krb5.git
Greg Hudson [Wed, 2 Mar 2011 01:48:10 +0000 (01:48 +0000)]
Remove some declarations from kdc_preauth.c which are no longer needed
after r24403.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24676 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 2 Mar 2011 00:08:14 +0000 (00:08 +0000)]
In export-check.pl, display a better error if there are duplicate
symbols in the export list.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24675 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 28 Feb 2011 23:57:56 +0000 (23:57 +0000)]
Simplify lib/crypto/krb/arcfour in the wake of r23444.  Move the
contents of arcfour_aead.c into arcfour.c, turn the key derivation
helper functions into static functions, and eliminate arcfour-int.h.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24673 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 28 Feb 2011 20:56:02 +0000 (20:56 +0000)]
Use the hash provider interface in krb5int_arcfour_string_to_key so
that we don't need a direct interface to MD4 in the crypto modules.
Also clean up the code a bit.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24672 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sun, 27 Feb 2011 19:08:14 +0000 (19:08 +0000)]
Reference random-to-key handlers through the enctype instead of the
enc_provider, for consistency with string-to-key and the place of
implementation (other enc_provider functions are implemented in the
back end, but random-to-key handlers are in krb).  Use a single
handler for non-DES/DES3 enctypes since it's always just directly
copying the bits.  Collapse the three implementations (des, des3, and
direct) into random_to_key.c, as they're very short, and eliminate the
lib/crypto/krb/rand2key directory.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24669 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sun, 27 Feb 2011 18:57:14 +0000 (18:57 +0000)]
Remove nonexistent aes_ctr from object and source file lists in
lib/crypto/openssl/enc_provider/Makefile.in.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24668 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sun, 27 Feb 2011 02:35:04 +0000 (02:35 +0000)]
Make sure ulog_map() is invoked whenever we open the database in
kdb5_util.  Fixes all of the master key rollover commands in the
presence of iprop.  Reported by kacarstensen@csupomona.edu.

ticket: 6875
tags: pullup
target_version: 1.9.1

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24667 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 25 Feb 2011 19:53:04 +0000 (19:53 +0000)]
Namespace-protect SHA-256 symbols.  Build SHA-256 code independently of
whether Fortuna was selected.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24666 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 25 Feb 2011 19:51:44 +0000 (19:51 +0000)]
Add Fortuna test program to file list for dependency generation

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24665 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 25 Feb 2011 19:29:23 +0000 (19:29 +0000)]
Add a non-default PRNG module which just retrieves entropy from
/dev/urandom without any cryptographic post-processing.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24664 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 25 Feb 2011 19:28:13 +0000 (19:28 +0000)]
Remove some unnecessary includes from prng_fortuna.c

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24663 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 25 Feb 2011 17:30:37 +0000 (17:30 +0000)]
Make depend

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24662 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 25 Feb 2011 17:23:54 +0000 (17:23 +0000)]
Now that all PRNG modules fit nicely into a single source file,
simplify the PRNG abstraction, flattening the implementations into
crypto/krb and removing the indirection through function pointers.
Move the guts of the NSS PRNG implementation into the nss subdir so
that crypto/krb doesn't need to be built with CRYPTO_IMPL_CFLAGS.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24661 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 25 Feb 2011 15:05:38 +0000 (15:05 +0000)]
Remove Yarrow PRNG implementation

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24660 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 25 Feb 2011 15:04:49 +0000 (15:04 +0000)]
A couple more Windows build system adjustments for Fortuna as default
PRNG.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24659 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 25 Feb 2011 14:28:20 +0000 (14:28 +0000)]
Add a stubs file missing from r24656

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24658 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 25 Feb 2011 14:27:06 +0000 (14:27 +0000)]
Make Fortuna the default PRNG for the Windows build

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24657 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 24 Feb 2011 18:18:11 +0000 (18:18 +0000)]
Unbreak the OpenSSL and NSS crypto builds in the wake of r24652
(Fortuna as default PRNG), and remove some unnecessary related files.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24656 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 24 Feb 2011 16:13:58 +0000 (16:13 +0000)]
Fix dangling Makefile reference after r24652

