Age | Commit message (Collapse) | Author | Files | Lines |
|
git-svn-id: svn://anonsvn.mit.edu/krb5/tags/krb5-1-9-beta2@24558 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24557 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24555 | tlyu | 2010-12-03 07:34:53 -0500 (Fri, 03 Dec 2010) | 6 lines
ticket: 1219
target_version: 1.9
tags: pullup
Test for key rollover for TGT, including purging old keys.
ticket: 1219
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24556 dc483132-0cff-0310-8789-dd5450dbe970
|
|
ticket: 6826
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24554 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24537 | ghudson | 2010-11-30 12:46:10 -0500 (Tue, 30 Nov 2010) | 5 lines
ticket: 6826
Install gssapi_ext.h on Windows. Include gssapi_ext.h in the header
files considered by def-check.pl in verify-calling-conventions-gssapi.
------------------------------------------------------------------------
r24535 | ghudson | 2010-11-26 11:37:14 -0500 (Fri, 26 Nov 2010) | 5 lines
ticket: 6826
Supply static ordinals for new symbols in gssapi32.def and krb5_32.def,
for consistency with KFW 3.x.
------------------------------------------------------------------------
r24534 | ghudson | 2010-11-25 15:34:06 -0500 (Thu, 25 Nov 2010) | 5 lines
ticket: 6826
Fix how gssapi.h is rebuilt on Windows; accidentally omitted from
r24533.
------------------------------------------------------------------------
r24533 | ghudson | 2010-11-25 15:28:30 -0500 (Thu, 25 Nov 2010) | 29 lines
ticket: 6826
subject: Fix Windows build
target_version: 1.9
tags: pullup
Repair the Windows build. Tested with the prepare-on-Unix method.
Some specific changes include:
* Removed the IPC finalizer (no longer used after r20787) from
ccapi/lib/ccapi_ipc.c, as it was creating a difficult dependency
chain for the pingtest build in ccapi/test. Also updated pingtest
to use the k5_ipc_stream interfaces since cci_stream is gone.
* Reverted the apparently non-functional r20277.
* klist -V prints just "Kerberos for Windows", since it has no access
to PACKAGE_NAME and PACKAGE_VERSION from autoconf. This should be
addressed correctly.
* krb5, telnet, gssftp, and NIM are removed from the build.
* Some files had CRLFs; these were replaced with LFs and the
svn:eol-style property set on the files. Otherwise the CRLFs became
CRCRLFs after the zip transfer.
* Windows does not have opendir/readdir, so added Windows code to
prof_parse.c for includedir. Probable fodder for a libkrb5support
portability shim.
------------------------------------------------------------------------
r24530 | ghudson | 2010-11-23 13:50:12 -0500 (Tue, 23 Nov 2010) | 3 lines
Set svn:eol-style on some Windows files and remove the CRs from their
repository representations.
------------------------------------------------------------------------
r24469 | ghudson | 2010-10-21 20:01:56 -0400 (Thu, 21 Oct 2010) | 3 lines
Make it possible to override CRYPTO_IMPL_CFLAGS and CRYPTO_IMPL_LIBS at
make time.
ticket: 6826
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24553 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24550 | ghudson | 2010-12-01 17:36:38 -0500 (Wed, 01 Dec 2010) | 4 lines
ticket: 6829
Correct typo in admin documentation for restrict_anonymous_to_tgt.
ticket: 6829
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24552 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24539 | hartmans | 2010-11-30 17:46:54 -0500 (Tue, 30 Nov 2010) | 7 lines
ticket: 6828
Subject: Install kadm5_hook_plugin.h
target_version: 1.9
tags: pullup
Install the kadm5 hook plugin header
ticket: 6828
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24551 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24547 | ghudson | 2010-12-01 15:01:46 -0500 (Wed, 01 Dec 2010) | 10 lines
ticket: 6829
subject: Implement restrict_anonymous_to_tgt realm flag
target_version: 1.9
tags: pullup
Implement a new realm flag to reject ticket requests from anonymous
principals to any principal other than the local TGT. Allows FAST to
be deployed using anonymous tickets as armor in realms where the set
of authenticatable users must be constrained.
ticket: 6829
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24549 dc483132-0cff-0310-8789-dd5450dbe970
|
|
If kdb5_util load (without -update) fails--say, due to an invalid dump
file--it calls krb5_db_destroy to destroy the temporary DB.
