2008-08-14  Love Hornquist Astrand  <lha@10a140laptop.local>

	* krb5/accept_sec_context.c: If there is an initiator subkey, copy
	that to acceptor subkey to match windows behavior. From Metze.

2008-08-02  Love Hörnquist Åstrand  <lha@h5l.org>

	* ntlm/init_sec_context.c: Catch error

	* krb5/inquire_sec_context_by_oid.c: Catch store failure.

	* mech/gss_canonicalize_name.c: Not init m, return never
	used (overwritten later).

2008-07-25  Love Hörnquist Åstrand  <lha@kth.se>

	* ntlm/init_sec_context.c: Use krb5_cc_get_config.

2008-07-25  Love Hörnquist Åstrand  <lha@kth.se>

	* krb5/init_sec_context.c: Match the original patch I got from
	metze, seems that DCE-STYLE is even weirder than what I thought
	when I merged the patch.

2008-06-02  Love Hörnquist Åstrand  <lha@kth.se>

	* krb5/init_sec_context.c: Don't add asn1 wrapping to token when
	using DCE_STYLE. Patch from Stefan Metzmacher.

2008-05-27  Love Hörnquist Åstrand  <lha@kth.se>

	* ntlm/init_sec_context.c: use krb5_get_error_message

2008-05-05  Love Hörnquist Åstrand  <lha@kth.se>

	* spnego/spnego_locl.h: Add back "mech/utils.h", it's needed for
	oid/buffer functions.

2008-05-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* spnego: Changes from Doug Barton to make spnego independent of
	the heimdal version of the plugin system.

2008-04-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5: use DES_set_key_unchecked()

2008-04-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* add __declspec() for windows.

2008-04-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/import_sec_context.c: Use tmp to read ac->flags value to
	avoid warning.

2008-04-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech/gss_mech_switch.c: Use unsigned where appropriate.

2008-03-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_context.c: Add test for gsskrb5_register_acceptor_identity.

2008-03-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/init_sec_context.c (init_auth): use right variable to
	detect if we want to free or not.

2008-02-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: add missing \

	* Makefile.am: reshuffle dependencies

	* Add flag to krb5 to not add GSS-API INT|CONF to the negotiation

2008-02-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* make the SPNEGO mech store the error itself instead, works for
	everything except other stackable mechs

2008-02-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* spnego/init_sec_context.c (spnego_reply): if the reply token was
	of length 0, make it the same as no token. Pointed out by Zeqing
	Xia.

	* krb5/acquire_cred.c (acquire_initiator_cred): handle the
	credential cache better, use destroy/close when appropriate and for
	all cases. Thanks to Michael Allen for pointing out the memory-leak
	that I also fixed.

2008-02-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* spnego/accept_sec_context.c: Make error reporting somewhat more
	correct for SPNEGO.

2008-01-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_common.c: Improve the error message.

2008-01-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/accept_sec_context.c: Avoid free-ing type1 message before
	it's allocated.

2008-01-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_ntlm.c: Test source name (and make the acceptor in ntlm gss
	mech useful).

2007-12-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/init_sec_context.c: Don't confuse target name and source
	name, make regression tests pass again.

2007-12-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm: clean up name handling

2007-12-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/init_sec_context.c: Use credential if it was passed in.

	* ntlm/acquire_cred.c: Check if there is initial creds with
	_gss_ntlm_get_user_cred().

	* ntlm/init_sec_context.c: Add _gss_ntlm_get_user_info() that
	returns the user info so it can be used by external modules.

	* ntlm/inquire_cred.c: use the right error code.

	* ntlm/inquire_cred.c: Return GSS_C_NO_CREDENTIAL if there is no
	credential, ntlm has (not yet) a default credential.

	* mech/gss_release_oid_set.c: Avoid trying to deref NULL, from
	Phil Fisher.

2007-12-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_acquire_cred.c: Always try to fetch cred (even with
	GSS_C_NO_NAME).

2007-08-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech/gss_krb5.c: Readd gss_krb5_get_tkt_flags.

2007-08-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* spnego/compat.c (_gss_spnego_internal_delete_sec_context):
	release ctx->target_name too. From Rafal Malinowski.

2007-07-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech/gss_mech_switch.c: Don't try to do dlopen if system doesn't
	have dlopen. From Rune of Chalmers.

2007-07-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech/gss_duplicate_name.c: New signature of _gss_find_mn.

	* mech/gss_init_sec_context.c: New signature of _gss_find_mn.

	* mech/gss_acquire_cred.c: New signature of _gss_find_mn.

	* mech/name.h: New signature of _gss_find_mn.

	* mech/gss_canonicalize_name.c: New signature of _gss_find_mn.

	* mech/gss_compare_name.c: New signature of _gss_find_mn.

	* mech/gss_add_cred.c: New signature of _gss_find_mn.

	* mech/gss_names.c (_gss_find_mn): Return an error code for
	caller.

	* spnego/accept_sec_context.c: remove checks that are done by the
	previous function.

	* Makefile.am: New library version.

2007-07-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech/gss_oid_to_str.c: Refuse to print GSS_C_NULL_OID, from
	Rafal Malinowski.

	* spnego/spnego.asn1: Indent and make NegTokenInit and
	NegTokenResp extendable.

2007-06-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/inquire_cred.c: Implement _gss_ntlm_inquire_cred.

	* mech/gss_display_status.c: Provide message for GSS_S_COMPLETE.

	* mech/context.c: If the canned string is "", it's no use to the
	user, make it fall back to the default error string.

2007-06-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech/gss_display_name.c (gss_display_name): no name ->
	fail. From Rafal Malinowski.

	* spnego/accept_sec_context.c: Wrap name in a spnego_name instead
	of just a copy of the underlying object. From Rafal Malinowski.

	* spnego/accept_sec_context.c: Handle underlying mech not
	returning mn.

	* mech/gss_accept_sec_context.c: Handle underlying mech not
	returning mn.

	* spnego/accept_sec_context.c: Make sure src_name is always set to
	GSS_C_NO_NAME when returning.

	* krb5/acquire_cred.c (acquire_acceptor_cred): don't claim
	everything is well on failure. From Phil Fisher.

	* mech/gss_duplicate_name.c: catch error (and ignore it)

	* ntlm/init_sec_context.c: Use heim_ntlm_calculate_ntlm2_sess.

	* mech/gss_accept_sec_context.c: Only wrap the delegated cred if
	we got a delegated mech cred. From Rafal Malinowski.

	* spnego/accept_sec_context.c: Only wrap the delegated cred if we
	are going to return it to the consumer. From Rafal Malinowski.

	* spnego/accept_sec_context.c: Fixed memory leak pointed out by
	Rafal Malinowski, also while here moved to use NegotiationToken
	for decoding.

2007-06-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/prf.c (_gsskrb5_pseudo_random): add missing break.

	* krb5/release_name.c: Set *minor_status unconditionally, it's
	done later anyway.

	* spnego/accept_sec_context.c: Init get_mic to 0.

	* mech/gss_set_cred_option.c: Free memory in failure case, found
	by beam.

	* mech/gss_inquire_context.c: Handle mech_type being NULL.

	* mech/gss_inquire_cred_by_mech.c: Handle cred_name being NULL.

	* mech/gss_krb5.c: Free memory in error case, found by beam.

2007-06-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/inquire_context.c: Use ctx->gssflags for flags.

	* krb5/display_name.c: Use KRB5_PRINCIPAL_UNPARSE_DISPLAY, this is
	not meant for machine consumption.

2007-06-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/digest.c (kdc_alloc): free memory on failure, pointed out
	by Rafal Malinowski.

	* ntlm/digest.c (kdc_destroy): free context when done, pointed out
	by Rafal Malinowski.

	* spnego/context_stubs.c (_gss_spnego_display_name): if input_name
	is null, fail. From Rafal Malinowski.

2007-06-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/digest.c: Free memory when done.

2007-06-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_ntlm.c: Test both with and without keyex.

	* ntlm/digest.c: If we didn't set session key, don't expect one
	back.

	* test_ntlm.c: Set keyex flag and calculate session key.

2007-05-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* spnego/accept_sec_context.c: Use the return value before it is
	overwritten by later calls. From Rafal Malinowski

	* krb5/release_cred.c: Give a minor_status argument to
	gss_release_oid_set. From Rafal Malinowski

2007-05-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/accept_sec_context.c: Catch errors and return them up the
	stack.

	* test_kcred.c: more testing of lifetimes

2007-05-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Drop the gss oid_set function for the krb5 mech,
	use the mech glue versions instead. Pointed out by Rafal
	Malinowski.

	* krb5: Use gss oid_set functions from mechglue

2007-05-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/accept_sec_context.c: Set session key only if we are
	returned a session key. Found by David Love.

2007-05-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/prf.c: switched MIN to min to make compile on solaris,
	pointed out by David Love.

2007-05-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/inquire_cred_by_mech.c: Fill in all of the variables if
	they are passed in. Pointed out by Phil Fisher.

2007-05-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/inquire_cred.c: Fix copy and paste error, bug spotted by
	Phil Fisher.

	* mech: don't keep track of gc_usage, just figure it out at
	gss_inquire_cred() time

	* mech/gss_mech_switch.c (add_builtin): ok for
	__gss_mech_initialize() to return NULL

	* test_kcred.c: more correct tests

	* spnego/cred_stubs.c (gss_inquire_cred*): wrap the name with a
	spnego_name.

	* ntlm/inquire_cred.c: make ntlm gss_inquire_cred fail for now,
	need to find default cred and friends.

	* krb5/inquire_cred_by_mech.c: reimplement

2007-05-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/acquire_cred.c: drop unused variable.

	* ntlm/acquire_cred.c: Reimplement.

	* Makefile.am: add ntlm/digest.c

	* ntlm: split out backend ntlm server processing

2007-04-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/delete_sec_context.c (_gss_ntlm_delete_sec_context): free
	credcache when done

2007-04-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/init_sec_context.c: ntlm-key credential entry is prefixed with @

	* ntlm/init_sec_context.c (get_user_ccache): pick up the ntlm
	creds from the krb5 credential cache.

2007-04-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/delete_sec_context.c: free the key stored in the context

	* ntlm/ntlm.h: switch password for a key

	* test_oid.c: Switch oid to one that is exported.

2007-04-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/init_sec_context.c: move where hash is calculated to make
	it easier to add ccache support.

	* Makefile.am: Add version-script.map to EXTRA_DIST.

2007-04-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Unconfuse newer versions of automake that don't
	know the difference between dependencies and setting variables. foo:
	vs foo=.

	* test_ntlm.c: delete sec context when done.

	* version-script.map: export more symbols.

	* Makefile.am: add version script if ld supports it

	* version-script.map: add version script if ld supports it

2007-04-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: test_acquire_cred needs test_common.[ch]

	* test_acquire_cred.c: add more test options.

	* krb5/external.c: add GSS_KRB5_CCACHE_NAME_X

	* gssapi/gssapi_krb5.h: add GSS_KRB5_CCACHE_NAME_X

	* krb5/set_sec_context_option.c: refactor code, implement
	GSS_KRB5_CCACHE_NAME_X

	* mech/gss_krb5.c: reimplement gss_krb5_ccache_name

2007-04-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* spnego/cred_stubs.c: Need to import spnego name before we can
	use it as a gss_name_t.

