From noreply at github.com Thu Dec 5 04:35:47 2019
From: noreply at github.com (Nico Williams)
Date: Wed, 04 Dec 2019 19:35:47 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 982ba8: roken: fix leak in roken_detach_prep()
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 982ba80b6e2e8e62fcaac7b25c012e2aa1f296c6
      https://github.com/heimdal/heimdal/commit/982ba80b6e2e8e62fcaac7b25c012e2aa1f296c6
  Author: Nicolas Williams
  Date:   2019-12-04 (Wed, 04 Dec 2019)

  Changed paths:
    M lib/roken/detach.c

  Log Message:
  -----------
  roken: fix leak in roken_detach_prep()

  Commit: f9a0e8f076176ff6e41ba134becfe46dbcfa8ea4
      https://github.com/heimdal/heimdal/commit/f9a0e8f076176ff6e41ba134becfe46dbcfa8ea4
  Author: Nicolas Williams
  Date:   2019-12-04 (Wed, 04 Dec 2019)

  Changed paths:
    M lib/roken/Makefile.am
    M lib/roken/base64.c

  Log Message:
  -----------
  roken: add rkbase64 noinst program

  This will be useful in tests.

  Commit: 4f8577a98829f23372a1e573dd5146a7f56e0d8b
      https://github.com/heimdal/heimdal/commit/4f8577a98829f23372a1e573dd5146a7f56e0d8b
  Author: Nicolas Williams
  Date:   2019-12-04 (Wed, 04 Dec 2019)

  Changed paths:
    M lib/hx509/hxtool.c

  Log Message:
  -----------
  hxtool: add cert type: https-negotiate-server

  Commit: d519094117961a7df6dd8f2c5e97303d3fc9ae8c
      https://github.com/heimdal/heimdal/commit/d519094117961a7df6dd8f2c5e97303d3fc9ae8c
  Author: Nicolas Williams
  Date:   2019-12-04 (Wed, 04 Dec 2019)

  Changed paths:
    M lib/hx509/hxtool.c

  Log Message:
  -----------
  hxtool: fix leak

  Commit: a7a1d798c3d1f2e5aba9a9d94db52b28d8744f80
      https://github.com/heimdal/heimdal/commit/a7a1d798c3d1f2e5aba9a9d94db52b28d8744f80
  Author: Nicolas Williams
  Date:   2019-12-04 (Wed, 04 Dec 2019)

  Changed paths:
    M lib/hx509/ca.c
    M lib/hx509/hx509.h
    M lib/hx509/hx509_err.et
    M lib/hx509/libhx509-exports.def
    M lib/hx509/req.c
    M lib/hx509/test_req.in
    M lib/hx509/version-script.map

  Log Message:
  -----------
  hx509: keep track of authorized CSR features

  This commit adds a few functions
  for marking KU, EKUs, and SANs as authorized, and for getting a count of
  unsupported certificate extensions requested, and a count of authorized
  KU/EKUs/SANs.

  The intent is to make it easier to build CSR authorization and CA code
  that is robust in the face of future support for certificate extensions
  and SAN types not currently supported. An application could parse a CSR,
  iterate all KU/EKUs/SANs, check a subject's authorization to them, mark
  them authorized where authorized, then check if there are any remaining
  unauthorized extensions or unsupported extensions requested.

  Ultimately, if a CSR's KU/EKUs/SANs are all authorized, then they can all
  be copied to a TBS, and a certificate can be issued.

  Commit: 4d4c7078cd72345d68e940ec5eb072f2fc41f187
      https://github.com/heimdal/heimdal/commit/4d4c7078cd72345d68e940ec5eb072f2fc41f187
  Author: Nicolas Williams
  Date:   2019-12-04 (Wed, 04 Dec 2019)

  Changed paths:
    M lib/asn1/kx509.asn1

  Log Message:
  -----------
  kx509: Add desired_life to Kx509CSRPlus

  Commit: 575c67806be9d60fac820eee1c403f7e66d22b91
      https://github.com/heimdal/heimdal/commit/575c67806be9d60fac820eee1c403f7e66d22b91
  Author: Nicolas Williams
  Date:   2019-12-04 (Wed, 04 Dec 2019)

  Changed paths:
    M .travis.yml
    M README
    M README.md
    M configure.ac
    M doc/heimdal.texi
    M doc/hx509.texi
    M doc/whatis.texi
    M kdc/Makefile.am
    M kdc/NTMakefile
    A kdc/bx509d.c
    A kdc/ca.c
    A kdc/cjwt_token_validator.c
    A kdc/csr_authorizer.c
    A kdc/csr_authorizer_plugin.h
    M kdc/default_config.c
    A kdc/ipc_csr_authorizer.c
    M kdc/kdc.h
    M kdc/kx509.c
    M kdc/libkdc-exports.def
    A kdc/negotiate_token_validator.c
    A kdc/simple_csr_authorizer.c
    A kdc/test_csr_authorizer.c
    A kdc/test_kdc_ca.c
    A kdc/test_token_validator.c
    A kdc/token_validator.c
    A kdc/token_validator_plugin.h
    M kdc/version-script.map
    M kuser/kx509.c
    M lib/asn1/krb5.asn1
    M lib/asn1/kx509.asn1
    M lib/krb5/krb5.conf.5
    M lib/krb5/kx509.c
    M lib/krb5/libkrb5-exports.def.in
    M lib/krb5/version-script.map
    M tests/bin/setup-env.in
    M tests/kdc/Makefile.am
    A tests/kdc/check-bx509.in
    M tests/kdc/check-pkinit.in
    A tests/kdc/krb5-bx509.conf.in
    M tests/kdc/krb5-pkinit.conf.in
    M tests/plugin/windc.c