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24655 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 24 Feb 2011 10:00:12 +0000 (10:00 +0000)]
Make depend

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24654 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 24 Feb 2011 09:59:22 +0000 (09:59 +0000)]
Make Fortuna the default PRNG algorithm

ticket: 6874

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24653 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 24 Feb 2011 09:58:45 +0000 (09:58 +0000)]
Fortuna as default PRNG

Rewrite prng_fortuna.c to much more closely match the description of
Fortuna in chapter 9 of Cryptography Engineering.  Add a facility to
get OS entropy and implement it for Unix and Windows (not yet tested
on Windows) to replace prng/fortuna/entropy.c.  Rewrite the test
harness to always ensure stable output and perform a statistical test
on the predictable internal state resulting from the stable-output
tests.

ticket: 6874

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24652 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 23 Feb 2011 18:14:11 +0000 (18:14 +0000)]
Remember to free the result of getaddrinfo() in the new sendto_kdc
code.

ticket: 6868

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24651 dc483132-0cff-0310-8789-dd5450dbe970

Ezra Peisach [Wed, 23 Feb 2011 11:38:33 +0000 (11:38 +0000)]
Fix memory leak in t_expire_warn

Free context.  Allows one to look for new leaks introduced in other
pathways.

ticket: 6872

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24650 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 22 Feb 2011 21:06:23 +0000 (21:06 +0000)]
Fix a memory leak introduced in r23926 where k_cred was not freed on
successful return from kg_new_connection().  Reported by Julien
Chaffraix.

ticket: 6800
target_version: 1.9.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24646 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 22 Feb 2011 20:30:24 +0000 (20:30 +0000)]
Don't leak the mechanism internal context when we get an error in the
mechglue's gss_accept_sec_context.

From aberry@likewise.com.

ticket: 6813

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24645 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Tue, 22 Feb 2011 17:08:54 +0000 (17:08 +0000)]
Delete kinit_kdb.o in make clean

ticket: 6871
tags: pullup
target_version: 1.9.1

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24644 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 18 Feb 2011 15:06:57 +0000 (15:06 +0000)]
Fix a conceptual bug in r24639: the intermediate key container length
should be the hash's output size, not its block size.  (The bug did
not show up in testing because it is harmless in practice; MD5 has a
larger block size than output size.)

ticket: 6869

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24641 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 16 Feb 2011 23:34:37 +0000 (23:34 +0000)]
Don't reject AP-REQs based on PACs

Experience has shown that it was a mistake to fail AP-REQ verification
based on failure to verify the signature of PAC authdata contained in
the ticket.  We've had two rounds of interoperability issues with the
hmac-md5 checksum code, an interoperability issue with OSX generating
unsigned PACs, and another problem where PACs are copied by older KDCs
from a cross-realm TGT into the service ticket.  If a PAC signature
cannot be verified, just don't mark it as verified and continue on
with the AP exchange.

ticket: 6870
target_version: 1.9.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24640 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 16 Feb 2011 22:52:41 +0000 (22:52 +0000)]
hmac-md5 checksum doesn't work with DES keys

krb5int_hmacmd5_checksum calculates an intermediate key using an HMAC.
The container for this key should be allocated using the HMAC output
size (which is the hash blocksize), not the original key size.  This
bug was causing the function to fail with DES keys, which can be used
with hmac-md5 in PAC signatures.

ticket: 6869
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24639 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 14 Feb 2011 00:13:17 +0000 (00:13 +0000)]
In kg_acceptor_princ, make Coverity happy by using a different test to
determine if we should set (*princ_out)->type.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24638 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sun, 13 Feb 2011 22:36:13 +0000 (22:36 +0000)]
In kadm5_rename_principal, fix an oversight which would cause errors
from krb5_principal2salt_norealm to be ignored.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24637 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sun, 13 Feb 2011 21:14:43 +0000 (21:14 +0000)]
Untabify trace.c (tabs crept in when the file was created)

