From rt-comment at krbdev.mit.edu  Wed Apr  1 14:25:03 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Wed,  1 Apr 2009 18:25:03 +0000 (UTC)
Subject: [krbdev.mit.edu #1624] SVN Commit 
In-Reply-To: <rt-1624@krbdev.mit.edu>
Message-ID: <rt-1624-30801.8.35524116719419@krbdev.mit.edu>


Use the preferred checksum for non-DES keys in the kdc_req path and
all the time in the ap_req checksum path.  This breaks code to support
DCE versions prior to 1.1 but uses the correct checksum for protocol
compatibility.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22154
Commit By: hartmans
Revision: 22154
Changed Files:
U   trunk/doc/admin.texinfo
U   trunk/src/config-files/krb5.conf.M
U   trunk/src/lib/krb5/krb/mk_req_ext.c
U   trunk/src/lib/krb5/krb/send_tgs.c


From rt-comment at krbdev.mit.edu  Wed Apr  1 15:33:27 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed,  1 Apr 2009 19:33:27 +0000 (UTC)
Subject: [krbdev.mit.edu #6108] A client can fail to get initial creds if it
	changes the password while doing so. 
In-Reply-To: <rt-6108@krbdev.mit.edu>
Message-ID: <rt-6108-30802.1.89688465774921@krbdev.mit.edu>

Hi, sorry to take so long to look into this, and thanks for your report.
 I haven't tried reproducing your problem, so apologies if I'm just
confusing myself, but I don't see how your scenario can pan out.  Here
is what I would expect to happen:

1. Client contacts slave KDC, gets KRB5KDC_ERR_KEY_EXP.

2. Client retries with master KDC, setting use_master to 1 (line 159). 
It gets back KRB5KDC_ERR_KEY_EXP again.  Because that value is not one
of KRB5_KDC_UNREACH, KRB5_REALM_CANT_RESOLVE, or KRB5_REALM_UNKNOWN
(line 178), use_master remains 1.

3. Client gets kadmin/changepw tickets from the master, because
use_master is still 1.

4. Client changes password.

5. Client gets a TGT from the master (use_master is still 1).

Your suggested solution would only take effect in a more unlikely
scenario, where in step 2 the client is unable to contact the master KDC
and thus resets use_master to 0, but is able to change the password.

The other part of your bug report appears to be that preauth can fail
when talking to a slave with an out-of-date key.  I can see how that
might be true but want to talk about it with other people first.

From rt-comment at krbdev.mit.edu  Wed Apr  1 17:16:17 2009
From: rt-comment at krbdev.mit.edu (nalin@redhat.com via RT)
Date: Wed,  1 Apr 2009 21:16:17 +0000 (UTC)
Subject: [krbdev.mit.edu #6108] A client can fail to get initial creds if
	it changes the password while doing so.
In-Reply-To: <rt-6108@krbdev.mit.edu>
Message-ID: <rt-6108-30804.19.8575262451957@krbdev.mit.edu>

On Wed, Apr 01, 2009 at 07:33:27PM +0000, Greg Hudson via RT wrote:
> Your suggested solution would only take effect in a more unlikely
> scenario, where in step 2 the client is unable to contact the master KDC
> and thus resets use_master to 0, but is able to change the password.

The variation I've seen is that there isn't an explicitly called-out
master, but several kdcs and one or more kpasswd_servers, or more likely
an admin_server.

The client attempts to get creds from a KDC, and fails, noting that the
key is expired.  It's not able to resolve a master KDC for the realm, so
it resets use_master to 0.  It continues on to get password-changing
creds and changes the password (the password change routine looks for a
kpasswd server, and falls back to an admin server, so this works).  The
client then attempts to get creds, and because it's still talking to the
original server, it fails.

> The other part of your bug report appears to be that preauth can fail
> when talking to a slave with an out-of-date key.  I can see how that
> might be true but want to talk about it with other people first.

Sure, no problem.

Thanks,

Nalin


From rt-comment at krbdev.mit.edu  Wed Apr  1 19:21:33 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed,  1 Apr 2009 23:21:33 +0000 (UTC)
Subject: [krbdev.mit.edu #6108] A client can fail to get initial creds if it
	changes the password while doing so. 
In-Reply-To: <rt-6108@krbdev.mit.edu>
Message-ID: <rt-6108-30805.9.08502899552786@krbdev.mit.edu>

In that variation, won't your proposed fix just fail to contact a master
KDC again, as it did earlier in step 2?

From rt-comment at krbdev.mit.edu  Wed Apr  1 22:46:12 2009
From: rt-comment at krbdev.mit.edu (nalin@redhat.com via RT)
Date: Thu,  2 Apr 2009 02:46:12 +0000 (UTC)
Subject: [krbdev.mit.edu #6108] A client can fail to get initial creds if
	it changes the password while doing so.
In-Reply-To: <rt-6108@krbdev.mit.edu>
Message-ID: <rt-6108-30806.19.6857105574052@krbdev.mit.edu>

On Wed, Apr 01, 2009 at 11:21:33PM +0000, Greg Hudson via RT wrote:
> In that variation, won't your proposed fix just fail to contact a master
> KDC again, as it did earlier in step 2?

Yeah, walking through it again, either I'm missing something now, or I
missed that use_master wasn't being reset when the password was changed
inside of krb5_get_init_creds_password().

The part about continuing on in the face of a preauth-failed error from
a slave KDC still reads right, though.  For cases where libkrb5's been
told to not handle the password change internally, the caller gets a
key-expired error, changes the password by calling krb5_change_password()
directly, and subsequently can't get new creds.

Thanks,

Nalin


From rt-comment at krbdev.mit.edu  Thu Apr  2 19:30:29 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Thu,  2 Apr 2009 23:30:29 +0000 (UTC)
Subject: [krbdev.mit.edu #1624] SVN Commit 
In-Reply-To: <rt-1624@krbdev.mit.edu>
Message-ID: <rt-1624-30807.11.3694748848891@krbdev.mit.edu>


Fix krshd and krlogind to use krb5_c_verify_checksum.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22159
Commit By: tlyu
Revision: 22159
Changed Files:
U   trunk/src/appl/bsd/krlogind.c
U   trunk/src/appl/bsd/krshd.c


From rt-comment at krbdev.mit.edu  Thu Apr  2 23:33:03 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Fri,  3 Apr 2009 03:33:03 +0000 (UTC)
Subject: [krbdev.mit.edu #1624] SVN Commit 
In-Reply-To: <rt-1624@krbdev.mit.edu>
Message-ID: <rt-1624-30808.10.8263542883312@krbdev.mit.edu>


Unfortunately, pre-1.7 krshd fails to support keyed checksums because
it uses the wrong API and wrong key usage.  So, if the auth_context
has an explicit checksum type set, then respect that.  kcmd sets such
a checksum type.  Also, because other applications may have the same
problem, allow the config file variable if set to override the default
checksum.

* kcmd.c: Force use of rsa_md5
* init_ctx.c: do not default  to md5
* mk_req_ext.c: allow auth_context to override

http://src.mit.edu/fisheye/changelog/krb5/?cs=22160
Commit By: hartmans
Revision: 22160
Changed Files:
U   trunk/doc/admin.texinfo
U   trunk/src/appl/bsd/kcmd.c
U   trunk/src/config-files/krb5.conf.M
U   trunk/src/lib/krb5/krb/init_ctx.c
U   trunk/src/lib/krb5/krb/mk_req_ext.c


From rt-comment at krbdev.mit.edu  Fri Apr  3 00:03:47 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Fri,  3 Apr 2009 04:03:47 +0000 (UTC)
Subject: [krbdev.mit.edu #6436] SVN Commit 
In-Reply-To: <rt-6436@krbdev.mit.edu>
Message-ID: <rt-6436-30809.15.1026338253384@krbdev.mit.edu>


Merge fast branch at 22166 onto trunk

http://src.mit.edu/fisheye/changelog/krb5/?cs=22167
Commit By: hartmans
Revision: 22167
Changed Files:
U   trunk/src/include/k5-int.h
U   trunk/src/kdc/do_as_req.c
U   trunk/src/kdc/do_tgs_req.c
U   trunk/src/kdc/fast_util.c
U   trunk/src/kdc/kdc_preauth.c
U   trunk/src/kdc/kdc_util.c
U   trunk/src/kdc/kdc_util.h
U   trunk/src/lib/crypto/arcfour/arcfour.c
U   trunk/src/lib/crypto/arcfour/arcfour.h
U   trunk/src/lib/crypto/etypes.c
U   trunk/src/lib/krb5/asn.1/asn1_k_encode.c
U   trunk/src/lib/krb5/asn.1/krb5_decode.c
U   trunk/src/lib/krb5/krb/Makefile.in
U   trunk/src/lib/krb5/krb/fast.c
U   trunk/src/lib/krb5/krb/fast.h
U   trunk/src/lib/krb5/krb/get_in_tkt.c
U   trunk/src/lib/krb5/krb/kfree.c
U   trunk/src/lib/krb5/krb/preauth2.c
A   trunk/src/lib/krb5/krb/t_ad_fx_armor.c
U   trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c


From rt-comment at krbdev.mit.edu  Fri Apr  3 01:36:27 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Fri,  3 Apr 2009 05:36:27 +0000 (UTC)
Subject: [krbdev.mit.edu #6438] SVN Commit 
In-Reply-To: <rt-6438@krbdev.mit.edu>
Message-ID: <rt-6438-30810.13.9838457115209@krbdev.mit.edu>


RFC 4120 requires that if a subkey is present in the TGS request that
authorization data be encrypted in the subkey.  Our KDC did not handle
this correctly.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22168
Commit By: hartmans
Revision: 22168
Changed Files:
U   trunk/src/kdc/kdc_authdata.c


From rt-comment at krbdev.mit.edu  Fri Apr  3 23:03:06 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Sat,  4 Apr 2009 03:03:06 +0000 (UTC)
Subject: [krbdev.mit.edu #6436] SVN Commit 
In-Reply-To: <rt-6436@krbdev.mit.edu>
Message-ID: <rt-6436-30815.19.3215466764038@krbdev.mit.edu>


fix logic errors

http://src.mit.edu/fisheye/changelog/krb5/?cs=22170
Commit By: hartmans
Revision: 22170
Changed Files:
U   trunk/src/kdc/fast_util.c
U   trunk/src/lib/krb5/krb/get_in_tkt.c


From rt-comment at krbdev.mit.edu  Sun Apr  5 17:11:28 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Sun,  5 Apr 2009 21:11:28 +0000 (UTC)
Subject: [krbdev.mit.edu #6439] SVN Commit 
In-Reply-To: <rt-6439@krbdev.mit.edu>
Message-ID: <rt-6439-30832.19.6271300509786@krbdev.mit.edu>


Most of the KDC side of TGS FAST was already present.  This adds
correct generation of the reply key.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22171
Commit By: hartmans
Revision: 22171
Changed Files:
U   trunk/src/kdc/do_tgs_req.c


From rt-comment at krbdev.mit.edu  Tue Apr  7 08:09:10 2009
From: rt-comment at krbdev.mit.edu (The RT System itself via RT)
Date: Tue,  7 Apr 2009 12:09:10 +0000 (UTC)
Subject: [krbdev.mit.edu #6441] PRF doesn't work under des3-cbc-hmac-sha1-kd 
In-Reply-To: <rt-6441@krbdev.mit.edu>
Message-ID: <rt-6441-30838.3.89233110549206@krbdev.mit.edu>

>From krb5-bugs-incoming-bounces at PCH.mit.edu  Tue Apr  7 12:09:09 2009
Return-Path: <krb5-bugs-incoming-bounces at PCH.mit.edu>
X-Original-To: krb5-send-pr-nospam1 at krbdev.mit.edu
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
	by krbdev.mit.edu (Postfix) with ESMTP id 777BBCCF17;
	Tue,  7 Apr 2009 12:09:07 +0000 (UTC)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n37C97MU014012;
	Tue, 7 Apr 2009 08:09:07 -0400
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
	[18.7.21.83])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n3706jH1031632
	for <krb5-bugs-incoming at PCH.mit.edu>; Mon, 6 Apr 2009 20:06:47 -0400
Received: from mit.edu (W92-130-BARRACUDA-3.MIT.EDU [18.7.21.224])
	by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id
	n3706Vlx017257
	for <krb5-bugs at mit.edu>; Mon, 6 Apr 2009 20:06:32 -0400 (EDT)
Received: from bahamut.akisada.net (localhost [127.0.0.1])
	by mit.edu (Spam Firewall) with ESMTP id 9D0A8186F8CD
	for <krb5-bugs at mit.edu>; Mon,  6 Apr 2009 20:06:29 -0400 (EDT)
Received: from bahamut.akisada.net (120.145.221.202.bf.2iij.net
	[202.221.145.120]) by mit.edu with ESMTP id u9hTNcseauoHPkgq
	(version=TLSv1 cipher=AES256-SHA bits=256 verify=NO) for
	<krb5-bugs at mit.edu>; Mon, 06 Apr 2009 20:06:28 -0400 (EDT)
Received: from bahamut.akisada.net (localhost [127.0.0.1])
	by bahamut.akisada.net (8.14.2/8.14.2) with ESMTP id n3706Opn002159;
	Tue, 7 Apr 2009 09:06:24 +0900 (JST) (envelope-from akisada at tahi.org)
Received: (from akisada at localhost)
	by bahamut.akisada.net (8.14.2/8.14.2/Submit) id n3706OGw002158;
	Tue, 7 Apr 2009 09:06:24 +0900 (JST) (envelope-from akisada at tahi.org)
Date: Tue, 7 Apr 2009 09:06:24 +0900 (JST)
Message-Id: <200904070006.n3706OGw002158 at bahamut.akisada.net>
X-Authentication-Warning: bahamut.akisada.net: akisada set sender to
	akisada at tahi.org using -f
To: krb5-bugs at mit.edu
Subject: PRF for des3-cbc-hmac-sha1-kd
From: Yukiyo <akisada at tahi.org>
X-send-pr-version: 3.99
X-Spam-Score: 0.22
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Tue, 07 Apr 2009 08:09:03 -0400
Cc: akisada at tahi.org
X-BeenThere: krb5-bugs-incoming at mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: akisada at tahi.org
Sender: krb5-bugs-incoming-bounces at PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces at PCH.mit.edu


>Submitter-Id:	net
>Originator:	Yukiyo Akisada
>Organization:
	TAHI Project
>Confidential:	no
>Synopsis:	PRF doesn't work under des3-cbc-hmac-sha1-kd
>Severity:	serious
>Priority:	medium
>Category:	krb5-libs
>Class:		sw-bug
>Release:	1.6.3
>Environment:
	Panasonic Let's Note CF-R7, FreeBSD 7.0-RELEASE-p6, Kerberos client, p5-Authen-Krb5-1.8/krb5-1.6.3_5 (installed from FreeBSD ports system)
System: FreeBSD bahamut.akisada.net 7.0-RELEASE-p6 FreeBSD 7.0-RELEASE-p6 #0: Tue Dec 9 16:22:14 JST 2008 akisada at bahamut.akisada.net:/usr/obj/usr/src/sys/TAHI i386


>Description:
	Hi, all.
	
	I may misunderstand RFC 3961,
	but in my understanding, des3-cbc-hmac-sha1-kd (etype=16) uses
	PRF on Simplified Profile as its pseudo-random function.
	
	Now, I want to use PRF function
	from Krb5-1.8 perl module which is based on MIT krb5-1.6.3 implementation.
	
	    Krb5: <http://search.cpan.org/dist/Krb5/>
	
	But, PRF function for ENCTYPE_DES3_CBC_SHA1 has not be
	defined in <krb5-1.6.3/src/lib/crypto/etypes.c>.
	
	Indeed,
	I need some modification into Krb5-1.8 to export prf function from krb5-1.6.3,
	but I also need the following modification into krb5-1.6.3.
	
	In this moment,
	the following modification (described at Fix: section) matches with my expected behavior,
	but I'm not sure whether this modification against krb5-1.6.3 is correct or not.
	
	Please investigate this.

	Thanks,
>How-To-Repeat:
	just by calling krb5_c_prf() function under des3-cbc-hmac-sha1-kd
>Fix:
	--- krb5-1.6.3/src/lib/crypto/etypes.c.orig 2009-04-01 17:02:56.000000000 +0900
	+++ krb5-1.6.3/src/lib/crypto/etypes.c  2009-04-01 14:42:01.000000000 +0900
	@@ -94,26 +94,26 @@
	     { ENCTYPE_DES3_CBC_SHA1,
	       "des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
	       &krb5int_enc_des3, &krb5int_hash_sha1,
	-      8,
	+      16,
	       krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
	       krb5int_dk_string_to_key,
	-      NULL, /*PRF*/
	+      krb5int_dk_prf, /*PRF*/
	       CKSUMTYPE_HMAC_SHA1_DES3 },
	     { ENCTYPE_DES3_CBC_SHA1,   /* alias */
	       "des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
	       &krb5int_enc_des3, &krb5int_hash_sha1,
	-      8,
	+      16,
	       krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
	       krb5int_dk_string_to_key,
	-      NULL, /*PRF*/
	+      krb5int_dk_prf, /*PRF*/
	       CKSUMTYPE_HMAC_SHA1_DES3 },
	     { ENCTYPE_DES3_CBC_SHA1,   /* alias */
	       "des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
	       &krb5int_enc_des3, &krb5int_hash_sha1,
	-      8,
	+      16,
	       krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
	       krb5int_dk_string_to_key,
	-      NULL, /*PRF*/
	+      krb5int_dk_prf, /*PRF*/
	       CKSUMTYPE_HMAC_SHA1_DES3 },
	
	     { ENCTYPE_DES_HMAC_SHA1,


From rt-comment at krbdev.mit.edu  Tue Apr  7 08:09:10 2009
From: rt-comment at krbdev.mit.edu (The RT System itself via RT)
Date: Tue,  7 Apr 2009 12:09:10 +0000 (UTC)
Subject: [krbdev.mit.edu #6440] PRF doesn't work under des3-cbc-hmac-sha1-kd
	environment 
In-Reply-To: <rt-6440@krbdev.mit.edu>
Message-ID: <rt-6440-30837.10.1260222409135@krbdev.mit.edu>

>From krb5-bugs-incoming-bounces at PCH.mit.edu  Tue Apr  7 12:09:10 2009
Return-Path: <krb5-bugs-incoming-bounces at PCH.mit.edu>
X-Original-To: krb5-send-pr-nospam1 at krbdev.mit.edu
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
	by krbdev.mit.edu (Postfix) with ESMTP id 6F74ECCF14;
	Tue,  7 Apr 2009 12:09:07 +0000 (UTC)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n37C97Gd014009;
	Tue, 7 Apr 2009 08:09:07 -0400
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
	[18.7.7.76])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n368GZ8F030757
	for <krb5-bugs-incoming at PCH.mit.edu>; Mon, 6 Apr 2009 04:16:35 -0400
Received: from mit.edu (W92-130-BARRACUDA-2.MIT.EDU [18.7.21.223])
	by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id
	n368GQex023172
	for <krb5-bugs at mit.edu>; Mon, 6 Apr 2009 04:16:26 -0400 (EDT)
Received: from localhost.tahi.org (localhost [127.0.0.1])
	by mit.edu (Spam Firewall) with ESMTP id E097315A7B36
	for <krb5-bugs at mit.edu>; Mon,  6 Apr 2009 04:16:25 -0400 (EDT)
Received: from localhost.tahi.org (120.145.221.202.bf.2iij.net
	[202.221.145.120]) by mit.edu with ESMTP id 7DhTUi4C6gHq7Gil
	(version=TLSv1 cipher=AES256-SHA bits=256 verify=NO) for
	<krb5-bugs at mit.edu>; Mon, 06 Apr 2009 04:16:24 -0400 (EDT)
Received: from localhost.tahi.org (localhost [127.0.0.1])
	by localhost.tahi.org (8.14.2/8.14.2) with ESMTP id n368G7WA017631;
	Mon, 6 Apr 2009 17:16:07 +0900 (JST)
	(envelope-from akisada at localhost.tahi.org)
Received: (from akisada at localhost)
	by localhost.tahi.org (8.14.2/8.14.2/Submit) id n368G7Gn017630;
	Mon, 6 Apr 2009 17:16:07 +0900 (JST) (envelope-from akisada)
Date: Mon, 6 Apr 2009 17:16:07 +0900 (JST)
Message-Id: <200904060816.n368G7Gn017630 at localhost.tahi.org>
To: krb5-bugs at mit.edu
Subject: PRF for des3-cbc-hmac-sha1-kd
From: Yukiyo Akisada <akisada at tahi.org>
X-send-pr-version: 3.99
X-Spam-Score: 0.737
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Tue, 07 Apr 2009 08:09:03 -0400
Cc: akisada at tahi.org
X-BeenThere: krb5-bugs-incoming at mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: akisada at tahi.org
Sender: krb5-bugs-incoming-bounces at PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces at PCH.mit.edu


>Submitter-Id:	net
>Originator:	Yukiyo Akisada
>Organization:
	TAHI Project
>Confidential:	no
>Synopsis:	PRF doesn't work under des3-cbc-hmac-sha1-kd environment
>Severity:	serious
>Priority:	medium
>Category:	krb5-libs
>Class:		sw-bug
>Release:	1.6.3
>Environment:
	Panasonic CF-R7, FreeBSD 7.0-RELEASE-p6, krb5-1.6.3_5 (installed from FreeBSD ports system)
System: FreeBSD localhost.tahi.org 7.0-RELEASE-p6 FreeBSD 7.0-RELEASE-p6 #0: Tue Dec 9 16:22:14 JST 2008 akisada at bahamut.akisada.net:/usr/obj/usr/src/sys/TAHI i386


>Description:
	Hi, all.
	