  Log Message:
  -----------
  Add bx509d

  Compare: https://github.com/heimdal/heimdal/compare/8c5d2f7cc426...575c67806be9

From noreply at github.com Thu Dec 5 06:05:58 2019
From: noreply at github.com (Roland C. Dowdeswell)
Date: Wed, 04 Dec 2019 21:05:58 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] fb9a78: We stop strnvisx(3)ing logs to FILE: by default.
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: fb9a78223c5a481630436ac80c95eecaced4a153
      https://github.com/heimdal/heimdal/commit/fb9a78223c5a481630436ac80c95eecaced4a153
  Author: Roland C. Dowdeswell
  Date:   2019-12-05 (Thu, 05 Dec 2019)

  Changed paths:
    M lib/krb5/log.c

  Log Message:
  -----------
  We stop strnvisx(3)ing logs to FILE: by default.

  Our logging framework used to strnvisx(3) each and every line iff it is
  written to a FILE. This is often unhelpful because the line usually
  contains a number of elements that have already been quoted and it makes
  the logs much more difficult to read in this case. An example is
  krb5_unparse_name() which will already quote most characters that one
  cares about.

  We change the behaviour to simply drop unprintable characters rather than
  encoding them. We thus rely on the rest of the code to properly encode
  data elements written into the logs.

  Commit: 7d353d05570e5be3def8341d54e18e49f91b130b
      https://github.com/heimdal/heimdal/commit/7d353d05570e5be3def8341d54e18e49f91b130b
  Author: Roland C. Dowdeswell
  Date:   2019-12-05 (Thu, 05 Dec 2019)

  Changed paths:
    M kdc/digest-service.c
    M kdc/fast.c
    M kdc/kdc.h
    M kdc/kdc_locl.h
    M kdc/kerberos5.c
    M kdc/krb5tgs.c
    M kdc/pkinit.c
    M kdc/process.c
    M kdc/windc.c

  Log Message:
  -----------
  Generate a single summary audit line for AS/TGS.

  We refactor the code a bit to extend kdc_request_t which until now was
  only used for the AS.
  We make the structure extensible and start using it for the TGS as well.
  We leave digest and kx509 alone for the time being.

  We also define the concept of kv-pairs in our audit trail which allows us
  to define a rigorous but extensible format:

    type error from-addr client server key1=val1 key2=val2 ...

  Commit: 6db323157f533bc89c81a75c7307843c470806bd
      https://github.com/heimdal/heimdal/commit/6db323157f533bc89c81a75c7307843c470806bd
  Author: Roland C. Dowdeswell
  Date:   2019-12-05 (Thu, 05 Dec 2019)

  Changed paths:
    M kdc/kerberos5.c
    M kdc/krb5tgs.c
    M kdc/windc.c

  Log Message:
  -----------
  Reduce older log messages to level 4 and collect some errors.

  We take all of the kdc_log() and _kdc_r_log() calls in AS and TGS and
  move their log levels down to debugging on the assumption that our new
  log line subsumes the "informational" requirements. We collect some
  additional information in the kv-pair "pe-text" which is like e-text
  except it is not returned to the client.

  Commit: c76e30e90cf9f2dfc4fadf73ba7944f325ade81d
      https://github.com/heimdal/heimdal/commit/c76e30e90cf9f2dfc4fadf73ba7944f325ade81d
  Author: Roland C. Dowdeswell
  Date:   2019-12-05 (Thu, 05 Dec 2019)

  Changed paths:
    M lib/krb5/krb5_openlog.3

  Log Message:
  -----------
  Document that log level 7 is for tracing.

  Commit: 430e18c0741f5e86982289c521b028d3867ceb06
      https://github.com/heimdal/heimdal/commit/430e18c0741f5e86982289c521b028d3867ceb06
  Author: Roland C. Dowdeswell
  Date:   2019-12-05 (Thu, 05 Dec 2019)

  Changed paths:
    M kdc/kdc.h
    M kdc/process.c

  Log Message:
  -----------
  kdc/process.c: add tracing messages.

  Commit: 05e851754291c735d387a5d92859d90ea2edc8bc
      https://github.com/heimdal/heimdal/commit/05e851754291c735d387a5d92859d90ea2edc8bc
  Author: Roland C. Dowdeswell
  Date:   2019-12-05 (Thu, 05 Dec 2019)

  Changed paths:
    M kdc/fast.c

  Log Message:
  -----------
  kdc/fast.c: fix leak in unusual error path.

