/crypto/heimdal/lib/gssapi/ChangeLog
#! | 2970 lines | 1781 code | 1189 blank | 0 comment | 0 complexity | 064e0feaf998d4b0551c28c4ef696f4c MD5 | raw file
Large files files are truncated, but you can click here to view the full file
12008-08-14 Love Hornquist Astrand <lha@10a140laptop.local> 2 3 * krb5/accept_sec_context.c: If there is a initiator subkey, copy 4 that to acceptor subkey to match windows behavior. From Metze. 5 62008-08-02 Love Hörnquist Åstrand <lha@h5l.org> 7 8 * ntlm/init_sec_context.c: Catch error 9 10 * krb5/inquire_sec_context_by_oid.c: Catch store failure. 11 12 * mech/gss_canonicalize_name.c: Not init m, return never 13 used (overwritten later). 14 152008-07-25 Love Hörnquist Åstrand <lha@kth.se> 16 17 * ntlm/init_sec_context.c: Use krb5_cc_get_config. 18 192008-07-25 Love Hörnquist Åstrand <lha@kth.se> 20 21 * krb5/init_sec_context.c: Match the orignal patch I got from 22 metze, seems that DCE-STYLE is even more weirer then what I though 23 when I merged the patch. 24 252008-06-02 Love Hörnquist Åstrand <lha@kth.se> 26 27 * krb5/init_sec_context.c: Don't add asn1 wrapping to token when 28 using DCE_STYLE. Patch from Stefan Metzmacher. 29 302008-05-27 Love Hörnquist Åstrand <lha@kth.se> 31 32 * ntlm/init_sec_context.c: use krb5_get_error_message 33 342008-05-05 Love Hörnquist Åstrand <lha@kth.se> 35 36 * spnego/spnego_locl.h: Add back "mech/utils.h", its needed for 37 oid/buffer functions. 38 392008-05-02 Love Hörnquist Åstrand <lha@it.su.se> 40 41 * spnego: Changes from doug barton to make spnego indepedant of 42 the heimdal version of the plugin system. 43 442008-04-27 Love Hörnquist Åstrand <lha@it.su.se> 45 46 * krb5: use DES_set_key_unchecked() 47 482008-04-17 Love Hörnquist Åstrand <lha@it.su.se> 49 50 * add __declspec() for windows. 51 522008-04-15 Love Hörnquist Åstrand <lha@it.su.se> 53 54 * krb5/import_sec_context.c: Use tmp to read ac->flags value to 55 avoid warning. 56 572008-04-07 Love Hörnquist Åstrand <lha@it.su.se> 58 59 * mech/gss_mech_switch.c: Use unsigned where appropriate. 60 612008-03-14 Love Hörnquist Åstrand <lha@it.su.se> 62 63 * test_context.c: Add test for gsskrb5_register_acceptor_identity. 64 652008-03-09 Love Hörnquist Åstrand <lha@it.su.se> 66 67 * krb5/init_sec_context.c (init_auth): use right variable to 68 detect if we want to free or not. 69 702008-02-26 Love Hörnquist Åstrand <lha@it.su.se> 71 72 * Makefile.am: add missing \ 73 74 * Makefile.am: reshuffle depenencies 75 76 * Add flag to krb5 to not add GSS-API INT|CONF to the negotiation 77 782008-02-21 Love Hörnquist Åstrand <lha@it.su.se> 79 80 * make the SPNEGO mech store the error itself instead, works for 81 everything except other stackable mechs 82 832008-02-18 Love Hörnquist Åstrand <lha@it.su.se> 84 85 * spnego/init_sec_context.c (spnego_reply): if the reply token was 86 of length 0, make it the same as no token. Pointed out by Zeqing 87 Xia. 88 89 * krb5/acquire_cred.c (acquire_initiator_cred): handle the 90 credential cache better, use destroy/close when appriate and for 91 all cases. Thanks to Michael Allen for point out the memory-leak 92 that I also fixed. 93 942008-02-03 Love Hörnquist Åstrand <lha@it.su.se> 95 96 * spnego/accept_sec_context.c: Make error reporting somewhat more 97 correct for SPNEGO. 98 992008-01-27 Love Hörnquist Åstrand <lha@it.su.se> 100 101 * test_common.c: Improve the error message. 102 1032008-01-24 Love Hörnquist Åstrand <lha@it.su.se> 104 105 * ntlm/accept_sec_context.c: Avoid free-ing type1 message before 106 its allocated. 107 1082008-01-13 Love Hörnquist Åstrand <lha@it.su.se> 109 110 * test_ntlm.c: Test source name (and make the acceptor in ntlm gss 111 mech useful). 112 1132007-12-30 Love Hörnquist Åstrand <lha@it.su.se> 114 115 * ntlm/init_sec_context.c: Don't confuse target name and source 116 name, make regressiont tests pass again. 117 1182007-12-29 Love Hörnquist Åstrand <lha@it.su.se> 119 120 * ntlm: clean up name handling 121 1222007-12-04 Love Hörnquist Åstrand <lha@it.su.se> 123 124 * ntlm/init_sec_context.c: Use credential if it was passed in. 125 126 * ntlm/acquire_cred.c: Check if there is initial creds with 127 _gss_ntlm_get_user_cred(). 128 129 * ntlm/init_sec_context.c: Add _gss_ntlm_get_user_info() that 130 return the user info so it can be used by external modules. 131 132 * ntlm/inquire_cred.c: use the right error code. 133 134 * ntlm/inquire_cred.c: Return GSS_C_NO_CREDENTIAL if there is no 135 credential, ntlm have (not yet) a default credential. 136 137 * mech/gss_release_oid_set.c: Avoid trying to deref NULL, from 138 Phil Fisher. 139 1402007-12-03 Love Hörnquist Åstrand <lha@it.su.se> 141 142 * test_acquire_cred.c: Always try to fetch cred (even with 143 GSS_C_NO_NAME). 144 1452007-08-09 Love Hörnquist Åstrand <lha@it.su.se> 146 147 * mech/gss_krb5.c: Readd gss_krb5_get_tkt_flags. 148 1492007-08-08 Love Hörnquist Åstrand <lha@it.su.se> 150 151 * spnego/compat.c (_gss_spnego_internal_delete_sec_context): 152 release ctx->target_name too From Rafal Malinowski. 153 1542007-07-26 Love Hörnquist Åstrand <lha@it.su.se> 155 156 * mech/gss_mech_switch.c: Don't try to do dlopen if system doesn't 157 have dlopen. From Rune of Chalmers. 158 1592007-07-10 Love Hörnquist Åstrand <lha@it.su.se> 160 161 * mech/gss_duplicate_name.c: New signature of _gss_find_mn. 162 163 * mech/gss_init_sec_context.c: New signature of _gss_find_mn. 164 165 * mech/gss_acquire_cred.c: New signature of _gss_find_mn. 166 167 * mech/name.h: New signature of _gss_find_mn. 168 169 * mech/gss_canonicalize_name.c: New signature of _gss_find_mn. 170 171 * mech/gss_compare_name.c: New signature of _gss_find_mn. 172 173 * mech/gss_add_cred.c: New signature of _gss_find_mn. 174 175 * mech/gss_names.c (_gss_find_mn): Return an error code for 176 caller. 177 178 * spnego/accept_sec_context.c: remove checks that are done by the 179 previous function. 180 181 * Makefile.am: New library version. 182 1832007-07-04 Love Hörnquist Åstrand <lha@it.su.se> 184 185 * mech/gss_oid_to_str.c: Refuse to print GSS_C_NULL_OID, from 186 Rafal Malinowski. 187 188 * spnego/spnego.asn1: Indent and make NegTokenInit and 189 NegTokenResp extendable. 190 1912007-06-21 Love Hörnquist Åstrand <lha@it.su.se> 192 193 * ntlm/inquire_cred.c: Implement _gss_ntlm_inquire_cred. 194 195 * mech/gss_display_status.c: Provide message for GSS_S_COMPLETE. 196 197 * mech/context.c: If the canned string is "", its no use to the 198 user, make it fall back to the default error string. 199 2002007-06-20 Love Hörnquist Åstrand <lha@it.su.se> 201 202 * mech/gss_display_name.c (gss_display_name): no name -> 203 fail. From Rafal Malinswski. 204 205 * spnego/accept_sec_context.c: Wrap name in a spnego_name instead 206 of just a copy of the underlaying object. From Rafal Malinswski. 