Ken Raeburn [Tue, 26 Aug 2003 16:27:55 +0000 (16:27 +0000)]
* aclocal.m4 (WITH_CCOPTS, WITH_CPPOPTS, WITH_LINKER, WITH_LDOPTS,
KRB5_INIT_CCOPTS, WITH_CC_DEPRECATED_ARG): Deleted.
(CONFIG_RULES): Do the non-useless parts directly here.
(V5_SET_TOPDIR): Work quietly.
(WITH_KRB4): Use AC_MSG_NOTICE.
Ken Raeburn [Thu, 21 Aug 2003 08:28:48 +0000 (08:28 +0000)]
* dnssrv.c: New file; split out DNS SRV RR query support...
* locate_kdc.c: ...from here. Always compile in the calls.
* Makefile.in (STLIBOBJS, OBJS, SRCS): Add it.
Ken Raeburn [Thu, 21 Aug 2003 03:55:53 +0000 (03:55 +0000)]
Make things work on IRIX again
* fake-addrinfo.h (inline): Move definitions further up, before first use. Do
use __inline__ for gcc without c99 support.
(GET_SERV_BY_NAME) [!GETSERVBYNAME_R_RETURNS_INT]: Fix invocation for IRIX
definition.
* socket-utils.h: Include port-sockets.h to get a definition for struct
sockaddr_storage.
Ken Raeburn [Thu, 21 Aug 2003 01:50:02 +0000 (01:50 +0000)]
First cut at adding local caching to the getaddrinfo support. Still needs work
* fake-addrinfo.h: Delete the unused WRAP_GETNAMEINFO support.
(HAVE_GETADDRINFO) [__APPLE__ && __MACH__]: Don't undefine.
(FAI_CACHE) [__APPLE__ && __MACH__]: Define.
(system_getaddrinfo, system_freeaddrinfo, system_getnameinfo): New functions.
(gaiptr, faiptr, gniptr): Variables deleted. Change references to use the
system_* functions above.
(getaddrinfo, freeaddrinfo) [FAI_CACHE]: Define as macros to the my_fake_*
versions.
(protoname, socktypename, familyname): Use caller-supplied buffers instead of
local static buffers.
(debug_dump_getaddrinfo_args): Provide a buffer.
(NEED_FAKE_GETNAMEINFO): Define if HAVE_GETADDRINFO is not defined.
(inline): Rework macros to test for C99 and IRIX.
(NEED_FAKE_GETADDRINFO): Define if FAI_CACHE is defined.
(fai_add_entry) [KRB5_USE_INET6]: Support IPv6.
(CACHE_ENTRY_LIFETIME): New macro.
(struct face, struct fac): New types.
(fac): New static variable.
(plant_face, find_face): New functions.
(fai_add_hosts_by_name) [FAI_CACHE]: Check the cache before looking up the
hostname. Add the looked-up host info to the cache.
(fake_getaddrinfo): Call GET_SERV_BY_NAME instead of conditionally calling
getservbyname or getservbyname_r. Don't pass AF_INET to
fai_add_hosts_by_name.
(fake_getnameinfo): Define only if NEED_FAKE_GETNAMEINFO is defined.
(gai_strerror): Define if either HAVE_FAKE_GETADDRINFO or NEED_FAKE_GETNAMEINFO
is defined.
(getaddrinfo): Do define function if FAI_CACHE is defined.
(getnameinfo): Define only if NEED_FAKE_GETNAMEINFO is defined.
Tom Yu [Tue, 12 Aug 2003 02:18:55 +0000 (02:18 +0000)]
* cnv_tkt_skey.c (krb524_convert_tkt_skey): Call krb_create_ticket
instead of local version. Remove local version of
krb_create_ticket. This file no longer gets included into a
krb524 library, so accessing internal functions isn't that big of
an issue anymore.
Tom Yu [Fri, 8 Aug 2003 20:38:55 +0000 (20:38 +0000)]
get_init_creds_password: DNS SRV off causes bogus REALM_UNKNOWN
* gic_pwd.c (krb5_get_init_creds_password): If DNS SRV support is
turned off, the second call to get_init_creds() will fail with
KRB5_REALM_UNKNOWN under certain circumstances. If that happens,
return the error from the first call to get_init_creds(), which
will be more useful to the user.
ticket: new
target_version: 1.3.2
tags: pullup
component: krb5-libs
krb5_get_host_realm and krb5_free_host_realm should not be labeled as KRB5_PRIVATE.
They are required for many applications including OpenAFS and UMich's Kx509. 1.2.8
had them public but the change was never reflected on the trunk.
