- Kerberos Version 5, Release 1.3.5
+ Kerberos Version 5, Release 1.4
Release Notes
The MIT Kerberos Team
Unpacking the Source Distribution
---------------------------------
-The source distribution of Kerberos 5 comes in a gzipped tarfile,
-krb5-1.3.5.tar.gz. Instructions on how to extract the entire
-distribution follow.
+The source distribution of Kerberos 5 comes in a tarfile,
+krb5-1.4-signed.tar. The tarfile contains a gzipped tarfile,
+krb5-1.4.tar.gz, and its corresponding PGP signature,
+krb5-1.4.tar.gz.asc.
-If you have the GNU tar program and gzip installed, you can simply do:
+You will need the GNU gzip program, and preferably, the GNU tar
+program, to extract the source distribution.
- gtar zxpf krb5-1.3.5.tar.gz
-
-If you don't have GNU tar, you will need to get the FSF gzip
-distribution and use gzcat:
-
- gzcat krb5-1.3.5.tar.gz | tar xpf -
-
-Both of these methods will extract the sources into krb5-1.3.5/src and
-the documentation into krb5-1.3.5/doc.
+The distribution will extract into a subdirectory "krb5-1.4" of the
+current directory.
Building and Installing Kerberos 5
----------------------------------
and logging in as "guest" with password "guest".
-Major changes in 1.3.5
-----------------------
-
-* [2682] Fix ftpd hang caused by empty PASS command.
-
-* [2686] Fix double-free errors. [MITKRB5-SA-2004-002]
-
-* [2687] Fix denial-of-service vulnerability in ASN.1
- decoder. [MITKRB5-SA-2004-003]
-
-Minor changes in 1.3.5
-----------------------
-
-* [2016] Fix build problem in fake-addrinfo.h by including stdio.h so
- that sprintf() gets prototyped where needed on some platforms.
-
-* [2353] Add missing prototype for gss_krb5int_unseal_token_v3().
-
-* [2607] Fix enctype filtering and some memory leaks in MSLSA ccache.
-
-* [2608] Remove incorrect localization in MSLSA ccache which was
- resulting in crashes.
-
-* [2619] Update MSLSA ccache to support new LSA flag.
-
-* [2623] Update MSLSA ccache to reflect differences in registry layout
- between Windows client and server OSes.
-
-* [2624] Do not ignore the cache when obtaining TGTs from the MSLSA if
- the requested enctype is the NULL enctype.
-
-* [2626] Add Terminal Server compatibility for KfW.
-
-* [2627] Fix cc_mslsa thread safety.
-
-* [2634] Remove the caching of the ccache principal name from
- krb5_context.
-
-* [2643] Fix another problem with krb4 ticket backdating.
-
-* [2675] Add new WiX-based MSI installer for KfW.
-
-* [2677] Add "-c ccache" option to kvno; use consistent memory
- management to avoid crashes on Windows.
-
-* [2689] Misc MSLSA ccache fixes.
-
-* [2691] Improve documentation of ANSI C requirement.
-
-Major changes in 1.3.4
-----------------------
-
-* [2024, 2583, 2584] Fixed buffer overflows in
- krb5_aname_to_localname(). [MITKRB-SA-2004-001]
-
-Minor changes in 1.3.4
-----------------------
-
-* [957] The auth_to_local rules now allow for the client realm to be
- examined.
-
-* [2527, 2528, 2531] Keytab file names lacking a "FILE:" prefix now work
- under Windows.
-
-* [2533] Updated installer scripts for Windows.
-
-* [2534] Fixed memory leak for when an incorrect password is input to
- krb5_get_init_creds_password().
-
-* [2535] Added missing newline to dnssrv.c.
-
-* [2551, 2564] Use compile-time checks to determine endianness.
-
-* [2558] krb5_send_tgs() now correctly sets message_type after
- receiving a KRB_ERROR message.
-
-* [2561, 2574] Fixed memory allocation errors in the MSLSA ccache.
-
-* [2562] The Windows installer works around cases where DLLs cannot be
- unloaded.
-
-* [2585] Documentation correctly describes AES support in GSSAPI.
-
-Major changes in 1.3.3
-----------------------
-
-* [2284] Fixed accept_sec_context to use a replay cache in the
- GSS_C_NO_CREDENTIAL case. Reported by Cesar Garcia.
-
-* [2426] Fixed a spurious SIGPIPE that happened in the TCP sendto_kdc
- code on AIX. Thanks to Bill Dodd.
-
-* [2430] Fixed a crash in the MSLSA ccache.
-
-* [2453] The AES string-to-key function no longer returns a pointer to
- stack memory when given a password longer than 64 characters.
-
-Minor changes in 1.3.3
-----------------------
-
-* [2277] In sendto_kdc, a socket leak on connection failure was fixed.
- Thanks to Bill Dodd.
-
-* [2384] A memory leak in the TCP handling code in the KDC has been
- fixed. Thanks to Will Fiveash.
-
-* [2521] The Windows NSIS installer scripts are in the source tree.
-
-* [2522] The MSLSA ccache now supports Windows 9x.
-
-Major changes in 1.3.2
-----------------------
-
-* [2040, 1471, 2067, 2077, 2079, 2166, 2167, 2220, 2266] Support for
- AES in GSSAPI has been implemented. This corresponds to the
- in-progress work in the IETF (CFX).
-
-* [2049, 2139, 2148, 2153, 2182, 2183, 2184, 2190, 2202] Added a new
- ccache type "MSLSA:" for read-only access to the MS Windows LSA
- cache.
-
-* [982] On windows, krb5.exe now has a checkbox to request addressless
- tickets.
-
-* [2189, 2234] To avoid compatibility problems, unrecognized TGS
- options will now be ignored. Thanks to Wyllys Ingersoll for finding
- a problem with a previous fix.
-
-* [2218] 128-bit AES has been added to the default enctypes.
-
-* [2223, 2229] AES cryptosystem now chains IVs. This WILL break
- backwards compatibility for the kcmd applications, if they are using
- AES session keys. Thanks to Wyllys Ingersoll for finding a problem
- with a previous fix.
-
-Minor changes in 1.3.2
-----------------------
-
-* [1437] Applied patch from Stephen Grau so kinit returns non-zero
- status under certain failure conditions where it had previously
- returned zero.
-
-* [1586] On Windows, the krb4 CREDENTIALS structure has been changed
- to align with KfW's version of the structure.
-
-* [1613] Applied patch from Dave Shrimpton to avoid truncation of
- dates output from the kadmin CLI when long time zone names are
- used.
-
-* [1622] krshd no longer calls syslog from inside a signal handler, in
- an effort to avoid deadlocks on exit.
-
-* [1649] A com_err test program compiles properly on Darwin now.
-
-* [1692] A new configuration file tag "master_kdc" has been added to
- allow master KDCs to be designated separately from admin servers.
-
-* [1702] krb5_get_host_realm() and krb5_free_host_realm() are no
- longer marked as KRB5_PRIVATE.
-
-* [1711] Applied patch from Harry McGavran Jr to allow fake-addrinfo.h
- to compile on libc5 Linux platforms.
-
-* [1712] Applied patch from Cesar Garcia to fix lifetime computation
- in krb524 ticket conversion.
-
-* [1714] Fixed a 64-bit endianness bug in ticket starttime encoding in
- krb524d. Found by Cesar Garcia.
-
-* [1715] kadmind4 and v5passwdd are no longer installed on Mac OS X.
-
-* [1718] The krb4 library configure script now recognizes
- OpenDarwin/x86. Bug found by Rob Braun.
-
-* [1721] krb5_get_init_creds_password() no longer returns a spurious
- KRB5_REALM_UNKNOWN if DNS SRV record support is turned off.
-
-* [1730] krb_mk_auth() no longer overzealously clears the key
- schedule.
-
-* [1731] A double-free related to reading forwarded credentials has
- been fixed. Found by Joseph Galbraith.
-
-* [1770] Applied patch from Maurice Massar to fix a foreachaddr()
- problem that was causing the KDC to segfault on startup.
-
-* [1790] The Linux build uses $(CC) to create shared libraries,
- avoiding a libgcc problem when building libdb.
-
-* [1792] The lib/kadm5 unit tests now work around a Solaris 9
- pty-close bug.
-
-* [1793] The test suite works around some Tru64 and Irix RPATH
- issues, which previously could prevent tests from running on a build
- with shared libraries enabled.
-
-* [1799] kadmind supports callouts to the Apple password server.
-
-* [1893] KRB-SAFE messages from older releases can now be read
- successfully. Prior 1.3.x releases did not save the encoded
- KRB-SAFE message, and experienced problems when re-encoding. Found
- by Scooter Morris.
-
-* [1962] MS LSA tickets with short remaining lifetimes will be
- rejected in favor of retrieving tickets bypassing the LSA cache.
-
-* [1973] sendto_kdc.c now closes sockets with closesocket() instead of
- close(), avoiding a descriptor leak on Windows.
-
-* [1979] An erroneously short initial sequence number mask has been
- fixed.
-
-* [2028] KfW now displays a kinit dialog when GSS fails to find
- tickets.
-
-* [2051] Missing exports have been added to krb4_32.def on Windows.
-
-* [2058] Some problems with krb4 ticket lifetime backdating have
- fixed.
-
-* [2060] GSSAPI's idea of the default ccache is less sticky now.
-
-* [2068] The profile library includes prof-int.h before conditionals
- that rely on it.
-
-* [2084] The resolver library is no longer referenced by library code
- if not building with DNS SRV record support.
-
-* [2085] Updated Windows README file to reflect current compilation
- requirements, etc.
-
-* [2104] On Windows, only define strcasecmp and strncasecmp
- replacement macros if said functions are missing.
-
-* [2106] Return an error for unimplemented ccache functions, rather
- than calling through a null pointer.
-
-* [2118] Applied patch from Will Fiveash to use correct parameter for
- KDC TCP listening sockets.
-
-* [2144,2230] Memory management errors in the Windows gss.exe test
- client have been fixed.
-
-* [2171] krb5_locate_kpasswd() now correctly calls htons() on the
- kpasswd port number. Found by Arlene Berry.
-
-* [2180] The profile library now includes pthread.h when compiled with
- USE_PTHREADS.
-
-* [2181, 2224] A timeout has been added to gss-server, and a missing
- parameter to sign_server() has been added.
-
-* [2196] config.{guess,sub} have been updated from autoconf-2.59.
-
-* [2204] Windows gss.exe now has support for specifying credentials
- cache, as well as some minor bugfixes.
-
-* [2210] GSSAPI accept_sec_context() no longer unconditionally sets
- INTEG and CONF flags in contradiction to what the initiator sent.
-
-* [2212] The GSS sample application has some additional options to
- support testing of SSPI vs GSSAPI.
-
-* [2217] Windows gss.exe has new UI elements to support more flag
- settings.
-
-* [2225] In the gss sample client, some extraneous parameters have
- been removed from client_establish_context().
-
-* [2228] Copyright notices updated in GSS sample apps.
-
-* [2233] On Windows compiles with KRB5_KFW_COMPILE, the lib path for
- krbcc32.lib is now correct.
-
-* [2195, 2236, 2241, 2245] The Solaris 9 pty-close bug, which was
- affecting the test suite, has been worked around by hacking
- scheduler priorities. See the installation notes for details.
- Thanks to Bill Sommerfeld for some useful hints.
-
-* [2258] An incorrect memcpy() statement in fakeka has been fixed.
- Reported by David Thompson.
-
-Notes, Major Changes, and Known Bugs for 1.3.1
-----------------------------------------------
-
-* [1681] The incorrect encoding of the ETYPE-INFO2 preauthentication
- hint is no longer emitted, and the both the incorrect and the
- correct encodings of ETYPE-INFO2 are now accepted. We STRONGLY
- encourage deploying krb5-1.3.1 in preference to 1.3, especially on
- client installations, as the 1.3 release did not conform to the
- internet-draft for the revised Kerberos protocol in its encoding of
- ETYPE-INFO2.
-
-* [1683] The non-caching getaddrinfo() API on Mac OS X, which was
- causing significant slowdowns under some circumstances, has been
- worked around.
-
-Minor changes in 1.3.1
-----------------------
-
-* [1015] gss_accept_sec_context() now passes correct arguments to
- TREAD_STR() when reading options beyond the forwarded credential
- option. Thanks to Emily Ratliff.
-
-* [1365] The GSSAPI initiator credentials are no longer cached inside
- the GSSAPI library.
-
-* [1651] A buffer overflow in krb_get_admhst() has been fixed.
-
-* [1655] krb5_get_permitted_enctypes() and krb5_set_real_time() are
- now exported for use by Samba.
-
-* [1656] gss_init_sec_context() no longer leaks credentials under some
- error conditions.
-
-* [1657] krb_get_lrealm() no longer returns "ATHENA.MIT.EDU"
- inappropriately.
-
-* [1664] The crypto library no longer has bogus dependencies on
- com_err.
-
-* [1665] krb5_init_context() no longer multiply registers error tables
- when called more than once, preventing a memory leak.
-
-* [1666] The GSS_C_NT_* symbols are now exported from gssapi32.dll on
- Windows.
-
-* [1667] ms2mit now imports any tickets with supported enctypes, and
- does not import invalid tickets.
-
-* [1677] krb5_gss_register_acceptor_identity() no longer has an
- off-by-one in its memory allocation.
-
-* [1679] krb5_principal2salt is now exported on all platforms.
-
-* [1684] The file credentials cache is now supported if USE_CCAPI is
- defined, i.e., for KfM and KfW.
-
-* [1691] Documentation for the obsolete kdc_supported_enctypes config
- variable has been removed.
-
-Notes, Major Changes, and Known Bugs for 1.3
---------------------------------------------
-
-* We now install the compile_et program, so other packages can use the
- installed com_err library with their own error tables. (If you use
- our com_err code, that is; see below.)
+Major changes in 1.4
+--------------------
-* The header files we install now assume ANSI/ISO C ('89, not '99).
- We have stopped testing on SunOS 4, even with gcc. Some of our code
- now has C89-based assumptions, like free(NULL) being well defined,
- that will probably frustrate any attempts to run this code under SunOS
- 4 or other pre-C89 systems.
+* [841] Merged Athena telnetd changes for creating a new option for
+ requiring encryption.
-* Some new code, bug fixes, and cleanup for IPv6 support. Most of the
- code should support IPv6 transparently now. The RPC code (and
- therefore the admin system, which is based on it) does not yet
- support IPv6. The support for Kerberos 4 may work with IPv6 in very
- limited ways, if the address checking is turned off. The FTP client
- and server do not have support for the new protocol messages needed
- for IPv6 support (RFC 2428).
+* [1349, 2578, 2601, 2606, 2613, 2743, 2775, 2778] Add implementation
+ of the RPCSEC_GSS authentication flavor to the RPC library. Thanks
+ to Kevin Coffman and the CITI group at the University of Michigan.
-* We have upgraded to autoconf 2.52 (or later), and the syntax for
- specifying certain configuration options have changed. For example,
- autoconf 2.52 configure scripts let you specify command-line options
- like "configure CC=/some/path/foo-cc", so we have removed some of
- our old options like --with-cc in favor of this approach.
+* [2061] The kadmind4 backwards-compatibility admin server and the
+ v5passwdd backwards-compatibility password-changing server have been
+ removed.
-* The client libraries can now use TCP to connect to the KDC. This
- may be necessary when talking to Microsoft KDCs (domain controllers),
- if they issue you tickets with lots of PAC data.
+* [1303, 2740, 2755, 2781, 2782, 2812] Thread safety for
+ krb5 libraries.
-* If you have versions of the com_err or ss installed locally, you can
- use the --with-system-et and --with-system-ss configure options to
- use them rather than using the versions supplied here. Note that
- the interfaces are assumed to be similar to those we supply; in
- particular, some older, divergent versions of the com_err library
- may not work with the krb5 sources. Many configure-time variables
- can be used to help the compiler and linker find the installed
- packages; see the build documentation for details.
+* [2410] Yarrow code now uses AES.
-* The AES cryptosystem has been implemented. However, support in the
- Kerberos GSSAPI mechanism has not been written (or even fully
- specified), so it's not fully enabled. See the documentation for
- details.
+* [2678, 2802] New client commands kcpytkt and kdeltkt for Windows.
-Major changes listed by ticket ID
----------------------------------
-
-* [492] PRNG breakage on 64-bit platforms no longer an issue due to
- new PRNG implementation.
-
-* [523] Client library is now compatible with the RC4-based
- cryptosystem used by Windows 2000.
-
-* [709] krb4 long lifetime support has been implemented.
-
-* [880] krb5_gss_register_acceptor_identity() implemented (is called
- gsskrb5_register_acceptor_identity() by Heimdal).
-
-* [1087] ftpd no longer requires channel bindings, allowing easier use
- of ftp from behind a NAT.
-
-* [1156, 1209] It is now possible to use the system com_err to build
- this release.
-
-* [1174] TCP support added to client library.
-
-* [1175] TCP support added to the KDC, but is disabled by default.
-
-* [1176] autoconf-2.5x is now required by the build system.
-
-* [1184] It is now possible to use the system Berkeley/Sleepycat DB
- library to build this release.
-
-* [1189, 1251] The KfM krb4 library source base has been merged.
-
-* [1190] The default KDC master key type is now triple-DES. KDCs
- being updated may need their config files updated if they are not
- already specifying the master key type.
-
-* [1190] The default ticket lifetime and default maximum renewable
- ticket lifetime have been extended to one day and one week,
- respectively.
-
-* [1191] A new script, k5srvutil, may be used to manipulate keytabs in
- ways similar to the krb4 ksrvutil utility.
-
-* [1281] The "fakeka" program, which emulates the AFS kaserver, has
- been integrated. Thanks to Ken Hornstein.
-
-* [1343] The KDC now defaults to not answering krb4 requests.
-
-* [1344] Addressless tickets are requested by default now.
-
-* [1372] There is no longer a need to create a special keytab for
- kadmind. The legacy administration daemons "kadmind4" and
- "v5passwdd" will still require a keytab, though.
-
-* [1377, 1442, 1443] The Microsoft set-password protocol has been
- implemented. Thanks to Paul Nelson.
-
-* [1385, 1395, 1410] The krb4 protocol vulnerabilities
- [MITKRB5-SA-2003-004] have been worked around. Note that this will
- disable krb4 cross-realm functionality, as well as krb4 triple-DES
- functionality. Please see doc/krb4-xrealm.txt for details of the
- patch.
-
-* [1393] The xdrmem integer overflows [MITKRB5-SA-2003-003] have
- been fixed.
-
-* [1397] The krb5_principal buffer bounds problems
- [MITKRB5-SA-2003-005] have been fixed. Thanks to Nalin Dahyabhai.
-
-* [1415] Subsession key negotiation has been fixed to allow for
- server-selected subsession keys in the future.
-
-* [1418, 1429, 1446, 1484, 1486, 1487, 1535, 1621] The AES
- cryptosystem has been implemented. It is not usable for GSSAPI,
- though.
-
-* [1491] The client-side functionality of the krb524 library has been
- moved into the krb5 library.
-
-* [1550] SRV record support exists for Kerberos v4.
-
-* [1551] The heuristic for locating the Kerberos v4 KDC by prepending
- "kerberos." to the realm name if no config file or DNS information
- is available has been removed.
-
-* [1568, 1067] A krb524 stub library is built on Windows.
-
-Minor changes listed by ticket ID
----------------------------------
-
-* [90] default_principal_flags documented.
-
-* [175] Docs refer to appropriate example domains/IPs now.
-
-* [299] kadmin no longer complains about missing kdc.conf parameters
- when it really means krb5.conf parameters.
-
-* [318] Run-time load path for tcl is set now when linking test
- programs.
-
-* [443] --includedir honored now.
-
-* [479] unused argument in try_krb4() in login.c deleted.
-
-* [590] The des_read_pw_string() function in libdes425 has been
- aligned with the original krb4 and CNS APIs.
-
-* [608] login.krb5 handles SIGHUP more sanely now and thus avoids
- getting the session into a weird state w.r.t. job control.
-
-* [620] krb4 encrypted rcp should work a little better now. Thanks to
- Greg Hudson.
-
-* [647] libtelnet/kerberos5.c no longer uses internal include files.
-
-* [673] Weird echoing of admin password in kadmin client worked around
- by not using buffered stdio calls to read passwords.
-
-* [677] The build system has been reworked to allow the user to set
- CFLAGS, LDFLAGS, CPPFLAGS, etc. reasonably.
-
-* [680] Related to [673], rewrite krb5_prompter_posix() to no longer
- use longjmp(), thus avoiding some bugs relating to non-restoration
- of terminal settings.
-
-* [697] login.krb5 no longer zeroes out the terminal window size.
-
-* [710] decomp_ticket() in libkrb4 now looks up the local realm name
- more correctly. Thanks to Booker Bense.
-
-* [771] .rconf files are excluded from the release now.
-
-* [772] LOG_AUTHPRIV syslog facility is now usable for logging on
- systems that support it.
-
-* [844] krshd now syslogs using the LOG_AUTH facility.
-
-* [850] Berekely DB build is better integrated into the krb5 library
- build process.
-
-* [866] lib/krb5/os/localaddr.c and kdc/network.c use a common source
- for local address enumeration now.
-
-* [882] gss-client now correctly deletes the context on error.
-
-* [919] kdc/network.c problems relating to SIOCGIFCONF have been
- fixed.
-
-* [922] An overflow in the string-to-time conversion routines has been
- fixed.
-
-* [933] krb524d now handles single-DES session keys other than of type
- des-cbc-crc.
-
-* [935] des-cbc-md4 now included in default enctypes.
-
-* [939] A minor grammatical error has been fixed in a telnet client
- error message.
-
-* [953] des3 no longer failing on Windows due to SHA1 implementation
- problems.
-
-* [964] kdb_init_hist() no longer fails if master_key_enctype is not
- in supported_enctypes.
-
-* [970] A minor inconsistency in ccache.tex has been fixed.
-
-* [971] option parsing bugs rendered irrelevant by removal of unused
- gss mechanism.
+* [2688] New command mit2ms on Windows.
-* [976] make install mentioned in build documentation.
+* [2762] Merged Athena changes to allow ftpd to require encrypted
+ passwords.
-* [986] Related to [677], problems with the ordering of LDFLAGS
- initialization rendered irrelevant by use of native autoconf
- idioms.
+* [2587] Incorporate gss_krb5_set_allowable_enctypes() and
+ gss_krb5_export_lucid_sec_context(), which are needed for NFSv4,
+ from Kevin Coffman.
-* [992] Related to [677], quirks with --with-cc no longer relevant as
- AC_PROG_CC is used instead now.
+* [2841] Fix heap buffer overflow in password history
+ mechanism. [MITKRB5-SA-2004-004]
-* [999] The kdc_default_options configuration variable is now honored.
- Thanks to Emily Ratliff.
+Minor changes in 1.4
+--------------------
-* [1006] Client library, as well as KDC, now perform reasonable
- sorting of ETYPE-INFO preauthentication data.
+Please see
-* [1055] NULL pointer dereferences in code calling
- krb5_change_password() have been fixed.
+http://krbdev.mit.edu/rt/NoAuth/krb5-1.4/fixed-1.4.html
-* [1063] Initial credentials acquisition failures related to client
- host having a large number of local network interfaces should be
- fixed now.
+for a complete list.
-* [1064] Incorrect option parsing in the gssapi library is no longer
- relevant due to removal of the "v2" mechanism.
+* [249] Install example config files.
-* [1065, 1225] krb5_get_init_creds_password() should properly warn about
- password expiration.
+* [427] PATH environment variable won't be overwritten by login.krb5
+ if already set.
-* [1066] printf() argument mismatches in rpc unit tests fixed.
+* [696] Sample KDC propagation script fixed.
-* [1085] The krb5.conf manpage has been re-synchronized with other
- documentation.
+* [868] Fixed search for res_search() and friends.
-* [1102] gssapi_generic.h should now work with C++.
+* [927] Compilation on Tru64 now detects GNU linker and chooses
+ whether to use -oldstyle_liblookup accordingly.
-* [1135] The kadm5 ACL system is better documented.
+* [1044] port-sockets.h explicitly declares h_errno if the declaration
+ is missing.
-* [1136] Some documentation for the setup of cross-realm
- authentication has been added.
+* [1210] KDC cleans up some per-listener state upon process
+ termination to avoid spurious memory leak indications.
-* [1164] krb5_auth_con_gen_addrs() now properly returns errno instead
- of -1 if getpeername() fails.
+* [1335] The server side of the Horowitz password-change protocol now
+ checks for minimum password life.
-* [1173] Address-less forwardable tickets will remain address-less
- when forwarded.
+* [1345, 2730, 2757] patchlevel.h is now the master version file.
-* [1178, 1228, 1244, 1246, 1249] Test suite has been stabilized
- somewhat.
+* [1364] GNU sed is no longer required to make depend on Irix.
-* [1188] As part of the modernization of our usage of autoconf,
- AC_CONFIG_FILES is now used instead of passing a list of files to
- AC_OUTPUT.
+* [1383] SRV record support now handles "." target and adds trailing
+ dots to avoid spurious multiple hostname queries.
-* [1194] configure will no longer recurse out of the top of the source
- tree when attempting to locate the top of the source tree.
+* [1497] A memory leak in the krb5 context serializer has been fixed.
-* [1192] Documentation for the krb5 afs functionality of krb524d has
- been written.
+* [1570] Some team procedures now documented.
-* [1195] Example krb5.conf file modified to include all enctypes
- supported by the release.
+* [1588] Automatic rebuilding of configure scripts, etc. are only done
+ if --enable-maintainer-mode is passed to configure.
-* [1202] The KDC no longer rejects unrecognized flags.
+* [1623] Memory management in the ftp client has been cleaned up.
-* [1203] krb5_get_init_creds_keytab() no longer does a double-free.
+* [1724] DNS SRV record lookup support is unconditionally built on
+ Unix.
