From rt-comment at krbdev.mit.edu  Mon Aug  4 14:22:54 2008
From: rt-comment at krbdev.mit.edu (Roland C. Dowdeswell via RT)
Date: Mon, 4 Aug 2008 14:22:54 -0400 (EDT)
Subject: [krbdev.mit.edu #6058] kadm5_setkey_principal does not validate
	keyblocks. 
In-Reply-To: <rt-6058@krbdev.mit.edu>
Message-ID: <rt-6058-27791.16.0176591348316@krbdev.mit.edu>

Looks like kadm5_setkey_principal() and krb5_kt_add_entry() do not
validate the length of the keys that are in the krb5_keyblocks
passed in.

This will allow you to set invalid keys in either the Kerberos DB
or in keytabs.  From a quick code perusal, it seemed that if you
set a key in the DB of aes256-cts but with a key length of 16 then
the KDC will simply use aes128-cts.  This seems a little wrong.

The attached patch defines krb5_c_valid_keyblock() which returns
false if:

	1.  the magic number is incorrect,

	2.  the encryption type can't be found, or

	3.  the key length does not correspond to the encryption
	    type.

This is by no means a complete solution, as in a more perfect world,
one would want to define some extra error codes and return something
a little more precise than a boolean value.

But it does at least prevent programming mistakes from inserting
inappropriate keys into the DB.

It should also be called from a lot more locations rather than just
these two.

Index: lib/crypto/Makefile.in
===================================================================
RCS file: /ms/dev/kerberos/mitkrb5/cvs-dirs/mitkrb5-1.4/mitkrb5/src/lib/crypto/Makefile.in,v
retrieving revision 1.1.1.2
diff -u -b -U10 -r1.1.1.2 Makefile.in
--- lib/crypto/Makefile.in	26 Sep 2006 20:29:54 -0000	1.1.1.2
+++ lib/crypto/Makefile.in	1 Aug 2008 17:15:53 -0000
@@ -55,20 +55,21 @@
 	nfold.o			\
 	old_api_glue.o		\
 	pbkdf2.o		\
 	prng.o			\
 	state.o \
 	string_to_cksumtype.o	\
 	string_to_enctype.o	\
 	string_to_key.o		\
 	valid_cksumtype.o	\
 	valid_enctype.o		\
+	valid_keyblock.o	\
 	verify_checksum.o
 
 OBJS=\
 	$(OUTPRE)block_size.$(OBJEXT)		\
 	$(OUTPRE)checksum_length.$(OBJEXT)	\
 	$(OUTPRE)cksumtype_to_string.$(OBJEXT)	\
 	$(OUTPRE)cksumtypes.$(OBJEXT)		\
 	$(OUTPRE)coll_proof_cksum.$(OBJEXT)	\
 	$(OUTPRE)combine_keys.$(OBJEXT)	\
 	$(OUTPRE)crypto_libinit.$(OBJEXT)	\
@@ -88,20 +89,21 @@
 	$(OUTPRE)nfold.$(OBJEXT)		\
 	$(OUTPRE)old_api_glue.$(OBJEXT)		\
 	$(OUTPRE)pbkdf2.$(OBJEXT)		\
 	$(OUTPRE)prng.$(OBJEXT)			\
 	$(OUTPRE)state.$(OBJEXT) \
 	$(OUTPRE)string_to_cksumtype.$(OBJEXT)	\
 	$(OUTPRE)string_to_enctype.$(OBJEXT)	\
 	$(OUTPRE)string_to_key.$(OBJEXT)	\
 	$(OUTPRE)valid_cksumtype.$(OBJEXT)	\
 	$(OUTPRE)valid_enctype.$(OBJEXT)	\
+	$(OUTPRE)valid_keyblock.$(OBJEXT)	\
 	$(OUTPRE)verify_checksum.$(OBJEXT)
 
 SRCS=\
 	$(srcdir)/block_size.c		\
 	$(srcdir)/checksum_length.c	\
 	$(srcdir)/cksumtype_to_string.c	\
 	$(srcdir)/cksumtypes.c		\
 	$(srcdir)/coll_proof_cksum.c	\
 	$(srcdir)/combine_keys.c	\
 	$(srcdir)/crypto_libinit.c	\
@@ -120,21 +122,21 @@
 	$(srcdir)/mandatory_sumtype.c	\
 	$(srcdir)/nfold.c		\
 	$(srcdir)/old_api_glue.c	\
 	$(srcdir)/pbkdf2.c	\
 	$(srcdir)/prng.c		\
 	$(srcdir)/state.c \
 	$(srcdir)/string_to_cksumtype.c	\
 	$(srcdir)/string_to_enctype.c	\
 	$(srcdir)/string_to_key.c	\
 	$(srcdir)/valid_cksumtype.c	\
-	$(srcdir)/valid_enctype.c	\
+	$(srcdir)/valid_keyblock.c	\
 	$(srcdir)/verify_checksum.c
 
 
 LIBBASE=k5crypto
 LIBMAJOR=3
 LIBMINOR=0
 LIBINITFUNC=cryptoint_initialize_library
 LIBFINIFUNC=cryptoint_cleanup_library
 RELDIR=crypto
 
@@ -538,20 +540,26 @@
   $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
   $(SRCTOP)/include/krb5/kdb.h etypes.h
 valid_cksumtype.so valid_cksumtype.po $(OUTPRE)valid_cksumtype.$(OBJEXT): valid_cksumtype.c \
   $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
   $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-thread.h $(BUILDTOP)/include/krb5.h \
   $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
   $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
   cksumtypes.h
 valid_enctype.so valid_enctype.po $(OUTPRE)valid_enctype.$(OBJEXT): valid_enctype.c $(SRCTOP)/include/k5-int.h \
+  $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+  $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
+  $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(SRCTOP)/include/krb5/kdb.h etypes.h
+valid_keyblock.so valid_keyblock.po $(OUTPRE)valid_keyblock.$(OBJEXT): valid_keyblock.c $(SRCTOP)/include/k5-int.h \
   $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
   $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
   $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
   $(SRCTOP)/include/krb5/kdb.h etypes.h
 verify_checksum.so verify_checksum.po $(OUTPRE)verify_checksum.$(OBJEXT): verify_checksum.c \
   $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
   $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-thread.h $(BUILDTOP)/include/krb5.h \
   $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
Index: lib/crypto/libk5crypto.exports
===================================================================
RCS file: /ms/dev/kerberos/mitkrb5/cvs-dirs/mitkrb5-1.4/mitkrb5/src/lib/crypto/libk5crypto.exports,v
retrieving revision 1.1.1.1
diff -u -b -U10 -r1.1.1.1 libk5crypto.exports
--- lib/crypto/libk5crypto.exports	28 Mar 2005 21:43:21 -0000	1.1.1.1
+++ lib/crypto/libk5crypto.exports	1 Aug 2008 17:17:05 -0000
@@ -26,20 +26,21 @@
 krb5_c_make_checksum
 krb5_c_make_random_key
 krb5_c_random_add_entropy
 krb5_c_random_make_octets
 krb5_c_random_os_entropy
 krb5_c_random_seed
 krb5_c_string_to_key
 krb5_c_string_to_key_with_params
 krb5_c_valid_cksumtype
 krb5_c_valid_enctype
+krb5_c_valid_keyblock
 krb5_c_verify_checksum
 krb5_calculate_checksum
 krb5_checksum_size
 krb5_cksumtype_to_string
 krb5_cksumtypes_length
 krb5_cksumtypes_list
 krb5_decrypt
 krb5_decrypt_data
 krb5_derive_key
 krb5_derive_random
Index: lib/crypto/valid_keyblock.c
===================================================================
RCS file: lib/crypto/valid_keyblock.c
diff -N lib/crypto/valid_keyblock.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ lib/crypto/valid_keyblock.c	1 Aug 2008 17:16:39 -0000
@@ -0,0 +1,28 @@
+
+#include "k5-int.h"
+#include "etypes.h"
+
+krb5_boolean KRB5_CALLCONV
+krb5_c_valid_keyblock(krb5_keyblock k)
+{
+    int i;
+    const struct krb5_enc_provider *enc;
+
+    if (k.magic != KV5M_KEYBLOCK)
+	return(0);
+
+    for (i=0; i<krb5_enctypes_length; i++) {
+	if (krb5_enctypes_list[i].etype == k.enctype)
+	    break;
+    }
+
+    if (i == krb5_enctypes_length)
+	return(0);
+
+    enc = krb5_enctypes_list[i].enc;
+
+    if (k.length != enc->keylength)
+	return(0);
+
+    return(1);
+}
Index: lib/kadm5/srv/svr_principal.c
===================================================================
RCS file: /ms/dev/kerberos/mitkrb5/cvs-dirs/mitkrb5-1.4/mitkrb5/src/lib/kadm5/srv/svr_principal.c,v
retrieving revision 1.4
diff -u -b -U10 -r1.4 svr_principal.c
--- lib/kadm5/srv/svr_principal.c	26 Sep 2006 20:50:37 -0000	1.4
+++ lib/kadm5/srv/svr_principal.c	1 Aug 2008 17:35:51 -0000
@@ -1687,20 +1687,23 @@
     CHECK_HANDLE(server_handle);
 
     if (principal == NULL || keyblocks == NULL)
 	return EINVAL;
     if (hist_princ && /* this will be NULL when initializing the databse */
 	((krb5_principal_compare(handle->context,
 				 principal, hist_princ)) == TRUE))
 	return KADM5_PROTECT_PRINCIPAL;
 
     for (i = 0; i < n_keys; i++) {
+	if (!krb5_c_valid_keyblock(keyblocks[i]))
+	    return EINVAL;
+
 	for (j = i+1; j < n_keys; j++) {
 	    if ((ret = krb5_c_enctype_compare(handle->context,
 					      keyblocks[i].enctype,
 					      keyblocks[j].enctype,
 					      &similar)))
 		return(ret);
 	    if (similar) {
 		if (n_ks_tuple) {
 		    if (ks_tuple[i].ks_salttype == ks_tuple[j].ks_salttype)
 			return KADM5_SETKEY_DUP_ENCTYPES;
Index: lib/krb5/keytab/ktadd.c
===================================================================
RCS file: /ms/dev/kerberos/mitkrb5/cvs-dirs/mitkrb5-1.4/mitkrb5/src/lib/krb5/keytab/ktadd.c,v
retrieving revision 1.1.1.1
diff -u -b -U10 -r1.1.1.1 ktadd.c
--- lib/krb5/keytab/ktadd.c	28 Mar 2005 21:43:35 -0000	1.1.1.1
+++ lib/krb5/keytab/ktadd.c	1 Aug 2008 17:43:07 -0000
@@ -25,15 +25,18 @@
  * 
  *
  * krb5_kt_add_entry()
  */
 
 #include "k5-int.h"
 
 krb5_error_code KRB5_CALLCONV
 krb5_kt_add_entry (krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)
 {
+    if (!krb5_c_valid_keyblock(entry->key))
+	return EINVAL;	/* XXXrcd: bad error code, choose another one. */
+
     if (id->ops->add)
 	return (*id->ops->add)(context, id, entry);
     else
 	return KRB5_KT_NOWRITE;
 }
Index: include/krb5.hin
===================================================================
RCS file: /ms/dev/kerberos/mitkrb5/cvs-dirs/mitkrb5-1.4/mitkrb5/src/include/krb5.hin,v
retrieving revision 1.1.1.2
diff -u -b -U10 -r1.1.1.2 krb5.hin
--- include/krb5.hin	26 Sep 2006 20:29:10 -0000	1.1.1.2
+++ include/krb5.hin	1 Aug 2008 17:19:04 -0000
@@ -542,20 +542,22 @@
 #define KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV		24
 
 /* Defined in hardware preauth draft */
 
 #define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM	25
 #define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID	26
 #define KRB5_KEYUSAGE_PA_SAM_RESPONSE		27
 
 krb5_boolean KRB5_CALLCONV krb5_c_valid_enctype
 	(krb5_enctype ktype);
+krb5_boolean KRB5_CALLCONV krb5_c_valid_keyblock
+	(krb5_keyblock key);
 krb5_boolean KRB5_CALLCONV krb5_c_valid_cksumtype
 	(krb5_cksumtype ctype);
 krb5_boolean KRB5_CALLCONV krb5_c_is_coll_proof_cksum
 	(krb5_cksumtype ctype);
 krb5_boolean KRB5_CALLCONV krb5_c_is_keyed_cksum
 	(krb5_cksumtype ctype);
 
 #if KRB5_PRIVATE
 /* Use the above four instead.  */
 krb5_boolean KRB5_CALLCONV valid_enctype


From rt-comment at krbdev.mit.edu  Tue Aug  5 03:55:22 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Tue, 5 Aug 2008 03:55:22 -0400 (EDT)
Subject: [krbdev.mit.edu #6062] better handling of close-on-exec race 
In-Reply-To: <rt-6062@krbdev.mit.edu>
Message-ID: <rt-6062-27849.10.6703154748718@krbdev.mit.edu>

Newer Linux kernels (and I guess glibc versions) are getting support  
for having new file descriptors have the close-on-exec flag set from  
the start, eliminating the race condition.  We probably want a similar  
fix -- wrappers for open, fopen, accept, and so on, that use these  
hooks if present, and otherwise perform the traditional operation and  
then set close-on-exec as quickly as possible.

Begin forwarded message:

> From: Andrew Bartlett <abartlet at samba.org>
> Date: August 4, 2008 19:58:46 EDT
> To: Love Hörnquist Åstrand <lha at kth.se>
> Cc: heimdal-discuss <heimdal-discuss at sics.se>
> Subject: Re: [Heimdal-source-changes] heimdal r23441 - trunk/heimdal/ 
> lib/roken
> Reply-To: heimdal-discuss at sics.se, Andrew Bartlett  
> <abartlet at samba.org>
> X-Spam-Score: 0.13
>
> On Mon, 2008-07-28 at 08:26 +0100, Love Hörnquist Åstrand wrote:
>> 28 jul 2008 kl. 01.15 skrev Andrew Bartlett:
>>
>>> On Sun, 2008-07-27 at 14:05 +0200, lha at it.su.se wrote:
>>>> Author: lha
>>>> Name: Love Hrnquist strand
>>>> Date: 2008-07-27 14:05:11 +0200 (Sun, 27 Jul 2008)
>>>> Repository: heimdal
>>>> Repository Path:/afs/su.se/services/svn/heimdal
>>>> New Revision: 23441
>>>>
>>>> Added:
>>>>  trunk/heimdal/lib/roken/cloexec.c
>>>> Log:
>>>> Wrapper function for close on exec().
>>>
>>> Is this really the right way to do this?
>>>
>>> Given that recent Linux has a completely race-free way of handling
>>> this,
>>> shouldn't this be added to a roken version of open(), emulated on
>>> other
>>> systems?
>>
>> We need to to do it for socket/fopen/opendir too, and I rather not
>> sprinkle that 5 lines all over the place.
>>
>> That said, we should pass in O_CLOEXEC to open(2) calls too (just  
>> like
>> we do with O_BINARY).
>>
>> Thanks for point O_CLOEXEC out, I had totally missed that.
>
> Just to keep you busy, this should summarise all the calls and the way
> they have been adjusted to avoid this race:
>
> http://udrepper.livejournal.com/20407.html
>
> Andrew Bartlett
> -- 
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Red Hat Inc.




From rt-comment at krbdev.mit.edu  Tue Aug  5 14:06:32 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Tue, 5 Aug 2008 14:06:32 -0400 (EDT)
Subject: [krbdev.mit.edu #6062] better handling of close-on-exec race 
In-Reply-To: <rt-6062@krbdev.mit.edu>
Message-ID: <rt-6062-27850.14.8069379360981@krbdev.mit.edu>

For most programs, the race condition isn't much of an issue, because we'd have to have a 
multithreaded program (or one doing funny things in signal handlers) that can spawn a user-
controlled or at least user-accessible process at a point where extra file descriptors are open.  
So it needn't be high priority.

