Ken Raeburn [Thu, 26 Feb 2004 04:35:09 +0000 (04:35 +0000)]
* rcp.exp (stop_rsh_daemon): Check for any output before eof, causing any such
info to be dumped into the debug log.
* rsh.exp (stop_rsh_daemon): Likewise.
Ken Raeburn [Thu, 26 Feb 2004 04:19:23 +0000 (04:19 +0000)]
* default.exp (passes): Add "mode=udp" to existing pass specifications. Add a
new pass which does AES and "mode=tcp".
(setup_kerberos_files, setup_krb5_conf): Check global var "mode" and use it to
force UDP or TCP communication between client and KDC. Also, have clients try
another random port where we don't expect anything to be listening.
Ken Raeburn [Thu, 26 Feb 2004 03:43:00 +0000 (03:43 +0000)]
* network.c (setup_a_tcp_listener): Call setreuseaddr before calling bind.
(setup_tcp_listener_ports): Don't call setreuseaddr. Log info about socket
option IPV6_V6ONLY in unsupported and success cases.
Sam Hartman [Tue, 24 Feb 2004 21:07:22 +0000 (21:07 +0000)]
Remove ENCTYPE_LOCAL_DES3_HMAC_SHA1
Previously, MIT had support for a version of the des3 enctype with a
32-bit length prepended to encrypted data. Remove that support. This
is non-standard and is no longer needed even at MIT.
Ken Raeburn [Tue, 17 Feb 2004 23:36:41 +0000 (23:36 +0000)]
* afsstring2key.c (krb5_afs_encrypt): Drop EDFLAG as an argument, make it local
instead, since we always pass 0.
(afs_crypt): Call changed.
(krb5_afs_crypt_setkey, krb5_afs_encrypt): Use memcpy.
Ken Raeburn [Sat, 14 Feb 2004 00:31:35 +0000 (00:31 +0000)]
* aclocal.m4 (TRY_PEER_INT): Deleted.
(KRB5_GETPEERNAME_ARGS): Map the getpeername arg types to the corresponding
getsockname arg types.
(KRB5_GETSOCKNAME_ARGS): If nothing matches, assume struct sockaddr and
socklen_t.
Ken Raeburn [Fri, 13 Feb 2004 23:40:08 +0000 (23:40 +0000)]
* t_encrypt.c (compare_results): New function.
(main): Use it to check decryption results against the original plaintext. When
testing with cipher state, encrypt and then decrypt (and verify) two messages.
* Makefile.in (t_encrypt$(EXEEXT)): Depend on CRYPTO_DEPLIB.
Ken Raeburn [Fri, 13 Feb 2004 23:38:57 +0000 (23:38 +0000)]
* dk_decrypt.c (krb5_dk_decrypt_maybe_trunc_hmac): New argument IVEC_MODE. If
clear, same old behavior. If set, copy out next to last block for CTS.
(krb5_dk_decrypt, krb5int_aes_dk_decrypt): Pass extra argument.
* dk_encrypt.c (krb5int_aes_dk_encrypt): For IV, copy out next to last block for
CTS.
Tom Yu [Fri, 13 Feb 2004 03:19:30 +0000 (03:19 +0000)]
priocntl workaround for Solaris 9 pty-close bug
Implement gross hack to use priocntl to work around the Solaris 9
pty-close bug. Run expect at a higher class "FX" priority than
spawned processes, which run at a lower class "FX" priority. "make
check" needs to start from a process which has FX priority >= 30 and
FX priority limit >= 30. Thanks to Bill Sommerfeld for the hints.
Tom Yu [Thu, 12 Feb 2004 18:28:01 +0000 (18:28 +0000)]
Tru64 and Irix have RPATH issues for test suite
Implement hack for faking up _RLD_ROOT with a shadow of the directory
tree up to the installed "lib" directory. This helps with running
tests on Tru64 and Irix.
Ken Raeburn [Tue, 10 Feb 2004 04:35:14 +0000 (04:35 +0000)]
* ser_sctx.c (kg_oid_externalize): Check for errors.
