Jeffrey Altman [Sun, 1 Feb 2004 05:40:48 +0000 (05:40 +0000)]
* Do not perform ticket importing if the initial TGT is not available
from the MSLSA krb5_ccache. This will be the case if the session key
enctype is NULL. (AllowTGTSessionKey regkey = 0)
ticket: new
target: 1.3.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15994
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Sun, 1 Feb 2004 01:48:22 +0000 (01:48 +0000)]
* cc_mslsa.c: optimize the get_next logic by storing a handle to the
MS TGT in the lcc_cursor data structure
ticket:new
tags: pullup
target_version: 1.3.2
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15993
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 31 Jan 2004 23:32:18 +0000 (23:32 +0000)]
* gss-misc.c: Include sys/time.h or time.h, to get struct timeval declaration
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15992
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Sat, 31 Jan 2004 09:29:13 +0000 (09:29 +0000)]
Do not export tickets from the LSA if they contain NULL session keys.
This is primarily to prevent unusable TGTs from being imported into the
MIT Credential Cache
ticket: 2153
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15991
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Sat, 31 Jan 2004 01:40:58 +0000 (01:40 +0000)]
2004-01-30 Jeffrey Altman <jaltman@mit.edu>
* cc_mslsa.c: As per extensive conversations with Doug Engert we have
concluded that MS is not specifying a complete set of domain information
when it comes to service tickets other than the initial TGT. What happens
is the client principal domain cannot be derived from the fields they
export. Code has now been added to obtain the domain from the initial
TGT and use that when constructing the client principals for all tickets.
This behavior can be turned off by setting a registry either on a per-user
or a system-wide basis:
{HKCU,HKLM}\Software\MIT\Kerberos5
PreserveInitialTicketIdentity = 0x0 (DWORD)
ticket: 2139
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15990
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Sat, 31 Jan 2004 00:46:38 +0000 (00:46 +0000)]
Add support for Addressless Ticket Checkbox. Applied patch from Doug Engert
ticket: 982
tags: pullup
target_version: 1.3.2
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15989
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Sat, 31 Jan 2004 00:31:33 +0000 (00:31 +0000)]
2004-01-30 Jeffrey Altman <jaltman@mit.edu>
Update the README file to include details on the new Windows registry
key necessary to access the TGT session key when importing from MSLSA.
Also, include compatibility details regarding the gss sample client and
the Microsoft Platform SDK distributed versions.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15988
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Sat, 31 Jan 2004 00:00:51 +0000 (00:00 +0000)]
A near complete re-write of the gss sample client on windows. Supports the
current protocol implemented in the Unix gss sample applications as well as
a new User Interface making this one neat testing tool.
There are still many little kinks to get out in a future version. The sliders
for the Call Count and the Message Count do not have text strings indicating
their current value. They slide from 1 to 20. And the known Mechanism
strings should be accessible in the drop down list.
A documentation file on how to use the tool would be a good addition.
ticket: 2144
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15987
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Fri, 30 Jan 2004 23:52:07 +0000 (23:52 +0000)]
Address issues discovered while testing updated Windows gss sample client.
A Missing parameter to a sign_server call in gss-server.c and the need for
a select() call in read_all() to prevent blocking indefinitely.
ticket: new
target_version: 1.3.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15986
dc483132-0cff-0310-8789-
dd5450dbe970
Alexandra Ellwood [Fri, 30 Jan 2004 21:41:20 +0000 (21:41 +0000)]
prof-int.h should include pthread.h when USE_PTHREADS is defined
ticket: 2180
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15985
dc483132-0cff-0310-8789-
dd5450dbe970
Alexandra Ellwood [Fri, 30 Jan 2004 21:33:16 +0000 (21:33 +0000)]
Updated for new source files in krb5
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15984
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Tue, 27 Jan 2004 06:41:26 +0000 (06:41 +0000)]
need more testing support for MS
This should allow use of the CFX_EXERCISE code to better check interoperability
of MS and MIT code with regard to future extensibility.
* init_sec_context.c (make_gss_checksum) [CFX_EXERCISE]: Don't crash on null
pointer in debugging code.
(new_connection): Disable CFX_EXERCISE unknown-token-id case detection.