The developer systems we're using now aren't new enough to have support for the syscall 
changes, so we can't actually test the use of the new syscalls without building a custom 
configuration.  However, we could certainly build and use the wrapper routines now and update 
them later.

From rt-comment at krbdev.mit.edu  Tue Aug  5 15:28:32 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Tue, 5 Aug 2008 15:28:32 -0400 (EDT)
Subject: [krbdev.mit.edu #3930] CCAPI server must be able to distinguish
	context handles from other server instances 
In-Reply-To: <rt-3930@krbdev.mit.edu>
Message-ID: <rt-3930-27856.13.5421744789381@krbdev.mit.edu>

Fixed by new CCAPI implementation.  Tracked by server identifiers (UUID).

From rt-comment at krbdev.mit.edu  Tue Aug  5 15:31:07 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Tue, 5 Aug 2008 15:31:07 -0400 (EDT)
Subject: [krbdev.mit.edu #3929] support lazy launching of ccapi server 
In-Reply-To: <rt-3929@krbdev.mit.edu>
Message-ID: <rt-3929-27860.8.05316026874188@krbdev.mit.edu>

Fixed in new CCAPI implementation.  OS support must implement

cc_int32 cci_os_ipc (
                      cc_int32      in_launch_server,
                     cci_stream_t  in_request_stream,
                     cci_stream_t *out_reply_stream);

where in_launch_server determines whether or not the server is launched if not already running.

From rt-comment at krbdev.mit.edu  Tue Aug  5 15:36:07 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Tue, 5 Aug 2008 15:36:07 -0400 (EDT)
Subject: [krbdev.mit.edu #5468] delete kadmin v1 support 
In-Reply-To: <rt-5468@krbdev.mit.edu>
Message-ID: <rt-5468-27868.3.90860824140752@krbdev.mit.edu>

Sent query to krbdev list 2008-08-04 (see http://mailman.mit.edu/pipermail/krbdev/2008-
August/thread.html#6816) asking if anyone is using the ovsec_ or v1 kadm5_ APIs.

From rt-comment at krbdev.mit.edu  Tue Aug  5 15:39:52 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Tue, 5 Aug 2008 15:39:52 -0400 (EDT)
Subject: [krbdev.mit.edu #3933] CCAPI client library reconnection support 
In-Reply-To: <rt-3933@krbdev.mit.edu>
Message-ID: <rt-3933-27871.0.279708190732748@krbdev.mit.edu>

Resolved by new CCAPI implementation.

From rt-comment at krbdev.mit.edu  Tue Aug  5 15:42:59 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Tue, 5 Aug 2008 15:42:59 -0400 (EDT)
Subject: [krbdev.mit.edu #3931] CCAPI context and ccache change times must be
	stored by the client 
In-Reply-To: <rt-3931@krbdev.mit.edu>
Message-ID: <rt-3931-27873.6.11362632749696@krbdev.mit.edu>

Resolved by new CCAPI implementation.  Change time is a mutex-protected global in the client 
library and the context is a client library-side object.

From rt-comment at krbdev.mit.edu  Tue Aug  5 15:44:34 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Tue, 5 Aug 2008 15:44:34 -0400 (EDT)
Subject: [krbdev.mit.edu #3932] CCAPI should use a cc_handle not implemented
	as a pointer 
In-Reply-To: <rt-3932@krbdev.mit.edu>
Message-ID: <rt-3932-27875.0.889924860421445@krbdev.mit.edu>

Fixed in new CCAPI implementation.  Uses UUIDs instead of pointers.

From rt-comment at krbdev.mit.edu  Tue Aug  5 15:45:16 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Tue, 5 Aug 2008 15:45:16 -0400 (EDT)
Subject: [krbdev.mit.edu #3934] Implement CCAPI blocking calls 
In-Reply-To: <rt-3934@krbdev.mit.edu>
Message-ID: <rt-3934-27877.3.72688432747509@krbdev.mit.edu>

Fixed in new CCAPI implementation. 

From rt-comment at krbdev.mit.edu  Tue Aug  5 15:45:48 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Tue, 5 Aug 2008 15:45:48 -0400 (EDT)
Subject: [krbdev.mit.edu #3935] CCAPI implement locking 
In-Reply-To: <rt-3935@krbdev.mit.edu>
Message-ID: <rt-3935-27879.0.243961339801686@krbdev.mit.edu>

Fixed in new CCAPI implementation.  Locks are advisory so they do not have to time out.

From rt-comment at krbdev.mit.edu  Tue Aug  5 15:46:47 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Tue, 5 Aug 2008 15:46:47 -0400 (EDT)
Subject: [krbdev.mit.edu #2939] unified CCAPI implementation 
In-Reply-To: <rt-2939@krbdev.mit.edu>
Message-ID: <rt-2939-27881.6.69973837983278@krbdev.mit.edu>

New CCAPI implementation complete.  Currently platform-specific code implemented for Mac 
OS X and Windows.

From rt-comment at krbdev.mit.edu  Tue Aug  5 16:57:36 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Tue, 5 Aug 2008 16:57:36 -0400 (EDT)
Subject: [krbdev.mit.edu #1255] Delete kadmin/passwd 
In-Reply-To: <rt-1255@krbdev.mit.edu>
Message-ID: <rt-1255-27882.18.3187578165801@krbdev.mit.edu>

The only tests using kadmin/passwd are the kadmin/passwd unit tests.  We could easily excise 
that subtree, but some of the tests aren't duplicated elsewhere (changing to same password, 
password in dictionary, character class requirements).

From rt-comment at krbdev.mit.edu  Tue Aug  5 18:15:42 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Tue, 5 Aug 2008 18:15:42 -0400 (EDT)
Subject: [krbdev.mit.edu #6063] SVN Commit 
In-Reply-To: <rt-6063@krbdev.mit.edu>
Message-ID: <rt-6063-27883.8.28761729488427@krbdev.mit.edu>


Fix off-by-one error in checking that socket file descriptor numbers
are in range suitable for an fd_set.  Also, don't do the check if we
should someday happen to get compiled on Windows.
Commit By: raeburn



Revision: 20606
Changed Files:
U   trunk/src/kdc/network.c


From rt-comment at krbdev.mit.edu  Tue Aug  5 20:05:55 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Tue, 5 Aug 2008 20:05:55 -0400 (EDT)
Subject: [krbdev.mit.edu #6064] SVN Commit 
In-Reply-To: <rt-6064@krbdev.mit.edu>
Message-ID: <rt-6064-27888.0.717506572439319@krbdev.mit.edu>


After an allocation failure, free up the previously allocated array
elements by counting back down to zero, not continuing to count up
until we hit zero.
Commit By: raeburn



Revision: 20608
Changed Files:
U   trunk/src/lib/krb5/krb/get_in_tkt.c


From rt-comment at krbdev.mit.edu  Wed Aug  6 11:51:55 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Wed, 6 Aug 2008 11:51:55 -0400 (EDT)
Subject: [krbdev.mit.edu #6065] SVN Commit 
In-Reply-To: <rt-6065@krbdev.mit.edu>
Message-ID: <rt-6065-27893.12.146688444375@krbdev.mit.edu>


Don't free automatic storage after sending database.
Commit By: raeburn



Revision: 20611
Changed Files:
U   trunk/src/slave/kprop.c


From rt-comment at krbdev.mit.edu  Wed Aug  6 18:12:23 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Wed, 6 Aug 2008 18:12:23 -0400 (EDT)
Subject: [krbdev.mit.edu #6066] SVN Commit 
In-Reply-To: <rt-6066@krbdev.mit.edu>
Message-ID: <rt-6066-27898.0.624655956237561@krbdev.mit.edu>


With one big known exception having to do with exiting processes, I
think we've shaken out most of the thread-related bugs that this code
is going to catch in the existing code.  It adds a lot of runtime
code, so disable it for now, it can be enabled again for testing new
changes.
Commit By: raeburn



Revision: 20625
Changed Files:
U   trunk/src/include/k5-thread.h


From rt-comment at krbdev.mit.edu  Thu Aug  7 16:03:34 2008
From: rt-comment at krbdev.mit.edu (william.fiveash@sun.com via RT)
Date: Thu, 7 Aug 2008 16:03:34 -0400 (EDT)
Subject: [krbdev.mit.edu #194] a stash file is not a keytab 
In-Reply-To: <rt-194@krbdev.mit.edu>
Message-ID: <rt-194-27902.18.3777815446651@krbdev.mit.edu>

Ken,
I committed a test to verify that the new mkey stash code is backwards
compat with old format stash files.  See the latest changeset on the
mkey_keytab branch.  Let me know if that looks good, I'm assuming that
branch can be merged in after that.

--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/

From rt-comment at krbdev.mit.edu  Mon Aug 11 11:08:16 2008
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 Aug 2008 11:08:16 -0400 (EDT)
Subject: [krbdev.mit.edu #5605] SVN Commit 
In-Reply-To: <rt-5605@krbdev.mit.edu>
Message-ID: <rt-5605-27905.7.83075935283954@krbdev.mit.edu>


pull up r20570 from trunk

 r20570 at cathode-dark-space:  jaltman | 2008-07-23 10:38:27 -0400
 ticket: 5605
 tags: pullup
 
 cw_handle_header_msg():
 
 The behavior of the HDN_ENDTRACK notification has changed slightly on
 Vista.  HDM_GETITEMRECT, when used while handling HDN_ENDTRACK, returns
 the item extents that were there prior to the user starting the resizing
 operation.  Earlier it would return the extents that resulted from the
 resizing operation.
 
 This resulted in a visual update problem on Windows Vista/2008
 in the NIM Advanced View.
 
 
 


Commit By: tlyu



Revision: 20638
Changed Files:
_U  branches/krb5-1-6/
U   branches/krb5-1-6/src/windows/identity/ui/credwnd.c


From rt-comment at krbdev.mit.edu  Mon Aug 11 11:08:32 2008
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 Aug 2008 11:08:32 -0400 (EDT)
Subject: [krbdev.mit.edu #6046] SVN Commit 
In-Reply-To: <rt-6046@krbdev.mit.edu>
Message-ID: <rt-6046-27908.11.6798782821959@krbdev.mit.edu>


pull up r20571 from trunk

 r20571 at cathode-dark-space:  jaltman | 2008-07-23 10:44:50 -0400
 ticket: 6046
 tags: pullup
 
  	
 
 The /src/windows/identity/plugins/common/dynimport.{c,h} files are used
 by the NIM Kerberos v5 plug-ins for run-time dynamic linking.  They
 currently do not declare or import the following functions:
 
 krb5_get_error_message()
 krb5_free_error_message()
 krb5_clear_error_message()
 
 This patch adds declarations and definitions required for locating these
 functions.  Relies on the addition of these functions to the prototype
 list in the Pismere loadfuncs-krb5.h.  See ticket 6045.
 
 
 


Commit By: tlyu



Revision: 20639
Changed Files:
_U  branches/krb5-1-6/
U   branches/krb5-1-6/src/windows/identity/plugins/common/dynimport.c
U   branches/krb5-1-6/src/windows/identity/plugins/common/dynimport.h


From rt-comment at krbdev.mit.edu  Mon Aug 11 11:08:46 2008
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 Aug 2008 11:08:46 -0400 (EDT)
Subject: [krbdev.mit.edu #5745] SVN Commit 
In-Reply-To: <rt-5745@krbdev.mit.edu>
Message-ID: <rt-5745-27911.11.1344262406444@krbdev.mit.edu>


pull up r20572 from trunk

 r20572 at cathode-dark-space:  jaltman | 2008-07-23 11:04:26 -0400
 ticket: 5745
 tags: pullup
 
 This patch modifies the NIM Kerberos v5 plug-in to use the 
 krb5_get_error_message() function to look up the error string 
 if the call to krb5_get_init_creds_password() fails. If the call 
 to krb5_get_error_message() fails, the caller will failover to 
 the previous method of looking up a suitable error message based 
 on the error code.
 
 


Commit By: tlyu



Revision: 20640
Changed Files:
_U  branches/krb5-1-6/
U   branches/krb5-1-6/src/windows/identity/plugins/krb5/krb5funcs.c
U   branches/krb5-1-6/src/windows/identity/plugins/krb5/krb5funcs.h
U   branches/krb5-1-6/src/windows/identity/plugins/krb5/krb5newcreds.c
U   branches/krb5-1-6/src/windows/identity/plugins/krb5/krbcred.h


From rt-comment at krbdev.mit.edu  Mon Aug 11 11:09:01 2008
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 Aug 2008 11:09:01 -0400 (EDT)
Subject: [krbdev.mit.edu #6047] SVN Commit 
In-Reply-To: <rt-6047@krbdev.mit.edu>
Message-ID: <rt-6047-27913.10.2906165326228@krbdev.mit.edu>


pull up r20573 from trunk

 r20573 at cathode-dark-space:  jaltman | 2008-07-23 11:09:15 -0400
 ticket: 6047
 tags: pullup
 
 The NIM error reporting functions (in src/windows/identity/kherr ) keep
 track of the the error message with the highest severity level that was
 reported for a specific error reporting context.  However, if another
 error message of the same severity is reported, the error message being
 tracked will be updated to be the newly received error.
 
 The user will often only be notified of the error message that was
 tracked for a specific operation.  Therefore, tracking the last message
 with the highest priority has the unfortunate side-effect of not
 reporting the cause of a failure.
 
 This patch changes the condition for updating the tracked error message
 to be the first message with the highest severity.
 
 


Commit By: tlyu



Revision: 20641
Changed Files:
_U  branches/krb5-1-6/
U   branches/krb5-1-6/src/windows/identity/kherr/kherr.c


From rt-comment at krbdev.mit.edu  Mon Aug 11 17:32:21 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Mon, 11 Aug 2008 17:32:21 -0400 (EDT)
Subject: [krbdev.mit.edu #194] a stash file is not a keytab 
In-Reply-To: <rt-194@krbdev.mit.edu>
Message-ID: <rt-194-27914.10.9805631222602@krbdev.mit.edu>

Looks good, please go ahead and merge it to the trunk.

From rt-comment at krbdev.mit.edu  Tue Aug 12 16:10:04 2008
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 12 Aug 2008 16:10:04 -0400 (EDT)
Subject: [krbdev.mit.edu #6070] update DES code copyright notices 
In-Reply-To: <rt-6070@krbdev.mit.edu>
Message-ID: <rt-6070-27942.3.65472540065632@krbdev.mit.edu>

DES code written by Dennis Ferguson has an "interesting" copyright.  Dennis has generously 
donated this code to MIT, so update the copyright notices to reflect this.

From rt-comment at krbdev.mit.edu  Tue Aug 12 16:17:15 2008
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 12 Aug 2008 16:17:15 -0400 (EDT)
Subject: [krbdev.mit.edu #6070] SVN Commit 
In-Reply-To: <rt-6070@krbdev.mit.edu>
Message-ID: <rt-6070-27945.5.25455754792596@krbdev.mit.edu>


Update copyright notices to reflect donation of DES implementation by
Dennis Ferguson.

Commit By: tlyu



Revision: 20642
Changed Files:
_U  trunk/
U   trunk/src/lib/crypto/des/f_cbc.c
U   trunk/src/lib/crypto/des/f_cksum.c
U   trunk/src/lib/crypto/des/f_sched.c
U   trunk/src/lib/crypto/des/f_tables.c
U   trunk/src/lib/crypto/des/f_tables.h
U   trunk/src/lib/des425/pcbc_encrypt.c


From rt-comment at krbdev.mit.edu  Tue Aug 12 16:21:18 2008
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 12 Aug 2008 16:21:18 -0400 (EDT)
Subject: [krbdev.mit.edu #1026] non-MIT-style-licensed code in krb5 libs
	(Blame Canada!) 
In-Reply-To: <rt-1026@krbdev.mit.edu>
Message-ID: <rt-1026-27949.7.18759916413866@krbdev.mit.edu>

krb4/DNR.c is gone.

