* g_ad_tkt.c: Added support for login library to get_ad_tkt. Support is copied from Mac Kerberos4 library and conditionalized for USE_LOGIN_LIBRARY to avoid changing get_ad_tkt's behavior for non-Kerberos Login Library builds
Sam Hartman [Wed, 9 Apr 2003 18:19:18 +0000 (18:19 +0000)]
etype info handling infinite loop
If a request contains no des-cbc-crc enctype but des-cbc-crc or
des-cbc-md5 exists in the database then an infinite loop is created.
Fix etype info handling to avoid this.
Tom Yu [Wed, 2 Apr 2003 04:47:53 +0000 (04:47 +0000)]
don't install in-tree libdb
Don't install the in-tree libdb. This requires that libkdb,
etc. explicitly pull in the object files of the in-tree libdb if not
using the system libdb.
ticket: new
status: open
target_version: 1.3
tags: pullup
Ken Raeburn [Wed, 2 Apr 2003 00:28:32 +0000 (00:28 +0000)]
* fake-addrinfo.h (COPY_FIRST_CANONNAME) [_AIX]: Define.
(GET_HOST_BY_NAME) [_AIX]: New version for AIX version of gethostbyname_r.
(getaddrinfo) [NUMERIC_SERVICE_BROKEN]: Use "discard" as a dummy service name
instead of none at all. Don't check for unsigned value less than zero.
(getaddrinfo) [COPY_FIRST_CANONNAME]: Set any ai_canonname fields other than
the first one to null.
Ken Raeburn [Fri, 28 Mar 2003 22:59:45 +0000 (22:59 +0000)]
* kcmd.c (kcmd_connect): Log errors if a connect to port 0 is attempted.
Report port number in connection failure.
(setup_secondary_channel): Use socklen_t for socket address length.
Tom Yu [Fri, 28 Mar 2003 22:51:33 +0000 (22:51 +0000)]
* kdc_preauth.c (verify_enc_timestamp): Save decryption error, in
case we get NO_MATCHING_KEY later. This allows us to log a more
sane error if an incorrect password is used for encrypting the
enc-timestamp preauth.
ticket: 1324
status: open
target_version: 1.3
tags: pullup
* configure.in: Use KRB5_AC_NEED_BIND_8_COMPAT to check for bind 9 and higher. When bind 9 is present, BIND_8_COMPAT needs to be defined to get bind 8 types
* aclocal.m4: Define KRB5_AC_NEED_BIND_8_COMPAT to check for bind 9 and higher. When bind 9 is present, BIND_8_COMPAT needs to be defined to get bind 8 types
Sam Hartman [Mon, 17 Mar 2003 01:03:11 +0000 (01:03 +0000)]
Disable krb4 cross-realm in krb524d and krb5kdc. Provide an option to
reenable (-X) which prints a warning that you are creating a security
hole.
Remove support for generating krb4 tickets encrypted using 3DES
service keys as it is insecure. They are still accepted however.
The KDC is much more strict about accepting only tickets that it would
have issued in the current configuration. In particular if the KDC
would choose some enctype for writing a TGT, other enctypes will not
be accepted when using a TGT.
Sam Hartman [Fri, 14 Mar 2003 20:37:36 +0000 (20:37 +0000)]
Do not claim GSS_C_PROT_READY_FLAG since we don't support it
Our code does not currently support GSS_C_PROT_READY_FLAG so only
return that flag after context establishment. A potential future
addition is to support that flag and return GAP_TOKEN if the initiator
processes a message token before the final context token.
Ken Raeburn [Fri, 14 Mar 2003 19:50:00 +0000 (19:50 +0000)]
* default.exp (setup_root_shell): If we get connection refused messages,
followed by no unrecognized errors and then eof, report it as an unsupported
test.
Tom Yu [Thu, 13 Mar 2003 01:04:35 +0000 (01:04 +0000)]
* Makefile.in (AWK): Default to awk, not gawk. User can override
on make's command line if necessary. Still, only really useful
for building kerbsrc.zip, etc.
Ken Raeburn [Wed, 12 Mar 2003 04:33:30 +0000 (04:33 +0000)]
Rewrite asn1_get_tag interface to use a structure pointer rather than several
pointer variables for the returned data. Use the structure in the caller when
straightforward; in cases where macros use different but overlapping sets of
automatic scalar variables in one file, copy the values out of the structures
for now, until they can be analyzed more carefully.
* asn1_get.c (asn1_get_tag): Deleted.
(asn1_get_tag_2): Renamed from asn1_get_tag_indef, now uses a pointer to
taginfo rather than a bunch of pointer args.
(asn1_get_id, asn1_get_length): Folded into asn1_get_tag_2.
(asn1_get_sequence): Call asn1_get_tag_2.
* asn1_get.h (taginfo): New structure.
(asn1_get_tag_indef, asn1_get_tag, asn1_get_id, asn1_get_length): Declarations
deleted.
