ChangeLog revision 178825
2008-01-13 Love Hörnquist Åstrand <lha@it.su.se>

	* test_ntlm.c: Test source name (and make the acceptor in ntlm gss
	mech useful).

2007-12-30 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/init_sec_context.c: Don't confuse target name and source
	name, make regression tests pass again.

2007-12-29 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm: clean up name handling

2007-12-04 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/init_sec_context.c: Use credential if it was passed in.

	* ntlm/acquire_cred.c: Check if there is initial creds with
	_gss_ntlm_get_user_cred().

	* ntlm/init_sec_context.c: Add _gss_ntlm_get_user_info() that
	return the user info so it can be used by external modules.

	* ntlm/inquire_cred.c: use the right error code.

	* ntlm/inquire_cred.c: Return GSS_C_NO_CREDENTIAL if there is no
	credential, ntlm have (not yet) a default credential.

	* mech/gss_release_oid_set.c: Avoid trying to deref NULL, from
	Phil Fisher.

2007-12-03 Love Hörnquist Åstrand <lha@it.su.se>

	* test_acquire_cred.c: Always try to fetch cred (even with
	GSS_C_NO_NAME).

2007-08-09 Love Hörnquist Åstrand <lha@it.su.se>

	* mech/gss_krb5.c: Readd gss_krb5_get_tkt_flags.

2007-08-08 Love Hörnquist Åstrand <lha@it.su.se>

	* spnego/compat.c (_gss_spnego_internal_delete_sec_context):
	release ctx->target_name too. From Rafal Malinowski.

2007-07-26 Love Hörnquist Åstrand <lha@it.su.se>

	* mech/gss_mech_switch.c: Don't try to do dlopen if system doesn't
	have dlopen. From Rune of Chalmers.

2007-07-10 Love Hörnquist Åstrand <lha@it.su.se>

	* mech/gss_duplicate_name.c: New signature of _gss_find_mn.

	* mech/gss_init_sec_context.c: New signature of _gss_find_mn.

	* mech/gss_acquire_cred.c: New signature of _gss_find_mn.

	* mech/name.h: New signature of _gss_find_mn.

	* mech/gss_canonicalize_name.c: New signature of _gss_find_mn.

	* mech/gss_compare_name.c: New signature of _gss_find_mn.

	* mech/gss_add_cred.c: New signature of _gss_find_mn.

	* mech/gss_names.c (_gss_find_mn): Return an error code for
	caller.

	* spnego/accept_sec_context.c: remove checks that are done by the
	previous function.

	* Makefile.am: New library version.

2007-07-04 Love Hörnquist Åstrand <lha@it.su.se>

	* mech/gss_oid_to_str.c: Refuse to print GSS_C_NULL_OID, from
	Rafal Malinowski.

	* spnego/spnego.asn1: Indent and make NegTokenInit and
	NegTokenResp extendable.

2007-06-21 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/inquire_cred.c: Implement _gss_ntlm_inquire_cred.

	* mech/gss_display_status.c: Provide message for GSS_S_COMPLETE.

	* mech/context.c: If the canned string is "", it's no use to the
	user, make it fall back to the default error string.

2007-06-20 Love Hörnquist Åstrand <lha@it.su.se>

	* mech/gss_display_name.c (gss_display_name): no name ->
	fail.
	From Rafal Malinowski.

	* spnego/accept_sec_context.c: Wrap name in a spnego_name instead
	of just a copy of the underlying object. From Rafal Malinowski.

	* spnego/accept_sec_context.c: Handle underlying mech not
	returning mn.

	* mech/gss_accept_sec_context.c: Handle underlying mech not
	returning mn.

	* spnego/accept_sec_context.c: Make sure src_name is always set to
	GSS_C_NO_NAME when returning.

	* krb5/acquire_cred.c (acquire_acceptor_cred): don't claim
	everything is well on failure. From Phil Fisher.

	* mech/gss_duplicate_name.c: catch error (and ignore it)

	* ntlm/init_sec_context.c: Use heim_ntlm_calculate_ntlm2_sess.

	* mech/gss_accept_sec_context.c: Only wrap the delegated cred if
	we got a delegated mech cred. From Rafal Malinowski.

	* spnego/accept_sec_context.c: Only wrap the delegated cred if we
	are going to return it to the consumer. From Rafal Malinowski.

	* spnego/accept_sec_context.c: Fixed memory leak pointed out by
	Rafal Malinowski, also while here moved to use NegotiationToken
	for decoding.

2007-06-18 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/prf.c (_gsskrb5_pseudo_random): add missing break.

	* krb5/release_name.c: Set *minor_status unconditionally, it's
	done later anyway.

	* spnego/accept_sec_context.c: Init get_mic to 0.

	* mech/gss_set_cred_option.c: Free memory in failure case, found
	by beam.

	* mech/gss_inquire_context.c: Handle mech_type being NULL.

	* mech/gss_inquire_cred_by_mech.c: Handle cred_name being NULL.

	* mech/gss_krb5.c: Free memory in error case, found by beam.

2007-06-12 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/inquire_context.c: Use ctx->gssflags for flags.

	* krb5/display_name.c: Use KRB5_PRINCIPAL_UNPARSE_DISPLAY, this is
	not meant for machine consumption.

2007-06-09 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/digest.c (kdc_alloc): free memory on failure, pointed out
	by Rafal Malinowski.

	* ntlm/digest.c (kdc_destroy): free context when done, pointed out
	by Rafal Malinowski.

	* spnego/context_stubs.c (_gss_spnego_display_name): if input_name
	is null, fail. From Rafal Malinowski.

2007-06-04 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/digest.c: Free memory when done.

2007-06-02 Love Hörnquist Åstrand <lha@it.su.se>

	* test_ntlm.c: Test both with and without keyex.

	* ntlm/digest.c: If we didn't set session key, don't expect one
	back.

	* test_ntlm.c: Set keyex flag and calculate session key.

2007-05-31 Love Hörnquist Åstrand <lha@it.su.se>

	* spnego/accept_sec_context.c: Use the return value before it is
	overwritten by later calls. From Rafal Malinowski

	* krb5/release_cred.c: Give a minor_status argument to
	gss_release_oid_set. From Rafal Malinowski

2007-05-30 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/accept_sec_context.c: Catch errors and return them up the
	stack.

	* test_kcred.c: more testing of lifetimes

2007-05-17 Love Hörnquist Åstrand <lha@it.su.se>

	* Makefile.am: Drop the gss oid_set function for the krb5 mech,
	use the mech glue versions instead. Pointed out by Rafal
	Malinowski.

	* krb5: Use gss oid_set functions from mechglue

2007-05-14 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/accept_sec_context.c: Set session key only if we are
	returned a session key. Found by David Love.

2007-05-13 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/prf.c: switched MIN to min to make compile on solaris,
	pointed out by David Love.

2007-05-09 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/inquire_cred_by_mech.c: Fill in all of the variables if
	they are passed in. Pointed out by Phil Fisher.

2007-05-08 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/inquire_cred.c: Fix copy and paste error, bug spotted by
	Phil Fisher.

	* mech: don't keep track of gc_usage, just figure it out at
	gss_inquire_cred() time

	* mech/gss_mech_switch.c (add_builtin): ok for
	__gss_mech_initialize() to return NULL

	* test_kcred.c: more correct tests

	* spnego/cred_stubs.c (gss_inquire_cred*): wrap the name with a
	spnego_name.

	* ntlm/inquire_cred.c: make ntlm gss_inquire_cred fail for now,
	need to find default cred and friends.

	* krb5/inquire_cred_by_mech.c: reimplement

2007-05-07 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/acquire_cred.c: drop unused variable.

	* ntlm/acquire_cred.c: Reimplement.

	* Makefile.am: add ntlm/digest.c

	* ntlm: split out backend ntlm server processing

2007-04-24 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/delete_sec_context.c (_gss_ntlm_delete_sec_context): free
	credcache when done

2007-04-22 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/init_sec_context.c: ntlm-key credential entry is prefixed with @

	* ntlm/init_sec_context.c (get_user_ccache): pick up the ntlm
	creds from the krb5 credential cache.

2007-04-21 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/delete_sec_context.c: free the key stored in the context

	* ntlm/ntlm.h: switch password for a key

	* test_oid.c: Switch oid to one that is exported.

2007-04-20 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/init_sec_context.c: move where hash is calculated to make
	it easier to add ccache support.

	* Makefile.am: Add version-script.map to EXTRA_DIST.

2007-04-19 Love Hörnquist Åstrand <lha@it.su.se>

	* Makefile.am: Unconfuse newer versions of automake that doesn't
	know the difference between dependencies and setting variables. foo:
	vs foo=.

	* test_ntlm.c: delete sec context when done.

	* version-script.map: export more symbols.

	* Makefile.am: add version script if ld supports it

	* version-script.map: add version script if ld supports it

2007-04-18 Love Hörnquist Åstrand <lha@it.su.se>

	* Makefile.am: test_acquire_cred need test_common.[ch]

	* test_acquire_cred.c: add more test options.

	* krb5/external.c: add GSS_KRB5_CCACHE_NAME_X

	* gssapi/gssapi_krb5.h: add GSS_KRB5_CCACHE_NAME_X

	* krb5/set_sec_context_option.c: refactor code, implement
	GSS_KRB5_CCACHE_NAME_X

	* mech/gss_krb5.c: reimplement gss_krb5_ccache_name

2007-04-17 Love Hörnquist Åstrand <lha@it.su.se>

	* spnego/cred_stubs.c: Need to import spnego name before we can
	use it as a gss_name_t.

	* test_acquire_cred.c: use this test as part of the regression
	suite.

	* mech/gss_acquire_cred.c (gss_acquire_cred): don't init
	cred->gc_mc every time in the loop.

2007-04-15 Love Hörnquist Åstrand <lha@it.su.se>

	* Makefile.am: add test_common.h

2007-02-16 Love Hörnquist Åstrand <lha@it.su.se>

	* gss_acquire_cred.3: Add link for
	gsskrb5_register_acceptor_identity.

2007-02-08 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/copy_ccache.c: Try to leak less memory in the failure case.

2007-01-31 Love Hörnquist Åstrand <lha@it.su.se>

	* mech/gss_display_status.c: Use right printf formatter.

	* test_*.[ch]: split out the error printing function and try to
	return better errors

2007-01-30 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/init_sec_context.c: revert 1.75: (init_auth): only turn on
	GSS_C_CONF_FLAG and GSS_C_INT_FLAG if the caller requested it.

	This is because Kerberos always support INT|CONF, matches behavior
	with MS and MIT. The creates problems for the GSS-SPNEGO mech.

2007-01-24 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/prf.c: constrain desired_output_len

	* krb5/external.c (krb5_mech): add _gsskrb5_pseudo_random

	* mech/gss_pseudo_random.c: Catch error from underlying mech on
	failure.

	* Makefile.am: Add krb5/prf.c

	* krb5/prf.c: gss_pseudo_random for krb5

	* test_context.c: Checks for gss_pseudo_random.

	* krb5/gkrb5_err.et: add KG_INPUT_TOO_LONG

	* Makefile.am: Add mech/gss_pseudo_random.c

	* gssapi/gssapi.h: try to load pseudo_random

	* mech/gss_mech_switch.c: try to load pseudo_random

	* mech/gss_pseudo_random.c: Add gss_pseudo_random.

	* gssapi_mech.h: Add hook for gm_pseudo_random.

2007-01-17 Love Hörnquist Åstrand <lha@it.su.se>

	* test_context.c: Don't assume buffer from gss_display_status is
	ok.

	* mech/gss_wrap_size_limit.c: Reset out variables.

	* mech/gss_wrap.c: Reset out variables.

	* mech/gss_verify_mic.c: Reset out variables.

	* mech/gss_utils.c: Reset out variables.

	* mech/gss_release_oid_set.c: Reset out variables.

	* mech/gss_release_cred.c: Reset out variables.

	* mech/gss_release_buffer.c: Reset variables.

	* mech/gss_oid_to_str.c: Reset out variables.