DES implementation has been generously donated to MIT by Dennis Ferguson.  (see #6070)


From rt-comment at krbdev.mit.edu  Wed Aug 13 15:49:59 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Wed, 13 Aug 2008 15:49:59 -0400 (EDT)
Subject: [krbdev.mit.edu #6074] SVN Commit 
In-Reply-To: <rt-6074@krbdev.mit.edu>
Message-ID: <rt-6074-27959.10.9103883205196@krbdev.mit.edu>


KfM RC4 string to key function expects password to be valid UTF8

Commit By: lxs



Revision: 20650
Changed Files:
U   trunk/src/kadmin/cli/kadmin.c
U   trunk/src/lib/crypto/arcfour/arcfour_s2k.c


From rt-comment at krbdev.mit.edu  Wed Aug 13 15:52:29 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Wed, 13 Aug 2008 15:52:29 -0400 (EDT)
Subject: [krbdev.mit.edu #6075] SVN Commit 
In-Reply-To: <rt-6075@krbdev.mit.edu>
Message-ID: <rt-6075-27962.17.1883801005995@krbdev.mit.edu>


Commit By: lxs



Revision: 20651
Changed Files:
U   trunk/src/lib/kadm5/logger.c


From rt-comment at krbdev.mit.edu  Wed Aug 13 19:32:20 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Wed, 13 Aug 2008 19:32:20 -0400 (EDT)
Subject: [krbdev.mit.edu #6076] SVN Commit 
In-Reply-To: <rt-6076@krbdev.mit.edu>
Message-ID: <rt-6076-27965.15.3308162939017@krbdev.mit.edu>


If --disable-pkinit is given at configure time, don't build the PKINIT
plugin.

If the PKINIT plugin is not going to be built, define DISABLE_PKINIT.

If DISABLE_PKINIT is defined, don't build the PKINIT-related ASN.1
encoding and decoding routines, and fill their slots in the accessor
function table with null pointers.

Tweak the accessor table initialization to use conditionally-varying
macros rather than conditionally selecting between two blocks of
invocations of fixed macros.

Commit By: raeburn



Revision: 20652
Changed Files:
U   trunk/src/configure.in
U   trunk/src/lib/krb5/asn.1/asn1_k_decode.c
U   trunk/src/lib/krb5/asn.1/asn1_k_encode.c
U   trunk/src/lib/krb5/os/accessor.c


From rt-comment at krbdev.mit.edu  Thu Aug 14 00:44:52 2008
From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT)
Date: Thu, 14 Aug 2008 00:44:52 -0400 (EDT)
Subject: [krbdev.mit.edu #6077] SVN Commit 
In-Reply-To: <rt-6077@krbdev.mit.edu>
Message-ID: <rt-6077-27968.9.01552277693803@krbdev.mit.edu>


In krb5_fcc_resolve, on malloc failure, the data->lock mutex needs to
be destroyed. Unfortunately, this is done with the mutex is still locked. When thread debugging code is enabled, this results in aeg fault. 

Also - in krb5_fcc_generate_new, a strdup failure would result in the
krb5int_cc_file_mutex being unlocked twice.

[I have a modified version of valgrind in which I can signal after a
certain number of mallocs for it to fail - I vary the allocation
number from 1300 to 0 - and see what breaks - some memory leaks will
be fixed separately]


Commit By: epeisach



Revision: 20653
Changed Files:
U   trunk/src/lib/krb5/ccache/cc_file.c


From rt-comment at krbdev.mit.edu  Thu Aug 14 08:41:40 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Thu, 14 Aug 2008 08:41:40 -0400 (EDT)
Subject: [krbdev.mit.edu #6078] destroying locked mutex 
In-Reply-To: <rt-6078@krbdev.mit.edu>
Message-ID: <rt-6078-27971.16.4030172868113@krbdev.mit.edu>

We should check NetBSD results more often; they're currently reporting  
assertion failures in the thread library for a lot of our test  
programs, though the core files I've looked at so far aren't giving me  
terribly useful stack traces.  Here's one example from a program run  
under gdb with no particular environment setup:

(gdb) run ATHENA.MIT.EDU
Starting program: /usr/home/krbsnap/autobuild-shared/ 
work-20080814.0500/krb5-current/src/lib/krb5/os/t_locate_kdc  
ATHENA.MIT.EDU
t_locate_kdc: Error detected by libpthread: Destroying locked mutex.
Detected by file "/home/builds/ab/netbsd-3-0-RELEASE/src/lib/ 
libpthread/pthread_mutex.c", line 135, function "pthread_mutex_destroy".
See pthread(3) for information.

Program received signal SIGABRT, Aborted.
[Switching to LWP 1]
0x000000016022d860 in kill () from /usr/lib/libc.so.12
(gdb) bt
#0  0x000000016022d860 in kill () from /usr/lib/libc.so.12
#1  0x00000001601e4968 in pthread__errorfunc () from /usr/lib/ 
libpthread.so.0
#2  0x00000001601dfd38 in pthread_mutex_destroy ()
    from /usr/lib/libpthread.so.0
#3  0x00000001600f3ebc in profile_free_file_data (data=0x120020200)
     at prof_file.c:602
#4  0x00000001600f334c in profile_dereference_data (data=0x120020200)
     at prof_file.c:547
#5  0x00000001600f3be4 in profile_free_file (prf=0x12001c0e0)
     at prof_file.c:570
#6  0x00000001600f4328 in profile_close_file (prf=0x12001c0e0)
     at prof_file.c:613
#7  0x00000001600eff54 in profile_open_file (filespec=0x120020200 "",
     ret_prof=0x1ffffea00) at prof_file.c:297
#8  0x00000001600f8c0c in profile_init (files=0x0,  
ret_profile=0x12001a048)
     at prof_init.c:43
#9  0x00000001600e5164 in os_init_paths (ctx=0x12001a000, kdc=0)
     at init_os_ctx.c:343
#10 0x00000001600e5214 in krb5_os_init_context (ctx=0x12001a000, kdc=6)
     at init_os_ctx.c:397



From rt-comment at krbdev.mit.edu  Thu Aug 14 20:38:53 2008
From: rt-comment at krbdev.mit.edu (william.fiveash@sun.com via RT)
Date: Thu, 14 Aug 2008 20:38:53 -0400 (EDT)
Subject: [krbdev.mit.edu #194] SVN Commit 
In-Reply-To: <rt-194@krbdev.mit.edu>
Message-ID: <rt-194-27975.0.304924846461958@krbdev.mit.edu>


a stash file is not a keytab

Note, this is the commit for the associated Krb Consortium project:
Projects/Masterkey Keytab Stash

Commit By: wfiveash



Revision: 20661
Changed Files:
U   trunk/src/configure.in
U   trunk/src/include/k5-int.h
U   trunk/src/include/kdb.h
U   trunk/src/kadmin/dbutil/dump.c
U   trunk/src/kadmin/dbutil/kdb5_create.c
U   trunk/src/kadmin/dbutil/kdb5_stash.c
U   trunk/src/kadmin/dbutil/kdb5_util.M
U   trunk/src/kadmin/dbutil/kdb5_util.c
U   trunk/src/kdc/main.c
U   trunk/src/lib/kadm5/admin.h
U   trunk/src/lib/kadm5/alt_prof.c
U   trunk/src/lib/kadm5/srv/server_kdb.c
U   trunk/src/lib/kadm5/unit-test/api.2/init-v2.exp
U   trunk/src/lib/kdb/kdb5.c
U   trunk/src/lib/kdb/kdb5.h
U   trunk/src/lib/kdb/kdb_default.c
U   trunk/src/lib/krb5/keytab/kt_file.c
U   trunk/src/lib/krb5/keytab/kt_memory.c
U   trunk/src/lib/krb5/keytab/kt_srvtab.c
U   trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
U   trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
U   trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c
U   trunk/src/tests/Makefile.in
U   trunk/src/tests/create/kdb5_mkdums.c
A   trunk/src/tests/mkeystash_compat/
U   trunk/src/tests/verify/kdb5_verify.c


From rt-comment at krbdev.mit.edu  Fri Aug 15 18:17:17 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Fri, 15 Aug 2008 18:17:17 -0400 (EDT)
Subject: [krbdev.mit.edu #6080] SVN Commit 
In-Reply-To: <rt-6080@krbdev.mit.edu>
Message-ID: <rt-6080-27976.7.04528094811643@krbdev.mit.edu>


kipc is not necessarily built

Commit By: lxs



Revision: 20663
Changed Files:
U   trunk/src/kim/lib/kim_ccache.c
U   trunk/src/kim/lib/mac/kim_os_identity.c


From rt-comment at krbdev.mit.edu  Fri Aug 15 18:19:15 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Fri, 15 Aug 2008 18:19:15 -0400 (EDT)
Subject: [krbdev.mit.edu #6081] SVN Commit 
In-Reply-To: <rt-6081@krbdev.mit.edu>
Message-ID: <rt-6081-27979.6.04515016155595@krbdev.mit.edu>


Still refer to Windows by OS macro because KfW builds do not set
USE_CCAPI.

Commit By: lxs



Revision: 20664
Changed Files:
U   trunk/src/lib/krb5/ccache/ccapi/stdcc.c
U   trunk/src/lib/krb5/ccache/ccapi/stdcc.h
U   trunk/src/lib/krb5/ccache/ccapi/stdcc_util.c
U   trunk/src/lib/krb5/ccache/ccapi/stdcc_util.h


From rt-comment at krbdev.mit.edu  Tue Aug 19 12:43:28 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Tue, 19 Aug 2008 12:43:28 -0400 (EDT)
Subject: [krbdev.mit.edu #6055] SVN Commit 
In-Reply-To: <rt-6055@krbdev.mit.edu>
Message-ID: <rt-6055-27987.9.30417382234985@krbdev.mit.edu>


Modified hints APIs to be a single API that takes string keys.
Removed error object.
Changed error message API to use thread specific data.
Split out debugging API into separate files.

Commit By: lxs



Revision: 20670
Changed Files:
U   trunk/src/include/k5-thread.h
U   trunk/src/include/kim/kim_ccache.h
U   trunk/src/include/kim/kim_credential.h
U   trunk/src/include/kim/kim_error.h
U   trunk/src/include/kim/kim_identity.h
U   trunk/src/include/kim/kim_options.h
U   trunk/src/include/kim/kim_preferences.h
U   trunk/src/include/kim/kim_selection_hints.h
U   trunk/src/include/kim/kim_string.h
U   trunk/src/include/kim/kim_types.h
U   trunk/src/kim/agent/mac/Identities.m
U   trunk/src/kim/lib/kim.exports
U   trunk/src/kim/lib/kim_ccache.c
U   trunk/src/kim/lib/kim_credential.c
A   trunk/src/kim/lib/kim_debug.c
A   trunk/src/kim/lib/kim_debug_private.h
U   trunk/src/kim/lib/kim_error.c
U   trunk/src/kim/lib/kim_error_code.et
U   trunk/src/kim/lib/kim_error_private.h
U   trunk/src/kim/lib/kim_library.c
U   trunk/src/kim/lib/kim_library_private.h
U   trunk/src/kim/lib/kim_options.c
U   trunk/src/kim/lib/kim_preferences.c
U   trunk/src/kim/lib/kim_private.h
U   trunk/src/kim/lib/kim_selection_hints.c
A   trunk/src/kim/lib/mac/kim_os_debug.c
U   trunk/src/kim/lib/mac/kim_os_library.c
U   trunk/src/kim/lib/mac/kim_os_preferences.c
U   trunk/src/kim/lib/mac/kim_os_selection_hints.c
U   trunk/src/kim/test/test_kim_common.c
U   trunk/src/kim/test/test_kim_identity.c
U   trunk/src/kim/test/test_kim_preferences.c


From rt-comment at krbdev.mit.edu  Tue Aug 19 12:44:56 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Tue, 19 Aug 2008 12:44:56 -0400 (EDT)
Subject: [krbdev.mit.edu #6055] SVN Commit 
In-Reply-To: <rt-6055@krbdev.mit.edu>
Message-ID: <rt-6055-27988.2.30881877320165@krbdev.mit.edu>


Build system support for KIM functions.

Commit By: lxs



Revision: 6468
Changed Files:
U   trunk/KerberosFramework/Kerberos5/Projects/Kerberos5.xcodeproj/project.pbxproj


From rt-comment at krbdev.mit.edu  Tue Aug 19 12:49:25 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Tue, 19 Aug 2008 12:49:25 -0400 (EDT)
Subject: [krbdev.mit.edu #6055] SVN Commit 
In-Reply-To: <rt-6055@krbdev.mit.edu>
Message-ID: <rt-6055-27989.1.19834472036267@krbdev.mit.edu>


Fixed export list for new hints functions
and fixed calls to set error message.

Commit By: lxs



Revision: 20671
Changed Files:
U   trunk/src/kim/lib/kim.exports
U   trunk/src/kim/lib/kim_ccache.c
U   trunk/src/kim/lib/kim_identity.c


From rt-comment at krbdev.mit.edu  Tue Aug 19 16:09:30 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Tue, 19 Aug 2008 16:09:30 -0400 (EDT)
Subject: [krbdev.mit.edu #6055] SVN Commit 
In-Reply-To: <rt-6055@krbdev.mit.edu>
Message-ID: <rt-6055-27990.6.77103093901927@krbdev.mit.edu>


Get KerberosAgent building again after KIM changes.

Commit By: lxs



Revision: 20673
Changed Files:
U   trunk/src/kim/agent/mac/Identities.h
U   trunk/src/kim/agent/mac/Identities.m
U   trunk/src/kim/agent/mac/KerberosAgentPrefix.pch
U   trunk/src/kim/lib/kim.exports


From rt-comment at krbdev.mit.edu  Tue Aug 19 17:05:04 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Tue, 19 Aug 2008 17:05:04 -0400 (EDT)
Subject: [krbdev.mit.edu #6083] SVN Commit 
In-Reply-To: <rt-6083@krbdev.mit.edu>
Message-ID: <rt-6083-27991.9.10466025194431@krbdev.mit.edu>


Assigned to Ken for review.

Commit By: lxs



Revision: 20674
Changed Files:
U   trunk/src/util/profile/prof_parse.c


From rt-comment at krbdev.mit.edu  Tue Aug 19 19:07:21 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Tue, 19 Aug 2008 19:07:21 -0400 (EDT)
Subject: [krbdev.mit.edu #6076] SVN Commit 
In-Reply-To: <rt-6076@krbdev.mit.edu>
Message-ID: <rt-6076-27994.11.5947648192039@krbdev.mit.edu>


Fix broken build -- conditionalize some stuff on DISABLE_PKINIT that I
missed last time.

Commit By: raeburn



Revision: 20675
Changed Files:
U   trunk/src/lib/krb5/asn.1/krb5_decode.c
U   trunk/src/lib/krb5/asn.1/krb5_encode.c


From rt-comment at krbdev.mit.edu  Wed Aug 20 12:04:28 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Wed, 20 Aug 2008 12:04:28 -0400 (EDT)
Subject: [krbdev.mit.edu #6086] dump wrong-endian krb5 gssapi mech support 
In-Reply-To: <rt-6086@krbdev.mit.edu>
Message-ID: <rt-6086-28002.1.12079133462679@krbdev.mit.edu>

The krb5 mechanism code in our gssapi library has support for an acceptor to interact with an 
initiator that uses big-endian encoding for some integer values, contrary to the spec (RFC 
1964).  It looks like this is for backwards compatibility with versions of the mechanism 
implemented by OpenVision prior to the 1.0 beta 4 release.  (From the logs in subversion, the 
update to support both byte orders was checked in before beta4.)

I think it's time to delete that code.  Getting rid of the conditionals will clean up the 
accept_sec_context, wrap and unwrap code.

