Merge V1_0_FREEZE_3 into the mainline. (Note this merge does *not*

include the doc subtree!!) git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@9632 dc483132-0cff-0310-8789-dd5450dbe970
author: Theodore Tso <tytso@mit.edu> 1996-12-13 19:28:16 +0000
committer: Theodore Tso <tytso@mit.edu> 1996-12-13 19:28:16 +0000
commit: e73566996463fb1947cf80ad2e11fadce3dc0b66 (patch)
tree: 4c75494b8a5a0e1169c37bcac34cc0aeccda7de2 /src/lib/gssapi
parent: 20b3f46e04d4d0104dc971d22793011f20f2e51c (diff)
download: krb5-e73566996463fb1947cf80ad2e11fadce3dc0b66.tar.gz
krb5-e73566996463fb1947cf80ad2e11fadce3dc0b66.tar.xz
krb5-e73566996463fb1947cf80ad2e11fadce3dc0b66.zip
12 files changed, 122 insertions, 48 deletions
diff --git a/src/lib/gssapi/ChangeLog b/src/lib/gssapi/ChangeLog
index 505b5d355..b29cc371b 100644
--- a/src/lib/gssapi/ChangeLog
+++ b/src/lib/gssapi/ChangeLog
@@ -1,3 +1,7 @@
+Mon Nov 18 20:39:41 1996  Ezra Peisach  <epeisach@mit.edu>
+
+	* configure.in: Set shared library version to 1.0. [krb5-libs/201]
+
 Tue Jul 23 22:50:22 1996  Theodore Y. Ts'o  <tytso@mit.edu>
 
 	* Makefile.in (MAC_SUBDIRS): Remove mechglue from the list of
diff --git a/src/lib/gssapi/configure.in b/src/lib/gssapi/configure.in
index 164582c64..f2bb70429 100644
--- a/src/lib/gssapi/configure.in
+++ b/src/lib/gssapi/configure.in
@@ -7,7 +7,7 @@ AC_PROG_ARCHIVE_ADD
 AC_PROG_RANLIB
 AC_PROG_INSTALL
 DO_SUBDIRS
-V5_MAKE_SHARED_LIB(libgssapi_krb5,0.1,.., ./gssapi)
+V5_MAKE_SHARED_LIB(libgssapi_krb5,1.0,.., ./gssapi)
 CRYPTO_SH_VERS=$krb5_cv_shlib_version_libcrypto
 AC_SUBST(CRYPTO_SH_VERS)
 COMERR_SH_VERS=$krb5_cv_shlib_version_libcom_err
diff --git a/src/lib/gssapi/generic/ChangeLog b/src/lib/gssapi/generic/ChangeLog
index 993470825..30fd1c3c2 100644
--- a/src/lib/gssapi/generic/ChangeLog
+++ b/src/lib/gssapi/generic/ChangeLog
@@ -1,3 +1,12 @@
+Wed Nov 20 13:59:58 1996  Ezra Peisach  <epeisach@mit.edu>
+
+	* Makefile.in (install): Install gssapi.h from the build tree.
+
+Tue Nov 19 16:43:16 1996  Tom Yu  <tlyu@mit.edu>
+
+	* Makefile.in (gssapi.h): grep USE_.*_H out from autoconf.h as
+	well (some stuff was depending on USE_STRING_H).
+
 Mon Nov 18 12:38:34 1996  Tom Yu  <tlyu@mit.edu>
 
 	*gssapi.h: Renamed to gssapi.hin.
diff --git a/src/lib/gssapi/generic/Makefile.in b/src/lib/gssapi/generic/Makefile.in
index 1e1aa7ebb..87b414f47 100644
--- a/src/lib/gssapi/generic/Makefile.in
+++ b/src/lib/gssapi/generic/Makefile.in
@@ -37,6 +37,7 @@ gssapi.h: gssapi.hin
 	echo "/* It contains some choice pieces of autoconf.h */" >> $@
 	grep SIZEOF $(BUILDTOP)/include/krb5/autoconf.h >> $@
 	grep 'HAVE_.*_H' $(BUILDTOP)/include/krb5/autoconf.h >> $@
+	grep 'USE_.*_H' $(BUILDTOP)/include/krb5/autoconf.h >> $@
 	echo "/* End of gssapi.h prologue. */"
 	cat $(srcdir)/gssapi.hin >> $@
 
