krb5.git
13 years agoIn kg_acceptor_princ, make Coverity happy by using a different test to
Greg Hudson [Mon, 14 Feb 2011 00:13:17 +0000 (00:13 +0000)]
In kg_acceptor_princ, make Coverity happy by using a different test to
determine if we should set (*princ_out)->type.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24638 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoIn kadm5_rename_principal, fix an oversight which would cause errors
Greg Hudson [Sun, 13 Feb 2011 22:36:13 +0000 (22:36 +0000)]
In kadm5_rename_principal, fix an oversight which would cause errors
from krb5_principal2salt_norealm to be ignored.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24637 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoUntabify trace.c (tabs crept in when the file was created)
Greg Hudson [Sun, 13 Feb 2011 21:14:43 +0000 (21:14 +0000)]
Untabify trace.c (tabs crept in when the file was created)

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24636 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoDefer hostname lookups in krb5_sendto_kdc
Greg Hudson [Sun, 13 Feb 2011 21:14:00 +0000 (21:14 +0000)]
Defer hostname lookups in krb5_sendto_kdc

Restructure the locate_kdc and sendto_kdc code to defer getaddrinfo
calls until we need the answer.  This requires many changes:

* struct addrlist is now called struct serverlist, and is declared in
  os-proto.h instead of k5-int.h.  It contains an array of struct
  server_entry structures which can hold either a name or an address.
  (Address entries are used for locate_kdc module results.)

* The connection state list is now a linked list, and holds address
  information directly instead of using a struct addrinfo (this
  simplifies memory management).  Each connection entry contains a
  callback buffer (previously stored in a separate array) and an index
  into the server list.

* The {addrstate} trace formatting primitive is no longer needed, and
  has been replaced by {connstate}.  There is also a new tracing event
  for resolving hostnames.

* locate_server, locate_kdc, free_serverlist, and sendto get their
  prefixes changed from krb5int_ to k5_ as their prototypes were being
  adjusted anyway.  The family argument is gone from the locate
  functions as it was never productively used.  k5_sendto now receives
  the socket types of interest.

* krb5_sendto_kdc will now pass a 0 socktype to k5_locate_kdc if both
  socket types are wanted.  There were some allowances for this in
  locate but this was never previously done.  In order to be
  conservative when invoking locate modules, we always pass an
  explicit socktype, thus calling lookup twice (as we did before,
  albeit with a separate init/fini cycle) in the common case.  When
  creating hostname entries in serverlist from profile configuration,
  we preserve the 0 value of socktype, and later create both TCP and
  UDP addresses from the getaddrinfo results when the host is
  resolved.

* Some accessor functions previously used by libkrb4 have been removed
  as they impinged upon this work.

ticket: 6868

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24635 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoTrace logging file descriptor leak
Greg Hudson [Sun, 13 Feb 2011 19:12:36 +0000 (19:12 +0000)]
Trace logging file descriptor leak

File descriptors created for trace logging were never being closed.
With short-lived contexts this leak would eventually overflow the
process's file table.  Correct this oversight by closing the file
descriptor in file_trace_cb before freeing its container.

ticket: 6867
target_version: 1.9.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24634 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoReposition a trace call which was dereferencing freed memory after
Greg Hudson [Sun, 13 Feb 2011 18:48:06 +0000 (18:48 +0000)]
Reposition a trace call which was dereferencing freed memory after
r24616.

ticket: 6855

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24633 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoKDC denial of service attacks [MITKRB5-SA-2011-002 CVE-2011-0281 CVE-2011-0282 CVE...
Tom Yu [Wed, 9 Feb 2011 20:25:08 +0000 (20:25 +0000)]
KDC denial of service attacks [MITKRB5-SA-2011-002 CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]

[CVE-2011-0281 CVE-2011-0282] Fix some LDAP back end principal name
handling that could cause the KDC to hang or crash.

[CVE-2011-0283] Fix a KDC null pointer dereference introduced in krb5-1.9.

ticket: 6860
tags: pullup
target_version: 1.9.1

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24622 dc483132-0cff-0310-8789-dd5450dbe970

13 years agokpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
Tom Yu [Wed, 9 Feb 2011 20:25:03 +0000 (20:25 +0000)]
kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]

When operating in standalone mode and not doing iprop, don't return
from do_standalone() if the child exits with abnormal status.

ticket: 6859
tags: pullup
target_version: 1.9.1

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24621 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdd missing KRB5_USE_INET6 ifdefs around some bits of IPv6 code which
Greg Hudson [Wed, 9 Feb 2011 04:59:38 +0000 (04:59 +0000)]
Add missing KRB5_USE_INET6 ifdefs around some bits of IPv6 code which
didn't have them.  From aberry@likewise.com.

ticket: 6857

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24620 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAssume ELF on FreeBSD if objformat doesn't exist
Greg Hudson [Wed, 9 Feb 2011 04:46:46 +0000 (04:46 +0000)]
Assume ELF on FreeBSD if objformat doesn't exist

If /usr/bin/objformat doesn't exist on a FreeBSD system, it could
indicate a pre-3.0 a.out version or a post-7.0 ELF version.  Since
FreeBSD 3.0 is now twelve years old, it's safer to assume ELF than
a.out.