	* mech/gss_inquire_sec_context_by_oid.c: Fix reset out variables.

	* mech/gss_mech_switch.c: Reset out variables.

	* mech/gss_inquire_sec_context_by_oid.c: Reset out variables.

	* mech/gss_inquire_names_for_mech.c: Reset out variables.

	* mech/gss_inquire_cred_by_oid.c: Reset out variables.

	* mech/gss_inquire_cred_by_oid.c: Reset out variables.

	* mech/gss_inquire_cred_by_mech.c: Reset out variables.

	* mech/gss_inquire_cred.c: Reset out variables, fix memory leak.

	* mech/gss_inquire_context.c: Reset out variables.

	* mech/gss_init_sec_context.c: Zero out outbuffer on failure.

	* mech/gss_import_name.c: Reset out variables.

	* mech/gss_import_name.c: Reset out variables.

	* mech/gss_get_mic.c: Reset out variables.

	* mech/gss_export_name.c: Reset out variables.

	* mech/gss_encapsulate_token.c: Reset out variables.

	* mech/gss_duplicate_oid.c: Reset out variables.

	* mech/gss_duplicate_oid.c: Reset out variables.

	* mech/gss_duplicate_name.c: Reset out variables.

	* mech/gss_display_status.c: Reset out variables.

	* mech/gss_display_name.c: Reset out variables.

	* mech/gss_delete_sec_context.c: Reset out variables using proper
	macros.

	* mech/gss_decapsulate_token.c: Reset out variables using proper
	macros.

	* mech/gss_add_cred.c: Reset out variables.

	* mech/gss_acquire_cred.c: Reset out variables.

	* mech/gss_accept_sec_context.c: Reset out variables using proper
	macros.

	* mech/gss_init_sec_context.c: Reset out variables.

	* mech/mech_locl.h (_mg_buffer_zero): new macro that zaps a
	gss_buffer_t

2007-01-16 Love Hörnquist Åstrand <lha@it.su.se>

	* mech: sprinkle _gss_mg_error

	* mech/gss_display_status.c (gss_display_status): use
	_gss_mg_get_error to fetch the error from underlying mech, if it
	fails, let do the regular dance for GSS-CODE version and a
	generic print-the-error code for MECH-CODE.

	* mech/gss_oid_to_str.c: Don't include the NUL in the length of
	the string.

	* mech/context.h: Prototypes for _gss_mg_.

	* mech/context.c: Glue to catch the error from the lower gss-api
	layer and save that for later so gss_display_status() can show the
	error.

	* gss.c: Detect NTLM.

2007-01-11 Love Hörnquist Åstrand <lha@it.su.se>

	* mech/gss_accept_sec_context.c: spelling

2007-01-04 Love Hörnquist Åstrand <lha@it.su.se>

	* Makefile.am: Include build (private) prototypes header files.

	* Makefile.am (ntlmsrc): add ntlm/ntlm-private.h

2006-12-28 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/accept_sec_context.c: Pass signseal argument to
	_gss_ntlm_set_key.

	* ntlm/init_sec_context.c: Pass signseal argument to
	_gss_ntlm_set_key.

	* ntlm/crypto.c (_gss_ntlm_set_key): add signseal argument

	* test_ntlm.c: add ntlmv2 test

	* ntlm/ntlm.h: break out struct ntlmv2_key;

	* ntlm/crypto.c (_gss_ntlm_set_key): set ntlm v2 keys.

	* ntlm/accept_sec_context.c: Set dummy ntlmv2 keys and Check TI.

	* ntlm/ntlm.h: NTLMv2 keys.

	* ntlm/crypto.c: NTLMv2 sign and verify.

2006-12-20 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/accept_sec_context.c: Don't send targetinfo now.

	* ntlm/init_sec_context.c: Build ntlmv2 answer buffer.

	* ntlm/init_sec_context.c: Leak less memory.

	* ntlm/init_sec_context.c: Announce that we support key exchange.

	* ntlm/init_sec_context.c: Add NTLM_NEG_NTLM2_SESSION, NTLMv2
	session security (disable because missing sign and seal).

2006-12-19 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/accept_sec_context.c: split RC4 send and recv keystreams

	* ntlm/init_sec_context.c: split RC4 send and recv keystreams

	* ntlm/ntlm.h: split RC4 send and recv keystreams

	* ntlm/crypto.c: Implement SEAL.

	* ntlm/crypto.c: move gss_wrap/gss_unwrap here

	* test_context.c: request INT and CONF from the gss layer, test
	get and verify MIC.

	* ntlm/ntlm.h: add crypto bits.

	* ntlm/accept_sec_context.c: Save session master key.

	* Makefile.am: Move get and verify mic to the same file (crypto.c)
	since they share code.

	* ntlm/crypto.c: Move get and verify mic to the same file since
	they share code, implement NTLM v1 and dummy signatures.

	* ntlm/init_sec_context.c: pass on GSS_C_CONF_FLAG and
	GSS_C_INTEG_FLAG, save the session master key

	* spnego/accept_sec_context.c: try using gss_accept_sec_context()
	on the opportunistic token instead of guessing the acceptor name
	and do gss_acquire_cred, this make SPNEGO work like before.

2006-12-18 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/init_sec_context.c: Calculate the NTLM version 1 "master"
	key.

	* spnego/accept_sec_context.c: Resurrect negHints for the acceptor
	sends first packet.

	* Makefile.am: Add "windows" versions of the NegTokenInitWin and
	friends.

	* test_context.c: add --wrapunwrap flag

	* spnego/compat.c: move _gss_spnego_indicate_mechtypelist() to
	compat.c, use the sequence types of MechTypeList, make
	add_mech_type() static.

	* spnego/accept_sec_context.c: move
	_gss_spnego_indicate_mechtypelist() to compat.c

	* Makefile.am: Generate sequence code for MechTypeList

	* spnego: check that the generated acceptor mechlist is acceptable too

	* spnego/init_sec_context.c: Abstract out the initiator filter
	function, it will be needed for the acceptor too.

	* spnego/accept_sec_context.c: Abstract out the initiator filter
	function, it will be needed for the acceptor too. Remove negHints.

	* test_context.c: allow asserting return mech

	* ntlm/accept_sec_context.c: add _gss_ntlm_allocate_ctx

	* ntlm/acquire_cred.c: Check that the KDC seems to be there and
	answering us, we can't do better than that when checking if we will
	accept the credential.

	* ntlm/get_mic.c: return GSS_S_UNAVAILABLE

	* mech/utils.h: add _gss_free_oid, reverse of _gss_copy_oid

	* mech/gss_utils.c: add _gss_free_oid, reverse of _gss_copy_oid

	* spnego/spnego.asn1: It's very sad, but NegHints are not part
	of the NegTokenInit, this makes SPNEGO acceptor life a lot harder.

	* spnego: try harder to handle names better. handle missing
	acceptor and initiator creds better (ie don't propose/accept mech
	that there are no credentials for) split NegTokenInit and
	NegTokenResp in acceptor

2006-12-16 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/import_name.c: Allocate the buffer from the right length.

2006-12-15 Love Hörnquist Åstrand <lha@it.su.se>

	* ntlm/init_sec_context.c (init_sec_context): Tell the other side
	what domain we think we are talking to.

	* ntlm/delete_sec_context.c: free username and password

	* ntlm/release_name.c (_gss_ntlm_release_name): free name.

	* ntlm/import_name.c (_gss_ntlm_import_name): add support for
	GSS_C_NT_HOSTBASED_SERVICE names

	* ntlm/ntlm.h: Add ntlm_name.

	* test_context.c: allow testing of ntlm.

	* gssapi_mech.h: add __gss_ntlm_initialize

	* ntlm/accept_sec_context.c (handle_type3): verify that the kdc
	approved of the ntlm exchange too

	* mech/gss_mech_switch.c: Add the builtin ntlm mech

	* test_ntlm.c: NTLM test app.

	* mech/gss_accept_sec_context.c: Add detection of NTLMSSP.

	* gssapi/gssapi.h: add ntlm mech oid

	* ntlm/external.c: Switch OID to the ms ntlmssp oid

	* Makefile.am: Add ntlm gss-api module.

	* ntlm/accept_sec_context.c: Catch more errors.

	* ntlm/accept_sec_context.c: Check after a credential to use.

2006-12-14 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/set_sec_context_option.c (GSS_KRB5_SET_DEFAULT_REALM_X):
	don't fail on success. Bug report from Stefan Metzmacher.

2006-12-13 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/init_sec_context.c (init_auth): only turn on
	GSS_C_CONF_FLAG and GSS_C_INT_FLAG if the caller requested it.
	From Stefan Metzmacher.

2006-12-11 Love Hörnquist Åstrand <lha@it.su.se>

	* Makefile.am (libgssapi_la_OBJECTS): depends on gssapi_asn1.h
	spnego_asn1.h.

2006-11-20 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/acquire_cred.c: Make krb5_get_init_creds_opt_free take a
	context argument.

2006-11-16 Love Hörnquist Åstrand <lha@it.su.se>

	* test_context.c: Test that token keys are the same, return
	actual_mech.

2006-11-15 Love Hörnquist Åstrand <lha@it.su.se>

	* spnego/spnego_locl.h: Make bitfields unsigned, add maybe_open.

	* spnego/accept_sec_context.c: Use ASN.1 encoder functions to
	encode CHOICE structure now that we can handle it.

	* spnego/init_sec_context.c: Use ASN.1 encoder functions to encode
	CHOICE structure now that we can handle it.

	* spnego/accept_sec_context.c (_gss_spnego_accept_sec_context):
	send back an accept_completed when the security context is ->open,
	w/o this the client doesn't know that the server has completed
	the transaction.

	* test_context.c: Add delegate flag and check that the delegated
	cred works.

	* spnego/init_sec_context.c: Keep track of the opportunistic token
	in the initial message, it might be a complete gss-api context, in
	that case we'll get back accept_completed without any token. With
	this change, krb5 w/o mutual authentication works.

	* spnego/accept_sec_context.c: Use ASN.1 encoder functions to
	encode CHOICE structure now that we can handle it.

	* spnego/accept_sec_context.c: Filter out SPNEGO from the out
	supported mechs list and make sure we don't select that for the
	preferred mechanism.

2006-11-14 Love Hörnquist Åstrand <lha@it.su.se>

	* mech/gss_init_sec_context.c (_gss_mech_cred_find): break out the
	cred finding to its own function

	* krb5/wrap.c: Better error strings, from Andrew Bartlett.

2006-11-13 Love Hörnquist Åstrand <lha@it.su.se>

	* test_context.c: Create our own krb5_context.

	* krb5: Switch from using a specific error message context in the
	TLS to have a whole krb5_context in TLS. This has some
	interesting side-effects for the configuration setting options
	since they operate on per-thread basis now.

	* mech/gss_set_cred_option.c: When calling ->gm_set_cred_option
	and checking for success, use GSS_S_COMPLETE. From Andrew Bartlett.

2006-11-12 Love Hörnquist Åstrand <lha@it.su.se>

	* Makefile.am: Help solaris make even more.

	* Makefile.am: Help solaris make.

2006-11-09 Love Hörnquist Åstrand <lha@it.su.se>

	* Makefile.am: remove include $(srcdir)/Makefile-digest.am for now

	* mech/gss_accept_sec_context.c: Try better guessing what is mech
	we are going to select by looking harder at the input_token, idea
	from Luke Howard's mechglue branch.

	* Makefile.am: libgssapi_la_OBJECTS: add dependency on gkrb5_err.h

	* gssapi/gssapi_krb5.h: add GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X

	* mech/gss_krb5.c: implement gss_krb5_set_allowable_enctypes

	* gssapi/gssapi.h: GSS_KRB5_S_

	* krb5/gsskrb5_locl.h: Include <gkrb5_err.h>.

	* gssapi/gssapi_krb5.h: Add gss_krb5_set_allowable_enctypes.

	* Makefile.am: Build and install gkrb5_err.h

	* krb5/gkrb5_err.et: Move the GSS_KRB5_S error here.