@@ -84,7 +85,8 @@ OBJS = \
 
 $(OBJS): $(HDRS) $(ETHDRS)
 
-EXPORTED_HEADERS= gssapi.h gssapi_generic.h
+EXPORTED_HEADERS= gssapi_generic.h
+EXPORTED_BUILT_HEADERS= gssapi.h
 
 all-unix:: shared $(SRCS) $(ETHDRS) $(OBJS)
 
@@ -116,5 +118,9 @@ install::
 	do $(INSTALL_DATA) $(srcdir)/$$f	\
 		$(DESTDIR)$(KRB5_INCDIR)/gssapi/$$f ; \
 	done
+	@set -x; for f in $(EXPORTED_BUILT_HEADERS) ; \
+	do $(INSTALL_DATA) $$f	\
+		$(DESTDIR)$(KRB5_INCDIR)/gssapi/$$f ; \
+	done
 
 depend:: $(ETSRCS)
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index e1c1d9849..8f9ac2c0d 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -4,6 +4,30 @@ Wed Dec  4 13:06:13 1996  Barry Jaspan  <bjaspan@mit.edu>
  	instead of scanning through keytab to find matching principal
  	[krb5-libs/210]
 
+Wed Nov 20 19:55:29 1996  Marc Horowitz  <marc@cygnus.com>
+
+	* init_sec_context.c (make_ap_rep, krb5_gss_init_sec_context),
+ 	accept_sec_context.c (krb5_gss_accept_sec_context): fix up use of
+ 	gss flags.  under some circumstances, the context would not have
+ 	checked for replay or sequencing, even if those features were
+	requested.
+
+	* init_sec_context.c (make_ap_req), (krb5_gss_init_sec_context):
+ 	If delegation is requested, but forwarding the credentials fails,
+	instead of aborting the context setup, just don't forward
+	credentials.
+
+	* gssapiP_krb5.h (krb5_gss_ctx_id_t), ser_sctx.c
+ 	(kg_ctx_externalize, kg_ctx_internalize), init_sec_context.c
+ 	(krb5_gss_init_sec_context), get_tkt_flags.c
+ 	(gss_krb5_get_tkt_flags), accept_sec_context.c
+ 	(krb5_gss_accept_sec_context): rename ctx->flags to
+ 	ctx->krb_flags, to disambiguate it from ctx->gss_flags
+
+	* accept_sec_context.c (krb5_gss_accept_sec_context): If the subkey
+	isn't present in the authenticator, then use the session key
+	instead.
+
 Sat Oct 19 00:38:22 1996  Theodore Y. Ts'o  <tytso@mit.edu>
 
 	* ser_sctx.c (kg_oid_externalize, kg_oid_internalize,
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 234606921..158983557 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -384,8 +384,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
    ctx->mech_used = mech_used;
    ctx->auth_context = auth_context;
    ctx->initiate = 0;
-   ctx->gss_flags = GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG |
-	(gss_flags & (GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG));
+   ctx->gss_flags = KG_IMPLFLAGS(gss_flags);
    ctx->seed_init = 0;
    ctx->big_endian = bigend;
 
@@ -417,6 +416,29 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
       return(GSS_S_FAILURE);
    }
 
+   /* use the session key if the subkey isn't present */
+
+   if (ctx->subkey == NULL) {
+       if ((code = krb5_auth_con_getkey(context, auth_context,
+					&ctx->subkey))) {
+	   krb5_free_principal(context, ctx->there);
+	   krb5_free_principal(context, ctx->here);
+	   xfree(ctx);
+	   *minor_status = code;
+	   return(GSS_S_FAILURE);
+       }
+   }
+
+   if (ctx->subkey == NULL) {
+       krb5_free_principal(context, ctx->there);
+       krb5_free_principal(context, ctx->here);
+       xfree(ctx);
+       /* this isn't a very good error, but it's not clear to me this
+	  can actually happen */
+       *minor_status = KRB5KDC_ERR_NULL_KEY;
+       return(GSS_S_FAILURE);
+   }
+
    switch(ctx->subkey->enctype) {
    case ENCTYPE_DES_CBC_MD5:
    case ENCTYPE_DES_CBC_CRC:
@@ -464,7 +486,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
    }
 
    ctx->endtime = ticket->enc_part2->times.endtime;
-   ctx->flags = ticket->enc_part2->flags;
+   ctx->krb_flags = ticket->enc_part2->flags;
 
    krb5_free_ticket(context, ticket); /* Done with ticket */
 
@@ -487,8 +509,8 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
    }
 
    g_order_init(&(ctx->seqstate), ctx->seq_recv,
-		(gss_flags & GSS_C_REPLAY_FLAG) != 0,
-		(gss_flags & GSS_C_SEQUENCE_FLAG) != 0);
+		(ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
+		(ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0);
 