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24636 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sun, 13 Feb 2011 21:14:00 +0000 (21:14 +0000)]
Defer hostname lookups in krb5_sendto_kdc

Restructure the locate_kdc and sendto_kdc code to defer getaddrinfo
calls until we need the answer.  This requires many changes:

* struct addrlist is now called struct serverlist, and is declared in
  os-proto.h instead of k5-int.h.  It contains an array of struct
  server_entry structures which can hold either a name or an address.
  (Address entries are used for locate_kdc module results.)

* The connection state list is now a linked list, and holds address
  information directly instead of using a struct addrinfo (this
  simplifies memory management).  Each connection entry contains a
  callback buffer (previously stored in a separate array) and an index
  into the server list.

* The {addrstate} trace formatting primitive is no longer needed, and
  has been replaced by {connstate}.  There is also a new tracing event
  for resolving hostnames.

* locate_server, locate_kdc, free_serverlist, and sendto get their
  prefixes changed from krb5int_ to k5_ as their prototypes were being
  adjusted anyway.  The family argument is gone from the locate
  functions as it was never productively used.  k5_sendto now receives
  the socket types of interest.

* krb5_sendto_kdc will now pass a 0 socktype to k5_locate_kdc if both
  socket types are wanted.  There were some allowances for this in
  locate but this was never previously done.  In order to be
  conservative when invoking locate modules, we always pass an
  explicit socktype, thus calling lookup twice (as we did before,
  albeit with a separate init/fini cycle) in the common case.  When
  creating hostname entries in serverlist from profile configuration,
  we preserve the 0 value of socktype, and later create both TCP and
  UDP addresses from the getaddrinfo results when the host is
  resolved.

* Some accessor functions previously used by libkrb4 have been removed
  as they impinged upon this work.

ticket: 6868

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24635 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sun, 13 Feb 2011 19:12:36 +0000 (19:12 +0000)]
Trace logging file descriptor leak

File descriptors created for trace logging were never being closed.
With short-lived contexts this leak would eventually overflow the
process's file table.  Correct this oversight by closing the file
descriptor in file_trace_cb before freeing its container.

ticket: 6867
target_version: 1.9.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24634 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Sun, 13 Feb 2011 18:48:06 +0000 (18:48 +0000)]
Reposition a trace call which was dereferencing freed memory after
r24616.

ticket: 6855

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24633 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Wed, 9 Feb 2011 20:25:08 +0000 (20:25 +0000)]
KDC denial of service attacks [MITKRB5-SA-2011-002 CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]

[CVE-2011-0281 CVE-2011-0282] Fix some LDAP back end principal name
handling that could cause the KDC to hang or crash.

[CVE-2011-0283] Fix a KDC null pointer dereference introduced in krb5-1.9.

ticket: 6860
tags: pullup
target_version: 1.9.1

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24622 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Wed, 9 Feb 2011 20:25:03 +0000 (20:25 +0000)]
kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]

When operating in standalone mode and not doing iprop, don't return
from do_standalone() if the child exits with abnormal status.

ticket: 6859
tags: pullup
target_version: 1.9.1

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24621 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 9 Feb 2011 04:59:38 +0000 (04:59 +0000)]
Add missing KRB5_USE_INET6 ifdefs around some bits of IPv6 code which
didn't have them.  From aberry@likewise.com.

ticket: 6857

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24620 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 9 Feb 2011 04:46:46 +0000 (04:46 +0000)]
Assume ELF on FreeBSD if objformat doesn't exist

If /usr/bin/objformat doesn't exist on a FreeBSD system, it could
indicate a pre-3.0 a.out version or a post-7.0 ELF version.  Since
FreeBSD 3.0 is now twelve years old, it's safer to assume ELF than
a.out.