	I may misunderstand RFC 3961,
	but in my understanding, des3-cbc-hmac-sha1-kd (etype=16) uses
	PRF on Simplified Profile as its pseudo-random function.
	
	Now, I want to use PRF function
	from Krb5-1.8 perl module which is based on MIT krb5-1.6.3 implementation.
	
	    Krb5: <http://search.cpan.org/dist/Krb5/>
	
	But, PRF function for ENCTYPE_DES3_CBC_SHA1 has not be
	defined in <krb5-1.6.3/src/lib/crypto/etypes.c>.
	
	Indeed,
	I need some modification into Krb5-1.8 to export prf function from krb5-1.6.3,
	but I also need the following modification into krb5-1.6.3.
	
	In this moment,
	the following modification (at Fix section) matches with my expected behavior,
	but I'm not sure whether this modification against krb5-1.6.3 is correct or not.
	
	Please investigate this.

	Thanks,

>How-To-Repeat:
	just by calling krb5_c_prf() function under des3-cbc-hmac-sha1-kd
>Fix:
	--- krb5-1.6.3/src/lib/crypto/etypes.c.orig 2009-04-01 17:02:56.000000000 +0900
	+++ krb5-1.6.3/src/lib/crypto/etypes.c  2009-04-01 14:42:01.000000000 +0900
	@@ -94,26 +94,26 @@
	     { ENCTYPE_DES3_CBC_SHA1,
	       "des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
	       &krb5int_enc_des3, &krb5int_hash_sha1,
	-      8,
	+      16,
	       krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
	       krb5int_dk_string_to_key,
	-      NULL, /*PRF*/
	+      krb5int_dk_prf, /*PRF*/
	       CKSUMTYPE_HMAC_SHA1_DES3 },
	     { ENCTYPE_DES3_CBC_SHA1,   /* alias */
	       "des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
	       &krb5int_enc_des3, &krb5int_hash_sha1,
	-      8,
	+      16,
	       krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
	       krb5int_dk_string_to_key,
	-      NULL, /*PRF*/
	+      krb5int_dk_prf, /*PRF*/
	       CKSUMTYPE_HMAC_SHA1_DES3 },
	     { ENCTYPE_DES3_CBC_SHA1,   /* alias */
	       "des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
	       &krb5int_enc_des3, &krb5int_hash_sha1,
	-      8,
	+      16,
	       krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
	       krb5int_dk_string_to_key,
	-      NULL, /*PRF*/
	+      krb5int_dk_prf, /*PRF*/
	       CKSUMTYPE_HMAC_SHA1_DES3 },
	
	     { ENCTYPE_DES_HMAC_SHA1,


From rt-comment at krbdev.mit.edu  Tue Apr  7 10:47:53 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Tue,  7 Apr 2009 14:47:53 +0000 (UTC)
Subject: [krbdev.mit.edu #6440] PRF doesn't work under
	des3-cbc-hmac-sha1-kd environment
In-Reply-To: <rt-6440@krbdev.mit.edu>
Message-ID: <rt-6440-30841.7.92360732857539@krbdev.mit.edu>

Based on the discussions on the ietf-krb-wg list, I'd expect the DES3
PRF output to be 8 bytes not 16.
What environment do you have where  you would expect 16 bytes.


From rt-comment at krbdev.mit.edu  Tue Apr  7 13:57:58 2009
From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT)
Date: Tue,  7 Apr 2009 17:57:58 +0000 (UTC)
Subject: [krbdev.mit.edu #6442] SVN Commit 
In-Reply-To: <rt-6442@krbdev.mit.edu>
Message-ID: <rt-6442-30843.8.5165641464507@krbdev.mit.edu>


Clearly the code is broken - and we either never use it - or callers never pass
NULL...

Detected by clang static checker.



http://src.mit.edu/fisheye/changelog/krb5/?cs=22172
Commit By: epeisach
Revision: 22172
Changed Files:
U   trunk/src/util/ss/help.c


From rt-comment at krbdev.mit.edu  Tue Apr  7 17:22:14 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue,  7 Apr 2009 21:22:14 +0000 (UTC)
Subject: [krbdev.mit.edu #6402] SVN Commit 
In-Reply-To: <rt-6402@krbdev.mit.edu>
Message-ID: <rt-6402-30848.16.4678095940715@krbdev.mit.edu>


Apply revised patch from Apple that ensures that a REJECT token is
sent on error.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22173
Commit By: tlyu
Revision: 22173
Changed Files:
U   trunk/src/lib/gssapi/spnego/spnego_mech.c


From rt-comment at krbdev.mit.edu  Tue Apr  7 17:22:18 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue,  7 Apr 2009 21:22:18 +0000 (UTC)
Subject: [krbdev.mit.edu #6443] SVN Commit 
In-Reply-To: <rt-6443@krbdev.mit.edu>
Message-ID: <rt-6443-30849.17.94060817065@krbdev.mit.edu>


SPNEGO can read beyond the end of a buffer if the claimed DER length
exceeds the number of bytes in the input buffer. This can lead to
crash or information disclosure.

Thanks to Apple for reporting this vulnerability and providing
patches.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22174
Commit By: tlyu
Revision: 22174
Changed Files:
U   trunk/src/lib/gssapi/spnego/spnego_mech.c


From rt-comment at krbdev.mit.edu  Tue Apr  7 17:22:21 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue,  7 Apr 2009 21:22:21 +0000 (UTC)
Subject: [krbdev.mit.edu #6444] SVN Commit 
In-Reply-To: <rt-6444@krbdev.mit.edu>
Message-ID: <rt-6444-30854.8.03150015494133@krbdev.mit.edu>


asn1buf_imbed() can perform pointer arithmetic that causes the "bound"
pointer of the subbuffer to be less than the "next" pointer.  This can
lead to malloc() failure or crash.

In asn1buf_imbed(), check the length before doing arithmetic to set
subbuf->bound.  In asn1buf_remove_octetstring() and
asn1buf_remove_charstring(), check for invalid buffer pointers before
executing an unsigned length check against a (casted to size_t)
negative number.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22175
Commit By: tlyu
Revision: 22175
Changed Files:
U   trunk/src/lib/krb5/asn.1/asn1buf.c


From rt-comment at krbdev.mit.edu  Tue Apr  7 17:22:24 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue,  7 Apr 2009 21:22:24 +0000 (UTC)
Subject: [krbdev.mit.edu #6445] SVN Commit 
In-Reply-To: <rt-6445@krbdev.mit.edu>
Message-ID: <rt-6445-30859.15.2620905971369@krbdev.mit.edu>


The asn1_decode_generaltime() function can free an uninitialized
pointer if asn1buf_remove_charstring() fails.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22176
Commit By: tlyu
Revision: 22176
Changed Files:
U   trunk/src/lib/krb5/asn.1/asn1_decode.c
U   trunk/src/tests/asn.1/krb5_decode_test.c


From rt-comment at krbdev.mit.edu  Tue Apr  7 21:22:52 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed,  8 Apr 2009 01:22:52 +0000 (UTC)
Subject: [krbdev.mit.edu #6446] SVN Commit 
In-Reply-To: <rt-6446@krbdev.mit.edu>
Message-ID: <rt-6446-30865.15.7223678527614@krbdev.mit.edu>


pull up rxxxxx from trunk

SPNEGO can read beyond the end of a buffer if the claimed DER length
exceeds the number of bytes in the input buffer. This can lead to
crash or information disclosure.

Thanks to Apple for reporting this vulnerability and providing
patches.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22179
Commit By: tlyu
Revision: 22179
Changed Files:
U   branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c


From rt-comment at krbdev.mit.edu  Tue Apr  7 21:22:58 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed,  8 Apr 2009 01:22:58 +0000 (UTC)
Subject: [krbdev.mit.edu #6447] SVN Commit 
In-Reply-To: <rt-6447@krbdev.mit.edu>
Message-ID: <rt-6447-30870.16.4557262890255@krbdev.mit.edu>


pull up rxxxx from trunk

asn1buf_imbed() can perform pointer arithmetic that causes the "bound"
pointer of the subbuffer to be less than the "next" pointer.  This can
lead to malloc() failure or crash.

In asn1buf_imbed(), check the length before doing arithmetic to set
subbuf->bound.  In asn1buf_remove_octetstring() and
asn1buf_remove_charstring(), check for invalid buffer pointers before
executing an unsigned length check against a (casted to size_t)
negative number.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22180
Commit By: tlyu
Revision: 22180
Changed Files:
U   branches/krb5-1-6/src/lib/krb5/asn.1/asn1buf.c


From rt-comment at krbdev.mit.edu  Tue Apr  7 21:22:46 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed,  8 Apr 2009 01:22:46 +0000 (UTC)
Subject: [krbdev.mit.edu #6426] SVN Commit 
In-Reply-To: <rt-6426@krbdev.mit.edu>
Message-ID: <rt-6426-30864.11.7976732885679@krbdev.mit.edu>


Apply revised patch from Apple that ensures that a REJECT token is
sent on error.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22178
Commit By: tlyu
Revision: 22178
Changed Files:
U   branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c


From rt-comment at krbdev.mit.edu  Tue Apr  7 21:23:05 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed,  8 Apr 2009 01:23:05 +0000 (UTC)
Subject: [krbdev.mit.edu #6448] SVN Commit 
In-Reply-To: <rt-6448@krbdev.mit.edu>
Message-ID: <rt-6448-30876.5.48749636935348@krbdev.mit.edu>


pull up rxxxx from trunk

The asn1_decode_generaltime() function can free an uninitialized
pointer if asn1buf_remove_charstring() fails.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22181
Commit By: tlyu
Revision: 22181
Changed Files:
U   branches/krb5-1-6/src/lib/krb5/asn.1/asn1_decode.c
U   branches/krb5-1-6/src/tests/asn.1/krb5_decode_test.c


From rt-comment at krbdev.mit.edu  Wed Apr  8 04:18:11 2009
From: rt-comment at krbdev.mit.edu (akisada@tahi.org via RT)
Date: Wed,  8 Apr 2009 08:18:11 +0000 (UTC)
Subject: [krbdev.mit.edu #6441] Re: [krbdev.mit.edu #6440] PRF doesn't work
	under des3-cbc-hmac-sha1-kd environment 
In-Reply-To: <rt-6441@krbdev.mit.edu>
Message-ID: <rt-6441-30882.3.92595299034795@krbdev.mit.edu>

Hi, Sam.

Actually, I'm developping RFC 4430 (KINK) protocol conformance tester
which uses krb5-1.6.3 as the Kerberos engine.
And I'm using kinkd in Racoon2 as the counterpart implementation now.

    * Racoon2 is IKEv1/IKEv2/KINK IPsec daemon developped by The Racoon2
      Project which is one of WGs in WIDE Project in Japan.

        <http://www.racoon2.wide.ad.jp/>

Racoon2 has its own PRF function, and the function expects 16 bytes PRF.

Now, I changed prf_length from 16 bytes to 8 bytes
in krb5_enctypes_list for ENCTYPE_DES3_CBC_SHA1 on my side (MIT Kerberos
implementation).
But I think that MIT Kerberos implementation itself still expects 16
bytes PRF.

I performed following 2 tests under this environment.

    test 1)

        When I use 8 bytes output buffer for generated PRF,
        following validation is not passed.

        <krb5-1.6.3/src/lib/crypto/enc_provider/des3.c: validate_and_schedule()>
        43     if (input->length != output->length)
        44         return(KRB5_BAD_MSIZE);

    test 2)

        When I expect 16 bytes output buffer for generated PRF
        (prf_length is still set 8 bytes),
        following validation is not passed.

        <krb5-1.6.3/src/lib/crypto/prf.c: krb5_c_prf()>
        80     krb5_c_prf_length (context, key->enctype, &len);
        81     if( len != output->length)
        82         return (KRB5_CRYPTO_INTERNAL);

For the reason of above failure,
I found the following code in krb5int_dk_prf() function.

    <krb5-1.6.3/src/lib/crypto/dk/dk_prf.c: krb5int_dk_prf()>
     48   tmp.length = hash->hashsize;
     49   tmp.data = malloc(hash->hashsize);
     50   if (tmp.data == NULL)
     51     return ENOMEM;
     52   hash->hash(1, in, &tmp);
     53   tmp.length = (tmp.length/enc->block_size)*enc->block_size; /*truncate to block size*/

The initial tmp.length (line 48) is 20 bytes under des3-cbc-hmac-sha1-kd.
At the same time, enc->block_size is 8 bytes.
Finally, tmp.length (line 53) will be 16 bytes.

This buffer (tmp) will be passed into enc->encrypt(), that is
k5_des3_encrypt().

That is why I guess that MIT implementation expects 16 bytes PRF.

How do you think?

Regards,


On Tue,  7 Apr 2009 14:47:53 +0000 (UTC)
"Sam Hartman via RT" <rt-comment at krbdev.mit.edu> wrote:

> Based on the discussions on the ietf-krb-wg list, I'd expect the DES3
> PRF output to be 8 bytes not 16.
> What environment do you have where  you would expect 16 bytes.
> 
> _______________________________________________
> krb5-bugs mailing list
> krb5-bugs at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krb5-bugs
> 


-- 
Yukiyo Akisada <akisada at tahi.org>


From rt-comment at krbdev.mit.edu  Wed Apr  8 11:22:18 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed,  8 Apr 2009 15:22:18 +0000 (UTC)
Subject: [krbdev.mit.edu #6108] SVN Commit 
In-Reply-To: <rt-6108@krbdev.mit.edu>
Message-ID: <rt-6108-30886.0.692156363113767@krbdev.mit.edu>


When getting initial credentials with a password, try the master if
preauth fails on a slave, since preauth can fail due to an out-of-date
key.  This removes a snippet added in r14939 which was considering
only hardware preauth.


http://src.mit.edu/fisheye/changelog/krb5/?cs=22182
Commit By: ghudson
Revision: 22182
Changed Files:
U   trunk/src/lib/krb5/krb/gic_pwd.c


From rt-comment at krbdev.mit.edu  Wed Apr  8 11:25:44 2009
From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT)
Date: Wed,  8 Apr 2009 15:25:44 +0000 (UTC)
Subject: [krbdev.mit.edu #6449] SVN Commit 
In-Reply-To: <rt-6449@krbdev.mit.edu>
Message-ID: <rt-6449-30887.18.7006227353802@krbdev.mit.edu>


If decoding the encoded_req_body fails, proceed goto errout instead of falling
through to fast handling.

Looks like a merge error.

Reindented code.



http://src.mit.edu/fisheye/changelog/krb5/?cs=22183
Commit By: epeisach
Revision: 22183
Changed Files:
U   trunk/src/kdc/do_as_req.c


From rt-comment at krbdev.mit.edu  Wed Apr  8 11:58:25 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed,  8 Apr 2009 15:58:25 +0000 (UTC)
Subject: [krbdev.mit.edu #1165] SVN Commit 
In-Reply-To: <rt-1165@krbdev.mit.edu>
Message-ID: <rt-1165-30892.3.66837679019476@krbdev.mit.edu>


mk_safe and mk_priv require the local address to be set in the auth
context; rd_safe and rd_priv require the remote address to be set.
Create error codes for both kinds of missing addresses and stop trying
futilely to handle the cases where they are not set.


http://src.mit.edu/fisheye/changelog/krb5/?cs=22184
Commit By: ghudson
Revision: 22184
Changed Files:
U   trunk/src/lib/krb5/error_tables/krb5_err.et
U   trunk/src/lib/krb5/krb/mk_priv.c
U   trunk/src/lib/krb5/krb/mk_safe.c
U   trunk/src/lib/krb5/krb/rd_priv.c
U   trunk/src/lib/krb5/krb/rd_safe.c


From rt-comment at krbdev.mit.edu  Wed Apr  8 12:09:33 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed,  8 Apr 2009 16:09:33 +0000 (UTC)
Subject: [krbdev.mit.edu #6203] DELEG_POLICY_FLAG for GSS 
In-Reply-To: <rt-6203@krbdev.mit.edu>
Message-ID: <rt-6203-30893.1.91944360915961@krbdev.mit.edu>

A good description of the meaning of this flag is at:

http://www.h5l.org/blog/index.php/2008/10/ok-as-delegate-and-gss-api/

From rt-comment at krbdev.mit.edu  Wed Apr  8 12:39:34 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed,  8 Apr 2009 16:39:34 +0000 (UTC)
Subject: [krbdev.mit.edu #6203] SVN Commit 
In-Reply-To: <rt-6203@krbdev.mit.edu>
Message-ID: <rt-6203-30897.14.7280132731637@krbdev.mit.edu>


Using a patch from Apple, add support for GSS_C_DELEG_POLICY_FLAG,
which requests delegation only if the ok-as-delegate ticket flag is
set.


http://src.mit.edu/fisheye/changelog/krb5/?cs=22185
Commit By: ghudson
Revision: 22185
Changed Files:
U   trunk/src/lib/gssapi/generic/gssapi.hin
U   trunk/src/lib/gssapi/krb5/init_sec_context.c


From rt-comment at krbdev.mit.edu  Thu Apr  9 07:53:29 2009
From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT)
Date: Thu,  9 Apr 2009 11:53:29 +0000 (UTC)
Subject: [krbdev.mit.edu #6450] SVN Commit 
In-Reply-To: <rt-6450@krbdev.mit.edu>
Message-ID: <rt-6450-30899.12.5464944828516@krbdev.mit.edu>


retval was set but never returned.



http://src.mit.edu/fisheye/changelog/krb5/?cs=22186
Commit By: epeisach
Revision: 22186
Changed Files:
U   trunk/src/kdc/main.c


From rt-comment at krbdev.mit.edu  Thu Apr  9 13:57:04 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Thu,  9 Apr 2009 17:57:04 +0000 (UTC)
Subject: [krbdev.mit.edu #6451] SVN Commit 
In-Reply-To: <rt-6451@krbdev.mit.edu>
Message-ID: <rt-6451-30903.15.027865772902@krbdev.mit.edu>


doc/definitions.texinfo had, predictably, fallen out of date with
respect to the code.  Update a few of the out of date comments and
defaults, particularly the default enctype lists.


http://src.mit.edu/fisheye/changelog/krb5/?cs=22187
Commit By: ghudson
Revision: 22187
Changed Files:
U   trunk/doc/definitions.texinfo


From rt-comment at krbdev.mit.edu  Fri Apr 10 12:09:22 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Fri, 10 Apr 2009 16:09:22 +0000 (UTC)
Subject: [krbdev.mit.edu #6452] SVN Commit 
In-Reply-To: <rt-6452@krbdev.mit.edu>
Message-ID: <rt-6452-30908.17.0100572293838@krbdev.mit.edu>


Also document which cryptosystems are defined to be weak, and add some
enctype entries which weren't in the documentation.


http://src.mit.edu/fisheye/changelog/krb5/?cs=22188
Commit By: ghudson
Revision: 22188
Changed Files:
U   trunk/doc/admin.texinfo
U   trunk/doc/support-enc.texinfo


From rt-comment at krbdev.mit.edu  Sun Apr 12 10:59:10 2009
From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT)
Date: Sun, 12 Apr 2009 14:59:10 +0000 (UTC)
Subject: [krbdev.mit.edu #6453] SVN Commit 
In-Reply-To: <rt-6453@krbdev.mit.edu>
Message-ID: <rt-6453-30913.0.960430540910906@krbdev.mit.edu>


Remove some more dead code assignment - where the variable is
immediately assigned in the next statement - or not used at all.



http://src.mit.edu/fisheye/changelog/krb5/?cs=22195
Commit By: epeisach
Revision: 22195
Changed Files:
U   trunk/src/lib/krb5/rcache/rc_conv.c
U   trunk/src/lib/krb5/rcache/ser_rc.c


From rt-comment at krbdev.mit.edu  Sun Apr 12 11:40:42 2009
From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT)
Date: Sun, 12 Apr 2009 15:40:42 +0000 (UTC)
Subject: [krbdev.mit.edu #6453] SVN Commit 
In-Reply-To: <rt-6453@krbdev.mit.edu>
Message-ID: <rt-6453-30918.15.6617768628737@krbdev.mit.edu>


More dead code elimination.  When asprintf was used the varaible namelen was
no longer necessary.



http://src.mit.edu/fisheye/changelog/krb5/?cs=22196
Commit By: epeisach
Revision: 22196
Changed Files:
U   trunk/src/lib/krb5/keytab/kt_file.c


From rt-comment at krbdev.mit.edu  Mon Apr 13 14:36:44 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Mon, 13 Apr 2009 18:36:44 +0000 (UTC)
Subject: [krbdev.mit.edu #6454] SVN Commit 
In-Reply-To: <rt-6454@krbdev.mit.edu>
Message-ID: <rt-6454-30919.6.14452660626078@krbdev.mit.edu>


Very little is likely to go wrong inside krb5_mkt_resolve (it just
allocates memory and plays with mutexes), but if anything did, the
handling was almost always wrong.  Reorganize the function to handle
errors properly, using a helper create_list_node function to simplify
the task.


http://src.mit.edu/fisheye/changelog/krb5/?cs=22198
Commit By: ghudson
Revision: 22198
Changed Files:
U   trunk/src/lib/krb5/keytab/kt_memory.c


From rt-comment at krbdev.mit.edu  Mon Apr 13 15:22:08 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 13 Apr 2009 19:22:08 +0000 (UTC)
Subject: [krbdev.mit.edu #6455] (1.6.x) Handle authdata encrypted in subkey 
In-Reply-To: <rt-6455@krbdev.mit.edu>
Message-ID: <rt-6455-30922.19.8210496195475@krbdev.mit.edu>

Port ticket #6438 to 1.6-branch.  Fixes a significant non-conformance to RFC 4120.

