Tom Yu [Tue, 7 Feb 2012 00:02:56 +0000 (00:02 +0000)]
krb5-1.8.6
git-svn-id: svn://anonsvn.mit.edu/krb5/tags/krb5-1-8-6-final@25676
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 6 Feb 2012 23:59:36 +0000 (23:59 +0000)]
README and patchlevel.h for krb5-1.8.6
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@25675
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 11 Jan 2012 05:12:47 +0000 (05:12 +0000)]
krb5_server_decrypt_ticket_keytab wrongly succeeds
Pull up r25584 from trunk
------------------------------------------------------------------------
r25584 | ghudson | 2011-12-12 19:53:56 -0500 (Mon, 12 Dec 2011) | 9 lines
ticket: 7051
subject: krb5_server_decrypt_ticket_keytab wrongly succeeds
If krb5_server_decrypt_ticket_keytab doesn't find a key of the
appropriate enctype in an iterable keytab, it returns 0 (without
decrypting the ticket) due to a misplaced initialization of retval.
This bug causes kinit -k to claim "keytab entry valid" when it
shouldn't. Reported by mark@mproehl.net.
ticket: 7070
version_fixed: 1.8.6
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@25643
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 5 Dec 2011 22:29:06 +0000 (22:29 +0000)]
Fix failure interval of 0 in LDAP lockout code
pull up r25480 from trunk, minus a non-applying manpage patch
------------------------------------------------------------------------
r25480 | ghudson | 2011-11-20 00:19:45 -0500 (Sun, 20 Nov 2011) | 13 lines
ticket: 7021
subject: Fix failure interval of 0 in LDAP lockout code
target_version: 1.10
tags: pullup
A failure count interval of 0 caused krb5_ldap_lockout_check_policy to
pass the lockout check (but didn't cause a reset of the failure count
in krb5_ldap_lockout_audit). It should be treated as forever, as in
the DB2 back end.
This bug is the previously unknown cause of the assertion failure
fixed in CVE-2011-1528.
ticket: 7041
version_fixed: 1.8.6
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@25514
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 8 Nov 2011 22:21:36 +0000 (22:21 +0000)]
pull up r25444 from trunk
------------------------------------------------------------------------
r25444 | ghudson | 2011-11-06 00:32:34 -0500 (Sun, 06 Nov 2011) | 10 lines
ticket: 7003
subject: Fix month/year units in getdate
target_version: 1.10
tags: pullup
getdate strings like "1 month" or "next year" would fail some of the
time, depending on the value of stack garbage, because DSTcorrect()
doesn't set *error on success and RelativeMonth() doesn't initialize
error. Make DSTcorrect() responsible for setting *error in all cases.
ticket: 7012
version_fixed: 1.8.6
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@25464
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 8 Nov 2011 22:21:33 +0000 (22:21 +0000)]
Exit on error in kadmind kprop child
pull up r25433 from trunk
------------------------------------------------------------------------
r25433 | ghudson | 2011-11-04 01:53:23 -0400 (Fri, 04 Nov 2011) | 9 lines
ticket: 7000
subject: Exit on error in kadmind kprop child
target_version: 1.10
tags: pullup
When we fork from kadmind to dump the database and kprop to an iprop
slave, if we encounter an error in the child process we should exit
rather than returning to the main loop.
ticket: 7011
version_fixed: 1.8.6
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@25463
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 8 Nov 2011 22:21:29 +0000 (22:21 +0000)]
Fix intermediate key length in hmac-md5 checksum
pull up r25418 from trunk
------------------------------------------------------------------------
r25418 | ghudson | 2011-10-28 11:45:03 -0400 (Fri, 28 Oct 2011) | 9 lines
ticket: 6994
subject: Fix intermediate key length in hmac-md5 checksum
target_version: 1.10
tags: pullup
When using hmac-md5, the intermediate key length is the output of the
hash function (128 bits), not the input key length. Relevant if the
input key is not an RC4 key.
ticket: 7010
version_fixed: 1.8.6
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@25462
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 4 Nov 2011 23:51:23 +0000 (23:51 +0000)]
krb5-1.8.5-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@25440
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 4 Nov 2011 22:20:16 +0000 (22:20 +0000)]
README and patchlevel.h for krb5-1.8.5
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@25438
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 25 Oct 2011 19:58:29 +0000 (19:58 +0000)]
README and patchlevel.h for krb5-1.8.5-beta1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@25415
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 21 Oct 2011 17:45:05 +0000 (17:45 +0000)]
fix tar invocation in mkrel
pull up r25395 from trunk
------------------------------------------------------------------------
r25395 | tlyu | 2011-10-21 13:35:49 -0400 (Fri, 21 Oct 2011) | 10 lines
ticket: 6989
subject: fix tar invocation in mkrel
target_version: 1.10
tags: pullup
Fix the tar invocation in mkrel so that it defaults to using "tar" as
the tar program rather than "gtar".
This should probably be pulled up to at least 1.9 and 1.8 as well.
ticket: 6991
status: resolved
version_fixed: 1.8.5
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@25397
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 18 Oct 2011 20:19:15 +0000 (20:19 +0000)]
pull up r24909 from trunk
------------------------------------------------------------------------
r24909 | tlyu | 2011-05-02 16:57:23 -0400 (Mon, 02 May 2011) | 7 lines
ticket: 6906
subject: modernize doc/Makefile somewhat
status: open
Modernize doc/Makefile somewhat so that it can run more usefully on
modern non-Athena machines.
ticket: 6984
version_fixed: 1.8.5
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@25375
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 18 Oct 2011 18:54:13 +0000 (18:54 +0000)]
SA-2011-006 KDC denial of service [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529]
Fix null pointer dereference and assertion failure conditions that
could cause a denial of service.
ticket: 6983
version_fixed: 1.8.4
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@25370
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 28 Jun 2011 22:11:51 +0000 (22:11 +0000)]
work around Dejagnu failure on modern Tcl
Modern releases of Tcl (8.5 and later?) require use the special
procedure "unknown" to implement some autoloading functionality.
Dejagnu replaces "unknown" with its own definition, without chaining
to the original version of "unknown". This causes "clock format
[clock seconds]" to fail while trying to load the "msgcat" Tcl
package.
Use "exec date" instead of "clock format [clock seconds]" to work
around this bug.