* accept_sec_context.c (krb5_gss_accept_sec_context) [CFX_EXERCISE]: Log to
/tmp/gsslog whether delegation or extra option bytes were present.
ticket: new
target_version: 1.3.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15983
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 7 Jan 2004 23:24:54 +0000 (23:24 +0000)]
update for krb5-1.3.2-beta1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15978
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Wed, 7 Jan 2004 00:07:14 +0000 (00:07 +0000)]
fix typos
ticket: 2106
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15975
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Tue, 6 Jan 2004 23:21:13 +0000 (23:21 +0000)]
Add stub function implementations to support krb5_cc_remove_cred() which
would cause a null pointer dereference if called. The new KRB5_CC_NOSUPP
error is returned to indicate the lack of implementation.
ticket: 2106
target_version: 1.3.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15974
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Mon, 5 Jan 2004 21:42:34 +0000 (21:42 +0000)]
Only backdate the ticket that is created. The KDC reply must contain
the time from the client's request or the client will fail its
clockskew check if the request is backdated too far.
Ticket: 2058
Target_Version: 1.3.2
Tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15965
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Mon, 5 Jan 2004 21:12:23 +0000 (21:12 +0000)]
* init_sec_context.c: Include auth_con.h if CFX_EXERCISE is defined.
(make_gss_checksum) [CFX_EXERCISE]: If the key enctype is aes256, insert some
stuff after the delegation slot.
(new_connection) [CFX_EXERCISE]: Don't send messages with bogus token ids.
* accept_sec_context.c (krb5_gss_accept_sec_context): Don't discard the
delegation flag; only look for a delegation if the flag is set, and only look
for delegation, not other options. Ignore any other data there.
ticket: 2079
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15964
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Mon, 5 Jan 2004 03:39:53 +0000 (03:39 +0000)]
* win-mac.h: conditionally define strcasecmp/strncasecmp macros
only if they do not already exist.
ticket: new
target_version: 1.3.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15963
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sun, 28 Dec 2003 03:57:48 +0000 (03:57 +0000)]
* configure.in: Use AC_HELP_STRING for kdc-replay-cache option info
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15962
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sun, 28 Dec 2003 03:51:47 +0000 (03:51 +0000)]
* Makefile.in (LOCAL_SUBDIRS): Fix typo in last (undocumented) change
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15961
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Wed, 24 Dec 2003 05:44:25 +0000 (05:44 +0000)]
move some basic header and function checks from lib/krb5 to include
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15960
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Mon, 22 Dec 2003 23:18:13 +0000 (23:18 +0000)]
* README: update requirements for compilation tools, DNS support
and describe new MSLSA: credential cache and how to configure
Windows to use it.
ticket: new
target_version: 1.3.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15959
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Mon, 22 Dec 2003 18:24:41 +0000 (18:24 +0000)]
* dnssrv.c: wrap the entire module in #ifdef KRB5_DNS_LOOKUP to prevent
the dependency on the resolver library when DNS functionality is not
being compiled into the krb5 library.
ticket: new
target_version: 1.3.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15958
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 20 Dec 2003 04:39:35 +0000 (04:39 +0000)]
* fake-addrinfo.h: Include stdio.h
ticket: 2016
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15957
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 20 Dec 2003 03:52:51 +0000 (03:52 +0000)]
* util_crypt.c (kg_encrypt, kg_decrypt): Input pointer now points to const.
* gssapiP_krb5.h: Declarations updated.
* util_seed.c (zeros): Now const.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15956
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 20 Dec 2003 03:51:00 +0000 (03:51 +0000)]
* gssapi_generic.c (const_oids): Renamed from oids, and now const.
(oids): New macro, casts const_oids to non-const pointer for use in initializers.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15955
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 20 Dec 2003 03:25:58 +0000 (03:25 +0000)]
* realm_iter.c (krb5_realm_iterator_create): Array NAMES is now const
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15954
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 20 Dec 2003 03:25:05 +0000 (03:25 +0000)]
* prof_get.c (profile_iterator_create): NAMES argument points to const pointers.
* profile.hin (profile_iterator_create): Declaration updated.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15953
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 20 Dec 2003 03:19:00 +0000 (03:19 +0000)]
* prompter.c (catch_signals, restore_signals): Take pointer to old signal
handler info as new argument.
(osiginfo): New typedef.
(setup_tty, restore_tty): Take pointer to old signal handler info and old
termios settings as new arguments.