2006-11-08 Love Hörnquist Åstrand <lha@it.su.se>

	* mech/gss_krb5.c: Add gsskrb5_set_default_realm.

	* krb5/set_sec_context_option.c: Support
	GSS_KRB5_SET_DEFAULT_REALM_X.

	* gssapi/gssapi_krb5.h: add GSS_KRB5_SET_DEFAULT_REALM_X

	* krb5/external.c: add GSS_KRB5_SET_DEFAULT_REALM_X

2006-11-07 Love Hörnquist Åstrand <lha@it.su.se>

	* test_context.c: rename krb5_[gs]et_time_wrap to
	krb5_[gs]et_max_time_skew

	* krb5/copy_ccache.c: _gsskrb5_extract_authz_data_from_sec_context
	no longer used, bye bye

	* mech/gss_krb5.c: No dependency of the krb5 gssapi mech.

	* mech/gss_krb5.c (gsskrb5_extract_authtime_from_sec_context): use
	_gsskrb5_decode_om_uint32. From Andrew Bartlett.

	* mech/gss_krb5.c: Add dummy gss_krb5_set_allowable_enctypes for
	now.

	* spnego/spnego_locl.h: Include <roken.h> for compatibility.

	* krb5/arcfour.c: Use IS_DCE_STYLE flag. There is no padding in
	DCE-STYLE, don't try to use to. From Andrew Bartlett.

	* test_context.c: test wrap/unwrap, add flag for dce-style and
	mutual auth, also support multi-roundtrip sessions

	* krb5/gsskrb5_locl.h: Add IS_DCE_STYLE macro.

	* krb5/accept_sec_context.c (gsskrb5_acceptor_start): use
	krb5_rd_req_ctx

	* mech/gss_krb5.c (gsskrb5_get_subkey): return the per message
	token subkey

	* krb5/inquire_sec_context_by_oid.c: check if there is any key at
	all

2006-11-06 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/inquire_sec_context_by_oid.c: Set more error strings, use
	right enum for acceptor subkey. From Andrew Bartlett.

2006-11-04 Love Hörnquist Åstrand <lha@it.su.se>

	* test_context.c: Test gsskrb5_extract_service_keyblock, needed in
	PAC validation. From Andrew Bartlett

	* mech/gss_krb5.c: Add gsskrb5_extract_authz_data_from_sec_context
	and keyblock extraction functions.

	* gssapi/gssapi_krb5.h: Add extraction of keyblock function, from
	Andrew Bartlett.

	* krb5/external.c: Add GSS_KRB5_GET_SERVICE_KEYBLOCK_X

2006-11-03 Love Hörnquist Åstrand <lha@it.su.se>

	* test_context.c: Rename various routines and constants from
	canonize to canonicalize. From Andrew Bartlett

	* mech/gss_krb5.c: Rename various routines and constants from
	canonize to canonicalize. From Andrew Bartlett

	* krb5/set_sec_context_option.c: Rename various routines and
	constants from canonize to canonicalize. From Andrew Bartlett

	* krb5/external.c: Rename various routines and constants from
	canonize to canonicalize. From Andrew Bartlett

	* gssapi/gssapi_krb5.h: Rename various routines and constants from
	canonize to canonicalize. From Andrew Bartlett

2006-10-25 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/accept_sec_context.c (gsskrb5_accept_delegated_token): need
	to free ccache

2006-10-24 Love Hörnquist Åstrand <lha@it.su.se>

	* test_context.c (loop): free target_name

	* mech/gss_accept_sec_context.c: SLIST_INIT the ->gc_mc'

	* mech/gss_acquire_cred.c : SLIST_INIT the ->gc_mc'

	* krb5/init_sec_context.c: Avoid leaking memory.

	* mech/gss_buffer_set.c (gss_release_buffer_set): don't leak the
	->elements memory.

	* test_context.c: make compile

	* krb5/cfx.c (_gssapi_verify_mic_cfx): always free crypto context.

	* krb5/set_cred_option.c (import_cred): free sp

2006-10-22 Love Hörnquist Åstrand <lha@it.su.se>

	* mech/gss_add_oid_set_member.c: Use old implementation of
	gss_add_oid_set_member, it leaks less memory.

	* krb5/test_cfx.c: free krb5_crypto.

	* krb5/test_cfx.c: free krb5_context

	* mech/gss_release_name.c (gss_release_name): free input_name
	itself.

2006-10-21 Love Hörnquist Åstrand <lha@it.su.se>

	* test_context.c: Call setprogname.

	* mech/gss_krb5.c: Add gsskrb5_extract_authtime_from_sec_context.

	* gssapi/gssapi_krb5.h: add
	gsskrb5_extract_authtime_from_sec_context

2006-10-20 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/inquire_sec_context_by_oid.c: Add get_authtime.

	* krb5/external.c: add GSS_KRB5_GET_AUTHTIME_X

	* gssapi/gssapi_krb5.h: add GSS_KRB5_GET_AUTHTIME_X

	* krb5/set_sec_context_option.c: Implement GSS_KRB5_SEND_TO_KDC_X.

	* mech/gss_krb5.c: Add gsskrb5_set_send_to_kdc

	* gssapi/gssapi_krb5.h: Add GSS_KRB5_SEND_TO_KDC_X and
	gsskrb5_set_send_to_kdc

	* krb5/external.c: add GSS_KRB5_SEND_TO_KDC_X

	* Makefile.am: more files

2006-10-19 Love Hörnquist Åstrand <lha@it.su.se>

	* Makefile.am: remove spnego/gssapi_spnego.h, it's now in gssapi/

	* test_context.c: Allow specifying mech.

	* krb5/external.c: add GSS_SASL_DIGEST_MD5_MECHANISM (for now)

	* gssapi/gssapi.h: Rename GSS_DIGEST_MECHANISM to
	GSS_SASL_DIGEST_MD5_MECHANISM

2006-10-18 Love Hörnquist Åstrand <lha@it.su.se>

	* mech/gssapi.asn1: Make it into a heim_any_set, it doesn't
	expect a tag.

	* mech/gssapi.asn1: GSSAPIContextToken is IMPLICIT SEQUENCE

	* gssapi/gssapi_krb5.h: add GSS_KRB5_GET_ACCEPTOR_SUBKEY_X

	* krb5/external.c: Add GSS_KRB5_GET_ACCEPTOR_SUBKEY_X.

	* gssapi/gssapi_krb5.h: add GSS_KRB5_GET_INITIATOR_SUBKEY_X and
	GSS_KRB5_GET_SUBKEY_X

	* krb5/external.c: add GSS_KRB5_GET_INITIATOR_SUBKEY_X,
	GSS_KRB5_GET_SUBKEY_X

2006-10-17 Love Hörnquist Åstrand <lha@it.su.se>

	* test_context.c: Support switching on name type oid's

	* test_context.c: add test for dns canon flag

	* mech/gss_krb5.c: Add gsskrb5_set_dns_canonlize.

	* gssapi/gssapi_krb5.h: remove gss_krb5_compat_des3_mic

	* gssapi/gssapi_krb5.h: Add gsskrb5_set_dns_canonlize.

	* krb5/set_sec_context_option.c: implement
	GSS_KRB5_SET_DNS_CANONIZE_X

	* gssapi/gssapi_krb5.h: add GSS_KRB5_SET_DNS_CANONIZE_X

	* krb5/external.c: add GSS_KRB5_SET_DNS_CANONIZE_X

	* mech/gss_krb5.c: add bits to make lucid context work

2006-10-14 Love Hörnquist Åstrand <lha@it.su.se>

	* mech/gss_oid_to_str.c: Prefix der primitives with der_.

	* krb5/inquire_sec_context_by_oid.c: Prefix der primitives with
	der_.

	* krb5/encapsulate.c: Prefix der primitives with der_.

	* mech/gss_oid_to_str.c: New der_print_heim_oid signature.

2006-10-12 Love Hörnquist Åstrand <lha@it.su.se>

	* Makefile.am: add test_context

	* krb5/inquire_sec_context_by_oid.c: Make it work.

	* test_oid.c: Test lucid oid.

	* gssapi/gssapi.h: Add OM_uint64_t.

	* krb5/inquire_sec_context_by_oid.c: Add lucid interface.

	* krb5/external.c: Add lucid interface, renumber oids to my
	delegated space.

	* mech/gss_krb5.c: Add lucid interface.

	* gssapi/gssapi_krb5.h: Add lucid interface.

	* spnego/spnego_locl.h: Maybe include <netdb.h>.

2006-10-09 Love Hörnquist Åstrand <lha@it.su.se>

	* mech/gss_mech_switch.c: define RTLD_LOCAL to 0 if not defined.

2006-10-08 Love Hörnquist Åstrand <lha@it.su.se>

	* Makefile.am: install gssapi_krb5.H and gssapi_spnego.h

	* gssapi/gssapi_krb5.h: Move krb5 stuff to <gssapi/gssapi_krb5.h>.

	* gssapi/gssapi.h: Move krb5 stuff to <gssapi/gssapi_krb5.h>.

	* Makefile.am: Drop some -I no longer needed.

	* gssapi/gssapi_spnego.h: Move gssapi_spengo.h over here.

	* krb5: reference all include files using 'krb5/'

2006-10-07 Love Hörnquist Åstrand <lha@it.su.se>

	* gssapi.h: Add file inclusion protection.

	* gssapi/gssapi.h: Correct header file inclusion protection.

	* gssapi/gssapi.h: Move the gssapi.h from lib/gssapi/ to
	lib/gssapi/gssapi/ to please automake.

	* spnego/spnego_locl.h: Maybe include <sys/types.h>.

	* mech/mech_locl.h: Include <roken.h>.

	* Makefile.am: split build files into dist_ and noinst_ SOURCES

2006-10-06 Love Hörnquist Åstrand <lha@it.su.se>

	* gss.c: #if 0 out unused code.

	* mech/gss_mech_switch.c: Cast argument to ctype(3) functions
	to (unsigned char).

2006-10-05 Love Hörnquist Åstrand <lha@it.su.se>

	* mech/name.h: remove <sys/queue.h>

	* mech/mech_switch.h: remove <sys/queue.h>

	* mech/cred.h: remove <sys/queue.h>

2006-10-02 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/arcfour.c: Tinker more with header lengths.

	* krb5/arcfour.c: Improve the calculation of header
	lengths. DCE-STYLE data is also padded so remove if (1 || ...)
	code.

	* krb5/wrap.c (_gsskrb5_wrap_size_limit): use
	_gssapi_wrap_size_arcfour for arcfour

	* krb5/arcfour.c: Move _gssapi_wrap_size_arcfour here.

	* Makefile.am: Split all mech to different mechsrc variables.

	* spnego/context_stubs.c: Make internal function static (and
	rename).

2006-10-01 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/inquire_cred.c: Fix "if (x) lock(y)" bug. From Harald
	Barth.

	* spnego/spnego_locl.h: Include <sys/param.h> for MAXHOSTNAMELEN.

2006-09-25 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/arcfour.c: Add wrap support, interop with itself but not
	w2k3s-sp1

	* krb5/gsskrb5_locl.h: move the arcfour specific stuff to the
	arcfour header.

	* krb5/arcfour.c: Support DCE-style unwrap, tested with
	w2k3server-sp1.

	* mech/gss_accept_sec_context.c (gss_accept_sec_context): if the
	token doesn't start with [APPLICATION 0] SEQUENCE, let's assume it's
	a DCE-style kerberos 5 connection. XXX this needs to be made
	better in case we get another GSS-API protocol violating
	protocol. It should be possible to detach the Kerberos DCE-style
	since it starts with an AP-REQ PDU, but that has to wait for now.

2006-09-22 Love Hörnquist Åstrand <lha@it.su.se>

	* gssapi.h: Add GSS_C flags from
	draft-brezak-win2k-krb-rc4-hmac-04.txt.

	* krb5/delete_sec_context.c: Free service_keyblock and fwd_data,
	indent.

	* krb5/accept_sec_context.c: Merge of the acceptor part from the
	samba patch by Stefan Metzmacher and Andrew Bartlett.

	* krb5/init_sec_context.c: Add GSS_C_DCE_STYLE.