Ken Raeburn [Fri, 25 Jul 2003 15:37:57 +0000 (15:37 +0000)]
use new config file tag for master KDC
We want to avoid making extra attempts to contact the "master" KDC, in the case
where the password appears to be incorrect according to one KDC but we think
maybe the master KDC could have a newer password, if there isn't actually a
master KDC. Currently the admin_server tag is overloaded for kadmin and
password changing. So, don't use it as a filter on the KDC list; instead, look
for master_kdc as an independent list.
(See also ticket 1511 re contacting the master twice if it's first in the
regular KDC list.)
Doc updates still needed.
* locate_kdc.c (krb5_locate_kdc): Always pass 0 to locate_server as the
get_masters argument. Instead, if get_masters is set, look up "master_kdc" in
the config file instead of "kdc".
ticket: new
target_version: 1.3.2
tags: pullup
status: open
Tom Yu [Tue, 22 Jul 2003 22:22:39 +0000 (22:22 +0000)]
* README: Revert previous change, as it was in error; socklen_t
was introduced in Aug 2001 Platform SDK, and the actual problem
reported was very probably a compilation environment
misconfiguration.
Sam Hartman [Tue, 22 Jul 2003 21:34:57 +0000 (21:34 +0000)]
Always register the file ccache in the set of registered ops. The
resolve code may also find it as the default ops on some platforms,
but this will not cause problems.
Ken Raeburn [Tue, 22 Jul 2003 19:09:32 +0000 (19:09 +0000)]
Change crypto "provider" structures to hold numeric values instead of function
pointers for key sizes, block sizes, etc., when the values are always constant
for each encryption or hash mechanism.
Ken Raeburn [Tue, 22 Jul 2003 17:53:10 +0000 (17:53 +0000)]
Don't combine encrypt and decrypt code paths.
Zap key schedule when done.
* des3.c (validate_and_schedule): Split out from old k5_des3_docrypt.
(k5_des3_encrypt, k5_des3_decrypt): Call it, and krb5int_des3_cbc_encrypt or
_decrypt, instead of k5_des3_docrypt. Zap key schedules before returning.
Ken Raeburn [Tue, 22 Jul 2003 15:19:55 +0000 (15:19 +0000)]
* f_cbc.c (krb5int_des_cbc_decrypt): Move declarations that were after
statements after flattening blocks is previous change.
* d3_cbc.c (krb5int_des3_cbc_decrypt): Likewise.
* init_ets.c (krb5_init_ets): Only initialize error tables once -
so that init_conext/free_context loops do not result in memory
leaks.
I did not implement the remove error table functions - as a system
installed com_err library might not support remove_error_table that
exists in our trees com_err library.
Functional changes:
(1) do not restrict ourselves to DES-CBC-CRC instead support any
ticket with an enctype we support. as of this date (rev 1.3)
this includes all but RC4-MD4.
(2) do not accept invalid tickets
(3) when attempting to retrieve tickets do not specify either the
enctype or cache options (if possible). doing so will force a
TGS request and prevent the results from being stored into the
cache.
(4) when the LSA cache contains a TGT which has expired Microsoft will
not perform a new TGS request until the cache has been purged.
Instead the expired ticket continues to be used along with its
embedded authorization data. When PURGE_ENABLED is defined, if the
tickets are expired, the cache will be purged before requesting
new tickets, else we ignore the contents of the cache and force
a new TGS request.
(5) when the LSA cache is empty do not abort. On XP or 2003, use
the SecurityLogonSessionData to determine the Realm (UserDnsDomain
in MS-speak) and request an appropriate TGT. On 2000, check the
Registry for the HKCU\"Volatile Environment":"USERDNSDOMAIN"
instead. This will allow ms2mit to be used to repopulate the
LSA cache. If the current session is not Kerberos authenticated
an appropriate error message will be generated.
Code changes:
(1) several memory leaks plugged
(2) several support functions copied from the Leashw32.dll sources
(3) get_STRING_from_registry() uses the ANSI versions of the Registry
functions and should at a later date be converted to use the
Unicode versions.
Notes: an ms2mit.exe based on the Leash_import() function
should be considered. Leash_import() not only imports the TGT from
the LSA but also performs the krb524 conversion and AFS token retrieval.
Of course, that version of ms2mit.exe could not exist within the krb5
source tree.
Tom Yu [Thu, 17 Jul 2003 20:50:36 +0000 (20:50 +0000)]
Remove kg_release_defcred and caching of default credential. Rewrite
krb5_gss_init_sec_context() while we're at it to make defcred-related
changes easier, and as a side effect, fix some error condition memory
leaks.