From rt-comment at krbdev.mit.edu  Mon Apr 13 16:26:31 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 13 Apr 2009 20:26:31 +0000 (UTC)
Subject: [krbdev.mit.edu #6458] SVN Commit 
In-Reply-To: <rt-6458@krbdev.mit.edu>
Message-ID: <rt-6458-30937.3.56296154747064@krbdev.mit.edu>


pull up r22041 from trunk

 Adjust to the return value of isflagset routine.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22205
Commit By: tlyu
Revision: 22205
Changed Files:
U   branches/krb5-1-7/src/kdc/do_tgs_req.c


From rt-comment at krbdev.mit.edu  Mon Apr 13 16:26:23 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 13 Apr 2009 20:26:23 +0000 (UTC)
Subject: [krbdev.mit.edu #6398] SVN Commit 
In-Reply-To: <rt-6398@krbdev.mit.edu>
Message-ID: <rt-6398-30927.7.05472262652869@krbdev.mit.edu>


pull up r22038 from trunk

 ticket: 6398
 subject: remove obsolete GNU.ORG realm info
 target_version: 1.7
 tags: pullup

 Our sample krb5.conf has obsolete info on the GNU.ORG realm; the DNS
 entries named don't exist, and AFAIK this hasn't been accurate in
 years.  (I don't even know if they're currently running a Kerberos
 realm.)

http://src.mit.edu/fisheye/changelog/krb5/?cs=22202
Commit By: tlyu
Revision: 22202
Changed Files:
U   branches/krb5-1-7/src/config-files/krb5.conf


From rt-comment at krbdev.mit.edu  Mon Apr 13 16:26:26 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 13 Apr 2009 20:26:26 +0000 (UTC)
Subject: [krbdev.mit.edu #6456] SVN Commit 
In-Reply-To: <rt-6456@krbdev.mit.edu>
Message-ID: <rt-6456-30928.5.92931247858608@krbdev.mit.edu>


pull up r22037 from trunk

 Fix in handle_referral_params

http://src.mit.edu/fisheye/changelog/krb5/?cs=22203
Commit By: tlyu
Revision: 22203
Changed Files:
U   branches/krb5-1-7/src/kdc/main.c


From rt-comment at krbdev.mit.edu  Mon Apr 13 16:26:19 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 13 Apr 2009 20:26:19 +0000 (UTC)
Subject: [krbdev.mit.edu #6393] SVN Commit 
In-Reply-To: <rt-6393@krbdev.mit.edu>
Message-ID: <rt-6393-30925.13.7618067262908@krbdev.mit.edu>


pull up 21993 from trunk

 Subject: Implement TGS authenticator subkey usage
 ticket: 6393
 tags: enhancement

 Implement support for use of a subkey in the TGS req.  This is needed
 by FAST TGS support.  The interface to krb5_send_tgs changed in order
 to gain a subkey output parameter.  Since this is a private interface
 it was renamed to krb5int_send_tgs and removed from the export list.

 * send_tgs.c: generate a subkey and return to caller
 * decode_kdc_rep.c: Use subkey keyusage
 * gc_via_tkt.c: pass in subkey to decode_kdc_rep
 * send_tgs.c: use subkey for encrypting authorization data

http://src.mit.edu/fisheye/changelog/krb5/?cs=22201
Commit By: tlyu
Revision: 22201
Changed Files:
U   branches/krb5-1-7/src/include/k5-int.h
U   branches/krb5-1-7/src/lib/krb5/krb/decode_kdc.c
U   branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c
U   branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c
U   branches/krb5-1-7/src/lib/krb5/libkrb5.exports


From rt-comment at krbdev.mit.edu  Mon Apr 13 16:26:28 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 13 Apr 2009 20:26:28 +0000 (UTC)
Subject: [krbdev.mit.edu #6457] SVN Commit 
In-Reply-To: <rt-6457@krbdev.mit.edu>
Message-ID: <rt-6457-30932.16.777224997825@krbdev.mit.edu>


pull up r22040 from trunk

 KDC realm referral test

http://src.mit.edu/fisheye/changelog/krb5/?cs=22204
Commit By: tlyu
Revision: 22204
Changed Files:
A   branches/krb5-1-7/src/tests/kdc_realm/
A   branches/krb5-1-7/src/tests/kdc_realm/input_conf/
A   branches/krb5-1-7/src/tests/kdc_realm/input_conf/kdc_pri_template.conf
A   branches/krb5-1-7/src/tests/kdc_realm/input_conf/kdc_ref_template.conf
A   branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priCL_template.conf
A   branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_1_template.conf
A   branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_2_template.conf
A   branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_3_template.conf
A   branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_4_template.conf
A   branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_5_template.conf
A   branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_6_template.conf
A   branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_7_template.conf
A   branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_8_template.conf
A   branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_priKDC_template.conf
A   branches/krb5-1-7/src/tests/kdc_realm/input_conf/krb5_ref_template.conf
A   branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_KDCs.conf
A   branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_princs.conf
A   branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_setup.conf
A   branches/krb5-1-7/src/tests/kdc_realm/kdcref.py


From rt-comment at krbdev.mit.edu  Mon Apr 13 16:26:34 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 13 Apr 2009 20:26:34 +0000 (UTC)
Subject: [krbdev.mit.edu #6348] SVN Commit 
In-Reply-To: <rt-6348@krbdev.mit.edu>
Message-ID: <rt-6348-30943.0.133147468625552@krbdev.mit.edu>


pull up r21966, r22042 from trunk

 ------------------------------------------------------------------------
 r22042 | rra | 2009-02-20 13:48:26 -0500 (Fri, 20 Feb 2009) | 5 lines
 Changed paths:
    M /trunk/src/kadmin/cli/Makefile.in

 Ticket: 6348
 Tags: pullup

 Also install k5srvutil into PREFIX/bin instead of PREFIX/sbin.

 ------------------------------------------------------------------------
 r21966 | rra | 2009-02-11 00:00:24 -0500 (Wed, 11 Feb 2009) | 6 lines
 Changed paths:
    M /trunk/src/kadmin/cli/Makefile.in
    M /trunk/src/kadmin/ktutil/Makefile.in

 Ticket: 6348
 Tags: pullup

 Install ktutil and kadmin into CLIENT_BINDIR instead of ADMIN_BINDIR
 since both are useful for users other than the system administrator.

 ------------------------------------------------------------------------

http://src.mit.edu/fisheye/changelog/krb5/?cs=22206
Commit By: tlyu
Revision: 22206
Changed Files:
U   branches/krb5-1-7/src/kadmin/cli/Makefile.in
U   branches/krb5-1-7/src/kadmin/ktutil/Makefile.in


From rt-comment at krbdev.mit.edu  Mon Apr 13 16:26:36 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 13 Apr 2009 20:26:36 +0000 (UTC)
Subject: [krbdev.mit.edu #6425] SVN Commit 
In-Reply-To: <rt-6425@krbdev.mit.edu>
Message-ID: <rt-6425-30945.0.481685610323197@krbdev.mit.edu>


pull up r21927, r21928, r21940, r21969, r21981, r22004 from trunk

------------------------------------------------------------------------
r22004 | ghudson | 2009-02-13 17:05:48 -0500 (Fri, 13 Feb 2009) | 3 lines
Changed paths:
   M /trunk/src/lib/krb5/asn.1/asn1_k_decode.c
   M /trunk/src/lib/krb5/asn.1/asn1_k_decode.h
   M /trunk/src/lib/krb5/asn.1/krb5_decode.c

Correct numerous memory leaks on error conditions in the ASN.1
decoder functions.

------------------------------------------------------------------------
r21981 | ghudson | 2009-02-12 13:21:33 -0500 (Thu, 12 Feb 2009) | 4 lines
Changed paths:
   M /trunk/src/lib/krb5/asn.1/asn1_encode.c
   M /trunk/src/lib/krb5/asn.1/asn1buf.c

Modify asn12krb5_buf and asn1_do_full_encode to make output parameter
values well-defined on error.  Clean up memory handling and an unused
variable in asn1_do_full_encode.

------------------------------------------------------------------------
r21969 | ghudson | 2009-02-11 15:18:43 -0500 (Wed, 11 Feb 2009) | 6 lines
Changed paths:
   M /trunk/src/include/k5-int.h
   M /trunk/src/lib/krb5/krb/kfree.c
   M /trunk/src/lib/krb5/libkrb5.exports

Ensure we have a free function for every data type we have an ASN.1
decoder for.  Export the new free functions, but only declare them
in k5-int.h since they shouldn't be needed by applications.  Also
export a couple of encoder and decoder functions not previously
exported.

------------------------------------------------------------------------
r21940 | ghudson | 2009-02-09 21:01:58 -0500 (Mon, 09 Feb 2009) | 5 lines
Changed paths:
   M /trunk/src/lib/krb5/asn.1/krb5_decode.c

Adjust the structure of krb5_decode.c functions to initialize output
parameters to NULL and not set them to the real values until a
successful return is guaranteed.  Also fix get_eoc which was returning
without clean_return.

------------------------------------------------------------------------
r21928 | ghudson | 2009-02-09 16:25:53 -0500 (Mon, 09 Feb 2009) | 4 lines
Changed paths:
   M /trunk/src/lib/krb5/asn.1/asn1buf.c
   M /trunk/src/lib/krb5/asn.1/asn1buf.h
   M /trunk/src/lib/krb5/asn.1/krb5_encode.c

Make asn1buf_destroy return void, since it's a free function.  In
krb5_encode.c functions, make *code well-defined in case of error,
and clean up some memory leaks.

------------------------------------------------------------------------
r21927 | ghudson | 2009-02-09 16:23:00 -0500 (Mon, 09 Feb 2009) | 3 lines
Changed paths:
   M /trunk/src/lib/krb5/asn.1/asn1_k_encode.c

In asn1_k_encode.c, stop inconsistently destroying buf on some errors.
It belongs to the caller.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22207
Commit By: tlyu
Revision: 22207
Changed Files:
U   branches/krb5-1-7/src/include/k5-int.h
U   branches/krb5-1-7/src/lib/krb5/asn.1/asn1_encode.c
U   branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.c
U   branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.h
U   branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_encode.c
U   branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.c
U   branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.h
U   branches/krb5-1-7/src/lib/krb5/asn.1/krb5_decode.c
U   branches/krb5-1-7/src/lib/krb5/asn.1/krb5_encode.c
U   branches/krb5-1-7/src/lib/krb5/krb/kfree.c
U   branches/krb5-1-7/src/lib/krb5/libkrb5.exports


From rt-comment at krbdev.mit.edu  Mon Apr 13 18:15:07 2009
From: rt-comment at krbdev.mit.edu (william.fiveash@sun.com via RT)
Date: Mon, 13 Apr 2009 22:15:07 +0000 (UTC)
Subject: [krbdev.mit.edu #6459] SVN Commit 
In-Reply-To: <rt-6459@krbdev.mit.edu>
Message-ID: <rt-6459-30946.19.3599806547379@krbdev.mit.edu>


While previously updating the kdb5_util command man page to include
documentation on new subcommands added as a result of the Master Key
Migration project I missed the purge_mkeys command.  I've added that
with this commit.


http://src.mit.edu/fisheye/changelog/krb5/?cs=22208
Commit By: wfiveash
Revision: 22208
Changed Files:
U   trunk/src/kadmin/dbutil/kdb5_util.M


From rt-comment at krbdev.mit.edu  Tue Apr 14 11:05:23 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Tue, 14 Apr 2009 15:05:23 +0000 (UTC)
Subject: [krbdev.mit.edu #6460] SVN Commit 
In-Reply-To: <rt-6460@krbdev.mit.edu>
Message-ID: <rt-6460-30952.11.7725968275433@krbdev.mit.edu>


Implement the -T option to kinit to specify the FAST armor ccache.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22209
Commit By: hartmans
Revision: 22209
Changed Files:
U   trunk/src/clients/kinit/kinit.M
U   trunk/src/clients/kinit/kinit.c


From rt-comment at krbdev.mit.edu  Tue Apr 14 11:35:14 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Tue, 14 Apr 2009 15:35:14 +0000 (UTC)
Subject: [krbdev.mit.edu #6461] SVN Commit 
In-Reply-To: <rt-6461@krbdev.mit.edu>
Message-ID: <rt-6461-30957.6.92550448777432@krbdev.mit.edu>


Since the fast_req checksum is unencrypted, a keyed checksum type needs to be used.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22210
Commit By: hartmans
Revision: 22210
Changed Files:
U   trunk/src/kdc/fast_util.c


From rt-comment at krbdev.mit.edu  Tue Apr 14 14:33:29 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 18:33:29 +0000 (UTC)
Subject: [krbdev.mit.edu #6462] SVN Commit 
In-Reply-To: <rt-6462@krbdev.mit.edu>
Message-ID: <rt-6462-30962.10.4678057607477@krbdev.mit.edu>


pull up r22046, r22070 from trunk

 ------------------------------------------------------------------------
 r22070 | tsitkova | 2009-03-09 10:23:31 -0400 (Mon, 09 Mar 2009) | 2 lines
 Changed paths:
    M /trunk/src/kdc/do_tgs_req.c

 Removed unneeded  printf's

 ------------------------------------------------------------------------
 r22046 | tsitkova | 2009-02-23 13:47:28 -0500 (Mon, 23 Feb 2009) | 2 lines
 Changed paths:
    M /trunk/src/kdc/do_tgs_req.c

 Correct the return code.

 ------------------------------------------------------------------------
 Removed unneeded  printf's

http://src.mit.edu/fisheye/changelog/krb5/?cs=22211
Commit By: tlyu
Revision: 22211
Changed Files:
U   branches/krb5-1-7/src/kdc/do_tgs_req.c


From rt-comment at krbdev.mit.edu  Tue Apr 14 15:53:51 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 19:53:51 +0000 (UTC)
Subject: [krbdev.mit.edu #6400] SVN Commit 
In-Reply-To: <rt-6400@krbdev.mit.edu>
Message-ID: <rt-6400-30970.16.6410368642052@krbdev.mit.edu>


pull up r22056, r22057 from trunk

 ------------------------------------------------------------------------
 r22057 | hartmans | 2009-02-26 15:32:35 -0500 (Thu, 26 Feb 2009) | 3 lines
 Changed paths:
    M /trunk/src/lib/krb5/krb/copy_auth.c

 ticket: 6400

 krb5_merge_authdata  should initialize output on failure.
 ------------------------------------------------------------------------
 r22056 | hartmans | 2009-02-26 15:07:05 -0500 (Thu, 26 Feb 2009) | 11 lines
 Changed paths:
    M /trunk/src/include/krb5/krb5.hin
    M /trunk/src/lib/gssapi/krb5/accept_sec_context.c
    M /trunk/src/lib/krb5/krb/copy_auth.c
    M /trunk/src/lib/krb5/libkrb5.exports

 Subject: Include authenticator and ticket authdata in gss-api
 ticket: 6400
 Target_version: 1.7
 Tags: pullup

 Currently, the GSS-API routines for handling authdata only extract the
 authorization data from the ticket, not that from the authenticator.
 This is incorrect.  Introduce a new function krb5_merge_authadata to
 merge two authdata arrays into a newly allocated result array.  Use
 this function in accept_sec_context.c to include both sets of
 authdata.
 ------------------------------------------------------------------------

http://src.mit.edu/fisheye/changelog/krb5/?cs=22212
Commit By: tlyu
Revision: 22212
Changed Files:
U   branches/krb5-1-7/src/include/krb5/krb5.hin
U   branches/krb5-1-7/src/lib/gssapi/krb5/accept_sec_context.c
U   branches/krb5-1-7/src/lib/krb5/krb/copy_auth.c
U   branches/krb5-1-7/src/lib/krb5/libkrb5.exports


From rt-comment at krbdev.mit.edu  Tue Apr 14 15:53:55 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 19:53:55 +0000 (UTC)
Subject: [krbdev.mit.edu #6401] SVN Commit 
In-Reply-To: <rt-6401@krbdev.mit.edu>
Message-ID: <rt-6401-30972.1.29020701239163@krbdev.mit.edu>


pull up r22067 from trunk

 ------------------------------------------------------------------------
 r22067 | hartmans | 2009-03-06 12:26:29 -0500 (Fri, 06 Mar 2009) | 12 lines
 Changed paths:
    M /trunk/src/lib/krb5/krb/get_in_tkt.c

 ticket: 6401
 Subject: send_as_req re-encodes the request

 krb5_get_init_creds calls encode_krb5_as_req to produce an encoding
 for the preauth plugins, then passes the unencoded request structure
 into the static function send_as_req.  That function re-encodes the
 request.  This is an unnecessary call to the encoder.  In addition,
 for the FAST project, it is desirable to encapsulate the unencoded
 outer request so that krb5_get_init_creds does not need it.

 * send_as_req is modified to take an encoded request and realm
 * Remove unused logic to fill in request nonce from send_as_req
 ------------------------------------------------------------------------

http://src.mit.edu/fisheye/changelog/krb5/?cs=22213
Commit By: tlyu
Revision: 22213
Changed Files:
U   branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c


From rt-comment at krbdev.mit.edu  Tue Apr 14 15:53:57 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 19:53:57 +0000 (UTC)
Subject: [krbdev.mit.edu #4241] SVN Commit 
In-Reply-To: <rt-4241@krbdev.mit.edu>
Message-ID: <rt-4241-30974.1.61941707676554@krbdev.mit.edu>


pull up r22068 from trunk

 ------------------------------------------------------------------------
 r22068 | raeburn | 2009-03-06 18:57:10 -0500 (Fri, 06 Mar 2009) | 6 lines
 Changed paths:
    M /trunk/src/clients/klist/klist.c

 ticket: 4241
 target_version: 1.7
 tags: pullup

 Add "-V" option to klist to print the package name and version, and exit.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22214
Commit By: tlyu
Revision: 22214
Changed Files:
U   branches/krb5-1-7/src/clients/klist/klist.c


From rt-comment at krbdev.mit.edu  Tue Apr 14 15:54:00 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 19:54:00 +0000 (UTC)
Subject: [krbdev.mit.edu #6463] SVN Commit 
In-Reply-To: <rt-6463@krbdev.mit.edu>
Message-ID: <rt-6463-30975.8.62473048346395@krbdev.mit.edu>


 ------------------------------------------------------------------------
 r22072 | tsitkova | 2009-03-10 10:49:43 -0400 (Tue, 10 Mar 2009) | 2 lines
 Changed paths:
    A /trunk/src/tests/kdc_realm/input_conf/test_KDCs_1.conf
    M /trunk/src/tests/kdc_realm/input_conf/test_setup.conf
    M /trunk/src/tests/kdc_realm/kdcref.py

 Added test for KRB5_NT_UNKNOWN princ type
 ------------------------------------------------------------------------
 r22069 | tsitkova | 2009-03-09 10:21:20 -0400 (Mon, 09 Mar 2009) | 2 lines
 Changed paths:
    M /trunk/src/clients/kvno/kvno.c

 Introduced '-u' option to kvno to enforce KRB5_NT_UNKNOWN princ type.

 ------------------------------------------------------------------------

http://src.mit.edu/fisheye/changelog/krb5/?cs=22215
Commit By: tlyu
Revision: 22215
Changed Files:
U   branches/krb5-1-7/src/clients/kvno/kvno.c
A   branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_KDCs_1.conf
U   branches/krb5-1-7/src/tests/kdc_realm/input_conf/test_setup.conf
U   branches/krb5-1-7/src/tests/kdc_realm/kdcref.py


From rt-comment at krbdev.mit.edu  Tue Apr 14 17:07:10 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 21:07:10 +0000 (UTC)
Subject: [krbdev.mit.edu #6403] SVN Commit 
In-Reply-To: <rt-6403@krbdev.mit.edu>
Message-ID: <rt-6403-30980.8.13607463689799@krbdev.mit.edu>


pull up r22071 from trunk

 ------------------------------------------------------------------------
 r22071 | ghudson | 2009-03-09 21:28:12 -0400 (Mon, 09 Mar 2009) | 10 lines
 Changed paths:
    M /trunk/src/include/kdb.h
    M /trunk/src/lib/kdb/kdb5.c
    M /trunk/src/lib/kdb/libkdb5.exports
    M /trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c

 ticket: 6403

 Rename kdb_setup_lib_handle to krb5_db_setup_lib_handle and export it.
 Make kdb5_ldap_util work again by calling this function to set up
 dal_handle instead of using one with an uninitialized lib_handle.