  Commit: 001e312ba5e7972b403e6b403b78bd53c22d8b80
      https://github.com/heimdal/heimdal/commit/001e312ba5e7972b403e6b403b78bd53c22d8b80
  Author: Roland C. Dowdeswell
  Date:   2019-12-05 (Thu, 05 Dec 2019)

  Changed paths:
    M lib/krb5/cache.c

  Log Message:
  -----------
  Make krb5_cc_close(ctx, NULL) stop SEGV'ing.

  Compare: https://github.com/heimdal/heimdal/compare/575c67806be9...001e312ba5e7

From noreply at github.com Thu Dec 5 06:12:14 2019
From: noreply at github.com (Nico Williams)
Date: Wed, 04 Dec 2019 21:12:14 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 2d1454: Fix Travis build
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 2d1454c686db240a7ed3bdeb6fa1a5069012dbbd
      https://github.com/heimdal/heimdal/commit/2d1454c686db240a7ed3bdeb6fa1a5069012dbbd
  Author: Nicolas Williams
  Date:   2019-12-04 (Wed, 04 Dec 2019)

  Changed paths:
    M kdc/Makefile.am

  Log Message:
  -----------
  Fix Travis build

From noreply at github.com Thu Dec 5 18:27:07 2019
From: noreply at github.com (Nico Williams)
Date: Thu, 05 Dec 2019 09:27:07 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] bdff78: kdc: Fix warnings: fix _kdc_audit_addkv() usage
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: bdff7835a20391278d538a823ed74dd385cc5aa4
      https://github.com/heimdal/heimdal/commit/bdff7835a20391278d538a823ed74dd385cc5aa4
  Author: Nicolas Williams
  Date:   2019-12-05 (Thu, 05 Dec 2019)

  Changed paths:
    M kdc/krb5tgs.c
    M kdc/process.c

  Log Message:
  -----------
  kdc: Fix warnings: fix _kdc_audit_addkv() usage

  Commit: 6acb2e3f360e158d12e61e4b679406c453e65379
      https://github.com/heimdal/heimdal/commit/6acb2e3f360e158d12e61e4b679406c453e65379
  Author: Nicolas Williams
  Date:   2019-12-05 (Thu, 05 Dec 2019)

  Changed paths:
    M kdc/cjwt_token_validator.c

  Log Message:
  -----------
  kdc: Fix JWK key rotation danger

  Compare: https://github.com/heimdal/heimdal/compare/2d1454c686db...6acb2e3f360e

From noreply at github.com Thu Dec 5 22:34:15 2019
From: noreply at github.com (Nico Williams)
Date: Thu, 05 Dec 2019 13:34:15 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 52b8fa: Fix Travis build moar
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 52b8fae5e00be40a126a55a689dc9984d82ab668
      https://github.com/heimdal/heimdal/commit/52b8fae5e00be40a126a55a689dc9984d82ab668
  Author: Nicolas Williams
  Date:   2019-12-05 (Thu, 05 Dec 2019)

  Changed paths:
    M kdc/Makefile.am

  Log Message:
  -----------
  Fix Travis build moar

From noreply at github.com Fri Dec 6 00:24:36 2019
From: noreply at github.com (Nico Williams)
Date: Thu, 05 Dec 2019 15:24:36 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] b5c158: Fix tests/can and tests/kdc
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: b5c158d9f7eba8868775c24b20e4f6d13c2303b9
      https://github.com/heimdal/heimdal/commit/b5c158d9f7eba8868775c24b20e4f6d13c2303b9
  Author: Nicolas Williams
  Date:   2019-12-05 (Thu, 05 Dec 2019)

  Changed paths:
    M kdc/kerberos5.c
    M tests/can/krb5.conf.in

  Log Message:
  -----------
  Fix tests/can and tests/kdc

  krb5_kdc_process_request() must return 0 when it produces a reply, and
  only return non-zero when it could not construct any kind of reply (e.g.,
  ENOMEM, or -1 if no handler claimed responsibility for the request).

From noreply at github.com Fri Dec 6 00:37:28 2019
From: noreply at github.com (Nico Williams)
Date: Thu, 05 Dec 2019 15:37:28 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 614522: bx509: do not test bx509d if not built
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 61452235ad524384ea4423a4634f8e6f84cc14a4
      https://github.com/heimdal/heimdal/commit/61452235ad524384ea4423a4634f8e6f84cc14a4
  Author: Nicolas Williams
  Date:   2019-12-05 (Thu, 05 Dec 2019)

  Changed paths:
    M tests/kdc/check-bx509.in

  Log Message:
  -----------
  bx509: do not test bx509d if not built

From noreply at github.com Fri Dec 6 02:20:30 2019
From: noreply at github.com (Luke Howard)
Date: Thu, 05 Dec 2019 17:20:30 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 3daef8: roken: Windows version support helpers
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 3daef8a5fd8268406a4c9d33afd8b464a1f87130
      https://github.com/heimdal/heimdal/commit/3daef8a5fd8268406a4c9d33afd8b464a1f87130
  Author: Luke Howard
  Date:   2019-12-05 (Thu, 05 Dec 2019)

  Changed paths:
    M lib/roken/NTMakefile
    M lib/roken/rand.c
    A lib/roken/versionsupport.h

  Log Message:
  -----------
  roken: Windows version support helpers

  Add helper functions for determining the version of Windows upon which we
  are running.