(Also needs pullup to 1.7.)
ticket: 6926
version_fixed: 1.8.5
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24999
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 28 Jun 2011 22:11:47 +0000 (22:11 +0000)]
Memory leak in save_error_string_nocopy()
pull up r24693 from trunk
------------------------------------------------------------------------
r24693 | tlyu | 2011-03-08 15:53:55 -0500 (Tue, 08 Mar 2011) | 8 lines
ticket: 6844
tags: pullup
target_version: 1.9.1
Fix a memory leak independently found by Tim Pozdeev and Arlene Berry.
This change should be pulled up to the 1.8 and 1.7 branches as well.
ticket: 6925
version_fixed: 1.8.5
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24998
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 23 May 2011 19:27:52 +0000 (19:27 +0000)]
krb5-1.8.4-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24940
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 23 May 2011 19:25:10 +0000 (19:25 +0000)]
README and patchlevel for krb5-1.8.4
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24938
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 14 Apr 2011 22:04:13 +0000 (22:04 +0000)]
kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285]
back-port r24878 for 1.8-branch
------------------------------------------------------------------------
r24878 | tlyu | 2011-04-13 14:43:37 -0400 (Wed, 13 Apr 2011) | 11 lines
ticket: 6899
tags: pullup
target_version: 1.9.1
Fix the sole case in process_chpw_request() where a return could occur
without allocating the data pointer in the response. This prevents a
later free() of an invalid pointer in kill_tcp_or_rpc_connection().
Also initialize rep->data to NULL in process_chpw_request() and clean
up *response in dispatch() as an additional precaution.
ticket: 6900
status: resolved
version_fixed: 1.8.4
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24880
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 15 Mar 2011 23:50:09 +0000 (23:50 +0000)]
KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284]
pull up r24705 from trunk
------------------------------------------------------------------------
r24705 | tlyu | 2011-03-15 17:47:19 -0400 (Tue, 15 Mar 2011) | 8 lines
ticket: 6881
subject: KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284]
tags: pullup
target_version: 1.9.1
Fix a double-free condition in the KDC that can occur during an
AS-REQ when PKINIT is enabled.
ticket: 6882
status: resolved
version_fixed: 1.8.4
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24707
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 28 Feb 2011 17:42:32 +0000 (17:42 +0000)]
Don't reject AP-REQs based on PACs
back-port r24640 from trunk
------------------------------------------------------------------------
r24640 | ghudson | 2011-02-16 18:34:37 -0500 (Wed, 16 Feb 2011) | 14 lines
ticket: 6870
subject: Don't reject AP-REQs based on PACs
target_version: 1.9.1
tags: pullup
Experience has shown that it was a mistake to fail AP-REQ verification
based on failure to verify the signature of PAC authdata contained in
the ticket. We've had two rounds of interoperability issues with the
hmac-md5 checksum code, an interoperability issue OSX generating
unsigned PACs, and another problem where PACs are copied by older KDCs
from a cross-realm TGT into the service ticket. If a PAC signature
cannot be verified, just don't mark it as verified and continue on
with the AP exchange.
ticket: 6877
version_fixed: 1.8.4
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24671
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 28 Feb 2011 17:42:28 +0000 (17:42 +0000)]
hmac-md5 checksum doesn't work with DES keys
pull up r24639, r24641 from trunk
------------------------------------------------------------------------
r24641 | ghudson | 2011-02-18 10:06:57 -0500 (Fri, 18 Feb 2011) | 7 lines
ticket: 6869
Fix a conceptual bug in r24639: the intermediate key container length
should be the hash's output size, not its block size. (The bug did
not show up in testing because it is harmless in practice; MD5 has a
larger block size than output size.)
------------------------------------------------------------------------
r24639 | ghudson | 2011-02-16 17:52:41 -0500 (Wed, 16 Feb 2011) | 11 lines
ticket: 6869
subject: hmac-md5 checksum doesn't work with DES keys
target_version: 1.9
tags: pullup
krb5int_hmacmd5_checksum calculates an intermediate key using an HMAC.
The container for this key should be allocated using the HMAC output
size (which is the hash blocksize), not the original key size. This
bug was causing the function to fail with DES keys, which can be used
with hmac-md5 in PAC signatures.
ticket: 6876
version_fixed: 1.8.4
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24670
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 9 Feb 2011 23:31:56 +0000 (23:31 +0000)]
make depend
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24631
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 9 Feb 2011 22:19:02 +0000 (22:19 +0000)]
pull up r24603 from trunk
------------------------------------------------------------------------
r24603 | ghudson | 2011-01-24 19:23:48 -0500 (Mon, 24 Jan 2011) | 15 lines
ticket: 6852
subject: Make gss_krb5_set_allowable_enctypes work for the acceptor
target_version: 1.9.1
tags: pullup
With the addition of enctype negotiation in 1.7, a gss-krb5 acceptor
can choose an enctype for the acceptor subkey other than the one in
the keytab. If the resulting security context will be exported and
re-imported by another gss-krb5 implementation (such as one in the
kernel), the acceptor needs a way to restrict the set of negotiated
enctypes to those supported by the other implementation. We had that
functionality for the initiator already in the form of
gss_krb5_set_allowable_enctypes; this change makes it work for the
acceptor as well.
ticket: 6853
version_fixed: 1.8.4
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24630
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 9 Feb 2011 21:03:49 +0000 (21:03 +0000)]
KDC denial of service attacks [MITKRB5-SA-2011-002 CVE-2011-0281 CVE-2011-0282]
pull up r24622 from trunk, minus the fix for CVE-2011-0283, which is
only applicable to krb5-1.9 and later.
------------------------------------------------------------------------
r24622 | tlyu | 2011-02-09 15:25:08 -0500 (Wed, 09 Feb 2011) | 10 lines
ticket: 6860
subject: KDC denial of service attacks [MITKRB5-SA-2011-002 CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]
tags: pullup
target_version: 1.9.1
[CVE-2011-0281 CVE-2011-0282] Fix some LDAP back end principal name
handling that could cause the KDC to hang or crash.
[CVE-2011-0283] Fix a KDC null pointer dereference introduced in krb5-1.9.
ticket: 6862
version_fixed: 1.8.4
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24626
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 9 Feb 2011 21:03:45 +0000 (21:03 +0000)]
kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
pull up r24621 from trunk
------------------------------------------------------------------------
r24621 | tlyu | 2011-02-09 15:25:03 -0500 (Wed, 09 Feb 2011) | 8 lines
ticket: 6859
subject: kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
tags: pullup
target_version: 1.9.1
When operating in standalone mode and not doing iprop, don't return
from do_standalone() if the child exits with abnormal status.
ticket: 6861
version_fixed: 1.8.4
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24625
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 14 Dec 2010 23:25:13 +0000 (23:25 +0000)]
handle MS PACs that lack server checksum
backport r24564 from trunk
------------------------------------------------------------------------
r24564 | tlyu | 2010-12-09 20:06:26 -0500 (Thu, 09 Dec 2010) | 18 lines
ticket: 6839
subject: handle MS PACs that lack server checksum
target_version 1.9
tags: pullup
Apple Mac OS X Server's Open Directory KDC issues MS PAC like
authorization data that lacks a server checksum. If this checksum is
missing, mark the PAC as unverfied, but allow
krb5int_authdata_verify() to succeed. Filter out the unverified PAC
in subsequent calls to krb5_authdata_get_attribute(). Add trace
points to indicate where this behavior occurs.