From rt-comment at krbdev.mit.edu  Wed Aug 20 14:46:53 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Wed, 20 Aug 2008 14:46:53 -0400 (EDT)
Subject: [krbdev.mit.edu #6087] SVN Commit 
In-Reply-To: <rt-6087@krbdev.mit.edu>
Message-ID: <rt-6087-28003.19.4204145631036@krbdev.mit.edu>


Clients watching a ccache or the cache collection
should get a notification when the ccache is destroyed.

Commit By: lxs



Revision: 20678
Changed Files:
U   trunk/src/ccapi/server/ccs_cache_collection.c
U   trunk/src/ccapi/server/ccs_ccache.c
U   trunk/src/ccapi/server/ccs_ccache.h


From rt-comment at krbdev.mit.edu  Wed Aug 20 14:58:12 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Wed, 20 Aug 2008 14:58:12 -0400 (EDT)
Subject: [krbdev.mit.edu #6088] SVN Commit 
In-Reply-To: <rt-6088@krbdev.mit.edu>
Message-ID: <rt-6088-28006.9.91316140705997@krbdev.mit.edu>


Commit By: lxs



Revision: 20679
Changed Files:
U   trunk/src/ccapi/server/ccs_cache_collection.c
U   trunk/src/ccapi/server/ccs_ccache.c
A   trunk/src/ccapi/server/ccs_os_notify.h
A   trunk/src/ccapi/server/mac/ccs_os_notify.c
U   trunk/src/include/CredentialsCache.h


From rt-comment at krbdev.mit.edu  Wed Aug 20 15:38:49 2008
From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT)
Date: Wed, 20 Aug 2008 15:38:49 -0400 (EDT)
Subject: [krbdev.mit.edu #6090] k5_mutex_destroy calls pthread_mutex_destroy
	with mutex locked 
In-Reply-To: <rt-6090@krbdev.mit.edu>
Message-ID: <rt-6090-28012.3.0025879863355@krbdev.mit.edu>

Detected with the development version of valgrind in which helgrind
actually works.

It complains that calls to pthread_mutex_destroy were made w/ the mutex
locked - which is a no-no. It returns EBUSY which according to the man
page means" The implementation has detected an attempt to destroy the
object referenced by mutex while it is locked or referenced"

Sure enough there is a logic bug in the macro k5_mutex_destroy.  The use
of "&&" in the following:

k5_mutex_lock(M) && ((M)->loc_last = K5_DEBUG_LOC, k5_mutex_unlock(M)),  \
k5_os_mutex_destroy(&(M)->os))


k5_mutex_lock will return 0 on success. Therefore the rest of the
expression is not evaluated - and the mutex will not be unlocked!!

! before the lock request solves the problem:

===================================================================
--- k5-thread.h (revision 20676)
+++ k5-thread.h (working copy)
@@ -693,7 +694,7 @@
 #define k5_mutex_destroy(M)                    \
        (k5_os_mutex_assert_unlocked(&(M)->os), \
         krb5int_mutex_report_stats(M),         \
-        k5_mutex_lock(M) && ((M)->loc_last = K5_DEBUG_LOC,
k5_mutex_unlock(M)),
 \
+        !k5_mutex_lock(M) && ((M)->loc_last = K5_DEBUG_LOC,
k5_mutex_unlock(M))
, \
         k5_os_mutex_destroy(&(M)->os))

 #if __GNUC__ >= 4


From rt-comment at krbdev.mit.edu  Wed Aug 20 15:55:16 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Wed, 20 Aug 2008 15:55:16 -0400 (EDT)
Subject: [krbdev.mit.edu #6090] k5_mutex_destroy calls
	pthread_mutex_destroy with mutex locked 
In-Reply-To: <rt-6090@krbdev.mit.edu>
Message-ID: <rt-6090-28013.19.5729340106661@krbdev.mit.edu>

On Aug 20, 2008, at 15:38, Ezra Peisach via RT wrote:
> Detected with the development version of valgrind in which helgrind
> actually works.

Yeah, I was looking at that in the context of a NetBSD build that was  
reporting errors; the NetBSD thread support does these sorts of checks  
automatically and blows up if you mess it up.  I was going to change  
"&&" to "||" but adding "!" works too. :)

(Weirdly enough, though, the build *stopped* failing when we fixed a  
bug in the snapshot process and started testing today's code instead  
of something from last month.  I'm not sure what's up with that.)

Ken


From rt-comment at krbdev.mit.edu  Wed Aug 20 16:02:50 2008
From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT)
Date: Wed, 20 Aug 2008 16:02:50 -0400 (EDT)
Subject: [krbdev.mit.edu #6090] k5_mutex_destroy calls
	pthread_mutex_destroy with mutex locked
In-Reply-To: <rt-6090@krbdev.mit.edu>
Message-ID: <rt-6090-28014.8.75091981123617@krbdev.mit.edu>

Ken Raeburn via RT wrote:
>
> (Weirdly enough, though, the build *stopped* failing when we fixed a  
> bug in the snapshot process and started testing today's code instead  
> of something from last month.  I'm not sure what's up with that.)
>
>   
You did turn off thread debugging recently... Maybe that was related....
> Ken
>
>   



From rt-comment at krbdev.mit.edu  Wed Aug 20 17:09:23 2008
From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT)
Date: Wed, 20 Aug 2008 17:09:23 -0400 (EDT)
Subject: [krbdev.mit.edu #6091] SVN Commit 
In-Reply-To: <rt-6091@krbdev.mit.edu>
Message-ID: <rt-6091-28057.7.42109716946537@krbdev.mit.edu>


All changes are under LEAN_CLIENT macro. Application server functionality is disabled.
 

Commit By: tsitkova



Revision: 20680
Changed Files:
U   trunk/src/lib/gssapi/gss_libinit.c
U   trunk/src/lib/gssapi/krb5/accept_sec_context.c
U   trunk/src/lib/gssapi/krb5/acquire_cred.c
U   trunk/src/lib/gssapi/krb5/add_cred.c
U   trunk/src/lib/gssapi/krb5/export_sec_context.c
U   trunk/src/lib/gssapi/krb5/gssapiP_krb5.h
U   trunk/src/lib/gssapi/krb5/krb5_gss_glue.c
U   trunk/src/lib/gssapi/krb5/rel_cred.c
U   trunk/src/lib/gssapi/mechglue/g_accept_sec_context.c
U   trunk/src/lib/gssapi/mechglue/g_exp_sec_context.c
U   trunk/src/lib/gssapi/mechglue/g_imp_sec_context.c
U   trunk/src/lib/gssapi/spnego/gssapiP_spnego.h
U   trunk/src/lib/gssapi/spnego/spnego_mech.c
U   trunk/src/lib/kdb/kdb_default.c
U   trunk/src/lib/krb5/keytab/kt_file.c
U   trunk/src/lib/krb5/keytab/kt_memory.c
U   trunk/src/lib/krb5/keytab/kt_srvtab.c
U   trunk/src/lib/krb5/keytab/ktadd.c
U   trunk/src/lib/krb5/keytab/ktbase.c
U   trunk/src/lib/krb5/keytab/ktdefault.c
U   trunk/src/lib/krb5/keytab/ktfns.c
U   trunk/src/lib/krb5/keytab/ktfr_entry.c
U   trunk/src/lib/krb5/keytab/ktremove.c
U   trunk/src/lib/krb5/keytab/read_servi.c
U   trunk/src/lib/krb5/krb/gic_keytab.c
U   trunk/src/lib/krb5/krb/gic_pwd.c
U   trunk/src/lib/krb5/krb/in_tkt_sky.c
U   trunk/src/lib/krb5/krb/rd_req.c
U   trunk/src/lib/krb5/krb/rd_req_dec.c
U   trunk/src/lib/krb5/krb/ser_ctx.c
U   trunk/src/lib/krb5/krb/srv_dec_tkt.c
U   trunk/src/lib/krb5/krb5_libinit.c
U   trunk/src/lib/krb5/os/accessor.c
U   trunk/src/util/collected-client-lib/libcollected.exports
U   trunk/src/util/profile/prof_init.c


From rt-comment at krbdev.mit.edu  Fri Aug 22 11:20:26 2008
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Fri, 22 Aug 2008 11:20:26 -0400 (EDT)
Subject: [krbdev.mit.edu #6020] GSSAPI application server side support for
	authdata generated by authdata plugins 
In-Reply-To: <rt-6020@krbdev.mit.edu>
Message-ID: <rt-6020-28121.17.1173914416631@krbdev.mit.edu>

Function names are prefixed with "apple_", which should change.  Many
aspects appear to be cut-and-pasted from the lucid context support,
including comment blocks.  Also, the interface is highly specific to the
"if-relevant" authorization data rather than being more generic.

From rt-comment at krbdev.mit.edu  Fri Aug 22 11:36:40 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Fri, 22 Aug 2008 11:36:40 -0400 (EDT)
Subject: [krbdev.mit.edu #6093] SVN Commit 
In-Reply-To: <rt-6093@krbdev.mit.edu>
Message-ID: <rt-6093-28134.11.0822642835071@krbdev.mit.edu>


Commit By: lxs



Revision: 20684
Changed Files:
A   trunk/src/kim/lib/kim-lite.exports
U   trunk/src/kim/lib/kim_ccache.c
U   trunk/src/kim/lib/kim_credential.c


From rt-comment at krbdev.mit.edu  Fri Aug 22 12:44:33 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Fri, 22 Aug 2008 12:44:33 -0400 (EDT)
Subject: [krbdev.mit.edu #6094] SVN Commit 
In-Reply-To: <rt-6094@krbdev.mit.edu>
Message-ID: <rt-6094-28137.6.40075543040687@krbdev.mit.edu>


Need to destroy the mach ports instead of deallocating because
we requested notifications on the port so just deallocating 
won't actually destroy the port.  Also deallocate any port
which was previously registered for notifications.

Commit By: lxs



Revision: 20688
Changed Files:
U   trunk/src/ccapi/lib/mac/ccapi_os_ipc.c


From rt-comment at krbdev.mit.edu  Mon Aug 25 13:41:10 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Mon, 25 Aug 2008 13:41:10 -0400 (EDT)
Subject: [krbdev.mit.edu #6090] SVN Commit 
In-Reply-To: <rt-6090@krbdev.mit.edu>
Message-ID: <rt-6090-28174.13.2141441952651@krbdev.mit.edu>


Fix sense of test of lock call preparing to update debug info in
k5_mutex_destroy.
Thanks, Ezra.
Commit By: raeburn



Revision: 20690
Changed Files:
U   trunk/src/include/k5-thread.h


From rt-comment at krbdev.mit.edu  Mon Aug 25 15:43:19 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Mon, 25 Aug 2008 15:43:19 -0400 (EDT)
Subject: [krbdev.mit.edu #5565] SVN Commit 
In-Reply-To: <rt-5565@krbdev.mit.edu>
Message-ID: <rt-5565-28179.18.2458625834649@krbdev.mit.edu>


Incorporate Apple's patch.

Add a test authorization data scheme, in both built-in and plugin
forms; built-in version is #ifdef'ed out.  Update configury to create
the build directory for the plugin, but don't build or install it by
default.

Create the new (and normally empty) authorization data plugin
directory at install time.

Add some (normally disabled) code to log authz data from rd_req.

Fix up some comments that still refer to preauth plugins.  Add some
details in comments on the API, and why it's private for now.

Make the plugin init context support work, by not passing null
pointers.

Commit By: raeburn



Revision: 20691
Changed Files:
U   trunk/src/Makefile.in
U   trunk/src/config/pre.in
U   trunk/src/configure.in
A   trunk/src/include/krb5/authdata_plugin.h
U   trunk/src/include/osconf.hin
U   trunk/src/kdc/Makefile.in
U   trunk/src/kdc/do_as_req.c
A   trunk/src/kdc/kdc_authdata.c
U   trunk/src/kdc/kdc_util.h
U   trunk/src/kdc/main.c
U   trunk/src/lib/krb5/krb/rd_req_dec.c
A   trunk/src/plugins/authdata/
A   trunk/src/plugins/authdata/greet/
A   trunk/src/plugins/authdata/greet/Makefile.in
A   trunk/src/plugins/authdata/greet/greet.exports
A   trunk/src/plugins/authdata/greet/greet_auth.c


From rt-comment at krbdev.mit.edu  Mon Aug 25 15:46:19 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Mon, 25 Aug 2008 15:46:19 -0400 (EDT)
Subject: [krbdev.mit.edu #5565] krb5kdc.M is confused about keytype 
In-Reply-To: <rt-5565@krbdev.mit.edu>
Message-ID: <rt-5565-28180.3.57797714241769@krbdev.mit.edu>

Ugh, that checkin message should've been attached to 5655, not 5565.

From rt-comment at krbdev.mit.edu  Mon Aug 25 15:47:46 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Mon, 25 Aug 2008 15:47:46 -0400 (EDT)
Subject: [krbdev.mit.edu #5655] authorization-data plugin support in KDC 
In-Reply-To: <rt-5655@krbdev.mit.edu>
Message-ID: <rt-5655-28182.18.4997788592821@krbdev.mit.edu>

Patch checked in, with some changes.
Log message accidentally attached to ticket 5565 instead. :-(

From rt-comment at krbdev.mit.edu  Mon Aug 25 16:11:26 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Mon, 25 Aug 2008 16:11:26 -0400 (EDT)
Subject: [krbdev.mit.edu #5565] SVN Commit 
In-Reply-To: <rt-5565@krbdev.mit.edu>
Message-ID: <rt-5565-28186.9.91847660469169@krbdev.mit.edu>


Update description of -k option: From the code it appears the default
is des-cbc-crc, and it applies to entering passwords with -m.

Commit By: raeburn



Revision: 20692
Changed Files:
U   trunk/src/kdc/krb5kdc.M


From rt-comment at krbdev.mit.edu  Mon Aug 25 16:25:56 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Mon, 25 Aug 2008 16:25:56 -0400 (EDT)
Subject: [krbdev.mit.edu #6096] Reduce warnings 
In-Reply-To: <rt-6096@krbdev.mit.edu>
Message-ID: <rt-6096-28187.4.30382525402983@krbdev.mit.edu>

Building krb5 produces a large number of false positive warnings.  Reduce these warnings.


From rt-comment at krbdev.mit.edu  Mon Aug 25 16:28:00 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Mon, 25 Aug 2008 16:28:00 -0400 (EDT)
Subject: [krbdev.mit.edu #6097] WIN32 SOCKET != int in krb5 lib 
In-Reply-To: <rt-6097@krbdev.mit.edu>
Message-ID: <rt-6097-28189.0.43350284273437@krbdev.mit.edu>

The sendauth/recvauth interfaces (and lower-level routines like krb5_write_message) take a 
krb5_pointer argument that's handled as int* internally to find the file descriptor.

1) For Windows, we should be using SOCKET* probably.  (Cf. ticket 6041.)
2) We might want to update the published prototypes to use pointers to real types; the fd 
handle shouldn't be opaque in this interface.

#1 would presumably be an ABI change on 64-bit Windows, but the current version may well be 
unusable, I'm not sure...

From rt-comment at krbdev.mit.edu  Mon Aug 25 16:28:11 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Mon, 25 Aug 2008 16:28:11 -0400 (EDT)
Subject: [krbdev.mit.edu #6096] Reduce warnings 
In-Reply-To: <rt-6096@krbdev.mit.edu>
Message-ID: <rt-6096-28192.16.5437951234784@krbdev.mit.edu>

Assigning to Ken to review.

From rt-comment at krbdev.mit.edu  Mon Aug 25 17:10:01 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Mon, 25 Aug 2008 17:10:01 -0400 (EDT)
Subject: [krbdev.mit.edu #6099] AD-MANDATORY-FOR-KDC, AD-IF-RELEVANT, etc 
In-Reply-To: <rt-6099@krbdev.mit.edu>
Message-ID: <rt-6099-28196.2.82147005412376@krbdev.mit.edu>

Our code (library, KDC) should be parsing and processing at least the authorization data 
container types, even if we don't understand any real authz types yet.

We should also provide library helper routines for constructing or breaking apart these 
container types' encoded forms.

