From rt-comment at krbdev.mit.edu Fri Mar 6 12:26:30 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Fri, 6 Mar 2009 17:26:30 +0000 (UTC)
Subject: [krbdev.mit.edu #6401] SVN Commit

krb5_get_init_creds calls encode_krb5_as_req to produce an encoding for the preauth plugins, then passes the unencoded request structure into the static function send_as_req. That function re-encodes the request. This is an unnecessary call to the encoder. In addition, for the FAST project, it is desirable to encapsulate the unencoded outer request so that krb5_get_init_creds does not need it.

* send_as_req is modified to take an encoded request and realm
* Remove unused logic to fill in request nonce from send_as_req

http://src.mit.edu/fisheye/changelog/krb5/?cs=22067

Commit By: hartmans
Revision: 22067

Changed Files:
U trunk/src/lib/krb5/krb/get_in_tkt.c


From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Fri, 6 Mar 2009 23:57:11 +0000 (UTC)
Subject: [krbdev.mit.edu #4241] SVN Commit

Add "-V" option to klist to print the package name and version, and exit.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22068

Commit By: raeburn
Revision: 22068

Changed Files:
U trunk/src/clients/klist/klist.c

From: rt-comment at krbdev.mit.edu (Richard Evans via RT)
Date: Sun, 8 Mar 2009 20:36:28 +0000 (UTC)
Subject: [krbdev.mit.edu #6402] Invalid initial GSSAPI/SPNEGO token can cause segmentation error or assert failure

I've been testing a Java client using SPNEGO against Apache using mod_auth_kerb. Apache segfaults with this trace:

    #0  0x006ffa25 in spnego_gss_accept_sec_context () from /usr/lib/libgssapi_krb5.so.2
    #1  0x006e3349 in gss_accept_sec_context () from /usr/lib/libgssapi_krb5.so.2
    #2  0x00929769 in kerb_authenticate_user (r=0xb85a1340) at src/mod_auth_kerb.c:1390
    ...

The client code has sent slightly invalid ContextFlags for the reqFlags field in the NegTokenInit (RFC 4178). This is the sequence which causes the crash. Code fragments are from 1.6.3.

In spnego_gss_accept_sec_context:

    if (*context_handle == GSS_C_NO_CONTEXT) {
        ...
        ret = acc_ctx_new(minor_status, input_token, context_handle,
                          verifier_cred_handle, &mechtok_in, &mic_in,
                          &negState, &return_token);
        if (ret != GSS_S_COMPLETE)
            goto cleanup;

The call to acc_ctx_new fails so the cleanup code is run:

    cleanup:
        if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
            tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech,
                                               &mechtok_out, mic_out,
                                               return_token, output_token);

acc_ctx_new initialises return_token to ERROR_TOKEN_SEND and so the cleanup code proceeds with the call to make_spnego_tokenTarg_msg. At this point 'sc' has not been set, so it is still NULL and the reference to sc->internal_mech segfaults.

The acc_ctx_new call fails because get_req_flags rejects the ASN.1 bit string sent by the client for the reqFlags.

I've tested with 1.7-alpha1 and this fails at the cleanup code with an assertion failure:

    assert(sc != NULL);

This client code could cause any server using Kerberos/SPNEGO to fail.

Richard Evans

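The failure Richard describes, reduced to a runnable model, as an added example that is not code from the krb5 tree: a malformed reqFlags BIT STRING makes the context constructor fail before any context exists, and the cleanup path must build its reject reply without touching that context. The enum values, the spnego_ctx and neg_token_resp structs, parse_req_flags, acc_ctx_new_model and make_targ_msg are stand-ins for the real spnego_mech.c internals, and the two sample encodings are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Token/state names follow spnego_mech.c; the numeric values are an assumption. */
enum { NO_TOKEN_SEND, INIT_TOKEN_SEND, CONT_TOKEN_SEND, CHECK_MIC, ERROR_TOKEN_SEND };
enum { ACCEPT_COMPLETED = 0, ACCEPT_INCOMPLETE = 1, REJECT = 2 };
enum { GSS_OK = 0, GSS_DEFECTIVE_TOKEN = 1 };

/* Stand-in for spnego_gss_ctx_id_t: only the field the cleanup path touches. */
typedef struct { const char *internal_mech; } spnego_ctx;

/* What make_spnego_tokenTarg_msg() would encode, kept as a struct instead of DER. */
typedef struct {
    int present;             /* 1 if a NegTokenResp was produced at all */
    int neg_state;
    int has_supported_mech;  /* supportedMech is OPTIONAL in RFC 4178; omitted when mech is NULL */
} neg_token_resp;

/*
 * Model of get_req_flags(): ContextFlags is a DER BIT STRING (tag 0x03, length,
 * unused-bit count, content). DER drops trailing zero bits, so a valid encoding
 * has 0..4 content octets and 0..7 unused bits; anything else is the kind of
 * "slightly invalid" reqFlags the report describes.
 */
static int parse_req_flags(const uint8_t *p, size_t len, uint32_t *flags)
{
    size_t i, clen;
    uint32_t v = 0;

    if (len < 3 || p[0] != 0x03 || p[1] < 1 || p[1] > 5 || (size_t)p[1] + 2 != len)
        return GSS_DEFECTIVE_TOKEN;
    clen = p[1] - 1;
    if (p[2] > 7 || (clen == 0 && p[2] != 0))       /* X.690 unused-bits rules */
        return GSS_DEFECTIVE_TOKEN;
    for (i = 0; i < clen; i++)
        v = (v << 8) | p[3 + i];
    *flags = clen ? v << (8 * (4 - clen)) : 0;       /* left-align to 32 flag bits */
    return GSS_OK;
}

/*
 * Model of acc_ctx_new(): a defective token makes it fail *before* the context
 * exists, so *sc stays NULL while return_token is ERROR_TOKEN_SEND, which is
 * exactly the 1.6.3 state the report describes.
 */
static int acc_ctx_new_model(const uint8_t *tok, size_t len, spnego_ctx **sc,
                             int *neg_state, int *return_token)
{
    static spnego_ctx ctx = { "1.2.840.113554.1.2.2" };  /* krb5 mech OID as text */
    uint32_t flags;

    *sc = NULL;
    *return_token = ERROR_TOKEN_SEND;
    *neg_state = REJECT;
    if (parse_req_flags(tok, len, &flags) != GSS_OK)
        return GSS_DEFECTIVE_TOKEN;
    *sc = &ctx;
    *return_token = INIT_TOKEN_SEND;
    *neg_state = ACCEPT_INCOMPLETE;
    return GSS_OK;
}

/* make_spnego_tokenTarg_msg() stand-in that tolerates a NULL mech on the reject path. */
static void make_targ_msg(int neg_state, const char *mech, neg_token_resp *out)
{
    out->present = 1;
    out->neg_state = neg_state;
    out->has_supported_mech = (mech != NULL);
}

/*
 * Hardened version of the cleanup path. The unpatched code passed
 * sc->internal_mech unconditionally whenever a token was to be sent, and so
 * dereferenced NULL after a failed acc_ctx_new().
 */
int accept_sec_context_model(const uint8_t *tok, size_t len, neg_token_resp *resp)
{
    spnego_ctx *sc = NULL;
    int neg_state = REJECT, return_token = NO_TOKEN_SEND, ret;

    resp->present = 0;
    ret = acc_ctx_new_model(tok, len, &sc, &neg_state, &return_token);
    /* ... on success the inner mechanism would be driven here ... */
    if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
        /* Never assume sc exists on the error path: hand the encoder a NULL
           mech so it omits supportedMech and the peer still gets a REJECT. */
        make_targ_msg(neg_state, sc ? sc->internal_mech : NULL, resp);
    }
    return ret;
}

/* Constructed sample reqFlags encodings (only the BIT STRING, not a whole NegTokenInit). */
static const uint8_t good_flags[] = { 0x03, 0x02, 0x07, 0x80 };  /* delegFlag only; valid DER */
static const uint8_t bad_flags[]  = { 0x03, 0x02, 0x08, 0x80 };  /* 8 "unused" bits: invalid */

/* 1 if a defective token is rejected cleanly: error status, REJECT reply, no supportedMech. */
int demo_defective_token(void)
{
    neg_token_resp r;
    int ret = accept_sec_context_model(bad_flags, sizeof(bad_flags), &r);
    return ret == GSS_DEFECTIVE_TOKEN && r.present && r.neg_state == REJECT && !r.has_supported_mech;
}

/* 1 if a well-formed token yields an ACCEPT_INCOMPLETE reply that names the mechanism. */
int demo_valid_token(void)
{
    neg_token_resp r;
    int ret = accept_sec_context_model(good_flags, sizeof(good_flags), &r);
    return ret == GSS_OK && r.present && r.neg_state == ACCEPT_INCOMPLETE && r.has_supported_mech;
}

int main(void)
{
    printf("defective token handled: %s\n", demo_defective_token() ? "yes" : "no");
    printf("valid token accepted:    %s\n", demo_valid_token() ? "yes" : "no");
    return 0;
}
```

The point of the model is the shape of the fix rather than the ASN.1: whatever the constructor leaves behind on failure (here a NULL sc and ERROR_TOKEN_SEND), the cleanup code must produce the reject reply from values it knows are valid, so an unauthenticated peer cannot choose which half-initialized state the acceptor dereferences.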
From: rt-comment at krbdev.mit.edu (william.fiveash@sun.com via RT)
Date: Mon, 9 Mar 2009 22:54:32 +0000 (UTC)
Subject: [krbdev.mit.edu #6403] kdb5_ldap_util create segfaults when krb5_dbekd_encrypt_key_data() called

I'm seeing a segfault when I run:

    kdb5_ldap_util -P test123 -D "cn=Manager,dc=zone,dc=net" -w test123 create -r ZONE.NET -s

    Core was generated by `kdb5_ldap_util -P test123 -D cn=Manager,dc=zone,dc=net -w test123 create -r ZON'.
    Program terminated with signal 11, Segmentation fault.
    #0  0xfeef873d in krb5_dbekd_encrypt_key_data (kcontext=0x80876c8, mkey=0x80479e0, dbkey=0x809ac1c, keysalt=0x0, keyver=1, key_data=0x8098940) at ../../../migrate_bugfix/src/lib/kdb/kdb5.c:3052
    3052        status =
    (gdb) where
    #0  0xfeef873d in krb5_dbekd_encrypt_key_data (kcontext=0x80876c8, mkey=0x80479e0, dbkey=0x809ac1c, keysalt=0x0, keyver=1, key_data=0x8098940) at ../../../migrate_bugfix/src/lib/kdb/kdb5.c:3052
    #1  0x08057b40 in kdb_ldap_create_principal (context=0x80876c8, princ=0x8099cc0, op=MASTER_KEY, pblock=0x806ec1c) at ../../../../../migrate_bugfix/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:2503
    #2  0x08055ddc in kdb5_ldap_create (argc=2, argv=0x809df88) at ../../../../../migrate_bugfix/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:700
    #3  0x08054248 in main (argc=0, argv=0x8047b00) at ../../../../../migrate_bugfix/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:614

    3052        status =
    3053            dal_handle->lib_handle->vftabl.dbekd_encrypt_key_data(kcontext,
    3054                mkey, dbkey, keysalt, keyver, key_data);
    (gdb) print dal_handle->lib_handle
    $1 = 0x0

In src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:main() there is this to initialize dal_handle:

    /* Setup DAL handle to access the database */
    dal_handle = calloc((size_t)1, sizeof(kdb5_dal_handle));
    if (dal_handle == NULL) {
        goto cleanup;
    }
    dal_handle->db_context = ldap_context;
    util_context->dal_handle = dal_handle;
    ldap_context = NULL;

    db_retval = krb5_ldap_read_server_params(util_context, conf_section,
                                             KRB5_KDB_SRV_TYPE_OTHER);
    if (db_retval) {
        com_err(progname, db_retval, "while reading ldap configuration");
        exit_status++;
        goto cleanup;
    }

    if (cmd->opendb) {
        db_retval = krb5_ldap_db_init(util_context,
                                      (krb5_ldap_context *)dal_handle->db_context);
        if (db_retval) {
            com_err(progname, db_retval, "while initializing database");
            exit_status++;
            goto cleanup;
        }
        db_inited = TRUE;
    }

    (*cmd->func)(cmd_argc, cmd_argv);

Note that dal_handle->lib_handle isn't being initialized. krb5_dbekd_encrypt_key_data() used to be in lib/krb5/kdb/encrypt_key.c and did not call dal_handle->lib_handle->vftabl.dbekd_encrypt_key_data(). Now krb5_dbekd_encrypt_key_data() is in src/lib/kdb/kdb5.c and is calling dal_handle->lib_handle->vftabl.dbekd_encrypt_key_data(). I think this was introduced by ticket 6313.


From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Tue, 10 Mar 2009 00:07:18 +0000 (UTC)
Subject: [krbdev.mit.edu #6404] kdb5_ldap_util broken by virtualization of krb5_dbekd_encrypt_key_data

The merge of Luke's code in r21690 changed krb5_dbekd_encrypt_key_data into a virtual function indirecting through lib_handle. This breaks kdb5_ldap_util, which uses a dal_handle with a NULL lib_handle and makes direct calls to libkdb_ldap and (formerly) non-virtual functions in libkdb. The reason for using this faked-up dal_handle is that there is possibly no valid LDAP back end to open.

Sam's opinion is that the best fix is to expose kdb_setup_lib_handle, thus allowing kdb5_util to set up a dal_handle with a valid lib_handle (and then fill in the db_context itself, as it does now). There is also the option of using a krb5_db_create or krb5_db_open depending on the kdb5_ldap_util operation, and adjusting the code accordingly.

From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Tue, 10 Mar 2009 01:28:14 +0000 (UTC)
Subject: [krbdev.mit.edu #6403] SVN Commit

Rename kdb_setup_lib_handle to krb5_db_setup_lib_handle and export it. Make kdb5_ldap_util work again by calling this function to set up dal_handle instead of using one with an uninitialized lib_handle.

It is likely that kdb5_ldap_util will only function given a krb5.conf which specifies a realm with an LDAP database module as the default realm. Not sure if that was the case before.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22071

Commit By: ghudson
Revision: 22071

Changed Files:
U trunk/src/include/kdb.h
U trunk/src/lib/kdb/kdb5.c
U trunk/src/lib/kdb/libkdb5.exports
U trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c


From: rt-comment at krbdev.mit.edu (william.fiveash@sun.com via RT)
Date: Tue, 10 Mar 2009 18:27:26 +0000 (UTC)
Subject: [krbdev.mit.edu #6405] fixing several bugs relating to the migrate mkey project using a LDAP KDB

While testing the migrate mkey functionality when a LDAP KDB is in use I noticed these commands failed:

    kdb5_util add_mkey
    kdb5_util update_princ_encryption -f
    kdb5_util -x "binddn=cn=adm-service,dc=zone,dc=net" purge_mkeys -f

I have a small patch which fixes these issues and also removes some dead code that was introduced by the migrate mkey project.

From: rt-comment at krbdev.mit.edu (william.fiveash@sun.com via RT)
Date: Tue, 10 Mar 2009 20:26:25 +0000 (UTC)
Subject: [krbdev.mit.edu #6405] SVN Commit

Several small fixes to enable the migrate mkey commands to work properly with a LDAP KDB. See the ticket for more details.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22073

Commit By: wfiveash
Revision: 22073

Changed Files:
U trunk/src/kadmin/dbutil/kdb5_mkey.c
U trunk/src/lib/kdb/kdb5.c
U trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c


From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Wed, 11 Mar 2009 21:38:19 +0000 (UTC)
Subject: [krbdev.mit.edu #6406] useless error message from krb5kdc

A minor typo in a config file caused a useless error message to be displayed. It probably should've said something about not finding a definition for the database module "opeldap_ldapconf".

Begin forwarded message:

> From: Mathew Rowley
> Date: March 11, 2009 14:39:14 EDT
> To: Mathew Rowley , "kerberos at mit.edu"
> Subject: Re: Forgetting something? krb5kdc: No such file or directory - while initializing database for realm COMCAST.COM
> X-Spam-Score: -0.963
>
> My problem was actually a typo. In my realm, I had:
>
>     database_module = opeldap_ldapconf
>
> Which did not match 'opeNldap_ldapconf'
>
> MAT
>
> On 3/11/09 9:15 AM, "Mathew Rowley" wrote:
>
>> I am trying to start up a freshly installed/configured MIT kerberos (1.6.1-31) implementation, but I am obviously missing something. I am using an LDAP backend, but the service will not start. Here is what I have done, can anyone see something I am missing? Or know of a way I can get more logging? Thanks.
>>
>> 1. Modified /var/kerberos/krb5kdc/krb.conf to set up the realm
>>
>> 2. Modified /etc/krb5.conf to include ldap information:
>>
>>     [dbdefaults]
>>         ldap_kerberos_container_dn = cn=krbcontainer,dc=comcast,dc=com
>>     [dbmodules]
>>         openldap_ldapconf = {
>>             db_library = kldap
>>             ldap_kerberos_container_dn = cn=krbcontainer,dc=comcast,dc=com
>>             ldap_kdc_dn = "cn=kdc,dc=comcast,dc=com"
>>             # this object needs to have read rights on
>>             # the realm container, principal container and realm sub-trees
>>             ldap_kadmind_dn = "cn=kadmin,dc=comcast,dc=com"
>>             # this object needs to have read and write rights on
>>             # the realm container, principal container and realm sub-trees
>>             ldap_service_password_file = /var/kerberos/krb5kdc/kdc5.keyfile
>>             ldap_servers = ldap://kdc01.security.lab.comcast.net
>>             ldap_conns_per_server = 5
>>         }
>>
>> 3. Created the ldap users (kadmin, kdc)
>>
>> 4. Initialized the ldap backend with kdb5_ldap_util (kdb5_ldap_util -H ldap://10.252.152.78 -D 'cn=manager,dc=comcast,dc=com' create -subtrees 'dc=comcast,dc=com' -r COMCAST.NET -s)
>>
>> 5. Stashed kadmin and kdc passwords in /var/kerberos/krb5kdc/kdc5.keyfile using kdb5_ldap_util (kdb5_ldap_util stashsrvpw -f /var/kerberos/krb5kdc/kdc5.keyfile 'cn=kadmin,dc=comcast,dc=com')
>>
>> 6. Modified ldap ACL according to http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html but with my kadmin/kdc name and my dn (using ldap 2.4.15 - with new cn=config):
>>
>>     olcAccess: to dn.base="" by * read
>>     olcAccess: to dn.base="cn=Subschema" by * read
>>     olcAccess: to attrs=userPassword,userPKCS12 by self write by * read
>>     olcAccess: to dn.subtree="dc=comcast,dc=com" by dn.exact="cn=kdc,dc=comcast,dc=com" read by dn.exact="cn=kadmin,dc=comcast,dc=com" write by * none
>>     olcAccess: to dn.subtree="cn=COMCAST.COM,cn=krbcontainer,dc=comcast,dc=com" by dn.exact="cn=kdc,dc=comcast,dc=com" read by dn.exact="cn=kadmin,dc=comcast,dc=com" write by * none
>>     olcAccess: to * by * read
>>
>> 7. Confirmed I can ldapsearch with kadmin and kdc ldap users
>>
>> 8. Tried to start krb5kdc - /etc/init.d/krb5kdc start:
>>
>>     [root at kdc01 krb5kdc]# /etc/init.d/krb5kdc start
>>     Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm COMCAST.COM - see log file for details
>>     [FAILED]
>>     [root at kdc01 krb5kdc]# cat /var/log/krb5kdc.log
>>     krb5kdc: No such file or directory - while initializing database for realm COMCAST.COM
>>
>> Any ideas? Thanks for any help.
>>
>> --
>> MAT
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
> --
> MAT
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed, 11 Mar 2009 21:59:17 +0000 (UTC)
Subject: [krbdev.mit.edu #6406] useless error message from krb5kdc

I thought I was going to fix this with the commits I'm working on, but it turns out it's a different problem. (The code returning ENOENT isn't setting an error message.) Releasing this ticket for now.


From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed, 11 Mar 2009 22:11:08 +0000 (UTC)
Subject: [krbdev.mit.edu #6407] SVN Commit

The krb5_copy_error_state macro wasn't used, didn't work, and didn't need to be a macro. Replace it with an exported API function named krb5_copy_error_message.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22078

Commit By: ghudson
Revision: 22078

Changed Files:
U trunk/src/include/k5-int.h
U trunk/src/include/krb5/krb5.hin
U trunk/src/lib/krb5/krb/kerrs.c
U trunk/src/lib/krb5/libkrb5.exports


From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed, 11 Mar 2009 22:14:26 +0000 (UTC)
Subject: [krbdev.mit.edu #6408] SVN Commit

We were losing verbose error messages when logging from the KDC because the context passed to krb5_klog_init did not match the realm-specific context used for most library function calls. Introduce a wrapper function kdc_err which copies the error state from the call context to the log context. The wrapper function also knows the program name, which removes the need to pass argv[0] around everywhere or make up program names.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22079

Commit By: ghudson
Revision: 22079

Changed Files:
U trunk/src/kdc/do_tgs_req.c
U trunk/src/kdc/kdc_preauth.c
U trunk/src/kdc/kdc_util.h
U trunk/src/kdc/main.c
U trunk/src/kdc/network.c

From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Thu, 12 Mar 2009 00:35:21 +0000 (UTC)
Subject: [krbdev.mit.edu #6409] use of fsync

Seeing some stuff Ted's written up at https://bugs.edge.launchpad.net/ubuntu/+source/linux/+bug/317781 reminds me... we've got various places where we write out new versions of files and rename them into place, but we don't call fsync or fdatasync in all of them to ensure that the new file is safely on disk before we kill the old one. It would be a shame if a system crash while using "kdb5_ldap_util stashsrvpw" to add a new password entry caused the old password entries to get lost.

We should check other cases... calls to rename(), or open() with O_TRUNC (to rewrite a file in place, which may also be risky depending on the file) would be a good place to start. We don't have a lot of them, and a bunch are within the db2 code, which is probably already doing the fsync reasonably.

Ken


From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Thu, 12 Mar 2009 16:48:17 +0000 (UTC)
Subject: [krbdev.mit.edu #6412] SVN Commit

When allocating storage for the header buffer, update the internal output buffer pointer as well.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22081

Commit By: raeburn
Revision: 22081

Changed Files:
U trunk/src/lib/gssapi/krb5/k5sealv3iov.c

From: rt-comment at krbdev.mit.edu (Arlene Berry via RT)
Date: Thu, 12 Mar 2009 21:26:37 +0000 (UTC)
Subject: [krbdev.mit.edu #6402] Invalid initial GSSAPI/SPNEGO token can cause segmentation error or assert failure

This fixed 1.6.3 for us. I changed the call so that it doesn't dereference a NULL pointer and altered make_spnego_tokenTarg_msg to allow for no mechanism since there may not be one when rejecting the request.

--- spnego_mech.c (revision xxxxx)
+++ spnego_mech.c (working copy)
@@ -1269,7 +1269,8 @@ } cleanup: if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { - tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech, + tmpret = make_spnego_tokenTarg_msg(negState, + sc ? sc->internal_mech : NULL, &mechtok_out, mic_out, return_token, output_token, 0);
@@ -2504,7 +2505,7 @@ * If this is the initial token, include length of * mech_type and the negotiation result fields. */ - if (sendtoken == INIT_TOKEN_SEND) { + if (sendtoken == INIT_TOKEN_SEND && mech_wanted) { int mechlistTokenSize; /* * 1 byte for the CONTEXT ID(0xa0),
@@ -2605,7 +2606,7 @@ goto errout; } } - if (sendtoken == INIT_TOKEN_SEND) { + if (sendtoken == INIT_TOKEN_SEND && mech_wanted) { /* * Next, is the Supported MechType */


From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Thu, 12 Mar 2009 21:33:25 +0000 (UTC)
Subject: [krbdev.mit.edu #6402] Invalid initial GSSAPI/SPNEGO token can cause segmentation error or assert failure

"Arlene Berry via RT" writes:

> This fixed 1.6.3 for us. I changed the call so that it doesn't
> dereference a NULL pointer and altered make_spnego_tokenTarg_msg to
> allow for no mechanism since there may not be one when rejecting the
> request.

[...]

Actually, based on discussion on the krbdev list, I had come up with this shorter patch. Do you find any particular reasons to prefer one over the other?

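Review bot: in the first hunk of Arlene Berry's patch (the spnego_gss_accept_sec_context cleanup), `sc ? sc->internal_mech : NULL` stops the null dereference, but the same call still hands make_spnego_tokenTarg_msg the `negState`, `&mechtok_out` and `mic_out` values as left behind by the acc_ctx_new() call that just failed; on this error path the reply should be built from known values (REJECT, an empty mech token, no MIC) rather than from whatever the constructor had or had not set before it bailed out, so either force them here before the call or assert them, and say in the patch description that the reject reply is now sent without supportedMech.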
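Review bot: in the second hunk (the length computation in make_spnego_tokenTarg_msg), guarding on `mech_wanted` silently turns supportedMech into an omitted field; RFC 4178 does declare it OPTIONAL, so the encoding stays valid, but nothing in the hunk ties the omission to the reject case, so a comment next to `if (sendtoken == INIT_TOKEN_SEND && mech_wanted) {` stating that a NULL mech_wanted is only expected when negState is REJECT would stop a later caller from sending an accept-incomplete first reply with no mechanism in it.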
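Review bot: the third hunk repeats the `sendtoken == INIT_TOKEN_SEND && mech_wanted` test from the second, and the two must stay identical or the length computed for the buffer no longer matches what is encoded into it; compute it once near the top of the function (for example `int send_mech = (sendtoken == INIT_TOKEN_SEND && mech_wanted != NULL);`) and use that in both places so a future edit to one guard cannot desynchronize them.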
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -1248,7 +1248,8 @@ spnego_gss_accept_sec_context(void *ct, &negState, &return_token); } cleanup: - if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { + if (return_token == INIT_TOKEN_SEND || + return_token == CONT_TOKEN_SEND) { tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech, &mechtok_out, mic_out, return_token,


From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Thu, 12 Mar 2009 21:36:43 +0000 (UTC)
Subject: [krbdev.mit.edu #6413] pkinit thread safety

Begin forwarded message:

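Review bot: on Tom Yu's spnego_mech.c hunk above, narrowing the cleanup to `return_token == INIT_TOKEN_SEND || return_token == CONT_TOKEN_SEND` removes the crash only because acc_ctx_new() never returns either of those values without having set up sc; the call on the following context line still reads `sc->internal_mech` unguarded, so that invariant should be written down next to the condition (a one-line comment, or the `assert(sc != NULL)` the 1.7 tree already carries) so a later change to acc_ctx_new() cannot quietly reintroduce the null dereference. It is also a behaviour change worth a sentence in the commit message: a defective initial token now yields no NegTokenResp at all, where the old code tried to send an ERROR_TOKEN_SEND reject.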
> From: Mark Phalan
> Date: March 12, 2009 17:13:40 EDT
> To: Ken Raeburn
> Cc: Nikhil Mishra , krbdev at mit.edu
> Subject: Re: Is MIT kerberos thread safe ??
> X-Spam-Score: 0.00
>
> On 12 Mar 2009, at 17:43, Ken Raeburn wrote:
>
>> On Mar 12, 2009, at 08:55, Nikhil Mishra wrote:
>>> As the subject says, is MIT kerberos thread safe?
>>> My device is a high performance network appliance and I need to analyze the thread-safeness of the MIT kerberos library.
>>
>> The 1.6.x releases should be thread-safe provided certain objects are not shared across threads for simultaneous use, primarily the Kerberos and GSSAPI context types. Various other objects, especially the simpler ones like krb5_data and krb5_principal, and most of the structures exposed in our API, can be shared as long as both uses are read-only. Some more complex, opaque types like krb5_ccache, and most if not all internal static data, have internal locking performed within the libraries, so that they can be used from multiple threads without corruption.
>>
>> Unfortunately, we don't have documentation written up on *exactly* what can be shared across threads and when, but "never share contexts, and share other stuff only as inputs not outputs" is a good guideline.
>>
>> And, all the above said, there could of course be bugs; if you run into anything, we'd like to know.
>
> The PKINIT plugin is a problem if it is used in multiple threads due to its use of OpenSSL.
>
> -M

From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Thu, 12 Mar 2009 21:38:49 +0000 (UTC)
Subject: [krbdev.mit.edu #6414] kprop uses unsafe temporary files

Noticed while doing a build thanks to a linker warning:

    /*
     * Initialize cache file which we're going to be using
     */
    (void) mktemp(tkstring);
    snprintf(buf, sizeof(buf), "FILE:%s", tkstring);


From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Thu, 12 Mar 2009 22:06:36 +0000 (UTC)
Subject: [krbdev.mit.edu #6412] SVN Commit

Better fix: Delay setting 'outbuf' until after the header buffer might have been allocated locally, and set it in both code paths instead of just the confidentiality-requested code path.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22082

Commit By: raeburn
Revision: 22082

Changed Files:
U trunk/src/lib/gssapi/krb5/k5sealv3iov.c


From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Fri, 13 Mar 2009 03:10:14 +0000 (UTC)
Subject: [krbdev.mit.edu #6415] SVN Commit

In cases where the salt is derived from the client principal, use the canonicalized principal received from the KDC to determine the salt. Further changes are probably required for some preauth cases.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22083

Commit By: ghudson
Revision: 22083

Changed Files:
U trunk/src/lib/krb5/krb/get_in_tkt.c

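Two tickets above point at the same piece of file handling: #6409 (new versions of files renamed into place without an fsync, the stashsrvpw keyfile being the worrying case) and #6414 (kprop naming its temporary credential cache with mktemp). Here is the replacement sequence both call for, as an added example that is not kprop's or kdb5_ldap_util's code: a unique temp file created with mkstemp in the target's directory, fsync of the file, rename over the target, fsync of the directory. It assumes a POSIX system; the names safe_replace_file and safe_replace_demo, the demo path /tmp/stashsrvpw_demo_XXXXXX and the two "entry" strings are mine.

```c
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/*
 * Replace `path` with `len` bytes of `data` so that after a crash the file
 * holds either the complete old contents or the complete new contents:
 *   1. mkstemp() (O_CREAT|O_EXCL, mode 0600) in the *same directory*, never
 *      mktemp(): the name cannot be guessed and pre-created or symlinked;
 *   2. write, then fsync() the temp file so its data reaches the disk;
 *   3. rename() over the target, which POSIX makes atomic;
 *   4. fsync() the directory so the rename itself is durable.
 * Returns 0 on success, -1 with errno set on failure (temp file removed).
 */
int safe_replace_file(const char *path, const void *data, size_t len, mode_t mode)
{
    char tmp[4096], dir[4096];
    const char *p = data, *slash;
    size_t dlen;
    int fd, dfd;

    if (snprintf(tmp, sizeof(tmp), "%s.XXXXXX", path) >= (int)sizeof(tmp)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    slash = strrchr(path, '/');
    dlen = slash ? (size_t)(slash - path) : 0;
    if (dlen >= sizeof(dir)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dir, path, dlen);
    dir[dlen] = '\0';
    if (dlen == 0)
        strcpy(dir, slash ? "/" : ".");

    fd = mkstemp(tmp);                       /* step 1: unique, exclusive, 0600 */
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0)
        goto fail;
    while (len > 0) {                        /* step 2: write it all, then fsync */
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            goto fail;
        }
        p += n;
        len -= (size_t)n;
    }
    if (fsync(fd) != 0)
        goto fail;
    if (close(fd) != 0) {
        fd = -1;
        goto fail;
    }
    if (rename(tmp, path) != 0) {            /* step 3: atomic switch-over */
        fd = -1;
        goto fail;
    }
    dfd = open(dir, O_RDONLY | O_DIRECTORY); /* step 4: make the new entry durable */
    if (dfd < 0)
        return -1;
    if (fsync(dfd) != 0) {
        close(dfd);
        return -1;
    }
    return close(dfd);

fail:
    if (fd >= 0)
        close(fd);
    unlink(tmp);
    return -1;
}

/* Round trip in a fresh temp dir: write one entry, replace with two, read back. 0 on success. */
int safe_replace_demo(void)
{
    static const char v1[] = "old-entry\n";            /* constructed sample content */
    static const char v2[] = "old-entry\nnew-entry\n";
    char dir[] = "/tmp/stashsrvpw_demo_XXXXXX";
    char path[4200], buf[64];
    int rc = -1, fd;
    ssize_t n;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof(path), "%s/kdc5.keyfile", dir);
    if (safe_replace_file(path, v1, sizeof(v1) - 1, 0600) != 0)
        goto out;
    if (safe_replace_file(path, v2, sizeof(v2) - 1, 0600) != 0)
        goto out;
    if ((fd = open(path, O_RDONLY)) < 0)
        goto out;
    n = read(fd, buf, sizeof(buf) - 1);
    close(fd);
    if (n != (ssize_t)(sizeof(v2) - 1) || memcmp(buf, v2, (size_t)n) != 0)
        goto out;
    rc = 0;
out:
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = safe_replace_demo();
    printf("safe_replace_demo: %s\n", rc == 0 ? "ok" : strerror(errno));
    return rc == 0 ? 0 : 1;
}
```

mktemp() only produces a name; between generating it and the later open() another process can create or symlink that name, which is what the linker warning in #6414 is about. mkstemp() creates and opens the file with O_EXCL in one step, and kprop can build its "FILE:" ccache name from the returned path. For the keyfile case in #6409 the directory fsync is the step most often forgotten: without it the rename may not survive a crash even when the file's data did, which is exactly how the old entries could disappear.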
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Fri, 13 Mar 2009 03:27:33 +0000 (UTC)
Subject: [krbdev.mit.edu #6416] kinit and krb5_get_init_creds_password discard error message state

There is a lot of code behind krb5_get_init_creds (and significantly more with FAST) that calls krb5_set_error_message. Unfortunately, this interacts badly with the use_master loop in routines like krb5_get_init_creds_password, particularly if no master KDC is available. What ends up happening is that the error message is overwritten indicating what KDC cannot be contacted. The code correctly returns the original error code but does not restore the error state.

--Sam


From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Fri, 13 Mar 2009 21:16:16 +0000 (UTC)
Subject: [krbdev.mit.edu #6417] SVN Commit

acc_ctx_new() can return an error condition without establishing a SPNEGO context structure. This can cause a null pointer dereference in cleanup code in spnego_gss_accept_sec_context().

http://src.mit.edu/fisheye/changelog/krb5/?cs=22084

Commit By: tlyu
Revision: 22084

Changed Files:
U trunk/src/lib/gssapi/spnego/spnego_mech.c


From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Fri, 13 Mar 2009 21:21:31 +0000 (UTC)
Subject: [krbdev.mit.edu #6402] CVE-2009-0845 SPNEGO can dereference a null point

Committed fix. Please test and review. I accidentally created a new ticket instead of updating the existing one, but they are now merged.

From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Sat, 14 Mar 2009 05:46:20 +0000 (UTC)
Subject: [krbdev.mit.edu #6418] SVN Commit

Use dc=example,dc=com as the example base DN instead of more archaic forms. Provide a little more cross-referencing of concepts and mechanisms. Add additional steps in the OpenLDAP setup instructions for choosing DNs for the Kerberos container, KDC service, and kadmin service. Explain a little bit about what the Kerberos container and realm container are. Be clearer that using separate subtrees from the realm container for principals is an option, not a necessity, and don't use the base DN as an example of a separate subtree (it's confusing).

http://src.mit.edu/fisheye/changelog/krb5/?cs=22088

Commit By: ghudson
Revision: 22088

Changed Files:
U trunk/doc/admin.texinfo


From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Sun, 15 Mar 2009 04:15:17 +0000 (UTC)
Subject: [krbdev.mit.edu #6419] SVN Commit

Add a few paragraphs to the LDAP instructions on creating aliases through direct manipulation of the LDAP data, and briefly explain when aliases will be used.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22089

Commit By: ghudson
Revision: 22089

Changed Files:
U trunk/doc/admin.texinfo

From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Sun, 15 Mar 2009 04:21:13 +0000 (UTC)
Subject: [krbdev.mit.edu #6420] SVN Commit

Add a krbCanonicalName attribute to the schema. When looking up a principal, if the canonical name is set and does not match the requested name, then return the entry only if canonicalization was requested, and use the entry's canonical name.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22090

Commit By: ghudson
Revision: 22090

Changed Files:
U trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
U trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c


From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Mon, 16 Mar 2009 16:27:27 +0000 (UTC)
Subject: [krbdev.mit.edu #6421] Implement XKRB-FX-CF2

Implement a function to combine two keys from draft-ietf-krb-wg-preauth-framework.


From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Mon, 16 Mar 2009 16:28:31 +0000 (UTC)
Subject: [krbdev.mit.edu #6422] Implement krb5int_find_authdata

The FAST project proposes a utility function to find an authorization data item in a ticket, authenticator or in an ad-if-relevant container. Implement this utility as an exported API.


From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Mon, 16 Mar 2009 16:50:01 +0000 (UTC)
Subject: [krbdev.mit.edu #6423] SVN Commit

If the input auth_con is NULL, return success.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22092

Commit By: hartmans
Revision: 22092

Changed Files:
U trunk/src/lib/krb5/krb/auth_con.c

From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Mon, 16 Mar 2009 16:50:05 +0000 (UTC)
Subject: [krbdev.mit.edu #6424] SVN Commit

In order for the kdb keytab to be used from within the KDC, the KDC needs to set the master key list in the context.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22093

Commit By: hartmans
Revision: 22093

Changed Files:
U trunk/src/kdc/kdc_util.c
U trunk/src/kdc/main.c


From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Mon, 16 Mar 2009 16:50:11 +0000 (UTC)
Subject: [krbdev.mit.edu #6421] SVN Commit

Draft-ietf-krb-wg-preauth-framework defines a function KRB-FX-CF2 that combines two keys of arbitrary enctype. Implement this function as an exported API.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22094

Commit By: hartmans
Revision: 22094

Changed Files:
U trunk/src/include/krb5/krb5.hin
U trunk/src/lib/crypto/Makefile.in
A trunk/src/lib/crypto/cf2.c
U trunk/src/lib/crypto/etypes.h
U trunk/src/lib/crypto/libk5crypto.exports


From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Mon, 16 Mar 2009 16:50:24 +0000 (UTC)
Subject: [krbdev.mit.edu #6421] SVN Commit

Implement test cases for CF2

Implement a simple program to call KRB-FX-CF2 and print the resulting keys. Add to regression tests. Also, use the PRF testing application to confirm that CF2 generates consistent keys if called by hand.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22095

Commit By: hartmans
Revision: 22095

Changed Files:
U trunk/src/lib/crypto/Makefile.in
A trunk/src/lib/crypto/t_cf2.c
A trunk/src/lib/crypto/t_cf2.comments
A trunk/src/lib/crypto/t_cf2.expected
A trunk/src/lib/crypto/t_cf2.in
A trunk/src/lib/crypto/t_prf.comments
A trunk/src/lib/crypto/t_prf.expected
A trunk/src/lib/crypto/t_prf.in

From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Mon, 16 Mar 2009 16:50:27 +0000 (UTC)
Subject: [krbdev.mit.edu #6422] SVN Commit

Implement a function to find all instances of a particular ad_type in ticket or authenticator authdata.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22096

Commit By: hartmans
Revision: 22096

Changed Files:
U trunk/src/lib/krb5/krb/copy_auth.c


From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Mon, 16 Mar 2009 16:50:31 +0000 (UTC)
Subject: [krbdev.mit.edu #6422] SVN Commit

Implement tests for authdata functions

Implement some test cases for krb5_merge_authdata and krb5int_find_authdata

http://src.mit.edu/fisheye/changelog/krb5/?cs=22097

Commit By: hartmans
Revision: 22097

Changed Files:
U trunk/src/include/k5-int.h
U trunk/src/lib/krb5/krb/Makefile.in
A trunk/src/lib/krb5/krb/t_authdata.c


From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 16 Mar 2009 17:58:54 +0000 (UTC)
Subject: [krbdev.mit.edu #6402] SVN Commit

pull up r22084 from trunk

acc_ctx_new() can return an error condition without establishing a SPNEGO context structure. This can cause a null pointer dereference in cleanup code in spnego_gss_accept_sec_context().

http://src.mit.edu/fisheye/changelog/krb5/?cs=22099

Commit By: tlyu
Revision: 22099

Changed Files:
U branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c

From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Tue, 17 Mar 2009 03:27:54 +0000 (UTC)
Subject: [krbdev.mit.edu #6425] Memory leak cleanup in ASN.1

The following five commits to the trunk were involved in cleaning up a slew of memory leaks in the ASN.1 code:

r22004 (krb5_decode memory leaks)
r21981 (utility function fixes)
r21940 (krb5_decode restructuring)
r21928 (krb5_encode memory leaks)
r21927 (don't free caller memory in asn1_k_encode)


From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 17 Mar 2009 21:34:15 +0000 (UTC)
Subject: [krbdev.mit.edu #6426] SVN Commit

pull up r22084 from trunk

acc_ctx_new() can return an error condition without establishing a SPNEGO context structure. This can cause a null pointer dereference in cleanup code in spnego_gss_accept_sec_context().

http://src.mit.edu/fisheye/changelog/krb5/?cs=22104

Commit By: tlyu
Revision: 22104

Changed Files:
U branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c


From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Tue, 17 Mar 2009 21:54:53 +0000 (UTC)
Subject: [krbdev.mit.edu #6427] SVN Commit

In asn1_k_decode.c, check the return value of end_sequence_of_no_tagvars_helper.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22107

Commit By: ghudson
Revision: 22107

Changed Files:
U trunk/src/lib/krb5/asn.1/asn1_k_decode.c

From: rt-comment at krbdev.mit.edu (The RT System itself via RT)
Date: Wed, 18 Mar 2009 18:26:58 +0000 (UTC)
Subject: [krbdev.mit.edu #6428] KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP
In-Reply-To:
Message-ID:

From krb5-bugs-incoming-bounces at PCH.mit.edu Wed Mar 18 18:26:57 2009
Date: Wed, 18 Mar 2009 12:07:42 -0400
Message-Id: <200903181607.n2IG7gwA017670 at smallbus.aset.psu.edu>
To: krb5-bugs at mit.edu
Subject: KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP
From: pgp at psu.edu
Reply-To: pgp at psu.edu

>Submitter-Id: net
>Originator: Phil Pishioneri
>Organization: Penn State University, ITS
>Confidential: no
>Synopsis: KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP
>Severity: non-critical
>Priority: medium
>Category: krb5-kdc
>Class: sw-bug
>Release: krb5-current
>Environment:
System: AIX smallbus 3 5 000F48BD4C00
>Description:
In kdc/kdc_util.c, there are two checks for password (key) expiration and account expiration. In each case, the code (and error return) for key expiration is done before the check for account expiration. However, it seems that account expiration is more significant than key expiration, and should be checked for, and returned first.
>How-To-Repeat:
Create an account, expire both the password and account. Attempt to "kinit" to the account: KDC_ERR_KEY_EXP ("CLIENT KEY EXPIRED") will be returned instead of KDC_ERR_NAME_EXP ("CLIENT EXPIRED").
>Fix:
In the two areas of code (search for "KDC_ERR_NAME_EXP" to find them), move the check for KDC_ERR_NAME_EXP to be before the check for KDC_ERR_KEY_EXP. A diff can be provided if that would help to clarify the change.

From rt-comment at krbdev.mit.edu Thu Mar 19 17:41:50 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Thu, 19 Mar 2009 21:41:50 +0000 (UTC)
Subject: [krbdev.mit.edu #6429] KDC prefers built-in preauth to plugins
In-Reply-To:
Message-ID:

By default, the client respects KDC preauth order within certain bounds. However, the client will only use one "real" preauth mechanism. However, the KDC prefers built-in pre-authentication mechanisms to plugin mechanisms. This basically means that without heroic efforts, you end up stuck with encrypted timestamp no matter what.

There is some logic to prefer mechanisms like pkinit that replace keys to all other mechanisms. I think something like this is needed, although I'm dubious about the specific decision. It seems like you might want to prefer mechanisms that require per-user/per-realm configuration to mechanisms that do not. Basically, if the mechanism's get_edata_proc might sometimes return "not me", then allow it to do so.

From rt-comment at krbdev.mit.edu Thu Mar 19 17:48:29 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Thu, 19 Mar 2009 21:48:29 +0000 (UTC)
Subject: [krbdev.mit.edu #6430] If we fail to generate preauth, don't loop
In-Reply-To:
Message-ID:

If krb5_do_preauth is called in response to a PREAUTH_REQUIRED error, and fails to actually produce pre-authentication data, then don't try again. The current (1.7) code tends to try again and again and eventually give you a too many loops error. This is made worse by treating PREAUTH_FAILED like PREAUTH_REQUIRED as recommended by the preauth framework. (The recommendation still seems sound, but the client should avoid looping.)

From rt-comment at krbdev.mit.edu Fri Mar 20 14:09:21 2009
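The retry behaviour ticket #6430 describes, as an added example and not libkrb5 code: a stand-in for the krb5_get_init_creds loop with a flag that switches between the 1.7 behaviour (retry until the loop cap) and the proposed one (stop as soon as the preauth step produces nothing). The reply codes, outcomes, MAX_LOOPS and the mechanism/KDC callbacks are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the KDC reply codes and client outcomes. */
enum kdc_reply { REPLY_OK, REPLY_PREAUTH_REQUIRED, REPLY_PREAUTH_FAILED, REPLY_OTHER };
enum outcome { OUT_SUCCESS, OUT_NO_PREAUTH_DATA, OUT_TOO_MANY_LOOPS, OUT_ERROR };
#define MAX_LOOPS 6 /* hypothetical cap standing in for libkrb5's loop limit */

typedef bool (*preauth_fn)(size_t *padata_len);   /* true iff it produced padata */
typedef enum kdc_reply (*kdc_fn)(size_t padata_len);

/* stop_when_empty=false reproduces the 1.7 behaviour the ticket describes
 * (retry until the loop cap); true is the proposed behaviour: give up as
 * soon as the krb5_do_preauth stand-in produces no pre-authentication data. */
enum outcome get_init_creds(preauth_fn do_preauth, kdc_fn send_as_req,
                            bool stop_when_empty, int *loops_out)
{
    size_t padata_len = 0;
    int loops = 0;
    for (;;) {
        if (++loops > MAX_LOOPS) { *loops_out = MAX_LOOPS; return OUT_TOO_MANY_LOOPS; }
        *loops_out = loops;
        enum kdc_reply r = send_as_req(padata_len);
        if (r == REPLY_OK)
            return OUT_SUCCESS;
        if (r != REPLY_PREAUTH_REQUIRED && r != REPLY_PREAUTH_FAILED)
            return OUT_ERROR;
        /* PREAUTH_FAILED is handled like PREAUTH_REQUIRED, as the framework
         * recommends; what must not happen is retrying with nothing new. */
        if (!do_preauth(&padata_len) && stop_when_empty)
            return OUT_NO_PREAUTH_DATA;
    }
}

/* Constructed mechanisms and KDCs for demonstration, not real ones. */
bool preauth_never(size_t *len) { (void)len; return false; }
bool preauth_timestamp(size_t *len) { *len = 64; return true; }
enum kdc_reply kdc_wants_padata(size_t len) { return len ? REPLY_OK : REPLY_PREAUTH_REQUIRED; }
enum kdc_reply kdc_rejects_all(size_t len) { return len ? REPLY_PREAUTH_FAILED : REPLY_PREAUTH_REQUIRED; }

int main(void)
{
    int n;
    enum outcome o = get_init_creds(preauth_never, kdc_wants_padata, true, &n);
    printf("outcome %d after %d loop(s)\n", o, n); /* 1 (no preauth data) after 1 */
    return 0;
}
```

With stop_when_empty set to false the same mechanism/KDC pair runs into the loop cap, which is the "too many loops" symptom the ticket reports.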
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Fri, 20 Mar 2009 18:09:21 +0000 (UTC)
Subject: [krbdev.mit.edu #6431] SVN Commit
In-Reply-To:
Message-ID:

Add disclaimers to the kadmin and kdb headers about the weaker stability commitments we make for their APIs, and install them for the benefit of users who can tolerate such instability. (The kadmin interface is the real goal here, but the kadmin header includes kdb.h so we need to install both.)

http://src.mit.edu/fisheye/changelog/krb5/?cs=22112
Commit By: ghudson
Revision: 22112
Changed Files:
U trunk/src/config/pre.in
U trunk/src/include/Makefile.in
U trunk/src/include/kdb.h
U trunk/src/lib/kadm5/Makefile.in
U trunk/src/lib/kadm5/admin.h

From rt-comment at krbdev.mit.edu Wed Mar 25 17:13:00 2009
From: rt-comment at krbdev.mit.edu (william.fiveash@sun.com via RT)
Date: Wed, 25 Mar 2009 21:13:00 +0000 (UTC)
Subject: [krbdev.mit.edu #6432] SVN Commit
In-Reply-To:
Message-ID:

Updated the kdb5_util command man page to include documentation on new subcommands added as a result of the Master Key Migration project.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22114
Commit By: wfiveash
Revision: 22114
Changed Files:
U trunk/src/kadmin/dbutil/kdb5_util.M

From rt-comment at krbdev.mit.edu Wed Mar 25 23:45:24 2009
From: rt-comment at krbdev.mit.edu (Jeffrey Altman via RT)
Date: Thu, 26 Mar 2009 03:45:24 +0000 (UTC)
Subject: [krbdev.mit.edu #6433] Ticket 5995 (r20586) broke ticket acquisition on Microsoft Windows
In-Reply-To:
Message-ID:

Ticket 5995 (r20586) lib/krb5/os/sendto_kdc.c was designed to prevent socket fd values larger than FD_SETSIZE from being accepted because in gssapi there are arrays of size FD_SETSIZE that track fd connection state. Unfortunately, this commit made two errors:

1. It fails to take into account that on Windows, a SOCKET is a form of HANDLE and it is not an integer value ranging from 0 to FD_SETSIZE-1. In fact, on Windows, an FD_SET is of arbitrary size and the number of file descriptors parameter in select() calls is simply ignored.

2. Since SOCKETs are not run time library file descriptors, closesocket() must be used to close the socket and not close().

As a result of the first error, all sockets that are allocated are larger than FD_SETSIZE and are immediately closed. It is therefore impossible to communicate with a KDC. As a result of the second error, memory is corrupted and random crashes will occur upon process exit.

A proposed patch:

Index: os/sendto_kdc.c =================================================================== --- os/sendto_kdc.c (revision 22114) +++ os/sendto_kdc.c (working copy) @@ -654,12 +654,17 @@ dprint("socket: %m creating with af %d\n", state->err, ai->ai_family); return -1; /* try other hosts */ } - if (fd >= FD_SETSIZE) { - close(fd); +#ifndef _WIN32 + /* Windows sockets are handles, not sequential ints. + * FD_SETSIZE is meaningless on Windows. + */ + if (fd >= FD_SETSIZE) { + closesocket(fd); state->err = EMFILE; dprint("socket: fd %d too high\n", fd); return -1; } +#endif /* _WIN32 */ /* Make it non-blocking. */ if (ai->ai_socktype == SOCK_STREAM) { static const int one = 1;

Please pullup to 1.6 branch when applied.

Jeffrey Altman

From rt-comment at krbdev.mit.edu Wed Mar 25 23:48:22 2009
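Review bot: the `#ifndef _WIN32` wrapper removes the fd bound on Windows entirely, yet the ticket's own rationale for r20586 is that gssapi keeps arrays of size FD_SETSIZE indexed by fd; if any of that indexing is compiled on Windows, a SOCKET handle above FD_SETSIZE now reaches it unchecked, so the patch should state (or the committer confirm) that those arrays are not used on the Windows build. Separately, `+ closesocket(fd);` now sits inside the non-Windows branch, so it compiles on Unix only if the tree's socket portability header, which maps closesocket() to close() there, is in scope in sendto_kdc.c; if it is not, keep close(fd) in this branch and use closesocket() only where _WIN32 is defined.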
From: rt-comment at krbdev.mit.edu (Jeffrey Altman via RT)
Date: Thu, 26 Mar 2009 03:48:22 +0000 (UTC)
Subject: [krbdev.mit.edu #6434] krb5_cc_resolve() will crash if a null name param is provided
In-Reply-To:
Message-ID:

Proposed fix:

Index: ccache/ccbase.c =================================================================== --- ccache/ccbase.c (revision 22114) +++ ccache/ccbase.c (working copy) @@ -181,7 +181,7 @@ const krb5_cc_ops *ops; pfx = NULL; - cp = strchr (name, ':'); + cp = name ? strchr (name, ':') : NULL; if (!cp) { if (krb5_cc_dfl_ops) return (*krb5_cc_dfl_ops->resolve)(context, cache, name);

From rt-comment at krbdev.mit.edu Fri Mar 27 13:23:57 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Fri, 27 Mar 2009 17:23:57 +0000 (UTC)
Subject: [krbdev.mit.edu #6434] krb5_cc_resolve() will crash if a null name param is provided
In-Reply-To:
Message-ID:

A null check was added in r20560 (July 2008) and should be present in the 1.7 release.

From rt-comment at krbdev.mit.edu Sun Mar 29 22:43:53 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Mon, 30 Mar 2009 02:43:53 +0000 (UTC)
Subject: [krbdev.mit.edu #6435] SVN Commit
In-Reply-To:
Message-ID:

From Heimdal, ported by Luke, further modified by me.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22147
Commit By: ghudson
Revision: 22147
Changed Files:
U trunk/README
U trunk/src/lib/krb5/krb/Makefile.in
U trunk/src/lib/krb5/krb/deps
A trunk/src/lib/krb5/krb/t_pac.c
A trunk/src/lib/krb5/krb/t_princ.c

From rt-comment at krbdev.mit.edu Tue Mar 31 12:50:27 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Tue, 31 Mar 2009 16:50:27 +0000 (UTC)
Subject: [krbdev.mit.edu #6393] SVN Commit
In-Reply-To:
Message-ID:

in send_tgs.c: Encrypt using local_subkey not *subkey

http://src.mit.edu/fisheye/changelog/krb5/?cs=22148
Commit By: hartmans
Revision: 22148
Changed Files:
U trunk/src/lib/krb5/krb/send_tgs.c

From rt-comment at krbdev.mit.edu Tue Mar 31 13:00:44 2009
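Review bot: `+ cp = name ? strchr (name, ':') : NULL;` avoids the strchr crash but then falls into `if (!cp)` and hands the same NULL name to `(*krb5_cc_dfl_ops->resolve)(context, cache, name)`, so the dereference is moved into the default ccache type's resolve routine instead of being rejected at the public entry point. Returning an error such as EINVAL when name is NULL, before the prefix scan, would fail cleanly for every ccache type; and since Greg's follow-up says a null check already landed in r20560, this hunk should be reconciled with that check rather than adding a second one.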
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Tue, 31 Mar 2009 17:00:44 +0000 (UTC)
Subject: [krbdev.mit.edu #6436] SVN Commit
In-Reply-To:
Message-ID:

Merge fast branch at 22146 onto trunk

Implement the kerberos pre-authentication framework FAST feature per Projects/FAST on the wiki.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22149
Commit By: hartmans
Revision: 22149
Changed Files:
U trunk/src/Makefile.in
U trunk/src/configure.in
U trunk/src/include/k5-int-pkinit.h
U trunk/src/include/k5-int.h
U trunk/src/include/krb5/krb5.hin
U trunk/src/include/krb5/preauth_plugin.h
U trunk/src/kdc/Makefile.in
U trunk/src/kdc/dispatch.c
U trunk/src/kdc/do_as_req.c
U trunk/src/kdc/do_tgs_req.c
A trunk/src/kdc/fast_util.c
U trunk/src/kdc/kdc_preauth.c
U trunk/src/kdc/kdc_util.c
U trunk/src/kdc/kdc_util.h
U trunk/src/lib/krb5/asn.1/asn1_k_decode.c
U trunk/src/lib/krb5/asn.1/asn1_k_decode.h
U trunk/src/lib/krb5/asn.1/asn1_k_encode.c
U trunk/src/lib/krb5/asn.1/krb5_decode.c
U trunk/src/lib/krb5/error_tables/krb5_err.et
U trunk/src/lib/krb5/error_tables/kv5m_err.et
U trunk/src/lib/krb5/krb/Makefile.in
A trunk/src/lib/krb5/krb/fast.c
A trunk/src/lib/krb5/krb/fast.h
U trunk/src/lib/krb5/krb/get_in_tkt.c
U trunk/src/lib/krb5/krb/gic_opt.c
U trunk/src/lib/krb5/krb/kfree.c
U trunk/src/lib/krb5/krb/preauth2.c
U trunk/src/lib/krb5/libkrb5.exports
U trunk/src/lib/krb5/os/accessor.c
A trunk/src/plugins/preauth/encrypted_challenge/
A trunk/src/plugins/preauth/encrypted_challenge/Makefile.in
A trunk/src/plugins/preauth/encrypted_challenge/deps
A trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports
A trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c
A trunk/src/plugins/preauth/fast_factor.h

From rt-comment at krbdev.mit.edu Tue Mar 31 18:36:00 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Tue, 31 Mar 2009 22:36:00 +0000 (UTC)
Subject: [krbdev.mit.edu #6436] SVN Commit
In-Reply-To:
Message-ID:

Initialize request state in the TGS path.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22151
Commit By: hartmans
Revision: 22151
Changed Files:
U trunk/src/kdc/do_tgs_req.c

From rt-comment at krbdev.mit.edu Tue Mar 31 18:36:04 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Tue, 31 Mar 2009 22:36:04 +0000 (UTC)
Subject: [krbdev.mit.edu #6437] SVN Commit
In-Reply-To:
Message-ID:

Set the weak enctype flag on the 40-bit RC4.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22152
Commit By: hartmans
Revision: 22152
Changed Files:
U trunk/src/lib/crypto/etypes.c

From rt-comment at krbdev.mit.edu Tue Mar 31 19:51:50 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 31 Mar 2009 23:51:50 +0000 (UTC)
Subject: [krbdev.mit.edu #6436] SVN Commit
In-Reply-To:
Message-ID:

Make FAST changes build when pkinit is disabled.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22153
Commit By: tlyu
Revision: 22153
Changed Files:
U trunk/src/lib/krb5/asn.1/asn1_k_decode.c
U trunk/src/lib/krb5/asn.1/asn1_k_encode.c
U trunk/src/lib/krb5/asn.1/krb5_decode.c
U trunk/src/lib/krb5/asn.1/krb5_encode.c