Thanks to Helmut Grohne for help with analysis. This bug is also
Debian Bug #604925:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604925
This change should also get backported to krb5-1.8.x.
ticket: 6843
version_fixed: 1.8.4
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24574
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Sat, 4 Dec 2010 05:11:04 +0000 (05:11 +0000)]
SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
Apply patch for MITKRB5-SA-2010-007.
Fix multiple checksum handling bugs, as described in:
CVE-2010-1324
CVE-2010-1323
CVE-2010-4020
CVE-2010-4021
* Return the correct (keyed) checksums as the mandatory checksum type
for DES enctypes.
* Restrict simplified-profile checksums to their corresponding etypes.
* Add internal checks to reduce the risk of stream ciphers being used
with simplified-profile key derivation or other algorithms relying
on the block encryption primitive.
* Use the mandatory checksum type for the PKINIT KDC signature,
instead of the first-listed keyed checksum.
* Use the mandatory checksum type when sending KRB-SAFE messages by
default, instead of the first-listed keyed checksum.
* Use the mandatory checksum type for the t_kperf test program.
* Use the mandatory checksum type (without additional logic) for the
FAST request checksum.
* Preserve the existing checksum choices (unkeyed checksums for DES
enctypes) for the authenticator checksum, using explicit logic.
* Ensure that SAM checksums received from the KDC are keyed.
* Ensure that PAC checksums are keyed.
ticket: 6833
target_version: 1.8.4
version_fixed: 1.8.4
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24560
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 15 Oct 2010 21:42:29 +0000 (21:42 +0000)]
pull up r24370 from trunk
------------------------------------------------------------------------
r24370 | ghudson | 2010-09-28 15:09:11 -0400 (Tue, 28 Sep 2010) | 9 lines
ticket: 6790
target_version: 1.8.4
tags: pullup
Make krb5_dbe_def_search_enctype skip key data entries with invalid
enctypes instead of erroring out on them. We had this behavior prior
to 1.8 (more by accident than by design), but it changed as a
side-effect of r23599.
ticket: 6790
target_version: 1.8.4
version_fixed: 1.8.4
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24461
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 15 Oct 2010 21:42:25 +0000 (21:42 +0000)]
pull up r24399 from trunk
------------------------------------------------------------------------
r24399 | ghudson | 2010-09-30 23:45:43 -0400 (Thu, 30 Sep 2010) | 12 lines
ticket: 6768
subject: GSSAPI forwarded credentials must be encrypted in session key
target_version: 1.8.4
tags: pullup
When IAKERB support was added, the krb5_mk_req checksum function
gained access to the send subkey. This caused GSSAPI forwarded
credentials to be encrypted in the subkey, which violates RFC 4121
section 4.1.1 and is not accepted by Microsoft's implementation.
Temporarily null out the send subkey in the auth context so that
krb5_mk_ncred uses the session key instead.
ticket: 6768
version_fixed: 1.8.4
target_version: 1.8.4
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24460
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 15 Oct 2010 21:42:22 +0000 (21:42 +0000)]
pull up r24286 from trunk
------------------------------------------------------------------------
r24286 | ghudson | 2010-09-02 11:35:25 -0400 (Thu, 02 Sep 2010) | 7 lines
ticket: 6764
tags: pullup
target_version: 1.8.4
Properly search for MANDATORY-FOR-KDC authdata elements. Reported by
Mike Roszkowski.
ticket: 6764
target_version: 1.8.4
version_fixed: 1.8.4
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24459
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 15 Oct 2010 21:42:17 +0000 (21:42 +0000)]
pull up r24441 from trunk
------------------------------------------------------------------------
r24441 | ghudson | 2010-10-07 13:50:06 -0400 (Thu, 07 Oct 2010) | 6 lines
ticket: 6701
target_version: 1.8.4
tags: pullup
Fix a typo in kerberos.ldif. Reported by nalin@redhat.com.
ticket: 6701
version_fixed: 1.8.4
target_version: 1.8.4
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24458
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 7 Oct 2010 17:22:55 +0000 (17:22 +0000)]
pull up r24438 from trunk
------------------------------------------------------------------------
r24438 | tlyu | 2010-10-06 19:57:37 -0400 (Wed, 06 Oct 2010) | 11 lines
ticket: 6798
subject: set NT-SRV-INST on TGS principal names
tags: pullup
target_version: 1.8.4
Set NT-SRV-INST on TGS principal names in
get_in_tkt.c:build_in_tkt_name because Windows Server 2008 R2 RODC
insists on it.
Thanks to Bill Fellows for reporting this problem.
ticket: 6798
version_fixed: 1.8.4
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24439
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 5 Oct 2010 22:32:34 +0000 (22:32 +0000)]
pull up r24429 from trunk
------------------------------------------------------------------------
r24429 | tlyu | 2010-10-05 17:05:19 -0400 (Tue, 05 Oct 2010) | 14 lines
ticket: 6797
subject: CVE-2010-1322 KDC uninitialized pointer crash in authorization data handling (MITKRB5-SA-2010-006)
tags: pullup
target_version: 1.8.4
When the KDC receives certain TGS-REQ messages, it may dereference an
uninitialized pointer while processing authorization data, causing a
crash, or in rare cases, unauthorized information disclosure, ticket
modification, or execution of arbitrary code. The crash may be
triggered by legitimate requests.
