From noreply at github.com Fri Jul 24 12:04:47 2015
From: noreply at github.com (GitHub)
Date: Fri, 24 Jul 2015 03:04:47 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 5cf302: Add new error codes related to PIN
Message-ID: <55b20dbfe8497_4a903ff427bdd2a09164@hookshot-fe5-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/master
  Home: https://github.com/heimdal/heimdal

  Commit: 5cf302def79beae59f4f54b655e9180bd9aad4b1
  https://github.com/heimdal/heimdal/commit/5cf302def79beae59f4f54b655e9180bd9aad4b1
  Author: HenryJacques
  Date: 2015-07-20 (Mon, 20 Jul 2015)

  Changed paths:
    M lib/hx509/hx509_err.et

  Log Message:
  -----------
  Add new error codes related to PIN

  Not all error codes have been added, only the most common ones.

  Commit: 75a304c45254486296e319f121b5c6da19b30381
  https://github.com/heimdal/heimdal/commit/75a304c45254486296e319f121b5c6da19b30381
  Author: HenryJacques
  Date: 2015-07-20 (Mon, 20 Jul 2015)

  Changed paths:
    M lib/hx509/ks_p11.c

  Log Message:
  -----------
  Fix typo

  Commit: 1639697c975e13428d6dda7973232f3c62d0c801
  https://github.com/heimdal/heimdal/commit/1639697c975e13428d6dda7973232f3c62d0c801
  Author: HenryJacques
  Date: 2015-07-20 (Mon, 20 Jul 2015)

  Changed paths:
    M lib/hx509/ks_p11.c

  Log Message:
  -----------
  add error codes related to User PIN

  Commit: 35a569bd83c7e10322f4c121f53a109a937c5506
  https://github.com/heimdal/heimdal/commit/35a569bd83c7e10322f4c121f53a109a937c5506
  Author: HenryJacques
  Date: 2015-07-20 (Mon, 20 Jul 2015)

  Changed paths:
    M lib/hx509/ks_p11.c

  Log Message:
  -----------
  Allow to use more than one token

  This is needed if the first is not usable

  Commit: 5a4e9d15393f14d03c1c103014a8db9311d61ed1
  https://github.com/heimdal/heimdal/commit/5a4e9d15393f14d03c1c103014a8db9311d61ed1
  Author: HenryJacques
  Date: 2015-07-20 (Mon, 20 Jul 2015)

  Changed paths:
    M lib/hx509/ks_p11.c

  Log Message:
  -----------
  Fix typo

  Commit: db4175c2258c17a16cfaf0e2ebe776549f53d922
  https://github.com/heimdal/heimdal/commit/db4175c2258c17a16cfaf0e2ebe776549f53d922
  Author: Love Hörnquist Åstrand
  Date: 2015-07-24 (Fri, 24 Jul 2015)

  Changed paths:
    M lib/hx509/hx509_err.et
    M lib/hx509/ks_p11.c

  Log Message:
  -----------
  Merge pull request #136 from HenryJacques/pkinit_improvements

  PK-INIT improvements

Compare: https://github.com/heimdal/heimdal/compare/be63a2914adc...db4175c2258c

From noreply at github.com Fri Jul 31 06:15:56 2015
From: noreply at github.com (GitHub)
Date: Thu, 30 Jul 2015 21:15:56 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] f132e0: GSSAPI: update lib/gssapi/gen-oid.pl to work with ...
Message-ID: <55baf67cc543c_45123ff3312352bc56397@hookshot-fe4-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/master
  Home: https://github.com/heimdal/heimdal

  Commit: f132e0b2a3c66becd305f6f2ac1c311f6e453001
  https://github.com/heimdal/heimdal/commit/f132e0b2a3c66becd305f6f2ac1c311f6e453001
  Author: Douglas Bagnall
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M lib/gssapi/gen-oid.pl

  Log Message:
  -----------
  GSSAPI: update lib/gssapi/gen-oid.pl to work with Perl 5

  The invocation `require "getopts.pl"; Getopts(...)` works in Perl 4,
  but not in recent Perl 5.

  Signed-off-by: Douglas Bagnall

  Commit: afab2ff86778340fc54f532c2dcf2d383f393a48
  https://github.com/heimdal/heimdal/commit/afab2ff86778340fc54f532c2dcf2d383f393a48
  Author: Douglas Bagnall
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M lib/gssapi/mech/gss_oid.c

  Log Message:
  -----------
  GSSAPI: use rk_UNCONST() on password and cert oid

  These missed out on the rk_UNCONST()ification by virtue of being added
  in a parallel branch. In the diagram below, they got added in 02cf28e,
  while the rk_UNCONSTs were added in f5f9014.

