From noreply at github.com Thu Jun 2 08:41:05 2016
From: noreply at github.com (GitHub)
Date: Wed, 01 Jun 2016 23:41:05 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 7d9fcb: Ensure newly allocated ccache handles are zeroed
Message-ID: <574fd50168430_7f4d3fa1d7c4d2a01082a0@hookshot-fe5-cp1-prd.iad.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal

Commit: 7d9fcb46b9f63016bccfd469d1685b72a5756b3f
https://github.com/heimdal/heimdal/commit/7d9fcb46b9f63016bccfd469d1685b72a5756b3f
Author: Viktor Dukhovni
Date: 2016-06-02 (Thu, 02 Jun 2016)

Changed paths:
  M lib/krb5/cache.c

Log Message:
-----------
Ensure newly allocated ccache handles are zeroed

Otherwise, type-independent fields such as `initialized` have uninitialized values, and incorrect behaviour may result.

From noreply at github.com Thu Jun 9 07:06:41 2016
From: noreply at github.com (GitHub)
Date: Wed, 08 Jun 2016 22:06:41 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] ffd0dd: Fix iprop against legacy master with full log
Message-ID: <5758f961b6d83_79c13f8e7a4f129c625b4@hookshot-fe6-cp1-prd.iad.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal

Commit: ffd0dda237fd3dea8e609070e23b37a6ff761090
https://github.com/heimdal/heimdal/commit/ffd0dda237fd3dea8e609070e23b37a6ff761090
Author: Viktor Dukhovni
Date: 2016-06-09 (Thu, 09 Jun 2016)

Changed paths:
  M kadmin/init.c
  M kadmin/load.c
  M lib/kadm5/iprop-log.c
  M lib/kadm5/ipropd_slave.c
  M lib/kadm5/log.c

Log Message:
-----------
Fix iprop against legacy master with full log

When the master's log has all entries from version 1 to now, and no uber entry (legacy master), then new slaves will not pull version 1, because their uber record has version 1. The fix is to force the uber version to 0 always, and avoid adding a truncate nop when doing a full prop.
The uber record now records the database version even in the absence of any other log entries so that we know what to pull going forward.

From noreply at github.com Thu Jun 9 07:13:39 2016
From: noreply at github.com (GitHub)
Date: Wed, 08 Jun 2016 22:13:39 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 529a91: MacOS/X fixes
Message-ID: <5758fb03d44a2_fd83fd61d27d2a0172491@hookshot-fe2-cp1-prd.iad.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal

Commit: 529a91d69ad9d44bfd1de0813d89e5bdac094f08
https://github.com/heimdal/heimdal/commit/529a91d69ad9d44bfd1de0813d89e5bdac094f08
Author: Viktor Dukhovni
Date: 2016-06-09 (Thu, 09 Jun 2016)

Changed paths:
  M kdc/config.c
  M kdc/connect.c
  M kdc/kdc-tester.c
  M kdc/kdc_locl.h
  M kdc/main.c
  M lib/hcrypto/evp-cc.c

Log Message:
-----------
MacOS/X fixes

Commit: 2623cee389b6a93b2096f494456490b5cf1f55ec
https://github.com/heimdal/heimdal/commit/2623cee389b6a93b2096f494456490b5cf1f55ec
Author: Nicolas Williams
Date: 2016-06-09 (Thu, 09 Jun 2016)

Changed paths:
  M lib/krb5/context.c

Log Message:
-----------
Do not search system paths for non-ccapi plugins

On OS X anyways, since Heimdal cannot be built to replace the system Kerberos implementation in OS X (even though it's based on Heimdal).

Heimdal plugins other than the CCAPI plugins have private ABIs with strong coupling to the internals of the Heimdal libraries, thus using system plugins in a non-system Heimdal is likely to end in tears (e.g., segfaults).

This means, for example, that OS X's plugins for PAC creation and verification cannot be used by Heimdal.
Commit: 812b01b4ed50d46e410bf14809b67bfde3a026c2
https://github.com/heimdal/heimdal/commit/812b01b4ed50d46e410bf14809b67bfde3a026c2
Author: Nicolas Williams
Date: 2016-06-09 (Thu, 09 Jun 2016)

Changed paths:
  M kdc/windc.c

Log Message:
-----------
Fix KDC segfault with OS X plugins

At least one "windc" plugin provided by OS X lacks a client_access() entry point and caused the KDC to crash. The KDC now checks for each entry point in "windc" plugins and either falls back on alternative default functionality or fails more gracefully than by crashing.

