Tom Yu [Wed, 9 Feb 2011 21:55:36 +0000 (21:55 +0000)]
pull up r24618 from trunk
------------------------------------------------------------------------
r24618 | ghudson | 2011-02-08 17:31:10 -0500 (Tue, 08 Feb 2011) | 8 lines
ticket: 6856
subject: Fix seg faulting trace log message for use of fallback realm
target_version: 1.9.1
tags: pullup
The call to TRACE_TKT_CREDS_FALLBACK in get_creds.c was supplying the
wrong argument, causing a crash.
ticket: 6856
version_fixed: 1.9.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24629 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 9 Feb 2011 20:53:23 +0000 (20:53 +0000)]
pull up r24622 from trunk
------------------------------------------------------------------------
r24622 | tlyu | 2011-02-09 15:25:08 -0500 (Wed, 09 Feb 2011) | 10 lines
ticket: 6860
subject: KDC denial of service attacks [MITKRB5-SA-2011-002 CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]
tags: pullup
target_version: 1.9.1
[CVE-2011-0281 CVE-2011-0282] Fix some LDAP back end principal name
handling that could cause the KDC to hang or crash.
[CVE-2011-0283] Fix a KDC null pointer dereference introduced in krb5-1.9.
ticket: 6860
version_fixed: 1.9.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24624 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 9 Feb 2011 20:53:19 +0000 (20:53 +0000)]
pull up r24621 from trunk
------------------------------------------------------------------------
r24621 | tlyu | 2011-02-09 15:25:03 -0500 (Wed, 09 Feb 2011) | 8 lines
ticket: 6859
subject: kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
tags: pullup
target_version: 1.9.1
When operating in standalone mode and not doing iprop, don't return
from do_standalone() if the child exits with abnormal status.
ticket: 6859
status: resolved
version_fixed: 1.9.1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24623 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 31 Jan 2011 22:44:26 +0000 (22:44 +0000)]
pull up r24603 from trunk
------------------------------------------------------------------------
r24603 | ghudson | 2011-01-24 19:23:48 -0500 (Mon, 24 Jan 2011) | 15 lines
ticket: 6852
subject: Make gss_krb5_set_allowable_enctypes work for the acceptor
target_version: 1.9.1
tags: pullup
With the addition of enctype negotiation in 1.7, a gss-krb5 acceptor
can choose an enctype for the acceptor subkey other than the one in
the keytab. If the resulting security context will be exported and
re-imported by another gss-krb5 implementation (such as one in the
kernel), the acceptor needs a way to restrict the set of negotiated
enctypes to those supported by the other implementation. We had that
functionality for the initiator already in the form of
gss_krb5_set_allowable_enctypes; this change makes it work for the
acceptor as well.
ticket: 6852
version_fixed: 1.9.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24610 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 31 Jan 2011 22:44:22 +0000 (22:44 +0000)]
pull up r24601 from trunk
------------------------------------------------------------------------
r24601 | ghudson | 2011-01-21 00:00:53 -0500 (Fri, 21 Jan 2011) | 8 lines
ticket: 6849
subject: Fix edge case in LDAP last_admin_unlock processing
target_version: 1.9.1
tags: pullup
In the LDAP KDB module, set appropriate flags when zeroing
entry->fail_auth_count due to an administrative unlock.
ticket: 6849
version_fixed: 1.9.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24609 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 31 Jan 2011 22:44:18 +0000 (22:44 +0000)]
pull up r24525 from trunk
------------------------------------------------------------------------
r24525 | ghudson | 2010-11-21 12:35:49 -0500 (Sun, 21 Nov 2010) | 4 lines
Suppress building camellia-gen in "make check" for now (it has a build
issue on Solaris which will go away when Camellia support becomes
unconditional).
ticket: 6847
version_fixed: 1.9.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24608 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 31 Jan 2011 22:44:13 +0000 (22:44 +0000)]
pull up r24590 from trunk
------------------------------------------------------------------------
r24590 | ghudson | 2010-12-28 13:27:17 -0500 (Tue, 28 Dec 2010) | 8 lines
ticket: 6675
target_version: 1.9.1
tags: pullup
Don't attempt to serialize a NULL authdata context when serializing a
GSSAPI context (most often seen with initiator contexts). Patch from
aberry@likewise.com.
ticket: 6675
version_fixed: 1.9.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24607 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 22 Dec 2010 21:00:01 +0000 (21:00 +0000)]
krb5-1.9-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24588 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 22 Dec 2010 20:36:11 +0000 (20:36 +0000)]
README and patchlevel.h for krb5-1.9
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24586 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 22 Dec 2010 19:10:27 +0000 (19:10 +0000)]
pull up r24584 from trunk
------------------------------------------------------------------------
r24584 | tlyu | 2010-12-20 17:52:35 -0500 (Mon, 20 Dec 2010) | 6 lines
ticket: 6794
tags: pullup
target_version: 1.9
Document rdns libdefault setting.