-* [1211] The ASN.1 code no longer passes (harmless) uninitialized
- values around.
+* [1791] Replacement for daemon() is compiled separately each time it
+ is needed, rather than ending up in the krb5 library.
-* [1212] libkadm5 now allows for persistent exclusive database locks.
+* [1806] Default to building shared libraries on most platforms that
+ support them.
-* [1217] krb5_read_password() and des_read_password() are now
- implemented via krb5_prompter_posix().
+* [1847] Fixed daemon() replacement to build on Tru64.
-* [1224] For SAM challenges, omitted optional strings are no longer
- encoded as zero-length strings.
+* [1850] Fixed some 0 vs NULL issues.
-* [1226] Client-side support for SAM hardware-based preauth
- implemented.
+* [2066] AES-only configuration now tested in test suite.
-* [1229] The keytab search logic no longer fails prematurely if an
- incorrect encryption type is found. Thanks to Wyllys Ingersoll.
+* [2219] Fixed memory leak in KDC preauth handling.
-* [1232] If the master KDC cannot be resolved, but a slave is
- reachable, the client library now returns the real error from the
- slave rather than the resolution failure from the master. Thanks to
- Ben Cox.
+* [2256] Use $(CC) rather than ld to build shared libs on Tru64 and
+ Irix.
-* [1234] Assigned numbers for SAM preauth have been corrected.
- sam-pk-for-sad implementation has been aligned.
+* [2276] Support for the non-standard enctype
+ ENCTYPE_LOCAL_DES3_HMAC_SHA1 has been removed.
-* [1237] Profile-sharing optimizations from KfM have been merged.
+* [2285] Test suite checks TCP access to KDC.
-* [1240] Windows calling conventions for krb5int_c_combine_keys() have
- been aligned.
+* [2295] Minor stylistic cleanup in gss-client.
-* [1242] Build system incompatibilities with Debian's chimeric
- autoconf installation have been worked around.
+* [2296, 2370, 2424] krb5_get_init_creds() APIs avoid multiple queries
+ to master KDC.
-* [1256] Incorrect sizes passed to memset() in combine_keys()
- operations have been corrected.
+* [2379] Remove _XOPEN_EXTENDED hack previously used for HP-UX.
-* [1260] Client credential lookup now gets new service tickets in
- preference to attempting to use expired ticketes. Thanks to Ben
- Cox.
+* [2432] Only sanity-check setutent() API if utmpx.h is not present,
+ as this was preventing recent NetBSD from configuring.
-* [1262, 1572] Sequence numbers are now unsigned; negative sequence
- numbers will be accepted for the purposes of backwards
- compatibility.
+* [2525] kvno.exe installed on Windows.
-* [1263] A heuristic for matching the incorrectly encoded sequence
- numbers emitted by Heimdal implementations has been written.
+* [2529] Fix some internal type inconsistencies in gssapi library.
-* [1284] kshd accepts connections by IPv6 now.
+* [2530] Fix KRB5_CALLCONV usage in krb5_cc_resolve().
-* [1292] kvno manpage title fixed.
+* [2537] Apply fix from John Hascall to make krb5_get_in_tkt()
+ emulation actually honor the lifetimes in the input credentials.
-* [1293] Source files no longer explicitly attempt to declare errno.
+* [2539] Create manpage for krb524d.
-* [1304] kadmind4 no longer leaves sa_flags uninitialized.
+* [2573] The rcache code no longer attempts to close a negative file
+ descriptor from a failed open.
-* [1305] Expired tickets now cause KfM to pop up a password dialog.
+* [2591] The gssapi library now requires that the initiator's channel
+ bindings match those provided by the acceptor, if the acceptor
+ provides them at all.
-* [1309] krb5_send_tgs() no longer leaks the storage associated with
- the TGS-REQ.
+* [2592] Fix some HP-UX 11 compilation issues.
-* [1310] kadm5_get_either() no longer leaks regexp library memory.
+* [2598] Fix some HP-UX 11 foreachaddr() issues.
-* [1311] Output from krb5-config no longer contains spurious uses of
- $(PURE).
+* [2600] gss_accept_sec_context() no longer leaks rcaches.
-* [1324] The KDC no longer logs an inappropriate "no matching key"
- error when an encrypted timestamp preauth password is incorrect.
+* [2603] Clean up some issues relating to use of reserved namespace in
+ k5-platform.h.
-* [1334] The KDC now returns a clockskew error when the timestamp in
- the encrypted timestamp preauth is out of bounds, rather than just
- returning a preauthentcation failure.
+* [2614] Rewrite handling of whitespace in profile library to better
+ handle whitespace around tag names.
-* [1342] gawk is no longer required for building kerbsrc.zip for the
- Windows build.
+* [2629] Fix double-negation of a preprocessor test in osconf.h.
-* [1346] gss_krb5_ccache_name() no longer attempts to return a pointer
- to freed memory.
+* [2637] krb5int_zap_data() uses SecureZeroMemory on Windows instead
+ of memset().
-* [1351] The filename globbing vulnerability [CERT VU#258721] in the
- ftp client's handling of filenames beginning with "|" or "-"
- returned from the "mget" command has been fixed.
+* [2654] krb5_get_init_creds() checks for overflow/underflow on 32-bit
+ timestamps.
-* [1352] GSS_C_PROT_READY_FLAG is no longer asserted inappropriately
- during GSSAPI context establishment.
+* [2655] krb5_get_init_creds() no longer issues requests where the
+ renew_until time precedes the expiration time.
-* [1356] krb5_gss_accept_sec_context() no longer attempts to validate
- a null credential if one is passed in.
+* [2656] krb5_get_init_creds() supports ticket_lifetime libdefault.
-* [1362] The "-a user" option to telnetd now does the right thing.
- Thanks to Nathan Neulinger.
+* [2657] Default ccache name is evaluated more lazily.
-* [1363] ksu no longer inappropriately syslogs to stderr.
+* [2661] Handle return of ai_canonname=NULL from getaddrinfo().
-* [1357] krb__get_srvtab_name() no longer leaks memory.
+* [2674] libkadm5 acl_init() API renamed to avoid conflict with MacOS
+ X acl API.
-* [1370] GSS_C_NO_CREDENTIAL now accepts any principal in the keytab.
+* [2684, 2710, 2728] Use BIND 8 parsing API when available.
-* [1373] Handling of SAM preauth no longer attempts to stuff a size_t
- into an unsigned int.
+* [2685] The profile library iterators no longer get confused when
+ modifications are made to the in-memory profile.
-* [1387] BIND versions later than 8 now supported.
+* [2694] The krb5-config script now has a manpage.
-* [1392] The getaddrinfo() wrapper should work better on AIX.
+* [2704] New ccache API flag to request only information, not actual
+ credentials.
-* [1400] If DO_TIME is not set in the auth_context, and no replay
- cache is available, no replay cache will be used.
+* [2705] Support for upcoming read/write MSLSA ccache.
-* [1406, 1108] libdb is no longer installed. If you installed
- krb5-1.3-alpha1, you should ensure that no spurious libdb is left in
- your install tree.
+* [2706] resolv.h is included when searching for res_search() and
+ friends, to account for symbol renaming.
-* [1412] ETYPE_INFO handling no longer goes into an infinite loop.
+* [2715] The install-strip make target no longer attempts to strip
+ scripts.
-* [1414] libtelnet is now built using the same library build framework
- as the rest of the tree.
+* [2718] Fix memory leak in arcfour string_to_key. Reported by
+ Derrick Schommer.
-* [1417] A minor memory leak in krb5_read_password() has been fixed.
+* [2719] Fix memory leak in rd_cred.c. Reported by Derrick Schommer.
-* [1419] A memory leak in asn1_decode_kdc_req_body() has been fixed.
+* [2725] Fix memory leak in mk_req_extended(). Reported by Derrick
+ Schommer.
-* [1435] inet_ntop() is now emulated when needed.
+* [2729] Add some new version strings for Windows.
-* [1439] krb5_free_pwd_sequences() now correctly frees the entire
- sequence of elements.
+* [2734] The ticket_lifetime libdefault now uses units of seconds by
+ default, if no units are provided.
-* [1440] errno is no longer explicitly declared.
+* [2741] The profile library's error tables aren't loaded on MacOS X.
-* [1441] kadmind should now return useful errors if an unrecognized
- version is received in a changepw request.
+* [2750] Calls to the profile library which set values no longer fail
+ if the file is not writable.
-* [1454, 1480, 1517, 1525] The etype-info2 preauth type is now
- supported.
+* [2751] The profile library has a new API to detect whether the
+ default profile is writable.
-* [1459] (KfM/KLL internal) config file resolution can now be
- prevented from accessing the user's homedir.
+* [2753] An initial C implementation of CCAPI has been done.
-* [1463] Preauth handling in the KDC has been reorganized.
+* [2754] fake-addrinfo.h includes errno.h earlier.
-* [1470] Double-free in client-side preauth code fixed.
+* [2756] The profile library calls stat() less frequently on files.
-* [1473] Ticket forwarding when the TGS and the end service have
- different enctypes should work somewhat better now.
+* [2760, 2780] The keytab implementation checks for cases where
+ fopen() can return NULL without setting errno. Reported by Roland
+ Dowdeswell.
-* [1474] ASN.1 testsuite memory management has been cleaned up a
- little to allow for memory leak checking.
+* [2770] com_err now creates valid prototypes for generated files.
+ Reported by Jeremy Allison.
-* [1476] Documentation updated to reflect default krb4 mode.
+* [2772, 2797] The krb4 library now honors the dns_fallback libdefault
+ setting.
-* [1482] RFC-1964 OIDs now provided using the suggested symbolic
- names.
+* [2776, 2779] Solaris patches exist for the pty-close race condition
+ bug. We check for these patches now checked, and don't apply the
+ priocntl hack if they are present.
-* [1483, 1528] KRB5_DEPRECATED is now false by default on all
- platforms.
+* [2783] ftpcmds.y unconditionally defines NBBY to 8.
-* [1488] The KDC will now return integrity errors if a decryption
- error is responsible for preauthentication failure.
+* [2793] locate_kdc.c can compile if KRB5_DNS_LOOKUP isn't defined,
+ though we removed the configure-time option for this.
-* [1492] The autom4te.cache directories are now deleted from the
- release tarfiles.
+* [2795] Fixed some addrinfo problems that affected Irix.
-* [1501] Writable keytabs are registered by default.
+* [2805] Windows NSIS installer script updated.
-* [1515] The check for cross-realm TGTs no longer reads past the end
- of an array.
+* [2808] Support library renamed on Windows.
-* [1518] The kdc_default_options option is now actually honored.
+* [2815] krb5-config updated to reference new support library.
-* [1519] The changepw protocol implementation in kadmind now logs
- password changes.
+* [2814, 2816] Some MSLSA ccache features depending on non-public SDK
+ features were backed out.
-* [1520] Documentation of OS-specific build options has been updated.
+* [2818] Don't create empty array for addresses in MSLSA ccache.
-* [1536] A missing prototype for krb5_db_iterate_ext() has been
- added.
+* [2832] Fix shared library build on sparc64-netbsd.
-* [1537] An incorrect path to kdc.conf show in the kdc.conf manpage
- has been fixed.
+* [2833, 2834, 2835] Add support for generating/installing debugging
+ symbols on Windows.
-* [1540] verify_as_reply() will only check the "renew-till" time
- against the "till" time if the RENEWABLE is not set in the request.
-
-* [1547] gssftpd no longer uses vfork(), as this was causing problems
- under RedHat 9.
-
-* [1549] SRV records with a value of "." are now interpreted as a lack
- of support for the protocol.
-
-* [1553] The undocumented (and confusing!) kdc_supported_enctypes
- kdc.conf variable is no longer used.
-
-* [1560] Some spurious double-colons in password prompts have been
- fixed.
-
-* [1571] The test suite tries a little harder to get a root shell.
-
-* [1573] The KfM build process now sets localstatedir=/var/db.
-
-* [1576, 1575] The client library no longer requests RENEWABLE_OK if
- the renew lifetime is greater than the ticket lifetime.
-
-* [1587] A more standard autoconf test to locate the C compiler allows
- for gcc to be found by default without additional configuration
- arguments.
-
-* [1593] Replay cache filenames are now escaped with hyphens, not
- backslashes.
-
-* [1598] MacOS 9 support removed from in-tree com_err.
-
-* [1602] Fixed a memory leak in make_ap_req_v1(). Thanks to Kent Wu.
-
-* [1604] Fixed a memory leak in krb5_gss_init_sec_context(), and an
- uninitialized memory reference in kg_unseal_v1(). Thanks to Kent
- Wu.
-
-* [1607] kerberos-iv SRV records are now documented.
-
-* [1610] Fixed AES credential delegation under GSSAPI.
-
-* [1618] ms2mit no longer inserts local addresses into tickets
- converted from the MS ccache if they began as addressless tickets.
-
-* [1619] etype_info parser (once again) accepts extra field emitted by
- Heimdal.
-
-* [1643] Some typos in kdc.conf.M have been fixed.
-
-* [1648] For consistency, leading spaces before preprocessor
- directives in profile.h have been removed.
-
---[ DELETE BEFORE RELEASE ---changes to unreleased code, etc.--- ]--
-
-* [1054] KRB-CRED messages for RC4 are encrypted now.
-
-* [1177] krb5-1-2-2-branch merged onto trunk.
-
-* [1193] Punted comment about reworking key storage architecture.
-
-* [1208] install-headers target implemented.
-
-* [1223] asn1_decode_oid, asn1_encode_oid implemented
-
-* [1248] RC4 is explicitly excluded from combine_keys.
-
-* [1276] Generated dependencies handle --without-krb4 properly now.
-
-* [1339] An inadvertent change to the krb4 get_adm_hst API (strcpy vs
- strncpy etc.) has been fixed.
-
-* [1384, 1413] Use of autoconf-2.52 in util/reconf will now cause a
- warning.
-
-* [1388] DNS support is turned on in KfM.
-
-* [1391] Fix kadmind startup failure with krb4 vuln patch.
-
-* [1409] get_ad_tkt() now prompts for password if there are no tickets
- (in KfM).
-
-* [1447] vts_long() and vts_short() work now.
-
-* [1462] KfM adds exports of set_pw calls.
-
-* [1477] compile_et output not used in err_txt.c.
-
-* [1495] KfM now exports string_to_key_with_params.
-
-* [1512, 1522] afs_string_to_key now works with etype_info2.
-
-* [1514] krb5int_populate_gic_opt returns void now.
-
-* [1521] Using an afs3 salt for an AES key no longer causes
- segfaults.
-
-* [1533] krb524.h no longer contains invalid Mac pragmas.
-
-* [1546] krb_mk_req_creds() no longer zeros the session key.
-
-* [1554] The krb4 string-to-key iteration now accounts correctly for
- the decrypt-in-place semantics of libdes425.
-
-* [1557] KerberosLoginPrivate.h is now correctly included for the use
- of __KLAllowHomeDirectoryAccess() in init_os_ctx.c (for KfM).
-
-* [1558] KfM exports the new krb524 interface.
-
-* [1563] krb__get_srvtaname() no longer returns a pointer that is
- free()d upon a subsequent call.
-
-* [1569] A debug statement has been removed from krb524init.
-
-* [1592] Document possible file rename lossage when building against
- system libdb.
-
-* [1594] Darwin gets an explicit dependency of err_txt.o on
- krb_err.c.
-
-* [1596] Calling conventions, etc. tweaked for KfW build of
- krb524.dll.
-
-* [1600] Minor tweaks to README to improve notes on IPv6, etc.
-
-* [1605] Fixed a leak of subkeys in krb5_rd_rep().
-
-* [1630] krb5_get_in_tkt_with_keytab() works now; previously borken by
- reimplementation in terms of krb5_get_init_creds().
-
-* [1642] KfM build now inherits CFLAGS and LDFLAGS from parent project.
+* [2838] Fix termination of incorrect string in telnetd.
Copyright Notice and Legal Administrivia
----------------------------------------
in respect of any properties, including, but not limited to, correctness
and fitness for purpose.
-
-
-Acknowledgements
-----------------
+---- The implementation of the RPCSEC_GSS authentication flavor in
+src/lib/rpc has the following copyright:
+
+ Copyright (c) 2000 The Regents of the University of Michigan.
+ All rights reserved.
+
+ Copyright (c) 2000 Dug Song <dugsong@UMICH.EDU>.
+ All rights reserved, all wrongs reversed.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. Neither the name of the University nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+Acknowledgments
+---------------
Appreciation Time!!!! There are far too many people to try to thank
them all; many people have contributed to the development of Kerberos
V5. This is only a partial listing....
-Thanks to Paul Vixie and the Internet Software Consortium for funding
-the work of Barry Jaspan. This funding was invaluable for the OV
-administration server integration, as well as the 1.0 release
-preparation process.
-
-Thanks to John Linn, Scott Foote, and all of the folks at OpenVision
-Technologies, Inc., who donated their administration server for use in
-the MIT release of Kerberos.
-
-Thanks to Jeff Bigler, Mark Eichin, Marc Horowitz, Nancy Gilman, Ken
-Raeburn, and all of the folks at Cygnus Support, who provided
-innumerable bug fixes and portability enhancements to the Kerberos V5
-tree. Thanks especially to Jeff Bigler, for the new user and system
-administrator's documentation.
-
-Thanks to Doug Engert from ANL for providing many bug fixes, as well
-as testing to ensure DCE interoperability.
-
-Thanks to Ken Hornstein at NRL for providing many bug fixes and
-suggestions, and for working on SAM preauthentication.
-
-Thanks to Matt Crawford at FNAL for bugfixes and enhancements.
-
-Thanks to Sean Mullan and Bill Sommerfeld from Hewlett Packard for
-their many suggestions and bug fixes.
+Thanks to Kevin Coffman and the CITI group at the University of
+Michigan for providing patches for implementing RPCSEC_GSS
+authentication in the RPC library.
-Thanks to Nalin Dahyabhai of RedHat and Chris Evans for locating and
-providing patches for numerous buffer overruns.
+Thanks to Derrick Schommer for reporting multiple memory leaks.
-Thanks to Christopher Thompson and Marcus Watts for discovering the
-ftpd security bug.
+Thanks to Quanah Gibson-Mount of Stanford University for helping
+exercise the thread support code.
-Thanks to Paul Nelson of Thursby Software Systems for implementing the
-Microsoft set password protocol.
+[...]
Thanks to the members of the Kerberos V5 development team at MIT, both
past and present: Danilo Almeida, Jeffrey Altman, Jay Berkenbilt,
+2004-11-19 Tom Yu <tlyu@mit.edu>
+
+ * build.texinfo (Solaris 9): Document Solaris patches for pty
+ close bug.
+
2004-10-06 Ken Raeburn <raeburn@mit.edu>
* implementor.texinfo, thread-safe.txt, threads.txt: Various
as root, where @code{nnnn} is the pid of the shell whose priority
limit you wish to raise.
+Sun has released kernel patches for this race condition. Apply patch
+117171-11 for sparc, or patch 117172-11 for x86. Later revisions of
+the patches should also work. It is not necessary to run ``make
+check'' from a shell with elevated priority limits once the patch has
+been applied.
+
@node SGI Irix 5.X, Ultrix 4.2/3, Solaris 9, OS Incompatibilities
@subsection SGI Irix 5.X
+2004-12-16 Ezra Peisach <epeisach@bu.edu>
+
+ * krb5-config.in: Add krb5support library.
+
+2004-12-15 Jeffrey Altman <jaltman@mit.edu>
+
+ * Makefile.in: build/clean/install/etc kcpytkt,kdeltkt,ms2mit
+
+2004-11-19 Tom Yu <tlyu@mit.edu>
+
+ * aclocal.m4 (KRB5_AC_PRIOCNTL_HACK): Check for Solaris patch
+ 117171-11 (sparc) or 117172-11 (x86), which fixes the Solaris 9
+ bug which can cause final pty output to be on close.
+
+2004-11-18 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (install-headers-mkdirs): Create KRB5_INCDIR/gssrpc.
+
2004-10-06 Tom Yu <tlyu@mit.edu>
* Makefile.in (INSTALLMKDIRS): Add EXAMPLEDIR.
install-headers-mkdirs:
$(srcdir)/config/mkinstalldirs $(DESTDIR)$(KRB5_INCDIR)
$(srcdir)/config/mkinstalldirs $(DESTDIR)$(KRB5_INCDIR)/gssapi
+ $(srcdir)/config/mkinstalldirs $(DESTDIR)$(KRB5_INCDIR)/gssrpc
$(srcdir)/config/mkinstalldirs $(DESTDIR)$(KRB5_INCDIR)/kerberosIV
install-headers-prerecurse: install-headers-mkdirs
clients\Makefile clients\kdestroy\Makefile \
clients\kinit\Makefile clients\klist\Makefile \
clients\kpasswd\Makefile clients\kvno\Makefile \
+ clients\kcpytkt\Makefile clients\kdeltkt\Makefile \
include\Makefile include\krb5\Makefile \
krb524\Makefile \
lib\Makefile lib\crypto\Makefile \
##DOS## $(WCONFIG) config < $@.in > $@
##DOS##clients\kvno\Makefile: clients\kvno\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
+##DOS##clients\kcpytkt\Makefile: clients\kcpytkt\Makefile.in $(MKFDEP)
+##DOS## $(WCONFIG) config < $@.in > $@
+##DOS##clients\kdeltkt\Makefile: clients\kdeltkt\Makefile.in $(MKFDEP)
+##DOS## $(WCONFIG) config < $@.in > $@
##DOS##include\Makefile: include\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
##DOS##include\krb5\Makefile: include\krb5\Makefile.in $(MKFDEP)
ZIP=zip
FILES= ./* \
clients/* clients/kdestroy/* clients/kinit/* clients/klist/* \
- clients/kpasswd/* \
+ clients/kpasswd/* clients/kcpytkt/* clients/kdeltkt/* \
config/* include/* include/kerberosIV/* \
include/krb5/* include/krb5/stock/* include/sys/* krb524/* lib/* \
lib/crypto/* lib/crypto/crc32/* lib/crypto/des/* lib/crypto/dk/* \
$(CP) windows\gss\$(OUTPRE)gss.exe "$(KRB_INSTALL_DIR)\bin\."
$(CP) appl\gss-sample\$(OUTPRE)gss-server.exe "$(KRB_INSTALL_DIR)\bin\."
$(CP) appl\gss-sample\$(OUTPRE)gss-client.exe "$(KRB_INSTALL_DIR)\bin\."
+ $(CP) windows\ms2mit\$(OUTPRE)ms2mit.exe "$(KRB_INSTALL_DIR)\bin\."
$(CP) appl\gssftp\ftp\$(OUTPRE)ftp.exe "$(KRB_INSTALL_DIR)\bin\."
$(CP) clients\kvno\$(OUTPRE)kvno.exe "$(KRB_INSTALL_DIR)\bin\."
$(CP) clients\klist\$(OUTPRE)klist.exe "$(KRB_INSTALL_DIR)\bin\."
$(CP) clients\kinit\$(OUTPRE)kinit.exe "$(KRB_INSTALL_DIR)\bin\."
$(CP) clients\kdestroy\$(OUTPRE)kdestroy.exe "$(KRB_INSTALL_DIR)\bin\."
+ $(CP) clients\kcpytkt\$(OUTPRE)kcpytkt.exe "$(KRB_INSTALL_DIR)\bin\."
+ $(CP) clients\kdeltkt\$(OUTPRE)kdeltkt.exe "$(KRB_INSTALL_DIR)\bin\."
$(CP) clients\kpasswd\$(OUTPRE)kpasswd.exe "$(KRB_INSTALL_DIR)\bin\."
@if exist "$(KRB_INSTALL_DIR)\bin\krb4_32.dll" del "$(KRB_INSTALL_DIR)\bin\krb4_32.dll"
@if exist "$(KRB_INSTALL_DIR)\lib\krb4_32.lib" del "$(KRB_INSTALL_DIR)\lib\krb4_32.lib"
dnl
dnl
AC_DEFUN([KRB5_AC_PRIOCNTL_HACK],
+[AC_REQUIRE([AC_PROG_AWK])dnl
+AC_REQUIRE([AC_LANG_COMPILER_REQUIRE])dnl
+AC_CACHE_CHECK([whether to use priocntl hack], [krb5_cv_priocntl_hack],
[case $krb5_cv_host in
*-*-solaris2.9*)
- PRIOCNTL_HACK=1
+ if test "$cross_compiling" = yes; then
+ krb5_cv_priocntl_hack=yes
+ else
+ # Solaris patch 117171-11 (sparc) or 117172-11 (x86)
+ # fixes the Solaris 9 bug where final pty output
+ # gets lost on close.
+ if showrev -p | $AWK 'BEGIN { e = 1 }
+/Patch: 11717[[12]]/ { x = index[]([$]2, "-");
+if (substr[]([$]2, x + 1, length([$]2) - x) >= 11)
+{ e = 0 } else { e = 1 } }
+END { exit e; }'; then
+ krb5_cv_priocntl_hack=no
+ else
+ krb5_cv_priocntl_hack=yes
+ fi
+ fi
;;
*)
- PRIOCNTL_HACK=0
+ krb5_cv_priocntl_hack=no
;;
-esac
+esac])
+if test "$krb5_cv_priocntl_hack" = yes; then
+ PRIOCNTL_HACK=1
+else
+ PRIOCNTL_HACK=0
+fi
AC_SUBST(PRIOCNTL_HACK)])
dnl
dnl
+2004-11-26 Sam Hartman <hartmans@mit.edu>
+
+ * ftpcmd.y: nbby should be 8 for anything platform we care about.
+ The previous test broke on Debian BSD, so the test has been
+ removed.
+
+2004-11-03 Tom Yu <tlyu@mit.edu>
+
+ * ftpcmd.y (getline): Merge Athena change to reject MICed
+ password.
