From rt-comment at krbdev.mit.edu Mon Dec 1 12:10:06 2008 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Mon, 1 Dec 2008 17:10:06 +0000 (UTC) Subject: [krbdev.mit.edu #6200] SVN Commit In-Reply-To: Message-ID: Convert many uses of sprintf to snprintf or asprintf. Commit By: ghudson Revision: 21258 Changed Files: U trunk/src/appl/bsd/forward.c U trunk/src/appl/bsd/kcmd.c U trunk/src/appl/bsd/krcp.c U trunk/src/appl/bsd/krlogin.c U trunk/src/appl/bsd/krlogind.c U trunk/src/appl/bsd/krshd.c U trunk/src/appl/bsd/login.c U trunk/src/appl/bsd/v4rcp.c U trunk/src/appl/gss-sample/gss-client.c U trunk/src/appl/gssftp/ftp/ftp.c U trunk/src/appl/gssftp/ftp/ruserpass.c U trunk/src/appl/gssftp/ftpd/ftpd.c U trunk/src/appl/libpty/getpty.c U trunk/src/appl/libpty/logwtmp.c U trunk/src/appl/sample/sserver/sserver.c U trunk/src/appl/telnet/libtelnet/auth.c U trunk/src/appl/telnet/libtelnet/enc_des.c U trunk/src/appl/telnet/libtelnet/encrypt.c U trunk/src/appl/telnet/libtelnet/forward.c U trunk/src/appl/telnet/libtelnet/kerberos.c U trunk/src/appl/telnet/libtelnet/kerberos5.c U trunk/src/appl/telnet/libtelnet/spx.c U trunk/src/appl/telnet/telnet/commands.c U trunk/src/appl/telnet/telnet/telnet.c U trunk/src/appl/telnet/telnet/utilities.c U trunk/src/appl/telnet/telnetd/slc.c U trunk/src/appl/telnet/telnetd/sys_term.c U trunk/src/clients/ksu/authorization.c U trunk/src/clients/ksu/krb_auth_su.c U trunk/src/clients/ksu/main.c U trunk/src/kadmin/cli/kadmin.c U trunk/src/kadmin/dbutil/kadm5_create.c U trunk/src/kadmin/ktutil/ktutil_funcs.c U trunk/src/kadmin/passwd/xm_kpasswd.c U trunk/src/kadmin/server/ipropd_svc.c U trunk/src/kdc/fakeka.c U trunk/src/lib/crypto/vectors.c U trunk/src/lib/krb5/krb/pkinit_apple_cert_store.c U trunk/src/lib/krb5/krb/pkinit_apple_utils.c U trunk/src/lib/krb5/krb/t_ser.c U trunk/src/lib/krb5/os/t_gifconf.c U trunk/src/lib/krb5/os/t_locate_kdc.c U trunk/src/lib/rpc/unit-test/client.c U trunk/src/lib/rpc/unit-test/server.c U trunk/src/plugins/kdb/db2/libdb2/test/dbtest.c U trunk/src/plugins/kdb/db2/libdb2/test/hash1.tests/driver2.c U trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c U trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c U trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c U trunk/src/plugins/locate/python/py-locate.c U trunk/src/plugins/preauth/cksum_body/cksum_body_main.c U trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c U trunk/src/plugins/preauth/wpse/wpse_main.c U trunk/src/slave/kprop.c U trunk/src/slave/kpropd.c U trunk/src/tests/create/kdb5_mkdums.c U trunk/src/tests/gss-threads/gss-client.c U trunk/src/tests/hammer/kdc5_hammer.c U trunk/src/tests/resolve/addrinfo-test.c U trunk/src/tests/shlib/t_loader.c U trunk/src/tests/threads/t_rcache.c U trunk/src/tests/verify/kdb5_verify.c U trunk/src/util/et/t_com_err.c U trunk/src/util/ss/utils.c U trunk/src/util/support/fake-addrinfo.c U trunk/src/util/support/init-addrinfo.c From rt-comment at krbdev.mit.edu Tue Dec 2 08:12:15 2008 From: rt-comment at krbdev.mit.edu (Mark.Phalan@Sun.Com via RT) Date: Tue, 2 Dec 2008 13:12:15 +0000 (UTC) Subject: [krbdev.mit.edu #6031] krb needs better realm lookup logic In-Reply-To: Message-ID: On Wed, 2008-10-08 at 16:26 +0000, Greg Hudson via RT wrote: > Okay, I need one more thing from you: please state that Sun intends the > new code to be covered by the Sun Microsystems license from the > top-level Kerberos README file. That way we can confidently add a note > to README mentioning the files in question, to make it clear what > license is meant by "use is subject to license." Sun intends that the new code be covered by the Sun Microsystems' license from the top-level Kerberos README file (as seen below). The Copyright needs to be updated to 2008 and the modified source files should contain the following: /* * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ Thanks, -M > > Thanks. The license in question from the README file (which already > applies to a bunch of other code in Kerberos) is: > > Copyright (c) 2004 Sun Microsystems, Inc. > > Permission is hereby granted, free of charge, to any person obtaining a > copy of this software and associated documentation files (the > "Software"), to deal in the Software without restriction, including > without limitation the rights to use, copy, modify, merge, publish, > distribute, sublicense, and/or sell copies of the Software, and to > permit persons to whom the Software is furnished to do so, subject to > the following conditions: > > The above copyright notice and this permission notice shall be included > in all copies or substantial portions of the Software. > > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS > OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF > MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. > IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY > CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, > TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE > SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. From rt-comment at krbdev.mit.edu Tue Dec 2 11:19:58 2008 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Tue, 2 Dec 2008 16:19:58 +0000 (UTC) Subject: [krbdev.mit.edu #6271] gss_krb5_ccache_name memory leaks In-Reply-To: Message-ID: [Looks like I hit the wrong button on the message in the moderation queue. Refiling bug report from "Stephen Ince" manually. --Ken] The function call gss_krb5_ccache_name has a memory leak for each thread that invokes this function. It is suggested that krb5int_thread_detach_hook needs cleanup this memory. I will gladly test any fix. Steve since at openndemand.com From rt-comment at krbdev.mit.edu Tue Dec 2 11:21:24 2008 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Tue, 2 Dec 2008 16:21:24 +0000 (UTC) Subject: [krbdev.mit.edu #6271] gss_krb5_ccache_name memory leaks In-Reply-To: Message-ID: See also the thread on the krbdev mailing list from 21 to 26 November titled "rewrite gss_krb5_ccache_name". The original problem was observed in kfw-3-2-2-final, and krb5int_thread_detach_hook is part of the Windows-specific support. From rt-comment at krbdev.mit.edu Tue Dec 2 15:08:47 2008 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Tue, 2 Dec 2008 20:08:47 +0000 (UTC) Subject: [krbdev.mit.edu #6273] SVN Commit In-Reply-To: Message-ID: testing commit handler again http://src.mit.edu/fisheye/changelog/krb5/?cs=21262 Commit By: tlyu Revision: 21262 Changed Files: A branches/commit-handler-test/aaaa/ From rt-comment at krbdev.mit.edu Tue Dec 2 15:10:24 2008 From: rt-comment at krbdev.mit.edu (Sam Hartman via RT) Date: Tue, 2 Dec 2008 20:10:24 +0000 (UTC) Subject: [krbdev.mit.edu #6274] SVN Commit In-Reply-To: Message-ID: Merge in the mskrb-crypto-iov branch at r21259 in order to move an implementation of http://k5wiki.kerberos.org/wiki/Projects/AEAD_encryption_API onto the trunk. This branch contains a subset of the commits on the mskrb-integ branch that implement the krb5 library part of the crypto IOV API. http://src.mit.edu/fisheye/changelog/krb5/?cs=21263 Commit By: hartmans Revision: 21263 Changed Files: U trunk/src/include/k5-int.h U trunk/src/include/krb5/krb5.hin U trunk/src/lib/crypto/Makefile.in A trunk/src/lib/crypto/aead.c A trunk/src/lib/crypto/aead.h U trunk/src/lib/crypto/arcfour/Makefile.in U trunk/src/lib/crypto/arcfour/arcfour-int.h U trunk/src/lib/crypto/arcfour/arcfour.c U trunk/src/lib/crypto/arcfour/arcfour.h A trunk/src/lib/crypto/arcfour/arcfour_aead.c A trunk/src/lib/crypto/crypto_length.c A trunk/src/lib/crypto/decrypt_iov.c U trunk/src/lib/crypto/des/Makefile.in A trunk/src/lib/crypto/des/d3_aead.c U trunk/src/lib/crypto/des/des_int.h U trunk/src/lib/crypto/dk/Makefile.in U trunk/src/lib/crypto/dk/checksum.c U trunk/src/lib/crypto/dk/dk.h A trunk/src/lib/crypto/dk/dk_aead.c U trunk/src/lib/crypto/enc_provider/aes.c U trunk/src/lib/crypto/enc_provider/des3.c U trunk/src/lib/crypto/enc_provider/enc_provider.h U trunk/src/lib/crypto/enc_provider/rc4.c A trunk/src/lib/crypto/encrypt_iov.c U trunk/src/lib/crypto/etypes.c U trunk/src/lib/crypto/hmac.c U trunk/src/lib/crypto/keyhash_provider/descbc.c U trunk/src/lib/crypto/keyhash_provider/hmac_md5.c U trunk/src/lib/crypto/keyhash_provider/k5_md4des.c U trunk/src/lib/crypto/keyhash_provider/k5_md5des.c U trunk/src/lib/crypto/libk5crypto.exports A trunk/src/lib/crypto/make_checksum_iov.c U trunk/src/lib/crypto/t_encrypt.c A trunk/src/lib/crypto/verify_checksum_iov.c U trunk/src/lib/krb5/os/accessor.c From rt-comment at krbdev.mit.edu Wed Dec 3 14:30:15 2008 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Wed, 3 Dec 2008 19:30:15 +0000 (UTC) Subject: [krbdev.mit.edu #6276] SVN Commit In-Reply-To: Message-ID: yet more commit handler test http://src.mit.edu/fisheye/changelog/krb5/?cs=21275 Commit By: tlyu Revision: 21275 Changed Files: A branches/commit-handler-test/aaaa/ From rt-comment at krbdev.mit.edu Thu Dec 4 09:52:47 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 14:52:47 +0000 (UTC) Subject: [krbdev.mit.edu #6277] KLCacheHasValidTickets changed behavior In-Reply-To: Message-ID: Didn't set validTickets flag on expired ticket. Vendor's priority - Serious Bug Vendor's patch - LHA-6361873-KLCacheHasValidTickets-default-to-expired From rt-comment at krbdev.mit.edu Thu Dec 4 10:13:02 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 15:13:02 +0000 (UTC) Subject: [krbdev.mit.edu #6279] kamin.local reports unknown error 43787527 In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Projects/Kerberos5.xcodeproj/project.pbxproj Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Projects/Kerberos5.xcodeproj/project.pbxproj --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Projects/Kerberos5.xcodeproj/project.pbxproj 2008-11-17 16:36:25.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Projects/Kerberos5.xcodeproj/project.pbxproj 2008-11-17 18:59:34.000000000 -0800 @@ -834,6 +834,10 @@ DE9C728D0E91B25800CDA612 /* KIMUtilities.m in Sources */ = {isa = PBXBuildFile; fileRef = DE9C728C0E91B25800CDA612 /* KIMUtilities.m */; }; DE9C72900E91B27400CDA612 /* KerberosAgentListener.m in Sources */ = {isa = PBXBuildFile; fileRef = DE9C728F0E91B27400CDA612 /* KerberosAgentListener.m */; }; DEB1EAF50E8ACDDA00E72739 /* KerberosFormatters.m in Sources */ = {isa = PBXBuildFile; fileRef = DEB1EAF40E8ACDDA00E72739 /* KerberosFormatters.m */; }; + EB11F3660ED266FC0094174E /* kadm_err.c in Sources */ = {isa = PBXBuildFile; fileRef = A196501109E711240033874C /* kadm_err.c */; }; + EB11F3670ED266FD0094174E /* kadm_err.c in Sources */ = {isa = PBXBuildFile; fileRef = A196501109E711240033874C /* kadm_err.c */; }; + EB11F3690ED267140094174E /* chpass_util_strings.c in Sources */ = {isa = PBXBuildFile; fileRef = A196500E09E711240033874C /* chpass_util_strings.c */; }; + EB11F36A0ED267140094174E /* chpass_util_strings.c in Sources */ = {isa = PBXBuildFile; fileRef = A196500E09E711240033874C /* chpass_util_strings.c */; }; EB8F82C00E55C7DA00F80A30 /* libutil1.0.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = EB8F82BF0E55C7DA00F80A30 /* libutil1.0.dylib */; }; EB8F82C20E55C80D00F80A30 /* libutil1.0.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = EB8F82BF0E55C7DA00F80A30 /* libutil1.0.dylib */; }; EB945CDB0E7940420070BB6B /* announce.c in Sources */ = {isa = PBXBuildFile; fileRef = EB945CDA0E7940420070BB6B /* announce.c */; }; @@ -10197,6 +10201,8 @@ A103A3B90E23E60400850E0F /* clnt_chpass_util.c in Sources */, A103A3BA0E23E60400850E0F /* clnt_policy.c in Sources */, A103A3BB0E23E60400850E0F /* clnt_privs.c in Sources */, + EB11F3660ED266FC0094174E /* kadm_err.c in Sources */, + EB11F3690ED267140094174E /* chpass_util_strings.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -10221,6 +10227,8 @@ A103A3AC0E23E5E700850E0F /* svr_iters.c in Sources */, A103A3AD0E23E5E700850E0F /* svr_policy.c in Sources */, A103A3AE0E23E5E700850E0F /* svr_principal.c in Sources */, + EB11F3670ED266FD0094174E /* kadm_err.c in Sources */, + EB11F36A0ED267140094174E /* chpass_util_strings.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/kadm5/clnt/client_init.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/kadm5/clnt/client_init.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/kadm5/clnt/client_init.c 2008-11-07 11:25:43.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/kadm5/clnt/client_init.c 2008-11-17 18:45:10.000000000 -0800 @@ -178,10 +178,9 @@ int code = 0; generic_ret *r; - initialize_ovk_error_table(); -/* initialize_adb_error_table(); */ - initialize_ovku_error_table(); - + add_error_table(&et_ovk_error_table); + add_error_table(&et_ovku_error_table); + if (! server_handle) { return EINVAL; } diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/kadm5/srv/server_init.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/kadm5/srv/server_init.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/kadm5/srv/server_init.c 2008-11-07 11:25:44.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/kadm5/srv/server_init.c 2008-11-17 18:44:48.000000000 -0800 @@ -186,9 +186,8 @@ return(ret); } - initialize_ovk_error_table(); -/* initialize_adb_error_table(); */ - initialize_ovku_error_table(); + add_error_table(&et_ovk_error_table); + add_error_table(&et_ovku_error_table); handle->magic_number = KADM5_SERVER_HANDLE_MAGIC; handle->struct_version = struct_version; From rt-comment at krbdev.mit.edu Thu Dec 4 10:15:47 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 15:15:47 +0000 (UTC) Subject: [krbdev.mit.edu #6280] krb5kdc crashed - possible CFSocket race In-Reply-To: Message-ID: Vendor's priority - Crash/Hang/Data Loss Vendor's patch - LHA-6353722-wait-for-cfsocket From rt-comment at krbdev.mit.edu Thu Dec 4 10:22:57 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 15:22:57 +0000 (UTC) Subject: [krbdev.mit.edu #6281] krb5_cc_cache_match In-Reply-To: Message-ID: Introduced a new function - krb5_cc_cache_match (krb5_context, krb5_principal,krb5_ccache*): Search for a matching credential cache that have the`principal' as the default principal. Vendor's priority - Other Bug Vendor's patch - LHA-6358684-cc-cache-match From rt-comment at krbdev.mit.edu Thu Dec 4 10:29:49 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 15:29:49 +0000 (UTC) Subject: [krbdev.mit.edu #6282] krb5kdc deref uninit memory on the stack on unknown principal (pk-init) In-Reply-To: Message-ID: do_as_req.c : in process_as_req memset "reply" to 0. Vendor's priority - Serious Bug Vendor's patch - LHA-6397025-dont-deref-stack-memory From rt-comment at krbdev.mit.edu Thu Dec 4 10:37:31 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 15:37:31 +0000 (UTC) Subject: [krbdev.mit.edu #6283] At Login the client is setting the renew life time to 24 hours? In-Reply-To: Message-ID: KIM - set default_renewal_lifetime if KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE flag is set. Vendor's priority - Other Bug Vendor's patch - LHA-6325227-dont-set-renewable-life From rt-comment at krbdev.mit.edu Thu Dec 4 10:46:09 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 15:46:09 +0000 (UTC) Subject: [krbdev.mit.edu #6284] memory leaks in error conditions In-Reply-To: Message-ID: If error condition occurs, some buffers won't be freed in kdc/do_as_req.c and kadmin/server/schpw.c Vendor's priority - task Vendor's patch - LHA-6331022-chpw-leak ; LHA-6331022-krb5kdc-pws-plug-memory-leak From rt-comment at krbdev.mit.edu Thu Dec 4 10:48:12 2008 From: rt-comment at krbdev.mit.edu (Sam Hartman via RT) Date: Thu, 4 Dec 2008 15:48:12 +0000 (UTC) Subject: [krbdev.mit.edu #6274] SVN Commit In-Reply-To: Message-ID: Merge r21120 from mskrb-integ Refactor code such that an AEAD provider does not need to implement the older, non-IOV SPIs. Instead, the older APIs will implement their behaviour on top of the AEAD SPIs, using the wrapper functions in aead.c. http://src.mit.edu/fisheye/changelog/krb5/?cs=21278 Commit By: hartmans Revision: 21278 Changed Files: U trunk/src/lib/crypto/aead.c U trunk/src/lib/crypto/aead.h U trunk/src/lib/crypto/crypto_length.c U trunk/src/lib/crypto/decrypt.c U trunk/src/lib/crypto/encrypt.c U trunk/src/lib/crypto/encrypt_length.c From rt-comment at krbdev.mit.edu Thu Dec 4 10:48:21 2008 From: rt-comment at krbdev.mit.edu (Sam Hartman via RT) Date: Thu, 4 Dec 2008 15:48:21 +0000 (UTC) Subject: [krbdev.mit.edu #6274] SVN Commit In-Reply-To: Message-ID: Cleanup warnings http://src.mit.edu/fisheye/changelog/krb5/?cs=21280 Commit By: hartmans