	* test_acquire_cred.c: use this test as part of the regression
	suite.

	* mech/gss_acquire_cred.c (gss_acquire_cred): don't init
	cred->gc_mc every time in the loop.

2007-04-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: add test_common.h

2007-02-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: Add link for
	gsskrb5_register_acceptor_identity.

2007-02-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/copy_ccache.c: Try to leak less memory in the failure case.

2007-01-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech/gss_display_status.c: Use right printf formatter.

	* test_*.[ch]: split out the error printing function and try to
	return better errors

2007-01-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/init_sec_context.c: revert 1.75: (init_auth): only turn on
	GSS_C_CONF_FLAG and GSS_C_INT_FLAG if the caller requested it.

	This is because Kerberos always supports INT|CONF, matches behavior
	with MS and MIT. This creates problems for the GSS-SPNEGO mech.

2007-01-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/prf.c: constrain desired_output_len

	* krb5/external.c (krb5_mech): add _gsskrb5_pseudo_random

	* mech/gss_pseudo_random.c: Catch error from underlying mech on
	failure.

	* Makefile.am: Add krb5/prf.c

	* krb5/prf.c: gss_pseudo_random for krb5

	* test_context.c: Checks for gss_pseudo_random.

	* krb5/gkrb5_err.et: add KG_INPUT_TOO_LONG

	* Makefile.am: Add mech/gss_pseudo_random.c

	* gssapi/gssapi.h: try to load pseudo_random

	* mech/gss_mech_switch.c: try to load pseudo_random

	* mech/gss_pseudo_random.c: Add gss_pseudo_random.

	* gssapi_mech.h: Add hook for gm_pseudo_random.

2007-01-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_context.c: Don't assume buffer from gss_display_status is
	ok.

	* mech/gss_wrap_size_limit.c: Reset out variables.

	* mech/gss_wrap.c: Reset out variables.

	* mech/gss_verify_mic.c: Reset out variables.

	* mech/gss_utils.c: Reset out variables.

	* mech/gss_release_oid_set.c: Reset out variables.

	* mech/gss_release_cred.c: Reset out variables.

	* mech/gss_release_buffer.c: Reset variables.

	* mech/gss_oid_to_str.c: Reset out variables.

	* mech/gss_inquire_sec_context_by_oid.c: Fix reset out variables.

	* mech/gss_mech_switch.c: Reset out variables.

	* mech/gss_inquire_sec_context_by_oid.c: Reset out variables.

	* mech/gss_inquire_names_for_mech.c: Reset out variables.

	* mech/gss_inquire_cred_by_oid.c: Reset out variables.

	* mech/gss_inquire_cred_by_oid.c: Reset out variables.

	* mech/gss_inquire_cred_by_mech.c: Reset out variables.

	* mech/gss_inquire_cred.c: Reset out variables, fix memory leak.

	* mech/gss_inquire_context.c: Reset out variables.

	* mech/gss_init_sec_context.c: Zero out outbuffer on failure.

	* mech/gss_import_name.c: Reset out variables.

	* mech/gss_import_name.c: Reset out variables.

	* mech/gss_get_mic.c: Reset out variables.

	* mech/gss_export_name.c: Reset out variables.

	* mech/gss_encapsulate_token.c: Reset out variables.

	* mech/gss_duplicate_oid.c: Reset out variables.

	* mech/gss_duplicate_oid.c: Reset out variables.

	* mech/gss_duplicate_name.c: Reset out variables.

	* mech/gss_display_status.c: Reset out variables.

	* mech/gss_display_name.c: Reset out variables.

	* mech/gss_delete_sec_context.c: Reset out variables using proper
	macros.

	* mech/gss_decapsulate_token.c: Reset out variables using proper
	macros.

	* mech/gss_add_cred.c: Reset out variables.

	* mech/gss_acquire_cred.c: Reset out variables.

	* mech/gss_accept_sec_context.c: Reset out variables using proper
	macros.

	* mech/gss_init_sec_context.c: Reset out variables.

	* mech/mech_locl.h (_mg_buffer_zero): new macro that zaps a
	gss_buffer_t

2007-01-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech: sprinkle _gss_mg_error

	* mech/gss_display_status.c (gss_display_status): use
	_gss_mg_get_error to fetch the error from underlying mech, if it
	fails, let do the regular dance for GSS-CODE version and a
	generic print-the-error code for MECH-CODE.

	* mech/gss_oid_to_str.c: Don't include the NUL in the length of
	the string.

	* mech/context.h: Prototypes for _gss_mg_.

	* mech/context.c: Glue to catch the error from the lower gss-api
	layer and save that for later so gss_display_status() can show the
	error.

	* gss.c: Detect NTLM.

2007-01-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech/gss_accept_sec_context.c: spelling

2007-01-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Include build (private) prototypes header files.

	* Makefile.am (ntlmsrc): add ntlm/ntlm-private.h

2006-12-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/accept_sec_context.c: Pass signseal argument to
	_gss_ntlm_set_key.

	* ntlm/init_sec_context.c: Pass signseal argument to
	_gss_ntlm_set_key.

	* ntlm/crypto.c (_gss_ntlm_set_key): add signseal argument

	* test_ntlm.c: add ntlmv2 test

	* ntlm/ntlm.h: break out struct ntlmv2_key;

	* ntlm/crypto.c (_gss_ntlm_set_key): set ntlm v2 keys.

	* ntlm/accept_sec_context.c: Set dummy ntlmv2 keys and Check TI.

	* ntlm/ntlm.h: NTLMv2 keys.

	* ntlm/crypto.c: NTLMv2 sign and verify.

2006-12-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/accept_sec_context.c: Don't send targetinfo now.

	* ntlm/init_sec_context.c: Build ntlmv2 answer buffer.

	* ntlm/init_sec_context.c: Leak less memory.

	* ntlm/init_sec_context.c: Announce that we support key exchange.

	* ntlm/init_sec_context.c: Add NTLM_NEG_NTLM2_SESSION, NTLMv2
	session security (disabled because missing sign and seal).

2006-12-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/accept_sec_context.c: split RC4 send and recv keystreams

	* ntlm/init_sec_context.c: split RC4 send and recv keystreams

	* ntlm/ntlm.h: split RC4 send and recv keystreams

	* ntlm/crypto.c: Implement SEAL.

	* ntlm/crypto.c: move gss_wrap/gss_unwrap here

	* test_context.c: request INT and CONF from the gss layer, test
	get and verify MIC.

	* ntlm/ntlm.h: add crypto bits.

	* ntlm/accept_sec_context.c: Save session master key.

	* Makefile.am: Move get and verify mic to the same file (crypto.c)
	since they share code.

	* ntlm/crypto.c: Move get and verify mic to the same file since
	they share code, implement NTLM v1 and dummy signatures.

	* ntlm/init_sec_context.c: pass on GSS_C_CONF_FLAG and
	GSS_C_INTEG_FLAG, save the session master key

	* spnego/accept_sec_context.c: try using gss_accept_sec_context()
	on the opportunistic token instead of guessing the acceptor name
	and do gss_acquire_cred, this makes SPNEGO work like before.

2006-12-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/init_sec_context.c: Calculate the NTLM version 1 "master"
	key.

	* spnego/accept_sec_context.c: Resurrect negHints for the acceptor
	sends first packet.

	* Makefile.am: Add "windows" versions of the NegTokenInitWin and
	friends.

	* test_context.c: add --wrapunwrap flag

	* spnego/compat.c: move _gss_spnego_indicate_mechtypelist() to
	compat.c, use the sequence types of MechTypeList, make
	add_mech_type() static.

	* spnego/accept_sec_context.c: move
	_gss_spnego_indicate_mechtypelist() to compat.c

	* Makefile.am: Generate sequence code for MechTypeList

	* spnego: check that the generated acceptor mechlist is acceptable too

	* spnego/init_sec_context.c: Abstract out the initiator filter
	function, it will be needed for the acceptor too.

	* spnego/accept_sec_context.c: Abstract out the initiator filter
	function, it will be needed for the acceptor too. Remove negHints.

	* test_context.c: allow asserting return mech

	* ntlm/accept_sec_context.c: add _gss_ntlm_allocate_ctx

	* ntlm/acquire_cred.c: Check that the KDC seems to be there and
	answering us, we can't do better than that when checking if we will
	accept the credential.

	* ntlm/get_mic.c: return GSS_S_UNAVAILABLE

	* mech/utils.h: add _gss_free_oid, reverse of _gss_copy_oid

	* mech/gss_utils.c: add _gss_free_oid, reverse of _gss_copy_oid

	* spnego/spnego.asn1: It's very sad, but NegHints are not part
	of the NegTokenInit, this makes SPNEGO acceptor life a lot harder.

	* spnego: try harder to handle names better. handle missing
	acceptor and initiator creds better (i.e. don't propose/accept mech
	that there are no credentials for) split NegTokenInit and
	NegTokenResp in acceptor

2006-12-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/import_name.c: Allocate the buffer from the right length.

2006-12-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* ntlm/init_sec_context.c (init_sec_context): Tell the other side
	what domain we think we are talking to.

	* ntlm/delete_sec_context.c: free username and password

	* ntlm/release_name.c (_gss_ntlm_release_name): free name.

	* ntlm/import_name.c (_gss_ntlm_import_name): add support for
	GSS_C_NT_HOSTBASED_SERVICE names

	* ntlm/ntlm.h: Add ntlm_name.

	* test_context.c: allow testing of ntlm.

	* gssapi_mech.h: add __gss_ntlm_initialize

	* ntlm/accept_sec_context.c (handle_type3): verify that the kdc
	approved of the ntlm exchange too

	* mech/gss_mech_switch.c: Add the builtin ntlm mech

	* test_ntlm.c: NTLM test app.

	* mech/gss_accept_sec_context.c: Add detection of NTLMSSP.

	* gssapi/gssapi.h: add ntlm mech oid

	* ntlm/external.c: Switch OID to the ms ntlmssp oid

	* Makefile.am: Add ntlm gss-api module.

	* ntlm/accept_sec_context.c: Catch more errors.

	* ntlm/accept_sec_context.c: Check after a credential to use.

2006-12-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/set_sec_context_option.c (GSS_KRB5_SET_DEFAULT_REALM_X):
	don't fail on success. Bug report from Stefan Metzmacher.

2006-12-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/init_sec_context.c (init_auth): only turn on
	GSS_C_CONF_FLAG and GSS_C_INT_FLAG if the caller requested it.
	From Stefan Metzmacher.

2006-12-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am (libgssapi_la_OBJECTS): depends on gssapi_asn1.h
	spnego_asn1.h.

2006-11-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/acquire_cred.c: Make krb5_get_init_creds_opt_free take a
	context argument.

2006-11-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_context.c: Test that token keys are the same, return
	actual_mech.

2006-11-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* spnego/spnego_locl.h: Make bitfields unsigned, add maybe_open.

	* spnego/accept_sec_context.c: Use ASN.1 encoder functions to
	encode CHOICE structure now that we can handle it.

	* spnego/init_sec_context.c: Use ASN.1 encoder functions to encode
	CHOICE structure now that we can handle it.

	* spnego/accept_sec_context.c (_gss_spnego_accept_sec_context):
	send back an accept_completed when the security context is ->open,
	w/o this the client doesn't know that the server has completed
	the transaction.