207 208 * spnego/accept_sec_context.c: Handle underlaying mech not 209 returning mn. 210 211 * mech/gss_accept_sec_context.c: Handle underlaying mech not 212 returning mn. 213 214 * spnego/accept_sec_context.c: Make sure src_name is always set to 215 GSS_C_NO_NAME when returning. 216 217 * krb5/acquire_cred.c (acquire_acceptor_cred): don't claim 218 everything is well on failure. From Phil Fisher. 219 220 * mech/gss_duplicate_name.c: catch error (and ignore it) 221 222 * ntlm/init_sec_context.c: Use heim_ntlm_calculate_ntlm2_sess. 223 224 * mech/gss_accept_sec_context.c: Only wrap the delegated cred if 225 we got a delegated mech cred. From Rafal Malinowski. 226 227 * spnego/accept_sec_context.c: Only wrap the delegated cred if we 228 are going to return it to the consumer. From Rafal Malinowski. 229 230 * spnego/accept_sec_context.c: Fixed memory leak pointed out by 231 Rafal Malinowski, also while here moved to use NegotiationToken 232 for decoding. 233 2342007-06-18 Love Hörnquist Åstrand <lha@it.su.se> 235 236 * krb5/prf.c (_gsskrb5_pseudo_random): add missing break. 237 238 * krb5/release_name.c: Set *minor_status unconditionallty, its 239 done later anyway. 240 241 * spnego/accept_sec_context.c: Init get_mic to 0. 242 243 * mech/gss_set_cred_option.c: Free memory in failure case, found 244 by beam. 245 246 * mech/gss_inquire_context.c: Handle mech_type being NULL. 247 248 * mech/gss_inquire_cred_by_mech.c: Handle cred_name being NULL. 249 250 * mech/gss_krb5.c: Free memory in error case, found by beam. 251 2522007-06-12 Love Hörnquist Åstrand <lha@it.su.se> 253 254 * ntlm/inquire_context.c: Use ctx->gssflags for flags. 255 256 * krb5/display_name.c: Use KRB5_PRINCIPAL_UNPARSE_DISPLAY, this is 257 not ment for machine consumption. 258 2592007-06-09 Love Hörnquist Åstrand <lha@it.su.se> 260 261 * ntlm/digest.c (kdc_alloc): free memory on failure, pointed out 262 by Rafal Malinowski. 263 264 * ntlm/digest.c (kdc_destroy): free context when done, pointed out 265 by Rafal Malinowski. 266 267 * spnego/context_stubs.c (_gss_spnego_display_name): if input_name 268 is null, fail. From Rafal Malinowski. 269 2702007-06-04 Love Hörnquist Åstrand <lha@it.su.se> 271 272 * ntlm/digest.c: Free memory when done. 273 2742007-06-02 Love Hörnquist Åstrand <lha@it.su.se> 275 276 * test_ntlm.c: Test both with and without keyex. 277 278 * ntlm/digest.c: If we didn't set session key, don't expect one 279 back. 280 281 * test_ntlm.c: Set keyex flag and calculate session key. 282 2832007-05-31 Love Hörnquist Åstrand <lha@it.su.se> 284 285 * spnego/accept_sec_context.c: Use the return value before is 286 overwritten by later calls. From Rafal Malinowski 287 288 * krb5/release_cred.c: Give an minor_status argument to 289 gss_release_oid_set. From Rafal Malinowski 290 2912007-05-30 Love Hörnquist Åstrand <lha@it.su.se> 292 293 * ntlm/accept_sec_context.c: Catch errors and return the up the 294 stack. 295 296 * test_kcred.c: more testing of lifetimes 297 2982007-05-17 Love Hörnquist Åstrand <lha@it.su.se> 299 300 * Makefile.am: Drop the gss oid_set function for the krb5 mech, 301 use the mech glue versions instead. Pointed out by Rafal 302 Malinowski. 303 304 * krb5: Use gss oid_set functions from mechglue 305 3062007-05-14 Love Hörnquist Åstrand <lha@it.su.se> 307 308 * ntlm/accept_sec_context.c: Set session key only if we are 309 returned a session key. Found by David Love. 310 3112007-05-13 Love Hörnquist Åstrand <lha@it.su.se> 312 313 * krb5/prf.c: switched MIN to min to make compile on solaris, 314 pointed out by David Love. 315 3162007-05-09 Love Hörnquist Åstrand <lha@it.su.se> 317 318 * krb5/inquire_cred_by_mech.c: Fill in all of the variables if 319 they are passed in. Pointed out by Phil Fisher. 320 3212007-05-08 Love Hörnquist Åstrand <lha@it.su.se> 322 323 * krb5/inquire_cred.c: Fix copy and paste error, bug spotted by 324 from Phil Fisher. 325 326 * mech: dont keep track of gc_usage, just figure it out at 327 gss_inquire_cred() time 328 329 * mech/gss_mech_switch.c (add_builtin): ok for 330 __gss_mech_initialize() to return NULL 331 332 * test_kcred.c: more correct tests 333 334 * spnego/cred_stubs.c (gss_inquire_cred*): wrap the name with a 335 spnego_name. 336 337 * ntlm/inquire_cred.c: make ntlm gss_inquire_cred fail for now, 338 need to find default cred and friends. 339 340 * krb5/inquire_cred_by_mech.c: reimplement 341 3422007-05-07 Love Hörnquist Åstrand <lha@it.su.se> 343 344 * ntlm/acquire_cred.c: drop unused variable. 345 346 * ntlm/acquire_cred.c: Reimplement. 347 348 * Makefile.am: add ntlm/digest.c 349 350 * ntlm: split out backend ntlm server processing 351 3522007-04-24 Love Hörnquist Åstrand <lha@it.su.se> 353 354 * ntlm/delete_sec_context.c (_gss_ntlm_delete_sec_context): free 355 credcache when done 356 3572007-04-22 Love Hörnquist Åstrand <lha@it.su.se> 358 359 * ntlm/init_sec_context.c: ntlm-key credential entry is prefix with @ 360 361 * ntlm/init_sec_context.c (get_user_ccache): pick up the ntlm 362 creds from the krb5 credential cache. 363 3642007-04-21 Love Hörnquist Åstrand <lha@it.su.se> 365 366 * ntlm/delete_sec_context.c: free the key stored in the context 367 368 * ntlm/ntlm.h: switch password for a key 369 370 * test_oid.c: Switch oid to one that is exported. 371 3722007-04-20 Love Hörnquist Åstrand <lha@it.su.se> 373 374 * ntlm/init_sec_context.c: move where hash is calculated to make 375 it easier to add ccache support. 376 377 * Makefile.am: Add version-script.map to EXTRA_DIST. 378 3792007-04-19 Love Hörnquist Åstrand <lha@it.su.se> 380 381 * Makefile.am: Unconfuse newer versions of automake that doesn't 382 know the diffrence between depenences and setting variables. foo: 383 vs foo=. 384 385 * test_ntlm.c: delete sec context when done. 386 387 * version-script.map: export more symbols. 388 389 * Makefile.am: add version script if ld supports it 390 391 * version-script.map: add version script if ld supports it 392 3932007-04-18 Love Hörnquist Åstrand <lha@it.su.se> 394 395 * Makefile.am: test_acquire_cred need test_common.[ch] 396 397 * test_acquire_cred.c: add more test options. 398 399 * krb5/external.c: add GSS_KRB5_CCACHE_NAME_X 400 401 * gssapi/gssapi_krb5.h: add GSS_KRB5_CCACHE_NAME_X 402 403 * krb5/set_sec_context_option.c: refactor code, implement 404 GSS_KRB5_CCACHE_NAME_X 405 406 * mech/gss_krb5.c: reimplement gss_krb5_ccache_name 407 4082007-04-17 Love Hörnquist Åstrand <lha@it.su.se> 409 410 * spnego/cred_stubs.c: Need to import spnego name before we can 411 use it as a gss_name_t. 412 413 * test_acquire_cred.c: use this test as part of the regression 414 suite. 415 416 * mech/gss_acquire_cred.c (gss_acquire_cred): dont init 417 cred->gc_mc every time in the loop. 418 4192007-04-15 Love Hörnquist Åstrand <lha@it.su.se> 420 421 * Makefile.am: add test_common.h 422 4232007-02-16 Love Hörnquist Åstrand <lha@it.su.se> 424 425 * gss_acquire_cred.3: Add link for 426 gsskrb5_register_acceptor_identity. 