+
+ * ftpd.M: Document '-E'.
+
+ * ftpd.c (main): Merge Athena's '-E' changes to prohibit
+ unencrypted passwords.
+
2004-09-22 Tom Yu <tlyu@mit.edu>
* Makefile.in (ftpd): Use UTIL_LIB.
$(KRB_ERR_H_DEP) $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
$(srcdir)/../arpa/ftp.h
$(OUTPRE)getdtablesize.$(OBJEXT): $(srcdir)/../../bsd/getdtablesize.c
+$(OUTPRE)setenv.$(OBJEXT): $(srcdir)/../../bsd/setenv.c
#endif
#ifndef NBBY
-#ifdef linux
#define NBBY 8
#endif
-#ifdef __pyrsoft
-#ifdef MIPSEB
-#define NBBY 8
-#endif
-#endif
-#endif
static struct sockaddr_in host_port;
extern int timeout;
extern int maxtimeout;
extern int pdata;
+extern int authlevel;
extern char hostname[], remotehost[];
extern char proctitle[];
extern char *globerr;
}
#endif /* GSSAPI */
/* Other auth types go here ... */
+
+ /* A password should never be MICed, but the CNS ftp
+ * client and the pre-6/98 Krb5 client did this if you
+ * authenticated but didn't encrypt.
+ */
+ if (authlevel && mic && !strncmp(s, "PASS", 4)) {
+ lreply(530, "There is a problem with your ftp client. Password refused.");
+ reply(530, "Enable encryption before logging in, or update your ftp program.");
+ *s = 0;
+ return s;
+ }
+
}
#if defined KRB5_KRB4_COMPAT || defined GSSAPI /* or other auth types */
else { /* !auth_type */
ftpd \- DARPA Internet File Transfer Protocol server
.SH SYNOPSIS
.B ftpd
-[\fB\-A \fP|\fB -a\fP] [\fB\-C\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB\-l\fP]
-[\fB\-v\fP] [\fB\-T\fP \fImaxtimeout\fP] [\fB\-t\fP \fItimeout\fP]
+[\fB\-A \fP|\fB -a\fP] [\fB\-C\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB-E\fP]
+[\fB\-l\fP] [\fB\-v\fP] [\fB\-T\fP \fImaxtimeout\fP] [\fB\-t\fP \fItimeout\fP]
[\fB\-p\fP \fIport\fP] [\fB\-U\fP \fIftpusers-file\fP] [\fB\-u\fP \fIumask\fP]
[\fB\-r\fP \fIrealm-file\fP] [\fB\-s\fP \fIsrvtab\fP]
[\fB\-w\fP{\fBip\fP|\fImaxhostlen\fP[\fB,\fP{\fBstriplocal\fP|\fBnostriplocal\fP}]}]
.B \-d
Debugging information is written to the syslog. (Identical to -v)
.TP
+.B \-E
+Don't allow passwords to be typed across unencrypted connections.
+.TP
.B \-l
Each
.IR ftp (1)
extern char *optarg;
extern int optopt;
#ifdef KRB5_KRB4_COMPAT
- char *option_string = "AaCcdlp:r:s:T:t:U:u:vw:";
+ char *option_string = "AaCcdElp:r:s:T:t:U:u:vw:";
#else /* !KRB5_KRB4_COMPAT */
- char *option_string = "AaCcdlp:r:T:t:U:u:vw:";
+ char *option_string = "AaCcdElp:r:T:t:U:u:vw:";
#endif /* KRB5_KRB4_COMPAT */
ftpusers = _PATH_FTPUSERS_DEFAULT;
debug = 1;
break;
+ case 'E':
+ if (!authlevel)
+ authlevel = AUTHLEVEL_AUTHENTICATE;
+ break;
+
case 'l':
logging ++;
break;
+2004-12-20 Tom Yu <tlyu@mit.edu>
+
+ * kerberos.c (kerberos4_status): Null-terminate the correct
+ string. Reported by Marcin Garski.
+
+2004-11-15 Tom Yu <tlyu@mit.edu>
+
+ * auth-proto.h, auth.c: Merge Athena changes for requiring
+ encrypted connections.
+
2004-06-04 Ken Raeburn <raeburn@mit.edu>
* Makefile.in (LIBBASE): Renamed from LIB.
void auth_is (unsigned char *, int);
void auth_reply (unsigned char *, int);
void auth_finished (Authenticator *, int);
-int auth_wait (char *);
+void auth_wait (char *);
+int auth_check (char *);
int auth_must_encrypt (void);
void auth_disable_name (char *);
void auth_gen_printsub (unsigned char *, int, unsigned char *, unsigned int);
int auth_debug_mode = 0;
int auth_has_failed = 0;
int auth_enable_encrypt = 0;
+int auth_client_non_unix = 0;
static char *Name = "Noname";
static int Server = 0;
static Authenticator *authenticated = 0;
authenticating = 1;
while (ap->type) {
if (i_support & ~i_wont_support & typemask(ap->type)) {
- if (auth_debug_mode) {
- printf(">>>%s: Sending type %d %d\r\n",
- Name, ap->type, ap->way);
+ if (ap->type == AUTHTYPE_KERBEROS_V4 ||
+ !auth_client_non_unix) {
+ if (auth_debug_mode) {
+ printf(">>>%s: Sending type %d %d\r\n",
+ Name, ap->type, ap->way);
+ }
+ *e++ = ap->type;
+ *e++ = ap->way;
}
- *e++ = ap->type;
- *e++ = ap->way;
}
++ap;
}
+ if (auth_client_non_unix) {
+ ap = authenticators;
+ while (ap->type) {
+ if (i_support & ~i_wont_support & typemask(ap->type)) {
+ *e++ = ap->type;
+ *e++ = ap->way;
+ }
+ ++ap;
+ }
+ }
*e++ = IAC;
*e++ = SE;
net_write(str_request, e - str_request);
auth_finished(0, AUTH_REJECT);
}
- int
+ void
auth_wait(name)
char *name;
{
printf(">>>%s: in auth_wait.\r\n", Name);
if (Server && !authenticating)
- return(0);
+ return;
(void) signal(SIGALRM, auth_intr);
alarm(30);
break;
alarm(0);
(void) signal(SIGALRM, SIG_DFL);
+}
+ int
+auth_check(name)
+ char *name;
+{
/*
* Now check to see if the user is valid or not
*/
if (UserNameRequested) {
/* the name buffer comes from telnetd/telnetd{-ktd}.c */
strncpy(kname, UserNameRequested, 255);
- name[255] = '\0';
+ kname[255] = '\0';
}
if (UserNameRequested && !kuserok(&adat, UserNameRequested)) {
+2004-11-15 Tom Yu <tlyu@mit.edu>
+
+ * ext.h: New variable "must_encrypt".
+
+ * telnetd.8: Update for changed command-line options.
+
+ * telnetd.c (getterminaltype): Merge Athena changes to require
+ encrypted connections.
+
+ * utility.c (ttsuck): Merge Athena changes to work around some
+ client timing bugs.
+
2004-09-22 Tom Yu <tlyu@mit.edu>
* Makefile.in (telnetd): Use UTIL_LIB.
extern int pty, net;
extern int SYNCHing; /* we are in TELNET SYNCH mode */
+#ifdef ENCRYPTION
+extern int must_encrypt;
+#endif
+
extern void
_termstat (void),
add_slc (int, int, int),
.SH SYNOPSIS
.B /usr/libexec/telnetd
[\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP]
-[\fB\-edebug\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP]
+[\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP]
[\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
[\fB\-S\fP \fItos\fP] [\fB\-U\fP] [\fB\-X\fP \fIauthtype\fP]
[\fB\-w\fP [\fBip\fP|\fImaxhostlen\fP[\fB,\fP[\fBno\fP]\fBstriplocal\fP]]]
.B ptydata
Displays data written to the pty.
.TP
+.B encrypt
+Enables encryption debugging code.
+.TP
.B exercise
Has not been implemented yet.
.RE
in
.IR socket (2)).
.TP
-.B \-edebug
-If
+.B \-e
+This option causes
.B telnetd
-has been compiled with support for data encryption, then the
-.B edebug
-option may be used to enable encryption debugging code.
+to refuse unencrypted connections.
.TP
.B \-h
Disables the printing of host-specific information before login has been
'D', ':',
#endif
#ifdef ENCRYPTION
- 'e', ':',
+ 'e',
#endif
#if defined(CRAY) && defined(NEWINIT)
'I', ':',
diagnostic |= TD_PTYDATA;
} else if (!strcmp(optarg, "options")) {
diagnostic |= TD_OPTIONS;
+ } else if (!strcmp(optarg, "encrypt")) {
+ extern int encrypt_debug_mode;
+ encrypt_debug_mode = 1;
} else {
usage();
/* NOT REACHED */
#ifdef ENCRYPTION
case 'e':
- if (strcmp(optarg, "debug") == 0) {
- extern int encrypt_debug_mode;
- encrypt_debug_mode = 1;
- break;
- }
- usage();
- /* NOTREACHED */
+ must_encrypt = 1;
break;
#endif /* ENCRYPTION */
static void encrypt_failure()
{
- char *lerror_message =
- "Encryption was not successfully negotiated. Goodbye.\r\n\r\n";
+ char *lerror_message;
+
+ if (auth_must_encrypt())
+ lerror_message = "Encryption was not successfully negotiated. Goodbye.\r\n\r\n";
+ else
+ lerror_message = "Unencrypted connection refused. Goodbye.\r\n\r\n";
netputs(lerror_message);
netflush();
settimer(baseline);
#if defined(AUTHENTICATION)
+ ttsuck();
/*
* Handle the Authentication option before we do anything else.
*/
while (his_will_wont_is_changing(TELOPT_AUTHENTICATION))
ttloop();
if (his_state_is_will(TELOPT_AUTHENTICATION)) {
- retval = auth_wait(name);
+ auth_wait(name);
}
#endif
if (his_state_is_will(TELOPT_ENCRYPT)) {
encrypt_wait();
}
- if (auth_must_encrypt()) {
+ if (must_encrypt || auth_must_encrypt()) {
time_t timeout = time(0) + 60;
if (my_state_is_dont(TELOPT_ENCRYPT) ||
- my_state_is_wont(TELOPT_ENCRYPT))
+ my_state_is_wont(TELOPT_ENCRYPT) ||
+ his_state_is_wont(TELOPT_AUTHENTICATION))
encrypt_failure();
- if (!EncryptStartInput() || !EncryptStartOutput())
- encrypt_failure();
+ while (!EncryptStartInput()) {
+ if (time (0) > timeout)
+ encrypt_failure();
+ ttloop();
+ }
+
+ while (!EncryptStartOutput()) {
+ if (time (0) > timeout)
+ encrypt_failure();
+ ttloop();
+ }
while (!encrypt_is_encrypting()) {
if (time(0) > timeout)
}
}
}
- return(retval);
+#ifdef AUTHENTICATION
+ return(auth_check(name));
+#else
+ return(-1);
+#endif
} /* end of getterminaltype */
static void
}
} /* end of ttloop */
+/*
+ * ttsuck - This is a horrible kludge to deal with a bug in
+ * HostExplorer. HostExplorer thinks it knows how to do krb5 auth, but
+ * it doesn't really. So if you offer it krb5 as an auth choice before
+ * krb4, it will sabotage the connection. So we peek ahead into the
+ * input stream to see if the client is a UNIX client, and then
+ * (later) offer krb5 first only if it is. Since no Mac/PC telnet
+ * clients do auto switching between krb4 and krb5 like the UNIX
+ * client does, it doesn't matter what order they see the choices in
+ * (except for HostExplorer).
+ *
+ * It is actually not possible to do this without looking ahead into
+ * the input stream: the client and server both try to begin
+ * auth/encryption negotiation as soon as possible, so if we let the
+ * server process things normally, it will already have sent the list
+ * of supported auth types before seeing the NEW-ENVIRON option. If
+ * you change the code to hold off sending the list of supported auth
+ * types until after it knows whether or not the remote side supports
+ * NEW-ENVIRON, then the auth negotiation and encryption negotiation
+ * race conditions won't interact properly, and encryption negotiation
+ * will reliably fail.
+ */
+
+ void
+ttsuck()
+{
+ extern int auth_client_non_unix;
+ int nread;
+ struct timeval tv;
+ fd_set fds;
+ char *p, match[] = {IAC, WILL, TELOPT_NEW_ENVIRON};
+
+ if (nfrontp-nbackp) {
+ netflush();
+ }
+ tv.tv_sec = 1;
+ tv.tv_usec = 0;
+ FD_SET(net, &fds);
+
+ while (select(net + 1, &fds, NULL, NULL, &tv) == 1)
+ {
+ nread = read(net, netibuf + ncc, sizeof(netibuf) - ncc);
+ if (nread <= 0)
+ break;
+ ncc += nread;
+ }
+
+ auth_client_non_unix = 1;
+ for (p = netibuf; p < netibuf + ncc; p++)
+ {
+ if (!memcmp(p, match, sizeof(match)))
+ {
+ auth_client_non_unix = 0;
+ break;
+ }
+ }
+
+ if (ncc > 0)
+ telrcv();
+}
+
/*
* Check a descriptor to see if out of band data exists on it.
*/
+2004-12-15 Jeffrey Altman <jaltman@mit.edu>
+
+ * Makefile.in: output status info for kcpytkt, kdeltkt
+
2004-08-20 Jeffrey Altman <jaltman@mit.edu>
* Add kcpytkt and kdeltkt directories
@echo Making all in clients\kvno
cd ..\kvno
$(MAKE) -$(MFLAGS)
+ @echo Making all in clients\kcpytkt
cd ..\kcpytkt
$(MAKE) -$(MFLAGS)
+ @echo Making all in clients\kdeltkt
cd ..\kdeltkt
$(MAKE) -$(MFLAGS)
cd ..
@echo Making clean in clients\kvno
cd ..\kvno
$(MAKE) -$(MFLAGS) clean
+ @echo Making clean in clients\kcpytkt
cd ..\kcpytkt
$(MAKE) -$(MFLAGS) clean
+ @echo Making clean in clients\kdeltkt
cd ..\kdeltkt
$(MAKE) -$(MFLAGS) clean
cd ..
+2004-12-15 Jeffrey Altman <jaltman@mit.edu>
+
+ * Makefile.in: correct the makefile to build kdeltkt, not kvno
+
2004-08-19 Jeffrey Altman <jaltman@mit.edu>
* kdeltkt.c, kdeltkt.M: Create a new application.
thisconfigdir=./..
-myfulldir=clients/kvno
+myfulldir=clients/kdeltkt
mydir=kvno
BUILDTOP=$(REL)..$(S)..
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
-all-unix:: kvno
-all-windows:: $(OUTPRE)kvno.exe
+all-unix:: kdeltkt
+all-windows:: $(OUTPRE)kdeltkt.exe
all-mac::
-kvno: kvno.o $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o $@ kvno.o $(KRB4COMPAT_LIBS)
+kdeltkt: kdeltkt.o $(KRB4COMPAT_DEPLIBS)
+ $(CC_LINK) -o $@ kdeltkt.o $(KRB4COMPAT_LIBS)
-$(OUTPRE)kvno.exe: $(OUTPRE)kvno.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.obj $(KLIB) $(CLIB)
+$(OUTPRE)kdeltkt.exe: $(OUTPRE)kdeltkt.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.obj $(KLIB) $(CLIB)
link $(EXE_LINKOPTS) /out:$@ $**
clean-unix::
- $(RM) kvno.o kvno
+ $(RM) kdeltkt.o kdeltkt
install-unix::
- for f in kvno; do \
+ for f in kdeltkt; do \
$(INSTALL_PROGRAM) $$f \
$(DESTDIR)$(CLIENT_BINDIR)/`echo $$f|sed '$(transform)'`; \
$(INSTALL_DATA) $(srcdir)/$$f.M \
+2004-12-17 Jeffrey Altman <jaltman@mit.edu>
+
+ * win-pre.in: add -debug switch to LOPTS if DEBUG_SYMBOLS
+
+2004-12-17 Ken Raeburn <raeburn@mit.edu>
+
+ * shlib.conf (*-*-netbsd*): Use -fPIC instead of -fpic, which
+ won't work on sparc64 at least.
+
+2004-12-15 Jeffrey Altman <jaltman@mit.edu>
+
+ * win-pre.in; optionally build debug symbols for release builds
+ and rename krb5support_32.dll to k5sprt32.dll
+
+2004-11-19 Tom Yu <tlyu@mit.edu>
+
+ * pre.in (KRB5_INCSUBDIRS): Add KRB5_INCDIR/gssrpc.
+
2004-10-06 Tom Yu <tlyu@mit.edu>
* pre.in (datadir, EXAMPLEDIR): Add directory for examples.
KRB5_INCDIR = @includedir@
KRB5_INCSUBDIRS = \
$(KRB5_INCDIR)/gssapi \
- $(KRB5_INCDIR)/kerberosIV
+ $(KRB5_INCDIR)/kerberosIV \
+ $(KRB5_INCDIR)/gssrpc
#
# Macros used by the KADM5 (OV-based) unit test system.
;;
*-*-netbsd*)
- PICFLAGS=-fpic
+ PICFLAGS=-fPIC
SHLIBVEXT='.so.$(LIBMAJOR).$(LIBMINOR)'
SHLIBEXT=.so
LDCOMBINE='ld -Bshareable'
# CCOPTS2 was for non-DLL compiles (EXEs, for example)
#
!ifdef NODEBUG
+!ifdef DEBUG_SYMBOL
+CCOPTS=/ZI $(CCOPTS)
+LOPTS=$(LOPTS) -debug
+!endif
CCOPTS=/Os /MD $(CCOPTS)
LOPTS=$(LOPTS)
!else
PLIB=$(BUILDTOP)\lib\$(OUTPRE)xpprof32.lib
KLIB=$(BUILDTOP)\lib\$(OUTPRE)krb5_32.lib
K4LIB=$(BUILDTOP)\lib\$(OUTPRE)krb4_32.lib
-SLIB=$(BUILDTOP)\lib\$(OUTPRE)krb5support_32.lib
+SLIB=$(BUILDTOP)\lib\$(OUTPRE)k5sprt32.lib
GLIB=$(BUILDTOP)\lib\$(OUTPRE)gssapi32.lib
WLIB=
+2004-12-08 Ken Raeburn <raeburn@mit.edu>
+
+ * k5-int.h (KRB5INT_ACCESS_STRUCT_VERSION): Bump to 9.
+ (struct _krb5int_access): Add function pointer field use_dns_kdc.
+
+2004-10-29 Ken Raeburn <raeburn@mit.edu>
+
+ * fake-addrinfo.h: Include errno.h earlier.
+
2004-10-28 Ken Raeburn <raeburn@mit.edu>
* k5-thread.h (return_after_yield, k5_mutex_lock) [__GNUC__]: Add
#include "k5-thread.h"
#include <stdio.h> /* for sprintf */
+#include <errno.h>
#ifdef S_SPLINT_S
/*@-incondefs@*/
}
#ifdef NEED_FAKE_GETNAMEINFO
-#include <errno.h>
static inline int
fake_getnameinfo (const struct sockaddr *sa, socklen_t len,
char *host, socklen_t hostlen,
}
#endif
-#include <errno.h>
#if defined(HAVE_FAKE_GETADDRINFO) || defined(NEED_FAKE_GETNAMEINFO)
static inline
/* To keep happy libraries which are (for now) accessing internal stuff */
/* Make sure to increment by one when changing the struct */
-#define KRB5INT_ACCESS_STRUCT_VERSION 8
+#define KRB5INT_ACCESS_STRUCT_VERSION 9
#ifndef ANAME_SZ
struct ktext; /* from krb.h, for krb524 support */
const char *protocol,
struct srv_dns_entry **answers);
void (*free_srv_dns_data)(struct srv_dns_entry *);
+ int (*use_dns_kdc)(krb5_context);
/* krb4 compatibility stuff -- may be null if not enabled */
krb5_int32 (*krb_life_to_time)(krb5_int32, int);
fi
if test $library = 'krb5'; then
- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $LIBS $GEN_LIB"
+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lkrb5support -lcom_err $LIBS $GEN_LIB"
fi
echo $lib_flags
-krb5support32.def
+k5sprt32.def
+2004-12-15 Jeffrey Altman <jaltman@mit.edu>
+
+ *.cvsignore, Makefile.in: rename krb5support32.def to k5sprt32.def
+
2004-09-24 Tom Yu <tlyu@mit.edu>
* Makefile.in (RCFLAGS): Add -I$(SRCTOP) to get patchlevel.h.
##MIT##MITLIBS=$(VS_LIB)
##MIT##MITFLAGS=-I$(VS_INC) /DVERSERV=1
-SLIBS = $(BUILDTOP)\util\support\$(OUTPRE)krb5support_32.lib
+SLIBS = $(BUILDTOP)\util\support\$(OUTPRE)k5sprt32.lib
CLIBS = $(BUILDTOP)\util\et\$(OUTPRE)comerr.lib
PLIBS = $(BUILDTOP)\util\profile\$(OUTPRE)profile.lib
KLIBS = krb5\$(OUTPRE)krb5.lib crypto\$(OUTPRE)crypto.lib \
GLIBS = gssapi\$(OUTPRE)gssapi.lib
K4LIBS = krb4\$(OUTPRE)krb4.lib
-SDEF = krb5support32.def
+SDEF = k5sprt32.def
CDEF = comerr32.def
PDEF = xpprof32.def
KDEF = krb5_32.def
+2004-11-17 Ken Raeburn <raeburn@mit.edu>
+
+ * prng.c (do_yarrow_init): Move mutex initialization here.
+ (krb5int_prng_init): Don't do it here.
+
+2004-11-15 Sam Hartman <hartmans@mit.edu>
+
+ * t_prng.expected t_prng.reseedtest-expected : Update expected
+ PRNG test output and confirm that reseeds and gates happen correctly.
+
+2004-10-29 Ken Raeburn <raeburn@mit.edu>
+
+ * prng.c (yarrow_lock): Rename to krb5int_yarrow_lock via macro,
+ and change to be non-static.
+ (krb5int_prng_init): Call do_yarrow_init here.
+ (krb5_c_random_add_entropy): Don't call it here. Don't lock the
+ mutex, either.
+ (krb5_c_random_make_octets): Don't lock the mutex.
+
2004-06-16 Ken Raeburn <raeburn@mit.edu>
* Makefile.in (MAC_SUBDIRS): Don't set.