Correctly implement the filtering of authorization data items to avoid
leaving uninitialized pointers when omitting items.
ticket: 6797
status: resolved
version_fixed: 1.8.4
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24431
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 5 Aug 2010 18:36:52 +0000 (18:36 +0000)]
krb5-1.8.3-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24233
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 4 Aug 2010 16:37:30 +0000 (16:37 +0000)]
README for krb5-1.8.3 final
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24230
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 23 Jul 2010 20:39:45 +0000 (20:39 +0000)]
krb5-1.8.3-beta1-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24209
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 23 Jul 2010 20:25:17 +0000 (20:25 +0000)]
README and patchlevel.h for krb5-1.8.3-beta1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24207
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 21 Jul 2010 17:55:42 +0000 (17:55 +0000)]
pull up r24141 from trunk
------------------------------------------------------------------------
r24141 | ghudson | 2010-06-21 15:56:29 -0400 (Mon, 21 Jun 2010) | 10 lines
ticket: 6345
target_version: 1.8.3
tags: pullup
kdb5_stash() contains its own kdb5_db_open() call (because it doesn't
use util_context for some reason), which didn't work with the LDAP
back end because LDAP doesn't recognize KRB5_KDB_SRV_TYPE_OTHER. As a
minimal fix, change that to KRB5_KDB_SRV_TYPE_ADMIN to be consistent
with open_db_and_mkey()--see also r18736.
ticket: 6345
version_fixed: 1.8.3
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24199
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 20 Jul 2010 22:28:51 +0000 (22:28 +0000)]
pull up r24191 from trunk
------------------------------------------------------------------------
r24191 | ghudson | 2010-07-19 01:01:45 -0400 (Mon, 19 Jul 2010) | 15 lines
ticket: 6751
subject: Allow Microsoft HMAC-MD5 checksum types to use non-RC4 keys
target_version: 1.8.3
tags: pullup
In PAC signatures, the hmac-md5 checksum type can be used with AES
keys. Make this work by removing the enc field from the hmac-md5 and
md5-hmac checksum types, and adding a check in
krb5int_hmacmd5_checksum() for a null key or a key which is longer
than the hash block size (64 bytes for MD5). The checksum algorithm
only uses the key bits; it does invoke the cipher.
The checksum type names are kind of wrong, but we'll leave them alone
for compatibility. The descriptions are updated.
ticket: 6751
version_fixed: 1.8.3
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24198
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 20 Jul 2010 22:28:48 +0000 (22:28 +0000)]
pull up r24176 from trunk
------------------------------------------------------------------------
r24176 | ghudson | 2010-07-07 16:52:06 -0400 (Wed, 07 Jul 2010) | 7 lines
ticket: 6750
target_version: 1.8.3
tags: pullup
Add a missing break in the parsing of krb5kdc's -P option. Reported
by nalin@redhat.com.
ticket: 6750
version_fixed: 1.8.3
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24197
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 20 Jul 2010 22:28:44 +0000 (22:28 +0000)]
pull up r24139 from trunk
------------------------------------------------------------------------
r24139 | ghudson | 2010-06-21 11:18:37 -0400 (Mon, 21 Jun 2010) | 12 lines
ticket: 6745
subject: Add correct error table when initializing gss-krb5
target_version: 1.8.3
tags: pullup
gss_krb5int_lib_init was adding the generic GSS error table (again)
instead of the krb5 error table, which could lead to crashes on
library unload. This bug was introduced in krb5 1.7; the fix is also
applicable there.
Patch from Leonardo Chiquitto <leonardo.lists@gmail.com>.
ticket: 6745
version_fixed: 1.8.3
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24196
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 20 Jul 2010 22:28:41 +0000 (22:28 +0000)]
pull up r24138 from trunk
------------------------------------------------------------------------
r24138 | tlyu | 2010-06-18 15:41:48 -0400 (Fri, 18 Jun 2010) | 13 lines
ticket: 6744
subject: only test t_locate_kdc if known-good DNS name is present
target_version: 1.8.3
tags: pullup
Running "make check" while offline or on a firewalled network may
result in failure in lib/krb5/os because the invocation of
t_locate_kdc requires that the DNS servers for ATHENA.MIT.EDU be
reachable. Autodetect DNS utilities "dig" and "nslookup", and use
them to check for existence of the known-good DNS name. Also
parameterize the test so that the known-good DNS name can be
overridden on the make command line.
ticket: 6744
version_fixed: 1.8.3
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24195
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 20 Jul 2010 22:28:35 +0000 (22:28 +0000)]
pull up r24137 from trunk
------------------------------------------------------------------------
r24137 | ghudson | 2010-06-14 16:46:27 -0400 (Mon, 14 Jun 2010) | 7 lines
ticket: 6738
target_version: 1.8.3
tags: pullup
In PKINIT, notice if DH_compute_key() returns a value less than the
buffer size, and pad it on the left if so.
ticket: 6738
version_fixed: 1.8.3
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24194
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 10 Jun 2010 21:14:34 +0000 (21:14 +0000)]
pull up r24123 from trunk
------------------------------------------------------------------------
r24123 | ghudson | 2010-06-08 14:18:03 -0400 (Tue, 08 Jun 2010) | 11 lines
ticket: 6740
subject: kadmin ktadd may display wrong name of default keytab
target_version: 1.8.2
tags: pullup
kadmin's ktadd (and ktrem) displays WRFILE:/etc/krb5.keytab whenever
it uses the default keytab, even if the default has been overridden
(e.g. by KRB5_KTNAME). Use krb5_kt_get_name to get the correct name
of the default cache instead of displaying the string we think was
used to open it.
ticket: 6740
version_fixed: 1.8.3
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24131
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 10 Jun 2010 21:14:26 +0000 (21:14 +0000)]
pull up r24120, r24121 from trunk
------------------------------------------------------------------------
r24120 | ghudson | 2010-06-08 12:14:24 -0400 (Tue, 08 Jun 2010) | 12 lines
ticket: 6739
target_version: 1.8.2
tags: pullup
Stop checking the current time against the context expiration time in
the message wrap/unwrap functions in the krb5 GSS mech. Heimdal
doesn't do it, and it generally results in poor app behavior when a
ticket expires. In exchange, it doesn't provide much security benefit
since it's not enforced across the board--for example, ssh sessions
can persist beyond ticket expiration time since they don't use GSS to
wrap payload data.
ticket: 6739
version_fixed: 1.8.3
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24130
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 10 Jun 2010 18:29:35 +0000 (18:29 +0000)]
krb5-1.8.2-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24129
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 10 Jun 2010 18:14:11 +0000 (18:14 +0000)]
README and patchlevel for krb5-1.8.2
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24127
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 28 May 2010 23:00:02 +0000 (23:00 +0000)]
krb5-1.8.2-beta1-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24114
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 28 May 2010 22:55:45 +0000 (22:55 +0000)]
README and patchlevel.h for krb5-1.8.2-beta1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24112
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 28 May 2010 18:41:45 +0000 (18:41 +0000)]
pull up r24102 from trunk
------------------------------------------------------------------------
r24102 | ghudson | 2010-05-24 22:44:45 -0400 (Mon, 24 May 2010) | 11 lines
ticket: 6734
subject: FAST negotiation could erroneously succeed
target_version: 1.8.2
tags: pullup
When FAST negotiation is performed against an older KDC
(rep->enc_part2->flags & TKT_FLG_ENC_PA_REP not set),
krb5int_fast_verify_nego did not set the value of *fast_avail, causing
stack garbage to be used in init_creds_step_reply. Initialize
*fast_avail at the beginning of the function per coding practices.