From aberry@likewise.com.

ticket: 6858

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24619 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 8 Feb 2011 22:31:10 +0000 (22:31 +0000)]
Fix seg faulting trace log message for use of fallback realm

The call to TRACE_TKT_CREDS_FALLBACK in get_creds.c was supplying the
wrong argument, causing a crash.

ticket: 6856
target_version: 1.9.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24618 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Tue, 8 Feb 2011 21:25:21 +0000 (21:25 +0000)]
Set JAVADOC_AUTOBRIEF to YES to allow Doxygen to interpret the first line of a JavaDoc-style comment as the brief description.
Also, minor argument name fix in krb5.hin

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24617 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 7 Feb 2011 18:40:00 +0000 (18:40 +0000)]
Improve acceptor name flexibility

Be more flexible about the principal names we will accept for a given
GSS acceptor name.  Also add support for a new libdefaults profile
variable ignore_acceptor_hostname, which causes the hostnames of
host-based service principals to be ignored when passed by server
applications as acceptor names.

Note that we still always invoke krb5_sname_to_principal() when
importing a gss-krb5 mechanism name, even though we won't always use
the result.  This is an unfortunate waste of getaddrinfo/getnameinfo
queries in some situations, but the code surgery necessary to defer
it appears too risky at this time.

The project proposal for this change is at:

http://k5wiki.kerberos.org/wiki/Projects/Acceptor_Names

ticket: 6855

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24616 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Mon, 7 Feb 2011 17:06:44 +0000 (17:06 +0000)]
Add "make doxugen" option to generate doxygen output

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24615 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Mon, 7 Feb 2011 16:50:13 +0000 (16:50 +0000)]
Added doxygen comments (mostly from the backup location)

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24614 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 4 Feb 2011 20:25:05 +0000 (20:25 +0000)]
Change flow control in krb5_gss_import_name to better match current
coding practices.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24613 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 3 Feb 2011 17:39:57 +0000 (17:39 +0000)]
Remove an unnecessary statement in acquire_init_cred().  We never set
an acceptor name different from desired_princ.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24612 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 1 Feb 2011 01:11:51 +0000 (01:11 +0000)]
kadmin's ktremove can remove wrong entries when removing kvno 0

Because of 8-bit wraparound, keytabs can contain entries with kvno 0.
Because 0 is a distinguished kvno value for krb5_kt_get_entry(),
kadmin's remove_principal() winds up substituting the specified kvno
with the highest-numbered kvno of the specified principal in the
keytab.  Make sure not to perform this substitution when in
specified-kvno mode.

(This fix leaves behind a very minor bug where "ktrem principal 0"
returns silently, instead of producing an error message like it
normally would, if principal exists in the keytab but not at kvno 0.)

ticket: 6854

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24611 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Wed, 26 Jan 2011 19:48:16 +0000 (19:48 +0000)]
Restore KRB5_CALLCONV_WRONG attribute to krb5_auth_con_getrcache

It was incorrectly removed in r24600.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24606 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 26 Jan 2011 18:23:23 +0000 (18:23 +0000)]
When building PKINIT against OpenSSL 1.0 or later, use the CMS APIs for
better interoperability.  From nalin@redhat.com.

ticket: 6851

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24605 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 25 Jan 2011 05:20:07 +0000 (05:20 +0000)]
Make principal renaming work in libkadm5srv by converting to explicit
salts as necessary.  Add a principal rename command to the client.
(The RPC infrastructure was already present.)

Adapted from patches submitted by mdw@umich.edu and lha@apple.com.

ticket: 6323

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24604 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 25 Jan 2011 00:23:48 +0000 (00:23 +0000)]
Make gss_krb5_set_allowable_enctypes work for the acceptor

With the addition of enctype negotiation in 1.7, a gss-krb5 acceptor
can choose an enctype for the acceptor subkey other than the one in
the keytab.  If the resulting security context will be exported and
re-imported by another gss-krb5 implementation (such as one in the
kernel), the acceptor needs a way to restrict the set of negotiated
enctypes to those supported by the other implementation.  We had that
functionality for the initiator already in the form of
gss_krb5_set_allowable_enctypes; this change makes it work for the
acceptor as well.