(krb5_prompter_posix): Pass the extra arguments, addresses of new automatic
variables.
(osigint, saveparm): Variables deleted.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15952
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 20 Dec 2003 02:58:52 +0000 (02:58 +0000)]
* Makefile.in (STLIBOBJS, OBJS, SRCS): Don't build promptusr.c
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15951
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 20 Dec 2003 02:48:23 +0000 (02:48 +0000)]
oops. actually do the #undef DEBUG
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15950
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 20 Dec 2003 02:46:49 +0000 (02:46 +0000)]
* sendto_kdc.c (default_debug_handler, put, putstr): Define only if DEBUG is
defined.
(DEBUG): Don't define.
(krb5int_sendtokdc_debug_handler): Initialize to null if DEBUG is not defined.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15949
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 20 Dec 2003 02:37:23 +0000 (02:37 +0000)]
* get_in_tkt.c (get_in_tkt_enctypes): Now const
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15948
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 20 Dec 2003 02:28:52 +0000 (02:28 +0000)]
* arcfour.c (l40): Now const
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15947
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 20 Dec 2003 02:28:09 +0000 (02:28 +0000)]
* arcfour.c (arcfour_weakkey1, arcfour_weakkey2, arcfour_weakkeys): Now const
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15946
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 20 Dec 2003 02:26:17 +0000 (02:26 +0000)]
Replace the array of 8 mit_des_cblock object 'mit_des_zeroblock' defined
locally in multiple files with one defined in f_cbc.c; make it a single element
rather than an array.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15945
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 19 Dec 2003 22:24:04 +0000 (22:24 +0000)]
* init_sec_context.c: Include k5-int.h for accessor
ticket: 2077
component: krb5-libs
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15944
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Fri, 19 Dec 2003 21:11:40 +0000 (21:11 +0000)]
* ftp.c (do_auth): Handle a return code of 335, where the authentication
exchange requires more messages.
ticket: 2062
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15943
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Fri, 19 Dec 2003 06:53:24 +0000 (06:53 +0000)]
ticket 2049
fix an incorrect level of indirection for a krb5_creds data structure.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15942
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Fri, 19 Dec 2003 05:29:32 +0000 (05:29 +0000)]
The new functions krb5int_c_mandatory_cksumtype, krb5_ser_pack_int64,
and krb5_ser_unpack_int64 are considered private. Therefore, in order
for them to be used from within gssapi they must be added to the
krb5int_accessor mechanism. This allows us to not publicize their
existence via exportation on Windows or MacOSX.
ticket: new
tags: pullup
target_version: 1.3.2
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15941
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Fri, 19 Dec 2003 00:19:20 +0000 (00:19 +0000)]
* cc_retr.c: Extract the test to determine if a credential matches
a requested credential according to the specified fields into
a private function: krb5int_cc_creds_match_request()
* cc_mslsa.c: Extend the functionality of krb5_lcc_retrieve() to
perform a MS Kerberos LSA ticket request if there is no matching
credential in the cache. The MS Kerberos LSA places the following
restriction on what tickets it will place into the LSA cache:
tickets obtained by an application request for a specific
set of kerberos flags or enctype will not be cached.
Therefore, we first make a request with no flags or enctype in
the hope that we will be lucky and get the right ones anyway.
If not, we make the application's request and return that ticket
if it matches the other criteria.
Implemented a similar technique for krb5_lcc_store(). Since we
can not write to the cache, when a store request is made we
instead perform a ticket request through the lsa for a matching
credential. If we receive one, we return success. Otherwise,
we return the KRB5_CC_READONLY error.
With these changes I am now able to operate entirely with the MSLSA
ccache as the default cache provided the MS LSA credentials are
for the principal I wish to use. Obviously, one cannot change
principals while the MSLSA ccache is the default.
ticket: 2049
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15939
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 17 Dec 2003 01:11:32 +0000 (01:11 +0000)]
preliminary update for 1.3.2
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15938
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Tue, 16 Dec 2003 19:21:49 +0000 (19:21 +0000)]
* conv_creds.c (krb5int_encode_v4tkt): Zero out unused parts of ticket. Use a
temorary in case krb5_int32 isn't "int".
(decode_v4tkt): Use a temorary in case krb5_int32 isn't "int".