427 4282007-02-08 Love Hörnquist Åstrand <lha@it.su.se> 429 430 * krb5/copy_ccache.c: Try to leak less memory in the failure case. 431 4322007-01-31 Love Hörnquist Åstrand <lha@it.su.se> 433 434 * mech/gss_display_status.c: Use right printf formater. 435 436 * test_*.[ch]: split out the error printing function and try to 437 return better errors 438 4392007-01-30 Love Hörnquist Åstrand <lha@it.su.se> 440 441 * krb5/init_sec_context.c: revert 1.75: (init_auth): only turn on 442 GSS_C_CONF_FLAG and GSS_C_INT_FLAG if the caller requseted it. 443 444 This is because Kerberos always support INT|CONF, matches behavior 445 with MS and MIT. The creates problems for the GSS-SPNEGO mech. 446 4472007-01-24 Love Hörnquist Åstrand <lha@it.su.se> 448 449 * krb5/prf.c: constrain desired_output_len 450 451 * krb5/external.c (krb5_mech): add _gsskrb5_pseudo_random 452 453 * mech/gss_pseudo_random.c: Catch error from underlaying mech on 454 failure. 455 456 * Makefile.am: Add krb5/prf.c 457 458 * krb5/prf.c: gss_pseudo_random for krb5 459 460 * test_context.c: Checks for gss_pseudo_random. 461 462 * krb5/gkrb5_err.et: add KG_INPUT_TOO_LONG 463 464 * Makefile.am: Add mech/gss_pseudo_random.c 465 466 * gssapi/gssapi.h: try to load pseudo_random 467 468 * mech/gss_mech_switch.c: try to load pseudo_random 469 470 * mech/gss_pseudo_random.c: Add gss_pseudo_random. 471 472 * gssapi_mech.h: Add hook for gm_pseudo_random. 473 4742007-01-17 Love Hörnquist Åstrand <lha@it.su.se> 475 476 * test_context.c: Don't assume bufer from gss_display_status is 477 ok. 478 479 * mech/gss_wrap_size_limit.c: Reset out variables. 480 481 * mech/gss_wrap.c: Reset out variables. 482 483 * mech/gss_verify_mic.c: Reset out variables. 484 485 * mech/gss_utils.c: Reset out variables. 486 487 * mech/gss_release_oid_set.c: Reset out variables. 488 489 * mech/gss_release_cred.c: Reset out variables. 490 491 * mech/gss_release_buffer.c: Reset variables. 492 493 * mech/gss_oid_to_str.c: Reset out variables. 494 495 * mech/gss_inquire_sec_context_by_oid.c: Fix reset out variables. 496 497 * mech/gss_mech_switch.c: Reset out variables. 498 499 * mech/gss_inquire_sec_context_by_oid.c: Reset out variables. 500 501 * mech/gss_inquire_names_for_mech.c: Reset out variables. 502 503 * mech/gss_inquire_cred_by_oid.c: Reset out variables. 504 505 * mech/gss_inquire_cred_by_oid.c: Reset out variables. 506 507 * mech/gss_inquire_cred_by_mech.c: Reset out variables. 508 509 * mech/gss_inquire_cred.c: Reset out variables, fix memory leak. 510 511 * mech/gss_inquire_context.c: Reset out variables. 512 513 * mech/gss_init_sec_context.c: Zero out outbuffer on failure. 514 515 * mech/gss_import_name.c: Reset out variables. 516 517 * mech/gss_import_name.c: Reset out variables. 518 519 * mech/gss_get_mic.c: Reset out variables. 520 521 * mech/gss_export_name.c: Reset out variables. 522 523 * mech/gss_encapsulate_token.c: Reset out variables. 524 525 * mech/gss_duplicate_oid.c: Reset out variables. 526 527 * mech/gss_duplicate_oid.c: Reset out variables. 528 529 * mech/gss_duplicate_name.c: Reset out variables. 530 531 * mech/gss_display_status.c: Reset out variables. 532 533 * mech/gss_display_name.c: Reset out variables. 534 535 * mech/gss_delete_sec_context.c: Reset out variables using propper 536 macros. 537 538 * mech/gss_decapsulate_token.c: Reset out variables using propper 539 macros. 540 541 * mech/gss_add_cred.c: Reset out variables. 542 543 * mech/gss_acquire_cred.c: Reset out variables. 544 545 * mech/gss_accept_sec_context.c: Reset out variables using propper 546 macros. 547 548 * mech/gss_init_sec_context.c: Reset out variables. 549 550 * mech/mech_locl.h (_mg_buffer_zero): new macro that zaps a 551 gss_buffer_t 552 5532007-01-16 Love Hörnquist Åstrand <lha@it.su.se> 554 555 * mech: sprinkel _gss_mg_error 556 557 * mech/gss_display_status.c (gss_display_status): use 558 _gss_mg_get_error to fetch the error from underlaying mech, if it 559 failes, let do the regular dance for GSS-CODE version and a 560 generic print-the-error code for MECH-CODE. 561 562 * mech/gss_oid_to_str.c: Don't include the NUL in the length of 563 the string. 564 565 * mech/context.h: Protoypes for _gss_mg_. 566 567 * mech/context.c: Glue to catch the error from the lower gss-api 568 layer and save that for later so gss_display_status() can show the 569 error. 570 571 * gss.c: Detect NTLM. 572 5732007-01-11 Love Hörnquist Åstrand <lha@it.su.se> 574 575 * mech/gss_accept_sec_context.c: spelling 576 5772007-01-04 Love Hörnquist Åstrand <lha@it.su.se> 578 579 * Makefile.am: Include build (private) prototypes header files. 580 581 * Makefile.am (ntlmsrc): add ntlm/ntlm-private.h 582 5832006-12-28 Love Hörnquist Åstrand <lha@it.su.se> 584 585 * ntlm/accept_sec_context.c: Pass signseal argument to 586 _gss_ntlm_set_key. 587 588 * ntlm/init_sec_context.c: Pass signseal argument to 589 _gss_ntlm_set_key. 590 591 * ntlm/crypto.c (_gss_ntlm_set_key): add signseal argument 592 593 * test_ntlm.c: add ntlmv2 test 594 595 * ntlm/ntlm.h: break out struct ntlmv2_key; 596 597 * ntlm/crypto.c (_gss_ntlm_set_key): set ntlm v2 keys. 598 599 * ntlm/accept_sec_context.c: Set dummy ntlmv2 keys and Check TI. 600 601 * ntlm/ntlm.h: NTLMv2 keys. 602 603 * ntlm/crypto.c: NTLMv2 sign and verify. 604 6052006-12-20 Love Hörnquist Åstrand <lha@it.su.se> 606 607 * ntlm/accept_sec_context.c: Don't send targetinfo now. 608 609 * ntlm/init_sec_context.c: Build ntlmv2 answer buffer. 610 611 * ntlm/init_sec_context.c: Leak less memory. 612 613 * ntlm/init_sec_context.c: Announce that we support key exchange. 614 615 * ntlm/init_sec_context.c: Add NTLM_NEG_NTLM2_SESSION, NTLMv2 616 session security (disable because missing sign and seal). 617 6182006-12-19 Love Hörnquist Åstrand <lha@it.su.se> 619 620 * ntlm/accept_sec_context.c: split RC4 send and recv keystreams 621 622 * ntlm/init_sec_context.c: split RC4 send and recv keystreams 623 624 * ntlm/ntlm.h: split RC4 send and recv keystreams 625 626 * ntlm/crypto.c: Implement SEAL. 627 628 * ntlm/crypto.c: move gss_wrap/gss_unwrap here 629 630 * test_context.c: request INT and CONF from the gss layer, test 631 get and verify MIC. 632 633 * ntlm/ntlm.h: add crypto bits. 634 635 * ntlm/accept_sec_context.c: Save session master key. 636 637 * Makefile.am: Move get and verify mic to the same file (crypto.c) 638 since they share code. 639 640 * ntlm/crypto.c: Move get and verify mic to the same file since 641 they share code, implement NTLM v1 and dummy signatures. 642 643 * ntlm/init_sec_context.c: pass on GSS_C_CONF_FLAG and 644 GSS_C_INTEG_FLAG, save the session master key 645 646 * spnego/accept_sec_context.c: try using gss_accept_sec_context() 647 on the opportunistic token instead of guessing the acceptor name 648 and do gss_acquire_cred, this make SPNEGO work like before. 