From rt-comment at krbdev.mit.edu  Mon Aug 25 16:27:04 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Mon, 25 Aug 2008 16:27:04 -0400 (EDT)
Subject: [krbdev.mit.edu #6096] Reduce warnings 
In-Reply-To: <rt-6096@krbdev.mit.edu>
Message-ID: <rt-6096-28188.17.5320657809454@krbdev.mit.edu>

Index: KerberosFramework/Kerberos5/Sources/kim/lib/kim_preferences.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/kim/lib/kim_preferences.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/kim/lib/kim_preferences.c	(working copy)
@@ -289,12 +289,14 @@
             err = kim_identity_compare (in_identity, identity, &found);
             
             if (!err && found) {
+                kim_error terr = KIM_NO_ERROR;
                 kim_count new_count = io_favorite_identities->count - 1;
+                
                 memmove (&io_favorite_identities->identities[i], 
                          &io_favorite_identities->identities[i + 1],
                          (new_count - i) * sizeof (*io_favorite_identities->identities));
                 
-                kim_error terr = kim_favorite_identities_resize (io_favorite_identities, new_count);
+                terr = kim_favorite_identities_resize (io_favorite_identities, new_count);
                 if (terr) {
                     kim_debug_printf ("failed to resize list to %d.  Continuing.", new_count);
                 }
Index: KerberosFramework/Kerberos5/Sources/kim/lib/mac/kim_os_string.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/kim/lib/mac/kim_os_string.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/kim/lib/mac/kim_os_string.c	(working copy)
@@ -35,12 +35,13 @@
 {
     typedef TextEncoding (*GetApplicationTextEncodingProcPtr) (void);
     GetApplicationTextEncodingProcPtr GetApplicationTextEncodingPtr = NULL;
+    CFBundleRef carbonBundle = NULL;
     
     if (kim_os_library_caller_is_server ()) {
         return kCFStringEncodingUTF8;  /* server only does UTF8 */
     }
     
-    CFBundleRef carbonBundle = CFBundleGetBundleWithIdentifier (CFSTR ("com.apple.Carbon"));
+    carbonBundle = CFBundleGetBundleWithIdentifier (CFSTR ("com.apple.Carbon"));
     if (carbonBundle != NULL && CFBundleIsExecutableLoaded (carbonBundle)) {
         GetApplicationTextEncodingPtr = (GetApplicationTextEncodingProcPtr) CFBundleGetFunctionPointerForName (carbonBundle,
                                                                                                                CFSTR ("GetApplicationTextEncoding"));
Index: KerberosFramework/Kerberos5/Sources/include/k5-thread.h
===================================================================
--- KerberosFramework/Kerberos5/Sources/include/k5-thread.h	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/include/k5-thread.h	(working copy)
@@ -117,7 +117,7 @@
    // Returns error if key out of bounds, or the pointer table can't
    // be allocated.  A call to k5_key_register must have happened first.
    // This may trigger the calling of pthread_setspecific on POSIX.
-   int k5_setspecific(k5_key_t, void *);
+   int k5_setspecific(k5_key_t, const void *);
    // Called in library termination code.
    // Trashes data in all threads, calling the registered destructor
    // (but calling it from the current thread).
@@ -746,7 +746,7 @@
 #define k5_key_delete	krb5int_key_delete
 extern int k5_key_register(k5_key_t, void (*)(void *));
 extern void *k5_getspecific(k5_key_t);
-extern int k5_setspecific(k5_key_t, void *);
+extern int k5_setspecific(k5_key_t, const void *);
 extern int k5_key_delete(k5_key_t);
 
 extern int  KRB5_CALLCONV krb5int_mutex_alloc  (k5_mutex_t **);
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/coll_proof_cksum.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/coll_proof_cksum.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/coll_proof_cksum.c	(working copy)
@@ -30,7 +30,7 @@
 krb5_boolean KRB5_CALLCONV
 krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype)
 {
-    int i;
+    unsigned int i;
 
     for (i=0; i<krb5_cksumtypes_length; i++) {
 	if (krb5_cksumtypes_list[i].ctype == ctype)
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/keyed_cksum.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/keyed_cksum.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/keyed_cksum.c	(working copy)
@@ -30,7 +30,7 @@
 krb5_boolean KRB5_CALLCONV
 krb5_c_is_keyed_cksum(krb5_cksumtype ctype)
 {
-    int i;
+    unsigned int i;
 
     for (i=0; i<krb5_cksumtypes_length; i++) {
 	if (krb5_cksumtypes_list[i].ctype == ctype) {
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/cksumtypes.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/cksumtypes.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/cksumtypes.c	(working copy)
@@ -94,5 +94,5 @@
       &krb5int_hash_sha1, 12 },
 };
 
-const int krb5_cksumtypes_length =
+const unsigned int krb5_cksumtypes_length =
 sizeof(krb5_cksumtypes_list)/sizeof(struct krb5_cksumtypes);
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/hmac.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/hmac.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/hmac.c	(working copy)
@@ -44,7 +44,7 @@
 {
     size_t hashsize, blocksize;
     unsigned char *xorkey, *ihash;
-    int i;
+    unsigned int i;
     krb5_data *hashin, hashout;
     krb5_error_code ret;
 
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/cksumtype_to_string.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/cksumtype_to_string.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/cksumtype_to_string.c	(working copy)
@@ -30,7 +30,7 @@
 krb5_error_code KRB5_CALLCONV
 krb5_cksumtype_to_string(krb5_cksumtype cksumtype, char *buffer, size_t buflen)
 {
-    int i;
+    unsigned int i;
 
     for (i=0; i<krb5_cksumtypes_length; i++) {
 	if (krb5_cksumtypes_list[i].ctype == cksumtype) {
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/cksumtypes.h
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/cksumtypes.h	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/cksumtypes.h	(working copy)
@@ -27,4 +27,4 @@
 #include "k5-int.h"
 
 extern const struct krb5_cksumtypes krb5_cksumtypes_list[];
-extern const int krb5_cksumtypes_length;
+extern const unsigned int krb5_cksumtypes_length;
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/string_to_cksumtype.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/string_to_cksumtype.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/string_to_cksumtype.c	(working copy)
@@ -30,7 +30,7 @@
 krb5_error_code KRB5_CALLCONV
 krb5_string_to_cksumtype(char *string, krb5_cksumtype *cksumtypep)
 {
-    int i;
+    unsigned int i;
 
     for (i=0; i<krb5_cksumtypes_length; i++) {
 	if (strcasecmp(krb5_cksumtypes_list[i].in_string, string) == 0) {
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/enc_provider/aes.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/enc_provider/aes.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/enc_provider/aes.c	(working copy)
@@ -28,6 +28,13 @@
 #include "enc_provider.h"
 #include "aes.h"
 
+krb5_error_code
+krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+		    const krb5_data *input, krb5_data *output);
+krb5_error_code
+krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+		    const krb5_data *input, krb5_data *output);
+
 #if 0
 aes_rval aes_blk_len(unsigned int blen, aes_ctx cx[1]);
 aes_rval aes_enc_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx[1]);
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/make_checksum.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/make_checksum.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/make_checksum.c	(working copy)
@@ -34,7 +34,8 @@
 		     const krb5_keyblock *key, krb5_keyusage usage,
 		     const krb5_data *input, krb5_checksum *cksum)
 {
-    int i, e1, e2;
+    unsigned int i;
+    int e1, e2;
     krb5_data data;
     krb5_error_code ret;
     size_t cksumlen;
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/checksum_length.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/checksum_length.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/checksum_length.c	(working copy)
@@ -31,7 +31,7 @@
 krb5_c_checksum_length(krb5_context context, krb5_cksumtype cksumtype,
 		       size_t *length)
 {
-    int i;
+    unsigned int i;
 
     for (i=0; i<krb5_cksumtypes_length; i++) {
 	if (krb5_cksumtypes_list[i].ctype == cksumtype)
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/pbkdf2.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/pbkdf2.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/pbkdf2.c	(working copy)
@@ -42,7 +42,7 @@
 static int debug_hmac = 0;
 
 static void printd (const char *descr, krb5_data *d) {
-    int i, j;
+    unsigned int i, j;
     const int r = 16;
 
     printf("%s:", descr);
@@ -77,7 +77,7 @@
 {
     unsigned char ibytes[4];
     size_t tlen;
-    int j, k;
+    unsigned int j, k;
     krb5_keyblock pdata;
     krb5_data sdata;
     krb5_data out;
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/sha1/shs.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/sha1/shs.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/sha1/shs.c	(working copy)
@@ -243,7 +243,8 @@
 void shsUpdate(SHS_INFO *shsInfo, const SHS_BYTE *buffer, unsigned int count)
 {
     SHS_LONG tmp;
-    int dataCount, canfill;
+    unsigned int dataCount;
+    int canfill;
     SHS_LONG *lp;
 
     /* Update bitcount */
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/keyhash_provider/k5_md4des.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/keyhash_provider/k5_md4des.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/keyhash_provider/k5_md4des.c	(working copy)
@@ -48,7 +48,7 @@
     krb5_MD4_CTX ctx;
     unsigned char conf[CONFLENGTH];
     unsigned char xorkey[8];
-    int i;
+    unsigned int i;
     mit_des_key_schedule schedule;
 
     if (key->length != 8)
@@ -111,7 +111,7 @@
     krb5_MD4_CTX ctx;
     unsigned char plaintext[CONFLENGTH+RSA_MD4_CKSUM_LENGTH];
     unsigned char xorkey[8];
-    int i;
+    unsigned int i;
     mit_des_key_schedule schedule;
     int compathash = 0;
 
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/keyhash_provider/k5_md5des.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/keyhash_provider/k5_md5des.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/keyhash_provider/k5_md5des.c	(working copy)
@@ -48,7 +48,7 @@
     krb5_MD5_CTX ctx;
     unsigned char conf[CONFLENGTH];
     unsigned char xorkey[8];
-    int i;
+    unsigned int i;
     mit_des_key_schedule schedule;
 
     if (key->length != 8)
@@ -110,7 +110,7 @@
     krb5_MD5_CTX ctx;
     unsigned char plaintext[CONFLENGTH+RSA_MD5_CKSUM_LENGTH];
     unsigned char xorkey[8];
-    int i;
+    unsigned int i;
     mit_des_key_schedule schedule;
     int compathash = 0;
 
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/verify_checksum.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/verify_checksum.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/verify_checksum.c	(working copy)
@@ -32,7 +32,7 @@
 		       krb5_keyusage usage, const krb5_data *data,
 		       const krb5_checksum *cksum, krb5_boolean *valid)
 {
-    int i;
+    unsigned int i;
     size_t hashsize;
     krb5_error_code ret;
     krb5_data indata;
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/valid_cksumtype.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/valid_cksumtype.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/valid_cksumtype.c	(working copy)
@@ -30,7 +30,7 @@
 krb5_boolean KRB5_CALLCONV
 krb5_c_valid_cksumtype(krb5_cksumtype ctype)
 {
-    int i;
+    unsigned int i;
 
     for (i=0; i<krb5_cksumtypes_length; i++) {
 	if (krb5_cksumtypes_list[i].ctype == ctype)
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/des/weak_key.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/des/weak_key.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/des/weak_key.c	(working copy)
@@ -73,7 +73,7 @@
 int
 mit_des_is_weak_key(mit_des_cblock key)
 {
-    int i;
+    unsigned int i;
     const mit_des_cblock *weak_p = weak;
 
     for (i = 0; i < (sizeof(weak)/sizeof(mit_des_cblock)); i++) {
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/des/string2key.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/des/string2key.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/des/string2key.c	(working copy)
@@ -40,7 +40,7 @@
 	krb5_ui_4 ui[4];
 	mit_des_cblock cb;
     } temp;
-    int i;
+    unsigned int i;
     krb5_ui_4 x, y, z;
     unsigned char *p;
     des_key_schedule sched;
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/des/f_parity.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/des/f_parity.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/des/f_parity.c	(working copy)
@@ -23,7 +23,7 @@
 void
 mit_des_fixup_key_parity(mit_des_cblock key)
 {
-    int i;
+    unsigned int i;
     for (i=0; i<sizeof(mit_des_cblock); i++) 
       {
 	key[i] &= 0xfe;
@@ -41,7 +41,7 @@
 int
 mit_des_check_key_parity(mit_des_cblock key)
 {
-    int i;
+    unsigned int i;
     
     for (i=0; i<sizeof(mit_des_cblock); i++) 
       {
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/hash_provider/hash_crc32.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/hash_provider/hash_crc32.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/hash_provider/hash_crc32.c	(working copy)
@@ -33,7 +33,7 @@
 	      krb5_data *output)
 {
     unsigned long c, cn;
-    int i;
+    unsigned int i;
     
     if (output->length != CRC32_CKSUM_LENGTH)
 	return(KRB5_CRYPTO_INTERNAL);
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/hash_provider/hash_sha1.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/hash_provider/hash_sha1.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/hash_provider/hash_sha1.c	(working copy)
@@ -33,7 +33,7 @@
 	     krb5_data *output)
 {
     SHS_INFO ctx;
-    int i;
+    unsigned int i;
 
     if (output->length != SHS_DIGESTSIZE)
 	return(KRB5_CRYPTO_INTERNAL);
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/hash_provider/hash_md4.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/hash_provider/hash_md4.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/hash_provider/hash_md4.c	(working copy)
@@ -33,7 +33,7 @@
 	    krb5_data *output)
 {
     krb5_MD4_CTX ctx;
-    int i;
+    unsigned int i;
 
     if (output->length != RSA_MD4_CKSUM_LENGTH)
 	return(KRB5_CRYPTO_INTERNAL);
Index: KerberosFramework/Kerberos5/Sources/lib/crypto/hash_provider/hash_md5.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/crypto/hash_provider/hash_md5.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/crypto/hash_provider/hash_md5.c	(working copy)
@@ -33,7 +33,7 @@
 	    krb5_data *output)
 {
     krb5_MD5_CTX ctx;
-    int i;
+    unsigned int i;
 
     if (output->length != RSA_MD5_CKSUM_LENGTH)
 	return(KRB5_CRYPTO_INTERNAL);
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/copy_ccache.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/copy_ccache.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/copy_ccache.c	(working copy)
@@ -6,7 +6,7 @@
      gss_cred_id_t cred_handle;
      krb5_ccache out_ccache;
 {
-   OM_uint32 stat;
+   OM_uint32 major_status;
    krb5_gss_cred_id_t k5creds;
    krb5_cc_cursor cursor;
    krb5_creds creds;
@@ -14,9 +14,9 @@
    krb5_context context;
 
    /* validate the cred handle */
-   stat = krb5_gss_validate_cred(minor_status, cred_handle);
-   if (stat)
-       return(stat);
+   major_status = krb5_gss_validate_cred(minor_status, cred_handle);
+   if (major_status)
+       return(major_status);
    
    k5creds = (krb5_gss_cred_id_t) cred_handle;
    code = k5_mutex_lock(&k5creds->lock);
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/init_sec_context.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/init_sec_context.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/init_sec_context.c	(working copy)
@@ -359,7 +359,7 @@
    krb5_context context)
 {
    krb5_error_code code;
-   int i;
+   unsigned int i;
    krb5int_access kaccess;
 
    code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/disp_status.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/disp_status.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/disp_status.c	(working copy)
@@ -43,10 +43,10 @@
 }
 #include "error_map.h"
 #include <stdio.h>
-char *get_error_message(OM_uint32 minor_code)
+const char *get_error_message(OM_uint32 minor_code)
 {
     gsserrmap *p = k5_getspecific(K5_KEY_GSS_KRB5_ERROR_MESSAGE);
-    char *msg = 0;
+    const char *msg = 0;
 #ifdef DEBUG
     fprintf(stderr, "%s(%lu, p=%p)", __func__, (unsigned long) minor_code,
 	    (void *) p);
@@ -104,7 +104,7 @@
 #endif
     return ret;
 }
-void save_error_string(OM_uint32 minor_code, char *msg)
+void save_error_string(OM_uint32 minor_code, const char *msg)
 {
     char *s = strdup(msg);
     if (s) {
@@ -128,7 +128,7 @@
 }
 void krb5_gss_save_error_info(OM_uint32 minor_code, krb5_context ctx)
 {
-    char *s;
+    const char *s;
 