ticket: 6794
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24585 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Thu, 16 Dec 2010 21:52:09 +0000 (21:52 +0000)]
Add missing note about SA-2010-007
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24582 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Thu, 16 Dec 2010 03:28:02 +0000 (03:28 +0000)]
krb5-1.9-beta3-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24580 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Thu, 16 Dec 2010 03:24:52 +0000 (03:24 +0000)]
README and patchlevel.h for krb5-1.9-beta3
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24578 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Thu, 16 Dec 2010 03:15:29 +0000 (03:15 +0000)]
make depend
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24577 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 15 Dec 2010 23:55:29 +0000 (23:55 +0000)]
update acknowledgments
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24576 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Dec 2010 23:10:52 +0000 (23:10 +0000)]
pull up r24568 from trunk
------------------------------------------------------------------------
r24568 | ghudson | 2010-12-14 13:46:46 -0500 (Tue, 14 Dec 2010) | 10 lines
ticket: 6842
subject: Ensure time() is prototyped in g_accept_sec_context.c
tags: pullup
target_version: 1.9
r22736 added a call to time() in g_accept_sec_context.c. Include
<time.h> to ensure that this call is correctly prototyped. Previously
<time.h> was only included implicitly through <pthread.h>, which
doesn't apply when thread support is disabled.
ticket: 6842
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24573 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Dec 2010 23:10:49 +0000 (23:10 +0000)]
pull up r24567 from trunk
------------------------------------------------------------------------
r24567 | tlyu | 2010-12-14 12:34:48 -0500 (Tue, 14 Dec 2010) | 7 lines
ticket: 6841
subject: memory leak in changepw.c
tags: pullup
target_version: 1.9
Apply patch from Marcus Watts to avoid a memory leak in changepw.c.
ticket: 6841
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24572 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Dec 2010 23:10:45 +0000 (23:10 +0000)]
pull up r24565 from trunk
------------------------------------------------------------------------
r24565 | tlyu | 2010-12-14 12:24:21 -0500 (Tue, 14 Dec 2010) | 7 lines
ticket: 6840
subject: typo in plugin-related error message
tags: pullup
target_version: 1.9
Apply patch from Marcus Watts to fix error message typo.
ticket: 6840
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24571 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Dec 2010 23:10:42 +0000 (23:10 +0000)]
pull up r24566 from trunk
------------------------------------------------------------------------
r24566 | ghudson | 2010-12-14 12:28:38 -0500 (Tue, 14 Dec 2010) | 9 lines
ticket: 6838
tags: pullups
target_version: 1.9
Fix a regression in the client-side ticket renewal code where KDC
options were not folded into the renewal request (most notably, the
KDC_OPT_RENEWABLE flag), so we didn't request renewable renewed
tickets. Add a simple test case for ticket renewal.
ticket: 6838
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24570 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 14 Dec 2010 23:10:36 +0000 (23:10 +0000)]
pull up r24564 from trunk
------------------------------------------------------------------------
r24564 | tlyu | 2010-12-09 20:06:26 -0500 (Thu, 09 Dec 2010) | 18 lines
ticket: 6839
subject: handle MS PACs that lack server checksum
target_version 1.9
tags: pullup
Apple Mac OS X Server's Open Directory KDC issues MS PAC like
authorization data that lacks a server checksum. If this checksum is
missing, mark the PAC as unverified, but allow
krb5int_authdata_verify() to succeed. Filter out the unverified PAC
in subsequent calls to krb5_authdata_get_attribute(). Add trace
points to indicate where this behavior occurs.
Thanks to Helmut Grohne for help with analysis. This bug is also
Debian Bug #604925:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604925
This change should also get backported to krb5-1.8.x.
ticket: 6839
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24569 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Fri, 3 Dec 2010 20:38:02 +0000 (20:38 +0000)]
krb5-1.9-beta2-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24559 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Fri, 3 Dec 2010 20:35:42 +0000 (20:35 +0000)]
README and patchlevel.h for krb5-1.9-beta2
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24557 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Fri, 3 Dec 2010 18:47:59 +0000 (18:47 +0000)]
pull up r24555 from trunk
------------------------------------------------------------------------
r24555 | tlyu | 2010-12-03 07:34:53 -0500 (Fri, 03 Dec 2010) | 6 lines
ticket: 1219
target_version: 1.9
tags: pullup
Test for key rollover for TGT, including purging old keys.
ticket: 1219
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24556 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Fri, 3 Dec 2010 00:24:15 +0000 (00:24 +0000)]
Fix svn:eol-style properties
ticket: 6826
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24554 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Fri, 3 Dec 2010 00:05:44 +0000 (00:05 +0000)]
pull up r24469, r24530, r24533, r24534, r24535, r24537 from trunk
------------------------------------------------------------------------
r24537 | ghudson | 2010-11-30 12:46:10 -0500 (Tue, 30 Nov 2010) | 5 lines
ticket: 6826
Install gssapi_ext.h on Windows. Include gssapi_ext.h in the header
files considered by def-check.pl in verify-calling-conventions-gssapi.
