Tom Yu [Mon, 5 Dec 2011 20:53:52 +0000 (20:53 +0000)]
pull up r25480 from trunk
------------------------------------------------------------------------
r25480 | ghudson | 2011-11-20 00:19:45 -0500 (Sun, 20 Nov 2011) | 13 lines
ticket: 7021
subject: Fix failure interval of 0 in LDAP lockout code
target_version: 1.10
tags: pullup
A failure count interval of 0 caused krb5_ldap_lockout_check_policy to
pass the lockout check (but didn't cause a reset of the failure count
in krb5_ldap_lockout_audit). It should be treated as forever, as in
the DB2 back end.
This bug is the previously unknown cause of the assertion failure
fixed in CVE-2011-1528.
ticket: 7021
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25512
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 5 Dec 2011 20:32:57 +0000 (20:32 +0000)]
pull up r25482 from trunk
------------------------------------------------------------------------
r25482 | ghudson | 2011-11-21 12:30:41 -0500 (Mon, 21 Nov 2011) | 10 lines
ticket: 7020
target_version: 1.10
tags: pullup
Recognize IAKERB mech in krb5_gss_display_status
Minor status codes were not displaying properly when originated from
the IAKERB mech, because of a safety check on mech_type. From Ralf
Haferkamp <rhafer@suse.de>.
ticket: 7020
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25511
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 5 Dec 2011 20:16:05 +0000 (20:16 +0000)]
pull up r25475 and r25479 from trunk
------------------------------------------------------------------------
r25479 | ghudson | 2011-11-19 17:06:15 -0500 (Sat, 19 Nov 2011) | 8 lines
ticket: 7019
Improve documentation in preauth_plugin.h
Also declare the verto_context structure to ensure that it is has the
proper scope when used as the return type of the event_context
callback.
------------------------------------------------------------------------
r25475 | ghudson | 2011-11-14 21:42:58 -0500 (Mon, 14 Nov 2011) | 9 lines
ticket: 7019
subject: Make verto context available to kdcpreauth modules
target_version: 1.10
tags: pullup
Add an event_context callback to kdcpreauth. Adjust the internal KDC
and main loop interfaces to pass around the event context, and expose
it to kdcpreauth modules via the rock.
ticket: 7019
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25510
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 5 Dec 2011 19:44:11 +0000 (19:44 +0000)]
pull up r25474 from trunk
------------------------------------------------------------------------
r25474 | ghudson | 2011-11-14 20:59:01 -0500 (Mon, 14 Nov 2011) | 10 lines
ticket: 7018
subject: Update verto to 0.2.2 release
target_version: 1.10
tags: pullup
Update verto sources to 0.2.2 release versions. verto_reinitialize()
now has a return value; check it in kdc/main.c. Store verto-libev.c
alongside verto-k5ev.c to make it easy to diff corresponding versions
when updating.
ticket: 7018
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25509
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 5 Dec 2011 19:44:05 +0000 (19:44 +0000)]
pull up r25473 from trunk
------------------------------------------------------------------------
r25473 | ghudson | 2011-11-14 16:45:33 -0500 (Mon, 14 Nov 2011) | 16 lines
ticket: 7017
subject: Simplify and fix kdcpreauth request_body callback
target_version: 1.10
tags: pullup
Alter the contract for the kdcpreauth request_body callback so that it
returns an alias to the encoded body instead of a fresh copy. At the
beginning of AS request processing, save a copy of the encoded request
body, or the encoded inner request body for FAST requests. Previously
the request_body callback would re-encode the request structure, which
in some cases has been modified by the AS request code.
No kdcpreauth modules currently use the request_body callback, but
PKINIT will need to start using it in order to handle FAST requests
correctly.
ticket: 7017
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25508
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 5 Dec 2011 19:01:49 +0000 (19:01 +0000)]
Handle TGS referrals to the same realm
pull up r25472 from trunk
------------------------------------------------------------------------
r25472 | ghudson | 2011-11-14 13:02:52 -0500 (Mon, 14 Nov 2011) | 12 lines
ticket: 7016
subject: Handle TGS referrals to the same realm
target_version: 1.9.3
tags: pullup
krb5 1.6 through 1.8 contained a workaround for the Active Directory
behavior of returning a TGS referral to the same realm as the request.
