Sam Hartman [Mon, 26 Feb 1996 08:36:47 +0000 (08:36 +0000)]
Use MAXDNAME for the maximum length of a domain,
*not* MAXHOSTNAMELEN, which is the maximum length
of an argument to gethostname or sethostname.
Look for arpa/nameser.h to find this constant,
defining it to 256 inf not present in an included file.
Call USE_ANAME in the configure.in, so db library is included.
Sam Hartman [Mon, 26 Feb 1996 08:35:56 +0000 (08:35 +0000)]
Use MAXDNAME for the maximum length of a domain,
*not* MAXHOSTNAMELEN, which is the maximum length
of an argument to gethostname or sethostname.
Look for arpa/nameser.h to find this constant,
defining it to 256 inf not present in an included file.
Sam Hartman [Mon, 26 Feb 1996 08:32:46 +0000 (08:32 +0000)]
Call USE_ANAME so we get the right
db libraries under Linux.
(I'm not quite sure I understand Richard's db changes,
but if I do understand them, this is correct.)
Mark Eichin [Sun, 25 Feb 1996 01:35:18 +0000 (01:35 +0000)]
With this change, lddb -old actually *works* on old dumps..
* dump.c (process_k5beta_record): encrypted keys used to have 4
byte lengths in MSB order, need to convert to 2 byte LSB order
lengths before storing. Handle primary key and alternate key.
Theodore Tso [Sat, 24 Feb 1996 23:45:13 +0000 (23:45 +0000)]
g_mechname.c (gss_add_mech_name_type): Only mark a name-type as being
non-mechanism-specific if the mechanism doesn't match the type
currently associated with the name-type.
g_init_sec_context.c (gss_init_security_context): If we are using a
mechanism-specific name, use the mechanism-specific name directly,
instead of calling __gss_internal_import() on the external form of the
name. If the mechanism_type is unspecified, use the type of the
mechanism-specific name. If the mechanism_type is specified, it must
match the type of the supplied name.
g_acquire_cred.c (gss_acquire_cred): If we are acquiring credentials
for a mechanism-specific name, use the name directly, instead of doing
an __gss_internal_import() on the name. Also, if the
desired_mechanisms oid is NULL, default to using the mechanism-type of
the mechanism-specific name.
g_compare_name.c (gss_compare_name): Add logic for comparing
mechanism-specific names.
g_accept_sec_context.c (gss_accept_sec_context): Use
__gss_convert_name_to_union_name() to take the gss_name_t returned by
the mechanism accept_sec_context(), and convert it into a
mechanism-specific union name.
g_inquire_context.c (gss_inquire_context): Removed local static
function convert_name_to_union_name(), and changed references to it
use the generalized __gss_convert_name_to_union_name() call.
g_glue.c (__gss_convert_name_to_union_name): New function which takes
gss_name_t returned by a particular mechanism, and converts it into a
gss_union_name.
g_rel_oid_set.c (gss_release_oid_set): Manually free the oids in an
OID set, since the containing structure is allocated as an array.
Ezra Peisach [Sat, 24 Feb 1996 18:47:17 +0000 (18:47 +0000)]
* mglueP.h (gss_config): Change int fields to OM_uint32 to match
arguments to procedure calls in gss_init_sec_context,
gss_accept_sec_context, and gss_display_status.
Theodore Tso [Sat, 24 Feb 1996 05:10:47 +0000 (05:10 +0000)]
gssapiP_krb5.h: Changed most krb5 gssapi functions to take a void * as
their first argument, instead of a krb5_context. Makes for a cleaner
interface to the mechanism glue layer.
k5mech.c (krb5_gss_initialize): Call name-type/mechanism registration
function so that mechanism glue layer knows whether or not a name
needs to be lazy evaluated or not.
Mark Eichin [Sat, 24 Feb 1996 00:34:56 +0000 (00:34 +0000)]
Fri Jan 12 04:37:23 1996 Mark Eichin <eichin@cygnus.com>
* cnv_tkt_skey.c (krb524_convert_tkt_skey): rather than apply fit
an extended v5 lifetime into a v4 range, give out a v4 ticket with
as much of the v5 lifetime is available "now" instead.
Mark Eichin [Sat, 24 Feb 1996 00:18:51 +0000 (00:18 +0000)]
This is the aggregate of a bunch of fixes to kadmind (after all, some people
actually use it.) Note that in admin.c, I shredded admin_add_modify and
admin_merge_dbentries, converting them to a goto-exception style, eliminating
the excessive nesting, so they were readable; having done so, admin_add_modify
turned out to be correct, and admin_merge_dbentries was "obviously" broken
in that it assigned random keys gratuitiously. Fixing this causes "modent"
to actually work, without destroying the key...
Wed Feb 21 21:26:50 1996 Mark Eichin <eichin@cygnus.com>
* srv_main.c (xprintf): handle VARARGS.
Sun Feb 18 00:08:02 1996 Mark W. Eichin <eichin@cygnus.com>
* admin.c (admin_merge_dbentries): rewrite for readability, and
fix the year old bug of modify randomizing the password field.
(admin_add_modify): rewrite for readability.
Fri Feb 9 20:11:50 1996 Mark Eichin <eichin@cygnus.com>
* srv_net.c (net_init): gethostbyname doesn't use errno,
compensate by using KRB5_ERR_BAD_HOSTNAME.