  Commit: a17a6bcc54316e43d7e1f5b645001c23bc498529
      https://github.com/heimdal/heimdal/commit/a17a6bcc54316e43d7e1f5b645001c23bc498529
  Author: Luke Howard
  Date:   2019-12-05 (Thu, 05 Dec 2019)

  Changed paths:
    M lib/hcrypto/evp-wincng.c

  Log Message:
  -----------
  hcrypto: support BCRYPT_HASH_REUSABLE_FLAG

  support BCRYPT_HASH_REUSABLE_FLAG in the WinCNG backend on versions of
  Windows that support it, to avoid destroying and recreating a hash object

  Compare: https://github.com/heimdal/heimdal/compare/61452235ad52...a17a6bcc5431

From noreply at github.com Sat Dec 7 04:34:31 2019
From: noreply at github.com (Nico Williams)
Date: Fri, 06 Dec 2019 19:34:31 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] dd762e: kadmin: Improve ext_keytab usage
Message-ID:

  Branch: refs/heads/d4a319d57
  Home:   https://github.com/heimdal/heimdal

  Commit: dd762e53d1e7511324fffd8349d7885d7a63cd13
      https://github.com/heimdal/heimdal/commit/dd762e53d1e7511324fffd8349d7885d7a63cd13
  Author: Nicolas Williams
  Date:   2019-12-06 (Fri, 06 Dec 2019)

  Changed paths:
    M kadmin/kadmin-commands.in
    M kadmin/kadmin.1

  Log Message:
  -----------
  kadmin: Improve ext_keytab usage

  Commit: d4a319d57ddb465f2027a13e4f89e2ab318c884c
      https://github.com/heimdal/heimdal/commit/d4a319d57ddb465f2027a13e4f89e2ab318c884c
  Author: Nicolas Williams
  Date:   2019-12-06 (Fri, 06 Dec 2019)

  Changed paths:
    M lib/gssapi/gss-token.c

  Log Message:
  -----------
  gss: fix gss-token accept bug

  Commit: 3f81fa6c3ebd250df468bad283d858892a122521
      https://github.com/heimdal/heimdal/commit/3f81fa6c3ebd250df468bad283d858892a122521
  Author: Nicolas Williams
  Date:   2019-12-06 (Fri, 06 Dec 2019)

  Changed paths:
    M lib/hx509/cert.c
    M lib/hx509/hx509.h
    M lib/hx509/keyset.c
    M lib/hx509/ks_file.c
    M lib/hx509/ks_keychain.c
    M lib/hx509/ks_p11.c
    M lib/hx509/ks_p12.c
    M lib/hx509/libhx509-exports.def
    M lib/hx509/req.c
    M lib/hx509/version-script.map

  Log Message:
  -----------
  hx509: private key exclusion option

  Add two ways to exclude private keys when dealing with an hx509
  certificate store.

  This is useful for CA code so it can have a single store with the
  issuer's credentials _and_ the chain for it, and copy those to a store
  with the issued certificate and _not_ accidentally include the issuer's
  private key.

  Commit: b896158270d9958a789e9757a626e07112345c1f
      https://github.com/heimdal/heimdal/commit/b896158270d9958a789e9757a626e07112345c1f
  Author: Nicolas Williams
  Date:   2019-12-06 (Fri, 06 Dec 2019)

  Changed paths:
    M kdc/ca.c

  Log Message:
  -----------
  kdc: kx509: Do not vend issuer private keys

  Commit: a5882a5e7371b929f0a150ceb51cdd86343bc2f9
      https://github.com/heimdal/heimdal/commit/a5882a5e7371b929f0a150ceb51cdd86343bc2f9
  Author: Nicolas Williams
  Date:   2019-12-06 (Fri, 06 Dec 2019)

  Changed paths:
    M kdc/bx509d.c
    M lib/gssapi/gss-token.c
    M tests/kdc/Makefile.am
    M tests/kdc/check-bx509.in

  Log Message:
  -----------
  bx509: CSRF protection for /bnegotiate

  Compare: https://github.com/heimdal/heimdal/compare/dd762e53d1e7%5E...a5882a5e7371

From noreply at github.com Sat Dec 7 04:34:39 2019
From: noreply at github.com (Nico Williams)
Date: Fri, 06 Dec 2019 19:34:39 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

  Branch: refs/heads/d4a319d57
  Home:   https://github.com/heimdal/heimdal

From noreply at github.com Sat Dec 7 04:34:54 2019
From: noreply at github.com (Nico Williams)
Date: Fri, 06 Dec 2019 19:34:54 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] dd762e: kadmin: Improve ext_keytab usage
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: dd762e53d1e7511324fffd8349d7885d7a63cd13
      https://github.com/heimdal/heimdal/commit/dd762e53d1e7511324fffd8349d7885d7a63cd13
  Author: Nicolas Williams
  Date:   2019-12-06 (Fri, 06 Dec 2019)