    /* at this point, the entire context structure is filled in, 
       so it can be released.  */
@@ -545,7 +567,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
       *time_rec = ctx->endtime - now;
 
    if (ret_flags)
-      *ret_flags = KG_IMPLFLAGS(gss_flags);
+      *ret_flags = ctx->gss_flags;
 
    ctx->established = 1;
 
diff --git a/src/lib/gssapi/krb5/get_tkt_flags.c b/src/lib/gssapi/krb5/get_tkt_flags.c
index 5dd91064f..eebf06d81 100644
--- a/src/lib/gssapi/krb5/get_tkt_flags.c
+++ b/src/lib/gssapi/krb5/get_tkt_flags.c
@@ -48,7 +48,7 @@ gss_krb5_get_tkt_flags(minor_status, context_handle, ticket_flags)
    }
 
    if (ticket_flags)
-      *ticket_flags = ctx->flags;
+      *ticket_flags = ctx->krb_flags;
 
    *minor_status = 0;
    return(GSS_S_COMPLETE);
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index ee327baf6..97f2d51d5 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -113,7 +113,7 @@ typedef struct _krb5_gss_ctx_id_rec {
    krb5_gss_enc_desc enc;
    krb5_gss_enc_desc seq;
    krb5_timestamp endtime;
-   krb5_flags flags;
+   krb5_flags krb_flags;
    krb5_int32 seq_send;
    krb5_int32 seq_recv;
    void *seqstate;
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 690d5af2b..3b8935fff 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -30,15 +30,15 @@
 
 static krb5_error_code
 make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, 
-	    req_flags, flags, mech_type, token)
+	    req_flags, krb_flags, mech_type, token)
     krb5_context context;
     krb5_auth_context * auth_context;
     krb5_gss_cred_id_t cred;
     krb5_principal server;
     krb5_timestamp *endtime;
     gss_channel_bindings_t chan_bindings;
-    OM_uint32 req_flags;
-    krb5_flags *flags;
+    OM_uint32 *req_flags;
+    krb5_flags *krb_flags;
     gss_OID mech_type;
     gss_buffer_t token;
 {
@@ -74,8 +74,7 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings,
 
     /* build the checksum field */
 
-    if(*flags && GSS_C_DELEG_FLAG) {
-
+    if (*req_flags & GSS_C_DELEG_FLAG) {
 	/* first get KRB_CRED message, so we know its length */
 
 	/* clear the time check flag that was set in krb5_auth_con_init() */
@@ -83,20 +82,27 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings,
 	krb5_auth_con_setflags(context, *auth_context,
 			       con_flags & ~KRB5_AUTH_CONTEXT_DO_TIME);
 
-	if ((code = krb5_fwd_tgt_creds(context, *auth_context, 0,
+	code = krb5_fwd_tgt_creds(context, *auth_context, 0,
 				  cred->princ, server, cred->ccache, 1,
-				  &credmsg)))
-	    return(code);
+				  &credmsg);
 
 	/* turn KRB5_AUTH_CONTEXT_DO_TIME back on */
 	krb5_auth_con_setflags(context, *auth_context, con_flags);
 
-	if(credmsg.length+28 > KRB5_INT16_MAX) {
-            krb5_xfree(credmsg.data);
-	    return(KRB5KRB_ERR_FIELD_TOOLONG);
-	}
+	if (code) {
+	    /* don't fail here; just don't accept/do the delegation
+               request */
+	    *req_flags &= ~GSS_C_DELEG_FLAG;
 
-	checksum_data.length = 28+credmsg.length;
+	    checksum_data.length = 24;
+	} else {
+	    if (credmsg.length+28 > KRB5_INT16_MAX) {
+		krb5_xfree(credmsg.data);
+		return(KRB5KRB_ERR_FIELD_TOOLONG);
+	    }
+
+	    checksum_data.length = 28+credmsg.length;
+	}
     } else {
 	checksum_data.length = 24;
     }
@@ -115,7 +121,7 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings,
 
