Tom Yu [Mon, 28 Sep 2009 21:22:47 +0000 (21:22 +0000)]
pull up r22434 from trunk
------------------------------------------------------------------------
r22434 | tlyu | 2009-07-10 15:20:26 -0400 (Fri, 10 Jul 2009) | 8 lines
ticket: 1233
Add a new '-W' option to kadmind and kdb5_util create to allow reading
weak random numbers on startup, to avoid long delays in testing
situations. Use only for testing.
Update testing scripts accordingly.
ticket: 1233
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22803 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 21:22:43 +0000 (21:22 +0000)]
pull up r22423, r22422 from trunk
------------------------------------------------------------------------
r22423 | tlyu | 2009-06-25 22:44:41 -0400 (Thu, 25 Jun 2009) | 4 lines
ticket: 6428
Add test case omitted in last commit.
------------------------------------------------------------------------
r22422 | tlyu | 2009-06-25 22:43:21 -0400 (Thu, 25 Jun 2009) | 8 lines
ticket: 6428
version_reported: 1.7
target_version: 1.7.1
tags: pullup
Check for principal expiration prior to checking for password
expiration. Reported by Phil Pishioneri.
ticket: 6428
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22802 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 20:58:56 +0000 (20:58 +0000)]
pull up r22418 from trunk
------------------------------------------------------------------------
r22418 | raeburn | 2009-06-18 19:25:25 -0400 (Thu, 18 Jun 2009) | 36 lines
ticket: 6515
subject: reduce some mutex performance problems in profile library
tags: pullup
target_version: 1.7.1
version_reported: 1.7
In profile_node_iterator we unlock a mutex in order to call
profile_update_file_data, which wants to lock that mutex itself, and
then when it returns we re-lock the mutex. (We don't use recursive
mutexes, and I would continue to argue that we shouldn't.) On the
Mac, when running multiple threads, it appears that this results in
very poor performance, and much system and user CPU time is spent
working with the locks. (Linux doesn't seem to suffer as much.)
So: Split profile_update_file_data into a locking wrapper, and an
inner routine that does the real work but requires that the lock be
held on entry. Call the latter from profile_node_iterator *without*
unlocking first, and only unlock if there's an error. This doesn't
move any significant amount of work into the locking region; it pretty
much just joins locking regions that were disjoint for no good reason.
On my tests on an 8-core Mac, in a test program running
gss_init_sec_context in a loop in 6 threads, this brought CPU usage
per call down by 40%, and improved wall-clock time even more.
Single-threaded performance improved very slightly, probably in the
noise.
Linux showed modest improvement (5% or less) in CPU usage in a
3-thread test on a 4-core system.
Similar tests with gss_accept_sec_context showed similar contention
around the profile-library mutexes, but I haven't analyzed the
performance changes there from this patch.
More work is needed, but this will help.
ticket: 6515
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22801 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 20:58:54 +0000 (20:58 +0000)]
pull up r22417 from trunk
------------------------------------------------------------------------
r22417 | raeburn | 2009-06-18 17:56:48 -0400 (Thu, 18 Jun 2009) | 13 lines
ticket: 6514
subject: minor memory leak in 'none' replay cache type
tags: pullup
target_version: 1.7.1
version_reported: 1.7
The replay cache type implementations are responsible for freeing the
main rcache structure when the cache handle is closed. The 'none'
rcache type wasn't doing this, resulting in a small memory leak each
time such a cache was opened and closed. Not a big deal for a server
process servicing a single client, but it could accumulate (very very
slowly) for a long-running server.
ticket: 6514
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22800 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 20:44:23 +0000 (20:44 +0000)]
pull up r22413, r22410 from trunk
------------------------------------------------------------------------
r22413 | epeisach | 2009-06-17 13:51:31 -0400 (Wed, 17 Jun 2009) | 5 lines
ticket: 6512
In the previous patch - I neglected a potential NULL deref in the call
to krb5int_yarrow_cipher_final. Trivial fix.
------------------------------------------------------------------------
r22410 | epeisach | 2009-06-11 13:01:13 -0400 (Thu, 11 Jun 2009) | 7 lines
subject: krb5int_yarrow_final could deref NULL if out of memory
ticket: 6512
krb5int_yarrow_final tests if the Yarrow_CTX* is valid (not NULL) -
and if not - signals an error for return - but still invokes
mem_zero (memset) with it as an argument. This will only happen in
an out-of-memory situation.
ticket: 6512
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22799 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 20:44:20 +0000 (20:44 +0000)]
------------------------------------------------------------------------
r22409 | epeisach | 2009-06-09 22:55:22 -0400 (Tue, 09 Jun 2009) | 7 lines
ticket: 6511
subject: krb5int_rd_chpw_rep could call krb5_free_error with random value
clang picked up on a path in which krberror is not set and passed as
an argument to krb5_free_error(). Essentially if the clearresult
length < 2 but everything decodes - you can hit this path...
ticket: 6511
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22798 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 20:34:52 +0000 (20:34 +0000)]
pull up r22403 from trunk
------------------------------------------------------------------------
r22403 | epeisach | 2009-06-06 09:46:06 -0400 (Sat, 06 Jun 2009) | 9 lines
ticket: 6509
subject: kadmind is parsing acls good deref NULL pointer on error
In kadm5int_acl_parse_line, if you setup an acl w/ restrictions
(i.e. the four argument acl format) - but have an error parsing the
first few fields, acle is NULLed out, and is then derefed.
This adds a conditional and indents according to the krb5 c-style...
ticket: 6509
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22797 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 20:27:13 +0000 (20:27 +0000)]
pull up r22402 from trunk
------------------------------------------------------------------------
r22402 | epeisach | 2009-06-05 23:55:44 -0400 (Fri, 05 Jun 2009) | 7 lines
ticket: 6508
subject: kadm5int_acl_parse_restrictions could ref uninitialized variable
The variable sp is never initialized. If the first argument to the
function is null, the code falls through to freeing sp if valid.
However, sp is never set.
ticket: 6508
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22796 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 20:27:10 +0000 (20:27 +0000)]
pull up r22397 from trunk
------------------------------------------------------------------------
r22397 | ghudson | 2009-06-01 18:39:31 -0400 (Mon, 01 Jun 2009) | 17 lines
ticket: 6506
subject: Make results of krb5_db_def_fetch_mkey more predictable
tags: pullup
target_version: 1.7
krb5_db_def_fetch_mkey tries the stash file as a keytab, then falls
back to the old stash file format. If the stash file was in keytab
format, but didn't contain the desired master key, we would try to
read a keytab file as a stash file. This could succeed or fail
depending on byte order and other unpredictable factors. The upshot
was that one of the libkadm5 unit tests (init 108) was getting a
different error code on different platforms.
To fix this, only try the stash file format if we get
KRB5_KEYTAB_BADVNO trying the keytab format. This requires reworking
the error handling logic.
ticket: 6506
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22795 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 28 Sep 2009 20:06:57 +0000 (20:06 +0000)]
pull up r22392 from trunk
------------------------------------------------------------------------
r22392 | raeburn | 2009-05-27 16:03:46 -0400 (Wed, 27 May 2009) | 10 lines
ticket: 6505
target_version: 1.7
tags: pullup
subject: fix t_prf test code properly
Correction to patch in r22364: "i" was used in two places, one of
which required an int-sized value and the other of which required a
size_t. Instead of changing the type, split the two uses into
separate variables.
ticket: 6505
version_fixed: 1.7.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22794 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Fri, 24 Jul 2009 18:21:57 +0000 (18:21 +0000)]
C++ compatibility for Windows compilation
pull up r21902, r21917, r21918, r21919 to improve C++ compatibility
and to enable Windows compilation.
------------------------------------------------------------------------
r21919 | raeburn | 2009-02-09 11:36:09 -0500 (Mon, 09 Feb 2009) | 3 lines
Check C++ compatibility for some internal headers that may (now or in
the future) be used in C++ code on Windows.
------------------------------------------------------------------------
r21918 | raeburn | 2009-02-09 11:35:01 -0500 (Mon, 09 Feb 2009) | 3 lines
More C++ compatibility: Don't use "typedef struct tag *tag"; rename
the tag and keep the same typedefname.
------------------------------------------------------------------------
r21917 | raeburn | 2009-02-09 11:28:29 -0500 (Mon, 09 Feb 2009) | 3 lines
C++ compatibility fix -- g++ says "types may not be defined in casts",
so do the gcc unaligned-struct trick only for C, not C++.
------------------------------------------------------------------------
r21902 | raeburn | 2009-02-05 16:56:21 -0500 (Thu, 05 Feb 2009) | 2 lines
use casts, for c++ compilation on windows
ticket: 6536
version_fixed: 1.7.1
target_version: 1.7.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22455 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 2 Jun 2009 01:04:20 +0000 (01:04 +0000)]
krb5-1.7-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22401 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 2 Jun 2009 00:45:43 +0000 (00:45 +0000)]
krb5-1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22399 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 2 Jun 2009 00:25:44 +0000 (00:25 +0000)]
Update copyrights. Reorganize "major changes" listing
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22398 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 26 May 2009 09:53:43 +0000 (09:53 +0000)]
krb5-1.7-beta3-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22391 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 26 May 2009 09:51:12 +0000 (09:51 +0000)]
readme and patchlevel for krb5-1.7-beta3
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22389 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 26 May 2009 09:41:54 +0000 (09:41 +0000)]
typo in admin.texinfo
pull up r22266 from trunk
------------------------------------------------------------------------
r22266 | ghudson | 2009-04-22 10:26:17 +0200 (Wed, 22 Apr 2009) | 4 lines
In the cross-realm setup example in the admin documentation, use
"addprinc" instead of "add_princ" since the latter is not a recognized
alias for add_principal.
ticket: 6503
version_fixed: 1.7
target_version: 1.7
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22388 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 26 May 2009 09:41:46 +0000 (09:41 +0000)]
typo in doc/api/krb5.tex
------------------------------------------------------------------------
r22287 | ghudson | 2009-04-28 19:54:13 +0200 (Tue, 28 Apr 2009) | 2 lines
Fix typo.
ticket: 6502
target_version: 1.7
tags: pullup
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22387 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 26 May 2009 07:58:52 +0000 (07:58 +0000)]
pull up r22382 from trunk
------------------------------------------------------------------------
r22382 | ghudson | 2009-05-25 18:47:40 +0200 (Mon, 25 May 2009) | 6 lines
ticket: 6497
tags: pullup
target_version: 1.7
Fix up kinit -T documentation.
ticket: 6497
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22386 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 26 May 2009 07:58:28 +0000 (07:58 +0000)]
pull up r22381 from trunk
------------------------------------------------------------------------
r22381 | ghudson | 2009-05-25 18:40:00 +0200 (Mon, 25 May 2009) | 10 lines
ticket: 6501
subject: Temporarily disable FAST PKINIT for 1.7 release
tags: pullup
target_version: 1.7
There are protocol issues and implementation defects surrounding the
combination of FAST and PKINIT currently. To avoid impacting the 1.7
schedule and to avoid creating interoperability problems later,
disable the combination until the problems are resolved.
ticket: 6501
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22385 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 25 May 2009 05:44:09 +0000 (05:44 +0000)]
use correct type for krb5_c_prf_length length arg
pull up r22364 from trunk
------------------------------------------------------------------------
r22364 | raeburn | 2009-05-22 19:20:15 +0200 (Fri, 22 May 2009) | 2 lines
Use correct type for krb5_c_prf_length length arg.
ticket: 6500
target_version: 1.7
tags: pullup
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22380 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 25 May 2009 05:43:55 +0000 (05:43 +0000)]
use printf format attribute only with gcc
pull up r22363 from trunk
------------------------------------------------------------------------
r22363 | raeburn | 2009-05-22 19:19:37 +0200 (Fri, 22 May 2009) | 2 lines
Use printf format attribute only with gcc.
ticket: 6499
target_version: 1.7
tags: pullup
version_fixed: 1.7
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22379 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 25 May 2009 05:43:42 +0000 (05:43 +0000)]
spnego_mech.c syntax error under _GSS_STATIC_LINK
pull up r22361 from trunk
------------------------------------------------------------------------
r22361 | raeburn | 2009-05-22 16:12:17 +0200 (Fri, 22 May 2009) | 2 lines
fix minor syntax error
ticket: 6498
target_version: 1.7
tags: pullup
version_fixed: 1.7
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22378 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Sun, 24 May 2009 22:51:42 +0000 (22:51 +0000)]
pull up r22369 from trunk
------------------------------------------------------------------------
r22369 | ghudson | 2009-05-24 17:53:51 +0200 (Sun, 24 May 2009) | 11 lines
ticket: 6496
subject: Fix vector initialization error in KDC preauth code
target_version: 1.7
tags: pullup
In the KDC, get_preauth_hint_list had two bugs initializing the
preauth array. It was allocating 21 extra entries instead of two due
to a typo (harmless), and it was only zeroing up through one extra
entry (harmful). Adjust the code to use calloc to avoid further
disagreements of this nature.
ticket: 6496
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22377 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Sun, 24 May 2009 22:51:32 +0000 (22:51 +0000)]
pull up r22368 from trunk
------------------------------------------------------------------------
r22368 | ghudson | 2009-05-24 02:48:31 +0200 (Sun, 24 May 2009) | 10 lines
ticket: 6495
subject: Fix test rules for non-gmake make versions
target_version: 1.7
tags: pullup
The build rules for the new t_ad_fx_armor and t_authdata test programs
used $<, which is only portable for implicit rules (but is valid in
gmake for all rules). Stop using $< in those rules so that "make
check" works with System V make.
ticket: 6495
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22376 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Sun, 24 May 2009 22:51:08 +0000 (22:51 +0000)]
pull up r22360 from trunk
------------------------------------------------------------------------
r22360 | ghudson | 2009-05-22 16:08:25 +0200 (Fri, 22 May 2009) | 10 lines
ticket: 6492
subject: Remove spurious assertion in handle_authdata
tags: pullup
target_version: 1.7
In handle_authdata in the KDC, remove a spurious assertion (added in
r21566 on the mskrb-integ branch) that authdata starts out empty.
authdata can be legitimately added by check_padata, which precedes
handle_authdata, and this happens with pkinit.
ticket: 6492
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22375 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Sun, 24 May 2009 22:50:58 +0000 (22:50 +0000)]
pull up 22355, 22356, 22357 from trunk
------------------------------------------------------------------------
r22357 | ghudson | 2009-05-20 04:05:53 +0200 (Wed, 20 May 2009) | 6 lines
ticket: 6490
Restore compatibility with KDCs using key usage 8 to encrypt TGS
replies in a subkey, by implementing a fallback in
krb5_arcfour_decrypt.
------------------------------------------------------------------------
r22356 | ghudson | 2009-05-20 01:17:49 +0200 (Wed, 20 May 2009) | 13 lines
ticket: 6490
status: open
tags: pullup
When using keyed checksum types with TGS subkeys, Microsoft AD 2003
verifies the checksum using the subkey, whereas MIT and Heimdal verify
it using the TGS session key. (RFC 4120 is actually silent on which
is correct; RFC 4757 specifies the TGS session key.) To sidestep this
interop issue, don't use keyed checksum types with RC4 keys without
explicit configuration in krb5.conf. Using keyed checksum types with
AES is fine since, experimentally, AD 2008 accepts checksums keyed
with the TGS session key.
------------------------------------------------------------------------
r22355 | hartmans | 2009-05-19 01:28:53 +0200 (Tue, 19 May 2009) | 5 lines
ticket: 6490
status: open
In practice, key usage 9 requires no translation.
ticket: 6490
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22374 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Sun, 24 May 2009 22:50:44 +0000 (22:50 +0000)]
pull up r22351, r22354 from trunk
------------------------------------------------------------------------
r22354 | hartmans | 2009-05-18 21:08:48 +0200 (Mon, 18 May 2009) | 8 lines
ticket: 6488
target_version: 1.7
tags: pullup
Copy the sequence key rather than the subkey for lucid contexts in RFC
1964 mode, so that we map to raw des enctypes rather than say
des-cbc-crc.
------------------------------------------------------------------------
r22351 | ghudson | 2009-05-14 18:50:52 +0200 (Thu, 14 May 2009) | 9 lines
ticket: 6488
status: open
tags: pullup
target_version: 1.7
gss_krb5int_export_lucid_sec_context was erroneously copying the first
sizeof(void *) bytes of the context into data_set, instead of the
pointer to the context.
ticket: 6488
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22373 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Sun, 24 May 2009 22:50:30 +0000 (22:50 +0000)]
pull up r22350 from trunk
------------------------------------------------------------------------
r22350 | ghudson | 2009-05-14 18:16:32 +0200 (Thu, 14 May 2009) | 9 lines
ticket: 6489
subject: UCS2 support doesn't handle upper half of BMP
tags: pullup
target_version: 1.7
Make krb5_ucs2 an unsigned type. Eliminate the need for distinguished
values for ucs2 and ucs4 characters by changing the API of the single-
character conversion routines.
ticket: 6489
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22372 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Sun, 24 May 2009 22:50:17 +0000 (22:50 +0000)]
pull up r22348 from trunk
------------------------------------------------------------------------
r22348 | tlyu | 2009-05-13 22:41:37 +0200 (Wed, 13 May 2009) | 13 lines
ticket: 6486
tags: pullup
target_version: 1.7
In util/support/utf8_conv.c, the SWAP16 macro is invoked with an
argument that has side effects. On platforms where SWAP16 can
evaluate its argument twice (including platforms where utf8_conv.c
creates a fallback definition for the SWAP16 macro), this can cause a
read overrun by a factor of two.
Rearrange the data flow to avoid calling SWAP16 with an argument that
has side effects.
ticket: 6486
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22371 dc483132-0cff-0310-8789-dd5450dbe970
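The double-evaluation hazard described in r22348, as an added example that is not krb5's code: the SWAP16 definition below is a hypothetical fallback, and struct reader, next16, the convert_* functions and the sample buffer are constructed for illustration. A bounds-checked reader stands in for the raw pointer so the overrun is counted rather than performed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical fallback byte swap: the argument x appears twice,
 * so any side effect in the argument expression happens twice. */
#define SWAP16(x) ((uint16_t)((((x) & 0xff) << 8) | (((x) >> 8) & 0xff)))

/* Bounds-checked cursor that records every read request. */
struct reader {
    const uint16_t *buf;
    size_t len;       /* elements available in buf */
    size_t pos;       /* index of the next element */
    size_t reads;     /* total read requests */
    size_t overruns;  /* requests that fell past the end of buf */
};

/* Side-effecting read: advances the cursor on every call. */
static uint16_t next16(struct reader *r)
{
    r->reads++;
    if (r->pos >= r->len) {
        r->overruns++;   /* an unchecked pointer read would be out of bounds */
        r->pos++;
        return 0;
    }
    return r->buf[r->pos++];
}

/* Before: the macro argument has a side effect, so producing one output
 * consumes two inputs. The order of the two calls is unspecified, so the
 * output values are not meaningful; only the read counts are. */
static void convert_unsafe(struct reader *r, uint16_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = SWAP16(next16(r));
}

/* After: read once into a temporary, then swap the temporary. */
static void convert_safe(struct reader *r, uint16_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint16_t ch = next16(r);
        out[i] = SWAP16(ch);
    }
}

/* Constructed sample input: four 16-bit code units. */
static const uint16_t sample[4] = { 0x0041, 0x0042, 0x0043, 0x0044 };
static uint16_t last_out[4];

/* Convert the sample with either variant and return the reader's counters. */
static struct reader run_demo(int use_safe)
{
    struct reader r = { sample, 4, 0, 0, 0 };
    if (use_safe)
        convert_safe(&r, last_out, 4);
    else
        convert_unsafe(&r, last_out, 4);
    return r;
}

int main(void)
{
    struct reader u = run_demo(0);
    struct reader s = run_demo(1);
    printf("unsafe: %zu reads, %zu past the end\n", u.reads, u.overruns);
    printf("safe:   %zu reads, %zu past the end\n", s.reads, s.overruns);
    return 0;
}
```

Compilers do not warn about this pattern by default, so a code review check for macro arguments containing `++`, `--`, assignments or function calls is the practical detection.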
Tom Yu [Tue, 12 May 2009 23:15:32 +0000 (23:15 +0000)]
krb5-1.7-beta2-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22347 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 12 May 2009 23:13:57 +0000 (23:13 +0000)]
README and patchlevel for krb5-1.7-beta2
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22345 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 May 2009 22:11:30 +0000 (22:11 +0000)]
document ok_as_delegate in admin.texinfo
pull up r2293, r22304 from trunk
------------------------------------------------------------------------
r22304 | ghudson | 2009-05-03 14:47:27 -0400 (Sun, 03 May 2009) | 2 lines
Changed paths:
M /trunk/doc/admin.texinfo
Fix formatting of ok_as_delegate documentation in admin guide.
------------------------------------------------------------------------
r22293 | ghudson | 2009-04-30 11:08:50 -0400 (Thu, 30 Apr 2009) | 2 lines
Changed paths:
M /trunk/doc/admin.texinfo
Document ok_as_delegate in the admin guide.
ticket: 6485
tags: pullup
target_version: 1.7
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22342 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:56:55 +0000 (20:56 +0000)]
make depend
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22341 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:56:53 +0000 (20:56 +0000)]
pull up r22325 from trunk
------------------------------------------------------------------------
r22325 | hartmans | 2009-05-07 16:35:28 -0400 (Thu, 07 May 2009) | 18 lines
Changed paths:
M /trunk/src/include/k5-int.h
M /trunk/src/lib/krb5/krb/decode_kdc.c
M /trunk/src/lib/krb5/krb/gc_via_tkt.c
M /trunk/src/lib/krb5/libkrb5.exports
Subject: Try decrypting using session key if subkey fails in tgs rep handling
ticket: 6484
Tags: pullup
Target_Version: 1.7
Heimdal at least up through 1.2 incorrectly encrypts the TGS response
in the session key not the subkey when a subkey is supplied. See RFC
4120 page 35. Work around this by trying decryption using the session
key after the subkey fails.
* decode_kdc_rep.c: rename to krb5int_decode_tgs_rep; only used for
TGS and now needs to take keyusage
* gc_via_tkt: pass in session key and appropriate usage if subkey
fails.
Note that the dead code to process AS responses in decode_kdc_rep is
not removed by this commit. That will be removed as FAST TGS client
support is integrated post 1.7.
ticket: 6484
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22340 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:56:50 +0000 (20:56 +0000)]
pull up r22324 from trunk
------------------------------------------------------------------------
r22324 | hartmans | 2009-05-07 16:35:19 -0400 (Thu, 07 May 2009) | 8 lines
Changed paths:
M /trunk/src/kadmin/cli/k5srvutil.M
M /trunk/src/kadmin/cli/kadmin.M
M /trunk/src/kadmin/cli/kadmin.local.M
M /trunk/src/kadmin/ktutil/ktutil.M
ticket: 6483
Subject: man1 in title header for man1 manpages
Target_Version: 1.7
Tags: pullup
A previous ticket moved kadmin, kadmin.local, ktutil and k5srvutil man
pages to man1 from man8. This updates the section within the man
page.
ticket: 6483
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22339 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:56:33 +0000 (20:56 +0000)]
pull up r22323 from trunk
------------------------------------------------------------------------
r22323 | ghudson | 2009-05-07 15:51:46 -0400 (Thu, 07 May 2009) | 8 lines
Changed paths:
M /trunk/src/lib/kadm5/srv/svr_policy.c
M /trunk/src/lib/kadm5/unit-test/api.0/crte-policy.exp
M /trunk/src/lib/kadm5/unit-test/api.2/crte-policy.exp
ticket: 6482
subject: Allow more than 10 past keys to be stored by a policy
target_version: 1.7
tags: pullup
Remove the arbitrary limit of 10 past keys in policies. We were not
taking advantage of that limit in any other code.
ticket: 6482
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22338 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:56:16 +0000 (20:56 +0000)]
pull up r22319 from trunk
------------------------------------------------------------------------
r22319 | ghudson | 2009-05-06 14:52:44 -0400 (Wed, 06 May 2009) | 5 lines
Changed paths:
M /trunk/src/lib/krb5/krb/preauth2.c
ticket: 6210
In pa_sam, use the correct function to free sam_challenge in the
success path.
ticket: 6210
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22337 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:59 +0000 (20:55 +0000)]
pull up r22310 from trunk
------------------------------------------------------------------------
r22310 | ghudson | 2009-05-05 12:30:19 -0400 (Tue, 05 May 2009) | 5 lines
Changed paths:
M /trunk/src/lib/krb5/krb/get_in_tkt.c
ticket: 6401
In krb5_get_in_tkt, free the whole encoded request (since the
structure was allocated by encode_krb5_as_req), not just the contents.
ticket: 6401
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22336 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:57 +0000 (20:55 +0000)]
pull up r22298 from trunk
------------------------------------------------------------------------
r22298 | hartmans | 2009-04-30 16:17:42 -0400 (Thu, 30 Apr 2009) | 10 lines
Changed paths:
M /trunk/src/lib/crypto/des/Makefile.in
M /trunk/src/lib/crypto/des/des_int.h
A /trunk/src/lib/crypto/des/des_prf.c (from /trunk/src/lib/crypto/dk/dk_prf.c:22295)
M /trunk/src/lib/crypto/etypes.c
M /trunk/src/lib/crypto/t_cf2.comments
M /trunk/src/lib/crypto/t_cf2.expected
M /trunk/src/lib/crypto/t_cf2.in
ticket: 5587
Tags: pullup
Implement DES and 3DES PRF. Patch from KAMADA Ken'ichi
Currently the DES and 3DES PRF output 16-byte results. This is
consistent with RFC 3961, but we need to confirm it is consistent with
Heimdal and WG decisions. See IETF 74 minutes for some discussion of
the concern as it applies to AES and thus possibly all simplified
profile enctypes.
ticket: 5587
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22335 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:54 +0000 (20:55 +0000)]
pull up r22292 from trunk
------------------------------------------------------------------------
r22292 | hartmans | 2009-04-29 20:38:48 -0400 (Wed, 29 Apr 2009) | 10 lines
Changed paths:
M /trunk/src/kdc/kdc_preauth.c
ticket: 6480
Subject: Do not return PREAUTH_FAILED on unknown preauth
Target_Version: 1.7
Tags: pullup
If the KDC receives unknown pre-authentication data then ignore it.
Do not get into a case where PREAUTH_FAILED is returned because of
unknown pre-authentication. The main AS loop will cause
PREAUTH_REQUIRED to be returned if the preauth_required flag is set
and no valid preauth is found.
ticket: 6480
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22334 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:51 +0000 (20:55 +0000)]
pull up r22291 from trunk
------------------------------------------------------------------------
r22291 | ghudson | 2009-04-29 19:21:21 -0400 (Wed, 29 Apr 2009) | 9 lines
Changed paths:
M /trunk/src/include/k5-err.h
M /trunk/src/include/k5-int.h
M /trunk/src/lib/krb5/krb/kerrs.c
M /trunk/src/lib/krb5/libkrb5.exports
M /trunk/src/util/support/errors.c
M /trunk/src/util/support/libkrb5support-fixed.exports
ticket: 6479
subject: Add DEBUG_ERROR_LOCATIONS support
If DEBUG_ERROR_LOCATIONS is defined, replace uses of
krb5_set_error_message and krb5int_set_error with calls to the new
_fl variants of those functions, and include filename and line number
information in the calls. Requires C99-style variadic macros if
defined.
ticket: 6479
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22333 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:48 +0000 (20:55 +0000)]
pull up r22290 from trunk
------------------------------------------------------------------------
r22290 | tlyu | 2009-04-28 20:31:50 -0400 (Tue, 28 Apr 2009) | 5 lines
Changed paths:
M /trunk/src/clients/ksu/krb_auth_su.c
ticket: 6472
target_version: 1.7
tags: pullup
Fix typo in error message reported by Marek Mahut (Red Hat).
ticket: 6472
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22332 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:45 +0000 (20:55 +0000)]
pull up r22283, r22288 from trunk. r22283 was not originally part of
this ticket but is a prereq for the mk_cred.c change.
------------------------------------------------------------------------
r22288 | ghudson | 2009-04-28 14:00:13 -0400 (Tue, 28 Apr 2009) | 14 lines
Changed paths:
M /trunk/src/lib/krb5/krb/mk_cred.c
M /trunk/src/lib/krb5/krb/mk_priv.c
M /trunk/src/lib/krb5/krb/mk_safe.c
ticket: 6478
subject: Fix handling of RET_SEQUENCE flag in mk_priv/mk_ncred
Regularize the handling of KRB5_AUTH_CONTEXT_RET_SEQUENCE in
krb5_mk_safe, krb5_mk_priv, and krb5_mk_ncred, using krb5_mk_safe as
a baseline. RET_SEQUENCE now implies DO_SEQUENCE for all three
functions, the sequence number is always incremented if it is used,
and outdata->seq is always set if RET_SEQUENCE is passed.
Note that in the corresponding rd_ functions, RET_SEQUENCE and
DO_SEQUENCE are independent flags, which is not consistent with the
above. This compromise is intended to preserve compatibility with
any working code which might exist using the RET_SEQUENCE flag.
------------------------------------------------------------------------
r22283 | ghudson | 2009-04-27 19:48:22 -0400 (Mon, 27 Apr 2009) | 5 lines
Changed paths:
M /trunk/src/lib/krb5/krb/mk_cred.c
Fix a few memory leaks in krb5_mk_ncred. Also tighten up the error
handling of the sequence number, only decreasing it if it was
increased. The handling of DO_SEQUENCE and RET_SEQUENCE may still be
flawed in some cases.
ticket: 6478
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22331 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:28 +0000 (20:55 +0000)]
pull up r22281 from trunk
------------------------------------------------------------------------
r22281 | ghudson | 2009-04-27 11:42:23 -0400 (Mon, 27 Apr 2009) | 8 lines
Changed paths:
M /trunk/src/include/kdb.h
M /trunk/src/include/kdb_ext.h
M /trunk/src/kadmin/cli/kadmin.M
M /trunk/src/kadmin/cli/kadmin.c
M /trunk/src/kdc/do_tgs_req.c
M /trunk/src/lib/kadm5/str_conv.c
ticket: 5596
Move KRB5_KDB_OK_AS_DELEGATE from kdb_ext.h to kdb.h. Add kadmin
support for the flag. In the KDC, remove the restriction on returning
the flag on cross-realm TGTs since there is now a defined meaning for
that (it allows ok-as-delegate to be honored on the foreign realm's
service tickets).
ticket: 5596
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22330 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:25 +0000 (20:55 +0000)]
pull up r22280 from trunk
------------------------------------------------------------------------
r22280 | raeburn | 2009-04-25 05:36:11 -0400 (Sat, 25 Apr 2009) | 9 lines
Changed paths:
M /trunk/src/lib/kadm5/admin.h
M /trunk/src/tests/misc/Makefile.in
M /trunk/src/tests/misc/deps
A /trunk/src/tests/misc/test_cxx_kadm5.cpp
ticket: 6477
subject: make installed headers C++-safe
target_version: 1.7
tags: pullup
Now that we're installing the kadm5 headers, they should be C++-safe
like the others. Wrap the content in 'extern "C"' if compiling as
C++. New test program to verify.
ticket: 6477
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22329 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:22 +0000 (20:55 +0000)]
pull up r22278 from trunk
------------------------------------------------------------------------
r22278 | ghudson | 2009-04-24 15:49:54 -0400 (Fri, 24 Apr 2009) | 9 lines
Changed paths:
M /trunk/src/lib/krb5/keytab/kt_file.c
ticket: 6475
status: open
tags: pullup
target_version: 1.7
In krb5_ktfileint_find_slot, don't continue the loop when we find a
final zero-length buffer. This is a minimal fix intended to be pulled
up to the 1.7 branch; a code cleanup commit will follow.
ticket: 6475
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22328 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 May 2009 20:55:19 +0000 (20:55 +0000)]
pull up r22272 from trunk
------------------------------------------------------------------------
r22272 | ghudson | 2009-04-23 04:42:40 -0400 (Thu, 23 Apr 2009) | 7 lines
Changed paths:
M /trunk/src/lib/krb5/krb/gc_via_tkt.c
ticket: 6473
tags: pullup
In krb5_get_cred_via_tkt, strip the ok-as-delegate flag from
credentials obtained using a foreign TGT, unless the TGT also has
ok-as-delegate set.
ticket: 6473
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22327 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 29 Apr 2009 00:28:19 +0000 (00:28 +0000)]
Fix accidentally reversed description of allow_weak_crypto
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22289 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 22 Apr 2009 18:10:57 +0000 (18:10 +0000)]
krb5-1.7-beta1-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22271 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 22 Apr 2009 18:08:46 +0000 (18:08 +0000)]
README and patchlevel for krb5-1.7-beta1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22269 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 22 Apr 2009 16:20:49 +0000 (16:20 +0000)]
pull up r22267 from trunk
------------------------------------------------------------------------
r22267 | hartmans | 2009-04-22 09:30:00 -0400 (Wed, 22 Apr 2009) | 7 lines
Changed paths:
M /trunk/src/kadmin/cli/Makefile.in
M /trunk/src/kadmin/ktutil/Makefile.in
Ticket: 6474
Subject: move kadmin, ktutil, k5srvutil man pages to man1
Target_Version: 1.7
Tags: pullup
These binaries have been moved to /usr/bin so their manpages should
move from man8 to man1.
ticket: 6474
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22268 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Fri, 17 Apr 2009 21:28:37 +0000 (21:28 +0000)]
pull up r22264 from trunk
------------------------------------------------------------------------
r22264 | ghudson | 2009-04-16 12:46:33 -0400 (Thu, 16 Apr 2009) | 12 lines
Changed paths:
M /trunk/src/kdc/kdc_preauth.c
M /trunk/src/kdc/kdc_util.c
ticket: 6470
subject: Send explicit salt for SALTTYPE_NORMAL keys
target_version: 1.7
tags: pullup
Change the signature of _make_etype_info_entry to take the canonical
client principal instead of the request structure. Also fixes the salt
we compute for SALTTYPE_NOREALM keys.
Sending an explicit salt for SALTTYPE_NORMAL keys is believed to be
necessary for some preauth scenarios involving aliases.
ticket: 6470
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22265 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 21:07:09 +0000 (21:07 +0000)]
make depend
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22263 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 21:00:34 +0000 (21:00 +0000)]
pull up r22210 from trunk
------------------------------------------------------------------------
r22210 | hartmans | 2009-04-14 11:35:12 -0400 (Tue, 14 Apr 2009) | 6 lines
Changed paths:
M /trunk/src/kdc/fast_util.c
ticket: 6461
Subject: Require fast_req checksum to be keyed
Target_Version: 1.7
Tags: pullup
Since the fast_req checksum is unencrypted, a keyed checksum type needs to be used.
ticket: 6461
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22262 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 21:00:31 +0000 (21:00 +0000)]
pull up r22209 from trunk
------------------------------------------------------------------------
r22209 | hartmans | 2009-04-14 11:05:21 -0400 (Tue, 14 Apr 2009) | 6 lines
Changed paths:
M /trunk/src/clients/kinit/kinit.M
M /trunk/src/clients/kinit/kinit.c
ticket: 6460
subject: Implement kinit option for FAST armor ccache
Target_version: 1.7
tags: pullup
Implement the -T option to kinit to specify the FAST armor ccache.
ticket: 6460
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22261 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 21:00:28 +0000 (21:00 +0000)]
pull up r22208 from trunk
------------------------------------------------------------------------
r22208 | wfiveash | 2009-04-13 18:15:05 -0400 (Mon, 13 Apr 2009) | 11 lines
Changed paths:
M /trunk/src/kadmin/dbutil/kdb5_util.M
Ticket: 6459
Subject: Update kdb5_util man page with missing purge_mkeys command
Version_Reported: 1.7
Target_Version: 1.7
Tags: pullup
While previously updating the kdb5_util command man page to include
documentation on new subcommands added as a result of the Master Key
Migration project I missed the purge_mkeys command. I've added that
with this commit.
ticket: 6459
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22260 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 21:00:24 +0000 (21:00 +0000)]
fcc_generate_new destroys locked mutex on error
pull up r22200 from trunk
------------------------------------------------------------------------
r22200 | ghudson | 2009-04-13 15:29:14 -0400 (Mon, 13 Apr 2009) | 3 lines
Changed paths:
M /trunk/src/lib/krb5/ccache/cc_file.c
krb5_fcc_generate_new was destroying a locked mutex in the err_out
label, which is used for I/O failures. Unlock the mutex first.
ticket: 6469
tags: pullup
target_version: 1.7
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22259 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:07:55 +0000 (20:07 +0000)]
pull up r22188 from trunk
------------------------------------------------------------------------
r22188 | ghudson | 2009-04-10 12:09:19 -0400 (Fri, 10 Apr 2009) | 8 lines
Changed paths:
M /trunk/doc/admin.texinfo
M /trunk/doc/support-enc.texinfo
ticket: 6452
subject: Document allow_weak_crypto
tags: pullup
target_version: 1.7
Also document which cryptosystems are defined to be weak, and add some
enctype entries which weren't in the documentation.
ticket: 6452
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22258 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:07:53 +0000 (20:07 +0000)]
pull up r22187 from trunk
------------------------------------------------------------------------
r22187 | ghudson | 2009-04-09 13:57:03 -0400 (Thu, 09 Apr 2009) | 9 lines
Changed paths:
M /trunk/doc/definitions.texinfo
ticket: 6451
subject: Update defaults in documentation
tags: pullup
target_version: 1.7
doc/definitions.texinfo had, predictably, fallen out of date with
respect to the code. Update a few of the out of date comments and
defaults, particularly the default enctype lists.
ticket: 6451
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22257 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:07:51 +0000 (20:07 +0000)]
pull up r22186 from trunk
------------------------------------------------------------------------
r22186 | epeisach | 2009-04-09 07:53:27 -0400 (Thu, 09 Apr 2009) | 7 lines
Changed paths:
M /trunk/src/kdc/main.c
ticket: 6450
subject: kdc: handle_referral_params does not return ENOMEM errors
tags: pullup
retval was set but never returned.
ticket: 6450
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22256 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:07:48 +0000 (20:07 +0000)]
pull up r22185 from trunk
------------------------------------------------------------------------
r22185 | ghudson | 2009-04-08 12:39:33 -0400 (Wed, 08 Apr 2009) | 8 lines
Changed paths:
M /trunk/src/lib/gssapi/generic/gssapi.hin
M /trunk/src/lib/gssapi/krb5/init_sec_context.c
ticket: 6203
tags: pullup
target_version: 1.7
Using a patch from Apple, add support for GSS_C_DELEG_POLICY_FLAG,
which requests delegation only if the ok-as-delegate ticket flag is
set.
ticket: 6203
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22255 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:07:45 +0000 (20:07 +0000)]
pull up r22184 from trunk
------------------------------------------------------------------------
r22184 | ghudson | 2009-04-08 11:58:24 -0400 (Wed, 08 Apr 2009) | 7 lines
Changed paths:
M /trunk/src/lib/krb5/error_tables/krb5_err.et
M /trunk/src/lib/krb5/krb/mk_priv.c
M /trunk/src/lib/krb5/krb/mk_safe.c
M /trunk/src/lib/krb5/krb/rd_priv.c
M /trunk/src/lib/krb5/krb/rd_safe.c
ticket: 1165
mk_safe and mk_priv require the local address to be set in the auth
context; rd_safe and rd_priv require the remote address to be set.
Create error codes for both kinds of missing addresses and stop trying
futilely to handle the cases where they are not set.
ticket: 1165
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22254 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:07:42 +0000 (20:07 +0000)]
pull up r22183 from trunk
------------------------------------------------------------------------
r22183 | epeisach | 2009-04-08 11:25:43 -0400 (Wed, 08 Apr 2009) | 11 lines
Changed paths:
M /trunk/src/kdc/do_as_req.c
ticket: 6449
subject: Fall through on error return
If decoding the encoded_req_body fails, proceed goto errout instead of falling
through to fast handling.
Looks like a merge error.
Reindented code.
ticket: 6449
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22253 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:07:40 +0000 (20:07 +0000)]
pull up r22182 from trunk
------------------------------------------------------------------------
r22182 | ghudson | 2009-04-08 11:22:17 -0400 (Wed, 08 Apr 2009) | 9 lines
Changed paths:
M /trunk/src/lib/krb5/krb/gic_pwd.c
ticket: 6108
tags: pullup
target_version: 1.7
When getting initial credentials with a password, try the master if
preauth fails on a slave, since preauth can fail due to an out-of-date
key. This removes a snippet added in r14939 which was considering
only hardware preauth.
ticket: 6108
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22252 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:07:37 +0000 (20:07 +0000)]
k5_utf8s_to_ucs2s could deref NULL pointer..
pull up r22177 from trunk
------------------------------------------------------------------------
r22177 | epeisach | 2009-04-07 19:59:25 -0400 (Tue, 07 Apr 2009) | 10 lines
Changed paths:
M /trunk/src/util/support/utf8_conv.c
ticket:
Subject k5_utf8s_to_ucs2s could deref NULL pointer...
Based on usage of this static function, this will never happen as
results are always malloced (and checked) by caller. However, the
function is already coded to handle the first argument being null - so
be consistent throughout.
ticket: 6468
version_fixed: 1.7
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22251 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:07:34 +0000 (20:07 +0000)]
pull up r22176 from trunk
------------------------------------------------------------------------
r22176 | tlyu | 2009-04-07 17:22:23 -0400 (Tue, 07 Apr 2009) | 7 lines
Changed paths:
M /trunk/src/lib/krb5/asn.1/asn1_decode.c
M /trunk/src/tests/asn.1/krb5_decode_test.c
ticket: 6445
subject: CVE-2009-0846 asn1_decode_generaltime can free uninitialized pointer
tags: pullup
target_version: 1.7
The asn1_decode_generaltime() function can free an uninitialized
pointer if asn1buf_remove_charstring() fails.
ticket: 6445
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22250 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:07:32 +0000 (20:07 +0000)]
pull up r22175 from trunk
------------------------------------------------------------------------
r22175 | tlyu | 2009-04-07 17:22:20 -0400 (Tue, 07 Apr 2009) | 14 lines
Changed paths:
M /trunk/src/lib/krb5/asn.1/asn1buf.c
ticket: 6444
subject: CVE-2009-0847 asn1buf_imbed incorrect length validation
tags: pullup
target_version: 1.7
asn1buf_imbed() can perform pointer arithmetic that causes the "bound"
pointer of the subbuffer to be less than the "next" pointer. This can
lead to malloc() failure or crash.
In asn1buf_imbed(), check the length before doing arithmetic to set
subbuf->bound. In asn1buf_remove_octetstring() and
asn1buf_remove_charstring(), check for invalid buffer pointers before
executing an unsigned length check against a (casted to size_t)
negative number.
ticket: 6444
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22249 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:07:30 +0000 (20:07 +0000)]
pull up r22174 from trunk
------------------------------------------------------------------------
r22174 | tlyu | 2009-04-07 17:22:17 -0400 (Tue, 07 Apr 2009) | 11 lines
Changed paths:
M /trunk/src/lib/gssapi/spnego/spnego_mech.c
ticket: 6443
subject: CVE-2009-0844 SPNEGO can read beyond buffer end
tags: pullup
target_version: 1.7
SPNEGO can read beyond the end of a buffer if the claimed DER length
exceeds the number of bytes in the input buffer. This can lead to
crash or information disclosure.
Thanks to Apple for reporting this vulnerability and providing
patches.
ticket: 6443
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22248 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:07:26 +0000 (20:07 +0000)]
pull up r22172 from trunk
------------------------------------------------------------------------
r22172 | epeisach | 2009-04-07 13:57:56 -0400 (Tue, 07 Apr 2009) | 9 lines
Changed paths:
M /trunk/src/util/ss/help.c
ticket: 6442
subject: Null pointer deref in adding info
Clearly the code is broken - and we either never use it - or callers never pass
NULL...
Detected by clang static checker.
ticket: 6442
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22247 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:07:24 +0000 (20:07 +0000)]
pull up r22171 from trunk
------------------------------------------------------------------------
r22171 | hartmans | 2009-04-05 17:11:26 -0400 (Sun, 05 Apr 2009) | 7 lines
Changed paths:
M /trunk/src/kdc/do_tgs_req.c
ticket: 6439
Subject: Implement KDC side of TGS FAST
target_version: 1.7
tags: pullup
Most of the KDC side of TGS FAST was already present. This adds
correct generation of the reply key.
ticket: 6439
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22246 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:07:21 +0000 (20:07 +0000)]
pull up r22167, r22170 from trunk
------------------------------------------------------------------------
r22170 | hartmans | 2009-04-03 23:03:04 -0400 (Fri, 03 Apr 2009) | 3 lines
Changed paths:
M /trunk/src/kdc/fast_util.c
M /trunk/src/lib/krb5/krb/get_in_tkt.c
ticket: 6436
fix logic errors
------------------------------------------------------------------------
r22167 | hartmans | 2009-04-03 00:03:45 -0400 (Fri, 03 Apr 2009) | 3 lines
Changed paths:
M /trunk/src/include/k5-int.h
M /trunk/src/kdc/do_as_req.c
M /trunk/src/kdc/do_tgs_req.c
M /trunk/src/kdc/fast_util.c
M /trunk/src/kdc/kdc_preauth.c
M /trunk/src/kdc/kdc_util.c
M /trunk/src/kdc/kdc_util.h
M /trunk/src/lib/crypto/arcfour/arcfour.c
M /trunk/src/lib/crypto/arcfour/arcfour.h
M /trunk/src/lib/crypto/etypes.c
M /trunk/src/lib/krb5/asn.1/asn1_k_encode.c
M /trunk/src/lib/krb5/asn.1/krb5_decode.c
M /trunk/src/lib/krb5/krb/Makefile.in
M /trunk/src/lib/krb5/krb/fast.c
M /trunk/src/lib/krb5/krb/fast.h
M /trunk/src/lib/krb5/krb/get_in_tkt.c
M /trunk/src/lib/krb5/krb/kfree.c
M /trunk/src/lib/krb5/krb/preauth2.c
A /trunk/src/lib/krb5/krb/t_ad_fx_armor.c
M /trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c
ticket: 6436
Merge fast branch at 22166 onto trunk
ticket: 6436
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22245 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:07:18 +0000 (20:07 +0000)]
pull up r22168 from trunk
------------------------------------------------------------------------
r22168 | hartmans | 2009-04-03 01:36:25 -0400 (Fri, 03 Apr 2009) | 8 lines
Changed paths:
M /trunk/src/kdc/kdc_authdata.c
ticket: 6438
Subject: Handle authdata encrypted in subkey
target_version: 1.7
tags: pullup
RFC 4120 requires that if a subkey is present in the TGS request that
authorization data be encrypted in the subkey. Our KDC did not handle
this correctly.
ticket: 6438
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22244 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:07:15 +0000 (20:07 +0000)]
pull up r22154, r22159, r22160 from trunk
------------------------------------------------------------------------
r22160 | hartmans | 2009-04-02 23:33:01 -0400 (Thu, 02 Apr 2009) | 12 lines
Changed paths:
M /trunk/doc/admin.texinfo
M /trunk/src/appl/bsd/kcmd.c
M /trunk/src/config-files/krb5.conf.M
M /trunk/src/lib/krb5/krb/init_ctx.c
M /trunk/src/lib/krb5/krb/mk_req_ext.c
ticket: 1624
Unfortunately, pre-1.7 krshd fails to support keyed checksums because
it uses the wrong API and wrong key usage. So, if the auth_context
has an explicit checksum type set, then respect that. kcmd sets such
a checksum type. Also, because other applications may have the same
problem, allow the config file variable if set to override the default
checksum.
* kcmd.c: Force use of rsa_md5
* init_ctx.c: do not default to md5
* mk_req_ext.c: allow auth_context to override
------------------------------------------------------------------------
r22159 | tlyu | 2009-04-02 19:30:28 -0400 (Thu, 02 Apr 2009) | 3 lines
Changed paths:
M /trunk/src/appl/bsd/krlogind.c
M /trunk/src/appl/bsd/krshd.c
ticket: 1624
Fix krshd and krlogind to use krb5_c_verify_checksum.
------------------------------------------------------------------------
r22154 | hartmans | 2009-04-01 14:25:02 -0400 (Wed, 01 Apr 2009) | 8 lines
Changed paths:
M /trunk/doc/admin.texinfo
M /trunk/src/config-files/krb5.conf.M
M /trunk/src/lib/krb5/krb/mk_req_ext.c
M /trunk/src/lib/krb5/krb/send_tgs.c
ticket: 1624
Target_version: 1.7
tags: pullup
Use the preferred checksum for non-DES keys in the kdc_req path and
all the time in the ap_req checksum path. This breaks code to support
DCE versions prior to 1.1 but uses the correct checksum for protocol
compatibility.
ticket: 1624
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22243 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:07:12 +0000 (20:07 +0000)]
pull up r22152 from trunk
------------------------------------------------------------------------
r22152 | hartmans | 2009-03-31 18:36:03 -0400 (Tue, 31 Mar 2009) | 6 lines
Changed paths:
M /trunk/src/lib/crypto/etypes.c
ticket: 6437
target_version: 1.7
tags: pullup
Subject: mark export grade RC4 as weak
Set the weak enctype flag on the 40-bit RC4.
ticket: 6437
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22242 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:07:03 +0000 (20:07 +0000)]
pull up r22149, r22151, r22153 from trunk
------------------------------------------------------------------------
r22153 | tlyu | 2009-03-31 19:51:48 -0400 (Tue, 31 Mar 2009) | 3 lines
Changed paths:
M /trunk/src/lib/krb5/asn.1/asn1_k_decode.c
M /trunk/src/lib/krb5/asn.1/asn1_k_encode.c
M /trunk/src/lib/krb5/asn.1/krb5_decode.c
M /trunk/src/lib/krb5/asn.1/krb5_encode.c
ticket: 6436
Make FAST changes build when pkinit is disabled.
------------------------------------------------------------------------
r22151 | hartmans | 2009-03-31 18:35:59 -0400 (Tue, 31 Mar 2009) | 3 lines
Changed paths:
M /trunk/src/kdc/do_tgs_req.c
ticket: 6436
Initialize request state in the TGS path.
------------------------------------------------------------------------
r22149 | hartmans | 2009-03-31 13:00:41 -0400 (Tue, 31 Mar 2009) | 8 lines
Changed paths:
M /trunk/src/Makefile.in
M /trunk/src/configure.in
M /trunk/src/include/k5-int-pkinit.h
M /trunk/src/include/k5-int.h
M /trunk/src/include/krb5/krb5.hin
M /trunk/src/include/krb5/preauth_plugin.h
M /trunk/src/kdc/Makefile.in
M /trunk/src/kdc/dispatch.c
M /trunk/src/kdc/do_as_req.c
M /trunk/src/kdc/do_tgs_req.c
A /trunk/src/kdc/fast_util.c
M /trunk/src/kdc/kdc_preauth.c
M /trunk/src/kdc/kdc_util.c
M /trunk/src/kdc/kdc_util.h
M /trunk/src/lib/krb5/asn.1/asn1_k_decode.c
M /trunk/src/lib/krb5/asn.1/asn1_k_decode.h
M /trunk/src/lib/krb5/asn.1/asn1_k_encode.c
M /trunk/src/lib/krb5/asn.1/krb5_decode.c
M /trunk/src/lib/krb5/error_tables/krb5_err.et
M /trunk/src/lib/krb5/error_tables/kv5m_err.et
M /trunk/src/lib/krb5/krb/Makefile.in
A /trunk/src/lib/krb5/krb/fast.c
A /trunk/src/lib/krb5/krb/fast.h
M /trunk/src/lib/krb5/krb/get_in_tkt.c
M /trunk/src/lib/krb5/krb/gic_opt.c
M /trunk/src/lib/krb5/krb/kfree.c
M /trunk/src/lib/krb5/krb/preauth2.c
M /trunk/src/lib/krb5/libkrb5.exports
M /trunk/src/lib/krb5/os/accessor.c
A /trunk/src/plugins/preauth/encrypted_challenge
A /trunk/src/plugins/preauth/encrypted_challenge/Makefile.in (from /trunk/src/plugins/preauth/cksum_body/Makefile.in:22148)
A /trunk/src/plugins/preauth/encrypted_challenge/deps (from /trunk/src/ccapi/test/deps:22148)
A /trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports (from /trunk/src/plugins/preauth/pkinit/pkinit.exports:22148)
A /trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c
A /trunk/src/plugins/preauth/fast_factor.h
ticket: 6436
subject: Implement FAST from draft-ietf-krb-wg-preauth-framework
Target_Version: 1.7
Merge fast branch at 22146 onto trunk
Implement the kerberos pre-authentication framework FAST feature per
Projects/FAST on the wiki.
ticket: 6436
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22241 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:06:58 +0000 (20:06 +0000)]
new copy_data_contents variant that null-terminates
pull up r21893 from trunk
------------------------------------------------------------------------
r21893 | raeburn | 2009-02-05 13:42:10 -0500 (Thu, 05 Feb 2009) | 4 lines
Changed paths:
M /trunk/src/include/k5-int.h
M /trunk/src/lib/kdb/kdb_cpw.c
M /trunk/src/lib/krb5/krb/bld_pr_ext.c
M /trunk/src/lib/krb5/krb/copy_data.c
M /trunk/src/lib/krb5/krb/copy_princ.c
M /trunk/src/lib/krb5/libkrb5.exports
Create and use (in several places) a variant of
krb5int_copy_data_contents that adds a trailing '\0' so the result can
be used as a C string.
ticket: 6467
version_fixed: 1.7
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22240 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:06:55 +0000 (20:06 +0000)]
pull up r22148 from trunk
------------------------------------------------------------------------
r22148 | hartmans | 2009-03-31 12:50:25 -0400 (Tue, 31 Mar 2009) | 4 lines
Changed paths:
M /trunk/src/lib/krb5/krb/send_tgs.c
ticket: 6393
in send_tgs.c:
Encrypt using local_subkey not *subkey
ticket: 6393
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22239 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:06:52 +0000 (20:06 +0000)]
check encode_krb5_ap_req return in send_tgs.c
pull up r22050 from trunk
------------------------------------------------------------------------
r22050 | tsitkova | 2009-02-23 16:26:29 -0500 (Mon, 23 Feb 2009) | 2 lines
Changed paths:
M /trunk/src/lib/krb5/krb/send_tgs.c
Check return code of encode_krb5_ap_req. Also, tabs vs whitespace.
ticket: 6466
tags: pullup
target_version: 1.7
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22238 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:06:49 +0000 (20:06 +0000)]
send_tgs.c static analyzer friendliness
pull up r22002 from trunk
------------------------------------------------------------------------
r22002 | ghudson | 2009-02-13 17:00:47 -0500 (Fri, 13 Feb 2009) | 4 lines
Changed paths:
M /trunk/src/lib/krb5/krb/send_tgs.c
In tgs_construct_tgsreq, free scratch even if scratch->data is NULL.
(Which probably can't happen, but static analyzers don't know that.)
Also protect scratch from being freed before initialization.
ticket: 6465
tags: pullup
target_version: 1.7
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22237 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:06:47 +0000 (20:06 +0000)]
pull up r22044 from trunk
------------------------------------------------------------------------
r22044 | hartmans | 2009-02-23 11:22:47 -0500 (Mon, 23 Feb 2009) | 10 lines
Changed paths:
M /trunk/src/lib/krb5/krb/send_tgs.c
Ticket: 6393
send_tgs.c:
* Move generation of subkey into krb5int_send_tgs from construct_authenticator so that it is available for encrypting authorization data.
* Initialize rep->message_type and note that rep is touched on
unsuccessful calls (this has always been true).
* Do not set *subkey until successful return.
Thanks to Greg Hudson for pointing out these problems.
ticket: 6393
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22236 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:06:44 +0000 (20:06 +0000)]
pull up r22147 from trunk
------------------------------------------------------------------------
r22147 | ghudson | 2009-03-29 22:43:51 -0400 (Sun, 29 Mar 2009) | 5 lines
Changed paths:
M /trunk/README
M /trunk/src/lib/krb5/krb/Makefile.in
M /trunk/src/lib/krb5/krb/deps
A /trunk/src/lib/krb5/krb/t_pac.c
A /trunk/src/lib/krb5/krb/t_princ.c
ticket: 6435
subject: Add PAC and principal parsing test cases
From Heimdal, ported by Luke, further modified by me.
ticket: 6435
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22235 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:06:41 +0000 (20:06 +0000)]
pull up r22114 from trunk
------------------------------------------------------------------------
r22114 | wfiveash | 2009-03-25 17:12:58 -0400 (Wed, 25 Mar 2009) | 9 lines
Changed paths:
M /trunk/src/kadmin/dbutil/kdb5_util.M
Ticket: 6432
Subject: Update kdb5_util man page for mkey migration project
Version_Reported: 1.7
Target_Version: 1.7
Tags: pullup
Updated the kdb5_util command man page to include documentation on new
subcommands added as a result of the Master Key Migration project.
ticket: 6432
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22234 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:06:38 +0000 (20:06 +0000)]
pull up r22113 from trunk
------------------------------------------------------------------------
r22113 | ghudson | 2009-03-24 13:24:31 -0400 (Tue, 24 Mar 2009) | 5 lines
Changed paths:
M /trunk/src/include/k5-int.h
M /trunk/src/plugins/preauth/pkinit/pkinit.h
M /trunk/src/plugins/preauth/pkinit/pkinit_clnt.c
M /trunk/src/plugins/preauth/pkinit/pkinit_matching.c
M /trunk/src/plugins/preauth/pkinit/pkinit_srv.c
Revert r21880 which included k5-int.h in several pkinit source files.
Instead, move the pkinit-specific KRB5_CONF macros to pkinit.h, and
add duplicate definitions of the non-pkinit-specific macros used by
the pkinit code.
ticket: 6397
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22233 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:06:35 +0000 (20:06 +0000)]
pull up r22112 from trunk
------------------------------------------------------------------------
r22112 | ghudson | 2009-03-20 14:09:19 -0400 (Fri, 20 Mar 2009) | 11 lines
Changed paths:
M /trunk/src/config/pre.in
M /trunk/src/include/Makefile.in
M /trunk/src/include/kdb.h
M /trunk/src/lib/kadm5/Makefile.in
M /trunk/src/lib/kadm5/admin.h
ticket: 6431
subject: Install kadmin and kdb headers
tags: pullup
target_version: 1.7
Add disclaimers to the kadmin and kdb headers about the weaker
stability commitments we make for their APIs, and install them for the
benefit of users who can tolerate such instability. (The kadmin
interface is the real goal here, but the kadmin header includes kdb.h
so we need to install both.)
ticket: 6431
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22232 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Apr 2009 20:06:29 +0000 (20:06 +0000)]
pull up r22107 from trunk
------------------------------------------------------------------------
r22107 | ghudson | 2009-03-17 17:54:51 -0400 (Tue, 17 Mar 2009) | 8 lines
Changed paths:
M /trunk/src/lib/krb5/asn.1/asn1_k_decode.c
ticket: 6427
subject: Fix error handling issue in ASN.1 decoder
tags: pullup
target_version: 1.7
In asn1_k_decode.c, check the return value of
end_sequence_of_no_tagvars_helper.
ticket: 6427
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22231 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Apr 2009 21:07:49 +0000 (21:07 +0000)]
verify return code from krb5_db_set_mkey_list
pull up r22100 from trunk
------------------------------------------------------------------------
r22100 | tsitkova | 2009-03-16 14:00:06 -0400 (Mon, 16 Mar 2009) | 2 lines
Changed paths:
M /trunk/src/kdc/kdc_util.c
M /trunk/src/kdc/main.c
Verify return code from krb5_db_set_mkey_list.
ticket: 6464
tags: pullup
target_version: 1.7
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22230 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Apr 2009 21:07:46 +0000 (21:07 +0000)]
pull up r22096, r22097 from trunk
------------------------------------------------------------------------
r22097 | hartmans | 2009-03-16 12:50:30 -0400 (Mon, 16 Mar 2009) | 6 lines
Changed paths:
M /trunk/src/include/k5-int.h
M /trunk/src/lib/krb5/krb/Makefile.in
A /trunk/src/lib/krb5/krb/t_authdata.c
ticket: 6422
Implement tests for authdata functions
Implement some test cases for krb5_merge_authdata and
krb5int_find_authdata
------------------------------------------------------------------------
r22096 | hartmans | 2009-03-16 12:50:26 -0400 (Mon, 16 Mar 2009) | 5 lines
Changed paths:
M /trunk/src/lib/krb5/krb/copy_auth.c
subject: Implement krb5int_find_authdata
ticket: 6422
Implement a function to find all instances of a particular ad_type in
ticket or authenticator authdata.
ticket: 6422
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22229 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Apr 2009 21:07:42 +0000 (21:07 +0000)]
pull up r22094, r22095 from trunk
------------------------------------------------------------------------
r22095 | hartmans | 2009-03-16 12:50:23 -0400 (Mon, 16 Mar 2009) | 7 lines
Changed paths:
M /trunk/src/lib/crypto/Makefile.in
A /trunk/src/lib/crypto/t_cf2.c
A /trunk/src/lib/crypto/t_cf2.comments
A /trunk/src/lib/crypto/t_cf2.expected
A /trunk/src/lib/crypto/t_cf2.in
A /trunk/src/lib/crypto/t_prf.comments
A /trunk/src/lib/crypto/t_prf.expected
A /trunk/src/lib/crypto/t_prf.in
ticket: 6421
Implement test cases for CF2
Implement a simple program to call KRB-FX-CF2 and print the resulting
keys. Add to regression tests. Also, use the PRF testing application
to confirm that CF2 generates consistent keys if called by hand.
------------------------------------------------------------------------
r22094 | hartmans | 2009-03-16 12:50:09 -0400 (Mon, 16 Mar 2009) | 6 lines
Changed paths:
M /trunk/src/include/krb5/krb5.hin
M /trunk/src/lib/crypto/Makefile.in
A /trunk/src/lib/crypto/cf2.c
M /trunk/src/lib/crypto/etypes.h
M /trunk/src/lib/crypto/libk5crypto.exports
ticket: 6421
Subject: Implement KRB-FX-CF2
Draft-ietf-krb-wg-preauth-framework defines a function KRB-FX-CF2 that
combines two keys of arbitrary enctype. Implement this function as an
exported API.
ticket: 6421
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22228 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Apr 2009 21:07:39 +0000 (21:07 +0000)]
pull up r22093 from trunk
------------------------------------------------------------------------
r22093 | hartmans | 2009-03-16 12:50:04 -0400 (Mon, 16 Mar 2009) | 7 lines
Changed paths:
M /trunk/src/kdc/kdc_util.c
M /trunk/src/kdc/main.c
ticket: 6424
Subject: Call kdb_set_mkey_list from the KDC
Target_version: 1.7
tags: pullup
In order for the kdb keytab to be used from within the KDC, the KDC
needs to set the master key list in the context.
ticket: 6424
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22227 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Apr 2009 21:07:37 +0000 (21:07 +0000)]
pull up r22092 from trunk
------------------------------------------------------------------------
r22092 | hartmans | 2009-03-16 12:49:59 -0400 (Mon, 16 Mar 2009) | 4 lines
Changed paths:
M /trunk/src/lib/krb5/krb/auth_con.c
ticket: 6423
Subject: krb5_auth_con_free should support freeing a null auth_context without segfault.
If the input auth_con is NULL, return success.
ticket: 6423
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22226 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Apr 2009 21:07:34 +0000 (21:07 +0000)]
pull up r22090 from trunk
------------------------------------------------------------------------
r22090 | ghudson | 2009-03-15 00:21:12 -0400 (Sun, 15 Mar 2009) | 10 lines
Changed paths:
M /trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
M /trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
M /trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
M /trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
ticket: 6420
subject: Add LDAP back end support for canonical name attribute
tags: pullup
target_version: 1.7
Add a krbCanonicalName attribute to the schema. When looking up a
principal, if the canonical name is set and does not match the
requested name, then return the entry only if canonicalization was
requested, and use the entry's canonical name.
ticket: 6420
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22225 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Apr 2009 21:07:31 +0000 (21:07 +0000)]
pull up r22089 from trunk
------------------------------------------------------------------------
r22089 | ghudson | 2009-03-15 00:15:16 -0400 (Sun, 15 Mar 2009) | 9 lines
Changed paths:
M /trunk/doc/admin.texinfo
ticket: 6419
subject: Document alias support in LDAP back end
tags: pullup
target_version: 1.7
Add a few paragraphs to the LDAP instructions on creating aliases
through direct manipulation of the LDAP data, and briefly explain when
aliases will be used.
ticket: 6419
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22224 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Apr 2009 21:07:28 +0000 (21:07 +0000)]
pull up r22088 from trunk
------------------------------------------------------------------------
r22088 | ghudson | 2009-03-14 01:46:18 -0400 (Sat, 14 Mar 2009) | 15 lines
Changed paths:
M /trunk/doc/admin.texinfo
ticket: 6418
subject: Improve LDAP admin documentation
target_version: 1.7
tags: pullup
Use dc=example,dc=com as the example base DN instead of more archaic
forms. Provide a little more cross-referencing of concepts and
mechanisms. Add additional steps in the OpenLDAP setup instructions
for choosing DNs for the Kerberos container, KDC service, and kadmin
service. Explain a little bit about what the Kerberos container and
realm container are. Be clearer that using separate subtrees from the
realm container for principals is an option, not a necessity, and
don't use the base DN as an example of a separate subtree (it's
confusing).
ticket: 6418
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22223 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Apr 2009 21:07:26 +0000 (21:07 +0000)]
pull up r22173 from trunk
------------------------------------------------------------------------
r22173 | tlyu | 2009-04-07 17:22:13 -0400 (Tue, 07 Apr 2009) | 4 lines
Changed paths:
M /trunk/src/lib/gssapi/spnego/spnego_mech.c
ticket: 6417
Apply revised patch from Apple that ensures that a REJECT token is
sent on error.
ticket: 6417
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22222 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Apr 2009 21:07:24 +0000 (21:07 +0000)]
pull up r22083 from trunk
------------------------------------------------------------------------
r22083 | ghudson | 2009-03-12 23:10:12 -0400 (Thu, 12 Mar 2009) | 9 lines
Changed paths:
M /trunk/src/lib/krb5/krb/get_in_tkt.c
ticket: 6415
subject: Use correct salt for canonicalized principals
target_version: 1.7
tags: pullup
In cases where the salt is derived from the client principal, use the
canonicalized principal received from the KDC to determine the salt.
Further changes are probably required for some preauth cases.
ticket: 6415
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22221 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Apr 2009 21:07:21 +0000 (21:07 +0000)]
pull up r22081, r22082 from trunk
------------------------------------------------------------------------
r22082 | raeburn | 2009-03-12 18:06:35 -0400 (Thu, 12 Mar 2009) | 6 lines
Changed paths:
M /trunk/src/lib/gssapi/krb5/k5sealv3iov.c
ticket: 6412
tags: pullup
Better fix: Delay setting 'outbuf' until after the header buffer might
have been allocated locally, and set it in both code paths instead of
just the confidentiality-requested code path.
------------------------------------------------------------------------
r22081 | raeburn | 2009-03-12 12:48:15 -0400 (Thu, 12 Mar 2009) | 7 lines
Changed paths:
M /trunk/src/lib/gssapi/krb5/k5sealv3iov.c
ticket: 6412
subject: crash using library-allocated storage for header in wrap_iov
target_version: 1.7
tags: pullup
When allocating storage for the header buffer, update the internal
output buffer pointer as well.
ticket: 6412
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22220 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Apr 2009 21:07:18 +0000 (21:07 +0000)]
pull up r22079 from trunk
------------------------------------------------------------------------
r22079 | ghudson | 2009-03-11 18:14:24 -0400 (Wed, 11 Mar 2009) | 13 lines
Changed paths:
M /trunk/src/kdc/do_tgs_req.c
M /trunk/src/kdc/kdc_preauth.c
M /trunk/src/kdc/kdc_util.h
M /trunk/src/kdc/main.c
M /trunk/src/kdc/network.c
ticket: 6408
subject: Report verbose error messages from KDC
target_version: 1.7
tags: pullup
We were losing verbose error messages when logging from the KDC because
the context passed to krb5_klog_init did not match the realm-specific
context used for most library function calls. Introduce a wrapper
function kdc_err which copies the error state from the call context
to the log context. The wrapper function also knows the program name,
which removes the need to pass argv[0] around everywhere or make up
program names.
ticket: 6408
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22219 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Apr 2009 21:07:15 +0000 (21:07 +0000)]
pull up r22078 from trunk
------------------------------------------------------------------------
r22078 | ghudson | 2009-03-11 18:11:06 -0400 (Wed, 11 Mar 2009) | 9 lines
Changed paths:
M /trunk/src/include/k5-int.h
M /trunk/src/include/krb5/krb5.hin
M /trunk/src/lib/krb5/krb/kerrs.c
M /trunk/src/lib/krb5/libkrb5.exports
ticket: 6407
subject: Make a working krb5_copy_error_message
target_version: 1.7
tags: pullup
The krb5_copy_error_state macro wasn't used, didn't work, and didn't
need to be a macro. Replace it with an exported API function named
krb5_copy_error_message.
ticket: 6407
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22218 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Apr 2009 21:07:13 +0000 (21:07 +0000)]
pull up r22073 from trunk
------------------------------------------------------------------------
r22073 | wfiveash | 2009-03-10 16:26:24 -0400 (Tue, 10 Mar 2009) | 5 lines
Changed paths:
M /trunk/src/kadmin/dbutil/kdb5_mkey.c
M /trunk/src/lib/kdb/kdb5.c
M /trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c
ticket: 6405
Tags: pullup
Several small fixes to enable the migrate mkey commands to work properly with a LDAP KDB. See the ticket for more details.
ticket: 6405
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22217 dc483132-0cff-0310-8789-dd5450dbe970