649 6502006-12-18 Love Hörnquist Åstrand <lha@it.su.se> 651 652 * ntlm/init_sec_context.c: Calculate the NTLM version 1 "master" 653 key. 654 655 * spnego/accept_sec_context.c: Resurect negHints for the acceptor 656 sends first packet. 657 658 * Makefile.am: Add "windows" versions of the NegTokenInitWin and 659 friends. 660 661 * test_context.c: add --wrapunwrap flag 662 663 * spnego/compat.c: move _gss_spnego_indicate_mechtypelist() to 664 compat.c, use the sequence types of MechTypeList, make 665 add_mech_type() static. 666 667 * spnego/accept_sec_context.c: move 668 _gss_spnego_indicate_mechtypelist() to compat.c 669 670 * Makefile.am: Generate sequence code for MechTypeList 671 672 * spnego: check that the generated acceptor mechlist is acceptable too 673 674 * spnego/init_sec_context.c: Abstract out the initiator filter 675 function, it will be needed for the acceptor too. 676 677 * spnego/accept_sec_context.c: Abstract out the initiator filter 678 function, it will be needed for the acceptor too. Remove negHints. 679 680 * test_context.c: allow asserting return mech 681 682 * ntlm/accept_sec_context.c: add _gss_ntlm_allocate_ctx 683 684 * ntlm/acquire_cred.c: Check that the KDC seem to there and 685 answering us, we can't do better then that wen checking if we will 686 accept the credential. 687 688 * ntlm/get_mic.c: return GSS_S_UNAVAILABLE 689 690 * mech/utils.h: add _gss_free_oid, reverse of _gss_copy_oid 691 692 * mech/gss_utils.c: add _gss_free_oid, reverse of _gss_copy_oid 693 694 * spnego/spnego.asn1: Its very sad, but NegHints its are not part 695 of the NegTokenInit, this makes SPNEGO acceptor life a lot harder. 696 697 * spnego: try harder to handle names better. handle missing 698 acceptor and initator creds better (ie dont propose/accept mech 699 that there are no credentials for) split NegTokenInit and 700 NegTokenResp in acceptor 701 7022006-12-16 Love Hörnquist Åstrand <lha@it.su.se> 703 704 * ntlm/import_name.c: Allocate the buffer from the right length. 705 7062006-12-15 Love Hörnquist Åstrand <lha@it.su.se> 707 708 * ntlm/init_sec_context.c (init_sec_context): Tell the other side 709 what domain we think we are talking to. 710 711 * ntlm/delete_sec_context.c: free username and password 712 713 * ntlm/release_name.c (_gss_ntlm_release_name): free name. 714 715 * ntlm/import_name.c (_gss_ntlm_import_name): add support for 716 GSS_C_NT_HOSTBASED_SERVICE names 717 718 * ntlm/ntlm.h: Add ntlm_name. 719 720 * test_context.c: allow testing of ntlm. 721 722 * gssapi_mech.h: add __gss_ntlm_initialize 723 724 * ntlm/accept_sec_context.c (handle_type3): verify that the kdc 725 approved of the ntlm exchange too 726 727 * mech/gss_mech_switch.c: Add the builtin ntlm mech 728 729 * test_ntlm.c: NTLM test app. 730 731 * mech/gss_accept_sec_context.c: Add detection of NTLMSSP. 732 733 * gssapi/gssapi.h: add ntlm mech oid 734 735 * ntlm/external.c: Switch OID to the ms ntlmssp oid 736 737 * Makefile.am: Add ntlm gss-api module. 738 739 * ntlm/accept_sec_context.c: Catch more error errors. 740 741 * ntlm/accept_sec_context.c: Check after a credential to use. 742 7432006-12-14 Love Hörnquist Åstrand <lha@it.su.se> 744 745 * krb5/set_sec_context_option.c (GSS_KRB5_SET_DEFAULT_REALM_X): 746 don't fail on success. Bug report from Stefan Metzmacher. 747 7482006-12-13 Love Hörnquist Åstrand <lha@it.su.se> 749 750 * krb5/init_sec_context.c (init_auth): only turn on 751 GSS_C_CONF_FLAG and GSS_C_INT_FLAG if the caller requseted it. 752 From Stefan Metzmacher. 753 7542006-12-11 Love Hörnquist Åstrand <lha@it.su.se> 755 756 * Makefile.am (libgssapi_la_OBJECTS): depends on gssapi_asn1.h 757 spnego_asn1.h. 758 7592006-11-20 Love Hörnquist Åstrand <lha@it.su.se> 760 761 * krb5/acquire_cred.c: Make krb5_get_init_creds_opt_free take a 762 context argument. 763 7642006-11-16 Love Hörnquist Åstrand <lha@it.su.se> 765 766 * test_context.c: Test that token keys are the same, return 767 actual_mech. 768 7692006-11-15 Love Hörnquist Åstrand <lha@it.su.se> 770 771 * spnego/spnego_locl.h: Make bitfields unsigned, add maybe_open. 772 773 * spnego/accept_sec_context.c: Use ASN.1 encoder functions to 774 encode CHOICE structure now that we can handle it. 775 776 * spnego/init_sec_context.c: Use ASN.1 encoder functions to encode 777 CHOICE structure now that we can handle it. 778 779 * spnego/accept_sec_context.c (_gss_spnego_accept_sec_context): 780 send back ad accept_completed when the security context is ->open, 781 w/o this the client doesn't know that the server have completed 782 the transaction. 783 784 * test_context.c: Add delegate flag and check that the delegated 785 cred works. 786 787 * spnego/init_sec_context.c: Keep track of the opportunistic token 788 in the inital message, it might be a complete gss-api context, in 789 that case we'll get back accept_completed without any token. With 790 this change, krb5 w/o mutual authentication works. 791 792 * spnego/accept_sec_context.c: Use ASN.1 encoder functions to 793 encode CHOICE structure now that we can handle it. 794 795 * spnego/accept_sec_context.c: Filter out SPNEGO from the out 796 supported mechs list and make sure we don't select that for the 797 preferred mechamism. 798 7992006-11-14 Love Hörnquist Åstrand <lha@it.su.se> 800 801 * mech/gss_init_sec_context.c (_gss_mech_cred_find): break out the 802 cred finding to its own function 803 804 * krb5/wrap.c: Better error strings, from Andrew Bartlet. 805 8062006-11-13 Love Hörnquist Åstrand <lha@it.su.se> 807 808 * test_context.c: Create our own krb5_context. 809 810 * krb5: Switch from using a specific error message context in the 811 TLS to have a whole krb5_context in TLS. This have some 812 interestion side-effekts for the configruration setting options 813 since they operate on per-thread basis now. 814 815 * mech/gss_set_cred_option.c: When calling ->gm_set_cred_option 816 and checking for success, use GSS_S_COMPLETE. From Andrew Bartlet. 817 8182006-11-12 Love Hörnquist Åstrand <lha@it.su.se> 819 820 * Makefile.am: Help solaris make even more. 821 822 * Makefile.am: Help solaris make. 823 8242006-11-09 Love Hörnquist Åstrand <lha@it.su.se> 825 826 * Makefile.am: remove include $(srcdir)/Makefile-digest.am for now 827 828 * mech/gss_accept_sec_context.c: Try better guessing what is mech 829 we are going to select by looking harder at the input_token, idea 830 from Luke Howard's mechglue branch. 831 832 * Makefile.am: libgssapi_la_OBJECTS: add depency on gkrb5_err.h 833 834 * gssapi/gssapi_krb5.h: add GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X 835 836 * mech/gss_krb5.c: implement gss_krb5_set_allowable_enctypes 837 838 * gssapi/gssapi.h: GSS_KRB5_S_ 839 840 * krb5/gsskrb5_locl.h: Include <gkrb5_err.h>. 841 842 * gssapi/gssapi_krb5.h: Add gss_krb5_set_allowable_enctypes. 843 844 * Makefile.am: Build and install gkrb5_err.h 845 846 * krb5/gkrb5_err.et: Move the GSS_KRB5_S error here. 847 8482006-11-08 Love Hörnquist Åstrand <lha@it.su.se> 849 850 * mech/gss_krb5.c: Add gsskrb5_set_default_realm. 