	* test_context.c: Add delegate flag and check that the delegated
	cred works.

	* spnego/init_sec_context.c: Keep track of the opportunistic token
	in the initial message, it might be a complete gss-api context, in
	that case we'll get back accept_completed without any token. With
	this change, krb5 w/o mutual authentication works.

	* spnego/accept_sec_context.c: Use ASN.1 encoder functions to
	encode CHOICE structure now that we can handle it.

	* spnego/accept_sec_context.c: Filter out SPNEGO from the out
	supported mechs list and make sure we don't select that for the
	preferred mechanism.

2006-11-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech/gss_init_sec_context.c (_gss_mech_cred_find): break out the
	cred finding to its own function

	* krb5/wrap.c: Better error strings, from Andrew Bartlett.

2006-11-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_context.c: Create our own krb5_context.

	* krb5: Switch from using a specific error message context in the
	TLS to have a whole krb5_context in TLS. This has some
	interesting side-effects for the configuration setting options
	since they operate on per-thread basis now.

	* mech/gss_set_cred_option.c: When calling ->gm_set_cred_option
	and checking for success, use GSS_S_COMPLETE. From Andrew Bartlett.

2006-11-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: Help solaris make even more.

	* Makefile.am: Help solaris make.

2006-11-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: remove include $(srcdir)/Makefile-digest.am for now

	* mech/gss_accept_sec_context.c: Try better guessing what is mech
	we are going to select by looking harder at the input_token, idea
	from Luke Howard's mechglue branch.

	* Makefile.am: libgssapi_la_OBJECTS: add dependency on gkrb5_err.h

	* gssapi/gssapi_krb5.h: add GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X

	* mech/gss_krb5.c: implement gss_krb5_set_allowable_enctypes

	* gssapi/gssapi.h: GSS_KRB5_S_

	* krb5/gsskrb5_locl.h: Include <gkrb5_err.h>.

	* gssapi/gssapi_krb5.h: Add gss_krb5_set_allowable_enctypes.

	* Makefile.am: Build and install gkrb5_err.h

	* krb5/gkrb5_err.et: Move the GSS_KRB5_S error here.

2006-11-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech/gss_krb5.c: Add gsskrb5_set_default_realm.

	* krb5/set_sec_context_option.c: Support
	GSS_KRB5_SET_DEFAULT_REALM_X.

	* gssapi/gssapi_krb5.h: add GSS_KRB5_SET_DEFAULT_REALM_X

	* krb5/external.c: add GSS_KRB5_SET_DEFAULT_REALM_X

2006-11-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_context.c: rename krb5_[gs]et_time_wrap to
	krb5_[gs]et_max_time_skew

	* krb5/copy_ccache.c: _gsskrb5_extract_authz_data_from_sec_context
	no longer used, bye bye

	* mech/gss_krb5.c: No dependency of the krb5 gssapi mech.

	* mech/gss_krb5.c (gsskrb5_extract_authtime_from_sec_context): use
	_gsskrb5_decode_om_uint32. From Andrew Bartlett.

	* mech/gss_krb5.c: Add dummy gss_krb5_set_allowable_enctypes for
	now.

	* spnego/spnego_locl.h: Include <roken.h> for compatibility.

	* krb5/arcfour.c: Use IS_DCE_STYLE flag. There is no padding in
	DCE-STYLE, don't try to use to. From Andrew Bartlett.

	* test_context.c: test wrap/unwrap, add flag for dce-style and
	mutual auth, also support multi-roundtrip sessions

	* krb5/gsskrb5_locl.h: Add IS_DCE_STYLE macro.

	* krb5/accept_sec_context.c (gsskrb5_acceptor_start): use
	krb5_rd_req_ctx

	* mech/gss_krb5.c (gsskrb5_get_subkey): return the per message
	token subkey

	* krb5/inquire_sec_context_by_oid.c: check if there is any key at
	all

2006-11-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/inquire_sec_context_by_oid.c: Set more error strings, use
	right enum for acceptor subkey. From Andrew Bartlett.

2006-11-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_context.c: Test gsskrb5_extract_service_keyblock, needed in
	PAC validation. From Andrew Bartlett

	* mech/gss_krb5.c: Add gsskrb5_extract_authz_data_from_sec_context
	and keyblock extraction functions.

	* gssapi/gssapi_krb5.h: Add extraction of keyblock function, from
	Andrew Bartlett.

	* krb5/external.c: Add GSS_KRB5_GET_SERVICE_KEYBLOCK_X

2006-11-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_context.c: Rename various routines and constants from
	canonize to canonicalize. From Andrew Bartlett

	* mech/gss_krb5.c: Rename various routines and constants from
	canonize to canonicalize. From Andrew Bartlett

	* krb5/set_sec_context_option.c: Rename various routines and
	constants from canonize to canonicalize. From Andrew Bartlett

	* krb5/external.c: Rename various routines and constants from
	canonize to canonicalize. From Andrew Bartlett

	* gssapi/gssapi_krb5.h: Rename various routines and constants from
	canonize to canonicalize. From Andrew Bartlett

2006-10-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/accept_sec_context.c (gsskrb5_accept_delegated_token): need
	to free ccache

2006-10-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_context.c (loop): free target_name

	* mech/gss_accept_sec_context.c: SLIST_INIT the ->gc_mc'

	* mech/gss_acquire_cred.c: SLIST_INIT the ->gc_mc'

	* krb5/init_sec_context.c: Avoid leaking memory.

	* mech/gss_buffer_set.c (gss_release_buffer_set): don't leak the
	->elements memory.

	* test_context.c: make compile

	* krb5/cfx.c (_gssapi_verify_mic_cfx): always free crypto context.

	* krb5/set_cred_option.c (import_cred): free sp

2006-10-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech/gss_add_oid_set_member.c: Use old implementation of
	gss_add_oid_set_member, it leaks less memory.

	* krb5/test_cfx.c: free krb5_crypto.

	* krb5/test_cfx.c: free krb5_context

	* mech/gss_release_name.c (gss_release_name): free input_name
	itself.

2006-10-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_context.c: Call setprogname.

	* mech/gss_krb5.c: Add gsskrb5_extract_authtime_from_sec_context.

	* gssapi/gssapi_krb5.h: add
	gsskrb5_extract_authtime_from_sec_context

2006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/inquire_sec_context_by_oid.c: Add get_authtime.

	* krb5/external.c: add GSS_KRB5_GET_AUTHTIME_X

	* gssapi/gssapi_krb5.h: add GSS_KRB5_GET_AUTHTIME_X

	* krb5/set_sec_context_option.c: Implement GSS_KRB5_SEND_TO_KDC_X.

	* mech/gss_krb5.c: Add gsskrb5_set_send_to_kdc

	* gssapi/gssapi_krb5.h: Add GSS_KRB5_SEND_TO_KDC_X and
	gsskrb5_set_send_to_kdc

	* krb5/external.c: add GSS_KRB5_SEND_TO_KDC_X

	* Makefile.am: more files

2006-10-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: remove spnego/gssapi_spnego.h, it's now in gssapi/

	* test_context.c: Allow specifying mech.

	* krb5/external.c: add GSS_SASL_DIGEST_MD5_MECHANISM (for now)

	* gssapi/gssapi.h: Rename GSS_DIGEST_MECHANISM to
	GSS_SASL_DIGEST_MD5_MECHANISM

2006-10-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech/gssapi.asn1: Make it into a heim_any_set, it doesn't
	expect a tag.

	* mech/gssapi.asn1: GSSAPIContextToken is IMPLICIT SEQUENCE

	* gssapi/gssapi_krb5.h: add GSS_KRB5_GET_ACCEPTOR_SUBKEY_X

	* krb5/external.c: Add GSS_KRB5_GET_ACCEPTOR_SUBKEY_X.

	* gssapi/gssapi_krb5.h: add GSS_KRB5_GET_INITIATOR_SUBKEY_X and
	GSS_KRB5_GET_SUBKEY_X

	* krb5/external.c: add GSS_KRB5_GET_INITIATOR_SUBKEY_X,
	GSS_KRB5_GET_SUBKEY_X

2006-10-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_context.c: Support switching on name type oid's

	* test_context.c: add test for dns canon flag

	* mech/gss_krb5.c: Add gsskrb5_set_dns_canonlize.

	* gssapi/gssapi_krb5.h: remove gss_krb5_compat_des3_mic

	* gssapi/gssapi_krb5.h: Add gsskrb5_set_dns_canonlize.

	* krb5/set_sec_context_option.c: implement
	GSS_KRB5_SET_DNS_CANONIZE_X

	* gssapi/gssapi_krb5.h: add GSS_KRB5_SET_DNS_CANONIZE_X

	* krb5/external.c: add GSS_KRB5_SET_DNS_CANONIZE_X

	* mech/gss_krb5.c: add bits to make lucid context work

2006-10-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech/gss_oid_to_str.c: Prefix der primitives with der_.

	* krb5/inquire_sec_context_by_oid.c: Prefix der primitives with
	der_.

	* krb5/encapsulate.c: Prefix der primitives with der_.

	* mech/gss_oid_to_str.c: New der_print_heim_oid signature.

2006-10-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: add test_context

	* krb5/inquire_sec_context_by_oid.c: Make it work.

	* test_oid.c: Test lucid oid.

	* gssapi/gssapi.h: Add OM_uint64_t.

	* krb5/inquire_sec_context_by_oid.c: Add lucid interface.

	* krb5/external.c: Add lucid interface, renumber oids to my
	delegated space.

	* mech/gss_krb5.c: Add lucid interface.

	* gssapi/gssapi_krb5.h: Add lucid interface.

	* spnego/spnego_locl.h: Maybe include <netdb.h>.

2006-10-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech/gss_mech_switch.c: define RTLD_LOCAL to 0 if not defined.

2006-10-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: install gssapi_krb5.H and gssapi_spnego.h

	* gssapi/gssapi_krb5.h: Move krb5 stuff to <gssapi/gssapi_krb5.h>.

	* gssapi/gssapi.h: Move krb5 stuff to <gssapi/gssapi_krb5.h>.

	* Makefile.am: Drop some -I no longer needed.

	* gssapi/gssapi_spnego.h: Move gssapi_spengo.h over here.

	* krb5: reference all include files using 'krb5/'

2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.h: Add file inclusion protection.

	* gssapi/gssapi.h: Correct header file inclusion protection.

	* gssapi/gssapi.h: Move the gssapi.h from lib/gssapi/ to
	lib/gssapi/gssapi/ to please automake.

	* spnego/spnego_locl.h: Maybe include <sys/types.h>.

	* mech/mech_locl.h: Include <roken.h>.

	* Makefile.am: split build files into dist_ and noinst_ SOURCES

2006-10-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss.c: #if 0 out unused code.

	* mech/gss_mech_switch.c: Cast argument to ctype(3) functions
	to (unsigned char).

2006-10-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech/name.h: remove <sys/queue.h>

	* mech/mech_switch.h: remove <sys/queue.h>

	* mech/cred.h: remove <sys/queue.h>

2006-10-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/arcfour.c: Tinker more with header lengths.

	* krb5/arcfour.c: Improve the calculation of header
	lengths. DCE-STYLE data is also padded so remove if (1 || ...)
	code.

