Tom Yu [Wed, 9 Feb 2011 21:38:04 +0000 (21:38 +0000)]
kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
pull up r24621 from trunk
------------------------------------------------------------------------
r24621 | tlyu | 2011-02-09 15:25:03 -0500 (Wed, 09 Feb 2011) | 8 lines
ticket: 6859
subject: kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
tags: pullup
target_version: 1.9.1
When operating in standalone mode and not doing iprop, don't return
from do_standalone() if the child exits with abnormal status.
ticket: 6864
version_fixed: 1.7.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@24627 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 6 Dec 2010 23:23:17 +0000 (23:23 +0000)]
SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
Apply patch for MITKRB5-SA-2010-007.
Fix multiple checksum handling bugs, as described in:
CVE-2010-1324
CVE-2010-1323
CVE-2010-4020
CVE-2010-4021
* Return the correct (keyed) checksums as the mandatory checksum type
for DES enctypes.
* Restrict simplified-profile checksums to their corresponding etypes.
* Add internal checks to reduce the risk of stream ciphers being used
with simplified-profile key derivation or other algorithms relying
on the block encryption primitive.
* Use the mandatory checksum type for the PKINIT KDC signature,
instead of the first-listed keyed checksum.
* Use the mandatory checksum type when sending KRB-SAFE messages by
default, instead of the first-listed keyed checksum.
* Use the mandatory checksum type for the t_kperf test program.
* Use the mandatory checksum type (without additional logic) for the
FAST request checksum.
* Preserve the existing checksum choices (unkeyed checksums for DES
enctypes) for the authenticator checksum, using explicit logic.
* Ensure that SAM checksums received from the KDC are keyed.
* Ensure that PAC checksums are keyed.
ticket: 6837
target_version: 1.7.2
version_fixed: 1.7.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@24562 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 19 May 2010 21:23:18 +0000 (21:23 +0000)]
CVE-2010-1321 GSS-API lib null pointer deref (MITKRB5-SA-2010-005)
pull up r24056 from trunk
------------------------------------------------------------------------
r24056 | tlyu | 2010-05-19 14:09:37 -0400 (Wed, 19 May 2010) | 8 lines
ticket: 6725
subject: CVE-2010-1321 GSS-API lib null pointer deref (MITKRB5-SA-2010-005)
tags: pullup
target_version: 1.8.2
Make krb5_gss_accept_sec_context() check for a null authenticator
checksum pointer before attempting to dereference it.
ticket: 6729
target_version: 1.7.2
version_fixed: 1.7.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@24067 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 19 May 2010 21:23:14 +0000 (21:23 +0000)]
memory leak in process_tgs_req in r23724
pull up r23959 from trunk
------------------------------------------------------------------------
r23959 | tlyu | 2010-04-30 17:10:55 -0400 (Fri, 30 Apr 2010) | 8 lines
ticket: 6711
subject: memory leak in process_tgs_req in r23724
tags: pullup
target_version: 1.8.2
Fix a KDC memory leak that was introduced by r23724 that could leak
the decoded request.
ticket: 6728
target_version: 1.7.2
version_fixed: 1.7.2
tags: pullup
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@24066 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 19 May 2010 21:23:09 +0000 (21:23 +0000)]
CVE-2010-1320 KDC double free caused by ticket renewal (MITKRB5-SA-2010-004)
pull up r23912 from trunk
------------------------------------------------------------------------
r23912 | tlyu | 2010-04-20 17:12:10 -0400 (Tue, 20 Apr 2010) | 11 lines
ticket: 6702
target_version: 1.8.2
tags: pullup
Fix CVE-2010-1230 (MITKRB5-SA-2010-004) double-free in KDC triggered
by ticket renewal. Add a test case.
See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577490
Thanks to Joel Johnson and Brian Almeida for the reports.
ticket: 6727
tags: pullup
target_version: 1.7.2
version_fixed: 1.7.2
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@24065 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 30 Mar 2010 03:05:11 +0000 (03:05 +0000)]
MITKRB5-SA-2010-002 CVE-2010-0628 denial of service in SPNEGO
pull up r23832 from trunk
------------------------------------------------------------------------
r23832 | tlyu | 2010-03-23 14:53:52 -0400 (Tue, 23 Mar 2010) | 8 lines
ticket: 6690
target_version: 1.8.1
tags: pullup
subject: MITKRB5-SA-2010-002 CVE-2010-0628 denial of service in SPNEGO
The SPNEGO implementation in krb5-1.7 and later could crash due to
assertion failure when receiving some sorts of invalid GSS-API tokens.
ticket: 6694
version_fixed: 1.7.2
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23850 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 23 Mar 2010 01:31:49 +0000 (01:31 +0000)]
pull up r23679 from trunk
------------------------------------------------------------------------
r23679 | ghudson | 2010-01-31 13:04:48 -0800 (Sun, 31 Jan 2010) | 4 lines
ticket: 6650
Fix minor error-handling bug in r23676.
ticket: 6650
version_fixed: 1.7.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23823 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 23 Mar 2010 01:31:30 +0000 (01:31 +0000)]
pull up r23676 from trunk
------------------------------------------------------------------------
r23676 | ghudson | 2010-01-28 13:39:31 -0800 (Thu, 28 Jan 2010) | 17 lines
ticket: 6650
subject: Handle migration from pre-1.7 databases with master key kvno != 1
target_version: 1.7.1
tags: pullup
krb5_dbe_lookup_mkvno assumes an mkvno of 1 for entries with no
explicit tl_data. We've seen at least one pre-1.7 KDB with a master
kvno of 0, violating this assumption. Fix this as follows:
* krb5_dbe_lookup_mkvno outputs 0 instead of 1 if no tl_data exists.
* A new function krb5_dbe_get_mkvno translates this 0 value to the
minimum version number in the mkey_list. (krb5_dbe_lookup_mkvno
cannot do this as it doesn't take the mkey_list as a parameter.)
* Call sites to krb5_dbe_lookup_mkvno are converted to
krb5_dbe_get_mkvno, except for an LDAP case where it is acceptable
to store 0 if the mkvno is unknown.
ticket: 6650
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23822 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 17 Feb 2010 05:11:45 +0000 (05:11 +0000)]
pull up r23724 from trunk
------------------------------------------------------------------------
r23724 | tlyu | 2010-02-16 17:10:17 -0500 (Tue, 16 Feb 2010) | 10 lines
ticket: 6662
subject: MITKRB5-SA-2010-001 CVE-2010-0283 KDC denial of service
tags: pullup
target_version: 1.8
Code introduced in krb5-1.7 can cause an assertion failure if a
KDC-REQ is internally inconsistent, specifically if the ASN.1 tag
doesn't match the msg_type field. Thanks to Emmanuel Bouillon (NATO
C3 Agency) for discovering and reporting this vulnerability.
ticket: 6664
version_fixed: 1.7.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23731 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 2 Feb 2010 16:56:47 +0000 (16:56 +0000)]
krb5-1.7.1-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23693 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 2 Feb 2010 04:33:11 +0000 (04:33 +0000)]
fix reltag for 1.7.1 final
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23691 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 2 Feb 2010 01:24:17 +0000 (01:24 +0000)]
fix patchlevel.h for krb5-1.7.1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23686 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 2 Feb 2010 01:16:22 +0000 (01:16 +0000)]
krb5-1.7.1-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23685 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 2 Feb 2010 01:14:12 +0000 (01:14 +0000)]
patchlevel for krb5-1.7.1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23683 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 25 Jan 2010 21:15:55 +0000 (21:15 +0000)]
krb5-1.7.1-beta1-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23670 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 25 Jan 2010 21:14:37 +0000 (21:14 +0000)]
README and patchlevel for krb5-1.7.1-beta1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23668 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 13 Jan 2010 04:35:20 +0000 (04:35 +0000)]
pull up r23482 from trunk
------------------------------------------------------------------------
r23482 | ghudson | 2009-12-21 12:58:12 -0500 (Mon, 21 Dec 2009) | 9 lines
ticket: 6594
target_version: 1.7.1
tags: pullup
Add a set_cred_option handler for SPNEGO which forwards to the
underlying mechanism. Fixes SPNEGO credential delegation in 1.7 and
copying of SPNEGO initiator creds in both 1.7 and trunk. Patch
provided by nalin@redhat.com.
ticket: 6594
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23655 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 23:04:32 +0000 (23:04 +0000)]
Pull up r23492 from branches/anonymous
------------------------------------------------------------------------
r23492 | hartmans | 2009-12-23 16:09:50 -0500 (Wed, 23 Dec 2009) | 17 lines
Subject: ad-initial-verified-cas logic broken
ticket: 6587
status: open
In the initial pkinit implementation, the server plugin generates an
incorrect encoding for ad-initial-verified-cas. In particular, it
assumes that ad-if-relevant takes a single authorization data element
not a sequence of authorization data elements. Nothing looked at the
authorization data in 1.6.3 so this was not noticed. However in 1.7,
the FAST implementation looks for authorization data. In 1.8 several
more parts of the KDC examine authorization data. The net result is
that the KDC fails to process the TGT it issues.
However on top of this bug, there is a spec problem. For many of its
intended uses, ad-initial-verified-cas needs to be integrity
protected by the KDC in order to prevent a client from injecting it.
So, it should be contained in kdc-issued not ad-if-relevant.
For now we're simply removing the generation of this AD element until
the spec is clarified.
------------------------------------------------------------------------
ticket: 6587
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23654 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 21:31:59 +0000 (21:31 +0000)]
MITKRB5-SA-2009-004 [CVE-2009-4212] integer underflow in AES and RC4 decryption
Fix integer underflow in AES and RC4 decryption.
[MITKRB5-SA-2009-004, CVE-2009-4212]
ticket: 6637
target_version: 1.7.1
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23651 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 05:37:06 +0000 (05:37 +0000)]
Pull up r22782, r22784, r23610 from trunk, with additional test suite
changes to compensate for the existence of the api.0/ unit tests that
were removed for 1.8. Don't pull up the kadmin CLI changes for now.
------------------------------------------------------------------------
r23610 | ghudson | 2010-01-07 21:43:21 -0500 (Thu, 07 Jan 2010) | 10 lines
ticket: 6626
subject: Restore interoperability with 1.6 addprinc -randkey
tags: pullup
target_version: 1.8
The arcfour string-to-key operation in krb5 1.7 (or later) disagrees
with the dummy password used by the addprinc -randkey operation in
krb5 1.6's kadmin client, because it's not valid UTF-8. Recognize the
1.6 dummy password and use a random password instead.
------------------------------------------------------------------------
r22784 | ghudson | 2009-09-24 11:40:26 -0400 (Thu, 24 Sep 2009) | 2 lines
Fix kadm5 unit test modified in r22782.
------------------------------------------------------------------------
r22782 | ghudson | 2009-09-21 14:40:02 -0400 (Mon, 21 Sep 2009) | 5 lines
Improve the mechanism used for addprinc -randkey. In the kadmin
server, if the password is null when creating a principal, treat that
as a request for a random key. In the kadmin client, try using the
new method for random key creation and then fall back to the old one.
ticket: 6635
version_fixed: 1.7.1
target_version: 1.7.1
status: resolved
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23650 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 04:44:34 +0000 (04:44 +0000)]
pull up r22518 from trunk
------------------------------------------------------------------------
r22518 | raeburn | 2009-08-12 13:58:24 -0400 (Wed, 12 Aug 2009) | 19 lines
r22529@squish: raeburn | 2009-08-12 13:49:45 -0400
.
r22530@squish: raeburn | 2009-08-12 13:55:57 -0400
Change KRBCONF_KDC_MODIFIES_KDB to a mostly run-time option.
Change all code conditionals to test a new global variable, the
initial value of which is based on KRBCONF_KDC_MODIFIES_KDB. There is
currently no way to alter the value from the command line; that will
presumably be desired later.
Change initialize_realms to store db_args in a global variable. In
process_as_req, call db_open instead of the old set_name + init.
Don't reopen if an error is reported by krb5_db_fini.
Add a test of running kinit with an incorrect password, to trigger a
kdb update if enabled.
r22531@squish: raeburn | 2009-08-12 13:58:13 -0400
Fix trailing whitespace.
ticket: 5668
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23647 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 04:44:29 +0000 (04:44 +0000)]
pull up r23629 from trunk
------------------------------------------------------------------------
r23629 | ghudson | 2010-01-11 20:07:48 -0500 (Mon, 11 Jan 2010) | 9 lines
ticket: 6633
subject: Use keyed checksum type for DES FAST
target_version: 1.7
tags: pullup
DES enctypes have unkeyed mandatory-to-implement checksums. Since
FAST requires a keyed checksum, we must pick something else in that
case.
ticket: 6633
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23646 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 04:15:40 +0000 (04:15 +0000)]
pull up r23397 from trunk
------------------------------------------------------------------------
r23397 | ghudson | 2009-11-30 20:36:42 -0500 (Mon, 30 Nov 2009) | 10 lines
ticket: 6589
subject: Fix AES IOV decryption of small messages
tags: pullup
target_version: 1.7.1
AES messages never need to be padded because the confounder ensures
that the plaintext is at least one block long. Remove a check in
krb5int_dk_decrypt_iov which was rejecting short AES messages because
it didn't count the header length.
ticket: 6589
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23645 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 04:15:35 +0000 (04:15 +0000)]
pull up r23389 from trunk
------------------------------------------------------------------------
r23389 | ghudson | 2009-11-30 14:03:58 -0500 (Mon, 30 Nov 2009) | 10 lines
ticket: 6588
subject: Fix ivec chaining for DES iov encryption
tags: pullup
target_version: 1.7.1
krb5int_des_cbc_decrypt_iov was using a plaintext block to update the
ivec. Fix it to use the last cipher block, borrowing from the
corresponding des3 function. The impact of this bug is not serious
since ivec chaining is not typically used with IOV encryption in 1.7.
ticket: 6588
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23644 dc483132-0cff-0310-8789-dd5450dbe970
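
The ivec-chaining defect described in r23389, as an added C example (not the krb5 source): an in-place CBC decrypt must hand back the last ciphertext block as the next ivec, which means saving it before it is overwritten. The block transform is a toy stand-in for DES, and all names, the key and the plaintext are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLK 8  /* DES block size in bytes */

/* Toy invertible block transform standing in for DES. NOT a real cipher;
 * it only has to be invertible so the chaining logic can be exercised. */
static void toy_encrypt_block(uint8_t b[BLK], const uint8_t key[BLK])
{
    for (int i = 0; i < BLK; i++)
        b[i] = (uint8_t)((b[i] ^ key[i]) + 0x3d);
}

static void toy_decrypt_block(uint8_t b[BLK], const uint8_t key[BLK])
{
    for (int i = 0; i < BLK; i++)
        b[i] = (uint8_t)((uint8_t)(b[i] - 0x3d) ^ key[i]);
}

/* In-place CBC encrypt; on return ivec holds the last ciphertext block. */
static void cbc_encrypt(uint8_t *buf, size_t nblocks,
                        const uint8_t key[BLK], uint8_t ivec[BLK])
{
    for (size_t n = 0; n < nblocks; n++) {
        uint8_t *blk = buf + n * BLK;
        for (int i = 0; i < BLK; i++)
            blk[i] ^= ivec[i];
        toy_encrypt_block(blk, key);
        memcpy(ivec, blk, BLK);
    }
}

/* In-place CBC decrypt. Chaining inside the call is always correct; the
 * flag only selects what is written back to ivec for the NEXT call:
 *   update_from_plaintext = 1  -> last plaintext block (the described bug)
 *   update_from_plaintext = 0  -> last ciphertext block (the fix) */
static void cbc_decrypt(uint8_t *buf, size_t nblocks, const uint8_t key[BLK],
                        uint8_t ivec[BLK], int update_from_plaintext)
{
    uint8_t prev[BLK], cur[BLK];

    memcpy(prev, ivec, BLK);
    for (size_t n = 0; n < nblocks; n++) {
        uint8_t *blk = buf + n * BLK;
        memcpy(cur, blk, BLK);          /* save ciphertext before overwrite */
        toy_decrypt_block(blk, key);
        for (int i = 0; i < BLK; i++)
            blk[i] ^= prev[i];
        memcpy(prev, cur, BLK);
    }
    if (nblocks > 0)
        memcpy(ivec, update_from_plaintext ? buf + (nblocks - 1) * BLK : prev,
               BLK);
}

/* Encrypt four blocks in one call, decrypt them in two chained calls.
 * Returns 1 if the plaintext is recovered, 0 otherwise. */
int roundtrip_two_calls(int update_from_plaintext)
{
    static const uint8_t key[BLK] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */
    uint8_t plain[4 * BLK], buf[4 * BLK], ivec[BLK];

    for (size_t i = 0; i < sizeof(plain); i++)
        plain[i] = (uint8_t)i;                  /* constructed plaintext */
    memcpy(buf, plain, sizeof(buf));

    memset(ivec, 0, BLK);
    cbc_encrypt(buf, 4, key, ivec);

    memset(ivec, 0, BLK);
    cbc_decrypt(buf, 2, key, ivec, update_from_plaintext);
    cbc_decrypt(buf + 2 * BLK, 2, key, ivec, update_from_plaintext);

    return memcmp(buf, plain, sizeof(plain)) == 0;
}

int main(void)
{
    printf("ivec from ciphertext: %s\n",
           roundtrip_two_calls(0) ? "plaintext recovered" : "corrupted");
    printf("ivec from plaintext:  %s\n",
           roundtrip_two_calls(1) ? "plaintext recovered" : "corrupted");
    return 0;
}
```

A single-call decrypt passes with either setting, which is why a regression test for this has to chain at least two calls.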
Tom Yu [Tue, 12 Jan 2010 04:15:30 +0000 (04:15 +0000)]
pull up r23325, 23384 from trunk
------------------------------------------------------------------------
r23384 | hartmans | 2009-11-30 09:14:47 -0500 (Mon, 30 Nov 2009) | 4 lines
ticket: 6585
Fix memory leak
------------------------------------------------------------------------
r23325 | hartmans | 2009-11-23 20:05:30 -0500 (Mon, 23 Nov 2009) | 12 lines
ticket: 6585
subject: KDC MUST NOT accept ap-request armor in FAST TGS
target_version: 1.7.1
tags: pullup
Per the latest preauth framework spec, the working group has decided
to forbid ap-request armor in the TGS request because of security
problems with that armor type.
This commit was tested against an implementation of FAST TGS client to
confirm that if explicit armor is sent, the request is rejected.
ticket: 6585
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23643 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 03:42:15 +0000 (03:42 +0000)]
Backport test suite portion of r23361 from trunk
------------------------------------------------------------------------
r23361 | tlyu | 2009-11-25 22:54:59 -0500 (Wed, 25 Nov 2009) | 15 lines
ticket: 6584
target_version: 1.7.1
tags: pullup
Pullup to 1.7-branch is only for the test case, as krb5-1.7 behaved
correctly for these checksums.
Fix regression in MD4-DES and MD5-DES keyed checksums. The original
key was being used for the DES encryption, not the "xorkey". (key
with each byte XORed with 0xf0)
Add a test case that will catch future regressions of this sort, by
including a verification of a "known-good" checksum (derived from a
known-to-be-interoperable version of the implementation).
ticket: 6584
version_fixed: 1.7.1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23642 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 03:21:40 +0000 (03:21 +0000)]
pull up r23144, r23145 from trunk
------------------------------------------------------------------------
r23145 | raeburn | 2009-11-09 11:56:01 -0500 (Mon, 09 Nov 2009) | 4 lines
ticket: 6579
Revise patch to avoid using changequote.
------------------------------------------------------------------------
r23144 | raeburn | 2009-11-09 01:13:34 -0500 (Mon, 09 Nov 2009) | 21 lines
ticket: 6579
target_version: 1.7.1
tags: pullup
subject: quoting bug causes solaris pre-10 thread handling bugs
Quoting problems in pattern matching on the OS name cause Solaris
versions up through 9 to not be properly recognized in the
thread-system configuration setup. This causes our libraries to make
the erroneous assumption that valid thread support routines are
available on all Solaris systems, rather than just assuming it for
Solaris 10 and later.
The result is assertion failures like this one reported by Meraj
Mohammed and others:
Assertion failed: k5int_i->did_run != 0, file krb5_libinit.c, line 63
Thanks to Tom Shaw for noticing the cause of the problem.
The bug may be present in the 1.6.x series as well.
ticket: 6579
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23641 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 03:21:35 +0000 (03:21 +0000)]
backport r22890 from trunk
------------------------------------------------------------------------
r22890 | ghudson | 2009-10-13 15:43:17 -0400 (Tue, 13 Oct 2009) | 11 lines
ticket: 6573
subject: Fix preauth looping in krb5_get_init_creds
tags: pullup
target_version: 1.7.1
In 1.7, krb5_get_init_creds will continue attempting the same built-in
preauth mechanism (e.g. encrypted timestamp) until the loop counter
maxes out. Until the preauth framework can remember not to retry
built-in mechanisms, only continue with preauth after a PREAUTH_FAILED
error resulting from optimistic preauth.
ticket: 6573
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23640 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 03:11:49 +0000 (03:11 +0000)]
Add manual kfree.c change missing from previous pullup
ticket: 6571
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23639 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 03:03:42 +0000 (03:03 +0000)]
pull up r22872 from trunk
------------------------------------------------------------------------
r22872 | ghudson | 2009-10-09 10:21:04 -0400 (Fri, 09 Oct 2009) | 7 lines
ticket: 6571
tags: pullup
target_version: 1.7.1
In asn1_decode_enc_kdc_rep_part, don't leak the enc_padata field on
invalid representations.
ticket: 6571
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23638 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 03:03:37 +0000 (03:03 +0000)]
pull up r22781 from trunk
------------------------------------------------------------------------
r22781 | ghudson | 2009-09-21 12:11:26 -0400 (Mon, 21 Sep 2009) | 10 lines
ticket: 6568
subject: Fix addprinc -randkey when policy requires multiple character classes
tags: pullup
target_version: 1.7.1
The fix for ticket #6074 (r20650) caused a partial regression of
ticket #115 (r9210) because the dummy password contained only one
character class. As a minimal 1.7 fix, use all five character classes
in the dummy password.
ticket: 6568
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23637 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 02:50:15 +0000 (02:50 +0000)]
pull up r22732 from trunk
------------------------------------------------------------------------
r22732 | ghudson | 2009-09-11 13:30:51 -0400 (Fri, 11 Sep 2009) | 7 lines
ticket: 6559
subject: Fix parsing of GSS exported names
tags: pullup
target_version: 1.7.1
Cherry-picked from Luke's authdata branch.
ticket: 6559
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23636 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 02:50:09 +0000 (02:50 +0000)]
pull up r22718 from trunk
------------------------------------------------------------------------
r22718 | ghudson | 2009-09-09 11:17:09 -0400 (Wed, 09 Sep 2009) | 8 lines
ticket: 6558
subject: Fix memory leak in gss_krb5int_copy_ccache
tags: pullup
target_version: 1.7.1
gss_krb5int_copy_ccache was iterating over credentials in a ccache
without freeing them.
ticket: 6558
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23635 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 02:50:04 +0000 (02:50 +0000)]
------------------------------------------------------------------------
r22710 | ghudson | 2009-09-03 16:41:56 -0400 (Thu, 03 Sep 2009) | 10 lines
ticket: 6557
subject: Supply canonical name if present in LDAP iteration
target_version: 1.7.1
tags: pullup
In the presence of aliases, LDAP iteration was supplying the first
principal it found within the expected realm, which is not necessarily
the same as the canonical name. If the entry has a canonical name
field, use that in preference to any of the principal names.
ticket: 6557
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23634 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 02:49:59 +0000 (02:49 +0000)]
pull up r22708 from trunk
------------------------------------------------------------------------
r22708 | ghudson | 2009-09-03 13:39:50 -0400 (Thu, 03 Sep 2009) | 9 lines
ticket: 6556
subject: Supply LDAP service principal aliases to non-referrals clients
target_version: 1.7
tags: pullup
In the LDAP back end, return aliases when the CLIENT_REFERRALS_ONLY
flag isn't set (abusing that flag to recognize a client name lookup).
Based on a patch from Luke Howard.
ticket: 6556
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23633 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 02:49:53 +0000 (02:49 +0000)]
pull up r22648 from trunk
------------------------------------------------------------------------
r22648 | tlyu | 2009-08-28 17:36:28 -0400 (Fri, 28 Aug 2009) | 8 lines
ticket: 6553
subject: use perror instead of error in kadm5 test suite
target_version: 1.7.1
tags: pullup
Use "perror" instead of "error" to ensure that framework error
conditions actually cause "make check" to report failure.
ticket: 6553
version_fixed: 1.7.1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23632 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 02:49:47 +0000 (02:49 +0000)]
pull up r22644 from trunk
------------------------------------------------------------------------
r22644 | ghudson | 2009-08-28 13:23:20 -0400 (Fri, 28 Aug 2009) | 8 lines
ticket: 6552
subject: Document kinit -C and -E options
target_version: 1.7.1
tags: pullup
kinit -C (canonicalize name) and -E (enterprise principal name)
weren't documented in the man page.
ticket: 6552
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23631 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 Jan 2010 02:49:42 +0000 (02:49 +0000)]
pull up r22643 from trunk
------------------------------------------------------------------------
r22643 | ghudson | 2009-08-28 12:00:54 -0400 (Fri, 28 Aug 2009) | 7 lines
ticket: 6534
Disable the COPY_FIRST_CANONNAME workaround on Linux glibc 2.4 and
later, since it leaks memory on fixed glibc versions. We will still
leak memory on glibc 2.3.4 through 2.3.6 (e.g. RHEL 4) but that's
harder to detect.
ticket: 6534
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23630 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 29 Dec 2009 02:56:46 +0000 (02:56 +0000)]
pull up r23533 from trunk
------------------------------------------------------------------------
r23533 | tlyu | 2009-12-28 21:42:51 -0500 (Mon, 28 Dec 2009) | 10 lines
ticket: 6608
subject: MITKRB5-SA-2009-003 CVE-2009-3295 KDC null deref in referrals
tags: pullup
target_version: 1.7.1
On certain error conditions, prep_reprocess_req() calls kdc_err() with
a null pointer as the format string, causing a null dereference and
denial of service. Legitimate protocol requests can trigger this
problem.
ticket: 6608
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23534 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 29 Sep 2009 01:39:08 +0000 (01:39 +0000)]
pull up r22636 from trunk
------------------------------------------------------------------------
r22636 | ghudson | 2009-08-27 09:40:50 -0400 (Thu, 27 Aug 2009) | 17 lines
ticket: 6551
subject: Memory leak in spnego accept_sec_context error path
tags: pullup
target_version: 1.7
If the underlying mechanism's accept_sec_context returns an error, the
spnego accept_sec_context was leaving allocated data in
*context_handle, which is incorrect for the first call according to
RFC 2744.
Fix this by mirroring some code from the spnego init_sec_context,
which always cleans up the half-constructed context in case of error.
This is allowed (though not encouraged) by RFC 2744 for second and
subsequent calls; since we were already doing it in init_sec_context,
it seems simpler to do that than keep track of whether this is a first
call or not.
ticket: 6551
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22813 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 29 Sep 2009 01:39:02 +0000 (01:39 +0000)]
pull up r22519 from trunk
------------------------------------------------------------------------
r22519 | ghudson | 2009-08-12 14:53:47 -0400 (Wed, 12 Aug 2009) | 12 lines
ticket: 6543
subject: Reply message ordering bug in ftpd
tags: pullup
target_version: 1.7
user() was replying to the user command and then calling login(),
which could send a continuation reply if it fails to chdir to the
user's homedir. Continuation replies must come before the actual
reply; the mis-ordering was causing ftp and ftpd to deadlock. To fix
the bug, invoke login() before reply() so that the continuation reply
comes first.
ticket: 6543
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22812 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 29 Sep 2009 01:38:48 +0000 (01:38 +0000)]
pull up r22516 from trunk
------------------------------------------------------------------------
r22516 | ghudson | 2009-08-10 15:12:47 -0400 (Mon, 10 Aug 2009) | 8 lines
ticket: 6542
subject: Check for null characters in pkinit cert fields
tags: pullup
target_version: 1.7
When processing DNS names or MS UPNs in pkinit certs, disallow
embedded null characters.
ticket: 6542
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22811 dc483132-0cff-0310-8789-dd5450dbe970
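
The embedded-null check described in r22516, as an added C example (not the krb5 source): certificate name fields are length-delimited, so a C-string comparison stops at the first NUL byte and can accept a name the certificate does not actually carry. The struct, function names and sample values are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A length-delimited string as an ASN.1 decoder would hand it over
 * (hypothetical type, not a krb5 structure). */
struct counted_str {
    const unsigned char *data;
    size_t len;
};

/* Returns 1 if the field is non-empty and has no embedded NUL bytes. */
static int field_is_clean(const struct counted_str *f)
{
    return f->len > 0 && memchr(f->data, '\0', f->len) == NULL;
}

/* Weak form: treats the field as a C string, so everything after the
 * first NUL byte is silently ignored. */
static int match_naive(const struct counted_str *f, const char *expected)
{
    return strcmp((const char *)f->data, expected) == 0;
}

/* Hardened form: reject embedded NULs, then compare the full counted
 * length rather than relying on a terminator. */
static int match_checked(const struct counted_str *f, const char *expected)
{
    size_t elen = strlen(expected);

    if (!field_is_clean(f))
        return 0;
    return f->len == elen && memcmp(f->data, expected, elen) == 0;
}

/* Constructed sample fields: a plain DNS name, and one whose bytes
 * continue past an embedded NUL. */
static const unsigned char GOOD_BYTES[] = "kdc.example.com";
static const unsigned char BAD_BYTES[]  = "kdc.example.com\0.other.example";

static const struct counted_str GOOD = { GOOD_BYTES, sizeof(GOOD_BYTES) - 1 };
static const struct counted_str BAD  = { BAD_BYTES,  sizeof(BAD_BYTES) - 1 };

int main(void)
{
    const char *want = "kdc.example.com";

    printf("good field: naive=%d checked=%d\n",
           match_naive(&GOOD, want), match_checked(&GOOD, want));
    printf("bad field:  naive=%d checked=%d\n",
           match_naive(&BAD, want), match_checked(&BAD, want));
    return 0;
}
```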
Tom Yu [Tue, 29 Sep 2009 01:12:42 +0000 (01:12 +0000)]
pull up r22475 from trunk
------------------------------------------------------------------------
r22475 | ghudson | 2009-07-30 15:06:37 -0400 (Thu, 30 Jul 2009) | 8 lines
ticket: 6533
tags: pullup
target_version: 1.7
Include <assert.h> in k5-platform.h, since we use assertions in some
of the macros defined there, as well as in many source files which do
not themselves include <assert.h>. Report and fix by Rainer Weikusat.
ticket: 6533
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22810 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 29 Sep 2009 01:12:36 +0000 (01:12 +0000)]
pull up r22474 from trunk
------------------------------------------------------------------------
r22474 | epeisach | 2009-07-30 13:22:28 -0400 (Thu, 30 Jul 2009) | 7 lines
ticket: 6541
subject: Fix memory leak in k5_pac_verify_server_checksum
k5_pac_verify_server_checksum was leaking memory when the checksum was valid.
t_pac.c: Fix memory leak by forgetting to release memory.
ticket: 6541
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22809 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 29 Sep 2009 01:12:31 +0000 (01:12 +0000)]
pull up r22473 from trunk
------------------------------------------------------------------------
r22473 | epeisach | 2009-07-30 13:12:20 -0400 (Thu, 30 Jul 2009) | 5 lines
ticket: 6540
subject: memory leak in test code t_authdata
Free the krb5_context at the end to release memory.
ticket: 6540
status: resolved
version_fixed: 1.7.1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22808 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 29 Sep 2009 01:12:25 +0000 (01:12 +0000)]
pull up r22443 from trunk
------------------------------------------------------------------------
r22443 | tlyu | 2009-07-16 21:35:58 -0400 (Thu, 16 Jul 2009) | 8 lines
ticket: 6531
target_version: 1.6.4
tags: pullup
subject: include win-mac.h in gssftp/ftp/cmds.c for HAVE_STDLIB_H
gssftp/ftp/cmds.c had a preprocessor conditional on HAVE_STDLIB_H that
will not evaluate correctly on WIN32 unless win-mac.h is included first.
ticket: 6532
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22807 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 21:27:42 +0000 (21:27 +0000)]
pull up r22435 from trunk
------------------------------------------------------------------------
r22435 | tlyu | 2009-07-10 15:46:20 -0400 (Fri, 10 Jul 2009) | 9 lines
ticket: 6530
target_version: 1.7.1
tags: pullup
subject: check for slogin failure in setup_root_shell
Add a check for a slogin message that indicates an unknown public key
fingerprint, as rlogin looks like it points to slogin by default on
Debian Lenny.
ticket: 6530
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22805 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 21:27:39 +0000 (21:27 +0000)]
pull up r22424 from trunk
------------------------------------------------------------------------
r22424 | ghudson | 2009-06-26 21:00:05 -0400 (Fri, 26 Jun 2009) | 7 lines
ticket: 6519
tags: pullup
target_version: 1.7
In krb5_copy_error_message, pass correct pointer to
krb5int_clear_error.
ticket: 6519
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22804 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 21:22:47 +0000 (21:22 +0000)]
pull up r22434 from trunk
------------------------------------------------------------------------
r22434 | tlyu | 2009-07-10 15:20:26 -0400 (Fri, 10 Jul 2009) | 8 lines
ticket: 1233
Add a new '-W' option to kadmind and kdb5_util create to allow reading
weak random numbers on startup, to avoid long delays in testing
situations. Use only for testing.
Update testing scripts accordingly.
ticket: 1233
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22803
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 21:22:43 +0000 (21:22 +0000)]
pull up r22423, r22422 from trunk
------------------------------------------------------------------------
r22423 | tlyu | 2009-06-25 22:44:41 -0400 (Thu, 25 Jun 2009) | 4 lines
ticket: 6428
Add test case omitted in last commit.
------------------------------------------------------------------------
r22422 | tlyu | 2009-06-25 22:43:21 -0400 (Thu, 25 Jun 2009) | 8 lines
ticket: 6428
version_reported: 1.7
target_version: 1.7.1
tags: pullup
Check for principal expiration prior to checking for password
expiration. Reported by Phil Pishioneri.
ticket: 6428
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22802
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 20:58:56 +0000 (20:58 +0000)]
pull up r22418 from trunk
------------------------------------------------------------------------
r22418 | raeburn | 2009-06-18 19:25:25 -0400 (Thu, 18 Jun 2009) | 36 lines
ticket: 6515
subject: reduce some mutex performance problems in profile library
tags: pullup
target_version: 1.7.1
version_reported: 1.7
In profile_node_iterator we unlock a mutex in order to call
profile_update_file_data, which wants to lock that mutex itself, and
then when it returns we re-lock the mutex. (We don't use recursive
mutexes, and I would continue to argue that we shouldn't.) On the
Mac, when running multiple threads, it appears that this results in
very poor performance, and much system and user CPU time is spent
working with the locks. (Linux doesn't seem to suffer as much.)
So: Split profile_update_file_data into a locking wrapper, and an
inner routine that does the real work but requires that the lock be
held on entry. Call the latter from profile_node_iterator *without*
unlocking first, and only unlock if there's an error. This doesn't
move any significant amount of work into the locking region; it pretty
much just joins locking regions that were disjoint for no good reason.
On my tests on an 8-core Mac, in a test program running
gss_init_sec_context in a loop in 6 threads, this brought CPU usage
per call down by 40%, and improved wall-clock time even more.
Single-threaded performance improved very slightly, probably in the
noise.
Linux showed modest improvement (5% or less) in CPU usage in a
3-thread test on a 4-core system.
Similar tests with gss_accept_sec_context showed similar contention
around the profile-library mutexes, but I haven't analyzed the
performance changes there from this patch.
More work is needed, but this will help.
ticket: 6515
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22801
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 20:58:54 +0000 (20:58 +0000)]
pull up r22417 from trunk
------------------------------------------------------------------------
r22417 | raeburn | 2009-06-18 17:56:48 -0400 (Thu, 18 Jun 2009) | 13 lines
ticket: 6514
subject: minor memory leak in 'none' replay cache type
tags: pullup
target_version: 1.7.1
version_reported: 1.7
The replay cache type implementations are responsible for freeing the
main rcache structure when the cache handle is closed. The 'none'
rcache type wasn't doing this, resulting in a small memory leak each
time such a cache was opened and closed. Not a big deal for a server
process servicing a single client, but it could accumulate (very very
slowly) for a long-running server.
ticket: 6514
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22800
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 20:44:23 +0000 (20:44 +0000)]
pull up r22413, r22410 from trunk
------------------------------------------------------------------------
r22413 | epeisach | 2009-06-17 13:51:31 -0400 (Wed, 17 Jun 2009) | 5 lines
ticket: 6512
In the previous patch - I neglected a potential NULL deref in the call
to krb5int_yarrow_cipher_final. Trivial fix.
------------------------------------------------------------------------
r22410 | epeisach | 2009-06-11 13:01:13 -0400 (Thu, 11 Jun 2009) | 7 lines
subject: krb5int_yarrow_final could deref NULL if out of memory
ticket: 6512
krb5int_yarrow_final tests if the Yarrow_CTX* is valid (not NULL) -
and if not - signals an error for return - but still invokes
mem_zero (memset) with it as an argument. This will only happen in
an out-of-memory situation.
ticket: 6512
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22799
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 20:44:20 +0000 (20:44 +0000)]
------------------------------------------------------------------------
r22409 | epeisach | 2009-06-09 22:55:22 -0400 (Tue, 09 Jun 2009) | 7 lines
ticket: 6511
subject: krb5int_rd_chpw_rep could call krb5_free_error with random value
clang picked up on a path in which krberror is not set and passed as
an argument to krb5_free_error(). Essentially if the clearresult
length < 2 but everything decodes - you can hit this path...
ticket: 6511
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22798
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 20:34:52 +0000 (20:34 +0000)]
pull up r22403 from trunk
------------------------------------------------------------------------
r22403 | epeisach | 2009-06-06 09:46:06 -0400 (Sat, 06 Jun 2009) | 9 lines
ticket: 6509
subject: kadmind is parsing acls good deref NULL pointer on error
In kadm5int_acl_parse_line, if you setup an acl w/ restrictions
(i.e. the four argument acl format) - but have an error parsing the
first few fields, acle is NULLed out, and is then derefed.
This adds a conditional and indents according to the krb5 c-style...
ticket: 6509
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22797
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 20:27:13 +0000 (20:27 +0000)]
pull up r22402 from trunk
------------------------------------------------------------------------
r22402 | epeisach | 2009-06-05 23:55:44 -0400 (Fri, 05 Jun 2009) | 7 lines
ticket: 6508
subject: kadm5int_acl_parse_restrictions could ref uninitialized variable
The variable sp is never initialized. If the first argument to the
function is null, the code falls through to freeing sp if valid.
However, sp is never set.
ticket: 6508
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22796
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 20:27:10 +0000 (20:27 +0000)]
pull up r22397 from trunk
------------------------------------------------------------------------
r22397 | ghudson | 2009-06-01 18:39:31 -0400 (Mon, 01 Jun 2009) | 17 lines
ticket: 6506
subject: Make results of krb5_db_def_fetch_mkey more predictable
tags: pullup
target_version: 1.7
krb5_db_def_fetch_mkey tries the stash file as a keytab, then falls
back to the old stash file format. If the stash file was in keytab
format, but didn't contain the desired master key, we would try to
read a keytab file as a stash file. This could succeed or fail
depending on byte order and other unpredictable factors. The upshot
was that one of the libkadm5 unit tests (init 108) was getting a
different error code on different platforms.
To fix this, only try the stash file format if we get
KRB5_KEYTAB_BADVNO trying the keytab format. This requires reworking
the error handling logic.
ticket: 6506
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22795
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 20:06:57 +0000 (20:06 +0000)]
pull up r22392 from trunk
------------------------------------------------------------------------
r22392 | raeburn | 2009-05-27 16:03:46 -0400 (Wed, 27 May 2009) | 10 lines
ticket: 6505
target_version: 1.7
tags: pullup
subject: fix t_prf test code properly
Correction to patch in r22364: "i" was used in two places, one of
which required an int-sized value and the other of which required a
size_t. Instead of changing the type, split the two uses into
separate variables.
ticket: 6505
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22794
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 24 Jul 2009 18:21:57 +0000 (18:21 +0000)]
C++ compatibility for Windows compilation
pull up r21902, r21917, r21918, r21919 to improve C++ compatibility
and to enable Windows compilation.
------------------------------------------------------------------------
r21919 | raeburn | 2009-02-09 11:36:09 -0500 (Mon, 09 Feb 2009) | 3 lines
Check C++ compatibility for some internal headers that may (now or in
the future) be used in C++ code on Windows.
------------------------------------------------------------------------
r21918 | raeburn | 2009-02-09 11:35:01 -0500 (Mon, 09 Feb 2009) | 3 lines
More C++ compatibility: Don't use "typedef struct tag *tag"; rename
the tag and keep the same typedefname.
------------------------------------------------------------------------
r21917 | raeburn | 2009-02-09 11:28:29 -0500 (Mon, 09 Feb 2009) | 3 lines
C++ compatibility fix -- g++ says "types may not be defined in casts",
so do the gcc unaligned-struct trick only for C, not C++.
------------------------------------------------------------------------
r21902 | raeburn | 2009-02-05 16:56:21 -0500 (Thu, 05 Feb 2009) | 2 lines
use casts, for c++ compilation on windows
ticket: 6536
version_fixed: 1.7.1
target_version: 1.7.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22455
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 2 Jun 2009 01:04:20 +0000 (01:04 +0000)]
krb5-1.7-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22401
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 2 Jun 2009 00:45:43 +0000 (00:45 +0000)]
krb5-1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22399
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 2 Jun 2009 00:25:44 +0000 (00:25 +0000)]
Update copyrights. Reorganize "major changes" listing
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22398
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 26 May 2009 09:53:43 +0000 (09:53 +0000)]
krb5-1.7-beta3-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22391
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 26 May 2009 09:51:12 +0000 (09:51 +0000)]
readme and patchlevel for krb5-1.7-beta3
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22389
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 26 May 2009 09:41:54 +0000 (09:41 +0000)]
typo in admin.texinfo
pull up r22266 from trunk
------------------------------------------------------------------------
r22266 | ghudson | 2009-04-22 10:26:17 +0200 (Wed, 22 Apr 2009) | 4 lines
In the cross-realm setup example in the admin documentation, use
"addprinc" instead of "add_princ" since the latter is not a recognized
alias for add_principal.
ticket: 6503
version_fixed: 1.7
target_version: 1.7
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22388
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 26 May 2009 09:41:46 +0000 (09:41 +0000)]
typo in doc/api/krb5.tex
------------------------------------------------------------------------
r22287 | ghudson | 2009-04-28 19:54:13 +0200 (Tue, 28 Apr 2009) | 2 lines
Fix typo.
ticket: 6502
target_version: 1.7
tags: pullup
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22387
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 26 May 2009 07:58:52 +0000 (07:58 +0000)]
pull up r22382 from trunk
------------------------------------------------------------------------
r22382 | ghudson | 2009-05-25 18:47:40 +0200 (Mon, 25 May 2009) | 6 lines
ticket: 6497
tags: pullup
target_version: 1.7
Fix up kinit -T documentation.
ticket: 6497
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22386
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 26 May 2009 07:58:28 +0000 (07:58 +0000)]
pull up r22381 from trunk
------------------------------------------------------------------------
r22381 | ghudson | 2009-05-25 18:40:00 +0200 (Mon, 25 May 2009) | 10 lines
ticket: 6501
subject: Temporarily disable FAST PKINIT for 1.7 release
tags: pullup
target_version: 1.7
There are protocol issues and implementation defects surrounding the
combination of FAST and PKINIT currently. To avoid impacting the 1.7
schedule and to avoid creating interoperability problems later,
disable the combination until the problems are resolved.
ticket: 6501
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22385
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 25 May 2009 05:44:09 +0000 (05:44 +0000)]
use correct type for krb5_c_prf_length length arg
pull up r22364 from trunk
------------------------------------------------------------------------
r22364 | raeburn | 2009-05-22 19:20:15 +0200 (Fri, 22 May 2009) | 2 lines
Use correct type for krb5_c_prf_length length arg.
ticket: 6500
target_version: 1.7
tags: pullup
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22380
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 25 May 2009 05:43:55 +0000 (05:43 +0000)]
use printf format attribute only with gcc
pull up r22363 from trunk
------------------------------------------------------------------------
r22363 | raeburn | 2009-05-22 19:19:37 +0200 (Fri, 22 May 2009) | 2 lines
Use printf format attribute only with gcc.
ticket: 6499
target_version: 1.7
tags: pullup
version_fixed: 1.7
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22379
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 25 May 2009 05:43:42 +0000 (05:43 +0000)]
spnego_mech.c syntax error under _GSS_STATIC_LINK
pull up r22361 from trunk
------------------------------------------------------------------------
r22361 | raeburn | 2009-05-22 16:12:17 +0200 (Fri, 22 May 2009) | 2 lines
fix minor syntax error
ticket: 6498
target_version: 1.7
tags: pullup
version_fixed: 1.7
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22378
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Sun, 24 May 2009 22:51:42 +0000 (22:51 +0000)]
pull up r22369 from trunk
------------------------------------------------------------------------
r22369 | ghudson | 2009-05-24 17:53:51 +0200 (Sun, 24 May 2009) | 11 lines
ticket: 6496
subject: Fix vector initialization error in KDC preauth code
target_version: 1.7
tags: pullup
In the KDC, get_preauth_hint_list had two bugs initializing the
preauth array. It was allocating 21 extra entries instead of two due
to a typo (harmless), and it was only zeroing up through one extra
entry (harmful). Adjust the code to use calloc to avoid further
disagreements of this nature.
ticket: 6496
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22377
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Sun, 24 May 2009 22:51:32 +0000 (22:51 +0000)]
pull up r22368 from trunk
------------------------------------------------------------------------
r22368 | ghudson | 2009-05-24 02:48:31 +0200 (Sun, 24 May 2009) | 10 lines
ticket: 6495
subject: Fix test rules for non-gmake make versions
target_version: 1.7
tags: pullup
The build rules for the new t_ad_fx_armor and t_authdata test programs
used $<, which is only portable for implicit rules (but is valid in
gmake for all rules). Stop using $< in those rules so that "make
check" works with System V make.
ticket: 6495
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22376
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Sun, 24 May 2009 22:51:08 +0000 (22:51 +0000)]
pull up r22360 from trunk
------------------------------------------------------------------------
r22360 | ghudson | 2009-05-22 16:08:25 +0200 (Fri, 22 May 2009) | 10 lines
ticket: 6492
subject: Remove spurious assertion in handle_authdata
tags: pullup
target_version: 1.7
In handle_authdata in the KDC, remove a spurious assertion (added in
r21566 on the mskrb-integ branch) that authdata starts out empty.
authdata can be legitimately added by check_padata, which precedes
handle_authdata, and this happens with pkinit.
ticket: 6492
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22375
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Sun, 24 May 2009 22:50:58 +0000 (22:50 +0000)]
pull up 22355, 22356, 22357 from trunk
------------------------------------------------------------------------
r22357 | ghudson | 2009-05-20 04:05:53 +0200 (Wed, 20 May 2009) | 6 lines
ticket: 6490
Restore compatibility with KDCs using key usage 8 to encrypt TGS
replies in a subkey, by implementing a fallback in
krb5_arcfour_decrypt.
------------------------------------------------------------------------
r22356 | ghudson | 2009-05-20 01:17:49 +0200 (Wed, 20 May 2009) | 13 lines
ticket: 6490
status: open
tags: pullup
When using keyed checksum types with TGS subkeys, Microsoft AD 2003
verifies the checksum using the subkey, whereas MIT and Heimdal verify
it using the TGS session key. (RFC 4120 is actually silent on which
is correct; RFC 4757 specifies the TGS session key.) To sidestep this
interop issue, don't use keyed checksum types with RC4 keys without
explicit configuration in krb5.conf. Using keyed checksum types with
AES is fine since, experimentally, AD 2008 accepts checksums keyed
with the TGS session key.
------------------------------------------------------------------------
r22355 | hartmans | 2009-05-19 01:28:53 +0200 (Tue, 19 May 2009) | 5 lines
ticket: 6490
status: open
In practice, key usage 9 requires no translation.
ticket: 6490
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22374
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Sun, 24 May 2009 22:50:44 +0000 (22:50 +0000)]
pull up r22351, r22354 from trunk
------------------------------------------------------------------------
r22354 | hartmans | 2009-05-18 21:08:48 +0200 (Mon, 18 May 2009) | 8 lines
ticket: 6488
target_version: 1.7
tags: pullup
Copy the sequence key rather than the subkey for lucid contexts in RFC
1964 mode, so that we map to raw des enctypes rather than say
des-cbc-crc.
------------------------------------------------------------------------
r22351 | ghudson | 2009-05-14 18:50:52 +0200 (Thu, 14 May 2009) | 9 lines
ticket: 6488
status: open
tags: pullup
target_version: 1.7
gss_krb5int_export_lucid_sec_context was erroneously copying the first
sizeof(void *) bytes of the context into data_set, instead of the
pointer to the context.
ticket: 6488
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22373
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Sun, 24 May 2009 22:50:30 +0000 (22:50 +0000)]
pull up r22350 from trunk
------------------------------------------------------------------------
r22350 | ghudson | 2009-05-14 18:16:32 +0200 (Thu, 14 May 2009) | 9 lines
ticket: 6489
subject: UCS2 support doesn't handle upper half of BMP
tags: pullup
target_version: 1.7
Make krb5_ucs2 an unsigned type. Eliminate the need for distinguished
values for ucs2 and ucs4 characters by changing the API of the single-
character conversion routines.
ticket: 6489
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22372
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Sun, 24 May 2009 22:50:17 +0000 (22:50 +0000)]
pull up r22348 from trunk
------------------------------------------------------------------------
r22348 | tlyu | 2009-05-13 22:41:37 +0200 (Wed, 13 May 2009) | 13 lines
ticket: 6486
tags: pullup
target_version: 1.7
In util/support/utf8_conv.c, the SWAP16 macro is invoked with an
argument that has side effects. On platforms where SWAP16 can
evaluate its argument twice (including platforms where utf8_conv.c
creates a fallback definition for the SWAP16 macro), this can cause a
read overrun by a factor of two.
Rearrange the data flow to avoid calling SWAP16 with an argument that
has side effects.
ticket: 6486
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22371
dc483132-0cff-0310-8789-
dd5450dbe970
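The double-evaluation hazard described in r22348, shown as an added example that is not krb5 code: the `SWAP16` definition here, the `reader` struct and every function name are constructed for illustration. The reader counts requests past the end of the buffer instead of performing them, so the doubled read is measurable without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fallback-style byte swap whose argument appears twice in the expansion,
 * so the argument expression is evaluated twice. Constructed for this
 * example; not the definition used in utf8_conv.c. */
#define SWAP16(x) \
    ((uint16_t)((((x) & 0x00ffu) << 8) | (((x) >> 8) & 0x00ffu)))

/* Bounded reader over 16-bit units. Requests past the end are counted
 * rather than performed. */
struct reader {
    const uint16_t *buf;
    size_t len;       /* units available */
    size_t pos;       /* units requested so far */
    size_t overruns;  /* requests that fell past the end */
};

/* Side-effecting accessor: every call advances the read position. */
static uint16_t next_unit(struct reader *r)
{
    size_t i = r->pos++;
    if (i >= r->len) {
        r->overruns++;
        return 0;
    }
    return r->buf[i];
}

/* Pattern the commit removes: the macro argument has a side effect, so
 * each output unit consumes two input units. */
static void convert_side_effect_arg(struct reader *r, uint16_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = SWAP16(next_unit(r));
}

/* Rearranged data flow: read once into a local, then swap the local. */
static void convert_local_first(struct reader *r, uint16_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint16_t u = next_unit(r);
        out[i] = SWAP16(u);
    }
}

/* Constructed sample input: four 16-bit units in the opposite byte order. */
static const uint16_t SAMPLE[4] = { 0x4100, 0x4201, 0xAC20, 0xFFFE };
#define SAMPLE_LEN (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

/* Convert SAMPLE with either variant and return the reader's final state. */
struct reader run_demo(int fixed, uint16_t *out)
{
    struct reader r = { SAMPLE, SAMPLE_LEN, 0, 0 };
    if (fixed)
        convert_local_first(&r, out, SAMPLE_LEN);
    else
        convert_side_effect_arg(&r, out, SAMPLE_LEN);
    return r;
}

int main(void)
{
    uint16_t out[SAMPLE_LEN];
    struct reader bad = run_demo(0, out);
    struct reader good = run_demo(1, out);

    printf("side-effect argument: %zu requests for %zu units, %zu past the end\n",
           bad.pos, (size_t)SAMPLE_LEN, bad.overruns);
    printf("local first:          %zu requests for %zu units, %zu past the end\n",
           good.pos, (size_t)SAMPLE_LEN, good.overruns);
    return 0;
}
```

A quick audit for the same pattern is to search for macro invocations whose argument contains `++`, `--`, an assignment or a call to a function that advances state.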
Tom Yu [Tue, 12 May 2009 23:15:32 +0000 (23:15 +0000)]
krb5-1.7-beta2-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22347
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 12 May 2009 23:13:57 +0000 (23:13 +0000)]
README and patchlevel for krb5-1.7-beta2
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22345
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 11 May 2009 22:11:30 +0000 (22:11 +0000)]
document ok_as_delegate in admin.texinfo
pull up r2293, r22304 from trunk
------------------------------------------------------------------------
r22304 | ghudson | 2009-05-03 14:47:27 -0400 (Sun, 03 May 2009) | 2 lines
Changed paths:
M /trunk/doc/admin.texinfo
Fix formatting of ok_as_delegate documentation in admin guide.
------------------------------------------------------------------------
r22293 | ghudson | 2009-04-30 11:08:50 -0400 (Thu, 30 Apr 2009) | 2 lines
Changed paths:
M /trunk/doc/admin.texinfo
Document ok_as_delegate in the admin guide.
ticket: 6485
tags: pullup
target_version: 1.7
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22342
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:56:55 +0000 (20:56 +0000)]
make depend
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22341
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:56:53 +0000 (20:56 +0000)]
pull up r22325 from trunk
------------------------------------------------------------------------
r22325 | hartmans | 2009-05-07 16:35:28 -0400 (Thu, 07 May 2009) | 18 lines
Changed paths:
M /trunk/src/include/k5-int.h
M /trunk/src/lib/krb5/krb/decode_kdc.c
M /trunk/src/lib/krb5/krb/gc_via_tkt.c
M /trunk/src/lib/krb5/libkrb5.exports
Subject: Try decrypting using session key if subkey fails in tgs rep handling
ticket: 6484
Tags: pullup
Target_Version: 1.7
Heimdal at least up through 1.2 incorrectly encrypts the TGS response
in the session key not the subkey when a subkey is supplied. See RFC
4120 page 35. Work around this by trying decryption using the session
key after the subkey fails.
* decode_kdc_rep.c: rename to krb5int_decode_tgs_rep; only used for
TGS and now needs to take keyusage
* gc_via_tkt: pass in session key and appropriate usage if subkey
fails.
Note that the dead code to process AS responses in decode_kdc_rep is
not removed by this commit. That will be removed as FAST TGS client
support is integrated post 1.7.
ticket: 6484
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22340
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:56:50 +0000 (20:56 +0000)]
pull up r22324 from trunk
------------------------------------------------------------------------
r22324 | hartmans | 2009-05-07 16:35:19 -0400 (Thu, 07 May 2009) | 8 lines
Changed paths:
M /trunk/src/kadmin/cli/k5srvutil.M
M /trunk/src/kadmin/cli/kadmin.M
M /trunk/src/kadmin/cli/kadmin.local.M
M /trunk/src/kadmin/ktutil/ktutil.M
ticket: 6483
Subject: man1 in title header for man1 manpages
Target_Version: 1.7
Tags: pullup
A previous ticket moved kadmin, kadmin.local, ktutil and k5srvutil man
pages to man1 from man8. This updates the section within the man
page.
ticket: 6483
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22339
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:56:33 +0000 (20:56 +0000)]
pull up r22323 from trunk
------------------------------------------------------------------------
r22323 | ghudson | 2009-05-07 15:51:46 -0400 (Thu, 07 May 2009) | 8 lines
Changed paths:
M /trunk/src/lib/kadm5/srv/svr_policy.c
M /trunk/src/lib/kadm5/unit-test/api.0/crte-policy.exp
M /trunk/src/lib/kadm5/unit-test/api.2/crte-policy.exp
ticket: 6482
subject: Allow more than 10 past keys to be stored by a policy
target_version: 1.7
tags: pullup
Remove the arbitrary limit of 10 past keys in policies. We were not
taking advantage of that limit in any other code.
ticket: 6482
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22338
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:56:16 +0000 (20:56 +0000)]
pull up r22319 from trunk
------------------------------------------------------------------------
r22319 | ghudson | 2009-05-06 14:52:44 -0400 (Wed, 06 May 2009) | 5 lines
Changed paths:
M /trunk/src/lib/krb5/krb/preauth2.c
ticket: 6210
In pa_sam, use the correct function to free sam_challenge in the
success path.
ticket: 6210
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22337
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:59 +0000 (20:55 +0000)]
pull up r22310 from trunk
------------------------------------------------------------------------
r22310 | ghudson | 2009-05-05 12:30:19 -0400 (Tue, 05 May 2009) | 5 lines
Changed paths:
M /trunk/src/lib/krb5/krb/get_in_tkt.c
ticket: 6401
In krb5_get_in_tkt, free the whole encoded request (since the
structure was allocated by encode_krb5_as_req), not just the contents.
ticket: 6401
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22336
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:57 +0000 (20:55 +0000)]
pull up r22298 from trunk
------------------------------------------------------------------------
r22298 | hartmans | 2009-04-30 16:17:42 -0400 (Thu, 30 Apr 2009) | 10 lines
Changed paths:
M /trunk/src/lib/crypto/des/Makefile.in
M /trunk/src/lib/crypto/des/des_int.h
A /trunk/src/lib/crypto/des/des_prf.c (from /trunk/src/lib/crypto/dk/dk_prf.c:22295)
M /trunk/src/lib/crypto/etypes.c
M /trunk/src/lib/crypto/t_cf2.comments
M /trunk/src/lib/crypto/t_cf2.expected
M /trunk/src/lib/crypto/t_cf2.in
ticket: 5587
Tags: pullup
Implement DES and 3DES PRF. Patch from KAMADA Ken'ichi
Currently the DES and 3DES PRF output 16-byte results. This is
consistent with RFC 3961, but we need to confirm it is consistent with
Heimdal and WG decisions. See IETF 74 minutes for some discussion of
the concern as it applies to AES and thus possibly all simplified
profile enctypes.
ticket: 5587
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22335
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:54 +0000 (20:55 +0000)]
pull up r22292 from trunk
------------------------------------------------------------------------
r22292 | hartmans | 2009-04-29 20:38:48 -0400 (Wed, 29 Apr 2009) | 10 lines
Changed paths:
M /trunk/src/kdc/kdc_preauth.c
ticket: 6480
Subject: Do not return PREAUTH_FAILED on unknown preauth
Target_Version: 1.7
Tags: pullup
If the KDC receives unknown pre-authentication data then ignore it.
Do not get into a case where PREAUTH_FAILED is returned because of
unknown pre-authentication. The main AS loop will cause
PREAUTH_REQUIRED to be returned if the preauth_required flag is set
and no valid preauth is found.
ticket: 6480
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22334
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:51 +0000 (20:55 +0000)]
pull up r22291 from trunk
------------------------------------------------------------------------
r22291 | ghudson | 2009-04-29 19:21:21 -0400 (Wed, 29 Apr 2009) | 9 lines
Changed paths:
M /trunk/src/include/k5-err.h
M /trunk/src/include/k5-int.h
M /trunk/src/lib/krb5/krb/kerrs.c
M /trunk/src/lib/krb5/libkrb5.exports
M /trunk/src/util/support/errors.c
M /trunk/src/util/support/libkrb5support-fixed.exports
ticket: 6479
subject: Add DEBUG_ERROR_LOCATIONS support
If DEBUG_ERROR_LOCATIONS is defined, replace uses of
krb5_set_error_message and krb5int_set_error with calls to the new
_fl variants of those functions, and include filename and line number
information in the calls. Requires C99-style variadic macros if
defined.
ticket: 6479
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22333
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:48 +0000 (20:55 +0000)]
pull up r22290 from trunk
------------------------------------------------------------------------
r22290 | tlyu | 2009-04-28 20:31:50 -0400 (Tue, 28 Apr 2009) | 5 lines
Changed paths:
M /trunk/src/clients/ksu/krb_auth_su.c
ticket: 6472
target_version: 1.7
tags: pullup
Fix typo in error message reported by Marek Mahut (Red Hat).
ticket: 6472
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22332
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:45 +0000 (20:55 +0000)]
pull up r22283, r22288 from trunk. r22283 was not originally part of
this ticket but is a prereq for the mk_cred.c change.
------------------------------------------------------------------------
r22288 | ghudson | 2009-04-28 14:00:13 -0400 (Tue, 28 Apr 2009) | 14 lines
Changed paths:
M /trunk/src/lib/krb5/krb/mk_cred.c
M /trunk/src/lib/krb5/krb/mk_priv.c
M /trunk/src/lib/krb5/krb/mk_safe.c
ticket: 6478
subject: Fix handling of RET_SEQUENCE flag in mk_priv/mk_ncred
Regularize the handling of KRB5_AUTH_CONTEXT_RET_SEQUENCE in
krb5_mk_safe, krb5_mk_priv, and krb5_mk_ncred, using krb5_mk_safe as
a baseline. RET_SEQUENCE now implies DO_SEQUENCE for all three
functions, the sequence number is always incremented if it is used,
and outdata->seq is always set if RET_SEQUENCE is passed.
Note that in the corresponding rd_ functions, RET_SEQUENCE and
DO_SEQUENCE are independent flags, which is not consistent with the
above. This compromise is intended to preserve compatibility with
any working code which might exist using the RET_SEQUENCE flag.
------------------------------------------------------------------------
r22283 | ghudson | 2009-04-27 19:48:22 -0400 (Mon, 27 Apr 2009) | 5 lines
Changed paths:
M /trunk/src/lib/krb5/krb/mk_cred.c
Fix a few memory leaks in krb5_mk_ncred. Also tighten up the error
handling of the sequence number, only decreasing it if it was
increased. The handling of DO_SEQUENCE and RET_SEQUENCE may still be
flawed in some cases.
ticket: 6478
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22331
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:28 +0000 (20:55 +0000)]
pull up r22281 from trunk
------------------------------------------------------------------------
r22281 | ghudson | 2009-04-27 11:42:23 -0400 (Mon, 27 Apr 2009) | 8 lines
Changed paths:
M /trunk/src/include/kdb.h
M /trunk/src/include/kdb_ext.h
M /trunk/src/kadmin/cli/kadmin.M
M /trunk/src/kadmin/cli/kadmin.c
M /trunk/src/kdc/do_tgs_req.c
M /trunk/src/lib/kadm5/str_conv.c
ticket: 5596
Move KRB5_KDB_OK_AS_DELEGATE from kdb_ext.h to kdb.h. Add kadmin
support for the flag. In the KDC, remove the restriction on returning
the flag on cross-realm TGTs since there is now a defined meaning for
that (it allows ok-as-delegate to be honored on the foreign realm's
service tickets).
ticket: 5596
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22330
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:25 +0000 (20:55 +0000)]
pull up r22280 from trunk
------------------------------------------------------------------------
r22280 | raeburn | 2009-04-25 05:36:11 -0400 (Sat, 25 Apr 2009) | 9 lines
Changed paths:
M /trunk/src/lib/kadm5/admin.h
M /trunk/src/tests/misc/Makefile.in
M /trunk/src/tests/misc/deps
A /trunk/src/tests/misc/test_cxx_kadm5.cpp
ticket: 6477
subject: make installed headers C++-safe
target_version: 1.7
tags: pullup
Now that we're installing the kadm5 headers, they should be C++-safe
like the others. Wrap the content in 'extern "C"' if compiling as
C++. New test program to verify.
ticket: 6477
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22329 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:22 +0000 (20:55 +0000)]
pull up r22278 from trunk
------------------------------------------------------------------------
r22278 | ghudson | 2009-04-24 15:49:54 -0400 (Fri, 24 Apr 2009) | 9 lines
Changed paths:
M /trunk/src/lib/krb5/keytab/kt_file.c
ticket: 6475
status: open
tags: pullup
target_version: 1.7
In krb5_ktfileint_find_slot, don't continue the loop when we find a
final zero-length buffer. This is a minimal fix intended to be pulled
up to the 1.7 branch; a code cleanup commit will follow.
ticket: 6475
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22328 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:19 +0000 (20:55 +0000)]
pull up r22272 from trunk
------------------------------------------------------------------------
r22272 | ghudson | 2009-04-23 04:42:40 -0400 (Thu, 23 Apr 2009) | 7 lines
Changed paths:
M /trunk/src/lib/krb5/krb/gc_via_tkt.c
ticket: 6473
tags: pullup
In krb5_get_cred_via_tkt, strip the ok-as-delegate flag from
credentials obtained using a foreign TGT, unless the TGT also has
ok-as-delegate set.
ticket: 6473
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22327 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 29 Apr 2009 00:28:19 +0000 (00:28 +0000)]
Fix accidentally reversed description of allow_weak_crypto
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22289 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 22 Apr 2009 18:10:57 +0000 (18:10 +0000)]
krb5-1.7-beta1-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22271 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 22 Apr 2009 18:08:46 +0000 (18:08 +0000)]
README and patchlevel for krb5-1.7-beta1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22269 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 22 Apr 2009 16:20:49 +0000 (16:20 +0000)]
pull up r22267 from trunk
------------------------------------------------------------------------
r22267 | hartmans | 2009-04-22 09:30:00 -0400 (Wed, 22 Apr 2009) | 7 lines
Changed paths:
M /trunk/src/kadmin/cli/Makefile.in
M /trunk/src/kadmin/ktutil/Makefile.in
Ticket: 6474
Subject: move kadmin, ktutil, k5srvutil man pages to man1
Target_Version: 1.7
Tags: pullup
These binaries have been moved to /usr/bin so their manpages should
move from man8 to man1.
ticket: 6474
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22268 dc483132-0cff-0310-8789-dd5450dbe970