From noreply at github.com Thu Jul 4 07:19:10 2013
From: noreply at github.com (GitHub)
Date: Wed, 03 Jul 2013 22:19:10 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 5dfaa0: Be friendly to krb5_generate_random_block consumer...
Message-ID: <51d505ce55008_3f17a45de412766b@hookshot-fe1-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 5dfaa0d10b8320293e85387778adcdd043dfc1fe
https://github.com/heimdal/heimdal/commit/5dfaa0d10b8320293e85387778adcdd043dfc1fe
Author: Ben Kaduk
Date: 2013-07-03 (Wed, 03 Jul 2013)

Changed paths:
M include/NTMakefile
M lib/krb5/crypto-rand.c
M windows/NTMakefile.config

Log Message:
-----------
Be friendly to krb5_generate_random_block consumers

Allow them to disable the EGD/profile access and the use of a random seed file. These facilities are not tenable when running in the kernel.

From noreply at github.com Thu Jul 11 19:29:41 2013
From: noreply at github.com (GitHub)
Date: Thu, 11 Jul 2013 10:29:41 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 403f59: better error reporting
Message-ID: <51deeb858b225_778b1131dd8821c@hookshot-fe3-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 403f599dbde8318ca95651de79df78a2473d04b1
https://github.com/heimdal/heimdal/commit/403f599dbde8318ca95651de79df78a2473d04b1
Author: Love Hornquist Astrand
Date: 2013-07-10 (Wed, 10 Jul 2013)

Changed paths:
M lib/krb5/fcache.c

Log Message:
-----------
better error reporting

Commit: 44ddd05ec119b08415b2021f3c1a17050b527dd6
https://github.com/heimdal/heimdal/commit/44ddd05ec119b08415b2021f3c1a17050b527dd6
Author: Love Hornquist Astrand
Date: 2013-07-10 (Wed, 10 Jul 2013)

Changed paths:
M lib/krb5/expand_path.c

Log Message:
-----------
honor env when not issuid

Commit: 3ad1bf2dcc186f70fbed88c7d81b581118c6e029
https://github.com/heimdal/heimdal/commit/3ad1bf2dcc186f70fbed88c7d81b581118c6e029
Author: Love Hornquist Astrand
Date: 2013-07-10 (Wed, 10 Jul 2013)

Changed paths:
M lib/roken/roken-common.h

Log Message:
-----------
provide O_NOFOLLOW if there is none

Commit: efe81b12ef6dcd23baa0103a8a49af4dcf54d588
https://github.com/heimdal/heimdal/commit/efe81b12ef6dcd23baa0103a8a49af4dcf54d588
Author: Love Hornquist Astrand
Date: 2013-07-11 (Thu, 11 Jul 2013)

Changed paths:
M kdc/kerberos5.c

Log Message:
-----------
allow the non preauth case again

Commit: 2a565482f491621fe8a906c990aa890be153a906
https://github.com/heimdal/heimdal/commit/2a565482f491621fe8a906c990aa890be153a906
Author: Love Hornquist Astrand
Date: 2013-07-11 (Thu, 11 Jul 2013)

Changed paths:
M lib/krb5/fcache.c

Log Message:
-----------
More strict fcache rules

- use O_NOFOLLOW
- be more strict not to follow symlinks
- require cache files to be owned by the user
- have sane permissions (not group/other readable)

Compare: https://github.com/heimdal/heimdal/compare/5dfaa0d10b83...2a565482f491

From noreply at github.com Thu Jul 11 21:17:59 2013
From: noreply at github.com (GitHub)
Date: Thu, 11 Jul 2013 12:17:59 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] f396f6: add [libdefaults]fcache_strict_checking to gate th...
Message-ID: <51df04e7e7c9f_36031343dd8510f6@hookshot-fe2-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: f396f665237853de32cb97065646a50301f05d2c
https://github.com/heimdal/heimdal/commit/f396f665237853de32cb97065646a50301f05d2c
Author: Love Hornquist Astrand
Date: 2013-07-11 (Thu, 11 Jul 2013)

Changed paths:
M lib/krb5/context.c
M lib/krb5/fcache.c
M lib/krb5/krb5.conf.5
M lib/krb5/krb5_locl.h
M lib/krb5/verify_krb5_conf.c

Log Message:
-----------
add [libdefaults]fcache_strict_checking to gate the strict checking, defaults to on

From noreply at github.com Fri Jul 12 17:21:01 2013
From: noreply at github.com (GitHub)
Date: Fri, 12 Jul 2013 08:21:01 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 884b00: Check owner too
Message-ID: <51e01edd2d352_27c1875dd49176@hookshot-fe1-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 884b0079385112db060750ca3aab31d3d25e837e
https://github.com/heimdal/heimdal/commit/884b0079385112db060750ca3aab31d3d25e837e
Author: Love Hornquist Astrand
Date: 2013-07-12 (Fri, 12 Jul 2013)

Changed paths:
M lib/krb5/fcache.c

Log Message:
-----------
Check owner too

From noreply at github.com Tue Jul 16 12:45:02 2013
From: noreply at github.com (GitHub)
Date: Tue, 16 Jul 2013 03:45:02 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 72e6a0: fcache: correct build errors on Windows
Message-ID: <51e5242e25314_6fef7f1d54172634@hookshot-fe2-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 72e6a0f383dd5e1e00f8d8b590885ba25740035a
https://github.com/heimdal/heimdal/commit/72e6a0f383dd5e1e00f8d8b590885ba25740035a
Author: Jeffrey Altman
Date: 2013-07-16 (Tue, 16 Jul 2013)