851 852 * krb5/set_sec_context_option.c: Support 853 GSS_KRB5_SET_DEFAULT_REALM_X. 854 855 * gssapi/gssapi_krb5.h: add GSS_KRB5_SET_DEFAULT_REALM_X 856 857 * krb5/external.c: add GSS_KRB5_SET_DEFAULT_REALM_X 858 8592006-11-07 Love Hörnquist Åstrand <lha@it.su.se> 860 861 * test_context.c: rename krb5_[gs]et_time_wrap to 862 krb5_[gs]et_max_time_skew 863 864 * krb5/copy_ccache.c: _gsskrb5_extract_authz_data_from_sec_context 865 no longer used, bye bye 866 867 * mech/gss_krb5.c: No depenency of the krb5 gssapi mech. 868 869 * mech/gss_krb5.c (gsskrb5_extract_authtime_from_sec_context): use 870 _gsskrb5_decode_om_uint32. From Andrew Bartlet. 871 872 * mech/gss_krb5.c: Add dummy gss_krb5_set_allowable_enctypes for 873 now. 874 875 * spnego/spnego_locl.h: Include <roken.h> for compatiblity. 876 877 * krb5/arcfour.c: Use IS_DCE_STYLE flag. There is no padding in 878 DCE-STYLE, don't try to use to. From Andrew Bartlett. 879 880 * test_context.c: test wrap/unwrap, add flag for dce-style and 881 mutual auth, also support multi-roundtrip sessions 882 883 * krb5/gsskrb5_locl.h: Add IS_DCE_STYLE macro. 884 885 * krb5/accept_sec_context.c (gsskrb5_acceptor_start): use 886 krb5_rd_req_ctx 887 888 * mech/gss_krb5.c (gsskrb5_get_subkey): return the per message 889 token subkey 890 891 * krb5/inquire_sec_context_by_oid.c: check if there is any key at 892 all 893 8942006-11-06 Love Hörnquist Åstrand <lha@it.su.se> 895 896 * krb5/inquire_sec_context_by_oid.c: Set more error strings, use 897 right enum for acceptor subkey. From Andrew Bartlett. 898 8992006-11-04 Love Hörnquist Åstrand <lha@it.su.se> 900 901 * test_context.c: Test gsskrb5_extract_service_keyblock, needed in 902 PAC valication. From Andrew Bartlett 903 904 * mech/gss_krb5.c: Add gsskrb5_extract_authz_data_from_sec_context 905 and keyblock extraction functions. 906 907 * gssapi/gssapi_krb5.h: Add extraction of keyblock function, from 908 Andrew Bartlett. 909 910 * krb5/external.c: Add GSS_KRB5_GET_SERVICE_KEYBLOCK_X 911 9122006-11-03 Love Hörnquist Åstrand <lha@it.su.se> 913 914 * test_context.c: Rename various routines and constants from 915 canonize to canonicalize. From Andrew Bartlett 916 917 * mech/gss_krb5.c: Rename various routines and constants from 918 canonize to canonicalize. From Andrew Bartlett 919 920 * krb5/set_sec_context_option.c: Rename various routines and 921 constants from canonize to canonicalize. From Andrew Bartlett 922 923 * krb5/external.c: Rename various routines and constants from 924 canonize to canonicalize. From Andrew Bartlett 925 926 * gssapi/gssapi_krb5.h: Rename various routines and constants from 927 canonize to canonicalize. From Andrew Bartlett 928 9292006-10-25 Love Hörnquist Åstrand <lha@it.su.se> 930 931 * krb5/accept_sec_context.c (gsskrb5_accept_delegated_token): need 932 to free ccache 933 9342006-10-24 Love Hörnquist Åstrand <lha@it.su.se> 935 936 * test_context.c (loop): free target_name 937 938 * mech/gss_accept_sec_context.c: SLIST_INIT the ->gc_mc' 939 940 * mech/gss_acquire_cred.c : SLIST_INIT the ->gc_mc' 941 942 * krb5/init_sec_context.c: Avoid leaking memory. 943 944 * mech/gss_buffer_set.c (gss_release_buffer_set): don't leak the 945 ->elements memory. 946 947 * test_context.c: make compile 948 949 * krb5/cfx.c (_gssapi_verify_mic_cfx): always free crypto context. 950 951 * krb5/set_cred_option.c (import_cred): free sp 952 9532006-10-22 Love Hörnquist Åstrand <lha@it.su.se> 954 955 * mech/gss_add_oid_set_member.c: Use old implementation of 956 gss_add_oid_set_member, it leaks less memory. 957 958 * krb5/test_cfx.c: free krb5_crypto. 959 960 * krb5/test_cfx.c: free krb5_context 961 962 * mech/gss_release_name.c (gss_release_name): free input_name 963 it-self. 964 9652006-10-21 Love Hörnquist Åstrand <lha@it.su.se> 966 967 * test_context.c: Call setprogname. 968 969 * mech/gss_krb5.c: Add gsskrb5_extract_authtime_from_sec_context. 970 971 * gssapi/gssapi_krb5.h: add 972 gsskrb5_extract_authtime_from_sec_context 973 9742006-10-20 Love Hörnquist Åstrand <lha@it.su.se> 975 976 * krb5/inquire_sec_context_by_oid.c: Add get_authtime. 977 978 * krb5/external.c: add GSS_KRB5_GET_AUTHTIME_X 979 980 * gssapi/gssapi_krb5.h: add GSS_KRB5_GET_AUTHTIME_X 981 982 * krb5/set_sec_context_option.c: Implement GSS_KRB5_SEND_TO_KDC_X. 983 984 * mech/gss_krb5.c: Add gsskrb5_set_send_to_kdc 985 986 * gssapi/gssapi_krb5.h: Add GSS_KRB5_SEND_TO_KDC_X and 987 gsskrb5_set_send_to_kdc 988 989 * krb5/external.c: add GSS_KRB5_SEND_TO_KDC_X 990 991 * Makefile.am: more files 992 9932006-10-19 Love Hörnquist Åstrand <lha@it.su.se> 994 995 * Makefile.am: remove spnego/gssapi_spnego.h, its now in gssapi/ 996 997 * test_context.c: Allow specifing mech. 998 999 * krb5/external.c: add GSS_SASL_DIGEST_MD5_MECHANISM (for now) 1000 1001 * gssapi/gssapi.h: Rename GSS_DIGEST_MECHANISM to 1002 GSS_SASL_DIGEST_MD5_MECHANISM 1003 10042006-10-18 Love Hörnquist Åstrand <lha@it.su.se> 1005 1006 * mech/gssapi.asn1: Make it into a heim_any_set, its doesn't 1007 except a tag. 1008 1009 * mech/gssapi.asn1: GSSAPIContextToken is IMPLICIT SEQUENCE 1010 1011 * gssapi/gssapi_krb5.h: add GSS_KRB5_GET_ACCEPTOR_SUBKEY_X 1012 1013 * krb5/external.c: Add GSS_KRB5_GET_ACCEPTOR_SUBKEY_X. 1014 1015 * gssapi/gssapi_krb5.h: add GSS_KRB5_GET_INITIATOR_SUBKEY_X and 1016 GSS_KRB5_GET_SUBKEY_X 1017 1018 * krb5/external.c: add GSS_KRB5_GET_INITIATOR_SUBKEY_X, 1019 GSS_KRB5_GET_SUBKEY_X 1020 10212006-10-17 Love Hörnquist Åstrand <lha@it.su.se> 1022 1023 * test_context.c: Support switching on name type oid's 1024 1025 * test_context.c: add test for dns canon flag 1026 1027 * mech/gss_krb5.c: Add gsskrb5_set_dns_canonlize. 1028 1029 * gssapi/gssapi_krb5.h: remove gss_krb5_compat_des3_mic 1030 1031 * gssapi/gssapi_krb5.h: Add gsskrb5_set_dns_canonlize. 1032 1033 * krb5/set_sec_context_option.c: implement 1034 GSS_KRB5_SET_DNS_CANONIZE_X 1035 1036 * gssapi/gssapi_krb5.h: add GSS_KRB5_SET_DNS_CANONIZE_X 1037 1038 * krb5/external.c: add GSS_KRB5_SET_DNS_CANONIZE_X 1039 1040 * mech/gss_krb5.c: add bits to make lucid context work 1041 10422006-10-14 Love Hörnquist Åstrand <lha@it.su.se> 1043 1044 * mech/gss_oid_to_str.c: Prefix der primitives with der_. 1045 1046 * krb5/inquire_sec_context_by_oid.c: Prefix der primitives with 1047 der_. 1048 1049 * krb5/encapsulate.c: Prefix der primitives with der_. 1050 1051 * mech/gss_oid_to_str.c: New der_print_heim_oid signature. 1052 10532006-10-12 Love Hörnquist Åstrand <lha@it.su.se> 1054 1055 * Makefile.am: add test_context 1056 1057 * krb5/inquire_sec_context_by_oid.c: Make it work. 1058 1059 * test_oid.c: Test lucid oid. 1060 1061 * gssapi/gssapi.h: Add OM_uint64_t. 1062 1063 * krb5/inquire_sec_context_by_oid.c: Add lucid interface. 1064 1065 * krb5/external.c: Add lucid interface, renumber oids to my 1066 delegated space. 1067 1068 * mech/gss_krb5.c: Add lucid interface. 