1.9 responds to this behavior by caching the returned TGT, trying
again, and detecting a referral loop. This is a partial regression of
ticket #4955. Detect this case and fall back to a non-referreal
request.
ticket: 7039
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25507
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 2 Dec 2011 21:20:22 +0000 (21:20 +0000)]
pull up r25470 from trunk
------------------------------------------------------------------------
r25470 | ghudson | 2011-11-12 17:03:54 -0500 (Sat, 12 Nov 2011) | 9 lines
ticket: 7015
subject: Add plugin interface_names entry for ccselect
target_version: 1.10
tags: pullup
When the ccselect pluggable interface was added, the interface_names
table wasn't updated, so configuring modules for it wouldn't work.
Add it now.
ticket: 7015
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25503
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 2 Dec 2011 21:20:18 +0000 (21:20 +0000)]
pull up r25468 from trunk
------------------------------------------------------------------------
r25468 | ghudson | 2011-11-10 23:04:58 -0500 (Thu, 10 Nov 2011) | 12 lines
ticket: 7014
subject: Fix com_err.h dependencies in gss-kernel-lib
target_version: 1.10
tags: pullup
make check was failing in util/gss-kernel-lib due to dependencies
when the build is configured with --with-system-et, because depfix.pl
wasn't smart enough to substitute the dependency on com_err.h in the
current directory. Make depfix.pl smarter, and adjust COM_ERR_DEPS
to be com_err.h in gss-kernel-lib when building with the bundled
com_err.
ticket: 7014
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25502
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 2 Dec 2011 21:20:13 +0000 (21:20 +0000)]
pull up r25469 from trunk
------------------------------------------------------------------------
r25469 | ghudson | 2011-11-11 12:01:12 -0500 (Fri, 11 Nov 2011) | 14 lines
ticket: 6430
subject: Avoid looping when preauth can't be generated
target_version: 1.10
tags: pullup
If we receive a PREAUTH_REQUIRED error and fail to generate any real
preauthentication, error out immediately instead of continuing to
generate non-preauthenticated requests until we hit the loop count.
There is a lot of room to generate a more meaningful error about why
we failed to generate preauth (although in many cases the answer may
be too complicated to explain in an error message), but that requires
more radical restructuring of the preauth framework.
ticket: 6430
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25501
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 7 Nov 2011 22:51:36 +0000 (22:51 +0000)]
pull up r25424 from trunk
------------------------------------------------------------------------
r25424 | ghudson | 2011-10-31 12:43:40 -0400 (Mon, 31 Oct 2011) | 9 lines
ticket: 6996
subject: Make krb5_check_clockskew public
target_version: 1.10
tags: pullup
Rename krb5int_check_clockskew to krb5_check_clockskew and make it
public, in order to give kdcpreauth plugins a way to check timestamps
against the configured clock skew.
ticket: 6996
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25456
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 7 Nov 2011 22:35:54 +0000 (22:35 +0000)]
pull up r25444 from trunk
------------------------------------------------------------------------
r25444 | ghudson | 2011-11-06 00:32:34 -0500 (Sun, 06 Nov 2011) | 10 lines
ticket: 7003
subject: Fix month/year units in getdate
target_version: 1.10
tags: pullup
getdate strings like "1 month" or "next year" would fail some of the
time, depending on the value of stack garbage, because DSTcorrect()
doesn't set *error on success and RelativeMonth() doesn't initialize
error. Make DSTcorrect() responsible for setting *error in all cases.
ticket: 7003
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25455
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 7 Nov 2011 22:35:51 +0000 (22:35 +0000)]
pull up r25443 from trunk
------------------------------------------------------------------------
r25443 | ghudson | 2011-11-05 15:55:34 -0400 (Sat, 05 Nov 2011) | 11 lines
ticket: 7002
target_version: 1.10
tags: pullup
Improve verto and libev documentation
NOTICE was missing the copyright statement for verto (it's not quite
the same as other Red Hat licenses). util/verto had no README file,
and neither the verto nor k5ev README contained pointers to the
upstream project pages.
ticket: 7002
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25454
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 7 Nov 2011 22:35:48 +0000 (22:35 +0000)]
pull up r25433 from trunk
------------------------------------------------------------------------
r25433 | ghudson | 2011-11-04 01:53:23 -0400 (Fri, 04 Nov 2011) | 9 lines
ticket: 7000
subject: Exit on error in kadmind kprop child
target_version: 1.10
tags: pullup
When we fork from kadmind to dump the database and kprop to an iprop
slave, if we encounter an error in the child process we should exit
rather than returning to the main loop.