Changed paths:
M lib/krb5/fcache.c

Log Message:
-----------
fcache: correct build errors on Windows

Windows does not have getuid().
Change-Id: Ib92785716b056a69e42c32ec122d8a5f6f12ffbe
Signed-off-by: Love Hornquist Astrand

From noreply at github.com Tue Jul 16 13:07:18 2013
From: noreply at github.com (GitHub)
Date: Tue, 16 Jul 2013 04:07:18 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 9f979d: prefix json functions
Message-ID: <51e52966435fd_f8ff4bd48115419@hookshot-fe3-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 9f979d20d72e13bc686c6faa368096950a9340a2
https://github.com/heimdal/heimdal/commit/9f979d20d72e13bc686c6faa368096950a9340a2
Author: Love Hornquist Astrand
Date: 2013-07-16 (Tue, 16 Jul 2013)

Changed paths:
M lib/base/db.c
M lib/base/heimbase.h
M lib/base/json.c
M lib/base/version-script.map

Log Message:
-----------
prefix json functions

From noreply at github.com Tue Jul 16 14:49:48 2013
From: noreply at github.com (GitHub)
Date: Tue, 16 Jul 2013 05:49:48 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] a11688: use krb5_cc_get_lifetime
Message-ID: <51e5416cd7acf_10b2bcbd581795af@hookshot-fe3-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: a1168815ecb2f17e45aad71e15d155318ff34551
https://github.com/heimdal/heimdal/commit/a1168815ecb2f17e45aad71e15d155318ff34551
Author: Love Hornquist Astrand
Date: 2013-07-16 (Tue, 16 Jul 2013)

Changed paths:
M kuser/klist.c

Log Message:
-----------
use krb5_cc_get_lifetime

From noreply at github.com Tue Jul 16 15:31:47 2013
From: noreply at github.com (GitHub)
Date: Tue, 16 Jul 2013 06:31:47 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] d41f00: add _krb5_get_ad
Message-ID: <51e54b4387924_6da829d584636@hookshot-fe5-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: d41f005cc1c58604b73847d3ff566f6da6dfdd81
https://github.com/heimdal/heimdal/commit/d41f005cc1c58604b73847d3ff566f6da6dfdd81
Author: Love Hornquist Astrand
Date: 2013-07-16 (Tue, 16 Jul 2013)
Changed paths:
M lib/krb5/ticket.c

Log Message:
-----------
add _krb5_get_ad

Commit: 4d799bdd26df18e2ec8d410cea9b207398547bd3
https://github.com/heimdal/heimdal/commit/4d799bdd26df18e2ec8d410cea9b207398547bd3
Author: Love Hornquist Astrand
Date: 2013-07-16 (Tue, 16 Jul 2013)

Changed paths:
M lib/krb5/crypto-des3.c
M lib/krb5/crypto.c

Log Message:
-----------
support derive key and prf for des3

Commit: 28611511ec5447c2d3feb9d5335f6978bd25b294
https://github.com/heimdal/heimdal/commit/28611511ec5447c2d3feb9d5335f6978bd25b294
Author: Love Hornquist Astrand
Date: 2013-07-16 (Tue, 16 Jul 2013)

Changed paths:
M lib/krb5/rd_req.c

Log Message:
-----------
adopt _krb5_get_ad

Commit: bee5290cc3512e7ad3a41ca44a185ef10b72adf9
https://github.com/heimdal/heimdal/commit/bee5290cc3512e7ad3a41ca44a185ef10b72adf9
Author: Love Hornquist Astrand
Date: 2013-07-16 (Tue, 16 Jul 2013)

Changed paths:
M lib/asn1/krb5.asn1

Log Message:
-----------
add KERB-ARMOR-SERVICE-REPLY

Commit: b4d1168557970e83b26799004f48d1d5984cd233
https://github.com/heimdal/heimdal/commit/b4d1168557970e83b26799004f48d1d5984cd233
Author: Love Hornquist Astrand
Date: 2013-07-16 (Tue, 16 Jul 2013)

Changed paths:
M lib/krb5/krb5.h

Log Message:
-----------
add auth_data

Commit: 5be28884338f0ffb18265ff86195b85a5aec281e
https://github.com/heimdal/heimdal/commit/5be28884338f0ffb18265ff86195b85a5aec281e
Author: Love Hornquist Astrand
Date: 2013-07-16 (Tue, 16 Jul 2013)

Changed paths:
M lib/krb5/auth_context.c

Log Message:
-----------
add auth_data bits

Commit: ad74581850c94a6cc89d059fc33a4755c9442228
https://github.com/heimdal/heimdal/commit/ad74581850c94a6cc89d059fc33a4755c9442228
Author: Love Hornquist Astrand
Date: 2013-07-16 (Tue, 16 Jul 2013)

Changed paths:
M lib/krb5/init_creds_pw.c

Log Message:
-----------
add KRB5_PADATA_FX_FAST_ARMOR to the fast armor data

Commit: f49339f31bf4e4d47987456086c58148f966510f
https://github.com/heimdal/heimdal/commit/f49339f31bf4e4d47987456086c58148f966510f
Author: Love Hornquist Astrand
Date: 2013-07-16 (Tue, 16 Jul 2013)