(kg_oid_internalize): Check for errors. Free allocated storage on error.
(kg_queue_externalize): Check for errorrs.
(kg_queue_internalize): Check for errors. Free allocated storage on error.
(kg_ctx_size): Update for new context data.
(kg_ctx_externalize): Update for new context data. Check for error storing
trailer.
(kg_ctx_internalize): Update for new context data. Check for errors in a few
more cases.
Sam Hartman [Fri, 6 Feb 2004 21:12:21 +0000 (21:12 +0000)]
Enable aes128-cts for client
Currently we support aes128-cts but do not enable it by default. It
looks like interoperability problems will be created by this decision.
So add aes128-cts to the default list of enctypes for client
configuration and for permitted_enctypes.
Jeffrey Altman [Fri, 6 Feb 2004 19:48:12 +0000 (19:48 +0000)]
2004-02-06 Jeffrey Altman <jaltman@mit.edu>
* Add new UI components to the gss.exe client
to support the use of GSS_C_SEQUENCE_FLAG or to
disable the use of either GSS_C_MUTUAL_FLAG or
GSS_C_REPLAY_FLAG
Jeffrey Altman [Fri, 6 Feb 2004 19:05:47 +0000 (19:05 +0000)]
2004-02-06 Jeffrey Altman <jaltman@mit.edu>
* Add new command line switches to the gss-client
to support the use of GSS_C_SEQUENCE_FLAG or to
disable the use of either GSS_C_MUTUAL_FLAG or
GSS_C_REPLAY_FLAG
Jeffrey Altman [Fri, 6 Feb 2004 07:00:51 +0000 (07:00 +0000)]
2004-02-05 Jeffrey Altman <jaltman@mit.edu>
* gssapiP_krb5.h: remove KG_IMPLFLAGS macro
* init_sec_context.c (init_sec_context): Expand KG_IMPLFLAGS
macro with previous macro definition
* accept_sec_context.c (accept_sec_context): Replace KG_IMPLFLAGS
macro with new definition. As per 1964 the INTEG and CONF flags
are supposed to indicate the availability of the services in
the client. By applying the previous definition of KG_IMPLFLAGS
the INTEG and CONF flags are always on. This can be a problem
because some clients such as Microsoft's Kerberos SSPI allow
CONF and INTEG to be used independently. By forcing the flags
on, we would end up with inconsist state with the client.
Jeffrey Altman [Wed, 4 Feb 2004 17:28:00 +0000 (17:28 +0000)]
Remove reference to the ntstatus.h header in cc_mslsa.c
This header is not present in the August 2001 Platform SDK which is
the current minimum SDK version.
Jeffrey Altman [Tue, 3 Feb 2004 00:50:43 +0000 (00:50 +0000)]
2004-02-02 Jeffrey Altman <jaltman@mit.edu>
* cc_msla.c:
GetMSCacheTicketFromCacheInfo() uses the tktinfo->TicketFlags as the
value to assign to TicketRequest->TicketFlags. This field is blindly
inserted into the kdc-options[0] field of the TGS_REQ. If there are
bits such as TRANSIT_POLICY_CHECKED in the TicketFlags, this will result
in an unknown TGS_OPTION being processed by the KDC.
This has been fixed by mapping the Ticket Flags to KDC options.
We only map Forwardable, Forwarded, Proxiable, and Renewable. The others
should not be used.
Jeffrey Altman [Mon, 2 Feb 2004 17:40:19 +0000 (17:40 +0000)]
* cc_mslsa.c: the MSLSA code was crashing on Pismere machines when
logging on with cross realm credentials. On these machines there are
8 tickets within the LSA cache from two different realms. One of the
krbtgt/CLIENT-REALM@CLIENT-REALM tickets (not the Initial ticket but
a Forwarded ticket) is inaccessible to the ms2mit.exe and leash32.exe
processes. The attempt to access the ticket returns a SubStatus code
of STATUS_LOGON_FAILURE (0xC000006DL) which is supposed to mean that
the logon attempt was invalid due to bad authentication information.
kerbtray has no problem listing this ticket. The other seven tickets
in the cache including the Initial Ticket are accessible. Modified
krb5_lcc_next_cred() to skip to the next ticket if an attempt to read
a single ticket fails.