From aberry@likewise.com.

ticket: 6858

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24619 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix seg faulting trace log message for use of fallback realm
Greg Hudson [Tue, 8 Feb 2011 22:31:10 +0000 (22:31 +0000)]
Fix seg faulting trace log message for use of fallback realm

The call to TRACE_TKT_CREDS_FALLBACK in get_creds.c was supplying the
wrong argument, causing a crash.

ticket: 6856
target_version: 1.9.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24618 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoSet JAVADOC_AUTOBRIEF to YES to allow Doxygen interpret the first line of a JavaDoc...
Zhanna Tsitkov [Tue, 8 Feb 2011 21:25:21 +0000 (21:25 +0000)]
Set JAVADOC_AUTOBRIEF to YES to allow Doxygen interpret the first line of a JavaDoc-style comment as the brief description.
Also, minor argument name fix in krb5.hin

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24617 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoImprove acceptor name flexibility
Greg Hudson [Mon, 7 Feb 2011 18:40:00 +0000 (18:40 +0000)]
Improve acceptor name flexibility

Be more flexible about the principal names we will accept for a given
GSS acceptor name.  Also add support for a new libdefaults profile
variable ignore_acceptor_hostname, which causes the hostnames of
host-based service principals to be ignored when passed by server
applications as acceptor names.

Note that we still always invoke krb5_sname_to_principal() when
importing a gss-krb5 mechanism name, even though we won't always use
the result.  This is an unfortunate waste of getaddrinfo/getnameinfo
queries in some situations, but the code surgery necessary to defer
it appears too risky at this time.

The project proposal for this change is at:

http://k5wiki.kerberos.org/wiki/Projects/Acceptor_Names

ticket: 6855

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24616 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdd "make doxugen" option to generate doxygen output
Zhanna Tsitkov [Mon, 7 Feb 2011 17:06:44 +0000 (17:06 +0000)]
Add "make doxugen" option to generate doxygen output

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24615 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdded doxygen comments (mostly from the backup location)
Zhanna Tsitkov [Mon, 7 Feb 2011 16:50:13 +0000 (16:50 +0000)]
Added doxygen comments (mostly from the backup location)

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24614 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoChange flow control in krb5_gss_import_name to better match current
Greg Hudson [Fri, 4 Feb 2011 20:25:05 +0000 (20:25 +0000)]
Change flow control in krb5_gss_import_name to better match current
coding practices.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24613 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoRemove an unnecessary statement in acquire_init_cred(). We never set
Greg Hudson [Thu, 3 Feb 2011 17:39:57 +0000 (17:39 +0000)]
Remove an unnecessary statement in acquire_init_cred().  We never set
an acceptor name different from desired_princ.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24612 dc483132-0cff-0310-8789-dd5450dbe970

13 years agokadmin's ktremove can remove wrong entries when removing kvno 0
Greg Hudson [Tue, 1 Feb 2011 01:11:51 +0000 (01:11 +0000)]
kadmin's ktremove can remove wrong entries when removing kvno 0

Because of 8-bit wraparound, keytabs can contain entries with kvno 0.
Because 0 is a distinguished kvno value for krb5_kt_get_entry(),
kadmin's remove_principal() winds up substituting the specified kvno
with the highest-numbered kvno of the specified principal in the
keytab.  Make sure not to perform this substitution when in
specified-kvno mode.

(This fix leaves behind a very minor bug where "ktrem principal 0"
returns silently, instead of producing an error message like it
normally would, if principal exists in the keytab but not at kvno 0.)

ticket: 6854

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24611 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoRestore KRB5_CALLCONV_WRONG attribute to krb5_auth_con_getrcache
Tom Yu [Wed, 26 Jan 2011 19:48:16 +0000 (19:48 +0000)]
Restore KRB5_CALLCONV_WRONG attribute to krb5_auth_con_getrcache

It was incorrectly removed in r24600.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24606 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoWhen building PKINIT against OpenSSL 1.0 or later, use the CMS APIs for
Greg Hudson [Wed, 26 Jan 2011 18:23:23 +0000 (18:23 +0000)]
When building PKINIT against OpenSSL 1.0 or later, use the CMS APIs for
better interoperability.  From nalin@redhat.com.

ticket: 6851

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24605 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoMake principal renaming work in libkadm5srv by converting to explicit
Greg Hudson [Tue, 25 Jan 2011 05:20:07 +0000 (05:20 +0000)]
Make principal renaming work in libkadm5srv by converting to explicit
salts as necessary.  Add a principal rename command to the client.
(The RPC infrastructure was already present.)