 #ifdef DEBUG
     fprintf(stderr, "%s(%lu, ctx=%p)\n", __func__,
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/import_sec_context.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/import_sec_context.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/import_sec_context.c	(working copy)
@@ -60,7 +60,7 @@
 	krb5_ser_context_init, krb5_ser_auth_context_init,
 	krb5_ser_ccache_init, krb5_ser_rcache_init, krb5_ser_keytab_init,
     };
-    int i;
+    unsigned int i;
 
     for (i = 0; i < sizeof(fns)/sizeof(fns[0]); i++)
 	if ((code = (fns[i])(context)) != 0)
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/util_seed.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/util_seed.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/util_seed.c	(working copy)
@@ -35,7 +35,7 @@
 {
    krb5_error_code code;
    krb5_keyblock *tmpkey;
-   int i;
+   unsigned int i;
 
    code = krb5_copy_keyblock(context, key, &tmpkey);
    if (code)
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/krb5_gss_glue.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/krb5_gss_glue.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/krb5_gss_glue.c	(working copy)
@@ -439,9 +439,8 @@
 };
 #endif
 
-#if 1
+extern gss_mechanism *krb5_gss_get_mech_configs(void);
 #define gssint_get_mech_configs krb5_gss_get_mech_configs
-#endif
 
 gss_mechanism *
 gssint_get_mech_configs(void)
@@ -729,7 +728,7 @@
 static OM_uint32
 k5glue_inquire_context(ctx, minor_status, context_handle, initiator_name, acceptor_name,
 		    lifetime_rec, mech_type, ret_flags,
-		    locally_initiated, open)
+		    locally_initiated, opened)
     void *ctx;
      OM_uint32 *minor_status;
      gss_ctx_id_t context_handle;
@@ -739,12 +738,12 @@
      gss_OID *mech_type;
      OM_uint32 *ret_flags;
      int *locally_initiated;
-     int *open;
+     int *opened;
 {
    return(krb5_gss_inquire_context(minor_status, context_handle,
 				   initiator_name, acceptor_name, lifetime_rec,
 				   mech_type, ret_flags, locally_initiated,
-				   open));
+				   opened));
 }
 
 static OM_uint32
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/gssapiP_krb5.h
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/gssapiP_krb5.h	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/gssapiP_krb5.h	(working copy)
@@ -691,10 +691,10 @@
 
 /* For error message handling.  */
 /* Returns a shared string, not a private copy!  */
-extern char *
+extern const char *
 krb5_gss_get_error_message(OM_uint32 minor_code);
 extern void
-krb5_gss_save_error_string(OM_uint32 minor_code, char *msg);
+krb5_gss_save_error_string(OM_uint32 minor_code, const char *msg);
 extern void
 krb5_gss_save_error_message(OM_uint32 minor_code, const char *format, ...)
 #if !defined(__cplusplus) && (__GNUC__ > 2)
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/set_ccache.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/set_ccache.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/set_ccache.c	(working copy)
@@ -37,10 +37,10 @@
 	const char *name;
 	const char **out_name;
 {
-    char *old_name = NULL;
+    const char *old_name = NULL;
     OM_uint32 err = 0;
     OM_uint32 minor = 0;
-    char *gss_out_name;
+    const char *gss_out_name;
 
     err = gssint_initialize_library();
     if (err) {
@@ -73,7 +73,7 @@
 	if (err == 0) {
 	    err = minor;
 	}
-	free(gss_out_name);
+	free((char *) gss_out_name);
 	gss_out_name = NULL;
     }
 
@@ -84,7 +84,7 @@
     }
     
     if (old_name != NULL) {
-        free (old_name);
+        free ((char *) old_name);
     }
     
     *minor_status = err;
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/k5seal.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/k5seal.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/k5seal.c	(working copy)
@@ -61,7 +61,7 @@
 		    int signalg,
 		    size_t cksum_size,
 		    int sealalg,
-		    int encrypt,
+		    int do_encrypt,
 		    int toktype,
 		    int bigend,
 		    gss_OID oid)
@@ -85,10 +85,10 @@
     krb5_keyusage sign_usage = KG_USAGE_SIGN;
 
 
-    assert((!encrypt) || (toktype == KG_TOK_SEAL_MSG));
+    assert((!do_encrypt) || (toktype == KG_TOK_SEAL_MSG));
     /* create the token buffer */
     /* Do we need confounder? */
-    if (encrypt || (!bigend && (toktype == KG_TOK_SEAL_MSG)))
+    if (do_encrypt || (!bigend && (toktype == KG_TOK_SEAL_MSG)))
       conflen = kg_confounder_size(context, enc);
     else conflen = 0;
 
@@ -124,7 +124,7 @@
     ptr[1] = (signalg >> 8) & 0xff;
 
     /* 2..3 SEAL_ALG or Filler */
-    if ((toktype == KG_TOK_SEAL_MSG) && encrypt) {
+    if ((toktype == KG_TOK_SEAL_MSG) && do_encrypt) {
       ptr[2] = sealalg & 0xff;
       ptr[3] = (sealalg >> 8) & 0xff;
     } else {
@@ -252,7 +252,7 @@
       return(code);
     }
 
-    if (encrypt) {
+    if (do_encrypt) {
       switch(sealalg) {
       case SEAL_ALG_MICROSOFT_RC4:
 	{
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/acquire_cred.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/acquire_cred.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/acquire_cred.c	(working copy)
@@ -179,7 +179,7 @@
       if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) {
 	 (void) krb5_kt_close(context, kt);
 	 if (code == KRB5_KT_NOTFOUND) {
-	     char *errstr = krb5_get_error_message(context, code);
+	     const char *errstr = krb5_get_error_message(context, code);
 	     krb5_set_error_message(context, KG_KEYTAB_NOMATCH, "%s", errstr);
 	     krb5_free_error_message(context, errstr);
 	     *minor_status = KG_KEYTAB_NOMATCH;
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/set_allowable_enctypes.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/set_allowable_enctypes.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/set_allowable_enctypes.c	(working copy)
@@ -64,7 +64,7 @@
 				   OM_uint32 num_ktypes,
 				   krb5_enctype *ktypes)
 {
-    int i;
+    unsigned int i;
     krb5_enctype * new_ktypes;
     OM_uint32 major_status;
     krb5_gss_cred_id_t cred;
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/inq_context.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/inq_context.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/inq_context.c	(working copy)
@@ -25,7 +25,7 @@
 OM_uint32
 krb5_gss_inquire_context(minor_status, context_handle, initiator_name, 
 			 acceptor_name, lifetime_rec, mech_type, ret_flags,
-			 locally_initiated, open)
+			 locally_initiated, opened)
      OM_uint32 *minor_status;
      gss_ctx_id_t context_handle;
      gss_name_t *initiator_name;
@@ -34,12 +34,12 @@
      gss_OID *mech_type;
      OM_uint32 *ret_flags;
      int *locally_initiated;
-     int *open;
+     int *opened;
 {
    krb5_context context;
    krb5_error_code code;
    krb5_gss_ctx_id_rec *ctx;
-   krb5_principal init, accept;
+   krb5_principal initiator, acceptor;
    krb5_timestamp now;
    krb5_deltat lifetime;
 
@@ -61,8 +61,8 @@
       return(GSS_S_NO_CONTEXT);
    }
 
-   init = NULL;
-   accept = NULL;
+   initiator = NULL;
+   acceptor = NULL;
    context = ctx->k5_context;
 
    if ((code = krb5_timeofday(context, &now))) {
@@ -77,13 +77,13 @@
    if (initiator_name) {
       if ((code = krb5_copy_principal(context, 
 				      ctx->initiate?ctx->here:ctx->there,
-				      &init))) {
+				      &initiator))) {
 	 *minor_status = code;
 	 save_error_info(*minor_status, context);
 	 return(GSS_S_FAILURE);
       }
-      if (! kg_save_name((gss_name_t) init)) {
-	 krb5_free_principal(context, init);
+      if (! kg_save_name((gss_name_t) initiator)) {
+	 krb5_free_principal(context, initiator);
 	 *minor_status = (OM_uint32) G_VALIDATE_FAILED;
 	 return(GSS_S_FAILURE);
       }
@@ -92,17 +92,17 @@
    if (acceptor_name) {
       if ((code = krb5_copy_principal(context, 
 				      ctx->initiate?ctx->there:ctx->here,
-				      &accept))) {
-	 if (init) krb5_free_principal(context, init);
+				      &acceptor))) {
+	 if (initiator) krb5_free_principal(context, initiator);
 	 *minor_status = code;
 	 save_error_info(*minor_status, context);
 	 return(GSS_S_FAILURE);
       }
-      if (! kg_save_name((gss_name_t) accept)) {
-	 krb5_free_principal(context, accept);
-	 if (init) {
-	    kg_delete_name((gss_name_t) init);
-	    krb5_free_principal(context, init);
+      if (! kg_save_name((gss_name_t) acceptor)) {
+	 krb5_free_principal(context, acceptor);
+	 if (initiator) {
+	    kg_delete_name((gss_name_t) initiator);
+	    krb5_free_principal(context, initiator);
 	 }
 	 *minor_status = (OM_uint32) G_VALIDATE_FAILED;
 	 return(GSS_S_FAILURE);
@@ -110,10 +110,10 @@
    }
 
    if (initiator_name)
-      *initiator_name = (gss_name_t) init;
+      *initiator_name = (gss_name_t) initiator;
 
    if (acceptor_name)
-      *acceptor_name = (gss_name_t) accept;
+      *acceptor_name = (gss_name_t) acceptor;
 
    if (lifetime_rec)
       *lifetime_rec = lifetime;
@@ -127,8 +127,8 @@
    if (locally_initiated)
       *locally_initiated = ctx->initiate;
 
-   if (open)
-      *open = ctx->established;
+   if (opened)
+      *opened = ctx->established;
 
    *minor_status = 0;
    return((lifetime == 0)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE);
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/accept_sec_context.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/accept_sec_context.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/accept_sec_context.c	(working copy)
@@ -236,7 +236,7 @@
    int bigend;
    krb5_gss_cred_id_t cred = 0;
    krb5_data ap_rep, ap_req;
-   int i;
+   unsigned int i;
    krb5_error_code code;
    krb5_address addr, *paddr;
    krb5_authenticator *authdat = 0;
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/gss_libinit.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/gss_libinit.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/gss_libinit.c	(working copy)
@@ -3,6 +3,7 @@
 #include "gssapi_err_generic.h"
 #include "gssapi_err_krb5.h"
 #include "gssapiP_krb5.h"
+#include "gssapiP_generic.h"
 
 #include "gss_libinit.h"
 #include "k5-platform.h"
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/mechglue/g_initialize.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/mechglue/g_initialize.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/mechglue/g_initialize.c	(working copy)
@@ -146,7 +146,7 @@
 OM_uint32 *minorStatus;
 gss_OID_set *mechSet;
 {
-	int i, j;
+	unsigned int i, j;
 	gss_OID curItem;
 
 	/* Initialize outputs. */
@@ -232,7 +232,7 @@
 static void
 free_mechSet(void)
 {
-	int i;
+	unsigned int i;
 
 	if (g_mechSet.count != 0) {
 		for (i = 0; i < g_mechSet.count; i++)
@@ -415,7 +415,7 @@
 
 	/* ensure we have fresh data */
 	if (k5_mutex_lock(&g_mechListLock) != 0)
-		return GSS_S_FAILURE;
+		return NULL;
 	updateMechList();
 	aMech = searchMechList(oid);
 	(void) k5_mutex_unlock(&g_mechListLock);
@@ -579,7 +579,7 @@
 		return NULL;
 
 	if (k5_mutex_lock(&g_mechListLock) != 0)
-		return GSS_S_FAILURE;
+		return NULL;
 	/* check if the mechanism is already loaded */
 	if ((aMech = searchMechList(oid)) != NULL && aMech->mech) {
 		(void) k5_mutex_unlock(&g_mechListLock);
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/mechglue/g_acquire_cred.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/mechglue/g_acquire_cred.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/mechglue/g_acquire_cred.c	(working copy)
@@ -145,7 +145,7 @@
     gss_OID_set mechs;
     gss_OID_desc default_OID;
     gss_mechanism mech;
-    int i;
+    unsigned int i;
     gss_union_cred_t creds;
 
     major = val_acq_cred_args(minor_status,
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/mechglue/g_rel_oid_set.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/mechglue/g_rel_oid_set.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/mechglue/g_rel_oid_set.c	(working copy)
@@ -39,19 +39,19 @@
 OM_uint32 *		minor_status;
 gss_OID_set *		set;
 {
-    OM_uint32 index;
+    OM_uint32 i;
     gss_OID oid;
     if (minor_status)
 	*minor_status = 0;
 
-    if (set ==NULL)
+    if (set == NULL)
 	return GSS_S_COMPLETE;
 
     if (*set == GSS_C_NULL_OID_SET)
 	return(GSS_S_COMPLETE);
 
-    for (index=0; index<(*set)->count; index++) {
-      oid = &(*set)->elements[index];
+    for (i=0; i<(*set)->count; i++) {
+      oid = &(*set)->elements[i];
       free(oid->elements);
     }
     free((*set)->elements);
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/mechglue/g_inq_context.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/mechglue/g_inq_context.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/mechglue/g_inq_context.c	(working copy)
@@ -41,7 +41,7 @@
     gss_OID *mech_type,
     OM_uint32 *ctx_flags,
     int *locally_initiated,
-    int *open)
+    int *opened)
 {
 
     /* Initialize outputs. */
@@ -73,27 +73,15 @@
 /* Last argument new for V2 */
 OM_uint32 KRB5_CALLCONV
 gss_inquire_context(
-	    minor_status,
-	    context_handle,
-	    src_name,
-	    targ_name,
-	    lifetime_rec,
-	    mech_type,
-	    ctx_flags,
-	    locally_initiated,
-	    open)
-
-OM_uint32 *	minor_status;
-gss_ctx_id_t	context_handle;
-gss_name_t *	src_name;
-gss_name_t *	targ_name;
-OM_uint32 *	lifetime_rec;
-gss_OID *	mech_type;
-OM_uint32 *	ctx_flags;
-int *           locally_initiated;
-int *		open;
-
-
+	    OM_uint32 *minor_status,
+	    gss_ctx_id_t context_handle,
+	    gss_name_t *src_name,
+	    gss_name_t *targ_name,
+	    OM_uint32 *lifetime_rec,
+	    gss_OID *mech_type,
+	    OM_uint32 *ctx_flags,
+	    int *locally_initiated,
+	    int *opened)
 {
     gss_union_ctx_id_t	ctx;
     gss_mechanism	mech;
@@ -105,7 +93,7 @@
 			      src_name, targ_name,
 			      lifetime_rec,
 			      mech_type, ctx_flags,
-			      locally_initiated, open);
+			      locally_initiated, opened);
     if (status != GSS_S_COMPLETE)
 	return (status);
 
@@ -132,7 +120,7 @@
 			NULL,
 			ctx_flags,
 			locally_initiated,
-			open);
+			opened);
 
     if (status != GSS_S_COMPLETE) {
 	map_error(minor_status, mech);
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/mechglue/oid_ops.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/mechglue/oid_ops.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/mechglue/oid_ops.c	(working copy)
@@ -310,7 +310,7 @@
     long	numbuf;
     long	onumbuf;
     OM_uint32	nbytes;
-    int		index;
+    int		i;
     unsigned char *op;
 
     if (minor_status != NULL)
@@ -412,12 +412,12 @@
 		}
 		numbuf = onumbuf;
 		op += nbytes;
-		index = -1;
+		i = -1;
 		while (numbuf) {
-		    op[index] = (unsigned char) numbuf & 0x7f;
-		    if (index != -1)
-			op[index] |= 0x80;
-		    index--;
+		    op[i] = (unsigned char) numbuf & 0x7f;
+		    if (i != -1)
+			op[i] |= 0x80;
+		    i--;
 		    numbuf >>= 7;
 		}
 		while (isdigit(*bp))
@@ -466,7 +466,7 @@
     gss_OID_set_desc *copy;
     OM_uint32 minor = 0;
     OM_uint32 major = GSS_S_COMPLETE;
-    OM_uint32 index;
+    OM_uint32 i;
 
     if (minor_status != NULL)
 	*minor_status = 0;
@@ -492,9 +492,9 @@
     }
     copy->count = oidset->count;
 