ticket: 6852
target_version: 1.9.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24603 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 21 Jan 2011 18:09:56 +0000 (18:09 +0000)]
Add a trace log event for unrecognized enctypes in a profile enctype
list.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24602 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Fri, 21 Jan 2011 05:00:53 +0000 (05:00 +0000)]
Fix edge case in LDAP last_admin_unlock processing

In the LDAP KDB module, set appropriate flags when zeroing
entry->fail_auth_count due to an administrative unlock.

ticket: 6849
target_version: 1.9.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24601 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Wed, 19 Jan 2011 16:49:41 +0000 (16:49 +0000)]
Where missing, add the argument's names to the function signatures

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24600 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Tue, 18 Jan 2011 21:54:58 +0000 (21:54 +0000)]
Renamed static function krb5_rd_safe_basic into rd_safe_basic to avoid confusion with API

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24599 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 18 Jan 2011 17:51:58 +0000 (17:51 +0000)]
In t_expire_warn.py, put the hashbang line at the top, instead of
after the copyright comments.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24598 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 18 Jan 2011 17:03:54 +0000 (17:03 +0000)]
Update copyright year in prototype sources

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24597 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Thu, 13 Jan 2011 15:32:47 +0000 (15:32 +0000)]
Doxygen style re-formatting of the existing comments

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24596 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Wed, 12 Jan 2011 23:31:58 +0000 (23:31 +0000)]
In krb5_set_realm():
* Return EINVAL and ENOMEM correctly.
* Accept an empty realm instead of returning EINVAL.
* Wrap a long line.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24595 dc483132-0cff-0310-8789-dd5450dbe970

Ken Raeburn [Wed, 12 Jan 2011 22:00:40 +0000 (22:00 +0000)]
Don't call memset with a zero length

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24594 dc483132-0cff-0310-8789-dd5450dbe970

Zhanna Tsitkov [Tue, 11 Jan 2011 20:00:52 +0000 (20:00 +0000)]
Asn.1 decode related file rearrangement. It was made based on the following criteria:
1. based on functionality (for example, kdc-only code)
2. Well defined clusters of functions (fast, sam).

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24593 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 10 Jan 2011 20:32:56 +0000 (20:32 +0000)]
Tighten up the error handling in the mechglue's gss_canonicalize_name,
eliminating a null pointer dereference in the (unlikely) case that
allocation of out_union fails.  Reported by aberry@likewise.com.

ticket: 6817

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24592 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 10 Jan 2011 18:25:36 +0000 (18:25 +0000)]
Fix a couple of cases in the SPNEGO implementation where a
half-constructed SPNEGO context could be leaked.  Patch from
aberry@likewise.com, slightly amended.

ticket: 6816

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24591 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 28 Dec 2010 18:27:17 +0000 (18:27 +0000)]
Don't attempt to serialize a NULL authdata context when serializing a
GSSAPI context (most often seen with initiator contexts).  Patch from
aberry@likewise.com.

ticket: 6675
target_version: 1.9.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24590 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 28 Dec 2010 17:27:15 +0000 (17:27 +0000)]
Don't use a krb5 context in t_fork, since we don't set up a krb5.conf
in the crypto test directory's "make check".

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24589 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Mon, 20 Dec 2010 22:52:35 +0000 (22:52 +0000)]
Document rdns libdefault setting

ticket: 6794
tags: pullup
target_version: 1.9

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24584 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Mon, 20 Dec 2010 17:48:06 +0000 (17:48 +0000)]
Eliminate some unused variable warnings

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24583 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Thu, 16 Dec 2010 05:07:24 +0000 (05:07 +0000)]
Remove an unnecessary clause from safe_cksumtype() which served only
to create a theoretical (but impossible in practice) memory leak.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24581 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Wed, 15 Dec 2010 19:14:37 +0000 (19:14 +0000)]
update acknowledgments