Adapted from patches submitted by mdw@umich.edu and lha@apple.com.

ticket: 6323

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24604 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoMake gss_krb5_set_allowable_enctypes work for the acceptor
Greg Hudson [Tue, 25 Jan 2011 00:23:48 +0000 (00:23 +0000)]
Make gss_krb5_set_allowable_enctypes work for the acceptor

With the addition of enctype negotiation in 1.7, a gss-krb5 acceptor
can choose an enctype for the acceptor subkey other than the one in
the keytab.  If the resulting security context will be exported and
re-imported by another gss-krb5 implementation (such as one in the
kernel), the acceptor needs a way to restrict the set of negotiated
enctypes to those supported by the other implementation.  We had that
functionality for the initiator already in the form of
gss_krb5_set_allowable_enctypes; this change makes it work for the
acceptor as well.

ticket: 6852
target_version: 1.9.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24603 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAdd a trace log event for unrecognized enctypes in a profile enctype
Greg Hudson [Fri, 21 Jan 2011 18:09:56 +0000 (18:09 +0000)]
Add a trace log event for unrecognized enctypes in a profile enctype
list.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24602 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix edge case in LDAP last_admin_unlock processing
Greg Hudson [Fri, 21 Jan 2011 05:00:53 +0000 (05:00 +0000)]
Fix edge case in LDAP last_admin_unlock processing

In the LDAP KDB module, set appropriate flags when zeroing
entry->fail_auth_count due to an administrative unlock.

ticket: 6849
target_version: 1.9.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24601 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoWhere missing, add the argument's names to the function signatures
Zhanna Tsitkov [Wed, 19 Jan 2011 16:49:41 +0000 (16:49 +0000)]
Where missing, add the argument's names to the function signatures

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24600 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoRenamed static function krb5_rd_safe_basic into rd_safe_basic to avoid confusion...
Zhanna Tsitkov [Tue, 18 Jan 2011 21:54:58 +0000 (21:54 +0000)]
Renamed static function krb5_rd_safe_basic into rd_safe_basic to avoid confusion with API

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24599 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoIn t_expire_warn.py, put the hashbang line at the top, instead of
Greg Hudson [Tue, 18 Jan 2011 17:51:58 +0000 (17:51 +0000)]
In t_expire_warn.py, put the hashbang line at the top, instead of
after the copyright comments.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24598 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoUpdate copyright year in prototype sources
Greg Hudson [Tue, 18 Jan 2011 17:03:54 +0000 (17:03 +0000)]
Update copyright year in prototype sources

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24597 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoDoxygen style re-formating of the existing comments
Zhanna Tsitkov [Thu, 13 Jan 2011 15:32:47 +0000 (15:32 +0000)]
Doxygen style re-formating of the existing comments

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24596 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoIn krb5_set_realm():
Greg Hudson [Wed, 12 Jan 2011 23:31:58 +0000 (23:31 +0000)]
In krb5_set_realm():
* Return EINVAL and ENOMEM correctly.
* Accept an empty realm instead of returning EINVAL.
* Wrap a long line.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24595 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoDon't call memset with a zero length
Ken Raeburn [Wed, 12 Jan 2011 22:00:40 +0000 (22:00 +0000)]
Don't call memset with a zero length

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24594 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoAsn.1 decode related file rearrangement. It was made based on the following criteria:
Zhanna Tsitkov [Tue, 11 Jan 2011 20:00:52 +0000 (20:00 +0000)]
Asn.1 decode related file rearrangement. It was made based on the following criteria:
1. based on functionality (for example, kdc-only code)
2. Well defined clusters of functions (fast, sam).