ticket: 6734
version_fixed: 1.8.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24111
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 20 May 2010 22:57:53 +0000 (22:57 +0000)]
pull up r24074 from trunk
------------------------------------------------------------------------
r24074 | tlyu | 2010-05-20 16:42:26 -0400 (Thu, 20 May 2010) | 11 lines
ticket: 6730
subject: kdc_tcp_ports not documented in kdc.conf.M
target_version: 1.8.2
tags: pullup
The kdc.conf setting kdc_tcp_ports was not documented in kdc.conf.M,
though it was documented in doc/admin.texinfo. Copy text from there
for now. The setting defaults to an empty string at the moment,
causing the KDC to not listen on TCP by default, confusing some users.
Changing this behavior is a separate issue.
ticket: 6730
version_fixed: 1.8.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24077
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 20 May 2010 22:57:50 +0000 (22:57 +0000)]
pull up r24075 from trunk
------------------------------------------------------------------------
r24075 | tlyu | 2010-05-20 17:32:47 -0400 (Thu, 20 May 2010) | 8 lines
ticket: 6726
target_version: 1.8.2
tags: pullup
Apply patch from Arlene Berry to detect and ignore a duplicate
mechanism token sent in the mechListMIC field, such as sent by Windows
2000 Server.
ticket: 6726
version_fixed: 1.8.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24076
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 20 May 2010 20:41:16 +0000 (20:41 +0000)]
pull up r24055 from trunk
------------------------------------------------------------------------
r24055 | ghudson | 2010-05-18 13:19:15 -0400 (Tue, 18 May 2010) | 6 lines
ticket: 6562
When parsing a KDC or admin server string, allow the name or address
to be enclosed in brackets so that IPv6 addresses can be represented.
(IPv6 addresses contain colons, which look like port separators.)
ticket: 6562
version_fixed: 1.8.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24073
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 19 May 2010 18:52:54 +0000 (18:52 +0000)]
pull up r24056 from trunk
------------------------------------------------------------------------
r24056 | tlyu | 2010-05-19 14:09:37 -0400 (Wed, 19 May 2010) | 8 lines
ticket: 6725
subject: CVE-2010-1321 GSS-API lib null pointer deref (MITKRB5-SA-2010-005)
tags: pullup
target_version: 1.8.2
Make krb5_gss_accept_sec_context() check for a null authenticator
checksum pointer before attempting to dereference it.
ticket: 6725
version_fixed: 1.8.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24063
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 19 May 2010 18:52:49 +0000 (18:52 +0000)]
pull up r24020 from trunk
------------------------------------------------------------------------
r24020 | ghudson | 2010-05-13 14:49:20 -0400 (Thu, 13 May 2010) | 8 lines
ticket: 6722
subject: Error handling bug in krb5_init_creds_init()
tags: pullup
target_version: 1.8.2
Fix a bug in krb5_init_creds_init() where a freed context could be
returned to the caller in certain error cases.
ticket: 6722
version_fixed: 1.8.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24062
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 19 May 2010 18:52:46 +0000 (18:52 +0000)]
pull up r24002 from trunk
------------------------------------------------------------------------
r24002 | ghudson | 2010-05-10 18:23:57 -0400 (Mon, 10 May 2010) | 14 lines
ticket: 6718
subject: Make KADM5_FAIL_AUTH_COUNT_INCREMENT more robust with LDAP
target_version: 1.8.2
tags: pullup
In krb5_ldap_put_principal, use krb5_get_attributes_mask to determine
whether krbLoginFailedCount existed on the entry when it was
retrieved. If it didn't exist, don't try to use LDAP_MOD_INCREMENT,
and don't assert an old value when not using LDAP_MOD_INCREMENT.
Also, create the krbLoginFailedCount attribute when creating new
entries. This allows us to use LDAP_MOD_INCREMENT during the first
failed login (if the server supports it), avoiding a race condition.
ticket: 6718
version_fixed: 1.8.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24061
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 19 May 2010 18:52:43 +0000 (18:52 +0000)]
pull up r23959 from trunk
------------------------------------------------------------------------
r23959 | tlyu | 2010-04-30 17:10:55 -0400 (Fri, 30 Apr 2010) | 8 lines
ticket: 6711
subject: memory leak in process_tgs_req in r23724
tags: pullup
target_version: 1.8.2
Fix a KDC memory leak that was introduced by r23724 that could leak
the decoded request.
ticket: 6711
version_fixed: 1.8.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24060
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 19 May 2010 18:52:39 +0000 (18:52 +0000)]
pull up r23928 from trunk
------------------------------------------------------------------------
r23928 | tlyu | 2010-04-22 21:10:20 -0400 (Thu, 22 Apr 2010) | 10 lines
ticket: 6698
target_version: 1.8.2
tags: pullup
Adapted patch from Jason Rogers. It wasn't complete, so this commit
fixes the other instances of the 64-bit problem.
Also fix krb5_deltat_to_str(), which would previously always return an
empty string.
ticket: 6698
version_fixed: 1.8.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24059
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 19 May 2010 18:52:36 +0000 (18:52 +0000)]
pull up r23929 from trunk
------------------------------------------------------------------------
r23929 | tlyu | 2010-04-22 21:30:48 -0400 (Thu, 22 Apr 2010) | 7 lines
ticket: 6697
target_version: 1.8.2
tags: pullup
Adapted patch from Arlene Berry to handle dlerror() returning a null
pointer.
ticket: 6697
version_fixed: 1.8.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24058
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 19 May 2010 18:52:32 +0000 (18:52 +0000)]
pull up r23925 from trunk
------------------------------------------------------------------------
r23925 | tlyu | 2010-04-22 16:04:01 -0400 (Thu, 22 Apr 2010) | 8 lines
ticket: 6696
target_version: 1.8.2
tags: pullup
Apply patch from Arlene Berry to cease freeing error tokens output by
accept_sec_context, allowing them to actually be sent to the
initiator.
ticket: 6696
version_fixed: 1.8.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24057
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 20 Apr 2010 22:37:22 +0000 (22:37 +0000)]
pull up r23912 from trunk
------------------------------------------------------------------------
r23912 | tlyu | 2010-04-20 17:12:10 -0400 (Tue, 20 Apr 2010) | 11 lines
ticket: 6702
target_version: 1.8.2
tags: pullup
Fix CVE-2010-1230 (MITKRB5-SA-2010-004) double-free in KDC triggered
by ticket renewal. Add a test case.