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24575 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 14 Dec 2010 18:46:46 +0000 (18:46 +0000)]
Ensure time() is prototyped in g_accept_sec_context.c

r22736 added a call to time() in g_accept_sec_context.c.  Include
<time.h> to ensure that this call is correctly prototyped.  Previously
<time.h> was only included implicitly through <pthread.h>, which
doesn't apply when thread support is disabled.

ticket: 6842
tags: pullup
target_version: 1.9

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24568 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Tue, 14 Dec 2010 17:34:48 +0000 (17:34 +0000)]
memory leak in changepw.c

Apply patch from Marcus Watts to avoid a memory leak in changepw.c.

ticket: 6841
tags: pullup
target_version: 1.9

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24567 dc483132-0cff-0310-8789-dd5450dbe970

Greg Hudson [Tue, 14 Dec 2010 17:28:38 +0000 (17:28 +0000)]
Fix a regression in the client-side ticket renewal code where KDC
options were not folded into the renewal request (most notably, the
KDC_OPT_RENEWABLE flag), so we didn't request renewable renewed
tickets.  Add a simple test case for ticket renewal.

ticket: 6838
tags: pullups
target_version: 1.9

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24566 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Tue, 14 Dec 2010 17:24:21 +0000 (17:24 +0000)]
typo in plugin-related error message

Apply patch from Marcus Watts to fix error message typo.

ticket: 6840
tags: pullup
target_version: 1.9

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24565 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Fri, 10 Dec 2010 01:06:26 +0000 (01:06 +0000)]
handle MS PACs that lack server checksum

target_version 1.9
tags: pullup

Apple Mac OS X Server's Open Directory KDC issues MS PAC like
authorization data that lacks a server checksum.  If this checksum is
missing, mark the PAC as unverified, but allow
krb5int_authdata_verify() to succeed.  Filter out the unverified PAC
in subsequent calls to krb5_authdata_get_attribute().  Add trace
points to indicate where this behavior occurs.

Thanks to Helmut Grohne for help with analysis.  This bug is also
Debian Bug #604925:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604925

This change should also get backported to krb5-1.8.x.

ticket: 6839

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24564 dc483132-0cff-0310-8789-dd5450dbe970

Tom Yu [Tue, 7 Dec 2010 23:45:15 +0000 (23:45 +0000)]
Add comment noting that RFC 4121 appears to omit RC4-HMAC from the
list of "not-newer" enctypes, even though RFC 4757 effectively treats
it as one.  Suggested by Derrick Brashear.

ticket: 6835

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24563 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago update dependencies
Ken Raeburn [Sun, 5 Dec 2010 20:16:17 +0000 (20:16 +0000)]
update dependencies

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24561 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Test for key rollover for TGT, including purging old keys
Tom Yu [Fri, 3 Dec 2010 12:34:53 +0000 (12:34 +0000)]
Test for key rollover for TGT, including purging old keys

ticket: 1219
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24555 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Correct typo in admin documentation for restrict_anonymous_to_tgt
Greg Hudson [Wed, 1 Dec 2010 22:36:38 +0000 (22:36 +0000)]
Correct typo in admin documentation for restrict_anonymous_to_tgt

ticket: 6829

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24550 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Implement restrict_anonymous_to_tgt realm flag
Greg Hudson [Wed, 1 Dec 2010 20:01:46 +0000 (20:01 +0000)]
Implement restrict_anonymous_to_tgt realm flag

Implement a new realm flag to reject ticket requests from anonymous
principals to any principal other than the local TGT.  Allows FAST to
be deployed using anonymous tickets as armor in realms where the set
of authenticatable users must be constrained.

ticket: 6829
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24547 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Install kadm5_hook_plugin.h
Sam Hartman [Tue, 30 Nov 2010 22:46:54 +0000 (22:46 +0000)]
Install kadm5_hook_plugin.h

Install the kadm5 hook plugin header

ticket: 6828
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24539 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
Greg Hudson [Tue, 30 Nov 2010 21:20:49 +0000 (21:20 +0000)]
SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)