------------------------------------------------------------------------
r24535 | ghudson | 2010-11-26 11:37:14 -0500 (Fri, 26 Nov 2010) | 5 lines
ticket: 6826
Supply static ordinals for new symbols in gssapi32.def and krb5_32.def,
for consistency with KFW 3.x.
------------------------------------------------------------------------
r24534 | ghudson | 2010-11-25 15:34:06 -0500 (Thu, 25 Nov 2010) | 5 lines
ticket: 6826
Fix how gssapi.h is rebuilt on Windows; accidentally omitted from
r24533.
------------------------------------------------------------------------
r24533 | ghudson | 2010-11-25 15:28:30 -0500 (Thu, 25 Nov 2010) | 29 lines
ticket: 6826
subject: Fix Windows build
target_version: 1.9
tags: pullup
Repair the Windows build. Tested with the prepare-on-Unix method.
Some specific changes include:
* Removed the IPC finalizer (no longer used after r20787) from
ccapi/lib/ccapi_ipc.c, as it was creating a difficult dependency
chain for the pingtest build in ccapi/test. Also updated pingtest
to use the k5_ipc_stream interfaces since cci_stream is gone.
* Reverted the apparently non-functional r20277.
* klist -V prints just "Kerberos for Windows", since it has no access
to PACKAGE_NAME and PACKAGE_VERSION from autoconf. This should be
addressed correctly.
* krb5, telnet, gssftp, and NIM are removed from the build.
* Some files had CRLFs; these were replaced with LFs and the
svn:eol-style property set on the files. Otherwise the CRLFs became
CRCRLFs after the zip transfer.
* Windows does not have opendir/readdir, so added Windows code to
prof_parse.c for includedir. Probable fodder for a libkrb5support
portability shim.
------------------------------------------------------------------------
r24530 | ghudson | 2010-11-23 13:50:12 -0500 (Tue, 23 Nov 2010) | 3 lines
Set svn:eol-style on some Windows files and remove the CRs from their
repository representations.
------------------------------------------------------------------------
r24469 | ghudson | 2010-10-21 20:01:56 -0400 (Thu, 21 Oct 2010) | 3 lines
Make it possible to override CRYPTO_IMPL_CFLAGS and CRYPTO_IMPL_LIBS at
make time.
ticket: 6826
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24553 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 1 Dec 2010 23:11:50 +0000 (23:11 +0000)]
pull up r24550 from trunk
------------------------------------------------------------------------
r24550 | ghudson | 2010-12-01 17:36:38 -0500 (Wed, 01 Dec 2010) | 4 lines
ticket: 6829
Correct typo in admin documentation for restrict_anonymous_to_tgt.
ticket: 6829
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24552 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 1 Dec 2010 23:11:46 +0000 (23:11 +0000)]
pull up r24539 from trunk
------------------------------------------------------------------------
r24539 | hartmans | 2010-11-30 17:46:54 -0500 (Tue, 30 Nov 2010) | 7 lines
ticket: 6828
Subject: Install kadm5_hook_plugin.h
target_version: 1.9
tags: pullup
Install the kadm5 hook plugin header
ticket: 6828
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24551 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 1 Dec 2010 21:37:25 +0000 (21:37 +0000)]
pull up r24547 from trunk
------------------------------------------------------------------------
r24547 | ghudson | 2010-12-01 15:01:46 -0500 (Wed, 01 Dec 2010) | 10 lines
ticket: 6829
subject: Implement restrict_anonymous_to_tgt realm flag
target_version: 1.9
tags: pullup
Implement a new realm flag to reject ticket requests from anonymous
principals to any principal other than the local TGT. Allows FAST to
be deployed using anonymous tickets as armor in realms where the set
of authenticatable users must be constrained.
ticket: 6829
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24549 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 1 Dec 2010 20:49:06 +0000 (20:49 +0000)]
Apply ported patch
If kdb5_util load (without -update) fails--say, due to an invalid dump
file--it calls krb5_db_destroy to destroy the temporary DB.
Unfortunately, this results in the destruction of the real DB instead.
Luckily, this bug only applies to krb5 1.9, which hasn't been released
yet. In krb5 1.8 the destroy operation fails before it does any damage.
ticket: 6815
version_fixed: 1.9
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24548 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 1 Dec 2010 02:16:37 +0000 (02:16 +0000)]
pull up r24529, r24532 from trunk
------------------------------------------------------------------------
r24532 | tlyu | 2010-11-23 18:51:50 -0500 (Tue, 23 Nov 2010) | 6 lines
ticket: 6825
Update krb5_gic_opt_private and related code to reflect the change of
krb5_expire_callback_func from a function typedef to a function
pointer typedef. This was causing segfaults.