Commit: 840dc40574530b1608d87411fdcde8eff1029b97
https://github.com/heimdal/heimdal/commit/840dc40574530b1608d87411fdcde8eff1029b97
Author: Viktor Dukhovni
Date: 2016-06-09 (Thu, 09 Jun 2016)

Changed paths:
  M lib/krb5/get_cred.c
  M lib/krb5/principal.c

Log Message:
-----------
Refine name canonicalization

When storing credentials whose ticket principal is not equal to the requested principal, store the ticket under both names not only when the original realm is the referral realm, but more generally for any difference at all. This matches MIT behaviour.

Allow explicit name_canon rules to specify a realm to go with the canonicalized hostname, if that realm is empty the effect is the same as "use-referrals"

Also fix segfault when no creds and debugging

Commit: 316e0d21846972bad85ef05ebaecd9804ca8e1f2
https://github.com/heimdal/heimdal/commit/316e0d21846972bad85ef05ebaecd9804ca8e1f2
Author: Nicolas Williams
Date: 2016-06-09 (Thu, 09 Jun 2016)

Changed paths:
  M lib/kadm5/ipropd_slave.c

Log Message:
-----------
Store the canonical client princ in ipropd-slave

Otherwise we risk storing a name with the referral (empty) realm name, which will then cause various knock-on effects, such as thinking that the start_realm is "", and failing to find matching credentials in the ccache.
Compare: https://github.com/heimdal/heimdal/compare/ffd0dda237fd...316e0d218469

From noreply at github.com Thu Jun 9 13:07:03 2016
From: noreply at github.com (GitHub)
Date: Thu, 09 Jun 2016 04:07:03 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] a5237e: Fix handling of uber record nominal version
Message-ID: <57594dd7e076a_51043f81c3c4929c82937@hookshot-fe2-cp1-prd.iad.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal

Commit: a5237e6940c3e1e67e8fc8478bcc783635354b3a
https://github.com/heimdal/heimdal/commit/a5237e6940c3e1e67e8fc8478bcc783635354b3a
Author: Viktor Dukhovni
Date: 2016-06-09 (Thu, 09 Jun 2016)

Changed paths:
  M lib/kadm5/log.c

Log Message:
-----------
Fix handling of uber record nominal version

When flushing the uber record, retain the current log version. When the uber record is the only (thus last) record in the log, return its nominal version as the last version, not 0. Upgrade the log if the current uber record version number is not 0.

From noreply at github.com Thu Jun 9 14:31:38 2016
From: noreply at github.com (GitHub)
Date: Thu, 09 Jun 2016 05:31:38 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 74f598: Set uber record nominal version when truncating
Message-ID: <575961aaa870b_36e63fbbe0fe929c80688@hookshot-fe1-cp1-prd.iad.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal

Commit: 74f598e1591a2e16136ccbb880f40c799ed0228a
https://github.com/heimdal/heimdal/commit/74f598e1591a2e16136ccbb880f40c799ed0228a
Author: Viktor Dukhovni
Date: 2016-06-09 (Thu, 09 Jun 2016)

Changed paths:
  M lib/kadm5/log.c

Log Message:
-----------
Set uber record nominal version when truncating

It needs to match the version of the last record saved and have a reasonable timestamp.
From noreply at github.com Fri Jun 10 20:54:18 2016
From: noreply at github.com (GitHub)
Date: Fri, 10 Jun 2016 11:54:18 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 1f89ce: Fix typo: Sepember -> September
Message-ID: <575b0cda167f9_d493fce2a3432c0163057@hookshot-fe5-cp1-prd.iad.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal

Commit: 1f89ce4973ecded0448512c7a50c4e48cb88c852
https://github.com/heimdal/heimdal/commit/1f89ce4973ecded0448512c7a50c4e48cb88c852
Author: Abhinav Upadhyay
Date: 2016-06-11 (Sat, 11 Jun 2016)

Changed paths:
  M lib/krb5/krb5_timeofday.3

Log Message:
-----------
Fix typo: Sepember -> September

Commit: cfc5b42bb14d84b2151639da95108e6aee5a3c97
https://github.com/heimdal/heimdal/commit/cfc5b42bb14d84b2151639da95108e6aee5a3c97
Author: Jeffrey Altman
Date: 2016-06-10 (Fri, 10 Jun 2016)