#include "yarrow.h"
static Yarrow_CTX y_ctx;
static int inited, init_error;
-static k5_mutex_t yarrow_lock = K5_MUTEX_PARTIAL_INITIALIZER;
+#define yarrow_lock krb5int_yarrow_lock
+k5_mutex_t yarrow_lock = K5_MUTEX_PARTIAL_INITIALIZER;
/* Helper function to estimate entropy based on sample length
* and where it comes from.
return (0);
}
+static void do_yarrow_init(void);
int krb5int_prng_init(void)
{
- return k5_mutex_finish_init(&yarrow_lock);
+ do_yarrow_init();
+ if (init_error)
+ return KRB5_CRYPTO_INTERNAL;
+ return 0;
}
static void do_yarrow_init(void)
unsigned i;
int yerr;
+ yerr = k5_mutex_finish_init(&yarrow_lock);
+ if (yerr) {
+ init_error = yerr;
+ return;
+ }
+
yerr = krb5int_yarrow_init (&y_ctx, NULL);
if ((yerr != YARROW_OK) && (yerr != YARROW_NOT_SEEDED)) {
init_error = yerr;
if (yerr)
return yerr;
/* Now, finally, feed in the data. */
- yerr = k5_mutex_lock(&yarrow_lock);
- if (yerr)
- return yerr;
- if (!inited)
- do_yarrow_init();
- if (init_error) {
- k5_mutex_unlock(&yarrow_lock);
- return KRB5_CRYPTO_INTERNAL;
- }
yerr = krb5int_yarrow_input (&y_ctx, randsource,
data->data, data->length,
entropy_estimate (randsource, data->length));
- k5_mutex_unlock(&yarrow_lock);
if (yerr != YARROW_OK)
- return (KRB5_CRYPTO_INTERNAL);
+ return (KRB5_CRYPTO_INTERNAL);
return (0);
}
{
int yerr;
assert (inited);
- yerr = k5_mutex_lock(&yarrow_lock);
- if (yerr)
- return yerr;
yerr = krb5int_yarrow_output (&y_ctx, data->data, data->length);
if (yerr == YARROW_NOT_SEEDED) {
yerr = krb5int_yarrow_reseed (&y_ctx, YARROW_SLOW_POOL);
if (yerr == YARROW_OK)
yerr = krb5int_yarrow_output (&y_ctx, data->data, data->length);
}
- k5_mutex_unlock(&yarrow_lock);
if ( yerr != YARROW_OK)
return (KRB5_CRYPTO_INTERNAL);
return(0);
-18086b1e91f730facb2d6e1b
-c562653b24814eb3651b1e68301a3c14b96302bb
-6d017f7aef74662ed8dd51eef14281eaad223298db370bfaca
-30c04231cb3de404e4b8a5359a74066fd963291d7986be835834ab07870c097682a953bfff38784780eef844de47fb36c34f8e034c96cfa64d9cb5decee472138236e9fb79e9fe1fba6b7757b970f22477d167832206900473f09f3e8c822db6d9a8273340ed6743d99638d6cf192d821b6f33d23278b1a929f303a80865c426d01add11b2f2416babd13e70b44d8eeb731c09c7163af9d1a23cbe20ddb08b0f67ecaa2eed511263a67e9c12e59ef113f0b9e4e4e140b43896078a7571c61826ba099b3dd8c4b096a9785b4434e97ea99e662ba6fdb60a41547ccae4c67d3e1f3ef515198e91f009c75c9e80fda90d13ee29d8aad5d87cc2437ce60e6ce55700837fb0815bfd2495f8aa1a33fe67c1ae28a885506a78ca6257f5a5f2a8042e28680acc83b1aecb3a9cb51911126f2f0deaf14fcfa5f165e9a5c3f8f2d1c3f4683b2d75927a7bc802d63b680a5e22768cc0439854ccd49e58a002794f541bddd6ef6fbd4f9869843a72d0ae9d438c90353a46c0c9863a16b1de206c717ab7ce6ea6f648a38efa12b70bbe3388b35adec7a789ea98de217520d7d6ce699841e17e5946bf5a8b3c7a2c3e2d6767422baf3159ff08d913ec78011ab7d34bc24af26c24a8d46f7261c7705a7b270e27590c29583c659a0df8dada4e7a0532f115040165d18f74a55a4f39bb1dcfd865e94a488ca910cc447e121b2a19450239e75d24
+d2f8fbd707a8ece5cb11a02f
+eb4cb6e06236ea1c0529f7acbfca8d78cb85bb1d
+a244005ae870604342b0386025874ec4306c1dd483c118621b
+63e6408afdf9fd225839a7afcc6da6ae494fb4f82bd21ea06bb17ca0848bdae8cea671f545aac52699951caba960c536024b4102f47d61d61fd7b17582a4cf50ba7d215062558f71483249e079689893f3bf25def7f45f9e852281269904d401d6719e3115f6410088c6c5171e878494362684d2116633bb9ea8d9ed5faec73cb076c44d5d639bc2c8ae3de54f0e1e092d5ea439e607e9cd73053bbdf40723f5b48f298fdeeef845e22e06f2f6362fc67fba366e638a7988999d456dcc3d53b23388d685620a7c446d28cd94b13049761b64779db5412e78ac4bab2aacf103fd1b9ceb7213d43710d6a46fd4223fa20e0a68d3e16a82cbadea650ba815dc9ee99b4eb8e2acdac866a05d90ab9de3246db0560fb4b36633bb642c3ea9bf358937dda743f9cef1148791c2cac58995b8eb8fdb1c0cce1686e04ebef5ae7aae36691faafbe8920d3c013f125b687eb019faefa70fc750c52e2e2e33f426824bf1da31268a9bb8d9501f2290375755f8bf77b46639346b4011b78ce9d81105c7791ec5991a2f1eab037488b604df1a21c5c4e36a7c76dca5884d36e30fe8d30d0e7d93fab72062219390655eace2b434b0e2cd21ec9c5a8aa13e783afadcdf386fc43b960c518acb38d7e3da2f67695c1c1c25c4f251b40f4c2e42e89f6f642c32e66159f6ce24aa910fb5d95e3a899a4de5efcf570996e1a662d14362b65d00524df79cd56be93bd572526e4dfd1cf9f7586bc021105cf5456b28c1f45a6d354d000a113e15f64aa0b5253830c07afc8fa47b58dbba8bbae1645b2093035f2387036229dec6f7141b444b8bb7d0382a742bd5c746ba2d7af3af1cadb2dd90bda87d5daed2d2eebd243c7b2d06955d0cc7fe1061d4cfa3b061aaeb97084d9f9a7ec9dbe9e642f4f090d57b5ea1bd8b393f00896d3dc7089e1fc4c2fed7336c2a8c6d119a682c6cc4ae1ccedd30292f2c5570bf4d6287ce8e20b8b34e7fc38e87273f588cd33b8c913defaee5f6bf8fdeda72531c845a6f97a84d5e9b9a6497d4c48614dee7693df35faedc008fded852be8d4bffd475476336e54ed48a827b99d3f0e39019a40d43aef5ae522ec6e280f6a8e7d2713f3c3188bed2476a84af5a5afefa0fa178ed07de0e073693e8790f8bbd0cf9183e48f140b556e723565c382cf7a4c186748189a14e603e4ac70e2b80c266334231207721d16d834a973b48cfec584620624686603cfd66d55dbf8dd8eccd99d85f041c624ec3a7bec314af95d2313afd43cc5cc19249cf85b7ab0b5a4530b597341e7477b249fef1a07eb0d8fa790e9bce752e8b2f7086e98ab44751e0a1b37f29682ce67c0de7a2fd036f26ed719fc343bbf49432aec651d884c99c24d5943c747f7ec3b48d4c2236a8cb6151794daeda073774cc88ff121fdd423b81ef2f34c8f281ca2e5366faee87ff7a623484f2937cc0680ed76ead32b43cb6c67a21f8089b435f38a404d267397c6435cfac16591a3573d9e92f8c4a8028719c22662b903ddb16e08ea7bb2d6b8938c06bdddb4d174c7f2c5d812ed3a34ba8859a1ae841b3b9d5522372018c9aa55b048df826f05a087f185808cb66899f320783a1c4aa2dcd5f2665405ba7e5726e122b67559a39da30956e49fe7711d1b2506e159c5ea42ce0a1ad497220ee3b3e5ebcb73db975bd08e8be56e5f4533b8295b10d4b0fef466de6540f8fe10530c9716d83a12f5ffbba5b4dbc50ed89388d04e7a15d3d9d251041ed5303efa2525bc62a5aeb821f7838676811784584534be8a7fc667f09c3fe1bbf7d0aad29324f562086ecb8326829413867
-7a2f63cdd9b0bfae94b75ee554be49ff8e7bc82e
+fd543f42aded9bd725c9b05682cd0f504c1b33d1
de 7c f0 c5 6a 37 0b 34 f4 0c 3a 19 31 eb 66 f1
ae 5f c6 a3 64 3f 2e a9 76 e1 87 93 df b6 94 86
bd 96 57 3f 31 e6 88 8c
-512
+1290
+2004-11-22 Ken Raeburn <raeburn@mit.edu>
+
+ * yarrow.c (yarrow_input_maybe_locking): Renamed from
+ yarrow_input_maybe_locking, made static. New argument indicates
+ whether or not to do locking.
+ (krb5int_yarrow_input): New wrapper function.
+ (yarrow_input_locked): New wrapper function.
+ (Yarrow_detect_fork): Call yarrow_input_locked.
+
+2004-11-15 Sam Hartman <hartmans@mit.edu>
+
+ * ycipher.h: Use AES256 not 3des
+
+2004-11-01 Ken Raeburn <raeburn@mit.edu>
+
+ * yarrow.c (krb5int_yarrow_input, krb5int_yarrow_final): Don't
+ check for forking here.
+ (yarrow_output_locked): Split out from krb5int_yarrow_output,
+ without locking.
+ (krb5int_yarrow_output): Do locking and call yarrow_output_locked.
+ (yarrow_gate_locked): New function; uses yarrow_output_locked.
+ (krb5int_yarrow_output_Block): Use yarrow_gate_locked.
+
+2004-10-29 Ken Raeburn <raeburn@mit.edu>
+
+ * ylock.h: Include k5-thread.h.
+ (krb5int_yarrow_lock): Declare.
+ (LOCK, UNLOCK): Define as macros using the k5_mutex_ macros.
+
2004-06-04 Ken Raeburn <raeburn@mit.edu>
* yarrow.c (yarrow_str_error): Now const.
PRNG state */
#ifdef YARROW_DETECT_FORK
+static int
+yarrow_input_locked( Yarrow_CTX* y, unsigned source_id,
+ const void *sample,
+ size_t size, size_t entropy_bits );
+
static int Yarrow_detect_fork(Yarrow_CTX *y)
{
pid_t newpid;
* Then we reseed. This doesn't really increase entropy, but does make the
* streams distinct assuming we already have good entropy*/
y->pid = newpid;
- TRY (krb5int_yarrow_input (y, 0, &newpid,
- sizeof (newpid), 0));
- TRY (krb5int_yarrow_input (y, 0, &newpid,
- sizeof (newpid), 0));
- TRY (krb5int_yarrow_reseed (y, YARROW_FAST_POOL));
- }
+ TRY (yarrow_input_locked (y, 0, &newpid,
+ sizeof (newpid), 0));
+ TRY (yarrow_input_locked (y, 0, &newpid,
+ sizeof (newpid), 0));
+ TRY (krb5int_yarrow_reseed (y, YARROW_FAST_POOL));
+ }
CATCH:
EXCEP_RET;
EXCEP_RET;
}
-YARROW_DLL
-int krb5int_yarrow_input( Yarrow_CTX* y, unsigned source_id,
- const void* sample,
- size_t size, size_t entropy_bits )
+static
+int yarrow_input_maybe_locking( Yarrow_CTX* y, unsigned source_id,
+ const void* sample,
+ size_t size, size_t entropy_bits,
+ int do_lock )
{
EXCEP_DECL;
int ret;
size_t estimate;
if (!y) { THROW( YARROW_BAD_ARG ); }
- TRY( Yarrow_detect_fork( y ) );
if (source_id >= y->num_sources) { THROW( YARROW_BAD_SOURCE ); }
THROW( YARROW_BAD_SOURCE );
}
- TRY( LOCK() );
- locked = 1;
+ if (do_lock) {
+ TRY( LOCK() );
+ locked = 1;
+ }
/* hash in the sample */
EXCEP_RET;
}
+YARROW_DLL
+int krb5int_yarrow_input( Yarrow_CTX* y, unsigned source_id,
+ const void* sample,
+ size_t size, size_t entropy_bits )
+{
+ return yarrow_input_maybe_locking(y, source_id, sample, size,
+ entropy_bits, 1);
+}
+
+static int
+yarrow_input_locked( Yarrow_CTX* y, unsigned source_id,
+ const void *sample,
+ size_t size, size_t entropy_bits )
+{
+ return yarrow_input_maybe_locking(y, source_id, sample, size,
+ entropy_bits, 0);
+}
+
YARROW_DLL
int krb5int_yarrow_new_source(Yarrow_CTX* y, unsigned* source_id)
{
if (y->out_count >= y->Pg)
{
y->out_count = 0;
- TRY( krb5int_yarrow_gate( y ) );
+ TRY( yarrow_gate_locked( y ) );
/* require new seed after reaching gates_limit */
EXCEP_RET;
}
+static int yarrow_output_locked(Yarrow_CTX*, void*, size_t);
+
YARROW_DLL
int krb5int_yarrow_output( Yarrow_CTX* y, void* out, size_t size )
{
EXCEP_DECL;
- int locked = 0;
+ TRY( LOCK() );
+ TRY( yarrow_output_locked(y, out, size));
+CATCH:
+ UNLOCK();
+ EXCEP_RET;
+}
+
+static
+int yarrow_output_locked( Yarrow_CTX* y, void* out, size_t size )
+{
+ EXCEP_DECL;
size_t left;
char* outp;
size_t use;
left = size;
outp = out;
- TRY( LOCK() );
-
if (y->out_left > 0)
{
use = min(left, y->out_left);
}
CATCH:
- if ( locked ) { TRY( UNLOCK() ); }
+ EXCEP_RET;
+}
+
+static int yarrow_gate_locked(Yarrow_CTX* y)
+{
+ EXCEP_DECL;
+ byte new_K[CIPHER_KEY_SIZE];
+
+ if (!y) { THROW( YARROW_BAD_ARG ); }
+ TRACE( printf( "GATE[" ); );
+
+ /* K <- Next k bits of PRNG output */
+
+ TRY( yarrow_output_locked(y, new_K, CIPHER_KEY_SIZE) );
+ mem_copy(y->K, new_K, CIPHER_KEY_SIZE);
+
+ /* need to resetup the key schedule as the key has changed */
+
+ TRY (krb5int_yarrow_cipher_init(&y->cipher, y->K));
+
+ CATCH:
+ TRACE( printf( "]," ); );
+ mem_zero(new_K, sizeof(new_K));
EXCEP_RET;
}
int locked = 0;
if (!y) { THROW( YARROW_BAD_ARG ); }
- TRY( Yarrow_detect_fork(y) );
TRY( LOCK() );
locked = 1;
* call the enc_provider function to get the info.
*/
-#define yarrow_enc_provider krb5int_enc_des3
+#define yarrow_enc_provider krb5int_enc_aes256
-#define CIPHER_BLOCK_SIZE 8
-#define CIPHER_KEY_SIZE 21
+#define CIPHER_BLOCK_SIZE 16
+#define CIPHER_KEY_SIZE 32
#if defined( YARROW_NO_MATHLIB )
/* see macros at end for functions evaluated */
-#define POW_CIPHER_KEY_SIZE 72057594037927936.0
-#define POW_CIPHER_BLOCK_SIZE 18446744073709551616.0
+#define POW_CIPHER_KEY_SIZE 115792089237316195423570985008687907853269984665640564039457584007913129639936.0
+#define POW_CIPHER_BLOCK_SIZE 340282366920938463463374607431768211456.0
#endif
* and YARROW_LOCKING on failure
*/
-
+#if 0
static int LOCK( void ) { return (YARROW_OK); }
static int UNLOCK( void ) { return (YARROW_OK); }
+#else
+#include "k5-thread.h"
+extern k5_mutex_t krb5int_yarrow_lock;
+#define LOCK() (k5_mutex_lock(&krb5int_yarrow_lock) ? YARROW_LOCKING : YARROW_OK)
+#define UNLOCK() (k5_mutex_unlock(&krb5int_yarrow_lock) ? YARROW_LOCKING : YARROW_OK)
+#endif
#endif /* YLOCK_H */
+2004-12-20 Tom Yu <tlyu@mit.edu>
+
+ * svr_principal.c (add_to_history): Rewrite somewhat, using
+ temporary variables to make things somewhat more readable. Fix
+ buffer overflow case where the next pointer points into
+ unallocated space but resizing wasn't done, i.e., when someone
+ decreases the policy history count to the exact "right" number.
+ Fix some memory leaks. To avoid losing entries, shift some
+ entries forward after growing the array.
+
2004-08-21 Tom Yu <tlyu@mit.edu>
* libkadm5srv.exports: Update for previous renaming.
* array where the next element should be written, and must be [0,
* adb->old_key_len).
*/
-#define KADM_MOD(x) (x + adb->old_key_next) % adb->old_key_len
static kadm5_ret_t add_to_history(krb5_context context,
osa_princ_ent_t adb,
kadm5_policy_ent_t pol,
osa_pw_hist_ent *pw)
{
osa_pw_hist_ent *histp;
- int i;
+ uint32_t nhist;
+ unsigned int i, knext, nkeys;
+ nhist = pol->pw_history_num;
/* A history of 1 means just check the current password */
- if (pol->pw_history_num == 1)
+ if (nhist <= 1)
return 0;
+ nkeys = adb->old_key_len;
+ knext = adb->old_key_next;
/* resize the adb->old_keys array if necessary */
- if (adb->old_key_len < pol->pw_history_num-1) {
+ if (nkeys + 1 < nhist) {
if (adb->old_keys == NULL) {
adb->old_keys = (osa_pw_hist_ent *)
- malloc((adb->old_key_len + 1) * sizeof (osa_pw_hist_ent));
+ malloc((nkeys + 1) * sizeof (osa_pw_hist_ent));
} else {
adb->old_keys = (osa_pw_hist_ent *)
realloc(adb->old_keys,
- (adb->old_key_len + 1) * sizeof (osa_pw_hist_ent));
+ (nkeys + 1) * sizeof (osa_pw_hist_ent));
}
if (adb->old_keys == NULL)
return(ENOMEM);
- memset(&adb->old_keys[adb->old_key_len],0,sizeof(osa_pw_hist_ent));
- adb->old_key_len++;
- } else if (adb->old_key_len > pol->pw_history_num-1) {
+ memset(&adb->old_keys[nkeys], 0, sizeof(osa_pw_hist_ent));
+ nkeys = ++adb->old_key_len;
+ /*
+ * To avoid losing old keys, shift forward each entry after
+ * knext.
+ */
+ for (i = nkeys - 1; i > knext; i--) {
+ adb->old_keys[i] = adb->old_keys[i - 1];
+ }
+ memset(&adb->old_keys[knext], 0, sizeof(osa_pw_hist_ent));
+ } else if (nkeys + 1 > nhist) {
/*
* The policy must have changed! Shrink the array.
* Can't simply realloc() down, since it might be wrapped.
* where N = pw_history_num - 1 is the length of the
* shortened list. Matt Crawford, FNAL
*/
+ /*
+ * M = adb->old_key_len, N = pol->pw_history_num - 1
+ *
+ * tmp[0] .. tmp[N-1] = old[(knext-N)%M] .. old[(knext-1)%M]
+ */
int j;
- histp = (osa_pw_hist_ent *)
- malloc((pol->pw_history_num - 1) * sizeof (osa_pw_hist_ent));
- if (histp) {
- for (i = 0; i < pol->pw_history_num - 1; i++) {
- /* We need the number we use the modulus operator on to be
- positive, so after subtracting pol->pw_history_num-1, we
- add back adb->old_key_len. */
- j = KADM_MOD(i - (pol->pw_history_num - 1) + adb->old_key_len);
- histp[i] = adb->old_keys[j];
+ osa_pw_hist_t tmp;
+
+ tmp = (osa_pw_hist_ent *)
+ malloc((nhist - 1) * sizeof (osa_pw_hist_ent));
+ if (tmp == NULL)
+ return ENOMEM;
+ for (i = 0; i < nhist - 1; i++) {
+ /*
+ * Add nkeys once before taking remainder to avoid
+ * negative values.
+ */
+ j = (i + nkeys + knext - (nhist - 1)) % nkeys;
+ tmp[i] = adb->old_keys[j];
+ }
+ /* Now free the ones we don't keep (the oldest ones) */
+ for (i = 0; i < nkeys - (nhist - 1); i++) {
+ j = (i + nkeys + knext) % nkeys;
+ histp = &adb->old_keys[j];
+ for (j = 0; j < histp->n_key_data; j++) {
+ krb5_free_key_data_contents(context, &histp->key_data[j]);
}
- /* Now free the ones we don't keep (the oldest ones) */
- for (i = 0; i < adb->old_key_len - (pol->pw_history_num - 1); i++)
- for (j = 0; j < adb->old_keys[KADM_MOD(i)].n_key_data; j++)
- krb5_free_key_data_contents(context,
- &adb->old_keys[KADM_MOD(i)].key_data[j]);
- free((void *)adb->old_keys);
- adb->old_keys = histp;
- adb->old_key_len = pol->pw_history_num - 1;
- adb->old_key_next = 0;
- } else {
- return(ENOMEM);
+ free(histp->key_data);
}
+ free((void *)adb->old_keys);
+ adb->old_keys = tmp;
+ nkeys = adb->old_key_len = nhist - 1;
+ knext = adb->old_key_next = 0;
}
+ /*
+ * If nhist decreased since the last password change, and nkeys+1
+ * is less than the previous nhist, it is possible for knext to
+ * index into unallocated space. This condition would not be
+ * caught by the resizing code above.
+ */
+ if (knext + 1 > nkeys)
+ knext = adb->old_key_next = 0;
/* free the old pw history entry if it contains data */
- histp = &adb->old_keys[adb->old_key_next];
+ histp = &adb->old_keys[knext];
for (i = 0; i < histp->n_key_data; i++)
krb5_free_key_data_contents(context, &histp->key_data[i]);
-
+ free(histp->key_data);
+
/* store the new entry */
- adb->old_keys[adb->old_key_next] = *pw;
+ adb->old_keys[knext] = *pw;
/* update the next pointer */
- if (++adb->old_key_next == pol->pw_history_num-1)
- adb->old_key_next = 0;
+ if (++adb->old_key_next == nhist - 1)
+ adb->old_key_next = 0;
return(0);
}
-#undef KADM_MOD
#ifdef USE_PASSWORD_SERVER
+2004-12-08 Ken Raeburn <raeburn@mit.edu>
+
+ * RealmsConfig-glue.c (krb_get_krbhst): Check if DNS should be
+ used for getting KDC names before actually using it.
+
2004-07-16 Ken Raeburn <raeburn@mit.edu>
* macsock.c: Deleted.
if (err)
break;
- realmdat.data = realm;
- realmdat.length = strlen(realm);
- err = k5.make_srv_query_realm(&realmdat, "_kerberos-iv", "_udp", &srv);
- if (err)
- break;
+ if (k5.use_dns_kdc(krb5__krb4_context)) {
+ realmdat.data = realm;
+ realmdat.length = strlen(realm);
+ err = k5.make_srv_query_realm(&realmdat, "_kerberos-iv", "_udp",
+ &srv);
+ if (err)
+ break;
- if (srv == 0)
- break;
+ if (srv == 0)
+ break;
- if (dnscache.srv)
- k5.free_srv_dns_data(dnscache.srv);
- dnscache.srv = srv;
- strncpy(dnscache.realm, realm, REALM_SZ);
- dnscache.when = now;
- goto get_from_dnscache;
+ if (dnscache.srv)
+ k5.free_srv_dns_data(dnscache.srv);
+ dnscache.srv = srv;
+ strncpy(dnscache.realm, realm, REALM_SZ);
+ dnscache.when = now;
+ goto get_from_dnscache;
+ }
} while (0);
#endif
return KFAILURE;
+2004-12-16 Jeffrey Altman <jaltman@mit.edu>
+ * cc_mslsa.c:
+ Temporarily deactivate support for KerbSubmitTicketMessage
+ and KerbQueryTicketCacheEx2Message until the new Platform SDK
+ becomes publicly available.
+
+2004-12-15 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_mslsa.c:
+ - Activate support for KerbSubmitTicketMessage
+ - Activate support for KerbQueryTicketCacheEx2Message
+ - Add locale support for regions which use MultiByte characters
+
+2004-11-19 Ken Raeburn <raeburn@mit.edu>
+
+ * cc_mslsa.c (MSCredToMITCred): Don't create an empty array for
+ addresses, just use a null pointer now.
+
2004-10-07 Jeffrey Altman <jaltman@mit.edu>
* cc_mslsa.c: Fix the forced setting of the Initial Ticket Flag
on Win2000 and add it to XP and 2003 SP1
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
* OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*
- * Implementation of microsoft windows lsa credentials cache
+ * Implementation of microsoft windows lsa read-only credentials cache
*/
#ifdef _WIN32
#define MAX_MSPRINC_SIZE 1024
/* THREAD SAFETY
- * The functions is_windows_2000(), is_windows_xp(),
- * does_retrieve_ticket_cache_ticket() and does_query_ticket_cache_ex2()
- * contain static variables to cache the responses of the tests being
- * performed. There is no harm in the test being performed more than
- * once since the result will always be the same.
+ * The functions is_windows_2000(), is_windows_xp(), and
+ * does_retrieve_ticket_cache_ticket() contain static variables to cache
+ * the responses of the tests being performed. There is no harm in the
+ * test being performed more than once since the result will always be the
+ * same.
*/
static BOOL
GetCPInfo(CP_ACP, &CodePageInfo);
- if (CodePageInfo.MaxCharSize > 1)
+ if (CodePageInfo.MaxCharSize > 1) {
// Only supporting non-Unicode strings
- return FALSE;
+ int reqLen = WideCharToMultiByte(CP_ACP, 0, (LPCWSTR) lpInputString, -1,
+ NULL, 0, NULL, NULL);
+ if ( reqLen > nOutStringLen)
+ {
+ return FALSE;
+ } else {
+ WideCharToMultiByte(CP_ACP, 0, (LPCWSTR) lpInputString, -1,
+ lpszOutputString, nOutStringLen, NULL, NULL);
+ }
+ }
else if (((LPBYTE) lpInputString)[1] == '\0')
{
// Looks like unicode, better translate it
}
else
lstrcpyA(lpszOutputString, (LPSTR) lpInputString);
+
return TRUE;
} // UnicodeToANSI
static VOID
WINAPI
-ANSIToUnicode(LPSTR lpInputString, LPTSTR lpszOutputString, int nOutStringLen)
+ANSIToUnicode(LPSTR lpInputString, LPTSTR lpszOutputString, int nOutStringLen)
{
CPINFO CodePageInfo;
GetCPInfo(CP_ACP, &CodePageInfo);
- if (CodePageInfo.MaxCharSize > 1)
- // It must already be a Unicode string
- return;
- else if (((LPBYTE) lpInputString)[1] != '\0')
+ if (CodePageInfo.MaxCharSize > 1 || ((LPBYTE) lpInputString)[1] != '\0')
{
- // Looks like ANSI, better translate it
+ // Looks like ANSI or MultiByte, better translate it
MultiByteToWideChar(CP_ACP, 0, (LPCSTR) lpInputString, -1,
(LPWSTR) lpszOutputString, nOutStringLen);
}
}
}
-static void
+static BOOL
UnicodeStringToMITPrinc(UNICODE_STRING *service, WCHAR *realm, krb5_context context,
- krb5_principal *principal)
+ krb5_principal *principal)
{
WCHAR princbuf[512];
char aname[512];
princbuf[service->Length/sizeof(WCHAR)]=0;
wcscat(princbuf, L"@");
wcscat(princbuf, realm);
- UnicodeToANSI(princbuf, aname, sizeof(aname));
- krb5_parse_name(context, aname, principal);
+ if (UnicodeToANSI(princbuf, aname, sizeof(aname))) {
+ krb5_parse_name(context, aname, principal);
+ return TRUE;
+ }
+ return FALSE;
}
-static void
+static BOOL
KerbExternalNameToMITPrinc(KERB_EXTERNAL_NAME *msprinc, WCHAR *realm, krb5_context context,
- krb5_principal *principal)
+ krb5_principal *principal)
{
WCHAR princbuf[512],tmpbuf[128];
char aname[512];
}
wcscat(princbuf, L"@");
wcscat(princbuf, realm);
- UnicodeToANSI(princbuf, aname, sizeof(aname));
- krb5_parse_name(context, aname, principal);
+ if (UnicodeToANSI(princbuf, aname, sizeof(aname))) {
+ krb5_parse_name(context, aname, principal);
+ return TRUE;
+ }
+ return FALSE;
}
static time_t
// now that this is being done within the library it won't break krb5_free_data()
krb5_copy_data(context, &tmpdata, &newdata);
memcpy(ticket, newdata, sizeof(krb5_data));
+ krb5_xfree(newdata);
}
/*
}
-static void
+static BOOL
MSCredToMITCred(KERB_EXTERNAL_TICKET *msticket, UNICODE_STRING ClientRealm,
krb5_context context, krb5_creds *creds)
{
// construct Client Principal
wcsncpy(wrealm, ClientRealm.Buffer, ClientRealm.Length/sizeof(WCHAR));
wrealm[ClientRealm.Length/sizeof(WCHAR)]=0;
- KerbExternalNameToMITPrinc(msticket->ClientName, wrealm, context, &creds->client);
+ if (!KerbExternalNameToMITPrinc(msticket->ClientName, wrealm, context, &creds->client))
+ return FALSE;
// construct Service Principal
wcsncpy(wrealm, msticket->DomainName.Buffer,
msticket->DomainName.Length/sizeof(WCHAR));
wrealm[msticket->DomainName.Length/sizeof(WCHAR)]=0;
- KerbExternalNameToMITPrinc(msticket->ServiceName, wrealm, context, &creds->server);
+ if (!KerbExternalNameToMITPrinc(msticket->ServiceName, wrealm, context, &creds->server))
+ return FALSE;
MSSessionKeyToMITKeyblock(&msticket->SessionKey, context,
&creds->keyblock);
MSFlagsToMITFlags(msticket->TicketFlags, &creds->ticket_flags);
creds->times.starttime=FileTimeToUnixTime(&msticket->StartTime);
creds->times.endtime=FileTimeToUnixTime(&msticket->EndTime);
creds->times.renew_till=FileTimeToUnixTime(&msticket->RenewUntil);
-
- /* MS Tickets are addressless. MIT requires an empty address
- * not a NULL list of addresses.