	* krb5/wrap.c (_gsskrb5_wrap_size_limit): use
	_gssapi_wrap_size_arcfour for arcfour

	* krb5/arcfour.c: Move _gssapi_wrap_size_arcfour here.

	* Makefile.am: Split all mech to different mechsrc variables.

	* spnego/context_stubs.c: Make internal function static (and
	rename).

2006-10-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/inquire_cred.c: Fix "if (x) lock(y)" bug. From Harald
	Barth.

	* spnego/spnego_locl.h: Include <sys/param.h> for MAXHOSTNAMELEN.

2006-09-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/arcfour.c: Add wrap support, interop with itself but not
	w2k3s-sp1

	* krb5/gsskrb5_locl.h: move the arcfour specific stuff to the
	arcfour header.

	* krb5/arcfour.c: Support DCE-style unwrap, tested with
	w2k3server-sp1.

	* mech/gss_accept_sec_context.c (gss_accept_sec_context): if the
	token doesn't start with [APPLICATION 0] SEQUENCE, let's assume it's
	a DCE-style kerberos 5 connection. XXX this needs to be made
	better in case we get another GSS-API protocol violating
	protocol. It should be possible to detach the Kerberos DCE-style
	since it starts with an AP-REQ PDU, but that has to wait for now.

2006-09-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.h: Add GSS_C flags from
	draft-brezak-win2k-krb-rc4-hmac-04.txt.

	* krb5/delete_sec_context.c: Free service_keyblock and fwd_data,
	indent.

	* krb5/accept_sec_context.c: Merge of the acceptor part from the
	samba patch by Stefan Metzmacher and Andrew Bartlett.

	* krb5/init_sec_context.c: Add GSS_C_DCE_STYLE.

	* krb5/{init_sec_context.c,gsskrb5_locl.h}: merge most of the
	initiator part from the samba patch by Stefan Metzmacher and
	Andrew Bartlett (still missing DCE/RPC support)

2006-08-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss.c (help): use sl_slc_help().

2006-07-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss-commands.in: rename command to supported-mechanisms

	* Makefile.am: Make gss objects depend on the slc built
	gss-commands.h

2006-07-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss-commands.in: add slc commands for gss

	* krb5/gsskrb5_locl.h: Remove dup prototype of _gsskrb5_init()

	* Makefile.am: Add test_cfx

	* krb5/external.c: add GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X

	* krb5/set_sec_context_option.c: catch
	GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X

	* krb5/accept_sec_context.c: reimplement
	gsskrb5_register_acceptor_identity

	* mech/gss_krb5.c: implement gsskrb5_register_acceptor_identity

	* mech/gss_inquire_mechs_for_name.c: call _gss_load_mech

	* mech/gss_inquire_cred.c (gss_inquire_cred): call _gss_load_mech

	* mech/gss_mech_switch.c: Make _gss_load_mech() atomic and run
	only once, this has the side effect that _gss_mechs and
	_gss_mech_oids are only initialized once, so if just the users of
	these two global variables call _gss_load_mech() first, it will
	act as a barrier and make sure the variables are never changed and
	we don't need to lock them.

	* mech/utils.h: no need to mark functions extern.

	* mech/name.h: no need to mark _gss_find_mn extern.

2006-07-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/cfx.c: Redo the wrap length calculations.

	* krb5/test_cfx.c: test max_wrap_size in cfx.c

	* mech/gss_display_status.c: Handle more error codes.

2006-07-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech/mech_locl.h: Include <krb5-types.h> and "mechqueue.h"

	* mech/mechqueue.h: Add SLIST macros.

	* krb5/inquire_context.c: Don't free return values on success.

	* krb5/inquire_cred.c (_gsskrb5_inquire_cred): When cred provided
	is the default cred, acquire the acceptor cred and initiator cred
	in two different steps and then query them for the information,
	this way, the code won't fail if there is no keytab, but there is
	a credential cache.

	* mech/gss_inquire_cred.c: move the check if we found any cred
	where it matters for both cases
	(default cred and provided cred)

	* mech/gss_init_sec_context.c: If the desired mechanism can't
	convert the name to a MN, fail with GSS_S_BAD_NAME rather than a
	NULL de-reference.

2006-07-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* spnego/external.c: readd gss_spnego_inquire_names_for_mech

	* spnego/spnego_locl.h: reimplement
	gss_spnego_inquire_names_for_mech add support function
	_gss_spnego_supported_mechs

	* spnego/context_stubs.h: reimplement
	gss_spnego_inquire_names_for_mech add support function
	_gss_spnego_supported_mechs

	* spnego/context_stubs.c: drop gss_spnego_indicate_mechs

	* mech/gss_indicate_mechs.c: if the underlying mech doesn't
	support gss_indicate_mechs, use the oid in the mechswitch
	structure

	* spnego/external.c: let the mech glue layer implement
	gss_indicate_mechs

	* spnego/cred_stubs.c (gss_spnego_acquire_cred): don't care about
	desired_mechs, get our own list with indicate_mechs and remove
	ourself.

2006-07-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* spnego/external.c: remove gss_spnego_inquire_names_for_mech, let
	the mechglue layer implement it

	* spnego/context_stubs.c: remove gss_spnego_inquire_names_for_mech, let
	the mechglue layer implement it

	* spnego/spnego_locl.c: remove gss_spnego_inquire_names_for_mech, let
	the mechglue layer implement it

2006-07-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech/gss_set_cred_option.c: fix argument to gss_release_cred

2006-06-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/init_sec_context.c: Make work on compilers that are
	somewhat more picky than gcc4 (like gcc2.95)

	* krb5/init_sec_context.c (do_delegation): use KDCOptions2int to
	convert fwd_flags to an integer, since otherwise int2KDCOptions in
	krb5_get_forwarded_creds won't do the right thing.

	* mech/gss_set_cred_option.c (gss_set_cred_option): free memory on
	failure

	* krb5/set_sec_context_option.c (_gsskrb5_set_sec_context_option):
	init global kerberos context

	* krb5/set_cred_option.c (_gsskrb5_set_cred_option): init global
	kerberos context

	* mech/gss_accept_sec_context.c: Insert the delegated sub cred on
	the delegated cred handle, not cred handle

	* mech/gss_accept_sec_context.c (gss_accept_sec_context): handle
	the case where ret_flags == NULL

	* mech/gss_mech_switch.c (add_builtin): set
	_gss_mech_switch->gm_mech_oid

	* mech/gss_set_cred_option.c (gss_set_cred_option): load mechs

	* test_cred.c (gss_print_errors): don't try to print error when
	gss_display_status failed

	* Makefile.am: Add mech/gss_release_oid.c

	* mech/gss_release_oid.c: Add gss_release_oid, reverse of
	gss_duplicate_oid

	* spnego/compat.c: preferred_mech_type was allocated with
	gss_duplicate_oid in one place and assigned static variables at
	the second place. change that static assignment to
	gss_duplicate_oid and bring back gss_release_oid.

	* spnego/compat.c (_gss_spnego_delete_sec_context): don't release
	preferred_mech_type and negotiated_mech_type, they were never
	allocated from the beginning.

2006-06-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* mech/gss_import_name.c (gss_import_name): avoid
	type-punned/strict aliasing rules

	* mech/gss_add_cred.c: avoid type-punned/strict aliasing rules

	* gssapi.h: Make gss_name_t an opaque type.

	* krb5: make gss_name_t an opaque type

	* krb5/set_cred_option.c: Add

	* mech/gss_set_cred_option.c (gss_set_cred_option): support the
	case where *cred_handle == NULL

	* mech/gss_krb5.c (gss_krb5_import_cred): make sure cred is
	GSS_C_NO_CREDENTIAL on failure.

	* mech/gss_acquire_cred.c (gss_acquire_cred): if desired_mechs is
	NO_OID_SET, there is a need to load the mechs, so always do that.

2006-06-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* krb5/inquire_cred_by_oid.c: Reimplement GSS_KRB5_COPY_CCACHE_X
	to instead pass a fullname to the credential, then resolve and
	copy out the content, and then close the cred.

	* mech/gss_krb5.c: Reimplement GSS_KRB5_COPY_CCACHE_X to instead
	pass a fullname to the credential, then resolve and copy out the
	content, and then close the cred.

	* krb5/inquire_cred_by_oid.c: make "work", GSS_KRB5_COPY_CCACHE_X
	interface needs to be re-done, currently it's utterly broken.

	* mech/gss_set_cred_option.c: Make work.

	* krb5/external.c: Add _gsskrb5_set_{sec_context,cred}_option

	* mech/gss_krb5.c (gss_krb5_import_cred): implement

	* Makefile.am: Add gss_set_{sec_context,cred}_option and sort

	* mech/gss_set_{sec_context,cred}_option.c: add

	* gssapi.h: Add GSS_KRB5_IMPORT_CRED_X

	* test_*.c: make compile again

	* Makefile.am: Add lib dependencies and test programs

	* spnego: remove dependency on libkrb5

	* mech: Bug fixes, cleanup, compiler warnings, restructure code.

	* spnego: Rename gss_context_id_t and gss_cred_id_t to local names

	* krb5: repro copy the krb5 files here

	* mech: import Doug Rabson mechglue from freebsd

	* spnego: Import Luke Howard's SPNEGO from the mechglue branch

2006-06-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.h: Add oid_to_str.

	* Makefile.am: add oid_to_str and test_oid

	* oid_to_str.c: Add gss_oid_to_str

	* test_oid.c: Add test for gss_oid_to_str()

2006-05-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* verify_mic.c: Less pointer signedness warnings.

	* unwrap.c: Less pointer signedness warnings.

	* arcfour.c: Less pointer signedness warnings.

	* gssapi_locl.h: Use const void * instead of unsigned char * to
	avoid pointer signedness warnings.

	* encapsulate.c: Use const void * instead of unsigned char * to
	avoid pointer signedness warnings.

	* decapsulate.c: Use const void * instead of unsigned char * to
	avoid pointer signedness warnings.

	* decapsulate.c: Less pointer signedness warnings.

	* cfx.c: Less pointer signedness warnings.

	* init_sec_context.c: Less pointer signedness warnings (partly by
	using the new asn.1 CHOICE decoder)

	* import_sec_context.c: Less pointer signedness warnings.

2006-05-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* accept_sec_context.c (gsskrb5_is_cfx): always set is_cfx. From
	Andrew Bartlett.

2006-05-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* get_mic.c (mic_des3): make sure message_buffer doesn't point to
	free()ed memory on failure. Pointed out by IBM checker.

2006-05-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* Rename u_intXX_t to uintXX_t

2006-05-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: Less pointer signedness warnings.

	* arcfour.c: Avoid pointer signedness warnings.

	* gssapi_locl.h (gssapi_decode_*): make data argument const void *

	* 8003.c (gssapi_decode_*): make data argument const void *

2006-04-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* export_sec_context.c: Export sequence order element. From Wynn
	Wilkes <wynn.wilkes@quest.com>.

	* import_sec_context.c: Import sequence order element. From Wynn
	Wilkes <wynn.wilkes@quest.com>.

	* sequence.c (_gssapi_msg_order_import,_gssapi_msg_order_export):
	New functions, used by {import,export}_sec_context. From Wynn
	Wilkes <wynn.wilkes@quest.com>.

	* test_sequence.c: Add test for import/export sequence.