Revision: 21280 Changed Files: U trunk/src/lib/crypto/aead.c U trunk/src/lib/crypto/arcfour/arcfour_aead.c U trunk/src/lib/crypto/crypto_length.c U trunk/src/lib/crypto/dk/dk_aead.c From rt-comment at krbdev.mit.edu Thu Dec 4 10:48:16 2008 From: rt-comment at krbdev.mit.edu (Sam Hartman via RT) Date: Thu, 4 Dec 2008 15:48:16 +0000 (UTC) Subject: [krbdev.mit.edu #6274] SVN Commit In-Reply-To: Message-ID: Merge R21122 from mskrb-integ Namespace cleanup http://src.mit.edu/fisheye/changelog/krb5/?cs=21279 Commit By: hartmans Revision: 21279 Changed Files: U trunk/src/lib/crypto/aead.c U trunk/src/lib/crypto/aead.h U trunk/src/lib/crypto/crypto_length.c U trunk/src/lib/crypto/decrypt.c U trunk/src/lib/crypto/encrypt.c U trunk/src/lib/crypto/encrypt_length.c From rt-comment at krbdev.mit.edu Thu Dec 4 10:49:16 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 15:49:16 +0000 (UTC) Subject: [krbdev.mit.edu #6285] Provide SPI to switch the mach port lookup for kipc In-Reply-To: Message-ID: Provide SPI to switch the mach port lookup for kipc + Localizable.strings removed Vendor's priority - Task + Serious Bug Vendor's patch - LHA-6334108-provide-spi-for-kipc-user-switch+6324632-install- localizedstrings From rt-comment at krbdev.mit.edu Thu Dec 4 10:50:58 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 15:50:58 +0000 (UTC) Subject: [krbdev.mit.edu #6286] Allow kerberos configuration files fail with EPERM In-Reply-To: Message-ID: allow kerberos configuration files fail with EPERM too (sandbox) Vendor's priority - Serious Bug Vendor's patch - LHA-6397043-ignore-EPERM-on-config-files From rt-comment at krbdev.mit.edu Thu Dec 4 10:53:14 2008 From: rt-comment at krbdev.mit.edu (Sam Hartman via RT) Date: Thu, 4 Dec 2008 15:53:14 +0000 (UTC) Subject: [krbdev.mit.edu #6274] In-Reply-To: Message-ID: The implementation of krb5_c_decrypt based on the AEAD APIs does not treat the input argument as constant. I think you need to copy the input data before using crypto_type_stream. --Sam From rt-comment at krbdev.mit.edu Thu Dec 4 10:54:19 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 15:54:19 +0000 (UTC) Subject: [krbdev.mit.edu #6287] Provide SPI to switch the mach port lookup for kipc In-Reply-To: Message-ID: MAC specific changes Vendor's priority - task Vendor's patch - LHA-6401570-dont-call-dispatch-main-in-lib From rt-comment at krbdev.mit.edu Thu Dec 4 10:56:00 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 15:56:00 +0000 (UTC) Subject: [krbdev.mit.edu #6288] Running kinit without any arguments is a bummer In-Reply-To: Message-ID: Vendor's priority - Other Bug Vendor's patch - LHA-6364704-report-error-from-kim From rt-comment at krbdev.mit.edu Thu Dec 4 10:57:25 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 15:57:25 +0000 (UTC) Subject: [krbdev.mit.edu #6289] replay cache is insecurely handled In-Reply-To: Message-ID: replay cache is insecurely handled Vendor's priority - Security Vendor's patch - LHA-6372951-lstat-instead-of-stat From rt-comment at krbdev.mit.edu Thu Dec 4 11:02:03 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 16:02:03 +0000 (UTC) Subject: [krbdev.mit.edu #6290] KIM: Pushing authentication login window do application In-Reply-To: Message-ID: kim/agent/mac/AuthenticationController.m kim/agent/mac/SelectIdentityController.m - window settings Vendor's priority - Other Bug Vendor's patch - LHA-6052079-lower-KerberosAgent From rt-comment at krbdev.mit.edu Thu Dec 4 11:03:30 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 16:03:30 +0000 (UTC) Subject: [krbdev.mit.edu #6291] Using referrals fills the the credentials cache more entries of the same name In-Reply-To: Message-ID: Using referrals fills the the credentials cache more entries of the same name Vendor's priority - Other Bug Vendor's patch - LHA-6292632-remove-dups-before-storing-new-entries From rt-comment at krbdev.mit.edu Thu Dec 4 11:06:14 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 16:06:14 +0000 (UTC) Subject: [krbdev.mit.edu #6292] KerberosLibraries: strings_syntactically_broken_strings In-Reply-To: Message-ID: KerberosErrors/Scripts/compile_et changes Vendor's priority - Serious Bug Vendor's patch - LHA-6316816-remove-slash-from-strings From rt-comment at krbdev.mit.edu Thu Dec 4 11:07:34 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 16:07:34 +0000 (UTC) Subject: [krbdev.mit.edu #6292] KerberosLibraries: strings_syntactically_broken_strings In-Reply-To: Message-ID: Correction: Vendor's priority - Other Bug From rt-comment at krbdev.mit.edu Thu Dec 4 11:09:22 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 16:09:22 +0000 (UTC) Subject: [krbdev.mit.edu #6293] Seed: Kerberos: can't log in to external KDC In-Reply-To: Message-ID: Vendor's priority - Serious Bug Vendor's patch - LHA-6322932-make-des-work-again From rt-comment at krbdev.mit.edu Thu Dec 4 10:05:01 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 15:05:01 +0000 (UTC) Subject: [krbdev.mit.edu #6278] gssd-agent deadlock In-Reply-To: Message-ID: Vendor's priority - Serious Bug Vendor's patch - LHA-6370271-deadlock-in-com-err From rt-comment at krbdev.mit.edu Thu Dec 4 13:22:59 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 18:22:59 +0000 (UTC) Subject: [krbdev.mit.edu #6277] KLCacheHasValidTickets changed behavior In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kim/lib/kim_ccache.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kim/lib/kim_ccache.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kim/lib/kim_ccache.c 2008-11-07 11:24:45.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kim/lib/kim_ccache.c 2008-11-11 13:56:53.000000000 -0800 @@ -721,7 +721,7 @@ kim_boolean out_of_credentials = FALSE; kim_boolean found_valid_tgt = FALSE; kim_boolean dominant_is_tgt = FALSE; - kim_credential_state dominant_state = kim_credentials_state_valid; + kim_credential_state dominant_state = kim_credentials_state_expired; kim_credential dominant_credential = NULL; if (!err && !in_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); } From rt-comment at krbdev.mit.edu Thu Dec 4 13:37:55 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 18:37:55 +0000 (UTC) Subject: [krbdev.mit.edu #6280] krb5kdc crashed - possible CFSocket race In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kdc/announce.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kdc/announce.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kdc/announce.c 2008-11-10 12:59:13.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kdc/announce.c 2008-11-10 20:36:16.000000000 -0800 @@ -485,17 +485,19 @@ g_DNSSource = NULL; } - if (g_dnsRef) { - DNSServiceRefDeallocate(g_dnsRef); - g_dnsRef = NULL; - } - if (g_DNSSource) { CFSocketInvalidate(g_DNSSocket); + // work-around for + usleep(10000); CFRelease(g_DNSSocket); g_DNSSource = NULL; } + if (g_dnsRef) { + DNSServiceRefDeallocate(g_dnsRef); + g_dnsRef = NULL; + } + delete_all(); #ifdef REGISTER_SRV_RR unregister_srv_realms(); From rt-comment at krbdev.mit.edu Thu Dec 4 13:38:49 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 18:38:49 +0000 (UTC) Subject: [krbdev.mit.edu #6281] krb5_cc_cache_match In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Projects/krb5.pbexp Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Projects/krb5.pbexp --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Projects/krb5.pbexp 2008-11-14 10:40:47.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Projects/krb5.pbexp 2008-11-14 11:04:20.000000000 -0800 @@ -355,3 +355,4 @@ _krb5_is_config_principal _krb5_ipc_client_set_target_uid _krb5_ipc_client_clear_target +_krb5_cc_cache_match \ No newline at end of file diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/include/krb5/krb5.hin Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/include/krb5/krb5.hin --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/include/krb5/krb5.hin 2008-11-14 10:40:47.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/include/krb5/krb5.hin 2008-11-14 11:03:02.000000000 -0800 @@ -1311,6 +1311,10 @@ krb5_error_code KRB5_CALLCONV krb5_cc_unlock (krb5_context context, krb5_ccache ccache); +krb5_error_code KRB5_CALLCONV +krb5_cc_cache_match (krb5_context context, + krb5_principal client, + krb5_ccache *id); krb5_error_code KRB5_CALLCONV krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor); diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccfns.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccfns.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccfns.c 2008-11-14 10:40:47.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccfns.c 2008-11-14 11:14:36.000000000 -0800 @@ -344,3 +344,67 @@ krb5_free_cred_contents(context, &mcred); return ret; } + +/*! + * \return On failure, error code is returned and `id' is set to NULL. + * + * \param context A Kerberos 5 context + * \param client The principal to search for + * \param id the returned credential cache + * + * \brief Search for a matching credential cache that have the + * `principal' as the default principal. On success, `id' needs to be + * freed with krb5_cc_close() or krb5_cc_destroy(). + */ + +krb5_error_code KRB5_CALLCONV +krb5_cc_cache_match (krb5_context context, + krb5_principal client, + krb5_ccache *id) +{ + krb5_cccol_cursor cursor; + krb5_error_code ret; + krb5_ccache cache = NULL; + + *id = NULL; + + ret = krb5_cccol_cursor_new (context, &cursor); + if (ret) + return ret; + + while ((ret = krb5_cccol_cursor_next (context, cursor, &cache)) == 0 && cache != NULL) { + krb5_principal principal; + + ret = krb5_cc_get_principal(context, cache, &principal); + if (ret == 0) { + krb5_boolean match; + + match = krb5_principal_compare(context, principal, client); + krb5_free_principal(context, principal); + if (match) + break; + } + + krb5_cc_close(context, cache); + cache = NULL; + } + + krb5_cccol_cursor_free(context, &cursor); + + if (cache == NULL) { + char *str; + + krb5_unparse_name(context, client, &str); + + krb5_set_error_message(context, KRB5_CC_NOTFOUND, + "Principal %s not found in a " + "credential cache", + str ? str : ""); + if (str) + free(str); + return KRB5_CC_NOTFOUND; + } + *id = cache; + + return 0; +} From rt-comment at krbdev.mit.edu Thu Dec 4 13:40:13 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 18:40:13 +0000 (UTC) Subject: [krbdev.mit.edu #6282] krb5kdc deref uninit memory on the stack on unknown principal (pk-init) In-Reply-To: Message-ID: Crashes in de-ref of reply later when it tries to free memory, this is in the error path from non existant client principal. diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c 2008-11-22 13:06:24.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c 2008-11-22 17:37:33.000000000 -0800 @@ -105,7 +105,7 @@ ticket_reply.enc_part.ciphertext.data = 0; e_data.data = 0; encrypting_key.contents = 0; - reply.padata = 0; + memset(&reply, 0, sizeof(reply)); session_key.contents = 0; enc_tkt_reply.authorization_data = NULL; From rt-comment at krbdev.mit.edu Thu Dec 4 13:40:54 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 18:40:54 +0000 (UTC) Subject: [krbdev.mit.edu #6283] At Login the client is setting the renew life time to 24 hours? In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kim/lib/kim_options.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kim/lib/kim_options.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kim/lib/kim_options.c 2008-11-07 11:24:45.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kim/lib/kim_options.c 2008-11-11 17:34:02.000000000 -0800 @@ -45,7 +45,7 @@ 0, kim_default_lifetime, kim_default_renewable, -kim_default_renewal_lifetime, +0, kim_default_forwardable, kim_default_proxiable, kim_default_addressless, @@ -488,8 +488,9 @@ if (!err) { krb5_get_init_creds_opt_set_tkt_life (in_options->init_cred_options, in_options->lifetime); - krb5_get_init_creds_opt_set_renew_life (in_options->init_cred_options, - in_options->renewable ? in_options->renewal_lifetime : 0); + if (in_options->renewal_lifetime || in_options->renewable) + krb5_get_init_creds_opt_set_renew_life (in_options->init_cred_options, + in_options->renewal_lifetime); krb5_get_init_creds_opt_set_forwardable (in_options->init_cred_options, in_options->forwardable); krb5_get_init_creds_opt_set_proxiable (in_options->init_cred_options, diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kim/lib/kim_preferences_private.h Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kim/lib/kim_preferences_private.h --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kim/lib/kim_preferences_private.h 2008-11-07 11:24:45.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kim/lib/kim_preferences_private.h 2008-11-11 17:33:14.000000000 -0800 @@ -52,7 +52,6 @@ #define kim_default_lifetime 10*60*60 #define kim_default_renewable TRUE -#define kim_default_renewal_lifetime 7*24*60*60 #define kim_default_forwardable TRUE #define kim_default_proxiable TRUE #define kim_default_addressless TRUE diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/krb5/krb/get_in_tkt.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/krb5/krb/get_in_tkt.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/krb5/krb/get_in_tkt.c 2008-11-07 11:25:56.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/krb5/krb/get_in_tkt.c 2008-11-11 18:20:20.000000000 -0800 @@ -1026,7 +1026,7 @@ } else { renew_life = 0; } - if (renew_life > 0) + if (renew_life > 0 || (options->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE)) request.kdc_options |= KDC_OPT_RENEWABLE; if (renew_life > 0) { From rt-comment at krbdev.mit.edu Thu Dec 4 13:42:44 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 18:42:44 +0000 (UTC) Subject: [krbdev.mit.edu #6284] memory leaks in error conditions In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/server/schpw.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/server/schpw.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/server/schpw.c 2008-11-09 17:47:50.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/server/schpw.c 2008-11-09 19:22:59.000000000 -0800 @@ -37,6 +37,7 @@ char *clientstr; size_t clen; char *cdots; + const char *errmsg = NULL; ret = 0; rep->length = 0; @@ -221,11 +222,15 @@ clen = strlen(clientstr); trunc_name(&clen, &cdots); + if (ret) + errmsg = krb5_get_error_message (context, ret); krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s", inet_ntoa(sockfrom->sin_addr), (int) clen, clientstr, cdots, - ret ? krb5_get_error_message (context, ret) : "success"); + errmsg ? errmsg : "success"); krb5_free_unparsed_name(context, clientstr); + if (errmsg) + krb5_free_error_message(context, errmsg); if (ret) { if ((ret != KADM5_PASS_Q_TOOSHORT) && From rt-comment at krbdev.mit.edu Thu Dec 4 13:43:29 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 18:43:29 +0000 (UTC) Subject: [krbdev.mit.edu #6284] memory leaks in error conditions In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c 2008-11-09 21:03:38.