Ken Raeburn [Fri, 25 Feb 2000 20:51:59 +0000 (20:51 +0000)]
Fix off-by-one error in previous code, spotted at the last minute.
This is why things weren't working without the loopback addresses,
which showed up last in the list, after the address my client was
trying to use, thus hiding the error.
(I tried to abort the previous checkin, but cvs went ahead with it
despite the "editor session failed" report...hm.)
Ken Raeburn [Fri, 25 Feb 2000 20:46:35 +0000 (20:46 +0000)]
Patches from Alec Peterson, plus some work of my own, to let a multihomed
KDC respond to requests from the same IP address that the requests were sent
to.
**N.B. This will perform worse in the case of addresses dynamically added
and removed after the KDC has started, since it will be incapable of using
any new addresses.
I'm unclear on why the loopback interface address needs to be included in
the list of addresses. Apparently, on NetBSD-current, if it's not, packets
sent to other local addresses but over the loopback interface are queued but
not received?? Needs further investigation; could just be a NetBSD bug.
* configure.in: Invoke KRB5_SOCKADDR_SA_LEN.
* network.c: Include <sys/ioctl.h>, <syslog.h>, <net/if.h>.
(foreach_localaddr): New function, copied from
lib/krb5/os/localaddr.c. Tweaked to not exclude loopback
interface.
(NEED_SOCKETS): Define before including k5-int.h.
(n_sockets): New variable.
(setup_port): New function; creates listening udp ports given an
address.
(setup_network): Call foreach_localaddr to set up listening
sockets on each local address, so we can always respond from the
receiving address.
(listen_and_process): Use n_sockets as upper bound of loop.
Ken Raeburn [Fri, 25 Feb 2000 20:27:43 +0000 (20:27 +0000)]
Separate interface address processing from Kerberos-related functions.
* localaddr.c (foreach_localaddr): Broken out from old krb5_os_localaddr.
Iterates over all active interface addresses, invoking callback functions;
knows nothing about Kerberos.
(count_addrs, allocate, add_addr): New callback functions.
(krb5_os_localaddr): Use the above.
Tom Yu [Wed, 23 Feb 2000 05:18:48 +0000 (05:18 +0000)]
* kpasswd.0/changing.exp: Add a sleep to avoid a race with the
setup script. If this isn't here, it is possible that the initial
change of pol2's password may happen too soon.
Ken Raeburn [Mon, 21 Feb 2000 21:38:01 +0000 (21:38 +0000)]
from Bear Giles:
* alt_prof.c (krb5_read_realm_params): Permit realm supported enctypes to be
unspecified, letting the KDC produce defaults. Don't look up enctypes at all
if an error is to be returned.
Tom Yu [Sat, 19 Feb 2000 01:57:07 +0000 (01:57 +0000)]
* keytab.c (add_usage): Update usage message.
(kadmin_keytab_add): Update to deal with explicit keysalt lists.
(add_principal): Update to deal with explicit keysalt lists.
* kadmin.c (kadmin_cpw): Add support for new api.
(kadmin_parse_princ_args): Add support for new api, particularly
-keepold to keep old keys around and -e to explicitly specify
key-salt tuples.
(kadmin_addprinc_usage): Update usage accordingly.
(kadmin_addprinc): Add support for new api.
(kadmin_modprinc): Update to call new parse_princ_args reasonably.
Tom Yu [Thu, 17 Feb 2000 00:33:38 +0000 (00:33 +0000)]
* auth_gssapi.c (auth_gssapi_create): Free call_res because
xdr_authgssapi_init_res can potentially allocate memory. Perhaps
clnt_call should really deal with this, though. It is not at all
clear whether clnt_call or svc_getargs should actually end up
freeing allocated memory themselves.
* svc_auth_gssapi.c (_svcauth_gssapi): Call gssrpc_xdr_free() if
xdr_authgssapi_creds() or xdr_authgssapi_init_arg() fails.