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15936
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Mon, 15 Dec 2003 20:56:47 +0000 (20:56 +0000)]
* k5-platform.h (SIZE_MAX): Provide default definition if stdint.h doesn't
define it.
ticket: 2040
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15929
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Mon, 15 Dec 2003 20:14:56 +0000 (20:14 +0000)]
make depend
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15928
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Mon, 15 Dec 2003 17:54:40 +0000 (17:54 +0000)]
* win-mac.h: source code written to the C99 standard assumes there
are standard definitions for the MAX sizes of C types including
size_t. The MAX preprocessor variables are declared in limits.h
but limits.h is not included by any of the other header files.
We will therefore include it via win-mac.h. We must also add a
declaration of SIZE_MAX (for size_t) because Microsoft does not
provide one.
ticket: 2040
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15927
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Mon, 15 Dec 2003 16:16:28 +0000 (16:16 +0000)]
* add missing ChangeLog entry
ticket: 1471
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15926
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Mon, 15 Dec 2003 16:15:30 +0000 (16:15 +0000)]
* k5-platform.h: apply casts (unsigned char) to the assignments from
64-bit ints to unsigned char fields to avoid warnings
ticket: 1471
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15925
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Mon, 15 Dec 2003 15:55:15 +0000 (15:55 +0000)]
* cc_msla.c: Enable purging of the MS Kerberos LSA cache when the TGT
has expired. This will force the LSA to get a new TGT instead of
returning the expired version.
ticket: 2049
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15924
dc483132-0cff-0310-8789-
dd5450dbe970
Ezra Peisach [Mon, 15 Dec 2003 15:51:41 +0000 (15:51 +0000)]
krb524 subdirectory does not get fully cleaned due to change introduced by 1491
* Makefile.in (clean-unix): Clean up more files now that STLIBOBS
is not used (introduced in 1491). Some files were missed.
ticket: new
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15923
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Mon, 15 Dec 2003 13:58:10 +0000 (13:58 +0000)]
* when initiating an enumeration of the ccache contents perform
a fetch of the TGT. This will trigger an update request by
the MS LSA on Windows 2000 and XP which is perfectly willing
to allow TGTs to expire.
ticket: 2049
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15922
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Sun, 14 Dec 2003 15:31:10 +0000 (15:31 +0000)]
move prof-int.h to be the first include file in order to obtain
platform specific preprocessor variables used to selectively
import other header files
ticket: 2068
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15921
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Sat, 13 Dec 2003 19:51:16 +0000 (19:51 +0000)]
* krb4_32.def: Remove exports from KfM not yet compiled in KfW
krb_ad_tkt, krb_pw_tkt, kuserok, tkt_string, FSp_xxx
* krb5_32.def: Add exports of private functions necessary for
building new gssapi32.dll:
krb5int_c_mandatory_cksumtype ; PRIVATE GSSAPI k5-int.h
krb5_ser_pack_int64 ; PRIVATE GSSAPI k5-int.h
krb5_ser_unpack_int64 ; PRIVATE GSSAPI k5-int.h
ticket: 2067
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15920
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Sat, 13 Dec 2003 19:13:42 +0000 (19:13 +0000)]
* Makefile.in: Remove extraneous spaces ..
ticket: 2049
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15919
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Sat, 13 Dec 2003 19:11:34 +0000 (19:11 +0000)]
* Makefile.in: remove extraneous spaces from ##WIN32## commented
defines for MSLSA_OBJ and MSLSA_SRC
ticket: 2049
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15918
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 13 Dec 2003 18:16:57 +0000 (18:16 +0000)]
Gets a bit closer, still not working..
* ftpcmd.y (getline): Allow "AUTH" as an unprotected command.
* ftpd.c (login): Fix checks for accept_sec_context status. Only send back one
message in the CONTINUE_NEEDED case.
(with_gss_error_text): New function, split out from reply_gss_error.
(reply_gss_error): Call it.
(reply_gss_error_1): New function.
(log_gss_error, log_gss_error_1): New functions.
(login): Call log_gss_error instead of syslog on error from gss_display_name.
ticket: 2062
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15917
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 13 Dec 2003 17:35:13 +0000 (17:35 +0000)]
* aclocal.m4 (WITH_CC): Drop -Wno-comment, since we don't support SunOS 4 any longer
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15916
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 13 Dec 2003 07:32:01 +0000 (07:32 +0000)]
* default.exp (passes): Add an AES-only pass.