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c 2008-11-09 22:05:27.000000000 -0800 @@ -443,18 +443,15 @@ if(kdc_notify_pws_apple || kdc_active_realm->realm_pws_enabled){ errcode = kdc_update_pws(cname, 0, 1, server); if (errcode) { - status = "CHECK_PWS_ACCT"; - goto errout; + krb5_free_data(kdc_context, *response); + *response = NULL; + status = "CHECK_PWS_ACCT"; + goto errout; } } #endif - /* these parts are left on as a courtesy from krb5_encode_kdc_rep so we - can use them in raw form if needed. But, we don't... */ - memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length); - free(reply.enc_part.ciphertext.data); - rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), &reply); krb5_klog_syslog(LOG_INFO, "AS_REQ (%s) %s: ISSUE: authtime %d, " @@ -475,6 +472,11 @@ errout: + /* these parts are left on as a courtesy from krb5_encode_kdc_rep so we + can use them in raw form if needed. But, we don't... */ + memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length); + free(reply.enc_part.ciphertext.data); + #ifdef APPLE_KDC_MODS /* call code to notify PWS of the failure iff not NEEDS_Preauth */ if(kdc_notify_pws_apple || kdc_active_realm->realm_pws_enabled){ From rt-comment at krbdev.mit.edu Thu Dec 4 13:44:42 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 18:44:42 +0000 (UTC) Subject: [krbdev.mit.edu #6285] Provide SPI to switch the mach port lookup for kipc In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5b2.orig/KerberosFramework/Common/Projects/KerberosFramework.xcodeproj/project.pbxproj Kerberos.AEP-6.5b2/KerberosFramework/Common/Projects/KerberosFramework.xcodeproj/project.pbxproj --- Kerberos.AEP-6.5b2.orig/KerberosFramework/Common/Projects/KerberosFramework.xcodeproj/project.pbxproj 2008-11-09 16:06:52.000000000 -0800 +++ Kerberos.AEP-6.5b2/KerberosFramework/Common/Projects/KerberosFramework.xcodeproj/project.pbxproj 2008-11-06 20:02:34.000000000 -0800 @@ -602,6 +602,15 @@ ); runOnlyForDeploymentPostprocessing = 1; }; + EBF664F10EBAD3910046D1CA /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = ""; + dstSubfolderSpec = 7; + files = ( + ); + runOnlyForDeploymentPostprocessing = 0; + }; /* End PBXCopyFilesBuildPhase section */ /* Begin PBXFileReference section */ @@ -1381,6 +1390,9 @@ A1FBC4E907AAF63900872683 /* Sources */, A1FBC4EC07AAF63900872683 /* Frameworks */, A1FBC50107AAF63900872683 /* ShellScript */, + EB88E9EF0EBAC9B1001E280A /* ShellScript */, + EBF664F70EBAD64A0046D1CA /* ShellScript */, + EBF664F10EBAD3910046D1CA /* CopyFiles */, A13849830A23A11900E9FC8B /* CopyFiles */, A1FBC50C07AAF63900872683 /* CopyFiles */, A1FBC50207AAF63900872683 /* CopyFiles */, @@ -1780,7 +1792,7 @@ ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; - shellScript = "INTERMEDIATES_DIR=\"${BUILT_PRODUCTS_DIR}/Kerberos5.intermediates\"\nERROR_TABLES_DIR=\"${INTERMEDIATES_DIR}/ErrorTables\"\n\n# Currently only generating InfoPlist.strings\ncp \"${ERROR_TABLES_DIR}/Localizable.strings\" \"${INTERMEDIATES_DIR}/InfoPlist.strings\"\n"; + shellScript = "INTERMEDIATES_DIR=\"${BUILT_PRODUCTS_DIR}/Kerberos5.intermediates\"\nERROR_TABLES_DIR=\"${INTERMEDIATES_DIR}/ErrorTables\"\n\n# Currently only generating InfoPlist.strings\ncp \"${ERROR_TABLES_DIR}/Localizable.strings\" \"${INTERMEDIATES_DIR}/Localizable.strings\"\n"; }; A1FBC50107AAF63900872683 /* ShellScript */ = { isa = PBXShellScriptBuildPhase; @@ -1803,6 +1815,32 @@ shellPath = /bin/sh; shellScript = "INSTALLED_EXECUTABLE=${INSTALL_PATH}/${PRODUCT_NAME}.${WRAPPER_EXTENSION}/${PRODUCT_NAME}\nUSRLIB=${DSTROOT}/usr/lib\n\n/bin/mkdir -p \"${USRLIB}\"\nfor LIBRARY in com_err des425 krb4 krb5 krb524 krb5support k5crypto gssapi_krb5\ndo\n\t/bin/rm -f \"${USRLIB}/lib${LIBRARY}.dylib\"\n\t/bin/ln -s \"${INSTALLED_EXECUTABLE}\" \"${USRLIB}/lib${LIBRARY}.dylib\"\ndone\n"; }; + EB88E9EF0EBAC9B1001E280A /* ShellScript */ = { + isa = PBXShellScriptBuildPhase; + buildActionMask = 2147483647; + files = ( + ); + inputPaths = ( + ); + outputPaths = ( + ); + runOnlyForDeploymentPostprocessing = 0; + shellPath = /bin/sh; + shellScript = "\nINTERMEDIATES_DIR=\"${BUILT_PRODUCTS_DIR}/Kerberos5.intermediates\"\nL10NSTRINGS=${DSTROOT}/System/Library/Frameworks/Kerberos.framework/Resources/English.lproj\n\nmkdir \"${L10NSTRINGS}\"\ncp \"${INTERMEDIATES_DIR}/Localizable.strings\" \"${L10NSTRINGS}\"/\n"; + }; + EBF664F70EBAD64A0046D1CA /* ShellScript */ = { + isa = PBXShellScriptBuildPhase; + buildActionMask = 2147483647; + files = ( + ); + inputPaths = ( + ); + outputPaths = ( + ); + runOnlyForDeploymentPostprocessing = 0; + shellPath = /bin/sh; + shellScript = "\nSRC_DIR=\"${SRCROOT}/../../Kerberos5/Sources/util/mac/\"\nHEADERS=${DSTROOT}/System/Library/Frameworks/Kerberos.framework/PrivateHeaders\n\ncp \"${SRC_DIR}/krb5-ipc.h\" \"${HEADERS}\"/\n"; + }; /* End PBXShellScriptBuildPhase section */ /* Begin PBXSourcesBuildPhase section */ diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5b2.orig/KerberosFramework/Kerberos5/Projects/krb5.pbexp Kerberos.AEP-6.5b2/KerberosFramework/Kerberos5/Projects/krb5.pbexp --- Kerberos.AEP-6.5b2.orig/KerberosFramework/Kerberos5/Projects/krb5.pbexp 2008-11-09 16:06:53.000000000 -0800 +++ Kerberos.AEP-6.5b2/KerberosFramework/Kerberos5/Projects/krb5.pbexp 2008-11-06 20:02:34.000000000 -0800 @@ -344,3 +344,5 @@ _krb5_cc_get_config _krb5_cc_set_config _krb5_is_config_principal +_krb5_ipc_client_set_target_uid +_krb5_ipc_client_clear_target diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5b2.orig/KerberosFramework/Kerberos5/Sources/util/mac/k5_mig_client.c Kerberos.AEP-6.5b2/KerberosFramework/Kerberos5/Sources/util/mac/k5_mig_client.c --- Kerberos.AEP-6.5b2.orig/KerberosFramework/Kerberos5/Sources/util/mac/k5_mig_client.c 2008-11-09 16:06:54.000000000 -0800 +++ Kerberos.AEP-6.5b2/KerberosFramework/Kerberos5/Sources/util/mac/k5_mig_client.c 2008-11-09 15:46:30.000000000 -0800 @@ -27,18 +27,44 @@ #ifndef LEAN_CLIENT #include "k5_mig_client.h" +#include "krb5-ipc.h" #include "k5_mig_request.h" #include "k5_mig_replyServer.h" #include "k5-thread.h" #include +#include #include +#include +/* ------------------------------------------------------------------------ */ /* Number of services available. Update if modifying the lists below */ #define KIPC_SERVICE_COUNT 2 +/* This struct exists to hold the per-thread connection port used for ipc + * messages to the server. Each thread is issued a separate connection + * port so that the server can distinguish between threads in the same + * application. */ + +typedef struct k5_ipc_connection { + const char *service_id; + mach_port_t port; +} *k5_ipc_connection; + +typedef struct k5_ipc_connection_info { + struct k5_ipc_connection connections[KIPC_SERVICE_COUNT]; + boolean_t server_died; + k5_ipc_stream reply_stream; +} *k5_ipc_connection_info; + +/* initializer for k5_ipc_request_port to fill in server names in TLS */ +static const char *k5_ipc_known_services[KIPC_SERVICE_COUNT] = { +"edu.mit.Kerberos.CCacheServer", +"edu.mit.Kerberos.KerberosAgent" }; + + /* ------------------------------------------------------------------------ */ /* This struct exists to store the global service port shared between all @@ -57,28 +83,64 @@ { "edu.mit.Kerberos.CCacheServer", MACH_PORT_NULL }, { "edu.mit.Kerberos.KerberosAgent", MACH_PORT_NULL } }; -/* ------------------------------------------------------------------------ */ +static int use_uid = 0; +static uid_t targetuid; -/* This struct exists to hold the per-thread connection port used for ipc - * messages to the server. Each thread is issued a separate connection - * port so that the server can distinguish between threads in the same - * application. */ +static void +clear_cache(void) +{ + k5_ipc_connection_info cinfo; + int i; + + /* assume lock is taken */ + for (i = 0; i < KIPC_SERVICE_COUNT; i++) { + if (MACH_PORT_VALID (g_service_ports[i].service_port)) { + mach_port_destroy (mach_task_self (), + g_service_ports[i].service_port); + g_service_ports[i].service_port = MACH_PORT_NULL; + } + } + + cinfo = k5_getspecific (K5_KEY_IPC_CONNECTION_INFO); + if (cinfo) { + for (i = 0; i < KIPC_SERVICE_COUNT; i++) { + if (MACH_PORT_VALID (cinfo->connections[i].port)) + mach_port_deallocate(mach_task_self(), + cinfo->connections[i].port); + cinfo->connections[i].port = MACH_PORT_NULL; + } + } +} -typedef struct k5_ipc_connection { - const char *service_id; - mach_port_t port; -} *k5_ipc_connection; -typedef struct k5_ipc_connection_info { - struct k5_ipc_connection connections[KIPC_SERVICE_COUNT]; - boolean_t server_died; - k5_ipc_stream reply_stream; -} *k5_ipc_connection_info; +void +krb5_ipc_client_set_target_uid(uid_t uid) +{ + int err; + + err = k5_mutex_lock (&g_service_ports_mutex); + if (!err) { + use_uid = 1; + targetuid = uid; + clear_cache(); + k5_mutex_unlock (&g_service_ports_mutex); + } +} + +void +krb5_ipc_client_clear_target(void) +{ + int err; + + err = k5_mutex_lock (&g_service_ports_mutex); + if (!err) { + use_uid = 0; + clear_cache(); + k5_mutex_unlock (&g_service_ports_mutex); + } +} + -/* initializer for k5_ipc_request_port to fill in server names in TLS */ -static const char *k5_ipc_known_services[KIPC_SERVICE_COUNT] = { -"edu.mit.Kerberos.CCacheServer", -"edu.mit.Kerberos.KerberosAgent" }; /* ------------------------------------------------------------------------ */ @@ -164,15 +226,7 @@ err = k5_mutex_lock (&g_service_ports_mutex); if (!err) { - int i; - - for (i = 0; i < KIPC_SERVICE_COUNT; i++) { - if (MACH_PORT_VALID (g_service_ports[i].service_port)) { - mach_port_destroy (mach_task_self (), - g_service_ports[i].service_port); - g_service_ports[i].service_port = MACH_PORT_NULL; - } - } + clear_cache(); k5_mutex_unlock (&g_service_ports_mutex); } @@ -180,6 +234,53 @@ k5_mutex_destroy (&g_service_ports_mutex); } +/* SPI */ kern_return_t +bootstrap_look_up_per_user(mach_port_t, name_t, uid_t, mach_port_t *); + + +static int +get_service_port(char *service, mach_port_t *sport) +{ + int ret; + + if (use_uid) { + mach_port_t rootbs; + + ret = task_get_bootstrap_port(mach_task_self(), &rootbs); + if (ret) + return ret; + + /* search up the namespace tree to the root */ + while (1) { + kern_return_t kr; + mach_port_t parent; + kr = bootstrap_parent(rootbs, &parent); + + if (kr == KERN_SUCCESS) { + if (parent == MACH_PORT_NULL || parent == rootbs) + break; + } else + break; + mach_port_deallocate(mach_task_self(), rootbs); + rootbs = parent; + } + + ret = bootstrap_look_up_per_user(rootbs, service, targetuid, + sport); + mach_port_deallocate(mach_task_self(), rootbs); + } else { + mach_port_t boot_port; + + ret = task_get_bootstrap_port(mach_task_self(), &boot_port); + if (ret) + return ret; + ret = bootstrap_look_up (boot_port, service, sport); + mach_port_deallocate(mach_task_self(), boot_port); + } + + return ret; +} + #pragma mark - /* ------------------------------------------------------------------------ */ @@ -195,6 +296,8 @@ boolean_t found_entry = 0; int i; + in_launch_if_necessary = 1; + if (!in_service_id ) { err = EINVAL; } if (!out_service_port) { err = EINVAL; } @@ -214,12 +317,8 @@ } if (!err && (!MACH_PORT_VALID (k5_service_port) || !in_use_cached_port)) { - mach_port_t boot_port = MACH_PORT_NULL; char *service = NULL; - /* Get our bootstrap port */ - err = task_get_bootstrap_port (mach_task_self (), &boot_port); - if (!err && !in_launch_if_necessary) { char *lookup = NULL; mach_port_t lookup_port = MACH_PORT_NULL; @@ -228,13 +327,13 @@ in_service_id, K5_MIG_LOOKUP_SUFFIX); if (w < 0) { err = ENOMEM; } + /* Use the lookup name because the service name will return + * a valid port even if the server isn't running */ if (!err) { - /* Use the lookup name because the service name will return - * a valid port even if the server isn't running */ - err = bootstrap_look_up (boot_port, lookup, &lookup_port); + err = get_service_port (lookup, &lookup_port); + free (lookup); } - free (lookup); if (MACH_PORT_VALID (lookup_port)) { mach_port_deallocate (mach_task_self (), lookup_port); } @@ -247,7 +346,8 @@ } if (!err) { - err = bootstrap_look_up (boot_port, service, &k5_service_port); + err = get_service_port (service, &k5_service_port); + free (service); if (!err && found_entry) { /* Free old port if it is valid */ @@ -259,10 +359,6 @@ g_service_ports[i].service_port = k5_service_port; } } - - free (service); - if (MACH_PORT_VALID (boot_port)) { mach_port_deallocate (mach_task_self (), - boot_port); } } if (!err) { @@ -422,19 +518,22 @@ } if (!err) { - err = k5_ipc_client_lookup_server (in_service_id, in_launch_server, - TRUE, &server_port); - } - - if (!err) { err = mach_port_allocate (mach_task_self (), MACH_PORT_RIGHT_RECEIVE, &reply_port); } while (!err && !done) { if (!err && !MACH_PORT_VALID (connection->port)) { - err = k5_ipc_client_create_client_connection (server_port, - &connection->port); + err = k5_ipc_client_lookup_server (in_service_id, in_launch_server, + try_count == 0 ? TRUE : FALSE, + &server_port); + if (err) + continue; + + err = k5_ipc_client_create_client_connection(server_port, + &connection->port); + if (err) + continue; } if (!err) { @@ -455,12 +554,7 @@ MACH_PORT_RIGHT_SEND, -1 ); connection->port = MACH_PORT_NULL; } - - /* Look up server name again without using the cached copy */ - err = k5_ipc_client_lookup_server (in_service_id, - in_launch_server, - FALSE, &server_port); - + } else { /* Talked to server, though we may have gotten an error */ done = 1; diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5b2.orig/KerberosFramework/Kerberos5/Sources/util/mac/krb5-ipc.h Kerberos.AEP-6.5b2/KerberosFramework/Kerberos5/Sources/util/mac/krb5-ipc.h --- Kerberos.AEP-6.5b2.orig/KerberosFramework/Kerberos5/Sources/util/mac/krb5-ipc.h 1969-12-31 16:00:00.000000000 -0800 +++ Kerberos.AEP-6.5b2/KerberosFramework/Kerberos5/Sources/util/mac/krb5-ipc.h 2008-11-06 20:10:38.000000000 -0800 @@ -0,0 +1,33 @@ +/* + * $Header$ + * + * Copyright 2006 Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +#ifndef KRB5_IPC_CLIENT_H +#define KRB5_IPC_CLIENT_H + +void krb5_ipc_client_set_target_uid(uid_t); +void krb5_ipc_client_clear_target(void); + +#endif /* KRB5_IPC_CLIENT_H */ From rt-comment at krbdev.mit.edu Thu Dec 4 13:45:50 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 18:45:50 +0000 (UTC) Subject: [krbdev.mit.edu #6286] Allow kerberos configuration files fail with EPERM In-Reply-To: Message-ID: --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/util/profile/prof_init.c 2008-11-07 11:26:01.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/util/profile/prof_init.c 2008-11-22 17:23:07.000000000 -0800 @@ -42,7 +42,7 @@ for (fs = files; !PROFILE_LAST_FILESPEC(*fs); fs++) { retval = profile_open_file(*fs, &new_file); /* if this file is missing, skip to the next */ - if (retval == ENOENT || retval == EACCES) { + if (retval == ENOENT || retval == EACCES || retval == EPERM) { continue; } if (retval) { From rt-comment at krbdev.mit.edu Thu Dec 4 13:46:53 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 18:46:53 +0000 (UTC) Subject: [krbdev.mit.edu #6287] Provide SPI to switch the mach port lookup for kipc In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/ccapi/server/mac/ccs_os_server.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/ccapi/server/mac/ccs_os_server.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/ccapi/server/mac/ccs_os_server.c 2008-11-25 10:41:46.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/ccapi/server/mac/ccs_os_server.c 2008-11-25 15:50:29.000000000 -0800 @@ -102,7 +102,8 @@ cc_int32 ccs_os_server_listen_loop (int argc, const char *argv[]) { - return cci_check_error (k5_ipc_server_listen_loop ()); + k5_ipc_server_listen(); + dispatch_main(); } /* ------------------------------------------------------------------------ */ diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kim/agent/mac/KerberosAgentListener.m Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kim/agent/mac/KerberosAgentListener.m --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kim/agent/mac/KerberosAgentListener.m 2008-11-07 11:24:46.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kim/agent/mac/KerberosAgentListener.m 2008-11-25 15:58:01.000000000 -0800 @@ -30,43 +30,9 @@ @implementation KerberosAgentListener - at synthesize thread; - - (id) init { - self = [super init]; - if (self != nil) { - self.thread = [[NSThread alloc] initWithTarget:self selector:@selector(threadMain) object:nil]; - } - return self; -} - -static KerberosAgentListener *sharedListener = nil; - -+ (KerberosAgentListener *) sharedListener -{ - @synchronized(self) { - if (sharedListener == nil) { - [[self alloc] init]; // assignment not done here - } - } - return sharedListener; -} - -+ (id)allocWithZone:(NSZone *)zone -{ - @synchronized(self) { - if (sharedListener == nil) { - sharedListener = [super allocWithZone:zone]; - return sharedListener; // assignment and return on first allocation - } - } - return nil; //on subsequent allocation attempts return nil -} - -- (id)copyWithZone:(NSZone *)zone -{ - return self; + return [super init]; } - (id)retain @@ -74,7 +40,7 @@ return self; } -- (unsigned)retainCount +- (NSUInteger)retainCount { return UINT_MAX; //denotes an object that cannot be released } @@ -94,30 +60,7 @@ // called from main thread to start listen thread + (void) startListening { -// NSLog(@"%s %@ thread", __FUNCTION__, ([NSThread isMainThread]) ? @"main" : @"not main"); - - [[KerberosAgentListener sharedListener].thread start]; -} - -- (void) threadMain -{ - NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init]; - int32_t err = 0; - -// NSLog(@"%s starting up", __FUNCTION__); - - while (!err && ![self.thread isCancelled]) { - err = kim_agent_listen_loop(); - if (!err) { -// NSLog (@"%s loop resetting %@", __FUNCTION__, [[NSThread currentThread] description]); - } else { - NSLog (@"%s got error %d (%@) %@", __FUNCTION__, err, [KIMUtilities stringForLastKIMError:err], [[NSThread currentThread] description]); - err = 0; /* The server quit unexpectedly -- just try again */ - } - sleep(10); - } - - [pool release]; + return k5_ipc_server_listen(); } #pragma mark IPC handlers diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/util/mac/k5_mig_server.