	* krb5/{init_sec_context.c,gsskrb5_locl.h}: merge most of the
	initiator part from the samba patch by Stefan Metzmacher and
	Andrew Bartlett (still missing DCE/RPC support)

2006-08-28 Love Hörnquist Åstrand <lha@it.su.se>

	* gss.c (help): use sl_slc_help().

2006-07-22 Love Hörnquist Åstrand <lha@it.su.se>

	* gss-commands.in: rename command to supported-mechanisms

	* Makefile.am: Make gss objects depend on the slc built
	gss-commands.h

2006-07-20 Love Hörnquist Åstrand <lha@it.su.se>

	* gss-commands.in: add slc commands for gss

	* krb5/gsskrb5_locl.h: Remove dup prototype of _gsskrb5_init()

	* Makefile.am: Add test_cfx

	* krb5/external.c: add GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X

	* krb5/set_sec_context_option.c: catch
	GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X

	* krb5/accept_sec_context.c: reimplement
	gsskrb5_register_acceptor_identity

	* mech/gss_krb5.c: implement gsskrb5_register_acceptor_identity

	* mech/gss_inquire_mechs_for_name.c: call _gss_load_mech

	* mech/gss_inquire_cred.c (gss_inquire_cred): call _gss_load_mech

	* mech/gss_mech_switch.c: Make _gss_load_mech() atomic and run
	only once, this has the side effect that _gss_mechs and
	_gss_mech_oids are only initialized once, so if just the users of
	these two global variables call _gss_load_mech() first, it will
	act as a barrier and make sure the variables are never changed and
	we don't need to lock them.

	* mech/utils.h: no need to mark functions extern.

	* mech/name.h: no need to mark _gss_find_mn extern.

2006-07-19 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/cfx.c: Redo the wrap length calculations.

	* krb5/test_cfx.c: test max_wrap_size in cfx.c

	* mech/gss_display_status.c: Handle more error codes.

2006-07-07 Love Hörnquist Åstrand <lha@it.su.se>

	* mech/mech_locl.h: Include <krb5-types.h> and "mechqueue.h"

	* mech/mechqueue.h: Add SLIST macros.

	* krb5/inquire_context.c: Don't free return values on success.

	* krb5/inquire_cred.c (_gsskrb5_inquire_cred): When cred provided
	is the default cred, acquire the acceptor cred and initiator cred
	in two different steps and then query them for the information,
	this way, the code won't fail if there is no keytab, but there is
	a credential cache.

	* mech/gss_inquire_cred.c: move the check if we found any cred
	where it matters for both cases
	(default cred and provided cred)

	* mech/gss_init_sec_context.c: If the desired mechanism can't
	convert the name to a MN, fail with GSS_S_BAD_NAME rather than a
	NULL de-reference.

2006-07-06 Love Hörnquist Åstrand <lha@it.su.se>

	* spnego/external.c: readd gss_spnego_inquire_names_for_mech

	* spnego/spnego_locl.h: reimplement
	gss_spnego_inquire_names_for_mech add support function
	_gss_spnego_supported_mechs

	* spnego/context_stubs.h: reimplement
	gss_spnego_inquire_names_for_mech add support function
	_gss_spnego_supported_mechs

	* spnego/context_stubs.c: drop gss_spnego_indicate_mechs

	* mech/gss_indicate_mechs.c: if the underlying mech doesn't
	support gss_indicate_mechs, use the oid in the mechswitch
	structure

	* spnego/external.c: let the mech glue layer implement
	gss_indicate_mechs

	* spnego/cred_stubs.c (gss_spnego_acquire_cred): don't care about
	desired_mechs, get our own list with indicate_mechs and remove
	ourself.

2006-07-05 Love Hörnquist Åstrand <lha@it.su.se>

	* spnego/external.c: remove gss_spnego_inquire_names_for_mech, let
	the mechglue layer implement it

	* spnego/context_stubs.c: remove gss_spnego_inquire_names_for_mech, let
	the mechglue layer implement it

	* spnego/spnego_locl.c: remove gss_spnego_inquire_names_for_mech, let
	the mechglue layer implement it

2006-07-01 Love Hörnquist Åstrand <lha@it.su.se>

	* mech/gss_set_cred_option.c: fix argument to gss_release_cred

2006-06-30 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/init_sec_context.c: Make work on compilers that are
	somewhat more picky than gcc4 (like gcc2.95)

	* krb5/init_sec_context.c (do_delegation): use KDCOptions2int to
	convert fwd_flags to an integer, since otherwise int2KDCOptions in
	krb5_get_forwarded_creds won't do the right thing.

	* mech/gss_set_cred_option.c (gss_set_cred_option): free memory on
	failure

	* krb5/set_sec_context_option.c (_gsskrb5_set_sec_context_option):
	init global kerberos context

	* krb5/set_cred_option.c (_gsskrb5_set_cred_option): init global
	kerberos context

	* mech/gss_accept_sec_context.c: Insert the delegated sub cred on
	the delegated cred handle, not cred handle

	* mech/gss_accept_sec_context.c (gss_accept_sec_context): handle
	the case where ret_flags == NULL

	* mech/gss_mech_switch.c (add_builtin): set
	_gss_mech_switch->gm_mech_oid

	* mech/gss_set_cred_option.c (gss_set_cred_option): load mechs

	* test_cred.c (gss_print_errors): don't try to print error when
	gss_display_status failed

	* Makefile.am: Add mech/gss_release_oid.c

	* mech/gss_release_oid.c: Add gss_release_oid, reverse of
	gss_duplicate_oid

	* spnego/compat.c: preferred_mech_type was allocated with
	gss_duplicate_oid in one place and assigned static variables at
	the second place. change that static assignment to
	gss_duplicate_oid and bring back gss_release_oid.

	* spnego/compat.c (_gss_spnego_delete_sec_context): don't release
	preferred_mech_type and negotiated_mech_type, they were never
	allocated from the beginning.

2006-06-29 Love Hörnquist Åstrand <lha@it.su.se>

	* mech/gss_import_name.c (gss_import_name): avoid
	type-punned/strict aliasing rules

	* mech/gss_add_cred.c: avoid type-punned/strict aliasing rules

	* gssapi.h: Make gss_name_t an opaque type.

	* krb5: make gss_name_t an opaque type

	* krb5/set_cred_option.c: Add

	* mech/gss_set_cred_option.c (gss_set_cred_option): support the
	case where *cred_handle == NULL

	* mech/gss_krb5.c (gss_krb5_import_cred): make sure cred is
	GSS_C_NO_CREDENTIAL on failure.

	* mech/gss_acquire_cred.c (gss_acquire_cred): if desired_mechs is
	NO_OID_SET, there is a need to load the mechs, so always do that.

2006-06-28 Love Hörnquist Åstrand <lha@it.su.se>

	* krb5/inquire_cred_by_oid.c: Reimplement GSS_KRB5_COPY_CCACHE_X
	to instead pass a fullname to the credential, then resolve and
	copy out the content, and then close the cred.

	* mech/gss_krb5.c: Reimplement GSS_KRB5_COPY_CCACHE_X to instead
	pass a fullname to the credential, then resolve and copy out the
	content, and then close the cred.

	* krb5/inquire_cred_by_oid.c: make "work", GSS_KRB5_COPY_CCACHE_X
	interface needs to be re-done, currently it's utterly broken.

	* mech/gss_set_cred_option.c: Make work.

	* krb5/external.c: Add _gsskrb5_set_{sec_context,cred}_option

	* mech/gss_krb5.c (gss_krb5_import_cred): implement

	* Makefile.am: Add gss_set_{sec_context,cred}_option and sort

	* mech/gss_set_{sec_context,cred}_option.c: add

	* gssapi.h: Add GSS_KRB5_IMPORT_CRED_X

	* test_*.c: make compile again

	* Makefile.am: Add lib dependencies and test programs

	* spnego: remove dependency on libkrb5

	* mech: Bug fixes, cleanup, compiler warnings, restructure code.

	* spnego: Rename gss_context_id_t and gss_cred_id_t to local names

	* krb5: repro copy the krb5 files here

	* mech: import Doug Rabson mechglue from freebsd

	* spnego: Import Luke Howard's SPNEGO from the mechglue branch

2006-06-22 Love Hörnquist Åstrand <lha@it.su.se>

	* gssapi.h: Add oid_to_str.

	* Makefile.am: add oid_to_str and test_oid

	* oid_to_str.c: Add gss_oid_to_str

	* test_oid.c: Add test for gss_oid_to_str()

2006-05-13 Love Hörnquist Åstrand <lha@it.su.se>

	* verify_mic.c: Less pointer signedness warnings.

	* unwrap.c: Less pointer signedness warnings.

	* arcfour.c: Less pointer signedness warnings.

	* gssapi_locl.h: Use const void * instead of unsigned char * to
	avoid pointer signedness warnings.

	* encapsulate.c: Use const void * instead of unsigned char * to
	avoid pointer signedness warnings.

	* decapsulate.c: Use const void * instead of unsigned char * to
	avoid pointer signedness warnings.

	* decapsulate.c: Less pointer signedness warnings.

	* cfx.c: Less pointer signedness warnings.

	* init_sec_context.c: Less pointer signedness warnings (partly by
	using the new asn.1 CHOICE decoder)

	* import_sec_context.c: Less pointer signedness warnings.

2006-05-09 Love Hörnquist Åstrand <lha@it.su.se>

	* accept_sec_context.c (gsskrb5_is_cfx): always set is_cfx. From
	Andrew Bartlett.

2006-05-08 Love Hörnquist Åstrand <lha@it.su.se>

	* get_mic.c (mic_des3): make sure message_buffer doesn't point to
	free()ed memory on failure. Pointed out by IBM checker.

2006-05-05 Love Hörnquist Åstrand <lha@it.su.se>

	* Rename u_intXX_t to uintXX_t

2006-05-04 Love Hörnquist Åstrand <lha@it.su.se>

	* cfx.c: Less pointer signedness warnings.

	* arcfour.c: Avoid pointer signedness warnings.

	* gssapi_locl.h (gssapi_decode_*): make data argument const void *

	* 8003.c (gssapi_decode_*): make data argument const void *

2006-04-12 Love Hörnquist Åstrand <lha@it.su.se>

	* export_sec_context.c: Export sequence order element. From Wynn
	Wilkes <wynn.wilkes@quest.com>.

	* import_sec_context.c: Import sequence order element. From Wynn
	Wilkes <wynn.wilkes@quest.com>.

	* sequence.c (_gssapi_msg_order_import,_gssapi_msg_order_export):
	New functions, used by {import,export}_sec_context. From Wynn
	Wilkes <wynn.wilkes@quest.com>.

	* test_sequence.c: Add test for import/export sequence.

2006-04-09 Love Hörnquist Åstrand <lha@it.su.se>

	* add_cred.c: Check that cred != GSS_C_NO_CREDENTIAL, this is a
	standard conformance failure, but much better than a crash.

2006-04-02 Love Hörnquist Åstrand <lha@it.su.se>

	* get_mic.c (get_mic*)_: make sure message_token is cleaned on
	error, found by IBM checker.

	* wrap.c (wrap*): Reset output_buffer on error, found by IBM
	checker.

2006-02-15 Love Hörnquist Åstrand <lha@it.su.se>

	* import_name.c: Accept both GSS_C_NT_HOSTBASED_SERVICE and
	GSS_C_NT_HOSTBASED_SERVICE_X as nametype for hostbased names.

2006-01-16 Love Hörnquist Åstrand <lha@it.su.se>

	* delete_sec_context.c (gss_delete_sec_context): if the context
	handle is GSS_C_NO_CONTEXT, don't fall over.

2005-12-12 Love Hörnquist Åstrand <lha@it.su.se>

	* gss_acquire_cred.3: Replace gss_krb5_import_ccache with
	gss_krb5_import_cred and add more references

2005-12-05 Love Hörnquist Åstrand <lha@it.su.se>

	* gssapi.h: Change gss_krb5_import_ccache to gss_krb5_import_cred,
	it can handle keytabs too.