(asn1_get_tag_2): Declare.
* asn1_decode.c (setup): Declare only a taginfo variable.
(asn1class, construction, tagnum, length): New macros.
(tag): Call asn1_get_tag_2.
* asn1_k_decode.c (next_tag, get_eoc, apptag, end_sequence_of,
end_sequence_of_no_tagvars, asn1_decode_krb5_flags): Call asn1_get_tag_2; if no
error, copy out values into scalar variables.
(asn1_decode_ticket): Call asn1_get_tag_2.
* asn1buf.c (asn1buf_skiptail): Call asn1_get_tag_2.
* krb5_decode.c (check_apptag, next_tag, get_eoc): Call asn1_get_tag_2; if no
error, copy out values into scalar variables.
(decode_krb5_enc_kdc_rep_part): Call asn1_get_tag_2.
Ken Raeburn [Sat, 8 Mar 2003 20:50:54 +0000 (20:50 +0000)]
Yet another attempt at cross-directory dependencies. Seems to fix the parallel
build, and hasn't broken the out-of-date case so far as I can tell, so far...
Added a bunch of comments describing the cases that need to be handled.
* Makefile.in ($(BUILDTOP)/include/gssapi/gssapi.h, generic/gssapi.h,
generic/gssapi_err_generic.h, krb5/gssapi_err_krb5.h): Comment out old rules
and dependencies; depend on all-recurse and supply a no-op rule.
* c_ustime.c: Removed Mac OS 9 code.
* ccdefname.c: Conditionalize on USE_CCAPI and not TARGET_OS_MAC so Darwin builds work.
* init_os_ctx.c: Modified to use DEFAULT_SECURE_PROFILE_PATH and DEFAULT_PROFILE_PATH for KfM homedir-relative config files.
* read_pwd.c: Cast to remove const warnings.
* timeofday.c: Do the same thing on the Mac as on Unix
* CCache-glue.c: Added prototypes for deprecated functions. Made internal functions static. Removed unused CoreServices include. Changed TICKET_GRANTING_TICKET to new macro: KRB_TICKET_GRANTING_TICKET.
* change_password.c: Added check of inputs to krb_change_password so we don't crash on bad inputs. Call des_string_to_key not mit_password_to_key on all platforms because we don't want to prompt for a password.
* FSp-glue.c: Added prototypes for deprecated functions. Changed to use KfM's FSSpecToPOSIXPath which correctly handles FSSpecs where the file does not exist.
* g_in_tkt.c: Added explanatory comments. Made TARGET_OS_MAC sections a little smaller and easier to read.
* g_pw_in_tkt.c: Only prompt when we are not using the login library. This is so that Darwin builds do prompt but KfM builds don't.
* g_svc_in_tkt.c, g_tkt_svc.c: Changed to use KRB_TICKET_GRANTING_TICKET.
* kadm_net.c: Use autoconf variable krb5_sigtype instead of sigtype, which doesn't seem to be defined on Mac OS X.
* krb4int.h, RealmsConfig-glue.c: Removed krb_get_stk().
* rd_req.c: Added #ifdef KRB4_USE_KEYTAB to avoid unused variable warning when KRB4_USE_KEYTAB is not defined.
* sendauth.c: Fixed warnings with casts
* disp_com_err_status.c, gssapi_generic.h: Removed Mac header goober.
* gssapiP_generic.h, gssapi.hin: Removed macintosh check because we don't build on OS 9 anymore.
* gssapi.hin: Removed enumsalwaysint because there are no typed enums in this header. Removed duplicate CFM-68K magic
* gss_libinit.c: Removed Mac header goober. Fixed USE_HARDCODED_FALLBACK_ERROR_TABLES macro used by KfM.
* gss_libinit.h: do not use the same multiple include protection macro as krb5_libinit.h. Changed to GSSAPI_LIBINIT_H
* mac_des_glue.c, des.c, enc_dec.c, key_sched.c, str_to_key.c: Move KfM des functions into their own file. They are all deprecated on KfM and shouldn't even get built on stock krb5 builds.
* read_passwd.c: Added warning comment that des_read_pw_string is an exported function on KfM, so we should not change its ABI
* krb5.h: Removed enumsalwaysint because there are no typed enums in this header.
* k5-int.h: Removed Mac OS header goober. Added prototype for os_get_default_config_files which will be used by KfM's preference APIs (KFM needs to get the secure default files as well as the normal ones). Moved profile.h inclusion higher so it gets included before this function and thus its types are defined (the reason I put it where I did was there is another config file function next to it)
* osconf.h: Added DEFAULT_SECURE_PROFILE_PATH so that KfM will only search paths that start with ~/ (homedir-based) when getting an insecure context. This is the same as DEFAULT_PROFILE_PATH on all other platforms, which allows us to avoid more references to TARGET_OS_MAC in krb5 sources
* des.h, krb.h: Removed deprecated KfM functions. They will be exported but not in the headers to discourage new callers. Removed enumsalwaysint because there are no typed enums in this header.