Changed paths:
M lib/krb5/init_creds_pw.c

Log Message:
-----------
make fast work with mit kerberos

Compare: https://github.com/heimdal/heimdal/compare/a1168815ecb2...f49339f31bf4

From noreply at github.com Wed Jul 17 04:06:26 2013
From: noreply at github.com (GitHub)
Date: Tue, 16 Jul 2013 19:06:26 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 1f78ba: Make krb5-types.h define int64_t on Win32
Message-ID: <51e5fc22bbdfd_257a1435d541527e1@hookshot-fe3-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 1f78baf198e768f1bb6047dcfed95a862eb87157
https://github.com/heimdal/heimdal/commit/1f78baf198e768f1bb6047dcfed95a862eb87157
Author: Nico Williams
Date: 2013-07-16 (Tue, 16 Jul 2013)

Changed paths:
M include/NTMakefile

Log Message:
-----------
Make krb5-types.h define int64_t on Win32

From noreply at github.com Wed Jul 17 04:07:22 2013
From: noreply at github.com (GitHub)
Date: Tue, 16 Jul 2013 19:07:22 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] ea1e37: heim_ipc is not available on Win32 yet
Message-ID: <51e5fc5a5e114_255a1439d50142964@hookshot-fe3-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: ea1e3776fba46070d712ca727c8fec56e41b5fcc
https://github.com/heimdal/heimdal/commit/ea1e3776fba46070d712ca727c8fec56e41b5fcc
Author: Nico Williams
Date: 2013-07-16 (Tue, 16 Jul 2013)

Changed paths:
M lib/krb5/init_creds_pw.c

Log Message:
-----------
heim_ipc is not available on Win32 yet

From noreply at github.com Thu Jul 18 14:57:39 2013
From: noreply at github.com (GitHub)
Date: Thu, 18 Jul 2013 05:57:39 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 7c7684: check for db6/db.h
Message-ID: <51e7e6438b77c_2d5c5f3d5453474@hookshot-fe2-pe1-prd.aws.github.net.mail>

Branch: refs/heads/heimdal-1-5-branch
Home: https://github.com/heimdal/heimdal
Commit: 7c768475b0231ca14304076fa47a5211c507d704
https://github.com/heimdal/heimdal/commit/7c768475b0231ca14304076fa47a5211c507d704
Author: Love Hornquist Astrand
Date: 2013-07-18 (Thu, 18 Jul 2013)

Changed paths:
M cf/db.m4

Log Message:
-----------
check for db6/db.h

Commit: 1bb93228d3a973dc14ea71715469bfe21677d92e
https://github.com/heimdal/heimdal/commit/1bb93228d3a973dc14ea71715469bfe21677d92e
Author: Love Hornquist Astrand
Date: 2013-07-18 (Thu, 18 Jul 2013)

Changed paths:
M cf/db.m4

Log Message:
-----------
include db6/db.h

Commit: 74ab0b29ebd13959f48355d17c05a597a3585711
https://github.com/heimdal/heimdal/commit/74ab0b29ebd13959f48355d17c05a597a3585711
Author: Love Hornquist Astrand
Date: 2013-07-18 (Thu, 18 Jul 2013)

Changed paths:
M lib/hdb/db3.c

Log Message:
-----------
fix condition for db >= 4.1

Compare: https://github.com/heimdal/heimdal/compare/6d590c8ee79b...74ab0b29ebd1

From noreply at github.com Thu Jul 18 14:59:02 2013
From: noreply at github.com (GitHub)
Date: Thu, 18 Jul 2013 05:59:02 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] f8fb62: remember to free auth_data
Message-ID: <51e7e69677f75_e46c1bd5827920@hookshot-fe5-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: f8fb62ff1bf5991826253fbf62a2afa5e64c693b
https://github.com/heimdal/heimdal/commit/f8fb62ff1bf5991826253fbf62a2afa5e64c693b
Author: Love Hornquist Astrand
Date: 2013-07-18 (Thu, 18 Jul 2013)

Changed paths:
M lib/krb5/auth_context.c

Log Message:
-----------
remember to free auth_data

Commit: 644bbff26f78d09d8c5ddf1d32c46e2bab8f862d
https://github.com/heimdal/heimdal/commit/644bbff26f78d09d8c5ddf1d32c46e2bab8f862d
Author: Love Hornquist Astrand
Date: 2013-07-18 (Thu, 18 Jul 2013)

Changed paths:
M cf/make-proto.pl

Log Message:
-----------
better documentation

Commit: 82d71b063b441144a767ac42abaf9e27f10833ec
https://github.com/heimdal/heimdal/commit/82d71b063b441144a767ac42abaf9e27f10833ec
Author: Love Hornquist Astrand
Date: 2013-07-18 (Thu, 18 Jul 2013)

Changed paths:
M lib/hdb/db3.c

Log Message:
-----------
support db6 too, based on patch from Lars Wendler

Commit: 787d9ceec98229d222e6a2d238c61c2b5d4fddac
https://github.com/heimdal/heimdal/commit/787d9ceec98229d222e6a2d238c61c2b5d4fddac
Author: Love Hornquist Astrand
Date: 2013-07-18 (Thu, 18 Jul 2013)

Changed paths:
M cf/db.m4

Log Message:
-----------
check for db6/db.h

Commit: 581f834b4e8eed959705a242f8ebff86a0b3288d
https://github.com/heimdal/heimdal/commit/581f834b4e8eed959705a242f8ebff86a0b3288d
Author: Love Hornquist Astrand
Date: 2013-07-18 (Thu, 18 Jul 2013)