Jeffrey Altman [Sun, 1 Feb 2004 05:40:48 +0000 (05:40 +0000)]
* Do not perform ticket importing if the initial TGT is not available
from the MSLSA krb5_ccache. This will be the case if the session key
enctype is NULL. (AllowTGTSessionKey regkey = 0)
Jeffrey Altman [Sat, 31 Jan 2004 09:29:13 +0000 (09:29 +0000)]
Do not export tickets from the LSA if they contain NULL session keys.
This is primarily to prevent unusable TGTs from being imported into the
MIT Credential Cache
Jeffrey Altman [Sat, 31 Jan 2004 01:40:58 +0000 (01:40 +0000)]
2004-01-30 Jeffrey Altman <jaltman@mit.edu>
* cc_mslsa.c: As per extensive conversations with Doug Engert we have
concluded that MS is not specifying a complete set of domain information
when it comes to service tickets other than the initial TGT. What happens
is the client principal domain cannot be derived from the fields they
export. Code has now been added to obtain the domain from the initial
TGT and use that when constructing the client principals for all tickets.
This behavior can be turned off by setting a registry either on a per-user
or a system-wide basis:
Jeffrey Altman [Sat, 31 Jan 2004 00:00:51 +0000 (00:00 +0000)]
A near complete re-write of the gss sample client on windows. Supports the
current protocol implemented in the Unix gss sample applications as well as
a new User Interface making this one neat testing tool.
There are still many little kinks to get out in a future version. The sliders
for the Call Count and the Message Count do not have text strings indicating
their current value. They slide from 1 to 20. And the known Mechanism
strings should be accessible in the drop down list.
A documentation file on how to use the tool would be a good addition.
Jeffrey Altman [Fri, 30 Jan 2004 23:52:07 +0000 (23:52 +0000)]
Address issues discovered while testing updated Windows gss sample client.
A Missing parameter to a sign_server call in gss-server.c and the need for
a select() call in read_all() to prevent blocking indefinitely.
Jeffrey Altman [Tue, 6 Jan 2004 23:21:13 +0000 (23:21 +0000)]
Add stub function implementations to support krb5_cc_remove_cred() which
would cause a null pointer dereference if called. The new KRB5_CC_NOSUPP
error is returned to indicate the lack of implementation.
Sam Hartman [Mon, 5 Jan 2004 21:42:34 +0000 (21:42 +0000)]
Only backdate the ticket that is created. The KDC reply must contain
the time from the client's request or the client will fail its
clockskew check if the request is backdated too far.
Ken Raeburn [Mon, 5 Jan 2004 21:12:23 +0000 (21:12 +0000)]
* init_sec_context.c: Include auth_con.h if CFX_EXERCISE is defined.
(make_gss_checksum) [CFX_EXERCISE]: If the key enctype is aes256, insert some
stuff after the delegation slot.
(new_connection) [CFX_EXERCISE]: Don't send messages with bogus token ids.
* accept_sec_context.c (krb5_gss_accept_sec_context): Don't discard the
delegation flag; only look for a delegation if the flag is set, and only look
for delegation, not other options. Ignore any other data there.
Jeffrey Altman [Mon, 22 Dec 2003 18:24:41 +0000 (18:24 +0000)]
* dnssrv.c: wrap the entire module in #ifdef KRB5_DNS_LOOKUP to prevent
the dependency on the resolver library when DNS functionality is not
being compiled into the krb5 library.
Ken Raeburn [Sat, 20 Dec 2003 03:19:00 +0000 (03:19 +0000)]
* prompter.c (catch_signals, restore_signals): Take pointer to old signal
handler info as new argument.
(osiginfo): New typedef.
(setup_tty, restore_tty): Take pointer to old signal handler info and old
termios settings as new arguments.
(krb5_prompter_posix): Pass the extra arguments, addresses of new automatic
variables.
(osigint, saveparm): Variables deleted.
projects / thirdparty / krb5.git / log
