path: root/doc
Age | Commit message | Author | Files | Lines
2020-10-17 | Update Gladman AES code | Greg Hudson | 1 file | -17/+12
Update lib/crypto/builtin/aes to commit 8798ad829374cd5ff312f55ba3ccccfcf586fa11 of https://github.com/BrianGladman/aes . The following changes are made to the upstream code:
* In aes.h, #defines are added to give the linker-visible symbols a prefix.
* In aes.h, AES_192 is undefined, since we only need AES-128 and AES-256.
* In aesopt.h, USE_INTEL_AES_IF_PRESENT and USE_VIA_ACE_IF_PRESENT are suppressed by changing the corresponding "#if 1"s to "#if 0"s.
* In aesopt.h, the conditionals for ENC_UNROLL, DEC_UNROLL, ENC_ROUND, LAST_ENC_ROUND, DEC_ROUND, LAST_DEC_ROUND, and KEY_SCHED are changed from "#if 1" to "#if !defined(CONFIG_SMALL) || defined(CONFIG_SMALL_NO_CRYPTO)".
bigredbutton: whitespace
ticket: 8954
2020-10-08 | Fix Python deprecation warnings | Greg Hudson | 1 file | -3/+3
Address all warnings issued by "python -Werror::DeprecationWarning" in the test suite and doc build, as of Python 3.8.2.
2020-09-28 | Fix doc issues with newer Doxygen and Sphinx | Greg Hudson | 4 files | -8/+9
In krb5.hin, fix some apparently harmless whitespace nits in comments which cause newer Doxygen versions to generate <detaileddescription> content containing <linebreak/> tags. Also remove the explicit "@n" linebreaks in the responder JSON schemas, instead relying on Doxygen markup support (added in Doxygen 1.8). Add a verbatim handler in doxybuilder_types.py to translate the resulting section, replacing the linebreak handler which is no longer needed.
css_files is deprecated in Sphinx. Instead use app.add_stylesheet() in a setup function in conf.py. (Sphinx 1.8 has a slightly simpler method, but that is currently too recent to depend on.) Also remove the obsolete html_use_smartypants setting.
In func_document.tmpl, fix an incorrect use of "is".
ticket: 8952 (new)
2020-09-22 | Update SRV record documentation | Greg Hudson | 1 file | -10/+13
The KDC has listened to TCP connections by default since commit 8d88e2ab00be126237569dc72827ced2ce6b7d04 (ticket 6731). Update the documentation for _kerberos._tcp accordingly.
Correct a formatting error introduced by commit 10eb93809b1af06e2b1147aee2e3e50058ba1bbd (ticket 8921).
For _kpasswd._udp, if the _kerberos-adm._tcp fallback is used, the port number is changed to 464, not 749.
Add entries for _kerberos-master._tcp and _kpasswd._tcp.
ticket: 8948
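The lookup order the commit above documents (per-service SRV labels, UDP before TCP, and the kpasswd fallback to _kerberos-adm._tcp with the port rewritten to 464) is easy to get wrong when reasoning about which host a client will actually contact. The following is an added example, not code from MIT krb5: the zone contents, the function names, the transport lists per service and the deterministic weight ordering are all assumptions constructed for illustration.

```python
# Constructed SRV data and a lookup model for the Kerberos SRV records.
# Added example, not MIT krb5 code: the zone, the function names and the
# simplified weight handling are assumptions made for illustration only.

KPASSWD_PORT = 464  # port used when kpasswd falls back to _kerberos-adm

# Constructed zone: owner name -> [(priority, weight, port, target), ...]
CONSTRUCTED_ZONE = {
    "_kerberos._udp.EXAMPLE.COM": [
        (0, 100, 88, "kdc1.example.com"),
        (0, 50, 88, "kdc2.example.com"),
        (10, 0, 88, "kdc-backup.example.com"),
    ],
    "_kerberos._tcp.EXAMPLE.COM": [(0, 0, 88, "kdc1.example.com")],
    "_kerberos-master._tcp.EXAMPLE.COM": [(0, 0, 88, "kdc1.example.com")],
    "_kerberos-adm._tcp.EXAMPLE.COM": [(0, 0, 749, "kdc1.example.com")],
    # Deliberately no _kpasswd._udp or _kpasswd._tcp: exercises the fallback.
}

# SRV label for each service and the transports tried, in order (assumed).
SERVICE_LABELS = {
    "kdc": ("_kerberos", ("udp", "tcp")),
    "master_kdc": ("_kerberos-master", ("udp", "tcp")),
    "kadmin": ("_kerberos-adm", ("tcp",)),
    "kpasswd": ("_kpasswd", ("udp", "tcp")),
}


def srv_query(name, zone=CONSTRUCTED_ZONE):
    """Return SRV records for name ordered by priority (low first), then by
    weight (high first).  Real resolvers pick randomly within a priority in
    proportion to weight; this deterministic order is an assumption."""
    return sorted(zone.get(name, []), key=lambda r: (r[0], -r[1]))


def locate_servers(service, realm, zone=CONSTRUCTED_ZONE):
    """Return [(transport, host, port), ...] for service in realm, following
    the documented label/transport order and the kpasswd fallback."""
    label, transports = SERVICE_LABELS[service]
    found = []
    for transport in transports:
        name = f"{label}._{transport}.{realm}"
        for _prio, _weight, port, target in srv_query(name, zone):
            found.append((transport, target, port))
    if not found and service == "kpasswd":
        # Documented fallback: reuse _kerberos-adm._tcp, but on port 464
        # (not the kadmin port 749 carried by the SRV record).
        for transport, target, _port in locate_servers("kadmin", realm, zone):
            found.append((transport, target, KPASSWD_PORT))
    return found


if __name__ == "__main__":
    for svc in SERVICE_LABELS:
        print(svc, locate_servers(svc, "EXAMPLE.COM"))
```

Running it shows kdc resolving to kdc1 and kdc2 over UDP before the priority-10 backup, and kpasswd resolving to kdc1 on 464 even though the only record found names port 749.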
2020-09-18 | Document enctype migration | Greg Hudson | 3 files | -20/+83
In enctypes.rst, note that des3-cbc-sha1 and arcfour-hmac are deprecated, and add a paragraph about des3-cbc-sha1 support being removed in the future. Add a section on migrating away from legacy enctypes (briefer than the existing advanced/retiring-des.rst and not specific to single-DES).
In kdc_conf.rst, note that des3-cbc-sha1 and arcfour-hmac are deprecated.
ticket: 8950 (new)
2020-09-07 | Rename master_kdc and iprop_master_ulogsize | Greg Hudson | 2 files | -4/+13
Use "primary_kdc" and "iprop_ulogsize" as the preferred names of the two relations. Fall back to the old keys if the new ones are not set.
ticket: 8921
2020-09-07 | Use the term "primary KDC" in source and docs | Greg Hudson | 17 files | -165/+167
Where it does not affect program behavior, use the term "primary KDC". This commit does not change any profile variables, DNS labels, pathnames, or externally visible identifiers, nor does it change the term "master key".
ticket: 8921 (new)
2020-09-02 | Unify kvno option documentation | Robbie Harwood | 1 file | -11/+13
Add missing kvno options to the kvno.rst synopsis and option descriptions, and to the kvno usage message. Remove mention of '-h' (help text) from kvno.rst as it is an implicit option. Note that the three new caching options were added in release 1.19. Indicate the two exclusions (-u/-S and --u2u with the S4U2Self options) and dependency (-P on S4U2Self) where they are missing.
Switch xusage() to print only a single localized string, rather than running each line of output through localization separately.
Leave kvno -C undocumented for now, as the semantics of KRB5_GC_CANONICALIZE are minimally useful and likely to change.
[ghudson@mit.edu: edited documentation and commit message]
ticket: 7476
tags: pullup
target_version: 1.18-next
2020-08-04 | Try kadmin/admin first in libkadm5clnt | Greg Hudson | 2 files | -12/+12
The MIT krb5 kadmin protocol originally used kadmin/admin as the service principal. Commits 493f0da5fbf92b0ac2f10e887706d1964d8a15e8 and 5cfaec38a8e8f1c4b76228ba0a252987af797ca4 changed it to use kadmin/hostname preferentially, with kadmin/admin as a fallback, for interoperability with the Solaris SEAM administrative protocol. Change the preference order so that kadmin/admin is tried first, with kadmin/hostname as a fallback.
ticket: 8934 (new)
2020-07-01 | Add GSS_KRB5_NT_X509_CERT name type | Isaac Boukris | 1 file | -0/+6
If this name type is used for the desired_name parameter of gss_acquire_cred_impersonate_name(), identify the S4U2Self user by certificate.
Co-authored with Purand Chand <pchand@vmware.com>.
[ghudson@mit.edu: added documentation; updated to use a boolean at the GSS layer rather than a new krb5 name type; rewrote commit message]
ticket: 8923 (new)
2020-06-23 | Add three kvno options from Heimdal kgetcred | Greg Hudson | 1 file | -0/+13
Add the flags --cached-only and --no-store, which pass the corresponding options to krb5_get_credentials(). Add the option --out-cache to write the retrieved credentials to a specified output cache.
Add a Python test script for kvno command-line options, including tests for the new options.
ticket: 8917 (new)
2020-05-29 | Default dns_canonicalize_hostname to "fallback" | Greg Hudson | 3 files | -33/+38
This change should mitigate some of the pain caused by the rdns=true default (generally associated with unwanted PTR records that cannot easily be changed), with a minimum of fallout. Update the documentation and tests accordingly.
In test environments, disable qualify_shortname and use the uncanonicalized system hostname (lowercased) to match the initial sn2princ result.
ticket: 8911 (new)
2020-05-27 | Fix doc build | Greg Hudson | 1 file | -0/+2
Commits 5975ab86bf0ab791282cf1103b8143cccd1034fd and 4f7c77b64a048ca5e3199b26b31493698c777a9c added constants to krb5.hin but did not update doc/appdev/refs/macros/index.rst.
2020-05-20 | Add client_aware_channel_bindings option | Isaac Boukris | 1 file | -0/+6
Add client support for KERB_AP_OPTIONS_CBT in the form of a profile option "client_aware_gss_bindings". Adjust the make_etype_list() helper so that enctype negotiation and AP_OPTIONS can be included in the same IF-RELEVANT wrapper.
[ghudson@mit.edu: refactored; edited documentation; wrote commit message]
ticket: 8900
2020-05-15 | Fix typo ("in in") in the ksu man page | Robbie Harwood | 1 file | -1/+1
2020-04-09 | Fix typo in SPAKE modprinc example | Daniel Albers | 1 file | -1/+1
ticket: 8896 (new)
tags: pullup
target_version: 1.18-next
2020-04-08 | Fix typos in documentation | Greg Hudson | 10 files | -43/+43
Correct documentation spelling errors detected using codespell. Reported by Jens Schleusener.
ticket: 8891
tags: pullup
target_version: 1.18-next
2020-03-17 | Document client keytab usage | Greg Hudson | 1 file | -0/+37
ticket: 8886 (new)
tags: pullup
target_version: 1.18-next
2020-03-09 | Update copyright years to 2020 | Greg Hudson | 3 files | -3/+3
2020-02-27 | Allow certauth modules to set hw-authent flag | Greg Hudson | 1 file | -2/+5
In PKINIT, if a certauth module returns KRB5_CERTAUTH_HWAUTH from its authorize method, set the hw-authent flag in the ticket.
ticket: 8879 (new)
2020-01-23 | Apply permitted_enctypes to KDC request enctypes | Robbie Harwood | 2 files | -8/+20
permitted_enctypes was initially intended only to restrict the processing of AP requests (and was later applied to KDB key data searches so that the KDC wouldn't issue a ticket it would refuse to accept). Because the documentation was never clear about its scope, many configurations assume that permitted_enctypes also applies to clients.
In light of the existing configurations, take the simple way out and use permitted_enctypes as the default for default_tkt_enctypes and default_tgs_enctypes. Update the documentation, add a test to explicitly check the new behavior, and remove now-unnecessary configuration from the test suite.
[ghudson@mit.edu: unrolled helper function; edited documentation and commit message; simplified test case]
ticket: 8869 (new)
tags: pullup
target_version: 1.18
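The practical consequence of the change above is that a client-side krb5.conf which only sets permitted_enctypes now also constrains the enctypes the client asks for in AS and TGS requests, whereas on releases before 1.18 it silently did not. The following [libdefaults] fragment is an added illustration, not a file from the krb5 tree: the enctype choice is an assumption (any enctypes the KDC supports would do), and the commented-out relations show the explicit settings a pre-1.18 configuration needed to get the same effect.

```ini
[libdefaults]
    # Releases before 1.18: this relation governed only which session-key
    # enctypes the library would accept in an AP-REQ (and, on the KDC,
    # which KDB keys it would search), so a client could still request
    # deprecated enctypes in its AS/TGS requests.  From 1.18 it is also
    # the default for default_tkt_enctypes and default_tgs_enctypes, so
    # one relation keeps the client off legacy enctypes as well.
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

    # Explicit values still take precedence when present.  On 1.18 and
    # later the two lines below are redundant with permitted_enctypes;
    # before 1.18 they were required for the restriction to reach
    # clients.
    # default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    # default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```

When auditing a configuration that was written against the older semantics, check whether it relies on permitted_enctypes alone; if it must also work on clients older than 1.18, keep the explicit default_tkt_enctypes and default_tgs_enctypes lines.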
2020-01-08 | Update features list for 1.18 | Greg Hudson | 1 file | -3/+65
2019-12-22 | Don't warn in kadmin when no policy is specified | Robbie Harwood | 3 files | -6/+6
Not having policy defined is a normal occurrence. While it's a useful message to log in case it's unexpected, the current form is unnecessarily alarmist.
ticket: 8857 (new)
2019-12-06 | Implement NegoEx | Luke Howard | 1 file | -0/+25
Implement draft-zhu-negoex. Mechanisms supporting the NegoEx GSS extensions will be negotiated only through NegoEx, unless they assert the GSS_C_MA_NEGOEX_AND_SPNEGO mech attribute, in which case they may also be negotiated directly via SPNEGO.
ticket: 8851
2019-12-06 | Qualify short hostnames when not using DNS | Greg Hudson | 1 file | -0/+9
When DNS forward canonicalization is turned off or fails, qualify single-component hostnames with the first DNS search domain. Add the qualify_shortname relation to override this suffix.
For one of the tests we need to disable qualification, which is accomplished with an empty value. Adjust k5test.py to correctly emit empty values when writing profiles.
ticket: 8855 (new)
2019-11-13 | Add enforce_ok_as_delegate setting | Viktor Dukhovni | 1 file | -0/+7
If this flag is set to true, then GSSAPI credential delegation will be disabled when the "ok-as-delegate" flag is not set in the service ticket.
Rebuild krb5.conf.man.
[ghudson@mit.edu: edited comments and documentation]
ticket: 8847 (new)
2019-10-21 | Fix missing field in /etc/gss/mech documentation | Greg Hudson | 1 file | -9/+11
/etc/gss/mech lines begin with a name field, but this field was not included in the format documentation.
ticket: 8839 (new)
tags: pullup
target_version: 1.17-next
2019-10-06 | Fix typo in default GSS mech config documentation | Greg Hudson | 1 file | -1/+1
Commit 2977b8e88002fc928a0ff3757098b34ca83645ef documented the wrong default GSS mechanism config filename. Reported by Dilyan Palauzov.
ticket: 8833
2019-09-27 | Remove some outdated iprop documentation | Greg Hudson | 1 file | -7/+1
Commit 969331732b62e73d1e073ff3ad87bf1774ee9fd1 (ticket 7369) removed the code to return UPDATE_BUSY if the database was modified within the last ten seconds, but did not remove the corresponding documentation text. Remove it now.
ticket: 8835 (new)
tags: pullup
target_version: 1.17-next
2019-09-23 | Correct a typo in database documentation | Дилян Палаузов | 1 file | -1/+1
2019-09-20 | Update supported_enctypes documentation | Robbie Harwood | 1 file | -1/+1
In commit 38a31852c3e58f6e2f6b3b035a87f817d1db5537, the aes-sha1 enctypes became the only defaults, but the documentation was not updated.
ticket: 8834 (new)
tags: pullup
target_version: 1.17-next
2019-09-19 | Update LDAP KDB module documentation | Greg Hudson | 5 files | -279/+84
Remove ldapbackend.rst, as it is largely redundant with conf_ldap.rst.
Simplify conf_ldap.rst, using kerberos.openldap.ldif (added by ticket 8529) and removing unnecessary command arguments. Mention the possibility of using SASL authentication (added by ticket 7944) as an alternative to binding with DN and password. Remove unnecessary access rights.
In kdc_conf.rst, remove ldap_servers from the list of relations read from [dbdefaults], as it is only read from the realm's database configuration section.
In kdb5_ldap_util.rst, document "-r" as a global parameter, as it applies in some fashion to all commands. Make the same changes to the kdb5_ldap_util usage message, and make it fit within 80 columns.
Reported by Dilyan Palauzov.
ticket: 8831 (new)
tags: pullup
target_version: 1.17-next
2019-09-19 | Add environment variable for GSS mech config | Greg Hudson | 4 files | -10/+18
If the environment variable GSS_MECH_CONFIG is set (and the process is not privileged), read it instead of /etc/gss/mech or files within /etc/gss/mech.d. Set GSS_MECH_CONFIG in test frameworks so that system configuration does not interfere with tests.
Fix documentation to indicate that the default mech config file is in sysconfdir, not necessarily /etc.
ticket: 8833 (new)
2019-09-12 | Fix doc build | Greg Hudson | 1 file | -0/+1
Commit c426ef2ca2ba45dbf96f5380cf7d153ec0679424 added KRB5_PADATA_PAC_OPTIONS to krb5.hin, but did not put it in an API index, causing a documentation build failure. Add it now.
ticket: 8479
2019-09-09 | Add API to get client account name from PAC | Isaac Boukris | 1 file | -0/+1
Add a krb5_pac_get_client_info() API to interpret the PAC_CLIENT_INFO buffer of a PAC. This API is needed by KDB plugin modules to set the reply client for cross-realm RBCD requests.
[ghudson@mit.edu: added doxygen comment; clarified commit message]
ticket: 8828 (new)
2019-09-09 | S4U2Proxy evidence tickets needn't be forwardable | Isaac Boukris | 1 file | -21/+14
With the introduction of resource-based constrained delegation, the absence of the forwardable flag no longer implies that a ticket cannot be used for constrained delegation requests. Instead, we should check in the PAC to see if the user is marked as sensitive, and error out in that case rather than making a failed request. But we don't always have access to the PAC and we currently do not have the code to retrieve this attribute from the PAC.
Since krb5_get_credentials_for_proxy() no longer needs to look at the decrypted ticket, change kvno to not require a keytab for constrained delegation.
[ghudson@mit.edu: made minor style changes and commit message edits; updated documentation]
ticket: 8479
2019-07-23 | Correct documentation of final profiles | Michael Mattioli | 1 file | -11/+5
The documentation for krb5.conf explaining final values is incorrect. Only sections and subsections may usefully be marked as final, and final designations only apply to later files, not to the same file.
[ghudson@mit.edu: corrected and shortened documentation; rewrote commit message]
ticket: 8821 (new)
tags: pullup
target_version: 1.17-next
2019-07-11 | Fix typos | Antoine Cœur | 1 file | -1/+1
2019-06-10 | Improve logging documentation | Greg Hudson | 1 file | -4/+7
The default severity was removed by commit 6ce8fd4cfa2e9b1e92debd204a5b2ddf053cca55 (ticket 8630) but the example still talks about it; remove that text. Add a note about the default being syslog if nothing else is specified, and a note on how to disable logging.
ticket: 8813 (new)
tags: pullup
target_version: 1.17-next
2019-06-07 | Update HTTP links | Michael Mattioli | 6 files | -17/+11
Move http links to https where appropriate. Update links which have moved. Remove a couple of links which no longer work and have no obvious replacement. Remove a link from a comment in the German translation which does not appear to be related to the message. [ghudson@mit.edu: adjusted changes; rewrote commit message]
2019-05-31 | Add KRB5RCACHENAME and default_rcache_name | Greg Hudson | 3 files | -21/+30
In krb5_get_server_rcache(), stop constructing a residual value based on piece and the euid, and instead resolve the default replay cache (previously an unused operation, as krb5_rc_default() was not part of the API and was never used).
To determine the default replay cache name, try the KRB5RCACHENAME environment variable first, and then try KRB5RCACHETYPE for compatibility. If neither of those environment variables is set, try the default_rcache_name profile relation in [libdefaults] before falling back to "dfl:".
ticket: 8786
2019-05-31 | Use file2 replay cache by default | Greg Hudson | 1 file | -9/+18
Remove the existing default replay cache implementation and replace it with a wrapper around the file2 replay cache code. Change the filename to krb5_EUID.rcache2, ignoring the residual (and therefore the server principal name). On Windows, use the local appdata directory if KRB5RCACHEDIR is not set in the environment.
ticket: 8786
2019-05-31 | Add file2 rcache type | Greg Hudson | 3 files | -7/+68
Add a new replay cache type using a hash-based file format.
ticket: 8786
2019-05-28 | Remove support for single-DES and CRC | Robbie Harwood | 7 files | -51/+31
Single-DES removal brings us closer to compliance with RFC 6649. Single-DES was disabled by default starting in release 1.8, and user-visible deprecation warnings were issued starting in release 1.17.
ticket: 8808
2019-05-28 | Remove the v4 and afs3 salt types | Robbie Harwood | 1 file | -2/+0
In preparation for removing single-DES support, remove the v4 and afs3 salt types. The afs3 salt type could only be used with single-DES keys, and the v4 salt type was only useful for single-DES keys from krb4 databases.
[ghudson@mit.edu: wrote commit message]
ticket: 8808
2019-05-20 | Update default krb5kdc mkey manual-entry enctype | Robbie Harwood | 1 file | -1/+1
Change from the legacy des-cbc-crc to the default for kdb5_util and kadmind, which is currently aes256-cts-hmac-sha1-96.
2019-05-20 | Modernize example enctypes in documentation | Robbie Harwood | 5 files | -23/+18
ticket: 8805 (new)
2019-05-20 | Mark the doc/kadm5 tex files as historic | Robbie Harwood | 5 files | -19/+18
Remove rcsid.sty and the uses of the \rcsId macro as git does not perform the keyword expansion necessary to make it work. Add comments indicating the historic status of the kadm5 documentation. [ghudson@mit.edu: fix the tex files instead of marking them as non-building]
2019-05-13 | Remove checksum type profile variables | Robbie Harwood | 1 file | -37/+0
Remove support for the krb5.conf relations ap_req_checksum_type, kdc_req_checksum_type, and safe_checksum_type. These values were useful for interoperating with very old KDCs, which should no longer be deployed.
Additionally, kdc_req_checksum_type was incorrectly documented as only applying to single-DES keys; in practice it also worked for RC4. The other two were not clearly documented, but safe_checksum_type did allow use of hmac-md5-rc4 for any enctype, and ap_req_checksum_type did not impose any limitations.
[ghudson@mit.edu: edited commit message]
ticket: 8804 (new)
2019-05-06 | Remove outdated text in krb5kdc/kadmind man pages | Greg Hudson | 2 files | -5/+2
Some init systems, such as systemd, can run daemon processes in the foreground, so admonishments to let krb5kdc and kadmind background themselves in normal operation can be confusing. Remove those sentences.
ticket: 8802 (new)
tags: pullup
target_version: 1.17-next