  Changed paths:
    M kadmin/kadmin-commands.in
    M kadmin/kadmin.1

  Log Message:
  -----------
  kadmin: Improve ext_keytab usage

  Commit: d4a319d57ddb465f2027a13e4f89e2ab318c884c
      https://github.com/heimdal/heimdal/commit/d4a319d57ddb465f2027a13e4f89e2ab318c884c
  Author: Nicolas Williams
  Date:   2019-12-06 (Fri, 06 Dec 2019)

  Changed paths:
    M lib/gssapi/gss-token.c

  Log Message:
  -----------
  gss: fix gss-token accept bug

  Compare: https://github.com/heimdal/heimdal/compare/a17a6bcc5431...d4a319d57ddb

From noreply at github.com Tue Dec 10 03:26:39 2019
From: noreply at github.com (Nico Williams)
Date: Mon, 09 Dec 2019 18:26:39 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 90a59a: krb5: Fix fcc_open() FD leak
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 90a59a064b4f40194bbde55075792ce1bf9d3a1f
      https://github.com/heimdal/heimdal/commit/90a59a064b4f40194bbde55075792ce1bf9d3a1f
  Author: Nicolas Williams
  Date:   2019-12-06 (Fri, 06 Dec 2019)

  Changed paths:
    M lib/krb5/fcache.c

  Log Message:
  -----------
  krb5: Fix fcc_open() FD leak

  Commit: 7102f2be9e4a7bed4b3a25428789fd4d01280ed5
      https://github.com/heimdal/heimdal/commit/7102f2be9e4a7bed4b3a25428789fd4d01280ed5
  Author: Nicolas Williams
  Date:   2019-12-06 (Fri, 06 Dec 2019)

  Changed paths:
    M lib/krb5/pkinit.c

  Log Message:
  -----------
  krb5: Fix leak in PKINIT client

  Commit: d021710efc1d9ba06fb2fd73a8455f527ca23eef
      https://github.com/heimdal/heimdal/commit/d021710efc1d9ba06fb2fd73a8455f527ca23eef
  Author: Nicolas Williams
  Date:   2019-12-06 (Fri, 06 Dec 2019)

  Changed paths:
    M lib/gssapi/mech/gss_add_cred_from.c

  Log Message:
  -----------
  gss: Fix leak in gss_add_cred_from()

  Commit: 3c0d1258ceae61a00f7fb2a8ac220399cb0cbe84
      https://github.com/heimdal/heimdal/commit/3c0d1258ceae61a00f7fb2a8ac220399cb0cbe84
  Author: Nicolas Williams
  Date:   2019-12-09 (Mon, 09 Dec 2019)

  Changed paths:
    M lib/hx509/req.c

  Log Message:
  -----------
  hx509: Fix unauthorized feature accounting

  Commit: e51574599662486e2e54fec03eb69003a8998fa5
      https://github.com/heimdal/heimdal/commit/e51574599662486e2e54fec03eb69003a8998fa5
  Author: Nicolas Williams
  Date:   2019-12-09 (Mon, 09 Dec 2019)

  Changed paths:
    M lib/hx509/cert.c
    M lib/hx509/hx509.h
    M lib/hx509/hxtool-commands.in
    M lib/hx509/hxtool.c
    M lib/hx509/keyset.c
    M lib/hx509/ks_file.c
    M lib/hx509/ks_keychain.c
    M lib/hx509/ks_p11.c
    M lib/hx509/ks_p12.c

  Log Message:
  -----------
  hx509: private key exclusion options

  Add two ways to exclude private keys when dealing with an hx509
  certificate store. One as a load option (load no private keys, never add
  private keys), one as a store option (store no private keys).

  This is useful for CA code so it can have a single store with the
  issuer's credentials _and_ the chain for it, and copy those to a store
  with the issued certificate and _not_ accidentally include the issuer's
  private key.

  It would be much safer still to flip the default for this flag, but that
  could break out-of-tree libhx509 dependents.

  Commit: 0a0a27ccecb44123df394dc1eed5d54dae96b7d8
      https://github.com/heimdal/heimdal/commit/0a0a27ccecb44123df394dc1eed5d54dae96b7d8
  Author: Nicolas Williams
  Date:   2019-12-09 (Mon, 09 Dec 2019)

  Changed paths:
    M kdc/bx509d.c
    M kdc/ca.c

  Log Message:
  -----------
  kdc: bx509: Do not vend issuer private keys

  Commit: d1a265209098c10586b19044ef987ba9ed33068a
      https://github.com/heimdal/heimdal/commit/d1a265209098c10586b19044ef987ba9ed33068a
  Author: Nicolas Williams
  Date:   2019-12-09 (Mon, 09 Dec 2019)

  Changed paths:
    M kdc/bx509d.c
    M lib/gssapi/gss-token.c
    M tests/kdc/Makefile.am
    M tests/kdc/check-bx509.in

  Log Message:
  -----------
  bx509: CSRF protection for /bnegotiate

  Compare: https://github.com/heimdal/heimdal/compare/d4a319d57ddb...d1a265209098

From noreply at github.com Tue Dec 10 05:15:48 2019
From: noreply at github.com (Nico Williams)
Date: Mon, 09 Dec 2019 20:15:48 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 733140: kdc: Fix leaks
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 733140553a2c548ec1e0010394c6f1bcff4a8647
      https://github.com/heimdal/heimdal/commit/733140553a2c548ec1e0010394c6f1bcff4a8647
  Author: Nicolas Williams
  Date:   2019-12-09 (Mon, 09 Dec 2019)

