krb5.git/src/lib/gssapi/generic, branch master MIT Kerberos patches Fix t_seqstate build with Solaris compiler 2014-03-28T15:53:46+00:00 Greg Hudson ghudson@mit.edu 2014-03-25T16:28:05+00:00 92f76302fa249713ca461e5fe7fa8ea51467b2a3 The Solaris native compiler (as of version 5.9) outputs code for static inline functions even if they are not used. So the k5buf_to_gss helper in gssapiP_generic.h causes t_seqstate to have a dependency on libkrb5support. ticket: 7872 
The Solaris native compiler (as of version 5.9) outputs code for
static inline functions even if they are not used.  So the
k5buf_to_gss helper in gssapiP_generic.h causes t_seqstate to have a
dependency on libkrb5support.

ticket: 7872
Rewrite GSS sequence state tracking code 2014-03-18T15:59:11+00:00 Greg Hudson ghudson@mit.edu 2014-03-12T16:13:08+00:00 cb3db58b1942998a5e2c4d46c21ca0554e769a8c Replace util_ordering.c with a new file util_seqstate.c, implemented using a bitmap of previously received sequence numbers instead of a 20-element circular queue. This approach has slightly different limitations--it can check for replays for values within 64 of the expected next number, where the old code could check within the range of the last 20 received numbers regardless of how far apart they are. The new approach should work as well or better for any realistic packet reordering scenario. ticket: 7879 (new) 
Replace util_ordering.c with a new file util_seqstate.c, implemented
using a bitmap of previously received sequence numbers instead of a
20-element circular queue.  This approach has slightly different
limitations--it can check for replays for values within 64 of the
expected next number, where the old code could check within the range
of the last 20 received numbers regardless of how far apart they are.
The new approach should work as well or better for any realistic
packet reordering scenario.

ticket: 7879 (new)
Improve internal API for GSS sequence numbers 2014-03-18T15:58:50+00:00 Greg Hudson ghudson@mit.edu 2014-03-11T03:01:40+00:00 23a378046bd8122839e501b3e47bb807b66e1c03 Use an opaque structure type instead of a void pointer for the sequence number state. Rename all functions to use a g_seqstate prefix rather than a mix of g_order and g_queue. Remove the unneccessary indirection from the state object parameter in g_seqstate_check and g_seqstate_free. Return OM_uint32 where we return a GSS major code, long where we return an errno value, and void where we can't fail. 
Use an opaque structure type instead of a void pointer for the
sequence number state.  Rename all functions to use a g_seqstate
prefix rather than a mix of g_order and g_queue.  Remove the
unneccessary indirection from the state object parameter in
g_seqstate_check and g_seqstate_free.  Return OM_uint32 where we
return a GSS major code, long where we return an errno value, and void
where we can't fail.
Add tests for GSSAPI sequence number processing 2014-03-18T15:55:39+00:00 Greg Hudson ghudson@mit.edu 2014-03-12T15:03:48+00:00 40b105e2e6637d370025b4433dc9e1bda5d3950a ticket: 7872 
ticket: 7872
Fix GSS krb5 initial sequence number gap handling 2014-03-18T15:55:39+00:00 Tomas Kuthan tkuthan@gmail.com 2014-03-06T12:05:24+00:00 13a9cb721194c8aa4ccf6ed6ef23e3ac8dd24037 Since #2040, the dummy queue element inserted by g_order_init no longer compares less than the initial sequence number, so we fail when the first few sequence numbers are received out of order. Properly detect when a sequence number fits between the dummy element and the first real queue element. [ghudson@mit.edu: rewrote commit message] ticket: 7872 target_version: 1.12.2 tags: pullup 
Since #2040, the dummy queue element inserted by g_order_init no
longer compares less than the initial sequence number, so we fail when
the first few sequence numbers are received out of order.  Properly
detect when a sequence number fits between the dummy element and the
first real queue element.