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24593 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoTighten up the error handling in the mechglue's gss_canonicalize_name,
Greg Hudson [Mon, 10 Jan 2011 20:32:56 +0000 (20:32 +0000)]
Tighten up the error handling in the mechglue's gss_canonicalize_name,
eliminating a null pointer dereference in the (unlikely) case that
allocation of out_union fails.  Reported by aberry@likewise.com.

ticket: 6817

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24592 dc483132-0cff-0310-8789-dd5450dbe970

13 years agoFix a couple of cases in the SPNEGO implementation where a
Greg Hudson [Mon, 10 Jan 2011 18:25:36 +0000 (18:25 +0000)]
Fix a couple of cases in the SPNEGO implementation where a
half-constructed SPNEGO context could be leaked.  Patch from
aberry@likewise.com, slightly amended.

ticket: 6816

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24591 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoDon't attempt to serialize a NULL authdata context when serializing a
Greg Hudson [Tue, 28 Dec 2010 18:27:17 +0000 (18:27 +0000)]
Don't attempt to serialize a NULL authdata context when serializing a
GSSAPI context (most often seen with initiator contexts).  Patch from
aberry@likewise.com.

ticket: 6675
target_version: 1.9.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24590 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoDon't use a krb5 context in t_fork, since we don't set up a krb5.conf
Greg Hudson [Tue, 28 Dec 2010 17:27:15 +0000 (17:27 +0000)]
Don't use a krb5 context in t_fork, since we don't set up a krb5.conf
in the crypto test directory's "make check".

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24589 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoDocument rdns libdefault setting
Tom Yu [Mon, 20 Dec 2010 22:52:35 +0000 (22:52 +0000)]
Document rdns libdefault setting

ticket: 6794
tags: pullup
target_version: 1.9

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24584 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoEliminate some unused variable warnings
Greg Hudson [Mon, 20 Dec 2010 17:48:06 +0000 (17:48 +0000)]
Eliminate some unused variable warnings

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24583 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove an unnecessary clause from safe_cksumtype() which served only
Greg Hudson [Thu, 16 Dec 2010 05:07:24 +0000 (05:07 +0000)]
Remove an unnecessary clause from safe_cksumtype() which served only
to create a theoretical (but impossible in practice) memory leak.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24581 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoupdate acknowledgments
Tom Yu [Wed, 15 Dec 2010 19:14:37 +0000 (19:14 +0000)]
update acknowledgments

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24575 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoEnsure time() is prototyped in g_accept_sec_context.c
Greg Hudson [Tue, 14 Dec 2010 18:46:46 +0000 (18:46 +0000)]
Ensure time() is prototyped in g_accept_sec_context.c

r22736 added a call to time() in g_accept_sec_context.c.  Include
<time.h> to ensure that this call is correctly prototyped.  Previously
<time.h> was only included implicitly through <pthread.h>, which
doesn't apply when thread support is disabled.

ticket: 6842
tags: pullup
target_version: 1.9

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24568 dc483132-0cff-0310-8789-dd5450dbe970

14 years agomemory leak in changepw.c
Tom Yu [Tue, 14 Dec 2010 17:34:48 +0000 (17:34 +0000)]
memory leak in changepw.c

Apply patch from Marcus Watts to avoid a memory leak in changepw.c.

ticket: 6841
tags: pullup
target_version: 1.9

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24567 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix a regression in the client-side ticket renewal code where KDC
Greg Hudson [Tue, 14 Dec 2010 17:28:38 +0000 (17:28 +0000)]
Fix a regression in the client-side ticket renewal code where KDC
options were not folded into the renewal request (most notably, the
KDC_OPT_RENEWABLE flag), so we didn't request renewable renewed
tickets.  Add a simple test case for ticket renewal.

ticket: 6838
tags: pullups
target_version: 1.9

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24566 dc483132-0cff-0310-8789-dd5450dbe970

14 years agotypo in plugin-related error message
Tom Yu [Tue, 14 Dec 2010 17:24:21 +0000 (17:24 +0000)]
typo in plugin-related error message

Apply patch from Marcus Watts to fix error message typo.

ticket: 6840
tags: pullup
target_version: 1.9

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24565 dc483132-0cff-0310-8789-dd5450dbe970

14 years agohandle MS PACs that lack server checksum
Tom Yu [Fri, 10 Dec 2010 01:06:26 +0000 (01:06 +0000)]
handle MS PACs that lack server checksum

target_version 1.9
tags: pullup

Apple Mac OS X Server's Open Directory KDC issues MS PAC like
authorization data that lacks a server checksum.  If this checksum is
missing, mark the PAC as unverfied, but allow
krb5int_authdata_verify() to succeed.  Filter out the unverified PAC
in subsequent calls to krb5_authdata_get_attribute().  Add trace
points to indicate where this behavior occurs.