(start_kerberos_daemons): Check for error "No principal in keytab matches
desired name".
(dump_db): New proc, for debugging.
(spawn_xterm): Add GSSCLIENT to list of exported variables.
ticket: 2066
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15915
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 13 Dec 2003 07:27:03 +0000 (07:27 +0000)]
* telnet.exp: Skip tests if no DES key types are enabled
ticket: 2066
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15914
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 13 Dec 2003 07:22:15 +0000 (07:22 +0000)]
* gssftp.exp (ftp_test): Look for "GSSAPI authentication failed" error
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15913
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 13 Dec 2003 07:10:10 +0000 (07:10 +0000)]
don't limit enctype lists at init time
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15912
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 13 Dec 2003 07:07:23 +0000 (07:07 +0000)]
Add 64-bit sequence number support. Do sequence number ordering tests relative
to the initial value rather than absolute. Support tokens without pseudo-ASN.1
wrappers. Don't restrict enctype lists. Implement CFX token support.
With CFX_EXERCISE defined, use random padding, random rotates, and bogus
initial tokens, to exercise the associated code paths.
ticket: 2040
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15911
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 13 Dec 2003 06:35:15 +0000 (06:35 +0000)]
add get_name callback for kdb keytab type, for debugging
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15910
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 13 Dec 2003 06:30:21 +0000 (06:30 +0000)]
ignore extra lines output when debugging code enabled
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15909
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 13 Dec 2003 06:28:35 +0000 (06:28 +0000)]
Add platform-dependent 64-bit and inline-function support via new header
k5-platform.h. Add 64-bit serializer support. [Not needed for ticket 1471,
but needed for 2040 and annoying to check in separately.]
Add to (internal for now) crypto API a function to get the mandatory checksum
type associated with an enctype.
New support for server-generated subkey, selected via an auth_context flag.
ticket: 1471
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15908
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Sat, 13 Dec 2003 01:28:08 +0000 (01:28 +0000)]
* an_to_ln.c (krb5_aname_to_localname): Don't write one byte past
the end of a string. Found by Christopher Nebergall.
ticket: 2024
component: krb5-libs
version_reported: 1.3.1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15895
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Sat, 13 Dec 2003 01:20:56 +0000 (01:20 +0000)]
* Makefile.in: Move ##WIN32## constructs from inside
backslash-continued lists, as it was breaking them. Move explicit
dependency information from under automatic dependencies.
ticket: 2049
component: krb5-libs
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15894
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Fri, 12 Dec 2003 22:22:36 +0000 (22:22 +0000)]
* Added new krb5_ccache type "MSLSA" for Windows only.
This new ccache type provides an interface for the MIT krb5_cc api
functions to be used to access the contents of the MS Kerberos LSA
cache. The ccache type is read-only because the MS Kerberos LSA
does not allow third party applications to insert credentials into
the cache.
The primary motivation of this work was to encapsulate the complex
operations necessary to manipulate the MS Kerberos LSA. The code
was far from trivial and was often implemented incorrectly. Worse
still was the fact that each version of Windows since W2K modified
the use of the LSA API.
The code which was originally donated in the form of ms2mit.c had
many memory and handle leaks which were acceptable for a one time
application such as ms2mit.c. Unfortunately, this code has started
to appear in many other applications: KfW's Leash, the AFS Wake
systray tool, and others.
By using the new MSLSA ccache the implementation of ms2mit.c went
from 890 lines to 50 lines of code and comments. All that is necessary
is for the MSLSA ccache to be resolved and for its contents to be
copied with krb5_cc_copy_creds to the default ccache.
The MSLSA ccache implements all of the functions of a ccache except
those which would be used to store data into the ccache. When a
write attempt is performed the new error KRB5_CC_READONLY is returned.
The residual portion of the MSLSA ccache name is current ignored
but preserved. If you ask for ccache "MSLSA:myname" you will be
given access to the LSA cache for the current Logon Session. If
you later ask for the name of the ccache you will be returned the
same name. In the future, the residual might be used to provide
information necessary to identify a specific logon session whose
cache it is desired to access. If this is ever done, the applications
which use it will have to possess the SeTcbPrivilege privilege.
Using KfW's Leash it is now possible to set the Krb5 credential
cache to "MSLSA:" and use it to monitor the contents of the
MS Kerberos LSA cache.