Changed paths:
M cf/db.m4

Log Message:
-----------
include db6/db.h

Compare: https://github.com/heimdal/heimdal/compare/ea1e3776fba4...581f834b4e8e

From noreply at github.com Fri Jul 19 14:51:01 2013
From: noreply at github.com (GitHub)
Date: Fri, 19 Jul 2013 05:51:01 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] a21f1f: We always say we support FAST/enc-pa-rep
Message-ID: <51e9363592a0d_767fb5d4c509f0@hookshot-fe4-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: a21f1f384a6205beb6ac66ffa04cea60309ed332
https://github.com/heimdal/heimdal/commit/a21f1f384a6205beb6ac66ffa04cea60309ed332
Author: Love Hornquist Astrand
Date: 2013-07-18 (Thu, 18 Jul 2013)

Changed paths:
M kdc/kerberos5.c

Log Message:
-----------
We always say we support FAST/enc-pa-rep

Commit: bf6962542492496af9d0ab22906df838f2207040
https://github.com/heimdal/heimdal/commit/bf6962542492496af9d0ab22906df838f2207040
Author: Love Hornquist Astrand
Date: 2013-07-18 (Thu, 18 Jul 2013)

Changed paths:
M kdc/kerberos5.c

Log Message:
-----------
spelling

Commit: ad824fcd6a80b08188110f74c26afa0417b377b1
https://github.com/heimdal/heimdal/commit/ad824fcd6a80b08188110f74c26afa0417b377b1
Author: Love Hornquist Astrand
Date: 2013-07-19 (Fri, 19 Jul 2013)

Changed paths:
M cf/make-proto.pl

Log Message:
-----------
remove bit that might make old perl fail

Compare:
https://github.com/heimdal/heimdal/compare/39abb10aa938...ad824fcd6a80

From noreply at github.com Fri Jul 19 14:53:32 2013
From: noreply at github.com (GitHub)
Date: Fri, 19 Jul 2013 05:53:32 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 348443: clean log between test, dump log on failure
Message-ID: <51e936cc24ae8_4fbb1209d50114159@hookshot-fe3-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 3484432cc553f9f3eb8c8dec027fcd01539963b3
https://github.com/heimdal/heimdal/commit/3484432cc553f9f3eb8c8dec027fcd01539963b3
Author: Love Hornquist Astrand
Date: 2013-07-19 (Fri, 19 Jul 2013)

Changed paths:
M tests/kdc/check-fast.in

Log Message:
-----------
clean log between test, dump log on failure

From noreply at github.com Fri Jul 19 14:56:18 2013
From: noreply at github.com (GitHub)
Date: Fri, 19 Jul 2013 05:56:18 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 1a8038: don't free armor_ccache, since krb5_cc are not yet...
Message-ID: <51e937724af6c_1f7812d1d50438d3@hookshot-fe5-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 1a8038d8a61b4d44a2ab956bcf0c8bceec20c804
https://github.com/heimdal/heimdal/commit/1a8038d8a61b4d44a2ab956bcf0c8bceec20c804
Author: Love Hornquist Astrand
Date: 2013-07-19 (Fri, 19 Jul 2013)

Changed paths:
M lib/krb5/init_creds_pw.c

Log Message:
-----------
don't free armor_ccache, since krb5_cc are not yet ref counted

From noreply at github.com Fri Jul 26 10:36:07 2013
From: noreply at github.com (GitHub)
Date: Fri, 26 Jul 2013 01:36:07 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] afa9db: match code, pointed out by Sergio Gelato

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: afa9db62ba8250d24e7e5beb0a1d91d6b2d0a85a
https://github.com/heimdal/heimdal/commit/afa9db62ba8250d24e7e5beb0a1d91d6b2d0a85a
Author: Love Hornquist Astrand
Date: 2013-07-26 (Fri, 26 Jul 2013)

Changed paths:
M lib/krb5/krb5.conf.5

Log Message:
-----------
match code, pointed out by Sergio Gelato

From noreply at github.com Sat Jul 27 10:21:48 2013
From: noreply at github.com (GitHub)
Date: Sat, 27 Jul 2013 01:21:48 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] f4f89a: Fix bug with use strongest session key feature
Message-ID: <51f3831c586ec_5bc073fd484073d@hookshot-fe5-pe1-prd.aws.github.net.mail>

Branch: refs/heads/use_strongest_fix
Home: https://github.com/heimdal/heimdal
Commit: f4f89ac8e0f8583b7a2a3413fee5526a5b137d5b
https://github.com/heimdal/heimdal/commit/f4f89ac8e0f8583b7a2a3413fee5526a5b137d5b
Author: Nicolas Williams
Date: 2013-07-27 (Sat, 27 Jul 2013)

Changed paths:
M kdc/kerberos5.c
M lib/krb5/krb5.conf.5

Log Message:
-----------
Fix bug with use strongest session key feature

From noreply at github.com Sat Jul 27 22:01:44 2013
From: noreply at github.com (GitHub)
Date: Sat, 27 Jul 2013 13:01:44 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID: <51f42728701dc_22d1ee3d4c86352@hookshot-fe3-pe1-prd.aws.github.net.mail>