* auth_gssapi_misc.c (xdr_authgssapi_creds):
(xdr_authgssapi_init_arg):
(xdr_authgssapi_init_res): Revert prior change. The caller should
be the one dealing. Additionally, it was probably wrong to
unconditionally free the object regardless of whether the mode is
XDR_DECODE.
(auth_gssapi_unwrap_data): Use temp_xdrs rather than in_xdrs to
force XDR_FREE operation.
Danilo Almeida [Wed, 16 Feb 2000 21:11:07 +0000 (21:11 +0000)]
* kinit.c: Nicer usage message. Better checking for illegal
options. Do not output error when doing Kerberos 4 if we will be
trying 524 afterwards. Add hooks for future support for
specifying the Kerberos 4 cache name. Fix GET_PROGNAME macro to
properly return program name under Win32. Re-indent, turning
spaces that should be tabs into tabs.
* kinit.M: Document new Kerberos 4 kinit behavior.
Ken Raeburn [Wed, 16 Feb 2000 18:29:50 +0000 (18:29 +0000)]
* preauth2.c (pa_sam): In send-encrypted-sad mode, check for magic salt length
and generate a salt from the principal name if found; use the password and salt
to generate a key. Provide timestamp if nonce is zero, regardless of preauth
mode. (Patch from Chas Williams.)
Ken Raeburn [Wed, 16 Feb 2000 08:35:46 +0000 (08:35 +0000)]
* localaddr.c (krb5_os_localaddr): Dynamically grow buffer used for SIOCGIFCONF
until it appears to have been big enough. Dynamically grow internal address
pointer array as needed.
Tom Yu [Tue, 15 Feb 2000 05:12:30 +0000 (05:12 +0000)]
* svc.c (xprt_register): Zero out xports after allocating.
* auth_gssapi_misc.c (xdr_authgssapi_creds):
(xdr_authgssapi_init_arg):
(xdr_authgssapi_init_res):
(auth_gssapi_unwrap_data): If xdr_gss_buf or xdr_bytes fails, call
again with XDR_FREE set so that allocated memory doesn't leak.
Tom Yu [Mon, 14 Feb 2000 00:07:10 +0000 (00:07 +0000)]
Add client-side stubs and functions with additional capabilities to
take key_salt_tuples and optionally keep old keys around. Add
server-side functionality for setkey with key_salt_tuple and "keepold"
functionality. Update rpc stubs and xdr functions/headers
appropriately.
Tom Yu [Tue, 8 Feb 2000 05:28:12 +0000 (05:28 +0000)]
* api.1/lock.exp: Since a "wait" directive to the command list of
the lock_test procedures does not wait for any synchronization,
change lock9 to acquire and release a lock before the "wait"
directive in order to avoid a race condition where lock9 spawns
the ./lock-test but the program has not opened the database prior
to lock9_1 acquiring a permanent lock. This was causing
difficult-to-reproduce failures.
Tom Yu [Mon, 7 Feb 2000 23:51:13 +0000 (23:51 +0000)]
* config/unix.exp: Call send_error instead of fail to prevent
referencing variables not yet set up by the test framework.
* lib/helpers.exp: Call kinit and kdestroy with the -5 flag to
deal with new program behavior. Also call perror rather than
error to avoid spewing a stack trace.
Ken Raeburn [Mon, 7 Feb 2000 10:32:45 +0000 (10:32 +0000)]
* gic_pwd.c (krb5_get_as_key_password): If the as_key enctype is already set to
the correct type, do continue and ask for the password anyways. (Patch from
Chas Williams, PR krb5-libs/730.)
* preauth2.c (pa_sam): If no sam_flags were set, return KRB5_PREAUTH_BAD_TYPE,
because we don't currently handle that case.
* preauth2.c (pa_sam): Remove unused variable use_sam_key.
(SAMDATA): Cast first result to int, which is what sprintf needs.
(pa_salt): Delete unused variable ret.
Ken Raeburn [Mon, 7 Feb 2000 10:22:58 +0000 (10:22 +0000)]
* kdc_preauth.c (get_preauth_hint_list): Log a message if preauth is required
but no preauth types are available.