See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577490
Thanks to Joel Johnson and Brian Almeida for the reports.
ticket: 6702
version_fixed: 1.8.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23914
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 8 Apr 2010 20:35:03 +0000 (20:35 +0000)]
krb5-1.8.1-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23880
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 8 Apr 2010 20:33:32 +0000 (20:33 +0000)]
README and patchlevel.h for krb5-1.8.1 final
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23878
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 30 Mar 2010 01:54:21 +0000 (01:54 +0000)]
krb5-1.8.1-beta2-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23849
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 30 Mar 2010 01:52:51 +0000 (01:52 +0000)]
README and patchlevel for krb5-1.8.1-beta2
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23847
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 30 Mar 2010 01:51:11 +0000 (01:51 +0000)]
make depend
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23846
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 30 Mar 2010 01:51:04 +0000 (01:51 +0000)]
pull up r23844 from trunk
------------------------------------------------------------------------
r23844 | ghudson | 2010-03-29 18:08:21 -0400 (Mon, 29 Mar 2010) | 9 lines
ticket: 6693
subject: Fix backwards flag output in krb5_init_creds_step()
tags: pullup
target_version: 1.8.1
krb5_init_creds_step() is taken from Heimdal, which sets *flags to 1
for "continue" and 0 for "stop". Unfortunately, we got it backwards
in 1.8; fix it for 1.8.1.
ticket: 6693
version_fixed: 1.8.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23845
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Sun, 28 Mar 2010 23:00:08 +0000 (23:00 +0000)]
krb5-1.8.1-beta1-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23841
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Sun, 28 Mar 2010 22:47:01 +0000 (22:47 +0000)]
README and patchlevel for krb5-1.8.1-beta1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23839
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 23 Mar 2010 22:31:00 +0000 (22:31 +0000)]
pull up r23834 from trunk
------------------------------------------------------------------------
r23834 | tlyu | 2010-03-23 15:00:13 -0700 (Tue, 23 Mar 2010) | 7 lines
ticket: 6678
target_version: 1.8.1
tags: pullup
Apply patch from Arlene Berry to not use freed memory in
gss_import_sec_context in some error paths.
ticket: 6678
version_fixed: 1.8.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23835
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 23 Mar 2010 19:08:53 +0000 (19:08 +0000)]
pull up r23832 from trunk
------------------------------------------------------------------------
r23832 | tlyu | 2010-03-23 11:53:52 -0700 (Tue, 23 Mar 2010) | 8 lines
ticket: 6690
target_version: 1.8.1
tags: pullup
subject: MITKRB5-SA-2010-002 CVE-2010-0628 denial of service in SPNEGO
The SPNEGO implementation in krb5-1.7 and later could crash due to
assertion failure when receiving some sorts of invalid GSS-API tokens.
ticket: 6690
version_fixed: 1.8.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23833
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 23 Mar 2010 07:21:04 +0000 (07:21 +0000)]
pull up r23829 from trunk
------------------------------------------------------------------------
r23829 | tlyu | 2010-03-22 23:09:02 -0700 (Mon, 22 Mar 2010) | 10 lines
ticket: 6689
target_version: 1.8.1
tags: pullup
subject: krb5_typed_data not castable to krb5_pa_data on 64-bit MacOSX
Move krb5_typed_data to krb5.hin from k5-int-pkinit.h because
krb5int_fast_process_error was assuming that it was safe to cast it to
krb5_pa_data. It's not safe to do the cast on 64-bit MacOSX because
krb5.hin uses #pragma pack on that platform.
ticket: 6689
version_fixed: 1.8.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23830
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 23 Mar 2010 01:58:29 +0000 (01:58 +0000)]
pull up r23821 from trunk
------------------------------------------------------------------------
r23821 | ghudson | 2010-03-19 20:50:06 -0700 (Fri, 19 Mar 2010) | 17 lines
ticket: 6687
subject: Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
target_version: 1.8.1
tags: pullup
KRB5_AUTHDATA_SIGNTICKET, originally a Heimdal authorization data
type, was used to implement PAC-less constrained delegation in krb5
1.8. Unfortunately, it was found that Microsoft was using 142 for
other purposes, which could result in a ticket issued by an MIT or
Heimdal KDC being rejected by a Windows Server 2008 R2 application
server. Because KRB5_AUTHDATA_SIGNTICKET is only used to communicate
among a realm's KDCs, it is relatively easy to change the number, so
MIT and Heimdal are both migrating to a new number. This change will
cause a transitional interoperability issue when a realm mixes MIT
krb5 1.8 (or Heimdal 1.3.1) KDCs with MIT krb5 1.8.1 (or Heimdal
1.3.2) KDCs, but only for constrained delegation evidence tickets.
ticket: 6687
version_fixed: 1.8.1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23828
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 23 Mar 2010 01:58:22 +0000 (01:58 +0000)]
pull up r23820 from trunk
------------------------------------------------------------------------
r23820 | ghudson | 2010-03-19 09:17:05 -0700 (Fri, 19 Mar 2010) | 7 lines
ticket: 6680
target_version: 1.8.1
tags: pullup
Document the ticket_lifetime libdefaults setting (which was added in
r16656, #2656). Based on a patch from nalin@redhat.com.
ticket: 6680
version_fixed: 1.8.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23827
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 23 Mar 2010 01:58:15 +0000 (01:58 +0000)]
pull up r23819 from trunk
------------------------------------------------------------------------
r23819 | ghudson | 2010-03-18 10:37:31 -0700 (Thu, 18 Mar 2010) | 7 lines
ticket: 6683
target_version: 1.8.1
tags: pullup
Fix the kpasswd fallback from the ccache principal name to the
username in the case where the ccache doesn't exist.
ticket: 6683
version_fixed: 1.8.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23826
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 23 Mar 2010 01:58:07 +0000 (01:58 +0000)]
pull up r23815 from trunk
------------------------------------------------------------------------
r23815 | ghudson | 2010-03-17 14:10:10 -0700 (Wed, 17 Mar 2010) | 7 lines
ticket: 6681
target_version: 1.8.1
tags: pullup
When checking for KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT, don't
dereference options if it's NULL.