ticket: 7000
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25453
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 7 Nov 2011 22:35:45 +0000 (22:35 +0000)]
pull up r25445 from trunk
------------------------------------------------------------------------
r25445 | ghudson | 2011-11-06 19:47:20 -0500 (Sun, 06 Nov 2011) | 8 lines
ticket: 6999
target_version: 1.10
tags: pullup
Fix warnings and version check for NSS pkinit
From nalin@redhat.com.
ticket: 6999
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25452
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 7 Nov 2011 22:35:41 +0000 (22:35 +0000)]
pull up r25425 from trunk
------------------------------------------------------------------------
r25425 | ghudson | 2011-10-31 23:49:16 -0400 (Mon, 31 Oct 2011) | 10 lines
ticket: 6997
target_version: 1.10
tags: pullup
Conditionalize po subdir on msgfmt, not dgetext
The presence of dgettext in libc or libintl doesn't imply that msgfmt
is installed, so conditionalize building the po subdir on whether
msgfmt is installed.
ticket: 6997
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25451
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 7 Nov 2011 22:35:39 +0000 (22:35 +0000)]
pull up r25419 from trunk
------------------------------------------------------------------------
r25419 | ghudson | 2011-10-28 11:53:50 -0400 (Fri, 28 Oct 2011) | 11 lines
ticket: 6995
subject: Initialize typed_e_data in as_req_state
target_version: 1.10
tags: pullup
The typed_e_data field in struct as_req_state was not properly
initialized, causing the KDC to sometimes respond with typed-data
e_data for a preauth-required error when the client sends no padata.
This bug was masked with recent clients, which send a
KRB5_ENCPADATA_REQ_ENC_PA_REP padata.
ticket: 6995
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25450
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 7 Nov 2011 22:35:35 +0000 (22:35 +0000)]
pull up r25418 from trunk
------------------------------------------------------------------------
r25418 | ghudson | 2011-10-28 11:45:03 -0400 (Fri, 28 Oct 2011) | 9 lines
ticket: 6994
subject: Fix intermediate key length in hmac-md5 checksum
target_version: 1.10
tags: pullup
When using hmac-md5, the intermediate key length is the output of the
hash function (128 bits), not the input key length. Relevant if the
input key is not an RC4 key.
ticket: 6994
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25449
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 7 Nov 2011 22:35:32 +0000 (22:35 +0000)]
Fix format string for TRACE_INIT_CREDS_SERVICE
pull up r25417 from trunk
------------------------------------------------------------------------
r25417 | ghudson | 2011-10-26 18:34:21 -0400 (Wed, 26 Oct 2011) | 7 lines
ticket: 6993
subject: Fix format string for TRACE_INIT_CREDS_SERVICE
tags: pullup
target_version: 1.9.2
This should also be pulled up to 1.10.
ticket: 7006
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25448
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 7 Nov 2011 22:35:24 +0000 (22:35 +0000)]
pull up r25414 from trunk
------------------------------------------------------------------------
r25414 | ghudson | 2011-10-25 14:30:14 -0400 (Tue, 25 Oct 2011) | 7 lines
ticket: 6992
subject: Make krb5_find_authdata public
target_version: 1.10
tags: pullup
Rename krb5int_find_authdata to krb5_find_authdata and make it public.
ticket: 6992
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25447
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Sat, 5 Nov 2011 00:03:44 +0000 (00:03 +0000)]
Update acknowledgments
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25442
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 21 Oct 2011 18:03:54 +0000 (18:03 +0000)]
krb5-1.10-alpha1-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25402
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 21 Oct 2011 18:02:10 +0000 (18:02 +0000)]
README and patchlevel.h for krb5-1.10-alpha1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25400
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 21 Oct 2011 17:58:47 +0000 (17:58 +0000)]
pull up r25395 from trunk
------------------------------------------------------------------------
r25395 | tlyu | 2011-10-21 13:35:49 -0400 (Fri, 21 Oct 2011) | 10 lines
ticket: 6989
subject: fix tar invocation in mkrel
target_version: 1.10
tags: pullup
Fix the tar invocation in mkrel so that it defaults to using "tar" as
the tar program rather than "gtar".
