16 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:27:16 -0500 (EST) Subject: svn rev #21381: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812130427.XAA17523@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21381 Commit By: lhoward Log Message: Remove void *context argument from mechglue SPIs Add extension SPIs Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/Makefile.in U branches/mskrb-integ/src/lib/gssapi/mechglue/g_accept_sec_context.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_acquire_cred.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_compare_name.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_context_time.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_delete_sec_context.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_dsp_status.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_exp_sec_context.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_export_name.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_imp_name.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_imp_sec_context.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_init_sec_context.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_inq_context.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_inq_cred.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_inq_names.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_oid_ops.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_process_context.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_rel_cred.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_sign.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_store_cred.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_unseal.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_verify.c U branches/mskrb-integ/src/lib/gssapi/mechglue/mechglue.h U branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h From lhoward at MIT.EDU Fri Dec 12 23:27:38 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:27:38 -0500 (EST) Subject: svn rev #21382: branches/mskrb-integ/src/lib/gssapi/ Message-ID: <200812130427.XAA17550@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21382 Commit By: lhoward Log Message: Add new APIs, cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/Makefile.in D branches/mskrb-integ/src/lib/gssapi/gss_libinit.c D branches/mskrb-integ/src/lib/gssapi/gss_libinit.h U branches/mskrb-integ/src/lib/gssapi/libgssapi_krb5.exports From lhoward at MIT.EDU Fri Dec 12 23:36:52 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:36:52 -0500 (EST) Subject: svn rev #21383: branches/mskrb-integ/src/lib/gssapi/ Message-ID: <200812130436.XAA17704@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21383 Commit By: lhoward Log Message: remove SPNEGO from lib/gssapi Changed Files: D branches/mskrb-integ/src/lib/gssapi/spnego/ From lhoward at MIT.EDU Fri Dec 12 23:39:12 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:39:12 -0500 (EST) Subject: svn rev #21384: branches/mskrb-integ/src/plugins/ Message-ID: <200812130439.XAA17763@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21384 Commit By: lhoward Log Message: add gssapi directory Changed Files: A branches/mskrb-integ/src/plugins/gssapi/ From lhoward at MIT.EDU Fri Dec 12 23:22:50 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:22:50 -0500 (EST) Subject: svn rev #21369: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812130422.XAA17199@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21369 Commit By: lhoward Log Message: gss_import_name_object() (incomplete) Changed Files: A branches/mskrb-integ/src/lib/gssapi/mechglue/g_imp_name_object.c From lhoward at MIT.EDU Fri Dec 12 23:41:21 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:41:21 -0500 (EST) Subject: svn rev #21385: branches/mskrb-integ/src/plugins/gssapi/ spnego/ Message-ID: <200812130441.XAA17823@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21385 Commit By: lhoward Log Message: Add SPNEGO plugin (owing to SVN weirdness I have probably lost the version history here - hopefully this can be fixed when merging) Changed Files: A branches/mskrb-integ/src/plugins/gssapi/spnego/ A branches/mskrb-integ/src/plugins/gssapi/spnego/Makefile.in A branches/mskrb-integ/src/plugins/gssapi/spnego/gssapiP_spnego.h A branches/mskrb-integ/src/plugins/gssapi/spnego/mech_spnego.exports A branches/mskrb-integ/src/plugins/gssapi/spnego/spnego_mech.c From lhoward at MIT.EDU Fri Dec 12 23:42:39 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:42:39 -0500 (EST) Subject: svn rev #21386: branches/mskrb-integ/src/ Message-ID: <200812130442.XAA17872@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21386 Commit By: lhoward Log Message: Add plugins/gssapi/spnego Changed Files: U branches/mskrb-integ/src/configure.in From lhoward at MIT.EDU Fri Dec 12 23:44:12 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:44:12 -0500 (EST) Subject: svn rev #21387: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812130444.XAA17909@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21387 Commit By: lhoward Log Message: cleanup deps Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/Makefile.in From lhoward at MIT.EDU Fri Dec 12 23:44:46 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:44:46 -0500 (EST) Subject: svn rev #21388: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812130444.XAA17940@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21388 Commit By: lhoward Log Message: cleanup deps Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/Makefile.in U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c From lhoward at MIT.EDU Fri Dec 12 23:45:10 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:45:10 -0500 (EST) Subject: svn rev #21389: branches/mskrb-integ/src/ Message-ID: <200812130445.XAA17971@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21389 Commit By: lhoward Log Message: Add plugins/gssapi/spnego Changed Files: U branches/mskrb-integ/src/Makefile.in From lhoward at MIT.EDU Fri Dec 12 23:46:23 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 12 Dec 2008 23:46:23 -0500 (EST) Subject: svn rev #21390: branches/mskrb-integ/src/kadmin/cli/ Message-ID: <200812130446.XAA18010@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21390 Commit By: lhoward Log Message: display canon principal Changed Files: U branches/mskrb-integ/src/kadmin/cli/kadmin.c From lhoward at MIT.EDU Sat Dec 13 00:04:09 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 00:04:09 -0500 (EST) Subject: svn rev #21391: branches/mskrb-integ/src/kdc/ Message-ID: <200812130504.AAA18230@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21391 Commit By: lhoward Log Message: Add max_dgram_reply_size Changed Files: U branches/mskrb-integ/src/kdc/extern.c U branches/mskrb-integ/src/kdc/extern.h From lhoward at MIT.EDU Sat Dec 13 00:05:27 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 00:05:27 -0500 (EST) Subject: svn rev #21392: branches/mskrb-integ/src/kdc/ Message-ID: <200812130505.AAA18274@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21392 Commit By: lhoward Log Message: Return KRB_ERR_RESPONSE_TOO_BIG if a UDP response would exceed max_dgram_reply_size. Invoke the KRB5_KDB_METHOD_REFRESH_POLICY method on SIGHUP. Changed Files: U branches/mskrb-integ/src/kdc/network.c From lhoward at MIT.EDU Sat Dec 13 00:11:39 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 00:11:39 -0500 (EST) Subject: svn rev #21393: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812130511.AAA18364@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21393 Commit By: lhoward Log Message: plug leak Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c From lhoward at MIT.EDU Sat Dec 13 00:21:30 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 00:21:30 -0500 (EST) Subject: svn rev #21394: branches/mskrb-integ/src/lib/gssapi/ krb5/ Message-ID: <200812130521.AAA18491@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21394 Commit By: lhoward Log Message: align subkey APIs with Heimdal Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c U branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.hin U branches/mskrb-integ/src/lib/gssapi/libgssapi_krb5.exports From lhoward at MIT.EDU Sat Dec 13 00:23:08 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 00:23:08 -0500 (EST) Subject: svn rev #21395: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812130523.AAA18534@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21395 Commit By: lhoward Log Message: comment out gss_krb5_set_cred_alias() for now Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c From lhoward at MIT.EDU Sat Dec 13 00:26:33 2008
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 00:26:33 -0500 (EST) Subject: svn rev #21396: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812130526.AAA18598@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21396 Commit By: lhoward Log Message: fix build error Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_glue.c From lhoward at MIT.EDU Sat Dec 13 00:28:36 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 00:28:36 -0500 (EST) Subject: svn rev #21397: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812130528.AAA18696@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21397 Commit By: lhoward Log Message: fix method signature Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h From lhoward at MIT.EDU Sat Dec 13 00:31:45 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 00:31:45 -0500 (EST) Subject: svn rev #21398: branches/mskrb-integ/src/ include/ include/krb5/ lib/krb5/krb/ Message-ID: <200812130531.AAA18836@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21398 Commit By: lhoward Log Message: s/time_t/krb5_timestamp Changed Files: U branches/mskrb-integ/src/include/k5-int.h U branches/mskrb-integ/src/include/krb5/krb5.hin U branches/mskrb-integ/src/lib/krb5/krb/pac.c From lhoward at MIT.EDU Sat Dec 13 00:34:02 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 00:34:02 -0500 (EST) Subject: svn rev #21399: branches/mskrb-integ/src/kdc/ Message-ID: <200812130534.AAA18940@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21399 Commit By: lhoward Log Message: add prototypes Changed Files: U branches/mskrb-integ/src/kdc/kdc_util.h From lhoward at MIT.EDU Sat Dec 13 02:39:37 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 02:39:37 -0500 (EST) Subject: svn rev #21400: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812130739.CAA20386@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21400 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c From lhoward at MIT.EDU Sat Dec 13 02:40:36 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 02:40:36 -0500 (EST) Subject: svn rev #21401: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812130740.CAA20426@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21401 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c From lhoward at MIT.EDU Sat Dec 13 04:36:53 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 04:36:53 -0500 (EST) Subject: svn rev #21402: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812130936.EAA24115@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21402 Commit By: lhoward Log Message: refactor mechanism specific API Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/acquire_cred.c U branches/mskrb-integ/src/lib/gssapi/krb5/copy_ccache.c U branches/mskrb-integ/src/lib/gssapi/krb5/get_tkt_flags.c U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h U branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c U branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c U branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/set_allowable_enctypes.c U branches/mskrb-integ/src/lib/gssapi/krb5/set_ccache.c From lhoward at MIT.EDU Sat Dec 13 04:57:57 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 04:57:57 -0500 (EST) Subject: svn rev #21403: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812130957.EAA24483@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21403 Commit By: lhoward Log Message: cleanup, add gss_krb5int_extract_authtime_from_sec_context() Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h U branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.hin U branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c From lhoward at MIT.EDU Sat Dec 13 07:57:17 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 07:57:17 -0500 (EST) Subject: svn rev #21404: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812131257.HAA26591@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21404 Commit By: lhoward Log Message: Cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c From lhoward at MIT.EDU Sat Dec 13 08:10:39 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 08:10:39 -0500 (EST) Subject: svn rev #21405: branches/mskrb-integ/src/lib/gssapi/ krb5/ Message-ID: <200812131310.IAA26830@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21405 Commit By: lhoward Log Message: save ticket times in krb5_ticket_times struct Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/context_time.c U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h U branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5seal.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5unseal.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/ser_sctx.c U branches/mskrb-integ/src/lib/gssapi/libgssapi_krb5.exports From lhoward at MIT.EDU Sat Dec 13 08:16:56 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 08:16:56 -0500 (EST) Subject: svn rev #21406: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812131316.IAA26966@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21406 Commit By: lhoward Log Message: Explicit copyrights for Novell Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c U branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c From lhoward at MIT.EDU Sat Dec 13 08:19:06 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 08:19:06 -0500 (EST) Subject: svn rev #21407: branches/mskrb-integ/src/ lib/krb5/krb/ plugins/gssapi/spnego/ Message-ID: <200812131319.IAA27053@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21407 Commit By: lhoward Log Message: Provide explicit copyright notices for Novell contributed code Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/copy_auth.c U branches/mskrb-integ/src/lib/krb5/krb/kfree.c U branches/mskrb-integ/src/lib/krb5/krb/mk_rep.c U branches/mskrb-integ/src/lib/krb5/krb/rd_rep.c U branches/mskrb-integ/src/plugins/gssapi/spnego/spnego_mech.c From lhoward at MIT.EDU Sat Dec 13 08:26:20 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 08:26:20 -0500 (EST) Subject: svn rev #21408: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812131326.IAA27212@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21408 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/acquire_cred.c U branches/mskrb-integ/src/lib/gssapi/krb5/copy_ccache.c U branches/mskrb-integ/src/lib/gssapi/krb5/get_tkt_flags.c From lhoward at MIT.EDU Sat Dec 13 08:29:34 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 08:29:34 -0500 (EST) Subject: svn rev #21409: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812131329.IAA27320@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21409 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/copy_ccache.c U branches/mskrb-integ/src/lib/gssapi/krb5/set_ccache.c From lhoward at MIT.EDU Sat Dec 13 09:13:28 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 09:13:28 -0500 (EST) Subject: svn rev #21410: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812131413.JAA27898@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21410 Commit By: lhoward Log Message: Add some missing calls to map_error(). Ensure input payload buffers are copied into the IOV. Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_complete_auth_token.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_inq_context_oid.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_inq_cred_oid.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_mech_invoke.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_set_context_option.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_set_cred_option.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_unwrap_aead.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_userok.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_wrap_aead.c U branches/mskrb-integ/src/lib/gssapi/mechglue/gssd_pname_to_uid.c From lhoward at MIT.EDU Sat Dec 13 18:15:14 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 18:15:14 -0500 (EST) Subject: svn rev #21411: branches/mskrb-integ/src/lib/krb5/ Message-ID: <200812132315.SAA04333@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21411 Commit By: lhoward Log Message: don't export krb5int_utf8_normcmp Changed Files: U branches/mskrb-integ/src/lib/krb5/libkrb5.exports From lhoward at MIT.EDU Sat Dec 13 18:45:44 2008
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 18:45:44 -0500 (EST) Subject: svn rev #21413: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812132345.SAA04834@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21413 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_wrap_aead.c From lhoward at MIT.EDU Sat Dec 13 18:45:00 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 18:45:00 -0500 (EST) Subject: svn rev #21412: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812132345.SAA04748@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21412 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_wrap_aead.c From lhoward at MIT.EDU Sat Dec 13 18:54:13 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 18:54:13 -0500 (EST) Subject: svn rev #21414: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812132354.SAA05011@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21414 Commit By: lhoward Log Message: CFX uses EC instead of PADDING; fixup STREAM code to handle this Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c From lhoward at MIT.EDU Sat Dec 13 18:57:06 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 18:57:06 -0500 (EST) Subject: svn rev #21415: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812132357.SAA05121@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21415 Commit By: lhoward Log Message: Initialize PADDING and TRAILER type/flags Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c From lhoward at MIT.EDU Sat Dec 13 19:00:58 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 19:00:58 -0500 (EST) Subject: svn rev #21416: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812140000.TAA05239@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21416 Commit By: lhoward Log Message: For CFX IOV unwrap, check PADDING is zero length. For CFX IOV wrap, initialize PADDING to zero. (EC is used for any "real" padding.) Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c From lhoward at MIT.EDU Sat Dec 13 19:03:29 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 19:03:29 -0500 (EST) Subject: svn rev #21417: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812140003.TAA05342@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21417 Commit By: lhoward Log Message: Fixup IOV CFX non-DCE case, where no PADDING buffer is used but EC is placed in TRAILER Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c From lhoward at MIT.EDU Sat Dec 13 19:13:22 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 19:13:22 -0500 (EST) Subject: svn rev #21418: branches/mskrb-integ/src/include/krb5/ Message-ID: <200812140013.TAA05522@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21418 Commit By: lhoward Log Message: remove Novell compat macros Changed Files: U branches/mskrb-integ/src/include/krb5/krb5.hin From lhoward at MIT.EDU Sat Dec 13 20:06:42 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 20:06:42 -0500 (EST) Subject: svn rev #21419: branches/mskrb-integ/src/kdc/ Message-ID: <200812140106.UAA06255@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21419 Commit By: lhoward Log Message: Make maximum datagram size configurable Changed Files: U branches/mskrb-integ/src/kdc/main.c From lhoward at MIT.EDU Sat Dec 13 20:52:48 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 20:52:48 -0500 (EST) Subject: svn rev #21420: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812140152.UAA06844@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21420 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_unseal.c From lhoward at MIT.EDU Sat Dec 13 21:45:53 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 21:45:53 -0500 (EST) Subject: svn rev #21421: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812140245.VAA07504@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21421 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_rel_name.c From lhoward at MIT.EDU Sat Dec 13 21:58:58 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 13 Dec 2008 21:58:58 -0500 (EST) Subject: svn rev #21422: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812140258.VAA07711@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21422 Commit By: lhoward Log Message: implement gss_import_name_object Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_imp_name_object.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_rel_oid_set.c From lhoward at MIT.EDU Mon Dec 15 00:03:03 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 00:03:03 -0500 (EST) Subject: svn rev #21423: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812150503.AAA27788@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21423 Commit By: lhoward Log Message: Honour rlen Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/bld_princ.c From lhoward at MIT.EDU Mon Dec 15 00:08:32 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 00:08:32 -0500 (EST) Subject: svn rev #21424: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812150508.AAA27928@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21424 Commit By: lhoward Log Message: fix access violation owing to incorrect ordering Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c From lhoward at MIT.EDU Mon Dec 15 00:19:44 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 00:19:44 -0500 (EST) Subject: svn rev #21425: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812150519.AAA28121@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21425 Commit By: lhoward Log Message: dispatch mechanism specific API on OID prefixes Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c From lhoward at MIT.EDU Mon Dec 15 01:58:54 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 01:58:54 -0500 (EST) Subject: svn rev #21426: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812150658.BAA29341@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21426 Commit By: lhoward Log Message: Fix up padding calculation for DCE pre-CFX IOV case Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c From lhoward at MIT.EDU Mon Dec 15 01:59:21 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 01:59:21 -0500 (EST) Subject: svn rev #21427: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812150659.BAA29365@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21427 Commit By: lhoward Log Message: get GSS DCE acceptor working Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c From lhoward at MIT.EDU Mon Dec 15 01:59:45 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 01:59:45 -0500 (EST) Subject: svn rev #21428: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812150659.BAA29397@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21428 Commit By: lhoward Log Message: allow mechanism registration to override OID in dispatch table Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c U branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h From lhoward at MIT.EDU Mon Dec 15 02:00:49 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 02:00:49 -0500 (EST) Subject: svn rev #21429: branches/mskrb-integ/src/include/ Message-ID: <200812150700.CAA29436@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21429 Commit By: lhoward Log Message: Remove KRB5_LIBOPT_RD_REQ_TRY_HOST_SPN Changed Files: U branches/mskrb-integ/src/include/k5-int.h From lhoward at MIT.EDU Mon Dec 15 02:02:55 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 02:02:55 -0500 (EST) Subject: svn rev #21430: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812150702.CAA29479@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21430 Commit By: lhoward Log Message: integrate Novell patch to always try referrals - I have not reviewed this Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/gc_frm_kdc.c From lhoward at MIT.EDU Mon Dec 15 02:22:35 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 02:22:35 -0500 (EST) Subject: svn rev #21431: branches/mskrb-integ/src/ include/krb5/ lib/krb5/krb/ Message-ID: <200812150722.CAA29764@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21431 Commit By: lhoward Log Message: Add KRB5_GC_CANONICALIZE to allow krb5_get_credentials() to set canonicalize KDC option Changed Files: U branches/mskrb-integ/src/include/krb5/krb5.hin U branches/mskrb-integ/src/lib/krb5/krb/gc_frm_kdc.c U branches/mskrb-integ/src/lib/krb5/krb/get_creds.c U branches/mskrb-integ/src/lib/krb5/krb/int-proto.h From lhoward at MIT.EDU Mon Dec 15 02:23:04 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 02:23:04 -0500 (EST) Subject: svn rev #21432: branches/mskrb-integ/src/clients/kvno/ Message-ID: <200812150723.CAA29794@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21432 Commit By: lhoward Log Message: Add -C option to kvno to specify canonicalize KDC option Changed Files: U branches/mskrb-integ/src/clients/kvno/kvno.c From lhoward at MIT.EDU Mon Dec 15 02:39:45 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 02:39:45 -0500 (EST) Subject: svn rev #21433: branches/mskrb-integ/src/ include/krb5/ lib/krb5/ lib/krb5/krb/ Message-ID: <200812150739.CAA29999@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21433 Commit By: lhoward Log Message: Add krb5_get_init_creds_opt_set_canonicalize() Changed Files: U branches/mskrb-integ/src/include/krb5/krb5.hin U branches/mskrb-integ/src/lib/krb5/krb/get_in_tkt.c U branches/mskrb-integ/src/lib/krb5/krb/gic_opt.c U branches/mskrb-integ/src/lib/krb5/libkrb5.exports From lhoward at MIT.EDU Mon Dec 15 02:40:00 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 02:40:00 -0500 (EST) Subject: svn rev #21434: branches/mskrb-integ/src/clients/kinit/ Message-ID: <200812150740.CAA00031@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21434 Commit By: lhoward Log Message: Add -C canonicalize option to kinit Changed Files: U branches/mskrb-integ/src/clients/kinit/kinit.c From lhoward at MIT.EDU Mon Dec 15 08:35:01 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 08:35:01 -0500 (EST) Subject: svn rev #21435: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812151335.IAA06568@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21435 Commit By: lhoward Log Message: Allow the canonicalize option to be set in krb5.conf for setting the canonicalize request on AS-REQs Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/get_in_tkt.c From lhoward at MIT.EDU Mon Dec 15 08:43:08 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 08:43:08 -0500 (EST) Subject: svn rev #21436: branches/mskrb-integ/src/kdc/ Message-ID: <200812151343.IAA06727@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21436 Commit By: lhoward Log Message: Integrate Novell KDC patches for authorization data and referrals Changed Files: U branches/mskrb-integ/src/kdc/do_as_req.c U branches/mskrb-integ/src/kdc/do_tgs_req.c U branches/mskrb-integ/src/kdc/kdc_authdata.c U branches/mskrb-integ/src/kdc/kdc_preauth.c U branches/mskrb-integ/src/kdc/kdc_util.c U branches/mskrb-integ/src/kdc/kdc_util.h U branches/mskrb-integ/src/kdc/policy.c From lhoward at MIT.EDU Mon Dec 15 09:38:35 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 09:38:35 -0500 (EST) Subject: svn rev #21437: branches/mskrb-integ/src/kdc/ Message-ID: <200812151438.JAA07488@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21437 Commit By: lhoward Log Message: fix warning Changed Files: U branches/mskrb-integ/src/kdc/kdc_util.c From lhoward at MIT.EDU Mon Dec 15 09:48:05 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 09:48:05 -0500 (EST) Subject: svn rev #21438: branches/mskrb-integ/src/kdc/ Message-ID: <200812151448.JAA07667@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21438 Commit By: lhoward Log Message: Cleanup and avoid potential NULL pointer dereference in error path Changed Files: U branches/mskrb-integ/src/kdc/do_as_req.c U branches/mskrb-integ/src/kdc/do_tgs_req.c From lhoward at MIT.EDU Mon Dec 15 09:50:03 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 09:50:03 -0500 (EST) Subject: svn rev #21439: branches/mskrb-integ/src/kdc/ Message-ID: <200812151450.JAA07714@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21439 Commit By: lhoward Log Message: Cleanup Changed Files: U branches/mskrb-integ/src/kdc/do_as_req.c U branches/mskrb-integ/src/kdc/do_tgs_req.c From lhoward at MIT.EDU Mon Dec 15 09:57:21 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 09:57:21 -0500 (EST) Subject: svn rev #21440: branches/mskrb-integ/src/kdc/ Message-ID: <200812151457.JAA07813@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21440 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c From lhoward at MIT.EDU Mon Dec 15 10:14:59 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 10:14:59 -0500 (EST) Subject: svn rev #21441: branches/mskrb-integ/src/kdc/ Message-ID: <200812151514.KAA08041@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21441 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c From lhoward at MIT.EDU Mon Dec 15 10:20:22 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 10:20:22 -0500 (EST) Subject: svn rev #21442: branches/mskrb-integ/src/kdc/ Message-ID: <200812151520.KAA08153@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21442 Commit By: lhoward Log Message: Cleanup Changed Files: U branches/mskrb-integ/src/kdc/kdc_util.c From lhoward at MIT.EDU Mon Dec 15 10:24:26 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 10:24:26 -0500 (EST) Subject: svn rev #21443: branches/mskrb-integ/src/kdc/ Message-ID: <200812151524.KAA08220@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21443 Commit By: lhoward Log Message: Cleanup Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c U branches/mskrb-integ/src/kdc/kdc_util.c From lhoward at MIT.EDU Mon Dec 15 10:26:18 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 10:26:18 -0500 (EST) Subject: svn rev #21444: branches/mskrb-integ/src/kdc/ Message-ID: <200812151526.KAA08267@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21444 Commit By: lhoward Log Message: Cleanup Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c From ghudson at MIT.EDU Mon Dec 15 13:24:00 2008 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 15 Dec 2008 13:24:00 -0500 (EST) Subject: svn rev #21445: trunk/src/kadmin/dbutil/ Message-ID: <200812151824.NAA10944@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21445 Commit By: ghudson Log Message: ticket: 6303 status: open Remove loadv4/dumpv4 code in kdb5_util. (The command table entries for this code had already been commented out previously.) Changed Files: U trunk/src/kadmin/dbutil/Makefile.in D trunk/src/kadmin/dbutil/dumpv4.c U trunk/src/kadmin/dbutil/kdb5_util.M U trunk/src/kadmin/dbutil/kdb5_util.c U trunk/src/kadmin/dbutil/kdb5_util.h D trunk/src/kadmin/dbutil/loadv4.c From ghudson at MIT.EDU Mon Dec 15 13:26:48 2008 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 15 Dec 2008 13:26:48 -0500 (EST) Subject: svn rev #21446: trunk/src/kadmin/ktutil/ Message-ID: <200812151826.NAA11049@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21446 Commit By: ghudson Log Message: ticket: 6303 status: open In ktutil, remove code for wst (write srvtab). Reimplement rst (read srvtab) as an alias for "rkt SRVTAB:filename" and include it unconditionally. Changed Files: U trunk/src/kadmin/ktutil/Makefile.in U trunk/src/kadmin/ktutil/ktutil.c U trunk/src/kadmin/ktutil/ktutil.h U trunk/src/kadmin/ktutil/ktutil_funcs.c From ghudson at MIT.EDU Mon Dec 15 13:30:31 2008 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 15 Dec 2008 13:30:31 -0500 (EST) Subject: svn rev #21447: trunk/src/kadmin/ktutil/ Message-ID: <200812151830.NAA11182@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21447 Commit By: ghudson Log Message: ticket: 6303 status: open Remove a krb4 conditional block in ktutil_funcs.c which was missed in the previous commit. Changed Files: U trunk/src/kadmin/ktutil/ktutil_funcs.c From ghudson at MIT.EDU Mon Dec 15 13:32:45 2008 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 15 Dec 2008 13:32:45 -0500 (EST) Subject: svn rev #21448: trunk/src/kdc/ Message-ID: <200812151832.NAA11276@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21448 Commit By: ghudson Log Message: ticket: 6303 status: open In the KDC, remove krb4 request handling support and fakeka code. Changed Files: U trunk/src/kdc/Makefile.in U trunk/src/kdc/dispatch.c D trunk/src/kdc/fakeka.M D trunk/src/kdc/fakeka.c U trunk/src/kdc/kdc_util.h D trunk/src/kdc/kerberos_v4.c U trunk/src/kdc/krb5kdc.M U trunk/src/kdc/main.c From ghudson at MIT.EDU Mon Dec 15 14:37:53 2008 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 15 Dec 2008 14:37:53 -0500 (EST) Subject: svn rev #21449: trunk/src/clients/ kcpytkt/ kdeltkt/ kdestroy/ kinit/ klist/ ... Message-ID: <200812151937.OAA12304@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21449 Commit By: ghudson Log Message: ticket: 6303 status: open Remove krb4 support from clients. Some of the code has been simplified to remove architectural relics of the -4 and -5 options, but more simplification is likely possible, particularly in kinit. Changed Files: U trunk/src/clients/kcpytkt/Makefile.in U trunk/src/clients/kdeltkt/Makefile.in U trunk/src/clients/kdestroy/Makefile.in U trunk/src/clients/kdestroy/kdestroy.M U trunk/src/clients/kdestroy/kdestroy.c U trunk/src/clients/kinit/Makefile.in U trunk/src/clients/kinit/kinit.M U trunk/src/clients/kinit/kinit.c U trunk/src/clients/klist/Makefile.in U trunk/src/clients/klist/klist.M U trunk/src/clients/klist/klist.c U trunk/src/clients/kvno/Makefile.in U trunk/src/clients/kvno/kvno.M U trunk/src/clients/kvno/kvno.c From ghudson at MIT.EDU Mon Dec 15 15:29:04 2008 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 15 Dec 2008 15:29:04 -0500 (EST) Subject: svn rev #21450: trunk/src/appl/bsd/ Message-ID: <200812152029.PAA13116@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21450 Commit By: ghudson Log Message: ticket: 6303 status: open Remove krb4 support in the applications. login's ability to run aklog has been preserved and made unconditional on krb4 support, since aklog can now do krb5 auth. The config variable is now named krb_run_aklog (as it was sometimes documented), not krb4_run_aklog as it previously was. Changed Files: U trunk/src/appl/bsd/Makefile.in D trunk/src/appl/bsd/compat_recv.c U trunk/src/appl/bsd/configure.in U trunk/src/appl/bsd/defines.h U trunk/src/appl/bsd/forward.c U trunk/src/appl/bsd/kcmd.c U trunk/src/appl/bsd/klogind.M U trunk/src/appl/bsd/krcp.c U trunk/src/appl/bsd/krlogin.c U trunk/src/appl/bsd/krlogind.c U trunk/src/appl/bsd/krsh.c U trunk/src/appl/bsd/krshd.c U trunk/src/appl/bsd/login.M U trunk/src/appl/bsd/login.c U trunk/src/appl/bsd/rlogin.M D trunk/src/appl/bsd/v4rcp.M D trunk/src/appl/bsd/v4rcp.c From ghudson at MIT.EDU Mon Dec 15 15:31:56 2008 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 15 Dec 2008 15:31:56 -0500 (EST) Subject: svn rev #21451: trunk/src/appl/ gssftp/ftp/ gssftp/ftpd/ telnet/ telnet/libtelnet/ ... Message-ID: <200812152031.PAA13236@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21451 Commit By: ghudson Log Message: ticket: 6303 status: open Remove krb4 support in gssftp and telnet. Changed Files: U trunk/src/appl/gssftp/ftp/Makefile.in U trunk/src/appl/gssftp/ftp/ftp.M U trunk/src/appl/gssftp/ftp/ftp.c U trunk/src/appl/gssftp/ftp/main.c U trunk/src/appl/gssftp/ftp/secure.c U trunk/src/appl/gssftp/ftpd/Makefile.in U trunk/src/appl/gssftp/ftpd/ftpcmd.y U trunk/src/appl/gssftp/ftpd/ftpd.M U trunk/src/appl/gssftp/ftpd/ftpd.c U trunk/src/appl/telnet/configure.in U trunk/src/appl/telnet/libtelnet/Makefile.in U trunk/src/appl/telnet/libtelnet/auth-proto.h U trunk/src/appl/telnet/libtelnet/auth.c D trunk/src/appl/telnet/libtelnet/kerberos.c U trunk/src/appl/telnet/telnet/Makefile.in U trunk/src/appl/telnet/telnet/main.c U trunk/src/appl/telnet/telnetd/Makefile.in From ghudson at MIT.EDU Mon Dec 15 15:37:42 2008 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 15 Dec 2008 15:37:42 -0500 (EST) Subject: svn rev #21452: trunk/src/ include/ lib/krb5/krb/ lib/krb5/os/ Message-ID: <200812152037.PAA13375@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21452 Commit By: ghudson Log Message: ticket: 6303 status: open Remove krb4 code in libkrb5. Changed Files: U trunk/src/include/k5-int.h U trunk/src/lib/krb5/krb/Makefile.in U trunk/src/lib/krb5/krb/conv_creds.c D trunk/src/lib/krb5/krb/v4lifetime.c U trunk/src/lib/krb5/os/Makefile.in U trunk/src/lib/krb5/os/accessor.c D trunk/src/lib/krb5/os/send524.c From ghudson at MIT.EDU Mon Dec 15 15:42:08 2008 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 15 Dec 2008 15:42:08 -0500 (EST) Subject: svn rev #21453: trunk/src/ kadmin/passwd/unit-test/ kadmin/testing/ tests/dejagnu/ Message-ID: <200812152042.PAA13492@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21453 Commit By: ghudson Log Message: Add svn:ignore properties for some files created by dejagnu tests. Changed Files: _U trunk/src/kadmin/passwd/unit-test/ _U trunk/src/kadmin/testing/ _U trunk/src/tests/dejagnu/ From tlyu at MIT.EDU Mon Dec 15 16:04:51 2008 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 15 Dec 2008 16:04:51 -0500 (EST) Subject: svn rev #21454: branches/commit-handler-test/ Message-ID: <200812152104.QAA13839@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21454 Commit By: tlyu Log Message: kick off anonsvn resync Changed Files: A branches/commit-handler-test/aaaaa/ From lhoward at MIT.EDU Mon Dec 15 17:47:29 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 17:47:29 -0500 (EST) Subject: svn rev #21455: branches/mskrb-integ/src/kdc/ Message-ID: <200812152247.RAA15495@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21455 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/kdc/do_as_req.c From lhoward at MIT.EDU Mon Dec 15 17:49:01 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 17:49:01 -0500 (EST) Subject: svn rev #21456: branches/mskrb-integ/src/ include/krb5/ lib/krb5/ lib/krb5/os/ Message-ID: <200812152249.RAA15594@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21456 Commit By: lhoward Log Message: remove krb5_set_profile() Changed Files: U branches/mskrb-integ/src/include/krb5/krb5.hin U branches/mskrb-integ/src/lib/krb5/libkrb5.exports U branches/mskrb-integ/src/lib/krb5/os/init_os_ctx.c From lhoward at MIT.EDU Mon Dec 15 18:12:18 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 18:12:18 -0500 (EST) Subject: svn rev #21457: branches/mskrb-integ/src/lib/gssapi/ krb5/ Message-ID: <200812152312.SAA15960@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21457 Commit By: lhoward Log Message: Remove gss_krb5int_get_subkey() for now Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h U branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.hin U branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c U branches/mskrb-integ/src/lib/gssapi/libgssapi_krb5.exports From lhoward at MIT.EDU Mon Dec 15 18:51:07 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 18:51:07 -0500 (EST) Subject: svn rev #21458: branches/mskrb-integ/src/lib/gssapi/ Message-ID: <200812152351.SAA16484@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21458 Commit By: lhoward Log Message: export gss_add_buffer_set_member and gss_create_empty_buffer_set Changed Files: U branches/mskrb-integ/src/lib/gssapi/libgssapi_krb5.exports From lhoward at MIT.EDU Mon Dec 15 20:30:57 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 20:30:57 -0500 (EST) Subject: svn rev #21459: branches/mskrb-integ/src/kdc/ Message-ID: <200812160130.UAA17718@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21459 Commit By: lhoward Log Message: Cleanup (check for and initialize pointers to NULL) Changed Files: U branches/mskrb-integ/src/kdc/do_as_req.c From lhoward at MIT.EDU Mon Dec 15 20:39:10 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 20:39:10 -0500 (EST) Subject: svn rev #21460: branches/mskrb-integ/src/kdc/ Message-ID: <200812160139.UAA17878@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21460 Commit By: lhoward Log Message: refactor/cleanup Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c U branches/mskrb-integ/src/kdc/kdc_util.c U branches/mskrb-integ/src/kdc/kdc_util.h From lhoward at MIT.EDU Mon Dec 15 20:42:42 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 20:42:42 -0500 (EST) Subject: svn rev #21461: branches/mskrb-integ/src/kdc/ Message-ID: <200812160142.UAA17993@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21461 Commit By: lhoward Log Message: Cleanup Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c From lhoward at MIT.EDU Mon Dec 15 21:08:49 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 21:08:49 -0500 (EST) Subject: svn rev #21462: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812160208.VAA18351@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21462 Commit By: lhoward Log Message: If KDC_OPT_CANONICALIZE was set, don't expect client and server names in AS-REP to match request Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/get_in_tkt.c From lhoward at MIT.EDU Mon Dec 15 21:19:25 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 21:19:25 -0500 (EST) Subject: svn rev #21463: branches/mskrb-integ/src/kdc/ Message-ID: <200812160219.VAA18539@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21463 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c From tlyu at MIT.EDU Mon Dec 15 21:50:37 2008 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 15 Dec 2008 21:50:37 -0500 (EST) Subject: svn rev #21464: branches/commit-handler-test/ Message-ID: <200812160250.VAA24467@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21464 Commit By: tlyu Log Message: ticket: new status: resolved subject: more commit handler test tags: nochange Testing again to ensure that commit handler functionality is restored following postgresql upgrade. Changed Files: D branches/commit-handler-test/aaaaa/ From lhoward at MIT.EDU Mon Dec 15 22:27:53 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 22:27:53 -0500 (EST) Subject: svn rev #21465: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812160327.WAA25016@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21465 Commit By: lhoward Log Message: In krb5_rd_req_decrypt_tkt_part(), use the ticket or acceptor service name as a hint/optimization, but still iterate through the keytab. This means that existing servers do not need to change their code to get the new behaviour. Also, the iteration behaviour crashed owing to some incorrectly ordered statements; this is now fixed. Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c From lhoward at MIT.EDU Mon Dec 15 23:56:01 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 15 Dec 2008 23:56:01 -0500 (EST) Subject: svn rev #21466: branches/mskrb-integ/src/kdc/ Message-ID: <200812160456.XAA26090@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21466 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/kdc/kdc_util.c From lhoward at MIT.EDU Tue Dec 16 00:39:13 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 00:39:13 -0500 (EST) Subject: svn rev #21467: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812160539.AAA26613@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21467 Commit By: lhoward Log Message: Fix a crasher Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c From lhoward at MIT.EDU Tue Dec 16 01:31:26 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 01:31:26 -0500 (EST) Subject: svn rev #21468: branches/mskrb-integ/src/kdc/ Message-ID: <200812160631.BAA27247@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21468 Commit By: lhoward Log Message: Only return canonical client in AS KRB-ERROR if KDC_ERR_WRONG_REALM is the error code. This seems to align with the referrals draft and Windows 2008 behaviour. Changed Files: U branches/mskrb-integ/src/kdc/do_as_req.c From lhoward at MIT.EDU Tue Dec 16 01:32:33 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 01:32:33 -0500 (EST) Subject: svn rev #21469: branches/mskrb-integ/src/kdc/ Message-ID: <200812160632.BAA27326@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21469 Commit By: lhoward Log Message: fix compile error Changed Files: U branches/mskrb-integ/src/kdc/do_as_req.c From lhoward at MIT.EDU Tue Dec 16 01:36:52 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 01:36:52 -0500 (EST) Subject: svn rev #21470: branches/mskrb-integ/src/kdc/ Message-ID: <200812160636.BAA27496@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21470 Commit By: lhoward Log Message: Revert previous two commits: always return canonical name in error packets if canonicalize flag is set and available. Although this isn't the W2K[38] behaviour, it's more in line with Sam's suggestion that setting the canonicalize flag returns the canonical server name in successful replies (which was the W2K behaviour). Changed Files: U branches/mskrb-integ/src/kdc/do_as_req.c From lhoward at MIT.EDU Tue Dec 16 01:55:15 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 01:55:15 -0500 (EST) Subject: svn rev #21471: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812160655.BAA27774@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21471 Commit By: lhoward Log Message: Provide a shim between gss_wrap_size_limit() and gss_wrap_iov_length() for mechanisms such as NTLM that do not use padding Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c From lhoward at MIT.EDU Tue Dec 16 04:05:45 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 04:05:45 -0500 (EST) Subject: svn rev #21472: branches/mskrb-integ/src/ include/ kdc/ Message-ID: <200812160905.EAA29303@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21472 Commit By: lhoward Log Message: Allow the sign_authorization_data() backend method to return a client principal's attributes, from the decoded authorization data (in the case of a cross-realm client for which there is no local KDB entry). This is used to prevent a cross-realm protocol transition ticket being used for delegation. Changed Files: U branches/mskrb-integ/src/include/kdb_ext.h U branches/mskrb-integ/src/kdc/do_as_req.c U branches/mskrb-integ/src/kdc/do_tgs_req.c U branches/mskrb-integ/src/kdc/kdc_util.c U branches/mskrb-integ/src/kdc/kdc_util.h From lhoward at MIT.EDU Tue Dec 16 04:21:48 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 04:21:48 -0500 (EST) Subject: svn rev #21473: branches/mskrb-integ/src/kdc/ Message-ID: <200812160921.EAA00853@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21473 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c U branches/mskrb-integ/src/kdc/kdc_util.c U branches/mskrb-integ/src/kdc/kdc_util.h From lhoward at MIT.EDU Tue Dec 16 06:53:59 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 06:53:59 -0500 (EST) Subject: svn rev #21474: branches/mskrb-integ/src/ include/ kdc/ Message-ID: <200812161153.GAA03145@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21474 Commit By: lhoward Log Message: Permit sign_authorization_data() to return a krb5_db_entry representing the principal associated with the authorization data, in case that principal is not local to our realm and we need to perform additional checks (such as disabling delegation for cross-realm protocol transition) Changed Files: U branches/mskrb-integ/src/include/kdb_ext.h U branches/mskrb-integ/src/kdc/do_as_req.c U branches/mskrb-integ/src/kdc/do_tgs_req.c U branches/mskrb-integ/src/kdc/kdc_util.c U branches/mskrb-integ/src/kdc/kdc_util.h From lhoward at MIT.EDU Tue Dec 16 06:58:48 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 06:58:48 -0500 (EST) Subject: svn rev #21475: branches/mskrb-integ/src/kdc/ Message-ID: <200812161158.GAA03269@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21475 Commit By: lhoward Log Message: add some more error handling logic Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c From lhoward at MIT.EDU Tue Dec 16 07:10:05 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 07:10:05 -0500 (EST) Subject: svn rev #21476: branches/mskrb-integ/src/include/ Message-ID: <200812161210.HAA03497@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21476 Commit By: lhoward Log Message: add some comments Changed Files: U branches/mskrb-integ/src/include/kdb_ext.h From lhoward at MIT.EDU Tue Dec 16 07:16:04 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 07:16:04 -0500 (EST) Subject: svn rev #21477: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812161216.HAA03584@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21477 Commit By: lhoward Log Message: GSS_S_UNAVAILABLE is a better return value than GSS_S_BAD_MECH for GGF APIs where the desired_object OID is unknown Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c From hartmans at MIT.EDU Tue Dec 16 14:38:36 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Tue, 16 Dec 2008 14:38:36 -0500 (EST) Subject: svn rev #21478: branches/mskrb-integ/src/ appl/bsd/ appl/gssftp/ftp/ appl/gssftp/ftpd/ ... Message-ID: <200812161938.OAA09829@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21478 Commit By: hartmans Log Message: Merge trunk at R21453 into mskrb-integ. Conflicts: src/clients/kinit/kinit.c src/clients/kvno/kvno.c src/kdc/do_as_req.c src/kdc/main.c src/lib/gssapi/krb5/init_sec_context.c Changed Files: U branches/mskrb-integ/src/BADSYMS U branches/mskrb-integ/src/aclocal.m4 U branches/mskrb-integ/src/appl/bsd/Makefile.in D branches/mskrb-integ/src/appl/bsd/compat_recv.c U branches/mskrb-integ/src/appl/bsd/configure.in U branches/mskrb-integ/src/appl/bsd/defines.h U branches/mskrb-integ/src/appl/bsd/forward.c U branches/mskrb-integ/src/appl/bsd/kcmd.c U branches/mskrb-integ/src/appl/bsd/klogind.M U branches/mskrb-integ/src/appl/bsd/krcp.c U branches/mskrb-integ/src/appl/bsd/krlogin.c U branches/mskrb-integ/src/appl/bsd/krlogind.c U branches/mskrb-integ/src/appl/bsd/krsh.c U branches/mskrb-integ/src/appl/bsd/krshd.c U branches/mskrb-integ/src/appl/bsd/login.M U branches/mskrb-integ/src/appl/bsd/login.c U branches/mskrb-integ/src/appl/bsd/rlogin.M D branches/mskrb-integ/src/appl/bsd/v4rcp.M D branches/mskrb-integ/src/appl/bsd/v4rcp.c U branches/mskrb-integ/src/appl/gssftp/ftp/Makefile.in U branches/mskrb-integ/src/appl/gssftp/ftp/ftp.M U branches/mskrb-integ/src/appl/gssftp/ftp/ftp.c U branches/mskrb-integ/src/appl/gssftp/ftp/main.c U branches/mskrb-integ/src/appl/gssftp/ftp/secure.c U branches/mskrb-integ/src/appl/gssftp/ftpd/Makefile.in U branches/mskrb-integ/src/appl/gssftp/ftpd/ftpcmd.y U branches/mskrb-integ/src/appl/gssftp/ftpd/ftpd.M U branches/mskrb-integ/src/appl/gssftp/ftpd/ftpd.c U branches/mskrb-integ/src/appl/telnet/configure.in U branches/mskrb-integ/src/appl/telnet/libtelnet/Makefile.in U 
branches/mskrb-integ/src/appl/telnet/libtelnet/auth-proto.h U branches/mskrb-integ/src/appl/telnet/libtelnet/auth.c D branches/mskrb-integ/src/appl/telnet/libtelnet/kerberos.c U branches/mskrb-integ/src/appl/telnet/telnet/Makefile.in U branches/mskrb-integ/src/appl/telnet/telnet/main.c U branches/mskrb-integ/src/appl/telnet/telnetd/Makefile.in U branches/mskrb-integ/src/clients/kcpytkt/Makefile.in U branches/mskrb-integ/src/clients/kdeltkt/Makefile.in U branches/mskrb-integ/src/clients/kdestroy/Makefile.in U branches/mskrb-integ/src/clients/kdestroy/kdestroy.M U branches/mskrb-integ/src/clients/kdestroy/kdestroy.c U branches/mskrb-integ/src/clients/kinit/Makefile.in U branches/mskrb-integ/src/clients/kinit/kinit.M U branches/mskrb-integ/src/clients/kinit/kinit.c U branches/mskrb-integ/src/clients/klist/Makefile.in U branches/mskrb-integ/src/clients/klist/klist.M U branches/mskrb-integ/src/clients/klist/klist.c U branches/mskrb-integ/src/clients/kvno/Makefile.in U branches/mskrb-integ/src/clients/kvno/kvno.M U branches/mskrb-integ/src/clients/kvno/kvno.c U branches/mskrb-integ/src/config/pre.in U branches/mskrb-integ/src/config/shlib.conf U branches/mskrb-integ/src/config/winexclude.sed U branches/mskrb-integ/src/include/k5-int.h U branches/mskrb-integ/src/include/osconf.hin U branches/mskrb-integ/src/kadmin/dbutil/Makefile.in D branches/mskrb-integ/src/kadmin/dbutil/dumpv4.c U branches/mskrb-integ/src/kadmin/dbutil/kdb5_util.M U branches/mskrb-integ/src/kadmin/dbutil/kdb5_util.c U branches/mskrb-integ/src/kadmin/dbutil/kdb5_util.h D branches/mskrb-integ/src/kadmin/dbutil/loadv4.c U branches/mskrb-integ/src/kadmin/ktutil/Makefile.in U branches/mskrb-integ/src/kadmin/ktutil/ktutil.c U branches/mskrb-integ/src/kadmin/ktutil/ktutil.h U branches/mskrb-integ/src/kadmin/ktutil/ktutil_funcs.c D branches/mskrb-integ/src/kdc/.saberinit U branches/mskrb-integ/src/kdc/Makefile.in U branches/mskrb-integ/src/kdc/dispatch.c U branches/mskrb-integ/src/kdc/do_as_req.c D 
branches/mskrb-integ/src/kdc/fakeka.M D branches/mskrb-integ/src/kdc/fakeka.c U branches/mskrb-integ/src/kdc/kdc_util.h D branches/mskrb-integ/src/kdc/kerberos_v4.c U branches/mskrb-integ/src/kdc/krb5kdc.M U branches/mskrb-integ/src/kdc/main.c U branches/mskrb-integ/src/krb5-config.in U branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c D branches/mskrb-integ/src/lib/krb5/asn.1/.saberinit U branches/mskrb-integ/src/lib/krb5/ccache/ccapi/stdcc.c U branches/mskrb-integ/src/lib/krb5/ccache/ccfns.c U branches/mskrb-integ/src/lib/krb5/krb/Makefile.in U branches/mskrb-integ/src/lib/krb5/krb/conv_creds.c D branches/mskrb-integ/src/lib/krb5/krb/v4lifetime.c U branches/mskrb-integ/src/lib/krb5/os/Makefile.in U branches/mskrb-integ/src/lib/krb5/os/accessor.c D branches/mskrb-integ/src/lib/krb5/os/send524.c U branches/mskrb-integ/src/tests/dejagnu/config/default.exp U branches/mskrb-integ/src/tests/dejagnu/krb-root/rlogin.exp U branches/mskrb-integ/src/tests/dejagnu/krb-standalone/gssftp.exp U branches/mskrb-integ/src/util/profile/prof_init.c U branches/mskrb-integ/src/util/ss/execute_cmd.c From epeisach at MIT.EDU Tue Dec 16 15:15:47 2008 From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Tue, 16 Dec 2008 15:15:47 -0500 (EST) Subject: svn rev #21479: trunk/src/tests/asn.1/ Message-ID: <200812162015.PAA10419@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21479 Commit By: epeisach Log Message: Fix memory leaks in sam and ldap handler testing - there is still a leak w/ ldap Changed Files: U trunk/src/tests/asn.1/krb5_decode_test.c U trunk/src/tests/asn.1/krb5_encode_test.c U trunk/src/tests/asn.1/ktest.c U trunk/src/tests/asn.1/ktest.h From epeisach at MIT.EDU Tue Dec 16 16:27:10 2008 
From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Tue, 16 Dec 2008 16:27:10 -0500 (EST) Subject: svn rev #21480: trunk/src/ kadmin/cli/ lib/kadm5/ lib/kadm5/clnt/ Message-ID: <200812162127.QAA11476@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21480 Commit By: epeisach Log Message: Add prototype for kadm5_init_iprop. For the client - adds a dummy argument which is ignored. Changed Files: U trunk/src/kadmin/cli/kadmin.c U trunk/src/lib/kadm5/admin.h U trunk/src/lib/kadm5/clnt/client_init.c From lhoward at MIT.EDU Tue Dec 16 17:23:47 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 17:23:47 -0500 (EST) Subject: svn rev #21481: branches/mskrb-integ/src/kdc/ Message-ID: <200812162223.RAA12223@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21481 Commit By: lhoward Log Message: Match Windows 2003 name canonicalization behaviour: the server name is always the name the client requested (unless a referral is returned) Changed Files: U branches/mskrb-integ/src/kdc/do_as_req.c U branches/mskrb-integ/src/kdc/do_tgs_req.c U branches/mskrb-integ/src/kdc/kdc_util.c U branches/mskrb-integ/src/kdc/kdc_util.h From lhoward at MIT.EDU Tue Dec 16 17:26:56 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 17:26:56 -0500 (EST) Subject: svn rev #21482: branches/mskrb-integ/src/kdc/ Message-ID: <200812162226.RAA12341@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21482 Commit By: lhoward Log Message: Back out accidental reintroduction of ENCTYPE_DES_CBC_MD5 support Changed Files: U branches/mskrb-integ/src/kdc/kdc_util.c From tlyu at MIT.EDU Tue Dec 16 17:35:46 2008 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 16 Dec 2008 17:35:46 -0500 (EST) Subject: svn rev #21483: branches/commit-handler-test/ Message-ID: <200812162235.RAA12537@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21483 Commit By: tlyu Log Message: test commit handler Changed Files: D branches/commit-handler-test/aaaa/ From lhoward at MIT.EDU Tue Dec 16 18:01:38 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 18:01:38 -0500 (EST) Subject: svn rev #21484: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812162301.SAA12944@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21484 Commit By: lhoward Log Message: Enterprise principals imply name canonicalization, so allow different client principal in reply in this case too Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/get_in_tkt.c From lhoward at MIT.EDU Tue Dec 16 18:06:45 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 18:06:45 -0500 (EST) Subject: svn rev #21485: branches/mskrb-integ/src/kdc/ Message-ID: <200812162306.SAA13079@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21485 Commit By: lhoward Log Message: remove redundant check for injection of KDC-issued authorization data Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c From lhoward at MIT.EDU Tue Dec 16 18:08:50 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 18:08:50 -0500 (EST) Subject: svn rev #21486: branches/mskrb-integ/src/clients/kinit/ Message-ID: <200812162308.SAA13175@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21486 Commit By: lhoward Log Message: fix merge issue Changed Files: U branches/mskrb-integ/src/clients/kinit/kinit.c From lhoward at MIT.EDU Tue Dec 16 18:24:47 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 18:24:47 -0500 (EST) Subject: svn rev #21487: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812162324.SAA13427@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21487 Commit By: lhoward Log Message: fix assignment/equality typo Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/get_in_tkt.c From tlyu at MIT.EDU Tue Dec 16 18:52:53 2008 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 16 Dec 2008 18:52:53 -0500 (EST) Subject: svn rev #21488: branches/commit-handler-test/ Message-ID: <200812162352.SAA13877@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21488 Commit By: tlyu Log Message: ticket: new status: resolved subject: test commit handler again tags: nochange test more commit handler changes Changed Files: A branches/commit-handler-test/aaaa/ From lhoward at MIT.EDU Tue Dec 16 19:07:58 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 19:07:58 -0500 (EST) Subject: svn rev #21489: branches/mskrb-integ/src/lib/gssapi/ generic/ krb5/ mechglue/ Message-ID: <200812170007.TAA14168@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21489 Commit By: lhoward Log Message: Remove flags field from gss_iov_buffer_desc, consolidating it into type; make SIGN_ONLY a type rather than a flag Changed Files: U branches/mskrb-integ/src/lib/gssapi/Makefile.in U branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/util_cksum.c U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c U branches/mskrb-integ/src/lib/gssapi/mechglue/Makefile.in U branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_unseal.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_unwrap_aead.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_wrap_aead.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_wrap_iov.c From lhoward at MIT.EDU Tue Dec 16 19:17:58 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 19:17:58 -0500 (EST) Subject: svn rev #21490: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812170017.TAA14374@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21490 Commit By: lhoward Log Message: Shims take internal context IDs Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_unseal.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_unwrap_aead.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_wrap_aead.c From lhoward at MIT.EDU Tue Dec 16 19:19:50 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 19:19:50 -0500 (EST) Subject: svn rev #21491: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812170019.TAA14462@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21491 Commit By: lhoward Log Message: Complete previous commit Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c From lhoward at MIT.EDU Tue Dec 16 19:52:16 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 16 Dec 2008 19:52:16 -0500 (EST) Subject: svn rev #21492: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812170052.TAA14965@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21492 Commit By: lhoward Log Message: fixup some header length calculations Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c From epeisach at MIT.EDU Tue Dec 16 22:42:13 2008 From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Tue, 16 Dec 2008 22:42:13 -0500 (EST) Subject: svn rev #21493: trunk/src/kadmin/server/ Message-ID: <200812170342.WAA16997@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21493 Commit By: epeisach Log Message: Move prototypes needed in multiple files to misc.h instead of declaring extern in each .c file. This will ensure that definitions are consistent. Moved prototypes include: load_badauth, setup_gss_names, krb5_iprop_prog_1, kiprop_get_adm_host_srv_name. Changed Files: U trunk/src/kadmin/server/ipropd_svc.c U trunk/src/kadmin/server/kadm_rpc_svc.c U trunk/src/kadmin/server/misc.h U trunk/src/kadmin/server/ovsec_kadmd.c From lhoward at MIT.EDU Wed Dec 17 00:28:33 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 00:28:33 -0500 (EST) Subject: svn rev #21494: branches/mskrb-integ/src/lib/gssapi/ Message-ID: <200812170528.AAA18330@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21494 Commit By: lhoward Log Message: re-adding spnego Changed Files: A branches/mskrb-integ/src/lib/gssapi/spnego/ From lhoward at MIT.EDU Wed Dec 17 00:50:46 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 00:50:46 -0500 (EST) Subject: svn rev #21495: branches/mskrb-integ/src/ lib/gssapi/ lib/gssapi/mechglue/ lib/gssapi/spnego/ ... Message-ID: <200812170550.AAA18673@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21495 Commit By: lhoward Log Message: Re-add spnego as an internal mechanism Changed Files: U branches/mskrb-integ/src/lib/gssapi/Makefile.in U branches/mskrb-integ/src/lib/gssapi/mechglue/Makefile.in U branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c A branches/mskrb-integ/src/lib/gssapi/spnego/Makefile.in A branches/mskrb-integ/src/lib/gssapi/spnego/gssapiP_spnego.h A branches/mskrb-integ/src/lib/gssapi/spnego/mech_spnego.exports A branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c D branches/mskrb-integ/src/plugins/gssapi/spnego/ From lhoward at MIT.EDU Wed Dec 17 00:53:14 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 00:53:14 -0500 (EST) Subject: svn rev #21496: branches/mskrb-integ/src/kdc/ Message-ID: <200812170553.AAA18765@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21496 Commit By: lhoward Log Message: Canonicalization was disabled for principals marked KRB5_KDB_NON_MS_PRINCIPAL. Revert this for now. Changed Files: U branches/mskrb-integ/src/kdc/do_as_req.c From lhoward at MIT.EDU Wed Dec 17 01:37:24 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 01:37:24 -0500 (EST) Subject: svn rev #21497: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812170637.BAA19362@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21497 Commit By: lhoward Log Message: correctly parse gss_krb5int_rotate_left() return code Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c From lhoward at MIT.EDU Wed Dec 17 04:04:17 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 04:04:17 -0500 (EST) Subject: svn rev #21498: branches/mskrb-integ/src/config-files/ Message-ID: <200812170904.EAA21065@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21498 Commit By: lhoward Log Message: SPNEGO no longer built dynamically Changed Files: U branches/mskrb-integ/src/config-files/mech From lhoward at MIT.EDU Wed Dec 17 04:44:20 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 04:44:20 -0500 (EST) Subject: svn rev #21499: branches/mskrb-integ/src/lib/crypto/ enc_provider/ Message-ID: <200812170944.EAA23214@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21499 Commit By: lhoward Log Message: krb5int_aes_decrypt_iov() incorrectly implemented CTS mode Changed Files: U branches/mskrb-integ/src/lib/crypto/aead.c U branches/mskrb-integ/src/lib/crypto/enc_provider/aes.c From lhoward at MIT.EDU Wed Dec 17 06:03:47 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 06:03:47 -0500 (EST) Subject: svn rev #21500: branches/mskrb-integ/src/lib/crypto/ Message-ID: <200812171103.GAA24231@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21500 Commit By: lhoward Log Message: Fix krb5_c_verify_checksum_iov() to deal with truncated checksum types correctly Changed Files: U branches/mskrb-integ/src/lib/crypto/aead.c U branches/mskrb-integ/src/lib/crypto/make_checksum_iov.c U branches/mskrb-integ/src/lib/crypto/verify_checksum_iov.c From lhoward at MIT.EDU Wed Dec 17 06:10:07 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 06:10:07 -0500 (EST) Subject: svn rev #21501: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812171110.GAA24375@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21501 Commit By: lhoward Log Message: Cleanup, fix stream support, fix conf_req_flag==FALSE support for IOV Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c U branches/mskrb-integ/src/lib/gssapi/krb5/util_cksum.c U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c From lhoward at MIT.EDU Wed Dec 17 06:17:21 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 06:17:21 -0500 (EST) Subject: svn rev #21502: branches/mskrb-integ/src/lib/gssapi/generic/ Message-ID: <200812171117.GAA24523@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21502 Commit By: lhoward Log Message: Cleanup from Metze Changed Files: U branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h From lhoward at MIT.EDU Wed Dec 17 06:23:47 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 06:23:47 -0500 (EST) Subject: svn rev #21503: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812171123.GAA24667@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21503 Commit By: lhoward Log Message: Allow defining IOV_SHIM_EXERCISE to exercise IOV shims in mechglue for krb5 Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c From lhoward at MIT.EDU Wed Dec 17 06:24:21 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 06:24:21 -0500 (EST) Subject: svn rev #21504: branches/mskrb-integ/src/ Message-ID: <200812171124.GAA24739@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21504 Commit By: lhoward Log Message: SPNEGO no longer built as a plugin Changed Files: U branches/mskrb-integ/src/Makefile.in U branches/mskrb-integ/src/configure.in From lhoward at MIT.EDU Wed Dec 17 06:47:05 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 06:47:05 -0500 (EST) Subject: svn rev #21505: branches/mskrb-integ/src/ include/ include/krb5/ lib/krb5/krb/ Message-ID: <200812171147.GAA25071@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21505 Commit By: lhoward Log Message: Remove UTF-8/case-insensitive config file options. Instead, krb5_compare_principal_flags() takes flags for such comparisons. Changed Files: U branches/mskrb-integ/src/include/k5-int.h U branches/mskrb-integ/src/include/krb5/krb5.hin U branches/mskrb-integ/src/lib/krb5/krb/init_ctx.c U branches/mskrb-integ/src/lib/krb5/krb/princ_comp.c From lhoward at MIT.EDU Wed Dec 17 09:02:33 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 09:02:33 -0500 (EST) Subject: svn rev #21506: branches/mskrb-integ/src/lib/crypto/enc_provider/ Message-ID: <200812171402.JAA26685@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21506 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/crypto/enc_provider/aes.c From tlyu at MIT.EDU Wed Dec 17 12:01:16 2008 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 17 Dec 2008 12:01:16 -0500 (EST) Subject: svn rev #21507: branches/commit-handler-test/ Message-ID: <200812171701.MAA29206@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21507 Commit By: tlyu Log Message: test precommit handler Changed Files: D branches/commit-handler-test/aaaa/ From tlyu at MIT.EDU Wed Dec 17 12:01:40 2008 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 17 Dec 2008 12:01:40 -0500 (EST) Subject: svn rev #21508: branches/commit-handler-test/ Message-ID: <200812171701.MAA29291@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21508 Commit By: tlyu Log Message: test precommit handler Changed Files: A branches/commit-handler-test/aaaa/ From tlyu at MIT.EDU Wed Dec 17 12:02:35 2008 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 17 Dec 2008 12:02:35 -0500 (EST) Subject: svn rev #21509: branches/commit-handler-test/ Message-ID: <200812171702.MAA29384@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21509 Commit By: tlyu Log Message: I am the very model of a modern log rewriting hook. test precommit handler Changed Files: D branches/commit-handler-test/aaaa/ From tlyu at MIT.EDU Wed Dec 17 13:44:41 2008 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 17 Dec 2008 13:44:41 -0500 (EST) Subject: svn rev #21514: trunk/ doc/ Message-ID: <200812171844.NAA00821@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21514 Commit By: tlyu Log Message: test mailing diffs 5 Changed Files: _U trunk/ U trunk/doc/testdiff.txt Property changes on: trunk ___________________________________________________________________ Name: svk:merge - 122d7f7f-0217-0410-a6d0-d37b9a318acc:/local/krb5/trunk:22373 304ed8f4-7412-0410-a0db-8249d8f37659:/my-branches/kdb-config:339 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/1ac:533 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/advisory:1726 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/misc:1927 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/sprintf:936 dc483132-0cff-0310-8789-dd5450dbe970:/branches/ccapi:18199 dc483132-0cff-0310-8789-dd5450dbe970:/branches/referrals/trunk:18581 f228080b-b206-47c0-aedc-518b743a947e:/krb5/dev/coverity:18 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1:1187 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1-encode-tests:1181 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/ldap-patches-080218:908 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/threads-no-debug:832 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/walk-rtree:767 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/warnings:837 + 122d7f7f-0217-0410-a6d0-d37b9a318acc:/local/krb5/trunk:22375 304ed8f4-7412-0410-a0db-8249d8f37659:/my-branches/kdb-config:339 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/1ac:533 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/advisory:1726 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/misc:1927 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/sprintf:936 dc483132-0cff-0310-8789-dd5450dbe970:/branches/ccapi:18199 dc483132-0cff-0310-8789-dd5450dbe970:/branches/referrals/trunk:18581 f228080b-b206-47c0-aedc-518b743a947e:/krb5/dev/coverity:18 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1:1187 
f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1-encode-tests:1181 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/ldap-patches-080218:908 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/threads-no-debug:832 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/walk-rtree:767 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/warnings:837 Modified: trunk/doc/testdiff.txt =================================================================== --- trunk/doc/testdiff.txt 2008-12-17 18:40:49 UTC (rev 21513) +++ trunk/doc/testdiff.txt 2008-12-17 18:44:40 UTC (rev 21514) @@ -3,3 +3,5 @@ test test test more testing + +test test test From tlyu at MIT.EDU Wed Dec 17 13:47:00 2008 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 17 Dec 2008 13:47:00 -0500 (EST) Subject: svn rev #21515: trunk/ doc/ Message-ID: <200812171847.NAA00951@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21515 Commit By: tlyu Log Message: test mailing diffs 6 Changed Files: _U trunk/ D trunk/doc/testdiff.txt Property changes on: trunk ___________________________________________________________________ Name: svk:merge - 122d7f7f-0217-0410-a6d0-d37b9a318acc:/local/krb5/trunk:22375 304ed8f4-7412-0410-a0db-8249d8f37659:/my-branches/kdb-config:339 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/1ac:533 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/advisory:1726 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/misc:1927 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/sprintf:936 dc483132-0cff-0310-8789-dd5450dbe970:/branches/ccapi:18199 dc483132-0cff-0310-8789-dd5450dbe970:/branches/referrals/trunk:18581 f228080b-b206-47c0-aedc-518b743a947e:/krb5/dev/coverity:18 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1:1187 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1-encode-tests:1181 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/ldap-patches-080218:908 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/threads-no-debug:832 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/walk-rtree:767 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/warnings:837 + 122d7f7f-0217-0410-a6d0-d37b9a318acc:/local/krb5/trunk:22377 304ed8f4-7412-0410-a0db-8249d8f37659:/my-branches/kdb-config:339 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/1ac:533 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/advisory:1726 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/misc:1927 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/sprintf:936 dc483132-0cff-0310-8789-dd5450dbe970:/branches/ccapi:18199 dc483132-0cff-0310-8789-dd5450dbe970:/branches/referrals/trunk:18581 f228080b-b206-47c0-aedc-518b743a947e:/krb5/dev/coverity:18 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1:1187 
f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1-encode-tests:1181 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/ldap-patches-080218:908 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/threads-no-debug:832 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/walk-rtree:767 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/warnings:837 Deleted: trunk/doc/testdiff.txt ===================================================================
--- trunk/doc/testdiff.txt 2008-12-17 18:44:40 UTC (rev 21514)
+++ trunk/doc/testdiff.txt 2008-12-17 18:46:59 UTC (rev 21515)
@@ -1,7 +0,0 @@
-test diff functionality
-
-test test test
-
-more testing
-
-test test test From tlyu at MIT.EDU Wed Dec 17 15:37:08 2008 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 17 Dec 2008 15:37:08 -0500 (EST) Subject: svn rev #21516: trunk/ doc/ Message-ID: <200812172037.PAA03161@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21516 Commit By: tlyu Log Message: another diff test Changed Files: _U trunk/ A trunk/doc/testdiff.txt Property changes on: trunk ___________________________________________________________________ Name: svk:merge - 122d7f7f-0217-0410-a6d0-d37b9a318acc:/local/krb5/trunk:22377 304ed8f4-7412-0410-a0db-8249d8f37659:/my-branches/kdb-config:339 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/1ac:533 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/advisory:1726 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/misc:1927 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/sprintf:936 dc483132-0cff-0310-8789-dd5450dbe970:/branches/ccapi:18199 dc483132-0cff-0310-8789-dd5450dbe970:/branches/referrals/trunk:18581 f228080b-b206-47c0-aedc-518b743a947e:/krb5/dev/coverity:18 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1:1187 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1-encode-tests:1181 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/ldap-patches-080218:908 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/threads-no-debug:832 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/walk-rtree:767 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/warnings:837 + 122d7f7f-0217-0410-a6d0-d37b9a318acc:/local/krb5/trunk:22379 304ed8f4-7412-0410-a0db-8249d8f37659:/my-branches/kdb-config:339 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/1ac:533 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/advisory:1726 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/misc:1927 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/sprintf:936 dc483132-0cff-0310-8789-dd5450dbe970:/branches/ccapi:18199 dc483132-0cff-0310-8789-dd5450dbe970:/branches/referrals/trunk:18581 f228080b-b206-47c0-aedc-518b743a947e:/krb5/dev/coverity:18 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1:1187 
f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1-encode-tests:1181 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/ldap-patches-080218:908 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/threads-no-debug:832 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/walk-rtree:767 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/warnings:837 Added: trunk/doc/testdiff.txt ===================================================================
--- trunk/doc/testdiff.txt 2008-12-17 18:46:59 UTC (rev 21515)
+++ trunk/doc/testdiff.txt 2008-12-17 20:37:07 UTC (rev 21516)
@@ -0,0 +1,4 @@
+testing
+foo
+bar
+baz From tlyu at MIT.EDU Wed Dec 17 15:37:16 2008 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 17 Dec 2008 15:37:16 -0500 (EST) Subject: svn rev #21517: trunk/ doc/ Message-ID: <200812172037.PAA03244@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21517 Commit By: tlyu Log Message: another diff test 2 Changed Files: _U trunk/ U trunk/doc/testdiff.txt Property changes on: trunk ___________________________________________________________________ Name: svk:merge - 122d7f7f-0217-0410-a6d0-d37b9a318acc:/local/krb5/trunk:22379 304ed8f4-7412-0410-a0db-8249d8f37659:/my-branches/kdb-config:339 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/1ac:533 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/advisory:1726 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/misc:1927 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/sprintf:936 dc483132-0cff-0310-8789-dd5450dbe970:/branches/ccapi:18199 dc483132-0cff-0310-8789-dd5450dbe970:/branches/referrals/trunk:18581 f228080b-b206-47c0-aedc-518b743a947e:/krb5/dev/coverity:18 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1:1187 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1-encode-tests:1181 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/ldap-patches-080218:908 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/threads-no-debug:832 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/walk-rtree:767 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/warnings:837 + 122d7f7f-0217-0410-a6d0-d37b9a318acc:/local/krb5/trunk:22380 304ed8f4-7412-0410-a0db-8249d8f37659:/my-branches/kdb-config:339 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/1ac:533 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/advisory:1726 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/misc:1927 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/sprintf:936 dc483132-0cff-0310-8789-dd5450dbe970:/branches/ccapi:18199 dc483132-0cff-0310-8789-dd5450dbe970:/branches/referrals/trunk:18581 f228080b-b206-47c0-aedc-518b743a947e:/krb5/dev/coverity:18 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1:1187 
f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1-encode-tests:1181 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/ldap-patches-080218:908 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/threads-no-debug:832 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/walk-rtree:767 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/warnings:837 Modified: trunk/doc/testdiff.txt ===================================================================
--- trunk/doc/testdiff.txt 2008-12-17 20:37:07 UTC (rev 21516)
+++ trunk/doc/testdiff.txt 2008-12-17 20:37:15 UTC (rev 21517)
@@ -2,3 +2,6 @@
 foo
 bar
 baz
+
+more
+here From tlyu at MIT.EDU Wed Dec 17 15:40:00 2008 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 17 Dec 2008 15:40:00 -0500 (EST) Subject: svn rev #21518: trunk/ doc/ Message-ID: <200812172040.PAA03367@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21518 Commit By: tlyu Log Message: another diff test 3 Changed Files: _U trunk/ U trunk/doc/testdiff.txt Modified: trunk/doc/testdiff.txt ===================================================================
--- trunk/doc/testdiff.txt 2008-12-17 20:37:15 UTC (rev 21517)
+++ trunk/doc/testdiff.txt 2008-12-17 20:39:59 UTC (rev 21518) 
@@ -1,7 +1,7 @@ testing foo -bar baz more here +or something Property changes on: trunk ___________________________________________________________________ Name: svk:merge - 122d7f7f-0217-0410-a6d0-d37b9a318acc:/local/krb5/trunk:22380 304ed8f4-7412-0410-a0db-8249d8f37659:/my-branches/kdb-config:339 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/1ac:533 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/advisory:1726 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/misc:1927 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/sprintf:936 dc483132-0cff-0310-8789-dd5450dbe970:/branches/ccapi:18199 dc483132-0cff-0310-8789-dd5450dbe970:/branches/referrals/trunk:18581 f228080b-b206-47c0-aedc-518b743a947e:/krb5/dev/coverity:18 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1:1187 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1-encode-tests:1181 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/ldap-patches-080218:908 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/threads-no-debug:832 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/walk-rtree:767 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/warnings:837 + 122d7f7f-0217-0410-a6d0-d37b9a318acc:/local/krb5/trunk:22383 304ed8f4-7412-0410-a0db-8249d8f37659:/my-branches/kdb-config:339 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/1ac:533 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/advisory:1726 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/misc:1927 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/sprintf:936 dc483132-0cff-0310-8789-dd5450dbe970:/branches/ccapi:18199 dc483132-0cff-0310-8789-dd5450dbe970:/branches/referrals/trunk:18581 f228080b-b206-47c0-aedc-518b743a947e:/krb5/dev/coverity:18 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1:1187 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1-encode-tests:1181 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/ldap-patches-080218:908 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/threads-no-debug:832 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/walk-rtree:767 
f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/warnings:837 From tlyu at MIT.EDU Wed Dec 17 15:44:38 2008 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 17 Dec 2008 15:44:38 -0500 (EST) Subject: svn rev #21519: trunk/ doc/ Message-ID: <200812172044.PAA03516@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21519 Commit By: tlyu Log Message: another diff test 4 Changed Files: _U trunk/ D trunk/doc/testdiff.txt Deleted: trunk/doc/testdiff.txt =================================================================== --- trunk/doc/testdiff.txt 2008-12-17 20:39:59 UTC (rev 21518) +++ trunk/doc/testdiff.txt 2008-12-17 20:44:37 UTC (rev 21519) 
@@ -1,7 +0,0 @@ -testing -foo -baz - -more -here -or something Property changes on: trunk ___________________________________________________________________ Name: svk:merge - 122d7f7f-0217-0410-a6d0-d37b9a318acc:/local/krb5/trunk:22383 304ed8f4-7412-0410-a0db-8249d8f37659:/my-branches/kdb-config:339 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/1ac:533 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/advisory:1726 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/misc:1927 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/sprintf:936 dc483132-0cff-0310-8789-dd5450dbe970:/branches/ccapi:18199 dc483132-0cff-0310-8789-dd5450dbe970:/branches/referrals/trunk:18581 f228080b-b206-47c0-aedc-518b743a947e:/krb5/dev/coverity:18 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1:1187 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1-encode-tests:1181 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/ldap-patches-080218:908 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/threads-no-debug:832 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/walk-rtree:767 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/warnings:837 + 122d7f7f-0217-0410-a6d0-d37b9a318acc:/local/krb5/trunk:22385 304ed8f4-7412-0410-a0db-8249d8f37659:/my-branches/kdb-config:339 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/1ac:533 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/advisory:1726 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/misc:1927 7730498b-6e33-413f-85a5-9d713b9baaee:/krb5/dev/sprintf:936 dc483132-0cff-0310-8789-dd5450dbe970:/branches/ccapi:18199 dc483132-0cff-0310-8789-dd5450dbe970:/branches/referrals/trunk:18581 f228080b-b206-47c0-aedc-518b743a947e:/krb5/dev/coverity:18 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1:1187 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/asn1-encode-tests:1181 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/ldap-patches-080218:908 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/threads-no-debug:832 f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/walk-rtree:767 
f8a82ec2-6512-0410-82e6-bb8077266e58:/krb5/dev/warnings:837 From hartmans at MIT.EDU Wed Dec 17 15:50:36 2008 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Wed, 17 Dec 2008 15:50:36 -0500 (EST) Subject: svn rev #21520: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812172050.PAA03680@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21520 Commit By: hartmans Log Message: gssapi_err_krb5.c lives in the build directory not the source directory Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/Makefile.in Modified: branches/mskrb-integ/src/lib/gssapi/krb5/Makefile.in =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/Makefile.in 2008-12-17 20:44:37 UTC (rev 21519) +++ branches/mskrb-integ/src/lib/gssapi/krb5/Makefile.in 2008-12-17 20:50:35 UTC (rev 21520) @@ -85,9 +85,9 @@ $(srcdir)/util_seqnum.c \ $(srcdir)/val_cred.c \ $(srcdir)/verify.c \ - $(srcdir)/wrap_size_limit.c \ - $(srcdir)/gssapi_err_krb5.c + $(srcdir)/wrap_size_limit.c + OBJS = \ $(OUTPRE)accept_sec_context.$(OBJEXT) \ $(OUTPRE)acquire_cred.$(OBJEXT) \ From tlyu at MIT.EDU Wed Dec 17 16:05:24 2008 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 17 Dec 2008 16:05:24 -0500 (EST) Subject: CVS report: tracking/rt-cvs commit-handler rt-cvsgate comm ... Message-ID: <200812172105.QAA03983@drugstore.mit.edu> An embedded and charset-unspecified text was scrubbed... Name: not available Url: http://mailman.mit.edu/pipermail/cvs-krb5/attachments/20081217/0f9a78c5/attachment.bat From hartmans at MIT.EDU Wed Dec 17 16:52:27 2008 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Wed, 17 Dec 2008 16:52:27 -0500 (EST) Subject: svn rev #21521: branches/mskrb-integ/ Message-ID: <200812172152.QAA04595@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21521 Commit By: hartmans Log Message: Issues for Sam to handle before trunk merge Changed Files: A branches/mskrb-integ/pre-merge-issues Added: branches/mskrb-integ/pre-merge-issues =================================================================== --- branches/mskrb-integ/pre-merge-issues 2008-12-17 20:50:35 UTC (rev 21520) +++ branches/mskrb-integ/pre-merge-issues 2008-12-17 21:52:27 UTC (rev 21521) @@ -0,0 +1,4 @@ +* audit krb5_rd_req changes with eye to cross-realm policy check +* correct behavior for KDC cross-realm policy check +* handle session key extraction +* closure on enc_padata From lhoward at MIT.EDU Wed Dec 17 17:14:33 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 17:14:33 -0500 (EST) Subject: svn rev #21522: branches/mskrb-integ/src/lib/gssapi/ Message-ID: <200812172214.RAA04923@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21522 Commit By: lhoward Log Message: Remove some exports that were only needed when we built SPNEGO as a dynamic mech Changed Files: U branches/mskrb-integ/src/lib/gssapi/libgssapi_krb5.exports Modified: branches/mskrb-integ/src/lib/gssapi/libgssapi_krb5.exports =================================================================== --- branches/mskrb-integ/src/lib/gssapi/libgssapi_krb5.exports 2008-12-17 21:52:27 UTC (rev 21521) +++ branches/mskrb-integ/src/lib/gssapi/libgssapi_krb5.exports 2008-12-17 22:14:32 UTC (rev 21522) 
@@ -87,14 +87,6 @@
 gss_wrap_iov
 gss_wrap_iov_length
 gss_wrap_size_limit
-gssint_der_length_size
-gssint_get_der_length
-gssint_get_mech_type
-gssint_get_mechanism
-gssint_get_mechanism_cred
-gssint_get_modOptions
-gssint_put_der_length
-gssint_copy_oid_set
 gssspi_set_cred_option
 gssspi_mech_invoke
 krb5_gss_dbg_client_expcreds
From lhoward at MIT.EDU Wed Dec 17 18:07:03 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 18:07:03 -0500 (EST) Subject: svn rev #21523: branches/mskrb-integ/src/kdc/ Message-ID: <200812172307.SAA05652@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21523 Commit By: lhoward Log Message: use isflagset to check client attributes Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c Modified: branches/mskrb-integ/src/kdc/do_tgs_req.c ===================================================================
--- branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-17 22:14:32 UTC (rev 21522)
+++ branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-17 23:07:02 UTC (rev 21523)
@@ -420,7 +420,7 @@
 else
 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
 }
- if (client.attributes & KRB5_KDB_DISALLOW_FORWARDABLE)
+ if (isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
 }
 if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) {
From lhoward at MIT.EDU Wed Dec 17 19:01:37 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 19:01:37 -0500 (EST) Subject: svn rev #21524: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812180001.TAA06345@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21524 Commit By: lhoward Log Message: handle KDC_ERR_WRONG_REALM in krb5_get_in_tkt() Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/get_in_tkt.c Modified: branches/mskrb-integ/src/lib/krb5/krb/get_in_tkt.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/get_in_tkt.c 2008-12-17 23:07:02 UTC (rev 21523) +++ branches/mskrb-integ/src/lib/krb5/krb/get_in_tkt.c 2008-12-18 00:01:36 UTC (rev 21524) @@ -514,6 +514,8 @@ int loopcount = 0; krb5_int32 do_more = 0; int use_master = 0; + int referral_count = 0; + krb5_principal_data referred_client; #if APPLE_PKINIT inTktDebug("krb5_get_in_tkt top\n"); @@ -524,7 +526,11 @@ if (ret_as_reply) *ret_as_reply = 0; - + + referred_client = *(creds->client); + referred_client.realm.data = NULL; + referred_client.realm.length = 0; + /* * Set up the basic request structure */ @@ -647,6 +653,24 @@ if (retval) goto cleanup; continue; + } else if (err_reply->error == KDC_ERR_WRONG_REALM) { + if (++referral_count > KRB5_REFERRAL_MAXHOPS || + err_reply->client == NULL || + err_reply->client->realm.length == 0) + goto cleanup; + /* Rewrite request.client with realm from error reply */ + if (referred_client.realm.data) { + krb5_free_data_contents(context, &referred_client.realm); + referred_client.realm.data = NULL; + } + retval = krb5int_copy_data_contents(context, + &err_reply->client->realm, + &referred_client.realm); + krb5_free_error(context, err_reply); + if (retval) + goto cleanup; + request.client = &referred_client; + continue; } else { retval = (krb5_error_code) err_reply->error + ERROR_TABLE_BASE_krb5; 
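Review bot: In the new `KDC_ERR_WRONG_REALM` branch, the `goto cleanup` taken when `referral_count` exceeds `KRB5_REFERRAL_MAXHOPS` or the error reply carries no client realm skips `krb5_free_error(context, err_reply)` and leaves `retval` as it was, while the sibling `else` branch maps the KDC error into `retval`; unless the cleanup label (outside the hunk) frees `err_reply`, the reply leaks on that path, and the caller may get a non-error `retval` back with no ticket. Suggest `retval = (krb5_error_code) err_reply->error + ERROR_TABLE_BASE_krb5;` followed by `krb5_free_error(context, err_reply);` before that `goto cleanup`. The earlier hunk's `referred_client = *(creds->client);` is a shallow copy — the name components stay owned by `creds->client` and only `realm` is owned here, which is why the cleanup hunk frees just the realm with `krb5_free_data_contents`; a one-line comment at the copy saying so would keep the next reader from freeing the whole principal. `krb5_get_in_tkt` begins and ends outside these hunks.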
@@ -698,6 +722,8 @@ else krb5_free_kdc_rep(context, as_reply); } + if (referred_client.realm.data) + krb5_free_data_contents(context, &referred_client.realm); return (retval); } From lhoward at MIT.EDU Wed Dec 17 19:05:36 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 19:05:36 -0500 (EST) Subject: svn rev #21525: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812180005.TAA06475@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21525 Commit By: lhoward Log Message: Ignore KDC_ERR_WRONG_REALM unless canonicalization was requested, to guard against non-conforming KDCs Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/get_in_tkt.c Modified: branches/mskrb-integ/src/lib/krb5/krb/get_in_tkt.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/get_in_tkt.c 2008-12-18 00:01:36 UTC (rev 21524) +++ branches/mskrb-integ/src/lib/krb5/krb/get_in_tkt.c 2008-12-18 00:05:35 UTC (rev 21525) @@ -513,6 +513,7 @@ krb5_pa_data ** preauth_to_use = 0; int loopcount = 0; krb5_int32 do_more = 0; + int canon_flag; int use_master = 0; int referral_count = 0; krb5_principal_data referred_client; @@ -531,6 +532,10 @@ referred_client.realm.data = NULL; referred_client.realm.length = 0; + /* per referrals draft, enterprise principals imply canonicalization */ + canon_flag = ((options & KDC_OPT_CANONICALIZE) != 0) || + creds->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL; + /* * Set up the basic request structure */ @@ -653,7 +658,7 @@ if (retval) goto cleanup; continue; - } else if (err_reply->error == KDC_ERR_WRONG_REALM) { + } else if (canon_flag && err_reply->error == KDC_ERR_WRONG_REALM) { if (++referral_count > KRB5_REFERRAL_MAXHOPS || err_reply->client == NULL || err_reply->client->realm.length == 0) From tlyu at MIT.EDU Wed Dec 17 20:19:18 2008 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 17 Dec 2008 20:19:18 -0500 (EST) Subject: CVS report: tracking/rt-cvs rt-cvsgate Message-ID: <200812180119.UAA07564@drugstore.mit.edu> An embedded and charset-unspecified text was scrubbed... Name: not available Url: http://mailman.mit.edu/pipermail/cvs-krb5/attachments/20081217/98c3f452/attachment.bat From lhoward at MIT.EDU Wed Dec 17 21:38:45 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 21:38:45 -0500 (EST) Subject: svn rev #21526: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812180238.VAA08603@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21526 Commit By: lhoward Log Message: break statement was in incorrect place Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c 2008-12-18 00:05:35 UTC (rev 21525) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c 2008-12-18 02:38:43 UTC (rev 21526) @@ -198,12 +198,12 @@ md5cksum.contents, md5cksum.contents, 16); if (code != 0) goto cleanup; - break; cksum.length = ctx->cksum_size; cksum.contents = md5cksum.contents + 16 - cksum.length; memcpy(ptr + 14, cksum.contents, cksum.length); + break; case SGN_ALG_HMAC_SHA1_DES3_KD: assert(md5cksum.length == ctx->cksum_size); memcpy(ptr + 14, md5cksum.contents, md5cksum.length); From lhoward at MIT.EDU Wed Dec 17 22:29:38 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 22:29:38 -0500 (EST) Subject: svn rev #21527: branches/mskrb-integ/src/lib/ crypto/ crypto/des/ crypto/dk/ ... Message-ID: <200812180329.WAA09296@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21527 Commit By: lhoward Log Message: Add DES raw IOV support to libk5crypto, fix DES gss_wrap_iov() implementation Changed Files: U branches/mskrb-integ/src/lib/crypto/des/Makefile.in U branches/mskrb-integ/src/lib/crypto/des/des_int.h A branches/mskrb-integ/src/lib/crypto/des/f_aead.c U branches/mskrb-integ/src/lib/crypto/dk/dk_aead.c U branches/mskrb-integ/src/lib/crypto/enc_provider/Makefile.in U branches/mskrb-integ/src/lib/crypto/enc_provider/des.c U branches/mskrb-integ/src/lib/crypto/etypes.c U branches/mskrb-integ/src/lib/crypto/raw/Makefile.in U branches/mskrb-integ/src/lib/crypto/raw/raw.h A branches/mskrb-integ/src/lib/crypto/raw/raw_aead.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c Modified: branches/mskrb-integ/src/lib/crypto/des/Makefile.in =================================================================== --- branches/mskrb-integ/src/lib/crypto/des/Makefile.in 2008-12-18 02:38:43 UTC (rev 21526) +++ branches/mskrb-integ/src/lib/crypto/des/Makefile.in 2008-12-18 03:29:36 UTC (rev 21527) @@ -18,6 +18,7 @@ d3_cbc.o \ d3_aead.o \ d3_kysched.o \ + f_aead.o \ f_cbc.o \ f_cksum.o \ f_parity.o \ @@ -31,6 +32,7 @@ $(OUTPRE)d3_cbc.$(OBJEXT) \ $(OUTPRE)d3_aead.$(OBJEXT) \ $(OUTPRE)d3_kysched.$(OBJEXT) \ + $(OUTPRE)f_aead.$(OBJEXT) \ $(OUTPRE)f_cbc.$(OBJEXT) \ $(OUTPRE)f_cksum.$(OBJEXT) \ $(OUTPRE)f_parity.$(OBJEXT) \ @@ -44,6 +46,7 @@ $(srcdir)/d3_cbc.c \ $(srcdir)/d3_aead.c \ $(srcdir)/d3_kysched.c \ + $(srcdir)/f_aead.c \ $(srcdir)/f_cbc.c \ $(srcdir)/f_cksum.c \ $(srcdir)/f_parity.c \ 
@@ -145,6 +148,17 @@ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h des_int.h f_cbc.c \ f_tables.h +f_aead.so f_aead.po $(OUTPRE)f_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h des_int.h f_aead.c \ + f_tables.h f_cksum.so f_cksum.po $(OUTPRE)f_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ Modified: branches/mskrb-integ/src/lib/crypto/des/des_int.h =================================================================== --- branches/mskrb-integ/src/lib/crypto/des/des_int.h 2008-12-18 02:38:43 UTC (rev 21526) +++ branches/mskrb-integ/src/lib/crypto/des/des_int.h 2008-12-18 03:29:36 UTC (rev 21527) 
@@ -277,7 +277,18 @@ ((enc ? krb5int_des_cbc_encrypt : krb5int_des_cbc_decrypt) \ (in, out, length, schedule, ivec), 0) +void +krb5int_des_cbc_encrypt_iov(krb5_crypto_iov *data, + unsigned long num_data, + const mit_des_key_schedule schedule, + mit_des_cblock ivec); +void +krb5int_des_cbc_decrypt_iov(krb5_crypto_iov *data, + unsigned long num_data, + const mit_des_key_schedule schedule, + mit_des_cblock ivec); + /* d3_procky.c */ extern krb5_error_code mit_des3_process_key (krb5_encrypt_block * eblock, Added: branches/mskrb-integ/src/lib/crypto/des/f_aead.c =================================================================== --- branches/mskrb-integ/src/lib/crypto/des/f_aead.c 2008-12-18 02:38:43 UTC (rev 21526) +++ branches/mskrb-integ/src/lib/crypto/des/f_aead.c 2008-12-18 03:29:36 UTC (rev 21527) 
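Review bot: The two new prototypes in des_int.h carry no comment, and the `ivec` contract is the non-obvious part: it is both input (the chaining IV, with the zero block used when NULL) and output, since f_aead.c in this same commit overwrites it after the loop. Suggest above them: `/* CBC over an IOV list (f_aead.c). ivec, when non-NULL, supplies the IV and receives the last ciphertext block for chaining. */`. `num_data` is `unsigned long` here while the callers in enc_provider/des.c hold it as `size_t`; declaring it `size_t` in the prototype avoids a silent narrowing on platforms where the two types differ.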
@@ -0,0 +1,192 @@ +/* + * Copyright (C) 2008 by the Massachusetts Institute of Technology. + * Copyright 1995 by Richard P. Basch. All Rights Reserved. + * Copyright 1995 by Lehman Brothers, Inc. All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of Richard P. Basch, Lehman Brothers and M.I.T. not be used + * in advertising or publicity pertaining to distribution of the software + * without specific, written prior permission. Richard P. Basch, + * Lehman Brothers and M.I.T. make no representations about the suitability + * of this software for any purpose. It is provided "as is" without + * express or implied warranty. + */ + +#include "des_int.h" +#include "f_tables.h" +#include "../aead.h" + +void +krb5int_des_cbc_encrypt_iov(krb5_crypto_iov *data, + unsigned long num_data, + const mit_des_key_schedule schedule, + mit_des_cblock ivec) +{ + unsigned DES_INT32 left, right; + const unsigned DES_INT32 *kp; + const unsigned char *ip; + unsigned char *op; + struct iov_block_state input_pos, output_pos; + unsigned char iblock[MIT_DES_BLOCK_LENGTH]; + unsigned char oblock[MIT_DES_BLOCK_LENGTH]; + + IOV_BLOCK_STATE_INIT(&input_pos); + IOV_BLOCK_STATE_INIT(&output_pos); + + /* + * Get key pointer here. This won't need to be reinitialized + */ + kp = (const unsigned DES_INT32 *)schedule; + + /* + * Initialize left and right with the contents of the initial + * vector. 
+ */ + if (ivec != NULL) + ip = ivec; + else + ip = mit_des_zeroblock; + GET_HALF_BLOCK(left, ip); + GET_HALF_BLOCK(right, ip); + + /* + * Suitably initialized, now work the length down 8 bytes + * at a time. + */ + for (;;) { + unsigned DES_INT32 temp; + + ip = iblock; + op = oblock; + + if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH, data, num_data, &input_pos)) + break; + + if (input_pos.iov_pos == num_data) + break; + + GET_HALF_BLOCK(temp, ip); + left ^= temp; + GET_HALF_BLOCK(temp, ip); + right ^= temp; + + /* + * Encrypt what we have + */ + DES_DO_ENCRYPT(left, right, kp); + + /* + * Copy the results out + */ + PUT_HALF_BLOCK(left, op); + PUT_HALF_BLOCK(right, op); + + krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH, &output_pos); + } + + if (ivec != NULL) + memcpy(ivec, oblock, MIT_DES_BLOCK_LENGTH); +} + +void +krb5int_des_cbc_decrypt_iov(krb5_crypto_iov *data, + unsigned long num_data, + const mit_des_key_schedule schedule, + mit_des_cblock ivec) +{ + unsigned DES_INT32 left, right; + const unsigned DES_INT32 *kp; + const unsigned char *ip; + unsigned DES_INT32 ocipherl, ocipherr; + unsigned DES_INT32 cipherl, cipherr; + unsigned char *op; + struct iov_block_state input_pos, output_pos; + unsigned char iblock[MIT_DES_BLOCK_LENGTH]; + unsigned char oblock[MIT_DES_BLOCK_LENGTH]; + + IOV_BLOCK_STATE_INIT(&input_pos); + IOV_BLOCK_STATE_INIT(&output_pos); + + /* + * Get key pointer here. This won't need to be reinitialized + */ + kp = (const unsigned DES_INT32 *)schedule; + + /* + * Decrypting is harder than encrypting because of + * the necessity of remembering a lot more things. + * Should think about this a little more... + */ + + if (num_data == 0) + return; + + /* + * Prime the old cipher with ivec. + */ + if (ivec != NULL) + ip = ivec; + else + ip = mit_des_zeroblock; + GET_HALF_BLOCK(ocipherl, ip); + GET_HALF_BLOCK(ocipherr, ip); + + /* + * Now do this in earnest until we run out of length. 
+ */ + for (;;) { + /* + * Read a block from the input into left and + * right. Save this cipher block for later. + */ + + if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH, data, num_data, &input_pos)) + break; + + if (input_pos.iov_pos == num_data) + break; + + ip = iblock; + op = oblock; + + GET_HALF_BLOCK(left, ip); + GET_HALF_BLOCK(right, ip); + cipherl = left; + cipherr = right; + + /* + * Decrypt this. + */ + DES_DO_DECRYPT(left, right, kp); + + /* + * Xor with the old cipher to get plain + * text. Output 8 or less bytes of this. + */ + left ^= ocipherl; + right ^= ocipherr; + + PUT_HALF_BLOCK(left, op); + PUT_HALF_BLOCK(right, op); + + /* + * Save current cipher block here + */ + ocipherl = cipherl; + ocipherr = cipherr; + + krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH, &output_pos); + } + + if (ivec != NULL) + memcpy(ivec, oblock, MIT_DES_BLOCK_LENGTH); +} Modified: branches/mskrb-integ/src/lib/crypto/dk/dk_aead.c =================================================================== --- branches/mskrb-integ/src/lib/crypto/dk/dk_aead.c 2008-12-18 02:38:43 UTC (rev 21526) +++ branches/mskrb-integ/src/lib/crypto/dk/dk_aead.c 2008-12-18 03:29:36 UTC (rev 21527) @@ -257,7 +257,7 @@ if (blocksize == 0) { /* Check for correct input length in CTS mode */ - if (enc->block_size != 0 && cipherlen < enc->block_size) + if (enc->block_size != 0 && cipherlen < enc->block_size) return KRB5_BAD_MSIZE; } else { /* Check that the input data is correctly padded */ Modified: branches/mskrb-integ/src/lib/crypto/enc_provider/Makefile.in =================================================================== --- branches/mskrb-integ/src/lib/crypto/enc_provider/Makefile.in 2008-12-18 02:38:43 UTC (rev 21526) +++ branches/mskrb-integ/src/lib/crypto/enc_provider/Makefile.in 2008-12-18 03:29:36 UTC (rev 21527) 
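Review bot: Both new functions finish with `memcpy(ivec, oblock, MIT_DES_BLOCK_LENGTH)`, and in `krb5int_des_cbc_decrypt_iov` `oblock` holds the last decrypted plaintext block (it is written after the XOR with `ocipherl`/`ocipherr`), so a caller chaining across calls receives a plaintext block as its next IV instead of the last ciphertext block that the encrypt side leaves behind; `ocipherl`/`ocipherr` already hold the right value at loop exit. In both functions `oblock` is also uninitialized when the loop breaks before producing a block (empty or block-less input — the encrypt side has no `num_data == 0` guard at all), so the final copy writes stack contents into the caller's IV. Writing the chaining state from the halves that track it fixes both, as below; `left`/`right` on the encrypt side hold the last ciphertext block after `DES_DO_ENCRYPT`, or the IV if nothing was processed. The second `break` on `input_pos.iov_pos == num_data` after a successful `krb5int_c_iov_get_block` looks redundant; if that helper can return true with the position already at `num_data`, the final block would be silently skipped, so its contract is worth confirming.
```c
void
krb5int_des_cbc_encrypt_iov(krb5_crypto_iov *data,
                            unsigned long num_data,
                            const mit_des_key_schedule schedule,
                            mit_des_cblock ivec)
{
    /* … unchanged: locals, key pointer, IV load into left/right, encrypt loop … */

    /*
     * left/right hold the last ciphertext block (or the IV when no block
     * was processed), so the chaining state is well-defined for empty input.
     */
    if (ivec != NULL) {
        op = ivec;
        PUT_HALF_BLOCK(left, op);
        PUT_HALF_BLOCK(right, op);
    }
}

void
krb5int_des_cbc_decrypt_iov(krb5_crypto_iov *data,
                            unsigned long num_data,
                            const mit_des_key_schedule schedule,
                            mit_des_cblock ivec)
{
    /* … unchanged: locals, key pointer, num_data guard, IV load, decrypt loop … */

    /* Chain on the last ciphertext block, which ocipherl/ocipherr track. */
    if (ivec != NULL) {
        op = ivec;
        PUT_HALF_BLOCK(ocipherl, op);
        PUT_HALF_BLOCK(ocipherr, op);
    }
}
```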
@@ -2,7 +2,7 @@ myfulldir=lib/crypto/enc_provider mydir=lib/crypto/enc_provider BUILDTOP=$(REL)..$(S)..$(S).. -LOCALINCLUDES = -I$(srcdir)/../des -I$(srcdir)/../arcfour -I$(srcdir)/../aes +LOCALINCLUDES = -I$(srcdir)/../des -I$(srcdir)/../arcfour -I$(srcdir)/../aes -I$(srcdir)/.. DEFS= ##DOS##BUILDTOP = ..\..\.. Modified: branches/mskrb-integ/src/lib/crypto/enc_provider/des.c =================================================================== --- branches/mskrb-integ/src/lib/crypto/enc_provider/des.c 2008-12-18 02:38:43 UTC (rev 21526) +++ branches/mskrb-integ/src/lib/crypto/enc_provider/des.c 2008-12-18 03:29:36 UTC (rev 21527) @@ -27,6 +27,7 @@ #include "k5-int.h" #include "des_int.h" #include "enc_provider.h" +#include "aead.h" static krb5_error_code k5_des_docrypt(const krb5_keyblock *key, const krb5_data *ivec, 
@@ -106,6 +107,67 @@ return(0); } +static krb5_error_code +k5_des_docrypt_iov(const krb5_keyblock *key, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data, int enc) +{ + mit_des_key_schedule schedule; + size_t input_length = 0; + int i; + + /* key->enctype was checked by the caller */ + + if (key->length != 8) + return(KRB5_BAD_KEYSIZE); + + for (i = 0; i < num_data; i++) { + const krb5_crypto_iov *iov = &data[i]; + + if (ENCRYPT_DATA_IOV(iov)) + input_length += iov->data.length; + } + + if ((input_length % 8) != 0) + return(KRB5_BAD_MSIZE); + if (ivec && (ivec->length != 8)) + return(KRB5_BAD_MSIZE); + + switch (mit_des_key_sched(key->contents, schedule)) { + case -1: + return(KRB5DES_BAD_KEYPAR); + case -2: + return(KRB5DES_WEAK_KEY); + } + + /* this has a return value, but the code always returns zero */ + if (enc) + krb5int_des_cbc_encrypt_iov(data, num_data, schedule, ivec ? ivec->data : NULL); + else + krb5int_des_cbc_decrypt_iov(data, num_data, schedule, ivec ? ivec->data : NULL); + + memset(schedule, 0, sizeof(schedule)); + + return(0); +} + +static krb5_error_code +k5_des_encrypt_iov(const krb5_keyblock *key, + const krb5_data *ivec, + krb5_crypto_iov *data, + size_t num_data) +{ + return k5_des_docrypt_iov(key, ivec, data, num_data, 1); +} + +static krb5_error_code +k5_des_decrypt_iov(const krb5_keyblock *key, + const krb5_data *ivec, + krb5_crypto_iov *data, + size_t num_data) +{ + return k5_des_docrypt_iov(key, ivec, data, num_data, 0); +} + const struct krb5_enc_provider krb5int_enc_des = { 8, 7, 8, 
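Review bot: `k5_des_docrypt_iov` loops `int i` against `size_t num_data`, a signed/unsigned comparison that `-Wsign-compare` flags and that misbehaves for counts above `INT_MAX`; `size_t i;` matches the rest of the new code (`size_t input_length`, `size_t num_data`). The `memset(schedule, 0, sizeof(schedule))` is the schedule's last use, so the compiler is free to drop it as a dead store and the expanded DES key can stay on the stack; if the tree has a zeroization helper that survives optimization, use it here (the existing `k5_des_docrypt` above the hunk presumably has the same pattern and could be fixed together). The `unsigned long num_data` in the des_int.h prototypes versus `size_t` here is a small inconsistency worth settling on `size_t`.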
@@ -113,5 +175,7 @@ k5_des_decrypt, k5_des_make_key, krb5int_des_init_state, - krb5int_default_free_state + krb5int_default_free_state, + k5_des_encrypt_iov, + k5_des_decrypt_iov }; Modified: branches/mskrb-integ/src/lib/crypto/etypes.c =================================================================== --- branches/mskrb-integ/src/lib/crypto/etypes.c 2008-12-18 02:38:43 UTC (rev 21526) +++ branches/mskrb-integ/src/lib/crypto/etypes.c 2008-12-18 03:29:36 UTC (rev 21527) @@ -86,7 +86,7 @@ krb5int_des_string_to_key, NULL, /*PRF*/ 0, - NULL /*AEAD*/ }, + &krb5int_aead_raw /*AEAD*/ }, { ENCTYPE_DES3_CBC_RAW, "des3-cbc-raw", "Triple DES cbc mode raw", &krb5int_enc_des3, NULL, Modified: branches/mskrb-integ/src/lib/crypto/raw/Makefile.in =================================================================== --- branches/mskrb-integ/src/lib/crypto/raw/Makefile.in 2008-12-18 02:38:43 UTC (rev 21526) +++ branches/mskrb-integ/src/lib/crypto/raw/Makefile.in 2008-12-18 03:29:36 UTC (rev 21527) @@ -2,6 +2,7 @@ myfulldir=lib/crypto/raw mydir=lib/crypto/raw BUILDTOP=$(REL)..$(S)..$(S).. +LOCALINCLUDES = -I$(srcdir)/.. DEFS= ##DOS##BUILDTOP = ..\..\.. @@ -13,11 +14,11 @@ RUN_SETUP = @KRB5_RUN_ENV@ KRB5_CONFIG=$(SRCTOP)/config-files/krb5.conf -STLIBOBJS= raw_decrypt.o raw_encrypt.o +STLIBOBJS= raw_decrypt.o raw_encrypt.o raw_aead.o -OBJS= $(OUTPRE)raw_decrypt.$(OBJEXT) $(OUTPRE)raw_encrypt.$(OBJEXT) +OBJS= $(OUTPRE)raw_decrypt.$(OBJEXT) $(OUTPRE)raw_encrypt.$(OBJEXT) $(OUTPRE)raw_aead.$(OBJEXT) -SRCS= $(srcdir)/raw_decrypt.c $(srcdir)/raw_encrypt.c +SRCS= $(srcdir)/raw_decrypt.c $(srcdir)/raw_encrypt.c $(srcdir)/raw_aead.c ##DOS##LIBOBJS = $(OBJS) 
@@ -56,3 +57,13 @@ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h raw.h raw_encrypt.c +raw_aead.so raw_aead.po $(OUTPRE)raw_aead.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ + $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ + $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h raw.h raw_aead.c Modified: branches/mskrb-integ/src/lib/crypto/raw/raw.h =================================================================== --- branches/mskrb-integ/src/lib/crypto/raw/raw.h 2008-12-18 02:38:43 UTC (rev 21526) +++ branches/mskrb-integ/src/lib/crypto/raw/raw.h 2008-12-18 03:29:36 UTC (rev 21527) @@ -44,3 +44,6 @@ const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *ivec, const krb5_data *input, krb5_data *arg_output); + +extern const struct krb5_aead_provider krb5int_aead_raw; + Added: branches/mskrb-integ/src/lib/crypto/raw/raw_aead.c =================================================================== --- branches/mskrb-integ/src/lib/crypto/raw/raw_aead.c 2008-12-18 02:38:43 UTC (rev 21526) +++ branches/mskrb-integ/src/lib/crypto/raw/raw_aead.c 2008-12-18 03:29:36 UTC (rev 21527) 
@@ -0,0 +1,165 @@ +/* + * lib/crypto/raw/raw_aead.c + * + * Copyright 2008 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. 
+ */ + + +#include "k5-int.h" +#include "raw.h" +#include "aead.h" + +#define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */ + +/* AEAD */ + +static krb5_error_code +krb5int_raw_crypto_length(const struct krb5_aead_provider *aead, + const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + krb5_cryptotype type, + unsigned int *length) +{ + switch (type) { + case KRB5_CRYPTO_TYPE_PADDING: + *length = enc->block_size; + break; + default: + *length = 0; + break; + } + + return 0; +} + +static krb5_error_code +krb5int_raw_encrypt_iov(const struct krb5_aead_provider *aead, + const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + krb5_keyusage usage, + const krb5_data *ivec, + krb5_crypto_iov *data, + size_t num_data) +{ + krb5_error_code ret; + krb5_crypto_iov *padding; + size_t i; + unsigned int blocksize = 0; + unsigned int plainlen = 0; + unsigned int padsize = 0; + + ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, &blocksize); + if (ret != 0) + return ret; + + for (i = 0; i < num_data; i++) { + krb5_crypto_iov *iov = &data[i]; + + if (iov->flags == KRB5_CRYPTO_TYPE_DATA) + plainlen += iov->data.length; + } + + if (blocksize != 0) { + /* Check that the input data is correctly padded */ + if (plainlen % blocksize) + padsize = blocksize - (plainlen % blocksize); + } + + padding = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_PADDING); + if (padsize && (padding == NULL || padding->data.length < padsize)) + return KRB5_BAD_MSIZE; + + if (padding != NULL) { + memset(padding->data.data, 0, padsize); + padding->data.length = padsize; + } + + assert(enc->encrypt_iov != NULL); + + ret = enc->encrypt_iov(key, ivec, data, num_data); /* will update ivec */ + + return ret; +} + +static krb5_error_code +krb5int_raw_decrypt_iov(const struct krb5_aead_provider *aead, + const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const 
krb5_keyblock *key, + krb5_keyusage usage, + const krb5_data *ivec, + krb5_crypto_iov *data, + size_t num_data) +{ + krb5_error_code ret; + size_t i; + unsigned int blocksize = 0; /* careful, this is enc block size not confounder len */ + unsigned int cipherlen = 0; + + if (krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_STREAM) != NULL) { + return krb5int_c_iov_decrypt_stream(aead, enc, hash, key, + usage, ivec, data, num_data); + } + + + /* E(Confounder | Plaintext | Pad) | Checksum */ + + ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, &blocksize); + if (ret != 0) + return ret; + + for (i = 0; i < num_data; i++) { + const krb5_crypto_iov *iov = &data[i]; + + if (ENCRYPT_DATA_IOV(iov)) + cipherlen += iov->data.length; + } + + if (blocksize == 0) { + /* Check for correct input length in CTS mode */ + if (enc->block_size != 0 && cipherlen < enc->block_size) + return KRB5_BAD_MSIZE; + } else { + /* Check that the input data is correctly padded */ + if ((cipherlen % blocksize) != 0) + return KRB5_BAD_MSIZE; + } + + /* Validate header and trailer lengths */ + + /* derive the keys */ + + /* decrypt the plaintext (header | data | padding) */ + assert(enc->decrypt_iov != NULL); + + ret = enc->decrypt_iov(key, ivec, data, num_data); /* will update ivec */ + + return ret; +} + +const struct krb5_aead_provider krb5int_aead_raw = { + krb5int_raw_crypto_length, + krb5int_raw_encrypt_iov, + krb5int_raw_decrypt_iov +}; Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-18 02:38:43 UTC (rev 21526) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-18 03:29:36 UTC (rev 21527) 
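Review bot: `krb5int_raw_decrypt_iov` carries comments copied from a confounder/checksum mode that do not describe this code: `/* E(Confounder | Plaintext | Pad) | Checksum */`, `/* Validate header and trailer lengths */` and `/* derive the keys */` head no code at all, and the function hands the IOVs straight to `enc->decrypt_iov` with no confounder, key derivation or checksum. Replace them with one comment stating the actual contract, e.g. `/* Raw mode: CBC only - no confounder, no key derivation and no integrity check; a successful return does not authenticate the data. */`, so users of `krb5int_aead_raw` do not assume the checksum semantics of the dk provider. In `krb5int_raw_encrypt_iov` the comment `/* Check that the input data is correctly padded */` sits above code that computes the pad size rather than checks it; `/* Pad the plaintext up to the enc block size */` fits. The bare `assert(enc->encrypt_iov != NULL)` / `assert(enc->decrypt_iov != NULL)` vanish under NDEBUG and leave a NULL call; returning an error for a provider without IOV support would be the safer form.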
@@ -183,19 +183,6 @@ goto cleanup; } } - - /* - * For GSS_C_DCE_STYLE, the caller manages the padding, because the - * pad length is in the RPC PDU. The value of the padding may be - * uninitialized. For normal GSS, the last bytes of the decrypted - * data contain the pad length. kg_fixup_padding_iov() will find - * this and fixup the last data IOV and padding IOV appropriately. - */ - if ((ctx->gss_flags & GSS_C_DCE_STYLE) == 0) { - retval = kg_fixup_padding_iov(&code, iov, iov_count); - if (retval != GSS_S_COMPLETE) - goto cleanup; - } conflen = kg_confounder_size(context, ctx->enc); } @@ -275,6 +262,19 @@ goto cleanup; } + /* + * For GSS_C_DCE_STYLE, the caller manages the padding, because the + * pad length is in the RPC PDU. The value of the padding may be + * uninitialized. For normal GSS, the last bytes of the decrypted + * data contain the pad length. kg_fixup_padding_iov() will find + * this and fixup the last data IOV and padding IOV appropriately. + */ + if ((ctx->gss_flags & GSS_C_DCE_STYLE) == 0) { + retval = kg_fixup_padding_iov(&code, iov, iov_count); + if (retval != GSS_S_COMPLETE) + goto cleanup; + } + if (conf_state != NULL) *conf_state = (sealalg != 0xFFFF); Modified: branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-18 02:38:43 UTC (rev 21526) +++ branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-18 03:29:36 UTC (rev 21527) @@ -742,8 +742,12 @@ data->buffer.length -= relative_padlength; - padding->buffer.length += relative_padlength; - padding->buffer.value = p - relative_padlength; + /* + * We don't really know DATA and PADDING buffers are + * adjacent in memory so just set PADDING to NULL. + */ + padding->buffer.length = 0; + padding->buffer.value = NULL; return GSS_S_COMPLETE; } From lhoward at MIT.EDU Wed Dec 17 22:30:52 2008 
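Review bot: Nulling `padding->buffer.value` discards the pointer without releasing it, so when the padding IOV is one the library allocated on the caller's behalf (its `type` carrying GSS_IOV_BUFFER_FLAG_ALLOCATED) the buffer leaks on every padded message that is unwrapped. Release it before clearing: `if (padding->type & GSS_IOV_BUFFER_FLAG_ALLOCATED) gss_release_buffer(&minor, &padding->buffer);` with a scratch `OM_uint32 minor` declared at the top of the function. The two k5unsealiov.c hunks in this commit only move the kg_fixup_padding_iov call and raise nothing. The enclosing function begins outside the hunk.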
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 22:30:52 -0500 (EST) Subject: svn rev #21528: branches/mskrb-integ/src/lib/crypto/ raw/ Message-ID: <200812180330.WAA09385@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21528 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/crypto/etypes.c U branches/mskrb-integ/src/lib/crypto/raw/raw_aead.c Modified: branches/mskrb-integ/src/lib/crypto/etypes.c =================================================================== --- branches/mskrb-integ/src/lib/crypto/etypes.c 2008-12-18 03:29:36 UTC (rev 21527) +++ branches/mskrb-integ/src/lib/crypto/etypes.c 2008-12-18 03:30:51 UTC (rev 21528) @@ -86,7 +86,7 @@ krb5int_des_string_to_key, NULL, /*PRF*/ 0, - &krb5int_aead_raw /*AEAD*/ }, + &krb5int_aead_raw }, { ENCTYPE_DES3_CBC_RAW, "des3-cbc-raw", "Triple DES cbc mode raw", &krb5int_enc_des3, NULL, Modified: branches/mskrb-integ/src/lib/crypto/raw/raw_aead.c =================================================================== --- branches/mskrb-integ/src/lib/crypto/raw/raw_aead.c 2008-12-18 03:29:36 UTC (rev 21527) +++ branches/mskrb-integ/src/lib/crypto/raw/raw_aead.c 2008-12-18 03:30:51 UTC (rev 21528) @@ -29,8 +29,6 @@ #include "raw.h" #include "aead.h" -#define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */ - /* AEAD */ static krb5_error_code From lhoward at MIT.EDU Wed Dec 17 22:39:26 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 22:39:26 -0500 (EST) Subject: svn rev #21529: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812180339.WAA09547@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21529 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-18 03:30:51 UTC (rev 21528) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-18 03:39:25 UTC (rev 21529) @@ -267,7 +267,7 @@ * pad length is in the RPC PDU. The value of the padding may be * uninitialized. For normal GSS, the last bytes of the decrypted * data contain the pad length. kg_fixup_padding_iov() will find - * this and fixup the last data IOV and padding IOV appropriately. + * this and fixup the last data IOV appropriately. */ if ((ctx->gss_flags & GSS_C_DCE_STYLE) == 0) { retval = kg_fixup_padding_iov(&code, iov, iov_count); From lhoward at MIT.EDU Wed Dec 17 22:46:59 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 22:46:59 -0500 (EST) Subject: svn rev #21530: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812180346.WAA09709@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21530 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-18 03:39:25 UTC (rev 21529) +++ branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-18 03:46:58 UTC (rev 21530) 
@@ -697,6 +697,7 @@ gss_iov_buffer_t data = NULL; size_t padlength, relative_padlength; unsigned char *p; + OM_uint32 minor; data = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_DATA); padding = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING); @@ -712,7 +713,7 @@ } p = (unsigned char *)padding->buffer.value; - padlength = p[0]; + padlength = p[padding->buffer.length - 1]; if (data->buffer.length + padding->buffer.length < padlength || padlength == 0) { @@ -722,10 +723,15 @@ /* * kg_tokenize_stream_iov() will place one byte of padding in the - * padding buffer, because its true value is unknown until decryption - * time. relative_padlength contains the number of bytes to compensate - * the padding and data buffers by. + * padding buffer; its true value is unknown until after decryption. * + * relative_padlength contains the number of bytes to compensate the + * padding and data buffers by; it will be zero if the caller manages + * the padding length. + * + * If the caller manages the padding length, then relative_padlength + * wil be zero. + * * eg. if the buffers are structured as follows: * * +---DATA---+-PAD-+ @@ -735,17 +741,18 @@ * after compensation they would look like: * * +-DATA--+-PAD--+ - * | ABCDE | 4444 | + * | ABCDE | NULL | * +-------+------+ */ relative_padlength = padlength - padding->buffer.length; + assert(data->buffer.length >= relative_padlength); + data->buffer.length -= relative_padlength; - /* - * We don't really know DATA and PADDING buffers are - * adjacent in memory so just set PADDING to NULL. - */ + if (padding->type & GSS_IOV_BUFFER_FLAG_ALLOCATED) + gss_release_buffer(&minor, &padding->buffer); + padding->buffer.length = 0; padding->buffer.value = NULL; From lhoward at MIT.EDU Wed Dec 17 22:54:18 2008 
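Review bot: `padlength = p[padding->buffer.length - 1]` reads one byte before the buffer when the padding IOV has length zero, because the subtraction wraps on size_t and the length check that follows runs only after the read. Unless the lines between the @@ -697 and @@ -712 hunks (not in view) already reject an empty padding buffer, guard it first: `if (padding->buffer.length == 0)` returning the same error the existing length check returns. kg_fixup_padding_iov begins outside the hunk.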
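Review bot: `assert(data->buffer.length >= relative_padlength)` guards a value derived from the received token's pad byte, which is the wrong tool: with NDEBUG the check disappears, and the earlier test (`data->buffer.length + padding->buffer.length < padlength`) bounds `padlength` only from above, so a padding IOV longer than `padlength` makes `relative_padlength` wrap and `data->buffer.length -= relative_padlength` grows the data length past its buffer. Replace the assert with an explicit rejection before the subtraction, `if (padlength < padding->buffer.length)` returning the error the earlier length check returns; with both bounds enforced the assert can remain as documentation only. In the @@ -722 hunk the new comment states the caller-managed case twice ("it will be zero if the caller manages the padding length" and the paragraph beginning "If the caller manages", which also has the typo `wil`); keep one. kg_fixup_padding_iov begins outside the hunk.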
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 22:54:18 -0500 (EST) Subject: svn rev #21531: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812180354.WAA09858@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21531 Commit By: lhoward Log Message: Cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c 2008-12-18 03:46:58 UTC (rev 21530) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c 2008-12-18 03:54:17 UTC (rev 21531) @@ -354,7 +354,7 @@ if (rrc != desired_rrc) goto defective; } else if (rrc != 0) { - /* Should have been rotated by kg_tokenize_stream_iov() */ + /* Should have been rotated by kg_unseal_stream_iov() */ goto defective; } Modified: branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-18 03:46:58 UTC (rev 21530) +++ branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-18 03:54:17 UTC (rev 21531) @@ -722,7 +722,7 @@ } /* - * kg_tokenize_stream_iov() will place one byte of padding in the + * kg_unseal_stream_iov() will place one byte of padding in the * padding buffer; its true value is unknown until after decryption. * * relative_padlength contains the number of bytes to compensate the From lhoward at MIT.EDU Wed Dec 17 23:03:54 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 23:03:54 -0500 (EST) Subject: svn rev #21532: branches/mskrb-integ/src/kdc/ Message-ID: <200812180403.XAA10061@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21532 Commit By: lhoward Log Message: fix logic error from merge: OK_AS_DELEGATE should propagated from server to ticket if the server is NOT a referral Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c U branches/mskrb-integ/src/kdc/kdc_util.c Modified: branches/mskrb-integ/src/kdc/do_tgs_req.c =================================================================== --- branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-18 03:54:17 UTC (rev 21531) +++ branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-18 04:03:53 UTC (rev 21532) @@ -121,6 +121,7 @@ krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */ unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */ char *s4u_name = NULL; + krb5_boolean is_referral; session_key.contents = NULL; @@ -264,6 +265,8 @@ if (!is_local_principal(header_enc_tkt->client)) setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM); + is_referral = is_referral_entry(kdc_context, &server); + /* Check for protocol transition */ errcode = kdc_process_s4u2self_req(kdc_context, request, header_enc_tkt->client, &server, header_enc_tkt->session, kdc_time, @@ -387,7 +390,7 @@ enc_tkt_reply.times.starttime = 0; if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE) && - is_referral_entry(kdc_context, &server)) { + !is_referral) { /* Ensure that we are not returning a referral */ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE); } Modified: branches/mskrb-integ/src/kdc/kdc_util.c =================================================================== --- branches/mskrb-integ/src/kdc/kdc_util.c 2008-12-18 03:54:17 UTC (rev 21531) +++ branches/mskrb-integ/src/kdc/kdc_util.c 2008-12-18 04:03:53 UTC (rev 21532) 
@@ -2233,7 +2233,7 @@ tl_data.tl_data_contents = NULL; if (krb5_dbe_lookup_tl_data(context, server, &tl_data) == 0 && - tl_data.tl_data_contents != NULL) { + tl_data.tl_data_length != 0) { return TRUE; } From lhoward at MIT.EDU Wed Dec 17 23:05:39 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 17 Dec 2008 23:05:39 -0500 (EST) Subject: svn rev #21533: branches/mskrb-integ/src/kdc/ Message-ID: <200812180405.XAA10155@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21533 Commit By: lhoward Log Message: cleanup referral server reply name path Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c Modified: branches/mskrb-integ/src/kdc/do_tgs_req.c =================================================================== --- branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-18 04:03:53 UTC (rev 21532) +++ branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-18 04:05:38 UTC (rev 21533) @@ -384,7 +384,10 @@ authtime = header_enc_tkt->times.authtime; - ticket_reply.server = request->server; /* XXX careful for realm... */ + if (is_referral) + ticket_reply.server = server.princ; + else + ticket_reply.server = request->server; /* XXX careful for realm... */ enc_tkt_reply.flags = 0; enc_tkt_reply.times.starttime = 0; @@ -680,14 +683,6 @@ goto cleanup; } - if (reply_encpart.enc_padata != NULL) { - /* - * Backend should not have returned referrals if canonicalize - * flag was absent - */ - ticket_reply.server = server.princ; - } - /* assemble any authorization data */ if (request->authorization_data.ciphertext.data != NULL) { krb5_data scratch; From lhoward at MIT.EDU Thu Dec 18 01:22:11 2008 
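Review bot: The condition now tests `tl_data.tl_data_length`, but the only initialization visible is `tl_data.tl_data_contents = NULL`; if krb5_dbe_lookup_tl_data leaves the struct untouched when no entry matches, the new test reads an uninitialized field where the old one read a NULL. Initialize the field the test depends on next to the existing line, `tl_data.tl_data_length = 0;`, or confirm the lookup zeroes it on a miss. The enclosing function begins outside the hunk.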
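Review bot: The new `if (is_referral)` branch carries no rationale while the block deleted in the @@ -680 hunk did ("Backend should not have returned referrals if canonicalize flag was absent"), and the surviving `/* XXX careful for realm... */` now hangs off an unbraced `else`. Brace both arms and move the explanation above the `if`, e.g. `/* Referral: answer with the looked-up entry's principal (server.princ) rather than the requested name. */`. The enclosing function begins outside the hunk.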
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 18 Dec 2008 01:22:11 -0500 (EST) Subject: svn rev #21534: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812180622.BAA11880@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21534 Commit By: lhoward Log Message: Reorder initialization of SPNEGO and Kerberos mechanisms, the default mechanism must be Kerberos for backwards compatibility. Ensure that mechanisms dynamically loaded via GSS entry pointers have mech->mech_type initialized. Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c 2008-12-18 04:05:38 UTC (rev 21533) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c 2008-12-18 06:22:10 UTC (rev 21534) @@ -98,8 +98,8 @@ err = k5_mutex_finish_init(&g_mechListLock); #ifdef _GSS_STATIC_LINK + err = gss_krb5int_lib_init(); err = gss_spnegoint_lib_init(); - err = gss_krb5int_lib_init(); #endif return err; @@ -119,8 +119,8 @@ printf("gssint_mechglue_fini\n"); #endif #ifdef _GSS_STATIC_LINK + gss_spnegoint_lib_fini(); gss_krb5int_lib_fini(); - gss_spnegoint_lib_fini(); #endif k5_mutex_destroy(&g_mechSetLock); k5_mutex_destroy(&g_mechListLock); @@ -712,7 +712,7 @@ } while (0) static gss_mechanism -build_dynamicMech(void *dl) +build_dynamicMech(void *dl, const gss_OID mech_type) { gss_mechanism mech; @@ -763,6 +763,10 @@ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_wrap_iov_length); GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_complete_auth_token); + assert(mech_type != GSS_C_NO_OID); + + mech->mech_type = *(mech_type); + return mech; } 
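Review bot: After the reordering, the result of `gss_krb5int_lib_init()` is overwritten by the next assignment before anyone reads it, so a failed Kerberos initialization — the mechanism the log message says must be the default — is reported as success whenever SPNEGO initializes cleanly (the mutex result on the line above was already lost the same way). Check between the calls: `err = gss_krb5int_lib_init();` / `if (err) return err;` / `err = gss_spnegoint_lib_init();`. The mirror-image ordering in the @@ -119 fini hunk is fine as is. The enclosing function begins outside the hunk.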
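Review bot: `assert(mech_type != GSS_C_NO_OID)` turns a bad argument into an abort in debug builds and into a NULL dereference on the next line when NDEBUG is defined; build_dynamicMech already has a NULL-return contract that its caller checks (`if (aMech->mech == NULL)` in the @@ -848 hunk on the next line of this page), so reject the argument by returning NULL after releasing `mech` instead of asserting. `mech->mech_type = *(mech_type)` is also a shallow copy whose `elements` alias the caller's OID storage, which is fine only while that mech list entry outlives the mechanism; record it with `/* shallow copy: elements alias the mechList entry's OID */`. The enclosing function begins outside the hunk.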
@@ -848,7 +852,7 @@ aMech->mech = (*sym)(aMech->mech_type); } else { /* Try dynamic dispatch table */ - aMech->mech = build_dynamicMech(dl); + aMech->mech = build_dynamicMech(dl, aMech->mech_type); } if (aMech->mech == NULL) { (void) krb5int_close_plugin(dl); From lhoward at MIT.EDU Thu Dec 18 01:23:35 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 18 Dec 2008 01:23:35 -0500 (EST) Subject: svn rev #21535: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812180623.BAA11966@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21535 Commit By: lhoward Log Message: indent cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_acquire_cred.c Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_acquire_cred.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_acquire_cred.c 2008-12-18 06:22:10 UTC (rev 21534) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_acquire_cred.c 2008-12-18 06:23:34 UTC (rev 21535) @@ -381,8 +381,8 @@ internal_name = union_name->mech_name; else { if (gssint_import_internal_name(minor_status, - &mech->mech_type, union_name, - &allocated_name) != GSS_S_COMPLETE) + &mech->mech_type, union_name, + &allocated_name) != GSS_S_COMPLETE) return (GSS_S_BAD_NAME); internal_name = allocated_name; } From lhoward at MIT.EDU Thu Dec 18 02:51:22 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 18 Dec 2008 02:51:22 -0500 (EST) Subject: svn rev #21536: branches/mskrb-integ/src/kdc/ Message-ID: <200812180751.CAA13018@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21536 Commit By: lhoward Log Message: Cleanup Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c U branches/mskrb-integ/src/kdc/kdc_util.c U branches/mskrb-integ/src/kdc/kdc_util.h Modified: branches/mskrb-integ/src/kdc/do_tgs_req.c =================================================================== --- branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-18 06:23:34 UTC (rev 21535) +++ branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-18 07:51:21 UTC (rev 21536) @@ -265,7 +265,7 @@ if (!is_local_principal(header_enc_tkt->client)) setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM); - is_referral = is_referral_entry(kdc_context, &server); + is_referral = is_tgs_referral(kdc_context, request, &server); /* Check for protocol transition */ errcode = kdc_process_s4u2self_req(kdc_context, request, header_enc_tkt->client, Modified: branches/mskrb-integ/src/kdc/kdc_util.c =================================================================== --- branches/mskrb-integ/src/kdc/kdc_util.c 2008-12-18 06:23:34 UTC (rev 21535) +++ branches/mskrb-integ/src/kdc/kdc_util.c 2008-12-18 07:51:21 UTC (rev 21536) @@ -2225,7 +2225,9 @@ } krb5_boolean -is_referral_entry(krb5_context context, krb5_db_entry *server) +is_tgs_referral(krb5_context context, + krb5_kdc_req *request, + krb5_db_entry *server) { krb5_tl_data tl_data; Modified: branches/mskrb-integ/src/kdc/kdc_util.h =================================================================== --- branches/mskrb-integ/src/kdc/kdc_util.h 2008-12-18 06:23:34 UTC (rev 21535) +++ branches/mskrb-integ/src/kdc/kdc_util.h 2008-12-18 07:51:21 UTC (rev 21536) 
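Review bot: The new `request` parameter is not referenced anywhere in the visible part of is_tgs_referral; if the rest of the body (outside the hunk) does not consult it either, a commit labelled cleanup has added an unused parameter, and either its intended use should be documented or it should be dropped. The rename also leaves the function without a header comment saying what makes a TGS request a referral, which the old name did not promise but the new one does. The body continues past the hunk.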
@@ -267,7 +267,8 @@ krb5_db_entry *krbtgt); krb5_boolean -is_referral_entry(krb5_context context, +is_tgs_referral(krb5_context context, + krb5_kdc_req *request, krb5_db_entry *server); #define isflagset(flagfield, flag) (flagfield & (flag)) From lhoward at MIT.EDU Thu Dec 18 08:35:58 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 18 Dec 2008 08:35:58 -0500 (EST) Subject: svn rev #21537: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812181335.IAA22001@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21537 Commit By: lhoward Log Message: Clear GSS_IOV_BUFFER_FLAG_ALLOCATED after releasing Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-18 07:51:21 UTC (rev 21536) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-18 13:35:57 UTC (rev 21537) @@ -579,8 +579,10 @@ tiov, i, toktype, toktype2); if (major_status == GSS_S_COMPLETE) *data = *tdata; - else if (tdata->type & GSS_IOV_BUFFER_FLAG_ALLOCATED) + else if (tdata->type & GSS_IOV_BUFFER_FLAG_ALLOCATED) { gss_release_buffer(NULL, &tdata->buffer); + tdata->type &= ~(GSS_IOV_BUFFER_FLAG_ALLOCATED); + } cleanup: if (tiov != NULL) Modified: branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-18 07:51:21 UTC (rev 21536) +++ branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-18 13:35:57 UTC (rev 21537) 
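Review bot: `gss_release_buffer(NULL, &tdata->buffer)` passes NULL for the minor_status output that the GSS-API contract has the callee write, while the util_crypt.c change in the same commit (the next file section) passes `&minor`; unless this mechglue's gss_release_buffer is known to tolerate NULL, pass a scratch `OM_uint32 tmp` here as well. Clearing the ALLOCATED bit after the release is the right fix and matches the util_crypt.c hunk. The enclosing function begins outside the hunk.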
@@ -750,8 +750,10 @@ data->buffer.length -= relative_padlength; - if (padding->type & GSS_IOV_BUFFER_FLAG_ALLOCATED) + if (padding->type & GSS_IOV_BUFFER_FLAG_ALLOCATED) { gss_release_buffer(&minor, &padding->buffer); + padding->type &= ~(GSS_IOV_BUFFER_FLAG_ALLOCATED); + } padding->buffer.length = 0; padding->buffer.value = NULL; From lhoward at MIT.EDU Thu Dec 18 09:22:27 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 18 Dec 2008 09:22:27 -0500 (EST) Subject: svn rev #21538: branches/mskrb-integ/src/lib/ crypto/ gssapi/krb5/ Message-ID: <200812181422.JAA22971@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21538 Commit By: lhoward Log Message: Fix GSS 3DES IOV Changed Files: U branches/mskrb-integ/src/lib/crypto/etypes.c U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/util_cksum.c U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c Modified: branches/mskrb-integ/src/lib/crypto/etypes.c =================================================================== --- branches/mskrb-integ/src/lib/crypto/etypes.c 2008-12-18 13:35:57 UTC (rev 21537) +++ branches/mskrb-integ/src/lib/crypto/etypes.c 2008-12-18 14:22:21 UTC (rev 21538) @@ -95,7 +95,7 @@ krb5int_dk_string_to_key, NULL, /*PRF*/ 0, - NULL /*AEAD*/ }, + &krb5int_aead_raw }, { ENCTYPE_DES3_CBC_SHA1, "des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1", Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2008-12-18 13:35:57 UTC (rev 21537) +++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2008-12-18 14:22:21 UTC (rev 21538) 
@@ -392,12 +392,13 @@ krb5_error_code kg_make_checksum_iov_v1(krb5_context context, krb5_cksumtype type, - int conf_req_flag, + size_t token_cksum_len, krb5_keyblock *seq, krb5_keyblock *enc, /* for conf len */ krb5_keyusage sign_usage, gss_iov_buffer_desc *iov, int iov_count, + int toktype, krb5_checksum *checksum); krb5_error_code kg_make_checksum_iov_v3(krb5_context context, Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c 2008-12-18 13:35:57 UTC (rev 21537) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c 2008-12-18 14:22:21 UTC (rev 21538) @@ -184,8 +184,9 @@ /* compute the checksum */ code = kg_make_checksum_iov_v1(context, md5cksum.checksum_type, - (k5_headerlen != 0), ctx->seq, ctx->enc, - sign_usage, iov, iov_count, &md5cksum); + ctx->cksum_size, ctx->seq, ctx->enc, + sign_usage, iov, iov_count, toktype, + &md5cksum); if (code != 0) goto cleanup; Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-18 13:35:57 UTC (rev 21537) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-18 14:22:21 UTC (rev 21538) @@ -221,8 +221,9 @@ /* compute the checksum of the message */ code = kg_make_checksum_iov_v1(context, md5cksum.checksum_type, - conflen != 0, ctx->seq, ctx->enc, - sign_usage, iov, iov_count, &md5cksum); + cksum_len, ctx->seq, ctx->enc, + sign_usage, iov, iov_count, toktype, + &md5cksum); if (code != 0) { retval = GSS_S_FAILURE; goto cleanup; 
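Review bot: The prototype names the new parameter `token_cksum_len` while the definition in util_cksum.c (a later section of this commit) names it `cksum_len`; the two call sites feed it `ctx->cksum_size` and a local `cksum_len`, so use one name in both declaration and definition. The `/* for conf len */` remark on `enc` is now true only for KG_TOK_WRAP_MSG, since util_cksum.c computes the confounder size only for that token type after this change; `/* confounder size, wrap tokens only */` would say so.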
@@ -240,7 +241,7 @@ goto cleanup; } - cksum.length = signalg == 0 ? 8 : 16; + cksum.length = cksum_len; cksum.contents = md5cksum.contents + 16 - cksum.length; code = memcmp(cksum.contents, ptr + 14, cksum.length); Modified: branches/mskrb-integ/src/lib/gssapi/krb5/util_cksum.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/util_cksum.c 2008-12-18 13:35:57 UTC (rev 21537) +++ branches/mskrb-integ/src/lib/gssapi/krb5/util_cksum.c 2008-12-18 14:22:21 UTC (rev 21538) @@ -111,12 +111,13 @@ krb5_error_code kg_make_checksum_iov_v1(krb5_context context, krb5_cksumtype type, - int conf_req_flag, + size_t cksum_len, krb5_keyblock *seq, krb5_keyblock *enc, krb5_keyusage sign_usage, gss_iov_buffer_desc *iov, int iov_count, + int toktype, krb5_checksum *checksum) { krb5_error_code code; @@ -124,7 +125,7 @@ krb5_crypto_iov *kiov; size_t kiov_count; int i = 0, j; - size_t conf_len; + size_t conf_len = 0, token_header_len; header = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER); assert(header != NULL); @@ -135,7 +136,8 @@ return ENOMEM; /* Checksum over ( Header | Confounder | Data | Pad ) */ - conf_len = conf_req_flag ? kg_confounder_size(context, (krb5_keyblock *)enc) : 0; + if (toktype == KG_TOK_WRAP_MSG) + conf_len = kg_confounder_size(context, (krb5_keyblock *)enc); /* Checksum output */ kiov[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM; 
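Review bot: `cksum.contents = md5cksum.contents + 16 - cksum.length` relies on `cksum.length` never exceeding 16, which the removed `signalg == 0 ? 8 : 16` guaranteed; `cksum_len` is computed outside this hunk, and if it is derived from the token rather than from ctx->cksum_size any value above 16 puts the pointer before the buffer, so bound it before this line via the existing `retval = GSS_S_FAILURE; goto cleanup;` path. The `memcmp` on the following line is an ordinary comparison whose running time depends on the first differing byte; checksum verification is normally done with a constant-time compare. The enclosing function begins outside the hunk.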
@@ -147,15 +149,17 @@ } i++; + /* Header | SND_SEQ | SGN_CKSUM | Confounder */ + token_header_len = 16 + cksum_len + conf_len; + /* Header (calculate from end because of variable length ASN.1 header) */ kiov[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY; kiov[i].data.length = 8; - kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - conf_len - - 24; /* Header | SND_SEQ | SGN_CKSUM */ + kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - token_header_len; i++; /* Confounder */ - if (conf_req_flag) { + if (toktype == KG_TOK_WRAP_MSG) { kiov[i].flags = KRB5_CRYPTO_TYPE_DATA; kiov[i].data.length = conf_len; kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - conf_len; Modified: branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-18 13:35:57 UTC (rev 21537) +++ branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-18 14:22:21 UTC (rev 21538) @@ -254,17 +254,17 @@ int i = 0, j; size_t kiov_count; krb5_crypto_iov *kiov; - size_t confsize; + size_t conf_len; *pkiov = NULL; *pkiov_count = 0; - confsize = kg_confounder_size(context, (krb5_keyblock *)key); + conf_len = kg_confounder_size(context, (krb5_keyblock *)key); header = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER); assert(header != NULL); - if (header->buffer.length < confsize) + if (header->buffer.length < conf_len) return KRB5_BAD_MSIZE; trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER); 
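Review bot: `header->buffer.value + header->buffer.length - token_header_len` is computed without checking that the header holds at least `token_header_len` bytes; the only guard visible on the header is `assert(header != NULL)`, so a short header yields a pointer before the buffer that is then signed over. Add `if (header->buffer.length < token_header_len)` returning KRB5_BAD_MSIZE (the code util_crypt.c uses for the same condition) after releasing `kiov`, which is already allocated at that point. The confounder pointer a few lines down subtracts `conf_len`, which is at most `token_header_len`, so the same check covers it. kg_make_checksum_iov_v1's body continues past the hunk.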
@@ -283,8 +283,8 @@ /* For pre-CFX, the confounder is at the end of the GSS header */ kiov[i].flags = KRB5_CRYPTO_TYPE_DATA; - kiov[i].data.length = confsize; - kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - confsize; + kiov[i].data.length = conf_len; + kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - conf_len; i++; for (j = 0; j < iov_count; j++) { From lhoward at MIT.EDU Thu Dec 18 09:34:01 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 18 Dec 2008 09:34:01 -0500 (EST) Subject: svn rev #21539: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812181434.JAA23204@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21539 Commit By: lhoward Log Message: Relax requirement padding buffer be present; if the caller knows CFX will be used, it's safe to omit. Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-18 14:22:21 UTC (rev 21538) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-18 14:33:58 UTC (rev 21539) @@ -344,11 +344,6 @@ } padding = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING); - if (padding == NULL && (ctx->gss_flags & GSS_C_DCE_STYLE) == 0) { - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER); ptr = (unsigned char *)header->buffer.value; From lhoward at MIT.EDU Thu Dec 18 09:35:44 2008 
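Review bot: With the guard removed, `padding` may now be NULL on the non-DCE path, yet the IOV array is still handed to kg_fixup_padding_iov, which in util_crypt.c locates the padding IOV and dereferences it (`p = (unsigned char *)padding->buffer.value`); unless the lines of that function not shown on this page already reject a missing padding IOV, either it must return an error for NULL or this call site must skip the fixup when `padding == NULL`. A comment stating the relaxed contract would help too: `/* padding may be absent when the caller knows the token is CFX */`. The enclosing function begins outside the hunk.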
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 18 Dec 2008 09:35:44 -0500 (EST) Subject: svn rev #21540: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812181435.JAA23309@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21540 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-18 14:33:58 UTC (rev 21539) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-18 14:35:43 UTC (rev 21540) @@ -555,8 +555,8 @@ } /* setup data */ - tdata->buffer.length = stream->buffer.length - theader->buffer.length - - tpadding->buffer.length - ttrailer->buffer.length; + tdata->buffer.length = stream->buffer.length - ttrailer->buffer.length - + tpadding->buffer.length - theader->buffer.length; assert(data != NULL); From lhoward at MIT.EDU Thu Dec 18 09:36:40 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 18 Dec 2008 09:36:40 -0500 (EST) Subject: svn rev #21541: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812181436.JAA23393@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21541 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-18 14:35:43 UTC (rev 21540) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-18 14:36:40 UTC (rev 21541) 
@@ -576,7 +576,9 @@ if (major_status == GSS_S_COMPLETE) *data = *tdata; else if (tdata->type & GSS_IOV_BUFFER_FLAG_ALLOCATED) { - gss_release_buffer(NULL, &tdata->buffer); + OM_uint32 tmp; + + gss_release_buffer(&tmp, &tdata->buffer); tdata->type &= ~(GSS_IOV_BUFFER_FLAG_ALLOCATED); } From tsitkova at MIT.EDU Thu Dec 18 11:09:12 2008 From: tsitkova at MIT.EDU (tsitkova@MIT.EDU) Date: Thu, 18 Dec 2008 11:09:12 -0500 (EST) Subject: svn rev #21542: trunk/src/lib/krb5/ccache/ Message-ID: <200812181609.LAA24800@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21542 Commit By: tsitkova Log Message: Ticket: 6285 Mem leak fix Changed Files: U trunk/src/lib/krb5/ccache/ccdefault.c Modified: trunk/src/lib/krb5/ccache/ccdefault.c =================================================================== --- trunk/src/lib/krb5/ccache/ccdefault.c 2008-12-18 14:36:40 UTC (rev 21541) +++ trunk/src/lib/krb5/ccache/ccdefault.c 2008-12-18 16:09:10 UTC (rev 21542) @@ -112,7 +112,8 @@ if (!err) { krb5_cc_set_default_name (context, name); } - + + kim_identity_free (&identity); kim_string_free (&name); kim_ccache_free (&kimccache); } From tsitkova at MIT.EDU Thu Dec 18 11:21:12 2008 From: tsitkova at MIT.EDU (tsitkova@MIT.EDU) Date: Thu, 18 Dec 2008 11:21:12 -0500 (EST) Subject: svn rev #21543: trunk/src/kim/agent/mac/ Message-ID: <200812181621.LAA25020@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21543 Commit By: tsitkova Log Message: Ticket: 6290 KIM: window settings Changed Files: U trunk/src/kim/agent/mac/AuthenticationController.m U trunk/src/kim/agent/mac/SelectIdentityController.m Modified: trunk/src/kim/agent/mac/AuthenticationController.m =================================================================== --- trunk/src/kim/agent/mac/AuthenticationController.m 2008-12-18 16:09:10 UTC (rev 21542) +++ trunk/src/kim/agent/mac/AuthenticationController.m 2008-12-18 16:21:10 UTC (rev 21543) 
@@ -75,8 +75,8 @@ { [[self window] center]; // We need to float over the loginwindow and SecurityAgent so use its hardcoded level. - [[self window] setLevel:NSScreenSaverWindowLevel]; - + [[self window] setLevel:NSModalPanelWindowLevel]; + visibleAsSheet = NO; lifetimeFormatter.displaySeconds = NO; Modified: trunk/src/kim/agent/mac/SelectIdentityController.m =================================================================== --- trunk/src/kim/agent/mac/SelectIdentityController.m 2008-12-18 16:09:10 UTC (rev 21542) +++ trunk/src/kim/agent/mac/SelectIdentityController.m 2008-12-18 16:21:10 UTC (rev 21543) @@ -55,7 +55,7 @@ NSString *message = nil; [[self window] center]; - [[self window] setLevel:NSScreenSaverWindowLevel]; + [[self window] setLevel:NSModalPanelWindowLevel]; longTimeFormatter.displaySeconds = NO; longTimeFormatter.displayShortFormat = NO; From ghudson at MIT.EDU Thu Dec 18 13:31:20 2008 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 18 Dec 2008 13:31:20 -0500 (EST) Subject: svn rev #21544: trunk/src/ config/ include/ kadmin/dbutil/ lib/ lib/crypto/ ... Message-ID: <200812181831.NAA27055@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21544 Commit By: ghudson Log Message: ticket: 6303 Remove krb524, lib/des425, lib/krb4, and include/kerberosIV. Remove krb4 build system references and conditionals. Move des425 header stuff referenced by des_int.h into des_int.h. Remove krb4 test cases. Changed Files: U trunk/src/Makefile.in U trunk/src/aclocal.m4 U trunk/src/config/pre.in U trunk/src/configure.in U trunk/src/include/Makefile.in D trunk/src/include/kerberosIV/ U trunk/src/kadmin/dbutil/Makefile.in U trunk/src/krb5-config.M U trunk/src/krb5-config.in D trunk/src/krb524/ U trunk/src/lib/Makefile.in U trunk/src/lib/crypto/Makefile.in U trunk/src/lib/crypto/des/Makefile.in U trunk/src/lib/crypto/des/des_int.h U trunk/src/lib/crypto/enc_provider/Makefile.in U trunk/src/lib/crypto/keyhash_provider/Makefile.in U trunk/src/lib/crypto/old/Makefile.in D trunk/src/lib/des425/ D trunk/src/lib/krb4/ U trunk/src/lib/krb5/krb/t_kerb.c U trunk/src/tests/dejagnu/Makefile.in U trunk/src/tests/dejagnu/config/default.exp U trunk/src/tests/dejagnu/krb-root/telnet.exp U trunk/src/tests/dejagnu/krb-standalone/standalone.exp D trunk/src/tests/dejagnu/krb-standalone/v4gssftp.exp D trunk/src/tests/dejagnu/krb-standalone/v4krb524d.exp D trunk/src/tests/dejagnu/krb-standalone/v4standalone.exp U trunk/src/util/depfix.pl U trunk/src/util/ss/Makefile.in Modified: trunk/src/Makefile.in =================================================================== --- trunk/src/Makefile.in 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/Makefile.in 2008-12-18 18:31:16 UTC (rev 21544) 
@@ -9,7 +9,7 @@ # plugins/preauth/wpse # plugins/preauth/cksum_body # plugins/authdata/greet -SUBDIRS=util include lib @krb524@ kdc kadmin @ldap_plugin_dir@ slave clients \ +SUBDIRS=util include lib kdc kadmin @ldap_plugin_dir@ slave clients \ plugins/kdb/db2 \ plugins/preauth/pkinit \ appl tests \ @@ -195,7 +195,6 @@ clients\kpasswd\Makefile clients\kvno\Makefile \ clients\kcpytkt\Makefile clients\kdeltkt\Makefile \ include\Makefile \ - krb524\Makefile \ lib\Makefile lib\crypto\Makefile \ lib\crypto\crc32\Makefile lib\crypto\des\Makefile \ lib\crypto\dk\Makefile lib\crypto\enc_provider\Makefile \ @@ -205,11 +204,10 @@ lib\crypto\sha1\Makefile lib\crypto\arcfour\Makefile \ lib\crypto\md4\Makefile lib\crypto\md5\Makefile \ lib\crypto\yarrow\Makefile lib\crypto\aes\Makefile \ - lib\des425\Makefile \ lib\gssapi\Makefile lib\gssapi\generic\Makefile \ lib\gssapi\krb5\Makefile lib\gssapi\mechglue\Makefile \ lib\gssapi\spnego\Makefile \ - lib\krb4\Makefile lib\krb5\Makefile \ + lib\krb5\Makefile \ lib\krb5\asn.1\Makefile lib\krb5\ccache\Makefile \ lib\krb5\ccache\ccapi\Makefile \ lib\krb5\error_tables\Makefile \ @@ -260,8 +258,6 @@ ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##include\Makefile: include\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ -##DOS##krb524\Makefile: krb524\Makefile.in $(MKFDEP) -##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\Makefile: lib\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\crypto\Makefile: lib\crypto\Makefile.in $(MKFDEP) @@ -294,8 +290,6 @@ ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\crypto\raw\Makefile: lib\crypto\raw\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ -##DOS##lib\des425\Makefile: lib\des425\Makefile.in $(MKFDEP) -##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\gssapi\Makefile: lib\gssapi\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\gssapi\generic\Makefile: lib\gssapi\generic\Makefile.in $(MKFDEP) 
@@ -306,8 +300,6 @@ ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\gssapi\krb5\Makefile: lib\gssapi\krb5\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ -##DOS##lib\krb4\Makefile: lib\krb4\Makefile.in $(MKFDEP) -##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\krb5\Makefile: lib\krb5\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\krb5\asn.1\Makefile: lib\krb5\asn.1\Makefile.in $(MKFDEP) @@ -395,14 +387,14 @@ clients/* clients/kdestroy/* clients/kinit/* clients/klist/* \ clients/kpasswd/* clients/kcpytkt/* clients/kdeltkt/* \ config/* include/* include/kerberosIV/* \ - include/krb5/* include/krb5/stock/* include/sys/* krb524/* lib/* \ + include/krb5/* include/krb5/stock/* include/sys/* lib/* \ lib/crypto/* lib/crypto/crc32/* lib/crypto/des/* lib/crypto/dk/* \ lib/crypto/enc_provider/* lib/crypto/hash_provider/* \ lib/crypto/keyhash_provider/* lib/crypto/old/* lib/crypto/raw/* \ lib/crypto/sha1/* lib/crypto/arcfour/* lib/crypto/md4/* \ lib/crypto/md5/* lib/crypto/yarrow/* \ - lib/des425/* lib/gssapi/* lib/gssapi/generic/* lib/gssapi/krb5/* \ - lib/gssapi/mechglue/* lib/gssapi/spnego/* lib/krb4/* \ + lib/gssapi/* lib/gssapi/generic/* lib/gssapi/krb5/* \ + lib/gssapi/mechglue/* lib/gssapi/spnego/* \ lib/krb5/* lib/krb5/asn.1/* lib/krb5/krb/* \ lib/krb5/ccache/* lib/krb5/ccache/ccapi/* \ lib/krb5/error_tables/* \ @@ -442,12 +434,9 @@ $(INC)krb5_err.h $(ET)krb5_err.c \ $(INC)kv5m_err.h $(ET)kv5m_err.c \ $(INC)krb524_err.h $(ET)krb524_err.c \ - $(INC)/kerberosIV/kadm_err.h lib/krb4/kadm_err.c \ - $(INC)/kerberosIV/krb_err.h lib/krb4/krb_err.c \ $(PR)prof_err.h $(PR)prof_err.c \ $(GG)gssapi_err_generic.h $(GG)gssapi_err_generic.c \ - $(GK)gssapi_err_krb5.h $(GK)gssapi_err_krb5.c \ - lib/krb4/krb_err_txt.c + $(GK)gssapi_err_krb5.h $(GK)gssapi_err_krb5.c HOUT = $(INC)krb5\krb5.h $(GG)gssapi.h $(PR)profile.h 
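Review bot: In the `@@ -395,14 +387,14 @@` hunk the context line `config/* include/* include/kerberosIV/* \` still lists `include/kerberosIV/*`, yet the commit's file list deletes `trunk/src/include/kerberosIV/` outright, so this clean/distribution glob now names a directory that no longer exists in the tree. The neighbouring hunks remove every other krb4 path (`krb524/*`, `lib/des425/*`, `lib/krb4/*`), so this one looks like an oversight rather than intent; the line should become `config/* include/* \`. Whether the glob is merely dead or breaks a tool that expects every pattern to match depends on how the list is consumed, which is outside this hunk.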
@@ -502,10 +491,6 @@ $(AWK) -f $(AH) outfile=$@ $(ET)kv5m_err.et $(INC)krb524_err.h: $(AH) $(ET)krb524_err.et $(AWK) -f $(AH) outfile=$@ $(ET)krb524_err.et -$(INC)/kerberosIV/kadm_err.h: $(AH) lib/krb4/kadm_err.et - $(AWK) -f $(AH) outfile=$@ lib/krb4/kadm_err.et -$(INC)/kerberosIV/krb_err.h: $(AH) lib/krb4/krb_err.et - $(AWK) -f $(AH) outfile=$@ lib/krb4/krb_err.et $(PR)prof_err.h: $(AH) $(PR)prof_err.et $(AWK) -f $(AH) outfile=$@ $(PR)prof_err.et $(GG)gssapi_err_generic.h: $(AH) $(GG)gssapi_err_generic.et @@ -527,10 +512,6 @@ $(AWK) -f $(AC) outfile=$@ $(ET)kv5m_err.et $(ET)krb524_err.c: $(AC) $(ET)krb524_err.et $(AWK) -f $(AC) outfile=$@ $(ET)krb524_err.et -lib/krb4/kadm_err.c: $(AC) lib/krb4/kadm_err.et - $(AWK) -f $(AC) outfile=$@ lib/krb4/kadm_err.et -lib/krb4/krb_err.c: $(AC) lib/krb4/krb_err.et - $(AWK) -f $(AC) outfile=$@ lib/krb4/krb_err.et $(PR)prof_err.c: $(AC) $(PR)prof_err.et $(AWK) -f $(AC) outfile=$@ $(PR)prof_err.et $(GG)gssapi_err_generic.c: $(AC) $(GG)gssapi_err_generic.et @@ -542,10 +523,6 @@ $(CE)test2.c: $(AC) $(CE)test2.et $(AWK) -f $(AC) outfile=$@ $(CE)test2.et -lib/krb4/krb_err_txt.c: lib/krb4/krb_err.et - $(AWK) -f lib/krb4/et_errtxt.awk outfile=$@ \ - lib/krb4/krb_err.et - KRBHDEP = $(INC)krb5\krb5.hin $(INC)krb5_err.h $(INC)kdb5_err.h \ $(INC)kv5m_err.h $(INC)krb524_err.h $(INC)asn1_err.h 
@@ -616,8 +593,6 @@ $(CP) clients\kcpytkt\$(OUTPRE)kcpytkt.exe "$(KRB_INSTALL_DIR)\bin\." $(CP) clients\kdeltkt\$(OUTPRE)kdeltkt.exe "$(KRB_INSTALL_DIR)\bin\." $(CP) clients\kpasswd\$(OUTPRE)kpasswd.exe "$(KRB_INSTALL_DIR)\bin\." - @if exist "$(KRB_INSTALL_DIR)\bin\krb4_32.dll" del "$(KRB_INSTALL_DIR)\bin\krb4_32.dll" - @if exist "$(KRB_INSTALL_DIR)\lib\krb4_32.lib" del "$(KRB_INSTALL_DIR)\lib\krb4_32.lib" install-unix:: $(INSTALL_SCRIPT) krb5-config \ Modified: trunk/src/aclocal.m4 =================================================================== --- trunk/src/aclocal.m4 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/aclocal.m4 2008-12-18 18:31:16 UTC (rev 21544) @@ -74,7 +74,6 @@ if test -z "$LD" ; then LD=$CC; fi AC_ARG_VAR(LD,[linker command [CC]]) AC_SUBST(LDFLAGS) dnl -WITH_KRB4 dnl KRB5_AC_CHOOSE_ET dnl KRB5_AC_CHOOSE_SS dnl KRB5_AC_CHOOSE_DB dnl 
@@ -502,61 +501,6 @@ AC_DEFINE_UNQUOTED($ac_tr_file) $2], $3)dnl done ]) -dnl -dnl set $(KRB4) from --with-krb4=value -- WITH_KRB4 -dnl -AC_DEFUN(WITH_KRB4,[ -AC_ARG_WITH([krb4], -[ --without-krb4 omit Kerberos V4 backwards compatibility (default) - --with-krb4 use V4 libraries included with V5 - --with-krb4=KRB4DIR use preinstalled V4 libraries], -, -withval=no -)dnl -if test $withval = no; then - AC_MSG_NOTICE(no krb4 support) - KRB4_LIB= - KRB4_DEPLIB= - KRB4_INCLUDES= - KRB4_LIBPATH= - KRB_ERR_H_DEP= - krb5_cv_build_krb4_libs=no - krb5_cv_krb4_libdir= -else - AC_DEFINE([KRB5_KRB4_COMPAT], 1, [Define this if building with krb4 compat]) - if test $withval = yes; then - AC_MSG_NOTICE(enabling built in krb4 support) - KRB4_DEPLIB='$(TOPLIBD)/libkrb4$(DEPLIBEXT)' - KRB4_LIB=-lkrb4 - KRB4_INCLUDES='-I$(SRCTOP)/include/kerberosIV -I$(BUILDTOP)/include/kerberosIV' - KRB4_LIBPATH= - KRB_ERR_H_DEP='$(BUILDTOP)/include/kerberosIV/krb_err.h' - krb5_cv_build_krb4_libs=yes - krb5_cv_krb4_libdir= - else - AC_MSG_NOTICE(using preinstalled krb4 in $withval) - KRB4_LIB="-lkrb" -dnl DEPKRB4_LIB="$withval/lib/libkrb.a" - KRB4_INCLUDES="-I$withval/include" - KRB4_LIBPATH="-L$withval/lib" - KRB_ERR_H_DEP= - krb5_cv_build_krb4_libs=no - krb5_cv_krb4_libdir="$withval/lib" - fi -fi -AC_SUBST(KRB4_INCLUDES) -AC_SUBST(KRB4_LIBPATH) -AC_SUBST(KRB4_LIB) -AC_SUBST(KRB4_DEPLIB) -AC_SUBST(KRB_ERR_H_DEP) -dnl We always compile the des425 library -DES425_DEPLIB='$(TOPLIBD)/libdes425$(DEPLIBEXT)' -DES425_LIB=-ldes425 -AC_SUBST(DES425_DEPLIB) -AC_SUBST(DES425_LIB) -])dnl -dnl -dnl AC_DEFUN(KRB5_AC_CHECK_FOR_CFLAGS,[ AC_BEFORE([$0],[AC_PROG_CC]) AC_BEFORE([$0],[AC_PROG_CXX]) Modified: trunk/src/config/pre.in =================================================================== --- trunk/src/config/pre.in 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/config/pre.in 2008-12-18 18:31:16 UTC (rev 21544) 
@@ -327,8 +327,6 @@ KDB5_DEPLIB = $(TOPLIBD)/libkdb5$(DEPLIBEXT) GSSRPC_DEPLIB = $(TOPLIBD)/libgssrpc$(DEPLIBEXT) GSS_DEPLIB = $(TOPLIBD)/libgssapi_krb5$(DEPLIBEXT) -KRB4_DEPLIB = @KRB4_DEPLIB@ # $(TOPLIBD)/libkrb4$(DEPLIBEXT) -DES425_DEPLIB = @DES425_DEPLIB@ # $(TOPLIBD)/libdes425$(DEPLIBEXT) KRB5_DEPLIB = $(TOPLIBD)/libkrb5$(DEPLIBEXT) CRYPTO_DEPLIB = $(TOPLIBD)/libk5crypto$(DEPLIBEXT) COM_ERR_DEPLIB = $(COM_ERR_DEPLIB- at COM_ERR_VERSION@) @@ -346,7 +344,6 @@ APPUTILS_DEPLIB = $(TOPLIBD)/libapputils.a KRB5_BASE_DEPLIBS = $(KRB5_DEPLIB) $(CRYPTO_DEPLIB) $(COM_ERR_DEPLIB) $(SUPPORT_DEPLIB) -KRB4COMPAT_DEPLIBS = $(KRB4_DEPLIB) $(DES425_DEPLIB) $(KRB5_BASE_DEPLIBS) KDB5_DEPLIBS = $(KDB5_DEPLIB) GSS_DEPLIBS = $(GSS_DEPLIB) GSSRPC_DEPLIBS = $(GSSRPC_DEPLIB) $(GSS_DEPLIBS) @@ -367,11 +364,6 @@ SS_DEPS-sys = SS_DEPS-k5 = $(BUILDTOP)/include/ss/ss.h $(BUILDTOP)/include/ss/ss_err.h -# Header file dependencies that might depend on whether krb4 support -# is compiled. - -KRB_ERR_H_DEP = @KRB_ERR_H_DEP@ - # LIBS gets substituted in... e.g. -lnsl -lsocket # GEN_LIB is -lgen if needed for regexp @@ -390,19 +382,10 @@ GSS_KRB5_LIB = -lgssapi_krb5 SUPPORT_LIB = -l$(SUPPORT_LIBNAME) -# KRB4_LIB is -lkrb4 if building --with-krb4 -# needs fixing if ever used on Mac OS X! -KRB4_LIB = @KRB4_LIB@ - -# DES425_LIB is -ldes425 if building --with-krb4 -# needs fixing if ever used on Mac OS X! -DES425_LIB = @DES425_LIB@ - # HESIOD_LIBS is -lhesiod... HESIOD_LIBS = @HESIOD_LIBS@ KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB) -KRB4COMPAT_LIBS = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS) KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on Mac OS X! 
@@ -423,11 +406,6 @@ APPUTILS_LIB = -lapputils # -# some more stuff for --with-krb4 -KRB4_LIBPATH = @KRB4_LIBPATH@ -KRB4_INCLUDES = @KRB4_INCLUDES@ - -# # variables for --with-tcl= TCL_LIBS = @TCL_LIBS@ TCL_LIBPATH = @TCL_LIBPATH@ Modified: trunk/src/configure.in =================================================================== --- trunk/src/configure.in 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/configure.in 2008-12-18 18:31:16 UTC (rev 21544) @@ -55,20 +55,6 @@ AC_ARG_ENABLE([athena], [ --enable-athena build with MIT Project Athena configuration],,) dnl -if test -z "$KRB4_LIB"; then -kadminv4="" -krb524="" -libkrb4="" -KRB4="" -else -kadminv4=kadmin.v4 -krb524=krb524 -libkrb4=lib/krb4 -KRB4=krb4 -fi -AC_SUBST(KRB4) -AC_SUBST(krb524) -dnl dnl Begin autoconf tests for the Makefiles generated out of the top-level dnl configure.in... dnl @@ -168,7 +154,6 @@ AC_SUBST(FAKEKA) KRB5_RUN_FLAGS dnl -dnl for krb524 AC_TYPE_SIGNAL dnl dnl from old include/configure.in @@ -586,15 +571,6 @@ [ --enable-athena build with MIT Project Athena configuration], AC_DEFINE(KRB5_ATHENA_COMPAT,1,[Define if MIT Project Athena default configuration should be used]),) -if test "$KRB4_LIB" = ''; then - AC_MSG_NOTICE(No Kerberos 4 compatibility) - maybe_kerberosIV= -else - AC_MSG_NOTICE(Kerberos 4 compatibility enabled) - maybe_kerberosIV=kerberosIV - AC_DEFINE(KRB5_KRB4_COMPAT,1,[Define if Kerberos V4 backwards compatibility should be supported]) -fi -AC_SUBST(maybe_kerberosIV) dnl AC_C_INLINE AH_TOP([ @@ -700,11 +676,6 @@ fi AC_SUBST(DO_TEST) dnl -DO_V4_TEST= -if test "$have_PERL" = perl -a "$have_RUNTEST" = runtest -a "$TCL_LIBS" != "" -a "$ath_compat" != ""; then - DO_V4_TEST=ok -fi -AC_SUBST(DO_V4_TEST) dnl The following are substituted into kadmin/testing/scripts/env-setup.sh RBUILD=`pwd` AC_SUBST(RBUILD) 
@@ -726,25 +697,6 @@ AC_CHECK_PROG(RUNTEST,runtest,runtest) AC_CHECK_PROG(PERL,perl,perl) dnl -dnl -dnl for lib/krb4 -case $krb5_cv_host in - *-apple-darwin*) - KRB_ERR_TXT= - KRB_ERR= - KRB_ERR_C=krb_err.c - ;; - *) - KRB_ERR='$(OUTPRE)krb_err.$(OBJEXT)' - KRB_ERR_TXT=krb_err_txt.c - KRB_ERR_C= - ;; -esac -AC_SUBST([KRB_ERR_TXT]) -AC_SUBST([KRB_ERR]) -AC_SUBST([KRB_ERR_C]) -dnl -dnl dnl lib/gssapi AC_CHECK_HEADER(stdint.h,[ include_stdint='awk '\''END{printf("%cinclude \n", 35);}'\'' < /dev/null'], @@ -970,13 +922,6 @@ HAVE_RUNTEST=no fi AC_SUBST(HAVE_RUNTEST) -if test "$KRB4_LIB" = ''; then - KRB4_DEJAGNU_TEST="KRBIV=0" -else - AC_MSG_RESULT(Kerberos 4 testing enabled) - KRB4_DEJAGNU_TEST="KRBIV=1" -fi -AC_SUBST(KRB4_DEJAGNU_TEST) dnl for plugins/kdb/db2 dnl @@ -1052,9 +997,6 @@ if test "$SS_VERSION" = k5 ; then K5_GEN_MAKEFILE(util/ss) fi -if test -n "$KRB4_LIB"; then - K5_GEN_MAKEFILE(lib/krb4) -fi dnl dnl ldap_plugin_dir="" @@ -1109,7 +1051,7 @@ util util/support util/profile util/send-pr - lib lib/des425 lib/kdb + lib lib/kdb lib/crypto lib/crypto/crc32 lib/crypto/des lib/crypto/dk lib/crypto/enc_provider lib/crypto/hash_provider @@ -1129,8 +1071,7 @@ lib/apputils - kdc slave krb524 config-files gen-manpages include - include/kerberosIV + kdc slave config-files gen-manpages include plugins/locate/python plugins/kdb/db2 Modified: trunk/src/include/Makefile.in =================================================================== --- trunk/src/include/Makefile.in 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/include/Makefile.in 2008-12-18 18:31:16 UTC (rev 21544) 
@@ -1,7 +1,6 @@ thisconfigdir=.. myfulldir=include mydir=include -SUBDIRS=@maybe_kerberosIV@ BUILDTOP=$(REL).. KRB5RCTMPDIR= @KRB5_RCTMPDIR@ ##DOSBUILDTOP = .. Modified: trunk/src/kadmin/dbutil/Makefile.in =================================================================== --- trunk/src/kadmin/dbutil/Makefile.in 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/kadmin/dbutil/Makefile.in 2008-12-18 18:31:16 UTC (rev 21544) @@ -2,10 +2,9 @@ myfulldir=kadmin/dbutil mydir=kadmin/dbutil BUILDTOP=$(REL)..$(S).. -DEFINES = -DKDB4_DISABLE DEFS= -LOCALINCLUDES = -I. @KRB4_INCLUDES@ -PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH) +LOCALINCLUDES = -I. +PROG_LIBPATH=-L$(TOPLIBD) $(KRB5_LIBPATH) PROG_RPATH=$(KRB5_LIBDIR) KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS) @@ -17,8 +16,8 @@ all:: $(PROG) -$(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB4COMPAT_DEPLIBS) - $(CC_LINK) -o $(PROG) $(OBJS) $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB4COMPAT_LIBS) +$(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $(PROG) $(OBJS) $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB5_BASE_LIBS) import_err.c import_err.h: $(srcdir)/import_err.et Modified: trunk/src/krb5-config.M =================================================================== --- trunk/src/krb5-config.M 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/krb5-config.M 2008-12-18 18:31:16 UTC (rev 21544) @@ -64,7 +64,6 @@ .in +.5i krb5 Kerberos 5 application gssapi GSSAPI application with Kerberos 5 bindings -krb4 Kerberos 4 application kadm-client Kadmin client kadm-server Kadmin server kdb Application that accesses the kerberos database Modified: trunk/src/krb5-config.in =================================================================== --- trunk/src/krb5-config.in 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/krb5-config.in 2008-12-18 18:31:16 UTC (rev 21544) 
@@ -32,8 +32,6 @@ includedir=@includedir@ libdir=@libdir@ CC_LINK='@CC_LINK@' -KRB4_LIB=@KRB4_LIB@ -DES425_LIB=@DES425_LIB@ KDB5_DB_LIB=@KDB5_DB_LIB@ LDFLAGS='@LDFLAGS@' RPATH_FLAG='@RPATH_FLAG@' @@ -87,9 +85,6 @@ gssapi) library=gssapi ;; - krb4) - library=krb4 - ;; kadm-client) library=kadm_client ;; @@ -126,7 +121,6 @@ echo "Libraries:" echo " krb5 Kerberos 5 application" echo " gssapi GSSAPI application with Kerberos 5 bindings" - echo " krb4 Kerberos 4 application" echo " kadm-client Kadmin client" echo " kadm-server Kadmin server" echo " kdb Application that accesses the kerberos database" @@ -219,11 +213,6 @@ library=krb5 fi - if test $library = 'krb4'; then - lib_flags="$lib_flags $KRB4_LIB $DES425_LIB" - library=krb5 - fi - if test $library = 'krb5'; then lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB" fi Modified: trunk/src/lib/Makefile.in =================================================================== --- trunk/src/lib/Makefile.in 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/lib/Makefile.in 2008-12-18 18:31:16 UTC (rev 21544) @@ -1,15 +1,14 @@ thisconfigdir=./.. myfulldir=lib mydir=lib -SUBDIRS=crypto krb5 des425 @KRB4@ gssapi rpc kdb kadm5 apputils +SUBDIRS=crypto krb5 gssapi rpc kdb kadm5 apputils BUILDTOP=$(REL).. all-unix:: -CLEANLIBS = libkrb5.a libkdb5.a libcrypto.a libgssapi_krb5.a libdes425.a \ - libkrb425.a libkadm.a libkrb4.a libcom_err.a libpty.a \ - libss.a libgssapi.a libapputils.a \ - libkrb5.so libcrypto.so libkrb4.so libdes425.so +CLEANLIBS = libkrb5.a libkdb5.a libcrypto.a libgssapi_krb5.a libkadm.a \ + libcom_err.a libpty.a ibss.a libgssapi.a libapputils.a libkrb5.so \ + libcrypto.so clean-unix:: Modified: trunk/src/lib/crypto/Makefile.in =================================================================== --- trunk/src/lib/crypto/Makefile.in 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/lib/crypto/Makefile.in 2008-12-18 18:31:16 UTC (rev 21544) 
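Review bot: The rewritten CLEANLIBS in the `lib/Makefile.in` hunk (`@@ -1,15 +1,14 @@`) contains `ibss.a` where the removed line had `libss.a`, so the new list silently drops libss.a from what `clean-unix` removes. The other entries were carried over correctly, which makes this a typo introduced while reflowing the continuation lines; the middle line should read `libcom_err.a libpty.a libss.a libgssapi.a libapputils.a libkrb5.so \`. Nothing else in the hunk depends on it, so the fix is a one-character change.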
@@ -501,7 +501,7 @@ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - decrypt.c etypes.h + aead.h decrypt.c etypes.h decrypt_iov.so decrypt_iov.po $(OUTPRE)decrypt_iov.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -522,7 +522,7 @@ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - encrypt.c etypes.h + aead.h encrypt.c etypes.h encrypt_iov.so encrypt_iov.po $(OUTPRE)encrypt_iov.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -542,7 +542,8 @@ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h encrypt_length.c etypes.h + $(SRCTOP)/include/socket-utils.h aead.h encrypt_length.c \ + etypes.h enctype_compare.so enctype_compare.po $(OUTPRE)enctype_compare.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ Modified: trunk/src/lib/crypto/des/Makefile.in =================================================================== --- trunk/src/lib/crypto/des/Makefile.in 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/lib/crypto/des/Makefile.in 2008-12-18 18:31:16 UTC (rev 21544) 
@@ -108,32 +108,29 @@ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - afsstring2key.c des_int.h + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h afsstring2key.c des_int.h d3_cbc.so d3_cbc.po $(OUTPRE)d3_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h d3_cbc.c des_int.h \ - f_tables.h + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + d3_cbc.c des_int.h f_tables.h d3_aead.so d3_aead.po $(OUTPRE)d3_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h 
$(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/../aead.h \ - d3_aead.c des_int.h f_tables.h + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(srcdir)/../aead.h d3_aead.c des_int.h f_tables.h d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -141,32 +138,29 @@ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - d3_kysched.c des_int.h + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h d3_kysched.c des_int.h f_cbc.so f_cbc.po $(OUTPRE)f_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h des_int.h f_cbc.c \ - f_tables.h + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + des_int.h f_cbc.c f_tables.h f_cksum.so f_cksum.po $(OUTPRE)f_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h 
\ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h des_int.h f_cksum.c \ - f_tables.h + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + des_int.h f_cksum.c f_tables.h f_parity.so f_parity.po $(OUTPRE)f_parity.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -174,20 +168,19 @@ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - des_int.h f_parity.c + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h des_int.h f_parity.c f_sched.so f_sched.po $(OUTPRE)f_sched.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h des_int.h f_sched.c + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + des_int.h f_sched.c f_tables.so f_tables.po $(OUTPRE)f_tables.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -195,10 +188,10 @@ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - des_int.h f_tables.c f_tables.h + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h des_int.h f_tables.c \ + f_tables.h key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -206,10 +199,9 @@ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - des_int.h key_sched.c + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h des_int.h key_sched.c weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -217,10 +209,9 @@ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - des_int.h weak_key.c + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h des_int.h weak_key.c string2key.so string2key.po $(OUTPRE)string2key.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -228,7 +219,6 @@ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - des_int.h string2key.c + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h des_int.h string2key.c Modified: trunk/src/lib/crypto/des/des_int.h =================================================================== --- trunk/src/lib/crypto/des/des_int.h 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/lib/crypto/des/des_int.h 2008-12-18 18:31:16 UTC (rev 21544) 
@@ -64,10 +64,57 @@ #ifndef KRB5_MIT_DES__ #define KRB5_MIT_DES__ -#define KRB5INT_CRYPTO_DES_INT /* skip krb4-specific DES stuff */ -#include "kerberosIV/des.h" /* for des_key_schedule, etc. */ -#undef KRB5INT_CRYPTO_DES_INT /* don't screw other inclusions of des.h */ +#if defined(__MACH__) && defined(__APPLE__) +#include +#include +#if TARGET_RT_MAC_CFM +#error "Use KfM 4.0 SDK headers for CFM compilation." +#endif +#if defined(DEPRECATED_IN_MAC_OS_X_VERSION_10_5) && !defined(KRB5_SUPRESS_DEPRECATED_WARNINGS) +#define KRB5INT_DES_DEPRECATED DEPRECATED_IN_MAC_OS_X_VERSION_10_5 +#endif +#endif /* defined(__MACH__) && defined(__APPLE__) */ +/* Macro to add deprecated attribute to DES types and functions */ +/* Currently only defined on Mac OS X 10.5 and later. */ +#ifndef KRB5INT_DES_DEPRECATED +#define KRB5INT_DES_DEPRECATED +#endif + +#include + +#if UINT_MAX >= 0xFFFFFFFFUL +#define DES_INT32 int +#define DES_UINT32 unsigned int +#else +#define DES_INT32 long +#define DES_UINT32 unsigned long +#endif + +typedef unsigned char des_cblock[8] /* crypto-block size */ +KRB5INT_DES_DEPRECATED; + +/* + * Key schedule. + * + * This used to be + * + * typedef struct des_ks_struct { + * union { DES_INT32 pad; des_cblock _;} __; + * } des_key_schedule[16]; + * + * but it would cause trouble if DES_INT32 were ever more than 4 + * bytes. The reason is that all the encryption functions cast it to + * (DES_INT32 *), and treat it as if it were DES_INT32[32]. If + * 2*sizeof(DES_INT32) is ever more than sizeof(des_cblock), the + * caller-allocated des_key_schedule will be overflowed by the key + * scheduling functions. We can't assume that every platform will + * have an exact 32-bit int, and nothing should be looking inside a + * des_key_schedule anyway. 
+ */ +typedef struct des_ks_struct { DES_INT32 _[2]; } des_key_schedule[16] +KRB5INT_DES_DEPRECATED; + typedef des_cblock mit_des_cblock; typedef des_key_schedule mit_des_key_schedule; Modified: trunk/src/lib/crypto/enc_provider/Makefile.in =================================================================== --- trunk/src/lib/crypto/enc_provider/Makefile.in 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/lib/crypto/enc_provider/Makefile.in 2008-12-18 18:31:16 UTC (rev 21544) 
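Review bot: The block moved into des_int.h keeps the `__MACH__`/`__APPLE__` section that turns `KRB5INT_DES_DEPRECATED` into `DEPRECATED_IN_MAC_OS_X_VERSION_10_5`, but this header is now internal to lib/crypto/des and the `des_cblock`/`des_key_schedule` typedefs it marks deprecated are immediately aliased to `mit_des_cblock`/`mit_des_key_schedule` for the library's own use, so on a 10.5+ build every internal use would presumably warn unless `KRB5_SUPRESS_DEPRECATED_WARNINGS` is defined somewhere in the build (not visible here). Since the public kerberosIV/des.h that needed the attribute is gone, the Apple conditional, the `#error` on CFM and the macro itself can be dropped and the two typedefs written without the trailing `KRB5INT_DES_DEPRECATED`. Separately, `#if UINT_MAX >= 0xFFFFFFFFUL` selects `int` whenever it is at least 32 bits, not exactly 32, while the long comment below explains why DES_INT32 must not exceed 4 bytes; a one-line comment such as `/* DES_INT32 must be exactly 32 bits; see the des_ks_struct note below. */` above the `#if` would make that requirement explicit where the choice is made. The two `#include` directives in this hunk appear without their header names in this rendering, so the names could not be checked.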
@@ -51,22 +51,20 @@
 $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
 $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
 $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../des/des_int.h \
- des.c enc_provider.h
+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(srcdir)/../des/des_int.h des.c enc_provider.h
 des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
 $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
 $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
 $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
 $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
 $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../aead.h \
- $(srcdir)/../des/des_int.h des3.c
+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(srcdir)/../aead.h $(srcdir)/../des/des_int.h des3.c
 aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
 $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
 $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
Modified: trunk/src/lib/crypto/keyhash_provider/Makefile.in
===================================================================
--- trunk/src/lib/crypto/keyhash_provider/Makefile.in 2008-12-18 16:21:10 UTC (rev 21543)
+++ trunk/src/lib/crypto/keyhash_provider/Makefile.in 2008-12-18 18:31:16 UTC (rev 21544)
@@ -65,11 +65,10 @@
 $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
 $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
 $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../des/des_int.h \
- descbc.c keyhash_provider.h
+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(srcdir)/../des/des_int.h descbc.c keyhash_provider.h
 k5_md4des.so k5_md4des.po $(OUTPRE)k5_md4des.$(OBJEXT): \
 $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
 $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -77,11 +76,10 @@
 $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
 $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
 $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../des/des_int.h $(srcdir)/../md4/rsa-md4.h \
- k5_md4des.c keyhash_provider.h
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../des/des_int.h \
+ $(srcdir)/../md4/rsa-md4.h k5_md4des.c keyhash_provider.h
 k5_md5des.so k5_md5des.po $(OUTPRE)k5_md5des.$(OBJEXT): \
 $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
 $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -89,11 +87,10 @@
 $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
 $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
 $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../des/des_int.h $(srcdir)/../md5/rsa-md5.h \
- k5_md5des.c keyhash_provider.h
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../des/des_int.h \
+ $(srcdir)/../md5/rsa-md5.h k5_md5des.c keyhash_provider.h
 hmac_md5.so hmac_md5.po $(OUTPRE)hmac_md5.$(OBJEXT): \
 $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
 $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
Modified: trunk/src/lib/crypto/old/Makefile.in
===================================================================
--- trunk/src/lib/crypto/old/Makefile.in 2008-12-18 16:21:10 UTC (rev 21543)
+++ trunk/src/lib/crypto/old/Makefile.in 2008-12-18 18:31:16 UTC (rev 21544)
@@ -45,10 +45,10 @@ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../des/des_int.h des_stringtokey.c old.h + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(srcdir)/../des/des_int.h \ + des_stringtokey.c old.h old_decrypt.so old_decrypt.po $(OUTPRE)old_decrypt.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ Modified: trunk/src/lib/krb5/krb/t_kerb.c =================================================================== --- trunk/src/lib/krb5/krb/t_kerb.c 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/lib/krb5/krb/t_kerb.c 2008-12-18 18:31:16 UTC (rev 21544) @@ -5,9 +5,6 @@ #include "krb5.h" #include "autoconf.h" -#ifdef KRB5_KRB4_COMPAT -#include "kerberosIV/krb.h" -#endif #include #include #include @@ -68,11 +65,9 @@ { krb5_principal princ = 0; krb5_error_code retval; -#ifndef KRB5_KRB4_COMPAT #define ANAME_SZ 40 #define INST_SZ 40 #define REALM_SZ 40 -#endif char aname[ANAME_SZ+1], inst[INST_SZ+1], realm[REALM_SZ+1]; aname[ANAME_SZ] = inst[INST_SZ] = realm[REALM_SZ] = 0; Modified: trunk/src/tests/dejagnu/Makefile.in =================================================================== --- trunk/src/tests/dejagnu/Makefile.in 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/tests/dejagnu/Makefile.in 2008-12-18 18:31:16 UTC (rev 21544) 
@@ -7,7 +7,6 @@ KRB5_RUN_ENV= @KRB5_RUN_ENV@ PROG_LIBPATH=-L$(TOPLIBD) PROG_RPATH=$(KRB5_LIBDIR) -KRB4_RUNTESTFLAGS=@KRB4_DEJAGNU_TEST@ SRCS=$(srcdir)/t_inetd.c @@ -47,7 +46,6 @@ sed -e 's%=\.%='`pwd`'/.%g' > site.exp echo "set KRB5_DB_MODULE_DIR {$(KRB5_DB_MODULE_DIR)}" >> site.exp echo "set PRIOCNTL_HACK @PRIOCNTL_HACK@" >> site.exp - echo set $(KRB4_RUNTESTFLAGS) | sed -e 's/=/ /' >> site.exp # +++ Dependency line eater +++ # Modified: trunk/src/tests/dejagnu/config/default.exp =================================================================== --- trunk/src/tests/dejagnu/config/default.exp 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/tests/dejagnu/config/default.exp 2008-12-18 18:31:16 UTC (rev 21544) @@ -821,7 +821,6 @@ # kadmind +4 # kpasswd +5 # (nothing) +6 -# krb524 +7 # application servers (krlogind, telnetd, krshd, ftpd, etc) +8 # iprop +9 (if enabled) # kpropd +10 @@ -1039,7 +1038,6 @@ } puts $conffile " krb4_config = $tmppwd/krb.conf" puts $conffile " krb4_realms = $tmppwd/krb.realms" - puts $conffile " krb4_srvtab = $tmppwd/v4srvtab" if { $mode == "tcp" } { puts $conffile " udp_preference_limit = 1" } @@ -1058,7 +1056,6 @@ puts $conffile " admin_server = $hostname:[expr 4 + $portbase]" puts $conffile " kpasswd_server = $hostname:[expr 5 + $portbase]" puts $conffile " default_domain = $domain" - puts $conffile " krb524_server = $hostname:[expr 7 + $portbase]" puts $conffile " database_module = foo_db2" puts $conffile " \}" puts $conffile "" @@ -1131,10 +1128,6 @@ set env(KRB5CCNAME) $tmppwd/tkt verbose "KRB5CCNAME=$env(KRB5CCNAME)" - # Direct the Kerberos programs at a local ticket file. - set env(KRBTKFILE) $tmppwd/tktv4 - verbose "KRBTKFILE=$env(KRBTKFILE)" - # Direct the Kerberos server at a cache file stored in the # temporary directory. set env(KRB5RCACHEDIR) $tmppwd 
@@ -1762,7 +1755,7 @@ envstack_push setup_kerberos_env kdc - spawn $KRB5KDC -r $REALMNAME -n -4 full + spawn $KRB5KDC -r $REALMNAME -n full envstack_pop set kdc_pid [exp_pid] set kdc_spawn_id $spawn_id 
@@ -2439,171 +2432,6 @@ } } -# kinit -# Use kinit to get a ticket. If the argument is non-zero, call pass -# at relevant points. Returns 1 on success, 0 on failure. - -proc v4kinit { name pass standalone } { - global REALMNAME - global KINIT - global spawn_id - global des3_krbtgt - - # Use kinit to get a ticket. - # - # For now always get forwardable tickets. Later when we need to make - # tests that distiguish between forwardable tickets and otherwise - # we should but another option to this proc. --proven - # - spawn $KINIT -4 $name@$REALMNAME - expect { - "Password for $name@$REALMNAME:" { - verbose "v4kinit started" - } - timeout { - fail "v4kinit" - return 0 - } - eof { - fail "v4kinit" - return 0 - } - } - send "$pass\r" - expect eof - if {$des3_krbtgt == 0} { - if ![check_exit_status v4kinit] { - return 0 - } - } else { - # Fail if kinit is successful with a des3 TGT. - set status_list [wait -i $spawn_id] - set testname v4kinit - verbose "wait -i $spawn_id returned $status_list ($testname)" - if { [lindex $status_list 2] != 0 || [lindex $status_list 3] != 1 } { - verbose -log "exit status: $status_list" - fail "$testname (exit status)" - } - } - if {$standalone} { - pass "v4kinit" - } - - return 1 -} - -proc v4kinit_kt { name keytab standalone } { - global REALMNAME - global KINIT - global spawn_id - - # Use kinit to get a ticket. - # - # For now always get forwardable tickets. Later when we need to make - # tests that distiguish between forwardable tickets and otherwise - # we should but another option to this proc. --proven - # - spawn $KINIT -4 -k -t $keytab $name@$REALMNAME - expect { - timeout { - fail "v4kinit" - return 0 - } - eof { } - } - if ![check_exit_status kinit] { - return 0 - } - - if {$standalone} { - pass "v4kinit" - } - - return 1 -} - -# List v4 tickets. -# Client and server are regular expressions. 
-proc v4klist { client server testname } { - global KLIST - global tmppwd - - spawn $KLIST -4 - expect { - -re "Kerberos 4 ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*Principal:\[ \]*$client.*$server\r\n" { - verbose "klist started" - } - timeout { - fail $testname - return 0 - } - eof { - fail $testname - return 0 - } - } - - expect eof - - if ![check_exit_status $testname] { - return 0 - } - pass $testname - return 1 -} - -# Destroy tickets. -proc v4kdestroy { testname } { - global KDESTROY - spawn $KDESTROY -4 - if ![check_exit_status $testname] { - return 0 - } - pass $testname - return 1 -} - -# Try to list the krb4 tickets -- there shouldn't be any ticket file. -proc v4klist_none { testname } { - global KLIST - global tmppwd - - # Double check that the ticket was destroyed. - spawn $KLIST -4 - expect { - -re "Kerberos 4 ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*klist: You have no tickets cached.*\r\n" { - verbose "v4klist started" - pass "$testname (output)" - } - timeout { - fail "$testname (output)" - # Skip the 'wait' below, if it's taking too long. - untested "$testname (exit status)" - return 0 - } - eof { - fail "$testname (output)" - } - } - # We can't use check_exit_status, because we expect an exit status - # of 1. - expect eof - set status_list [wait -i $spawn_id] - verbose "wait -i $spawn_id returned $status_list (v4klist)" - if { [lindex $status_list 2] != 0 } { - fail "$testname (exit status)" - return 0 - } else { - if { [lindex $status_list 3] != 1 } { - fail "$testname (exit status)" - return 0 - } else { - pass "$testname (exit status)" - } - } - return 1 -} - # Set up a root shell using rlogin $hostname -l root. This is used # when testing the daemons that must be run as root, such as telnetd # or rlogind. 
This sets the global variables rlogin_spawn_id and Modified: trunk/src/tests/dejagnu/krb-root/telnet.exp =================================================================== --- trunk/src/tests/dejagnu/krb-root/telnet.exp 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/tests/dejagnu/krb-root/telnet.exp 2008-12-18 18:31:16 UTC (rev 21544) @@ -47,7 +47,7 @@ # we don't need to use inetd. The portbase+8 is the port to listen at. # Note that tmppwd here is a shell variable, which is set in # setup_root_shell, not a TCL variable. - send -i $rlogin_spawn_id "sh -c \"$TELNETD $args -debug -t \$tmppwd/srvtab -R $REALMNAME -L $tmppwd/login.wrap -X KERBEROS_V4 [expr 8 + $portbase]\" &\r" + send -i $rlogin_spawn_id "sh -c \"$TELNETD $args -debug -t \$tmppwd/srvtab -R $REALMNAME -L $tmppwd/login.wrap [expr 8 + $portbase]\" &\r" expect { -i $rlogin_spawn_id -re "$ROOT_PROMPT" { } Modified: trunk/src/tests/dejagnu/krb-standalone/standalone.exp =================================================================== --- trunk/src/tests/dejagnu/krb-standalone/standalone.exp 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/tests/dejagnu/krb-standalone/standalone.exp 2008-12-18 18:31:16 UTC (rev 21544) 
@@ -175,47 +175,6 @@ kinit_kt "foo/bar" $tmppwd/fookeytab 1 "kt kvno $vno" do_klist "foo/bar" "krbtgt/$REALMNAME@$REALMNAME" "klist kt foo/bar vno $vno" do_kdestroy "kdestroy foo/bar vno $vno" - - if {[info exists KRBIV] && $KRBIV && - [regexp {des-cbc-[a-z0-9-]*:v4} [lindex $supported_enctypes 0]]} { - catch "exec rm -f $tmppwd/foosrvtab" - spawn $KTUTIL - expect_after { - timeout { fail "ktutil converting keytab to srvtab" ; set ok 0 } - eof { fail "ktutil converting keytab to srvtab" ; set ok 0 } - } - expect "ktutil: " - send "rkt $tmppwd/fookeytab\r" - expect -ex "rkt $tmppwd/fookeytab\r" - expect "ktutil: " -# for debugging, just log this -# send "list\r" -# expect "ktutil: " - # - send "wst $tmppwd/foosrvtab\r" - expect -ex "wst $tmppwd/foosrvtab\r" - expect "ktutil: " -# for debugging, just log this -# send "clear\r" -# expect "ktutil: " -# send "rst $tmppwd/foosrvtab\r" -# expect "ktutil: " -# send "list\r" -# expect "ktutil: " - # okay, now quit and finish testing - send "quit\r" - expect eof - catch expect_after - if [check_exit_status "ktutil converting keytab to srvtab (vno $vno)"] { - pass "ktutil converting keytab to srvtab (vno $vno)" - do_klist_kt $tmppwd/fookeytab "klist srvtab foo/bar vno $vno" - kinit_kt "foo/bar" "SRVTAB:$tmppwd/foosrvtab" 1 "st kvno $vno" - do_klist "foo/bar" "krbtgt/$REALMNAME@$REALMNAME" "klist st foo/bar vno $vno" - do_kdestroy "kdestroy st foo/bar vno $vno" - } - } else { - verbose "skipping v5kinit/srvtab tests because of non-v4 enctype" - } } catch "exec rm -f $keytab" # Check that kadmin.local can actually read the correct kvno, even Deleted: trunk/src/tests/dejagnu/krb-standalone/v4gssftp.exp =================================================================== --- trunk/src/tests/dejagnu/krb-standalone/v4gssftp.exp 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/tests/dejagnu/krb-standalone/v4gssftp.exp 2008-12-18 18:31:16 UTC (rev 21544) 
@@ -1,508 +0,0 @@ -# Kerberos ftp test. -# This is a DejaGnu test script. -# This script tests Kerberos ftp. -# Originally written by Ian Lance Taylor, Cygnus Support, . -# Modified bye Ezra Peisach for GSSAPI support. - -# Find the programs we need. We use the binaries from the build tree -# if they exist. If they do not, then they must be in PATH. We -# expect $objdir to be .../kerberos/build/tests/dejagnu - -if ![info exists FTP] { - set FTP [findfile $objdir/../../appl/gssftp/ftp/ftp] -} - -if ![info exists FTPD] { - set FTPD [findfile $objdir/../../appl/gssftp/ftpd/ftpd] -} - -# If we do not have what is for a V4 test - return -if ![v4_compatible_enctype] { - return -} - -# A procedure to start up the ftp daemon. - -proc start_ftp_daemon { } { - global FTPD - global tmppwd - global ftpd_spawn_id - global ftpd_pid - global portbase - - # The -p argument tells it to accept a single connection, so we - # don't need to use inetd. Portbase+8 is the port to listen at. - # We rely on KRB5_KTNAME being set to the proper keyfile as there is - # no way to cleanly set it with the gssapi API. - # The -U argument tells it to use an alternate ftpusers file (using - # /dev/null will allow root to login regardless of /etc/ftpusers). - # The -a argument requires authorization, to mitigate any - # vulnerability introduced by circumventing ftpusers. - spawn $FTPD -p [expr 8 + $portbase] -a -U /dev/null -r $tmppwd/krb.conf - set ftpd_spawn_id $spawn_id - set ftpd_pid [exp_pid] - - # Give the ftp daemon a few seconds to get set up. - sleep 2 -} - -# A procedure to stop the ftp daemon. - -proc stop_ftp_daemon { } { - global ftpd_spawn_id - global ftpd_pid - - if [info exists ftpd_pid] { - catch "close -i $ftpd_spawn_id" - catch "exec kill $ftpd_pid" - catch "wait -i $ftpd_spawn_id" - unset ftpd_pid - } -} - -# Test that a file was copied correctly. 
-proc check_file { filename {bigfile 0}} { - if ![file exists $filename] { - verbose "$filename does not exist" - send_log "$filename does not exist\n" - return 0 - } - - set file [open $filename r] - if { [gets $file line] == -1 } { - verbose "$filename is empty" - send_log "$filename is empty\n" - close $file - return 0 - } - - if ![string match "This file is used for ftp testing." $line] { - verbose "$filename contains $line" - send_log "$filename contains $line\n" - close $file - return 0 - } - - if {$bigfile} { - # + 1 for the newline - seek $file 1048577 current - if { [gets $file line] == -1 } { - verbose "$filename is truncated" - send_log "$filename is truncated\n" - close $file - return 0 - } - - if ![string match "This file is used for ftp testing." $line] { - verbose "$filename contains $line" - send_log "$filename contains $line\n" - close $file - return 0 - } - } - - if { [gets $file line] != -1} { - verbose "$filename is too long ($line)" - send_log "$filename is too long ($line)\n" - close $file - return 0 - } - - close $file - - return 1 -} - -# -# Restore environment variables possibly set. -# -proc ftp_restore_env { } { - global env - global ftp_save_ktname - global ftp_save_ccname - - catch "unset env(KRB5_KTNAME)" - if [info exists ftp_save_ktname] { - set env(KRB5_KTNAME) $ftp_save_ktname - unset ftp_save_ktname - } - - catch "unset env(KRB5CCNAME)" - if [info exists ftp_save_ccname] { - set env(KRB5CCNAME) $ftp_save_ccname - unset ftp_save_ccname - } -} - -# Wrap the tests in a procedure, so that we can kill the daemons if -# we get some sort of error. 
- -proc v4ftp_test { } { - global FTP - global KEY - global REALMNAME - global hostname - global localhostname - global env - global ftpd_spawn_id - global ftpd_pid - global spawn_id - global tmppwd - global ftp_save_ktname - global ftp_save_ccname - global des3_krbtgt - global portbase - - if {$des3_krbtgt} { - return - } - # Start up the kerberos and kadmind daemons and get a srvtab and a - # ticket file. - if {![start_kerberos_daemons 0] \ - || ![add_random_key ftp/$hostname 0] \ - || ![setup_srvtab 0 ftp] \ - || ![add_kerberos_key $env(USER) 0] \ - || ![v4kinit $env(USER) $env(USER)$KEY 0]} { - return - } - - # - # Save settings of KRB5_KTNAME - # - if [info exists env(KRB5_KTNAME)] { - set ftp_save_ktname $env(KRB5_KTNAME) - } - - # - # set KRB5_KTNAME - # - set env(KRB5_KTNAME) FILE:$tmppwd/srvtab - verbose "KRB5_KTNAME=$env(KRB5_KTNAME)" - - # - # Save settings of KRB5CCNAME - # These tests fail if the krb5 cache happens to have a valid credential - # which can result from running the gssftp.exp test immediately - # preceeding these tests. - # - if [info exists env(KRB5CCNAME)] { - set ftp_save_ccname $env(KRB5CCNAME) - } - - # - # set KRB5_KTNAME - # - set env(KRB5CCNAME) FILE:$tmppwd/non-existant-cache - verbose "KRB5CCNAME=$env(KRB5CCNAME)" - - # Start the ftp daemon. - start_ftp_daemon - - # Make an ftp client connection to it. - spawn $FTP $hostname [expr 8 + $portbase] - - expect_after { - timeout { - fail "$testname (timeout)" - catch "expect_after" - return - } - eof { - fail "$testname (eof)" - catch "expect_after" - return - } - } - - set testname "ftp connection(v4)" - expect -nocase "connected to $hostname" - expect -nocase -re "$localhostname.*ftp server .version \[0-9.\]*. ready." 
- expect -re "Using authentication type GSSAPI; ADAT must follow" - expect "GSSAPI accepted as authentication type" - expect -re "GSSAPI error major: (Unspecified GSS|Miscellaneous) failure" - expect { - "GSSAPI error minor: Unsupported credentials cache format version number" {} - "GSSAPI error minor: No credentials cache found" {} - -re "GSSAPI error minor: Credentials cache file '.*' not found" {} - "GSSAPI error minor: Decrypt integrity check failed" {} - } - expect "GSSAPI error: initializing context" - expect "GSSAPI authentication failed" - expect -re "Using authentication type KERBEROS_V4; ADAT must follow" - expect { - "Kerberos V4 authentication succeeded" { pass "ftp authentication" } - eof { fail "ftp authentication" ; catch "expect_after" ; return } - -re "Kerberos V4 .* failed.*\r" { - fail "ftp authentication"; - send "quit\r"; catch "expect_after"; - return - } - } - expect -nocase "name ($hostname:$env(USER)): " - send "$env(USER)\r" - expect "Kerberos user $env(USER)@$REALMNAME is authorized as $env(USER)" - expect "Remote system type is UNIX." - expect "Using binary mode to transfer files." - expect "ftp> " { - pass $testname - } - - set testname "binary(v4)" - send "binary\r" - expect "ftp> " { - pass $testname - } - - set testname "status(v4)" - send "status\r" - expect -nocase "connected to $hostname." - expect "Authentication type: KERBEROS_V4" - expect "ftp> " { - pass $testname - } - - set testname "ls(v4)" - send "ls $tmppwd/ftp-test\r" - expect -re "Opening ASCII mode data connection for .*ls." - expect -re ".* $tmppwd/ftp-test" - expect "ftp> " { - pass $testname - } - - set testname "nlist(v4)" - send "nlist $tmppwd/ftp-test\r" - expect -re "Opening ASCII mode data connection for file list." - expect -re "$tmppwd/ftp-test" - expect -re ".* Transfer complete." - expect "ftp> " { - pass $testname - } - - set testname "ls missing(v4)" - send "ls $tmppwd/ftp-testmiss\r" - expect -re "Opening ASCII mode data connection for .*ls." 
- expect { - -re "$tmppwd/ftp-testmiss not found" {} - -re "$tmppwd/ftp-testmiss: No such file or directory" - } - expect "ftp> " { - pass $testname - } - - - set testname "get(v4)" - catch "exec rm -f $tmppwd/copy" - send "get $tmppwd/ftp-test $tmppwd/copy\r" - expect "Opening BINARY mode data connection for $tmppwd/ftp-test" - expect "Transfer complete" - expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds" - expect "ftp> " - if [check_file $tmppwd/copy] { - pass $testname - } else { - fail $testname - } - - set testname "put(v4)" - catch "exec rm -f $tmppwd/copy" - send "put $tmppwd/ftp-test $tmppwd/copy\r" - expect "Opening BINARY mode data connection for $tmppwd/copy" - expect "Transfer complete" - expect -re "\[0-9\]+ bytes sent in \[0-9.e-\]+ seconds" - expect "ftp> " - if [check_file $tmppwd/copy] { - pass $testname - } else { - fail $testname - } - - set testname "cd(v4)" - send "cd $tmppwd\r" - expect "CWD command successful." - expect "ftp> " { - pass $testname - } - - set testname "lcd(v4)" - send "lcd $tmppwd\r" - expect "Local directory now $tmppwd" - expect "ftp> " { - pass $testname - } - - set testname "local get(v4)" - catch "exec rm -f $tmppwd/copy" - send "get ftp-test copy\r" - expect "Opening BINARY mode data connection for ftp-test" - expect "Transfer complete" - expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds" - expect "ftp> " - if [check_file $tmppwd/copy] { - pass $testname - } else { - fail $testname - } - - set testname "big local get(v4)" - catch "exec rm -f $tmppwd/copy" - send "get bigftp-test copy\r" - expect "Opening BINARY mode data connection for bigftp-test" - expect "Transfer complete" - expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds" - expect "ftp> " - if [check_file $tmppwd/copy 1] { - pass $testname - } else { - fail $testname - } - - set testname "start encryption(v4)" - send "private\r" - expect "Data channel protection level set to private" - expect "ftp> " { - pass $testname - } - - set 
testname "status(v4)" - send "status\r" - expect "Protection Level: private" - expect "ftp> " { - pass $testname - } - - set testname "encrypted get(v4)" - catch "exec rm -f $tmppwd/copy" - send "get ftp-test copy\r" - expect "Opening BINARY mode data connection for ftp-test" - expect "Transfer complete" - expect { - -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds" {} - -re "krb_rd_priv failed for KERBEROS_V4" { - fail $testname - send "quit\r" - catch "expect_after" - return - } - } - expect "ftp> " - if [check_file $tmppwd/copy] { - pass $testname - } else { - fail $testname - } - - - # Test a large file that will overflow PBSZ size - set testname "big encrypted get(v4)" - catch "exec rm -f $tmppwd/copy" - send "get bigftp-test copy\r" - expect "Opening BINARY mode data connection for bigftp-test" - expect "Transfer complete" - expect { - -re "\[0-9\]+ bytes received in \[0-9.e+-\]+ seconds" {} - -re "krb_rd_priv failed for KERBEROS_V4" { - fail $testname - send "quit\r" - catch "expect_after" - return - } - } - expect "ftp> " - if [check_file $tmppwd/copy 1] { - pass $testname - } else { - fail $testname - } - - set testname "close(v4)" - send "close\r" - expect "Goodbye." - expect "ftp> " - set status_list [wait -i $ftpd_spawn_id] - verbose "wait -i $ftpd_spawn_id returned $status_list ($testname)" - catch "close -i $ftpd_spawn_id" - if { [lindex $status_list 2] != 0 || [lindex $status_list 3] != 0 } { - send_log "exit status: $status_list\n" - verbose "exit status: $status_list" - fail $testname - } else { - pass $testname - unset ftpd_pid - } - - set testname "quit(v4)" - send "quit\r" - expect_after - expect eof - if [check_exit_status $testname] { - pass $testname - } - -} - -run_once v4gssftp { - # Make sure .klogin is reasonable. - if ![check_k5login ftp] { - return - } - - if ![check_klogin ftp] { - return - } - - # Set up the kerberos database. 
- if {![get_hostname] \ - || ![setup_kerberos_files] \ - || ![setup_kerberos_env] \ - || ![setup_kerberos_db 0]} { - return - } - - # Create a file to use for ftp testing. - set file [open $tmppwd/ftp-test w] - puts $file "This file is used for ftp testing." - close $file - - # Create a large file to use for ftp testing. File needs to be - # larger that 2^20 or 1MB for PBSZ testing. - set file [open $tmppwd/bigftp-test w] - puts $file "This file is used for ftp testing.\n" - seek $file 1048576 current - puts $file "This file is used for ftp testing." - close $file - - # The ftp client will look in $HOME/.netrc for the user name to use. - # To avoid confusing the testsuite, point $HOME at a directory where - # we know there is no .netrc file. - if [info exists env(HOME)] { - set home $env(HOME) - } elseif [info exists home] { - unset home - } - set env(HOME) $tmppwd - - # Run the test. Logging in sometimes takes a while, so increase the - # timeout. - set oldtimeout $timeout - set timeout 60 - set status [catch v4ftp_test msg] - set timeout $oldtimeout - - # Shut down the kerberos daemons and the ftp daemon. - stop_kerberos_daemons - - stop_ftp_daemon - - ftp_restore_env - - # Reset $HOME, for safety in case we are going to run more tests. - if [info exists home] { - set env(HOME) $home - } else { - unset env(HOME) - } - - if { $status != 0 } { - perror "error in v4gssftp.exp: $msg" - } -} Deleted: trunk/src/tests/dejagnu/krb-standalone/v4krb524d.exp =================================================================== --- trunk/src/tests/dejagnu/krb-standalone/v4krb524d.exp 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/tests/dejagnu/krb-standalone/v4krb524d.exp 2008-12-18 18:31:16 UTC (rev 21544) 
@@ -1,168 +0,0 @@ -# Standalone Kerberos test. -# This is a DejaGnu test script. -# This script tests that the Kerberos tools can talk to each other. - -# This mostly just calls procedures in testsuite/config/default.exp. - -if ![info exists K524INIT] { - set K524INIT [findfile $objdir/../../krb524/k524init] -} - -if ![info exists KRB524D] { - set KRB524D [findfile $objdir/../../krb524/krb524d] -} - -if ![info exists KLIST] { - set KLIST [findfile $objdir/../../clients/klist/klist] -} - -if ![info exists KDESTROY] { - set KDESTROY [findfile $objdir/../../clients/kdestroy/kdestroy] -} - -# Set up the Kerberos files and environment. -if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} { - return -} - -# If we do not have what is for a V4 test - return -if ![v4_compatible_enctype] { - return -} - -# Initialize the Kerberos database. The argument tells -# setup_kerberos_db that it is being called from here. -if ![setup_kerberos_db 1] { - return -} - -# A procedure to stop the krb524 daemon. -proc start_k524_daemon { } { - global KRB524D - global k524d_spawn_id - global k524d_pid - global REALMNAME - global portbase - - spawn $KRB524D -m -p [expr 7 + $portbase] -r $REALMNAME -nofork - set k524d_spawn_id $spawn_id - set k524d_pid [exp_pid] - - # Give the krb524d daemon a few seconds to get set up. - sleep 2 -} - -# A procedure to stop the krb524 daemon. -proc stop_k524_daemon { } { - global k524d_spawn_id - global k524d_pid - - if [info exists k524d_pid] { - catch "close -i $k524d_spawn_id" - catch "exec kill $k524d_pid" - catch "wait -i $k524d_spawn_id" - unset k524d_pid - } -} - -# We are about to start up a couple of daemon processes. We do all -# the rest of the tests inside a proc, so that we can easily kill the -# processes when the procedure ends. 
- -proc doit { } { - global env - global KEY - global K524INIT - # To pass spawn_id to the wait process - global spawn_id - global KLIST - global KDESTROY - global tmppwd - global REALMNAME - global des3_krbtgt - - if {$des3_krbtgt} { - return - } - # Start up the kerberos and kadmind daemons. - if ![start_kerberos_daemons 1] { - return - } - - # Add a user key and get a V5 ticket - if {![add_kerberos_key $env(USER) 0] \ - || ![kinit $env(USER) $env(USER)$KEY 0]} { - return - } - - # Start the krb524d daemon. - start_k524_daemon - - # The k524init program does not advertise anything on success - - #only failure. - spawn $K524INIT - expect { - -timeout 10 - -re "k524init: .*\r" { - fail "k524init" - return - } - eof {} - timeout {} - } - - - if ![check_exit_status "k524init"] { - return - } - pass "k524init" - - # Make sure that klist can see the ticket. - spawn $KLIST -4 - expect { - -re "Kerberos 4 ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*Principal:\[ \]*$env(USER)@$REALMNAME.*krbtgt\.$REALMNAME@$REALMNAME\r\n" { - verbose "klist started" - } - timeout { - fail "v4klist" - return - } - eof { - fail "v4klist" - return - } - } - - expect { - "\r" { } - eof { } - } - - if ![check_exit_status "klist"] { - return - } - pass "krb524d: v4klist" - - # Destroy the ticket. - spawn $KDESTROY -4 - if ![check_exit_status "kdestroy"] { - return - } - pass "krb524d: v4kdestroy" - - pass "krb524d: krb524d" -} - -set status [catch doit msg] - -stop_kerberos_daemons - -stop_k524_daemon - -if { $status != 0 } { - send_error "ERROR: error in v4krb524d.exp\n" - send_error "$msg\n" - exit 1 -} - - Deleted: trunk/src/tests/dejagnu/krb-standalone/v4standalone.exp =================================================================== --- trunk/src/tests/dejagnu/krb-standalone/v4standalone.exp 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/tests/dejagnu/krb-standalone/v4standalone.exp 2008-12-18 18:31:16 UTC (rev 21544) 
@@ -1,95 +0,0 @@ -# Standalone Kerberos test. -# This is a DejaGnu test script. -# This script tests that the Kerberos tools can talk to each other. - -# This mostly just calls procedures in testsuite/config/default.exp. - -# Set up the Kerberos files and environment. -if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} { - return -} - -# If we do not have what is for a V4 test - return -if ![v4_compatible_enctype] { - return -} - -# Initialize the Kerberos database. The argument tells -# setup_kerberos_db that it is being called from here. -if ![setup_kerberos_db 1] { - return -} - -# We are about to start up a couple of daemon processes. We do all -# the rest of the tests inside a proc, so that we can easily kill the -# processes when the procedure ends. - -proc check_and_destroy_v4_tix { client server } { - global REALMNAME - global des3_krbtgt - - # Skip this if we're using a des3 TGT, since that's supposed to fail. - if {$des3_krbtgt} { - return - } - # Make sure that klist can see the ticket. - if ![v4klist "$client" "$server" "v4klist"] { - return - } - - # Destroy the ticket. - if ![v4kdestroy "v4kdestroy"] { - return - } - - if ![v4klist_none "v4klist no tix 1"] { - return - } -} - -proc doit { } { - global REALMNAME - global KLIST - global KDESTROY - global KEY - global hostname - global spawn_id - global tmppwd - - # Start up the kerberos and kadmind daemons. - if ![start_kerberos_daemons 1] { - return - } - - # Use kadmin to add an host key. - if ![add_random_key host/$hostname 1] { - return - } - - # Use ksrvutil to create a srvtab entry. - if ![setup_srvtab 1] { - return - } - - # Use kinit to get a ticket. - if [v4kinit krbtest.admin adminpass$KEY 1] { - check_and_destroy_v4_tix krbtest.admin@$REALMNAME krbtgt.$REALMNAME@$REALMNAME - } - - # Use kinit with srvtab to get a ticket. - # XXX - Currently kinit doesn't support "-4 -k"! -# set shorthost [string range $hostname 0 [expr [string first . 
$hostname] - 1]] -# if [v4kinit_kt host.$shorthost SRVTAB:$tmppwd/srvtab 1] { -# check_and_destroy_v4_tix host.$shorthost@$REALMNAME krbtgt.$REALMNAME@$REALMNAME -# } -} - -set status [catch doit msg] - -stop_kerberos_daemons - -if { $status != 0 } { - send_error "ERROR: error in v4standalone.exp\n" - send_error "$msg\n" - exit 1 -} Modified: trunk/src/util/depfix.pl =================================================================== --- trunk/src/util/depfix.pl 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/util/depfix.pl 2008-12-18 18:31:16 UTC (rev 21544) @@ -162,10 +162,6 @@ $_ = &uniquify($_); - # Some krb4 dependencies should only be present if building with krb4 - # enabled. - s;\$\(BUILDTOP\)/include/kerberosIV/krb_err.h ;\$(KRB_ERR_H_DEP) ;g; - # Delete trailing whitespace. s; *$;;g; Modified: trunk/src/util/ss/Makefile.in =================================================================== --- trunk/src/util/ss/Makefile.in 2008-12-18 16:21:10 UTC (rev 21543) +++ trunk/src/util/ss/Makefile.in 2008-12-18 18:31:16 UTC (rev 21544) @@ -233,7 +233,7 @@ utils.c options.so options.po $(OUTPRE)options.$(OBJEXT): $(BUILDTOP)/include/ss/ss_err.h \ $(COM_ERR_DEPS) copyright.h options.c ss.h -cmd_tbl.lex.o: cmd_tbl.lex.c ct.tab.h +cmd_tbl.lex.o: cmd_tbl.lex.c ct.tab.o: $(BUILDTOP)/include/ss/ss_err.h $(COM_ERR_DEPS) \ ct.tab.c ss.h ss_err.so ss_err.po $(OUTPRE)ss_err.$(OBJEXT): $(COM_ERR_DEPS) \ From ghudson at MIT.EDU Thu Dec 18 14:28:25 2008 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 18 Dec 2008 14:28:25 -0500 (EST) Subject: svn rev #21545: trunk/doc/ Message-ID: <200812181928.OAA27829@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21545 Commit By: ghudson Log Message: ticket: 6303 Remove documentation references to krb4 functionality we no longer have. Remove the krb425 transition guide since we no longer have compatibility code to assist with a transition. Changed Files: U trunk/doc/Makefile U trunk/doc/admin.texinfo U trunk/doc/definitions.texinfo U trunk/doc/dnssrv.texinfo U trunk/doc/install.texinfo D trunk/doc/krb4-xrealm.txt D trunk/doc/krb425.texinfo D trunk/doc/old-V4-docs/ Modified: trunk/doc/Makefile =================================================================== --- trunk/doc/Makefile 2008-12-18 18:31:16 UTC (rev 21544) +++ trunk/doc/Makefile 2008-12-18 19:28:23 UTC (rev 21545) @@ -26,11 +26,8 @@ USER_GUIDE_INCLUDES=definitions.texinfo copyright.texinfo glossary.texinfo USER_GUIDE_DEPS=user-guide.texinfo $(USER_GUIDE_INCLUDES) -KRB425_INCLUDES=definitions.texinfo copyright.texinfo -KRB425_DEPS=krb425.texinfo $(KRB425_INCLUDES) - .PHONY: all -all:: admin-guide-full install-guide-full user-guide-full krb425-guide-full clean-temp-ps clean-tex +all:: admin-guide-full install-guide-full user-guide-full clean-temp-ps clean-tex .PHONY: admin-guide-full admin-guide-full:: admin-guide admin-guide-info admin-guide-html 
@@ -118,28 +115,6 @@ $(MANTXT) $(SRCDIR)/kadmin/passwd/kpasswd.M | $(MANHTML) > kpasswd.html $(HTML) user-guide.texinfo -.PHONY: krb425-guide-full -krb425-guide-full:: krb425-guide krb425-guide-info krb425-guide-html - -.PHONY: krb425-guide -krb425-guide:: krb425-guide.ps - -krb425-guide.ps: $(KRB425_DEPS) - $(DVI) krb425.texinfo - $(DVIPS) krb425 - -.PHONY: krb425-guide-html -krb425-guide-html:: krb425.html - -krb425.html:: $(KRB425_DEPS) - $(HTML) krb425.texinfo - -.PHONY: krb425-guide-info -krb425-guide-info:: krb425.info - -krb425.info: $(KRB425_DEPS) - $(INFO) krb425.texinfo - .PHONY: implementor.ps implementor.pdf implementor.info implementor.pdf: implementor.ps $(PSPDF) implementor.ps Modified: trunk/doc/admin.texinfo =================================================================== --- trunk/doc/admin.texinfo 2008-12-18 18:31:16 UTC (rev 21544) +++ trunk/doc/admin.texinfo 2008-12-18 19:28:23 UTC (rev 21545) @@ -502,18 +502,6 @@ code. @end ignore - at itemx krb4_srvtab -Specifies the location of the Kerberos V4 srvtab file. Default is - at value{DefaultKrb4Srvtab}. - - at itemx krb4_config -Specifies the location of hte Kerberos V4 configuration file. Default -is @value{DefaultKrb4Config}. - - at itemx krb4_realms -Specifies the location of the Kerberos V4 domain/realm translation -file. Default is @value{DefaultKrb4Realms}. - @itemx dns_lookup_kdc Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the information for 
@@ -637,33 +625,7 @@ that application's man pages. The application defaults specified here are overridden by those specified in the [realms] section. -A special application name (afs_krb5) is used by the krb524 service to -know whether new format AFS tokens based on Kerberos 5 can be used -rather than the older format which used a converted Kerberos 4 ticket. -The new format allows for cross-realm authentication without -introducing a security hole. It is used by default. Older AFS -servers (before OpenAFS 1.2.8) will not support the new format. If -servers in your cell do not support the new format, you will need to -add an @code{afs_krb5} relation to the @code{appdefaults} section. -The following config file shows how to disable new format AFS tickets -for the @code{afs.example.com} cell in the @code{EXAMPLE.COM} realm. - at smallexample - at group -[appdefaults] - afs_krb5 = @{ - EXAMPLE.COM = @{ - afs/afs.example.com = false - @} - @} - - at end group - at end smallexample - - - - - @node login, realms (krb5.conf), appdefaults, krb5.conf @subsection [login] 
@@ -675,20 +637,6 @@ Indicate whether or not to use a user's password to get V5 tickets. The default value is @value{DefaultKrb5GetTickets}. - at itemx krb4_get_tickets -Indicate whether or not to user a user's password to get V4 tickets. -The default value is @value{DefaultKrb4GetTickets}. - - at itemx krb4_convert -Indicate whether or not to use the Kerberos conversion daemon to get V4 -tickets. The default value is @value{DefaultKrb4Convert}. If this is -set to false and krb4_get_tickets is true, then login will get the V5 -tickets directly using the Kerberos V4 protocol directly. This does -not currently work with non-MIT-V4 salt types (such as the AFS3 salt -type). Note that if this is set to true and krb524d is not running, -login will hang for approximately a minute under Solaris, due to a -Solaris socket emulation bug. - @itemx krb_run_aklog Indicate whether or not to run aklog. The default value is @value{DefaultKrbRunAklog}. @@ -1493,14 +1441,8 @@ current implementation has little protection against denial-of-service attacks), the standard port number assigned for Kerberos TCP traffic is port 88. +- at end table - at itemx v4_mode -This string specifies how the KDC should respond to Kerberos 4 -packets. The possible values are none, disable, full, and nopreauth. -The default value is @value{DefaultV4Mode}. - at comment these values found in krb5/src/kdc/kerberos_v4.c in v4mode_table - at end table - @node realms (kdc.conf), pkinit kdc options, kdcdefaults, kdc.conf @subsection [realms] 
@@ -4353,7 +4295,6 @@ krb5_prop @value{DefaultKrbPropPort}/tcp # Kerberos slave propagation @c kpop 1109/tcp # Pop with Kerberos eklogin @value{DefaultEkloginPort}/tcp # Kerberos auth. & encrypted rlogin -krb524 @value{DefaultKrb524Port}/tcp # Kerberos 5 to 4 ticket translator @end group @end smallexample Modified: trunk/doc/definitions.texinfo =================================================================== --- trunk/doc/definitions.texinfo 2008-12-18 18:31:16 UTC (rev 21544) +++ trunk/doc/definitions.texinfo 2008-12-18 19:28:23 UTC (rev 21545) @@ -131,10 +131,6 @@ @end ignore @set DefaultKrb5GetTickets true @comment login_krb5_get_tickets - at set DefaultKrb4GetTickets false - at comment login_krb4_get_tickets - at set DefaultKrb4Convert false - at comment login_krb4_convert @set DefaultKrbRunAklog false @comment login_krb_run_aklog @set DefaultAklogPath $(prefix)/bin/aklog @@ -143,13 +139,6 @@ @comment login_accept_password @ignore -the following defaults should be consistent with the values set in -krb5/src/kdc/kerberos_v4 - at end ignore - at set DefaultV4Mode none - at comment KDC_V4_DEFAULT_MODE - - at ignore these defaults are based on code in krb5/src/aclocal.m4 @end ignore @set DefaultDNSLookupKDC true @@ -175,14 +164,6 @@ @set DefaultFTPPort 21 @set DefaultKrb524Port 4444 - at comment src/include/kerberosIV/krb.h - at set DefaultKrb4Srvtab /etc/srvtab - at comment line 131 - at set DefaultKrb4Config /etc/krb.conf - at comment KRB_CONF - at set DefaultKrb4Realms /etc/krb.realms - at comment KRB_RLM_TRANS - @comment krb5/src/lib/krb5/krb/get_in_tkt.c @set DefaultRenewLifetime 0 @set DefaultNoaddresses set Modified: trunk/doc/dnssrv.texinfo =================================================================== --- trunk/doc/dnssrv.texinfo 2008-12-18 18:31:16 UTC (rev 21544) +++ trunk/doc/dnssrv.texinfo 2008-12-18 19:28:23 UTC (rev 21545) 
@@ -59,10 +59,6 @@ This should list port @value{DefaultKpasswdPort} on your master KDC. It is used when a user changes her password. - at item _kerberos-iv._udp -This should refer to your KDCs that serve Kerberos version 4 requests, -if you have Kerberos v4 enabled. - @end table Be aware, however, that the DNS SRV specification requires that the Modified: trunk/doc/install.texinfo =================================================================== --- trunk/doc/install.texinfo 2008-12-18 18:31:16 UTC (rev 21544) +++ trunk/doc/install.texinfo 2008-12-18 19:28:23 UTC (rev 21545) @@ -206,9 +206,6 @@ @item How frequently you will propagate the database from the master KDC to the slave KDCs. - - at item -Whether you need backward compatibility with Kerberos V4. @end itemize @menu @@ -1184,17 +1181,6 @@ @smallexample @group -# -# Note --- if you are using Kerberos V4 and you either: -# -# (a) haven't converted all your master or slave KDCs to V5, or -# -# (b) are worried about inter-realm interoperability with other KDC's -# that are still using V4 -# -# you will need to switch the "kerberos" service to port 750 and create a -# "kerberos-sec" service on port 88. -# kerberos @value{DefaultPort}/udp kdc # Kerberos V5 KDC kerberos @value{DefaultPort}/tcp kdc # Kerberos V5 KDC klogin @value{DefaultKloginPort}/tcp # Kerberos authenticated rlogin 
@@ -1208,13 +1194,6 @@ @end group @end smallexample - at noindent As described in the comments in the above code, if your master -KDC or any of your slave KDCs is running Kerberos V4, (or if you will be -authenticating to any Kerberos V4 KDCs in another realm) you will need -to switch the port number for @code{kerberos} to 750 and create a - at code{kerberos-sec} service (tcp and udp) on port 88, so the Kerberos -V4 KDC(s) will continue to work properly. - @menu * Mac OS X Configuration:: @end menu Deleted: trunk/doc/krb4-xrealm.txt =================================================================== --- trunk/doc/krb4-xrealm.txt 2008-12-18 18:31:16 UTC (rev 21544) +++ trunk/doc/krb4-xrealm.txt 2008-12-18 19:28:23 UTC (rev 21545) 
@@ -1,143 +0,0 @@ -The following text was taken from the patchkit disabling cross-realm -authentication and triple-DES in krb4. - -PATCH KIT DESCRIPTION -===================== - -** FLAG DAY REQUIRED ** - -One of the things we decided to do (and must do for security reasons) -was drop support for the 3DES krb4 TGTs. Unfortunately the current -code will only accept 3DES TGTs if it issues 3DES TGTs. Since the new -code issues only DES TGTs, the old code will not understand its v4 -TGTs if the site has a 3DES key available for the krbtgt principal. -The new code will understand and accept both DES and 3DES v4 TGTs. - -So, the easiest upgrade option is to deploy the code on all KDCs at -once, being sure to deploy it on the master KDC last. Under this -scenario, a brief window exists where slaves may be able to issue -tickets that the master will not understand. However, the slaves will -understand tickets issued by the master throughout the upgrade. - -An alternate and more annoying upgrade strategy exists. At least one -max TGT life time before the upgrade, the TGT key can be changed to be -a single-des key. Since we support adding a new TGT key while -preserving the old one, this does not create an interruption in -service. Since no 3DES key is available then both the old and new -code will issue and accept DES v4 TGTs. After the upgrade, the TGT -key can again be rekeyed to add 3DES keys. This does require two TGT -key changes and creates a window where DES is used for the v5 TGT, but -creates no window in which slaves will issue TGTs the master cannot -accept. - -* What the patch does -===================== - -1) Kerberos 4 cross-realm authentication is disabled by default. A - "-X" switch is added to both krb524d and krb5kdc to enable v4 - cross-realm. This switch logs a note that a security hole has been - opened in the KDC log. 
We said while designing the patch, that we - were going to try to allow per-realm configuration; because of a - design problem in the kadm5 library, we could not do this without - bumping the ABI version of that library. We are unwilling to bump - an ABI version in a security patch release to get that feature, so - the configuration of v4 cross-realm is a global switch. - -2) Code responsible for v5 TGTs has been changed to require that the - enctype of the ticket service key be the same as the enctype that - would currently be issued for that kvno. This means that even if a - service has multiple keys, you cannot use a weak key to fake the - KDC into accepting tickets for that service. If you have a non-DES - TGT key, this separates keys used for v4 and v5. We actually relax - this requirement for cross-realm TGT keys (which in the new code - are only used for v5) because we cannot guarantee other Kerberos - implementations will choose keys the same way. - -3) We no longer issue 3DES v4 tickets either in the KDC or krb524d. - We add code to accept either DES or 3DES tickets for v4. None of - the attacks discovered so far can be implemented given a KDC that - accepts but does not issue 3DES tickets, so we believe that leaving - this functionality in as compatibility for a version or two is - reasonable. Note however that the attacks described do allow - successful attackers to print future tickets, so sites probably - want to rekey important keys after installing this update. Note - also that even if issuance of 3DES v4 tickets has been disabled, - outstanding tickets may be used to perform the 3DES cut-and-paste - attack. - -* Test Cases -============ - -This code is difficult to test for two reasons. First, you need a -cross-realm relationship between two KDCs. Secondly, you need a KDC -that will issue 3DES v4 tickets even though the code with the patch -applied can no longer do this. 
- -I propose to meet these requirements by setting up a cross-realm 3DES -key between a realm I control and the test environment. In order to -provide concrete examples of what I plan to test with the automated -tests, I assume a shared key between a realm PREPATCH.KRBTEST.COM and the -test realm PATCH. - -In all of the following tests I assume the following configuration. -A principal v4test at PREPATCH.KRBTEST.COM exists with known password and -without requiring preauthentication. The PREPATCH.KRBTEST.COM KDC will -issue v4 tickets for this principal. A principal test at PATCH exists -with known password and without requiring preauthentication. A -principal service at PATCH exists. The TGT for the PATCH realm has a -3des and des key. The shared TGT keys between PATCH and -PREPATCH.KRBTEST.COM are identical in both directions (required for v4) and -support both 3DES and DES keys. - -1) Run krb524d and krb5kdc for PATCH with no special options using a - krb5.conf without permitted_enctypes (fully permissive). - - -A) Get v4 tickets as v4test at PREPATCH.KRBTEST.COM. Confirm that kvno -4 -service at PATCH fails with an unknown principal error and logs an error -about cross-realm being denied to the PATCH KDC log. This confirms -that v4 cross-realm is not accepted. - -B) Get v5 tickets as v4test at PREPATCH.KRBTEST.COM. Confirm that krb524init --p service at PATCH fails with a prohibited by policy error, but that -klist -5 includes a ticket for service at PATCH. This confirms that v5 -cross-realm works but the krb524d denies converting such a ticket into -a cross-realm ticket. Note that the krb524init currently in the -mainline source tree will not be useful for this test because the -client denies cross-realm for the simple reason that the v4 ticket -file format is not flexible enough to support it. The krb524init in -the 1.2.x release is useful for this test. - - -2) Restart the krb5kdc and krb524d for PATCH with the -X option - enabling v4 cross-realm. 
- -A) Confirm that the security warning is written to kdc.log. - -B) Get v4 tickets as v4test at PREPATCH.KRBTEST.COM. Confirm that kvno -4 -service at PATCH works and leaves a service at PATCH ticket in the cache. -This confirms that v4 cross-realm works in the KDC. It also confirms -that the KDC can accept 3DES v4 TGTs. The code path for decrypting a -TGT is the same for the local realm and for foreign realms, so I don't -see a need to test local 3DES TGTs in an automated manner although I -did test it manually. - -C) Get v5 tickets as v4test at PREPATCH.KRBTEST.COM. Confirm that krb524init --p service at PATCH works. This confirms that krb524d will issue -cross-realm tickets. They're completely useless because the v4 ticket -file can't represent them, but that's not our problem today. - -3) Start the kdc and krb524d with a krb5.conf that includes - permitted_enctypes only listing des-cbc-crc. Get tickets as - test at PATCH. Restart the KDC and confirm that kvno service fails - logging an error about permitted enctypes. This confirms that if - you manage to obtain a ticket of the wrong enctype it will not be - accepted later. - -These tests do not check to make sure that 3DES tickets are not -issued by the v4 code. I'm fairly certain that is true as I've -physically remove the calls to the routine that generates 3DES tickets -from the code in both the KDC and krb524d. These tests also do not -check to make sure that cross-realm TGTs are not required to follow -the strict enctype policy. I've tested that manually but don't know -how to test that without significantly complicating the test setup. Deleted: trunk/doc/krb425.texinfo =================================================================== --- trunk/doc/krb425.texinfo 2008-12-18 18:31:16 UTC (rev 21544) +++ trunk/doc/krb425.texinfo 2008-12-18 19:28:23 UTC (rev 21545) 
@@ -1,322 +0,0 @@ -\input texinfo @c -*-texinfo-*- - at c Note: the above texinfo file must include the "doubleleftarrow" - at c definitions added by jcb. - at c %**start of header - at c guide - at setfilename krb425.info - at settitle Upgrading to Kerberos V5 from Kerberos V4 - at c @setchapternewpage odd @c chapter begins on next odd page - at c @setchapternewpage on @c chapter begins on next page - at c @smallbook @c Format for 7" X 9.25" paper - at c %**end of header - - at paragraphindent 0 - at iftex - at parskip 6pt plus 6pt - at end iftex - - at dircategory Kerberos - at direntry -* krb425: (krb425). Upgrading to Kerberos V5 from V4 - at end direntry - - at include definitions.texinfo - at set EDITION 1.0 - at set UPDATED May 22, 2003 - - at finalout @c don't print black warning boxes - - at titlepage - at title Upgrading to @value{PRODUCT} from Kerberos V4 - at subtitle Release: @value{RELEASE} - at subtitle Document Edition: @value{EDITION} - at subtitle Last updated: @value{UPDATED} - at author @value{COMPANY} - - at page - at vskip 0pt plus 1filll - - at end titlepage - - at node Top, Copyright, (dir), (dir) - - at ifinfo -This document describes how to convert to @value{PRODUCT} from Kerberos V4. - at end ifinfo - - at menu -* Copyright:: -* Introduction:: -* Configuration Files:: -* Upgrading KDCs:: -* Upgrading Application Servers:: -* Upgrading Client machines:: -* Firewall Considerations:: - at end menu - - at node Copyright, Introduction, Top, Top - at unnumbered Copyright - at include copyright.texinfo - - at node Introduction, Configuration Files, Copyright, Top - at chapter Introduction - -As with most software upgrades, @value{PRODUCT} is generally backward -compatible but not necessarily forward compatible. The @value{PRODUCT} -daemons can interoperate with Kerberos V4 clients, but most of the -Kerberos V4 daemons can not interoperate with Kerberos V5 clients. 
This -suggests the following strategy for performing the upgrade: - - at enumerate - at item - at strong{Upgrade your KDCs.} This must be done first, so that -interactions with the Kerberos database, whether by Kerberos V5 clients -or by Kerberos V4 clients, will succeed. - - at item - at strong{Upgrade your servers.} This must be done before upgrading -client machines, so that the servers are able to respond to both -Kerberos V5 and Kerberos V4 queries. - - at item - at strong{Upgrade your client machines.} Do this only after your KDCs and -application servers are upgraded, so that all of your Kerberos V5 -clients will be talking to Kerberos V5 daemons. - at end enumerate - - at node Configuration Files, Upgrading KDCs, Introduction, Top - at chapter Configuration Files - -The Kerberos @code{krb5.conf} and KDC @code{kdc.conf} configuration -files allow additional tags for Kerberos V4 compatibility. - - at menu -* krb5.conf:: -* kdc.conf:: - at end menu - - at node krb5.conf, kdc.conf, Configuration Files, Configuration Files - at section krb5.conf - -If you used the defaults, both when you installed Kerberos V4 and when -you installed @value{PRODUCT}, you should not need to include any of -these tags. However, some or all of them may be necessary for -nonstandard installations. - - at menu -* libdefaults:: -* realms (krb5.conf):: -* AFS and the Appdefaults Section:: - at end menu - - at node libdefaults, realms (krb5.conf), krb5.conf, krb5.conf - at subsection [libdefaults] - -In the [libdefaults] section, the following additional tags may be used: - - at table @b - at item krb4_srvtab -Specifies the location of the Kerberos V4 srvtab file. Default is - at value{DefaultKrb4Srvtab}. - - at item krb4_config -Specifies the location of the Kerberos V4 configuration file. Default -is @value{DefaultKrb4Config}. - - at item krb4_realms -Specifies the location of the Kerberos V4 domain/realm translation -file. Default is @value{DefaultKrb4Realms}. 
- at end table - - at node realms (krb5.conf), AFS and the Appdefaults Section, libdefaults, krb5.conf - at subsection [realms] - -In the [realms] section, the following Kerberos V4 tags may be used: - at table @b - at itemx default_domain -Identifies the default domain for hosts in this realm. This is needed -for translating V4 principal names (which do not contain a domain name) -to V5 principal names. The default is your Kerberos realm name, -converted to lower case. - - at itemx v4_instance_convert -This subsection allows the administrator to configure exceptions to the -default_domain mapping rule. It contains V4 instances (tag name) which -should be translated to some specific hostname (tag value) as the second -component in a Kerberos V5 principal name. - - at itemx v4_realm -This relation allows the administrator to configure a different -realm name to be used when converting V5 principals to V4 -ones. This should only be used when running separate V4 and V5 -realms, with some external means of password sychronization -between the realms. - - at end table - - at node AFS and the Appdefaults Section, , realms (krb5.conf), krb5.conf - at subsection AFS and the Appdefaults Section - -Many Kerberos 4 sites also run the Andrew File System (AFS). - -Modern AFS servers (OpenAFS > 1.2.8) support the AFS 2b token format. -This allows AFS to use Kerberos 5 tickets rather than version 4 -tickets, enabling cross-realm authentication. By default, the - at file{krb524d} service will issue the new AFS 2b tokens. If you are -using old AFS servers, you will need to disable these new tokens. -Please see the documentation of the @code{appdefaults} section of - at file{krb5.conf} in the Kerberos Administration guide. 
- - - - at node kdc.conf, , krb5.conf, Configuration Files - at section kdc.conf - -Because Kerberos V4 requires a different type of salt for the encryption -type, you will need to change the @code{supported_enctypes} line in the -[realms] section to: - - at smallexample -supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 - at end smallexample - -This is the only change needed to the @code{kdc.conf} file. - - at node Upgrading KDCs, Upgrading Application Servers, Configuration Files, Top - at chapter Upgrading KDCs - -To convert your KDCs from Kerberos V4 to @value{PRODUCT}, do the -following: - - at enumerate - at item -Install @value{PRODUCT} on each KDC, according to the instructions in -the @value{PRODUCT} Installation Guide, up to the point where it tells -you to create the database. - - at item -Find the @code{kadmind} (V4) daemon process on the master KDC and kill -it. This will prevent changes to the Kerberos database while you -convert the database to the new Kerberos V5 format. - - at item -Create a dump of the V4 database in the directory where your V5 database -will reside by issuing the command: - - at smallexample -% kdb_util dump @value{ROOTDIR}/var/krb5kdc/v4-dump - at end smallexample - - at item -Load the V4 dump into a Kerberos V5 database, by issuing the command: - - at smallexample -% kdb5_util load_v4 v4-dump - at end smallexample - - at item -Create a Kerberos V5 stash file, if desired, by issuing the command: - - at smallexample -% kdb5_util stash - at end smallexample - - at item -Proceed with the rest of the @value{PRODUCT} installation as described -in the @value{PRODUCT} Installation Guide. When you get to the section -that tells you to start the @code{krb5kdc} and @code{kadmind} daemons, -first find and kill the Kerberos V4 @code{kerberos} daemon on each of -the KDCs. 
Then start the @code{krb5kdc} and @code{kadmind} daemons as -You will need to specify an argument to the @code{-4} command line option to enable Kerberos 4 compatibility. -See the @code{krb5kdc} man page for details. -directed. Finally, start the Kerberos V5 to V4 ticket translator -daemon, @code{krb524d}, by issuing the command: - - at smallexample -% @value{ROOTDIR}/sbin/krb524d -m > /dev/null & - at end smallexample - -If you have a stash file and you start the @code{krb5kdc} and - at code{kadmind} daemons at boot time, you should add the above line to -your @code{/etc/rc} (or @code{/etc/rc.local}) file on each KDC. - at end enumerate - - at node Upgrading Application Servers, Upgrading Client machines, Upgrading KDCs, Top - at chapter Upgrading Application Servers - -Install @value{PRODUCT} on each application server, according to the -instructions in the @value{PRODUCT} Installation Guide, with the -following exceptions: - - at itemize @bullet - at item -In the file @code{/etc/services}, add or edit the lines described in the - at value{PRODUCT} Installation Guide, with the following exception: - -in place of: - - at smallexample - at group -kerberos @value{DefaultPort}/udp kdc # Kerberos V5 KDC -kerberos @value{DefaultPort}/tcp kdc # Kerberos V5 KDC - at end group - at end smallexample - - at noindent -add instead: - - at smallexample - at group -kerberos-sec @value{DefaultPort}/udp kdc # Kerberos V5 KDC -kerberos-sec @value{DefaultPort}/tcp kdc # Kerberos V5 KDC - at end group - at end smallexample - - at item -Convert your Kerberos V4 srvtab file to Kerberos V5 keytab file as -follows: - - at smallexample - at group - at b{#} @value{ROOTDIR}/sbin/ktutil - at b{ktutil:} rst /etc/krb-srvtab - at b{ktutil:} wkt /etc/krb5.keytab - at b{ktutil:} q - at b{#} - at end group - at end smallexample - at end itemize - - at node Upgrading Client machines, Firewall Considerations, Upgrading Application Servers, Top - at chapter Upgrading Client machines - -Install 
@value{PRODUCT} on each client machine, according to the -instructions in the @value{PRODUCT} Installation Guide. - -Tell your users to add the appropriate directory to their paths. On -UNIX machines, this will probably be @code{@value{BINDIR}}. - -Note that if you upgrade your client machines before all of your -application servers are upgraded, your users will need to use the -Kerberos V4 programs to connect to application servers that are still -running Kerberos V4. (The one exception is the UNIX version of - at value{PRODUCT} telnet, which can connect to a Kerberos V4 and Kerberos -V5 application servers.) Users can use either the Kerberos V4 or - at value{PRODUCT} programs to connect to Kerberos V5 servers. - - at node Firewall Considerations, , Upgrading Client machines, Top - at chapter Firewall Considerations - - at value{PRODUCT} uses port @value{DefaultPort}, which is the port -assigned by the IETF, for KDC requests. Kerberos V4 used port - at value{DefaultSecondPort}. If your users will need to get to any KDCs -outside your firewall, you will need to allow TCP and UDP requests on -port @value{DefaultPort} for your users to get to off-site Kerberos V5 -KDCs, and on port @value{DefaultSecondPort} for your users to get to -off-site Kerberos V4 KDCs. - - at contents - at c second page break makes sure right-left page alignment works right - at c with a one-page toc, even though we don't have setchapternewpage odd. - at c end of texinfo file - at bye From lhoward at MIT.EDU Thu Dec 18 17:55:55 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 18 Dec 2008 17:55:55 -0500 (EST) Subject: svn rev #21546: branches/mskrb-integ/src/kdc/ Message-ID: <200812182255.RAA00829@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21546 Commit By: lhoward Log Message: AD always canonicalizes the client realm in the AS-REQ case Changed Files: U branches/mskrb-integ/src/kdc/do_as_req.c Modified: branches/mskrb-integ/src/kdc/do_as_req.c =================================================================== --- branches/mskrb-integ/src/kdc/do_as_req.c 2008-12-18 19:28:23 UTC (rev 21545) +++ branches/mskrb-integ/src/kdc/do_as_req.c 2008-12-18 22:55:54 UTC (rev 21546) @@ -112,7 +112,7 @@ char *cname = 0, *sname = 0; const char *fromstring = 0; unsigned int c_flags = 0, s_flags = 0; - krb5_principal_data server_princ; + krb5_principal_data server_princ, client_princ; char ktypestr[128]; char rep_etypestr[128]; char fromstringbuf[70]; @@ -133,6 +133,7 @@ session_key.contents = 0; enc_tkt_reply.authorization_data = NULL; memset(&server_princ, 0, sizeof(server_princ)); + memset(&client_princ, 0, sizeof(client_princ)); ktypes2str(ktypestr, sizeof(ktypestr), request->nktypes, request->ktype); @@ -313,9 +314,12 @@ enc_tkt_reply.session = &session_key; if (isflagset(c_flags, KRB5_KDB_FLAG_CANONICALIZE)) - enc_tkt_reply.client = client.princ; + client_princ = *(client.princ); else - enc_tkt_reply.client = request->client; + client_princ = *(request->client); + /* The realm is always canonicalized */ + client_princ.realm = *(krb5_princ_realm(context, client.princ)); + enc_tkt_reply.client = &client_princ; enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS; enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */ From lhoward at MIT.EDU Thu Dec 18 18:14:34 2008 
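Review bot: In the third hunk the override `client_princ.realm = *(krb5_princ_realm(context, client.princ));` runs on both branches, so a client that did not set KDC_OPT_CANONICALIZE still gets a cname whose realm may differ from the one it asked for; a client that checks the reply's crealm against its request (RFC 4120 §3.1.3 asks for that match unless canonicalization was requested) would reject such an AS-REP, which may well be the intended AD-compatible behaviour but is not obvious from the one-line comment. I'd expand it to `/* Match AD: the client realm is always the local realm, even without KDC_OPT_CANONICALIZE; clients that verify crealm strictly will reject this if the request named another realm. */`. Note also that `client_princ` is a shallow copy: its realm (and, on the canonicalize branch, its components) alias the DB entry `client`, so `enc_tkt_reply.client` must be fully encoded before that entry is released on the cleanup path, which is worth a comment at the assignment. The enclosing function starts and ends outside the hunk.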
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 18 Dec 2008 18:14:34 -0500 (EST) Subject: svn rev #21547: branches/mskrb-integ/src/kdc/ Message-ID: <200812182314.SAA01147@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21547 Commit By: lhoward Log Message: remove extraneous initialization Changed Files: U branches/mskrb-integ/src/kdc/do_as_req.c Modified: branches/mskrb-integ/src/kdc/do_as_req.c =================================================================== --- branches/mskrb-integ/src/kdc/do_as_req.c 2008-12-18 22:55:54 UTC (rev 21546) +++ branches/mskrb-integ/src/kdc/do_as_req.c 2008-12-18 23:14:28 UTC (rev 21547) @@ -132,8 +132,6 @@ session_key.contents = 0; enc_tkt_reply.authorization_data = NULL; - memset(&server_princ, 0, sizeof(server_princ)); - memset(&client_princ, 0, sizeof(client_princ)); ktypes2str(ktypestr, sizeof(ktypestr), request->nktypes, request->ktype); From lhoward at MIT.EDU Thu Dec 18 18:49:26 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 18 Dec 2008 18:49:26 -0500 (EST) Subject: svn rev #21548: branches/mskrb-integ/src/kdc/ Message-ID: <200812182349.SAA01658@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21548 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/kdc/do_as_req.c Modified: branches/mskrb-integ/src/kdc/do_as_req.c =================================================================== --- branches/mskrb-integ/src/kdc/do_as_req.c 2008-12-18 23:14:28 UTC (rev 21547) +++ branches/mskrb-integ/src/kdc/do_as_req.c 2008-12-18 23:49:24 UTC (rev 21548) 
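Review bot: Dropping the `memset(&server_princ, ...)` and `memset(&client_princ, ...)` is only safe if no path between these declarations and the wholesale assignments (`server_princ = *(server.princ)` / `client_princ = *(client.princ)` in the earlier commit) reads either struct; the error exits that precede those assignments are outside this hunk, so confirm none of them passes `&server_princ` or `&client_princ` to the error-reply or logging code. If one does, the uninitialised `krb5_principal_data` would carry stack garbage into an encode or free call rather than a harmless empty principal. A short invariant comment at the declaration, `/* assigned wholesale before first use; never read on the early error exits */`, would make the reasoning behind the removal visible to the next reader.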
@@ -286,12 +286,13 @@ * still be issued a ticket granting ticket. */ if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE) && - !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) + !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) { server_princ = *(server.princ); - else + } else { server_princ = *(request->server); - /* The realm is always canonicalized */ - server_princ.realm = *(krb5_princ_realm(context, server.princ)); + /* The realm is always canonicalized */ + server_princ.realm = *(krb5_princ_realm(context, server.princ)); + } ticket_reply.server = &server_princ; enc_tkt_reply.flags = 0; @@ -311,12 +312,13 @@ setflag(enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE); enc_tkt_reply.session = &session_key; - if (isflagset(c_flags, KRB5_KDB_FLAG_CANONICALIZE)) + if (isflagset(c_flags, KRB5_KDB_FLAG_CANONICALIZE)) { client_princ = *(client.princ); - else + } else { client_princ = *(request->client); - /* The realm is always canonicalized */ - client_princ.realm = *(krb5_princ_realm(context, client.princ)); + /* The realm is always canonicalized */ + client_princ.realm = *(krb5_princ_realm(context, client.princ)); + } enc_tkt_reply.client = &client_princ; enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS; enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */ From lhoward at MIT.EDU Thu Dec 18 20:39:45 2008 
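Review bot: After the brace restructuring, the comment `/* The realm is always canonicalized */` sits inside the else branch of both hunks, where it reads as if the realm were canonicalized only when the client did not request canonicalization; the if branch needs no substitution because the whole principal is already canonical, which is why the assignment moved. Suggested wording for the client case: `/* Client did not request canonicalization: keep the requested name but use the canonical realm, since the realm is always canonicalized. */`, with the server analogue at the first hunk. The enclosing function starts and ends outside the hunks.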
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 18 Dec 2008 20:39:45 -0500 (EST) Subject: svn rev #21549: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812190139.UAA03085@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21549 Commit By: lhoward Log Message: Fix a bunch of warnings Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/disp_status.c U branches/mskrb-integ/src/lib/gssapi/krb5/export_name.c U branches/mskrb-integ/src/lib/gssapi/krb5/export_sec_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h U branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.hin U branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5seal.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5unseal.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c U branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/ser_sctx.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c 2008-12-18 23:49:24 UTC (rev 21548) +++ branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c 2008-12-19 01:39:42 UTC (rev 21549) @@ -350,7 +350,7 @@ krb5_keyblock **seq) { krb5_error_code code; - int i; + unsigned int i; switch(subkey->enctype) { case ENCTYPE_DES_CBC_MD5: @@ -410,7 +410,7 @@ krb5_context context; unsigned char *ptr, *ptr2; char *sptr; - long tmp; + OM_uint32 tmp; size_t md5len; int bigend; krb5_gss_cred_id_t cred = 0; 
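Review bot: Changing `tmp` from `long` to `OM_uint32` at the -410 hunk silently changes the meaning of any later `tmp < 0` comparison (now dead code) and of any subtraction from the bytes remaining in the token (now wraps instead of going negative); if, as the neighbouring `ptr`/`ptr2` declarations suggest, tmp receives lengths read from the incoming token, each such read needs an explicit upper-bound check against the remaining length. The uses of tmp are outside the hunk, so this should be verified rather than assumed. The same applies to `unsigned int i` at -350 if the loop there ever relies on going below zero.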
@@ -570,7 +570,7 @@ if ((code = krb5_auth_con_init(context, &auth_context))) { major_status = GSS_S_FAILURE; - save_error_info(code, context); + save_error_info((OM_uint32)code, context); goto fail; } if (cred->rcache) { @@ -950,7 +950,7 @@ krb5_free_ticket(context, ticket); /* Done with ticket */ { - krb5_ui_4 seq_temp; + krb5_int32 seq_temp; krb5_auth_con_getremoteseqnumber(context, auth_context, &seq_temp); ctx->seq_recv = seq_temp; } @@ -981,7 +981,7 @@ if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) { unsigned char * ptr3; - krb5_ui_4 seq_temp; + krb5_int32 seq_temp; int cfx_generate_subkey; if (ctx->proto == 1 || (ctx->gss_flags & GSS_C_DCE_STYLE)) Modified: branches/mskrb-integ/src/lib/gssapi/krb5/disp_status.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/disp_status.c 2008-12-18 23:49:24 UTC (rev 21548) +++ branches/mskrb-integ/src/lib/gssapi/krb5/disp_status.c 2008-12-19 01:39:42 UTC (rev 21549) @@ -46,7 +46,7 @@ char *get_error_message(OM_uint32 minor_code) { gsserrmap *p = k5_getspecific(K5_KEY_GSS_KRB5_ERROR_MESSAGE); - char *msg = 0; + char *msg = NULL; #ifdef DEBUG fprintf(stderr, "%s(%lu, p=%p)", __func__, (unsigned long) minor_code, (void *) p); @@ -61,7 +61,7 @@ } } if (msg == 0) - msg = error_message(minor_code); + msg = (char *)error_message((krb5_error_code)minor_code); #ifdef DEBUG fprintf(stderr, " -> %p/%s\n", (void *) msg, msg); #endif @@ -134,7 +134,7 @@ fprintf(stderr, "%s(%lu, ctx=%p)\n", __func__, (unsigned long) minor_code, (void *)ctx); #endif - s = krb5_get_error_message(ctx, minor_code); + s = (char *)krb5_get_error_message(ctx, (krb5_error_code)minor_code); #ifdef DEBUG fprintf(stderr, "%s(%lu, ctx=%p) saving: %s\n", __func__, (unsigned long) minor_code, (void *)ctx, s); 
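Review bot: At the -950 and -981 hunks `seq_temp` becomes `krb5_int32` and is then assigned to `ctx->seq_recv`; if seq_recv is a wider unsigned type (the `(gssint_uint64)seqnum` cast elsewhere in this commit suggests so), a sequence number with the high bit set now sign-extends to a 64-bit value instead of staying a 32-bit one, which would make later sequence checks against the peer fail. Keep the narrowing explicit in both places: `ctx->seq_recv = (krb5_ui_4)seq_temp;`. In disp_status.c, `msg = (char *)error_message(...)` and `s = (char *)krb5_get_error_message(...)` cast away const; that is harmless while the strings are only read and handed to krb5_free_error_message, but declaring the locals `const char *` would remove the need for the casts. The enclosing functions start outside the hunks.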
@@ -142,7 +142,7 @@ save_error_string(minor_code, s); /* The get_error_message call above resets the error message in ctx. Put it back, in case we make this call again *sigh*. */ - krb5_set_error_message(ctx, minor_code, "%s", s); + krb5_set_error_message(ctx, (krb5_error_code)minor_code, "%s", s); krb5_free_error_message(ctx, s); } void krb5_gss_delete_error_info(void *p) Modified: branches/mskrb-integ/src/lib/gssapi/krb5/export_name.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/export_name.c 2008-12-18 23:49:24 UTC (rev 21548) +++ branches/mskrb-integ/src/lib/gssapi/krb5/export_name.c 2008-12-19 01:39:42 UTC (rev 21549) @@ -35,7 +35,8 @@ krb5_context context; krb5_error_code code; size_t length; - char *str, *cp; + char *str; + unsigned char *cp; if (minor_status) *minor_status = 0; @@ -61,7 +62,7 @@ &str))) { if (minor_status) *minor_status = code; - save_error_info(code, context); + save_error_info((OM_uint32)code, context); krb5_free_context(context); return(GSS_S_FAILURE); } Modified: branches/mskrb-integ/src/lib/gssapi/krb5/export_sec_context.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/export_sec_context.c 2008-12-18 23:49:24 UTC (rev 21548) +++ branches/mskrb-integ/src/lib/gssapi/krb5/export_sec_context.c 2008-12-19 01:39:42 UTC (rev 21549) @@ -95,7 +95,7 @@ error_out: if (retval != GSS_S_COMPLETE) if (kret != 0 && context != 0) - save_error_info(kret, context); + save_error_info((OM_uint32)kret, context); if (obuffer && bufsize) { memset(obuffer, 0, bufsize); xfree(obuffer); Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2008-12-18 23:49:24 UTC (rev 21548) +++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2008-12-19 01:39:42 UTC (rev 21549) 
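Review bot: The pre-existing `memset(obuffer, 0, bufsize); xfree(obuffer);` in the error path of the -95 hunk (context lines) is the pattern a compiler may drop as a dead store, and the buffer being cleared is a serialized security context; if the tree has a secure-clear helper, use it there, otherwise record the limitation with `/* NOTE: plain memset before free may be optimized away; use a secure-clear helper if available. */`. The cast-only changes in the same hunks are fine. The enclosing functions start outside the hunks.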
@@ -889,6 +889,8 @@ OM_uint32 krb5int_gss_use_kdc_context(OM_uint32 *, const gss_OID, const gss_OID, gss_buffer_t); +krb5_error_code krb5_gss_use_kdc_context(void); + #define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH 9 #define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID "\x2b\x06\x01\x04\x01\xa9\x4a\x13\x09" Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.hin =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.hin 2008-12-18 23:49:24 UTC (rev 21548) +++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.hin 2008-12-19 01:39:42 UTC (rev 21549) @@ -268,10 +268,10 @@ OM_uint32 KRB5_CALLCONV -gsskrb5_extract_authz_data_set_from_sec_context(OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - int ad_type, - gss_buffer_t ad_data); +gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + int ad_type, + gss_buffer_t ad_data); OM_uint32 KRB5_CALLCONV gss_krb5_set_cred_rcache(OM_uint32 *minor_status, Modified: branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c 2008-12-18 23:49:24 UTC (rev 21548) +++ branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c 2008-12-19 01:39:42 UTC (rev 21549) @@ -483,7 +483,7 @@ krb5_context context) { krb5_error_code code; - int i; + size_t i; if (ctx->proto > 0) { return GSS_S_COMPLETE; /* CFX handles acceptor_subkey directly */ 
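Review bot: The -268 hunk renames a prototype in the installed public header from `gsskrb5_extract_authz_data_set_from_sec_context` to `gsskrb5_extract_authz_data_from_sec_context` with no corresponding change visible to the definition or the library export list; if the definition already carried the new name this repairs a stale declaration, but otherwise programs built against the old header lose the symbol, so the matching .c file and the exports list should be checked with this commit. The new `krb5_gss_use_kdc_context(void)` declaration at -889 has no comment saying what it does or what its return value means, which the public `krb5int_gss_use_kdc_context` just above it also lacks; a one-line contract comment on each would help callers.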
@@ -859,7 +859,7 @@ if (code) goto fail; if (krb_error->error) - code = krb_error->error + ERROR_TABLE_BASE_krb5; + code = (krb5_error_code)krb_error->error + ERROR_TABLE_BASE_krb5; else code = 0; krb5_free_error(context, krb_error); Modified: branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c 2008-12-18 23:49:24 UTC (rev 21548) +++ branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c 2008-12-19 01:39:42 UTC (rev 21549) @@ -254,7 +254,8 @@ { OM_uint32 major_status; krb5_gss_ctx_id_rec *ctx; - int ad_type = 0, i; + int ad_type = 0; + size_t i; unsigned char *cp; *data_set = GSS_C_NO_BUFFER_SET; Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5seal.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5seal.c 2008-12-18 23:49:24 UTC (rev 21548) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5seal.c 2008-12-19 01:39:42 UTC (rev 21549) @@ -79,7 +79,7 @@ * we plan to write out to the token. * tlen is the length of the token * including header. */ - unsigned conflen=0, tmsglen, tlen, msglen; + unsigned int conflen=0, tmsglen, tlen, msglen; unsigned char *t, *ptr; unsigned char *plain; unsigned char pad; @@ -246,8 +246,8 @@ /* create the seq_num */ - if ((code = kg_make_seq_num(context, seq, direction?0:0xff, *seqnum, - ptr+14, ptr+6))) { + if ((code = kg_make_seq_num(context, seq, direction?0:0xff, + (krb5_ui_4)*seqnum, ptr+14, ptr+6))) { xfree (plain); xfree(t); return(code); Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3.c 2008-12-18 23:49:24 UTC (rev 21548) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3.c 2008-12-19 01:39:42 UTC (rev 21549) 
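Review bot: `code = (krb5_error_code)krb_error->error + ERROR_TABLE_BASE_krb5;` at the -859 hunk takes `error` straight from the peer's KRB-ERROR message and turns it into a com_err code without checking that it lies within the krb5 error table; the cast fixes the warning, but an out-of-range or negative value still produces a minor status that maps to nothing. A bound such as `if (krb_error->error < 0 || krb_error->error >= <krb5-error-table-size>) code = KRB5KRB_ERR_GENERIC; else code = (krb5_error_code)krb_error->error + ERROR_TABLE_BASE_krb5;` keeps the reported error inside the table (placeholder for the table-size constant to be taken from the error table header). The enclosing function starts outside the hunk.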
@@ -159,7 +159,7 @@ memset(plain.data + message->length, 'x', ec); memcpy(plain.data + message->length + ec, outbuf, 16); - cipher.ciphertext.data = outbuf + 16; + cipher.ciphertext.data = (char *)outbuf + 16; cipher.ciphertext.length = bufsize - 16; cipher.enctype = key->enctype; err = krb5_c_encrypt(context, key, key_usage, 0, &plain, &cipher); @@ -339,7 +339,7 @@ return GSS_S_DEFECTIVE_TOKEN; } if ((ptr[2] & FLAG_SENDER_IS_ACCEPTOR) != acceptor_flag) { - *minor_status = G_BAD_DIRECTION; + *minor_status = (OM_uint32)G_BAD_DIRECTION; return GSS_S_BAD_SIG; } @@ -390,7 +390,7 @@ be larger than the plaintext size. */ cipher.enctype = key->enctype; cipher.ciphertext.length = bodysize - 16; - cipher.ciphertext.data = ptr + 16; + cipher.ciphertext.data = (char *)ptr + 16; plain.length = bodysize - 16; plain.data = malloc(plain.length); if (plain.data == NULL) @@ -404,7 +404,7 @@ /* Don't use bodysize here! Use the fact that cipher.ciphertext.length has been adjusted to the correct length. */ - althdr = plain.data + plain.length - 16; + althdr = (unsigned char *)plain.data + plain.length - 16; if (load_16_be(althdr) != KG2_TOK_WRAP_MSG || althdr[2] != ptr[2] || althdr[3] != ptr[3] @@ -433,7 +433,7 @@ store_16_be(0, ptr+4); store_16_be(0, ptr+6); plain.length = bodysize-ec; - plain.data = ptr; + plain.data = (char *)ptr; if (!gss_krb5int_rotate_left(ptr, bodysize-ec, 16)) goto no_mem; sum.length = ec; @@ -500,7 +500,7 @@ } else if (toktype == KG_TOK_DEL_CTX) { if (load_16_be(ptr) != KG2_TOK_DEL_CTX) goto defective; - message_buffer = &empty_message; + message_buffer = (gss_buffer_t)&empty_message; goto verify_mic_1; } else { goto defective; Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5unseal.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5unseal.c 2008-12-18 23:49:24 UTC (rev 21548) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5unseal.c 2008-12-19 01:39:42 UTC (rev 21549) 
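Review bot: `cipher.ciphertext.length = bodysize - 16;` at the -390 hunk and `plain.length - 16` at -404 are unsigned subtractions on a length derived from the incoming token; they are only safe if a `bodysize < 16` rejection precedes them, and that check is outside the hunk. If it is absent, a short token wraps the length and the following `malloc(plain.length)` and decrypt operate on a bogus size, so confirm the guard or add `if (bodysize < 16) goto defective;` before the first subtraction. `message_buffer = (gss_buffer_t)&empty_message;` at -500 casts away const; that is acceptable only if nothing downstream writes through message_buffer, which cannot be seen here.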
@@ -165,7 +165,7 @@ /* decode the message, if SEAL */ if (toktype == KG_TOK_SEAL_MSG) { - int tmsglen = bodysize-(14+cksum_len); + size_t tmsglen = bodysize-(14+cksum_len); if (sealalg != 0xffff) { if ((plain = (unsigned char *) xmalloc(tmsglen)) == NULL) { *minor_status = ENOMEM; @@ -463,11 +463,11 @@ message_buffer->value = NULL; message_buffer->length = 0; } - *minor_status = G_BAD_DIRECTION; + *minor_status = (OM_uint32)G_BAD_DIRECTION; return(GSS_S_BAD_SIG); } - retval = g_order_check(&(ctx->seqstate), seqnum); + retval = g_order_check(&(ctx->seqstate), (gssint_uint64)seqnum); /* success or ordering violation */ Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-18 23:49:24 UTC (rev 21548) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-19 01:39:42 UTC (rev 21549) @@ -378,7 +378,7 @@ if (ctx->proto == 0) code = kg_unseal_v1_iov(context, minor_status, ctx, iov, iov_count, - (ptr - (unsigned char *)header->buffer.value), + (size_t)(ptr - (unsigned char *)header->buffer.value), conf_state, qop_state, toktype); else code = gss_krb5int_unseal_v3_iov(context, minor_status, ctx, iov, iov_count, @@ -436,7 +436,7 @@ goto cleanup; } - tiov = (gss_iov_buffer_desc *)calloc(iov_count + 2, sizeof(gss_iov_buffer_desc)); + tiov = (gss_iov_buffer_desc *)calloc((size_t)iov_count + 2, sizeof(gss_iov_buffer_desc)); if (tiov == NULL) { code = ENOMEM; goto cleanup; Modified: branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2008-12-18 23:49:24 UTC (rev 21548) +++ branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2008-12-19 01:39:42 UTC (rev 21549) 
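Review bot: `size_t tmsglen = bodysize-(14+cksum_len);` at the -165 hunk now wraps to a huge value instead of going negative when the token body is shorter than 14+cksum_len, and `xmalloc(tmsglen)` then fails with ENOMEM rather than the token being reported as malformed; unless a minimum-length check on bodysize sits above the hunk, add `if (bodysize < 14 + cksum_len) { *minor_status = 0; return(GSS_S_DEFECTIVE_TOKEN); }` before it. In k5unsealiov.c the `(size_t)iov_count + 2` cast at -436 turns a negative iov_count into a near-SIZE_MAX count; calloc will refuse it, but an explicit `iov_count < 0` rejection (if the caller does not already do it) gives a clearer error. The enclosing functions start outside the hunks.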
@@ -94,14 +94,14 @@ } }; -OM_uint32 +static OM_uint32 krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, const gss_ctx_id_t context_handle, const gss_OID desired_object, gss_buffer_set_t *data_set) { krb5_gss_ctx_id_rec *ctx; - int i; + size_t i; if (minor_status == NULL) return GSS_S_CALL_INACCESSIBLE_WRITE; @@ -148,7 +148,7 @@ } krb5_gss_inquire_cred_by_oid_ops[] = { }; -OM_uint32 +static OM_uint32 krb5_gss_inquire_cred_by_oid(OM_uint32 *minor_status, const gss_cred_id_t cred_handle, const gss_OID desired_object, @@ -156,7 +156,7 @@ { OM_uint32 major_status = GSS_S_FAILURE; krb5_gss_cred_id_t cred; - int i; + size_t i; if (minor_status == NULL) return GSS_S_CALL_INACCESSIBLE_WRITE; @@ -171,7 +171,7 @@ *data_set = GSS_C_NO_BUFFER_SET; if (cred_handle == GSS_C_NO_CREDENTIAL) { - *minor_status = KRB5_NOCREDS_SUPPLIED; + *minor_status = (OM_uint32)KRB5_NOCREDS_SUPPLIED; return GSS_S_NO_CRED; } @@ -205,13 +205,13 @@ } krb5_gss_set_sec_context_option_ops[] = { }; -OM_uint32 +static OM_uint32 krb5_gss_set_sec_context_option (OM_uint32 *minor_status, gss_ctx_id_t *context_handle, const gss_OID desired_object, const gss_buffer_t value) { - int i; + size_t i; if (minor_status == NULL) return GSS_S_CALL_INACCESSIBLE_WRITE; @@ -272,14 +272,14 @@ } }; -OM_uint32 +static OM_uint32 krb5_gssspi_set_cred_option(OM_uint32 *minor_status, gss_cred_id_t cred_handle, const gss_OID desired_object, const gss_buffer_t value) { OM_uint32 major_status = GSS_S_FAILURE; - int i; + size_t i; if (minor_status == NULL) return GSS_S_CALL_INACCESSIBLE_WRITE; @@ -287,7 +287,7 @@ *minor_status = 0; if (cred_handle == GSS_C_NO_CREDENTIAL) { - *minor_status = KRB5_NOCREDS_SUPPLIED; + *minor_status = (OM_uint32)KRB5_NOCREDS_SUPPLIED; return GSS_S_NO_CRED; } 
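Review bot: Making `krb5_gss_inquire_sec_context_by_oid`, `krb5_gss_inquire_cred_by_oid`, `krb5_gss_set_sec_context_option` and `krb5_gssspi_set_cred_option` `static` is only correct if nothing outside this translation unit references them; the mechanism function table and any prototypes in gssapiP_krb5.h are outside the hunks, and a leftover non-static prototype would now conflict with these definitions. The `size_t i` loops are fine provided each compares against the element count of its `*_ops[]` table and never counts downward; the loop bodies are outside the hunks.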
@@ -338,13 +338,13 @@ } }; -OM_uint32 +static OM_uint32 krb5_gssspi_mech_invoke (OM_uint32 *minor_status, const gss_OID desired_mech, const gss_OID desired_object, gss_buffer_t value) { - int i; + size_t i; if (minor_status == NULL) return GSS_S_CALL_INACCESSIBLE_WRITE; Modified: branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c 2008-12-18 23:49:24 UTC (rev 21548) +++ branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c 2008-12-19 01:39:42 UTC (rev 21549) @@ -72,7 +72,8 @@ krb5_gss_ctx_id_t ctx = (krb5_gss_ctx_id_t)context_handle; void *lctx = NULL; unsigned char *cp; - int version, i; + unsigned int version = 0; + size_t i; gss_buffer_desc rep; /* Assume failure */ Modified: branches/mskrb-integ/src/lib/gssapi/krb5/ser_sctx.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/ser_sctx.c 2008-12-18 23:49:24 UTC (rev 21548) +++ branches/mskrb-integ/src/lib/gssapi/krb5/ser_sctx.c 2008-12-19 01:39:42 UTC (rev 21549) @@ -99,7 +99,7 @@ return EINVAL; } oid->length = ibuf; - oid->elements = malloc(ibuf); + oid->elements = malloc((size_t)ibuf); if (oid->elements == 0) { free(oid); return ENOMEM; @@ -570,8 +570,8 @@ ctx->krb_times.renew_till = (krb5_timestamp) ibuf; (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); ctx->krb_flags = (krb5_flags) ibuf; - (void) (*kaccess.krb5_ser_unpack_int64)(&ctx->seq_send, &bp, &remain); - kret = (*kaccess.krb5_ser_unpack_int64)(&ctx->seq_recv, &bp, &remain); + (void) (*kaccess.krb5_ser_unpack_int64)((krb5_int64 *)&ctx->seq_send, &bp, &remain); + kret = (*kaccess.krb5_ser_unpack_int64)((krb5_int64 *)&ctx->seq_recv, &bp, &remain); if (kret) { free(ctx); return kret; From lhoward at MIT.EDU Thu Dec 18 20:49:22 2008 
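Review bot: `(krb5_int64 *)&ctx->seq_send` at the -570 hunk silences the warning by casting between pointer types rather than converting the value; unless seq_send and seq_recv are exactly 64-bit integers with the same representation as krb5_int64, that is an aliasing problem, not a fix. Unpack into a local and assign instead: `krb5_int64 seq; (void)(*kaccess.krb5_ser_unpack_int64)(&seq, &bp, &remain); ctx->seq_send = (gssint_uint64)seq;` and likewise for seq_recv, keeping the error return from the second call. At -99, `malloc((size_t)ibuf)` is reached with `ibuf` read from the serialized context, so a negative value becomes a huge request; the `return EINVAL;` visible just above the hunk suggests a length check exists — confirm it rejects negative values so corrupt input is reported as EINVAL rather than ENOMEM.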
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 18 Dec 2008 20:49:22 -0500 (EST) Subject: svn rev #21550: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812190149.UAA03265@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21550 Commit By: lhoward Log Message: fix some warnings Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_acquire_cred.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_compare_name.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_glue.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_imp_name_object.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_inq_cred_oid.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_wrap_iov.c U branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_acquire_cred.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_acquire_cred.c 2008-12-19 01:39:42 UTC (rev 21549) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_acquire_cred.c 2008-12-19 01:49:20 UTC (rev 21550) @@ -397,6 +397,8 @@ else if (cred_usage == GSS_C_BOTH) time_req = (acceptor_time_req > initiator_time_req) ? acceptor_time_req : initiator_time_req; + else + time_req = 0; status = mech->gss_acquire_cred(minor_status, internal_name, time_req, Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_compare_name.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_compare_name.c 2008-12-19 01:39:42 UTC (rev 21549) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_compare_name.c 2008-12-19 01:49:20 UTC (rev 21550) 
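Review bot: The new `else time_req = 0;` turns an unrecognized `cred_usage` into a request for the default lifetime instead of an error; if the argument-validation helper at the top of the function (outside the hunk) does not already reject values other than GSS_C_INITIATE, GSS_C_ACCEPT and GSS_C_BOTH, returning GSS_S_FAILURE here would be safer. If it does, say so next to the zero: `/* unreachable for validated cred_usage; 0 = default lifetime */`. The enclosing function starts outside the hunk.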
@@ -72,7 +72,7 @@ { OM_uint32 major_status, temp_minor; gss_union_name_t union_name1, union_name2; - gss_mechanism mech; + gss_mechanism mech = NULL; gss_name_t internal_name; major_status = val_comp_name_args(minor_status, @@ -114,6 +114,10 @@ if ((union_name1->mech_name == 0) || (union_name2->mech_name == 0)) /* should never happen */ return (GSS_S_BAD_NAME); + if (!mech) + return (GSS_S_BAD_MECH); + if (!mech->gss_compare_name) + return (GSS_S_UNAVAILABLE); major_status = mech->gss_compare_name(minor_status, union_name1->mech_name, union_name2->mech_name, @@ -190,6 +194,10 @@ if (major_status != GSS_S_COMPLETE) return (GSS_S_COMPLETE); /* return complete, but not equal */ + if (!mech) + return (GSS_S_BAD_MECH); + if (!mech->gss_compare_name) + return (GSS_S_UNAVAILABLE); major_status = mech->gss_compare_name(minor_status, union_name1->mech_name, internal_name, name_equal); Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_glue.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_glue.c 2008-12-19 01:39:42 UTC (rev 21549) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_glue.c 2008-12-19 01:49:20 UTC (rev 21550) @@ -51,7 +51,7 @@ /* p points to the beginning of the buffer */ unsigned char *p = *buf; int length, new_length; - int octets; + unsigned int octets; if (buf_len < 1) return (-1); Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_imp_name_object.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_imp_name_object.c 2008-12-19 01:39:42 UTC (rev 21549) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_imp_name_object.c 2008-12-19 01:49:20 UTC (rev 21550) 
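Review bot: The two early returns added at the -190 hunk come after `internal_name` has been produced (presumably by importing the second name into the first name's mechanism — the `major_status != GSS_S_COMPLETE` check on that result is visible, the import itself is not), so returning GSS_S_BAD_MECH or GSS_S_UNAVAILABLE there leaks the imported name; release it with a temporary minor status before returning, or move the two checks ahead of the import. The identical checks at -114 are fine since nothing has been allocated at that point. In g_glue.c, `unsigned int octets` now mixes with the `int length, new_length` arithmetic beside it; the decoding loop is outside the hunk, so confirm it still bounds `octets` against `buf_len` with an unsigned comparison. The enclosing functions start outside the hunks.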
@@ -74,7 +74,7 @@ gss_name_t internal_name = GSS_C_NO_NAME; OM_uint32 tmp, major_status = GSS_S_FAILURE; gss_OID_set mechlist = GSS_C_NO_OID_SET; - int i; + size_t i; major_status = val_imp_name_object_args(minor_status, input_name, Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c 2008-12-19 01:39:42 UTC (rev 21549) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c 2008-12-19 01:49:20 UTC (rev 21550) @@ -313,7 +313,7 @@ build_mechSet(void) { gss_mech_info mList; - int i; + size_t i; size_t count; gss_OID curItem; Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_inq_cred_oid.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_inq_cred_oid.c 2008-12-19 01:39:42 UTC (rev 21549) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_inq_cred_oid.c 2008-12-19 01:49:20 UTC (rev 21550) @@ -39,7 +39,7 @@ gss_buffer_set_t *dst, const gss_buffer_set_t src) { - int i; + size_t i; OM_uint32 status; if (src == GSS_C_NO_BUFFER_SET) Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c 2008-12-19 01:39:42 UTC (rev 21549) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c 2008-12-19 01:49:20 UTC (rev 21550) @@ -98,7 +98,7 @@ assert(mech->gss_wrap_iov_length); status = mech->gss_wrap_iov_length(minor_status, context_handle, - conf_req_flag, qop_req, + conf_req_flag, (gss_qop_t)qop_req, NULL, iov, sizeof(iov)/sizeof(iov[0])); if (status != GSS_S_COMPLETE) { 
@@ -132,7 +132,7 @@ iov[3].buffer.value = (unsigned char *)output_message_buffer->value + offset; status = mech->gss_wrap_iov(minor_status, context_handle, - conf_req_flag, qop_req, conf_state, + conf_req_flag, (gss_qop_t)qop_req, conf_state, iov, sizeof(iov)/sizeof(iov[0])); if (status != GSS_S_COMPLETE) { OM_uint32 minor; Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_wrap_iov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_wrap_iov.c 2008-12-19 01:39:42 UTC (rev 21549) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_wrap_iov.c 2008-12-19 01:49:20 UTC (rev 21550) @@ -184,7 +184,7 @@ int iov_count; { OM_uint32 status = GSS_S_COMPLETE; - size_t i; + int i; if (minor_status) *minor_status = 0; Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h 2008-12-19 01:39:42 UTC (rev 21549) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h 2008-12-19 01:49:20 UTC (rev 21550) @@ -104,6 +104,8 @@ /* it to initialize the GSSAPI library */ int gssint_mechglue_initialize_library(void); +OM_uint32 gssint_get_mech_type_oid(gss_OID OID, gss_buffer_t token); + /* * This is the definition of the mechs_array struct, which is used to * define the mechs array table. This table is used to indirectly From lhoward at MIT.EDU Thu Dec 18 20:50:25 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 18 Dec 2008 20:50:25 -0500 (EST) Subject: svn rev #21551: branches/mskrb-integ/src/lib/gssapi/spnego/ Message-ID: <200812190150.UAA03354@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21551 Commit By: lhoward Log Message: fix some warnings Changed Files: U branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c Modified: branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c 2008-12-19 01:49:20 UTC (rev 21550) +++ branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c 2008-12-19 01:50:24 UTC (rev 21551) @@ -3250,7 +3250,7 @@ unsigned char *ptr = *buf; int ret = -1; /* pessimists, assume failure ! */ unsigned int encoded_len; - int tmplen = 0; + unsigned int tmplen = 0; *outlen = 0; if (buflen > 1 && *ptr == tag) { From lhoward at MIT.EDU Fri Dec 19 09:45:10 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 19 Dec 2008 09:45:10 -0500 (EST) Subject: svn rev #21552: branches/mskrb-integ/src/kdc/ Message-ID: <200812191445.JAA15914@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21552 Commit By: lhoward Log Message: don't return TGS referrals if canonicalize flag unset Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c U branches/mskrb-integ/src/kdc/kdc_util.c U branches/mskrb-integ/src/kdc/kdc_util.h Modified: branches/mskrb-integ/src/kdc/do_tgs_req.c =================================================================== --- branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-19 01:50:24 UTC (rev 21551) +++ branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-19 14:45:08 UTC (rev 21552) 
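Review bot: With `tmplen` now `unsigned int` at the -3250 hunk, this length parser (it runs on an incoming token, `*ptr == tag`) can no longer detect a negative intermediate, so any remaining `tmplen < 0` comparison in the body below is dead code and every bound must be an upper-bound check against the bytes left in `buflen`. The function body continues outside the hunk, so that needs to be verified there; a comment such as `/* tmplen is unsigned: bound it against buflen, a < 0 check is meaningless */` at the declaration would keep the next reader from reintroducing a signed check.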
@@ -195,18 +195,9 @@ nprincs = 1; if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) { setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE); + setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE); } - /* - * TGS-REP canonicalization matches Windows 2003 rather - * than Windows 2000. This means that we should indicate - * to the backend to always return referrals by setting - * KDB_FLAG_CANONICALIZE, and we should also always - * return the requested SPN in the reply regardless of - * whether KDC_OPT_CANONICALIZE was set or not. - */ - setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE); - errcode = krb5_db_get_principal_ext(kdc_context, request->server, s_flags, @@ -265,7 +256,8 @@ if (!is_local_principal(header_enc_tkt->client)) setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM); - is_referral = is_tgs_referral(kdc_context, request, &server); + is_referral = isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE) && + krb5_is_tgs_principal(server.princ); /* Check for protocol transition */ errcode = kdc_process_s4u2self_req(kdc_context, request, header_enc_tkt->client, @@ -300,11 +292,11 @@ * Get the key for the second ticket, and decrypt it. */ if ((errcode = kdc_get_server_key(request->second_ticket[st_idx], - c_flags, - &st_client, - &st_nprincs, - &st_sealing_key, - &st_srv_kvno))) { + c_flags, + &st_client, + &st_nprincs, + &st_sealing_key, + &st_srv_kvno))) { status = "2ND_TKT_SERVER"; goto cleanup; } Modified: branches/mskrb-integ/src/kdc/kdc_util.c =================================================================== --- branches/mskrb-integ/src/kdc/kdc_util.c 2008-12-19 01:50:24 UTC (rev 21551) +++ branches/mskrb-integ/src/kdc/kdc_util.c 2008-12-19 14:45:08 UTC (rev 21552) @@ -439,7 +439,7 @@ } retval = krb5_dbe_find_enctype(kdc_context, server, ticket->enc_part.enctype, -1, - ticket->enc_part.kvno, &server_key); + (krb5_int32)ticket->enc_part.kvno, &server_key); if (retval) goto errout; if (!server_key) { 
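Review bot: `(krb5_int32)ticket->enc_part.kvno` at the -439 hunk narrows a kvno taken from the presented ticket; on the wire it is an unsigned 32-bit value, so 0xFFFFFFFF becomes -1, and if krb5_dbe_find_enctype treats a negative kvno as a wildcard (the `-1` passed for the neighbouring argument suggests that convention) a crafted ticket could steer key selection rather than being rejected. Reject out-of-range values before the cast: `if (ticket->enc_part.kvno > INT32_MAX) { retval = <bad-key-version error code>; goto errout; }` (placeholder for whichever error the enclosing function reports for a bad kvno). The enclosing function starts outside the hunk.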
@@ -739,7 +739,7 @@ /* Note that the second test here is an unsigned comparison, so the first half (or a cast) is also required. */ - assert(nlst < 0 || nlst < sizeof(next)); + assert(nlst < 0 || nlst < (int)sizeof(next)); if ((nlst < 0 || next[nlst] != '.') && (next[0] != '/') && (pl = subrealm(exp, realm))) { @@ -1119,7 +1119,7 @@ lastlevel = tag; if (levels == level) { /* in our context-dependent class, is this the one we're looking for ? */ - if (tag == field) { + if (tag == (int)field) { /* return length and data */ astream++; savelen = *astream; @@ -2224,20 +2224,3 @@ return 0; } -krb5_boolean -is_tgs_referral(krb5_context context, - krb5_kdc_req *request, - krb5_db_entry *server) -{ - krb5_tl_data tl_data; - - tl_data.tl_data_type = KRB5_TL_SVR_REFERRAL_DATA; - tl_data.tl_data_contents = NULL; - - if (krb5_dbe_lookup_tl_data(context, server, &tl_data) == 0 && - tl_data.tl_data_length != 0) { - return TRUE; - } - - return FALSE; -} Modified: branches/mskrb-integ/src/kdc/kdc_util.h =================================================================== --- branches/mskrb-integ/src/kdc/kdc_util.h 2008-12-19 01:50:24 UTC (rev 21551) +++ branches/mskrb-integ/src/kdc/kdc_util.h 2008-12-19 14:45:08 UTC (rev 21552) @@ -266,11 +266,6 @@ krb5_db_entry *server, krb5_db_entry *krbtgt); -krb5_boolean -is_tgs_referral(krb5_context context, - krb5_kdc_req *request, - krb5_db_entry *server); - #define isflagset(flagfield, flag) (flagfield & (flag)) #define setflag(flagfield, flag) (flagfield |= (flag)) #define clear(flagfield, flag) (flagfield &= ~(flag)) From epeisach at MIT.EDU Fri Dec 19 12:14:17 2008 
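Review bot: `assert(nlst < 0 || nlst < (int)sizeof(next));` at the -739 hunk is the only bound visible on `nlst` before `next[nlst]` is indexed, and the comment above it says the check is required; as an assert it disappears under NDEBUG, which would turn an over-long realm component in the transited field into an out-of-bounds read. Make it a real check, `if (nlst >= (int)sizeof(next)) return <malformed-transited error code>;` (placeholder for the error the enclosing function uses for bad input), and keep the assert as documentation if desired. The `(int)field` cast at -1119 is fine only if `field` cannot exceed INT_MAX; its origin is outside the hunk.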
From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Fri, 19 Dec 2008 12:14:17 -0500 (EST) Subject: svn rev #21553: trunk/src/lib/krb5/krb/ Message-ID: <200812191714.MAA18027@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21553 Commit By: epeisach Log Message: Signed/unsigned fix. The function is called with a sizeof - so unsigned is fine. Changed Files: U trunk/src/lib/krb5/krb/chk_trans.c Modified: trunk/src/lib/krb5/krb/chk_trans.c =================================================================== --- trunk/src/lib/krb5/krb/chk_trans.c 2008-12-19 14:45:08 UTC (rev 21552) +++ trunk/src/lib/krb5/krb/chk_trans.c 2008-12-19 17:14:16 UTC (rev 21553) @@ -137,7 +137,7 @@ } static krb5_error_code -maybe_join (krb5_data *last, krb5_data *buf, int bufsiz) +maybe_join (krb5_data *last, krb5_data *buf, unsigned int bufsiz) { if (buf->length == 0) return 0; From lhoward at MIT.EDU Fri Dec 19 20:51:21 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 19 Dec 2008 20:51:21 -0500 (EST) Subject: svn rev #21554: branches/mskrb-integ/src/kdc/ Message-ID: <200812200151.UAA21973@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21554 Commit By: lhoward Log Message: back out r21552 for now pending some answers regarding Windows referral behaviour. The comment from the Novell patch (which was presumably based on my research) suggests that Windows 2003 always returns referrals regardless of the setting of the canonicalize flag. As Windows XP clients do not appear to set the canonicalize flag in TGS-REQs, I'm concerned about breaking cross-forest authentication by changing this. If it turns out we need this behaviour then Novell can change their backend to implicitly set KRB5_KDB_FLAG_CANONICALIZE if KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is unset. I can't empirically test this behaviour against Windows 2003 as I only have 2008 setup now, and it appears to have yet again different behaviour (which I also have some outstanding questions on). Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c Modified: branches/mskrb-integ/src/kdc/do_tgs_req.c =================================================================== --- branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-19 17:14:16 UTC (rev 21553) +++ branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-20 01:51:19 UTC (rev 21554) 
@@ -195,9 +195,18 @@ nprincs = 1; if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) { setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE); - setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE); } + /* + * TGS-REP canonicalization matches Windows 2003 rather + * than Windows 2000. This means that we should indicate + * to the backend to always return referrals by setting + * KDB_FLAG_CANONICALIZE, and we should also always + * return the requested SPN in the reply regardless of + * whether KDC_OPT_CANONICALIZE was set or not. + */ + setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE); + errcode = krb5_db_get_principal_ext(kdc_context, request->server, s_flags, @@ -256,8 +265,8 @@ if (!is_local_principal(header_enc_tkt->client)) setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM); - is_referral = isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE) && - krb5_is_tgs_principal(server.princ); + is_referral = krb5_is_tgs_principal(server.princ) && + !krb5_principal_compare(kdc_context, tgs_server, server.princ); /* Check for protocol transition */ errcode = kdc_process_s4u2self_req(kdc_context, request, header_enc_tkt->client, From lhoward at MIT.EDU Fri Dec 19 21:11:59 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 19 Dec 2008 21:11:59 -0500 (EST) Subject: svn rev #21555: branches/mskrb-integ/src/kdc/ Message-ID: <200812200211.VAA22109@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21555 Commit By: lhoward Log Message: OK, back out r21552, we should never return referrals if canonicalize flag was unset. If the backend wants to violate this it should do it itself. Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c Modified: branches/mskrb-integ/src/kdc/do_tgs_req.c =================================================================== --- branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-20 01:51:19 UTC (rev 21554) +++ branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-20 02:11:58 UTC (rev 21555) 
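Review bot: In the second hunk `is_referral` no longer depends on whether the client asked for canonicalization (the old test on `s_flags` carried KDC_OPT_CANONICALIZE through), so a TGS-REQ without that option can now be answered with a referral whenever the looked-up server is a TGS principal other than `tgs_server`; the log message itself calls the Windows 2003 behaviour this models unverified, so that assumption belongs next to the assignment, e.g. `/* Referral irrespective of KDC_OPT_CANONICALIZE; models observed Windows 2003 behaviour, not yet confirmed. */`. In the first hunk the new comment names `KDB_FLAG_CANONICALIZE`, while the flag set on the next line is `KRB5_KDB_FLAG_CANONICALIZE`. Both hunks lie inside a function whose start and end are outside the diff.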
@@ -195,18 +195,9 @@ nprincs = 1; if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) { setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE); + setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE); } - /* - * TGS-REP canonicalization matches Windows 2003 rather - * than Windows 2000. This means that we should indicate - * to the backend to always return referrals by setting - * KDB_FLAG_CANONICALIZE, and we should also always - * return the requested SPN in the reply regardless of - * whether KDC_OPT_CANONICALIZE was set or not. - */ - setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE); - errcode = krb5_db_get_principal_ext(kdc_context, request->server, s_flags, From lhoward at MIT.EDU Sun Dec 21 00:04:50 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sun, 21 Dec 2008 00:04:50 -0500 (EST) Subject: svn rev #21556: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812210504.AAA09766@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21556 Commit By: lhoward Log Message: If a mechanism does not implement gss_seal/gss_unseal, then layer mechglue shims on top of gss_wrap_aead/gss_unwrap_aead first, then gss_wrap_iov/gss_unwrap_iov. This allows a mechanism to implement gss_wrap_aead and not gss_seal/gss_wrap_iov, as well as consolidating the shim code. Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_unseal.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_unwrap_aead.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_wrap_aead.c U branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c 2008-12-20 02:11:58 UTC (rev 21555) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c 2008-12-21 05:04:47 UTC (rev 21556) 
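Review bot: Only the `setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE)` hunk at line 195 is restored here; the `is_referral` rewrite that r21554 made further down (`krb5_is_tgs_principal(server.princ) && !krb5_principal_compare(kdc_context, tgs_server, server.princ)`) is not visible in this diff, so if a full back-out was intended that expression still stands and `is_referral` remains independent of the canonicalize flag. Worth confirming the residual form is deliberate and saying so in the log message either way.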
@@ -66,84 +66,6 @@ return (GSS_S_COMPLETE); } -static OM_uint32 -gssint_seal_iov_shim(gss_mechanism mech, - OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - int conf_req_flag, - int qop_req, - gss_buffer_t input_message_buffer, - int *conf_state, - gss_buffer_t output_message_buffer) -{ - gss_iov_buffer_desc iov[4]; - OM_uint32 status; - size_t offset; - - iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER; - iov[0].buffer.value = NULL; - iov[0].buffer.length = 0; - - iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; - iov[1].buffer = *input_message_buffer; - - iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING; - iov[2].buffer.value = NULL; - iov[2].buffer.length = 0; - - iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER; - iov[3].buffer.value = NULL; - iov[3].buffer.length = 0; - - assert(mech->gss_wrap_iov_length); - - status = mech->gss_wrap_iov_length(minor_status, context_handle, - conf_req_flag, (gss_qop_t)qop_req, - NULL, iov, - sizeof(iov)/sizeof(iov[0])); - if (status != GSS_S_COMPLETE) { - map_error(minor_status, mech); - return status; - } - - output_message_buffer->length = iov[0].buffer.length + - iov[1].buffer.length + - iov[2].buffer.length + - iov[3].buffer.length; - output_message_buffer->value = malloc(output_message_buffer->length); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - offset = 0; - - iov[0].buffer.value = (unsigned char *)output_message_buffer->value + offset; - offset += iov[0].buffer.length; - - iov[1].buffer.value = (unsigned char *)output_message_buffer->value + offset; - offset += iov[1].buffer.length; - - memcpy(iov[1].buffer.value, input_message_buffer->value, iov[1].buffer.length); - - iov[2].buffer.value = (unsigned char *)output_message_buffer->value + offset; - offset += iov[2].buffer.length; - - iov[3].buffer.value = (unsigned char *)output_message_buffer->value + offset; - - status = mech->gss_wrap_iov(minor_status, context_handle, - conf_req_flag, (gss_qop_t)qop_req, conf_state, - iov, 
sizeof(iov)/sizeof(iov[0])); - if (status != GSS_S_COMPLETE) { - OM_uint32 minor; - - map_error(minor_status, mech); - gss_release_buffer(&minor, output_message_buffer); - } - - return status; -} - OM_uint32 KRB5_CALLCONV gss_seal (minor_status, context_handle, @@ -194,18 +116,20 @@ output_message_buffer); if (status != GSS_S_COMPLETE) map_error(minor_status, mech); - } else if (mech->gss_wrap_iov && mech->gss_wrap_iov_length) { - status = gssint_seal_iov_shim(mech, - minor_status, - ctx->internal_ctx_id, - conf_req_flag, - qop_req, - input_message_buffer, - conf_state, - output_message_buffer); + } else if (mech->gss_wrap_aead || + (mech->gss_wrap_iov && mech->gss_wrap_iov_length)) { + status = gssint_wrap_aead(mech, + minor_status, + ctx, + conf_req_flag, + (gss_qop_t)qop_req, + GSS_C_NO_BUFFER, + input_message_buffer, + conf_state, + output_message_buffer); } else status = GSS_S_UNAVAILABLE; - + return(status); } /* EXPORT DELETE END */ Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_unseal.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_unseal.c 2008-12-20 02:11:58 UTC (rev 21555) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_unseal.c 2008-12-21 05:04:47 UTC (rev 21556) 
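Review bot: The new `else if` condition in gss_seal duplicates the dispatch that `gssint_wrap_aead` performs itself (it returns GSS_S_UNAVAILABLE when neither `gss_wrap_aead` nor the `gss_wrap_iov`/`gss_wrap_iov_length` pair is present), so the branch can become a plain `} else` calling `gssint_wrap_aead` with the trailing `status = GSS_S_UNAVAILABLE;` dropped; keeping two copies of the test invites drift. The same duplication is in the g_unseal.c hunk at line 126 (`mech->gss_unwrap_aead || mech->gss_unwrap_iov`). gss_seal's body starts outside this hunk.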
@@ -28,43 +28,6 @@ #include "mglueP.h" -static OM_uint32 -gssint_unseal_iov_shim(gss_mechanism mech, - OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int *conf_state, - gss_qop_t *qop_state) -{ - OM_uint32 status; - gss_iov_buffer_desc iov[2]; - - iov[0].type = GSS_IOV_BUFFER_TYPE_STREAM; - iov[0].buffer = *input_message_buffer; - - iov[1].type = GSS_IOV_BUFFER_TYPE_DATA | GSS_IOV_BUFFER_FLAG_ALLOCATE; - iov[1].buffer.value = NULL; - iov[1].buffer.length = 0; - - assert(mech->gss_unwrap_iov); - - status = mech->gss_unwrap_iov(minor_status, context_handle, conf_state, - qop_state, iov, sizeof(iov)/sizeof(iov[0])); - if (status == GSS_S_COMPLETE) - *output_message_buffer = iov[1].buffer; - else { - OM_uint32 tmp; - - map_error(minor_status, mech); - - if (iov[1].type & GSS_IOV_BUFFER_FLAG_ALLOCATED) - gss_release_buffer(&tmp, &iov[1].buffer); - } - - return status; -} - OM_uint32 KRB5_CALLCONV gss_unseal (minor_status, context_handle, @@ -112,7 +75,6 @@ * select the approprate underlying mechanism routine and * call it. */ - ctx = (gss_union_ctx_id_t) context_handle; mech = gssint_get_mechanism (ctx->mech_type); 
@@ -126,14 +88,15 @@ qop_state); if (status != GSS_S_COMPLETE) map_error(minor_status, mech); - } else if (mech->gss_unwrap_iov) { - status = gssint_unseal_iov_shim(mech, - minor_status, - ctx->internal_ctx_id, - input_message_buffer, - output_message_buffer, - conf_state, - (gss_qop_t *)qop_state); + } else if (mech->gss_unwrap_aead || mech->gss_unwrap_iov) { + status = gssint_unwrap_aead(mech, + minor_status, + ctx, + input_message_buffer, + GSS_C_NO_BUFFER, + output_message_buffer, + conf_state, + (gss_qop_t *)qop_state); } else status = GSS_S_UNAVAILABLE; Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_unwrap_aead.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_unwrap_aead.c 2008-12-20 02:11:58 UTC (rev 21555) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_unwrap_aead.c 2008-12-21 05:04:47 UTC (rev 21556) @@ -62,14 +62,14 @@ } static OM_uint32 -gssint_wrap_aead_iov_shim(gss_mechanism mech, - OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t input_message_buffer, - gss_buffer_t input_assoc_buffer, - gss_buffer_t output_payload_buffer, - int *conf_state, - gss_qop_t *qop_state) +gssint_unwrap_aead_iov_shim(gss_mechanism mech, + OM_uint32 *minor_status, + gss_ctx_id_t context_handle, + gss_buffer_t input_message_buffer, + gss_buffer_t input_assoc_buffer, + gss_buffer_t output_payload_buffer, + int *conf_state, + gss_qop_t *qop_state) { OM_uint32 status; gss_iov_buffer_desc iov[3]; @@ -85,7 +85,7 @@ i++; } - iov[i].type = GSS_IOV_BUFFER_TYPE_DATA; + iov[i].type = GSS_IOV_BUFFER_TYPE_DATA | GSS_IOV_BUFFER_FLAG_ALLOCATE; iov[i].buffer.value = NULL; iov[i].buffer.length = 0; i++; 
@@ -94,14 +94,65 @@ status = mech->gss_unwrap_iov(minor_status, context_handle, conf_state, qop_state, iov, i); - if (status != GSS_S_COMPLETE) + if (status == GSS_S_COMPLETE) { + *output_payload_buffer = iov[i - 1].buffer; + } else { + OM_uint32 minor; + map_error(minor_status, mech); - *output_payload_buffer = iov[i - 1].buffer; + if (iov[i - 1].type & GSS_IOV_BUFFER_FLAG_ALLOCATED) { + gss_release_buffer(&minor, &iov[i - 1].buffer); + iov[i - 1].type &= ~(GSS_IOV_BUFFER_FLAG_ALLOCATED); + } + } return status; } +OM_uint32 +gssint_unwrap_aead (gss_mechanism mech, + OM_uint32 *minor_status, + gss_union_ctx_id_t ctx, + gss_buffer_t input_message_buffer, + gss_buffer_t input_assoc_buffer, + gss_buffer_t output_payload_buffer, + int *conf_state, + gss_qop_t *qop_state) +{ + OM_uint32 status; + + assert(mech != NULL); + assert(ctx != NULL); + + /* EXPORT DELETE START */ + + if (mech->gss_unwrap_aead) { + status = mech->gss_unwrap_aead(minor_status, + ctx->internal_ctx_id, + input_message_buffer, + input_assoc_buffer, + output_payload_buffer, + conf_state, + qop_state); + if (status != GSS_S_COMPLETE) + map_error(minor_status, mech); + } else if (mech->gss_unwrap_iov) { + status = gssint_unwrap_aead_iov_shim(mech, + minor_status, + ctx->internal_ctx_id, + input_message_buffer, + input_assoc_buffer, + output_payload_buffer, + conf_state, + qop_state); + } else + status = GSS_S_UNAVAILABLE; + /* EXPORT DELETE END */ + + return (status); +} + OM_uint32 KRB5_CALLCONV gss_unwrap_aead (minor_status, context_handle, @@ -118,7 +169,6 @@ int *conf_state; gss_qop_t *qop_state; { - /* EXPORT DELETE START */ OM_uint32 status; gss_union_ctx_id_t ctx; 
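Review bot: In the error path of the iov shim, `iov[i - 1].type &= ~(GSS_IOV_BUFFER_FLAG_ALLOCATED);` has no effect — `iov` is a local array that goes out of scope at the following `return status;` — so the line can be dropped. The release there uses mechglue's `gss_release_buffer` on memory the mechanism allocated under GSS_IOV_BUFFER_FLAG_ALLOCATE, and on success the same buffer reaches the application through `*output_payload_buffer`; that is only correct if mechanisms must allocate such buffers with the allocator mechglue frees with, which deserves a comment on the shim, e.g. `/* FLAG_ALLOCATE buffers must be malloc()ed by the mech: they are freed via gss_release_buffer() here and by the caller. */`.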
@@ -135,38 +185,14 @@ * select the approprate underlying mechanism routine and * call it. */ - ctx = (gss_union_ctx_id_t) context_handle; mech = gssint_get_mechanism (ctx->mech_type); - if (mech) { - if (mech->gss_unwrap_aead) { - status = mech->gss_unwrap_aead( - minor_status, - ctx->internal_ctx_id, - input_message_buffer, - input_assoc_buffer, - output_payload_buffer, - conf_state, - qop_state); - if (status != GSS_S_COMPLETE) - map_error(minor_status, mech); - } else if (mech->gss_unwrap_iov) { - status = gssint_wrap_aead_iov_shim(mech, - minor_status, - ctx->internal_ctx_id, - input_message_buffer, - input_assoc_buffer, - output_payload_buffer, - conf_state, - qop_state); - } else - status = GSS_S_UNAVAILABLE; - - return(status); - } - /* EXPORT DELETE END */ - - return (GSS_S_BAD_MECH); + if (!mech) + return (GSS_S_BAD_MECH); + + return gssint_unwrap_aead(mech, minor_status, context_handle, + input_message_buffer, input_assoc_buffer, + output_payload_buffer, conf_state, qop_state); } Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_wrap_aead.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_wrap_aead.c 2008-12-20 02:11:58 UTC (rev 21555) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_wrap_aead.c 2008-12-21 05:04:47 UTC (rev 21556) 
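Review bot: `gssint_unwrap_aead` is declared with a `gss_union_ctx_id_t` parameter, but the new call passes the raw `context_handle` (a `gss_ctx_id_t`); the converted `ctx` computed two lines above is the right argument and avoids an incompatible-pointer-type warning, i.e. `return gssint_unwrap_aead(mech, minor_status, ctx,`. The same mismatch appears in the g_wrap_aead.c hunk at line 211, where `gssint_wrap_aead(mech, minor_status, context_handle, ...)` should likewise pass `ctx`.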
@@ -176,6 +176,52 @@ return status; } +OM_uint32 +gssint_wrap_aead (gss_mechanism mech, + OM_uint32 *minor_status, + gss_union_ctx_id_t ctx, + int conf_req_flag, + gss_qop_t qop_req, + gss_buffer_t input_assoc_buffer, + gss_buffer_t input_payload_buffer, + int *conf_state, + gss_buffer_t output_message_buffer) +{ + /* EXPORT DELETE START */ + OM_uint32 status; + + assert(ctx != NULL); + assert(mech != NULL); + + if (mech->gss_wrap_aead) { + status = mech->gss_wrap_aead(minor_status, + ctx->internal_ctx_id, + conf_req_flag, + qop_req, + input_assoc_buffer, + input_payload_buffer, + conf_state, + output_message_buffer); + if (status != GSS_S_COMPLETE) + map_error(minor_status, mech); + } else if (mech->gss_wrap_iov && mech->gss_wrap_iov_length) { + status = gssint_wrap_aead_iov_shim(mech, + minor_status, + ctx->internal_ctx_id, + conf_req_flag, + qop_req, + input_assoc_buffer, + input_payload_buffer, + conf_state, + output_message_buffer); + } else + status = GSS_S_UNAVAILABLE; + + /* EXPORT DELETE END */ + + return status; +} + OM_uint32 KRB5_CALLCONV gss_wrap_aead (minor_status, context_handle, @@ -194,11 +240,9 @@ int * conf_state; gss_buffer_t output_message_buffer; { - /* EXPORT DELETE START */ - OM_uint32 status; + gss_mechanism mech; gss_union_ctx_id_t ctx; - gss_mechanism mech; status = val_wrap_aead_args(minor_status, context_handle, conf_req_flag, qop_req, 
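Review bot: In the new `gssint_wrap_aead`, `OM_uint32 status;` is declared after `/* EXPORT DELETE START */` while `return status;` sits after `/* EXPORT DELETE END */`, so an export-stripped build would reference an undeclared variable; the sibling `gssint_unwrap_aead` in g_unwrap_aead.c declares `status` before the marker, and this function should do the same. The prototype added to mglueP.h comments the fifth parameter as `/* qop_req_flag */` whereas this definition names it `qop_req`; the comment should match.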
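Review bot: The second hunk removes `OM_uint32 status;` from gss_wrap_aead, yet the context line `status = val_wrap_aead_args(...)` still assigns to it, so unless `status` is declared somewhere in this function outside the hunk the file no longer compiles. The matching g_unwrap_aead.c hunk at line 118 drops only the `/* EXPORT DELETE START */` marker and keeps its `OM_uint32 status;`, so the intended edit here is presumably the same: remove the marker line alone and retain `OM_uint32 status;`. gss_wrap_aead's body continues past the hunk.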
@@ -211,40 +255,13 @@ * select the approprate underlying mechanism routine and * call it. */ - - ctx = (gss_union_ctx_id_t) context_handle; + ctx = (gss_union_ctx_id_t)context_handle; mech = gssint_get_mechanism (ctx->mech_type); - - if (mech) { - if (mech->gss_wrap_aead) { - status = mech->gss_wrap_aead( - minor_status, - ctx->internal_ctx_id, - conf_req_flag, - qop_req, - input_assoc_buffer, - input_payload_buffer, - conf_state, - output_message_buffer); - if (status != GSS_S_COMPLETE) - map_error(minor_status, mech); - } else if (mech->gss_wrap_iov && mech->gss_wrap_iov_length) { - status = gssint_wrap_aead_iov_shim(mech, - minor_status, - ctx->internal_ctx_id, - conf_req_flag, - qop_req, - input_assoc_buffer, - input_payload_buffer, - conf_state, - output_message_buffer); - } else - status = GSS_S_UNAVAILABLE; - - return(status); - } - /* EXPORT DELETE END */ - - return (GSS_S_BAD_MECH); -} + if (!mech) + return (GSS_S_BAD_MECH); + return gssint_wrap_aead(mech, minor_status, context_handle, + conf_req_flag, qop_req, + input_assoc_buffer, input_payload_buffer, + conf_state, output_message_buffer); +} Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h 2008-12-20 02:11:58 UTC (rev 21555) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h 2008-12-21 05:04:47 UTC (rev 21556) 
@@ -630,6 +630,27 @@ unsigned int /* max_len */ ); +OM_uint32 +gssint_wrap_aead (gss_mechanism, /* mech */ + OM_uint32 *, /* minor_status */ + gss_union_ctx_id_t, /* ctx */ + int, /* conf_req_flag */ + gss_qop_t, /* qop_req_flag */ + gss_buffer_t, /* input_assoc_buffer */ + gss_buffer_t, /* input_payload_buffer */ + int *, /* conf_state */ + gss_buffer_t); /* output_message_buffer */ +OM_uint32 +gssint_unwrap_aead (gss_mechanism, /* mech */ + OM_uint32 *, /* minor_status */ + gss_union_ctx_id_t, /* ctx */ + gss_buffer_t, /* input_message_buffer */ + gss_buffer_t, /* input_assoc_buffer */ + gss_buffer_t, /* output_payload_buffer */ + int *, /* conf_state */ + gss_qop_t *); /* qop_state */ + + /* Use this to map an error code that was returned from a mech operation; the mech will be asked to produce the associated error messages. From lhoward at MIT.EDU Sun Dec 21 00:31:40 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sun, 21 Dec 2008 00:31:40 -0500 (EST) Subject: svn rev #21557: branches/mskrb-integ/src/ include/krb5/ lib/krb5/ lib/krb5/krb/ Message-ID: <200812210531.AAA10155@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21557 Commit By: lhoward Log Message: Replace krb5_{en,de}code_ad_if_relevant with more general purpose krb5_{en,de}code_authdata_container APIs Changed Files: U branches/mskrb-integ/src/include/krb5/krb5.hin U branches/mskrb-integ/src/lib/krb5/krb/copy_auth.c U branches/mskrb-integ/src/lib/krb5/libkrb5.exports Modified: branches/mskrb-integ/src/include/krb5/krb5.hin =================================================================== --- branches/mskrb-integ/src/include/krb5/krb5.hin 2008-12-21 05:04:47 UTC (rev 21556) +++ branches/mskrb-integ/src/include/krb5/krb5.hin 2008-12-21 05:31:38 UTC (rev 21557) 
@@ -891,13 +891,6 @@ #define LR_TYPE_INTERPRETATION_MASK 0x7fff -/* definitions for ad_type fields. */ -#define AD_TYPE_EXTERNAL 0x4000 -#define AD_TYPE_REGISTERED 0x2000 - -#define AD_TYPE_FIELD_TYPE_MASK 0x1fff -#define AD_TYPE_INTERNAL_MASK 0x3fff - /* definitions for msec direction bit for KRB_SAFE, KRB_PRIV */ #define MSEC_DIRBIT 0x8000 #define MSEC_VAL_MASK 0x7fff @@ -2507,11 +2500,13 @@ krb5_clear_error_message (krb5_context); krb5_error_code KRB5_CALLCONV -krb5_decode_ad_if_relevant(krb5_context context, +krb5_decode_authdata_container(krb5_context context, + krb5_authdatatype type, const krb5_authdata *if_relevant, krb5_authdata ***authdata); krb5_error_code KRB5_CALLCONV -krb5_encode_ad_if_relevant(krb5_context context, +krb5_encode_authdata_container(krb5_context context, + krb5_authdatatype type, krb5_authdata * const*authdata, krb5_authdata ***if_relevant_p); Modified: branches/mskrb-integ/src/lib/krb5/krb/copy_auth.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/copy_auth.c 2008-12-21 05:04:47 UTC (rev 21556) +++ branches/mskrb-integ/src/lib/krb5/krb/copy_auth.c 2008-12-21 05:31:38 UTC (rev 21557) @@ -109,18 +109,21 @@ } krb5_error_code KRB5_CALLCONV -krb5_decode_ad_if_relevant(krb5_context context, const krb5_authdata *if_relevant, krb5_authdata ***authdata) +krb5_decode_authdata_container(krb5_context context, + krb5_authdatatype type, + const krb5_authdata *container, + krb5_authdata ***authdata) { krb5_error_code code; krb5_data data; *authdata = NULL; - if (if_relevant->ad_type != KRB5_AUTHDATA_IF_RELEVANT) + if ((container->ad_type & AD_TYPE_FIELD_TYPE_MASK) != type) return EINVAL; - data.length = if_relevant->length; - data.data = (char *)if_relevant->contents; + data.length = container->length; + data.data = (char *)container->contents; code = decode_krb5_authdata(&data, authdata); if (code) 
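Review bot: In the copy_auth.c decode hunk the masked `container->ad_type` is compared against the unmasked `type`, while the encoder in the next hunk stores `type & AD_TYPE_FIELD_TYPE_MASK`; a caller passing a type with the AD_TYPE_EXTERNAL or AD_TYPE_REGISTERED bits set would therefore encode successfully but never decode. Masking both sides, `if ((container->ad_type & AD_TYPE_FIELD_TYPE_MASK) != (type & AD_TYPE_FIELD_TYPE_MASK))`, keeps the pair symmetric. This commit also deletes `AD_TYPE_FIELD_TYPE_MASK` and its siblings from the public krb5.hin while copy_auth.c uses that macro, so it must already be defined in an internal header or copy_auth.c stops building; and renaming the two exported functions in libkrb5.exports is an ABI change that existing callers of `krb5_{en,de}code_ad_if_relevant` will need to follow.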
@@ -130,27 +133,30 @@ } krb5_error_code KRB5_CALLCONV -krb5_encode_ad_if_relevant(krb5_context context, krb5_authdata *const*authdata, krb5_authdata ***if_relevant_p) +krb5_encode_authdata_container(krb5_context context, + krb5_authdatatype type, + krb5_authdata *const*authdata, + krb5_authdata ***container) { krb5_error_code code; krb5_data *data; krb5_authdata ad_datum; krb5_authdata *ad_data[2]; - *if_relevant_p = NULL; + *container = NULL; code = encode_krb5_authdata((krb5_authdata * const *)authdata, &data); if (code) return code; - ad_datum.ad_type = KRB5_AUTHDATA_IF_RELEVANT; + ad_datum.ad_type = type & AD_TYPE_FIELD_TYPE_MASK;; ad_datum.length = data->length; ad_datum.contents = (unsigned char *)data->data; ad_data[0] = &ad_datum; ad_data[1] = NULL; - code = krb5_copy_authdata(context, ad_data, if_relevant_p); + code = krb5_copy_authdata(context, ad_data, container); krb5_free_data(context, data); Modified: branches/mskrb-integ/src/lib/krb5/libkrb5.exports =================================================================== --- branches/mskrb-integ/src/lib/krb5/libkrb5.exports 2008-12-21 05:04:47 UTC (rev 21556) +++ branches/mskrb-integ/src/lib/krb5/libkrb5.exports 2008-12-21 05:31:38 UTC (rev 21557) @@ -173,7 +173,7 @@ krb5_copy_ticket krb5_create_secure_file krb5_crypto_us_timeofday -krb5_decode_ad_if_relevant +krb5_decode_authdata_container krb5_decode_kdc_rep krb5_decode_ticket krb5_decrypt_tkt_part @@ -182,7 +182,7 @@ krb5_defkeyname krb5_deltat_to_string krb5_do_preauth -krb5_encode_ad_if_relevant +krb5_encode_authdata_container krb5_encode_kdc_rep krb5_encrypt_helper krb5_encrypt_tkt_part From lhoward at MIT.EDU Sun Dec 21 00:57:46 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sun, 21 Dec 2008 00:57:46 -0500 (EST) Subject: svn rev #21558: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812210557.AAA10520@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21558 Commit By: lhoward Log Message: Fix incorrect ordering of acceptor_key_cksumtype and cred_rcache in kg_ctx_internalize() Serialize/deserialize context (ticket) authorization data Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/ser_sctx.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/ser_sctx.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/ser_sctx.c 2008-12-21 05:31:38 UTC (rev 21557) +++ branches/mskrb-integ/src/lib/gssapi/krb5/ser_sctx.c 2008-12-21 05:57:45 UTC (rev 21558) @@ -278,11 +278,13 @@ * ... for acceptor_subkey * krb5_int32 for acceptor_key_cksumtype * krb5_int32 for cred_rcache + * krb5_int32 for number of elements in authdata array + * ... for authdata array * krb5_int32 for trailer. */ kret = EINVAL; if ((ctx = (krb5_gss_ctx_id_rec *) arg)) { - required = 17*sizeof(krb5_int32); + required = 18*sizeof(krb5_int32); required += 2*sizeof(krb5_int64); required += sizeof(ctx->seed); @@ -340,6 +342,16 @@ KV5M_KEYBLOCK, (krb5_pointer) ctx->acceptor_subkey, &required); + if (!kret && ctx->authdata) { + krb5_int32 i; + + for (i = 0; !kret && ctx->authdata[i]; i++) { + kret = krb5_size_opaque(kcontext, + KV5M_AUTHDATA, + (krb5_pointer)ctx->authdata[i], + &required); + } + } if (!kret) *sizep += required; } 
@@ -486,6 +498,25 @@ if (!kret) kret = krb5_ser_pack_int32((krb5_int32) ctx->cred_rcache, &bp, &remain); + if (!kret) { + int i = 0; + + if (ctx->authdata) { + for (; ctx->authdata[i]; i++) + ; + } + /* authdata count */ + kret = krb5_ser_pack_int32(i, &bp, &remain); + if (!kret && ctx->authdata) { + /* authdata */ + for (i = 0; !kret && ctx->authdata[i]; i++) + kret = krb5_externalize_opaque(kcontext, + KV5M_AUTHDATA, + ctx->authdata[i], + &bp, + &remain); + } + } /* trailer */ if (!kret) kret = krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain); @@ -662,11 +693,31 @@ } if (!kret) kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->acceptor_subkey_cksumtype = ibuf; + if (!kret) + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); ctx->cred_rcache = ibuf; + /* authdata */ if (!kret) kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->acceptor_subkey_cksumtype = ibuf; + if (!kret) { + krb5_int32 nadata = ibuf, i; + if (nadata > 0) { + ctx->authdata = (krb5_authdata **)calloc((size_t)nadata + 1, + sizeof(krb5_authdata *)); + if (ctx->authdata == NULL) { + kret = ENOMEM; + } else { + for (i = 0; !kret && i < nadata; i++) + kret = krb5_internalize_opaque(kcontext, + KV5M_AUTHDATA, + (krb5_pointer *)&ctx->authdata[i], + &bp, + &remain); + } + } + } /* Get trailer */ if (!kret) kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); From lhoward at MIT.EDU Sun Dec 21 00:59:04 2008 
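Review bot: In the internalize hunk `nadata` is taken straight from the serialized stream and handed to `calloc((size_t)nadata + 1, ...)` before a single element is read, so a corrupt or untrusted exported context with a large count causes a multi-gigabyte allocation attempt; bounding it against the bytes actually left, e.g. inside the `nadata > 0` branch `if ((size_t)nadata > remain / sizeof(krb5_int32)) kret = EINVAL;` before the calloc, fails fast instead. If `krb5_internalize_opaque` fails part-way through the loop, `ctx->authdata` is left holding a partially filled array that the error path outside this hunk must free — worth confirming the context destructor walks it.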
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sun, 21 Dec 2008 00:59:04 -0500 (EST) Subject: svn rev #21559: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812210559.AAA10601@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21559 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/ser_sctx.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/ser_sctx.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/ser_sctx.c 2008-12-21 05:57:45 UTC (rev 21558) +++ branches/mskrb-integ/src/lib/gssapi/krb5/ser_sctx.c 2008-12-21 05:59:03 UTC (rev 21559) @@ -499,7 +499,7 @@ kret = krb5_ser_pack_int32((krb5_int32) ctx->cred_rcache, &bp, &remain); if (!kret) { - int i = 0; + krb5_int32 i = 0; if (ctx->authdata) { for (; ctx->authdata[i]; i++) From lhoward at MIT.EDU Sun Dec 21 17:32:36 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sun, 21 Dec 2008 17:32:36 -0500 (EST) Subject: svn rev #21560: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812212232.RAA00402@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21560 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/copy_auth.c Modified: branches/mskrb-integ/src/lib/krb5/krb/copy_auth.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/copy_auth.c 2008-12-21 05:59:03 UTC (rev 21559) +++ branches/mskrb-integ/src/lib/krb5/krb/copy_auth.c 2008-12-21 22:32:36 UTC (rev 21560) @@ -149,7 +149,7 @@ if (code) return code; - ad_datum.ad_type = type & AD_TYPE_FIELD_TYPE_MASK;; + ad_datum.ad_type = type & AD_TYPE_FIELD_TYPE_MASK; ad_datum.length = data->length; ad_datum.contents = (unsigned char *)data->data; From lhoward at MIT.EDU Sun Dec 21 17:57:29 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sun, 21 Dec 2008 17:57:29 -0500 (EST) Subject: svn rev #21561: branches/mskrb-integ/src/lib/gssapi/spnego/ Message-ID: <200812212257.RAA00757@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21561 Commit By: lhoward Log Message: cleanup error handling Changed Files: U branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c Modified: branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c 2008-12-21 22:32:36 UTC (rev 21560) +++ branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c 2008-12-21 22:57:28 UTC (rev 21561) @@ -195,7 +195,7 @@ }; const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0; -static int make_NegHints(gss_cred_id_t, gss_buffer_t *); +static int make_NegHints(OM_uint32 *, gss_cred_id_t, gss_buffer_t *); static int put_neg_hints(unsigned char **, gss_buffer_t, unsigned int); static OM_uint32 acc_ctx_hints(OM_uint32 *, gss_ctx_id_t *, gss_cred_id_t, @@ -1038,7 +1038,8 @@ #define HOST_PREFIX_LEN (sizeof(HOST_PREFIX) - 1) static int -make_NegHints(gss_cred_id_t cred, gss_buffer_t *outbuf) +make_NegHints(OM_uint32 *minor_status, + gss_cred_id_t cred, gss_buffer_t *outbuf) { char hostname[5 + MAXHOSTNAMELEN + 1]; gss_buffer_desc hintNameBuf; @@ -1046,7 +1047,7 @@ gss_name_t hintKerberosName; gss_OID hintNameType; OM_uint32 major_status; - OM_uint32 minor_status; + OM_uint32 minor; unsigned int tlen = 0; unsigned int hintNameSize = 0; unsigned int negHintsSize = 0; @@ -1056,7 +1057,7 @@ *outbuf = GSS_C_NO_BUFFER; if (cred != GSS_C_NO_CREDENTIAL) { - major_status = gss_inquire_cred(&minor_status, + major_status = gss_inquire_cred(minor_status, cred, &hintName, NULL, 
@@ -1070,13 +1071,14 @@ /* this breaks mutual authentication but Samba relies on it */ if (gethostname(hostname + HOST_PREFIX_LEN, sizeof(hostname) - HOST_PREFIX_LEN - 1) != 0) { + *minor_status = errno; return (GSS_S_FAILURE); } hintNameBuf.value = hostname; hintNameBuf.length = strlen(hostname); - major_status = gss_import_name(&minor_status, + major_status = gss_import_name(minor_status, &hintNameBuf, GSS_C_NT_HOSTBASED_SERVICE, &hintName); @@ -1088,25 +1090,25 @@ hintNameBuf.value = NULL; hintNameBuf.length = 0; - major_status = gss_canonicalize_name(&minor_status, + major_status = gss_canonicalize_name(minor_status, hintName, (gss_OID)&gss_mech_krb5_oid, &hintKerberosName); if (major_status != GSS_S_COMPLETE) { - gss_release_name(&minor_status, &hintName); + gss_release_name(&minor, &hintName); return (major_status); } - gss_release_name(&minor_status, &hintName); + gss_release_name(&minor, &hintName); - major_status = gss_display_name(&minor_status, + major_status = gss_display_name(minor_status, hintKerberosName, &hintNameBuf, &hintNameType); if (major_status != GSS_S_COMPLETE) { - gss_release_name(&minor_status, &hintName); + gss_release_name(&minor, &hintName); return (major_status); } - gss_release_name(&minor_status, &hintKerberosName); + gss_release_name(&minor, &hintKerberosName); /* * Now encode the name hint into a NegHints ASN.1 type @@ -1123,19 +1125,21 @@ negHintsSize = tlen; t = (unsigned char *)malloc(tlen); - if (t == NULL) + if (t == NULL) { + *minor_status = ENOMEM; goto errout; + } ptr = t; *ptr++ = CONTEXT | 0x00; /* hintName identifier */ if (gssint_put_der_length(hintNameSize, - &ptr, tlen - (int)(ptr-t))) + &ptr, tlen - (int)(ptr-t))) goto errout; *ptr++ = GENERAL_STRING; if (gssint_put_der_length(hintNameBuf.length, - &ptr, tlen - (int)(ptr-t))) + &ptr, tlen - (int)(ptr-t))) goto errout; memcpy(ptr, hintNameBuf.value, hintNameBuf.length); 
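Review bot: In the `@@ -1088` hunk, the failure branch after `gss_display_name` still calls `gss_release_name(&minor, &hintName)` although `hintName` was released two lines earlier; the name live at that point is `hintKerberosName`, so it should read `gss_release_name(&minor, &hintKerberosName);`. If mechglue's release resets the handle to GSS_C_NO_NAME the duplicate call is a harmless no-op, but `hintKerberosName` leaks on that path either way. This predates the commit, but the lines are rewritten here.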
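Review bot: In the `@@ -1123` hunk the two `goto errout` branches after `gssint_put_der_length` return a failure without setting `*minor_status`, so the caller sees whatever minor code the preceding `gss_display_name` left behind; now that make_NegHints owns `minor_status`, each of those branches should assign it the way the adjacent malloc branch does with `*minor_status = ENOMEM;`. The `errout` label and the function's return are outside this hunk.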
@@ -1143,6 +1147,7 @@ *outbuf = (gss_buffer_t)malloc(sizeof(gss_buffer_desc)); if (*outbuf == NULL) { + *minor_status = ENOMEM; goto errout; } (*outbuf)->value = (void *)t; @@ -1150,6 +1155,7 @@ t = NULL; /* don't free */ + *minor_status = 0; major_status = GSS_S_COMPLETE; errout: @@ -1157,7 +1163,7 @@ free(t); } - gss_release_buffer(&minor_status, &hintNameBuf); + gss_release_buffer(&minor, &hintNameBuf); return (major_status); } @@ -1200,7 +1206,7 @@ } } - ret = make_NegHints(cred, mechListMIC); + ret = make_NegHints(minor_status, cred, mechListMIC); if (ret != GSS_S_COMPLETE) { goto cleanup; } From raeburn at MIT.EDU Sun Dec 21 22:12:21 2008 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Sun, 21 Dec 2008 22:12:21 -0500 (EST) Subject: svn rev #21562: trunk/src/slave/ Message-ID: <200812220312.WAA04078@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21562 Commit By: raeburn Log Message: Improvements from Shawn Emery: an extra-verbose mode. Changed Files: U trunk/src/slave/kproplog.c Modified: trunk/src/slave/kproplog.c =================================================================== --- trunk/src/slave/kproplog.c 2008-12-21 22:57:28 UTC (rev 21561) +++ trunk/src/slave/kproplog.c 2008-12-22 03:12:19 UTC (rev 21562) @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -28,77 +28,340 @@ static void usage() { - (void) fprintf(stderr, _("\nUsage: %s [-h] [-v] [-e num]\n\n"), + (void) fprintf(stderr, _("\nUsage: %s [-h] [-v] [-v] [-e num]\n\n"), progname); exit(1); } /* + * Print the attribute flags of principal in human readable form. + */ +static void +print_flags(unsigned int flags) +{ + unsigned int i; + static char *prflags[] = { + "DISALLOW_POSTDATED", /* 0x00000001 */ + "DISALLOW_FORWARDABLE", /* 0x00000002 */ + "DISALLOW_TGT_BASED", /* 0x00000004 */ + "DISALLOW_RENEWABLE", /* 0x00000008 */ + "DISALLOW_PROXIABLE", /* 0x00000010 */ + "DISALLOW_DUP_SKEY", /* 0x00000020 */ + "DISALLOW_ALL_TIX", /* 0x00000040 */ + "REQUIRES_PRE_AUTH", /* 0x00000080 */ + "REQUIRES_HW_AUTH", /* 0x00000100 */ + "REQUIRES_PWCHANGE", /* 0x00000200 */ + "UNKNOWN_0x00000400", /* 0x00000400 */ + "UNKNOWN_0x00000800", /* 0x00000800 */ + "DISALLOW_SVR", /* 0x00001000 */ + "PWCHANGE_SERVICE", /* 0x00002000 */ + "SUPPORT_DESMD5", /* 0x00004000 */ + "NEW_PRINC", /* 0x00008000 */ + }; + + for (i = 0; i < sizeof (prflags) / sizeof (char *); i++) { + if (flags & (krb5_flags) 1 << i) + printf("\t\t\t%s\n", prflags[i]); + } +} + +/* + * Display time information. + */ +static void +print_time(unsigned int *timep) +{ + if (*timep == 0L) + printf("\t\t\tNone\n"); + else { + time_t ltime = *timep; + printf("\t\t\t%s", ctime(<ime)); + } +} + +/* + * Display string in hex primitive. + */ +static void +print_hex(const char *tag, utf8str_t *str) +{ + unsigned int i; + unsigned int len; + + len = str->utf8str_t_len; + + (void) printf("\t\t\t%s(%d): 0x", tag, len); + for (i = 0; i < len; i++) { + printf("%02x", (krb5_octet) str->utf8str_t_val[i]); + } + (void) printf("\n"); +} + +/* + * Display string primitive. 
+ */ +static void +print_str(const char *tag, utf8str_t *str) +{ + char *dis; + unsigned int len; + + /* + 1 for null byte */ + len = str->utf8str_t_len + 1; + dis = (char *) malloc(len); + + if (!dis) { + (void) fprintf(stderr, _("\nCouldn't allocate memory")); + exit(1); + } + + (void) snprintf(dis, len, "%s", str->utf8str_t_val); + + (void) printf("\t\t\t%s(%d): %s\n", tag, len - 1, dis); + + free(dis); +} + +/* + * Display data components. + */ +static void +print_data(const char *tag, kdbe_data_t *data) +{ + + (void) printf("\t\t\tmagic: 0x%x\n", data->k_magic); + + (void) print_str(tag, &data->k_data); +} + +/* + * Display the principal components. + */ +static void +print_princ(kdbe_princ_t *princ) +{ + int i, len; + kdbe_data_t *data; + + print_str("realm", &princ->k_realm); + + len = princ->k_components.k_components_len; + data = princ->k_components.k_components_val; + + for (i = 0; i < len; i++, data++) { + + print_data("princ", data); + } +} + +/* + * Display individual key. + */ +static void +print_key(kdbe_key_t *k) +{ + unsigned int i; + utf8str_t *str; + + printf("\t\t\tver: %d\n", k->k_ver); + + printf("\t\t\tkvno: %d\n", k->k_kvno); + + for (i = 0; i < k->k_enctype.k_enctype_len; i++) { + printf("\t\t\tenc type: 0x%x\n", + k->k_enctype.k_enctype_val[i]); + } + + str = k->k_contents.k_contents_val; + for (i = 0; i < k->k_contents.k_contents_len; i++, str++) { + print_hex("key", str); + } +} + +/* + * Display all key data. + */ +static void +print_keydata(kdbe_key_t *keys, unsigned int len) +{ + unsigned int i; + + for (i = 0; i < len; i++, keys++) { + print_key(keys); + } +} + +/* + * Display TL item. + */ +static void +print_tl(kdbe_tl_t *tl) +{ + int i, len; + + printf("\t\t\ttype: 0x%x\n", tl->tl_type); + + len = tl->tl_data.tl_data_len; + + printf("\t\t\tvalue(%d): 0x", len); + for (i = 0; i < len; i++) { + printf("%02x", (krb5_octet) tl->tl_data.tl_data_val[i]); + } + printf("\n"); +} + +/* + * Display TL data items. 
+ */ +static void +print_tldata(kdbe_tl_t *tldata, int len) +{ + int i; + + printf("\t\t\titems: %d\n", len); + + for (i = 0; i < len; i++, tldata++) { + print_tl(tldata); + } +} + +/* * Print the individual types if verbose mode was specified. + * If verbose-verbose then print types along with respective values. */ static void -print_attr(kdbe_attr_type_t type) +print_attr(kdbe_val_t *val, int vverbose) { - switch (type) { + switch (val->av_type) { case AT_ATTRFLAGS: (void) printf(_("\t\tAttribute flags\n")); + if (vverbose) { + print_flags(val->kdbe_val_t_u.av_attrflags); + } break; case AT_MAX_LIFE: (void) printf(_("\t\tMaximum ticket life\n")); + if (vverbose) { + print_time(&val->kdbe_val_t_u.av_max_life); + } break; case AT_MAX_RENEW_LIFE: (void) printf(_("\t\tMaximum renewable life\n")); + if (vverbose) { + print_time(&val->kdbe_val_t_u.av_max_renew_life); + } break; case AT_EXP: (void) printf(_("\t\tPrincipal expiration\n")); + if (vverbose) { + print_time(&val->kdbe_val_t_u.av_exp); + } break; case AT_PW_EXP: (void) printf(_("\t\tPassword expiration\n")); + if (vverbose) { + print_time(&val->kdbe_val_t_u.av_pw_exp); + } break; case AT_LAST_SUCCESS: (void) printf(_("\t\tLast successful auth\n")); + if (vverbose) { + print_time(&val->kdbe_val_t_u.av_last_success); + } break; case AT_LAST_FAILED: (void) printf(_("\t\tLast failed auth\n")); + if (vverbose) { + print_time(&val->kdbe_val_t_u.av_last_failed); + } break; case AT_FAIL_AUTH_COUNT: (void) printf(_("\t\tFailed passwd attempt\n")); + if (vverbose) { + (void) printf("\t\t\t%d\n", + val->kdbe_val_t_u.av_fail_auth_count); + } break; case AT_PRINC: (void) printf(_("\t\tPrincipal\n")); + if (vverbose) { + print_princ(&val->kdbe_val_t_u.av_princ); + } break; case AT_KEYDATA: (void) printf(_("\t\tKey data\n")); + if (vverbose) { + print_keydata( + val->kdbe_val_t_u.av_keydata.av_keydata_val, + val->kdbe_val_t_u.av_keydata.av_keydata_len); + } break; case AT_TL_DATA: (void) printf(_("\t\tTL data\n")); + if 
(vverbose) { + print_tldata( + val->kdbe_val_t_u.av_tldata.av_tldata_val, + val->kdbe_val_t_u.av_tldata.av_tldata_len); + } break; case AT_LEN: (void) printf(_("\t\tLength\n")); + if (vverbose) { + (void) printf("\t\t\t%d\n", + val->kdbe_val_t_u.av_len); + } break; + case AT_PW_LAST_CHANGE: + (void) printf(_("\t\tPassword last changed\n")); + if (vverbose) { + print_time(&val->kdbe_val_t_u.av_pw_last_change); + } + break; case AT_MOD_PRINC: (void) printf(_("\t\tModifying principal\n")); + if (vverbose) { + print_princ(&val->kdbe_val_t_u.av_mod_princ); + } break; case AT_MOD_TIME: (void) printf(_("\t\tModification time\n")); + if (vverbose) { + print_time(&val->kdbe_val_t_u.av_mod_time); + } break; case AT_MOD_WHERE: (void) printf(_("\t\tModified where\n")); + if (vverbose) { + print_str("where", + &val->kdbe_val_t_u.av_mod_where); + } break; - case AT_PW_LAST_CHANGE: - (void) printf(_("\t\tPassword last changed\n")); - break; case AT_PW_POLICY: (void) printf(_("\t\tPassword policy\n")); + if (vverbose) { + print_str("policy", + &val->kdbe_val_t_u.av_pw_policy); + } break; case AT_PW_POLICY_SWITCH: (void) printf(_("\t\tPassword policy switch\n")); + if (vverbose) { + (void) printf("\t\t\t%d\n", + val->kdbe_val_t_u.av_pw_policy_switch); + } break; case AT_PW_HIST_KVNO: (void) printf(_("\t\tPassword history KVNO\n")); + if (vverbose) { + (void) printf("\t\t\t%d\n", + val->kdbe_val_t_u.av_pw_hist_kvno); + } break; case AT_PW_HIST: (void) printf(_("\t\tPassword history\n")); + if (vverbose) { + (void) printf("\t\t\tPW history elided\n"); + } break; } /* switch */ @@ -107,7 +370,7 @@ * Print the update entry information */ static void -print_update(kdb_hlog_t *ulog, uint32_t entry, bool_t verbose) +print_update(kdb_hlog_t *ulog, uint32_t entry, unsigned int verbose) { XDR xdrs; uint32_t start_sno, i, j, indx; 
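Review bot: In extra-verbose mode print_key dumps every key's raw contents in hex via `print_hex("key", str)`, while the AT_PW_HIST case deliberately prints `PW history elided`; the two should be handled consistently, and if printing key material is intended the usage text should say that the second `-v` emits principal keys so operators know the output is sensitive. Separately, print_str allocates a copy only to print it and exits the whole program on malloc failure; `(void) printf("\t\t\t%s(%d): %.*s\n", tag, (int) str->utf8str_t_len, (int) str->utf8str_t_len, str->utf8str_t_val);` prints the same thing bounded by utf8str_t_len with no allocation. Minor: print_hex and print_str pass an unsigned int to `%d`; `%u` matches the type.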
@@ -182,8 +445,8 @@ if (verbose) for (j = 0; j < upd.kdb_update.kdbe_t_len; j++) - print_attr( - upd.kdb_update.kdbe_t_val[j].av_type); + print_attr(&upd.kdb_update.kdbe_t_val[j], + verbose > 1 ? 1 : 0); xdr_free(xdr_kdb_incr_update_t, (char *)&upd); free(dbprinc); @@ -194,7 +457,7 @@ main(int argc, char **argv) { int c; - bool_t verbose = FALSE; + unsigned int verbose = 0; bool_t headeronly = FALSE; uint32_t entry = 0; krb5_context context; @@ -222,7 +485,7 @@ entry = atoi(optarg); break; case 'v': - verbose = TRUE; + verbose++; break; default: usage(); From raeburn at MIT.EDU Sun Dec 21 22:49:32 2008 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Sun, 21 Dec 2008 22:49:32 -0500 (EST) Subject: svn rev #21563: trunk/src/slave/ Message-ID: <200812220349.WAA04575@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21563 Commit By: raeburn Log Message: Some cleanup from Shawn Emery: Use INITIAL_TIMER macros instead of hardcoding values; reset 'gfd' when turning off the alarm. Changed Files: U trunk/src/slave/kpropd.c Modified: trunk/src/slave/kpropd.c =================================================================== --- trunk/src/slave/kpropd.c 2008-12-22 03:12:19 UTC (rev 21562) +++ trunk/src/slave/kpropd.c 2008-12-22 03:49:30 UTC (rev 21563) @@ -458,7 +458,7 @@ fprintf(stderr, "doit: setting resync alarm to 5s\n"); signal(SIGALRM, resync_alarm); gfd = fd; - if (alarm(5) != 0) { + if (alarm(INITIAL_TIMER) != 0) { if (debug) { fprintf(stderr, _("%s: alarm already set\n"), progname); @@ -508,6 +508,7 @@ * Turn off alarm upon successful authentication from master. */ alarm(0); + gfd = -1; if (!authorized_principal(kpropd_context, client, etype)) { char *name; From raeburn at MIT.EDU Sun Dec 21 23:40:44 2008 
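Review bot: The debug message on the context line just above the change, `fprintf(stderr, "doit: setting resync alarm to 5s\n");`, still hard-codes 5s now that the call is `alarm(INITIAL_TIMER)`, so it will be wrong the moment the macro changes. Assuming INITIAL_TIMER is an integer constant, `fprintf(stderr, "doit: setting resync alarm to %ds\n", INITIAL_TIMER);` keeps the message and the value in step. doit starts and ends outside the hunk.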
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Sun, 21 Dec 2008 23:40:44 -0500 (EST) Subject: svn rev #21564: trunk/src/kdc/ Message-ID: <200812220440.XAA05249@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21564 Commit By: raeburn Log Message: Collect ticket-request logging calls together in one place for easier customization. Changed Files: U trunk/src/kdc/do_as_req.c U trunk/src/kdc/do_tgs_req.c U trunk/src/kdc/kdc_util.c U trunk/src/kdc/kdc_util.h Modified: trunk/src/kdc/do_as_req.c =================================================================== --- trunk/src/kdc/do_as_req.c 2008-12-22 03:49:30 UTC (rev 21563) +++ trunk/src/kdc/do_as_req.c 2008-12-22 04:40:39 UTC (rev 21564) @@ -84,11 +84,9 @@ register int i; krb5_timestamp until, rtime; char *cname = 0, *sname = 0; - const char *fromstring = 0; - char ktypestr[128]; - char rep_etypestr[128]; - char fromstringbuf[70]; void *pa_context = NULL; + int did_log = 0; + const char *emsg = 0; #if APPLE_PKINIT asReqDebug("process_as_req top realm %s name %s\n", @@ -102,15 +100,6 @@ session_key.contents = 0; enc_tkt_reply.authorization_data = NULL; - ktypes2str(ktypestr, sizeof(ktypestr), - request->nktypes, request->ktype); - - fromstring = inet_ntop(ADDRTYPE2FAMILY (from->address->addrtype), - from->address->contents, - fromstringbuf, sizeof(fromstringbuf)); - if (!fromstring) - fromstring = ""; - if (!request->client) { status = "NULL_CLIENT"; errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; @@ -436,14 +425,8 @@ memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length); free(reply.enc_part.ciphertext.data); - rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), &reply); - krb5_klog_syslog(LOG_INFO, - "AS_REQ (%s) %s: ISSUE: authtime %d, " - "%s, %s for %s", - ktypestr, - fromstring, authtime, - rep_etypestr, - cname, sname); + log_as_req(from, request, &reply, cname, sname, authtime, 0, 0, 0); + did_log = 1; #ifdef KRBCONF_KDC_MODIFIES_KDB /* 
@@ -454,30 +437,27 @@ update_client = 1; #endif /* KRBCONF_KDC_MODIFIES_KDB */ + goto egress; + errout: + assert (status != 0); + /* fall through */ + +egress: if (pa_context) free_padata_context(kdc_context, &pa_context); - if (status) { - const char * emsg = 0; - if (errcode) - emsg = krb5_get_error_message (kdc_context, errcode); + if (errcode) + emsg = krb5_get_error_message(kdc_context, errcode); - krb5_klog_syslog(LOG_INFO, "AS_REQ (%s) %s: %s: %s for %s%s%s", - ktypestr, - fromstring, status, - cname ? cname : "", - sname ? sname : "", - errcode ? ", " : "", - errcode ? emsg : ""); - if (errcode) - krb5_free_error_message (kdc_context, emsg); + if (status) { + log_as_req(from, request, &reply, cname, sname, 0, + status, errcode, emsg); + did_log = 1; } if (errcode) { - int got_err = 0; if (status == 0) { - status = krb5_get_error_message (kdc_context, errcode); - got_err = 1; + status = emsg; } errcode -= ERROR_TABLE_BASE_krb5; if (errcode < 0 || errcode > 128) @@ -485,11 +465,10 @@ errcode = prepare_error_as(request, errcode, &e_data, response, status); - if (got_err) { - krb5_free_error_message (kdc_context, status); - status = 0; - } + status = 0; } + if (emsg) + krb5_free_error_message(kdc_context, emsg); if (enc_tkt_reply.authorization_data != NULL) krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data); @@ -531,7 +510,7 @@ } krb5_free_data_contents(kdc_context, &e_data); - + assert(did_log != 0); return errcode; } Modified: trunk/src/kdc/do_tgs_req.c =================================================================== --- trunk/src/kdc/do_tgs_req.c 2008-12-22 03:49:30 UTC (rev 21563) +++ trunk/src/kdc/do_tgs_req.c 2008-12-22 04:40:39 UTC (rev 21564) @@ -1,7 +1,7 @@ /* * kdc/do_tgs_req.c * - * Copyright 1990,1991,2001,2007 by the Massachusetts Institute of Technology. + * Copyright 1990,1991,2001,2007,2008 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may 
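Review bot: `assert (status != 0);` at the new errout label turns a forgotten status assignment on any `goto errout` path into a KDC abort triggered by whichever client request took that path, and the `assert(did_log != 0);` added in the last hunk has the same property; with NDEBUG the same omission instead silently skips `log_as_req`, since it is only called `if (status)`. A fallback such as `if (status == NULL) status = "UNKNOWN_REASON";` (constructed example) placed before the log call keeps the invariant visible without letting a daemon exit on a request. process_as_req starts before the first hunk of this file.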
@@ -49,7 +49,7 @@ krb5_boolean *, int *); static krb5_error_code prepare_error_tgs (krb5_kdc_req *, krb5_ticket *, - int, const char *, krb5_data **, + int, krb5_data **, const char *); /*ARGSUSED*/ @@ -75,8 +75,7 @@ krb5_timestamp until, rtime; krb5_keyblock encrypting_key; krb5_key_data *server_key; - char *cname = 0, *sname = 0, *tmp = 0; - const char *fromstring = 0; + char *cname = 0, *sname = 0, *altcname = 0; krb5_last_req_entry *nolrarray[2], nolrentry; /* krb5_address *noaddrarray[1]; */ krb5_enctype useenctype; @@ -84,9 +83,7 @@ register int i; int firstpass = 1; const char *status = 0; - char ktypestr[128]; - char rep_etypestr[128]; - char fromstringbuf[70]; + const char *emsg = NULL; session_key.contents = 0; @@ -94,8 +91,6 @@ if (retval) return retval; - ktypes2str(ktypestr, sizeof(ktypestr), - request->nktypes, request->ktype); /* * setup_server_realm() sets up the global realm-specific data pointer. */ @@ -104,12 +99,6 @@ return retval; } - fromstring = inet_ntop(ADDRTYPE2FAMILY(from->address->addrtype), - from->address->contents, - fromstringbuf, sizeof(fromstringbuf)); - if (!fromstring) - fromstring = ""; - if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) { status = "UNPARSING SERVER"; goto cleanup; @@ -423,8 +412,8 @@ KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY, 0, &request->authorization_data, &scratch))) { - status = "AUTH_ENCRYPT_FAIL"; free(scratch.data); + status = "AUTH_ENCRYPT_FAIL"; goto cleanup; } @@ -515,7 +504,7 @@ enc_tkt_reply.transited.tr_contents.data, tdots); else { - const char *emsg = krb5_get_error_message(kdc_context, errcode); + emsg = krb5_get_error_message(kdc_context, errcode); krb5_klog_syslog (LOG_ERR, "unexpected error checking transit from " "'%s' to '%s' via '%.*s%s': %s", @@ -525,6 +514,7 @@ enc_tkt_reply.transited.tr_contents.data, tdots, emsg); krb5_free_error_message(kdc_context, emsg); + emsg = NULL; } } else krb5_klog_syslog (LOG_INFO, "not checking transit path"); 
@@ -551,19 +541,13 @@ krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2; krb5_principal client2 = t2enc->client; if (!krb5_principal_compare(kdc_context, request->server, client2)) { - if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp))) - tmp = 0; - if (tmp != NULL) - limit_string(tmp); + if ((errcode = krb5_unparse_name(kdc_context, client2, &altcname))) + altcname = 0; + if (altcname != NULL) + limit_string(altcname); - krb5_klog_syslog(LOG_INFO, - "TGS_REQ %s: 2ND_TKT_MISMATCH: " - "authtime %d, %s for %s, 2nd tkt client %s", - fromstring, authtime, - cname ? cname : "", - sname ? sname : "", - tmp ? tmp : ""); errcode = KRB5KDC_ERR_SERVER_NOMATCH; + status = "2ND_TKT_MISMATCH"; goto cleanup; } @@ -661,27 +645,16 @@ free(reply.enc_part.ciphertext.data); cleanup: - if (status) { - const char * emsg = NULL; - if (!errcode) - rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), &reply); - if (errcode) - emsg = krb5_get_error_message (kdc_context, errcode); - krb5_klog_syslog(LOG_INFO, - "TGS_REQ (%s) %s: %s: authtime %d, " - "%s%s %s for %s%s%s", - ktypestr, - fromstring, status, authtime, - !errcode ? rep_etypestr : "", - !errcode ? "," : "", - cname ? cname : "", - sname ? sname : "", - errcode ? ", " : "", - errcode ? emsg : ""); - if (errcode) - krb5_free_error_message (kdc_context, emsg); + assert(status != NULL); + if (errcode) + emsg = krb5_get_error_message (kdc_context, errcode); + log_tgs_req(from, request, &reply, cname, sname, altcname, authtime, + status, errcode, emsg); + if (errcode) { + krb5_free_error_message (kdc_context, emsg); + emsg = NULL; } - + if (errcode) { int got_err = 0; if (status == 0) { @@ -693,7 +666,7 @@ errcode = KRB_ERR_GENERIC; retval = prepare_error_tgs(request, header_ticket, errcode, - fromstring, response, status); + response, status); if (got_err) { krb5_free_error_message (kdc_context, status); status = 0; 
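Review bot: `altcname` is allocated by krb5_unparse_name in the 2ND_TKT_MISMATCH branch and handed to log_tgs_req at cleanup, but nothing in the visible hunks frees it; if the existing cleanup does not free it either (the old `tmp` had the same lifetime and I see no rename of a `free(tmp)`), every mismatched second-ticket request leaks one unparsed name. Also, in the cleanup hunk the `if (status == 0)` block that follows `assert(status != NULL);` is unreachable unless NDEBUG is defined; either drop it or replace the assert with a fallback status so the block has a purpose. process_tgs_req starts and ends outside these hunks.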
@@ -722,7 +695,7 @@ static krb5_error_code prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error, - const char *ident, krb5_data **response, const char *status) + krb5_data **response, const char *status) { krb5_error errpkt; krb5_error_code retval; @@ -813,7 +786,6 @@ } else if (*nprincs == 1) { /* Found it! */ krb5_principal tmpprinc; - char *sname; tmp = *krb5_princ_realm(kdc_context, *pl2); krb5_princ_set_realm(kdc_context, *pl2, @@ -827,15 +799,7 @@ krb5_free_principal(kdc_context, request->server); request->server = tmpprinc; - if (krb5_unparse_name(kdc_context, request->server, &sname)) { - krb5_klog_syslog(LOG_INFO, - "TGS_REQ: issuing alternate TGT"); - } else { - limit_string(sname); - krb5_klog_syslog(LOG_INFO, - "TGS_REQ: issuing TGT %s", sname); - free(sname); - } + log_tgs_alt_tgt(request->server); krb5_free_realm_tree(kdc_context, plist); return; } Modified: trunk/src/kdc/kdc_util.c =================================================================== --- trunk/src/kdc/kdc_util.c 2008-12-22 03:49:30 UTC (rev 21563) +++ trunk/src/kdc/kdc_util.c 2008-12-22 04:40:39 UTC (rev 21564) 
@@ -1602,3 +1602,123 @@ return get_principal_locked (kcontext, search_for, entries, nentries, more); } + +/* Main logging routines for ticket requests. + + There are a few simple cases -- unparseable requests mainly -- + where messages are logged otherwise, but once a ticket request can + be decoded in some basic way, these routines are used for logging + the details. */ + +/* "status" is null to indicate success. */ +/* Someday, pass local address/port as well. */ +void +log_as_req(const krb5_fulladdr *from, + krb5_kdc_req *request, krb5_kdc_rep *reply, + const char *cname, const char *sname, + krb5_timestamp authtime, + const char *status, krb5_error_code errcode, const char *emsg) +{ + const char *fromstring = 0; + char fromstringbuf[70]; + char ktypestr[128]; + const char *cname2 = cname ? cname : ""; + const char *sname2 = sname ? sname : ""; + + fromstring = inet_ntop(ADDRTYPE2FAMILY (from->address->addrtype), + from->address->contents, + fromstringbuf, sizeof(fromstringbuf)); + if (!fromstring) + fromstring = ""; + ktypes2str(ktypestr, sizeof(ktypestr), + request->nktypes, request->ktype); + + if (status == NULL) { + /* success */ + char rep_etypestr[128]; + rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply); + krb5_klog_syslog(LOG_INFO, + "AS_REQ (%s) %s: ISSUE: authtime %d, %s, %s for %s", + ktypestr, fromstring, authtime, + rep_etypestr, cname2, sname2); + } else { + /* fail */ + krb5_klog_syslog(LOG_INFO, "AS_REQ (%s) %s: %s: %s for %s%s%s", + ktypestr, fromstring, status, + cname2, sname2, emsg ? ", " : "", emsg ? emsg : ""); + } +#if 0 + /* Sun (OpenSolaris) version would probably something like this. + The client and server names passed can be null, unlike in the + logging routines used above. Note that a struct in_addr is + used, but the real address could be an IPv6 address. */ + audit_krb5kdc_as_req(some in_addr *, (in_port_t)from->port, 0, + cname, sname, errcode); +#endif +} + +/* Here "status" must be non-null. 
Error code + KRB5KDC_ERR_SERVER_NOMATCH is handled specially. */ +void +log_tgs_req(const krb5_fulladdr *from, + krb5_kdc_req *request, krb5_kdc_rep *reply, + const char *cname, const char *sname, const char *altcname, + krb5_timestamp authtime, + const char *status, krb5_error_code errcode, const char *emsg) +{ + char ktypestr[128]; + const char *fromstring = 0; + char fromstringbuf[70]; + char rep_etypestr[128]; + + fromstring = inet_ntop(ADDRTYPE2FAMILY(from->address->addrtype), + from->address->contents, + fromstringbuf, sizeof(fromstringbuf)); + if (!fromstring) + fromstring = ""; + ktypes2str(ktypestr, sizeof(ktypestr), request->nktypes, request->ktype); + if (!errcode) + rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply); + else + rep_etypestr[0] = 0; + + /* Differences: server-nomatch message logs 2nd ticket's client + name (useful), and doesn't log ktypestr (probably not + important). */ + if (errcode != KRB5KDC_ERR_SERVER_NOMATCH) + krb5_klog_syslog(LOG_INFO, + "TGS_REQ (%s) %s: %s: authtime %d, %s%s %s for %s%s%s", + ktypestr, + fromstring, status, authtime, + rep_etypestr, + !errcode ? "," : "", + cname ? cname : "", + sname ? sname : "", + errcode ? ", " : "", + errcode ? emsg : ""); + else + krb5_klog_syslog(LOG_INFO, + "TGS_REQ %s: %s: authtime %d, %s for %s, 2nd tkt client %s", + fromstring, status, authtime, + cname ? cname : "", + sname ? sname : "", + altcname ? altcname : ""); + + /* OpenSolaris: audit_krb5kdc_tgs_req(...) or + audit_krb5kdc_tgs_req_2ndtktmm(...) */ +} + +void +log_tgs_alt_tgt(krb5_principal p) +{ + char *sname; + if (krb5_unparse_name(kdc_context, p, &sname)) { + krb5_klog_syslog(LOG_INFO, + "TGS_REQ: issuing alternate TGT"); + } else { + limit_string(sname); + krb5_klog_syslog(LOG_INFO, "TGS_REQ: issuing TGT %s", sname); + free(sname); + } + /* OpenSolaris: audit_krb5kdc_tgs_req_alt_tgt(...) 
*/ +} Modified: trunk/src/kdc/kdc_util.h =================================================================== --- trunk/src/kdc/kdc_util.h 2008-12-22 03:49:30 UTC (rev 21563) +++ trunk/src/kdc/kdc_util.h 2008-12-22 04:40:39 UTC (rev 21564) @@ -188,6 +188,21 @@ krb5_const_principal search_for, krb5_db_entry *entries, int *nentries, krb5_boolean *more); +void +log_as_req(const krb5_fulladdr *from, + krb5_kdc_req *request, krb5_kdc_rep *reply, + const char *cname, const char *sname, + krb5_timestamp authtime, + const char *status, krb5_error_code errcode, const char *emsg); +void +log_tgs_req(const krb5_fulladdr *from, + krb5_kdc_req *request, krb5_kdc_rep *reply, + const char *cname, const char *sname, const char *altcname, + krb5_timestamp authtime, + const char *status, krb5_error_code errcode, const char *emsg); +void log_tgs_alt_tgt(krb5_principal p); + + #define isflagset(flagfield, flag) (flagfield & (flag)) #define setflag(flagfield, flag) (flagfield |= (flag)) #define clear(flagfield, flag) (flagfield &= ~(flag)) From lhoward at MIT.EDU Mon Dec 22 21:39:53 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 22 Dec 2008 21:39:53 -0500 (EST) Subject: svn rev #21565: branches/mskrb-integ/src/kdc/ Message-ID: <200812230239.VAA26089@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21565 Commit By: lhoward Log Message: Cleanup Changed Files: U branches/mskrb-integ/src/kdc/kdc_preauth.c Modified: branches/mskrb-integ/src/kdc/kdc_preauth.c =================================================================== --- branches/mskrb-integ/src/kdc/kdc_preauth.c 2008-12-22 04:40:39 UTC (rev 21564) +++ branches/mskrb-integ/src/kdc/kdc_preauth.c 2008-12-23 02:39:51 UTC (rev 21565) @@ -371,7 +371,7 @@ { void **preauth_plugins_ftables; struct krb5plugin_preauth_server_ftable_v1 *ftable; - int module_count, i, j, k; + size_t module_count, i, j, k; void *plugin_context; preauth_server_init_proc server_init_proc = NULL; char **kdc_realm_names = NULL; 
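Review bot: In log_tgs_req the non-NOMATCH branch formats `errcode ? emsg : ""`, which passes a null pointer to `%s` whenever a caller supplies a non-zero errcode with `emsg == NULL`; log_as_req already guards with `emsg ? emsg : ""`, so the two are inconsistent. Either change the expression to `(errcode && emsg) ? emsg : ""` or extend the comment above log_tgs_req to say that emsg must be non-null whenever errcode is non-zero and that the caller owns and frees it. The `errcode` parameter of log_as_req is otherwise used only inside `#if 0`, which will draw an unused-parameter warning; a `(void) errcode;` or a sentence in the header comment would make the intent clear.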
@@ -429,7 +429,7 @@ krb5int_free_plugin_dir_data(preauth_plugins_ftables); return ENOMEM; } - for (i = 0; i < kdc_numrealms; i++) { + for (i = 0; i < (size_t)kdc_numrealms; i++) { kdc_realm_names[i] = kdc_realmlist[i]->realm_name; } kdc_realm_names[i] = NULL; From lhoward at MIT.EDU Mon Dec 22 21:55:04 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 22 Dec 2008 21:55:04 -0500 (EST) Subject: svn rev #21566: branches/mskrb-integ/src/ include/krb5/ kdc/ Message-ID: <200812230255.VAA26335@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21566 Commit By: lhoward Log Message: Consolidate authorization data handling interface. Both AS-REQ and TGS-REQ paths call handle_authdata(). There is a new V1 callback that provides some additional arguments. Copying TGT authorization data to new tickets as well as the existing Novell DB sign_auth_data method are both implemented as static authdata systems. Both V0 and V1 plugins are supported. Changed Files: U branches/mskrb-integ/src/include/krb5/authdata_plugin.h U branches/mskrb-integ/src/kdc/do_as_req.c U branches/mskrb-integ/src/kdc/do_tgs_req.c U branches/mskrb-integ/src/kdc/kdc_authdata.c U branches/mskrb-integ/src/kdc/kdc_util.c U branches/mskrb-integ/src/kdc/kdc_util.h Modified: branches/mskrb-integ/src/include/krb5/authdata_plugin.h =================================================================== --- branches/mskrb-integ/src/include/krb5/authdata_plugin.h 2008-12-23 02:39:51 UTC (rev 21565) +++ branches/mskrb-integ/src/include/krb5/authdata_plugin.h 2008-12-23 02:55:02 UTC (rev 21566) 
@@ -108,4 +108,53 @@ krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply); } krb5plugin_authdata_ftable_v0; + +typedef struct krb5plugin_authdata_ftable_v1 { + /* Not-usually-visible name. */ + char *name; + + /* + * Per-plugin initialization/cleanup. The init function is called + * by the KDC when the plugin is loaded, and the fini function is + * called before the plugin is unloaded. Both are optional. + */ + krb5_error_code (*init_proc)(krb5_context, void **); + void (*fini_proc)(krb5_context, void *); + /* + * Actual authorization data handling function. If this field + * holds a null pointer, this mechanism will be skipped, and the + * init/fini functions will not be run. + * + * This function should only modify the field + * enc_tkt_reply->authorization_data. All other values should be + * considered inputs only. And, it should *modify* the field, not + * overwrite it and assume that there are no other authdata + * plugins in use. + * + * Memory management: authorization_data is a malloc-allocated, + * null-terminated sequence of malloc-allocated pointers to + * authorization data structures. This plugin code currently + * assumes the libraries, KDC, and plugin all use the same malloc + * pool, which may be a problem if/when we get the KDC code + * running on Windows. + * + * If this function returns a non-zero error code, a message + * is logged, but no other action is taken. Other authdata + * plugins will be called, and a response will be sent to the + * client (barring other problems). 
+ */ + krb5_error_code (*authdata_proc)(krb5_context, + unsigned int flags, + krb5_const_principal reply_client, + struct _krb5_db_entry_new *client, + struct _krb5_db_entry_new *server, + struct _krb5_db_entry_new *tgs, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_reply); +} krb5plugin_authdata_ftable_v1; + #endif /* KRB5_AUTHDATA_PLUGIN_H_INCLUDED */ Modified: branches/mskrb-integ/src/kdc/do_as_req.c =================================================================== --- branches/mskrb-integ/src/kdc/do_as_req.c 2008-12-23 02:39:51 UTC (rev 21565) +++ branches/mskrb-integ/src/kdc/do_as_req.c 2008-12-23 02:55:02 UTC (rev 21566) @@ -296,6 +296,8 @@ ticket_reply.server = &server_princ; enc_tkt_reply.flags = 0; + enc_tkt_reply.times.authtime = authtime; + setflag(enc_tkt_reply.flags, TKT_FLG_INITIAL); /* It should be noted that local policy may affect the */ @@ -323,8 +325,6 @@ enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS; enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */ - enc_tkt_reply.times.authtime = kdc_time; - if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) { setflag(enc_tkt_reply.flags, TKT_FLG_POSTDATED); setflag(enc_tkt_reply.flags, TKT_FLG_INVALID); 
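Review bot: The authdata_proc comment says that on a non-zero return "a message is logged, but no other action is taken" and that other plugins still run, but the do_as_req.c and do_tgs_req.c hunks of this same commit set `status = "HANDLE_AUTHDATA";` and jump to errout/cleanup as soon as handle_authdata fails, so the documented contract and the KDC behaviour disagree (kdc_authdata.c is cut off at the end of the page, so the per-plugin handling inside handle_authdata may differ from the aggregate result). Please align the comment with what the KDC does, e.g. replace that paragraph with a sentence stating that a non-zero return aborts the request with status HANDLE_AUTHDATA, or keep the comment and have the callers log and continue as before. The new `flags`, `req_pkt` and `enc_tkt_request` parameters are also undocumented; a line saying `flags` carries the caller's c_flags and that `enc_tkt_request` is NULL for an AS-REQ (the do_as_req.c call passes NULL) would help plugin authors.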
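Review bot: `enc_tkt_reply.times.authtime = authtime;` is now set near line 296, but the only assignment of authtime visible in this diff is `reply_encpart.times.authtime = authtime = kdc_time;` in the @@ -498 hunk, some two hundred lines later; unless authtime is assigned earlier in process_as_req, the ticket's authtime is taken from an uninitialized or stale variable where the old code used `kdc_time` directly. If the intent was only to move the assignment, `enc_tkt_reply.times.authtime = kdc_time;` preserves the previous value; otherwise `authtime = kdc_time;` must precede this line. process_as_req starts and ends outside the hunk.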
@@ -498,30 +498,21 @@ reply_encpart.times.authtime = authtime = kdc_time; reply_encpart.caddrs = enc_tkt_reply.caddrs; - errcode = sign_authorization_data(kdc_context, - 0, - reply.client, - &client, - &server, - &server, - &client_keyblock, - &server_keyblock, - authtime, - NULL, - &enc_tkt_reply.authorization_data, - NULL, - NULL); + reply_encpart.enc_padata = NULL; + + /* Fetch the padata info to be returned (do this before + authdata to handle possible replacement of reply key */ + errcode = return_padata(kdc_context, &client, req_pkt, request, + &reply, client_key, &client_keyblock, &pa_context); if (errcode) { - status = "SIGN_AUTH_DATA"; + status = "KDC_RETURN_PADATA"; goto errout; } - /* Add any additional auth data - XXX need to consolidate plugin interfaces */ - errcode = handle_authdata(kdc_context, &client, req_pkt, request, &enc_tkt_reply); - if (errcode) { - krb5_klog_syslog(LOG_INFO, "AS_REQ : handle_authdata (%d)", errcode); - } - reply_encpart.enc_padata = NULL; +#if APPLE_PKINIT + asReqDebug("process_as_req reply realm %s name %s\n", + reply.client->realm.data, reply.client->data->data); +#endif /* APPLE_PKINIT */ errcode = return_svr_referral_data(kdc_context, &server, &reply_encpart); 
@@ -530,27 +521,31 @@ goto errout; } - /* moved here because we need authorization data in ticket_reply */ - errcode = krb5_encrypt_tkt_part(kdc_context, &server_keyblock, &ticket_reply); + errcode = handle_authdata(kdc_context, + c_flags, + reply.client, + &client, + &server, + &server, + &client_keyblock, + &server_keyblock, + req_pkt, + request, + NULL, /* enc_tkt_request */ + &enc_tkt_reply); if (errcode) { - status = "ENCRYPTING_TICKET"; + krb5_klog_syslog(LOG_INFO, "AS_REQ : handle_authdata (%d)", errcode); + status = "HANDLE_AUTHDATA"; goto errout; } - ticket_reply.enc_part.kvno = server_key->key_data_kvno; - /* Fetch the padata info to be returned */ - errcode = return_padata(kdc_context, &client, req_pkt, request, - &reply, client_key, &client_keyblock, &pa_context); + errcode = krb5_encrypt_tkt_part(kdc_context, &server_keyblock, &ticket_reply); if (errcode) { - status = "KDC_RETURN_PADATA"; + status = "ENCRYPTING_TICKET"; goto errout; } + ticket_reply.enc_part.kvno = server_key->key_data_kvno; -#if APPLE_PKINIT - asReqDebug("process_as_req reply realm %s name %s\n", - reply.client->realm.data, reply.client->data->data); -#endif /* APPLE_PKINIT */ - /* now encode/encrypt the response */ reply.enc_part.enctype = client_keyblock.enctype; Modified: branches/mskrb-integ/src/kdc/do_tgs_req.c =================================================================== --- branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-23 02:39:51 UTC (rev 21565) +++ branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-23 02:55:02 UTC (rev 21566) 
@@ -614,58 +614,27 @@ c_nprincs = 0; } } + } - /* - * Check whether KDC issued authorization data should be included. - * A server can explicitly disable the inclusion of authorization - * data by setting the KRB5_KDB_NO_AUTH_DATA_REQUIRED flag on its - * principal entry. Otherwise authorization data will be included - * if it was present in the TGT, the client is from another realm - * or protocol transition/constrained delegation was used. - * - * We permit sign_authorization_data() to return a krb5_db_entry - * representing the principal associated with the authorization - * data, in case that principal is not local to our realm and we - * need to perform additional checks (such as disabling delegation - * for cross-realm protocol transition below). - */ - if (header_enc_tkt->authorization_data != NULL || - isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM) || - isflagset(c_flags, KRB5_KDB_FLAGS_S4U)) { - krb5_db_entry ad_entry; - int ad_nprincs = 0; + enc_tkt_reply.authorization_data = NULL; - errcode = sign_authorization_data(kdc_context, - c_flags, - isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ? - for_user->user : header_enc_tkt->client, - (c_nprincs != 0) ? &client : NULL, - &server, - &krbtgt, - NULL, /* ticket reply key not relevant */ - &encrypting_key, /* U2U or server key */ - header_enc_tkt->times.authtime, - header_enc_tkt->authorization_data, - &kdc_issued_auth_data, - &ad_entry, - &ad_nprincs); - if (errcode) { - status = "SIGN_AUTH_DATA"; - goto cleanup; - } - if (ad_nprincs != 0) { - if (isflagset(ad_entry.attributes, KRB5_KDB_DISALLOW_FORWARDABLE)) - clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); - - krb5_db_free_principal(kdc_context, &ad_entry, ad_nprincs); - - if (ad_nprincs != 1) { - status = "NON_UNIQUE_AUTH_DATA_PRINCIPAL"; - errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; - goto cleanup; - } - } - } + errcode = handle_authdata(kdc_context, + c_flags, + isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ? 
+ for_user->user : header_enc_tkt->client, + (c_nprincs != 0) ? &client : NULL, + &server, + &krbtgt, + NULL, /* ticket reply key not relevant here */ + &encrypting_key, /* U2U or server key */ + pkt, + request, + header_enc_tkt, + &enc_tkt_reply); + if (errcode) { + krb5_klog_syslog(LOG_INFO, "TGS_REQ : handle_authdata (%d)", errcode); + status = "HANDLE_AUTHDATA"; + goto cleanup; } errcode = return_svr_referral_data(kdc_context, @@ -675,46 +644,6 @@ goto cleanup; } - /* assemble any authorization data */ - if (request->authorization_data.ciphertext.data != NULL) { - krb5_data scratch; - - scratch.length = request->authorization_data.ciphertext.length; - if (!(scratch.data = - malloc(request->authorization_data.ciphertext.length))) { - status = "AUTH_NOMEM"; - errcode = ENOMEM; - goto cleanup; - } - - if ((errcode = krb5_c_decrypt(kdc_context, - header_ticket->enc_part2->session, - KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY, - 0, &request->authorization_data, - &scratch))) { - status = "AUTH_ENCRYPT_FAIL"; - free(scratch.data); - goto cleanup; - } - - /* scratch now has the authorization data, so we decode it */ - errcode = decode_krb5_authdata(&scratch, &(request->unenc_authdata)); - free(scratch.data); - if (errcode) { - status = "AUTH_DECODE"; - goto cleanup; - } - - if ((errcode = - concat_authorization_data(kdc_issued_auth_data, - request->unenc_authdata, - &enc_tkt_reply.authorization_data))) { - status = "CONCAT_AUTH"; - goto cleanup; - } - } else - enc_tkt_reply.authorization_data = kdc_issued_auth_data; - enc_tkt_reply.session = &session_key; if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) && is_local_principal(header_enc_tkt->client)) Modified: branches/mskrb-integ/src/kdc/kdc_authdata.c =================================================================== --- branches/mskrb-integ/src/kdc/kdc_authdata.c 2008-12-23 02:39:51 UTC (rev 21565) +++ branches/mskrb-integ/src/kdc/kdc_authdata.c 2008-12-23 02:55:02 UTC (rev 21566) 
@@ -2,6 +2,7 @@
  * kdc/kdc_authdata.c
  *
  * Copyright (C) 2007 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2008 by the Massachusetts Institute of Technology.
  *
  * Export of this software from the United States of America may
  * require a specific license from the United States Government.
@@ -42,109 +43,95 @@ static const char *objdirs[] = { LIBDIR "/krb5/plugins/authdata", NULL }; #endif -typedef krb5_error_code (*authdata_proc) +/* MIT Kerberos 1.6 (V0) authdata plugin callback */ +typedef krb5_error_code (*authdata_proc_0) (krb5_context, krb5_db_entry *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_enc_tkt_part * enc_tkt_reply); - +/* MIT Kerberos 1.7 (V1) authdata plugin callback */ +typedef krb5_error_code (*authdata_proc_1) + (krb5_context, unsigned int flags, + krb5_const_principal reply_client, + krb5_db_entry *client, krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_reply); typedef krb5_error_code (*init_proc) (krb5_context, void **); typedef void (*fini_proc) (krb5_context, void *); +/* Internal authdata system for copying TGS-REQ authdata to ticket */ +static krb5_error_code handle_request_authdata + (krb5_context context, + unsigned int flags, + krb5_const_principal reply_client, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_reply); + +/* Internal authdata system for handling KDC-issued authdata */ +static krb5_error_code handle_tgt_authdata + (krb5_context context, + unsigned int flags, + krb5_const_principal reply_client, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_reply); + typedef struct _krb5_authdata_systems { const char *name; +#define AUTHDATA_SYSTEM_UNKNOWN -1 +#define AUTHDATA_SYSTEM_V0 0 +#define AUTHDATA_SYSTEM_V1 1 int type; +#define 
AUTHDATA_FLAG_CRITICAL 0x1 int flags; void *plugin_context; init_proc init; fini_proc fini; - authdata_proc handle_authdata; + union { + authdata_proc_1 v1; + authdata_proc_0 v0; + } handle_authdata; } krb5_authdata_systems; -#undef GREET_PREAUTH - -#ifdef GREET_PREAUTH -static krb5_error_code -greet_init(krb5_context ctx, void **blob) -{ - *blob = "hello"; - return 0; -} - -static void -greet_fini(krb5_context ctx, void *blob) -{ -} - -static krb5_error_code -greet_authdata(krb5_context ctx, krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_enc_tkt_part * enc_tkt_reply) -{ -#define GREET_SIZE (20) - - char *p; - krb5_authdata *a; - size_t count; - krb5_authdata **new_ad; - - krb5_klog_syslog (LOG_DEBUG, "in greet_authdata"); - - p = calloc(1, GREET_SIZE); - a = calloc(1, sizeof(*a)); - - if (p == NULL || a == NULL) { - free(p); - free(a); - return ENOMEM; - } - strlcpy(p, "hello", GREET_SIZE); - a->magic = KV5M_AUTHDATA; - a->ad_type = -42; - a->length = GREET_SIZE; - a->contents = p; - if (enc_tkt_reply->authorization_data == 0) { - count = 0; - } else { - for (count = 0; enc_tkt_reply->authorization_data[count] != 0; count++) - ; - } - new_ad = realloc(enc_tkt_reply->authorization_data, - (count+2) * sizeof(krb5_authdata *)); - if (new_ad == NULL) { - free(p); - free(a); - return ENOMEM; - } - enc_tkt_reply->authorization_data = new_ad; - new_ad[count] = a; - new_ad[count+1] = NULL; - return 0; -} -#endif - static krb5_authdata_systems static_authdata_systems[] = { -#ifdef GREET_PREAUTH - { "greeting", 0, 0, 0, greet_init, greet_fini, greet_authdata }, -#endif - { "[end]", -1,} + { "tgs_req", AUTHDATA_SYSTEM_V1, AUTHDATA_FLAG_CRITICAL, NULL, NULL, NULL, { handle_request_authdata } }, + { "tgt", AUTHDATA_SYSTEM_V1, AUTHDATA_FLAG_CRITICAL, NULL, NULL, NULL, { handle_tgt_authdata } }, }; static krb5_authdata_systems *authdata_systems; static int n_authdata_systems; static struct plugin_dir_handle authdata_plugins; +/* Load both v0 and v1 
authdata plugins */ krb5_error_code load_authdata_plugins(krb5_context context) { - void **authdata_plugins_ftables = NULL; - struct krb5plugin_authdata_ftable_v0 *ftable = NULL; + void **authdata_plugins_ftables_v0 = NULL; + void **authdata_plugins_ftables_v1 = NULL; size_t module_count; - int i, k; + size_t i, k; init_proc server_init_proc = NULL; + krb5_error_code code; /* Attempt to load all of the authdata plugins we can find. */ PLUGIN_DIR_INIT(&authdata_plugins); 
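Review bot: The brace initializers `{ handle_request_authdata }` and `{ handle_tgt_authdata }` in static_authdata_systems initialize the first member of the handle_authdata union, so they are correct only because `v1` is declared before `v0`; reordering the union members would make these two systems be called through the V0 signature with no compiler diagnostic. Either pin it with a comment on the union, `/* v1 must stay first: static_authdata_systems initializes it positionally */`, or use a designated initializer `{ .v1 = handle_request_authdata }` if the file already relies on C99. The `#define`s for AUTHDATA_SYSTEM_* and AUTHDATA_FLAG_CRITICAL placed inside the struct body would read better as an enum above the struct.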
@@ -156,40 +143,56 @@ } /* Get the method tables provided by the loaded plugins. */ - authdata_plugins_ftables = NULL; + authdata_plugins_ftables_v0 = NULL; + authdata_plugins_ftables_v1 = NULL; n_authdata_systems = 0; + if (krb5int_get_plugin_dir_data(&authdata_plugins, + "authdata_server_1", + &authdata_plugins_ftables_v1, &context->err) != 0 || + krb5int_get_plugin_dir_data(&authdata_plugins, "authdata_server_0", - &authdata_plugins_ftables, &context->err) != 0) { - return KRB5_PLUGIN_NO_HANDLE; + &authdata_plugins_ftables_v0, &context->err) != 0) { + code = KRB5_PLUGIN_NO_HANDLE; + goto cleanup; } /* Count the valid modules. */ module_count = sizeof(static_authdata_systems) / sizeof(static_authdata_systems[0]); - if (authdata_plugins_ftables != NULL) { - for (i = 0; authdata_plugins_ftables[i] != NULL; i++) { - ftable = authdata_plugins_ftables[i]; - if ((ftable->authdata_proc != NULL)) { + + if (authdata_plugins_ftables_v1 != NULL) { + struct krb5plugin_authdata_ftable_v1 *ftable; + + for (i = 0; authdata_plugins_ftables_v1[i] != NULL; i++) { + ftable = authdata_plugins_ftables_v1[i]; + if (ftable->authdata_proc != NULL) module_count++; - } } } + + if (authdata_plugins_ftables_v0 != NULL) { + struct krb5plugin_authdata_ftable_v0 *ftable; + for (i = 0; authdata_plugins_ftables_v0[i] != NULL; i++) { + ftable = authdata_plugins_ftables_v0[i]; + if (ftable->authdata_proc != NULL) + module_count++; + } + } + /* Build the complete list of supported authdata options, and * leave room for a terminator entry. */ authdata_systems = calloc(module_count + 1, sizeof(krb5_authdata_systems)); if (authdata_systems == NULL) { - krb5int_free_plugin_dir_data(authdata_plugins_ftables); - return ENOMEM; + code = ENOMEM; + goto cleanup; } /* Add the locally-supplied mechanisms to the dynamic list first. 
*/ for (i = 0, k = 0; i < sizeof(static_authdata_systems) / sizeof(static_authdata_systems[0]); i++) { - if (static_authdata_systems[i].type == -1) - break; authdata_systems[k] = static_authdata_systems[i]; /* Try to initialize the authdata system. If it fails, we'll remove it * from the list of systems we'll be using. */ @@ -202,13 +205,15 @@ k++; } - /* Now add the dynamically-loaded mechanisms to the list. */ - if (authdata_plugins_ftables != NULL) { - for (i = 0; authdata_plugins_ftables[i] != NULL; i++) { + /* Add dynamically loaded V1 plugins */ + if (authdata_plugins_ftables_v1 != NULL) { + struct krb5plugin_authdata_ftable_v1 *ftable; + + for (i = 0; authdata_plugins_ftables_v1[i] != NULL; i++) { krb5_error_code initerr; void *pctx = NULL; - ftable = authdata_plugins_ftables[i]; + ftable = authdata_plugins_ftables_v1[i]; if ((ftable->authdata_proc == NULL)) { continue; } 
@@ -229,19 +234,66 @@ } authdata_systems[k].name = ftable->name; + authdata_systems[k].type = AUTHDATA_SYSTEM_V1; authdata_systems[k].init = server_init_proc; authdata_systems[k].fini = ftable->fini_proc; - authdata_systems[k].handle_authdata = ftable->authdata_proc; + authdata_systems[k].handle_authdata.v1 = ftable->authdata_proc; authdata_systems[k].plugin_context = pctx; k++; } - krb5int_free_plugin_dir_data(authdata_plugins_ftables); } + + /* Add dynamically loaded V0 plugins */ + if (authdata_plugins_ftables_v0 != NULL) { + struct krb5plugin_authdata_ftable_v0 *ftable; + + for (i = 0; authdata_plugins_ftables_v0[i] != NULL; i++) { + krb5_error_code initerr; + void *pctx = NULL; + + ftable = authdata_plugins_ftables_v0[i]; + if ((ftable->authdata_proc == NULL)) { + continue; + } + server_init_proc = ftable->init_proc; + if ((server_init_proc != NULL) && + ((initerr = (*server_init_proc)(context, &pctx)) != 0)) { + const char *emsg; + emsg = krb5_get_error_message(context, initerr); + if (emsg) { + krb5_klog_syslog(LOG_ERR, + "authdata %s failed to initialize: %s", + ftable->name, emsg); + krb5_free_error_message(context, emsg); + } + memset(&authdata_systems[k], 0, sizeof(authdata_systems[k])); + + continue; + } + + authdata_systems[k].name = ftable->name; + authdata_systems[k].type = AUTHDATA_SYSTEM_V0; + authdata_systems[k].init = server_init_proc; + authdata_systems[k].fini = ftable->fini_proc; + authdata_systems[k].handle_authdata.v0 = ftable->authdata_proc; + authdata_systems[k].plugin_context = pctx; + k++; + } + } + n_authdata_systems = k; /* Add the end-of-list marker. 
*/ authdata_systems[k].name = "[end]"; - authdata_systems[k].type = -1; - return 0; + authdata_systems[k].type = AUTHDATA_SYSTEM_UNKNOWN; + code = 0; + +cleanup: + if (authdata_plugins_ftables_v1 != NULL) + krb5int_free_plugin_dir_data(authdata_plugins_ftables_v1); + if (authdata_plugins_ftables_v0 != NULL) + krb5int_free_plugin_dir_data(authdata_plugins_ftables_v0); + + return code; } krb5_error_code 
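Review bot: Neither plugin loop sets `authdata_systems[k].flags`, so every dynamically loaded module is non-critical only by virtue of the calloc zero-fill, whereas the two built-in systems are AUTHDATA_FLAG_CRITICAL; that asymmetry decides whether a module failure aborts the request and deserves to be explicit, e.g. `authdata_systems[k].flags = 0; /* plugin failures are logged, not fatal */` next to the `.type` assignment in both loops. The V0 loop is otherwise a line-for-line copy of the V1 loop except for the type tag; a static helper taking name, init_proc, fini_proc, the callback and the type would halve the function. The `memset(&authdata_systems[k], 0, ...)` on the init-failure path clears an entry nothing has written yet, which is harmless but suggests the helper should assign fields only after init succeeds.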
@@ -264,35 +316,277 @@ return 0; } +/* Merge authdata. If copy == 0, in_authdata is invalid on return */ +static krb5_error_code +merge_authdata (krb5_context context, + krb5_authdata **in_authdata, + krb5_authdata ***out_authdata, + int copy) +{ + size_t i, nadata = 0; + krb5_authdata **authdata = *out_authdata; + + if (in_authdata == NULL || in_authdata[0] == NULL) + return 0; + + if (authdata != NULL) { + for (nadata = 0; authdata[nadata] != NULL; nadata++) + ; + } + + for (i = 0; in_authdata[i] != NULL; i++) + ; + + authdata = (krb5_authdata **)realloc(*out_authdata, + ((nadata + i + 1) * sizeof(krb5_authdata *))); + if (authdata == NULL) + return ENOMEM; + + if (copy) { + krb5_error_code code; + krb5_authdata **tmp; + + code = krb5_copy_authdata(context, in_authdata, &tmp); + if (code != 0) + return code; + + in_authdata = tmp; + } + + for (i = 0; in_authdata[i] != NULL; i++) + authdata[nadata + i] = in_authdata[i]; + + authdata[nadata + i] = NULL; + + free(in_authdata); + + *out_authdata = authdata; + + return 0; +} + +/* Handle copying TGS-REQ authorization data into reply */ +static krb5_error_code +handle_request_authdata (krb5_context context, + unsigned int flags, + krb5_const_principal reply_client, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_reply) +{ + krb5_error_code code; + krb5_data scratch; + + if (request->msg_type != KRB5_TGS_REQ || + request->authorization_data.ciphertext.data == NULL) + return 0; + + assert(enc_tkt_request != NULL); + + scratch.length = request->authorization_data.ciphertext.length; + scratch.data = malloc(scratch.length); + if (scratch.data == NULL) + return ENOMEM; + + code = krb5_c_decrypt(context, + enc_tkt_request->session, + KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY, + 0, &request->authorization_data, + &scratch); + if (code != 0) 
{ + free(scratch.data); + return code; + } + + /* scratch now has the authorization data, so we decode it, and make + * it available to subsequent authdata plugins */ + code = decode_krb5_authdata(&scratch, &request->unenc_authdata); + if (code != 0) { + free(scratch.data); + return code; + } + + free(scratch.data); + + code = merge_authdata(context, request->unenc_authdata, + &enc_tkt_reply->authorization_data, TRUE /* copy */); + + return code; +} + +/* Handle backend-managed authorization data */ +static krb5_error_code +handle_tgt_authdata (krb5_context context, + unsigned int flags, + krb5_const_principal reply_client, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_reply) +{ + krb5_error_code code; + krb5_authdata **db_authdata = NULL; + krb5_db_entry ad_entry; + int ad_nprincs = 0; + krb5_boolean tgs_req = (request->msg_type == KRB5_TGS_REQ); + + /* + * Check whether KDC issued authorization data should be included. + * A server can explicitly disable the inclusion of authorization + * data by setting the KRB5_KDB_NO_AUTH_DATA_REQUIRED flag on its + * principal entry. Otherwise authorization data will be included + * if it was present in the TGT, the client is from another realm + * or protocol transition/constrained delegation was used, or, in + * the AS-REQ case, if the pre-auth data indicated the PAC should + * be absent. + * + * We permit sign_authorization_data() to return a krb5_db_entry + * representing the principal associated with the authorization + * data, in case that principal is not local to our realm and we + * need to perform additional checks (such as disabling delegation + * for cross-realm protocol transition below). 
+ */ + if (tgs_req) { + assert(enc_tkt_request != NULL); + + if (isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED)) + return 0; + + if (enc_tkt_request->authorization_data == NULL && + !isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM | KRB5_KDB_FLAGS_S4U)) + return 0; + + assert(enc_tkt_reply->times.authtime == enc_tkt_request->times.authtime); + } else { + if (!isflagset(flags, KRB5_KDB_FLAG_INCLUDE_PAC)) + return 0; + } + + /* + * If the backend does not implement the sign authdata method, then + * just copy the TGT authorization data into the reply, except for + * the constrained delegation case (which requires special handling + * because it will promote untrusted auth data to KDC issued auth + * data; this requires backend-specific code) + * + * Presently this interface does not support using request auth data + * to influence (eg. possibly restrict) the reply auth data. + */ + code = sign_db_authdata(context, + flags, + reply_client, + client, + server, + krbtgt, + client_key, + server_key, /* U2U or server key */ + enc_tkt_reply->times.authtime, + tgs_req ? 
enc_tkt_request->authorization_data : NULL, + &db_authdata, + &ad_entry, + &ad_nprincs); + if (code == KRB5_KDB_DBTYPE_NOSUP) { + assert(ad_nprincs == 0); + assert(db_authdata == NULL); + + if (isflagset(flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) + return KRB5KDC_ERR_POLICY; + + if (tgs_req) + return merge_authdata(context, enc_tkt_request->authorization_data, + &enc_tkt_reply->authorization_data, TRUE); + } + + if (ad_nprincs != 0) { + if (tgs_req && + isflagset(ad_entry.attributes, KRB5_KDB_DISALLOW_FORWARDABLE)) + clear(enc_tkt_reply->flags, TKT_FLG_FORWARDABLE); + + krb5_db_free_principal(context, &ad_entry, ad_nprincs); + + if (ad_nprincs != 1) { + if (db_authdata != NULL) + krb5_free_authdata(context, db_authdata); + return KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; + } + } + + if (db_authdata != NULL) { + code = merge_authdata(context, db_authdata, + &enc_tkt_reply->authorization_data, + FALSE); + if (code != 0) + krb5_free_authdata(context, db_authdata); + } + + return code; +} + krb5_error_code -handle_authdata (krb5_context context, krb5_db_entry *client, - krb5_data *req_pkt, krb5_kdc_req *request, +handle_authdata (krb5_context context, + unsigned int flags, + krb5_const_principal reply_client, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_request, krb5_enc_tkt_part *enc_tkt_reply) { - krb5_error_code retval = 0; + krb5_error_code code = 0; int i; - const char *emsg; -#if 0 - krb5_klog_syslog (LOG_DEBUG, "handling authdata"); -#endif - + assert(enc_tkt_reply->authorization_data == NULL); for (i = 0; i < n_authdata_systems; i++) { const krb5_authdata_systems *asys = &authdata_systems[i]; - if (asys->handle_authdata && asys->type != -1) { - retval = asys->handle_authdata(context, client, req_pkt, - request, enc_tkt_reply); - if (retval) { - emsg = krb5_get_error_message (context, retval); - 
krb5_klog_syslog (LOG_INFO, - "authdata (%s) handling failure: %s", - asys->name, emsg); - krb5_free_error_message (context, emsg); - } else { - krb5_klog_syslog (LOG_DEBUG, ".. .. ok"); - } + + switch (asys->type) { + case AUTHDATA_SYSTEM_V0: + /* V0 was only in AS-REQ code path */ + if (request->msg_type != KRB5_AS_REQ) + continue; + + code = asys->handle_authdata.v0(context, client, req_pkt, + request, enc_tkt_reply); + break; + case AUTHDATA_SYSTEM_V1: + code = asys->handle_authdata.v1(context, flags, reply_client, + client, server, krbtgt, + client_key, server_key, + req_pkt, request, enc_tkt_request, + enc_tkt_reply); + default: + code = 0; + break; } + if (code != 0) { + const char *emsg; + + emsg = krb5_get_error_message (context, code); + krb5_klog_syslog (LOG_INFO, + "authdata (%s) handling failure: %s", + asys->name, emsg); + krb5_free_error_message (context, emsg); + + if (asys->flags & AUTHDATA_FLAG_CRITICAL) + break; + } } - return 0; + return code; } + Modified: branches/mskrb-integ/src/kdc/kdc_util.c =================================================================== --- branches/mskrb-integ/src/kdc/kdc_util.c 2008-12-23 02:39:51 UTC (rev 21565) +++ branches/mskrb-integ/src/kdc/kdc_util.c 2008-12-23 02:55:02 UTC (rev 21566) 
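Review bot: In handle_authdata a failure of a non-critical system is never cleared, so whether the request fails depends on the module's position in the list: `code` stays non-zero when the failing module is last, and is overwritten by the next module's result otherwise, and the callers in the do_as_req.c and do_tgs_req.c hunks now treat any non-zero return as fatal (the AS-REQ path previously only logged it). After the syslog, `if (asys->flags & AUTHDATA_FLAG_CRITICAL) break;` should be followed by `code = 0;` so non-critical failures are logged and otherwise ignored. Separately, merge_authdata stores the realloc result into `*out_authdata` only at the very end, so when krb5_copy_authdata fails the caller is left holding the pre-realloc pointer that realloc may already have freed, and its later free of enc_tkt_reply->authorization_data becomes a double free; assigning `*out_authdata = authdata;` immediately after the realloc NULL check keeps the caller's list valid on every return path, since the terminator at index nadata is still intact.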
@@ -1669,27 +1669,27 @@ } krb5_error_code -sign_authorization_data(krb5_context context, - unsigned int flags, - krb5_const_principal client_princ, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_keyblock *client_key, - krb5_keyblock *server_key, - krb5_timestamp authtime, - krb5_authdata **auth_data, - krb5_authdata ***ret_auth_data, - krb5_db_entry *ad_entry, - int *ad_nprincs) +sign_db_authdata (krb5_context context, + unsigned int flags, + krb5_const_principal client_princ, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_timestamp authtime, + krb5_authdata **tgs_authdata, + krb5_authdata ***ret_authdata, + krb5_db_entry *ad_entry, + int *ad_nprincs) { - krb5_error_code code; - kdb_sign_auth_data_req req; - kdb_sign_auth_data_rep rep; - krb5_data req_data; - krb5_data rep_data; + krb5_error_code code; + kdb_sign_auth_data_req req; + kdb_sign_auth_data_rep rep; + krb5_data req_data; + krb5_data rep_data; - *ret_auth_data = NULL; + *ret_authdata = NULL; if (ad_entry != NULL) { assert(ad_nprincs != NULL); memset(ad_entry, 0, sizeof(*ad_entry)); @@ -1707,7 +1707,7 @@ req.client_key = client_key; req.server_key = server_key; req.authtime = authtime; - req.auth_data = auth_data; + req.auth_data = tgs_authdata; rep.entry = ad_entry; rep.nprincs = 0; 
@@ -1722,25 +1722,10 @@ KRB5_KDB_METHOD_SIGN_AUTH_DATA, &req_data, &rep_data); - if (code == KRB5_KDB_DBTYPE_NOSUP) { - /* - * If the backend does not implement the sign auth data - * method, then we just copy the authorization data into - * the response, except for the constrained delegation - * case (which requires special handling because it will - * promote untrusted auth data to KDC issued auth data; - * this requires backend specific code) - */ - if (isflagset(flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) - code = KRB5KDC_ERR_POLICY; - else - code = krb5_copy_authdata(context, auth_data, ret_auth_data); - } else { - *ret_auth_data = rep.auth_data; - if (ad_nprincs != NULL) - *ad_nprincs = rep.nprincs; - } + *ret_authdata = rep.auth_data; + *ad_nprincs = rep.nprincs; + return code; } Modified: branches/mskrb-integ/src/kdc/kdc_util.h =================================================================== --- branches/mskrb-integ/src/kdc/kdc_util.h 2008-12-23 02:39:51 UTC (rev 21565) +++ branches/mskrb-integ/src/kdc/kdc_util.h 2008-12-23 02:55:02 UTC (rev 21566) @@ -176,9 +176,19 @@ krb5_error_code load_authdata_plugins(krb5_context context); krb5_error_code unload_authdata_plugins(krb5_context context); -krb5_error_code handle_authdata (krb5_context context, krb5_db_entry *client, - krb5_data *req_pkt, krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_reply); +krb5_error_code +handle_authdata (krb5_context context, + unsigned int flags, + krb5_const_principal reply_client, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_reply); /* replay.c */ krb5_boolean kdc_check_lookaside (krb5_data *, krb5_data **); 
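Review bot: `*ad_nprincs = rep.nprincs;` now dereferences ad_nprincs unconditionally, while the function's preamble in the earlier kdc_util.c hunk still treats ad_entry as optional and only asserts ad_nprincs when ad_entry is non-NULL, so the contract and the code disagree. The single caller on this page passes both, but either keep `if (ad_nprincs != NULL) *ad_nprincs = rep.nprincs;` or make both mandatory and assert them at entry. `*ret_authdata = rep.auth_data;` is likewise now executed for every return code, which is only safe if rep.auth_data is initialized before the DB method call; the hunk shows `rep.nprincs = 0` but not that initialization, so it is worth confirming or adding `rep.auth_data = NULL;` beside it.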
@@ -201,11 +211,11 @@ krb5_error_code return_svr_referral_data (krb5_context context, - krb5_db_entry *server, - krb5_enc_kdc_rep_part *reply_encpart); + krb5_db_entry *server, + krb5_enc_kdc_rep_part *reply_encpart); -krb5_error_code sign_authorization_data - (krb5_context context, +krb5_error_code sign_db_authdata + (krb5_context context, unsigned int flags, krb5_const_principal client_princ, krb5_db_entry *client, @@ -214,8 +224,8 @@ krb5_keyblock *client_key, krb5_keyblock *server_key, krb5_timestamp authtime, - krb5_authdata **tgs_auth_data, - krb5_authdata ***ret_auth_data, + krb5_authdata **tgs_authdata, + krb5_authdata ***ret_authdata, krb5_db_entry *ad_entry, int *ad_nprincs); From lhoward at MIT.EDU Mon Dec 22 21:58:36 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 22 Dec 2008 21:58:36 -0500 (EST) Subject: svn rev #21567: branches/mskrb-integ/src/kdc/ Message-ID: <200812230258.VAA26443@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21567 Commit By: lhoward Log Message: fix a missing return for KRB5_KDB_DBTYPE_NOSUP/AS-REQ Changed Files: U branches/mskrb-integ/src/kdc/kdc_authdata.c Modified: branches/mskrb-integ/src/kdc/kdc_authdata.c =================================================================== --- branches/mskrb-integ/src/kdc/kdc_authdata.c 2008-12-23 02:55:02 UTC (rev 21566) +++ branches/mskrb-integ/src/kdc/kdc_authdata.c 2008-12-23 02:58:35 UTC (rev 21567) @@ -506,6 +506,8 @@ if (tgs_req) return merge_authdata(context, enc_tkt_request->authorization_data, &enc_tkt_reply->authorization_data, TRUE); + else + return 0; } if (ad_nprincs != 0) { From lhoward at MIT.EDU Mon Dec 22 22:22:29 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 22 Dec 2008 22:22:29 -0500 (EST) Subject: svn rev #21568: branches/mskrb-integ/src/kdc/ Message-ID: <200812230322.WAA26834@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21568 Commit By: lhoward Log Message: add missing break statement Changed Files: U branches/mskrb-integ/src/kdc/kdc_authdata.c Modified: branches/mskrb-integ/src/kdc/kdc_authdata.c =================================================================== --- branches/mskrb-integ/src/kdc/kdc_authdata.c 2008-12-23 02:58:35 UTC (rev 21567) +++ branches/mskrb-integ/src/kdc/kdc_authdata.c 2008-12-23 03:22:28 UTC (rev 21568) @@ -571,6 +571,7 @@ client_key, server_key, req_pkt, request, enc_tkt_request, enc_tkt_reply); + break; default: code = 0; break; From lhoward at MIT.EDU Mon Dec 22 22:30:05 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 22 Dec 2008 22:30:05 -0500 (EST) Subject: svn rev #21569: branches/mskrb-integ/src/plugins/authdata/greet/ Message-ID: <200812230330.WAA26997@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21569 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/plugins/authdata/greet/greet_auth.c Modified: branches/mskrb-integ/src/plugins/authdata/greet/greet_auth.c =================================================================== --- branches/mskrb-integ/src/plugins/authdata/greet/greet_auth.c 2008-12-23 03:22:28 UTC (rev 21568) +++ branches/mskrb-integ/src/plugins/authdata/greet/greet_auth.c 2008-12-23 03:30:04 UTC (rev 21569) @@ -69,7 +69,7 @@ a->magic = KV5M_AUTHDATA; a->ad_type = -42; a->length = GREET_SIZE; - a->contents = p; + a->contents = (unsigned char *)p; if (enc_tkt_reply->authorization_data == 0) { count = 0; } else { From lhoward at MIT.EDU Mon Dec 22 22:55:05 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 22 Dec 2008 22:55:05 -0500 (EST) Subject: svn rev #21570: branches/mskrb-integ/src/kdc/ Message-ID: <200812230355.WAA27352@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21570 Commit By: lhoward Log Message: cleanup/refactor Changed Files: U branches/mskrb-integ/src/kdc/do_as_req.c U branches/mskrb-integ/src/kdc/do_tgs_req.c U branches/mskrb-integ/src/kdc/kdc_authdata.c U branches/mskrb-integ/src/kdc/kdc_util.h Modified: branches/mskrb-integ/src/kdc/do_as_req.c =================================================================== --- branches/mskrb-integ/src/kdc/do_as_req.c 2008-12-23 03:30:04 UTC (rev 21569) +++ branches/mskrb-integ/src/kdc/do_as_req.c 2008-12-23 03:55:04 UTC (rev 21570) @@ -523,7 +523,6 @@ errcode = handle_authdata(kdc_context, c_flags, - reply.client, &client, &server, &server, @@ -531,6 +530,7 @@ &server_keyblock, req_pkt, request, + NULL, /* for_user_princ */ NULL, /* enc_tkt_request */ &enc_tkt_reply); if (errcode) { Modified: branches/mskrb-integ/src/kdc/do_tgs_req.c =================================================================== --- branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-23 03:30:04 UTC (rev 21569) +++ branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-23 03:55:04 UTC (rev 21570) @@ -618,10 +618,14 @@ enc_tkt_reply.authorization_data = NULL; + if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) && + is_local_principal(header_enc_tkt->client)) + enc_tkt_reply.client = for_user->user; + else + enc_tkt_reply.client = header_enc_tkt->client; + errcode = handle_authdata(kdc_context, c_flags, - isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ? - for_user->user : header_enc_tkt->client, (c_nprincs != 0) ? &client : NULL, &server, &krbtgt, @@ -629,6 +633,7 @@ &encrypting_key, /* U2U or server key */ pkt, request, + for_user ? for_user->user : NULL, header_enc_tkt, &enc_tkt_reply); if (errcode) { 
@@ -645,11 +650,6 @@ } enc_tkt_reply.session = &session_key; - if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) && - is_local_principal(header_enc_tkt->client)) - enc_tkt_reply.client = for_user->user; - else - enc_tkt_reply.client = header_enc_tkt->client; enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS; enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */ Modified: branches/mskrb-integ/src/kdc/kdc_authdata.c =================================================================== --- branches/mskrb-integ/src/kdc/kdc_authdata.c 2008-12-23 03:30:04 UTC (rev 21569) +++ branches/mskrb-integ/src/kdc/kdc_authdata.c 2008-12-23 03:55:04 UTC (rev 21570) @@ -52,13 +52,13 @@ /* MIT Kerberos 1.7 (V1) authdata plugin callback */ typedef krb5_error_code (*authdata_proc_1) (krb5_context, unsigned int flags, - krb5_const_principal reply_client, krb5_db_entry *client, krb5_db_entry *server, krb5_db_entry *krbtgt, krb5_keyblock *client_key, krb5_keyblock *server_key, krb5_data *req_pkt, krb5_kdc_req *request, + krb5_const_principal for_user_princ, krb5_enc_tkt_part *enc_tkt_request, krb5_enc_tkt_part *enc_tkt_reply); typedef krb5_error_code (*init_proc) @@ -70,7 +70,6 @@ static krb5_error_code handle_request_authdata (krb5_context context, unsigned int flags, - krb5_const_principal reply_client, krb5_db_entry *client, krb5_db_entry *server, krb5_db_entry *krbtgt, @@ -78,6 +77,7 @@ krb5_keyblock *server_key, krb5_data *req_pkt, krb5_kdc_req *request, + krb5_const_principal for_user_princ, krb5_enc_tkt_part *enc_tkt_request, krb5_enc_tkt_part *enc_tkt_reply); @@ -85,7 +85,6 @@ static krb5_error_code handle_tgt_authdata (krb5_context context, unsigned int flags, - krb5_const_principal reply_client, krb5_db_entry *client, krb5_db_entry *server, krb5_db_entry *krbtgt, 
@@ -93,6 +92,7 @@ krb5_keyblock *server_key, krb5_data *req_pkt, krb5_kdc_req *request, + krb5_const_principal for_user_princ, krb5_enc_tkt_part *enc_tkt_request, krb5_enc_tkt_part *enc_tkt_reply); @@ -369,7 +369,6 @@ static krb5_error_code handle_request_authdata (krb5_context context, unsigned int flags, - krb5_const_principal reply_client, krb5_db_entry *client, krb5_db_entry *server, krb5_db_entry *krbtgt, @@ -377,6 +376,7 @@ krb5_keyblock *server_key, krb5_data *req_pkt, krb5_kdc_req *request, + krb5_const_principal for_user_princ, krb5_enc_tkt_part *enc_tkt_request, krb5_enc_tkt_part *enc_tkt_reply) { @@ -424,7 +424,6 @@ static krb5_error_code handle_tgt_authdata (krb5_context context, unsigned int flags, - krb5_const_principal reply_client, krb5_db_entry *client, krb5_db_entry *server, krb5_db_entry *krbtgt, @@ -432,6 +431,7 @@ krb5_keyblock *server_key, krb5_data *req_pkt, krb5_kdc_req *request, + krb5_const_principal for_user_princ, krb5_enc_tkt_part *enc_tkt_request, krb5_enc_tkt_part *enc_tkt_reply) { @@ -440,6 +440,7 @@ krb5_db_entry ad_entry; int ad_nprincs = 0; krb5_boolean tgs_req = (request->msg_type == KRB5_TGS_REQ); + krb5_const_principal actual_client; /* * Check whether KDC issued authorization data should be included. @@ -474,6 +475,16 @@ } /* + * We have this special case for protocol transition, because for + * cross-realm protocol transition the ticket reply client will + * not be changed until the final hop. + */ + if (isflagset(flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) + actual_client = for_user_princ; + else + actual_client = enc_tkt_reply->client; + + /* * If the backend does not implement the sign authdata method, then * just copy the TGT authorization data into the reply, except for * the constrained delegation case (which requires special handling @@ -485,7 +496,7 @@ */ code = sign_db_authdata(context, flags, - reply_client, + actual_client, client, server, krbtgt, 
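Review bot: In the `@@ -474,6 +475,16 @@` hunk, `actual_client = for_user_princ;` is chosen whenever KRB5_KDB_FLAG_PROTOCOL_TRANSITION is set, yet the new `for_user_princ` parameter is passed as `NULL` from do_as_req.c and as `for_user ? for_user->user : NULL` from do_tgs_req.c, so a NULL `actual_client` would reach sign_db_authdata if the flag is ever set without a for_user; whether that combination can occur is not visible here. An explicit check under the flag, either `assert(for_user_princ != NULL);` or an error return, would make the invariant the comment relies on visible in code. The `authdata_proc_1` typedef and the handle_*_authdata prototypes also gain `for_user_princ` with no comment; suggest `krb5_const_principal for_user_princ, /* S4U2Self impersonated client, or NULL */`. handle_tgt_authdata's body continues outside the hunk.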
@@ -538,7 +549,6 @@ krb5_error_code handle_authdata (krb5_context context, unsigned int flags, - krb5_const_principal reply_client, krb5_db_entry *client, krb5_db_entry *server, krb5_db_entry *krbtgt, @@ -546,6 +556,7 @@ krb5_keyblock *server_key, krb5_data *req_pkt, krb5_kdc_req *request, + krb5_const_principal for_user_princ, krb5_enc_tkt_part *enc_tkt_request, krb5_enc_tkt_part *enc_tkt_reply) { @@ -566,10 +577,11 @@ request, enc_tkt_reply); break; case AUTHDATA_SYSTEM_V1: - code = asys->handle_authdata.v1(context, flags, reply_client, + code = asys->handle_authdata.v1(context, flags, client, server, krbtgt, client_key, server_key, - req_pkt, request, enc_tkt_request, + req_pkt, request, for_user_princ, + enc_tkt_request, enc_tkt_reply); break; default: Modified: branches/mskrb-integ/src/kdc/kdc_util.h =================================================================== --- branches/mskrb-integ/src/kdc/kdc_util.h 2008-12-23 03:30:04 UTC (rev 21569) +++ branches/mskrb-integ/src/kdc/kdc_util.h 2008-12-23 03:55:04 UTC (rev 21570) @@ -179,7 +179,6 @@ krb5_error_code handle_authdata (krb5_context context, unsigned int flags, - krb5_const_principal reply_client, krb5_db_entry *client, krb5_db_entry *server, krb5_db_entry *krbtgt, @@ -187,6 +186,7 @@ krb5_keyblock *server_key, krb5_data *req_pkt, krb5_kdc_req *request, + krb5_const_principal for_user_princ, krb5_enc_tkt_part *enc_tkt_request, krb5_enc_tkt_part *enc_tkt_reply); From lhoward at MIT.EDU Mon Dec 22 22:56:29 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 22 Dec 2008 22:56:29 -0500 (EST) Subject: svn rev #21571: branches/mskrb-integ/src/kdc/ Message-ID: <200812230356.WAA27433@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21571 Commit By: lhoward Log Message: cleanup: use krb5_boolean instead of int Changed Files: U branches/mskrb-integ/src/kdc/kdc_authdata.c Modified: branches/mskrb-integ/src/kdc/kdc_authdata.c =================================================================== --- branches/mskrb-integ/src/kdc/kdc_authdata.c 2008-12-23 03:55:04 UTC (rev 21570) +++ branches/mskrb-integ/src/kdc/kdc_authdata.c 2008-12-23 03:56:28 UTC (rev 21571) @@ -321,7 +321,7 @@ merge_authdata (krb5_context context, krb5_authdata **in_authdata, krb5_authdata ***out_authdata, - int copy) + krb5_boolean copy) { size_t i, nadata = 0; krb5_authdata **authdata = *out_authdata; From lhoward at MIT.EDU Mon Dec 22 22:59:27 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 22 Dec 2008 22:59:27 -0500 (EST) Subject: svn rev #21572: branches/mskrb-integ/src/kdc/ Message-ID: <200812230359.WAA27534@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21572 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/kdc/kdc_authdata.c Modified: branches/mskrb-integ/src/kdc/kdc_authdata.c =================================================================== --- branches/mskrb-integ/src/kdc/kdc_authdata.c 2008-12-23 03:56:28 UTC (rev 21571) +++ branches/mskrb-integ/src/kdc/kdc_authdata.c 2008-12-23 03:59:26 UTC (rev 21572) @@ -450,7 +450,7 @@ * if it was present in the TGT, the client is from another realm * or protocol transition/constrained delegation was used, or, in * the AS-REQ case, if the pre-auth data indicated the PAC should - * be absent. + * be present. * * We permit sign_authorization_data() to return a krb5_db_entry * representing the principal associated with the authorization 
@@ -522,7 +522,7 @@ } if (ad_nprincs != 0) { - if (tgs_req && + if (isflagset(flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) && isflagset(ad_entry.attributes, KRB5_KDB_DISALLOW_FORWARDABLE)) clear(enc_tkt_reply->flags, TKT_FLG_FORWARDABLE); From lhoward at MIT.EDU Tue Dec 23 00:25:27 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 23 Dec 2008 00:25:27 -0500 (EST) Subject: svn rev #21573: branches/mskrb-integ/src/lib/gssapi/ generic/ krb5/ Message-ID: <200812230525.AAA28577@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21573 Commit By: lhoward Log Message: For GSS_C_INQ_SESSION_KEY, annotate session key with Kerberos encryption type Changed Files: U branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h U branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c U branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c Modified: branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h 2008-12-23 03:59:26 UTC (rev 21572) +++ branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h 2008-12-23 05:25:25 UTC (rev 21573) 
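Review bot: Replacing `tgs_req &&` with `isflagset(flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&` narrows the clearing of TKT_FLG_FORWARDABLE from every TGS-REQ with a DISALLOW_FORWARDABLE `ad_entry` to the protocol-transition case only, which is a change to an authorization decision rather than the "cleanup" the log message describes. A comment stating the intent would help, e.g. `/* S4U2Self: the impersonated user's DISALLOW_FORWARDABLE attribute decides whether the ticket may be forwarded */`. If `tgs_req` (declared at the top of handle_tgt_authdata) now has no other reader it should be dropped. The enclosing function starts outside the hunk.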
@@ -70,7 +70,11 @@ (OM_uint32 * /*minor_status*/, gss_buffer_set_t * /*buffer_set*/); -/* returns buffer set with the first member containing session key */ +/* + * Returns a buffer set with the first member containing the + * session key for SSPI compatibility. The optional second + * member contains an OID identifying the session key type. + */ GSS_DLLIMP extern gss_OID GSS_C_INQ_SESSION_KEY; OM_uint32 KRB5_CALLCONV gss_inquire_sec_context_by_oid Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2008-12-23 03:59:26 UTC (rev 21572) +++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2008-12-23 05:25:25 UTC (rev 21573) @@ -971,4 +971,8 @@ #define save_error_info krb5_gss_save_error_info extern void krb5_gss_delete_error_info(void *p); +/* Prefix concatenated with Kerberos encryption type */ +#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH 10 +#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID "\052\206\110\206\367\022\001\002\002\004" + #endif /* _GSSAPIP_KRB5_H_ */ Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c 2008-12-23 03:59:26 UTC (rev 21572) +++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c 2008-12-23 05:25:25 UTC (rev 21573) 
@@ -103,6 +103,10 @@ * The OID of the proposed standard krb5 v2 mechanism is: * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2) * krb5v2(3) = 1.2.840.113554.1.2.3 + * Provisionally reserved for Kerberos session key algorithm + * identifiers is: + * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2) + * krb5(2) krb5_enctype(4) = 1.2.840.113554.1.2.2.4 * */ Modified: branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c 2008-12-23 03:59:26 UTC (rev 21572) +++ branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c 2008-12-23 05:25:25 UTC (rev 21573) 
@@ -234,15 +234,60 @@ { krb5_gss_ctx_id_rec *ctx; krb5_keyblock *key; - gss_buffer_desc rep; + gss_buffer_desc keyvalue, keyinfo; + OM_uint32 major_status, minor; + unsigned char oid_buf[GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH + 6]; + unsigned char *op; + size_t nbytes; + int oenctype, enctype, i; ctx = (krb5_gss_ctx_id_rec *) context_handle; key = ctx->have_acceptor_subkey ? ctx->acceptor_subkey : ctx->subkey; - rep.value = key->contents; - rep.length = key->length; + keyvalue.value = key->contents; + keyvalue.length = key->length; + enctype = key->enctype; - return generic_gss_add_buffer_set_member(minor_status, &rep, data_set); + major_status = generic_gss_add_buffer_set_member(minor_status, &keyvalue, data_set); + if (GSS_ERROR(major_status)) { + gss_release_buffer_set(&minor, data_set); + return major_status; + } + + /* Construct the OID 1.2.840.113554.1.2.2.4. */ + memcpy(oid_buf, GSS_KRB5_SESSION_KEY_ENCTYPE_OID, + GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH); + + nbytes = 0; + oenctype = enctype; + while (enctype) { + nbytes++; + enctype >>= 7; + } + enctype = oenctype; + op = oid_buf + GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH + nbytes; + i = -1; + while (enctype) { + op[i] = (unsigned char)enctype & 0x7f; + if (i != -1) + op[i] |= 0x80; + i--; + enctype >>= 7; + } + + keyinfo.value = oid_buf; + keyinfo.length = GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH + nbytes; + assert(keyinfo.length <= sizeof(oid_buf)); + + major_status = generic_gss_add_buffer_set_member(minor_status, &keyinfo, data_set); + if (GSS_ERROR(major_status)) { + assert(*data_set != GSS_C_NO_BUFFER_SET); + memset((*data_set)->elements[0].value, 0, (*data_set)->elements[0].length); + gss_release_buffer_set(&minor, data_set); + return major_status; + } + + return GSS_S_COMPLETE; } OM_uint32 From lhoward at MIT.EDU Tue Dec 23 00:27:15 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 23 Dec 2008 00:27:15 -0500 (EST) Subject: svn rev #21574: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812230527.AAA28667@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21574 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c 2008-12-23 05:25:25 UTC (rev 21573) +++ branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c 2008-12-23 05:27:14 UTC (rev 21574) @@ -239,14 +239,13 @@ unsigned char oid_buf[GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH + 6]; unsigned char *op; size_t nbytes; - int oenctype, enctype, i; + int enctype, i; ctx = (krb5_gss_ctx_id_rec *) context_handle; key = ctx->have_acceptor_subkey ? ctx->acceptor_subkey : ctx->subkey; keyvalue.value = key->contents; keyvalue.length = key->length; - enctype = key->enctype; major_status = generic_gss_add_buffer_set_member(minor_status, &keyvalue, data_set); if (GSS_ERROR(major_status)) { @@ -259,12 +258,12 @@ GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH); nbytes = 0; - oenctype = enctype; + enctype = key->enctype; while (enctype) { nbytes++; enctype >>= 7; } - enctype = oenctype; + enctype = key->enctype; op = oid_buf + GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH + nbytes; i = -1; while (enctype) { From lhoward at MIT.EDU Tue Dec 23 00:29:18 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 23 Dec 2008 00:29:18 -0500 (EST) Subject: svn rev #21575: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812230529.AAA28760@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21575 Commit By: lhoward Log Message: remove gsskrb5_get_subkey() Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h U branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2008-12-23 05:27:14 UTC (rev 21574) +++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2008-12-23 05:29:17 UTC (rev 21575) @@ -920,14 +920,6 @@ OM_uint32 gss_krb5int_inq_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *); -#if 0 -#define GSS_KRB5_GET_SUBKEY_OID_LENGTH 9 -#define GSS_KRB5_GET_SUBKEY_OID "\x2b\x06\x01\x04\x01\xa9\x4a\x13\x06" - -OM_uint32 -gss_krb5int_get_subkey(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *); -#endif - #define GSS_KRB5_SET_CRED_RCACHE_OID_LENGTH 9 #define GSS_KRB5_SET_CRED_RCACHE_OID "\x2b\x06\x01\x04\x01\xa9\x4a\x13\x0d" Modified: branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c 2008-12-23 05:27:14 UTC (rev 21574) +++ branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c 2008-12-23 05:29:17 UTC (rev 21575) 
@@ -189,43 +189,7 @@ return((lifetime == 0)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE); } -#if 0 OM_uint32 -gss_krb5int_get_subkey( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_OID desired_object, - gss_buffer_set_t *data_set) -{ - OM_uint32 major_status; - krb5_error_code code; - krb5_gss_ctx_id_rec *ctx; - krb5_keyblock *key, *outkey; - gss_buffer_desc rep; - - ctx = (krb5_gss_ctx_id_rec *) context_handle; - key = ctx->have_acceptor_subkey ? ctx->acceptor_subkey : ctx->subkey; - - code = krb5_copy_keyblock(ctx->k5_context, key, &outkey); - if (code) { - *minor_status = code; - return GSS_S_FAILURE; - } - - rep.value = &outkey; - rep.length = sizeof(outkey); - - major_status = generic_gss_add_buffer_set_member(minor_status, &rep, data_set); - if (GSS_ERROR(major_status)) { - krb5_free_keyblock(ctx->k5_context, outkey); - return major_status; - } - - return GSS_S_COMPLETE; -} -#endif - -OM_uint32 gss_krb5int_inq_session_key( OM_uint32 *minor_status, const gss_ctx_id_t context_handle, Modified: branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2008-12-23 05:27:14 UTC (rev 21574) +++ branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2008-12-23 05:29:17 UTC (rev 21575) @@ -78,13 +78,7 @@ {GSS_KRB5_INQ_SESSION_KEY_OID_LENGTH, GSS_KRB5_INQ_SESSION_KEY_OID}, gss_krb5int_inq_session_key }, -#if 0 { - {GSS_KRB5_GET_SUBKEY_OID_LENGTH, GSS_KRB5_GET_SUBKEY_OID}, - gss_krb5int_get_subkey - }, -#endif - { {GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID}, gss_krb5int_export_lucid_sec_context }, 
@@ -819,48 +813,6 @@ return major_status; } -#if 0 -OM_uint32 -gsskrb5_get_subkey( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - krb5_keyblock **key) -{ - static const gss_OID_desc const req_oid = { - GSS_KRB5_GET_SUBKEY_OID_LENGTH, - GSS_KRB5_GET_SUBKEY_OID }; - OM_uint32 major_status; - gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; - - if (minor_status == NULL) - return GSS_S_CALL_INACCESSIBLE_WRITE; - - if (key == NULL) - return GSS_S_CALL_INACCESSIBLE_WRITE; - - major_status = gss_inquire_sec_context_by_oid(minor_status, - context_handle, - (const gss_OID)&req_oid, - &data_set); - if (major_status != GSS_S_COMPLETE) - return major_status; - - if (data_set == GSS_C_NO_BUFFER_SET || - data_set->count != 1 || - data_set->elements[0].length != sizeof(*key)) { - return GSS_S_FAILURE; - } - - *key = *((krb5_keyblock **)data_set->elements[0].value); - - gss_release_buffer_set(minor_status, &data_set); - - *minor_status = 0; - - return GSS_S_COMPLETE; -} -#endif - /* * This API should go away and be replaced with an accessor * into a gss_name_t. From lhoward at MIT.EDU Tue Dec 23 01:05:17 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 23 Dec 2008 01:05:17 -0500 (EST) Subject: svn rev #21576: branches/mskrb-integ/src/lib/gssapi/ generic/ krb5/ Message-ID: <200812230605.BAA29257@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21576 Commit By: lhoward Log Message: Cleanup, add generic_gss_oid_compose()/generic_gss_oid_decompose() helpers Changed Files: U branches/mskrb-integ/src/lib/gssapi/generic/gssapiP_generic.h U branches/mskrb-integ/src/lib/gssapi/generic/oid_ops.c U branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c U branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c Modified: branches/mskrb-integ/src/lib/gssapi/generic/gssapiP_generic.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/generic/gssapiP_generic.h 2008-12-23 05:29:17 UTC (rev 21575) +++ branches/mskrb-integ/src/lib/gssapi/generic/gssapiP_generic.h 2008-12-23 06:05:15 UTC (rev 21576) @@ -261,6 +261,22 @@ gss_buffer_t, /* oid_str */ gss_OID *); /* oid */ +OM_uint32 +generic_gss_oid_compose( + OM_uint32 *, /* minor_status */ + const char *, /* prefix */ + size_t, /* prefix_len */ + int, /* suffix */ + gss_OID_desc *); /* oid */ + +OM_uint32 +generic_gss_oid_decompose( + OM_uint32 *, /* minor_status */ + const char *, /*prefix */ + size_t, /* prefix_len */ + gss_OID_desc *, /* oid */ + int *); /* suffix */ + int gssint_mecherrmap_init(void); void gssint_mecherrmap_destroy(void); OM_uint32 gssint_mecherrmap_map(OM_uint32 minor, const gss_OID_desc *oid); Modified: branches/mskrb-integ/src/lib/gssapi/generic/oid_ops.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/generic/oid_ops.c 2008-12-23 05:29:17 UTC (rev 21575) +++ branches/mskrb-integ/src/lib/gssapi/generic/oid_ops.c 2008-12-23 06:05:15 UTC (rev 21576) 
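Review bot: The new `generic_gss_oid_compose` declaration does not document that `oid->length` is read as the capacity of `oid->elements` on entry and overwritten with the encoded length on return, a contract every caller in this commit depends on by setting `req_oid.length = sizeof(oid_buf)` first. Suggest replacing the trailing `/* oid */` with `/* oid: in = buffer capacity in ->length, out = encoded OID */`. For `generic_gss_oid_decompose`, document that `*suffix` is left at 0 when the OID carries no suffix arc and that GSS_S_BAD_MECH means the prefix did not match, since inq_context.c and lucid_context.c each interpret those cases.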
@@ -403,6 +403,92 @@ return(GSS_S_FAILURE); } +/* Compose an OID of a prefix and an integer suffix */ +OM_uint32 +generic_gss_oid_compose( + OM_uint32 *minor_status, + const char *prefix, + size_t prefix_len, + int suffix, + gss_OID_desc *oid) +{ + int osuffix, i; + size_t nbytes; + unsigned char *op; + + if (oid == GSS_C_NO_OID) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + if (oid->length < prefix_len) { + *minor_status = ERANGE; + return GSS_S_FAILURE; + } + + memcpy(oid->elements, prefix, prefix_len); + + nbytes = 0; + osuffix = suffix; + while (suffix) { + nbytes++; + suffix >>= 7; + } + suffix = osuffix; + + if (oid->length < prefix_len + nbytes) { + *minor_status = ERANGE; + return GSS_S_FAILURE; + } + + op = oid->elements + prefix_len + nbytes; + i = -1; + while (suffix) { + op[i] = (unsigned char)suffix & 0x7f; + if (i != -1) + op[i] |= 0x80; + i--; + suffix >>= 7; + } + + oid->length = prefix_len + nbytes; + + *minor_status = 0; + return GSS_S_COMPLETE; +} + +OM_uint32 +generic_gss_oid_decompose( + OM_uint32 *minor_status, + const char *prefix, + size_t prefix_len, + gss_OID_desc *oid, + int *suffix) +{ + size_t i, slen; + unsigned char *op; + + if (oid->length < prefix_len || + memcmp(oid->elements, prefix, prefix_len) != 0) { + return GSS_S_BAD_MECH; + } + + op = oid->elements + prefix_len; + + *suffix = 0; + + slen = oid->length - prefix_len; + + for (i = 0; i < slen; i++) { + *suffix = (*suffix << 7) | (op[i] & 0x7f); + if (i + 1 != slen && (op[i] & 0x80) == 0) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + } + + return GSS_S_COMPLETE; +} + /* * Copyright 1993 by OpenVision Technologies, Inc. * 
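Review bot: `generic_gss_oid_compose` does not reject a negative `suffix`: the `while (suffix) { nbytes++; suffix >>= 7; }` loop right-shifts a signed int, which is implementation-defined and on the usual arithmetic-shift targets never reaches zero, so the loop does not terminate; callers pass `(int)version` from an OM_uint32 (krb5_gss_glue.c) and an `int ad_type`, so a value above INT_MAX or a negative type reaches this. Suggest an early `if (suffix < 0) { *minor_status = EINVAL; return GSS_S_FAILURE; }` or running both loops on an `unsigned int` copy. In `generic_gss_oid_decompose`, `*suffix = (*suffix << 7) | (op[i] & 0x7f)` overflows a signed int once the suffix exceeds four bytes (undefined behaviour), the loop never checks that the final byte has its continuation bit clear, and the GSS_S_BAD_MECH return leaves `*minor_status` unset; a length bound such as `if (slen > 4) { *minor_status = ERANGE; return GSS_S_FAILURE; }` and a post-loop `if (slen != 0 && (op[slen - 1] & 0x80) != 0)` check would close the first two. Both functions also do pointer arithmetic on `oid->elements`, a `void *`, which is a GCC extension; `(unsigned char *)oid->elements + prefix_len` is the portable form.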
@@ -480,3 +566,4 @@ return (major); } + Modified: branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c 2008-12-23 05:29:17 UTC (rev 21575) +++ branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c 2008-12-23 06:05:15 UTC (rev 21576) @@ -201,9 +201,7 @@ gss_buffer_desc keyvalue, keyinfo; OM_uint32 major_status, minor; unsigned char oid_buf[GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH + 6]; - unsigned char *op; - size_t nbytes; - int enctype, i; + gss_OID_desc oid; ctx = (krb5_gss_ctx_id_rec *) context_handle; key = ctx->have_acceptor_subkey ? ctx->acceptor_subkey : ctx->subkey; 
@@ -212,45 +210,37 @@ keyvalue.length = key->length; major_status = generic_gss_add_buffer_set_member(minor_status, &keyvalue, data_set); - if (GSS_ERROR(major_status)) { - gss_release_buffer_set(&minor, data_set); - return major_status; - } + if (GSS_ERROR(major_status)) + goto cleanup; - /* Construct the OID 1.2.840.113554.1.2.2.4. */ - memcpy(oid_buf, GSS_KRB5_SESSION_KEY_ENCTYPE_OID, - GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH); + oid.elements = oid_buf; + oid.length = sizeof(oid_buf); - nbytes = 0; - enctype = key->enctype; - while (enctype) { - nbytes++; - enctype >>= 7; - } - enctype = key->enctype; - op = oid_buf + GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH + nbytes; - i = -1; - while (enctype) { - op[i] = (unsigned char)enctype & 0x7f; - if (i != -1) - op[i] |= 0x80; - i--; - enctype >>= 7; - } + major_status = generic_gss_oid_compose(minor_status, + GSS_KRB5_SESSION_KEY_ENCTYPE_OID, + GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH, + key->enctype, + &oid); + if (GSS_ERROR(major_status)) + goto cleanup; - keyinfo.value = oid_buf; - keyinfo.length = GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH + nbytes; - assert(keyinfo.length <= sizeof(oid_buf)); + keyinfo.value = oid.elements; + keyinfo.length = oid.length; major_status = generic_gss_add_buffer_set_member(minor_status, &keyinfo, data_set); - if (GSS_ERROR(major_status)) { - assert(*data_set != GSS_C_NO_BUFFER_SET); - memset((*data_set)->elements[0].value, 0, (*data_set)->elements[0].length); + if (GSS_ERROR(major_status)) + goto cleanup; + + return GSS_S_COMPLETE; + +cleanup: + if (*data_set != GSS_C_NO_BUFFER_SET) { + if ((*data_set)->count != 0) + memset((*data_set)->elements[0].value, 0, (*data_set)->elements[0].length); gss_release_buffer_set(&minor, data_set); - return major_status; } - return GSS_S_COMPLETE; + return major_status; } OM_uint32 
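Review bot: The `memset` under the `cleanup:` label is the only place that scrubs the copied session key when the second add fails, and nothing says so; suggest `/* elements[0] holds a copy of the session key; scrub it before releasing the set */` above the `if ((*data_set)->count != 0)` test. On the success path the caller receives the key bytes in an ordinary buffer set and inherits the duty to clear them, which a one-line comment before `return GSS_S_COMPLETE;` should state. The enclosing function starts outside the hunk.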
@@ -264,32 +254,21 @@ krb5_gss_ctx_id_rec *ctx; int ad_type = 0; size_t i; - unsigned char *cp; *data_set = GSS_C_NO_BUFFER_SET; ctx = (krb5_gss_ctx_id_rec *) context_handle; - major_status = GSS_S_FAILURE; - *minor_status = ENOENT; - - /* Determine authorization data type from DER encoded OID suffix */ - cp = desired_object->elements; - cp += GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH; - - for (i = 0; - i < desired_object->length - GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH; - i++) - { - ad_type = (ad_type << 7) | (cp[i] & 0x7f); - if ((cp[i] & 0x80) == 0) - break; - /* XXX should we return an error if there is another arc */ + major_status = generic_gss_oid_decompose(minor_status, + GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID, + GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH, + desired_object, + &ad_type); + if (major_status != GSS_S_COMPLETE || ad_type == 0) { + *minor_status = ENOENT; + return GSS_S_FAILURE; } - if (ad_type == 0) - return GSS_S_FAILURE; - if (ctx->authdata != NULL) { for (i = 0; ctx->authdata[i] != NULL; i++) { if (ctx->authdata[i]->ad_type == ad_type) { @@ -298,8 +277,8 @@ ad_data.length = ctx->authdata[i]->length; ad_data.value = ctx->authdata[i]->contents; - major_status = generic_gss_add_buffer_set_member( - minor_status, &ad_data, data_set); + major_status = generic_gss_add_buffer_set_member(minor_status, + &ad_data, data_set); if (GSS_ERROR(major_status)) break; } Modified: branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2008-12-23 05:29:17 UTC (rev 21575) +++ branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2008-12-23 06:05:15 UTC (rev 21576) 
@@ -619,47 +619,25 @@ { unsigned char oid_buf[GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH + 6]; gss_OID_desc req_oid; - OM_uint32 major_status; + OM_uint32 major_status, minor; gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; - int oversion, i; - unsigned char *op; - OM_uint32 nbytes; if (kctx == NULL) return GSS_S_CALL_INACCESSIBLE_WRITE; *kctx = NULL; - /* - * This absolutely horrible code is used to DER encode the - * requested authorization data type into the last element - * of the request OID. Oh for an ASN.1 library... - */ - - memcpy(oid_buf, GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID, - GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH); - - nbytes = 0; - oversion = version; - while (version) { - nbytes++; - version >>= 7; - } - version = oversion; - op = oid_buf + GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH + nbytes; - i = -1; - while (version) { - op[i] = (unsigned char)version & 0x7f; - if (i != -1) - op[i] |= 0x80; - i--; - version >>= 7; - } - req_oid.elements = oid_buf; - req_oid.length = GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH + nbytes; - assert(req_oid.length <= sizeof(oid_buf)); + req_oid.length = sizeof(oid_buf); + major_status = generic_gss_oid_compose(minor_status, + GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID, + GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH, + (int)version, + &req_oid); + if (GSS_ERROR(major_status)) + return major_status; + major_status = gss_inquire_sec_context_by_oid(minor_status, *context_handle, &req_oid, @@ -682,7 +660,7 @@ (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL); *context_handle = GSS_C_NO_CONTEXT; - generic_gss_release_buffer_set(&nbytes, &data_set); + generic_gss_release_buffer_set(&minor, &data_set); return GSS_S_COMPLETE; } 
@@ -828,43 +806,21 @@ unsigned char oid_buf[GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH + 6]; OM_uint32 major_status; gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET; - int oad_type, i; - unsigned char *op; - OM_uint32 nbytes; if (ad_data == NULL) return GSS_S_CALL_INACCESSIBLE_WRITE; - /* - * This absolutely horrible code is used to DER encode the - * requested authorization data type into the last element - * of the request OID. Oh for an ASN.1 library... - */ - - memcpy(oid_buf, GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID, - GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH); - - nbytes = 0; - oad_type = ad_type; - while (ad_type) { - nbytes++; - ad_type >>= 7; - } - ad_type = oad_type; - op = oid_buf + GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH + nbytes; - i = -1; - while (ad_type) { - op[i] = (unsigned char)ad_type & 0x7f; - if (i != -1) - op[i] |= 0x80; - i--; - ad_type >>= 7; - } - req_oid.elements = oid_buf; - req_oid.length = GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH + nbytes; - assert(req_oid.length <= sizeof(oid_buf)); + req_oid.length = sizeof(oid_buf); + major_status = generic_gss_oid_compose(minor_status, + GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID, + GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH, + ad_type, + &req_oid); + if (GSS_ERROR(major_status)) + return major_status; + major_status = gss_inquire_sec_context_by_oid(minor_status, context_handle, (const gss_OID)&req_oid, Modified: branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c 2008-12-23 05:29:17 UTC (rev 21575) +++ branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c 2008-12-23 06:05:15 UTC (rev 21576) @@ -52,7 +52,7 @@ static krb5_error_code make_external_lucid_ctx_v1( krb5_gss_ctx_id_rec * gctx, - unsigned int version, + int version, void **out_ptr); 
@@ -71,9 +71,7 @@ OM_uint32 retval; krb5_gss_ctx_id_t ctx = (krb5_gss_ctx_id_t)context_handle; void *lctx = NULL; - unsigned char *cp; - unsigned int version = 0; - size_t i; + int version = 0; gss_buffer_desc rep; /* Assume failure */ @@ -81,20 +79,14 @@ *minor_status = 0; *data_set = GSS_C_NO_BUFFER_SET; - /* Determine authorization data type from DER encoded OID suffix */ - cp = desired_object->elements; - cp += GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH; + retval = generic_gss_oid_decompose(minor_status, + GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID, + GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH, + desired_object, + &version); + if (GSS_ERROR(retval)) + return retval; - for (i = 0; - i < desired_object->length - GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH; - i++) - { - version = (version << 7) | (cp[i] & 0x7f); - if ((cp[i] & 0x80) == 0) - break; - /* XXX should we return an error if there is another arc */ - } - /* Externalize a structure of the right version */ switch (version) { case 1: @@ -194,7 +186,7 @@ static krb5_error_code make_external_lucid_ctx_v1( krb5_gss_ctx_id_rec * gctx, - unsigned int version, + int version, void **out_ptr) { gss_krb5_lucid_context_v1_t *lctx = NULL; From lhoward at MIT.EDU Tue Dec 23 01:14:39 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 23 Dec 2008 01:14:39 -0500 (EST) Subject: svn rev #21577: branches/mskrb-integ/src/lib/gssapi/generic/ Message-ID: <200812230614.BAA29457@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21577 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h Modified: branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h 2008-12-23 06:05:15 UTC (rev 21576) +++ branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h 2008-12-23 06:14:38 UTC (rev 21577) 
@@ -70,13 +70,6 @@ (OM_uint32 * /*minor_status*/, gss_buffer_set_t * /*buffer_set*/); -/* - * Returns a buffer set with the first member containing the - * session key for SSPI compatibility. The optional second - * member contains an OID identifying the session key type. - */ -GSS_DLLIMP extern gss_OID GSS_C_INQ_SESSION_KEY; - OM_uint32 KRB5_CALLCONV gss_inquire_sec_context_by_oid (OM_uint32 * /*minor_status*/, const gss_ctx_id_t /*context_handle*/, @@ -138,6 +131,13 @@ #define GSS_C_IDENTIFY_FLAG 0x2000 #define GSS_C_EXTENDED_ERROR_FLAG 0x4000 +/* + * Returns a buffer set with the first member containing the + * session key for SSPI compatibility. The optional second + * member contains an OID identifying the session key type. + */ +GSS_DLLIMP extern gss_OID GSS_C_INQ_SESSION_KEY; + OM_uint32 KRB5_CALLCONV gss_complete_auth_token (OM_uint32 *minor_status, const gss_ctx_id_t context_handle, From lhoward at MIT.EDU Tue Dec 23 08:18:16 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 23 Dec 2008 08:18:16 -0500 (EST) Subject: svn rev #21578: branches/mskrb-integ/src/kdc/ Message-ID: <200812231318.IAA06148@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21578 Commit By: lhoward Log Message: Pass TGT session key to handle_authdata() for TGS-REP Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c Modified: branches/mskrb-integ/src/kdc/do_tgs_req.c =================================================================== --- branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-23 06:14:38 UTC (rev 21577) +++ branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-23 13:18:15 UTC (rev 21578) @@ -629,7 +629,8 @@ (c_nprincs != 0) ? &client : NULL, &server, &krbtgt, - NULL, /* ticket reply key not relevant here */ + subkey != NULL ? subkey : + header_ticket->enc_part2->session, &encrypting_key, /* U2U or server key */ pkt, request, From lhoward at MIT.EDU Tue Dec 23 17:48:39 2008 
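Review bot: In the do_tgs_req.c hunk the removed comment `/* ticket reply key not relevant here */` is replaced by a bare conditional expression, and the commit message ("Pass TGT session key") does not match what the code does, which is to prefer the authenticator subkey and fall back to the TGT session key. Keep a comment on the argument stating the intent, e.g. `/* key protecting the TGS-REP: authenticator subkey if present, else TGT session key */`, so a reader does not take the message literally. The dereference `header_ticket->enc_part2->session` presumably relies on the header ticket having been decrypted earlier in the function; the call sits inside a function that starts and ends outside the hunk.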
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 23 Dec 2008 17:48:39 -0500 (EST) Subject: svn rev #21579: branches/mskrb-integ/src/lib/gssapi/spnego/ Message-ID: <200812232248.RAA13478@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21579 Commit By: lhoward Log Message: remove cruft Changed Files: U branches/mskrb-integ/src/lib/gssapi/spnego/gssapiP_spnego.h U branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c Modified: branches/mskrb-integ/src/lib/gssapi/spnego/gssapiP_spnego.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/spnego/gssapiP_spnego.h 2008-12-23 13:18:15 UTC (rev 21578) +++ branches/mskrb-integ/src/lib/gssapi/spnego/gssapiP_spnego.h 2008-12-23 22:48:38 UTC (rev 21579) @@ -341,9 +341,6 @@ const gss_buffer_t value ); -#define GSS_SPNEGO_UPDATED_OID_LENGTH 9 -#define GSS_SPNEGO_UPDATED_OID "\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05" - #ifdef _GSS_STATIC_LINK int gss_spnegoint_lib_init(void); void gss_spnegoint_lib_fini(void); Modified: branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c 2008-12-23 13:18:15 UTC (rev 21578) +++ branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c 2008-12-23 22:48:38 UTC (rev 21579) @@ -992,8 +992,6 @@ return ret; } /* init_sec_context */ -static const gss_OID_desc gss_spnego_updated_oid = - { GSS_SPNEGO_UPDATED_OID_LENGTH, GSS_SPNEGO_UPDATED_OID }; /* We don't want to import KRB5 headers here */ static const gss_OID_desc gss_mech_krb5_oid = { 9, "\052\206\110\206\367\022\001\002\002" }; From lhoward at MIT.EDU Tue Dec 23 17:50:20 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 23 Dec 2008 17:50:20 -0500 (EST) Subject: svn rev #21580: branches/mskrb-integ/src/lib/gssapi/ generic/ krb5/ Message-ID: <200812232250.RAA13579@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21580 Commit By: lhoward Log Message: Move mechanism extension OIDs from PADL arc to 1.2.840.113554.1.2.2.5 Move algorithm OID arc from PADL arc to 1.2.840.113554.1.2.2.4 Changed Files: U branches/mskrb-integ/src/lib/gssapi/generic/gssapi_generic.c U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h U branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c Modified: branches/mskrb-integ/src/lib/gssapi/generic/gssapi_generic.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/generic/gssapi_generic.c 2008-12-23 22:48:38 UTC (rev 21579) +++ branches/mskrb-integ/src/lib/gssapi/generic/gssapi_generic.c 2008-12-23 22:50:19 UTC (rev 21580) @@ -120,8 +120,8 @@ * to that gss_OID_desc. */ - /* GSS_C_INQ_SESSION_KEY */ - {9, "\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"}, + /* GSS_C_INQ_SESSION_KEY 1.2.840.113554.1.2.2.5.5 */ + {11, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"}, }; /* Here are the constants which point to the static structure above. Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2008-12-23 22:48:38 UTC (rev 21579) +++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2008-12-23 22:50:19 UTC (rev 21580) 
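Review bot: Each OID in this commit is hand-encoded as a byte string with a separately maintained length (11) — here in the gssapi_generic.c table and in every `*_OID_LENGTH`/`*_OID` pair of the gssapiP_krb5.h hunks that follow (@@ -818, -827, -836, -850, -864, -873, -883 and -907) — so a later edit to one without the other silently yields a truncated or over-long OID that never matches. In the header the length can be derived from the literal, e.g. `#define GSS_KRB5_GET_TKT_FLAGS_OID_LENGTH (sizeof(GSS_KRB5_GET_TKT_FLAGS_OID) - 1)`, which would also have made the 9 → 11 edits unnecessary. The `(void *)` cast on the new table entry is not needed for a string literal in C and the neighbouring entries presumably do not carry one; drop it for consistency. The bytes do decode to 1.2.840.113554.1.2.2.5.5 as the comment states.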
@@ -818,8 +818,8 @@ * These take unglued krb5-mech-specific contexts. */ -#define GSS_KRB5_GET_TKT_FLAGS_OID_LENGTH 9 -#define GSS_KRB5_GET_TKT_FLAGS_OID "\x2b\x06\x01\x04\x01\xa9\x4a\x13\x02" +#define GSS_KRB5_GET_TKT_FLAGS_OID_LENGTH 11 +#define GSS_KRB5_GET_TKT_FLAGS_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x02" OM_uint32 KRB5_CALLCONV gss_krb5int_get_tkt_flags (OM_uint32 *minor_status, @@ -827,8 +827,8 @@ const gss_OID desired_object, gss_buffer_set_t *data_set); -#define GSS_KRB5_COPY_CCACHE_OID_LENGTH 9 -#define GSS_KRB5_COPY_CCACHE_OID "\x2b\x06\x01\x04\x01\xa9\x4a\x13\x01" +#define GSS_KRB5_COPY_CCACHE_OID_LENGTH 11 +#define GSS_KRB5_COPY_CCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x01" OM_uint32 KRB5_CALLCONV gss_krb5int_copy_ccache (OM_uint32 *minor_status, @@ -836,8 +836,8 @@ const gss_OID desired_oid, const gss_buffer_t value); -#define GSS_KRB5_CCACHE_NAME_OID_LENGTH 9 -#define GSS_KRB5_CCACHE_NAME_OID "\x2b\x06\x01\x04\x01\xa9\x4a\x13\x0a" +#define GSS_KRB5_CCACHE_NAME_OID_LENGTH 11 +#define GSS_KRB5_CCACHE_NAME_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0a" struct krb5_gss_ccache_name_req { const char *name; @@ -850,8 +850,8 @@ const gss_OID, const gss_buffer_t); -#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID_LENGTH 9 -#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID "\x2b\x06\x01\x04\x01\xa9\x4a\x13\x08" +#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID_LENGTH 11 +#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x08" struct krb5_gss_set_allowable_enctypes_req { OM_uint32 num_ktypes; 
@@ -864,8 +864,8 @@ const gss_OID desired_oid, const gss_buffer_t value); -#define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH 9 -#define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID "\x2b\x06\x01\x04\x01\xa9\x4a\x13\x07" +#define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH 11 +#define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x07" OM_uint32 gss_krb5int_export_lucid_sec_context(OM_uint32 *minor_status, @@ -873,8 +873,8 @@ const gss_OID desired_object, gss_buffer_set_t *data_set); -#define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH 9 -#define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID "\x2b\x06\x01\x04\x01\xa9\x4a\x13\x0b" +#define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH 11 +#define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0b" OM_uint32 gss_krb5int_free_lucid_sec_context(OM_uint32 *, const gss_OID, 
@@ -883,22 +883,22 @@ extern k5_mutex_t kg_kdc_flag_mutex; krb5_error_code krb5_gss_init_context (krb5_context *ctxp); -#define GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH 9 -#define GSS_KRB5_USE_KDC_CONTEXT_OID "\x2b\x06\x01\x04\x01\xa9\x4a\x13\x0c" +#define GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH 11 +#define GSS_KRB5_USE_KDC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0c" OM_uint32 krb5int_gss_use_kdc_context(OM_uint32 *, const gss_OID, const gss_OID, gss_buffer_t); krb5_error_code krb5_gss_use_kdc_context(void); -#define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH 9 -#define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID "\x2b\x06\x01\x04\x01\xa9\x4a\x13\x09" +#define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH 11 +#define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x09" OM_uint32 gss_krb5int_register_acceptor_identity(OM_uint32 *, const gss_OID, const gss_OID, gss_buffer_t); -#define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 9 -#define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2b\x06\x01\x04\x01\xa9\x4a\x13\x03" +#define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 11 +#define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x03" OM_uint32 gss_krb5int_extract_authz_data_from_sec_context(OM_uint32 *minor_status, 
@@ -907,27 +907,27 @@ gss_buffer_set_t *ad_data); #if 0 -#define GSS_KRB5_SET_ACCEPTOR_ALIAS_OID_LENGTH 9 -#define GSS_KRB5_SET_ACCEPTOR_ALIAS_OID "\x2b\x06\x01\x04\x01\xa9\x4a\x13\x04" +#define GSS_KRB5_SET_ACCEPTOR_ALIAS_OID_LENGTH 11 +#define GSS_KRB5_SET_ACCEPTOR_ALIAS_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x04" OM_uint32 gss_krb5int_set_cred_alias(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *); #endif -#define GSS_KRB5_INQ_SESSION_KEY_OID_LENGTH 9 -#define GSS_KRB5_INQ_SESSION_KEY_OID "\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05" +#define GSS_KRB5_INQ_SESSION_KEY_OID_LENGTH 11 +#define GSS_KRB5_INQ_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05" OM_uint32 gss_krb5int_inq_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *); -#define GSS_KRB5_SET_CRED_RCACHE_OID_LENGTH 9 -#define GSS_KRB5_SET_CRED_RCACHE_OID "\x2b\x06\x01\x04\x01\xa9\x4a\x13\x0d" +#define GSS_KRB5_SET_CRED_RCACHE_OID_LENGTH 11 +#define GSS_KRB5_SET_CRED_RCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0d" OM_uint32 gss_krb5int_set_cred_rcache(OM_uint32 *, gss_cred_id_t, const gss_OID, const gss_buffer_t); -#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH 9 -#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2b\x06\x01\x04\x01\xa9\x4a\x13\x0e" +#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH 11 +#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0e" OM_uint32 gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *, 
@@ -965,6 +965,6 @@ /* Prefix concatenated with Kerberos encryption type */ #define GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH 10 -#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID "\052\206\110\206\367\022\001\002\002\004" +#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04" #endif /* _GSSAPIP_KRB5_H_ */ Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c 2008-12-23 22:48:38 UTC (rev 21579) +++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c 2008-12-23 22:50:19 UTC (rev 21580) @@ -107,7 +107,9 @@ * identifiers is: * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2) * krb5(2) krb5_enctype(4) = 1.2.840.113554.1.2.2.4 - * + * Provisionally reserved for Kerberos mechanism-specific APIs: + * iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2) + * krb5(2) krb5_gssapi_ext(5) = 1.2.840.113554.1.2.2.5 */ /* From lhoward at MIT.EDU Tue Dec 23 18:16:27 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 23 Dec 2008 18:16:27 -0500 (EST) Subject: svn rev #21581: branches/mskrb-integ/src/clients/kinit/ Message-ID: <200812232316.SAA13951@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21581 Commit By: lhoward Log Message: Add -E option for parsing enterprise principal names. Changed Files: U branches/mskrb-integ/src/clients/kinit/kinit.c Modified: branches/mskrb-integ/src/clients/kinit/kinit.c =================================================================== --- branches/mskrb-integ/src/clients/kinit/kinit.c 2008-12-23 22:50:19 UTC (rev 21580) +++ branches/mskrb-integ/src/clients/kinit/kinit.c 2008-12-23 23:16:26 UTC (rev 21581) @@ -124,6 +124,7 @@ krb5_gic_opt_pa_data *pa_opts; int canonicalize; + int enterprise; }; struct k5_data 
@@ -148,6 +149,7 @@ { "proxiable", 0, NULL, 'p' }, { "noaddresses", 0, NULL, 'A' }, { "canonicalize", 0, NULL, 'C' }, + { "enterprise", 0, NULL, 'E' }, { NULL, 0, NULL, 0 } }; @@ -162,17 +164,19 @@ #define USAGE_BREAK "\n\t" #ifdef GETOPT_LONG -#define USAGE_LONG_FORWARDABLE " | --forwardable | --noforwardable" -#define USAGE_LONG_PROXIABLE " | --proxiable | --noproxiable" -#define USAGE_LONG_ADDRESSES " | --addresses | --noaddresses" -#define USAGE_LONG_CANONICALiZE " | --canonicalize" +#define USAGE_LONG_FORWARDABLE " | --forwardable | --noforwardable" +#define USAGE_LONG_PROXIABLE " | --proxiable | --noproxiable" +#define USAGE_LONG_ADDRESSES " | --addresses | --noaddresses" +#define USAGE_LONG_CANONICALIZE " | --canonicalize" +#define USAGE_LONG_ENTERPRISE " | --enterprise" #define USAGE_BREAK_LONG USAGE_BREAK #else -#define USAGE_LONG_FORWARDABLE "" -#define USAGE_LONG_PROXIABLE "" -#define USAGE_LONG_ADDRESSES "" +#define USAGE_LONG_FORWARDABLE "" +#define USAGE_LONG_PROXIABLE "" +#define USAGE_LONG_ADDRESSES "" #define USAGE_LONG_CANONICALIZE "" -#define USAGE_BREAK_LONG "" +#define USAGE_LONG_ENTERPRISE "" +#define USAGE_BREAK_LONG "" #endif fprintf(stderr, "Usage: %s [-V] " @@ -187,6 +191,8 @@ USAGE_BREAK_LONG "[-C" USAGE_LONG_CANONICALIZE "] " USAGE_BREAK + "[-E" USAGE_LONG_ENTERPRISE "] " + USAGE_BREAK "[-v] [-R] " "[-k [-t keytab_file]] " "[-c cachename] " @@ -210,6 +216,7 @@ fprintf(stderr, "\t-v validate\n"); fprintf(stderr, "\t-R renew\n"); fprintf(stderr, "\t-C canonicalize\n"); + fprintf(stderr, "\t-E client is enterprise principal name\n"); fprintf(stderr, "\t-k use keytab\n"); fprintf(stderr, "\t-t filename of keytab to use\n"); fprintf(stderr, "\t-c Kerberos 5 cache name\n"); @@ -271,7 +278,7 @@ int errflg = 0; int i; - while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:vX:C")) + while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:vX:CE")) != -1) { switch (i) { case 'V': 
@@ -366,6 +373,9 @@ case 'C': opts->canonicalize = 1; break; + case 'E': + opts->enterprise = 1; + break; case '4': fprintf(stderr, "Kerberos 4 is no longer supported\n"); exit(3); @@ -414,6 +424,7 @@ struct k5_data* k5; { krb5_error_code code = 0; + int flags = opts->enterprise ? KRB5_PRINCIPAL_PARSE_ENTERPRISE : 0; code = krb5_init_context(&k5->ctx); if (code) { @@ -441,8 +452,8 @@ if (opts->principal_name) { /* Use specified name */ - if ((code = krb5_parse_name(k5->ctx, opts->principal_name, - &k5->me))) { + if ((code = krb5_parse_name_flags(k5->ctx, opts->principal_name, + flags, &k5->me))) { com_err(progname, code, "when parsing name %s", opts->principal_name); return 0; @@ -472,8 +483,8 @@ fprintf(stderr, "Unable to identify user\n"); return 0; } - if ((code = krb5_parse_name(k5->ctx, name, - &k5->me))) + if ((code = krb5_parse_name_flags(k5->ctx, name, + flags, &k5->me))) { com_err(progname, code, "when parsing name %s", name); From lhoward at MIT.EDU Tue Dec 23 19:41:05 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 23 Dec 2008 19:41:05 -0500 (EST) Subject: svn rev #21582: branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ Message-ID: <200812240041.TAA15073@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21582 Commit By: lhoward Log Message: update for SPI changes Changed Files: U branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h U branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c Modified: branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h =================================================================== --- branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h 2008-12-23 23:16:26 UTC (rev 21581) +++ branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h 2008-12-24 00:41:02 UTC (rev 21582) 
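Review bot: `flags` derived from -E is applied to both krb5_parse_name_flags calls, including the one at @@ -472 that parses the name recovered from the credential cache or the local user rather than a name the user typed; if the option is meant to describe only the command-line principal, that second call should pass `0`, and if applying it to both is deliberate a comment saying so would stop the next reader from "fixing" it. The `int flags = ...` line would also benefit from a short comment tying it to -E, e.g. `/* -E: parse client names as NT-ENTERPRISE */`. Both call sites are inside a function whose start and end lie outside the hunks.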
@@ -89,7 +89,7 @@ krb5_error_code krb5_ldap_get_principal(krb5_context , krb5_const_principal , - krb5_db_entry *,int *, krb5_boolean *); + unsigned int, krb5_db_entry *,int *, krb5_boolean *); krb5_error_code krb5_ldap_delete_principal(krb5_context, krb5_const_principal, int *); Modified: branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c =================================================================== --- branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2008-12-23 23:16:26 UTC (rev 21581) +++ branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2008-12-24 00:41:02 UTC (rev 21582) @@ -74,9 +74,10 @@ */ krb5_error_code -krb5_ldap_get_principal(context, searchfor, entries, nentries, more) +krb5_ldap_get_principal(context, searchfor, flags, entries, nentries, more) krb5_context context; krb5_const_principal searchfor; + unsigned int flags; krb5_db_entry *entries; /* filled in */ int *nentries; /* how much room/how many found */ krb5_boolean *more; /* are there more? */ From lhoward at MIT.EDU Tue Dec 23 22:32:59 2008 
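Review bot: The new `unsigned int flags` parameter of krb5_ldap_get_principal is declared in the header and the definition, but nothing in the visible part of the ldap_principal2.c hunk reads it and the body continues outside the hunk; if the LDAP backend intentionally ignores lookup flags for now, say so at the parameter, `unsigned int flags; /* currently unused by the LDAP backend */`, otherwise callers will assume the flags are honored. The accepted values should be documented where the prototype is declared.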
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 23 Dec 2008 22:32:59 -0500 (EST) Subject: svn rev #21583: branches/mskrb-integ/src/lib/gssapi/ generic/ krb5/ Message-ID: <200812240332.WAA17193@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21583 Commit By: lhoward Log Message: s/GSS_C_INQ_SESSION_KEY/GSS_C_INQ_SSPI_SESSION_KEY/ Changed Files: U branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h U branches/mskrb-integ/src/lib/gssapi/generic/gssapi_generic.c U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c U branches/mskrb-integ/src/lib/gssapi/libgssapi_krb5.exports Modified: branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h 2008-12-24 00:41:02 UTC (rev 21582) +++ branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h 2008-12-24 03:32:57 UTC (rev 21583) @@ -136,7 +136,7 @@ * session key for SSPI compatibility. The optional second * member contains an OID identifying the session key type. */ -GSS_DLLIMP extern gss_OID GSS_C_INQ_SESSION_KEY; +GSS_DLLIMP extern gss_OID GSS_C_INQ_SSPI_SESSION_KEY; OM_uint32 KRB5_CALLCONV gss_complete_auth_token (OM_uint32 *minor_status, Modified: branches/mskrb-integ/src/lib/gssapi/generic/gssapi_generic.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/generic/gssapi_generic.c 2008-12-24 00:41:02 UTC (rev 21582) +++ branches/mskrb-integ/src/lib/gssapi/generic/gssapi_generic.c 2008-12-24 03:32:57 UTC (rev 21583) @@ -120,7 +120,7 @@ * to that gss_OID_desc. */ - /* GSS_C_INQ_SESSION_KEY 1.2.840.113554.1.2.2.5.5 */ + /* GSS_C_INQ_SSPI_SESSION_KEY 1.2.840.113554.1.2.2.5.5 */ {11, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"}, }; 
@@ -151,5 +151,5 @@ GSS_DLLIMP gss_OID GSS_C_NT_EXPORT_NAME = oids+6; gss_OID gss_nt_exported_name = oids+6; -GSS_DLLIMP gss_OID GSS_C_INQ_SESSION_KEY = oids+7; +GSS_DLLIMP gss_OID GSS_C_INQ_SSPI_SESSION_KEY = oids+7; Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2008-12-24 00:41:02 UTC (rev 21582) +++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2008-12-24 03:32:57 UTC (rev 21583) @@ -914,8 +914,8 @@ gss_krb5int_set_cred_alias(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *); #endif -#define GSS_KRB5_INQ_SESSION_KEY_OID_LENGTH 11 -#define GSS_KRB5_INQ_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05" +#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11 +#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05" OM_uint32 gss_krb5int_inq_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *); Modified: branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2008-12-24 00:41:02 UTC (rev 21582) +++ branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2008-12-24 03:32:57 UTC (rev 21583) @@ -75,7 +75,7 @@ gss_krb5int_extract_authz_data_from_sec_context }, { - {GSS_KRB5_INQ_SESSION_KEY_OID_LENGTH, GSS_KRB5_INQ_SESSION_KEY_OID}, + {GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH, GSS_KRB5_INQ_SSPI_SESSION_KEY_OID}, gss_krb5int_inq_session_key }, { Modified: branches/mskrb-integ/src/lib/gssapi/libgssapi_krb5.exports =================================================================== --- branches/mskrb-integ/src/lib/gssapi/libgssapi_krb5.exports 2008-12-24 00:41:02 UTC (rev 21582) +++ branches/mskrb-integ/src/lib/gssapi/libgssapi_krb5.exports 2008-12-24 03:32:57 UTC (rev 21583) 
@@ -1,4 +1,4 @@ -GSS_C_INQ_SESSION_KEY +GSS_C_INQ_SSPI_SESSION_KEY GSS_C_NT_ANONYMOUS GSS_C_NT_EXPORT_NAME GSS_C_NT_HOSTBASED_SERVICE From lhoward at MIT.EDU Tue Dec 23 22:38:32 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 23 Dec 2008 22:38:32 -0500 (EST) Subject: svn rev #21584: branches/mskrb-integ/src/include/krb5/ Message-ID: <200812240338.WAA17329@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21584 Commit By: lhoward Log Message: update for changed interface Changed Files: U branches/mskrb-integ/src/include/krb5/authdata_plugin.h Modified: branches/mskrb-integ/src/include/krb5/authdata_plugin.h =================================================================== --- branches/mskrb-integ/src/include/krb5/authdata_plugin.h 2008-12-24 03:32:57 UTC (rev 21583) +++ branches/mskrb-integ/src/include/krb5/authdata_plugin.h 2008-12-24 03:38:31 UTC (rev 21584) @@ -145,7 +145,6 @@ */ krb5_error_code (*authdata_proc)(krb5_context, unsigned int flags, - krb5_const_principal reply_client, struct _krb5_db_entry_new *client, struct _krb5_db_entry_new *server, struct _krb5_db_entry_new *tgs, @@ -153,6 +152,7 @@ krb5_keyblock *server_key, krb5_data *req_pkt, krb5_kdc_req *request, + krb5_const_principal for_user_princ, krb5_enc_tkt_part *enc_tkt_request, krb5_enc_tkt_part *enc_tkt_reply); } krb5plugin_authdata_ftable_v1; From lhoward at MIT.EDU Tue Dec 23 22:40:57 2008 
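Review bot: In the authdata_plugin.h hunks the `authdata_proc` signature changes — `reply_client` is removed and `for_user_princ` is added several positions later — while the table type keeps the name krb5plugin_authdata_ftable_v1, so a plugin built against the previous layout would still load and be called with misaligned arguments if the KDC only checks the table name. Either bump to a new table version or add a comment at the typedef stating that the v1 layout is not frozen on this branch, e.g. `/* NOTE: v1 layout still changing on mskrb-integ; rebuild plugins against this header */`. The struct being modified begins outside the first hunk.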
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 23 Dec 2008 22:40:57 -0500 (EST) Subject: svn rev #21585: branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ Message-ID: <200812240340.WAA17433@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21585 Commit By: lhoward Log Message: fix a build error Changed Files: U branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c Modified: branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c =================================================================== --- branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2008-12-24 03:38:31 UTC (rev 21584) +++ branches/mskrb-integ/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2008-12-24 03:40:56 UTC (rev 21585) @@ -254,7 +254,7 @@ SETUP_CONTEXT(); /* get the principal info */ - if ((st=krb5_ldap_get_principal(context, searchfor, &entries, nentries, &more)) != 0 || *nentries == 0) + if ((st=krb5_ldap_get_principal(context, searchfor, 0, &entries, nentries, &more)) != 0 || *nentries == 0) goto cleanup; if (((st=krb5_get_princ_type(context, &entries, &(ptype))) != 0) || From lhoward at MIT.EDU Wed Dec 24 00:57:43 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 24 Dec 2008 00:57:43 -0500 (EST) Subject: svn rev #21586: branches/mskrb-integ/src/ include/krb5/ lib/krb5/krb/ Message-ID: <200812240557.AAA19041@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21586 Commit By: lhoward Log Message: s/KRB5_PRINCIPAL_PARSE_MUST_REALM/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM Changed Files: U branches/mskrb-integ/src/include/krb5/krb5.hin U branches/mskrb-integ/src/lib/krb5/krb/parse.c Modified: branches/mskrb-integ/src/include/krb5/krb5.hin =================================================================== --- branches/mskrb-integ/src/include/krb5/krb5.hin 2008-12-24 03:40:56 UTC (rev 21585) +++ branches/mskrb-integ/src/include/krb5/krb5.hin 2008-12-24 05:57:41 UTC (rev 21586) 
@@ -1608,9 +1608,9 @@ (krb5_context, const char *, krb5_principal * ); -#define KRB5_PRINCIPAL_PARSE_NO_REALM 1 -#define KRB5_PRINCIPAL_PARSE_MUST_REALM 2 -#define KRB5_PRINCIPAL_PARSE_ENTERPRISE 4 +#define KRB5_PRINCIPAL_PARSE_NO_REALM 0x1 +#define KRB5_PRINCIPAL_PARSE_REQUIRE_REALM 0x2 +#define KRB5_PRINCIPAL_PARSE_ENTERPRISE 0x4 krb5_error_code KRB5_CALLCONV krb5_parse_name_flags (krb5_context, const char *, @@ -1625,9 +1625,9 @@ krb5_const_principal, char **, unsigned int *); -#define KRB5_PRINCIPAL_UNPARSE_SHORT 1 -#define KRB5_PRINCIPAL_UNPARSE_NO_REALM 2 -#define KRB5_PRINCIPAL_UNPARSE_DISPLAY 4 +#define KRB5_PRINCIPAL_UNPARSE_SHORT 0x1 +#define KRB5_PRINCIPAL_UNPARSE_NO_REALM 0x2 +#define KRB5_PRINCIPAL_UNPARSE_DISPLAY 0x4 krb5_error_code KRB5_CALLCONV krb5_unparse_name_flags (krb5_context, krb5_const_principal, Modified: branches/mskrb-integ/src/lib/krb5/krb/parse.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/parse.c 2008-12-24 03:40:56 UTC (rev 21585) +++ branches/mskrb-integ/src/lib/krb5/krb/parse.c 2008-12-24 05:57:41 UTC (rev 21586) @@ -157,7 +157,7 @@ * realm will be empty. */ if (!parsed_realm) { - if (flags & KRB5_PRINCIPAL_PARSE_MUST_REALM) { + if (flags & KRB5_PRINCIPAL_PARSE_REQUIRE_REALM) { krb5_set_error_message(context, KRB5_PARSE_MALFORMED, "Principal %s is missing required realm", name); krb5_xfree(principal->data); From lhoward at MIT.EDU Wed Dec 24 02:45:19 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 24 Dec 2008 02:45:19 -0500 (EST) Subject: svn rev #21587: branches/mskrb-integ/src/clients/kinit/ Message-ID: <200812240745.CAA20343@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21587 Commit By: lhoward Log Message: Set client principal name correctly with canonicalization Changed Files: U branches/mskrb-integ/src/clients/kinit/kinit.c Modified: branches/mskrb-integ/src/clients/kinit/kinit.c =================================================================== --- branches/mskrb-integ/src/clients/kinit/kinit.c 2008-12-24 05:57:41 UTC (rev 21586) +++ branches/mskrb-integ/src/clients/kinit/kinit.c 2008-12-24 07:45:18 UTC (rev 21587) @@ -655,7 +655,8 @@ goto cleanup; } - code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me); + code = krb5_cc_initialize(k5->ctx, k5->cc, + opts->canonicalize ? my_creds.client : k5->me); if (code) { com_err(progname, code, "when initializing cache %s", opts->k5_cache_name?opts->k5_cache_name:""); From ghudson at MIT.EDU Wed Dec 24 11:51:34 2008 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Wed, 24 Dec 2008 11:51:34 -0500 (EST) Subject: svn rev #21588: trunk/ src/config-files/ src/lib/krb5/os/ Message-ID: <200812241651.LAA28495@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21588 Commit By: ghudson Log Message: ticket: 6031 Add a new fallback host-to-realm heuristic to try the components of the hostname as domains. The heuristic is off by default and is controlled by the realm_try_domains variable under libdefaults. Based on a patch submitted by Mark Phalan from Sun. Changed Files: U trunk/README U trunk/src/config-files/krb5.conf.M U trunk/src/lib/krb5/os/hst_realm.c Modified: trunk/README =================================================================== --- trunk/README 2008-12-24 07:45:18 UTC (rev 21587) +++ trunk/README 2008-12-24 16:51:33 UTC (rev 21588) 
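Review bot: The new `opts->canonicalize ? my_creds.client : k5->me` argument depends on my_creds having been populated by the get-init-creds call that precedes this hunk; on the success path that holds, but the reason for the substitution is not stated, so add `/* With canonicalization the KDC may return a different client name; make it the cache's default principal. */` above the call. If k5->me is still used after this point (outside the hunk) for messages or comparisons, those will now disagree with the cache's principal; worth checking. The enclosing function starts and ends outside the hunk.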
@@ -425,6 +425,10 @@ slave/kpropd_rpc.c slave/kproplog.c +and marked portions of the following files: + + lib/krb5/os/hst_realm.c + are subject to the following license: Copyright (c) 2004 Sun Microsystems, Inc. Modified: trunk/src/config-files/krb5.conf.M =================================================================== --- trunk/src/config-files/krb5.conf.M 2008-12-24 07:45:18 UTC (rev 21587) +++ trunk/src/config-files/krb5.conf.M 2008-12-24 16:51:33 UTC (rev 21588) @@ -201,6 +201,16 @@ General flag controlling the use of DNS for Kerberos information. If both of the preceding options are specified, this option has no effect. +.IP realm_try_domains +Indicate whether a host's domain components should be used to +determine the Kerberos realm of the host. The value of this variable +is an integer: -1 means not to search, 0 means to try the host's +domain itself, 1 means to also try the domain's immediate parent, and +so forth. The library's usual mechanism for locating Kerberos realms +is used to determine whether a domain is a valid realm--which may +involve consulting DNS if dns_lookup_kdc is set. The default is not +to search domain components. + .IP extra_addresses This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a network that uses NATs. The addresses should Modified: trunk/src/lib/krb5/os/hst_realm.c =================================================================== --- trunk/src/lib/krb5/os/hst_realm.c 2008-12-24 07:45:18 UTC (rev 21587) +++ trunk/src/lib/krb5/os/hst_realm.c 2008-12-24 16:51:33 UTC (rev 21588) @@ -78,6 +78,10 @@ #include "fake-addrinfo.h" +static krb5_error_code +domain_heuristic(krb5_context context, const char *domain, + char **realm, int limit); + #ifdef KRB5_DNS_LOOKUP #include "dnsglue.h" 
@@ -334,7 +338,7 @@ krb5_get_fallback_host_realm(krb5_context context, krb5_data *hdata, char ***realmsp) { char **retrealms; - char *default_realm, *realm, *cp, *temp_realm; + char *realm, *cp; krb5_error_code retval; char local_host[MAXDNAME+1], host[MAXDNAME+1]; 
@@ -348,71 +352,71 @@ krb5int_clean_hostname(context, host, local_host, sizeof local_host); - /* Scan hostname for DNS realm, and save as last-ditch realm - assumption. */ - cp = local_host; -#ifdef DEBUG_REFERRALS - printf(" local_host: %s\n",local_host); -#endif - realm = default_realm = (char *)NULL; - temp_realm = 0; - while (cp && !default_realm) { - if (*cp == '.') { - cp++; - if (default_realm == (char *)NULL) { - /* If nothing else works, use the host's domain */ - default_realm = cp; - } - } else { - cp = strchr(cp, '.'); - } + /* + * Try looking up a _kerberos. TXT record in DNS. This + * heuristic is turned off by default since, in the absence of + * secure DNS, it can allow an attacker to control the realm used + * for a host. + */ + realm = (char *)NULL; +#ifdef KRB5_DNS_LOOKUP + if (_krb5_use_dns_realm(context)) { + cp = local_host; + do { + retval = krb5_try_realm_txt_rr("_kerberos", cp, &realm); + cp = strchr(cp,'.'); + if (cp) + cp++; + } while (retval && cp && cp[0]); } -#ifdef DEBUG_REFERRALS - printf(" done finding DNS-based default realm: >%s<\n",default_realm); -#endif +#endif /* KRB5_DNS_LOOKUP */ -#ifdef KRB5_DNS_LOOKUP + /* + * Next try searching the domain components as realms. This + * heuristic is also turned off by default. If DNS lookups for + * KDCs are enabled (as they are by default), an attacker could + * control which domain component is used as the realm for a host. + */ if (realm == (char *)NULL) { - int use_dns = _krb5_use_dns_realm(context); - if ( use_dns ) { - /* - * Since this didn't appear in our config file, try looking - * it up via DNS. Look for a TXT records of the form: - * - * _kerberos. 
- * - */ - cp = local_host; - do { - retval = krb5_try_realm_txt_rr("_kerberos", cp, &realm); - cp = strchr(cp,'.'); - if (cp) - cp++; - } while (retval && cp && cp[0]); - } + int limit; + errcode_t code; + + code = profile_get_integer(context->profile, "libdefaults", + "realm_try_domains", 0, -1, &limit); + if (code == 0) { + retval = domain_heuristic(context, local_host, &realm, limit); + if (retval) + return retval; + } } -#endif /* KRB5_DNS_LOOKUP */ - + /* + * The next fallback--and the first one to apply with default + * configuration--is to use the upper-cased parent domain of the + * hostname, regardless of whether we can actually look it up as a + * realm. + */ if (realm == (char *)NULL) { - if (default_realm != (char *)NULL) { - /* We are defaulting to the realm of the host */ - if (!(cp = strdup(default_realm))) - return ENOMEM; - realm = cp; - - /* Assume the realm name is upper case */ + cp = strchr(local_host, '.'); + if (cp) { + if (!(realm = strdup(cp + 1))) + return ENOMEM; for (cp = realm; *cp; cp++) if (islower((int) (*cp))) *cp = toupper((int) *cp); - } else { - /* We are defaulting to the local realm */ - retval = krb5_get_default_realm(context, &realm); - if (retval) { - return retval; - } - } + } } + + /* + * The final fallback--used when the fully-qualified hostname has + * only one component--is to use the local default realm. + */ + if (realm == (char *)NULL) { + retval = krb5_get_default_realm(context, &realm); + if (retval) + return retval; + } + if (!(retrealms = (char **)calloc(2, sizeof(*retrealms)))) { if (realm != (char *)NULL) free(realm); 
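Review bot: A non-zero `code` from profile_get_integer in the realm_try_domains block silently disables the domain heuristic, so a malformed value in krb5.conf (which the man page hunk in this commit defines as an integer) is indistinguishable from the default of -1, even though every other failure in this function is propagated; unless ignoring a bad value is intended, use `if (code) return code;` and drop the `if (code == 0)` nesting. The DNS TXT loop leaves `retval` holding the last lookup failure when it exits with realm still NULL; it is overwritten before use on the paths shown, but a reader has to trace that, so a reset to 0 after the loop or a short comment would help. The two security comments explaining why each heuristic is off by default are a welcome addition. The enclosing function starts in the preceding hunk and continues after this one.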
@@ -488,3 +492,70 @@ #endif return 0; } + +/* + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + +/* + * Walk through the components of a domain. At each stage determine + * if a KDC can be located for that domain. Return a realm + * corresponding to the upper-cased domain name for which a KDC was + * found or NULL if no KDC was found. Stop searching after limit + * labels have been removed from the domain (-1 means don't search at + * all, 0 means try only the full domain itself, 1 means also try the + * parent domain, etc.) or when we reach a parent with only one label. + */ +static krb5_error_code +domain_heuristic(krb5_context context, const char *domain, + char **realm, int limit) +{ + krb5_error_code retval = 0, r; + struct addrlist alist; + krb5_data drealm; + char *cp = NULL; + char *fqdn = NULL; + + *realm = NULL; + if (limit < 0) + return 0; + + memset(&drealm, 0, sizeof (drealm)); + if (!(fqdn = strdup(domain))) { + retval = ENOMEM; + goto cleanup; + } + + /* Upper case the domain (for use as a realm) */ + for (cp = fqdn; *cp; cp++) + if (islower((int)(*cp))) + *cp = toupper((int)*cp); + + /* Search up to limit parents, as long as we have multiple labels. */ + cp = fqdn; + while (limit-- >= 0 && strchr(cp, '.') != NULL) { + + drealm.length = strlen(cp); + drealm.data = cp; + + /* Find a kdc based on this part of the domain name. */ + r = krb5_locate_kdc(context, &drealm, &alist, 0, SOCK_DGRAM, 0); + if (!r) { /* Found a KDC! */ + krb5int_free_addrlist(&alist); + if (!(*realm = strdup(cp))) { + retval = ENOMEM; + goto cleanup; + } + break; + } + + cp = strchr(cp, '.'); + cp++; + } + +cleanup: + if (fqdn) + free(fqdn); + return retval; +} From ghudson at MIT.EDU Wed Dec 24 13:48:03 2008 
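Review bot: `if (fqdn) free(fqdn);` at the cleanup label is a redundant guard, since `free(NULL)` is a no-op; `free(fqdn);` is enough. The loop itself is sound: `strchr(cp, '.')` is checked in the loop condition before the unconditional `cp++`. What the header comment does not say is that every iteration performs a KDC lookup (`krb5_locate_kdc`) keyed by a label of the caller-supplied hostname, so callers should expect network I/O bounded by `limit`; a line such as `/* Each iteration may perform a network KDC lookup; cost is bounded by limit. */` above the `while` would make that explicit.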
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Wed, 24 Dec 2008 13:48:03 -0500 (EST) Subject: svn rev #21589: trunk/src/ include/ include/krb5/ lib/krb5/krb/ lib/krb5/os/ ... Message-ID: <200812241848.NAA00211@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21589 Commit By: ghudson Log Message: Clean up krb5_get_fallback_host_realm in two respects: 1. It isn't exported from libkrb5 (and no one seems to complain about that). So give it a krb5int_ name and move its declaration to k5-int.h. Also stop exporting it from the collected client lib. 2. It returned a list of realms, but its only caller assumes that the list contains exactly one realm. So just make it return a single realm. Changed Files: U trunk/src/include/k5-int.h U trunk/src/include/krb5/krb5.hin U trunk/src/lib/krb5/krb/gc_frm_kdc.c U trunk/src/lib/krb5/os/hst_realm.c U trunk/src/util/collected-client-lib/libcollected.exports Modified: trunk/src/include/k5-int.h =================================================================== --- trunk/src/include/k5-int.h 2008-12-24 16:51:33 UTC (rev 21588) +++ trunk/src/include/k5-int.h 2008-12-24 18:48:00 UTC (rev 21589) @@ -538,6 +538,10 @@ struct addrlist *, enum locate_service_type svc, int sockettype, int family); +krb5_error_code +krb5int_get_fallback_host_realm (krb5_context, krb5_data *hdata, + char **realmp); + /* new encryption provider api */ struct krb5_enc_provider { Modified: trunk/src/include/krb5/krb5.hin =================================================================== --- trunk/src/include/krb5/krb5.hin 2008-12-24 16:51:33 UTC (rev 21588) +++ trunk/src/include/krb5/krb5.hin 2008-12-24 18:48:00 UTC (rev 21589) 
@@ -2099,10 +2099,6 @@ (krb5_context, const char *, char *** ); -krb5_error_code KRB5_CALLCONV krb5_get_fallback_host_realm - (krb5_context, - krb5_data *, - char *** ); krb5_error_code KRB5_CALLCONV krb5_free_host_realm (krb5_context, char * const * ); Modified: trunk/src/lib/krb5/krb/gc_frm_kdc.c =================================================================== --- trunk/src/lib/krb5/krb/gc_frm_kdc.c 2008-12-24 16:51:33 UTC (rev 21588) +++ trunk/src/lib/krb5/krb/gc_frm_kdc.c 2008-12-24 18:48:00 UTC (rev 21589) @@ -787,7 +787,7 @@ krb5_principal client, server, supplied_server, out_supplied_server; krb5_creds tgtq, cc_tgt, *tgtptr, *referral_tgts[KRB5_REFERRAL_MAXHOPS]; krb5_boolean old_use_conf_ktypes; - char **hrealms; + char *hrealm; unsigned int referral_count, i; /* @@ -1021,23 +1021,22 @@ */ if (krb5_is_referral_realm(&supplied_server->realm)) { if (server->length >= 2) { - retval=krb5_get_fallback_host_realm(context, &server->data[1], - &hrealms); + retval=krb5int_get_fallback_host_realm(context, &server->data[1], + &hrealm); if (retval) goto cleanup; #if 0 DPRINTF(("gc_from_kdc: using fallback realm of %s\n", - hrealms[0])); + hrealm)); #endif krb5_free_data_contents(context,&in_cred->server->realm); - server->realm.data=hrealms[0]; - server->realm.length=strlen(hrealms[0]); - free(hrealms); + server->realm.data=hrealm; + server->realm.length=strlen(hrealm); } else { /* * Problem case: Realm tagged for referral but apparently not * in a / format that - * krb5_get_fallback_host_realm can deal with. + * krb5int_get_fallback_host_realm can deal with. */ DPRINTF(("gc_from_kdc: referral specified " "but no fallback realm avaiable!\n")); Modified: trunk/src/lib/krb5/os/hst_realm.c =================================================================== --- trunk/src/lib/krb5/os/hst_realm.c 2008-12-24 16:51:33 UTC (rev 21588) +++ trunk/src/lib/krb5/os/hst_realm.c 2008-12-24 18:48:00 UTC (rev 21589) 
@@ -335,9 +335,9 @@ */ krb5_error_code KRB5_CALLCONV -krb5_get_fallback_host_realm(krb5_context context, krb5_data *hdata, char ***realmsp) +krb5int_get_fallback_host_realm(krb5_context context, krb5_data *hdata, + char **realmp) { - char **retrealms; char *realm, *cp; krb5_error_code retval; char local_host[MAXDNAME+1], host[MAXDNAME+1]; @@ -417,16 +417,7 @@ return retval; } - if (!(retrealms = (char **)calloc(2, sizeof(*retrealms)))) { - if (realm != (char *)NULL) - free(realm); - return ENOMEM; - } - - retrealms[0] = realm; - retrealms[1] = 0; - - *realmsp = retrealms; + *realmp = realm; return 0; } Modified: trunk/src/util/collected-client-lib/libcollected.exports =================================================================== --- trunk/src/util/collected-client-lib/libcollected.exports 2008-12-24 16:51:33 UTC (rev 21588) +++ trunk/src/util/collected-client-lib/libcollected.exports 2008-12-24 18:48:00 UTC (rev 21589) @@ -177,7 +177,6 @@ krb5_read_password krb5_aname_to_localname krb5_get_host_realm -krb5_get_fallback_host_realm krb5_free_host_realm krb5_auth_con_genaddrs krb5_set_real_time From lhoward at MIT.EDU Thu Dec 25 17:43:45 2008 
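Review bot: The definition keeps `KRB5_CALLCONV` on `krb5int_get_fallback_host_realm`, while the prototype this commit adds to k5-int.h declares it without `KRB5_CALLCONV`; on targets where that macro expands to a non-default calling convention the declaration and definition disagree. Drop it from the definition, `krb5_error_code` / `krb5int_get_fallback_host_realm(krb5_context context, krb5_data *hdata,`, matching the other internal functions. The second hunk's `*realmp = realm;` relies on every earlier fallback either setting `realm` or returning an error; that holds for the visible code, and a one-line comment stating the invariant would keep it true under future edits.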
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Thu, 25 Dec 2008 17:43:45 -0500 (EST) Subject: svn rev #21590: branches/mskrb-integ/src/ include/krb5/ kdc/ lib/gssapi/krb5/ ... Message-ID: <200812252243.RAA23806@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21590 Commit By: lhoward Log Message: Fix some warnings Changed Files: U branches/mskrb-integ/src/include/krb5/krb5.hin U branches/mskrb-integ/src/kdc/kdc_authdata.c U branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c U branches/mskrb-integ/src/lib/krb5/krb/chk_trans.c U branches/mskrb-integ/src/lib/krb5/krb/gc_frm_kdc.c U branches/mskrb-integ/src/lib/krb5/krb/mk_cred.c U branches/mskrb-integ/src/lib/krb5/krb/rd_rep.c U branches/mskrb-integ/src/lib/krb5/krb/walk_rtree.c Modified: branches/mskrb-integ/src/include/krb5/krb5.hin =================================================================== --- branches/mskrb-integ/src/include/krb5/krb5.hin 2008-12-24 18:48:00 UTC (rev 21589) +++ branches/mskrb-integ/src/include/krb5/krb5.hin 2008-12-25 22:43:41 UTC (rev 21590) @@ -1583,7 +1583,7 @@ (krb5_context, krb5_auth_context, const krb5_data *, - krb5_int32 *); + krb5_ui_4 *); krb5_error_code KRB5_CALLCONV krb5_mk_error (krb5_context, const krb5_error *, Modified: branches/mskrb-integ/src/kdc/kdc_authdata.c =================================================================== --- branches/mskrb-integ/src/kdc/kdc_authdata.c 2008-12-24 18:48:00 UTC (rev 21589) +++ branches/mskrb-integ/src/kdc/kdc_authdata.c 2008-12-25 22:43:41 UTC (rev 21590) @@ -337,8 +337,12 @@ for (i = 0; in_authdata[i] != NULL; i++) ; - authdata = (krb5_authdata **)realloc(*out_authdata, - ((nadata + i + 1) * sizeof(krb5_authdata *))); + if (authdata == NULL) { + authdata = (krb5_authdata **)calloc(i + 1, sizeof(krb5_authdata *)); + } else { + authdata = (krb5_authdata **)realloc(authdata, + ((nadata + i + 1) * sizeof(krb5_authdata *))); + } if (authdata == NULL) return ENOMEM; 
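Review bot: In the `else` branch of the kdc_authdata.c hunk, `authdata = realloc(authdata, ...)` overwrites the only visible pointer to the existing array; if `realloc` fails the function returns ENOMEM and the old array is leaked, unless `*out_authdata` still references it, which the hunk does not show. Keep the result in a temporary: `tmp = realloc(authdata, (nadata + i + 1) * sizeof(*tmp)); if (tmp == NULL) return ENOMEM; authdata = tmp;`. The `calloc` branch sizes the array as `i + 1` while the `realloc` branch uses `nadata + i + 1`; that is consistent only if `nadata` is guaranteed zero whenever `authdata` is NULL, which should be confirmed since the enclosing function starts outside the hunk.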
@@ -573,16 +577,16 @@ if (request->msg_type != KRB5_AS_REQ) continue; - code = asys->handle_authdata.v0(context, client, req_pkt, - request, enc_tkt_reply); + code = (*asys->handle_authdata.v0)(context, client, req_pkt, + request, enc_tkt_reply); break; case AUTHDATA_SYSTEM_V1: - code = asys->handle_authdata.v1(context, flags, - client, server, krbtgt, - client_key, server_key, - req_pkt, request, for_user_princ, - enc_tkt_request, - enc_tkt_reply); + code = (*asys->handle_authdata.v1)(context, flags, + client, server, krbtgt, + client_key, server_key, + req_pkt, request, for_user_princ, + enc_tkt_request, + enc_tkt_reply); break; default: code = 0; Modified: branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c 2008-12-24 18:48:00 UTC (rev 21589) +++ branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c 2008-12-25 22:43:41 UTC (rev 21590) @@ -261,7 +261,7 @@ krb5_gss_ctx_id_rec *ctx = 0; krb5_timestamp now; krb5_principal name = NULL; - krb5_int32 nonce = 0; + krb5_ui_4 nonce = 0; krb5_data ap_rep; OM_uint32 major_status = GSS_S_FAILURE; Modified: branches/mskrb-integ/src/lib/krb5/krb/chk_trans.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/chk_trans.c 2008-12-24 18:48:00 UTC (rev 21589) +++ branches/mskrb-integ/src/lib/krb5/krb/chk_trans.c 2008-12-25 22:43:41 UTC (rev 21590) 
@@ -137,7 +137,7 @@ } static krb5_error_code -maybe_join (krb5_data *last, krb5_data *buf, int bufsiz) +maybe_join (krb5_data *last, krb5_data *buf, size_t bufsiz) { if (buf->length == 0) return 0; Modified: branches/mskrb-integ/src/lib/krb5/krb/gc_frm_kdc.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/gc_frm_kdc.c 2008-12-24 18:48:00 UTC (rev 21589) +++ branches/mskrb-integ/src/lib/krb5/krb/gc_frm_kdc.c 2008-12-25 22:43:41 UTC (rev 21590) @@ -932,7 +932,7 @@ */ if (old_use_conf_ktypes || context->tgs_ktype_count == 0) goto cleanup; - for (i = 0; i < context->tgs_ktype_count; i++) { + for (i = 0; i < (signed)context->tgs_ktype_count; i++) { if ((*out_cred)->keyblock.enctype == context->tgs_ktypes[i]) { /* Found an allowable etype, so we're done */ goto cleanup; Modified: branches/mskrb-integ/src/lib/krb5/krb/mk_cred.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/mk_cred.c 2008-12-24 18:48:00 UTC (rev 21589) +++ branches/mskrb-integ/src/lib/krb5/krb/mk_cred.c 2008-12-25 22:43:41 UTC (rev 21590) @@ -174,13 +174,15 @@ /* * Allocate memory for a NULL terminated list of tickets. */ - for (ncred = 0; ppcreds[ncred]; ncred++); + for (ncred = 0; ppcreds[ncred]; ncred++) + ; if ((pcred = (krb5_cred *)calloc(1, sizeof(krb5_cred))) == NULL) return ENOMEM; if ((pcred->tickets - = (krb5_ticket **)calloc(ncred+1, sizeof(krb5_ticket *))) == NULL) { + = (krb5_ticket **)calloc((size_t)ncred+1, + sizeof(krb5_ticket *))) == NULL) { free(pcred); return ENOMEM; } Modified: branches/mskrb-integ/src/lib/krb5/krb/rd_rep.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/rd_rep.c 2008-12-24 18:48:00 UTC (rev 21589) +++ branches/mskrb-integ/src/lib/krb5/krb/rd_rep.c 2008-12-25 22:43:41 UTC (rev 21590) 
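Review bot: In the gc_frm_kdc.c hunk, casting the bound to `(signed)context->tgs_ktype_count` silences the sign-compare warning in the wrong direction: if `tgs_ktype_count` is unsigned (which the warning implies) and `i` is a signed int, a count above INT_MAX turns negative and the loop never runs. The conventional fix is to give `i` the bound's type (its declaration is outside the hunk) and drop the cast. Not a practical concern for an enctype list, but the cast hides the mismatch rather than resolving it; the `(size_t)` casts in the mk_cred.c and walk_rtree.c hunks go the right way.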
@@ -144,7 +144,7 @@ krb5_error_code KRB5_CALLCONV krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context, - const krb5_data *inbuf, krb5_int32 *nonce) + const krb5_data *inbuf, krb5_ui_4 *nonce) { krb5_error_code retval; krb5_ap_rep * reply; Modified: branches/mskrb-integ/src/lib/krb5/krb/walk_rtree.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/walk_rtree.c 2008-12-24 18:48:00 UTC (rev 21589) +++ branches/mskrb-integ/src/lib/krb5/krb/walk_rtree.c 2008-12-25 22:43:41 UTC (rev 21590) @@ -248,7 +248,7 @@ } } /* end of if use hierarchical method */ - if (!(rettree = (krb5_principal *)calloc(links+2, + if (!(rettree = (krb5_principal *)calloc((size_t)links+2, sizeof(krb5_principal)))) { return ENOMEM; } From lhoward at MIT.EDU Fri Dec 26 00:19:38 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 26 Dec 2008 00:19:38 -0500 (EST) Subject: svn rev #21591: branches/mskrb-integ/src/ include/ include/krb5/ lib/krb5/asn.1/ ... Message-ID: <200812260519.AAA28422@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21591 Commit By: lhoward Log Message: Implement RFC 4537 in libkrb5. If the AP_OPTS_ETYPE_NEGOTIATION flag is passed to krb5_mk_req(), then a EtypeList constructed from the auth_context or krb5 context list of permitted enctypes will be sent. AP_OPTS_ETYPE_NEGOTIATION will be returned by krb5_rd_req() in ap_req_options if a subkey of a different enctype should be negotiated. AP_OPTS_ETYPE_NEGOTIATION is only valid with mutual authentication. Changed Files: U branches/mskrb-integ/src/include/k5-int.h U branches/mskrb-integ/src/include/krb5/krb5.hin U branches/mskrb-integ/src/lib/krb5/asn.1/asn1_k_decode.c U branches/mskrb-integ/src/lib/krb5/asn.1/asn1_k_encode.c U branches/mskrb-integ/src/lib/krb5/asn.1/krb5_decode.c U branches/mskrb-integ/src/lib/krb5/krb/auth_con.c U branches/mskrb-integ/src/lib/krb5/krb/auth_con.h U branches/mskrb-integ/src/lib/krb5/krb/gen_subkey.c U branches/mskrb-integ/src/lib/krb5/krb/kfree.c U branches/mskrb-integ/src/lib/krb5/krb/mk_rep.c U branches/mskrb-integ/src/lib/krb5/krb/mk_req_ext.c U branches/mskrb-integ/src/lib/krb5/krb/rd_rep.c U branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c Modified: branches/mskrb-integ/src/include/k5-int.h =================================================================== --- branches/mskrb-integ/src/include/k5-int.h 2008-12-25 22:43:41 UTC (rev 21590) +++ branches/mskrb-integ/src/include/k5-int.h 2008-12-26 05:19:33 UTC (rev 21591) @@ -315,7 +315,7 @@ /* RFC 4537 */ typedef struct _krb5_etype_list { - unsigned int length; + int length; krb5_enctype *etypes; } krb5_etype_list; 
@@ -1230,6 +1230,8 @@ (krb5_context, krb5_pa_server_referral_data * ); void KRB5_CALLCONV krb5_free_pa_pac_req (krb5_context, krb5_pa_pac_req * ); +void KRB5_CALLCONV krb5_free_etype_list + (krb5_context, krb5_etype_list * ); /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */ #include "com_err.h" @@ -1566,6 +1568,9 @@ krb5_error_code encode_krb5_pa_pac_req (const krb5_pa_pac_req * , krb5_data **); +krb5_error_code encode_krb5_etype_list + (const krb5_etype_list * , krb5_data **); + /************************************************************************* * End of prototypes for krb5_encode.c *************************************************************************/ @@ -1722,6 +1727,9 @@ krb5_error_code decode_krb5_pa_pac_req (const krb5_data *, krb5_pa_pac_req **); +krb5_error_code decode_krb5_etype_list + (const krb5_data *, krb5_etype_list **); + struct _krb5_key_data; /* kdb.h */ struct ldap_seqof_key_data { @@ -1892,7 +1900,8 @@ krb5_error_code krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context, - krb5_keyblock * /* Old keyblock, not new! */); + krb5_keyblock * /* Old keyblock, not new! */, + krb5_enctype); /* set and change password helpers */ @@ -2413,6 +2422,11 @@ krb5_error_code krb5_generate_subkey (krb5_context, const krb5_keyblock *, krb5_keyblock **); +krb5_error_code krb5_generate_subkey_extended + (krb5_context, + const krb5_keyblock *, + krb5_enctype, + krb5_keyblock **); krb5_error_code krb5_generate_seq_number (krb5_context, const krb5_keyblock *, krb5_ui_4 *); Modified: branches/mskrb-integ/src/include/krb5/krb5.hin =================================================================== --- branches/mskrb-integ/src/include/krb5/krb5.hin 2008-12-25 22:43:41 UTC (rev 21590) +++ branches/mskrb-integ/src/include/krb5/krb5.hin 2008-12-26 05:19:33 UTC (rev 21591) 
@@ -838,10 +838,10 @@ /* #define AP_OPTS_RESERVED 0x00000010 */ /* #define AP_OPTS_RESERVED 0x00000008 */ /* #define AP_OPTS_RESERVED 0x00000004 */ -/* #define AP_OPTS_RESERVED 0x00000002 */ -#define AP_OPTS_USE_SUBKEY 0x00000001 +#define AP_OPTS_ETYPE_NEGOTIATION 0x00000002 +#define AP_OPTS_USE_SUBKEY 0x00000001 -#define AP_OPTS_WIRE_MASK 0xfffffff0 +#define AP_OPTS_WIRE_MASK 0xfffffff0 /* definitions for ad_type fields. */ #define AD_TYPE_RESERVED 0x8000 @@ -2502,13 +2502,13 @@ krb5_error_code KRB5_CALLCONV krb5_decode_authdata_container(krb5_context context, krb5_authdatatype type, - const krb5_authdata *if_relevant, + const krb5_authdata *container, krb5_authdata ***authdata); krb5_error_code KRB5_CALLCONV krb5_encode_authdata_container(krb5_context context, krb5_authdatatype type, krb5_authdata * const*authdata, - krb5_authdata ***if_relevant_p); + krb5_authdata ***container); /* * Windows PAC Modified: branches/mskrb-integ/src/lib/krb5/asn.1/asn1_k_decode.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/asn.1/asn1_k_decode.c 2008-12-25 22:43:41 UTC (rev 21590) +++ branches/mskrb-integ/src/lib/krb5/asn.1/asn1_k_decode.c 2008-12-26 05:19:33 UTC (rev 21591) @@ -1226,6 +1226,15 @@ cleanup(); } +asn1_error_code asn1_decode_etype_list(asn1buf *buf, krb5_etype_list *val) +{ + setup(); + { begin_structure(); + end_structure(); + } + cleanup(); +} + #ifndef DISABLE_PKINIT /* PKINIT */ Modified: branches/mskrb-integ/src/lib/krb5/asn.1/asn1_k_encode.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/asn.1/asn1_k_encode.c 2008-12-25 22:43:41 UTC (rev 21590) +++ branches/mskrb-integ/src/lib/krb5/asn.1/asn1_k_encode.c 2008-12-26 05:19:33 UTC (rev 21591) 
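Review bot: `asn1_decode_etype_list()` in the asn1_k_decode.c hunk never touches `val`: between `begin_structure()` and `end_structure()` there is no field decode, so it consumes a structure and leaves `val->length` and `val->etypes` unset. The decoder actually used, `decode_krb5_etype_list` in krb5_decode.c, calls `asn1_decode_sequence_of_enctype` directly, so this function looks like an unfinished stub; either decode the SEQUENCE OF Int32 into `val` here or remove it so nobody decodes an EtypeList through it by mistake. If it is kept for now, mark it: `/* TODO: unimplemented; use decode_krb5_etype_list() */`.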
@@ -1173,6 +1173,10 @@ DEFSEQTYPE(pa_pac_request, krb5_pa_pac_req, pa_pac_request_fields, 0); #endif +/* RFC 4537 */ +DEFFIELDTYPE(etype_list, krb5_etype_list, + FIELDOF_SEQOF_INT32(krb5_etype_list, int32_ptr, etypes, length, -1)); + /* Exported complete encoders -- these produce a krb5_data with the encoding in the correct byte order. */ @@ -1237,6 +1241,7 @@ MAKE_FULL_ENCODER(encode_krb5_pa_for_user, pa_for_user); MAKE_FULL_ENCODER(encode_krb5_pa_svr_referral_data, pa_svr_referral_data); MAKE_FULL_ENCODER(encode_krb5_pa_server_referral_data, pa_server_referral_data); +MAKE_FULL_ENCODER(encode_krb5_etype_list, etype_list); @@ -1244,7 +1249,6 @@ - #ifndef DISABLE_PKINIT /* * PKINIT Modified: branches/mskrb-integ/src/lib/krb5/asn.1/krb5_decode.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/asn.1/krb5_decode.c 2008-12-25 22:43:41 UTC (rev 21590) +++ branches/mskrb-integ/src/lib/krb5/asn.1/krb5_decode.c 2008-12-26 05:19:33 UTC (rev 21591) @@ -987,6 +987,17 @@ cleanup(free); } +krb5_error_code decode_krb5_etype_list(const krb5_data *code, krb5_etype_list **rep) +{ + setup_buf_only(); + alloc_field(*rep, krb5_etype_list); + + retval = asn1_decode_sequence_of_enctype(&buf, &(*rep)->length, &(*rep)->etypes); + if (retval) clean_return(retval); + + cleanup(free); +} + #ifndef DISABLE_PKINIT krb5_error_code decode_krb5_pa_pk_as_req(const krb5_data *code, krb5_pa_pk_as_req **rep) { Modified: branches/mskrb-integ/src/lib/krb5/krb/auth_con.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/auth_con.c 2008-12-25 22:43:41 UTC (rev 21590) +++ branches/mskrb-integ/src/lib/krb5/krb/auth_con.c 2008-12-26 05:19:33 UTC (rev 21591) 
@@ -34,8 +34,9 @@ (*auth_context)->req_cksumtype = context->default_ap_req_sumtype; (*auth_context)->safe_cksumtype = context->default_safe_sumtype; - (*auth_context) -> checksum_func = NULL; + (*auth_context)->checksum_func = NULL; (*auth_context)->checksum_func_data = NULL; + (*auth_context)->negotiated_etype = ENCTYPE_NULL; (*auth_context)->magic = KV5M_AUTH_CONTEXT; return 0; } Modified: branches/mskrb-integ/src/lib/krb5/krb/auth_con.h =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/auth_con.h 2008-12-25 22:43:41 UTC (rev 21590) +++ branches/mskrb-integ/src/lib/krb5/krb/auth_con.h 2008-12-26 05:19:33 UTC (rev 21591) @@ -21,8 +21,9 @@ krb5_pointer i_vector; /* mk_priv, rd_priv only */ krb5_rcache rcache; krb5_enctype * permitted_etypes; /* rd_req */ - krb5_mk_req_checksum_func checksum_func; - void *checksum_func_data; + krb5_mk_req_checksum_func checksum_func; + void *checksum_func_data; + krb5_enctype negotiated_etype; }; Modified: branches/mskrb-integ/src/lib/krb5/krb/gen_subkey.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/gen_subkey.c 2008-12-25 22:43:41 UTC (rev 21590) +++ branches/mskrb-integ/src/lib/krb5/krb/gen_subkey.c 2008-12-26 05:19:33 UTC (rev 21591) @@ -40,7 +40,10 @@ } krb5_error_code -krb5_generate_subkey(krb5_context context, const krb5_keyblock *key, krb5_keyblock **subkey) +krb5_generate_subkey_extended(krb5_context context, + const krb5_keyblock *key, + krb5_enctype enctype, + krb5_keyblock **subkey) { krb5_error_code retval; krb5_data seed; 
@@ -52,10 +55,16 @@ if ((*subkey = (krb5_keyblock *) malloc(sizeof(krb5_keyblock))) == NULL) return(ENOMEM); - if ((retval = krb5_c_make_random_key(context, key->enctype, *subkey))) { + if ((retval = krb5_c_make_random_key(context, enctype, *subkey))) { krb5_xfree(*subkey); return(retval); } return(0); } + +krb5_error_code +krb5_generate_subkey(krb5_context context, const krb5_keyblock *key, krb5_keyblock **subkey) +{ + return krb5_generate_subkey_extended(context, key, key->enctype, subkey); +} Modified: branches/mskrb-integ/src/lib/krb5/krb/kfree.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/kfree.c 2008-12-25 22:43:41 UTC (rev 21590) +++ branches/mskrb-integ/src/lib/krb5/krb/kfree.c 2008-12-26 05:19:33 UTC (rev 21591) @@ -799,3 +799,13 @@ krb5_xfree(req); } +void KRB5_CALLCONV +krb5_free_etype_list(krb5_context context, + krb5_etype_list *etypes) +{ + if (etypes != NULL) { + if (etypes->etypes != NULL) + krb5_xfree(etypes->etypes); + krb5_xfree(etypes); + } +} Modified: branches/mskrb-integ/src/lib/krb5/krb/mk_rep.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/mk_rep.c 2008-12-25 22:43:41 UTC (rev 21590) +++ branches/mskrb-integ/src/lib/krb5/krb/mk_rep.c 2008-12-26 05:19:33 UTC (rev 21591) 
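Review bot: `krb5_free_etype_list` in the kfree.c hunk is exported (`KRB5_CALLCONV`) but has no header comment; it should state that it releases both the enctype array and the struct, e.g. `/* Free an etype list (and its enctype array) as returned by decode_krb5_etype_list(). */`. The inner `if (etypes->etypes != NULL)` guard is redundant if `krb5_xfree` follows `free()` semantics for NULL, which it appears to in this tree, so `krb5_xfree(etypes->etypes); krb5_xfree(etypes);` reads cleaner. In the gen_subkey.c hunk, `krb5_generate_subkey_extended` now takes the enctype explicitly; whether `key` is still needed beyond the `krb5_generate_subkey` wrapper depends on the seed code above the hunk.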
@@ -95,8 +95,11 @@ if (dce_style) repl.subkey = NULL; else if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_USE_SUBKEY) { + assert(auth_context->negotiated_etype != ENCTYPE_NULL); + retval = krb5int_generate_and_save_subkey (context, auth_context, - auth_context->keyblock); + auth_context->keyblock, + auth_context->negotiated_etype); if (retval) return retval; repl.subkey = auth_context->send_subkey; Modified: branches/mskrb-integ/src/lib/krb5/krb/mk_req_ext.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/mk_req_ext.c 2008-12-25 22:43:41 UTC (rev 21590) +++ branches/mskrb-integ/src/lib/krb5/krb/mk_req_ext.c 2008-12-26 05:19:33 UTC (rev 21591) @@ -64,16 +64,25 @@ returns system errors */ +static krb5_error_code +make_etype_list(krb5_context context, + krb5_enctype *permitted_etypes, + krb5_enctype tkt_enctype, + krb5_authdata ***authdata); + static krb5_error_code krb5_generate_authenticator (krb5_context, krb5_authenticator *, krb5_principal, krb5_checksum *, krb5_keyblock *, - krb5_ui_4, krb5_authdata ** ); + krb5_ui_4, krb5_authdata **, + krb5_enctype *permitted_etypes, + krb5_enctype tkt_enctype); krb5_error_code krb5int_generate_and_save_subkey (krb5_context context, krb5_auth_context auth_context, - krb5_keyblock *keyblock) + krb5_keyblock *keyblock, + krb5_enctype enctype) { /* Provide some more fodder for random number code. This isn't strong cryptographically; the point here is not @@ -92,7 +101,8 @@ if (auth_context->send_subkey) krb5_free_keyblock(context, auth_context->send_subkey); - if ((retval = krb5_generate_subkey(context, keyblock, &auth_context->send_subkey))) + if ((retval = krb5_generate_subkey_extended(context, keyblock, enctype, + &auth_context->send_subkey))) return retval; if (auth_context->recv_subkey) 
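Review bot: `assert(auth_context->negotiated_etype != ENCTYPE_NULL)` turns a caller error into an abort of the hosting server process: `negotiated_etype` is initialised to ENCTYPE_NULL in `krb5_auth_con_init` and appears to be set only on the rd_req/rd_rep paths (per the rd_rep.c hunk and the `negotiate_etype` prototype in rd_req_dec.c), so an application that sets KRB5_AUTH_CONTEXT_USE_SUBKEY on an auth context that did not go through negotiation hits it, and with NDEBUG the ENCTYPE_NULL is passed straight to the subkey generator. Return an error instead, `if (auth_context->negotiated_etype == ENCTYPE_NULL) return KRB5_BAD_ENCTYPE;`, or fall back to `auth_context->keyblock->enctype`, which is what the pre-change code effectively used.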
@@ -116,18 +126,23 @@ krb5_checksum checksum; krb5_checksum *checksump = 0; krb5_auth_context new_auth_context; + krb5_enctype *permitted_etypes = NULL; krb5_ap_req request; krb5_data *scratch = 0; krb5_data *toutbuf; request.ap_options = ap_req_options & AP_OPTS_WIRE_MASK; - request.authenticator.ciphertext.data = 0; + request.authenticator.ciphertext.data = NULL; request.ticket = 0; if (!in_creds->ticket.length) return(KRB5_NO_TKT_SUPPLIED); + if ((ap_req_options & AP_OPTS_ETYPE_NEGOTIATION) && + !(ap_req_options & AP_OPTS_MUTUAL_REQUIRED)) + return(EINVAL); + /* we need a native ticket */ if ((retval = decode_krb5_ticket(&(in_creds)->ticket, &request.ticket))) return(retval); @@ -174,7 +189,8 @@ if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) { retval = krb5int_generate_and_save_subkey (context, *auth_context, - &in_creds->keyblock); + &in_creds->keyblock, + in_creds->keyblock.enctype); if (retval) goto cleanup; } @@ -205,12 +221,23 @@ goto cleanup_cksum; } + if (ap_req_options & AP_OPTS_ETYPE_NEGOTIATION) { + if ((*auth_context)->permitted_etypes == NULL) { + retval = krb5_get_permitted_enctypes(context, &permitted_etypes); + if (retval) + goto cleanup_cksum; + } else + permitted_etypes = (*auth_context)->permitted_etypes; + } + if ((retval = krb5_generate_authenticator(context, (*auth_context)->authentp, - (in_creds)->client, checksump, + in_creds->client, checksump, (*auth_context)->send_subkey, (*auth_context)->local_seq_number, - (in_creds)->authdata))) + in_creds->authdata, + permitted_etypes, + in_creds->keyblock.enctype))) goto cleanup_cksum; /* encode the authenticator */ @@ -223,7 +250,6 @@ */ (*auth_context)->authentp->client = NULL; (*auth_context)->authentp->checksum = NULL; - (*auth_context)->authentp->authorization_data = NULL; /* call the encryption routine */ if ((retval = krb5_encrypt_helper(context, &in_creds->keyblock, 
@@ -242,6 +268,9 @@ free(checksump->contents); cleanup: + if (permitted_etypes && + permitted_etypes != (*auth_context)->permitted_etypes) + krb5_xfree(permitted_etypes); if (request.ticket) krb5_free_ticket(context, request.ticket); if (request.authenticator.ciphertext.data) { @@ -261,7 +290,9 @@ krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent, krb5_principal client, krb5_checksum *cksum, krb5_keyblock *key, krb5_ui_4 seq_number, - krb5_authdata **authorization) + krb5_authdata **authorization, + krb5_enctype *permitted_etypes, + krb5_enctype tkt_enctype) { krb5_error_code retval; 
@@ -274,7 +305,114 @@ } else authent->subkey = 0; authent->seq_number = seq_number; - authent->authorization_data = authorization; + authent->authorization_data = NULL; + if (authorization != NULL) { + retval = krb5_copy_authdata(context, authorization, + &authent->authorization_data); + if (retval) + return retval; + } + if (permitted_etypes != NULL) { + retval = make_etype_list(context, permitted_etypes, tkt_enctype, + &authent->authorization_data); + if (retval) + return retval; + } + return(krb5_us_timeofday(context, &authent->ctime, &authent->cusec)); } + +/* RFC 4537 */ +static krb5_error_code +make_etype_list(krb5_context context, + krb5_enctype *permitted_etypes, + krb5_enctype tkt_enctype, + krb5_authdata ***authdata) +{ + krb5_error_code code; + krb5_etype_list etypes; + krb5_data *enc_etype_list; + krb5_data *ad_if_relevant; + krb5_authdata *etype_adata[2], etype_adatum, **adata; + int i; + + etypes.etypes = permitted_etypes; + + for (etypes.length = 0; + etypes.etypes[etypes.length] != ENCTYPE_NULL; + etypes.length++) + ; + + /* + * RFC 4537: + * If the enctype of the ticket session key is included in the enctype + * list sent by the client, it SHOULD be the last on the list. 
+ */ + for (i = 0; i < etypes.length; i++) { + if (etypes.etypes[i] == tkt_enctype) { + krb5_enctype etype; + + etype = etypes.etypes[etypes.length - 1]; + etypes.etypes[etypes.length - 1] = tkt_enctype; + etypes.etypes[i] = etype; + break; + } + } + + code = encode_krb5_etype_list(&etypes, &enc_etype_list); + if (code) { + return code; + } + + etype_adatum.magic = KV5M_AUTHDATA; + etype_adatum.ad_type = KRB5_AUTHDATA_ETYPE_NEGOTIATION; + etype_adatum.length = enc_etype_list->length; + etype_adatum.contents = (krb5_octet *)enc_etype_list->data; + + etype_adata[0] = &etype_adatum; + etype_adata[1] = NULL; + + /* Wrap in AD-IF-RELEVANT container */ + code = encode_krb5_authdata(etype_adata, &ad_if_relevant); + if (code) { + krb5_free_data(context, enc_etype_list); + return code; + } + + krb5_free_data(context, enc_etype_list); + + adata = *authdata; + if (adata == NULL) { + adata = (krb5_authdata **)calloc(2, sizeof(krb5_authdata *)); + i = 0; + } else { + for (i = 0; adata[i] != NULL; i++) + ; + + adata = (krb5_authdata **)realloc(*authdata, + (i + 2) * sizeof(krb5_authdata *)); + } + if (adata == NULL) { + krb5_free_data(context, ad_if_relevant); + return ENOMEM; + } + + adata[i] = (krb5_authdata *)malloc(sizeof(krb5_authdata)); + if (adata[i] == NULL) { + krb5_free_data(context, ad_if_relevant); + return ENOMEM; + } + adata[i]->magic = KV5M_AUTHDATA; + adata[i]->ad_type = KRB5_AUTHDATA_IF_RELEVANT; + adata[i]->length = ad_if_relevant->length; + adata[i]->contents = (krb5_octet *)ad_if_relevant->data; + krb5_xfree(ad_if_relevant); /* contents owned by adata[i] */ + + adata[i + 1] = NULL; + + *authdata = adata; + + return 0; +} + Modified: branches/mskrb-integ/src/lib/krb5/krb/rd_rep.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/rd_rep.c 2008-12-25 22:43:41 UTC (rev 21590) +++ branches/mskrb-integ/src/lib/krb5/krb/rd_rep.c 2008-12-26 05:19:33 UTC (rev 21591) 
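Review bot: `make_etype_list` reorders `permitted_etypes` in place (the swap that moves `tkt_enctype` to the end), and its caller passes either a freshly allocated list or `(*auth_context)->permitted_etypes` directly (the `@@ -205` hunk of this file), so in the latter case `krb5_mk_req_extended` silently permutes the list the application installed on its auth context. Encode from a private copy instead, as below; the copy must also be released on the `encode_krb5_etype_list` failure path. With `krb5_generate_authenticator` now copying `authorization` before appending, dropping the `authorization_data = NULL` reset in the earlier hunk is consistent. A short header comment on `make_etype_list` stating that it appends an AD-IF-RELEVANT-wrapped AD-ETYPE-NEGOTIATION element to `*authdata` and may reallocate `*authdata` would help the next reader.
```c
static krb5_error_code
make_etype_list(krb5_context context,
                krb5_enctype *permitted_etypes,
                krb5_enctype tkt_enctype,
                krb5_authdata ***authdata)
{
    /* … unchanged: local declarations … */

    for (etypes.length = 0;
         permitted_etypes[etypes.length] != ENCTYPE_NULL;
         etypes.length++)
        ;

    /* Work on a private copy: permitted_etypes may be the caller's
     * auth_context->permitted_etypes, which must not be reordered. */
    etypes.etypes = calloc((size_t)etypes.length + 1, sizeof(krb5_enctype));
    if (etypes.etypes == NULL)
        return ENOMEM;
    memcpy(etypes.etypes, permitted_etypes,
           (size_t)etypes.length * sizeof(krb5_enctype));

    /* … unchanged: move tkt_enctype to the end of etypes.etypes … */

    code = encode_krb5_etype_list(&etypes, &enc_etype_list);
    free(etypes.etypes);
    if (code) {
        return code;
    }

    /* … unchanged: build AD-ETYPE-NEGOTIATION, wrap in AD-IF-RELEVANT, append to *authdata … */
```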
@@ -129,6 +129,8 @@ krb5_free_keyblock(context, auth_context->send_subkey); auth_context->send_subkey = NULL; } + /* not used for anything yet */ + auth_context->negotiated_etype = (*repl)->subkey->enctype; } /* Get remote sequence number */ Modified: branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c 2008-12-25 22:43:41 UTC (rev 21590) +++ branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c 2008-12-26 05:19:33 UTC (rev 21591) @@ -62,6 +62,19 @@ static krb5_error_code decrypt_authenticator (krb5_context, const krb5_ap_req *, krb5_authenticator **, int); +static krb5_error_code +decode_etype_list(krb5_context context, + const krb5_authenticator *authp, + krb5_enctype **desired_etypes, + int *desired_etypes_len); +static krb5_error_code +negotiate_etype(krb5_context context, + const krb5_enctype *desired_etypes, + int desired_etypes_len, + int mandatory_etypes_index, + const krb5_enctype *permitted_etypes, + int permitted_etypes_len, + krb5_enctype *negotiated_etype); krb5_error_code krb5int_check_clockskew(krb5_context context, krb5_timestamp date) @@ -172,8 +185,13 @@ krb5_ticket **ticket, int check_valid_flag) { krb5_error_code retval = 0; - krb5_principal_data princ_data; - + krb5_principal_data princ_data; + krb5_enctype *desired_etypes = NULL; + int desired_etypes_len = 0; + int rfc4537_etypes_len = 0; + krb5_enctype *permitted_etypes = NULL; + int permitted_etypes_len = 0; + req->ticket->enc_part2 = NULL; if (server && krb5_is_referral_realm(&server->realm)) { char *realm; 
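Review bot: `auth_context->negotiated_etype = (*repl)->subkey->enctype;` dereferences `(*repl)->subkey` unconditionally as far as the hunk shows; it is safe only if the enclosing block, which starts outside the hunk, is guarded by `if ((*repl)->subkey)`, and that should be confirmed since a reply without a subkey is legal. The comment `/* not used for anything yet */` contradicts mk_rep.c in this commit, which asserts on `negotiated_etype`; if the field is only meaningful on the acceptor side, say so, e.g. `/* Client side: record the acceptor's chosen subkey enctype (informational). */`.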
@@ -340,126 +358,59 @@ } } - /* check if the various etypes are permitted */ + /* read RFC 4537 etype list from sender */ + retval = decode_etype_list(context, + (*auth_context)->authentp, + &desired_etypes, + &rfc4537_etypes_len); + if (retval != 0) + goto cleanup; - if ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_PERMIT_ALL) { - /* no etype check needed */; - } else if ((*auth_context)->permitted_etypes == NULL) { - int etype; - size_t size_etype_enc = 3 * sizeof(krb5_enctype); /* upto three types */ - size_t size_etype_bool = 3 * sizeof(krb5_boolean); - krb5_etypes_permitted etypes; - memset(&etypes, 0, sizeof etypes); + if (desired_etypes == NULL) + desired_etypes = (krb5_enctype *)calloc(4, sizeof(krb5_enctype)); + else + desired_etypes = (krb5_enctype *)realloc(desired_etypes, + (rfc4537_etypes_len + 4) * + sizeof(krb5_enctype)); + if (desired_etypes == NULL) { + retval = ENOMEM; + goto cleanup; + } - etypes.etype = (krb5_enctype*) malloc(size_etype_enc); - if (etypes.etype == NULL) { - retval = ENOMEM; - goto cleanup; - } - etypes.etype_ok = (krb5_boolean*) malloc(size_etype_bool); - if (etypes.etype_ok == NULL) { - retval = ENOMEM; - free(etypes.etype); - goto cleanup; - } - memset(etypes.etype, 0, size_etype_enc); - memset(etypes.etype_ok, 0, size_etype_bool); + desired_etypes_len = rfc4537_etypes_len; - etypes.etype[etypes.etype_count++] = req->ticket->enc_part.enctype; - etypes.etype[etypes.etype_count++] = req->ticket->enc_part2->session->enctype; - if ((*auth_context)->authentp->subkey) { - etypes.etype[etypes.etype_count++] = (*auth_context)->authentp->subkey->enctype; - } + if ((*auth_context)->authentp->subkey != NULL) + desired_etypes[desired_etypes_len++] = (*auth_context)->authentp->subkey->enctype; + desired_etypes[desired_etypes_len++] = req->ticket->enc_part2->session->enctype; + desired_etypes[desired_etypes_len++] = req->ticket->enc_part.enctype; + desired_etypes[desired_etypes_len] = ENCTYPE_NULL; - retval = 
krb5_is_permitted_enctype_ext(context, &etypes); - -#if 0 - /* check against the default set */ - if ((!krb5_is_permitted_enctype(context, - etype = req->ticket->enc_part.enctype)) || - (!krb5_is_permitted_enctype(context, - etype = req->ticket->enc_part2->session->enctype)) || - (((*auth_context)->authentp->subkey) && - !krb5_is_permitted_enctype(context, - etype = (*auth_context)->authentp->subkey->enctype))) { -#endif - if (retval == 0 /* all etypes are not permitted */ || - (!etypes.etype_ok[0] || !etypes.etype_ok[1] || - (((*auth_context)->authentp->subkey) && !etypes.etype_ok[etypes.etype_count-1]))) { - char enctype_name[30]; - retval = KRB5_NOPERM_ETYPE; - - if (!etypes.etype_ok[0]) { - etype = etypes.etype[1]; - } else if (!etypes.etype_ok[1]) { - etype = etypes.etype[1]; - } else { - etype = etypes.etype[2]; - } - free(etypes.etype); - free(etypes.etype_ok); - - if (krb5_enctype_to_string(etype, enctype_name, sizeof(enctype_name)) == 0) - krb5_set_error_message(context, retval, - "Encryption type %s not permitted", - enctype_name); - goto cleanup; + if (((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_PERMIT_ALL) == 0) { + if ((*auth_context)->permitted_etypes != NULL) { + permitted_etypes = (*auth_context)->permitted_etypes; + } else { + retval = krb5_get_permitted_enctypes(context, &permitted_etypes); + if (retval != 0) + goto cleanup; } - free(etypes.etype); - free(etypes.etype_ok); + for (permitted_etypes_len = 0; + permitted_etypes[permitted_etypes_len] != ENCTYPE_NULL; + permitted_etypes_len++) + ; } else { - /* check against the set in the auth_context */ - int i; - - for (i=0; (*auth_context)->permitted_etypes[i]; i++) - if ((*auth_context)->permitted_etypes[i] == - req->ticket->enc_part.enctype) - break; - if (!(*auth_context)->permitted_etypes[i]) { - char enctype_name[30]; - retval = KRB5_NOPERM_ETYPE; - if (krb5_enctype_to_string(req->ticket->enc_part.enctype, - enctype_name, sizeof(enctype_name)) == 0) - 
krb5_set_error_message(context, retval, - "Encryption type %s not permitted", - enctype_name); - goto cleanup; - } - - for (i=0; (*auth_context)->permitted_etypes[i]; i++) - if ((*auth_context)->permitted_etypes[i] == - req->ticket->enc_part2->session->enctype) - break; - if (!(*auth_context)->permitted_etypes[i]) { - char enctype_name[30]; - retval = KRB5_NOPERM_ETYPE; - if (krb5_enctype_to_string(req->ticket->enc_part2->session->enctype, - enctype_name, sizeof(enctype_name)) == 0) - krb5_set_error_message(context, retval, - "Encryption type %s not permitted", - enctype_name); - goto cleanup; - } - - if ((*auth_context)->authentp->subkey) { - for (i=0; (*auth_context)->permitted_etypes[i]; i++) - if ((*auth_context)->permitted_etypes[i] == - (*auth_context)->authentp->subkey->enctype) - break; - if (!(*auth_context)->permitted_etypes[i]) { - char enctype_name[30]; - retval = KRB5_NOPERM_ETYPE; - if (krb5_enctype_to_string((*auth_context)->authentp->subkey->enctype, - enctype_name, - sizeof(enctype_name)) == 0) - krb5_set_error_message(context, retval, - "Encryption type %s not permitted", - enctype_name); - goto cleanup; - } - } + permitted_etypes = NULL; + permitted_etypes_len = 0; } + /* check if the various etypes are permitted */ + retval = negotiate_etype(context, + desired_etypes, desired_etypes_len, + rfc4537_etypes_len, + permitted_etypes, permitted_etypes_len, + &(*auth_context)->negotiated_etype); + if (retval != 0) + goto cleanup; + (*auth_context)->remote_seq_number = (*auth_context)->authentp->seq_number; if ((*auth_context)->authentp->subkey) { if ((retval = krb5_copy_keyblock(context, 
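Review bot: The `KRB5_AUTH_CONTEXT_PERMIT_ALL` branch at the end of this hunk hands `permitted_etypes = NULL, permitted_etypes_len = 0` to negotiate_etype, whose mandatory-etype loop (in the `@@ -581,3 +541,124 @@` hunk below) marks every desired etype as not permitted when the permitted list is empty, so PERMIT_ALL now fails with KRB5_NOPERM_ETYPE instead of skipping the check as the removed code did. One fix is to make negotiate_etype treat an empty permitted list as "everything permitted" before its first loop: `if (permitted_etypes_len == 0 && desired_etypes_len > 0) { *negotiated_etype = desired_etypes[0]; return 0; }` (pointing permitted_etypes at desired_etypes in the caller instead would be double-freed by the cleanup block, which frees any permitted_etypes not owned by the auth_context). Separately, `desired_etypes = (krb5_enctype *)realloc(desired_etypes, ...)` leaks the buffer returned by decode_etype_list when realloc fails; assign to a temporary and only overwrite desired_etypes on success. The enclosing function starts and ends outside this hunk.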
@@ -498,11 +449,20 @@ if (ticket) if ((retval = krb5_copy_ticket(context, req->ticket, ticket))) goto cleanup; - if (ap_req_options) + if (ap_req_options) { *ap_req_options = req->ap_options; + if ((*auth_context)->negotiated_etype != (*auth_context)->keyblock->enctype) + *ap_req_options |= AP_OPTS_ETYPE_NEGOTIATION; + } + retval = 0; cleanup: + if (desired_etypes != NULL) + krb5_xfree(desired_etypes); + if (permitted_etypes != NULL && + permitted_etypes != (*auth_context)->permitted_etypes) + krb5_xfree(permitted_etypes); if (server == &princ_data) krb5_free_default_realm(context, princ_data.realm.data); if (retval) { 
@@ -581,3 +541,124 @@ } #endif +static krb5_error_code +negotiate_etype(krb5_context context, + const krb5_enctype *desired_etypes, + int desired_etypes_len, + int mandatory_etypes_index, + const krb5_enctype *permitted_etypes, + int permitted_etypes_len, + krb5_enctype *negotiated_etype) +{ + int i, j; + + *negotiated_etype = ENCTYPE_NULL; + + for (i = mandatory_etypes_index; i < desired_etypes_len; i++) { + krb5_boolean permitted = FALSE; + + for (j = 0; j < permitted_etypes_len; j++) { + if (desired_etypes[i] == permitted_etypes[j]) { + permitted = TRUE; + break; + } + } + + if (permitted == FALSE) { + char enctype_name[30]; + + if (krb5_enctype_to_string(desired_etypes[i], + enctype_name, + sizeof(enctype_name)) == 0) + krb5_set_error_message(context, KRB5_NOPERM_ETYPE, + "Encryption type %s not permitted", + enctype_name); + return KRB5_NOPERM_ETYPE; + } + } + + for (j = 0; j < permitted_etypes_len; j++) { + for (i = 0; i < desired_etypes_len; i++) { + if (desired_etypes[i] == permitted_etypes[j]) { + *negotiated_etype = permitted_etypes[j]; + return 0; + } + } + } + + /*NOTREACHED*/ + return KRB5_NOPERM_ETYPE; +} + +static krb5_error_code +decode_etype_list(krb5_context context, + const krb5_authenticator *authp, + krb5_enctype **desired_etypes, + int *desired_etypes_len) +{ + krb5_error_code code; + krb5_authdata **ad_if_relevant = NULL; + krb5_authdata *etype_adata = NULL; + krb5_etype_list *etype_list = NULL; + int i, j; + krb5_data data; + + *desired_etypes = NULL; + + if (authp->authorization_data == NULL) + return 0; + + /* + * RFC 4537 says that ETYPE_NEGOTIATION auth data should be wrapped + * in AD_IF_RELEVANT, but we handle the case where it is mandatory. 
+ */ + for (i = 0; authp->authorization_data[i] != NULL; i++) { + switch (authp->authorization_data[i]->ad_type) { + case KRB5_AUTHDATA_IF_RELEVANT: + code = krb5_decode_authdata_container(context, + KRB5_AUTHDATA_IF_RELEVANT, + authp->authorization_data[i], + &ad_if_relevant); + if (code != 0) + continue; + + for (j = 0; ad_if_relevant[j] != NULL; j++) { + if (ad_if_relevant[j]->ad_type == KRB5_AUTHDATA_ETYPE_NEGOTIATION) { + etype_adata = ad_if_relevant[j]; + break; + } + } + if (etype_adata == NULL) { + krb5_free_authdata(context, ad_if_relevant); + ad_if_relevant = NULL; + } + break; + case KRB5_AUTHDATA_ETYPE_NEGOTIATION: + etype_adata = authp->authorization_data[i]; + break; + default: + break; + } + if (etype_adata != NULL) + break; + } + + if (etype_adata == NULL) + return 0; + + data.data = (char *)etype_adata->contents; + data.length = etype_adata->length; + + code = decode_krb5_etype_list(&data, &etype_list); + if (code == 0) { + *desired_etypes = etype_list->etypes; + *desired_etypes_len = etype_list->length; + krb5_xfree(etype_list); + } + + if (ad_if_relevant != NULL) + krb5_free_authdata(context, ad_if_relevant); + + return code; +} + From lhoward at MIT.EDU Fri Dec 26 00:20:57 2008 
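Review bot: decode_etype_list only writes `*desired_etypes_len` on the successful decode path; the two `return 0` exits (no authorization data, no ETYPE-NEGOTIATION element) leave it untouched, so every caller must pre-zero it, which the current caller happens to do via `rfc4537_etypes_len = 0`. Set it together with the pointer, `*desired_etypes = NULL; *desired_etypes_len = 0;`, so both out-parameters are always defined on return. The header comment's "but we handle the case where it is mandatory" reads oddly; `but we also accept it unwrapped at the top level` is what the KRB5_AUTHDATA_ETYPE_NEGOTIATION case does. In negotiate_etype, a one-line comment above the second loop such as `/* permitted_etypes is in preference order; first match wins */` would document why the outer loop runs over permitted_etypes rather than desired_etypes, and the `/*NOTREACHED*/` claim only holds when the mandatory range is non-empty.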
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 26 Dec 2008 00:20:57 -0500 (EST) Subject: svn rev #21592: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812260520.AAA28517@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21592 Commit By: lhoward Log Message: Add RFC 4537 support to GSS-API. Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h U branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c 2008-12-26 05:19:33 UTC (rev 21591) +++ branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c 2008-12-26 05:20:55 UTC (rev 21592) 
@@ -343,52 +343,6 @@ return major_status; } -static krb5_error_code -kg_derive_keys(krb5_context context, - krb5_keyblock *subkey, - krb5_keyblock **enc, - krb5_keyblock **seq) -{ - krb5_error_code code; - unsigned int i; - - switch(subkey->enctype) { - case ENCTYPE_DES_CBC_MD5: - case ENCTYPE_DES_CBC_CRC: - subkey->enctype = ENCTYPE_DES_CBC_RAW; - - /* fill in the encryption descriptors */ - - code = krb5_copy_keyblock(context, subkey, enc); - if (code) - return code; - - for (i=0; i<(*enc)->length; i++) - /*SUPPRESS 113*/ - (*enc)->contents[i] ^= 0xf0; - - goto copy_subkey_to_seq; - - case ENCTYPE_DES3_CBC_SHA1: - subkey->enctype = ENCTYPE_DES3_CBC_RAW; - - /* fill in the encryption descriptors */ - default: - code = krb5_copy_keyblock(context, subkey, enc); - if (code) - return code; - - copy_subkey_to_seq: - code = krb5_copy_keyblock(context, subkey, seq); - if (code) - return code; - - break; - } - - return 0; -} - static OM_uint32 kg_accept_krb5(minor_status, context_handle, verifier_cred_handle, input_token, @@ -440,6 +394,7 @@ krb5int_access kaccess; int cred_rcache = 0; int no_encap = 0; + krb5_flags ap_req_options = 0; code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); if (code) { @@ -586,7 +541,7 @@ } if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ, - cred->keytab, NULL, &ticket))) { + cred->keytab, &ap_req_options, &ticket))) { major_status = GSS_S_FAILURE; goto fail; } 
@@ -897,53 +852,17 @@ goto fail; } - ctx->proto = 0; - switch(ctx->subkey->enctype) { - case ENCTYPE_DES_CBC_MD5: - case ENCTYPE_DES_CBC_CRC: - ctx->signalg = SGN_ALG_DES_MAC_MD5; - ctx->cksum_size = 8; - ctx->sealalg = SEAL_ALG_DES; - break; - case ENCTYPE_DES3_CBC_SHA1: - ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD; - ctx->cksum_size = 20; - ctx->sealalg = SEAL_ALG_DES3KD; - break; - case ENCTYPE_ARCFOUR_HMAC: - ctx->signalg = SGN_ALG_HMAC_MD5 ; - ctx->cksum_size = 8; - ctx->sealalg = SEAL_ALG_MICROSOFT_RC4; - break; - default: - ctx->signalg = -1; - ctx->sealalg = -1; - ctx->proto = 1; - code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype, - &ctx->cksumtype); - if (code) { - major_status = GSS_S_FAILURE; - goto fail; - } - code = krb5_c_checksum_length(context, ctx->cksumtype, - &ctx->cksum_size); - if (code) { - major_status = GSS_S_FAILURE; - goto fail; - } - ctx->have_acceptor_subkey = 0; - break; - } - + ctx->enc = NULL; + ctx->seq = NULL; + ctx->have_acceptor_subkey = 0; /* DCE_STYLE implies acceptor_subkey */ if ((ctx->gss_flags & GSS_C_DCE_STYLE) == 0) { - code = kg_derive_keys(context, ctx->subkey, &ctx->enc, &ctx->seq); + code = kg_setup_keys(context, ctx, ctx->subkey, &ctx->cksumtype); if (code) { major_status = GSS_S_FAILURE; goto fail; } } - ctx->krb_times = ticket->enc_part2->times; /* struct copy */ ctx->krb_flags = ticket->enc_part2->flags; @@ -984,7 +903,8 @@ krb5_int32 seq_temp; int cfx_generate_subkey; - if (ctx->proto == 1 || (ctx->gss_flags & GSS_C_DCE_STYLE)) + if (ctx->proto == 1 || (ctx->gss_flags & GSS_C_DCE_STYLE) || + (ap_req_options & AP_OPTS_ETYPE_NEGOTIATION)) cfx_generate_subkey = CFX_ACCEPTOR_SUBKEY; else cfx_generate_subkey = 0; 
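Review bot: On the GSS_C_DCE_STYLE path this hunk no longer initialises `ctx->proto`, `ctx->signalg`, `ctx->sealalg` and `ctx->cksum_size` from the subkey; the removed switch did that unconditionally, whereas kg_setup_keys is now skipped until the acceptor-subkey call further down, yet the next hunk already evaluates `ctx->proto == 1`. That is harmless only if ctx was zero-filled on allocation, which is outside the hunk; if it was not, either call kg_setup_keys unconditionally here or clear those fields explicitly next to `ctx->enc = NULL; ctx->seq = NULL;`. A short comment such as `/* DCE_STYLE: keys and proto are set up from the acceptor subkey below */` would also make the asymmetry read as intentional.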
@@ -1019,27 +939,20 @@ major_status = GSS_S_FAILURE; goto fail; } - code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, - ctx->acceptor_subkey->enctype, - &ctx->acceptor_subkey_cksumtype); - if (code) { - major_status = GSS_S_FAILURE; - goto fail; - } ctx->have_acceptor_subkey = 1; - } - /* the reply token hasn't been sent yet, but that's ok. */ - if (ctx->gss_flags & GSS_C_DCE_STYLE) { - assert(ctx->have_acceptor_subkey); - assert(ctx->enc == NULL && ctx->seq == NULL); - - code = kg_derive_keys(context, ctx->acceptor_subkey, &ctx->enc, &ctx->seq); + code = kg_setup_keys(context, ctx, ctx->acceptor_subkey, + &ctx->acceptor_subkey_cksumtype); if (code) { major_status = GSS_S_FAILURE; goto fail; } + } + /* the reply token hasn't been sent yet, but that's ok. */ + if (ctx->gss_flags & GSS_C_DCE_STYLE) { + assert(ctx->have_acceptor_subkey); + /* in order to force acceptor subkey to be used, don't set PROT_READY */ /* Raw AP-REP is returned */ Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2008-12-26 05:19:33 UTC (rev 21591) +++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2008-12-26 05:20:55 UTC (rev 21592) @@ -262,6 +262,12 @@ krb5_keyblock *key, unsigned char *seed); +krb5_error_code +kg_setup_keys(krb5_context context, + krb5_gss_ctx_id_rec *ctx, + krb5_keyblock *subkey, + krb5_cksumtype *cksumtype); + int kg_confounder_size (krb5_context context, krb5_keyblock *key); krb5_error_code kg_make_confounder (krb5_context context, Modified: branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c 2008-12-26 05:19:33 UTC (rev 21591) +++ branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c 2008-12-26 05:20:55 UTC (rev 21592) 
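Review bot: kg_setup_keys (util_crypt.c hunk in this commit) frees and re-copies `ctx->enc` and `ctx->seq` and overwrites `ctx->proto` and `ctx->cksum_size` on every call, so calling it with `ctx->acceptor_subkey` here replaces the keys the first call installed from the initiator subkey; the removed `assert(ctx->enc == NULL && ctx->seq == NULL)` was guarding exactly that state. For DCE_STYLE this matches the old kg_derive_keys behaviour, but the call now also runs for the plain CFX and RFC 4537 cases, where k5sealv3.c still selects `key = ctx->enc` for tokens without FLAG_ACCEPTOR_SUBKEY and pairs it with `ctx->cksumtype`, which was computed for the original subkey. The init_sec_context.c `@@ -893,21 +735,24 @@` hunk has the same call pattern. Either restrict the enc/seq replacement in kg_setup_keys to the DCE_STYLE case, or state at this call that afterwards `ctx->enc`/`ctx->seq` hold the acceptor subkey and `ctx->cksumtype` no longer corresponds to them.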
@@ -328,7 +328,7 @@ mk_req_flags = AP_OPTS_USE_SUBKEY; if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) - mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED; + mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_ETYPE_NEGOTIATION; code = krb5_mk_req_extended(context, &ctx->auth_context, mk_req_flags, checksum_data, k_cred, &ap_req); 
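Review bot: AP_OPTS_ETYPE_NEGOTIATION is requested only together with AP_OPTS_MUTUAL_REQUIRED and nothing says why; since the negotiated enctype comes back in the AP-REP subkey (the `@@ -893,21 +735,24 @@` hunk compares `ap_rep_data->subkey->enctype` with `ctx->subkey->enctype`), the dependency is real but worth stating: `/* RFC 4537 negotiation needs the AP-REP subkey, so only request it with mutual auth */`.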
@@ -385,168 +385,6 @@ } /* - * setup_enc - * - * Fill in the encryption descriptors. Called after AP-REQ is made. - */ -static OM_uint32 -setup_enc( - OM_uint32 *minor_status, - krb5_gss_ctx_id_rec *ctx, - krb5_context context) -{ - krb5_error_code code; - unsigned int i; - krb5int_access kaccess; - - code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); - if (code) - goto fail; - - ctx->have_acceptor_subkey = 0; - ctx->proto = 0; - ctx->cksumtype = 0; - switch(ctx->subkey->enctype) { - case ENCTYPE_DES_CBC_MD5: - case ENCTYPE_DES_CBC_MD4: - case ENCTYPE_DES_CBC_CRC: - ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW; - ctx->signalg = SGN_ALG_DES_MAC_MD5; - ctx->cksum_size = 8; - ctx->sealalg = SEAL_ALG_DES; - - /* The encryption key is the session key XOR - 0xf0f0f0f0f0f0f0f0. */ - if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) - goto fail; - - for (i=0; ienc->length; i++) - ctx->enc->contents[i] ^= 0xf0; - - goto copy_subkey_to_seq; - - case ENCTYPE_DES3_CBC_SHA1: - /* MIT extension */ - ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW; - ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD; - ctx->cksum_size = 20; - ctx->sealalg = SEAL_ALG_DES3KD; - - copy_subkey: - code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc); - if (code) - goto fail; - copy_subkey_to_seq: - code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq); - if (code) { - krb5_free_keyblock (context, ctx->enc); - goto fail; - } - break; - - case ENCTYPE_ARCFOUR_HMAC: - /* Microsoft extension */ - ctx->signalg = SGN_ALG_HMAC_MD5 ; - ctx->cksum_size = 8; - ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ; - - goto copy_subkey; - - default: - /* Fill some fields we shouldn't be using on this path - with garbage. 
*/ - ctx->signalg = -10; - ctx->sealalg = -10; - - ctx->proto = 1; - code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype, - &ctx->cksumtype); - if (code) - goto fail; - code = krb5_c_checksum_length(context, ctx->cksumtype, - &ctx->cksum_size); - if (code) - goto fail; - goto copy_subkey; - } - *minor_status = 0; - return GSS_S_COMPLETE; -fail: - *minor_status = code; - return GSS_S_FAILURE; -} - -static OM_uint32 -setup_enc_dce( - krb5_error_code *minor_status, - krb5_gss_ctx_id_rec *ctx, - krb5_context context) -{ - krb5_error_code code; - size_t i; - - if (ctx->proto > 0) { - return GSS_S_COMPLETE; /* CFX handles acceptor_subkey directly */ - } - - assert(ctx->have_acceptor_subkey && ctx->acceptor_subkey); - - if (ctx->enc != NULL) { - krb5_free_keyblock(context, ctx->enc); - ctx->enc = NULL; - } - if (ctx->seq != NULL) { - krb5_free_keyblock(context, ctx->seq); - ctx->seq = NULL; - } - - switch(ctx->acceptor_subkey->enctype) { - case ENCTYPE_DES_CBC_MD5: - case ENCTYPE_DES_CBC_MD4: - case ENCTYPE_DES_CBC_CRC: - ctx->acceptor_subkey->enctype = ENCTYPE_DES_CBC_RAW; - - /* The encryption key is the session key XOR - 0xf0f0f0f0f0f0f0f0. 
*/ - if ((code = krb5_copy_keyblock(context, ctx->acceptor_subkey, &ctx->enc))) - goto fail; - - for (i=0; ienc->length; i++) - ctx->enc->contents[i] ^= 0xf0; - - goto copy_acceptor_subkey_to_seq; - - case ENCTYPE_DES3_CBC_SHA1: - /* MIT extension */ - ctx->acceptor_subkey->enctype = ENCTYPE_DES3_CBC_RAW; - - copy_acceptor_subkey: - code = krb5_copy_keyblock (context, ctx->acceptor_subkey, &ctx->enc); - if (code) - goto fail; - copy_acceptor_subkey_to_seq: - code = krb5_copy_keyblock (context, ctx->acceptor_subkey, &ctx->seq); - if (code) { - krb5_free_keyblock (context, ctx->enc); - goto fail; - } - break; - - case ENCTYPE_ARCFOUR_HMAC: - /* Microsoft extension */ - goto copy_acceptor_subkey; - default: - assert(0); - break; - } - *minor_status = 0; - return GSS_S_COMPLETE; -fail: - *minor_status = code; - return GSS_S_FAILURE; -} - -/* * new_connection * * Do the grunt work of setting up a new context. @@ -691,12 +529,16 @@ &ctx->subkey); } - major_status = setup_enc(minor_status, ctx, context); - if (k_cred) { krb5_free_creds(context, k_cred); - k_cred = 0; + k_cred = NULL; } + ctx->enc = NULL; + ctx->seq = NULL; + ctx->have_acceptor_subkey = 0; + code = kg_setup_keys(context, ctx, ctx->subkey, &ctx->cksumtype); + if (code != 0) + goto fail; /* at this point, the context is constructed and valid, hence, releaseable */ 
@@ -893,21 +735,24 @@ (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0, ctx->proto); - if ((ctx->proto == 1 || (ctx->gss_flags & GSS_C_DCE_STYLE)) && - ap_rep_data->subkey) { + if (ap_rep_data->subkey != NULL && + (ctx->proto == 1 || (ctx->gss_flags & GSS_C_DCE_STYLE) || + ap_rep_data->subkey->enctype != ctx->subkey->enctype)) { /* Keep acceptor's subkey. */ ctx->have_acceptor_subkey = 1; code = krb5_copy_keyblock(context, ap_rep_data->subkey, &ctx->acceptor_subkey); - if (code) + if (code) { + krb5_free_ap_rep_enc_part(context, ap_rep_data); goto fail; - code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, - ctx->acceptor_subkey->enctype, - &ctx->acceptor_subkey_cksumtype); - if (code) - goto fail; + } + code = kg_setup_keys(context, ctx, ctx->acceptor_subkey, + &ctx->acceptor_subkey_cksumtype); + if (code) { + krb5_free_ap_rep_enc_part(context, ap_rep_data); + goto fail; + } } - /* free the ap_rep_data */ krb5_free_ap_rep_enc_part(context, ap_rep_data); @@ -920,10 +765,6 @@ output_token->value = outbuf.data; output_token->length = outbuf.length; - - major_status = setup_enc_dce(&code, ctx, context); - if (major_status != GSS_S_COMPLETE) - goto fail; } /* set established */ Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c 2008-12-26 05:19:33 UTC (rev 21591) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c 2008-12-26 05:20:55 UTC (rev 21592) 
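Review bot: The initiator now adopts the acceptor's subkey whenever its enctype differs from `ctx->subkey->enctype`, without checking that the returned enctype is one it is willing to use (its own permitted enctypes, or the RFC 4537 list it sent). The AP-REP is protected by the session key so only the authenticated acceptor can choose it, but unless krb5_rd_rep already validates the subkey enctype against the initiator's permitted set (not visible here), an acceptor configured with a weaker enctype silently changes the context's enctype. Consider checking `krb5_is_permitted_enctype(context, ap_rep_data->subkey->enctype)` before `ctx->have_acceptor_subkey = 1;` and failing with KRB5_NOPERM_ETYPE (freeing ap_rep_data as the other error paths now do) otherwise. The enclosing function starts and ends outside the hunk.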
@@ -421,9 +421,14 @@ gss_headerlen = gss_padlen = gss_trailerlen = 0; if (ctx->proto == 1) { - krb5_enctype enctype = ctx->enc->enctype; + krb5_enctype enctype; size_t ec; + if (ctx->have_acceptor_subkey) + enctype = ctx->acceptor_subkey->enctype; + else + enctype = ctx->enc->enctype; + code = krb5_c_crypto_length(context, enctype, conf_req_flag ? KRB5_CRYPTO_TYPE_TRAILER : KRB5_CRYPTO_TYPE_CHECKSUM, Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3.c 2008-12-26 05:19:33 UTC (rev 21591) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3.c 2008-12-26 05:20:55 UTC (rev 21592) @@ -82,6 +82,7 @@ unsigned short tok_id; krb5_checksum sum; krb5_keyblock *key; + krb5_cksumtype cksumtype; assert(toktype != KG_TOK_SEAL_MSG || ctx->enc != 0); assert(ctx->big_endian == 0); @@ -96,8 +97,10 @@ : KG_USAGE_ACCEPTOR_SIGN)); if (ctx->have_acceptor_subkey) { key = ctx->acceptor_subkey; + cksumtype = ctx->acceptor_subkey_cksumtype; } else { key = ctx->enc; + cksumtype = ctx->cksumtype; } #ifdef CFX_EXERCISE @@ -133,7 +136,7 @@ return ENOMEM; /* Get size of ciphertext. */ - bufsize = 16 + krb5_encrypt_size (plain.length, ctx->enc->enctype); + bufsize = 16 + krb5_encrypt_size (plain.length, key->enctype); /* Allocate space for header plus encrypted data. */ outbuf = malloc(bufsize); if (outbuf == NULL) { @@ -238,7 +241,7 @@ sum.contents = outbuf + 16 + message2->length; sum.length = ctx->cksum_size; - err = krb5_c_make_checksum(context, ctx->cksumtype, key, + err = krb5_c_make_checksum(context, cksumtype, key, key_usage, &plain, &sum); zap(plain.data, plain.length); free(plain.data); @@ -311,6 +314,7 @@ krb5_error_code err; krb5_boolean valid; krb5_keyblock *key; + krb5_cksumtype cksumtype; assert(toktype != KG_TOK_SEAL_MSG || ctx->enc != 0); assert(ctx->big_endian == 0); 
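Review bot: `sum.length = ctx->cksum_size` in the `@@ -238,7 +241,7 @@` hunk still takes the checksum length from the context while the checksum type now comes from whichever key was selected; kg_setup_keys overwrites `ctx->cksum_size` on each call, so after the acceptor-subkey setup it describes the acceptor subkey's checksum even when `key = ctx->enc; cksumtype = ctx->cksumtype;` was chosen. When the two enctypes differ, which is exactly the case RFC 4537 negotiation introduces, the checksum lengths can differ too. Whether a token without FLAG_ACCEPTOR_SUBKEY arrives after the acceptor subkey is established depends on the peer, so this may be latent, but derive the length from the selected type (`krb5_c_checksum_length(context, cksumtype, &cksum_len)` into a local) or keep a per-key size next to `acceptor_subkey_cksumtype`. The k5sealv3iov.c hunks make the same pairing via `ctx->cksum_size`.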
@@ -360,8 +364,10 @@ value in that case, though, so we can just ignore the flag. */ if (ctx->have_acceptor_subkey && (ptr[2] & FLAG_ACCEPTOR_SUBKEY)) { key = ctx->acceptor_subkey; + cksumtype = ctx->acceptor_subkey_cksumtype; } else { key = ctx->enc; + cksumtype = ctx->cksumtype; } if (toktype == KG_TOK_WRAP_MSG) { @@ -442,7 +448,7 @@ return GSS_S_BAD_SIG; } sum.contents = ptr+bodysize-ec; - sum.checksum_type = ctx->cksumtype; + sum.checksum_type = cksumtype; err = krb5_c_verify_checksum(context, key, key_usage, &plain, &sum, &valid); if (err) @@ -479,7 +485,7 @@ memcpy(plain.data + message_buffer->length, ptr, 16); sum.length = bodysize - 16; sum.contents = ptr + 16; - sum.checksum_type = ctx->cksumtype; + sum.checksum_type = cksumtype; err = krb5_c_verify_checksum(context, key, key_usage, &plain, &sum, &valid); free(plain.data); Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c 2008-12-26 05:19:33 UTC (rev 21591) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c 2008-12-26 05:20:55 UTC (rev 21592) @@ -54,6 +54,7 @@ size_t rrc = 0; size_t gss_headerlen, gss_trailerlen; krb5_keyblock *key; + krb5_cksumtype cksumtype; size_t data_length, assoc_data_length; assert(toktype != KG_TOK_WRAP_MSG || ctx->enc != NULL); @@ -69,8 +70,10 @@ : KG_USAGE_ACCEPTOR_SIGN)); if (ctx->have_acceptor_subkey) { key = ctx->acceptor_subkey; + cksumtype = ctx->acceptor_subkey_cksumtype; } else { key = ctx->enc; + cksumtype = ctx->cksumtype; } kg_iov_msglen(iov, iov_count, &data_length, &assoc_data_length); @@ -230,7 +233,7 @@ } store_64_be(ctx->seq_send, outbuf + 8); - code = kg_make_checksum_iov_v3(context, ctx->cksumtype, + code = kg_make_checksum_iov_v3(context, cksumtype, rrc, key, key_usage, iov, iov_count); if (code != 0) 
@@ -286,6 +289,7 @@ krb5_keyblock *key; gssint_uint64 seqnum; krb5_boolean valid; + krb5_cksumtype cksumtype; assert(toktype != KG_TOK_WRAP_MSG || ctx->enc != 0); assert(ctx->big_endian == 0); @@ -328,8 +332,10 @@ if (ctx->have_acceptor_subkey && (ptr[2] & FLAG_ACCEPTOR_SUBKEY)) { key = ctx->acceptor_subkey; + cksumtype = ctx->acceptor_subkey_cksumtype; } else { key = ctx->enc; + cksumtype = ctx->cksumtype; } if (toktype == KG_TOK_WRAP_MSG) { @@ -392,7 +398,7 @@ store_16_be(0, ptr + 4); store_16_be(0, ptr + 6); - code = kg_verify_checksum_iov_v3(context, ctx->cksumtype, rrc, + code = kg_verify_checksum_iov_v3(context, cksumtype, rrc, key, key_usage, iov, iov_count, &valid); if (code != 0 || valid == FALSE) { @@ -411,7 +417,7 @@ goto defective; seqnum = load_64_be(ptr + 8); - code = kg_verify_checksum_iov_v3(context, ctx->cksumtype, 0, + code = kg_verify_checksum_iov_v3(context, cksumtype, 0, key, key_usage, iov, iov_count, &valid); if (code != 0 || valid == FALSE) { Modified: branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-26 05:19:33 UTC (rev 21591) +++ branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-26 05:20:55 UTC (rev 21592) 
@@ -54,6 +54,87 @@ #include #endif +krb5_error_code +kg_setup_keys(krb5_context context, + krb5_gss_ctx_id_rec *ctx, + krb5_keyblock *subkey, + krb5_cksumtype *cksumtype) +{ + krb5_error_code code; + unsigned int i; + krb5int_access kaccess; + + assert(ctx != NULL); + assert(subkey != NULL); + + *cksumtype = 0; + ctx->proto = 0; + + code = krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION); + if (code != 0) + return code; + + if (ctx->enc != NULL) { + krb5_free_keyblock(context, ctx->enc); + ctx->enc = NULL; + } + code = krb5_copy_keyblock(context, subkey, &ctx->enc); + if (code != 0) + return code; + + if (ctx->seq != NULL) { + krb5_free_keyblock(context, ctx->seq); + ctx->seq = NULL; + } + code = krb5_copy_keyblock(context, subkey, &ctx->seq); + if (code != 0) + return code; + + switch (subkey->enctype) { + case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_CRC: + ctx->enc->enctype = ENCTYPE_DES_CBC_RAW; + ctx->seq->enctype = ENCTYPE_DES_CBC_RAW; + ctx->signalg = SGN_ALG_DES_MAC_MD5; + ctx->cksum_size = 8; + ctx->sealalg = SEAL_ALG_DES; + + for (i = 0; i < ctx->enc->length; i++) + /*SUPPRESS 113*/ + ctx->enc->contents[i] ^= 0xF0; + break; + case ENCTYPE_DES3_CBC_SHA1: + ctx->enc->enctype = ENCTYPE_DES3_CBC_RAW; + ctx->seq->enctype = ENCTYPE_DES3_CBC_RAW; + ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD; + ctx->cksum_size = 20; + ctx->sealalg = SEAL_ALG_DES3KD; + break; + case ENCTYPE_ARCFOUR_HMAC: + ctx->signalg = SGN_ALG_HMAC_MD5; + ctx->cksum_size = 8; + ctx->sealalg = SEAL_ALG_MICROSOFT_RC4; + break; + default: + ctx->signalg = -1; + ctx->sealalg = -1; + ctx->proto = 1; + + code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, subkey->enctype, + cksumtype); + if (code != 0) + return code; + + code = krb5_c_checksum_length(context, *cksumtype, &ctx->cksum_size); + if (code != 0) + return code; + break; + } + + return 0; +} + int kg_confounder_size(context, key) krb5_context context; From lhoward at MIT.EDU Fri Dec 26 00:24:00 2008 
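Review bot: kg_setup_keys has no header comment although callers now depend on its side effects: it always frees and replaces `ctx->enc` and `ctx->seq` with copies of `subkey` (DES copies get their enctype rewritten to RAW and `enc` XORed with 0xF0, leaving the caller's subkey untouched), it sets `ctx->proto`, `ctx->signalg`, `ctx->sealalg` and `ctx->cksum_size`, and it returns a non-zero `*cksumtype` only on the proto==1 default path. A comment above the definition stating those effects, and that callers invoke it a second time with the acceptor subkey, would prevent the subkey/acceptor-subkey confusion at the call sites. Also, if the second `krb5_copy_keyblock` fails the function returns with the new `ctx->enc` installed but `ctx->seq` already NULL, i.e. a half-updated ctx; whether the callers' `fail` paths cope with that is outside this hunk.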
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 26 Dec 2008 00:24:00 -0500 (EST) Subject: svn rev #21593: branches/mskrb-integ/src/lib/krb5/asn.1/ Message-ID: <200812260524.AAA28618@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21593 Commit By: lhoward Log Message: remove redundant code Changed Files: U branches/mskrb-integ/src/lib/krb5/asn.1/asn1_k_decode.c Modified: branches/mskrb-integ/src/lib/krb5/asn.1/asn1_k_decode.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/asn.1/asn1_k_decode.c 2008-12-26 05:20:55 UTC (rev 21592) +++ branches/mskrb-integ/src/lib/krb5/asn.1/asn1_k_decode.c 2008-12-26 05:23:59 UTC (rev 21593) @@ -1226,15 +1226,6 @@ cleanup(); } -asn1_error_code asn1_decode_etype_list(asn1buf *buf, krb5_etype_list *val) -{ - setup(); - { begin_structure(); - end_structure(); - } - cleanup(); -} - #ifndef DISABLE_PKINIT /* PKINIT */ From lhoward at MIT.EDU Fri Dec 26 00:58:19 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 26 Dec 2008 00:58:19 -0500 (EST) Subject: svn rev #21594: branches/aes-ccm/src/lib/crypto/dk/ Message-ID: <200812260558.AAA29111@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21594 Commit By: lhoward Log Message: fix a signed-ness issue Changed Files: U branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c Modified: branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c =================================================================== --- branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c 2008-12-26 05:23:59 UTC (rev 21593) +++ branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c 2008-12-26 05:58:18 UTC (rev 21594) @@ -149,7 +149,7 @@ size_t num_data) { krb5_error_code ret; - unsigned char constantdata[K5CLENGTH]; + unsigned char constantdata[K5CLENGTH], *headerdata; krb5_data d1; krb5_crypto_iov *header, *trailer, *sign_data = NULL; krb5_keyblock kc; 
@@ -216,9 +216,10 @@ if (adata_len != 0) flags |= CCM_FLAG_ADATA; - header->data.data[0] = flags; + headerdata = header->data.data; + headerdata[0] = flags; - nonce.data = &header->data.data[1]; + nonce.data = &headerdata[1]; nonce.length = CCM_NONCE_LENGTH; if (iv != NULL) { @@ -239,9 +240,9 @@ goto cleanup; } - header->data.data[13] = (payload_len >> 16) & 0xFF; - header->data.data[14] = (payload_len >> 8 ) & 0xFF; - header->data.data[15] = (payload_len ) & 0xFF; + headerdata[13] = (payload_len >> 16) & 0xFF; + headerdata[14] = (payload_len >> 8 ) & 0xFF; + headerdata[15] = (payload_len ) & 0xFF; sign_data = (krb5_crypto_iov *)calloc(num_data + 1, sizeof(krb5_crypto_iov)); if (sign_data == NULL) { @@ -359,7 +360,7 @@ size_t num_data) { krb5_error_code ret; - unsigned char constantdata[K5CLENGTH]; + unsigned char constantdata[K5CLENGTH], *headerdata; krb5_data d1; krb5_crypto_iov *header, *trailer, *sign_data = NULL; krb5_keyblock kc; @@ -424,8 +425,9 @@ if (header->data.length < enc->block_size) return KRB5_BAD_MSIZE; - flags = header->data.data[0]; + headerdata = (unsigned char *)header->data.data; + flags = headerdata[0]; if ((flags & CCM_FLAG_RESERVED) != 0) { return KRB5_BAD_MSIZE; } @@ -442,9 +444,9 @@ return KRB5_BAD_MSIZE; } - payload_len = (header->data.data[13] << 16); - payload_len |= (header->data.data[14] << 8 ); - payload_len |= (header->data.data[15] ); + payload_len = (headerdata[13] << 16); + payload_len |= (headerdata[14] << 8 ); + payload_len |= (headerdata[15] ); if (payload_len > actual_payload_len) return KRB5_BAD_MSIZE; @@ -511,7 +513,7 @@ } memcpy(&ivec.data[1], iv->data, iv->length); } else - memcpy(&ivec.data[1], &header->data.data[1], CCM_NONCE_LENGTH); /* Copy in nonce */ + memcpy(&ivec.data[1], &headerdata[1], CCM_NONCE_LENGTH); /* Copy in nonce */ memset(&ivec.data[1 + CCM_NONCE_LENGTH], 0, CCM_COUNTER_LENGTH); /* Set counter to zero */ /* Decrypt checksum from trailer */ From lhoward at MIT.EDU Fri Dec 26 01:17:57 2008 
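Review bot: On the decrypt side the header's length field is only rejected when it exceeds the supplied DATA length (`if (payload_len > actual_payload_len) return KRB5_BAD_MSIZE;`), so a header declaring fewer bytes than the caller passed is accepted; in CCM the B_0 block binds the exact payload length, so the check should read `if (payload_len != actual_payload_len) return KRB5_BAD_MSIZE;` unless a shorter declared length is deliberately supported. As written the mismatch is presumably caught only when the CBC-MAC over the received header disagrees with the trailer, which is a weaker and less obvious invariant than an explicit comparison. The switch to `unsigned char *headerdata` does fix the sign-extension in the `<< 16` shifts. The enclosing decrypt function starts and ends outside this hunk.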
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 26 Dec 2008 01:17:57 -0500 (EST) Subject: svn rev #21595: branches/aes-ccm/src/lib/crypto/dk/ Message-ID: <200812260617.BAA29429@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21595 Commit By: lhoward Log Message: Reorder SIGN_ONLY before DATA to comply with CCM spec Changed Files: U branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c Modified: branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c =================================================================== --- branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c 2008-12-26 05:58:18 UTC (rev 21594) +++ branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c 2008-12-26 06:17:57 UTC (rev 21595) @@ -153,7 +153,7 @@ krb5_data d1; krb5_crypto_iov *header, *trailer, *sign_data = NULL; krb5_keyblock kc; - size_t i; + size_t i, num_sign_data = 0; unsigned int header_len = 0; unsigned int trailer_len = 0; unsigned int payload_len = 0; @@ -207,7 +207,7 @@ } } - if (header != &data[0] || header->data.length < enc->block_size) + if (header->data.length < enc->block_size) return KRB5_BAD_MSIZE; /* RFC 5116 5.3, format flags octet */ @@ -216,10 +216,10 @@ if (adata_len != 0) flags |= CCM_FLAG_ADATA; - headerdata = header->data.data; + headerdata = (unsigned char *)header->data.data; headerdata[0] = flags; - nonce.data = &headerdata[1]; + nonce.data = (char *)&headerdata[1]; nonce.length = CCM_NONCE_LENGTH; if (iv != NULL) { 
@@ -250,17 +250,28 @@ goto cleanup; } - sign_data[0] = *header; + sign_data[num_sign_data++] = *header; /* Include length of associated data in CBC-MAC */ - sign_data[1].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY; - sign_data[1].data.data = adata_len_buf; - sign_data[1].data.length = sizeof(adata_len_buf); - ret = encode_a_len(&sign_data[1].data, adata_len); + sign_data[num_sign_data].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY; + sign_data[num_sign_data].data.data = adata_len_buf; + sign_data[num_sign_data].data.length = sizeof(adata_len_buf); + ret = encode_a_len(&sign_data[num_sign_data].data, adata_len); if (ret != 0) goto cleanup; + num_sign_data++; - memcpy(&sign_data[2], &data[1], (num_data - 1) * sizeof(krb5_crypto_iov)); + /* Reorder input IOV so SIGN_ONLY data is before DATA */ + for (i = 0; i < num_data; i++) { + if (data[i].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY) + sign_data[num_sign_data++] = data[i]; + } + for (i = 0; i < num_data; i++) { + if (data[i].flags != KRB5_CRYPTO_TYPE_HEADER && + data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY) + sign_data[num_sign_data++] = data[i]; + } + assert(num_sign_data == num_data + 1); d1.data = (char *)constantdata; d1.length = K5CLENGTH; @@ -302,7 +313,7 @@ goto cleanup; } - ret = krb5int_c_make_checksum_iov(keyhash, &kc, usage, sign_data, num_data + 1, &cksum); + ret = krb5int_c_make_checksum_iov(keyhash, &kc, usage, sign_data, num_sign_data, &cksum); if (ret != 0) goto cleanup; @@ -364,7 +375,7 @@ krb5_data d1; krb5_crypto_iov *header, *trailer, *sign_data = NULL; krb5_keyblock kc; - size_t i; + size_t i, num_sign_data = 0; unsigned int header_len = 0; unsigned int trailer_len = 0; unsigned int actual_adata_len = 0, actual_payload_len = 0; 
@@ -457,15 +468,16 @@ goto cleanup; } - sign_data[0] = *header; + sign_data[num_sign_data++] = *header; /* Include length of associated data in CBC-MAC */ - sign_data[1].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY; - sign_data[1].data.data = adata_len_buf; - sign_data[1].data.length = sizeof(adata_len_buf); - ret = encode_a_len(&sign_data[1].data, actual_adata_len); + sign_data[num_sign_data].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY; + sign_data[num_sign_data].data.data = adata_len_buf; + sign_data[num_sign_data].data.length = sizeof(adata_len_buf); + ret = encode_a_len(&sign_data[num_sign_data].data, actual_adata_len); if (ret != 0) goto cleanup; + num_sign_data++; d1.data = (char *)constantdata; d1.length = K5CLENGTH; @@ -537,9 +549,19 @@ goto cleanup; } - memcpy(&sign_data[2], &data[1], (num_data - 1) * sizeof(krb5_crypto_iov)); + /* Reorder input IOV so SIGN_ONLY data is before DATA */ + for (i = 0; i < num_data; i++) { + if (data[i].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY) + sign_data[num_sign_data++] = data[i]; + } + for (i = 0; i < num_data; i++) { + if (data[i].flags != KRB5_CRYPTO_TYPE_HEADER && + data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY) + sign_data[num_sign_data++] = data[i]; + } + assert(num_sign_data == num_data + 1); - ret = krb5int_c_make_checksum_iov(keyhash, &kc, usage, sign_data, num_data + 1, &cksum); + ret = krb5int_c_make_checksum_iov(keyhash, &kc, usage, sign_data, num_sign_data, &cksum); if (ret != 0) goto cleanup; From lhoward at MIT.EDU Fri Dec 26 01:56:56 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 26 Dec 2008 01:56:56 -0500 (EST) Subject: svn rev #21596: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812260656.BAA29936@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21596 Commit By: lhoward Log Message: plug some leaks Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c U branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c 2008-12-26 06:17:57 UTC (rev 21595) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c 2008-12-26 06:56:55 UTC (rev 21596) @@ -633,7 +633,7 @@ new_cf->dl_handle = template->dl_handle; /* copy mech so we can rewrite canonical mechanism OID */ - new_cf->mech = (gss_mechanism)malloc(sizeof(struct gss_config)); + new_cf->mech = (gss_mechanism)calloc(1, sizeof(struct gss_config)); if (new_cf->mech == NULL) { releaseMechInfo(&new_cf); return ENOMEM; @@ -643,6 +643,8 @@ new_cf->mech->mech_type = *(template->mech_type); new_cf->mech_type = &new_cf->mech->mech_type; new_cf->priority = template->priority; + new_cf->freeMech = 1; + new_cf->freeMechOID = 0; new_cf->next = NULL; if (template->kmodName != NULL) { 
@@ -774,11 +776,26 @@ freeMechList(void) { gss_mech_info cf, next_cf; + OM_uint32 minor; for (cf = g_mechList; cf != NULL; cf = next_cf) { next_cf = cf->next; - free(cf->uLibName); - free(cf->mechNameStr); + if (cf->kmodName != NULL) + free(cf->kmodName); + if (cf->uLibName != NULL) + free(cf->uLibName); + if (cf->mechNameStr != NULL) + free(cf->mechNameStr); + if (cf->optionStr != NULL) + free(cf->optionStr); + if (cf->mech_type != GSS_C_NO_OID && cf->freeMechOID) + generic_gss_release_oid(&minor, &cf->mech_type); + if (cf->mech != NULL && cf->freeMech) + free(cf->mech); + if (cf->mech_ext != NULL && cf->freeMech) + free(cf->mech_ext); + if (cf->dl_handle != NULL) + (void) krb5int_close_plugin(cf->dl_handle); free(cf); } } @@ -853,6 +870,7 @@ } else { /* Try dynamic dispatch table */ aMech->mech = build_dynamicMech(dl, aMech->mech_type); + aMech->freeMech = 1; } if (aMech->mech == NULL) { (void) krb5int_close_plugin(dl); @@ -1030,8 +1048,7 @@ aMech = searchMechList(mechOid); if (aMech && aMech->mech) { - free(mechOid->elements); - free(mechOid); + generic_gss_release_oid(&minor, &mechOid); continue; } @@ -1044,8 +1061,7 @@ * If that's all, then this is a corrupt entry. Skip it. */ if (! *sharedLib) { - free(mechOid->elements); - free(mechOid); + generic_gss_release_oid(&minor, &mechOid); continue; } 
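Review bot: `freeMechList` now calls `krb5int_close_plugin(cf->dl_handle)` for every entry, but the copy path in this same commit sets `new_cf->dl_handle = template->dl_handle;`, so a copied entry shares its template's handle and the handle is closed twice unless `krb5int_close_plugin` reference-counts (not visible here). A second close is at best a no-op and at worst a use-after-free inside the plugin loader. Either leave `dl_handle` NULL on copies and close only the original, or add an ownership flag the way `freeMech` already does; the `freeMech` guard on `mech_ext` also assumes `mech_ext` was allocated alongside `mech`, which this hunk does not show. The function body is complete within the hunk.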
@@ -1139,22 +1155,21 @@ aMech->optionStr = strdup(modOptions); /* the oid is already set */ - free(mechOid->elements); - free(mechOid); + generic_gss_release_oid(&minor, &mechOid); continue; } /* adding a new entry */ - aMech = malloc(sizeof (struct gss_mech_config)); + aMech = calloc(1, sizeof (struct gss_mech_config)); if (aMech == NULL) { - free(mechOid->elements); - free(mechOid); + generic_gss_release_oid(&minor, &mechOid); continue; } - (void) memset(aMech, 0, sizeof (struct gss_mech_config)); aMech->mech_type = mechOid; aMech->uLibName = strdup(sharedPath); aMech->mechNameStr = strdup(oidStr); + aMech->freeMech = 0; + aMech->freeMechOID = 1; /* check if any memory allocations failed - bad news */ if (aMech->uLibName == NULL || aMech->mechNameStr == NULL) { @@ -1162,8 +1177,7 @@ free(aMech->uLibName); if (aMech->mechNameStr) free(aMech->mechNameStr); - free(mechOid->elements); - free(mechOid); + generic_gss_release_oid(&minor, &mechOid); free(aMech); continue; } Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h 2008-12-26 06:17:57 UTC (rev 21595) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h 2008-12-26 06:56:55 UTC (rev 21596) @@ -512,6 +512,8 @@ gss_mechanism mech; /* mechanism initialization struct */ gss_mechanism_ext mech_ext; /* extensions */ int priority; /* mechanism preference order */ + int freeMech; /* free mech table */ + int freeMechOID; /* free mech OID */ struct gss_mech_config *next; /* next element in the list */ } *gss_mech_info; From lhoward at MIT.EDU Fri Dec 26 05:22:46 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 26 Dec 2008 05:22:46 -0500 (EST) Subject: svn rev #21597: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812261022.FAA04329@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21597 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c U branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c 2008-12-26 06:56:55 UTC (rev 21596) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c 2008-12-26 10:22:45 UTC (rev 21597) @@ -644,7 +644,6 @@ new_cf->mech_type = &new_cf->mech->mech_type; new_cf->priority = template->priority; new_cf->freeMech = 1; - new_cf->freeMechOID = 0; new_cf->next = NULL; if (template->kmodName != NULL) { @@ -788,7 +787,7 @@ free(cf->mechNameStr); if (cf->optionStr != NULL) free(cf->optionStr); - if (cf->mech_type != GSS_C_NO_OID && cf->freeMechOID) + if (cf->mech_type != &cf->mech->mech_type) generic_gss_release_oid(&minor, &cf->mech_type); if (cf->mech != NULL && cf->freeMech) free(cf->mech); @@ -1169,7 +1168,6 @@ aMech->uLibName = strdup(sharedPath); aMech->mechNameStr = strdup(oidStr); aMech->freeMech = 0; - aMech->freeMechOID = 1; /* check if any memory allocations failed - bad news */ if (aMech->uLibName == NULL || aMech->mechNameStr == NULL) { Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h 2008-12-26 06:56:55 UTC (rev 21596) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h 2008-12-26 10:22:45 UTC (rev 21597) 
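Review bot: The replacement test `if (cf->mech_type != &cf->mech->mech_type)` forms `&cf->mech->mech_type` even when `cf->mech` is NULL, which appears to be the state of an entry created from the config file whose plugin has not been loaded yet (that path `calloc`s the entry and sets only `mech_type`); taking a member address through a null pointer is undefined behaviour even where it happens to yield a small offset. Guard it: `if (cf->mech == NULL || cf->mech_type != &cf->mech->mech_type)` so such entries still release their OID. Replacing `freeMechOID` with pointer identity is otherwise sound, but a one-line comment that the OID is owned by the entry unless it lives inside `cf->mech` would keep the flag from being reintroduced.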
@@ -513,7 +513,6 @@ gss_mechanism_ext mech_ext; /* extensions */ int priority; /* mechanism preference order */ int freeMech; /* free mech table */ - int freeMechOID; /* free mech OID */ struct gss_mech_config *next; /* next element in the list */ } *gss_mech_info; From lhoward at MIT.EDU Fri Dec 26 05:48:25 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 26 Dec 2008 05:48:25 -0500 (EST) Subject: svn rev #21598: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812261048.FAA04687@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21598 Commit By: lhoward Log Message: reformat Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/mk_req_ext.c Modified: branches/mskrb-integ/src/lib/krb5/krb/mk_req_ext.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/mk_req_ext.c 2008-12-26 10:22:45 UTC (rev 21597) +++ branches/mskrb-integ/src/lib/krb5/krb/mk_req_ext.c 2008-12-26 10:48:24 UTC (rev 21598) @@ -346,8 +346,9 @@ /* * RFC 4537: - * If the enctype of the ticket session key is included in the enctype - * list sent by the client, it SHOULD be the last on the list. + * + * If the enctype of the ticket session key is included in the enctype + * list sent by the client, it SHOULD be the last on the list; */ for (i = 0; i < etypes.length; i++) { if (etypes.etypes[i] == tkt_enctype) { From lhoward at MIT.EDU Fri Dec 26 05:51:29 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 26 Dec 2008 05:51:29 -0500 (EST) Subject: svn rev #21599: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812261051.FAA04796@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21599 Commit By: lhoward Log Message: Obey RFC 4537 more literally: if EtypeList auth data is present, don't negotiate the enctype of the ticket session key (but do negotiate the AP-REQ subkey, if present). See comments in diff for more details about this potentially self-contradictory behaviour. Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c Modified: branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c 2008-12-26 10:48:24 UTC (rev 21598) +++ branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c 2008-12-26 10:51:28 UTC (rev 21599) 
@@ -379,10 +379,38 @@ desired_etypes_len = rfc4537_etypes_len; - if ((*auth_context)->authentp->subkey != NULL) + /* + * RFC 4537: + * + * If the EtypeList is present and the server prefers an enctype from + * the client's enctype list over that of the AP-REQ authenticator + * subkey (if that is present) or the service ticket session key, the + * server MUST create a subkey using that enctype. This negotiated + * subkey is sent in the subkey field of AP-REP message, and it is then + * used as the protocol key or base key [RFC3961] for subsequent + * communication. + * + * If the enctype of the ticket session key is included in the enctype + * list sent by the client, it SHOULD be the last on the list; + * otherwise, this enctype MUST NOT be negotiated if it was not included + * in the list. + * + * The second paragraph does appear to contradict the first with respect + * to whether it is legal to negotiate the ticket session key type if it + * is absent in the EtypeList. A literal reading suggests that we can use + * the AP-REQ subkey enctype. Also a client has no way of distinguishing + * a server that does not RFC 4537 from one that has chosen the same + * enctype as the ticket session key for the acceptor subkey, surely. + */ + + if ((*auth_context)->authentp->subkey != NULL) { desired_etypes[desired_etypes_len++] = (*auth_context)->authentp->subkey->enctype; - desired_etypes[desired_etypes_len++] = req->ticket->enc_part2->session->enctype; - desired_etypes[desired_etypes_len++] = req->ticket->enc_part.enctype; + } + if (rfc4537_etypes_len == 0) { + /* If EtypeList was present, omit the ticket session key enctypes */ + desired_etypes[desired_etypes_len++] = req->ticket->enc_part2->session->enctype; + desired_etypes[desired_etypes_len++] = req->ticket->enc_part.enctype; + } desired_etypes[desired_etypes_len] = ENCTYPE_NULL; if (((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_PERMIT_ALL) == 0) { 
@@ -411,6 +439,8 @@ if (retval != 0) goto cleanup; + assert((*auth_context)->negotiated_etype != ENCTYPE_NULL); + (*auth_context)->remote_seq_number = (*auth_context)->authentp->seq_number; if ((*auth_context)->authentp->subkey) { if ((retval = krb5_copy_keyblock(context, @@ -554,6 +584,7 @@ *negotiated_etype = ENCTYPE_NULL; + /* mandatory segment of desired_etypes must be permitted */ for (i = mandatory_etypes_index; i < desired_etypes_len; i++) { krb5_boolean permitted = FALSE; @@ -577,6 +608,10 @@ } } + /* + * permitted_etypes is ordered from most to least preferred; + * find first desired_etype that matches. + */ for (j = 0; j < permitted_etypes_len; j++) { for (i = 0; i < desired_etypes_len; i++) { if (desired_etypes[i] == permitted_etypes[j]) { From lhoward at MIT.EDU Fri Dec 26 06:48:37 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 26 Dec 2008 06:48:37 -0500 (EST) Subject: svn rev #21600: branches/aes-ccm/src/lib/crypto/dk/ Message-ID: <200812261148.GAA05491@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21600 Commit By: lhoward Log Message: cleanup Changed Files: U branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c Modified: branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c =================================================================== --- branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c 2008-12-26 10:51:28 UTC (rev 21599) +++ branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c 2008-12-26 11:48:37 UTC (rev 21600) 
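Review bot: The new comment on the selection loop should spell out the consequence of walking `permitted_etypes` in the outer loop: the server's configured preference wins over the client's `desired_etypes` order, so a server that lists a weak enctype ahead of a strong one negotiates the weak one even when both sides support the strong one. Suggested wording: `/* Server preference wins: the first permitted etype the client also offered is chosen, so keep permitted_etypes ordered strongest-first in configuration. */`. The `assert((*auth_context)->negotiated_etype != ENCTYPE_NULL);` added in this commit compiles out under NDEBUG; if the selection can genuinely leave ENCTYPE_NULL after a zero `retval`, it should be a real check that returns an error. Both functions extend beyond the hunks.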
@@ -56,10 +56,12 @@ * * Kc = DK(base-key, usage | 0xCC) * + * Again as required by the CCM specification, SIGN_DATA is processed before + * DATA for the purpose of checksumming. + * * Because the base keys are compatible with RFC 3962, the two encryption * types defined here (ENCTYPE_AES128_CCM_128 and ENCTYPE_AES256_CCM_128) - * are most useful in conjunction with a cryptosystem negotiation protocol - * such as RFC 4537. + * are most useful in conjunction with RFC 4537. */ #define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */ @@ -267,11 +269,9 @@ sign_data[num_sign_data++] = data[i]; } for (i = 0; i < num_data; i++) { - if (data[i].flags != KRB5_CRYPTO_TYPE_HEADER && - data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY) + if (data[i].flags == KRB5_CRYPTO_TYPE_DATA) sign_data[num_sign_data++] = data[i]; } - assert(num_sign_data == num_data + 1); d1.data = (char *)constantdata; d1.length = K5CLENGTH; @@ -555,11 +555,9 @@ sign_data[num_sign_data++] = data[i]; } for (i = 0; i < num_data; i++) { - if (data[i].flags != KRB5_CRYPTO_TYPE_HEADER && - data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY) + if (data[i].flags == KRB5_CRYPTO_TYPE_DATA) sign_data[num_sign_data++] = data[i]; } - assert(num_sign_data == num_data + 1); ret = krb5int_c_make_checksum_iov(keyhash, &kc, usage, sign_data, num_sign_data, &cksum); if (ret != 0) From lhoward at MIT.EDU Fri Dec 26 07:06:54 2008 
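Review bot: Restricting the second copy loop to `data[i].flags == KRB5_CRYPTO_TYPE_DATA` silently drops any PADDING (or other non-DATA, non-SIGN_ONLY) iovs from the CBC-MAC input; if the CTR path outside this hunk still encrypts PADDING iovs, those bytes become encrypted-but-unauthenticated, which an AEAD construction must not allow. Either reject non-zero PADDING up front with `KRB5_BAD_MSIZE` and say so in the header comment, or include such iovs in the MAC after the DATA iovs. Removing `assert(num_sign_data == num_data + 1)` is correct now that the count need not match, but a comment that `sign_data` is intentionally over-allocated by one would help. Both functions run past the hunk boundaries.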
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 26 Dec 2008 07:06:54 -0500 (EST) Subject: svn rev #21601: branches/aes-ccm/src/lib/crypto/enc_provider/ Message-ID: <200812261206.HAA05779@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21601 Commit By: lhoward Log Message: correctly initialize counter blocks' flags field Changed Files: U branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c Modified: branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c =================================================================== --- branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c 2008-12-26 11:48:37 UTC (rev 21600) +++ branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c 2008-12-26 12:06:54 UTC (rev 21601) @@ -29,6 +29,8 @@ #include "aes.h" #include "../aead.h" +#define CCM_COUNTER_LENGTH 3 + static void xorblock(unsigned char *out, const unsigned char *in) { int z; @@ -62,7 +64,7 @@ else memset(ctr, 0, BLOCK_SIZE); - ctr[0] &= 0x7; + ctr[0] = CCM_COUNTER_LENGTH - 1; /* q=3 */ blockno = (ctr[13] << 16); blockno |= (ctr[14] << 8 ); @@ -120,7 +122,7 @@ else memset(ctr, 0, BLOCK_SIZE); - ctr[0] &= 0x7; + ctr[0] = CCM_COUNTER_LENGTH - 1; /* q=3 */ blockno = (ctr[13] << 16); blockno |= (ctr[14] << 8 ); From lhoward at MIT.EDU Fri Dec 26 17:15:19 2008 
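Review bot: `ctr[0] = CCM_COUNTER_LENGTH - 1;` hard-codes the CCM flags octet for q=3 in the CTR provider using a `#define` duplicated from dk_ccm.c, which has its own CCM_COUNTER_LENGTH and a 3-byte length field in header bytes 13-15; if either definition is changed alone the counter blocks and the B_0 block disagree and encrypt and decrypt silently diverge. Put the constant in a header both files include (the `../aead.h` included here is a candidate) and comment the line: `/* CCM A_i flags octet: bits 0-2 hold q-1 (RFC 3610 2.3), all other bits zero */`. Overwriting rather than masking `ctr[0]` is an improvement since it also clears stray bits a caller left in the IV. The enclosing encrypt and decrypt functions continue outside the hunks.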
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 26 Dec 2008 17:15:19 -0500 (EST) Subject: svn rev #21602: branches/mskrb-integ/src/lib/ gssapi/krb5/ krb5/krb/ Message-ID: <200812262215.RAA13684@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21602 Commit By: lhoward Log Message: krb5_rd_req() now sets AP_OPTS_USE_SUBKEY if an acceptor subkey was negotiated by RFC 4537; AP_OPTS_ETYPE_NEGOTIATION is always set if RFC 4537 was used. This allows an application to distinguish the case where RFC 4537 was used but the enctype was not upgraded. (Previously, AP_OPTS_USE_SUBKEY was never be set by krb5_rd_req().) Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c U branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c 2008-12-26 12:06:54 UTC (rev 21601) +++ branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c 2008-12-26 22:15:18 UTC (rev 21602) @@ -904,7 +904,7 @@ int cfx_generate_subkey; if (ctx->proto == 1 || (ctx->gss_flags & GSS_C_DCE_STYLE) || - (ap_req_options & AP_OPTS_ETYPE_NEGOTIATION)) + (ap_req_options & AP_OPTS_USE_SUBKEY)) cfx_generate_subkey = CFX_ACCEPTOR_SUBKEY; else cfx_generate_subkey = 0; Modified: branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c 2008-12-26 12:06:54 UTC (rev 21601) +++ branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c 2008-12-26 22:15:18 UTC (rev 21602) 
@@ -480,9 +480,11 @@ if ((retval = krb5_copy_ticket(context, req->ticket, ticket))) goto cleanup; if (ap_req_options) { - *ap_req_options = req->ap_options; + *ap_req_options = req->ap_options & AP_OPTS_WIRE_MASK; + if (rfc4537_etypes_len != 0) + *ap_req_options |= AP_OPTS_ETYPE_NEGOTIATION; if ((*auth_context)->negotiated_etype != (*auth_context)->keyblock->enctype) - *ap_req_options |= AP_OPTS_ETYPE_NEGOTIATION; + *ap_req_options |= AP_OPTS_USE_SUBKEY; } retval = 0; From lhoward at MIT.EDU Fri Dec 26 18:00:29 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 26 Dec 2008 18:00:29 -0500 (EST) Subject: svn rev #21603: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812262300.SAA14257@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21603 Commit By: lhoward Log Message: confounder is 8 bytes long for rc4-hmac Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-26 22:15:18 UTC (rev 21602) +++ branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-26 23:00:28 UTC (rev 21603) @@ -162,9 +162,14 @@ size_t blocksize; krb5_data lrandom; - code = krb5_c_block_size(context, key->enctype, &blocksize); - if (code) - return(code); + /* We special case rc4*/ + if (key->enctype == ENCTYPE_ARCFOUR_HMAC) { + blocksize = 8; + } else { + code = krb5_c_block_size(context, key->enctype, &blocksize); + if (code) + return(code); + } lrandom.length = blocksize; lrandom.data = (char *)buf; From lhoward at MIT.EDU Fri Dec 26 18:54:51 2008 
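Review bot: Whether this keeps a peer from steering acceptor-subkey behaviour depends on `AP_OPTS_WIRE_MASK` (defined outside the hunk) clearing both `AP_OPTS_ETYPE_NEGOTIATION` and `AP_OPTS_USE_SUBKEY`; the AP-REQ ap-options field travels in the clear without integrity protection, so if either bit survives the mask a client can set it on the wire and, through the accept_sec_context change in this same commit, force or suppress acceptor-subkey generation. Add `/* Only wire-defined bits come from the request; USE_SUBKEY and ETYPE_NEGOTIATION are local results of negotiation. */` above the mask line and make the mask definition explicitly exclude those two bits. Setting USE_SUBKEY only when `negotiated_etype` differs from the keyblock enctype matches the log message. The surrounding function extends beyond the hunk.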
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 26 Dec 2008 18:54:51 -0500 (EST) Subject: svn rev #21604: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812262354.SAA14926@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21604 Commit By: lhoward Log Message: Add support for ENCTYPE_ARCFOUR_HMAC_EXP Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5unseal.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c U branches/mskrb-integ/src/lib/gssapi/krb5/util_seqnum.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5unseal.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5unseal.c 2008-12-26 23:00:28 UTC (rev 21603) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5unseal.c 2008-12-26 23:54:50 UTC (rev 21604) @@ -171,7 +171,7 @@ *minor_status = ENOMEM; return(GSS_S_FAILURE); } - if (ctx->enc->enctype == ENCTYPE_ARCFOUR_HMAC) { + if (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4) { unsigned char bigend_seqnum[4]; krb5_keyblock *enc_key; int i; Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-26 23:00:28 UTC (rev 21603) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-26 23:54:50 UTC (rev 21604) 
@@ -146,7 +146,7 @@ /* decode the message, if SEAL */ if (toktype == KG_TOK_WRAP_MSG) { if (sealalg != 0xFFFF) { - if (ctx->enc->enctype == ENCTYPE_ARCFOUR_HMAC) { + if (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4) { unsigned char bigend_seqnum[4]; krb5_keyblock *enc_key; size_t i; Modified: branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-26 23:00:28 UTC (rev 21603) +++ branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-26 23:54:50 UTC (rev 21604) @@ -112,6 +112,7 @@ ctx->sealalg = SEAL_ALG_DES3KD; break; case ENCTYPE_ARCFOUR_HMAC: + case ENCTYPE_ARCFOUR_HMAC_EXP: ctx->signalg = SGN_ALG_HMAC_MD5; ctx->cksum_size = 8; ctx->sealalg = SEAL_ALG_MICROSOFT_RC4; @@ -143,7 +144,8 @@ krb5_error_code code; size_t blocksize; /* We special case rc4*/ - if (key->enctype == ENCTYPE_ARCFOUR_HMAC) + if (key->enctype == ENCTYPE_ARCFOUR_HMAC || + key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) return 8; code = krb5_c_block_size(context, key->enctype, &blocksize); if (code) @@ -163,7 +165,8 @@ krb5_data lrandom; /* We special case rc4*/ - if (key->enctype == ENCTYPE_ARCFOUR_HMAC) { + if (key->enctype == ENCTYPE_ARCFOUR_HMAC || + key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { blocksize = 8; } else { code = krb5_c_block_size(context, key->enctype, &blocksize); @@ -264,6 +267,8 @@ return code; } +const char const kg_arcfour_l40[] = "fortybits"; + krb5_error_code kg_arcfour_docrypt (const krb5_keyblock *longterm_key , int ms_usage, const unsigned char *kd_data, size_t kd_data_len, @@ -274,7 +279,9 @@ krb5_data input, output; krb5int_access kaccess; krb5_keyblock seq_enc_key, usage_key; - unsigned char t[4]; + unsigned char t[14]; + size_t i = 0; + int exportable = (longterm_key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP); usage_key.length = longterm_key->length; usage_key.contents = malloc(usage_key.length); 
@@ -290,18 +297,24 @@ if (code) goto cleanup_arcfour; - t[0] = ms_usage &0xff; - t[1] = (ms_usage>>8) & 0xff; - t[2] = (ms_usage>>16) & 0xff; - t[3] = (ms_usage>>24) & 0xff; + if (exportable) { + memcpy(t, kg_arcfour_l40, sizeof(kg_arcfour_l40)); + i += sizeof(kg_arcfour_l40); + } + t[i++] = ms_usage &0xff; + t[i++] = (ms_usage>>8) & 0xff; + t[i++] = (ms_usage>>16) & 0xff; + t[i++] = (ms_usage>>24) & 0xff; input.data = (void *) &t; - input.length = 4; + input.length = i; output.data = (void *) usage_key.contents; output.length = usage_key.length; code = (*kaccess.krb5_hmac) (kaccess.md5_hash_provider, longterm_key, 1, &input, &output); if (code) goto cleanup_arcfour; + if (exportable) + memset(usage_key.contents + 7, 0xab, 9); input.data = ( void *) kd_data; input.length = kd_data_len; @@ -628,7 +641,9 @@ krb5_data input, output; krb5int_access kaccess; krb5_keyblock seq_enc_key, usage_key; - unsigned char t[4]; + unsigned char t[14]; + size_t i = 0; + int exportable = (longterm_key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP); krb5_crypto_iov *kiov = NULL; size_t kiov_count = 0; 
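Review bot: The export path deliberately weakens the RC4 usage key: after the HMAC, `memset(usage_key.contents + 7, 0xab, 9)` fixes 9 of the 16 bytes, leaving only the first 7 bytes of K1 secret, and nothing in the code says so. Add `/* RFC 4757 exportable variant: K1 bytes 7..15 are fixed to 0xAB; only 7 bytes remain secret. Accept only where legacy interop requires it. */` at the memset, and make sure ENCTYPE_ARCFOUR_HMAC_EXP is not negotiable by default (that policy lives outside this diff). The memset also assumes `usage_key.length` is at least 16, which holds for RC4 keys but is not checked; a `longterm_key->length` guard before it would be cheap. `sizeof(kg_arcfour_l40)` is 10 and includes the NUL, which is what the 14-byte `t` buffer is sized for, so that part is consistent. The function continues beyond the hunk.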
@@ -646,18 +661,24 @@ if (code) goto cleanup_arcfour; - t[0] = ms_usage &0xff; - t[1] = (ms_usage>>8) & 0xff; - t[2] = (ms_usage>>16) & 0xff; - t[3] = (ms_usage>>24) & 0xff; + if (exportable) { + memcpy(t, kg_arcfour_l40, sizeof(kg_arcfour_l40)); + i += sizeof(kg_arcfour_l40); + } + t[i++] = ms_usage &0xff; + t[i++] = (ms_usage>>8) & 0xff; + t[i++] = (ms_usage>>16) & 0xff; + t[i++] = (ms_usage>>24) & 0xff; input.data = (void *) &t; - input.length = 4; + input.length = i; output.data = (void *) usage_key.contents; output.length = usage_key.length; code = (*kaccess.krb5_hmac) (kaccess.md5_hash_provider, longterm_key, 1, &input, &output); if (code) goto cleanup_arcfour; + if (exportable) + memset(usage_key.contents + 7, 0xab, 9); input.data = ( void *) kd_data; input.length = kd_data_len; Modified: branches/mskrb-integ/src/lib/gssapi/krb5/util_seqnum.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/util_seqnum.c 2008-12-26 23:00:28 UTC (rev 21603) +++ branches/mskrb-integ/src/lib/gssapi/krb5/util_seqnum.c 2008-12-26 23:54:50 UTC (rev 21604) @@ -44,7 +44,8 @@ plain[5] = direction; plain[6] = direction; plain[7] = direction; - if (key->enctype == ENCTYPE_ARCFOUR_HMAC ) { + if (key->enctype == ENCTYPE_ARCFOUR_HMAC || + key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { /* Yes, Microsoft used big-endian sequence number.*/ plain[0] = (seqnum>>24) & 0xff; plain[1] = (seqnum>>16) & 0xff; @@ -76,7 +77,8 @@ krb5_error_code code; unsigned char plain[8]; - if (key->enctype == ENCTYPE_ARCFOUR_HMAC) { + if (key->enctype == ENCTYPE_ARCFOUR_HMAC || + key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { code = kg_arcfour_docrypt (key, 0, cksum, 8, buf, 8, 
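Review bot: The usage-key derivation (exportable prefix, four little-endian usage bytes, HMAC-MD5, 0xAB fixup) is now duplicated verbatim in `kg_arcfour_docrypt` and `kg_arcfour_docrypt_iov`, and this commit already had to edit both copies in lockstep; a shared static helper keeps the two paths from drifting on a key-derivation detail. Both functions would then call `code = kg_arcfour_usage_key(&kaccess, longterm_key, ms_usage, &usage_key); if (code) goto cleanup_arcfour;` in place of the copied block. The helper below assumes `usage_key->contents` has already been allocated with `longterm_key->length` bytes, as the callers do. Both functions extend beyond the hunk.
```c
/* Derive the RC4 usage key K1 (RFC 4757). For the exportable enctype the
 * "fortybits" prefix is fed to the HMAC and bytes 7..15 of K1 are fixed to
 * 0xAB, so only the first 7 bytes remain secret. */
static krb5_error_code
kg_arcfour_usage_key(krb5int_access *kaccess, const krb5_keyblock *longterm_key,
                     int ms_usage, krb5_keyblock *usage_key)
{
    krb5_error_code code;
    krb5_data input, output;
    unsigned char t[14];
    size_t i = 0;
    int exportable = (longterm_key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP);

    if (exportable) {
        memcpy(t, kg_arcfour_l40, sizeof(kg_arcfour_l40));
        i += sizeof(kg_arcfour_l40);
    }
    t[i++] = ms_usage & 0xff;
    t[i++] = (ms_usage >> 8) & 0xff;
    t[i++] = (ms_usage >> 16) & 0xff;
    t[i++] = (ms_usage >> 24) & 0xff;
    input.data = (void *)t;
    input.length = i;
    output.data = (void *)usage_key->contents;
    output.length = usage_key->length;
    code = (*kaccess->krb5_hmac)(kaccess->md5_hash_provider, longterm_key, 1,
                                 &input, &output);
    if (code == 0 && exportable)
        memset(usage_key->contents + 7, 0xab, 9);
    return code;
}
/* ... unchanged: callers replace their inline derivation with one call ... */
```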
@@ -93,7 +95,8 @@ return((krb5_error_code) KG_BAD_SEQ); *direction = plain[4]; - if (key->enctype == ENCTYPE_ARCFOUR_HMAC) { + if (key->enctype == ENCTYPE_ARCFOUR_HMAC || + key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { *seqnum = (plain[3]|(plain[2]<<8) | (plain[1]<<16)| (plain[0]<<24)); } else { *seqnum = ((plain[0]) | From lhoward at MIT.EDU Fri Dec 26 19:49:00 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Fri, 26 Dec 2008 19:49:00 -0500 (EST) Subject: svn rev #21605: branches/aes-ccm/src/lib/crypto/dk/ Message-ID: <200812270049.TAA15629@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21605 Commit By: lhoward Log Message: Support 64-bit adata lengths Changed Files: U branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c Modified: branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c =================================================================== --- branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c 2008-12-26 23:54:50 UTC (rev 21604) +++ branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c 2008-12-27 00:48:57 UTC (rev 21605) @@ -103,14 +103,16 @@ } static krb5_error_code -encode_a_len(krb5_data *a, unsigned int adata_len) +encode_a_len(krb5_data *a, krb5_ui_8 adata_len) { size_t len; unsigned char *p; - if (adata_len > (1 << 16) - (1 << 8)) + if (adata_len > (1LL << 32)) + len = 10; + else if (adata_len > (1LL << 16) - (1LL << 8)) len = 6; - else if (adata_len > 0) + else if (adata_len) len = 2; else len = 0; @@ -133,6 +135,18 @@ p[4] = (adata_len >> 8 ) & 0xFF; p[5] = (adata_len ) & 0xFF; break; + case 10: + p[0] = 0xFF; + p[1] = 0xFF; + p[2] = (adata_len >> 56) & 0xFF; + p[3] = (adata_len >> 48) & 0xFF; + p[4] = (adata_len >> 40) & 0xFF; + p[5] = (adata_len >> 32) & 0xFF; + p[6] = (adata_len >> 24) & 0xFF; + p[7] = (adata_len >> 16) & 0xFF; + p[8] = (adata_len >> 8 ) & 0xFF; + p[9] = (adata_len ) & 0xFF; + break; } a->length = len; 
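Review bot: Both thresholds in `encode_a_len` are off by one against RFC 3610 section 2.2, which uses the 2-octet form only for `l(a) < 2^16 - 2^8`, the 0xff 0xfe form for `2^16 - 2^8 <= l(a) < 2^32`, and the 0xff 0xff form for `l(a) >= 2^32`. With `>` an `adata_len` of exactly 0xFF00 is emitted as the two bytes 0xFF 0x00, inside the range the spec reserves for the escape prefixes, and an `adata_len` of exactly 2^32 goes through the 6-byte form where `(adata_len >> 8) & 0xFF` and friends truncate it to zero, so the MAC is computed over a misdeclared length. Change them to `if (adata_len >= (1ULL << 32))` and `else if (adata_len >= (1ULL << 16) - (1ULL << 8))`, and mirror the same bounds wherever the decrypt side re-derives the encoding. The 10-byte branch itself matches the spec layout.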
@@ -159,7 +173,7 @@ unsigned int header_len = 0; unsigned int trailer_len = 0; unsigned int payload_len = 0; - unsigned int adata_len = 0; + krb5_ui_8 adata_len = 0; unsigned char flags = 0; krb5_data nonce, cksum, ivec; krb5_cksumtype cksumtype; @@ -378,7 +392,8 @@ size_t i, num_sign_data = 0; unsigned int header_len = 0; unsigned int trailer_len = 0; - unsigned int actual_adata_len = 0, actual_payload_len = 0; + krb5_ui_8 actual_adata_len = 0; + unsigned int actual_payload_len = 0; unsigned int payload_len = 0; unsigned char flags = 0; krb5_data cksum, ivec; From lhoward at MIT.EDU Sat Dec 27 00:34:18 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 27 Dec 2008 00:34:18 -0500 (EST) Subject: svn rev #21606: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812270534.AAA18944@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21606 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-27 00:48:57 UTC (rev 21605) +++ branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-27 05:34:18 UTC (rev 21606) @@ -54,6 +54,8 @@ #include #endif +const char const kg_arcfour_l40[] = "fortybits"; + krb5_error_code kg_setup_keys(krb5_context context, krb5_gss_ctx_id_rec *ctx, @@ -267,8 +269,6 @@ return code; } -const char const kg_arcfour_l40[] = "fortybits"; - krb5_error_code kg_arcfour_docrypt (const krb5_keyblock *longterm_key , int ms_usage, const unsigned char *kd_data, size_t kd_data_len, From lhoward at MIT.EDU Sat Dec 27 00:38:54 2008 
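Review bot: `const char const kg_arcfour_l40[] = "fortybits";` in the util_crypt.c hunk carries a duplicated `const` qualifier, a constraint violation in C89 and at best a warning in C99, so it should read `const char kg_arcfour_l40[] = "fortybits";`. The definition also has external linkage with no header declaration visible here; if every use is inside util_crypt.c, `static` keeps it out of the library's exported symbols. Moving it above kg_setup_keys suggests it is now referenced there as well, but that use is outside the hunk.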
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 27 Dec 2008 00:38:54 -0500 (EST) Subject: svn rev #21607: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812270538.AAA19068@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21607 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c 2008-12-27 05:34:18 UTC (rev 21606) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c 2008-12-27 05:38:53 UTC (rev 21607) @@ -221,9 +221,7 @@ goto cleanup; if (conf_req_flag) { - switch (ctx->sealalg) { - case SEAL_ALG_MICROSOFT_RC4: - { + if (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4) { unsigned char bigend_seqnum[4]; krb5_keyblock *enc_key; size_t i; @@ -246,21 +244,15 @@ bigend_seqnum, 4, iov, iov_count); krb5_free_keyblock(context, enc_key); - if (code != 0) - goto cleanup; - - break; - } - default: + } else { code = kg_encrypt_iov(context, ctx->proto, ((ctx->gss_flags & GSS_C_DCE_STYLE) != 0), 0 /*EC*/, 0 /*RRC*/, ctx->enc, KG_USAGE_SEAL, NULL, iov, iov_count); - if (code != 0) - goto cleanup; - break; } + if (code != 0) + goto cleanup; } ctx->seq_send++; From lhoward at MIT.EDU Sat Dec 27 00:40:19 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 27 Dec 2008 00:40:19 -0500 (EST) Subject: svn rev #21608: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812270540.AAA19164@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21608 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-27 05:38:53 UTC (rev 21607) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c 2008-12-27 05:40:18 UTC (rev 21608) @@ -270,7 +270,8 @@ * data contain the pad length. kg_fixup_padding_iov() will find * this and fixup the last data IOV appropriately. */ - if ((ctx->gss_flags & GSS_C_DCE_STYLE) == 0) { + if (toktype == KG_TOK_WRAP_MSG && + (ctx->gss_flags & GSS_C_DCE_STYLE) == 0) { retval = kg_fixup_padding_iov(&code, iov, iov_count); if (retval != GSS_S_COMPLETE) goto cleanup; From lhoward at MIT.EDU Sat Dec 27 18:13:06 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 27 Dec 2008 18:13:06 -0500 (EST) Subject: svn rev #21609: branches/mskrb-integ/src/lib/crypto/ Message-ID: <200812272313.SAA03057@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21609 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/lib/crypto/hmac.c Modified: branches/mskrb-integ/src/lib/crypto/hmac.c =================================================================== --- branches/mskrb-integ/src/lib/crypto/hmac.c 2008-12-27 05:40:18 UTC (rev 21608) +++ branches/mskrb-integ/src/lib/crypto/hmac.c 2008-12-27 23:13:05 UTC (rev 21609) 
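Review bot: The comment above the changed condition in the k5unsealiov.c hunk still says the last data IOV contains the pad length and kg_fixup_padding_iov() will fix it up, without saying why that is now skipped for MIC tokens; extend it with `* MIC tokens carry no padding, so only wrap tokens are fixed up.` so the `toktype == KG_TOK_WRAP_MSG` test is not read as an accidental narrowing. The enclosing function starts and ends outside the hunk.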
@@ -129,7 +129,7 @@ krb5_error_code krb5int_hmac_iov(const struct krb5_hash_provider *hash, const krb5_keyblock *key, - const krb5_crypto_iov *data, size_t num_data, krb5_data *output) + const krb5_crypto_iov *data, size_t num_data, krb5_data *output) { krb5_data *sign_data; size_t num_sign_data; @@ -143,6 +143,7 @@ if (SIGN_IOV(iov)) num_sign_data++; } + /* XXX cleanup to avoid alloc */ sign_data = (krb5_data *)calloc(num_sign_data, sizeof(krb5_data)); if (sign_data == NULL) From lhoward at MIT.EDU Sat Dec 27 18:35:08 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 27 Dec 2008 18:35:08 -0500 (EST) Subject: svn rev #21610: branches/mskrb-integ/src/ include/ lib/gssapi/spnego/ lib/krb5/os/ Message-ID: <200812272335.SAA03380@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21610 Commit By: lhoward Log Message: Export krb5int_clean_hostname through kaccess so that SPNEGO mech can use it, rather than gethostname(), to construct NegHints Changed Files: U branches/mskrb-integ/src/include/k5-int.h U branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c U branches/mskrb-integ/src/lib/krb5/os/accessor.c Modified: branches/mskrb-integ/src/include/k5-int.h =================================================================== --- branches/mskrb-integ/src/include/k5-int.h 2008-12-27 23:13:05 UTC (rev 21609) +++ branches/mskrb-integ/src/include/k5-int.h 2008-12-27 23:35:06 UTC (rev 21610) @@ -1991,6 +1991,7 @@ struct srv_dns_entry **answers); void (*free_srv_dns_data)(struct srv_dns_entry *); int (*use_dns_kdc)(krb5_context); + krb5_error_code (*clean_hostname)(krb5_context, const char *, char *, size_t); /* krb4 compatibility stuff -- may be null if not enabled */ krb5_int32 (*krb_life_to_time)(krb5_int32, int); 
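Review bot: Inserting `clean_hostname` in the middle of the krb5int_access struct in the k5-int.h hunk shifts every member after it, so a mech built against the old layout and loaded into the new library (or the reverse) would call through the wrong function pointer; that is only safe if KRB5INT_ACCESS_VERSION is bumped in the same change, and while the `#define KRB5INT_ACCESS_VERSION \` line appears in the next hunk its value is not visible. Appending the new member at the end of the struct would at least keep the existing fields at stable offsets. The struct's definition starts and ends outside the hunk.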
@@ -2005,7 +2006,7 @@ /* Used for KDB LDAP back end. */ krb5_error_code - (*asn1_ldap_encode_sequence_of_keys) (ldap_seqof_key_data *val, + (*asn1_ldap_encode_sequence_of_keys) (const ldap_seqof_key_data *val, krb5_data **code); krb5_error_code @@ -2083,6 +2084,7 @@ (const krb5_sam_response_2 *rep, krb5_data **code); krb5_error_code (*encode_krb5_enc_sam_response_enc_2) (const krb5_enc_sam_response_enc_2 *rep, krb5_data **code); + } krb5int_access; #define KRB5INT_ACCESS_VERSION \ Modified: branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c 2008-12-27 23:13:05 UTC (rev 21609) +++ branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c 2008-12-27 23:35:06 UTC (rev 21610) @@ -1039,7 +1039,6 @@ make_NegHints(OM_uint32 *minor_status, gss_cred_id_t cred, gss_buffer_t *outbuf) { - char hostname[5 + MAXHOSTNAMELEN + 1]; gss_buffer_desc hintNameBuf; gss_name_t hintName; gss_name_t hintKerberosName; 
@@ -1064,12 +1063,22 @@ if (major_status != GSS_S_COMPLETE) return (major_status); } else { - memcpy(hostname, HOST_PREFIX, HOST_PREFIX_LEN); + krb5_error_code code; + krb5int_access kaccess; + char hostname[HOST_PREFIX_LEN + MAXHOSTNAMELEN + 1] = HOST_PREFIX; + code = krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION); + if (code != 0) { + *minor_status = code; + return (GSS_S_FAILURE); + } + /* this breaks mutual authentication but Samba relies on it */ - if (gethostname(hostname + HOST_PREFIX_LEN, - sizeof(hostname) - HOST_PREFIX_LEN - 1) != 0) { - *minor_status = errno; + code = (*kaccess.clean_hostname)(NULL, NULL, + &hostname[HOST_PREFIX_LEN], + MAXHOSTNAMELEN); + if (code != 0) { + *minor_status = code; return (GSS_S_FAILURE); } Modified: branches/mskrb-integ/src/lib/krb5/os/accessor.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/os/accessor.c 2008-12-27 23:13:05 UTC (rev 21609) +++ branches/mskrb-integ/src/lib/krb5/os/accessor.c 2008-12-27 23:35:06 UTC (rev 21610) @@ -67,6 +67,7 @@ SC (free_srv_dns_data, krb5int_free_srv_dns_data), SC (use_dns_kdc, _krb5_use_dns_kdc), #undef SC + S (clean_hostname, krb5int_clean_hostname), S (krb_life_to_time, 0), S (krb_time_to_life, 0), From lhoward at MIT.EDU Sat Dec 27 19:02:12 2008 
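Review bot: `(*kaccess.clean_hostname)(NULL, NULL, &hostname[HOST_PREFIX_LEN], MAXHOSTNAMELEN)` passes a NULL context and a NULL source host, and nothing in this hunk shows that krb5int_clean_hostname accepts either (the accessor.c hunk only binds the pointer), so that contract should be confirmed before relying on it. The destination has MAXHOSTNAMELEN + 1 bytes after the prefix, so passing MAXHOSTNAMELEN is safe only if the callee always NUL-terminates within the length it is given; the replaced gethostname call passed the remaining size minus one for exactly that reason, and a comment stating which convention applies here would help. The retained `/* this breaks mutual authentication but Samba relies on it */` note is the right kind of comment and should stay next to the call. make_NegHints continues outside the hunk.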
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 27 Dec 2008 19:02:12 -0500 (EST) Subject: svn rev #21611: branches/mskrb-integ/src/lib/gssapi/mechglue/ Message-ID: <200812280002.TAA03814@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21611 Commit By: lhoward Log Message: It appears OK, at least for the Kerberos mechanism, for gss_inquire_cred() to return GSS_C_NO_NAME in *name, rather than causing the entire function to return an error. We had some code that depended on this. Changed Files: U branches/mskrb-integ/src/lib/gssapi/mechglue/g_inq_cred.c Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_inq_cred.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_inq_cred.c 2008-12-27 23:35:06 UTC (rev 21610) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_inq_cred.c 2008-12-28 00:02:10 UTC (rev 21611) @@ -143,7 +143,9 @@ */ if(name != NULL) { - if ((gss_import_name(&temp_minor_status, + if (union_cred->auxinfo.name.length == 0) { + *name = GSS_C_NO_NAME; + } else if ((gss_import_name(&temp_minor_status, &union_cred->auxinfo.name, union_cred->auxinfo.name_type, name) != GSS_S_COMPLETE) || From lhoward at MIT.EDU Sat Dec 27 19:09:54 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 27 Dec 2008 19:09:54 -0500 (EST) Subject: svn rev #21612: branches/mskrb-integ/src/lib/gssapi/spnego/ Message-ID: <200812280009.TAA03975@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21612 Commit By: lhoward Log Message: Improve error handling Changed Files: U branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c Modified: branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c 2008-12-28 00:02:10 UTC (rev 21611) +++ branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c 2008-12-28 00:09:53 UTC (rev 21612) 
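Review bot: Returning GSS_C_NO_NAME when `union_cred->auxinfo.name.length == 0` is a quiet change to gss_inquire_cred's behaviour that callers will only learn about from the log message; a comment on the new branch such as `/* A mech may leave the credential name empty; report GSS_C_NO_NAME instead of failing the whole call. */` keeps that decision visible in the code. The `else if` continues an `||` condition that runs past the end of the hunk.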
@@ -942,7 +942,6 @@ req_flags, &mechtok_out, send_token, output_token) < 0) { - ret = GSS_S_FAILURE; } } else if (send_token != NO_TOKEN_SEND) { @@ -1040,7 +1039,7 @@ gss_cred_id_t cred, gss_buffer_t *outbuf) { gss_buffer_desc hintNameBuf; - gss_name_t hintName; + gss_name_t hintName = GSS_C_NO_NAME; gss_name_t hintKerberosName; gss_OID hintNameType; OM_uint32 major_status; @@ -1062,7 +1061,9 @@ NULL); if (major_status != GSS_S_COMPLETE) return (major_status); - } else { + } + + if (hintName == GSS_C_NO_NAME) { krb5_error_code code; krb5int_access kaccess; char hostname[HOST_PREFIX_LEN + MAXHOSTNAMELEN + 1] = HOST_PREFIX; @@ -1215,6 +1216,7 @@ ret = make_NegHints(minor_status, cred, mechListMIC); if (ret != GSS_S_COMPLETE) { + *return_token = NO_TOKEN_SEND; goto cleanup; } @@ -1555,7 +1557,7 @@ OM_uint32 *time_rec, gss_cred_id_t *delegated_cred_handle) { - OM_uint32 ret, tmpret, tmpmin, negState; + OM_uint32 ret, tmpmin, negState; send_token_flag return_token; gss_buffer_t mechtok_in, mic_in, mic_out; gss_buffer_desc mechtok_out = GSS_C_EMPTY_BUFFER; @@ -1652,6 +1654,10 @@ cleanup: if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { /* For acceptor-sends-first send a tokenInit */ + int tmpret; + + assert(sc != NULL); + if (sendTokenInit) { tmpret = make_spnego_tokenInit_msg(sc, 1, @@ -1666,9 +1672,8 @@ return_token, output_token); } - if (tmpret != GSS_S_COMPLETE) { - ret = tmpret; - } + if (tmpret < 0) + ret = GSS_S_FAILURE; } if (ret == GSS_S_COMPLETE) { *context_handle = (gss_ctx_id_t)sc->ctx_handle; From lhoward at MIT.EDU Sat Dec 27 19:59:42 2008 
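Review bot: Removing `ret = GSS_S_FAILURE;` leaves `if (make_spnego_tokenInit_msg(...) < 0) { }` with an empty body, so a failure to build the init token no longer changes ret unless ret already holds an error at that point (the surrounding lines are outside the hunk). If the error is meant to come from elsewhere, drop the now-empty `if` as well; if not, the assignment should stay. Either way a short comment saying why a negative return is ignored here would stop the next reader from re-adding it.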
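Review bot: `int tmpret;` in the cleanup block of the last two hunks is only shown being assigned in the `if (sendTokenInit)` branch; if the `else` branch (not visible) does not assign it, `if (tmpret < 0)` would read an uninitialized value, so `int tmpret = 0;` makes the later test safe regardless. The new `assert(sc != NULL)` guards the `sc->ctx_handle` dereference that follows, but asserts compile out under NDEBUG; if sc can be NULL on this path a runtime check that sets `ret = GSS_S_FAILURE` is the safer form. The enclosing function continues outside the hunks.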
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 27 Dec 2008 19:59:42 -0500 (EST) Subject: svn rev #21613: branches/mskrb-integ/src/include/ Message-ID: <200812280059.TAA06704@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21613 Commit By: lhoward Log Message: reorder presently unused verify_iov arguments to make more sense (hash after iov) Changed Files: U branches/mskrb-integ/src/include/k5-int.h Modified: branches/mskrb-integ/src/include/k5-int.h =================================================================== --- branches/mskrb-integ/src/include/k5-int.h 2008-12-28 00:09:53 UTC (rev 21612) +++ branches/mskrb-integ/src/include/k5-int.h 2008-12-28 00:59:40 UTC (rev 21613) @@ -627,9 +627,9 @@ krb5_error_code (*verify_iov) (const krb5_keyblock *key, krb5_keyusage keyusage, const krb5_data *ivec, - const krb5_data *input, const krb5_crypto_iov *data, size_t num_data, + const krb5_data *hash, krb5_boolean *valid); }; From lhoward at MIT.EDU Sat Dec 27 20:05:19 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 27 Dec 2008 20:05:19 -0500 (EST) Subject: svn rev #21614: branches/mskrb-integ/src/lib/crypto/ Message-ID: <200812280105.UAA06849@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21614 Commit By: lhoward Log Message: Update for revised function signature Changed Files: U branches/mskrb-integ/src/lib/crypto/verify_checksum_iov.c Modified: branches/mskrb-integ/src/lib/crypto/verify_checksum_iov.c =================================================================== --- branches/mskrb-integ/src/lib/crypto/verify_checksum_iov.c 2008-12-28 00:59:40 UTC (rev 21613) +++ branches/mskrb-integ/src/lib/crypto/verify_checksum_iov.c 2008-12-28 01:05:18 UTC (rev 21614) 
@@ -60,8 +60,8 @@ if (krb5_cksumtypes_list[i].keyhash && krb5_cksumtypes_list[i].keyhash->verify_iov) return((*(krb5_cksumtypes_list[i].keyhash->verify_iov))(key, usage, 0, + data, num_data, &checksum->data, - data, num_data, valid)); /* otherwise, make the checksum again, and compare */ From lhoward at MIT.EDU Sat Dec 27 20:06:11 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sat, 27 Dec 2008 20:06:11 -0500 (EST) Subject: svn rev #21615: branches/mskrb-integ/src/lib/crypto/ Message-ID: <200812280106.UAA06930@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21615 Commit By: lhoward Log Message: Add a compatibility layer for new cryptosystems such as CCM that do not implement the hash and verify methods, but do implement hash_iov and veirfy_iov. This is similar to what we've done at for encryption callbacks. Changed Files: U branches/mskrb-integ/src/lib/crypto/make_checksum.c U branches/mskrb-integ/src/lib/crypto/verify_checksum.c Modified: branches/mskrb-integ/src/lib/crypto/make_checksum.c =================================================================== --- branches/mskrb-integ/src/lib/crypto/make_checksum.c 2008-12-28 01:05:18 UTC (rev 21614) +++ branches/mskrb-integ/src/lib/crypto/make_checksum.c 2008-12-28 01:06:10 UTC (rev 21615) 
@@ -63,7 +63,10 @@ if (krb5_cksumtypes_list[i].keyhash) { /* check if key is compatible */ + const struct krb5_keyhash_provider *keyhash; + keyhash = krb5_cksumtypes_list[i].keyhash; + if (krb5_cksumtypes_list[i].keyed_etype) { for (e1=0; e1hash))(key, usage, 0, input, &data); + if (keyhash->hash == NULL) { + krb5_crypto_iov iov[1]; + + iov[0].flags = KRB5_CRYPTO_TYPE_DATA; + iov[0].data = *input; + + assert(keyhash->hash_iov != NULL); + + ret = (*keyhash->hash_iov)(key, usage, 0, iov, 1, &data); + } else { + ret = (*keyhash->hash)(key, usage, 0, input, &data); + } } else if (krb5_cksumtypes_list[i].flags & KRB5_CKSUMFLAG_DERIVE) { ret = krb5_dk_make_checksum(krb5_cksumtypes_list[i].hash, key, usage, input, &data); Modified: branches/mskrb-integ/src/lib/crypto/verify_checksum.c =================================================================== --- branches/mskrb-integ/src/lib/crypto/verify_checksum.c 2008-12-28 01:05:18 UTC (rev 21614) +++ branches/mskrb-integ/src/lib/crypto/verify_checksum.c 2008-12-28 01:06:10 UTC (rev 21615) @@ -51,11 +51,26 @@ indata.length = cksum->length; indata.data = (char *) cksum->contents; - if (krb5_cksumtypes_list[i].keyhash && - krb5_cksumtypes_list[i].keyhash->verify) - return((*(krb5_cksumtypes_list[i].keyhash->verify))(key, usage, 0, data, - &indata, valid)); + if (krb5_cksumtypes_list[i].keyhash) { + const struct krb5_keyhash_provider *keyhash; + keyhash = krb5_cksumtypes_list[i].keyhash; + + if (keyhash->verify == NULL) { + krb5_crypto_iov iov[1]; + + iov[0].flags = KRB5_CRYPTO_TYPE_DATA; + iov[0].data = *data; + + assert(keyhash->verify_iov != NULL); + + ret = (*keyhash->verify_iov)(key, usage, 0, iov, 1, &indata, valid); + } else { + ret = (*keyhash->verify)(key, usage, 0, data, &indata, valid); + } + return(ret); + } + /* otherwise, make the checksum again, and compare */ if ((ret = krb5_c_checksum_length(context, cksum->checksum_type, &hashsize))) From lhoward at MIT.EDU Sun Dec 28 07:40:14 2008 
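Review bot: In the make_checksum.c hunk, `assert(keyhash->hash_iov != NULL)` is all that stands between a provider entry defining neither `hash` nor `hash_iov` and a call through a null pointer once NDEBUG is defined; the verify_checksum.c hunk here has the same shape, and r21617 later on this page reworks that one into a `verify == NULL && verify_iov != NULL` test with a fall-through, but make_checksum.c is not given the matching fix. Mirror it: `if (keyhash->hash == NULL && keyhash->hash_iov != NULL) { ... } else if (keyhash->hash != NULL) { ... }` and return an explicit error (or fall through) when neither is set. Both enclosing functions continue outside their hunks.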
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sun, 28 Dec 2008 07:40:14 -0500 (EST) Subject: svn rev #21616: branches/aes-ccm/src/lib/crypto/ dk/ enc_provider/ Message-ID: <200812281240.HAA16511@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21616 Commit By: lhoward Log Message: At the possible expense of some performance, completely parameterized CCM implementation so different values of n and q can be chosen by changing the crypto_length() implementation. Also, HEADER now only contains the nonce rather than the B0 (which can be reasembled on decryption from Flags | HEADER | Payload length) Changed Files: U branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c U branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c Modified: branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c =================================================================== --- branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c 2008-12-28 01:06:10 UTC (rev 21615) +++ branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c 2008-12-28 12:40:13 UTC (rev 21616) @@ -71,9 +71,6 @@ #define CCM_FLAG_ADATA 0x40 #define CCM_FLAG_RESERVED 0x80 -#define CCM_NONCE_LENGTH 12 -#define CCM_COUNTER_LENGTH 3 - static krb5_error_code krb5int_ccm_crypto_length(const struct krb5_aead_provider *aead, const struct krb5_enc_provider *enc, @@ -81,11 +78,9 @@ krb5_cryptotype type, unsigned int *length) { - assert(enc->block_size >= 16); - switch (type) { case KRB5_CRYPTO_TYPE_HEADER: - *length = 16; + *length = 12; /* RFC 5116 5.3 */ break; case KRB5_CRYPTO_TYPE_PADDING: *length = 0; /* CTR mode requires no padding */ 
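Review bot: Dropping `assert(enc->block_size >= 16)` from krb5int_ccm_crypto_length removes the only visible statement that the underlying cipher has the 16-byte block the CCM formatting depends on, while the B0 and Ctr buffers added in the same commit are fixed at 16 bytes. If a differently-sized enc provider can be paired with this aead, the encrypt and decrypt paths should reject it with KRB5_BAD_MSIZE rather than rely on an assumption nothing now states. The `*length = 12; /* RFC 5116 5.3 */` line would also read better with a note that the header now carries the nonce alone, as the log message says.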
@@ -154,38 +149,118 @@ return 0; } +/* + * format_B0() allows the tradeoff between nonce and payload length to + * be parameterized by replacing the crypto_length() callback + */ static krb5_error_code +format_B0(krb5_data *B0, /* B0 */ + krb5_data *nonce, /* N */ + size_t trailer_len, /* t */ + krb5_ui_8 adata_len, /* a */ + krb5_ui_8 payload_len) /* Q */ +{ + unsigned char flags; + unsigned char *p; + krb5_octet q, i = 0; + + if (B0->length != 16) + return KRB5_BAD_MSIZE; + + /* SP800-38C A.1: Length Requirements */ + + /* t is an elements of {4, 6, 8, 10, 12, 14, 16} */ + if (trailer_len % 2 || + (trailer_len < 4 || trailer_len > 16)) + return KRB5_BAD_MSIZE; + + /* n is an element of {7, 8, 9, 10, 11, 12, 13} */ + if (nonce->length < 7 || nonce->length > 13) + return KRB5_BAD_MSIZE; + + q = 15 - nonce->length; + + /* P consists of fewer than 2^(8q) octets */ + if (payload_len >= (1UL << (8 * q))) + return KRB5_BAD_MSIZE; + + /* SP800-38C A.1: Formatting of the Control Information and the Nonce */ + flags = q - 1; + flags |= (((trailer_len - 2) / 2) << 3); + if (adata_len != 0) + flags |= CCM_FLAG_ADATA; + + p = (unsigned char *)B0->data; + p[i++] = flags; + + memcpy(&p[i], nonce->data, nonce->length); + i += nonce->length; + + for (; i < B0->length; i++) { + register krb5_octet s; + + s = (q - (i - nonce->length)) * 8; + + p[i] = (payload_len >> s) & 0xFF; + } + + return 0; +} + +/* + * format_Ctr0 is parameterized by extracting the flags octet from B0 + */ +static krb5_error_code +format_Ctr0(krb5_data *Ctr0, krb5_data *B0) +{ + krb5_octet n; /* nonce length */ + krb5_octet q; /* counter length */ + + assert(B0->length == 16); + + q = (B0->data[0] & CCM_FLAG_MASK_Q) + 1; + + Ctr0->data[0] = q - 1; + + n = 15 - q; + + assert(n >= 7 && n <= 13); + + memcpy(&Ctr0->data[1], &B0->data[1], n); + memset(&Ctr0->data[1 + n], 0, q); + + return 0; +} + +static krb5_error_code krb5int_ccm_encrypt_iov(const struct krb5_aead_provider *aead, const struct krb5_enc_provider 
*enc, const struct krb5_hash_provider *hash, const krb5_keyblock *key, krb5_keyusage usage, - const krb5_data *iv, + const krb5_data *ivec, krb5_crypto_iov *data, size_t num_data) { krb5_error_code ret; - unsigned char constantdata[K5CLENGTH], *headerdata; + unsigned char constantdata[K5CLENGTH]; krb5_data d1; krb5_crypto_iov *header, *trailer, *sign_data = NULL; krb5_keyblock kc; size_t i, num_sign_data = 0; unsigned int header_len = 0; unsigned int trailer_len = 0; - unsigned int payload_len = 0; - krb5_ui_8 adata_len = 0; - unsigned char flags = 0; - krb5_data nonce, cksum, ivec; + size_t payload_len = 0; + size_t adata_len = 0; + krb5_data cksum, counter; krb5_cksumtype cksumtype; const struct krb5_cksumtypes *keyhash; char adata_len_buf[6]; + unsigned char B0[16], Ctr[16]; kc.contents = NULL; kc.length = 0; - ivec.data = NULL; - ivec.length = 0; - cksum.data = NULL; cksum.length = 0; @@ -194,7 +269,7 @@ return ret; header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER); - if (header == NULL) + if (header == NULL || header->data.length < header_len) return KRB5_BAD_MSIZE; ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, &trailer_len); 
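Review bot: `if (payload_len >= (1UL << (8 * q)))` in format_B0 shifts by 8*q with q up to 8, and `1UL` is 32 bits on some targets, so the shift is undefined for q >= 4 on 32-bit platforms and for q == 8 everywhere; the check also cannot fire for q == 8 even where it is defined. Write it as `if (q < 8 && payload_len >= ((krb5_ui_8)1 << (8 * q)))` — for q == 8 any 64-bit length fits by construction. format_Ctr0 writes 16 bytes into `Ctr0->data` but only asserts on B0's length; a `Ctr0->length != 16` check returning KRB5_BAD_MSIZE would match how format_B0 validates its own buffer.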
@@ -223,56 +298,32 @@ } } - if (header->data.length < enc->block_size) - return KRB5_BAD_MSIZE; - - /* RFC 5116 5.3, format flags octet */ - flags = CCM_COUNTER_LENGTH - 1; /* q=3 */ - flags |= (((trailer_len - 2) / 2) << 3); - if (adata_len != 0) - flags |= CCM_FLAG_ADATA; + header->data.length = header_len; - headerdata = (unsigned char *)header->data.data; - headerdata[0] = flags; - - nonce.data = (char *)&headerdata[1]; - nonce.length = CCM_NONCE_LENGTH; - - if (iv != NULL) { - /* iv should be NONCE | COUNTER */ - if (iv->length != nonce.length) { - ret = KRB5_BAD_MSIZE; - goto cleanup; - } - memcpy(nonce.data, iv->data, iv->length); - } else { - ret = krb5_c_random_make_octets(/* XXX */ NULL, &nonce); - if (ret != 0) - goto cleanup; - } - - if (payload_len > 0xFFFFFF) { - ret = KRB5_BAD_MSIZE; + ret = krb5_c_random_make_octets(/* XXX */ NULL, &header->data); + if (ret != 0) goto cleanup; - } - headerdata[13] = (payload_len >> 16) & 0xFF; - headerdata[14] = (payload_len >> 8 ) & 0xFF; - headerdata[15] = (payload_len ) & 0xFF; - sign_data = (krb5_crypto_iov *)calloc(num_data + 1, sizeof(krb5_crypto_iov)); if (sign_data == NULL) { ret = ENOMEM; goto cleanup; } - sign_data[num_sign_data++] = *header; + sign_data[num_sign_data].flags = KRB5_CRYPTO_TYPE_HEADER; + sign_data[num_sign_data].data.data = (char *)B0; + sign_data[num_sign_data].data.length = sizeof(B0); + ret = format_B0(&sign_data[num_sign_data].data, &header->data, trailer_len, + (krb5_ui_8)adata_len, (krb5_ui_8)payload_len); + if (ret != 0) + goto cleanup; + num_sign_data++; /* Include length of associated data in CBC-MAC */ sign_data[num_sign_data].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY; sign_data[num_sign_data].data.data = adata_len_buf; sign_data[num_sign_data].data.length = sizeof(adata_len_buf); - ret = encode_a_len(&sign_data[num_sign_data].data, adata_len); + ret = encode_a_len(&sign_data[num_sign_data].data, (krb5_ui_8)adata_len); if (ret != 0) goto cleanup; num_sign_data++; 
@@ -331,27 +382,27 @@ if (ret != 0) goto cleanup; - /* Setup counter */ - ivec.data = malloc(enc->block_size); - if (ivec.data == NULL) { - ret = ENOMEM; - goto cleanup; + /* Initialize first counter block */ + if (ivec == NULL) { + counter.length = sizeof(Ctr); + counter.data = (char *)Ctr; + + ret = format_Ctr0(&counter, &sign_data[0].data); + if (ret != 0) + goto cleanup; + + ivec = &counter; } - ivec.length = enc->block_size; - ivec.data[0] = flags; - memcpy(&ivec.data[1], nonce.data, nonce.length); /* Copy in nonce */ - memset(&ivec.data[1 + nonce.length], 0, CCM_COUNTER_LENGTH); /* Set counter to zero */ - trailer->data.length = trailer_len; /* Encrypt checksum and place in trailer */ - ret = enc->encrypt(&kc, &ivec, &cksum, &trailer->data); + ret = enc->encrypt(&kc, ivec, &cksum, &trailer->data); if (ret != 0) goto cleanup; /* Don't encrypt B0 (header), but encrypt everything else */ - ret = enc->encrypt_iov(&kc, &ivec, data, num_data); + ret = enc->encrypt_iov(&kc, ivec, data, num_data); if (ret != 0) goto cleanup; @@ -363,10 +414,6 @@ if (cksum.data != NULL) { free(cksum.data); } - if (ivec.data != NULL) { - zap(ivec.data, ivec.length); - free(ivec.data); - } if (sign_data != NULL) { free(sign_data); } 
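Review bot: When the caller supplies `ivec` it is used as the first counter block as-is, but nothing checks that its nonce octets agree with the random nonce just written into header->data and bound into the CBC-MAC by format_B0; a fixed or mismatched ivec yields CTR keystream that no longer depends on the per-message nonce, which is the one condition CCM cannot tolerate. Either reject `ivec != NULL` in the encrypt path or verify `memcmp(ivec->data + 1, header->data.data, header->data.length) == 0` (and the q octet) before using it; the decrypt hunk later in this commit has the same unchecked use, though there a mismatch only makes the MAC check fail. The code also relies on enc->encrypt advancing the counter held in `ivec` before enc->encrypt_iov reuses it, otherwise the encrypted MAC and the first payload block would share a keystream block; the aes_ctr.c hunks end with `if (ivec != NULL)` which suggests a write-back, but that should be confirmed. The enclosing function starts and ends outside the hunk.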
@@ -380,33 +427,29 @@ const struct krb5_hash_provider *hash, const krb5_keyblock *key, krb5_keyusage usage, - const krb5_data *iv, + const krb5_data *ivec, krb5_crypto_iov *data, size_t num_data) { krb5_error_code ret; - unsigned char constantdata[K5CLENGTH], *headerdata; + unsigned char constantdata[K5CLENGTH]; krb5_data d1; krb5_crypto_iov *header, *trailer, *sign_data = NULL; krb5_keyblock kc; size_t i, num_sign_data = 0; unsigned int header_len = 0; unsigned int trailer_len = 0; - krb5_ui_8 actual_adata_len = 0; - unsigned int actual_payload_len = 0; - unsigned int payload_len = 0; - unsigned char flags = 0; - krb5_data cksum, ivec; + size_t adata_len = 0; + size_t payload_len = 0; + krb5_data cksum, counter; krb5_cksumtype cksumtype; const struct krb5_cksumtypes *keyhash; char adata_len_buf[6]; + unsigned char B0[16], Ctr[16]; kc.contents = NULL; kc.length = 0; - ivec.data = NULL; - ivec.length = 0; - cksum.data = NULL; cksum.length = 0; @@ -415,7 +458,7 @@ return ret; header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER); - if (header == NULL || header != &data[0]) + if (header == NULL || header->data.length != header_len) return KRB5_BAD_MSIZE; ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, &trailer_len); @@ -431,10 +474,10 @@ switch (iov->flags) { case KRB5_CRYPTO_TYPE_DATA: - actual_payload_len += iov->data.length; + payload_len += iov->data.length; break; case KRB5_CRYPTO_TYPE_SIGN_ONLY: - actual_adata_len += iov->data.length; + adata_len += iov->data.length; break; case KRB5_CRYPTO_TYPE_PADDING: if (iov->data.length != 0) 
@@ -445,51 +488,26 @@ } } - if (actual_payload_len > 0xFFFFFF) - return KRB5_BAD_MSIZE; - - if (header->data.length < enc->block_size) - return KRB5_BAD_MSIZE; - - headerdata = (unsigned char *)header->data.data; - - flags = headerdata[0]; - if ((flags & CCM_FLAG_RESERVED) != 0) { - return KRB5_BAD_MSIZE; - } - if ((flags & CCM_FLAG_MASK_Q) != CCM_COUNTER_LENGTH - 1) { - /* Check q=3 */ - return KRB5_BAD_MSIZE; - } - if ((unsigned int)(flags & CCM_FLAG_MASK_T) >> 3 != (trailer->data.length - 2) / 2) { - /* Check bits 3-5 contain (trailer_len-2)/2 */ - return KRB5_BAD_MSIZE; - } - if ((flags & CCM_FLAG_ADATA) != (actual_adata_len ? CCM_FLAG_ADATA : 0)) { - /* Check that AData flag matches presence of associated data */ - return KRB5_BAD_MSIZE; - } - - payload_len = (headerdata[13] << 16); - payload_len |= (headerdata[14] << 8 ); - payload_len |= (headerdata[15] ); - - if (payload_len > actual_payload_len) - return KRB5_BAD_MSIZE; - sign_data = (krb5_crypto_iov *)calloc(num_data + 1, sizeof(krb5_crypto_iov)); if (sign_data == NULL) { ret = ENOMEM; goto cleanup; } - sign_data[num_sign_data++] = *header; + sign_data[num_sign_data].flags = KRB5_CRYPTO_TYPE_HEADER; + sign_data[num_sign_data].data.data = (char *)B0; + sign_data[num_sign_data].data.length = sizeof(B0); + ret = format_B0(&sign_data[num_sign_data].data, &header->data, trailer_len, + (krb5_ui_8)adata_len, (krb5_ui_8)payload_len); + if (ret != 0) + goto cleanup; + num_sign_data++; /* Include length of associated data in CBC-MAC */ sign_data[num_sign_data].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY; sign_data[num_sign_data].data.data = adata_len_buf; sign_data[num_sign_data].data.length = sizeof(adata_len_buf); - ret = encode_a_len(&sign_data[num_sign_data].data, actual_adata_len); + ret = encode_a_len(&sign_data[num_sign_data].data, (krb5_ui_8)adata_len); if (ret != 0) goto cleanup; num_sign_data++; 
@@ -524,32 +542,25 @@ } cksum.length = trailer_len; - /* Setup counter */ - ivec.data = malloc(enc->block_size); - if (ivec.data == NULL) { - ret = ENOMEM; - goto cleanup; - } - ivec.length = enc->block_size; + /* Initialize first counter block */ + if (ivec == NULL) { + counter.length = sizeof(Ctr); + counter.data = (char *)Ctr; - ivec.data[0] = flags; - if (iv != NULL) { - if (iv->length != CCM_NONCE_LENGTH) { - ret = KRB5_BAD_MSIZE; + ret = format_Ctr0(&counter, &sign_data[0].data); + if (ret != 0) goto cleanup; - } - memcpy(&ivec.data[1], iv->data, iv->length); - } else - memcpy(&ivec.data[1], &headerdata[1], CCM_NONCE_LENGTH); /* Copy in nonce */ - memset(&ivec.data[1 + CCM_NONCE_LENGTH], 0, CCM_COUNTER_LENGTH); /* Set counter to zero */ + ivec = &counter; + } + /* Decrypt checksum from trailer */ - ret = enc->decrypt(&kc, &ivec, &trailer->data, &trailer->data); + ret = enc->decrypt(&kc, ivec, &trailer->data, &trailer->data); if (ret != 0) goto cleanup; /* Don't decrypt B0 (header), but decrypt everything else */ - ret = enc->decrypt_iov(&kc, &ivec, data, num_data); + ret = enc->decrypt_iov(&kc, ivec, data, num_data); if (ret != 0) goto cleanup; @@ -592,10 +603,6 @@ if (cksum.data != NULL) { free(cksum.data); } - if (ivec.data != NULL) { - zap(ivec.data, ivec.length); - free(ivec.data); - } if (sign_data != NULL) { free(sign_data); } Modified: branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c =================================================================== --- branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c 2008-12-28 01:06:10 UTC (rev 21615) +++ branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c 2008-12-28 12:40:13 UTC (rev 21616) @@ -29,6 +29,8 @@ #include "aes.h" #include "../aead.h" +#define CCM_FLAG_MASK_Q 0x07 + #define CCM_COUNTER_LENGTH 3 static void xorblock(unsigned char *out, const unsigned char *in) 
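Review bot: `#define CCM_FLAG_MASK_Q 0x07` is added to aes_ctr.c while format_Ctr0 in dk_ccm.c uses the same name, so the flag layout now lives in two files that must be kept in step; both include ../aead.h, which is the natural single home for it. A one-line comment at the definition, `/* low three bits of the CCM flags octet hold q-1 (SP 800-38C) */`, would also explain why the counter code masks with it.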
@@ -38,6 +40,9 @@ out[z] ^= in[z]; } +/* + * ivec must be a correctly formatted counter block per SP800-38C A.3 + */ static krb5_error_code krb5int_aes_encrypt_ctr_iov(const krb5_keyblock *key, const krb5_data *ivec, @@ -46,7 +51,8 @@ { aes_ctx ctx; unsigned char ctr[BLOCK_SIZE]; - size_t blockno; + register krb5_octet q, i; + krb5_ui_8 blockno; struct iov_block_state input_pos, output_pos; if (aes_enc_key(key->contents, key->length, &ctx) != aes_good) @@ -59,17 +65,25 @@ input_pos.ignore_header = output_pos.ignore_header = 1; input_pos.pad_to_boundary = output_pos.pad_to_boundary = 1; - if (ivec != NULL) + if (ivec != NULL) { + if (ivec->length != BLOCK_SIZE || (ivec->data[0] & ~(CCM_FLAG_MASK_Q))) + return KRB5_BAD_MSIZE; + memcpy(ctr, ivec->data, BLOCK_SIZE); - else + } else { memset(ctr, 0, BLOCK_SIZE); + ctr[0] = CCM_COUNTER_LENGTH - 1; /* default q=3 from RFC 5116 5.3 */ + } + q = ctr[0] + 1; - ctr[0] = CCM_COUNTER_LENGTH - 1; /* q=3 */ + assert(q >= 2 && q <= 8); - blockno = (ctr[13] << 16); - blockno |= (ctr[14] << 8 ); - blockno |= (ctr[15] ); + for (i = 0, blockno = 0; i < q; i++) { + register int s = (q - i - 1) * 8; + blockno |= ctr[16 - q + i] << s; + } + for (;;) { unsigned char plain[BLOCK_SIZE]; unsigned char ectr[BLOCK_SIZE]; @@ -85,9 +99,11 @@ blockno++; - ctr[13] = (blockno >> 16) & 0xFF; - ctr[14] = (blockno >> 8 ) & 0xFF; - ctr[15] = (blockno ) & 0xFF; + for (i = 0; i < q; i++) { + register int s = (q - i - 1) * 8; + + ctr[16 - q + i] = (blockno >> s) & 0xFF; + } } if (ivec != NULL) @@ -104,7 +120,8 @@ { aes_ctx ctx; unsigned char ctr[BLOCK_SIZE]; - size_t blockno = 0; + register krb5_octet q, i; + krb5_ui_8 blockno; struct iov_block_state input_pos, output_pos; if (aes_enc_key(key->contents, key->length, &ctx) != aes_good) 
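Review bot: `blockno |= ctr[16 - q + i] << s;` promotes the octet to int before shifting, and with q now allowed up to 8 `s` reaches 56, so the shift is undefined (even s == 24 with a set high bit overflows int); it needs `blockno |= (krb5_ui_8)ctr[16 - q + i] << s;`. The following `assert(q >= 2 && q <= 8)` is also the only rejection of q == 1, which an ivec whose flags octet is zero passes straight through the new KRB5_BAD_MSIZE test; fold it into that test, `if (ivec->length != BLOCK_SIZE || (ivec->data[0] & ~CCM_FLAG_MASK_Q) || (ivec->data[0] & CCM_FLAG_MASK_Q) == 0) return KRB5_BAD_MSIZE;`, so malformed input is an error rather than an abort or, under NDEBUG, a silent acceptance. The decrypt hunks on the next line repeat both problems, and the two loops differ only in `register int s` versus `register krb5_octet s`, which should be made consistent.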
@@ -117,17 +134,25 @@ input_pos.ignore_header = output_pos.ignore_header = 1; input_pos.pad_to_boundary = output_pos.pad_to_boundary = 1; - if (ivec != NULL) + if (ivec != NULL) { + if (ivec->length != BLOCK_SIZE || (ivec->data[0] & ~(CCM_FLAG_MASK_Q))) + return KRB5_BAD_MSIZE; + memcpy(ctr, ivec->data, BLOCK_SIZE); - else + } else { memset(ctr, 0, BLOCK_SIZE); + ctr[0] = CCM_COUNTER_LENGTH - 1; /* default q=3 from RFC 5116 5.3 */ + } + q = ctr[0] + 1; - ctr[0] = CCM_COUNTER_LENGTH - 1; /* q=3 */ + assert(q >= 2 && q <= 8); - blockno = (ctr[13] << 16); - blockno |= (ctr[14] << 8 ); - blockno |= (ctr[15] ); + for (i = 0, blockno = 0; i < q; i++) { + register krb5_octet s = (q - i - 1) * 8; + blockno |= ctr[16 - q + i] << s; + } + for (;;) { unsigned char ectr[BLOCK_SIZE]; unsigned char cipher[BLOCK_SIZE]; @@ -143,9 +168,11 @@ blockno++; - ctr[13] = (blockno >> 16) & 0xFF; - ctr[14] = (blockno >> 8 ) & 0xFF; - ctr[15] = (blockno ) & 0xFF; + for (i = 0; i < q; i++) { + register krb5_octet s = (q - i - 1) * 8; + + ctr[16 - q + i] = (blockno >> s) & 0xFF; + } } if (ivec != NULL) From lhoward at MIT.EDU Sun Dec 28 07:52:20 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sun, 28 Dec 2008 07:52:20 -0500 (EST) Subject: svn rev #21617: branches/mskrb-integ/src/lib/crypto/ Message-ID: <200812281252.HAA16713@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21617 Commit By: lhoward Log Message: fix a logic error introduced in r21615 Changed Files: U branches/mskrb-integ/src/lib/crypto/verify_checksum.c Modified: branches/mskrb-integ/src/lib/crypto/verify_checksum.c =================================================================== --- branches/mskrb-integ/src/lib/crypto/verify_checksum.c 2008-12-28 12:40:13 UTC (rev 21616) +++ branches/mskrb-integ/src/lib/crypto/verify_checksum.c 2008-12-28 12:52:19 UTC (rev 21617) 
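Review bot: The new ivec check in the decrypt function rejects stray flag bits but still admits `ivec->data[0] == 0`, which yields q = 1; the very next line handles that case with `assert(q >= 2 && q <= 8)`, so a malformed counter block reaching this provider aborts the process in a debug build and, under NDEBUG, is silently decrypted with a one-byte counter that wraps after 256 blocks. Input validation belongs on the return path, not in an assert: `if (ivec->length != BLOCK_SIZE || (ivec->data[0] & ~CCM_FLAG_MASK_Q) || ivec->data[0] == 0) return KRB5_BAD_MSIZE;`, after which the assert can remain as a pure invariant. Whether the flags byte can actually be influenced by a received message depends on how the CCM layer derives the counter from the B0 header, which is outside this hunk, but the provider should not rely on that. The shift `ctr[16 - q + i] << s` in this hunk also needs its operand widened to krb5_ui_8 for q > 4, as in the encrypt function.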
@@ -56,19 +56,16 @@ keyhash = krb5_cksumtypes_list[i].keyhash; - if (keyhash->verify == NULL) { + if (keyhash->verify == NULL && keyhash->verify_iov != NULL) { krb5_crypto_iov iov[1]; iov[0].flags = KRB5_CRYPTO_TYPE_DATA; iov[0].data = *data; - assert(keyhash->verify_iov != NULL); - - ret = (*keyhash->verify_iov)(key, usage, 0, iov, 1, &indata, valid); - } else { - ret = (*keyhash->verify)(key, usage, 0, data, &indata, valid); + return (*keyhash->verify_iov)(key, usage, 0, iov, 1, &indata, valid); + } else if (keyhash->verify != NULL) { + return (*keyhash->verify)(key, usage, 0, data, &indata, valid); } - return(ret); } /* otherwise, make the checksum again, and compare */ From lhoward at MIT.EDU Sun Dec 28 08:04:15 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sun, 28 Dec 2008 08:04:15 -0500 (EST) Subject: svn rev #21618: branches/aes-ccm/src/lib/crypto/enc_provider/ Message-ID: <200812281304.IAA16916@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21618 Commit By: lhoward Log Message: cleanup Changed Files: U branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c Modified: branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c =================================================================== --- branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c 2008-12-28 12:52:19 UTC (rev 21617) +++ branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c 2008-12-28 13:04:14 UTC (rev 21618) 
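Review bot: After this fix a cksumtype whose keyhash provides neither `verify` nor `verify_iov` no longer returns from this block; it drops through to the generic recompute-and-compare path with no indication that the keyhash was skipped, and `ret` is no longer assigned in this block. If that fall-through is intended, record it where the block closes, e.g. `/* keyhash has no verify routine: fall back to recompute-and-compare */`; if it is not, return an error there rather than continuing silently. The enclosing function continues outside the hunk, so I cannot see whether the generic path copes with a keyhash that has no hash routine either.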
@@ -33,13 +33,48 @@ #define CCM_COUNTER_LENGTH 3 -static void xorblock(unsigned char *out, const unsigned char *in) +static inline void xorblock(unsigned char *out, const unsigned char *in) { int z; for (z = 0; z < BLOCK_SIZE; z++) out[z] ^= in[z]; } +/* Get the current counter block number from the IV */ +static inline void getctrblockno(krb5_ui_8 *pblockno, + const unsigned char ctr[BLOCK_SIZE]) +{ + register krb5_octet q, i; + krb5_ui_8 blockno; + + q = ctr[0] + 1; + + assert(q >= 2 && q <= 8); + + for (i = 0, blockno = 0; i < q; i++) { + register int s = (q - i - 1) * 8; + + blockno |= ctr[16 - q + i] << s; + } + + *pblockno = blockno; +} + +/* Store the current counter block number in the IV */ +static inline void putctrblockno(krb5_ui_8 blockno, + unsigned char ctr[BLOCK_SIZE]) +{ + register krb5_octet q, i; + + q = ctr[0] + 1; + + for (i = 0; i < q; i++) { + register int s = (q - i - 1) * 8; + + ctr[16 - q + i] = (blockno >> s) & 0xFF; + } +} + /* * ivec must be a correctly formatted counter block per SP800-38C A.3 */ @@ -51,7 +86,6 @@ { aes_ctx ctx; unsigned char ctr[BLOCK_SIZE]; - register krb5_octet q, i; krb5_ui_8 blockno; struct iov_block_state input_pos, output_pos; @@ -74,16 +108,9 @@ memset(ctr, 0, BLOCK_SIZE); ctr[0] = CCM_COUNTER_LENGTH - 1; /* default q=3 from RFC 5116 5.3 */ } - q = ctr[0] + 1; - assert(q >= 2 && q <= 8); + getctrblockno(&blockno, ctr); - for (i = 0, blockno = 0; i < q; i++) { - register int s = (q - i - 1) * 8; - - blockno |= ctr[16 - q + i] << s; - } - for (;;) { unsigned char plain[BLOCK_SIZE]; unsigned char ectr[BLOCK_SIZE]; @@ -97,13 +124,7 @@ xorblock(plain, ectr); krb5int_c_iov_put_block(data, num_data, (unsigned char *)plain, BLOCK_SIZE, &output_pos); - blockno++; - - for (i = 0; i < q; i++) { - register int s = (q - i - 1) * 8; - - ctr[16 - q + i] = (blockno >> s) & 0xFF; - } + putctrblockno(++blockno, ctr); } if (ivec != NULL) 
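Review bot: getctrblockno carries over the promotion bug from the loops it replaces: `blockno |= ctr[16 - q + i] << s;` shifts an int-promoted `unsigned char` by up to 56 bits, undefined behaviour for q > 4; write `blockno |= (krb5_ui_8)ctr[16 - q + i] << s;`. putctrblockno also deserves a comment that it stores only the low q bytes of blockno, so after 2^(8q) blocks the counter wraps and keystream is reused; whether the CCM layer bounds the message length accordingly is not visible here, so `/* Counter is q bytes wide; callers must keep the message under 2^(8q) blocks or the counter wraps and keystream repeats. */` would record the contract. Note as well that putctrblockno has no range check of its own and relies on getctrblockno's assert having already run on the same ctr.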
@@ -120,7 +141,6 @@ { aes_ctx ctx; unsigned char ctr[BLOCK_SIZE]; - register krb5_octet q, i; krb5_ui_8 blockno; struct iov_block_state input_pos, output_pos; @@ -143,16 +163,9 @@ memset(ctr, 0, BLOCK_SIZE); ctr[0] = CCM_COUNTER_LENGTH - 1; /* default q=3 from RFC 5116 5.3 */ } - q = ctr[0] + 1; - assert(q >= 2 && q <= 8); + getctrblockno(&blockno, ctr); - for (i = 0, blockno = 0; i < q; i++) { - register krb5_octet s = (q - i - 1) * 8; - - blockno |= ctr[16 - q + i] << s; - } - for (;;) { unsigned char ectr[BLOCK_SIZE]; unsigned char cipher[BLOCK_SIZE]; @@ -166,13 +179,7 @@ xorblock(cipher, ectr); krb5int_c_iov_put_block(data, num_data, (unsigned char *)cipher, BLOCK_SIZE, &output_pos); - blockno++; - - for (i = 0; i < q; i++) { - register krb5_octet s = (q - i - 1) * 8; - - ctr[16 - q + i] = (blockno >> s) & 0xFF; - } + putctrblockno(++blockno, ctr); } if (ivec != NULL) From tlyu at MIT.EDU Sun Dec 28 14:55:54 2008 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Sun, 28 Dec 2008 14:55:54 -0500 (EST) Subject: svn rev #21619: trunk/src/lib/krb5/rcache/ Message-ID: <200812281955.OAA21681@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21619 Commit By: tlyu Log Message: whitespace Changed Files: U trunk/src/lib/krb5/rcache/rc-int.h U trunk/src/lib/krb5/rcache/rc_base.c U trunk/src/lib/krb5/rcache/rc_base.h U trunk/src/lib/krb5/rcache/rc_conv.c U trunk/src/lib/krb5/rcache/rc_dfl.c U trunk/src/lib/krb5/rcache/rc_dfl.h U trunk/src/lib/krb5/rcache/rc_io.c U trunk/src/lib/krb5/rcache/rc_io.h U trunk/src/lib/krb5/rcache/rc_none.c U trunk/src/lib/krb5/rcache/rcdef.c U trunk/src/lib/krb5/rcache/rcfns.c U trunk/src/lib/krb5/rcache/ser_rc.c Modified: trunk/src/lib/krb5/rcache/rc-int.h =================================================================== --- trunk/src/lib/krb5/rcache/rc-int.h 2008-12-28 13:04:14 UTC (rev 21618) +++ trunk/src/lib/krb5/rcache/rc-int.h 2008-12-28 19:55:52 UTC (rev 21619) 
@@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/krb5/keytab/rc-int.h * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,8 +23,8 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * * + * * This file contains constant and function declarations used in the * file-based replay cache routines. */ 
@@ -46,25 +47,25 @@ krb5_magic magic; char *type; krb5_error_code (KRB5_CALLCONV *init) - (krb5_context, krb5_rcache,krb5_deltat); /* create */ + (krb5_context, krb5_rcache,krb5_deltat); /* create */ krb5_error_code (KRB5_CALLCONV *recover) - (krb5_context, krb5_rcache); /* open */ + (krb5_context, krb5_rcache); /* open */ krb5_error_code (KRB5_CALLCONV *recover_or_init) - (krb5_context, krb5_rcache,krb5_deltat); + (krb5_context, krb5_rcache,krb5_deltat); krb5_error_code (KRB5_CALLCONV *destroy) - (krb5_context, krb5_rcache); + (krb5_context, krb5_rcache); krb5_error_code (KRB5_CALLCONV *close) - (krb5_context, krb5_rcache); + (krb5_context, krb5_rcache); krb5_error_code (KRB5_CALLCONV *store) - (krb5_context, krb5_rcache,krb5_donot_replay *); + (krb5_context, krb5_rcache,krb5_donot_replay *); krb5_error_code (KRB5_CALLCONV *expunge) - (krb5_context, krb5_rcache); + (krb5_context, krb5_rcache); krb5_error_code (KRB5_CALLCONV *get_span) - (krb5_context, krb5_rcache,krb5_deltat *); + (krb5_context, krb5_rcache,krb5_deltat *); char *(KRB5_CALLCONV *get_name) - (krb5_context, krb5_rcache); + (krb5_context, krb5_rcache); krb5_error_code (KRB5_CALLCONV *resolve) - (krb5_context, krb5_rcache, char *); + (krb5_context, krb5_rcache, char *); }; typedef struct _krb5_rc_ops krb5_rc_ops; Modified: trunk/src/lib/krb5/rcache/rc_base.c =================================================================== --- trunk/src/lib/krb5/rcache/rc_base.c 2008-12-28 13:04:14 UTC (rev 21618) +++ trunk/src/lib/krb5/rcache/rc_base.c 2008-12-28 19:55:52 UTC (rev 21619) @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/krb5/rcache/rc_base.c * @@ -6,7 +7,6 @@ * */ - /* * Base "glue" functions for the replay cache. */ 
@@ -35,29 +35,29 @@ struct krb5_rc_typelist *t, *t_next; k5_mutex_destroy(&rc_typelist_lock); for (t = typehead; t != &krb5_rc_typelist_dfl; t = t_next) { - t_next = t->next; - free(t); + t_next = t->next; + free(t); } } krb5_error_code krb5_rc_register_type(krb5_context context, - const krb5_rc_ops *ops) + const krb5_rc_ops *ops) { struct krb5_rc_typelist *t; krb5_error_code err; err = k5_mutex_lock(&rc_typelist_lock); if (err) - return err; + return err; for (t = typehead;t && strcmp(t->ops->type,ops->type);t = t->next) - ; + ; if (t) { - k5_mutex_unlock(&rc_typelist_lock); - return KRB5_RC_TYPE_EXISTS; + k5_mutex_unlock(&rc_typelist_lock); + return KRB5_RC_TYPE_EXISTS; } t = (struct krb5_rc_typelist *) malloc(sizeof(struct krb5_rc_typelist)); if (t == NULL) { - k5_mutex_unlock(&rc_typelist_lock); - return KRB5_RC_MALLOC; + k5_mutex_unlock(&rc_typelist_lock); + return KRB5_RC_MALLOC; } t->next = typehead; t->ops = ops; @@ -67,18 +67,18 @@ } krb5_error_code krb5_rc_resolve_type(krb5_context context, krb5_rcache *id, - char *type) + char *type) { struct krb5_rc_typelist *t; krb5_error_code err; err = k5_mutex_lock(&rc_typelist_lock); if (err) - return err; + return err; for (t = typehead;t && strcmp(t->ops->type,type);t = t->next) - ; + ; if (!t) { - k5_mutex_unlock(&rc_typelist_lock); - return KRB5_RC_TYPE_NOTFOUND; + k5_mutex_unlock(&rc_typelist_lock); + return KRB5_RC_TYPE_NOTFOUND; } /* allocate *id? nah */ (*id)->ops = t->ops; @@ -95,18 +95,18 @@ { char *s; if ((s = getenv("KRB5RCACHETYPE"))) - return s; + return s; else - return "dfl"; + return "dfl"; } char * krb5_rc_default_name(krb5_context context) { char *s; if ((s = getenv("KRB5RCACHENAME"))) - return s; + return s; else - return (char *) 0; + return (char *) 0; } krb5_error_code 
@@ -115,18 +115,18 @@ krb5_error_code retval; if (!(*id = (krb5_rcache )malloc(sizeof(**id)))) - return KRB5_RC_MALLOC; + return KRB5_RC_MALLOC; - if ((retval = krb5_rc_resolve_type(context, id, - krb5_rc_default_type(context)))) { - FREE(*id); - return retval; + if ((retval = krb5_rc_resolve_type(context, id, + krb5_rc_default_type(context)))) { + FREE(*id); + return retval; } - if ((retval = krb5_rc_resolve(context, *id, - krb5_rc_default_name(context)))) { - k5_mutex_destroy(&(*id)->lock); - FREE(*id); - return retval; + if ((retval = krb5_rc_resolve(context, *id, + krb5_rc_default_name(context)))) { + k5_mutex_destroy(&(*id)->lock); + FREE(*id); + return retval; } (*id)->magic = KV5M_RCACHE; return retval; @@ -141,31 +141,30 @@ unsigned int diff; if (!(residual = strchr(string_name,':'))) - return KRB5_RC_PARSE; - + return KRB5_RC_PARSE; + diff = residual - string_name; if (!(type = malloc(diff + 1))) - return KRB5_RC_MALLOC; + return KRB5_RC_MALLOC; (void) strncpy(type, string_name, diff); type[residual - string_name] = '\0'; if (!(*id = (krb5_rcache) malloc(sizeof(**id)))) { - FREE(type); - return KRB5_RC_MALLOC; + FREE(type); + return KRB5_RC_MALLOC; } if ((retval = krb5_rc_resolve_type(context, id,type))) { - FREE(type); - FREE(*id); - return retval; + FREE(type); + FREE(*id); + return retval; } FREE(type); if ((retval = krb5_rc_resolve(context, *id,residual + 1))) { - k5_mutex_destroy(&(*id)->lock); - FREE(*id); - return retval; + k5_mutex_destroy(&(*id)->lock); + FREE(*id); + return retval; } (*id)->magic = KV5M_RCACHE; return retval; } - Modified: trunk/src/lib/krb5/rcache/rc_base.h =================================================================== --- trunk/src/lib/krb5/rcache/rc_base.h 2008-12-28 13:04:14 UTC (rev 21618) +++ trunk/src/lib/krb5/rcache/rc_base.h 2008-12-28 19:55:52 UTC (rev 21619) 
@@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/krb5/rcache/rc_base.h * Modified: trunk/src/lib/krb5/rcache/rc_conv.c =================================================================== --- trunk/src/lib/krb5/rcache/rc_conv.c 2008-12-28 13:04:14 UTC (rev 21618) +++ trunk/src/lib/krb5/rcache/rc_conv.c 2008-12-28 19:55:52 UTC (rev 21619) @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/krb5/rcache/rc_conv.c * @@ -6,7 +7,6 @@ * */ - /* * An implementation for the default replay cache type. */ 
@@ -16,23 +16,23 @@ #include "rc_base.h" /* -Local stuff: - krb5_auth_to_replay(context, krb5_tkt_authent *auth,krb5_donot_replay *rep) + Local stuff: + krb5_auth_to_replay(context, krb5_tkt_authent *auth,krb5_donot_replay *rep) given auth, take important information and make rep; return -1 if failed */ krb5_error_code krb5_auth_to_rep(krb5_context context, krb5_tkt_authent *auth, krb5_donot_replay *rep) { - krb5_error_code retval; - rep->cusec = auth->authenticator->cusec; - rep->ctime = auth->authenticator->ctime; - if ((retval = krb5_unparse_name(context, auth->ticket->server, &rep->server))) - return retval; /* shouldn't happen */ - if ((retval = krb5_unparse_name(context, auth->authenticator->client, - &rep->client))) { - FREE(rep->server); - return retval; /* shouldn't happen. */ - } - return 0; + krb5_error_code retval; + rep->cusec = auth->authenticator->cusec; + rep->ctime = auth->authenticator->ctime; + if ((retval = krb5_unparse_name(context, auth->ticket->server, &rep->server))) + return retval; /* shouldn't happen */ + if ((retval = krb5_unparse_name(context, auth->authenticator->client, + &rep->client))) { + FREE(rep->server); + return retval; /* shouldn't happen. */ + } + return 0; } Modified: trunk/src/lib/krb5/rcache/rc_dfl.c =================================================================== --- trunk/src/lib/krb5/rcache/rc_dfl.c 2008-12-28 13:04:14 UTC (rev 21618) +++ trunk/src/lib/krb5/rcache/rc_dfl.c 2008-12-28 19:55:52 UTC (rev 21619) @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/krb5/rcache/rc_dfl.c * @@ -6,7 +7,6 @@ * */ - /* * An implementation for the default replay cache type. */ 
@@ -22,23 +22,23 @@ */ /* -Local stuff: + Local stuff: -static int hash(krb5_donot_replay *rep, int hsize) + static int hash(krb5_donot_replay *rep, int hsize) returns hash value of *rep, between 0 and hsize - 1 -HASHSIZE + HASHSIZE size of hash table (constant), can be preset -static int cmp(krb5_donot_replay *old, krb5_donot_replay *new, krb5_deltat t) + static int cmp(krb5_donot_replay *old, krb5_donot_replay *new, krb5_deltat t) compare old and new; return CMP_REPLAY or CMP_HOHUM -static int alive(krb5_context, krb5_donot_replay *new, krb5_deltat t) + static int alive(krb5_context, krb5_donot_replay *new, krb5_deltat t) see if new is still alive; return CMP_EXPIRED or CMP_HOHUM -CMP_MALLOC, CMP_EXPIRED, CMP_REPLAY, CMP_HOHUM + CMP_MALLOC, CMP_EXPIRED, CMP_REPLAY, CMP_HOHUM return codes from cmp(), alive(), and store() -struct dfl_data + struct dfl_data data stored in this cache type, namely "dfl" -struct authlist + struct authlist multilinked list of reps -static int rc_store(context, krb5_rcache id, krb5_donot_replay *rep) + static int rc_store(context, krb5_rcache id, krb5_donot_replay *rep) store rep in cache id; return CMP_REPLAY if replay, else CMP_MALLOC/CMP_HOHUM */ @@ -83,10 +83,10 @@ cmp(krb5_donot_replay *old, krb5_donot_replay *new1, krb5_deltat t) { if ((old->cusec == new1->cusec) && /* most likely to distinguish */ - (old->ctime == new1->ctime) && - (strcmp(old->client, new1->client) == 0) && - (strcmp(old->server, new1->server) == 0)) /* always true */ - return CMP_REPLAY; + (old->ctime == new1->ctime) && + (strcmp(old->client, new1->client) == 0) && + (strcmp(old->server, new1->server) == 0)) /* always true */ + return CMP_REPLAY; return CMP_HOHUM; } 
@@ -94,10 +94,10 @@ alive(krb5_int32 mytime, krb5_donot_replay *new1, krb5_deltat t) { if (mytime == 0) - return CMP_HOHUM; /* who cares? */ + return CMP_HOHUM; /* who cares? */ /* I hope we don't have to worry about overflow */ if (new1->ctime + t < mytime) - return CMP_EXPIRED; + return CMP_EXPIRED; return CMP_HOHUM; } @@ -128,7 +128,7 @@ static int rc_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep, - krb5_int32 now) + krb5_int32 now) { struct dfl_data *t = (struct dfl_data *)id->data; unsigned int rephash; @@ -137,34 +137,34 @@ rephash = hash(rep, t->hsize); for (ta = t->h[rephash]; ta; ta = ta->nh) { - switch(cmp(&ta->rep, rep, t->lifespan)) - { - case CMP_REPLAY: - return CMP_REPLAY; - case CMP_HOHUM: - if (alive(now, &ta->rep, t->lifespan) == CMP_EXPIRED) - t->nummisses++; - else - t->numhits++; - break; - default: - ; /* wtf? */ - } + switch(cmp(&ta->rep, rep, t->lifespan)) + { + case CMP_REPLAY: + return CMP_REPLAY; + case CMP_HOHUM: + if (alive(now, &ta->rep, t->lifespan) == CMP_EXPIRED) + t->nummisses++; + else + t->numhits++; + break; + default: + ; /* wtf? */ + } } if (!(ta = (struct authlist *) malloc(sizeof(struct authlist)))) - return CMP_MALLOC; + return CMP_MALLOC; ta->na = t->a; t->a = ta; ta->nh = t->h[rephash]; t->h[rephash] = ta; ta->rep = *rep; if (!(ta->rep.client = strdup(rep->client))) { - FREE(ta); - return CMP_MALLOC; + FREE(ta); + return CMP_MALLOC; } if (!(ta->rep.server = strdup(rep->server))) { - FREE(ta->rep.client); - FREE(ta); - return CMP_MALLOC; + FREE(ta->rep.client); + FREE(ta); + return CMP_MALLOC; } return CMP_HOHUM; @@ -178,14 +178,14 @@ krb5_error_code KRB5_CALLCONV krb5_rc_dfl_get_span(krb5_context context, krb5_rcache id, - krb5_deltat *lifespan) + krb5_deltat *lifespan) { krb5_error_code err; struct dfl_data *t; err = k5_mutex_lock(&id->lock); if (err) - return err; + return err; t = (struct dfl_data *) id->data; *lifespan = t->lifespan; k5_mutex_unlock(&id->lock); 
@@ -202,12 +202,12 @@ /* default to clockskew from the context */ #ifndef NOIOSTUFF if ((retval = krb5_rc_io_creat(context, &t->d, &t->name))) { - return retval; + return retval; } if ((krb5_rc_io_write(context, &t->d, - (krb5_pointer) &t->lifespan, sizeof(t->lifespan)) - || krb5_rc_io_sync(context, &t->d))) { - return KRB5_RC_IO; + (krb5_pointer) &t->lifespan, sizeof(t->lifespan)) + || krb5_rc_io_sync(context, &t->d))) { + return KRB5_RC_IO; } #endif return 0; @@ -220,7 +220,7 @@ retval = k5_mutex_lock(&id->lock); if (retval) - return retval; + return retval; retval = krb5_rc_dfl_init_locked(context, id, lifespan); k5_mutex_unlock(&id->lock); return retval; @@ -235,13 +235,13 @@ FREE(t->h); if (t->name) - FREE(t->name); + FREE(t->name); while ((q = t->a)) { - t->a = q->na; - FREE(q->rep.client); - FREE(q->rep.server); - FREE(q); + t->a = q->na; + FREE(q->rep.client); + FREE(q->rep.server); + FREE(q); } #ifndef NOIOSTUFF (void) krb5_rc_io_close(context, &t->d); @@ -256,7 +256,7 @@ krb5_error_code retval; retval = k5_mutex_lock(&id->lock); if (retval) - return retval; + return retval; krb5_rc_dfl_close_no_free(context, id); k5_mutex_unlock(&id->lock); k5_mutex_destroy(&id->lock); @@ -269,7 +269,7 @@ { #ifndef NOIOSTUFF if (krb5_rc_io_destroy(context, &((struct dfl_data *) (id->data))->d)) - return KRB5_RC_IO; + return KRB5_RC_IO; #endif return krb5_rc_dfl_close(context, id); } 
@@ -282,22 +282,22 @@ /* allocate id? no */ if (!(t = (struct dfl_data *) calloc(1, sizeof(struct dfl_data)))) - return KRB5_RC_MALLOC; + return KRB5_RC_MALLOC; id->data = (krb5_pointer) t; if (name) { - t->name = strdup(name); - if (!t->name) { - retval = KRB5_RC_MALLOC; - goto cleanup; - } + t->name = strdup(name); + if (!t->name) { + retval = KRB5_RC_MALLOC; + goto cleanup; + } } else - t->name = 0; + t->name = 0; t->numhits = t->nummisses = 0; t->hsize = HASHSIZE; /* no need to store---it's memory-only */ t->h = (struct authlist **) malloc(t->hsize*sizeof(struct authlist *)); if (!t->h) { - retval = KRB5_RC_MALLOC; - goto cleanup; + retval = KRB5_RC_MALLOC; + goto cleanup; } memset(t->h, 0, t->hsize*sizeof(struct authlist *)); t->a = (struct authlist *) 0; @@ -309,11 +309,11 @@ cleanup: if (t) { - if (t->name) - krb5_xfree(t->name); - if (t->h) - krb5_xfree(t->h); - krb5_xfree(t); + if (t->name) + krb5_xfree(t->name); + if (t->h) + krb5_xfree(t->h); + krb5_xfree(t); } return retval; } @@ -326,20 +326,20 @@ *rep = NULL; if (rp) { - if (rp->client) - free(rp->client); + if (rp->client) + free(rp->client); - if (rp->server) - free(rp->server); - rp->client = NULL; - rp->server = NULL; - free(rp); + if (rp->server) + free(rp->server); + rp->client = NULL; + rp->server = NULL; + free(rp); } } static krb5_error_code krb5_rc_io_fetch(krb5_context context, struct dfl_data *t, - krb5_donot_replay *rep, int maxlen) + krb5_donot_replay *rep, int maxlen) { int len2; unsigned int len; 
@@ -348,60 +348,60 @@ rep->client = rep->server = 0; retval = krb5_rc_io_read(context, &t->d, (krb5_pointer) &len2, - sizeof(len2)); + sizeof(len2)); if (retval) - return retval; + return retval; if ((len2 <= 0) || (len2 >= maxlen)) - return KRB5_RC_IO_EOF; + return KRB5_RC_IO_EOF; len = len2; rep->client = malloc (len); if (!rep->client) - return KRB5_RC_MALLOC; + return KRB5_RC_MALLOC; retval = krb5_rc_io_read(context, &t->d, (krb5_pointer) rep->client, len); if (retval) - goto errout; + goto errout; - retval = krb5_rc_io_read(context, &t->d, (krb5_pointer) &len2, - sizeof(len2)); + retval = krb5_rc_io_read(context, &t->d, (krb5_pointer) &len2, + sizeof(len2)); if (retval) - goto errout; + goto errout; if ((len2 <= 0) || (len2 >= maxlen)) { - retval = KRB5_RC_IO_EOF; - goto errout; + retval = KRB5_RC_IO_EOF; + goto errout; } len = len2; rep->server = malloc (len); if (!rep->server) { - retval = KRB5_RC_MALLOC; - goto errout; + retval = KRB5_RC_MALLOC; + goto errout; } retval = krb5_rc_io_read(context, &t->d, (krb5_pointer) rep->server, len); if (retval) - goto errout; + goto errout; retval = krb5_rc_io_read(context, &t->d, (krb5_pointer) &rep->cusec, - sizeof(rep->cusec)); + sizeof(rep->cusec)); if (retval) - goto errout; + goto errout; retval = krb5_rc_io_read(context, &t->d, (krb5_pointer) &rep->ctime, - sizeof(rep->ctime)); + sizeof(rep->ctime)); if (retval) - goto errout; + goto errout; return 0; errout: if (rep->client) - krb5_xfree(rep->client); + krb5_xfree(rep->client); if (rep->server) - krb5_xfree(rep->server); + krb5_xfree(rep->server); rep->client = rep->server = 0; return retval; } @@ -425,7 +425,7 @@ krb5_int32 now; if ((retval = krb5_rc_io_open(context, &t->d, t->name))) { - return retval; + return retval; } t->recovering = 1; 
@@ -434,50 +434,50 @@ rep = NULL; if (krb5_rc_io_read(context, &t->d, (krb5_pointer) &t->lifespan, - sizeof(t->lifespan))) { - retval = KRB5_RC_IO; - goto io_fail; + sizeof(t->lifespan))) { + retval = KRB5_RC_IO; + goto io_fail; } if (!(rep = (krb5_donot_replay *) malloc(sizeof(krb5_donot_replay)))) { - retval = KRB5_RC_MALLOC; - goto io_fail; + retval = KRB5_RC_MALLOC; + goto io_fail; } rep->client = NULL; rep->server = NULL; if (krb5_timeofday(context, &now)) - now = 0; + now = 0; /* now read in each auth_replay and insert into table */ for (;;) { - if (krb5_rc_io_mark(context, &t->d)) { - retval = KRB5_RC_IO; - goto io_fail; - } + if (krb5_rc_io_mark(context, &t->d)) { + retval = KRB5_RC_IO; + goto io_fail; + } - retval = krb5_rc_io_fetch(context, t, rep, (int) max_size); + retval = krb5_rc_io_fetch(context, t, rep, (int) max_size); - if (retval == KRB5_RC_IO_EOF) - break; - else if (retval != 0) - goto io_fail; + if (retval == KRB5_RC_IO_EOF) + break; + else if (retval != 0) + goto io_fail; - if (alive(now, rep, t->lifespan) != CMP_EXPIRED) { - if (rc_store(context, id, rep, now) == CMP_MALLOC) { - retval = KRB5_RC_MALLOC; goto io_fail; - } - } else { - expired_entries++; - } - /* - * free fields allocated by rc_io_fetch - */ - FREE(rep->server); - FREE(rep->client); - rep->server = 0; - rep->client = 0; + if (alive(now, rep, t->lifespan) != CMP_EXPIRED) { + if (rc_store(context, id, rep, now) == CMP_MALLOC) { + retval = KRB5_RC_MALLOC; goto io_fail; + } + } else { + expired_entries++; + } + /* + * free fields allocated by rc_io_fetch + */ + FREE(rep->server); + FREE(rep->client); + rep->server = 0; + rep->client = 0; } retval = 0; krb5_rc_io_unmark(context, &t->d); 
@@ -488,9 +488,9 @@ io_fail: krb5_rc_free_entry(context, &rep); if (retval) - krb5_rc_io_close(context, &t->d); + krb5_rc_io_close(context, &t->d); else if (expired_entries > EXCESSREPS) - retval = krb5_rc_dfl_expunge_locked(context, id); + retval = krb5_rc_dfl_expunge_locked(context, id); t->recovering = 0; return retval; @@ -503,7 +503,7 @@ krb5_error_code ret; ret = k5_mutex_lock(&id->lock); if (ret) - return ret; + return ret; ret = krb5_rc_dfl_recover_locked(context, id); k5_mutex_unlock(&id->lock); return ret; @@ -511,23 +511,23 @@ krb5_error_code KRB5_CALLCONV krb5_rc_dfl_recover_or_init(krb5_context context, krb5_rcache id, - krb5_deltat lifespan) + krb5_deltat lifespan) { krb5_error_code retval; retval = k5_mutex_lock(&id->lock); if (retval) - return retval; + return retval; retval = krb5_rc_dfl_recover_locked(context, id); if (retval) - retval = krb5_rc_dfl_init_locked(context, id, lifespan); + retval = krb5_rc_dfl_init_locked(context, id, lifespan); k5_mutex_unlock(&id->lock); return retval; } static krb5_error_code krb5_rc_io_store(krb5_context context, struct dfl_data *t, - krb5_donot_replay *rep) + krb5_donot_replay *rep) { unsigned int clientlen, serverlen, len; char *buf, *ptr; @@ -536,10 +536,10 @@ clientlen = strlen(rep->client) + 1; serverlen = strlen(rep->server) + 1; len = sizeof(clientlen) + clientlen + sizeof(serverlen) + serverlen + - sizeof(rep->cusec) + sizeof(rep->ctime); + sizeof(rep->cusec) + sizeof(rep->ctime); buf = malloc(len); if (buf == 0) - return KRB5_RC_MALLOC; + return KRB5_RC_MALLOC; ptr = buf; memcpy(ptr, &clientlen, sizeof(clientlen)); ptr += sizeof(clientlen); memcpy(ptr, rep->client, clientlen); ptr += clientlen; 
@@ -564,19 +564,19 @@ ret = krb5_timeofday(context, &now); if (ret) - return ret; + return ret; ret = k5_mutex_lock(&id->lock); if (ret) - return ret; + return ret; switch(rc_store(context, id, rep, now)) { case CMP_MALLOC: - k5_mutex_unlock(&id->lock); - return KRB5_RC_MALLOC; + k5_mutex_unlock(&id->lock); + return KRB5_RC_MALLOC; case CMP_REPLAY: - k5_mutex_unlock(&id->lock); - return KRB5KRB_AP_ERR_REPEAT; + k5_mutex_unlock(&id->lock); + return KRB5KRB_AP_ERR_REPEAT; case 0: break; default: /* wtf? */ ; } @@ -584,24 +584,24 @@ #ifndef NOIOSTUFF ret = krb5_rc_io_store(context, t, rep); if (ret) { - k5_mutex_unlock(&id->lock); - return ret; + k5_mutex_unlock(&id->lock); + return ret; } #endif /* Shall we automatically expunge? */ if (t->nummisses > t->numhits + EXCESSREPS) { - ret = krb5_rc_dfl_expunge_locked(context, id); - k5_mutex_unlock(&id->lock); - return ret; + ret = krb5_rc_dfl_expunge_locked(context, id); + k5_mutex_unlock(&id->lock); + return ret; } #ifndef NOIOSTUFF else { - if (krb5_rc_io_sync(context, &t->d)) { - k5_mutex_unlock(&id->lock); - return KRB5_RC_IO; - } + if (krb5_rc_io_sync(context, &t->d)) { + k5_mutex_unlock(&id->lock); + return KRB5_RC_IO; + } } #endif k5_mutex_unlock(&id->lock); 
@@ -621,24 +621,24 @@ krb5_int32 now; if (krb5_timestamp(context, &now)) - now = 0; + now = 0; for (q = &t->a; *q; q = qt) { - qt = &(*q)->na; - if (alive(now, &(*q)->rep, t->lifespan) == CMP_EXPIRED) { - FREE((*q)->rep.client); - FREE((*q)->rep.server); - FREE(*q); - *q = *qt; /* why doesn't this feel right? */ - } + qt = &(*q)->na; + if (alive(now, &(*q)->rep, t->lifespan) == CMP_EXPIRED) { + FREE((*q)->rep.client); + FREE((*q)->rep.server); + FREE(*q); + *q = *qt; /* why doesn't this feel right? */ + } } for (i = 0; i < t->hsize; i++) - t->h[i] = (struct authlist *) 0; + t->h[i] = (struct authlist *) 0; for (r = t->a; r; r = r->na) { - i = hash(&r->rep, t->hsize); - rt = t->h[i]; - t->h[i] = r; - r->nh = rt; + i = hash(&r->rep, t->hsize); + rt = t->h[i]; + t->h[i] = r; + r->nh = rt; } return 0; #else @@ -649,22 +649,22 @@ krb5_deltat lifespan = t->lifespan; /* save original lifespan */ if (! t->recovering) { - name = t->name; - t->name = 0; /* Clear name so it isn't freed */ - (void) krb5_rc_dfl_close_no_free(context, id); - retval = krb5_rc_dfl_resolve(context, id, name); - free(name); - if (retval) - return retval; - retval = krb5_rc_dfl_recover_locked(context, id); - if (retval) - return retval; - t = (struct dfl_data *)id->data; /* point to recovered cache */ + name = t->name; + t->name = 0; /* Clear name so it isn't freed */ + (void) krb5_rc_dfl_close_no_free(context, id); + retval = krb5_rc_dfl_resolve(context, id, name); + free(name); + if (retval) + return retval; + retval = krb5_rc_dfl_recover_locked(context, id); + if (retval) + return retval; + t = (struct dfl_data *)id->data; /* point to recovered cache */ } tmp = (krb5_rcache) malloc(sizeof(*tmp)); if (!tmp) - return ENOMEM; + return ENOMEM; retval = krb5_rc_resolve_type(context, &tmp, "dfl"); if (retval) { free(tmp); 
@@ -677,7 +677,7 @@ if (retval) goto cleanup; for (q = t->a; q; q = q->na) { - if (krb5_rc_io_store(context, (struct dfl_data *)tmp->data, &q->rep)) { + if (krb5_rc_io_store(context, (struct dfl_data *)tmp->data, &q->rep)) { retval = KRB5_RC_IO; goto cleanup; } @@ -691,7 +691,7 @@ if (krb5_rc_io_move(context, &t->d, &((struct dfl_data *)tmp->data)->d)) goto cleanup; retval = 0; - cleanup: +cleanup: (void) krb5_rc_dfl_close(context, tmp); return retval; #endif @@ -703,7 +703,7 @@ krb5_error_code ret; ret = k5_mutex_lock(&id->lock); if (ret) - return ret; + return ret; ret = krb5_rc_dfl_expunge_locked(context, id); k5_mutex_unlock(&id->lock); return ret; Modified: trunk/src/lib/krb5/rcache/rc_dfl.h =================================================================== --- trunk/src/lib/krb5/rcache/rc_dfl.h 2008-12-28 13:04:14 UTC (rev 21618) +++ trunk/src/lib/krb5/rcache/rc_dfl.h 2008-12-28 19:55:52 UTC (rev 21619) @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/krb5/rcache/rc_dfl.h * 
@@ -13,44 +14,43 @@ #ifndef KRB5_RC_DFL_H #define KRB5_RC_DFL_H -krb5_error_code KRB5_CALLCONV krb5_rc_dfl_init - (krb5_context, - krb5_rcache, - krb5_deltat); -krb5_error_code KRB5_CALLCONV krb5_rc_dfl_recover - (krb5_context, - krb5_rcache); +krb5_error_code KRB5_CALLCONV krb5_rc_dfl_init + (krb5_context, + krb5_rcache, + krb5_deltat); +krb5_error_code KRB5_CALLCONV krb5_rc_dfl_recover + (krb5_context, + krb5_rcache); krb5_error_code KRB5_CALLCONV krb5_rc_dfl_recover_or_init - (krb5_context, krb5_rcache, krb5_deltat); -krb5_error_code KRB5_CALLCONV krb5_rc_dfl_destroy - (krb5_context, - krb5_rcache); -krb5_error_code KRB5_CALLCONV krb5_rc_dfl_close - (krb5_context, - krb5_rcache); -krb5_error_code KRB5_CALLCONV krb5_rc_dfl_store - (krb5_context, - krb5_rcache, - krb5_donot_replay *); -krb5_error_code KRB5_CALLCONV krb5_rc_dfl_expunge - (krb5_context, - krb5_rcache); -krb5_error_code KRB5_CALLCONV krb5_rc_dfl_get_span - (krb5_context, - krb5_rcache, - krb5_deltat *); -char * KRB5_CALLCONV krb5_rc_dfl_get_name - (krb5_context, - krb5_rcache); -krb5_error_code KRB5_CALLCONV krb5_rc_dfl_resolve - (krb5_context, - krb5_rcache, - char *); + (krb5_context, krb5_rcache, krb5_deltat); +krb5_error_code KRB5_CALLCONV krb5_rc_dfl_destroy + (krb5_context, + krb5_rcache); +krb5_error_code KRB5_CALLCONV krb5_rc_dfl_close + (krb5_context, + krb5_rcache); +krb5_error_code KRB5_CALLCONV krb5_rc_dfl_store + (krb5_context, + krb5_rcache, + krb5_donot_replay *); +krb5_error_code KRB5_CALLCONV krb5_rc_dfl_expunge + (krb5_context, + krb5_rcache); +krb5_error_code KRB5_CALLCONV krb5_rc_dfl_get_span + (krb5_context, + krb5_rcache, + krb5_deltat *); +char * KRB5_CALLCONV krb5_rc_dfl_get_name + (krb5_context, + krb5_rcache); +krb5_error_code KRB5_CALLCONV krb5_rc_dfl_resolve + (krb5_context, + krb5_rcache, + char *); krb5_error_code krb5_rc_dfl_close_no_free - (krb5_context, - krb5_rcache); -void krb5_rc_free_entry - (krb5_context, - krb5_donot_replay **); + (krb5_context, + krb5_rcache); 
+void krb5_rc_free_entry + (krb5_context, + krb5_donot_replay **); #endif - Modified: trunk/src/lib/krb5/rcache/rc_io.c =================================================================== --- trunk/src/lib/krb5/rcache/rc_io.c 2008-12-28 13:04:14 UTC (rev 21618) +++ trunk/src/lib/krb5/rcache/rc_io.c 2008-12-28 19:55:52 UTC (rev 21619) @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/krb5/rcache/rc_io.c * @@ -6,7 +7,6 @@ * */ - /* * I/O functions for the replay cache default implementation. */ @@ -17,7 +17,7 @@ # define PATH_SEPARATOR "/" #endif -#define KRB5_RC_VNO 0x0501 /* krb5, rcache v 1 */ +#define KRB5_RC_VNO 0x0501 /* krb5, rcache v 1 */ #if HAVE_SYS_STAT_H #include @@ -52,17 +52,17 @@ if (!(dir = getenv("KRB5RCACHEDIR"))) { #if defined(_WIN32) - if (!(dir = getenv("TEMP"))) - if (!(dir = getenv("TMP"))) - dir = "C:"; + if (!(dir = getenv("TEMP"))) + if (!(dir = getenv("TMP"))) + dir = "C:"; #else - if (!(dir = getenv("TMPDIR"))) { + if (!(dir = getenv("TMPDIR"))) { #ifdef RCTMPDIR - dir = RCTMPDIR; + dir = RCTMPDIR; #else - dir = "/tmp"; + dir = "/tmp"; #endif - } + } #endif } return dir; @@ -85,17 +85,17 @@ memset(&stbuf, 0, sizeof(stbuf)); if (asprintf(&d->fn, "%s%skrb5_RCXXXXXX", - dir, PATH_SEPARATOR) < 0) { - d->fn = NULL; - return KRB5_RC_IO_MALLOC; + dir, PATH_SEPARATOR) < 0) { + d->fn = NULL; + return KRB5_RC_IO_MALLOC; } d->fd = mkstemp(d->fn); if (d->fd == -1) { - /* - * This return value is deliberate because d->fd == -1 causes - * caller to go into errno interpretation code. - */ - return 0; + /* + * This return value is deliberate because d->fd == -1 causes + * caller to go into errno interpretation code. + */ + return 0; } #if HAVE_SYS_STAT_H /* 
@@ -104,18 +104,18 @@ */ retval = fstat(d->fd, &stbuf); if (retval) { - krb5_set_error_message(context, retval, - "Cannot fstat replay cache file %s: %s", - d->fn, strerror(errno)); - return KRB5_RC_IO_UNKNOWN; + krb5_set_error_message(context, retval, + "Cannot fstat replay cache file %s: %s", + d->fn, strerror(errno)); + return KRB5_RC_IO_UNKNOWN; } if (stbuf.st_mode & 077) { - krb5_set_error_message(context, retval, - "Insecure mkstemp() file mode " - "for replay cache file %s; " - "try running this program " - "with umask 077 ", d->fn); - return KRB5_RC_IO_UNKNOWN; + krb5_set_error_message(context, retval, + "Insecure mkstemp() file mode " + "for replay cache file %s; " + "try running this program " + "with umask 077 ", d->fn); + return KRB5_RC_IO_UNKNOWN; } #endif return 0; @@ -127,7 +127,7 @@ static krb5_error_code rc_map_errno (krb5_context context, int e, const char *fn, - const char *operation) + const char *operation) { switch (e) { case EFBIG: @@ -135,25 +135,25 @@ case EDQUOT: #endif case ENOSPC: - return KRB5_RC_IO_SPACE; + return KRB5_RC_IO_SPACE; case EIO: - return KRB5_RC_IO_IO; + return KRB5_RC_IO_IO; case EPERM: case EACCES: case EROFS: case EEXIST: - krb5_set_error_message(context, KRB5_RC_IO_PERM, - "Cannot %s replay cache file %s: %s", - operation, fn, strerror(e)); - return KRB5_RC_IO_PERM; + krb5_set_error_message(context, KRB5_RC_IO_PERM, + "Cannot %s replay cache file %s: %s", + operation, fn, strerror(e)); + return KRB5_RC_IO_PERM; default: - krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN, - "Cannot %s replay cache: %s", - operation, strerror(e)); - return KRB5_RC_IO_UNKNOWN; + krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN, + "Cannot %s replay cache: %s", + operation, strerror(e)); + return KRB5_RC_IO_UNKNOWN; } } 
@@ -169,55 +169,55 @@ GETDIR; if (fn && *fn) { - if (asprintf(&d->fn, "%s%s%s", dir, PATH_SEPARATOR, *fn) < 0) - return KRB5_RC_IO_MALLOC; - unlink(d->fn); - d->fd = THREEPARAMOPEN(d->fn, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | - O_BINARY, 0600); + if (asprintf(&d->fn, "%s%s%s", dir, PATH_SEPARATOR, *fn) < 0) + return KRB5_RC_IO_MALLOC; + unlink(d->fn); + d->fd = THREEPARAMOPEN(d->fn, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | + O_BINARY, 0600); } else { - retval = krb5_rc_io_mkstemp(context, d, dir); - if (retval) - goto cleanup; - if (d->fd != -1 && fn) { - *fn = strdup(d->fn + dirlen); - if (*fn == NULL) { - free(d->fn); - return KRB5_RC_IO_MALLOC; - } - } + retval = krb5_rc_io_mkstemp(context, d, dir); + if (retval) + goto cleanup; + if (d->fd != -1 && fn) { + *fn = strdup(d->fn + dirlen); + if (*fn == NULL) { + free(d->fn); + return KRB5_RC_IO_MALLOC; + } + } } if (d->fd == -1) { - retval = rc_map_errno(context, errno, d->fn, "create"); - if (retval == KRB5_RC_IO_PERM) - do_not_unlink = 1; - goto cleanup; + retval = rc_map_errno(context, errno, d->fn, "create"); + if (retval == KRB5_RC_IO_PERM) + do_not_unlink = 1; + goto cleanup; } set_cloexec_fd(d->fd); retval = krb5_rc_io_write(context, d, (krb5_pointer)&rc_vno, - sizeof(rc_vno)); + sizeof(rc_vno)); if (retval) - goto cleanup; + goto cleanup; retval = krb5_rc_io_sync(context, d); - cleanup: +cleanup: if (retval) { - if (d->fn) { - if (!do_not_unlink) - (void) unlink(d->fn); - FREE(d->fn); - d->fn = NULL; - } - if (d->fd != -1) { - (void) close(d->fd); - } + if (d->fn) { + if (!do_not_unlink) + (void) unlink(d->fn); + FREE(d->fn); + d->fn = NULL; + } + if (d->fd != -1) { + (void) close(d->fd); + } } return retval; } static krb5_error_code krb5_rc_io_open_internal(krb5_context context, krb5_rc_iostuff *d, char *fn, - char* full_pathname) + char* full_pathname) { krb5_int16 rc_vno; krb5_error_code retval = 0; 
@@ -230,54 +230,54 @@ GETDIR; if (full_pathname) { - if (!(d->fn = strdup(full_pathname))) - return KRB5_RC_IO_MALLOC; + if (!(d->fn = strdup(full_pathname))) + return KRB5_RC_IO_MALLOC; } else { - if (asprintf(&d->fn, "%s%s%s", dir, PATH_SEPARATOR, fn) < 0) - return KRB5_RC_IO_MALLOC; + if (asprintf(&d->fn, "%s%s%s", dir, PATH_SEPARATOR, fn) < 0) + return KRB5_RC_IO_MALLOC; } #ifdef NO_USERID d->fd = THREEPARAMOPEN(d->fn, O_RDWR | O_BINARY, 0600); #else if ((d->fd = stat(d->fn, &statb)) != -1) { - uid_t me; + uid_t me; - me = geteuid(); - /* must be owned by this user, to prevent some security problems with - * other users modifying replay cache stufff */ - if ((statb.st_uid != me) || ((statb.st_mode & S_IFMT) != S_IFREG)) { - FREE(d->fn); - return KRB5_RC_IO_PERM; - } - d->fd = THREEPARAMOPEN(d->fn, O_RDWR | O_BINARY, 0600); + me = geteuid(); + /* must be owned by this user, to prevent some security problems with + * other users modifying replay cache stufff */ + if ((statb.st_uid != me) || ((statb.st_mode & S_IFMT) != S_IFREG)) { + FREE(d->fn); + return KRB5_RC_IO_PERM; + } + d->fd = THREEPARAMOPEN(d->fn, O_RDWR | O_BINARY, 0600); } #endif if (d->fd == -1) { - retval = rc_map_errno(context, errno, d->fn, "open"); - goto cleanup; + retval = rc_map_errno(context, errno, d->fn, "open"); + goto cleanup; } set_cloexec_fd(d->fd); do_not_unlink = 0; retval = krb5_rc_io_read(context, d, (krb5_pointer) &rc_vno, - sizeof(rc_vno)); + sizeof(rc_vno)); if (retval) - goto cleanup; + goto cleanup; if (ntohs(rc_vno) != KRB5_RC_VNO) - retval = KRB5_RCACHE_BADVNO; + retval = KRB5_RCACHE_BADVNO; - cleanup: +cleanup: if (retval) { - if (d->fn) { - if (!do_not_unlink) - (void) unlink(d->fn); - FREE(d->fn); - d->fn = NULL; - } - if (d->fd >= 0) - (void) close(d->fd); + if (d->fn) { + if (!do_not_unlink) + (void) unlink(d->fn); + FREE(d->fn); + d->fn = NULL; + } + if (d->fd >= 0) + (void) close(d->fd); } return retval; } 
@@ -290,7 +290,7 @@ krb5_error_code krb5_rc_io_move(krb5_context context, krb5_rc_iostuff *new1, - krb5_rc_iostuff *old) + krb5_rc_iostuff *old) { #if defined(_WIN32) || defined(__CYGWIN__) char *new_fn = NULL; @@ -334,29 +334,29 @@ old->fd = -1; if (rename(old_fn, new_fn) == -1) { /* MUST be atomic! */ - retval = KRB5_RC_IO_UNKNOWN; - goto cleanup; + retval = KRB5_RC_IO_UNKNOWN; + goto cleanup; } retval = krb5_rc_io_open_internal(context, new1, 0, new_fn); if (retval) - goto cleanup; + goto cleanup; if (lseek(new1->fd, offset, SEEK_SET) == -1) { - retval = KRB5_RC_IO_UNKNOWN; - goto cleanup; + retval = KRB5_RC_IO_UNKNOWN; + goto cleanup; } - cleanup: +cleanup: free(new_fn); free(old_fn); return retval; #else char *fn = NULL; if (rename(old->fn, new1->fn) == -1) /* MUST be atomic! */ - return KRB5_RC_IO_UNKNOWN; + return KRB5_RC_IO_UNKNOWN; fn = new1->fn; - new1->fn = NULL; /* avoid clobbering */ + new1->fn = NULL; /* avoid clobbering */ (void) krb5_rc_io_close(context, new1); new1->fn = fn; new1->fd = dup(old->fd); 
@@ -367,32 +367,32 @@ krb5_error_code krb5_rc_io_write(krb5_context context, krb5_rc_iostuff *d, krb5_pointer buf, - unsigned int num) + unsigned int num) { if (write(d->fd, (char *) buf, num) == -1) - switch(errno) - { + switch(errno) + { #ifdef EDQUOT - case EDQUOT: + case EDQUOT: #endif - case EFBIG: - case ENOSPC: - krb5_set_error_message (context, KRB5_RC_IO_SPACE, - "Can't write to replay cache: %s", - strerror(errno)); - return KRB5_RC_IO_SPACE; - case EIO: - krb5_set_error_message (context, KRB5_RC_IO_IO, - "Can't write to replay cache: %s", - strerror(errno)); - return KRB5_RC_IO_IO; - case EBADF: - default: - krb5_set_error_message (context, KRB5_RC_IO_UNKNOWN, - "Can't write to replay cache: %s", - strerror(errno)); - return KRB5_RC_IO_UNKNOWN; - } + case EFBIG: + case ENOSPC: + krb5_set_error_message (context, KRB5_RC_IO_SPACE, + "Can't write to replay cache: %s", + strerror(errno)); + return KRB5_RC_IO_SPACE; + case EIO: + krb5_set_error_message (context, KRB5_RC_IO_IO, + "Can't write to replay cache: %s", + strerror(errno)); + return KRB5_RC_IO_IO; + case EBADF: + default: + krb5_set_error_message (context, KRB5_RC_IO_UNKNOWN, + "Can't write to replay cache: %s", + strerror(errno)); + return KRB5_RC_IO_UNKNOWN; + } return 0; } 
@@ -405,38 +405,38 @@ #endif #endif if (fsync(d->fd) == -1) { - switch(errno) - { - case EBADF: return KRB5_RC_IO_UNKNOWN; - case EIO: return KRB5_RC_IO_IO; - default: - krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN, - "Cannot sync replay cache file: %s", - strerror(errno)); - return KRB5_RC_IO_UNKNOWN; - } + switch(errno) + { + case EBADF: return KRB5_RC_IO_UNKNOWN; + case EIO: return KRB5_RC_IO_IO; + default: + krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN, + "Cannot sync replay cache file: %s", + strerror(errno)); + return KRB5_RC_IO_UNKNOWN; + } } return 0; } krb5_error_code krb5_rc_io_read(krb5_context context, krb5_rc_iostuff *d, krb5_pointer buf, - unsigned int num) + unsigned int num) { int count; if ((count = read(d->fd, (char *) buf, num)) == -1) - switch(errno) - { - case EIO: return KRB5_RC_IO_IO; - case EBADF: - default: - krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN, - "Can't read from replay cache: %s", - strerror(errno)); - return KRB5_RC_IO_UNKNOWN; - } + switch(errno) + { + case EIO: return KRB5_RC_IO_IO; + case EBADF: + default: + krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN, + "Can't read from replay cache: %s", + strerror(errno)); + return KRB5_RC_IO_UNKNOWN; + } if (count < 0 || (unsigned int)count != num) - return KRB5_RC_IO_EOF; + return KRB5_RC_IO_EOF; return 0; } @@ -444,13 +444,13 @@ krb5_rc_io_close(krb5_context context, krb5_rc_iostuff *d) { if (d->fn != NULL) { - FREE(d->fn); - d->fn = NULL; + FREE(d->fn); + d->fn = NULL; } if (d->fd != -1) { - if (close(d->fd) == -1) /* can't happen */ - return KRB5_RC_IO_UNKNOWN; - d->fd = -1; + if (close(d->fd) == -1) /* can't happen */ + return KRB5_RC_IO_UNKNOWN; + d->fd = -1; } return 0; } 
@@ -459,27 +459,27 @@ krb5_rc_io_destroy(krb5_context context, krb5_rc_iostuff *d) { if (unlink(d->fn) == -1) - switch(errno) - { - case EIO: - krb5_set_error_message(context, KRB5_RC_IO_IO, - "Can't destroy replay cache: %s", - strerror(errno)); - return KRB5_RC_IO_IO; - case EPERM: - case EBUSY: - case EROFS: - krb5_set_error_message(context, KRB5_RC_IO_PERM, - "Can't destroy replay cache: %s", - strerror(errno)); - return KRB5_RC_IO_PERM; - case EBADF: - default: - krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN, - "Can't destroy replay cache: %s", - strerror(errno)); - return KRB5_RC_IO_UNKNOWN; - } + switch(errno) + { + case EIO: + krb5_set_error_message(context, KRB5_RC_IO_IO, + "Can't destroy replay cache: %s", + strerror(errno)); + return KRB5_RC_IO_IO; + case EPERM: + case EBUSY: + case EROFS: + krb5_set_error_message(context, KRB5_RC_IO_PERM, + "Can't destroy replay cache: %s", + strerror(errno)); + return KRB5_RC_IO_PERM; + case EBADF: + default: + krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN, + "Can't destroy replay cache: %s", + strerror(errno)); + return KRB5_RC_IO_UNKNOWN; + } return 0; } @@ -503,7 +503,7 @@ struct stat statb; if (fstat(d->fd, &statb) == 0) - return statb.st_size; + return statb.st_size; else - return 0; + return 0; } Modified: trunk/src/lib/krb5/rcache/rc_io.h =================================================================== --- trunk/src/lib/krb5/rcache/rc_io.h 2008-12-28 13:04:14 UTC (rev 21618) +++ trunk/src/lib/krb5/rcache/rc_io.h 2008-12-28 19:55:52 UTC (rev 21619) @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/krb5/rcache/rc_io.h * 
@@ -27,44 +28,44 @@ /* first argument is always iostuff for result file */ -krb5_error_code krb5_rc_io_creat - (krb5_context, - krb5_rc_iostuff *, - char **); -krb5_error_code krb5_rc_io_open - (krb5_context, - krb5_rc_iostuff *, - char *); -krb5_error_code krb5_rc_io_move - (krb5_context, - krb5_rc_iostuff *, - krb5_rc_iostuff *); -krb5_error_code krb5_rc_io_write - (krb5_context, - krb5_rc_iostuff *, - krb5_pointer, - unsigned int); -krb5_error_code krb5_rc_io_read - (krb5_context, - krb5_rc_iostuff *, - krb5_pointer, - unsigned int); -krb5_error_code krb5_rc_io_close - (krb5_context, - krb5_rc_iostuff *); -krb5_error_code krb5_rc_io_destroy - (krb5_context, - krb5_rc_iostuff *); -krb5_error_code krb5_rc_io_mark - (krb5_context, - krb5_rc_iostuff *); -krb5_error_code krb5_rc_io_unmark - (krb5_context, - krb5_rc_iostuff *); +krb5_error_code krb5_rc_io_creat + (krb5_context, + krb5_rc_iostuff *, + char **); +krb5_error_code krb5_rc_io_open + (krb5_context, + krb5_rc_iostuff *, + char *); +krb5_error_code krb5_rc_io_move + (krb5_context, + krb5_rc_iostuff *, + krb5_rc_iostuff *); +krb5_error_code krb5_rc_io_write + (krb5_context, + krb5_rc_iostuff *, + krb5_pointer, + unsigned int); +krb5_error_code krb5_rc_io_read + (krb5_context, + krb5_rc_iostuff *, + krb5_pointer, + unsigned int); +krb5_error_code krb5_rc_io_close + (krb5_context, + krb5_rc_iostuff *); +krb5_error_code krb5_rc_io_destroy + (krb5_context, + krb5_rc_iostuff *); +krb5_error_code krb5_rc_io_mark + (krb5_context, + krb5_rc_iostuff *); +krb5_error_code krb5_rc_io_unmark + (krb5_context, + krb5_rc_iostuff *); krb5_error_code krb5_rc_io_sync - (krb5_context, - krb5_rc_iostuff *); + (krb5_context, + krb5_rc_iostuff *); long krb5_rc_io_size - (krb5_context, - krb5_rc_iostuff *); + (krb5_context, + krb5_rc_iostuff *); #endif Modified: trunk/src/lib/krb5/rcache/rc_none.c =================================================================== --- trunk/src/lib/krb5/rcache/rc_none.c 2008-12-28 13:04:14 UTC (rev 
21618) +++ trunk/src/lib/krb5/rcache/rc_none.c 2008-12-28 19:55:52 UTC (rev 21619) @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/krb5/rcache/rc_none.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,8 +23,8 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * * + * * replay cache no-op implementation */ @@ -42,10 +43,10 @@ { return 0; } -#define krb5_rc_none_recover krb5_rc_none_noargs -#define krb5_rc_none_destroy krb5_rc_none_noargs -#define krb5_rc_none_close krb5_rc_none_noargs -#define krb5_rc_none_expunge krb5_rc_none_noargs +#define krb5_rc_none_recover krb5_rc_none_noargs +#define krb5_rc_none_destroy krb5_rc_none_noargs +#define krb5_rc_none_close krb5_rc_none_noargs +#define krb5_rc_none_expunge krb5_rc_none_noargs static krb5_error_code KRB5_CALLCONV krb5_rc_none_store(krb5_context ctx, krb5_rcache rc, krb5_donot_replay *r) Modified: trunk/src/lib/krb5/rcache/rcdef.c =================================================================== --- trunk/src/lib/krb5/rcache/rcdef.c 2008-12-28 13:04:14 UTC (rev 21618) +++ trunk/src/lib/krb5/rcache/rcdef.c 2008-12-28 19:55:52 UTC (rev 21619) @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/krb5/rcache/rcdef.c * 
@@ -32,18 +33,17 @@ #include "rc_dfl.h" const krb5_rc_ops krb5_rc_dfl_ops = - { - 0, - "dfl", - krb5_rc_dfl_init, - krb5_rc_dfl_recover, - krb5_rc_dfl_recover_or_init, - krb5_rc_dfl_destroy, - krb5_rc_dfl_close, - krb5_rc_dfl_store, - krb5_rc_dfl_expunge, - krb5_rc_dfl_get_span, - krb5_rc_dfl_get_name, - krb5_rc_dfl_resolve - } -; +{ + 0, + "dfl", + krb5_rc_dfl_init, + krb5_rc_dfl_recover, + krb5_rc_dfl_recover_or_init, + krb5_rc_dfl_destroy, + krb5_rc_dfl_close, + krb5_rc_dfl_store, + krb5_rc_dfl_expunge, + krb5_rc_dfl_get_span, + krb5_rc_dfl_get_name, + krb5_rc_dfl_resolve +}; Modified: trunk/src/lib/krb5/rcache/rcfns.c =================================================================== --- trunk/src/lib/krb5/rcache/rcfns.c 2008-12-28 13:04:14 UTC (rev 21618) +++ trunk/src/lib/krb5/rcache/rcfns.c 2008-12-28 19:55:52 UTC (rev 21619) @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/krb5/rcache/rcfns.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -39,7 +40,7 @@ krb5_error_code KRB5_CALLCONV krb5_rc_recover_or_initialize (krb5_context context, krb5_rcache id, - krb5_deltat span) + krb5_deltat span) { return krb5_x(id->ops->recover_or_init,(context, id, span)); } @@ -64,7 +65,7 @@ krb5_error_code KRB5_CALLCONV krb5_rc_store (krb5_context context, krb5_rcache id, - krb5_donot_replay *dontreplay) + krb5_donot_replay *dontreplay) { return krb5_x((id)->ops->store,(context, id, dontreplay)); } 
@@ -77,7 +78,7 @@ krb5_error_code KRB5_CALLCONV krb5_rc_get_lifespan (krb5_context context, krb5_rcache id, - krb5_deltat *spanp) + krb5_deltat *spanp) { return krb5_x((id)->ops->get_span,(context, id, spanp)); } Modified: trunk/src/lib/krb5/rcache/ser_rc.c =================================================================== --- trunk/src/lib/krb5/rcache/ser_rc.c 2008-12-28 13:04:14 UTC (rev 21618) +++ trunk/src/lib/krb5/rcache/ser_rc.c 2008-12-28 19:55:52 UTC (rev 21619) @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * lib/krb5/rcache/ser_rc.c * 
@@ -33,167 +34,167 @@ /* * Routines to deal with externalizing krb5_rcache. - * krb5_rcache_size(); - * krb5_rcache_externalize(); - * krb5_rcache_internalize(); + * krb5_rcache_size(); + * krb5_rcache_externalize(); + * krb5_rcache_internalize(); */ static krb5_error_code krb5_rcache_size - (krb5_context, krb5_pointer, size_t *); + (krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_rcache_externalize - (krb5_context, krb5_pointer, krb5_octet **, size_t *); + (krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_rcache_internalize - (krb5_context,krb5_pointer *, krb5_octet **, size_t *); + (krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* * Serialization entry for this type. */ static const krb5_ser_entry krb5_rcache_ser_entry = { - KV5M_RCACHE, /* Type */ - krb5_rcache_size, /* Sizer routine */ - krb5_rcache_externalize, /* Externalize routine */ - krb5_rcache_internalize /* Internalize routine */ + KV5M_RCACHE, /* Type */ + krb5_rcache_size, /* Sizer routine */ + krb5_rcache_externalize, /* Externalize routine */ + krb5_rcache_internalize /* Internalize routine */ }; /* - * krb5_rcache_size() - Determine the size required to externalize - * this krb5_rcache variant. + * krb5_rcache_size() - Determine the size required to externalize + * this krb5_rcache variant. */ static krb5_error_code krb5_rcache_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { - krb5_error_code kret; - krb5_rcache rcache; - size_t required; + krb5_error_code kret; + krb5_rcache rcache; + size_t required; kret = EINVAL; if ((rcache = (krb5_rcache) arg)) { - /* - * Saving FILE: variants of krb5_rcache requires at minimum: - * krb5_int32 for KV5M_RCACHE - * krb5_int32 for length of rcache name. 
- * krb5_int32 for KV5M_RCACHE - */ - required = sizeof(krb5_int32) * 3; - if (rcache->ops && rcache->ops->type) - required += (strlen(rcache->ops->type)+1); + /* + * Saving FILE: variants of krb5_rcache requires at minimum: + * krb5_int32 for KV5M_RCACHE + * krb5_int32 for length of rcache name. + * krb5_int32 for KV5M_RCACHE + */ + required = sizeof(krb5_int32) * 3; + if (rcache->ops && rcache->ops->type) + required += (strlen(rcache->ops->type)+1); - /* - * The rcache name is formed as follows: - * : - */ - required += strlen(krb5_rc_get_name(kcontext, rcache)); + /* + * The rcache name is formed as follows: + * : + */ + required += strlen(krb5_rc_get_name(kcontext, rcache)); - kret = 0; - *sizep += required; + kret = 0; + *sizep += required; } return(kret); } /* - * krb5_rcache_externalize() - Externalize the krb5_rcache. + * krb5_rcache_externalize() - Externalize the krb5_rcache. */ static krb5_error_code krb5_rcache_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_rcache rcache; - size_t required; - krb5_octet *bp; - size_t remain; - char *rcname; - size_t namelen; - char *fnamep; + krb5_error_code kret; + krb5_rcache rcache; + size_t required; + krb5_octet *bp; + size_t remain; + char *rcname; + size_t namelen; + char *fnamep; required = 0; bp = *buffer; remain = *lenremain; kret = EINVAL; if ((rcache = (krb5_rcache) arg)) { - kret = ENOMEM; - if (!krb5_rcache_size(kcontext, arg, &required) && - (required <= remain)) { - /* Our identifier */ - (void) krb5_ser_pack_int32(KV5M_RCACHE, &bp, &remain); + kret = ENOMEM; + if (!krb5_rcache_size(kcontext, arg, &required) && + (required <= remain)) { + /* Our identifier */ + (void) krb5_ser_pack_int32(KV5M_RCACHE, &bp, &remain); - /* Calculate the length of the name */ - namelen = (rcache->ops && rcache->ops->type) ? 
- strlen(rcache->ops->type)+1 : 0; - fnamep = krb5_rc_get_name(kcontext, rcache); - namelen += (strlen(fnamep)+1); + /* Calculate the length of the name */ + namelen = (rcache->ops && rcache->ops->type) ? + strlen(rcache->ops->type)+1 : 0; + fnamep = krb5_rc_get_name(kcontext, rcache); + namelen += (strlen(fnamep)+1); - if (rcache->ops && rcache->ops->type) { - if (asprintf(&rcname, "%s:%s", rcache->ops->type, fnamep) < 0) - rcname = NULL; - } else - rcname = strdup(fnamep); + if (rcache->ops && rcache->ops->type) { + if (asprintf(&rcname, "%s:%s", rcache->ops->type, fnamep) < 0) + rcname = NULL; + } else + rcname = strdup(fnamep); - if (rcname) { - /* Put the length of the file name */ - (void) krb5_ser_pack_int32((krb5_int32) strlen(rcname), - &bp, &remain); - - /* Put the name */ - (void) krb5_ser_pack_bytes((krb5_octet *) rcname, - strlen(rcname), - &bp, &remain); + if (rcname) { + /* Put the length of the file name */ + (void) krb5_ser_pack_int32((krb5_int32) strlen(rcname), + &bp, &remain); - /* Put the trailer */ - (void) krb5_ser_pack_int32(KV5M_RCACHE, &bp, &remain); - kret = 0; - *buffer = bp; - *lenremain = remain; - free(rcname); - } - } + /* Put the name */ + (void) krb5_ser_pack_bytes((krb5_octet *) rcname, + strlen(rcname), + &bp, &remain); + + /* Put the trailer */ + (void) krb5_ser_pack_int32(KV5M_RCACHE, &bp, &remain); + kret = 0; + *buffer = bp; + *lenremain = remain; + free(rcname); + } + } } return(kret); } /* - * krb5_rcache_internalize() - Internalize the krb5_rcache. + * krb5_rcache_internalize() - Internalize the krb5_rcache. 
*/ static krb5_error_code krb5_rcache_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { - krb5_error_code kret; - krb5_rcache rcache; - krb5_int32 ibuf; - krb5_octet *bp; - size_t remain; - char *rcname; + krb5_error_code kret; + krb5_rcache rcache; + krb5_int32 ibuf; + krb5_octet *bp; + size_t remain; + char *rcname; bp = *buffer; remain = *lenremain; kret = EINVAL; /* Read our magic number */ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) - ibuf = 0; + ibuf = 0; if (ibuf == KV5M_RCACHE) { - kret = ENOMEM; + kret = ENOMEM; - /* Get the length of the rcache name */ - kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + /* Get the length of the rcache name */ + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); - if (!kret && - (rcname = (char *) malloc((size_t) (ibuf+1))) && - !(kret = krb5_ser_unpack_bytes((krb5_octet *) rcname, - (size_t) ibuf, - &bp, &remain))) { - rcname[ibuf] = '\0'; - if (!(kret = krb5_rc_resolve_full(kcontext, &rcache, rcname))) { - (void) krb5_rc_recover(kcontext, rcache); - if (!kret && - !(kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)) && - (ibuf == KV5M_RCACHE)) { - *buffer = bp; - *lenremain = remain; - *argp = (krb5_pointer) rcache; - } - else - krb5_rc_close(kcontext, rcache); - } - free(rcname); - } + if (!kret && + (rcname = (char *) malloc((size_t) (ibuf+1))) && + !(kret = krb5_ser_unpack_bytes((krb5_octet *) rcname, + (size_t) ibuf, + &bp, &remain))) { + rcname[ibuf] = '\0'; + if (!(kret = krb5_rc_resolve_full(kcontext, &rcache, rcname))) { + (void) krb5_rc_recover(kcontext, rcache); + if (!kret && + !(kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)) && + (ibuf == KV5M_RCACHE)) { + *buffer = bp; + *lenremain = remain; + *argp = (krb5_pointer) rcache; + } + else + krb5_rc_close(kcontext, rcache); + } + free(rcname); + } } return(kret); } From lhoward at MIT.EDU Sun Dec 28 17:41:10 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Sun, 28 Dec 2008 17:41:10 -0500 (EST) Subject: svn rev #21620: branches/aes-ccm/src/lib/crypto/enc_provider/ Message-ID: <200812282241.RAA23671@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21620 Commit By: lhoward Log Message: Return KRB5_CRYPTO_INTERNAL if counter wraps around Changed Files: U branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c Modified: branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c =================================================================== --- branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c 2008-12-28 19:55:52 UTC (rev 21619) +++ branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c 2008-12-28 22:41:09 UTC (rev 21620) @@ -31,7 +31,7 @@ #define CCM_FLAG_MASK_Q 0x07 -#define CCM_COUNTER_LENGTH 3 +#define CCM_DEFAULT_COUNTER_LEN 3 /* default q=3 from RFC 5116 5.3 */ static inline void xorblock(unsigned char *out, const unsigned char *in) { @@ -52,7 +52,7 @@ assert(q >= 2 && q <= 8); for (i = 0, blockno = 0; i < q; i++) { - register int s = (q - i - 1) * 8; + register krb5_octet s = (q - i - 1) * 8; blockno |= ctr[16 - q + i] << s; } @@ -69,12 +69,15 @@ q = ctr[0] + 1; for (i = 0; i < q; i++) { - register int s = (q - i - 1) * 8; + register krb5_octet s = (q - i - 1) * 8; ctr[16 - q + i] = (blockno >> s) & 0xFF; } } +/* Maximum number of invocations with a given nonce and key */ +#define maxblocks(q) (1UL << (8 * q)) + /* * ivec must be a correctly formatted counter block per SP800-38C A.3 */ @@ -106,7 +109,7 @@ memcpy(ctr, ivec->data, BLOCK_SIZE); } else { memset(ctr, 0, BLOCK_SIZE); - ctr[0] = CCM_COUNTER_LENGTH - 1; /* default q=3 from RFC 5116 5.3 */ + ctr[0] = CCM_DEFAULT_COUNTER_LEN - 1; } getctrblockno(&blockno, ctr); 
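Review bot: Narrowing `s` to `krb5_octet` in the `@@ -52,7 +52,7 @@` hunk does not address the shift on the unchanged next line, `blockno |= ctr[16 - q + i] << s;`: if `ctr` is a byte array, as the `memcpy`/`memset` usage suggests, the element is promoted to `int` and for q=8 the loop shifts it by up to 56 bits, which is undefined behaviour for a 32-bit `int` no matter how `s` is typed. Widen the operand before shifting, e.g. `blockno |= (unsigned long long)ctr[16 - q + i] << s;`, using whatever type `blockno` actually has (its declaration is outside the hunk). The same promotion applies to the mirror expression `(blockno >> s) & 0xFF` in the `@@ -69` hunk only if `blockno` is narrower than 64 bits, so that one should be confirmed against the declaration rather than assumed.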
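Review bot: The `maxblocks` macro introduced in the `@@ -69,12 +69,15 @@` hunk does not parenthesize its argument, and its only call sites pass `ctr[0] + 1`, so the expansion is `1UL << (8 * ctr[0] + 1)` rather than `1UL << (8 * (ctr[0] + 1))` — for the default q=3 that is 2^17 instead of 2^24, and the new wraparound check will reject messages long before the counter can actually repeat. The shift width is also wrong at the top of the range asserted by `getctrblockno` (`q <= 8`): `1UL << 64` is undefined behaviour on every platform, and on targets where `unsigned long` is 32 bits any q >= 4 already shifts out of range. Write it as `#define maxblocks(q) ((q) >= 8 ? ~0ULL : 1ULL << (8 * (q)))` so the argument is parenthesized, the constant is 64-bit, and the q=8 case (where a 64-bit `blockno` cannot exceed the limit anyway) is clamped rather than shifted; the comparisons at the call sites then need `blockno` to be a 64-bit type, which should be confirmed against its declaration outside the hunk.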
@@ -115,6 +118,9 @@ unsigned char plain[BLOCK_SIZE]; unsigned char ectr[BLOCK_SIZE]; + if (blockno >= maxblocks(ctr[0] + 1)) + return KRB5_CRYPTO_INTERNAL; + if (!krb5int_c_iov_get_block((unsigned char *)plain, BLOCK_SIZE, data, num_data, &input_pos)) break; @@ -161,7 +167,7 @@ memcpy(ctr, ivec->data, BLOCK_SIZE); } else { memset(ctr, 0, BLOCK_SIZE); - ctr[0] = CCM_COUNTER_LENGTH - 1; /* default q=3 from RFC 5116 5.3 */ + ctr[0] = CCM_DEFAULT_COUNTER_LEN - 1; } getctrblockno(&blockno, ctr); @@ -170,6 +176,9 @@ unsigned char ectr[BLOCK_SIZE]; unsigned char cipher[BLOCK_SIZE]; + if (blockno >= maxblocks(ctr[0] + 1)) + return KRB5_CRYPTO_INTERNAL; + if (!krb5int_c_iov_get_block((unsigned char *)cipher, BLOCK_SIZE, data, num_data, &input_pos)) break; From epeisach at MIT.EDU Sun Dec 28 22:36:59 2008 From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Sun, 28 Dec 2008 22:36:59 -0500 (EST) Subject: svn rev #21621: trunk/src/slave/ Message-ID: <200812290336.WAA27114@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21621 Commit By: epeisach Log Message: Handle a number of warnings - including missing prototype, paraenthesis in conditionals, unused function removal, unused variable removal. Changed Files: U trunk/src/slave/kpropd.c Modified: trunk/src/slave/kpropd.c =================================================================== --- trunk/src/slave/kpropd.c 2008-12-28 22:41:09 UTC (rev 21620) +++ trunk/src/slave/kpropd.c 2008-12-29 03:36:57 UTC (rev 21621) @@ -249,7 +249,7 @@ exit(ret); } -void resync_alarm(int sn) +static void resync_alarm(int sn) { close (gfd); if (debug) @@ -639,8 +639,9 @@ params.realm = def_realm; if (master_svc_princstr == NULL) { - if (retval = kadm5_get_kiprop_host_srv_name(kpropd_context, - def_realm, &master_svc_princstr)) { + if ((retval = kadm5_get_kiprop_host_srv_name(kpropd_context, + def_realm, + &master_svc_princstr))) { com_err(progname, retval, _("%s: unable to get kiprop host based " "service name for realm %s\n"), 
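Review bot: In the `@@ -115,6 +118,9 @@` hunk the new limit test runs before `krb5int_c_iov_get_block`, so on the iteration after the final block the loop compares `blockno` against the limit before it finds out there is no more input; if `blockno` is advanced once per processed block (the increment is outside the hunk), an input of exactly `maxblocks` blocks is rejected with `KRB5_CRYPTO_INTERNAL` even though no counter value was reused. Move the check below the `if (!krb5int_c_iov_get_block(...)) break;` so it fires only when another block is about to consume a counter value, and make the same change in the decrypt-side hunk `@@ -170,6 +176,9 @@`, which duplicates the test verbatim. A short comment such as `/* refuse to reuse a counter value under the same key/nonce (SP800-38C) */` would also help, since the error code alone does not say why the operation was refused. The enclosing loop and function continue outside the hunk.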
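Review bot: `resync_alarm` in the `@@ -249,7 +249,7 @@` hunk is a SIGALRM handler that closes a global descriptor, and making it `static` fixes the prototype warning without adding any guard on `gfd` itself: if the main path has already closed the descriptor and the number has been reused by the time the alarm fires, `close(gfd)` shuts an unrelated descriptor. Suggest `if (gfd != -1) close(gfd);` in the handler, with the main loop setting `gfd = -1` after its own close and the global declared `volatile`, so the handler and the interrupted code agree on whether the descriptor is live. The `if (debug)` branch is cut off by the hunk; whatever it calls must be async-signal-safe, which excludes `printf`/`syslog`-style logging. The handler body continues outside the hunk.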
@@ -652,7 +653,7 @@ /* * Set cc to the default credentials cache */ - if (retval = krb5_cc_default(kpropd_context, &cc)) { + if ((retval = krb5_cc_default(kpropd_context, &cc))) { com_err(progname, retval, _("while opening default " "credentials cache")); @@ -682,8 +683,8 @@ } /* XXX Memory leak: Old r->data value. */ } - if (retval = krb5_unparse_name(kpropd_context, iprop_svc_principal, - &iprop_svc_princstr)) { + if ((retval = krb5_unparse_name(kpropd_context, iprop_svc_principal, + &iprop_svc_princstr))) { com_err(progname, retval, _("while canonicalizing principal name")); krb5_free_principal(kpropd_context, iprop_svc_principal); @@ -950,7 +951,7 @@ free(iprop_svc_princstr); if (master_svc_princstr) free(master_svc_princstr); - if (retval = krb5_cc_close(kpropd_context, cc)) { + if ((retval = krb5_cc_close(kpropd_context, cc))) { com_err(progname, retval, _("while closing default ccache")); exit(1); @@ -984,17 +985,6 @@ return (btime); } - -static char * -copy_leading_substring(char *src, size_t len) -{ - char *result; - result = malloc((len + 1) * sizeof(char)); - (void) strncpy(result, src, len+1); - result[len] = 0; - return result; -} - static void kpropd_com_err_proc(whoami, code, fmt, args) const char *whoami; @@ -1669,7 +1659,6 @@ const char *realm, char **host_service_name) { - kadm5_ret_t ret; char *name; char *host; From epeisach at MIT.EDU Sun Dec 28 23:45:37 2008 
From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Sun, 28 Dec 2008 23:45:37 -0500 (EST) Subject: svn rev #21622: trunk/src/plugins/kdb/ldap/ldap_util/ Message-ID: <200812290445.XAA27963@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21622 Commit By: epeisach Log Message: subject: krb4 removal missed ldap kdb plugin directory ticket: new The krb4 removal failed to change the makefile in ldap kdb plugin directory. Changed Files: U trunk/src/plugins/kdb/ldap/ldap_util/Makefile.in Modified: trunk/src/plugins/kdb/ldap/ldap_util/Makefile.in =================================================================== --- trunk/src/plugins/kdb/ldap/ldap_util/Makefile.in 2008-12-29 03:36:57 UTC (rev 21621) +++ trunk/src/plugins/kdb/ldap/ldap_util/Makefile.in 2008-12-29 04:45:36 UTC (rev 21622) @@ -4,7 +4,7 @@ BUILDTOP=$(REL)..$(S)..$(S)..$(S).. DEFINES = -DKDB4_DISABLE DEFS= -LOCALINCLUDES = -I. @KRB4_INCLUDES@ -I$(srcdir)/../libkdb_ldap -I$(SRCTOP)/lib/kdb +LOCALINCLUDES = -I. -I$(srcdir)/../libkdb_ldap -I$(SRCTOP)/lib/kdb PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH) PROG_RPATH=$(KRB5_LIBDIR) #KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS) @@ -17,9 +17,9 @@ all:: $(PROG) -$(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB4COMPAT_DEPLIBS) $(GETDATE) +$(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE) $(CC_LINK) -o $(PROG) $(OBJS) $(GETDATE) \ - $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB4COMPAT_LIBS) + $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB5_BASE_LIBS) install:: $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) From lhoward at MIT.EDU Mon Dec 29 00:55:27 2008 
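Review bot: The context line `PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)` directly after the changed LOCALINCLUDES line still references the krb4 library path that this commit is otherwise removing from the file; the link rule below now uses `$(KRB5_BASE_DEPLIB)` and `$(KRB5_BASE_LIBS)`, so the leftover is presumably inert but would re-enter the link line if KRB4_LIBPATH were ever defined again. Drop it for consistency with the rest of the change: `PROG_LIBPATH=-L$(TOPLIBD)`.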
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 29 Dec 2008 00:55:27 -0500 (EST) Subject: svn rev #21623: branches/aes-ccm/src/lib/crypto/enc_provider/ Message-ID: <200812290555.AAA28829@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21623 Commit By: lhoward Log Message: fix an order of operations bug Changed Files: U branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c Modified: branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c =================================================================== --- branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c 2008-12-29 04:45:36 UTC (rev 21622) +++ branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c 2008-12-29 05:55:26 UTC (rev 21623) @@ -76,7 +76,7 @@ } /* Maximum number of invocations with a given nonce and key */ -#define maxblocks(q) (1UL << (8 * q)) +#define maxblocks(q) (1UL << (8 * (q))) /* * ivec must be a correctly formatted counter block per SP800-38C A.3 From lhoward at MIT.EDU Mon Dec 29 01:01:43 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 29 Dec 2008 01:01:43 -0500 (EST) Subject: svn rev #21624: branches/aes-ccm/src/lib/crypto/enc_provider/ Message-ID: <200812290601.BAA28976@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21624 Commit By: lhoward Log Message: cleanup Changed Files: U branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c Modified: branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c =================================================================== --- branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c 2008-12-29 05:55:26 UTC (rev 21623) +++ branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c 2008-12-29 06:01:42 UTC (rev 21624) @@ -244,7 +244,7 @@ } static krb5_error_code -k5_aes_make_key(const krb5_data *randombits, krb5_keyblock *key) +k5_aes_make_key_ctr(const krb5_data *randombits, krb5_keyblock *key) { if (key->length != 16 && key->length != 32) return(KRB5_BAD_KEYSIZE); 
@@ -258,14 +258,14 @@ } static krb5_error_code -krb5int_aes_init_state (const krb5_keyblock *key, krb5_keyusage usage, - krb5_data *state) +krb5int_aes_init_state_ctr (const krb5_keyblock *key, krb5_keyusage usage, + krb5_data *state) { - state->length = 16; - state->data = (void *) malloc(16); + state->length = BLOCK_SIZE; + state->data = calloc(1, state->length); if (state->data == NULL) return ENOMEM; - memset(state->data, 0, state->length); + state->data[0] = CCM_DEFAULT_COUNTER_LEN - 1; return 0; } @@ -274,8 +274,8 @@ 16, 16, krb5int_aes_encrypt_ctr, krb5int_aes_decrypt_ctr, - k5_aes_make_key, - krb5int_aes_init_state, + k5_aes_make_key_ctr, + krb5int_aes_init_state_ctr, krb5int_default_free_state, krb5int_aes_encrypt_ctr_iov, krb5int_aes_decrypt_ctr_iov @@ -286,8 +286,8 @@ 32, 32, krb5int_aes_encrypt_ctr, krb5int_aes_decrypt_ctr, - k5_aes_make_key, - krb5int_aes_init_state, + k5_aes_make_key_ctr, + krb5int_aes_init_state_ctr, krb5int_default_free_state, krb5int_aes_encrypt_ctr_iov, krb5int_aes_decrypt_ctr_iov From epeisach at MIT.EDU Mon Dec 29 07:36:33 2008 
From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Mon, 29 Dec 2008 07:36:33 -0500 (EST) Subject: svn rev #21625: trunk/src/plugins/kdb/ldap/ldap_util/ Message-ID: <200812291236.HAA07524@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21625 Commit By: epeisach Log Message: Add prototype for usage. Change invocation of usage to db_usage when using an argument. Include adm_proto.h for prototype for krb5_keysalt_iterate. Changed Files: U trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c U trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c U trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h Modified: trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c =================================================================== --- trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c 2008-12-29 06:01:42 UTC (rev 21624) +++ trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c 2008-12-29 12:36:31 UTC (rev 21625) @@ -87,6 +87,7 @@ #include #include #include +#include #include "kdb5_ldap_util.h" #include "kdb5_ldap_list.h" #include @@ -2004,7 +2005,7 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask) { char **slist = NULL; - int num_entry_printed = 0, i = 0; + unsigned int num_entry_printed = 0, i = 0; /* Print the Realm Attributes on the standard output */ printf("%25s: %-50s\n", "Realm Name", global_params.realm); Modified: trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c =================================================================== --- trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c 2008-12-29 06:01:42 UTC (rev 21624) +++ trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c 2008-12-29 12:36:31 UTC (rev 21625) @@ -104,7 +104,7 @@ * This function prints the usage of kdb5_ldap_util, which is * the LDAP configuration utility. */ -void usage() +void usage(void) { fprintf(stderr, "Usage: " "kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]\n" 
@@ -420,7 +420,6 @@ * we will print the help corresponding to the sub-command. */ if (print_help_message) { - char *cmd_name = cmd_argv[0]; free(cmd_argv); cmd_argv = NULL; usage(); Modified: trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h =================================================================== --- trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h 2008-12-29 06:01:42 UTC (rev 21624) +++ trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h 2008-12-29 12:36:31 UTC (rev 21625) @@ -63,10 +63,10 @@ extern int exit_status; extern krb5_context util_context; -extern void usage(); +extern void usage(void); extern void db_usage(int); -#define ARG_VAL (--argc > 0 ? (koptarg = *(++argv)) : (char *)(usage(MAIN_HELP), NULL)) +#define ARG_VAL (--argc > 0 ? (koptarg = *(++argv)) : (char *)(db_usage(MAIN_HELP), NULL)) /* Following are the bitmaps that indicate which of the options among -D, -w, -h, -p & -t * were specified on the command line. From lhoward at MIT.EDU Mon Dec 29 08:16:04 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 29 Dec 2008 08:16:04 -0500 (EST) Subject: svn rev #21626: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812291316.IAA08045@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21626 Commit By: lhoward Log Message: Cleanup kg_make_confounder() somewhat Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-29 12:36:31 UTC (rev 21625) +++ branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-29 13:16:03 UTC (rev 21626) 
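Review bot: `ARG_VAL` now calls `db_usage(MAIN_HELP)` in the missing-argument branch and evaluates to `NULL`; that is only safe if db_usage never returns (its body is not in this diff), otherwise every caller that does `koptarg = ARG_VAL` without a check dereferences a null pointer on a truncated command line. If db_usage exits, record that where it is declared, `extern void db_usage(int); /* exits; never returns */`, so the macro's reliance on it is visible; if it can return, the callers need a NULL check on koptarg. The change from usage() to db_usage() itself is right, since usage now takes no argument.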
@@ -162,21 +162,14 @@ krb5_keyblock *key; unsigned char *buf; { - krb5_error_code code; - size_t blocksize; + int confsize; krb5_data lrandom; - /* We special case rc4*/ - if (key->enctype == ENCTYPE_ARCFOUR_HMAC || - key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { - blocksize = 8; - } else { - code = krb5_c_block_size(context, key->enctype, &blocksize); - if (code) - return(code); - } + confsize = kg_confounder_size(context, key); + if (confsize < 0) + return KRB5_BAD_MSIZE; - lrandom.length = blocksize; + lrandom.length = confsize; lrandom.data = (char *)buf; return(krb5_c_random_make_octets(context, &lrandom)); From epeisach at MIT.EDU Mon Dec 29 08:37:22 2008 From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Mon, 29 Dec 2008 08:37:22 -0500 (EST) Subject: svn rev #21627: trunk/src/lib/kdb/ Message-ID: <200812291337.IAA08355@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21627 Commit By: epeisach Log Message: Create a private header file for local functions missing prototypes. Fix a number of warnning suggesting parenthesis. Fix a signed/unsigned warning. Update dependencies. Changed Files: U trunk/src/lib/kdb/Makefile.in U trunk/src/lib/kdb/kdb5.c A trunk/src/lib/kdb/kdb5int.h U trunk/src/lib/kdb/kdb_log.c Modified: trunk/src/lib/kdb/Makefile.in =================================================================== --- trunk/src/lib/kdb/Makefile.in 2008-12-29 13:16:03 UTC (rev 21626) +++ trunk/src/lib/kdb/Makefile.in 2008-12-29 13:37:20 UTC (rev 21627) @@ -86,7 +86,7 @@ $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - adb_err.h kdb5.c kdb5.h + adb_err.h kdb5.c kdb5.h kdb5int.h encrypt_key.so encrypt_key.po $(OUTPRE)encrypt_key.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
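Review bot: kg_make_confounder still takes a bare `unsigned char *buf` with no length, and the hunk now writes `confsize` bytes into it as decided by kg_confounder_size(), so the caller's buffer must be sized by that same function; nothing in the hunk states that contract. Add a comment above the K&R-style definition, which starts outside this hunk, along the lines of `/* buf must hold at least kg_confounder_size(context, key) bytes; returns KRB5_BAD_MSIZE when no confounder size is defined for the enctype */`. The int-to-unsigned conversion in `lrandom.length = confsize;` is safe only because of the preceding `confsize < 0` check, which deserves a short why-comment as well.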
@@ -172,7 +172,7 @@ $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - kdb5.h kdb_log.c + kdb5.h kdb5int.h kdb_log.c keytab.so keytab.po $(OUTPRE)keytab.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ Modified: trunk/src/lib/kdb/kdb5.c =================================================================== --- trunk/src/lib/kdb/kdb5.c 2008-12-29 13:16:03 UTC (rev 21626) +++ trunk/src/lib/kdb/kdb5.c 2008-12-29 13:37:20 UTC (rev 21627) @@ -38,6 +38,7 @@ #include "kdb5.h" #include #include "kdb_log.h" +#include "kdb5int.h" /* Currently DB2 policy related errors are exported from DAL. But other databases should set_err function to return string. */ @@ -1109,7 +1110,7 @@ upd->kdb_princ_name.utf8str_t_val = princ_name; upd->kdb_princ_name.utf8str_t_len = strlen(princ_name); - if (status = ulog_add_update(kcontext, upd)) + if ((status = ulog_add_update(kcontext, upd))) goto err_lock; upd++; } Added: trunk/src/lib/kdb/kdb5int.h =================================================================== --- trunk/src/lib/kdb/kdb5int.h 2008-12-29 13:16:03 UTC (rev 21626) +++ trunk/src/lib/kdb/kdb5int.h 2008-12-29 13:37:20 UTC (rev 21627) 
@@ -0,0 +1,44 @@ +/* + * lib/kdb5/kdb5int.h + * + * Copyright (C) 2008 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * Private header file for the kdb5 library for internal functions + */ + +#ifndef __KDB5INT_H__ +#define __KDB5INT_H__ + +#include "kdb5.h" + +krb5_error_code +krb5int_put_principal_no_log(krb5_context kcontext, + krb5_db_entry *entries, int *nentries); + +krb5_error_code +krb5int_delete_principal_no_log(krb5_context kcontext, + krb5_principal search_for, + int *nentries); + +#endif /* __KDB5INT_H__ */ Modified: trunk/src/lib/kdb/kdb_log.c =================================================================== --- trunk/src/lib/kdb/kdb_log.c 2008-12-29 13:16:03 UTC (rev 21626) +++ trunk/src/lib/kdb/kdb_log.c 2008-12-29 13:37:20 UTC (rev 21627) 
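Review bot: The include guard `__KDB5INT_H__` begins with a double underscore, a name reserved for the implementation in C; use a project-namespaced guard such as `KDB5INT_H` (the guard `__GSSRPCINT_H__` in lib/rpc/gssrpcint.h, added in rev 21632 below, has the same problem). Since this header exists to document the internal contract, the two prototypes would also benefit from a line each describing `int *nentries`, which appears to be an in/out count but is not explained here.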
@@ -16,6 +16,7 @@ #include #include "kdb5.h" #include "kdb_log.h" +#include "kdb5int.h" /* * This modules includes all the necessary functions that create and @@ -73,7 +74,7 @@ (pagesize-1)) & (~(pagesize-1)); size = end - start; - if (retval = msync((caddr_t)start, size, MS_SYNC)) { + if ((retval = msync((caddr_t)start, size, MS_SYNC))) { return (retval); } @@ -186,10 +187,10 @@ recsize = sizeof (kdb_ent_header_t) + upd_size; if (recsize > ulog->kdb_block) { - if (retval = ulog_resize(ulog, ulogentries, ulogfd, recsize)) { - /* Resize element array failed */ - return (retval); - } + if ((retval = ulog_resize(ulog, ulogentries, ulogfd, recsize))) { + /* Resize element array failed */ + return (retval); + } } cur_sno = ulog->kdb_last_sno; @@ -227,7 +228,7 @@ if (!xdr_kdb_incr_update_t(&xdrs, upd)) return (KRB5_LOG_CONV); - if (retval = ulog_sync_update(ulog, indx_log)) + if ((retval = ulog_sync_update(ulog, indx_log))) return (retval); if (ulog->kdb_num < ulogentries) @@ -280,7 +281,7 @@ ulog->kdb_state = KDB_STABLE; - if (retval = ulog_sync_update(ulog, indx_log)) + if ((retval = ulog_sync_update(ulog, indx_log))) return (retval); ulog_sync_header(ulog); @@ -370,8 +371,8 @@ (upd->kdb_princ_name.utf8str_t_len + 1)); dbprincstr[upd->kdb_princ_name.utf8str_t_len] = 0; - if (retval = krb5_parse_name(context, dbprincstr, - &dbprinc)) { + if ((retval = krb5_parse_name(context, dbprincstr, + &dbprinc))) { goto cleanup; } @@ -398,7 +399,7 @@ (void) memset(entry, 0, sizeof (krb5_db_entry)); - if (retval = ulog_conv_2dbentry(context, entry, upd, 1)) + if ((retval = ulog_conv_2dbentry(context, entry, upd, 1))) goto cleanup; retval = krb5int_put_principal_no_log(context, entry, @@ -441,7 +442,7 @@ { XDR xdrs; krb5_error_code retval = 0; - int i; + unsigned int i; kdb_ent_header_t *indx_log; kdb_incr_update_t *upd = NULL; kdb_incr_result_t *incr_ret = NULL; From lhoward at MIT.EDU Mon Dec 29 08:54:50 2008 
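Review bot: `if ((retval = msync((caddr_t)start, size, MS_SYNC))) { return (retval); }` hands msync's raw `-1` back to the caller rather than the failure reason; if retval is a krb5_error_code (its declaration is outside this hunk), callers receive -1 instead of errno and com_err reports an unknown code. Since the line is being touched anyway, return the errno value: `if (msync((caddr_t)start, size, MS_SYNC) < 0) return errno;`. The parenthesisation itself is fine.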
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 29 Dec 2008 08:54:50 -0500 (EST) Subject: svn rev #21628: branches/mskrb-integ/src/kdc/ Message-ID: <200812291354.IAA08617@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21628 Commit By: lhoward Log Message: don't return enc-pa-data if canon flag unset Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c Modified: branches/mskrb-integ/src/kdc/do_tgs_req.c =================================================================== --- branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-29 13:37:20 UTC (rev 21627) +++ branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-29 13:54:47 UTC (rev 21628) @@ -643,11 +643,13 @@ goto cleanup; } - errcode = return_svr_referral_data(kdc_context, - &server, &reply_encpart); - if (errcode) { - status = "KDC_RETURN_ENC_PADATA"; - goto cleanup; + if (isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE)) { + errcode = return_svr_referral_data(kdc_context, + &server, &reply_encpart); + if (errcode) { + status = "KDC_RETURN_ENC_PADATA"; + goto cleanup; + } } enc_tkt_reply.session = &session_key; From lhoward at MIT.EDU Mon Dec 29 09:40:53 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 29 Dec 2008 09:40:53 -0500 (EST) Subject: svn rev #21629: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200812291440.JAA09390@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21629 Commit By: lhoward Log Message: Don't omit ticket session key enctypes when negotiating enctypes. Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c Modified: branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c =================================================================== --- branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c 2008-12-29 13:54:47 UTC (rev 21628) +++ branches/mskrb-integ/src/lib/krb5/krb/rd_req_dec.c 2008-12-29 14:40:52 UTC (rev 21629) 
@@ -406,11 +406,8 @@ if ((*auth_context)->authentp->subkey != NULL) { desired_etypes[desired_etypes_len++] = (*auth_context)->authentp->subkey->enctype; } - if (rfc4537_etypes_len == 0) { - /* If EtypeList was present, omit the ticket session key enctypes */ - desired_etypes[desired_etypes_len++] = req->ticket->enc_part2->session->enctype; - desired_etypes[desired_etypes_len++] = req->ticket->enc_part.enctype; - } + desired_etypes[desired_etypes_len++] = req->ticket->enc_part2->session->enctype; + desired_etypes[desired_etypes_len++] = req->ticket->enc_part.enctype; desired_etypes[desired_etypes_len] = ENCTYPE_NULL; if (((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_PERMIT_ALL) == 0) { From lhoward at MIT.EDU Mon Dec 29 09:49:05 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 29 Dec 2008 09:49:05 -0500 (EST) Subject: svn rev #21630: branches/mskrb-integ/src/kdc/ Message-ID: <200812291449.JAA09543@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21630 Commit By: lhoward Log Message: cleanup Changed Files: U branches/mskrb-integ/src/kdc/do_tgs_req.c Modified: branches/mskrb-integ/src/kdc/do_tgs_req.c =================================================================== --- branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-29 14:40:52 UTC (rev 21629) +++ branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-29 14:49:04 UTC (rev 21630) @@ -121,7 +121,7 @@ krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */ unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */ char *s4u_name = NULL; - krb5_boolean is_referral; + krb5_boolean is_referral = FALSE; session_key.contents = NULL; 
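Review bot: The two ticket enctypes are now appended to `desired_etypes` unconditionally, so the array must have room for `rfc4537_etypes_len` entries plus the optional subkey, these two, and the `ENCTYPE_NULL` terminator; the allocation or fixed size is outside this hunk and may have been dimensioned on the old assumption that the pair was mutually exclusive with a present EtypeList. Worth confirming against the declaration and recording the arithmetic there, e.g. `/* EtypeList + subkey + session enctype + ticket enctype + terminator */`. The enclosing function begins outside this hunk.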
@@ -256,8 +256,11 @@ if (!is_local_principal(header_enc_tkt->client)) setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM); - is_referral = krb5_is_tgs_principal(server.princ) && - !krb5_principal_compare(kdc_context, tgs_server, server.princ); + if (krb5_is_tgs_principal(server.princ) && + !krb5_principal_compare(kdc_context, tgs_server, server.princ)) { + assert(!isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)); + is_referral = TRUE; + } /* Check for protocol transition */ errcode = kdc_process_s4u2self_req(kdc_context, request, header_enc_tkt->client, @@ -643,7 +646,7 @@ goto cleanup; } - if (isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE)) { + if (is_referral && isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE)) { errcode = return_svr_referral_data(kdc_context, &server, &reply_encpart); if (errcode) { From ghudson at MIT.EDU Mon Dec 29 12:12:57 2008 
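Review bot: The new `assert(!isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE));` tests a database-derived attribute of the requested service on the KDC request path; if a principal entry can be both a foreign TGS name and flagged as the password-change service, one request aborts the KDC in a debug build and is silently accepted in an NDEBUG build. If that combination is a configuration error, reject the request the way the other checks in this function do (set `status`, an error code, and `goto cleanup`) instead of asserting; if it is genuinely unreachable, a one-line comment saying why would spare the next reader the same question. I cannot tell from this hunk which of the two applies.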
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 29 Dec 2008 12:12:57 -0500 (EST) Subject: svn rev #21631: trunk/src/ include/ include/krb5/ lib/krb5/ lib/krb5/krb/ lib/krb5/os/ ... Message-ID: <200812291712.MAA11434@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21631 Commit By: ghudson Log Message: Revert r21589, and export krb5_get_fallback_host_realm instead. Rationale: Zephyr and AFS both use the Kerberos realm name as the name of the service realm (AFS realm or Zephyr galaxy). AFS can grab the Kerberos realm from the ticket being aklogged, but Zephyr is not necessarily getting credentials at all (you could be sending an unauthenticated message), and currently finds its answer by looking up the realm of the server host. Although we can't currently provide an accurate result for this lookup in the presence of referrals, we do need to provide enough tools to get as good of an answer as libzephyr could have gotten before referrals went in. Changed Files: U trunk/src/include/k5-int.h U trunk/src/include/krb5/krb5.hin U trunk/src/lib/krb5/krb/gc_frm_kdc.c U trunk/src/lib/krb5/libkrb5.exports U trunk/src/lib/krb5/os/hst_realm.c U trunk/src/util/collected-client-lib/libcollected.exports Modified: trunk/src/include/k5-int.h =================================================================== --- trunk/src/include/k5-int.h 2008-12-29 14:49:04 UTC (rev 21630) +++ trunk/src/include/k5-int.h 2008-12-29 17:12:54 UTC (rev 21631) @@ -538,10 +538,6 @@ struct addrlist *, enum locate_service_type svc, int sockettype, int family); -krb5_error_code -krb5int_get_fallback_host_realm (krb5_context, krb5_data *hdata, - char **realmp); - /* new encryption provider api */ struct krb5_enc_provider { Modified: trunk/src/include/krb5/krb5.hin =================================================================== --- trunk/src/include/krb5/krb5.hin 2008-12-29 14:49:04 UTC (rev 21630) +++ trunk/src/include/krb5/krb5.hin 2008-12-29 17:12:54 UTC (rev 21631) 
@@ -2099,6 +2099,10 @@ (krb5_context, const char *, char *** ); +krb5_error_code KRB5_CALLCONV krb5_get_fallback_host_realm + (krb5_context, + krb5_data *, + char *** ); krb5_error_code KRB5_CALLCONV krb5_free_host_realm (krb5_context, char * const * ); Modified: trunk/src/lib/krb5/krb/gc_frm_kdc.c =================================================================== --- trunk/src/lib/krb5/krb/gc_frm_kdc.c 2008-12-29 14:49:04 UTC (rev 21630) +++ trunk/src/lib/krb5/krb/gc_frm_kdc.c 2008-12-29 17:12:54 UTC (rev 21631) @@ -787,7 +787,7 @@ krb5_principal client, server, supplied_server, out_supplied_server; krb5_creds tgtq, cc_tgt, *tgtptr, *referral_tgts[KRB5_REFERRAL_MAXHOPS]; krb5_boolean old_use_conf_ktypes; - char *hrealm; + char **hrealms; unsigned int referral_count, i; /* @@ -1021,22 +1021,23 @@ */ if (krb5_is_referral_realm(&supplied_server->realm)) { if (server->length >= 2) { - retval=krb5int_get_fallback_host_realm(context, &server->data[1], - &hrealm); + retval=krb5_get_fallback_host_realm(context, &server->data[1], + &hrealms); if (retval) goto cleanup; #if 0 DPRINTF(("gc_from_kdc: using fallback realm of %s\n", - hrealm)); + hrealms[0])); #endif krb5_free_data_contents(context,&in_cred->server->realm); - server->realm.data=hrealm; - server->realm.length=strlen(hrealm); + server->realm.data=hrealms[0]; + server->realm.length=strlen(hrealms[0]); + free(hrealms); } else { /* * Problem case: Realm tagged for referral but apparently not * in a / format that - * krb5int_get_fallback_host_realm can deal with. + * krb5_get_fallback_host_realm can deal with. */ DPRINTF(("gc_from_kdc: referral specified " "but no fallback realm avaiable!\n")); Modified: trunk/src/lib/krb5/libkrb5.exports =================================================================== --- trunk/src/lib/krb5/libkrb5.exports 2008-12-29 14:49:04 UTC (rev 21630) +++ trunk/src/lib/krb5/libkrb5.exports 2008-12-29 17:12:54 UTC (rev 21631) 
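Review bot: After `server->realm.data=hrealms[0];` the hunk frees only the array with `free(hrealms);`, taking ownership of element 0; that matches the current implementation, which always returns a two-slot list, but the now-public `char ***` contract admits any number of entries, and any entry beyond [0] would leak here. Either record the assumption, `/* the fallback lookup yields one realm; steal hrealms[0] and free only the array */`, or duplicate hrealms[0] and release the whole list with `krb5_free_host_realm`. The enclosing function begins outside this hunk.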
@@ -262,6 +262,7 @@ krb5_get_default_in_tkt_ktypes krb5_get_default_realm krb5_get_error_message +krb5_get_fallback_host_realm krb5_get_host_realm krb5_get_in_tkt krb5_get_in_tkt_with_keytab Modified: trunk/src/lib/krb5/os/hst_realm.c =================================================================== --- trunk/src/lib/krb5/os/hst_realm.c 2008-12-29 14:49:04 UTC (rev 21630) +++ trunk/src/lib/krb5/os/hst_realm.c 2008-12-29 17:12:54 UTC (rev 21631) @@ -335,9 +335,9 @@ */ krb5_error_code KRB5_CALLCONV -krb5int_get_fallback_host_realm(krb5_context context, krb5_data *hdata, - char **realmp) +krb5_get_fallback_host_realm(krb5_context context, krb5_data *hdata, char ***realmsp) { + char **retrealms; char *realm, *cp; krb5_error_code retval; char local_host[MAXDNAME+1], host[MAXDNAME+1]; @@ -417,7 +417,16 @@ return retval; } - *realmp = realm; + if (!(retrealms = (char **)calloc(2, sizeof(*retrealms)))) { + if (realm != (char *)NULL) + free(realm); + return ENOMEM; + } + + retrealms[0] = realm; + retrealms[1] = 0; + + *realmsp = retrealms; return 0; } Modified: trunk/src/util/collected-client-lib/libcollected.exports =================================================================== --- trunk/src/util/collected-client-lib/libcollected.exports 2008-12-29 14:49:04 UTC (rev 21630) +++ trunk/src/util/collected-client-lib/libcollected.exports 2008-12-29 17:12:54 UTC (rev 21631) @@ -177,6 +177,7 @@ krb5_read_password krb5_aname_to_localname krb5_get_host_realm +krb5_get_fallback_host_realm krb5_free_host_realm krb5_auth_con_genaddrs krb5_set_real_time From epeisach at MIT.EDU Mon Dec 29 12:39:30 2008 
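Review bot: The guard `if (realm != (char *)NULL) free(realm);` implies realm may be NULL on this path, yet a NULL `retrealms[0]` is then returned as a one-element list with status 0, and the caller in gc_frm_kdc.c above does `strlen(hrealms[0])` unguarded. If realm can be NULL here, return an error instead of a NULL-headed list; if it cannot, the guard is dead, since free(NULL) is a no-op anyway. The calloc cast is also unnecessary in C: `retrealms = calloc(2, sizeof(*retrealms)); if (retrealms == NULL) { free(realm); return ENOMEM; }`.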
From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Mon, 29 Dec 2008 12:39:30 -0500 (EST) Subject: svn rev #21632: trunk/src/lib/rpc/ Message-ID: <200812291739.MAA11870@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21632 Commit By: epeisach Log Message: Add gssrpcint.h to contain prototype for gssrpcint_printf. Include gcc printf attribute if supported. Include header file and fix up some of the debugging printf arguments. Changed Files: U trunk/src/lib/rpc/Makefile.in U trunk/src/lib/rpc/auth_gssapi.c U trunk/src/lib/rpc/auth_gssapi_misc.c A trunk/src/lib/rpc/gssrpcint.h U trunk/src/lib/rpc/svc_auth_gssapi.c Modified: trunk/src/lib/rpc/Makefile.in =================================================================== --- trunk/src/lib/rpc/Makefile.in 2008-12-29 17:12:54 UTC (rev 21631) +++ trunk/src/lib/rpc/Makefile.in 2008-12-29 17:39:29 UTC (rev 21632) @@ -282,7 +282,7 @@ $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \ $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \ $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \ - $(SRCTOP)/include/krb5.h auth_gssapi.c + $(SRCTOP)/include/krb5.h auth_gssapi.c gssrpcint.h auth_gssapi_misc.so auth_gssapi_misc.po $(OUTPRE)auth_gssapi_misc.$(OBJEXT): \ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \ @@ -290,7 +290,7 @@ $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \ $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \ $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \ - $(SRCTOP)/include/gssrpc/xdr.h auth_gssapi_misc.c + $(SRCTOP)/include/gssrpc/xdr.h auth_gssapi_misc.c gssrpcint.h bindresvport.so bindresvport.po $(OUTPRE)bindresvport.$(OBJEXT): \ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \ 
@@ -495,7 +495,7 @@ $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \ $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \ $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/krb5.h \ - svc_auth_gssapi.c + gssrpcint.h svc_auth_gssapi.c svc_raw.so svc_raw.po $(OUTPRE)svc_raw.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/gssrpc/auth.h \ $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \ Modified: trunk/src/lib/rpc/auth_gssapi.c =================================================================== --- trunk/src/lib/rpc/auth_gssapi.c 2008-12-29 17:12:54 UTC (rev 21631) +++ trunk/src/lib/rpc/auth_gssapi.c 2008-12-29 17:39:29 UTC (rev 21632) @@ -16,6 +16,8 @@ #include #include +#include "gssrpcint.h" + #ifdef __CODECENTER__ #define DEBUG_GSSAPI 1 #endif Modified: trunk/src/lib/rpc/auth_gssapi_misc.c =================================================================== --- trunk/src/lib/rpc/auth_gssapi_misc.c 2008-12-29 17:12:54 UTC (rev 21631) +++ trunk/src/lib/rpc/auth_gssapi_misc.c 2008-12-29 17:39:29 UTC (rev 21632) @@ -9,6 +9,8 @@ #include #include +#include "gssrpcint.h" + #ifdef __CODECENTER__ #define DEBUG_GSSAPI 1 #endif @@ -181,7 +183,7 @@ putc ('\n', stderr); if (misc_debug_gssapi) gssrpcint_printf("GSS-API authentication error %s: %*s\n", - m, msg.length, msg.value); + m, msg.length, (char *) msg.value); (void) gss_release_buffer(&minor_stat, &msg); if (!msg_ctx) Added: trunk/src/lib/rpc/gssrpcint.h =================================================================== --- trunk/src/lib/rpc/gssrpcint.h 2008-12-29 17:12:54 UTC (rev 21631) +++ trunk/src/lib/rpc/gssrpcint.h 2008-12-29 17:39:29 UTC (rev 21632) 
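Review bot: `%*s` in `gssrpcint_printf("GSS-API authentication error %s: %*s\n", m, msg.length, (char *) msg.value)` treats msg.length as a minimum field width, not as the number of bytes to print, so the read stops only at a NUL that a gss_buffer_t is not required to contain; in addition the `*` argument must be an `int`, and msg.length is a size_t, which is mismatched through varargs. Use a precision and cast the length: `"GSS-API authentication error %s: %.*s\n", m, (int) msg.length, (char *) msg.value`. With the printf attribute now declared in gssrpcint.h the compiler should flag the width-type mismatch once the header is included here.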
@@ -0,0 +1,39 @@ +/* + * lib/rpc/gssrpcint.h + * + * Copyright (C) 2008 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * <<< Description >>> + */ + +#ifndef __GSSRPCINT_H__ +#define __GSSRPCINT_H__ + +extern void gssrpcint_printf(const char *format, ...) +#if !defined(__cplusplus) && (__GNUC__ > 2) + __attribute__((__format__(__printf__, 1, 2))) +#endif + ; + +#endif /* __GSSRPCINT_H__ */ Modified: trunk/src/lib/rpc/svc_auth_gssapi.c =================================================================== --- trunk/src/lib/rpc/svc_auth_gssapi.c 2008-12-29 17:12:54 UTC (rev 21631) +++ trunk/src/lib/rpc/svc_auth_gssapi.c 2008-12-29 17:39:29 UTC (rev 21632) @@ -24,6 +24,8 @@ #include #endif +#include "gssrpcint.h" + #ifdef GSSAPI_KRB5 /* This is here for the krb5_error_code typedef and the KRB5KRB_AP_WRONG_PRINC #define.*/ 
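Review bot: The file header of the new gssrpcint.h still carries the `<<< Description >>>` template placeholder. Replace it with a one-line purpose such as `Private declarations shared by the gssrpc sources: prototype for the gssrpcint_printf debugging helper`, and consider noting next to the prototype that the printf attribute is only applied for GCC newer than 2.x, as the `#if` condition shows.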
@@ -403,7 +405,7 @@ break; PRINTF(("accept_sec_context returned 0x%x 0x%x wrong-princ=%#x\n", - call_res.gss_major, call_res.gss_minor, KRB5KRB_AP_WRONG_PRINC)); + call_res.gss_major, call_res.gss_minor, (int) KRB5KRB_AP_WRONG_PRINC)); if (call_res.gss_major == GSS_S_COMPLETE || call_res.gss_major == GSS_S_CONTINUE_NEEDED) { /* server_creds was right, set it! */ @@ -950,7 +952,7 @@ in_buf.value = names[i].name; in_buf.length = strlen(in_buf.value) + 1; - PRINTF(("svcauth_gssapi_set_names: importing %s\n", in_buf.value)); + PRINTF(("svcauth_gssapi_set_names: importing %s\n", names[i].name)); gssstat = gss_import_name(&minor_stat, &in_buf, names[i].type, &server_name_list[i]); From lhoward at MIT.EDU Mon Dec 29 17:33:28 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Mon, 29 Dec 2008 17:33:28 -0500 (EST) Subject: svn rev #21633: branches/aes-ccm/src/lib/crypto/ dk/ enc_provider/ Message-ID: <200812292233.RAA16432@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21633 Commit By: lhoward Log Message: Support init_state for CCM Changed Files: U branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c U branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c Modified: branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c =================================================================== --- branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c 2008-12-29 17:39:29 UTC (rev 21632) +++ branches/aes-ccm/src/lib/crypto/dk/dk_ccm.c 2008-12-29 22:33:27 UTC (rev 21633) 
@@ -300,9 +300,19 @@ header->data.length = header_len; - ret = krb5_c_random_make_octets(/* XXX */ NULL, &header->data); - if (ret != 0) - goto cleanup; + if (ivec != NULL) { + if (ivec->length != 16 || + ivec->data[0] & ~(CCM_FLAG_MASK_Q) || + 15 - (unsigned)ivec->data[0] != header_len) { + ret = KRB5_BAD_MSIZE; + goto cleanup; + } + memcpy(header->data.data, &ivec->data[1], header_len); + } else { + ret = krb5_c_random_make_octets(/* XXX */ NULL, &header->data); + if (ret != 0) + goto cleanup; + } sign_data = (krb5_crypto_iov *)calloc(num_data + 1, sizeof(krb5_crypto_iov)); if (sign_data == NULL) { Modified: branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c =================================================================== --- branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c 2008-12-29 17:39:29 UTC (rev 21632) +++ branches/aes-ccm/src/lib/crypto/enc_provider/aes_ctr.c 2008-12-29 22:33:27 UTC (rev 21633) @@ -261,11 +261,36 @@ krb5int_aes_init_state_ctr (const krb5_keyblock *key, krb5_keyusage usage, krb5_data *state) { - state->length = BLOCK_SIZE; - state->data = calloc(1, state->length); + krb5_data nonce; + unsigned int n, q; + krb5_error_code code; + + code = krb5_c_crypto_length(NULL, key->enctype, KRB5_CRYPTO_TYPE_HEADER, &n); + if (code != 0) + return code; + + assert(n >= 7 && n <= 13); + + state->length = 16; + state->data = malloc(state->length); if (state->data == NULL) return ENOMEM; - state->data[0] = CCM_DEFAULT_COUNTER_LEN - 1; + + q = 15 - n; + state->data[0] = q - 1; + + nonce.data = &state->data[1]; + nonce.length = n; + + code = krb5_c_random_make_octets(NULL, &nonce); + if (code != 0) { + free(state->data); + state->data = NULL; + return code; + } + + memset(&state->data[1 + n], 0, q); + return 0; } From epeisach at MIT.EDU Mon Dec 29 17:41:28 2008 
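Review bot: The length test `15 - (unsigned)ivec->data[0] != header_len` looks off by one relative to the state layout written in the aes_ctr.c hunk of this same commit, where data[0] holds q - 1 and the nonce length is n = 15 - q; solving gives n = 14 - data[0], so a state produced by krb5int_aes_init_state_ctr would be rejected here if header_len is the nonce length. If that reading is right the comparison should be `14 - (unsigned)ivec->data[0] != header_len`. The definition of header_len is outside the hunk, so please confirm against it; the enclosing function also starts and ends outside the hunk.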
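Review bot: `assert(n >= 7 && n <= 13)` is the only thing keeping `q = 15 - n` from wrapping when the header length reported by krb5_c_crypto_length exceeds 15, and it disappears under NDEBUG, after which `memset(&state->data[1 + n], 0, q)` writes past the 16-byte state. A check that fails closed at runtime, `if (n < 7 || n > 13) return KRB5_BAD_MSIZE;`, belongs before the allocation (KRB5_BAD_MSIZE is the code the dk_ccm.c hunk uses for the same class of error; another code may fit better). A comment on the `q = 15 - n;` line, `/* CCM: nonce length n + counter length q == 15; q-1 goes in the flags byte */`, would make the layout explicit.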
From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Mon, 29 Dec 2008 17:41:28 -0500 (EST) Subject: svn rev #21634: trunk/src/kadmin/dbutil/ Message-ID: <200812292241.RAA16640@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21634 Commit By: epeisach Log Message: Fix up warning of suggested parens in assignment in conditional. Changed Files: U trunk/src/kadmin/dbutil/kdb5_create.c Modified: trunk/src/kadmin/dbutil/kdb5_create.c ===================================================================
--- trunk/src/kadmin/dbutil/kdb5_create.c 2008-12-29 22:33:27 UTC (rev 21633)
+++ trunk/src/kadmin/dbutil/kdb5_create.c 2008-12-29 22:41:27 UTC (rev 21634)
@@ -281,9 +281,9 @@
 /* } */
 if (log_ctx && log_ctx->iproprole) {
- if (retval = ulog_map(util_context, global_params.iprop_logfile,
- global_params.iprop_ulogsize, FKCOMMAND,
- db5util_db_args)) {
+ if ((retval = ulog_map(util_context, global_params.iprop_logfile,
+ global_params.iprop_ulogsize, FKCOMMAND,
+ db5util_db_args))) {
 com_err(argv[0], retval, _("while creating update log"));
 exit_status++;
From epeisach at MIT.EDU Mon Dec 29 18:01:16 2008 From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Mon, 29 Dec 2008 18:01:16 -0500 (EST) Subject: svn rev #21635: trunk/src/lib/kadm5/ Message-ID: <200812292301.SAA16996@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21635 Commit By: epeisach Log Message: Signed/unsigned fixes and remove unused variable Changed Files: U trunk/src/lib/kadm5/alt_prof.c U trunk/src/lib/kadm5/logger.c Modified: trunk/src/lib/kadm5/alt_prof.c ===================================================================
--- trunk/src/lib/kadm5/alt_prof.c 2008-12-29 22:41:27 UTC (rev 21634)
+++ trunk/src/lib/kadm5/alt_prof.c 2008-12-29 23:01:15 UTC (rev 21635) 
@@ -142,7 +142,7 @@ { static const char *const yes[] = { "y", "yes", "true", "t", "1", "on" }; static const char *const no[] = { "n", "no", "false", "f", "nil", "0", "off" }; - int i; + unsigned int i; for (i = 0; i < sizeof(yes)/sizeof(yes[0]); i++) if (!strcasecmp(string, yes[i])) { @@ -250,7 +250,7 @@ { krb5_error_code kret; char **values; - int i, lastidx; + int lastidx; if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) { for (lastidx=0; values[lastidx]; lastidx++); Modified: trunk/src/lib/kadm5/logger.c =================================================================== --- trunk/src/lib/kadm5/logger.c 2008-12-29 22:41:27 UTC (rev 21634) +++ trunk/src/lib/kadm5/logger.c 2008-12-29 23:01:15 UTC (rev 21635) @@ -569,7 +569,7 @@ { "LOCAL7", LOG_LOCAL7 }, #endif /* LOG_LOCAL7 */ }; - int j; + unsigned int j; for (j = 0; j < sizeof(facilities)/sizeof(facilities[0]); j++) if (!strcasecmp(cp2, facilities[j].name)) { From raeburn at MIT.EDU Tue Dec 30 00:42:06 2008 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Tue, 30 Dec 2008 00:42:06 -0500 (EST) Subject: svn rev #21636: trunk/src/slave/ Message-ID: <200812300542.AAA22323@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21636 Commit By: raeburn Log Message: If full resync fails, go into backoff mode. Changed Files: U trunk/src/slave/kpropd.c Modified: trunk/src/slave/kpropd.c =================================================================== --- trunk/src/slave/kpropd.c 2008-12-29 23:01:15 UTC (rev 21635) +++ trunk/src/slave/kpropd.c 2008-12-30 05:42:04 UTC (rev 21636) @@ -826,6 +826,7 @@ syslog(LOG_WARNING, _("kpropd: Full resync, invalid return.")); frdone = 0; + backoff_cnt++; } else frdone = 1; break; From raeburn at MIT.EDU Tue Dec 30 00:45:07 2008 
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Tue, 30 Dec 2008 00:45:07 -0500 (EST) Subject: svn rev #21637: trunk/src/slave/ Message-ID: <200812300545.AAA22446@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21637 Commit By: raeburn Log Message: Change kpropd_com_err_proc to prototype style, add format attribute. Changed Files: U trunk/src/slave/kpropd.c Modified: trunk/src/slave/kpropd.c =================================================================== --- trunk/src/slave/kpropd.c 2008-12-30 05:42:04 UTC (rev 21636) +++ trunk/src/slave/kpropd.c 2008-12-30 05:45:06 UTC (rev 21637) @@ -987,11 +987,20 @@ } static void -kpropd_com_err_proc(whoami, code, fmt, args) - const char *whoami; - long code; - const char *fmt; - va_list args; +kpropd_com_err_proc(const char *whoami, + long code, + const char *fmt, + va_list args) +#if !defined(__cplusplus) && (__GNUC__ > 2) + __attribute__((__format__(__printf__, 3, 0))) +#endif + ; + +static void +kpropd_com_err_proc(const char *whoami, + long code, + const char *fmt, + va_list args) { char error_buf[8096]; From lhoward at MIT.EDU Tue Dec 30 07:28:37 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 30 Dec 2008 07:28:37 -0500 (EST) Subject: svn rev #21638: branches/mskrb-integ/src/kdc/ Message-ID: <200812301228.HAA29272@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21638 Commit By: lhoward Log Message: Previously, we tested explicitly for KRB5_KDB_PWCHANGE_SERVICE when disabling AS-REP canonicalization, because in Windows kadmin/changepw is an alias for the TGS. This was to avoid a client asking for a changepw service ticket getting a TGT by setting the canonicalize flag, something particularly problematic for a user who is only allowed to reset an expired password. The correct fix, however, is to disable AS-REP server name canonicalization for any alias of the TGS (unless the user is requesting a TGT, in which case we enable it, because that allows us to deal with realm aliases for Windows interop). Changed Files: U branches/mskrb-integ/src/kdc/do_as_req.c U branches/mskrb-integ/src/kdc/do_tgs_req.c Modified: branches/mskrb-integ/src/kdc/do_as_req.c =================================================================== --- branches/mskrb-integ/src/kdc/do_as_req.c 2008-12-30 05:45:06 UTC (rev 21637) +++ branches/mskrb-integ/src/kdc/do_as_req.c 2008-12-30 12:28:36 UTC (rev 21638) 
@@ -281,16 +281,20 @@ } /* - * Turn off canonicalization for changepw service; if it is an - * alias for the TGS, then a client with an expired key could - * still be issued a ticket granting ticket. + * Turn off canonicalization for services that are aliases of + * the TGS, such as (in Windows) the changepw service. */ - if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE) && - !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) { + if (isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE) && + krb5_is_tgs_principal(server.princ) && + !krb5_is_tgs_principal(request->server)) { + clear(s_flags, KRB5_KDB_FLAG_CANONICALIZE); + } + + if (isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE)) { server_princ = *(server.princ); } else { server_princ = *(request->server); - /* The realm is always canonicalized */ + /* The realm is always canonicalized in Windows */ server_princ.realm = *(krb5_princ_realm(context, server.princ)); } ticket_reply.server = &server_princ; Modified: branches/mskrb-integ/src/kdc/do_tgs_req.c =================================================================== --- branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-30 05:45:06 UTC (rev 21637) +++ branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-30 12:28:36 UTC (rev 21638) @@ -121,7 +121,7 @@ krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */ unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */ char *s4u_name = NULL; - krb5_boolean is_referral = FALSE; + krb5_boolean is_referral; session_key.contents = NULL; 
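Review bot: The rewritten comment above the canonicalization test drops the threat the old one named: a client whose key has expired, allowed only to reach an alias of the TGS, could otherwise be issued a real ticket-granting ticket. That rationale is why the check exists and should survive, e.g. `* Turn off canonicalization for services that are aliases of the TGS (such as the Windows changepw service); otherwise a client with an expired key could be issued a real TGT.` The `!krb5_is_tgs_principal(request->server)` clause keeps canonicalization when the client itself names a TGS principal, which matches the commit message's realm-alias intent but is worth stating in the comment as well; where s_flags acquires KRB5_KDB_FLAG_CANONICALIZE from the request is outside the hunk.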
@@ -256,11 +256,8 @@ if (!is_local_principal(header_enc_tkt->client)) setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM); - if (krb5_is_tgs_principal(server.princ) && - !krb5_principal_compare(kdc_context, tgs_server, server.princ)) { - assert(!isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)); - is_referral = TRUE; - } + is_referral = krb5_is_tgs_principal(server.princ) && + !krb5_principal_compare(kdc_context, tgs_server, server.princ); /* Check for protocol transition */ errcode = kdc_process_s4u2self_req(kdc_context, request, header_enc_tkt->client, From epeisach at MIT.EDU Tue Dec 30 09:04:51 2008 From: epeisach at MIT.EDU (epeisach@MIT.EDU) Date: Tue, 30 Dec 2008 09:04:51 -0500 (EST) Subject: svn rev #21639: trunk/src/lib/rpc/ Message-ID: <200812301404.JAA00479@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21639 Commit By: epeisach Log Message: Signed/unsigned fixes Changed Files: U trunk/src/lib/rpc/clnt_perror.c U trunk/src/lib/rpc/clnt_simple.c Modified: trunk/src/lib/rpc/clnt_perror.c =================================================================== --- trunk/src/lib/rpc/clnt_perror.c 2008-12-30 12:28:36 UTC (rev 21638) +++ trunk/src/lib/rpc/clnt_perror.c 2008-12-30 14:04:51 UTC (rev 21639) @@ -233,7 +233,7 @@ char * clnt_sperrno(enum clnt_stat stat) { - int i; + unsigned int i; for (i = 0; i < sizeof(rpc_errlist)/sizeof(struct rpc_errtab); i++) { if (rpc_errlist[i].status == stat) { @@ -339,7 +339,7 @@ static char * auth_errmsg(enum auth_stat stat) { - int i; + unsigned int i; for (i = 0; i < sizeof(auth_errlist)/sizeof(struct auth_errtab); i++) { if (auth_errlist[i].status == stat) { Modified: trunk/src/lib/rpc/clnt_simple.c =================================================================== --- trunk/src/lib/rpc/clnt_simple.c 2008-12-30 12:28:36 UTC (rev 21638) +++ trunk/src/lib/rpc/clnt_simple.c 2008-12-30 14:04:51 UTC (rev 21639) 
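Review bot: `is_referral` is now assigned only here, while the earlier hunk in this file (`@@ -121,7 +121,7 @@`) removed its `= FALSE` initializer; any error path between the declaration and this point that reads is_referral would now see an indeterminate value. If no such read exists, a note on the declaration, `/* assigned once the server entry is looked up, below */`, documents the assumption; otherwise keep the initializer. The removed assert on KRB5_KDB_PWCHANGE_SERVICE leaves the alias case to the AS-path change in do_as_req.c, which is consistent with the commit message. The enclosing function starts and ends outside the hunk.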
@@ -51,7 +51,9 @@
 static struct callrpc_private {
 CLIENT *client;
 SOCKET socket;
- int oldprognum, oldversnum, valid;
+ rpcprog_t oldprognum;
+ rpcvers_t oldversnum;
+ int valid;
 char *oldhost;
 } *callrpc_private;
From lhoward at MIT.EDU Tue Dec 30 20:13:45 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 30 Dec 2008 20:13:45 -0500 (EST) Subject: svn rev #21640: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812310113.UAA08882@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21640 Commit By: lhoward Log Message: Correctly distinguish between initiator and acceptor subkey checksum lengths, in case they may be different (if a stronger CFX enctype was negotiated by RFC 4537) Fix kg_translate_iov_v3() to handle EC correctly when a trailer is present CFX header validation was broken: we were comparing the plaintext copy to itself rather than the copy in the trailer. Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3.c U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c U branches/mskrb-integ/src/lib/gssapi/krb5/wrap_size_limit.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c ===================================================================
--- branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c 2008-12-30 14:04:51 UTC (rev 21639)
+++ branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c 2008-12-31 01:13:42 UTC (rev 21640) 
@@ -419,7 +419,7 @@ if (ctx->have_acceptor_subkey) enctype = ctx->acceptor_subkey->enctype; else - enctype = ctx->enc->enctype; + enctype = ctx->subkey->enctype; code = krb5_c_crypto_length(context, enctype, conf_req_flag ? Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3.c 2008-12-30 14:04:51 UTC (rev 21639) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3.c 2008-12-31 01:13:42 UTC (rev 21640) @@ -84,7 +84,6 @@ krb5_keyblock *key; krb5_cksumtype cksumtype; - assert(toktype != KG_TOK_SEAL_MSG || ctx->enc != 0); assert(ctx->big_endian == 0); acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR; @@ -99,9 +98,10 @@ key = ctx->acceptor_subkey; cksumtype = ctx->acceptor_subkey_cksumtype; } else { - key = ctx->enc; + key = ctx->subkey; cksumtype = ctx->cksumtype; } + assert(key != NULL); #ifdef CFX_EXERCISE { @@ -184,6 +184,7 @@ #endif } else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) { krb5_data plain; + size_t cksumsize; /* Here, message is the application-supplied data; message2 is what goes into the output token. They may be the same, or @@ -197,10 +198,13 @@ if (plain.data == NULL) return ENOMEM; - if (ctx->cksum_size > 0xffff) - abort(); + err = krb5_c_checksum_length(context, cksumtype, &cksumsize); + if (err) + goto error; - bufsize = 16 + message2->length + ctx->cksum_size; + assert(cksumsize <= 0xffff); + + bufsize = 16 + message2->length + cksumsize; outbuf = malloc(bufsize); if (outbuf == NULL) { free(plain.data); @@ -239,7 +243,7 @@ memcpy(outbuf + 16, message2->value, message2->length); sum.contents = outbuf + 16 + message2->length; - sum.length = ctx->cksum_size; + sum.length = cksumsize; err = krb5_c_make_checksum(context, cksumtype, key, key_usage, &plain, &sum); 
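Review bot: In the `@@ -197,10 +198,13 @@` hunk of k5sealv3.c, the new `if (err) goto error;` after krb5_c_checksum_length runs with plain.data already allocated, and the malloc-failure path a few lines below frees plain.data explicitly before its own `goto error`, which suggests the error label does not release it; the new path therefore leaks plain.data. Use `if (err) { free(plain.data); goto error; }`, or move the checksum-length query above the plain.data allocation. Replacing the former `abort()` with `assert(cksumsize <= 0xffff)` also drops the check in NDEBUG builds while the EC field is still written with store_16_be, so a runtime check that fails the call would be safer; the error label itself is outside the hunk.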
@@ -250,9 +254,9 @@ zap(outbuf,bufsize); goto error; } - if (sum.length != ctx->cksum_size) + if (sum.length != cksumsize) abort(); - memcpy(outbuf + 16 + message2->length, sum.contents, ctx->cksum_size); + memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize); krb5_free_checksum_contents(context, &sum); sum.contents = 0; /* Now that we know we're actually generating the token... */ @@ -267,7 +271,7 @@ store_16_be(rrc, outbuf+6); #endif /* Fix up EC field. */ - store_16_be(ctx->cksum_size, outbuf+4); + store_16_be(cksumsize, outbuf+4); } else { store_16_be(0xffff, outbuf+6); } @@ -316,7 +320,6 @@ krb5_keyblock *key; krb5_cksumtype cksumtype; - assert(toktype != KG_TOK_SEAL_MSG || ctx->enc != 0); assert(ctx->big_endian == 0); assert(ctx->proto == 1); @@ -366,9 +369,10 @@ key = ctx->acceptor_subkey; cksumtype = ctx->acceptor_subkey_cksumtype; } else { - key = ctx->enc; + key = ctx->subkey; cksumtype = ctx->cksumtype; } + assert(key != NULL); if (toktype == KG_TOK_WRAP_MSG) { if (load_16_be(ptr) != KG2_TOK_WRAP_MSG) @@ -425,6 +429,12 @@ message_buffer->value = NULL; } } else { + size_t cksumsize; + + err = krb5_c_checksum_length(context, cksumtype, &cksumsize); + if (err) + goto error; + /* no confidentiality */ if (conf_state) *conf_state = 0; @@ -443,7 +453,7 @@ if (!gss_krb5int_rotate_left(ptr, bodysize-ec, 16)) goto no_mem; sum.length = ec; - if (sum.length != ctx->cksum_size) { + if (sum.length != cksumsize) { *minor_status = 0; return GSS_S_BAD_SIG; } Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c 2008-12-30 14:04:51 UTC (rev 21639) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c 2008-12-31 01:13:42 UTC (rev 21640) 
@@ -57,8 +57,8 @@ krb5_cksumtype cksumtype; size_t data_length, assoc_data_length; - assert(toktype != KG_TOK_WRAP_MSG || ctx->enc != NULL); assert(ctx->big_endian == 0); + assert(ctx->proto == 1); acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR; key_usage = (toktype == KG_TOK_WRAP_MSG @@ -72,9 +72,11 @@ key = ctx->acceptor_subkey; cksumtype = ctx->acceptor_subkey_cksumtype; } else { - key = ctx->enc; + key = ctx->subkey; cksumtype = ctx->cksumtype; } + assert(key != NULL); + assert(cksumtype != 0); kg_iov_msglen(iov, iov_count, &data_length, &assoc_data_length); @@ -179,15 +181,18 @@ ctx->seq_send++; } else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) { - assert(ctx->cksum_size <= 0xFFFF); - tok_id = KG2_TOK_WRAP_MSG; wrap_with_checksum: gss_headerlen = 16; - gss_trailerlen = ctx->cksum_size; + code = krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_CHECKSUM, &gss_trailerlen); + if (code != 0) + goto cleanup; + + assert(gss_trailerlen <= 0xFFFF); + if (trailer == NULL) { rrc = gss_trailerlen; gss_headerlen += gss_trailerlen; @@ -243,7 +248,7 @@ if (toktype == KG_TOK_WRAP_MSG) { /* Fix up EC field */ - store_16_be(ctx->cksum_size, outbuf + 4); + store_16_be(gss_trailerlen, outbuf + 4); /* Fix up RRC field */ store_16_be(rrc, outbuf + 6); } @@ -290,8 +295,8 @@ gssint_uint64 seqnum; krb5_boolean valid; krb5_cksumtype cksumtype; + int conf_flag = 0; - assert(toktype != KG_TOK_WRAP_MSG || ctx->enc != 0); assert(ctx->big_endian == 0); assert(ctx->proto == 1); 
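Review bot: The bound on the trailer length moved from `assert(ctx->cksum_size <= 0xFFFF)` to `assert(gss_trailerlen <= 0xFFFF)` on a value now obtained at runtime from krb5_c_crypto_length, and it still vanishes under NDEBUG while the EC field is written with store_16_be; an explicit runtime check that fails the call is preferable. Please also confirm the type of gss_trailerlen against krb5_c_crypto_length's output parameter: the other callers in this commit pass `unsigned int` locals (`n` in aes_ctr.c, `k5_trailerlen` in the unwrap hunk below) and util_crypt.c declares gss_trailerlen as `size_t`, and passing a `size_t *` there would only partially fill the variable on 64-bit targets. The declaration is outside the hunk, as is the rest of the enclosing function.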
@@ -334,28 +339,44 @@ key = ctx->acceptor_subkey; cksumtype = ctx->acceptor_subkey_cksumtype; } else { - key = ctx->enc; + key = ctx->subkey; cksumtype = ctx->cksumtype; } + assert(key != NULL); + if (toktype == KG_TOK_WRAP_MSG) { + unsigned int k5_trailerlen; + if (load_16_be(ptr) != KG2_TOK_WRAP_MSG) goto defective; + conf_flag = ((ptr[2] & FLAG_WRAP_CONFIDENTIAL) != 0); if (ptr[3] != 0xFF) goto defective; ec = load_16_be(ptr + 4); rrc = load_16_be(ptr + 6); seqnum = load_64_be(ptr + 8); + code = krb5_c_crypto_length(context, key->enctype, + conf_flag ? KRB5_CRYPTO_TYPE_TRAILER : + KRB5_CRYPTO_TYPE_CHECKSUM, + &k5_trailerlen); + if (code != 0) { + *minor_status = code; + return GSS_S_FAILURE; + } + /* Deal with RRC */ if (trailer == NULL) { - size_t desired_rrc; + size_t desired_rrc = k5_trailerlen; - if (ptr[2] & FLAG_WRAP_CONFIDENTIAL) - desired_rrc = 16 /* E(Header) */ + ctx->cksum_size; - else - desired_rrc = ctx->cksum_size; + if (conf_flag) { + desired_rrc += 16; /* E(Header) */ + if ((ctx->gss_flags & GSS_C_DCE_STYLE) == 0) + desired_rrc += ec; + } + /* According to MS, we only need to deal with a fixed RRC for DCE */ if (rrc != desired_rrc) goto defective; @@ -364,7 +385,7 @@ goto defective; } - if (ptr[2] & FLAG_WRAP_CONFIDENTIAL) { + if (conf_flag) { unsigned char *althdr; /* Decrypt */ @@ -378,7 +399,10 @@ } /* Validate header integrity */ - althdr = (unsigned char *)header->buffer.value; + if (trailer == NULL) + althdr = (unsigned char *)header->buffer.value + 16 + ec; + else + althdr = (unsigned char *)trailer->buffer.value + ec; if (load_16_be(althdr) != KG2_TOK_WRAP_MSG || althdr[2] != ptr[2] @@ -391,7 +415,7 @@ /* caller should have fixed up padding */ } else { /* Verify checksum: note EC is checksum size here, not padding */ - if (ec != ctx->cksum_size) + if (ec != k5_trailerlen) goto defective; /* Zero EC, RRC before computing checksum */ 
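Review bot: Both new `althdr` computations in the `@@ -378,7 +399,10 @@` hunk offset by `ec`, a 16-bit value taken from the token at `ec = load_16_be(ptr + 4)`; the only check on it visible in this function is `rrc != desired_rrc`, which ties rrc to ec but does not by itself bound `16 + ec` against header->buffer.length or `ec` against trailer->buffer.length before `load_16_be(althdr)` dereferences it. If that bounding happens in kg_translate_iov_v3 (its size check in util_crypt.c is outside this hunk), a comment here should say so, e.g. `/* ec and rrc were validated against the buffer lengths by kg_translate_iov_v3 */`; otherwise an explicit length check belongs before the dereference. The enclosing function starts and ends outside the hunk.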
@@ -436,7 +460,7 @@ *minor_status = 0; if (conf_state != NULL) - *conf_state = ((ptr[2] & FLAG_WRAP_CONFIDENTIAL) != 0); + *conf_state = conf_flag; return code; Modified: branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-30 14:04:51 UTC (rev 21639) +++ branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-31 01:13:42 UTC (rev 21640) @@ -128,11 +128,6 @@ cksumtype); if (code != 0) return code; - - code = krb5_c_checksum_length(context, *cksumtype, &ctx->cksum_size); - if (code != 0) - return code; - break; } return 0; @@ -417,7 +412,6 @@ unsigned int k5_headerlen = 0, k5_trailerlen = 0; size_t gss_headerlen, gss_trailerlen; krb5_error_code code; - size_t actual_rrc; *pkiov = NULL; *pkiov_count = 0; @@ -436,15 +430,17 @@ if (code != 0) return code; - /* Determine the actual RRC after compensating for Windows bug */ - actual_rrc = dce_style ? ec + rrc : rrc; - /* Check header and trailer sizes */ gss_headerlen = 16 /* GSS-Header */ + k5_headerlen; /* Kerb-Header */ gss_trailerlen = ec + 16 /* E(GSS-Header) */ + k5_trailerlen; /* Kerb-Trailer */ /* If we're caller without a trailer, we must rotate by trailer length */ if (trailer == NULL) { + size_t actual_rrc = rrc; + + if (dce_style) + actual_rrc += ec; /* compensate for Windows bug */ + if (actual_rrc != gss_trailerlen) return KRB5_BAD_MSIZE; 
@@ -464,15 +460,11 @@ return ENOMEM; /* - * For CFX, place the krb5 header after the GSS header, offset - * by the real rotation count which, owing to a bug in Windows, - * is actually EC + RRC for DCE_STYLE. + * The krb5 header is located at the end of the GSS header. */ kiov[i].flags = KRB5_CRYPTO_TYPE_HEADER; kiov[i].data.length = k5_headerlen; - kiov[i].data.data = (char *)header->buffer.value + 16; - if (trailer == NULL) - kiov[i].data.data += actual_rrc; + kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - k5_headerlen; i++; for (j = 0; j < iov_count; j++) { 
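Review bot: `header->buffer.value + header->buffer.length - k5_headerlen` points before the start of the header buffer whenever header->buffer.length is smaller than k5_headerlen, and the next hunk has the same dependence when it lays the trailer entries out at `ec + 16` past the E(Header) position with ec taken from the token. The earlier hunk in this function shows a size check only for the trailer == NULL case, so if the header-length and trailer-length checks live in the cut lines, a comment on this assignment, `/* header->buffer.length was checked against gss_headerlen above */`, would tie them together; if they do not, both placements need an explicit length check first. The enclosing function (presumably kg_translate_iov_v3, per the commit message) starts and ends outside the hunk.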
@@ -482,26 +474,26 @@ i++; } + /* + * The EC and encrypted GSS header are placed in the trailer, which may + * be rotated directly after the plaintext header if no trailer buffer + * is provided. + */ kiov[i].flags = KRB5_CRYPTO_TYPE_DATA; - if (trailer == NULL) { - kiov[i].data.length = (actual_rrc - rrc) + 16; /* EC for DCE | E(Header) */ + kiov[i].data.length = ec + 16; /* E(Header) */ + if (trailer == NULL) kiov[i].data.data = (char *)header->buffer.value + 16; - } else { - kiov[i].data.length = 16; /* E(Header) */ + else kiov[i].data.data = (char *)trailer->buffer.value; - } i++; /* - * For CFX, place the krb5 trailer in the GSS trailer or, if - * rotating, after the encrypted copy of the krb5 header. + * The krb5 trailer is placed after the encrypted copy of the + * krb5 header (which may be in the GSS header or trailer). */ kiov[i].flags = KRB5_CRYPTO_TYPE_TRAILER; kiov[i].data.length = k5_trailerlen; - if (trailer == NULL) - kiov[i].data.data = (char *)header->buffer.value + 16 + actual_rrc - k5_trailerlen; - else - kiov[i].data.data = (char *)trailer->buffer.value + 16; /* E(Header) */ + kiov[i].data.data = kiov[i - 1].data.data + ec + 16; /* E(Header) */ i++; *pkiov = kiov; Modified: branches/mskrb-integ/src/lib/gssapi/krb5/wrap_size_limit.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/wrap_size_limit.c 2008-12-30 14:04:51 UTC (rev 21639) +++ branches/mskrb-integ/src/lib/gssapi/krb5/wrap_size_limit.c 2008-12-31 01:13:42 UTC (rev 21640) 
@@ -111,9 +111,15 @@ /* No pseudo-ASN.1 wrapper overhead, so no sequence length and OID. */ OM_uint32 sz = req_output_size; + /* Token header: 16 octets. */ if (conf_req_flag) { - while (sz > 0 && krb5_encrypt_size(sz, ctx->enc->enctype) + 16 > req_output_size) + krb5_enctype enctype; + + enctype = ctx->have_acceptor_subkey ? ctx->acceptor_subkey->enctype + : ctx->subkey->enctype; + + while (sz > 0 && krb5_encrypt_size(sz, enctype) + 16 > req_output_size) sz--; /* Allow for encrypted copy of header. */ if (sz > 16) @@ -129,11 +135,24 @@ sz = 0; #endif } else { + krb5_cksumtype cksumtype; + krb5_error_code err; + size_t cksumsize; + + cksumtype = ctx->have_acceptor_subkey ? ctx->acceptor_subkey_cksumtype + : ctx->cksumtype; + + err = krb5_c_checksum_length(ctx->k5_context, cksumtype, &cksumsize); + if (err) { + *minor_status = err; + return GSS_S_FAILURE; + } + /* Allow for token header and checksum. */ - if (sz < 16 + ctx->cksum_size) + if (sz < 16 + cksumsize) sz = 0; else - sz -= (16 + ctx->cksum_size); + sz -= (16 + cksumsize); } *max_input_size = sz; From lhoward at MIT.EDU Tue Dec 30 20:19:45 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Tue, 30 Dec 2008 20:19:45 -0500 (EST) Subject: svn rev #21641: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200812310119.UAA09019@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21641 Commit By: lhoward Log Message: skip over KRB5_CRYPTO_TYPE_EMPTY buffers when translating IOV Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-31 01:13:42 UTC (rev 21640) +++ branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-31 01:19:44 UTC (rev 21641) 
@@ -376,6 +376,9 @@ for (j = 0; j < iov_count; j++) { kiov[i].flags = kg_translate_flag_iov(iov[j].type); + if (kiov[i].flags == KRB5_CRYPTO_TYPE_EMPTY) + continue; + kiov[i].data.length = iov[j].buffer.length; kiov[i].data.data = (char *)iov[j].buffer.value; i++; @@ -469,6 +472,9 @@ for (j = 0; j < iov_count; j++) { kiov[i].flags = kg_translate_flag_iov(iov[j].type); + if (kiov[i].flags == KRB5_CRYPTO_TYPE_EMPTY) + continue; + kiov[i].data.length = iov[j].buffer.length; kiov[i].data.data = (char *)iov[j].buffer.value; i++; From raeburn at MIT.EDU Tue Dec 30 20:58:50 2008 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Tue, 30 Dec 2008 20:58:50 -0500 (EST) Subject: svn rev #21642: trunk/src/lib/crypto/keyhash_provider/ Message-ID: <200812310158.UAA09605@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21642 Commit By: raeburn Log Message: I don't know what it was that someone else didn't know, but it doesn't belong in the copyright header. Changed Files: U trunk/src/lib/crypto/keyhash_provider/hmac_md5.c Modified: trunk/src/lib/crypto/keyhash_provider/hmac_md5.c =================================================================== --- trunk/src/lib/crypto/keyhash_provider/hmac_md5.c 2008-12-31 01:19:44 UTC (rev 21641) +++ trunk/src/lib/crypto/keyhash_provider/hmac_md5.c 2008-12-31 01:58:49 UTC (rev 21642) @@ -1,9 +1,7 @@ /* * lib/crypto/keyhash_provider/hmac_md5.c * -(I don't know) -. - * Copyright2001 by the Massachusetts Institute of Technology. + * Copyright 2001 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -26,8 +24,8 @@ * or implied warranty. * * -* Implementation of the Microsoft hmac-md5 checksum type. -* Implemented based on draft-brezak-win2k-krb-rc4-hmac-03 + * Implementation of the Microsoft hmac-md5 checksum type. + * Implemented based on draft-brezak-win2k-krb-rc4-hmac-03 */ #include "k5-int.h" From lhoward at MIT.EDU Wed Dec 31 00:01:46 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 31 Dec 2008 00:01:46 -0500 (EST) Subject: svn rev #21643: branches/mskrb-integ/src/lib/crypto/keyhash_provider/ Message-ID: <200812310501.AAA11824@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21643 Commit By: lhoward Log Message: Cleanup Changed Files: U branches/mskrb-integ/src/lib/crypto/keyhash_provider/md5_hmac.c Modified: branches/mskrb-integ/src/lib/crypto/keyhash_provider/md5_hmac.c =================================================================== --- branches/mskrb-integ/src/lib/crypto/keyhash_provider/md5_hmac.c 2008-12-31 01:58:49 UTC (rev 21642) +++ branches/mskrb-integ/src/lib/crypto/keyhash_provider/md5_hmac.c 2008-12-31 05:01:45 UTC (rev 21643) @@ -1,8 +1,6 @@ /* * lib/crypto/keyhash_provider/md5_hmac.c * -(I don't know) -. * Copyright2001 by the Massachusetts Institute of Technology. * All Rights Reserved. * @@ -25,9 +23,7 @@ * this software for any purpose. It is provided "as is" without express * or implied warranty. * - * -* Implementation of the Microsoft hmac-md5 checksum type. -* Implemented based on draft-brezak-win2k-krb-rc4-hmac-03 + * Implementation of Microsoft KERB_CHECKSUM_MD5_HMAC */ #include "k5-int.h" From tlyu at MIT.EDU Wed Dec 31 12:25:26 2008 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 31 Dec 2008 12:25:26 -0500 (EST) Subject: svn rev #21644: trunk/src/appl/simple/client/ Message-ID: <200812311725.MAA22796@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21644 Commit By: tlyu Log Message: Set auth_context's rcache to NULL after destroying and before calling krb5_auth_con_free, to avoid crashing when krb5_rc_close tries to run using a destroyed rcache handle. Changed Files: U trunk/src/appl/simple/client/sim_client.c Modified: trunk/src/appl/simple/client/sim_client.c ===================================================================
--- trunk/src/appl/simple/client/sim_client.c 2008-12-31 05:01:45 UTC (rev 21643)
+++ trunk/src/appl/simple/client/sim_client.c 2008-12-31 17:25:25 UTC (rev 21644)
@@ -330,7 +330,7 @@
 com_err(progname, retval, "while deleting replay cache");
 exit(1);
 }
-
+ krb5_auth_con_setrcache(context, auth_context, NULL);
 krb5_auth_con_free(context, auth_context);
 krb5_free_context(context);
From lhoward at MIT.EDU Wed Dec 31 19:29:50 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 31 Dec 2008 19:29:50 -0500 (EST) Subject: svn rev #21645: branches/mskrb-integ/src/lib/krb5/krb/ Message-ID: <200901010029.TAA28176@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21645 Commit By: lhoward Log Message: Use tgs_ktypes rather than permitted_enctypes for client-side EtypeList Don't send EtypeList unless most preferred enctype is different to ticket session key enctype Changed Files: U branches/mskrb-integ/src/lib/krb5/krb/mk_req_ext.c Modified: branches/mskrb-integ/src/lib/krb5/krb/mk_req_ext.c ===================================================================
--- branches/mskrb-integ/src/lib/krb5/krb/mk_req_ext.c 2008-12-31 17:25:25 UTC (rev 21644)
+++ branches/mskrb-integ/src/lib/krb5/krb/mk_req_ext.c 2009-01-01 00:29:47 UTC (rev 21645) 
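Review bot: The new krb5_auth_con_setrcache call discards its krb5_error_code, and nothing in the source says why the rcache is detached right before krb5_auth_con_free; the reason lives only in the commit message. A comment carries it into the code: `/* The rcache was destroyed above; detach it so krb5_auth_con_free does not close a dead handle. */`. Checking the return value through com_err the way the neighbouring calls do would be consistent, though how the call can fail for a NULL rcache is not visible here; the enclosing function starts and ends outside the hunk.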
@@ -66,7 +66,7 @@ static krb5_error_code make_etype_list(krb5_context context, - krb5_enctype *permitted_etypes, + krb5_enctype *desired_etypes, krb5_enctype tkt_enctype, krb5_authdata ***authdata); @@ -75,7 +75,7 @@ krb5_authenticator *, krb5_principal, krb5_checksum *, krb5_keyblock *, krb5_ui_4, krb5_authdata **, - krb5_enctype *permitted_etypes, + krb5_enctype *desired_etypes, krb5_enctype tkt_enctype); krb5_error_code @@ -126,7 +126,7 @@ krb5_checksum checksum; krb5_checksum *checksump = 0; krb5_auth_context new_auth_context; - krb5_enctype *permitted_etypes = NULL; + krb5_enctype *desired_etypes = NULL; krb5_ap_req request; krb5_data *scratch = 0; @@ -223,11 +223,11 @@ if (ap_req_options & AP_OPTS_ETYPE_NEGOTIATION) { if ((*auth_context)->permitted_etypes == NULL) { - retval = krb5_get_permitted_enctypes(context, &permitted_etypes); + retval = krb5_get_tgs_ktypes(context, in_creds->server, &desired_etypes); if (retval) goto cleanup_cksum; } else - permitted_etypes = (*auth_context)->permitted_etypes; + desired_etypes = (*auth_context)->permitted_etypes; } if ((retval = krb5_generate_authenticator(context, @@ -236,7 +236,7 @@ (*auth_context)->send_subkey, (*auth_context)->local_seq_number, in_creds->authdata, - permitted_etypes, + desired_etypes, in_creds->keyblock.enctype))) goto cleanup_cksum; @@ -268,9 +268,9 @@ free(checksump->contents); cleanup: - if (permitted_etypes && - permitted_etypes != (*auth_context)->permitted_etypes) - krb5_xfree(permitted_etypes); + if (desired_etypes && + desired_etypes != (*auth_context)->permitted_etypes) + krb5_xfree(desired_etypes); if (request.ticket) krb5_free_ticket(context, request.ticket); if (request.authenticator.ciphertext.data) { @@ -291,7 +291,7 @@ krb5_principal client, krb5_checksum *cksum, krb5_keyblock *key, krb5_ui_4 seq_number, krb5_authdata **authorization, - krb5_enctype *permitted_etypes, + krb5_enctype *desired_etypes, krb5_enctype tkt_enctype) { krb5_error_code retval; 
@@ -313,8 +313,9 @@ if (retval) return retval; } - if (permitted_etypes != NULL) { - retval = make_etype_list(context, permitted_etypes, tkt_enctype, + /* Only send EtypeList if we prefer another enctype to tkt_enctype */ + if (desired_etypes != NULL && desired_etypes[0] != tkt_enctype) { + retval = make_etype_list(context, desired_etypes, tkt_enctype, &authent->authorization_data); if (retval) return retval; @@ -326,7 +327,7 @@ /* RFC 4537 */ static krb5_error_code make_etype_list(krb5_context context, - krb5_enctype *permitted_etypes, + krb5_enctype *desired_etypes, krb5_enctype tkt_enctype, krb5_authdata ***authdata) { @@ -337,7 +338,7 @@ krb5_authdata *etype_adata[2], etype_adatum, **adata; int i; - etypes.etypes = permitted_etypes; + etypes.etypes = desired_etypes; for (etypes.length = 0; etypes.etypes[etypes.length] != ENCTYPE_NULL; From lhoward at MIT.EDU Wed Dec 31 19:39:14 2008 
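Review bot: The new condition `desired_etypes[0] != tkt_enctype` does not exclude an empty list: make_etype_list's loop in the last hunk walks the list until ENCTYPE_NULL, so a list whose first entry is already the terminator compares unequal to any real tkt_enctype and an EtypeList with zero entries would be emitted. Guard the terminator too, `if (desired_etypes != NULL && desired_etypes[0] != ENCTYPE_NULL && desired_etypes[0] != tkt_enctype) {`. Whether krb5_get_tgs_ktypes can return such a list is not visible here, so the extra comparison is cheap insurance rather than a proven bug. The enclosing function, krb5_generate_authenticator, starts outside the hunk.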
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 31 Dec 2008 19:39:14 -0500 (EST) Subject: svn rev #21646: branches/mskrb-integ/src/lib/gssapi/ krb5/ mechglue/ spnego/ Message-ID: <200901010039.TAA28363@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21646 Commit By: lhoward Log Message: Wrap gss_seal/gss_unseal (V1) on gss_wrap/gss_unrwap (V2), rather than the other way around. Mechanisms should export V2 interfaces. Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c U branches/mskrb-integ/src/lib/gssapi/krb5/seal.c U branches/mskrb-integ/src/lib/gssapi/krb5/unseal.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c U branches/mskrb-integ/src/lib/gssapi/mechglue/g_unseal.c U branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h U branches/mskrb-integ/src/lib/gssapi/spnego/gssapiP_spnego.h U branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-01-01 00:29:47 UTC (rev 21645) +++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-01-01 00:39:10 UTC (rev 21646) 
@@ -547,25 +547,6 @@ int* /* qop_state */ ); -OM_uint32 krb5_gss_seal -(OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - int, /* qop_req */ - gss_buffer_t, /* input_message_buffer */ - int*, /* conf_state */ - gss_buffer_t /* output_message_buffer */ -); - -OM_uint32 krb5_gss_unseal -(OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* input_message_buffer */ - gss_buffer_t, /* output_message_buffer */ - int*, /* conf_state */ - int* /* qop_state */ -); - OM_uint32 krb5_gss_display_status (OM_uint32*, /* minor_status */ OM_uint32, /* status_value */ Modified: branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2009-01-01 00:29:47 UTC (rev 21645) +++ branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2009-01-01 00:39:10 UTC (rev 21646) @@ -386,8 +386,8 @@ NULL, NULL, #else - krb5_gss_seal, - krb5_gss_unseal, + krb5_gss_wrap, + krb5_gss_unwrap, #endif krb5_gss_display_status, krb5_gss_indicate_mechs, Modified: branches/mskrb-integ/src/lib/gssapi/krb5/seal.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/seal.c 2009-01-01 00:29:47 UTC (rev 21645) +++ branches/mskrb-integ/src/lib/gssapi/krb5/seal.c 2009-01-01 00:39:10 UTC (rev 21646) 
@@ -27,23 +27,6 @@ * $Id$ */ -OM_uint32 -krb5_gss_seal(minor_status, context_handle, conf_req_flag, - qop_req, input_message_buffer, conf_state, - output_message_buffer) - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - int conf_req_flag; - int qop_req; - gss_buffer_t input_message_buffer; - int *conf_state; - gss_buffer_t output_message_buffer; -{ - return(kg_seal(minor_status, context_handle, conf_req_flag, - qop_req, input_message_buffer, conf_state, - output_message_buffer, KG_TOK_SEAL_MSG)); -} - /* V2 interface */ OM_uint32 krb5_gss_wrap(minor_status, context_handle, conf_req_flag, Modified: branches/mskrb-integ/src/lib/gssapi/krb5/unseal.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/unseal.c 2009-01-01 00:29:47 UTC (rev 21645) +++ branches/mskrb-integ/src/lib/gssapi/krb5/unseal.c 2009-01-01 00:39:10 UTC (rev 21646) @@ -27,22 +27,6 @@ * $Id$ */ -OM_uint32 -krb5_gss_unseal(minor_status, context_handle, - input_message_buffer, output_message_buffer, - conf_state, qop_state) - OM_uint32 *minor_status; - gss_ctx_id_t context_handle; - gss_buffer_t input_message_buffer; - gss_buffer_t output_message_buffer; - int *conf_state; - int *qop_state; -{ - return(kg_unseal(minor_status, context_handle, - input_message_buffer, output_message_buffer, - conf_state, qop_state, KG_TOK_SEAL_MSG)); -} - /* V2 interface */ OM_uint32 krb5_gss_unwrap(minor_status, context_handle, Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c 2009-01-01 00:29:47 UTC (rev 21645) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_initialize.c 2009-01-01 00:39:10 UTC (rev 21646) 
@@ -731,8 +731,8 @@ GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_context_time); GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_sign); GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_verify); - GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_seal); - GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_unseal); + GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_wrap); + GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_unwrap); GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_display_status); GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_indicate_mechs); GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_compare_name); Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c 2009-01-01 00:29:47 UTC (rev 21645) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c 2009-01-01 00:39:10 UTC (rev 21646) @@ -23,17 +23,17 @@ */ /* - * glue routine for gss_seal + * glue routine for gss_wrap */ #include "mglueP.h" static OM_uint32 -val_seal_args( +val_wrap_args( OM_uint32 *minor_status, gss_ctx_id_t context_handle, int conf_req_flag, - int qop_req, + gss_qop_t qop_req, gss_buffer_t input_message_buffer, int *conf_state, gss_buffer_t output_message_buffer) @@ -67,7 +67,7 @@ } OM_uint32 KRB5_CALLCONV -gss_seal (minor_status, +gss_wrap (minor_status, context_handle, conf_req_flag, qop_req, @@ -78,7 +78,7 @@ OM_uint32 * minor_status; gss_ctx_id_t context_handle; int conf_req_flag; -int qop_req; +gss_qop_t qop_req; gss_buffer_t input_message_buffer; int * conf_state; gss_buffer_t output_message_buffer; @@ -89,7 +89,7 @@ gss_union_ctx_id_t ctx; gss_mechanism mech; - status = val_seal_args(minor_status, context_handle, + status = val_wrap_args(minor_status, context_handle, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer); 
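Review bot: Replacing the gss_seal/gss_unseal lookups with gss_wrap/gss_unwrap means — if GSS_ADD_DYNAMIC_METHOD resolves by symbol name, as its arguments suggest — that a plug-in mechanism exporting only the V1 names now ends up with NULL wrap/unwrap slots, and the `if (mech->gss_wrap)` test in the g_seal.c hunk skips it instead of falling back. That matches the log message's stated policy, but it is a loader-visible behaviour change and deserves a comment at the two changed lines, e.g. `/* Only the V2 wrap/unwrap entry points are resolved; V1 gss_seal/gss_unseal exports are ignored. */`. The enclosing function starts and ends outside the hunk.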
@@ -105,8 +105,8 @@ mech = gssint_get_mechanism (ctx->mech_type); if (mech) { - if (mech->gss_seal) { - status = mech->gss_seal( + if (mech->gss_wrap) { + status = mech->gss_wrap( minor_status, ctx->internal_ctx_id, conf_req_flag, @@ -138,7 +138,7 @@ } OM_uint32 KRB5_CALLCONV -gss_wrap (minor_status, +gss_seal (minor_status, context_handle, conf_req_flag, qop_req, @@ -149,15 +149,15 @@ OM_uint32 * minor_status; gss_ctx_id_t context_handle; int conf_req_flag; -gss_qop_t qop_req; +int qop_req; gss_buffer_t input_message_buffer; int * conf_state; gss_buffer_t output_message_buffer; { - return gss_seal(minor_status, (gss_ctx_id_t)context_handle, - conf_req_flag, (int) qop_req, - (gss_buffer_t)input_message_buffer, conf_state, + return gss_wrap(minor_status, context_handle, + conf_req_flag, (gss_qop_t) qop_req, + input_message_buffer, conf_state, output_message_buffer); } Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/g_unseal.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/g_unseal.c 2009-01-01 00:29:47 UTC (rev 21645) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/g_unseal.c 2009-01-01 00:39:10 UTC (rev 21646) @@ -23,13 +23,13 @@ */ /* - * glue routine gss_unseal + * glue routine gss_unwrap */ #include "mglueP.h" OM_uint32 KRB5_CALLCONV -gss_unseal (minor_status, +gss_unwrap (minor_status, context_handle, input_message_buffer, output_message_buffer, @@ -41,7 +41,7 @@ gss_buffer_t input_message_buffer; gss_buffer_t output_message_buffer; int * conf_state; -int * qop_state; +gss_qop_t * qop_state; { /* EXPORT DELETE START */ @@ -79,8 +79,8 @@ mech = gssint_get_mechanism (ctx->mech_type); if (mech) { - if (mech->gss_unseal) { - status = mech->gss_unseal(minor_status, + if (mech->gss_unwrap) { + status = mech->gss_unwrap(minor_status, ctx->internal_ctx_id, input_message_buffer, output_message_buffer, 
@@ -109,7 +109,7 @@ } OM_uint32 KRB5_CALLCONV -gss_unwrap (minor_status, +gss_unseal (minor_status, context_handle, input_message_buffer, output_message_buffer, @@ -121,10 +121,10 @@ gss_buffer_t input_message_buffer; gss_buffer_t output_message_buffer; int * conf_state; -gss_qop_t * qop_state; +int * qop_state; { - return (gss_unseal(minor_status, (gss_ctx_id_t)context_handle, - (gss_buffer_t)input_message_buffer, - output_message_buffer, conf_state, (int *) qop_state)); + return (gss_unwrap(minor_status, context_handle, + input_message_buffer, + output_message_buffer, conf_state, (gss_qop_t *) qop_state)); } Modified: branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h 2009-01-01 00:29:47 UTC (rev 21645) +++ branches/mskrb-integ/src/lib/gssapi/mechglue/mglueP.h 2009-01-01 00:39:10 UTC (rev 21646) @@ -200,24 +200,24 @@ gss_buffer_t, /* token_buffer */ int* /* qop_state */ ); - OM_uint32 (*gss_seal) + OM_uint32 (*gss_wrap) ( OM_uint32*, /* minor_status */ gss_ctx_id_t, /* context_handle */ int, /* conf_req_flag */ - int, /* qop_req */ + gss_qop_t, /* qop_req */ gss_buffer_t, /* input_message_buffer */ int*, /* conf_state */ gss_buffer_t /* output_message_buffer */ ); - OM_uint32 (*gss_unseal) + OM_uint32 (*gss_unwrap) ( OM_uint32*, /* minor_status */ gss_ctx_id_t, /* context_handle */ gss_buffer_t, /* input_message_buffer */ gss_buffer_t, /* output_message_buffer */ int*, /* conf_state */ - int* /* qop_state */ + gss_qop_t* /* qop_state */ ); OM_uint32 (*gss_display_status) ( Modified: branches/mskrb-integ/src/lib/gssapi/spnego/gssapiP_spnego.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/spnego/gssapiP_spnego.h 2009-01-01 00:29:47 UTC (rev 21645) +++ branches/mskrb-integ/src/lib/gssapi/spnego/gssapiP_spnego.h 2009-01-01 00:39:10 UTC (rev 21646) 
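Review bot: `(gss_qop_t *) qop_state` in the new gss_unseal body hands an `int *` to gss_unwrap as a `gss_qop_t *`, which is only sound while the two types share size and representation; the old code made the mirror-image assumption with `(int *) qop_state`, so the commit reverses the direction of the cast but keeps the dependency. Writing through a local `gss_qop_t` and copying it back removes the pointer pun and lets a NULL qop_state be honoured explicitly. The value cast `(gss_qop_t) qop_req` in g_seal.c's new gss_seal has no aliasing issue, only the usual negative-int-to-unsigned conversion.
```c
/* … unchanged: gss_unseal signature and K&R parameter declarations … */
{
    gss_qop_t qop = 0;
    OM_uint32 status;

    status = gss_unwrap(minor_status, context_handle,
                        input_message_buffer,
                        output_message_buffer, conf_state, &qop);
    if (qop_state != NULL)
        *qop_state = (int) qop;
    return status;
}
```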
@@ -225,22 +225,22 @@ gss_OID_set * /* name_types */ ); -OM_uint32 spnego_gss_unseal +OM_uint32 spnego_gss_unwrap ( OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer, int *conf_state, - int *qop_state + gss_qop_t *qop_state ); -OM_uint32 spnego_gss_seal +OM_uint32 spnego_gss_wrap ( OM_uint32 *minor_status, gss_ctx_id_t context_handle, int conf_req_flag, - int qop_req, + gss_qop_t qop_req, gss_buffer_t input_message_buffer, int *conf_state, gss_buffer_t output_message_buffer Modified: branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c 2009-01-01 00:29:47 UTC (rev 21645) +++ branches/mskrb-integ/src/lib/gssapi/spnego/spnego_mech.c 2009-01-01 00:39:10 UTC (rev 21646) @@ -223,8 +223,8 @@ spnego_gss_context_time, /* gss_context_time */ spnego_gss_sign, /* gss_sign */ spnego_gss_verify, /* gss_verify */ - spnego_gss_seal, /* gss_seal */ - spnego_gss_unseal, /* gss_unseal */ + spnego_gss_wrap, /* gss_wrap */ + spnego_gss_unwrap, /* gss_unwrap */ spnego_gss_display_status, NULL, /* gss_indicate_mechs */ spnego_gss_compare_name, @@ -1863,16 +1863,16 @@ } OM_uint32 -spnego_gss_unseal( +spnego_gss_unwrap( OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer, int *conf_state, - int *qop_state) + gss_qop_t *qop_state) { OM_uint32 ret; - ret = gss_unseal(minor_status, + ret = gss_unwrap(minor_status, context_handle, input_message_buffer, output_message_buffer, 
@@ -1883,17 +1883,17 @@ } OM_uint32 -spnego_gss_seal( +spnego_gss_wrap( OM_uint32 *minor_status, gss_ctx_id_t context_handle, int conf_req_flag, - int qop_req, + gss_qop_t qop_req, gss_buffer_t input_message_buffer, int *conf_state, gss_buffer_t output_message_buffer) { OM_uint32 ret; - ret = gss_seal(minor_status, + ret = gss_wrap(minor_status, context_handle, conf_req_flag, qop_req, From lhoward at MIT.EDU Wed Dec 31 20:23:24 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 31 Dec 2008 20:23:24 -0500 (EST) Subject: svn rev #21647: branches/mskrb-integ/src/kadmin/server/ Message-ID: <200901010123.UAA28923@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21647 Commit By: lhoward Log Message: Don't add a socket to sstate.rfds until add_XXX_fd() has returned successfully, as otherwise it will contain a dangling FD reference Changed Files: U branches/mskrb-integ/src/kadmin/server/network.c Modified: branches/mskrb-integ/src/kadmin/server/network.c =================================================================== --- branches/mskrb-integ/src/kadmin/server/network.c 2009-01-01 00:39:10 UTC (rev 21646) +++ branches/mskrb-integ/src/kadmin/server/network.c 2009-01-01 01:23:23 UTC (rev 21647) @@ -436,14 +436,16 @@ conn->u.rpc.transp = svctcp_create(sock, 0, 0); if (conn->u.rpc.transp == NULL) { - krb5_klog_syslog(LOG_ERR, "Cannot create RPC service, continuing."); + krb5_klog_syslog(LOG_ERR, "Cannot create RPC service: %s; continuing", + strerror(errno)); delete_fd(conn); return NULL; } if (!svc_register(conn->u.rpc.transp, svc->prognum, svc->versnum, svc->dispatch, IPPROTO_TCP)) { - krb5_klog_syslog(LOG_ERR, "Cannot register RPC service, continuing."); + krb5_klog_syslog(LOG_ERR, "Cannot register RPC service: %s; continuing", + strerror(errno)); delete_fd(conn); return NULL; } 
@@ -629,26 +631,28 @@ /* Sockets are created, prepare to listen on them. */ if (s4 >= 0) { - FD_SET(s4, &sstate.rfds); - if (s4 >= sstate.max) - sstate.max = s4 + 1; - if (add_tcp_listener_fd(data, s4) == 0) + if (add_tcp_listener_fd(data, s4) == NULL) close(s4); - else + else { + FD_SET(s4, &sstate.rfds); + if (s4 >= sstate.max) + sstate.max = s4 + 1; krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s", s4, paddr((struct sockaddr *)&sin4)); + } } #ifdef KRB5_USE_INET6 if (s6 >= 0) { - FD_SET(s6, &sstate.rfds); - if (s6 >= sstate.max) - sstate.max = s6 + 1; - if (add_tcp_listener_fd(data, s6) == 0) { + if (add_tcp_listener_fd(data, s6) == NULL) { close(s6); s6 = -1; - } else + } else { + FD_SET(s6, &sstate.rfds); + if (s6 >= sstate.max) + sstate.max = s6 + 1; krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s", s6, paddr((struct sockaddr *)&sin6)); + } if (s4 < 0) krb5_klog_syslog(LOG_INFO, "assuming IPv6 socket accepts IPv4"); @@ -680,14 +684,15 @@ if (s4 < 0) return -1; else { - FD_SET(s4, &sstate.rfds); - if (s4 >= sstate.max) - sstate.max = s4 + 1; - if (add_rpc_listener_fd(data, &svc, s4) == 0) + if (add_rpc_listener_fd(data, &svc, s4) == NULL) close(s4); - else + else { + FD_SET(s4, &sstate.rfds); + if (s4 >= sstate.max) + sstate.max = s4 + 1; krb5_klog_syslog(LOG_INFO, "listening on fd %d: rpc %s", s4, paddr((struct sockaddr *)&sin4)); + } } } FD_ZERO(&rpc_listenfds); @@ -804,9 +809,6 @@ return 1; } } - FD_SET (sock, &sstate.rfds); - if (sock >= sstate.max) - sstate.max = sock + 1; krb5_klog_syslog (LOG_INFO, "listening on fd %d: udp %s%s", sock, paddr((struct sockaddr *)addr), pktinfo ? " (pktinfo)" : ""); @@ -814,6 +816,9 @@ close(sock); return 1; } + FD_SET (sock, &sstate.rfds); + if (sock >= sstate.max) + sstate.max = sock + 1; } return 0; } From lhoward at MIT.EDU Wed Dec 31 20:44:26 2008 
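Review bot: In the IPv4 TCP branch the failure path still only does `close(s4);` and leaves s4 non-negative, whereas the IPv6 branch restructured the same way resets `s6 = -1`; the later `if (s4 < 0)` test in this hunk (the "assuming IPv6 socket accepts IPv4" message) then treats a closed descriptor as live. Mirror the IPv6 branch: `if (add_tcp_listener_fd(data, s4) == NULL) { close(s4); s4 = -1; }`. The RPC section's `close(s4);` in the following hunk has the same shape; whether s4 is consulted again after that point is outside the hunk. The enclosing function starts and ends outside these hunks.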
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 31 Dec 2008 20:44:26 -0500 (EST) Subject: svn rev #21648: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200901010144.UAA29235@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21648 Commit By: lhoward Log Message: Restore old gss_krb5_ccache_name() implementation, it does not need to be indirected through gssspi_mech_invoke() Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c U branches/mskrb-integ/src/lib/gssapi/krb5/set_ccache.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-01-01 01:23:23 UTC (rev 21647) +++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-01-01 01:44:25 UTC (rev 21648) @@ -823,20 +823,6 @@ const gss_OID desired_oid, const gss_buffer_t value); -#define GSS_KRB5_CCACHE_NAME_OID_LENGTH 11 -#define GSS_KRB5_CCACHE_NAME_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0a" - -struct krb5_gss_ccache_name_req { - const char *name; - const char *out_name; -}; - -OM_uint32 KRB5_CALLCONV gss_krb5int_ccache_name - (OM_uint32 *minor_status, - const gss_OID, - const gss_OID, - const gss_buffer_t); - #define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID_LENGTH 11 #define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x08" Modified: branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2009-01-01 01:23:23 UTC (rev 21647) +++ branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2009-01-01 01:44:25 UTC (rev 21648) 
@@ -319,10 +319,6 @@ gss_krb5int_register_acceptor_identity }, { - {GSS_KRB5_CCACHE_NAME_OID_LENGTH, GSS_KRB5_CCACHE_NAME_OID}, - gss_krb5int_ccache_name - }, - { {GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID}, gss_krb5int_free_lucid_sec_context }, @@ -694,40 +690,6 @@ } OM_uint32 KRB5_CALLCONV -gss_krb5_ccache_name( - OM_uint32 *minor_status, - const char *name, - const char **out_name) -{ - static const gss_OID_desc const req_oid = { - GSS_KRB5_CCACHE_NAME_OID_LENGTH, - GSS_KRB5_CCACHE_NAME_OID }; - OM_uint32 major_status; - struct krb5_gss_ccache_name_req req; - gss_buffer_desc req_buffer; - - if (out_name == NULL) - return GSS_S_CALL_INACCESSIBLE_WRITE; - - *out_name = NULL; - - req.name = name; - req.out_name = NULL; - - req_buffer.length = sizeof(req); - req_buffer.value = &req; - - major_status = gssspi_mech_invoke(minor_status, - (const gss_OID)gss_mech_krb5, - (const gss_OID)&req_oid, - &req_buffer); - - *out_name = req.out_name; - - return major_status; -} - -OM_uint32 KRB5_CALLCONV gss_krb5_free_lucid_sec_context( OM_uint32 *minor_status, void *kctx) Modified: branches/mskrb-integ/src/lib/gssapi/krb5/set_ccache.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/set_ccache.c 2009-01-01 01:23:23 UTC (rev 21647) +++ branches/mskrb-integ/src/lib/gssapi/krb5/set_ccache.c 2009-01-01 01:44:25 UTC (rev 21648) @@ -32,16 +32,15 @@ #include "gssapiP_krb5.h" OM_uint32 KRB5_CALLCONV -gss_krb5int_ccache_name(OM_uint32 *minor_status, - const gss_OID desired_mech, - const gss_OID desired_object, - gss_buffer_t value) +gss_krb5_ccache_name(minor_status, name, out_name) + OM_uint32 *minor_status; + const char *name; + const char **out_name; { char *old_name = NULL; OM_uint32 err = 0; OM_uint32 minor = 0; char *gss_out_name; - struct krb5_gss_ccache_name_req *req; err = gss_krb5int_initialize_library(); if (err) { 
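Review bot: The restored gss_krb5_ccache_name in the set_ccache.c hunk uses a K&R-style definition (`gss_krb5_ccache_name(minor_status, name, out_name)` with separate parameter declarations) while the function it replaces in the same hunk used a prototype; `gss_krb5_ccache_name(OM_uint32 *minor_status, const char *name, const char **out_name)` keeps call-site type checking consistent with the header declaration. A short header comment would also help: the following hunk shows `out_name` may be NULL and that the returned string comes from `k5_getspecific(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME)` rather than a fresh allocation, so the caller presumably must not free it — worth stating explicitly once confirmed. The function body continues into the next hunks.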
@@ -49,16 +48,9 @@ return GSS_S_FAILURE; } - assert(value->length == sizeof(*req)); - - if (value->length != sizeof(*req)) - return GSS_S_FAILURE; - - req = (struct krb5_gss_ccache_name_req *)value->value; - gss_out_name = k5_getspecific(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME); - if (req->out_name) { + if (out_name) { const char *tmp_name = NULL; if (!err) { @@ -73,7 +65,7 @@ don't free up any storage (leave old_name NULL). */ if (!err) - kg_set_ccache_name (&err, req->name); + kg_set_ccache_name (&err, name); minor = k5_setspecific(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME, gss_out_name); if (minor) { @@ -86,8 +78,8 @@ } if (!err) { - if (req->out_name != NULL) { - req->out_name = gss_out_name; + if (out_name) { + *out_name = gss_out_name; } } From lhoward at MIT.EDU Wed Dec 31 20:58:05 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 31 Dec 2008 20:58:05 -0500 (EST) Subject: svn rev #21649: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200901010158.UAA29458@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21649 Commit By: lhoward Log Message: gssspi_mech_invoke() is superfluous for mech_krb5, it's only useful for mechanisms that are dynamically loaded (in which case the mechanism would provide a separate library with mechanism-specific APIs that wrapped gsspi_mech_invoke()) Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/acquire_cred.c U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h U branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c U branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/acquire_cred.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/acquire_cred.c 2009-01-01 01:44:25 UTC (rev 21648) +++ branches/mskrb-integ/src/lib/gssapi/krb5/acquire_cred.c 2009-01-01 01:58:04 UTC (rev 21649) 
@@ -97,11 +97,8 @@ static char *krb5_gss_keytab = NULL; /* Heimdal calls this gsskrb5_register_acceptor_identity. */ -OM_uint32 -gss_krb5int_register_acceptor_identity(OM_uint32 *minor_status, - const gss_OID desired_mech, - const gss_OID desired_object, - gss_buffer_t value) +OM_uint32 KRB5_CALLCONV +krb5_gss_register_acceptor_identity(const char *keytab) { char *new, *old; int err; @@ -110,10 +107,10 @@ if (err != 0) return GSS_S_FAILURE; - if (value->value == NULL) - return GSS_S_FAILURE; + if (keytab == NULL) + return GSS_S_CALL_INACCESSIBLE_READ; - new = strdup((char *)value->value); + new = strdup(keytab); if (new == NULL) return GSS_S_FAILURE; Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-01-01 01:44:25 UTC (rev 21648) +++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-01-01 01:58:04 UTC (rev 21649) @@ -806,7 +806,7 @@ */ #define GSS_KRB5_GET_TKT_FLAGS_OID_LENGTH 11 -#define GSS_KRB5_GET_TKT_FLAGS_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x02" +#define GSS_KRB5_GET_TKT_FLAGS_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x01" OM_uint32 KRB5_CALLCONV gss_krb5int_get_tkt_flags (OM_uint32 *minor_status, @@ -815,7 +815,7 @@ gss_buffer_set_t *data_set); #define GSS_KRB5_COPY_CCACHE_OID_LENGTH 11 -#define GSS_KRB5_COPY_CCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x01" +#define GSS_KRB5_COPY_CCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x02" OM_uint32 KRB5_CALLCONV gss_krb5int_copy_ccache (OM_uint32 *minor_status, @@ -824,7 +824,7 @@ const gss_buffer_t value); #define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID_LENGTH 11 -#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x08" +#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x03" struct krb5_gss_set_allowable_enctypes_req { OM_uint32 num_ktypes; 
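Review bot: The gssapiP_krb5.h hunks renumber existing OIDs under 1.2.840.113554.1.2.2.5 (GET_TKT_FLAGS and COPY_CCACHE swap .1 and .2, SET_ALLOWABLE_ENCTYPES moves from .8 to .3), and the `@@ -838` and `@@ -879` hunks of the same file plus rev 21650 below do more of the same, yet the log message does not say why published values change. These OIDs are the selectors that mech-specific entry points dispatch on (the krb5_gssspi_mech_invoke removed in this commit matches with g_OID_prefix_equal, and the other entry points presumably do likewise), so a caller built against the old header could have a ticket-flags query routed to the copy-ccache handler by a library built with the new one; rev 21650's "fix regression" shows one such mismatch already occurred on this branch. Unless these values were never shipped, keep the existing numbers and assign fresh ones only to new operations, and add a comment at the table, e.g. `/* Values under 1.2.840.113554.1.2.2.5 are part of the installed ABI: never reuse or renumber an existing assignment. */`. The surrounding declarations start and end outside the hunks.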
@@ -838,7 +838,7 @@ const gss_buffer_t value); #define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH 11 -#define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x07" +#define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x04" OM_uint32 gss_krb5int_export_lucid_sec_context(OM_uint32 *minor_status, @@ -846,32 +846,10 @@ const gss_OID desired_object, gss_buffer_set_t *data_set); -#define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH 11 -#define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0b" +/* 1.2.840.113554.1.2.2.5.5 reserved for GSS_C_INQ_SSPI_SESSION_KEY */ -OM_uint32 -gss_krb5int_free_lucid_sec_context(OM_uint32 *, const gss_OID, - const gss_OID, gss_buffer_t); - -extern k5_mutex_t kg_kdc_flag_mutex; -krb5_error_code krb5_gss_init_context (krb5_context *ctxp); - -#define GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH 11 -#define GSS_KRB5_USE_KDC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0c" - -OM_uint32 krb5int_gss_use_kdc_context(OM_uint32 *, const gss_OID, - const gss_OID, gss_buffer_t); - -krb5_error_code krb5_gss_use_kdc_context(void); - -#define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH 11 -#define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x09" - -OM_uint32 -gss_krb5int_register_acceptor_identity(OM_uint32 *, const gss_OID, const gss_OID, gss_buffer_t); - #define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 11 -#define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x03" +#define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x06" OM_uint32 gss_krb5int_extract_authz_data_from_sec_context(OM_uint32 *minor_status, 
@@ -879,28 +857,20 @@ const gss_OID desired_object, gss_buffer_set_t *ad_data); -#if 0 -#define GSS_KRB5_SET_ACCEPTOR_ALIAS_OID_LENGTH 11 -#define GSS_KRB5_SET_ACCEPTOR_ALIAS_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x04" - -OM_uint32 -gss_krb5int_set_cred_alias(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *); -#endif - #define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11 -#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05" +#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x07" OM_uint32 gss_krb5int_inq_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *); #define GSS_KRB5_SET_CRED_RCACHE_OID_LENGTH 11 -#define GSS_KRB5_SET_CRED_RCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0d" +#define GSS_KRB5_SET_CRED_RCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x08" OM_uint32 gss_krb5int_set_cred_rcache(OM_uint32 *, gss_cred_id_t, const gss_OID, const gss_buffer_t); #define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH 11 -#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0e" +#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x09" OM_uint32 gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *, 
@@ -916,6 +886,10 @@ OM_uint32 gss_krb5int_initialize_library(void); void gss_krb5int_cleanup_library(void); +extern k5_mutex_t kg_kdc_flag_mutex; +krb5_error_code krb5_gss_init_context (krb5_context *ctxp); +krb5_error_code krb5_gss_use_kdc_context(void); + /* For error message handling. */ /* Returns a shared string, not a private copy! */ extern char * Modified: branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c 2009-01-01 01:44:25 UTC (rev 21648) +++ branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c 2009-01-01 01:58:04 UTC (rev 21649) @@ -987,25 +987,19 @@ } #ifndef _WIN32 -OM_uint32 -krb5int_gss_use_kdc_context(OM_uint32 *minor_status, - const gss_OID desired_mech, - const gss_OID desired_object, - gss_buffer_t value) +krb5_error_code +krb5_gss_use_kdc_context() { - OM_uint32 err; + krb5_error_code err; - *minor_status = 0; - err = gss_krb5int_initialize_library(); if (err) - return err; - *minor_status = k5_mutex_lock(&kg_kdc_flag_mutex); - if (*minor_status) { - return GSS_S_FAILURE; - } + return err; + err = k5_mutex_lock(&kg_kdc_flag_mutex); + if (err) + return err; kdc_flag = 1; k5_mutex_unlock(&kg_kdc_flag_mutex); - return GSS_S_COMPLETE; + return 0; } #endif Modified: branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2009-01-01 01:44:25 UTC (rev 21648) +++ branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2009-01-01 01:58:04 UTC (rev 21649) 
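Review bot: The new definition `krb5_gss_use_kdc_context()` in the init_sec_context.c hunk has an empty parameter list while the gssapiP_krb5.h hunk in this same commit declares it as `krb5_gss_use_kdc_context(void)`; an empty list in a definition is old-style and disables argument checking, so write `krb5_gss_use_kdc_context(void)` to match the prototype. A one-line comment above it, `/* Set kdc_flag under kg_kdc_flag_mutex; returns a krb5_error_code, 0 on success. */`, would also record the contract change from the removed OM_uint32-returning version. The definition sits inside `#ifndef _WIN32`, whose matching `#endif` is the hunk's last line.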
@@ -307,61 +307,6 @@ return GSS_S_UNAVAILABLE; } -/* - * gssspi_mech_invoke() methods - */ -static struct { - gss_OID_desc oid; - OM_uint32 (*func)(OM_uint32 *, const gss_OID, const gss_OID, gss_buffer_t); -} krb5_gssspi_mech_invoke_ops[] = { - { - {GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH, GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID}, - gss_krb5int_register_acceptor_identity - }, - { - {GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID}, - gss_krb5int_free_lucid_sec_context - }, - { - {GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH, GSS_KRB5_USE_KDC_CONTEXT_OID}, - krb5int_gss_use_kdc_context - } -}; - -static OM_uint32 -krb5_gssspi_mech_invoke (OM_uint32 *minor_status, - const gss_OID desired_mech, - const gss_OID desired_object, - gss_buffer_t value) -{ - size_t i; - - if (minor_status == NULL) - return GSS_S_CALL_INACCESSIBLE_WRITE; - - *minor_status = 0; - - if (desired_mech == GSS_C_NO_OID) - return GSS_S_BAD_MECH; - - if (desired_object == GSS_C_NO_OID) - return GSS_S_CALL_INACCESSIBLE_READ; - - for (i = 0; i < sizeof(krb5_gssspi_mech_invoke_ops)/ - sizeof(krb5_gssspi_mech_invoke_ops[0]); i++) { - if (g_OID_prefix_equal(desired_object, &krb5_gssspi_mech_invoke_ops[i].oid)) { - return (*krb5_gssspi_mech_invoke_ops[i].func)(minor_status, - desired_mech, - desired_object, - value); - } - } - - *minor_status = EINVAL; - - return GSS_S_UNAVAILABLE; -} - static struct gss_config krb5_mechanism = { { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID }, NULL, @@ -413,7 +358,7 @@ krb5_gss_inquire_cred_by_oid, krb5_gss_set_sec_context_option, krb5_gssspi_set_cred_option, - krb5_gssspi_mech_invoke, + NULL, /* mech_invoke */ NULL, /* wrap_aead */ NULL, /* unwrap_aead */ krb5_gss_wrap_iov, 
@@ -689,70 +634,6 @@ return major_status; } -OM_uint32 KRB5_CALLCONV -gss_krb5_free_lucid_sec_context( - OM_uint32 *minor_status, - void *kctx) -{ - static const gss_OID_desc const req_oid = { - GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH, - GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID }; - OM_uint32 major_status; - gss_buffer_desc req_buffer; - - req_buffer.length = sizeof(kctx); - req_buffer.value = kctx; - - major_status = gssspi_mech_invoke(minor_status, - (const gss_OID)gss_mech_krb5, - (const gss_OID)&req_oid, - &req_buffer); - - return major_status; -} - -OM_uint32 KRB5_CALLCONV -krb5_gss_register_acceptor_identity(const char *keytab) -{ - static const gss_OID_desc const req_oid = { - GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH, - GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID }; - OM_uint32 major_status; - OM_uint32 minor_status; - gss_buffer_desc req_buffer; - - req_buffer.length = strlen(keytab); - req_buffer.value = (char *)keytab; - - major_status = gssspi_mech_invoke(&minor_status, - (const gss_OID)gss_mech_krb5, - (const gss_OID)&req_oid, - &req_buffer); - - return major_status; -} - -krb5_error_code -krb5_gss_use_kdc_context(void) -{ - static const gss_OID_desc const req_oid = { - GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH, - GSS_KRB5_USE_KDC_CONTEXT_OID }; - OM_uint32 major_status; - OM_uint32 minor_status; - gss_buffer_desc req_buffer; - - req_buffer.length = 0; - req_buffer.value = NULL; - - major_status = gssspi_mech_invoke(&minor_status, - (const gss_OID)gss_mech_krb5, - (const gss_OID)&req_oid, - &req_buffer); - - return major_status; -} - /* * This API should go away and be replaced with an accessor * into a gss_name_t. Modified: branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c 2009-01-01 01:44:25 UTC (rev 21648) +++ branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c 2009-01-01 01:58:04 UTC (rev 21649) 
@@ -124,28 +124,19 @@ * Frees the storage associated with an * exported lucid context structure. */ -OM_uint32 -gss_krb5int_free_lucid_sec_context( +OM_uint32 KRB5_CALLCONV +gss_krb5_free_lucid_sec_context( OM_uint32 *minor_status, - const gss_OID desired_mech, - const gss_OID desired_object, - gss_buffer_t value) + void *kctx) { OM_uint32 retval; krb5_error_code kret = 0; int version; - void *kctx; /* Assume failure */ retval = GSS_S_FAILURE; *minor_status = 0; - kctx = value->value; - if (!kctx) { - kret = EINVAL; - goto error_out; - } - /* Verify pointer is valid lucid context */ if (! kg_validate_lucidctx_id(kctx)) { kret = G_VALIDATE_FAILED; From lhoward at MIT.EDU Wed Dec 31 21:02:38 2008 From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 31 Dec 2008 21:02:38 -0500 (EST) Subject: svn rev #21650: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200901010202.VAA29581@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21650 Commit By: lhoward Log Message: fix regression in last commit (use correct OID for inquiring session key) Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-01-01 01:58:04 UTC (rev 21649) +++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-01-01 02:02:37 UTC (rev 21650) 
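Review bot: Dropping the `if (!kctx)` guard lets a NULL `kctx` reach `kg_validate_lucidctx_id(kctx)` unchecked now that the argument is no longer unpacked from `value->value`. Unless that validator is known to reject NULL (not visible here), keep the guard under the new signature: `if (kctx == NULL) { kret = EINVAL; goto error_out; }`. The body of gss_krb5_free_lucid_sec_context continues past the end of the hunk.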
@@ -846,8 +846,12 @@ const gss_OID desired_object, gss_buffer_set_t *data_set); -/* 1.2.840.113554.1.2.2.5.5 reserved for GSS_C_INQ_SSPI_SESSION_KEY */ +#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11 +#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05" +OM_uint32 +gss_krb5int_inq_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *); + #define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 11 #define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x06" @@ -857,20 +861,14 @@ const gss_OID desired_object, gss_buffer_set_t *ad_data); -#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11 -#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x07" - -OM_uint32 -gss_krb5int_inq_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *); - #define GSS_KRB5_SET_CRED_RCACHE_OID_LENGTH 11 -#define GSS_KRB5_SET_CRED_RCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x08" +#define GSS_KRB5_SET_CRED_RCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x07" OM_uint32 gss_krb5int_set_cred_rcache(OM_uint32 *, gss_cred_id_t, const gss_OID, const gss_buffer_t); #define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH 11 -#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x09" +#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x08" OM_uint32 gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *, From lhoward at MIT.EDU Wed Dec 31 21:03:13 2008 
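Review bot: Moving GSS_KRB5_INQ_SSPI_SESSION_KEY_OID to `\x05\x05` also renumbers GSS_KRB5_SET_CRED_RCACHE_OID (`\x05\x08` to `\x05\x07`) and GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID (`\x05\x09` to `\x05\x08`), and the r21653 header hunks from `@@ -823,14 +823,34 @@` through `@@ -862,13 +900,13 @@` reassign most of the arc again. These OIDs are identifiers that callers build into request buffers, so a caller compiled against an older header silently reaches a different handler after a renumber; if any of these values have shipped, the old values should stay reserved rather than be reused for a different operation. A one-line comment on each define naming the dotted OID, in the style of the `/* 1.2.840.113554.1.2.2.5.5 reserved for GSS_C_INQ_SSPI_SESSION_KEY */` line this hunk removes, would keep the arc assignment auditable.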
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 31 Dec 2008 21:03:13 -0500 (EST) Subject: svn rev #21651: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200901010203.VAA29663@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21651 Commit By: lhoward Log Message: remove cruft Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2009-01-01 02:02:37 UTC (rev 21650) +++ branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2009-01-01 02:03:12 UTC (rev 21651) @@ -713,32 +713,7 @@ return major_status; } -#if 0 OM_uint32 KRB5_CALLCONV -gss_krb5_set_cred_alias( - OM_uint32 *minor_status, - gss_cred_id_t cred, - krb5_principal *aliases) -{ - static const gss_OID_desc const req_oid = { - GSS_KRB5_SET_ACCEPTOR_ALIAS_OID_LENGTH, - GSS_KRB5_SET_ACCEPTOR_ALIAS_OID }; - OM_uint32 major_status; - gss_buffer_desc req_buffer; - - req_buffer.length = sizeof(aliases); - req_buffer.value = aliases; - - major_status = gssspi_set_cred_option(minor_status, - cred, - (const gss_OID)&req_oid, - &req_buffer); - - return major_status; -} -#endif - -OM_uint32 KRB5_CALLCONV gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status, gss_ctx_id_t context_handle, krb5_timestamp *authtime) From lhoward at MIT.EDU Wed Dec 31 21:05:22 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 31 Dec 2008 21:05:22 -0500 (EST) Subject: svn rev #21652: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200901010205.VAA29764@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21652 Commit By: lhoward Log Message: remove superfluous comment Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c 2009-01-01 02:03:12 UTC (rev 21651) +++ branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c 2009-01-01 02:05:21 UTC (rev 21652) @@ -411,8 +411,6 @@ *minor_status = 0; return GSS_S_BAD_SIG; } - - /* caller should have fixed up padding */ } else { /* Verify checksum: note EC is checksum size here, not padding */ if (ec != k5_trailerlen) From lhoward at MIT.EDU Wed Dec 31 21:56:17 2008 
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 31 Dec 2008 21:56:17 -0500 (EST) Subject: svn rev #21653: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200901010256.VAA00449@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21653 Commit By: lhoward Log Message: Back out r2164[78]; although the mech_invoke abstraction is superfluous when building mech_krb5 today, it will help anyone that wants to correctly build it dynamically. (By correctly, I mean that mechanism-specific API should go in libgssapi_krb5 and the mechanism itself in mech_krb5; one cannot assume that one can link against loadable modules on all platforms. I notice in OpenSolaris Sun link against mech_krb5 directly to get mech-specific API, but this won't work on Darwin.) Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/acquire_cred.c U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h U branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c U branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c U branches/mskrb-integ/src/lib/gssapi/krb5/set_ccache.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/acquire_cred.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/acquire_cred.c 2009-01-01 02:05:21 UTC (rev 21652) +++ branches/mskrb-integ/src/lib/gssapi/krb5/acquire_cred.c 2009-01-01 02:56:15 UTC (rev 21653) @@ -97,8 +97,11 @@ static char *krb5_gss_keytab = NULL; /* Heimdal calls this gsskrb5_register_acceptor_identity. */ -OM_uint32 KRB5_CALLCONV -krb5_gss_register_acceptor_identity(const char *keytab) +OM_uint32 +gss_krb5int_register_acceptor_identity(OM_uint32 *minor_status, + const gss_OID desired_mech, + const gss_OID desired_object, + gss_buffer_t value) { char *new, *old; int err; 
@@ -107,10 +110,10 @@ if (err != 0) return GSS_S_FAILURE; - if (keytab == NULL) - return GSS_S_CALL_INACCESSIBLE_READ; + if (value->value == NULL) + return GSS_S_FAILURE; - new = strdup(keytab); + new = strdup((char *)value->value); if (new == NULL) return GSS_S_FAILURE; Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-01-01 02:05:21 UTC (rev 21652) +++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-01-01 02:56:15 UTC (rev 21653) @@ -823,14 +823,34 @@ const gss_OID desired_oid, const gss_buffer_t value); +#define GSS_KRB5_CCACHE_NAME_OID_LENGTH 11 +#define GSS_KRB5_CCACHE_NAME_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x03" + +struct krb5_gss_ccache_name_req { + const char *name; + const char **out_name; +}; + +OM_uint32 KRB5_CALLCONV gss_krb5int_ccache_name + (OM_uint32 *minor_status, + const gss_OID, + const gss_OID, + const gss_buffer_t); + #define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID_LENGTH 11 -#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x03" +#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x04" struct krb5_gss_set_allowable_enctypes_req { OM_uint32 num_ktypes; krb5_enctype *ktypes; }; +#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11 +#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05" + +OM_uint32 +gss_krb5int_inq_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *); + OM_uint32 KRB5_CALLCONV gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status, gss_cred_id_t cred, 
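Review bot: `strdup((char *)value->value)` treats the request buffer as a NUL-terminated string and ignores `value->length`, and `value` itself is never checked for GSS_C_NO_BUFFER before `value->value` is read. The in-tree wrapper passes a pointer to a C string so this works today, but gssspi_mech_invoke is reachable with any gss_buffer_t, and a length-delimited buffer without a terminator would be read past its end. Copying the declared length keeps the gss_buffer contract: `new = malloc(value->length + 1);` before the existing NULL check, then `memcpy(new, value->value, value->length); new[value->length] = '\0';`. The enclosing function starts in the previous hunk and ends after this one.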
@@ -838,7 +858,7 @@ const gss_buffer_t value); #define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH 11 -#define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x04" +#define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x06" OM_uint32 gss_krb5int_export_lucid_sec_context(OM_uint32 *minor_status, @@ -846,14 +866,32 @@ const gss_OID desired_object, gss_buffer_set_t *data_set); -#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11 -#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05" +#define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH 11 +#define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x07" OM_uint32 -gss_krb5int_inq_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *); +gss_krb5int_free_lucid_sec_context(OM_uint32 *, const gss_OID, + const gss_OID, gss_buffer_t); +extern k5_mutex_t kg_kdc_flag_mutex; +krb5_error_code krb5_gss_init_context (krb5_context *ctxp); + +#define GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH 11 +#define GSS_KRB5_USE_KDC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x08" + +OM_uint32 krb5int_gss_use_kdc_context(OM_uint32 *, const gss_OID, + const gss_OID, gss_buffer_t); + +krb5_error_code krb5_gss_use_kdc_context(void); + +#define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH 11 +#define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x09" + +OM_uint32 +gss_krb5int_register_acceptor_identity(OM_uint32 *, const gss_OID, const gss_OID, gss_buffer_t); + #define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 11 -#define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x06" +#define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0a" OM_uint32 gss_krb5int_extract_authz_data_from_sec_context(OM_uint32 *minor_status, 
@@ -862,13 +900,13 @@ gss_buffer_set_t *ad_data); #define GSS_KRB5_SET_CRED_RCACHE_OID_LENGTH 11 -#define GSS_KRB5_SET_CRED_RCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x07" +#define GSS_KRB5_SET_CRED_RCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0b" OM_uint32 gss_krb5int_set_cred_rcache(OM_uint32 *, gss_cred_id_t, const gss_OID, const gss_buffer_t); #define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH 11 -#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x08" +#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0c" OM_uint32 gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *, @@ -884,10 +922,6 @@ OM_uint32 gss_krb5int_initialize_library(void); void gss_krb5int_cleanup_library(void); -extern k5_mutex_t kg_kdc_flag_mutex; -krb5_error_code krb5_gss_init_context (krb5_context *ctxp); -krb5_error_code krb5_gss_use_kdc_context(void); - /* For error message handling. */ /* Returns a shared string, not a private copy! */ extern char * Modified: branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c 2009-01-01 02:05:21 UTC (rev 21652) +++ branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c 2009-01-01 02:56:15 UTC (rev 21653) 
@@ -987,19 +987,25 @@ } #ifndef _WIN32 -krb5_error_code -krb5_gss_use_kdc_context() +OM_uint32 +krb5int_gss_use_kdc_context(OM_uint32 *minor_status, + const gss_OID desired_mech, + const gss_OID desired_object, + gss_buffer_t value) { - krb5_error_code err; + OM_uint32 err; + *minor_status = 0; + err = gss_krb5int_initialize_library(); if (err) - return err; - err = k5_mutex_lock(&kg_kdc_flag_mutex); - if (err) - return err; + return err; + *minor_status = k5_mutex_lock(&kg_kdc_flag_mutex); + if (*minor_status) { + return GSS_S_FAILURE; + } kdc_flag = 1; k5_mutex_unlock(&kg_kdc_flag_mutex); - return 0; + return GSS_S_COMPLETE; } #endif Modified: branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2009-01-01 02:05:21 UTC (rev 21652) +++ branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2009-01-01 02:56:15 UTC (rev 21653) 
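Review bot: `if (err) return err;` after `gss_krb5int_initialize_library()` hands that function's initialization error (which appears to come from CALL_INIT_FUNCTION, not a GSS status) back as the major status, whereas the set_ccache.c hunk in this same commit maps the same failure to `return GSS_S_FAILURE;`. The caller then receives a non-GSS major code with `*minor_status` left at 0; the consistent form is `if (err) { *minor_status = err; return GSS_S_FAILURE; }`. The `desired_mech`, `desired_object` and `value` parameters are unused here, which is expected for a dispatch-table callback but worth a one-line comment so nobody "fixes" it.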
@@ -307,6 +307,65 @@ return GSS_S_UNAVAILABLE; } +/* + * gssspi_mech_invoke() methods + */ +static struct { + gss_OID_desc oid; + OM_uint32 (*func)(OM_uint32 *, const gss_OID, const gss_OID, gss_buffer_t); +} krb5_gssspi_mech_invoke_ops[] = { + { + {GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH, GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID}, + gss_krb5int_register_acceptor_identity + }, + { + {GSS_KRB5_CCACHE_NAME_OID_LENGTH, GSS_KRB5_CCACHE_NAME_OID}, + gss_krb5int_ccache_name + }, + { + {GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID}, + gss_krb5int_free_lucid_sec_context + }, + { + {GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH, GSS_KRB5_USE_KDC_CONTEXT_OID}, + krb5int_gss_use_kdc_context + } +}; + +static OM_uint32 +krb5_gssspi_mech_invoke (OM_uint32 *minor_status, + const gss_OID desired_mech, + const gss_OID desired_object, + gss_buffer_t value) +{ + size_t i; + + if (minor_status == NULL) + return GSS_S_CALL_INACCESSIBLE_WRITE; + + *minor_status = 0; + + if (desired_mech == GSS_C_NO_OID) + return GSS_S_BAD_MECH; + + if (desired_object == GSS_C_NO_OID) + return GSS_S_CALL_INACCESSIBLE_READ; + + for (i = 0; i < sizeof(krb5_gssspi_mech_invoke_ops)/ + sizeof(krb5_gssspi_mech_invoke_ops[0]); i++) { + if (g_OID_prefix_equal(desired_object, &krb5_gssspi_mech_invoke_ops[i].oid)) { + return (*krb5_gssspi_mech_invoke_ops[i].func)(minor_status, + desired_mech, + desired_object, + value); + } + } + + *minor_status = EINVAL; + + return GSS_S_UNAVAILABLE; +} + static struct gss_config krb5_mechanism = { { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID }, NULL, @@ -358,7 +417,7 @@ krb5_gss_inquire_cred_by_oid, krb5_gss_set_sec_context_option, krb5_gssspi_set_cred_option, - NULL, /* mech_invoke */ + krb5_gssspi_mech_invoke, NULL, /* wrap_aead */ NULL, /* unwrap_aead */ krb5_gss_wrap_iov, 
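Review bot: `krb5_gssspi_mech_invoke` checks `minor_status`, `desired_mech` and `desired_object` but never `value`, and the handlers it dispatches to in this commit (`gss_krb5int_register_acceptor_identity`, `gss_krb5int_ccache_name`) read `value->value` and `value->length` unconditionally. Add `if (value == GSS_C_NO_BUFFER) return GSS_S_CALL_INACCESSIBLE_READ;` before the table loop so a caller that passes no buffer gets a status instead of a NULL dereference. The same table and function reappear verbatim in the gssapi_krb5.c hunk of r21654 (`@@ -304,3 +305,490 @@`) and need the same guard. `desired_mech` is only tested against GSS_C_NO_OID, never compared with the krb5 mechanism OID; if the mechglue guarantees the routing, a comment saying so would spare the next reader the question.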
@@ -634,6 +693,97 @@ return major_status; } +OM_uint32 KRB5_CALLCONV +gss_krb5_ccache_name( + OM_uint32 *minor_status, + const char *name, + const char **out_name) +{ + static const gss_OID_desc const req_oid = { + GSS_KRB5_CCACHE_NAME_OID_LENGTH, + GSS_KRB5_CCACHE_NAME_OID }; + OM_uint32 major_status; + struct krb5_gss_ccache_name_req req; + gss_buffer_desc req_buffer; + + req.name = name; + req.out_name = out_name; + + req_buffer.length = sizeof(req); + req_buffer.value = &req; + + major_status = gssspi_mech_invoke(minor_status, + (const gss_OID)gss_mech_krb5, + (const gss_OID)&req_oid, + &req_buffer); + + return major_status; +} + +OM_uint32 KRB5_CALLCONV +gss_krb5_free_lucid_sec_context( + OM_uint32 *minor_status, + void *kctx) +{ + static const gss_OID_desc const req_oid = { + GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH, + GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID }; + OM_uint32 major_status; + gss_buffer_desc req_buffer; + + req_buffer.length = sizeof(kctx); + req_buffer.value = kctx; + + major_status = gssspi_mech_invoke(minor_status, + (const gss_OID)gss_mech_krb5, + (const gss_OID)&req_oid, + &req_buffer); + + return major_status; +} + +OM_uint32 KRB5_CALLCONV +krb5_gss_register_acceptor_identity(const char *keytab) +{ + static const gss_OID_desc const req_oid = { + GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH, + GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID }; + OM_uint32 major_status; + OM_uint32 minor_status; + gss_buffer_desc req_buffer; + + req_buffer.length = strlen(keytab); + req_buffer.value = (char *)keytab; + + major_status = gssspi_mech_invoke(&minor_status, + (const gss_OID)gss_mech_krb5, + (const gss_OID)&req_oid, + &req_buffer); + + return major_status; +} + +krb5_error_code +krb5_gss_use_kdc_context(void) +{ + static const gss_OID_desc const req_oid = { + GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH, + GSS_KRB5_USE_KDC_CONTEXT_OID }; + OM_uint32 major_status; + OM_uint32 minor_status; + gss_buffer_desc req_buffer; + + req_buffer.length = 0; + req_buffer.value = 
NULL; + + major_status = gssspi_mech_invoke(&minor_status, + (const gss_OID)gss_mech_krb5, + (const gss_OID)&req_oid, + &req_buffer); + + return major_status; +} + /* * This API should go away and be replaced with an accessor * into a gss_name_t. Modified: branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c 2009-01-01 02:05:21 UTC (rev 21652) +++ branches/mskrb-integ/src/lib/gssapi/krb5/lucid_context.c 2009-01-01 02:56:15 UTC (rev 21653) @@ -124,19 +124,28 @@ * Frees the storage associated with an * exported lucid context structure. */ -OM_uint32 KRB5_CALLCONV -gss_krb5_free_lucid_sec_context( +OM_uint32 +gss_krb5int_free_lucid_sec_context( OM_uint32 *minor_status, - void *kctx) + const gss_OID desired_mech, + const gss_OID desired_object, + gss_buffer_t value) { OM_uint32 retval; krb5_error_code kret = 0; int version; + void *kctx; /* Assume failure */ retval = GSS_S_FAILURE; *minor_status = 0; + kctx = value->value; + if (!kctx) { + kret = EINVAL; + goto error_out; + } + /* Verify pointer is valid lucid context */ if (! kg_validate_lucidctx_id(kctx)) { kret = G_VALIDATE_FAILED; Modified: branches/mskrb-integ/src/lib/gssapi/krb5/set_ccache.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/set_ccache.c 2009-01-01 02:05:21 UTC (rev 21652) +++ branches/mskrb-integ/src/lib/gssapi/krb5/set_ccache.c 2009-01-01 02:56:15 UTC (rev 21653) 
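Review bot: `krb5_gss_register_acceptor_identity` calls `strlen(keytab)` with no NULL check, so the `if (keytab == NULL) return GSS_S_CALL_INACCESSIBLE_READ;` that the acquire_cred.c hunk of this commit removes from the old implementation is now absent on both sides of the call; restore that line at the top of the wrapper so a NULL keytab yields the documented status rather than a crash in strlen. In `gss_krb5_free_lucid_sec_context`, `req_buffer.length = sizeof(kctx)` describes a pointer while `req_buffer.value = kctx` carries the context itself, so the length does not describe what value points at; the receiver ignores it, but a comment stating that the buffer carries an opaque handle rather than a byte range would stop a future length check from misfiring. The wrappers without a `minor_status` parameter (`krb5_gss_register_acceptor_identity`, `krb5_gss_use_kdc_context`) discard the mechanism's minor code, a loss of diagnostic detail that deserves a comment.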
@@ -32,15 +32,16 @@ #include "gssapiP_krb5.h" OM_uint32 KRB5_CALLCONV -gss_krb5_ccache_name(minor_status, name, out_name) - OM_uint32 *minor_status; - const char *name; - const char **out_name; +gss_krb5int_ccache_name(OM_uint32 *minor_status, + const gss_OID desired_mech, + const gss_OID desired_object, + gss_buffer_t value) { char *old_name = NULL; OM_uint32 err = 0; OM_uint32 minor = 0; char *gss_out_name; + struct krb5_gss_ccache_name_req *req; err = gss_krb5int_initialize_library(); if (err) { @@ -48,9 +49,16 @@ return GSS_S_FAILURE; } + assert(value->length == sizeof(*req)); + + if (value->length != sizeof(*req)) + return GSS_S_FAILURE; + + req = (struct krb5_gss_ccache_name_req *)value->value; + gss_out_name = k5_getspecific(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME); - if (out_name) { + if (req->out_name) { const char *tmp_name = NULL; if (!err) { @@ -65,7 +73,7 @@ don't free up any storage (leave old_name NULL). */ if (!err) - kg_set_ccache_name (&err, name); + kg_set_ccache_name (&err, req->name); minor = k5_setspecific(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME, gss_out_name); if (minor) { @@ -78,8 +86,8 @@ } if (!err) { - if (out_name) { - *out_name = gss_out_name; + if (req->out_name) { + *(req->out_name) = gss_out_name; } } From lhoward at MIT.EDU Wed Dec 31 22:04:25 2008 
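Review bot: `assert(value->length == sizeof(*req));` checks caller-supplied input, so a wrong-sized buffer from any gssspi_mech_invoke caller aborts the whole process in assert-enabled builds before the `if (value->length != sizeof(*req)) return GSS_S_FAILURE;` that follows can run. Drop the assert, keep the runtime check, and guard the buffer itself first: `if (value == GSS_C_NO_BUFFER || value->value == NULL) return GSS_S_CALL_INACCESSIBLE_READ;`. `req` is cast straight from `value->value`; the in-tree caller passes the address of a real `struct krb5_gss_ccache_name_req`, so that is sound, but the contract (the buffer must hold exactly that struct) belongs in a comment above `gss_krb5int_ccache_name`.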
From: lhoward at MIT.EDU (lhoward@MIT.EDU) Date: Wed, 31 Dec 2008 22:04:25 -0500 (EST) Subject: svn rev #21654: branches/mskrb-integ/src/lib/gssapi/krb5/ Message-ID: <200901010304.WAA00610@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=21654 Commit By: lhoward Log Message: Keep krb5_gss_glue.c just for mechanism-specific API; move the rest into gssapi_krb5.c. That way, a vendor can build krb5_gss_glue.c as libgssapi_krb5.so, the mechglue as libgssapi.so, and the rest of the Kerberos mech as mech_krb5.so (this is essentially what Novell did). Changed Files: U branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c U branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c 2009-01-01 02:56:15 UTC (rev 21653) +++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c 2009-01-01 03:04:24 UTC (rev 21654) @@ -82,6 +82,7 @@ /* For declaration of krb5_ser_context_init */ #include "k5-int.h" #include "gssapiP_krb5.h" +#include "mglueP.h" /** exported constants defined in gssapi_krb5{,_nx}.h **/ 
@@ -304,3 +305,490 @@ return GSS_S_COMPLETE; } +#define g_OID_prefix_equal(o1, o2) \ + (((o1)->length >= (o2)->length) && \ + (memcmp((o1)->elements, (o2)->elements, (o2)->length) == 0)) + +/* + * gss_inquire_sec_context_by_oid() methods + */ +static struct { + gss_OID_desc oid; + OM_uint32 (*func)(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *); +} krb5_gss_inquire_sec_context_by_oid_ops[] = { + { + {GSS_KRB5_GET_TKT_FLAGS_OID_LENGTH, GSS_KRB5_GET_TKT_FLAGS_OID}, + gss_krb5int_get_tkt_flags + }, + { + {GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID}, + gss_krb5int_extract_authz_data_from_sec_context + }, + { + {GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH, GSS_KRB5_INQ_SSPI_SESSION_KEY_OID}, + gss_krb5int_inq_session_key + }, + { + {GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID}, + gss_krb5int_export_lucid_sec_context + }, + { + {GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID}, + gss_krb5int_extract_authtime_from_sec_context + } +}; + +static OM_uint32 +krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set) +{ + krb5_gss_ctx_id_rec *ctx; + size_t i; + + if (minor_status == NULL) + return GSS_S_CALL_INACCESSIBLE_WRITE; + + *minor_status = 0; + + if (desired_object == GSS_C_NO_OID) + return GSS_S_CALL_INACCESSIBLE_READ; + + if (data_set == NULL) + return GSS_S_CALL_INACCESSIBLE_WRITE; + + *data_set = GSS_C_NO_BUFFER_SET; + + if (!kg_validate_ctx_id(context_handle)) + return GSS_S_NO_CONTEXT; + + ctx = (krb5_gss_ctx_id_rec *) context_handle; + + if (!ctx->established) + return GSS_S_NO_CONTEXT; + + for (i = 0; i < sizeof(krb5_gss_inquire_sec_context_by_oid_ops)/ + sizeof(krb5_gss_inquire_sec_context_by_oid_ops[0]); i++) { + if (g_OID_prefix_equal(desired_object, 
&krb5_gss_inquire_sec_context_by_oid_ops[i].oid)) { + return (*krb5_gss_inquire_sec_context_by_oid_ops[i].func)(minor_status, + context_handle, + desired_object, + data_set); + } + } + + *minor_status = EINVAL; + + return GSS_S_UNAVAILABLE; +} + +/* + * gss_inquire_cred_by_oid() methods + */ +static struct { + gss_OID_desc oid; + OM_uint32 (*func)(OM_uint32 *, const gss_cred_id_t, const gss_OID, gss_buffer_set_t *); +} krb5_gss_inquire_cred_by_oid_ops[] = { +}; + +static OM_uint32 +krb5_gss_inquire_cred_by_oid(OM_uint32 *minor_status, + const gss_cred_id_t cred_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set) +{ + OM_uint32 major_status = GSS_S_FAILURE; + krb5_gss_cred_id_t cred; + size_t i; + + if (minor_status == NULL) + return GSS_S_CALL_INACCESSIBLE_WRITE; + + *minor_status = 0; + + if (desired_object == GSS_C_NO_OID) + return GSS_S_CALL_INACCESSIBLE_READ; + + if (data_set == NULL) + return GSS_S_CALL_INACCESSIBLE_WRITE; + + *data_set = GSS_C_NO_BUFFER_SET; + if (cred_handle == GSS_C_NO_CREDENTIAL) { + *minor_status = (OM_uint32)KRB5_NOCREDS_SUPPLIED; + return GSS_S_NO_CRED; + } + + major_status = krb5_gss_validate_cred(minor_status, cred_handle); + if (GSS_ERROR(major_status)) + return major_status; + + cred = (krb5_gss_cred_id_t) cred_handle; + + for (i = 0; i < sizeof(krb5_gss_inquire_cred_by_oid_ops)/ + sizeof(krb5_gss_inquire_cred_by_oid_ops[0]); i++) { + if (g_OID_prefix_equal(desired_object, &krb5_gss_inquire_cred_by_oid_ops[i].oid)) { + return (*krb5_gss_inquire_cred_by_oid_ops[i].func)(minor_status, + cred_handle, + desired_object, + data_set); + } + } + + *minor_status = EINVAL; + + return GSS_S_UNAVAILABLE; +} + +/* + * gss_set_sec_context_option() methods + */ +static struct { + gss_OID_desc oid; + OM_uint32 (*func)(OM_uint32 *, gss_ctx_id_t *, const gss_OID, const gss_buffer_t); +} krb5_gss_set_sec_context_option_ops[] = { +}; + +static OM_uint32 +krb5_gss_set_sec_context_option (OM_uint32 *minor_status, + gss_ctx_id_t 
*context_handle, + const gss_OID desired_object, + const gss_buffer_t value) +{ + size_t i; + + if (minor_status == NULL) + return GSS_S_CALL_INACCESSIBLE_WRITE; + + *minor_status = 0; + + if (context_handle == NULL) + return GSS_S_CALL_INACCESSIBLE_READ; + + if (desired_object == GSS_C_NO_OID) + return GSS_S_CALL_INACCESSIBLE_READ; + + if (*context_handle != GSS_C_NO_CONTEXT) { + krb5_gss_ctx_id_rec *ctx; + + if (!kg_validate_ctx_id(*context_handle)) + return GSS_S_NO_CONTEXT; + + ctx = (krb5_gss_ctx_id_rec *) context_handle; + + if (!ctx->established) + return GSS_S_NO_CONTEXT; + } + + for (i = 0; i < sizeof(krb5_gss_set_sec_context_option_ops)/ + sizeof(krb5_gss_set_sec_context_option_ops[0]); i++) { + if (g_OID_prefix_equal(desired_object, &krb5_gss_set_sec_context_option_ops[i].oid)) { + return (*krb5_gss_set_sec_context_option_ops[i].func)(minor_status, + context_handle, + desired_object, + value); + } + } + + *minor_status = EINVAL; + + return GSS_S_UNAVAILABLE; +} + +/* + * gssspi_set_cred_option() methods + */ +static struct { + gss_OID_desc oid; + OM_uint32 (*func)(OM_uint32 *, gss_cred_id_t, const gss_OID, const gss_buffer_t); +} krb5_gssspi_set_cred_option_ops[] = { + { + {GSS_KRB5_COPY_CCACHE_OID_LENGTH, GSS_KRB5_COPY_CCACHE_OID}, + gss_krb5int_copy_ccache + }, + { + {GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID_LENGTH, GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID}, + gss_krb5int_set_allowable_enctypes + }, + { + {GSS_KRB5_SET_CRED_RCACHE_OID_LENGTH, GSS_KRB5_SET_CRED_RCACHE_OID}, + gss_krb5int_set_cred_rcache + } +}; + +static OM_uint32 +krb5_gssspi_set_cred_option(OM_uint32 *minor_status, + gss_cred_id_t cred_handle, + const gss_OID desired_object, + const gss_buffer_t value) +{ + OM_uint32 major_status = GSS_S_FAILURE; + size_t i; + + if (minor_status == NULL) + return GSS_S_CALL_INACCESSIBLE_WRITE; + + *minor_status = 0; + + if (cred_handle == GSS_C_NO_CREDENTIAL) { + *minor_status = (OM_uint32)KRB5_NOCREDS_SUPPLIED; + return GSS_S_NO_CRED; + } + + if 
(desired_object == GSS_C_NO_OID) + return GSS_S_CALL_INACCESSIBLE_READ; + + major_status = krb5_gss_validate_cred(minor_status, cred_handle); + if (GSS_ERROR(major_status)) + return major_status; + + for (i = 0; i < sizeof(krb5_gssspi_set_cred_option_ops)/ + sizeof(krb5_gssspi_set_cred_option_ops[0]); i++) { + if (g_OID_prefix_equal(desired_object, &krb5_gssspi_set_cred_option_ops[i].oid)) { + return (*krb5_gssspi_set_cred_option_ops[i].func)(minor_status, + cred_handle, + desired_object, + value); + } + } + + *minor_status = EINVAL; + + return GSS_S_UNAVAILABLE; +} + +/* + * gssspi_mech_invoke() methods + */ +static struct { + gss_OID_desc oid; + OM_uint32 (*func)(OM_uint32 *, const gss_OID, const gss_OID, gss_buffer_t); +} krb5_gssspi_mech_invoke_ops[] = { + { + {GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH, GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID}, + gss_krb5int_register_acceptor_identity + }, + { + {GSS_KRB5_CCACHE_NAME_OID_LENGTH, GSS_KRB5_CCACHE_NAME_OID}, + gss_krb5int_ccache_name + }, + { + {GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID}, + gss_krb5int_free_lucid_sec_context + }, + { + {GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH, GSS_KRB5_USE_KDC_CONTEXT_OID}, + krb5int_gss_use_kdc_context + } +}; + +static OM_uint32 +krb5_gssspi_mech_invoke (OM_uint32 *minor_status, + const gss_OID desired_mech, + const gss_OID desired_object, + gss_buffer_t value) +{ + size_t i; + + if (minor_status == NULL) + return GSS_S_CALL_INACCESSIBLE_WRITE; + + *minor_status = 0; + + if (desired_mech == GSS_C_NO_OID) + return GSS_S_BAD_MECH; + + if (desired_object == GSS_C_NO_OID) + return GSS_S_CALL_INACCESSIBLE_READ; + + for (i = 0; i < sizeof(krb5_gssspi_mech_invoke_ops)/ + sizeof(krb5_gssspi_mech_invoke_ops[0]); i++) { + if (g_OID_prefix_equal(desired_object, &krb5_gssspi_mech_invoke_ops[i].oid)) { + return (*krb5_gssspi_mech_invoke_ops[i].func)(minor_status, + desired_mech, + desired_object, + value); + } + } + + *minor_status = EINVAL; + + return 
GSS_S_UNAVAILABLE; +} + +static struct gss_config krb5_mechanism = { + { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID }, + NULL, + krb5_gss_acquire_cred, + krb5_gss_release_cred, + krb5_gss_init_sec_context, +#ifdef LEAN_CLIENT + NULL, +#else + krb5_gss_accept_sec_context, +#endif + krb5_gss_process_context_token, + krb5_gss_delete_sec_context, + krb5_gss_context_time, + krb5_gss_sign, + krb5_gss_verify, +#ifdef IOV_SHIM_EXERCISE + NULL, + NULL, +#else + krb5_gss_wrap, + krb5_gss_unwrap, +#endif + krb5_gss_display_status, + krb5_gss_indicate_mechs, + krb5_gss_compare_name, + krb5_gss_display_name, + krb5_gss_import_name, + krb5_gss_release_name, + krb5_gss_inquire_cred, + krb5_gss_add_cred, +#ifdef LEAN_CLIENT + NULL, + NULL, +#else + krb5_gss_export_sec_context, + krb5_gss_import_sec_context, +#endif + krb5_gss_inquire_cred_by_mech, + krb5_gss_inquire_names_for_mech, + krb5_gss_inquire_context, + krb5_gss_internal_release_oid, + krb5_gss_wrap_size_limit, + krb5_gss_export_name, + NULL, /* store_cred */ + NULL, /* import_name_object */ + NULL, /* export_name_object */ + krb5_gss_inquire_sec_context_by_oid, + krb5_gss_inquire_cred_by_oid, + krb5_gss_set_sec_context_option, + krb5_gssspi_set_cred_option, + krb5_gssspi_mech_invoke, + NULL, /* wrap_aead */ + NULL, /* unwrap_aead */ + krb5_gss_wrap_iov, + krb5_gss_unwrap_iov, + krb5_gss_wrap_iov_length, + NULL, /* complete_auth_token */ +}; + + +#ifdef _GSS_STATIC_LINK +#include "mglueP.h" +static int gss_krb5mechglue_init(void) +{ + struct gss_mech_config mech_krb5; + + memset(&mech_krb5, 0, sizeof(mech_krb5)); + mech_krb5.mech = &krb5_mechanism; + mech_krb5.mechNameStr = "kerberos_v5"; + mech_krb5.mech_type = (gss_OID)gss_mech_krb5; + + gssint_register_mechinfo(&mech_krb5); + + mech_krb5.mechNameStr = "kerberos_v5_old"; + mech_krb5.mech_type = (gss_OID)gss_mech_krb5_old; + gssint_register_mechinfo(&mech_krb5); + + mech_krb5.mechNameStr = "mskrb"; + mech_krb5.mech_type = (gss_OID)gss_mech_krb5_wrong; + 
gssint_register_mechinfo(&mech_krb5); + + return 0; +} +#else +MAKE_INIT_FUNCTION(gss_krb5int_lib_init); +MAKE_FINI_FUNCTION(gss_krb5int_lib_fini); + +gss_mechanism KRB5_CALLCONV +gss_mech_initialize(void) +{ + return &krb5_mechanism; +} +#endif /* _GSS_STATIC_LINK */ + +int gss_krb5int_lib_init(void) +{ + int err; + +#ifdef SHOW_INITFINI_FUNCS + printf("gss_krb5int_lib_init\n"); +#endif + + add_error_table(&et_ggss_error_table); + +#ifndef LEAN_CLIENT + err = k5_mutex_finish_init(&gssint_krb5_keytab_lock); + if (err) + return err; +#endif /* LEAN_CLIENT */ + err = k5_key_register(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME, free); + if (err) + return err; + err = k5_key_register(K5_KEY_GSS_KRB5_CCACHE_NAME, free); + if (err) + return err; + err = k5_key_register(K5_KEY_GSS_KRB5_ERROR_MESSAGE, + krb5_gss_delete_error_info); + if (err) + return err; +#ifndef _WIN32 + err = k5_mutex_finish_init(&kg_kdc_flag_mutex); + if (err) + return err; + err = k5_mutex_finish_init(&kg_vdb.mutex); + if (err) + return err; +#endif +#ifdef _GSS_STATIC_LINK + err = gss_krb5mechglue_init(); + if (err) + return err; +#endif + + return 0; +} + +void gss_krb5int_lib_fini(void) +{ +#ifndef _GSS_STATIC_LINK + if (!INITIALIZER_RAN(gss_krb5int_lib_init) || PROGRAM_EXITING()) { +# ifdef SHOW_INITFINI_FUNCS + printf("gss_krb5int_lib_fini: skipping\n"); +# endif + return; + } +#endif +#ifdef SHOW_INITFINI_FUNCS + printf("gss_krb5int_lib_fini\n"); +#endif + remove_error_table(&et_k5g_error_table); + + k5_key_delete(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME); + k5_key_delete(K5_KEY_GSS_KRB5_CCACHE_NAME); + k5_mutex_destroy(&kg_vdb.mutex); +#ifndef _WIN32 + k5_mutex_destroy(&kg_kdc_flag_mutex); +#endif +#ifndef LEAN_CLIENT + k5_mutex_destroy(&gssint_krb5_keytab_lock); +#endif /* LEAN_CLIENT */ +} + +#ifdef _GSS_STATIC_LINK +extern OM_uint32 gssint_lib_init(void); +#endif + +OM_uint32 gss_krb5int_initialize_library (void) +{ +#ifdef _GSS_STATIC_LINK + return gssint_mechglue_initialize_library(); +#else + return 
CALL_INIT_FUNCTION(gss_krb5int_lib_init); +#endif +} + Modified: branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c =================================================================== --- branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2009-01-01 02:56:15 UTC (rev 21653) +++ branches/mskrb-integ/src/lib/gssapi/krb5/krb5_gss_glue.c 2009-01-01 03:04:24 UTC (rev 21654) 
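Review bot: In `krb5_gss_set_sec_context_option`, `ctx = (krb5_gss_ctx_id_rec *) context_handle;` casts the `gss_ctx_id_t *` itself rather than the handle it points to, so `ctx->established` reads the caller's pointer variable as a context record even though the line two above validates `*context_handle`; the assignment should be `ctx = (krb5_gss_ctx_id_rec *) *context_handle;`. This is moved code, but the defect lands on the new side of this hunk. `gss_krb5int_lib_init` registers `et_ggss_error_table` while `gss_krb5int_lib_fini` removes `et_k5g_error_table`; unless the k5g table is added elsewhere, the two calls should name the same table. `g_OID_prefix_equal` matches any requested OID whose first `(o2)->length` bytes equal a table entry, so a longer OID under the same arc dispatches to that entry; if exact matching is intended, compare the lengths with `==`. `mglueP.h` is now included unconditionally at the top of the file and again under `#ifdef _GSS_STATIC_LINK`, and the empty initializers for `krb5_gss_inquire_cred_by_oid_ops` and `krb5_gss_set_sec_context_option_ops` rely on a zero-length-array extension.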
@@ -53,499 +53,7 @@ */ #include "gssapiP_krb5.h" -#include "mglueP.h" -#define g_OID_prefix_equal(o1, o2) \ - (((o1)->length >= (o2)->length) && \ - (memcmp((o1)->elements, (o2)->elements, (o2)->length) == 0)) - -/* - * gss_inquire_sec_context_by_oid() methods - */ -static struct { - gss_OID_desc oid; - OM_uint32 (*func)(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *); -} krb5_gss_inquire_sec_context_by_oid_ops[] = { - { - {GSS_KRB5_GET_TKT_FLAGS_OID_LENGTH, GSS_KRB5_GET_TKT_FLAGS_OID}, - gss_krb5int_get_tkt_flags - }, - { - {GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID}, - gss_krb5int_extract_authz_data_from_sec_context - }, - { - {GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH, GSS_KRB5_INQ_SSPI_SESSION_KEY_OID}, - gss_krb5int_inq_session_key - }, - { - {GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID}, - gss_krb5int_export_lucid_sec_context - }, - { - {GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID}, - gss_krb5int_extract_authtime_from_sec_context - } -}; - -static OM_uint32 -krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_OID desired_object, - gss_buffer_set_t *data_set) -{ - krb5_gss_ctx_id_rec *ctx; - size_t i; - - if (minor_status == NULL) - return GSS_S_CALL_INACCESSIBLE_WRITE; - - *minor_status = 0; - - if (desired_object == GSS_C_NO_OID) - return GSS_S_CALL_INACCESSIBLE_READ; - - if (data_set == NULL) - return GSS_S_CALL_INACCESSIBLE_WRITE; - - *data_set = GSS_C_NO_BUFFER_SET; - - if (!kg_validate_ctx_id(context_handle)) - return GSS_S_NO_CONTEXT; - - ctx = (krb5_gss_ctx_id_rec *) context_handle; - - if (!ctx->established) - return GSS_S_NO_CONTEXT; - - for (i = 0; i < sizeof(krb5_gss_inquire_sec_context_by_oid_ops)/ - sizeof(krb5_gss_inquire_sec_context_by_oid_ops[0]); i++) { - if (g_OID_prefix_equal(desired_object, 
&krb5_gss_inquire_sec_context_by_oid_ops[i].oid)) { - return (*krb5_gss_inquire_sec_context_by_oid_ops[i].func)(minor_status, - context_handle, - desired_object, - data_set); - } - } - - *minor_status = EINVAL; - - return GSS_S_UNAVAILABLE; -} - -/* - * gss_inquire_cred_by_oid() methods - */ -static struct { - gss_OID_desc oid; - OM_uint32 (*func)(OM_uint32 *, const gss_cred_id_t, const gss_OID, gss_buffer_set_t *); -} krb5_gss_inquire_cred_by_oid_ops[] = { -}; - -static OM_uint32 -krb5_gss_inquire_cred_by_oid(OM_uint32 *minor_status, - const gss_cred_id_t cred_handle, - const gss_OID desired_object, - gss_buffer_set_t *data_set) -{ - OM_uint32 major_status = GSS_S_FAILURE; - krb5_gss_cred_id_t cred; - size_t i; - - if (minor_status == NULL) - return GSS_S_CALL_INACCESSIBLE_WRITE; - - *minor_status = 0; - - if (desired_object == GSS_C_NO_OID) - return GSS_S_CALL_INACCESSIBLE_READ; - - if (data_set == NULL) - return GSS_S_CALL_INACCESSIBLE_WRITE; - - *data_set = GSS_C_NO_BUFFER_SET; - if (cred_handle == GSS_C_NO_CREDENTIAL) { - *minor_status = (OM_uint32)KRB5_NOCREDS_SUPPLIED; - return GSS_S_NO_CRED; - } - - major_status = krb5_gss_validate_cred(minor_status, cred_handle); - if (GSS_ERROR(major_status)) - return major_status; - - cred = (krb5_gss_cred_id_t) cred_handle; - - for (i = 0; i < sizeof(krb5_gss_inquire_cred_by_oid_ops)/ - sizeof(krb5_gss_inquire_cred_by_oid_ops[0]); i++) { - if (g_OID_prefix_equal(desired_object, &krb5_gss_inquire_cred_by_oid_ops[i].oid)) { - return (*krb5_gss_inquire_cred_by_oid_ops[i].func)(minor_status, - cred_handle, - desired_object, - data_set); - } - } - - *minor_status = EINVAL; - - return GSS_S_UNAVAILABLE; -} - -/* - * gss_set_sec_context_option() methods - */ -static struct { - gss_OID_desc oid; - OM_uint32 (*func)(OM_uint32 *, gss_ctx_id_t *, const gss_OID, const gss_buffer_t); -} krb5_gss_set_sec_context_option_ops[] = { -}; - -static OM_uint32 -krb5_gss_set_sec_context_option (OM_uint32 *minor_status, - gss_ctx_id_t 
*context_handle, - const gss_OID desired_object, - const gss_buffer_t value) -{ - size_t i; - - if (minor_status == NULL) - return GSS_S_CALL_INACCESSIBLE_WRITE; - - *minor_status = 0; - - if (context_handle == NULL) - return GSS_S_CALL_INACCESSIBLE_READ; - - if (desired_object == GSS_C_NO_OID) - return GSS_S_CALL_INACCESSIBLE_READ; - - if (*context_handle != GSS_C_NO_CONTEXT) { - krb5_gss_ctx_id_rec *ctx; - - if (!kg_validate_ctx_id(*context_handle)) - return GSS_S_NO_CONTEXT; - - ctx = (krb5_gss_ctx_id_rec *) context_handle; - - if (!ctx->established) - return GSS_S_NO_CONTEXT; - } - - for (i = 0; i < sizeof(krb5_gss_set_sec_context_option_ops)/ - sizeof(krb5_gss_set_sec_context_option_ops[0]); i++) { - if (g_OID_prefix_equal(desired_object, &krb5_gss_set_sec_context_option_ops[i].oid)) { - return (*krb5_gss_set_sec_context_option_ops[i].func)(minor_status, - context_handle, - desired_object, - value); - } - } - - *minor_status = EINVAL; - - return GSS_S_UNAVAILABLE; -} - -/* - * gssspi_set_cred_option() methods - */ -static struct { - gss_OID_desc oid; - OM_uint32 (*func)(OM_uint32 *, gss_cred_id_t, const gss_OID, const gss_buffer_t); -} krb5_gssspi_set_cred_option_ops[] = { - { - {GSS_KRB5_COPY_CCACHE_OID_LENGTH, GSS_KRB5_COPY_CCACHE_OID}, - gss_krb5int_copy_ccache - }, - { - {GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID_LENGTH, GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID}, - gss_krb5int_set_allowable_enctypes - }, - { - {GSS_KRB5_SET_CRED_RCACHE_OID_LENGTH, GSS_KRB5_SET_CRED_RCACHE_OID}, - gss_krb5int_set_cred_rcache - } -}; - -static OM_uint32 -krb5_gssspi_set_cred_option(OM_uint32 *minor_status, - gss_cred_id_t cred_handle, - const gss_OID desired_object, - const gss_buffer_t value) -{ - OM_uint32 major_status = GSS_S_FAILURE; - size_t i; - - if (minor_status == NULL) - return GSS_S_CALL_INACCESSIBLE_WRITE; - - *minor_status = 0; - - if (cred_handle == GSS_C_NO_CREDENTIAL) { - *minor_status = (OM_uint32)KRB5_NOCREDS_SUPPLIED; - return GSS_S_NO_CRED; - } - - if 
(desired_object == GSS_C_NO_OID) - return GSS_S_CALL_INACCESSIBLE_READ; - - major_status = krb5_gss_validate_cred(minor_status, cred_handle); - if (GSS_ERROR(major_status)) - return major_status; - - for (i = 0; i < sizeof(krb5_gssspi_set_cred_option_ops)/ - sizeof(krb5_gssspi_set_cred_option_ops[0]); i++) { - if (g_OID_prefix_equal(desired_object, &krb5_gssspi_set_cred_option_ops[i].oid)) { - return (*krb5_gssspi_set_cred_option_ops[i].func)(minor_status, - cred_handle, - desired_object, - value); - } - } - - *minor_status = EINVAL; - - return GSS_S_UNAVAILABLE; -} - -/* - * gssspi_mech_invoke() methods - */ -static struct { - gss_OID_desc oid; - OM_uint32 (*func)(OM_uint32 *, const gss_OID, const gss_OID, gss_buffer_t); -} krb5_gssspi_mech_invoke_ops[] = { - { - {GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH, GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID}, - gss_krb5int_register_acceptor_identity - }, - { - {GSS_KRB5_CCACHE_NAME_OID_LENGTH, GSS_KRB5_CCACHE_NAME_OID}, - gss_krb5int_ccache_name - }, - { - {GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID}, - gss_krb5int_free_lucid_sec_context - }, - { - {GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH, GSS_KRB5_USE_KDC_CONTEXT_OID}, - krb5int_gss_use_kdc_context - } -}; - -static OM_uint32 -krb5_gssspi_mech_invoke (OM_uint32 *minor_status, - const gss_OID desired_mech, - const gss_OID desired_object, - gss_buffer_t value) -{ - size_t i; - - if (minor_status == NULL) - return GSS_S_CALL_INACCESSIBLE_WRITE; - - *minor_status = 0; - - if (desired_mech == GSS_C_NO_OID) - return GSS_S_BAD_MECH; - - if (desired_object == GSS_C_NO_OID) - return GSS_S_CALL_INACCESSIBLE_READ; - - for (i = 0; i < sizeof(krb5_gssspi_mech_invoke_ops)/ - sizeof(krb5_gssspi_mech_invoke_ops[0]); i++) { - if (g_OID_prefix_equal(desired_object, &krb5_gssspi_mech_invoke_ops[i].oid)) { - return (*krb5_gssspi_mech_invoke_ops[i].func)(minor_status, - desired_mech, - desired_object, - value); - } - } - - *minor_status = EINVAL; - - return 
GSS_S_UNAVAILABLE; -} - -static struct gss_config krb5_mechanism = { - { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID }, - NULL, - krb5_gss_acquire_cred, - krb5_gss_release_cred, - krb5_gss_init_sec_context, -#ifdef LEAN_CLIENT - NULL, -#else - krb5_gss_accept_sec_context, -#endif - krb5_gss_process_context_token, - krb5_gss_delete_sec_context, - krb5_gss_context_time, - krb5_gss_sign, - krb5_gss_verify, -#ifdef IOV_SHIM_EXERCISE - NULL, - NULL, -#else - krb5_gss_wrap, - krb5_gss_unwrap, -#endif - krb5_gss_display_status, - krb5_gss_indicate_mechs, - krb5_gss_compare_name, - krb5_gss_display_name, - krb5_gss_import_name, - krb5_gss_release_name, - krb5_gss_inquire_cred, - krb5_gss_add_cred, -#ifdef LEAN_CLIENT - NULL, - NULL, -#else - krb5_gss_export_sec_context, - krb5_gss_import_sec_context, -#endif - krb5_gss_inquire_cred_by_mech, - krb5_gss_inquire_names_for_mech, - krb5_gss_inquire_context, - krb5_gss_internal_release_oid, - krb5_gss_wrap_size_limit, - krb5_gss_export_name, - NULL, /* store_cred */ - NULL, /* import_name_object */ - NULL, /* export_name_object */ - krb5_gss_inquire_sec_context_by_oid, - krb5_gss_inquire_cred_by_oid, - krb5_gss_set_sec_context_option, - krb5_gssspi_set_cred_option, - krb5_gssspi_mech_invoke, - NULL, /* wrap_aead */ - NULL, /* unwrap_aead */ - krb5_gss_wrap_iov, - krb5_gss_unwrap_iov, - krb5_gss_wrap_iov_length, - NULL, /* complete_auth_token */ -}; - - -#ifdef _GSS_STATIC_LINK -#include "mglueP.h" -static int gss_krb5mechglue_init(void) -{ - struct gss_mech_config mech_krb5; - - memset(&mech_krb5, 0, sizeof(mech_krb5)); - mech_krb5.mech = &krb5_mechanism; - mech_krb5.mechNameStr = "kerberos_v5"; - mech_krb5.mech_type = (gss_OID)gss_mech_krb5; - - gssint_register_mechinfo(&mech_krb5); - - mech_krb5.mechNameStr = "kerberos_v5_old"; - mech_krb5.mech_type = (gss_OID)gss_mech_krb5_old; - gssint_register_mechinfo(&mech_krb5); - - mech_krb5.mechNameStr = "mskrb"; - mech_krb5.mech_type = (gss_OID)gss_mech_krb5_wrong; - 
gssint_register_mechinfo(&mech_krb5); - - return 0; -} -#else -MAKE_INIT_FUNCTION(gss_krb5int_lib_init); -MAKE_FINI_FUNCTION(gss_krb5int_lib_fini); - -gss_mechanism KRB5_CALLCONV -gss_mech_initialize(void) -{ - return &krb5_mechanism; -} -#endif /* _GSS_STATIC_LINK */ - -int gss_krb5int_lib_init(void) -{ - int err; - -#ifdef SHOW_INITFINI_FUNCS - printf("gss_krb5int_lib_init\n"); -#endif - - add_error_table(&et_ggss_error_table); - -#ifndef LEAN_CLIENT - err = k5_mutex_finish_init(&gssint_krb5_keytab_lock); - if (err) - return err; -#endif /* LEAN_CLIENT */ - err = k5_key_register(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME, free); - if (err) - return err; - err = k5_key_register(K5_KEY_GSS_KRB5_CCACHE_NAME, free); - if (err) - return err; - err = k5_key_register(K5_KEY_GSS_KRB5_ERROR_MESSAGE, - krb5_gss_delete_error_info); - if (err) - return err; -#ifndef _WIN32 - err = k5_mutex_finish_init(&kg_kdc_flag_mutex); - if (err) - return err; - err = k5_mutex_finish_init(&kg_vdb.mutex); - if (err) - return err; -#endif -#ifdef _GSS_STATIC_LINK - err = gss_krb5mechglue_init(); - if (err) - return err; -#endif - - return 0; -} - -void gss_krb5int_lib_fini(void) -{ -#ifndef _GSS_STATIC_LINK - if (!INITIALIZER_RAN(gss_krb5int_lib_init) || PROGRAM_EXITING()) { -# ifdef SHOW_INITFINI_FUNCS - printf("gss_krb5int_lib_fini: skipping\n"); -# endif - return; - } -#endif -#ifdef SHOW_INITFINI_FUNCS - printf("gss_krb5int_lib_fini\n"); -#endif - remove_error_table(&et_k5g_error_table); - - k5_key_delete(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME); - k5_key_delete(K5_KEY_GSS_KRB5_CCACHE_NAME); - k5_mutex_destroy(&kg_vdb.mutex); -#ifndef _WIN32 - k5_mutex_destroy(&kg_kdc_flag_mutex); -#endif -#ifndef LEAN_CLIENT - k5_mutex_destroy(&gssint_krb5_keytab_lock); -#endif /* LEAN_CLIENT */ -} - -#ifdef _GSS_STATIC_LINK -extern OM_uint32 gssint_lib_init(void); -#endif - -OM_uint32 gss_krb5int_initialize_library (void) -{ -#ifdef _GSS_STATIC_LINK - return gssint_mechglue_initialize_library(); -#else - return 
CALL_INIT_FUNCTION(gss_krb5int_lib_init); -#endif -} - -/* - * Mechanism specific API shims below - */ - OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags( OM_uint32 *minor_status,