1069 1070 * gssapi/gssapi_krb5.h: Add lucid interface. 1071 1072 * spnego/spnego_locl.h: Maybe include <netdb.h>. 1073 10742006-10-09 Love Hörnquist Åstrand <lha@it.su.se> 1075 1076 * mech/gss_mech_switch.c: define RTLD_LOCAL to 0 if not defined. 1077 10782006-10-08 Love Hörnquist Åstrand <lha@it.su.se> 1079 1080 * Makefile.am: install gssapi_krb5.H and gssapi_spnego.h 1081 1082 * gssapi/gssapi_krb5.h: Move krb5 stuff to <gssapi/gssapi_krb5.h>. 1083 1084 * gssapi/gssapi.h: Move krb5 stuff to <gssapi/gssapi_krb5.h>. 1085 1086 * Makefile.am: Drop some -I no longer needed. 1087 1088 * gssapi/gssapi_spnego.h: Move gssapi_spengo.h over here. 1089 1090 * krb5: reference all include files using 'krb5/' 1091 10922006-10-07 Love Hörnquist Åstrand <lha@it.su.se> 1093 1094 * gssapi.h: Add file inclusion protection. 1095 1096 * gssapi/gssapi.h: Correct header file inclusion protection. 1097 1098 * gssapi/gssapi.h: Move the gssapi.h from lib/gssapi/ to 1099 lib/gssapi/gssapi/ to please automake. 1100 1101 * spnego/spnego_locl.h: Maybe include <sys/types.h>. 1102 1103 * mech/mech_locl.h: Include <roken.h>. 1104 1105 * Makefile.am: split build files into dist_ and noinst_ SOURCES 1106 11072006-10-06 Love Hörnquist Åstrand <lha@it.su.se> 1108 1109 * gss.c: #if 0 out unused code. 1110 1111 * mech/gss_mech_switch.c: Cast argument to ctype(3) functions 1112 to (unsigned char). 1113 11142006-10-05 Love Hörnquist Åstrand <lha@it.su.se> 1115 1116 * mech/name.h: remove <sys/queue.h> 1117 1118 * mech/mech_switch.h: remove <sys/queue.h> 1119 1120 * mech/cred.h: remove <sys/queue.h> 1121 11222006-10-02 Love Hörnquist Åstrand <lha@it.su.se> 1123 1124 * krb5/arcfour.c: Thinker more with header lengths. 1125 1126 * krb5/arcfour.c: Improve the calcucation of header 1127 lengths. DCE-STYLE data is also padded so remove if (1 || ...) 1128 code. 1129 1130 * krb5/wrap.c (_gsskrb5_wrap_size_limit): use 1131 _gssapi_wrap_size_arcfour for arcfour 1132 1133 * krb5/arcfour.c: Move _gssapi_wrap_size_arcfour here. 1134 1135 * Makefile.am: Split all mech to diffrent mechsrc variables. 1136 1137 * spnego/context_stubs.c: Make internal function static (and 1138 rename). 1139 11402006-10-01 Love Hörnquist Åstrand <lha@it.su.se> 1141 1142 * krb5/inquire_cred.c: Fix "if (x) lock(y)" bug. From Harald 1143 Barth. 1144 1145 * spnego/spnego_locl.h: Include <sys/param.h> for MAXHOSTNAMELEN. 1146 11472006-09-25 Love Hörnquist Åstrand <lha@it.su.se> 1148 1149 * krb5/arcfour.c: Add wrap support, interrop with itself but not 1150 w2k3s-sp1 1151 1152 * krb5/gsskrb5_locl.h: move the arcfour specific stuff to the 1153 arcfour header. 1154 1155 * krb5/arcfour.c: Support DCE-style unwrap, tested with 1156 w2k3server-sp1. 1157 1158 * mech/gss_accept_sec_context.c (gss_accept_sec_context): if the 1159 token doesn't start with [APPLICATION 0] SEQUENCE, lets assume its 1160 a DCE-style kerberos 5 connection. XXX this needs to be made 1161 better in cause we get another GSS-API protocol violating 1162 protocol. It should be possible to detach the Kerberos DCE-style 1163 since it starts with a AP-REQ PDU, but that have to wait for now. 1164 11652006-09-22 Love Hörnquist Åstrand <lha@it.su.se> 1166 1167 * gssapi.h: Add GSS_C flags from 1168 draft-brezak-win2k-krb-rc4-hmac-04.txt. 1169 1170 * krb5/delete_sec_context.c: Free service_keyblock and fwd_data, 1171 indent. 1172 1173 * krb5/accept_sec_context.c: Merge of the acceptor part from the 1174 samba patch by Stefan Metzmacher and Andrew Bartlet. 1175 1176 * krb5/init_sec_context.c: Add GSS_C_DCE_STYLE. 1177 1178 * krb5/{init_sec_context.c,gsskrb5_locl.h}: merge most of the 1179 initiator part from the samba patch by Stefan Metzmacher and 1180 Andrew Bartlet (still missing DCE/RPC support) 1181 11822006-08-28 Love Hörnquist Åstrand <lha@it.su.se> 1183 1184 * gss.c (help): use sl_slc_help(). 1185 11862006-07-22 Love Hörnquist Åstrand <lha@it.su.se> 1187 1188 * gss-commands.in: rename command to supported-mechanisms 1189 1190 * Makefile.am: Make gss objects depend on the slc built 1191 gss-commands.h 1192 11932006-07-20 Love Hörnquist Åstrand <lha@it.su.se> 1194 1195 * gss-commands.in: add slc commands for gss 1196 1197 * krb5/gsskrb5_locl.h: Remove dup prototype of _gsskrb5_init() 1198 1199 * Makefile.am: Add test_cfx 1200 1201 * krb5/external.c: add GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X 1202 1203 * krb5/set_sec_context_option.c: catch 1204 GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X 1205 1206 * krb5/accept_sec_context.c: reimplement 1207 gsskrb5_register_acceptor_identity 1208 1209 * mech/gss_krb5.c: implement gsskrb5_register_acceptor_identity 1210 1211 * mech/gss_inquire_mechs_for_name.c: call _gss_load_mech 1212 1213 * mech/gss_inquire_cred.c (gss_inquire_cred): call _gss_load_mech 1214 1215 * mech/gss_mech_switch.c: Make _gss_load_mech() atomic and run 1216 only once, this have the side effect that _gss_mechs and 1217 _gss_mech_oids is only initialized once, so if just the users of 1218 these two global variables calls _gss_load_mech() first, it will 1219 act as a barrier and make sure the variables are never changed and 1220 we don't need to lock them. 1221 1222 * mech/utils.h: no need to mark functions extern. 1223 1224 * mech/name.h: no need to mark _gss_find_mn extern. 1225 12262006-07-19 Love Hörnquist Åstrand <lha@it.su.se> 1227 1228 * krb5/cfx.c: Redo the wrap length calculations. 1229 1230 * krb5/test_cfx.c: test max_wrap_size in cfx.c 1231 1232 * mech/gss_display_status.c: Handle more error codes. 1233 12342006-07-07 Love Hörnquist Åstrand <lha@it.su.se> 1235 1236 * mech/mech_locl.h: Include <krb5-types.h> and "mechqueue.h" 1237 1238 * mech/mechqueue.h: Add SLIST macros. 1239 1240 * krb5/inquire_context.c: Don't free return values on success. 1241 1242 * krb5/inquire_cred.c (_gsskrb5_inquire_cred): When cred provided 1243 is the default cred, acquire the acceptor cred and initator cred 1244 in two diffrent steps and then query them for the information, 1245 this way, the code wont fail if there are no keytab, but there is 1246 a credential cache. 1247 1248 * mech/gss_inquire_cred.c: move the check if we found any cred 1249 where it matter for both cases 1250 (default cred and provided cred) 1251 1252 * mech/gss_init_sec_context.c: If the desired mechanism can't 1253 convert the name to a MN, fail with GSS_S_BAD_NAME rather then a 1254 NULL de-reference. 1255 12562006-07-06 Love Hörnquist Åstrand <lha@it.su.se> 1257 1258 * spnego/external.c: readd gss_spnego_inquire_names_for_mech 1259 1260 * spnego/spnego_locl.h: reimplement 1261 gss_spnego_inquire_names_for_mech add support function 1262 _gss_spnego_supported_mechs 1263 1264 * spnego/context_stubs.h: reimplement 1265 gss_spnego_inquire_names_for_mech add support function 1266 _gss_spnego_supported_mechs 1267 1268 * spnego/context_stubs.c: drop gss_spnego_indicate_mechs 1269 1270 * mech/gss_indicate_mechs.c: if the underlaying mech doesn't 1271 support gss_indicate_mechs, use the oid in the mechswitch 1272 structure 1273 1274 * spnego/external.c: let the mech glue layer implement 1275 gss_indicate_mechs 1276 1277 * spnego/cred_stubs.c (gss_spnego_acquire_cred): don't care about 1278 desired_mechs, get our own list with indicate_mechs and remove 1279 ourself. 