Ticket History #2587: export usable gss context / limit negotiated enctypes

# Fri Jun 04 16:44:54 2004 kwc@citi.umich.edu (Kevin Coffman) - Ticket created

From:	"Kevin Coffman" <kwc@citi.umich.edu>
To:	<krb5-bugs@mit.edu>
Date:	Fri, 4 Jun 2004 15:55:52 -0400
Cc:	kwc@citi.umich.edu
Subject:	export usable gss context / limit negotiated enctypes

Download (untitled) / with headers
text/plain 378B

The attached files add mechanism-specific GSS-API routines to export and
free a "usable" gssapi security context, and limit the encryption types
negotiated to create the context.

There is a patch file against CVS head circa 2004.04.20, two new .c files
and a .h file which go into the lib/gssapi/krb5 directory.

Kevin Coffman
University of Michigan -- CITI
kwc@citi.umich.edu

Download krb5-export-context.diff
application/octet-stream 8.1KiB

Message body not shown because it is not plain text.

Download set_allowable_enctypes.c
application/octet-stream 3.8KiB

Message body not shown because it is not plain text.

Download gssapi_krb5_ext.h
application/octet-stream 5.7KiB

Message body not shown because it is not plain text.

Download lucid_context.c
application/octet-stream 7.3KiB

Message body not shown because it is not plain text.

# Tue Jun 08 14:39:55 2004 hartmans (Sam Hartman) - Taken

# Tue Jun 08 15:06:11 2004 hartmans (Sam Hartman) - Correspondence added

To:	rt@krbdev.mit.edu
Subject:	[krbdev.mit.edu #2587] copyright
Date:	Tue, 8 Jun 2004 15:06:10 -0400 (EDT)
From:	hartmans@mit.edu (Sam Hartman)
RT-Send-Cc:

Download (untitled) / with headers
text/plain 188B

Hi. Just noting that the only copyright I see on this patch is a MIT
copyright. That's certainly easiest for us, but if you plan to attach
any additional copyrights, please do so now.

# Tue Jun 08 17:38:33 2004 hartmans (Sam Hartman) - Correspondence added

To:	rt@krbdev.mit.edu
Subject:	[krbdev.mit.edu #2587] Why does set_allowable_enctypes take a mechanism
Date:	Tue, 8 Jun 2004 17:38:31 -0400 (EDT)
From:	hartmans@mit.edu (Sam Hartman)
RT-Send-Cc:

Download (untitled) / with headers
text/plain 178B

Why does gss_krb5_set_allowable_enctypes take a mechanism oid?

O, for namespace consistency I've renamed
krb5_gss_set_allowable_enctypes to gss_krb5_set_allowable_enctypes.

# Tue Jun 08 17:50:20 2004 hartmans (Sam Hartman) - Status changed from 'new' to 'open'

# Tue Jun 08 17:50:21 2004 hartmans (Sam Hartman) - Correspondence added

From:	hartmans@mit.edu
Subject:	CVS Commit

Download (untitled) / with headers
text/plain 1.1KiB

Patch from kwc@citi.umich.edu to support
gss_krb5_export_lucid_sec_context and other facilities for NFSv4
implementations.

In order to apply this patch gss_krb5.h needs to be auto-generated so we can expose a 64-bit type for sequence numbers.

To generate a diff of this commit:

cvs diff -r1.69 -r1.70 krb5/src/lib/gssapi/ChangeLog
cvs diff -r1.26 -r1.27 krb5/src/lib/gssapi/configure.in
cvs diff -r1.139 -r1.140 krb5/src/lib/gssapi/generic/ChangeLog
cvs diff -r1.39 -r1.40
krb5/src/lib/gssapi/generic/gssapiP_generic.h
cvs diff -r1.13 -r1.14 krb5/src/lib/gssapi/generic/util_validate.c
cvs diff -r1.6 -r1.7
krb5/src/lib/gssapi/generic/utl_nohash_validate.c
cvs diff -r1.253 -r1.254 krb5/src/lib/gssapi/krb5/ChangeLog
cvs diff -r1.72 -r1.73 krb5/src/lib/gssapi/krb5/Makefile.in
cvs diff -r1.63 -r1.64 krb5/src/lib/gssapi/krb5/gssapiP_krb5.h
cvs diff -r1.5 -r1.6 krb5/src/lib/gssapi/krb5/gssapi_err_krb5.et
cvs diff -r1.79 -r1.80 krb5/src/lib/gssapi/krb5/init_sec_context.c
cvs diff -r0 -r1.1 krb5/src/lib/gssapi/krb5/gssapi_krb5.hin
krb5/src/lib/gssapi/krb5/lucid_context.c
krb5/src/lib/gssapi/krb5/set_allowable_enctypes.c
cvs diff -r1.27 -r0 krb5/src/lib/gssapi/krb5/gssapi_krb5.h

# Wed Jun 09 08:48:57 2004 kwc@citi.umich.edu (Kevin Coffman) - Comments added

To:	rt-comment@krbdev.mit.edu
Cc:	kwc@citi.umich.edu, krb5-prs@mit.edu
Subject:	Re: [krbdev.mit.edu #2587] Why does set_allowable_enctypes take a mechanism
Date:	Wed, 09 Jun 2004 08:48:54 -0400
From:	Kevin Coffman <kwc@citi.umich.edu>
RT-Send-Cc:

Download (untitled) / with headers
text/plain 421B

Show quoted text

> Why does gss_krb5_set_allowable_enctypes take a mechanism oid?