    * cc47c8f Turn on -Wextra -Wno-sign-compare -Wno-unused-paramter and fix issues.
    *   3069d80 Merge branch 'master' into lukeh/acquire-cred-ex
    |\
    | * f5f9014 Warning fixes from Christos Zoulas
    * | 02cf28e implement gss_acquire_cred_ex with password support
    |/
    * 2170219 add more oids

  rk_UNCONST amounts to a cast to (void *), removing const.

  Signed-off-by: Douglas Bagnall

  Commit: 0c36f11f1793ae84f1d06ea36f0e8d746d26e3fe
  https://github.com/heimdal/heimdal/commit/0c36f11f1793ae84f1d06ea36f0e8d746d26e3fe
  Author: Douglas Bagnall
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M lib/gssapi/gen-oid.pl

  Log Message:
  -----------
  GSSAPI: keep consistent sort order in lib/gssapi/gen-oid.pl

  Signed-off-by: Douglas Bagnall

  Commit: 0d31145e9defc7d58953a13c422ccac407ce6b61
  https://github.com/heimdal/heimdal/commit/0d31145e9defc7d58953a13c422ccac407ce6b61
  Author: Douglas Bagnall
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M lib/gssapi/gen-oid.pl

  Log Message:
  -----------
  GSSAPI: generate full NULL structure initializers in gen-oid.pl

  As seen in commit cc47c8fa7 (Roland C. Dowdeswell, "Turn on -Wextra
  -Wno-sign-compare -Wno-unused-paramter and fix issues"), compilers can
  be persuaded to dislike a single {NULL} and prefer {NULL, NULL, NULL,
  NULL}. That patch altered the C code directly; here we change the
  generating file to match.

  Signed-off-by: Douglas Bagnall

  Commit: 832d7af01872252c9e9c754a6387971622d3e30c
  https://github.com/heimdal/heimdal/commit/832d7af01872252c9e9c754a6387971622d3e30c
  Author: Douglas Bagnall
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M lib/gssapi/mech/gss_oid.c

  Log Message:
  -----------
  GSSAPI: regenerate lib/gssapi/mech/gss_oid.c with consistent sort

  This is generated from lib/gssapi/oid.txt using lib/gssapi/gen-oid.pl,
  which sorts the entries to ensure minimal diff churn when an oid is
  added or changed.

  The lack of effective changes can be seen by sorting both versions, a
  bit like this:

    $ git show HEAD~~:lib/gssapi/mech/gss_oid.c | sort > /tmp/gss_oid.c-OLD
    $ cat lib/gssapi/mech/gss_oid.c | sort > /tmp/gss_oid.c-NEW
    $ diff -u /tmp/gss_oid.c*
    $ #Nothing to see!

  This is of course not a reliable check in general, but works for this
  simple file in concert with ordinary inspection.

  Signed-off-by: Douglas Bagnall

  Commit: 71c95fb38d1edba18ff3fe059215115b9d8bb56f
  https://github.com/heimdal/heimdal/commit/71c95fb38d1edba18ff3fe059215115b9d8bb56f
  Author: Andrew Bartlett
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M lib/gssapi/gen-oid.pl
    M lib/gssapi/mech/gss_oid.c

  Log Message:
  -----------
  Merge pull request #137 from douglasbagnall/oid-regenerate

  Oid regenerate

  The GSSAPI oid C files were originally generated by a perl 4 script
  that no longer runs on a modern system. Subsequently the C has been
  manually modified. These patches update the script to perl 5 and alter
  its output to reflect the manually changed C. Because modern perl uses
  hash randomisation, the order of the oids in the C file is sorted --
  otherwise they will be ordered differently every time, making changes
  hard to review.

Compare: https://github.com/heimdal/heimdal/compare/db4175c2258c...71c95fb38d1e

From noreply at github.com Fri Jul 31 08:03:08 2015
From: noreply at github.com (GitHub)
Date: Thu, 30 Jul 2015 23:03:08 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] be37f2: lib/ntlm: add missing dependency to libwind.la
Message-ID: <55bb0f9c8cb4b_3e333fd5004272b8961aa@hookshot-fe2-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/master
  Home: https://github.com/heimdal/heimdal

  Commit: be37f24ef4911c1770bb06aed0f45b45921f66ae
  https://github.com/heimdal/heimdal/commit/be37f24ef4911c1770bb06aed0f45b45921f66ae
  Author: Stefan Metzmacher
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M lib/ntlm/Makefile.am