2006-04-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* add_cred.c: Check that cred != GSS_C_NO_CREDENTIAL, this is a
	standard conformance failure, but much better than a crash.

2006-04-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* get_mic.c (get_mic*): make sure message_token is cleaned on
	error, found by IBM checker.

	* wrap.c (wrap*): Reset output_buffer on error, found by IBM
	checker.

2006-02-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* import_name.c: Accept both GSS_C_NT_HOSTBASED_SERVICE and
	GSS_C_NT_HOSTBASED_SERVICE_X as nametype for hostbased names.

2006-01-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* delete_sec_context.c (gss_delete_sec_context): if the context
	handle is GSS_C_NO_CONTEXT, don't fall over.

2005-12-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: Replace gss_krb5_import_ccache with
	gss_krb5_import_cred and add more references

2005-12-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.h: Change gss_krb5_import_ccache to gss_krb5_import_cred,
	it can handle keytabs too.

	* add_cred.c (gss_add_cred): avoid deadlock

	* context_time.c (gssapi_lifetime_left): define the 0 lifetime as
	GSS_C_INDEFINITE.

2005-12-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* acquire_cred.c (acquire_acceptor_cred): only check if principal
	exists if we got called with principal as an argument.

	* acquire_cred.c (acquire_acceptor_cred): check that the acceptor
	exists in the keytab before returning ok.

2005-11-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* copy_ccache.c (gss_krb5_import_cred): fix buglet, from Andrew
	Bartlett.

2005-11-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_kcred.c: Rename gss_krb5_import_ccache to
	gss_krb5_import_cred.

	* copy_ccache.c: Rename gss_krb5_import_ccache to
	gss_krb5_import_cred and let it grow code to handle keytabs too.

2005-11-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* init_sec_context.c: Change semantics of ok-as-delegate to match
	windows if
	[gssapi]realm/ok-as-delegate=true is set, otherwise keep old
	semantics.

	* release_cred.c (gss_release_cred): use
	GSS_CF_DESTROY_CRED_ON_RELEASE to decide if the cache should be
	krb5_cc_destroy-ed

	* acquire_cred.c (acquire_initiator_cred):
	GSS_CF_DESTROY_CRED_ON_RELEASE on created credentials.

	* accept_sec_context.c (gsskrb5_accept_delegated_token): rewrite
	to use gss_krb5_import_ccache

2005-11-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* arcfour.c: Remove signedness warnings.

2005-10-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: Document that gss_krb5_import_ccache is copy
	by reference.

	* copy_ccache.c (gss_krb5_import_ccache): Instead of making a copy
	of the ccache, make a reference by getting the name and resolving
	the name. This way the cache is shared, the flip side is of
	course that if someone calls krb5_cc_destroy the cache is lost for
	everyone.

	* test_kcred.c: Remove memory leaks.

2005-10-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: build test_kcred

	* gss_acquire_cred.3: Document gss_krb5_import_ccache

	* gssapi.3: Sort and add gss_krb5_import_ccache.

	* acquire_cred.c (_gssapi_krb5_ccache_lifetime): break out code
	used to extract lifetime from a credential cache

	* gssapi_locl.h: Add _gssapi_krb5_ccache_lifetime, used to extract
	lifetime from a credential cache.

	* gssapi.h: add gss_krb5_import_ccache, reverse of
	gss_krb5_copy_ccache

	* copy_ccache.c: add gss_krb5_import_ccache, reverse of
	gss_krb5_copy_ccache

	* test_kcred.c: test gss_krb5_import_ccache

2005-10-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* acquire_cred.c (acquire_initiator_cred): use krb5_cc_cache_match
	to find a matching credential cache, if that fails, fall back to
	the default cache.

2005-10-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi_locl.h: Add gssapi_krb5_set_status and
	gssapi_krb5_clear_status

	* init_sec_context.c (spnego_reply): Don't pass back raw Kerberos
	errors, use GSS-API errors instead. From Michael B Allen.

	* display_status.c: Add gssapi_krb5_clear_status,
	gssapi_krb5_set_status for handling error messages.

2005-08-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* external.c: Use rk_UNCONST to avoid const warning.

	* display_status.c: Constify strings to avoid warnings.

2005-08-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* init_sec_context.c: avoid warnings, update (c)

2005-07-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* init_sec_context.c (spnego_initial): use NegotiationToken
	encoder now that we have one with the new asn.1 compiler.

	* Makefile.am: the new asn.1 compiler includes the modules name in
	the depend file

2005-06-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* decapsulate.c: use rk_UNCONST

	* ccache_name.c: rename to avoid shadowing

	* gssapi_locl.h: give kret in GSSAPI_KRB5_INIT a more unique name

	* process_context_token.c: use rk_UNCONST to unconstify

	* test_cred.c: rename optind to optidx

2005-05-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* init_sec_context.c (init_auth): honor ok-as-delegate if local
	configuration approves

	* gssapi_locl.h: prototype for _gss_check_compat

	* compat.c: export check_compat as _gss_check_compat

2005-05-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* init_sec_context.c: Prefix Der_class with ASN1_C_ to avoid
	problems with system header files that pollute the name space.

	* accept_sec_context.c: Prefix Der_class with ASN1_C_ to avoid
	problems with system header files that pollute the name space.

2005-05-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* init_sec_context.c (init_auth): set
	KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED (for java compatibility),
	also while here, use krb5_auth_con_addflags

2005-05-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* arcfour.c (_gssapi_wrap_arcfour): fix calculating the encap
	length. From: Tom Maher <tmaher@eecs.berkeley.edu>

2005-05-02  Dave Love  <fx@gnu.org>

	* test_cred.c (main): Call setprogname.

2005-04-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* prefix all sequence symbols with _, they are not part of the
	GSS-API api. By comment from Wynn Wilkes <wynnw@vintela.com>

2005-04-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* accept_sec_context.c: break out the processing of the delegated
	credential to a separate function to make error handling easier,
	move the credential handling to after other setup is done

	* test_sequence.c: make less verbose in case of success

	* Makefile.am: add test_sequence to TESTS

2005-04-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* 8003.c (gssapi_krb5_verify_8003_checksum): check that cksum
	isn't NULL From: Nicolas Pouvesle <npouvesle@tenablesecurity.com>

2005-03-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: use $(LIB_roken)

2005-03-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* display_status.c (gssapi_krb5_set_error_string): pass in the
	krb5_context to krb5_free_error_string

2005-03-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* display_status.c (gssapi_krb5_set_error_string): don't misuse
	the krb5_get_error_string api

2005-03-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* compat.c (_gss_DES3_get_mic_compat): don't unlock mutex
	here.
	Bug reported by Stefan Metzmacher <metze@samba.org>

2005-02-21  Luke Howard  <lukeh@padl.com>

	* init_sec_context.c: don't call krb5_get_credentials() with
	KRB5_TC_MATCH_KEYTYPE, it can lead to the credentials cache
	growing indefinitely as no key is found with KEYTYPE_NULL

	* compat.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, it is
	no longer used (however the mechListMIC behaviour is broken,
	rfc2478bis support requires the code in the mechglue branch)

	* init_sec_context.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG

	* gssapi.h: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG

2005-01-05  Luke Howard  <lukeh@padl.com>

	* 8003.c: use symbolic name for checksum type

	* accept_sec_context.c: allow client to indicate
	that subkey should be used

	* acquire_cred.c: plug leak

	* get_mic.c: use gss_krb5_get_subkey() instead
	of gss_krb5_get_{local,remote}key(), support
	KEYTYPE_ARCFOUR_56

	* gssapi_local.c: use gss_krb5_get_subkey(),
	support KEYTYPE_ARCFOUR_56

	* import_sec_context.c: plug leak

	* unwrap.c: use gss_krb5_get_subkey(),
	support KEYTYPE_ARCFOUR_56

	* verify_mic.c: use gss_krb5_get_subkey(),
	support KEYTYPE_ARCFOUR_56

	* wrap.c: use gss_krb5_get_subkey(),
	support KEYTYPE_ARCFOUR_56

2004-11-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* inquire_cred.c: Reverse order of HEIMDAL_MUTEX_unlock and
	gss_release_cred to avoid deadlock, from Luke Howard
	<lukeh@padl.com>.

2004-09-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: gss_krb5_extract_authz_data_from_sec_context
	was renamed to gsskrb5_extract_authz_data_from_sec_context

2004-08-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* unwrap.c: mutex buglet, From: Luke Howard <lukeh@PADL.COM>

	* arcfour.c: mutex buglet, From: Luke Howard <lukeh@PADL.COM>

2004-05-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.3: spelling from Josef El-Rayes <josef@FreeBSD.org> while
	here, write some text about the SPNEGO situation

2004-04-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: s/CTXAcceptorSubkey/CFXAcceptorSubkey/

2004-04-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.h: add GSS_C_EXPECTING_MECH_LIST_MIC_FLAG From: Luke
	Howard <lukeh@padl.com>

	* init_sec_context.c (spnego_reply): use
	_gss_spnego_require_mechlist_mic to figure out if we need to check
	MechListMIC; From: Luke Howard <lukeh@padl.com>

	* accept_sec_context.c (send_accept): use
	_gss_spnego_require_mechlist_mic to figure out if we need to send
	MechListMIC; From: Luke Howard <lukeh@padl.com>

	* gssapi_locl.h: add _gss_spnego_require_mechlist_mic
	From: Luke Howard <lukeh@padl.com>

	* compat.c: add _gss_spnego_require_mechlist_mic for compatibility
	with MS SPNEGO, From: Luke Howard <lukeh@padl.com>

2004-04-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* accept_sec_context.c (gsskrb5_is_cfx): krb5_keyblock->keytype is
	an enctype, not keytype

	* accept_sec_context.c: use ASN1_MALLOC_ENCODE

	* init_sec_context.c: avoid the malloc loop and just allocate the
	proper amount of data

	* init_sec_context.c (spnego_initial): handle mech_token better

2004-03-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.h: add gss_krb5_get_tkt_flags

	* Makefile.am: add
	ticket_flags.c

	* ticket_flags.c: Get ticket-flags from acceptor ticket From: Luke
	Howard <lukeh@PADL.COM>

	* gss_acquire_cred.3: document gss_krb5_get_tkt_flags

2004-03-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* acquire_cred.c (gss_acquire_cred): check usage before even
	bothering to process it, add both keytab and initial tgt if
	requested

	* wrap.c: support cfx, try to handle acceptor asserted subkey

	* unwrap.c: support cfx, try to handle acceptor asserted subkey

	* verify_mic.c: support cfx

	* get_mic.c: support cfx

	* test_sequence.c: handle changed signature of
	gssapi_msg_order_create

	* import_sec_context.c: handle acceptor asserted subkey

	* init_sec_context.c: handle acceptor asserted subkey

	* accept_sec_context.c: handle acceptor asserted subkey

	* sequence.c: add dummy use_64 argument to gssapi_msg_order_create

	* gssapi_locl.h: add partial support for CFX

	* Makefile.am (noinst_PROGRAMS) += test_cred

	* test_cred.c: gssapi credential testing

	* test_acquire_cred.c: fix comment

2004-03-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* arcfour.h: drop structures for message formats, no longer used

	* arcfour.c: comment describing message formats

	* accept_sec_context.c (spnego_accept_sec_context): make sure the
	length of the choice element doesn't overrun us