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/util/mac/k5_mig_server.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/util/mac/k5_mig_server.c 2008-11-25 10:41:46.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/util/mac/k5_mig_server.c 2008-11-25 15:51:00.000000000 -0800 @@ -34,14 +34,9 @@ #include #include #include +#include #include -/* Global variables for servers (used by k5_ipc_request_demux) */ -static mach_port_t g_service_port = MACH_PORT_NULL; -static mach_port_t g_notify_port = MACH_PORT_NULL; -static boolean_t g_ready_to_quit = 0; - - /* ------------------------------------------------------------------------ */ static boolean_t k5_ipc_request_demux (mach_msg_header_t *request, @@ -53,13 +48,6 @@ handled = k5_ipc_request_server (request, reply); } - /* Our session has a send right. If that goes away it's time to quit. */ - if (!handled && (request->msgh_id == MACH_NOTIFY_NO_SENDERS && - request->msgh_local_port == g_notify_port)) { - g_ready_to_quit = 1; - handled = 1; - } - /* Check here for a client death. If so remove it */ if (!handled && request->msgh_id == MACH_NOTIFY_NO_SENDERS) { kern_return_t err = KERN_SUCCESS; @@ -228,85 +216,53 @@ return err; } +static void +start_mach_service(launch_data_t obj, const char *key, void *context) +{ + dispatch_source_t source; + + if (launch_data_get_type(obj) == LAUNCH_DATA_MACHPORT) { + mach_port_t port = launch_data_get_machport(obj); + dispatch_source_mig_create(port, + K5_IPC_MAX_MSG_SIZE, + NULL, + dispatch_get_main_queue(), + k5_ipc_request_demux); + } else { + syslog(LOG_NOTICE, "%s: not a mach port", key); + } +} + #pragma mark - /* ------------------------------------------------------------------------ */ -int32_t k5_ipc_server_listen_loop (void) +int32_t k5_ipc_server_listen (void) { - /* Run the Mach IPC listen loop. - * This will call k5_ipc_server_create_client_connection for new clients - * and k5_ipc_server_request for existing clients */ - - kern_return_t err = KERN_SUCCESS; - char *service = NULL; - char *lookup = NULL; - mach_port_t lookup_port = MACH_PORT_NULL; - mach_port_t boot_port = MACH_PORT_NULL; - mach_port_t previous_notify_port = MACH_PORT_NULL; - dispatch_queue_t queue; + launch_data_t resp, tmp, msg; + + msg = launch_data_new_string(LAUNCH_KEY_CHECKIN); - - if (!err) { - err = k5_ipc_server_get_lookup_and_service_names (&lookup, &service); + resp = launch_msg(msg); + if (resp == NULL) { + syslog(LOG_NOTICE, "launch_msg(): %s", strerror(errno)); + return 1; } - if (!err) { - /* Get the bootstrap port */ - err = task_get_bootstrap_port (mach_task_self (), &boot_port); + if (launch_data_get_type(resp) == LAUNCH_DATA_ERRNO) { + errno = launch_data_get_errno(resp); + syslog(LOG_NOTICE, "launch_msg() response: %s", strerror(errno)); + return 1; } - if (!err) { - /* We are an on-demand server so our lookup port already exists. */ - err = bootstrap_check_in (boot_port, lookup, &lookup_port); - } - - if (!err) { - /* We are an on-demand server so our service port already exists. */ - err = bootstrap_check_in (boot_port, service, &g_service_port); - } - - if (!err) { - /* Create the port set that the server will listen on */ - err = mach_port_allocate (mach_task_self (), MACH_PORT_RIGHT_RECEIVE, - &g_notify_port); - } + tmp = launch_data_dict_lookup(resp, LAUNCH_JOBKEY_MACHSERVICES); - if (!err) { - /* Ask for notification when the server port has no more senders - * A send-once right != a send right so our send-once right will - * not interfere with the notification */ - err = mach_port_request_notification (mach_task_self (), g_service_port, - MACH_NOTIFY_NO_SENDERS, true, - g_notify_port, - MACH_MSG_TYPE_MAKE_SEND_ONCE, - &previous_notify_port); + if (tmp == NULL) { + syslog(LOG_NOTICE, "No mach services found!"); + } else { + launch_data_dict_iterate(tmp, start_mach_service, NULL); } - - queue = dispatch_get_main_queue(); - - dispatch_source_mig_create(g_notify_port, K5_IPC_MAX_MSG_SIZE, NULL, - queue, k5_ipc_request_demux); - dispatch_source_mig_create(lookup_port, K5_IPC_MAX_MSG_SIZE, NULL, - queue, k5_ipc_request_demux); - dispatch_source_mig_create(g_service_port, K5_IPC_MAX_MSG_SIZE, NULL, - queue, k5_ipc_request_demux); - - dispatch_main(); - - /* Clean up the ports and strings */ - if (MACH_PORT_VALID (g_notify_port)) { - mach_port_destroy (mach_task_self (), g_notify_port); - g_notify_port = MACH_PORT_NULL; - } - if (MACH_PORT_VALID (boot_port)) { - mach_port_deallocate (mach_task_self (), boot_port); - } - - free (service); - free (lookup); - - return err; + return 0; } /* ------------------------------------------------------------------------ */ @@ -366,5 +322,4 @@ void k5_ipc_server_quit (void) { - g_ready_to_quit = 1; } diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/util/mac/k5_mig_server.h Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/util/mac/k5_mig_server.h --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/util/mac/k5_mig_server.h 2008-11-07 11:26:00.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/util/mac/k5_mig_server.h 2008-11-25 15:51:15.000000000 -0800 @@ -41,8 +41,7 @@ /* Server control functions */ -/* WARNING: Currently only supports running server loop on a single thread! */ -int32_t k5_ipc_server_listen_loop (void); +int32_t k5_ipc_server_listen (void); int32_t k5_ipc_server_send_reply (mach_port_t in_reply_pipe, k5_ipc_stream in_reply_stream); From rt-comment at krbdev.mit.edu Thu Dec 4 13:54:14 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 18:54:14 +0000 (UTC) Subject: [krbdev.mit.edu #6288] Running kinit without any arguments is a bummer In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosClients/kinit/Sources/kinit.c Kerberos.AEP-6.5fc1/KerberosClients/kinit/Sources/kinit.c --- Kerberos.AEP-6.5fc1.orig/KerberosClients/kinit/Sources/kinit.c 2008-11-17 16:36:25.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosClients/kinit/Sources/kinit.c 2008-11-17 16:51:27.000000000 -0800 @@ -567,6 +567,16 @@ } } + if (err) { + kim_string error = NULL; + kim_error err2; + + err2 = kim_string_create_for_last_error(&error, err); + printf("kinit: %s\n", error ? error : "unknown"); + kim_string_free (&error); + } + + if (!err) { kim_credential_state state; From rt-comment at krbdev.mit.edu Thu Dec 4 13:55:10 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 18:55:10 +0000 (UTC) Subject: [krbdev.mit.edu #6288] Running kinit without any arguments is a bummer In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/KerberosErrors/Sources/com_err.c Kerberos.AEP-6.5fc1/KerberosFramework/KerberosErrors/Sources/com_err.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/KerberosErrors/Sources/com_err.c 2008-11-07 11:24:28.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/KerberosErrors/Sources/com_err.c 2008-11-13 15:37:31.000000000 -0800 @@ -201,6 +201,8 @@ char *message = NULL; int reentered = 0; /* some of the functions that we call may call us. */ + kim_library_init(); + if (!err) { enter_err = com_err_thread_entering_error_message (&reentered); From rt-comment at krbdev.mit.edu Thu Dec 4 13:57:04 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 18:57:04 +0000 (UTC) Subject: [krbdev.mit.edu #6289] replay cache is insecurely handled In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/krb5/rcache/rc_io.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/krb5/rcache/rc_io.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/krb5/rcache/rc_io.c 2008-11-20 14:26:58.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/krb5/rcache/rc_io.c 2008-11-20 14:28:08.000000000 -0800 @@ -223,7 +223,7 @@ krb5_error_code retval = 0; int do_not_unlink = 1; #ifndef NO_USERID - struct stat statb; + struct stat sb1, sb2; #endif char *dir; size_t dirlen; @@ -239,24 +239,50 @@ #ifdef NO_USERID d->fd = THREEPARAMOPEN(d->fn, O_RDWR | O_BINARY, 0600); + if (d->fd == -1) { + retval = rc_map_errno(context, errno, d->fn, "open"); + goto cleanup; + } #else - if ((d->fd = stat(d->fn, &statb)) != -1) { - uid_t me; - - me = geteuid(); - /* must be owned by this user, to prevent some security problems with - * other users modifying replay cache stufff */ - if ((statb.st_uid != me) || ((statb.st_mode & S_IFMT) != S_IFREG)) { - FREE(d->fn); - return KRB5_RC_IO_PERM; - } - d->fd = THREEPARAMOPEN(d->fn, O_RDWR | O_BINARY, 0600); + d->fd = -1; + retval = lstat(d->fn, &sb1); + if (retval != 0) { + retval = rc_map_errno(context, errno, d->fn, "lstat"); + goto cleanup; } -#endif - if (d->fd == -1) { + d->fd = THREEPARAMOPEN(d->fn, O_RDWR | O_BINARY, 0600); + if (d->fd < 0) { retval = rc_map_errno(context, errno, d->fn, "open"); goto cleanup; } + retval = fstat (d->fd, &sb2); + if (retval < 0) { + retval = rc_map_errno(context, errno, d->fn, "fstat"); + goto cleanup; + } + /* check if someone was playing with symlinks */ + if ((sb1.st_dev != sb2.st_dev || sb1.st_ino != sb2.st_ino) + || (sb1.st_mode & S_IFMT) != S_IFREG) + { + retval = KRB5_RC_IO_PERM; + krb5_set_error_message(context, retval, + "rcache not a file %s", d->fn); + goto cleanup; + } + /* check that non other can read/write/execute the file */ + if (sb1.st_mode & 077) { + krb5_set_error_message(context, retval, "Insecure file mode " + "for replay cache file %s", d->fn); + return KRB5_RC_IO_UNKNOWN; + } + /* owned by me */ + if (sb1.st_uid != geteuid()) { + retval = KRB5_RC_IO_PERM; + krb5_set_error_message(context, retval, "rcache not owned by %d", + (int)geteuid()); + goto cleanup; + } +#endif set_cloexec_fd(d->fd); do_not_unlink = 0; From rt-comment at krbdev.mit.edu Thu Dec 4 13:59:03 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 18:59:03 +0000 (UTC) Subject: [krbdev.mit.edu #6291] Using referrals fills the the credentials cache more entries of the same name In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccfns.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccfns.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccfns.c 2008-11-24 21:29:39.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccfns.c 2008-11-24 21:51:32.000000000 -0800 @@ -68,6 +68,9 @@ krb5_error_code ret; krb5_ticket *tkt; krb5_principal s1, s2; + + /* remove any dups */ + krb5_cc_remove_cred(context, cache, 0, creds); ret = cache->ops->store(context, cache, creds); if (ret) return ret; @@ -83,6 +86,8 @@ s2 = tkt->server; if (!krb5_principal_compare(context, s1, s2)) { creds->server = s2; + /* remove any dups */ + krb5_cc_remove_cred(context, cache, 0, creds); ret = cache->ops->store(context, cache, creds); creds->server = s1; } From rt-comment at krbdev.mit.edu Thu Dec 4 13:58:10 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 18:58:10 +0000 (UTC) Subject: [krbdev.mit.edu #6290] KIM: Pushing authentication login window do application In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5b2.orig/KerberosFramework/Kerberos5/Sources/kim/agent/mac/AuthenticationController.m Kerberos.AEP-6.5b2/KerberosFramework/Kerberos5/Sources/kim/agent/mac/AuthenticationController.m --- Kerberos.AEP-6.5b2.orig/KerberosFramework/Kerberos5/Sources/kim/agent/mac/AuthenticationController.m 2008-10-24 14:11:20.000000000 -0700 +++ Kerberos.AEP-6.5b2/KerberosFramework/Kerberos5/Sources/kim/agent/mac/AuthenticationController.m 2008-10-31 00:22:52.000000000 -0700 @@ -75,7 +75,7 @@ { [[self window] center]; // We need to float over the loginwindow and SecurityAgent so use its hardcoded level. - [[self window] setLevel:NSScreenSaverWindowLevel]; + [[self window] setLevel:NSModalPanelWindowLevel]; visibleAsSheet = NO; diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5b2.orig/KerberosFramework/Kerberos5/Sources/kim/agent/mac/SelectIdentityController.m Kerberos.AEP-6.5b2/KerberosFramework/Kerberos5/Sources/kim/agent/mac/SelectIdentityController.m --- Kerberos.AEP-6.5b2.orig/KerberosFramework/Kerberos5/Sources/kim/agent/mac/SelectIdentityController.m 2008-10-24 14:11:20.000000000 -0700 +++ Kerberos.AEP-6.5b2/KerberosFramework/Kerberos5/Sources/kim/agent/mac/SelectIdentityController.m 2008-10-31 00:22:50.000000000 -0700 @@ -56,7 +56,7 @@ NSString *message = nil; [[self window] center]; - [[self window] setLevel:NSScreenSaverWindowLevel]; + [[self window] setLevel:NSModalPanelWindowLevel]; longTimeFormatter.displaySeconds = NO; longTimeFormatter.displayShortFormat = NO; From rt-comment at krbdev.mit.edu Thu Dec 4 14:00:15 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 19:00:15 +0000 (UTC) Subject: [krbdev.mit.edu #6292] KerberosLibraries: strings_syntactically_broken_strings In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/KerberosErrors/Scripts/compile_et Kerberos.AEP-6.5fc1/KerberosFramework/KerberosErrors/Scripts/compile_et --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/KerberosErrors/Scripts/compile_et 2008-11-07 11:24:28.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/KerberosErrors/Scripts/compile_et 2008-11-09 17:38:18.000000000 -0800 @@ -204,8 +204,7 @@ my $errorCode = $errorCodes[$i]; if ($errorCode eq "error_code" || $errorCode eq "ec") { my $arguments = $errorCodes[$i+1]; - $arguments =~ s/\s*\\\s*\n\s*/ /g; # get rid of newlines preceded by backslash - $arguments =~ s/\s*\n\s*/ /g; # get rid of newlines + $arguments =~ s/\s*\\?\s*\n\s*/ /g; # get rid of newlines if ($arguments =~ /^\s*(\w+)\s*,\s*"([^"]*)"\s*$/) { my $errorNameString = $1; my $messageString = $2; From rt-comment at krbdev.mit.edu Thu Dec 4 14:01:33 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 19:01:33 +0000 (UTC) Subject: [krbdev.mit.edu #6293] Seed: Kerberos: can't log in to external KDC In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/crypto/enc_provider/des.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/crypto/enc_provider/des.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/crypto/enc_provider/des.c 2008-11-21 20:27:44.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/crypto/enc_provider/des.c 2008-11-21 21:42:27.000000000 -0800 @@ -124,13 +124,6 @@ const unsigned char *ip; size_t i, len, movedData; -#if 0 - if (key->length != 8) - return(KRB5_BAD_KEYSIZE); -#endif - if (length != 8) - return(KRB5_BAD_KEYSIZE); - memcpy(buf, ivec, sizeof(buf)); /* @@ -140,31 +133,30 @@ ip = (const unsigned char *)in; len = length; while (len > 0) { - for (i = 0; i < len && i < 8; i++) - buf[i] ^= (*ip++); - len -= i; - - /* - * Encrypt what we have - */ - - ret = CCCrypt(kCCEncrypt, - kCCAlgorithmDES, - kCCOptionECBMode, - key, - 8, - NULL, - buf, - sizeof(buf), - buf, - sizeof(buf), - &movedData); - if (ret) - return(KRB5_CRYPTO_INTERNAL); + for (i = 0; i < len && i < 8; i++) + buf[i] ^= (*ip++); + len -= i; + + /* + * Encrypt what we have + */ + + ret = CCCrypt(kCCEncrypt, + kCCAlgorithmDES, + kCCOptionECBMode, + key, + 8, + NULL, + buf, + sizeof(buf), + buf, + sizeof(buf), + &movedData); + if (ret) + return(KRB5_CRYPTO_INTERNAL); } memcpy(out, buf, sizeof(buf)); - #if 0 return right & 0xFFFFFFFFUL; #endif From rt-comment at krbdev.mit.edu Thu Dec 4 14:27:50 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 19:27:50 +0000 (UTC) Subject: [krbdev.mit.edu #6288] Running kinit without any arguments is a bummer In-Reply-To: Message-ID: The patch LHA-6370271-deadlock-in-com-err.patch is unrelated to this bug From rt-comment at krbdev.mit.edu Thu Dec 4 14:56:12 2008 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Thu, 4 Dec 2008 19:56:12 +0000 (UTC) Subject: [krbdev.mit.edu #6238] Apple patch: KDC send announcements of realms on startup In-Reply-To: Message-ID: This patch also needs patches from #6243 and #6280. From rt-comment at krbdev.mit.edu Thu Dec 4 15:01:18 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 20:01:18 +0000 (UTC) Subject: [krbdev.mit.edu #6288] Running kinit without any arguments is a bummer In-Reply-To: Message-ID: updated CC list From rt-comment at krbdev.mit.edu Thu Dec 4 15:02:01 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 20:02:01 +0000 (UTC) Subject: [krbdev.mit.edu #6277] KLCacheHasValidTickets changed behavior In-Reply-To: Message-ID: updated CC list From rt-comment at krbdev.mit.edu Thu Dec 4 15:02:15 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 20:02:15 +0000 (UTC) Subject: [krbdev.mit.edu #6293] Seed: Kerberos: can't log in to external KDC In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/crypto/enc_provider/des.