Branch: refs/heads/use_strongest_fix
Home: https://github.com/heimdal/heimdal

From noreply at github.com Sat Jul 27 23:44:23 2013
From: noreply at github.com (GitHub)
Date: Sat, 27 Jul 2013 14:44:23 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] f4f89a: Fix bug with use strongest session key feature
Message-ID: <51f43f3740df9_67301317d50213cc@hookshot-fe1-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: f4f89ac8e0f8583b7a2a3413fee5526a5b137d5b
https://github.com/heimdal/heimdal/commit/f4f89ac8e0f8583b7a2a3413fee5526a5b137d5b
Author: Nicolas Williams
Date: 2013-07-27 (Sat, 27 Jul 2013)

Changed paths:
M kdc/kerberos5.c
M lib/krb5/krb5.conf.5

Log Message:
-----------
Fix bug with use strongest session key feature

From noreply at github.com Sat Jul 27 23:51:24 2013
From: noreply at github.com (GitHub)
Date: Sat, 27 Jul 2013 14:51:24 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 1f147f: Check all three DES types
Message-ID: <51f440dc3c3b3_269fdbfd58713@hookshot-fe3-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 1f147f0fa66427c1976d5f88eb8bcdfe5f213287
https://github.com/heimdal/heimdal/commit/1f147f0fa66427c1976d5f88eb8bcdfe5f213287
Author: Nicolas Williams
Date: 2013-07-27 (Sat, 27 Jul 2013)

Changed paths:
M kdc/kerberos5.c

Log Message:
-----------
Check all three DES types

From noreply at github.com Sun Jul 28 00:38:27 2013
From: noreply at github.com (GitHub)
Date: Sat, 27 Jul 2013 15:38:27 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 182610: When asking for the strongest key, get it right
Message-ID: <51f44be3a2697_874bebd4c86156@hookshot-fe2-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 1826106ff4befe3e7dffc18692e40bd244c0d8d8
https://github.com/heimdal/heimdal/commit/1826106ff4befe3e7dffc18692e40bd244c0d8d8
Author: Nicolas Williams
Date: 2013-07-27 (Sat, 27 Jul 2013)

Changed paths:
M kdc/kerberos5.c

Log Message:
-----------
When asking for the strongest key, get it right

From noreply at github.com Sun Jul 28 03:18:19 2013
From: noreply at github.com (GitHub)
Date: Sat, 27 Jul 2013 18:18:19 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 5b223c: roken: do not require use of rk_mkdir on all platf...
Message-ID: <51f4715b791e4_6650cdfd48968e3@hookshot-fe1-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 5b223c2caa98068bb51d9c15123cadfe87b13297
https://github.com/heimdal/heimdal/commit/5b223c2caa98068bb51d9c15123cadfe87b13297
Author: Jeffrey Altman
Date: 2013-07-27 (Sat, 27 Jul 2013)

Changed paths:
M lib/roken/Makefile.am
M lib/roken/mkdir.c
M lib/roken/roken-common.h
M lib/roken/roken.h.in
M windows/NTMakefile.config

Log Message:
-----------
roken: do not require use of rk_mkdir on all platforms

Although rk_mkdir can be provided on all platforms there is no reason to require that it be used by unconditionally mapping mkdir -> rk_mkdir

Change-Id: Ic149500037abf446434332bf6ba67dfb3906cd72

Commit: 37ca3d35a9a0fc239e9a0d04164f41dd82ce493a
https://github.com/heimdal/heimdal/commit/37ca3d35a9a0fc239e9a0d04164f41dd82ce493a
Author: Jeffrey Altman
Date: 2013-07-27 (Sat, 27 Jul 2013)

Changed paths:
M windows/NTMakefile.config

Log Message:
-----------
Windows: use roken's rk_rename

Windows CRT rename does not unlink the target if it exists.
Change-Id: Id7bdf5729d418bb22b59ab11d0d5f31ccb7e3577

Commit: 71fb56309c63f51ce9a4e0b6d454b60ff3ea786b
https://github.com/heimdal/heimdal/commit/71fb56309c63f51ce9a4e0b6d454b60ff3ea786b
Author: Jeffrey Altman
Date: 2013-07-27 (Sat, 27 Jul 2013)

Changed paths:
M kdc/kerberos5.c

Log Message:
-----------
_kdc_find_etype consolidation

The 'use_strongest_session_key' block and its alternate should have similar behavior except for the order in which the enctype lists are processed. This patchset attempts to consolidate the exit processing and ensure that the inner loop enctype and key validation is the same.

Bugs fixed:

1. In the 'use_strongest_session_key' case, the _kdc_is_weak_exception() test was applied during the client enctype loop which is only processed for acceptable enctypes. This test is moved to the local supported enctypes loop so as not to filter out weak keys when the service principal has an explicit exception.

2. In the 'use_strongest_session_key' case, the possibility of an enctype having keys with more than one salt was excluded.

3. In the 'use_strongest_session_key' case, the 'key' variable was not reset to NULL within each loop of the client enctype list.

4. In the '!use_strongest_session_key' case, the default salt test and is_preauth was inconsistent with the 'use_strongest_session_key' block.