	* init_sec_context.c (spnego_reply): make sure the length of the
	choice element doesn't overrun us

	* spnego.asn1: move NegotiationToken to avoid warning

	* spnego.asn1: uncomment NegotiationToken

	* Makefile.am: spnego_files += asn1_NegotiationToken.x

2004-01-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.h: add gss_krb5_ccache_name

	* Makefile.am (libgssapi_la_SOURCES): += ccache_name.c

	* ccache_name.c
	(gss_krb5_ccache_name): help function enable to
	set krb5 name, using out_name argument makes function no longer
	thread-safe

	* gssapi.3: add missing gss_krb5_ references

	* gss_acquire_cred.3: document gss_krb5_ccache_name

2003-12-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: make rrc a modulus operation if it's longer than the
	length of the message, noticed by Sam Hartman

2003-12-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* accept_sec_context.c: use krb5_auth_con_addflags

2003-12-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: Wrap token id was in wrong order, found by Sam Hartman

2003-12-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: add AcceptorSubkey (but no code understands it yet) ignore
	unknown token flags

2003-11-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* accept_sec_context.c: Don't require timestamp to be set on
	delegated token, it's already protected by the outer token (and
	windows doesn't always send it) Pointed out by Zi-Bin Yang
	<zbyang@decru.com> on heimdal-discuss

2003-11-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: fix {} error, pointed out by Liqiang Zhu

2003-11-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: Sequence number should be stored in bigendian order From:
	Luke Howard <lukeh@padl.com>

2003-11-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* delete_sec_context.c (gss_delete_sec_context): don't free
	ticket, krb5_free_ticket does that now

2003-11-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: checksum the header last in MIC token, update to -03
	From: Luke Howard <lukeh@padl.com>

2003-10-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* add_cred.c: If it's a MEMORY cc, make a copy. We need to do this
	since now gss_release_cred will destroy the cred.
	This should
	really be solved a better way.

	* acquire_cred.c (gss_release_cred): if it's a mcc, destroy it
	rather than just release it Found by: "Zi-Bin Yang"
	<zbyang@decru.com>

	* acquire_cred.c (acquire_initiator_cred): use kret instead of ret
	where appropriate

2003-09-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: spelling
	From: jmc <jmc@prioris.mini.pw.edu.pl>

2003-09-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: - EC and RRC are big-endian, not little-endian - The
	default is now to rotate regardless of GSS_C_DCE_STYLE. There are
	no longer any references to GSS_C_DCE_STYLE. - rrc_rotate()
	avoids allocating memory on the heap if rrc <= 256
	From: Luke Howard <lukeh@padl.com>

2003-09-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.[ch]: rrc_rotate() was untested and broken, fix it.
	Set and verify wrap Token->Filler.
	Correct token ID for wrap tokens,
	were accidentally swapped with delete tokens.
	From: Luke Howard <lukeh@PADL.COM>

2003-09-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.[ch]: no ASN.1-ish header on per-message tokens
	From: Luke Howard <lukeh@PADL.COM>

2003-09-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* arcfour.h: remove dependency on gss_arcfour_mic_token and
	gss_arcfour_warp_token

	* arcfour.c: remove dependency on gss_arcfour_mic_token and
	gss_arcfour_warp_token

2003-09-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* 8003.c: remove #if 0'ed code

2003-09-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* accept_sec_context.c (gsskrb5_accept_sec_context): set sequence
	number when not requesting mutual auth From: Luke Howard
	<lukeh@PADL.COM>

	* init_sec_context.c (init_auth): set sequence number when not
	requesting mutual auth From: Luke Howard <lukeh@PADL.COM>

2003-09-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* arcfour.c (*): set minor_status
	(gss_wrap): set conf_state to conf_req_flags on success
	From: Luke Howard <lukeh@PADL.COM>

	* wrap.c (gss_wrap_size_limit): use existing function From: Luke
	Howard <lukeh@PADL.COM>

2003-09-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* indicate_mechs.c (gss_indicate_mechs): in case of error, free
	mech_set

	* indicate_mechs.c (gss_indicate_mechs): add SPNEGO

2003-09-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* init_sec_context.c (spnego_initial): catch errors and return
	them

	* init_sec_context.c (spnego_initial): add #if 0 out version of
	the CHOICE branch encoding, also while here, free no longer used
	memory

2003-09-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: support GSS_SPNEGO_MECHANISM

	* accept_sec_context.c: SPNEGO doesn't include gss wrapping on
	SubsequentContextToken like the Kerberos 5 mech does.

	* init_sec_context.c (spnego_reply): SPNEGO doesn't include gss
	wrapping on SubsequentContextToken like the Kerberos 5 mech
	does. Let's check for it anyway.

	* accept_sec_context.c: Add support for SPNEGO on the initiator
	side. Implementation initially from Assar Westerlund, passed
	through quite a lot of hands before I committed it.

	* init_sec_context.c: Add support for SPNEGO on the initiator side.
	Tested with ldap server on a Windows 2000 DC. Implementation
	initially from Assar Westerlund, passed through quite a lot of
	hands before I committed it.

	* gssapi.h: export GSS_SPNEGO_MECHANISM

	* gssapi_locl.h: include spnego_as.h add prototype for
	gssapi_krb5_get_mech

	* decapsulate.c (gssapi_krb5_get_mech): make non static

	* Makefile.am: build SPNEGO file

2003-09-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* external.c: SPNEGO and IAKERB oids

	* spnego.asn1: SPNEGO ASN1

2003-09-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: RRC also need to be zero before wrapping them
	From: Luke Howard <lukeh@PADL.COM>

2003-09-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* encapsulate.c (gssapi_krb5_encap_length): don't return void

2003-09-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* verify_mic.c: switch from the des_ to the DES_ api

	* get_mic.c: switch from the des_ to the DES_ api

	* unwrap.c: switch from the des_ to the DES_ api

	* wrap.c: switch from the des_ to the DES_ api

	* cfx.c: EC is not included in the checksum since the length might
	change depending on the data.
	From: Luke Howard <lukeh@PADL.COM>

	* acquire_cred.c: use
	krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free

2003-09-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* copy_ccache.c: rename
	gss_krb5_extract_authz_data_from_sec_context to
	gsskrb5_extract_authz_data_from_sec_context

	* gssapi.h: rename gss_krb5_extract_authz_data_from_sec_context to
	gsskrb5_extract_authz_data_from_sec_context

2003-08-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context):
	check that we have a ticket before we start to use it

	* gss_acquire_cred.3: document
	gss_krb5_extract_authz_data_from_sec_context

	* gssapi.h (gss_krb5_extract_authz_data_from_sec_context):
	return the kerberos authorizationdata, from idea of Luke Howard

	* copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context):
	return the kerberos authorizationdata, from idea of Luke Howard

	* verify_mic.c (gss_verify_mic_internal): switch type and key
	argument

2003-08-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.[ch]: draft-ietf-krb-wg-gssapi-cfx-01.txt implementation
	From: Luke Howard <lukeh@PADL.COM>

2003-08-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* arcfour.c (arcfour_mic_cksum): use free_Checksum to free the
	checksum

	* arcfour.h: swap two last arguments to verify_mic for consistency
	with des3

	* wrap.c,unwrap.c,get_mic.c,verify_mic.c,cfx.c,cfx.h:
	prefix cfx symbols with _gssapi_

	* arcfour.c: release the right buffer

	* arcfour.c: rename token structure in consistency with rest of
	GSS-API From: Luke Howard <lukeh@PADL.COM>

	* unwrap.c (unwrap_des3): use _gssapi_verify_pad
	(unwrap_des): use _gssapi_verify_pad

	* arcfour.c (_gssapi_wrap_arcfour): set the correct padding
	(_gssapi_unwrap_arcfour): verify and strip
	padding

	* gssapi_locl.h: added _gssapi_verify_pad

	* decapsulate.c (_gssapi_verify_pad): verify padding of a gss
	wrapped message and return its length

	* arcfour.c: support KEYTYPE_ARCFOUR_56 keys, from Luke Howard
	<lukeh@PADL.COM>

	* arcfour.c: use right seal alg, inherit keytype from parent key

	* arcfour.c: include the confounder in the checksum use the right
	key usage number for wrapped/unwrapped tokens

	* gssapi.h: add gss_krb5_nt_general_name as an mit compat glue
	(same as GSS_KRB5_NT_PRINCIPAL_NAME)

	* unwrap.c: hook in arcfour unwrap

	* wrap.c: hook in arcfour wrap

	* verify_mic.c: hook in arcfour verify_mic

	* get_mic.c: hook in arcfour get_mic

	* arcfour.c: implement wrap/unwrap

	* gssapi_locl.h: add gssapi_{en,de}code_be_om_uint32

	* 8003.c: add gssapi_{en,de}code_be_om_uint32

2003-08-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* arcfour.c (_gssapi_verify_mic_arcfour): Do the checksum on right
	area. Swap filler check, it was reversed.

	* Makefile.am (libgssapi_la_SOURCES): += arcfour.c

	* gssapi_locl.h: include "arcfour.h"

	* arcfour.c: arcfour gss-api mech, get_mic/verify_mic working

	* arcfour.h: arcfour gss-api mech, get_mic/verify_mic working

2003-08-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi_locl.h: always include cfx.h add prototype for
	_gssapi_decapsulate

	* cfx.[ch]: Implementation of draft-ietf-krb-wg-gssapi-cfx-00.txt
	from Luke Howard <lukeh@PADL.COM>

	* decapsulate.c: add _gssapi_decapsulate, from Luke Howard
	<lukeh@PADL.COM>

2003-08-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* unwrap.c: encap/decap now takes an oid if the enctype/keytype is
	arcfour, return error add hook for cfx

	* verify_mic.c: encap/decap now takes an oid if the enctype/keytype
	is arcfour, return error add hook for cfx

	* get_mic.c: encap/decap now takes an oid if the enctype/keytype is
	arcfour, return error add hook for cfx

	* accept_sec_context.c: encap/decap now takes an oid

	* init_sec_context.c: encap/decap now takes an oid

	* gssapi_locl.h: include cfx.h if we need it lifetime is a
	OM_uint32, depend on gssapi interface add all new encap/decap
	functions

	* decapsulate.c: add decap functions that don't take the token
	type also make all decap functions take the oid mech that they
	should use

	* encapsulate.c: add encap functions that don't take the token
	type also make all encap functions take the oid mech that they
	should use

	* sequence.c (elem_insert): fix an off by one index counter

	* inquire_cred.c (gss_inquire_cred): handle cred_handle being
	GSS_C_NO_CREDENTIAL and use the default cred then.

2003-08-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: break out extensions and document
	gsskrb5_register_acceptor_identity

2003-08-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_acquire_cred.c (print_time): time is returned in seconds
	from now, not unix time

2003-08-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* compat.c (check_compat): avoid leaking principal when finding a
	match

	* address_to_krb5addr.c: sa_size argument to krb5_addr2sockaddr is
	a krb5_socklen_t

	* acquire_cred.c (gss_acquire_cred): 4th argument to
	gss_test_oid_set_member is an int

2003-07-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* init_sec_context.c (repl_mutual): don't set kerberos error where
	there was no kerberos error

	* gssapi_locl.h: Add destruction/creation prototypes and structure
	for the thread specific storage.