This should probably be pulled up to at least 1.9 and 1.8 as well.
ticket: 6989
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25399
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 20 Oct 2011 22:19:39 +0000 (22:19 +0000)]
Fix patchlevel.h for krb5-1.10 branch
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25392
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 20 Oct 2011 22:13:09 +0000 (22:13 +0000)]
Update README for 1.10 branch
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25391
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 20 Oct 2011 19:27:46 +0000 (19:27 +0000)]
pull up r25385 from trunk
------------------------------------------------------------------------
r25385 | ghudson | 2011-10-20 11:16:03 -0400 (Thu, 20 Oct 2011) | 9 lines
ticket: 6988
subject: Fix handling of null edata method in KDC preauth
target_version: 1.10
tags: pullup
Correctly include an empty padata value if a KDC preauth system has no
get_edata method. This bug prevented the KDC from indicating FAST
support in preauth-required errors.
ticket: 6988
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25389
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 20 Oct 2011 19:27:43 +0000 (19:27 +0000)]
pull up r25384 from trunk
------------------------------------------------------------------------
r25384 | ghudson | 2011-10-19 23:45:12 -0400 (Wed, 19 Oct 2011) | 12 lines
ticket: 6987
subject: Fix krb5_cc_set_config
target_version: 1.10
tags: pullup
krb5_cc_set_config has been non-functional since r24753 on cache types
which don't support removal of credential entries. Fix it by only
calling krb5_cc_remove_cred if data is NULL, since krb5_cc_store_cred
will do it anyway in the positive case.
Also fix an old memory leak in an uncommon error case.
ticket: 6987
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25388
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 20 Oct 2011 19:27:38 +0000 (19:27 +0000)]
pull up r25368 from trunk
------------------------------------------------------------------------
r25368 | tlyu | 2011-10-18 14:51:35 -0400 (Tue, 18 Oct 2011) | 8 lines
ticket: 6981
subject: SA-2011-006 KDC denial of service [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529]
target_version: 1.10
tags: pullup
Fix null pointer dereference and assertion failure conditions that
could cause a denial of service.
ticket: 6981
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25387
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Thu, 20 Oct 2011 19:27:32 +0000 (19:27 +0000)]
pull up r25367 from trunk
------------------------------------------------------------------------
r25367 | ghudson | 2011-10-18 12:32:28 -0400 (Tue, 18 Oct 2011) | 12 lines
ticket: 6980
subject: Ensure termination in Windows vsnprintf wrapper
target_version: 1.10
tags: pullup
The Windows _vsnprintf does not terminate its output buffer in the
overflow case. Make sure we do that in the wrapper. Reported by
Chris Hecker.
(Not an issue for KfW 3.2 since we weren't using snprintf in 1.6.x
except in Unix-specific code.)
ticket: 6980
version_fixed: 1.10
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25386
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 17 Oct 2011 22:55:44 +0000 (22:55 +0000)]
branch for krb5-1.10 release
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25366
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 17 Oct 2011 22:54:12 +0000 (22:54 +0000)]
Bump release numbers in definitions.texinfo
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25365
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Mon, 17 Oct 2011 20:17:08 +0000 (20:17 +0000)]
Noted that kadmind should be restarted if its acl file has been changed
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25364
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 17 Oct 2011 19:34:08 +0000 (19:34 +0000)]
Delete Network Identity Manager
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25363
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 17 Oct 2011 19:11:01 +0000 (19:11 +0000)]
Make reindent
Also fix pkinit_crypto_nss.c struct initializers and add parens to a
ternary operator in do_as_req.c for better indentation.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25362
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Mon, 17 Oct 2011 19:10:52 +0000 (19:10 +0000)]
Exclude util/wshelper from reindent
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25361
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Mon, 17 Oct 2011 17:15:31 +0000 (17:15 +0000)]
Add AC_LANG_SOURCE to PKINIT NSS version check
The configure.in code for the PKINIT NSS back end version check was
copied from the k5crypto NSS back end version check, but from before
r25181 which added AC_LANG_SOURCE wrappers.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25360
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Mon, 17 Oct 2011 04:05:56 +0000 (04:05 +0000)]
Style police
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25359
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Mon, 17 Oct 2011 00:45:30 +0000 (00:45 +0000)]
gssalloc-related fixes to naming_exts.c
renamed kg_data_list_to_buffer_set_nocopy to data_list_buffer_set
(since nocopy is no longer guaranteed).