- */
- creds->addresses = (krb5_address **)malloc(sizeof(krb5_address *));
- memset(creds->addresses, 0, sizeof(krb5_address *));
+ creds->addresses = NULL;
MSTicketToMITTicket(msticket, context, &creds->ticket);
+ return TRUE;
}
-#ifdef HAVE_CACHE_INFO_EX2
-/* CacheInfoEx2ToMITCred is used when we do not need the real ticket */
-static void
-CacheInfoEx2ToMITCred(KERB_TICKET_CACHE_INFO_EX2 *info,
- krb5_context context, krb5_creds *creds)
-{
- WCHAR wrealm[128];
- ZeroMemory(creds, sizeof(krb5_creds));
- creds->magic=KV5M_CREDS;
-
- // construct Client Principal
- wcsncpy(wrealm, info->ClientRealm.Buffer, info->ClientRealm.Length/sizeof(WCHAR));
- wrealm[info->ClientRealm.Length/sizeof(WCHAR)]=0;
- UnicodeStringToMITPrinc(&info->ClientName, wrealm, context, &creds->client);
-
- // construct Service Principal
- wcsncpy(wrealm, info->ServerRealm.Buffer,
- info->ServerRealm.Length/sizeof(WCHAR));
- wrealm[info->ServerRealm.Length/sizeof(WCHAR)]=0;
- UnicodeStringToMITPrinc(&info->ServerName, wrealm, context, &creds->server);
-
- creds->keyblock.magic = KV5M_KEYBLOCK;
- creds->keyblock.enctype = info->SessionKeyType;
- creds->ticket_flags = info->TicketFlags;
- MSFlagsToMITFlags(info->TicketFlags, &creds->ticket_flags);
- creds->times.starttime=FileTimeToUnixTime(&info->StartTime);
- creds->times.endtime=FileTimeToUnixTime(&info->EndTime);
- creds->times.renew_till=FileTimeToUnixTime(&info->RenewTime);
-
- /* MS Tickets are addressless. MIT requires an empty address
- * not a NULL list of addresses.
- */
- creds->addresses = (krb5_address **)malloc(sizeof(krb5_address *));
- memset(creds->addresses, 0, sizeof(krb5_address *));
-}
-#endif /* HAVE_CACHE_INFO_EX2 */
-
static BOOL
PackageConnectLookup(HANDLE *pLogonHandle, ULONG *pPackageId)
{
return fCachesTicket;
}
-#ifdef HAVE_CACHE_INFO_EX2
-static BOOL
-does_query_ticket_cache_ex2 (void)
-{
- static BOOL fChecked = FALSE;
- static BOOL fEx2Response = FALSE;
-
- if (!fChecked)
- {
- NTSTATUS Status = 0;
- NTSTATUS SubStatus = 0;
- HANDLE LogonHandle;
- ULONG PackageId;
- ULONG RequestSize;
- PKERB_QUERY_TKT_CACHE_REQUEST pCacheRequest = NULL;
- PKERB_QUERY_TKT_CACHE_EX2_RESPONSE pCacheResponse = NULL;
- ULONG ResponseSize;
-
- RequestSize = sizeof(*pCacheRequest) + 1;
-
- if (!PackageConnectLookup(&LogonHandle, &PackageId))
- return FALSE;
-
- pCacheRequest = (PKERB_QUERY_TKT_CACHE_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize);
- if (!pCacheRequest) {
- CloseHandle(LogonHandle);
- return FALSE;
- }
-
- pCacheRequest->MessageType = KerbQueryTicketCacheEx2Message;
- pCacheRequest->LogonId.LowPart = 0;
- pCacheRequest->LogonId.HighPart = 0;
-
- Status = LsaCallAuthenticationPackage( LogonHandle,
- PackageId,
- pCacheRequest,
- RequestSize,
- &pCacheResponse,
- &ResponseSize,
- &SubStatus
- );
-
- LocalFree(pCacheRequest);
- CloseHandle(LogonHandle);
-
- if (!(FAILED(Status) || FAILED(SubStatus))) {
- LsaFreeReturnBuffer(pCacheResponse);
- fEx2Response = TRUE;
- }
- fChecked = TRUE;
- }
-
- return fEx2Response;
-}
-#endif /* HAVE_CACHE_INFO_EX2 */
-
static DWORD
ConcatenateUnicodeStrings(UNICODE_STRING *pTarget, UNICODE_STRING Source1, UNICODE_STRING Source2)
{
return TRUE;
}
-#ifdef KERB_SUBMIT_TICKET
-static BOOL
-KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId,
- krb5_context context, krb5_creds *cred)
-{
- NTSTATUS Status = 0;
- NTSTATUS SubStatus = 0;
- KERB_SUBMIT_TKT_REQUEST * pSubmitRequest;
- DWORD dwRequestLen;
- krb5_auth_context auth_context;
- krb5_keyblock * keyblock = 0;
- krb5_replay_data replaydata;
- krb5_data * krb_cred = 0;
- krb5_error_code rc;
-
- if (krb5_auth_con_init(context, &auth_context)) {
- return FALSE;
- }
-
- if (krb5_auth_con_setflags(context, auth_context,
- KRB5_AUTH_CONTEXT_RET_TIME)) {
- return FALSE;
- }
-
- krb5_auth_con_getsendsubkey(context, auth_context, &keyblock);
- if (keyblock == NULL)
- krb5_auth_con_getkey(context, auth_context, &keyblock);
-#ifdef TESTING
- /* do not use this code unless testing the LSA */
- if (keyblock == NULL) {
- keyblock = (krb5_keyblock *)malloc(sizeof(krb5_keyblock));
- keyblock->enctype = ENCTYPE_ARCFOUR_HMAC;
- keyblock->length = 16;
- keyblock->contents = (krb5_octet *)malloc(16);
- keyblock->contents[0] = 0xde;
- keyblock->contents[1] = 0xad;
- keyblock->contents[2] = 0xbe;
- keyblock->contents[3] = 0xef;
- keyblock->contents[4] = 0xfe;
- keyblock->contents[5] = 0xed;
- keyblock->contents[6] = 0xf0;
- keyblock->contents[7] = 0xd;
- keyblock->contents[8] = 0xde;
- keyblock->contents[9] = 0xad;
- keyblock->contents[10] = 0xbe;
- keyblock->contents[11] = 0xef;
- keyblock->contents[12] = 0xfe;
- keyblock->contents[13] = 0xed;
- keyblock->contents[14] = 0xf0;
- keyblock->contents[15] = 0xd;
- krb5_auth_con_setsendsubkey(context, auth_context, keyblock);
- }
-#endif
- rc = krb5_mk_1cred(context, auth_context, cred, &krb_cred, &replaydata);
- if (rc) {
- krb5_auth_con_free(context, auth_context);
- if (keyblock)
- krb5_free_keyblock(context, keyblock);
- if (krb_cred)
- krb5_free_data(context, krb_cred);
- return FALSE;
- }
-
- dwRequestLen = sizeof(KERB_SUBMIT_TKT_REQUEST) + krb_cred->length + (keyblock ? keyblock->length : 0);
-
- pSubmitRequest = (PKERB_SUBMIT_TKT_REQUEST)malloc(dwRequestLen);
- memset(pSubmitRequest, 0, dwRequestLen);
-
- pSubmitRequest->MessageType = KerbSubmitTicketMessage;
- pSubmitRequest->LogonId.LowPart = 0;
- pSubmitRequest->LogonId.HighPart = 0;
- pSubmitRequest->Flags = 0;
-
- if (keyblock) {
- pSubmitRequest->Key.KeyType = keyblock->enctype;
- pSubmitRequest->Key.Length = keyblock->length;
- pSubmitRequest->Key.Offset = sizeof(KERB_SUBMIT_TKT_REQUEST)+krb_cred->length;
- } else {
- pSubmitRequest->Key.KeyType = ENCTYPE_NULL;
- pSubmitRequest->Key.Length = 0;
- pSubmitRequest->Key.Offset = 0;
- }
- pSubmitRequest->KerbCredSize = krb_cred->length;
- pSubmitRequest->KerbCredOffset = sizeof(KERB_SUBMIT_TKT_REQUEST);
- memcpy(((CHAR *)pSubmitRequest)+sizeof(KERB_SUBMIT_TKT_REQUEST),
- krb_cred->data, krb_cred->length);
- if (keyblock)
- memcpy(((CHAR *)pSubmitRequest)+sizeof(KERB_SUBMIT_TKT_REQUEST)+krb_cred->length,
- keyblock->contents, keyblock->length);
- krb5_free_data(context, krb_cred);
-
- Status = LsaCallAuthenticationPackage( LogonHandle,
- PackageId,
- pSubmitRequest,
- dwRequestLen,
- NULL,
- NULL,
- &SubStatus
- );
- free(pSubmitRequest);
- if (keyblock)
- krb5_free_keyblock(context, keyblock);
- krb5_auth_con_free(context, auth_context);
-
- if (FAILED(Status) || FAILED(SubStatus)) {
- return FALSE;
- }
- return TRUE;
-}
-#endif /* KERB_SUBMIT_TICKET */
-
/*
* A simple function to determine if there is an exact match between two tickets
* We rely on the fact that the external tickets contain the raw Kerberos ticket.
return FALSE;
}
-#ifdef HAVE_CACHE_INFO_EX2
-static BOOL
-GetQueryTktCacheResponseEX2( HANDLE LogonHandle, ULONG PackageId,
- PKERB_QUERY_TKT_CACHE_EX2_RESPONSE * ppResponse)
-{
- NTSTATUS Status = 0;
- NTSTATUS SubStatus = 0;
-
- KERB_QUERY_TKT_CACHE_REQUEST CacheRequest;
- PKERB_QUERY_TKT_CACHE_EX2_RESPONSE pQueryResponse = NULL;
- ULONG ResponseSize;
-
- CacheRequest.MessageType = KerbQueryTicketCacheEx2Message;
- CacheRequest.LogonId.LowPart = 0;
- CacheRequest.LogonId.HighPart = 0;
-
- Status = LsaCallAuthenticationPackage(
- LogonHandle,
- PackageId,
- &CacheRequest,
- sizeof(CacheRequest),
- &pQueryResponse,
- &ResponseSize,
- &SubStatus
- );
-
- if ( !(FAILED(Status) || FAILED(SubStatus)) ) {
- *ppResponse = pQueryResponse;
- return TRUE;
- }
-
- return FALSE;
-}
-#endif /* HAVE_CACHE_INFO_EX2 */
-
static BOOL
GetMSCacheTicketFromMITCred( HANDLE LogonHandle, ULONG PackageId,
krb5_context context, krb5_creds *creds,
*/
if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_initial )
(*ticket)->TicketFlags |= KERB_TICKET_FLAGS_initial;
- return(TRUE);
+ return(TRUE);
}
static BOOL
LocalFree(pTicketRequest);
- if (FAILED(Status) || FAILED(SubStatus))
- return(FALSE);
-
- /* otherwise return ticket */
- *ticket = &(pTicketResponse->Ticket);
-
- /* set the initial flag if we were attempting to retrieve one
- * because Windows won't necessarily return the initial ticket
- * to us.
- */
- if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_initial )
- (*ticket)->TicketFlags |= KERB_TICKET_FLAGS_initial;
-
- return(TRUE);
-
-}
-
-#ifdef HAVE_CACHE_INFO_EX2
-static BOOL
-GetMSCacheTicketFromCacheInfoEX2( HANDLE LogonHandle, ULONG PackageId,
- PKERB_TICKET_CACHE_INFO_EX2 tktinfo, PKERB_EXTERNAL_TICKET *ticket)
-{
- NTSTATUS Status = 0;
- NTSTATUS SubStatus = 0;
- ULONG RequestSize;
- PKERB_RETRIEVE_TKT_REQUEST pTicketRequest = NULL;
- PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL;
- ULONG ResponseSize;
-
- RequestSize = sizeof(*pTicketRequest) + tktinfo->ServerName.Length;
-
- pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize);
- if (!pTicketRequest)
- return FALSE;
-
- pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage;
- pTicketRequest->LogonId.LowPart = 0;
- pTicketRequest->LogonId.HighPart = 0;
- pTicketRequest->TargetName.Length = tktinfo->ServerName.Length;
- pTicketRequest->TargetName.MaximumLength = tktinfo->ServerName.Length;
- pTicketRequest->TargetName.Buffer = (PWSTR) (pTicketRequest + 1);
- memcpy(pTicketRequest->TargetName.Buffer,tktinfo->ServerName.Buffer, tktinfo->ServerName.Length);
- pTicketRequest->CacheOptions = KERB_RETRIEVE_TICKET_CACHE_TICKET;
- pTicketRequest->EncryptionType = tktinfo->SessionKeyType;
- pTicketRequest->TicketFlags = 0;
- if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_forwardable )
- pTicketRequest->TicketFlags |= KDC_OPT_FORWARDABLE;
- if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_forwarded )
- pTicketRequest->TicketFlags |= KDC_OPT_FORWARDED;
- if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_proxiable )
- pTicketRequest->TicketFlags |= KDC_OPT_PROXIABLE;
- if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_renewable )
- pTicketRequest->TicketFlags |= KDC_OPT_RENEWABLE;
-
- Status = LsaCallAuthenticationPackage(
- LogonHandle,
- PackageId,
- pTicketRequest,
- RequestSize,
- &pTicketResponse,
- &ResponseSize,
- &SubStatus
- );
-
- LocalFree(pTicketRequest);
-
if (FAILED(Status) || FAILED(SubStatus))
return(FALSE);
return(TRUE);
}
-#endif /* HAVE_CACHE_INFO_EX2 */
static krb5_error_code KRB5_CALLCONV krb5_lcc_close
(krb5_context, krb5_ccache id);
union {
PKERB_QUERY_TKT_CACHE_RESPONSE w2k;
PKERB_QUERY_TKT_CACHE_EX_RESPONSE xp;
-#ifdef HAVE_CACHE_INFO_EX2
- PKERB_QUERY_TKT_CACHE_EX2_RESPONSE ex2;
-#endif /* HAVE_CACHE_INFO_EX2 */
} response;
unsigned int index;
PKERB_EXTERNAL_TICKET mstgt;
HANDLE LogonHandle;
ULONG PackageId;
KERB_EXTERNAL_TICKET *msticket;
+ krb5_error_code retval = KRB5_OK;
if (!is_windows_2000())
return KRB5_FCC_NOFILE;
-#ifdef COMMENT
- /* In at least one case on Win2003 it appears that it is possible
- * for the logon session to be authenticated via NTLM and yet for
- * there to be Kerberos credentials obtained by the LSA on behalf
- * of the logged in user. Therefore, we are removing this test
- * which was meant to avoid the need to perform GetMSTGT() when
- * there was no possibility of credentials being found.
- */
- if (!IsKerberosLogon())
- return KRB5_FCC_NOFILE;
-#endif
-
if (!PackageConnectLookup(&LogonHandle, &PackageId))
return KRB5_FCC_NOFILE;
if (GetMSTGT(context, data->LogonHandle, data->PackageId, &msticket, FALSE)) {
/* convert the ticket */
krb5_creds creds;
- MSCredToMITCred(msticket, msticket->DomainName, context, &creds);
+ if (!MSCredToMITCred(msticket, msticket->DomainName, context, &creds))
+ retval = KRB5_FCC_INTERNAL;
LsaFreeReturnBuffer(msticket);
- krb5_copy_principal(context, creds.client, &data->princ);
+ if (retval == KRB5_OK)
+ krb5_copy_principal(context, creds.client, &data->princ);
krb5_free_cred_contents(context,&creds);
} else if (!does_retrieve_ticket_cache_ticket()) {
krb5_xfree(data->cc_name);
* if cache is non-existent/unusable
*/
*id = lid;
- return KRB5_OK;
+ return retval;
}
/*
if (id) {
data = (krb5_lcc_data *) id->data;
- return PurgeAllTickets(data->LogonHandle, data->PackageId) ? KRB5_OK : KRB5_FCC_INTERNAL;
- }
+ return PurgeAllTickets(data->LogonHandle, data->PackageId) ? KRB5_OK : KRB5_FCC_INTERNAL;
+ }
return KRB5_FCC_INTERNAL;
}
return KRB5_CC_NOTFOUND;
}
-#ifdef HAVE_CACHE_INFO_EX2
- if ( does_query_ticket_cache_ex2() ) {
- if ( !GetQueryTktCacheResponseEX2(data->LogonHandle, data->PackageId, &lcursor->response.ex2) ) {
- LsaFreeReturnBuffer(lcursor->mstgt);
- free(lcursor);
- *cursor = 0;
- return KRB5_FCC_INTERNAL;
- }
- } else
-#endif /* HAVE_CACHE_INFO_EX2 */
if ( is_windows_xp() ) {
if ( !GetQueryTktCacheResponseXP(data->LogonHandle, data->PackageId, &lcursor->response.xp) ) {
LsaFreeReturnBuffer(lcursor->mstgt);
data = (krb5_lcc_data *)id->data;
next_cred:
-#ifdef HAVE_CACHE_INFO_EX2
- if ( does_query_ticket_cache_ex2() ) {
- if ( lcursor->index >= lcursor->response.ex2->CountOfTickets ) {
- if (retval == KRB5_OK)
- return KRB5_CC_END;
- else {
- LsaFreeReturnBuffer(lcursor->mstgt);
- LsaFreeReturnBuffer(lcursor->response.ex2);
- free(*cursor);
- *cursor = 0;
- return retval;
- }
- }
-
- if ( data->flags & KRB5_TC_NOTICKET ) {
- CacheInfoEx2ToMITCred( &lcursor->response.ex2->Tickets[lcursor->index++],
- context, creds);
- return KRB5_OK;
- } else {
- if (!GetMSCacheTicketFromCacheInfoEX2(data->LogonHandle, data->PackageId,
- &lcursor->response.ex2->Tickets[lcursor->index++],&msticket)) {
- retval = KRB5_FCC_INTERNAL;
- goto next_cred;
- }
- }
- } else
-#endif /* HAVE_CACHE_INFO_EX2 */
if ( is_windows_xp() ) {
if ( lcursor->index >= lcursor->response.xp->CountOfTickets ) {
if (retval == KRB5_OK)
}
/* convert the ticket */
-#ifdef HAVE_CACHE_INFO_EX2
- if ( does_query_ticket_cache_ex2() ) {
- MSCredToMITCred(msticket, lcursor->response.ex2->Tickets[lcursor->index-1].ClientRealm, context, creds);
- } else
-#endif /* HAVE_CACHE_INFO_EX2 */
if ( is_windows_xp() ) {
- MSCredToMITCred(msticket, lcursor->response.xp->Tickets[lcursor->index-1].ClientRealm, context, creds);
+ if (!MSCredToMITCred(msticket, lcursor->response.xp->Tickets[lcursor->index-1].ClientRealm, context, creds))
+ retval = KRB5_FCC_INTERNAL;
} else {
- MSCredToMITCred(msticket, lcursor->mstgt->DomainName, context, creds);
+ if (!MSCredToMITCred(msticket, lcursor->mstgt->DomainName, context, creds))
+ retval = KRB5_FCC_INTERNAL;
}
LsaFreeReturnBuffer(msticket);
- return KRB5_OK;
+ return retval;
}
/*
if ( lcursor ) {
LsaFreeReturnBuffer(lcursor->mstgt);
-#ifdef HAVE_CACHE_INFO_EX2
- if ( does_query_ticket_cache_ex2() )
- LsaFreeReturnBuffer(lcursor->response.ex2);
- else
-#endif /* HAVE_CACHE_INFO_EX2 */
if ( is_windows_xp() )
LsaFreeReturnBuffer(lcursor->response.xp);
else
krb5_lcc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *princ)
{
krb5_lcc_data *data = (krb5_lcc_data *)id->data;
- krb5_error_code kret = KRB5_OK;
if (!is_windows_2000())
return KRB5_FCC_NOFILE;
if (GetMSTGT(context, data->LogonHandle, data->PackageId, &msticket, FALSE)) {
/* convert the ticket */
krb5_creds creds;
- MSCredToMITCred(msticket, msticket->DomainName, context, &creds);
+ if (!MSCredToMITCred(msticket, msticket->DomainName, context, &creds))
+ {
+ LsaFreeReturnBuffer(msticket);
+ return KRB5_FCC_INTERNAL;
+ }
LsaFreeReturnBuffer(msticket);
krb5_copy_principal(context, creds.client, &data->princ);
if ( !kret )
goto cleanup;
-
-
/* if not, obtain a ticket using the request flags and enctype even though it may not
* be stored in the LSA cache for future use.
*/
if ( PreserveInitialTicketIdentity() )
GetMSTGT(context, data->LogonHandle, data->PackageId, &mstgt, FALSE);
- MSCredToMITCred(msticket, mstgt ? mstgt->DomainName : msticket->DomainName, context, &fetchcreds);
+ if (!MSCredToMITCred(msticket, mstgt ? mstgt->DomainName : msticket->DomainName, context, &fetchcreds))
+ {
+ kret = KRB5_FCC_INTERNAL;
+ goto cleanup;
+ }
} else {
/* We can obtain the correct client realm for a ticket by walking the
* cache contents until we find the matching service ticket.
mstmp = 0;
}
- MSCredToMITCred(msticket, mstmp ? pResponse->Tickets[i].ClientRealm : msticket->DomainName, context, &fetchcreds);
+ if (!MSCredToMITCred(msticket, mstmp ? pResponse->Tickets[i].ClientRealm : msticket->DomainName, context, &fetchcreds))
+ {
+ LsaFreeReturnBuffer(pResponse);
+ kret = KRB5_FCC_INTERNAL;
+ goto cleanup;
+ }
LsaFreeReturnBuffer(pResponse);
}
if (!is_windows_2000())
return KRB5_FCC_NOFILE;
-#ifdef KERB_SUBMIT_TICKET
- /* we can use the new KerbSubmitTicketMessage to store the ticket */
- if (KerbSubmitTicket( data->LogonHandle, data->PackageId, context, creds ))
- return KRB5_OK;
-#endif /* KERB_SUBMIT_TICKET */
-
/* If not, lets try to obtain a matching ticket from the KDC */
if ( creds->ticket_flags != 0 && creds->keyblock.enctype != 0 ) {
/* if not, we must try to get a ticket without specifying any flags or etypes */
+2004-11-26 Ken Raeburn <raeburn@mit.edu>
+
+ * kt_file.c (krb5_ktfile_wresolve): Initialize mutex here too.
+
+2004-11-23 Ken Raeburn <raeburn@mit.edu>
+
+ * kt_file.c (struct _krb5_ktfile_data): Add mutex and buffer.
+ (KTFILEBUFP, KTLOCK, KTUNLOCK, KTCHECKLOCK): New macros.
+ (krb5_ktfile_resolve): Initialize mutex.
+ (krb5_ktfile_close): Zap data buffer before freeing.
+ (krb5_ktfile_get_entry, krb5_ktfile_start_seq_get,
+ krb5_ktfile_get_next, krb5_ktfile_end_get, krb5_ktfile_add,
+ krb5_ktfile_remove): Lock and unlock the mutex.
+ (krb5_ktfileint_open): Check that the mutex is locked. Set the
+ stdio buffer to the new buffer in the ktfile data.
+ (krb5_ktfileint_write_entry, krb5_ktfileint_find_slot): Check that
+ the mutex is locked. Don't call setbuf. Flush the stdio buffer
+ after writing.
+
+2004-11-23 Tom Yu <tlyu@mit.edu>
+
+ * kt_file.c (krb5_ktfileint_open): Update previous change by
+ explicitly setting errno=0 prior to calling fopen(). Also, return
+ EMFILE, not ENFILE, for compatibility with Solaris 8, which does
+ set errno when out of file descriptors.
+
+2004-11-19 Tom Yu <tlyu@mit.edu>
+
+ * kt_file.c (krb5_ktfileint_open): Patch from Roland Dowdeswell to
+ return ENFILE when fopen() returns NULL but doesn't set errno.