	* add_cred.c (gss_add_cred): avoid deadlock

	* context_time.c (gssapi_lifetime_left): define the 0 lifetime as
	GSS_C_INDEFINITE.

2005-12-01 Love Hörnquist Åstrand <lha@it.su.se>

	* acquire_cred.c (acquire_acceptor_cred): only check if principal
	exists if we got called with principal as an argument.

	* acquire_cred.c (acquire_acceptor_cred): check that the acceptor
	exists in the keytab before returning ok.

2005-11-29 Love Hörnquist Åstrand <lha@it.su.se>

	* copy_ccache.c (gss_krb5_import_cred): fix buglet, from Andrew
	Bartlett.

2005-11-25 Love Hörnquist Åstrand <lha@it.su.se>

	* test_kcred.c: Rename gss_krb5_import_ccache to
	gss_krb5_import_cred.

	* copy_ccache.c: Rename gss_krb5_import_ccache to
	gss_krb5_import_cred and let it grow code to handle keytabs too.

2005-11-02 Love Hörnquist Åstrand <lha@it.su.se>

	* init_sec_context.c: Change semantics of ok-as-delegate to match
	windows if
	[gssapi]realm/ok-as-delegate=true is set, otherwise keep old
	semantics.

	* release_cred.c (gss_release_cred): use
	GSS_CF_DESTROY_CRED_ON_RELEASE to decide if the cache should be
	krb5_cc_destroy-ed

	* acquire_cred.c (acquire_initiator_cred):
	GSS_CF_DESTROY_CRED_ON_RELEASE on created credentials.

	* accept_sec_context.c (gsskrb5_accept_delegated_token): rewrite
	to use gss_krb5_import_ccache

2005-11-01 Love Hörnquist Åstrand <lha@it.su.se>

	* arcfour.c: Remove signedness warnings.

2005-10-31 Love Hörnquist Åstrand <lha@it.su.se>

	* gss_acquire_cred.3: Document that gss_krb5_import_ccache is copy
	by reference.

	* copy_ccache.c (gss_krb5_import_ccache): Instead of making a copy
	of the ccache, make a reference by getting the name and resolving
	the name. This way the cache is shared, this flip side is of
	course that if someone calls krb5_cc_destroy the cache is lost for
	everyone.

	* test_kcred.c: Remove memory leaks.

2005-10-26 Love Hörnquist Åstrand <lha@it.su.se>

	* Makefile.am: build test_kcred

	* gss_acquire_cred.3: Document gss_krb5_import_ccache

	* gssapi.3: Sort and add gss_krb5_import_ccache.

	* acquire_cred.c (_gssapi_krb5_ccache_lifetime): break out code
	used to extract lifetime from a credential cache

	* gssapi_locl.h: Add _gssapi_krb5_ccache_lifetime, used to extract
	lifetime from a credential cache.

	* gssapi.h: add gss_krb5_import_ccache, reverse of
	gss_krb5_copy_ccache

	* copy_ccache.c: add gss_krb5_import_ccache, reverse of
	gss_krb5_copy_ccache

	* test_kcred.c: test gss_krb5_import_ccache

2005-10-21 Love Hörnquist Åstrand <lha@it.su.se>

	* acquire_cred.c (acquire_initiator_cred): use krb5_cc_cache_match
	to find a matching credential cache, if that fails, fallback to
	the default cache.

2005-10-12 Love Hörnquist Åstrand <lha@it.su.se>

	* gssapi_locl.h: Add gssapi_krb5_set_status and
	gssapi_krb5_clear_status

	* init_sec_context.c (spnego_reply): Don't pass back raw Kerberos
	errors, use GSS-API errors instead. From Michael B Allen.

	* display_status.c: Add gssapi_krb5_clear_status,
	gssapi_krb5_set_status for handling error messages.

2005-08-23 Love Hörnquist Åstrand <lha@it.su.se>

	* external.c: Use rk_UNCONST to avoid const warning.

	* display_status.c: Constify strings to avoid warnings.

2005-08-11 Love Hörnquist Åstrand <lha@it.su.se>

	* init_sec_context.c: avoid warnings, update (c)

2005-07-13 Love Hörnquist Åstrand <lha@it.su.se>

	* init_sec_context.c (spnego_initial): use NegotiationToken
	encoder now that we have one with the new asn1. compiler.

	* Makefile.am: the new asn.1 compiler includes the modules name in
	the depend file

2005-06-16 Love Hörnquist Åstrand <lha@it.su.se>

	* decapsulate.c: use rk_UNCONST

	* ccache_name.c: rename to avoid shadowing

	* gssapi_locl.h: give kret in GSSAPI_KRB5_INIT a more unique name

	* process_context_token.c: use rk_UNCONST to unconstify

	* test_cred.c: rename optind to optidx

2005-05-30 Love Hörnquist Åstrand <lha@it.su.se>

	* init_sec_context.c (init_auth): honor ok-as-delegate if local
	configuration approves

	* gssapi_locl.h: prototype for _gss_check_compat

	* compat.c: export check_compat as _gss_check_compat

2005-05-29 Love Hörnquist Åstrand <lha@it.su.se>

	* init_sec_context.c: Prefix Der_class with ASN1_C_ to avoid
	problems with system headerfiles that pollute the name space.

	* accept_sec_context.c: Prefix Der_class with ASN1_C_ to avoid
	problems with system headerfiles that pollute the name space.

2005-05-17 Love Hörnquist Åstrand <lha@it.su.se>

	* init_sec_context.c (init_auth): set
	KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED (for java compatibility),
	also while here, use krb5_auth_con_addflags

2005-05-06 Love Hörnquist Åstrand <lha@it.su.se>

	* arcfour.c (_gssapi_wrap_arcfour): fix calculating the encap
	length. From: Tom Maher <tmaher@eecs.berkeley.edu>

2005-05-02 Dave Love <fx@gnu.org>

	* test_cred.c (main): Call setprogname.

2005-04-27 Love Hörnquist Åstrand <lha@it.su.se>

	* prefix all sequence symbols with _, they are not part of the
	GSS-API api. By comment from Wynn Wilkes <wynnw@vintela.com>

2005-04-10 Love Hörnquist Åstrand <lha@it.su.se>

	* accept_sec_context.c: break out the processing of the delegated
	credential to a separate function to make error handling easier,
	move the credential handling to after other setup is done

	* test_sequence.c: make less verbose in case of success

	* Makefile.am: add test_sequence to TESTS

2005-04-01 Love Hörnquist Åstrand <lha@it.su.se>

	* 8003.c (gssapi_krb5_verify_8003_checksum): check that cksum
	isn't NULL From: Nicolas Pouvesle <npouvesle@tenablesecurity.com>

2005-03-21 Love Hörnquist Åstrand <lha@it.su.se>

	* Makefile.am: use $(LIB_roken)

2005-03-16 Love Hörnquist Åstrand <lha@it.su.se>

	* display_status.c (gssapi_krb5_set_error_string): pass in the
	krb5_context to krb5_free_error_string

2005-03-15 Love Hörnquist Åstrand <lha@it.su.se>

	* display_status.c (gssapi_krb5_set_error_string): don't misuse
	the krb5_get_error_string api

2005-03-01 Love Hörnquist Åstrand <lha@it.su.se>

	* compat.c (_gss_DES3_get_mic_compat): don't unlock mutex
	here. Bug reported by Stefan Metzmacher <metze@samba.org>

2005-02-21 Luke Howard <lukeh@padl.com>

	* init_sec_context.c: don't call krb5_get_credentials() with
	KRB5_TC_MATCH_KEYTYPE, it can lead to the credentials cache
	growing indefinitely as no key is found with KEYTYPE_NULL

	* compat.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, it is
	no longer used (however the mechListMIC behaviour is broken,
	rfc2478bis support requires the code in the mechglue branch)

	* init_sec_context.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG

	* gssapi.h: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG

2005-01-05 Luke Howard <lukeh@padl.com>

	* 8003.c: use symbolic name for checksum type

	* accept_sec_context.c: allow client to indicate
	that subkey should be used

	* acquire_cred.c: plug leak

	* get_mic.c: use gss_krb5_get_subkey() instead
	of gss_krb5_get_{local,remote}key(), support
	KEYTYPE_ARCFOUR_56

	* gssapi_local.c: use gss_krb5_get_subkey(),
	support KEYTYPE_ARCFOUR_56

	* import_sec_context.c: plug leak

	* unwrap.c: use gss_krb5_get_subkey(),
	support KEYTYPE_ARCFOUR_56

	* verify_mic.c: use gss_krb5_get_subkey(),
	support KEYTYPE_ARCFOUR_56

	* wrap.c: use gss_krb5_get_subkey(),
	support KEYTYPE_ARCFOUR_56

2004-11-30 Love Hörnquist Åstrand <lha@it.su.se>

	* inquire_cred.c: Reverse order of HEIMDAL_MUTEX_unlock and
	gss_release_cred to avoid deadlock, from Luke Howard
	<lukeh@padl.com>.

2004-09-06 Love Hörnquist Åstrand <lha@it.su.se>

	* gss_acquire_cred.3: gss_krb5_extract_authz_data_from_sec_context
	was renamed to gsskrb5_extract_authz_data_from_sec_context

2004-08-07 Love Hörnquist Åstrand <lha@it.su.se>

	* unwrap.c: mutex buglet, From: Luke Howard <lukeh@PADL.COM>

	* arcfour.c: mutex buglet, From: Luke Howard <lukeh@PADL.COM>

2004-05-06 Love Hörnquist Åstrand <lha@it.su.se>

	* gssapi.3: spelling from Josef El-Rayes <josef@FreeBSD.org> while
	here, write some text about the SPNEGO situation

2004-04-08 Love Hörnquist Åstrand <lha@it.su.se>

	* cfx.c: s/CTXAcceptorSubkey/CFXAcceptorSubkey/

2004-04-07 Love Hörnquist Åstrand <lha@it.su.se>

	* gssapi.h: add GSS_C_EXPECTING_MECH_LIST_MIC_FLAG From: Luke
	Howard <lukeh@padl.com>

	* init_sec_context.c (spnego_reply): use
	_gss_spnego_require_mechlist_mic to figure out if we need to check
	MechListMIC; From: Luke Howard <lukeh@padl.com>

	* accept_sec_context.c (send_accept): use
	_gss_spnego_require_mechlist_mic to figure out if we need to send
	MechListMIC; From: Luke Howard <lukeh@padl.com>

	* gssapi_locl.h: add _gss_spnego_require_mechlist_mic
	From: Luke Howard <lukeh@padl.com>

	* compat.c: add _gss_spnego_require_mechlist_mic for compatibility
	with MS SPNEGO, From: Luke Howard <lukeh@padl.com>

2004-04-05 Love Hörnquist Åstrand <lha@it.su.se>

	* accept_sec_context.c (gsskrb5_is_cfx): krb5_keyblock->keytype is
	an enctype, not keytype

	* accept_sec_context.c: use ASN1_MALLOC_ENCODE

	* init_sec_context.c: avoid the malloc loop and just allocate the
	proper amount of data

	* init_sec_context.c (spnego_initial): handle mech_token better

2004-03-19 Love Hörnquist Åstrand <lha@it.su.se>

	* gssapi.h: add gss_krb5_get_tkt_flags

	* Makefile.am: add ticket_flags.c

	* ticket_flags.c: Get ticket-flags from acceptor ticket From: Luke
	Howard <lukeh@PADL.COM>

	* gss_acquire_cred.3: document gss_krb5_get_tkt_flags

2004-03-14 Love Hörnquist Åstrand <lha@it.su.se>

	* acquire_cred.c (gss_acquire_cred): check usage before even
	bothering to process it, add both keytab and initial tgt if
	requested