     TWRITE_INT(ptr, md5.length, 0);
     TWRITE_STR(ptr, (unsigned char *) md5.contents, md5.length);
-    TWRITE_INT(ptr, KG_IMPLFLAGS(req_flags), 0);
+    TWRITE_INT(ptr, *req_flags, 0);
 
     /* done with this, free it */
     xfree(md5.contents);
@@ -151,7 +157,7 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings,
 
     mk_req_flags = AP_OPTS_USE_SUBKEY;
 
-    if (req_flags & GSS_C_MUTUAL_FLAG)
+    if (*req_flags & GSS_C_MUTUAL_FLAG)
 	mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED;
 
     if ((code = krb5_mk_req_extended(context, auth_context, mk_req_flags,
@@ -160,7 +166,7 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings,
 
    /* store the interesting stuff from creds and authent */
    *endtime = out_creds->times.endtime;
-   *flags = out_creds->ticket_flags;
+   *krb_flags = out_creds->ticket_flags;
 
    /* build up the token */
 
@@ -264,15 +270,15 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
 
    err = 0;
    if (mech_type == GSS_C_NULL_OID) {
-      mech_type = cred->rfc_mech?gss_mech_krb5:gss_mech_krb5_old;
-  } else if (g_OID_equal(mech_type, gss_mech_krb5)) {
-      if (!cred->rfc_mech)
-	  err = 1;
-  } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) {
-      if (!cred->prerfc_mech)
-	  err = 1;
-  } else
-      err = 1;
+       mech_type = cred->rfc_mech?gss_mech_krb5:gss_mech_krb5_old;
+   } else if (g_OID_equal(mech_type, gss_mech_krb5)) {
+       if (!cred->rfc_mech)
+	   err = 1;
+   } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) {
+       if (!cred->prerfc_mech)
+	   err = 1;
+   } else
+       err = 1;
    
    if (err) {
       *minor_status = 0;
@@ -318,9 +324,7 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
       ctx->mech_used = mech_type;
       ctx->auth_context = NULL;
       ctx->initiate = 1;
-      ctx->gss_flags = ((req_flags & (GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG)) |
-			GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG);
-      ctx->flags = req_flags & GSS_C_DELEG_FLAG;
+      ctx->gss_flags = KG_IMPLFLAGS(req_flags);
       ctx->seed_init = 0;
       ctx->big_endian = 0;  /* all initiators do little-endian, as per spec */
       ctx->seqstate = 0;
@@ -352,7 +356,8 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
 
       if ((code = make_ap_req(context, &(ctx->auth_context), cred, 
 			      ctx->there, &ctx->endtime, input_chan_bindings, 
-			      req_flags, &ctx->flags, mech_type, &token))) {
+			      &ctx->gss_flags, &ctx->krb_flags, mech_type,
+			      &token))) {
 	 krb5_free_principal(context, ctx->here);
 	 krb5_free_principal(context, ctx->there);
 	 xfree(ctx);
@@ -438,7 +443,7 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
       *output_token = token;
 
       if (ret_flags)
-	 *ret_flags = KG_IMPLFLAGS(req_flags);
+	 *ret_flags = ctx->gss_flags;
 
       if (actual_mech_type)
 	 *actual_mech_type = mech_type;
@@ -452,8 +457,8 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
       } else {
 	 ctx->seq_recv = ctx->seq_send;
 	 g_order_init(&(ctx->seqstate), ctx->seq_recv,
-		      (req_flags & GSS_C_REPLAY_FLAG) != 0, 
-		      (req_flags & GSS_C_SEQUENCE_FLAG) != 0);
+		      (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, 
+		      (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0);
 	 ctx->established = 1;
 	 /* fall through to GSS_S_COMPLETE */
       }
@@ -477,7 +482,7 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
 
       if ((ctx->established) ||
 	  (((gss_cred_id_t) cred) != claimant_cred_handle) ||
-	  ((req_flags & GSS_C_MUTUAL_FLAG) == 0)) {
+	  ((ctx->gss_flags & GSS_C_MUTUAL_FLAG) == 0)) {
 	 (void)krb5_gss_delete_sec_context(minor_status, 
 					   context_handle, NULL);
 	 /* XXX this minor status is wrong if an arg was changed */
@@ -534,8 +539,8 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
       /* store away the sequence number */
       ctx->seq_recv = ap_rep_data->seq_number;
       g_order_init(&(ctx->seqstate), ctx->seq_recv,
-		   (req_flags & GSS_C_REPLAY_FLAG) != 0,
-		   (req_flags & GSS_C_SEQUENCE_FLAG) !=0);
+		   (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
+		   (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0);
 