Unfortunately, this results in the destruction of the real DB instead.
Luckily, this bug only applies to krb5 1.9, which hasn't been released
yet. In krb5 1.8 the destroy operation fails before it does any damage.
ticket: 6815
version_fixed: 1.9
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24548 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24532 | tlyu | 2010-11-23 18:51:50 -0500 (Tue, 23 Nov 2010) | 6 lines
ticket: 6825
Update krb5_gic_opt_private and related code to reflect the change of
krb5_expire_callback_func from a function typedef to a function
pointer typedef. This was causing segfaults.
------------------------------------------------------------------------
r24529 | ghudson | 2010-11-22 23:50:40 -0500 (Mon, 22 Nov 2010) | 9 lines
ticket: 6825
subject: Add missing KRB5_CALLCONV in callback declaration
target_version: 1.9
tags: pullup
krb5_get_init_creds_opt_set_expire_callback was correctly tagged with
KRB5_CALLCONV but the corresponding callback type was not. Add that
in.
ticket: 6825
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24546 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24528 | ghudson | 2010-11-22 23:41:08 -0500 (Mon, 22 Nov 2010) | 7 lines
ticket: 6824
subject: Export krb5_tkt_creds_get
target_version: 1.9
tags: pullup
krb5_tkt_creds_get was overlooked in the export list; add it.
ticket: 6824
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24545 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24527 | ghudson | 2010-11-21 22:58:15 -0500 (Sun, 21 Nov 2010) | 4 lines
ticket: 6823
Correct typo in r24526.
------------------------------------------------------------------------
r24526 | hartmans | 2010-11-21 22:33:22 -0500 (Sun, 21 Nov 2010) | 9 lines
ticket: 6823
subject: getdate.y: declare yyparse
target_version: 1.9
tags: pullup
At least on lucid, byacc doesn't declare yyparse, which creates
problems because lucid treats calls to unprototyped functions as
errors.
ticket: 6823
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24544 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24524 | ghudson | 2010-11-19 19:31:46 -0500 (Fri, 19 Nov 2010) | 8 lines
ticket: 6822
subject: Implement Camellia-CTS-CMAC instead of Camellia-CCM
target_verion: 1.9
tags: pullup
Replace the Camellia-CCM enctypes with Camellia-CTS-CMAC. Still not
compiled in by default since we don't have enctype assignments yet.
ticket: 6822
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24543 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24519 | ghudson | 2010-11-15 21:54:26 -0500 (Mon, 15 Nov 2010) | 8 lines
ticket: 6820
subject: Read KDC profile settings in kpropd
target_version: 1.9
tags: pullup
kpropd can modify the KDB with ulog_replay(), so it should read the
KDC profile settings in case the KDB configuration is in there.
ticket: 6820
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24542 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24518 | ghudson | 2010-11-15 21:30:16 -0500 (Mon, 15 Nov 2010) | 12 lines
ticket: 6819
subject: Handle referral realm in kprop client principal
target_version: 1.9
tags: pullup
kprop uses krb5_sname_to_principal() to determine its client
principal. If the local hostname cannot be mapped to a realm based on
the profile's domain_realm section, krb5_sname_to_principal() will (as
of 1.6) return a principal with the referral realm (""), which does
not work in a client principal. Handle this by substituting the
default realm.
ticket: 6819
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24541 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24538 | ghudson | 2010-11-30 16:20:49 -0500 (Tue, 30 Nov 2010) | 27 lines
ticket: 6827
subject: SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
Fix multiple checksum handling bugs, as described in:
CVE-2010-1324
CVE-2010-1323
CVE-2010-4020
CVE-2010-4021
* Return the correct (keyed) checksums as the mandatory checksum type
for DES enctypes.
* Restrict simplified-profile checksums to their corresponding etypes.
* Add internal checks to reduce the risk of stream ciphers being used
with simplified-profile key derivation or other algorithms relying
on the block encryption primitive.
* Use the mandatory checksum type for the PKINIT KDC signature,
instead of the first-listed keyed checksum.