Fix multiple checksum handling bugs, as described in:
  CVE-2010-1324
  CVE-2010-1323
  CVE-2010-4020
  CVE-2010-4021

* Return the correct (keyed) checksums as the mandatory checksum type
  for DES enctypes.
* Restrict simplified-profile checksums to their corresponding etypes.
* Add internal checks to reduce the risk of stream ciphers being used
  with simplified-profile key derivation or other algorithms relying
  on the block encryption primitive.
* Use the mandatory checksum type for the PKINIT KDC signature,
  instead of the first-listed keyed checksum.
* Use the mandatory checksum type when sending KRB-SAFE messages by
  default, instead of the first-listed keyed checksum.
* Use the mandatory checksum type for the t_kperf test program.
* Use the mandatory checksum type (without additional logic) for the
  FAST request checksum.
* Preserve the existing checksum choices (unkeyed checksums for DES
  enctypes) for the authenticator checksum, using explicit logic.
* Ensure that SAM checksums received from the KDC are keyed.
* Ensure that PAC checksums are keyed.

ticket: 6827

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24538 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Install gssapi_ext.h on Windows. Include gssapi_ext.h in the header
Greg Hudson [Tue, 30 Nov 2010 17:46:10 +0000 (17:46 +0000)]
Install gssapi_ext.h on Windows.  Include gssapi_ext.h in the header
files considered by def-check.pl in verify-calling-conventions-gssapi.

ticket: 6826

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24537 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Use for loops for recursion in the Windows build, cutting down on the
Greg Hudson [Sun, 28 Nov 2010 01:36:42 +0000 (01:36 +0000)]
Use for loops for recursion in the Windows build, cutting down on the
verbiage in Makefile.in files.  For correctness of output, every
Makefile.in mydir= definition is changed to use $(S) instead of /.

ticket: 6826

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24536 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Supply static ordinals for new symbols in gssapi32.def and krb5_32.def,
Greg Hudson [Fri, 26 Nov 2010 16:37:14 +0000 (16:37 +0000)]
Supply static ordinals for new symbols in gssapi32.def and krb5_32.def,
for consistency with KFW 3.x.

ticket: 6826

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24535 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Fix how gssapi.h is rebuilt on Windows; accidentally omitted from
Greg Hudson [Thu, 25 Nov 2010 20:34:06 +0000 (20:34 +0000)]
Fix how gssapi.h is rebuilt on Windows; accidentally omitted from
r24533.

ticket: 6826

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24534 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Fix Windows build
Greg Hudson [Thu, 25 Nov 2010 20:28:30 +0000 (20:28 +0000)]
Fix Windows build

Repair the Windows build.  Tested with the prepare-on-Unix method.
Some specific changes include:

* Removed the IPC finalizer (no longer used after r20787) from
  ccapi/lib/ccapi_ipc.c, as it was creating a difficult dependency
  chain for the pingtest build in ccapi/test.  Also updated pingtest
  to use the k5_ipc_stream interfaces since cci_stream is gone.

* Reverted the apparently non-functional r20277.

* klist -V prints just "Kerberos for Windows", since it has no access
  to PACKAGE_NAME and PACKAGE_VERSION from autoconf.  This should be
  addressed correctly.

* krb5, telnet, gssftp, and NIM are removed from the build.

* Some files had CRLFs; these were replaced with LFs and the
  svn:eol-style property set on the files.  Otherwise the CRLFs became
  CRCRLFs after the zip transfer.