------------------------------------------------------------------------
r24529 | ghudson | 2010-11-22 23:50:40 -0500 (Mon, 22 Nov 2010) | 9 lines
ticket: 6825
subject: Add missing KRB5_CALLCONV in callback declaration
target_version: 1.9
tags: pullup
krb5_get_init_creds_opt_set_expire_callback was correctly tagged with
KRB5_CALLCONV but the corresponding callback type was not. Add that
in.
ticket: 6825
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24546 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 1 Dec 2010 02:16:31 +0000 (02:16 +0000)]
pull up r24528 from trunk
------------------------------------------------------------------------
r24528 | ghudson | 2010-11-22 23:41:08 -0500 (Mon, 22 Nov 2010) | 7 lines
ticket: 6824
subject: Export krb5_tkt_creds_get
target_version: 1.9
tags: pullup
krb5_tkt_creds_get was overlooked in the export list; add it.
ticket: 6824
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24545 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 1 Dec 2010 02:16:25 +0000 (02:16 +0000)]
pull up r24526, r24527 from trunk
------------------------------------------------------------------------
r24527 | ghudson | 2010-11-21 22:58:15 -0500 (Sun, 21 Nov 2010) | 4 lines
ticket: 6823
Correct typo in r24526.
------------------------------------------------------------------------
r24526 | hartmans | 2010-11-21 22:33:22 -0500 (Sun, 21 Nov 2010) | 9 lines
ticket: 6823
subject: getdate.y: declare yyparse
target_version: 1.9
tags: pullup
At least on lucid, byacc doesn't declare yyparse, which creates
problems because lucid treats calls to unprototyped functions as
errors.
ticket: 6823
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24544 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 1 Dec 2010 02:16:14 +0000 (02:16 +0000)]
pull up r24524 from trunk
------------------------------------------------------------------------
r24524 | ghudson | 2010-11-19 19:31:46 -0500 (Fri, 19 Nov 2010) | 8 lines
ticket: 6822
subject: Implement Camellia-CTS-CMAC instead of Camellia-CCM
target_verion: 1.9
tags: pullup
Replace the Camellia-CCM enctypes with Camellia-CTS-CMAC. Still not
compiled in by default since we don't have enctype assignments yet.
ticket: 6822
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24543 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 1 Dec 2010 02:16:04 +0000 (02:16 +0000)]
pull up r24519 from trunk
------------------------------------------------------------------------
r24519 | ghudson | 2010-11-15 21:54:26 -0500 (Mon, 15 Nov 2010) | 8 lines
ticket: 6820
subject: Read KDC profile settings in kpropd
target_version: 1.9
tags: pullup
kpropd can modify the KDB with ulog_replay(), so it should read the
KDC profile settings in case the KDB configuration is in there.
ticket: 6820
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24542 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 1 Dec 2010 02:15:55 +0000 (02:15 +0000)]
pull up r24518 from trunk
------------------------------------------------------------------------
r24518 | ghudson | 2010-11-15 21:30:16 -0500 (Mon, 15 Nov 2010) | 12 lines
ticket: 6819
subject: Handle referral realm in kprop client principal
target_version: 1.9
tags: pullup
kprop uses krb5_sname_to_principal() to determine its client
principal. If the local hostname cannot be mapped to a realm based on
the profile's domain_realm section, krb5_sname_to_principal() will (as
of 1.6) return a principal with the referral realm (""), which does
not work in a client principal. Handle this by substituting the
default realm.
ticket: 6819
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24541 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 1 Dec 2010 02:15:45 +0000 (02:15 +0000)]
pull up r24538 from trunk
------------------------------------------------------------------------
r24538 | ghudson | 2010-11-30 16:20:49 -0500 (Tue, 30 Nov 2010) | 27 lines
ticket: 6827
subject: SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
Fix multiple checksum handling bugs, as described in:
CVE-2010-1324
CVE-2010-1323
CVE-2010-4020
CVE-2010-4021
* Return the correct (keyed) checksums as the mandatory checksum type
for DES enctypes.
* Restrict simplified-profile checksums to their corresponding etypes.
* Add internal checks to reduce the risk of stream ciphers being used
with simplified-profile key derivation or other algorithms relying
on the block encryption primitive.
* Use the mandatory checksum type for the PKINIT KDC signature,
instead of the first-listed keyed checksum.
* Use the mandatory checksum type when sending KRB-SAFE messages by
default, instead of the first-listed keyed checksum.
* Use the mandatory checksum type for the t_kperf test program.
* Use the mandatory checksum type (without additional logic) for the
FAST request checksum.
* Preserve the existing checksum choices (unkeyed checksums for DES
enctypes) for the authenticator checksum, using explicit logic.
* Ensure that SAM checksums received from the KDC are keyed.