* Use the mandatory checksum type when sending KRB-SAFE messages by
default, instead of the first-listed keyed checksum.
* Use the mandatory checksum type for the t_kperf test program.
* Use the mandatory checksum type (without additional logic) for the
FAST request checksum.
* Preserve the existing checksum choices (unkeyed checksums for DES
enctypes) for the authenticator checksum, using explicit logic.
* Ensure that SAM checksums received from the KDC are keyed.
* Ensure that PAC checksums are keyed.
ticket: 6827
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24540 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24504 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24502 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24488 | ghudson | 2010-10-27 13:05:05 -0400 (Wed, 27 Oct 2010) | 5 lines
ticket: 6812
Don't fail out from krb5_get_credentials() if we can't store a ticket
into the ccache.
ticket: 6812
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24501 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24486 | ghudson | 2010-10-26 13:34:41 -0400 (Tue, 26 Oct 2010) | 8 lines
ticket: 6811
subject: Mark Camellia-CCM code as experimental
target_version: 1.9
tags: pullup
Add a comment noting that the Camellia-CCM code in 1.9 is
experimental.
ticket: 6811
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24500 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24481 | ghudson | 2010-10-25 16:17:54 -0400 (Mon, 25 Oct 2010) | 7 lines
ticket: 6796
target_version: 1.9
tags: pullup
Use safer output parameter handling in
krb5_gss_acquire_cred_impersonate_name and its subsidiary helpers.
ticket: 6796
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24499 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24483 | ghudson | 2010-10-26 10:17:38 -0400 (Tue, 26 Oct 2010) | 8 lines
ticket: 6809
target_version: 1.9
tags: pullup
Set *conf_state on successful return from
gss_krb5int_make_seal_token_v3_iov, fixing a case where it wasn't
always set by gss_wrap_iov. Patch from aberry@likewise.com.
ticket: 6809
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24498 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24482 | ghudson | 2010-10-25 17:55:54 -0400 (Mon, 25 Oct 2010) | 8 lines
ticket: 6787
target_version: 1.9
tags: pullup
When we create a temporary memory ccache for use within a
krb5_gss_cred_id_rec, set a flag to indicate that the ccache should be
destroyed rather than closed. Patch from aberry@likewise.com.
ticket: 6787
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24497 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24480 | ghudson | 2010-10-25 15:37:03 -0400 (Mon, 25 Oct 2010) | 8 lines
ticket: 6793
target_version: 1.9
tags: pullup
In acquire_init_cred in the GSS krb5 mech, don't intern cred->name,
since it's not used as an output parameter. Fixes a memory leak.
Reported by aberry@likewise.com.
ticket: 6793
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24496 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24470 | ghudson | 2010-10-22 20:38:17 -0400 (Fri, 22 Oct 2010) | 10 lines
ticket: 6810
subject: Better libk5crypto NSS fork safety
target_version: 1.9
tags: pullup
Use SECMOD_RestartModules() from the forthcoming NSS 3.12.9 release to
make the libk5crypto back end work after a fork. Add a test program
to exercise fork detection in the NSS back end. Add a configure-time
version check to ensure that we're using NSS 3.12.9 or later.
ticket: 6810
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24495 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24467 | hartmans | 2010-10-19 15:50:48 -0400 (Tue, 19 Oct 2010) | 8 lines
ticket: 6807
subject: SecurID build support
target_version: 1.9
tags: pullup
Integrate SecurID into the build if libaceclnt is found.
Add a README file with an example of how to build it.
ticket: 6807
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24494 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24466 | hartmans | 2010-10-19 15:50:42 -0400 (Tue, 19 Oct 2010) | 8 lines
ticket: 6806
subject: securID error handling fix
target_version: 1.9
tags: pullup
In porting forward, I incorrectly used krb5_set_error_message instead of com_err.
This commit reverts that change.
ticket: 6806
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24493 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24465 | hartmans | 2010-10-19 15:50:37 -0400 (Tue, 19 Oct 2010) | 19 lines
ticket: 6805
subject: securID code fixes
target_version: 1.9
tags: pullup
Fixes to get securID preauth plugin working. A separate patch will
address error handling and build issues.