[ghudson@mit.edu: rewrote commit message]

ticket: 7872
target_version: 1.12.2
tags: pullup
Fix two omissions in stdint.h changes 2014-02-26T23:05:23+00:00 Greg Hudson ghudson@mit.edu 2014-02-26T22:39:55+00:00 654ea67e99ea91e39896d55c0e6dd3bfc8ee049a Since we no longer prefix an "#include <stdint.h>" in the gssapi.h preamble at build time, include it in gssapi.hin. Update util/gss/kernel-lib/Makefile.in to account for gssapi_krb5.h being in the source tree. 
Since we no longer prefix an "#include <stdint.h>" in the gssapi.h
preamble at build time, include it in gssapi.hin.

Update util/gss/kernel-lib/Makefile.in to account for gssapi_krb5.h
being in the source tree.
Eliminate internal fixed-width type wrappers 2014-02-26T21:15:20+00:00 Greg Hudson ghudson@mit.edu 2014-02-01T21:26:51+00:00 1041af9f85e4be342339475cf5c8878fef1de10d Directly use stdint.h names for integer types in preference to the various internal names we have made up for them. 
Directly use stdint.h names for integer types in preference to the
various internal names we have made up for them.
Assume <stdint.h> and fixed-width types 2014-02-26T21:15:19+00:00 Greg Hudson ghudson@mit.edu 2014-02-01T20:20:08+00:00 17e205070745e4712d40eed32d92d02edb47009f Make unconditional use of <stdint.h> and fixed-width types such as uint32_t. k5-plugin.h doesn't use any special integer types, so remove the conditional include block there. Nothing uses INT64_FMT/UINT64_FMT, so leave those out of k5-platform.h for now. 
Make unconditional use of <stdint.h> and fixed-width types such as
uint32_t.  k5-plugin.h doesn't use any special integer types, so
remove the conditional include block there.  Nothing uses
INT64_FMT/UINT64_FMT, so leave those out of k5-platform.h for now.
Add GSSAPI IOV MIC functions 2013-09-18T22:22:16+00:00 Greg Hudson ghudson@mit.edu 2013-09-08T01:13:48+00:00 d750ef3130b76dd079e863ed395eb3620a37386b Add gss_get_mic_iov, gss_get_mic_iov_length, and gss_verify_mic_iov functions, which work similarly to the corresponding IOV wrap functions. Add a new buffer type GSS_IOV_BUFFER_TYPE_MIC_TOKEN for the destination buffer. Most of the internal code for this was already present, and just needed to be fixed up and adjusted to use the new buffer type for the MIC token. ticket: 7705 (new) 
Add gss_get_mic_iov, gss_get_mic_iov_length, and gss_verify_mic_iov
functions, which work similarly to the corresponding IOV wrap
functions.  Add a new buffer type GSS_IOV_BUFFER_TYPE_MIC_TOKEN for
the destination buffer.

Most of the internal code for this was already present, and just
needed to be fixed up and adjusted to use the new buffer type for the
MIC token.

ticket: 7705 (new)
Get rid of G_VFY_TOKEN_HDR_IGNORE_SEQ_SIZE 2013-09-08T18:18:26+00:00 Greg Hudson ghudson@mit.edu 2013-09-08T18:10:37+00:00 daf42938a262c3a88164b07972f2a2e6e8552620 This flag was introduced in the mskrb-integ merge but is not actually used after r21742--while kg_unseal_iov_token sets it in vfyflags for DCE-style contexts, it doesn't actually pass vfyflags to g_verify_token_header or otherwise use it. Moreover, the flag is not necessary there; we correctly set input_length to the header length (without data, padding, or trailer) for v1 tokens in a DCE-style context. 
This flag was introduced in the mskrb-integ merge but is not actually
used after r21742--while kg_unseal_iov_token sets it in vfyflags for
DCE-style contexts, it doesn't actually pass vfyflags to
g_verify_token_header or otherwise use it.  Moreover, the flag is not
necessary there; we correctly set input_length to the header length
(without data, padding, or trailer) for v1 tokens in a DCE-style
context.