* Ensure that PAC checksums are keyed.
ticket: 6827
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24540 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 2 Nov 2010 02:07:42 +0000 (02:07 +0000)]
krb5-1.9-beta1-postrelease
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24504 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 2 Nov 2010 02:06:23 +0000 (02:06 +0000)]
README and patchlevel.h for krb5-1.9-beta1
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24502 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 1 Nov 2010 20:36:48 +0000 (20:36 +0000)]
pull up r24488 from trunk
------------------------------------------------------------------------
r24488 | ghudson | 2010-10-27 13:05:05 -0400 (Wed, 27 Oct 2010) | 5 lines
ticket: 6812
Don't fail out from krb5_get_credentials() if we can't store a ticket
into the ccache.
ticket: 6812
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24501 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 1 Nov 2010 20:36:43 +0000 (20:36 +0000)]
pull up r24486 from trunk
------------------------------------------------------------------------
r24486 | ghudson | 2010-10-26 13:34:41 -0400 (Tue, 26 Oct 2010) | 8 lines
ticket: 6811
subject: Mark Camellia-CCM code as experimental
target_version: 1.9
tags: pullup
Add a comment noting that the Camellia-CCM code in 1.9 is
experimental.
ticket: 6811
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24500 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 1 Nov 2010 20:36:37 +0000 (20:36 +0000)]
pull up r24481 from trunk
------------------------------------------------------------------------
r24481 | ghudson | 2010-10-25 16:17:54 -0400 (Mon, 25 Oct 2010) | 7 lines
ticket: 6796
target_version: 1.9
tags: pullup
Use safer output parameter handling in
krb5_gss_acquire_cred_impersonate_name and its subsidiary helpers.
ticket: 6796
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24499 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 1 Nov 2010 20:36:33 +0000 (20:36 +0000)]
pull up r24483 from trunk
------------------------------------------------------------------------
r24483 | ghudson | 2010-10-26 10:17:38 -0400 (Tue, 26 Oct 2010) | 8 lines
ticket: 6809
target_version: 1.9
tags: pullup
Set *conf_state on successful return from
gss_krb5int_make_seal_token_v3_iov, fixing a case where it wasn't
always set by gss_wrap_iov. Patch from aberry@likewise.com.
ticket: 6809
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24498 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 1 Nov 2010 20:36:28 +0000 (20:36 +0000)]
pull up r24482 from trunk
------------------------------------------------------------------------
r24482 | ghudson | 2010-10-25 17:55:54 -0400 (Mon, 25 Oct 2010) | 8 lines
ticket: 6787
target_version: 1.9
tags: pullup
When we create a temporary memory ccache for use within a
krb5_gss_cred_id_rec, set a flag to indicate that the ccache should be
destroyed rather than closed. Patch from aberry@likewise.com.
ticket: 6787
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24497 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 1 Nov 2010 20:36:22 +0000 (20:36 +0000)]
pull up r24480 from trunk
------------------------------------------------------------------------
r24480 | ghudson | 2010-10-25 15:37:03 -0400 (Mon, 25 Oct 2010) | 8 lines
ticket: 6793
target_version: 1.9
tags: pullup
In acquire_init_cred in the GSS krb5 mech, don't intern cred->name,
since it's not used as an output parameter. Fixes a memory leak.
Reported by aberry@likewise.com.
ticket: 6793
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24496 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 1 Nov 2010 20:36:17 +0000 (20:36 +0000)]
pull up r24470 from trunk
------------------------------------------------------------------------
r24470 | ghudson | 2010-10-22 20:38:17 -0400 (Fri, 22 Oct 2010) | 10 lines
ticket: 6810
subject: Better libk5crypto NSS fork safety
target_version: 1.9
tags: pullup
Use SECMOD_RestartModules() from the forthcoming NSS 3.12.9 release to
make the libk5crypto back end work after a fork. Add a test program
to exercise fork detection in the NSS back end. Add a configure-time
version check to ensure that we're using NSS 3.12.9 or later.
ticket: 6810
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24495 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 1 Nov 2010 19:49:44 +0000 (19:49 +0000)]
pull up r24467 from trunk
------------------------------------------------------------------------
r24467 | hartmans | 2010-10-19 15:50:48 -0400 (Tue, 19 Oct 2010) | 8 lines
ticket: 6807
subject: SecurID build support
target_version: 1.9
tags: pullup
Integrate SecurID into the build if libaceclnt is found.
Add a README file with an example of how to build it.
ticket: 6807
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24494 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 1 Nov 2010 19:49:40 +0000 (19:49 +0000)]
pull up r24466 from trunk
------------------------------------------------------------------------
r24466 | hartmans | 2010-10-19 15:50:42 -0400 (Tue, 19 Oct 2010) | 8 lines
ticket: 6806
subject: securID error handling fix
target_version: 1.9
tags: pullup
In porting forward, I incorrectly used krb5_set_error_message instead of com_err.