Obviously, it is not used. I just forgot to remove it.
I believe Love pointed this out as unnecessary earlier.

Show quoted text

> O, for namespace consistency I've renamed
> krb5_gss_set_allowable_enctypes to gss_krb5_set_allowable_enctypes.

I'm happy with either name. It makes our glue code a bit more
complicated.

BTW, I don't think we need to add any copyright.

# Wed Jun 09 13:58:21 2004 hartmans (Sam Hartman) - Correspondence added

To:	rt@krbdev.mit.edu
Subject:	Re: [krbdev.mit.edu #2587] Why does set_allowable_enctypes take a mechanism
From:	Sam Hartman <hartmans@mit.edu>
Date:	Wed, 09 Jun 2004 13:58:19 -0400
RT-Send-Cc:

Download (untitled) / with headers
text/plain 119B

OK. I believe things are all checked in then. You should look at
gssapi_krb5.h and see if things look good for you.

# Wed Jun 09 14:15:35 2004 kwc@citi.umich.edu (Kevin Coffman) - Comments added

To:	rt-comment@krbdev.mit.edu
Cc:	kwc@citi.umich.edu, krb5-prs@mit.edu
Subject:	Re: [krbdev.mit.edu #2587] Why does set_allowable_enctypes take a mechanism
Date:	Wed, 09 Jun 2004 14:15:33 -0400
From:	Kevin Coffman <kwc@citi.umich.edu>
RT-Send-Cc:

Download (untitled) / with headers
text/plain 317B

Show quoted text

> OK. I believe things are all checked in then. You should look at
> gssapi_krb5.h and see if things look good for you.

I'm trying it out. I'm still/again hitting an assertion failure
involved with the pthreads locking changes, but am currently trying to
create a better environment where I can test/debug this.

# Wed Jun 09 19:56:46 2004 raeburn (Ken Raeburn) - Comments added

Cc:	rt-comment@krbdev.mit.edu, krb5-prs@mit.edu
From:	Ken Raeburn <raeburn@MIT.EDU>
Subject:	Re: [krbdev.mit.edu #2587] Why does set_allowable_enctypes take a mechanism
Date:	Wed, 9 Jun 2004 19:56:20 -0400
To:	Kevin Coffman <kwc@citi.umich.edu>
RT-Send-Cc:

Download (untitled) / with headers
text/plain 844B

On Jun 9, 2004, at 14:15, Kevin Coffman wrote:

Show quoted text

> I'm trying it out. I'm still/again hitting an assertion failure
> involved with the pthreads locking changes, but am currently trying to
> create a better environment where I can test/debug this.

I'd like to know of any cases like that you run into, if it's a
single-threaded program, or if it's a multi-threaded program *and* you
configured the Kerberos build with --enable-thread-support. That
option may not be present in our next release, so don't advertise it
too much.

If it's a multi-threaded program and the thread support isn't turned
on, then assertion failures are the correct result, for the current
snapshots. The debug code is still switched on in that case to help me
find cases where locks are accidentally left locked, or don't get
initialized properly, etc.

Ken

# Wed Jun 09 22:17:43 2004 hartmans (Sam Hartman) - Correspondence added

From:	hartmans@mit.edu
Subject:	CVS Commit

Download (untitled) / with headers
text/plain 211B

Install gssapi_krb5.h from build dir not srcdir.

To generate a diff of this commit:

cvs diff -r1.255 -r1.256 krb5/src/lib/gssapi/krb5/ChangeLog
cvs diff -r1.74 -r1.75 krb5/src/lib/gssapi/krb5/Makefile.in

# Thu Jul 29 11:29:26 2004 hartmans (Sam Hartman) - Status changed from 'open' to 'resolved'

# Thu Jul 29 11:29:26 2004 hartmans (Sam Hartman) - Correspondence added

From:	hartmans@mit.edu
Subject:	CVS Commit

Download (untitled) / with headers
text/plain 226B

Export lucid context functions and gss_krb5_set_allowable_enctypes

To generate a diff of this commit:

cvs diff -r1.76 -r1.77 krb5/src/lib/gssapi/ChangeLog
cvs diff -r1.2 -r1.3 krb5/src/lib/gssapi/libgssapi_krb5.exports

# Mon Nov 15 22:22:10 2004 tlyu (Taylor Yu) - Version_Fixed 1.4 added