From 05efb47898b7a29edcfca4b1f0d7c57e0a2bab89 Mon Sep 17 00:00:00 2001 
From: Robbie Harwood Date: Thu, 11 Apr 2019 16:42:55 -0400 Subject: [PATCH] Remove Kerberos v4 support vestiges (including ktany support) --- ...on-and-enctype-flag-for-deprecations.patch | 2 +- Add-tests-for-KCM-ccache-type.patch | 2 +- Address-some-optimized-out-memset-calls.patch | 2 +- ...llocating-a-register-in-zap-assembly.patch | 2 +- ...er-comment-for-krb5_cc_start_seq_get.patch | 2 +- ...emory-leak-in-none-replay-cache-type.patch | 2 +- ...5_cc_remove_cred-for-remaining-types.patch | 2 +- ...ebug-log-proper-ticket-enctype-names.patch | 2 +- ...ec-always-log-non-permitted-enctypes.patch | 2 +- ...ype-names-in-KDC-logs-human-readable.patch | 2 +- Mark-deprecated-enctypes-when-used.patch | 2 +- Properly-size-ifdef-in-k5_cccol_lock.patch | 2 +- ...beros-v4-support-vestiges-from-ccapi.patch | 1604 ++++ ...api-related-comments-in-configure.ac.patch | 34 + ...ygen-generated-HTML-output-for-ccapi.patch | 7653 +++++++++++++++++ ...admin-RPC-support-for-setting-v4-key.patch | 466 + Remove-srvtab-support.patch | 1410 +++ krb5-1.11-kpasswdtest.patch | 2 +- krb5-1.11-run_user_0.patch | 2 +- krb5-1.12-api.patch | 2 +- krb5-1.12-ktany.patch | 366 - krb5-1.13-dirsrv-accountlock.patch | 2 +- krb5-1.15-beta1-buildconf.patch | 2 +- ...patch => krb5-1.17-Become-FIPS-aware.patch | 4 +- ...7-FIPS-aware-SPAKE-group-negotiation.patch | 4 +- ...S-mode-add-plaintext-fallback-for-RC.patch | 5 +- ...1.17-Use-openssl-s-PRNG-in-FIPS-mode.patch | 4 +- krb5-1.3.1-dns.patch | 2 +- krb5-1.9-debuginfo.patch | 2 +- krb5.spec | 22 +- 30 files changed, 11208 insertions(+), 402 deletions(-) create mode 100644 Remove-Kerberos-v4-support-vestiges-from-ccapi.patch create mode 100644 Remove-ccapi-related-comments-in-configure.ac.patch create mode 100644 Remove-doxygen-generated-HTML-output-for-ccapi.patch create mode 100644 Remove-kadmin-RPC-support-for-setting-v4-key.patch create mode 100644 Remove-srvtab-support.patch delete mode 100644 krb5-1.12-ktany.patch rename 
Become-FIPS-aware-with-3DES.patch => krb5-1.17-Become-FIPS-aware.patch (98%) rename FIPS-aware-SPAKE-group-negotiation.patch => krb5-1.17-FIPS-aware-SPAKE-group-negotiation.patch (90%) rename In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch => krb5-1.17-In-FIPS-mode-add-plaintext-fallback-for-RC.patch (98%) rename Use-openssl-s-PRNG-in-FIPS-mode.patch => krb5-1.17-Use-openssl-s-PRNG-in-FIPS-mode.patch (89%)
diff --git a/Add-function-and-enctype-flag-for-deprecations.patch b/Add-function-and-enctype-flag-for-deprecations.patch
index 687eba4..61c865e 100644
--- a/Add-function-and-enctype-flag-for-deprecations.patch
+++ b/Add-function-and-enctype-flag-for-deprecations.patch
@@ -1,4 +1,4 @@
-From 15d1cbd15d4ea8113fc5dd7bc446ca2b99ab4085 Mon Sep 17 00:00:00 2001
+From 461e3a4d81c73db832401592d417489dc0151a2c Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 15 Jan 2019 16:16:57 -0500
 Subject: [PATCH] Add function and enctype flag for deprecations
diff --git a/Add-tests-for-KCM-ccache-type.patch b/Add-tests-for-KCM-ccache-type.patch
index 177a042..a20a682 100644
--- a/Add-tests-for-KCM-ccache-type.patch
+++ b/Add-tests-for-KCM-ccache-type.patch
@@ -1,4 +1,4 @@
-From e863c1e068775d066241edacff2bdb50cf1be27c Mon Sep 17 00:00:00 2001
+From 306c0260dca7809c90dfa9e8889a6bd2401cee84 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Thu, 22 Nov 2018 00:27:35 -0500
 Subject: [PATCH] Add tests for KCM ccache type
diff --git a/Address-some-optimized-out-memset-calls.patch b/Address-some-optimized-out-memset-calls.patch
index 60cd6a0..6572ba0 100644
--- a/Address-some-optimized-out-memset-calls.patch
+++ b/Address-some-optimized-out-memset-calls.patch
@@ -1,4 +1,4 @@
-From d3690641a5eecf8ee031053bdedbaa4e249cc771 Mon Sep 17 00:00:00 2001
+From 3dd99db324de1492444aab3e5468aea5f1767c6d Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Sun, 30 Dec 2018 16:40:28 -0500
 Subject: [PATCH] Address some optimized-out memset() calls
diff --git a/Avoid-allocating-a-register-in-zap-assembly.patch b/Avoid-allocating-a-register-in-zap-assembly.patch
index 3406b63..b0c139f 100644
--- a/Avoid-allocating-a-register-in-zap-assembly.patch
+++ b/Avoid-allocating-a-register-in-zap-assembly.patch
@@ -1,4 +1,4 @@
-From d8cba3893687a3976569fef97c1614b9b51ad573 Mon Sep 17 00:00:00 2001
+From 26dc343d4e59ef0f80e1ecca09b40f120b79d809 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider
 Date: Thu, 3 Jan 2019 17:19:32 +0100
 Subject: [PATCH] Avoid allocating a register in zap() assembly
diff --git a/Clarify-header-comment-for-krb5_cc_start_seq_get.patch b/Clarify-header-comment-for-krb5_cc_start_seq_get.patch
index a36c364..b898655 100644
--- a/Clarify-header-comment-for-krb5_cc_start_seq_get.patch
+++ b/Clarify-header-comment-for-krb5_cc_start_seq_get.patch
@@ -1,4 +1,4 @@
-From 7f4af607c9362acc596bc63ca4c46699327d0cae Mon Sep 17 00:00:00 2001
+From 18dd4d5c622238d1607671198cf2b2ddec9abda5 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 2 Apr 2019 14:18:57 -0400
 Subject: [PATCH] Clarify header comment for krb5_cc_start_seq_get()
diff --git a/Fix-memory-leak-in-none-replay-cache-type.patch b/Fix-memory-leak-in-none-replay-cache-type.patch
index 8141247..07e1091 100644
--- a/Fix-memory-leak-in-none-replay-cache-type.patch
+++ b/Fix-memory-leak-in-none-replay-cache-type.patch
@@ -1,4 +1,4 @@
-From 472131596213337ae01b792aef2fb2580738a1df Mon Sep 17 00:00:00 2001
+From 050acb871c242931b3fb51c59461f22555046d19 Mon Sep 17 00:00:00 2001
 From: Corene Casper
 Date: Sat, 16 Feb 2019 00:49:26 -0500
 Subject: [PATCH] Fix memory leak in 'none' replay cache type
diff --git a/Implement-krb5_cc_remove_cred-for-remaining-types.patch b/Implement-krb5_cc_remove_cred-for-remaining-types.patch
index dfb57bd..a656d57 100644
--- a/Implement-krb5_cc_remove_cred-for-remaining-types.patch
+++ b/Implement-krb5_cc_remove_cred-for-remaining-types.patch
@@ -1,4 +1,4 @@
-From f1449621399def78384c34216454bd1dfceefb8f Mon Sep 17 00:00:00 2001
+From 57ce492d6700ca6417cc43f3e97e0186b2cdfa90 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Mon, 1 Apr 2019 14:28:48 -0400
 Subject: [PATCH] Implement krb5_cc_remove_cred for remaining types
diff --git a/In-kpropd-debug-log-proper-ticket-enctype-names.patch b/In-kpropd-debug-log-proper-ticket-enctype-names.patch
index 1450698..8f0c0ca 100644
--- a/In-kpropd-debug-log-proper-ticket-enctype-names.patch
+++ b/In-kpropd-debug-log-proper-ticket-enctype-names.patch
@@ -1,4 +1,4 @@
-From 220762a0bdc5151a0d4a25bc7e56251ef351b560 Mon Sep 17 00:00:00 2001
+From c06d20bf241059059cc3ffd810a44e310ff9970d Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 15 Jan 2019 13:41:16 -0500
 Subject: [PATCH] In kpropd, debug-log proper ticket enctype names
diff --git a/In-rd_req_dec-always-log-non-permitted-enctypes.patch b/In-rd_req_dec-always-log-non-permitted-enctypes.patch
index b36321a..9947e2f 100644
--- a/In-rd_req_dec-always-log-non-permitted-enctypes.patch
+++ b/In-rd_req_dec-always-log-non-permitted-enctypes.patch
@@ -1,4 +1,4 @@
-From 28528d8169d9af3830b3a162c525a8e1a71f05f4 Mon Sep 17 00:00:00 2001
+From 6a316b681a2e0b6917285b9a0cdde605d463288b Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Mon, 14 Jan 2019 17:14:42 -0500
 Subject: [PATCH] In rd_req_dec, always log non-permitted enctypes
diff --git a/Make-etype-names-in-KDC-logs-human-readable.patch b/Make-etype-names-in-KDC-logs-human-readable.patch
index 9915f69..6fd40d7 100644
--- a/Make-etype-names-in-KDC-logs-human-readable.patch
+++ b/Make-etype-names-in-KDC-logs-human-readable.patch
@@ -1,4 +1,4 @@
-From d32d0cfbbe1386b2cf9b31682df4c35ccc029bda Mon Sep 17 00:00:00 2001
+From 2a8005296c3da39f6d0c6ecd48b950447897af91 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 8 Jan 2019 17:42:35 -0500
 Subject: [PATCH] Make etype names in KDC logs human-readable
diff --git a/Mark-deprecated-enctypes-when-used.patch b/Mark-deprecated-enctypes-when-used.patch
index 6faf378..596c74b 100644
--- a/Mark-deprecated-enctypes-when-used.patch
+++ b/Mark-deprecated-enctypes-when-used.patch
@@ -1,4 +1,4 @@
-From 0f4d9265c808a1e78fb90b54d39e58f3f89e672f Mon Sep 17 00:00:00 2001
+From 6d265afd53ead9290948b5ba07438b6a91939bfd Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 10 Jan 2019 16:34:54 -0500
 Subject: [PATCH] Mark deprecated enctypes when used
diff --git a/Properly-size-ifdef-in-k5_cccol_lock.patch b/Properly-size-ifdef-in-k5_cccol_lock.patch
index 23fb478..bdaa775 100644
--- a/Properly-size-ifdef-in-k5_cccol_lock.patch
+++ b/Properly-size-ifdef-in-k5_cccol_lock.patch
@@ -1,4 +1,4 @@
-From 8bdcbe143adc71918bd6e5f2e075df6b8e31267a Mon Sep 17 00:00:00 2001
+From ec9e4597188234e402cd318aebe0fa0a3587a993 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 14 Feb 2019 11:50:35 -0500
 Subject: [PATCH] Properly size #ifdef in k5_cccol_lock()
diff --git a/Remove-Kerberos-v4-support-vestiges-from-ccapi.patch b/Remove-Kerberos-v4-support-vestiges-from-ccapi.patch
new file mode 100644
index 0000000..12c58a4
--- /dev/null
+++ b/Remove-Kerberos-v4-support-vestiges-from-ccapi.patch
@@ -0,0 +1,1604 @@ +From 7fa37c0c80b3bbd611ba27dd162aa0b6016c20b3 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Thu, 4 Apr 2019 14:37:38 -0400 +Subject: [PATCH] Remove Kerberos v4 support vestiges from ccapi + +(cherry picked from commit 51395dc956ce9eef27c0d6843561d3d3828b03cd) +--- + src/ccapi/common/cci_cred_union.c | 280 +------------------------ + src/ccapi/lib/ccapi_v2.c | 34 +-- + src/ccapi/lib/win/OldCC/ccapi.h | 20 -- + src/ccapi/server/ccs_ccache.c | 69 +----- + src/ccapi/test/test_ccapi_ccache.c | 223 +++----------------- + src/ccapi/test/test_ccapi_constants.c | 2 - + src/ccapi/test/test_ccapi_context.c | 3 - + src/ccapi/test/test_ccapi_v2.c | 89 -------- + src/include/CredentialsCache.h | 156 ++++---------- + src/include/CredentialsCache2.h | 26 +-- + src/lib/krb5/ccache/ccapi/stdcc.c | 2 - + src/lib/krb5/ccache/ccapi/stdcc_util.c | 8 +- + src/windows/kfwlogon/kfwlogon.h | 2 +- + src/windows/leashdll/leash-int.h | 2 +- + src/windows/lib/cacheapi.h | 53 +---- + 15 files changed, 98 insertions(+), 871 deletions(-) + +diff --git a/src/ccapi/common/cci_cred_union.c b/src/ccapi/common/cci_cred_union.c +index 4c8981610..424a93dab 100644 +--- a/src/ccapi/common/cci_cred_union.c ++++ b/src/ccapi/common/cci_cred_union.c +@@ -25,181 +25,6 @@ + + #include "cci_common.h" + +-#ifdef TARGET_OS_MAC +-#pragma mark - +-#endif +- +-/* ------------------------------------------------------------------------ */ +- +-static cc_uint32 cci_credentials_v4_release (cc_credentials_v4_t *io_v4creds) +-{ +- cc_int32 err = ccNoError; +- +- if (!io_v4creds) { err = ccErrBadParam; } +- +- if (!err) { +- memset (io_v4creds, 0, sizeof (*io_v4creds)); +- free (io_v4creds); +- } +- +- return err; +-} +- +-/* ------------------------------------------------------------------------ */ +- +-static cc_uint32 cci_credentials_v4_read (cc_credentials_v4_t **out_v4creds, +- k5_ipc_stream io_stream) +-{ +- cc_int32 err = ccNoError; +- cc_credentials_v4_t *v4creds = NULL; +- +- if 
(!io_stream ) { err = cci_check_error (ccErrBadParam); } +- if (!out_v4creds) { err = cci_check_error (ccErrBadParam); } +- +- if (!err) { +- v4creds = malloc (sizeof (*v4creds)); +- if (!v4creds) { err = cci_check_error (ccErrNoMem); } +- } +- +- if (!err) { +- err = krb5int_ipc_stream_read_uint32 (io_stream, &v4creds->version); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_read (io_stream, v4creds->principal, cc_v4_name_size); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_read (io_stream, v4creds->principal_instance, cc_v4_instance_size); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_read (io_stream, v4creds->service, cc_v4_name_size); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_read (io_stream, v4creds->service_instance, cc_v4_instance_size); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_read (io_stream, v4creds->realm, cc_v4_realm_size); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_read (io_stream, v4creds->session_key, cc_v4_key_size); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->kvno); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->string_to_key_type); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_read_time (io_stream, &v4creds->issue_date); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->lifetime); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_read_uint32 (io_stream, &v4creds->address); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->ticket_size); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_read (io_stream, v4creds->ticket, cc_v4_ticket_size); +- } +- +- if (!err) { +- *out_v4creds = v4creds; +- v4creds = NULL; +- } +- +- free (v4creds); +- +- return cci_check_error (err); +-} +- +-/* ------------------------------------------------------------------------ */ +- +-static cc_uint32 cci_credentials_v4_write (cc_credentials_v4_t *in_v4creds, +- k5_ipc_stream 
io_stream) +-{ +- cc_int32 err = ccNoError; +- +- if (!io_stream ) { err = cci_check_error (ccErrBadParam); } +- if (!in_v4creds) { err = cci_check_error (ccErrBadParam); } +- +- if (!err) { +- err = krb5int_ipc_stream_write_uint32 (io_stream, in_v4creds->version); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_write (io_stream, in_v4creds->principal, cc_v4_name_size); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_write (io_stream, in_v4creds->principal_instance, cc_v4_instance_size); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_write (io_stream, in_v4creds->service, cc_v4_name_size); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_write (io_stream, in_v4creds->service_instance, cc_v4_instance_size); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_write (io_stream, in_v4creds->realm, cc_v4_realm_size); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_write (io_stream, in_v4creds->session_key, cc_v4_key_size); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->kvno); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->string_to_key_type); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_write_time (io_stream, in_v4creds->issue_date); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->lifetime); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_write_uint32 (io_stream, in_v4creds->address); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->ticket_size); +- } +- +- if (!err) { +- err = krb5int_ipc_stream_write (io_stream, in_v4creds->ticket, cc_v4_ticket_size); +- } +- +- return cci_check_error (err); +-} +- +-#ifdef TARGET_OS_MAC +-#pragma mark - +-#endif +- + /* ------------------------------------------------------------------------ */ + + static cc_uint32 cci_cc_data_contents_release (cc_data *io_ccdata) +@@ -600,9 +425,7 @@ cc_uint32 cci_credentials_union_release (cc_credentials_union 
*io_cred_union) + if (!io_cred_union) { err = ccErrBadParam; } + + if (!err) { +- if (io_cred_union->version == cc_credentials_v4) { +- cci_credentials_v4_release (io_cred_union->credentials.credentials_v4); +- } else if (io_cred_union->version == cc_credentials_v5) { ++ if (io_cred_union->version == cc_credentials_v5) { + cci_credentials_v5_release (io_cred_union->credentials.credentials_v5); + } + free (io_cred_union); +@@ -632,11 +455,7 @@ cc_uint32 cci_credentials_union_read (cc_credentials_union **out_credentials_uni + } + + if (!err) { +- if (credentials_union->version == cc_credentials_v4) { +- err = cci_credentials_v4_read (&credentials_union->credentials.credentials_v4, +- io_stream); +- +- } else if (credentials_union->version == cc_credentials_v5) { ++ if (credentials_union->version == cc_credentials_v5) { + err = cci_credentials_v5_read (&credentials_union->credentials.credentials_v5, + io_stream); + +@@ -671,11 +490,7 @@ cc_uint32 cci_credentials_union_write (const cc_credentials_union *in_credential + } + + if (!err) { +- if (in_credentials_union->version == cc_credentials_v4) { +- err = cci_credentials_v4_write (in_credentials_union->credentials.credentials_v4, +- io_stream); +- +- } else if (in_credentials_union->version == cc_credentials_v5) { ++ if (in_credentials_union->version == cc_credentials_v5) { + err = cci_credentials_v5_write (in_credentials_union->credentials.credentials_v5, + io_stream); + +@@ -714,11 +529,7 @@ cc_uint32 cci_cred_union_release (cred_union *io_cred_union) + if (!io_cred_union) { err = ccErrBadParam; } + + if (!err) { +- if (io_cred_union->cred_type == CC_CRED_V4) { +- memset (io_cred_union->cred.pV4Cred, 0, sizeof (cc_credentials_v4_compat)); +- free (io_cred_union->cred.pV4Cred); +- +- } else if (io_cred_union->cred_type == CC_CRED_V5) { ++ if (io_cred_union->cred_type == CC_CRED_V5) { + free (io_cred_union->cred.pV5Cred->client); + free (io_cred_union->cred.pV5Cred->server); + cci_cc_data_contents_release 
(&io_cred_union->cred.pV5Cred->keyblock); +@@ -829,36 +640,7 @@ cc_uint32 cci_credentials_union_to_cred_union (const cc_credentials_union *in_c + } + + if (!err) { +- if (in_credentials_union->version == cc_credentials_v4) { +- cc_credentials_v4_compat *compat_v4creds = NULL; +- +- compat_v4creds = malloc (sizeof (*compat_v4creds)); +- if (!compat_v4creds) { err = cci_check_error (ccErrNoMem); } +- +- if (!err) { +- cc_credentials_v4_t *v4creds = in_credentials_union->credentials.credentials_v4; +- +- compat_cred_union->cred_type = CC_CRED_V4; +- compat_cred_union->cred.pV4Cred = compat_v4creds; +- +- compat_v4creds->kversion = v4creds->version; +- strncpy (compat_v4creds->principal, v4creds->principal, KRB_NAME_SZ+1); +- strncpy (compat_v4creds->principal_instance, v4creds->principal_instance, KRB_INSTANCE_SZ+1); +- strncpy (compat_v4creds->service, v4creds->service, KRB_NAME_SZ+1); +- strncpy (compat_v4creds->service_instance, v4creds->service_instance, KRB_INSTANCE_SZ+1); +- strncpy (compat_v4creds->realm, v4creds->realm, KRB_REALM_SZ+1); +- memcpy (compat_v4creds->session_key, v4creds->session_key, 8); +- compat_v4creds->kvno = v4creds->kvno; +- compat_v4creds->str_to_key = v4creds->string_to_key_type; +- compat_v4creds->issue_date = v4creds->issue_date; +- compat_v4creds->lifetime = v4creds->lifetime; +- compat_v4creds->address = v4creds->address; +- compat_v4creds->ticket_sz = v4creds->ticket_size; +- memcpy (compat_v4creds->ticket, v4creds->ticket, MAX_V4_CRED_LEN); +- compat_v4creds->oops = 0; +- } +- +- } else if (in_credentials_union->version == cc_credentials_v5) { ++ if (in_credentials_union->version == cc_credentials_v5) { + cc_credentials_v5_t *v5creds = in_credentials_union->credentials.credentials_v5; + cc_credentials_v5_compat *compat_v5creds = NULL; + +@@ -951,36 +733,7 @@ cc_uint32 cci_cred_union_to_credentials_union (const cred_union *in_cred_un + } + + if (!err) { +- if (in_cred_union->cred_type == CC_CRED_V4) { +- cc_credentials_v4_compat 
*compat_v4creds = in_cred_union->cred.pV4Cred; +- cc_credentials_v4_t *v4creds = NULL; +- +- if (!err) { +- v4creds = malloc (sizeof (*v4creds)); +- if (!v4creds) { err = cci_check_error (ccErrNoMem); } +- } +- +- if (!err) { +- creds_union->version = cc_credentials_v4; +- creds_union->credentials.credentials_v4 = v4creds; +- +- v4creds->version = compat_v4creds->kversion; +- strncpy (v4creds->principal, compat_v4creds->principal, KRB_NAME_SZ); +- strncpy (v4creds->principal_instance, compat_v4creds->principal_instance, KRB_INSTANCE_SZ); +- strncpy (v4creds->service, compat_v4creds->service, KRB_NAME_SZ); +- strncpy (v4creds->service_instance, compat_v4creds->service_instance, KRB_INSTANCE_SZ); +- strncpy (v4creds->realm, compat_v4creds->realm, KRB_REALM_SZ); +- memcpy (v4creds->session_key, compat_v4creds->session_key, 8); +- v4creds->kvno = compat_v4creds->kvno; +- v4creds->string_to_key_type = compat_v4creds->str_to_key; +- v4creds->issue_date = compat_v4creds->issue_date; +- v4creds->lifetime = compat_v4creds->lifetime; +- v4creds->address = compat_v4creds->address; +- v4creds->ticket_size = compat_v4creds->ticket_sz; +- memcpy (v4creds->ticket, compat_v4creds->ticket, MAX_V4_CRED_LEN); +- } +- +- } else if (in_cred_union->cred_type == CC_CRED_V5) { ++ if (in_cred_union->cred_type == CC_CRED_V5) { + cc_credentials_v5_compat *compat_v5creds = in_cred_union->cred.pV5Cred; + cc_credentials_v5_t *v5creds = NULL; + +@@ -1072,26 +825,7 @@ cc_uint32 cci_cred_union_compare_to_credentials_union (const cred_union + if (!out_equal ) { err = cci_check_error (ccErrBadParam); } + + if (!err) { +- if (in_cred_union_compat->cred_type == CC_CRED_V4 && +- in_credentials_union->version == cc_credentials_v4) { +- cc_credentials_v4_compat *old_creds_v4 = in_cred_union_compat->cred.pV4Cred; +- cc_credentials_v4_t *new_creds_v4 = in_credentials_union->credentials.credentials_v4; +- +- if (old_creds_v4 && new_creds_v4 && +- !strcmp (old_creds_v4->principal, +- new_creds_v4->principal) 
&& +- !strcmp (old_creds_v4->principal_instance, +- new_creds_v4->principal_instance) && +- !strcmp (old_creds_v4->service, +- new_creds_v4->service) && +- !strcmp (old_creds_v4->service_instance, +- new_creds_v4->service_instance) && +- !strcmp (old_creds_v4->realm, new_creds_v4->realm) && +- (old_creds_v4->issue_date == (long) new_creds_v4->issue_date)) { +- equal = 1; +- } +- +- } else if (in_cred_union_compat->cred_type == CC_CRED_V5 && ++ if (in_cred_union_compat->cred_type == CC_CRED_V5 && + in_credentials_union->version == cc_credentials_v5) { + cc_credentials_v5_compat *old_creds_v5 = in_cred_union_compat->cred.pV5Cred; + cc_credentials_v5_t *new_creds_v5 = in_credentials_union->credentials.credentials_v5; +diff --git a/src/ccapi/lib/ccapi_v2.c b/src/ccapi/lib/ccapi_v2.c +index 8a831d796..ae9b790b0 100644 +--- a/src/ccapi/lib/ccapi_v2.c ++++ b/src/ccapi/lib/ccapi_v2.c +@@ -44,10 +44,7 @@ static cc_int32 cci_remap_version (cc_int32 in_v2_version, + if (!out_v3_version) { err = cci_check_error (ccErrBadParam); } + + if (!err) { +- if (in_v2_version == CC_CRED_V4) { +- *out_v3_version = cc_credentials_v4; +- +- } else if (in_v2_version == CC_CRED_V5) { ++ if (in_v2_version == CC_CRED_V5) { + *out_v3_version = cc_credentials_v5; + + } else { +@@ -450,10 +447,7 @@ cc_result cc_get_cred_version (apiCB *in_context, + } + + if (!err) { +- if (compat_version == cc_credentials_v4) { +- *out_version = CC_CRED_V4; +- +- } else if (compat_version == cc_credentials_v5) { ++ if (compat_version == cc_credentials_v5) { + *out_version = CC_CRED_V5; + + } else { +@@ -642,10 +636,6 @@ cc_result cc_seq_fetch_NCs_next (apiCB *in_context, + if (!out_ccache ) { err = cci_check_error (ccErrBadParam); } + if (!in_iterator) { err = cci_check_error (ccErrBadParam); } + +- /* CCache iterators need to return some ccaches twice (when v3 ccache has +- * two kinds of credentials). To do that, we return such ccaches twice +- * v4 first, then v5. 
*/ +- + if (!err) { + err = cci_ccache_iterator_get_saved_ccache_name (iterator, + &saved_ccache_name); +@@ -674,25 +664,7 @@ cc_result cc_seq_fetch_NCs_next (apiCB *in_context, + } + + if (!err) { +- if (version == cc_credentials_v4_v5) { +- cc_string_t name = NULL; +- +- err = cci_ccache_set_compat_version (ccache, cc_credentials_v4); +- +- if (!err) { +- err = ccapi_ccache_get_name (ccache, &name); +- } +- +- if (!err) { +- err = cci_ccache_iterator_set_saved_ccache_name (iterator, +- name->data); +- } +- +- if (name) { ccapi_string_release (name); } +- +- } else { +- err = cci_ccache_set_compat_version (ccache, version); +- } ++ err = cci_ccache_set_compat_version (ccache, version); + } + } + } +diff --git a/src/ccapi/lib/win/OldCC/ccapi.h b/src/ccapi/lib/win/OldCC/ccapi.h +index 82512771a..4d6f3faaf 100644 +--- a/src/ccapi/lib/win/OldCC/ccapi.h ++++ b/src/ccapi/lib/win/OldCC/ccapi.h +@@ -80,7 +80,6 @@ enum __MIDL_ccapi_0003 + { KRB_NAME_SZ = 40, + KRB_INSTANCE_SZ = 40, + KRB_REALM_SZ = 40, +- MAX_V4_CRED_LEN = 1250 + } ; + typedef struct _NC_INFO + { +@@ -95,24 +94,6 @@ typedef struct _NC_INFO_LIST + /* [size_is] */ NC_INFO *info; + } NC_INFO_LIST; + +-typedef struct _V4_CRED +- { +- CC_UCHAR kversion; +- CC_CHAR principal[ 41 ]; +- CC_CHAR principal_instance[ 41 ]; +- CC_CHAR service[ 41 ]; +- CC_CHAR service_instance[ 41 ]; +- CC_CHAR realm[ 41 ]; +- CC_UCHAR session_key[ 8 ]; +- CC_INT32 kvno; +- CC_INT32 str_to_key; +- CC_INT32 issue_date; +- CC_INT32 lifetime; +- CC_UINT32 address; +- CC_INT32 ticket_sz; +- CC_UCHAR ticket[ 1250 ]; +- } V4_CRED; +- + typedef struct _CC_DATA + { + CC_UINT32 type; +@@ -145,7 +126,6 @@ typedef struct _V5_CRED + + typedef /* [switch_type] */ union _CRED_PTR_UNION + { +- /* [case()] */ V4_CRED *pV4Cred; + /* [case()] */ V5_CRED *pV5Cred; + } CRED_PTR_UNION; + +diff --git a/src/ccapi/server/ccs_ccache.c b/src/ccapi/server/ccs_ccache.c +index 65c59e4be..645380a7b 100644 +--- a/src/ccapi/server/ccs_ccache.c ++++ 
b/src/ccapi/server/ccs_ccache.c +@@ -31,19 +31,16 @@ struct ccs_ccache_d { + ccs_lock_state_t lock_state; + cc_uint32 creds_version; + char *name; +- char *v4_principal; + char *v5_principal; + cc_time_t last_default_time; + cc_time_t last_changed_time; +- cc_uint32 kdc_time_offset_v4_valid; +- cc_time_t kdc_time_offset_v4; + cc_uint32 kdc_time_offset_v5_valid; + cc_time_t kdc_time_offset_v5; + ccs_credentials_list_t credentials; + ccs_callback_array_t change_callbacks; + }; + +-struct ccs_ccache_d ccs_ccache_initializer = { NULL, NULL, 0, NULL, NULL, NULL, 0, 0, 0, 0, 0, 0, NULL, NULL }; ++struct ccs_ccache_d ccs_ccache_initializer = { NULL, NULL, 0, NULL, NULL, 0, 0, 0, 0, NULL, NULL }; + + /* ------------------------------------------------------------------------ */ + +@@ -88,11 +85,7 @@ cc_int32 ccs_ccache_new (ccs_ccache_t *out_ccache, + if (!err) { + ccache->creds_version = in_creds_version; + +- if (ccache->creds_version == cc_credentials_v4) { +- ccache->v4_principal = strdup (in_principal); +- if (!ccache->v4_principal) { err = cci_check_error (ccErrNoMem); } +- +- } else if (ccache->creds_version == cc_credentials_v5) { ++ if (ccache->creds_version == cc_credentials_v5) { + ccache->v5_principal = strdup (in_principal); + if (!ccache->v5_principal) { err = cci_check_error (ccErrNoMem); } + +@@ -147,7 +140,6 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache, + const char *in_principal) + { + cc_int32 err = ccNoError; +- char *v4_principal = NULL; + char *v5_principal = NULL; + ccs_credentials_list_t credentials = NULL; + +@@ -158,11 +150,7 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache, + if (!err) { + io_ccache->creds_version = in_creds_version; + +- if (io_ccache->creds_version == cc_credentials_v4) { +- v4_principal = strdup (in_principal); +- if (!v4_principal) { err = cci_check_error (ccErrNoMem); } +- +- } else if (io_ccache->creds_version == cc_credentials_v5) { ++ if (io_ccache->creds_version == cc_credentials_v5) { + v5_principal = strdup 
(in_principal); + if (!v5_principal) { err = cci_check_error (ccErrNoMem); } + +@@ -176,15 +164,9 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache, + } + + if (!err) { +- io_ccache->kdc_time_offset_v4 = 0; +- io_ccache->kdc_time_offset_v4_valid = 0; + io_ccache->kdc_time_offset_v5 = 0; + io_ccache->kdc_time_offset_v5_valid = 0; + +- if (io_ccache->v4_principal) { free (io_ccache->v4_principal); } +- io_ccache->v4_principal = v4_principal; +- v4_principal = NULL; /* take ownership */ +- + if (io_ccache->v5_principal) { free (io_ccache->v5_principal); } + io_ccache->v5_principal = v5_principal; + v5_principal = NULL; /* take ownership */ +@@ -196,7 +178,6 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache, + err = ccs_ccache_changed (io_ccache, io_cache_collection); + } + +- free (v4_principal); + free (v5_principal); + ccs_credentials_list_release (credentials); + +@@ -250,7 +231,6 @@ cc_int32 ccs_ccache_release (ccs_ccache_t io_ccache) + cci_identifier_release (io_ccache->identifier); + ccs_lock_state_release (io_ccache->lock_state); + free (io_ccache->name); +- free (io_ccache->v4_principal); + free (io_ccache->v5_principal); + ccs_credentials_list_release (io_ccache->credentials); + ccs_callback_array_release (io_ccache->change_callbacks); +@@ -607,15 +587,8 @@ static cc_int32 ccs_ccache_get_principal (ccs_ccache_t io_ccache, + err = krb5int_ipc_stream_read_uint32 (in_request_data, &version); + } + +- if (!err && version == cc_credentials_v4_v5) { +- err = cci_check_error (ccErrBadCredentialsVersion); +- } +- + if (!err) { +- if (version == cc_credentials_v4) { +- err = krb5int_ipc_stream_write_string (io_reply_data, io_ccache->v4_principal); +- +- } else if (version == cc_credentials_v5) { ++ if (version == cc_credentials_v5) { + err = krb5int_ipc_stream_write_string (io_reply_data, io_ccache->v5_principal); + + } else { +@@ -652,16 +625,7 @@ static cc_int32 ccs_ccache_set_principal (ccs_ccache_t io_ccache, + + if (!err) { + /* reset KDC time offsets 
because they are per-KDC */ +- if (version == cc_credentials_v4) { +- io_ccache->kdc_time_offset_v4 = 0; +- io_ccache->kdc_time_offset_v4_valid = 0; +- +- if (io_ccache->v4_principal) { free (io_ccache->v4_principal); } +- io_ccache->v4_principal = principal; +- principal = NULL; /* take ownership */ +- +- +- } else if (version == cc_credentials_v5) { ++ if (version == cc_credentials_v5) { + io_ccache->kdc_time_offset_v5 = 0; + io_ccache->kdc_time_offset_v5_valid = 0; + +@@ -998,14 +962,7 @@ static cc_int32 ccs_ccache_get_kdc_time_offset (ccs_ccache_t io_ccache + } + + if (!err) { +- if (cred_vers == cc_credentials_v4) { +- if (io_ccache->kdc_time_offset_v4_valid) { +- err = krb5int_ipc_stream_write_time (io_reply_data, io_ccache->kdc_time_offset_v4); +- } else { +- err = cci_check_error (ccErrTimeOffsetNotSet); +- } +- +- } else if (cred_vers == cc_credentials_v5) { ++ if (cred_vers == cc_credentials_v5) { + if (io_ccache->kdc_time_offset_v5_valid) { + err = krb5int_ipc_stream_write_time (io_reply_data, io_ccache->kdc_time_offset_v5); + } else { +@@ -1040,13 +997,7 @@ static cc_int32 ccs_ccache_set_kdc_time_offset (ccs_ccache_t io_ccache + } + + if (!err) { +- if (cred_vers == cc_credentials_v4) { +- err = krb5int_ipc_stream_read_time (in_request_data, &io_ccache->kdc_time_offset_v4); +- +- if (!err) { +- io_ccache->kdc_time_offset_v4_valid = 1; +- } +- } else if (cred_vers == cc_credentials_v5) { ++ if (cred_vers == cc_credentials_v5) { + err = krb5int_ipc_stream_read_time (in_request_data, &io_ccache->kdc_time_offset_v5); + + if (!err) { +@@ -1084,11 +1035,7 @@ static cc_int32 ccs_ccache_clear_kdc_time_offset (ccs_ccache_t io_ccac + } + + if (!err) { +- if (cred_vers == cc_credentials_v4) { +- io_ccache->kdc_time_offset_v4 = 0; +- io_ccache->kdc_time_offset_v4_valid = 0; +- +- } else if (cred_vers == cc_credentials_v5) { ++ if (cred_vers == cc_credentials_v5) { + io_ccache->kdc_time_offset_v5 = 0; + io_ccache->kdc_time_offset_v5_valid = 0; + +diff --git 
a/src/ccapi/test/test_ccapi_ccache.c b/src/ccapi/test/test_ccapi_ccache.c +index a0fd84af1..fe63e6710 100644 +--- a/src/ccapi/test/test_ccapi_ccache.c ++++ b/src/ccapi/test/test_ccapi_ccache.c +@@ -303,18 +303,6 @@ int check_cc_ccache_get_credentials_version(void) { + failure_count++; + } + +- // try it with added v4 creds +- if (!err) { +- err = cc_ccache_set_principal(ccache, cc_credentials_v4, "foo@BAR.ORG"); +- } +- if (!err) { +- check_once_cc_ccache_get_credentials_version(ccache, cc_credentials_v4_v5, ccNoError, "v5 with v4 creds added"); +- } +- else { +- log_error("cc_ccache_set_principal failed, can't complete test"); +- failure_count++; +- } +- + if (ccache) { + cc_ccache_destroy(ccache); + ccache = NULL; +@@ -322,35 +310,6 @@ int check_cc_ccache_get_credentials_version(void) { + + err = ccNoError; + +- // try one created with v4 creds +- if (!err) { +- err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo@BAR.ORG", &ccache); +- } +- if (!err) { +- check_once_cc_ccache_get_credentials_version(ccache, cc_credentials_v4, ccNoError, "v4 creds"); +- } +- else { +- log_error("cc_context_create_new_ccache failed, can't complete test"); +- failure_count++; +- } +- +- // try it with added v5 creds +- if (!err) { +- err = cc_ccache_set_principal(ccache, cc_credentials_v5, "foo@BAR.ORG"); +- } +- if (!err) { +- check_once_cc_ccache_get_credentials_version(ccache, cc_credentials_v4_v5, ccNoError, "v4 with v5 creds added"); +- } +- else { +- log_error("cc_ccache_set_principal failed, can't complete test"); +- failure_count++; +- } +- +- if (ccache) { +- cc_ccache_destroy(ccache); +- ccache = NULL; +- } +- + if (context) { cc_context_release(context); } + + #endif /* cc_ccache_get_credentials_version */ +@@ -582,31 +541,13 @@ int check_cc_ccache_get_principal(void) { + log_error("cc_context_create_new_ccache failed, can't complete test"); + failure_count++; + } +- if (ccache) { +- cc_ccache_release(ccache); +- ccache = NULL; +- } + +- // try with krb4 
principal +- if (!err) { +- err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo.BAR@BAZ.ORG", &ccache); +- } +- if (!err) { +- check_once_cc_ccache_get_principal(ccache, cc_credentials_v4, "foo.BAR@BAZ.ORG", ccNoError, "trying to get krb4 princ for krb4 ccache"); +- } +- else { +- log_error("cc_context_create_new_ccache failed, can't complete test"); +- failure_count++; +- } +- +- // try with bad param +- if (!err) { +- // cc_ccache_t doesn't have any concept of the difference between a v4 and v5 principal +- check_once_cc_ccache_get_principal(ccache, cc_credentials_v4_v5, "foo.BAR@BAZ.ORG", +- ccErrBadCredentialsVersion, +- "passing cc_credentials_v4_v5 (shouldn't be allowed)"); +- check_once_cc_ccache_get_principal(ccache, cc_credentials_v5, NULL, ccErrBadParam, "passed null out param"); +- } ++ // try with bad param ++ if (!err) { ++ check_once_cc_ccache_get_principal(ccache, cc_credentials_v5, ++ NULL, ccErrBadParam, ++ "passed null out param"); ++ } + + if (ccache) { + cc_ccache_release(ccache); +@@ -643,99 +584,33 @@ int check_cc_ccache_set_principal(void) { + err = destroy_all_ccaches(context); + } + +- // bad params +- if (!err) { +- err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAZ.ORG", &ccache); +- } +- if (!err) { +- check_once_cc_ccache_set_principal(ccache, cc_credentials_v4_v5, "foo/BAZ@BAR.ORG", ccErrBadCredentialsVersion, "cc_credentials_v4_v5 (not allowed)"); +- check_once_cc_ccache_set_principal(ccache, cc_credentials_v5, NULL, ccErrBadParam, "NULL principal"); +- } +- else { +- log_error("cc_context_create_new_ccache failed, can't complete test"); +- failure_count++; +- } +- if (ccache) { +- cc_ccache_destroy(ccache); +- ccache = NULL; +- } ++ // replace v5 only ccache's principal ++ if (!err) { ++ err = cc_context_create_new_ccache(context, cc_credentials_v5, ++ "foo@BAZ.ORG", &ccache); ++ } ++ if (!err) { ++ check_once_cc_ccache_set_principal( ++ ccache, cc_credentials_v5, "foo/BAZ@BAR.ORG", ccNoError, ++ 
"replace v5 only ccache's principal (empty ccache)"); ++ } ++ else { ++ log_error( ++ "cc_context_create_new_ccache failed, can't complete test"); ++ failure_count++; ++ } + ++ // bad params ++ if (!err) { ++ check_once_cc_ccache_set_principal(ccache, cc_credentials_v5, ++ NULL, ccErrBadParam, ++ "NULL principal"); ++ } + +- // empty ccache +- +- // replace v5 only ccache's principal +- if (!err) { +- err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAZ.ORG", &ccache); +- } +- if (!err) { +- check_once_cc_ccache_set_principal(ccache, cc_credentials_v5, "foo/BAZ@BAR.ORG", ccNoError, "replace v5 only ccache's principal (empty ccache)"); +- } +- else { +- log_error("cc_context_create_new_ccache failed, can't complete test"); +- failure_count++; +- } +- if (ccache) { +- cc_ccache_destroy(ccache); +- ccache = NULL; +- } +- +- // add v4 principal to v5 only ccache +- if (!err) { +- err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAZ.ORG", &ccache); +- } +- if (!err) { +- check_once_cc_ccache_set_principal(ccache, cc_credentials_v4, "foo.BAZ@BAR.ORG", ccNoError, "add v4 principal to v5 only ccache (empty ccache)"); +- } +- else { +- log_error("cc_context_create_new_ccache failed, can't complete test"); +- failure_count++; +- } +- if (ccache) { +- cc_ccache_destroy(ccache); +- ccache = NULL; +- } +- +- // replace v4 only ccache's principal +- if (!err) { +- err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo@BAZ.ORG", &ccache); +- } +- if (!err) { +- check_once_cc_ccache_set_principal(ccache, cc_credentials_v4, "foo.BAZ@BAR.ORG", ccNoError, "replace v4 only ccache's principal (empty ccache)"); +- } +- else { +- log_error("cc_context_create_new_ccache failed, can't complete test"); +- failure_count++; +- } +- if (ccache) { +- cc_ccache_destroy(ccache); +- ccache = NULL; +- } +- +- // add v5 principal to v4 only ccache +- if (!err) { +- err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo@BAZ.ORG", 
&ccache); +- } +- if (!err) { +- check_once_cc_ccache_set_principal(ccache, cc_credentials_v5, "foo/BAZ@BAR.ORG", ccNoError, "add v5 principal to v4 only ccache (empty ccache)"); +- } +- else { +- log_error("cc_context_create_new_ccache failed, can't complete test"); +- failure_count++; +- } +- if (ccache) { +- cc_ccache_destroy(ccache); +- ccache = NULL; +- } +- +- // with credentials +- +- // replace v5 only ccache's principal +- +- // add v4 principal to v5 only ccache +- +- // replace v4 only ccache's principal +- +- // add v5 principal to v4 only ccache ++ if (ccache) { ++ cc_ccache_destroy(ccache); ++ ccache = NULL; ++ } + + if (context) { + err = destroy_all_ccaches(context); +@@ -847,21 +722,6 @@ int check_cc_ccache_store_credentials(void) { + + if (&creds_union) { release_v5_creds_union(&creds_union); } + +- // bad creds version +- if (!err) { +- err = new_v5_creds_union(&creds_union, "BAR.ORG"); +- } +- +- if (!err) { +- creds_union.version = cc_credentials_v4_v5; +- check_once_cc_ccache_store_credentials(ccache, &creds_union, ccErrBadCredentialsVersion, "v4_v5 creds (invalid) into a ccache with only v5 princ"); +- creds_union.version = cc_credentials_v4; +- check_once_cc_ccache_store_credentials(ccache, &creds_union, ccErrBadCredentialsVersion, "v4 creds into a ccache with only v5 princ"); +- creds_union.version = cc_credentials_v5; +- } +- +- if (&creds_union) { release_v5_creds_union(&creds_union); } +- + // non-existent ccache + if (ccache) { + err = cc_ccache_get_name(ccache, &name); +@@ -1809,21 +1669,10 @@ int check_cc_ccache_get_kdc_time_offset(void) { + err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v5, time_offset); + } + if (!err) { +- check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v5, &time_offset, ccNoError, "offset set for v5 but not v4"); ++ check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v5, &time_offset, ccNoError, "offset set for v5"); + } +- if (!err) { +- 
check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v4, &time_offset, ccErrTimeOffsetNotSet, "asking for v4 offset when only v5 is set"); +- } +- if (!err) { +- err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4, time_offset); +- } +- if (!err) { +- check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v4, &time_offset, ccNoError, "asking for v4 offset when v4 and v5 are set"); +- } +- + + check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v5, NULL, ccErrBadParam, "NULL time_offset out param"); +- check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v4_v5, &time_offset, ccErrBadCredentialsVersion, "v4_v5 creds_vers in param (invalid)"); + + if (ccache) { cc_ccache_release(ccache); } + +@@ -1900,9 +1749,6 @@ int check_cc_ccache_set_kdc_time_offset(void) { + } + + check_once_cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v5, 0, ccNoError, "first time setting offset (v5)"); +- check_once_cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4, 0, ccNoError, "first time setting offset (v4)"); +- +- check_once_cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4_v5, 0, ccErrBadCredentialsVersion, "invalid creds_vers (v4_v5)"); + + if (ccache) { cc_ccache_release(ccache); } + +@@ -1978,15 +1824,10 @@ int check_cc_ccache_clear_kdc_time_offset(void) { + } + + check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v5, ccNoError, "clearing an offset that was never set (v5)"); +- check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v4, ccNoError, "clearing an offset that was never set (v4)"); + + err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v5, 0); +- err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4, 0); + + check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v5, ccNoError, "clearing v5"); +- check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v4, ccNoError, "clearing v4"); +- +- check_once_cc_ccache_clear_kdc_time_offset(ccache, 
cc_credentials_v4_v5, ccErrBadCredentialsVersion, "bad in param creds vers (v4_v5)"); + + if (ccache) { cc_ccache_release(ccache); } + +diff --git a/src/ccapi/test/test_ccapi_constants.c b/src/ccapi/test/test_ccapi_constants.c +index 9f2aecbc2..57377262e 100644 +--- a/src/ccapi/test/test_ccapi_constants.c ++++ b/src/ccapi/test/test_ccapi_constants.c +@@ -46,9 +46,7 @@ int check_constants(void) { + + /* Credentials versions */ + +- check_int(cc_credentials_v4, 1); + check_int(cc_credentials_v5, 2); +- check_int(cc_credentials_v4_v5, (cc_credentials_v4 | cc_credentials_v5)); + + /* Lock types */ + +diff --git a/src/ccapi/test/test_ccapi_context.c b/src/ccapi/test/test_ccapi_context.c +index 09feebee5..2dc348ea0 100644 +--- a/src/ccapi/test/test_ccapi_context.c ++++ b/src/ccapi/test/test_ccapi_context.c +@@ -583,7 +583,6 @@ int check_cc_context_create_ccache(void) { + + // try bad parameters + err = check_once_cc_context_create_ccache(context, NULL, cc_credentials_v5, "foo@BAR.ORG", &ccache, ccErrBadParam, "NULL name"); // NULL name +- err = check_once_cc_context_create_ccache(context, "name", cc_credentials_v4_v5, "foo@BAR.ORG", &ccache, ccErrBadCredentialsVersion, "invalid creds_vers"); // invalid creds_vers + err = check_once_cc_context_create_ccache(context, "name", cc_credentials_v5, NULL, &ccache, ccErrBadParam, "NULL principal"); // NULL principal + err = check_once_cc_context_create_ccache(context, "name", cc_credentials_v5, "foo@BAR.ORG", NULL, ccErrBadParam, "NULL ccache"); // NULL ccache + } +@@ -681,7 +680,6 @@ int check_cc_context_create_default_ccache(void) { + } + + // try bad parameters +- err = check_once_cc_context_create_default_ccache(context, cc_credentials_v4_v5, "foo@BAR.ORG", &ccache, ccErrBadCredentialsVersion, "invalid creds_vers"); // invalid creds_vers + err = check_once_cc_context_create_default_ccache(context, cc_credentials_v5, NULL, &ccache, ccErrBadParam, "NULL principal"); // NULL principal + err = 
check_once_cc_context_create_default_ccache(context, cc_credentials_v5, "foo@BAR.ORG", NULL, ccErrBadParam, "NULL ccache"); // NULL ccache
+ }
+@@ -773,7 +771,6 @@ int check_cc_context_create_new_ccache(void) {
+ if (ccache) { cc_ccache_release(ccache); }
+
+ // try bad parameters
+- err = check_once_cc_context_create_new_ccache(context, 1, cc_credentials_v4_v5, "foo@BAR.ORG", &ccache, ccErrBadCredentialsVersion, "invalid creds_vers"); // invalid creds_vers
+ err = check_once_cc_context_create_new_ccache(context, 1, cc_credentials_v5, NULL, &ccache, ccErrBadParam, "NULL principal"); // NULL principal
+ err = check_once_cc_context_create_new_ccache(context, 1, cc_credentials_v5, "foo@BAR.ORG", NULL, ccErrBadParam, "NULL ccache"); // NULL ccache
+ }
+diff --git a/src/ccapi/test/test_ccapi_v2.c b/src/ccapi/test/test_ccapi_v2.c
+index e0205ce46..c71bb45a8 100644
+--- a/src/ccapi/test/test_ccapi_v2.c
++++ b/src/ccapi/test/test_ccapi_v2.c
+@@ -45,20 +45,6 @@ static int compare_v5_creds_unions_compat(const cred_union *a, const cred_union
+ a->cred.pV5Cred->starttime == b->cred.pV5Cred->starttime) {
+ retval = 0;
+ }
+- } else if (a->cred_type == CC_CRED_V4) {
+- if (!strcmp (a->cred.pV4Cred->principal,
+- b->cred.pV4Cred->principal) &&
+- !strcmp (a->cred.pV4Cred->principal_instance,
+- b->cred.pV4Cred->principal_instance) &&
+- !strcmp (a->cred.pV4Cred->service,
+- b->cred.pV4Cred->service) &&
+- !strcmp (a->cred.pV4Cred->service_instance,
+- b->cred.pV4Cred->service_instance) &&
+- !strcmp (a->cred.pV4Cred->realm,
+- b->cred.pV4Cred->realm) &&
+- a->cred.pV4Cred->issue_date == b->cred.pV4Cred->issue_date) {
+- retval = 0;
+- }
+ }
+ }
+
+@@ -361,10 +347,6 @@ int check_cc_open(void) {
+ err = check_once_cc_open(context, name, CC_CRED_V5, &ccache, CC_NOERROR, NULL);
+ }
+
+- // check version
+- if (!err) {
+- err = check_once_cc_open(context, name, CC_CRED_V4, &ccache, CC_ERR_CRED_VERSION, NULL);
+- }
+ // try bad parameters
+ err = check_once_cc_open(context, NULL,
CC_CRED_V5, &ccache, CC_BAD_PARM, NULL);
+ err = check_once_cc_open(context, name, CC_CRED_V5, NULL, CC_BAD_PARM, NULL);
+@@ -681,17 +663,6 @@ int check_cc_get_cred_version(void) {
+
+ err = CC_NOERROR;
+
+- // try one created with v4 creds
+- if (!err) {
+- err = cc_create(context, name, "foo@BAR.ORG", CC_CRED_V4, 0, &ccache);
+- }
+- if (!err) {
+- check_once_cc_get_cred_version(context, ccache, CC_CRED_V4, CC_NOERROR, "v4 creds");
+- }
+- else {
+- log_error("cc_context_create_new_ccache failed, can't complete test");
+- failure_count++;
+- }
+ if (ccache) {
+ cc_destroy(context, &ccache);
+ ccache = NULL;
+@@ -840,7 +811,6 @@ int check_cc_get_principal(void) {
+ apiCB *context = NULL;
+ ccache_p *ccache = NULL;
+ char *name_v5 = "TEST_CC_GET_PRINCIPAL_V5";
+- char *name_v4 = "TEST_CC_GET_PRINCIPAL_V4";
+
+ BEGIN_TEST("cc_get_principal");
+
+@@ -866,18 +836,6 @@ int check_cc_get_principal(void) {
+ ccache = NULL;
+ }
+
+- // try with krb4 principal
+- if (!err) {
+- err = cc_create(context, name_v4, "foo.BAR@BAZ.ORG", CC_CRED_V4, 0, &ccache);
+- }
+- if (!err) {
+- check_once_cc_get_principal(context, ccache, "foo.BAR@BAZ.ORG", CC_NOERROR, "trying to get krb4 princ for krb4 ccache");
+- }
+- else {
+- log_error("cc_create failed, can't complete test");
+- failure_count++;
+- }
+-
+ // try with bad param
+ if (!err) {
+ check_once_cc_get_principal(context, ccache, NULL, CC_BAD_PARM, "passed null out param");
+@@ -945,7 +903,6 @@ int check_cc_set_principal(void) {
+ apiCB *context = NULL;
+ ccache_p *ccache = NULL;
+ char *name_v5 = "TEST_CC_GET_PRINCIPAL_V5";
+- char *name_v4 = "TEST_CC_GET_PRINCIPAL_V4";
+
+ BEGIN_TEST("cc_set_principal");
+
+@@ -972,37 +929,6 @@ int check_cc_set_principal(void) {
+ ccache = NULL;
+ }
+
+- // empty ccache
+-
+- // replace v5 ccache's principal
+- if (!err) {
+- err = cc_create(context, name_v5, "foo@BAZ.ORG", CC_CRED_V5, 0, &ccache);
+- }
+- if (!err) {
+- check_once_cc_set_principal(context, ccache, CC_CRED_V5,
"foo/BAZ@BAR.ORG", CC_NOERROR, "replace v5 only ccache's principal (empty ccache)");
+- check_once_cc_set_principal(context, ccache, CC_CRED_V4, "foo.BAZ@BAR.ORG", CC_ERR_CRED_VERSION, "replace v5 principal with v4");
+- }
+- else {
+- log_error("cc_create failed, can't complete test");
+- failure_count++;
+- }
+- if (ccache) {
+- cc_destroy(context, &ccache);
+- ccache = NULL;
+- }
+-
+- // replace v4 ccache's principal
+- if (!err) {
+- err = cc_create(context, name_v4, "foo@BAZ.ORG", CC_CRED_V4, 0, &ccache);
+- }
+- if (!err) {
+- check_once_cc_set_principal(context, ccache, CC_CRED_V4, "foo.BAZ@BAR.ORG", CC_NOERROR, "replace v4 only ccache's principal (empty ccache)");
+- check_once_cc_set_principal(context, ccache, CC_CRED_V5, "foo/BAZ@BAR.ORG", CC_ERR_CRED_VERSION, "replace v4 principal with v5");
+- }
+- else {
+- log_error("cc_create failed, can't complete test");
+- failure_count++;
+- }
+ if (ccache) {
+ cc_destroy(context, &ccache);
+ ccache = NULL;
+@@ -1102,21 +1028,6 @@ int check_cc_store(void) {
+ }
+ }
+
+- // bad creds version
+- if (!err) {
+- err = new_v5_creds_union_compat(&creds_union, "BAR.ORG");
+-
+- if (!err) {
+- creds_union.cred_type = CC_CRED_MAX;
+- check_once_cc_store(context, ccache, creds_union, CC_ERR_CRED_VERSION, "CC_CRED_MAX (invalid) into a ccache with only v5 princ");
+- creds_union.cred_type = CC_CRED_V4;
+- check_once_cc_store(context, ccache, creds_union, CC_ERR_CRED_VERSION, "v4 creds into a v5 ccache");
+- creds_union.cred_type = CC_CRED_V5;
+-
+- release_v5_creds_union_compat(&creds_union);
+- }
+- }
+-
+ // non-existent ccache
+ if (ccache) {
+ err = cc_get_name(context, ccache, &name);
+diff --git a/src/include/CredentialsCache.h b/src/include/CredentialsCache.h
+index 54f71a1a0..c18159639 100644
+--- a/src/include/CredentialsCache.h
++++ b/src/include/CredentialsCache.h
+@@ -104,19 +104,19 @@ extern "C" {
+ * \section introduction Introduction
+ *
+ * This is the specification for an API which provides Credentials
Cache
+- * services for both Kerberos v5 and v4. The idea behind this API is that
+- * multiple Kerberos implementations can share a single collection of
+- * credentials caches, mediated by this API specification. On the Mac OS
+- * and Microsoft Windows platforms this will allow single-login, even when
+- * more than one Kerberos shared library is in use on a particular system.
++ * services for Kerberos v5 (and previously v4). The idea behind this API is
++ * that multiple Kerberos implementations can share a single collection of
++ * credentials caches, mediated by this API specification. On the Mac OS and
++ * Microsoft Windows platforms this will allow single-login, even when more
++ * than one Kerberos shared library is in use on a particular system.
+ *
+ * Abstractly, a credentials cache collection contains one or more credentials
+ * caches, or ccaches. A ccache is uniquely identified by its name, which is
+ * a string internal to the API and not intended to be presented to users.
+ * The user presentable identifier of a ccache is its principal.
+ *
+- * Unlike the previous versions of the API, version 3 of the API stores both
+- * Kerberos v4 and v5 credentials in the same ccache.
++ * Unlike the previous versions of the API, version 3 of the API could store
++ * credentials for multiple Kerberos versions in the same ccache.
+ *
+ * At any given time, one ccache is the "default" ccache. The exact meaning
+ * of a default ccache is OS-specific; refer to implementation requirements
+@@ -305,10 +305,9 @@ enum {
+ /*!
+ * Credentials versions
+ *
+- * These constants are used in several places in the API to discern
+- * between Kerberos v4 and Kerberos v5. Not all values are valid
+- * inputs and outputs for all functions; function specifications
+- * below detail the allowed values.
++ * These constants are used in several places in the API to discern Kerberos
++ * versions.
Not all values are valid inputs and outputs for all functions;
++ * function specifications below detail the allowed values.
+ *
+ * Kerberos version constants will always be a bit-field, and can be
+ * tested as such; for example the following test will tell you if
+@@ -317,9 +316,9 @@ enum {
+ * if ((ccacheVersion & cc_credentials_v5) != 0)
+ */
+ enum cc_credential_versions {
+- cc_credentials_v4 = 1,
++ /* cc_credentials_v4 = 1, */
+ cc_credentials_v5 = 2,
+- cc_credentials_v4_v5 = 3
++ /* cc_credentials_v4_v5 = 3 */
+ };
+
+ /*!
+@@ -353,29 +352,6 @@ enum cc_lock_modes {
+ cc_lock_block = 1
+ };
+
+-/*!
+- * Sizes of fields in cc_credentials_v4_t.
+- */
+-enum {
+- /* Make sure all of these are multiples of four (for alignment sanity) */
+- cc_v4_name_size = 40,
+- cc_v4_instance_size = 40,
+- cc_v4_realm_size = 40,
+- cc_v4_ticket_size = 1254,
+- cc_v4_key_size = 8
+-};
+-
+-/*!
+- * String to key type (Kerberos v4 only)
+- */
+-enum cc_string_to_key_type {
+- cc_v4_stk_afs = 0,
+- cc_v4_stk_des = 1,
+- cc_v4_stk_columbia_special = 2,
+- cc_v4_stk_krb5 = 3,
+- cc_v4_stk_unknown = 4
+-};
+-
+ /*!@}*/
+
+ /*!
+@@ -482,15 +458,13 @@ typedef cc_ccache_iterator_d *cc_ccache_iterator_t;
+ * \defgroup cc_credentials_reference cc_credentials_t Overview
+ * @{
+ *
+- * The cc_credentials_t type is used to store a single set of
+- * credentials for either Kerberos v4 or Kerberos v5. In addition
+- * to its only function, release(), it contains a pointer to a
+- * cc_credentials_union structure. A cc_credentials_union
++ * The cc_credentials_t type is used to store a single set of credentials for
++ * Kerberos v5. In addition to its only function, release(), it contains a
++ * pointer to a cc_credentials_union structure.
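Review bot: Commenting out the last enumerator of `enum cc_credential_versions` leaves `cc_credentials_v5 = 2,` with a trailing comma before `};`, which strict C89 and pre-C++11 compilers diagnose. This is a public header wrapped in `extern "C"`, so third-party code compiles it under its own flags. Dropping the comma and folding the retired values into one comment avoids that: `cc_credentials_v5 = 2 /* 1 and 3 are retired (v4, v4_v5); do not reuse */`. Keeping the explicit `= 2` is the right choice, since it holds the value stable for existing callers.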
A cc_credentials_union
+ * structure contains an integer of the enumerator type
+- * cc_credentials_version, which is either #cc_credentials_v4 or
+- * #cc_credentials_v5, and a pointer union, which contains either a
+- * cc_credentials_v4_t pointer or a cc_credentials_v5_t pointer,
+- * depending on the value in version.
++ * cc_credentials_version, which is #cc_credentials_v5, and a pointer union,
++ * which contains a cc_credentials_v5_t pointer, depending on the value in
++ * version.
+ *
+ * Variables of the type cc_credentials_t are allocated by the CCAPI
+ * implementation, and should be released with their release()
+@@ -501,43 +475,6 @@ typedef cc_ccache_iterator_d *cc_ccache_iterator_t;
+ * For API functions see \ref cc_credentials_f.
+ */
+
+-/*!
+- * If a cc_credentials_t variable is used to store Kerberos v4
+- * credentials, then credentials.credentials_v4 points to a v4
+- * credentials structure. This structure is similar to a
+- * krb4 API CREDENTIALS structure.
+- */
+-struct cc_credentials_v4_t {
+- cc_uint32 version;
+- /*! A properly quoted string representation of the first component of the client principal */
+- char principal [cc_v4_name_size];
+- /*! A properly quoted string representation of the second component of the client principal */
+- char principal_instance [cc_v4_instance_size];
+- /*! A properly quoted string representation of the first component of the service principal */
+- char service [cc_v4_name_size];
+- /*! A properly quoted string representation of the second component of the service principal */
+- char service_instance [cc_v4_instance_size];
+- /*! A properly quoted string representation of the realm */
+- char realm [cc_v4_realm_size];
+- /*! Ticket session key */
+- unsigned char session_key [cc_v4_key_size];
+- /*! Key version number */
+- cc_int32 kvno;
+- /*! String to key type used. See cc_string_to_key_type for valid values */
+- cc_int32 string_to_key_type;
+- /*!
Time when the ticket was issued */
+- cc_time_t issue_date;
+- /*! Ticket lifetime in 5 minute units */
+- cc_int32 lifetime;
+- /*! IPv4 address of the client the ticket was issued for */
+- cc_uint32 address;
+- /*! Ticket size (no greater than cc_v4_ticket_size) */
+- cc_int32 ticket_size;
+- /*! Ticket data */
+- unsigned char ticket [cc_v4_ticket_size];
+-};
+-typedef struct cc_credentials_v4_t cc_credentials_v4_t;
+-
+ /*!
+ * The CCAPI data structure. This structure is similar to a krb5_data structure.
+ * In a v5 credentials structure, cc_data structures are used
+@@ -602,8 +539,6 @@ struct cc_credentials_union {
+ cc_uint32 version;
+ /*! The credentials. */
+ union {
+- /*! If \a version is #cc_credentials_v4, a pointer to a cc_credentials_v4_t. */
+- cc_credentials_v4_t* credentials_v4;
+ /*! If \a version is #cc_credentials_v5, a pointer to a cc_credentials_v5_t. */
+ cc_credentials_v5_t* credentials_v5;
+ } credentials;
+@@ -781,13 +716,11 @@ struct cc_context_f {
+ * \return On success, #ccNoError. On failure, an error code representing the failure.
+ * \brief \b cc_context_create_ccache(): Create a new ccache.
+ *
+- * Create a new credentials cache. The ccache is uniquely identified by its name.
+- * The principal given is also associated with the ccache and the credentials
+- * version specified. A NULL name is not allowed (and ccErrBadName is returned
+- * if one is passed in). Only cc_credentials_v4 and cc_credentials_v5 are valid
+- * input values for cred_vers. If you want to create a new ccache that will hold
+- * both versions of credentials, call cc_context_create_ccache() with one version,
+- * and then cc_ccache_set_principal() with the other version.
++ * Create a new credentials cache. The ccache is uniquely identified by
++ * its name. The principal given is also associated with the ccache and
++ * the credentials version specified. A NULL name is not allowed (and
++ * ccErrBadName is returned if one is passed in).
Only cc_credentials_v5
++ * can be an input value for cred_vers.
+ *
+ * If you want to create a new ccache (with a unique name), you should use
+ * cc_context_create_new_ccache() instead. If you want to create or reinitialize
+@@ -814,10 +747,9 @@ struct cc_context_f {
+ * cc_context_get_default_ccache_name()); see the description of
+ * cc_context_get_default_ccache_name() for details.
+ *
+- * The principal should be a C string containing an unparsed Kerberos principal
+- * in the format of the appropriate Kerberos version, i.e. \verbatim foo.bar/@BAZ
+- * \endverbatim for Kerberos v4 and \verbatim foo/bar/@BAZ \endverbatim
+- * for Kerberos v5.
++ * The principal should be a C string containing an unparsed Kerberos
++ * principal in the format of the appropriate Kerberos version,
++ * i.e. \verbatim foo/bar/@BAZ \endverbatim for Kerberos v5.
+ */
+ cc_int32 (*create_ccache) (cc_context_t in_context,
+ const char *in_name,
+@@ -1014,14 +946,11 @@ struct cc_ccache_f {
+ * \return On success, #ccNoError. On failure, an error code representing the failure.
+ * \brief \b cc_ccache_get_credentials_version(): Get the credentials version of a ccache.
+ *
+- * cc_ccache_get_credentials_version() returns one value of the enumerated type
+- * cc_credentials_vers. The possible return values are #cc_credentials_v4
+- * (if ccache's v4 principal has been set), #cc_credentials_v5
+- * (if ccache's v5 principal has been set), or #cc_credentials_v4_v5
+- * (if both ccache's v4 and v5 principals have been set). A ccache's
+- * principal is set with one of cc_context_create_ccache(),
+- * cc_context_create_new_ccache(), cc_context_create_default_ccache(), or
+- * cc_ccache_set_principal().
++ * cc_ccache_get_credentials_version() returns one value of the enumerated
++ * type cc_credentials_vers. The return value is #cc_credentials_v5 (if
++ * ccache's v5 principal has been set).
A ccache's principal is set with
++ * one of cc_context_create_ccache(), cc_context_create_new_ccache(),
++ * cc_context_create_default_ccache(), or cc_ccache_set_principal().
+ */
+ cc_int32 (*get_credentials_version) (cc_ccache_t in_ccache,
+ cc_uint32 *out_credentials_version);
+@@ -1046,10 +975,7 @@ struct cc_ccache_f {
+ *
+ * Return the principal for the ccache that was set via cc_context_create_ccache(),
+ * cc_context_create_default_ccache(), cc_context_create_new_ccache(), or
+- * cc_ccache_set_principal(). Principals for v4 and v5 are separate, but
+- * should be kept synchronized for each ccache; they can be retrieved by
+- * passing cc_credentials_v4 or cc_credentials_v5 in cred_vers. Passing
+- * cc_credentials_v4_v5 will result in the error ccErrBadCredentialsVersion.
++ * cc_ccache_set_principal().
+ */
+ cc_int32 (*get_principal) (cc_ccache_t in_ccache,
+ cc_uint32 in_credentials_version,
+@@ -1063,10 +989,7 @@ struct cc_ccache_f {
+ * \return On success, #ccNoError. On failure, an error code representing the failure.
+ * \brief \b cc_ccache_set_principal(): Set the principal of a ccache.
+ *
+- * Set the a principal for ccache. The v4 and v5 principals can be set
+- * independently, but they should always be kept equal, up to differences in
+- * string representation between v4 and v5. Passing cc_credentials_v4_v5 in
+- * cred_vers will result in the error ccErrBadCredentialsVersion.
++ * Set the a principal for ccache.
+ */
+ cc_int32 (*set_principal) (cc_ccache_t io_ccache,
+ cc_uint32 in_credentials_version,
+@@ -1083,12 +1006,13 @@ struct cc_ccache_f {
+ * See the description of the credentials types for the meaning of
+ * cc_credentials_union fields.
+ *
+- * Before credentials of a specific credential type can be stored in a ccache,
+- * the corresponding principal version has to be set.
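Review bot: The rewritten comment for `get_principal` no longer says what happens when `in_credentials_version` is not `cc_credentials_v5`, although the parameter is still a plain `cc_uint32` and older callers may pass 1 or 3. The removed text documented `ccErrBadCredentialsVersion` for `cc_credentials_v4_v5`; if every non-v5 value is now rejected that way (the implementation is not visible in this hunk), I would keep a sentence such as `Passing any value other than cc_credentials_v5 in cred_vers results in ccErrBadCredentialsVersion.` The `set_principal` hunk that follows has the same omission, and its "Set the a principal" typo could be corrected while the line is being rewritten.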
For example, before you can
+- * store Kerberos v4 credentials in a ccache, the Kerberos v4 principal has to be set
+- * either by cc_context_create_ccache(), cc_context_create_default_ccache(),
+- * cc_context_create_new_ccache(), or cc_ccache_set_principal(); likewise for
+- * Kerberos v5. Otherwise, ccErrBadCredentialsVersion is returned.
++ * Before credentials of a specific credential type can be stored in a
++ * ccache, the corresponding principal version has to be set. That is,
++ * before you can store Kerberos v5 credentials in a ccache, the Kerberos
++ * v5 principal has to be set either by cc_context_create_ccache(),
++ * cc_context_create_default_ccache(), cc_context_create_new_ccache(), or
++ * cc_ccache_set_principal(); otherwise, ccErrBadCredentialsVersion is
++ * returned.
+ */
+ cc_int32 (*store_credentials) (cc_ccache_t io_ccache,
+ const cc_credentials_union *in_credentials_union);
+diff --git a/src/include/CredentialsCache2.h b/src/include/CredentialsCache2.h
+index b3b48996d..9e5a346ac 100644
+--- a/src/include/CredentialsCache2.h
++++ b/src/include/CredentialsCache2.h
+@@ -85,36 +85,13 @@ typedef struct cc_credentials_v5_compat {
+ cc_data_compat** authdata;
+ } cc_credentials_v5_compat;
+
+-enum {
+- MAX_V4_CRED_LEN = 1250
+-};
+-
+ enum {
+ KRB_NAME_SZ = 40,
+ KRB_INSTANCE_SZ = 40,
+ KRB_REALM_SZ = 40
+ };
+
+-typedef struct cc_credentials_v4_compat {
+- unsigned char kversion;
+- char principal[KRB_NAME_SZ+1];
+- char principal_instance[KRB_INSTANCE_SZ+1];
+- char service[KRB_NAME_SZ+1];
+- char service_instance[KRB_INSTANCE_SZ+1];
+- char realm[KRB_REALM_SZ+1];
+- unsigned char session_key[8];
+- cc_int32 kvno;
+- cc_int32 str_to_key;
+- long issue_date;
+- cc_int32 lifetime;
+- cc_uint32 address;
+- cc_int32 ticket_sz;
+- unsigned char ticket[MAX_V4_CRED_LEN];
+- unsigned long oops;
+-} cc_credentials_v4_compat;
+-
+ typedef union cred_ptr_union_compat {
+- cc_credentials_v4_compat* pV4Cred;
+ cc_credentials_v5_compat* pV5Cred;
+ }
cred_ptr_union_compat;
+
+@@ -135,7 +112,6 @@ typedef struct infoNC infoNC;
+
+ /* Some old type names */
+
+-typedef cc_credentials_v4_compat V4Cred_type;
+ typedef cc_credentials_v5_compat cc_creds;
+ struct ccache_cit;
+ typedef struct ccache_cit ccache_cit;
+@@ -166,7 +142,7 @@ enum {
+
+ enum {
+ CC_CRED_UNKNOWN,
+- CC_CRED_V4,
++ /* CC_CRED_V4, */
+ CC_CRED_V5,
+ CC_CRED_MAX
+ };
+diff --git a/src/lib/krb5/ccache/ccapi/stdcc.c b/src/lib/krb5/ccache/ccapi/stdcc.c
+index db69eebb4..cac61e45c 100644
+--- a/src/lib/krb5/ccache/ccapi/stdcc.c
++++ b/src/lib/krb5/ccache/ccapi/stdcc.c
+@@ -589,7 +589,6 @@ krb5_stdccv3_next_cred (krb5_context context,
+ err = stdccv3_setup (context, ccapi_data);
+ }
+
+- /* Note: CCAPI v3 ccaches can contain both v4 and v5 creds */
+ while (!err) {
+ err = cc_credentials_iterator_next (iterator, &credentials);
+
+@@ -836,7 +835,6 @@ krb5_stdccv3_remove (krb5_context context,
+ &iterator);
+ }
+
+- /* Note: CCAPI v3 ccaches can contain both v4 and v5 creds */
+ while (!err && !found) {
+ cc_credentials_t credentials = NULL;
+
+diff --git a/src/lib/krb5/ccache/ccapi/stdcc_util.c b/src/lib/krb5/ccache/ccapi/stdcc_util.c
+index 62d847c18..1f2a3865c 100644
+--- a/src/lib/krb5/ccache/ccapi/stdcc_util.c
++++ b/src/lib/krb5/ccache/ccapi/stdcc_util.c
+@@ -521,9 +521,6 @@ cred_union_release (cc_credentials_union *in_cred_union)
+
+ free (cv5);
+
+- } else if (in_cred_union->version == cc_credentials_v4 &&
+- in_cred_union->credentials.credentials_v4) {
+- free (in_cred_union->credentials.credentials_v4);
+ }
+ free ((cc_credentials_union *) in_cred_union);
+ }
+@@ -892,10 +889,7 @@ static void deep_free_cc_v5_creds (cc_creds* creds)
+
+ static void deep_free_cc_creds (cred_union creds)
+ {
+- if (creds.cred_type == CC_CRED_V4) {
+- /* we shouldn't get this, of course */
+- free (creds.cred.pV4Cred);
+- } else if (creds.cred_type == CC_CRED_V5) {
++ if (creds.cred_type == CC_CRED_V5) {
+ deep_free_cc_v5_creds (creds.cred.pV5Cred);
+ }
+ }
+diff
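Review bot: In the `@@ -166,7 +142,7 @@` hunk of CredentialsCache2.h the enumerators have no explicit values, so commenting out `CC_CRED_V4` renumbers `CC_CRED_V5` from 2 to 1 and `CC_CRED_MAX` from 3 to 2. kfwlogon.h and leash-int.h in this same patch keep `CC_CRED_V5 = 2`, so the headers now disagree. A `cred_type` written by any component built against the old numbering would compare equal to `CC_CRED_MAX` here, and `deep_free_cc_creds` in the stdcc_util.c hunk would then skip `deep_free_cc_v5_creds`. Pinning the values keeps the ABI unchanged: `CC_CRED_V5 = 2,` and `CC_CRED_MAX = 3`.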
--git a/src/windows/kfwlogon/kfwlogon.h b/src/windows/kfwlogon/kfwlogon.h
+index b2674573e..622d5665c 100644
+--- a/src/windows/kfwlogon/kfwlogon.h
++++ b/src/windows/kfwlogon/kfwlogon.h
+@@ -94,7 +94,7 @@ typedef int cc_int32;
+
+ enum {
+ CC_CRED_VUNKNOWN = 0, // For validation
+- CC_CRED_V4 = 1,
++ /* CC_CRED_V4 = 1, */
+ CC_CRED_V5 = 2,
+ CC_CRED_VMAX = 3 // For validation
+ };
+diff --git a/src/windows/leashdll/leash-int.h b/src/windows/leashdll/leash-int.h
+index cb40c607c..bf6f6a08d 100644
+--- a/src/windows/leashdll/leash-int.h
++++ b/src/windows/leashdll/leash-int.h
+@@ -182,7 +182,7 @@ typedef int cc_int32;
+
+ enum {
+ CC_CRED_VUNKNOWN = 0, // For validation
+- CC_CRED_V4 = 1,
++ /* CC_CRED_V4 = 1, */
+ CC_CRED_V5 = 2,
+ CC_CRED_VMAX = 3 // For validation
+ };
+diff --git a/src/windows/lib/cacheapi.h b/src/windows/lib/cacheapi.h
+index b30857810..9aab4a098 100644
+--- a/src/windows/lib/cacheapi.h
++++ b/src/windows/lib/cacheapi.h
+@@ -126,52 +126,8 @@ typedef struct _cc_creds {
+ cc_data ** authdata;
+ } cc_creds;
+
+-// begin V4 stuff
+-// use an enumerated type so all callers infer the same meaning
+-// these values are what krbv4win uses internally.
+-#define STK_AFS 0
+-#define STK_DES 1
+-
+-// K4 uses a MAX_KTXT_LEN of 1250 to hold a ticket
+-// K95 uses 256
+-// To be safe I'll use the larger number, but a factor of 5!!!
+-#define MAX_V4_CRED_LEN 1250
+-
+-// V4 Credentials
+-
+-enum {
+- KRB_NAME_SZ = 40,
+- KRB_INSTANCE_SZ = 40,
+- KRB_REALM_SZ = 40
+-};
+-
+-typedef struct cc_V4credential {
+- unsigned char kversion;
+- char principal[KRB_NAME_SZ + 1];
+- char principal_instance[KRB_INSTANCE_SZ + 1];
+- char service[KRB_NAME_SZ + 1];
+- char service_instance[KRB_INSTANCE_SZ + 1];
+- char realm[KRB_REALM_SZ + 1];
+- unsigned char session_key[8];
+- cc_int32 kvno; // k95 used BYTE skvno
+- cc_int32 str_to_key; // k4 infers dynamically, k95 stores
+- long issue_date; // k95 called this issue_time
+- cc_int32 lifetime; // k95 used LONG expiration_time
+- cc_uint32 address; // IP Address of local host
+- cc_int32 ticket_sz; // k95 used BYTE, k4 ktext uses int to hold up to 1250
+- unsigned char ticket[MAX_V4_CRED_LEN];
+- unsigned long oops; // zero to catch runaways
+-} V4Cred_type;
+-
+-enum {
+- CC_CRED_VUNKNOWN = 0, // For validation
+- CC_CRED_V4 = 1,
+- CC_CRED_V5 = 2,
+- CC_CRED_VMAX = 3 // For validation
+-};
+
+ typedef union cred_ptr_union_type {
+- V4Cred_type* pV4Cred;
+ cc_creds* pV5Cred;
+ } cred_ptr_union;
+
+@@ -223,16 +179,15 @@ cc_get_change_time(
+ ** create, open, close, destroy, get_principal, get_cred_version, &
+ ** lock_request
+ **
+-** Multiple NCs are allowed within the main cache. Each has a Name
+-** and kerberos version # (V4 or V5). Caller gets "ccache_ptr"s for
+-** NCs.
++** Multiple NCs are allowed within the main cache. Each has a Name and
++** kerberos version # (V5). Caller gets "ccache_ptr"s for NCs.
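Review bot: The block removed from cacheapi.h takes the whole `CC_CRED_VUNKNOWN` / `CC_CRED_V4` / `CC_CRED_V5` / `CC_CRED_VMAX` enum with it, not just the v4 member, yet the `cc_create` and `cc_open` prototypes later in this header still document `vers` as `CC_CRED_V5`. Unless another header supplies these names to every includer (not visible here), code that range-checks `vers` against `CC_CRED_VUNKNOWN` and `CC_CRED_VMAX` loses its bounds or stops compiling. kfwlogon.h and leash-int.h keep the enum and only comment out the v4 line (`/* CC_CRED_V4 = 1, */`); doing the same here would keep the three headers consistent.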
+ */
+ CCACHE_API
+ cc_create(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ const char* name, // > name of cache to be [destroyed if exists, then] created
+ const char* principal,
+- cc_int32 vers, // > ticket version (CC_CRED_V4 or CC_CRED_V5)
++ cc_int32 vers, // > ticket version (CC_CRED_V5)
+ cc_uint32 cc_flags, // > options
+ ccache_p** ccache_ptr // < NC control structure
+ );
+@@ -241,7 +196,7 @@ CCACHE_API
+ cc_open(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ const char* name, // > name of pre-created cache
+- cc_int32 vers, // > ticket version (CC_CRED_V4 or CC_CRED_V5)
++ cc_int32 vers, // > ticket version (CC_CRED_V5)
+ cc_uint32 cc_flags, // > options
+ ccache_p** ccache_ptr // < NC control structure
+ );
diff --git a/Remove-ccapi-related-comments-in-configure.ac.patch b/Remove-ccapi-related-comments-in-configure.ac.patch
new file mode 100644
index 0000000..78cf265
--- /dev/null
+++ b/Remove-ccapi-related-comments-in-configure.ac.patch
@@ -0,0 +1,34 @@ +From 1f214b1265bde1d8f6c9b99af0755ca8f5463385 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Wed, 3 Apr 2019 16:01:22 -0400 +Subject: [PATCH] Remove ccapi-related comments in configure.ac + +These suggested ccapi is buildable on non-Windows, and empirically it +is not. + +(cherry picked from commit eb48b176bccf3634b9c82f588dce85125a5c4bd8) +--- + src/configure.in | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/src/configure.in b/src/configure.in +index 7c309a26b..8d781a7c8 100644 +--- a/src/configure.in ++++ b/src/configure.in +@@ -1450,7 +1450,6 @@ V5_AC_OUTPUT_MAKEFILE(. + lib/crypto/crypto_tests + + lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache +-dnl lib/krb5/ccache/ccapi + lib/krb5/keytab lib/krb5/krb lib/krb5/rcache lib/krb5/os + lib/krb5/unicode + +@@ -1463,8 +1462,6 @@ dnl lib/krb5/ccache/ccapi + lib/krad + lib/apputils + +-dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test +- + kdc kprop config-files build-tools man doc include + + plugins/certauth/test diff --git a/Remove-doxygen-generated-HTML-output-for-ccapi.patch b/Remove-doxygen-generated-HTML-output-for-ccapi.patch new file mode 100644 index 0000000..3165c8e --- /dev/null +++ b/Remove-doxygen-generated-HTML-output-for-ccapi.patch 
@@ -0,0 +1,7653 @@ +From 5f56eefcf0017d6c0c574e667f55f827b226b295 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Thu, 4 Apr 2019 14:15:58 -0400 +Subject: [PATCH] Remove doxygen-generated HTML output for ccapi + +(cherry picked from commit d4f90b750d6d81cc001f6b00266c82c1c916bbf4) +--- + doc/ccapi/Doxyfile | 281 ---- + doc/ccapi/ccache-api-v2.html | 1217 --------------- + doc/ccapi/html/doxygen.css | 310 ---- + doc/ccapi/html/doxygen.png | Bin 1281 -> 0 bytes + ...roup__cc__ccache__iterator__reference.html | 96 -- + .../html/group__cc__ccache__reference.html | 96 -- + .../html/group__cc__context__reference.html | 161 -- + ..._cc__credentials__iterator__reference.html | 133 -- + .../group__cc__credentials__reference.html | 197 --- + .../html/group__cc__string__reference.html | 96 -- + .../group__ccapi__constants__reference.html | 407 ----- + .../html/group__ccapi__types__reference.html | 138 -- + doc/ccapi/html/group__helper__macros.html | 1377 ----------------- + doc/ccapi/html/index.html | 85 - + doc/ccapi/html/structcc__ccache__d.html | 43 - + doc/ccapi/html/structcc__ccache__f.html | 722 --------- + .../html/structcc__ccache__iterator__d.html | 43 - + .../html/structcc__ccache__iterator__f.html | 117 -- + doc/ccapi/html/structcc__context__d.html | 43 - + doc/ccapi/html/structcc__context__f.html | 513 ------ + doc/ccapi/html/structcc__credentials__d.html | 67 - + doc/ccapi/html/structcc__credentials__f.html | 85 - + .../structcc__credentials__iterator__d.html | 43 - + .../structcc__credentials__iterator__f.html | 85 - + .../html/structcc__credentials__union.html | 118 -- + .../html/structcc__credentials__v4__t.html | 358 ----- + .../html/structcc__credentials__v5__t.html | 334 ---- + doc/ccapi/html/structcc__data.html | 94 -- + doc/ccapi/html/structcc__string__d.html | 67 - + doc/ccapi/html/structcc__string__f.html | 51 - + 30 files changed, 7377 deletions(-) + delete mode 100644 doc/ccapi/Doxyfile + delete mode 100755 doc/ccapi/ccache-api-v2.html + delete 
mode 100644 doc/ccapi/html/doxygen.css + delete mode 100644 doc/ccapi/html/doxygen.png + delete mode 100644 doc/ccapi/html/group__cc__ccache__iterator__reference.html + delete mode 100644 doc/ccapi/html/group__cc__ccache__reference.html + delete mode 100644 doc/ccapi/html/group__cc__context__reference.html + delete mode 100644 doc/ccapi/html/group__cc__credentials__iterator__reference.html + delete mode 100644 doc/ccapi/html/group__cc__credentials__reference.html + delete mode 100644 doc/ccapi/html/group__cc__string__reference.html + delete mode 100644 doc/ccapi/html/group__ccapi__constants__reference.html + delete mode 100644 doc/ccapi/html/group__ccapi__types__reference.html + delete mode 100644 doc/ccapi/html/group__helper__macros.html + delete mode 100644 doc/ccapi/html/index.html + delete mode 100644 doc/ccapi/html/structcc__ccache__d.html + delete mode 100644 doc/ccapi/html/structcc__ccache__f.html + delete mode 100644 doc/ccapi/html/structcc__ccache__iterator__d.html + delete mode 100644 doc/ccapi/html/structcc__ccache__iterator__f.html + delete mode 100644 doc/ccapi/html/structcc__context__d.html + delete mode 100644 doc/ccapi/html/structcc__context__f.html + delete mode 100644 doc/ccapi/html/structcc__credentials__d.html + delete mode 100644 doc/ccapi/html/structcc__credentials__f.html + delete mode 100644 doc/ccapi/html/structcc__credentials__iterator__d.html + delete mode 100644 doc/ccapi/html/structcc__credentials__iterator__f.html + delete mode 100644 doc/ccapi/html/structcc__credentials__union.html + delete mode 100644 doc/ccapi/html/structcc__credentials__v4__t.html + delete mode 100644 doc/ccapi/html/structcc__credentials__v5__t.html + delete mode 100644 doc/ccapi/html/structcc__data.html + delete mode 100644 doc/ccapi/html/structcc__string__d.html + delete mode 100644 doc/ccapi/html/structcc__string__f.html + +diff --git a/doc/ccapi/Doxyfile b/doc/ccapi/Doxyfile +deleted file mode 100644 +index 734c29c90..000000000 +--- a/doc/ccapi/Doxyfile ++++ 
/dev/null +@@ -1,281 +0,0 @@ +-# Doxyfile 1.5.3 +- +-#--------------------------------------------------------------------------- +-# Project related configuration options +-#--------------------------------------------------------------------------- +-DOXYFILE_ENCODING = UTF-8 +-PROJECT_NAME = "Credentials Cache API " +-PROJECT_NUMBER = +-OUTPUT_DIRECTORY = . +-CREATE_SUBDIRS = NO +-OUTPUT_LANGUAGE = English +-BRIEF_MEMBER_DESC = YES +-REPEAT_BRIEF = YES +-ABBREVIATE_BRIEF = "The $name class " \ +- "The $name widget " \ +- "The $name file " \ +- is \ +- provides \ +- specifies \ +- contains \ +- represents \ +- a \ +- an \ +- the +-ALWAYS_DETAILED_SEC = YES +-INLINE_INHERITED_MEMB = NO +-FULL_PATH_NAMES = NO +-STRIP_FROM_PATH = +-STRIP_FROM_INC_PATH = +-SHORT_NAMES = NO +-JAVADOC_AUTOBRIEF = NO +-QT_AUTOBRIEF = NO +-MULTILINE_CPP_IS_BRIEF = NO +-DETAILS_AT_TOP = YES +-INHERIT_DOCS = YES +-SEPARATE_MEMBER_PAGES = NO +-TAB_SIZE = 8 +-ALIASES = +-OPTIMIZE_OUTPUT_FOR_C = YES +-OPTIMIZE_OUTPUT_JAVA = NO +-BUILTIN_STL_SUPPORT = NO +-CPP_CLI_SUPPORT = NO +-DISTRIBUTE_GROUP_DOC = NO +-SUBGROUPING = YES +-#--------------------------------------------------------------------------- +-# Build related configuration options +-#--------------------------------------------------------------------------- +-EXTRACT_ALL = YES +-EXTRACT_PRIVATE = NO +-EXTRACT_STATIC = NO +-EXTRACT_LOCAL_CLASSES = NO +-EXTRACT_LOCAL_METHODS = NO +-EXTRACT_ANON_NSPACES = NO +-HIDE_UNDOC_MEMBERS = NO +-HIDE_UNDOC_CLASSES = NO +-HIDE_FRIEND_COMPOUNDS = NO +-HIDE_IN_BODY_DOCS = YES +-INTERNAL_DOCS = NO +-CASE_SENSE_NAMES = YES +-HIDE_SCOPE_NAMES = YES +-SHOW_INCLUDE_FILES = NO +-INLINE_INFO = YES +-SORT_MEMBER_DOCS = NO +-SORT_BRIEF_DOCS = NO +-SORT_BY_SCOPE_NAME = NO +-GENERATE_TODOLIST = YES +-GENERATE_TESTLIST = YES +-GENERATE_BUGLIST = YES +-GENERATE_DEPRECATEDLIST= YES +-ENABLED_SECTIONS = +-MAX_INITIALIZER_LINES = 30 +-SHOW_USED_FILES = NO +-SHOW_DIRECTORIES = NO +-FILE_VERSION_FILTER = 
+-#--------------------------------------------------------------------------- +-# configuration options related to warning and progress messages +-#--------------------------------------------------------------------------- +-QUIET = NO +-WARNINGS = YES +-WARN_IF_UNDOCUMENTED = YES +-WARN_IF_DOC_ERROR = YES +-WARN_NO_PARAMDOC = YES +-WARN_FORMAT = "$file:$line: $text " +-WARN_LOGFILE = +-#--------------------------------------------------------------------------- +-# configuration options related to the input files +-#--------------------------------------------------------------------------- +-INPUT = ../../Sources/include/CredentialsCache.h +-INPUT_ENCODING = UTF-8 +-FILE_PATTERNS = *.c \ +- *.cc \ +- *.cxx \ +- *.cpp \ +- *.c++ \ +- *.d \ +- *.java \ +- *.ii \ +- *.ixx \ +- *.ipp \ +- *.i++ \ +- *.inl \ +- *.h \ +- *.hh \ +- *.hxx \ +- *.hpp \ +- *.h++ \ +- *.idl \ +- *.odl \ +- *.cs \ +- *.php \ +- *.php3 \ +- *.inc \ +- *.m \ +- *.mm \ +- *.dox \ +- *.py \ +- *.C \ +- *.CC \ +- *.C++ \ +- *.II \ +- *.I++ \ +- *.H \ +- *.HH \ +- *.H++ \ +- *.CS \ +- *.PHP \ +- *.PHP3 \ +- *.M \ +- *.MM \ +- *.PY +-RECURSIVE = YES +-EXCLUDE = +-EXCLUDE_SYMLINKS = NO +-EXCLUDE_PATTERNS = +-EXCLUDE_SYMBOLS = +-EXAMPLE_PATH = +-EXAMPLE_PATTERNS = * +-EXAMPLE_RECURSIVE = NO +-IMAGE_PATH = +-INPUT_FILTER = +-FILTER_PATTERNS = +-FILTER_SOURCE_FILES = NO +-#--------------------------------------------------------------------------- +-# configuration options related to source browsing +-#--------------------------------------------------------------------------- +-SOURCE_BROWSER = NO +-INLINE_SOURCES = NO +-STRIP_CODE_COMMENTS = YES +-REFERENCED_BY_RELATION = YES +-REFERENCES_RELATION = YES +-REFERENCES_LINK_SOURCE = YES +-USE_HTAGS = NO +-VERBATIM_HEADERS = NO +-#--------------------------------------------------------------------------- +-# configuration options related to the alphabetical class index +-#--------------------------------------------------------------------------- 
+-ALPHABETICAL_INDEX = NO +-COLS_IN_ALPHA_INDEX = 5 +-IGNORE_PREFIX = +-#--------------------------------------------------------------------------- +-# configuration options related to the HTML output +-#--------------------------------------------------------------------------- +-GENERATE_HTML = YES +-HTML_OUTPUT = html +-HTML_FILE_EXTENSION = .html +-HTML_HEADER = +-HTML_FOOTER = +-HTML_STYLESHEET = +-HTML_ALIGN_MEMBERS = NO +-GENERATE_HTMLHELP = NO +-HTML_DYNAMIC_SECTIONS = NO +-CHM_FILE = +-HHC_LOCATION = +-GENERATE_CHI = NO +-BINARY_TOC = NO +-TOC_EXPAND = NO +-DISABLE_INDEX = YES +-ENUM_VALUES_PER_LINE = 4 +-GENERATE_TREEVIEW = NO +-TREEVIEW_WIDTH = 250 +-#--------------------------------------------------------------------------- +-# configuration options related to the LaTeX output +-#--------------------------------------------------------------------------- +-GENERATE_LATEX = NO +-LATEX_OUTPUT = latex +-LATEX_CMD_NAME = latex +-MAKEINDEX_CMD_NAME = makeindex +-COMPACT_LATEX = NO +-PAPER_TYPE = letter +-EXTRA_PACKAGES = +-LATEX_HEADER = +-PDF_HYPERLINKS = YES +-USE_PDFLATEX = YES +-LATEX_BATCHMODE = NO +-LATEX_HIDE_INDICES = NO +-#--------------------------------------------------------------------------- +-# configuration options related to the RTF output +-#--------------------------------------------------------------------------- +-GENERATE_RTF = YES +-RTF_OUTPUT = rtf +-COMPACT_RTF = YES +-RTF_HYPERLINKS = YES +-RTF_STYLESHEET_FILE = +-RTF_EXTENSIONS_FILE = +-#--------------------------------------------------------------------------- +-# configuration options related to the man page output +-#--------------------------------------------------------------------------- +-GENERATE_MAN = NO +-MAN_OUTPUT = man +-MAN_EXTENSION = .3 +-MAN_LINKS = NO +-#--------------------------------------------------------------------------- +-# configuration options related to the XML output +-#--------------------------------------------------------------------------- 
+-GENERATE_XML = NO +-XML_OUTPUT = xml +-XML_SCHEMA = +-XML_DTD = +-XML_PROGRAMLISTING = YES +-#--------------------------------------------------------------------------- +-# configuration options for the AutoGen Definitions output +-#--------------------------------------------------------------------------- +-GENERATE_AUTOGEN_DEF = NO +-#--------------------------------------------------------------------------- +-# configuration options related to the Perl module output +-#--------------------------------------------------------------------------- +-GENERATE_PERLMOD = NO +-PERLMOD_LATEX = NO +-PERLMOD_PRETTY = YES +-PERLMOD_MAKEVAR_PREFIX = +-#--------------------------------------------------------------------------- +-# Configuration options related to the preprocessor +-#--------------------------------------------------------------------------- +-ENABLE_PREPROCESSING = YES +-MACRO_EXPANSION = NO +-EXPAND_ONLY_PREDEF = NO +-SEARCH_INCLUDES = NO +-INCLUDE_PATH = +-INCLUDE_FILE_PATTERNS = +-PREDEFINED = +-EXPAND_AS_DEFINED = +-SKIP_FUNCTION_MACROS = YES +-#--------------------------------------------------------------------------- +-# Configuration::additions related to external references +-#--------------------------------------------------------------------------- +-TAGFILES = +-GENERATE_TAGFILE = +-ALLEXTERNALS = NO +-EXTERNAL_GROUPS = NO +-PERL_PATH = /usr/bin/perl +-#--------------------------------------------------------------------------- +-# Configuration options related to the dot tool +-#--------------------------------------------------------------------------- +-CLASS_DIAGRAMS = NO +-MSCGEN_PATH = /Volumes/Ragna-Blade/Developer/Doxygen/Doxygen.app/Contents/Resources/ +-HIDE_UNDOC_RELATIONS = YES +-HAVE_DOT = NO +-CLASS_GRAPH = YES +-COLLABORATION_GRAPH = YES +-GROUP_GRAPHS = YES +-UML_LOOK = NO +-TEMPLATE_RELATIONS = NO +-INCLUDE_GRAPH = YES +-INCLUDED_BY_GRAPH = YES +-CALL_GRAPH = NO +-CALLER_GRAPH = NO +-GRAPHICAL_HIERARCHY = YES 
+-DIRECTORY_GRAPH = YES +-DOT_IMAGE_FORMAT = png +-DOT_PATH = +-DOTFILE_DIRS = +-DOT_GRAPH_MAX_NODES = 50 +-MAX_DOT_GRAPH_DEPTH = 1000 +-DOT_TRANSPARENT = NO +-DOT_MULTI_TARGETS = NO +-GENERATE_LEGEND = YES +-DOT_CLEANUP = YES +-#--------------------------------------------------------------------------- +-# Configuration::additions related to the search engine +-#--------------------------------------------------------------------------- +-SEARCHENGINE = NO +diff --git a/doc/ccapi/ccache-api-v2.html b/doc/ccapi/ccache-api-v2.html +deleted file mode 100755 +index b8d3f06e5..000000000 +--- a/doc/ccapi/ccache-api-v2.html ++++ /dev/null +@@ -1,1217 +0,0 @@ +- +- +- +- Credentials Cache API v2 Specification +- +- +-

Credentials Cache API v2 Specification

+-

This version of the API is deprecated.
+-Please refer to CCAPI version 3 or later for the current API.

+- +- +- +-

+-


+- +- +-

Abstract

+- +-

This is the specification for an API which provides Credentials +-Cache services for both +-Kerberos V5 and V4. +-The idea behind this API is that multiple Kerberos implementations +-can share a single Credentials Cache, mediated by this API +-specification. On the Microsoft Windows platform this will allow +-single-signon, even when more than one Kerberos DLL is in use on a +-particular system. Ideally, this problem could be solved by +-standardizing the Kerberos V5 API library interface. However, the +-Kerberos API is complicated enough that this would be hard to +-accomplish. Standardizing the interface for credentials cache access +-is much simpler. This API has also been adopted in the MIT Kerberos +-for the Macintosh implementation. +- +-

This specification has been revised to allow storage and +-manipulation of both V4 and V5 tickets. A cache contains one or more +-"Named Cache"s. It is assumed that V4 and V5 credentials would each +-be stored in separate "Named Cache"s and not mixed in a single "Named +-Cache". +- +-

Below, "NC" refers to "Named Cache".
+- +- +- +-

+-


+- +- +-

Revision History/Notes

+- +-

Original version (Draft Version 1)

+- +-

1/27/96 by +-Theodore Ts'o +- +-

Revision 2 (Draft Version 1)

+- +-

970628 by Steve Rothwell +-for the V4Cache Team (Paul Hill, Jenny Khuon, Jean Luker, Dave +-Detlefs, Allan Bjorklund, & Steve Rothwell) +- +-

+- +-

Revision 3 (Draft Version 1)

+- +-

970725 by Steve Rothwell after initial implementation and alpha +-release. The term "credentials cache" was previously used to mean +-both "the main cache" and individual "named cache"s within the main +-cache. I have started using the term "NC" for "named cache" to make +-the distinction clearer and to reduce the overloading of the word +-"cache". +- +-

Changes made for revision 3 of this API:
+- +-
    +-
  • Added cred version type to cc_create() & cc_open() +- +-
  • New functions +- +-
      +-
    • cc_get_NC_info(), returns NC_info list for all NCs +- +-
    • cc_free_NC_info(), frees NC_info list +- +-
    • cc_get_cred_version(), returns version type of NC +- +-
    • cc_get_name(), returns name of NC +- +-
    • cc_free_name(), frees name aquired via cc_get_name() +- +-
    • cc_seq_fetch_NCs(), iterate over all NCs +-
    +- +-
  • New return codes +- +-
      +-
    • CC_BAD_PARM +- +-
    • CC_ERR_CACHE_ATTACH +- +-
    • CC_ERR_CACHE_RELEASE +- +-
    • CC_ERR_CACHE_FULL +- +-
    • CC_ERR_CRED_VERSION +-
    +- +-
  • Modified functions +- +-
      +-
    • cc_create(), cc_open(), pass version type of NC +- +-
    • cc_store(), cc_remove(), cc_ +-
    +- +-
  • New & Modified typedefs & data structures +- +-
      +-
    • cc_cred_vers { CC_CRED_VUNKNOWN, CC_CRED_V4, CC_CRED_V5 } +- +-
    • cred_ptr_union : contains pointer to credentials (either V4 +- or V5) +- +-
    • cred_union : contains version type and cred_ptr_union +- +-
    • modified V4Cred_type +- +-
    • enum StringToKey_Type { STK_AFS or STK_DES } +- +-
    • copies of the maximum V4 string size indicators +- KRB_PRINCIPAL_SZ, KRB_SERVICE_SZ, KRB_INSTANCE_SZ, +- KRB_REALM_SZ, ADDR_SZ +-
    +-
+- +-

Revision 4 (Draft Version 1)

+- +-

970908 by Steve Rothwell to incorporate changes initiated by Ted +-Tso. Further changes are expected in the comments for cc_create() and +-cc_get_change_time(). +- +-

Revision 4a (Final Version 1)

+- +-

980603 by Scott McGuire to +-correct typographical errors, HTML errors, and minor clarifications. +-Final API Version 1 spec. +- +-

Revision 5 (Draft Version 2)

+- +-

990201 by Scott McGuire. +- +-

    +-
  • Increased API version number to 2. +- +-
  • Added enum's defining version numbers. +- +-
  • Changes to cc_initialize() to specify how to deal with +- different API version numbers. +- +-
  • Added description of cc_int32 and cc_uint32 types. +- +-
  • Change some cc_int32's to cc_uint32's. +- +-
  • Changed way cc_create() will behave when called on an existing +- cache. +- +-
  • Replaced cc_seq_fetch_NCs() with cc_seq_fetch_NCs_begin(), +- cc_seq_fetch_NCs_next(), and cc_seq_fetch_NCs_end(); +- +-
  • Replaced cc_seq_fetch_creds() with cc_seq_fetch_creds_begin(), +- cc_seq_fetch_creds_next(), and cc_seq_fetch_creds_end(); +- +-
  • Replaced enum type references in structs and function +- paramenters with cc_int32 references; +- +-
  • Replaced int type references in function parameters with +- cc_int32; +- +-
  • Added return type of cc_int32 to all functions; +- +-
  • Removed #ifdef from cred_union structure; +- +-
  • Constant definitions and changes to V4Cred_type structure; +- +-
  • Removed incorrect const ccache_p * parameters from cc_store() +- and cc_remove_cred(); +- +-
  • Added CC_NOERROR and CC_BAD_PARM as possible return codes from +- all functions (except no CC_BAD_PARM from cc_shutdown() ); +- +-
  • Added CC_ERR_CRED_VERSION as possible return code from +- cc_open() and cc_create(); +- +-
  • Moved infoNC structure definition up to be with rest of +- structure definitions; +- +-
  • Changed "struct _infoNC" to "infoNC" in parameter type +- references. +- +-
  • cc_free_principal() and cc_free_name() now take char ** +- instead of char * for final parameter. (This change was made +- between rev 4a and rev 5, but I'm re-emphasizing it here.) +- +-
  • Added Implementation Notes section with requirement that all +- functions must be atomic and name requirements for Windows DLL's. +- +-
  • Renamed "the proposed changes to this API are" section to +- "Ideas for Future Versions" -- but removed all items but one +- because they'd all been done. +- +-
  • Removed most of the notes about differences with the Win NT/95 +- implementation of the API -- the differences have been reconciled. +- +-
  • Removed unnecessary and inconsistent italicizing. +-
+- +-

Revsion 5a (Final Version 2)

+- +-

990723 by Scott McGuire. +- +-

    +-
  • cc_create(): Removed text about "expected" form of name. +- Removed note about "the alpha version does not do this." +- +-
  • cc_destroy(): Clarified that you do not need to call +- cc_close() on the cache_pointer after calling this function. +- +-
  • Removed note about Windows cc_get_instance() and +- cc_set_instance() functions, they are no longer part of the +- Windows code! +-
+- +-

Ideas for Future Versions

+- +-
    +-
  • Define Get/Set functions for all components of _cc_creds? +- (This will allow future changes to the data structure to be +- transparent to the caller. This also makes backward compatibility +- much easier to maintain.) +-
+- +-


+- +- +-


+- +- +-

Type definitions

+- +-
// enums for API versions used in cc_initialize()
+-enum {
+-   CC_API_VER_1 = 1,
+-   CC_API_VER_2 = 2
+-};
+- 
+-
+-// cc_int32 and cc_uint32 are not exactly defined in this API due
+-// to a lack of standard 32-bit integer size between platforms
+-// (although there is the C9X standard).
+-// However, we will place the following constraints:
+-//
+-// cc_int32 is a signed integer that is at least 32 bits wide.
+-// cc_uint32 is an unsigned integer that is at least 32 bits wide
+- 
+-
+-typedef cc_int32 cc_time_t;  //see notes below
+-
+-typedef cc_uint32 cc_nc_flags;
+- 
+- 
+-
+-typedef struct opaque_dll_control_block_type* apiCB;
+-typedef struct opaque_ccache_pointer_type* ccache_p;
+-typedef struct opaque_credential_iterator_type* ccache_cit;
+- 
+-// These really are intended to be opaque. All implementations of the cache API must have
+-// them but what they are is implementation specific. In the case of SGR's implementation,
+-// the cc_ctx returned available after a call to cc_initialize, is a CCache_ctx class object. The 
+-// code that normally calls the cc_initialize function is straight C, which means the calling
+-// application doesn't have a chance in hell of manipulating this directly. The API is designed
+-// so that it does not have to. It does have to pass the pointer to the class around, one reason 
+-// being so that the destructor can eventually be called.
+- 
+- 
+-
+-typedef struct _cc_data {
+-    cc_uint32            type;
+-    cc_uint32            length;
+-    unsigned char*      data;
+-} cc_data;
+- 
+-
+-typedef struct _cc_creds {
+-    char*       client; /* client's principal identifier */
+-    char*       server; /* server's principal identifier */
+-    cc_data     keyblock;       /* session encryption key info */
+-    cc_time_t   authtime;
+-    cc_time_t   starttime;
+-    cc_time_t   endtime;
+-    cc_time_t   renew_till;
+-    cc_uint32    is_skey;        /* true if ticket is encrypted in
+-                                   another ticket's skey */
+-    cc_uint32    ticket_flags;   /* flags in ticket */
+-    cc_data**   addresses;      /* addrs in ticket */
+-    cc_data     ticket;         /* ticket string itself */
+-    cc_data     second_ticket;  /* second ticket, if related to
+-                                   ticket (via DUPLICATE-SKEY or
+-                                   ENC-TKT-IN-SKEY) */
+-    cc_data**   authdata;       /* authorization data */
+-} cc_creds;
+- 
+- 
+-// use an enumerated type so all callers infer the same meaning
+-// these values are what krbv4win uses internally.
+-
+-enum StringToKey_Type { STK_AFS = 0, STK_DES = 1 };
+- 
+-enum { MAX_V4_CRED_LEN = 1250 };
+- 
+- 
+-// V4 Credentials
+-
+-enum {
+-  KRB_NAME_SZ = 40,
+-  KRB_INSTANCE_SZ = 40,
+-  KRB_REALM_SZ = 40
+-};
+- 
+-typedef struct _V4credential {
+-    unsigned char              kversion;
+-    char                       principal[KRB_NAME_SZ+1];
+-    char                       principal_instance[KRB_INSTANCE_SZ+1];
+-    char                       service[KRB_NAME_SZ+1];
+-    char                       service_instance[KRB_INSTANCE_SZ+1];
+-    char                       realm[KRB_REALM_SZ+1];
+-    unsigned char              session_key[8];
+-    cc_int32                   kvno;                   // k95 used BYTE skvno
+-    cc_int32                   str_to_key;             // k4 infers dynamically, k95 stores; of type enum StringToKey_Type
+-    long                       issue_date;             // k95 called this issue_time
+-    cc_int32                   lifetime;               // k95 used LONG expiration_time
+-    cc_uint32                  address;                // IP Address of local host as an unsigned 32-bit integer
+-    cc_int32                   ticket_sz;              // k95 used BYTE, k4 ktext uses int to hold up to 1250
+-    unsigned char              ticket[MAX_V4_CRED_LEN];
+-    unsigned long              oops;                   // zero to catch runaways
+-} V4Cred_type;
+- 
+-
+-enum cc_cred_vers {  
+-    CC_CRED_VUNKNOWN = 0,       // For validation
+-    CC_CRED_V4 = 1,
+-    CC_CRED_V5 = 2,
+-    CC_CRED_VMAX = 3            // For validation
+-};
+- 
+-
+-typedef union cred_ptr_union_type {
+-    V4Cred_type* pV4Cred;
+-    cc_creds*    pV5Cred;
+-} cred_ptr_union;
+- 
+-
+-typedef struct cred_union_type {
+-    cc_int32 cred_type;  // cc_cred_vers
+-    cred_ptr_union cred;
+-} cred_union;
+- 
+-
+-typedef struct _infoNC {
+-        char*   name;
+-        char*   principal;
+-        cc_int32 vers;   // cc_cred_vers
+-} infoNC;
+- +-

The cc_data structure

+- +-

The cc_data structure is used to store the following elements: +- +-

    +-
  • keyblock +- +-
  • addresses +- +-
  • ticket (and second_ticket) +- +-
  • authorization data +-
+- +-

For cc_creds.ticket and cc_creds.second_ticket, the cc_data.type +-field MUST be zero. For the cc_creds.addresses, cc_creds.authdata, +-and cc_data.keyblock, the cc_data.type field should be the address +-type, authorization data type, and encryption type, as defined by the +-Kerberos V5 protocol definition. +- +-

cc_time_t

+- +-

The cc_time_t fields are used to represent time. The time must be +-stored as the number of seconds since midnight GMT on January 1, +-1970. +- +-

Principal names

+- +-

Principal names are stored as C strings in this API. The C strings +-may contain UTF-8 encoded strings for internationalization +-purposes.
+- +- +-


+- +- +-

Error Codes Definition

+- +-

+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-
+-

0  +-

+-

CC_NOERROR  +-

+-

"Successful return"  +-

+-

1  +-

+-

CC_BADNAME  +-

+-

"Bad credential cache name format"  +-

+-

2  +-

+-

CC_NOTFOUD  +-

+-

"Matching credential not found"  +-

+-

3  +-

+-

CC_END  +-

+-

"End of credential cache reached"  +-

+-

4  +-

+-

CC_IO  +-

+-

"Credentials cache I/O operation failed"  +-

+-

5  +-

+-

CC_WRITE  +-

+-

"Error writing to credentials cache file"  +-

+-

6  +-

+-

CC_NOMEM  +-

+-

"No memory"  +-

+-

7  +-

+-

CC_FORMAT  +-

+-

"Corrupted credentials cache"  +-

+-

8  +-

+-

CC_LOCKED  +-

+-

"The credentials cache or NC is locked"  +-

+-

9  +-

+-

CC_BAD_API_VERSION  +-

+-

"Unsupported API version"  +-

+-

10  +-

+-

CC_NO_EXIST  +-

+-

"Credentials cache or NC does not exist"  +-

+-

11  +-

+-

CC_NOT_SUPP  +-

+-

"Function not supported"  +-

+-

12  +-

+-

CC_BAD_PARM  +-

+-

"Bad Paramter Passed"  +-

+-

13  +-

+-

CC_ERR_CACHE_ATTACH  +-

+-

"Failed to attach cache"  +-

+-

14  +-

+-

CC_ERR_CACHE_RELEASE  +-

+-

"Failed to release cache"  +-

+-

15  +-

+-

CC_ERR_CACHE_FULL  +-

+-

"Cache FULL"  +-

+-

16  +-

+-

CC_ERR_CRED_VERSION  +-

+-

"Wrong Cred Version"  +-

+- +-

+-


+- +- +-

Implementation Notes

+- +-

All functions are atomic

+- +-

All Credentials Cache API functions must be atomic. +- +-

Windows +- +-

DLLs should be named KrbCC16.dll and KrbCC32.dll. +- +-

+-


+- +- +-

Function definitions

+- +-

+- +-

Main Cache Functions

+- +-

+- +- +-

+- +-

cc_initialize

+- +-
cc_int32 cc_initialize(apiCB** cc_ctx, cc_int32 api_version, cc_int32* api_supported, char** vendor)
+- +-

This function performs any initialization required by the +-API. It must be called before any other function in the +-API is called. The cc_ctx returned by this function must be +-passed to all other API functions as the first argument. +- +-

The application must pass in the maximum version number of the API +-it supports in the api_version parameter. +- +-

If api_supported non-NULL, then cc_initialize will store +-the maximum API version number supported by the library implementing +-the API there. +- +-

If the version requested by api_version is not equal to the +-version supported by the library, CC_BAD_API_VERSION will be returned +-as the error code (along with the version the library does support in +-api_supported) and cc_initialize should not allocate any +-memory. +- +-

If the vendor is non-NULL, then cc_initialize will store a +-pointer to a read/only C string which contains a string describing +-the vendor which implemented the credentials cache API. +- +-

Possible error codes: CC_NOERROR, CC_NOMEM, CC_BAD_API_VERSION, +-CC_BAD_PARM +- +-


+- +- +- +-

cc_shutdown

+- +-
cc_int32 cc_shutdown(apiCB** cc_ctx)
+- +-

This function performs any cleanup required by the API. +-cc_ctx will be NULL on return. The application program must call +-cc_initialize() again before making any credentials cache API +-calls. +- +-

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM +- +-


+- +- +- +-

cc_get_change_time

+- +-
cc_int32 cc_get_change_time(apiCB* cc_ctx, cc_time_t* time)
+- +-

This function returns the time of the most recent change for the +-entire cache. There is ONE timestamp maintained for the entire cache. +-By maintaining a local copy the caller can deduce whether "something +-changed" or not. +- +-

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_NOMEM, +-CC_BAD_PARM +- +-


+- +- +- +-

cc_get_NC_info

+- +-
cc_int32 cc_get_NC_info(apiCB* cc_ctx, infoNC*** ppNCi)
+- +-

cc_get_NC_info() is a wrapper for cc_seq_fetch_NCs(), +-cc_get_name() cc_get_cred_version(), and cc_get_principal(). It +-returns all the information needed to uniquely identify each NC in +-the cache (name and cred_version) and the associated principal. +-Specifically it returns a null terminated list of pointers to infoNC +-structs. Each infoNC struct contain a pointer to the NC's name, a +-pointer to the the principal associated with the NC, and the version +-number (as an enumerated type) of the credentials stored in this NC. +- +-

The ppNCi (the entire data structure) aquired by this routine +-should be freed with cc_free_NC_info(). +- +-

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_NOMEM, +-CC_BAD_PARM +- +-


+- +- +- +-

cc_open

+- +-
cc_int32 cc_open(apiCB* cc_ctx, const char* name, cc_int32 cred_vers, cc_uint32 cc_flags,
+-                 ccache_p** ccache_pointer)
+- +-

Opens an already exising NC identified by both name, and +-cred_vers. It fills in the parameter **ccache_pointer with a +-pointer to the NC. +- +-

The list of cache names, principals, and credentials versions may +-be retrieved via cc_seq_fetch_NCs(), cc_get_name(), +-cc_get_cred_version(), & cc_get_principal() OR via +-cc_get_NC_info(). +- +-

Possible error codes: CC_NOERROR, CC_BADNAME, CC_NO_EXIST, +-CC_NOMEM, CC_ERR_CRED_VERSION, CC_BAD_PARM +- +-


+- +- +- +-

cc_create

+- +-
cc_int32 cc_create(apiCB* cc_ctx, const char* name, const char* principal,
+-                cc_int32 cred_vers, cc_uint32 cc_flags, ccache_p** ccache_pointer)
+- +-

Create a new NC. The NC is uniquely identified by the combination +-of it's name and the "cc_creds_vers" (i.e. which credentials version +-it holds). The principal given is also associated with the NC. A NULL +-name is not allowed (and CC_BADNAME should be returned if one +-is passed in). If name is non-null and there is already a NC +-named name, all credentials in the cache are removed, and +-handle for the existing cache is returned. If there is already a NC +-named name, all existing handles for this cache remain valid. The NC +-is created with a primary principal specified by principal. +- +-

(Removed text about the "expected" form of the NC name.) +- +-

An NC is intended to hold credentials for a single principal in a +-single realm, and for a single credentials version (i.e. V4 or V5). +-The cache can contain credentials for other credential versions, +-other realms, and even other principals, but each in a separate NC. +-This rule will allow callers that can only handle a single principal +-in a single realm to continue to work by dealing with only one NC. +-Callers that can deal with multiple principals, multiple realms, +-and/or multiple credentials versions can do so by dealing with +-multiple NCs. By doing it this way, the callers that are able to +-handle multiple principals, realms, and/or versions can do so without +-interfering with "differently abled" code. +- +-

The list of cache names, principals, & cred_versions may be +-retrieved via cc_get_NC_info(). +- +-

Possible error codes: CC_NOERROR, CC_BADNAME, CC_BAD_PARM, +-CC_NO_EXIST, CC_NOMEM, CC_ERR_CRED_VERSION +- +-


+- +- +- +-

cc_close

+- +-
cc_int32 cc_close(apiCB* cc_ctx, ccache_p** ccache_pointer)
+- +-

Close the NC. The ccache_pointer related memory is +-deallocated, and ccache_pointer is set to NULL before being returned +-to caller. +- +-

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM +- +-


+- +- +- +-

cc_destroy

+- +-
cc_int32 cc_destroy(apiCB* cc_ctx, ccache_p** ccache_pointer)
+- +-

Destroy the NC pointed to by ccache_pointer. The +-ccache_pointer related memory is deallocated, and +-ccache_pointer is set to NULL before being returned to caller. The +-caller does not need to call cc_close() on the cache_pointer +-afterwards. +- +-

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM +- +-


+- +- +- +-

+- +-

cc_seq_fetch_NCs_begin

+- +-
cc_int32 cc_seq_fetch_NCs_begin(apiCB* cc_ctx, ccache_cit** itNCs)
+- +-

Used to allocate memory and initialize the iterator *itNCs. Use +-cc_seq_fetch_NCs_end() to deallocate the memory used by *itNCs. +- +-

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM, +-CC_NOMEM +- +-

+- +-

cc_seq_fetch_NCs_next

+- +-
cc_int32 cc_seq_fetch_NCs_next(apiCB* cc_ctx, ccache_p** ccache_pointer, ccache_cit* itNCs)
+- +-

Used to sequentially open every NC in the cache. +- +-

Ccache_pointer must be a pointer to a ccache_p*. The +-ccache_pointer returned may be used to get information about the NC +-by calling cc_get_name(), cc_get_cred_version(), and +-cc_get_principal(). Ccache_pointer's returned must be freed via +-cc_close() between calls to cc_seq_fetch_NCs_next(). +- +-

itNCs must be a pointer to a ccache_cit* variable provided by the +-calling application and which is used by cc_seq_fetch_NCs_next() to +-determine the next NC to return. It must have been initialized by +-cc_seq_fetch_NCs_begin(). +- +-

If changes are made to the credentials cache while it iterator is +-being used, it must return at least the intersection, and at most the +-union, of the set of NC's that were in the cache when the iteration +-began and the set of NC's that are in the cache when it ends. +- +-

When the last NC in the sequence is returned, the return code from +-cc_seq_fetch_NCs_next() will be CC_END. +- +-

Possible error codes: CC_NOERROR, CC_END, CC_NO_EXIST. +-CC_BAD_PARM, CC_NOMEM +- +-

 

+- +-

+- +-

cc_seq_fetch_NCs_end

+- +-
cc_int32 cc_seq_fetch_NCs_end(apiCB* cc_ctx, ccache_cit** itNCs)
+- +-

Deallocates the memory used by *itNCs, and sets *itNCs to NULL. +- +-

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM +- +-

  +- +-

+- +-

NC Functions

+- +-

+- +- +-

cc_get_name

+- +-
cc_int32 cc_get_name(apiCB* cc_ctx, const ccache_p* ccache_pointer, char** name)
+- +-

cc_get_name() returns the name of the NC indicated by +-ccache_pointer. The name can be used in cc_open() or cc_create(). The +-combination of the name and the credentials version uniqeuly identify +-an NC. The returned name should be freed via cc_free_name(). +- +-

Possible error codes: CC_NOERROR, CC_NOMEM, CC_NO_EXIST, +-CC_BAD_PARM +- +-


+- +- +- +-

cc_get_cred_version

+- +-
cc_int32 cc_get_cred_version(apiCB* cc_ctx, const ccache_p* ccache_pointer, cc_int32* cred_vers)
+- +-

cc_get_cred_version() returns one of the enumerated type +-cc_cred_vers in cred_vers. The expected values are CC_CRED_V4, or +-CC_CRED_V5. The combination of the name and the credentials version +-uniquely identify an NC. +- +-

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM +- +-


+- +- +- +-

cc_set_principal

+- +-
cc_int32 cc_set_principal(apiCB* cc_ctx, const ccache_p* ccache_pointer, const cc_int32 cred_vers,
+-                          const char* principal)
+- +-

Set the primary principal for the NC indicated by ccache_pointer. +-This is the complement to cc_get_principal(). +- +-

cred_vers is used as a double check. +- +-

principal points to a null terminated string that will be copied +-into the NC. This new principal will be returned if you call +-cc_get_principal() for this NC. +- +-

Possible error codes: CC_NOERROR, CC_NOMEM, CC_NO_EXIST, +-CC_ERR_CRED_VERSION, CC_BAD_PARM
+- +-  +- +-


+- +- +- +-

cc_get_principal

+- +-
cc_int32 cc_get_principal(apiCB* cc_ctx, const ccache_p* ccache_pointer, char** principal)
+- +-

Return the primary principal for the NC that was set via +-cc_create() or cc_set_principal(). The returned principal should be +-freed via cc_free_principal() . +- +-

Possible error codes: CC_NOERROR, CC_NOMEM, CC_NO_EXIST, +-CC_BAD_PARM
+- +- +- +-


+- +- +- +-

cc_store

+- +-
cc_int32 cc_store(apiCB* cc_ctx, ccache_p* ccache_pointer, const cred_union cred)
+- +-

Store (make a copy of) cred in the NC indicated by +-ccache_pointer. +- +-

A cred_union contains a cred_type indicator and a cred_ptr_union. +-A cred_ptr_union can contain either a V4Cred_type pointer or a +-cc_creds (V5 creds) pointer. Cred_type indicates which type of +-pointer is in the cred_ptr_union. This also allows the API to +-enforce the credentials version declared in cc_create() or cc_open(). +- +- +-

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_ERR_CACHE_FULL, +-CC_ERR_CRED_VERSION, CC_BAD_PARM +- +-


+- +- +- +-

cc_remove_cred

+- +-
cc_int32 cc_remove_cred(apiCB* cc_ctx, ccache_p* ccache_pointer, const cred_union cred)
+- +-

Removes the credential cred from ccache_pointer. The +-credentials in the NC indicated by ccache_pointer are searched to +-find a matching credential. If found, that credential is removed from +-the NC. The cred parameter is not modified and should be freed via +-cc_free_creds(). It is legitimate to call this function during a +-sequential fetch, and the deletion of a credential already returned +-by cc_seq_fetch_creds() should not disturb sequence of credentials +-returned by cc_seq_fetch_creds(). +- +-

Use of cred_union is the same as is explained in cc_store(). +- +-

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_NOTFOUND, +-CC_ERR_CRED_VERSION, CC_BAD_PARM +- +-


+- +- +- +-

cc_seq_fetch_creds_begin

+- +-
cc_int32 cc_seq_fetch_creds_begin(apiCB* cc_ctx, const ccache_p* ccache_pointer, ccache_cit** itCreds)
+- +-

Allocates memory for and initializes *itCreds. This memory must be +-deallocated using cc_seq_fetch_creds_end(). +- +-

Ccache_pointer must be a valid pointer to the NC containing the +-creds to be returned by the iterator. +- +-

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM, +-CC_NOMEM +- +-

  +- +-

+- +-

cc_seq_fetch_creds_next

+- +-
cc_int32 cc_seq_fetch_creds_next(apiCB* cc_ctx, cred_union** cred, ccache_cit* itCreds)
+- +-

cc_seq_fetch_creds_next() is used to sequentially read every set +-of credentials in an NC. The NC has been indicated in the call to +-cc_seq_fetch_creds_begin(). +- +-

itCreds must be a pointer to a ccache_cit* variable provided by +-the calling application and which is used by +-cc_seq_fetch_creds_next() to determine the next cached credential to +-return. The ccache_cit* variable must be initialized by calling +-cc_seq_fetch_creds_begin(). +- +-

The credentials are filled into the cred_union pointed to by +-creds. Note that the cred_union contains elements which are +-dynamically allocated, so must be freed using cc_free_creds() between +-calls to cc_seq_fetch_creds_next(). +- +-

If changes are made to the NC while it iterator is being used, it +-must return at least the intersection, and at most the union, of the +-set of credentials that were in the NC when the iteration began and +-the set of credentials that are in the NC when it ends. +- +-

When the last credential in the sequence is returned, the return +-code from cc_seq_fetch_creds_next() will be CC_END. +- +-

Possible error codes: CC_NOERROR, CC_END, CC_NO_EXIST, +-CC_BAD_PARM, CC_NOMEM +- +-

  +- +-

+- +-

cc_seq_fetch_creds_end

+- +-
cc_int32 cc_seq_fetch_creds_end(apiCB* cc_ctx, ccache_cit** itCreds)
+- +-

Deallocates memory used by *itCreds and sets *itCreds to NULL. +- +-

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM +- +-


+- +- +- +-

cc_lock_request

+- +-
cc_int32 cc_lock_request(apiCB* cc_ctx, const ccache_p* ccache_pointer, cc_int32 lock_type)
+- +-
+-
99/02/11 - smcguire +- +-
As of this date there is no locking in the Win NT/95 +- or Machintosh implementations. The description below may not be +- completely accurate as to how this function should be +- implemented. +-
+- +-

This function is currently NOT IMPLEMENTED. All functions attach +-to the cache, take action, and detach from the cache before returning +-to the caller. +- +-

This function will lock or unlock the NC based on the argument +-value of lock_type: +- +-

        CC_LOCK_UNLOCK  1       Unlock the NC
+-        CC_LOCK_READER  2       Lock the NC for reading
+-        CC_LOCK_WRITER  3       Lock the NC for writing
+- 
+-        CC_LOCK_NOBLOCK 16      Don't block, but return an error code if
+-                                the request cannot be satisfied.
+- 
+- +-

Locking is done on a per-thread basis. At most one thread may have +-the credentials locked for writing; if so, there must not be any +-threads that have the credentials locked for reading. +- +-

Multiple threads may have the cache locked for reading, as long as +-there is not a writer lock asserted on the cache. +- +-

If a thread has a cache locked for reading, that lock may be +-upgraded to a writer lock by calling cc_lock_request() with a +-lock_type of CC_LOCK_WRITER. If a thread has the cache locked for +-reading or writing, a request to cc_lock_request() for a reader or +-writer lock, respectively, is a no-op. If a thread does not have the +-cache locked, and calls cc_lock_request() with a lock_type of +-CC_LOCK_UNLOCK, this is also a no-op. +- +-

A request for CC_LOCK_READER and CC_LOCK_WRITER may be made +-non-blocking by logical or'ing the value CC_LOCK_NOBLOCK. In that +-case, if it is not possible to satisfy the lock request, the error +-CC_LOCKED will be returned. +- +-

  +- +-

+- +-

Liberation Functions

+- +-

+- +- +-

cc_free_principal

+- +-
cc_int32 cc_free_principal(apiCB* cc_ctx, char** principal)
+- +-

This function frees the principal returned by +-cc_get_principal() and sets *principal to NULL. +- +-

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM +- +-


+- +- +- +-

cc_free_name

+- +-
cc_int32 cc_free_name(apiCB* cc_ctx, char** name)
+- +-

This function frees the name returned by cc_get_name() and +-sets *name to NULL. +- +-

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM +- +-


+- +- +- +-

cc_free_creds

+- +-
cc_int32 cc_free_creds(apiCB* cc_ctx, cred_union** creds)
+- +-

This function frees all storage associated with creds returned by +-cc_seq_fetch_creds() and sets the creds pointer to NULL. +- +-

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM +- +-


+- +- +- +-

cc_free_NC_info

+- +-
cc_int32 cc_free_NC_info(apiCB* cc_ctx, infoNC*** ppNCi)
+- +-

This routine frees all storage aquired by cc_get_NC_info() and +-sets ppNCi to NULL. +- +-

Possible error codes: CC_NOERROR, CC_NO_EXIST, CC_BAD_PARM +- +- +- +- +- +diff --git a/doc/ccapi/html/doxygen.css b/doc/ccapi/html/doxygen.css +deleted file mode 100644 +index 05615b2e6..000000000 +--- a/doc/ccapi/html/doxygen.css ++++ /dev/null +@@ -1,310 +0,0 @@ +-BODY,H1,H2,H3,H4,H5,H6,P,CENTER,TD,TH,UL,DL,DIV { +- font-family: Geneva, Arial, Helvetica, sans-serif; +-} +-BODY,TD { +- font-size: 90%; +-} +-H1 { +- text-align: center; +- font-size: 160%; +-} +-H2 { +- font-size: 120%; +-} +-H3 { +- font-size: 100%; +-} +-CAPTION { font-weight: bold } +-DIV.qindex { +- width: 100%; +- background-color: #e8eef2; +- border: 1px solid #84b0c7; +- text-align: center; +- margin: 2px; +- padding: 2px; +- line-height: 140%; +-} +-DIV.nav { +- width: 100%; +- background-color: #e8eef2; +- border: 1px solid #84b0c7; +- text-align: center; +- margin: 2px; +- padding: 2px; +- line-height: 140%; +-} +-DIV.navtab { +- background-color: #e8eef2; +- border: 1px solid #84b0c7; +- text-align: center; +- margin: 2px; +- margin-right: 15px; +- padding: 2px; +-} +-TD.navtab { +- font-size: 70%; +-} +-A.qindex { +- text-decoration: none; +- font-weight: bold; +- color: #1A419D; +-} +-A.qindex:visited { +- text-decoration: none; +- font-weight: bold; +- color: #1A419D +-} +-A.qindex:hover { +- text-decoration: none; +- background-color: #ddddff; +-} +-A.qindexHL { +- text-decoration: none; +- font-weight: bold; +- background-color: #6666cc; +- color: #ffffff; +- border: 1px double #9295C2; +-} +-A.qindexHL:hover { +- text-decoration: none; +- background-color: #6666cc; +- color: #ffffff; +-} +-A.qindexHL:visited { text-decoration: none; background-color: #6666cc; color: #ffffff } +-A.el { text-decoration: none; font-weight: bold } +-A.elRef { font-weight: bold } +-A.code:link { text-decoration: none; font-weight: normal; color: #0000FF} +-A.code:visited { text-decoration: none; font-weight: normal; color: #0000FF} +-A.codeRef:link { font-weight: normal; color: #0000FF} 
+-A.codeRef:visited { font-weight: normal; color: #0000FF} +-A:hover { text-decoration: none; background-color: #f2f2ff } +-DL.el { margin-left: -1cm } +-.fragment { +- font-family: Fixed, monospace; +- font-size: 95%; +-} +-PRE.fragment { +- border: 1px solid #CCCCCC; +- background-color: #f5f5f5; +- margin-top: 4px; +- margin-bottom: 4px; +- margin-left: 2px; +- margin-right: 8px; +- padding-left: 6px; +- padding-right: 6px; +- padding-top: 4px; +- padding-bottom: 4px; +-} +-DIV.ah { background-color: black; font-weight: bold; color: #ffffff; margin-bottom: 3px; margin-top: 3px } +-TD.md { background-color: #F4F4FB; font-weight: bold; } +-TD.mdPrefix { +- background-color: #F4F4FB; +- color: #606060; +- font-size: 80%; +-} +-TD.mdname1 { background-color: #F4F4FB; font-weight: bold; color: #602020; } +-TD.mdname { background-color: #F4F4FB; font-weight: bold; color: #602020; width: 600px; } +-DIV.groupHeader { +- margin-left: 16px; +- margin-top: 12px; +- margin-bottom: 6px; +- font-weight: bold; +-} +-DIV.groupText { margin-left: 16px; font-style: italic; font-size: 90% } +-BODY { +- background: white; +- color: black; +- margin-right: 20px; +- margin-left: 20px; +-} +-TD.indexkey { +- background-color: #e8eef2; +- font-weight: bold; +- padding-right : 10px; +- padding-top : 2px; +- padding-left : 10px; +- padding-bottom : 2px; +- margin-left : 0px; +- margin-right : 0px; +- margin-top : 2px; +- margin-bottom : 2px; +- border: 1px solid #CCCCCC; +-} +-TD.indexvalue { +- background-color: #e8eef2; +- font-style: italic; +- padding-right : 10px; +- padding-top : 2px; +- padding-left : 10px; +- padding-bottom : 2px; +- margin-left : 0px; +- margin-right : 0px; +- margin-top : 2px; +- margin-bottom : 2px; +- border: 1px solid #CCCCCC; +-} +-TR.memlist { +- background-color: #f0f0f0; +-} +-P.formulaDsp { text-align: center; } +-IMG.formulaDsp { } +-IMG.formulaInl { vertical-align: middle; } +-SPAN.keyword { color: #008000 } +-SPAN.keywordtype { color: #604020 } 
+-SPAN.keywordflow { color: #e08000 } +-SPAN.comment { color: #800000 } +-SPAN.preprocessor { color: #806020 } +-SPAN.stringliteral { color: #002080 } +-SPAN.charliteral { color: #008080 } +-.mdTable { +- border: 1px solid #868686; +- background-color: #F4F4FB; +-} +-.mdRow { +- padding: 8px 10px; +-} +-.mdescLeft { +- padding: 0px 8px 4px 8px; +- font-size: 80%; +- font-style: italic; +- background-color: #FAFAFA; +- border-top: 1px none #E0E0E0; +- border-right: 1px none #E0E0E0; +- border-bottom: 1px none #E0E0E0; +- border-left: 1px none #E0E0E0; +- margin: 0px; +-} +-.mdescRight { +- padding: 0px 8px 4px 8px; +- font-size: 80%; +- font-style: italic; +- background-color: #FAFAFA; +- border-top: 1px none #E0E0E0; +- border-right: 1px none #E0E0E0; +- border-bottom: 1px none #E0E0E0; +- border-left: 1px none #E0E0E0; +- margin: 0px; +-} +-.memItemLeft { +- padding: 1px 0px 0px 8px; +- margin: 4px; +- border-top-width: 1px; +- border-right-width: 1px; +- border-bottom-width: 1px; +- border-left-width: 1px; +- border-top-color: #E0E0E0; +- border-right-color: #E0E0E0; +- border-bottom-color: #E0E0E0; +- border-left-color: #E0E0E0; +- border-top-style: solid; +- border-right-style: none; +- border-bottom-style: none; +- border-left-style: none; +- background-color: #FAFAFA; +- font-size: 80%; +-} +-.memItemRight { +- padding: 1px 8px 0px 8px; +- margin: 4px; +- border-top-width: 1px; +- border-right-width: 1px; +- border-bottom-width: 1px; +- border-left-width: 1px; +- border-top-color: #E0E0E0; +- border-right-color: #E0E0E0; +- border-bottom-color: #E0E0E0; +- border-left-color: #E0E0E0; +- border-top-style: solid; +- border-right-style: none; +- border-bottom-style: none; +- border-left-style: none; +- background-color: #FAFAFA; +- font-size: 80%; +-} +-.memTemplItemLeft { +- padding: 1px 0px 0px 8px; +- margin: 4px; +- border-top-width: 1px; +- border-right-width: 1px; +- border-bottom-width: 1px; +- border-left-width: 1px; +- border-top-color: #E0E0E0; +- 
border-right-color: #E0E0E0; +- border-bottom-color: #E0E0E0; +- border-left-color: #E0E0E0; +- border-top-style: none; +- border-right-style: none; +- border-bottom-style: none; +- border-left-style: none; +- background-color: #FAFAFA; +- font-size: 80%; +-} +-.memTemplItemRight { +- padding: 1px 8px 0px 8px; +- margin: 4px; +- border-top-width: 1px; +- border-right-width: 1px; +- border-bottom-width: 1px; +- border-left-width: 1px; +- border-top-color: #E0E0E0; +- border-right-color: #E0E0E0; +- border-bottom-color: #E0E0E0; +- border-left-color: #E0E0E0; +- border-top-style: none; +- border-right-style: none; +- border-bottom-style: none; +- border-left-style: none; +- background-color: #FAFAFA; +- font-size: 80%; +-} +-.memTemplParams { +- padding: 1px 0px 0px 8px; +- margin: 4px; +- border-top-width: 1px; +- border-right-width: 1px; +- border-bottom-width: 1px; +- border-left-width: 1px; +- border-top-color: #E0E0E0; +- border-right-color: #E0E0E0; +- border-bottom-color: #E0E0E0; +- border-left-color: #E0E0E0; +- border-top-style: solid; +- border-right-style: none; +- border-bottom-style: none; +- border-left-style: none; +- color: #606060; +- background-color: #FAFAFA; +- font-size: 80%; +-} +-.search { color: #003399; +- font-weight: bold; +-} +-FORM.search { +- margin-bottom: 0px; +- margin-top: 0px; +-} +-INPUT.search { font-size: 75%; +- color: #000080; +- font-weight: normal; +- background-color: #e8eef2; +-} +-TD.tiny { font-size: 75%; +-} +-a { +- color: #1A41A8; +-} +-a:visited { +- color: #2A3798; +-} +-.dirtab { padding: 4px; +- border-collapse: collapse; +- border: 1px solid #84b0c7; +-} +-TH.dirtab { background: #e8eef2; +- font-weight: bold; +-} +-HR { height: 1px; +- border: none; +- border-top: 1px solid black; +-} +- +diff --git a/doc/ccapi/html/doxygen.png b/doc/ccapi/html/doxygen.png +deleted file mode 100644 +index f0a274bbaffdd67f6d784c894d9cf28729db0e14..0000000000000000000000000000000000000000 +GIT binary patch +literal 0 +HcmV?d00001 
+ +literal 1281 +zcmaJ>ZA?>F7(Vx-ms?uoS`b@hdRtpo6o^%HU>M$hfGrBvQnk$LE?p^P!kn&ikhyq! +zX~V@&tPF5Qt@V?oTL96Bi%aRiwbe1)9DWQI#?)=HxS7QSw`J`5fAJ*eJbB;uNuKA& +zdERDo*{Y<(If(#(B$Lr#;nB(8Y#ia=ZCeW?JfPLuQY`=@cW$k}Rivq|vbxGrRq1Tl9;+(gNt?}UtVKM2`T5t1jLzuL@0UIs`S#vlhl4)^ +zLgSYrPj@$+`|j?eSbXTmiHGkWxV8V}BzNR?pl9k_s4pDu9vd5a_UzZEPk)}Ad{AV_ +zzddrjrh4=Imr`E06;LY{)YYt?o}L~H@7C}F^WB!Ra=v`Q0bj{>5&$66CWF>mf6vjP +z2N>RRY6ZYa=K`76>+|_)Xdwko+7wv}7cN|btOhWb(*{sta~6b?S8Omrxw}!4`NhGr +zZVpNqpu1@BE`QGWNTpEpcJVW5izu~2B^GlM?1(OPg)zwW;QcP@Ltcclm>XbJL9C|j +z=9!2?ua=uIlf0%AndzHsRC}IyTL$EhAee(fdKB`?27KeS^2M8M_7b~PiCFO&r5LC7 +z7gl1*a<8;SjNaw#h=843_AV9iZbWQOAp5YOC^&_F*9K0> +zB|6%IDb?aM#3viTxkLU4aXg&@+CkNTOnQ1iMP*^?b|^lJy$4C)Zk4isV!|RZ*XhXh +zw8q3$=*0LeGC!XI_Wc?dkT~3+*Gu%%yIqP+Wr3H$=&ROMQU6q}Ag^P~>c5vAEO;a- +z_dK-3PPeKar%)6$j~vI2#*-YH!1h6HYVtwCX5_wM`iF#UKz&&@9Oo5w3%XGYrX +zW>dY~)SG-((Yim%`InwgTvyRC?e=Wh^8KCao!R6Eg&TpVWUY1sN~4G}V?nFnEGo-; +zHZ_$eW9-GnC%^WS9b +z@p;-$oH#MtC0v>Q$HX%4^JdFdO$0cbv-W)Q +TtK}Eh@>>I#ipmV1>S*>q-hkC} + +diff --git a/doc/ccapi/html/group__cc__ccache__iterator__reference.html b/doc/ccapi/html/group__cc__ccache__iterator__reference.html +deleted file mode 100644 +index 2c8bfe27b..000000000 +--- a/doc/ccapi/html/group__cc__ccache__iterator__reference.html ++++ /dev/null +@@ -1,96 +0,0 @@ +- +- +-Credentials Cache API : cc_ccache_iterator_t Overview +- +- +- +- +-

cc_ccache_iterator_t Overview


Detailed Description

+-The cc_ccache_iterator_t type represents an iterator that iterates over a set of ccaches and returns them in all in some order. A new instance of this type can be obtained by calling cc_context_new_ccache_iterator().

+-For API function documentation see cc_ccache_iterator_f. +-

+-

Data Structures

+- +-

Typedefs

+- +-

Typedef Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
typedef struct cc_ccache_iterator_f cc_ccache_iterator_f
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
typedef struct cc_ccache_iterator_d cc_ccache_iterator_d
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
typedef cc_ccache_iterator_d* cc_ccache_iterator_t
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/group__cc__ccache__reference.html b/doc/ccapi/html/group__cc__ccache__reference.html +deleted file mode 100644 +index ce47b73c6..000000000 +--- a/doc/ccapi/html/group__cc__ccache__reference.html ++++ /dev/null +@@ -1,96 +0,0 @@ +- +- +-Credentials Cache API : cc_ccache_t Overview +- +- +- +- +-

cc_ccache_t Overview


Detailed Description

+-The cc_ccache_t type represents a reference to a ccache. Callers can access a ccache and the credentials stored in it via a cc_ccache_t. A cc_ccache_t can be acquired via cc_context_open_ccache(), cc_context_open_default_ccache(), or cc_ccache_iterator_next().

+-For API function documentation see cc_ccache_f. +-

+-

Data Structures

+- +-

Typedefs

+- +-

Typedef Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
typedef struct cc_ccache_f cc_ccache_f
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
typedef struct cc_ccache_d cc_ccache_d
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
typedef cc_ccache_d* cc_ccache_t
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/group__cc__context__reference.html b/doc/ccapi/html/group__cc__context__reference.html +deleted file mode 100644 +index cd7e6be3d..000000000 +--- a/doc/ccapi/html/group__cc__context__reference.html ++++ /dev/null +@@ -1,161 +0,0 @@ +- +- +-Credentials Cache API : cc_context_t Overview +- +- +- +- +-

cc_context_t Overview


Detailed Description

+-The cc_context_t type gives the caller access to a ccache collection. Before being able to call any functions in the CCache API, the caller needs to acquire an instance of cc_context_t by calling cc_initialize().

+-For API function documentation see cc_context_f. +-

+-

Data Structures

+- +-

Typedefs

+- +-

Functions

+- +-

Typedef Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
typedef struct cc_context_f cc_context_f
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
typedef struct cc_context_d cc_context_d
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
typedef cc_context_d* cc_context_t
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-


Function Documentation

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-
CCACHE_API cc_int32 cc_initialize cc_context_t out_context,
cc_int32  in_version,
cc_int32 out_supported_version,
char const **  out_vendor
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Initialize a new cc_context. +-

+-

Parameters:
+- +- +- +- +- +-
out_context on exit, a new context object. Must be free with cc_context_release().
in_version the requested API version. This should be the maximum version the application supports.
out_supported_version if non-NULL, on exit contains the maximum API version supported by the implementation.
out_vendor if non-NULL, on exit contains a pointer to a read-only C string which contains a string describing the vendor which implemented the credentials cache API.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure. May return CCAPI v2 error CC_BAD_API_VERSION if ccapi_version_2 is passed in.
+-
+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/group__cc__credentials__iterator__reference.html b/doc/ccapi/html/group__cc__credentials__iterator__reference.html +deleted file mode 100644 +index 41ba42f86..000000000 +--- a/doc/ccapi/html/group__cc__credentials__iterator__reference.html ++++ /dev/null +@@ -1,133 +0,0 @@ +- +- +-Credentials Cache API : cc_credentials_iterator_t +- +- +- +- +-

cc_credentials_iterator_t


Detailed Description

+-The cc_credentials_iterator_t type represents an iterator that iterates over a set of credentials. A new instance of this type can be obtained by calling cc_ccache_new_credentials_iterator().

+-For API function documentation see cc_credentials_iterator_f. +-

+-

Data Structures

+- +-

Typedefs

+- +-

Variables

+- +-

Typedef Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
typedef struct cc_credentials_iterator_f cc_credentials_iterator_f
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
typedef struct cc_credentials_iterator_d cc_credentials_iterator_d
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
typedef cc_credentials_iterator_d* cc_credentials_iterator_t
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-


Variable Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* clone)(cc_credentials_iterator_t in_credentials_iterator, cc_credentials_iterator_t *out_credentials_iterator) [inherited]
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_credentials_iterator_clone(): Make a copy of a credentials iterator. +-

+-

Parameters:
+- +- +- +-
in_credentials_iterator a credentials iterator object.
out_credentials_iterator on exit, a copy of in_credentials_iterator.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-
+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/group__cc__credentials__reference.html b/doc/ccapi/html/group__cc__credentials__reference.html +deleted file mode 100644 +index d083e6c07..000000000 +--- a/doc/ccapi/html/group__cc__credentials__reference.html ++++ /dev/null +@@ -1,197 +0,0 @@ +- +- +-Credentials Cache API : cc_credentials_t Overview +- +- +- +- +-

cc_credentials_t Overview


Detailed Description

+-The cc_credentials_t type is used to store a single set of credentials for either Kerberos v4 or Kerberos v5. In addition to its only function, release(), it contains a pointer to a cc_credentials_union structure. A cc_credentials_union structure contains an integer of the enumerator type cc_credentials_version, which is either cc_credentials_v4 or cc_credentials_v5, and a pointer union, which contains either a cc_credentials_v4_t pointer or a cc_credentials_v5_t pointer, depending on the value in version.

+-Variables of the type cc_credentials_t are allocated by the CCAPI implementation, and should be released with their release() function. API functions which receive credentials structures from the caller always accept cc_credentials_union, which is allocated by the caller, and accordingly disposed by the caller.

+-For API functions see cc_credentials_f. +-

+-

Data Structures

+- +-

Typedefs

+- +-

Typedef Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
typedef struct cc_credentials_v4_t cc_credentials_v4_t
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
typedef struct cc_data cc_data
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
typedef struct cc_credentials_v5_t cc_credentials_v5_t
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
typedef struct cc_credentials_union cc_credentials_union
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
typedef struct cc_credentials_f cc_credentials_f
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
typedef struct cc_credentials_d cc_credentials_d
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
typedef cc_credentials_d* cc_credentials_t
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/group__cc__string__reference.html b/doc/ccapi/html/group__cc__string__reference.html +deleted file mode 100644 +index 9ce3b7195..000000000 +--- a/doc/ccapi/html/group__cc__string__reference.html ++++ /dev/null +@@ -1,96 +0,0 @@ +- +- +-Credentials Cache API : cc_string_t Overview +- +- +- +- +-

cc_string_t Overview


Detailed Description

+-The cc_string_t represents a C string returned by the API. It has a pointer to the string data and a release() function. This type is used for both principal names and ccache names returned by the API. Principal names may contain UTF-8 encoded strings for internationalization purposes.

+-For API function documentation see cc_string_f. +-

+-

Data Structures

+- +-

Typedefs

+- +-

Typedef Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
typedef struct cc_string_f cc_string_f
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
typedef struct cc_string_d cc_string_d
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
typedef cc_string_d* cc_string_t
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/group__ccapi__constants__reference.html b/doc/ccapi/html/group__ccapi__constants__reference.html +deleted file mode 100644 +index 87ec30b83..000000000 +--- a/doc/ccapi/html/group__ccapi__constants__reference.html ++++ /dev/null +@@ -1,407 +0,0 @@ +- +- +-Credentials Cache API : Constants +- +- +- +- +-

Constants

+-

+-

Enumerations

+- +-

Enumeration Type Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
anonymous enum
+-
+- +- +- +- +- +-
+-   +- +- +-

+-API version numbers

+-These constants are passed into cc_initialize() to indicate the version of the API the caller wants to use.

+-CCAPI v1 and v2 are deprecated and should not be used.

Enumerator:
+- +- +- +- +- +- +- +- +-
ccapi_version_2  +-
ccapi_version_3  +-
ccapi_version_4  +-
ccapi_version_5  +-
ccapi_version_6  +-
ccapi_version_7  +-
ccapi_version_max  +-
+-
+-
+-

+- +- +- +- +-
+- +- +- +- +-
anonymous enum
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Error codes

Enumerator:
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-
ccNoError  +-Success.
ccIteratorEnd  +-Iterator is done iterating.
ccErrBadParam  +-Bad parameter (NULL or invalid pointer where valid pointer expected).
ccErrNoMem  +-Not enough memory to complete the operation.
ccErrInvalidContext  +-Context is invalid (e.g., it was released).
ccErrInvalidCCache  +-CCache is invalid (e.g., it was released or destroyed).
ccErrInvalidString  +-String is invalid (e.g., it was released).
ccErrInvalidCredentials  +-Credentials are invalid (e.g., they were released), or they have a bad version.
ccErrInvalidCCacheIterator  +-CCache iterator is invalid (e.g., it was released).
ccErrInvalidCredentialsIterator  +-Credentials iterator is invalid (e.g., it was released).
ccErrInvalidLock  +-Lock is invalid (e.g., it was released).
ccErrBadName  +-Bad credential cache name format.
ccErrBadCredentialsVersion  +-Credentials version is invalid.
ccErrBadAPIVersion  +-Unsupported API version.
ccErrContextLocked  +-Context is already locked.
ccErrContextUnlocked  +-Context is not locked by the caller.
ccErrCCacheLocked  +-CCache is already locked.
ccErrCCacheUnlocked  +-CCache is not locked by the caller.
ccErrBadLockType  +-Bad lock type.
ccErrNeverDefault  +-CCache was never default.
ccErrCredentialsNotFound  +-Matching credentials not found in the ccache.
ccErrCCacheNotFound  +-Matching ccache not found in the collection.
ccErrContextNotFound  +-Matching cache collection not found.
ccErrServerUnavailable  +-CCacheServer is unavailable.
ccErrServerInsecure  +-CCacheServer has detected that it is running as the wrong user.
ccErrServerCantBecomeUID  +-CCacheServer failed to start running as the user.
ccErrTimeOffsetNotSet  +-KDC time offset not set for this ccache.
ccErrBadInternalMessage  +-The client and CCacheServer can't communicate (e.g., a version mismatch).
ccErrNotImplemented  +-API function not supported by this implementation.
ccErrClientNotFound  +-CCacheServer has no record of the caller's process (e.g., the server crashed).
+-
+-
+-

+- +- +- +- +-
+- +- +- +- +-
enum cc_credential_versions
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Credentials versions

+-These constants are used in several places in the API to discern between Kerberos v4 and Kerberos v5. Not all values are valid inputs and outputs for all functions; function specifications below detail the allowed values.

+-Kerberos version constants will always be a bit-field, and can be tested as such; for example the following test will tell you if a ccacheVersion includes v5 credentials:

+-if ((ccacheVersion & cc_credentials_v5) != 0)

Enumerator:
+- +- +- +- +-
cc_credentials_v4  +-
cc_credentials_v5  +-
cc_credentials_v4_v5  +-
+-
+-
+-

+- +- +- +- +-
+- +- +- +- +-
enum cc_lock_types
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Lock types

+-These constants are used in the locking functions to describe the type of lock requested. Note that all CCAPI locks are advisory so only callers using the lock calls will be blocked by each other. This is because locking functions were introduced after the CCAPI came into common use and we did not want to break existing callers.

Enumerator:
+- +- +- +- +- +-
cc_lock_read  +-
cc_lock_write  +-
cc_lock_upgrade  +-
cc_lock_downgrade  +-
+-
+-
+-

+- +- +- +- +-
+- +- +- +- +-
enum cc_lock_modes
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Locking Modes

+-These constants are used in the advisory locking functions to describe whether or not the lock function should block waiting for a lock or return an error immediately. For example, attempting to acquire a lock with a non-blocking call will result in an error if the lock cannot be acquired; otherwise, the call will block until the lock can be acquired.

Enumerator:
+- +- +- +-
cc_lock_noblock  +-
cc_lock_block  +-
+-
+-
+-

+- +- +- +- +-
+- +- +- +- +-
anonymous enum
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Sizes of fields in cc_credentials_v4_t.

Enumerator:
+- +- +- +- +- +- +-
cc_v4_name_size  +-
cc_v4_instance_size  +-
cc_v4_realm_size  +-
cc_v4_ticket_size  +-
cc_v4_key_size  +-
+-
+-
+-

+- +- +- +- +-
+- +- +- +- +-
enum cc_string_to_key_type
+-
+- +- +- +- +- +-
+-   +- +- +-

+-String to key type (Kerberos v4 only)

Enumerator:
+- +- +- +- +- +- +-
cc_v4_stk_afs  +-
cc_v4_stk_des  +-
cc_v4_stk_columbia_special  +-
cc_v4_stk_krb5  +-
cc_v4_stk_unknown  +-
+-
+-
+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +-
+diff --git a/doc/ccapi/html/group__ccapi__types__reference.html b/doc/ccapi/html/group__ccapi__types__reference.html
+deleted file mode 100644
+index 9c646b8d9..000000000
+--- a/doc/ccapi/html/group__ccapi__types__reference.html
++++ /dev/null
+@@ -1,138 +0,0 @@
+- +- +-Credentials Cache API : Basic Types +- +- +- +- +-

Basic Types

+-

+-

Typedefs

+- +-

Typedef Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
typedef uint32_t cc_uint32
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Unsigned 32-bit integer type

+-

+- +- +- +- +-
+- +- +- +- +-
typedef int32_t cc_int32
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Signed 32-bit integer type

+-

+- +- +- +- +-
+- +- +- +- +-
typedef int64_t cc_int64
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Unsigned 64-bit integer type

+-

+- +- +- +- +-
+- +- +- +- +-
typedef uint64_t cc_uint64
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Signed 64-bit integer type

+-

+- +- +- +- +-
+- +- +- +- +-
typedef cc_uint32 cc_time_t
+-
+- +- +- +- +- +-
+-   +- +- +-

+-The cc_time_t type is used to represent a time in seconds. The time must be stored as the number of seconds since midnight GMT on January 1, 1970.

+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +-
+diff --git a/doc/ccapi/html/group__helper__macros.html b/doc/ccapi/html/group__helper__macros.html
+deleted file mode 100644
+index cf1c681dc..000000000
+--- a/doc/ccapi/html/group__helper__macros.html
++++ /dev/null
+@@ -1,1377 +0,0 @@
+- +- +-Credentials Cache API : CCAPI Function Helper Macros +- +- +- +- +-

CCAPI Function Helper Macros

+-

+-

Defines

+-
    +-
  • #define cc_context_release(context)   ((context) -> functions -> release (context)) +-
  • #define cc_context_get_change_time(context, change_time)   ((context) -> functions -> get_change_time (context, change_time)) +-
  • #define cc_context_get_default_ccache_name(context, name)   ((context) -> functions -> get_default_ccache_name (context, name)) +-
  • #define cc_context_open_ccache(context, name, ccache)   ((context) -> functions -> open_ccache (context, name, ccache)) +-
  • #define cc_context_open_default_ccache(context, ccache)   ((context) -> functions -> open_default_ccache (context, ccache)) +-
  • #define cc_context_create_ccache(context, name, version, principal, ccache)   ((context) -> functions -> create_ccache (context, name, version, principal, ccache)) +-
  • #define cc_context_create_default_ccache(context, version, principal, ccache)   ((context) -> functions -> create_default_ccache (context, version, principal, ccache)) +-
  • #define cc_context_create_new_ccache(context, version, principal, ccache)   ((context) -> functions -> create_new_ccache (context, version, principal, ccache)) +-
  • #define cc_context_new_ccache_iterator(context, iterator)   ((context) -> functions -> new_ccache_iterator (context, iterator)) +-
  • #define cc_context_lock(context, type, block)   ((context) -> functions -> lock (context, type, block)) +-
  • #define cc_context_unlock(context)   ((context) -> functions -> unlock (context)) +-
  • #define cc_context_compare(context, compare_to, equal)   ((context) -> functions -> compare (context, compare_to, equal)) +-
  • #define cc_context_wait_for_change(context)   ((context) -> functions -> wait_for_change (context)) +-
  • #define cc_ccache_release(ccache)   ((ccache) -> functions -> release (ccache)) +-
  • #define cc_ccache_destroy(ccache)   ((ccache) -> functions -> destroy (ccache)) +-
  • #define cc_ccache_set_default(ccache)   ((ccache) -> functions -> set_default (ccache)) +-
  • #define cc_ccache_get_credentials_version(ccache, version)   ((ccache) -> functions -> get_credentials_version (ccache, version)) +-
  • #define cc_ccache_get_name(ccache, name)   ((ccache) -> functions -> get_name (ccache, name)) +-
  • #define cc_ccache_get_principal(ccache, version, principal)   ((ccache) -> functions -> get_principal (ccache, version, principal)) +-
  • #define cc_ccache_set_principal(ccache, version, principal)   ((ccache) -> functions -> set_principal (ccache, version, principal)) +-
  • #define cc_ccache_store_credentials(ccache, credentials)   ((ccache) -> functions -> store_credentials (ccache, credentials)) +-
  • #define cc_ccache_remove_credentials(ccache, credentials)   ((ccache) -> functions -> remove_credentials (ccache, credentials)) +-
  • #define cc_ccache_new_credentials_iterator(ccache, iterator)   ((ccache) -> functions -> new_credentials_iterator (ccache, iterator)) +-
  • #define cc_ccache_lock(ccache, type, block)   ((ccache) -> functions -> lock (ccache, type, block)) +-
  • #define cc_ccache_unlock(ccache)   ((ccache) -> functions -> unlock (ccache)) +-
  • #define cc_ccache_get_last_default_time(ccache, last_default_time)   ((ccache) -> functions -> get_last_default_time (ccache, last_default_time)) +-
  • #define cc_ccache_get_change_time(ccache, change_time)   ((ccache) -> functions -> get_change_time (ccache, change_time)) +-
  • #define cc_ccache_move(source, destination)   ((source) -> functions -> move (source, destination)) +-
  • #define cc_ccache_compare(ccache, compare_to, equal)   ((ccache) -> functions -> compare (ccache, compare_to, equal)) +-
  • #define cc_ccache_get_kdc_time_offset(ccache, version, time_offset)   ((ccache) -> functions -> get_kdc_time_offset (ccache, version, time_offset)) +-
  • #define cc_ccache_set_kdc_time_offset(ccache, version, time_offset)   ((ccache) -> functions -> set_kdc_time_offset (ccache, version, time_offset)) +-
  • #define cc_ccache_clear_kdc_time_offset(ccache, version)   ((ccache) -> functions -> clear_kdc_time_offset (ccache, version)) +-
  • #define cc_ccache_wait_for_change(ccache)   ((ccache) -> functions -> wait_for_change (ccache)) +-
  • #define cc_string_release(string)   ((string) -> functions -> release (string)) +-
  • #define cc_credentials_release(credentials)   ((credentials) -> functions -> release (credentials)) +-
  • #define cc_credentials_compare(credentials, compare_to, equal)   ((credentials) -> functions -> compare (credentials, compare_to, equal)) +-
  • #define cc_ccache_iterator_release(iterator)   ((iterator) -> functions -> release (iterator)) +-
  • #define cc_ccache_iterator_next(iterator, ccache)   ((iterator) -> functions -> next (iterator, ccache)) +-
  • #define cc_ccache_iterator_clone(iterator, new_iterator)   ((iterator) -> functions -> clone (iterator, new_iterator)) +-
  • #define cc_credentials_iterator_release(iterator)   ((iterator) -> functions -> release (iterator)) +-
  • #define cc_credentials_iterator_next(iterator, credentials)   ((iterator) -> functions -> next (iterator, credentials)) +-
  • #define cc_credentials_iterator_clone(iterator, new_iterator)   ((iterator) -> functions -> clone (iterator, new_iterator)) +-
+-

Define Documentation

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +-
#define cc_context_release context   )    ((context) -> functions -> release (context))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_context_f release()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_context_get_change_time context,
change_time   )    ((context) -> functions -> get_change_time (context, change_time))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_context_f get_change_time()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_context_get_default_ccache_name context,
name   )    ((context) -> functions -> get_default_ccache_name (context, name))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_context_f get_default_ccache_name()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_context_open_ccache context,
name,
ccache   )    ((context) -> functions -> open_ccache (context, name, ccache))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_context_f open_ccache()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_context_open_default_ccache context,
ccache   )    ((context) -> functions -> open_default_ccache (context, ccache))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_context_f open_default_ccache()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_context_create_ccache context,
name,
version,
principal,
ccache   )    ((context) -> functions -> create_ccache (context, name, version, principal, ccache))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_context_f create_ccache()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_context_create_default_ccache context,
version,
principal,
ccache   )    ((context) -> functions -> create_default_ccache (context, version, principal, ccache))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_context_f create_default_ccache()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_context_create_new_ccache context,
version,
principal,
ccache   )    ((context) -> functions -> create_new_ccache (context, version, principal, ccache))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_context_f create_new_ccache()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_context_new_ccache_iterator context,
iterator   )    ((context) -> functions -> new_ccache_iterator (context, iterator))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_context_f new_ccache_iterator()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_context_lock context,
type,
block   )    ((context) -> functions -> lock (context, type, block))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_context_f lock()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +-
#define cc_context_unlock context   )    ((context) -> functions -> unlock (context))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_context_f unlock()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_context_compare context,
compare_to,
equal   )    ((context) -> functions -> compare (context, compare_to, equal))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_context_f compare()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +-
#define cc_context_wait_for_change context   )    ((context) -> functions -> wait_for_change (context))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_context_f wait_for_change()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +-
#define cc_ccache_release ccache   )    ((ccache) -> functions -> release (ccache))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f release()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +-
#define cc_ccache_destroy ccache   )    ((ccache) -> functions -> destroy (ccache))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f destroy()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +-
#define cc_ccache_set_default ccache   )    ((ccache) -> functions -> set_default (ccache))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f set_default()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_ccache_get_credentials_version ccache,
version   )    ((ccache) -> functions -> get_credentials_version (ccache, version))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f get_credentials_version()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_ccache_get_name ccache,
name   )    ((ccache) -> functions -> get_name (ccache, name))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f get_name()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_ccache_get_principal ccache,
version,
principal   )    ((ccache) -> functions -> get_principal (ccache, version, principal))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f get_principal()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_ccache_set_principal ccache,
version,
principal   )    ((ccache) -> functions -> set_principal (ccache, version, principal))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f set_principal()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_ccache_store_credentials ccache,
credentials   )    ((ccache) -> functions -> store_credentials (ccache, credentials))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f store_credentials()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_ccache_remove_credentials ccache,
credentials   )    ((ccache) -> functions -> remove_credentials (ccache, credentials))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f remove_credentials()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_ccache_new_credentials_iterator ccache,
iterator   )    ((ccache) -> functions -> new_credentials_iterator (ccache, iterator))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f new_credentials_iterator()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_ccache_lock ccache,
type,
block   )    ((ccache) -> functions -> lock (ccache, type, block))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f lock()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +-
#define cc_ccache_unlock ccache   )    ((ccache) -> functions -> unlock (ccache))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f unlock()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_ccache_get_last_default_time ccache,
last_default_time   )    ((ccache) -> functions -> get_last_default_time (ccache, last_default_time))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f get_last_default_time()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_ccache_get_change_time ccache,
change_time   )    ((ccache) -> functions -> get_change_time (ccache, change_time))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f get_change_time()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_ccache_move source,
destination   )    ((source) -> functions -> move (source, destination))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f move()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_ccache_compare ccache,
compare_to,
equal   )    ((ccache) -> functions -> compare (ccache, compare_to, equal))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f compare()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_ccache_get_kdc_time_offset ccache,
version,
time_offset   )    ((ccache) -> functions -> get_kdc_time_offset (ccache, version, time_offset))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f get_kdc_time_offset()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_ccache_set_kdc_time_offset ccache,
version,
time_offset   )    ((ccache) -> functions -> set_kdc_time_offset (ccache, version, time_offset))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f set_kdc_time_offset()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_ccache_clear_kdc_time_offset ccache,
version   )    ((ccache) -> functions -> clear_kdc_time_offset (ccache, version))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f clear_kdc_time_offset()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +-
#define cc_ccache_wait_for_change ccache   )    ((ccache) -> functions -> wait_for_change (ccache))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_f wait_for_change()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +-
#define cc_string_release string   )    ((string) -> functions -> release (string))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_string_f release()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +-
#define cc_credentials_release credentials   )    ((credentials) -> functions -> release (credentials))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_credentials_f release()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_credentials_compare credentials,
compare_to,
equal   )    ((credentials) -> functions -> compare (credentials, compare_to, equal))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_credentials_f compare()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +-
#define cc_ccache_iterator_release iterator   )    ((iterator) -> functions -> release (iterator))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_iterator_f release()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_ccache_iterator_next iterator,
ccache   )    ((iterator) -> functions -> next (iterator, ccache))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_iterator_f next()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_ccache_iterator_clone iterator,
new_iterator   )    ((iterator) -> functions -> clone (iterator, new_iterator))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_ccache_iterator_f clone()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +-
#define cc_credentials_iterator_release iterator   )    ((iterator) -> functions -> release (iterator))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_credentials_iterator_f release()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_credentials_iterator_next iterator,
credentials   )    ((iterator) -> functions -> next (iterator, credentials))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_credentials_iterator_f next()

+-

+- +- +- +- +-
+- +- +- +- +- +- +- +- +- +- +- +- +-
#define cc_credentials_iterator_clone iterator,
new_iterator   )    ((iterator) -> functions -> clone (iterator, new_iterator))
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Helper macro for cc_credentials_iterator_f clone()

+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +-
+diff --git a/doc/ccapi/html/index.html b/doc/ccapi/html/index.html
+deleted file mode 100644
+index bf920052f..000000000
+--- a/doc/ccapi/html/index.html
++++ /dev/null
+@@ -1,85 +0,0 @@
+- +- +-Credentials Cache API : Credentials Cache API (CCAPI) Documentation +- +- +- +- +-

Credentials Cache API (CCAPI) Documentation

+-

+-

+-Table of Contents

+- +- +- +- +- +- +- +- +-

+-Introduction

+-This is the specification for an API which provides Credentials Cache services for both Kerberos v5 and v4. The idea behind this API is that multiple Kerberos implementations can share a single collection of credentials caches, mediated by this API specification. On the Mac OS and Microsoft Windows platforms this will allow single-login, even when more than one Kerberos shared library is in use on a particular system.

+-Abstractly, a credentials cache collection contains one or more credentials caches, or ccaches. A ccache is uniquely identified by its name, which is a string internal to the API and not intended to be presented to users. The user presentable identifier of a ccache is its principal.

+-Unlike the previous versions of the API, version 3 of the API stores both Kerberos v4 and v5 credentials in the same ccache.

+-At any given time, one ccache is the "default" ccache. The exact meaning of a default ccache is OS-specific; refer to implementation requirements for details.

+-Error Handling

+-All functions of the API return some of the error constants listed FIXME; the exact list of error constants returned by any API function is provided in the function descriptions below.

+-When returning an error constant other than ccNoError or ccIteratorEnd, API functions never modify any of the values passed in by reference.

+-Synchronization and Atomicity

+-Every function in the API is atomic. In order to make a series of calls atomic, callers should lock the ccache or cache collection they are working with to advise other callers not to modify that container. Note that advisory locks are per container so even if you have a read lock on the cache collection other callers can obtain write locks on ccaches in that cache collection.

+-Note that iterators do not iterate over ccaches and credentials atomically because locking ccaches and the cache collection over every iteration would degrade performance considerably under high load. However, iterators do guarantee a consistent view of items they are iterating over. Iterators will never return duplicate entries or skip entries when items are removed or added to the container they are iterating over.

+-An application can always lock a ccache or the cache collection to guarantee that other callers participating in the advisory locking system do not modify the ccache or cache collection.

+-Implementations should not use copy-on-write techniques to implement locks because those techniques imply that same parts of the ccache collection remain visible to some callers even though they are not present in the collection, which is a potential security risk. For example, a copy-on-write technique might make a copy of the entire collection when a read lock is acquired, so as to allow the owner of the lock to access the collection in an apparently unmodified state, while also allowing others to make modifications to the collection. However, this would also enable the owner of the lock to indefinitely (until the expiration time) use credentials that have actually been deleted from the collection.

+-Object Memory Management

+-The lifetime of an object returned by the API is until release() is called for it. Releasing one object has no effect on existence of any other object. For example, a ccache obtained within a context continue to exist when the context is released.

+-Every object returned by the API (cc_context_t, cc_ccache_t, cc_ccache_iterator_t, cc_credentials_t, cc_credentials_iterator_t, cc_string_t) is owned by the caller of the API, and it is the responsibility of the caller to call release() for every object to prevent memory leaks.

+-Opaque Types

+-All of the opaque high-level types in CCache API are implemented as structures of function pointers and private data. To perform some operation on a type, the caller of the API has to first obtain an instance of that type, and then call the appropriate function pointer from that instance. For example, to call get_change_time() on a cc_context_t, one would call cc_initialize() which creates a new cc_context_t and then call its get_change_time(), like this:

+-

 cc_context_t context;
+- cc_int32 err = cc_initialize (&context, ccapi_version_3, nil, nil);
+- if (err == ccNoError)
+- time = context->functions->get_change_time (context)
+-

+-All API functions also have convenience preprocessor macros, which make the API seem completely function-based. For example, cc_context_get_change_time (context, time) is equivalent to context->functions->get_change_time (context, time). The convenience macros follow the following naming convention:

+-The API function some_function()

 cc_type_t an_object;
+- result = an_object->functions->some_function (opaque_pointer, args)
+-

+-has an equivalent convenience macro of the form cc_type_some_function():

 cc_type_t an_object;
+- result = cc_type_some_function (an_object, args)
+-

+-The specifications below include the names for both the functions and the convenience macros, in that order. For clarity, it is recommended that clients using the API use the convenience macros, but that is merely a stylistic choice.

+-Implementing the API in this manner allows us to extend and change the interface in the future, while preserving compatibility with older clients.

+-For example, consider the case when the signature or the semantics of a cc_ccache_t function is changed. The API version number is incremented. The library implementation contains both a function with the old signature and semantics and a function with the new signature and semantics. When a context is created, the API version number used in that context is stored in the context, and therefore it can be used whenever a ccache is created in that context. When a ccache is created in a context with the old API version number, the function pointer structure for the ccache is filled with pointers to functions implementing the old semantics; when a ccache is created in a context with the new API version number, the function pointer structure for the ccache is filled with poitners to functions implementing the new semantics.

+-Similarly, if a function is added to the API, the version number in the context can be used to decide whether to include the implementation of the new function in the appropriate function pointer structure or not.


Generated on Tue Oct 2 17:16:05 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +-
+diff --git a/doc/ccapi/html/structcc__ccache__d.html b/doc/ccapi/html/structcc__ccache__d.html
+deleted file mode 100644
+index c19aa2b59..000000000
+--- a/doc/ccapi/html/structcc__ccache__d.html
++++ /dev/null
+@@ -1,43 +0,0 @@
+- +- +-Credentials Cache API : cc_ccache_d Struct Reference +- +- +- +- +-

cc_ccache_d Struct Reference
+- +-[cc_ccache_t Overview] +-

Data Fields

+- +-

Field Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
const cc_ccache_f* functions
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-


Generated on Tue Oct 2 17:16:05 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +-
+diff --git a/doc/ccapi/html/structcc__ccache__f.html b/doc/ccapi/html/structcc__ccache__f.html
+deleted file mode 100644
+index ddab94ff9..000000000
+--- a/doc/ccapi/html/structcc__ccache__f.html
++++ /dev/null
+@@ -1,722 +0,0 @@
+- +- +-Credentials Cache API : cc_ccache_f Struct Reference +- +- +- +- +-

cc_ccache_f Struct Reference


Detailed Description

+-Function pointer table for cc_ccache_t. For more information see cc_ccache_t Overview. +-

+-

Data Fields

+- +-

Field Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* release)(cc_ccache_t io_ccache)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_release(): Release memory associated with a cc_ccache_t object. +-

+-

Parameters:
+- +- +-
io_ccache the ccache object to release.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-
Note:
Does not modify the ccache. If you wish to remove the ccache see cc_ccache_destroy().
+-
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* destroy)(cc_ccache_t io_ccache)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_destroy(): Destroy a ccache. +-

+-

Parameters:
+- +- +-
io_ccache the ccache object to destroy and release.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-Destroy the ccache referred to by io_ccache and releases memory associated with the io_ccache object. After this call io_ccache becomes invalid. If io_ccache was the default ccache, the next ccache in the cache collection (if any) becomes the new default.
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* set_default)(cc_ccache_t io_ccache)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_set_default(): Make a ccache the default ccache. +-

+-

Parameters:
+- +- +-
io_ccache a ccache object to make the new default ccache.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* get_credentials_version)(cc_ccache_t in_ccache, cc_uint32 *out_credentials_version)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_get_credentials_version(): Get the credentials version of a ccache. +-

+-

Parameters:
+- +- +- +-
in_ccache a ccache object.
out_credentials_version on exit, the credentials version of in_ccache.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-cc_ccache_get_credentials_version() returns one value of the enumerated type cc_credentials_vers. The possible return values are cc_credentials_v4 (if ccache's v4 principal has been set), cc_credentials_v5 (if ccache's v5 principal has been set), or cc_credentials_v4_v5 (if both ccache's v4 and v5 principals have been set). A ccache's principal is set with one of cc_context_create_ccache(), cc_context_create_new_ccache(), cc_context_create_default_ccache(), or cc_ccache_set_principal().
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* get_name)(cc_ccache_t in_ccache, cc_string_t *out_name)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_get_name(): Get the name of a ccache. +-

+-

Parameters:
+- +- +- +-
in_ccache a ccache object.
out_name on exit, a cc_string_t representing the name of in_ccache. out_name must be released with cc_string_release().
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* get_principal)(cc_ccache_t in_ccache, cc_uint32 in_credentials_version, cc_string_t *out_principal)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_get_principal(): Get the principal of a ccache. +-

+-

Parameters:
+- +- +- +- +-
in_ccache a ccache object.
in_credentials_version the credentials version to get the principal for.
out_principal on exit, a cc_string_t representing the principal of in_ccache. out_principal must be released with cc_string_release().
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-Return the principal for the ccache that was set via cc_context_create_ccache(), cc_context_create_default_ccache(), cc_context_create_new_ccache(), or cc_ccache_set_principal(). Principals for v4 and v5 are separate, but should be kept synchronized for each ccache; they can be retrieved by passing cc_credentials_v4 or cc_credentials_v5 in cred_vers. Passing cc_credentials_v4_v5 will result in the error ccErrBadCredentialsVersion.
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* set_principal)(cc_ccache_t io_ccache, cc_uint32 in_credentials_version, const char *in_principal)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_set_principal(): Set the principal of a ccache. +-

+-

Parameters:
+- +- +- +- +-
in_ccache a ccache object.
in_credentials_version the credentials version to set the principal for.
in_principal a C string representing the new principal of in_ccache.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-Set the a principal for ccache. The v4 and v5 principals can be set independently, but they should always be kept equal, up to differences in string representation between v4 and v5. Passing cc_credentials_v4_v5 in cred_vers will result in the error ccErrBadCredentialsVersion.
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* store_credentials)(cc_ccache_t io_ccache, const cc_credentials_union *in_credentials_union)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_store_credentials(): Store credentials in a ccache. +-

+-

Parameters:
+- +- +- +-
io_ccache a ccache object.
in_credentials_union the credentials to store in io_ccache.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-Store a copy of credentials in the ccache.

+-See the description of the credentials types for the meaning of cc_credentials_union fields.

+-Before credentials of a specific credential type can be stored in a ccache, the corresponding principal version has to be set. For example, before you can store Kerberos v4 credentials in a ccache, the Kerberos v4 principal has to be set either by cc_context_create_ccache(), cc_context_create_default_ccache(), cc_context_create_new_ccache(), or cc_ccache_set_principal(); likewise for Kerberos v5. Otherwise, ccErrBadCredentialsVersion is returned.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* remove_credentials)(cc_ccache_t io_ccache, cc_credentials_t in_credentials)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_remove_credentials(): Remove credentials from a ccache. +-

+-

Parameters:
+- +- +- +-
io_ccache a ccache object.
in_credentials the credentials to remove from io_ccache.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-Removes credentials from a ccache. Note that credentials must be previously acquired from the CCache API; only exactly matching credentials will be removed. (This places the burden of determining exactly which credentials to remove on the caller, but ensures there is no ambigity about which credentials will be removed.) cc_credentials_t objects can be obtained by iterating over the ccache's credentials with cc_ccache_new_credentials_iterator().

+-If found, the credentials are removed from the ccache. The credentials parameter is not modified and should be freed by the caller. It is legitimate to call this function while an iterator is traversing the ccache, and the deletion of a credential already returned by cc_credentials_iterator_next() will not disturb sequence of credentials returned by cc_credentials_iterator_next().

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* new_credentials_iterator)(cc_ccache_t in_ccache, cc_credentials_iterator_t *out_credentials_iterator)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_new_credentials_iterator(): Iterate over credentials in a ccache. +-

+-

Parameters:
+- +- +- +-
in_ccache a ccache object.
out_credentials_iterator a credentials iterator for io_ccache.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-Allocates memory for iterator and initializes it. Successive calls to cc_credentials_iterator_next() will return credentials from the ccache.

+-If changes are made to the ccache while an iterator is being used on it, the iterator must return at least the intersection, and at most the union, of the set of credentials that were in the ccache when the iteration began and the set of credentials that are in the ccache when it ends.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* move)(cc_ccache_t io_source_ccache, cc_ccache_t io_destination_ccache)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_move(): Move the contents of one ccache into another, destroying the source. +-

+-

Parameters:
+- +- +- +-
io_source_ccache a ccache object to move.
io_destination_ccache a ccache object replace with the contents of io_source_ccache.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-cc_ccache_move() atomically copies the credentials, credential versions and principals from one ccache to another. On successful completion io_source_ccache will be released and the ccache it points to will be destroyed. Any credentials previously in io_destination_ccache will be replaced with credentials from io_source_ccache. The only part of io_destination_ccache which remains constant is the name. Any other callers referring to io_destination_ccache will suddenly see new data in it.

+-Typically cc_ccache_move() is used when the caller wishes to safely overwrite the contents of a ccache with new data which requires several steps to generate. cc_ccache_move() allows the caller to create a temporary ccache (which can be destroyed if any intermediate step fails) and the atomically copy the temporary cache into the destination.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* lock)(cc_ccache_t io_ccache, cc_uint32 in_lock_type, cc_uint32 in_block)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_lock(): Lock a ccache. +-

+-

Parameters:
+- +- +- +- +-
io_ccache the ccache object for the ccache you wish to lock.
in_lock_type the type of lock to obtain.
in_block whether or not the function should block if the lock cannot be obtained immediately.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-Attempts to acquire an advisory lock for a ccache. Allowed values for lock_type are:

+-

    +-
  • cc_lock_read: a read lock.
  • +-
  • cc_lock_write: a write lock
  • +-
  • cc_lock_upgrade: upgrade an already-obtained read lock to a write lock
  • +-
  • cc_lock_downgrade: downgrade an already-obtained write lock to a read lock
  • +-
+-If block is cc_lock_block, lock() will not return until the lock is acquired. If block is cc_lock_noblock, lock() will return immediately, either acquiring the lock and returning ccNoError, or failing to acquire the lock and returning an error explaining why.

+-To avoid having to deal with differences between thread semantics on different platforms, locks are granted per ccache, rather than per thread or per process. That means that different threads of execution have to acquire separate contexts in order to be able to synchronize with each other.

+-The lock should be unlocked by using cc_ccache_unlock().

+-

Note:
All locks are advisory. For example, callers which do not call cc_ccache_lock() and cc_ccache_unlock() will not be prevented from writing to the ccache when you have a read lock. This is because the CCAPI locking was added after the first release and thus adding mandatory locks would have changed the user experience and performance of existing applications.
+-
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* unlock)(cc_ccache_t io_ccache)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_unlock(): Unlock a ccache. +-

+-

Parameters:
+- +- +-
io_ccache a ccache object.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* get_last_default_time)(cc_ccache_t in_ccache, cc_time_t *out_last_default_time)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_get_change_time(): Get the last time a ccache was the default ccache. +-

+-

Parameters:
+- +- +- +-
in_ccache a cache object.
out_last_default_time on exit, the last time the ccache was default.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-This function returns the last time when the ccache was made the default ccache. This allows clients to sort the ccaches by how recently they were default, which is useful for user listing of ccaches. If the ccache was never default, ccErrNeverDefault is returned.
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* get_change_time)(cc_ccache_t in_ccache, cc_time_t *out_change_time)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_get_change_time(): Get the last time a ccache changed. +-

+-

Parameters:
+- +- +- +-
in_ccache a cache object.
out_change_time on exit, the last time the ccache changed.
+-
+-
Returns:
On success, ccNoError. If the ccache was never the default ccache, ccErrNeverDefault. Otherwise, an error code representing the failure.
+-This function returns the time of the most recent change made to a ccache. By maintaining a local copy the caller can deduce whether or not the ccache has been modified since the previous call to cc_ccache_get_change_time().

+-The time returned by cc_ccache_get_change_time() increases whenever:

+-

    +-
  • a credential is stored
  • +-
  • a credential is removed
  • +-
  • a ccache principal is changed
  • +-
  • the ccache becomes the default ccache
  • +-
  • the ccache is no longer the default ccache
  • +-
+-
Note:
In order to be able to compare two values returned by cc_ccache_get_change_time(), the caller must use the same ccache object to acquire them. Callers should maintain a single ccache object in memory for cc_ccache_get_change_time() calls rather than creating a new ccache object for every call.
+-
See also:
wait_for_change
+-
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* compare)(cc_ccache_t in_ccache, cc_ccache_t in_compare_to_ccache, cc_uint32 *out_equal)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_compare(): Compare two ccache objects. +-

+-

Parameters:
+- +- +- +- +-
in_ccache a ccache object.
in_compare_to_ccache a ccache object to compare with in_ccache.
out_equal on exit, whether or not the two ccaches refer to the same ccache.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* get_kdc_time_offset)(cc_ccache_t in_ccache, cc_uint32 in_credentials_version, cc_time_t *out_time_offset)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_get_kdc_time_offset(): Get the KDC time offset for credentials in a ccache. +-

+-

Parameters:
+- +- +- +- +-
in_ccache a ccache object.
in_credentials_version the credentials version to get the time offset for.
out_time_offset on exit, the KDC time offset for in_ccache for credentials version in_credentials_version.
+-
+-
Returns:
On success, ccNoError if a time offset was obtained or ccErrTimeOffsetNotSet if a time offset has not been set. On failure, an error code representing the failure.
+-
See also:
set_kdc_time_offset, clear_kdc_time_offset
+-Sometimes the KDC and client's clocks get out of sync. cc_ccache_get_kdc_time_offset() returns the difference between the KDC and client's clocks at the time credentials were acquired. This offset allows callers to figure out how much time is left on a given credential even though the end_time is based on the KDC's clock not the client's clock.
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* set_kdc_time_offset)(cc_ccache_t io_ccache, cc_uint32 in_credentials_version, cc_time_t in_time_offset)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_set_kdc_time_offset(): Set the KDC time offset for credentials in a ccache. +-

+-

Parameters:
+- +- +- +- +-
in_ccache a ccache object.
in_credentials_version the credentials version to get the time offset for.
in_time_offset the new KDC time offset for in_ccache for credentials version in_credentials_version.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-
See also:
get_kdc_time_offset, clear_kdc_time_offset
+-Sometimes the KDC and client's clocks get out of sync. cc_ccache_set_kdc_time_offset() sets the difference between the KDC and client's clocks at the time credentials were acquired. This offset allows callers to figure out how much time is left on a given credential even though the end_time is based on the KDC's clock not the client's clock.
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* clear_kdc_time_offset)(cc_ccache_t io_ccache, cc_uint32 in_credentials_version)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_clear_kdc_time_offset(): Clear the KDC time offset for credentials in a ccache. +-

+-

Parameters:
+- +- +- +-
in_ccache a ccache object.
in_credentials_version the credentials version to get the time offset for.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-
See also:
get_kdc_time_offset, set_kdc_time_offset
+-Sometimes the KDC and client's clocks get out of sync. cc_ccache_clear_kdc_time_offset() clears the difference between the KDC and client's clocks at the time credentials were acquired. This offset allows callers to figure out how much time is left on a given credential even though the end_time is based on the KDC's clock not the client's clock.
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* wait_for_change)(cc_ccache_t in_ccache)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_wait_for_change(): Wait for the next change to a ccache. +-

+-

Parameters:
+- +- +-
in_ccache a ccache object.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-This function blocks until the next change is made to the ccache referenced by in_ccache. By repeatedly calling cc_ccache_wait_for_change() from a worker thread the caller can effectively receive callbacks whenever the ccache changes. This is considerably more efficient than polling with cc_ccache_get_change_time().

+-cc_ccache_wait_for_change() will return whenever:

+-

    +-
  • a credential is stored
  • +-
  • a credential is removed
  • +-
  • the ccache principal is changed
  • +-
  • the ccache becomes the default ccache
  • +-
  • the ccache is no longer the default ccache
  • +-
+-
Note:
In order to make sure that the caller doesn't miss any changes, cc_ccache_wait_for_change() always returns immediately after the first time it is called on a new ccache object. Callers must use the same ccache object for successive calls to cc_ccache_wait_for_change() rather than creating a new ccache object for every call.
+-
See also:
get_change_time
+-
+-


Generated on Tue Oct 2 17:16:05 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/structcc__ccache__iterator__d.html b/doc/ccapi/html/structcc__ccache__iterator__d.html +deleted file mode 100644 +index 5e85ee2da..000000000 +--- a/doc/ccapi/html/structcc__ccache__iterator__d.html ++++ /dev/null +@@ -1,43 +0,0 @@ +- +- +-Credentials Cache API : cc_ccache_iterator_d Struct Reference +- +- +- +- +-

cc_ccache_iterator_d Struct Reference
+- +-[cc_ccache_iterator_t Overview] +-

Data Fields

+- +-

Field Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
const cc_ccache_iterator_f* functions
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-


Generated on Tue Oct 2 17:16:05 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/structcc__ccache__iterator__f.html b/doc/ccapi/html/structcc__ccache__iterator__f.html +deleted file mode 100644 +index 333aab8f4..000000000 +--- a/doc/ccapi/html/structcc__ccache__iterator__f.html ++++ /dev/null +@@ -1,117 +0,0 @@ +- +- +-Credentials Cache API : cc_ccache_iterator_f Struct Reference +- +- +- +- +-

cc_ccache_iterator_f Struct Reference


Detailed Description

+-Function pointer table for cc_ccache_iterator_t. For more information see cc_ccache_iterator_t Overview. +-

+-

Data Fields

+- +-

Field Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* release)(cc_ccache_iterator_t io_ccache_iterator)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_iterator_release(): Release memory associated with a cc_ccache_iterator_t object. +-

+-

Parameters:
+- +- +-
io_ccache_iterator the ccache iterator object to release.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* next)(cc_ccache_iterator_t in_ccache_iterator, cc_ccache_t *out_ccache)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_iterator_next(): Get the next ccache in the cache collection. +-

+-

Parameters:
+- +- +- +-
in_ccache_iterator a ccache iterator object.
out_ccache on exit, the next ccache in the cache collection.
+-
+-
Returns:
On success, ccNoError if the next ccache in the cache collection was obtained or ccIteratorEnd if there are no more ccaches. On failure, an error code representing the failure.
+-
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* clone)(cc_ccache_iterator_t in_ccache_iterator, cc_ccache_iterator_t *out_ccache_iterator)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_ccache_iterator_clone(): Make a copy of a ccache iterator. +-

+-

Parameters:
+- +- +- +-
in_ccache_iterator a ccache iterator object.
out_ccache_iterator on exit, a copy of in_ccache_iterator.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-
+-


Generated on Tue Oct 2 17:16:05 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/structcc__context__d.html b/doc/ccapi/html/structcc__context__d.html +deleted file mode 100644 +index d3904a2a1..000000000 +--- a/doc/ccapi/html/structcc__context__d.html ++++ /dev/null +@@ -1,43 +0,0 @@ +- +- +-Credentials Cache API : cc_context_d Struct Reference +- +- +- +- +-

cc_context_d Struct Reference
+- +-[cc_context_t Overview] +-

Data Fields

+- +-

Field Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
const cc_context_f* functions
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-


Generated on Tue Oct 2 17:16:05 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/structcc__context__f.html b/doc/ccapi/html/structcc__context__f.html +deleted file mode 100644 +index fe310518a..000000000 +--- a/doc/ccapi/html/structcc__context__f.html ++++ /dev/null +@@ -1,513 +0,0 @@ +- +- +-Credentials Cache API : cc_context_f Struct Reference +- +- +- +- +-

cc_context_f Struct Reference


Detailed Description

+-Function pointer table for cc_context_t. For more information see cc_context_t Overview. +-

+-

Data Fields

+- +-

Field Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* release)(cc_context_t io_context)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_context_release(): Release memory associated with a cc_context_t. +-

+-

Parameters:
+- +- +-
io_context the context object to free.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* get_change_time)(cc_context_t in_context, cc_time_t *out_time)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_context_get_change_time(): Get the last time the cache collection changed. +-

+-

Parameters:
+- +- +- +-
in_context the context object for the cache collection to examine.
out_time on exit, the time of the most recent change for the entire ccache collection.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-This function returns the time of the most recent change for the entire ccache collection. By maintaining a local copy the caller can deduce whether or not the ccache collection has been modified since the previous call to cc_context_get_change_time().

+-The time returned by cc_context_get_changed_time() increases whenever:

+-

    +-
  • a ccache is created
  • +-
  • a ccache is destroyed
  • +-
  • a credential is stored
  • +-
  • a credential is removed
  • +-
  • a ccache principal is changed
  • +-
  • the default ccache is changed
  • +-
+-
Note:
In order to be able to compare two values returned by cc_context_get_change_time(), the caller must use the same context to acquire them. Callers should maintain a single context in memory for cc_context_get_change_time() calls rather than creating a new context for every call.
+-
See also:
wait_for_change
+-
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* get_default_ccache_name)(cc_context_t in_context, cc_string_t *out_name)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_context_get_default_ccache_name(): Get the name of the default ccache. +-

+-

Parameters:
+- +- +- +-
in_context the context object for the cache collection.
out_name on exit, the name of the default ccache.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-This function returns the name of the default ccache. When the default ccache exists, its name is returned. If there are no ccaches in the collection, and thus there is no default ccache, the name that the default ccache should have is returned. The ccache with that name will be used as the default ccache by all processes which initialized Kerberos libraries before the ccache was created.

+-If there is no default ccache, and the client is creating a new ccache, it should be created with the default name. If there already is a default ccache, and the client wants to create a new ccache (as opposed to reusing an existing ccache), it should be created with any unique name; create_new_ccache() can be used to accomplish that more easily.

+-If the first ccache is created with a name other than the default name, then the processes already running will not notice the credentials stored in the new ccache, which is normally undesirable.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* open_ccache)(cc_context_t in_context, const char *in_name, cc_ccache_t *out_ccache)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_context_open_ccache(): Open a ccache. +-

+-

Parameters:
+- +- +- +- +-
in_context the context object for the cache collection.
in_name the name of the ccache to open.
out_ccache on exit, a ccache object for the ccache
+-
+-
Returns:
On success, ccNoError. If no ccache named in_name exists, ccErrCCacheNotFound. On failure, an error code representing the failure.
+-Opens an already existing ccache identified by its name. It returns a reference to the ccache in out_ccache.

+-The list of all ccache names, principals, and credentials versions may be retrieved by calling cc_context_new_cache_iterator(), cc_ccache_get_name(), cc_ccache_get_principal(), and cc_ccache_get_cred_version().

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* open_default_ccache)(cc_context_t in_context, cc_ccache_t *out_ccache)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_context_open_default_ccache(): Open the default ccache. +-

+-

Parameters:
+- +- +- +-
in_context the context object for the cache collection.
out_ccache on exit, a ccache object for the default ccache
+-
+-
Returns:
On success, ccNoError. If no default ccache exists, ccErrCCacheNotFound. On failure, an error code representing the failure.
+-Opens the default ccache. It returns a reference to the ccache in *ccache.

+-This function performs the same function as calling cc_context_get_default_ccache_name followed by cc_context_open_ccache, but it performs it atomically.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* create_ccache)(cc_context_t in_context, const char *in_name, cc_uint32 in_cred_vers, const char *in_principal, cc_ccache_t *out_ccache)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_context_create_ccache(): Create a new ccache. +-

+-

Parameters:
+- +- +- +- +- +- +-
in_context the context object for the cache collection.
in_name the name of the new ccache to create
in_cred_vers the version of the credentials the new ccache will hold
in_principal the client principal of the credentials the new ccache will hold
out_ccache on exit, a ccache object for the newly created ccache
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-Create a new credentials cache. The ccache is uniquely identified by its name. The principal given is also associated with the ccache and the credentials version specified. A NULL name is not allowed (and ccErrBadName is returned if one is passed in). Only cc_credentials_v4 and cc_credentials_v5 are valid input values for cred_vers. If you want to create a new ccache that will hold both versions of credentials, call cc_context_create_ccache() with one version, and then cc_ccache_set_principal() with the other version.

+-If you want to create a new ccache (with a unique name), you should use cc_context_create_new_ccache() instead. If you want to create or reinitialize the default cache, you should use cc_context_create_default_ccache().

+-If name is non-NULL and there is already a ccache named name:

+-

    +-
  • the credentials in the ccache whose version is cred_vers are removed
  • +-
  • the principal (of the existing ccache) associated with cred_vers is set to principal
  • +-
  • a handle for the existing ccache is returned and all existing handles for the ccache remain valid
  • +-
+-If no ccache named name already exists:

+-

    +-
  • a new empty ccache is created
  • +-
  • the principal of the new ccache associated with cred_vers is set to principal
  • +-
  • a handle for the new ccache is returned
  • +-
+-For a new ccache, the name should be any unique string. The name is not intended to be presented to users.

+-If the created ccache is the first ccache in the collection, it is made the default ccache. Note that normally it is undesirable to create the first ccache with a name different from the default ccache name (as returned by cc_context_get_default_ccache_name()); see the description of cc_context_get_default_ccache_name() for details.

+-The principal should be a C string containing an unparsed Kerberos principal in the format of the appropriate Kerberos version, i.e.

foo.bar/@BAZ 
+-      * 
for Kerberos v4 and
foo/bar/@BAZ 
for Kerberos v5.
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* create_default_ccache)(cc_context_t in_context, cc_uint32 in_cred_vers, const char *in_principal, cc_ccache_t *out_ccache)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_context_create_default_ccache(): Create a new default ccache. +-

+-

Parameters:
+- +- +- +- +- +-
in_context the context object for the cache collection.
in_cred_vers the version of the credentials the new default ccache will hold
in_principal the client principal of the credentials the new default ccache will hold
out_ccache on exit, a ccache object for the newly created default ccache
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-Create the default credentials cache. The behavior of this function is similar to that of cc_create_ccache(). If there is a default ccache (which is always the case except when there are no ccaches at all in the collection), it is initialized with the specified credentials version and principal, as per cc_create_ccache(); otherwise, a new ccache is created, and its name is the name returned by cc_context_get_default_ccache_name().
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* create_new_ccache)(cc_context_t in_context, cc_uint32 in_cred_vers, const char *in_principal, cc_ccache_t *out_ccache)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_context_create_new_ccache(): Create a new uniquely named ccache. +-

+-

Parameters:
+- +- +- +- +- +-
in_context the context object for the cache collection.
in_cred_vers the version of the credentials the new ccache will hold
in_principal the client principal of the credentials the new ccache will hold
out_ccache on exit, a ccache object for the newly created ccache
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-Create a new unique credentials cache. The behavior of this function is similar to that of cc_create_ccache(). If there are no ccaches, and therefore no default ccache, the new ccache is created with the default ccache name as would be returned by get_default_ccache_name(). If there are some ccaches, and therefore there is a default ccache, the new ccache is created with a new unique name. Clearly, this function never reinitializes a ccache, since it always uses a unique name.
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* new_ccache_iterator)(cc_context_t in_context, cc_ccache_iterator_t *out_iterator)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_context_new_ccache_iterator(): Get an iterator for the cache collection. +-

+-

Parameters:
+- +- +- +-
in_context the context object for the cache collection.
out_iterator on exit, a ccache iterator object for the ccache collection.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-Used to allocate memory and initialize iterator. Successive calls to iterator's next() function will return ccaches in the collection.

+-If changes are made to the collection while an iterator is being used on it, the iterator must return at least the intersection, and at most the union, of the set of ccaches that were present when the iteration began and the set of ccaches that are present when it ends.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* lock)(cc_context_t in_context, cc_uint32 in_lock_type, cc_uint32 in_block)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_context_lock(): Lock the cache collection. +-

+-

Parameters:
+- +- +- +- +-
in_context the context object for the cache collection.
in_lock_type the type of lock to obtain.
in_block whether or not the function should block if the lock cannot be obtained immediately.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-Attempts to acquire an advisory lock for the ccache collection. Allowed values for lock_type are:

+-

    +-
  • cc_lock_read: a read lock.
  • +-
  • cc_lock_write: a write lock
  • +-
  • cc_lock_upgrade: upgrade an already-obtained read lock to a write lock
  • +-
  • cc_lock_downgrade: downgrade an already-obtained write lock to a read lock
  • +-
+-If block is cc_lock_block, lock() will not return until the lock is acquired. If block is cc_lock_noblock, lock() will return immediately, either acquiring the lock and returning ccNoError, or failing to acquire the lock and returning an error explaining why.

+-Locks apply only to the list of ccaches, not the contents of those ccaches. To prevent callers participating in the advisory locking from changing the credentials in a cache you must also lock that ccache with cc_ccache_lock(). This is so that you can get the list of ccaches without preventing applications from simultaneously obtaining service tickets.

+-To avoid having to deal with differences between thread semantics on different platforms, locks are granted per context, rather than per thread or per process. That means that different threads of execution have to acquire separate contexts in order to be able to synchronize with each other.

+-The lock should be unlocked by using cc_context_unlock().

+-

Note:
All locks are advisory. For example, callers which do not call cc_context_lock() and cc_context_unlock() will not be prevented from writing to the cache collection when you have a read lock. This is because the CCAPI locking was added after the first release and thus adding mandatory locks would have changed the user experience and performance of existing applications.
+-
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* unlock)(cc_context_t in_cc_context)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_context_unlock(): Unlock the cache collection. +-

+-

Parameters:
+- +- +-
in_context the context object for the cache collection.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* compare)(cc_context_t in_cc_context, cc_context_t in_compare_to_context, cc_uint32 *out_equal)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_context_compare(): Compare two context objects. +-

+-

Parameters:
+- +- +- +- +-
in_context a context object.
in_compare_to_context a context object to compare with in_context.
out_equal on exit, whether or not the two contexts refer to the same cache collection.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* wait_for_change)(cc_context_t in_cc_context)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_context_wait_for_change(): Wait for the next change in the cache collection. +-

+-

Parameters:
+- +- +-
in_context a context object.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-This function blocks until the next change is made to the cache collection ccache collection. By repeatedly calling cc_context_wait_for_change() from a worker thread the caller can effectively receive callbacks whenever the cache collection changes. This is considerably more efficient than polling with cc_context_get_change_time().

+-cc_context_wait_for_change() will return whenever:

+-

    +-
  • a ccache is created
  • +-
  • a ccache is destroyed
  • +-
  • a credential is stored
  • +-
  • a credential is removed
  • +-
  • a ccache principal is changed
  • +-
  • the default ccache is changed
  • +-
+-
Note:
In order to make sure that the caller doesn't miss any changes, cc_context_wait_for_change() always returns immediately after the first time it is called on a new context object. Callers must use the same context object for successive calls to cc_context_wait_for_change() rather than creating a new context for every call.
+-
See also:
get_change_time
+-
+-


Generated on Tue Oct 2 17:16:05 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/structcc__credentials__d.html b/doc/ccapi/html/structcc__credentials__d.html +deleted file mode 100644 +index 8a13251e5..000000000 +--- a/doc/ccapi/html/structcc__credentials__d.html ++++ /dev/null +@@ -1,67 +0,0 @@ +- +- +-Credentials Cache API : cc_credentials_d Struct Reference +- +- +- +- +-

cc_credentials_d Struct Reference
+- +-[cc_credentials_t Overview] +-

Data Fields

+- +-

Field Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
const cc_credentials_union* data
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
const cc_credentials_f* functions
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/structcc__credentials__f.html b/doc/ccapi/html/structcc__credentials__f.html +deleted file mode 100644 +index 91f4b3adb..000000000 +--- a/doc/ccapi/html/structcc__credentials__f.html ++++ /dev/null +@@ -1,85 +0,0 @@ +- +- +-Credentials Cache API : cc_credentials_f Struct Reference +- +- +- +- +-

cc_credentials_f Struct Reference


Detailed Description

+-Function pointer table for cc_credentials_t. For more information see cc_credentials_t Overview. +-

+-

Data Fields

+- +-

Field Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* release)(cc_credentials_t io_credentials)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_credentials_release(): Release memory associated with a cc_credentials_t object. +-

+-

Parameters:
+- +- +-
io_credentials the credentials object to release.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* compare)(cc_credentials_t in_credentials, cc_credentials_t in_compare_to_credentials, cc_uint32 *out_equal)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_credentials_compare(): Compare two credentials objects. +-

+-

Parameters:
+- +- +- +- +-
in_credentials a credentials object.
in_compare_to_credentials a credentials object to compare with in_credentials.
out_equal on exit, whether or not the two credentials objects refer to the same credentials in the cache collection.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-
+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/structcc__credentials__iterator__d.html b/doc/ccapi/html/structcc__credentials__iterator__d.html +deleted file mode 100644 +index 5682db0ed..000000000 +--- a/doc/ccapi/html/structcc__credentials__iterator__d.html ++++ /dev/null +@@ -1,43 +0,0 @@ +- +- +-Credentials Cache API : cc_credentials_iterator_d Struct Reference +- +- +- +- +-

cc_credentials_iterator_d Struct Reference
+- +-[cc_credentials_iterator_t] +-

Data Fields

+- +-

Field Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
const cc_credentials_iterator_f* functions
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/structcc__credentials__iterator__f.html b/doc/ccapi/html/structcc__credentials__iterator__f.html +deleted file mode 100644 +index 66aec178a..000000000 +--- a/doc/ccapi/html/structcc__credentials__iterator__f.html ++++ /dev/null +@@ -1,85 +0,0 @@ +- +- +-Credentials Cache API : cc_credentials_iterator_f Struct Reference +- +- +- +- +-

cc_credentials_iterator_f Struct Reference


Detailed Description

+-Function pointer table for cc_credentials_iterator_t. For more information see cc_credentials_iterator_t. +-

+-

Data Fields

+- +-

Field Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* release)(cc_credentials_iterator_t io_credentials_iterator)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_credentials_iterator_release(): Release memory associated with a cc_credentials_iterator_t object. +-

+-

Parameters:
+- +- +-
io_credentials_iterator the credentials iterator object to release.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-
+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* next)(cc_credentials_iterator_t in_credentials_iterator, cc_credentials_t *out_credentials)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_credentials_iterator_next(): Get the next credentials in the ccache. +-

+-

Parameters:
+- +- +- +-
in_credentials_iterator a credentials iterator object.
out_credentials on exit, the next credentials in the ccache.
+-
+-
Returns:
On success, ccNoError if the next credential in the ccache was obtained or ccIteratorEnd if there are no more credentials. On failure, an error code representing the failure.
+-
+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/structcc__credentials__union.html b/doc/ccapi/html/structcc__credentials__union.html +deleted file mode 100644 +index 6082346cc..000000000 +--- a/doc/ccapi/html/structcc__credentials__union.html ++++ /dev/null +@@ -1,118 +0,0 @@ +- +- +-Credentials Cache API : cc_credentials_union Struct Reference +- +- +- +- +-

cc_credentials_union Struct Reference
+- +-[cc_credentials_t Overview] +-

Data Fields

+- +-

Field Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
cc_uint32 version
+-
+- +- +- +- +- +-
+-   +- +- +-

+-The credentials version of this credentials object.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_credentials_v4_t* credentials_v4
+-
+- +- +- +- +- +-
+-   +- +- +-

+-If version is cc_credentials_v4, a pointer to a cc_credentials_v4_t.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_credentials_v5_t* credentials_v5
+-
+- +- +- +- +- +-
+-   +- +- +-

+-If version is cc_credentials_v5, a pointer to a cc_credentials_v5_t.

+-

+- +- +- +- +-
+- +- +- +- +-
union { ... } credentials
+-
+- +- +- +- +- +-
+-   +- +- +-

+-The credentials.

+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/structcc__credentials__v4__t.html b/doc/ccapi/html/structcc__credentials__v4__t.html +deleted file mode 100644 +index 086e7fea7..000000000 +--- a/doc/ccapi/html/structcc__credentials__v4__t.html ++++ /dev/null +@@ -1,358 +0,0 @@ +- +- +-Credentials Cache API : cc_credentials_v4_t Struct Reference +- +- +- +- +-

cc_credentials_v4_t Struct Reference
+- +-[cc_credentials_t Overview] +-


Detailed Description

+-If a cc_credentials_t variable is used to store Kerberos v4 credentials, then credentials.credentials_v4 points to a v4 credentials structure. This structure is similar to a krb4 API CREDENTIALS structure. +-

+-

Data Fields

+- +-

Field Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
cc_uint32 version
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
char principal[cc_v4_name_size]
+-
+- +- +- +- +- +-
+-   +- +- +-

+-A properly quoted string representation of the first component of the client principal

+-

+- +- +- +- +-
+- +- +- +- +-
char principal_instance[cc_v4_instance_size]
+-
+- +- +- +- +- +-
+-   +- +- +-

+-A properly quoted string representation of the second component of the client principal

+-

+- +- +- +- +-
+- +- +- +- +-
char service[cc_v4_name_size]
+-
+- +- +- +- +- +-
+-   +- +- +-

+-A properly quoted string representation of the first component of the service principal

+-

+- +- +- +- +-
+- +- +- +- +-
char service_instance[cc_v4_instance_size]
+-
+- +- +- +- +- +-
+-   +- +- +-

+-A properly quoted string representation of the second component of the service principal

+-

+- +- +- +- +-
+- +- +- +- +-
char realm[cc_v4_realm_size]
+-
+- +- +- +- +- +-
+-   +- +- +-

+-A properly quoted string representation of the realm

+-

+- +- +- +- +-
+- +- +- +- +-
unsigned char session_key[cc_v4_key_size]
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Ticket session key

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32 kvno
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Key version number

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32 string_to_key_type
+-
+- +- +- +- +- +-
+-   +- +- +-

+-String to key type used. See cc_string_to_key_type for valid values

+-

+- +- +- +- +-
+- +- +- +- +-
cc_time_t issue_date
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Time when the ticket was issued

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32 lifetime
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Ticket lifetime in 5 minute units

+-

+- +- +- +- +-
+- +- +- +- +-
cc_uint32 address
+-
+- +- +- +- +- +-
+-   +- +- +-

+-IPv4 address of the client the ticket was issued for

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32 ticket_size
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Ticket size (no greater than cc_v4_ticket_size)

+-

+- +- +- +- +-
+- +- +- +- +-
unsigned char ticket[cc_v4_ticket_size]
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Ticket data

+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/structcc__credentials__v5__t.html b/doc/ccapi/html/structcc__credentials__v5__t.html +deleted file mode 100644 +index ad0996281..000000000 +--- a/doc/ccapi/html/structcc__credentials__v5__t.html ++++ /dev/null +@@ -1,334 +0,0 @@ +- +- +-Credentials Cache API : cc_credentials_v5_t Struct Reference +- +- +- +- +-

cc_credentials_v5_t Struct Reference
+- +-[cc_credentials_t Overview] +-


Detailed Description

+-If a cc_credentials_t variable is used to store Kerberos v5 c redentials, and then credentials.credentials_v5 points to a v5 credentials structure. This structure is similar to a krb5_creds structure. +-

+-

Data Fields

+- +-

Field Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
char* client
+-
+- +- +- +- +- +-
+-   +- +- +-

+-A properly quoted string representation of the client principal.

+-

+- +- +- +- +-
+- +- +- +- +-
char* server
+-
+- +- +- +- +- +-
+-   +- +- +-

+-A properly quoted string representation of the service principal.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_data keyblock
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Session encryption key info.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_time_t authtime
+-
+- +- +- +- +- +-
+-   +- +- +-

+-The time when the ticket was issued.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_time_t starttime
+-
+- +- +- +- +- +-
+-   +- +- +-

+-The time when the ticket becomes valid.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_time_t endtime
+-
+- +- +- +- +- +-
+-   +- +- +-

+-The time when the ticket expires.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_time_t renew_till
+-
+- +- +- +- +- +-
+-   +- +- +-

+-The time when the ticket becomes no longer renewable (if renewable).

+-

+- +- +- +- +-
+- +- +- +- +-
cc_uint32 is_skey
+-
+- +- +- +- +- +-
+-   +- +- +-

+-1 if the ticket is encrypted in another ticket's key, or 0 otherwise.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_uint32 ticket_flags
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Ticket flags, as defined by the Kerberos 5 API.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_data** addresses
+-
+- +- +- +- +- +-
+-   +- +- +-

+-The the list of network addresses of hosts that are allowed to authenticate using this ticket.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_data ticket
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Ticket data.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_data second_ticket
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Second ticket data.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_data** authdata
+-
+- +- +- +- +- +-
+-   +- +- +-

+-Authorization data.

+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/structcc__data.html b/doc/ccapi/html/structcc__data.html +deleted file mode 100644 +index 346f6a41d..000000000 +--- a/doc/ccapi/html/structcc__data.html ++++ /dev/null +@@ -1,94 +0,0 @@ +- +- +-Credentials Cache API : cc_data Struct Reference +- +- +- +- +-

cc_data Struct Reference
+- +-[cc_credentials_t Overview] +-


Detailed Description

+-The CCAPI data structure. This structure is similar to a krb5_data structure. In a v5 credentials structure, cc_data structures are used to store tagged variable-length binary data. Specifically, for cc_credentials_v5.ticket and cc_credentials_v5.second_ticket, the cc_data.type field must be zero. For the cc_credentials_v5.addresses, cc_credentials_v5.authdata, and cc_credentials_v5.keyblock, the cc_data.type field should be the address type, authorization data type, and encryption type, as defined by the Kerberos v5 protocol definition. +-

+-

Data Fields

+- +-

Field Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
cc_uint32 type
+-
+- +- +- +- +- +-
+-   +- +- +-

+-The type of the data as defined by the krb5_data structure.

+-

+- +- +- +- +-
+- +- +- +- +-
cc_uint32 length
+-
+- +- +- +- +- +-
+-   +- +- +-

+-The length of data.

+-

+- +- +- +- +-
+- +- +- +- +-
void* data
+-
+- +- +- +- +- +-
+-   +- +- +-

+-The data buffer.

+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/structcc__string__d.html b/doc/ccapi/html/structcc__string__d.html +deleted file mode 100644 +index b38286b3e..000000000 +--- a/doc/ccapi/html/structcc__string__d.html ++++ /dev/null +@@ -1,67 +0,0 @@ +- +- +-Credentials Cache API : cc_string_d Struct Reference +- +- +- +- +-

cc_string_d Struct Reference
+- +-[cc_string_t Overview] +-

Data Fields

+- +-

Field Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
const char* data
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-

+- +- +- +- +-
+- +- +- +- +-
const cc_string_f* functions
+-
+- +- +- +- +- +-
+-   +- +- +-

+-

+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- +diff --git a/doc/ccapi/html/structcc__string__f.html b/doc/ccapi/html/structcc__string__f.html +deleted file mode 100644 +index d5f738f49..000000000 +--- a/doc/ccapi/html/structcc__string__f.html ++++ /dev/null +@@ -1,51 +0,0 @@ +- +- +-Credentials Cache API : cc_string_f Struct Reference +- +- +- +- +-

cc_string_f Struct Reference


Detailed Description

+-Function pointer table for cc_string_t. For more information see cc_string_t Overview. +-

+-

Data Fields

+- +-

Field Documentation

+-

+- +- +- +- +-
+- +- +- +- +-
cc_int32(* release)(cc_string_t io_string)
+-
+- +- +- +- +- +-
+-   +- +- +-

+-cc_string_release(): Release memory associated with a cc_string_t object. +-

+-

Parameters:
+- +- +-
io_string the string object to release.
+-
+-
Returns:
On success, ccNoError. On failure, an error code representing the failure.
+-
+-


Generated on Tue Oct 2 17:16:06 2007 for Credentials Cache API by  +- +-doxygen 1.4.6
+- +- diff --git a/Remove-kadmin-RPC-support-for-setting-v4-key.patch b/Remove-kadmin-RPC-support-for-setting-v4-key.patch new file mode 100644 index 0000000..17d63c5 --- /dev/null +++ b/Remove-kadmin-RPC-support-for-setting-v4-key.patch 
@@ -0,0 +1,466 @@ +From a2fc99321c797c1534f6314d17560c622ec93418 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Thu, 4 Apr 2019 16:14:46 -0400 +Subject: [PATCH] Remove kadmin RPC support for setting v4 key + +ticket: 8794 (new) +(cherry picked from commit 752187a441ed0f301f1a8adb1fea843080ac8c97) +--- + src/kadmin/server/kadm_rpc_svc.c | 7 -- + src/kadmin/server/ovsec_kadmd.c | 2 +- + src/kadmin/server/server_stubs.c | 50 --------- + src/lib/kadm5/admin.h | 3 - + src/lib/kadm5/admin_xdr.h | 1 - + src/lib/kadm5/clnt/Makefile.in | 2 +- + src/lib/kadm5/clnt/client_principal.c | 22 ---- + src/lib/kadm5/clnt/client_rpc.c | 8 -- + src/lib/kadm5/clnt/libkadm5clnt_mit.exports | 2 - + src/lib/kadm5/kadm_rpc.h | 16 +-- + src/lib/kadm5/kadm_rpc_xdr.c | 19 ---- + src/lib/kadm5/srv/Makefile.in | 2 +- + src/lib/kadm5/srv/libkadm5srv_mit.exports | 2 - + src/lib/kadm5/srv/svr_principal.c | 118 -------------------- + 14 files changed, 6 insertions(+), 248 deletions(-) + +diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c +index 41fc88ac8..d343e2c25 100644 +--- a/src/kadmin/server/kadm_rpc_svc.c ++++ b/src/kadmin/server/kadm_rpc_svc.c +@@ -53,7 +53,6 @@ void kadm_1(rqstp, transp) + mpol_arg modify_policy_2_arg; + gpol_arg get_policy_2_arg; + setkey_arg setkey_principal_2_arg; +- setv4key_arg setv4key_principal_2_arg; + cprinc3_arg create_principal3_2_arg; + chpass3_arg chpass_principal3_2_arg; + chrand3_arg chrand_principal3_2_arg; +@@ -134,12 +133,6 @@ void kadm_1(rqstp, transp) + local = (bool_t (*)()) chpass_principal_2_svc; + break; + +- case SETV4KEY_PRINCIPAL: +- xdr_argument = xdr_setv4key_arg; +- xdr_result = xdr_generic_ret; +- local = (bool_t (*)()) setv4key_principal_2_svc; +- break; +- + case SETKEY_PRINCIPAL: + xdr_argument = xdr_setkey_arg; + xdr_result = xdr_generic_ret; +diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c +index 6a6b21401..3737791b6 100644 +--- a/src/kadmin/server/ovsec_kadmd.c ++++ 
b/src/kadmin/server/ovsec_kadmd.c +@@ -227,7 +227,7 @@ log_badverf(gss_name_t client_name, gss_name_t server_name, + {14, "GET_PRINCS"}, + {15, "GET_POLS"}, + {16, "SETKEY_PRINCIPAL"}, +- {17, "SETV4KEY_PRINCIPAL"}, ++ /* 17 was "SETV4KEY_PRINCIPAL" */ + {18, "CREATE_PRINCIPAL3"}, + {19, "CHPASS_PRINCIPAL3"}, + {20, "CHRAND_PRINCIPAL3"}, +diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c +index cfef97fec..d5a25e502 100644 +--- a/src/kadmin/server/server_stubs.c ++++ b/src/kadmin/server/server_stubs.c +@@ -893,56 +893,6 @@ exit_func: + return TRUE; + } + +-bool_t +-setv4key_principal_2_svc(setv4key_arg *arg, generic_ret *ret, +- struct svc_req *rqstp) +-{ +- char *prime_arg = NULL; +- gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; +- gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; +- kadm5_server_handle_t handle; +- const char *errmsg = NULL; +- +- ret->code = stub_setup(arg->api_version, rqstp, arg->princ, &handle, +- &ret->api_version, &client_name, &service_name, +- &prime_arg); +- if (ret->code) +- goto exit_func; +- +- ret->code = check_lockdown_keys(handle, arg->princ); +- if (ret->code != KADM5_OK) { +- if (ret->code == KADM5_PROTECT_KEYS) { +- log_unauth("kadm5_setv4key_principal", prime_arg, &client_name, +- &service_name, rqstp); +- ret->code = KADM5_AUTH_SETKEY; +- } +- } else if (!(CHANGEPW_SERVICE(rqstp)) && +- stub_auth(handle, OP_SETKEY, arg->princ, NULL, NULL, NULL)) { +- ret->code = kadm5_setv4key_principal(handle, arg->princ, +- arg->keyblock); +- } else { +- log_unauth("kadm5_setv4key_principal", prime_arg, +- &client_name, &service_name, rqstp); +- ret->code = KADM5_AUTH_SETKEY; +- } +- +- if (ret->code != KADM5_AUTH_SETKEY) { +- if (ret->code != 0) +- errmsg = krb5_get_error_message(handle->context, ret->code); +- +- log_done("kadm5_setv4key_principal", prime_arg, errmsg, +- &client_name, &service_name, rqstp); +- +- if (errmsg != NULL) +- krb5_free_error_message(handle->context, errmsg); +- } +- +-exit_func: 
+- stub_cleanup(handle, prime_arg, &client_name, &service_name); +- return TRUE; +-} +- +- + bool_t + setkey_principal_2_svc(setkey_arg *arg, generic_ret *ret, + struct svc_req *rqstp) +diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h +index b765148b3..7268be44e 100644 +--- a/src/lib/kadm5/admin.h ++++ b/src/lib/kadm5/admin.h +@@ -394,9 +394,6 @@ kadm5_ret_t kadm5_randkey_principal_3(void *server_handle, + krb5_key_salt_tuple *ks_tuple, + krb5_keyblock **keyblocks, + int *n_keys); +-kadm5_ret_t kadm5_setv4key_principal(void *server_handle, +- krb5_principal principal, +- krb5_keyblock *keyblock); + + kadm5_ret_t kadm5_setkey_principal(void *server_handle, + krb5_principal principal, +diff --git a/src/lib/kadm5/admin_xdr.h b/src/lib/kadm5/admin_xdr.h +index 2d22611e7..9da98451e 100644 +--- a/src/lib/kadm5/admin_xdr.h ++++ b/src/lib/kadm5/admin_xdr.h +@@ -37,7 +37,6 @@ bool_t xdr_mprinc_arg(XDR *xdrs, mprinc_arg *objp); + bool_t xdr_rprinc_arg(XDR *xdrs, rprinc_arg *objp); + bool_t xdr_chpass_arg(XDR *xdrs, chpass_arg *objp); + bool_t xdr_chpass3_arg(XDR *xdrs, chpass3_arg *objp); +-bool_t xdr_setv4key_arg(XDR *xdrs, setv4key_arg *objp); + bool_t xdr_setkey_arg(XDR *xdrs, setkey_arg *objp); + bool_t xdr_setkey3_arg(XDR *xdrs, setkey3_arg *objp); + bool_t xdr_setkey4_arg(XDR *xdrs, setkey4_arg *objp); +diff --git a/src/lib/kadm5/clnt/Makefile.in b/src/lib/kadm5/clnt/Makefile.in +index a180e85cd..2bc385afe 100644 +--- a/src/lib/kadm5/clnt/Makefile.in ++++ b/src/lib/kadm5/clnt/Makefile.in +@@ -3,7 +3,7 @@ BUILDTOP=$(REL)..$(S)..$(S).. 
+ LOCALINCLUDES = -I$(BUILDTOP)/include/kadm5 + + LIBBASE=kadm5clnt_mit +-LIBMAJOR=11 ++LIBMAJOR=12 + LIBMINOR=0 + STOBJLISTS=../OBJS.ST OBJS.ST + SHLIB_EXPDEPS=\ +diff --git a/src/lib/kadm5/clnt/client_principal.c b/src/lib/kadm5/clnt/client_principal.c +index 18714bf37..96d9d1932 100644 +--- a/src/lib/kadm5/clnt/client_principal.c ++++ b/src/lib/kadm5/clnt/client_principal.c +@@ -273,28 +273,6 @@ kadm5_chpass_principal_3(void *server_handle, + return r.code; + } + +-kadm5_ret_t +-kadm5_setv4key_principal(void *server_handle, +- krb5_principal princ, +- krb5_keyblock *keyblock) +-{ +- setv4key_arg arg; +- generic_ret r = { 0, 0 }; +- kadm5_server_handle_t handle = server_handle; +- +- CHECK_HANDLE(server_handle); +- +- arg.princ = princ; +- arg.keyblock = keyblock; +- arg.api_version = handle->api_version; +- +- if(princ == NULL || keyblock == NULL) +- return EINVAL; +- if (setv4key_principal_2(&arg, &r, handle->clnt)) +- eret(); +- return r.code; +-} +- + kadm5_ret_t + kadm5_setkey_principal(void *server_handle, + krb5_principal princ, +diff --git a/src/lib/kadm5/clnt/client_rpc.c b/src/lib/kadm5/clnt/client_rpc.c +index df5455fd8..d84d158b4 100644 +--- a/src/lib/kadm5/clnt/client_rpc.c ++++ b/src/lib/kadm5/clnt/client_rpc.c +@@ -84,14 +84,6 @@ chpass_principal3_2(chpass3_arg *argp, generic_ret *res, CLIENT *clnt) + (xdrproc_t)xdr_generic_ret, (caddr_t)res, TIMEOUT); + } + +-enum clnt_stat +-setv4key_principal_2(setv4key_arg *argp, generic_ret *res, CLIENT *clnt) +-{ +- return clnt_call(clnt, SETV4KEY_PRINCIPAL, +- (xdrproc_t)xdr_setv4key_arg, (caddr_t)argp, +- (xdrproc_t)xdr_generic_ret, (caddr_t)res, TIMEOUT); +-} +- + enum clnt_stat + setkey_principal_2(setkey_arg *argp, generic_ret *res, CLIENT *clnt) + { +diff --git a/src/lib/kadm5/clnt/libkadm5clnt_mit.exports b/src/lib/kadm5/clnt/libkadm5clnt_mit.exports +index f122b31ab..e41c8e4f7 100644 +--- a/src/lib/kadm5/clnt/libkadm5clnt_mit.exports ++++ b/src/lib/kadm5/clnt/libkadm5clnt_mit.exports +@@ -44,7 +44,6 
@@ kadm5_set_string + kadm5_setkey_principal + kadm5_setkey_principal_3 + kadm5_setkey_principal_4 +-kadm5_setv4key_principal + kadm5_unlock + krb5_aprof_finish + krb5_aprof_get_boolean +@@ -114,6 +113,5 @@ xdr_rprinc_arg + xdr_setkey3_arg + xdr_setkey4_arg + xdr_setkey_arg +-xdr_setv4key_arg + xdr_ui_4 + kadm5_init_iprop +diff --git a/src/lib/kadm5/kadm_rpc.h b/src/lib/kadm5/kadm_rpc.h +index 8d7cf3b36..5099c6c14 100644 +--- a/src/lib/kadm5/kadm_rpc.h ++++ b/src/lib/kadm5/kadm_rpc.h +@@ -82,13 +82,6 @@ struct chpass3_arg { + }; + typedef struct chpass3_arg chpass3_arg; + +-struct setv4key_arg { +- krb5_ui_4 api_version; +- krb5_principal princ; +- krb5_keyblock *keyblock; +-}; +-typedef struct setv4key_arg setv4key_arg; +- + struct setkey_arg { + krb5_ui_4 api_version; + krb5_principal princ; +@@ -322,11 +315,9 @@ extern enum clnt_stat setkey_principal_2(setkey_arg *, generic_ret *, + CLIENT *); + extern bool_t setkey_principal_2_svc(setkey_arg *, generic_ret *, + struct svc_req *); +-#define SETV4KEY_PRINCIPAL 17 +-extern enum clnt_stat setv4key_principal_2(setv4key_arg *, generic_ret *, +- CLIENT *); +-extern bool_t setv4key_principal_2_svc(setv4key_arg *, generic_ret *, +- struct svc_req *); ++ ++/* 17 was SETV4KEY_PRINCIPAL (removed in 1.18). 
*/ ++ + #define CREATE_PRINCIPAL3 18 + extern enum clnt_stat create_principal3_2(cprinc3_arg *, generic_ret *, + CLIENT *); +@@ -380,7 +371,6 @@ extern bool_t xdr_gprincs_arg (); + extern bool_t xdr_gprincs_ret (); + extern bool_t xdr_chpass_arg (); + extern bool_t xdr_chpass3_arg (); +-extern bool_t xdr_setv4key_arg (); + extern bool_t xdr_setkey_arg (); + extern bool_t xdr_setkey3_arg (); + extern bool_t xdr_setkey4_arg (); +diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c +index 2892d4147..745ee857e 100644 +--- a/src/lib/kadm5/kadm_rpc_xdr.c ++++ b/src/lib/kadm5/kadm_rpc_xdr.c +@@ -710,25 +710,6 @@ xdr_chpass3_arg(XDR *xdrs, chpass3_arg *objp) + return (TRUE); + } + +-bool_t +-xdr_setv4key_arg(XDR *xdrs, setv4key_arg *objp) +-{ +- unsigned int n_keys = 1; +- +- if (!xdr_ui_4(xdrs, &objp->api_version)) { +- return (FALSE); +- } +- if (!xdr_krb5_principal(xdrs, &objp->princ)) { +- return (FALSE); +- } +- if (!xdr_array(xdrs, (caddr_t *) &objp->keyblock, +- &n_keys, ~0, +- sizeof(krb5_keyblock), xdr_krb5_keyblock)) { +- return (FALSE); +- } +- return (TRUE); +-} +- + bool_t + xdr_setkey_arg(XDR *xdrs, setkey_arg *objp) + { +diff --git a/src/lib/kadm5/srv/Makefile.in b/src/lib/kadm5/srv/Makefile.in +index 617d65666..89e6097cf 100644 +--- a/src/lib/kadm5/srv/Makefile.in ++++ b/src/lib/kadm5/srv/Makefile.in +@@ -9,7 +9,7 @@ DEFINES = @HESIOD_DEFS@ + ##DOSLIBNAME = libkadm5srv.lib + + LIBBASE=kadm5srv_mit +-LIBMAJOR=11 ++LIBMAJOR=12 + LIBMINOR=0 + STOBJLISTS=../OBJS.ST OBJS.ST + +diff --git a/src/lib/kadm5/srv/libkadm5srv_mit.exports b/src/lib/kadm5/srv/libkadm5srv_mit.exports +index 64ad5dd69..e3c04e690 100644 +--- a/src/lib/kadm5/srv/libkadm5srv_mit.exports ++++ b/src/lib/kadm5/srv/libkadm5srv_mit.exports +@@ -45,7 +45,6 @@ kadm5_set_string + kadm5_setkey_principal + kadm5_setkey_principal_3 + kadm5_setkey_principal_4 +-kadm5_setv4key_principal + kadm5_unlock + kdb_delete_entry + kdb_free_entry +@@ -133,7 +132,6 @@ xdr_rprinc_arg + 
xdr_setkey3_arg + xdr_setkey4_arg + xdr_setkey_arg +-xdr_setv4key_arg + xdr_sstring_arg + xdr_ui_4 + kadm5_init_iprop +diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c +index 9ab2c5a74..48cac0c11 100644 +--- a/src/lib/kadm5/srv/svr_principal.c ++++ b/src/lib/kadm5/srv/svr_principal.c +@@ -1645,124 +1645,6 @@ done: + return ret; + } + +-/* +- * kadm5_setv4key_principal: +- * +- * Set only ONE key of the principal, removing all others. This key +- * must have the DES_CBC_CRC enctype and is entered as having the +- * krb4 salttype. This is to enable things like kadmind4 to work. +- */ +-kadm5_ret_t +-kadm5_setv4key_principal(void *server_handle, +- krb5_principal principal, +- krb5_keyblock *keyblock) +-{ +- krb5_db_entry *kdb; +- osa_princ_ent_rec adb; +- krb5_timestamp now; +- kadm5_policy_ent_rec pol; +- krb5_keysalt keysalt; +- int i, kvno, ret; +- krb5_boolean have_pol = FALSE; +- kadm5_server_handle_t handle = server_handle; +- krb5_key_data tmp_key_data; +- krb5_keyblock *act_mkey; +- +- memset( &tmp_key_data, 0, sizeof(tmp_key_data)); +- +- CHECK_HANDLE(server_handle); +- +- krb5_clear_error_message(handle->context); +- +- if (principal == NULL || keyblock == NULL) +- return EINVAL; +- if (hist_princ && /* this will be NULL when initializing the databse */ +- ((krb5_principal_compare(handle->context, +- principal, hist_princ)) == TRUE)) +- return KADM5_PROTECT_PRINCIPAL; +- +- if (keyblock->enctype != ENCTYPE_DES_CBC_CRC) +- return KADM5_SETV4KEY_INVAL_ENCTYPE; +- +- if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) +- return(ret); +- +- for (kvno = 0, i=0; in_key_data; i++) +- if (kdb->key_data[i].key_data_kvno > kvno) +- kvno = kdb->key_data[i].key_data_kvno; +- +- if (kdb->key_data != NULL) +- cleanup_key_data(handle->context, kdb->n_key_data, kdb->key_data); +- +- kdb->key_data = calloc(1, sizeof(krb5_key_data)); +- if (kdb->key_data == NULL) +- return ENOMEM; +- kdb->n_key_data = 1; +- keysalt.type = 
KRB5_KDB_SALTTYPE_V4; +- /* XXX data.magic? */ +- keysalt.data.length = 0; +- keysalt.data.data = NULL; +- +- ret = kdb_get_active_mkey(handle, NULL, &act_mkey); +- if (ret) +- goto done; +- +- /* use tmp_key_data as temporary location and reallocate later */ +- ret = krb5_dbe_encrypt_key_data(handle->context, act_mkey, keyblock, +- &keysalt, kvno + 1, kdb->key_data); +- if (ret) { +- goto done; +- } +- +- kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; +- +- ret = krb5_timeofday(handle->context, &now); +- if (ret) +- goto done; +- +- if ((adb.aux_attributes & KADM5_POLICY)) { +- ret = get_policy(handle, adb.policy, &pol, &have_pol); +- if (ret) +- goto done; +- } +- if (have_pol) { +- if (pol.pw_max_life) +- kdb->pw_expiration = ts_incr(now, pol.pw_max_life); +- else +- kdb->pw_expiration = 0; +- } else { +- kdb->pw_expiration = 0; +- } +- +- ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now); +- if (ret) +- goto done; +- +- /* unlock principal on this KDC */ +- kdb->fail_auth_count = 0; +- +- /* key data changed, let the database provider know */ +- kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT; +- +- if ((ret = kdb_put_entry(handle, kdb, &adb))) +- goto done; +- +- ret = KADM5_OK; +-done: +- for (i = 0; i < tmp_key_data.key_data_ver; i++) { +- if (tmp_key_data.key_data_contents[i]) { +- memset (tmp_key_data.key_data_contents[i], 0, tmp_key_data.key_data_length[i]); +- free (tmp_key_data.key_data_contents[i]); +- } +- } +- +- kdb_free_entry(handle, kdb, &adb); +- if (have_pol) +- kadm5_free_policy_ent(handle->lhandle, &pol); +- +- return ret; +-} +- + kadm5_ret_t + kadm5_setkey_principal(void *server_handle, + krb5_principal principal, diff --git a/Remove-srvtab-support.patch b/Remove-srvtab-support.patch new file mode 100644 index 0000000..48535af --- /dev/null +++ b/Remove-srvtab-support.patch 
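Review bot: The two tombstone comments for RPC procedure 17 in Remove-kadmin-RPC-support-for-setting-v4-key.patch disagree, and neither says the number is reserved: ovsec_kadmd.c gets `/* 17 was "SETV4KEY_PRINCIPAL" */` in the log_badverf name table, while kadm_rpc.h gets `/* 17 was SETV4KEY_PRINCIPAL (removed in 1.18). */`. I would use one wording in both places, for example `/* 17 was SETV4KEY_PRINCIPAL (removed in 1.18); do not reuse this procedure number. */`, so that a later change does not assign 17 to a new handler that older clients could still reach. The rest of the dispatch in kadm_1() lies outside the hunk, so it is worth confirming there that an unlisted procedure number is answered with a procedure-unavailable error. Separately, the LIBMAJOR 11 to 12 bump in clnt/Makefile.in and srv/Makefile.in changes the sonames of libkadm5clnt_mit and libkadm5srv_mit, so anything linked against them needs a rebuild when this backport lands; the krb5.spec side of that is not visible in this part of the page.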
@@ -0,0 +1,1410 @@ +From 152f5ed9961f54dd9d764ffb3c6298eb85d8f934 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Mon, 9 Oct 2017 15:58:33 -0400 +Subject: [PATCH] Remove srvtab support + +Also change internal names from "srvtab" to "keytab" where the old +name was used. + +ticket: 8793 (new) +(cherry picked from commit a23e670b40f69b6be0024f8a60d2afaf7f7a005a) +--- + doc/admin/admin_commands/ktutil.rst | 22 +- + doc/basic/keytab_def.rst | 6 +- + src/kadmin/ktutil/ktutil.c | 11 +- + src/kadmin/ktutil/ktutil.h | 4 - + src/kadmin/ktutil/ktutil_ct.ct | 4 +- + src/kadmin/ktutil/ktutil_funcs.c | 19 - + src/kadmin/testing/proto/krb5.conf.proto | 2 +- + src/kadmin/testing/scripts/env-setup.shin | 2 +- + src/kadmin/testing/scripts/init_db | 2 +- + .../testing/scripts/make-host-keytab.plin | 2 +- + .../testing/scripts/start_servers_local | 3 - + src/kprop/kprop.c | 10 +- + src/kprop/kpropd.c | 12 +- + src/lib/kadm5/unit-test/api.current/init.exp | 4 +- + src/lib/krb5/keytab/Makefile.in | 3 - + src/lib/krb5/keytab/deps | 11 - + src/lib/krb5/keytab/kt_srvtab.c | 435 ------------------ + src/lib/krb5/keytab/ktbase.c | 7 +- + src/lib/krb5/krb/in_tkt_sky.c | 6 +- + src/lib/krb5/libkrb5.exports | 1 - + src/lib/rpc/unit-test/Makefile.in | 6 +- + src/lib/rpc/unit-test/config/unix.exp | 2 +- + src/lib/rpc/unit-test/lib/helpers.exp | 4 +- + src/lib/rpc/unit-test/rpc_test_setup.sh | 6 +- + src/man/ktutil.man | 26 +- + src/tests/dejagnu/config/default.exp | 58 ++- + src/tests/dejagnu/krb-standalone/gssapi.exp | 8 +- + src/tests/dejagnu/krb-standalone/kadmin.exp | 48 +- + src/tests/dejagnu/krb-standalone/kprop.exp | 6 +- + src/tests/dejagnu/krb-standalone/sample.exp | 8 +- + src/tests/dejagnu/krb-standalone/simple.exp | 6 +- + .../dejagnu/krb-standalone/standalone.exp | 4 +- + src/tests/dejagnu/krb-standalone/tcp.exp | 5 - + 33 files changed, 86 insertions(+), 667 deletions(-) + delete mode 100644 src/lib/krb5/keytab/kt_srvtab.c + +diff --git a/doc/admin/admin_commands/ktutil.rst 
b/doc/admin/admin_commands/ktutil.rst +index 0dbc08f60..0897c7757 100644 +--- a/doc/admin/admin_commands/ktutil.rst ++++ b/doc/admin/admin_commands/ktutil.rst +@@ -13,8 +13,8 @@ DESCRIPTION + ----------- + + The ktutil command invokes a command interface from which an +-administrator can read, write, or edit entries in a keytab or Kerberos +-V4 srvtab file. ++administrator can read, write, or edit entries in a keytab. (Kerberos ++V4 srvtab files are no longer supported.) + + + COMMANDS +@@ -38,15 +38,6 @@ Read the Kerberos V5 keytab file *keytab* into the current keylist. + + Alias: **rkt** + +-read_st +-~~~~~~~ +- +- **read_st** *srvtab* +- +-Read the Kerberos V4 srvtab file *srvtab* into the current keylist. +- +-Alias: **rst** +- + write_kt + ~~~~~~~~ + +@@ -56,15 +47,6 @@ Write the current keylist into the Kerberos V5 keytab file *keytab*. + + Alias: **wkt** + +-write_st +-~~~~~~~~ +- +- **write_st** *srvtab* +- +-Write the current keylist into the Kerberos V4 srvtab file *srvtab*. +- +-Alias: **wst** +- + clear_list + ~~~~~~~~~~ + +diff --git a/doc/basic/keytab_def.rst b/doc/basic/keytab_def.rst +index 33ae67c6c..6c7fcc3b0 100644 +--- a/doc/basic/keytab_def.rst ++++ b/doc/basic/keytab_def.rst +@@ -12,10 +12,8 @@ credentials for client applications. + + Keytabs are named using the format *type*\ ``:``\ *value*. Usually + *type* is ``FILE`` and *value* is the absolute pathname of the file. +-Other possible values for *type* are ``SRVTAB``, which indicates a +-file in the deprecated Kerberos 4 srvtab format, and ``MEMORY``, which +-indicates a temporary keytab stored in the memory of the current +-process. ++The other possible value for *type* is ``MEMORY``, which indicates a ++temporary keytab stored in the memory of the current process. 
+ + A keytab contains one or more entries, where each entry consists of a + timestamp (indicating when the entry was written to the keytab), a +diff --git a/src/kadmin/ktutil/ktutil.c b/src/kadmin/ktutil/ktutil.c +index 196f20786..92d7023a4 100644 +--- a/src/kadmin/ktutil/ktutil.c ++++ b/src/kadmin/ktutil/ktutil.c +@@ -98,15 +98,8 @@ void ktutil_read_v4(argc, argv) + int argc; + char *argv[]; + { +- krb5_error_code retval; +- +- if (argc != 2) { +- fprintf(stderr, _("%s: must specify the srvtab to read\n"), argv[0]); +- return; +- } +- retval = ktutil_read_srvtab(kcontext, argv[1], &ktlist); +- if (retval) +- com_err(argv[0], retval, _("while reading srvtab \"%s\""), argv[1]); ++ fprintf(stderr, _("%s: reading srvtabs is no longer supported\n"), ++ argv[0]); + } + + void ktutil_write_v5(argc, argv) +diff --git a/src/kadmin/ktutil/ktutil.h b/src/kadmin/ktutil/ktutil.h +index ddb754bae..acaf0239a 100644 +--- a/src/kadmin/ktutil/ktutil.h ++++ b/src/kadmin/ktutil/ktutil.h +@@ -50,10 +50,6 @@ krb5_error_code ktutil_write_keytab (krb5_context, + krb5_kt_list, + char *); + +-krb5_error_code ktutil_read_srvtab (krb5_context, +- char *, +- krb5_kt_list *); +- + void ktutil_add_entry (int, char *[]); + + void ktutil_clear_list (int, char *[]); +diff --git a/src/kadmin/ktutil/ktutil_ct.ct b/src/kadmin/ktutil/ktutil_ct.ct +index 0c7ccb689..2061ef9d0 100644 +--- a/src/kadmin/ktutil/ktutil_ct.ct ++++ b/src/kadmin/ktutil/ktutil_ct.ct +@@ -32,13 +32,13 @@ request ktutil_clear_list, "Clear the current keylist.", + request ktutil_read_v5, "Read a krb5 keytab into the current keylist.", + read_kt, rkt; + +-request ktutil_read_v4, "Read a krb4 srvtab into the current keylist.", ++request ktutil_read_v4, "Deprecated and removed.", + read_st, rst; + + request ktutil_write_v5, "Write the current keylist to a krb5 keytab.", + write_kt, wkt; + +-request ktutil_write_v4, "Write the current keylist to a krb4 srvtab.", ++request ktutil_write_v4, "Deprecated and removed.", + write_st, wst; + + 
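Review bot: The new body of `ktutil_read_v4` in src/kadmin/ktutil/ktutil.c prints a diagnostic and returns normally, so a scripted session that still issues `read_st` carries on with whatever keylist it already held. A later `write_kt` in the same script could then write a keytab without the entries the script expected. The function is `void` and the request table elsewhere in this patch keeps `read_st`/`rst` registered, so this looks intended, but the code should say so, e.g. `/* srvtab support was removed; the request is kept so old scripts get a diagnostic. The keylist is left untouched. */`. `argc` is now unused in this function.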
request ktutil_add_entry, "Add an entry to the current keylist.", +diff --git a/src/kadmin/ktutil/ktutil_funcs.c b/src/kadmin/ktutil/ktutil_funcs.c +index 6d119a2b6..e2e005d22 100644 +--- a/src/kadmin/ktutil/ktutil_funcs.c ++++ b/src/kadmin/ktutil/ktutil_funcs.c +@@ -368,22 +368,3 @@ krb5_error_code ktutil_write_keytab(context, list, name) + krb5_kt_close(context, kt); + return retval; + } +- +-/* +- * Read in a named krb4 srvtab and append to list. Allocate new list +- * if needed. +- */ +-krb5_error_code ktutil_read_srvtab(context, name, list) +- krb5_context context; +- char *name; +- krb5_kt_list *list; +-{ +- char *ktname; +- krb5_error_code result; +- +- if (asprintf(&ktname, "SRVTAB:%s", name) < 0) +- return ENOMEM; +- result = ktutil_read_keytab(context, ktname, list); +- free(ktname); +- return result; +-} +diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto +index 9c4bc1de7..f91cf70f3 100644 +--- a/src/kadmin/testing/proto/krb5.conf.proto ++++ b/src/kadmin/testing/proto/krb5.conf.proto +@@ -1,6 +1,6 @@ + [libdefaults] + default_realm = __REALM__ +- default_keytab_name = FILE:__K5ROOT__/v5srvtab ++ default_keytab_name = FILE:__K5ROOT__/keytab + dns_fallback = no + plugin_base_dir = __PLUGIN_DIR__ + allow_weak_crypto = true +diff --git a/src/kadmin/testing/scripts/env-setup.shin b/src/kadmin/testing/scripts/env-setup.shin +index c8d866f15..726298351 100755 +--- a/src/kadmin/testing/scripts/env-setup.shin ++++ b/src/kadmin/testing/scripts/env-setup.shin +@@ -77,7 +77,7 @@ SRVTCL=$TESTDIR/util/kadm5_srv_tcl; export SRVTCL + + KRB5_CONFIG=$K5ROOT/krb5.conf; export KRB5_CONFIG + KRB5_KDC_PROFILE=$K5ROOT/kdc.conf; export KRB5_KDC_PROFILE +-KRB5_KTNAME=$K5ROOT/ovsec_adm.srvtab; export KRB5_KTNAME ++KRB5_KTNAME=$K5ROOT/ovsec_adm.keytab; export KRB5_KTNAME + KRB5_CLIENT_KTNAME=$K5ROOT/client_keytab; export KRB5_CLIENT_KTNAME + KRB5CCNAME=$K5ROOT/krb5cc_unit-test; export KRB5CCNAME + +diff --git 
a/src/kadmin/testing/scripts/init_db b/src/kadmin/testing/scripts/init_db +index cd7165628..bf119f2ac 100755 +--- a/src/kadmin/testing/scripts/init_db ++++ b/src/kadmin/testing/scripts/init_db +@@ -218,7 +218,7 @@ changepw/kerberos@$REALM cil + + EOF + +-eval $LOCAL_MAKE_KEYTAB -princ kadmin/admin -princ kadmin/changepw -princ ovsec_adm/admin -princ ovsec_adm/changepw $K5ROOT/ovsec_adm.srvtab $REDIRECT ++eval $LOCAL_MAKE_KEYTAB -princ kadmin/admin -princ kadmin/changepw -princ ovsec_adm/admin -princ ovsec_adm/changepw $K5ROOT/ovsec_adm.keytab $REDIRECT + + # Create $K5ROOT/setup.csh to make it easy to run other programs against + # the test db +diff --git a/src/kadmin/testing/scripts/make-host-keytab.plin b/src/kadmin/testing/scripts/make-host-keytab.plin +index dfe0b3a01..c77d61c70 100755 +--- a/src/kadmin/testing/scripts/make-host-keytab.plin ++++ b/src/kadmin/testing/scripts/make-host-keytab.plin +@@ -11,7 +11,7 @@ $usage = "Usage: $whoami [ -server server ] [ -princ principal ] + Default principals are host/hostname\@SECURE-TEST.OV.COM and + test/hostname\@SECURE-TEST.OV.COM. + If any principals are specified, the default principals are +- not added to the srvtab. ++ not added to the keytab. + The string \"xCANONHOSTx\" in a principal specification will be + replaced by the canonical host name of the local host."; + +diff --git a/src/kadmin/testing/scripts/start_servers_local b/src/kadmin/testing/scripts/start_servers_local +index 0cbed462d..809892974 100755 +--- a/src/kadmin/testing/scripts/start_servers_local ++++ b/src/kadmin/testing/scripts/start_servers_local +@@ -98,9 +98,6 @@ x=$? 
+ rm /tmp/start_servers_local$$ + if test $x != 0 ; then exit 1 ; fi + +-# rm -f /etc/v5srvtab +-# eval $LOCAL_MAKE_KEYTAB -princ host/xCANONHOSTx /etc/v5srvtab $REDIRECT +- + # run the servers (from the build tree) + + adm_start_file=/tmp/adm_server_start.$$ +diff --git a/src/kprop/kprop.c b/src/kprop/kprop.c +index b7fb63777..0b53aae7e 100644 +--- a/src/kprop/kprop.c ++++ b/src/kprop/kprop.c +@@ -49,7 +49,7 @@ static char *kprop_version = KPROP_PROT_VERSION; + + static char *progname = NULL; + static int debug = 0; +-static char *srvtab = NULL; ++static char *keytab_path = NULL; + static char *replica_host; + static char *realm = NULL; + static char *def_realm = NULL; +@@ -83,7 +83,7 @@ static void update_last_prop_file(char *hostname, char *file_name); + static void usage() + { + fprintf(stderr, _("\nUsage: %s [-r realm] [-f file] [-d] [-P port] " +- "[-s srvtab] replica_host\n\n"), progname); ++ "[-s keytab] replica_host\n\n"), progname); + exit(1); + } + +@@ -140,7 +140,7 @@ parse_args(krb5_context context, int argc, char **argv) + port = optarg; + break; + case 's': +- srvtab = optarg; ++ keytab_path = optarg; + break; + default: + usage(); +@@ -191,8 +191,8 @@ get_tickets(krb5_context context) + exit(1); + } + +- if (srvtab != NULL) { +- retval = krb5_kt_resolve(context, srvtab, &keytab); ++ if (keytab_path != NULL) { ++ retval = krb5_kt_resolve(context, keytab_path, &keytab); + if (retval) { + com_err(progname, retval, _("while resolving keytab")); + exit(1); +diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c +index 0c7bffa24..e4aaf553c 100644 +--- a/src/kprop/kpropd.c ++++ b/src/kprop/kpropd.c +@@ -117,7 +117,7 @@ static kadm5_config_params params; + static char *progname; + static int debug = 0; + static int nodaemon = 0; +-static char *srvtab = NULL; ++static char *keytab_path = NULL; + static int standalone = 0; + static const char *pid_file = NULL; + +@@ -168,7 +168,7 @@ static void + usage() + { + fprintf(stderr, +- _("\nUsage: %s [-r realm] [-s 
srvtab] [-dS] [-f replica_file]\n"), ++ _("\nUsage: %s [-r realm] [-s keytab] [-dS] [-f replica_file]\n"), + progname); + fprintf(stderr, _("\t[-F kerberos_db_file ] [-p kdb5_util_pathname]\n")); + fprintf(stderr, _("\t[-x db_args]* [-P port] [-a acl_file]\n")); +@@ -701,7 +701,7 @@ reinit: + iprop_svc_princstr); + } + retval = kadm5_init_with_skey(kpropd_context, iprop_svc_princstr, +- srvtab, ++ keytab_path, + master_svc_princstr, + ¶ms, + KADM5_STRUCT_VERSION, +@@ -1092,7 +1092,7 @@ parse_args(int argc, char **argv) + realm = optarg; + break; + case 's': +- srvtab = optarg; ++ keytab_path = optarg; + break; + case 'D': + nodaemon++; +@@ -1246,8 +1246,8 @@ kerberos_authenticate(krb5_context context, int fd, krb5_principal *clientp, + exit(1); + } + +- if (srvtab != NULL) { +- retval = krb5_kt_resolve(context, srvtab, &keytab); ++ if (keytab_path != NULL) { ++ retval = krb5_kt_resolve(context, keytab_path, &keytab); + if (retval) { + syslog(LOG_ERR, _("Error in krb5_kt_resolve: %s"), + error_message(retval)); +diff --git a/src/lib/kadm5/unit-test/api.current/init.exp b/src/lib/kadm5/unit-test/api.current/init.exp +index d9ae3fbd8..f78261376 100644 +--- a/src/lib/kadm5/unit-test/api.current/init.exp ++++ b/src/lib/kadm5/unit-test/api.current/init.exp +@@ -695,10 +695,10 @@ if {$RPC} { + test45_46 ovsec_adm/changepw + + # re-extract the keytab so it is right +- exec rm $env(K5ROOT)/ovsec_adm.srvtab ++ exec rm $env(K5ROOT)/ovsec_adm.keytab + exec $env(MAKE_KEYTAB) -princ ovsec_adm/admin -princ ovsec_adm/changepw \ + -princ kadmin/admin -princ kadmin/changepw \ +- $env(K5ROOT)/ovsec_adm.srvtab ++ $env(K5ROOT)/ovsec_adm.keytab + } + + return "" +diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in +index 2a8fceb00..4621bf714 100644 +--- a/src/lib/krb5/keytab/Makefile.in ++++ b/src/lib/krb5/keytab/Makefile.in +@@ -14,7 +14,6 @@ STLIBOBJS= \ + ktfns.o \ + kt_file.o \ + kt_memory.o \ +- kt_srvtab.o \ + read_servi.o + + OBJS= \ +@@ -26,7 +25,6 @@ 
OBJS= \ + $(OUTPRE)ktfns.$(OBJEXT) \ + $(OUTPRE)kt_file.$(OBJEXT) \ + $(OUTPRE)kt_memory.$(OBJEXT) \ +- $(OUTPRE)kt_srvtab.$(OBJEXT) \ + $(OUTPRE)read_servi.$(OBJEXT) + + SRCS= \ +@@ -38,7 +36,6 @@ SRCS= \ + $(srcdir)/ktfns.c \ + $(srcdir)/kt_file.c \ + $(srcdir)/kt_memory.c \ +- $(srcdir)/kt_srvtab.c \ + $(srcdir)/read_servi.c + + EXTRADEPSRCS= \ +diff --git a/src/lib/krb5/keytab/deps b/src/lib/krb5/keytab/deps +index 4c98188ca..522cad0e8 100644 +--- a/src/lib/krb5/keytab/deps ++++ b/src/lib/krb5/keytab/deps +@@ -87,17 +87,6 @@ kt_memory.so kt_memory.po $(OUTPRE)kt_memory.$(OBJEXT): \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + kt-int.h kt_memory.c +-kt_srvtab.so kt_srvtab.po $(OUTPRE)kt_srvtab.$(OBJEXT): \ +- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ +- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ +- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ +- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ +- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ +- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ +- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ +- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ +- kt_srvtab.c + read_servi.so read_servi.po $(OUTPRE)read_servi.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +diff --git a/src/lib/krb5/keytab/kt_srvtab.c b/src/lib/krb5/keytab/kt_srvtab.c +deleted file mode 100644 +index bbfaadfc2..000000000 +--- a/src/lib/krb5/keytab/kt_srvtab.c ++++ /dev/null +@@ -1,435 +0,0 @@ +-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +-/* 
lib/krb5/keytab/kt_srvtab.c */ +-/* +- * Copyright 1990,1991,2002,2007,2008 by the Massachusetts Institute of Technology. +- * All Rights Reserved. +- * +- * Export of this software from the United States of America may +- * require a specific license from the United States Government. +- * It is the responsibility of any person or organization contemplating +- * export to obtain such a license before exporting. +- * +- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +- * distribute this software and its documentation for any purpose and +- * without fee is hereby granted, provided that the above copyright +- * notice appear in all copies and that both that copyright notice and +- * this permission notice appear in supporting documentation, and that +- * the name of M.I.T. not be used in advertising or publicity pertaining +- * to distribution of the software without specific, written prior +- * permission. Furthermore if you modify this software you must label +- * your software as modified software and not distribute it in such a +- * fashion that it might be confused with the original M.I.T. software. +- * M.I.T. makes no representations about the suitability of +- * this software for any purpose. It is provided "as is" without express +- * or implied warranty. +- */ +-/* +- * Copyright (c) Hewlett-Packard Company 1991 +- * Released to the Massachusetts Institute of Technology for inclusion +- * in the Kerberos source code distribution. +- * +- * Copyright 1990,1991 by the Massachusetts Institute of Technology. +- * All Rights Reserved. +- * +- * Export of this software from the United States of America may +- * require a specific license from the United States Government. +- * It is the responsibility of any person or organization contemplating +- * export to obtain such a license before exporting. 
+- * +- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +- * distribute this software and its documentation for any purpose and +- * without fee is hereby granted, provided that the above copyright +- * notice appear in all copies and that both that copyright notice and +- * this permission notice appear in supporting documentation, and that +- * the name of M.I.T. not be used in advertising or publicity pertaining +- * to distribution of the software without specific, written prior +- * permission. Furthermore if you modify this software you must label +- * your software as modified software and not distribute it in such a +- * fashion that it might be confused with the original M.I.T. software. +- * M.I.T. makes no representations about the suitability of +- * this software for any purpose. It is provided "as is" without express +- * or implied warranty. +- */ +- +-#include "k5-int.h" +-#include +- +-#ifndef LEAN_CLIENT +- +-/* +- * Constants +- */ +- +-#define KRB5_KT_VNO_1 0x0501 /* krb v5, keytab version 1 (DCE compat) */ +-#define KRB5_KT_VNO 0x0502 /* krb v5, keytab version 2 (standard) */ +- +-#define KRB5_KT_DEFAULT_VNO KRB5_KT_VNO +- +-/* +- * Types +- */ +-typedef struct _krb5_ktsrvtab_data { +- char *name; /* Name of the file */ +- FILE *openf; /* open file, if any. 
*/ +-} krb5_ktsrvtab_data; +- +-/* +- * Macros +- */ +-#define KTPRIVATE(id) ((krb5_ktsrvtab_data *)(id)->data) +-#define KTFILENAME(id) (((krb5_ktsrvtab_data *)(id)->data)->name) +-#define KTFILEP(id) (((krb5_ktsrvtab_data *)(id)->data)->openf) +- +-extern const struct _krb5_kt_ops krb5_kts_ops; +- +-static krb5_error_code KRB5_CALLCONV +-krb5_ktsrvtab_resolve(krb5_context, const char *, krb5_keytab *); +- +-static krb5_error_code KRB5_CALLCONV +-krb5_ktsrvtab_get_name(krb5_context, krb5_keytab, char *, unsigned int); +- +-static krb5_error_code KRB5_CALLCONV +-krb5_ktsrvtab_close(krb5_context, krb5_keytab); +- +-static krb5_error_code KRB5_CALLCONV +-krb5_ktsrvtab_get_entry(krb5_context, krb5_keytab, krb5_const_principal, +- krb5_kvno, krb5_enctype, krb5_keytab_entry *); +- +-static krb5_error_code KRB5_CALLCONV +-krb5_ktsrvtab_start_seq_get(krb5_context, krb5_keytab, krb5_kt_cursor *); +- +-static krb5_error_code KRB5_CALLCONV +-krb5_ktsrvtab_get_next(krb5_context, krb5_keytab, krb5_keytab_entry *, +- krb5_kt_cursor *); +- +-static krb5_error_code KRB5_CALLCONV +-krb5_ktsrvtab_end_get(krb5_context, krb5_keytab, krb5_kt_cursor *); +- +-static krb5_error_code +-krb5_ktsrvint_open(krb5_context, krb5_keytab); +- +-static krb5_error_code +-krb5_ktsrvint_close(krb5_context, krb5_keytab); +- +-static krb5_error_code +-krb5_ktsrvint_read_entry(krb5_context, krb5_keytab, krb5_keytab_entry *); +- +-/* +- * This is an implementation specific resolver. It returns a keytab id +- * initialized with srvtab keytab routines. 
+- */ +- +-static krb5_error_code KRB5_CALLCONV +-krb5_ktsrvtab_resolve(krb5_context context, const char *name, krb5_keytab *id) +-{ +- krb5_ktsrvtab_data *data; +- +- if ((*id = (krb5_keytab) malloc(sizeof(**id))) == NULL) +- return(ENOMEM); +- +- (*id)->ops = &krb5_kts_ops; +- data = (krb5_ktsrvtab_data *)malloc(sizeof(krb5_ktsrvtab_data)); +- if (data == NULL) { +- free(*id); +- return(ENOMEM); +- } +- +- data->name = strdup(name); +- if (data->name == NULL) { +- free(data); +- free(*id); +- return(ENOMEM); +- } +- +- data->openf = 0; +- +- (*id)->data = (krb5_pointer)data; +- (*id)->magic = KV5M_KEYTAB; +- return(0); +-} +- +-/* +- * "Close" a file-based keytab and invalidate the id. This means +- * free memory hidden in the structures. +- */ +- +-krb5_error_code KRB5_CALLCONV +-krb5_ktsrvtab_close(krb5_context context, krb5_keytab id) +-/* +- * This routine is responsible for freeing all memory allocated +- * for this keytab. There are no system resources that need +- * to be freed nor are there any open files. +- * +- * This routine should undo anything done by krb5_ktsrvtab_resolve(). +- */ +-{ +- free(KTFILENAME(id)); +- free(id->data); +- id->ops = 0; +- free(id); +- return (0); +-} +- +-/* +- * This is the get_entry routine for the file based keytab implementation. +- * It opens the keytab file, and either retrieves the entry or returns +- * an error. +- */ +- +-krb5_error_code KRB5_CALLCONV +-krb5_ktsrvtab_get_entry(krb5_context context, krb5_keytab id, krb5_const_principal principal, krb5_kvno kvno, krb5_enctype enctype, krb5_keytab_entry *entry) +-{ +- krb5_keytab_entry best_entry, ent; +- krb5_error_code kerror = 0; +- int found_wrong_kvno = 0; +- +- /* Open the srvtab. */ +- if ((kerror = krb5_ktsrvint_open(context, id))) +- return(kerror); +- +- /* srvtab files only have DES_CBC_CRC keys. 
*/ +- switch (enctype) { +- case ENCTYPE_DES_CBC_CRC: +- case ENCTYPE_DES_CBC_MD5: +- case ENCTYPE_DES_CBC_MD4: +- case ENCTYPE_DES_CBC_RAW: +- case IGNORE_ENCTYPE: +- break; +- default: +- return KRB5_KT_NOTFOUND; +- } +- +- best_entry.principal = 0; +- best_entry.vno = 0; +- best_entry.key.contents = 0; +- while ((kerror = krb5_ktsrvint_read_entry(context, id, &ent)) == 0) { +- ent.key.enctype = enctype; +- if (krb5_principal_compare(context, principal, ent.principal)) { +- if (kvno == IGNORE_VNO || ent.vno == IGNORE_VNO) { +- if (!best_entry.principal || (best_entry.vno < ent.vno)) { +- krb5_kt_free_entry(context, &best_entry); +- best_entry = ent; +- } +- } else { +- if (ent.vno == kvno) { +- best_entry = ent; +- break; +- } else { +- found_wrong_kvno = 1; +- } +- } +- } else { +- krb5_kt_free_entry(context, &ent); +- } +- } +- if (kerror == KRB5_KT_END) { +- if (best_entry.principal) +- kerror = 0; +- else if (found_wrong_kvno) +- kerror = KRB5_KT_KVNONOTFOUND; +- else +- kerror = KRB5_KT_NOTFOUND; +- } +- if (kerror) { +- (void) krb5_ktsrvint_close(context, id); +- krb5_kt_free_entry(context, &best_entry); +- return kerror; +- } +- if ((kerror = krb5_ktsrvint_close(context, id)) != 0) { +- krb5_kt_free_entry(context, &best_entry); +- return kerror; +- } +- *entry = best_entry; +- return 0; +-} +- +-/* +- * Get the name of the file containing a srvtab-based keytab. +- */ +- +-krb5_error_code KRB5_CALLCONV +-krb5_ktsrvtab_get_name(krb5_context context, krb5_keytab id, char *name, unsigned int len) +-/* +- * This routine returns the name of the name of the file associated with +- * this srvtab-based keytab. The name is prefixed with PREFIX:, so that +- * trt will happen if the name is passed back to resolve. 
+- */ +-{ +- int result; +- +- memset(name, 0, len); +- result = snprintf(name, len, "%s:%s", id->ops->prefix, KTFILENAME(id)); +- if (SNPRINTF_OVERFLOW(result, len)) +- return(KRB5_KT_NAME_TOOLONG); +- return(0); +-} +- +-/* +- * krb5_ktsrvtab_start_seq_get() +- */ +- +-krb5_error_code KRB5_CALLCONV +-krb5_ktsrvtab_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursorp) +-{ +- krb5_error_code retval; +- long *fileoff; +- +- if ((retval = krb5_ktsrvint_open(context, id))) +- return retval; +- +- if (!(fileoff = (long *)malloc(sizeof(*fileoff)))) { +- krb5_ktsrvint_close(context, id); +- return ENOMEM; +- } +- *fileoff = ftell(KTFILEP(id)); +- *cursorp = (krb5_kt_cursor)fileoff; +- +- return 0; +-} +- +-/* +- * krb5_ktsrvtab_get_next() +- */ +- +-krb5_error_code KRB5_CALLCONV +-krb5_ktsrvtab_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry, krb5_kt_cursor *cursor) +-{ +- long *fileoff = (long *)*cursor; +- krb5_keytab_entry cur_entry; +- krb5_error_code kerror; +- +- if (fseek(KTFILEP(id), *fileoff, 0) == -1) +- return KRB5_KT_END; +- if ((kerror = krb5_ktsrvint_read_entry(context, id, &cur_entry))) +- return kerror; +- *fileoff = ftell(KTFILEP(id)); +- *entry = cur_entry; +- return 0; +-} +- +-/* +- * krb5_ktsrvtab_end_get() +- */ +- +-krb5_error_code KRB5_CALLCONV +-krb5_ktsrvtab_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor) +-{ +- free(*cursor); +- return krb5_ktsrvint_close(context, id); +-} +- +-/* +- * krb5_kts_ops +- */ +- +-const struct _krb5_kt_ops krb5_kts_ops = { +- 0, +- "SRVTAB", /* Prefix -- this string should not appear anywhere else! 
*/ +- krb5_ktsrvtab_resolve, +- krb5_ktsrvtab_get_name, +- krb5_ktsrvtab_close, +- krb5_ktsrvtab_get_entry, +- krb5_ktsrvtab_start_seq_get, +- krb5_ktsrvtab_get_next, +- krb5_ktsrvtab_end_get, +- 0, +- 0, +- 0 +-}; +- +-/* formerly: lib/krb5/keytab/srvtab/kts_util.c */ +- +-#include +- +-/* The maximum sizes for V4 aname, realm, sname, and instance +1 */ +-/* Taken from krb.h */ +-#define ANAME_SZ 40 +-#define REALM_SZ 40 +-#define SNAME_SZ 40 +-#define INST_SZ 40 +- +-static krb5_error_code +-read_field(FILE *fp, char *s, int len) +-{ +- int c; +- +- while ((c = getc(fp)) != 0) { +- if (c == EOF || len <= 1) +- return KRB5_KT_END; +- *s = c; +- s++; +- len--; +- } +- *s = 0; +- return 0; +-} +- +-krb5_error_code +-krb5_ktsrvint_open(krb5_context context, krb5_keytab id) +-{ +- KTFILEP(id) = fopen(KTFILENAME(id), "rb"); +- if (!KTFILEP(id)) +- return errno; +- set_cloexec_file(KTFILEP(id)); +- return 0; +-} +- +-krb5_error_code +-krb5_ktsrvint_close(krb5_context context, krb5_keytab id) +-{ +- if (!KTFILEP(id)) +- return 0; +- (void) fclose(KTFILEP(id)); +- KTFILEP(id) = 0; +- return 0; +-} +- +-krb5_error_code +-krb5_ktsrvint_read_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *ret_entry) +-{ +- FILE *fp; +- char name[SNAME_SZ], instance[INST_SZ], realm[REALM_SZ]; +- unsigned char key[8]; +- int vno; +- krb5_error_code kerror; +- +- /* Read in an entry from the srvtab file. */ +- fp = KTFILEP(id); +- kerror = read_field(fp, name, sizeof(name)); +- if (kerror != 0) +- return kerror; +- kerror = read_field(fp, instance, sizeof(instance)); +- if (kerror != 0) +- return kerror; +- kerror = read_field(fp, realm, sizeof(realm)); +- if (kerror != 0) +- return kerror; +- vno = getc(fp); +- if (vno == EOF) +- return KRB5_KT_END; +- if (fread(key, 1, sizeof(key), fp) != sizeof(key)) +- return KRB5_KT_END; +- +- /* Fill in ret_entry with the data we read. Everything maps well +- * except for the timestamp, which we don't have a value for. 
For +- * now we just set it to 0. */ +- memset(ret_entry, 0, sizeof(*ret_entry)); +- ret_entry->magic = KV5M_KEYTAB_ENTRY; +- kerror = krb5_425_conv_principal(context, name, instance, realm, +- &ret_entry->principal); +- if (kerror != 0) +- return kerror; +- ret_entry->vno = vno; +- ret_entry->timestamp = 0; +- ret_entry->key.enctype = ENCTYPE_DES_CBC_CRC; +- ret_entry->key.magic = KV5M_KEYBLOCK; +- ret_entry->key.length = sizeof(key); +- ret_entry->key.contents = k5memdup(key, sizeof(key), &kerror); +- if (ret_entry->key.contents == NULL) { +- krb5_free_principal(context, ret_entry->principal); +- return kerror; +- } +- +- return 0; +-} +-#endif /* LEAN_CLIENT */ +diff --git a/src/lib/krb5/keytab/ktbase.c b/src/lib/krb5/keytab/ktbase.c +index 0d39b2940..25752245a 100644 +--- a/src/lib/krb5/keytab/ktbase.c ++++ b/src/lib/krb5/keytab/ktbase.c +@@ -55,20 +55,15 @@ + + extern const krb5_kt_ops krb5_ktf_ops; + extern const krb5_kt_ops krb5_ktf_writable_ops; +-extern const krb5_kt_ops krb5_kts_ops; + extern const krb5_kt_ops krb5_mkt_ops; + + struct krb5_kt_typelist { + const krb5_kt_ops *ops; + const struct krb5_kt_typelist *next; + }; +-const static struct krb5_kt_typelist krb5_kt_typelist_srvtab = { +- &krb5_kts_ops, +- NULL +-}; + const static struct krb5_kt_typelist krb5_kt_typelist_memory = { + &krb5_mkt_ops, +- &krb5_kt_typelist_srvtab ++ NULL + }; + const static struct krb5_kt_typelist krb5_kt_typelist_wrfile = { + &krb5_ktf_writable_ops, +diff --git a/src/lib/krb5/krb/in_tkt_sky.c b/src/lib/krb5/krb/in_tkt_sky.c +index 7a8922623..342fe18dc 100644 +--- a/src/lib/krb5/krb/in_tkt_sky.c ++++ b/src/lib/krb5/krb/in_tkt_sky.c +@@ -56,9 +56,9 @@ get_as_key_skey(krb5_context context, krb5_principal client, + If addrs is non-NULL, it is used for the addresses requested. If it is + null, the system standard addresses are used. + +- If keyblock is NULL, an appropriate key for creds->client is retrieved +- from the system key store (e.g. /etc/srvtab). 
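Review bot: With `krb5_kt_typelist_srvtab` gone, `krb5_kt_typelist_memory` becomes the tail of the built-in list in src/lib/krb5/keytab/ktbase.c (`next` is now `NULL`), and nothing at the declaration says so. A short comment on that initializer, such as `/* Last built-in keytab type; the SRVTAB type was removed. */`, would help whoever next adds a type. A keytab name carrying the `SRVTAB:` prefix no longer matches any built-in type. The lookup code is outside this hunk, so it is worth confirming that such a name, for instance from an old `default_keytab_name` setting, fails with a clear error rather than being resolved as some other type.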
If keyblock is non-NULL, +- it is used as the decryption key. ++ If keyblock is NULL, an appropriate key for creds->client is retrieved from ++ the system key store (e.g. /etc/krb5.keytab). If keyblock is non-NULL, it ++ is used as the decryption key. + + A succesful call will place the ticket in the credentials cache ccache. + +diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports +index dfdb72daf..038e4de4b 100644 +--- a/src/lib/krb5/libkrb5.exports ++++ b/src/lib/krb5/libkrb5.exports +@@ -459,7 +459,6 @@ krb5_kt_resolve + krb5_kt_start_seq_get + krb5_ktf_ops + krb5_ktf_writable_ops +-krb5_kts_ops + krb5_kuserok + krb5_lock_file + krb5_make_authdata_kdc_issued +diff --git a/src/lib/rpc/unit-test/Makefile.in b/src/lib/rpc/unit-test/Makefile.in +index 6f29e33c9..46f2f1d4b 100644 +--- a/src/lib/rpc/unit-test/Makefile.in ++++ b/src/lib/rpc/unit-test/Makefile.in +@@ -45,8 +45,8 @@ PASS=@PASS@ + unit-test-body: + $(RM) krb5cc_rpc_test_* + $(ENV_SETUP) $(VALGRIND) $(START_SERVERS) +- RPC_TEST_SRVTAB=/tmp/rpc_test_v5srvtab.$$$$ ; export RPC_TEST_SRVTAB ; \ +- trap "echo Failed, cleaning up... ; rm -f $$RPC_TEST_SRVTAB ; $(ENV_SETUP) $(STOP_SERVERS) ; trap '' 0 ; exit 1" 0 1 2 3 14 15 ; \ ++ RPC_TEST_KEYTAB=/tmp/rpc_test_keytab.$$$$ ; export RPC_TEST_KEYTAB ; \ ++ trap "echo Failed, cleaning up... ; rm -f $$RPC_TEST_KEYTAB ; $(ENV_SETUP) $(STOP_SERVERS) ; trap '' 0 ; exit 1" 0 1 2 3 14 15 ; \ + if $(ENV_SETUP) \ + $(RUNTEST) SERVER=./server CLIENT=./client \ + KINIT=$(BUILDTOP)/clients/kinit/kinit \ +@@ -55,7 +55,7 @@ unit-test-body: + PASS="$(PASS)" --tool rpc_test $(RUNTESTFLAGS) ; \ + then \ + echo Cleaning up... 
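Review bot: The renamed `RPC_TEST_KEYTAB=/tmp/rpc_test_keytab.$$$$` in the `unit-test-body` recipe of src/lib/rpc/unit-test/Makefile.in still places a keytab at a PID-derived name in `/tmp`, where another local user can pre-create the path or a symlink before the test writes it. Since the line is being touched anyway, the keytab could live in a private per-run directory, e.g. `RPC_TEST_DIR=$$(mktemp -d) ; RPC_TEST_KEYTAB=$$RPC_TEST_DIR/keytab ; export RPC_TEST_KEYTAB ; \`. The two `rm -f` cleanups in this recipe (the second is in the following hunk) would then remove the directory as well. These are throw-away test keys, so the exposure is mostly limited to shared build hosts.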
; \ +- rm -f $$RPC_TEST_SRVTAB krb5cc_rpc_test_* ; \ ++ rm -f $$RPC_TEST_KEYTAB krb5cc_rpc_test_* ; \ + $(ENV_SETUP) $(STOP_SERVERS) ; \ + trap 0 ; exit 0 ; \ + else exit 1 ; fi +diff --git a/src/lib/rpc/unit-test/config/unix.exp b/src/lib/rpc/unit-test/config/unix.exp +index ba57b703e..ed179bbe3 100644 +--- a/src/lib/rpc/unit-test/config/unix.exp ++++ b/src/lib/rpc/unit-test/config/unix.exp +@@ -139,7 +139,7 @@ proc rpc_test_start { } { + + if [info exists server_pid] { rpc_test_exit } + +- set env(KRB5_KTNAME) FILE:$env(RPC_TEST_SRVTAB) ++ set env(KRB5_KTNAME) FILE:$env(RPC_TEST_KEYTAB) + + verbose "% $SERVER" 1 + set server_pid [spawn $SERVER $PROT] +diff --git a/src/lib/rpc/unit-test/lib/helpers.exp b/src/lib/rpc/unit-test/lib/helpers.exp +index a1b078374..6ba2b10ae 100644 +--- a/src/lib/rpc/unit-test/lib/helpers.exp ++++ b/src/lib/rpc/unit-test/lib/helpers.exp +@@ -121,8 +121,8 @@ proc setup_database {} { + if ![info exists CANON_HOST] { + set CANON_HOST [exec $env(QUALNAME)] + setup_database +- file delete $env(RPC_TEST_SRVTAB) +- exec $env(MAKE_KEYTAB) -princ "server/$CANON_HOST" $env(RPC_TEST_SRVTAB) ++ file delete $env(RPC_TEST_KEYTAB) ++ exec $env(MAKE_KEYTAB) -princ "server/$CANON_HOST" $env(RPC_TEST_KEYTAB) + } + + +diff --git a/src/lib/rpc/unit-test/rpc_test_setup.sh b/src/lib/rpc/unit-test/rpc_test_setup.sh +index 968f52a67..b610f87ef 100755 +--- a/src/lib/rpc/unit-test/rpc_test_setup.sh ++++ b/src/lib/rpc/unit-test/rpc_test_setup.sh +@@ -1,7 +1,7 @@ + #!/bin/sh + # + # This script performs additional setup for the RPC unit test. It +-# assumes that gmake has put TOP and RPC_TEST_SRVTAB into the ++# assumes that gmake has put TOP and RPC_TEST_KEYTAB into the + # environment. + # + # $Id$ +@@ -42,9 +42,9 @@ if test $? 
!= 0 ; then
+ fi
+ rm /tmp/rpc_test_setup$$
+
+-rm -f $RPC_TEST_SRVTAB
++rm -f $RPC_TEST_KEYTAB
+
+-eval $MAKE_KEYTAB -princ server/$CANON_HOST $RPC_TEST_SRVTAB $REDIRECT
++eval $MAKE_KEYTAB -princ server/$CANON_HOST $RPC_TEST_KEYTAB $REDIRECT
+
+ # grep -s "$CANON_HOST SECURE-TEST.OV.COM" /etc/krb.realms
+ # if [ $? != 0 ]; then
+diff --git a/src/man/ktutil.man b/src/man/ktutil.man
+index 4e174c0fe..233329468 100644
+--- a/src/man/ktutil.man
++++ b/src/man/ktutil.man
+@@ -1,6 +1,6 @@
+ .\" Man page generated from reStructuredText.
+ .
+-.TH "KTUTIL" "1" " " "1.17" "MIT Kerberos"
++.TH "KTUTIL" "1" " " "1.18" "MIT Kerberos"
+ .SH NAME
+ ktutil \- Kerberos keytab file maintenance utility
+ .
+@@ -36,8 +36,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+ .SH DESCRIPTION
+ .sp
+ The ktutil command invokes a command interface from which an
+-administrator can read, write, or edit entries in a keytab or Kerberos
+-V4 srvtab file.
++administrator can read, write, or edit entries in a keytab. (Kerberos
++V4 srvtab files are no longer supported.)
+ .SH COMMANDS
+ .SS list
+ .INDENT 0.0
+@@ -59,16 +59,6 @@ Alias: \fBl\fP
+ Read the Kerberos V5 keytab file \fIkeytab\fP into the current keylist.
+ .sp
+ Alias: \fBrkt\fP
+-.SS read_st
+-.INDENT 0.0
+-.INDENT 3.5
+-\fBread_st\fP \fIsrvtab\fP
+-.UNINDENT
+-.UNINDENT
+-.sp
+-Read the Kerberos V4 srvtab file \fIsrvtab\fP into the current keylist.
+-.sp
+-Alias: \fBrst\fP
+ .SS write_kt
+ .INDENT 0.0
+ .INDENT 3.5
+@@ -79,16 +69,6 @@ Alias: \fBrst\fP
+ Write the current keylist into the Kerberos V5 keytab file \fIkeytab\fP\&.
+ .sp
+ Alias: \fBwkt\fP
+-.SS write_st
+-.INDENT 0.0
+-.INDENT 3.5
+-\fBwrite_st\fP \fIsrvtab\fP
+-.UNINDENT
+-.UNINDENT
+-.sp
+-Write the current keylist into the Kerberos V4 srvtab file \fIsrvtab\fP\&.
+-.sp
+-Alias: \fBwst\fP
+ .SS clear_list
+ .INDENT 0.0
+ .INDENT 3.5
+diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
+index d7b296516..ea9bedd45 100644
+--- a/src/tests/dejagnu/config/default.exp
++++ b/src/tests/dejagnu/config/default.exp
+@@ -440,8 +440,8 @@ proc delete_db {} {
+ $tmppwd/kdc-db.ulog \
+ $tmppwd/replica-db $tmppwd/replica-db.ok $tmppwd/replica-db.kadm5 $tmppwd/replica-db.kadm5.lock \
+ $tmppwd/replica-db~ $tmppwd/replica-db~.ok $tmppwd/replica-db~.kadm5 $tmppwd/replica-db~.kadm5.lock
+- # Creating a new database means we need a new srvtab.
+- file delete $tmppwd/srvtab $tmppwd/cpw_srvtab
++ # Creating a new database means we need a new keytab.
++ file delete $tmppwd/keytab $tmppwd/cpw_keytab
+ }
+
+ delete_db
+@@ -1510,11 +1510,9 @@ proc start_kpropd {} {
+
+ envstack_push
+ setup_kerberos_env replica
+- spawn $KPROPD -S -d -t -P [expr 10 + $portbase] -s $tmppwd/srvtab -f $tmppwd/incoming-replica-datatrans -p $KDB5_UTIL -a $tmppwd/kpropd-acl
++ spawn $KPROPD -S -d -t -P [expr 10 + $portbase] -s $tmppwd/keytab -f $tmppwd/incoming-replica-datatrans -p $KDB5_UTIL -a $tmppwd/kpropd-acl
+ set kpropd_pid [exp_pid]
+ set kpropd_spawn_id $spawn_id
+-# send_user [list $KPROPD -S -d -P [expr 10 + $portbase] -s $tmppwd/srvtab -f $tmppwd/incoming-replica-datatrans -p $KDB5_UTIL -a $tmppwd/kpropd-acl]\n
+-# spawn_shell
+ envstack_pop
+ }
+
+@@ -1859,13 +1857,13 @@ proc add_random_key { kkey standalone } {
+ }
+ }
+
+-# setup_srvtab
+-# Set up a srvtab file. start_kerberos_daemons and add_random_key
++# setup_keytab
++# Set up a keytab file. start_kerberos_daemons and add_random_key
+ # $id/$hostname must be called before this procedure. If the
+ # argument is non-zero, call pass at relevant points. Returns 1 on
+ # success, 0 on failure. If the id field is not provided, host is used.
+ +-proc setup_srvtab { standalone {id host} } { ++proc setup_keytab { standalone {id host} } { + global REALMNAME + global KADMIN_LOCAL + global KEY +@@ -1874,17 +1872,17 @@ proc setup_srvtab { standalone {id host} } { + global spawn_id + global last_service + +- if {!$standalone && [file exists $tmppwd/srvtab] && $last_service == $id} { ++ if {!$standalone && [file exists $tmppwd/keytab] && $last_service == $id} { + return 1 + } + +- file delete $tmppwd/srvtab $tmppwd/srvtab.old ++ file delete $tmppwd/keytab $tmppwd/keytab.old + + if ![get_hostname] { + return 0 + } + +- file delete $hostname-new-srvtab ++ file delete $hostname-new-keytab + + envstack_push + setup_kerberos_env kdc +@@ -1892,40 +1890,40 @@ proc setup_srvtab { standalone {id host} } { + envstack_pop + expect_after { + -re "(.*)\r\nkadmin.local: " { +- fail "kadmin.local srvtab (unmatched output: $expect_out(1,string))" ++ fail "kadmin.local keytab (unmatched output: $expect_out(1,string))" + if {!$standalone} { +- file delete $tmppwd/srvtab ++ file delete $tmppwd/keytab + } + catch "expect_after" + return 0 + } + timeout { +- fail "kadmin.local srvtab" ++ fail "kadmin.local keytab" + if {!$standalone} { +- file delete $tmppwd/srvtab ++ file delete $tmppwd/keytab + } + catch "expect_after" + return 0 + } + eof { +- fail "kadmin.local srvtab" ++ fail "kadmin.local keytab" + if {!$standalone} { +- file delete $tmppwd/srvtab ++ file delete $tmppwd/keytab + } + catch "expect_after" + return 0 + } + } + expect "kadmin.local: " +- send "xst -k $hostname-new-srvtab $id/$hostname kiprop/$hostname\r" +- expect "xst -k $hostname-new-srvtab $id/$hostname kiprop/$hostname\r\n" ++ send "xst -k $hostname-new-keytab $id/$hostname kiprop/$hostname\r" ++ expect "xst -k $hostname-new-keytab $id/$hostname kiprop/$hostname\r\n" + expect { +- -re ".*Entry for principal $id/$hostname.* added to keytab WRFILE:$hostname-new-srvtab." 
{ } ++ -re ".*Entry for principal $id/$hostname.* added to keytab WRFILE:$hostname-new-keytab." { } + -re "\r\nkadmin.local: " { + if {$standalone} { +- fail "kadmin.local srvtab" ++ fail "kadmin.local keytab" + } else { +- file delete $tmppwd/srvtab ++ file delete $tmppwd/keytab + } + catch expect_after + return 0 +@@ -1935,27 +1933,27 @@ proc setup_srvtab { standalone {id host} } { + send "quit\r" + expect eof + catch expect_after +- if ![check_exit_status "kadmin.local srvtab"] { ++ if ![check_exit_status "kadmin.local keytab"] { + if {!$standalone} { +- file delete $tmppwd/srvtab ++ file delete $tmppwd/keytab + } + return 0 + } + +- catch "exec mv -f $hostname-new-srvtab $tmppwd/srvtab" exec_output ++ catch "exec mv -f $hostname-new-keytab $tmppwd/keytab" exec_output + if ![string match "" $exec_output] { + verbose -log "$exec_output" +- perror "can't mv new srvtab" ++ perror "can't mv new keytab" + return 0 + } + + if {$standalone} { +- pass "kadmin.local srvtab" ++ pass "kadmin.local keytab" + } + +- # Make the srvtab file globally readable in case we are using a +- # root shell and the srvtab is NFS mounted. +- catch "exec chmod a+r $tmppwd/srvtab" ++ # Make the keytab file globally readable in case we are using a ++ # root shell and the keytab is NFS mounted. 
++ catch "exec chmod a+r $tmppwd/keytab" + + # Remember what we just extracted + set last_service $id +diff --git a/src/tests/dejagnu/krb-standalone/gssapi.exp b/src/tests/dejagnu/krb-standalone/gssapi.exp +index 582e08719..e3357e769 100644 +--- a/src/tests/dejagnu/krb-standalone/gssapi.exp ++++ b/src/tests/dejagnu/krb-standalone/gssapi.exp +@@ -238,9 +238,9 @@ proc doit { } { + perror "failed to set up gssservice/$hostname key" + } + +- # Use kdb5_edit to create a srvtab entry for gssservice +- if ![setup_srvtab 0 gssservice] { +- perror "failed to set up gssservice srvtab" ++ # Use kdb5_edit to create a keytab entry for gssservice ++ if ![setup_keytab 0 gssservice] { ++ perror "failed to set up gssservice keytab" + } + + catch "exec rm -f $tmppwd/gss_tk_0 $tmppwd/gss_tk_1 $tmppwd/gss_tk_2 $tmppwd/gss_tk_3" +@@ -278,7 +278,7 @@ proc doit { } { + # + # set KRB5CCNAME and KRB5_KTNAME + # +- set env(KRB5_KTNAME) FILE:$tmppwd/srvtab ++ set env(KRB5_KTNAME) FILE:$tmppwd/keytab + verbose "KRB5_KTNAME=$env(KRB5_KTNAME)" + + # Now start the gss-server. +diff --git a/src/tests/dejagnu/krb-standalone/kadmin.exp b/src/tests/dejagnu/krb-standalone/kadmin.exp +index 33fc34a7b..36a345258 100644 +--- a/src/tests/dejagnu/krb-standalone/kadmin.exp ++++ b/src/tests/dejagnu/krb-standalone/kadmin.exp +@@ -457,62 +457,16 @@ proc kadmin_extract { instance name } { + expect -re "assword\[^\r\n\]*: *" { + send "adminpass$KEY\r" + } +-# expect -re "kadmin: Entry for principal $name/$instance with kvno [0-9], encryption type .* added to keytab WRFILE:$tmppwd/keytab." + expect_after + expect eof + set k_stat [wait -i $spawn_id] + verbose "wait -i $spawn_id returned $k_stat (kadmin xst)" + catch "close -i $spawn_id" +- catch "exec rm -f $instance-new-srvtab" ++ catch "exec rm -f $instance-new-keytab" + pass "kadmin xst $instance $name" + return 1 + } + +-#++ +-# kadmin_extractv4 - Test extract service key in v4 format function of +-# kadmin. 
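Review bot: `setup_keytab` ends by running `catch "exec chmod a+r $tmppwd/keytab"`, so the file holding the keys extracted for `$id/$hostname` and `kiprop/$hostname` is left readable by every local account, and `catch` hides a failed chmod. If the root-shell-over-NFS case named in the comment is still needed, the comment should at least say that these are throwaway test-realm keys, for example `# Test-realm keys only; world-readable on purpose for root-over-NFS runs.`. Otherwise drop the chmod and keep the mode the file was created with. The procedure starts in an earlier hunk.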
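Review bot: The updated comment `# Use kdb5_edit to create a keytab entry for gssservice` names a tool that `setup_keytab` does not appear to run; the default.exp hunks show it talking to a `kadmin.local:` prompt and extracting the key with `xst -k`. The same applies to `# Use ksrvutil to create a keytab entry` in the sample.exp, simple.exp and standalone.exp hunks, where ksrvutil is itself a Kerberos v4 utility name. Suggested wording: `# Use kadmin.local (xst) to create a keytab entry for gssservice`. `doit` begins and ends outside the hunk.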
+-# +-# Extracts service key for service name $name instance $instance in version +-# 4 format. Returns 1 on success. +-#-- +-#proc kadmin_extractv4 { instance name } { +-# global REALMNAME +-# global KADMIN +-# global KEY +-# global spawn_id +-# +-# spawn $KADMIN -p krbtest/admin@$REALMNAME -q "xst4 $instance $name" +-# expect_after { +-# "Cannot contact any KDC" { +-# fail "kadmin xst4 $instance $name lost KDC" +-# catch "expect_after" +-# return 0 +-# } +-# timeout { +-# fail "kadmin xst4 $instance $name" +-# catch "expect_after" +-# return 0 +-# } +-# eof { +-# fail "kadmin xst4 $instance $name" +-# catch "expect_after" +-# return 0 +-# } +-# } +-# expect -re "assword\[^\r\n\]*: *" { +-# send "adminpass$KEY\r" +-# } +-# expect "extracted entry $name to key table $instance-new-v4-srvtab" +-# expect_after +-# expect eof +-# set k_stat [wait -i $spawn_id] +-# verbose "wait -i $spawn_id returned $k_stat (kadmin xst4)" +-# catch "close -i $spawn_id" +-# catch "exec rm -f $instance-new-v4-srvtab" +-# pass "kadmin xst4 $instance $name" +-# return 1 +-#} +- + #++ + # kadmin_delete - Test delete principal function of kadmin. + # +diff --git a/src/tests/dejagnu/krb-standalone/kprop.exp b/src/tests/dejagnu/krb-standalone/kprop.exp +index 2221a65e4..f71ee8638 100644 +--- a/src/tests/dejagnu/krb-standalone/kprop.exp ++++ b/src/tests/dejagnu/krb-standalone/kprop.exp +@@ -72,8 +72,8 @@ proc doit { } { + fail "kprop (host key)" + return + } +- if ![setup_srvtab 0] { +- fail "kprop (srvtab)" ++ if ![setup_keytab 0] { ++ fail "kprop (keytab)" + return + } + +@@ -99,7 +99,7 @@ proc doit { } { + sleep 1 + + # Try a propagation. 
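Review bot: `kadmin_extract` reports `pass` on every path that reaches `expect eof`, because `k_stat` is only written to the verbose log and the commented-out `expect -re ... added to keytab` line deleted here was the only trace of an output check. A failed `xst` would therefore go unnoticed. Consider testing the exit status before passing, e.g. `if {[lindex $k_stat 3] != 0} { fail "kadmin xst $instance $name"; return 0 }`. It is also not visible from this hunk whether `xst` writes `$instance-new-keytab`, so the `rm -f` target is worth confirming; the procedure starts outside the hunk.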
+- spawn $KPROP -f $tmppwd/replica_datatrans -P [expr 10 + $portbase] -s $tmppwd/srvtab $hostname ++ spawn $KPROP -f $tmppwd/replica_datatrans -P [expr 10 + $portbase] -s $tmppwd/keytab $hostname + expect eof + set kprop_exit [check_exit_status "kprop (exit status)"] + # log output for debugging +diff --git a/src/tests/dejagnu/krb-standalone/sample.exp b/src/tests/dejagnu/krb-standalone/sample.exp +index 326f1848d..93a75f1d0 100644 +--- a/src/tests/dejagnu/krb-standalone/sample.exp ++++ b/src/tests/dejagnu/krb-standalone/sample.exp +@@ -42,7 +42,7 @@ proc start_sserver_daemon { inetd } { + # if inetd = 0, then we are running stand-alone + if !{$inetd} { + # Start the sserver +- spawn $SSERVER -p [expr 8 + $portbase] -S $tmppwd/srvtab ++ spawn $SSERVER -p [expr 8 + $portbase] -S $tmppwd/keytab + set sserver_pid [exp_pid] + set sserver_spawn_id $spawn_id + +@@ -52,7 +52,7 @@ proc start_sserver_daemon { inetd } { + sleep 2 + } else { + # Start the sserver +- spawn $T_INETD [expr 8 + $portbase] $SSERVER sserver -S $tmppwd/srvtab ++ spawn $T_INETD [expr 8 + $portbase] $SSERVER sserver -S $tmppwd/keytab + set sserver_pid [exp_pid] + set sserver_spawn_id $spawn_id + +@@ -166,8 +166,8 @@ proc doit { } { + return + } + +- # Use ksrvutil to create a srvtab entry for sample +- if ![setup_srvtab 1 sample] { ++ # Use ksrvutil to create a keytab entry for sample ++ if ![setup_keytab 1 sample] { + return + } + +diff --git a/src/tests/dejagnu/krb-standalone/simple.exp b/src/tests/dejagnu/krb-standalone/simple.exp +index fa749035f..d8b218248 100644 +--- a/src/tests/dejagnu/krb-standalone/simple.exp ++++ b/src/tests/dejagnu/krb-standalone/simple.exp +@@ -40,7 +40,7 @@ proc start_sim_server_daemon { } { + global portbase + + # Start the sim_server +- spawn $SIM_SERVER -p [expr 8 + $portbase] -S $tmppwd/srvtab ++ spawn $SIM_SERVER -p [expr 8 + $portbase] -S $tmppwd/keytab + set sim_server_pid [exp_pid] + set sim_server_spawn_id $spawn_id + +@@ -179,8 +179,8 @@ proc doit { } { + return 
+ } + +- # Use ksrvutil to create a srvtab entry for sample +- if ![setup_srvtab 1 sample] { ++ # Use ksrvutil to create a keytab entry for sample ++ if ![setup_keytab 1 sample] { + return + } + +diff --git a/src/tests/dejagnu/krb-standalone/standalone.exp b/src/tests/dejagnu/krb-standalone/standalone.exp +index 5b5970fba..d284297e8 100644 +--- a/src/tests/dejagnu/krb-standalone/standalone.exp ++++ b/src/tests/dejagnu/krb-standalone/standalone.exp +@@ -166,8 +166,8 @@ proc doit { } { + verbose "wait -i $spawn_id returned $k_stat (kadmin addpol)" + catch "close -i $spawn_id" + +- # Use ksrvutil to create a srvtab entry. +- if ![setup_srvtab 1] { ++ # Use ksrvutil to create a keytab entry. ++ if ![setup_keytab 1] { + return + } + +diff --git a/src/tests/dejagnu/krb-standalone/tcp.exp b/src/tests/dejagnu/krb-standalone/tcp.exp +index db09b895e..df3195bb6 100644 +--- a/src/tests/dejagnu/krb-standalone/tcp.exp ++++ b/src/tests/dejagnu/krb-standalone/tcp.exp +@@ -33,11 +33,6 @@ proc doit { } { + return + } + +- # Use ksrvutil to create a srvtab entry. +-# if ![setup_srvtab 1] { +-# return +-# } +- + # Use kinit to get a ticket. + if ![kinit krbtest/admin adminpass$KEY 1] { + return diff --git a/krb5-1.11-kpasswdtest.patch b/krb5-1.11-kpasswdtest.patch index 0a9fff6..ccb92aa 100644 --- a/krb5-1.11-kpasswdtest.patch +++ b/krb5-1.11-kpasswdtest.patch @@ -1,4 +1,4 @@ -From d4035585df4b3132d1897067d6c452cc06aa16dd Mon Sep 17 00:00:00 2001 +From 1da0d2fdbd9cb2ded1913e05664986dce1e1a916 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:52:01 -0400 Subject: [PATCH] krb5-1.11-kpasswdtest.patch diff --git a/krb5-1.11-run_user_0.patch b/krb5-1.11-run_user_0.patch index 705af96..196944e 100644 --- a/krb5-1.11-run_user_0.patch +++ b/krb5-1.11-run_user_0.patch @@ -1,4 +1,4 @@ -From 3d09297c65f27033cce8abbab2e50716abdae48f Mon Sep 17 00:00:00 2001 +From c95d33cc1c66122bc229beb65d36f988fbd05e59 Mon Sep 17 00:00:00 2001 
From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:57 -0400 Subject: [PATCH] krb5-1.11-run_user_0.patch diff --git a/krb5-1.12-api.patch b/krb5-1.12-api.patch index 159ad57..b49cea6 100644 --- a/krb5-1.12-api.patch +++ b/krb5-1.12-api.patch @@ -1,4 +1,4 @@ -From f267d34d0dea6778c700036b89156fc17ca506e9 Mon Sep 17 00:00:00 2001 +From 4ddac573dfc8fea30b5f8750c8c0733c553afcfa Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:47:00 -0400 Subject: [PATCH] krb5-1.12-api.patch diff --git a/krb5-1.12-ktany.patch b/krb5-1.12-ktany.patch deleted file mode 100644 index 8049432..0000000 --- a/krb5-1.12-ktany.patch +++ /dev/null 
@@ -1,366 +0,0 @@ -From c93c099e3d3e0a78393e7445fe17d58cf1abc666 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Tue, 23 Aug 2016 16:33:53 -0400 -Subject: [PATCH] krb5-1.12-ktany.patch - -Adds an "ANY" keytab type which is a list of other keytab locations to search -when searching for a specific entry. When iterated through, it only presents -the contents of the first keytab. ---- - src/lib/krb5/keytab/Makefile.in | 3 + - src/lib/krb5/keytab/kt_any.c | 292 ++++++++++++++++++++++++++++++++ - src/lib/krb5/keytab/ktbase.c | 7 +- - 3 files changed, 301 insertions(+), 1 deletion(-) - create mode 100644 src/lib/krb5/keytab/kt_any.c - -diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in -index 2a8fceb00..ffd179fb2 100644 ---- a/src/lib/krb5/keytab/Makefile.in -+++ b/src/lib/krb5/keytab/Makefile.in -@@ -12,6 +12,7 @@ STLIBOBJS= \ - ktfr_entry.o \ - ktremove.o \ - ktfns.o \ -+ kt_any.o \ - kt_file.o \ - kt_memory.o \ - kt_srvtab.o \ -@@ -24,6 +25,7 @@ OBJS= \ - $(OUTPRE)ktfr_entry.$(OBJEXT) \ - $(OUTPRE)ktremove.$(OBJEXT) \ - $(OUTPRE)ktfns.$(OBJEXT) \ -+ $(OUTPRE)kt_any.$(OBJEXT) \ - $(OUTPRE)kt_file.$(OBJEXT) \ - $(OUTPRE)kt_memory.$(OBJEXT) \ - $(OUTPRE)kt_srvtab.$(OBJEXT) \ -@@ -36,6 +38,7 @@ SRCS= \ - $(srcdir)/ktfr_entry.c \ - $(srcdir)/ktremove.c \ - $(srcdir)/ktfns.c \ -+ $(srcdir)/kt_any.c \ - $(srcdir)/kt_file.c \ - $(srcdir)/kt_memory.c \ - $(srcdir)/kt_srvtab.c \ -diff --git a/src/lib/krb5/keytab/kt_any.c b/src/lib/krb5/keytab/kt_any.c -new file mode 100644 -index 000000000..1b9b7765b ---- /dev/null -+++ b/src/lib/krb5/keytab/kt_any.c -@@ -0,0 +1,292 @@ -+/* -+ * lib/krb5/keytab/kt_any.c -+ * -+ * Copyright 1998, 1999 by the Massachusetts Institute of Technology. -+ * All Rights Reserved. -+ * -+ * Export of this software from the United States of America may -+ * require a specific license from the United States Government. 
-+ * It is the responsibility of any person or organization contemplating -+ * export to obtain such a license before exporting. -+ * -+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -+ * distribute this software and its documentation for any purpose and -+ * without fee is hereby granted, provided that the above copyright -+ * notice appear in all copies and that both that copyright notice and -+ * this permission notice appear in supporting documentation, and that -+ * the name of M.I.T. not be used in advertising or publicity pertaining -+ * to distribution of the software without specific, written prior -+ * permission. M.I.T. makes no representations about the suitability of -+ * this software for any purpose. It is provided "as is" without express -+ * or implied warranty. -+ * -+ * -+ * krb5_kta_ops -+ */ -+ -+#include "k5-int.h" -+ -+typedef struct _krb5_ktany_data { -+ char *name; -+ krb5_keytab *choices; -+ int nchoices; -+} krb5_ktany_data; -+ -+typedef struct _krb5_ktany_cursor_data { -+ int which; -+ krb5_kt_cursor cursor; -+} krb5_ktany_cursor_data; -+ -+static krb5_error_code krb5_ktany_resolve -+ (krb5_context, -+ const char *, -+ krb5_keytab *); -+static krb5_error_code krb5_ktany_get_name -+ (krb5_context context, -+ krb5_keytab id, -+ char *name, -+ unsigned int len); -+static krb5_error_code krb5_ktany_close -+ (krb5_context context, -+ krb5_keytab id); -+static krb5_error_code krb5_ktany_get_entry -+ (krb5_context context, -+ krb5_keytab id, -+ krb5_const_principal principal, -+ krb5_kvno kvno, -+ krb5_enctype enctype, -+ krb5_keytab_entry *entry); -+static krb5_error_code krb5_ktany_start_seq_get -+ (krb5_context context, -+ krb5_keytab id, -+ krb5_kt_cursor *cursorp); -+static krb5_error_code krb5_ktany_next_entry -+ (krb5_context context, -+ krb5_keytab id, -+ krb5_keytab_entry *entry, -+ krb5_kt_cursor *cursor); -+static krb5_error_code krb5_ktany_end_seq_get -+ (krb5_context context, -+ krb5_keytab id, -+ krb5_kt_cursor 
*cursor); -+static void cleanup -+ (krb5_context context, -+ krb5_ktany_data *data, -+ int nchoices); -+ -+struct _krb5_kt_ops krb5_kta_ops = { -+ 0, -+ "ANY", /* Prefix -- this string should not appear anywhere else! */ -+ krb5_ktany_resolve, -+ krb5_ktany_get_name, -+ krb5_ktany_close, -+ krb5_ktany_get_entry, -+ krb5_ktany_start_seq_get, -+ krb5_ktany_next_entry, -+ krb5_ktany_end_seq_get, -+ NULL, -+ NULL, -+ NULL, -+}; -+ -+static krb5_error_code -+krb5_ktany_resolve(context, name, id) -+ krb5_context context; -+ const char *name; -+ krb5_keytab *id; -+{ -+ const char *p, *q; -+ char *copy; -+ krb5_error_code kerror; -+ krb5_ktany_data *data; -+ int i; -+ -+ /* Allocate space for our data and remember a copy of the name. */ -+ if ((data = (krb5_ktany_data *)malloc(sizeof(krb5_ktany_data))) == NULL) -+ return(ENOMEM); -+ if ((data->name = (char *)malloc(strlen(name) + 1)) == NULL) { -+ free(data); -+ return(ENOMEM); -+ } -+ strcpy(data->name, name); -+ -+ /* Count the number of choices and allocate memory for them. */ -+ data->nchoices = 1; -+ for (p = name; (q = strchr(p, ',')) != NULL; p = q + 1) -+ data->nchoices++; -+ if ((data->choices = (krb5_keytab *) -+ malloc(data->nchoices * sizeof(krb5_keytab))) == NULL) { -+ free(data->name); -+ free(data); -+ return(ENOMEM); -+ } -+ -+ /* Resolve each of the choices. */ -+ i = 0; -+ for (p = name; (q = strchr(p, ',')) != NULL; p = q + 1) { -+ /* Make a copy of the choice name so we can terminate it. */ -+ if ((copy = (char *)malloc(q - p + 1)) == NULL) { -+ cleanup(context, data, i); -+ return(ENOMEM); -+ } -+ memcpy(copy, p, q - p); -+ copy[q - p] = 0; -+ -+ /* Try resolving the choice name. 
*/ -+ kerror = krb5_kt_resolve(context, copy, &data->choices[i]); -+ free(copy); -+ if (kerror) { -+ cleanup(context, data, i); -+ return(kerror); -+ } -+ i++; -+ } -+ if ((kerror = krb5_kt_resolve(context, p, &data->choices[i]))) { -+ cleanup(context, data, i); -+ return(kerror); -+ } -+ -+ /* Allocate and fill in an ID for the caller. */ -+ if ((*id = (krb5_keytab)malloc(sizeof(**id))) == NULL) { -+ cleanup(context, data, i); -+ return(ENOMEM); -+ } -+ (*id)->ops = &krb5_kta_ops; -+ (*id)->data = (krb5_pointer)data; -+ (*id)->magic = KV5M_KEYTAB; -+ -+ return(0); -+} -+ -+static krb5_error_code -+krb5_ktany_get_name(context, id, name, len) -+ krb5_context context; -+ krb5_keytab id; -+ char *name; -+ unsigned int len; -+{ -+ krb5_ktany_data *data = (krb5_ktany_data *)id->data; -+ -+ if (len < strlen(data->name) + 1) -+ return(KRB5_KT_NAME_TOOLONG); -+ strcpy(name, data->name); -+ return(0); -+} -+ -+static krb5_error_code -+krb5_ktany_close(context, id) -+ krb5_context context; -+ krb5_keytab id; -+{ -+ krb5_ktany_data *data = (krb5_ktany_data *)id->data; -+ -+ cleanup(context, data, data->nchoices); -+ id->ops = 0; -+ free(id); -+ return(0); -+} -+ -+static krb5_error_code -+krb5_ktany_get_entry(context, id, principal, kvno, enctype, entry) -+ krb5_context context; -+ krb5_keytab id; -+ krb5_const_principal principal; -+ krb5_kvno kvno; -+ krb5_enctype enctype; -+ krb5_keytab_entry *entry; -+{ -+ krb5_ktany_data *data = (krb5_ktany_data *)id->data; -+ krb5_error_code kerror = KRB5_KT_NOTFOUND; -+ int i; -+ -+ for (i = 0; i < data->nchoices; i++) { -+ if ((kerror = krb5_kt_get_entry(context, data->choices[i], principal, -+ kvno, enctype, entry)) != ENOENT) -+ return kerror; -+ } -+ return kerror; -+} -+ -+static krb5_error_code -+krb5_ktany_start_seq_get(context, id, cursorp) -+ krb5_context context; -+ krb5_keytab id; -+ krb5_kt_cursor *cursorp; -+{ -+ krb5_ktany_data *data = (krb5_ktany_data *)id->data; -+ krb5_ktany_cursor_data *cdata; -+ krb5_error_code 
kerror = ENOENT; -+ int i; -+ -+ if ((cdata = (krb5_ktany_cursor_data *) -+ malloc(sizeof(krb5_ktany_cursor_data))) == NULL) -+ return(ENOMEM); -+ -+ /* Find a choice which can handle the serialization request. */ -+ for (i = 0; i < data->nchoices; i++) { -+ if ((kerror = krb5_kt_start_seq_get(context, data->choices[i], -+ &cdata->cursor)) == 0) -+ break; -+ else if (kerror != ENOENT) { -+ free(cdata); -+ return(kerror); -+ } -+ } -+ -+ if (i == data->nchoices) { -+ /* Everyone returned ENOENT, so no go. */ -+ free(cdata); -+ return(kerror); -+ } -+ -+ cdata->which = i; -+ *cursorp = (krb5_kt_cursor)cdata; -+ return(0); -+} -+ -+static krb5_error_code -+krb5_ktany_next_entry(context, id, entry, cursor) -+ krb5_context context; -+ krb5_keytab id; -+ krb5_keytab_entry *entry; -+ krb5_kt_cursor *cursor; -+{ -+ krb5_ktany_data *data = (krb5_ktany_data *)id->data; -+ krb5_ktany_cursor_data *cdata = (krb5_ktany_cursor_data *)*cursor; -+ krb5_keytab choice_id; -+ -+ choice_id = data->choices[cdata->which]; -+ return(krb5_kt_next_entry(context, choice_id, entry, &cdata->cursor)); -+} -+ -+static krb5_error_code -+krb5_ktany_end_seq_get(context, id, cursor) -+ krb5_context context; -+ krb5_keytab id; -+ krb5_kt_cursor *cursor; -+{ -+ krb5_ktany_data *data = (krb5_ktany_data *)id->data; -+ krb5_ktany_cursor_data *cdata = (krb5_ktany_cursor_data *)*cursor; -+ krb5_keytab choice_id; -+ krb5_error_code kerror; -+ -+ choice_id = data->choices[cdata->which]; -+ kerror = krb5_kt_end_seq_get(context, choice_id, &cdata->cursor); -+ free(cdata); -+ return(kerror); -+} -+ -+static void -+cleanup(context, data, nchoices) -+ krb5_context context; -+ krb5_ktany_data *data; -+ int nchoices; -+{ -+ int i; -+ -+ free(data->name); -+ for (i = 0; i < nchoices; i++) -+ krb5_kt_close(context, data->choices[i]); -+ free(data->choices); -+ free(data); -+} -diff --git a/src/lib/krb5/keytab/ktbase.c b/src/lib/krb5/keytab/ktbase.c -index 0d39b2940..6534d7c52 100644 ---- 
a/src/lib/krb5/keytab/ktbase.c -+++ b/src/lib/krb5/keytab/ktbase.c -@@ -57,14 +57,19 @@ extern const krb5_kt_ops krb5_ktf_ops; - extern const krb5_kt_ops krb5_ktf_writable_ops; - extern const krb5_kt_ops krb5_kts_ops; - extern const krb5_kt_ops krb5_mkt_ops; -+extern const krb5_kt_ops krb5_kta_ops; - - struct krb5_kt_typelist { - const krb5_kt_ops *ops; - const struct krb5_kt_typelist *next; - }; -+static struct krb5_kt_typelist krb5_kt_typelist_any = { -+ &krb5_kta_ops, -+ NULL -+}; - const static struct krb5_kt_typelist krb5_kt_typelist_srvtab = { - &krb5_kts_ops, -- NULL -+ &krb5_kt_typelist_any - }; - const static struct krb5_kt_typelist krb5_kt_typelist_memory = { - &krb5_mkt_ops, diff --git a/krb5-1.13-dirsrv-accountlock.patch b/krb5-1.13-dirsrv-accountlock.patch index 7faa245..56500af 100644 --- a/krb5-1.13-dirsrv-accountlock.patch +++ b/krb5-1.13-dirsrv-accountlock.patch @@ -1,4 +1,4 @@ -From 3da19a991cce8861c092ed1341d9cd7837b2f6f7 Mon Sep 17 00:00:00 2001 +From 10f64f13ee3d44a31bcdc124e9ce721bc17b3e00 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:47:44 -0400 Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch diff --git a/krb5-1.15-beta1-buildconf.patch b/krb5-1.15-beta1-buildconf.patch index 5725758..ad1f7e9 100644 --- a/krb5-1.15-beta1-buildconf.patch +++ b/krb5-1.15-beta1-buildconf.patch @@ -1,4 +1,4 @@ -From 7b457b5b4130208745b8c592e53e42c10f356e27 Mon Sep 17 00:00:00 2001 +From fd8c1f7e68fd999c07ca47243ef85ac726f775ce Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:45:26 -0400 Subject: [PATCH] krb5-1.15-beta1-buildconf.patch diff --git a/Become-FIPS-aware-with-3DES.patch b/krb5-1.17-Become-FIPS-aware.patch similarity index 98% rename from Become-FIPS-aware-with-3DES.patch rename to krb5-1.17-Become-FIPS-aware.patch index 8bf76c1..b67f95c 100644 --- a/Become-FIPS-aware-with-3DES.patch +++ b/krb5-1.17-Become-FIPS-aware.patch 
@@ -1,7 +1,7 @@ -From 9f5fbf191d74cae9b28d318fff4c80d3d3e49c86 Mon Sep 17 00:00:00 2001 +From 15c0aec4315cc5cfae864b179848f043e2b100c6 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 9 Nov 2018 15:12:21 -0500 -Subject: [PATCH] Become FIPS-aware (with 3DES) +Subject: [PATCH] krb5-1.17 Become FIPS-aware A lot of the FIPS error conditions from OpenSSL are incredibly mysterious (at best, things return NULL unexpectedly; at worst, diff --git a/FIPS-aware-SPAKE-group-negotiation.patch b/krb5-1.17-FIPS-aware-SPAKE-group-negotiation.patch similarity index 90% rename from FIPS-aware-SPAKE-group-negotiation.patch rename to krb5-1.17-FIPS-aware-SPAKE-group-negotiation.patch index 6017f4b..a3b72d1 100644 --- a/FIPS-aware-SPAKE-group-negotiation.patch +++ b/krb5-1.17-FIPS-aware-SPAKE-group-negotiation.patch @@ -1,7 +1,7 @@ -From 59269fca96168aa89dc32834d188a54eea8953ac Mon Sep 17 00:00:00 2001 +From e039796a0fbefac03a3fd888aef7d192e7c1437e Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Mon, 1 Apr 2019 13:13:09 -0400 -Subject: [PATCH] FIPS-aware SPAKE group negotiation +Subject: [PATCH] krb5-1.17 FIPS-aware SPAKE group negotiation --- src/plugins/preauth/spake/groups.c | 8 ++++++++ diff --git a/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch b/krb5-1.17-In-FIPS-mode-add-plaintext-fallback-for-RC.patch similarity index 98% rename from In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch rename to krb5-1.17-In-FIPS-mode-add-plaintext-fallback-for-RC.patch index 99acb66..f74faa0 100644 --- a/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch +++ b/krb5-1.17-In-FIPS-mode-add-plaintext-fallback-for-RC.patch @@ -1,7 +1,8 @@ -From 1382f982a18aec4bc14780b175638d44969ac1d2 Mon Sep 17 00:00:00 2001 +From 105bd2c8be23ab94ba6e0601ee8e531f013389d6 Mon Sep 17 00:00:00 2001 
From: Robbie Harwood Date: Tue, 31 Jul 2018 13:47:26 -0400 -Subject: [PATCH] In FIPS mode, add plaintext fallback for RC4 usages and taint +Subject: [PATCH] krb5-1.17 In FIPS mode, add plaintext fallback for RC4 usages + and taint --- src/lib/krad/attr.c | 45 +++++++++++++++++++++++++++++----------- diff --git a/Use-openssl-s-PRNG-in-FIPS-mode.patch b/krb5-1.17-Use-openssl-s-PRNG-in-FIPS-mode.patch similarity index 89% rename from Use-openssl-s-PRNG-in-FIPS-mode.patch rename to krb5-1.17-Use-openssl-s-PRNG-in-FIPS-mode.patch index 837a747..97d2bc8 100644 --- a/Use-openssl-s-PRNG-in-FIPS-mode.patch +++ b/krb5-1.17-Use-openssl-s-PRNG-in-FIPS-mode.patch @@ -1,7 +1,7 @@ -From 9724b7f409410a7c3cc0330089009d7b9aa92ae6 Mon Sep 17 00:00:00 2001 +From e307112cfcc52474d07eac890825303655ef8b6f Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 4 Jan 2019 17:00:15 -0500 -Subject: [PATCH] Use openssl's PRNG in FIPS mode +Subject: [PATCH] krb5-1.17 Use openssl's PRNG in FIPS mode --- src/lib/crypto/krb/prng.c | 11 ++++++++++- diff --git a/krb5-1.3.1-dns.patch b/krb5-1.3.1-dns.patch index d213d71..5d87aa1 100644 --- a/krb5-1.3.1-dns.patch +++ b/krb5-1.3.1-dns.patch @@ -1,4 +1,4 @@ -From 40259729fa4fbec2b22e9ca8043202ac914cca24 Mon Sep 17 00:00:00 2001 +From 64c9cb22ec6d7ecdeafaf60bfc8d26780d2cb4ad Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:46:21 -0400 Subject: [PATCH] krb5-1.3.1-dns.patch diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch index 6b1c220..6cf5368 100644 --- a/krb5-1.9-debuginfo.patch +++ b/krb5-1.9-debuginfo.patch @@ -1,4 +1,4 @@ -From d6758af31afecc3835043a8e599302f372fcef82 Mon Sep 17 00:00:00 2001 +From 8ee5efa6aec5d02e25081b6dc809cef668ce45ea Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:25 -0400 Subject: [PATCH] krb5-1.9-debuginfo.patch diff --git a/krb5.spec b/krb5.spec index 9fbbb43..9af8128 100644 --- a/krb5.spec +++ b/krb5.spec 
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.17 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 8%{?dist} +Release: 9%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz @@ -52,7 +52,6 @@ Source100: noport.c Patch26: krb5-1.12.1-pam.patch Patch27: krb5-1.17-beta1-selinux-label.patch Patch28: krb5-1.12-ksu-path.patch -Patch29: krb5-1.12-ktany.patch Patch30: krb5-1.15-beta1-buildconf.patch Patch31: krb5-1.3.1-dns.patch Patch32: krb5-1.12-api.patch @@ -60,10 +59,10 @@ Patch33: krb5-1.13-dirsrv-accountlock.patch Patch34: krb5-1.9-debuginfo.patch Patch35: krb5-1.11-run_user_0.patch Patch36: krb5-1.11-kpasswdtest.patch -Patch89: In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch +Patch37: krb5-1.17-In-FIPS-mode-add-plaintext-fallback-for-RC.patch Patch90: Add-tests-for-KCM-ccache-type.patch Patch92: Address-some-optimized-out-memset-calls.patch -Patch93: Use-openssl-s-PRNG-in-FIPS-mode.patch +Patch93: krb5-1.17-Use-openssl-s-PRNG-in-FIPS-mode.patch Patch94: Avoid-allocating-a-register-in-zap-assembly.patch Patch95: In-rd_req_dec-always-log-non-permitted-enctypes.patch Patch96: In-kpropd-debug-log-proper-ticket-enctype-names.patch 
@@ -72,10 +71,15 @@ Patch98: Make-etype-names-in-KDC-logs-human-readable.patch Patch99: Mark-deprecated-enctypes-when-used.patch Patch100: Properly-size-ifdef-in-k5_cccol_lock.patch Patch101: Fix-memory-leak-in-none-replay-cache-type.patch -Patch102: Become-FIPS-aware-with-3DES.patch -Patch103: FIPS-aware-SPAKE-group-negotiation.patch +Patch102: krb5-1.17-Become-FIPS-aware.patch +Patch103: krb5-1.17-FIPS-aware-SPAKE-group-negotiation.patch Patch104: Clarify-header-comment-for-krb5_cc_start_seq_get.patch Patch105: Implement-krb5_cc_remove_cred-for-remaining-types.patch +Patch106: Remove-srvtab-support.patch +Patch107: Remove-kadmin-RPC-support-for-setting-v4-key.patch +Patch108: Remove-ccapi-related-comments-in-configure.ac.patch +Patch109: Remove-doxygen-generated-HTML-output-for-ccapi.patch +Patch110: Remove-Kerberos-v4-support-vestiges-from-ccapi.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -255,9 +259,6 @@ interface is not considered stable. %autosetup -S git -n %{name}-%{version}%{prerelease} -a 3 ln NOTICE LICENSE -# Take the execute bit off of documentation. -chmod -x doc/ccapi/*.html - # Generate an FDS-compatible LDIF file. inldif=src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif cat > '60kerberos.ldif' << EOF @@ -715,6 +716,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Thu Apr 11 2019 Robbie Harwood - 1.17-9 +- Remove Kerberos v4 support vestiges (including ktany support) + * Thu Apr 11 2019 Robbie Harwood - 1.17-8 - Implement krb5_cc_remove_cred for remaining types - Resolves: #1693836