  Changed paths:
    M kdc/bx509d.c
    M kdc/main.c
    M kdc/process.c
    M kdc/test_csr_authorizer.c
    M kdc/test_kdc_ca.c
    M kdc/test_token_validator.c

  Log Message:
  -----------
  kdc: Fix leaks

From noreply at github.com Tue Dec 10 11:24:06 2019
From: noreply at github.com (Isaac Boukris)
Date: Tue, 10 Dec 2019 02:24:06 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 51415e: CVE-2019-14870: Always lookup impersonate client i...
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 51415eaaaeab0bd776e6e756fa209127e1c6954b
      https://github.com/heimdal/heimdal/commit/51415eaaaeab0bd776e6e756fa209127e1c6954b
  Author: Isaac Boukris
  Date:   2019-12-10 (Tue, 10 Dec 2019)

  Changed paths:
    M kdc/krb5tgs.c
    M tests/kdc/check-kdc.in

  Log Message:
  -----------
  CVE-2019-14870: Always lookup impersonate client in DB

  Signed-off-by: Isaac Boukris

  Commit: 013210d1eb5b915ec94446e1d9a998d0dbedd253
      https://github.com/heimdal/heimdal/commit/013210d1eb5b915ec94446e1d9a998d0dbedd253
  Author: Isaac Boukris
  Date:   2019-12-10 (Tue, 10 Dec 2019)

  Changed paths:
    M kdc/krb5tgs.c
    M tests/kdc/check-kdc.in

  Log Message:
  -----------
  CVE-2019-14870: Apply forwardable policy in protocol-transition

  Signed-off-by: Isaac Boukris

  Commit: 77b480d2a07f51ffdec825f700949cffef5163f6
      https://github.com/heimdal/heimdal/commit/77b480d2a07f51ffdec825f700949cffef5163f6
  Author: Isaac Boukris
  Date:   2019-12-10 (Tue, 10 Dec 2019)

  Changed paths:
    M kdc/krb5tgs.c
    M tests/kdc/check-kdc.in

  Log Message:
  -----------
  CVE-2019-14870: Validate client attributes in protocol-transition

  Signed-off-by: Isaac Boukris

  Compare: https://github.com/heimdal/heimdal/compare/733140553a2c...77b480d2a07f

From noreply at github.com Tue Dec 10 11:25:22 2019
From: noreply at github.com (Isaac Boukris)
Date: Tue, 10 Dec 2019 02:25:22 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 33ad85: CVE-2019-14870: Always lookup impersonate client i...
Message-ID:

  Branch: refs/heads/heimdal-7-1-branch
  Home:   https://github.com/heimdal/heimdal

  Commit: 33ad855814912242e884125eb48bd65e92877938
      https://github.com/heimdal/heimdal/commit/33ad855814912242e884125eb48bd65e92877938
  Author: Isaac Boukris
  Date:   2019-12-10 (Tue, 10 Dec 2019)

  Changed paths:
    M kdc/krb5tgs.c
    M tests/kdc/check-kdc.in

  Log Message:
  -----------
  CVE-2019-14870: Always lookup impersonate client in DB

  Signed-off-by: Isaac Boukris

  Commit: 6eceb26a5fbe2e770f3df16b50a54b803cb5994e
      https://github.com/heimdal/heimdal/commit/6eceb26a5fbe2e770f3df16b50a54b803cb5994e
  Author: Isaac Boukris
  Date:   2019-12-10 (Tue, 10 Dec 2019)

  Changed paths:
    M kdc/krb5tgs.c
    M tests/kdc/check-kdc.in

  Log Message:
  -----------
  CVE-2019-14870: Apply forwardable policy in protocol-transition

  Signed-off-by: Isaac Boukris

  Commit: 26dce4a1143b4330360c089156e53cc6be01e3dc
      https://github.com/heimdal/heimdal/commit/26dce4a1143b4330360c089156e53cc6be01e3dc
  Author: Isaac Boukris
  Date:   2019-12-10 (Tue, 10 Dec 2019)

  Changed paths:
    M kdc/krb5tgs.c
    M tests/kdc/check-kdc.in

  Log Message:
  -----------
  CVE-2019-14870: Validate client attributes in protocol-transition

  Signed-off-by: Isaac Boukris

  Compare: https://github.com/heimdal/heimdal/compare/f000d7032243...26dce4a1143b

From noreply at github.com Tue Dec 10 21:11:06 2019
From: noreply at github.com (Nico Williams)
Date: Tue, 10 Dec 2019 12:11:06 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 5c2545: Revert docs changes for bx509 for now
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 5c25450e504f525720b5565f5f6c5367bc238f21
      https://github.com/heimdal/heimdal/commit/5c25450e504f525720b5565f5f6c5367bc238f21
  Author: Nicolas Williams
  Date:   2019-12-10 (Tue, 10 Dec 2019)