+
2004-06-22 Ken Raeburn <raeburn@mit.edu>
* kt_file.c (krb5_ktf_keytab_externalize,
typedef struct _krb5_ktfile_data {
char *name; /* Name of the file */
FILE *openf; /* open file, if any. */
+ char iobuf[BUFSIZ]; /* so we can zap it later */
int version; /* Version number of keytab */
+ k5_mutex_t lock; /* Protect openf, version */
} krb5_ktfile_data;
/*
#define KTPRIVATE(id) ((krb5_ktfile_data *)(id)->data)
#define KTFILENAME(id) (((krb5_ktfile_data *)(id)->data)->name)
#define KTFILEP(id) (((krb5_ktfile_data *)(id)->data)->openf)
+#define KTFILEBUFP(id) (((krb5_ktfile_data *)(id)->data)->iobuf)
#define KTVERSION(id) (((krb5_ktfile_data *)(id)->data)->version)
+#define KTLOCK(id) k5_mutex_lock(&((krb5_ktfile_data *)(id)->data)->lock)
+#define KTUNLOCK(id) k5_mutex_unlock(&((krb5_ktfile_data *)(id)->data)->lock)
+#define KTCHECKLOCK(id) k5_mutex_assert_locked(&((krb5_ktfile_data *)(id)->data)->lock)
extern const struct _krb5_kt_ops krb5_ktf_ops;
extern const struct _krb5_kt_ops krb5_ktf_writable_ops;
krb5_ktfile_resolve(krb5_context context, const char *name, krb5_keytab *id)
{
krb5_ktfile_data *data;
+ krb5_error_code err;
if ((*id = (krb5_keytab) malloc(sizeof(**id))) == NULL)
return(ENOMEM);
return(ENOMEM);
}
+ err = k5_mutex_init(&data->lock);
+ if (err) {
+ krb5_xfree(*id);
+ return err;
+ }
+
if ((data->name = (char *)calloc(strlen(name) + 1, sizeof(char))) == NULL) {
+ k5_mutex_destroy(&data->lock);
krb5_xfree(data);
krb5_xfree(*id);
return(ENOMEM);
*/
{
krb5_xfree(KTFILENAME(id));
+ zap(KTFILEBUFP(id), BUFSIZ);
+ k5_mutex_destroy(&((krb5_ktfile_data *)id->data)->lock);
krb5_xfree(id->data);
id->ops = 0;
krb5_xfree(id);
*/
krb5_error_code KRB5_CALLCONV
-krb5_ktfile_get_entry(krb5_context context, krb5_keytab id, krb5_const_principal principal, krb5_kvno kvno, krb5_enctype enctype, krb5_keytab_entry *entry)
+krb5_ktfile_get_entry(krb5_context context, krb5_keytab id,
+ krb5_const_principal principal, krb5_kvno kvno,
+ krb5_enctype enctype, krb5_keytab_entry *entry)
{
krb5_keytab_entry cur_entry, new_entry;
krb5_error_code kerror = 0;
krb5_boolean similar;
int kvno_offset = 0;
+ kerror = KTLOCK(id);
+ if (kerror)
+ return kerror;
+
/* Open the keyfile for reading */
- if ((kerror = krb5_ktfileint_openr(context, id)))
+ if ((kerror = krb5_ktfileint_openr(context, id))) {
+ KTUNLOCK(id);
return(kerror);
+ }
/*
* For efficiency and simplicity, we'll use a while true that
}
if (kerror) {
(void) krb5_ktfileint_close(context, id);
+ KTUNLOCK(id);
krb5_kt_free_entry(context, &cur_entry);
return kerror;
}
if ((kerror = krb5_ktfileint_close(context, id)) != 0) {
+ KTUNLOCK(id);
krb5_kt_free_entry(context, &cur_entry);
return kerror;
}
+ KTUNLOCK(id);
*entry = cur_entry;
return 0;
}
krb5_error_code retval;
long *fileoff;
- if ((retval = krb5_ktfileint_openr(context, id)))
+ retval = KTLOCK(id);
+ if (retval)
return retval;
+ if ((retval = krb5_ktfileint_openr(context, id))) {
+ KTUNLOCK(id);
+ return retval;
+ }
+
if (!(fileoff = (long *)malloc(sizeof(*fileoff)))) {
krb5_ktfileint_close(context, id);
+ KTUNLOCK(id);
return ENOMEM;
}
*fileoff = ftell(KTFILEP(id));
*cursorp = (krb5_kt_cursor)fileoff;
+ KTUNLOCK(id);
return 0;
}
krb5_keytab_entry cur_entry;
krb5_error_code kerror;
- if (fseek(KTFILEP(id), *fileoff, 0) == -1)
+ kerror = KTLOCK(id);
+ if (kerror)
+ return kerror;
+ if (fseek(KTFILEP(id), *fileoff, 0) == -1) {
+ KTUNLOCK(id);
return KRB5_KT_END;
- if ((kerror = krb5_ktfileint_read_entry(context, id, &cur_entry)))
+ }
+ if ((kerror = krb5_ktfileint_read_entry(context, id, &cur_entry))) {
+ KTUNLOCK(id);
return kerror;
+ }
*fileoff = ftell(KTFILEP(id));
*entry = cur_entry;
+ KTUNLOCK(id);
return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_ktfile_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor)
{
+ krb5_error_code kerror;
+
krb5_xfree(*cursor);
- return krb5_ktfileint_close(context, id);
+ KTLOCK(id);
+ kerror = krb5_ktfileint_close(context, id);
+ KTUNLOCK(id);
+ return kerror;
}
/*
krb5_ktfile_wresolve(krb5_context context, const char *name, krb5_keytab *id)
{
krb5_ktfile_data *data;
+ krb5_error_code err;
if ((*id = (krb5_keytab) malloc(sizeof(**id))) == NULL)
return(ENOMEM);
return(ENOMEM);
}
+ err = k5_mutex_init(&data->lock);
+ if (err) {
+ krb5_xfree(*id);
+ return err;
+ }
+
if ((data->name = (char *)calloc(strlen(name) + 1, sizeof(char))) == NULL) {
+ k5_mutex_destroy(&data->lock);
krb5_xfree(data);
krb5_xfree(*id);
return(ENOMEM);
{
krb5_error_code retval;
- if ((retval = krb5_ktfileint_openw(context, id)))
+ retval = KTLOCK(id);
+ if (retval)
return retval;
- if (fseek(KTFILEP(id), 0, 2) == -1)
+ if ((retval = krb5_ktfileint_openw(context, id))) {
+ KTUNLOCK(id);
+ return retval;
+ }
+ if (fseek(KTFILEP(id), 0, 2) == -1) {
+ KTUNLOCK(id);
return KRB5_KT_END;
+ }
retval = krb5_ktfileint_write_entry(context, id, entry);
krb5_ktfileint_close(context, id);
+ KTUNLOCK(id);
return retval;
}
krb5_error_code kerror;
krb5_int32 delete_point;
+ kerror = KTLOCK(id);
+ if (kerror)
+ return kerror;
+
if ((kerror = krb5_ktfileint_openw(context, id))) {
+ KTUNLOCK(id);
return kerror;
}
if (kerror) {
(void) krb5_ktfileint_close(context, id);
+ KTUNLOCK(id);
return kerror;
}
} else {
kerror = krb5_ktfileint_close(context, id);
}
-
+ KTUNLOCK(id);
return kerror;
}
krb5_kt_vno kt_vno;
int writevno = 0;
+ KTCHECKLOCK(id);
+ errno = 0;
KTFILEP(id) = fopen(KTFILENAME(id),
(mode == KRB5_LOCKMODE_EXCLUSIVE) ?
fopen_mode_rbplus : fopen_mode_rb);
if ((mode == KRB5_LOCKMODE_EXCLUSIVE) && (errno == ENOENT)) {
/* try making it first time around */
krb5_create_secure_file(context, KTFILENAME(id));
+ errno = 0;
KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus);
if (!KTFILEP(id))
- return errno;
+ return errno ? errno : EMFILE;
writevno = 1;
} else /* some other error */
- return errno;
+ return errno ? errno : EMFILE;
}
if ((kerror = krb5_lock_file(context, fileno(KTFILEP(id)), mode))) {
(void) fclose(KTFILEP(id));
return kerror;
}
/* assume ANSI or BSD-style stdio */
- setbuf(KTFILEP(id), NULL);
+ setbuf(KTFILEP(id), KTFILEBUFP(id));
/* get the vno and verify it */
if (writevno) {
{
krb5_error_code kerror;
+ KTCHECKLOCK(id);
if (!KTFILEP(id))
return 0;
kerror = krb5_unlock_file(context, fileno(KTFILEP(id)));
krb5_int32 len;
char iobuf[BUFSIZ];
+ KTCHECKLOCK(id);
if (fseek(KTFILEP(id), delete_point, SEEK_SET)) {
return errno;
}
char *tmpdata;
krb5_data *princ;
+ KTCHECKLOCK(id);
memset(ret_entry, 0, sizeof(krb5_keytab_entry));
ret_entry->magic = KV5M_KEYTAB_ENTRY;
krb5_int32 size_needed;
krb5_int32 commit_point;
int i;
- char iobuf[BUFSIZ];
+ KTCHECKLOCK(id);
retval = krb5_ktfileint_size_entry(context, entry, &size_needed);
if (retval)
return retval;
if (retval)
return retval;
- setbuf(KTFILEP(id), iobuf);
-
/* fseek to synchronise buffered I/O on the key table. */
-
+ /* XXX Without the weird setbuf crock, can we get rid of this now? */
if (fseek(KTFILEP(id), 0L, SEEK_CUR) < 0)
{
return errno;
if (!xfwrite(&count, sizeof(count), 1, KTFILEP(id))) {
abend:
- setbuf(KTFILEP(id), 0);
return KRB5_KT_IOERR;
}
size = krb5_princ_realm(context, entry->principal)->length;
}
if (!xfwrite(entry->key.contents, sizeof(krb5_octet),
entry->key.length, KTFILEP(id))) {
- memset(iobuf, 0, sizeof(iobuf));
- setbuf(KTFILEP(id), 0);
- return KRB5_KT_IOERR;
+ goto abend;
}
+ if (fflush(KTFILEP(id)))
+ goto abend;
+
retval = krb5_sync_disk_file(context, KTFILEP(id));
- (void) memset(iobuf, 0, sizeof(iobuf));
- setbuf(KTFILEP(id), 0);
if (retval) {
return retval;
if (!xfwrite(&size_needed, sizeof(size_needed), 1, KTFILEP(id))) {
goto abend;
}
+ if (fflush(KTFILEP(id)))
+ goto abend;
retval = krb5_sync_disk_file(context, KTFILEP(id));
return retval;
krb5_boolean found = FALSE;
char iobuf[BUFSIZ];
+ KTCHECKLOCK(id);
/*
* Skip over file version number
*/
/*
* Hit the end of file, reserve this slot.
*/
- setbuf(KTFILEP(id), 0);
size = 0;
/* fseek to synchronise buffered I/O on the key table. */
-
+ /* XXX Without the weird setbuf hack, can we nuke this now? */
if (fseek(KTFILEP(id), 0L, SEEK_CUR) < 0)
{
return errno;
* Make sure we zero any trailing data.
*/
zero_point = ftell(KTFILEP(id));
- setbuf(KTFILEP(id), iobuf);
while ((size = xfread(iobuf, 1, sizeof(iobuf), KTFILEP(id)))) {
if (size != sizeof(iobuf)) {
remainder = size % sizeof(krb5_int32);
memset(iobuf, 0, (size_t) size);
xfwrite(iobuf, 1, (size_t) size, KTFILEP(id));
+ fflush(KTFILEP(id));
if (feof(KTFILEP(id))) {
break;
}
}
}
- setbuf(KTFILEP(id), 0);
if (fseek(KTFILEP(id), zero_point, SEEK_SET)) {
return errno;
}
+2004-12-08 Ken Raeburn <raeburn@mit.edu>
+
+ * accessor.c (krb5int_accessor): Set new field use_dns_kdc.
+
+2004-12-06 Tom Yu <tlyu@mit.edu>
+
+ * locate_kdc.c (krb5_locate_srv_dns_1): Don't compile if
+ KRB5_DNS_LOOKUP is not defined.
+
+2004-11-19 Ken Raeburn <raeburn@mit.edu>
+
+ * locate_kdc.c (krb5int_add_host_to_list): If debugging, log the
+ requested family and socket type. If AI_NUMERICSERV is defined,
+ set it in ai_flags. If getaddrinfo returns an error with
+ debugging enabled, log the error.
+ (krb5_locate_srv_conf_1): When logging an error from
+ add_host_to_list, include the corresponding error string.
+
+ * t_locate_kdc.c: Include port-sockets.h, instead of sys/socket.h,
+ netdb.h, netinet/in.h, and arpa/inet.h.
+ * Makefile.in ($(OUTPRE)t_locate_kdc.exe): New target.
+
2004-10-20 Ken Raeburn <raeburn@mit.edu>
* locate_kdc.c: Include stdarg.h.
$(CC_LINK) $(ALL_CFLAGS) -o t_locate_kdc t_locate_kdc.o \
$(KRB5_BASE_LIBS)
t_locate_kdc.o: t_locate_kdc.c locate_kdc.c
+$(OUTPRE)t_locate_kdc.exe: $(OUTPRE)t_locate_kdc.obj \
+ $(OUTPRE)dnssrv.obj $(OUTPRE)dnsglue.obj \
+ $(KLIB) $(PLIB) $(CLIB) $(SLIB)
+ link $(EXE_LINKOPTS) -out:$@ $** ws2_32.lib $(DNSLIBS)
LCLINT=lclint
LCLINTOPTS= -warnposix \
t_an_to_ln.so t_an_to_ln.po $(OUTPRE)t_an_to_ln.$(OBJEXT): t_an_to_ln.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS)
t_gifconf.so t_gifconf.po $(OUTPRE)t_gifconf.$(OBJEXT): t_gifconf.c
-t_locate_kdc.so t_locate_kdc.po $(OUTPRE)t_locate_kdc.$(OBJEXT): t_locate_kdc.c $(COM_ERR_DEPS) \
- locate_kdc.c $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/port-sockets.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/socket-utils.h \
+t_locate_kdc.so t_locate_kdc.po $(OUTPRE)t_locate_kdc.$(OBJEXT): t_locate_kdc.c $(SRCTOP)/include/port-sockets.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(COM_ERR_DEPS) \
+ locate_kdc.c $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/socket-utils.h \
$(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
$(BUILDTOP)/include/krb5.h $(BUILDTOP)/include/profile.h \
#ifdef KRB5_DNS_LOOKUP
internals_temp.make_srv_query_realm = krb5int_make_srv_query_realm;
internals_temp.free_srv_dns_data = krb5int_free_srv_dns_data;
+ internals_temp.use_dns_kdc = _krb5_use_dns_kdc;
#else
internals_temp.make_srv_query_realm = 0;
internals_temp.free_srv_dns_data = 0;
+ internals_temp.use_dns_kdc = 0;
#endif
#ifdef KRB5_KRB4_COMPAT
internals_temp.krb_life_to_time = krb5int_krb_life_to_time;
int err;
char portbuf[10], secportbuf[10];
- Tprintf ("adding hostname %s, ports %d,%d\n", hostname,
- ntohs (port), ntohs (secport));
+ Tprintf ("adding hostname %s, ports %d,%d, family %d, socktype %d\n",
+ hostname, ntohs (port), ntohs (secport),
+ family, socktype);
memset(&hint, 0, sizeof(hint));
hint.ai_family = family;
hint.ai_socktype = socktype;
+#ifdef AI_NUMERICSERV
+ hint.ai_flags = AI_NUMERICSERV;
+#endif
sprintf(portbuf, "%d", ntohs(port));
sprintf(secportbuf, "%d", ntohs(secport));
err = getaddrinfo (hostname, portbuf, &hint, &addrs);
- if (err)
+ if (err) {
+ Tprintf ("\tgetaddrinfo(\"%s\", \"%s\", ...)\n\treturns %d: %s\n",
+ hostname, portbuf, err, gai_strerror (err));
return translate_ai_error (err);
+ }
anext = 0;
for (a = addrs; a != 0 && err == 0; a = anext) {
anext = a->ai_next;
SOCK_STREAM, family);
}
if (code) {
- Tprintf ("error %d returned from add_host_to_list\n", code);
+ Tprintf ("error %d (%s) returned from add_host_to_list\n", code,
+ error_message (code));
if (hostlist)
profile_free_list (hostlist);
if (masterlist)
}
#endif
+#ifdef KRB5_DNS_LOOKUP
static krb5_error_code
krb5_locate_srv_dns_1 (const krb5_data *realm,
const char *service,
(strcmp("_tcp", protocol)
? SOCK_DGRAM
: SOCK_STREAM), family);
- if (code)
+ if (code) {
break;
+ }
if (entry == head) {
free(entry->host);
free(entry);
krb5int_free_srv_dns_data(head);
return code;
}
+#endif
/*
* Wrapper function for the two backends
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
-#include <sys/socket.h>
-#include <netdb.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
+#include "port-sockets.h"
#include <com_err.h>
#define TEST
+2004-11-18 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (install-unix): Install into KRB5_INCDIR/gssrpc,
+ rather than just KRB5_INCDIR.
+
2004-10-25 Tom Yu <tlyu@mit.edu>
* auth_gss.c (authgss_get_private_data): New function.
install-unix::
for i in $(SRC_HDRS); do \
- (set -x; $(INSTALL_DATA) $(srcdir)/$$i $(DESTDIR)$(KRB5_INCDIR)$(S)$$i) ; \
+ (set -x; $(INSTALL_DATA) $(srcdir)/$$i $(DESTDIR)$(KRB5_INCDIR)$(S)gssrpc$(S)$$i) ; \
done
for i in $(BUILD_HDRS); do \
- (set -x; $(INSTALL_DATA) $$i $(DESTDIR)$(KRB5_INCDIR)$(S)$$i) ; \
+ (set -x; $(INSTALL_DATA) $$i $(DESTDIR)$(KRB5_INCDIR)$(S)gssrpc$(S)$$i) ; \
done
BUILD_HDRS = types.h
#
_GSS_KRB5_NT_PRINCIPAL_NAME
+
+#
+# GSS-API krb5 symbols from gssapi_krb5.h
+#
+
+_gss_mech_krb5
+_gss_mech_krb5_old
+_gss_mech_set_krb5
+_gss_mech_set_krb5_both
+_gss_mech_set_krb5_old
+
+_gss_nt_krb5_name
+_gss_nt_krb5_principal
+_krb5_gss_oid_array
refType = 4;
sourceTree = "<group>";
};
+ A14E78E90725B12A00A025E3 = {
+ fileRef = F517327003F1B65901120114;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
A166BCC3040D36F8004AA618 = {
fileEncoding = 4;
isa = PBXFileReference;
DYLIB_CURRENT_VERSION = 1;
GCC_PRECOMPILE_PREFIX_HEADER = YES;
GCC_PREFIX_HEADER = ../Sources/mac/MacOSX/Headers/Kerberos5Prefix.h;
- HEADER_SEARCH_PATHS = "$(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/include";
+ HEADER_SEARCH_PATHS = "$(SRCROOT)/../Sources/lib/crypto/des $(SRCROOT)/../Sources/include $(SRCROOT)/../Sources/include/krb5 $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/include $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/include/krb5";
LIBRARY_STYLE = STATIC;
PRODUCT_NAME = KerberosDES;
REZ_EXECUTABLE = YES;
buildActionMask = 2147483647;
files = (
A1AB1DEF05DDC40100526345,
+ A14E78E90725B12A00A025E3,
);
isa = PBXHeadersBuildPhase;
runOnlyForDeploymentPostprocessing = 0;
DYLIB_CURRENT_VERSION = 1;
GCC_PRECOMPILE_PREFIX_HEADER = YES;
GCC_PREFIX_HEADER = ../Sources/mac/MacOSX/Headers/Kerberos5Prefix.h;
- HEADER_SEARCH_PATHS = "$(SRCROOT)/../../Common/Headers $(SRCROOT)/../../KerberosErrors/Headers/Kerberos $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/include";
+ HEADER_SEARCH_PATHS = "$(SRCROOT)/../../Common/Headers $(SRCROOT)/../../KerberosErrors/Headers/Kerberos $(SRCROOT)/../Sources/include $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/include $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/include/krb5";
LIBRARY_STYLE = STATIC;
PRODUCT_NAME = KerberosProfile;
REZ_EXECUTABLE = YES;
DYLIB_CURRENT_VERSION = 1;
GCC_PRECOMPILE_PREFIX_HEADER = YES;
GCC_PREFIX_HEADER = ../Sources/mac/MacOSX/Headers/Kerberos5Prefix.h;
- HEADER_SEARCH_PATHS = "$(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/include $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/ErrorTables $(SRCROOT)/../../Common/Headers $(SRCROOT)/../../KerberosErrors/Headers $(SRCROOT)/../../KerberosDebug/Headers $(SRCROOT)/../../KerberosErrors/Headers/Kerberos $(SRCROOT)/../../CredentialsCache/Headers $(SRCROOT)/../../CredentialsCache/Headers/Kerberos $(SRCROOT)/../../KerberosLogin/Headers $(SRCROOT)/../../KerberosLogin/Headers/Kerberos";
+ HEADER_SEARCH_PATHS = "$(SRCROOT)/../Sources/include $(SRCROOT)/../Sources/include/krb5 $(SRCROOT)/../Sources/include/kerberosIV $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/include $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/include/krb5 $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/ErrorTables $(SRCROOT)/../../Common/Headers $(SRCROOT)/../../KerberosErrors/Headers $(SRCROOT)/../../KerberosDebug/Headers $(SRCROOT)/../../KerberosErrors/Headers/Kerberos $(SRCROOT)/../../CredentialsCache/Headers $(SRCROOT)/../../CredentialsCache/Headers/Kerberos $(SRCROOT)/../../KerberosLogin/Headers $(SRCROOT)/../../KerberosLogin/Headers/Kerberos";
LIBRARY_STYLE = STATIC;
PRODUCT_NAME = Kerberos4;
REZ_EXECUTABLE = YES;
DYLIB_CURRENT_VERSION = 1;
GCC_PRECOMPILE_PREFIX_HEADER = YES;
GCC_PREFIX_HEADER = ../Sources/mac/MacOSX/Headers/Kerberos5Prefix.h;
- HEADER_SEARCH_PATHS = "$(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/include $(SRCROOT)/../Sources/include $(SRCROOT)/../../KerberosErrors/Headers $(SRCROOT)/../../KerberosErrors/Headers/Kerberos $(SRCROOT)/../../CredentialsCache/Headers $(SRCROOT)/../../CredentialsCache/Headers/Kerberos $(SRCROOT)/../../KerberosLogin/Headers $(SRCROOT)/../../KerberosLogin/Headers/Kerberos";
+ HEADER_SEARCH_PATHS = "$(SRCROOT)/../Sources/ $(SRCROOT)/../Sources/include $(SRCROOT)/../Sources/include/krb5 $(SRCROOT)/../Sources/lib/crypto/aes $(SRCROOT)/../Sources/lib/crypto $(SRCROOT)/../Sources/lib/crypto/arcfour $(SRCROOT)/../Sources/lib/crypto/enc_provider $(SRCROOT)/../Sources/lib/crypto/crc32 $(SRCROOT)/../Sources/lib/crypto/des $(SRCROOT)/../Sources/lib/crypto/dk $(SRCROOT)/../Sources/lib/crypto/hash_provider $(SRCROOT)/../Sources/lib/crypto/keyhash_provider $(SRCROOT)/../Sources/lib/crypto/md4 $(SRCROOT)/../Sources/lib/crypto/md5 $(SRCROOT)/../Sources/lib/crypto/old $(SRCROOT)/../Sources/lib/crypto/raw $(SRCROOT)/../Sources/lib/crypto/sha1 $(SRCROOT)/../Sources/lib/crypto/yarrow $(SRCROOT)/../Sources/lib/krb5/os $(SRCROOT)/../Sources/lib/krb5/keytab $(SRCROOT)/../Sources/lib/krb5/rcache $(SRCROOT)/../Sources/lib/krb5/ccache $(SRCROOT)/../Sources/lib/krb5/ccache/ccapi $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/include $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/include/krb5 $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/ErrorTables $(SRCROOT)/../Sources/include $(SRCROOT)/../../KerberosErrors/Headers $(SRCROOT)/../../KerberosErrors/Headers/Kerberos $(SRCROOT)/../../CredentialsCache/Headers $(SRCROOT)/../../CredentialsCache/Headers/Kerberos $(SRCROOT)/../../KerberosLogin/Headers $(SRCROOT)/../../KerberosLogin/Headers/Kerberos";
LIBRARY_STYLE = STATIC;
PRODUCT_NAME = Kerberos5;
REZ_EXECUTABLE = YES;
DYLIB_CURRENT_VERSION = 1;
GCC_PRECOMPILE_PREFIX_HEADER = YES;
GCC_PREFIX_HEADER = ../Sources/mac/MacOSX/Headers/Kerberos5Prefix.h;
- HEADER_SEARCH_PATHS = "$(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/include $(SRCROOT)/../../KerberosErrors/Headers $(SRCROOT)/../../KerberosErrors/Headers/Kerberos";
+ HEADER_SEARCH_PATHS = "$(SRCROOT)/../Sources/include $(SRCROOT)/../Sources/include/krb5 $(SRCROOT)/../Sources/lib/gssapi $(SRCROOT)/../Sources/lib/gssapi/krb5 $(SRCROOT)/../Sources/lib/gssapi/generic $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/ErrorTables $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/include $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/include/krb5 $(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/include/gssapi $(SRCROOT)/../../KerberosErrors/Headers $(SRCROOT)/../../KerberosErrors/Headers/Kerberos";
LIBRARY_STYLE = STATIC;
PRODUCT_NAME = GSS;
REZ_EXECUTABLE = YES;
_profile_init_path
_FSp_profile_init
_FSp_profile_init_path
+_profile_is_writable
+_profile_is_modified
_profile_flush
+_profile_flush_to_file
+_profile_flush_to_buffer
+_profile_free_buffer
_profile_abandon
_profile_release
_profile_get_values
#define KRB5_MAJOR_RELEASE 1
#define KRB5_MINOR_RELEASE 4
#define KRB5_PATCHLEVEL 0
-#define KRB5_RELTAIL "prerelease"
+#define KRB5_RELTAIL "beta3"
/* #undef KRB5_RELDATE */
-/* #undef KRB5_RELTAG */
+#define KRB5_RELTAG "krb5-1-4-beta3"
+2004-11-15 Tom Yu <tlyu@mit.edu>
+
+ * telnet.exp (telnet_test): Work around possible race condition
+ with client's resetting of terminal mode when returning from
+ interactive command mode. Test whether requiring encryption
+ works.