ticket: 6681
version_fixed: 1.8.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23825
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 23 Mar 2010 01:58:00 +0000 (01:58 +0000)]
pull up r23810 from trunk
------------------------------------------------------------------------
r23810 | tlyu | 2010-03-16 12:14:33 -0700 (Tue, 16 Mar 2010) | 8 lines
ticket: 6685
target_version: 1.8.1
subject: handle NT_SRV_INST in service principal referrals
Handle NT_SRV_INST in service principal cross-realm referrals, as
Windows apparently uses that instead of NT_SRV_HST for at least some
service principals.
ticket: 6685
version_fixed: 1.8.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23824
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 15 Mar 2010 23:50:52 +0000 (23:50 +0000)]
pull up r23766 from trunk
------------------------------------------------------------------------
r23766 | ghudson | 2010-03-05 12:45:46 -0500 (Fri, 05 Mar 2010) | 10 lines
ticket: 6676
subject: Ignore improperly encoded signedpath AD elements
target_version: 1.8.1
tags: pullup
We have some reason to believe Microsoft and Heimdal are both using
the authdata value 142 for different purposes, leading to failures in
verify_ad_signedpath(). For better interoperability, treat such
tickets as unsigned, rather than invalid.
ticket: 6676
version_fixed: 1.8.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23809
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 15 Mar 2010 23:50:49 +0000 (23:50 +0000)]
pull up r23772 from trunk
------------------------------------------------------------------------
r23772 | ghudson | 2010-03-05 15:35:26 -0500 (Fri, 05 Mar 2010) | 7 lines
ticket: 6674
target_version: 1.8.1
tags: pullup
Release the internal_name field of a SPNEGO context if it has not been
claimed for a caller argument.
ticket: 6674
status: resolved
version_fixed: 1.8.1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23808
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 15 Mar 2010 23:50:46 +0000 (23:50 +0000)]
pull up r23749 from trunk
------------------------------------------------------------------------
r23749 | ghudson | 2010-02-24 13:57:08 -0500 (Wed, 24 Feb 2010) | 9 lines
ticket: 6668
subject: Two problems in kadm5_get_principal mask handling
target_version: 1.8
tags: pullup
KADM5_MOD_NAME was being applied to entry->principal instead of
entry->mod_name. KADM5_MKVNO was not being applied to entry->mkvno.
Patch from Marcus Watts <mdw@umich.edu>.
ticket: 6668
version_fixed: 1.8.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23807
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 15 Mar 2010 23:50:40 +0000 (23:50 +0000)]
pull up r23767 from trunk
------------------------------------------------------------------------
r23767 | ghudson | 2010-03-05 14:19:42 -0500 (Fri, 05 Mar 2010) | 7 lines
ticket: 6661
target_version: 1.8.1
tags: pullup
Add IPv6 support to changepw.c (reverting r21004 since it is no longer
necessary). Patch from Submit Bose <sbose@redhat.com>.
ticket: 6661
version_fixed: 1.8.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23806
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 10 Mar 2010 20:33:05 +0000 (20:33 +0000)]
Revert KRB5_CONF_ macro change intended for trunk
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23797
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Wed, 10 Mar 2010 15:59:30 +0000 (15:59 +0000)]
Use KRB5_CONF_ macros instead of strings in source for profile config arguments "default" and "logging"
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23795
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 2 Mar 2010 18:21:06 +0000 (18:21 +0000)]
krb5-1.8-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23762
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 2 Mar 2010 18:13:43 +0000 (18:13 +0000)]
README and patchlevel.h for krb5-1.8 final
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23760
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 25 Feb 2010 21:28:29 +0000 (21:28 +0000)]
krb5-1.8-beta2-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23755
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 25 Feb 2010 21:28:22 +0000 (21:28 +0000)]
README and patchlevel.h for krb5-1.8-beta2
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23754
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 25 Feb 2010 20:14:21 +0000 (20:14 +0000)]
pull up r23750 from trunk
------------------------------------------------------------------------
r23750 | tlyu | 2010-02-25 15:09:45 -0500 (Thu, 25 Feb 2010) | 7 lines
ticket: 6669
target_version: 1.8
tags: pullup
subject: doc updates for allow_weak_crypto
Update documentation to be more helpful about allow_weak_crypto.
ticket: 6669
version_fixed: 1.8
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23751
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 23 Feb 2010 00:25:58 +0000 (00:25 +0000)]
pull up r23742 from trunk
------------------------------------------------------------------------
r23742 | ghudson | 2010-02-21 23:52:30 -0500 (Sun, 21 Feb 2010) | 24 lines
ticket: 6603
target_version: 1.8
tags: pullup
Fix two unrelated problems in SPNEGO which don't crop up with the krb5
mechanism.
1. The third call to spnego_init_accept_context uses faulty logic to
determine if the exchange is complete, preventing a third mech token
from being sent to the acceptor if no MIC exchange is required.
Follow the logic used in the second call (in init_ctx_nego), which is
correct.
2. If the acceptor selects a mech other than the optimistic mech, it
sets sc->mic_reqd to 1 whether or not the selected mech supports MICs
(which isn't known until the mech completes). Most code outside of
handle_mic checks sc->mic_reqd along with (sc->ctx_flags &
GSS_C_INTEG_FLAG), but the code in acc_ctx_call_acc neglected to do
so, so it could improperly delegate responsibility for deciding when
the negotiation was finished to handle_mic--which never gets called if
(sc->ctx_flags & GSS_C_INTEG_FLAG) is false. Fix acc_ctx_call_acc to
check sc->ctx_flags so that mechs which don't support integrity
protection can complete if they are selected non-optimistically.
ticket: 6603
version_fixed: 1.8
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23748
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 23 Feb 2010 00:25:54 +0000 (00:25 +0000)]
pull up r23735 from trunk
------------------------------------------------------------------------
r23735 | ghudson | 2010-02-18 13:49:11 -0500 (Thu, 18 Feb 2010) | 8 lines
ticket: 6659
target_version: 1.8
tags: pullup
The TGS code was not freeing authdata. This is an old leak which was
made more evident in 1.8 by the addition of ad-signedpath authdata
appearing in most tickets issued through the TGS path.
ticket: 6659
version_fixed: 1.8
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23747
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 23 Feb 2010 00:25:51 +0000 (00:25 +0000)]
pull up r23734 from trunk
------------------------------------------------------------------------
r23734 | ghudson | 2010-02-18 13:04:47 -0500 (Thu, 18 Feb 2010) | 17 lines
ticket: 6665
subject: Fix cipher state chaining in OpenSSL back end
target_version: 1.8
tags: pullup
Make cipher state chaining work in the OpenSSL back end for des, des3,
and arcfour enc providers. Subtleties:
* DES and DES3 have checks to avoid clobbering ivec with uninitialized
data if there is no data to encrypt.