       /* free the ap_rep_data */
       krb5_free_ap_rep_enc_part(context, ap_rep_data);
diff --git a/src/lib/gssapi/krb5/ser_sctx.c b/src/lib/gssapi/krb5/ser_sctx.c
index 259cce5b8..22b5c367c 100644
--- a/src/lib/gssapi/krb5/ser_sctx.c
+++ b/src/lib/gssapi/krb5/ser_sctx.c
@@ -515,7 +515,7 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain)
 				       &bp, &remain);
 	    (void) krb5_ser_pack_int32((krb5_int32) ctx->endtime,
 				       &bp, &remain);
-	    (void) krb5_ser_pack_int32((krb5_int32) ctx->flags,
+	    (void) krb5_ser_pack_int32((krb5_int32) ctx->krb_flags,
 				       &bp, &remain);
 	    (void) krb5_ser_pack_int32((krb5_int32) ctx->seq_send,
 				       &bp, &remain);
@@ -632,7 +632,7 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain)
 	    (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
 	    ctx->endtime = (krb5_timestamp) ibuf;
 	    (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
-	    ctx->flags = (krb5_flags) ibuf;
+	    ctx->krb_flags = (krb5_flags) ibuf;
 	    (void) krb5_ser_unpack_int32(&ctx->seq_send, &bp, &remain);
 	    (void) krb5_ser_unpack_int32(&ctx->seq_recv, &bp, &remain);
 	    (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
diff --git a/src/lib/gssapi/mechglue/ChangeLog b/src/lib/gssapi/mechglue/ChangeLog
index 97558b1a2..9f8fb1bc4 100644
--- a/src/lib/gssapi/mechglue/ChangeLog
+++ b/src/lib/gssapi/mechglue/ChangeLog
@@ -1,3 +1,7 @@
+Mon Nov 18 20:43:54 1996  Ezra Peisach  <epeisach@mit.edu>
+
+	* configure.in: Shared library version number to 1.0. [krb5-libs/201]
+
 Wed Jun 12 00:50:32 1996  Theodore Ts'o  <tytso@rsts-11.mit.edu>
 
 	* Makefile.in: Remove include of config/windows.in; that's done
diff --git a/src/lib/gssapi/mechglue/configure.in b/src/lib/gssapi/mechglue/configure.in
index 73cf30efd..bd9b4db21 100644
--- a/src/lib/gssapi/mechglue/configure.in
+++ b/src/lib/gssapi/mechglue/configure.in
@@ -13,7 +13,7 @@ case $host in
      *-*-aix*) # don't build libgssapi.a on AIX
        ;;
      *)
-       V5_MAKE_SHARED_LIB(libgssapi,0.1,.., ./mechglue)
+       V5_MAKE_SHARED_LIB(libgssapi,1.0,.., ./mechglue)
        AppendRule([install:: libgssapi.[$](LIBEXT)
 	       [$](INSTALL_DATA) libgssapi.[$](LIBEXT) [$](DESTDIR)[$](KRB5_LIBDIR)[$](S)libgssapi.[$](LIBEXT)])
        LinkFileDir([$](TOPLIBD)/libgssapi.[$](LIBEXT),libgssapi.[$](LIBEXT),./gssapi/mechglue)
author	Theodore Tso <tytso@mit.edu>	1996-12-13 19:28:16 +0000
committer	Theodore Tso <tytso@mit.edu>	1996-12-13 19:28:16 +0000
commit	e73566996463fb1947cf80ad2e11fadce3dc0b66 (patch)
tree	4c75494b8a5a0e1169c37bcac34cc0aeccda7de2 /src/lib/gssapi
parent	20b3f46e04d4d0104dc971d22793011f20f2e51c (diff)
download	krb5-e73566996463fb1947cf80ad2e11fadce3dc0b66.tar.gz krb5-e73566996463fb1947cf80ad2e11fadce3dc0b66.tar.xz krb5-e73566996463fb1947cf80ad2e11fadce3dc0b66.zip