As part of adding this functionality, krb5_32.dll is not linked
against the "secur32.lib" library as the Lsa security sdk routines
are stored in the SECUR32.DLL file.
ticket: 2049
target_version: 1.3.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15886
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Thu, 11 Dec 2003 23:23:32 +0000 (23:23 +0000)]
Remove cvsignore files
Ticket: 2061
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15881
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Thu, 11 Dec 2003 23:14:06 +0000 (23:14 +0000)]
Remove kadmind4 and v5passwdd
Per email to kerberos-announce remove kadmind4 and v5passwdd from the distribution.
Ticket: new
Tags: enhancement
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15880
dc483132-0cff-0310-8789-
dd5450dbe970
Alexandra Ellwood [Thu, 11 Dec 2003 22:17:27 +0000 (22:17 +0000)]
Added kg_sync_ccache_name(), kg_get_ccache_name, and kg_set_ccache_name() and rewrote gss_krb5_ccache_name() and added a call to kg_sync_ccache_name() to acquire_init_cred() to fix a bug where on systems with multiple ccaches that GSSAPI gets stuck on the ccache that was default when it launched
ticket: 2060
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15879
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Thu, 11 Dec 2003 22:12:35 +0000 (22:12 +0000)]
Note that krb4 expiration needs to be more conservative than krb5
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15878
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Mon, 8 Dec 2003 21:53:30 +0000 (21:53 +0000)]
Add exports for functions exported by KfM
ticket: 2051
target_version: 1.3.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15871
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Mon, 8 Dec 2003 20:24:33 +0000 (20:24 +0000)]
2003-11-26 Jeffrey Altman <jaltman@mit.edu>
* cc_default.c: Add support for Leash Kinit Dialog on Windows to
krb5int_c_default()
ticket: 2028
target_version: 1.3.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15870
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Mon, 8 Dec 2003 20:17:00 +0000 (20:17 +0000)]
Add support for conditional inclusion of flags when building as part of
KfW. The only flag defined at this time is USE_LEASH which is defined
to allow GSSAPI32.DLL to enable the use of Leash Kinit dialogs when
there are no tickets
ticket: 2028
target_version: 1.3.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15869
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Sat, 6 Dec 2003 00:39:23 +0000 (00:39 +0000)]
work around Solaris 9 pty-close bug
Create a LD_PRELOAD object, exitsleep, that will sleep for a short
time prior to calling the real exit() function. This attempts to work
around a Solaris 9 kernel bug where output will get lost if it is
written to a pty immediately prior to the pty close.
ticket: new
component: krb5-build
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15864
dc483132-0cff-0310-8789-
dd5450dbe970
Alexandra Ellwood [Tue, 25 Nov 2003 18:36:08 +0000 (18:36 +0000)]
Updated project to reflect changes in source files
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15850
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 30 Oct 2003 23:34:07 +0000 (23:34 +0000)]
initial sequence number mask short by 4 bits
* gen_seqnum.c (krb5_generate_seq_number): Fix mask; was short by
4 bits.
ticket: new
version_reported: 1.3.1
target_version: 1.3.2
component: krb5-libs
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15849
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Mon, 27 Oct 2003 19:59:22 +0000 (19:59 +0000)]
* sendto_kdc.c: Sockets must be closed with closesocket() instead
of close() for proper socket deallocation on systems which do
not use file descriptors for sockets. i.e., Windows.
ticket: 1973
target_version: 1.3.2
tags: pullup
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15844
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Tue, 21 Oct 2003 22:20:48 +0000 (22:20 +0000)]
Because of the failure of Windows 2000 and Windows XP to perform proper
ticket expiration time management, the MS Kerberos LSA will return
tickets to a calling application with lifetimes as short as one second.
Tickets with lifetimes less than five minutes can cause problems for
most apps. Tickets with lifetimes less than 20 minutes will trigger the
Leash ticket lifetime warnings.