This commit reverts that change.
ticket: 6806
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24493 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 1 Nov 2010 19:49:36 +0000 (19:49 +0000)]
pull up r24465 from trunk
------------------------------------------------------------------------
r24465 | hartmans | 2010-10-19 15:50:37 -0400 (Tue, 19 Oct 2010) | 19 lines
ticket: 6805
subject: securID code fixes
target_version: 1.9
tags: pullup
Fixes to get securID preauth plugin working. A separate patch will
address error handling and build issues.
* Permit a preauth plugin to return KRB5KDC_ERR_PREAUTH_REQUIRED from
the verify entry point.
* If verify_securid2 fails, save the return value and return that
rather than success after dealing with encoding the out_edata
* Use the client key not the securid principal key for the sam
checksum
* indicate that securID is hardware authentication
ticket: 6805
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24492 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 1 Nov 2010 19:49:29 +0000 (19:49 +0000)]
pull up r24464 from trunk
------------------------------------------------------------------------
r24464 | ghudson | 2010-10-19 15:08:38 -0400 (Tue, 19 Oct 2010) | 9 lines
ticket: 6804
subject: Remove KDC replay cache
target_version: 1.9
tags: pullup
Now that SAM1 support has been removed, the KDC does not need a replay
cache. Remove all code within USE_RCACHE and associated support.
Rename --disable-kdc-replay-cache to --disable-kdc-lookaside-cache.
ticket: 6804
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24491 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 1 Nov 2010 19:21:45 +0000 (19:21 +0000)]
Update README and patchlevel.h
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24490 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 18 Oct 2010 23:28:46 +0000 (23:28 +0000)]
pull up r24462 from trunk
------------------------------------------------------------------------
r24462 | tlyu | 2010-10-18 18:52:28 -0400 (Mon, 18 Oct 2010) | 5 lines
ticket: 6802
Adjust copyright.texinfo to fix some TeX output issues. Also do minor
cleanup.
ticket: 6802
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24463 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Fri, 15 Oct 2010 20:42:30 +0000 (20:42 +0000)]
pull up r24455 from trunk
------------------------------------------------------------------------
r24455 | tlyu | 2010-10-14 18:49:11 -0400 (Thu, 14 Oct 2010) | 9 lines
ticket: 6802
tags: pullup
subject: copyright notice updates
target_version: 1.9
Update copyright.texinfo. Move full copyright notices to appendices
of documentation. New rules to generate top-level NOTICE file from
copyright.texinfo. Regenerate NOTICE file.
ticket: 6802
version_fixed: 1.9
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24457 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Fri, 15 Oct 2010 20:42:23 +0000 (20:42 +0000)]
pull up r24452, r24453, r24454 from trunk
------------------------------------------------------------------------
r24454 | ghudson | 2010-10-13 13:20:36 -0400 (Wed, 13 Oct 2010) | 2 lines
Whitespace.
------------------------------------------------------------------------
r24453 | hartmans | 2010-10-12 21:19:20 -0400 (Tue, 12 Oct 2010) | 2 lines
Adjust valgrind support to assume a modern valgrind that requires %p in log files.
------------------------------------------------------------------------
r24452 | hartmans | 2010-10-12 21:19:14 -0400 (Tue, 12 Oct 2010) | 14 lines
ticket: 6801
target_version: 1.9
Subject: Fix leaks in get_init_creds interface
In Debian Bug 598032, Bastian Blank points out that there are two
leaks in the get_init_creds interface:
* Free ctx->request->padata after sending the KDC request so it is not
overwritten the next time around the loop.
* If options is NULL passed into krb5_get_init_creds_init, then set up
a non-extended options structure so that krb5_get_init_creds_free will
free the options.
ticket: 6801
version_fixed: 1.9
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24456 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 Oct 2010 21:38:39 +0000 (21:38 +0000)]
branch krb5-1-9
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24450 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Mon, 11 Oct 2010 21:37:16 +0000 (21:37 +0000)]
Interim update of README and NOTICE
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24449 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 11 Oct 2010 16:43:42 +0000 (16:43 +0000)]
When returning KRB5_KT_NOTFOUND from krb5_ktfile_get_entry, set an
extended error message indicating which principal was not found.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24448 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 9 Oct 2010 11:46:53 +0000 (11:46 +0000)]
Plug a memory leak in gss_indicate_mechs
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24447 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Fri, 8 Oct 2010 18:40:13 +0000 (18:40 +0000)]
Encoding cleanup: curly quotes to ASCII quotes, and some ISO-8859-1
files to UTF-8.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24446 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 8 Oct 2010 15:25:13 +0000 (15:25 +0000)]
In gss_indicate_mechs, avoid setting the output pointer until success
is guaranteed.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24445 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 8 Oct 2010 14:57:58 +0000 (14:57 +0000)]
In gss_inquire_attrs_for_mech, remove the assumption that mech_attrs
!= NULL in a particular error case.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24444 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 8 Oct 2010 14:55:06 +0000 (14:55 +0000)]
Remove duplicate code block in spnego_gss_set_cred_option()
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24443 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Fri, 8 Oct 2010 03:57:28 +0000 (03:57 +0000)]
Add a kadm5 RPC for purging old keys from the KDB (e.g., from
change_password -keepold), and add a kadmin CLI command for it.