Thanks to Helmut Grohne for help with analysis.  This bug is also
Debian Bug #604925:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604925

This change should also get backported to krb5-1.8.x.

ticket: 6839

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24564 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd comment noting that RFC 4121 appears to omit RC4-HMAC from the
Tom Yu [Tue, 7 Dec 2010 23:45:15 +0000 (23:45 +0000)]
Add comment noting that RFC 4121 appears to omit RC4-HMAC from the
list of "not-newer" enctypes, even though RFC 4757 effectively treats
it as one.  Suggested by Derrick Brashear.

ticket: 6835

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24563 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoupdate dependencies
Ken Raeburn [Sun, 5 Dec 2010 20:16:17 +0000 (20:16 +0000)]
update dependencies

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24561 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoTest for key rollover for TGT, including purging old keys
Tom Yu [Fri, 3 Dec 2010 12:34:53 +0000 (12:34 +0000)]
Test for key rollover for TGT, including purging old keys

ticket: 1219
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24555 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoCorrect typo in admin documentation for restrict_anonymous_to_tgt
Greg Hudson [Wed, 1 Dec 2010 22:36:38 +0000 (22:36 +0000)]
Correct typo in admin documentation for restrict_anonymous_to_tgt

ticket: 6829

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24550 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoImplement restrict_anonymous_to_tgt realm flag
Greg Hudson [Wed, 1 Dec 2010 20:01:46 +0000 (20:01 +0000)]
Implement restrict_anonymous_to_tgt realm flag

Implement a new realm flag to reject ticket requests from anonymous
principals to any principal other than the local TGT.  Allows FAST to
be deployed using anonymous tickets as armor in realms where the set
of authenticatable users must be constrained.

ticket: 6829
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24547 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoInstall kadm5_hook_plugin.h
Sam Hartman [Tue, 30 Nov 2010 22:46:54 +0000 (22:46 +0000)]
Install kadm5_hook_plugin.h

Install the kadm5 hook plugin header

ticket: 6828
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24539 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoSA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
Greg Hudson [Tue, 30 Nov 2010 21:20:49 +0000 (21:20 +0000)]
SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)

Fix multiple checksum handling bugs, as described in:
  CVE-2010-1324
  CVE-2010-1323
  CVE-2010-4020
  CVE-2010-4021

* Return the correct (keyed) checksums as the mandatory checksum type
  for DES enctypes.
* Restrict simplified-profile checksums to their corresponding etypes.
* Add internal checks to reduce the risk of stream ciphers being used
  with simplified-profile key derivation or other algorithms relying
  on the block encryption primitive.
* Use the mandatory checksum type for the PKINIT KDC signature,
  instead of the first-listed keyed checksum.
* Use the mandatory checksum type when sending KRB-SAFE messages by
  default, instead of the first-listed keyed checksum.
* Use the mandatory checksum type for the t_kperf test program.
* Use the mandatory checksum type (without additional logic) for the
  FAST request checksum.
* Preserve the existing checksum choices (unkeyed checksums for DES
  enctypes) for the authenticator checksum, using explicit logic.
* Ensure that SAM checksums received from the KDC are keyed.
* Ensure that PAC checksums are keyed.

ticket: 6827

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24538 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoInstall gssapi_ext.h on Windows. Include gssapi_ext.h in the header
Greg Hudson [Tue, 30 Nov 2010 17:46:10 +0000 (17:46 +0000)]
Install gssapi_ext.h on Windows.  Include gssapi_ext.h in the header
files considered by def-check.pl in verify-calling-conventions-gssapi.

ticket: 6826

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24537 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoUse for loops for recursion in the Windows build, cutting down on the
Greg Hudson [Sun, 28 Nov 2010 01:36:42 +0000 (01:36 +0000)]
Use for loops for recursion in the Windows build, cutting down on the
verbiage in Makefile.in files.  For correctness of output, every
Makefile.in mydir= definition is changed to use $(S) instead of /.

ticket: 6826

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24536 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoSupply static ordinals for new symbols in gssapi32.def and krb5_32.def,
Greg Hudson [Fri, 26 Nov 2010 16:37:14 +0000 (16:37 +0000)]
Supply static ordinals for new symbols in gssapi32.def and krb5_32.def,
for consistency with KFW 3.x.

ticket: 6826

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24535 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix how gssapi.h is rebuilt on Windows; accidentally omitted from
Greg Hudson [Thu, 25 Nov 2010 20:34:06 +0000 (20:34 +0000)]
Fix how gssapi.h is rebuilt on Windows; accidentally omitted from
r24533.

ticket: 6826

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24534 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix Windows build
Greg Hudson [Thu, 25 Nov 2010 20:28:30 +0000 (20:28 +0000)]
Fix Windows build

Repair the Windows build.  Tested with the prepare-on-Unix method.
Some specific changes include:

* Removed the IPC finalizer (no longer used after r20787) from
  ccapi/lib/ccapi_ipc.c, as it was creating a difficult dependency
  chain for the pingtest build in ccapi/test.  Also updated pingtest
  to use the k5_ipc_stream interfaces since cci_stream is gone.