+
2004-03-14 Ken Raeburn <raeburn@mit.edu>
* rlogin.exp (start_rlogin_daemon, rlogin_test): Use portbase to
# A procedure to start up the telnet daemon.
-proc start_telnet_daemon { } {
+proc start_telnet_daemon { args } {
global REALMNAME
global TELNETD
global LOGINKRB5
# we don't need to use inetd. The portbase+8 is the port to listen at.
# Note that tmppwd here is a shell variable, which is set in
# setup_root_shell, not a TCL variable.
- send -i $rlogin_spawn_id "sh -c \"$TELNETD -debug -t \$tmppwd/srvtab -R $REALMNAME -L $tmppwd/login.wrap -X KERBEROS_V4 [expr 8 + $portbase]\" &\r"
+ send -i $rlogin_spawn_id "sh -c \"$TELNETD $args -debug -t \$tmppwd/srvtab -R $REALMNAME -L $tmppwd/login.wrap -X KERBEROS_V4 [expr 8 + $portbase]\" &\r"
expect {
-i $rlogin_spawn_id
-re "$ROOT_PROMPT" { }
set testname "simple telnet"
expect {
- "ogin:" {
+ "ogin: " {
pass $testname
}
}
set testname "telnet command mode"
send "\035"
expect {
- "telnet>" {
+ "telnet> " {
pass $testname
}
}
}
set testname "back to command mode"
+
+ # For some reason, the telnet client doesn't necessarily reset the
+ # terminal mode back to raw after exiting command mode.
+ # Kick it somewhat by sending a CR.
+ send "\r"
+ expect "ogin: "
+
send "\035"
expect {
- "telnet>" {
+ "telnet> " {
pass $testname
}
}
}
expect_after
+ catch "expect eof"
# We can't use check_exit_status, because we expect an exit status
# of 1.
# Move back to telnet command mode and check the encryption status.
set testname "encryption status"
send "\035"
- expect "telnet>"
+ expect "telnet> "
send "status\r"
expect {
-re "Currently encrypting output with DES_CFB64.*Currently decrypting input with DES_CFB64" {
expect "Connection closed by foreign host.\r"
expect_after
+ catch "expect eof"
# We can't use check_exit_status, because we expect an exit status
# of 1.
# The telnet daemon should have stopped, but we have no easy way
# of checking whether it actually did. Kill it just in case.
stop_telnet_daemon
+
+ set testname "reject unencrypted telnet"
+ # Check rejection of unencrypted client when encryption is required
+ start_telnet_daemon -e
+
+ # unencrypted, unauthenticated
+ spawn $TELNET -- $hostname -[expr 8 + $portbase]
+ expect_after {
+ timeout {
+ fail $testname
+ catch "expect_after"
+ return
+ }
+ eof {
+ fail $testname
+ catch "expect_after"
+ return
+ }
+ }
+
+ expect {
+ -re "Unencrypted connection refused.*\n" {
+ pass $testname
+ }
+ }
+ catch "expect_after"
+ catch "expect eof"
+ catch wait
+
+ # The telnet daemon should have stopped, but we have no easy way
+ # of checking whether it actually did. Kill it just in case.
+ stop_telnet_daemon
}
# Run the test. Logging in sometimes takes a while, so increase the
+2004-12-20 Tom Yu <tlyu@mit.edu>
+
+ * pwhist.exp: New file. Perform some sanity checking on password
+ history mechanism, including erroneous loss of history when
+ growing the history array. Also tries to trigger some known
+ buffer overflows and memory leaks.
+
2004-03-14 Ken Raeburn <raeburn@mit.edu>
* gssapi.exp (run_client, doit): Use portbase to compute all port
--- /dev/null
+# password history tests
+
+# one *non-interactive* kadmin.local request
+proc onerq { rq pname str {flags ""} } {
+ global REALMNAME
+ global KADMIN_LOCAL
+
+ spawn $KADMIN_LOCAL -r $REALMNAME -q "$rq $flags $pname"
+ expect_after {
+ timeout {
+ verbose "kadmin.local $rq $flags $pname timed out"
+ catch expect_after
+ kill [exp_pid]
+ close
+ expect eof
+ wait
+ return 0
+ } eof {
+ verbose "kadmin.local $rq $flags $pname got EOF"
+ catch expect_after
+ wait
+ return 0
+ }
+ }
+ expect $str
+ expect_after
+ expect eof
+ wait
+ return 1
+}
+
+proc addprinc { pname pw } {
+ global REALMNAME
+
+ return [onerq addprinc $pname \
+ "Principal \"$pname@$REALMNAME\" created." "-pw $pw"]
+}
+
+proc delprinc { pname } {
+ global REALMNAME
+ return [onerq delprinc $pname \
+ "Principal \"$pname@$REALMNAME\" deleted." "-force"]
+}
+
+proc cpw { pname pw } {
+ global REALMNAME
+
+ return [onerq cpw $pname \
+ "Password for \"$pname@$REALMNAME\" changed." "-pw $pw"]
+}
+
+proc modprinc { pname flags } {
+ global REALMNAME
+
+ return [onerq modprinc $pname \
+ "Principal \"$pname@$REALMNAME\" modified." $flags]
+}
+
+proc addpol { pname } {
+ if ![onerq addpol $pname ""] {
+ return 0
+ }
+ return [onerq getpol $pname "Policy: $pname"]
+}
+
+proc delpol { pname } {
+ onerq delpol $pname "" -force
+ return [onerq getpol $pname \
+ "Policy does not exist while retrieving policy \"$pname\"."]
+}
+
+proc modpol { pname flags } {
+ return [onerq modpol $pname "" $flags]
+}
+
+# Mandatory command must return true.
+# Issues a break in its parent on failure.
+proc mustrun { cmd } {
+ if ![eval $cmd] {
+ perror "mandatory command failed: $cmd"
+ uplevel break
+ }
+}
+
+# Fail test if command fails.
+# Issues a break in its parent on failure.
+proc chkpass { cmd } {
+ upvar test test
+ if ![eval $cmd] {
+ verbose "unexpected failure: $cmd"
+ fail $test
+ uplevel break
+ }
+}
+
+# Fail test if command succeeds.
+# Issues a break in its parent on failure.
+proc chkfail { cmd } {
+ upvar test test
+ if [eval $cmd] {
+ verbose "unexpected success: $cmd"
+ fail $test
+ uplevel break
+ }
+}
+
+# wrapper to run command (actually usually sequence of commands)
+#
+# If any part of CMD throws an exception, set failall, otherwise pass.
+# If failall is already true, report unresolved.
+proc wraptest { test cmd } {
+ upvar failall failall
+ if $failall {
+ unresolved $test
+ return
+ }
+ if [catch $cmd] {
+ set failall 1
+ } else {
+ pass $test
+ }
+}
+
+# Set up the kerberos database.
+if {![get_hostname] \
+ || ![setup_kerberos_files] \
+ || ![setup_kerberos_env] \
+ || ![setup_kerberos_db 0]} {
+ return
+}
+
+set failall 0
+wraptest "nkeys=1, nhist=3" {
+ mustrun { addpol crashpol }
+ mustrun { modpol crashpol "-history 3"}
+ mustrun { addprinc crash 1111 }
+ mustrun { modprinc crash "-policy crashpol" }
+ chkpass { cpw crash 2222 }
+ chkfail { cpw crash 2222 }
+ chkfail { cpw crash 1111 }
+}
+verbose {old_keys [ 1111 ->[] ]}
+
+# The following will result in reading/writing past array bounds if
+# add_to_history() is not patched.
+#
+# NOTE: A pass from this test does not mean the bug isn't present;
+# check with Purify, valgrind, etc.
+wraptest "array bounds ok on nkeys=1, nhist 3->2" {
+ mustrun { modpol crashpol "-history 2" }
+ chkpass { cpw crash 3333 }
+}
+verbose {old_keys [ ->2222 ]}
+
+wraptest "verify nhist=2" {
+ mustrun { delprinc crash }
+ mustrun { addprinc crash 1111 }
+ mustrun { modprinc crash "-policy crashpol" }
+ chkpass { cpw crash 2222 }
+ chkfail { cpw crash 2222 }
+ chkfail { cpw crash 1111 }
+}
+verbose {old_keys [ ->1111 ]}
+
+# The following will fail if growing the history array causes an extra
+# key to be lost due to failure to shift entries.
+wraptest "grow nhist 2->3" {
+ mustrun { modpol crashpol "-history 3" }
+ chkpass { cpw crash 3333 }
+ chkfail { cpw crash 3333 }
+ chkfail { cpw crash 2222 }
+ chkfail { cpw crash 1111 }
+}
+verbose {old_keys [ 2222 ->1111 ]}
+
+wraptest "grow nhist 3->4" {
+ mustrun { modpol crashpol "-history 4" }
+ chkfail { cpw crash 3333 }
+ chkfail { cpw crash 2222 }
+ chkfail { cpw crash 1111 }
+ chkpass { cpw crash 4444 }
+ chkfail { cpw crash 3333 }
+ chkfail { cpw crash 2222 }
+ chkfail { cpw crash 1111 }
+}
+verbose {old_keys [ 2222 3333 ->1111 ]}
+wraptest "shrink nhist 4->3" {
+ mustrun { modpol crashpol "-history 3" }
+ chkfail { cpw crash 4444 }
+ chkfail { cpw crash 3333 }
+ chkfail { cpw crash 2222 }
+ chkfail { cpw crash 1111 }
+ chkpass { cpw crash 5555 }
+}
+verbose {old_keys [ 4444 ->3333 ]}
+wraptest "verify nhist=3" {
+ chkfail { cpw crash 5555 }
+ chkfail { cpw crash 4444 }
+ chkfail { cpw crash 3333 }
+ chkpass { cpw crash 2222 }
+}
+verbose {old_keys [ ->4444 5555 ]}
+wraptest "shrink nhist 3->2" {
+ mustrun { modpol crashpol "-history 2" }
+ chkfail { cpw crash 2222 }
+ chkfail { cpw crash 5555 }
+ chkfail { cpw crash 4444 }
+ chkpass { cpw crash 3333 }
+}
+verbose {old_keys [ ->2222 ]}
+
+delprinc crash
+delpol crashpol
+
+stop_kerberos_daemons
+2004-10-31 Tom Yu <tlyu@mit.edu>
+
+ * mkrel: Rework quoting for RELTAIL check. Don't check RELTAIL if
+ doing a "-current" snapshot.
+
2004-09-24 Tom Yu <tlyu@mit.edu>
* mkrel: Rework somewhat to handle patchlevel.h being the new
+2004-11-05 Ken Raeburn <raeburn@mit.edu>
+
+ * et_h.awk: Declare initialize_*_error_table as taking no
+ arguments.
+ * et_h.pl: Regenerated.
+
2004-10-07 Tom Yu <tlyu@mit.edu>
* et_c.awk, et_h.awk: Fix off-by-one error.
print "" > outfile
print "#if !defined(_WIN32)" > outfile
print "/* for compatibility with older versions... */" > outfile
- print "extern void initialize_" table_name "_error_table () /*@modifies internalState@*/;" > outfile
+ print "extern void initialize_" table_name "_error_table (void) /*@modifies internalState@*/;" > outfile
print "#else" > outfile
print "#define initialize_" table_name "_error_table()" > outfile
print "#endif" > outfile
&Pick('>', $outfile) &&
(print $fh 'extern void initialize_' . $table_name .
- '_error_table () /*@modifies internalState@*/;');
+ '_error_table (void) /*@modifies internalState@*/;');
&Pick('>', $outfile) &&
(print $fh '#else');
&Pick('>', $outfile) &&
if test "$KRB5_RELTAG" != $reltag; then
echo "WARNING: patchlevel.h '$KRB5_RELTAG' != $reltag"
fi
- if test "$KRB5_MAJOR_RELEASE" != $relmajor || \
- test "$KRB5_MINOR_RELEASE" != $relminor || \
- test "$KRB5_PATCHLEVEL" != $relpatch || \
- test "$KRB5_RELTAIL" != $reltail; then
+ if test "$KRB5_MAJOR_RELEASE" != "$relmajor" || \
+ test "$KRB5_MINOR_RELEASE" != "$relminor" || \
+ test "$KRB5_PATCHLEVEL" != "$relpatch" || \
+ ( test -n "$reltail" && \
+ test "$KRB5_RELTAIL" != "$reltail" ); then
echo "WARNING: patchlevel.h $KRB5_MAJOR_RELEASE.$KRB5_MINOR_RELEASE.$KRB5_PATCHLEVEL${KRB5_RELTAIL+-$KRB5_RELTAIL} != $relmajor.$relminor.$relpatch${reltail+-$reltail}"
fi
+2004-12-14 Ken Raeburn <raeburn@mit.edu>
+
+ * prof_tree.c (profile_node_iterator): When the iterator has a
+ current file, lock it, and unlock it before changing it or
+ returning.
+
+2004-11-04 Alexandra Ellwood <lxs@mit.edu>
+
+ * prof_init.c, profile.hin: added profile_is_modified
+ and profile_is_writable so that callers can check to see
+ if profile_release() will fail before calling it.
+
+2004-11-04 Alexandra Ellwood <lxs@mit.edu>
+
+ * prof_set.c: profile calls which set values should not fail
+ if file is not writable. You can now write to a different
+ file with profile_flush_to_file() or buffer with
+ profile_flush_to_buffer().
+
+2004-10-30 Ken Raeburn <raeburn@mit.edu>
+
+ * prof_int.h (STAT_ONCE_PER_SECOND): Define.
+ (struct _prf_data_t) [STAT_ONCE_PER_SECOND]: New field LAST_STAT.
+ * prof_file.c (scan_shared_trees_locked,
+ scan_shared_trees_unlocked): Redefine to do nothing for now.
+ (profile_update_file_data) [STAT_ONCE_PER_SECOND]: If the current
+ time is the same time as the last stat of the file, just return;
+ otherwise, save away the current time.
+
2004-10-26 Ken Raeburn <raeburn@mit.edu>
Permit exporting profile file data into a buffer.
static void profile_free_file_data(prf_data_t);
+#if 0
+
#define scan_shared_trees_locked() \
{ \
prf_data_t d; \
k5_mutex_unlock(&g_shared_trees_mutex); \
}
+#else
+
+#define scan_shared_trees_locked() { ; }
+#define scan_shared_trees_unlocked() { ; }
+
+#endif
+
static int rw_access(const_profile_filespec_t filespec)
{
#ifdef HAVE_ACCESS
errcode_t retval;
#ifdef HAVE_STAT
struct stat st;
+#ifdef STAT_ONCE_PER_SECOND
+ time_t now;
+#endif
#endif
FILE *f;
return retval;
#ifdef HAVE_STAT
+#ifdef STAT_ONCE_PER_SECOND
+ now = time(0);
+ if (now == data->last_stat) {
+ k5_mutex_unlock(&data->lock);
+ return 0;
+ }
+#endif
if (stat(data->filespec, &st)) {
retval = errno;
k5_mutex_unlock(&data->lock);
return retval;
}
+#ifdef STAT_ONCE_PER_SECOND
+ data->last_stat = now;
+#endif
if (st.st_mtime == data->timestamp) {
k5_mutex_unlock(&data->lock);
return 0;
return retval;
}
+errcode_t KRB5_CALLCONV
+profile_is_writable(profile_t profile, int *writable)
+{
+ if (!profile || profile->magic != PROF_MAGIC_PROFILE)
+ return PROF_MAGIC_PROFILE;
+
+ if (!writable)
+ return EINVAL;
+
+ if (profile->first_file)
+ *writable = (profile->first_file->data->flags & PROFILE_FILE_RW);
+
+ return 0;
+}
+
+errcode_t KRB5_CALLCONV
+profile_is_modified(profile_t profile, int *modified)
+{
+ if (!profile || profile->magic != PROF_MAGIC_PROFILE)
+ return PROF_MAGIC_PROFILE;
+
+ if (!modified)
+ return EINVAL;
+
+ if (profile->first_file)
+ *modified = (profile->first_file->data->flags & PROFILE_FILE_DIRTY);
+
+ return 0;
+}
+
errcode_t KRB5_CALLCONV
profile_flush(profile_t profile)
{
#include "com_err.h"
#include "profile.h"
+#define STAT_ONCE_PER_SECOND
+
#if defined(_WIN32)
#define SIZEOF_INT 4
#define SIZEOF_SHORT 2
k5_mutex_t lock;
char *comment;
struct profile_node *root;
+#ifdef STAT_ONCE_PER_SECOND
+ time_t last_stat;
+#endif
time_t timestamp; /* time tree was last updated from file */
int flags; /* r/w, dirty */
int upd_serial; /* incremented when data changes */
file = profile->first_file;
- if (!(file->data->flags & PROFILE_FILE_RW))
- return PROF_READ_ONLY;
-
retval = profile_lock_global();
if (retval)
return retval;
* If the file has changed, then the node pointer is invalid,
* so we'll have search the file again looking for it.
*/
+ if (iter->file) {
+ retval = k5_mutex_lock(&iter->file->data->lock);
+ if (retval)
+ return retval;
+ }
if (iter->node && (iter->file->data->upd_serial != iter->file_serial)) {
iter->flags &= ~PROFILE_ITER_FINAL_SEEN;
skip_num = iter->num;
iter->node = 0;
}
- if (iter->node && iter->node->magic != PROF_MAGIC_NODE)
+ if (iter->node && iter->node->magic != PROF_MAGIC_NODE) {
+ if (iter->file)
+ k5_mutex_unlock(&iter->file->data->lock);
return PROF_MAGIC_NODE;
+ }
get_new_file:
if (iter->node == 0) {
if (iter->file == 0 ||
(iter->flags & PROFILE_ITER_FINAL_SEEN)) {
+ if (iter->file)
+ k5_mutex_unlock(&iter->file->data->lock);
profile_node_iterator_free(iter_p);
if (ret_node)
*ret_node = 0;
*ret_value =0;
return 0;
}
+ k5_mutex_unlock(&iter->file->data->lock);
if ((retval = profile_update_file(iter->file))) {
if (retval == ENOENT || retval == EACCES) {
/* XXX memory leak? */
iter->file = iter->file->next;
+ if (iter->file) {
+ retval = k5_mutex_lock(&iter->file->data->lock);
+ if (retval) {
+ profile_node_iterator_free(iter_p);
+ return retval;
+ }
+ }
skip_num = 0;
retval = 0;
goto get_new_file;
return retval;
}
}
+ retval = k5_mutex_lock(&iter->file->data->lock);
+ if (retval) {
+ profile_node_iterator_free(iter_p);
+ return retval;
+ }
iter->file_serial = iter->file->data->upd_serial;
/*
* Find the section to list if we are a LIST_SECTION,
iter->flags |= PROFILE_ITER_FINAL_SEEN;
}
if (!section) {
+ k5_mutex_unlock(&iter->file->data->lock);
iter->file = iter->file->next;
+ if (iter->file) {
+ retval = k5_mutex_lock(&iter->file->data->lock);
+ if (retval) {
+ profile_node_iterator_free(iter_p);
+ return retval;
+ }
+ }
skip_num = 0;
goto get_new_file;
}
}
iter->num++;
if (!p) {
+ k5_mutex_unlock(&iter->file->data->lock);
iter->file = iter->file->next;
+ if (iter->file) {
+ retval = k5_mutex_lock(&iter->file->data->lock);
+ if (retval) {
+ profile_node_iterator_free(iter_p);
+ return retval;
+ }
+ }
iter->node = 0;
skip_num = 0;
goto get_new_file;
}
+ k5_mutex_unlock(&iter->file->data->lock);
if ((iter->node = p->next) == NULL)
iter->file = iter->file->next;
if (ret_node)
void KRB5_CALLCONV profile_free_buffer
(profile_t profile, char *buf);
+long KRB5_CALLCONV profile_is_writable
+ (profile_t profile, int *writable);
+long KRB5_CALLCONV profile_is_modified
+ (profile_t profile, int *modified);
+
void KRB5_CALLCONV profile_abandon
(profile_t profile);
+2004-12-15 Jeffrey Altman <jaltman@mit.edu>
+
+ * Makefile.in: rename krb5support_32.dll to k5sprt32.dll
+
2004-10-25 Ken Raeburn <raeburn@mit.edu>
* libkrb5support.exports: Export krb5int_fac, _lock_fac,
RELDIR=../util/support
##DOS##BUILDTOP = ..\..
-##DOS##LIBNAME=$(OUTPRE)krb5support_32.lib
+##DOS##LIBNAME=$(OUTPRE)k5sprt32.lib
##DOS##XTRA=
-##DOS##OBJFILE=$(OUTPRE)krb5support_32.lst
+##DOS##OBJFILE=$(OUTPRE)k5sprt32.lst
SED = sed
+2004-12-15 Jeffrey Altman <jaltman@mit.edu>
+
+ * version.rc: rename krb5support.dll to k5sprt32.dll
+
2004-09-30 Jeffrey Altman <jaltman@mit.edu>
* version.rc: Add pismere condition resource strings
+2004-12-18 Jeffrey Altman <jaltman@mit.edu>
+
+* kfw-fixed.nsi:
+ Add "Debug Symbols" as a new category. It defaults to on
+ in debug builds and off in release builds.
+
+2004-12-15 Jeffrey Altman <jaltman@mit.edu>
+
+* kfw-fixed.nsi
+ Add kcpytkt.exe, kdeltkt.exe, k5sprt32.dll, mit2ms.exe
+
2004-09-17 Jeffrey Altman <jaltman@mit.edu>
* kfw-fixed.nsi:
LangString DESC_secClient ${LANG_ENGLISH} "Client: Allows you to utilize MIT Kerberos from your Windows PC."
+ LangString DESC_secDebug ${LANG_ENGLISH} "Debug Symbols: Used for debugging problems with MIT Kerberos for Windows"
+
LangString DESC_secSDK ${LANG_ENGLISH} "SDK: Allows you to build MIT Kerberos aware applications."
LangString DESC_secDocs ${LANG_ENGLISH} "Documentation: Release Notes and User Manuals."