With this consolidation, if no enctype is selected and the service principal is permitted to use 1DES, then 1DES is selected. It doesn't matter whether 'use_strongest_session_key' is in use or not.
Change-Id: Ib57264fc8bc23df64c70d39b4f6de48beeb54739

Compare: https://github.com/heimdal/heimdal/compare/1826106ff4be...71fb56309c63

From noreply at github.com Sun Jul 28 04:08:33 2013
From: noreply at github.com (GitHub)
Date: Sat, 27 Jul 2013 19:08:33 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] dfc7ed: _kdc_find_etype: fix typo
Message-ID: <51f47d21d7f12_6653b2fd54978a6@hookshot-fe1-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: dfc7ed639f8ba7eced10f2d7efd08aa038ac2ecd
https://github.com/heimdal/heimdal/commit/dfc7ed639f8ba7eced10f2d7efd08aa038ac2ecd
Author: Jeffrey Altman
Date: 2013-07-27 (Sat, 27 Jul 2013)

Changed paths:
M kdc/kerberos5.c

Log Message:
-----------
_kdc_find_etype: fix typo

Fix a typo introduced by 71fb56309c63f51ce9a4e0b6d454b60ff3ea786b.

Change-Id: I0c3b6aa73cab8679b2ad1bef3969296b20c3ea7d

From noreply at github.com Mon Jul 29 23:55:53 2013
From: noreply at github.com (GitHub)
Date: Mon, 29 Jul 2013 14:55:53 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 95f2ab: _kdc_find_etype: do not return success if ret_key ...
Message-ID: <51f6e4e986960_2c8e4b9d5892882@hookshot-fe4-pe1-prd.aws.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 95f2abc1168f7050edc20af13f3f31ffd6fb8e69
https://github.com/heimdal/heimdal/commit/95f2abc1168f7050edc20af13f3f31ffd6fb8e69
Author: Jeffrey Altman
Date: 2013-07-29 (Mon, 29 Jul 2013)

Changed paths:
M kdc/kerberos5.c

Log Message:
-----------
_kdc_find_etype: do not return success if ret_key != NULL

If _kdc_find_etype() is being called with 'ret_key' != NULL, the caller is attempting to find an actual principal key. If 'ret_key' is NULL then it is seeking a session key type. Only return an enctype that is not in the principal key list unless 'ret_key' is NULL.
As part of this change remove 'clientbest' and the associated logic as it is both unnecessary and can produce an enctype for which the key cannot be returned.

Change-Id: Iba319e95fc1eac139f00b0cce20e1249482d2c6f

Commit: 002a5acbf01efc2596a41b7685f03822b3895216
https://github.com/heimdal/heimdal/commit/002a5acbf01efc2596a41b7685f03822b3895216
Author: Jeffrey Altman
Date: 2013-07-29 (Mon, 29 Jul 2013)

Changed paths:
M kdc/misc.c

Log Message:
-----------
apply weak key exceptions to _kdc_get_preferred_key

As part of the keytype validity checks within _kdc_get_preferred_key _kdc_is_weak_exception must be used to permit the afs/* principals to have only DES in the key list.

Change-Id: I70801ce9b8c4d3f057542541ce11e06d195efd52

Compare: https://github.com/heimdal/heimdal/compare/dfc7ed639f8b...002a5acbf01e

From noreply at github.com Mon Jul 29 23:59:55 2013
From: noreply at github.com (GitHub)
Date: Mon, 29 Jul 2013 14:59:55 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 32baf7: Fix TGS ticket enc-part key selection
Message-ID: <51f6e5dbd8392_2be1b71d58166957@hookshot-fe4-pe1-prd.aws.github.net.mail>

Branch: refs/heads/heimdal-1-5-branch
Home: https://github.com/heimdal/heimdal
Commit: 32baf75c3ec8aedf373ed68cc6dbd49fde664415
https://github.com/heimdal/heimdal/commit/32baf75c3ec8aedf373ed68cc6dbd49fde664415
Author: Nicolas Williams
Date: 2013-07-29 (Mon, 29 Jul 2013)

Changed paths:
M kdc/krb5tgs.c

Log Message:
-----------
Fix TGS ticket enc-part key selection

When I added support for configuring how the KDC selects session, reply, and ticket enc-part keys I accidentally had the KDC use the session key selection algorithm for selecting the ticket enc-part key. This becomes a problem when using a Heimdal KDC with an MIT KDB as the HDB backend and when the krbtgt keys are not in strongest-to-weakest order, in which case forwardable tickets minted by the Heimdal KDC will not be accepted by MIT KDCs with the same KDB.
(cherry picked from commit 12cd2c9cbd1ca027a3ef9ac7ab3e79526b1348ae)

Conflicts:
kdc/krb5tgs.c

Change-Id: Iace4d27a7a4f1166efc1b858d944f0dab2587990

Commit: 50309911ba90a0c5c3881f518e16a88d59abc879
https://github.com/heimdal/heimdal/commit/50309911ba90a0c5c3881f518e16a88d59abc879
Author: Nicolas Williams
Date: 2013-07-29 (Mon, 29 Jul 2013)

Changed paths:
M kdc/krb5tgs.c

Log Message:
-----------
Fix check-des

The previous fix was incomplete. But it also finally uncovered an old check-des problem that I'd had once and which may have gotten papered over by changing the default of one of the *strongest* KDC parameters. The old problem is that we were passing the wrong enctype to _kdc_encode_reply(): we were passing the session key enctype where the ticket enc-part key's enctype was expected.

The whole enctype being passed in is superfluous anyways. Let's clean that up next.