removed extra indirection to input krb5_data list.
ensured input krb5_data list is always completely freed.
no longer returns EINVAL when output buffer set is NULL.
fixed krb5_gss_get_name_attribute to use data_to_gss.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25358
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Mon, 17 Oct 2011 00:45:23 +0000 (00:45 +0000)]
RFC 4120 says that we should not canonicalize using DNS. We cannot get
that far today, but there's no reason we should fail to use a
perfectly good principal name just because DNS is failing. For some
services there isn't even a requirement they be in DNS. With
AI_ADDRCONFIG there's no reason that Kerberos canonicalization should
fail simply because a v6 address is not present, for example. So, if
getaddrinfo fails in krb5_sname_to_principal simply use the input
hostname uncanonicalized.
sn2princ: On getaddrinfo failure use the input
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25357
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Sat, 15 Oct 2011 16:56:30 +0000 (16:56 +0000)]
Allow password changes over NATs
In the kpasswd server code, don't set a remote address in the auth
context before calling krb5_rd_priv, since the kpasswd protocol is
well-protected against reflection attacks. This allows password
changes to work in cases where a NAT has changed the client IP address
as it is seen by the server.
ticket: 6979
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25356
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Sat, 15 Oct 2011 16:56:26 +0000 (16:56 +0000)]
Allow rd_priv/rd_safe without remote address
Allow krb5_rd_priv and krb5_rd_safe to work when there is no remote
address set in the auth context, unless the KRB5_AUTH_CONTEXT_DO_TIMES
flag is set (in which case we need the remote address for the replay
cache name). Note that failing to set the remote address can create a
vulnerability to reflection attacks in some protocols, although it is
fairly easy to defend against--either use sequence numbers, or make
sure that requests don't look like replies, or both.
ticket: 6978
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25355
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Sat, 15 Oct 2011 16:31:00 +0000 (16:31 +0000)]
Update mit-krb5.pot
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25354
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Sat, 15 Oct 2011 16:29:28 +0000 (16:29 +0000)]
Install krb5/preauth_plugin.h
The clpreauth and kdcpreauth pluggable interfaces are public as of
krb5 1.10. Install the header so that preauth modules can be built
outside of the krb5 source tree.
ticket: 6977
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25353
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Sat, 15 Oct 2011 16:26:27 +0000 (16:26 +0000)]
Rename PAC type constants to avoid conflicts
Since the PAC type constants are now exposed in krb5.h, give them a
KRB5_ prefix so they don't conflict with similar PAC type constants
in other packages, like Samba.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25352
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Sat, 15 Oct 2011 16:06:03 +0000 (16:06 +0000)]
Hide gak_fct interface and arguments in clpreauth
Remove the gak_fct, gak_data, salt, s2kparams, and as_key arguments
of krb5_clpreauth_process_fn and krb5_clpreauth_tryagain_fn. To
replace them, add two callbacks: one which gets the AS key using the
previously selected etype-info2 information, and a second which lets
the module replace the AS key with one it has computed.
This changes limits module flexibility in a few ways. Modules cannot
check whether the AS key was already obtained before asking for it,
and they cannot use the etype-info2 salt and s2kparams for purposes
other than getting the password-based AS key. It is believed that
of existing preauth mechanisms, only SAM-2 preauth needs more
flexibility than the new interfaces provide, and as an internal legacy
mechanism it can cheat. Future mechanisms should be okay since the
current IETF philosophy is that etype-info2 information should not be
used for other purposes.