	* display_status.c: use thread specific storage to set/get the
	kerberos error message

	* init.c: Provide locking around the creation of the global
	krb5_context. Add destruction/creation functions for the thread
	specific storage that the error string handling is using.

2003-07-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: add missing prototype and missing .Ft
	arguments

2003-06-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* verify_mic.c: reorder code so sequence numbers can be used

	* unwrap.c: reorder code so sequence numbers can be used

	* sequence.c: remove unused function, indent, add
	gssapi_msg_order_f that filters gss flags to gss_msg_order flags

	* gssapi_locl.h: prototypes for
	gssapi_{encode_om_uint32,decode_om_uint32} add sequence number
	verifier prototypes

	* delete_sec_context.c: destroy sequence number verifier

	* init_sec_context.c: remember to free data use sequence number
	verifier

	* accept_sec_context.c: don't clear output_token twice remember to
	free data use sequence number verifier

	* 8003.c: export and rename encode_om_uint32/decode_om_uint32 and
	start to use them

2003-06-09  Johan Danielsson  <joda@pdc.kth.se>

	* Makefile.am: can't have sequence.c in two different places

2003-06-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_sequence.c: check rollover, print summary

	* wrap.c (sub_wrap_size): gss_wrap_size_limit() has
	req_output_size and max_input_size around the wrong way -- it
	returns the output token size for a given input size, rather than
	the maximum input size for a given output token size.

	From: Luke Howard <lukeh@PADL.COM>

2003-06-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi_locl.h: add prototypes for sequence.c

	* Makefile.am (libgssapi_la_SOURCES): add sequence.c
	(test_sequence): build

	* sequence.c: sequence number checks, order and replay
	* test_sequence.c: sequence number checks, order and replay

2003-06-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* accept_sec_context.c (gss_accept_sec_context): make sure time is
	returned in seconds from now, not in kerberos time

	* acquire_cred.c (gss_aquire_cred): make sure time is returned in
	seconds from now, not in kerberos time

	* init_sec_context.c (init_auth): if the cred is expired before we
	try to create a token, fail so the peer doesn't need to reject us
	(*): make sure time is returned in seconds from now,
	not in kerberos time
	(repl_mutual): remember to unlock the context mutex

	* context_time.c (gss_context_time): remove unused variable

	* verify_mic.c: make sure minor_status is always set, pointed out
	by Luke Howard <lukeh@PADL.COM>

2003-05-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* *.[ch]: do some basic locking (no reference counting so contexts
	can be removed while still used)
	- don't export gss_ctx_id_t_desc_struct and gss_cred_id_t_desc_struct
	- make sure all lifetimes are returned in seconds left until expired,
	not in unix epoch

	* gss_acquire_cred.3: document argument lifetime_rec to function
	gss_inquire_context

2003-05-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_acquire_cred.c: test gss_add_cred more than once

2003-05-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.h: if __cplusplus, wrap the extern variable (just to be
	safe) and functions in extern "C" { }

2003-04-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.3: more about
	the des3 mic mess

	* verify_mic.c (verify_mic_des3): always check if the mic is the
	correct mic or the mic that old heimdal would have generated

2003-04-28  Jacques Vidrine  <nectar@kth.se>

	* verify_mic.c (verify_mic_des3): If MIC verification fails,
	retry using the `old' MIC computation (with zero IV).

2003-04-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: more about difference between comparing IN
	and MN

	* gss_acquire_cred.3: more about name type and access control

2003-04-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: document gss_context_time

	* context_time.c: if lifetime of context has expired, set
	time_rec to 0 and return GSS_S_CONTEXT_EXPIRED

	* gssapi.3: document [gssapi]correct_des3_mic
	[gssapi]broken_des3_mic

	* gss_acquire_cred.3: document gss_krb5_compat_des3_mic

	* compat.c (gss_krb5_compat_des3_mic): enable turning on/off des3
	mic compat
	(_gss_DES3_get_mic_compat): handle [gssapi]correct_des3_mic too

	* gssapi.h (gss_krb5_compat_des3_mic): new function, turn on/off
	des3 mic compat
	(GSS_C_KRB5_COMPAT_DES3_MIC): cpp symbol that exists if
	gss_krb5_compat_des3_mic exists

2003-04-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: (libgssapi_la_LDFLAGS): update major
	version of gssapi for incompatibility in 3des getmic support

2003-04-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: test_acquire_cred_LDADD: use libgssapi.la not
	./libgssapi.la (make make -jN work)

2003-04-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.3: spelling

	* gss_acquire_cred.3: Change .Fd #include <header.h> to .In
	header.h, from Thomas Klausner <wiz@netbsd.org>

2003-04-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: spelling

	* Makefile.am:
	remove stuff that sneaked in with last commit

	* acquire_cred.c (acquire_initiator_cred): if the requested name
	isn't in the ccache, also check keytab. Extract the krbtgt for the
	default realm to check how long the credentials will last.

	* add_cred.c (gss_add_cred): don't create a new ccache, just open
	the old one; better check if output handle is compatible with new
	(copied) handle

	* test_acquire_cred.c: test gss_add_cred too

2003-04-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: build test_acquire_cred

	* test_acquire_cred.c: simple gss_acquire_cred test

2003-04-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: s/gssapi/GSS-API/

2003-03-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: document v1 interface (and that they are
	obsolete)

2003-03-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: list supported mechanism and nametypes

2003-03-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: text about gss_display_name

	* Makefile.am (libgssapi_la_LDFLAGS): bump to 3:6:2
	(libgssapi_la_SOURCES): add all new functions

	* gssapi.3: now that we have a functions, uncomment the missing
	ones

	* gss_acquire_cred.3: now that we have a functions, uncomment the
	missing ones

	* process_context_token.c: implement gss_process_context_token

	* inquire_names_for_mech.c: implement gss_inquire_names_for_mech

	* inquire_mechs_for_name.c: implement gss_inquire_mechs_for_name

	* inquire_cred_by_mech.c: implement gss_inquire_cred_by_mech

	* add_cred.c: implement gss_add_cred

	* acquire_cred.c (gss_acquire_cred): more testing of input
	argument, make sure output arguments are ok, since we don't know
	the time_rec (for now), set it to time_req

	* export_sec_context.c: send lifetime, also set minor_status

	* get_mic.c: set minor_status

	* import_sec_context.c (gss_import_sec_context): add error
	checking, pick up lifetime (if there is no lifetime, use
	GSS_C_INDEFINITE)

	* init_sec_context.c: take care to set export value to something
	sane before we start so caller will have harmless values in them
	if the function fails

	* release_buffer.c (gss_release_buffer): set minor_status

	* wrap.c: make sure minor_status gets set

	* verify_mic.c (gss_verify_mic_internal): rename verify_mic to
	gss_verify_mic_internal and let it take the type as an argument,
	(gss_verify_mic): call gss_verify_mic_internal
	set minor_status

	* unwrap.c: set minor_status

	* test_oid_set_member.c (gss_test_oid_set_member): use
	gss_oid_equal

	* release_oid_set.c (gss_release_oid_set): set minor_status

	* release_name.c (gss_release_name): set minor_status

	* release_cred.c (gss_release_cred): set minor_status

	* add_oid_set_member.c (gss_add_oid_set_member): set minor_status

	* compare_name.c (gss_compare_name): set minor_status

	* compat.c (check_compat): make sure ret has a defined value

	* context_time.c (gss_context_time): set minor_status

	* copy_ccache.c (gss_krb5_copy_ccache): set minor_status

	* create_emtpy_oid_set.c (gss_create_empty_oid_set): set
	minor_status

	* delete_sec_context.c (gss_delete_sec_context): set minor_status

	* display_name.c (gss_display_name): set minor_status

	* display_status.c (gss_display_status): use gss_oid_equal, handle
	supplementary errors

	* duplicate_name.c (gss_duplicate_name): set minor_status

	* inquire_context.c (gss_inquire_context): set lifetime_rec now
	when we know it, set minor_status

	* inquire_cred.c (gss_inquire_cred): take care to set
	export value to something sane before we start so caller will
	have harmless values in them if the function fails

	* accept_sec_context.c (gss_accept_sec_context): take care to set
	export value to something sane before we start so caller will have
	harmless values in them if the function fails, set lifetime from
	ticket expiration date

	* indicate_mechs.c (gss_indicate_mechs): use
	gss_create_empty_oid_set and gss_add_oid_set_member

	* gssapi.h (gss_ctx_id_t_desc): store the lifetime in the cred,
	since there is no ticket transferred in the exported context

	* export_name.c (gss_export_name): export name with
	GSS_C_NT_EXPORT_NAME wrapping, not just the principal

	* import_name.c (import_export_name): new function, parses a
	GSS_C_NT_EXPORT_NAME
	(import_krb5_name): factor out common code of parsing krb5 name
	(gss_oid_equal): rename from oid_equal

	* gssapi_locl.h: add prototypes for gss_oid_equal and
	gss_verify_mic_internal

	* gssapi.h: comment out the argument names

2003-03-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.3: add LIST OF FUNCTIONS and copyright/license

	* Makefile.am: s/gss_aquire_cred.3/gss_acquire_cred.3/

	* Makefile.am: man_MANS += gss_aquire_cred.3

2003-03-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_aquire_cred.3: the gssapi api manpage

2003-03-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* inquire_context.c: (gss_inquire_context): rename argument open
	to open_context

	* gssapi.h (gss_inquire_context): rename argument open to open_context

2003-02-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* init_sec_context.c (do_delegation): remove unused variable
	subkey

	* gssapi.3: all 0.5.x versions had broken token delegation

2003-02-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* (init_auth): only generate one
	subkey

2003-01-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* verify_mic.c (verify_mic_des3): fix 3des verify_mic to conform
	to rfc (and mit kerberos), provide backward compat hook

	* get_mic.c (mic_des3): fix 3des get_mic to conform to rfc (and
	mit kerberos), provide backward compat hook

	* init_sec_context.c (init_auth): check if we need compat for
	older get_mic/verify_mic

	* gssapi_locl.h: add prototype for _gss_DES3_get_mic_compat

	* gssapi.h (more_flags): add COMPAT_OLD_DES3

	* Makefile.am: add gssapi.3 and compat.c

	* gssapi.3: add gssapi COMPATIBILITY documentation

	* accept_sec_context.c (gss_accept_sec_context): check if we need
	compat for older get_mic/verify_mic

	* compat.c: check for compatibility with other heimdal's 3des
	get_mic/verify_mic

2002-10-31  Johan Danielsson  <joda@pdc.kth.se>

	* check return value from gssapi_krb5_init

	* 8003.c (gssapi_krb5_verify_8003_checksum): check size of input

2002-09-03  Johan Danielsson  <joda@pdc.kth.se>

	* wrap.c (wrap_des3): use ETYPE_DES3_CBC_NONE

	* unwrap.c (unwrap_des3): use ETYPE_DES3_CBC_NONE

2002-09-02  Johan Danielsson  <joda@pdc.kth.se>

	* init_sec_context.c: we need to generate a local subkey here

2002-08-20  Jacques Vidrine  <n@nectar.com>

	* acquire_cred.c, inquire_cred.c, release_cred.c: Use default
	credential resolution if gss_acquire_cred is called with
	GSS_C_NO_NAME.