Instead of accepting whatever tickets are returned by MS LSA from the
cache, if the ticket lifetime is less than 20 minutes force a retrieval
operation bypassing the LSA ticket cache.
ticket: 1962
target_version: 1.3.2
tags: pullup
owner: jaltman@mit.edu
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15843
dc483132-0cff-0310-8789-
dd5450dbe970
Alexandra Ellwood [Tue, 21 Oct 2003 20:21:16 +0000 (20:21 +0000)]
removed deleted files from project
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15842
dc483132-0cff-0310-8789-
dd5450dbe970
Alexandra Ellwood [Fri, 17 Oct 2003 21:32:58 +0000 (21:32 +0000)]
Updated to work with Xcode
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15841
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 17 Oct 2003 02:32:31 +0000 (02:32 +0000)]
* api.1/lock.exp: Work around a race condition in the Solaris 9
pty implementation: output sent to a pty slave immediately before
last close/exit can get lost on the way to the master. This is
Sun bug #
4927647. The workaround consists of changing the tests
to always make lock-test wait to read a character prior to
exiting, so any output prior to the "wait" directive will not get
lost.
ticket: 1792
tags: pullup
target_version: 1.3.2
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15840
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 8 Oct 2003 23:53:23 +0000 (23:53 +0000)]
Save encoded KRB-SAFE-BODY to avoid problems caused by re-encoding it.
Also, handle correctly implemented RFC 1510 KRB-SAFE i.e., checksummed
over KRB-SAFE-BODY only.
ticket: 1893
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15831
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 29 Sep 2003 20:45:50 +0000 (20:45 +0000)]
Add missing ChangeLog entry for krb.h:1.51
ticket: 1586
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15829
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 27 Sep 2003 00:16:16 +0000 (00:16 +0000)]
Add --enable-maintainer-mode option to configure, and prevent rebuilding of
include/krb5/autoconf.h.in and */configure if it's not enabled. Anything else
we should only rebuild in maintainer mode?
* aclocal.m4 (KRB5_AC_MAINTAINER_MODE): New macro.
(CONFIG_RULES): Invoke it.
* config/post.in (configure): Make configure depend on configure.in and
aclocal.m4 only if maintainer mode is enabled.
* include/Makefile.in ($(srcdir)/krb5/autoconf.h.in): Depend on autoconf.stmp
only if maintainer mode is enabled.
ticket: 1588
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15825
dc483132-0cff-0310-8789-
dd5450dbe970
Jeffrey Altman [Tue, 23 Sep 2003 18:46:25 +0000 (18:46 +0000)]
Modify the declaration of the CREDENTIALS structure to support the additional
address field used on Windows.
ticket: 1586
status: open
owner: jaltman@mit.edu
target_version: 1.3.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15820
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 13 Sep 2003 04:17:08 +0000 (04:17 +0000)]
Oops, naughty naughty. Use $(CC), not gcc
ticket: 1790
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15819
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 13 Sep 2003 04:16:10 +0000 (04:16 +0000)]
* shlib.conf (*-*-linux*): Use gcc for linking shared libraries, and -Wl to
pass linker flags in, so gcc can supply the necessary support libraries.
ticket: 1790
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15818
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 13 Sep 2003 03:33:14 +0000 (03:33 +0000)]
Alpha OSF build fails because daemon() tries to call setpgrp because
it doesn't know setsid is available. It's using autoconf.h, but no
longer using the defines set in lib/krb5/posix/Makefile.
* configure.in: Check for setsid() and <paths.h>.
ticket: 1847
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15817
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 2 Sep 2003 22:12:07 +0000 (22:12 +0000)]
Apply patch from Cesar Garcia to fix lifetime computation in 524
ticket conversion.
ticket: 1712
tags: pullup
version_reported: 1.3.1
target_version: 1.3.2
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15808
dc483132-0cff-0310-8789-
dd5450dbe970
Alexandra Ellwood [Tue, 2 Sep 2003 18:37:12 +0000 (18:37 +0000)]
kill() might overwrite errno. Save it beforehand
ticket: 1799
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15806
dc483132-0cff-0310-8789-
dd5450dbe970
Alexandra Ellwood [Tue, 2 Sep 2003 18:14:37 +0000 (18:14 +0000)]
Fixed handling of krb5_net_write() failing (need to call waitpid() on child even if we kill it)
ticket: 1799
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15805
dc483132-0cff-0310-8789-
dd5450dbe970
Alexandra Ellwood [Tue, 2 Sep 2003 15:43:10 +0000 (15:43 +0000)]
Fixed comment (part of adding Apple Password Server support)
ticket: 1799
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15804
dc483132-0cff-0310-8789-
dd5450dbe970
Alexandra Ellwood [Tue, 2 Sep 2003 15:32:50 +0000 (15:32 +0000)]
Added Apple password server support
ticket: 1799
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15803
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 30 Aug 2003 01:55:40 +0000 (01:55 +0000)]
While libc5 isn't one of our supported configurations, this is a simple enough
change. It should be in the 1.4 release. (Next 1.3.x release? I don't know.)