* Arcfour saves the OpenSSL cipher context across calls. To protect
against a caller improperly copying the state (which happens to work
with other enc providers), a loopback pointer is used, as in GSSAPI.
* EVP_EncryptFinal_ex is unnecessary with stream ciphers and would
interfere with cipher state chaining if it did anything, so just
remove it.
ticket: 6665
version_fixed: 1.8
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23746
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 17 Feb 2010 03:41:03 +0000 (03:41 +0000)]
krb5-1.8-beta1-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23730
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Wed, 17 Feb 2010 03:13:29 +0000 (03:13 +0000)]
README and patchlevel.h for krb5-1.8-beta1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23728
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 16 Feb 2010 23:01:30 +0000 (23:01 +0000)]
pull up r23726 from trunk
------------------------------------------------------------------------
r23726 | tlyu | 2010-02-16 17:41:27 -0500 (Tue, 16 Feb 2010) | 8 lines
ticket: 6663
subject: update mkrel to deal with changed source layout
target_version: 1.8
tags: pullup
Update mkrel so it deals somewhat better with removed src/lib/des425,
NOTICES, etc.
ticket: 6663
version_fixed: 1.8
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23727
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Tue, 16 Feb 2010 22:21:08 +0000 (22:21 +0000)]
pull up r23724 from trunk
------------------------------------------------------------------------
r23724 | tlyu | 2010-02-16 17:10:17 -0500 (Tue, 16 Feb 2010) | 10 lines
ticket: 6662
subject: MITKRB5-SA-2010-001 CVE-2010-0283 KDC denial of service
tags: pullup
target_version: 1.8
Code introduced in krb5-1.7 can cause an assertion failure if a
KDC-REQ is internally inconsistent, specifically if the ASN.1 tag
doesn't match the msg_type field. Thanks to Emmanuel Bouillon (NATO
C3 Agency) for discovering and reporting this vulnerability.
ticket: 6662
version_fixed: 1.8
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23725
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 12 Feb 2010 20:28:51 +0000 (20:28 +0000)]
pull up r23716 from trunk
------------------------------------------------------------------------
r23716 | ghudson | 2010-02-11 11:07:08 -0500 (Thu, 11 Feb 2010) | 15 lines
ticket: 6660
subject: Minimal support for updating history key
target_version: 1.8
tags: pullup
Add minimal support for re-randomizing the history key:
* cpw -randkey kadmin/history now works, but creates only one key.
* cpw -randkey -keepold kadmin/history still fails.
* libkadm5 no longer caches the history key. Performance impact
is minimal since password changes are not common.
* randkey no longer checks the newly randomized key against old keys,
and the disabled code to do so in setkey/setv4key is gone, so now
only kadm5_chpass_principal_3 accesses the password history.
------------------------------------------------------------------------
ticket: 6660
version_fixed: 1.8
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23721
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 12 Feb 2010 20:28:47 +0000 (20:28 +0000)]
pull up r23715 from trunk
------------------------------------------------------------------------
r23715 | ghudson | 2010-02-10 18:44:18 -0500 (Wed, 10 Feb 2010) | 14 lines
ticket: 6658
subject: Implement gss_set_neg_mechs
target_version: 1.8
tags: pullup
Implement gss_set_neg_mechs in SPNEGO by intersecting the provided
mech set with the mechanisms available in the union credential. As
we now need space to hold the mech set, the SPNEGO credential is now
a structure and not just a mechglue credential.
t_spnego.c is a test program which exercises the new logic. Like the
other GSSAPI tests, it is not run as part of "make check" at this
time.
ticket: 6658
version_fixed: 1.8
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23720
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 12 Feb 2010 20:28:43 +0000 (20:28 +0000)]
pull up r23713 from trunk
------------------------------------------------------------------------
r23713 | hartmans | 2010-02-09 14:15:12 -0500 (Tue, 09 Feb 2010) | 10 lines
subject: krb5int_fast_free_state segfaults if state is null
ticket: 6657
target_version: 1.8
tags: pullup
krb5int_fast_free_state fails if state is null. INstead it should
simply return Reorganization of the get_init_creds logic has created
situations where the init_creds loop can fail between the time when
the context is initialized and the fast state is initialized.
ticket: 6657
version_fixed: 1.8
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23719
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 12 Feb 2010 20:28:39 +0000 (20:28 +0000)]
pull up r23712, r23714 from trunk
------------------------------------------------------------------------
r23714 | ghudson | 2010-02-09 20:55:36 -0500 (Tue, 09 Feb 2010) | 13 lines
ticket: 6656
Followon fixes to r23712:
* A few formatting fixes.
* Fix unlikely leak in kdc_handle_protected_negotiation: if
add_pa_data_element with copy == FALSE fails, it's still the
caller's responsibility to free pa.contents.
* Fix pre-existing (since r23465) leak of reply_encpart.enc_padata in
process_as_req.
* Call add_pa_data_element with copy == TRUE in
return_referral_enc_padata since we are passing memory owned by the
database entry.
------------------------------------------------------------------------
r23712 | hartmans | 2010-02-09 14:15:07 -0500 (Tue, 09 Feb 2010) | 14 lines
subject: enc_padata can include empty sequence
ticket: 6656
target_version: 1.8
tags: pullup
There are two issues with return_enc_padata.
1) It often will return an empty sequence of enc_padata rather than not including the field
2) FAST negotiation is double supported in the referral tgs path and not supported in the non-referral path
Rewrite the return_enc_padata logic to:
* Split out referral interactions with kdb into its own function
* Use add_pa_data_element
ticket: 6656
version_fixed: 1.8
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23718
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 8 Feb 2010 21:22:18 +0000 (21:22 +0000)]
pull up r23677 from trunk
------------------------------------------------------------------------
r23677 | ghudson | 2010-01-28 20:22:17 -0500 (Thu, 28 Jan 2010) | 14 lines
ticket: 6652
subject: Make decryption of master key list more robust
target_version: 1.8
tags: pullup
krb5_def_fetch_mkey_list was incorrectly filtering mkey_aux entries
when searching the list for an entry which can be decrypted with the
stashed master key. This bug was masked in most cases by the mkvno
heuristic.
Remove the mkvno heuristic, since performance is not an issue for this
rarely-performed operation, and remove the incorrect enctype
comparison in the brute-force search.
ticket: 6652
version_fixed: 1.8
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23711
dc483132-0cff-0310-8789-
dd5450dbe970