1280 12812006-07-05 Love Hörnquist Åstrand <lha@it.su.se> 1282 1283 * spnego/external.c: remove gss_spnego_inquire_names_for_mech, let 1284 the mechglue layer implement it 1285 1286 * spnego/context_stubs.c: remove gss_spnego_inquire_names_for_mech, let 1287 the mechglue layer implement it 1288 1289 * spnego/spnego_locl.c: remove gss_spnego_inquire_names_for_mech, let 1290 the mechglue layer implement it 1291 12922006-07-01 Love Hörnquist Åstrand <lha@it.su.se> 1293 1294 * mech/gss_set_cred_option.c: fix argument to gss_release_cred 1295 12962006-06-30 Love Hörnquist Åstrand <lha@it.su.se> 1297 1298 * krb5/init_sec_context.c: Make work on compilers that are 1299 somewhat more picky then gcc4 (like gcc2.95) 1300 1301 * krb5/init_sec_context.c (do_delegation): use KDCOptions2int to 1302 convert fwd_flags to an integer, since otherwise int2KDCOptions in 1303 krb5_get_forwarded_creds wont do the right thing. 1304 1305 * mech/gss_set_cred_option.c (gss_set_cred_option): free memory on 1306 failure 1307 1308 * krb5/set_sec_context_option.c (_gsskrb5_set_sec_context_option): 1309 init global kerberos context 1310 1311 * krb5/set_cred_option.c (_gsskrb5_set_cred_option): init global 1312 kerberos context 1313 1314 * mech/gss_accept_sec_context.c: Insert the delegated sub cred on 1315 the delegated cred handle, not cred handle 1316 1317 * mech/gss_accept_sec_context.c (gss_accept_sec_context): handle 1318 the case where ret_flags == NULL 1319 1320 * mech/gss_mech_switch.c (add_builtin): set 1321 _gss_mech_switch->gm_mech_oid 1322 1323 * mech/gss_set_cred_option.c (gss_set_cred_option): laod mechs 1324 1325 * test_cred.c (gss_print_errors): don't try to print error when 1326 gss_display_status failed 1327 1328 * Makefile.am: Add mech/gss_release_oid.c 1329 1330 * mech/gss_release_oid.c: Add gss_release_oid, reverse of 1331 gss_duplicate_oid 1332 1333 * spnego/compat.c: preferred_mech_type was allocated with 1334 gss_duplicate_oid in one place and assigned static varianbles a 1335 the second place. change that static assignement to 1336 gss_duplicate_oid and bring back gss_release_oid. 1337 1338 * spnego/compat.c (_gss_spnego_delete_sec_context): don't release 1339 preferred_mech_type and negotiated_mech_type, they where never 1340 allocated from the begining. 1341 13422006-06-29 Love Hörnquist Åstrand <lha@it.su.se> 1343 1344 * mech/gss_import_name.c (gss_import_name): avoid 1345 type-punned/strict aliasing rules 1346 1347 * mech/gss_add_cred.c: avoid type-punned/strict aliasing rules 1348 1349 * gssapi.h: Make gss_name_t an opaque type. 1350 1351 * krb5: make gss_name_t an opaque type 1352 1353 * krb5/set_cred_option.c: Add 1354 1355 * mech/gss_set_cred_option.c (gss_set_cred_option): support the 1356 case where *cred_handle == NULL 1357 1358 * mech/gss_krb5.c (gss_krb5_import_cred): make sure cred is 1359 GSS_C_NO_CREDENTIAL on failure. 1360 1361 * mech/gss_acquire_cred.c (gss_acquire_cred): if desired_mechs is 1362 NO_OID_SET, there is a need to load the mechs, so always do that. 1363 13642006-06-28 Love Hörnquist Åstrand <lha@it.su.se> 1365 1366 * krb5/inquire_cred_by_oid.c: Reimplement GSS_KRB5_COPY_CCACHE_X 1367 to instead pass a fullname to the credential, then resolve and 1368 copy out the content, and then close the cred. 1369 1370 * mech/gss_krb5.c: Reimplement GSS_KRB5_COPY_CCACHE_X to instead 1371 pass a fullname to the credential, then resolve and copy out the 1372 content, and then close the cred. 1373 1374 * krb5/inquire_cred_by_oid.c: make "work", GSS_KRB5_COPY_CCACHE_X 1375 interface needs to be re-done, currently its utterly broken. 1376 1377 * mech/gss_set_cred_option.c: Make work. 1378 1379 * krb5/external.c: Add _gsskrb5_set_{sec_context,cred}_option 1380 1381 * mech/gss_krb5.c (gss_krb5_import_cred): implement 1382 1383 * Makefile.am: Add gss_set_{sec_context,cred}_option and sort 1384 1385 * mech/gss_set_{sec_context,cred}_option.c: add 1386 1387 * gssapi.h: Add GSS_KRB5_IMPORT_CRED_X 1388 1389 * test_*.c: make compile again 1390 1391 * Makefile.am: Add lib dependencies and test programs 1392 1393 * spnego: remove dependency on libkrb5 1394 1395 * mech: Bug fixes, cleanup, compiler warnings, restructure code. 1396 1397 * spnego: Rename gss_context_id_t and gss_cred_id_t to local names 1398 1399 * krb5: repro copy the krb5 files here 1400 1401 * mech: import Doug Rabson mechglue from freebsd 1402 1403 * spnego: Import Luke Howard's SPNEGO from the mechglue branch 1404 14052006-06-22 Love Hörnquist Åstrand <lha@it.su.se> 1406 1407 * gssapi.h: Add oid_to_str. 1408 1409 * Makefile.am: add oid_to_str and test_oid 1410 1411 * oid_to_str.c: Add gss_oid_to_str 1412 1413 * test_oid.c: Add test for gss_oid_to_str() 1414 14152006-05-13 Love Hörnquist Åstrand <lha@it.su.se> 1416 1417 * verify_mic.c: Less pointer signedness warnings. 1418 1419 * unwrap.c: Less pointer signedness warnings. 1420 1421 * arcfour.c: Less pointer signedness warnings. 1422 1423 * gssapi_locl.h: Use const void * to instead of unsigned char * to 1424 avoid pointer signedness warnings. 1425 1426 * encapsulate.c: Use const void * to instead of unsigned char * to 1427 avoid pointer signedness warnings. 1428 1429 * decapsulate.c: Use const void * to instead of unsigned char * to 1430 avoid pointer signedness warnings. 1431 1432 * decapsulate.c: Less pointer signedness warnings. 1433 1434 * cfx.c: Less pointer signedness warnings. 1435 1436 * init_sec_context.c: Less pointer signedness warnings (partly by 1437 using the new asn.1 CHOICE decoder) 1438 1439 * import_sec_context.c: Less pointer signedness warnings. 1440 14412006-05-09 Love Hörnquist Åstrand <lha@it.su.se> 1442 1443 * accept_sec_context.c (gsskrb5_is_cfx): always set is_cfx. From 1444 Andrew Abartlet. 1445 14462006-05-08 Love Hörnquist Åstrand <lha@it.su.se> 1447 1448 * get_mic.c (mic_des3): make sure message_buffer doesn't point to 1449 free()ed memory on failure. Pointed out by IBM checker. 1450 14512006-05-05 Love Hörnquist Åstrand <lha@it.su.se> 1452 1453 * Rename u_intXX_t to uintXX_t 1454 14552006-05-04 Love Hörnquist Åstrand <lha@it.su.se> 1456 1457 * cfx.c: Less pointer signedness warnings. 1458 1459 * arcfour.c: Avoid pointer signedness warnings. 1460 1461 * gssapi_locl.h (gssapi_decode_*): make data argument const void * 1462 1463 * 8003.c (gssapi_decode_*): make data argument const void * 1464 14652006-04-12 Love Hörnquist Åstrand <lha@it.su.se> 1466 1467 * export_sec_context.c: Export sequence order element. From Wynn 1468 Wilkes <wynn.wilkes@quest.com>. 