ticket: 6976
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25351
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Sat, 15 Oct 2011 15:35:46 +0000 (15:35 +0000)]
Drop retransmits while processing requests
Supporting asynchronous preauth modules means that the KDC can receive
a retransmitted request before it finishes processing the initial
request. Ignore those retransmits instead of processing them.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25350
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Sat, 15 Oct 2011 15:08:02 +0000 (15:08 +0000)]
Untabify kdc_preauth_encts.c
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25349
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Sat, 15 Oct 2011 15:06:37 +0000 (15:06 +0000)]
Make kdcpreauth edata method respond via callback
From npmccallum@redhat.com with changes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25348
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Sat, 15 Oct 2011 15:03:17 +0000 (15:03 +0000)]
Make get_preauth_hint_list respond via callback
From npmccallum@redhat.com with changes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25347
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Sat, 15 Oct 2011 15:03:10 +0000 (15:03 +0000)]
Remove enc-timestamp code from kdc_preauth.c
This code should have been removed in r25319 but was not.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25346
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 14 Oct 2011 23:14:53 +0000 (23:14 +0000)]
Exclude more stuff from make reindent
Apply exclusions to "make reindent" as well, to fully exclude some
files from whitespace cleanups. Add fnmatch.c to exclusions.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25345
dc483132-0cff-0310-8789-
dd5450dbe970
Tom Yu [Fri, 14 Oct 2011 18:19:36 +0000 (18:19 +0000)]
make depend
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25344
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Fri, 14 Oct 2011 15:14:57 +0000 (15:14 +0000)]
Untabify a recent gssapi_alloc.h change
Also mark the file as using the krb5 C style.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25343
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Fri, 14 Oct 2011 15:07:01 +0000 (15:07 +0000)]
Fix gssapi_strdup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25342
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Fri, 14 Oct 2011 14:46:57 +0000 (14:46 +0000)]
gssalloc memory management for gss_buffer_set
compiles, but untested
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25341
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Fri, 14 Oct 2011 14:44:35 +0000 (14:44 +0000)]
build profile dll (xpprof32/64.dll) on windows
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25340
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Fri, 14 Oct 2011 14:42:37 +0000 (14:42 +0000)]
Further attempt at removing K4 specific code from the leash executable
Updates to leash Makefile.in to make it link on Windows 64
Signed-off-by: Alexey Melnikov <aamelnikov@gmail.com>
leash link fixes: fix mfc library and fix path to wshelper
MFC100D.lib for mscv2010; util\wshelper instead of windows\wshelper
Add ver.rc for leash
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25339
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Fri, 14 Oct 2011 14:40:36 +0000 (14:40 +0000)]
Fixed some warnings and Windows 64 portability issues in the leash executable
Signed-off-by: Alexey Melnikov <aamelnikov@gmail.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25338
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Fri, 14 Oct 2011 14:40:32 +0000 (14:40 +0000)]
Fixed some warnings in libwin
Signed-off-by: Alexey Melnikov <aamelnikov@gmail.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25337
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Fri, 14 Oct 2011 14:40:28 +0000 (14:40 +0000)]
Updated resource file dependencies for leashdll
Signed-off-by: Alexey Melnikov <aamelnikov@gmail.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25336
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Fri, 14 Oct 2011 14:40:24 +0000 (14:40 +0000)]
re-remove windows/gss from windows build
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25335
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Fri, 14 Oct 2011 14:40:20 +0000 (14:40 +0000)]
Fix windows fork detection
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25334
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Fri, 14 Oct 2011 14:40:17 +0000 (14:40 +0000)]
Add "-dce" commandline option to gss-client.c to set GSS_C_DCE_STYLE flag
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25333
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Fri, 14 Oct 2011 14:40:10 +0000 (14:40 +0000)]
Use gssalloc memory management where appropriate
gss_buffer_t may be freed in a different module from where they
are allocated so it is not safe to use strdup/malloc/calloc/free.
similarly, gss_OID_set need to use gssalloc functions.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25332
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Fri, 14 Oct 2011 14:40:05 +0000 (14:40 +0000)]
Utility functions to move allocations from k5buf/krb5_data to gss_buffer_t
On Unix, these simply move the buffer pointer, but on windows they need to
reallocated with gssalloc_malloc and coied since the gss_buffer_t may need
to be freed in a separate module with potentially mismatched c runtime.
Also fix a mismatched parameter warning in generic_gss_copy_oid_set().
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25331
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Fri, 14 Oct 2011 14:39:01 +0000 (14:39 +0000)]
Add new header gssapi_alloc.h
Contains allocator methods for use with mechanisms and mechglues for
allocations that must be made in one module but freed in another. On
windows, an allocation made in one module cannot safely be freed in
another using the usual c runtime malloc/free; runtime dll mismatch
will cause heap corruption in that case. But it is safe to instead
directly use HeapAlloc()/HeapFree() specifying the default process
heap. For now, this header is not public. If it becomes public
strncpy will need to be used instead of strlcpy.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25330
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Fri, 14 Oct 2011 14:37:14 +0000 (14:37 +0000)]
Simplify gss_indicate_mechs() by using generic_gss_copy_oid_set
...instead of hand-duplicating all the logic therein. Also makes
the switch to using gssalloc functions with oid_sets easier.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25329
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Fri, 14 Oct 2011 14:25:23 +0000 (14:25 +0000)]
Removed unused macros
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25328
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Thu, 13 Oct 2011 16:07:23 +0000 (16:07 +0000)]
Add PKINIT NSS support
Add an implementation of PKINIT using NSS instead of OpenSSL, from
nalin@redhat.com.