Commit: ad7bb0311c41449921ab82fdcfb8545e801f6429
https://github.com/heimdal/heimdal/commit/ad7bb0311c41449921ab82fdcfb8545e801f6429
Author: Nicolas Williams
Date: 2013-07-29 (Mon, 29 Jul 2013)

Changed paths:
M kdc/krb5tgs.c

Log Message:
-----------
Rename and fix as/tgs-use-strongest-key config parameters

Different ticket session key enctype selection options should distinguish between target principal type (krbtgt vs. not), not between KDC request types.
Commit: fff00cc34536937974caccbb2278dab1562a5594
https://github.com/heimdal/heimdal/commit/fff00cc34536937974caccbb2278dab1562a5594
Author: Love Hornquist Astrand
Date: 2013-07-29 (Mon, 29 Jul 2013)

Changed paths:
M lib/krb5/krb5.conf.5

Log Message:
-----------
match code, pointed out by Sergio Gelato

(cherry picked from commit afa9db62ba8250d24e7e5beb0a1d91d6b2d0a85a)

Commit: 800345591daa0ec0d916fa71032b78f4c4e225c9
https://github.com/heimdal/heimdal/commit/800345591daa0ec0d916fa71032b78f4c4e225c9
Author: Nicolas Williams
Date: 2013-07-29 (Mon, 29 Jul 2013)

Changed paths:
M kdc/kerberos5.c
M lib/krb5/krb5.conf.5

Log Message:
-----------
Fix bug with use strongest session key feature

(cherry picked from commit f4f89ac8e0f8583b7a2a3413fee5526a5b137d5b)

Change-Id: I593b6ba7bdf050cc635baa463e741b584f0fa0bf

Commit: e1dd757fe13c818dfb259b540d84345d9e20f98b
https://github.com/heimdal/heimdal/commit/e1dd757fe13c818dfb259b540d84345d9e20f98b
Author: Nicolas Williams
Date: 2013-07-29 (Mon, 29 Jul 2013)

Changed paths:
M kdc/kerberos5.c

Log Message:
-----------
Check all three DES types

(cherry picked from commit 1f147f0fa66427c1976d5f88eb8bcdfe5f213287)

Commit: 2a5a96d60ec464e831274fda3e3b6653de96196f
https://github.com/heimdal/heimdal/commit/2a5a96d60ec464e831274fda3e3b6653de96196f
Author: Nicolas Williams
Date: 2013-07-29 (Mon, 29 Jul 2013)

Changed paths:
M kdc/kerberos5.c

Log Message:
-----------
When asking for the strongest key, get it right

(cherry picked from commit 1826106ff4befe3e7dffc18692e40bd244c0d8d8)

Commit: a2d0f8e3ee350f7db48d7bcd6eed775ff1ace6e4
https://github.com/heimdal/heimdal/commit/a2d0f8e3ee350f7db48d7bcd6eed775ff1ace6e4
Author: Jeffrey Altman
Date: 2013-07-29 (Mon, 29 Jul 2013)

Changed paths:
M kdc/kerberos5.c

Log Message:
-----------
_kdc_find_etype consolidation

The 'use_strongest_session_key' block and its alternate should have similar behavior except for the order in which the enctype lists are processed.
This patchset attempts to consolidate the exit processing and ensure that the inner loop enctype and key validation is the same.

Bugs fixed:

1. In the 'use_strongest_session_key' case, the _kdc_is_weak_exception() test was applied during the client enctype loop which is only processed for acceptable enctypes. This test is moved to the local supported enctypes loop so as not to filter out weak keys when the service principal has an explicit exception.

2. In the 'use_strongest_session_key' case, the possibility of an enctype having keys with more than one salt was excluded.

3. In the 'use_strongest_session_key' case, the 'key' variable was not reset to NULL within each loop of the client enctype list.

4. In the '!use_strongest_session_key' case, the default salt test and is_preauth was inconsistent with the 'use_strongest_session_key' block.

With this consolidation, if no enctype is selected and the service principal is permitted to use 1DES, then 1DES is selected. It doesn't matter whether 'use_strongest_session_key' is in use or not.

Change-Id: Ib57264fc8bc23df64c70d39b4f6de48beeb54739
(cherry picked from commit 8f2d779663f4b1245cd53c3a593be94f5a616513)

Commit: 20090f7ba301453fc32bceda90125d043ff9210f
https://github.com/heimdal/heimdal/commit/20090f7ba301453fc32bceda90125d043ff9210f
Author: Jeffrey Altman
Date: 2013-07-29 (Mon, 29 Jul 2013)

Changed paths:
M kdc/kerberos5.c

Log Message:
-----------
_kdc_find_etype: do not return success if ret_key != NULL

If _kdc_find_etype() is being called with 'ret_key' != NULL, the caller is attempting to find an actual principal key. If 'ret_key' is NULL then it is seeking a session key type. Only return an enctype that is not in the principal key list unless 'ret_key' is NULL.