 It is likely that kdb5_ldap_util will only function given a krb5.conf
 which specifies a realm with an LDAP database module as the default
 realm.  Not sure if that was the case before.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22216
Commit By: tlyu
Revision: 22216
Changed Files:
U   branches/krb5-1-7/src/include/kdb.h
U   branches/krb5-1-7/src/lib/kdb/kdb5.c
U   branches/krb5-1-7/src/lib/kdb/libkdb5.exports
U   branches/krb5-1-7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c


From rt-comment at krbdev.mit.edu  Tue Apr 14 17:07:14 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 21:07:14 +0000 (UTC)
Subject: [krbdev.mit.edu #6405] SVN Commit 
In-Reply-To: <rt-6405@krbdev.mit.edu>
Message-ID: <rt-6405-30982.11.461671838372@krbdev.mit.edu>


pull up r22073 from trunk

 ------------------------------------------------------------------------
 r22073 | wfiveash | 2009-03-10 16:26:24 -0400 (Tue, 10 Mar 2009) | 5 lines
 Changed paths:
    M /trunk/src/kadmin/dbutil/kdb5_mkey.c
    M /trunk/src/lib/kdb/kdb5.c
    M /trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c

 ticket: 6405
 Tags: pullup

 Several small fixes to enable the migrate mkey commands to work properly with a LDAP KDB.  See the ticket for more details.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22217
Commit By: tlyu
Revision: 22217
Changed Files:
U   branches/krb5-1-7/src/kadmin/dbutil/kdb5_mkey.c
U   branches/krb5-1-7/src/lib/kdb/kdb5.c
U   branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c


From rt-comment at krbdev.mit.edu  Tue Apr 14 17:07:19 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 21:07:19 +0000 (UTC)
Subject: [krbdev.mit.edu #6408] SVN Commit 
In-Reply-To: <rt-6408@krbdev.mit.edu>
Message-ID: <rt-6408-30986.17.1929307569032@krbdev.mit.edu>


pull up r22079 from trunk

 ------------------------------------------------------------------------
 r22079 | ghudson | 2009-03-11 18:14:24 -0400 (Wed, 11 Mar 2009) | 13 lines
 Changed paths:
    M /trunk/src/kdc/do_tgs_req.c
    M /trunk/src/kdc/kdc_preauth.c
    M /trunk/src/kdc/kdc_util.h
    M /trunk/src/kdc/main.c
    M /trunk/src/kdc/network.c

 ticket: 6408
 subject: Report verbose error messages from KDC
 target_version: 1.7
 tags: pullup

 We were losing verbose error messages when logging from the KDC because
 the context passed to krb5_klog_init did not match the realm-specific
 context used for most library function calls.  Introduce a wrapper
 function kdc_err which copies the error state from the call context
 to the log context.  The wrapper function also knows the program name,
 which removes the need to pass argv[0] around everywhere or make up
 program names.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22219
Commit By: tlyu
Revision: 22219
Changed Files:
U   branches/krb5-1-7/src/kdc/do_tgs_req.c
U   branches/krb5-1-7/src/kdc/kdc_preauth.c
U   branches/krb5-1-7/src/kdc/kdc_util.h
U   branches/krb5-1-7/src/kdc/main.c
U   branches/krb5-1-7/src/kdc/network.c


From rt-comment at krbdev.mit.edu  Tue Apr 14 17:07:22 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 21:07:22 +0000 (UTC)
Subject: [krbdev.mit.edu #6412] SVN Commit 
In-Reply-To: <rt-6412@krbdev.mit.edu>
Message-ID: <rt-6412-30988.5.93437817490006@krbdev.mit.edu>


pull up r22081, r22082 from trunk

 ------------------------------------------------------------------------
 r22082 | raeburn | 2009-03-12 18:06:35 -0400 (Thu, 12 Mar 2009) | 6 lines
 Changed paths:
    M /trunk/src/lib/gssapi/krb5/k5sealv3iov.c

 ticket: 6412
 tags: pullup

 Better fix: Delay setting 'outbuf' until after the header buffer might
 have been allocated locally, and set it in both code paths instead of
 just the confidentiality-requested code path.
 ------------------------------------------------------------------------
 r22081 | raeburn | 2009-03-12 12:48:15 -0400 (Thu, 12 Mar 2009) | 7 lines
 Changed paths:
    M /trunk/src/lib/gssapi/krb5/k5sealv3iov.c

 ticket: 6412
 subject: crash using library-allocated storage for header in wrap_iov
 target_version: 1.7
 tags: pullup

 When allocating storage for the header buffer, update the internal
 output buffer pointer as well.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22220
Commit By: tlyu
Revision: 22220
Changed Files:
U   branches/krb5-1-7/src/lib/gssapi/krb5/k5sealv3iov.c


From rt-comment at krbdev.mit.edu  Tue Apr 14 17:07:25 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 21:07:25 +0000 (UTC)
Subject: [krbdev.mit.edu #6415] SVN Commit 
In-Reply-To: <rt-6415@krbdev.mit.edu>
Message-ID: <rt-6415-30990.12.5430750994226@krbdev.mit.edu>


pull up r22083 from trunk

 ------------------------------------------------------------------------
 r22083 | ghudson | 2009-03-12 23:10:12 -0400 (Thu, 12 Mar 2009) | 9 lines
 Changed paths:
    M /trunk/src/lib/krb5/krb/get_in_tkt.c

 ticket: 6415
 subject: Use correct salt for canonicalized principals
 target_version: 1.7
 tags: pullup

 In cases where the salt is derived from the client principal, use the
 canonicalized principal received from the KDC to determine the salt.
 Further changes are probably required for some preauth cases.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22221
Commit By: tlyu
Revision: 22221
Changed Files:
U   branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c


From rt-comment at krbdev.mit.edu  Tue Apr 14 17:07:27 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 21:07:27 +0000 (UTC)
Subject: [krbdev.mit.edu #6402] SVN Commit 
In-Reply-To: <rt-6402@krbdev.mit.edu>
Message-ID: <rt-6402-30991.13.2946158301299@krbdev.mit.edu>


pull up r22173 from trunk

 ------------------------------------------------------------------------
 r22173 | tlyu | 2009-04-07 17:22:13 -0400 (Tue, 07 Apr 2009) | 4 lines
 Changed paths:
    M /trunk/src/lib/gssapi/spnego/spnego_mech.c

 ticket: 6417

 Apply revised patch from Apple that ensures that a REJECT token is
 sent on error.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22222
Commit By: tlyu
Revision: 22222
Changed Files:
U   branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c


From rt-comment at krbdev.mit.edu  Tue Apr 14 17:07:29 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 21:07:29 +0000 (UTC)
Subject: [krbdev.mit.edu #6418] SVN Commit 
In-Reply-To: <rt-6418@krbdev.mit.edu>
Message-ID: <rt-6418-30993.17.5916082373103@krbdev.mit.edu>


pull up r22088 from trunk

 ------------------------------------------------------------------------
 r22088 | ghudson | 2009-03-14 01:46:18 -0400 (Sat, 14 Mar 2009) | 15 lines
 Changed paths:
    M /trunk/doc/admin.texinfo

 ticket: 6418
 subject: Improve LDAP admin documentation
 target_version: 1.7
 tags: pullup

 Use dc=example,dc=com as the example base DN instead of more archaic
 forms.  Provide a little more cross-referencing of concepts and
 mechanisms.  Add additional steps in the OpenLDAP setup instructions
 for choosing DNs for the Kerberos container, KDC service, and kadmin
 service.  Explain a little bit about what the Kerberos container and
 realm container are.  Be clearer that using separate subtrees from the
 realm container for principals is an option, not a necessity, and
 don't use the base DN as an example of a separate subtree (it's
 confusing).

http://src.mit.edu/fisheye/changelog/krb5/?cs=22223
Commit By: tlyu
Revision: 22223
Changed Files:
U   branches/krb5-1-7/doc/admin.texinfo


From rt-comment at krbdev.mit.edu  Tue Apr 14 17:07:16 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 21:07:16 +0000 (UTC)
Subject: [krbdev.mit.edu #6407] SVN Commit 
In-Reply-To: <rt-6407@krbdev.mit.edu>
Message-ID: <rt-6407-30984.8.43500867562646@krbdev.mit.edu>


pull up r22078 from trunk

 ------------------------------------------------------------------------
 r22078 | ghudson | 2009-03-11 18:11:06 -0400 (Wed, 11 Mar 2009) | 9 lines
 Changed paths:
    M /trunk/src/include/k5-int.h
    M /trunk/src/include/krb5/krb5.hin
    M /trunk/src/lib/krb5/krb/kerrs.c
    M /trunk/src/lib/krb5/libkrb5.exports

 ticket: 6407
 subject: Make a working krb5_copy_error_message
 target_version: 1.7
 tags: pullup

 The krb5_copy_error_state macro wasn't used, didn't work, and didn't
 need to be a macro.  Replace it with an exported API function named
 krb5_copy_error_message.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22218
Commit By: tlyu
Revision: 22218
Changed Files:
U   branches/krb5-1-7/src/include/k5-int.h
U   branches/krb5-1-7/src/include/krb5/krb5.hin
U   branches/krb5-1-7/src/lib/krb5/krb/kerrs.c
U   branches/krb5-1-7/src/lib/krb5/libkrb5.exports


From rt-comment at krbdev.mit.edu  Tue Apr 14 17:07:32 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 21:07:32 +0000 (UTC)
Subject: [krbdev.mit.edu #6419] SVN Commit 
In-Reply-To: <rt-6419@krbdev.mit.edu>
Message-ID: <rt-6419-30995.16.1676413387274@krbdev.mit.edu>


pull up r22089 from trunk

 ------------------------------------------------------------------------
 r22089 | ghudson | 2009-03-15 00:15:16 -0400 (Sun, 15 Mar 2009) | 9 lines
 Changed paths:
    M /trunk/doc/admin.texinfo

 ticket: 6419
 subject: Document alias support in LDAP back end
 tags: pullup
 target_version: 1.7

 Add a few paragraphs to the LDAP instructions on creating aliases
 through direct manipulation of the LDAP data, and briefly explain when
 aliases will be used.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22224
Commit By: tlyu
Revision: 22224
Changed Files:
U   branches/krb5-1-7/doc/admin.texinfo


From rt-comment at krbdev.mit.edu  Tue Apr 14 17:07:35 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 21:07:35 +0000 (UTC)
Subject: [krbdev.mit.edu #6420] SVN Commit 
In-Reply-To: <rt-6420@krbdev.mit.edu>
Message-ID: <rt-6420-30997.7.29744193220789@krbdev.mit.edu>


pull up r22090 from trunk

 ------------------------------------------------------------------------
 r22090 | ghudson | 2009-03-15 00:21:12 -0400 (Sun, 15 Mar 2009) | 10 lines
 Changed paths:
    M /trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
    M /trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
    M /trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
    M /trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c

 ticket: 6420
 subject: Add LDAP back end support for canonical name attribute
 tags: pullup
 target_version: 1.7

 Add a krbCanonicalName attribute to the schema.  When looking up a
 principal, if the canonical name is set and does not match the
 requested name, then return the entry only if canonicalization was
 requested, and use the entry's canonical name.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22225
Commit By: tlyu
Revision: 22225
Changed Files:
U   branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
U   branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
U   branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
U   branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c


From rt-comment at krbdev.mit.edu  Tue Apr 14 17:07:38 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 21:07:38 +0000 (UTC)
Subject: [krbdev.mit.edu #6423] SVN Commit 
In-Reply-To: <rt-6423@krbdev.mit.edu>
Message-ID: <rt-6423-30999.19.1085289240097@krbdev.mit.edu>


pull up r22092 from trunk

 ------------------------------------------------------------------------
 r22092 | hartmans | 2009-03-16 12:49:59 -0400 (Mon, 16 Mar 2009) | 4 lines
 Changed paths:
    M /trunk/src/lib/krb5/krb/auth_con.c

 ticket: 6423
 Subject: krb5_auth_con_free should support freeing a null auth_context without segfault.

 If the input auth_con is NULL, return success.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22226
Commit By: tlyu
Revision: 22226
Changed Files:
U   branches/krb5-1-7/src/lib/krb5/krb/auth_con.c


From rt-comment at krbdev.mit.edu  Tue Apr 14 17:07:40 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 21:07:40 +0000 (UTC)
Subject: [krbdev.mit.edu #6424] SVN Commit 
In-Reply-To: <rt-6424@krbdev.mit.edu>
Message-ID: <rt-6424-31001.8.40741396958286@krbdev.mit.edu>


pull up r22093 from trunk

 ------------------------------------------------------------------------
 r22093 | hartmans | 2009-03-16 12:50:04 -0400 (Mon, 16 Mar 2009) | 7 lines
 Changed paths:
    M /trunk/src/kdc/kdc_util.c
    M /trunk/src/kdc/main.c

 ticket: 6424
 Subject: Call kdb_set_mkey_list from the KDC
 Target_version: 1.7
 tags: pullup

 In order for the kdb keytab to be used from within the KDC, the KDC
 needs to set the master key list in the context.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22227
Commit By: tlyu
Revision: 22227
Changed Files:
U   branches/krb5-1-7/src/kdc/kdc_util.c
U   branches/krb5-1-7/src/kdc/main.c


From rt-comment at krbdev.mit.edu  Tue Apr 14 17:07:44 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 21:07:44 +0000 (UTC)
Subject: [krbdev.mit.edu #6421] SVN Commit 
In-Reply-To: <rt-6421@krbdev.mit.edu>
Message-ID: <rt-6421-31003.6.22179135756845@krbdev.mit.edu>


pull up r22094, r22095 from trunk

 ------------------------------------------------------------------------
 r22095 | hartmans | 2009-03-16 12:50:23 -0400 (Mon, 16 Mar 2009) | 7 lines
 Changed paths:
    M /trunk/src/lib/crypto/Makefile.in
    A /trunk/src/lib/crypto/t_cf2.c
    A /trunk/src/lib/crypto/t_cf2.comments
    A /trunk/src/lib/crypto/t_cf2.expected
    A /trunk/src/lib/crypto/t_cf2.in
    A /trunk/src/lib/crypto/t_prf.comments
    A /trunk/src/lib/crypto/t_prf.expected
    A /trunk/src/lib/crypto/t_prf.in

 ticket: 6421

 Implement test cases for CF2

 Implement a simple program to call KRB-FX-CF2 and print the resulting
 keys.  Add to regression tests.  Also, use the PRF testing application
 to confirm that CF2 generates consistent keys if called by hand.
 ------------------------------------------------------------------------
 r22094 | hartmans | 2009-03-16 12:50:09 -0400 (Mon, 16 Mar 2009) | 6 lines
 Changed paths:
    M /trunk/src/include/krb5/krb5.hin
    M /trunk/src/lib/crypto/Makefile.in
    A /trunk/src/lib/crypto/cf2.c
    M /trunk/src/lib/crypto/etypes.h
    M /trunk/src/lib/crypto/libk5crypto.exports

 ticket: 6421
 Subject: Implement KRB-FX_CF2

 Draft-ietf-krb-wg-preauth-framework defines a function KRB-FX-CF2 that
 combines two keys of arbitrary enctype.  Implement this function as an
 exported API.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22228
Commit By: tlyu
Revision: 22228
Changed Files:
U   branches/krb5-1-7/src/include/krb5/krb5.hin
U   branches/krb5-1-7/src/lib/crypto/Makefile.in
A   branches/krb5-1-7/src/lib/crypto/cf2.c
U   branches/krb5-1-7/src/lib/crypto/etypes.h
U   branches/krb5-1-7/src/lib/crypto/libk5crypto.exports
A   branches/krb5-1-7/src/lib/crypto/t_cf2.c
A   branches/krb5-1-7/src/lib/crypto/t_cf2.comments
A   branches/krb5-1-7/src/lib/crypto/t_cf2.expected
A   branches/krb5-1-7/src/lib/crypto/t_cf2.in
A   branches/krb5-1-7/src/lib/crypto/t_prf.comments
A   branches/krb5-1-7/src/lib/crypto/t_prf.expected
A   branches/krb5-1-7/src/lib/crypto/t_prf.in


From rt-comment at krbdev.mit.edu  Tue Apr 14 17:07:48 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 21:07:48 +0000 (UTC)
Subject: [krbdev.mit.edu #6422] SVN Commit 
In-Reply-To: <rt-6422@krbdev.mit.edu>
Message-ID: <rt-6422-31005.17.0407843969976@krbdev.mit.edu>


pull up r22096, r22097 from trunk

 ------------------------------------------------------------------------
 r22097 | hartmans | 2009-03-16 12:50:30 -0400 (Mon, 16 Mar 2009) | 6 lines
 Changed paths:
    M /trunk/src/include/k5-int.h
    M /trunk/src/lib/krb5/krb/Makefile.in
    A /trunk/src/lib/krb5/krb/t_authdata.c

 ticket: 6422

 Implement tests for authdata functions

 Implement some test cases for krb5_merge_authdata and
 krb5int_find_authdata
 ------------------------------------------------------------------------
 r22096 | hartmans | 2009-03-16 12:50:26 -0400 (Mon, 16 Mar 2009) | 5 lines
 Changed paths:
    M /trunk/src/lib/krb5/krb/copy_auth.c

 subject: Implement krb5int_find_authdata
 ticket: 6422

 Implement a function to find all instances of a particular ad_type in
 ticket or authenticator authdata.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22229
Commit By: tlyu
Revision: 22229
Changed Files:
U   branches/krb5-1-7/src/include/k5-int.h
U   branches/krb5-1-7/src/lib/krb5/krb/Makefile.in
U   branches/krb5-1-7/src/lib/krb5/krb/copy_auth.c
A   branches/krb5-1-7/src/lib/krb5/krb/t_authdata.c


From rt-comment at krbdev.mit.edu  Tue Apr 14 17:07:51 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 14 Apr 2009 21:07:51 +0000 (UTC)
Subject: [krbdev.mit.edu #6464] SVN Commit 
In-Reply-To: <rt-6464@krbdev.mit.edu>
Message-ID: <rt-6464-31006.5.34717956168855@krbdev.mit.edu>


pull up r22100 from trunk

 ------------------------------------------------------------------------
 r22100 | tsitkova | 2009-03-16 14:00:06 -0400 (Mon, 16 Mar 2009) | 2 lines
 Changed paths:
    M /trunk/src/kdc/kdc_util.c
    M /trunk/src/kdc/main.c

 Verify return code from krb5_db_set_mkey_list.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22230
Commit By: tlyu
Revision: 22230
Changed Files:
U   branches/krb5-1-7/src/kdc/kdc_util.c
U   branches/krb5-1-7/src/kdc/main.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 14:59:40 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed, 15 Apr 2009 18:59:40 +0000 (UTC)
Subject: [krbdev.mit.edu #6323] kadmin: rename support 
In-Reply-To: <rt-6323@krbdev.mit.edu>
Message-ID: <rt-6323-31012.12.0443567918643@krbdev.mit.edu>

I am confused about the handling of KRB5_KDB_SALTTYPE_ONLYREALM.  You
appear to be leaving the type alone and filling in the contents with the
realm from the source principal name.  But get_salt_from_key will ignore
the contents when it sees that salt type, so setting the contents won't
have any effect.

From rt-comment at krbdev.mit.edu  Wed Apr 15 15:30:50 2009
From: rt-comment at krbdev.mit.edu (Love Hornquist Astrand via RT)
Date: Wed, 15 Apr 2009 19:30:50 +0000 (UTC)
Subject: [krbdev.mit.edu #6323] kadmin: rename support 
In-Reply-To: <rt-6323@krbdev.mit.edu>
Message-ID: <rt-6323-31013.13.8162713516326@krbdev.mit.edu>

That would be a bug in etype-info, wouldn't it. In pw-salt it does the right thing.

From rt-comment at krbdev.mit.edu  Wed Apr 15 16:06:31 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:06:31 +0000 (UTC)
Subject: [krbdev.mit.edu #6427] SVN Commit 
In-Reply-To: <rt-6427@krbdev.mit.edu>
Message-ID: <rt-6427-31015.4.87129094155783@krbdev.mit.edu>


pull up r22107 from trunk

 ------------------------------------------------------------------------
 r22107 | ghudson | 2009-03-17 17:54:51 -0400 (Tue, 17 Mar 2009) | 8 lines
 Changed paths:
    M /trunk/src/lib/krb5/asn.1/asn1_k_decode.c

 ticket: 6427
 subject: Fix error handling issue in ASN.1 decoder
 tags: pullup
 target_version: 1.7

 In asn1_k_decode.c, check the return value of
 end_sequence_of_no_tagvars_helper.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22231
Commit By: tlyu
Revision: 22231
Changed Files:
U   branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:06:36 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:06:36 +0000 (UTC)
Subject: [krbdev.mit.edu #6431] SVN Commit 
In-Reply-To: <rt-6431@krbdev.mit.edu>
Message-ID: <rt-6431-31017.9.70678368659968@krbdev.mit.edu>


pull up r22112 from trunk

 ------------------------------------------------------------------------
 r22112 | ghudson | 2009-03-20 14:09:19 -0400 (Fri, 20 Mar 2009) | 11 lines
 Changed paths:
    M /trunk/src/config/pre.in
    M /trunk/src/include/Makefile.in
    M /trunk/src/include/kdb.h
    M /trunk/src/lib/kadm5/Makefile.in
    M /trunk/src/lib/kadm5/admin.h

 ticket: 6431
 subject: Install kadmin and kdb headers
 tags: pullup
 target_version: 1.7

 Add disclaimers to the kadmin and kdb headers about the weaker
 stability commitments we make for their APIs, and install them for the
 benefit of users who can tolerate such instability.  (The kadmin
 interface is the real goal here, but the kadmin header includes kdb.h
 so we need to install both.)

http://src.mit.edu/fisheye/changelog/krb5/?cs=22232
Commit By: tlyu
Revision: 22232
Changed Files:
U   branches/krb5-1-7/src/config/pre.in
U   branches/krb5-1-7/src/include/Makefile.in
U   branches/krb5-1-7/src/include/kdb.h
U   branches/krb5-1-7/src/lib/kadm5/Makefile.in
U   branches/krb5-1-7/src/lib/kadm5/admin.h


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:06:45 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:06:45 +0000 (UTC)
Subject: [krbdev.mit.edu #6435] SVN Commit 
In-Reply-To: <rt-6435@krbdev.mit.edu>
Message-ID: <rt-6435-31023.11.691339896827@krbdev.mit.edu>


pull up r22147 from trunk

 ------------------------------------------------------------------------
 r22147 | ghudson | 2009-03-29 22:43:51 -0400 (Sun, 29 Mar 2009) | 5 lines
 Changed paths:
    M /trunk/README
    M /trunk/src/lib/krb5/krb/Makefile.in
    M /trunk/src/lib/krb5/krb/deps
    A /trunk/src/lib/krb5/krb/t_pac.c
    A /trunk/src/lib/krb5/krb/t_princ.c

 ticket: 6435
 subject: Add PAC and principal parsing test cases

 From Heimdal, ported by Luke, further modified by me.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22235
Commit By: tlyu
Revision: 22235
Changed Files:
U   branches/krb5-1-7/README
U   branches/krb5-1-7/src/lib/krb5/krb/Makefile.in
U   branches/krb5-1-7/src/lib/krb5/krb/deps
A   branches/krb5-1-7/src/lib/krb5/krb/t_pac.c
A   branches/krb5-1-7/src/lib/krb5/krb/t_princ.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:06:42 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:06:42 +0000 (UTC)
Subject: [krbdev.mit.edu #6432] SVN Commit 
In-Reply-To: <rt-6432@krbdev.mit.edu>
Message-ID: <rt-6432-31021.0.927668494007534@krbdev.mit.edu>


pull up r22114 from trunk

 ------------------------------------------------------------------------
 r22114 | wfiveash | 2009-03-25 17:12:58 -0400 (Wed, 25 Mar 2009) | 9 lines
 Changed paths:
    M /trunk/src/kadmin/dbutil/kdb5_util.M

 Ticket: 6432
 Subject: Update kdb5_util man page for mkey migration project
 Version_Reported: 1.7
 Target_Version: 1.7
 Tags: pullup

 Updated the kdb5_util command man page to include documentation on new
 subcommands added as a result of the Master Key Migration project.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22234
Commit By: tlyu
Revision: 22234
Changed Files:
U   branches/krb5-1-7/src/kadmin/dbutil/kdb5_util.M


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:06:48 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:06:48 +0000 (UTC)
Subject: [krbdev.mit.edu #6393] SVN Commit 
In-Reply-To: <rt-6393@krbdev.mit.edu>
Message-ID: <rt-6393-31024.19.9167741842782@krbdev.mit.edu>


pull up r22044 from trunk

 ------------------------------------------------------------------------
 r22044 | hartmans | 2009-02-23 11:22:47 -0500 (Mon, 23 Feb 2009) | 10 lines
 Changed paths:
    M /trunk/src/lib/krb5/krb/send_tgs.c

 Ticket: 6393

 send_tgs.c:
 * Move generation of subkey into krb5int_send_tgs from construct_authenticator so that it is available for encrypting authorization data.