* Reverted the apparently non-functional r20277.

* klist -V prints just "Kerberos for Windows", since it has no access
  to PACKAGE_NAME and PACKAGE_VERSION from autoconf.  This should be
  addressed correctly.

* krb5, telnet, gssftp, and NIM are removed from the build.

* Some files had CRLFs; these were replaced with LFs and the
  svn:eol-style property set on the files.  Otherwise the CRLFs became
  CRCRLFs after the zip transfer.

* Windows does not have opendir/readdir, so added Windows code to
  prof_parse.c for includedir.  Probable fodder for a libkrb5support
  portability shim.

ticket: 6826
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24533 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoUpdate krb5_gic_opt_private and related code to reflect the change of
Tom Yu [Tue, 23 Nov 2010 23:51:50 +0000 (23:51 +0000)]
Update krb5_gic_opt_private and related code to reflect the change of
krb5_expire_callback_func from a function typedef to a function
pointer typedef.  This was causing segfaults.

ticket: 6825

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24532 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoupdate acknowledgments
Tom Yu [Tue, 23 Nov 2010 23:51:45 +0000 (23:51 +0000)]
update acknowledgments

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24531 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoSet svn:eol-style on some Windows files and remove the CRs from their
Greg Hudson [Tue, 23 Nov 2010 18:50:12 +0000 (18:50 +0000)]
Set svn:eol-style on some Windows files and remove the CRs from their
repository representations.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24530 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd missing KRB5_CALLCONV in callback declaration
Greg Hudson [Tue, 23 Nov 2010 04:50:40 +0000 (04:50 +0000)]
Add missing KRB5_CALLCONV in callback declaration

krb5_get_init_creds_opt_set_expire_callback was correctly tagged with
KRB5_CALLCONV but the corresponding callback type was not.  Add that
in.

ticket: 6825
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24529 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoExport krb5_tkt_creds_get
Greg Hudson [Tue, 23 Nov 2010 04:41:08 +0000 (04:41 +0000)]
Export krb5_tkt_creds_get

krb5_tkt_creds_get was overlooked in the export list; add it.

ticket: 6824
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24528 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoCorrect typo in r24526
Greg Hudson [Mon, 22 Nov 2010 03:58:15 +0000 (03:58 +0000)]
Correct typo in r24526

ticket: 6823

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24527 dc483132-0cff-0310-8789-dd5450dbe970

14 years agogetdate.y: declare yyparse
Sam Hartman [Mon, 22 Nov 2010 03:33:22 +0000 (03:33 +0000)]
getdate.y: declare yyparse

At least on lucid, byacc doesn't declare yyparse, which creates
problems because lucid treats calls to unprototyped functions as
errors.

ticket: 6823
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24526 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoSuppress building camellia-gen in "make check" for now (it has a build
Greg Hudson [Sun, 21 Nov 2010 17:35:49 +0000 (17:35 +0000)]
Suppress building camellia-gen in "make check" for now (it has a build
issue on Solaris which will go away when Camellia support becomes
unconditional).

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24525 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoImplement Camellia-CTS-CMAC instead of Camellia-CCM
Greg Hudson [Sat, 20 Nov 2010 00:31:46 +0000 (00:31 +0000)]
Implement Camellia-CTS-CMAC instead of Camellia-CCM

Replace the Camellia-CCM enctypes with Camellia-CTS-CMAC.  Still not
compiled in by default since we don't have enctype assignments yet.

ticket: 6822
target_verion: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24524 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRead KDC profile settings in kpropd
Greg Hudson [Tue, 16 Nov 2010 02:54:26 +0000 (02:54 +0000)]
Read KDC profile settings in kpropd

kpropd can modify the KDB with ulog_replay(), so it should read the
KDC profile settings in case the KDB configuration is in there.

ticket: 6820
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24519 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoHandle referral realm in kprop client principal
Greg Hudson [Tue, 16 Nov 2010 02:30:16 +0000 (02:30 +0000)]
Handle referral realm in kprop client principal

kprop uses krb5_sname_to_principal() to determine its client
principal.  If the local hostname cannot be mapped to a realm based on
the profile's domain_realm section, krb5_sname_to_principal() will (as
of 1.6) return a principal with the referral realm (""), which does
not work in a client principal.  Handle this by substituting the
default realm.

ticket: 6819
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24518 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix a typo in install.texinfo
Greg Hudson [Tue, 16 Nov 2010 00:12:52 +0000 (00:12 +0000)]
Fix a typo in install.texinfo