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/crypto/enc_provider/des.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/crypto/enc_provider/des.c 2008-11-21 20:27:44.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/crypto/enc_provider/des.c 2008-11-21 21:42:27.000000000 -0800 @@ -124,13 +124,6 @@ const unsigned char *ip; size_t i, len, movedData; -#if 0 - if (key->length != 8) - return(KRB5_BAD_KEYSIZE); -#endif - if (length != 8) - return(KRB5_BAD_KEYSIZE); - memcpy(buf, ivec, sizeof(buf)); /* @@ -140,31 +133,30 @@ ip = (const unsigned char *)in; len = length; while (len > 0) { - for (i = 0; i < len && i < 8; i++) - buf[i] ^= (*ip++); - len -= i; - - /* - * Encrypt what we have - */ - - ret = CCCrypt(kCCEncrypt, - kCCAlgorithmDES, - kCCOptionECBMode, - key, - 8, - NULL, - buf, - sizeof(buf), - buf, - sizeof(buf), - &movedData); - if (ret) - return(KRB5_CRYPTO_INTERNAL); + for (i = 0; i < len && i < 8; i++) + buf[i] ^= (*ip++); + len -= i; + + /* + * Encrypt what we have + */ + + ret = CCCrypt(kCCEncrypt, + kCCAlgorithmDES, + kCCOptionECBMode, + key, + 8, + NULL, + buf, + sizeof(buf), + buf, + sizeof(buf), + &movedData); + if (ret) + return(KRB5_CRYPTO_INTERNAL); } memcpy(out, buf, sizeof(buf)); - #if 0 return right & 0xFFFFFFFFUL; #endif From rt-comment at krbdev.mit.edu Thu Dec 4 15:02:45 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 20:02:45 +0000 (UTC) Subject: [krbdev.mit.edu #6293] Seed: Kerberos: can't log in to external KDC In-Reply-To: Message-ID: Updated CC list From rt-comment at krbdev.mit.edu Thu Dec 4 15:03:35 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 20:03:35 +0000 (UTC) Subject: [krbdev.mit.edu #6292] KerberosLibraries: strings_syntactically_broken_strings In-Reply-To: Message-ID: updated CC list From rt-comment at krbdev.mit.edu Thu Dec 4 15:05:16 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 4 Dec 2008 20:05:16 +0000 (UTC) Subject: [krbdev.mit.edu #6279] kamin.local reports unknown error 43787527 In-Reply-To: Message-ID: updated CC list From rt-comment at krbdev.mit.edu Thu Dec 4 15:11:34 2008 From: rt-comment at krbdev.mit.edu (Luke Howard via RT) Date: Thu, 4 Dec 2008 20:11:34 +0000 (UTC) Subject: [krbdev.mit.edu #6274] In-Reply-To: Message-ID: should be fixed in r21282 On 05/12/2008, at 2:52 AM, Sam Hartman wrote: > > The implementation of krb5_c_decrypt based on the AEAD APIs does not > treat the input argument as constant. I think you need to copy the > input data before using crypto_type_stream. > > --Sam > > -- www.padl.com | www.fghr.net From rt-comment at krbdev.mit.edu Thu Dec 4 15:15:25 2008 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Thu, 4 Dec 2008 20:15:25 +0000 (UTC) Subject: [krbdev.mit.edu #6212] Apple patch for Common Crypto In-Reply-To: Message-ID: See also patch to #6293. From rt-comment at krbdev.mit.edu Thu Dec 4 15:32:34 2008 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Thu, 4 Dec 2008 20:32:34 +0000 (UTC) Subject: [krbdev.mit.edu #6227] Apple LW_net_trans.patch make KDC rescan network after 30 seconds In-Reply-To: Message-ID: Patch no longer used. From rt-comment at krbdev.mit.edu Thu Dec 4 17:24:15 2008 From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT) Date: Thu, 4 Dec 2008 22:24:15 +0000 (UTC) Subject: [krbdev.mit.edu #6283] At Login the client is setting the renew life time to 24 hours? In-Reply-To: Message-ID: I'm not sure how this patch fixes a bug where ticket renewal times are 24 hours. KIM (and KLL, which this code was copied from) is hardcoding a default of 7 days. So while this patch does get rid of a duplicate default value, I am concerned that it is not actually fixing the bug described in the subject line. Also as far as code readability goes, I'd like to see the kim_default_renewal_lifetime macro remain in the code and be set to 0 with a comment explaining that the krb5 libraries treat a renewable lifetime of 0 as "use the default renewal lifetime" when KDC_OPT_RENEWABLE is set. The patch just sets a 0 in the initializer structure with no explanation as to what it means. This increases the likelihood that future programmers will break the code while trying to modify its behavior. From rt-comment at krbdev.mit.edu Thu Dec 4 17:26:59 2008 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Thu, 4 Dec 2008 22:26:59 +0000 (UTC) Subject: [krbdev.mit.edu #5667] SVN Commit In-Reply-To: Message-ID: Fix from Marcus Watts for glob-to-regexp conversion bug. Tweaked test case to exercise the bug. http://src.mit.edu/fisheye/changelog/krb5/?cs=21285 Commit By: raeburn Revision: 21285 Changed Files: U trunk/src/lib/kadm5/srv/svr_iters.c U trunk/src/tests/dejagnu/krb-standalone/kadmin.exp From rt-comment at krbdev.mit.edu Thu Dec 4 23:34:12 2008 From: rt-comment at krbdev.mit.edu (Love Hornquist Astrand via RT) Date: Fri, 5 Dec 2008 04:34:12 +0000 (UTC) Subject: [krbdev.mit.edu #6283] At Login the client is setting the renew life time to 24 hours? In-Reply-To: Message-ID: On purpose to fix the problem in the subject line, just make sure that the tools behavied consistantly. I have no comment about the readablity. From rt-comment at krbdev.mit.edu Fri Dec 5 09:09:43 2008 From: rt-comment at krbdev.mit.edu (Sam Hartman via RT) Date: Fri, 5 Dec 2008 14:09:43 +0000 (UTC) Subject: [krbdev.mit.edu #6274] SVN Commit In-Reply-To: Message-ID: Merge in fix from ms-krb-integ branch to avoid modifying input data on aead_decrypt_compat http://src.mit.edu/fisheye/changelog/krb5/?cs=21287 Commit By: hartmans Revision: 21287 Changed Files: U trunk/src/lib/crypto/aead.c From rt-comment at krbdev.mit.edu Fri Dec 5 14:59:45 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Fri, 5 Dec 2008 19:59:45 +0000 (UTC) Subject: [krbdev.mit.edu #6286] SVN Commit In-Reply-To: Message-ID: http://src.mit.edu/fisheye/changelog/krb5/?cs=21290 Commit By: tsitkova Revision: 21290 Changed Files: U trunk/src/util/profile/prof_init.c From rt-comment at krbdev.mit.edu Fri Dec 5 15:18:50 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Fri, 5 Dec 2008 20:18:50 +0000 (UTC) Subject: [krbdev.mit.edu #6282] SVN Commit In-Reply-To: Message-ID: Fix data initialization in process_as_req function. http://src.mit.edu/fisheye/changelog/krb5/?cs=21291 Commit By: tsitkova Revision: 21291 Changed Files: U trunk/src/kdc/do_as_req.c From rt-comment at krbdev.mit.edu Fri Dec 5 13:12:40 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Fri, 5 Dec 2008 18:12:40 +0000 (UTC) Subject: [krbdev.mit.edu #6278] gssd-agent deadlock In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/KerberosErrors/Sources/com_err.c Kerberos.AEP-6.5fc1/KerberosFramework/KerberosErrors/Sources/com_err.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/KerberosErrors/Sources/com_err.c 2008-11-07 11:24:28.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/KerberosErrors/Sources/com_err.c 2008-11-13 15:37:31.000000000 -0800 @@ -201,6 +201,8 @@ char *message = NULL; int reentered = 0; /* some of the functions that we call may call us. */ + kim_library_init(); + if (!err) { enter_err = com_err_thread_entering_error_message (&reentered); From rt-comment at krbdev.mit.edu Fri Dec 5 16:02:11 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Fri, 5 Dec 2008 21:02:11 +0000 (UTC) Subject: [krbdev.mit.edu #6291] SVN Commit In-Reply-To: Message-ID: When storing info into cred cache, remove any dups. http://src.mit.edu/fisheye/changelog/krb5/?cs=21292 Commit By: tsitkova Revision: 21292 Changed Files: U trunk/src/lib/krb5/ccache/ccfns.c From rt-comment at krbdev.mit.edu Fri Dec 5 18:16:05 2008 From: rt-comment at krbdev.mit.edu (Love Hornquist Astrand via RT) Date: Fri, 5 Dec 2008 23:16:05 +0000 (UTC) Subject: [krbdev.mit.edu #6291] Using referrals fills the the credentials cache more entries of the same name In-Reply-To: Message-ID: you're aware that this doesn't work for credential caches that doesn't support deletions (like the mit FILE cred cache if i remember correctly). From rt-comment at krbdev.mit.edu Mon Dec 8 15:21:04 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Mon, 8 Dec 2008 20:21:04 +0000 (UTC) Subject: [krbdev.mit.edu #6294] gss-api - mutex_lock problem In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/init_sec_context.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/init_sec_context.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/init_sec_context.c 2008-12-04 14:14:02.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/init_sec_context.c 2008-12-04 14:25:28.000000000 -0800 @@ -905,6 +905,8 @@ } kerr = k5_mutex_lock(&cred->lock); if (kerr) { + if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) + krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred); krb5_free_context(context); *minor_status = kerr; return GSS_S_FAILURE; From rt-comment at krbdev.mit.edu Mon Dec 8 15:24:34 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Mon, 8 Dec 2008 20:24:34 +0000 (UTC) Subject: [krbdev.mit.edu #6295] Memory leak in KIM identity object In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccdefault.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccdefault.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccdefault.c 2008-11-07 11:25:51.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccdefault.c 2008-12-04 14:31:16.000000000 -0800 @@ -113,6 +113,7 @@ krb5_cc_set_default_name (context, name); } + kim_identity_free (&identity); kim_string_free (&name); kim_ccache_free (&kimccache); } From rt-comment at krbdev.mit.edu Tue Dec 9 11:09:24 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Tue, 9 Dec 2008 16:09:24 +0000 (UTC) Subject: [krbdev.mit.edu #6294] SVN Commit In-Reply-To: Message-ID: Release default credentials before exiting krb5_gss_init_sec_context routine. http://src.mit.edu/fisheye/changelog/krb5/?cs=21298 Commit By: tsitkova Revision: 21298 Changed Files: U trunk/src/lib/gssapi/krb5/init_sec_context.c From rt-comment at krbdev.mit.edu Tue Dec 9 16:14:09 2008 From: rt-comment at krbdev.mit.edu (mispeled via RT) Date: Tue, 9 Dec 2008 21:14:09 +0000 (UTC) Subject: [krbdev.mit.edu #6296] test test test In-Reply-To: Message-ID: test inbound mail feed From rt-comment at krbdev.mit.edu Tue Dec 9 16:21:30 2008 From: rt-comment at krbdev.mit.edu (The RT System itself via RT) Date: Tue, 9 Dec 2008 21:21:30 +0000 (UTC) Subject: [krbdev.mit.edu #6297] "make check" fails due to rb5_cc_new_unique() on 64-bit Solaris SPARC under Sun Studio In-Reply-To: Message-ID: >From krb5-bugs-incoming-bounces at PCH.mit.edu Tue Dec 9 21:21:29 2008 Return-Path: X-Original-To: krb5-send-pr-nospam1 at krbdev.mit.edu Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (Postfix) with ESMTP id 779AECCC93; Tue, 9 Dec 2008 21:21:29 +0000 (UTC) Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id mB9LLTn4005010; Tue, 9 Dec 2008 16:21:29 -0500 Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU [18.7.7.80]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id mB9LKBWd004794 for ; Tue, 9 Dec 2008 16:20:11 -0500 Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id mB9LK99j024436 for ; Tue, 9 Dec 2008 16:20:09 -0500 (EST) Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu at ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id mB9LK8n6023960 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for ; Tue, 9 Dec 2008 16:20:08 -0500 (EST) Received: (from tlyu at localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id mB9LK8ds029694; Tue, 9 Dec 2008 16:20:08 -0500 (EST) Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id mB85AtQO001334 for ; Mon, 8 Dec 2008 00:10:55 -0500 Received: from mit.edu (M24-004-BARRACUDA-2.MIT.EDU [18.7.7.112]) by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id mB85AndN011663 for ; Mon, 8 Dec 2008 00:10:49 -0500 (EST) Received: from cpmx.mail.saic.com (cpmx.mail.saic.com [139.121.17.160]) by mit.edu (Spam Firewall) with ESMTP id CB00513CFABC for ; Mon, 8 Dec 2008 00:10:27 -0500 (EST) Received: from 0599-ITS-SMS01 ([139.121.21.144] [139.121.21.144]) by cpmx.mail.saic.com with ESMTP id BT-MMP-1878426 for krb5-bugs at mit.edu; Sun, 7 Dec 2008 21:10:23 -0800 X-AuditID: 8b79118b-aa3c3ba000002a1c-94-493cac3fcf1f Received: from mx2.west.saic.com (unknown [139.121.21.144]) by 0599-ITS-SMS01 (Symantec Mail Security) with ESMTP id 404F020131 for ; Sun, 7 Dec 2008 21:10:23 -0800 (PST) X-SAIC-EXTERNAL-IP: [59.167.195.66] Received: from eth3395.vic.adsl.internode.on.net (HELO pan.teratext.saic.com.au) ([59.167.195.66]) by mx2.west.saic.com with ESMTP; 07 Dec 2008 21:10:22 -0800 Received: from atlas.teratext.com.au (atlas.teratext.saic.com.au [192.168.0.13]) by pan.teratext.saic.com.au (Postfix) with ESMTP id 8969DA4F1D for ; Mon, 8 Dec 2008 16:10:20 +1100 (EST) Received: by atlas.teratext.com.au (Postfix, from userid 231) id 7185031821; Mon, 8 Dec 2008 16:10:20 +1100 (EST) To: krb5-bugs at MIT.EDU From: msf at teratext.com.au X-send-pr-version: 3.99 Date: Mon, 8 Dec 2008 16:10:20 +1100 (EST) X-Brightmail-Tracker: AAAAAA== X-Spam-Score: 0.00 X-Spam-Score: 1.50 X-Spam-Level: * (1.50) X-Spam-Flag: NO X-Spam-Flag: NO X-Scanned-By: MIMEDefang 2.42 Message-ID: Lines: 78 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailman-Approved-At: Tue, 09 Dec 2008 16:20:36 -0500 X-BeenThere: krb5-bugs-incoming at mailman.mit.edu X-Mailman-Version: 2.1.6 Precedence: list Reply-To: msf at teratext.com.au Sender: krb5-bugs-incoming-bounces at PCH.mit.edu Errors-To: krb5-bugs-incoming-bounces at PCH.mit.edu >Submitter-Id: msf >Originator: Michael Fuller >Organization: SAIC Pty Ltd (Australia) >Confidential: no >Synopsis: "make check" fails due to rb5_cc_new_unique() on 64-bit Solaris SPARC under Sun Studio >Severity: serious >Priority: medium >Category: test >Class: sw-bug >Release: 1.6.3 >Environment: System: SunOS atlas 5.10 Generic_118833-24 sun4u sparc SUNW,Sun-Fire-880 Architecture: sun4 >Description: "make check" fails due to a crash in src/lib/krb5/ccache/t_cc. The failure in krb5-1.6.3/src/lib/krb5/ccache/t_cc.c occurs in or near test code that was re-enabled and re-worked in v1.6.3 as part of the introduction of the new krb5_cc_new_unique() API function. The failure occurs in 64-bit mode on SPARC Solaris under Sun Studio (5.8). The failure does not occur on 32-bit SPARC Solaris under Sun Studio (5.8). The failure does not occur on 64-bit x86-64 Solaris under gcc (3.4.3). >How-To-Repeat: Configure and build the 1.6.3 release in 64-bit mode on a SPARC Solaris box using Sun Studio 5.8, then run "make check": src/lib/krb5/ccache/t_cc will crash. bash% uname -a SunOS atlas 5.10 Generic_118833-24 sun4u sparc SUNW,Sun-Fire-880 bash% cc -V cc: Sun C 5.8 Patch 121015-04 2007/01/10 ` bash% export PATH=/usr/ccs/bin:$PATH bash% export PATH=/opt/SUNWspro/bin:$PATH bash% configure --prefix=/tmp/krb5-1.6.3-CC CC=cc CFLAGS=-xarch=v9 1> ,configure 2>&1 bash% make 1> ,make 2>&1 bash% sudo make install 1> ,make-install 2>&1 bash% export PATH=/tmp/krb5-1.6.3-CC/sbin:$PATH bash% export PATH=/tmp/krb5-1.6.3-CC/bin:$PATH bash% export LD_LIBRARY_PATH=/tmp/krb5-1.6.3-CC/lib:$LD_LIBRARY_PATH bash% make check 1> ,make-check 2>&1 bash% tail -100 < ,make-check | head -22 making check in lib/krb5/ccache... cc -I../../../include -I./../../../include -I./ccapi -DKRB5_DEPRECATED=1 -DKRB5_PRIVATE=1 -xarch=v9 -D_REENTRANT -c t_cc.c "t_cc.c", line 140: warning: implicit function declaration: strdup "t_cc.c", line 140: warning: improper pointer/integer combination: op "=" "t_cc.c", line 303: warning: argument #2 is incompatible with prototype: prototype: pointer to struct _krb5_cc_ops {} : "../../../include/krb5/krb5.h", line 2068 argument : pointer to const struct _krb5_cc_ops {} "t_cc.c", line 308: warning: argument #2 is incompatible with prototype: prototype: pointer to struct _krb5_cc_ops {} : "../../../include/krb5/krb5.h", line 2068 argument : pointer to const struct _krb5_cc_ops {} "t_cc.c", line 314: warning: argument #2 is incompatible with prototype: prototype: pointer to struct _krb5_cc_ops {} : "../../../include/krb5/krb5.h", line 2068 argument : pointer to const struct _krb5_cc_ops {} "t_cc.c", line 320: warning: argument #2 is incompatible with prototype: prototype: pointer to struct _krb5_cc_ops {} : "../../../include/krb5/krb5.h", line 2068 argument : pointer to const struct _krb5_cc_ops {} cc -L../../../lib -R/tmp/krb5-1.6.3-CC/lib -xarch=v9 -o t_cc t_cc.o -lkrb5 -lk5crypto -lcom_err -lkrb5support -lresolv -lsocket -lnsl KRB5_CONFIG=./t_krb5.conf ; export KRB5_CONFIG ;\ LD_LIBRARY_PATH=`echo -L../../../lib | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH; ./t_cc Testing miscellaneous error conditions *** Error code 139 make: Fatal error: Command failed for target `check-unix' >Fix: The bug may be in the test case itself (but I don't think so); There may be a 64-bit problem in the new krb5_cc_new_unique() code, or there may be a straight bug that is not exposed on all architectures/compiler combinations. (Or there may be a bug in Sun Studio 5.8, of course.) From rt-comment at krbdev.mit.edu Tue Dec 9 16:44:59 2008 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Tue, 9 Dec 2008 21:44:59 +0000 (UTC) Subject: [krbdev.mit.edu #6297] "make check" fails due to rb5_cc_new_unique() on 64-bit Solaris SPARC under Sun Studio In-Reply-To: Message-ID: "The RT System itself via RT" writes: > bash% tail -100 < ,make-check | head -22 > making check in lib/krb5/ccache... > cc -I../../../include -I./../../../include -I./ccapi -DKRB5_DEPRECATED=1 -DKRB5_PRIVATE=1 -xarch=v9 -D_REENTRANT -c t_cc.c > "t_cc.c", line 140: warning: implicit function declaration: strdup > "t_cc.c", line 140: warning: improper pointer/integer combination: op "=" Does adding an inclusion of to the beginning of that file help? From rt-comment at krbdev.mit.edu Tue Dec 9 16:46:11 2008 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Tue, 9 Dec 2008 21:46:11 +0000 (UTC) Subject: [krbdev.mit.edu #6297] "make check" fails due to rb5_cc_new_unique() on 64-bit Solaris SPARC under Sun Studio In-Reply-To: Message-ID: On Dec 8, 2008, Michael Fuller wrote: > making check in lib/krb5/ccache... > cc -I../../../include -I./../../../include -I./ccapi - > DKRB5_DEPRECATED=1 -DKRB5_PRIVATE=1 -xarch=v9 -D_REENTRANT -c t_cc.c > "t_cc.c", line 140: warning: implicit function declaration: strdup > "t_cc.c", line 140: warning: improper pointer/integer combination: > op "=" In 64-bit mode, where the implicit "int" return type is a 32-bit value and the real return value is a 64-bit value, yes, this will cause problems. In the string.h header on my system, defining _REENTRANT appears to be one of the ways to get the declaration for strdup() to be used. I'm using: cc: Sun C 5.9 SunOS_sparc 2007/05/03 What does it take under 5.8? Ken From rt-comment at krbdev.mit.edu Tue Dec 9 17:07:42 2008 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Tue, 9 Dec 2008 22:07:42 +0000 (UTC) Subject: [krbdev.mit.edu #6297] "make check" fails due to rb5_cc_new_unique() on 64-bit Solaris SPARC under Sun Studio In-Reply-To: Message-ID: On Dec 9, 2008, at 16:44, Tom Yu via RT wrote: > "The RT System itself via RT" writes: > >> bash% tail -100 < ,make-check | head -22 >> making check in lib/krb5/ccache... >> cc -I../../../include -I./../../../include -I./ccapi - >> DKRB5_DEPRECATED=1 -DKRB5_PRIVATE=1 -xarch=v9 -D_REENTRANT -c >> t_cc.c >> "t_cc.c", line 140: warning: implicit function declaration: strdup >> "t_cc.c", line 140: warning: improper pointer/integer combination: >> op "=" > > Does adding an inclusion of to the beginning of that file > help? Oh, oops, I didn't notice we weren't including string.h in that release... Ken From rt-comment at krbdev.mit.edu Tue Dec 9 17:41:24 2008 From: rt-comment at krbdev.mit.edu (Michael Fuller via RT) Date: Tue, 9 Dec 2008 22:41:24 +0000 (UTC) Subject: [krbdev.mit.edu #6297] "make check" fails due to rb5_cc_new_unique() on 64-bit Solaris SPARC under Sun Studio In-Reply-To: Message-ID: >> bash% tail -100 < ,make-check | head -22 >> making check in lib/krb5/ccache... >> cc -I../../../include -I./../../../include -I./ccapi -DKRB5_DEPRECATED=1 -DKRB5_PRIVATE=1 -xarch=v9 -D_REENTRANT -c t_cc.c >> "t_cc.c", line 140: warning: implicit function declaration: strdup >> "t_cc.c", line 140: warning: improper pointer/integer combination: op "=" > > Does adding an inclusion of to the beginning of that file help? Yes, it does; the above warnings disappear and the test no longer crashes: [...] making check in lib/krb5/ccache... cc -I../../../include -I./../../../include -I./ccapi -DKRB5_DEPRECATED=1 -DKRB5_PRIVATE=1 -xarch=v9 -D_REENTRANT -c t_cc.c "t_cc.c", line 304: warning: argument #2 is incompatible with prototype: prototype: pointer to struct _krb5_cc_ops {} : "../../../include/krb5/krb5.h", line 2068 argument : pointer to const struct _krb5_cc_ops {} "t_cc.c", line 309: warning: argument #2 is incompatible with prototype: prototype: pointer to struct _krb5_cc_ops {} : "../../../include/krb5/krb5.h", line 2068 argument : pointer to const struct _krb5_cc_ops {} "t_cc.c", line 315: warning: argument #2 is incompatible with prototype: prototype: pointer to struct _krb5_cc_ops {} : "../../../include/krb5/krb5.h", line 2068 argument : pointer to const struct _krb5_cc_ops {} "t_cc.c", line 321: warning: argument #2 is incompatible with prototype: prototype: pointer to struct _krb5_cc_ops {} : "../../../include/krb5/krb5.h", line 2068 argument : pointer to const struct _krb5_cc_ops {} cc -L../../../lib -R/tmp/krb5-1.6.3-CC/lib -xarch=v9 -o t_cc t_cc.o -lkrb5 -lk5crypto -lcom_err -lkrb5support -lresolv -lsocket -lnsl KRB5_CONFIG=./t_krb5.conf ; export KRB5_CONFIG ;\ LD_LIBRARY_PATH=`echo -L../../../lib | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH; ./t_cc Testing miscellaneous error conditions Starting test on /tmp/cctest.28984 Test on /tmp/cctest.28984 passed Skiping KEYRING: test - unregistered type Starting test on MEMORY:/tmp/cctest.28984 Test on MEMORY:/tmp/cctest.28984 passed Starting test on FILE:/tmp/cctest.28984 Test on FILE:/tmp/cctest.28984 passed [...] Thanks; Regards, Michael From rt-comment at krbdev.mit.edu Thu Dec 11 12:56:50 2008 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Thu, 11 Dec 2008 17:56:50 +0000 (UTC) Subject: [krbdev.mit.edu #2873] test suite delays too much In-Reply-To: Message-ID: Revision 21064 helps this a bit, by deleting one pass, and causing some tests to be run only in one of the passes. More work is needed though. From rt-comment at krbdev.mit.edu Thu Dec 11 13:03:18 2008 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Thu, 11 Dec 2008 18:03:18 +0000 (UTC) Subject: [krbdev.mit.edu #1453] don't serialize DNS queries and KDC communication In-Reply-To: Message-ID: see also notes at http://mailman.mit.edu/pipermail/krbdev/2007-May/005927.html From rt-comment at krbdev.mit.edu Thu Dec 11 15:41:47 2008 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Thu, 11 Dec 2008 20:41:47 +0000 (UTC) Subject: [krbdev.mit.edu #6297] "make check" fails due to rb5_cc_new_unique() on 64-bit Solaris SPARC under Sun Studio In-Reply-To: Message-ID: Already works on the trunk, should be fixed in 1.7. From rt-comment at krbdev.mit.edu Thu Dec 11 16:07:11 2008 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Thu, 11 Dec 2008 21:07:11 +0000 (UTC) Subject: [krbdev.mit.edu #6297] SVN Commit In-Reply-To: Message-ID: For Sun Studio compilers, set WARN_CFLAGS to emit warning tag names and make int/ptr mixups a fatal error that will be noticed at build or "make check" time. Tested in a 32-bit build. http://src.mit.edu/fisheye/changelog/krb5/?cs=21325 Commit By: raeburn Revision: 21325 Changed Files: U trunk/src/aclocal.m4 From rt-comment at krbdev.mit.edu Fri Dec 12 14:58:42 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Fri, 12 Dec 2008 19:58:42 +0000 (UTC) Subject: [krbdev.mit.edu #6298] KIM vs no-config In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kim/lib/kim_preferences.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kim/lib/kim_preferences.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kim/lib/kim_preferences.c 2008-11-07 11:24:45.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kim/lib/kim_preferences.c 2008-12-09 14:47:57.000000000 -0800 @@ -440,21 +440,23 @@ kim_identity identity = NULL; err = kim_os_identity_create_for_username (&default_identity); - - if (!err) { + /* lets ignore that we don't have a default id because we might not know our default realm */ + if (err == 0) { + err = kim_os_preferences_get_identity_for_key (kim_preference_key_client_identity, default_identity, &identity); - } + + if (!err) { + kim_identity_free (&in_preferences->client_identity); + in_preferences->client_identity = identity; + identity = NULL; + } - if (!err) { - kim_identity_free (&in_preferences->client_identity); - in_preferences->client_identity = identity; - identity = NULL; - } - - kim_identity_free (&default_identity); - kim_identity_free (&identity); + kim_identity_free (&default_identity); + kim_identity_free (&identity); + } else + err = 0; } if (!err) { From rt-comment at krbdev.mit.edu Fri Dec 12 15:07:35 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Fri, 12 Dec 2008 20:07:35 +0000 (UTC) Subject: [krbdev.mit.edu #6299] krb5_stdccv3_remove mem leak In-Reply-To: Message-ID: Mem leak in ccapi/stdcc.c Vendor's patch - LHA-6431228-krb5_stdccv3_remove-leaks.patch From rt-comment at krbdev.mit.edu Fri Dec 12 15:09:14 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Fri, 12 Dec 2008 20:09:14 +0000 (UTC) Subject: [krbdev.mit.edu #6299] krb5_stdccv3_remove mem leak In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccapi/stdcc.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccapi/stdcc.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccapi/stdcc.c 2008-12-08 14:02:55.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/krb5/ccache/ccapi/stdcc.c 2008-12-09 11:52:11.000000000 -0800 @@ -851,6 +851,8 @@ } if (err == ccIteratorEnd) { err = ccErrCredentialsNotFound; } + if (iterator) cc_credentials_iterator_release (iterator); + if (!err) { cache_changed (); } From rt-comment at krbdev.mit.edu Fri Dec 12 15:27:34 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Fri, 12 Dec 2008 20:27:34 +0000 (UTC) Subject: [krbdev.mit.edu #6300] krb5_get_init_creds_password hangs as DNS time-out is too long In-Reply-To: Message-ID: Krb DNS timeout is too long with many services Related issues 4114: no mechanism for timing out DNS lookups 1511: reconsider structure of code for locating and contacting kdc, krb524d, kpasswd 1453: don't serialize DNS queries and KDC communication From rt-comment at krbdev.mit.edu Fri Dec 12 15:42:24 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Fri, 12 Dec 2008 20:42:24 +0000 (UTC) Subject: [krbdev.mit.edu #6301] Need better err msg for "kinit -k" In-Reply-To: Message-ID: kinit -k gives uninformative error msg when keytab does not have a server-supported enctype. From rt-comment at krbdev.mit.edu Fri Dec 12 16:06:03 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Fri, 12 Dec 2008 21:06:03 +0000 (UTC) Subject: [krbdev.mit.edu #6302] kadmind mem leaks In-Reply-To: Message-ID: Multiple mem leaks in kadmin/server/server_stubs.c From rt-comment at krbdev.mit.edu Mon Dec 15 13:13:58 2008 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Mon, 15 Dec 2008 18:13:58 +0000 (UTC) Subject: [krbdev.mit.edu #6303] Remove krb4 support In-Reply-To: Message-ID: Per http://k5wiki.kerberos.org/wiki/Projects/Remove_krb4 we will be removing most krb4 code in the tree. From rt-comment at krbdev.mit.edu Mon Dec 15 21:41:21 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Tue, 16 Dec 2008 02:41:21 +0000 (UTC) Subject: [krbdev.mit.edu #6299] SVN Commit In-Reply-To: Message-ID: Fixed memory leak in krb5_stdccv3_remove. http://src.mit.edu/fisheye/changelog/krb5/?cs=21362 Commit By: tsitkova Revision: 21362 Changed Files: U trunk/src/lib/krb5/ccache/ccapi/stdcc.c From rt-comment at krbdev.mit.edu Mon Dec 15 21:44:45 2008 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Tue, 16 Dec 2008 02:44:45 +0000 (UTC) Subject: [krbdev.mit.edu #6303] SVN Commit In-Reply-To: Message-ID: Remove loadv4/dumpv4 code in kdb5_util. (The command table entries for this code had already been commented out previously.) http://src.mit.edu/fisheye/changelog/krb5/?cs=21445 Commit By: ghudson Revision: 21445 Changed Files: U trunk/src/kadmin/dbutil/Makefile.in D trunk/src/kadmin/dbutil/dumpv4.c U trunk/src/kadmin/dbutil/kdb5_util.M U trunk/src/kadmin/dbutil/kdb5_util.c U trunk/src/kadmin/dbutil/kdb5_util.h D trunk/src/kadmin/dbutil/loadv4.c From rt-comment at krbdev.mit.edu Mon Dec 15 21:44:47 2008 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Tue, 16 Dec 2008 02:44:47 +0000 (UTC) Subject: [krbdev.mit.edu #6303] SVN Commit In-Reply-To: Message-ID: In ktutil, remove code for wst (write srvtab). Reimplement rst (read srvtab) as an alias for "rkt SRVTAB:filename" and include it unconditionally. http://src.mit.edu/fisheye/changelog/krb5/?cs=21446 Commit By: ghudson Revision: 21446 Changed Files: U trunk/src/kadmin/ktutil/Makefile.in U trunk/src/kadmin/ktutil/ktutil.c U trunk/src/kadmin/ktutil/ktutil.h U trunk/src/kadmin/ktutil/ktutil_funcs.c From rt-comment at krbdev.mit.edu Mon Dec 15 21:44:49 2008 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Tue, 16 Dec 2008 02:44:49 +0000 (UTC) Subject: [krbdev.mit.edu #6303] SVN Commit In-Reply-To: Message-ID: Remove a krb4 conditional block in ktutil_funcs.c which was missed in the previous commit. http://src.mit.edu/fisheye/changelog/krb5/?cs=21447 Commit By: ghudson Revision: 21447 Changed Files: U trunk/src/kadmin/ktutil/ktutil_funcs.c From rt-comment at krbdev.mit.edu Mon Dec 15 21:44:51 2008 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Tue, 16 Dec 2008 02:44:51 +0000 (UTC) Subject: [krbdev.mit.edu #6303] SVN Commit In-Reply-To: Message-ID: In the KDC, remove krb4 request handling support and fakeka code. http://src.mit.edu/fisheye/changelog/krb5/?cs=21448 Commit By: ghudson Revision: 21448 Changed Files: U trunk/src/kdc/Makefile.in U trunk/src/kdc/dispatch.c D trunk/src/kdc/fakeka.M D trunk/src/kdc/fakeka.c U trunk/src/kdc/kdc_util.h D trunk/src/kdc/kerberos_v4.c U trunk/src/kdc/krb5kdc.M U trunk/src/kdc/main.c From rt-comment at krbdev.mit.edu Mon Dec 15 21:44:54 2008 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Tue, 16 Dec 2008 02:44:54 +0000 (UTC) Subject: [krbdev.mit.edu #6303] SVN Commit In-Reply-To: Message-ID: Remove krb4 support from clients. Some of the code has been simplified to remove architectural relics of the -4 and -5 options, but more simplification is likely possible, particularly in kinit. http://src.mit.edu/fisheye/changelog/krb5/?cs=21449 Commit By: ghudson Revision: 21449 Changed Files: U trunk/src/clients/kcpytkt/Makefile.in U trunk/src/clients/kdeltkt/Makefile.in U trunk/src/clients/kdestroy/Makefile.in U trunk/src/clients/kdestroy/kdestroy.M U trunk/src/clients/kdestroy/kdestroy.c U trunk/src/clients/kinit/Makefile.in U trunk/src/clients/kinit/kinit.M U trunk/src/clients/kinit/kinit.c U trunk/src/clients/klist/Makefile.in U trunk/src/clients/klist/klist.M U trunk/src/clients/klist/klist.c U trunk/src/clients/kvno/Makefile.in U trunk/src/clients/kvno/kvno.M U trunk/src/clients/kvno/kvno.c From rt-comment at krbdev.mit.edu Mon Dec 15 21:44:58 2008 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Tue, 16 Dec 2008 02:44:58 +0000 (UTC) Subject: [krbdev.mit.edu #6303] SVN Commit In-Reply-To: Message-ID: Remove krb4 support in gssftp and telnet. http://src.mit.edu/fisheye/changelog/krb5/?cs=21451 Commit By: ghudson Revision: 21451 Changed Files: U trunk/src/appl/gssftp/ftp/Makefile.in U trunk/src/appl/gssftp/ftp/ftp.M U trunk/src/appl/gssftp/ftp/ftp.c U trunk/src/appl/gssftp/ftp/main.c U trunk/src/appl/gssftp/ftp/secure.c U trunk/src/appl/gssftp/ftpd/Makefile.in U trunk/src/appl/gssftp/ftpd/ftpcmd.y U trunk/src/appl/gssftp/ftpd/ftpd.M U trunk/src/appl/gssftp/ftpd/ftpd.c U trunk/src/appl/telnet/configure.in U trunk/src/appl/telnet/libtelnet/Makefile.in U trunk/src/appl/telnet/libtelnet/auth-proto.h U trunk/src/appl/telnet/libtelnet/auth.c D trunk/src/appl/telnet/libtelnet/kerberos.c U trunk/src/appl/telnet/telnet/Makefile.in U trunk/src/appl/telnet/telnet/main.c U trunk/src/appl/telnet/telnetd/Makefile.in From rt-comment at krbdev.mit.edu Mon Dec 15 21:45:01 2008 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Tue, 16 Dec 2008 02:45:01 +0000 (UTC) Subject: [krbdev.mit.edu #6303] SVN Commit In-Reply-To: Message-ID: Remove krb4 code in libkrb5. http://src.mit.edu/fisheye/changelog/krb5/?cs=21452 Commit By: ghudson Revision: 21452 Changed Files: U trunk/src/include/k5-int.h U trunk/src/lib/krb5/krb/Makefile.in U trunk/src/lib/krb5/krb/conv_creds.c D trunk/src/lib/krb5/krb/v4lifetime.c U trunk/src/lib/krb5/os/Makefile.in U trunk/src/lib/krb5/os/accessor.c D trunk/src/lib/krb5/os/send524.c From rt-comment at krbdev.mit.edu Mon Dec 15 21:44:56 2008 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Tue, 