As part of this change remove 'clientbest' and the associated logic as it is both unnecessary and can produce an enctype for which the key cannot be returned.
Change-Id: Iba319e95fc1eac139f00b0cce20e1249482d2c6f (cherry picked from commit 95f2abc1168f7050edc20af13f3f31ffd6fb8e69) Commit: 33a3a172ad3cf53764388efb8767ce5793b49a41 https://github.com/heimdal/heimdal/commit/33a3a172ad3cf53764388efb8767ce5793b49a41 Author: Jeffrey Altman Date: 2013-07-29 (Mon, 29 Jul 2013) Changed paths: M kdc/misc.c Log Message: ----------- apply weak key exceptions to _kdc_get_preferred_key As part of the keytype validity checks within _kdc_get_preferred_key _kdc_is_weak_exception must be used to permit the afs/* principals to have only DES in the key list. Change-Id: I70801ce9b8c4d3f057542541ce11e06d195efd52 (cherry picked from commit 002a5acbf01efc2596a41b7685f03822b3895216) Compare: https://github.com/heimdal/heimdal/compare/74ab0b29ebd1...33a3a172ad3c From noreply at github.com Tue Jul 30 20:17:22 2013 From: noreply at github.com (GitHub) Date: Tue, 30 Jul 2013 11:17:22 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] c4aa2f: _kdc_find_etype: prefer default salt for preauth Message-ID: <51f8033250e73_7cc652bd5410862b@hookshot-fe3-pe1-prd.aws.github.net.mail> Branch: refs/heads/master Home: https://github.com/heimdal/heimdal Commit: c4aa2f90674da250af99f4afbb199d653d27b1af https://github.com/heimdal/heimdal/commit/c4aa2f90674da250af99f4afbb199d653d27b1af Author: Jeffrey Altman Date: 2013-07-30 (Tue, 30 Jul 2013) Changed paths: M kdc/kerberos5.c Log Message: ----------- _kdc_find_etype: prefer default salt for preauth if the query is "preauth" and the caller is seeking a Key, try to find a Key that has the default salt but do not exclude keys that have a non-default salt. Move the assignment of 'ret' and 'enctype' before the preauth default salt test. If the only key of the given type is the non-default salt key, it should be used. If the caller is not seeking a Key, do not bother with the preauth test at all since the Key itself doesn't matter and we are simply seeking an enctype. 
Change-Id: I7cd37c579c0bfdd88bccfbc9eb5e5f55cd1910cb Commit: 1bed48b75cdebebfb1a3ce1e8c6962ca43848e32 https://github.com/heimdal/heimdal/commit/1bed48b75cdebebfb1a3ce1e8c6962ca43848e32 Author: Ragnar Sundblad Date: 2013-07-30 (Tue, 30 Jul 2013) Changed paths: M kdc/krb5tgs.c Log Message: ----------- tgs_make_reply: fix temp weak enctype exception The default heimdal KDC chokes when trying to encrypt a ticket with a weak server key that has a different type than the session key. The problem happens in the krb5_crypto_init function called from the _kdc_encode_reply function. The existing work-around of the problem temporarily enabled the weak enctype in case it was disabled but the principal was on the (hard-coded) exception list. Unfortunately the code used the keytype of the key encoded in the ticket (the session key) instead of the keytype of the key used to encrypt the ticket (the serverkey) thus enabling the incorrect encryption type if those two are different, for instance des-cbc-md5 and des-cbc-crc. 
Change-Id: Ia55dc344e3e5fc9ec1eb93c9e8ebb0a58c673d57 Compare: https://github.com/heimdal/heimdal/compare/002a5acbf01e...1bed48b75cde From noreply at github.com Tue Jul 30 20:18:17 2013 From: noreply at github.com (GitHub) Date: Tue, 30 Jul 2013 11:18:17 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] 76bee4: _kdc_find_etype: prefer default salt for preauth Message-ID: <51f80369a85ad_1db25e3d50990f9@hookshot-fe4-pe1-prd.aws.github.net.mail> Branch: refs/heads/heimdal-1-5-branch Home: https://github.com/heimdal/heimdal Commit: 76bee4df58994d45852e2e8d5da7ec09bdc6f5d4 https://github.com/heimdal/heimdal/commit/76bee4df58994d45852e2e8d5da7ec09bdc6f5d4 Author: Jeffrey Altman Date: 2013-07-30 (Tue, 30 Jul 2013) Changed paths: M kdc/kerberos5.c Log Message: ----------- _kdc_find_etype: prefer default salt for preauth if the query is "preauth" and the caller is seeking a Key, try to find a Key that has the default salt but do not exclude keys that have a non-default salt. Move the assignment of 'ret' and 'enctype' before the preauth default salt test. If the only key of the given type is the non-default salt key, it should be used. If the caller is not seeking a Key, do not bother with the preauth test at all since the Key itself doesn't matter and we are simply seeking an enctype. Change-Id: I7cd37c579c0bfdd88bccfbc9eb5e5f55cd1910cb Commit: d9b3691b0f993a4b80fddc7b2771209e3856c26a https://github.com/heimdal/heimdal/commit/d9b3691b0f993a4b80fddc7b2771209e3856c26a Author: Ragnar Sundblad Date: 2013-07-30 (Tue, 30 Jul 2013) Changed paths: M kdc/krb5tgs.c Log Message: ----------- tgs_make_reply: fix temp weak enctype exception The default heimdal KDC chokes when trying to encrypt a ticket with a weak server key that has a different type than the session key. The problem happens in the krb5_crypto_init function called from the _kdc_encode_reply function. 
The existing work-around of the problem temporarily enabled the weak enctype in case it was disabled but the principal was on the (hard-coded) exception list. Unfortunately the code used the keytype of the key encoded in the ticket (the session key) instead of the keytype of the key used to encrypt the ticket (the serverkey) thus enabling the incorrect encryption type if those two are different, for instance des-cbc-md5 and des-cbc-crc. Change-Id: Ia55dc344e3e5fc9ec1eb93c9e8ebb0a58c673d57 Compare: https://github.com/heimdal/heimdal/compare/33a3a172ad3c...d9b3691b0f99