(return_sam_data): Fix typo in figuring length of data to XOR when merging
keys.
Ken Raeburn [Mon, 7 Feb 2000 04:15:58 +0000 (04:15 +0000)]
Frank Cusack's patches, first two sets. Should be no incompatible changes,
except perhaps for a client talking to both a new and old KDC? Several
improvements to guard against replay attacks when hardware preauth is in use,
though they require re-enabling the USE_RCACHE code, which I haven't done yet.
Several changes of mine for silencing a few compiler warnings, and adding some
debugging log messages while I track what's going on with the preauth code.
Ken Raeburn [Mon, 7 Feb 2000 00:18:02 +0000 (00:18 +0000)]
Frank Cusack changes, set 1, diffs 1-3 of 4
Rename "sam_passcode" field to "sam_sad". Add data to predicted-sam-response
structure, in part to (prepare to) help with replay detection.
Fix some memory allocation problems.
Danilo Almeida [Fri, 4 Feb 2000 21:26:02 +0000 (21:26 +0000)]
* kinit.c: Major revamp to support Kerberos 4 compatibility. Code
restructured to allow changes to support Kerberos 4 or Kerberos 5
only operation depending on whether dynamic libraries are
available. Explicit documentation and support files to make it
easy to do this will be forthcoming.
* Makefile.in: On Windows, use getopt.lib instead of getopt.obj,
and add support for getopt_long.
Danilo Almeida [Fri, 4 Feb 2000 21:24:18 +0000 (21:24 +0000)]
* klist.c: Major revamp to support Kerberos 4 compatibility. Code
restructured to allow changes to support Kerberos 4 or Kerberos 5
only operation depending on whether dynamic libraries are
available. Explicit documentation and support files to make it
easy to do this will be forthcoming.
Danilo Almeida [Fri, 4 Feb 2000 21:23:59 +0000 (21:23 +0000)]
* kdestroy.c: Major revamp to support Kerberos 4 compatibility. Code
restructured to allow changes to support Kerberos 4 or Kerberos 5
only operation depending on whether dynamic libraries are
available. Explicit documentation and support files to make it
easy to do this will be forthcoming.
Danilo Almeida [Fri, 4 Feb 2000 20:14:56 +0000 (20:14 +0000)]
* getopt.c, getopt_long.c, getopt.h: Update to latest BSD code
found (from NetBSD).
* Makefile.in: Build getopt.lib which includes getopt.obj and
getopt_long.obj.
Danilo Almeida [Tue, 1 Feb 2000 20:49:25 +0000 (20:49 +0000)]
* gss-client.c, gss-server.c, gss-misc.c: Include Windows headers
instead of Unix headers under Windows.
* gss-server.c (usage): Fix usage info to reflect that service_name is
required.
* gss-misc.c (read_all, write_all): Change write to send and read
to recv for portability.
(gettimeofday): Add an implementation of gettimeofday() for
Windows.
Ezra Peisach [Sat, 29 Jan 2000 00:56:34 +0000 (00:56 +0000)]
* kts_g_ent.c, ktsrvtab.h (krb5_ktsrvtab_get_entry): Change the
third argument to krb5_const_principal (from krb5_principal) to
agree with krb5_kts_ops entries.
Ken Raeburn [Thu, 27 Jan 2000 22:02:58 +0000 (22:02 +0000)]
Don't use obsolete autoconf macros. Fix up output formatting a little.
Rewrote tcl config handling to extract info from installed tclConfig.sh.
Configure-time option to control IPv6 configuration.
Configure-time option to enable DNS lookups.
Ken Raeburn [Thu, 27 Jan 2000 00:56:27 +0000 (00:56 +0000)]
* k5-int.h [!NEED_SOCKETS]: Declare (but do not define) struct sockaddr if
SOCK_DGRAM hasn't been defined yet.
(krb5_locate_srv_conf, krb5_locate_srv_dns): Declare.
(struct krb5_keytypes, struct krb5_cksumtypes): enc, hash, and keyhash provider
structures pointed to are now const.