16 Dec 2008 02:44:56 +0000 (UTC) Subject: [krbdev.mit.edu #6303] SVN Commit In-Reply-To: Message-ID: Remove krb4 support in the applications. login's ability to run aklog has been preserved and made unconditional on krb4 support, since aklog can now do krb5 auth. The config variable is now named krb_run_aklog (as it was sometimes documented), not krb4_run_aklog as it previously was. http://src.mit.edu/fisheye/changelog/krb5/?cs=21450 Commit By: ghudson Revision: 21450 Changed Files: U trunk/src/appl/bsd/Makefile.in D trunk/src/appl/bsd/compat_recv.c U trunk/src/appl/bsd/configure.in U trunk/src/appl/bsd/defines.h U trunk/src/appl/bsd/forward.c U trunk/src/appl/bsd/kcmd.c U trunk/src/appl/bsd/klogind.M U trunk/src/appl/bsd/krcp.c U trunk/src/appl/bsd/krlogin.c U trunk/src/appl/bsd/krlogind.c U trunk/src/appl/bsd/krsh.c U trunk/src/appl/bsd/krshd.c U trunk/src/appl/bsd/login.M U trunk/src/appl/bsd/login.c U trunk/src/appl/bsd/rlogin.M D trunk/src/appl/bsd/v4rcp.M D trunk/src/appl/bsd/v4rcp.c From rt-comment at krbdev.mit.edu Mon Dec 15 21:50:39 2008 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Tue, 16 Dec 2008 02:50:39 +0000 (UTC) Subject: [krbdev.mit.edu #6304] SVN Commit In-Reply-To: Message-ID: Testing again to ensure that commit handler functionality is restored following postgresql upgrade. http://src.mit.edu/fisheye/changelog/krb5/?cs=21464 Commit By: tlyu Revision: 21464 Changed Files: D branches/commit-handler-test/aaaaa/ From rt-comment at krbdev.mit.edu Tue Dec 16 13:08:30 2008 From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT) Date: Tue, 16 Dec 2008 18:08:30 +0000 (UTC) Subject: [krbdev.mit.edu #6283] At Login the client is setting the renew life time to 24 hours? In-Reply-To: Message-ID: Commented, passing back to Zhanna. From rt-comment at krbdev.mit.edu Tue Dec 16 13:15:29 2008 From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT) Date: Tue, 16 Dec 2008 18:15:29 +0000 (UTC) Subject: [krbdev.mit.edu #1306] Need to rearchitect libraries to better support popup login dialogs In-Reply-To: Message-ID: Passing to Zhanna. This bug is about the fact that we use krb5int_cc_default as the krb5 hook to call into KIM/LEASH to get tickets. This issue no longer affects GSSAPI. The GSSAPI hooks were cleaned up in a previous release. Fixing this requires non-trivial architectural work to krb5 sources. From rt-comment at krbdev.mit.edu Tue Dec 16 13:26:37 2008 From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT) Date: Tue, 16 Dec 2008 18:26:37 +0000 (UTC) Subject: [krbdev.mit.edu #1800] "-passwordserver" introduces global and is specific to Apple In-Reply-To: Message-ID: Passing KfM bugs to Zhanna. From rt-comment at krbdev.mit.edu Tue Dec 16 13:28:12 2008 From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT) Date: Tue, 16 Dec 2008 18:28:12 +0000 (UTC) Subject: [krbdev.mit.edu #2890] use kqueue to detect edu.mit.Kerberos file changing In-Reply-To: Message-ID: Passing bugs to Zhanna. This bug is marked for 1.7 but I do not believe we have promised it to anyone for 1.7 (nor has it been on the feature lists for 1.7). Fixing it does greatly reduce the amount of filesystem polling we do. From rt-comment at krbdev.mit.edu Tue Dec 16 13:29:59 2008 From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT) Date: Tue, 16 Dec 2008 18:29:59 +0000 (UTC) Subject: [krbdev.mit.edu #3216] kdb5_util man page says dbname is required for the load command In-Reply-To: Message-ID: Passing documentation bug to Tom. I believe this bug was originally reported by a vendor. From rt-comment at krbdev.mit.edu Tue Dec 16 13:30:49 2008 From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT) Date: Tue, 16 Dec 2008 18:30:49 +0000 (UTC) Subject: [krbdev.mit.edu #3217] move strlen out of loop to improve performance In-Reply-To: Message-ID: Passing to Tom. Bug originally reported by vendor using a static analysis tool. From rt-comment at krbdev.mit.edu Tue Dec 16 13:34:03 2008 From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT) Date: Tue, 16 Dec 2008 18:34:03 +0000 (UTC) Subject: [krbdev.mit.edu #3884] Canceling the prompter does not break out of the MAX_IN_TKT_LOOPS loop In-Reply-To: Message-ID: I believe this has already been fixed. At the very least it refers to code that no longer exists. From rt-comment at krbdev.mit.edu Tue Dec 16 13:39:56 2008 From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT) Date: Tue, 16 Dec 2008 18:39:56 +0000 (UTC) Subject: [krbdev.mit.edu #6233] Apple patch to instal newsyslog config In-Reply-To: Message-ID: Specific to Apple's build system. Note that this patch will only cleanly apply if the sandboxing patches (also specific to Apple build system) are already applied. Since the patch is to a KfM-specific file there's no reason to not take this other than that it clutters up our build system. Passing to Zhanna. From rt-comment at krbdev.mit.edu Tue Dec 16 13:41:13 2008 From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT) Date: Tue, 16 Dec 2008 18:41:13 +0000 (UTC) Subject: [krbdev.mit.edu #6235] install target for KerberosLite In-Reply-To: Message-ID: Specific to Apple's build system. Note that this patch will only cleanly apply if the sandboxing patches (also specific to Apple build system) are already applied. Since the patch is to a KfM-specific file there's no reason to not take this other than that it clutters up our build system. Passing to Zhanna. From rt-comment at krbdev.mit.edu Tue Dec 16 13:43:07 2008 From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT) Date: Tue, 16 Dec 2008 18:43:07 +0000 (UTC) Subject: [krbdev.mit.edu #6235] install target for KerberosLite In-Reply-To: Message-ID: [lxs - Tue Dec 16 13:41:13 2008]: > Note that this patch will only cleanly apply if the sandboxing > patches (also specific to Apple build system) are already applied. > paste-o Does not depend on any other patches. From rt-comment at krbdev.mit.edu Tue Dec 16 13:51:40 2008 From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT) Date: Tue, 16 Dec 2008 18:51:40 +0000 (UTC) Subject: [krbdev.mit.edu #6277] KLCacheHasValidTickets changed behavior In-Reply-To: Message-ID: I'm concerned that this patch does not fix the underlying problem with this function. The patch changes the default return value from valid to expired. However the code below is *supposed* to catch all non-valid ticket conditions. I'm not disputing that there is a real bug here, but changing the default return value is probably just masking the real bug where one of the non- valid ticket conditions is not being detected by the logic. In particular using this method of fixing the bug may mean that KIM returns that tickets are expired when they are invalid for some other reason (need validation/not yet valid). Would it be possible to get a description of the state of the ccache when KLCacheHasValidTickets returned that tickets were valid even though they weren't? I looked for a regression test flagged with this bug number and didn't see one. From rt-comment at krbdev.mit.edu Tue Dec 16 13:59:46 2008 From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT) Date: Tue, 16 Dec 2008 18:59:46 +0000 (UTC) Subject: [krbdev.mit.edu #6290] KIM: Pushing authentication login window do application In-Reply-To: Message-ID: Just take this one. Passing to Zhanna. From rt-comment at krbdev.mit.edu Tue Dec 16 14:01:16 2008 From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT) Date: Tue, 16 Dec 2008 19:01:16 +0000 (UTC) Subject: [krbdev.mit.edu #6295] Memory leak in KIM identity object In-Reply-To: Message-ID: Just take this one. Passing to Zhanna. From rt-comment at krbdev.mit.edu Tue Dec 16 14:04:47 2008 From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT) Date: Tue, 16 Dec 2008 19:04:47 +0000 (UTC) Subject: [krbdev.mit.edu #6298] KIM vs no-config In-Reply-To: Message-ID: Need to look at the side effects of having the identity in the preferences being NULL and fix any places where the code doesn't handle this case. Basically just look at all the places in the code where KIM looks up the identity in the preferences and make sure it handles NULL there. Once that has been verified just take this patch. Passing to Zhanna. From rt-comment at krbdev.mit.edu Tue Dec 16 18:52:58 2008 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Tue, 16 Dec 2008 23:52:58 +0000 (UTC) Subject: [krbdev.mit.edu #6305] SVN Commit In-Reply-To: Message-ID: test more commit handler changes http://src.mit.edu/fisheye/changelog/krb5/?cs=21488 Commit By: tlyu Revision: 21488 Changed Files: A branches/commit-handler-test/aaaa/ From rt-comment at krbdev.mit.edu Tue Dec 16 13:59:05 2008 From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT) Date: Tue, 16 Dec 2008 18:59:05 +0000 (UTC) Subject: [krbdev.mit.edu #6278] gssd-agent deadlock In-Reply-To: Message-ID: This is the wrong way of fixing this bug. kim_library_init() just registers KIM's error tables using a pthread-once call. I would like to understand the deadlock this patch is intended to fix. There are multiple mutexes involved (one for the error table array and one for KIM's copy of the framework cfbundle). However it's not obvious to me from just looking at the patch what the deadlock is. I don't see a regression test tagged with this bug number. From rt-comment at krbdev.mit.edu Wed Dec 17 17:51:33 2008 From: rt-comment at krbdev.mit.edu (Alexandra Ellwood via RT) Date: Wed, 17 Dec 2008 22:51:33 +0000 (UTC) Subject: [krbdev.mit.edu #6278] gssd-agent deadlock In-Reply-To: Message-ID: This should be fixed by moving the CFBundle code in kim_os_string.c into the support library under non-KIM names. Then this code will no longer call into KIM initializers and cannot deadlock error_message(). Passing to Zhanna. From rt-comment at krbdev.mit.edu Thu Dec 18 10:42:02 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 18 Dec 2008 15:42:02 +0000 (UTC) Subject: [krbdev.mit.edu #1306] Need to rearchitect libraries to better support popup login dialogs In-Reply-To: Message-ID: Requires re-architecturing From rt-comment at krbdev.mit.edu Thu Dec 18 11:09:16 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 18 Dec 2008 16:09:16 +0000 (UTC) Subject: [krbdev.mit.edu #6285] SVN Commit In-Reply-To: Message-ID: Mem leak fix http://src.mit.edu/fisheye/changelog/krb5/?cs=21542 Commit By: tsitkova Revision: 21542 Changed Files: U trunk/src/lib/krb5/ccache/ccdefault.c From rt-comment at krbdev.mit.edu Thu Dec 18 11:21:18 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 18 Dec 2008 16:21:18 +0000 (UTC) Subject: [krbdev.mit.edu #6290] SVN Commit In-Reply-To: Message-ID: KIM: window settings http://src.mit.edu/fisheye/changelog/krb5/?cs=21543 Commit By: tsitkova Revision: 21543 Changed Files: U trunk/src/kim/agent/mac/AuthenticationController.m U trunk/src/kim/agent/mac/SelectIdentityController.m From rt-comment at krbdev.mit.edu Thu Dec 18 11:30:11 2008 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Thu, 18 Dec 2008 16:30:11 +0000 (UTC) Subject: [krbdev.mit.edu #6278] gssd-agent deadlock In-Reply-To: Message-ID: Assigning to Ken From rt-comment at krbdev.mit.edu Thu Dec 18 13:31:23 2008 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Thu, 18 Dec 2008 18:31:23 +0000 (UTC) Subject: [krbdev.mit.edu #6303] SVN Commit In-Reply-To: Message-ID: Remove krb524, lib/des425, lib/krb4, and include/kerberosIV. Remove krb4 build system references and conditionals. Move des425 header stuff referenced by des_int.h into des_int.h. Remove krb4 test cases. http://src.mit.edu/fisheye/changelog/krb5/?cs=21544 Commit By: ghudson Revision: 21544 Changed Files: U trunk/src/Makefile.in U trunk/src/aclocal.m4 U trunk/src/config/pre.in U trunk/src/configure.in U trunk/src/include/Makefile.in D trunk/src/include/kerberosIV/ U trunk/src/kadmin/dbutil/Makefile.in U trunk/src/krb5-config.M U trunk/src/krb5-config.in D trunk/src/krb524/ U trunk/src/lib/Makefile.in U trunk/src/lib/crypto/Makefile.in U trunk/src/lib/crypto/des/Makefile.in U trunk/src/lib/crypto/des/des_int.h U trunk/src/lib/crypto/enc_provider/Makefile.in U trunk/src/lib/crypto/keyhash_provider/Makefile.in U trunk/src/lib/crypto/old/Makefile.in D trunk/src/lib/des425/ D trunk/src/lib/krb4/ U trunk/src/lib/krb5/krb/t_kerb.c U trunk/src/tests/dejagnu/Makefile.in U trunk/src/tests/dejagnu/config/default.exp U trunk/src/tests/dejagnu/krb-root/telnet.exp U trunk/src/tests/dejagnu/krb-standalone/standalone.exp D trunk/src/tests/dejagnu/krb-standalone/v4gssftp.exp D trunk/src/tests/dejagnu/krb-standalone/v4krb524d.exp D trunk/src/tests/dejagnu/krb-standalone/v4standalone.exp U trunk/src/util/depfix.pl U trunk/src/util/ss/Makefile.in From rt-comment at krbdev.mit.edu Thu Dec 18 14:28:26 2008 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Thu, 18 Dec 2008 19:28:26 +0000 (UTC) Subject: [krbdev.mit.edu #6303] SVN Commit In-Reply-To: Message-ID: Remove documentation references to krb4 functionality we no longer have. Remove the krb425 transition guide since we no longer have compatibility code to assist with a transition. http://src.mit.edu/fisheye/changelog/krb5/?cs=21545 Commit By: ghudson Revision: 21545 Changed Files: U trunk/doc/Makefile U trunk/doc/admin.texinfo U trunk/doc/definitions.texinfo U trunk/doc/dnssrv.texinfo U trunk/doc/install.texinfo D trunk/doc/krb4-xrealm.txt D trunk/doc/krb425.texinfo D trunk/doc/old-V4-docs/ From rt-comment at krbdev.mit.edu Tue Dec 23 12:20:37 2008 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Tue, 23 Dec 2008 17:20:37 +0000 (UTC) Subject: [krbdev.mit.edu #6307] test test test send-pr In-Reply-To: Message-ID: testing send-pr and mail gateways From rt-comment at krbdev.mit.edu Tue Dec 23 12:23:11 2008 From: rt-comment at krbdev.mit.edu ( Jorgen Wahlsten via RT) Date: Tue, 23 Dec 2008 17:23:11 +0000 (UTC) Subject: [krbdev.mit.edu #6308] Alignment problem in resolver test In-Reply-To: Message-ID: Hello! In compiling krb5, version 1.6.3, I ran into a core dump (bus error) during 'gmake check' on a Solaris 2.10/Sun Fire T200 build system, when it tried to run tests/resolve/resolve. It seems there is an alignment problem with the automatic 'addrcopy' variable in src/tests/resolve/resolve.c. I forced it to align (and execute successfully) after the change below. I figured this was an easier test, than changing the code to use an in_addr struct -- which is perhaps a more "correct" fix. Thanks /Jorgen Wahlsten ============================== cut here ============================== --- resolve.c~ 2003-07-22 14:02:34.000000000 -0400 +++ resolve.c 2008-12-23 10:09:31.475658000 -0500 @@ -77,7 +77,11 @@ { char myname[MAXHOSTNAMELEN+1]; char *ptr; - char addrcopy[4]; + /* char addrcopy[4]; */ + union { + char addrcopy[4]; + int make_me_aligned; + } u; struct hostent *host; int quiet = 0; @@ -123,10 +127,10 @@ printf("Host address: %d.%d.%d.