* Permit a preauth plugin to return KRB5KDC_ERR_PREAUTH_REQUIRED from
the verify entry point.
* If verify_securid2 fails, save the return value and return that
rather than success after dealing with encoding the out_edata
* Use the client key not the securid principal key for the sam
checksum
* indicate that securID is hardware authentication
ticket: 6805
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24492 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24464 | ghudson | 2010-10-19 15:08:38 -0400 (Tue, 19 Oct 2010) | 9 lines
ticket: 6804
subject: Remove KDC replay cache
target_version: 1.9
tags: pullup
Now that SAM1 support has been removed, the KDC does not need a replay
replay cache. Remove all code within USE_RCACHE and associated support.
Rename --disable-kdc-replay-cache to --disable-kdc-lookaside-cache.
ticket: 6804
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24491 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24490 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24462 | tlyu | 2010-10-18 18:52:28 -0400 (Mon, 18 Oct 2010) | 5 lines
ticket: 6802
Adjust copyright.texinfo to fix some TeX output issues. Also do minor
cleanup.
ticket: 6802
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24463 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24455 | tlyu | 2010-10-14 18:49:11 -0400 (Thu, 14 Oct 2010) | 9 lines
ticket: 6802
tags: pullup
subject: copyright notice updates
target_version: 1.9
Update copyright.texinfo. Move full copyright notices to appendices
of documentation. New rules to generate top-level NOTICE file from
copyright.texinfo. Regenerate NOTICE file.
ticket: 6802
version_fixed: 1.9
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24457 dc483132-0cff-0310-8789-dd5450dbe970
|
|
------------------------------------------------------------------------
r24454 | ghudson | 2010-10-13 13:20:36 -0400 (Wed, 13 Oct 2010) | 2 lines
Whitespace.
------------------------------------------------------------------------
r24453 | hartmans | 2010-10-12 21:19:20 -0400 (Tue, 12 Oct 2010) | 2 lines
Adjust valgrind support to assume a modern valgrind that requires %p in log files.
------------------------------------------------------------------------
r24452 | hartmans | 2010-10-12 21:19:14 -0400 (Tue, 12 Oct 2010) | 14 lines
ticket: 6801
target_version: 1.9
Subject: Fix leaks in get_init_creds interface
In Debian Bug 598032, Bastian Blank points out that there are two
leaks in the get_init_creds interface:
* Free ctx->request->padata after sending the KDC request so it is not
overwritten the next time around the loop.
* If options is NULL passed into krb5_get_init_creds_init, then set up
a non-extended options structure so that krb5_get_init_creds_free will
free the options.
ticket: 6801
version_fixed: 1.9
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24456 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24450 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24449 dc483132-0cff-0310-8789-dd5450dbe970
|
|
extended error message indicating which principal was not found.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24448 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24447 dc483132-0cff-0310-8789-dd5450dbe970
|
|
files to UTF-8.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24446 dc483132-0cff-0310-8789-dd5450dbe970
|
|
is guaranteed.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24445 dc483132-0cff-0310-8789-dd5450dbe970
|
|
!= NULL in a particular error case.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24444 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24443 dc483132-0cff-0310-8789-dd5450dbe970
|
|
change_password -keepold), and add a kadmin CLI command for it.
Keeping ticket open because an automated test needs to be added.
Long-term future work includes start/expire dates on keys, or
not-yet-valid flags.
ticket: 1219
status: open
target_version: 1.9
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24442 dc483132-0cff-0310-8789-dd5450dbe970
|
|
ticket: 6701
target_version: 1.8.4
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24441 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Instead of performing a tree search to fill in the refcnt field of a
policy object whenever a policy is fetched, set the refcnt to 0 and
perform a check when policies are deleted.
ticket: 6799
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24440 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Set NT-SRV-INST on TGS principal names in
get_in_tkt.c:build_in_tkt_name because Windows Server 2008 R2 RODC
insists on it.
Thanks to Bill Fellows for reporting this problem.
ticket: 6798
tags: pullup
target_version: 1.8.4
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24438 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24437 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24436 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24433 dc483132-0cff-0310-8789-dd5450dbe970
|
|
statements, per mailing list discussion.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24432 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24430 dc483132-0cff-0310-8789-dd5450dbe970
|