 * Initialize rep->message_type and note that rep is touched on
 unsuccessful calls (this has always been true).

 * Do not set *subkey until successful return.
 Thanks to Greg Hudson for pointing out these problems.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22236
Commit By: tlyu
Revision: 22236
Changed Files:
U   branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:06:51 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:06:51 +0000 (UTC)
Subject: [krbdev.mit.edu #6465] SVN Commit 
In-Reply-To: <rt-6465@krbdev.mit.edu>
Message-ID: <rt-6465-31025.1.20925294311995@krbdev.mit.edu>


pull up r22002 from trunk

 ------------------------------------------------------------------------
 r22002 | ghudson | 2009-02-13 17:00:47 -0500 (Fri, 13 Feb 2009) | 4 lines
 Changed paths:
    M /trunk/src/lib/krb5/krb/send_tgs.c

 In tgs_construct_tgsreq, free scratch even if scratch->data is NULL.
 (Which probably can't happen, but static analyzers don't know that.)
 Also protect scratch from being freed before initialization.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22237
Commit By: tlyu
Revision: 22237
Changed Files:
U   branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:06:54 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:06:54 +0000 (UTC)
Subject: [krbdev.mit.edu #6466] SVN Commit 
In-Reply-To: <rt-6466@krbdev.mit.edu>
Message-ID: <rt-6466-31031.10.8958988784095@krbdev.mit.edu>


pull up r22050 from trunk

 ------------------------------------------------------------------------
 r22050 | tsitkova | 2009-02-23 16:26:29 -0500 (Mon, 23 Feb 2009) | 2 lines
 Changed paths:
    M /trunk/src/lib/krb5/krb/send_tgs.c

 Check return code of encode_krb5_ap_req. Also, tabs vs whitespace.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22238
Commit By: tlyu
Revision: 22238
Changed Files:
U   branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:06:56 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:06:56 +0000 (UTC)
Subject: [krbdev.mit.edu #6393] SVN Commit 
In-Reply-To: <rt-6393@krbdev.mit.edu>
Message-ID: <rt-6393-31037.2.0843568219086@krbdev.mit.edu>


pull up r22148 from trunk

 ------------------------------------------------------------------------
 r22148 | hartmans | 2009-03-31 12:50:25 -0400 (Tue, 31 Mar 2009) | 4 lines
 Changed paths:
    M /trunk/src/lib/krb5/krb/send_tgs.c

 ticket: 6393

 in send_tgs.c:
 Encrypt using local_subkey not *subkey

http://src.mit.edu/fisheye/changelog/krb5/?cs=22239
Commit By: tlyu
Revision: 22239
Changed Files:
U   branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:06:39 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:06:39 +0000 (UTC)
Subject: [krbdev.mit.edu #6397] SVN Commit 
In-Reply-To: <rt-6397@krbdev.mit.edu>
Message-ID: <rt-6397-31019.8.51565075183565@krbdev.mit.edu>


pull up r22113 from trunk

 ------------------------------------------------------------------------
 r22113 | ghudson | 2009-03-24 13:24:31 -0400 (Tue, 24 Mar 2009) | 5 lines
 Changed paths:
    M /trunk/src/include/k5-int.h
    M /trunk/src/plugins/preauth/pkinit/pkinit.h
    M /trunk/src/plugins/preauth/pkinit/pkinit_clnt.c
    M /trunk/src/plugins/preauth/pkinit/pkinit_matching.c
    M /trunk/src/plugins/preauth/pkinit/pkinit_srv.c

 Revert r21880 which included k5-int.h in several pkinit source files.
 Instead, move the pkinit-specific KRB5_CONF macros to pkinit.h, and
 add duplicate definitions of the non-pkinit-specific macros used by
 the pkinit code.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22233
Commit By: tlyu
Revision: 22233
Changed Files:
U   branches/krb5-1-7/src/include/k5-int.h
U   branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit.h
U   branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_clnt.c
U   branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_matching.c
U   branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:06:59 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:06:59 +0000 (UTC)
Subject: [krbdev.mit.edu #6467] SVN Commit 
In-Reply-To: <rt-6467@krbdev.mit.edu>
Message-ID: <rt-6467-31038.17.8745264101988@krbdev.mit.edu>


pull up r21893 from trunk

 ------------------------------------------------------------------------
 r21893 | raeburn | 2009-02-05 13:42:10 -0500 (Thu, 05 Feb 2009) | 4 lines
 Changed paths:
    M /trunk/src/include/k5-int.h
    M /trunk/src/lib/kdb/kdb_cpw.c
    M /trunk/src/lib/krb5/krb/bld_pr_ext.c
    M /trunk/src/lib/krb5/krb/copy_data.c
    M /trunk/src/lib/krb5/krb/copy_princ.c
    M /trunk/src/lib/krb5/libkrb5.exports

 Create and use (in several places) a variant of
 krb5int_copy_data_contents that adds a trailing '\0' so the result can
 be used as a C string.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22240
Commit By: tlyu
Revision: 22240
Changed Files:
U   branches/krb5-1-7/src/include/k5-int.h
U   branches/krb5-1-7/src/lib/kdb/kdb_cpw.c
U   branches/krb5-1-7/src/lib/krb5/krb/bld_pr_ext.c
U   branches/krb5-1-7/src/lib/krb5/krb/copy_data.c
U   branches/krb5-1-7/src/lib/krb5/krb/copy_princ.c
U   branches/krb5-1-7/src/lib/krb5/libkrb5.exports


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:07:16 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:07:16 +0000 (UTC)
Subject: [krbdev.mit.edu #1624] SVN Commit 
In-Reply-To: <rt-1624@krbdev.mit.edu>
Message-ID: <rt-1624-31049.2.27445005981529@krbdev.mit.edu>


pull up r22154, r22159, r22160 from trunk

 ------------------------------------------------------------------------
 r22160 | hartmans | 2009-04-02 23:33:01 -0400 (Thu, 02 Apr 2009) | 12 lines
 Changed paths:
    M /trunk/doc/admin.texinfo
    M /trunk/src/appl/bsd/kcmd.c
    M /trunk/src/config-files/krb5.conf.M
    M /trunk/src/lib/krb5/krb/init_ctx.c
    M /trunk/src/lib/krb5/krb/mk_req_ext.c

 ticket: 1624

 Unfortunately, pre-1.7 krshd fails to support keyed checksums because
 it uses the wrong API and wrong key usage.  So, if the auth_context
 has an explicit checksum type set, then respect that.  kcmd sets such
 a checksum type.  Also, because other applications may have the same
 problem, allow the config file variable if set to override the default
 checksum.

 * kcmd.c: Force use of rsa_md5
 * init_ctx.c: do not default  to md5
 * mk_req_ext.c: allow auth_context to override
 ------------------------------------------------------------------------
 r22159 | tlyu | 2009-04-02 19:30:28 -0400 (Thu, 02 Apr 2009) | 3 lines
 Changed paths:
    M /trunk/src/appl/bsd/krlogind.c
    M /trunk/src/appl/bsd/krshd.c

 ticket: 1624

 Fix krshd and krlogind to use krb5_c_verify_checksum.
 ------------------------------------------------------------------------
 r22154 | hartmans | 2009-04-01 14:25:02 -0400 (Wed, 01 Apr 2009) | 8 lines
 Changed paths:
    M /trunk/doc/admin.texinfo
    M /trunk/src/config-files/krb5.conf.M
    M /trunk/src/lib/krb5/krb/mk_req_ext.c
    M /trunk/src/lib/krb5/krb/send_tgs.c

 ticket: 1624
 Target_version: 1.7
 tags: pullup

 Use the preferred checksum for non-DES keys in the kdc_req path and
 all the time in the ap_req checksum path.  This breaks code to support
 DCE versions prior to 1.1 but uses the correct checksum for protocol
 compatibility.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22243
Commit By: tlyu
Revision: 22243
Changed Files:
U   branches/krb5-1-7/doc/admin.texinfo
U   branches/krb5-1-7/src/appl/bsd/kcmd.c
U   branches/krb5-1-7/src/appl/bsd/krlogind.c
U   branches/krb5-1-7/src/appl/bsd/krshd.c
U   branches/krb5-1-7/src/config-files/krb5.conf.M
U   branches/krb5-1-7/src/lib/krb5/krb/init_ctx.c
U   branches/krb5-1-7/src/lib/krb5/krb/mk_req_ext.c
U   branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:07:07 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:07:07 +0000 (UTC)
Subject: [krbdev.mit.edu #6436] SVN Commit 
In-Reply-To: <rt-6436@krbdev.mit.edu>
Message-ID: <rt-6436-31045.15.8456081345891@krbdev.mit.edu>


pull up r22149, r22151, r22153 from trunk

 ------------------------------------------------------------------------
 r22153 | tlyu | 2009-03-31 19:51:48 -0400 (Tue, 31 Mar 2009) | 3 lines
 Changed paths:
    M /trunk/src/lib/krb5/asn.1/asn1_k_decode.c
    M /trunk/src/lib/krb5/asn.1/asn1_k_encode.c
    M /trunk/src/lib/krb5/asn.1/krb5_decode.c
    M /trunk/src/lib/krb5/asn.1/krb5_encode.c

 ticket: 6436

 Make FAST changes build when pkinit is disabled.
 ------------------------------------------------------------------------
 r22151 | hartmans | 2009-03-31 18:35:59 -0400 (Tue, 31 Mar 2009) | 3 lines
 Changed paths:
    M /trunk/src/kdc/do_tgs_req.c

 ticket: 6436

 Initialize request state in the TGS path.
 ------------------------------------------------------------------------
 r22149 | hartmans | 2009-03-31 13:00:41 -0400 (Tue, 31 Mar 2009) | 8 lines
 Changed paths:
    M /trunk/src/Makefile.in
    M /trunk/src/configure.in
    M /trunk/src/include/k5-int-pkinit.h
    M /trunk/src/include/k5-int.h
    M /trunk/src/include/krb5/krb5.hin
    M /trunk/src/include/krb5/preauth_plugin.h
    M /trunk/src/kdc/Makefile.in
    M /trunk/src/kdc/dispatch.c
    M /trunk/src/kdc/do_as_req.c
    M /trunk/src/kdc/do_tgs_req.c
    A /trunk/src/kdc/fast_util.c
    M /trunk/src/kdc/kdc_preauth.c
    M /trunk/src/kdc/kdc_util.c
    M /trunk/src/kdc/kdc_util.h
    M /trunk/src/lib/krb5/asn.1/asn1_k_decode.c
    M /trunk/src/lib/krb5/asn.1/asn1_k_decode.h
    M /trunk/src/lib/krb5/asn.1/asn1_k_encode.c
    M /trunk/src/lib/krb5/asn.1/krb5_decode.c
    M /trunk/src/lib/krb5/error_tables/krb5_err.et
    M /trunk/src/lib/krb5/error_tables/kv5m_err.et
    M /trunk/src/lib/krb5/krb/Makefile.in
    A /trunk/src/lib/krb5/krb/fast.c
    A /trunk/src/lib/krb5/krb/fast.h
    M /trunk/src/lib/krb5/krb/get_in_tkt.c
    M /trunk/src/lib/krb5/krb/gic_opt.c
    M /trunk/src/lib/krb5/krb/kfree.c
    M /trunk/src/lib/krb5/krb/preauth2.c
    M /trunk/src/lib/krb5/libkrb5.exports
    M /trunk/src/lib/krb5/os/accessor.c
    A /trunk/src/plugins/preauth/encrypted_challenge
    A /trunk/src/plugins/preauth/encrypted_challenge/Makefile.in (from /trunk/src/plugins/preauth/cksum_body/Makefile.in:22148)
    A /trunk/src/plugins/preauth/encrypted_challenge/deps (from /trunk/src/ccapi/test/deps:22148)
    A /trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports (from /trunk/src/plugins/preauth/pkinit/pkinit.exports:22148)
    A /trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c
    A /trunk/src/plugins/preauth/fast_factor.h

 ticket: 6436
 subject: Implement FAST from draft-ietf-krb-wg-preauth-framework
 Target_Version: 1.7

 Merge fast branch at 22146 onto trunk

 Implement the kerberos pre-authentication framework FAST feature per
 Projects/FAST on the wiki.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22241
Commit By: tlyu
Revision: 22241
Changed Files:
U   branches/krb5-1-7/src/Makefile.in
U   branches/krb5-1-7/src/configure.in
U   branches/krb5-1-7/src/include/k5-int-pkinit.h
U   branches/krb5-1-7/src/include/k5-int.h
U   branches/krb5-1-7/src/include/krb5/krb5.hin
U   branches/krb5-1-7/src/include/krb5/preauth_plugin.h
U   branches/krb5-1-7/src/kdc/Makefile.in
U   branches/krb5-1-7/src/kdc/dispatch.c
U   branches/krb5-1-7/src/kdc/do_as_req.c
U   branches/krb5-1-7/src/kdc/do_tgs_req.c
A   branches/krb5-1-7/src/kdc/fast_util.c
U   branches/krb5-1-7/src/kdc/kdc_preauth.c
U   branches/krb5-1-7/src/kdc/kdc_util.c
U   branches/krb5-1-7/src/kdc/kdc_util.h
U   branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.c
U   branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_decode.h
U   branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_encode.c
U   branches/krb5-1-7/src/lib/krb5/asn.1/krb5_decode.c
U   branches/krb5-1-7/src/lib/krb5/asn.1/krb5_encode.c
U   branches/krb5-1-7/src/lib/krb5/error_tables/krb5_err.et
U   branches/krb5-1-7/src/lib/krb5/error_tables/kv5m_err.et
U   branches/krb5-1-7/src/lib/krb5/krb/Makefile.in
A   branches/krb5-1-7/src/lib/krb5/krb/fast.c
A   branches/krb5-1-7/src/lib/krb5/krb/fast.h
U   branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c
U   branches/krb5-1-7/src/lib/krb5/krb/gic_opt.c
U   branches/krb5-1-7/src/lib/krb5/krb/kfree.c
U   branches/krb5-1-7/src/lib/krb5/krb/preauth2.c
U   branches/krb5-1-7/src/lib/krb5/libkrb5.exports
U   branches/krb5-1-7/src/lib/krb5/os/accessor.c
A   branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/
A   branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/Makefile.in
A   branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/deps
A   branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports
A   branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c
A   branches/krb5-1-7/src/plugins/preauth/fast_factor.h


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:07:19 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:07:19 +0000 (UTC)
Subject: [krbdev.mit.edu #6438] SVN Commit 
In-Reply-To: <rt-6438@krbdev.mit.edu>
Message-ID: <rt-6438-31051.5.87755469216312@krbdev.mit.edu>


pull up r22168 from trunk

 ------------------------------------------------------------------------
 r22168 | hartmans | 2009-04-03 01:36:25 -0400 (Fri, 03 Apr 2009) | 8 lines
 Changed paths:
    M /trunk/src/kdc/kdc_authdata.c

 ticket: 6438
 Subject: Handle authdata encrypted in subkey
 target_version: 1.7
 tags: pullup

 RFC 4120 requires that if a subkey is present in the TGS request that
 authorization data be encrypted in the subkey.  Our KDC did not handle
 this correctly.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22244
Commit By: tlyu
Revision: 22244
Changed Files:
U   branches/krb5-1-7/src/kdc/kdc_authdata.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:07:25 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:07:25 +0000 (UTC)
Subject: [krbdev.mit.edu #6439] SVN Commit 
In-Reply-To: <rt-6439@krbdev.mit.edu>
Message-ID: <rt-6439-31053.13.6671504618814@krbdev.mit.edu>


pull up r22171 from trunk

 ------------------------------------------------------------------------
 r22171 | hartmans | 2009-04-05 17:11:26 -0400 (Sun, 05 Apr 2009) | 7 lines
 Changed paths:
    M /trunk/src/kdc/do_tgs_req.c

 ticket: 6439
 Subject: Implement KDC side of TGS FAST
 target_version: 1.7
 tags: pullup

 Most of the KDC side of TGS FAST was already present.  This adds
 correct generation of the reply key.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22246
Commit By: tlyu
Revision: 22246
Changed Files:
U   branches/krb5-1-7/src/kdc/do_tgs_req.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:07:14 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:07:14 +0000 (UTC)
Subject: [krbdev.mit.edu #6437] SVN Commit 
In-Reply-To: <rt-6437@krbdev.mit.edu>
Message-ID: <rt-6437-31047.9.3195456320634@krbdev.mit.edu>


pull up r22152 from trunk

 ------------------------------------------------------------------------
 r22152 | hartmans | 2009-03-31 18:36:03 -0400 (Tue, 31 Mar 2009) | 6 lines
 Changed paths:
    M /trunk/src/lib/crypto/etypes.c

 ticket: 6437
 target_version: 1.7
 tags: pullup
 Subject: mark export grade RC4 as weak

 Set the weak enctype flag on the 40-bit RC4.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22242
Commit By: tlyu
Revision: 22242
Changed Files:
U   branches/krb5-1-7/src/lib/crypto/etypes.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:07:35 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:07:35 +0000 (UTC)
Subject: [krbdev.mit.edu #6445] SVN Commit 
In-Reply-To: <rt-6445@krbdev.mit.edu>
Message-ID: <rt-6445-31061.2.0005023393994@krbdev.mit.edu>


pull up r22176 from trunk

 ------------------------------------------------------------------------
 r22176 | tlyu | 2009-04-07 17:22:23 -0400 (Tue, 07 Apr 2009) | 7 lines
 Changed paths:
    M /trunk/src/lib/krb5/asn.1/asn1_decode.c
    M /trunk/src/tests/asn.1/krb5_decode_test.c

 ticket: 6445
 subject: CVE-2009-0846 asn1_decode_generaltime can free uninitialized pointer
 tags: pullup
 target_version: 1.7

 The asn1_decode_generaltime() function can free an uninitialized
 pointer if asn1buf_remove_charstring() fails.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22250
Commit By: tlyu
Revision: 22250
Changed Files:
U   branches/krb5-1-7/src/lib/krb5/asn.1/asn1_decode.c
U   branches/krb5-1-7/src/tests/asn.1/krb5_decode_test.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:07:33 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:07:33 +0000 (UTC)
Subject: [krbdev.mit.edu #6444] SVN Commit 
In-Reply-To: <rt-6444@krbdev.mit.edu>
Message-ID: <rt-6444-31059.12.5948104176884@krbdev.mit.edu>


pull up r22175 from trunk

 ------------------------------------------------------------------------
 r22175 | tlyu | 2009-04-07 17:22:20 -0400 (Tue, 07 Apr 2009) | 14 lines
 Changed paths:
    M /trunk/src/lib/krb5/asn.1/asn1buf.c

 ticket: 6444
 subject: CVE-2009-0847 asn1buf_imbed incorrect length validation
 tags: pullup
 target_version: 1.7

 asn1buf_imbed() can perform pointer arithmetic that causes the "bound"
 pointer of the subbuffer to be less than the "next" pointer.  This can
 lead to malloc() failure or crash.

 In asn1buf_imbed(), check the length before doing arithmetic to set
 subbuf->bound.  In asn1buf_remove_octetstring() and
 asn1buf_remove_charstring(), check for invalid buffer pointers before
 executing an unsigned length check against a (casted to size_t)
 negative number.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22249
Commit By: tlyu
Revision: 22249
Changed Files:
U   branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:07:27 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:07:27 +0000 (UTC)
Subject: [krbdev.mit.edu #6442] SVN Commit 
In-Reply-To: <rt-6442@krbdev.mit.edu>
Message-ID: <rt-6442-31055.3.47980943585092@krbdev.mit.edu>


pull up r22172 from trunk
 ------------------------------------------------------------------------
 r22172 | epeisach | 2009-04-07 13:57:56 -0400 (Tue, 07 Apr 2009) | 9 lines
 Changed paths:
    M /trunk/src/util/ss/help.c

 ticket: 6442
 subject: Null pointer defref in adding info

 Clearly the code is broken - and we either never use it - or callers never pass
 NULL...