-    for (index = 0; index < copy->count; index++) {
-	gss_OID_desc *out = &copy->elements[index];
-	gss_OID_desc *in = &oidset->elements[index];
+    for (i = 0; i < copy->count; i++) {
+	gss_OID_desc *out = &copy->elements[i];
+	gss_OID_desc *in = &oidset->elements[i];
 
 	if ((out->elements = (void *) malloc(in->length)) == NULL) {
 	    major = GSS_S_FAILURE;
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/spnego/gssapiP_spnego.h
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/spnego/gssapiP_spnego.h	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/spnego/gssapiP_spnego.h	(working copy)
@@ -307,7 +307,7 @@
 	gss_OID		*mech_type,
 	OM_uint32	*ctx_flags,
 	int		*locally_initiated,
-	int		*open
+	int		*opened
 );
 
 OM_uint32 spnego_gss_wrap_size_limit
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/spnego/spnego_mech.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/spnego/spnego_mech.c	(working copy)
@@ -205,9 +205,8 @@
 	&spnego_mechanism, NULL
 };
 
-#if 1
+extern gss_mechanism *spnego_gss_get_mech_configs(void);
 #define gssint_get_mech_configs spnego_gss_get_mech_configs
-#endif
 
 gss_mechanism *
 gssint_get_mech_configs(void)
@@ -1580,7 +1579,7 @@
 			gss_OID		*mech_type,
 			OM_uint32	*ctx_flags,
 			int		*locally_initiated,
-			int		*open)
+			int		*opened)
 {
 	OM_uint32 ret = GSS_S_COMPLETE;
 
@@ -1592,7 +1591,7 @@
 				mech_type,
 				ctx_flags,
 				locally_initiated,
-				open);
+				opened);
 
 	return (ret);
 }
@@ -1696,35 +1695,35 @@
 	gss_name_t name, gss_cred_usage_t usage,
 	gss_cred_id_t *creds, gss_OID_set *rmechs)
 {
-	int		i;
+	unsigned int	i;
 	int		found = 0;
-	OM_uint32 stat = GSS_S_COMPLETE, tmpmin;
+	OM_uint32 major_status = GSS_S_COMPLETE, tmpmin;
 	gss_OID_set mechs, goodmechs;
 
-	stat = gss_indicate_mechs(minor_status, &mechs);
+	major_status = gss_indicate_mechs(minor_status, &mechs);
 
-	if (stat != GSS_S_COMPLETE) {
-		return (stat);
+	if (major_status != GSS_S_COMPLETE) {
+		return (major_status);
 	}
 
-	stat = gss_create_empty_oid_set(minor_status, rmechs);
+	major_status = gss_create_empty_oid_set(minor_status, rmechs);
 
-	if (stat != GSS_S_COMPLETE) {
+	if (major_status != GSS_S_COMPLETE) {
 		(void) gss_release_oid_set(minor_status, &mechs);
-		return (stat);
+		return (major_status);
 	}
 
-	for (i = 0; i < mechs->count && stat == GSS_S_COMPLETE; i++) {
+	for (i = 0; i < mechs->count && major_status == GSS_S_COMPLETE; i++) {
 		if ((mechs->elements[i].length
 		    != spnego_mechanism.mech_type.length) ||
 		    memcmp(mechs->elements[i].elements,
 			spnego_mechanism.mech_type.elements,
 			spnego_mechanism.mech_type.length)) {
 
-			stat = gss_add_oid_set_member(minor_status,
-					    &mechs->elements[i],
-					    rmechs);
-			if (stat == GSS_S_COMPLETE)
+			major_status = gss_add_oid_set_member(minor_status,
+							      &mechs->elements[i],
+							      rmechs);
+			if (major_status == GSS_S_COMPLETE)
 				found++;
 		}
 	}
@@ -1734,17 +1733,18 @@
 	 * trim the list of mechanisms down to only those
 	 * for which the creds are valid.
 	 */
-	if (found > 0 && stat == GSS_S_COMPLETE && creds != NULL) {
-		stat = gss_acquire_cred(minor_status,
-			name, GSS_C_INDEFINITE, *rmechs, usage, creds,
-			&goodmechs, NULL);
+	if (found > 0 && major_status == GSS_S_COMPLETE && creds != NULL) {
+		major_status = gss_acquire_cred(minor_status,
+						name, GSS_C_INDEFINITE, 
+						*rmechs, usage, creds,
+						&goodmechs, NULL);
 
 		/*
 		 * Drop the old list in favor of the new
 		 * "trimmed" list.
 		 */
 		(void) gss_release_oid_set(&tmpmin, rmechs);
-		if (stat == GSS_S_COMPLETE) {
+		if (major_status == GSS_S_COMPLETE) {
 			(void) gssint_copy_oid_set(&tmpmin,
 					goodmechs, rmechs);
 			(void) gss_release_oid_set(&tmpmin, &goodmechs);
@@ -1752,14 +1752,14 @@
 	}
 
 	(void) gss_release_oid_set(&tmpmin, &mechs);
-	if (found == 0 || stat != GSS_S_COMPLETE) {
+	if (found == 0 || major_status != GSS_S_COMPLETE) {
 		*minor_status = ERR_SPNEGO_NO_MECHS_AVAILABLE;
 		map_errcode(minor_status);
-		if (stat == GSS_S_COMPLETE)
-			stat = GSS_S_FAILURE;
+		if (major_status == GSS_S_COMPLETE)
+			major_status = GSS_S_FAILURE;
 	}
 
-	return (stat);
+	return (major_status);
 }
 
 /* following are token creation and reading routines */
@@ -1939,7 +1939,7 @@
 put_mech_set(gss_OID_set mechSet, gss_buffer_t buf)
 {
 	unsigned char *ptr;
-	int i;
+	unsigned int i;
 	unsigned int tlen, ilen;
 
 	tlen = ilen = 0;
@@ -2236,7 +2236,7 @@
 	gss_OID returned_mech;
 	OM_uint32 status;
 	int present;
-	int i;
+	unsigned int i;
 
 	for (i = 0; i < mechset->count; i++) {
 		gss_test_oid_set_member(minor_status, &mechset->elements[i],
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/generic/util_buffer.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/generic/util_buffer.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/generic/util_buffer.c	(working copy)
@@ -31,9 +31,7 @@
    make sure that buffer is consistent (release'able) when this
    function exits, no matter what the exit value */
 
-int g_make_string_buffer(str, buffer)
-     const char *str;
-     gss_buffer_t buffer;
+int g_make_string_buffer(const char *str, gss_buffer_t buffer)
 {
    buffer->length = strlen(str);
 
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/generic/gssapiP_generic.h
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/generic/gssapiP_generic.h	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/generic/gssapiP_generic.h	(working copy)
@@ -255,6 +255,8 @@
 	    gss_OID *		/* oid */
 	   );
 
+int gssint_mecherrmap_init(void);
+void gssint_mecherrmap_destroy(void);
 OM_uint32 gssint_mecherrmap_map(OM_uint32 minor, const gss_OID_desc *oid);
 int gssint_mecherrmap_get(OM_uint32 minor, gss_OID mech_oid,
 			  OM_uint32 *mech_minor);
Index: KerberosFramework/Kerberos5/Sources/lib/gssapi/generic/util_errmap.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/gssapi/generic/util_errmap.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/gssapi/generic/util_errmap.c	(working copy)
@@ -102,7 +102,7 @@
 	{ "{ 1 2 840 48018 1 2 2 }", "krb5-microsoft" },
 	{ "{ 1 3 6 1 5 5 2 }", "spnego" },
     };
-    int i;
+    unsigned int i;
 
     fprintf(f, "%lu@", (unsigned long) value.code);
 
Index: KerberosFramework/Kerberos5/Sources/lib/krb5/asn.1/asn1buf.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/krb5/asn.1/asn1buf.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/krb5/asn.1/asn1buf.c	(working copy)
@@ -167,7 +167,7 @@
 asn1_error_code asn1buf_insert_octetstring(asn1buf *buf, const unsigned int len, const krb5_octet *s)
 {
   asn1_error_code retval;
-  int length;
+  unsigned int length;
 
   retval = asn1buf_ensure_space(buf,len);
   if(retval) return retval;
@@ -179,7 +179,7 @@
 asn1_error_code asn1buf_insert_charstring(asn1buf *buf, const unsigned int len, const char *s)
 {
   asn1_error_code retval;
-  int length;
+  unsigned int length;
 
   retval = asn1buf_ensure_space(buf,len);
   if(retval) return retval;
@@ -198,7 +198,7 @@
 
 asn1_error_code asn1buf_remove_octetstring(asn1buf *buf, const unsigned int len, asn1_octet **s)
 {
-  int i;
+  unsigned int i;
 
   if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
   if (len == 0) {
@@ -216,7 +216,7 @@
 
 asn1_error_code asn1buf_remove_charstring(asn1buf *buf, const unsigned int len, char **s)
 {
-  int i;
+  unsigned int i;
 
   if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
   if (len == 0) {
@@ -247,7 +247,7 @@
 
 asn1_error_code asn12krb5_buf(const asn1buf *buf, krb5_data **code)
 {
-  int i;
+  unsigned int i;
   *code = (krb5_data*)calloc(1,sizeof(krb5_data));
   if(*code == NULL) return ENOMEM;
   (*code)->magic = KV5M_DATA;
@@ -284,7 +284,7 @@
     strcpy(*s,"<EMPTY>");
   }else{
     unsigned int length = asn1buf_len(buf);
-    int i;
+    unsigned int i;
 
     *s = calloc(length+1, sizeof(char));
     if(*s == NULL) return ENOMEM;
@@ -338,7 +338,7 @@
 }
 
 #undef asn1buf_free
-int asn1buf_free(const asn1buf *buf)
+unsigned int asn1buf_free(const asn1buf *buf)
 {
   if(buf == NULL || buf->base == NULL) return 0;
   else return buf->bound - buf->next + 1;
Index: KerberosFramework/Kerberos5/Sources/lib/krb5/asn.1/ldap_key_seq.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/krb5/asn.1/ldap_key_seq.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/krb5/asn.1/ldap_key_seq.c	(working copy)
@@ -325,7 +325,6 @@
     asn1_get_tag_2(&subbuf, &t);
     /* Salt */
     if (t.tagnum == 0) {
-	int buflen;
 	asn1buf slt;
 	unsigned long keytype;
 	int keylen;
@@ -353,7 +352,6 @@
 
     /* Key */
     {
-	int buflen;
 	asn1buf kbuf;
 	long lval;
 	int ival;
Index: KerberosFramework/Kerberos5/Sources/lib/krb5/asn.1/asn1buf.h
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/krb5/asn.1/asn1buf.h	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/krb5/asn.1/asn1buf.h	(working copy)
@@ -22,14 +22,14 @@
    ? 0 \
    : ((buf)->bound - (buf)->base + 1))
 
-int asn1buf_free
+unsigned int asn1buf_free
 	(const asn1buf *buf);
 /* requires  *buf is allocated
    effects   Returns the number of unused, allocated octets in *buf. */
 #define asn1buf_free(buf) \
   (((buf) == NULL || (buf)->base == NULL) \
-   ? 0 \
-   : ((buf)->bound - (buf)->next + 1))
+   ? 0U \
+   : (unsigned int)((buf)->bound - (buf)->next + 1))
 
 
 asn1_error_code asn1buf_ensure_space
Index: KerberosFramework/Kerberos5/Sources/lib/krb5/asn.1/asn1_decode.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/krb5/asn.1/asn1_decode.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/krb5/asn.1/asn1_decode.c	(working copy)
@@ -25,6 +25,7 @@
  */
 
 /* ASN.1 primitive decoders */
+#include "k5-int.h" /* for krb5int_gmt_mktime */
 #include "asn1_decode.h"
 #include "asn1_get.h"
 #include <stdio.h>
@@ -55,14 +56,12 @@
 #define cleanup()\
 return 0
 
-extern time_t krb5int_gmt_mktime (struct tm *);
-
 asn1_error_code asn1_decode_integer(asn1buf *buf, long int *val)
 {
   setup();
   asn1_octet o;
   long n = 0; /* initialize to keep gcc happy */
-  int i;
+  unsigned int i;
 
   tag(ASN1_INTEGER);
 
@@ -87,7 +86,7 @@
   setup();
   asn1_octet o;
   unsigned long n;
-  int i;
+  unsigned int i;
 
   tag(ASN1_INTEGER);
 
Index: KerberosFramework/Kerberos5/Sources/lib/krb5/asn.1/asn1_k_decode.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/krb5/asn.1/asn1_k_decode.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/krb5/asn.1/asn1_k_decode.c	(working copy)
@@ -502,7 +502,7 @@
   asn1_error_code retval;
   asn1_octet unused, o;
   taginfo t;
-  int i;
+  unsigned int i;
   krb5_flags f=0;
   unsigned int length;
 
Index: KerberosFramework/Kerberos5/Sources/lib/krb5/os/localaddr.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/krb5/os/localaddr.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/krb5/os/localaddr.c	(working copy)
@@ -1335,6 +1335,9 @@
 }
 
 krb5_error_code
+krb5int_local_addresses(krb5_context context, krb5_address ***addr);
+
+krb5_error_code
 krb5int_local_addresses(krb5_context context, krb5_address ***addr)
 {
     return get_localaddrs(context, addr, 0);
Index: KerberosFramework/Kerberos5/Sources/lib/krb5/os/gen_rname.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/krb5/os/gen_rname.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/krb5/os/gen_rname.c	(working copy)
@@ -35,7 +35,7 @@
 krb5_gen_replay_name(krb5_context context, const krb5_address *address, const char *uniq, char **string)
 {
     char * tmp;
-    int i;
+    unsigned int i;
     unsigned int len;
 
     len = strlen(uniq) + (address->length * 2) + 1;
Index: KerberosFramework/Kerberos5/Sources/lib/krb5/os/sendto_kdc.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/krb5/os/sendto_kdc.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/krb5/os/sendto_kdc.c	(working copy)
@@ -1087,7 +1087,7 @@
 
     e = 0;
     while (selstate->nfds > 0) {
-	int i;
+	unsigned int i;
 
 	e = krb5int_cm_call_select(selstate, seltemp, &selret);
 	if (e == EINTR)
@@ -1102,7 +1102,7 @@
 	    return 0;
 
 	/* Got something on a socket, process it.  */
-	for (i = 0; i <= selstate->max && selret > 0 && i < n_conns; i++) {
+	for (i = 0; i <= (unsigned int)selstate->max && selret > 0 && i < n_conns; i++) {
 	    int ssflags;
 
 	    if (conns[i].fd == INVALID_SOCKET)
@@ -1185,7 +1185,8 @@
 		int (*msg_handler)(krb5_context, const krb5_data *, void *),
 		void *msg_handler_data)
 {
-    int i, pass;
+    unsigned int i;
+    int pass;
     int delay_this_pass = 2;
     krb5_error_code retval;
     struct conn_state *conns;
Index: KerberosFramework/Kerberos5/Sources/lib/krb5/os/changepw.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/krb5/os/changepw.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/krb5/os/changepw.c	(working copy)
@@ -50,6 +50,11 @@
     krb5_data 		ap_req;
 };
 