* Windows does not have opendir/readdir, so added Windows code to
  prof_parse.c for includedir.  Probable fodder for a libkrb5support
  portability shim.

ticket: 6826
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24533 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Update krb5_gic_opt_private and related code to reflect the change of
Tom Yu [Tue, 23 Nov 2010 23:51:50 +0000 (23:51 +0000)]
Update krb5_gic_opt_private and related code to reflect the change of
krb5_expire_callback_func from a function typedef to a function
pointer typedef.  This was causing segfaults.

ticket: 6825

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24532 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago update acknowledgments
Tom Yu [Tue, 23 Nov 2010 23:51:45 +0000 (23:51 +0000)]
update acknowledgments

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24531 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Set svn:eol-style on some Windows files and remove the CRs from their
Greg Hudson [Tue, 23 Nov 2010 18:50:12 +0000 (18:50 +0000)]
Set svn:eol-style on some Windows files and remove the CRs from their
repository representations.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24530 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Add missing KRB5_CALLCONV in callback declaration
Greg Hudson [Tue, 23 Nov 2010 04:50:40 +0000 (04:50 +0000)]
Add missing KRB5_CALLCONV in callback declaration

krb5_get_init_creds_opt_set_expire_callback was correctly tagged with
KRB5_CALLCONV but the corresponding callback type was not.  Add that
in.

ticket: 6825
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24529 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Export krb5_tkt_creds_get
Greg Hudson [Tue, 23 Nov 2010 04:41:08 +0000 (04:41 +0000)]
Export krb5_tkt_creds_get

krb5_tkt_creds_get was overlooked in the export list; add it.

ticket: 6824
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24528 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Correct typo in r24526
Greg Hudson [Mon, 22 Nov 2010 03:58:15 +0000 (03:58 +0000)]
Correct typo in r24526

ticket: 6823

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24527 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago getdate.y: declare yyparse
Sam Hartman [Mon, 22 Nov 2010 03:33:22 +0000 (03:33 +0000)]
getdate.y: declare yyparse

At least on lucid, byacc doesn't declare yyparse, which creates
problems because lucid treats calls to unprototyped functions as
errors.

ticket: 6823
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24526 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Suppress building camellia-gen in "make check" for now (it has a build
Greg Hudson [Sun, 21 Nov 2010 17:35:49 +0000 (17:35 +0000)]
Suppress building camellia-gen in "make check" for now (it has a build
issue on Solaris which will go away when Camellia support becomes
unconditional).

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24525 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Implement Camellia-CTS-CMAC instead of Camellia-CCM
Greg Hudson [Sat, 20 Nov 2010 00:31:46 +0000 (00:31 +0000)]
Implement Camellia-CTS-CMAC instead of Camellia-CCM

Replace the Camellia-CCM enctypes with Camellia-CTS-CMAC.  Still not
compiled in by default since we don't have enctype assignments yet.

ticket: 6822
target_verion: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24524 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Read KDC profile settings in kpropd
Greg Hudson [Tue, 16 Nov 2010 02:54:26 +0000 (02:54 +0000)]
Read KDC profile settings in kpropd

kpropd can modify the KDB with ulog_replay(), so it should read the
KDC profile settings in case the KDB configuration is in there.

ticket: 6820
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24519 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Handle referral realm in kprop client principal
Greg Hudson [Tue, 16 Nov 2010 02:30:16 +0000 (02:30 +0000)]
Handle referral realm in kprop client principal

kprop uses krb5_sname_to_principal() to determine its client
principal.  If the local hostname cannot be mapped to a realm based on
the profile's domain_realm section, krb5_sname_to_principal() will (as
of 1.6) return a principal with the referral realm (""), which does
not work in a client principal.  Handle this by substituting the
default realm.

ticket: 6819
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24518 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago Fix a typo in install.texinfo
Greg Hudson [Tue, 16 Nov 2010 00:12:52 +0000 (00:12 +0000)]
Fix a typo in install.texinfo

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24517 dc483132-0cff-0310-8789-dd5450dbe970

14 years ago The iprop dejagnu test had some deceptive commented-out debugging code
Greg Hudson [Tue, 16 Nov 2010 00:12:38 +0000 (00:12 +0000)]
The iprop dejagnu test had some deceptive commented-out debugging code
(it would set up the user to run kpropd in the master environment
instead of the slave environment).  Make it more useful.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24516 dc483132-0cff-0310-8789-dd5450dbe970