  Changed paths:
    M doc/heimdal.texi
    M doc/hx509.texi
    M doc/whatis.texi

  Log Message:
  -----------
  Revert docs changes for bx509 for now

From noreply at github.com Wed Dec 11 05:27:59 2019
From: noreply at github.com (Nico Williams)
Date: Tue, 10 Dec 2019 20:27:59 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 58848f: kdc: Add missing exports
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 58848fce7b351e042446c5a158b7257cb8775a8c
      https://github.com/heimdal/heimdal/commit/58848fce7b351e042446c5a158b7257cb8775a8c
  Author: Nicolas Williams
  Date:   2019-12-10 (Tue, 10 Dec 2019)

  Changed paths:
    M kdc/libkdc-exports.def
    M kdc/version-script.map

  Log Message:
  -----------
  kdc: Add missing exports

  Commit: 18df68d6e96616bd3a778e3ebbf826209e9e39a7
      https://github.com/heimdal/heimdal/commit/18df68d6e96616bd3a778e3ebbf826209e9e39a7
  Author: Nicolas Williams
  Date:   2019-12-10 (Tue, 10 Dec 2019)

  Changed paths:
    M kdc/Makefile.am
    M kdc/bx509d.c
    M kdc/process.c
    M tests/kdc/check-bx509.in

  Log Message:
  -----------
  bx509: Add proper logging

  Commit: 9063d92dbb311e5c43d9570b1458ef63eb6d614e
      https://github.com/heimdal/heimdal/commit/9063d92dbb311e5c43d9570b1458ef63eb6d614e
  Author: Nicolas Williams
  Date:   2019-12-10 (Tue, 10 Dec 2019)

  Changed paths:
    M lib/krb5/fcache.c

  Log Message:
  -----------
  krb5: Fix fcc_open() leak on double-init, and msg

  Commit: 608c2876d4503fd5bdcaf588a894159a79f1aa98
      https://github.com/heimdal/heimdal/commit/608c2876d4503fd5bdcaf588a894159a79f1aa98
  Author: Nicolas Williams
  Date:   2019-12-10 (Tue, 10 Dec 2019)

  Changed paths:
    M kdc/bx509d.c
    M kdc/kdc_locl.h
    M kdc/kerberos5.c
    M kdc/krb5tgs.c
    M kdc/libkdc-exports.def
    M kdc/process.c
    M kdc/version-script.map

  Log Message:
  -----------
  kdc: Fix audit_addkv() typos and reason handling

  Now we'll put the "reason=..." last in the log lines and we won't escape
  spaces -- just newlines and other control characters. This makes reading
  log lines much easier without complicating parsing of log lines because
  interior key=value pairs do get whitespace escaped or removed.

  Compare: https://github.com/heimdal/heimdal/compare/5c25450e504f...608c2876d450

From noreply at github.com Thu Dec 12 03:32:03 2019
From: noreply at github.com (Nico Williams)
Date: Wed, 11 Dec 2019 18:32:03 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 1d5062: kdc: Modernize kx509 logging too
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 1d5062b167b2576b05481ee0285c9a2ad2944d25
      https://github.com/heimdal/heimdal/commit/1d5062b167b2576b05481ee0285c9a2ad2944d25
  Author: Nicolas Williams
  Date:   2019-12-11 (Wed, 11 Dec 2019)

  Changed paths:
    M kdc/ca.c
    M kdc/headers.h
    M kdc/kdc.h
    M kdc/kdc_locl.h
    M kdc/kx509.c
    M kdc/libkdc-exports.def
    M kdc/process.c
    M kdc/version-script.map
    M tests/kdc/check-bx509.in

  Log Message:
  -----------
  kdc: Modernize kx509 logging too

  Commit: 5c7a8f63c7b8d3810e25fb24deafe3a3e2bb95ab
      https://github.com/heimdal/heimdal/commit/5c7a8f63c7b8d3810e25fb24deafe3a3e2bb95ab
  Author: Nicolas Williams
  Date:   2019-12-11 (Wed, 11 Dec 2019)

  Changed paths:
    M lib/asn1/NTMakefile
    M lib/asn1/libasn1-exports.def

  Log Message:
  -----------
  Fix Windows build

  Compare: https://github.com/heimdal/heimdal/compare/608c2876d450...5c7a8f63c7b8

From noreply at github.com Fri Dec 20 22:50:31 2019
From: noreply at github.com (Nico Williams)
Date: Fri, 20 Dec 2019 13:50:31 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 73a9c9: hx509: Avoid double-free on CSR parse error
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 73a9c95b7b1c7d132a5707ef33558f3faf87cc2e
      https://github.com/heimdal/heimdal/commit/73a9c95b7b1c7d132a5707ef33558f3faf87cc2e
  Author: Nicolas Williams
  Date:   2019-12-20 (Fri, 20 Dec 2019)

  Changed paths:
    M lib/hx509/req.c

  Log Message:
  -----------
  hx509: Avoid double-free on CSR parse error

From noreply at github.com Fri Dec 20 22:54:32 2019
From: noreply at github.com (Nico Williams)
Date: Fri, 20 Dec 2019 13:54:32 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] ee0a28: bx509: Work around microhttpd bug
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: ee0a288f9257e0653e99ebae305ac03eb4397164
      https://github.com/heimdal/heimdal/commit/ee0a288f9257e0653e99ebae305ac03eb4397164
  Author: Nicolas Williams
  Date:   2019-12-20 (Fri, 20 Dec 2019)

