From noreply at github.com Sat Jun 1 17:14:29 2019
From: noreply at github.com (Isaac Boukris)
Date: Sat, 01 Jun 2019 08:14:29 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] ea7615: Do not set anonymous flag in S4U2Proxy request
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: ea7615ade3af28843f358e715703226b760db73b
  https://github.com/heimdal/heimdal/commit/ea7615ade3af28843f358e715703226b760db73b
Author: Isaac Boukris
Date: 2019-06-01 (Sat, 01 Jun 2019)

Changed paths:
  M lib/krb5/get_cred.c

Log Message:
-----------
Do not set anonymous flag in S4U2Proxy request

It is not specified in MS-SFU, Apple dropped it as well and it now breaks master branch.

Signed-off-by: Isaac Boukris

From noreply at github.com Sat Jun 1 23:04:19 2019
From: noreply at github.com (Jeffrey Altman)
Date: Sat, 01 Jun 2019 14:04:19 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] cad699: kdc: handle kdc_options bit 14 confusion
Message-ID:

Branch: refs/heads/jaltman/kdc-anon-request-confusion
Home: https://github.com/heimdal/heimdal
Commit: cad699a8f011de08925bd969bcb7a35c43e25d77
  https://github.com/heimdal/heimdal/commit/cad699a8f011de08925bd969bcb7a35c43e25d77
Author: Jeffrey Altman
Date: 2019-06-01 (Sat, 01 Jun 2019)

Changed paths:
  M kdc/kerberos5.c

Log Message:
-----------
kdc: handle kdc_options bit 14 confusion

Drafts 0 through 10 of the Kerberos anonymity draft specified the TicketFlags.anonymous flag as bit 14. This was changed to bit 16 after it was discovered that Microsoft used bit 14 for S4U2Proxy.

d5bb7a7c566841d52662b230248f06522bfa64ad ("(krb5_get_creds): if KRB5_GC_CONSTRAINED_DELEGATION is set, set both") set both the anonymous and constrained_delegation TicketFlags when issuing a S4U2Proxy request. The setting of the anonymous TicketFlag was removed by ea7615ade3af28843f358e715703226b760db73b ("Do not set anonymous flag in S4U2Proxy request").
014e318d6bdefd8ecfcb99ca9928921f6a49d721 ("krb5: check KDC supports anonymous if requested") introduced a client side check to ensure that an anonymous request is responded to with an anonymized ticket.

The combination of setting the anonymous TicketFlag and the anonymized ticket validation broke S4U2Proxy requests to Windows KDCs because they ignore the anonymous TicketFlag when constrained_delegation is requested.

The Heimdal KDC includes fallback logic to handle Heimdal clients that set the anonymous TicketFlag as bit 14 in _kdc_is_anon_request(). However, it failed to adjust the kdc_options flags when it determined that the request came from an old Heimdal client.

This change clears the constrained_delegation flag and sets the request_anonymous flag when an old Heimdal client is detected. It also clears the request_anonymous flag if both bit 14 and 16 are set.

Change-Id: If57b6f9fe95fdba0109c4450dba5548b4ae6eba9

From noreply at github.com Sat Jun 1 23:11:24 2019
From: noreply at github.com (Jeffrey Altman)
Date: Sat, 01 Jun 2019 14:11:24 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 9c2af0: kdc: handle kdc_options bit 14 confusion
Message-ID:

Branch: refs/heads/jaltman/kdc-anon-request-confusion
Home: https://github.com/heimdal/heimdal
Commit: 9c2af0ed7f270a0539b0cc565b7cadb9915d585a
  https://github.com/heimdal/heimdal/commit/9c2af0ed7f270a0539b0cc565b7cadb9915d585a
Author: Jeffrey Altman
Date: 2019-06-01 (Sat, 01 Jun 2019)

Changed paths:
  M kdc/kerberos5.c

Log Message:
-----------
kdc: handle kdc_options bit 14 confusion

Drafts 0 through 10 of the Kerberos anonymity draft specified the TicketFlags.anonymous flag as bit 14. This was changed to bit 16 after it was discovered that Microsoft used bit 14 for S4U2Proxy.

d5bb7a7c566841d52662b230248f06522bfa64ad ("(krb5_get_creds): if KRB5_GC_CONSTRAINED_DELEGATION is set, set both") set both the anonymous and constrained_delegation TicketFlags when issuing a S4U2Proxy request.
The setting of the anonymous TicketFlag was removed by ea7615ade3af28843f358e715703226b760db73b ("Do not set anonymous flag in S4U2Proxy request").

014e318d6bdefd8ecfcb99ca9928921f6a49d721 ("krb5: check KDC supports anonymous if requested") introduced a client side check to ensure that an anonymous request is responded to with an anonymized ticket.

The combination of setting the anonymous TicketFlag and the anonymized ticket validation broke S4U2Proxy requests to Windows KDCs because they ignore the anonymous TicketFlag when constrained_delegation is requested.

The Heimdal KDC includes fallback logic to handle Heimdal clients that set the anonymous TicketFlag as bit 14 in _kdc_is_anon_request(). However, it failed to adjust the kdc_options flags when it determined that the request came from an old Heimdal client.

This change clears the constrained_delegation flag and sets the request_anonymous flag when an old Heimdal client is detected. It also clears the request_anonymous flag if both bit 14 and 16 are set.

Change-Id: If57b6f9fe95fdba0109c4450dba5548b4ae6eba9

From noreply at github.com Sat Jun 1 23:21:09 2019
From: noreply at github.com (Jeffrey Altman)
Date: Sat, 01 Jun 2019 14:21:09 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] a1c742: kdc: handle kdc_options bit 14 confusion
Message-ID:

Branch: refs/heads/jaltman/kdc-anon-request-confusion
Home: https://github.com/heimdal/heimdal
Commit: a1c742040dcaceef9298d95b3f6f4e1ddb946a2c
  https://github.com/heimdal/heimdal/commit/a1c742040dcaceef9298d95b3f6f4e1ddb946a2c
Author: Jeffrey Altman
Date: 2019-06-01 (Sat, 01 Jun 2019)

Changed paths:
  M kdc/kerberos5.c

Log Message:
-----------
kdc: handle kdc_options bit 14 confusion

Drafts 0 through 10 of the Kerberos anonymity draft specified the TicketFlags.anonymous flag as bit 14. This was changed to bit 16 after it was discovered that Microsoft used bit 14 for S4U2Proxy.
d5bb7a7c566841d52662b230248f06522bfa64ad ("(krb5_get_creds): if KRB5_GC_CONSTRAINED_DELEGATION is set, set both") set both the anonymous and constrained_delegation TicketFlags when issuing a S4U2Proxy request. The setting of the anonymous TicketFlag was removed by ea7615ade3af28843f358e715703226b760db73b ("Do not set anonymous flag in S4U2Proxy request").

014e318d6bdefd8ecfcb99ca9928921f6a49d721 ("krb5: check KDC supports anonymous if requested") introduced a client side check to ensure that an anonymous request is responded to with an anonymized ticket.

The combination of setting the anonymous TicketFlag and the anonymized ticket validation broke S4U2Proxy requests to Windows KDCs because they ignore the anonymous TicketFlag when constrained_delegation is requested.

The Heimdal KDC includes fallback logic to handle Heimdal clients that set the anonymous TicketFlag as bit 14 in _kdc_is_anon_request(). However, it failed to adjust the kdc_options flags when it determined that the request came from an old Heimdal client.

This change clears the constrained_delegation flag and sets the request_anonymous flag when an old Heimdal client is detected. It also clears the request_anonymous flag if both bit 14 and 16 are set.

Change-Id: If57b6f9fe95fdba0109c4450dba5548b4ae6eba9

From noreply at github.com Sun Jun 2 06:44:54 2019
From: noreply at github.com (Luke Howard)
Date: Sat, 01 Jun 2019 21:44:54 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] cf940e: krb5: rename constrained-delegation to cname-in-addl...
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: cf940e15f4eac71d7b739bbb6672d7be9f9b98cb
  https://github.com/heimdal/heimdal/commit/cf940e15f4eac71d7b739bbb6672d7be9f9b98cb
Author: Luke Howard
Date: 2019-06-02 (Sun, 02 Jun 2019)

Changed paths:
  M kdc/kerberos5.c
  M lib/asn1/krb5.asn1
  M lib/krb5/get_cred.c

Log Message:
-----------
krb5: rename constrained-delegation to cname-in-addl-tkt

For consistency with [MS-SFU] rename the constrained-delegation KDC option to cname-in-addl-tkt (client name in additional ticket).

From noreply at github.com Mon Jun 3 04:36:02 2019
From: noreply at github.com (Luke Howard)
Date: Sun, 02 Jun 2019 19:36:02 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 7381a2: kdc: check for cname-in-addl-tkt flag in constrain...
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 7381a280c82e29d7c56fad938175e70b7ef85a9f
  https://github.com/heimdal/heimdal/commit/7381a280c82e29d7c56fad938175e70b7ef85a9f
Author: Luke Howard
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
  M kdc/krb5tgs.c

Log Message:
-----------
kdc: check for cname-in-addl-tkt flag in constrained delegation

Before accepting an additional ticket for use with constrained delegation, verify the cname-in-addl-tkt flag was set. If not, ignore the request.

Commit: 27c6cf7a9f26883eee0b17b36dd58a52d2ca3d98
  https://github.com/heimdal/heimdal/commit/27c6cf7a9f26883eee0b17b36dd58a52d2ca3d98
Author: Luke Howard
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
  M kdc/kerberos5.c
  M kdc/krb5tgs.c

Log Message:
-----------
kdc: refactor anonymous checks in KDC

_kdc_is_anon_request() is only used by the AS, so make it static.

Centralize anonymous policy checks shared between AS and TGS into a shared function, _kdc_check_anon_policy().

When issuing an anonymous ticket, set the ticket flag early and test that rather than re-testing the request.
Compare: https://github.com/heimdal/heimdal/compare/cf940e15f4ea...27c6cf7a9f26

From noreply at github.com Mon Jun 3 06:42:24 2019
From: noreply at github.com (Luke Howard)
Date: Sun, 02 Jun 2019 21:42:24 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] cdd0b7: kdc: don't misidentify constrained delegation requ...
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: cdd0b70d37d87026e8618ff44b8d636c0bf9cb6c
  https://github.com/heimdal/heimdal/commit/cdd0b70d37d87026e8618ff44b8d636c0bf9cb6c
Author: Luke Howard
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
  M kdc/kerberos5.c
  M kdc/krb5tgs.c

Log Message:
-----------
kdc: don't misidentify constrained delegation requests as anonymous

Earlier (pre-7.6) Heimdal clients would send both the request-anonymous and cname-in-addl-tkt flags for constrained delegation requests. A true anonymous TGS request will only have the former flag set. Do not treat TGS requests with both flags set as anonymous requests.

From noreply at github.com Mon Jun 3 17:01:47 2019
From: noreply at github.com (Jeffrey Altman)
Date: Mon, 03 Jun 2019 08:01:47 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] cce6c6: kdc: history of request_anonymous vs cname-in-addl...
Message-ID:

Branch: refs/heads/jaltman/kdc-anon-request-confusion
Home: https://github.com/heimdal/heimdal
Commit: cce6c6dcf0f972bc6a9d2e7b4f2cb7f5aaa2030f
  https://github.com/heimdal/heimdal/commit/cce6c6dcf0f972bc6a9d2e7b4f2cb7f5aaa2030f
Author: Jeffrey Altman
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
  M kdc/kerberos5.c
  M kdc/krb5tgs.c

Log Message:
-----------
kdc: history of request_anonymous vs cname-in-addl-tkt confusion

Drafts 0 through 10 of the Kerberos anonymity internet draft, https://tools.ietf.org/html/draft-ietf-krb-wg-anon, specified the TicketFlags.anonymous flag as bit 14 and the KDCOptions.anonymous flag as bit 14.
These were changed to bit 16 by MIT after it was discovered that Microsoft used KDCOptions bit 14 for S4U2Proxy cname-in-addl-tkt.

(Feb 2007) Heimdal added constrained delegation support prior to 1.0 but named the KDCOptions flag constrained_delegation instead of cname-in-addl-tkt as per MS-SFU. It also assigned bit 16 instead of bit 14. Perhaps this was done in the hope that the conflict with Microsoft would be resolved in favor of the IETF internet draft instead of the proprietary protocol extension.

adf912182266321b754ed1cb5a705ba2103e139a ("Add PA-ClientCanonicalized and friends.") introduced the KDCOptions.constrained_delegation flag as bit 16.

(June 2007) In order to make Heimdal's constrained delegation work with Microsoft's implementation Heimdal began to set both KDCOptions bits 14 and 16 when requesting constrained delegation.

d5bb7a7c566841d52662b230248f06522bfa64ad ("(krb5_get_creds): if KRB5_GC_CONSTRAINED_DELEGATION is set, set both") set both the anonymous and constrained_delegation TicketFlags when issuing a S4U2Proxy request.

(June 2010) MIT reassigned the KDCOption.anonymous and TicketFlags.anonymous flags to bit 16. draft-ietf-krb-anon-11 was published with this change.

(July 2014) After the release of Heimdal 1.5.0 and prior to 1.5.1 it was noticed that Heimdal's anonymous TGT support did not interoperate with MIT.

86554f5a7f81da1efa2849fa6961ca71ad3b8e90 ("Use correct value for anonymous flags") swapped the bit assignments for request_anonymous and constrained_delegation but failed to remove the setting of KDCOptions bit 16 ("anonymous") when requesting constrained delegation.

(May 2019) Prior to the 7.6 release many corrections to Heimdal's anonymity support were introduced to bring it into compliance with RFC8062. This included support for requesting anonymous tickets via the TGS service. Because not all KDCs can satisfy anonymous requests the client must verify if the response was anonymized.
This check wasn't added until after 7.6 was released. 014e318d6bdefd8ecfcb99ca9928921f6a49d721 ("krb5: check KDC supports anonymous if requested").

The combination of setting KDCOption.anonymous when requesting constrained delegation and the anonymized ticket validation broke S4U2Proxy requests to Windows KDCs. Windows KDCs ignore the KDCOption.anonymous flag when processing a TGS request with KDCOption.cname-in-addl-tkt set.

ea7615ade3af28843f358e715703226b760db73b ("Do not set anonymous flag in S4U2Proxy request") removed the behavior of setting the KDCOption.anonymous flag that should have been removed in July 2014.

(June 2019) The Heimdal KDC includes fallback logic to handle Heimdal clients from 1.0 to 1.5.0, inclusive, that set the KDCOptions.anonymous flag as bit 14. Prior to the 7.7 release this logic only handled AS requests but failed to handle the constrained delegation request case where both bits 14 and 16 were set in the TGS request.

cdd0b70d37d87026e8618ff44b8d636c0bf9cb6c ("kdc: don't misidentify constrained delegation requests as anonymous") added the TGS request validation to distinguish anonymous requests from constrained delegation requests.

This change documents the history in the commit message and updates some in-tree comments.

Change-Id: I625cd012e2e6c263c71948c6021cc2fad4d2e53a

From noreply at github.com Tue Jun 4 01:35:20 2019
From: noreply at github.com (Jeffrey Altman)
Date: Mon, 03 Jun 2019 16:35:20 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 4331f4: kdc: history of request_anonymous vs cname-in-addl...
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 4331f4c7d4679762cd3d68ba6262745d9b122674
  https://github.com/heimdal/heimdal/commit/4331f4c7d4679762cd3d68ba6262745d9b122674
Author: Jeffrey Altman
Date: 2019-06-04 (Tue, 04 Jun 2019)

Changed paths:
  M kdc/kerberos5.c
  M kdc/krb5tgs.c

Log Message:
-----------
kdc: history of request_anonymous vs cname-in-addl-tkt confusion

Drafts 0 through 10 of the Kerberos anonymity internet draft, https://tools.ietf.org/html/draft-ietf-krb-wg-anon, specified the TicketFlags.anonymous flag as bit 14 and the KDCOptions.anonymous flag as bit 14. These were changed to bit 16 by MIT after it was discovered that Microsoft used KDCOptions bit 14 for S4U2Proxy cname-in-addl-tkt.

(Feb 2007) Heimdal added constrained delegation support prior to 1.0 but named the KDCOptions flag constrained_delegation instead of cname-in-addl-tkt as per MS-SFU. It also assigned bit 16 instead of bit 14. Perhaps this was done in the hope that the conflict with Microsoft would be resolved in favor of the IETF internet draft instead of the proprietary protocol extension.

adf912182266321b754ed1cb5a705ba2103e139a ("Add PA-ClientCanonicalized and friends.") introduced the KDCOptions.constrained_delegation flag as bit 16.

(June 2007) In order to make Heimdal's constrained delegation work with Microsoft's implementation Heimdal began to set both KDCOptions bits 14 and 16 when requesting constrained delegation.

d5bb7a7c566841d52662b230248f06522bfa64ad ("(krb5_get_creds): if KRB5_GC_CONSTRAINED_DELEGATION is set, set both") set both the anonymous and constrained_delegation TicketFlags when issuing a S4U2Proxy request.

(June 2010) MIT reassigned the KDCOption.anonymous and TicketFlags.anonymous flags to bit 16. draft-ietf-krb-anon-11 was published with this change.

(July 2014) After the release of Heimdal 1.5.0 and prior to 1.5.1 it was noticed that Heimdal's anonymous TGT support did not interoperate with MIT.
86554f5a7f81da1efa2849fa6961ca71ad3b8e90 ("Use correct value for anonymous flags") swapped the bit assignments for request_anonymous and constrained_delegation but failed to remove the setting of KDCOptions bit 16 ("anonymous") when requesting constrained delegation.

(May 2019) Prior to the 7.6 release many corrections to Heimdal's anonymity support were introduced to bring it into compliance with RFC8062. This included support for requesting anonymous tickets via the TGS service. Because not all KDCs can satisfy anonymous requests the client must verify if the response was anonymized. This check wasn't added until after 7.6 was released. 014e318d6bdefd8ecfcb99ca9928921f6a49d721 ("krb5: check KDC supports anonymous if requested").

The combination of setting KDCOption.anonymous when requesting constrained delegation and the anonymized ticket validation broke S4U2Proxy requests to Windows KDCs. Windows KDCs ignore the KDCOption.anonymous flag when processing a TGS request with KDCOption.cname-in-addl-tkt set.

ea7615ade3af28843f358e715703226b760db73b ("Do not set anonymous flag in S4U2Proxy request") removed the behavior of setting the KDCOption.anonymous flag that should have been removed in July 2014.

(June 2019) The Heimdal KDC includes fallback logic to handle Heimdal clients from 1.0 to 1.5.0, inclusive, that set the KDCOptions.anonymous flag as bit 14. Prior to the 7.7 release this logic only handled AS requests but failed to handle the constrained delegation request case where both bits 14 and 16 were set in the TGS request.

cdd0b70d37d87026e8618ff44b8d636c0bf9cb6c ("kdc: don't misidentify constrained delegation requests as anonymous") added the TGS request validation to distinguish anonymous requests from constrained delegation requests.

This change documents the history in the commit message and updates some in-tree comments.
Change-Id: I625cd012e2e6c263c71948c6021cc2fad4d2e53a

From noreply at github.com Tue Jun 4 04:17:51 2019
From: noreply at github.com (Jeffrey Altman)
Date: Mon, 03 Jun 2019 19:17:51 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

Branch: refs/heads/jaltman/kdc-anon-request-confusion
Home: https://github.com/heimdal/heimdal

From noreply at github.com Tue Jun 4 04:31:41 2019
From: noreply at github.com (Jeffrey Altman)
Date: Mon, 03 Jun 2019 19:31:41 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] b365c2: Do not set anonymous flag in S4U2Proxy request
Message-ID:

Branch: refs/heads/jaltman/7.7-cherry-picks
Home: https://github.com/heimdal/heimdal
Commit: b365c208bdb8bf7352e1fad3ed2917956706f87d
  https://github.com/heimdal/heimdal/commit/b365c208bdb8bf7352e1fad3ed2917956706f87d
Author: Isaac Boukris
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
  M lib/krb5/get_cred.c

Log Message:
-----------
Do not set anonymous flag in S4U2Proxy request

It is not specified in MS-SFU, Apple dropped it as well and it now breaks master branch.

Signed-off-by: Isaac Boukris
(cherry picked from commit ea7615ade3af28843f358e715703226b760db73b)

Commit: bd632a28e5257eabf527979c9b2f2a58201b316c
  https://github.com/heimdal/heimdal/commit/bd632a28e5257eabf527979c9b2f2a58201b316c
Author: Luke Howard
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
  M kdc/kerberos5.c
  M lib/asn1/krb5.asn1
  M lib/krb5/get_cred.c

Log Message:
-----------
krb5: rename constrained-delegation to cname-in-addl-tkt

For consistency with [MS-SFU] rename the constrained-delegation KDC option to cname-in-addl-tkt (client name in additional ticket).
(cherry picked from commit cf940e15f4eac71d7b739bbb6672d7be9f9b98cb)

Commit: 976294e0ee64ac2ce9a76fe1ce63c8ae69336363
  https://github.com/heimdal/heimdal/commit/976294e0ee64ac2ce9a76fe1ce63c8ae69336363
Author: Luke Howard
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
  M kdc/krb5tgs.c

Log Message:
-----------
kdc: check for cname-in-addl-tkt flag in constrained delegation

Before accepting an additional ticket for use with constrained delegation, verify the cname-in-addl-tkt flag was set. If not, ignore the request.

(cherry picked from commit 7381a280c82e29d7c56fad938175e70b7ef85a9f)

Commit: 0bf6a9ce9875a89ddbe0d94c6e5e7100cb152a90
  https://github.com/heimdal/heimdal/commit/0bf6a9ce9875a89ddbe0d94c6e5e7100cb152a90
Author: Luke Howard
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
  M kdc/kerberos5.c
  M kdc/krb5tgs.c

Log Message:
-----------
kdc: refactor anonymous checks in KDC

_kdc_is_anon_request() is only used by the AS, so make it static.

Centralize anonymous policy checks shared between AS and TGS into a shared function, _kdc_check_anon_policy().

When issuing an anonymous ticket, set the ticket flag early and test that rather than re-testing the request.

(cherry picked from commit 27c6cf7a9f26883eee0b17b36dd58a52d2ca3d98)

Commit: fe34442dd65e664f0952e5f495c05c2c0c7134fb
  https://github.com/heimdal/heimdal/commit/fe34442dd65e664f0952e5f495c05c2c0c7134fb
Author: Luke Howard
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
  M kdc/kerberos5.c
  M kdc/krb5tgs.c

Log Message:
-----------
kdc: don't misidentify constrained delegation requests as anonymous

Earlier (pre-7.6) Heimdal clients would send both the request-anonymous and cname-in-addl-tkt flags for constrained delegation requests. A true anonymous TGS request will only have the former flag set. Do not treat TGS requests with both flags set as anonymous requests.
(cherry picked from commit cdd0b70d37d87026e8618ff44b8d636c0bf9cb6c)

Commit: 38120019a95ace55c92d8ba463d0e7d59c2dc59f
  https://github.com/heimdal/heimdal/commit/38120019a95ace55c92d8ba463d0e7d59c2dc59f
Author: Jeffrey Altman
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
  M kdc/kerberos5.c
  M kdc/krb5tgs.c

Log Message:
-----------
kdc: history of request_anonymous vs cname-in-addl-tkt confusion

Drafts 0 through 10 of the Kerberos anonymity internet draft, https://tools.ietf.org/html/draft-ietf-krb-wg-anon, specified the TicketFlags.anonymous flag as bit 14 and the KDCOptions.anonymous flag as bit 14. These were changed to bit 16 by MIT after it was discovered that Microsoft used KDCOptions bit 14 for S4U2Proxy cname-in-addl-tkt.

(Feb 2007) Heimdal added constrained delegation support prior to 1.0 but named the KDCOptions flag constrained_delegation instead of cname-in-addl-tkt as per MS-SFU. It also assigned bit 16 instead of bit 14. Perhaps this was done in the hope that the conflict with Microsoft would be resolved in favor of the IETF internet draft instead of the proprietary protocol extension.

adf912182266321b754ed1cb5a705ba2103e139a ("Add PA-ClientCanonicalized and friends.") introduced the KDCOptions.constrained_delegation flag as bit 16.

(June 2007) In order to make Heimdal's constrained delegation work with Microsoft's implementation Heimdal began to set both KDCOptions bits 14 and 16 when requesting constrained delegation.

d5bb7a7c566841d52662b230248f06522bfa64ad ("(krb5_get_creds): if KRB5_GC_CONSTRAINED_DELEGATION is set, set both") set both the anonymous and constrained_delegation TicketFlags when issuing a S4U2Proxy request.

(June 2010) MIT reassigned the KDCOption.anonymous and TicketFlags.anonymous flags to bit 16. draft-ietf-krb-anon-11 was published with this change.

(July 2014) After the release of Heimdal 1.5.0 and prior to 1.5.1 it was noticed that Heimdal's anonymous TGT support did not interoperate with MIT.
86554f5a7f81da1efa2849fa6961ca71ad3b8e90 ("Use correct value for anonymous flags") swapped the bit assignments for request_anonymous and constrained_delegation but failed to remove the setting of KDCOptions bit 16 ("anonymous") when requesting constrained delegation.

(May 2019) Prior to the 7.6 release many corrections to Heimdal's anonymity support were introduced to bring it into compliance with RFC8062. This included support for requesting anonymous tickets via the TGS service. Because not all KDCs can satisfy anonymous requests the client must verify if the response was anonymized. This check wasn't added until after 7.6 was released. 014e318d6bdefd8ecfcb99ca9928921f6a49d721 ("krb5: check KDC supports anonymous if requested").

The combination of setting KDCOption.anonymous when requesting constrained delegation and the anonymized ticket validation broke S4U2Proxy requests to Windows KDCs. Windows KDCs ignore the KDCOption.anonymous flag when processing a TGS request with KDCOption.cname-in-addl-tkt set.

ea7615ade3af28843f358e715703226b760db73b ("Do not set anonymous flag in S4U2Proxy request") removed the behavior of setting the KDCOption.anonymous flag that should have been removed in July 2014.

(June 2019) The Heimdal KDC includes fallback logic to handle Heimdal clients from 1.0 to 1.5.0, inclusive, that set the KDCOptions.anonymous flag as bit 14. Prior to the 7.7 release this logic only handled AS requests but failed to handle the constrained delegation request case where both bits 14 and 16 were set in the TGS request.

cdd0b70d37d87026e8618ff44b8d636c0bf9cb6c ("kdc: don't misidentify constrained delegation requests as anonymous") added the TGS request validation to distinguish anonymous requests from constrained delegation requests.

This change documents the history in the commit message and updates some in-tree comments.
Change-Id: I625cd012e2e6c263c71948c6021cc2fad4d2e53a
(cherry picked from commit 4331f4c7d4679762cd3d68ba6262745d9b122674)

Compare: https://github.com/heimdal/heimdal/compare/b365c208bdb8%5E...38120019a95a

From noreply at github.com Tue Jun 4 05:30:07 2019
From: noreply at github.com (Jeffrey Altman)
Date: Mon, 03 Jun 2019 20:30:07 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 91d492: Do not set anonymous flag in S4U2Proxy request
Message-ID:

Branch: refs/heads/heimdal-7-1-branch
Home: https://github.com/heimdal/heimdal
Commit: 91d4920b3c08f4253aba489af5b1d08fdf08abac
  https://github.com/heimdal/heimdal/commit/91d4920b3c08f4253aba489af5b1d08fdf08abac
Author: Isaac Boukris
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
  M lib/krb5/get_cred.c

Log Message:
-----------
Do not set anonymous flag in S4U2Proxy request

It is not specified in MS-SFU, Apple dropped it as well and it now breaks master branch.

Signed-off-by: Isaac Boukris
(cherry picked from commit ea7615ade3af28843f358e715703226b760db73b)

Commit: ef210453f8045607891ebcf7780b4167364e5453
  https://github.com/heimdal/heimdal/commit/ef210453f8045607891ebcf7780b4167364e5453
Author: Luke Howard
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
  M kdc/kerberos5.c
  M lib/asn1/krb5.asn1
  M lib/krb5/get_cred.c

Log Message:
-----------
krb5: rename constrained-delegation to cname-in-addl-tkt

For consistency with [MS-SFU] rename the constrained-delegation KDC option to cname-in-addl-tkt (client name in additional ticket).

(cherry picked from commit cf940e15f4eac71d7b739bbb6672d7be9f9b98cb)

Commit: 7c84781cd2525aaaad5285eb09c86c7f1b82ac7c
  https://github.com/heimdal/heimdal/commit/7c84781cd2525aaaad5285eb09c86c7f1b82ac7c
Author: Luke Howard
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
  M kdc/krb5tgs.c

Log Message:
-----------
kdc: check for cname-in-addl-tkt flag in constrained delegation

Before accepting an additional ticket for use with constrained delegation, verify the cname-in-addl-tkt flag was set.
If not, ignore the request.

(cherry picked from commit 7381a280c82e29d7c56fad938175e70b7ef85a9f)

Commit: 172e4356db0a4ccd1d834d74bdd0478209ab6df9
  https://github.com/heimdal/heimdal/commit/172e4356db0a4ccd1d834d74bdd0478209ab6df9
Author: Luke Howard
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
  M kdc/kerberos5.c
  M kdc/krb5tgs.c

Log Message:
-----------
kdc: refactor anonymous checks in KDC

_kdc_is_anon_request() is only used by the AS, so make it static.

Centralize anonymous policy checks shared between AS and TGS into a shared function, _kdc_check_anon_policy().

When issuing an anonymous ticket, set the ticket flag early and test that rather than re-testing the request.

(cherry picked from commit 27c6cf7a9f26883eee0b17b36dd58a52d2ca3d98)

Commit: 2f5b57bffb06f80d0f085169aca21988837a1e0c
  https://github.com/heimdal/heimdal/commit/2f5b57bffb06f80d0f085169aca21988837a1e0c
Author: Luke Howard
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
  M kdc/kerberos5.c
  M kdc/krb5tgs.c

Log Message:
-----------
kdc: don't misidentify constrained delegation requests as anonymous

Earlier (pre-7.6) Heimdal clients would send both the request-anonymous and cname-in-addl-tkt flags for constrained delegation requests. A true anonymous TGS request will only have the former flag set. Do not treat TGS requests with both flags set as anonymous requests.

(cherry picked from commit cdd0b70d37d87026e8618ff44b8d636c0bf9cb6c)

Commit: 0cb00b83fd8accc095441f41afa3db2514240cc8
  https://github.com/heimdal/heimdal/commit/0cb00b83fd8accc095441f41afa3db2514240cc8
Author: Jeffrey Altman
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
  M kdc/kerberos5.c
  M kdc/krb5tgs.c

Log Message:
-----------
kdc: history of request_anonymous vs cname-in-addl-tkt confusion

Drafts 0 through 10 of the Kerberos anonymity internet draft, https://tools.ietf.org/html/draft-ietf-krb-wg-anon, specified the TicketFlags.anonymous flag as bit 14 and the KDCOptions.anonymous flag as bit 14.
These were changed to bit 16 by MIT after it was discovered that Microsoft used KDCOptions bit 14 for S4U2Proxy cname-in-addl-tkt.

(Feb 2007) Heimdal added constrained delegation support prior to 1.0 but named the KDCOptions flag constrained_delegation instead of cname-in-addl-tkt as per MS-SFU. It also assigned bit 16 instead of bit 14. Perhaps this was done in the hope that the conflict with Microsoft would be resolved in favor of the IETF internet draft instead of the proprietary protocol extension.

adf912182266321b754ed1cb5a705ba2103e139a ("Add PA-ClientCanonicalized and friends.") introduced the KDCOptions.constrained_delegation flag as bit 16.

(June 2007) In order to make Heimdal's constrained delegation work with Microsoft's implementation Heimdal began to set both KDCOptions bits 14 and 16 when requesting constrained delegation.

d5bb7a7c566841d52662b230248f06522bfa64ad ("(krb5_get_creds): if KRB5_GC_CONSTRAINED_DELEGATION is set, set both") set both the anonymous and constrained_delegation TicketFlags when issuing a S4U2Proxy request.

(June 2010) MIT reassigned the KDCOption.anonymous and TicketFlags.anonymous flags to bit 16. draft-ietf-krb-anon-11 was published with this change.

(July 2014) After the release of Heimdal 1.5.0 and prior to 1.5.1 it was noticed that Heimdal's anonymous TGT support did not interoperate with MIT.

86554f5a7f81da1efa2849fa6961ca71ad3b8e90 ("Use correct value for anonymous flags") swapped the bit assignments for request_anonymous and constrained_delegation but failed to remove the setting of KDCOptions bit 16 ("anonymous") when requesting constrained delegation.

(May 2019) Prior to the 7.6 release many corrections to Heimdal's anonymity support were introduced to bring it into compliance with RFC8062. This included support for requesting anonymous tickets via the TGS service. Because not all KDCs can satisfy anonymous requests the client must verify if the response was anonymized.
This check wasn't added until after 7.6 was released. 014e318d6bdefd8ecfcb99ca9928921f6a49d721 ("krb5: check KDC supports anonymous if requested").

The combination of setting KDCOption.anonymous when requesting constrained delegation and the anonymized ticket validation broke S4U2Proxy requests to Windows KDCs. Windows KDCs ignore the KDCOption.anonymous flag when processing a TGS request with KDCOption.cname-in-addl-tkt set.

ea7615ade3af28843f358e715703226b760db73b ("Do not set anonymous flag in S4U2Proxy request") removed the behavior of setting the KDCOption.anonymous flag that should have been removed in July 2014.

(June 2019) The Heimdal KDC includes fallback logic to handle Heimdal clients from 1.0 to 1.5.0, inclusive, that set the KDCOptions.anonymous flag as bit 14. Prior to the 7.7 release this logic only handled AS requests but failed to handle the constrained delegation request case where both bits 14 and 16 were set in the TGS request.

cdd0b70d37d87026e8618ff44b8d636c0bf9cb6c ("kdc: don't misidentify constrained delegation requests as anonymous") added the TGS request validation to distinguish anonymous requests from constrained delegation requests.

This change documents the history in the commit message and updates some in-tree comments.
Change-Id: I625cd012e2e6c263c71948c6021cc2fad4d2e53a
(cherry picked from commit 4331f4c7d4679762cd3d68ba6262745d9b122674)

Compare: https://github.com/heimdal/heimdal/compare/ed7bd297861e...0cb00b83fd8a

From noreply at github.com Tue Jun 4 05:30:10 2019
From: noreply at github.com (Jeffrey Altman)
Date: Mon, 03 Jun 2019 20:30:10 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

Branch: refs/heads/jaltman/7.7-cherry-picks
Home: https://github.com/heimdal/heimdal

From noreply at github.com Tue Jun 4 05:53:47 2019
From: noreply at github.com (Jeffrey Altman)
Date: Mon, 03 Jun 2019 20:53:47 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 725a18: Heimdal 7.7 NEWS
Message-ID:

Branch: refs/heads/jaltman/7.7-NEWS
Home: https://github.com/heimdal/heimdal
Commit: 725a1878e521c84c9c6665075e5aea10434525c7
https://github.com/heimdal/heimdal/commit/725a1878e521c84c9c6665075e5aea10434525c7
Author: Jeffrey Altman
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
M NEWS

Log Message:
-----------
Heimdal 7.7 NEWS

Change-Id: Ic7651ad7d94f6bf4f5695d805f48510e8344f3d7

Commit: d9fda63fd4a9c16faaa032c1a3bc458d3551b2a1
https://github.com/heimdal/heimdal/commit/d9fda63fd4a9c16faaa032c1a3bc458d3551b2a1
Author: Jeffrey Altman
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
M windows/NTMakefile.version

Log Message:
-----------
windows: the 7.x series is not pre-release

The VER_PRERELEASE define should not be present for a release series. Uncomment it.
Change-Id: I71a1bf1a971f086d37ab8f4a8bdd9896548ed566

Commit: 83ec9cb141d9c02906b521e31e8b04bf471e0201
https://github.com/heimdal/heimdal/commit/83ec9cb141d9c02906b521e31e8b04bf471e0201
Author: Jeffrey Altman
Date: 2019-06-03 (Mon, 03 Jun 2019)

Changed paths:
M configure.ac
M windows/NTMakefile.version

Log Message:
-----------
Bump version to 7.7.0

Change-Id: Ifce23fa75fa01664116b37a8a19dcf375ad9cf51

Compare: https://github.com/heimdal/heimdal/compare/954d3bf9ada3...83ec9cb141d9

From noreply at github.com Thu Jun 6 04:56:59 2019
From: noreply at github.com (Jeffrey Altman)
Date: Wed, 05 Jun 2019 19:56:59 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] fd7245: Heimdal 7.7 NEWS
Message-ID:

Branch: refs/heads/heimdal-7-1-branch
Home: https://github.com/heimdal/heimdal
Commit: fd7245ae3957e0c8e32be88e8254c805c7707f4a
https://github.com/heimdal/heimdal/commit/fd7245ae3957e0c8e32be88e8254c805c7707f4a
Author: Jeffrey Altman
Date: 2019-06-05 (Wed, 05 Jun 2019)

Changed paths:
M NEWS

Log Message:
-----------
Heimdal 7.7 NEWS

Change-Id: Ic7651ad7d94f6bf4f5695d805f48510e8344f3d7

Commit: 6df21882b213940c085c14882a033eb0b7a62120
https://github.com/heimdal/heimdal/commit/6df21882b213940c085c14882a033eb0b7a62120
Author: Jeffrey Altman
Date: 2019-06-05 (Wed, 05 Jun 2019)

Changed paths:
M windows/NTMakefile.version

Log Message:
-----------
windows: the 7.x series is not pre-release

The VER_PRERELEASE define should not be present for a release series. Uncomment it.
Change-Id: I71a1bf1a971f086d37ab8f4a8bdd9896548ed566

Commit: e1959605bd490e1eb9ea5e2277f4a332208097de
https://github.com/heimdal/heimdal/commit/e1959605bd490e1eb9ea5e2277f4a332208097de
Author: Jeffrey Altman
Date: 2019-06-05 (Wed, 05 Jun 2019)

Changed paths:
M configure.ac
M windows/NTMakefile.version

Log Message:
-----------
Bump version to 7.7.0

Change-Id: Ifce23fa75fa01664116b37a8a19dcf375ad9cf51

Compare: https://github.com/heimdal/heimdal/compare/0cb00b83fd8a...e1959605bd49

From noreply at github.com Thu Jun 6 04:57:03 2019
From: noreply at github.com (Jeffrey Altman)
Date: Wed, 05 Jun 2019 19:57:03 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

Branch: refs/heads/jaltman/7.7-NEWS
Home: https://github.com/heimdal/heimdal

From noreply at github.com Fri Jun 7 16:43:12 2019
From: noreply at github.com (Jeffrey Altman)
Date: Fri, 07 Jun 2019 07:43:12 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

Branch: refs/tags/heimdal-7.7.0
Home: https://github.com/heimdal/heimdal

From noreply at github.com Sat Jun 8 04:03:07 2019
From: noreply at github.com (Jeffrey Altman)
Date: Fri, 07 Jun 2019 19:03:07 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 63b3f4: Create CODE_OF_CONDUCT.md
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 63b3f4cb3726cdd4a7ed4ada3bd949f9cce67c84
https://github.com/heimdal/heimdal/commit/63b3f4cb3726cdd4a7ed4ada3bd949f9cce67c84
Author: Jeffrey Altman
Date: 2019-06-07 (Fri, 07 Jun 2019)

Changed paths:
A CODE_OF_CONDUCT.md

Log Message:
-----------
Create CODE_OF_CONDUCT.md

From noreply at github.com Sat Jun 8 04:08:41 2019
From: noreply at github.com (Jeffrey Altman)
Date: Fri, 07 Jun 2019 19:08:41 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 492197: Create GitHub issue templates
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 4921975b626c6cdd0e6b378f30585f868e541896
https://github.com/heimdal/heimdal/commit/4921975b626c6cdd0e6b378f30585f868e541896
Author: Jeffrey Altman
Date: 2019-06-07 (Fri, 07 Jun 2019)

Changed paths:
A .github/ISSUE_TEMPLATE/bug_report.md
A .github/ISSUE_TEMPLATE/feature_request.md

Log Message:
-----------
Create GitHub issue templates

From noreply at github.com Sat Jun 8 04:10:51 2019
From: noreply at github.com (Jeffrey Altman)
Date: Fri, 07 Jun 2019 19:10:51 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 451975: .gitignore
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 4519757881366cf66e38d0566c676c8b6949a23a
https://github.com/heimdal/heimdal/commit/4519757881366cf66e38d0566c676c8b6949a23a
Author: Jeffrey Altman
Date: 2019-06-07 (Fri, 07 Jun 2019)

Changed paths:
M .gitignore

Log Message:
-----------
.gitignore

ignore Visual Studio Code directory (.vscode)

Change-Id: I4760ef5382cec6ef1c1c178fe477967132d73aed

From noreply at github.com Sat Jun 8 04:13:35 2019
From: noreply at github.com (Jeffrey Altman)
Date: Fri, 07 Jun 2019 19:13:35 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 7d8a72: .gitignore
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 7d8a72dbe6ddfa297a4a4d52623312ed6018f7ae
https://github.com/heimdal/heimdal/commit/7d8a72dbe6ddfa297a4a4d52623312ed6018f7ae
Author: Jeffrey Altman
Date: 2019-06-07 (Fri, 07 Jun 2019)

Changed paths:
M .gitignore

Log Message:
-----------
.gitignore

RimStar state file (rs_state.ini)

Change-Id: I110de7d64e23d644d70f8b37f4f5d7c2e3d087a4

From noreply at github.com Sat Jun 8 04:55:33 2019
From: noreply at github.com (Jeffrey Altman)
Date: Fri, 07 Jun 2019 19:55:33 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] b62bc5: Create SECURITY.md
Message-ID:

Branch: refs/heads/jaltman/security-policy
Home: https://github.com/heimdal/heimdal
Commit: b62bc5176288200f889ec7a73b4cc82f07c9b591
https://github.com/heimdal/heimdal/commit/b62bc5176288200f889ec7a73b4cc82f07c9b591
Author: Jeffrey Altman
Date: 2019-06-07 (Fri, 07 Jun 2019)

Changed paths:
A SECURITY.md

Log Message:
-----------
Create SECURITY.md

From noreply at github.com Sun Jun 9 19:29:09 2019
From: noreply at github.com (Jeffrey Altman)
Date: Sun, 09 Jun 2019 10:29:09 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] f37917: Update SECURITY.md
Message-ID:

Branch: refs/heads/jaltman/security-policy
Home: https://github.com/heimdal/heimdal
Commit: f379177f618dccf7c9a5a28839b7504aa8fe8b48
https://github.com/heimdal/heimdal/commit/f379177f618dccf7c9a5a28839b7504aa8fe8b48
Author: Jeffrey Altman
Date: 2019-06-09 (Sun, 09 Jun 2019)

Changed paths:
M SECURITY.md

Log Message:
-----------
Update SECURITY.md

This is a new PGP key for heimdal-security at heimdal.team

From noreply at github.com Sun Jun 9 19:43:49 2019
From: noreply at github.com (Jeffrey Altman)
Date: Sun, 09 Jun 2019 10:43:49 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 4a4971: Create SECURITY.md
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 4a4971a496942335def6f409e7de5baf0bb43fd5
https://github.com/heimdal/heimdal/commit/4a4971a496942335def6f409e7de5baf0bb43fd5
Author: Jeffrey Altman
Date: 2019-06-09 (Sun, 09 Jun 2019)

Changed paths:
A SECURITY.md

Log Message:
-----------
Create SECURITY.md

Commit: 15ae5f06a9c7a23215aee9244e6892f9c47a1ee2
https://github.com/heimdal/heimdal/commit/15ae5f06a9c7a23215aee9244e6892f9c47a1ee2
Author: Jeffrey Altman
Date: 2019-06-09 (Sun, 09 Jun 2019)

Changed paths:
M SECURITY.md

Log Message:
-----------
Update SECURITY.md

This is a new PGP key for heimdal-security at heimdal.team

Compare: https://github.com/heimdal/heimdal/compare/7d8a72dbe6dd...15ae5f06a9c7

From noreply at github.com Sun Jun 9 19:43:55 2019
From: noreply at github.com (Jeffrey Altman)
Date: Sun, 09 Jun 2019 10:43:55 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

Branch: refs/heads/jaltman/security-policy
Home: https://github.com/heimdal/heimdal

From noreply at github.com Mon Jun 17 03:23:53 2019
From: noreply at github.com (Roland C. Dowdeswell)
Date: Sun, 16 Jun 2019 18:23:53 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] fcd57a: Implement KRB5_TRACE using existing logging framework
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: fcd57af8e1497f4558789251768f9d2900b54679
https://github.com/heimdal/heimdal/commit/fcd57af8e1497f4558789251768f9d2900b54679
Author: Roland C. Dowdeswell
Date: 2019-06-16 (Sun, 16 Jun 2019)

Changed paths:
M lib/krb5/context.c

Log Message:
-----------
Implement KRB5_TRACE using existing logging framework

From noreply at github.com Fri Jun 21 16:12:01 2019
From: noreply at github.com (Roland C. Dowdeswell)
Date: Fri, 21 Jun 2019 07:12:01 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 9aa573: kdc: no error if req is fwdable on non-fwdable princ
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 9aa573c9ce76341f9835f43605e5925167076e20
https://github.com/heimdal/heimdal/commit/9aa573c9ce76341f9835f43605e5925167076e20
Author: Roland C. Dowdeswell
Date: 2019-06-21 (Fri, 21 Jun 2019)

Changed paths:
M kdc/kerberos5.c

Log Message:
-----------
kdc: no error if req is fwdable on non-fwdable princ

Instead of returning an error if the client asks for a forwardable ticket where it isn't allowed, we simply return one that isn't forwardable.

From noreply at github.com Fri Jun 21 17:32:05 2019
From: noreply at github.com (Roland C. Dowdeswell)
Date: Fri, 21 Jun 2019 08:32:05 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] f2bd71: Fix build for out-of-source objdir
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: f2bd714e69ffa5588304bef891c71f4551b481e1
https://github.com/heimdal/heimdal/commit/f2bd714e69ffa5588304bef891c71f4551b481e1
Author: Roland C. Dowdeswell
Date: 2019-06-21 (Fri, 21 Jun 2019)

Changed paths:
M configure.ac

Log Message:
-----------
Fix build for out-of-source objdir
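
The KDCOptions bit 14 / bit 16 history in the commit message cherry-picked from 4331f4c7d4679762cd3d68ba6262745d9b122674 earlier in this archive reduces to a small normalization rule, sketched here as an added example that is not Heimdal's code. The helper `normalize_kdc_options`, the enums and the sample requests are hypothetical, and the sketch assumes, following that message, that bit 14 in an AS request can only come from a Heimdal 1.0 to 1.5.0 client asking for an anonymous ticket, while bit 14 in a TGS request means constrained delegation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* KDCOptions is a bit string: bit 0 is the most significant bit of the
 * 32-bit word, so bit n has mask 1 << (31 - n). */
#define KDC_OPT_BIT(n)        (UINT32_C(1) << (31 - (n)))
#define OPT_CNAME_IN_ADDL_TKT KDC_OPT_BIT(14) /* MS-SFU; "anonymous" in drafts 0-10 */
#define OPT_REQUEST_ANONYMOUS KDC_OPT_BIT(16) /* anonymous from draft 11 onward */

enum req_type { REQ_AS, REQ_TGS };
enum intent { INTENT_PLAIN, INTENT_ANONYMOUS, INTENT_S4U2PROXY };

/* Hypothetical helper, not a Heimdal function: classify a request and
 * rewrite *opts to the current bit assignments. Assumes S4U2Proxy is
 * only ever sent to the TGS, as described in the commit message. */
static enum intent normalize_kdc_options(enum req_type type, uint32_t *opts)
{
    bool bit14 = (*opts & OPT_CNAME_IN_ADDL_TKT) != 0;
    bool bit16 = (*opts & OPT_REQUEST_ANONYMOUS) != 0;

    if (bit14 && type == REQ_TGS) { /* delegation; old clients also set bit 16 */
        *opts &= ~OPT_REQUEST_ANONYMOUS;
        return INTENT_S4U2PROXY;
    }
    if (bit14) { /* AS request using the draft 0-10 assignment: move 14 to 16 */
        *opts = (*opts & ~OPT_CNAME_IN_ADDL_TKT) | OPT_REQUEST_ANONYMOUS;
        return INTENT_ANONYMOUS;
    }
    return bit16 ? INTENT_ANONYMOUS : INTENT_PLAIN;
}

int main(void)
{
    /* Constructed sample requests, not captured traffic. */
    struct { enum req_type type; uint32_t opts; } reqs[] = {
        { REQ_AS,  OPT_CNAME_IN_ADDL_TKT },                         /* legacy anonymous */
        { REQ_TGS, OPT_CNAME_IN_ADDL_TKT | OPT_REQUEST_ANONYMOUS }, /* both bits set */
        { REQ_TGS, OPT_REQUEST_ANONYMOUS },                         /* RFC 8062 anonymous */
    };
    static const char *names[] = { "plain", "anonymous", "s4u2proxy" };
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
        uint32_t out = reqs[i].opts;
        enum intent r = normalize_kdc_options(reqs[i].type, &out);
        printf("%s 0x%08x -> 0x%08x %s\n", reqs[i].type == REQ_AS ? "AS " : "TGS",
               (unsigned)reqs[i].opts, (unsigned)out, names[r]);
    }
    return 0;
}
```

The second sample is the case that broke against Windows KDCs: a client that treats bit 16 in its own request as a demand for an anonymized reply rejects the ordinary delegated ticket it gets back.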