Keeping ticket open because an automated test needs to be added.
Long-term future work includes start/expire dates on keys, or
not-yet-valid flags.
ticket: 1219
status: open
target_version: 1.9
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24442 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 7 Oct 2010 17:50:06 +0000 (17:50 +0000)]
Fix a typo in kerberos.ldif. Reported by nalin@redhat.com
ticket: 6701
target_version: 1.8.4
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24441 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 7 Oct 2010 17:49:44 +0000 (17:49 +0000)]
Performance issue in LDAP policy fetch
Instead of performing a tree search to fill in the refcnt field of a
policy object whenever a policy is fetched, set the refcnt to 0 and
perform a check when policies are deleted.
ticket: 6799
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24440 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Wed, 6 Oct 2010 23:57:37 +0000 (23:57 +0000)]
set NT-SRV-INST on TGS principal names
Set NT-SRV-INST on TGS principal names in
get_in_tkt.c:build_in_tkt_name because Windows Server 2008 R2 RODC
insists on it.
Thanks to Bill Fellows for reporting this problem.
ticket: 6798
tags: pullup
target_version: 1.8.4
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24438 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 6 Oct 2010 22:20:34 +0000 (22:20 +0000)]
Correct a miscarriage of justice committed by the style police
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24437 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 6 Oct 2010 18:25:04 +0000 (18:25 +0000)]
Merge users/lhoward/sasl-gs2 to trunk
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24436 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Wed, 6 Oct 2010 03:00:03 +0000 (03:00 +0000)]
Minor comment-related changes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24433 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Wed, 6 Oct 2010 01:37:24 +0000 (01:37 +0000)]
Adjust prototype files for easier extraction of copyright/license
statements, per mailing list discussion.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24432 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 5 Oct 2010 21:44:14 +0000 (21:44 +0000)]
Document that krb5_get_error_message() never returns NULL
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24430 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Tue, 5 Oct 2010 21:05:19 +0000 (21:05 +0000)]
CVE-2010-1322 KDC uninitialized pointer crash in authorization data handling (MITKRB5-SA-2010-006)
When the KDC receives certain TGS-REQ messages, it may dereference an
uninitialized pointer while processing authorization data, causing a
crash, or in rare cases, unauthorized information disclosure, ticket
modification, or execution of arbitrary code. The crash may be
triggered by legitimate requests.
Correctly implement the filtering of authorization data items to avoid
leaving uninitialized pointers when omitting items.
ticket: 6797
tags: pullup
target_version: 1.8.4
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24429 dc483132-0cff-0310-8789-dd5450dbe970
Ezra Peisach [Tue, 5 Oct 2010 19:59:49 +0000 (19:59 +0000)]
Add RUN_SETUP so make check works by setting the proper LD_LIBRARY_PATH
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24428 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 5 Oct 2010 19:44:26 +0000 (19:44 +0000)]
Fix the NSS PRNG build. Fix the build for non-gmake make. Revert a
no longer necessary change to lib/crypto/krb/Makefile.in.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24427 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 5 Oct 2010 16:39:59 +0000 (16:39 +0000)]
Constify the name field of a kadm5_hook vtable, since it holds a
string literal.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24426 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 5 Oct 2010 16:00:23 +0000 (16:00 +0000)]
Add a name field to the pwqual plugin vtable and log pwqual module
rejections.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24425 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 5 Oct 2010 14:53:09 +0000 (14:53 +0000)]
Propagate modprinc -unlock from master to slave KDCs
Create a new tl-data type to hold the time of the last administrative
unlock, and factor it into decisions about account lockout. Since
tl-data values are propagated from master to slave, this will cause
modprinc -unlock operations to reach slave KDCs on the next
propagation.
ticket: 6795
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24424 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Tue, 5 Oct 2010 13:57:27 +0000 (13:57 +0000)]
Add additional NRL copyright
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24423 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Tue, 5 Oct 2010 13:57:23 +0000 (13:57 +0000)]
Document kadm5_hook interface
* krb5.conf
* admin.texinfo
* kadm5_hook_plugin.h: document initvt requirement
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24422 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Tue, 5 Oct 2010 03:29:35 +0000 (03:29 +0000)]
Some missed files needed for rev #24420
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24421 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Tue, 5 Oct 2010 03:18:22 +0000 (03:18 +0000)]
Improves prng code modularity. Introduces fortuna-like prng that can be used in lieu of yarrow.
Yarrow stays the default prng while fortuna may be engaged during configuration by using "--with-prng-alg=fortuna" flag.