 Detected by clang static checker.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22247
Commit By: tlyu
Revision: 22247
Changed Files:
U   branches/krb5-1-7/src/util/ss/help.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:07:31 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:07:31 +0000 (UTC)
Subject: [krbdev.mit.edu #6443] SVN Commit 
In-Reply-To: <rt-6443@krbdev.mit.edu>
Message-ID: <rt-6443-31057.1.27837305033857@krbdev.mit.edu>


pull up r22174 from trunk

 ------------------------------------------------------------------------
 r22174 | tlyu | 2009-04-07 17:22:17 -0400 (Tue, 07 Apr 2009) | 11 lines
 Changed paths:
    M /trunk/src/lib/gssapi/spnego/spnego_mech.c

 ticket: 6443
 subject: CVE-2009-0844 SPNEGO can read beyond buffer end
 tags: pullup
 target_version: 1.7

 SPNEGO can read beyond the end of a buffer if the claimed DER length
 exceeds the number of bytes in the input buffer. This can lead to
 crash or information disclosure.

 Thanks to Apple for reporting this vulnerability and providing
 patches.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22248
Commit By: tlyu
Revision: 22248
Changed Files:
U   branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:07:41 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:07:41 +0000 (UTC)
Subject: [krbdev.mit.edu #6108] SVN Commit 
In-Reply-To: <rt-6108@krbdev.mit.edu>
Message-ID: <rt-6108-31069.19.1591246107807@krbdev.mit.edu>


pull up r22182 from trunk

 ------------------------------------------------------------------------
 r22182 | ghudson | 2009-04-08 11:22:17 -0400 (Wed, 08 Apr 2009) | 9 lines
 Changed paths:
    M /trunk/src/lib/krb5/krb/gic_pwd.c

 ticket: 6108
 tags: pullup
 target_version: 1.7

 When getting initial credentials with a password, try the master if
 preauth fails on a slave, since preauth can fail due to an out-of-date
 key.  This removes a snippet added in r14939 which was considering
 only hardware preauth.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22252
Commit By: tlyu
Revision: 22252
Changed Files:
U   branches/krb5-1-7/src/lib/krb5/krb/gic_pwd.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:07:22 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:07:22 +0000 (UTC)
Subject: [krbdev.mit.edu #6436] SVN Commit 
In-Reply-To: <rt-6436@krbdev.mit.edu>
Message-ID: <rt-6436-31052.8.63561039867157@krbdev.mit.edu>


pull up r22167, r22170 from trunk

 ------------------------------------------------------------------------
 r22170 | hartmans | 2009-04-03 23:03:04 -0400 (Fri, 03 Apr 2009) | 3 lines
 Changed paths:
    M /trunk/src/kdc/fast_util.c
    M /trunk/src/lib/krb5/krb/get_in_tkt.c

 ticket: 6436

 fix logic errors
 ------------------------------------------------------------------------
 r22167 | hartmans | 2009-04-03 00:03:45 -0400 (Fri, 03 Apr 2009) | 3 lines
 Changed paths:
    M /trunk/src/include/k5-int.h
    M /trunk/src/kdc/do_as_req.c
    M /trunk/src/kdc/do_tgs_req.c
    M /trunk/src/kdc/fast_util.c
    M /trunk/src/kdc/kdc_preauth.c
    M /trunk/src/kdc/kdc_util.c
    M /trunk/src/kdc/kdc_util.h
    M /trunk/src/lib/crypto/arcfour/arcfour.c
    M /trunk/src/lib/crypto/arcfour/arcfour.h
    M /trunk/src/lib/crypto/etypes.c
    M /trunk/src/lib/krb5/asn.1/asn1_k_encode.c
    M /trunk/src/lib/krb5/asn.1/krb5_decode.c
    M /trunk/src/lib/krb5/krb/Makefile.in
    M /trunk/src/lib/krb5/krb/fast.c
    M /trunk/src/lib/krb5/krb/fast.h
    M /trunk/src/lib/krb5/krb/get_in_tkt.c
    M /trunk/src/lib/krb5/krb/kfree.c
    M /trunk/src/lib/krb5/krb/preauth2.c
    A /trunk/src/lib/krb5/krb/t_ad_fx_armor.c
    M /trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c

 ticket: 6436

 Merge fast branch at 22166 onto trunk

http://src.mit.edu/fisheye/changelog/krb5/?cs=22245
Commit By: tlyu
Revision: 22245
Changed Files:
U   branches/krb5-1-7/src/include/k5-int.h
U   branches/krb5-1-7/src/kdc/do_as_req.c
U   branches/krb5-1-7/src/kdc/do_tgs_req.c
U   branches/krb5-1-7/src/kdc/fast_util.c
U   branches/krb5-1-7/src/kdc/kdc_preauth.c
U   branches/krb5-1-7/src/kdc/kdc_util.c
U   branches/krb5-1-7/src/kdc/kdc_util.h
U   branches/krb5-1-7/src/lib/crypto/arcfour/arcfour.c
U   branches/krb5-1-7/src/lib/crypto/arcfour/arcfour.h
U   branches/krb5-1-7/src/lib/crypto/etypes.c
U   branches/krb5-1-7/src/lib/krb5/asn.1/asn1_k_encode.c
U   branches/krb5-1-7/src/lib/krb5/asn.1/krb5_decode.c
U   branches/krb5-1-7/src/lib/krb5/krb/Makefile.in
U   branches/krb5-1-7/src/lib/krb5/krb/fast.c
U   branches/krb5-1-7/src/lib/krb5/krb/fast.h
U   branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c
U   branches/krb5-1-7/src/lib/krb5/krb/kfree.c
U   branches/krb5-1-7/src/lib/krb5/krb/preauth2.c
A   branches/krb5-1-7/src/lib/krb5/krb/t_ad_fx_armor.c
U   branches/krb5-1-7/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:07:43 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:07:43 +0000 (UTC)
Subject: [krbdev.mit.edu #6449] SVN Commit 
In-Reply-To: <rt-6449@krbdev.mit.edu>
Message-ID: <rt-6449-31071.19.3932985801464@krbdev.mit.edu>


pull up r22183 from trunk

 ------------------------------------------------------------------------
 r22183 | epeisach | 2009-04-08 11:25:43 -0400 (Wed, 08 Apr 2009) | 11 lines
 Changed paths:
    M /trunk/src/kdc/do_as_req.c

 ticket: 6449
 subject: Fall through on error return

 If decoding the encoded_req_body fails, proceed goto errout instead of falling
 through to fast handling.

 Looks like a merge error.

 Reindented code.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22253
Commit By: tlyu
Revision: 22253
Changed Files:
U   branches/krb5-1-7/src/kdc/do_as_req.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:07:47 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:07:47 +0000 (UTC)
Subject: [krbdev.mit.edu #1165] SVN Commit 
In-Reply-To: <rt-1165@krbdev.mit.edu>
Message-ID: <rt-1165-31073.13.3201968584424@krbdev.mit.edu>


pull up r22184 from trunk

 ------------------------------------------------------------------------
 r22184 | ghudson | 2009-04-08 11:58:24 -0400 (Wed, 08 Apr 2009) | 7 lines
 Changed paths:
    M /trunk/src/lib/krb5/error_tables/krb5_err.et
    M /trunk/src/lib/krb5/krb/mk_priv.c
    M /trunk/src/lib/krb5/krb/mk_safe.c
    M /trunk/src/lib/krb5/krb/rd_priv.c
    M /trunk/src/lib/krb5/krb/rd_safe.c

 ticket: 1165

 mk_safe and mk_priv require the local address to be set in the auth
 context; rd_safe and rd_priv require the remote address to be set.
 Create error codes for both kinds of missing addresses and stop trying
 futilely to handle the cases where they are not set.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22254
Commit By: tlyu
Revision: 22254
Changed Files:
U   branches/krb5-1-7/src/lib/krb5/error_tables/krb5_err.et
U   branches/krb5-1-7/src/lib/krb5/krb/mk_priv.c
U   branches/krb5-1-7/src/lib/krb5/krb/mk_safe.c
U   branches/krb5-1-7/src/lib/krb5/krb/rd_priv.c
U   branches/krb5-1-7/src/lib/krb5/krb/rd_safe.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:07:49 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:07:49 +0000 (UTC)
Subject: [krbdev.mit.edu #6203] SVN Commit 
In-Reply-To: <rt-6203@krbdev.mit.edu>
Message-ID: <rt-6203-31075.9.48979096098149@krbdev.mit.edu>


pull up r22185 from trunk

 ------------------------------------------------------------------------
 r22185 | ghudson | 2009-04-08 12:39:33 -0400 (Wed, 08 Apr 2009) | 8 lines
 Changed paths:
    M /trunk/src/lib/gssapi/generic/gssapi.hin
    M /trunk/src/lib/gssapi/krb5/init_sec_context.c

 ticket: 6203
 tags: pullup
 target_version: 1.7

 Using a patch from Apple, add support for GSS_C_DELEG_POLICY_FLAG,
 which requests delegation only if the ok-as-delegate ticket flag is
 set.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22255
Commit By: tlyu
Revision: 22255
Changed Files:
U   branches/krb5-1-7/src/lib/gssapi/generic/gssapi.hin
U   branches/krb5-1-7/src/lib/gssapi/krb5/init_sec_context.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:07:38 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:07:38 +0000 (UTC)
Subject: [krbdev.mit.edu #6468] SVN Commit 
In-Reply-To: <rt-6468@krbdev.mit.edu>
Message-ID: <rt-6468-31062.3.49850575050617@krbdev.mit.edu>


pull up r22177 from trunk

 ------------------------------------------------------------------------
 r22177 | epeisach | 2009-04-07 19:59:25 -0400 (Tue, 07 Apr 2009) | 10 lines
 Changed paths:
    M /trunk/src/util/support/utf8_conv.c

 ticket:
 Subject k5_utf8s_to_ucs2s could deref NULL pointer...

 Based on usage of this static function, this will never happen as
 results are always malloced (and checked) by caller.  However, the
 function is already coded to handle the first argument being null - so
 be consistent throughout.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22251
Commit By: tlyu
Revision: 22251
Changed Files:
U   branches/krb5-1-7/src/util/support/utf8_conv.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:07:56 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:07:56 +0000 (UTC)
Subject: [krbdev.mit.edu #6452] SVN Commit 
In-Reply-To: <rt-6452@krbdev.mit.edu>
Message-ID: <rt-6452-31081.3.74965576997305@krbdev.mit.edu>


pull up r22188 from trunk
 ------------------------------------------------------------------------
 r22188 | ghudson | 2009-04-10 12:09:19 -0400 (Fri, 10 Apr 2009) | 8 lines
 Changed paths:
    M /trunk/doc/admin.texinfo
    M /trunk/doc/support-enc.texinfo

 ticket: 6452
 subject: Document allow_weak_crypto
 tags: pullup
 target_version: 1.7

 Also document which cryptosystems are defined to be weak, and add some
 enctype entries which weren't in the documentation.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22258
Commit By: tlyu
Revision: 22258
Changed Files:
U   branches/krb5-1-7/doc/admin.texinfo
U   branches/krb5-1-7/doc/support-enc.texinfo


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:07:54 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:07:54 +0000 (UTC)
Subject: [krbdev.mit.edu #6451] SVN Commit 
In-Reply-To: <rt-6451@krbdev.mit.edu>
Message-ID: <rt-6451-31079.11.5168481467506@krbdev.mit.edu>


pull up r22187 from trunk

 ------------------------------------------------------------------------
 r22187 | ghudson | 2009-04-09 13:57:03 -0400 (Thu, 09 Apr 2009) | 9 lines
 Changed paths:
    M /trunk/doc/definitions.texinfo

 ticket: 6451
 subject: Update defaults in documentation
 tags: pullup
 target_version: 1.7

 doc/definitions.texinfo had, predictably, fallen out of date with
 respect to the code.  Update a few of the out of date comments and
 defaults, particularly the default enctype lists.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22257
Commit By: tlyu
Revision: 22257
Changed Files:
U   branches/krb5-1-7/doc/definitions.texinfo


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:07:52 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 20:07:52 +0000 (UTC)
Subject: [krbdev.mit.edu #6450] SVN Commit 
In-Reply-To: <rt-6450@krbdev.mit.edu>
Message-ID: <rt-6450-31077.19.194750618956@krbdev.mit.edu>


pull up r22186 from trunk

 ------------------------------------------------------------------------
 r22186 | epeisach | 2009-04-09 07:53:27 -0400 (Thu, 09 Apr 2009) | 7 lines
 Changed paths:
    M /trunk/src/kdc/main.c

 ticket: 6450
 subject: kdc: handle_referral_params does not return ENOMEM errors
 tags: pullup

 retval was set but never returned.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22256
Commit By: tlyu
Revision: 22256
Changed Files:
U   branches/krb5-1-7/src/kdc/main.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 16:43:02 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed, 15 Apr 2009 20:43:02 +0000 (UTC)
Subject: [krbdev.mit.edu #6323] kadmin: rename support 
In-Reply-To: <rt-6323@krbdev.mit.edu>
Message-ID: <rt-6323-31084.7.33249836589437@krbdev.mit.edu>

return_pw_salt also appears to ignore the contents of the salt for
ONLYREALM, and just fills in the realm of the requested principal.

From rt-comment at krbdev.mit.edu  Wed Apr 15 17:00:25 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 21:00:25 +0000 (UTC)
Subject: [krbdev.mit.edu #6469] SVN Commit 
In-Reply-To: <rt-6469@krbdev.mit.edu>
Message-ID: <rt-6469-31085.14.2341779692313@krbdev.mit.edu>


pull up r22200 from trunk

 ------------------------------------------------------------------------
 r22200 | ghudson | 2009-04-13 15:29:14 -0400 (Mon, 13 Apr 2009) | 3 lines
 Changed paths:
    M /trunk/src/lib/krb5/ccache/cc_file.c

 krb5_fcc_generate_new was destroying a locked mutex in the err_out
 label, which is used for I/O failures.  Unlock the mutex first.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22259
Commit By: tlyu
Revision: 22259
Changed Files:
U   branches/krb5-1-7/src/lib/krb5/ccache/cc_file.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 17:00:29 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 21:00:29 +0000 (UTC)
Subject: [krbdev.mit.edu #6459] SVN Commit 
In-Reply-To: <rt-6459@krbdev.mit.edu>
Message-ID: <rt-6459-31092.17.8372254509693@krbdev.mit.edu>


pull up r22208 from trunk

 ------------------------------------------------------------------------
 r22208 | wfiveash | 2009-04-13 18:15:05 -0400 (Mon, 13 Apr 2009) | 11 lines
 Changed paths:
    M /trunk/src/kadmin/dbutil/kdb5_util.M

 Ticket: 6459
 Subject: Update kdb5_util man page with missing purge_mkeys command
 Version_Reported: 1.7
 Target_Version: 1.7
 Tags: pullup

 While previously updating the kdb5_util command man page to include
 documentation on new subcommands added as a result of the Master Key
 Migration project I missed the purge_mkeys command.  I've added that
 with this commit.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22260
Commit By: tlyu
Revision: 22260
Changed Files:
U   branches/krb5-1-7/src/kadmin/dbutil/kdb5_util.M


From rt-comment at krbdev.mit.edu  Wed Apr 15 17:00:32 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 21:00:32 +0000 (UTC)
Subject: [krbdev.mit.edu #6460] SVN Commit 
In-Reply-To: <rt-6460@krbdev.mit.edu>
Message-ID: <rt-6460-31094.13.7246191276451@krbdev.mit.edu>


pull up r22209 from trunk

 ------------------------------------------------------------------------
 r22209 | hartmans | 2009-04-14 11:05:21 -0400 (Tue, 14 Apr 2009) | 6 lines
 Changed paths:
    M /trunk/src/clients/kinit/kinit.M
    M /trunk/src/clients/kinit/kinit.c

 ticket: 6460
 subject: Implement kinit option for FAST armor ccache
 Target_version: 1.7
 tags: pullup

 Implement the -T option to kinit to specify the FAST armor ccache.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22261
Commit By: tlyu
Revision: 22261
Changed Files:
U   branches/krb5-1-7/src/clients/kinit/kinit.M
U   branches/krb5-1-7/src/clients/kinit/kinit.c


From rt-comment at krbdev.mit.edu  Wed Apr 15 17:00:35 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 15 Apr 2009 21:00:35 +0000 (UTC)
Subject: [krbdev.mit.edu #6461] SVN Commit 
In-Reply-To: <rt-6461@krbdev.mit.edu>
Message-ID: <rt-6461-31096.15.1511561412578@krbdev.mit.edu>


pull up r22210 from trunk

 ------------------------------------------------------------------------
 r22210 | hartmans | 2009-04-14 11:35:12 -0400 (Tue, 14 Apr 2009) | 6 lines
 Changed paths:
    M /trunk/src/kdc/fast_util.c

 ticket: 6461
 Subject: Require fast_req checksum to be keyed
 Target_Version: 1.7
 Tags: pullup

 Since the fast_req checksum is unencrypted, a keyed checksum type needs to be used.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22262
Commit By: tlyu
Revision: 22262
Changed Files:
U   branches/krb5-1-7/src/kdc/fast_util.c


From rt-comment at krbdev.mit.edu  Thu Apr 16 12:46:35 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Thu, 16 Apr 2009 16:46:35 +0000 (UTC)
Subject: [krbdev.mit.edu #6470] SVN Commit 
In-Reply-To: <rt-6470@krbdev.mit.edu>
Message-ID: <rt-6470-31097.6.3572257578587@krbdev.mit.edu>


Change the signature of _make_etype_info_entry to take the canonical
client principal instead of the request structure.  Also fixes the salt
we compute for SALTTYPE_NOREALM keys.

Sending an explicit salt for SALTTYPE_NORMAL keys is believed to be
necessary for some preauth scenarios involving aliases.


http://src.mit.edu/fisheye/changelog/krb5/?cs=22264
Commit By: ghudson
Revision: 22264
Changed Files:
U   trunk/src/kdc/kdc_preauth.c
U   trunk/src/kdc/kdc_util.c


From rt-comment at krbdev.mit.edu  Fri Apr 17 14:56:08 2009
From: rt-comment at krbdev.mit.edu (marussi@lorenzomarussi.it via RT)
Date: Fri, 17 Apr 2009 18:56:08 +0000 (UTC)
Subject: [krbdev.mit.edu #6471] making mit-krb5 with uclibc = error 
In-Reply-To: <rt-6471@krbdev.mit.edu>
Message-ID: <rt-6471-31102.19.5793820364813@krbdev.mit.edu>

hello list.

I'm tryng to make mit-krb5 package in a uclibc environment (gentoo  
based), but I get this error:


making all in appl/gssftp/ftp...
make[3]: Entering directory  
`/var/tmp/portage/app-crypt/mit-krb5-1.6.3-r4/work/krb5-1.6.3/src/appl/gssftp/ftp'
i586-gentoo-linux-uclibc-gcc -DPACKAGE_NAME=\"Kerberos\ 5\"  
-DPACKAGE_TARNAME=\"krb5\" -DPACKAGE_VERSION=\"1.6.3\"  
-DPACKAGE_STRING=\"Kerberos\ 5\ 1.6.3\"  
-DPACKAGE_BUGREPORT=\"krb5-bugs at mit.edu\" -DSTDC_HEADERS=1  
-DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1  
-DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1  
-DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1  
-DHAVE_BT_RSEQ=1 -DKRB5_DNS_LOOKUP_KDC=1 -DKRB5_DNS_LOOKUP_REALM=1  
-DKRB5_DNS_LOOKUP=1 -DHAVE_LIBRESOLV=1 -DHAVE_NS_NAME_UNCOMPRESS=1  
-DHAVE_RES_SEARCH=1 -DHAVE_PRAGMA_WEAK_REF=1 -DDELAY_INITIALIZER=1  
-DCONSTRUCTOR_ATTR_WORKS=1 -DDESTRUCTOR_ATTR_WORKS=1  
-DENABLE_THREADS=1 -DHAVE_PTHREAD=1  
-DHAVE_PTHREAD_RWLOCK_INIT_IN_THREAD_LIB=1 -DUSE_DLOPEN=1  
-DPOSIX_SIGTYPE=1 -Dkrb5_sigtype=void -DPOSIX_SIGNALS=1  
-DUSE_SIGPROCMASK=1 -DWAIT_USES_INT=1 -DHAVE_STDARG_H=1  
-DPOSIX_TERMIOS=1 -DHAVE_UNISTD_H=1 -DHAVE_STDLIB_H=1  
-DHAVE_STRING_H=1 -DHAVE_SYS_SELECT_H=1 -DHAVE_PATHS_H=1  
-DHAVE_STRUCT_UTMP_UT_PID=1 -DHAVE_STRUCT_UTMP_UT_TYPE=1  
-DHAVE_STRUCT_UTMP_UT_HOST=1 -DHAVE_STRUCT_UTMP_UT_EXIT=1  
-DHAVE_SETUTENT=1 -DHAVE_UPDWTMP=1 -DHAVE_GETDTABLESIZE=1  
-DHAVE_GETCWD=1 -DHAVE_GETDTABLESIZE=1 -DHAVE_GETUSERSHELL=1  
-DHAVE_SETEUID=1 -DHAVE_SETREUID=1 -DHAVE_SETRESUID=1  
-DHAVE_STRERROR=1 -DHAVE_GETENV=1 -DHAVE_LIBCRYPT=1 -DHAVE_LIBUTIL=1  
-DHAVE_SHADOW=1 -DHAVE_REGCOMP=1  -DGSSAPI -DFTP_BUFSIZ=65535  
-I../../../include -I./../../../include -I./.. -I.   
-DKRB5_DEPRECATED=1 -DKRB5_PRIVATE=1  -march=k6-2 -Os -pipe  
-fomit-frame-pointer -mmmx -m3dnow -fno-align-functions  
-fno-align-loops -fno-align-jumps -fno-align-labels -finline-functions  
-I/usr/include/et -pthread -c cmds.c
In file included from cmds.c:73:
ftp_var.h:274: error: conflicting types for 'ruserpass'
/usr/include/netdb.h:449: error: previous declaration of 'ruserpass' was here
make[3]: *** [cmds.o] Error 1
make[3]: Leaving directory  
`/var/tmp/portage/app-crypt/mit-krb5-1.6.3-r4/work/krb5-1.6.3/src/appl/gssftp/ftp'
make[2]: *** [all-recurse] Error 1
make[2]: Leaving directory  
`/var/tmp/portage/app-crypt/mit-krb5-1.6.3-r4/work/krb5-1.6.3/src/appl/gssftp'
make[1]: *** [all-recurse] Error 1
make[1]: Leaving directory  
`/var/tmp/portage/app-crypt/mit-krb5-1.6.3-r4/work/krb5-1.6.3/src/appl'
make: *** [all-recurse] Error 1



any idea to resolve this?
I searched in bug-tracking, lists, google.. but I found nothing for this error





From rt-comment at krbdev.mit.edu  Fri Apr 17 17:28:39 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Fri, 17 Apr 2009 21:28:39 +0000 (UTC)
Subject: [krbdev.mit.edu #6470] SVN Commit 
In-Reply-To: <rt-6470@krbdev.mit.edu>
Message-ID: <rt-6470-31104.10.0338173758453@krbdev.mit.edu>


pull up r22264 from trunk

 ------------------------------------------------------------------------
 r22264 | ghudson | 2009-04-16 12:46:33 -0400 (Thu, 16 Apr 2009) | 12 lines
 Changed paths:
    M /trunk/src/kdc/kdc_preauth.c
    M /trunk/src/kdc/kdc_util.c

 ticket: 6470
 subject: Send explicit salt for SALTTYPE_NORMAL keys
 target_version: 1.7
 tags: pullup

 Change the signature of _make_etype_info_entry to take the canonical
 client principal instead of the request structure.  Also fixes the salt
 we compute for SALTTYPE_NOREALM keys.