RealmsConfig-glue.c: Don't fail when krb5.conf is valid and krb.conf isn't. Also, don't assert v4 realm is in profile unless that realm is a valid v4 realm
Rewrote krb_get_lrealm to correctly handle the v4 realms section in the profile and to return KFAILURE in the absence of any config (instead of returning ATHENA.MIT.EDU)
Tom Yu [Thu, 10 Jul 2003 22:53:02 +0000 (22:53 +0000)]
* acquire_cred.c (acquire_init_cred): Close the ccache if
krb5_cc_set_flags() fails, as krb5int_cc_default succeeds even if
the file is not there, but krb5_cc_set_flags will fail in turning
off OPENCLOSE mode if the file can't be opened. Thanks to Kent Wu.
krb_prof_get_nth() no longer assumes that its retlen argument is correct (call strcpy instead of strncpy) because this argument is a guess for some callers (eg: krb_get_admhst())
Ken Raeburn [Fri, 4 Jul 2003 20:49:06 +0000 (20:49 +0000)]
darwin build can't compile util/et test program
The autoconf tests correctly determine that sys_nerr exists, and that
no declaration is needed. The test_et.c code checks the wrong condition,
though, and the system header declaration of sys_nerr conflicts with the
one in that source file. (The native one is const.)
* test_et.c: Conditionalize sys_nerr declaration on NEED_SYS_ERRLIST, not
HAVE_SYS_ERRLIST.
Ken Raeburn [Fri, 27 Jun 2003 20:36:24 +0000 (20:36 +0000)]
This change fixes the problem in the ss directory. It probably won't
get into our 1.3 release, but perhaps in a patch release afterwards.
I'll look and see where else things are getting needlessly rebuilt....
* Makefile.in (HDRS): Remove mit-sipb-copyright.h.
(includes): Depend on copied version of the headers, not local versions. Don't
do any copying; instead, move the copying commands to new targets for each
header.
($(HDRDIR)/timestamp): New target; create the directory here if needed.
(clean-unix): Remove the timestamp file.
Tom Yu [Wed, 25 Jun 2003 21:10:48 +0000 (21:10 +0000)]
clean up ftp client gss memory management
* ftp.c (do_auth): Call gss_release_buffer() on send_tok
immediately after sending it. Call gss_release_name() on
target_name at outer_loop instead of inside the loop.
Tom Yu [Tue, 24 Jun 2003 02:29:47 +0000 (02:29 +0000)]
apply patch from jaltman:
* ms2mit.c: Windows Credentials are addressless. Do not store the
credentials in the MIT cache with addresses since they do not
contain addresses in the encrypted portion of the credential.
Instead generate a valid empty address list.
Tom Yu [Fri, 20 Jun 2003 03:24:07 +0000 (03:24 +0000)]
Delete references to --with-system-db from README
* build.texinfo (HPUX): Fix typo.
(Options to Configure): Note that --with-system-db is unsupported,
concerning possible lossage with loading dumpfiles.
Tom Yu [Tue, 17 Jun 2003 01:00:45 +0000 (01:00 +0000)]
Update for krb5-1.3-beta4. Fix note on [999]. Move notes re
addressless tickets and NAT-friendliness to "major changes". Still
need to fill out the TODO for IPv6.
Ken Raeburn [Mon, 16 Jun 2003 19:02:01 +0000 (19:02 +0000)]
* ftp.c (recvrequest): Add new argument indicating whether "-" and "|..."
special treatment should be disabled.
* ftp_var.h (recvrequest): Update declaration.
* cmds.c (remglob, ls, mls): Pass 0 as the extra argument.
(mget): Pass 1.
(getit): Pass 1 iff only one filename was supplied.
Tom Yu [Fri, 13 Jun 2003 22:30:59 +0000 (22:30 +0000)]
* server_kdb.c (kdb_init_hist): Force history principal's key to
be of the same enctype as the master key, as searches for it later
on explicitly specify the enctype.
Tom Yu [Fri, 13 Jun 2003 21:43:07 +0000 (21:43 +0000)]
libgss leaks, UMRs
* init_sec_context.c (krb5_gss_init_sec_context): Free
default_enctypes to avoid leaking returned value from
krb5_get_tgs_ktypes.
* k5unseal.c (kg_unseal_v1): Explicitly set token.value to NULL if
token.length == 0, to avoid spurious uninitialized memory
references when calling memcpy() with a zero length.
ticket: new
target_version: 1.3
tags: pullup
component: krb5-libs
cc: Kent_Wu@trendmicro.com
* error_table.h, et_c.awk, et_c.pl, et_h.awk, et_c.awk: Removed Mac OS support because it prevents darwin builds from getting com error strings via the initialize_*_error_table function
projects / thirdparty / krb5.git / log