1469 1470 * import_sec_context.c: Import sequence order element. From Wynn 1471 Wilkes <wynn.wilkes@quest.com>. 1472 1473 * sequence.c (_gssapi_msg_order_import,_gssapi_msg_order_export): 1474 New functions, used by {import,export}_sec_context. From Wynn 1475 Wilkes <wynn.wilkes@quest.com>. 1476 1477 * test_sequence.c: Add test for import/export sequence. 1478 14792006-04-09 Love Hörnquist Åstrand <lha@it.su.se> 1480 1481 * add_cred.c: Check that cred != GSS_C_NO_CREDENTIAL, this is a 1482 standard conformance failure, but much better then a crash. 1483 14842006-04-02 Love Hörnquist Åstrand <lha@it.su.se> 1485 1486 * get_mic.c (get_mic*)_: make sure message_token is cleaned on 1487 error, found by IBM checker. 1488 1489 * wrap.c (wrap*): Reset output_buffer on error, found by IBM 1490 checker. 1491 14922006-02-15 Love Hörnquist Åstrand <lha@it.su.se> 1493 1494 * import_name.c: Accept both GSS_C_NT_HOSTBASED_SERVICE and 1495 GSS_C_NT_HOSTBASED_SERVICE_X as nametype for hostbased names. 1496 14972006-01-16 Love Hörnquist Åstrand <lha@it.su.se> 1498 1499 * delete_sec_context.c (gss_delete_sec_context): if the context 1500 handle is GSS_C_NO_CONTEXT, don't fall over. 1501 15022005-12-12 Love Hörnquist Åstrand <lha@it.su.se> 1503 1504 * gss_acquire_cred.3: Replace gss_krb5_import_ccache with 1505 gss_krb5_import_cred and add more references 1506 15072005-12-05 Love Hörnquist Åstrand <lha@it.su.se> 1508 1509 * gssapi.h: Change gss_krb5_import_ccache to gss_krb5_import_cred, 1510 it can handle keytabs too. 1511 1512 * add_cred.c (gss_add_cred): avoid deadlock 1513 1514 * context_time.c (gssapi_lifetime_left): define the 0 lifetime as 1515 GSS_C_INDEFINITE. 1516 15172005-12-01 Love Hörnquist Åstrand <lha@it.su.se> 1518 1519 * acquire_cred.c (acquire_acceptor_cred): only check if principal 1520 exists if we got called with principal as an argument. 1521 1522 * acquire_cred.c (acquire_acceptor_cred): check that the acceptor 1523 exists in the keytab before returning ok. 1524 15252005-11-29 Love Hörnquist Åstrand <lha@it.su.se> 1526 1527 * copy_ccache.c (gss_krb5_import_cred): fix buglet, from Andrew 1528 Bartlett. 1529 15302005-11-25 Love Hörnquist Åstrand <lha@it.su.se> 1531 1532 * test_kcred.c: Rename gss_krb5_import_ccache to 1533 gss_krb5_import_cred. 1534 1535 * copy_ccache.c: Rename gss_krb5_import_ccache to 1536 gss_krb5_import_cred and let it grow code to handle keytabs too. 1537 15382005-11-02 Love Hörnquist Åstrand <lha@it.su.se> 1539 1540 * init_sec_context.c: Change sematics of ok-as-delegate to match 1541 windows if 1542 [gssapi]realm/ok-as-delegate=true is set, otherwise keep old 1543 sematics. 1544 1545 * release_cred.c (gss_release_cred): use 1546 GSS_CF_DESTROY_CRED_ON_RELEASE to decide if the cache should be 1547 krb5_cc_destroy-ed 1548 1549 * acquire_cred.c (acquire_initiator_cred): 1550 GSS_CF_DESTROY_CRED_ON_RELEASE on created credentials. 1551 1552 * accept_sec_context.c (gsskrb5_accept_delegated_token): rewrite 1553 to use gss_krb5_import_ccache 1554 15552005-11-01 Love Hörnquist Åstrand <lha@it.su.se> 1556 1557 * arcfour.c: Remove signedness warnings. 1558 15592005-10-31 Love Hörnquist Åstrand <lha@it.su.se> 1560 1561 * gss_acquire_cred.3: Document that gss_krb5_import_ccache is copy 1562 by reference. 1563 1564 * copy_ccache.c (gss_krb5_import_ccache): Instead of making a copy 1565 of the ccache, make a reference by getting the name and resolving 1566 the name. This way the cache is shared, this flipp side is of 1567 course that if someone calls krb5_cc_destroy the cache is lost for 1568 everyone. 1569 1570 * test_kcred.c: Remove memory leaks. 1571 15722005-10-26 Love Hörnquist Åstrand <lha@it.su.se> 1573 1574 * Makefile.am: build test_kcred 1575 1576 * gss_acquire_cred.3: Document gss_krb5_import_ccache 1577 1578 * gssapi.3: Sort and add gss_krb5_import_ccache. 1579 1580 * acquire_cred.c (_gssapi_krb5_ccache_lifetime): break out code 1581 used to extract lifetime from a credential cache 1582 1583 * gssapi_locl.h: Add _gssapi_krb5_ccache_lifetime, used to extract 1584 lifetime from a credential cache. 1585 1586 * gssapi.h: add gss_krb5_import_ccache, reverse of 1587 gss_krb5_copy_ccache 1588 1589 * copy_ccache.c: add gss_krb5_import_ccache, reverse of 1590 gss_krb5_copy_ccache 1591 1592 * test_kcred.c: test gss_krb5_import_ccache 1593 15942005-10-21 Love Hörnquist Åstrand <lha@it.su.se> 1595 1596 * acquire_cred.c (acquire_initiator_cred): use krb5_cc_cache_match 1597 to find a matching creditial cache, if that failes, fallback to 1598 the default cache. 1599 16002005-10-12 Love Hörnquist Åstrand <lha@it.su.se> 1601 1602 * gssapi_locl.h: Add gssapi_krb5_set_status and 1603 gssapi_krb5_clear_status 1604 1605 * init_sec_context.c (spnego_reply): Don't pass back raw Kerberos 1606 errors, use GSS-API errors instead. From Michael B Allen. 1607 1608 * display_status.c: Add gssapi_krb5_clear_status, 1609 gssapi_krb5_set_status for handling error messages. 1610 16112005-08-23 Love Hörnquist Åstrand <lha@it.su.se> 1612 1613 * external.c: Use rk_UNCONST to avoid const warning. 1614 1615 * display_status.c: Constify strings to avoid warnings. 1616 16172005-08-11 Love Hörnquist Åstrand <lha@it.su.se> 1618 1619 * init_sec_context.c: avoid warnings, update (c) 1620 16212005-07-13 Love Hörnquist Åstrand <lha@it.su.se> 1622 1623 * init_sec_context.c (spnego_initial): use NegotiationToken 1624 encoder now that we have one with the new asn1. compiler. 1625 1626 * Makefile.am: the new asn.1 compiler includes the modules name in 1627 the depend file 1628 16292005-06-16 Love Hörnquist Åstrand <lha@it.su.se> 1630 1631 * decapsulate.c: use rk_UNCONST 1632 1633 * ccache_name.c: rename to avoid shadowing 1634 1635 * gssapi_locl.h: give kret in GSSAPI_KRB5_INIT a more unique name 1636 1637 * process_context_token.c: use rk_UNCONST to unconstify 1638 1639 * test_cred.c: rename optind to optidx 1640 16412005-05-30 Love Hörnquist Åstrand <lha@it.su.se> 1642 1643 * init_sec_context.c (init_auth): honor ok-as-delegate if local 1644 configuration approves 1645 1646 * gssapi_locl.h: prototype for _gss_check_compat 1647 1648 * compat.c: export check_compat as _gss_check_compat 1649 16502005-05-29 Love Hörnquist Åstrand <lha@it.su.se> 1651 1652 * init_sec_context.c: Prefix Der_class with ASN1_C_ to avoid 1653 problems with system headerfiles that pollute the name space. 1654 1655 * accept_sec_context.c: Prefix Der_class with ASN1_C_ to avoid 1656 problems with system headerfiles that pollute the name space. 1657 16582005-05-17 Love Hörnquist Åstrand <lha@it.su.se> 1659 1660 * init_sec_context.c (init_auth): set 1661 KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED (for java compatibility), 1662 also while here, use krb5_auth_con_addflags 1663 16642005-05-06 Love Hörnquist Åstrand <lha@it.su.se> 1665 1666 * arcfour.c (_…
Large files files are truncated, but you can click here to view the full file