 Sending an explicit salt for SALTTYPE_NORMAL keys is believed to be
 necessary for some preauth scenarios involving aliases.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22265
Commit By: tlyu
Revision: 22265
Changed Files:
U   branches/krb5-1-7/src/kdc/kdc_preauth.c
U   branches/krb5-1-7/src/kdc/kdc_util.c


From rt-comment at krbdev.mit.edu  Tue Apr 21 14:41:10 2009
From: rt-comment at krbdev.mit.edu (The RT System itself via RT)
Date: Tue, 21 Apr 2009 18:41:10 +0000 (UTC)
Subject: [krbdev.mit.edu #6472] typo in ksu error message 
In-Reply-To: <rt-6472@krbdev.mit.edu>
Message-ID: <rt-6472-31107.17.2365012912294@krbdev.mit.edu>

>From krb5-bugs-incoming-bounces at PCH.mit.edu  Tue Apr 21 18:41:10 2009
Return-Path: <krb5-bugs-incoming-bounces at PCH.mit.edu>
X-Original-To: krb5-send-pr-nospam1 at krbdev.mit.edu
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
	by krbdev.mit.edu (Postfix) with ESMTP id 151A5CCF14;
	Tue, 21 Apr 2009 18:41:10 +0000 (UTC)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n3LIf9gI010353;
	Tue, 21 Apr 2009 14:41:09 -0400
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
	[18.7.21.83])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n3LHtIVg000563
	for <krb5-bugs-incoming at PCH.mit.edu>; Tue, 21 Apr 2009 13:55:18 -0400
Received: from mit.edu (M24-004-BARRACUDA-3.MIT.EDU [18.7.7.114])
	by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id
	n3LHt9N6002030
	for <krb5-bugs at mit.edu>; Tue, 21 Apr 2009 13:55:09 -0400 (EDT)
Received: from mx1.redhat.com (localhost [127.0.0.1])
	by mit.edu (Spam Firewall) with ESMTP id 6FC0B1895AA4
	for <krb5-bugs at mit.edu>; Tue, 21 Apr 2009 13:55:09 -0400 (EDT)
Received: from mx1.redhat.com (mx1.redhat.com [66.187.233.31]) by mit.edu with
	ESMTP id uRg24YdKI6V1ljho for <krb5-bugs at mit.edu>;
	Tue, 21 Apr 2009 13:55:09 -0400 (EDT)
X-Barracuda-Reputation: Registry
Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com
	[172.16.52.254])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id n3LHt8iZ018473
	for <krb5-bugs at mit.edu>; Tue, 21 Apr 2009 13:55:08 -0400
Received: from blade.bos.redhat.com (blade.bos.redhat.com [10.16.0.23])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id n3LHt7im016464
	for <krb5-bugs at mit.edu>; Tue, 21 Apr 2009 13:55:08 -0400
Received: from blade.bos.redhat.com (localhost.localdomain [127.0.0.1])
	by blade.bos.redhat.com (8.14.3/8.14.2) with ESMTP id n3LHt7nV005299
	for <krb5-bugs at mit.edu>; Tue, 21 Apr 2009 13:55:07 -0400
Received: (from nalin at localhost)
	by blade.bos.redhat.com (8.14.3/8.14.3/Submit) id n3LHt79v005297;
	Tue, 21 Apr 2009 13:55:07 -0400
Date: Tue, 21 Apr 2009 13:55:07 -0400
Message-Id: <200904211755.n3LHt79v005297 at blade.bos.redhat.com>
To: krb5-bugs at mit.edu
Subject: typo in ksu error message
From: nalin at redhat.com
X-send-pr-version: 3.99
X-Scanned-By: MIMEDefang 2.42
X-Scanned-By: MIMEDefang 2.58 on 172.16.52.254
X-Spam-Score: 0.55
X-Spam-Flag: NO
X-Mailman-Approved-At: Tue, 21 Apr 2009 14:40:50 -0400
X-BeenThere: krb5-bugs-incoming at mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: nalin at redhat.com
Sender: krb5-bugs-incoming-bounces at PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces at PCH.mit.edu


>Submitter-Id:	net
>Originator:	Nalin Dahyabhai <nalin at redhat.com>
>Organization:
>Confidential:	no
>Synopsis:	typo in ksu error message
>Severity:	non-critical
>Priority:	low
>Category:	krb5-clients
>Class:		change-request
>Release:	1.6.3
>Environment:
	
System: Linux blade.bos.redhat.com 2.6.27.15-170.2.24.fc10.x86_64 #1 SMP Wed Feb 11 23:14:31 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

>Description:
	Marek Mahut (mmahut at redhat.com) pointed out to me that the error
	message on line 182 of src/clients/ksu/krb_auth_su.c has a typo in
	it: "geting" should be "getting".


From rt-comment at krbdev.mit.edu  Tue Apr 21 14:54:33 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 21 Apr 2009 18:54:33 +0000 (UTC)
Subject: [krbdev.mit.edu #6473] strip ok-as-delegate if not in cross-realm TGT
	chain 
In-Reply-To: <rt-6473@krbdev.mit.edu>
Message-ID: <rt-6473-31110.10.2511803078033@krbdev.mit.edu>

The existing implementation of GSS_C_DELEG_POLICY_FLAG does not examine cross-realm 
tickets leading to the service ticket.  Implement Heimdal's solution of stripping ok-as-delegate 
flags inside get_creds if an intervening cross-realm TGT lacks it.

From rt-comment at krbdev.mit.edu  Tue Apr 21 15:34:09 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Tue, 21 Apr 2009 19:34:09 +0000 (UTC)
Subject: [krbdev.mit.edu #6473] strip ok-as-delegate if not in cross-realm
	TGT chain
In-Reply-To: <rt-6473@krbdev.mit.edu>
Message-ID: <rt-6473-31112.9.36713751465483@krbdev.mit.edu>

>>>>> "Tom" == Tom Yu via RT <rt-comment at krbdev.mit.edu> writes:

    Tom> The existing implementation of GSS_C_DELEG_POLICY_FLAG does
    Tom> not examine cross-realm tickets leading to the service
    Tom> ticket.  Implement Heimdal's solution of stripping
    Tom> ok-as-delegate flags inside get_creds if an intervening
    Tom> cross-realm TGT lacks it.

I think this is definitely a good long-term solution.


From rt-comment at krbdev.mit.edu  Tue Apr 21 17:41:04 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Tue, 21 Apr 2009 21:41:04 +0000 (UTC)
Subject: [krbdev.mit.edu #6203] DELEG_POLICY_FLAG for GSS 
In-Reply-To: <rt-6203@krbdev.mit.edu>
Message-ID: <rt-6203-31114.3.04587425225947@krbdev.mit.edu>

Love, do you have code to implement the cross-realm part of this change
in MIT krb5?  (Corresponding to r23846 in Heimdal which strips
ok-as-delegate from cross-realm tickets if the TGT ticket didn't have it.)

If not I will do it myself this week; I just want to make sure I'm not
duplicating effort.

From rt-comment at krbdev.mit.edu  Tue Apr 21 18:04:02 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 21 Apr 2009 22:04:02 +0000 (UTC)
Subject: [krbdev.mit.edu #6203] DELEG_POLICY_FLAG for GSS
In-Reply-To: <rt-6203@krbdev.mit.edu>
Message-ID: <rt-6203-31116.12.1939768275659@krbdev.mit.edu>

"Greg Hudson via RT" <rt-comment at krbdev.mit.edu> writes:

> Love, do you have code to implement the cross-realm part of this change
> in MIT krb5?  (Corresponding to r23846 in Heimdal which strips
> ok-as-delegate from cross-realm tickets if the TGT ticket didn't have it.)
>
> If not I will do it myself this week; I just want to make sure I'm not
> duplicating effort.

I opened RT ticket #6473 for tracking the cross-realm ok-as-delegate
issue.


From rt-comment at krbdev.mit.edu  Tue Apr 21 22:25:13 2009
From: rt-comment at krbdev.mit.edu (Love Hornquist Astrand via RT)
Date: Wed, 22 Apr 2009 02:25:13 +0000 (UTC)
Subject: [krbdev.mit.edu #6203] DELEG_POLICY_FLAG for GSS 
In-Reply-To: <rt-6203@krbdev.mit.edu>
Message-ID: <rt-6203-31118.5.53693005847755@krbdev.mit.edu>

> Love, do you have code to implement the cross-realm part of this change
> in MIT krb5? 

I have no code for MIT Kerberos to do that.

From rt-comment at krbdev.mit.edu  Wed Apr 22 00:34:53 2009
From: rt-comment at krbdev.mit.edu (Roland C. Dowdeswell via RT)
Date: Wed, 22 Apr 2009 04:34:53 +0000 (UTC)
Subject: [krbdev.mit.edu #6317] AutoReply: select(2) if no fds <
	FD_SETSIZE are available. 
In-Reply-To: <rt-6317@krbdev.mit.edu>
Message-ID: <rt-6317-31119.16.4077940635796@krbdev.mit.edu>

On 1231362354 seconds since the Beginning of the UNIX epoch
"krb5" wrote:
>

>	2.  increase the limit to DESIRED_FD_SETSIZE which I define
>	    to be 8192.

Apparently, to do this, one must also modify kdc/network.c to have
the same FD_SETSIZE because it calls krb5int_cm_call_select().
This is a little counter-intuitive as the function is defined in
a file called sendto_kdc.c and is marked internal.

A patch is attached.  This patch is suboptimal because one should
either remove the dependency on krb5int_cm_call_select() or centrally
define the FD_SETSIZE in another header which is included quite
early.  cm.h is not included early enough and putting this sort of
logic in there does not work.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/

Index: kdc/network.c
===================================================================
RCS file: /ms/dev/kerberos/mitkrb5/cvs-dirs/mitkrb5-1.4/mitkrb5/src/kdc/network.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -u -r1.8 -r1.9
--- kdc/network.c	1 Apr 2008 21:09:02 -0000	1.8
+++ kdc/network.c	11 Mar 2009 17:05:10 -0000	1.9
@@ -26,6 +26,25 @@
  * Network code for Kerberos v5 KDC.
  */
 
+/*
+ * We start out by upping the size of FD_SETSIZE.  On rational operating
+ * systems, this is simple.  One simply #defines FD_SETSIZE before including
+ * anything else.  Linux of course does not support this because they are
+ * better than that.  So, we special case things...
+ */
+
+#define DESIRED_FD_SETSIZE     8192
+#ifndef linux
+#define FD_SETSIZE     DESIRED_FD_SETSIZE
+#else
+#include <features.h>
+#if (__GLIBC__ > 2) || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 2)
+#include <bits/types.h>
+#undef __FD_SETSIZE
+#define __FD_SETSIZE DESIRED_FD_SETSIZE
+#endif
+#endif
+
 #define NEED_SOCKETS
 #include "k5-int.h"
 #include "com_err.h"



From rt-comment at krbdev.mit.edu  Wed Apr 22 05:29:38 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed, 22 Apr 2009 09:29:38 +0000 (UTC)
Subject: [krbdev.mit.edu #5596] patch for providing a way to set the
	ok-as-delegate flag 
In-Reply-To: <rt-5596@krbdev.mit.edu>
Message-ID: <rt-5596-31120.17.8280807427041@krbdev.mit.edu>

I've been handed this ticket.

The client side behavior will be handled using GSS_C_DELEG_POLICY_FLAG
as specified in
http://tools.ietf.org/html/draft-lha-gssapi-delegate-policy-04 .  Code
from Apple has already been committed to handle the flag, and I am
working on the cross-realm handling now.  I don't yet have specific
plans to use the flag in any client program.

That leaves the KDC support.  Sam wanted us to use the same user-visible
flag name as the Sandia patch, but I honestly think it will be less
confusing if we remain consistent with the RFC (ok-as-delegate) than if
we use the redundant-seeming "allow-ok-as-delegate" name.  What do the
people from Sandia think?  Will it be particularly traumatic to switch
to a different name for setting the flag in kadmin?

From rt-comment at krbdev.mit.edu  Wed Apr 22 09:30:02 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Wed, 22 Apr 2009 13:30:02 +0000 (UTC)
Subject: [krbdev.mit.edu #6474] SVN Commit 
In-Reply-To: <rt-6474@krbdev.mit.edu>
Message-ID: <rt-6474-31121.15.8575427167332@krbdev.mit.edu>


These binaries have been moved to /usr/bin so their manpages should
move from man8 to man1.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22267
Commit By: hartmans
Revision: 22267
Changed Files:
U   trunk/src/kadmin/cli/Makefile.in
U   trunk/src/kadmin/ktutil/Makefile.in


From rt-comment at krbdev.mit.edu  Wed Apr 22 12:17:49 2009
From: rt-comment at krbdev.mit.edu (Roland C. Dowdeswell via RT)
Date: Wed, 22 Apr 2009 16:17:49 +0000 (UTC)
Subject: [krbdev.mit.edu #6475] Adding keys to malformed keytabs can
	infinitely extend the file 
In-Reply-To: <rt-6475@krbdev.mit.edu>
Message-ID: <rt-6475-31126.19.0411709348152@krbdev.mit.edu>

I have notice that in some conditions, krb5_ktfileint_find_slot() will
get into an infinite loop extending a keytab until it fills the disk.

To recreate this error condition, append a few zeros to the end of an
existing keytab, e.g.:

	$ perl -e 'printf("%c%c%c%c", 0, 0, 0, 0)' >> /tmp/keytab
	$ perl -e 'printf("%c%c%c%c", 0, 0, 0, 0)' >> /tmp/keytab
	$ perl -e 'printf("%c%c%c%c", 0, 0, 0, 0)' >> /tmp/keytab
	$ perl -e 'printf("%c%c%c%c", 0, 0, 0, 0)' >> /tmp/keytab

And then attempt to add a key to it.

I attach a patch which addresses the issue and simplifies the code a
bit.  It could certainly be simplified a little more, of course...

I have only yet run cursory testing on the patch and it appears to
address the issue.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/

Index: krb5/keytab/kt_file.c
===================================================================
RCS file: /ms/dev/kerberos/mitkrb5/cvs-dirs/mitkrb5-1.4/mitkrb5/src/lib/krb5/keytab/kt_file.c,v
retrieving revision 1.1.1.1
diff -u -u -r1.1.1.1 kt_file.c
--- krb5/keytab/kt_file.c	28 Mar 2005 21:43:35 -0000	1.1.1.1
+++ krb5/keytab/kt_file.c	22 Apr 2009 03:43:50 -0000
@@ -1604,11 +1604,8 @@
 krb5_ktfileint_find_slot(krb5_context context, krb5_keytab id, krb5_int32 *size_needed, krb5_int32 *commit_point)
 {
     krb5_int32      size;
-    krb5_int32      remainder;
     krb5_int32      zero_point;
     krb5_kt_vno     kt_vno;
-    krb5_boolean    found = FALSE;
-    char            iobuf[BUFSIZ];
 
     KTCHECKLOCK(id);
     /*
@@ -1621,7 +1618,7 @@
         return KRB5_KT_IOERR;
     }
 
-    while (!found) {
+    for (;;) {
         *commit_point = ftell(KTFILEP(id));
         if (!xfread(&size, sizeof(size), 1, KTFILEP(id))) {
             /*
@@ -1632,86 +1629,62 @@
             /* fseek to synchronise buffered I/O on the key table. */
 	    /* XXX Without the weird setbuf hack, can we nuke this now?  */
             if (fseek(KTFILEP(id), 0L, SEEK_CUR) < 0)
-            {
                 return errno;
-            }
-	    
-#ifdef notdef
-	    /* We don't have to do this because htonl(0) == 0 */
-	    if (KTVERSION(id) != KRB5_KT_VNO_1)
-		    size = htonl(size);
-#endif
-	    
-            if (!xfwrite(&size, sizeof(size), 1, KTFILEP(id))) {
+
+            if (!xfwrite(&size, sizeof(size), 1, KTFILEP(id)))
                 return KRB5_KT_IOERR;
-            }
-            found = TRUE;
+	    break;
         }
 
 	if (KTVERSION(id) != KRB5_KT_VNO_1)
 		size = ntohl(size);
 
-        if (size > 0) {
-            if (fseek(KTFILEP(id), size, SEEK_CUR)) {
-                return errno;
-            }
-        } else if (!found) {
-            size = -size;
-            if (size >= *size_needed) {
-                *size_needed = size;
-                found = TRUE;	
-            } else if (size > 0) {
-                /*
-                 * The current hole is not large enough, so skip it
-                 */
-                if (fseek(KTFILEP(id), size, SEEK_CUR)) {
-                    return errno;
-                }
-            } else {
-
-                 /* fseek to synchronise buffered I/O on the key table. */
-
-                 if (fseek(KTFILEP(id), 0L, SEEK_CUR) < 0)
-                 {
-                     return errno;
-                 }
-
-                /*
-                 * Found the end of the file (marked by a 0 length buffer)
-                 * Make sure we zero any trailing data.
-                 */
-                zero_point = ftell(KTFILEP(id));
-                while ((size = xfread(iobuf, 1, sizeof(iobuf), KTFILEP(id)))) {
-                    if (size != sizeof(iobuf)) {
-                        remainder = size % sizeof(krb5_int32);
-                        if (remainder) {
-                            size += sizeof(krb5_int32) - remainder;
-                        }
-                    }
-
-                    if (fseek(KTFILEP(id), 0L, SEEK_CUR) < 0)
-                    {
-                        return errno;
-                    }
-
-                    memset(iobuf, 0, (size_t) size);
-                    xfwrite(iobuf, 1, (size_t) size, KTFILEP(id));
-		    fflush(KTFILEP(id));
-                    if (feof(KTFILEP(id))) {
-                        break;
-                    }
-
-                    if (fseek(KTFILEP(id), 0L, SEEK_CUR) < 0)
-                    {
-                        return errno;
-                    }
-
-                }
-                if (fseek(KTFILEP(id), zero_point, SEEK_SET)) {
-                    return errno;
-                }
-            }
-        }
+	/* Positive size indicates full, negative indicates empty. */
+
+	if (-size >= *size_needed) {
+	    /* We found a slot which is large enough, return it */
+	    *size_needed = size;
+	    break;
+	}
+
+	/* fseek to synchronise buffered I/O on the key table. */
+	if (fseek(KTFILEP(id), 0L, SEEK_CUR) < 0)
+	     return errno;
+
+	if (size != 0) {
+	    /* Hole is either full or too small, skip it... */
+	    if (fseek(KTFILEP(id), size>0?size:-size, SEEK_CUR) < 0)
+		 return errno;
+	    continue;
+	}
+
+	/*
+	 * Found the end of the file (marked by a 0 length buffer)
+	 * Make sure we zero enough space to contain both our new
+	 * key and include sizeof(krb5_int32) of zero's afterwards
+	 * just in case there are additional extra bytes further on
+	 * in the file...
+	 */
+
+	zero_point = ftell(KTFILEP(id));
+	while (size < (*size_needed + sizeof(krb5_int32))) {
+	    size_t	bufsiz;
+	    char    iobuf[BUFSIZ];
+
+	    bufsiz = (*size_needed + sizeof(krb5_int32));
+	    if (bufsiz > sizeof(iobuf))
+		bufsiz = sizeof(iobuf);
+
+	    memset(iobuf, 0, (size_t) size);
+	    xfwrite(iobuf, 1, bufsiz, KTFILEP(id));
+	    fflush(KTFILEP(id));
+	    if (fseek(KTFILEP(id), 0L, SEEK_CUR) < 0)
+		return errno;
+	    size += bufsiz;
+	}
+	if (fseek(KTFILEP(id), zero_point, SEEK_SET))
+	    return errno;
+	break;
     }
 
     return 0;



From rt-comment at krbdev.mit.edu  Wed Apr 22 12:17:49 2009
From: rt-comment at krbdev.mit.edu (Roland C. Dowdeswell via RT)
Date: Wed, 22 Apr 2009 16:17:49 +0000 (UTC)
Subject: [krbdev.mit.edu #6476] feature: krb5kdc as a wait service. 
In-Reply-To: <rt-6476@krbdev.mit.edu>
Message-ID: <rt-6476-31127.5.37926336344732@krbdev.mit.edu>

Sometimes it is nice to be able to start daemons as a wait service from
inetd or similar program.  This provides some benefits mainly revolving
around being restarted if things go awry.