Also, nss crypto backend continues to use its own prng.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24420 dc483132-0cff-0310-8789-dd5450dbe970
Zhanna Tsitkov [Tue, 5 Oct 2010 03:01:01 +0000 (03:01 +0000)]
Add mit_afs_string_to_key declaration
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24419 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Tue, 5 Oct 2010 00:16:10 +0000 (00:16 +0000)]
Add a missing prototype which was breaking the crypto build with the
NSS back end after r24409.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24418 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Mon, 4 Oct 2010 18:23:00 +0000 (18:23 +0000)]
Protoize old-style function definitions in kdb5.c and normalize
formatting of definition headers. No functional changes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24417 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 2 Oct 2010 17:21:54 +0000 (17:21 +0000)]
Merge branches/nss to trunk
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24416 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 2 Oct 2010 17:17:35 +0000 (17:17 +0000)]
Copyright statements, whitespace, and other code formatting
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24415 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 2 Oct 2010 11:48:06 +0000 (11:48 +0000)]
In the krb5_kuserok implementation, fix an unintentional type change
to "gobble" (was an int, was accidentally changed to a char) which
could result in an infinite loop.
ticket: 6792
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24413 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 2 Oct 2010 11:34:27 +0000 (11:34 +0000)]
Fix type errors in t_gssexts
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24412 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Sat, 2 Oct 2010 11:30:50 +0000 (11:30 +0000)]
Eliminate K&R-style function definition headers in t_gssexts.c, and
reformat other definitions according to coding practices.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24411 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Sat, 2 Oct 2010 03:29:37 +0000 (03:29 +0000)]
Use gss_set_cred_option instead of (undeclared) gssspi_set_cred_option
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24410 dc483132-0cff-0310-8789-dd5450dbe970
Ken Raeburn [Sat, 2 Oct 2010 03:29:34 +0000 (03:29 +0000)]
Try to require function declarations for GCC, as we already do for the
Sun compiler.
Change the cache variable name construction to distinguish "=" from
"-" in option names. Prefer -Werror-implicit-function-declaration
over -Werror=implicit-function-declaration since in some versions of
GCC only the former works properly.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24409 dc483132-0cff-0310-8789-dd5450dbe970
Tom Yu [Fri, 1 Oct 2010 20:15:00 +0000 (20:15 +0000)]
Add empty src/plugins/preauth/securid_sam2/deps to allow build to work again
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24407 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Fri, 1 Oct 2010 17:12:41 +0000 (17:12 +0000)]
Add an error to be returned by a preauth mechanism indicating that the KDC should not respond to a packet
* Do not generate an error response in this case
* Drop a TCP connection if we are not going to respond to it.
kdc: add KRB5KDC_ERR_DISCARD
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24406 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Fri, 1 Oct 2010 17:12:37 +0000 (17:12 +0000)]
Initial securid2 support.
builds but untested
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24405 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Fri, 1 Oct 2010 17:12:30 +0000 (17:12 +0000)]
Enable sam_challenge_2 encoders
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24404 dc483132-0cff-0310-8789-dd5450dbe970
Sam Hartman [Fri, 1 Oct 2010 17:12:26 +0000 (17:12 +0000)]
Remove support for the old pa-sam-challenge and pa-sam-response
preauth type per discussion on krbdev. The pa-sam-challenge-2 code
remains in the client.
preauth: remove pa-sam-challenge
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24403 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 1 Oct 2010 15:56:30 +0000 (15:56 +0000)]
Implement k5login_directory and k5login_authoritative options
Add and document two new options for controlling k5login behavior.
ticket: 6792
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24402 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 1 Oct 2010 13:44:12 +0000 (13:44 +0000)]
Add a simple test harness for kuserok. Build it during make check but
don't run any automated tests for the moment.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24401 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 1 Oct 2010 03:47:38 +0000 (03:47 +0000)]
A cleaner implementation of r24399 which adds two new auth context APIs
(and is therefore less suitable for backporting to 1.8) but doesn't
reach inside the auth context structure in the krb5 mechanism code.
ticket: 6768
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24400 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Fri, 1 Oct 2010 03:45:43 +0000 (03:45 +0000)]
GSSAPI forwarded credentials must be encrypted in session key
When IAKERB support was added, the krb5_mk_req checksum function
gained access to the send subkey. This caused GSSAPI forwarded
credentials to be encrypted in the subkey, which violates RFC 4121
section 4.1.1 and is not accepted by Microsoft's implementation.
Temporarily null out the send subkey in the auth context so that
krb5_mk_ncred uses the session key instead.
ticket: 6768
target_version: 1.8.4
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24399 dc483132-0cff-0310-8789-dd5450dbe970
Greg Hudson [Thu, 30 Sep 2010 17:16:46 +0000 (17:16 +0000)]
Whitespace
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24393 dc483132-0cff-0310-8789-dd5450dbe970