From noreply at github.com Wed Mar 4 22:59:17 2015
From: noreply at github.com (GitHub)
Date: Wed, 04 Mar 2015 13:59:17 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] e4a857: Fix DB: prefix check
Message-ID: <54f780359dba9_78853f89550152c0896c4@hookshot-fe3-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/gh-master
  Home: https://github.com/heimdal/heimdal
  Commit: e4a857143490a23dfe351668440d1ae4faa1f710
      https://github.com/heimdal/heimdal/commit/e4a857143490a23dfe351668440d1ae4faa1f710
  Author: Viktor Dukhovni
  Date: 2015-03-04 (Wed, 04 Mar 2015)

  Changed paths:
    M lib/krb5/aname_to_localname.c

  Log Message:
  -----------
  Fix DB: prefix check

From noreply at github.com Wed Mar 4 23:01:14 2015
From: noreply at github.com (GitHub)
Date: Wed, 04 Mar 2015 14:01:14 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID: <54f780aabde92_56b23fe3836df2bc183e@hookshot-fe5-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/gh-master
  Home: https://github.com/heimdal/heimdal

From noreply at github.com Wed Mar 4 23:01:35 2015
From: noreply at github.com (GitHub)
Date: Wed, 04 Mar 2015 14:01:35 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] e4a857: Fix DB: prefix check
Message-ID: <54f780bf8136a_15463fafcab2929c32355@hookshot-fe4-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/master
  Home: https://github.com/heimdal/heimdal
  Commit: e4a857143490a23dfe351668440d1ae4faa1f710
      https://github.com/heimdal/heimdal/commit/e4a857143490a23dfe351668440d1ae4faa1f710
  Author: Viktor Dukhovni
  Date: 2015-03-04 (Wed, 04 Mar 2015)

  Changed paths:
    M lib/krb5/aname_to_localname.c

  Log Message:
  -----------
  Fix DB: prefix check

From noreply at github.com Wed Mar 4 23:04:30 2015
From: noreply at github.com (GitHub)
Date: Wed, 04 Mar 2015 14:04:30 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] c3ddec: Name canon kdc config breaks iprop
Message-ID: <54f7816eaee14_222d3fc5493fd2b888974@hookshot-fe1-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/master
  Home: https://github.com/heimdal/heimdal
  Commit: c3ddece8d4b3247e9ff090068c392e86e73cbd3e
      https://github.com/heimdal/heimdal/commit/c3ddece8d4b3247e9ff090068c392e86e73cbd3e
  Author: Viktor Dukhovni
  Date: 2015-03-04 (Wed, 04 Mar 2015)

  Changed paths:
    M tests/kdc/krb5.conf.in

  Log Message:
  -----------
  Name canon kdc config breaks iprop

From noreply at github.com Thu Mar 5 01:53:17 2015
From: noreply at github.com (GitHub)
Date: Wed, 04 Mar 2015 16:53:17 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] a71fa7: Silence LLVM compiler warnings
Message-ID: <54f7a8fdce442_222d3fc5493fd2b8919f2@hookshot-fe1-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/master
  Home: https://github.com/heimdal/heimdal
  Commit: a71fa7b04d28c091b3118a2de8a0e282567bb5f0
      https://github.com/heimdal/heimdal/commit/a71fa7b04d28c091b3118a2de8a0e282567bb5f0
  Author: Viktor Dukhovni
  Date: 2015-03-04 (Wed, 04 Mar 2015)

  Changed paths:
    M appl/ftp/ftp/cmds.c

  Log Message:
  -----------
  Silence LLVM compiler warnings

  Should we simply drop FTP from the source at some point?

  Commit: 529f17bbec4053d39fcc4ac2471fb9ba0b5c1900
      https://github.com/heimdal/heimdal/commit/529f17bbec4053d39fcc4ac2471fb9ba0b5c1900
  Author: Viktor Dukhovni
  Date: 2015-03-04 (Wed, 04 Mar 2015)

  Changed paths:
    M cf/crypto.m4
    M include/crypto-headers.h

  Log Message:
  -----------
  OpenSSL master requires more explicit #includes

  Commit: 08c628b240bc7b81b6abfcafa6bf147e2187e4d9
      https://github.com/heimdal/heimdal/commit/08c628b240bc7b81b6abfcafa6bf147e2187e4d9
  Author: Viktor Dukhovni
  Date: 2015-03-04 (Wed, 04 Mar 2015)

  Changed paths:
    M cf/crypto.m4
    M include/crypto-headers.h

  Log Message:
  -----------
  BN_is_negative is no longer a macro in OpenSSL master

  Commit: ba39f42b81b643531401f1cb7ab12f2e29bfcd4a
      https://github.com/heimdal/heimdal/commit/ba39f42b81b643531401f1cb7ab12f2e29bfcd4a
  Author: Viktor Dukhovni
  Date: 2015-03-04 (Wed, 04 Mar 2015)

  Changed paths:
    M lib/hx509/crypto.c

  Log Message:
  -----------
  TBS vs Certificate sigalg consistency for RSA

  Commit: 0d52fd607fd2ad094358a8c69ff49e46ec6254be
      https://github.com/heimdal/heimdal/commit/0d52fd607fd2ad094358a8c69ff49e46ec6254be
  Author: Viktor Dukhovni
  Date: 2015-03-04 (Wed, 04 Mar 2015)

  Changed paths:
    M lib/kafs/rxkad_kdf.c

  Log Message:
  -----------
  LLVM enum range warning

  Commit: d4fda7e4f0a739aca859d2d1626a873839b4f659
      https://github.com/heimdal/heimdal/commit/d4fda7e4f0a739aca859d2d1626a873839b4f659
  Author: Viktor Dukhovni
  Date: 2015-03-04 (Wed, 04 Mar 2015)

  Changed paths:
    M lib/krb5/principal.c

  Log Message:
  -----------
  LLVM unused variable warning

Compare: https://github.com/heimdal/heimdal/compare/c3ddece8d4b3...d4fda7e4f0a7

From noreply at github.com Thu Mar 5 04:18:09 2015
From: noreply at github.com (GitHub)
Date: Wed, 04 Mar 2015 19:18:09 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 920ecc: X11 tools have outlived their usefulness, use SSH ...
Message-ID: <54f7caf16ce2e_10d43fb4997c729c83918@hookshot-fe4-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/master
  Home: https://github.com/heimdal/heimdal
  Commit: 920eccc59e09c214557619744b76c0607f702f70
      https://github.com/heimdal/heimdal/commit/920eccc59e09c214557619744b76c0607f702f70
  Author: Love Hörnquist Åstrand
  Date: 2015-03-04 (Wed, 04 Mar 2015)

  Changed paths:
    M appl/Makefile.am
    R appl/kx/ChangeLog
    R appl/kx/Makefile.am
    R appl/kx/NTMakefile
    R appl/kx/common.c
    R appl/kx/context.c
    R appl/kx/krb5.c
    R appl/kx/kx.1
    R appl/kx/kx.c
    R appl/kx/kx.h
    R appl/kx/kxd.8
    R appl/kx/kxd.c
    R appl/kx/rxtelnet.1
    R appl/kx/rxtelnet.in
    R appl/kx/rxterm.1
    R appl/kx/rxterm.in
    R appl/kx/tenletxr.1
    R appl/kx/tenletxr.in
    R appl/kx/writeauth.c
    R appl/xnlock/ChangeLog
    R appl/xnlock/Makefile.am
    R appl/xnlock/NTMakefile
    R appl/xnlock/README
    R appl/xnlock/nose.0.left
    R appl/xnlock/nose.0.right
    R appl/xnlock/nose.1.left
    R appl/xnlock/nose.1.right
    R appl/xnlock/nose.down
    R appl/xnlock/nose.front
    R appl/xnlock/nose.left.front
    R appl/xnlock/nose.right.front
    R appl/xnlock/xnlock.1
    R appl/xnlock/xnlock.c
    M configure.ac

  Log Message:
  -----------
  X11 tools have outlived their usefulness, use SSH and pam with native locker

From noreply at github.com Thu Mar 5 09:26:12 2015
From: noreply at github.com (GitHub)
Date: Thu, 05 Mar 2015 00:26:12 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 35add9: make sure that serial number is valid DER when don...
Message-ID: <54f813248ddaa_622e3fe8addb529c506dc@hookshot-fe5-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/master
  Home: https://github.com/heimdal/heimdal
  Commit: 35add96d37c3fbefc3ce70de23b085e552feb4db
      https://github.com/heimdal/heimdal/commit/35add96d37c3fbefc3ce70de23b085e552feb4db
  Author: Love Hörnquist Åstrand
  Date: 2015-03-05 (Thu, 05 Mar 2015)

  Changed paths:
    M lib/hx509/ca.c

  Log Message:
  -----------
  make sure that serial number is valid DER when done (found by Viktor Dukhovni)

From noreply at github.com Thu Mar 5 09:58:07 2015
From: noreply at github.com (GitHub)
Date: Thu, 05 Mar 2015 00:58:07 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] b7ca6b: Revert "make sure that serial number is valid DER ...
Message-ID: <54f81a9fbe017_31883fd06d87b2c065556@hookshot-fe2-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/master
  Home: https://github.com/heimdal/heimdal
  Commit: b7ca6bbc7ad67955b0ebb0e77181c22261566c1f
      https://github.com/heimdal/heimdal/commit/b7ca6bbc7ad67955b0ebb0e77181c22261566c1f
  Author: Viktor Dukhovni
  Date: 2015-03-05 (Thu, 05 Mar 2015)

  Changed paths:
    M lib/hx509/ca.c

  Log Message:
  -----------
  Revert "make sure that serial number is valid DER when done ..."

  A simpler fix will be the next commit.

  This reverts commit 35add96d37c3fbefc3ce70de23b085e552feb4db.

From noreply at github.com Thu Mar 5 09:59:01 2015
From: noreply at github.com (GitHub)
Date: Thu, 05 Mar 2015 00:59:01 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 745eeb: Ensure DER form of hxtool ca random serial numbers
Message-ID: <54f81ad57db90_c9d3f8cd98492c0419ef@hookshot-fe6-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/master
  Home: https://github.com/heimdal/heimdal
  Commit: 745eeb1252937e177b0567c296cc4b346e7dc763
      https://github.com/heimdal/heimdal/commit/745eeb1252937e177b0567c296cc4b346e7dc763
  Author: Viktor Dukhovni
  Date: 2015-03-05 (Thu, 05 Mar 2015)

  Changed paths:
    M lib/hx509/ca.c

  Log Message:
  -----------
  Ensure DER form of hxtool ca random serial numbers

From noreply at github.com Fri Mar 6 19:38:31 2015
From: noreply at github.com (GitHub)
Date: Fri, 06 Mar 2015 10:38:31 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 848525: roken: Add memset_s implementation
Message-ID: <54f9f42721d25_4d3d3f9f6809d2a0131c1@hookshot-fe4-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/master
  Home: https://github.com/heimdal/heimdal
  Commit: 84852509896abba2a98a35d1dff6deaf514a2d95
      https://github.com/heimdal/heimdal/commit/84852509896abba2a98a35d1dff6deaf514a2d95
  Author: Simon Wilkinson
  Date: 2015-03-05 (Thu, 05 Mar 2015)

  Changed paths:
    M cf/roken-frag.m4
    M lib/roken/NTMakefile
    A lib/roken/memset_s.c
    M lib/roken/roken.h.in
    M lib/roken/version-script.map

  Log Message:
  -----------
  roken: Add memset_s implementation

  Add an implementation of memset_s to roken. Some optimising compilers
  may remove the memset() instruction when it is used immediately before
  a free, which defeats its purpose if the intention is to zero memory
  before returning it to the heap or stack. C11 added memset_s, provide a
  fallback in roken so that memset_s can be used on all platforms.

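The dead-store problem described in the memset_s log message above, as an added example (not roken's lib/roken/memset_s.c and not code from this list): a fallback with the C11 Annex K memset_s contract that writes through a volatile pointer so the compiler cannot drop the stores. The names example_memset_s, demo_wipe_stack_key and demo_overlong_request, the SIZE_MAX/2 stand-in for RSIZE_MAX, and the sample key bytes are assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for RSIZE_MAX, which many libcs do not define. */
#define EXAMPLE_RSIZE_MAX (SIZE_MAX >> 1)

/*
 * Hypothetical fallback following the Annex K contract:
 *  - s == NULL or smax too large: nothing is written, nonzero return.
 *  - n > smax: the first smax bytes are still filled, nonzero return.
 * Every store goes through a volatile lvalue, so the optimiser must
 * emit it even when the buffer is freed or goes out of scope next.
 */
int
example_memset_s(void *s, size_t smax, int c, size_t n)
{
    volatile unsigned char *p = s;
    int ret = 0;

    if (s == NULL || smax > EXAMPLE_RSIZE_MAX)
        return EINVAL;
    if (n > smax) {
        n = smax;        /* never write past the declared object size */
        ret = ERANGE;
    }
    while (n-- > 0)
        *p++ = (unsigned char)c;
    return ret;
}

/*
 * Constructed sample: a fake 32-byte key on the stack is wiped just
 * before the function returns, the pattern a plain memset() may lose.
 * Returns the number of nonzero bytes left (0 when the wipe worked).
 */
size_t
demo_wipe_stack_key(void)
{
    unsigned char key[32];
    const volatile unsigned char *check = key;
    size_t i, left = 0;

    memset(key, 0xA5, sizeof(key));              /* constructed key bytes */
    if (example_memset_s(key, sizeof(key), 0, sizeof(key)) != 0)
        return (size_t)-1;
    for (i = 0; i < sizeof(key); i++)
        left += (check[i] != 0);
    return left;
}

/*
 * A caller that asks for more bytes than the object holds gets an error,
 * and only the declared smax bytes are touched. Returns 1 on that outcome.
 */
int
demo_overlong_request(void)
{
    unsigned char buf[8];
    int rc;

    memset(buf, 0xFF, sizeof(buf));
    rc = example_memset_s(buf, 4, 0, 16);        /* smax = 4, n = 16 */
    return rc == ERANGE && buf[3] == 0x00 && buf[4] == 0xFF;
}

int
main(void)
{
    printf("nonzero bytes after wipe: %zu\n", demo_wipe_stack_key());
    printf("overlong request clamped: %d\n", demo_overlong_request());
    printf("NULL buffer rejected:     %d\n",
           example_memset_s(NULL, 4, 0, 4) == EINVAL);
    return 0;
}
```
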
From noreply at github.com Tue Mar 10 04:12:14 2015
From: noreply at github.com (GitHub)
Date: Mon, 09 Mar 2015 20:12:14 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] ca052e: Fix gss_inquire_cred_by_mech.
Message-ID: <54fe610e53211_4a123fbc0b2652bc10358b@hookshot-fe2-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/master
  Home: https://github.com/heimdal/heimdal
  Commit: ca052eadd5590e9d7feafc2b7b805a2e1c577c92
      https://github.com/heimdal/heimdal/commit/ca052eadd5590e9d7feafc2b7b805a2e1c577c92
  Author: Viktor Dukhovni
  Date: 2015-03-10 (Tue, 10 Mar 2015)

  Changed paths:
    M lib/gssapi/krb5/inquire_cred.c
    M lib/gssapi/krb5/inquire_cred_by_mech.c

  Log Message:
  -----------
  Fix gss_inquire_cred_by_mech.

  Delegated or other explicit credentials were mishandled, the code only
  worked correctly when processing default credentials. In particular
  this caused root's default credential cache to be accessed when
  accepting delegated credentials in SSH:

      ssh_gssapi_accept_ctx() ->
      ssh_gssapi_getclient() ->
      gss_inquire_cred_by_mech()

  When /tmp/krb5cc_0 contained expired tickets, cascaded credentials
  stopped working for non-root users!

  Commit: fca6363307d03a7c80ad201f17f5d357b794c4e9
      https://github.com/heimdal/heimdal/commit/fca6363307d03a7c80ad201f17f5d357b794c4e9
  Author: Viktor Dukhovni
  Date: 2015-03-10 (Tue, 10 Mar 2015)

  Changed paths:
    M lib/gssapi/krb5/accept_sec_context.c

  Log Message:
  -----------
  Drop delegated creds when target is NULL

  In gsskrb5_accept_delegated_token() it is wrong to store the delegated
  credentials in the default ccache by default. When the caller does not
  provide a target credential handle, we just do nothing and return
  success.

  Test the return value of gsskrb5_accept_delegated_token() against
  GSS_S_COMPLETE, rather than 0.

Compare: https://github.com/heimdal/heimdal/compare/84852509896a...fca6363307d0

From noreply at github.com Sat Mar 14 21:09:13 2015
From: noreply at github.com (GitHub)
Date: Sat, 14 Mar 2015 13:09:13 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 830112: kdc: adjust flags passed to hdb_fetch_kvno()
Message-ID: <550495692f373_11903fb90872729c39518@hookshot-fe5-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/master
  Home: https://github.com/heimdal/heimdal
  Commit: 83011252d7be71d60aa23df8648c516a6148203e
      https://github.com/heimdal/heimdal/commit/83011252d7be71d60aa23df8648c516a6148203e
  Author: Jeffrey Altman
  Date: 2015-03-14 (Sat, 14 Mar 2015)

  Changed paths:
    M kdc/misc.c

  Log Message:
  -----------
  kdc: adjust flags passed to hdb_fetch_kvno()

  The KDC's _kdc_db_fetch() calls the database's hdb_fetch_kvno() to
  obtain one or more decrypted versioned key sets. The KDC either
  requires one specific key set if a non-zero key version number is
  provided or all key sets. The key version zero indicates that the
  latest key version should be used.

  Prior to this change the KDC called hdb_fetch_kvno() with the
  HDB_F_KVNO_SPECIFIED flag when the kvno is zero breaking cross-realm
  with Active Directory.

  As of this change, HDB_F_KVNO_SPECIFIED is set for a non-zero kvno and
  HDB_F_ALL_KVNOS is set otherwise.

  Change-Id: I32f4d8da9b601d7bbec7d80cc34d0ff94f6670be

  Commit: 95e56fa3aea1f1b7c7acd8bced6aba8d30efb2a0
      https://github.com/heimdal/heimdal/commit/95e56fa3aea1f1b7c7acd8bced6aba8d30efb2a0
  Author: Nicolas Williams
  Date: 2015-03-14 (Sat, 14 Mar 2015)

  Changed paths:
    M lib/hdb/mkey.c

  Log Message:
  -----------
  hdb: fix hdb_unseal_keys_kvno return when no history

  Prior to this change hdb_unseal_keys_kvno() could return successfully
  (0) if the choice_HDB_extension_data_hist_keys extension was found but
  the hist_keys list was empty. As a side effect callers would believe
  that the provided hdb_entry keys were unsealed when they weren't.
  This could cause the KDC or kadmin to report invalid key size errors.

  If the extension is present and the history list is empty attempt to
  unseal the provided hdb_entry using hdb_unseal_keys_mkey().

  Change-Id: I9218b02bccdbcf22133a9464a677374db53ade85

  Commit: d9e3e376a364024b11e4705949aaa507714b3979
      https://github.com/heimdal/heimdal/commit/d9e3e376a364024b11e4705949aaa507714b3979
  Author: Nicolas Williams
  Date: 2015-03-14 (Sat, 14 Mar 2015)

  Changed paths:
    M tests/kdc/check-kdc.in

  Log Message:
  -----------
  tests: Add simple key history test for kdc

  Use kadmin cpw with the --keepold parameter to create a history list.

  Change-Id: I21811c840be0bd1b8dd8dc66e63f88f8da6fac7e

  Commit: c37f1b3e4f8793b24582bfd0aac3a5a1e36841e1
      https://github.com/heimdal/heimdal/commit/c37f1b3e4f8793b24582bfd0aac3a5a1e36841e1
  Author: Nicolas Williams
  Date: 2015-03-14 (Sat, 14 Mar 2015)

  Changed paths:
    M lib/krb5/get_cred.c

  Log Message:
  -----------
  krb5: Don't cache/reuse referral TGTs

  Prior to this change _krb5_get_cred_kdc_any() would include TGTs
  obtained via KDC referrals in the "*ret_tgts" array returned to the
  caller. The caller typically stores these TGTs in the active credential
  cache.

  However, referrals TGTs must not be cached or reused for any request
  beyond the one it was issued for. The referral is for a specific
  service principal and the resulting TGT could include service specific
  AuthData. The referral might also direct the client along a transitive
  path that is specific to this service and not applicable in the general
  case.

  This change removes the *ret_tgts parameter from
  get_cred_kdc_referral() so that the obtained TGTs are never returned to
  its caller. This also prevents these TGTs from being used by any
  subsequent call to get_cred_kdc_capath().

  Change-Id: Iacc76c5b1639af3cf6bf277966cfd1535dd1e84d

  Commit: e13c0946f699019da133e9deefd07271b9cad42f
      https://github.com/heimdal/heimdal/commit/e13c0946f699019da133e9deefd07271b9cad42f
  Author: Jeffrey Altman
  Date: 2015-03-14 (Sat, 14 Mar 2015)

  Changed paths:
    M lib/krb5/get_cred.c

  Log Message:
  -----------
  krb5: refactor get_cred_kdc_capath_worker

  This change adds a common out: path for all cleanup. It also adjusts
  whitespace for consistency.

  Change-Id: Ic90d6568a44aebc0c0adb64fad641e5420ea8e27

  Commit: 4f074487b46e95c96530405950d51b950814c52c
      https://github.com/heimdal/heimdal/commit/4f074487b46e95c96530405950d51b950814c52c
  Author: Nicolas Williams
  Date: 2015-03-14 (Sat, 14 Mar 2015)

  Changed paths:
    M lib/krb5/get_cred.c

  Log Message:
  -----------
  krb5: reject referrals in capath code paths

  In get_cred_kdc_capath_worker() if the credentials obtained by
  get_cred_kdc_address() do not exactly match the requested service
  principal discard them and return KRB5KC_ERR_S_PRINCIPAL_UNKNOWN.

  Change-Id: Iaeacd07f87374f64e3a7bb860adfeb2dc9550fd1

  Commit: b84bdf213d9d2c62fb942c09729cf7276557374a
      https://github.com/heimdal/heimdal/commit/b84bdf213d9d2c62fb942c09729cf7276557374a
  Author: Nicolas Williams
  Date: 2015-03-14 (Sat, 14 Mar 2015)

  Changed paths:
    M lib/krb5/get_cred.c

  Log Message:
  -----------
  krb5: improve comments in get_cred_kdc_capath_worker

  Change-Id: I0d47ada32fdc9f7938d69d93022f1daac80d4e88

  Commit: 8a5d50a328f294e95b1bd73775820448ae0d301d
      https://github.com/heimdal/heimdal/commit/8a5d50a328f294e95b1bd73775820448ae0d301d
  Author: Nicolas Williams
  Date: 2015-03-14 (Sat, 14 Mar 2015)

  Changed paths:
    M lib/krb5/get_cred.c

  Log Message:
  -----------
  krb5: do not store TGTs if GC_NO_STORE

  krb5_get_credentials_with_flags() and krb5_get_creds() do not store
  obtained TGTs if the KRB5_GC_NO_STORE flag is set.

  Change-Id: Ie999ec4e985463ff60e9d499c3e870880033dfa7

  Commit: cfdf6d5cbe3e9d664709f28676eeabf4f38ae591
      https://github.com/heimdal/heimdal/commit/cfdf6d5cbe3e9d664709f28676eeabf4f38ae591
  Author: Viktor Dukhovni
  Date: 2015-03-14 (Sat, 14 Mar 2015)

  Changed paths:
    M lib/gssapi/krb5/acquire_cred.c
    M lib/gssapi/krb5/canonicalize_name.c
    M lib/gssapi/krb5/gsskrb5_locl.h
    M lib/gssapi/krb5/import_name.c
    M lib/gssapi/krb5/init_sec_context.c
    M lib/krb5/get_cred.c
    M lib/krb5/principal.c

  Log Message:
  -----------
  gsskrb5: Make krb5 mech use referrals

  Modify the gss krb5 mech to always use referrals unless the
  KRB5_NCRO_NO_REFERRALS flag is set.

  Change-Id: I7efd873ac922a43adafa2c492703b576847a885f

  Commit: db72e66eb93689706b91b66c69d0c4f214b9f16c
      https://github.com/heimdal/heimdal/commit/db72e66eb93689706b91b66c69d0c4f214b9f16c
  Author: Nicolas Williams
  Date: 2015-03-14 (Sat, 14 Mar 2015)

  Changed paths:
    M lib/kadm5/libkadm5srv-exports.def
    M lib/kadm5/marshall.c
    M lib/kadm5/version-script-client.map
    M lib/kadm5/version-script.map

  Log Message:
  -----------
  kadm5: Add functions to check for bogus keys

  Introduce kadm5_all_keys_are_bogus() and kadm5_some_keys_are_bogus()
  which will be used in later changes.

  Change-Id: I3a07ffe07bee7d6eb17c3d2eae91c107e0bac255

  Commit: 668365033778c02724053652930749f74d48c585
      https://github.com/heimdal/heimdal/commit/668365033778c02724053652930749f74d48c585
  Author: Nicolas Williams
  Date: 2015-03-14 (Sat, 14 Mar 2015)

  Changed paths:
    M kadmin/add_enctype.c

  Log Message:
  -----------
  kadmin: add_enctype fix whitespace

  Correct whitespace in add_enctype()

  Change-Id: Iebc1df46496b0340c418d7a44a6071b48f44f828

  Commit: edb6c1b07527e3412de8b9297cf166dba5299ba7
      https://github.com/heimdal/heimdal/commit/edb6c1b07527e3412de8b9297cf166dba5299ba7
  Author: Nicolas Williams
  Date: 2015-03-14 (Sat, 14 Mar 2015)

  Changed paths:
    M kadmin/del_enctype.c

  Log Message:
  -----------
  kadmin: del_enctype whitespace

  Fix whitespace and bracing in del_enctype(). No functional change.

  Change-Id: I4e70b381aa54a6b0965c88713fbfb4d29bc4495e

  Commit: 7ab1e01d75eb5776cbc384d677dc3530024d108e
      https://github.com/heimdal/heimdal/commit/7ab1e01d75eb5776cbc384d677dc3530024d108e
  Author: Nicolas Williams
  Date: 2015-03-14 (Sat, 14 Mar 2015)

  Changed paths:
    M kadmin/add_enctype.c

  Log Message:
  -----------
  kadmin: add_enctype check for bogus keys

  If kadmind returned bogus keys it means that the user lacks the
  get-keys permission. Generate a warning and exit.

  Also use calloc() to allocate the new_key_data.

  Change-Id: I21b697e2ff5adf753b1cfe698877b3f593bbea9e

  Commit: 14195658a4e6e2390eeb28bf72cb11bce2e08f6d
      https://github.com/heimdal/heimdal/commit/14195658a4e6e2390eeb28bf72cb11bce2e08f6d
  Author: Nicolas Williams
  Date: 2015-03-14 (Sat, 14 Mar 2015)

  Changed paths:
    M kadmin/del_enctype.c

  Log Message:
  -----------
  kadmin: del_enctype check for bogus keys

  If kadmind returned bogus keys it means that the user lacks the
  get-keys permission. Generate a warning and exit.

  Change-Id: Ib76dd86b65bd84a00f3e27c245b9cfc0173fff56

  Commit: 1bfb759a646cbb627c0bde5af2396030ac6b912d
      https://github.com/heimdal/heimdal/commit/1bfb759a646cbb627c0bde5af2396030ac6b912d
  Author: Jeffrey Altman
  Date: 2015-03-14 (Sat, 14 Mar 2015)

  Changed paths:
    M kadmin/ext.c

  Log Message:
  -----------
  kadmin: refactor do_ext_keytab for common cleanup

  Refactor do_ext_keytab() so that all cleanup is performed by jumping to
  the out label on error.

  Change-Id: Ic0c0f57e8ebabf30b49519f14743370d1c1672d2

  Commit: dcbe8ae73baab2f019d2d87ee668e432dabd3e0c
      https://github.com/heimdal/heimdal/commit/dcbe8ae73baab2f019d2d87ee668e432dabd3e0c
  Author: Nicolas Williams
  Date: 2015-03-14 (Sat, 14 Mar 2015)

  Changed paths:
    M kadmin/ext.c

  Log Message:
  -----------
  kadmin: do_ext_keytab add bogus key warnings

  If any of the keys returned by kadmin are the magic bogus key generate
  a warning to the user that they are missing the get-keys privilege.

  Change-Id: I235b87eeb2f81e8fd8c8481154d613e92a7e11e2

  Commit: 69b0a8f4eb0a5b47db65f3427530903fb2238b35
      https://github.com/heimdal/heimdal/commit/69b0a8f4eb0a5b47db65f3427530903fb2238b35
  Author: Nicolas Williams
  Date: 2015-03-14 (Sat, 14 Mar 2015)

  Changed paths:
    M lib/kadm5/modify_s.c

  Log Message:
  -----------
  kadm5: kadmin modify must refuse bogus keys

  kadmin should not permit a modify that stores invalid keys into the
  database. Accepting bad key data into the database will result in
  errors when those keys are eventually used.

  This change does not address the general case. It does address the
  specific case of the kadmin client attempting to store the magic bogus
  key since that is trivial to check for and can be unintentionally
  returned to kadmind by a 1.6rc2 or prior client. This can happen when a
  user has get privilege but lacks the new get-keys privilege.

  Change-Id: I44795e6428472b75ab1e4257ce7cb9160f0299f5

Compare: https://github.com/heimdal/heimdal/compare/fca6363307d0...69b0a8f4eb0a

From noreply at github.com Mon Mar 16 16:40:29 2015
From: noreply at github.com (GitHub)
Date: Mon, 16 Mar 2015 08:40:29 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 9fbbc4: Refactor capath_worker() a bit more
Message-ID: <5506f96d740b3_161b3fa65797d2bc3637b@hookshot-fe1-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/master
  Home: https://github.com/heimdal/heimdal
  Commit: 9fbbc4cf85e2069193d538aa04387eda4c6367a8
      https://github.com/heimdal/heimdal/commit/9fbbc4cf85e2069193d538aa04387eda4c6367a8
  Author: Nicolas Williams
  Date: 2015-03-16 (Mon, 16 Mar 2015)

  Changed paths:
    M lib/krb5/get_cred.c

  Log Message:
  -----------
  Refactor capath_worker() a bit more

From noreply at github.com Mon Mar 16 17:39:13 2015
From: noreply at github.com (GitHub)
Date: Mon, 16 Mar 2015 09:39:13 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 6043cc: kadmind: check for KADM5_PRIV_GET when op GET
Message-ID: <55070731bad19_32a63fc0ec44b2bc6459d@hookshot-fe5-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/master
  Home: https://github.com/heimdal/heimdal
  Commit: 6043cc8c88a7faf20e16176bd9982356fa4b3d24
      https://github.com/heimdal/heimdal/commit/6043cc8c88a7faf20e16176bd9982356fa4b3d24
  Author: Jeffrey Altman
  Date: 2015-03-16 (Mon, 16 Mar 2015)

  Changed paths:
    M kadmin/server.c

  Log Message:
  -----------
  kadmind: check for KADM5_PRIV_GET when op GET

  When performing a permission check for a GET operation the
  KADM5_PRIV_GET_KEYS privilege should not be assumed to be a pure
  superset of KADM5_PRIV_GET. If the "get" permission is denied the user
  cannot get an entry with or without key data.

  Commit: 34bf7ae1629eb29a87f45f6e9f4e0e42bc2a1fd2
      https://github.com/heimdal/heimdal/commit/34bf7ae1629eb29a87f45f6e9f4e0e42bc2a1fd2
  Author: Jeffrey Altman
  Date: 2015-03-16 (Mon, 16 Mar 2015)

  Changed paths:
    M kadmin/server.c

  Log Message:
  -----------
  kadmind: don't send bogus keys to ext_keytab et al

  The Heimdal kadmind sends bogus keys when the client has 'get' but not
  'get-keys' permission. For some kadmin commands this is dangerous. For
  example, ext_keytab could happily write bogus keys to a keytab when
  real keys are expected, causing eventual breakage. Sending bogus keys
  is important for the kadmin get command: so it can list the keysets
  that a principal has.

  This patch implements a heuristic detection of kadmin get vs.
  ext_keytab, add_enctype, del_enctype, and check commands. If the client
  principal lacks 'get-keys' permission, then the server will fail
  requests that appear to be from those kadmin commands, but will
  continue to serve bogus keys to kadmin get commands.

  Thanks to Nico Williams for the idea behind this implementation.

  Commit: 15e69fbb58103706c96ebcead58413905ce12145
      https://github.com/heimdal/heimdal/commit/15e69fbb58103706c96ebcead58413905ce12145
  Author: Jeffrey Altman
  Date: 2015-03-16 (Mon, 16 Mar 2015)

  Changed paths:
    M kadmin/ext.c
    M kadmin/kadmin-commands.in

  Log Message:
  -----------
  kadmin: add ext_keytab --random-key switch

  Add a --random-key switch to kadmin's ext_keytab to force the
  generation of a new keyset consisting of random keys and a new key
  version number.

  Commit: 540c3273c4fab980a474a2f1d489a0a0d5690bc8
      https://github.com/heimdal/heimdal/commit/540c3273c4fab980a474a2f1d489a0a0d5690bc8
  Author: Nicolas Williams
  Date: 2015-03-16 (Mon, 16 Mar 2015)

  Changed paths:
    M kadmin/ext.c

  Log Message:
  -----------
  kadmin: improve warnings in ext_keytab

Compare: https://github.com/heimdal/heimdal/compare/9fbbc4cf85e2...540c3273c4fa

From noreply at github.com Sat Mar 21 20:48:24 2015
From: noreply at github.com (GitHub)
Date: Sat, 21 Mar 2015 12:48:24 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 2c6830: hcrypto: Remove w32crypt NTDDI_VERSION checks
Message-ID: <550dcb082f2f9_3e4f3fc3bac692c012373@hookshot-fe5-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/master
  Home: https://github.com/heimdal/heimdal
  Commit: 2c683058568c76a6569310db345897446a96b100
      https://github.com/heimdal/heimdal/commit/2c683058568c76a6569310db345897446a96b100
  Author: Jeffrey Altman
  Date: 2015-03-21 (Sat, 21 Mar 2015)

  Changed paths:
    M lib/hcrypto/evp-w32.c
    M lib/hcrypto/evp-wincng.c

  Log Message:
  -----------
  hcrypto: Remove w32crypt NTDDI_VERSION checks

  The library delay loads bcrypt.dll so that it can run on versions of
  Windows older than Vista. Remove the compile time checks.

  Change-Id: I632b248dcca8b6e40e47011fc11d277e911ff209

  Commit: 902aa4ee02da9544df88daa0de321f29ac440dec
      https://github.com/heimdal/heimdal/commit/902aa4ee02da9544df88daa0de321f29ac440dec
  Author: Jeffrey Altman
  Date: 2015-03-21 (Sat, 21 Mar 2015)

  Changed paths:
    M lib/asn1/NTMakefile
    M lib/base/NTMakefile
    M lib/gssapi/NTMakefile
    M lib/hcrypto/NTMakefile
    M lib/hdb/NTMakefile
    M lib/hdb/test_hdbplugin.c
    M lib/kadm5/NTMakefile
    M lib/krb5/NTMakefile
    M lib/krb5/test_crypto.c
    M lib/ntlm/NTMakefile
    M lib/roken/NTMakefile
    M lib/sl/NTMakefile
    M lib/wind/NTMakefile

  Log Message:
  -----------
  tests on Windows

  Modify the NTMakefile rules for tests so that a failed test does not
  prevent subsequent tests from being executed.

  Change-Id: I9595ad4a1527feae7c402241bf06ab21a0b76d4a

Compare: https://github.com/heimdal/heimdal/compare/540c3273c4fa...902aa4ee02da

From noreply at github.com Tue Mar 24 18:25:53 2015
From: noreply at github.com (GitHub)
Date: Tue, 24 Mar 2015 10:25:53 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] a1c87d: Add guard in krb5_free_creds()
Message-ID: <55119e21934e6_77ca3ff8850392c0681c5@hookshot-fe2-cp1-prd.iad.github.net.mail>

  Branch: refs/heads/master
  Home: https://github.com/heimdal/heimdal
  Commit: a1c87df26077aaaa8cd644c3d5400cbbd61a3379
      https://github.com/heimdal/heimdal/commit/a1c87df26077aaaa8cd644c3d5400cbbd61a3379
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M lib/krb5/creds.c

  Log Message:
  -----------
  Add guard in krb5_free_creds()

  Don't call krb5_free_contents() if the creds pointer is NULL.

  MIT krb5 also has this guard.

  Commit: 487b6820f6c6e5d0ce1bc515b2180fa5533a6a50
      https://github.com/heimdal/heimdal/commit/487b6820f6c6e5d0ce1bc515b2180fa5533a6a50
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M lib/asn1/krb5.asn1
    M lib/gssapi/krb5/acquire_cred.c
    M lib/gssapi/krb5/canonicalize_name.c
    M lib/gssapi/krb5/import_name.c
    M lib/gssapi/krb5/init_sec_context.c
    M lib/krb5/context.c
    M lib/krb5/get_cred.c
    M lib/krb5/init_creds_pw.c
    M lib/krb5/keytab.c
    M lib/krb5/krb5.h
    M lib/krb5/krb5_locl.h
    M lib/krb5/principal.c
    M tests/kdc/krb5-canon2.conf.in

  Log Message:
  -----------
  Revamp name canonicalization code

  Commit: 5fffc4061f8f8cb1dc00a7cb6267cac7498d748f
      https://github.com/heimdal/heimdal/commit/5fffc4061f8f8cb1dc00a7cb6267cac7498d748f
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M lib/krb5/principal.c

  Log Message:
  -----------
  Don't use canon rules in principal name comparison

  Commit: a7587b08e2920fd46f349bb0bbab2999fb5defd1
      https://github.com/heimdal/heimdal/commit/a7587b08e2920fd46f349bb0bbab2999fb5defd1
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M lib/krb5/principal.c

  Log Message:
  -----------
  Support hostname:port svc princs

  Commit: 0778b19c3fd9ab8be73df107cf2196bbc69b90b9
      https://github.com/heimdal/heimdal/commit/0778b19c3fd9ab8be73df107cf2196bbc69b90b9
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M lib/krb5/krb5.conf.5

  Log Message:
  -----------
  Revive name rule docs

  Commit: b48bed5f42c02fe8562c7ce623172cf3e29c9c90
      https://github.com/heimdal/heimdal/commit/b48bed5f42c02fe8562c7ce623172cf3e29c9c90
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M cf/roken-frag.m4
    M kadmin/kadm_conn.c
    M kadmin/kadmind.c
    M kcm/config.c
    M kcm/kcm_locl.h
    M kcm/main.c
    M kdc/config.c
    M kdc/connect.c
    M kdc/kdc-tester.c
    M kdc/kdc_locl.h
    M kdc/main.c
    M kpasswd/kpasswdd.c
    M lib/kadm5/ipropd_master.c
    M lib/kadm5/ipropd_slave.c
    M lib/krb5/principal.c
    M lib/roken/Makefile.am
    M lib/roken/NTMakefile
    M lib/roken/daemon.c
    A lib/roken/detach.c
    M lib/roken/getarg.c
    M lib/roken/roken-common.h
    M lib/roken/roken.h.in
    A lib/roken/test-detach.c
    M lib/roken/version-script.map
    M lib/roken/write_pid.c

  Log Message:
  -----------
  Daemons detach atomically to avoid having to wait

  Tests that start daemons have to "wait" for them to start.

  This commit makes Heimdal daemons prep to detach (when requested) by
  forking early, then having the child signal readiness to the parent
  when the child really is ready. The parent exits only when the child is
  ready. This means that tests will no longer need to wait for daemons.

  However, tests will still need a pidfile or such so they can stop the
  daemons.

  Note that the --detach options should not be used on OS X from launchd,
  only from tests.

  Commit: e75f790fe6d600e72ada211a7afdac16d9a24084
      https://github.com/heimdal/heimdal/commit/e75f790fe6d600e72ada211a7afdac16d9a24084
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M cf/roken-frag.m4
    M lib/roken/issuid.c

  Log Message:
  -----------
  Use getauxval() for issuid() on Linux

  Commit: 3021258f6064a7bdb46bb2e039a093230650b408
      https://github.com/heimdal/heimdal/commit/3021258f6064a7bdb46bb2e039a093230650b408
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M tests/bin/Makefile.am
    A tests/bin/intr.c

  Log Message:
  -----------
  Add tests/bin/intr

  This utility, inspired by the old SunOS 4.x intr(8) utility, will be
  used to start daemons with --detach and a timeout, like this:

      intr -t 5 kdc --detach || {
          echo failed to start kdc; exit 1
      }

  This will allow tests to stop having to sleep poll for "started" output
  from the daemons they start, allowing them to run faster and to impose
  a reasonable timeout on daemon startup.

  The default timeout is 3 seconds.

  Commit: 533578e7266f6e3d8f941eff014b06c817534f5a
      https://github.com/heimdal/heimdal/commit/533578e7266f6e3d8f941eff014b06c817534f5a
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M lib/gssapi/krb5/store_cred.c
    M lib/gssapi/mech/gss_store_cred.c

  Log Message:
  -----------
  Make gss_store_cred() work

  Commit: df41d53c674f9296641d88532ff3b22abb4216b9
      https://github.com/heimdal/heimdal/commit/df41d53c674f9296641d88532ff3b22abb4216b9
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M lib/gssapi/krb5/add_cred.c

  Log Message:
  -----------
  Fix gss_add_cred() (krb5)

  gss_add_cred() with GSS_C_NO_CREDENTIAL as the input_cred_handle should
  act like gss_acquire_cred() with desired_mechs containing just the
  desired_mech.

  Commit: f73c4edf696d018326e34d9e1648ce2f420a48da
      https://github.com/heimdal/heimdal/commit/f73c4edf696d018326e34d9e1648ce2f420a48da
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M lib/gssapi/Makefile.am
    M lib/gssapi/krb5/store_cred.c
    M tests/gss/check-basic.in

  Log Message:
  -----------
  Fix gss_store_cred()

  Commit: a318ac86f5fde13bb1adcdcb145ded1550b0888e
      https://github.com/heimdal/heimdal/commit/a318ac86f5fde13bb1adcdcb145ded1550b0888e
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M tests/gss/Makefile.am

  Log Message:
  -----------
  Run tests/gss/check-basic

  Commit: 89aed008a95b5b17ae56df3466842dbd15ad2d13
      https://github.com/heimdal/heimdal/commit/89aed008a95b5b17ae56df3466842dbd15ad2d13
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M kuser/kswitch.c

  Log Message:
  -----------
  Fix memleak in kswitch

  Commit: d07d93ce3546bc64ea203ab9971c48ccf667a7fa
      https://github.com/heimdal/heimdal/commit/d07d93ce3546bc64ea203ab9971c48ccf667a7fa
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M lib/krb5/aname_to_localname.c

  Log Message:
  -----------
  Bounds check in aname2lname

  Commit: 13759fb73f70b01709102e87dd55055c1d7c9082
      https://github.com/heimdal/heimdal/commit/13759fb73f70b01709102e87dd55055c1d7c9082
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M lib/kadm5/free.c

  Log Message:
  -----------
  Free kadm5 princ policy

  Commit: 2bbf56b2e4ca46813d23e875f6c947587f6cafe2
      https://github.com/heimdal/heimdal/commit/2bbf56b2e4ca46813d23e875f6c947587f6cafe2
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M lib/krb5/aname_to_localname.c

  Log Message:
  -----------
  Fix error-case memleak in aname2lname

  Commit: 2fbd7331a65d39730a6167b0a1232206110c712a
      https://github.com/heimdal/heimdal/commit/2fbd7331a65d39730a6167b0a1232206110c712a
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M lib/base/db.c

  Log Message:
  -----------
  Fix error-case leaks in lib/base/db.c

  Commit: 86017e8798e81b3be95884cf6171acf37a545972
      https://github.com/heimdal/heimdal/commit/86017e8798e81b3be95884cf6171acf37a545972
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M lib/krb5/test_kuserok.c

  Log Message:
  -----------
  Fix leaks in test_kuserok.c

  Commit: b81f16abf648e458722a9d5de0e1da551da74f45
      https://github.com/heimdal/heimdal/commit/b81f16abf648e458722a9d5de0e1da551da74f45
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M kuser/kswitch.c

  Log Message:
  -----------
  Fix memleak in kswitch rare error

  Commit: 3d54f93bed83877ff19a8c2e18fe15ff7ef69176
      https://github.com/heimdal/heimdal/commit/3d54f93bed83877ff19a8c2e18fe15ff7ef69176
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M kadmin/ank.c

  Log Message:
  -----------
  Fix leak in kadmin ank

  Commit: 333c6fe95d272dfd4441579096cbe0040d4e423b
      https://github.com/heimdal/heimdal/commit/333c6fe95d272dfd4441579096cbe0040d4e423b
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M kuser/kinit.c

  Log Message:
  -----------
  Fix leak in kinit

  Commit: 945fe5fb2f904be4cafb0d2d5ab14d76e928de6d
      https://github.com/heimdal/heimdal/commit/945fe5fb2f904be4cafb0d2d5ab14d76e928de6d
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M lib/krb5/fcache.c

  Log Message:
  -----------
  Fix leak in fcc_remove_cred()

  Commit: 465483de49cae3b5caf623a299dc0e4e8e5dd065
      https://github.com/heimdal/heimdal/commit/465483de49cae3b5caf623a299dc0e4e8e5dd065
  Author: Nicolas Williams
  Date: 2015-03-24 (Tue, 24 Mar 2015)

  Changed paths:
    M lib/krb5/test_kuserok.c

  Log Message:
  -----------
  Fix use after free in test_kuserok.c

Compare: https://github.com/heimdal/heimdal/compare/902aa4ee02da...465483de49ca