I attach a small patch which allows for krb5kdc to be started as
a TCP or UDP wait service.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/

Index: main.c
===================================================================
RCS file: /ms/dev/kerberos/mitkrb5/cvs-dirs/mitkrb5-1.4/mitkrb5/src/kdc/main.c,v
retrieving revision 1.2
retrieving revision 1.4
diff -u -r1.2 -r1.4
--- main.c	29 Mar 2005 14:43:21 -0000	1.2
+++ main.c	29 Jan 2007 19:06:18 -0000	1.4
@@ -66,6 +66,7 @@
 void finish_realms (char *);
 
 static int nofork = 0;
+static int nowait = 1;
 static int rkey_init_done = 0;
 
 #ifdef POSIX_SIGNALS
@@ -464,7 +465,7 @@
      * Loop through the option list.  Each time we encounter a realm name,
      * use the previously scanned options to fill in for defaults.
      */
-    while ((c = getopt(argc, argv, "r:d:mM:k:R:e:p:s:n4:X3")) != -1) {
+    while ((c = getopt(argc, argv, "r:d:mM:k:R:e:p:s:nw4:X3")) != -1) {
 	switch(c) {
 	case 'r':			/* realm name for db */
 	    if (!find_realm_data(optarg, (krb5_ui_4) strlen(optarg))) {
@@ -513,6 +514,10 @@
 	    default_tcp_ports = strdup(optarg);
 #endif
 	    break;
+	case 'w':
+	    nowait = 0;
+	    nofork = 1;
+	    break;
 	case '4':
 #ifdef KRB5_KRB4_COMPAT
 	    if (v4mode)
@@ -670,7 +675,13 @@
 	return 1;
     }
 
-    if ((retval = setup_network(argv[0]))) {
+    if (nowait && (retval = setup_network(argv[0]))) {
+	com_err(argv[0], retval, "while initializing network");
+	finish_realms(argv[0]);
+	return 1;
+    }
+
+    if (!nowait && (retval = setup_network_inetd_wait(*argv))) {
 	com_err(argv[0], retval, "while initializing network");
 	finish_realms(argv[0]);
 	return 1;
Index: network.c
===================================================================
RCS file: /ms/dev/kerberos/mitkrb5/cvs-dirs/mitkrb5-1.4/mitkrb5/src/kdc/network.c,v
retrieving revision 1.5
retrieving revision 1.7
diff -u -r1.5 -r1.7
--- network.c	21 Jul 2005 13:12:34 -0000	1.5
+++ network.c	1 Feb 2007 01:18:56 -0000	1.7
@@ -63,6 +63,14 @@
 #include <sys/filio.h>		/* FIONBIO */
 #endif
 
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+
+#ifndef _PATH_DEVNULL
+#define _PATH_DEVNULL "/dev/null"
+#endif
+
 #include "fake-addrinfo.h"
 
 /* Misc utility routines.  */
@@ -675,6 +683,51 @@
 
     return 0;
 }
+
+
+krb5_error_code
+setup_network_inetd_wait(const char *prog)
+{
+    socklen_t len;
+    struct socksetup data;
+    int devnull = open(_PATH_DEVNULL, O_RDWR, 0);
+    int fd;
+    int type;
+
+    data.prog = prog;
+    data.retval = 0;
+
+    fd = dup(STDIN_FILENO);
+
+    /*
+     * Unfortunately, we duplicate code from daemon(3) but can't
+     * reuse it.  We definitely want to bounce the fds about 2 for
+     * obvious reasons.
+     */
+    (void) chdir("/");
+    if (devnull != -1) {
+		(void) dup2(devnull, 0);
+		(void) dup2(devnull, 1);
+		(void) dup2(devnull, 2);
+		if (devnull > 2)
+			(void) close(devnull);
+	}
+
+    len = sizeof(type);
+    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len)) {
+        krb5_klog_syslog(LOG_ERR, "getsockopt(2) error: %m");
+        return -1;	/* XXXrcd: wrong error. */
+    }
+
+    FD_SET(fd, &sstate.rfds);
+    if (fd >= sstate.max)
+	sstate.max = fd + 1;
+    krb5_klog_syslog(LOG_INFO, "listening on fd %d (inetd, type %d)", fd, type);
+    if (type == SOCK_DGRAM)
+        return !add_udp_fd(&data, fd);
+    return !add_tcp_listener_fd(&data, fd);
+}
+
 
 static void init_addr(krb5_fulladdr *faddr, struct sockaddr *sa)
 {



From rt-comment at krbdev.mit.edu  Wed Apr 22 12:20:50 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 22 Apr 2009 16:20:50 +0000 (UTC)
Subject: [krbdev.mit.edu #6474] SVN Commit 
In-Reply-To: <rt-6474@krbdev.mit.edu>
Message-ID: <rt-6474-31129.16.1085955107799@krbdev.mit.edu>


pull up r22267 from trunk

 ------------------------------------------------------------------------
 r22267 | hartmans | 2009-04-22 09:30:00 -0400 (Wed, 22 Apr 2009) | 7 lines
 Changed paths:
    M /trunk/src/kadmin/cli/Makefile.in
    M /trunk/src/kadmin/ktutil/Makefile.in

 Ticket: 6474
 Subject: move kadmin, ktutil, k5srvutil man pages to man1
 Target_Version: 1.7
 Tags: pullup

 These binaries have been moved to /usr/bin so their manpages should
 move from man8 to man1.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22268
Commit By: tlyu
Revision: 22268
Changed Files:
U   branches/krb5-1-7/src/kadmin/cli/Makefile.in
U   branches/krb5-1-7/src/kadmin/ktutil/Makefile.in


From rt-comment at krbdev.mit.edu  Wed Apr 22 12:23:07 2009
From: rt-comment at krbdev.mit.edu (Roland C. Dowdeswell via RT)
Date: Wed, 22 Apr 2009 16:23:07 +0000 (UTC)
Subject: [krbdev.mit.edu #6475] Adding keys to malformed keytabs can
	infinitely extend the file 
In-Reply-To: <rt-6475@krbdev.mit.edu>
Message-ID: <rt-6475-31130.4.26503183845831@krbdev.mit.edu>

On 1240417069 seconds since the Beginning of the UNIX epoch
"krb5" wrote:
>

>+	    bufsiz = (*size_needed + sizeof(krb5_int32));

As it turns out, I made a quite similar mistake.  This line should
actually be:

	    bufsiz = (*size_needed + sizeof(krb5_int32)) - size;

In order to take care of what we've already written.

It might also be better to just fseek(3) out to the right place
and slap the sizeof(krb5_int32) zeros in place and fseek(3) back
to where we originally were.  That would be much more clear but I
didn't read the standards to see if that would be properly portable.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/


From rt-comment at krbdev.mit.edu  Wed Apr 22 14:12:01 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed, 22 Apr 2009 18:12:01 +0000 (UTC)
Subject: [krbdev.mit.edu #5596] patch for providing a way to set the
	ok-as-delegate flag 
In-Reply-To: <rt-5596@krbdev.mit.edu>
Message-ID: <rt-5596-31131.4.39708118241178@krbdev.mit.edu>

During the time this patch has waited, Luke's work added KDC support for
OK_AS_DELEGATE (but no kadmin support for setting the flag). 
Unfortunately, he used a value of 0x00100000 (five zeros after the 1)
while both Red Hat's and Sandia's patch used 0x00010000 (four zeros
after the 1).  I am guessing Luke's chosen value came from Novell.  This
presents a big transition issue for anyone using Red Hat's or Sandia's
code in production.

From rt-comment at krbdev.mit.edu  Wed Apr 22 14:39:14 2009
From: rt-comment at krbdev.mit.edu (nalin@redhat.com via RT)
Date: Wed, 22 Apr 2009 18:39:14 +0000 (UTC)
Subject: [krbdev.mit.edu #5596] patch for providing a way to set the
	ok-as-delegate flag
In-Reply-To: <rt-5596@krbdev.mit.edu>
Message-ID: <rt-5596-31152.17.7166682953428@krbdev.mit.edu>

On Wed, Apr 22, 2009 at 06:12:00PM +0000, Greg Hudson via RT wrote:
> During the time this patch has waited, Luke's work added KDC support for
> OK_AS_DELEGATE (but no kadmin support for setting the flag). 
> Unfortunately, he used a value of 0x00100000 (five zeros after the 1)
> while both Red Hat's and Sandia's patch used 0x00010000 (four zeros
> after the 1).  I am guessing Luke's chosen value came from Novell.  This
> presents a big transition issue for anyone using Red Hat's or Sandia's
> code in production.

We haven't shipped anything with this patch applied, so there shouldn't
be an issue on our end.

Cheers,

Nalin


From rt-comment at krbdev.mit.edu  Thu Apr 23 02:24:54 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Thu, 23 Apr 2009 06:24:54 +0000 (UTC)
Subject: [krbdev.mit.edu #6473] strip ok-as-delegate if not in cross-realm TGT
	chain 
In-Reply-To: <rt-6473@krbdev.mit.edu>
Message-ID: <rt-6473-31154.1.07528384581144@krbdev.mit.edu>

A snag: our KDC never returns ok-as-delegate on a cross-realm TGT. 
Luke's code in do_tgs_req.c does:

    is_referral = krb5_is_tgs_principal(server.princ) &&
        !krb5_principal_compare(kdc_context, tgs_server, server.princ);
    [,..]
    if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE) &&
        !is_referral) {
        /* Ensure that we are not returning a referral */
        setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
    }

I'll ask Luke why he thought that check was appropriate, I guess.

From rt-comment at krbdev.mit.edu  Thu Apr 23 04:42:41 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Thu, 23 Apr 2009 08:42:41 +0000 (UTC)
Subject: [krbdev.mit.edu #6473] SVN Commit 
In-Reply-To: <rt-6473@krbdev.mit.edu>
Message-ID: <rt-6473-31157.6.15027161857391@krbdev.mit.edu>


In krb5_get_cred_via_tkt, strip the ok-as-delegate flag from
credentials obtained using a foreign TGT, unless the TGT also has
ok-as-delegate set.


http://src.mit.edu/fisheye/changelog/krb5/?cs=22272
Commit By: ghudson
Revision: 22272
Changed Files:
U   trunk/src/lib/krb5/krb/gc_via_tkt.c


From rt-comment at krbdev.mit.edu  Fri Apr 24 15:49:55 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Fri, 24 Apr 2009 19:49:55 +0000 (UTC)
Subject: [krbdev.mit.edu #6475] SVN Commit 
In-Reply-To: <rt-6475@krbdev.mit.edu>
Message-ID: <rt-6475-31162.18.4035350995352@krbdev.mit.edu>


In krb5_ktfileint_find_slot, don't continue the loop when we find a
final zero-length buffer.  This is a minimal fix intended to be pulled
up to the 1.7 branch; a code cleanup commit will follow.


http://src.mit.edu/fisheye/changelog/krb5/?cs=22278
Commit By: ghudson
Revision: 22278
Changed Files:
U   trunk/src/lib/krb5/keytab/kt_file.c


From rt-comment at krbdev.mit.edu  Fri Apr 24 17:15:05 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Fri, 24 Apr 2009 21:15:05 +0000 (UTC)
Subject: [krbdev.mit.edu #6475] SVN Commit 
In-Reply-To: <rt-6475@krbdev.mit.edu>
Message-ID: <rt-6475-31164.2.53376880737299@krbdev.mit.edu>


Simplify and shorten krb5_ktfileint_find_slot, and properly handle the
commit_point output parameter.


http://src.mit.edu/fisheye/changelog/krb5/?cs=22279
Commit By: ghudson
Revision: 22279
Changed Files:
U   trunk/src/lib/krb5/keytab/kt_file.c


From rt-comment at krbdev.mit.edu  Sat Apr 25 05:36:12 2009
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Sat, 25 Apr 2009 09:36:12 +0000 (UTC)
Subject: [krbdev.mit.edu #6477] SVN Commit 
In-Reply-To: <rt-6477@krbdev.mit.edu>
Message-ID: <rt-6477-31165.13.3752216546079@krbdev.mit.edu>


Now that we're installing the kadm5 headers, they should be C++-safe
like the others.  Wrap the content in 'extern "C"' if compiling as
C++.  New test program to verify.


http://src.mit.edu/fisheye/changelog/krb5/?cs=22280
Commit By: raeburn
Revision: 22280
Changed Files:
U   trunk/src/lib/kadm5/admin.h
U   trunk/src/tests/misc/Makefile.in
U   trunk/src/tests/misc/deps
A   trunk/src/tests/misc/test_cxx_kadm5.cpp


From rt-comment at krbdev.mit.edu  Mon Apr 27 11:42:25 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Mon, 27 Apr 2009 15:42:25 +0000 (UTC)
Subject: [krbdev.mit.edu #5596] SVN Commit 
In-Reply-To: <rt-5596@krbdev.mit.edu>
Message-ID: <rt-5596-31171.18.0902543438813@krbdev.mit.edu>


Move KRB5_KDB_OK_AS_DELEGATE from kdb_ext.h to kdb.h.  Add kadmin
support for the flag.  In the KDC, remove the restriction on returning
the flag on cross-realm TGTs since there is now a defined meaning for
that (it allows ok-as-delegate to be honored on the foreign realm's
service tickets).


http://src.mit.edu/fisheye/changelog/krb5/?cs=22281
Commit By: ghudson
Revision: 22281
Changed Files:
U   trunk/src/include/kdb.h
U   trunk/src/include/kdb_ext.h
U   trunk/src/kadmin/cli/kadmin.M
U   trunk/src/kadmin/cli/kadmin.c
U   trunk/src/kdc/do_tgs_req.c
U   trunk/src/lib/kadm5/str_conv.c


From rt-comment at krbdev.mit.edu  Tue Apr 28 14:00:14 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Tue, 28 Apr 2009 18:00:14 +0000 (UTC)
Subject: [krbdev.mit.edu #6478] SVN Commit 
In-Reply-To: <rt-6478@krbdev.mit.edu>
Message-ID: <rt-6478-31172.18.7287584280809@krbdev.mit.edu>


Regularize the handling of KRB5_AUTH_CONTEXT_RET_SEQUENCE in
krb5_mk_safe, krb5_mk_priv, and krb5_mk_ncred, using krb5_mk_safe as
a baseline.  RET_SEQUENCE now implies DO_SEQUENCE for all three
functions, the sequence number is always incremented if it is used,
and outdata->seq is always set if RET_SEQUENCE is passed.

Note that in the corresponding rd_ functions, RET_SEQUENCE and
DO_SEQUENCE are independent flags, which is not consistent with the
above.  This compromise is intended to preserve compatibility with
any working code which might exist using the RET_SEQUENCE flag.


http://src.mit.edu/fisheye/changelog/krb5/?cs=22288
Commit By: ghudson
Revision: 22288
Changed Files:
U   trunk/src/lib/krb5/krb/mk_cred.c
U   trunk/src/lib/krb5/krb/mk_priv.c
U   trunk/src/lib/krb5/krb/mk_safe.c


From rt-comment at krbdev.mit.edu  Tue Apr 28 20:31:51 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 29 Apr 2009 00:31:51 +0000 (UTC)
Subject: [krbdev.mit.edu #6472] SVN Commit 
In-Reply-To: <rt-6472@krbdev.mit.edu>
Message-ID: <rt-6472-31179.8.88339352870638@krbdev.mit.edu>


Fix typo in error message reported by Marek Mahut (Red Hat).

http://src.mit.edu/fisheye/changelog/krb5/?cs=22290
Commit By: tlyu
Revision: 22290
Changed Files:
U   trunk/src/clients/ksu/krb_auth_su.c


From rt-comment at krbdev.mit.edu  Wed Apr 29 18:30:00 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Wed, 29 Apr 2009 22:30:00 +0000 (UTC)
Subject: [krbdev.mit.edu #5587] DES PRF
In-Reply-To: <rt-5587@krbdev.mit.edu>
Message-ID: <rt-5587-31180.4.39768023383273@krbdev.mit.edu>

Hi.  In your patch in ticket 5587 you indicated that you  could send along DES diffs if we wanted them.
How difficult would that be to do?
If you can send us DES diffs in the next day or so we'd really appreciate them.

--Sam


From rt-comment at krbdev.mit.edu  Wed Apr 29 19:21:22 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed, 29 Apr 2009 23:21:22 +0000 (UTC)
Subject: [krbdev.mit.edu #6479] SVN Commit 
In-Reply-To: <rt-6479@krbdev.mit.edu>
Message-ID: <rt-6479-31183.13.6578530919021@krbdev.mit.edu>


If DEBUG_ERROR_LOCATIONS is defined, replace uses of
krb5_set_error_message and krb5int_set_error with calls to the new
_fl variants of those functions, and include filename and line number
information in the calls.  Requires C99-style variadic macros if
defined.


http://src.mit.edu/fisheye/changelog/krb5/?cs=22291
Commit By: ghudson
Revision: 22291
Changed Files:
U   trunk/src/include/k5-err.h
U   trunk/src/include/k5-int.h
U   trunk/src/lib/krb5/krb/kerrs.c
U   trunk/src/lib/krb5/libkrb5.exports
U   trunk/src/util/support/errors.c
U   trunk/src/util/support/libkrb5support-fixed.exports


From rt-comment at krbdev.mit.edu  Wed Apr 29 20:38:50 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Thu, 30 Apr 2009 00:38:50 +0000 (UTC)
Subject: [krbdev.mit.edu #6480] SVN Commit 
In-Reply-To: <rt-6480@krbdev.mit.edu>
Message-ID: <rt-6480-31186.3.99950096925998@krbdev.mit.edu>


If the KDC receives unknown pre-authentication data then ignore it.
Do not get into a case where PREAUTH_FAILED is returned because of
unknown pre-authentication.  The main AS loop will cause
PREAUTH_REQUIRED to be returned if the preauth_required flag is set
and no valid preauth is found.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22292
Commit By: hartmans
Revision: 22292
Changed Files:
U   trunk/src/kdc/kdc_preauth.c


From rt-comment at krbdev.mit.edu  Thu Apr 30 11:47:45 2009
From: rt-comment at krbdev.mit.edu (KAMADA Ken'ichi via RT)
Date: Thu, 30 Apr 2009 15:47:45 +0000 (UTC)
Subject: [krbdev.mit.edu #5587] DES PRF
In-Reply-To: <rt-5587@krbdev.mit.edu>
Message-ID: <rt-5587-31191.9.72920925416453@krbdev.mit.edu>

I digged around my old working copies and found this patch.
Please find attached two files.
I do not remember if I did any test on these single-DES etypes.

# I completely forgot about the fact that I have sent this report...

# The changes of prf_length (8 to 16) should be perhaps ignored.
# The PRFs of single-DES etypes do not use them anyway.

Ken'ichi


From rt-comment at krbdev.mit.edu  Thu Apr 30 13:42:51 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Thu, 30 Apr 2009 17:42:51 +0000 (UTC)
Subject: [krbdev.mit.edu #3235] Race condition in lib/krb5/ccache/cc_memory.c 
In-Reply-To: <rt-3235@krbdev.mit.edu>
Message-ID: <rt-3235-31196.4.6078994184294@krbdev.mit.edu>

Fixed in krb5 1.6 by ticket #4805, which uses krb5_cc_new_unique().

From rt-comment at krbdev.mit.edu  Thu Apr 30 15:35:11 2009
From: rt-comment at krbdev.mit.edu (william.fiveash@sun.com via RT)
Date: Thu, 30 Apr 2009 19:35:11 +0000 (UTC)
Subject: [krbdev.mit.edu #6481] kdb ldap integration removed rev/recurse
	kdb5_util dumps 
In-Reply-To: <rt-6481@krbdev.mit.edu>
Message-ID: <rt-6481-31198.4.2815180212127@krbdev.mit.edu>

The integration of the kdb ldap backend removed the rev/recurse options
for kdb5_util dumps for the db2 KDB backend.  I've attached the patch of
the fix used for Solaris krb.

From rt-comment at krbdev.mit.edu  Thu Apr 30 16:17:43 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Thu, 30 Apr 2009 20:17:43 +0000 (UTC)
Subject: [krbdev.mit.edu #5587] SVN Commit 
In-Reply-To: <rt-5587@krbdev.mit.edu>
Message-ID: <rt-5587-31203.16.2116479881322@krbdev.mit.edu>


Implement DES and 3DES PRF. Patch fromKAMADA Ken'ichi

Currently the DES and 3DES PRF output 16-byte results.  This is
consistent with RFC 3961, but we need to confirm it is consistent with
Heimdal and WG decisions.  See IETF 74 minutes for some discussion of
the concern as it applies to AES and thus possibly all simplified
profile enctypes.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22298
Commit By: hartmans
Revision: 22298
Changed Files:
U   trunk/src/lib/crypto/des/Makefile.in
U   trunk/src/lib/crypto/des/des_int.h
A   trunk/src/lib/crypto/des/des_prf.c
U   trunk/src/lib/crypto/etypes.c
U   trunk/src/lib/crypto/t_cf2.comments
U   trunk/src/lib/crypto/t_cf2.expected
U   trunk/src/lib/crypto/t_cf2.in