	* wrap.c: support cfx, try to handle acceptor asserted subkey

	* unwrap.c: support cfx, try to handle acceptor asserted subkey

	* verify_mic.c: support cfx

	* get_mic.c: support cfx

	* test_sequence.c: handle changed signature of
	gssapi_msg_order_create

	* import_sec_context.c: handle acceptor asserted subkey

	* init_sec_context.c: handle acceptor asserted subkey

	* accept_sec_context.c: handle acceptor asserted subkey

	* sequence.c: add dummy use_64 argument to gssapi_msg_order_create

	* gssapi_locl.h: add partial support for CFX

	* Makefile.am (noinst_PROGRAMS) += test_cred

	* test_cred.c: gssapi credential testing

	* test_acquire_cred.c: fix comment

2004-03-07 Love Hörnquist Åstrand <lha@it.su.se>

	* arcfour.h: drop structures for message formats, no longer used

	* arcfour.c: comment describing message formats

	* accept_sec_context.c (spnego_accept_sec_context): make sure the
	length of the choice element doesn't overrun us

	* init_sec_context.c (spnego_reply): make sure the length of the
	choice element doesn't overrun us

	* spnego.asn1: move NegotiationToken to avoid warning

	* spnego.asn1: uncomment NegotiationToken

	* Makefile.am: spnego_files += asn1_NegotiationToken.x

2004-01-25 Love Hörnquist Åstrand <lha@it.su.se>

	* gssapi.h: add gss_krb5_ccache_name

	* Makefile.am (libgssapi_la_SOURCES): += ccache_name.c

	* ccache_name.c (gss_krb5_ccache_name): help function enable to
	set krb5 name, using out_name argument makes function no longer
	thread-safe

	* gssapi.3: add missing gss_krb5_ references

	* gss_acquire_cred.3: document gss_krb5_ccache_name

2003-12-12 Love Hörnquist Åstrand <lha@it.su.se>

	* cfx.c: make rrc a modulus operation if it's longer than the
	length of the message, noticed by Sam Hartman

2003-12-07 Love Hörnquist Åstrand <lha@it.su.se>

	* accept_sec_context.c: use krb5_auth_con_addflags

2003-12-05 Love Hörnquist Åstrand <lha@it.su.se>

	* cfx.c: Wrap token id was in wrong order, found by Sam Hartman

2003-12-04 Love Hörnquist Åstrand <lha@it.su.se>

	* cfx.c: add AcceptorSubkey (but no code understands it yet) ignore
	unknown token flags

2003-11-22 Love Hörnquist Åstrand <lha@it.su.se>

	* accept_sec_context.c: Don't require timestamp to be set on
	delegated token, it's already protected by the outer token (and
	windows doesn't always send it) Pointed out by Zi-Bin Yang
	<zbyang@decru.com> on heimdal-discuss

2003-11-14 Love Hörnquist Åstrand <lha@it.su.se>

	* cfx.c: fix {} error, pointed out by Liqiang Zhu

2003-11-10 Love Hörnquist Åstrand <lha@it.su.se>

	* cfx.c: Sequence number should be stored in bigendian order From:
	Luke Howard <lukeh@padl.com>

2003-11-09 Love Hörnquist Åstrand <lha@it.su.se>

	* delete_sec_context.c (gss_delete_sec_context): don't free
	ticket, krb5_free_ticket does that now

2003-11-06 Love Hörnquist Åstrand <lha@it.su.se>

	* cfx.c: checksum the header last in MIC token, update to -03
	From: Luke Howard <lukeh@padl.com>

2003-10-07 Love Hörnquist Åstrand <lha@it.su.se>

	* add_cred.c: If it's a MEMORY cc, make a copy. We need to do this
	since now gss_release_cred will destroy the cred. This should
	really be solved a better way.

	* acquire_cred.c (gss_release_cred): if it's a mcc, destroy it
	rather than just release it Found by: "Zi-Bin Yang"
	<zbyang@decru.com>

	* acquire_cred.c (acquire_initiator_cred): use kret instead of ret
	where appropriate

2003-09-30 Love Hörnquist Åstrand <lha@it.su.se>

	* gss_acquire_cred.3: spelling
	From: jmc <jmc@prioris.mini.pw.edu.pl>

2003-09-23 Love Hörnquist Åstrand <lha@it.su.se>

	* cfx.c: - EC and RRC are big-endian, not little-endian - The
	default is now to rotate regardless of GSS_C_DCE_STYLE. There are
	no longer any references to GSS_C_DCE_STYLE. - rrc_rotate()
	avoids allocating memory on the heap if rrc <= 256
	From: Luke Howard <lukeh@padl.com>

2003-09-22 Love Hörnquist Åstrand <lha@it.su.se>

	* cfx.[ch]: rrc_rotate() was untested and broken, fix it.
	Set and verify wrap Token->Filler.
	Correct token ID for wrap tokens,
	were accidentally swapped with delete tokens.
	From: Luke Howard <lukeh@PADL.COM>

2003-09-21 Love Hörnquist Åstrand <lha@it.su.se>

	* cfx.[ch]: no ASN.1-ish header on per-message tokens
	From: Luke Howard <lukeh@PADL.COM>

2003-09-19 Love Hörnquist Åstrand <lha@it.su.se>

	* arcfour.h: remove dependency on gss_arcfour_mic_token and
	gss_arcfour_warp_token

	* arcfour.c: remove dependency on gss_arcfour_mic_token and
	gss_arcfour_warp_token

2003-09-18 Love Hörnquist Åstrand <lha@it.su.se>

	* 8003.c: remove #if 0'ed code

2003-09-17 Love Hörnquist Åstrand <lha@it.su.se>

	* accept_sec_context.c (gsskrb5_accept_sec_context): set sequence
	number when not requesting mutual auth From: Luke Howard
	<lukeh@PADL.COM>

	* init_sec_context.c (init_auth): set sequence number when not
	requesting mutual auth From: Luke Howard <lukeh@PADL.COM>

2003-09-16 Love Hörnquist Åstrand <lha@it.su.se>

	* arcfour.c (*): set minor_status
	(gss_wrap): set conf_state to conf_req_flags on success
	From: Luke Howard <lukeh@PADL.COM>

	* wrap.c (gss_wrap_size_limit): use existing function From: Luke
	Howard <lukeh@PADL.COM>

2003-09-12 Love Hörnquist Åstrand <lha@it.su.se>

	* indicate_mechs.c (gss_indicate_mechs): in case of error, free
	mech_set

	* indicate_mechs.c (gss_indicate_mechs): add SPNEGO

2003-09-10 Love Hörnquist Åstrand <lha@it.su.se>

	* init_sec_context.c (spnego_initial): catch errors and return
	them

	* init_sec_context.c (spnego_initial): add #if 0 out version of
	the CHOICE branch encoding, also while here, free no longer used
	memory

2003-09-09 Love Hörnquist Åstrand <lha@it.su.se>

	* gss_acquire_cred.3: support GSS_SPNEGO_MECHANISM

	* accept_sec_context.c: SPNEGO doesn't include gss wrapping on
	SubsequentContextToken like the Kerberos 5 mech does.

	* init_sec_context.c (spnego_reply): SPNEGO doesn't include gss
	wrapping on SubsequentContextToken like the Kerberos 5 mech
	does. Let's check for it anyway.

	* accept_sec_context.c: Add support for SPNEGO on the initiator
	side. Implementation initially from Assar Westerlund, passes
	through quite a lot of hands before I committed it.

	* init_sec_context.c: Add support for SPNEGO on the initiator side.
	Tested with ldap server on a Windows 2000 DC. Implementation
	initially from Assar Westerlund, passes through quite a lot of
	hands before I committed it.

	* gssapi.h: export GSS_SPNEGO_MECHANISM

	* gssapi_locl.h: include spnego_as.h add prototype for
	gssapi_krb5_get_mech

	* decapsulate.c (gssapi_krb5_get_mech): make non static

	* Makefile.am: build SPNEGO file

2003-09-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* external.c: SPNEGO and IAKERB oids

	* spnego.asn1: SPNEGO ASN1

2003-09-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: RRC also need to be zero before wrapping them
	From: Luke Howard <lukeh@PADL.COM>

2003-09-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* encapsulate.c (gssapi_krb5_encap_length): don't return void

2003-09-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* verify_mic.c: switch from the des_ to the DES_ api

	* get_mic.c: switch from the des_ to the DES_ api

	* unwrap.c: switch from the des_ to the DES_ api

	* wrap.c: switch from the des_ to the DES_ api

	* cfx.c: EC is not included in the checksum since the length might
	change depending on the data. From: Luke Howard <lukeh@PADL.COM>

	* acquire_cred.c: use
	krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free

2003-09-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* copy_ccache.c: rename
	gss_krb5_extract_authz_data_from_sec_context to
	gsskrb5_extract_authz_data_from_sec_context

	* gssapi.h: rename gss_krb5_extract_authz_data_from_sec_context to
	gsskrb5_extract_authz_data_from_sec_context

2003-08-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context):
	check that we have a ticket before we start to use it

	* gss_acquire_cred.3: document
	gss_krb5_extract_authz_data_from_sec_context

	* gssapi.h (gss_krb5_extract_authz_data_from_sec_context):
	return the kerberos authorizationdata, from idea of Luke Howard

	* copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context):
	return the kerberos authorizationdata, from idea of Luke Howard

	* verify_mic.c (gss_verify_mic_internal): switch type and key
	argument

2003-08-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.[ch]: draft-ietf-krb-wg-gssapi-cfx-01.txt implementation
	From: Luke Howard <lukeh@PADL.COM>

2003-08-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* arcfour.c (arcfour_mic_cksum): use free_Checksum to free the
	checksum

	* arcfour.h: swap two last arguments to verify_mic for consistency
	with des3

	* wrap.c,unwrap.c,get_mic.c,verify_mic.c,cfx.c,cfx.h:
	prefix cfx symbols with _gssapi_

	* arcfour.c: release the right buffer

	* arcfour.c: rename token structure in consistency with rest of
	GSS-API From: Luke Howard <lukeh@PADL.COM>

	* unwrap.c (unwrap_des3): use _gssapi_verify_pad
	(unwrap_des): use _gssapi_verify_pad

	* arcfour.c (_gssapi_wrap_arcfour): set the correct padding
	(_gssapi_unwrap_arcfour): verify and strip padding

	* gssapi_locl.h: added _gssapi_verify_pad

	* decapsulate.c (_gssapi_verify_pad): verify padding of a gss
	wrapped message and return its length

	* arcfour.c: support KEYTYPE_ARCFOUR_56 keys, from Luke Howard
	<lukeh@PADL.COM>

	* arcfour.c: use right seal alg, inherit keytype from parent key

	* arcfour.c: include the confounder in the checksum use the right
	key usage number for wrapped/unwrapped tokens

	* gssapi.h: add gss_krb5_nt_general_name as an mit compat glue
	(same as GSS_KRB5_NT_PRINCIPAL_NAME)

	* unwrap.c: hook in arcfour unwrap

	* wrap.c: hook in arcfour wrap

	* verify_mic.c: hook in arcfour verify_mic

	* get_mic.c: hook in arcfour get_mic

	* arcfour.c: implement wrap/unwrap

	* gssapi_locl.h: add gssapi_{en,de}code_be_om_uint32

	* 8003.c: add gssapi_{en,de}code_be_om_uint32

2003-08-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* arcfour.c (_gssapi_verify_mic_arcfour): Do the checksum on right
	area. Swap filler check, it was reversed.

	* Makefile.am (libgssapi_la_SOURCES): += arcfour.c

	* gssapi_locl.h: include "arcfour.h"

	* arcfour.c: arcfour gss-api mech, get_mic/verify_mic working

	* arcfour.h: arcfour gss-api mech, get_mic/verify_mic working

2003-08-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi_locl.h: always include cfx.h add prototype for
	_gssapi_decapsulate

	* cfx.[ch]: Implementation of draft-ietf-krb-wg-gssapi-cfx-00.txt
	from Luke Howard <lukeh@PADL.COM>

	* decapsulate.c: add _gssapi_decapsulate, from Luke Howard
	<lukeh@PADL.COM>

2003-08-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* unwrap.c: encap/decap now takes a oid if the enctype/keytype is
	arcfour, return error add hook for cfx

	* verify_mic.c: encap/decap now takes a oid if the enctype/keytype
	is arcfour, return error add hook for cfx

	* get_mic.c: encap/decap now takes a oid if the enctype/keytype is
	arcfour, return error add hook for cfx

	* accept_sec_context.c: encap/decap now takes a oid

	* init_sec_context.c: encap/decap now takes a oid

	* gssapi_locl.h: include cfx.h if we need it lifetime is a
	OM_uint32, depend on gssapi interface add all new encap/decap
	functions

	* decapsulate.c: add decap functions that doesn't take the token
	type also make all decap function take the oid mech that they
	should use

	* encapsulate.c: add encap functions that doesn't take the token
	type also make all encap function take the oid mech that they
	should use

	* sequence.c (elem_insert): fix a off by one index counter

	* inquire_cred.c (gss_inquire_cred): handle cred_handle being
	GSS_C_NO_CREDENTIAL and use the default cred then.