+krb5_error_code KRB5_CALLCONV
+krb5_change_set_password(krb5_context context, krb5_creds *creds, char *newpw,
+			 krb5_principal set_password_for,
+			 int *result_code, krb5_data *result_code_string,
+			 krb5_data *result_string);
 
 /*
  * Wrapper function for the two backends
Index: KerberosFramework/Kerberos5/Sources/lib/krb5/rcache/rc_io.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/krb5/rcache/rc_io.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/krb5/rcache/rc_io.c	(working copy)
@@ -442,7 +442,7 @@
 				   strerror(errno));
 	    return KRB5_RC_IO_UNKNOWN;
 	}
-    if (count != num)
+    if (count < 0 || (unsigned int)count != num)
 	return KRB5_RC_IO_EOF;
     return 0;
 }
Index: KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccdefault.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccdefault.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccdefault.c	(working copy)
@@ -90,7 +90,7 @@
             /* This function tries to get tickets and put them in the specified 
             cache, however, if the cache does not exist, it may choose to put 
             them elsewhere (ie: the system default) so we set that here */
-            char * ccdefname = krb5_cc_default_name (context);
+            const char * ccdefname = krb5_cc_default_name (context);
             if (!ccdefname || strcmp (ccdefname, outCacheName) != 0) {
                 krb5_cc_set_default_name (context, outCacheName);
             }
Index: KerberosFramework/Kerberos5/Sources/lib/krb5/krb/ser_ctx.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/krb5/krb/ser_ctx.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/krb5/krb/ser_ctx.c	(working copy)
@@ -170,7 +170,7 @@
     size_t		required;
     krb5_octet		*bp;
     size_t		remain;
-    int			i;
+    unsigned int	i;
 
     required = 0;
     bp = *buffer;
@@ -333,7 +333,7 @@
     krb5_int32		ibuf;
     krb5_octet		*bp;
     size_t		remain;
-    int			i;
+    unsigned int	i;
 
     bp = *buffer;
     remain = *lenremain;
Index: KerberosFramework/Kerberos5/Sources/lib/krb5/krb/pkinit_apple_cert_store.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/krb5/krb/pkinit_apple_cert_store.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/krb5/krb/pkinit_apple_cert_store.c	(working copy)
@@ -261,6 +261,7 @@
     SecIdentityRef idRef = NULL;
     OSStatus ortn;
     CFDictionaryRef theDict = NULL;
+    CFStringRef cfPrinc = NULL;
     krb5_error_code ourRtn = 0;
     
     if(principal == NULL) {
@@ -274,8 +275,8 @@
     }
     
     /* Entry in the dictionary for specified principal? */
-    CFStringRef cfPrinc = CFStringCreateWithCString(NULL, principal, 
-	kCFStringEncodingASCII);
+    cfPrinc = CFStringCreateWithCString(NULL, principal, 
+                                        kCFStringEncodingASCII);
     issuerSerial = (CFDataRef)CFDictionaryGetValue(theDict, cfPrinc);
     CFRelease(cfPrinc);
     if(issuerSerial == NULL) {
Index: KerberosFramework/Kerberos5/Sources/lib/krb5/krb/pkinit_apple_utils.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/krb5/krb/pkinit_apple_utils.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/krb5/krb/pkinit_apple_utils.c	(working copy)
@@ -158,6 +158,7 @@
     krb5_ui_4 len;
     krb5_int32 rtn = 0;
     krb5_ui_4 dex;
+    uint8 *cp = NULL;
     
     if((cdata->Length == 0) || (cdata->Data == NULL)) {
 	*i = 0;
@@ -168,7 +169,7 @@
 	return ASN1_BAD_LENGTH;
     }
     
-    uint8 *cp = cdata->Data;
+    cp = cdata->Data;
     for(dex=0; dex<len; dex++) {
 	rtn = (rtn << 8) | *cp++;
     }
@@ -291,6 +292,7 @@
     krb5_timestamp kts,
     char **str)		    /* mallocd and RETURNED */
 {
+    char *outStr = NULL;
     time_t gmt_time = kts;
     struct tm *utc = gmtime(&gmt_time);
     if (utc == NULL ||
@@ -299,7 +301,7 @@
 	utc->tm_min > 59 || utc->tm_sec > 59) {
 	return ASN1_BAD_GMTIME;
     }
-    char *outStr = (char *)malloc(16);
+    outStr = (char *)malloc(16);
     if(outStr == NULL) {
 	return ENOMEM;
     }
Index: KerberosFramework/Kerberos5/Sources/lib/krb5/krb/gc_frm_kdc.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/krb5/krb/gc_frm_kdc.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/krb5/krb/gc_frm_kdc.c	(working copy)
@@ -788,7 +788,7 @@
     krb5_creds tgtq, cc_tgt, *tgtptr, *referral_tgts[KRB5_REFERRAL_MAXHOPS];
     krb5_boolean old_use_conf_ktypes;
     char **hrealms;
-    int referral_count, i;
+    unsigned int referral_count, i;
 
     /* 
      * Set up client and server pointers.  Make a fresh and modifyable
Index: KerberosFramework/Kerberos5/Sources/lib/krb5/krb/srv_rcache.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/krb5/krb/srv_rcache.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/krb5/krb/srv_rcache.c	(working copy)
@@ -41,7 +41,7 @@
     char *cachename = 0, *cachetype;
     char tmp[4];
     krb5_error_code retval;
-    int p, i;
+    unsigned int p, i;
     unsigned int len;
 
 #ifdef HAVE_GETEUID
Index: KerberosFramework/Kerberos5/Sources/lib/krb5/krb/preauth2.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/krb5/krb/preauth2.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/krb5/krb/preauth2.c	(working copy)
@@ -1773,7 +1773,8 @@
 		krb5_preauth_client_rock *get_data_rock,
 		krb5_gic_opt_ext *opte)
 {
-    int h, i, j, out_pa_list_size;
+    unsigned int h;
+    int i, j, out_pa_list_size;
     int seen_etype_info2 = 0;
     krb5_pa_data *out_pa = NULL, **out_pa_list = NULL;
     krb5_data scratch;
Index: KerberosFramework/Kerberos5/Sources/lib/krb5/krb/str_conv.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/lib/krb5/krb/str_conv.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/lib/krb5/krb/str_conv.c	(working copy)
@@ -251,7 +251,7 @@
 	"%x %X",		/* locale-dependent short format	*/
 	"%d/%m/%Y %R"		/* dd/mm/yyyy hh:mm			*/
     };
-    static const int sftime_format_table_nents =
+    static const unsigned int sftime_format_table_nents =
 	sizeof(sftime_format_table)/sizeof(sftime_format_table[0]);
 
 #ifdef HAVE_LOCALTIME_R
Index: KerberosFramework/Kerberos5/Sources/util/support/threads.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/util/support/threads.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/util/support/threads.c	(working copy)
@@ -171,6 +171,7 @@
 static struct tsd_block tsd_if_single;
 # define GET_NO_PTHREAD_TSD()	(&tsd_if_single)
 #else
+int krb5int_pthread_loaded (void);
 int krb5int_pthread_loaded (void)
 {
     return 1;
@@ -252,7 +253,7 @@
     return t->values[keynum];
 }
 
-int k5_setspecific (k5_key_t keynum, void *value)
+int k5_setspecific (k5_key_t keynum, const void *value)
 {
     struct tsd_block *t;
     int err;
@@ -614,6 +615,8 @@
 }
 #undef krb5int_mutex_report_stats
 void KRB5_CALLCONV
+krb5int_mutex_report_stats(k5_mutex_t *m);
+void KRB5_CALLCONV
 krb5int_mutex_report_stats(k5_mutex_t *m)
 {
 }
Index: KerberosFramework/Kerberos5/Sources/util/support/gmt_mktime.c
===================================================================
--- KerberosFramework/Kerberos5/Sources/util/support/gmt_mktime.c	(revision 20689)
+++ KerberosFramework/Kerberos5/Sources/util/support/gmt_mktime.c	(working copy)
@@ -2,6 +2,7 @@
 
 #include <stdio.h>
 #include "autoconf.h"
+#include "k5-int.h"
 
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>


From rt-comment at krbdev.mit.edu  Wed Aug 27 12:36:16 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Wed, 27 Aug 2008 12:36:16 -0400 (EDT)
Subject: [krbdev.mit.edu #6096] SVN Commit 
In-Reply-To: <rt-6096@krbdev.mit.edu>
Message-ID: <rt-6096-28206.10.2038688872224@krbdev.mit.edu>


Based on patch from lxs, with some changes:

Add several new gcc warning flags, used in the KfM build process.

Put declarations before code.

Fix a bunch of signed/unsigned type mixes, mostly by changing variable
types to unsigned int.

Fix constness in handling name of default ccache name.

Make sure functions get declared with prototypes:
krb5int_pthread_loaded krb5int_gmt_mktime krb5int_aes_encrypt
krb5int_aes_decrypt gssint_mecherrmap_init gssint_mecherramp_get.

Don't shadow global names: stat accept index open encrypt.  Fix
variable shadowing in LDAP ASN.1 support.

Don't define unused krb5int_local_addresses.
Don't export internal krb5_change_set_password.
Fix error return indications from gssint_oid_to_mech.

Create and use k5-gmt_mktime.h to provide one global declaration of
krb5int_gmt_mktime, needed before we've generated krb5.h on some
platforms.

Not incorporated from initial patch: const changes in function
signatures.
Commit By: raeburn



Revision: 20697
Changed Files:
_U  trunk/
U   trunk/src/aclocal.m4
A   trunk/src/include/k5-gmt_mktime.h
U   trunk/src/include/k5-int.h
U   trunk/src/include/k5-thread.h
U   trunk/src/kim/lib/kim_preferences.c
U   trunk/src/kim/lib/mac/kim_os_string.c
U   trunk/src/lib/crypto/checksum_length.c
U   trunk/src/lib/crypto/cksumtype_to_string.c
U   trunk/src/lib/crypto/cksumtypes.c
U   trunk/src/lib/crypto/cksumtypes.h
U   trunk/src/lib/crypto/coll_proof_cksum.c
U   trunk/src/lib/crypto/des/f_parity.c
U   trunk/src/lib/crypto/des/string2key.c
U   trunk/src/lib/crypto/des/weak_key.c
U   trunk/src/lib/crypto/hash_provider/hash_crc32.c
U   trunk/src/lib/crypto/hash_provider/hash_md4.c
U   trunk/src/lib/crypto/hash_provider/hash_md5.c
U   trunk/src/lib/crypto/hash_provider/hash_sha1.c
U   trunk/src/lib/crypto/hmac.c
U   trunk/src/lib/crypto/keyed_cksum.c
U   trunk/src/lib/crypto/keyhash_provider/k5_md4des.c
U   trunk/src/lib/crypto/keyhash_provider/k5_md5des.c
U   trunk/src/lib/crypto/make_checksum.c
U   trunk/src/lib/crypto/pbkdf2.c
U   trunk/src/lib/crypto/sha1/shs.c
U   trunk/src/lib/crypto/string_to_cksumtype.c
U   trunk/src/lib/crypto/valid_cksumtype.c
U   trunk/src/lib/crypto/verify_checksum.c
U   trunk/src/lib/gssapi/generic/gssapiP_generic.h
U   trunk/src/lib/gssapi/generic/util_buffer.c
U   trunk/src/lib/gssapi/generic/util_errmap.c
U   trunk/src/lib/gssapi/gss_libinit.c
U   trunk/src/lib/gssapi/krb5/accept_sec_context.c
U   trunk/src/lib/gssapi/krb5/copy_ccache.c
U   trunk/src/lib/gssapi/krb5/import_sec_context.c
U   trunk/src/lib/gssapi/krb5/init_sec_context.c
U   trunk/src/lib/gssapi/krb5/inq_context.c
U   trunk/src/lib/gssapi/krb5/k5seal.c
U   trunk/src/lib/gssapi/krb5/krb5_gss_glue.c
U   trunk/src/lib/gssapi/krb5/set_allowable_enctypes.c
U   trunk/src/lib/gssapi/krb5/util_seed.c
U   trunk/src/lib/gssapi/mechglue/g_acquire_cred.c
U   trunk/src/lib/gssapi/mechglue/g_initialize.c
U   trunk/src/lib/gssapi/mechglue/g_inq_context.c
U   trunk/src/lib/gssapi/mechglue/g_rel_oid_set.c
U   trunk/src/lib/gssapi/mechglue/mglueP.h
U   trunk/src/lib/gssapi/mechglue/oid_ops.c
U   trunk/src/lib/gssapi/spnego/gssapiP_spnego.h
U   trunk/src/lib/gssapi/spnego/spnego_mech.c
U   trunk/src/lib/krb5/asn.1/asn1_decode.c
U   trunk/src/lib/krb5/asn.1/asn1_k_decode.c
U   trunk/src/lib/krb5/asn.1/asn1buf.c
U   trunk/src/lib/krb5/asn.1/asn1buf.h
U   trunk/src/lib/krb5/asn.1/ldap_key_seq.c
U   trunk/src/lib/krb5/ccache/ccdefault.c
U   trunk/src/lib/krb5/krb/gc_frm_kdc.c
U   trunk/src/lib/krb5/krb/pkinit_apple_cert_store.c
U   trunk/src/lib/krb5/krb/pkinit_apple_utils.c
U   trunk/src/lib/krb5/krb/preauth2.c
U   trunk/src/lib/krb5/krb/ser_ctx.c
U   trunk/src/lib/krb5/krb/srv_rcache.c
U   trunk/src/lib/krb5/krb/str_conv.c
U   trunk/src/lib/krb5/libkrb5.exports
U   trunk/src/lib/krb5/os/changepw.c
U   trunk/src/lib/krb5/os/gen_rname.c
U   trunk/src/lib/krb5/os/localaddr.c
U   trunk/src/lib/krb5/os/sendto_kdc.c
U   trunk/src/lib/krb5/rcache/rc_io.c
U   trunk/src/util/support/gmt_mktime.c


From rt-comment at krbdev.mit.edu  Wed Aug 27 18:32:04 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Wed, 27 Aug 2008 18:32:04 -0400 (EDT)
Subject: [krbdev.mit.edu #6101] SVN Commit 
In-Reply-To: <rt-6101@krbdev.mit.edu>
Message-ID: <rt-6101-28210.19.437726462095@krbdev.mit.edu>


If DISABLE_IPROP is defined at compile time, don't listen for
connections and don't register the service.  (Doesn't currently
disable compilation of all of the code.)
Commit By: raeburn



Revision: 20699
Changed Files:
U   trunk/src/kadmin/server/ovsec_kadmd.c


From rt-comment at krbdev.mit.edu  Thu Aug 28 12:37:45 2008
From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT)
Date: Thu, 28 Aug 2008 12:37:45 -0400 (EDT)
Subject: [krbdev.mit.edu #6055] SVN Commit 
In-Reply-To: <rt-6055@krbdev.mit.edu>
Message-ID: <rt-6055-28215.3.22731584852839@krbdev.mit.edu>


Additional code for KerberosAgent.  Checking in so Justin can work on it.

Commit By: lxs



Revision: 20700
Changed Files:
U   trunk/src/kim/agent/mac/Identities.h
U   trunk/src/kim/agent/mac/Identities.m
U   trunk/src/kim/agent/mac/resources/English.lproj/Authentication.xib
U   trunk/src/kim/agent/mac/resources/English.lproj/SelectIdentity.xib


From rt-comment at krbdev.mit.edu  Thu Aug 28 14:11:57 2008
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Thu, 28 Aug 2008 14:11:57 -0400 (EDT)
Subject: [krbdev.mit.edu #6103] SVN Commit 
In-Reply-To: <rt-6103@krbdev.mit.edu>
Message-ID: <rt-6103-28216.14.2452759536197@krbdev.mit.edu>


Don't leak file descriptors in error cases.
Remove limit from length of passwords.
Commit By: raeburn



Revision: 20702
Changed Files:
U   trunk/src/lib/kadm5/srv/svr_principal.c