krb5.git
14 years ago Fix svn:eol-style properties
Tom Yu [Fri, 3 Dec 2010 00:24:15 +0000 (00:24 +0000)]
Fix svn:eol-style properties

ticket: 6826
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24554 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24469, r24530, r24533, r24534, r24535, r24537 from trunk
Tom Yu [Fri, 3 Dec 2010 00:05:44 +0000 (00:05 +0000)]
pull up r24469, r24530, r24533, r24534, r24535, r24537 from trunk

 ------------------------------------------------------------------------
 r24537 | ghudson | 2010-11-30 12:46:10 -0500 (Tue, 30 Nov 2010) | 5 lines

 ticket: 6826

 Install gssapi_ext.h on Windows.  Include gssapi_ext.h in the header
 files considered by def-check.pl in verify-calling-conventions-gssapi.

 ------------------------------------------------------------------------
 r24535 | ghudson | 2010-11-26 11:37:14 -0500 (Fri, 26 Nov 2010) | 5 lines

 ticket: 6826

 Supply static ordinals for new symbols in gssapi32.def and krb5_32.def,
 for consistency with KFW 3.x.

 ------------------------------------------------------------------------
 r24534 | ghudson | 2010-11-25 15:34:06 -0500 (Thu, 25 Nov 2010) | 5 lines

 ticket: 6826

 Fix how gssapi.h is rebuilt on Windows; accidentally omitted from
 r24533.

 ------------------------------------------------------------------------
 r24533 | ghudson | 2010-11-25 15:28:30 -0500 (Thu, 25 Nov 2010) | 29 lines

 ticket: 6826
 subject: Fix Windows build
 target_version: 1.9
 tags: pullup

 Repair the Windows build.  Tested with the prepare-on-Unix method.
 Some specific changes include:

 * Removed the IPC finalizer (no longer used after r20787) from
   ccapi/lib/ccapi_ipc.c, as it was creating a difficult dependency
   chain for the pingtest build in ccapi/test.  Also updated pingtest
   to use the k5_ipc_stream interfaces since cci_stream is gone.

 * Reverted the apparently non-functional r20277.

 * klist -V prints just "Kerberos for Windows", since it has no access
   to PACKAGE_NAME and PACKAGE_VERSION from autoconf.  This should be
   addressed correctly.

 * krb5, telnet, gssftp, and NIM are removed from the build.

 * Some files had CRLFs; these were replaced with LFs and the
   svn:eol-style property set on the files.  Otherwise the CRLFs became
   CRCRLFs after the zip transfer.

 * Windows does not have opendir/readdir, so added Windows code to
   prof_parse.c for includedir.  Probable fodder for a libkrb5support
   portability shim.

 ------------------------------------------------------------------------
 r24530 | ghudson | 2010-11-23 13:50:12 -0500 (Tue, 23 Nov 2010) | 3 lines

 Set svn:eol-style on some Windows files and remove the CRs from their
 repository representations.

 ------------------------------------------------------------------------
 r24469 | ghudson | 2010-10-21 20:01:56 -0400 (Thu, 21 Oct 2010) | 3 lines

 Make it possible to override CRYPTO_IMPL_CFLAGS and CRYPTO_IMPL_LIBS at
 make time.

ticket: 6826
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24553 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24550 from trunk
Tom Yu [Wed, 1 Dec 2010 23:11:50 +0000 (23:11 +0000)]
pull up r24550 from trunk

 ------------------------------------------------------------------------
 r24550 | ghudson | 2010-12-01 17:36:38 -0500 (Wed, 01 Dec 2010) | 4 lines

 ticket: 6829

 Correct typo in admin documentation for restrict_anonymous_to_tgt.

ticket: 6829
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24552 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24539 from trunk
Tom Yu [Wed, 1 Dec 2010 23:11:46 +0000 (23:11 +0000)]
pull up r24539 from trunk

 ------------------------------------------------------------------------
 r24539 | hartmans | 2010-11-30 17:46:54 -0500 (Tue, 30 Nov 2010) | 7 lines

 ticket: 6828
 Subject: Install kadm5_hook_plugin.h
 target_version: 1.9
 tags: pullup

 Install the kadm5 hook plugin header

ticket: 6828
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24551 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24547 from trunk
Tom Yu [Wed, 1 Dec 2010 21:37:25 +0000 (21:37 +0000)]
pull up r24547 from trunk

 ------------------------------------------------------------------------
 r24547 | ghudson | 2010-12-01 15:01:46 -0500 (Wed, 01 Dec 2010) | 10 lines

 ticket: 6829
 subject: Implement restrict_anonymous_to_tgt realm flag
 target_version: 1.9
 tags: pullup

 Implement a new realm flag to reject ticket requests from anonymous
 principals to any principal other than the local TGT.  Allows FAST to
 be deployed using anonymous tickets as armor in realms where the set
 of authenticatable users must be constrained.

ticket: 6829
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24549 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Apply ported patch
Tom Yu [Wed, 1 Dec 2010 20:49:06 +0000 (20:49 +0000)]
Apply ported patch

 If kdb5_util load (without -update) fails--say, due to an invalid dump
 file--it calls krb5_db_destroy to destroy the temporary DB.
 Unfortunately, this results in the destruction of the real DB instead.

 Luckily, this bug only applies to krb5 1.9, which hasn't been released
 yet.  In krb5 1.8 the destroy operation fails before it does any damage.

ticket: 6815
version_fixed: 1.9

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24548 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24529, r24532 from trunk
Tom Yu [Wed, 1 Dec 2010 02:16:37 +0000 (02:16 +0000)]
pull up r24529, r24532 from trunk

 ------------------------------------------------------------------------
 r24532 | tlyu | 2010-11-23 18:51:50 -0500 (Tue, 23 Nov 2010) | 6 lines

 ticket: 6825

 Update krb5_gic_opt_private and related code to reflect the change of
 krb5_expire_callback_func from a function typedef to a function
 pointer typedef.  This was causing segfaults.

 ------------------------------------------------------------------------
 r24529 | ghudson | 2010-11-22 23:50:40 -0500 (Mon, 22 Nov 2010) | 9 lines

 ticket: 6825
 subject: Add missing KRB5_CALLCONV in callback declaration
 target_version: 1.9
 tags: pullup

 krb5_get_init_creds_opt_set_expire_callback was correctly tagged with
 KRB5_CALLCONV but the corresponding callback type was not.  Add that
 in.

ticket: 6825
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24546 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24528 from trunk
Tom Yu [Wed, 1 Dec 2010 02:16:31 +0000 (02:16 +0000)]
pull up r24528 from trunk

 ------------------------------------------------------------------------
 r24528 | ghudson | 2010-11-22 23:41:08 -0500 (Mon, 22 Nov 2010) | 7 lines

 ticket: 6824
 subject: Export krb5_tkt_creds_get
 target_version: 1.9
 tags: pullup

 krb5_tkt_creds_get was overlooked in the export list; add it.

ticket: 6824
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24545 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24526, r24527 from trunk
Tom Yu [Wed, 1 Dec 2010 02:16:25 +0000 (02:16 +0000)]
pull up r24526, r24527 from trunk

 ------------------------------------------------------------------------
 r24527 | ghudson | 2010-11-21 22:58:15 -0500 (Sun, 21 Nov 2010) | 4 lines

 ticket: 6823

 Correct typo in r24526.

 ------------------------------------------------------------------------
 r24526 | hartmans | 2010-11-21 22:33:22 -0500 (Sun, 21 Nov 2010) | 9 lines

 ticket: 6823
 subject: getdate.y: declare yyparse
 target_version: 1.9
 tags: pullup

 At least on lucid, byacc doesn't declare yyparse, which creates
 problems because lucid treats calls to unprototyped functions as
 errors.

ticket: 6823
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24544 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24524 from trunk
Tom Yu [Wed, 1 Dec 2010 02:16:14 +0000 (02:16 +0000)]
pull up r24524 from trunk

 ------------------------------------------------------------------------
 r24524 | ghudson | 2010-11-19 19:31:46 -0500 (Fri, 19 Nov 2010) | 8 lines

 ticket: 6822
 subject: Implement Camellia-CTS-CMAC instead of Camellia-CCM
 target_verion: 1.9
 tags: pullup

 Replace the Camellia-CCM enctypes with Camellia-CTS-CMAC.  Still not
 compiled in by default since we don't have enctype assignments yet.

ticket: 6822
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24543 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24519 from trunk
Tom Yu [Wed, 1 Dec 2010 02:16:04 +0000 (02:16 +0000)]
pull up r24519 from trunk

 ------------------------------------------------------------------------
 r24519 | ghudson | 2010-11-15 21:54:26 -0500 (Mon, 15 Nov 2010) | 8 lines

 ticket: 6820
 subject: Read KDC profile settings in kpropd
 target_version: 1.9
 tags: pullup

 kpropd can modify the KDB with ulog_replay(), so it should read the
 KDC profile settings in case the KDB configuration is in there.

ticket: 6820
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24542 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24518 from trunk
Tom Yu [Wed, 1 Dec 2010 02:15:55 +0000 (02:15 +0000)]
pull up r24518 from trunk

 ------------------------------------------------------------------------
 r24518 | ghudson | 2010-11-15 21:30:16 -0500 (Mon, 15 Nov 2010) | 12 lines

 ticket: 6819
 subject: Handle referral realm in kprop client principal
 target_version: 1.9
 tags: pullup

 kprop uses krb5_sname_to_principal() to determine its client
 principal.  If the local hostname cannot be mapped to a realm based on
 the profile's domain_realm section, krb5_sname_to_principal() will (as
 of 1.6) return a principal with the referral realm (""), which does
 not work in a client principal.  Handle this by substituting the
 default realm.

ticket: 6819
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24541 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24538 from trunk
Tom Yu [Wed, 1 Dec 2010 02:15:45 +0000 (02:15 +0000)]
pull up r24538 from trunk

 ------------------------------------------------------------------------
 r24538 | ghudson | 2010-11-30 16:20:49 -0500 (Tue, 30 Nov 2010) | 27 lines

 ticket: 6827
 subject: SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)

 Fix multiple checksum handling bugs, as described in:
   CVE-2010-1324
   CVE-2010-1323
   CVE-2010-4020
   CVE-2010-4021

 * Return the correct (keyed) checksums as the mandatory checksum type
   for DES enctypes.
 * Restrict simplified-profile checksums to their corresponding etypes.
 * Add internal checks to reduce the risk of stream ciphers being used
   with simplified-profile key derivation or other algorithms relying
   on the block encryption primitive.
 * Use the mandatory checksum type for the PKINIT KDC signature,
   instead of the first-listed keyed checksum.
 * Use the mandatory checksum type when sending KRB-SAFE messages by
   default, instead of the first-listed keyed checksum.
 * Use the mandatory checksum type for the t_kperf test program.
 * Use the mandatory checksum type (without additional logic) for the
   FAST request checksum.
 * Preserve the existing checksum choices (unkeyed checksums for DES
   enctypes) for the authenticator checksum, using explicit logic.
 * Ensure that SAM checksums received from the KDC are keyed.
 * Ensure that PAC checksums are keyed.

ticket: 6827
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24540 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago krb5-1.9-beta1-postrelease
Tom Yu [Tue, 2 Nov 2010 02:07:42 +0000 (02:07 +0000)]
krb5-1.9-beta1-postrelease

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24504 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago README and patchlevel.h for krb5-1.9-beta1
Tom Yu [Tue, 2 Nov 2010 02:06:23 +0000 (02:06 +0000)]
README and patchlevel.h for krb5-1.9-beta1

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24502 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24488 from trunk
Tom Yu [Mon, 1 Nov 2010 20:36:48 +0000 (20:36 +0000)]
pull up r24488 from trunk

 ------------------------------------------------------------------------
 r24488 | ghudson | 2010-10-27 13:05:05 -0400 (Wed, 27 Oct 2010) | 5 lines

 ticket: 6812

 Don't fail out from krb5_get_credentials() if we can't store a ticket
 into the ccache.

ticket: 6812
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24501 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24486 from trunk
Tom Yu [Mon, 1 Nov 2010 20:36:43 +0000 (20:36 +0000)]
pull up r24486 from trunk

 ------------------------------------------------------------------------
 r24486 | ghudson | 2010-10-26 13:34:41 -0400 (Tue, 26 Oct 2010) | 8 lines

 ticket: 6811
 subject: Mark Camellia-CCM code as experimental
 target_version: 1.9
 tags: pullup

 Add a comment noting that the Camellia-CCM code in 1.9 is
 experimental.

ticket: 6811
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24500 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24481 from trunk
Tom Yu [Mon, 1 Nov 2010 20:36:37 +0000 (20:36 +0000)]
pull up r24481 from trunk

 ------------------------------------------------------------------------
 r24481 | ghudson | 2010-10-25 16:17:54 -0400 (Mon, 25 Oct 2010) | 7 lines

 ticket: 6796
 target_version: 1.9
 tags: pullup

 Use safer output parameter handling in
 krb5_gss_acquire_cred_impersonate_name and its subsidiary helpers.

ticket: 6796
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24499 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24483 from trunk
Tom Yu [Mon, 1 Nov 2010 20:36:33 +0000 (20:36 +0000)]
pull up r24483 from trunk

 ------------------------------------------------------------------------
 r24483 | ghudson | 2010-10-26 10:17:38 -0400 (Tue, 26 Oct 2010) | 8 lines

 ticket: 6809
 target_version: 1.9
 tags: pullup

 Set *conf_state on successful return from
 gss_krb5int_make_seal_token_v3_iov, fixing a case where it wasn't
 always set by gss_wrap_iov.  Patch from aberry@likewise.com.

ticket: 6809
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24498 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24482 from trunk
Tom Yu [Mon, 1 Nov 2010 20:36:28 +0000 (20:36 +0000)]
pull up r24482 from trunk

 ------------------------------------------------------------------------
 r24482 | ghudson | 2010-10-25 17:55:54 -0400 (Mon, 25 Oct 2010) | 8 lines

 ticket: 6787
 target_version: 1.9
 tags: pullup

 When we create a temporary memory ccache for use within a
 krb5_gss_cred_id_rec, set a flag to indicate that the ccache should be
 destroyed rather than closed.  Patch from aberry@likewise.com.

ticket: 6787
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24497 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24480 from trunk
Tom Yu [Mon, 1 Nov 2010 20:36:22 +0000 (20:36 +0000)]
pull up r24480 from trunk

 ------------------------------------------------------------------------
 r24480 | ghudson | 2010-10-25 15:37:03 -0400 (Mon, 25 Oct 2010) | 8 lines

 ticket: 6793
 target_version: 1.9
 tags: pullup

 In acquire_init_cred in the GSS krb5 mech, don't intern cred->name,
 since it's not used as an output parameter.  Fixes a memory leak.
 Reported by aberry@likewise.com.

ticket: 6793
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24496 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24470 from trunk
Tom Yu [Mon, 1 Nov 2010 20:36:17 +0000 (20:36 +0000)]
pull up r24470 from trunk

 ------------------------------------------------------------------------
 r24470 | ghudson | 2010-10-22 20:38:17 -0400 (Fri, 22 Oct 2010) | 10 lines

 ticket: 6810
 subject: Better libk5crypto NSS fork safety
 target_version: 1.9
 tags: pullup

 Use SECMOD_RestartModules() from the forthcoming NSS 3.12.9 release to
 make the libk5crypto back end work after a fork.  Add a test program
 to exercise fork detection in the NSS back end.  Add a configure-time
 version check to ensure that we're using NSS 3.12.9 or later.

ticket: 6810
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24495 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24467 from trunk
Tom Yu [Mon, 1 Nov 2010 19:49:44 +0000 (19:49 +0000)]
pull up r24467 from trunk

 ------------------------------------------------------------------------
 r24467 | hartmans | 2010-10-19 15:50:48 -0400 (Tue, 19 Oct 2010) | 8 lines

 ticket: 6807
 subject: SecurID build support
 target_version: 1.9
 tags: pullup

 Integrate SecurID into the build if libaceclnt is found.
 Add a README file with an example of how to build it.

ticket: 6807
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24494 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24466 from trunk
Tom Yu [Mon, 1 Nov 2010 19:49:40 +0000 (19:49 +0000)]
pull up r24466 from trunk

 ------------------------------------------------------------------------
 r24466 | hartmans | 2010-10-19 15:50:42 -0400 (Tue, 19 Oct 2010) | 8 lines

 ticket: 6806
 subject: securID error handling fix
 target_version: 1.9
 tags: pullup

 In porting forward, I incorrectly used krb5_set_error_message instead of com_err.
 This commit reverts that change.

ticket: 6806
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24493 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24465 from trunk
Tom Yu [Mon, 1 Nov 2010 19:49:36 +0000 (19:49 +0000)]
pull up r24465 from trunk

 ------------------------------------------------------------------------
 r24465 | hartmans | 2010-10-19 15:50:37 -0400 (Tue, 19 Oct 2010) | 19 lines

 ticket: 6805
 subject: securID code fixes
 target_version: 1.9
 tags: pullup

 Fixes to get securID preauth plugin working. A separate patch will
 address error handling and build issues.

 * Permit a preauth plugin to return KRB5KDC_ERR_PREAUTH_REQUIRED from
   the verify entry point.

 * If verify_securid2 fails, save the return value and return that
   rather than success after dealing with encoding the out_edata

 * Use the client key not the securid principal key for the sam
   checksum

 * indicate that securID is hardware authentication

ticket: 6805
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24492 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24464 from trunk
Tom Yu [Mon, 1 Nov 2010 19:49:29 +0000 (19:49 +0000)]
pull up r24464 from trunk

 ------------------------------------------------------------------------
 r24464 | ghudson | 2010-10-19 15:08:38 -0400 (Tue, 19 Oct 2010) | 9 lines

 ticket: 6804
 subject: Remove KDC replay cache
 target_version: 1.9
 tags: pullup

 Now that SAM1 support has been removed, the KDC does not need a replay
 cache.  Remove all code within USE_RCACHE and associated support.
 Rename --disable-kdc-replay-cache to --disable-kdc-lookaside-cache.

ticket: 6804
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24491 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Update README and patchlevel.h
Tom Yu [Mon, 1 Nov 2010 19:21:45 +0000 (19:21 +0000)]
Update README and patchlevel.h

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24490 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24462 from trunk
Tom Yu [Mon, 18 Oct 2010 23:28:46 +0000 (23:28 +0000)]
pull up r24462 from trunk

 ------------------------------------------------------------------------
 r24462 | tlyu | 2010-10-18 18:52:28 -0400 (Mon, 18 Oct 2010) | 5 lines

 ticket: 6802

 Adjust copyright.texinfo to fix some TeX output issues.  Also do minor
 cleanup.

ticket: 6802

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24463 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24455 from trunk
Tom Yu [Fri, 15 Oct 2010 20:42:30 +0000 (20:42 +0000)]
pull up r24455 from trunk

 ------------------------------------------------------------------------
 r24455 | tlyu | 2010-10-14 18:49:11 -0400 (Thu, 14 Oct 2010) | 9 lines

 ticket: 6802
 tags: pullup
 subject: copyright notice updates
 target_version: 1.9

 Update copyright.texinfo.  Move full copyright notices to appendices
 of documentation.  New rules to generate top-level NOTICE file from
 copyright.texinfo.  Regenerate NOTICE file.

ticket: 6802
version_fixed: 1.9

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24457 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago pull up r24452, r24453, r24454 from trunk
Tom Yu [Fri, 15 Oct 2010 20:42:23 +0000 (20:42 +0000)]
pull up r24452, r24453, r24454 from trunk

 ------------------------------------------------------------------------
 r24454 | ghudson | 2010-10-13 13:20:36 -0400 (Wed, 13 Oct 2010) | 2 lines

 Whitespace.

 ------------------------------------------------------------------------
 r24453 | hartmans | 2010-10-12 21:19:20 -0400 (Tue, 12 Oct 2010) | 2 lines

 Adjust valgrind support to assume a modern valgrind that requires %p in log files.

 ------------------------------------------------------------------------
 r24452 | hartmans | 2010-10-12 21:19:14 -0400 (Tue, 12 Oct 2010) | 14 lines

 ticket: 6801
 target_version: 1.9
 Subject: Fix leaks in get_init_creds interface

 In Debian Bug 598032, Bastian Blank points out that there are two
 leaks in the get_init_creds interface:

 * Free ctx->request->padata after sending the KDC request so it is not
 overwritten the next time around the loop.

 * If options is NULL passed into krb5_get_init_creds_init, then set up
 a non-extended options structure so that krb5_get_init_creds_free will
 free the options.

ticket: 6801
version_fixed: 1.9

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24456 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago branch krb5-1-9
Tom Yu [Mon, 11 Oct 2010 21:38:39 +0000 (21:38 +0000)]
branch krb5-1-9

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24450 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Interim update of README and NOTICE
Tom Yu [Mon, 11 Oct 2010 21:37:16 +0000 (21:37 +0000)]
Interim update of README and NOTICE

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24449 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago When returning KRB5_KT_NOTFOUND from krb5_ktfile_get_entry, set an
Greg Hudson [Mon, 11 Oct 2010 16:43:42 +0000 (16:43 +0000)]
When returning KRB5_KT_NOTFOUND from krb5_ktfile_get_entry, set an
extended error message indicating which principal was not found.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24448 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Plug a memory leak in gss_indicate_mechs
Greg Hudson [Sat, 9 Oct 2010 11:46:53 +0000 (11:46 +0000)]
Plug a memory leak in gss_indicate_mechs

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24447 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Encoding cleanup: curly quotes to ASCII quotes, and some ISO-8859-1
Tom Yu [Fri, 8 Oct 2010 18:40:13 +0000 (18:40 +0000)]
Encoding cleanup: curly quotes to ASCII quotes, and some ISO-8859-1
files to UTF-8.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24446 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago In gss_indicate_mechs, avoid setting the output pointer until success
Greg Hudson [Fri, 8 Oct 2010 15:25:13 +0000 (15:25 +0000)]
In gss_indicate_mechs, avoid setting the output pointer until success
is guaranteed.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24445 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago In gss_inquire_attrs_for_mech, remove the assumption that mech_attrs
Greg Hudson [Fri, 8 Oct 2010 14:57:58 +0000 (14:57 +0000)]
In gss_inquire_attrs_for_mech, remove the assumption that mech_attrs
!= NULL in a particular error case.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24444 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Remove duplicate code block in spnego_gss_set_cred_option()
Greg Hudson [Fri, 8 Oct 2010 14:55:06 +0000 (14:55 +0000)]
Remove duplicate code block in spnego_gss_set_cred_option()

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24443 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Add a kadm5 RPC for purging old keys from the KDB (e.g., from
Tom Yu [Fri, 8 Oct 2010 03:57:28 +0000 (03:57 +0000)]
Add a kadm5 RPC for purging old keys from the KDB (e.g., from
change_password -keepold), and add a kadmin CLI command for it.

Keeping ticket open because an automated test needs to be added.

Long-term future work includes start/expire dates on keys, or
not-yet-valid flags.

ticket: 1219
status: open
target_version: 1.9

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24442 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Fix a typo in kerberos.ldif.  Reported by nalin@redhat.com
Greg Hudson [Thu, 7 Oct 2010 17:50:06 +0000 (17:50 +0000)]
Fix a typo in kerberos.ldif.  Reported by nalin@redhat.com

ticket: 6701
target_version: 1.8.4
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24441 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Performance issue in LDAP policy fetch
Greg Hudson [Thu, 7 Oct 2010 17:49:44 +0000 (17:49 +0000)]
Performance issue in LDAP policy fetch

Instead of performing a tree search to fill in the refcnt field of a
policy object whenever a policy is fetched, set the refcnt to 0 and
perform a check when policies are deleted.

ticket: 6799

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24440 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago set NT-SRV-INST on TGS principal names
Tom Yu [Wed, 6 Oct 2010 23:57:37 +0000 (23:57 +0000)]
set NT-SRV-INST on TGS principal names

Set NT-SRV-INST on TGS principal names in
get_in_tkt.c:build_in_tkt_name because Windows Server 2008 R2 RODC
insists on it.

Thanks to Bill Fellows for reporting this problem.

ticket: 6798
tags: pullup
target_version: 1.8.4

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24438 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Correct a miscarriage of justice committed by the style police
Greg Hudson [Wed, 6 Oct 2010 22:20:34 +0000 (22:20 +0000)]
Correct a miscarriage of justice committed by the style police

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24437 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Merge users/lhoward/sasl-gs2 to trunk
Greg Hudson [Wed, 6 Oct 2010 18:25:04 +0000 (18:25 +0000)]
Merge users/lhoward/sasl-gs2 to trunk

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24436 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Minor comment-related changes.
Zhanna Tsitkov [Wed, 6 Oct 2010 03:00:03 +0000 (03:00 +0000)]
Minor comment-related changes.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24433 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Adjust prototype files for easier extraction of copyright/license
Greg Hudson [Wed, 6 Oct 2010 01:37:24 +0000 (01:37 +0000)]
Adjust prototype files for easier extraction of copyright/license
statements, per mailing list discussion.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24432 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Document that krb5_get_error_message() never returns NULL
Greg Hudson [Tue, 5 Oct 2010 21:44:14 +0000 (21:44 +0000)]
Document that krb5_get_error_message() never returns NULL

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24430 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago CVE-2010-1322 KDC uninitialized pointer crash in authorization data handling (MITKRB5...
Tom Yu [Tue, 5 Oct 2010 21:05:19 +0000 (21:05 +0000)]
CVE-2010-1322 KDC uninitialized pointer crash in authorization data handling (MITKRB5-SA-2010-006)

When the KDC receives certain TGS-REQ messages, it may dereference an
uninitialized pointer while processing authorization data, causing a
crash, or in rare cases, unauthorized information disclosure, ticket
modification, or execution of arbitrary code.  The crash may be
triggered by legitimate requests.

Correctly implement the filtering of authorization data items to avoid
leaving uninitialized pointers when omitting items.

ticket: 6797
tags: pullup
target_version: 1.8.4

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24429 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Add RUN_SETUP so make check works by setting the proper LD_LIBRARY_PATH
Ezra Peisach [Tue, 5 Oct 2010 19:59:49 +0000 (19:59 +0000)]
Add RUN_SETUP so make check works by setting the proper LD_LIBRARY_PATH

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24428 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Fix the NSS PRNG build.  Fix the build for non-gmake make.  Revert a
Greg Hudson [Tue, 5 Oct 2010 19:44:26 +0000 (19:44 +0000)]
Fix the NSS PRNG build.  Fix the build for non-gmake make.  Revert a
no longer necessary change to lib/crypto/krb/Makefile.in.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24427 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Constify the name field of a kadm5_hook vtable, since it holds a
Greg Hudson [Tue, 5 Oct 2010 16:39:59 +0000 (16:39 +0000)]
Constify the name field of a kadm5_hook vtable, since it holds a
string literal.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24426 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Add a name field to the pwqual plugin vtable and log pwqual module
Greg Hudson [Tue, 5 Oct 2010 16:00:23 +0000 (16:00 +0000)]
Add a name field to the pwqual plugin vtable and log pwqual module
rejections.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24425 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Propagate modprinc -unlock from master to slave KDCs
Greg Hudson [Tue, 5 Oct 2010 14:53:09 +0000 (14:53 +0000)]
Propagate modprinc -unlock from master to slave KDCs

Create a new tl-data type to hold the time of the last administrative
unlock, and factor it into decisions about account lockout.  Since
tl-data values are propagated from master to slave, this will cause
modprinc -unlock operations to reach slave KDCs on the next
propagation.

ticket: 6795

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24424 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Add additional NRL copyright
Sam Hartman [Tue, 5 Oct 2010 13:57:27 +0000 (13:57 +0000)]
Add additional NRL copyright

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24423 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Document kadm5_hook interface
Sam Hartman [Tue, 5 Oct 2010 13:57:23 +0000 (13:57 +0000)]
Document kadm5_hook interface

* krb5.conf
* admin.texinfo
* kadm5_hook_plugin.h: document initvt requirement

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24422 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Some missed files needed for rev #24420
Zhanna Tsitkov [Tue, 5 Oct 2010 03:29:35 +0000 (03:29 +0000)]
Some missed files needed for rev #24420

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24421 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Improves prng code modularity. Introduces fortuna-like prng that can be used in lieu...
Zhanna Tsitkov [Tue, 5 Oct 2010 03:18:22 +0000 (03:18 +0000)]
Improves prng code modularity. Introduces fortuna-like prng that can be used in lieu of yarrow.
Yarrow stays the default prng while fortuna may be engaged during configuration by using "--with-prng-alg=fortuna" flag.
Also, nss crypto backend continues to use its own prng.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24420 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Add mit_afs_string_to_key declaration
Zhanna Tsitkov [Tue, 5 Oct 2010 03:01:01 +0000 (03:01 +0000)]
Add mit_afs_string_to_key declaration

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24419 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Add a missing prototype which was breaking the crypto build with the
Greg Hudson [Tue, 5 Oct 2010 00:16:10 +0000 (00:16 +0000)]
Add a missing prototype which was breaking the crypto build with the
NSS back end after r24409.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24418 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Protoize old-style function definitions in kdb5.c and normalize
Greg Hudson [Mon, 4 Oct 2010 18:23:00 +0000 (18:23 +0000)]
Protoize old-style function definitions in kdb5.c and normalize
formatting of definition headers.  No functional changes.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24417 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Merge branches/nss to trunk
Greg Hudson [Sat, 2 Oct 2010 17:21:54 +0000 (17:21 +0000)]
Merge branches/nss to trunk

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24416 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Copyright statements, whitespace, and other code formatting
Greg Hudson [Sat, 2 Oct 2010 17:17:35 +0000 (17:17 +0000)]
Copyright statements, whitespace, and other code formatting

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24415 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago In the krb5_kuserok implementation, fix an unintentional type change
Greg Hudson [Sat, 2 Oct 2010 11:48:06 +0000 (11:48 +0000)]
In the krb5_kuserok implementation, fix an unintentional type change
to "gobble" (was an int, was accidentally changed to a char) which
could result in an infinite loop.

ticket: 6792

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24413 dc483132-0cff-0310-8789-dd5450dbe970
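
The int-to-char narrowing described in this commit message, as an added example (not the krb5 source; as_stored, gobble_rest, run and the sample strings are hypothetical). It assumes a loop of the form "gobble = getc(fp)" compared against EOF and newline, and goes slightly beyond the message by also showing the signed-char case, where a 0xFF byte is mistaken for EOF.

```c
#include <stdio.h>

/* How the value returned by getc() is stored before the EOF comparison. */
enum store { AS_INT, AS_UCHAR, AS_SCHAR };

/* Constructed inputs: a final line with no newline, and a line that
 * contains the byte 0xFF. */
static const char TAIL[] = "tail-without-newline";
static const char HIGH[] = "ab\xff" "cd\n";

/* Model "gobble = getc(fp)" for each storage type, then promote the
 * stored value back to int, as the comparison with EOF does. */
static int as_stored(int c, enum store how)
{
    if (how == AS_UCHAR) return (unsigned char)c;  /* EOF (-1) becomes 255 */
    if (how == AS_SCHAR) return (signed char)c;    /* byte 0xFF becomes -1 */
    return c;                                      /* int keeps EOF distinct */
}

/* Discard the rest of the current line. Returns the number of bytes
 * discarded, or -1 when `cap` iterations pass with neither EOF nor a
 * newline seen (without the cap the loop would never terminate). */
static long gobble_rest(FILE *fp, enum store how, long cap)
{
    long n = 0;
    int gobble;
    while ((gobble = as_stored(getc(fp), how)) != EOF && gobble != '\n') {
        if (++n > cap)
            return -1;
    }
    return n;
}

/* Write the sample to a temporary file and run the loop over it.
 * Returns -2 if no temporary file could be created. */
static long run(const char *data, size_t len, enum store how)
{
    FILE *fp = tmpfile();
    long n;
    if (fp == NULL) return -2;
    fwrite(data, 1, len, fp);
    rewind(fp);
    n = gobble_rest(fp, how, 1000);
    fclose(fp);
    return n;
}

int main(void)
{
    printf("int, no newline:           %ld\n", run(TAIL, sizeof TAIL - 1, AS_INT));
    printf("unsigned char, no newline: %ld\n", run(TAIL, sizeof TAIL - 1, AS_UCHAR));
    printf("signed char, 0xFF byte:    %ld\n", run(HIGH, sizeof HIGH - 1, AS_SCHAR));
    return 0;
}
```

Whether plain char behaves like the AS_UCHAR or the AS_SCHAR case depends on the platform ABI, which is why the same source can hang on one architecture and only truncate input on another.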

14 years ago Fix type errors in t_gssexts
Greg Hudson [Sat, 2 Oct 2010 11:34:27 +0000 (11:34 +0000)]
Fix type errors in t_gssexts

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24412 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Eliminate K&R-style function definition headers in t_gssexts.c, and
Greg Hudson [Sat, 2 Oct 2010 11:30:50 +0000 (11:30 +0000)]
Eliminate K&R-style function definition headers in t_gssexts.c, and
reformat other definitions according to coding practices.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24411 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Use gss_set_cred_option instead of (undeclared) gssspi_set_cred_option
Ken Raeburn [Sat, 2 Oct 2010 03:29:37 +0000 (03:29 +0000)]
Use gss_set_cred_option instead of (undeclared) gssspi_set_cred_option

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24410 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Try to require function declarations for GCC, as we already do for the
Ken Raeburn [Sat, 2 Oct 2010 03:29:34 +0000 (03:29 +0000)]
Try to require function declarations for GCC, as we already do for the
Sun compiler.

Change the cache variable name construction to distinguish "=" from
"-" in option names.  Prefer -Werror-implicit-function-declaration
over -Werror=implicit-function-declaration since in some versions of
GCC only the former works properly.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24409 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Add empty src/plugins/preauth/securid_sam2/deps to allow build to work again
Tom Yu [Fri, 1 Oct 2010 20:15:00 +0000 (20:15 +0000)]
Add empty src/plugins/preauth/securid_sam2/deps to allow build to work again

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24407 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Add an error to be returned by a preauth mechanism indicating that the KDC should...
Sam Hartman [Fri, 1 Oct 2010 17:12:41 +0000 (17:12 +0000)]
Add an error to be returned by a preauth mechanism indicating that the KDC should not respond to a packet

* Do not generate an error response in this case
* Drop a TCP connection if we are not going to respond to it.

kdc: add KRB5KDC_ERR_DISCARD

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24406 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Initial securid2 support.
Sam Hartman [Fri, 1 Oct 2010 17:12:37 +0000 (17:12 +0000)]
Initial securid2 support.
builds but untested

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24405 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Enable sam_challenge_2 encoders
Sam Hartman [Fri, 1 Oct 2010 17:12:30 +0000 (17:12 +0000)]
Enable sam_challenge_2 encoders

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24404 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Remove support for the old pa-sam-challenge and pa-sam-response
Sam Hartman [Fri, 1 Oct 2010 17:12:26 +0000 (17:12 +0000)]
Remove support for the old pa-sam-challenge and pa-sam-response
preauth type per discussion on krbdev.  The pa-sam-challenge-2 code
remains in the client.

preauth: remove pa-sam-challenge

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24403 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Implement k5login_directory and k5login_authoritative options
Greg Hudson [Fri, 1 Oct 2010 15:56:30 +0000 (15:56 +0000)]
Implement k5login_directory and k5login_authoritative options

Add and document two new options for controlling k5login behavior.

ticket: 6792

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24402 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Add a simple test harness for kuserok. Build it during make check but
Greg Hudson [Fri, 1 Oct 2010 13:44:12 +0000 (13:44 +0000)]
Add a simple test harness for kuserok.  Build it during make check but
don't run any automated tests for the moment.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24401 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago A cleaner implementation of r24399 which adds two new auth context APIs
Greg Hudson [Fri, 1 Oct 2010 03:47:38 +0000 (03:47 +0000)]
A cleaner implementation of r24399 which adds two new auth context APIs
(and is therefore less suitable for backporting to 1.8) but doesn't
reach inside the auth context structure in the krb5 mechanism code.

ticket: 6768

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24400 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago GSSAPI forwarded credentials must be encrypted in session key
Greg Hudson [Fri, 1 Oct 2010 03:45:43 +0000 (03:45 +0000)]
GSSAPI forwarded credentials must be encrypted in session key

When IAKERB support was added, the krb5_mk_req checksum function
gained access to the send subkey.  This caused GSSAPI forwarded
credentials to be encrypted in the subkey, which violates RFC 4121
section 4.1.1 and is not accepted by Microsoft's implementation.
Temporarily null out the send subkey in the auth context so that
krb5_mk_ncred uses the session key instead.

ticket: 6768
target_version: 1.8.4
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24399 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Whitespace
Greg Hudson [Thu, 30 Sep 2010 17:16:46 +0000 (17:16 +0000)]
Whitespace

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24393 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Whitespace
Greg Hudson [Thu, 30 Sep 2010 17:02:29 +0000 (17:02 +0000)]
Whitespace

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24392 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Use a different construction for defaulting ks_tuple and n_ks_tuple in
Greg Hudson [Thu, 30 Sep 2010 17:01:30 +0000 (17:01 +0000)]
Use a different construction for defaulting ks_tuple and n_ks_tuple in
the libkadm5 server principal routines, to avoid repeated conditional
expressions.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24391 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Whitespace and minor style changes
Greg Hudson [Thu, 30 Sep 2010 15:53:44 +0000 (15:53 +0000)]
Whitespace and minor style changes

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24390 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Correct the admin documentation for auth_to_local
Greg Hudson [Thu, 30 Sep 2010 13:13:41 +0000 (13:13 +0000)]
Correct the admin documentation for auth_to_local

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24387 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Follow-on to r24258: initialize the new k5e1 error table where we
Greg Hudson [Wed, 29 Sep 2010 21:38:26 +0000 (21:38 +0000)]
Follow-on to r24258: initialize the new k5e1 error table where we
initialize the krb5 error table, and add initialize_k5e1_error_table
to the libkrb5 exports list for consistency with the other error
tables.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24378 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago make depend
Sam Hartman [Wed, 29 Sep 2010 21:29:25 +0000 (21:29 +0000)]
make depend
Add kadm5_hook test plugin to toplevel Makefile.in

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24377 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Automated tests for kadm5_hook plugin
Sam Hartman [Wed, 29 Sep 2010 21:29:20 +0000 (21:29 +0000)]
Automated tests for kadm5_hook plugin

Include a k5test Python test and test plugin for the kadm5_hook interface.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24376 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago kadm5_hook: new plugin interface
Sam Hartman [Wed, 29 Sep 2010 21:29:14 +0000 (21:29 +0000)]
kadm5_hook: new plugin interface

Implement http://k5wiki.kerberos.org/wiki/Projects/Kadmin_hook_interface

This provides an interface that allows a plugin to track kadmin
operations. This can be used for projects like the krb5-sync project.

ticket: 6791

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24375 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Make krb5_dbe_def_search_enctype skip key data entries with invalid
Greg Hudson [Tue, 28 Sep 2010 19:09:11 +0000 (19:09 +0000)]
Make krb5_dbe_def_search_enctype skip key data entries with invalid
enctypes instead of erroring out on them.  We had this behavior prior
to 1.8 (more by accident than by design), but it changed as a
side-effect of r23599.

ticket: 6790
target_version: 1.8.4
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24370 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Use IAKERB OID header for all IAKERB messages including AP-REQ
Luke Howard [Mon, 27 Sep 2010 18:51:55 +0000 (18:51 +0000)]
Use IAKERB OID header for all IAKERB messages including AP-REQ

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24363 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Doxygen for k5-buf.h
Sam Hartman [Mon, 27 Sep 2010 17:16:47 +0000 (17:16 +0000)]
Doxygen for k5-buf.h

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24360 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago kpasswd: if a credential cache is present, use FAST
Sam Hartman [Mon, 27 Sep 2010 17:16:41 +0000 (17:16 +0000)]
kpasswd: if a credential cache is present, use FAST

If a credentials cache is available, use it as an armor cache to enable FAST negotiation for kpasswd. This requires an attacker to attack both the user's long-term key for the old password as well as the ticket used for the armor cache in order to attack the password change. Depending on how the armor ticket is obtained, this may provide limited value. However, it provides users an easy option if they are concerned about their current password. Users can kinit with one principal to help protect changing the password of another principal.

* krb5_get_init_creds_opt_set_fast_ccache: new API to set fast ccache based on a krb5_ccache object rather than a resolvable string

* kpasswd: always open the current credential cache even if not needed
  for determining the principal. If the cache has tickets, use it as
  an armor cache.

* tests/dejagnu/krb-standalone/kadmin.exp: Arrange to test new code path

ticket: 6786

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24359 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Simplify acquire_accept_cred very slightly, avoiding some long lines
Greg Hudson [Mon, 27 Sep 2010 03:46:57 +0000 (03:46 +0000)]
Simplify acquire_accept_cred very slightly, avoiding some long lines
and repeated macro calls.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24357 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Add gss_krb5_import_cred
Greg Hudson [Mon, 27 Sep 2010 03:39:22 +0000 (03:39 +0000)]
Add gss_krb5_import_cred

Add gss_krb5_import_cred from Heimdal; allows krb5 creds to be
acquired from a keytab or ccache into a GSSAPI credential without
using global process or thread variables.

Merged from the users/lhoward/import-cred branch.

ticket: 6785

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24356 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Initialize kdb5_ldap_util's context with kadm5_init_krb5_context, like
Greg Hudson [Wed, 22 Sep 2010 22:09:24 +0000 (22:09 +0000)]
Initialize kdb5_ldap_util's context with kadm5_init_krb5_context, like
kdb5_util does, in order to get the KDC profile settings as well as
the regular krb5 profile settings.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24337 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago relicense Sun RPC to 3-clause BSD-style
Tom Yu [Wed, 22 Sep 2010 21:50:48 +0000 (21:50 +0000)]
relicense Sun RPC to 3-clause BSD-style

Per e-mail from Wim Coekaerts, Oracle America authorizes the
relicensing of Sun RPC to 3-clause BSD-style.

ticket: 6784

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24336 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Adjust the k5login man page to have a slightly more neutral tone
Greg Hudson [Mon, 20 Sep 2010 18:25:18 +0000 (18:25 +0000)]
Adjust the k5login man page to have a slightly more neutral tone

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24335 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Slight revisions to create_workers() in the KDC:
Greg Hudson [Sun, 19 Sep 2010 12:03:18 +0000 (12:03 +0000)]
Slight revisions to create_workers() in the KDC:
* Use calloc() to allocate the pids array; squashes a Coverity false
  positive.
* Don't leak the pids array in worker processes.
* Use consistent terminology in comments.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24329 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago KDC worker processes feature
Greg Hudson [Fri, 17 Sep 2010 17:42:31 +0000 (17:42 +0000)]
KDC worker processes feature

Add support for a krb5kdc -w option which causes the KDC to spawn
worker processes which can process requests in parallel.  See also:
http://k5wiki.kerberos.org/wiki/Projects/Parallel_KDC

ticket: 6783

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24328 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Add an extra arguments parameter to k5test's realm.start_kdc()
Greg Hudson [Fri, 17 Sep 2010 16:06:34 +0000 (16:06 +0000)]
Add an extra arguments parameter to k5test's realm.start_kdc()

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24327 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago In kinit_kdb_init(), ensure that we don't return an error with the
Greg Hudson [Fri, 17 Sep 2010 15:52:23 +0000 (15:52 +0000)]
In kinit_kdb_init(), ensure that we don't return an error with the
old, freed value of *pcontext still there--that would result in a
double free.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24326 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Follow-on to r24315: remove get/set_mkey_list from export list of
Greg Hudson [Thu, 16 Sep 2010 17:38:30 +0000 (17:38 +0000)]
Follow-on to r24315: remove get/set_mkey_list from export list of
libkdb_ldap.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24324 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago In the PKINIT OpenSSL crypto code, use a signed int to hold the result
Greg Hudson [Wed, 15 Sep 2010 22:43:00 +0000 (22:43 +0000)]
In the PKINIT OpenSSL crypto code, use a signed int to hold the result
of X509_get_ext_by_NID so we can detect negative return values.
Reported by nalin@redhat.com.

ticket: 6774

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24323 dc483132-0cff-0310-8789-dd5450dbe970