2002-06-20  Jacques Vidrine  <n@nectar.com>

	* import_name.c: Compare name types by value if pointers do
	not match. Reported by: "Douglas E. Engert" <deengert@anl.gov>

2002-05-20  Jacques Vidrine  <n@nectar.com>

	* verify_mic.c (gss_verify_mic), unwrap.c (gss_unwrap): initialize
	the qop_state parameter.
	from Doug Rabson <dfr@nlsystems.com>

2002-05-09  Jacques Vidrine  <n@nectar.com>

	* acquire_cred.c: handle GSS_C_INITIATE/GSS_C_ACCEPT/GSS_C_BOTH

2002-05-08  Jacques Vidrine  <n@nectar.com>

	* acquire_cred.c: initialize gssapi; handle null desired_name

2002-03-22  Johan Danielsson  <joda@pdc.kth.se>

	* Makefile.am: remove non-functional stuff accidentally committed

2002-03-11  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:5:2
	* 8003.c (gssapi_krb5_verify_8003_checksum): handle zero channel
	bindings

2001-10-31  Jacques Vidrine  <n@nectar.com>

	* get_mic.c (mic_des3): MIC computation using DES3/SHA1
	was bogusly appending the message buffer to the result,
	overwriting a heap buffer in the process.

2001-08-29  Assar Westerlund  <assar@sics.se>

	* 8003.c (gssapi_krb5_verify_8003_checksum,
	gssapi_krb5_create_8003_checksum): make more consistent by always
	returning a gssapi error and setting minor status. update
	callers

2001-08-28  Jacques Vidrine  <n@nectar.com>

	* accept_sec_context.c: Create a cache for delegated credentials
	when needed.

2001-08-28  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): set version to 3:4:2

2001-08-23  Assar Westerlund  <assar@sics.se>

	* *.c: handle minor_status more consistently

	* display_status.c (gss_display_status): handle krb5_get_err_text
	failing

2001-08-15  Johan Danielsson  <joda@pdc.kth.se>

	* gssapi_locl.h: fix prototype for gssapi_krb5_init

2001-08-13  Johan Danielsson  <joda@pdc.kth.se>

	* accept_sec_context.c (gsskrb5_register_acceptor_identity): init
	context and check return value from kt_resolve

	* init.c: return error code

2001-07-19  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): update to 3:3:2

2001-07-12  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LIBADD): add required library
	dependencies

2001-07-06  Assar Westerlund  <assar@sics.se>

	* accept_sec_context.c (gsskrb5_register_acceptor_identity): set
	the keytab to be used for gss_acquire_cred too

2001-07-03  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): set version to 3:2:2

2001-06-18  Assar Westerlund  <assar@sics.se>

	* wrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey
	and gss_krb5_get_remotekey
	* verify_mic.c: update krb5_auth_con function names use
	gss_krb5_get_remotekey
	* unwrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey
	and gss_krb5_get_remotekey
	* gssapi_locl.h (gss_krb5_get_remotekey, gss_krb5_get_localkey):
	add prototypes
	* get_mic.c: update krb5_auth_con function names.
	use gss_krb5_get_localkey
	* accept_sec_context.c: update krb5_auth_con function names

2001-05-17  Assar Westerlund  <assar@sics.se>

	* Makefile.am: bump version to 3:1:2

2001-05-14  Assar Westerlund  <assar@sics.se>

	* address_to_krb5addr.c: adapt to new address functions

2001-05-11  Assar Westerlund  <assar@sics.se>

	* try to return the error string from libkrb5 where applicable

2001-05-08  Assar Westerlund  <assar@sics.se>

	* delete_sec_context.c (gss_delete_sec_context): remember to free
	the memory used by the ticket itself. from <tmartin@mirapoint.com>

2001-05-04  Assar Westerlund  <assar@sics.se>

	* gssapi_locl.h: add config.h for completeness
	* gssapi.h: remove config.h, this is an installed header file
	sys/types.h is not needed either

2001-03-12  Assar Westerlund  <assar@sics.se>

	* acquire_cred.c (gss_acquire_cred): remove memory leaks. from
	Jason R Thorpe <thorpej@zembu.com>

2001-02-18  Assar Westerlund  <assar@sics.se>

	* accept_sec_context.c (gss_accept_sec_context): either return
	gss_name NULL-ed or set

	* import_name.c: set minor_status in some cases where it was not
	done

2001-02-15  Assar Westerlund  <assar@sics.se>

	* wrap.c: use krb5_generate_random_block for the confounders

2001-01-30  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:0:2
	* acquire_cred.c, init_sec_context.c, release_cred.c: add support
	for getting creds from a keytab, from fvdl@netbsd.org

	* copy_ccache.c: add gss_krb5_copy_ccache

2001-01-27  Assar Westerlund  <assar@sics.se>

	* get_mic.c: cast parameters to des function to non-const pointers
	to handle the case where these functions actually take non-const
	des_cblock *

2001-01-09  Assar Westerlund  <assar@sics.se>

	* accept_sec_context.c
	(gss_accept_sec_context): use krb5_rd_cred2
	instead of krb5_rd_cred

2000-12-11  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): bump to 2:3:1

2000-12-08  Assar Westerlund  <assar@sics.se>

	* wrap.c (wrap_des3): use the checksum as ivec when encrypting the
	sequence number
	* unwrap.c (unwrap_des3): use the checksum as ivec when encrypting
	the sequence number
	* init_sec_context.c (init_auth): always zero fwd_data

2000-12-06  Johan Danielsson  <joda@pdc.kth.se>

	* accept_sec_context.c: de-pointerise auth_context parameter to
	krb5_mk_rep

2000-11-15  Assar Westerlund  <assar@sics.se>

	* init_sec_context.c (init_auth): update to new
	krb5_build_authenticator

2000-09-19  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): bump to 2:2:1

2000-08-27  Assar Westerlund  <assar@sics.se>

	* init_sec_context.c: actually pay attention to `time_req'
	* init_sec_context.c: re-organize. leak less memory.
	* gssapi_locl.h (gssapi_krb5_encapsulate, gss_krb5_getsomekey):
	update prototypes add assert.h
	* gssapi.h (GSS_KRB5_CONF_C_QOP_DES, GSS_KRB5_CONF_C_QOP_DES3_KD):
	add
	* verify_mic.c: re-organize and add 3DES code
	* wrap.c: re-organize and add 3DES code
	* unwrap.c: re-organize and add 3DES code
	* get_mic.c: re-organize and add 3DES code
	* encapsulate.c (gssapi_krb5_encapsulate): do not free `in_data',
	let the caller do that. fix the callers.

2000-08-16  Assar Westerlund  <assar@sics.se>

	* Makefile.am: bump version to 2:1:1

2000-07-29  Assar Westerlund  <assar@sics.se>

	* decapsulate.c (gssapi_krb5_verify_header): sanity-check length

2000-07-25  Johan Danielsson  <joda@pdc.kth.se>

	* Makefile.am: bump version to 2:0:1

2000-07-22  Assar Westerlund  <assar@sics.se>

	* gssapi.h: update OID for GSS_C_NT_HOSTBASED_SERVICE and other
	details from rfc2744

2000-06-29  Assar Westerlund  <assar@sics.se>

	* address_to_krb5addr.c (gss_address_to_krb5addr): actually use
	`int' instead of `sa_family_t' for the address family.

2000-06-21  Assar Westerlund  <assar@sics.se>

	* add support for token delegation. From Daniel Kouril
	<kouril@ics.muni.cz> and Miroslav Ruda <ruda@ics.muni.cz>

2000-05-15  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): set version to 1:1:1

2000-04-12  Assar Westerlund  <assar@sics.se>

	* release_oid_set.c (gss_release_oid_set): clear set for
	robustness. From GOMBAS Gabor <gombasg@inf.elte.hu>
	* release_name.c (gss_release_name): reset input_name for
	robustness. From GOMBAS Gabor <gombasg@inf.elte.hu>
	* release_buffer.c (gss_release_buffer): set value to NULL to be
	more robust. From GOMBAS Gabor <gombasg@inf.elte.hu>
	* add_oid_set_member.c (gss_add_oid_set_member): actually check if
	the oid is a member first. leave the oid_set unchanged if realloc
	fails.

2000-02-13  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 1:0:1

2000-02-12  Assar Westerlund  <assar@sics.se>

	* gssapi_locl.h: add flags for import/export
	* import_sec_context.c (import_sec_context): add flags for what
	fields are included. do not include the authenticator for now.
	* export_sec_context.c (export_sec_context): add flags for what
	fields are included.
	do not include the authenticator for now.
	* accept_sec_context.c (gss_accept_sec_context): set target in
	context_handle

2000-02-11  Assar Westerlund  <assar@sics.se>

	* delete_sec_context.c (gss_delete_sec_context): set context to
	GSS_C_NO_CONTEXT

	* Makefile.am: add {export,import}_sec_context.c
	* export_sec_context.c: new file
	* import_sec_context.c: new file
	* accept_sec_context.c (gss_accept_sec_context): set trans flag

2000-02-07  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 0:5:0

2000-01-26  Assar Westerlund  <assar@sics.se>

	* delete_sec_context.c (gss_delete_sec_context): handle a NULL
	output_token

	* wrap.c: update to pseudo-standard APIs for md4,md5,sha. some
	changes to libdes calls to make them more portable.
	* verify_mic.c: update to pseudo-standard APIs for md4,md5,sha.
	some changes to libdes calls to make them more portable.
	* unwrap.c: update to pseudo-standard APIs for md4,md5,sha. some
	changes to libdes calls to make them more portable.
	* get_mic.c: update to pseudo-standard APIs for md4,md5,sha. some
	changes to libdes calls to make them more portable.
	* 8003.c: update to pseudo-standard APIs for md4,md5,sha.

2000-01-06  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 0:4:0

1999-12-26  Assar Westerlund  <assar@sics.se>

	* accept_sec_context.c (gss_accept_sec_context): always set
	`output_token'
	* init_sec_context.c (init_auth): always initialize `output_token'
	* delete_sec_context.c (gss_delete_sec_context): always set
	`output_token'

1999-12-06  Assar Westerlund  <assar@sics.se>

	* Makefile.am: bump version to 0:3:0

1999-10-20  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 0:2:0

1999-09-21  Assar Westerlund  <assar@sics.se>

	* init_sec_context.c (gss_init_sec_context): initialize `ticket'

	* gssapi.h (gss_ctx_id_t_desc): add ticket in here. ick.

	* delete_sec_context.c (gss_delete_sec_context): free ticket

	* accept_sec_context.c (gss_accept_sec_context): stove away
	`krb5_ticket' in context so that ugly programs such as
	gss_nt_server can get at it. uck.

1999-09-20  Johan Danielsson  <joda@pdc.kth.se>

	* accept_sec_context.c: set minor_status

1999-08-04  Assar Westerlund  <assar@sics.se>

	* display_status.c (calling_error, routine_error): right shift the
	code to make it possible to index into the arrays

1999-07-28  Assar Westerlund  <assar@sics.se>

	* gssapi.h (GSS_C_AF_INET6): add

	* import_name.c (import_hostbased_name): set minor_status

1999-07-26  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 0:1:0

Wed Apr  7 14:05:15 1999  Johan Danielsson  <joda@hella.pdc.kth.se>

	* display_status.c: set minor_status

	* init_sec_context.c: set minor_status

	* lib/gssapi/init.c: remove donep (check gssapi_krb5_context
	directly)