Tue Dec 12 19:14:51 1995 Mark Eichin <eichin@cygnus.com>
* admin.c (admin_merge_dbentries): new argument mod_only, to
distinguish between add and modify.
(admin_add_modify): new argument mod_only, to distinguish between
add and modify (and pass through to admin_merge_dbentries.)
(admin_add_principal, admin_modify_principal, admin_change_opwd,
admin_change_orandpw): pass flag indicating modify or add.
Tue Sep 26 22:51:25 1995 Mark Eichin <eichin@cygnus.com>
* admin.c (admin_add_modify): copy, don't just assign, principals
to avoid double-freeing. Zero out "contents" and mod_name fields
after freeing, likewise. Free cur_dbentry and new_dbentry properly.
Tue Sep 26 02:56:41 1995 Mark Eichin <eichin@cygnus.com>
* srv_acl.c (acl_free_entries): jump the ae_next link *before*
freeing the item so we don't lose it.
Tue Sep 26 02:28:35 1995 Mark Eichin <eichin@cygnus.com>
* admin.c (admin_merge_dbentries): copy who into dbentp->mod_name
because callers will free it after successful use.
Mark Eichin [Sat, 24 Feb 1996 00:01:31 +0000 (00:01 +0000)]
* krb5.hin (krb5_x, krb5_xc): wrapper macros to test all function
pointers before calling through them (abort if null.) Simplifies
debugging on many platforms. Currently #if 1, but could be
conditionalized once we're in "production".
Richard Basch [Thu, 22 Feb 1996 04:42:42 +0000 (04:42 +0000)]
kerberos_v4.c: Better DES key validation.
main.c: Don't assume master key is DES for initializing the V4 randkey
generator; use a random key from the DES_CBC_CRC generator as the seed.
Richard Basch [Thu, 22 Feb 1996 04:23:30 +0000 (04:23 +0000)]
* kerberos_v4.c
Improve the checks that DES keys are being used.
* main.c
Do not assume that the master key is necessarily a DES key suitable
for use to initialize the V4 random key generator. Instead, after
initializing the DES_CBC_CRC generator, get a random key and use that
to seed the V4 random key generator.
Theodore Tso [Sat, 17 Feb 1996 05:07:06 +0000 (05:07 +0000)]
If the configuration file does not exist (context->profile == NULL)
return KRB5_CONFIG_CANTOPEN; if the default realm is not defined in
the configuration file, return an error message saying so. These
changes just make the diagnostic error messages more clear.
Richard Basch [Fri, 9 Feb 1996 01:05:50 +0000 (01:05 +0000)]
* pre.in
Install administrative database utilities in sbin, not admin.
Also, define $(transform) to be the sed transformation for program
installation.
Richard Basch [Fri, 9 Feb 1996 00:52:44 +0000 (00:52 +0000)]
* kinit.c
Only initialize the credentials cache if credentials were obtained.
This means you won't blow away the old cache if an incorrect password
was entered, and it also allows for the os_context time offset to be
set properly in the credentials cache.
Richard Basch [Fri, 9 Feb 1996 00:47:05 +0000 (00:47 +0000)]
* fcc.h fcc_gprin.c fcc_maybe.c fcc_skip.c fcc_sseq.c
Store the time offset from the os_context in the credentials cache.
When applications open the credentials cache, they will set the
os_context time offset if kdc_timesync is set and the os_context
time offset has not yet been set.
Note: The time offset is stored during krb5_cc_initialize, so the os_context
should be set prior to this operation.
Theodore Tso [Wed, 7 Feb 1996 05:04:58 +0000 (05:04 +0000)]
Commited new snapshot from Roland Schemers at Sun
This snapshot features a BSD-style copyright notice from Sun. It also
includes the code to parse a configuration file and then dlopen the
proper shared library. Miscellaneous cleanup in the mechglue directory.
Namespace uglieness (like get_mechanism) have been cleaned up, to use
things like __gss_get_mechanism instead.
Sam Hartman [Thu, 1 Feb 1996 05:56:27 +0000 (05:56 +0000)]
* rcp (client mode) now uses rsh -x but still supports the old encryption in
server mode.
* krshd will work in encrypting mode even when the port for stderr is null.
* rcp will work if stdin isn't not a socket, but is a pipe in remote mode
* krshd destroys forwarded credentials properly
* For rsh, the secure_message got moved to the client; if you use a new client
with an old server, you get secure_message twice, but it should be a
useful change long-term.
* Fixed typo in rcp man page.
Sam Hartman [Wed, 31 Jan 1996 22:26:17 +0000 (22:26 +0000)]
* krshd: Make sure KRB5CCNAME gets set for forward creds; code could be much cleaner.
* forward.c: give caller handle to ccache so it can be destroyed.
* krshd: destroy the ccache if it is non-null.
* krlogind: Fix call, but don't destroy cache, as
login.krb5 should do that any year now.
Richard Basch [Wed, 31 Jan 1996 00:22:23 +0000 (00:22 +0000)]
Several changes to the db rename feature.
Renaming locks the target lock file.
If the target lock file doesn't exist, create it.
Check the return value of krb5_dbm_db_set_name and set the
context accordingly if the target didn't exist.
Only unlink the source lock file if one could be computed.