2003-08-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: break out extensions and document
	gsskrb5_register_acceptor_identity

2003-08-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_acquire_cred.c (print_time): time is returned in seconds
	from now, not unix time

2003-08-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* compat.c (check_compat): avoid leaking principal when finding a
	match

	* address_to_krb5addr.c: sa_size argument to krb5_addr2sockaddr is
	a krb5_socklen_t

	* acquire_cred.c (gss_acquire_cred): 4th argument to
	gss_test_oid_set_member is a int

2003-07-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* init_sec_context.c (repl_mutual): don't set kerberos error where
	there was no kerberos error

	* gssapi_locl.h: Add destruction/creation prototypes and structure
	for the thread specific storage.

	* display_status.c: use thread specific storage to set/get the
	kerberos error message

	* init.c: Provide locking around the creation of the global
	krb5_context. Add destruction/creation functions for the thread
	specific storage that the error string handling is using.

2003-07-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: add missing prototype and missing .Ft
	arguments

2003-06-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* verify_mic.c: reorder code so sequence numbers can be used

	* unwrap.c: reorder code so sequence numbers can be used

	* sequence.c: remove unused function, indent, add
	gssapi_msg_order_f that filter gss flags to gss_msg_order flags

	* gssapi_locl.h: prototypes for
	gssapi_{encode_om_uint32,decode_om_uint32} add sequence number
	verifier prototypes

	* delete_sec_context.c: destroy sequence number verifier

	* init_sec_context.c: remember to free data use sequence number
	verifier

	* accept_sec_context.c: don't clear output_token twice remember to
	free data use sequence number verifier

	* 8003.c: export and rename encode_om_uint32/decode_om_uint32 and
	start to use them

2003-06-09  Johan Danielsson  <joda@pdc.kth.se>

	* Makefile.am: can't have sequence.c in two different places

2003-06-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_sequence.c: check rollover, print summary

	* wrap.c (sub_wrap_size): gss_wrap_size_limit() has
	req_output_size and max_input_size around the wrong way -- it
	returns the output token size for a given input size, rather than
	the maximum input size for a given output token size.

	From: Luke Howard <lukeh@PADL.COM>

2003-06-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi_locl.h: add prototypes for sequence.c

	* Makefile.am (libgssapi_la_SOURCES): add sequence.c
	(test_sequence): build

	* sequence.c: sequence number checks, order and replay
	* test_sequence.c: sequence number checks, order and replay

2003-06-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* accept_sec_context.c (gss_accept_sec_context): make sure time is
	returned in seconds from now, not in kerberos time

	* acquire_cred.c (gss_aquire_cred): make sure time is returned in
	seconds from now, not in kerberos time

	* init_sec_context.c (init_auth): if the cred is expired before we
	tries to create a token, fail so the peer doesn't need reject us
	(*): make sure time is returned in seconds from now,
	not in kerberos time
	(repl_mutual): remember to unlock the context mutex

	* context_time.c (gss_context_time): remove unused variable

	* verify_mic.c: make sure minor_status is always set, pointed out
	by Luke Howard <lukeh@PADL.COM>

2003-05-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* *.[ch]: do some basic locking (no reference counting so contexts
	can be removed while still used)
	- don't export gss_ctx_id_t_desc_struct and gss_cred_id_t_desc_struct
	- make sure all lifetime are returned in seconds left until expired,
	not in unix epoch

	* gss_acquire_cred.3: document argument lifetime_rec to function
	gss_inquire_context

2003-05-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_acquire_cred.c: test gss_add_cred more than once

2003-05-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.h: if __cplusplus, wrap the extern variable (just to be
	safe) and functions in extern "C" { }

2003-04-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.3: more about the des3 mic mess

	* verify_mic.c (verify_mic_des3): always check if the mic is the
	correct mic or the mic that old heimdal would have generated

2003-04-28  Jacques Vidrine  <nectar@kth.se>

	* verify_mic.c (verify_mic_des3): If MIC verification fails,
	retry using the `old' MIC computation (with zero IV).

2003-04-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: more about difference between comparing IN
	and MN

	* gss_acquire_cred.3: more about name type and access control

2003-04-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: document gss_context_time

	* context_time.c: if lifetime of context have expired, set
	time_rec to 0 and return GSS_S_CONTEXT_EXPIRED

	* gssapi.3: document [gssapi]correct_des3_mic
	[gssapi]broken_des3_mic

	* gss_acquire_cred.3: document gss_krb5_compat_des3_mic

	* compat.c (gss_krb5_compat_des3_mic): enable turning on/off des3
	mic compat
	(_gss_DES3_get_mic_compat): handle [gssapi]correct_des3_mic too

	* gssapi.h (gss_krb5_compat_des3_mic): new function, turn on/off
	des3 mic compat
	(GSS_C_KRB5_COMPAT_DES3_MIC): cpp symbol that exists if
	gss_krb5_compat_des3_mic exists

2003-04-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: (libgssapi_la_LDFLAGS): update major
	version of gssapi for incompatibility in 3des getmic support

2003-04-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: test_acquire_cred_LDADD: use libgssapi.la not
	./libgssapi.la (make make -jN work)

2003-04-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.3: spelling

	* gss_acquire_cred.3: Change .Fd #include <header.h> to .In
	header.h, from Thomas Klausner <wiz@netbsd.org>

2003-04-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: spelling

	* Makefile.am: remove stuff that sneaked in with last commit

	* acquire_cred.c (acquire_initiator_cred): if the requested name
	isn't in the ccache, also check keytab. Extract the krbtgt for the
	default realm to check how long the credentials will last.

	* add_cred.c (gss_add_cred): don't create a new ccache, just open
	the old one; better check if output handle is compatible with new
	(copied) handle

	* test_acquire_cred.c: test gss_add_cred too

2003-04-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: build test_acquire_cred

	* test_acquire_cred.c: simple gss_acquire_cred test

2003-04-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: s/gssapi/GSS-API/

2003-03-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: document v1 interface (and that they are
	obsolete)

2003-03-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: list supported mechanism and nametypes

2003-03-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: text about gss_display_name

	* Makefile.am (libgssapi_la_LDFLAGS): bump to 3:6:2
	(libgssapi_la_SOURCES): add all new functions

	* gssapi.3: now that we have a functions, uncomment the missing
	ones

	* gss_acquire_cred.3: now that we have a functions, uncomment the
	missing ones

	* process_context_token.c: implement gss_process_context_token

	* inquire_names_for_mech.c: implement gss_inquire_names_for_mech

	* inquire_mechs_for_name.c: implement gss_inquire_mechs_for_name

	* inquire_cred_by_mech.c: implement gss_inquire_cred_by_mech

	* add_cred.c: implement gss_add_cred

	* acquire_cred.c (gss_acquire_cred): more testing of input
	argument, make sure output arguments are ok, since we don't know
	the time_rec (for now), set it to time_req

	* export_sec_context.c: send lifetime, also set minor_status

	* get_mic.c: set minor_status

	* import_sec_context.c (gss_import_sec_context): add error
	checking, pick up lifetime (if there is no lifetime, use
	GSS_C_INDEFINITE)

	* init_sec_context.c: take care to set export value to something
	sane before we start so caller will have harmless values in them
	if then function fails

	* release_buffer.c (gss_release_buffer): set minor_status

	* wrap.c: make sure minor_status get set

	* verify_mic.c (gss_verify_mic_internal): rename verify_mic to
	gss_verify_mic_internal and let it take the type as an argument,
	(gss_verify_mic): call gss_verify_mic_internal
	set minor_status

	* unwrap.c: set minor_status

	* test_oid_set_member.c (gss_test_oid_set_member): use
	gss_oid_equal

	* release_oid_set.c (gss_release_oid_set): set minor_status

	* release_name.c (gss_release_name): set minor_status

	* release_cred.c (gss_release_cred): set minor_status

	* add_oid_set_member.c (gss_add_oid_set_member): set minor_status

	* compare_name.c (gss_compare_name): set minor_status

	* compat.c (check_compat): make sure ret have a defined value

	* context_time.c (gss_context_time): set minor_status

	* copy_ccache.c (gss_krb5_copy_ccache): set minor_status

	* create_emtpy_oid_set.c (gss_create_empty_oid_set): set
	minor_status

	* delete_sec_context.c (gss_delete_sec_context): set minor_status

	* display_name.c (gss_display_name): set minor_status

	* display_status.c (gss_display_status): use gss_oid_equal, handle
	supplementary errors

	* duplicate_name.c (gss_duplicate_name): set minor_status

	* inquire_context.c (gss_inquire_context): set lifetime_rec now
	when we know it, set minor_status

	* inquire_cred.c (gss_inquire_cred): take care to set export value
	to something sane before we start so caller will have harmless
	values in them if the function fails

	* accept_sec_context.c (gss_accept_sec_context): take care to set
	export value to something sane before we start so caller will have
	harmless values in them if then function fails, set lifetime from
	ticket expiration date

	* indicate_mechs.c (gss_indicate_mechs): use
	gss_create_empty_oid_set and gss_add_oid_set_member

	* gssapi.h (gss_ctx_id_t_desc): store the lifetime in the cred,
	since there is no ticket transferred in the exported context

	* export_name.c (gss_export_name): export name with
	GSS_C_NT_EXPORT_NAME wrapping, not just the principal

	* import_name.c (import_export_name): new function, parses a
	GSS_C_NT_EXPORT_NAME
	(import_krb5_name): factor out common code of parsing krb5 name
	(gss_oid_equal): rename from oid_equal

	* gssapi_locl.h: add prototypes for gss_oid_equal and
	gss_verify_mic_internal

	* gssapi.h: comment out the argument names

2003-03-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.3: add LIST OF FUNCTIONS and copyright/license

	* Makefile.am: s/gss_aquire_cred.3/gss_acquire_cred.3/

	* Makefile.am: man_MANS += gss_aquire_cred.3

2003-03-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_aquire_cred.3: the gssapi api manpage

2003-03-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* inquire_context.c: (gss_inquire_context): rename argument open
	to open_context

	* gssapi.h (gss_inquire_context): rename argument open to open_context

2003-02-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* init_sec_context.c (do_delegation): remove unused variable
	subkey

	* gssapi.3: all 0.5.x version had broken token delegation

2003-02-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* (init_auth): only generate one subkey

2003-01-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* verify_mic.c (verify_mic_des3): fix 3des verify_mic to conform
	to rfc (and mit kerberos), provide backward compat hook

	* get_mic.c (mic_des3): fix 3des get_mic to conform to rfc (and
	mit kerberos), provide backward compat hook

	* init_sec_context.c (init_auth): check if we need compat for
	older get_mic/verify_mic

	* gssapi_locl.h: add prototype for _gss_DES3_get_mic_compat

	* gssapi.h (more_flags): add COMPAT_OLD_DES3

	* Makefile.am: add gssapi.3 and compat.c

	* gssapi.3: add gssapi COMPATIBILITY documentation

	* accept_sec_context.c (gss_accept_sec_context): check if we need
	compat for older get_mic/verify_mic

	* compat.c: check for compatibility with other heimdal's 3des
	get_mic/verify_mic

2002-10-31  Johan Danielsson  <joda@pdc.kth.se>

	* check return value from gssapi_krb5_init

	* 8003.c (gssapi_krb5_verify_8003_checksum): check size of input

2002-09-03  Johan Danielsson  <joda@pdc.kth.se>

	* wrap.c (wrap_des3): use ETYPE_DES3_CBC_NONE

	* unwrap.c (unwrap_des3): use ETYPE_DES3_CBC_NONE

2002-09-02  Johan Danielsson  <joda@pdc.kth.se>

	* init_sec_context.c: we need to generate a local subkey here

2002-08-20  Jacques Vidrine  <n@nectar.com>

	* acquire_cred.c, inquire_cred.c, release_cred.c: Use default
	credential resolution if gss_acquire_cred is called with
	GSS_C_NO_NAME.