Changed paths:
  M lib/krb5/krb5_timeofday.3

Log Message:
-----------
Merge pull request #179 from abhinav-upadhyay/fix_month

Fix typo: Sepember -> September

Compare: https://github.com/heimdal/heimdal/compare/74f598e1591a...cfc5b42bb14d

From noreply at github.com Thu Jun 16 22:38:27 2016
From: noreply at github.com (GitHub)
Date: Thu, 16 Jun 2016 13:38:27 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] b7cf5e: lib/krb5: do not fail set_config_files due to pars...
Message-ID: <57630e43a4540_68b53fa2ad9992bc101854@hookshot-fe2-cp1-prd.iad.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal

Commit: b7cf5e7caf9b270f4d4151d2690177b11a7a1bdf
https://github.com/heimdal/heimdal/commit/b7cf5e7caf9b270f4d4151d2690177b11a7a1bdf
Author: Jeffrey Altman
Date: 2016-06-16 (Thu, 16 Jun 2016)

Changed paths:
  M lib/krb5/config_file.c
  M lib/krb5/context.c

Log Message:
-----------
lib/krb5: do not fail set_config_files due to parse error

Follow Apple's lead and do not fail krb5_set_config_files() simply because one of the files in the profile list fails to parse correctly.
Doing so can lead to hard-to-find failures and could lead to an end user shooting themselves in the foot and no longer be able to login to their system to fix it.

Parse as many of the files as we can. Only fail krb5_set_config_files() if init_context_from_config_file() fails.

Change-Id: I122664c6d707a5f926643808ba414bf4f681f8b8

From noreply at github.com Sat Jun 18 23:36:20 2016
From: noreply at github.com (GitHub)
Date: Sat, 18 Jun 2016 14:36:20 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 9f6baf: lib/krb5: Implement krb5_c_random_make_octets corr...
Message-ID: <5765bed4c6d1f_54663f9453ecd2a01365fe@hookshot-fe4-cp1-prd.iad.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal

Commit: 9f6baf00f6b7c6f4bb6a231cf1753234b9f6148d
https://github.com/heimdal/heimdal/commit/9f6baf00f6b7c6f4bb6a231cf1753234b9f6148d
Author: Mikhail T
Date: 2016-06-18 (Sat, 18 Jun 2016)

Changed paths:
  M lib/krb5/mit_glue.c

Log Message:
-----------
lib/krb5: Implement krb5_c_random_make_octets correctly

The function, found in lib/krb5/mit_glue.c, is currently using krb5_generate_random_keyblock(). This compiles because warning-level is not high enough, but does not work. At runtime the krb5_generate_random_keyblock() interprets the second argument as the krb5_enctype (rather than a length of anything) and tries to verify it.

When the length does not match any known enctype, as usually happens, the function fails and returns an error. If the length happened to correspond to an enctype, the function would likely crash due to misinterpreting its third argument as a valid krb5_keyblock.

The change uses krb5_generate_random_block() instead. This function does not return anything -- upon detecting failure it will cause the entire application to exit instead...
Change-Id: I865a360037a513ce91abc7abba1dc554f844b464

From noreply at github.com Thu Jun 23 19:45:39 2016
From: noreply at github.com (GitHub)
Date: Thu, 23 Jun 2016 10:45:39 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] f32fd2: kdc: fix AD -> Heimdal x-realm trusts again
Message-ID: <576c20431f682_1ff63f986b6db29c27e2@hookshot-fe3-cp1-prd.iad.github.net.mail>

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal

Commit: f32fd2d56ddf6f848b5fe2139376d852a3af70bc
https://github.com/heimdal/heimdal/commit/f32fd2d56ddf6f848b5fe2139376d852a3af70bc
Author: Jeffrey Altman
Date: 2016-06-23 (Thu, 23 Jun 2016)

Changed paths:
  M kdc/misc.c

Log Message:
-----------
kdc: fix AD -> Heimdal x-realm trusts again

The HDB_F_ALL_KVNOS flag is not getting set in _kdc_db_fetch() if kvno_ptr == NULL. Fix the conditional to ensure that one of HDB_F_ALL_KVNOS or HDB_F_KVNO_SPECIFIED is set in the flags field.

Prior to this change cross-realm TGS_REQ failed with KRB5_GENERIC_ERROR and e-text "encryption key has bad length". With this change, the cross-realm TGS_REQ succeeds.

Change-Id: I4216137a192032544dfbdada12b5c377603ca4b6