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24517 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoThe iprop dejagnu test had some deceptive commented-out debugging code
Greg Hudson [Tue, 16 Nov 2010 00:12:38 +0000 (00:12 +0000)]
The iprop dejagnu test had some deceptive commented-out debugging code
(it would set up the user to run kpropd in the master environment
instead of the slave environment).  Make it more useful.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24516 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoCorrect a minor error in the k5test documentation
Greg Hudson [Mon, 15 Nov 2010 15:24:37 +0000 (15:24 +0000)]
Correct a minor error in the k5test documentation

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24515 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoInclude <openssl/des.h> in the OpenSSL back end's weak_key.c for the
Greg Hudson [Tue, 9 Nov 2010 23:24:31 +0000 (23:24 +0000)]
Include <openssl/des.h> in the OpenSSL back end's weak_key.c for the
DES_is_weak_key prototype.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24512 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAfter a failed kdb5_util load, make a subsequent load operation work
Greg Hudson [Sat, 6 Nov 2010 00:02:13 +0000 (00:02 +0000)]
After a failed kdb5_util load, make a subsequent load operation work
by removing the remnant temporary files after obtaining a lock.  To
make this safe, the private contract for temporary DB creation and
promotion had to be altered, along with many of the DB2 internal
helper functions.

ticket: 6814

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24511 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFurther kdb_db2 code cleanup: make gen_dbsuffix return a
Greg Hudson [Thu, 4 Nov 2010 21:27:03 +0000 (21:27 +0000)]
Further kdb_db2 code cleanup: make gen_dbsuffix return a
krb5_error_code to simplify error handling in callers, and discard the
db_lf_time field which was set but never used.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24510 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoRemove a stray spawn_shell in the iprop dejagnu tests
Greg Hudson [Thu, 4 Nov 2010 17:20:30 +0000 (17:20 +0000)]
Remove a stray spawn_shell in the iprop dejagnu tests

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24509 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoSimplify kdb_db2's open_db() a little further, avoiding a suspicious
Greg Hudson [Wed, 3 Nov 2010 17:32:11 +0000 (17:32 +0000)]
Simplify kdb_db2's open_db() a little further, avoiding a suspicious
switch fallthrough.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24508 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAvoid running off the end of the spares array in db2's page_to_oaddr()
Greg Hudson [Wed, 3 Nov 2010 16:43:49 +0000 (16:43 +0000)]
Avoid running off the end of the spares array in db2's page_to_oaddr()
in unrealistically large databases.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24507 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoUse size_t to hold set counts in net-server.c
Greg Hudson [Wed, 3 Nov 2010 16:42:05 +0000 (16:42 +0000)]
Use size_t to hold set counts in net-server.c

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24506 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoClean up the DB2 KDB module code a bit, making it more conformant with
Greg Hudson [Tue, 2 Nov 2010 17:21:28 +0000 (17:21 +0000)]
Clean up the DB2 KDB module code a bit, making it more conformant with
current coding practices.  Mostly namespace changes, but also simplify
krb5_db2_destroy().

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24505 dc483132-0cff-0310-8789-dd5450dbe970

14 years agokrb5_get_error_message cannot return NULL, and returns "Success" on
Greg Hudson [Mon, 1 Nov 2010 15:19:00 +0000 (15:19 +0000)]
krb5_get_error_message cannot return NULL, and returns "Success" on
error code 0.  Simplify some overly paranoid code accordingly.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24489 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoDon't fail out from krb5_get_credentials() if we can't store a ticket
Greg Hudson [Wed, 27 Oct 2010 17:05:05 +0000 (17:05 +0000)]
Don't fail out from krb5_get_credentials() if we can't store a ticket
into the ccache.

ticket: 6812

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24488 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFILE keytabs have been able to handle write operations since krb5 1.7,
Greg Hudson [Tue, 26 Oct 2010 19:36:58 +0000 (19:36 +0000)]
FILE keytabs have been able to handle write operations since krb5 1.7,
as an apparently unintended side effect of r20594.  Clean up the code
by combining the identical resolve functions for FILE and WRFILE, and
removing the code to set up a WRFILE default keytab name in kadmin.c.
Also fixes a slight display bug; k5test.py needs to be adjusted to
expect the correct output.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24487 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMark Camellia-CCM code as experimental
Greg Hudson [Tue, 26 Oct 2010 17:34:41 +0000 (17:34 +0000)]
Mark Camellia-CCM code as experimental

Add a comment noting that the Camellia-CCM code in 1.9 is
experimental.

ticket: 6811
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24486 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoAdd a kg_encrypt_inplace() utility function to the krb5 GSS mech, and
Greg Hudson [Tue, 26 Oct 2010 17:18:22 +0000 (17:18 +0000)]
Add a kg_encrypt_inplace() utility function to the krb5 GSS mech, and
use it where we do in-place encryption of checksums in the non-CFX
seal tokens with raw DES enctypes.  Avoids a harmless but incorrect
in-place memcpy().