2002-06-20  Jacques Vidrine  <n@nectar.com>

	* import_name.c: Compare name types by value if pointers do
	not match. Reported by: "Douglas E. Engert" <deengert@anl.gov>

2002-05-20  Jacques Vidrine  <n@nectar.com>

	* verify_mic.c (gss_verify_mic), unwrap.c (gss_unwrap): initialize
	the qop_state parameter. from Doug Rabson <dfr@nlsystems.com>

2002-05-09  Jacques Vidrine  <n@nectar.com>

	* acquire_cred.c: handle GSS_C_INITIATE/GSS_C_ACCEPT/GSS_C_BOTH

2002-05-08  Jacques Vidrine  <n@nectar.com>

	* acquire_cred.c: initialize gssapi; handle null desired_name

2002-03-22  Johan Danielsson  <joda@pdc.kth.se>

	* Makefile.am: remove non-functional stuff accidentally committed

2002-03-11  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:5:2
	* 8003.c (gssapi_krb5_verify_8003_checksum): handle zero channel
	bindings

2001-10-31  Jacques Vidrine  <n@nectar.com>

	* get_mic.c (mic_des3): MIC computation using DES3/SHA1
	was bogusly appending the message buffer to the result,
	overwriting a heap buffer in the process.

2001-08-29  Assar Westerlund  <assar@sics.se>

	* 8003.c (gssapi_krb5_verify_8003_checksum,
	gssapi_krb5_create_8003_checksum): make more consistent by always
	returning an gssapi error and setting minor status. update
	callers

2001-08-28  Jacques Vidrine  <n@nectar.com>

	* accept_sec_context.c: Create a cache for delegated credentials
	when needed.

2001-08-28  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): set version to 3:4:2

2001-08-23  Assar Westerlund  <assar@sics.se>

	* *.c: handle minor_status more consistently

	* display_status.c (gss_display_status): handle krb5_get_err_text
	failing

2001-08-15  Johan Danielsson  <joda@pdc.kth.se>

	* gssapi_locl.h: fix prototype for gssapi_krb5_init

2001-08-13  Johan Danielsson  <joda@pdc.kth.se>

	* accept_sec_context.c (gsskrb5_register_acceptor_identity): init
	context and check return value from kt_resolve

	* init.c: return error code

2001-07-19  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): update to 3:3:2

2001-07-12  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LIBADD): add required library
	dependencies

2001-07-06  Assar Westerlund  <assar@sics.se>

	* accept_sec_context.c (gsskrb5_register_acceptor_identity): set
	the keytab to be used for gss_acquire_cred too

2001-07-03  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): set version to 3:2:2

2001-06-18  Assar Westerlund  <assar@sics.se>

	* wrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey
	and gss_krb5_get_remotekey
	* verify_mic.c: update krb5_auth_con function names use
	gss_krb5_get_remotekey
	* unwrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey
	and gss_krb5_get_remotekey
	* gssapi_locl.h (gss_krb5_get_remotekey, gss_krb5_get_localkey):
	add prototypes
	* get_mic.c: update krb5_auth_con function names. use
	gss_krb5_get_localkey
	* accept_sec_context.c: update krb5_auth_con function names

2001-05-17  Assar Westerlund  <assar@sics.se>

	* Makefile.am: bump version to 3:1:2

2001-05-14  Assar Westerlund  <assar@sics.se>

	* address_to_krb5addr.c: adapt to new address functions

2001-05-11  Assar Westerlund  <assar@sics.se>

	* try to return the error string from libkrb5 where applicable

2001-05-08  Assar Westerlund  <assar@sics.se>

	* delete_sec_context.c (gss_delete_sec_context): remember to free
	the memory used by the ticket itself. from <tmartin@mirapoint.com>

2001-05-04  Assar Westerlund  <assar@sics.se>

	* gssapi_locl.h: add config.h for completeness
	* gssapi.h: remove config.h, this is an installed header file
	sys/types.h is not needed either

2001-03-12  Assar Westerlund  <assar@sics.se>

	* acquire_cred.c (gss_acquire_cred): remove memory leaks. from
	Jason R Thorpe <thorpej@zembu.com>

2001-02-18  Assar Westerlund  <assar@sics.se>

	* accept_sec_context.c (gss_accept_sec_context): either return
	gss_name NULL-ed or set

	* import_name.c: set minor_status in some cases where it was not
	done

2001-02-15  Assar Westerlund  <assar@sics.se>

	* wrap.c: use krb5_generate_random_block for the confounders

2001-01-30  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:0:2
	* acquire_cred.c, init_sec_context.c, release_cred.c: add support
	for getting creds from a keytab, from fvdl@netbsd.org

	* copy_ccache.c: add gss_krb5_copy_ccache

2001-01-27  Assar Westerlund  <assar@sics.se>

	* get_mic.c: cast parameters to des function to non-const pointers
	to handle the case where these functions actually take non-const
	des_cblock *

2001-01-09  Assar Westerlund  <assar@sics.se>

	* accept_sec_context.c (gss_accept_sec_context): use krb5_rd_cred2
	instead of krb5_rd_cred

2000-12-11  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): bump to 2:3:1

2000-12-08  Assar Westerlund  <assar@sics.se>

	* wrap.c (wrap_des3): use the checksum as ivec when encrypting the
	sequence number
	* unwrap.c (unwrap_des3): use the checksum as ivec when encrypting
	the sequence number
	* init_sec_context.c (init_auth): always zero fwd_data

2000-12-06  Johan Danielsson  <joda@pdc.kth.se>

	* accept_sec_context.c: de-pointerise auth_context parameter to
	krb5_mk_rep

2000-11-15  Assar Westerlund  <assar@sics.se>

	* init_sec_context.c (init_auth): update to new
	krb5_build_authenticator

2000-09-19  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): bump to 2:2:1

2000-08-27  Assar Westerlund  <assar@sics.se>

	* init_sec_context.c: actually pay attention to `time_req'
	* init_sec_context.c: re-organize. leak less memory.
	* gssapi_locl.h (gssapi_krb5_encapsulate, gss_krb5_getsomekey):
	update prototypes add assert.h
	* gssapi.h (GSS_KRB5_CONF_C_QOP_DES, GSS_KRB5_CONF_C_QOP_DES3_KD):
	add
	* verify_mic.c: re-organize and add 3DES code
	* wrap.c: re-organize and add 3DES code
	* unwrap.c: re-organize and add 3DES code
	* get_mic.c: re-organize and add 3DES code
	* encapsulate.c (gssapi_krb5_encapsulate): do not free `in_data',
	let the caller do that. fix the callers.

2000-08-16  Assar Westerlund  <assar@sics.se>

	* Makefile.am: bump version to 2:1:1

2000-07-29  Assar Westerlund  <assar@sics.se>

	* decapsulate.c (gssapi_krb5_verify_header): sanity-check length

2000-07-25  Johan Danielsson  <joda@pdc.kth.se>

	* Makefile.am: bump version to 2:0:1

2000-07-22  Assar Westerlund  <assar@sics.se>

	* gssapi.h: update OID for GSS_C_NT_HOSTBASED_SERVICE and other
	details from rfc2744

2000-06-29  Assar Westerlund  <assar@sics.se>

	* address_to_krb5addr.c (gss_address_to_krb5addr): actually use
	`int' instead of `sa_family_t' for the address family.

2000-06-21  Assar Westerlund  <assar@sics.se>

	* add support for token delegation. From Daniel Kouril
	<kouril@ics.muni.cz> and Miroslav Ruda <ruda@ics.muni.cz>

2000-05-15  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): set version to 1:1:1

2000-04-12  Assar Westerlund  <assar@sics.se>

	* release_oid_set.c (gss_release_oid_set): clear set for
	robustness. From GOMBAS Gabor <gombasg@inf.elte.hu>
	* release_name.c (gss_release_name): reset input_name for
	robustness. From GOMBAS Gabor <gombasg@inf.elte.hu>
	* release_buffer.c (gss_release_buffer): set value to NULL to be
	more robust. From GOMBAS Gabor <gombasg@inf.elte.hu>
	* add_oid_set_member.c (gss_add_oid_set_member): actually check if
	the oid is a member first. leave the oid_set unchanged if realloc
	fails.

2000-02-13  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 1:0:1

2000-02-12  Assar Westerlund  <assar@sics.se>

	* gssapi_locl.h: add flags for import/export
	* import_sec_context.c (import_sec_context: add flags for what
	fields are included. do not include the authenticator for now.
	* export_sec_context.c (export_sec_context: add flags for what
	fields are included. do not include the authenticator for now.
	* accept_sec_context.c (gss_accept_sec_context): set target in
	context_handle

2000-02-11  Assar Westerlund  <assar@sics.se>

	* delete_sec_context.c (gss_delete_sec_context): set context to
	GSS_C_NO_CONTEXT

	* Makefile.am: add {export,import}_sec_context.c
	* export_sec_context.c: new file
	* import_sec_context.c: new file
	* accept_sec_context.c (gss_accept_sec_context): set trans flag

2000-02-07  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 0:5:0

2000-01-26  Assar Westerlund  <assar@sics.se>

	* delete_sec_context.c (gss_delete_sec_context): handle a NULL
	output_token

	* wrap.c: update to pseudo-standard APIs for md4,md5,sha. some
	changes to libdes calls to make them more portable.
	* verify_mic.c: update to pseudo-standard APIs for md4,md5,sha.
	some changes to libdes calls to make them more portable.
	* unwrap.c: update to pseudo-standard APIs for md4,md5,sha. some
	changes to libdes calls to make them more portable.
	* get_mic.c: update to pseudo-standard APIs for md4,md5,sha. some
	changes to libdes calls to make them more portable.
	* 8003.c: update to pseudo-standard APIs for md4,md5,sha.

2000-01-06  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 0:4:0

1999-12-26  Assar Westerlund  <assar@sics.se>

	* accept_sec_context.c (gss_accept_sec_context): always set
	`output_token'
	* init_sec_context.c (init_auth): always initialize `output_token'
	* delete_sec_context.c (gss_delete_sec_context): always set
	`output_token'

1999-12-06  Assar Westerlund  <assar@sics.se>

	* Makefile.am: bump version to 0:3:0

1999-10-20  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 0:2:0

1999-09-21  Assar Westerlund  <assar@sics.se>

	* init_sec_context.c (gss_init_sec_context): initialize `ticket'

	* gssapi.h (gss_ctx_id_t_desc): add ticket in here. ick.

	* delete_sec_context.c (gss_delete_sec_context): free ticket

	* accept_sec_context.c (gss_accept_sec_context): stove away
	`krb5_ticket' in context so that ugly programs such as
	gss_nt_server can get at it. uck.

1999-09-20  Johan Danielsson  <joda@pdc.kth.se>

	* accept_sec_context.c: set minor_status

1999-08-04  Assar Westerlund  <assar@sics.se>

	* display_status.c (calling_error, routine_error): right shift the
	code to make it possible to index into the arrays

1999-07-28  Assar Westerlund  <assar@sics.se>

	* gssapi.h (GSS_C_AF_INET6): add

	* import_name.c (import_hostbased_name): set minor_status

1999-07-26  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 0:1:0

Wed Apr 7 14:05:15 1999  Johan Danielsson  <joda@hella.pdc.kth.se>

	* display_status.c: set minor_status

	* init_sec_context.c: set minor_status

	* lib/gssapi/init.c: remove donep (check gssapi_krb5_context
	directly)