!insertmacro ReplaceDLL "${KFW_BIN_DIR}\kpasswd.exe" "$INSTDIR\bin\kpasswd.exe" "$INSTDIR"
!insertmacro ReplaceDLL "${KFW_BIN_DIR}\kvno.exe" "$INSTDIR\bin\kvno.exe" "$INSTDIR"
!insertmacro ReplaceDLL "${KFW_BIN_DIR}\krb5_32.dll" "$INSTDIR\bin\krb5_32.dll" "$INSTDIR"
+ !insertmacro ReplaceDLL "${KFW_BIN_DIR}\k5sprt32.dll" "$INSTDIR\bin\k5sprt32.dll" "$INSTDIR"
!insertmacro ReplaceDLL "${KFW_BIN_DIR}\krb524.dll" "$INSTDIR\bin\krb524.dll" "$INSTDIR"
!insertmacro ReplaceDLL "${KFW_BIN_DIR}\krbcc32.dll" "$INSTDIR\bin\krbcc32.dll" "$INSTDIR"
!insertmacro ReplaceDLL "${KFW_BIN_DIR}\krbcc32s.exe" "$INSTDIR\bin\krbcc32s.exe" "$INSTDIR"
!endif
!insertmacro ReplaceDLL "${KFW_BIN_DIR}\leashw32.dll" "$INSTDIR\bin\leashw32.dll" "$INSTDIR"
!insertmacro ReplaceDLL "${KFW_BIN_DIR}\ms2mit.exe" "$INSTDIR\bin\ms2mit.exe" "$INSTDIR"
+ !insertmacro ReplaceDLL "${KFW_BIN_DIR}\mit2ms.exe" "$INSTDIR\bin\mit2ms.exe" "$INSTDIR"
+ !insertmacro ReplaceDLL "${KFW_BIN_DIR}\kcpytkt.exe" "$INSTDIR\bin\kcpytkt.exe" "$INSTDIR"
+ !insertmacro ReplaceDLL "${KFW_BIN_DIR}\kdeltkt.exe" "$INSTDIR\bin\kdeltkt.exe" "$INSTDIR"
!insertmacro ReplaceDLL "${KFW_BIN_DIR}\wshelp32.dll" "$INSTDIR\bin\wshelp32.dll" "$INSTDIR"
!insertmacro ReplaceDLL "${KFW_BIN_DIR}\xpprof32.dll" "$INSTDIR\bin\xpprof32.dll" "$INSTDIR"
!ifdef DEBUG
- File "${KFW_BIN_DIR}\aklog.pdb"
- File "${KFW_BIN_DIR}\comerr32.pdb"
- File "${KFW_BIN_DIR}\gss.pdb"
- File "${KFW_BIN_DIR}\gss-client.pdb"
- File "${KFW_BIN_DIR}\gss-server.pdb"
- File "${KFW_BIN_DIR}\gssapi32.pdb"
- File "${KFW_BIN_DIR}\k524init.pdb"
- File "${KFW_BIN_DIR}\kclnt32.pdb"
- File "${KFW_BIN_DIR}\kdestroy.pdb"
- File "${KFW_BIN_DIR}\kinit.pdb"
- File "${KFW_BIN_DIR}\klist.pdb"
- File "${KFW_BIN_DIR}\kpasswd.pdb"
- File "${KFW_BIN_DIR}\kvno.pdb"
- File "${KFW_BIN_DIR}\krb5_32.pdb"
- File "${KFW_BIN_DIR}\krb524.pdb"
- File "${KFW_BIN_DIR}\krbcc32.pdb"
- File "${KFW_BIN_DIR}\krbcc32s.pdb"
- File "${KFW_BIN_DIR}\krbv4w32.pdb"
- File "${KFW_BIN_DIR}\leashw32.pdb"
- File "${KFW_BIN_DIR}\leash32.pdb"
- File "${KFW_BIN_DIR}\ms2mit.pdb"
- File "${KFW_BIN_DIR}\wshelp32.pdb"
- File "${KFW_BIN_DIR}\xpprof32.pdb"
-
!IFDEF CL_1400
!insertmacro ReplaceDLL "${SYSTEMDIR}\msvcr80d.dll" "$INSTDIR\bin\msvcr80d.dll" "$INSTDIR"
- File "${SYSTEMDIR}\msvcr80d.pdb"
!insertmacro ReplaceDLL "${SYSTEMDIR}\msvcp80d.dll" "$INSTDIR\bin\msvcp80d.dll" "$INSTDIR"
- File "${SYSTEMDIR}\msvcp80d.pdb"
!insertmacro ReplaceDLL "${SYSTEMDIR}\mfc80d.dll" "$INSTDIR\bin\mfc80d.dll" "$INSTDIR"
- File "${SYSTEMDIR}\mfc80d.pdb"
!insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80CHS.DLL" "$INSTDIR\bin\MFC80CHS.DLL" "$INSTDIR"
!insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80CHT.DLL" "$INSTDIR\bin\MFC80CHT.DLL" "$INSTDIR"
!insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80DEU.DLL" "$INSTDIR\bin\MFC80DEU.DLL" "$INSTDIR"
!ELSE
!IFDEF CL_1310
!insertmacro ReplaceDLL "${SYSTEMDIR}\msvcr71d.dll" "$INSTDIR\bin\msvcr71d.dll" "$INSTDIR"
- File "${SYSTEMDIR}\msvcr71d.pdb"
!insertmacro ReplaceDLL "${SYSTEMDIR}\msvcp71d.dll" "$INSTDIR\bin\msvcp71d.dll" "$INSTDIR"
- File "${SYSTEMDIR}\msvcp71d.pdb"
!insertmacro ReplaceDLL "${SYSTEMDIR}\mfc71d.dll" "$INSTDIR\bin\mfc71d.dll" "$INSTDIR"
- File "${SYSTEMDIR}\mfc71d.pdb"
!insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71CHS.DLL" "$INSTDIR\bin\MFC71CHS.DLL" "$INSTDIR"
!insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71CHT.DLL" "$INSTDIR\bin\MFC71CHT.DLL" "$INSTDIR"
!insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71DEU.DLL" "$INSTDIR\bin\MFC71DEU.DLL" "$INSTDIR"
!ELSE
!IFDEF CL_1300
!insertmacro ReplaceDLL "${SYSTEMDIR}\msvcr70d.dll" "$INSTDIR\bin\msvcr70d.dll" "$INSTDIR"
- File "${SYSTEMDIR}\msvcr70d.pdb"
!insertmacro ReplaceDLL "${SYSTEMDIR}\msvcp70d.dll" "$INSTDIR\bin\msvcp70d.dll" "$INSTDIR"
- File "${SYSTEMDIR}\msvcp70d.pdb"
!insertmacro ReplaceDLL "${SYSTEMDIR}\mfc70d.dll" "$INSTDIR\bin\mfc70d.dll" "$INSTDIR"
- File "${SYSTEMDIR}\mfc70d.pdb"
!insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70CHS.DLL" "$INSTDIR\bin\MFC70CHS.DLL" "$INSTDIR"
!insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70CHT.DLL" "$INSTDIR\bin\MFC70CHT.DLL" "$INSTDIR"
!insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70DEU.DLL" "$INSTDIR\bin\MFC70DEU.DLL" "$INSTDIR"
!insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70KOR.DLL" "$INSTDIR\bin\MFC70KOR.DLL" "$INSTDIR"
!ELSE
!insertmacro ReplaceDLL "${SYSTEMDIR}\mfc42d.dll" "$INSTDIR\bin\mfc42d.dll" "$INSTDIR"
- File "${SYSTEMDIR}\mfc42d.pdb"
!insertmacro ReplaceDLL "${SYSTEMDIR}\msvcp60d.dll" "$INSTDIR\bin\msvcp60d.dll" "$INSTDIR"
- File "${SYSTEMDIR}\msvcp60d.pdb"
!insertmacro ReplaceDLL "${SYSTEMDIR}\msvcrtd.dll" "$INSTDIR\bin\msvcrtd.dll" "$INSTDIR"
- File "${SYSTEMDIR}\msvcrtd.pdb"
!ENDIF
!ENDIF
!ENDIF
WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kvno" "Flags" 0x408
WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\ms2mit" "Flags" 0x408
WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\mit2ms" "Flags" 0x408
+ WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\mit2ms" "Flags" 0x408
WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kcpytkt" "Flags" 0x408
WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kdeltkt" "Flags" 0x408
WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\k95" "Flags" 0x408
SectionEnd
+Section "Debug Symbols" secDebug
+
+ SetOutPath "$INSTDIR\bin"
+ File "${KFW_BIN_DIR}\aklog.pdb"
+ File "${KFW_BIN_DIR}\comerr32.pdb"
+ File "${KFW_BIN_DIR}\gss.pdb"
+ File "${KFW_BIN_DIR}\gss-client.pdb"
+ File "${KFW_BIN_DIR}\gss-server.pdb"
+ File "${KFW_BIN_DIR}\gssapi32.pdb"
+ File "${KFW_BIN_DIR}\k524init.pdb"
+ File "${KFW_BIN_DIR}\kclnt32.pdb"
+ File "${KFW_BIN_DIR}\kdestroy.pdb"
+ File "${KFW_BIN_DIR}\kinit.pdb"
+ File "${KFW_BIN_DIR}\klist.pdb"
+ File "${KFW_BIN_DIR}\kpasswd.pdb"
+ File "${KFW_BIN_DIR}\kvno.pdb"
+ File "${KFW_BIN_DIR}\krb5_32.pdb"
+ File "${KFW_BIN_DIR}\k5sprt32.pdb"
+ File "${KFW_BIN_DIR}\krb524.pdb"
+ File "${KFW_BIN_DIR}\krbcc32.pdb"
+ File "${KFW_BIN_DIR}\krbcc32s.pdb"
+ File "${KFW_BIN_DIR}\krbv4w32.pdb"
+ File "${KFW_BIN_DIR}\leashw32.pdb"
+ File "${KFW_BIN_DIR}\leash32.pdb"
+ File "${KFW_BIN_DIR}\ms2mit.pdb"
+ File "${KFW_BIN_DIR}\mit2ms.pdb"
+ File "${KFW_BIN_DIR}\kcpytkt.pdb"
+ File "${KFW_BIN_DIR}\kdeltkt.pdb"
+ File "${KFW_BIN_DIR}\wshelp32.pdb"
+ File "${KFW_BIN_DIR}\xpprof32.pdb"
+
+!IFDEF DEBUG
+!IFDEF CL_1400
+ File "${SYSTEMDIR}\msvcr80d.pdb"
+ File "${SYSTEMDIR}\msvcp80d.pdb"
+ File "${SYSTEMDIR}\mfc80d.pdb"
+!ELSE
+!IFDEF CL_1310
+ File "${SYSTEMDIR}\msvcr71d.pdb"
+ File "${SYSTEMDIR}\msvcp71d.pdb"
+ File "${SYSTEMDIR}\mfc71d.pdb"
+!ELSE
+!IFDEF CL_1300
+ File "${SYSTEMDIR}\msvcr70d.pdb"
+ File "${SYSTEMDIR}\msvcp70d.pdb"
+ File "${SYSTEMDIR}\mfc70d.pdb"
+!ELSE
+ File "${SYSTEMDIR}\mfc42d.pdb"
+ File "${SYSTEMDIR}\msvcp60d.pdb"
+ File "${SYSTEMDIR}\msvcrtd.pdb"
+!ENDIF
+!ENDIF
+!ENDIF
+!ENDIF
+
+SectionEnd
+
;----------------------
; Kerberos for Windows SDK
Section "KfW SDK" secSDK
no_remove_uninstaller:
contInstall:
+ ; Never install debug symbols unless explicitly selected, except in DEBUG mode
+!IFNDEF DEBUG
+ SectionGetFlags ${secDebug} $0
+ IntOp $0 $0 & ${SECTION_OFF}
+ SectionSetFlags ${secDebug} $0
+!ELSE
+ SectionGetFlags ${secDebug} $0
+ IntOp $0 $0 | ${SF_SELECTED}
+ SectionSetFlags ${secDebug} $0
+!ENDIF
+
; Our logic should be like this.
; 1) If no KfW components are installed, we do a clean install with default options. (Client/Docs)
; 2) If existing modules are installed, we keep them selected
!insertmacro MUI_DESCRIPTION_TEXT ${secClient} $(DESC_secClient)
!insertmacro MUI_DESCRIPTION_TEXT ${secSDK} $(DESC_secSDK)
!insertmacro MUI_DESCRIPTION_TEXT ${secDocs} $(DESC_secDocs)
+ !insertmacro MUI_DESCRIPTION_TEXT ${secDebug} $(DESC_secDebug)
!insertmacro MUI_FUNCTION_DESCRIPTION_END
;--------------------------------
Delete /REBOOTOK "$INSTDIR\bin\kpasswd.exe"
Delete /REBOOTOK "$INSTDIR\bin\kvno.exe"
Delete /REBOOTOK "$INSTDIR\bin\krb5_32.dll"
+ Delete /REBOOTOK "$INSTDIR\bin\k5sprt32.dll"
Delete /REBOOTOK "$INSTDIR\bin\krb524.dll"
Delete /REBOOTOK "$INSTDIR\bin\krbcc32.dll"
Delete /REBOOTOK "$INSTDIR\bin\krbcc32s.exe"
!endif
Delete /REBOOTOK "$INSTDIR\bin\leashw32.dll"
Delete /REBOOTOK "$INSTDIR\bin\ms2mit.exe"
+ Delete /REBOOTOK "$INSTDIR\bin\mit2ms.exe"
+ Delete /REBOOTOK "$INSTDIR\bin\kcpytkt.exe"
+ Delete /REBOOTOK "$INSTDIR\bin\kdeltkt.exe"
Delete /REBOOTOK "$INSTDIR\bin\wshelp32.dll"
Delete /REBOOTOK "$INSTDIR\bin\xpprof32.dll"
-!IFDEF DEBUG
Delete /REBOOTOK "$INSTDIR\bin\aklog.pdb"
Delete /REBOOTOK "$INSTDIR\bin\comerr32.pdb"
Delete /REBOOTOK "$INSTDIR\bin\gss.pdb"
Delete /REBOOTOK "$INSTDIR\bin\kpasswd.pdb"
Delete /REBOOTOK "$INSTDIR\bin\kvno.pdb"
Delete /REBOOTOK "$INSTDIR\bin\krb5_32.pdb"
+ Delete /REBOOTOK "$INSTDIR\bin\k5sprt32.pdb"
Delete /REBOOTOK "$INSTDIR\bin\krb524.pdb"
Delete /REBOOTOK "$INSTDIR\bin\krbcc32.pdb"
Delete /REBOOTOK "$INSTDIR\bin\krbcc32s.pdb"
Delete /REBOOTOK "$INSTDIR\bin\krbv4w32.pdb"
Delete /REBOOTOK "$INSTDIR\bin\leashw32.pdb"
Delete /REBOOTOK "$INSTDIR\bin\ms2mit.pdb"
+ Delete /REBOOTOK "$INSTDIR\bin\mit2ms.pdb"
+ Delete /REBOOTOK "$INSTDIR\bin\kcpytkt.pdb"
+ Delete /REBOOTOK "$INSTDIR\bin\kdeltkt.pdb"
Delete /REBOOTOK "$INSTDIR\bin\wshelp32.pdb"
Delete /REBOOTOK "$INSTDIR\bin\xpprof32.pdb"
+!IFDEF DEBUG
!IFDEF CL_1400
Delete /REBOOTOK "$INSTDIR\bin\msvcr80d.dll"
Delete /REBOOTOK "$INSTDIR\bin\msvcr80d.pdb"
+2004-12-18 Jeffrey Altman <jaltman@mit.edu>
+
+ Add Debug Symbols as an optional install feature for
+ release builds of KFW
+
+2004-12-15 Jeffrey Altman <jaltman@mit.edu>
+
+ Add kcpytkt.exe, kdeltkt.exe, k5sprt32.dll mit2ms.exe
+
+ Update to Wix 2.1 installer
+
2004-09-16 Jeffrey Altman <jaltman@mit.edu>
Remove trailing slash from PATH
<?include lang\config_$(var.BuildLang).wxi?>
+ <!-- Parameters for the features containing debug symbols -->
+ <?ifdef DebugSyms?>
+ <?ifdef Debug?>
+ <?define DebugSymInstallDefault="followParent"?>
+ <?define DebugSymLowLevel="30"?>
+ <?define DebugSymHighLevel="130"?>
+ <?else?>
+ <?define DebugSymInstallDefault="followParent"?>
+ <?define DebugSymLowLevel="130"?>
+ <?define DebugSymHighLevel="130"?>
+ <?endif?>
+ <?endif?>
+
<!-- Configuration macros -->
<?ifndef LeashAfsStatus?>
<?define LeashAfsStatus="1"?>
Description="$(loc.KerberosClientDesc)"
InstallDefault="local"
Title="$(loc.KerberosClientTitle)"
- FollowParent="yes"
Level="30">
+ <?ifdef DebugSyms?>
+ <Feature
+ Id="feaKfwClientDebug"
+ AllowAdvertise="no"
+ Description="$(loc.StrKerberosClientDebugDesc)"
+ Display="expand"
+ InstallDefault="$(var.DebugSymInstallDefault)"
+ Level="$(var.DebugSymLowLevel)"
+ Title="$(loc.StrKerberosClientDebugTitle)">
+ <ComponentRef Id="cmf_bin_debug"/>
+ </Feature>
+ <?endif?>
+
<ComponentRef Id="cmf_aklog_exe" />
<ComponentRef Id="cmf_comerr32_dll" />
<ComponentRef Id="cmf_gss_exe" />
<ComponentRef Id="cmf_k524init_exe" />
<ComponentRef Id="cmf_kclnt32_dll" />
<ComponentRef Id="cmf_kdestroy_exe" />
+ <ComponentRef Id="cmf_kcpytkt_exe" />
+ <ComponentRef Id="cmf_kdeltkt_exe" />
<ComponentRef Id="cmf_kinit_exe" />
<ComponentRef Id="cmf_klist_exe" />
<ComponentRef Id="cmf_kpasswd_exe" />
<ComponentRef Id="cmf_kvno_exe" />
<ComponentRef Id="cmf_krb5_32_dll" />
+ <ComponentRef Id="cmf_k5sprt32_dll" />
<ComponentRef Id="cmf_krb524_dll" />
<ComponentRef Id="cmf_krbcc32_dll" />
<ComponentRef Id="cmf_krbcc32s_exe" />
<ComponentRef Id="rcm_leashdll_17" />
<ComponentRef Id="cmf_ms2mit_exe" />
+ <ComponentRef Id="cmf_mit2ms_exe" />
<ComponentRef Id="cmf_wshelp32_dll" />
<ComponentRef Id="cmf_xpprof32_dll" />
- <?ifdef Debug?>
- <ComponentRef Id="cmf_bin_debug"/>
- <?endif?>
-
<ComponentRef Id="cmf_psapi_dll" />
<?ifndef Debug?>
<Registry Id="reg_ts_kdestroy_0" Root="HKLM" Key="Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kdestroy" Action="createKeyAndRemoveKeyOnUninstall" />
<Registry Id="reg_ts_kdestroy_1" Root="HKLM" Key="Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kdestroy" Name="Flags" Type="integer" Value="1032" />
</Component>
+ <Component Id="cmf_kcpytkt_exe" Guid="6B20E57C-0033-4dcf-B3C9-74ED0B2CF46E" DiskId="1">
+ <File Id="fil_kcpytkt_exe" LongName="kcpytkt.exe" Name="kcpytkt.exe" KeyPath="yes" />
+ <Registry Id="reg_ts_kcpytkt_0" Root="HKLM" Key="Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kcpytkt" Action="createKeyAndRemoveKeyOnUninstall" />
+ <Registry Id="reg_ts_kcpytkt_1" Root="HKLM" Key="Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kcpytkt" Name="Flags" Type="integer" Value="1032" />
+ </Component>
+ <Component Id="cmf_kdeltkt_exe" Guid="C7528C87-9B61-439a-8EA8-AD4BE3D758F9" DiskId="1">
+ <File Id="fil_kdeltkt_exe" LongName="kdeltkt.exe" Name="kdeltkt.exe" KeyPath="yes" />
+ <Registry Id="reg_ts_kdeltkt_0" Root="HKLM" Key="Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kdeltkt" Action="createKeyAndRemoveKeyOnUninstall" />
+ <Registry Id="reg_ts_kdeltkt_1" Root="HKLM" Key="Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kdeltkt" Name="Flags" Type="integer" Value="1032" />
+ </Component>
<Component Id="cmf_kinit_exe" Guid="80643A09-EF28-4714-BC62-B64FC5B17CAA" DiskId="1">
<File Id="fil_kinit_exe" LongName="kinit.exe" Name="kinit.exe" KeyPath="yes" />
<Registry Id="reg_ts_kinit_0" Root="HKLM" Key="Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kinit" Action="createKeyAndRemoveKeyOnUninstall" />
<File Id="fil_krb5_32_dll" LongName="krb5_32.dll" Name="krb5_32.dll" KeyPath="yes" />
<Environment Id="env_kclient_path" Action="set" Name="PATH" Part="last" System="yes" Value="[KERBEROSDIR]bin" />
</Component>
+ <Component Id="cmf_k5sprt32_dll" Guid="F2381331-9201-4c02-866F-2038676771D4" DiskId="1">
+ <File Id="fil_k5sprt32_dll" LongName="k5sprt32.dll" Name="k5sprt32.dll" />
+ </Component>
<Component Id="cmf_krb524_dll" Guid="98685874-A9AA-4BC5-9830-271D9CF52C17" DiskId="1">
<File Id="fil_krb524_dll" LongName="krb524.dll" Name="krb524.dll" KeyPath="yes" />
</Component>
<Registry Id="reg_ts_ms2mit_0" Root="HKLM" Key="Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\ms2mit" Action="createKeyAndRemoveKeyOnUninstall" />
<Registry Id="reg_ts_ms2mit_1" Root="HKLM" Key="Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\ms2mit" Name="Flags" Type="integer" Value="1032" />
</Component>
+ <Component Id="cmf_mit2ms_exe" Guid="4F487781-5B55-48c1-A3FA-8BC6ECA4FEA1" DiskId="1">
+ <File Id="fil_mit2ms_exe" LongName="mit2ms.exe" Name="mit2ms.exe" KeyPath="yes" />
+ <Registry Id="reg_ts_mit2ms_0" Root="HKLM" Key="Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\mit2ms" Action="createKeyAndRemoveKeyOnUninstall" />
+ <Registry Id="reg_ts_mit2ms_1" Root="HKLM" Key="Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\mit2ms" Name="Flags" Type="integer" Value="1032" />
+ </Component>
<Component Id="cmf_wshelp32_dll" Guid="B9D9F5F1-CA93-4F56-B6F8-343F21484CDE" DiskId="1">
<File Id="fil_wshelp32_dll" LongName="wshelp32.dll" Name="wshelp32.dll" KeyPath="yes" />
</Component>
<File Id="fil_k524init_pdb" LongName="k524init.pdb" Name="k524init.pdb" />
<File Id="fil_kclnt32_pdb" LongName="kclnt32.pdb" Name="kclnt32.pdb" />
<File Id="fil_kdestroy_pdb" LongName="kdestroy.pdb" Name="kdestroy.pdb" />
+ <File Id="fil_kcpytkt_pdb" LongName="kcpytkt.pdb" Name="kcpytkt.pdb" />
+ <File Id="fil_kdeltkt_pdb" LongName="kdeltkt.pdb" Name="kdeltkt.pdb" />
<File Id="fil_kinit_pdb" LongName="kinit.pdb" Name="kinit.pdb" />
<File Id="fil_klist_pdb" LongName="klist.pdb" Name="klist.pdb" />
<File Id="fil_kpasswd_pdb" LongName="kpasswd.pdb" Name="kpasswd.pdb" />
<File Id="fil_kvno_pdb" LongName="kvno.pdb" Name="kvno.pdb" />
<File Id="fil_krb5_32_pdb" LongName="krb5_32.pdb" Name="krb5_32.pdb" KeyPath="yes" />
+ <File Id="fil_k5sprt32_pdb" LongName="k5sprt32.pdb" Name="k5sprt32.pdb" />
<File Id="fil_krb524_pdb" LongName="krb524.pdb" Name="krb524.pdb" />
<File Id="fil_krbcc32_pdb" LongName="krbcc32.pdb" Name="krbcc32.pdb" />
<File Id="fil_krbcc32s_pdb" LongName="krbcc32s.pdb" Name="krbcc32s.pdb" />
<File Id="fil_leash32_pdb" LongName="leash32.pdb" Name="leash32.pdb" />
<File Id="fil_leashw32_pdb" LongName="leashw32.pdb" Name="leashw32.pdb" />
<File Id="fil_ms2mit_pdb" LongName="ms2mit.pdb" Name="ms2mit.pdb" />
+ <File Id="fil_mit2ms_pdb" LongName="mit2ms.pdb" Name="mit2ms.pdb" />
<File Id="fil_wshelp32_pdb" LongName="wshelp32.pdb" Name="wshelp32.pdb" />
<File Id="fil_xpprof32_pdb" LongName="xpprof32.pdb" Name="xpprof32.pdb" />
</Component>
</Directory>
<Directory Id="ProgramMenuFolder">
- <Directory Id="dirShortcut" LongName="$(loc.ProductName)" Name="$(loc.ProductNameShort)">
+ <Directory Id="dirShortcut" LongName="$(loc.ProductName)" Name="KFW">
</Directory>
</Directory>
<Directory Id="StartupFolder">
+2004-12-18 Jeffrey Altman <jaltman@mit.edu>
+
+ Add Debug Symbols as an optional install feature for
+ release builds of KFW2004-08-20 Jeffrey Altman <jaltman@mit.edu>
+
+2004-12-15 Jeffrey Altman <jaltman@mit.edu>
+
+ Update for WiX 2.1 installer
+
2004-08-20 Asanka Herath <asanka@mit.edu>
New WiX 2.0 MSI for KFW
\ No newline at end of file
-->
<String Id="ProductName">Kerberos for Windows</String>
- <String Id="ProductNameShort">Kerberos</String>
+ <String Id="ProductNameShort">KFW</String>
<String Id="ProductMIT">MIT</String>
<String Id="ProductDebug">Debug/Checked</String>
<String Id="ProductBeta">Beta</String>
<String Id="KerberosClientTitle">Client</String>
<String Id="KerberosClientDesc">Kerberos client utilities, libraries and documentation</String>
+ <String Id="StrKerberosClientDebugTitle">Debug symbols</String>
+ <String Id="StrKerberosClientDebugDesc">Debugging symbols for Kerberos for Windows components.</String>
+
<String Id="KerberosSDKTitle">SDK</String>
<String Id="KerberosSDKDesc">Libraries and header files for developing software with Kerberos</String>
<String Id="IE501Required">Kerberos for Windows requires Microsoft Internet Explorer version 5.01 or higher. Please resolve this and run the installer again.</String>
<String Id="ARPComments">Build of</String>
-
+
</WixLocalization>
\ No newline at end of file
<!-- TargetDir should point to build target directory and must end with
a backslash. If not specified, assume we are in TargetDir\install -->
- <?define TargetDir="d:\work\kfwbins\"?>
+ <?define TargetDir="c:\temp\kfw\kfw-2.6.6-alpha\"?>
<!-- ConfigDir should point to directory containing configuration files
(krb5.ini, krb.con, krbrealm.con) to be bundled with the installer.
The directory name should end with a backslash. -->
- <?define ConfigDir="$(env.SystemRoot)\"?>
+ <?define ConfigDir="c:\temp\kfw\kfw-2.5-extra\sample-config\"?>
<!-- VersionMajor, VersionMinor and VersionPatch must all be specified, or
none should be specified (in which case, the defaults will be
<!-- At most one of the following could be defined and must correspond
to the type of build performed. -->
- <!-- <?define Debug?> -->
- <?define Release?>
-
+ <?define Debug?>
+ <!-- <?define Release?> -->
+
+ <!-- We are including debug symbols anyway. Undefine this for a leaner installer without debug syms. -->
+ <?define DebugSyms?>
+
<!-- Optional defines -->
- <!-- <?define Beta=""?> --> <!-- Numeric Beta identifier -->
+ <?define Beta="1"?> <!-- Numeric Beta identifier -->
<!-- <?define OldHelp?> --> <!-- Specifies the use of the old leash32.hlp file
instead of the new leash32.chm file -->
<?ifndef VersionMajor?>
<?define VersionMajor="2"?>
<?define VersionMinor="6"?>
- <?define VersionPatch="0001"?>
+ <?define VersionPatch="6"?>
<?else?>
<?if Not ($(var.VersionMinor) And $(var.VersionPatch))?>
<?error VersionMajor, VersionMinor and VersionPatch should be specified together?>
#if !defined(_WIN32)
#error not win32??
#else
-#define K5_ORIGINAL_NAME "krb5support32.dll\0"
+#define K5_ORIGINAL_NAME "k5sprt32.dll\0"
#endif
#endif /* support */
projects / krb5.git / commitdiff