* fake-addrinfo.h (WRAP_GETADDRINFO, COPY_FIRST_CANONNAME): Don't define on
Linux unless HAVE_GETADDRINFO is defined, for libc5 compatibility.
ticket: 1711
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15802
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Sat, 30 Aug 2003 01:09:41 +0000 (01:09 +0000)]
Copy and build daemon.c in whatever directories need it, instead of building it
into the krb5 library.
* aclocal.m4 (KRB5_AC_NEED_DAEMON): New macro.
* appl/bsd/configure.in, kadmin/configure.in, kdc/configure.in,
krb524/configure.in, slave/configure.in: Use it. Don't directly check if
prototype for daemon() is needed.
* kadmin/server/Makefile.in (OBJS), kadmin/v5passwdd/Makefile.in (SERV_OBJS),
kdc/Makefile.in (OBJS, fakeka), krb524/Makefile.in (SERVER_OBJS),
slave/Makefile.in (SERVEROBJS): Use LIBOBJS.
* config/post.in (daemon.c): New rule for copying daemon.c locally
from lib/krb5/posix.
ticket: 1791
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15801
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Fri, 29 Aug 2003 07:09:48 +0000 (07:09 +0000)]
krshd hangs in linux nightly testing
A typical stack trace:
#0 0xffffe002 in ?? ()
#1 0x420da75f in syslog () from /lib/tls/libc.so.6
#2 0x0804ad06 in cleanup (signumber=15) at krshd.c:567
#3 <signal handler called>
#4 0xffffe000 in ?? ()
#5 0x4202774e in sigaction () from /lib/tls/libc.so.6
#6 0x0804ac82 in cleanup (signumber=1) at krshd.c:548
#7 <signal handler called>
#8 0xffffe002 in ?? ()
#9 0x4202774e in sigaction () from /lib/tls/libc.so.6
#10 0x420daa21 in vsyslog () from /lib/tls/libc.so.6
#11 0x420da75f in syslog () from /lib/tls/libc.so.6
#12 0x0804b670 in doit (f=3, fromp=0xbfffda50) at krshd.c:1313
#13 0x0804ab87 in main (argc=11, argv=0xbfffdb34) at krshd.c:459
#14 0x420156a4 in __libc_start_main () from /lib/tls/libc.so.6
Yes, we're calling syslog from inside a signal handler. Yes, this is
bad. And from some poking about that I did earlier, it appears that
there's some locking code in vsyslog which may be deadlocking in the
nested call. And this usually seems to happen when logging the "shell
process completed" message.
This is a quick patch to switch off the signal handlers before logging
that message. I suspect the breakage happens earlier, though, so this
might not fix the bug, just maybe move it around a little.
* krshd.c (ignore_signals): Split out from cleanup().
(doit): Call it when the shell process has completed, before calling syslog.
ticket: new
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15800
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Wed, 27 Aug 2003 01:10:56 +0000 (01:10 +0000)]
In my tests (2GHz P4 Linux, 5 minutes, no pre-existing replay cache), this gets
about a 10% speedup adding entries to an already open replay cache.
* rc_dfl.c (alive): Take a timestamp argument instead of the context, and don't
check the current time here. All callers changed to pass in the current time.
(rc_store): Take a timestamp argument. All callers changed to pass in the
current time.
ticket: 1784
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15799
dc483132-0cff-0310-8789-
dd5450dbe970
Ken Raeburn [Tue, 26 Aug 2003 22:20:16 +0000 (22:20 +0000)]
* krb5.hin (struct _krb5_donot_replay, krb5_rc_default, krb5_rc_resolve_type)
(krb5_rc_resolve_full, krb5_rc_get_type, krb5_rc_default_type)
(krb5_rc_default_name, krb5_auth_to_rep): Private declarations moved...
* k5-int.h: ...to here.
ticket: 1784
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15798
dc483132-0cff-0310-8789-
dd5450dbe970