  Log Message:
  -----------
  lib/ntlm: add missing dependency to libwind.la

  Signed-off-by: Stefan Metzmacher

  Commit: 20da6cad02d5b57ce081b8bf28c41cedb70c00bb
  https://github.com/heimdal/heimdal/commit/20da6cad02d5b57ce081b8bf28c41cedb70c00bb
  Author: Stefan Metzmacher
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    A doc/standardisation/rfc6806.txt

  Log Message:
  -----------
  doc/standardisation: add rfc6806.txt

  Signed-off-by: Stefan Metzmacher

  Commit: ae4d222f586b7e93800b902b6823ab3a3978ff54
  https://github.com/heimdal/heimdal/commit/ae4d222f586b7e93800b902b6823ab3a3978ff54
  Author: Stefan Metzmacher
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M lib/krb5/pac.c

  Log Message:
  -----------
  lib/krb5: verify_logonname() to handle multi component principal

  FreeIPA can generate tickets with a client principal of
  'host/hostname.example.com'.

  verify_logonname() should just verify the principal name in the
  PAC_LOGON_NAME is the same as the principal of the client principal
  (without realm) of the ticket.

  Samba commit b7cc8c1187ff967e44587cd0d09185330378f366 breaks this. We
  try to compare ['host']['hostname.example.com'] with
  ['host/hostname.example.com'] (as we interpret it as enterprise
  principal), this fails if we don't compare them as strings.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142

  Signed-off-by: Stefan Metzmacher
  Reviewed-by: Andrew Bartlett

  Commit: bbff216dc659954a76bb395ee36aa1a1c8571941
  https://github.com/heimdal/heimdal/commit/bbff216dc659954a76bb395ee36aa1a1c8571941
  Author: Stefan Metzmacher
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M lib/krb5/init_creds_pw.c

  Log Message:
  -----------
  lib/krb5: correctly follow KRB5_KDC_ERR_WRONG_REALM client referrals

  An AS-REQ with an enterprise principal will always be directed to a
  kdc of the local (default) realm. The KDC directs the client into the
  direction of the final realm. See rfc6806.txt.

  Signed-off-by: Stefan Metzmacher

  Commit: 25f3db919fa73f0ad4caa31dff2275da6730f266
  https://github.com/heimdal/heimdal/commit/25f3db919fa73f0ad4caa31dff2275da6730f266
  Author: Stefan Metzmacher
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M lib/krb5/libkrb5-exports.def.in
    M lib/krb5/mk_error.c
    M lib/krb5/version-script.map

  Log Message:
  -----------
  lib/krb5: add krb5_mk_error_ext() helper function

  This gives the caller the ability to skip the client_name and only
  provide client_realm. This is required for KDC_ERR_WRONG_REALM
  messages.

  Signed-off-by: Stefan Metzmacher

  Commit: a873e21d7c06f22943a90a41dc733ae76799390d
  https://github.com/heimdal/heimdal/commit/a873e21d7c06f22943a90a41dc733ae76799390d
  Author: Stefan Metzmacher
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M kdc/fast.c
    M kdc/kerberos5.c
    M kdc/krb5tgs.c

  Log Message:
  -----------
  kdc: base _kdc_fast_mk_error() on krb5_mk_error_ext()

  Signed-off-by: Stefan Metzmacher

  Commit: 81f9ed4a6cd1ad71d1af25a2883bcff431e74a69
  https://github.com/heimdal/heimdal/commit/81f9ed4a6cd1ad71d1af25a2883bcff431e74a69
  Author: Stefan Metzmacher
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M kdc/krb5tgs.c

  Log Message:
  -----------
  kdc: generic support for 3part servicePrincipalNames

  This is not DRSUAPI specific, it works for all 3 part principals.

  Signed-off-by: Stefan Metzmacher

  Commit: 078e6f5dd2fcf50b40ed32e9178afa7c708a19fa
  https://github.com/heimdal/heimdal/commit/078e6f5dd2fcf50b40ed32e9178afa7c708a19fa
  Author: Stefan Metzmacher
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M kdc/kerberos5.c
    M kdc/krb5tgs.c
    M kdc/misc.c
    M lib/hdb/hdb_err.et

  Log Message:
  -----------
  kdc: add support for HDB_ERR_WRONG_REALM

  A backend can return this if asked with
  HDB_F_GET_CLIENT|HDB_F_FOR_AS_REQ for a KRB5_NT_ENTERPRISE_PRINCIPAL
  record or for HDB_F_GET_SERVER | HDB_F_FOR_TGS_REQ.

  entry_ex->entry.principal->realm needs to return the real realm of the
  principal (or at least the realm of the next cross-realm trust hop).