%d\n", UC(ptr[0]), UC(ptr[1]), UC(ptr[2]), UC(ptr[3])); - memcpy(addrcopy, ptr, 4); + memcpy(u.addrcopy, ptr, 4); /* Convert back to full name */ - if((host = gethostbyaddr(addrcopy, 4, AF_INET)) == NULL) { + if((host = gethostbyaddr(u.addrcopy, 4, AF_INET)) == NULL) { fprintf(stderr, "Error looking up IP address - fatal\n"); exit(2); } ============================== cut here ============================== From rt-comment at krbdev.mit.edu Tue Dec 23 12:32:01 2008 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Tue, 23 Dec 2008 17:32:01 +0000 (UTC) Subject: [krbdev.mit.edu #6307] test test test send-pr In-Reply-To: Message-ID: test reply From rt-comment at krbdev.mit.edu Wed Dec 24 11:51:36 2008 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Wed, 24 Dec 2008 16:51:36 +0000 (UTC) Subject: [krbdev.mit.edu #6031] SVN Commit In-Reply-To: Message-ID: Add a new fallback host-to-realm heuristic to try the components of the hostname as domains. The heuristic is off by default and is controlled by the realm_try_domains variable under libdefaults. Based on a patch submitted by Mark Phalan from Sun. http://src.mit.edu/fisheye/changelog/krb5/?cs=21588 Commit By: ghudson Revision: 21588 Changed Files: U trunk/README U trunk/src/config-files/krb5.conf.M U trunk/src/lib/krb5/os/hst_realm.c From rt-comment at krbdev.mit.edu Sat Dec 27 08:48:25 2008 From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT) Date: Sat, 27 Dec 2008 13:48:25 +0000 (UTC) Subject: [krbdev.mit.edu #6308] Alignment problem in resolver test In-Reply-To: Message-ID: Hi, Why do you believe you need to use a struct in_addr? Every man page for gethostbyaddr takes a char * - and the alignment is then I suppose compiler specific... You did not indicate a compiler version - is this gcc or Sun's compiler? I do not have access to solaris 2.10 - but what does the manpage on gethostbyaddr say? What does the prototype in /usr/include/netdb.h indicate? I suspect that the problem is not in our code - but something in the OS library. Is this a known issue with Solaris? Now scanning the krb5 code - I see one other place in which gethostaddr is used without a struct (gssapi code) - but it would appear that it is using malloc - which should be suitably aligned for any variable type... So - I guess we need to know what is broken - the compiler, the library, or our code... Coding a work around without understanding the problem is probably not best. Perhaps you can give us more information... Ezra From rt-comment at krbdev.mit.edu Sat Dec 27 15:17:36 2008 From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT) Date: Sat, 27 Dec 2008 20:17:36 +0000 (UTC) Subject: [krbdev.mit.edu #6308] Alignment problem in resolver test In-Reply-To: Message-ID: Okay - I have been able to reproduce the problem on one MIT's solaris machines - but only when using gcc.... This is gcc version 3.4.3 on a machine running Solaris 10 3/05 s10_74L2a SPARC. I modified the code to allow me to vary the alignment of the memory. Sure enough, gethostbyaddr segfaults in the nss library. Now - why is this only w/ gcc and not sunsoft's compiler - I could not tell you. Looking at the opensolaris library source for libnss - I do see that there is a path where the pointer to the char * is assigned a struct in_addr *. See IN6_INADDR_TO_V4MAPPED macro in /usr/include/netinet/in.h. The error does not appear to be an optimization issue... Now - why is gcc screwing up? I will need to investigate... I will have to look at the assembly code to see what is going on.... So - can you please confirm that your problem is observed w/ gcc? Ezra From rt-comment at krbdev.mit.edu Sun Dec 28 23:45:39 2008 From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT) Date: Mon, 29 Dec 2008 04:45:39 +0000 (UTC) Subject: [krbdev.mit.edu #6309] SVN Commit In-Reply-To: Message-ID: The krb4 removal failed to change the makefile in ldap kdb plugin directory. http://src.mit.edu/fisheye/changelog/krb5/?cs=21622 Commit By: epeisach Revision: 21622 Changed Files: U trunk/src/plugins/kdb/ldap/ldap_util/Makefile.in From rt-comment at krbdev.mit.edu Tue Dec 30 11:42:39 2008 From: rt-comment at krbdev.mit.edu ( Jorgen Wahlsten via RT) Date: Tue, 30 Dec 2008 16:42:39 +0000 (UTC) Subject: [krbdev.mit.edu #6308] Alignment problem in resolver test In-Reply-To: Message-ID: Hello Ezra. Yes, I used a 32-bit compiled gcc 4.1.1. I do not have Sun's C compiler and can not verify that it is working with it, but if it's important for you to verify that it is working with Sun's C compiler, I can try to get it. Let me know. If I turn on optimization (-O2 or -O3) the program works, while using -O0/-O1 the program still core dumps. Compiling resolve.c as a 32-bit binary or a 64-bit binary does not seem to matter. It core dumps no matter what. I was thinking this had something to do with automatic variable alignment, and therefore changed: char myname[MAXHOSTNAMELEN+1] to char myname[MAXHOSTNAMELEN+8] (MAXHOSTNAMELEN is defined as 256 in netdb.h), which makes the program work again (not core dump). For what it's worth, I think Sun's C compiler *always* aligns the automatic variables on 8-byte boundaries, while GCC tries to fit the addrcopy[4] into the "padding" of myname[256+1] (7 bytes padding?), as an optimization. It does seem strange that this is done *without* optimization though. Regardless, of the differences between Sun's C compiler and GCC, I would be inclined to agree with you that this is a solaris C library bug, that is being triggered by using GCC in this particular case. As for my comment about using an in_addr pointer, I think I merely looked at the EXAMPLE section in the solaris 2.10 gethostbyaddr man page. There is also a NOTE in that man page about INET_ADDR. Let me know if you want to any additional information. Thanks, Jorgen On Sat, Dec 27, 2008 at 3:17 PM, Ezra Peisach via RT < rt-comment at krbdev.mit.edu> wrote: > Okay - I have been able to reproduce the problem on one MIT's solaris > machines - but only when using gcc.... > > This is gcc version 3.4.3 on a machine running Solaris 10 3/05 > s10_74L2a SPARC. > > I modified the code to allow me to vary the alignment of the memory. > Sure enough, gethostbyaddr segfaults in the nss library. > > Now - why is this only w/ gcc and not sunsoft's compiler - I could not > tell you. > > Looking at the opensolaris library source for libnss - I do see that > there is a path where the pointer to the char * is assigned a struct > in_addr *. > > See IN6_INADDR_TO_V4MAPPED macro in /usr/include/netinet/in.h. > > The error does not appear to be an optimization issue... > > Now - why is gcc screwing up? I will need to investigate... I will have > to look at the assembly code to see what is going on.... > > So - can you please confirm that your problem is observed w/ gcc? > Ezra > -- _______________________________________________________________________ Jorgen Wahlsten -- http://www.wahlsten.com/ AIM: JorgenWahlsten YIM: jorgenwahlsten ICQ: 171198501 From rt-comment at krbdev.mit.edu Tue Dec 30 11:42:39 2008 From: rt-comment at krbdev.mit.edu ( Jorgen Wahlsten via RT) Date: Tue, 30 Dec 2008 16:42:39 +0000 (UTC) Subject: [krbdev.mit.edu #6308] Alignment problem in resolver test In-Reply-To: Message-ID: Hello Ezra. Yes, I used a 32-bit compiled gcc 4.1.1. I do not have Sun's C compiler and can not verify that it is working with it, but if it's important for you to verify that it is working with Sun's C compiler, I can try to get it. Let me know. If I turn on optimization (-O2 or -O3) the program works, while using -O0/-O1 the program still core dumps. Compiling resolve.c as a 32-bit binary or a 64-bit binary does not seem to matter. It core dumps no matter what. I was thinking this had something to do with automatic variable alignment, and therefore changed: char myname[MAXHOSTNAMELEN+1] to char myname[MAXHOSTNAMELEN+8] (MAXHOSTNAMELEN is defined as 256 in netdb.h), which makes the program work again (not core dump). For what it's worth, I think Sun's C compiler *always* aligns the automatic variables on 8-byte boundaries, while GCC tries to fit the addrcopy[4] into the "padding" of myname[256+1] (7 bytes padding?), as an optimization. It does seem strange that this is done *without* optimization though. Regardless, of the differences between Sun's C compiler and GCC, I would be inclined to agree with you that this is a solaris C library bug, that is being triggered by using GCC in this particular case. As for my comment about using an in_addr pointer, I think I merely looked at the EXAMPLE section in the solaris 2.10 gethostbyaddr man page. There is also a NOTE in that man page about INET_ADDR. Let me know if you want to any additional information. Thanks, Jorgen On Sat, Dec 27, 2008 at 3:17 PM, Ezra Peisach via RT < rt-comment at krbdev.mit.edu> wrote: > Okay - I have been able to reproduce the problem on one MIT's solaris > machines - but only when using gcc.... > > This is gcc version 3.4.3 on a machine running Solaris 10 3/05 > s10_74L2a SPARC. > > I modified the code to allow me to vary the alignment of the memory. > Sure enough, gethostbyaddr segfaults in the nss library. > > Now - why is this only w/ gcc and not sunsoft's compiler - I could not > tell you. > > Looking at the opensolaris library source for libnss - I do see that > there is a path where the pointer to the char * is assigned a struct > in_addr *. > > See IN6_INADDR_TO_V4MAPPED macro in /usr/include/netinet/in.h. > > The error does not appear to be an optimization issue... > > Now - why is gcc screwing up? I will need to investigate... I will have > to look at the assembly code to see what is going on.... > > So - can you please confirm that your problem is observed w/ gcc? > Ezra > -- _______________________________________________________________________ Jorgen Wahlsten -- http://www.wahlsten.com/ AIM: JorgenWahlsten YIM: jorgenwahlsten ICQ: 171198501 From rt-comment at krbdev.mit.edu Tue Dec 30 12:02:24 2008 From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT) Date: Tue, 30 Dec 2008 17:02:24 +0000 (UTC) Subject: [krbdev.mit.edu #6308] Alignment problem in resolver test In-Reply-To: Message-ID: Great - thanks for the insight... I will try to code around it next week... Ezra Jorgen Wahlsten via RT wrote: > Hello Ezra. > > Yes, I used a 32-bit compiled gcc 4.1.1. > > I do not have Sun's C compiler and can not verify that it is working with > it, but if it's important for you to verify that it is working with Sun's C > compiler, I can try to get it. Let me know. > > If I turn on optimization (-O2 or -O3) the program works, while using > -O0/-O1 the program still core dumps. > > Compiling resolve.c as a 32-bit binary or a 64-bit binary does not seem to > matter. It core dumps no matter what. > > I was thinking this had something to do with automatic variable alignment, > and therefore changed: > > char myname[MAXHOSTNAMELEN+1] > > to > > char myname[MAXHOSTNAMELEN+8] > > (MAXHOSTNAMELEN is defined as 256 in netdb.h), > > which makes the program work again (not core dump). > > For what it's worth, I think Sun's C compiler *always* aligns the automatic > variables on 8-byte boundaries, while GCC tries to fit the addrcopy[4] into > the "padding" of myname[256+1] (7 bytes padding?), as an optimization. It > does seem strange that this is done *without* optimization though. > > Regardless, of the differences between Sun's C compiler and GCC, I would be > inclined to agree with you that this is a solaris C library bug, that is > being triggered by using GCC in this particular case. > > As for my comment about using an in_addr pointer, I think I merely looked at > the EXAMPLE section in the solaris 2.10 gethostbyaddr man page. There is > also a NOTE in that man page about INET_ADDR. > > Let me know if you want to any additional information. > > Thanks, > Jorgen > > > > > On Sat, Dec 27, 2008 at 3:17 PM, Ezra Peisach via RT < > rt-comment at krbdev.mit.edu> wrote: > > >> Okay - I have been able to reproduce the problem on one MIT's solaris >> machines - but only when using gcc.... >> >> This is gcc version 3.4.3 on a machine running Solaris 10 3/05 >> s10_74L2a SPARC. >> >> I modified the code to allow me to vary the alignment of the memory. >> Sure enough, gethostbyaddr segfaults in the nss library. >> >> Now - why is this only w/ gcc and not sunsoft's compiler - I could not >> tell you. >> >> Looking at the opensolaris library source for libnss - I do see that >> there is a path where the pointer to the char * is assigned a struct >> in_addr *. >> >> See IN6_INADDR_TO_V4MAPPED macro in /usr/include/netinet/in.h. >> >> The error does not appear to be an optimization issue... >> >> Now - why is gcc screwing up? I will need to investigate... I will have >> to look at the assembly code to see what is going on.... >> >> So - can you please confirm that your problem is observed w/ gcc? >> Ezra >> >> > > > > From rt-comment at krbdev.mit.edu Tue Dec 30 13:43:15 2008 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Tue, 30 Dec 2008 18:43:15 +0000 (UTC) Subject: [krbdev.mit.edu #6308] Alignment problem in resolver test In-Reply-To: Message-ID: On Dec 30, 2008, at 11:42, Jorgen Wahlsten via RT wrote: > For what it's worth, I think Sun's C compiler *always* aligns the > automatic > variables on 8-byte boundaries, while GCC tries to fit the > addrcopy[4] into > the "padding" of myname[256+1] (7 bytes padding?), as an > optimization. It > does seem strange that this is done *without* optimization though. I worked on GCC in a past job, so please forgive a brief diversion: It's not an optimization you'd turn on or off. The "optimization" is built into the code that decides how the stack frame is laid out. A char array doesn't need any special alignment, so myname[] doesn't have padding, it just ends, with the following byte probably at an odd address; since addrcopy[] is also a char array without special alignment needs, it's allowed to be put there. > Regardless, of the differences between Sun's C compiler and GCC, I > would be > inclined to agree with you that this is a solaris C library bug, > that is > being triggered by using GCC in this particular case. > > As for my comment about using an in_addr pointer, I think I merely > looked at > the EXAMPLE section in the solaris 2.10 gethostbyaddr man page. > There is > also a NOTE in that man page about INET_ADDR. The POSIX spec I just pulled up says the address argument points to an address, not a bunch of bytes, and in particular, > The addr argument of gethostbyaddr() shall be an in_addr structure > when type is AF_INET. (Presumably they meant the pointed-to thing.) So, converting it to an actual in_addr would probably be the right fix (though it leaves us with IPv6 support still missing in those places). Ken From rt-comment at krbdev.mit.edu Tue Dec 30 14:32:31 2008 From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT) Date: Tue, 30 Dec 2008 19:32:31 +0000 (UTC) Subject: [krbdev.mit.edu #6308] Alignment problem in resolver test In-Reply-To: Message-ID: Ken, With regards to alignment - I believe that is why the "fix" to use a union would force an alignment. I will use an in_addr to ensure alignment. As I indicated in my initial analysis - there is one other place gethostbyaddr is used w/o a struct in_addr - but the memory is malloced. I am correct that malloc will return an alignment that is compatible w/ any structure - right? Ezra From rt-comment at krbdev.mit.edu Tue Dec 30 14:42:29 2008 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Tue, 30 Dec 2008 19:42:29 +0000 (UTC) Subject: [krbdev.mit.edu #6308] Alignment problem in resolver test In-Reply-To: Message-ID: "Ezra Peisach via RT" writes: > As I indicated in my initial analysis - there is one other place > gethostbyaddr is used w/o a struct in_addr - but the memory is > malloced. I am correct that malloc will return an alignment that is > compatible w/ any structure - right? It's defined to return memory with an alignment suitable for any object. From rt-comment at krbdev.mit.edu Tue Dec 30 14:47:30 2008 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Tue, 30 Dec 2008 19:47:30 +0000 (UTC) Subject: [krbdev.mit.edu #6308] Alignment problem in resolver test In-Reply-To: Message-ID: On Dec 30, 2008, at 14:32, Ezra Peisach via RT wrote: > With regards to alignment - I believe that is why the "fix" to use a > union would force an alignment. I will use an in_addr to ensure > alignment. > As I indicated in my initial analysis - there is one other place > gethostbyaddr is used w/o a struct in_addr - but the memory is > malloced. I am correct that malloc will return an alignment that is > compatible w/ any structure - right? To the best of my knowledge, yes, it'll have to be aligned well enough. Ken From rt-comment at krbdev.mit.edu Tue Dec 30 14:58:07 2008 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Tue, 30 Dec 2008 19:58:07 +0000 (UTC) Subject: [krbdev.mit.edu #6310] minor mem leaks in iprop code In-Reply-To: Message-ID: Just noting for the record: There are some unlikely paths in the kdb_convert.c code that may leak memory. I've marked a few with "XXX" in comments. Shawn said (12/14) that he would file a CR at Sun and take a look. From rt-comment at krbdev.mit.edu Wed Dec 31 11:56:42 2008 From: rt-comment at krbdev.mit.edu (Mark.Phalan@Sun.Com via RT) Date: Wed, 31 Dec 2008 16:56:42 +0000 (UTC) Subject: [krbdev.mit.edu #6311] kadmin utilites could support better command line editing In-Reply-To: Message-ID: libtecla provides a enhanced command history and editing function for use by applications. This would be useful for kadmin since it has a interactive mode through which users provide commands to kadmin. libtecla would provide command tab-completion, line editing etc. Attached is a patch which adds libtecla support to libss (used by ktutil,kadmin/kadmin.local). The patch currently doesn't change the build system. The code here is a direct port from OpenSolaris where we use a static build system. My auto* foo is weak... Included in the patch is an update the the license the contributed code is under.