ticket: 6975
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25327
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Wed, 12 Oct 2011 17:57:33 +0000 (17:57 +0000)]
Fix the doxygen comments for krb5_pac_sign
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25326
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Wed, 12 Oct 2011 16:34:07 +0000 (16:34 +0000)]
Make krb5_pac_sign public
krb5int_pac_sign was created as a private API because it is only
needed by the KDC. But it is actually used by DAL or authdata plugin
modules, not the core KDC code. Since plugin modules should not need
to consume internal libkrb5 functions, rename krb5int_pac_sign to
krb5_pac_sign and make it public.
ticket: 6974
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25325
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Wed, 12 Oct 2011 15:05:39 +0000 (15:05 +0000)]
Documentation pass over preauth_plugin.h
No functional changes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25324
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Fri, 7 Oct 2011 22:17:06 +0000 (22:17 +0000)]
Fix a memory leak in make_gss_checksum
From greg.mcclement@sap.com.
ticket: 6972
target_version: 1.9.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25323
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Fri, 7 Oct 2011 21:19:41 +0000 (21:19 +0000)]
Removed references to non-existing krb5_default_local_realm(3) and some source-code-defined macros from the administration programs documentation.
Also, minor cleanup & corrections.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25322
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Fri, 7 Oct 2011 16:33:25 +0000 (16:33 +0000)]
Minor updates and correction of the RST documents
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25321
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Fri, 7 Oct 2011 14:44:15 +0000 (14:44 +0000)]
Minor cleanups to encrypted challenge
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25320
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Fri, 7 Oct 2011 14:26:25 +0000 (14:26 +0000)]
Use built-in modules for encrypted timestamp
Break out the encrypted timestamp code from kdc_preauth.c and
preauth2.c into built-in modules, allowing admins to disable it and
reducing the size of the framework code.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25319
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Thu, 6 Oct 2011 20:08:29 +0000 (20:08 +0000)]
Add get_string, free_string kdcpreauth callbacks
String attributes should be useful to preauth modules without having
to link against libkdb5. Add a callback to make client string
attributes accessible to modules.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25318
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Thu, 6 Oct 2011 19:24:56 +0000 (19:24 +0000)]
Ditch fast_factor.h since it contains only stubs
Leave a comment behind where we called fast_set_kdc_verified().
Remove the call to fast_kdc_replace_reply_key() since it's wrong
(encrypted challenge doesn't replace the reply key in that sense).
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25317
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Thu, 6 Oct 2011 16:38:35 +0000 (16:38 +0000)]
Initialize localname on error in gss_localname
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25316
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Thu, 6 Oct 2011 16:18:56 +0000 (16:18 +0000)]
Use type-safe callbacks in preauth interface
Replace the generic get_data functions in clpreauth and kdcpreauth
with structures containing callback functions. Each structure has a
minor version number to allow adding new callbacks.
For simplicity, the new fast armor key callbacks return aliases, which
is how we would supply the armor key as a function parameter. The new
client keys callback is paired with a free_keys callback to reduce the
amount of cleanup code needed in modules.
ticket: 6971
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25315
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Wed, 5 Oct 2011 22:11:19 +0000 (22:11 +0000)]
Remove edata code in sample preauth plugins
The code assumes unstructured edata and would be somewhat annoying to
reframe in terms of pa-data.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25314
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Wed, 5 Oct 2011 21:31:08 +0000 (21:31 +0000)]
Replace gss_pname_to_uid with gss_localname in gss-server.c
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25313
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Wed, 5 Oct 2011 21:30:59 +0000 (21:30 +0000)]
Replace gss_pname_to_uid with gss_localname in gssapi32.def
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25312
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Wed, 5 Oct 2011 21:30:55 +0000 (21:30 +0000)]
Don't need to check for fork on windows
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25311
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Wed, 5 Oct 2011 21:30:50 +0000 (21:30 +0000)]
Add krb5int_gettimeofday to k5sprt for platforms w/o native gettimeofday
Microsecond accuracy on _WIN32, but only one second accuracy on other,
AFAIK purely hypothetical, platforms that lack native gettimeofday.