ticket: 6770

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24485 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMake k5-buf.h comments consistent with coding style
Greg Hudson [Tue, 26 Oct 2010 16:41:38 +0000 (16:41 +0000)]
Make k5-buf.h comments consistent with coding style

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24484 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoSet *conf_state on successful return from
Greg Hudson [Tue, 26 Oct 2010 14:17:38 +0000 (14:17 +0000)]
Set *conf_state on successful return from
gss_krb5int_make_seal_token_v3_iov, fixing a case where it wasn't
always set by gss_wrap_iov.  Patch from aberry@likewise.com.

ticket: 6809
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24483 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoWhen we create a temporary memory ccache for use within a
Greg Hudson [Mon, 25 Oct 2010 21:55:54 +0000 (21:55 +0000)]
When we create a temporary memory ccache for use within a
krb5_gss_cred_id_rec, set a flag to indicate that the ccache should be
destroyed rather than closed.  Patch from aberry@likewise.com.

ticket: 6787
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24482 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoUse safer output parameter handling in
Greg Hudson [Mon, 25 Oct 2010 20:17:54 +0000 (20:17 +0000)]
Use safer output parameter handling in
krb5_gss_acquire_cred_impersonate_name and its subsidiary helpers.

ticket: 6796
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24481 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn acquire_init_cred in the GSS krb5 mech, don't intern cred->name,
Greg Hudson [Mon, 25 Oct 2010 19:37:03 +0000 (19:37 +0000)]
In acquire_init_cred in the GSS krb5 mech, don't intern cred->name,
since it's not used as an output parameter.  Fixes a memory leak.
Reported by aberry@likewise.com.

ticket: 6793
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24480 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoWhitespace
Greg Hudson [Sun, 24 Oct 2010 14:39:41 +0000 (14:39 +0000)]
Whitespace

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24479 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoWhitespace
Greg Hudson [Sun, 24 Oct 2010 14:25:07 +0000 (14:25 +0000)]
Whitespace

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24478 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoFix adjustment of counter
Ken Raeburn [Sat, 23 Oct 2010 22:26:10 +0000 (22:26 +0000)]
Fix adjustment of counter

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24477 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoDeclare xdr_purgekeys_arg
Ken Raeburn [Sat, 23 Oct 2010 22:26:07 +0000 (22:26 +0000)]
Declare xdr_purgekeys_arg

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24476 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoDeclare kadmin_purgekeys
Ken Raeburn [Sat, 23 Oct 2010 22:26:04 +0000 (22:26 +0000)]
Declare kadmin_purgekeys

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24475 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoDeclare krb5_set_error_message_fl
Ken Raeburn [Sat, 23 Oct 2010 22:26:01 +0000 (22:26 +0000)]
Declare krb5_set_error_message_fl

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24474 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoInclude k5-int.h for function declarations
Ken Raeburn [Sat, 23 Oct 2010 22:25:58 +0000 (22:25 +0000)]
Include k5-int.h for function declarations

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24473 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoIn profile-reading performance test, print microseconds not milliseconds
Ken Raeburn [Sat, 23 Oct 2010 22:25:55 +0000 (22:25 +0000)]
In profile-reading performance test, print microseconds not milliseconds

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24472 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoTry harder to retain the "brand" string in the shared library
Ken Raeburn [Sat, 23 Oct 2010 22:25:51 +0000 (22:25 +0000)]
Try harder to retain the "brand" string in the shared library

Make the brand array non-static, and actually use the value in (the
infrequently-called) krb5_init_secure_context.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24471 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoBetter libk5crypto NSS fork safety
Greg Hudson [Sat, 23 Oct 2010 00:38:17 +0000 (00:38 +0000)]
Better libk5crypto NSS fork safety

Use SECMOD_RestartModules() from the forthcoming NSS 3.12.9 release to
make the libk5crypto back end work after a fork.  Add a test program
to exercise fork detection in the NSS back end.  Add a configure-time
version check to ensure that we're using NSS 3.12.9 or later.

ticket: 6810
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24470 dc483132-0cff-0310-8789-dd5450dbe970

14 years agoMake it possible to override CRYPTO_IMPL_CFLAGS and CRYPTO_IMPL_LIBS at
Greg Hudson [Fri, 22 Oct 2010 00:01:56 +0000 (00:01 +0000)]
Make it possible to override CRYPTO_IMPL_CFLAGS and CRYPTO_IMPL_LIBS at
make time.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24469 dc483132-0cff-0310-8789-dd5450dbe970