  Changed paths:
    M kdc/bx509d.c

  Log Message:
  -----------
  bx509: Work around microhttpd bug

From noreply at github.com Fri Dec 20 22:58:51 2019
From: noreply at github.com (Nico Williams)
Date: Fri, 20 Dec 2019 13:58:51 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 9a4178: bx509: Fix cjwt_token_validator build
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 9a41785682ac0ee5c7e7733d757a576ba62f9eb4
      https://github.com/heimdal/heimdal/commit/9a41785682ac0ee5c7e7733d757a576ba62f9eb4
  Author: Nicolas Williams
  Date:   2019-12-20 (Fri, 20 Dec 2019)

  Changed paths:
    M kdc/Makefile.am
    M kdc/cjwt_token_validator.c

  Log Message:
  -----------
  bx509: Fix cjwt_token_validator build

From noreply at github.com Fri Dec 20 23:05:11 2019
From: noreply at github.com (Nico Williams)
Date: Fri, 20 Dec 2019 14:05:11 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 4d9613: bx509: Tolerate older microhttpd versions
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 4d96132cefb4854d260364c70c1bcaa0c0c2a2d3
      https://github.com/heimdal/heimdal/commit/4d96132cefb4854d260364c70c1bcaa0c0c2a2d3
  Author: Nicolas Williams
  Date:   2019-12-20 (Fri, 20 Dec 2019)

  Changed paths:
    M configure.ac

  Log Message:
  -----------
  bx509: Tolerate older microhttpd versions

  Commit: a79714da93c9e0f8ea61e982cb11d65c5c27e798
      https://github.com/heimdal/heimdal/commit/a79714da93c9e0f8ea61e982cb11d65c5c27e798
  Author: Nicolas Williams
  Date:   2019-12-20 (Fri, 20 Dec 2019)

  Changed paths:
    M kdc/Makefile.am

  Log Message:
  -----------
  kdc: Fix build race

  Compare: https://github.com/heimdal/heimdal/compare/9a41785682ac...a79714da93c9

From noreply at github.com Fri Dec 20 23:14:09 2019
From: noreply at github.com (Nico Williams)
Date: Fri, 20 Dec 2019 14:14:09 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] bc9054: hx509: Better handle OpenSSL diffs in test_req
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: bc9054d4b5b8b989fdc866c6a96a78600e815470
      https://github.com/heimdal/heimdal/commit/bc9054d4b5b8b989fdc866c6a96a78600e815470
  Author: Nicolas Williams
  Date:   2019-12-20 (Fri, 20 Dec 2019)

  Changed paths:
    M lib/hx509/test_req.in

  Log Message:
  -----------
  hx509: Better handle OpenSSL diffs in test_req

From noreply at github.com Fri Dec 20 23:52:11 2019
From: noreply at github.com (Nico Williams)
Date: Fri, 20 Dec 2019 14:52:11 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 148230: iprop: Use test port for testing
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 14823095652cc1dc4f0e92e7ca177823b43eacd9
      https://github.com/heimdal/heimdal/commit/14823095652cc1dc4f0e92e7ca177823b43eacd9
  Author: Nicolas Williams
  Date:   2019-12-20 (Fri, 20 Dec 2019)

  Changed paths:
    M tests/kdc/Makefile.am
    M tests/kdc/check-iprop.in

  Log Message:
  -----------
  iprop: Use test port for testing

From noreply at github.com Thu Dec 26 23:38:12 2019
From: noreply at github.com (Nico Williams)
Date: Thu, 26 Dec 2019 14:38:12 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] d2542d: bx509: Make test work with older curl versions
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: d2542d82612ef2830bb0ce93ff361f3e10ea04b1
      https://github.com/heimdal/heimdal/commit/d2542d82612ef2830bb0ce93ff361f3e10ea04b1
  Author: Nicolas Williams
  Date:   2019-12-26 (Thu, 26 Dec 2019)

  Changed paths:
    M tests/kdc/check-bx509.in

  Log Message:
  -----------
  bx509: Make test work with older curl versions

  The --connect-to option is much nicer and better than --resolve for
  testing, but for testing against localhost --resolve is good
  enough and available in older versions of curl.

From noreply at github.com Tue Dec 31 03:45:48 2019
From: noreply at github.com (Nico Williams)
Date: Mon, 30 Dec 2019 18:45:48 -0800
Subject: [Heimdal-source-changes] [heimdal/heimdal] 1a3716: krb5: Do not write start_realm ccconfig twice
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 1a3716a132595b61f0aaa166662a86b8f718f208
      https://github.com/heimdal/heimdal/commit/1a3716a132595b61f0aaa166662a86b8f718f208
  Author: Nicolas Williams
  Date:   2019-12-30 (Mon, 30 Dec 2019)

  Changed paths:
    M lib/krb5/cache.c

  Log Message:
  -----------
  krb5: Do not write start_realm ccconfig twice