From rt-comment at krbdev.mit.edu Tue May 5 12:30:20 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Tue, 5 May 2009 16:30:20 +0000 (UTC)
Subject: [krbdev.mit.edu #6401] SVN Commit
In-Reply-To:
Message-ID:

In krb5_get_in_tkt, free the whole encoded request (since the
structure was allocated by encode_krb5_as_req), not just the contents.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22310
Commit By: ghudson
Revision: 22310
Changed Files:
U trunk/src/lib/krb5/krb/get_in_tkt.c

From rt-comment at krbdev.mit.edu Wed May 6 14:52:45 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed, 6 May 2009 18:52:45 +0000 (UTC)
Subject: [krbdev.mit.edu #6210] SVN Commit
In-Reply-To:
Message-ID:

In pa_sam, use the correct function to free sam_challenge in the
success path.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22319
Commit By: ghudson
Revision: 22319
Changed Files:
U trunk/src/lib/krb5/krb/preauth2.c

From rt-comment at krbdev.mit.edu Thu May 7 15:51:47 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Thu, 7 May 2009 19:51:47 +0000 (UTC)
Subject: [krbdev.mit.edu #6482] SVN Commit
In-Reply-To:
Message-ID:

Remove the arbitrary limit of 10 past keys in policies. We were not
taking advantage of that limit in any other code.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22323
Commit By: ghudson
Revision: 22323
Changed Files:
U trunk/src/lib/kadm5/srv/svr_policy.c
U trunk/src/lib/kadm5/unit-test/api.0/crte-policy.exp
U trunk/src/lib/kadm5/unit-test/api.2/crte-policy.exp

From rt-comment at krbdev.mit.edu Thu May 7 16:35:29 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Thu, 7 May 2009 20:35:29 +0000 (UTC)
Subject: [krbdev.mit.edu #6484] SVN Commit
In-Reply-To:
Message-ID:

Heimdal at least up through 1.2 incorrectly encrypts the TGS response
in the session key not the subkey when a subkey is supplied. See RFC
4120 page 35. Work around this by trying decryption using the session
key after the subkey fails.
* decode_kdc_rep.c: rename to krb5int_decode_tgs_rep; only used for
  TGS and now needs to take keyusage
* gc_via_tkt: pass in session key and appropriate usage if subkey
  fails.

Note that the dead code to process AS responses in decode_kdc_rep is
not removed by this commit. That will be removed as FAST TGS client
support is integrated post 1.7.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22325
Commit By: hartmans
Revision: 22325
Changed Files:
U trunk/src/include/k5-int.h
U trunk/src/lib/krb5/krb/decode_kdc.c
U trunk/src/lib/krb5/krb/gc_via_tkt.c
U trunk/src/lib/krb5/libkrb5.exports

From rt-comment at krbdev.mit.edu Thu May 7 16:35:20 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Thu, 7 May 2009 20:35:20 +0000 (UTC)
Subject: [krbdev.mit.edu #6483] SVN Commit
In-Reply-To:
Message-ID:

A previous ticket moved kadmin, kadmin.local, ktutil and k5srvutil man
pages to man1 from man8. This updates the section within the man page.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22324
Commit By: hartmans
Revision: 22324
Changed Files:
U trunk/src/kadmin/cli/k5srvutil.M
U trunk/src/kadmin/cli/kadmin.M
U trunk/src/kadmin/cli/kadmin.local.M
U trunk/src/kadmin/ktutil/ktutil.M

From rt-comment at krbdev.mit.edu Mon May 11 16:55:20 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 May 2009 20:55:20 +0000 (UTC)
Subject: [krbdev.mit.edu #6473] SVN Commit
In-Reply-To:
Message-ID:

pull up r22272 from trunk

------------------------------------------------------------------------
r22272 | ghudson | 2009-04-23 04:42:40 -0400 (Thu, 23 Apr 2009) | 7 lines
Changed paths:
   M /trunk/src/lib/krb5/krb/gc_via_tkt.c

ticket: 6473
tags: pullup

In krb5_get_cred_via_tkt, strip the ok-as-delegate flag from
credentials obtained using a foreign TGT, unless the TGT also has
ok-as-delegate set.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22327
Commit By: tlyu
Revision: 22327
Changed Files:
U branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c

From rt-comment at krbdev.mit.edu Mon May 11 16:55:23 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 May 2009 20:55:23 +0000 (UTC)
Subject: [krbdev.mit.edu #6475] SVN Commit
In-Reply-To:
Message-ID:

pull up r22278 from trunk

------------------------------------------------------------------------
r22278 | ghudson | 2009-04-24 15:49:54 -0400 (Fri, 24 Apr 2009) | 9 lines
Changed paths:
   M /trunk/src/lib/krb5/keytab/kt_file.c

ticket: 6475
status: open
tags: pullup
target_version: 1.7

In krb5_ktfileint_find_slot, don't continue the loop when we find a
final zero-length buffer. This is a minimal fix intended to be pulled
up to the 1.7 branch; a code cleanup commit will follow.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22328
Commit By: tlyu
Revision: 22328
Changed Files:
U branches/krb5-1-7/src/lib/krb5/keytab/kt_file.c

From rt-comment at krbdev.mit.edu Mon May 11 16:55:27 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 May 2009 20:55:27 +0000 (UTC)
Subject: [krbdev.mit.edu #6477] SVN Commit
In-Reply-To:
Message-ID:

pull up r22280 from trunk

------------------------------------------------------------------------
r22280 | raeburn | 2009-04-25 05:36:11 -0400 (Sat, 25 Apr 2009) | 9 lines
Changed paths:
   M /trunk/src/lib/kadm5/admin.h
   M /trunk/src/tests/misc/Makefile.in
   M /trunk/src/tests/misc/deps
   A /trunk/src/tests/misc/test_cxx_kadm5.cpp

ticket: 6477
subject: make installed headers C++-safe
target_version: 1.7
tags: pullup

Now that we're installing the kadm5 headers, they should be C++-safe
like the others. Wrap the content in 'extern "C"' if compiling as
C++. New test program to verify.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22329
Commit By: tlyu
Revision: 22329
Changed Files:
U branches/krb5-1-7/src/lib/kadm5/admin.h
U branches/krb5-1-7/src/tests/misc/Makefile.in
U branches/krb5-1-7/src/tests/misc/deps
A branches/krb5-1-7/src/tests/misc/test_cxx_kadm5.cpp

From rt-comment at krbdev.mit.edu Mon May 11 16:55:30 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 May 2009 20:55:30 +0000 (UTC)
Subject: [krbdev.mit.edu #5596] SVN Commit
In-Reply-To:
Message-ID:

pull up r22281 from trunk

------------------------------------------------------------------------
r22281 | ghudson | 2009-04-27 11:42:23 -0400 (Mon, 27 Apr 2009) | 8 lines
Changed paths:
   M /trunk/src/include/kdb.h
   M /trunk/src/include/kdb_ext.h
   M /trunk/src/kadmin/cli/kadmin.M
   M /trunk/src/kadmin/cli/kadmin.c
   M /trunk/src/kdc/do_tgs_req.c
   M /trunk/src/lib/kadm5/str_conv.c

ticket: 5596

Move KRB5_KDB_OK_AS_DELEGATE from kdb_ext.h to kdb.h. Add kadmin
support for the flag. In the KDC, remove the restriction on returning
the flag on cross-realm TGTs since there is now a defined meaning for
that (it allows ok-as-delegate to be honored on the foreign realm's
service tickets).

http://src.mit.edu/fisheye/changelog/krb5/?cs=22330
Commit By: tlyu
Revision: 22330
Changed Files:
U branches/krb5-1-7/src/include/kdb.h
U branches/krb5-1-7/src/include/kdb_ext.h
U branches/krb5-1-7/src/kadmin/cli/kadmin.M
U branches/krb5-1-7/src/kadmin/cli/kadmin.c
U branches/krb5-1-7/src/kdc/do_tgs_req.c
U branches/krb5-1-7/src/lib/kadm5/str_conv.c

From rt-comment at krbdev.mit.edu Mon May 11 16:55:49 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 May 2009 20:55:49 +0000 (UTC)
Subject: [krbdev.mit.edu #6472] SVN Commit
In-Reply-To:
Message-ID:

pull up r22290 from trunk

------------------------------------------------------------------------
r22290 | tlyu | 2009-04-28 20:31:50 -0400 (Tue, 28 Apr 2009) | 5 lines
Changed paths:
   M /trunk/src/clients/ksu/krb_auth_su.c

ticket: 6472
target_version: 1.7
tags: pullup

Fix typo in error message reported by Marek Mahut (Red Hat).

http://src.mit.edu/fisheye/changelog/krb5/?cs=22332
Commit By: tlyu
Revision: 22332
Changed Files:
U branches/krb5-1-7/src/clients/ksu/krb_auth_su.c

From rt-comment at krbdev.mit.edu Mon May 11 16:55:46 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 May 2009 20:55:46 +0000 (UTC)
Subject: [krbdev.mit.edu #6478] SVN Commit
In-Reply-To:
Message-ID:

pull up r22283, r22288 from trunk. r22283 was not originally part of
this ticket but is a prereq for the mk_cred.c change.

------------------------------------------------------------------------
r22288 | ghudson | 2009-04-28 14:00:13 -0400 (Tue, 28 Apr 2009) | 14 lines
Changed paths:
   M /trunk/src/lib/krb5/krb/mk_cred.c
   M /trunk/src/lib/krb5/krb/mk_priv.c
   M /trunk/src/lib/krb5/krb/mk_safe.c

ticket: 6478
subject: Fix handling of RET_SEQUENCE flag in mk_priv/mk_ncred

Regularize the handling of KRB5_AUTH_CONTEXT_RET_SEQUENCE in
krb5_mk_safe, krb5_mk_priv, and krb5_mk_ncred, using krb5_mk_safe as a
baseline.
RET_SEQUENCE now implies DO_SEQUENCE for all three functions,
the sequence number is always incremented if it is used, and
outdata->seq is always set if RET_SEQUENCE is passed.

Note that in the corresponding rd_ functions, RET_SEQUENCE and
DO_SEQUENCE are independent flags, which is not consistent with the
above. This compromise is intended to preserve compatibility with any
working code which might exist using the RET_SEQUENCE flag.

------------------------------------------------------------------------
r22283 | ghudson | 2009-04-27 19:48:22 -0400 (Mon, 27 Apr 2009) | 5 lines
Changed paths:
   M /trunk/src/lib/krb5/krb/mk_cred.c

Fix a few memory leaks in krb5_mk_ncred. Also tighten up the error
handling of the sequence number, only decreasing it if it was
increased. The handling of DO_SEQUENCE and RET_SEQUENCE may still be
flawed in some cases.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22331
Commit By: tlyu
Revision: 22331
Changed Files:
U branches/krb5-1-7/src/lib/krb5/krb/mk_cred.c
U branches/krb5-1-7/src/lib/krb5/krb/mk_priv.c
U branches/krb5-1-7/src/lib/krb5/krb/mk_safe.c

From rt-comment at krbdev.mit.edu Mon May 11 16:55:52 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 May 2009 20:55:52 +0000 (UTC)
Subject: [krbdev.mit.edu #6479] SVN Commit
In-Reply-To:
Message-ID:

pull up r22291 from trunk

------------------------------------------------------------------------
r22291 | ghudson | 2009-04-29 19:21:21 -0400 (Wed, 29 Apr 2009) | 9 lines
Changed paths:
   M /trunk/src/include/k5-err.h
   M /trunk/src/include/k5-int.h
   M /trunk/src/lib/krb5/krb/kerrs.c
   M /trunk/src/lib/krb5/libkrb5.exports
   M /trunk/src/util/support/errors.c
   M /trunk/src/util/support/libkrb5support-fixed.exports

ticket: 6479
subject: Add DEBUG_ERROR_LOCATIONS support

If DEBUG_ERROR_LOCATIONS is defined, replace uses of
krb5_set_error_message and krb5int_set_error with calls to the new _fl
variants of those functions, and include filename and line number
information in the calls.
Requires C99-style variadic macros if defined.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22333
Commit By: tlyu
Revision: 22333
Changed Files:
U branches/krb5-1-7/src/include/k5-err.h
U branches/krb5-1-7/src/include/k5-int.h
U branches/krb5-1-7/src/lib/krb5/krb/kerrs.c
U branches/krb5-1-7/src/lib/krb5/libkrb5.exports
U branches/krb5-1-7/src/util/support/errors.c
U branches/krb5-1-7/src/util/support/libkrb5support-fixed.exports

From rt-comment at krbdev.mit.edu Mon May 11 16:55:55 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 May 2009 20:55:55 +0000 (UTC)
Subject: [krbdev.mit.edu #6480] SVN Commit
In-Reply-To:
Message-ID:

pull up r22292 from trunk

------------------------------------------------------------------------
r22292 | hartmans | 2009-04-29 20:38:48 -0400 (Wed, 29 Apr 2009) | 10 lines
Changed paths:
   M /trunk/src/kdc/kdc_preauth.c

ticket: 6480
Subject: Do not return PREAUTH_FAILED on unknown preauth
Target_Version: 1.7
Tags: pullup

If the KDC receives unknown pre-authentication data then ignore it.
Do not get into a case where PREAUTH_FAILED is returned because of
unknown pre-authentication. The main AS loop will cause
PREAUTH_REQUIRED to be returned if the preauth_required flag is set and
no valid preauth is found.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22334
Commit By: tlyu
Revision: 22334
Changed Files:
U branches/krb5-1-7/src/kdc/kdc_preauth.c

From rt-comment at krbdev.mit.edu Mon May 11 16:55:58 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 May 2009 20:55:58 +0000 (UTC)
Subject: [krbdev.mit.edu #5587] SVN Commit
In-Reply-To:
Message-ID:

pull up r22298 from trunk

------------------------------------------------------------------------
r22298 | hartmans | 2009-04-30 16:17:42 -0400 (Thu, 30 Apr 2009) | 10 lines
Changed paths:
   M /trunk/src/lib/crypto/des/Makefile.in
   M /trunk/src/lib/crypto/des/des_int.h
   A /trunk/src/lib/crypto/des/des_prf.c (from /trunk/src/lib/crypto/dk/dk_prf.c:22295)
   M /trunk/src/lib/crypto/etypes.c
   M /trunk/src/lib/crypto/t_cf2.comments
   M /trunk/src/lib/crypto/t_cf2.expected
   M /trunk/src/lib/crypto/t_cf2.in

ticket: 5587
Tags: pullup

Implement DES and 3DES PRF. Patch from KAMADA Ken'ichi

Currently the DES and 3DES PRF output 16-byte results. This is
consistent with RFC 3961, but we need to confirm it is consistent with
Heimdal and WG decisions. See IETF 74 minutes for some discussion of
the concern as it applies to AES and thus possibly all simplified
profile enctypes.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22335
Commit By: tlyu
Revision: 22335
Changed Files:
U branches/krb5-1-7/src/lib/crypto/des/Makefile.in
U branches/krb5-1-7/src/lib/crypto/des/des_int.h
A branches/krb5-1-7/src/lib/crypto/des/des_prf.c
U branches/krb5-1-7/src/lib/crypto/etypes.c
U branches/krb5-1-7/src/lib/crypto/t_cf2.comments
U branches/krb5-1-7/src/lib/crypto/t_cf2.expected
U branches/krb5-1-7/src/lib/crypto/t_cf2.in

From rt-comment at krbdev.mit.edu Mon May 11 16:56:01 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 May 2009 20:56:01 +0000 (UTC)
Subject: [krbdev.mit.edu #6401] SVN Commit
In-Reply-To:
Message-ID:

pull up r22310 from trunk

------------------------------------------------------------------------
r22310 | ghudson | 2009-05-05 12:30:19 -0400 (Tue, 05 May 2009) | 5 lines
Changed paths:
   M /trunk/src/lib/krb5/krb/get_in_tkt.c

ticket: 6401

In krb5_get_in_tkt, free the whole encoded request (since the
structure was allocated by encode_krb5_as_req), not just the contents.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22336
Commit By: tlyu
Revision: 22336
Changed Files:
U branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c

From rt-comment at krbdev.mit.edu Mon May 11 16:56:18 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 May 2009 20:56:18 +0000 (UTC)
Subject: [krbdev.mit.edu #6210] SVN Commit
In-Reply-To:
Message-ID:

pull up r22319 from trunk

------------------------------------------------------------------------
r22319 | ghudson | 2009-05-06 14:52:44 -0400 (Wed, 06 May 2009) | 5 lines
Changed paths:
   M /trunk/src/lib/krb5/krb/preauth2.c

ticket: 6210

In pa_sam, use the correct function to free sam_challenge in the
success path.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22337
Commit By: tlyu
Revision: 22337
Changed Files:
U branches/krb5-1-7/src/lib/krb5/krb/preauth2.c

From rt-comment at krbdev.mit.edu Mon May 11 16:56:34 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 May 2009 20:56:34 +0000 (UTC)
Subject: [krbdev.mit.edu #6482] SVN Commit
In-Reply-To:
Message-ID:

pull up r22323 from trunk

------------------------------------------------------------------------
r22323 | ghudson | 2009-05-07 15:51:46 -0400 (Thu, 07 May 2009) | 8 lines
Changed paths:
   M /trunk/src/lib/kadm5/srv/svr_policy.c
   M /trunk/src/lib/kadm5/unit-test/api.0/crte-policy.exp
   M /trunk/src/lib/kadm5/unit-test/api.2/crte-policy.exp

ticket: 6482
subject: Allow more than 10 past keys to be stored by a policy
target_version: 1.7
tags: pullup

Remove the arbitrary limit of 10 past keys in policies. We were not
taking advantage of that limit in any other code.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22338
Commit By: tlyu
Revision: 22338
Changed Files:
U branches/krb5-1-7/src/lib/kadm5/srv/svr_policy.c
U branches/krb5-1-7/src/lib/kadm5/unit-test/api.0/crte-policy.exp
U branches/krb5-1-7/src/lib/kadm5/unit-test/api.2/crte-policy.exp

From rt-comment at krbdev.mit.edu Mon May 11 16:56:51 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 May 2009 20:56:51 +0000 (UTC)
Subject: [krbdev.mit.edu #6483] SVN Commit
In-Reply-To:
Message-ID:

pull up r22324 from trunk

------------------------------------------------------------------------
r22324 | hartmans | 2009-05-07 16:35:19 -0400 (Thu, 07 May 2009) | 8 lines
Changed paths:
   M /trunk/src/kadmin/cli/k5srvutil.M
   M /trunk/src/kadmin/cli/kadmin.M
   M /trunk/src/kadmin/cli/kadmin.local.M
   M /trunk/src/kadmin/ktutil/ktutil.M

ticket: 6483
Subject: man1 in title header for man1 manpages
Target_Version: 1.7
Tags: pullup

A previous ticket moved kadmin, kadmin.local, ktutil and k5srvutil man
pages to man1 from man8.
This updates the section within the man page.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22339
Commit By: tlyu
Revision: 22339
Changed Files:
U branches/krb5-1-7/src/kadmin/cli/k5srvutil.M
U branches/krb5-1-7/src/kadmin/cli/kadmin.M
U branches/krb5-1-7/src/kadmin/cli/kadmin.local.M
U branches/krb5-1-7/src/kadmin/ktutil/ktutil.M

From rt-comment at krbdev.mit.edu Mon May 11 16:56:54 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 May 2009 20:56:54 +0000 (UTC)
Subject: [krbdev.mit.edu #6484] SVN Commit
In-Reply-To:
Message-ID:

pull up r22325 from trunk

------------------------------------------------------------------------
r22325 | hartmans | 2009-05-07 16:35:28 -0400 (Thu, 07 May 2009) | 18 lines
Changed paths:
   M /trunk/src/include/k5-int.h
   M /trunk/src/lib/krb5/krb/decode_kdc.c
   M /trunk/src/lib/krb5/krb/gc_via_tkt.c
   M /trunk/src/lib/krb5/libkrb5.exports

Subject: Try decrypting using session key if subkey fails in tgs rep handling
ticket: 6484
Tags: pullup
Target_Version: 1.7

Heimdal at least up through 1.2 incorrectly encrypts the TGS response
in the session key not the subkey when a subkey is supplied. See RFC
4120 page 35. Work around this by trying decryption using the session
key after the subkey fails.

* decode_kdc_rep.c: rename to krb5int_decode_tgs_rep; only used for
  TGS and now needs to take keyusage
* gc_via_tkt: pass in session key and appropriate usage if subkey
  fails.

Note that the dead code to process AS responses in decode_kdc_rep is
not removed by this commit. That will be removed as FAST TGS client
support is integrated post 1.7.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22340
Commit By: tlyu
Revision: 22340
Changed Files:
U branches/krb5-1-7/src/include/k5-int.h
U branches/krb5-1-7/src/lib/krb5/krb/decode_kdc.c
U branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c
U branches/krb5-1-7/src/lib/krb5/libkrb5.exports

From rt-comment at krbdev.mit.edu Mon May 11 18:11:32 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 11 May 2009 22:11:32 +0000 (UTC)
Subject: [krbdev.mit.edu #6485] SVN Commit
In-Reply-To:
Message-ID:

pull up r2293, r22304 from trunk

------------------------------------------------------------------------
r22304 | ghudson | 2009-05-03 14:47:27 -0400 (Sun, 03 May 2009) | 2 lines
Changed paths:
   M /trunk/doc/admin.texinfo

Fix formatting of ok_as_delegate documentation in admin guide.

------------------------------------------------------------------------
r22293 | ghudson | 2009-04-30 11:08:50 -0400 (Thu, 30 Apr 2009) | 2 lines
Changed paths:
   M /trunk/doc/admin.texinfo

Document ok_as_delegate in the admin guide.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22342
Commit By: tlyu
Revision: 22342
Changed Files:
U branches/krb5-1-7/doc/admin.texinfo

From rt-comment at krbdev.mit.edu Mon May 11 18:46:57 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Mon, 11 May 2009 22:46:57 +0000 (UTC)
Subject: [krbdev.mit.edu #6200] SVN Commit
In-Reply-To:
Message-ID:

In recvauth_common, convert a use of strcpy to strdup.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22343
Commit By: ghudson
Revision: 22343
Changed Files:
U trunk/src/lib/krb5/krb/recvauth.c

From rt-comment at krbdev.mit.edu Tue May 12 18:20:01 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 12 May 2009 22:20:01 +0000 (UTC)
Subject: [krbdev.mit.edu #6486] t_pac fails on SPARC Solaris
In-Reply-To:
Message-ID:

During make check:

LD_LIBRARY_PATH=`echo -L../../../lib | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH; ./t_pac
t_pac: krb5_pac_verify: Invalid argument

The test passes on x86 Linux and x86 Mac OS 10.5, I believe. I
suspect an endianness problem.

From rt-comment at krbdev.mit.edu Tue May 12 18:26:43 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 12 May 2009 22:26:43 +0000 (UTC)
Subject: [krbdev.mit.edu #6487] gss_unwrap_iov fails in stream mode
In-Reply-To:
Message-ID:

Using IOV_SHIM_EXERCISE results in segfaults in kg_unseal_stream_iov
during gss_unwrap operations. Refining the test by only using the
IOV_SHIM for gss_wrap causes no problem. One of the segfaults is from
a null pointer dereference of ctx->enc.

From rt-comment at krbdev.mit.edu Wed May 13 16:41:39 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 13 May 2009 20:41:39 +0000 (UTC)
Subject: [krbdev.mit.edu #6486] SVN Commit
In-Reply-To:
Message-ID:

In util/support/utf8_conv.c, the SWAP16 macro is invoked with an
argument that has side effects. On platforms where SWAP16 can
evaluate its argument twice (including platforms where utf8_conv.c
creates a fallback definition for the SWAP16 macro), this can cause a
read overrun by a factor of two.

Rearrange the data flow to avoid calling SWAP16 with an argument that
has side effects.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22348
Commit By: tlyu
Revision: 22348
Changed Files:
U trunk/src/util/support/utf8_conv.c

From rt-comment at krbdev.mit.edu Wed May 13 17:32:22 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Wed, 13 May 2009 21:32:22 +0000 (UTC)
Subject: [krbdev.mit.edu #6488] NFS fails to work with KRB5 1.7
In-Reply-To:
Message-ID:

I didn't make much progress on this today and may not have additional
time to work on it, so I wanted to at least open the bug.

See http://bugs.debian.org/528514

Apparently, gss_export_lucid_sec_context creates a returned context
that segfaults when accessed by rpc.gssd.

From rt-comment at krbdev.mit.edu Thu May 14 12:16:34 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Thu, 14 May 2009 16:16:34 +0000 (UTC)
Subject: [krbdev.mit.edu #6489] SVN Commit
In-Reply-To:
Message-ID:

Make krb5_ucs2 an unsigned type. Eliminate the need for distinguished
values for ucs2 and ucs4 characters by changing the API of the
single-character conversion routines.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22350
Commit By: ghudson
Revision: 22350
Changed Files:
U trunk/src/include/k5-utf8.h
U trunk/src/lib/krb5/unicode/ucstr.c
U trunk/src/util/support/utf8.c

From rt-comment at krbdev.mit.edu Thu May 14 12:50:53 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Thu, 14 May 2009 16:50:53 +0000 (UTC)
Subject: [krbdev.mit.edu #6488] SVN Commit
In-Reply-To:
Message-ID:

gss_krb5int_export_lucid_sec_context was erroneously copying the first
sizeof(void *) bytes of the context into data_set, instead of the
pointer to the context.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22351
Commit By: ghudson
Revision: 22351
Changed Files:
U trunk/src/lib/gssapi/krb5/lucid_context.c

From rt-comment at krbdev.mit.edu Thu May 14 12:52:09 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Thu, 14 May 2009 16:52:09 +0000 (UTC)
Subject: [krbdev.mit.edu #6488] NFS fails to work with KRB5 1.7
In-Reply-To:
Message-ID:

I'm leaving this issue open until we hear back from the reporter of
the Debian bug, since I haven't tested the fix.

From rt-comment at krbdev.mit.edu Thu May 14 17:04:58 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Thu, 14 May 2009 21:04:58 +0000 (UTC)
Subject: [krbdev.mit.edu #6487] SVN Commit
In-Reply-To:
Message-ID:

Add IOV_SHIM_EXERCISE_WRAP and IOV_SHIM_EXERCISE_UNWRAP conditionals
to allow finer-grained testing.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22352
Commit By: tlyu
Revision: 22352
Changed Files:
U trunk/src/lib/gssapi/krb5/gssapi_krb5.c

From rt-comment at krbdev.mit.edu Fri May 15 15:57:27 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Fri, 15 May 2009 19:57:27 +0000 (UTC)
Subject: [krbdev.mit.edu #6488] NFS fails to work with KRB5 1.7
In-Reply-To:
Message-ID:

Also, there is an additional issue reported in that Debian bug
having to do with "unsupported algorithm 1". This looks like it is
due to the kernel supporting only des-cbc-raw. It could be that the
subkey setup that occurs in the context no longer smashes the enctype
of the keyblock, but we need to investigate further.

From rt-comment at krbdev.mit.edu Mon May 18 09:03:44 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Mon, 18 May 2009 13:03:44 +0000 (UTC)
Subject: [krbdev.mit.edu #6490] [Russ Allbery] Bug#528729: libkrb5-3: cannot obtain cross-realm tickets with Windows 2003 AD
In-Reply-To:
Message-ID:

There seems to be a problem with multi-hop cross-realm involving AD.

From rt-comment at krbdev.mit.edu Mon May 18 15:08:49 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Mon, 18 May 2009 19:08:49 +0000 (UTC)
Subject: [krbdev.mit.edu #6488] SVN Commit
In-Reply-To:
Message-ID:

Copy the sequence key rather than the subkey for lucid contexts in RFC
1964 mode, so that we map to raw des enctypes rather than say
des-cbc-crc.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22354
Commit By: hartmans
Revision: 22354
Changed Files:
U trunk/src/lib/gssapi/krb5/lucid_context.c

From rt-comment at krbdev.mit.edu Mon May 18 16:44:54 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Mon, 18 May 2009 20:44:54 +0000 (UTC)
Subject: [krbdev.mit.edu #6490] [Russ Allbery] Bug#528729: libkrb5-3: cannot obtain cross-realm tickets with Windows 2003 AD
In-Reply-To:
Message-ID:

Findings so far, if I'm interpreting this all correctly:

1. It's probably a bug in the TGS path with rc4 keys against AD, not an
   issue retrieving or storing the cross TGTs.

2. The immediate problem arises from using a keyed checksum in the TGS
   request. Something about the way we are doing that causes AD to fail
   the integrity check.

3. If we go back to using an unkeyed checksum (as we did in 1.6), we run
   into a second problem: we get a reply back from AD that we can't
   decrypt, even with the workaround of r22325. That problem dates back
   to when we started using subkeys in TGS requests.

Sam can now reproduce at least the immediate problem against
WIN.MIT.EDU.

From rt-comment at krbdev.mit.edu Mon May 18 19:28:54 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Mon, 18 May 2009 23:28:54 +0000 (UTC)
Subject: [krbdev.mit.edu #6490] SVN Commit
In-Reply-To:
Message-ID:

In practice, key usage 9 requires no translation.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22355
Commit By: hartmans
Revision: 22355
Changed Files:
U trunk/src/lib/crypto/arcfour/arcfour.c

From rt-comment at krbdev.mit.edu Mon May 18 21:32:37 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Tue, 19 May 2009 01:32:37 +0000 (UTC)
Subject: [krbdev.mit.edu #6490] [Russ Allbery] Bug#528729: libkrb5-3: cannot obtain cross-realm tickets with Windows 2003 AD
In-Reply-To:
Message-ID:

Here is what we know right now:

1. If you use a keyed checksum with RC4 keys and an authenticator subkey
in a TGS request, AD 2003 verifies the checksum using the subkey. It
turns out that RFC 4120 doesn't specify what key to use for AP-REQ
checksums, but Heimdal and MIT use the TGS session key. RFC 4757
(Microsoft's own informational RFC about RC4-HMAC) says to use the TGS
session key, so MS is in conflict with its own documentation if not with
the binding standards.

What we don't yet know for sure is whether this problem affects AES. We
need to find that out to know the appropriate scope of the fix. If the
problem affects only RC4, then the appropriate answer is probably "don't
use keyed checksums with RC4, it hurts." If the problem affects AES as
well, then it gets more involved.

2. RFC 4757 erroneously documents a key usage of 8 for a TGS-REP
encrypted part authenticated with a subkey; the value used by MS is
actually 9. Unfortunately, Heimdal and MIT both implement what is
documented. This means you can't interoperate with both {Heimdal or MIT
1.6} and AD with RC4 TGS subkeys using a single key usage value. It's
easy enough to try both when decrypting the response, however.

Sam has committed a change to switch from 8 to 9, fixing TGS RC4 subkey
interoperability with MS but breaking it with Heimdal and MIT 1.6. We
will need to amend this to try both usage values.
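
The try-both-usages decryption suggested in the message above, as an added example that is not part of the original thread or of the krb5 source: a minimal RFC 4757 RC4-HMAC (non-export) routine with a fallback from key usage 9 to 8. All function names, the key and the plaintext are constructed for illustration.

```python
"""RFC 4757 RC4-HMAC (non-export) with a TGS-REP subkey usage fallback.

Added illustration; names, key and plaintext below are constructed.
"""
import hashlib
import hmac
import os
import struct

# Usage numbers to try for a TGS-REP enc-part encrypted in a subkey:
# 9 is what AD sends, 8 is what RFC 4757 documents (Heimdal, MIT 1.6).
TGS_REP_SUBKEY_USAGES = (9, 8)


class IntegrityError(Exception):
    """Raised when the HMAC over the decrypted data does not verify."""


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key, usage, plaintext, confounder=None):
    """Return checksum || RC4(confounder || plaintext) for one usage number."""
    if confounder is None:
        confounder = os.urandom(8)
    k1 = hmac_md5(key, struct.pack("<I", usage))  # usage-specific key
    body = confounder + plaintext
    checksum = hmac_md5(k1, body)                 # K2 == K1 when not export
    k3 = hmac_md5(k1, checksum)                   # per-message RC4 key
    return checksum + rc4(k3, body)


def rc4_hmac_decrypt(key, usage, ciphertext):
    """Decrypt and verify; raise IntegrityError if the checksum is wrong."""
    if len(ciphertext) < 24:  # 16-byte checksum + 8-byte confounder
        raise IntegrityError("ciphertext too short")
    checksum, enc = ciphertext[:16], ciphertext[16:]
    k1 = hmac_md5(key, struct.pack("<I", usage))
    body = rc4(hmac_md5(k1, checksum), enc)
    if not hmac.compare_digest(hmac_md5(k1, body), checksum):
        raise IntegrityError(f"checksum mismatch for usage {usage}")
    return body[8:]  # strip the confounder


def decrypt_tgs_rep_subkey(subkey, ciphertext):
    """Return (plaintext, usage_that_verified); try 9, then fall back to 8."""
    for usage in TGS_REP_SUBKEY_USAGES:
        try:
            return rc4_hmac_decrypt(subkey, usage, ciphertext), usage
        except IntegrityError:
            continue
    raise IntegrityError("TGS-REP did not verify under usage 9 or 8")


if __name__ == "__main__":
    subkey = bytes(range(16))                # constructed 128-bit key
    enc_part = b"constructed EncTGSRepPart"  # stand-in for the DER encoding
    for sender, usage in (("usage-9 KDC", 9), ("usage-8 KDC", 8)):
        ct = rc4_hmac_encrypt(subkey, usage, enc_part)
        pt, used = decrypt_tgs_rep_subkey(subkey, ct)
        print(f"{sender}: verified with usage {used}: {pt!r}")
```

Each attempt is gated by the HMAC check, so a wrong usage number is rejected rather than yielding garbage plaintext, and a modified ciphertext fails under both values.
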

From rt-comment at krbdev.mit.edu Tue May 19 18:24:49 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 19 May 2009 22:24:49 +0000 (UTC)
Subject: [krbdev.mit.edu #6490] [Russ Allbery] Bug#528729: libkrb5-3: cannot obtain cross-realm tickets with Windows 2003 AD
In-Reply-To:
Message-ID:

"Greg Hudson via RT" writes:

> Here is what we know right now:
>
> 1. If you use a keyed checksum with RC4 keys and an authenticator subkey
> in a TGS request, AD 2003 verifies the checksum using the subkey. It
> turns out that RFC 4120 doesn't specify what key to use for AP-REQ
> checksums, but Heimdal and MIT use the TGS session key. RFC 4757
> (Microsoft's own informational RFC about RC4-HMAC) says to use the TGS
> session key, so MS is in conflict with its own documentation if not with
> the binding standards.
>
> What we don't yet know for sure is whether this problem affects AES. We
> need to find that out to know the appropriate scope of the fix. If the
> problem affects only RC4, then the appropriate answer is probably "don't
> use keyed checksums with RC4, it hurts." If the problem affects AES as
> well, then it gets more involved.

Confirmed that the keyed checksum problem does not appear on Windows
Server 2008 SP1 with AES-256 keys. Also, the RC4 keyed checksum
failure does not occur on Windows Server 2008 SP1, so I can infer that
Microsoft considered it to be a bug and fixed it on Windows Server
2008 SP1 (or maybe even before SP1).

> 2. RFC 4757 erroneously documents a key usage of 8 for a TGS-REP
> encrypted part authenticated with a subkey; the value used by MS is
> actually 9. Unfortunately, Heimdal and MIT both implement what is
> documented. This means you can't interoperate with both {Heimdal or MIT
> 1.6} and AD with RC4 TGS subkeys using a single key usage value. It's
> easy enough to try both when decrypting the response, however.
>
> Sam has committed a change to switch from 8 to 9, fixing TGS RC4 subkey
> interoperability with MS but breaking it with Heimdal and MIT 1.6. We
> will need to amend this to try both usage values.

Confirmed that Windows Server 2008 SP1 appears to use key usage 9 for
TGS-REP encrypted part with RC4. (Fails before r22355 change,
succeeds with r22355.)

From rt-comment at krbdev.mit.edu Tue May 19 19:17:51 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Tue, 19 May 2009 23:17:51 +0000 (UTC)
Subject: [krbdev.mit.edu #6490] SVN Commit
In-Reply-To:
Message-ID:

When using keyed checksum types with TGS subkeys, Microsoft AD 2003
verifies the checksum using the subkey, whereas MIT and Heimdal verify
it using the TGS session key. (RFC 4120 is actually silent on which
is correct; RFC 4757 specifies the TGS session key.) To sidestep this
interop issue, don't use keyed checksum types with RC4 keys without
explicit configuration in krb5.conf. Using keyed checksum types with
AES is fine since, experimentally, AD 2008 accepts checksums keyed with
the TGS session key.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22356
Commit By: ghudson
Revision: 22356
Changed Files:
U trunk/src/lib/krb5/krb/send_tgs.c

From rt-comment at krbdev.mit.edu Tue May 19 22:05:54 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed, 20 May 2009 02:05:54 +0000 (UTC)
Subject: [krbdev.mit.edu #6490] SVN Commit
In-Reply-To:
Message-ID:

Restore compatibility with KDCs using key usage 8 to encrypt TGS
replies in a subkey, by implementing a fallback in
krb5_arcfour_decrypt.
http://src.mit.edu/fisheye/changelog/krb5/?cs=22357
Commit By: ghudson
Revision: 22357
Changed Files:
U trunk/src/lib/crypto/arcfour/arcfour.c
U trunk/src/lib/crypto/t_encrypt.c

From rt-comment at krbdev.mit.edu Tue May 19 22:07:36 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed, 20 May 2009 02:07:36 +0000 (UTC)
Subject: [krbdev.mit.edu #6490] [Russ Allbery] Bug#528729: libkrb5-3: cannot obtain cross-realm tickets with Windows 2003 AD
In-Reply-To:
Message-ID:

Both problems tracked here should now be fixed on trunk, and soon in 1.7 beta 3.

From rt-comment at krbdev.mit.edu Wed May 20 10:29:46 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed, 20 May 2009 14:29:46 +0000 (UTC)
Subject: [krbdev.mit.edu #6490] [Russ Allbery] Bug#528729: libkrb5-3: cannot obtain cross-realm tickets with Windows 2003 AD
In-Reply-To:
Message-ID:

A correction, for posterity: RFC 4120 does actually specify the key to be used for ap-req checksums, including for TGS reqs, in the list of key usages (7.5.1), and I missed that on my reading. (It should probably also be specified in the text, but it's there.)

From rt-comment at krbdev.mit.edu Thu May 21 13:02:03 2009
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Thu, 21 May 2009 17:02:03 +0000 (UTC)
Subject: [krbdev.mit.edu #6491] Regression: pkinit causes assertion failure in 1.7 beta2
In-Reply-To:
Message-ID:

Using a set of configuration files and database that works with pkinit with the 1.6.4 beta1 KDC, I get

krb5kdc: ../../src/kdc/kdc_authdata.c:577: handle_authdata: Assertion `enc_tkt_reply->authorization_data == ((void *)0)' failed.

when I try to request a pkinit authenticated ticket with 1.7 beta2 and with the trunk.
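
Added example, not part of the archived messages and not MIT krb5 code: the ticket #6490 thread above describes decrypting an RC4 TGS-REP encrypted part under a subkey by trying key usage 9 and falling back to key usage 8. The Python below shows that logic on top of the RFC 4757 non-export RC4-HMAC construction; all function names, the key and the plaintext are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Usage tried first (what AD sends, per the thread) and the fallback
# (what RFC 4757 documents and Heimdal / MIT 1.6 implement).
TGS_REP_SUBKEY_USAGES = (9, 8)


def hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()


def rc4(key, data):
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key, usage, plaintext, confounder=None):
    """RFC 4757 non-export RC4-HMAC: checksum || RC4(K3, confounder || data)."""
    k1 = hmac_md5(key, struct.pack("<I", usage))  # usage, 4 bytes little-endian
    body = (confounder or os.urandom(8)) + plaintext
    checksum = hmac_md5(k1, body)
    return checksum + rc4(hmac_md5(k1, checksum), body)


def rc4_hmac_decrypt(key, usage, ciphertext):
    """Return the plaintext, or None if the checksum does not verify."""
    if len(ciphertext) < 24:  # 16-byte checksum + 8-byte confounder
        return None
    k1 = hmac_md5(key, struct.pack("<I", usage))
    checksum, encrypted = ciphertext[:16], ciphertext[16:]
    body = rc4(hmac_md5(k1, checksum), encrypted)
    if not hmac.compare_digest(hmac_md5(k1, body), checksum):
        return None
    return body[8:]


def decrypt_tgs_rep_subkey(subkey, ciphertext):
    """Try usage 9, then 8; return (usage, plaintext) or raise ValueError."""
    for usage in TGS_REP_SUBKEY_USAGES:
        plaintext = rc4_hmac_decrypt(subkey, usage, ciphertext)
        if plaintext is not None:
            return usage, plaintext
    raise ValueError("TGS-REP integrity check failed for key usages 9 and 8")


if __name__ == "__main__":
    subkey = bytes(range(16))                # constructed 16-byte RC4 subkey
    enc_part = b"constructed EncTGSRepPart"  # stands in for the DER encoding
    for sender_usage in (9, 8):
        blob = rc4_hmac_encrypt(subkey, sender_usage, enc_part)
        print(sender_usage, decrypt_tgs_rep_subkey(subkey, blob))
```

The fallback is reached only after the HMAC check under usage 9 fails, and each attempt still requires a valid checksum, so a modified reply is rejected under both usages.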

From rt-comment at krbdev.mit.edu Fri May 22 10:08:27 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Fri, 22 May 2009 14:08:27 +0000 (UTC)
Subject: [krbdev.mit.edu #6492] SVN Commit
In-Reply-To:
Message-ID:

In handle_authdata in the KDC, remove a spurious assertion (added in r21566 on the mskrb-integ branch) that authdata starts out empty. authdata can be legitimately added by check_padata, which precedes handle_authdata, and this happens with pkinit.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22360
Commit By: ghudson
Revision: 22360
Changed Files:
U trunk/src/kdc/kdc_authdata.c

From rt-comment at krbdev.mit.edu Fri May 22 13:33:25 2009
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Fri, 22 May 2009 17:33:25 +0000 (UTC)
Subject: [krbdev.mit.edu #6493] some fixes for 1.7
In-Reply-To:
Message-ID:

I should've opened tickets for these checkins on the trunk:

22365 - make Sun cc complain about unknown attributes (optional)
22364 - fix bug in prf test on 64-bit big-endian platforms
22363 - only use format attributes with gcc
22361 - fix minor syntax error in spnego code

--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium

From rt-comment at krbdev.mit.edu Sat May 23 16:23:45 2009
From: rt-comment at krbdev.mit.edu (dclarke@blastwave.org via RT)
Date: Sat, 23 May 2009 20:23:45 +0000 (UTC)
Subject: [krbdev.mit.edu #6494] error in configure script
In-Reply-To:
Message-ID:

in krb5-1.6.3/src I run ./configure

eventually see :

./configure: line 6255: syntax error near unexpected token `in'
./configure: line 6255: `for ac_func in'
configure: error: /bin/bash './configure' failed for plugins/preauth/pkinit

This happens with either bash or ksh on Solaris 8

--
Dennis Clarke

From rt-comment at krbdev.mit.edu Sat May 23 20:48:33 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Sun, 24 May 2009 00:48:33 +0000 (UTC)
Subject: [krbdev.mit.edu #6495] SVN Commit
In-Reply-To:
Message-ID:

The build rules for the
new t_ad_fx_armor and t_authdata test programs used $<, which is only portable for implicit rules (but is valid in gmake for all rules). Stop using $< in those rules so that "make check" works with System V make.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22368
Commit By: ghudson
Revision: 22368
Changed Files:
U trunk/src/lib/krb5/krb/Makefile.in

From rt-comment at krbdev.mit.edu Sun May 24 11:53:52 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Sun, 24 May 2009 15:53:52 +0000 (UTC)
Subject: [krbdev.mit.edu #6496] SVN Commit
In-Reply-To:
Message-ID:

In the KDC, get_preauth_hint_list had two bugs initializing the preauth array. It was allocating 21 extra entries instead of two due to a typo (harmless), and it was only zeroing up through one extra entry (harmful). Adjust the code to use calloc to avoid further disagreements of this nature.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22369
Commit By: ghudson
Revision: 22369
Changed Files:
U trunk/src/kdc/kdc_preauth.c

From rt-comment at krbdev.mit.edu Sun May 24 18:50:19 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Sun, 24 May 2009 22:50:19 +0000 (UTC)
Subject: [krbdev.mit.edu #6486] SVN Commit
In-Reply-To:
Message-ID:

pull up r22348 from trunk

------------------------------------------------------------------------
r22348 | tlyu | 2009-05-13 22:41:37 +0200 (Wed, 13 May 2009) | 13 lines

ticket: 6486
tags: pullup
target_version: 1.7

In util/support/utf8_conv.c, the SWAP16 macro is invoked with an argument that has side effects. On platforms where SWAP16 can evaluate its argument twice (including platforms where utf8_conv.c creates a fallback definition for the SWAP16 macro), this can cause a read overrun by a factor of two. Rearrange the data flow to avoid calling SWAP16 with an argument that has side effects.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22371
Commit By: tlyu
Revision: 22371
Changed Files:
U branches/krb5-1-7/src/util/support/utf8_conv.c

From rt-comment at krbdev.mit.edu Sun May 24 18:50:35 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Sun, 24 May 2009 22:50:35 +0000 (UTC)
Subject: [krbdev.mit.edu #6489] SVN Commit
In-Reply-To:
Message-ID:

pull up r22350 from trunk

------------------------------------------------------------------------
r22350 | ghudson | 2009-05-14 18:16:32 +0200 (Thu, 14 May 2009) | 9 lines

ticket: 6489
subject: UCS2 support doesn't handle upper half of BMP
tags: pullup
target_version: 1.7

Make krb5_ucs2 an unsigned type. Eliminate the need for distinguished values for ucs2 and ucs4 characters by changing the API of the single-character conversion routines.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22372
Commit By: tlyu
Revision: 22372
Changed Files:
U branches/krb5-1-7/src/include/k5-utf8.h
U branches/krb5-1-7/src/lib/krb5/unicode/ucstr.c
U branches/krb5-1-7/src/util/support/utf8.c

From rt-comment at krbdev.mit.edu Sun May 24 18:50:45 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Sun, 24 May 2009 22:50:45 +0000 (UTC)
Subject: [krbdev.mit.edu #6488] SVN Commit
In-Reply-To:
Message-ID:

pull up r22351, r22354 from trunk

------------------------------------------------------------------------
r22354 | hartmans | 2009-05-18 21:08:48 +0200 (Mon, 18 May 2009) | 8 lines

ticket: 6488
target_version: 1.7
tags: pullup

Copy the sequence key rather than the subkey for lucid contexts in RFC 1964 mode, so that we map to raw des enctypes rather than say des-cbc-crc.
------------------------------------------------------------------------
r22351 | ghudson | 2009-05-14 18:50:52 +0200 (Thu, 14 May 2009) | 9 lines

ticket: 6488
status: open
tags: pullup
target_version: 1.7

gss_krb5int_export_lucid_sec_context was erroneously copying the first sizeof(void *) bytes of the context into data_set, instead of the pointer to the context.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22373
Commit By: tlyu
Revision: 22373
Changed Files:
U branches/krb5-1-7/src/lib/gssapi/krb5/lucid_context.c

From rt-comment at krbdev.mit.edu Sun May 24 18:51:00 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Sun, 24 May 2009 22:51:00 +0000 (UTC)
Subject: [krbdev.mit.edu #6490] SVN Commit
In-Reply-To:
Message-ID:

pull up 22355, 22356, 22357 from trunk

------------------------------------------------------------------------
r22357 | ghudson | 2009-05-20 04:05:53 +0200 (Wed, 20 May 2009) | 6 lines

ticket: 6490

Restore compatibility with KDCs using key usage 8 to encrypt TGS replies in a subkey, by implementing a fallback in krb5_arcfour_decrypt.

------------------------------------------------------------------------
r22356 | ghudson | 2009-05-20 01:17:49 +0200 (Wed, 20 May 2009) | 13 lines

ticket: 6490
status: open
tags: pullup

When using keyed checksum types with TGS subkeys, Microsoft AD 2003 verifies the checksum using the subkey, whereas MIT and Heimdal verify it using the TGS session key. (RFC 4120 is actually silent on which is correct; RFC 4757 specifies the TGS session key.) To sidestep this interop issue, don't use keyed checksum types with RC4 keys without explicit configuration in krb5.conf. Using keyed checksum types with AES is fine since, experimentally, AD 2008 accepts checksums keyed with the TGS session key.

------------------------------------------------------------------------
r22355 | hartmans | 2009-05-19 01:28:53 +0200 (Tue, 19 May 2009) | 5 lines

ticket: 6490
status: open

In practice, key usage 9 requires no translation.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22374
Commit By: tlyu
Revision: 22374
Changed Files:
U branches/krb5-1-7/src/lib/crypto/arcfour/arcfour.c
U branches/krb5-1-7/src/lib/crypto/t_encrypt.c
U branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c

From rt-comment at krbdev.mit.edu Sun May 24 18:51:10 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Sun, 24 May 2009 22:51:10 +0000 (UTC)
Subject: [krbdev.mit.edu #6492] SVN Commit
In-Reply-To:
Message-ID:

pull up r22360 from trunk

------------------------------------------------------------------------
r22360 | ghudson | 2009-05-22 16:08:25 +0200 (Fri, 22 May 2009) | 10 lines

ticket: 6492
subject: Remove spurious assertion in handle_authdata
tags: pullup
target_version: 1.7

In handle_authdata in the KDC, remove a spurious assertion (added in r21566 on the mskrb-integ branch) that authdata starts out empty. authdata can be legitimately added by check_padata, which precedes handle_authdata, and this happens with pkinit.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22375
Commit By: tlyu
Revision: 22375
Changed Files:
U branches/krb5-1-7/src/kdc/kdc_authdata.c

From rt-comment at krbdev.mit.edu Sun May 24 18:51:34 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Sun, 24 May 2009 22:51:34 +0000 (UTC)
Subject: [krbdev.mit.edu #6495] SVN Commit
In-Reply-To:
Message-ID:

pull up r22368 from trunk

------------------------------------------------------------------------
r22368 | ghudson | 2009-05-24 02:48:31 +0200 (Sun, 24 May 2009) | 10 lines

ticket: 6495
subject: Fix test rules for non-gmake make versions
target_version: 1.7
tags: pullup

The build rules for the new t_ad_fx_armor and t_authdata test programs used $<, which is only portable for implicit rules (but is valid in gmake for all rules). Stop using $< in those rules so that "make check" works with System V make.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22376
Commit By: tlyu
Revision: 22376
Changed Files:
U branches/krb5-1-7/src/lib/krb5/krb/Makefile.in

From rt-comment at krbdev.mit.edu Sun May 24 18:51:44 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Sun, 24 May 2009 22:51:44 +0000 (UTC)
Subject: [krbdev.mit.edu #6496] SVN Commit
In-Reply-To:
Message-ID:

pull up r22369 from trunk

------------------------------------------------------------------------
r22369 | ghudson | 2009-05-24 17:53:51 +0200 (Sun, 24 May 2009) | 11 lines

ticket: 6496
subject: Fix vector initialization error in KDC preauth code
target_version: 1.7
tags: pullup

In the KDC, get_preauth_hint_list had two bugs initializing the preauth array. It was allocating 21 extra entries instead of two due to a typo (harmless), and it was only zeroing up through one extra entry (harmful). Adjust the code to use calloc to avoid further disagreements of this nature.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22377
Commit By: tlyu
Revision: 22377
Changed Files:
U branches/krb5-1-7/src/kdc/kdc_preauth.c

From rt-comment at krbdev.mit.edu Mon May 25 01:12:15 2009
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Mon, 25 May 2009 05:12:15 +0000 (UTC)
Subject: [krbdev.mit.edu #6497] kinit/fast usage message
In-Reply-To:
Message-ID:

On the trunk:

% ./bin/kinit -\?
./bin/kinit: illegal option -- ?
Usage: kinit [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-f | -F] [-p | -P] [-a | -A] [-C] [-E] [-v] [-R] [-k [-t keytab_file]] [-c cachename] [-S service_name]-T ticket_armor_cache [-X [=]] [principal]
options: -V verbose
-l lifetime
-s start time
-r renewable lifetime
-f forwardable
-F not forwardable
-p proxiable
-P not proxiable
-a include addresses
-A do not include addresses
-v validate
-R renew
-C canonicalize
-E client is enterprise principal name
-k use keytab
-t filename of keytab to use
-c Kerberos 5 cache name
-S service
-X [=]

The "-T ticket_armor_cache" should be in square brackets, unless it's a required option, and for consistency should be separated from the "-S service_name" option by one space. It should also be listed with a description further down.

There should also be a line break between "options:" and the "-V" description.

(Sorry, no patch handy.)

--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium

From rt-comment at krbdev.mit.edu Mon May 25 01:43:44 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 25 May 2009 05:43:44 +0000 (UTC)
Subject: [krbdev.mit.edu #6498] SVN Commit
In-Reply-To:
Message-ID:

pull up r22361 from trunk

------------------------------------------------------------------------
r22361 | raeburn | 2009-05-22 16:12:17 +0200 (Fri, 22 May 2009) | 2 lines

fix minor syntax error

http://src.mit.edu/fisheye/changelog/krb5/?cs=22378
Commit By: tlyu
Revision: 22378
Changed Files:
U branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c

From rt-comment at krbdev.mit.edu Mon May 25 01:43:56 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 25 May 2009 05:43:56 +0000 (UTC)
Subject: [krbdev.mit.edu #6499] SVN Commit
In-Reply-To:
Message-ID:

pull up r22363 from trunk

------------------------------------------------------------------------
r22363 | raeburn | 2009-05-22 19:19:37 +0200 (Fri, 22 May 2009) | 2 lines

Use printf format attribute only with gcc.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22379
Commit By: tlyu
Revision: 22379
Changed Files:
U branches/krb5-1-7/src/lib/krb5/krb/t_pac.c
U branches/krb5-1-7/src/lib/krb5/krb/t_princ.c

From rt-comment at krbdev.mit.edu Mon May 25 01:44:10 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 25 May 2009 05:44:10 +0000 (UTC)
Subject: [krbdev.mit.edu #6500] SVN Commit
In-Reply-To:
Message-ID:

pull up r22364 from trunk

------------------------------------------------------------------------
r22364 | raeburn | 2009-05-22 19:20:15 +0200 (Fri, 22 May 2009) | 2 lines

Use correct type for krb5_c_prf_length length arg.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22380
Commit By: tlyu
Revision: 22380
Changed Files:
U branches/krb5-1-7/src/lib/crypto/t_prf.c

From rt-comment at krbdev.mit.edu Mon May 25 12:40:02 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Mon, 25 May 2009 16:40:02 +0000 (UTC)
Subject: [krbdev.mit.edu #6501] SVN Commit
In-Reply-To:
Message-ID:

There are protocol issues and implementation defects surrounding the combination of FAST and PKINIT currently. To avoid impacting the 1.7 schedule and to avoid creating interoperability problems later, disable the combination until the problems are resolved.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22381
Commit By: ghudson
Revision: 22381
Changed Files:
U trunk/src/plugins/preauth/pkinit/pkinit_clnt.c
U trunk/src/plugins/preauth/pkinit/pkinit_srv.c

From rt-comment at krbdev.mit.edu Mon May 25 12:47:41 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Mon, 25 May 2009 16:47:41 +0000 (UTC)
Subject: [krbdev.mit.edu #6497] SVN Commit
In-Reply-To:
Message-ID:

Fix up kinit -T documentation.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22382
Commit By: ghudson
Revision: 22382
Changed Files:
U trunk/src/clients/kinit/kinit.M
U trunk/src/clients/kinit/kinit.c

From rt-comment at krbdev.mit.edu Tue May 26 03:58:29 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 26 May 2009 07:58:29 +0000 (UTC)
Subject: [krbdev.mit.edu #6501] SVN Commit
In-Reply-To:
Message-ID:

pull up r22381 from trunk

------------------------------------------------------------------------
r22381 | ghudson | 2009-05-25 18:40:00 +0200 (Mon, 25 May 2009) | 10 lines

ticket: 6501
subject: Temporarily disable FAST PKINIT for 1.7 release
tags: pullup
target_version: 1.7

There are protocol issues and implementation defects surrounding the combination of FAST and PKINIT currently. To avoid impacting the 1.7 schedule and to avoid creating interoperability problems later, disable the combination until the problems are resolved.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22385
Commit By: tlyu
Revision: 22385
Changed Files:
U branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_clnt.c
U branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c

From rt-comment at krbdev.mit.edu Tue May 26 03:58:53 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 26 May 2009 07:58:53 +0000 (UTC)
Subject: [krbdev.mit.edu #6497] SVN Commit
In-Reply-To:
Message-ID:

pull up r22382 from trunk

------------------------------------------------------------------------
r22382 | ghudson | 2009-05-25 18:47:40 +0200 (Mon, 25 May 2009) | 6 lines

ticket: 6497
tags: pullup
target_version: 1.7

Fix up kinit -T documentation.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22386
Commit By: tlyu
Revision: 22386
Changed Files:
U branches/krb5-1-7/src/clients/kinit/kinit.M
U branches/krb5-1-7/src/clients/kinit/kinit.c

From rt-comment at krbdev.mit.edu Tue May 26 05:15:52 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 26 May 2009 09:15:52 +0000 (UTC)
Subject: [krbdev.mit.edu #6494] error in configure script
In-Reply-To:
Message-ID:

Thanks. It's a previously known problem and will be fixed in krb5-1.6.4. (also in krb5-1.7)

http://krbdev.mit.edu/rt/Ticket/Display.html?id=5830

From rt-comment at krbdev.mit.edu Tue May 26 05:41:47 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 26 May 2009 09:41:47 +0000 (UTC)
Subject: [krbdev.mit.edu #6502] SVN Commit
In-Reply-To:
Message-ID:

------------------------------------------------------------------------
r22287 | ghudson | 2009-04-28 19:54:13 +0200 (Tue, 28 Apr 2009) | 2 lines

Fix typo.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22387
Commit By: tlyu
Revision: 22387
Changed Files:
U branches/krb5-1-7/doc/api/krb5.tex

From rt-comment at krbdev.mit.edu Tue May 26 05:41:55 2009
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 26 May 2009 09:41:55 +0000 (UTC)
Subject: [krbdev.mit.edu #6503] SVN Commit
In-Reply-To:
Message-ID:

pull up r22266 from trunk

------------------------------------------------------------------------
r22266 | ghudson | 2009-04-22 10:26:17 +0200 (Wed, 22 Apr 2009) | 4 lines

In the cross-realm setup example in the admin documentation, use "addprinc" instead of "add_princ" since the latter is not a recognized alias for add_principal.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22388
Commit By: tlyu
Revision: 22388
Changed Files:
U branches/krb5-1-7/doc/admin.texinfo

From rt-comment at krbdev.mit.edu Wed May 27 16:03:48 2009
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Wed, 27 May 2009 20:03:48 +0000 (UTC)
Subject: [krbdev.mit.edu #6505] SVN Commit
In-Reply-To:
Message-ID:

Correction to patch in r22364: "i" was used in two places, one of which required an int-sized value and the other of which required a size_t. Instead of changing the type, split the two uses into separate variables.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22392
Commit By: raeburn
Revision: 22392
Changed Files:
U trunk/src/lib/crypto/t_prf.c