Shamelessly cribbed from Heimdal.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25310
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Wed, 5 Oct 2011 21:30:42 +0000 (21:30 +0000)]
gss_unwrap_iov crashes with stream buffers for 3des, des, rc4
Use correct key to determine enctype for KG2 tokens in
kg_unseal_stream_iov
Tested with AES for a new enctype and 3DES for an old enctype.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 6970
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25309
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Wed, 5 Oct 2011 21:30:31 +0000 (21:30 +0000)]
From: Sam Hartman <hartmans@debian.org>
Pkinit: offer supported KDFs in client
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25308
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Wed, 5 Oct 2011 21:30:28 +0000 (21:30 +0000)]
Add tests to pkinit_kdf_test to test SHA-256/AES and SHA-512/DES3
Signed-off-by: Margaret Wasserman <mrw@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25307
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Wed, 5 Oct 2011 21:30:24 +0000 (21:30 +0000)]
Make alg agility KDF work properly when the hash length differs from the key length
Signed-off-by: Margaret Wasserman <mrw@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25306
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Wed, 5 Oct 2011 21:30:20 +0000 (21:30 +0000)]
Clean up unused constants
From: Margaret Wasserman <mrw@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25305
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Wed, 5 Oct 2011 21:30:16 +0000 (21:30 +0000)]
Make pkinit fall back to octetstring2key() if there are not matching KDFs
From: Margaret Wasserman <mrw@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25304
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Wed, 5 Oct 2011 21:30:12 +0000 (21:30 +0000)]
Treat the client's list of supported KDFs as an unordered list
Signed-off-by: Margaret Wasserman <mrw@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25303
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Wed, 5 Oct 2011 21:30:08 +0000 (21:30 +0000)]
Make KDF work when length of random data differs from length of hash
Signed-off-by: Margaret Wasserman <mrw@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25302
dc483132-0cff-0310-8789-
dd5450dbe970
Sam Hartman [Wed, 5 Oct 2011 21:30:02 +0000 (21:30 +0000)]
Fix incorrect formatting of KDF fields, no substantive change
Signed-off-by: Margaret Wasserman <mrw@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25301
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Wed, 5 Oct 2011 17:27:15 +0000 (17:27 +0000)]
Use an opaque handle in the kdcpreauth callback
Instead of passing a request and entry to the kdcpreauth get_data
callback, pass an opaque handle. Remove DB entry and key data
parameters from kdcpreauth methods (but keep the request, since that's
transparent).
The SecurID plugin links against libkdb5 and needs access to the client
DB entry. Rather than continue to pass a DB entry to kdcpreauth
methods, add a get_data callback to get the client DB entry for the few
plugins which might need it.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25300
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Tue, 4 Oct 2011 22:40:10 +0000 (22:40 +0000)]
Fix initialization and pointer bugs in new code
Coverity found some minor-to-medium bugs in some recent changes; fix
them.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25299
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Tue, 4 Oct 2011 20:16:07 +0000 (20:16 +0000)]
Create e_data as pa_data in KDC interfaces
All current known uses of e_data are encoded as pa-data or typed-data.
FAST requires that e_data be expressed as pa-data. Change the DAL and
kdcpreauth interfaces so that e_data is returned as a sequence of
pa-data elements. Add a preauth module flag to indicate that the
sequence should be encoded as typed-data in non-FAST errors.
ticket: 6969
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25298
dc483132-0cff-0310-8789-
dd5450dbe970
Greg Hudson [Tue, 4 Oct 2011 15:11:45 +0000 (15:11 +0000)]
Improve k5_get_os_entropy for Windows
When acquiring a crypto context for CryptGenRandom, pass
CRYPT_VERIFYCONTEXT to indicate that we don't need access to private
keys. Appears to make OS entropy work on Windows XP.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25297
dc483132-0cff-0310-8789-
dd5450dbe970
Zhanna Tsitkov [Mon, 3 Oct 2011 20:15:27 +0000 (20:15 +0000)]
Minor RST adjustment
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25296
dc483132-0cff-0310-8789-
dd5450dbe970