  This is needed to route enterprise principals between AD domain
  trusts.

  Signed-off-by: Stefan Metzmacher

  Commit: 63ed9620416744b044281b5c8b1e951cbaa65568
  https://github.com/heimdal/heimdal/commit/63ed9620416744b044281b5c8b1e951cbaa65568
  Author: Stefan Metzmacher
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M lib/gssapi/krb5/decapsulate.c

  Log Message:
  -----------
  lib/gssapi/krb5: make _gssapi_verify_pad() more robust

  Signed-off-by: Stefan Metzmacher

  Commit: e33e47650a9734ed159308b0de268f4717ae2280
  https://github.com/heimdal/heimdal/commit/e33e47650a9734ed159308b0de268f4717ae2280
  Author: Stefan Metzmacher
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M lib/gssapi/krb5/aeap.c

  Log Message:
  -----------
  lib/gssapi/krb5: fix indentation in _gk_wrap_iov()

  Now it matches _gk_unwrap_iov() and _gk_wrap_iov_length().

  Signed-off-by: Stefan Metzmacher

  Commit: 5f79ac2bb989fd29cd52447d44b6ac7eddb726f1
  https://github.com/heimdal/heimdal/commit/5f79ac2bb989fd29cd52447d44b6ac7eddb726f1
  Author: Stefan Metzmacher
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M lib/gssapi/krb5/arcfour.c

  Log Message:
  -----------
  lib/gssapi/krb5: clear temporary buffer with cleartext data.

  Signed-off-by: Stefan Metzmacher

  Commit: ef0059b8b6d18d562954f023c98abb4f8e01986b
  https://github.com/heimdal/heimdal/commit/ef0059b8b6d18d562954f023c98abb4f8e01986b
  Author: Stefan Metzmacher
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M lib/gssapi/krb5/arcfour.c

  Log Message:
  -----------
  lib/gssapi/krb5: add const to arcfour_mic_key()

  Signed-off-by: Stefan Metzmacher

  Commit: bafefad87fe9766dd8c8c755f5d78bb7d8f93578
  https://github.com/heimdal/heimdal/commit/bafefad87fe9766dd8c8c755f5d78bb7d8f93578
  Author: Stefan Metzmacher
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M lib/gssapi/krb5/arcfour.c

  Log Message:
  -----------
  lib/gssapi/krb5: split out a arcfour_mic_cksum_iov() function

  Signed-off-by: Stefan Metzmacher

  Commit: ad3acc2aef955c3c1d28607629cc9e6140ad3efd
  https://github.com/heimdal/heimdal/commit/ad3acc2aef955c3c1d28607629cc9e6140ad3efd
  Author: Stefan Metzmacher
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    M lib/gssapi/krb5/aeap.c
    M lib/gssapi/krb5/arcfour.c

  Log Message:
  -----------
  lib/gssapi/krb5: implement gss_[un]wrap_iov[_length] with arcfour-hmac-md5

  Pair-Programmed-With: Andreas Schneider

  Signed-off-by: Stefan Metzmacher
  Signed-off-by: Andreas Schneider

  Commit: 411da1fb3175f890c23b1471b105c1aa925a2a1e
  https://github.com/heimdal/heimdal/commit/411da1fb3175f890c23b1471b105c1aa925a2a1e
  Author: Andrew Bartlett
  Date: 2015-07-31 (Fri, 31 Jul 2015)

  Changed paths:
    A doc/standardisation/rfc6806.txt
    M kdc/fast.c
    M kdc/kerberos5.c
    M kdc/krb5tgs.c
    M kdc/misc.c
    M lib/gssapi/krb5/aeap.c
    M lib/gssapi/krb5/arcfour.c
    M lib/gssapi/krb5/decapsulate.c
    M lib/hdb/hdb_err.et
    M lib/krb5/init_creds_pw.c
    M lib/krb5/libkrb5-exports.def.in
    M lib/krb5/mk_error.c
    M lib/krb5/pac.c
    M lib/krb5/version-script.map
    M lib/ntlm/Makefile.am

  Log Message:
  -----------
  Merge pull request #138 from abartlet/lorikeet-heimdal-for-upstream

  Samba Cross-realm support patches from metze

  These patches were posted to heimdal-discuss by metze, and there were
  no objections there.

Compare: https://github.com/heimdal/heimdal/compare/71c95fb38d1e...411da1fb3175