* des.h: Made afs_string_to_key public on all platforms. (OpenAFS folk think this is okay.)
* krb.h, prot.h: Made KRB_TICKET_GRANTING_TICKET public and removed non-public TICKET_GRANTING_TICKET because this macro is used in lots of places by KfM, including some clients. Made krb__get_srvtabname non-private because it is used by KEYFILE.
* kadm.h: moved definition of MAXHOSTNAMELEN below the inclusion of other headers so that if it gets defined by those other headers or headers they include, we don't get a redefinition error (this happens on Mac OS X)
* cnv_tkt_skey.c, conv_creds.c, conv_princ.c, encode.c, sendmsg.c: Removed Mac-specific includes.
* conv_creds.c: If we are on the Mac and using the CCAPI, set the string_to_key type to MIT.
* krb524.h: Removed enumsalwaysint because there are no enums in this header. Also include krb524_err with <> because on Mac OS X both are public headers and should not be included with "".
* Makefile.in: set KRB524_PRIVATE while building so that Darwin builds see these prototypes. Otherwise the Darwin build will fail
The prefix file for KfM 5.0. This file has all the #defines for Mac OS X which are normally specified by -Dfoo on the command line by the krb5 build system. Since KfM uses Project Builder, we specify them here
* profile.hin, prof_file.c (profile_flush_file_data): Stop copying the resource fork. We stopped writing resources to the krb5 configuration in KfM 4.5.x. KfM 5.0 will no longer read preferences from the resource fork so we can destroy it on copy.
* prof-int.h: No longer include MoreFiles. Removed framework style includes for Kerberos headers.
* prof_FSp_glue.c, prof_init.c, profile.hin: Moved Mac FSSpec-based functions into a separate file so they will only be built with KfM. These functions will be exported but not in the headers because they are deprecated
* com_err.c, com_err.h, error_message.c, et_c.awk, et_h.awk: Removed Mac OS 9-specific code.
* et_h.awk: define compat macro for init_foo_err_table so that it gets defined to nothing on the Mac
Tom Yu [Thu, 6 Mar 2003 01:36:51 +0000 (01:36 +0000)]
* acquire_cred.c (krb5_gss_register_acceptor_identity): New
function. Allows global override of default keytab for
gss_acquire_cred() purposes.
(acquire_accept_cred): Implement override.
Ken Raeburn [Wed, 5 Mar 2003 03:03:04 +0000 (03:03 +0000)]
Clean up PBKDF2 interface. Add s2k-params to string-to-key interface, except
no new decl in krb5.h yet; rename changed s2k functions to use krb5int_ prefix.
Add AES to etype table. Delete some unused declarations.
Ken Raeburn [Wed, 5 Mar 2003 01:20:50 +0000 (01:20 +0000)]
* compat_recv.c: Only include krb.h if KRB5_KRB4_COMPAT.
(krb_v4_recvauth, krb5_compat_recvauth, krb5_compat_recvauth_version): Define
only if KRB5_KRB4_COMPAT.
* krlogind.c: Include krb.h only if KRB5_KRB4_COMPAT.
(v4_kdata, v4_schedule): Define only if KRB5_KRB4_COMPAT.
(recvauth) [!KRB5_KRB4_COMPAT]: Skip v4 stuff and call krb5_recvauth_version.
Sam Hartman [Tue, 4 Mar 2003 20:45:32 +0000 (20:45 +0000)]
GSS_C_NO_CREDENTIAL should accept any principal
If a context is accepted with GSS_C_NO_CREDENTIAL or if a credential
is acquired with GSS_C_NO_NAME as the acceptor name then allow any
principal in the keytab to be used as the acceptor name.
This means that gss_inquire_cred can return GSS_C_NO_NAME from a
credential.
ticket: new
Tags: enhancement
cc: nicolas.williams@sun.com
cc: krbdev@mit.edu
Ken Raeburn [Mon, 3 Mar 2003 22:00:30 +0000 (22:00 +0000)]
* pbkdf2.c (F): Now takes krb5_data for password and salt.
(krb5int_pbkdf2, krb5int_pbkdf2_hmac_sha1, krb5int_pbkdf2_hmac_sha1_128,
krb5int_pbkdf2_hmac_sha1_256): Likewise, and for output also.
* vectors.c (test_pbkdf2): Calls updated.
(main): Run pbkdf2 tests.
Tom Yu [Mon, 3 Mar 2003 07:09:46 +0000 (07:09 +0000)]
Remove ADD_DEF and uses thereof, and move the appropriate symbols to
AC_DEFINE'ed things or to Makefile.in files. Remove explicit settings
of CPPFLAGS. These allow CPPFLAGS to be a user parameter. Also, add
CFLAGS to the CC_LINK variables, so they can control usage of the
compiler to link programs.