From noreply@github.com Thu May 2 19:44:56 2019
From: noreply@github.com (Jeffrey Altman)
Date: Thu, 02 May 2019 10:44:56 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] e60955: roken: getuserinfo WIN32 fix username string termi...
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal

Commit: e60955e83531d4f383c998d34b5dbbce12c15738
    https://github.com/heimdal/heimdal/commit/e60955e83531d4f383c998d34b5dbbce12c15738
Author: Jeffrey Altman
Date: 2019-05-02 (Thu, 02 May 2019)

Changed paths:
  M lib/roken/getuserinfo.c

Log Message:
-----------
roken: getuserinfo WIN32 fix username string termination

95eb83c42431e ("roken: Add roken_get_username() and friends") failed to copy the username C-String NUL terminator. As a result a "DOMAIN\user" is returned as "userIN\user".

Change-Id: I10027e4eef18364074eecf385fa9fab1ae68dbe7


From noreply@github.com Tue May 14 18:43:02 2019
From: noreply@github.com (Luke Howard)
Date: Tue, 14 May 2019 09:43:02 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] a0606b: CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self wit...
Message-ID:

Branch: refs/heads/jaltman/security
Home: https://github.com/heimdal/heimdal

Commit: a0606ba79004c1cee6bbcd90d8b8687d24ad1ee8
    https://github.com/heimdal/heimdal/commit/a0606ba79004c1cee6bbcd90d8b8687d24ad1ee8
Author: Isaac Boukris
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M kdc/krb5tgs.c

Log Message:
-----------
CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum

S4U2Self is an extension to Kerberos used in Active Directory to allow a service to request a Kerberos ticket to itself from the Kerberos Key Distribution Center (KDC) for a non-Kerberos authenticated user (principal in Kerberos parlance). This is useful to allow internal code paths to be standardized around Kerberos.

S4U2Proxy (constrained-delegation) is an extension of this mechanism allowing this impersonation to a second service over the network. It allows a privileged server that obtained a S4U2Self ticket to itself to then assert the identity of that principal to a second service and present itself as that principal to get services from the second service.

There is a flaw in Samba's AD DC in the Heimdal KDC.

When the Heimdal KDC checks the checksum that is placed on the S4U2Self packet by the server to protect the requested principal against modification, it does not confirm that the checksum algorithm that protects the user name (principal) in the request is keyed.

This allows a man-in-the-middle attacker who can intercept the request to the KDC to modify the packet by replacing the user name (principal) in the request with any desired user name (principal) that exists in the KDC and replace the checksum protecting that name with a CRC32 checksum (which requires no prior knowledge to compute).

This would allow a S4U2Self ticket requested on behalf of user name (principal) user@EXAMPLE.COM to any service to be changed to a S4U2Self ticket with a user name (principal) of Administrator@EXAMPLE.COM. This ticket would then contain the PAC of the modified user name (principal).

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)

=========================
Workaround and Mitigation
=========================

If the server does not take privileged actions based on Kerberos tickets obtained by S4U2Self nor obtains Kerberos tickets via further S4U2Proxy requests then this issue cannot be exploited.

Note that the path to an exploit is not generic, the KDC is not harmed by the malicious checksum, it is the client service requesting the ticket being misled, because it trusted the KDC to return the correct ticket and PAC.

It is out of scope for Samba to describe all of the possible tool chains that might be vulnerable. Here are two examples of possible exploits in order to explain the issue more clearly.

1). SFU2Self might be used by a web service authenticating an end user via OAuth, Shibboleth, or other protocols to obtain a S4U2Self Kerberos service ticket for use by any Kerberos service principal the web service has a keytab for. One example is acquiring an AFS token by requesting an afs/cell@REALM service ticket for a client via SFU2Self.

With this exploit an organization that deploys a KDC built from Heimdal (be it Heimdal directly or vendor versions such as found in Samba) is vulnerable to privilege escalation attacks.

2). If a server authenticates users using X509 certificates, and then uses S4U2Self to obtain a Kerberos service ticket on behalf of the user (principal) in order to authorize access to local resources, a man-in-the-middle attacker could allow a non-privileged user to access privileged resources being protected by the server, or privileged resources being protected by a second server, if the first server uses the S4U2Proxy extension in order to get a new Kerberos service ticket to obtain access to the second server.

In both these scenarios under conditions allowing man-in-the-middle active network protocol manipulation, a malicious user could authenticate using the non-Kerberized credentials of an unprivileged user, and then elevate its privileges by intercepting the packet from the server to the KDC and changing the requested user name (principal).

The only Samba clients that use S4U2Self are:
- the "net ads kerberos pac dump" (debugging) tool.
- the CIFS proxy in the deprecated/developer-only NTVFS file server. Note this code is not compiled or enabled by default.

In particular, winbindd does *not* use S4U2Self.

Finally, MIT Kerberos and so therefore the experimental MIT KDC backend for Samba AD is understood not to be impacted.
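Added example (not part of the advisory above, and not Heimdal's or Samba's code): a Python model of the PA-FOR-USER (PA-S4U2Self) checksum check, showing the pre-fix verifier that recomputes whatever checksum type the request names beside the fixed verifier that first rejects unkeyed types. The service key, principal names and request records are constructed; the checksum type numbers are the RFC 3961 / RFC 4757 values, the HMAC-MD5 construction with key usage 17 follows RFC 4757 and [MS-SFU], and the bytes the checksum covers are a simplified rendering of the [MS-SFU] PA-FOR-USER fields (zlib's CRC-32 stands in for the Kerberos variant).

```python
import hashlib
import hmac
import struct
import zlib

# Checksum type numbers from RFC 3961 / RFC 4757 (subset).
CKSUMTYPE_CRC32 = 1                  # unkeyed
CKSUMTYPE_RSA_MD5 = 7                # unkeyed
CKSUMTYPE_HMAC_SHA1_96_AES128 = 15   # keyed
CKSUMTYPE_HMAC_SHA1_96_AES256 = 16   # keyed
CKSUMTYPE_HMAC_MD5 = -138            # keyed; the type [MS-SFU] specifies for PA-FOR-USER

# Which types need the key: the whole fix reduces to asking this question first.
KEYED_CKSUMTYPES = {CKSUMTYPE_HMAC_MD5, CKSUMTYPE_HMAC_SHA1_96_AES128,
                    CKSUMTYPE_HMAC_SHA1_96_AES256}

KEY_USAGE_PA_FOR_USER = 17   # KERB_NON_KERB_CKSUM_SALT in [MS-SFU]
NT_PRINCIPAL = 1


def checksum_is_keyed(cksumtype: int) -> bool:
    """Can this checksum type only be produced with the key? (The pre-fix KDC never asked.)"""
    return cksumtype in KEYED_CKSUMTYPES


def pa_for_user_data(user_name: str, user_realm: str, auth_package: str = "Kerberos") -> bytes:
    """Bytes the PA-FOR-USER checksum covers (simplified from [MS-SFU] 2.2.1):
    name-type as 4-byte little-endian, then the name components, realm and auth-package."""
    data = struct.pack("<i", NT_PRINCIPAL)
    for component in user_name.split("/"):
        data += component.encode()
    return data + user_realm.encode() + auth_package.encode()


def hmac_md5_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """RFC 4757 section 4 keyed checksum: Ksign = HMAC(K, "signaturekey\\0"),
    checksum = HMAC(Ksign, MD5(usage_le32 || data))."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<i", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def crc32_checksum(data: bytes) -> bytes:
    """Unkeyed CRC-32: anyone holding the bytes can compute it."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def compute_checksum(cksumtype: int, key: bytes, data: bytes) -> bytes:
    if cksumtype == CKSUMTYPE_HMAC_MD5:
        return hmac_md5_checksum(key, KEY_USAGE_PA_FOR_USER, data)
    if cksumtype == CKSUMTYPE_CRC32:
        return crc32_checksum(data)
    raise ValueError(f"checksum type {cksumtype} not modelled")


def make_pa_for_user(user_name: str, user_realm: str, cksumtype: int, key: bytes) -> dict:
    """Build a PA-FOR-USER record as the requesting service would (key unused for CRC32)."""
    data = pa_for_user_data(user_name, user_realm)
    return {"user_name": user_name, "user_realm": user_realm,
            "cksumtype": cksumtype, "cksum": compute_checksum(cksumtype, key, data)}


def verify_pa_for_user_vulnerable(pa: dict, service_key: bytes) -> bool:
    """Pre-fix behaviour: recompute whatever checksum type the request names and compare."""
    data = pa_for_user_data(pa["user_name"], pa["user_realm"])
    try:
        expected = compute_checksum(pa["cksumtype"], service_key, data)
    except ValueError:
        return False
    return hmac.compare_digest(expected, pa["cksum"])


def verify_pa_for_user_fixed(pa: dict, service_key: bytes) -> bool:
    """Post-fix behaviour: reject any unkeyed checksum type before comparing values."""
    if not checksum_is_keyed(pa["cksumtype"]):
        return False   # the KDC refuses "PA-S4U2Self with unkeyed checksum"
    return verify_pa_for_user_vulnerable(pa, service_key)


def demo() -> dict:
    """Run three test vectors through both verifiers: (accepted_before_fix, accepted_after_fix)."""
    service_key = b"constructed-service-long-term-key"   # constructed, not a real key
    legitimate = make_pa_for_user("user", "EXAMPLE.COM", CKSUMTYPE_HMAC_MD5, service_key)
    # The advisory's case: name replaced, checksum swapped for a keyless CRC32.
    modified = make_pa_for_user("Administrator", "EXAMPLE.COM", CKSUMTYPE_CRC32, b"")
    # A keyed checksum made without the service key never verifies, before or after the fix.
    wrong_key = make_pa_for_user("Administrator", "EXAMPLE.COM", CKSUMTYPE_HMAC_MD5, b"not-the-key")
    return {
        "legitimate": (verify_pa_for_user_vulnerable(legitimate, service_key),
                       verify_pa_for_user_fixed(legitimate, service_key)),
        "modified_crc32": (verify_pa_for_user_vulnerable(modified, service_key),
                           verify_pa_for_user_fixed(modified, service_key)),
        "wrong_key": (verify_pa_for_user_vulnerable(wrong_key, service_key),
                      verify_pa_for_user_fixed(wrong_key, service_key)),
    }


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name:15s} accepted before fix: {before!s:5s} after fix: {after}")
```

The point of the model is the ordering inside `verify_pa_for_user_fixed`: a checksum value that verifies proves nothing unless the type could only have been produced with the service's key, so the type check has to come before the comparison.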
===============
Further Reading
===============

There is more detail on and a description of the protocols in [MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/

=======
Credits
=======

Originally reported by Isaac Boukris and Andrew Bartlett of the Samba Team and Catalyst.

Patches provided by Isaac Boukris.

Advisory written by Andrew Bartlett of the Samba Team and Catalyst, with contributions from Isaac Boukris, Jeffrey Altman and Jeremy Allison.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685

Change-Id: I4ac69ebf0503eb999a7d497a2c30fe4d293a8cc8
Signed-off-by: Isaac Boukris
Reviewed-by: Andrew Bartlett
Signed-off-by: Andrew Bartlett
Reviewed-by: Jeffrey Altman
Signed-off-by: Jeffrey Altman


Commit: eca2e5bc81ddbd968833cc1b97a8c652533de532
    https://github.com/heimdal/heimdal/commit/eca2e5bc81ddbd968833cc1b97a8c652533de532
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M lib/krb5/init_creds_pw.c
  M lib/krb5/krb5_locl.h
  M lib/krb5/pkinit.c

Log Message:
-----------
krb5: always confirm PA-PKINIT-KX for anon PKINIT

RFC8062 Section 7 requires verification of the PA-PKINIT-KX key exchange when anonymous PKINIT is used. Failure to do so can permit an active attacker to become a man-in-the-middle.

Introduced by a1ef548600c5bb51cf52a9a9ea12676506ede19f. First tagged release Heimdal 1.4.0.

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.8)

Change-Id: I6cc1c0c24985936468af08693839ac6c3edda133
Signed-off-by: Jeffrey Altman
Approved-by: Jeffrey Altman

Compare: https://github.com/heimdal/heimdal/compare/a0606ba79004%5E...eca2e5bc81dd


From noreply@github.com Tue May 14 21:16:21 2019
From: noreply@github.com (Luke Howard)
Date: Tue, 14 May 2019 12:16:21 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 1bc2eb: krb5: fix spelling error in debug log
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal

Commit: 1bc2eb33f9992142815152581c9fe2a8894d7964
    https://github.com/heimdal/heimdal/commit/1bc2eb33f9992142815152581c9fe2a8894d7964
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M lib/krb5/send_to_kdc.c

Log Message:
-----------
krb5: fix spelling error in debug log


Commit: 2f013b0d48552b263f5e90279692f55e152ba060
    https://github.com/heimdal/heimdal/commit/2f013b0d48552b263f5e90279692f55e152ba060
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M kdc/kerberos5.c

Log Message:
-----------
kdc: fix compliance with RFC 8062 Section 4.1

RFC 8062 states that if the client in the AS request is anonymous, the anonymous KDC option must be set in the request; otherwise, KDC_ERR_BADOPTION must be returned. We were previously returning KDC_ERR_C_PRINCIPAL_UNKNOWN.


Commit: 7a7eb9de2fc93e54362b4c8b9ecc15294bc1c762
    https://github.com/heimdal/heimdal/commit/7a7eb9de2fc93e54362b4c8b9ecc15294bc1c762
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M kdc/kerberos5.c

Log Message:
-----------
kdc: do not include PAC for anonymous AS requests

The PAC will typically contain information that may reveal the identity of a principal. Do not include it for anonymous requests, at least until such time as the PAC plugin API supports indicating that the request was anonymous.


Commit: 5c8f48495eab08736fc4f12a8fff0786303af1a7
    https://github.com/heimdal/heimdal/commit/5c8f48495eab08736fc4f12a8fff0786303af1a7
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M kdc/kerberos5.c

Log Message:
-----------
kdc: conform _kdc_make_anonymous_principalname() to RFC8062

The utility function _kdc_make_anonymous_principalname() previously returned a principal of "anonymous" rather than "WELLKNOWN/ANONYMOUS", as specified by RFC8062. This is not used by the AS-REQ code.


Commit: 63557427e0a1cd3d23c0942ab58bcae7c2e35534
    https://github.com/heimdal/heimdal/commit/63557427e0a1cd3d23c0942ab58bcae7c2e35534
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M kdc/kerberos5.c
  M kdc/pkinit.c

Log Message:
-----------
kdc: allow anonymous AS requests with long-term keys

RFC8062 section 4.1 allows clients with long-term KDC keys to set the anonymous flag; in this case their identity is authenticated but the returned ticket contains the anonymous principal name as the client name.

kdc: allow authenticated anonymous PKINIT

The KDC PKINIT code conflated the checks for authenticated and unauthenticated anonymous by only looking at the anonymous KDC request option.


Commit: 3051db0d5dbf52c9dbdb6ed357373ba78750304f
    https://github.com/heimdal/heimdal/commit/3051db0d5dbf52c9dbdb6ed357373ba78750304f
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M kuser/kinit.1
  M kuser/kinit.c
  M tests/kdc/check-kdc.in

Log Message:
-----------
kuser: support authenticated anonymous AS-REQs in kinit

Allow kinit to request anonymous tickets with authenticated clients, not just anonymous PKINIT.


Commit: af63541515643782a86d0fddf2b97b265b8ec44d
    https://github.com/heimdal/heimdal/commit/af63541515643782a86d0fddf2b97b265b8ec44d
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M kdc/kerberos5.c
  M kdc/krb5tgs.c

Log Message:
-----------
kdc: support for anonymous TGS-REQs

Allow non-anonymous tickets to be used to obtain an anonymous service ticket, by setting the anonymous KDC option. Do not include Win2K PAC in anonymous service tickets. Validate anonymous flags per RFC 8062.


Commit: 55ee6c12825aec0f4c557946c2e7e029484054db
    https://github.com/heimdal/heimdal/commit/55ee6c12825aec0f4c557946c2e7e029484054db
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M lib/krb5/get_cred.c
  M lib/krb5/krb5.h
  M lib/krb5/ticket.c

Log Message:
-----------
krb5: support for anonymous TGS requests

Add support to krb5_get_creds() for requesting anonymous service tickets using a TGT, using the flag KRB5_GC_ANONYMOUS.


Commit: 455961839179c55a07502b55203c153711e4d3f0
    https://github.com/heimdal/heimdal/commit/455961839179c55a07502b55203c153711e4d3f0
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M kuser/kgetcred.1
  M kuser/kgetcred.c

Log Message:
-----------
kuser: kgetcred support for anonymous service tickets


Commit: bcc90f1b87dd9e79577c0790a4d76efdaf6c6c51
    https://github.com/heimdal/heimdal/commit/bcc90f1b87dd9e79577c0790a4d76efdaf6c6c51
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M kdc/kerberos5.c
  M kuser/kinit.c
  M kuser/kuser_locl.h
  M lib/krb5/krb5_locl.h
  M lib/krb5/libkrb5-exports.def.in
  M lib/krb5/principal.c
  M lib/krb5/ticket.c
  M lib/krb5/version-script.map

Log Message:
-----------
krb5: _krb5_principal_is_anonymous() helper API

Add _krb5_principal_is_anonymous() private API for checking if a principal is anonymous or not. The third argument determines whether to match authenticated anonymous, unauthenticated anonymous, or both types of principal.
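Added example (not Heimdal's code, and not part of the commit notification above): a Python model of the RFC 8062 anonymous-principal rules the commits in this message describe, from the three-way match of _krb5_principal_is_anonymous() through the KDC's AS-REQ and TGS-REQ decisions (KDC_ERR_BADOPTION for an anonymous client name without the anonymous option, authenticated versus unauthenticated anonymous names, no PAC in anonymous tickets). The match-flag names, the AsReq/TgsReq/Ticket records and the `auth` labels are this model's own; the KDC error numbers are the RFC 4120 values; and the treatment of an anonymous TGT presented without the anonymous option is a modelling choice, since the commit only says the flags are validated.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# RFC 8062 section 3: well-known anonymous principal name and realm.
ANON_NAME = "WELLKNOWN/ANONYMOUS"
ANON_REALM = "WELLKNOWN:ANONYMOUS"

# RFC 4120 KDC error codes used by the model.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_BADOPTION = 13
KDC_ERR_PREAUTH_REQUIRED = 25

# Match selectors standing in for the third argument of
# _krb5_principal_is_anonymous(); these names are the model's, not Heimdal's.
MATCH_AUTHENTICATED = 1     # WELLKNOWN/ANONYMOUS@<the client's own realm>
MATCH_UNAUTHENTICATED = 2   # WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
MATCH_ANY = MATCH_AUTHENTICATED | MATCH_UNAUTHENTICATED


def split_principal(principal: str) -> Tuple[str, str]:
    """'name@REALM' -> (name, realm)."""
    name, _, realm = principal.rpartition("@")
    return name, realm


def principal_is_anonymous(principal: str, match: int = MATCH_ANY) -> bool:
    """True if the principal is an anonymous principal of the selected kind(s)."""
    name, realm = split_principal(principal)
    if name != ANON_NAME:
        return False
    if realm == ANON_REALM:
        return bool(match & MATCH_UNAUTHENTICATED)
    return bool(match & MATCH_AUTHENTICATED)


@dataclass
class Ticket:
    cname: str          # client name written into the ticket
    include_pac: bool   # whether a Windows PAC is embedded


@dataclass
class AsReq:
    cname: str              # client principal named in the request
    anonymous_option: bool  # RFC 8062 "anonymous" KDC option
    auth: Optional[str]     # "longterm", "pkinit-cert", "pkinit-anonymous" or None


def handle_as_req(req: AsReq) -> Union[Ticket, int]:
    """KDC decision for one AS-REQ; returns a Ticket or a KDC error code."""
    _, client_realm = split_principal(req.cname)
    names_anon = principal_is_anonymous(req.cname)

    # RFC 8062 4.1: an anonymous client name needs the anonymous option.
    # The fix returns KDC_ERR_BADOPTION here, not KDC_ERR_C_PRINCIPAL_UNKNOWN.
    if names_anon and not req.anonymous_option:
        return KDC_ERR_BADOPTION

    if req.auth == "pkinit-anonymous":
        # Unauthenticated anonymous PKINIT: no identity was proven, so the ticket
        # carries the anonymous name in the anonymous realm.
        if not req.anonymous_option:
            return KDC_ERR_BADOPTION
        return Ticket(f"{ANON_NAME}@{ANON_REALM}", include_pac=False)

    if req.auth not in ("longterm", "pkinit-cert"):
        return KDC_ERR_PREAUTH_REQUIRED   # plain RFC 4120 behaviour, not from this changeset

    if names_anon:
        return KDC_ERR_C_PRINCIPAL_UNKNOWN   # model: no database entry to authenticate against
    if req.anonymous_option:
        # Authenticated anonymous: identity verified (long-term key or certificate),
        # but the ticket names the anonymous principal in the client's own realm
        # and carries no PAC, which would otherwise reveal who the client is.
        return Ticket(f"{ANON_NAME}@{client_realm}", include_pac=False)
    return Ticket(req.cname, include_pac=True)


@dataclass
class TgsReq:
    tgt_cname: str          # client name carried in the presented TGT
    anonymous_option: bool


def handle_tgs_req(req: TgsReq) -> Union[Ticket, int]:
    """KDC decision for one TGS-REQ: anonymous service tickets from an ordinary TGT."""
    tgt_is_anon = principal_is_anonymous(req.tgt_cname)
    if tgt_is_anon and not req.anonymous_option:
        return KDC_ERR_BADOPTION   # modelling choice: an anonymous TGT only yields anonymous tickets
    if not req.anonymous_option:
        return Ticket(req.tgt_cname, include_pac=True)
    if tgt_is_anon:
        return Ticket(req.tgt_cname, include_pac=False)
    _, realm = split_principal(req.tgt_cname)
    return Ticket(f"{ANON_NAME}@{realm}", include_pac=False)   # no Win2K PAC in anonymous tickets


if __name__ == "__main__":
    print(handle_as_req(AsReq("alice@EXAMPLE.COM", True, "longterm")))
    print(handle_tgs_req(TgsReq("WELLKNOWN/ANONYMOUS@EXAMPLE.COM", True)))
```

The realm is what separates the two anonymous kinds: an authenticated anonymous ticket keeps the client's realm (the KDC knows who asked, the service does not), while an unauthenticated one uses WELLKNOWN:ANONYMOUS, which is why the helper needs a selector rather than a plain yes/no.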
Commit: 5ca229e0d9c19699eb39345a2a8513a956518cb7
    https://github.com/heimdal/heimdal/commit/5ca229e0d9c19699eb39345a2a8513a956518cb7
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M kuser/kinit.c
  M lib/krb5/krb5.h
  M lib/krb5/pkinit.c

Log Message:
-----------
krb5: krb5_get_init_creds_opt_set_pkinit flag names

Add macros to give symbolic names to the flags which can be passed to krb5_get_init_creds_opt_set_pkinit(). Reserve flags for BTMM and not validating KDC anchors.

Compare: https://github.com/heimdal/heimdal/compare/e60955e83531...5ca229e0d9c1


From noreply@github.com Tue May 14 21:52:04 2019
From: noreply@github.com (Jeffrey Altman)
Date: Tue, 14 May 2019 12:52:04 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] d497d7: krb5_sendto_kdc: failover for multiple AAAA/A RRs ...
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal

Commit: d497d7e4a796c6bda153e7f10fe9478724b855ab
    https://github.com/heimdal/heimdal/commit/d497d7e4a796c6bda153e7f10fe9478724b855ab
Author: Roland C. Dowdeswell
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M lib/krb5/send_to_kdc.c

Log Message:
-----------
krb5_sendto_kdc: failover for multiple AAAA/A RRs on one domain

We found that the library's behaviour when dealing with domains with more than one entry in them is slightly suboptimal. The situation was

    kdc1 IN A    1.2.3.4
    kdc1 IN AAAA ff02::1

I.e. a single hostname with both IPv6 and IPv4 addresses. When we run krb5_sendto_kdc on a box with only IPv4 addresses, there is a 3s delay before it fails back to the IPv4 address. This is because the library sets the 2nd address on each hostname to be 3s in the future and each additional one another 3s.

We change wait_response() s.t. if one is able to make progress, we iterate over the list of hosts and move them all 1s forward. We also modify submit_request() to skip hosts if host_connect() fails.


Commit: 8740528b2477f872147998ca19a66d2fae12631b
    https://github.com/heimdal/heimdal/commit/8740528b2477f872147998ca19a66d2fae12631b
Author: Viktor Dukhovni
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M lib/krb5/send_to_kdc.c

Log Message:
-----------
Windows-compatible sentinel socket type and value

Compare: https://github.com/heimdal/heimdal/compare/5ca229e0d9c1...8740528b2477


From noreply@github.com Tue May 14 21:52:26 2019
From: noreply@github.com (Luke Howard)
Date: Tue, 14 May 2019 12:52:26 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] c6257c: CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self wit...
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal

Commit: c6257cc2c842c0faaeb4ef34e33890ee88c4cbba
    https://github.com/heimdal/heimdal/commit/c6257cc2c842c0faaeb4ef34e33890ee88c4cbba
Author: Isaac Boukris
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M kdc/krb5tgs.c

Log Message:
-----------
CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum

S4U2Self is an extension to Kerberos used in Active Directory to allow a service to request a Kerberos ticket to itself from the Kerberos Key Distribution Center (KDC) for a non-Kerberos authenticated user (principal in Kerberos parlance). This is useful to allow internal code paths to be standardized around Kerberos.

S4U2Proxy (constrained-delegation) is an extension of this mechanism allowing this impersonation to a second service over the network. It allows a privileged server that obtained a S4U2Self ticket to itself to then assert the identity of that principal to a second service and present itself as that principal to get services from the second service.

There is a flaw in Samba's AD DC in the Heimdal KDC.

When the Heimdal KDC checks the checksum that is placed on the S4U2Self packet by the server to protect the requested principal against modification, it does not confirm that the checksum algorithm that protects the user name (principal) in the request is keyed.

This allows a man-in-the-middle attacker who can intercept the request to the KDC to modify the packet by replacing the user name (principal) in the request with any desired user name (principal) that exists in the KDC and replace the checksum protecting that name with a CRC32 checksum (which requires no prior knowledge to compute).

This would allow a S4U2Self ticket requested on behalf of user name (principal) user@EXAMPLE.COM to any service to be changed to a S4U2Self ticket with a user name (principal) of Administrator@EXAMPLE.COM. This ticket would then contain the PAC of the modified user name (principal).

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)

=========================
Workaround and Mitigation
=========================

If the server does not take privileged actions based on Kerberos tickets obtained by S4U2Self nor obtains Kerberos tickets via further S4U2Proxy requests then this issue cannot be exploited.

Note that the path to an exploit is not generic, the KDC is not harmed by the malicious checksum, it is the client service requesting the ticket being misled, because it trusted the KDC to return the correct ticket and PAC.

It is out of scope for Samba to describe all of the possible tool chains that might be vulnerable. Here are two examples of possible exploits in order to explain the issue more clearly.

1). SFU2Self might be used by a web service authenticating an end user via OAuth, Shibboleth, or other protocols to obtain a S4U2Self Kerberos service ticket for use by any Kerberos service principal the web service has a keytab for. One example is acquiring an AFS token by requesting an afs/cell@REALM service ticket for a client via SFU2Self.

With this exploit an organization that deploys a KDC built from Heimdal (be it Heimdal directly or vendor versions such as found in Samba) is vulnerable to privilege escalation attacks.

2). If a server authenticates users using X509 certificates, and then uses S4U2Self to obtain a Kerberos service ticket on behalf of the user (principal) in order to authorize access to local resources, a man-in-the-middle attacker could allow a non-privileged user to access privileged resources being protected by the server, or privileged resources being protected by a second server, if the first server uses the S4U2Proxy extension in order to get a new Kerberos service ticket to obtain access to the second server.

In both these scenarios under conditions allowing man-in-the-middle active network protocol manipulation, a malicious user could authenticate using the non-Kerberized credentials of an unprivileged user, and then elevate its privileges by intercepting the packet from the server to the KDC and changing the requested user name (principal).

The only Samba clients that use S4U2Self are:
- the "net ads kerberos pac dump" (debugging) tool.
- the CIFS proxy in the deprecated/developer-only NTVFS file server. Note this code is not compiled or enabled by default.

In particular, winbindd does *not* use S4U2Self.

Finally, MIT Kerberos and so therefore the experimental MIT KDC backend for Samba AD is understood not to be impacted.

===============
Further Reading
===============

There is more detail on and a description of the protocols in [MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/

=======
Credits
=======

Originally reported by Isaac Boukris and Andrew Bartlett of the Samba Team and Catalyst.

Patches provided by Isaac Boukris.

Advisory written by Andrew Bartlett of the Samba Team and Catalyst, with contributions from Isaac Boukris, Jeffrey Altman and Jeremy Allison.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685

Change-Id: I4ac69ebf0503eb999a7d497a2c30fe4d293a8cc8
Signed-off-by: Isaac Boukris
Reviewed-by: Andrew Bartlett
Signed-off-by: Andrew Bartlett
Reviewed-by: Jeffrey Altman
Signed-off-by: Jeffrey Altman


Commit: 38c797e1ae9b9c8f99ae4aa2e73957679031fd2b
    https://github.com/heimdal/heimdal/commit/38c797e1ae9b9c8f99ae4aa2e73957679031fd2b
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M lib/krb5/init_creds_pw.c
  M lib/krb5/krb5_locl.h
  M lib/krb5/pkinit.c

Log Message:
-----------
krb5: always confirm PA-PKINIT-KX for anon PKINIT

RFC8062 Section 7 requires verification of the PA-PKINIT-KX key exchange when anonymous PKINIT is used. Failure to do so can permit an active attacker to become a man-in-the-middle.

Introduced by a1ef548600c5bb51cf52a9a9ea12676506ede19f. First tagged release Heimdal 1.4.0.
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.8)

Change-Id: I6cc1c0c24985936468af08693839ac6c3edda133
Signed-off-by: Jeffrey Altman
Approved-by: Jeffrey Altman

Compare: https://github.com/heimdal/heimdal/compare/8740528b2477...38c797e1ae9b


From noreply@github.com Tue May 14 21:52:36 2019
From: noreply@github.com (Jeffrey Altman)
Date: Tue, 14 May 2019 12:52:36 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

Branch: refs/heads/jaltman/security
Home: https://github.com/heimdal/heimdal


From noreply@github.com Tue May 14 23:48:10 2019
From: noreply@github.com (Jeffrey Altman)
Date: Tue, 14 May 2019 14:48:10 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] a57518: hx509: update gen_req.sh for OpenSSL 1.1 (#392)
Message-ID:

Branch: refs/heads/heimdal-7-1-branch
Home: https://github.com/heimdal/heimdal

Commit: a57518fcf68b1a561567ed053bab957842238e0d
    https://github.com/heimdal/heimdal/commit/a57518fcf68b1a561567ed053bab957842238e0d
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M lib/hx509/Makefile.am
  M lib/hx509/data/gen-req.sh
  A lib/hx509/data/openssl.1.0.cnf
  A lib/hx509/data/openssl.1.1.cnf
  R lib/hx509/data/openssl.cnf

Log Message:
-----------
hx509: update gen_req.sh for OpenSSL 1.1 (#392)

OpenSSL 1.1 has the pkInitKDC OID built in, which breaks as it was redefined by openssl.cnf in Heimdal. Try to determine if OpenSSL >= 1.1 and if so, use a configuration file that omits this OID definition. The implementation is not robust but as this is simply an example (not run by the test suites), it should be adequate.

(cherry picked from commit 6561afff3afdf74e3c9c7b0ecaad4b141275431f)


Commit: 66afdfe1fe639e7b4653d1a8c38199570c2017c3
    https://github.com/heimdal/heimdal/commit/66afdfe1fe639e7b4653d1a8c38199570c2017c3
Author: Quanah Gibson-Mount
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M lib/hx509/data/gen-req.sh
  M lib/hx509/data/mkcert.sh

Log Message:
-----------
For https://github.com/heimdal/heimdal/issues/392

Modern OpenSSL no longer has the 2038 year restriction. Update the certs to last 500 years rather than 10 years.

Modern crypto requirements suggest a stronger key strength than 1024. Update to use a minimum of 4096.

Fix executable bit on gen-req.sh

(cherry picked from commit 98f904036c7988f5b53a5880ad7b3cf0b3bb6f0f)


Commit: 9e00fc27d001e118a71ad58c4e101067c432d32c
    https://github.com/heimdal/heimdal/commit/9e00fc27d001e118a71ad58c4e101067c432d32c
Author: Quanah Gibson-Mount
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M lib/hx509/data/openssl.1.1.cnf

Log Message:
-----------
For https://github.com/heimdal/heimdal/issues/392

Correctly reference the OID so gen-cert.sh works correctly

(cherry picked from commit 2d193d380d13e0c8b3c9312c26613d58fa7837df)


Commit: 7e602b62c6b4c5ba31a09c52dae7081a235e0511
    https://github.com/heimdal/heimdal/commit/7e602b62c6b4c5ba31a09c52dae7081a235e0511
Author: Quanah Gibson-Mount
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M lib/hx509/data/ca.crt
  M lib/hx509/data/ca.key
  M lib/hx509/data/crl1.crl
  M lib/hx509/data/crl1.der
  M lib/hx509/data/https.crt
  M lib/hx509/data/https.key
  M lib/hx509/data/kdc.crt
  M lib/hx509/data/kdc.key
  M lib/hx509/data/no-proxy-test.crt
  M lib/hx509/data/no-proxy-test.key
  M lib/hx509/data/ocsp-req1.der
  M lib/hx509/data/ocsp-req2.der
  M lib/hx509/data/ocsp-resp1-ca.der
  M lib/hx509/data/ocsp-resp1-keyhash.der
  M lib/hx509/data/ocsp-resp1-ocsp-no-cert.der
  M lib/hx509/data/ocsp-resp1-ocsp.der
  M lib/hx509/data/ocsp-resp2.der
  M lib/hx509/data/ocsp-responder.crt
  M lib/hx509/data/ocsp-responder.key
  M lib/hx509/data/pkinit-ec.crt
  M lib/hx509/data/pkinit-ec.key
  M lib/hx509/data/pkinit-proxy-chain.crt
  M lib/hx509/data/pkinit-proxy.crt
  M lib/hx509/data/pkinit-proxy.key
  M lib/hx509/data/pkinit-pw.key
  M lib/hx509/data/pkinit.crt
  M lib/hx509/data/pkinit.key
  M lib/hx509/data/proxy-level-test.crt
  M lib/hx509/data/proxy-level-test.key
  M lib/hx509/data/proxy-test.crt
  M lib/hx509/data/proxy-test.key
  M lib/hx509/data/proxy10-child-child-test.crt
  M lib/hx509/data/proxy10-child-child-test.key
  M lib/hx509/data/proxy10-child-test.crt
  M lib/hx509/data/proxy10-child-test.key
  M lib/hx509/data/proxy10-test.crt
  M lib/hx509/data/proxy10-test.key
  M lib/hx509/data/revoke.crt
  M lib/hx509/data/revoke.key
  M lib/hx509/data/secp256r1TestCA.cert.pem
  M lib/hx509/data/secp256r1TestCA.pem
  M lib/hx509/data/secp256r2TestClient.cert.pem
  M lib/hx509/data/secp256r2TestClient.pem
  M lib/hx509/data/secp256r2TestServer.cert.pem
  M lib/hx509/data/secp256r2TestServer.pem
  M lib/hx509/data/sub-ca.crt
  M lib/hx509/data/sub-ca.key
  M lib/hx509/data/sub-cert.crt
  M lib/hx509/data/sub-cert.key
  M lib/hx509/data/sub-cert.p12
  M lib/hx509/data/test-ds-only.crt
  M lib/hx509/data/test-ds-only.key
  M lib/hx509/data/test-enveloped-aes-128
  M lib/hx509/data/test-enveloped-aes-256
  M lib/hx509/data/test-enveloped-des
  M lib/hx509/data/test-enveloped-des-ede3
  M lib/hx509/data/test-enveloped-rc2-128
  M lib/hx509/data/test-enveloped-rc2-40
  M lib/hx509/data/test-enveloped-rc2-64
  M lib/hx509/data/test-ke-only.crt
  M lib/hx509/data/test-ke-only.key
  M lib/hx509/data/test-nopw.p12
  M lib/hx509/data/test-pw.key
  M lib/hx509/data/test-signed-data
  M lib/hx509/data/test-signed-data-noattr
  M lib/hx509/data/test-signed-data-noattr-nocerts
  M lib/hx509/data/test-signed-sha-1
  M lib/hx509/data/test-signed-sha-256
  M lib/hx509/data/test-signed-sha-512
  M lib/hx509/data/test.combined.crt
  M lib/hx509/data/test.crt
  M lib/hx509/data/test.key
  M lib/hx509/data/test.p12

Log Message:
-----------
Fixes https://github.com/heimdal/heimdal/issues/533

Update certs to no longer be expired, last 500 years.

(cherry picked from commit aad5c710145053cdeaa7042d0e80db6f1748c606)


Commit: 583b1561739c408e2349f25afcfc9bd6fd89d561
    https://github.com/heimdal/heimdal/commit/583b1561739c408e2349f25afcfc9bd6fd89d561
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M kuser/kinit.c

Log Message:
-----------
kinit: don't leave dangling temporary ccaches

kinit does not destroy ccaches created with krb5_cc_new_unique() if ticket acquisition fails. This was leaving dangling keyring entries with the keyring ccache.

(cherry picked from commit 2e1304b9d55d24a3846f4dc9c794d0c197af4438)


Commit: 69c9b28fc4243ff88db80d8817239f2f89a83851
    https://github.com/heimdal/heimdal/commit/69c9b28fc4243ff88db80d8817239f2f89a83851
Author: Jeffrey Altman
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M kdc/kerberos5.c
  M kdc/krb5tgs.c
  M kuser/kimpersonate.c
  M lib/krb5/build_auth.c
  M lib/krb5/get_for_creds.c
  M lib/krb5/rd_cred.c

Log Message:
-----------
check return copy_Realm, copy_PrincipalName, copy_EncryptionKey

The ASN.1 functions copy_Realm(), copy_PrincipalName() and copy_EncryptionKey() can fail. Check the return and perform error handling as appropriate.
Change-Id: I2b3629d19db96eb41d1cd554cef1dca99745e753 (cherry picked from commit 6f3ab01c757a2ec66e6550a133f424955ad8a398) Commit: 87f2798a6ad435e28cea00379d67eb5aa5f8b90a https://github.com/heimdal/heimdal/commit/87f2798a6ad435e28cea00379d67eb5aa5f8b90a Author: Luke Howard Date: 2019-05-14 (Tue, 14 May 2019) Changed paths: M lib/krb5/send_to_kdc.c Log Message: ----------- krb5: fix spelling error in debug log (cherry picked from commit 1bc2eb33f9992142815152581c9fe2a8894d7964) Commit: 721487fbc57c0617cdf82a2941987ec4bfffd777 https://github.com/heimdal/heimdal/commit/721487fbc57c0617cdf82a2941987ec4bfffd777 Author: Luke Howard Date: 2019-05-14 (Tue, 14 May 2019) Changed paths: M kdc/kerberos5.c Log Message: ----------- kdc: fix compliance with RFC 8062 Section 4.1 RFC 8062 states that if the client in the AS request is anonymous, the anonymous KDC option must be set in the request; otherwise, KDC_ERR_BADOPTION must be returned. We were previously returning KDC_ERR_C_PRINCIPAL_UNKNOWN. (cherry picked from commit 2f013b0d48552b263f5e90279692f55e152ba060) Commit: d6e29b2c13591a5e807a448e6de5dbebbdcbac50 https://github.com/heimdal/heimdal/commit/d6e29b2c13591a5e807a448e6de5dbebbdcbac50 Author: Luke Howard Date: 2019-05-14 (Tue, 14 May 2019) Changed paths: M kdc/kerberos5.c Log Message: ----------- kdc: do not include PAC for anonymous AS requests The PAC will typically contain information that may reveal the identity of a principal. Do not include it for anonymous requests, at least until such time as the PAC plugin API supports indicating that the request was anonymous. 
(cherry picked from commit 7a7eb9de2fc93e54362b4c8b9ecc15294bc1c762) Commit: 7f54b116df1d9a5eb22b1e0da094c4280a24a937 https://github.com/heimdal/heimdal/commit/7f54b116df1d9a5eb22b1e0da094c4280a24a937 Author: Luke Howard Date: 2019-05-14 (Tue, 14 May 2019) Changed paths: M kdc/kerberos5.c Log Message: ----------- kdc: conform _kdc_make_anonymous_principalname() to RFC8062 The utility function _kdc_make_anonymous_principalname() previously returned a principal of "anonymous" rather than "WELLKNOWN/ANONYMOUS", as specified by RFC8062. This is not used by the AS-REQ code. (cherry picked from commit 5c8f48495eab08736fc4f12a8fff0786303af1a7) Commit: f679379f23ca9c665d70e3a38447d82f0a8b9951 https://github.com/heimdal/heimdal/commit/f679379f23ca9c665d70e3a38447d82f0a8b9951 Author: Luke Howard Date: 2019-05-14 (Tue, 14 May 2019) Changed paths: M kdc/kerberos5.c M kdc/pkinit.c Log Message: ----------- kdc: allow anonymous AS requests with long-term keys RFC8062 section 4.1 allows clients with long-term KDC keys to set the anonymous flag; in this case their identity is authenticated but the returned ticket contains the anonymous principal name as the client name. kdc: allow authenticated anonymous PKINIT The KDC PKINIT code conflated the checks for authenticated and unauthenticated anonymous by only looking at the anonymous KDC request option. (cherry picked from commit 63557427e0a1cd3d23c0942ab58bcae7c2e35534 except for conflict with: c6232299c3b2831d5d8ecf701fcd286ae509fba8) Commit: 6654399e43010fd74824809dd11c5ea8b0403210 https://github.com/heimdal/heimdal/commit/6654399e43010fd74824809dd11c5ea8b0403210 Author: Luke Howard Date: 2019-05-14 (Tue, 14 May 2019) Changed paths: M kuser/kinit.1 M kuser/kinit.c M tests/kdc/check-kdc.in Log Message: ----------- kuser: support authenticated anonymous AS-REQs in kinit Allow kinit to request anonymous tickets with authenticated clients, not just anonymous PKINIT. 
(cherry picked from commit 3051db0d5dbf52c9dbdb6ed357373ba78750304f) Commit: 77a7d073ea58b0fd840a83743a7fb73ef83ec3b3 https://github.com/heimdal/heimdal/commit/77a7d073ea58b0fd840a83743a7fb73ef83ec3b3 Author: Luke Howard Date: 2019-05-14 (Tue, 14 May 2019) Changed paths: M kdc/kerberos5.c M kdc/krb5tgs.c Log Message: ----------- kdc: support for anonymous TGS-REQs Allow non-anonymous tickets to be used to obtain an anonymous service ticket, by setting the anonymous KDC option. Do not include Win2K PAC in anonymous service tickets. Validate anonymous flags per RFC 8062. (cherry picked from commit af63541515643782a86d0fddf2b97b265b8ec44d) Commit: 0972c7f4932fdb632f6b9029598bf90248f723bc https://github.com/heimdal/heimdal/commit/0972c7f4932fdb632f6b9029598bf90248f723bc Author: Luke Howard Date: 2019-05-14 (Tue, 14 May 2019) Changed paths: M lib/krb5/get_cred.c M lib/krb5/krb5.h M lib/krb5/ticket.c Log Message: ----------- krb5: support for anonymous TGS requests Add support to krb5_get_creds() for requesting anonymous service tickets using a TGT, using the flag KRB5_GC_ANONYMOUS. 
(cherry picked from commit 55ee6c12825aec0f4c557946c2e7e029484054db)

Commit: c15211fe3beabaf8e6b701c66e42318876924f37
    https://github.com/heimdal/heimdal/commit/c15211fe3beabaf8e6b701c66e42318876924f37
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M kuser/kgetcred.1
  M kuser/kgetcred.c

Log Message:
-----------
kuser: kgetcred support for anonymous service tickets

(cherry picked from commit 455961839179c55a07502b55203c153711e4d3f0)

Commit: 423f6835d7321c4bbfd36c5d47521a0896749e81
    https://github.com/heimdal/heimdal/commit/423f6835d7321c4bbfd36c5d47521a0896749e81
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M kdc/kerberos5.c
  M kuser/kinit.c
  M kuser/kuser_locl.h
  M lib/krb5/krb5_locl.h
  M lib/krb5/libkrb5-exports.def.in
  M lib/krb5/principal.c
  M lib/krb5/ticket.c
  M lib/krb5/version-script.map

Log Message:
-----------
krb5: _krb5_principal_is_anonymous() helper API

Add _krb5_principal_is_anonymous() private API for checking if a principal is anonymous or not. The third argument determines whether to match authenticated anonymous, unauthenticated anonymous, or both types of principal.

(cherry picked from commit bcc90f1b87dd9e79577c0790a4d76efdaf6c6c51)

Commit: 3cfcab2d4fce29ba562fd15038e913bcdb68214c
    https://github.com/heimdal/heimdal/commit/3cfcab2d4fce29ba562fd15038e913bcdb68214c
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M kuser/kinit.c
  M lib/krb5/krb5.h
  M lib/krb5/pkinit.c

Log Message:
-----------
krb5: krb5_get_init_creds_opt_set_pkinit flag names

Add macros to give symbolic names to the flags which can be passed to krb5_get_init_creds_opt_set_pkinit(). Reserve flags for BTMM and not validating KDC anchors.

(cherry picked from commit 5ca229e0d9c19699eb39345a2a8513a956518cb7)

Commit: e93798dc52bacfce476eb0c65eb5ea731433f443
    https://github.com/heimdal/heimdal/commit/e93798dc52bacfce476eb0c65eb5ea731433f443
Author: Roland C. Dowdeswell
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M lib/krb5/send_to_kdc.c

Log Message:
-----------
krb5_sendto_kdc: failover for multiple AAAA/A RRs on one domain

We found that the library's behaviour when dealing with domains with more than one entry in them is slightly suboptimal. The situation was

    kdc1 IN A    1.2.3.4
    kdc1 IN AAAA ff02::1

I.e. a single hostname with both IPv6 and IPv4 addresses. When we run krb5_sendto_kdc on a box with only IPv4 addresses, there is a 3s delay before it fails back to the IPv4 address. This is because the library sets the 2nd address on each hostname to be 3s in the future and each additional one another 3s.

We change wait_response() s.t. if one is able to make progress, we iterate over the list of hosts and move them all 1s forward. We also modify submit_request() to skip hosts if host_connect() fails.

(cherry picked from commit d497d7e4a796c6bda153e7f10fe9478724b855ab)

Commit: 6c9914c871d14d46ec7be34ec320c9b2e847e851
    https://github.com/heimdal/heimdal/commit/6c9914c871d14d46ec7be34ec320c9b2e847e851
Author: Viktor Dukhovni
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M lib/krb5/send_to_kdc.c

Log Message:
-----------
Windows-compatible sentinel socket type and value

(cherry picked from commit 8740528b2477f872147998ca19a66d2fae12631b)

Commit: 9f2943750b106b5f0131a39f167d45d35d44044c
    https://github.com/heimdal/heimdal/commit/9f2943750b106b5f0131a39f167d45d35d44044c
Author: Isaac Boukris
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M kdc/krb5tgs.c

Log Message:
-----------
CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum

S4U2Self is an extension to Kerberos used in Active Directory to allow a service to request a kerberos ticket to itself from the Kerberos Key Distribution Center (KDC) for a non-Kerberos authenticated user (principal in Kerberos parlance). This is useful to allow internal code paths to be standardized around Kerberos.
S4U2Proxy (constrained-delegation) is an extension of this mechanism allowing this impersonation to a second service over the network. It allows a privileged server that obtained a S4U2Self ticket to itself to then assert the identity of that principal to a second service and present itself as that principal to get services from the second service.

There is a flaw in Samba's AD DC in the Heimdal KDC.

When the Heimdal KDC checks the checksum that is placed on the S4U2Self packet by the server to protect the requested principal against modification, it does not confirm that the checksum algorithm that protects the user name (principal) in the request is keyed.

This allows a man-in-the-middle attacker who can intercept the request to the KDC to modify the packet by replacing the user name (principal) in the request with any desired user name (principal) that exists in the KDC and replace the checksum protecting that name with a CRC32 checksum (which requires no prior knowledge to compute).

This would allow a S4U2Self ticket requested on behalf of user name (principal) user@EXAMPLE.COM to any service to be changed to a S4U2Self ticket with a user name (principal) of Administrator@EXAMPLE.COM. This ticket would then contain the PAC of the modified user name (principal).

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)

=========================
Workaround and Mitigation
=========================

If the server does not take privileged actions based on Kerberos tickets obtained by S4U2Self nor obtains Kerberos tickets via further S4U2Proxy requests then this issue cannot be exploited.

Note that the path to an exploit is not generic, the KDC is not harmed by the malicious checksum, it is the client service requesting the ticket being misled, because it trusted the KDC to return the correct ticket and PAC.

It is out of scope for Samba to describe all of the possible tool chains that might be vulnerable.
Here are two examples of possible exploits in order to explain the issue more clearly.

1). SFU2Self might be used by a web service authenticating an end user via OAuth, Shibboleth, or other protocols to obtain a S4U2Self Kerberos service ticket for use by any Kerberos service principal the web service has a keytab for. One example is acquiring an AFS token by requesting an afs/cell@REALM service ticket for a client via SFU2Self. With this exploit an organization that deploys a KDC built from Heimdal (be it Heimdal directly or vendor versions such as found in Samba) is vulnerable to privilege escalation attacks.

2). If a server authenticates users using X509 certificates, and then uses S4U2Self to obtain a Kerberos service ticket on behalf of the user (principal) in order to authorize access to local resources, a man-in-the-middle attacker could allow a non-privileged user to access privileged resources being protected by the server, or privileged resources being protected by a second server, if the first server uses the S4U2Proxy extension in order to get a new Kerberos service ticket to obtain access to the second server.

In both these scenarios under conditions allowing man-in-the-middle active network protocol manipulation, a malicious user could authenticate using the non-Kerberized credentials of an unprivileged user, and then elevate its privileges by intercepting the packet from the server to the KDC and changing the requested user name (principal).

The only Samba clients that use S4U2Self are:

 - the "net ads kerberos pac dump" (debugging) tool.

 - the CIFS proxy in the deprecated/developer-only NTVFS file server. Note this code is not compiled or enabled by default.

In particular, winbindd does *not* use S4U2Self.

Finally, MIT Kerberos and so therefore the experimental MIT KDC backend for Samba AD is understood not to be impacted.
===============
Further Reading
===============

There is more detail on and a description of the protocols in [MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/

=======
Credits
=======

Originally reported by Isaac Boukris and Andrew Bartlett of the Samba Team and Catalyst.

Patches provided by Isaac Boukris.

Advisory written by Andrew Bartlett of the Samba Team and Catalyst, with contributions from Isaac Boukris, Jeffrey Altman and Jeremy Allison.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685

Change-Id: I4ac69ebf0503eb999a7d497a2c30fe4d293a8cc8
Signed-off-by: Isaac Boukris
Reviewed-by: Andrew Bartlett
Signed-off-by: Andrew Bartlett
Reviewed-by: Jeffrey Altman
Signed-off-by: Jeffrey Altman
(cherry picked from commit c6257cc2c842c0faaeb4ef34e33890ee88c4cbba)

Commit: 2f7f3d9960aa6ea21358bdf3687cee5149aa35cf
    https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf
Author: Luke Howard
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M lib/krb5/init_creds_pw.c
  M lib/krb5/krb5_locl.h
  M lib/krb5/pkinit.c

Log Message:
-----------
CVE-2019-12098: krb5: always confirm PA-PKINIT-KX for anon PKINIT

RFC8062 Section 7 requires verification of the PA-PKINIT-KX key exchange when anonymous PKINIT is used. Failure to do so can permit an active attacker to become a man-in-the-middle.

Introduced by a1ef548600c5bb51cf52a9a9ea12676506ede19f. First tagged release Heimdal 1.4.0.
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.8)

Change-Id: I6cc1c0c24985936468af08693839ac6c3edda133
Signed-off-by: Jeffrey Altman
Approved-by: Jeffrey Altman
(cherry picked from commit 38c797e1ae9b9c8f99ae4aa2e73957679031fd2b)

Commit: 54c7b3f86082a95b1dfb04d2588b0078fd144c0a
    https://github.com/heimdal/heimdal/commit/54c7b3f86082a95b1dfb04d2588b0078fd144c0a
Author: Viktor Dukhovni
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M NEWS

Log Message:
-----------
Update NEWS for 7.6.0

Commit: 0c7ccf3bd48a5cb13893afb8b62e0e9cd66941d3
    https://github.com/heimdal/heimdal/commit/0c7ccf3bd48a5cb13893afb8b62e0e9cd66941d3
Author: Viktor Dukhovni
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M configure.ac
  M windows/NTMakefile.version

Log Message:
-----------
Bump version to 7.6

Compare: https://github.com/heimdal/heimdal/compare/dd249257e397...0c7ccf3bd48a

From noreply at github.com Wed May 15 00:02:26 2019
From: noreply at github.com (Viktor Dukhovni)
Date: Tue, 14 May 2019 15:02:26 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

Branch: refs/tags/heimdal-7.6.0
Home: https://github.com/heimdal/heimdal

From noreply at github.com Wed May 15 00:31:18 2019
From: noreply at github.com (Jeffrey Altman)
Date: Tue, 14 May 2019 15:31:18 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] d0a558: lib/roken: rk_random_init HAVE_ARC4RANDOM #401
Message-ID:

Branch: refs/heads/heimdal-7-1-branch
Home: https://github.com/heimdal/heimdal

Commit: d0a558f918c9d6ff12e312edaafb79aa81bb465c
    https://github.com/heimdal/heimdal/commit/d0a558f918c9d6ff12e312edaafb79aa81bb465c
Author: Jeffrey Altman
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M lib/roken/rand.c

Log Message:
-----------
lib/roken: rk_random_init HAVE_ARC4RANDOM #401

When arc4random() is available, rk_random_init() does not have to call arc4random_stir(). arc4random_stir() will be called as a result of the first call to arc4random().
Change-Id: I6f4a3be7c39752746657945ed15896472908f889
(cherry picked from commit 434f76bcb77754263fcd5a7ab5938e534dc220bc)

From noreply at github.com Wed May 15 00:32:23 2019
From: noreply at github.com (Jeffrey Altman)
Date: Tue, 14 May 2019 15:32:23 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] d0a558: lib/roken: rk_random_init HAVE_ARC4RANDOM #401
Message-ID:

Branch: refs/tags/heimdal-7.6.0
Home: https://github.com/heimdal/heimdal

Commit: d0a558f918c9d6ff12e312edaafb79aa81bb465c
    https://github.com/heimdal/heimdal/commit/d0a558f918c9d6ff12e312edaafb79aa81bb465c
Author: Jeffrey Altman
Date: 2019-05-14 (Tue, 14 May 2019)

Changed paths:
  M lib/roken/rand.c

Log Message:
-----------
lib/roken: rk_random_init HAVE_ARC4RANDOM #401

When arc4random() is available, rk_random_init() does not have to call arc4random_stir(). arc4random_stir() will be called as a result of the first call to arc4random().

Change-Id: I6f4a3be7c39752746657945ed15896472908f889
(cherry picked from commit 434f76bcb77754263fcd5a7ab5938e534dc220bc)

From noreply at github.com Wed May 15 09:42:25 2019
From: noreply at github.com (Quanah Gibson-Mount)
Date: Wed, 15 May 2019 00:42:25 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] ceac4a: Fixes https://github.com/heimdal/heimdal/issues/294
Message-ID:

Branch: refs/heads/jaltman/heimdal-7.6.0
Home: https://github.com/heimdal/heimdal

Commit: ceac4a519358e888ce3c6263cf245845a5b07a49
    https://github.com/heimdal/heimdal/commit/ceac4a519358e888ce3c6263cf245845a5b07a49
Author: Quanah Gibson-Mount
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/libedit/src/vis.h

Log Message:
-----------
Fixes https://github.com/heimdal/heimdal/issues/294

(cherry picked from commit b787491942651280a323c28ddfee44dd8aa3e915)

From noreply at github.com Wed May 15 10:07:21 2019
From: noreply at github.com (Jeffrey Altman)
Date: Wed, 15 May 2019 01:07:21 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] c9bf93: krb5_principal_is_anonymous
Message-ID:
Branch: refs/heads/jaltman/krb5_principal_is_anonymous
Home: https://github.com/heimdal/heimdal

Commit: c9bf9394496de8b7fa1a97b8034e1651fa876159
    https://github.com/heimdal/heimdal/commit/c9bf9394496de8b7fa1a97b8034e1651fa876159
Author: Jeffrey Altman
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M kdc/kerberos5.c
  M kuser/kinit.c
  M kuser/kuser_locl.h
  M lib/krb5/krb5.h
  M lib/krb5/libkrb5-exports.def.in
  M lib/krb5/principal.c
  M lib/krb5/ticket.c
  M lib/krb5/version-script.map

Log Message:
-----------
krb5_principal_is_anonymous

_krb5_principal_is_anonymous() is used outside lib/krb5 and therefore it needs to be properly exported and its flag macros need to be in a public header: krb5.h not krb5_locl.h. Including krb5_locl.h from within kuser_locl.h for instance results in build failures on Solaris.

This change renames the function and makes it part of the public api.

Change-Id: I130d1698b10bdbd150b95e8c7d32dfc362889ce6

From noreply at github.com Wed May 15 20:12:30 2019
From: noreply at github.com (Daria Phoebe Brashear)
Date: Wed, 15 May 2019 18:12:30 +0000 (UTC)
Subject: [Heimdal-source-changes] [heimdal/heimdal] c3e2c0: tests: generate test_template_asn1-template.c for ...
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal

Commit: c3e2c048c3048a60fa2d07fb984803c104e3533c
    https://github.com/heimdal/heimdal/commit/c3e2c048c3048a60fa2d07fb984803c104e3533c
Author: Daria Phoebe Brashear
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/asn1/Makefile.am

Log Message:
-----------
tests: generate test_template_asn1-template.c for testing

the rule to generate test_template_asn1-template.c from test_template_asn1-template.x was missing. add it.
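The KDC-side check that the CVE-2018-16860 commit message earlier in this digest describes, written out as an added C example that is not Heimdal's code and is not part of any notification in this archive. It shows the gate the fix adds: before the checksum protecting the user name in a PA-S4U2Self request is trusted, the checksum type must be one that is keyed, because an unkeyed type can be recomputed by anyone who can rewrite the packet. The checksum type numbers are the RFC 3961 / RFC 4120 registry values; the pa_s4u2self struct, the verify callback, demo_key and demo_check are constructed stand-ins for this example, not Heimdal interfaces.

```c
/* Added example, not Heimdal's code: the keyed-checksum gate described in the
 * CVE-2018-16860 commit message. Checksum type numbers are RFC 3961/4120
 * registry values; everything prefixed demo_ and the pa_s4u2self struct are
 * constructed stand-ins, not Heimdal interfaces. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Allowlist of keyed checksum types (RFC 3961 registry, plus the Microsoft
 * hmac-md5 type used with RC4). Anything not listed is treated as unkeyed,
 * so an unknown or newly registered type fails closed. */
static const int32_t keyed_cksumtypes[] = {
    3,    /* rsa-md4-des */
    4,    /* des-mac */
    5,    /* des-mac-k */
    6,    /* rsa-md4-des-k */
    8,    /* rsa-md5-des */
    12,   /* hmac-sha1-des3 */
    15,   /* hmac-sha1-96-aes128 */
    16,   /* hmac-sha1-96-aes256 */
    -138, /* hmac-md5 (RC4-HMAC) */
};

bool cksumtype_is_keyed(int32_t cksumtype)
{
    size_t n = sizeof(keyed_cksumtypes) / sizeof(keyed_cksumtypes[0]);
    for (size_t i = 0; i < n; i++)
        if (keyed_cksumtypes[i] == cksumtype)
            return true;
    return false;
}

/* Simplified PA-S4U2Self: impersonated user, realm and the checksum type the
 * requester claims to have used over them. */
struct pa_s4u2self {
    const char *user;
    const char *realm;
    int32_t     cksumtype;
};

/* Caller-supplied routine that verifies the keyed checksum over user/realm
 * with the requesting service's key; the MAC itself is out of scope here. */
typedef bool (*verify_fn)(const struct pa_s4u2self *pa,
                          const uint8_t *key, size_t keylen);

enum s4u2self_result {
    S4U2SELF_OK = 0,
    S4U2SELF_BAD_REQUEST,      /* user or realm missing */
    S4U2SELF_UNKEYED_CHECKSUM, /* the CVE-2018-16860 case: reject */
    S4U2SELF_BAD_CHECKSUM      /* keyed type, but it does not verify */
};

enum s4u2self_result
check_pa_s4u2self(const struct pa_s4u2self *pa,
                  const uint8_t *key, size_t keylen, verify_fn verify)
{
    if (pa == NULL || pa->user == NULL || pa->user[0] == '\0' ||
        pa->realm == NULL || pa->realm[0] == '\0')
        return S4U2SELF_BAD_REQUEST;

    /* The check the fix adds: decide on the type before any checksum math,
     * so a CRC32 over a rewritten name is never even evaluated. */
    if (!cksumtype_is_keyed(pa->cksumtype))
        return S4U2SELF_UNKEYED_CHECKSUM;

    if (!verify(pa, key, keylen))
        return S4U2SELF_BAD_CHECKSUM;

    return S4U2SELF_OK;
}

/* Constructed service key and verify routine for the demo: the "checksum"
 * verifies exactly when the caller presents the right key. */
static const uint8_t demo_key[16] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};

static bool demo_verify(const struct pa_s4u2self *pa,
                        const uint8_t *key, size_t keylen)
{
    (void)pa;
    return keylen == sizeof(demo_key) && memcmp(key, demo_key, keylen) == 0;
}

/* Builds a request from its parts and checks it with the right or a wrong key. */
enum s4u2self_result
demo_check(const char *user, const char *realm, int32_t cksumtype, bool right_key)
{
    static const uint8_t wrong_key[16] = { 0 };
    struct pa_s4u2self pa = { user, realm, cksumtype };
    return check_pa_s4u2self(&pa, right_key ? demo_key : wrong_key,
                             sizeof(demo_key), demo_verify);
}

int main(void)
{
    static const char *names[] = { "ok", "bad request", "unkeyed checksum", "bad checksum" };
    printf("aes256 keyed, right key: %s\n", names[demo_check("user", "EXAMPLE.COM", 16, true)]);
    printf("crc32 unkeyed:           %s\n", names[demo_check("Administrator", "EXAMPLE.COM", 1, true)]);
    printf("aes256 keyed, wrong key: %s\n", names[demo_check("user", "EXAMPLE.COM", 16, false)]);
    printf("missing realm:           %s\n", names[demo_check("user", "", 16, true)]);
    return 0;
}
```

The order of the checks is the point: the type decision happens before any checksum is computed, and the allowlist is default-deny, so a request carrying CRC32 (type 1), rsa-md5 (type 7) or an unregistered type is refused without ever consulting the service's key.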
From noreply at github.com Wed May 15 20:47:12 2019
From: noreply at github.com (Quanah Gibson-Mount)
Date: Wed, 15 May 2019 11:47:12 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 8b2c49: sunpro c defines __SUNPRO_C not __SUNPRO_CC
Message-ID:

Branch: refs/heads/heimdal-7-1-branch
Home: https://github.com/heimdal/heimdal

Commit: 8b2c4985384bee6a95ae3a06bcbaaff6fb5063d6
    https://github.com/heimdal/heimdal/commit/8b2c4985384bee6a95ae3a06bcbaaff6fb5063d6
Author: Daria Phoebe Brashear
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M include/heim_threads.h

Log Message:
-----------
sunpro c defines __SUNPRO_C not __SUNPRO_CC

CC is the c++ compiler; C is the c compiler. use the correct define

Commit: 4e2db841a28ec3054c39acdce0dc7dc35b2e0120
    https://github.com/heimdal/heimdal/commit/4e2db841a28ec3054c39acdce0dc7dc35b2e0120
Author: Daria Phoebe Brashear
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/libedit/src/makelist

Log Message:
-----------
libedit: makelist should default to awk, but not force it

solaris needs gawk; we should allow the makefile to override awk with gawk (or whatever else)

Commit: 552cbb3df302106dca0682aa0853ff48d5936859
    https://github.com/heimdal/heimdal/commit/552cbb3df302106dca0682aa0853ff48d5936859
Author: Quanah Gibson-Mount
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/libedit/src/vis.h

Log Message:
-----------
Fixes https://github.com/heimdal/heimdal/issues/294

Compare: https://github.com/heimdal/heimdal/compare/d0a558f918c9...552cbb3df302

From noreply at github.com Wed May 15 21:35:56 2019
From: noreply at github.com (Luke Howard)
Date: Wed, 15 May 2019 12:35:56 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 4b09f9: Fixes https://github.com/heimdal/heimdal/issues/31...
Message-ID:

Branch: refs/heads/7.6.0-fixes
Home: https://github.com/heimdal/heimdal

Commit: 4b09f90d25a566f10bf7a12208320a1ac43e28ae
    https://github.com/heimdal/heimdal/commit/4b09f90d25a566f10bf7a12208320a1ac43e28ae
Author: Quanah Gibson-Mount
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M kdc/connect.c

Log Message:
-----------
Fixes https://github.com/heimdal/heimdal/issues/310, use PF_UNIX instead of PF_LOCAL

(cherry picked from commit e7879208e47f60bf88f6a2dad00fb77075843f2c)

Commit: 8bfbf2cbfe72294517d677142019d5dc3244e843
    https://github.com/heimdal/heimdal/commit/8bfbf2cbfe72294517d677142019d5dc3244e843
Author: Luke Howard
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c
  M lib/hcrypto/evp.h

Log Message:
-----------
Fix PKCS#11 hcrypto backend regression (#314, #315, #316, #317)

81c778e broke the PKCS#11 hcrypto backend for many cases as it did not support cipherstate resetting. (Prior to 81c778e, which was to fix #194, the PKCS#11 backend did not support cipherstate chaining across invocations.)

hcrypto backends that maintain cipherstate independently of the hcrypto context IV field need to set EVP_CIPH_ALWAYS_CALL_INIT to avoid the two diverging. Their init function should support resetting the cipherstate independently of key scheduling.
(cherry picked from commit a88d00660efc0de15514f0957a51954478e31f45)

Commit: 61513001829ef9eb41eb2b754cf407cbd5ef50a6
    https://github.com/heimdal/heimdal/commit/61513001829ef9eb41eb2b754cf407cbd5ef50a6
Author: Quanah Gibson-Mount
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M appl/dceutils/k5dcecon.c
  M kuser/klist.c
  M lib/gssapi/krb5/test_sequence.c
  M lib/hx509/cms.c
  M lib/hx509/print.c
  M lib/kdfs/k5dfspag.c
  M tests/can/check-can.in
  M tests/db/add-modify-delete.in
  M tests/db/check-aliases.in
  M tests/db/loaddump-db.in
  M tests/gss/check-basic.in
  M tests/gss/check-context.in
  M tests/gss/check-gssmask.in
  M tests/gss/check-ntlm.in
  M tests/gss/check-spnego.in
  M tests/kdc/check-canon.in
  M tests/kdc/check-cc.in
  M tests/kdc/check-delegation.in
  M tests/kdc/check-des.in
  M tests/kdc/check-digest.in
  M tests/kdc/check-fast.in
  M tests/kdc/check-hdb-mitdb.in
  M tests/kdc/check-iprop.in
  M tests/kdc/check-kadmin.in
  M tests/kdc/check-kdc.in
  M tests/kdc/check-keys.in
  M tests/kdc/check-kinit.in
  M tests/kdc/check-kpasswdd.in
  M tests/kdc/check-pkinit.in
  M tests/kdc/check-referral.in
  M tests/kdc/check-tester.in
  M tests/kdc/check-uu.in
  M tests/ldap/check-ldap.in
  M tests/plugin/check-pac.in

Log Message:
-----------
Minor typo/grammar fixes

(cherry picked from commit 7c16ce34570ef8b255f2ad1bc3f8fb3b019df84f)

Commit: 36ac5befe1fceae36c0aa86ba916644a963c8971
    https://github.com/heimdal/heimdal/commit/36ac5befe1fceae36c0aa86ba916644a963c8971
Author: David Mulder
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
solaris 8 sparc defines _LP64 to empty, causing build failure

(cherry picked from commit f132d2040dbc326b8f3c8b3970001a966e58ade1)

Commit: 97866e7322a1dc8521c3270396aac23ade592479
    https://github.com/heimdal/heimdal/commit/97866e7322a1dc8521c3270396aac23ade592479
Author: Luke Howard
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: allow digest update with NULL (#378)

Some callers of EVP_DigestUpdate (such as libntlm) pass NULL as the data argument. PKCS#11 returns CKR_ARGUMENTS_BAD which may poison the context. Pass an empty string to C_DigestUpdate to work around this.

(cherry picked from commit 590be3d7dadb8e17a15261bce9275f37f6dfc917)

Commit: 7c785cc4ef50c5a00ba203f3696b326d834567c6
    https://github.com/heimdal/heimdal/commit/7c785cc4ef50c5a00ba203f3696b326d834567c6
Author: Luke Howard
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: allow digest update with NULL (#378)

In the PKCS#11 backend, add an assertion check to p11_md_update() to validate that the data length is zero if the data is NULL.

(cherry picked from commit 6a1bb953230a2095a9ef7b9f1e979cf519ac616b)

Commit: c381868cbf6f59d2c8dddb45a2dff9081298c861
    https://github.com/heimdal/heimdal/commit/c381868cbf6f59d2c8dddb45a2dff9081298c861
Author: Luke Howard
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: don't leak sessions on digest reinit

Clients of the EVP API can reinitialize message digest contexts without destroying them. The PKCS#11 backend assumed they were only used once, and was leaking session handles upon reinitialization. This fix disposes of any existing PKCS#11 message digest context in the initialization method.

(cherry picked from commit 9518f2965b4d0daef0eda733c31c6c26ccae20a4)

Commit: ecd7915eda0339a56d9b7e3a0b2c3c6ac216fbed
    https://github.com/heimdal/heimdal/commit/ecd7915eda0339a56d9b7e3a0b2c3c6ac216fbed
Author: Luke Howard
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-wincng.c

Log Message:
-----------
hcrypto WinCNG backend: don't leak handles on digest reinit

Similar fix to 9518f296, but for the WinCNG EVP backend.
(cherry picked from commit bd0b6f8c2b8663e372b713769b554984b2d929ae)

Commit: 12bfe40451c5a9fd0969e44cbadf3ac5ebff4382
    https://github.com/heimdal/heimdal/commit/12bfe40451c5a9fd0969e44cbadf3ac5ebff4382
Author: Luke Howard
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-wincng.c

Log Message:
-----------
hcrypto WinCNG backend: don't leak handles on crypto reinit

Similar fix to a88d0066, but for the WinCNG EVP backend. However this is just a fix for leaking handles if the same EVP context is used with a new key; there is no functionality issue as cipherstate is maintained directly in the EVP context, not internally by WinCNG.

(cherry picked from commit 3224a282a65bfcabfb730112b53a89f95341f8b3)

Commit: ab038dcd1456816d4279428a8173224567a9d11b
    https://github.com/heimdal/heimdal/commit/ab038dcd1456816d4279428a8173224567a9d11b
Author: Luke Howard
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: Call C_Initialize() on every hcrypto call

This is required as the PKCS#11 library needs to be reinitialized after forking. This was causing a problem with ipropd.

This fix appears to incur a repeatable 10ms performance penalty on aes-test. Caching the initialization status using a once control and invalidating it on fork provided no measurable performance benefit on Solaris 11. Other approaches would not be thread-safe or would involve more intrusive code changes, such as exposing heimbase's atomics.
(cherry picked from commit 934d5e09bf3ba0774d303da53446e5ff94daae01)

Change-Id: I47566373f43eab3cb30a24ffbe37bbcd309a5f3e

Compare: https://github.com/heimdal/heimdal/compare/4b09f90d25a5%5E...ab038dcd1456

From noreply at github.com Wed May 15 21:38:13 2019
From: noreply at github.com (Luke Howard)
Date: Wed, 15 May 2019 12:38:13 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] b2475e: Minor typo/grammar fixes
Message-ID:

Branch: refs/heads/7.6.0-fixes
Home: https://github.com/heimdal/heimdal

Commit: b2475e191666a115a852983a35a6675967d2c543
    https://github.com/heimdal/heimdal/commit/b2475e191666a115a852983a35a6675967d2c543
Author: Quanah Gibson-Mount
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M appl/dceutils/k5dcecon.c
  M kuser/klist.c
  M lib/gssapi/krb5/test_sequence.c
  M lib/hx509/cms.c
  M lib/hx509/print.c
  M lib/kdfs/k5dfspag.c
  M tests/can/check-can.in
  M tests/db/add-modify-delete.in
  M tests/db/check-aliases.in
  M tests/db/loaddump-db.in
  M tests/gss/check-basic.in
  M tests/gss/check-context.in
  M tests/gss/check-gssmask.in
  M tests/gss/check-ntlm.in
  M tests/gss/check-spnego.in
  M tests/kdc/check-canon.in
  M tests/kdc/check-cc.in
  M tests/kdc/check-delegation.in
  M tests/kdc/check-des.in
  M tests/kdc/check-digest.in
  M tests/kdc/check-fast.in
  M tests/kdc/check-hdb-mitdb.in
  M tests/kdc/check-iprop.in
  M tests/kdc/check-kadmin.in
  M tests/kdc/check-kdc.in
  M tests/kdc/check-keys.in
  M tests/kdc/check-kinit.in
  M tests/kdc/check-kpasswdd.in
  M tests/kdc/check-pkinit.in
  M tests/kdc/check-referral.in
  M tests/kdc/check-tester.in
  M tests/kdc/check-uu.in
  M tests/ldap/check-ldap.in
  M tests/plugin/check-pac.in

Log Message:
-----------
Minor typo/grammar fixes

(cherry picked from commit 7c16ce34570ef8b255f2ad1bc3f8fb3b019df84f)

Commit: 17a5124f8f0fc4a0001ef5afbebb90de02453f35
    https://github.com/heimdal/heimdal/commit/17a5124f8f0fc4a0001ef5afbebb90de02453f35
Author: David Mulder
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
solaris 8 sparc defines _LP64 to empty, causing build failure

(cherry picked from commit f132d2040dbc326b8f3c8b3970001a966e58ade1)

Commit: 5da575d87c15caaa9eba38f332848b6930fb2afb
    https://github.com/heimdal/heimdal/commit/5da575d87c15caaa9eba38f332848b6930fb2afb
Author: Quanah Gibson-Mount
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M kdc/connect.c

Log Message:
-----------
Fixes https://github.com/heimdal/heimdal/issues/310, use PF_UNIX instead of PF_LOCAL

(cherry picked from commit e7879208e47f60bf88f6a2dad00fb77075843f2c)

Commit: b645b6526afac4121d86579e9fd97fd50dd70909
    https://github.com/heimdal/heimdal/commit/b645b6526afac4121d86579e9fd97fd50dd70909
Author: Luke Howard
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c
  M lib/hcrypto/evp.h

Log Message:
-----------
Fix PKCS#11 hcrypto backend regression (#314, #315, #316, #317)

81c778e broke the PKCS#11 hcrypto backend for many cases as it did not support cipherstate resetting. (Prior to 81c778e, which was to fix #194, the PKCS#11 backend did not support cipherstate chaining across invocations.)

hcrypto backends that maintain cipherstate independently of the hcrypto context IV field need to set EVP_CIPH_ALWAYS_CALL_INIT to avoid the two diverging. Their init function should support resetting the cipherstate independently of key scheduling.

(cherry picked from commit a88d00660efc0de15514f0957a51954478e31f45)

Commit: c37a0352191b42eb5c463f121e0bd41fd6938bee
    https://github.com/heimdal/heimdal/commit/c37a0352191b42eb5c463f121e0bd41fd6938bee
Author: Luke Howard
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: allow digest update with NULL (#378)

Some callers of EVP_DigestUpdate (such as libntlm) pass NULL as the data argument. PKCS#11 returns CKR_ARGUMENTS_BAD which may poison the context. Pass an empty string to C_DigestUpdate to work around this.
(cherry picked from commit 590be3d7dadb8e17a15261bce9275f37f6dfc917)

Commit: b981424cb59e371179053c51aadf010a4b643970
    https://github.com/heimdal/heimdal/commit/b981424cb59e371179053c51aadf010a4b643970
Author: Luke Howard
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: allow digest update with NULL (#378)

In the PKCS#11 backend, add an assertion check to p11_md_update() to validate that the data length is zero if the data is NULL.

(cherry picked from commit 6a1bb953230a2095a9ef7b9f1e979cf519ac616b)

Commit: c20a8fd3b6950b844c9f5dedc4cd85edf0c77100
    https://github.com/heimdal/heimdal/commit/c20a8fd3b6950b844c9f5dedc4cd85edf0c77100
Author: Luke Howard
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: don't leak sessions on digest reinit

Clients of the EVP API can reinitialize message digest contexts without destroying them. The PKCS#11 backend assumed they were only used once, and was leaking session handles upon reinitialization. This fix disposes of any existing PKCS#11 message digest context in the initialization method.

(cherry picked from commit 9518f2965b4d0daef0eda733c31c6c26ccae20a4)

Commit: 8c0f6b771619668eca82bd6b758826b39c2f3abe
    https://github.com/heimdal/heimdal/commit/8c0f6b771619668eca82bd6b758826b39c2f3abe
Author: Luke Howard
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-wincng.c

Log Message:
-----------
hcrypto WinCNG backend: don't leak handles on digest reinit

Similar fix to 9518f296, but for the WinCNG EVP backend.
(cherry picked from commit bd0b6f8c2b8663e372b713769b554984b2d929ae)

Commit: 17b62207108b7f14e0e495fb85129bdf9fc24cc4
    https://github.com/heimdal/heimdal/commit/17b62207108b7f14e0e495fb85129bdf9fc24cc4
Author: Luke Howard
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-wincng.c

Log Message:
-----------
hcrypto WinCNG backend: don't leak handles on crypto reinit

Similar fix to a88d0066, but for the WinCNG EVP backend. However this is just a fix for leaking handles if the same EVP context is used with a new key; there is no functionality issue as cipherstate is maintained directly in the EVP context, not internally by WinCNG.

(cherry picked from commit 3224a282a65bfcabfb730112b53a89f95341f8b3)

Commit: ab5d4c82fd03c36d384ec830e934579fb19f0537
    https://github.com/heimdal/heimdal/commit/ab5d4c82fd03c36d384ec830e934579fb19f0537
Author: Luke Howard
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: Call C_Initialize() on every hcrypto call

This is required as the PKCS#11 library needs to be reinitialized after forking. This was causing a problem with ipropd.

This fix appears to incur a repeatable 10ms performance penalty on aes-test. Caching the initialization status using a once control and invalidating it on fork provided no measurable performance benefit on Solaris 11. Other approaches would not be thread-safe or would involve more intrusive code changes, such as exposing heimbase's atomics.
(cherry picked from commit 934d5e09bf3ba0774d303da53446e5ff94daae01)

Change-Id: I47566373f43eab3cb30a24ffbe37bbcd309a5f3e

Compare: https://github.com/heimdal/heimdal/compare/ab038dcd1456...ab5d4c82fd03

From noreply at github.com Wed May 15 23:00:51 2019
From: noreply at github.com (Luke Howard)
Date: Wed, 15 May 2019 14:00:51 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 0b6af6: Minor typo/grammar fixes
Message-ID:

Branch: refs/heads/heimdal-7-1-branch
Home: https://github.com/heimdal/heimdal

Commit: 0b6af62fd935d228381a4538fbe3a8f98ee285ce
    https://github.com/heimdal/heimdal/commit/0b6af62fd935d228381a4538fbe3a8f98ee285ce
Author: Quanah Gibson-Mount
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M appl/dceutils/k5dcecon.c
  M kuser/klist.c
  M lib/gssapi/krb5/test_sequence.c
  M lib/hx509/cms.c
  M lib/hx509/print.c
  M lib/kdfs/k5dfspag.c
  M tests/can/check-can.in
  M tests/db/add-modify-delete.in
  M tests/db/check-aliases.in
  M tests/db/loaddump-db.in
  M tests/gss/check-basic.in
  M tests/gss/check-context.in
  M tests/gss/check-gssmask.in
  M tests/gss/check-ntlm.in
  M tests/gss/check-spnego.in
  M tests/kdc/check-canon.in
  M tests/kdc/check-cc.in
  M tests/kdc/check-delegation.in
  M tests/kdc/check-des.in
  M tests/kdc/check-digest.in
  M tests/kdc/check-fast.in
  M tests/kdc/check-hdb-mitdb.in
  M tests/kdc/check-iprop.in
  M tests/kdc/check-kadmin.in
  M tests/kdc/check-kdc.in
  M tests/kdc/check-keys.in
  M tests/kdc/check-kinit.in
  M tests/kdc/check-kpasswdd.in
  M tests/kdc/check-pkinit.in
  M tests/kdc/check-referral.in
  M tests/kdc/check-tester.in
  M tests/kdc/check-uu.in
  M tests/ldap/check-ldap.in
  M tests/plugin/check-pac.in

Log Message:
-----------
Minor typo/grammar fixes

(cherry picked from commit 7c16ce34570ef8b255f2ad1bc3f8fb3b019df84f)

Commit: 56f9911670986e8e3fba4063d1bae05d1bc82170
    https://github.com/heimdal/heimdal/commit/56f9911670986e8e3fba4063d1bae05d1bc82170
Author: David Mulder
Date: 2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
solaris 8 sparc defines _LP64 to empty, causing build failure

(cherry picked from commit f132d2040dbc326b8f3c8b3970001a966e58ade1)

Commit: f2ee12e91deece93540d1240d516e80d6305bf0e
    https://github.com/heimdal/heimdal/commit/f2ee12e91deece93540d1240d516e80d6305bf0e
Author: Quanah Gibson-Mount
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M kdc/connect.c

Log Message:
-----------
Fixes https://github.com/heimdal/heimdal/issues/310, use PF_UNIX instead of PF_LOCAL

(cherry picked from commit e7879208e47f60bf88f6a2dad00fb77075843f2c)

Commit: edcdb0bae5a6e95522a95ef68826ab0f68d76a7f
    https://github.com/heimdal/heimdal/commit/edcdb0bae5a6e95522a95ef68826ab0f68d76a7f
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c
  M lib/hcrypto/evp.h

Log Message:
-----------
Fix PKCS#11 hcrypto backend regression (#314, #315, #316, #317)

81c778e broke the PKCS#11 hcrypto backend for many cases as it did not support cipherstate resetting. (Prior to 81c778e, which was to fix #194, the PKCS#11 backend did not support cipherstate chaining across invocations.)

hcrypto backends that maintain cipherstate independently of the hcrypto context IV field need to set EVP_CIPH_ALWAYS_CALL_INIT to avoid the two diverging. Their init function should support resetting the cipherstate independently of key scheduling.

(cherry picked from commit a88d00660efc0de15514f0957a51954478e31f45)

Commit: 9c859ac64fba8e59d27af0aca3efca7b79a7b4a8
    https://github.com/heimdal/heimdal/commit/9c859ac64fba8e59d27af0aca3efca7b79a7b4a8
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: allow digest update with NULL (#378)

Some callers of EVP_DigestUpdate (such as libntlm) pass NULL as the data argument. PKCS#11 returns CKR_ARGUMENTS_BAD which may poison the context. Pass an empty string to C_DigestUpdate to work around this.
(cherry picked from commit 590be3d7dadb8e17a15261bce9275f37f6dfc917)

Commit: fdfa1f225eb843ca2a40f2da71292f4d11c60811
    https://github.com/heimdal/heimdal/commit/fdfa1f225eb843ca2a40f2da71292f4d11c60811
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: allow digest update with NULL (#378)

In the PKCS#11 backend, add an assertion check to p11_md_update() to validate that the data length is zero if the data is NULL.

(cherry picked from commit 6a1bb953230a2095a9ef7b9f1e979cf519ac616b)

Commit: c2bcabb86c8ac0d7cbd69fb06c80d8b3856bf63e
    https://github.com/heimdal/heimdal/commit/c2bcabb86c8ac0d7cbd69fb06c80d8b3856bf63e
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: don't leak sessions on digest reinit

Clients of the EVP API can reinitialize message digest contexts without destroying them. The PKCS#11 backend assumed they were only used once, and was leaking session handles upon reinitialization. This fix disposes of any existing PKCS#11 message digest context in the initialization method.

(cherry picked from commit 9518f2965b4d0daef0eda733c31c6c26ccae20a4)

Commit: 9e76f25322ed2decef2807107e1e88f596305072
    https://github.com/heimdal/heimdal/commit/9e76f25322ed2decef2807107e1e88f596305072
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-wincng.c

Log Message:
-----------
hcrypto WinCNG backend: don't leak handles on digest reinit

Similar fix to 9518f296, but for the WinCNG EVP backend.
(cherry picked from commit bd0b6f8c2b8663e372b713769b554984b2d929ae)

Commit: 613cb65e9ef6881167a1dd2a299800959649eb24
    https://github.com/heimdal/heimdal/commit/613cb65e9ef6881167a1dd2a299800959649eb24
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-wincng.c

Log Message:
-----------
hcrypto WinCNG backend: don't leak handles on crypto reinit

Similar fix to a88d0066, but for the WinCNG EVP backend. However this is just a fix for leaking handles if the same EVP context is used with a new key; there is no functionality issue as cipherstate is maintained directly in the EVP context, not internally by WinCNG.

(cherry picked from commit 3224a282a65bfcabfb730112b53a89f95341f8b3)

Commit: 5995db43564f31537c52c823851bf2b565543cc7
    https://github.com/heimdal/heimdal/commit/5995db43564f31537c52c823851bf2b565543cc7
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: Call C_Initialize() on every hcrypto call

This is required as the PKCS#11 library needs to be reinitialized after forking. This was causing a problem with ipropd.

This fix appears to incur a repeatable 10ms performance penalty on aes-test. Caching the initialization status using a once control and invalidating it on fork provided no measurable performance benefit on Solaris 11. Other approaches would not be thread-safe or would involve more intrusive code changes, such as exposing heimbase's atomics.
(cherry picked from commit 934d5e09bf3ba0774d303da53446e5ff94daae01)

Change-Id: I47566373f43eab3cb30a24ffbe37bbcd309a5f3e

Compare: https://github.com/heimdal/heimdal/compare/552cbb3df302...5995db43564f


From noreply at github.com Wed May 15 23:00:58 2019
From: noreply at github.com (Jeffrey Altman)
Date: Wed, 15 May 2019 14:00:58 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

Branch: refs/heads/7.6.0-fixes
Home:   https://github.com/heimdal/heimdal


From noreply at github.com Wed May 15 23:41:28 2019
From: noreply at github.com (Jeffrey Altman)
Date: Wed, 15 May 2019 14:41:28 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

Branch: refs/heads/jaltman/heimdal-7.6.0
Home:   https://github.com/heimdal/heimdal


From noreply at github.com Wed May 15 23:46:51 2019
From: noreply at github.com (Jeffrey Altman)
Date: Wed, 15 May 2019 14:46:51 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] b2475e: Minor typo/grammar fixes
Message-ID:

Branch: refs/heads/7.6.0-fixes
Home:   https://github.com/heimdal/heimdal

Commit: b2475e191666a115a852983a35a6675967d2c543
    https://github.com/heimdal/heimdal/commit/b2475e191666a115a852983a35a6675967d2c543
Author: Quanah Gibson-Mount
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M appl/dceutils/k5dcecon.c
  M kuser/klist.c
  M lib/gssapi/krb5/test_sequence.c
  M lib/hx509/cms.c
  M lib/hx509/print.c
  M lib/kdfs/k5dfspag.c
  M tests/can/check-can.in
  M tests/db/add-modify-delete.in
  M tests/db/check-aliases.in
  M tests/db/loaddump-db.in
  M tests/gss/check-basic.in
  M tests/gss/check-context.in
  M tests/gss/check-gssmask.in
  M tests/gss/check-ntlm.in
  M tests/gss/check-spnego.in
  M tests/kdc/check-canon.in
  M tests/kdc/check-cc.in
  M tests/kdc/check-delegation.in
  M tests/kdc/check-des.in
  M tests/kdc/check-digest.in
  M tests/kdc/check-fast.in
  M tests/kdc/check-hdb-mitdb.in
  M tests/kdc/check-iprop.in
  M tests/kdc/check-kadmin.in
  M tests/kdc/check-kdc.in
  M tests/kdc/check-keys.in
  M tests/kdc/check-kinit.in
  M tests/kdc/check-kpasswdd.in
  M tests/kdc/check-pkinit.in
  M tests/kdc/check-referral.in
  M tests/kdc/check-tester.in
  M tests/kdc/check-uu.in
  M tests/ldap/check-ldap.in
  M tests/plugin/check-pac.in

Log Message:
-----------
Minor typo/grammar fixes

(cherry picked from commit 7c16ce34570ef8b255f2ad1bc3f8fb3b019df84f)

Commit: 17a5124f8f0fc4a0001ef5afbebb90de02453f35
    https://github.com/heimdal/heimdal/commit/17a5124f8f0fc4a0001ef5afbebb90de02453f35
Author: David Mulder
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
solaris 8 sparc defines _LP64 to empty, causing build failure

(cherry picked from commit f132d2040dbc326b8f3c8b3970001a966e58ade1)

Commit: 5da575d87c15caaa9eba38f332848b6930fb2afb
    https://github.com/heimdal/heimdal/commit/5da575d87c15caaa9eba38f332848b6930fb2afb
Author: Quanah Gibson-Mount
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M kdc/connect.c

Log Message:
-----------
Fixes https://github.com/heimdal/heimdal/issues/310, use PF_UNIX instead of PF_LOCAL

(cherry picked from commit e7879208e47f60bf88f6a2dad00fb77075843f2c)

Commit: b645b6526afac4121d86579e9fd97fd50dd70909
    https://github.com/heimdal/heimdal/commit/b645b6526afac4121d86579e9fd97fd50dd70909
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c
  M lib/hcrypto/evp.h

Log Message:
-----------
Fix PKCS#11 hcrypto backend regression (#314, #315, #316, #317)

81c778e broke the PKCS#11 hcrypto backend for many cases as it did not support cipherstate resetting. (Prior to 81c778e, which was to fix #194, the PKCS#11 backend did not support cipherstate chaining across invocations.)

hcrypto backends that maintain cipherstate independently of the hcrypto context IV field need to set EVP_CIPH_ALWAYS_CALL_INIT to avoid the two diverging. Their init function should support resetting the cipherstate independently of key scheduling.
(cherry picked from commit a88d00660efc0de15514f0957a51954478e31f45)

Commit: c37a0352191b42eb5c463f121e0bd41fd6938bee
    https://github.com/heimdal/heimdal/commit/c37a0352191b42eb5c463f121e0bd41fd6938bee
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: allow digest update with NULL (#378)

Some callers of EVP_DigestUpdate (such as libntlm) pass NULL as the data argument. PKCS#11 returns CKR_ARGUMENTS_BAD which may poison the context. Pass an empty string to C_DigestUpdate to work around this.

(cherry picked from commit 590be3d7dadb8e17a15261bce9275f37f6dfc917)

Commit: b981424cb59e371179053c51aadf010a4b643970
    https://github.com/heimdal/heimdal/commit/b981424cb59e371179053c51aadf010a4b643970
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: allow digest update with NULL (#378)

In the PKCS#11 backend, add an assertion check to p11_md_update() to validate that the data length is zero if the data is NULL.

(cherry picked from commit 6a1bb953230a2095a9ef7b9f1e979cf519ac616b)

Commit: c20a8fd3b6950b844c9f5dedc4cd85edf0c77100
    https://github.com/heimdal/heimdal/commit/c20a8fd3b6950b844c9f5dedc4cd85edf0c77100
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: don't leak sessions on digest reinit

Clients of the EVP API can reinitialize message digest contexts without destroying them. The PKCS#11 backend assumed they were only used once, and was leaking session handles upon reinitialization. This fix disposes of any existing PKCS#11 message digest context in the initialization method.
(cherry picked from commit 9518f2965b4d0daef0eda733c31c6c26ccae20a4)

Commit: 8c0f6b771619668eca82bd6b758826b39c2f3abe
    https://github.com/heimdal/heimdal/commit/8c0f6b771619668eca82bd6b758826b39c2f3abe
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-wincng.c

Log Message:
-----------
hcrypto WinCNG backend: don't leak handles on digest reinit

Similar fix to 9518f296, but for the WinCNG EVP backend.

(cherry picked from commit bd0b6f8c2b8663e372b713769b554984b2d929ae)

Commit: 17b62207108b7f14e0e495fb85129bdf9fc24cc4
    https://github.com/heimdal/heimdal/commit/17b62207108b7f14e0e495fb85129bdf9fc24cc4
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-wincng.c

Log Message:
-----------
hcrypto WinCNG backend: don't leak handles on crypto reinit

Similar fix to a88d0066, but for the WinCNG EVP backend. However this is just a fix for leaking handles if the same EVP context is used with a new key; there is no functionality issue as cipherstate is maintained directly in the EVP context, not internally by WinCNG.

(cherry picked from commit 3224a282a65bfcabfb730112b53a89f95341f8b3)

Commit: ab5d4c82fd03c36d384ec830e934579fb19f0537
    https://github.com/heimdal/heimdal/commit/ab5d4c82fd03c36d384ec830e934579fb19f0537
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: Call C_Initialize() on every hcrypto call

This is required as the PKCS#11 library needs to be reinitialized after forking. This was causing a problem with ipropd.

This fix appears to incur a repeatable 10ms performance penalty on aes-test. Caching the initialization status using a once control and invalidating it on fork provided no measurable performance benefit on Solaris 11. Other approaches would not be thread-safe or would involve more intrusive code changes, such as exposing heimbase's atomics.
(cherry picked from commit 934d5e09bf3ba0774d303da53446e5ff94daae01)

Change-Id: I47566373f43eab3cb30a24ffbe37bbcd309a5f3e

Commit: 05ed440d20fdd629dbb744c3038af4bbd5b12d97
    https://github.com/heimdal/heimdal/commit/05ed440d20fdd629dbb744c3038af4bbd5b12d97
Author: Jeffrey Altman
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:

Log Message:
-----------
Merge branch 'heimdal-7-1-branch' of github.com:heimdal/heimdal into heimdal-7-1-branch

Change-Id: Iba9c4654df433cec6fe6d09f3c856f48754d3704

Commit: 70edd4ea7c0b957676fe4d5d8ed8f67f549d5c09
    https://github.com/heimdal/heimdal/commit/70edd4ea7c0b957676fe4d5d8ed8f67f549d5c09
Author: Jeffrey Altman
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M NEWS

Log Message:
-----------
NEWS: further updates to 7.6.0

Change-Id: I57dd3c4d403a62dc1dd6252afee474f700ebc09b

Compare: https://github.com/heimdal/heimdal/compare/b2475e191666%5E...70edd4ea7c0b


From noreply at github.com Wed May 15 23:53:44 2019
From: noreply at github.com (Jeffrey Altman)
Date: Wed, 15 May 2019 14:53:44 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] bc1fc6: NEWS: further updates to 7.6.0
Message-ID:

Branch: refs/heads/7.6.0-fixes
Home:   https://github.com/heimdal/heimdal

Commit: bc1fc621619272889b164714a5a5d9e7fd6933a0
    https://github.com/heimdal/heimdal/commit/bc1fc621619272889b164714a5a5d9e7fd6933a0
Author: Jeffrey Altman
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M NEWS

Log Message:
-----------
NEWS: further updates to 7.6.0

Change-Id: I57dd3c4d403a62dc1dd6252afee474f700ebc09b


From noreply at github.com Wed May 15 23:54:17 2019
From: noreply at github.com (Jeffrey Altman)
Date: Wed, 15 May 2019 14:54:17 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 94a03b: NEWS: further updates to 7.6.0
Message-ID:

Branch: refs/heads/7.6.0-fixes
Home:   https://github.com/heimdal/heimdal

Commit: 94a03b67fc5181603f5859d0382a9d081f9cf8b6
    https://github.com/heimdal/heimdal/commit/94a03b67fc5181603f5859d0382a9d081f9cf8b6
Author: Jeffrey Altman
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M NEWS

Log Message:
-----------
NEWS: further updates to 7.6.0

Change-Id: I57dd3c4d403a62dc1dd6252afee474f700ebc09b


From noreply at github.com Wed May 15 23:58:33 2019
From: noreply at github.com (Jeffrey Altman)
Date: Wed, 15 May 2019 14:58:33 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 4e0a07: NEWS: further updates to 7.6.0
Message-ID:

Branch: refs/heads/7.6.0-fixes
Home:   https://github.com/heimdal/heimdal

Commit: 4e0a07dd8fc88b9d3aacb87ca8bb8db2141cfa00
    https://github.com/heimdal/heimdal/commit/4e0a07dd8fc88b9d3aacb87ca8bb8db2141cfa00
Author: Jeffrey Altman
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M NEWS

Log Message:
-----------
NEWS: further updates to 7.6.0

Change-Id: I57dd3c4d403a62dc1dd6252afee474f700ebc09b


From noreply at github.com Wed May 15 23:59:17 2019
From: noreply at github.com (Jeffrey Altman)
Date: Wed, 15 May 2019 14:59:17 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] bbafe7: NEWS: further updates to 7.6.0
Message-ID:

Branch: refs/heads/heimdal-7-1-branch
Home:   https://github.com/heimdal/heimdal

Commit: bbafe725f10b6bfd60e4d411ba08719b632e3043
    https://github.com/heimdal/heimdal/commit/bbafe725f10b6bfd60e4d411ba08719b632e3043
Author: Jeffrey Altman
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M NEWS

Log Message:
-----------
NEWS: further updates to 7.6.0

Change-Id: I57dd3c4d403a62dc1dd6252afee474f700ebc09b


From noreply at github.com Wed May 15 23:59:21 2019
From: noreply at github.com (Jeffrey Altman)
Date: Wed, 15 May 2019 14:59:21 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

Branch: refs/heads/7.6.0-fixes
Home:   https://github.com/heimdal/heimdal


From noreply at github.com Thu May 16 00:19:51 2019
From: noreply at github.com (Jeffrey Altman)
Date: Wed, 15 May 2019 22:19:51 +0000 (UTC)
Subject: [Heimdal-source-changes] [heimdal/heimdal] 8b2c49: sunpro c defines __SUNPRO_C not __SUNPRO_CC
Message-ID:

Branch: refs/tags/heimdal-7.6.0
Home:   https://github.com/heimdal/heimdal

Commit: 8b2c4985384bee6a95ae3a06bcbaaff6fb5063d6
    https://github.com/heimdal/heimdal/commit/8b2c4985384bee6a95ae3a06bcbaaff6fb5063d6
Author: Daria Phoebe Brashear
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M include/heim_threads.h

Log Message:
-----------
sunpro c defines __SUNPRO_C not __SUNPRO_CC

CC is the C++ compiler; C is the C compiler. Use the correct define.

Commit: 4e2db841a28ec3054c39acdce0dc7dc35b2e0120
    https://github.com/heimdal/heimdal/commit/4e2db841a28ec3054c39acdce0dc7dc35b2e0120
Author: Daria Phoebe Brashear
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/libedit/src/makelist

Log Message:
-----------
libedit: makelist should default to awk, but not force it

Solaris needs gawk; we should allow the makefile to override awk with gawk (or whatever else).

Commit: 552cbb3df302106dca0682aa0853ff48d5936859
    https://github.com/heimdal/heimdal/commit/552cbb3df302106dca0682aa0853ff48d5936859
Author: Quanah Gibson-Mount
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/libedit/src/vis.h

Log Message:
-----------
Fixes https://github.com/heimdal/heimdal/issues/294

Commit: 0b6af62fd935d228381a4538fbe3a8f98ee285ce
    https://github.com/heimdal/heimdal/commit/0b6af62fd935d228381a4538fbe3a8f98ee285ce
Author: Quanah Gibson-Mount
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M appl/dceutils/k5dcecon.c
  M kuser/klist.c
  M lib/gssapi/krb5/test_sequence.c
  M lib/hx509/cms.c
  M lib/hx509/print.c
  M lib/kdfs/k5dfspag.c
  M tests/can/check-can.in
  M tests/db/add-modify-delete.in
  M tests/db/check-aliases.in
  M tests/db/loaddump-db.in
  M tests/gss/check-basic.in
  M tests/gss/check-context.in
  M tests/gss/check-gssmask.in
  M tests/gss/check-ntlm.in
  M tests/gss/check-spnego.in
  M tests/kdc/check-canon.in
  M tests/kdc/check-cc.in
  M tests/kdc/check-delegation.in
  M tests/kdc/check-des.in
  M tests/kdc/check-digest.in
  M tests/kdc/check-fast.in
  M tests/kdc/check-hdb-mitdb.in
  M tests/kdc/check-iprop.in
  M tests/kdc/check-kadmin.in
  M tests/kdc/check-kdc.in
  M tests/kdc/check-keys.in
  M tests/kdc/check-kinit.in
  M tests/kdc/check-kpasswdd.in
  M tests/kdc/check-pkinit.in
  M tests/kdc/check-referral.in
  M tests/kdc/check-tester.in
  M tests/kdc/check-uu.in
  M tests/ldap/check-ldap.in
  M tests/plugin/check-pac.in

Log Message:
-----------
Minor typo/grammar fixes

(cherry picked from commit 7c16ce34570ef8b255f2ad1bc3f8fb3b019df84f)

Commit: 56f9911670986e8e3fba4063d1bae05d1bc82170
    https://github.com/heimdal/heimdal/commit/56f9911670986e8e3fba4063d1bae05d1bc82170
Author: David Mulder
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
solaris 8 sparc defines _LP64 to empty, causing build failure

(cherry picked from commit f132d2040dbc326b8f3c8b3970001a966e58ade1)

Commit: f2ee12e91deece93540d1240d516e80d6305bf0e
    https://github.com/heimdal/heimdal/commit/f2ee12e91deece93540d1240d516e80d6305bf0e
Author: Quanah Gibson-Mount
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M kdc/connect.c

Log Message:
-----------
Fixes https://github.com/heimdal/heimdal/issues/310, use PF_UNIX instead of PF_LOCAL

(cherry picked from commit e7879208e47f60bf88f6a2dad00fb77075843f2c)

Commit: edcdb0bae5a6e95522a95ef68826ab0f68d76a7f
    https://github.com/heimdal/heimdal/commit/edcdb0bae5a6e95522a95ef68826ab0f68d76a7f
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c
  M lib/hcrypto/evp.h

Log Message:
-----------
Fix PKCS#11 hcrypto backend regression (#314, #315, #316, #317)

81c778e broke the PKCS#11 hcrypto backend for many cases as it did not support cipherstate resetting. (Prior to 81c778e, which was to fix #194, the PKCS#11 backend did not support cipherstate chaining across invocations.)

hcrypto backends that maintain cipherstate independently of the hcrypto context IV field need to set EVP_CIPH_ALWAYS_CALL_INIT to avoid the two diverging. Their init function should support resetting the cipherstate independently of key scheduling.
(cherry picked from commit a88d00660efc0de15514f0957a51954478e31f45)

Commit: 9c859ac64fba8e59d27af0aca3efca7b79a7b4a8
    https://github.com/heimdal/heimdal/commit/9c859ac64fba8e59d27af0aca3efca7b79a7b4a8
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: allow digest update with NULL (#378)

Some callers of EVP_DigestUpdate (such as libntlm) pass NULL as the data argument. PKCS#11 returns CKR_ARGUMENTS_BAD which may poison the context. Pass an empty string to C_DigestUpdate to work around this.

(cherry picked from commit 590be3d7dadb8e17a15261bce9275f37f6dfc917)

Commit: fdfa1f225eb843ca2a40f2da71292f4d11c60811
    https://github.com/heimdal/heimdal/commit/fdfa1f225eb843ca2a40f2da71292f4d11c60811
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: allow digest update with NULL (#378)

In the PKCS#11 backend, add an assertion check to p11_md_update() to validate that the data length is zero if the data is NULL.

(cherry picked from commit 6a1bb953230a2095a9ef7b9f1e979cf519ac616b)

Commit: c2bcabb86c8ac0d7cbd69fb06c80d8b3856bf63e
    https://github.com/heimdal/heimdal/commit/c2bcabb86c8ac0d7cbd69fb06c80d8b3856bf63e
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: don't leak sessions on digest reinit

Clients of the EVP API can reinitialize message digest contexts without destroying them. The PKCS#11 backend assumed they were only used once, and was leaking session handles upon reinitialization. This fix disposes of any existing PKCS#11 message digest context in the initialization method.
(cherry picked from commit 9518f2965b4d0daef0eda733c31c6c26ccae20a4)

Commit: 9e76f25322ed2decef2807107e1e88f596305072
    https://github.com/heimdal/heimdal/commit/9e76f25322ed2decef2807107e1e88f596305072
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-wincng.c

Log Message:
-----------
hcrypto WinCNG backend: don't leak handles on digest reinit

Similar fix to 9518f296, but for the WinCNG EVP backend.

(cherry picked from commit bd0b6f8c2b8663e372b713769b554984b2d929ae)

Commit: 613cb65e9ef6881167a1dd2a299800959649eb24
    https://github.com/heimdal/heimdal/commit/613cb65e9ef6881167a1dd2a299800959649eb24
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-wincng.c

Log Message:
-----------
hcrypto WinCNG backend: don't leak handles on crypto reinit

Similar fix to a88d0066, but for the WinCNG EVP backend. However this is just a fix for leaking handles if the same EVP context is used with a new key; there is no functionality issue as cipherstate is maintained directly in the EVP context, not internally by WinCNG.

(cherry picked from commit 3224a282a65bfcabfb730112b53a89f95341f8b3)

Commit: 5995db43564f31537c52c823851bf2b565543cc7
    https://github.com/heimdal/heimdal/commit/5995db43564f31537c52c823851bf2b565543cc7
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: Call C_Initialize() on every hcrypto call

This is required as the PKCS#11 library needs to be reinitialized after forking. This was causing a problem with ipropd.

This fix appears to incur a repeatable 10ms performance penalty on aes-test. Caching the initialization status using a once control and invalidating it on fork provided no measurable performance benefit on Solaris 11. Other approaches would not be thread-safe or would involve more intrusive code changes, such as exposing heimbase's atomics.
(cherry picked from commit 934d5e09bf3ba0774d303da53446e5ff94daae01)

Change-Id: I47566373f43eab3cb30a24ffbe37bbcd309a5f3e

Commit: bbafe725f10b6bfd60e4d411ba08719b632e3043
    https://github.com/heimdal/heimdal/commit/bbafe725f10b6bfd60e4d411ba08719b632e3043
Author: Jeffrey Altman
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M NEWS

Log Message:
-----------
NEWS: further updates to 7.6.0

Change-Id: I57dd3c4d403a62dc1dd6252afee474f700ebc09b

Compare: https://github.com/heimdal/heimdal/compare/d0a558f918c9...bbafe725f10b


From noreply at github.com Thu May 16 02:21:49 2019
From: noreply at github.com (Luke Howard)
Date: Wed, 15 May 2019 17:21:49 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 78b868: hcrypto PKCS#11 backend: fix 5995db43564f31537c52c...
Message-ID:

Branch: refs/heads/heimdal-7.6.0-fix
Home:   https://github.com/heimdal/heimdal

Commit: 78b868c85257a83fcaf81856075db67656958ea2
    https://github.com/heimdal/heimdal/commit/78b868c85257a83fcaf81856075db67656958ea2
Author: Luke Howard
Date:   2019-05-15 (Wed, 15 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: fix 5995db43564f31537c52c823851bf2b565543cc7

The cherry pick of 934d5e09bf3ba0774d303da53446e5ff94daae01 dropped the initialization of p11_module_load() *ppFunctionList to NULL.
Change-Id: I0b07315c040340c7ca95ff87fd985c6c7e865aeb


From noreply at github.com Thu May 16 08:23:22 2019
From: noreply at github.com (Jeffrey Altman)
Date: Wed, 15 May 2019 23:23:22 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] bdcd7d: krb5_principal_is_anonymous
Message-ID:

Branch: refs/heads/master
Home:   https://github.com/heimdal/heimdal

Commit: bdcd7d2f3dc02f902628a9145084cf7a80496f7a
    https://github.com/heimdal/heimdal/commit/bdcd7d2f3dc02f902628a9145084cf7a80496f7a
Author: Jeffrey Altman
Date:   2019-05-16 (Thu, 16 May 2019)

Changed paths:
  M kdc/kerberos5.c
  M kuser/kinit.c
  M kuser/kuser_locl.h
  M lib/krb5/krb5.h
  M lib/krb5/libkrb5-exports.def.in
  M lib/krb5/principal.c
  M lib/krb5/ticket.c
  M lib/krb5/version-script.map

Log Message:
-----------
krb5_principal_is_anonymous

_krb5_principal_is_anonymous() is used outside lib/krb5 and therefore it needs to be properly exported and its flag macros need to be in a public header: krb5.h not krb5_locl.h. Including krb5_locl.h from within kuser_locl.h for instance results in build failures on Solaris.

This change renames the function and makes it part of the public api.
Change-Id: I130d1698b10bdbd150b95e8c7d32dfc362889ce6


From noreply at github.com Thu May 16 16:53:39 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 16 May 2019 07:53:39 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 69f992: krb5_sendto_kdc: Windows no KDC reachable error
Message-ID:

Branch: refs/heads/jaltman/windows-sendto-kdc-fix
Home:   https://github.com/heimdal/heimdal

Commit: 69f99276cc3a7b4dcd4a166348f67cd1b3b03f9c
    https://github.com/heimdal/heimdal/commit/69f99276cc3a7b4dcd4a166348f67cd1b3b03f9c
Author: Jeffrey Altman
Date:   2019-05-16 (Thu, 16 May 2019)

Changed paths:
  M lib/krb5/send_to_kdc.c

Log Message:
-----------
krb5_sendto_kdc: Windows no KDC reachable error

The combination of 8740528b2477f872147998ca19a66d2fae12631b ("Windows-compatible sentinel socket type and value") and d497d7e4a796c6bda153e7f10fe9478724b855ab ("krb5_sendto_kdc: failover for multiple AAAA/A RRs on one domain") broke the whole send to kdc loop on Windows.

rk_socket_t is a HANDLE and rk_INVALID_SOCKET is the max value. Therefore, no valid socket will be larger and all communications will fail.
Change-Id: I3464f78d67b19f14050ad7a01738fb32bac99385


From noreply at github.com Thu May 16 18:10:01 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 16 May 2019 09:10:01 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] a1276c: krb5_sendto_kdc: Windows no KDC reachable error
Message-ID:

Branch: refs/heads/master
Home:   https://github.com/heimdal/heimdal

Commit: a1276c54aaebb0c6e71b3347ba2a49cb27d0c5ee
    https://github.com/heimdal/heimdal/commit/a1276c54aaebb0c6e71b3347ba2a49cb27d0c5ee
Author: Jeffrey Altman
Date:   2019-05-16 (Thu, 16 May 2019)

Changed paths:
  M lib/krb5/send_to_kdc.c

Log Message:
-----------
krb5_sendto_kdc: Windows no KDC reachable error

The combination of 8740528b2477f872147998ca19a66d2fae12631b ("Windows-compatible sentinel socket type and value") and d497d7e4a796c6bda153e7f10fe9478724b855ab ("krb5_sendto_kdc: failover for multiple AAAA/A RRs on one domain") broke the whole send to kdc loop on Windows.

rk_socket_t is a HANDLE and rk_INVALID_SOCKET is the max value. Therefore, no valid socket will be larger and all communications will fail.
Change-Id: I3464f78d67b19f14050ad7a01738fb32bac99385


From noreply at github.com Thu May 16 18:12:03 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 16 May 2019 09:12:03 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

Branch: refs/heads/jaltman/windows-sendto-kdc-fix
Home:   https://github.com/heimdal/heimdal


From noreply at github.com Thu May 16 18:13:00 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 16 May 2019 09:13:00 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 98a1e6: krb5_sendto_kdc: Windows no KDC reachable error
Message-ID:

Branch: refs/heads/heimdal-7.6.0-fix
Home:   https://github.com/heimdal/heimdal

Commit: 98a1e630e96ec60c8cb4050ab7db3f77dcba4d58
    https://github.com/heimdal/heimdal/commit/98a1e630e96ec60c8cb4050ab7db3f77dcba4d58
Author: Jeffrey Altman
Date:   2019-05-16 (Thu, 16 May 2019)

Changed paths:
  M lib/krb5/send_to_kdc.c

Log Message:
-----------
krb5_sendto_kdc: Windows no KDC reachable error

The combination of 8740528b2477f872147998ca19a66d2fae12631b ("Windows-compatible sentinel socket type and value") and d497d7e4a796c6bda153e7f10fe9478724b855ab ("krb5_sendto_kdc: failover for multiple AAAA/A RRs on one domain") broke the whole send to kdc loop on Windows.

rk_socket_t is a HANDLE and rk_INVALID_SOCKET is the max value. Therefore, no valid socket will be larger and all communications will fail.

Change-Id: I3464f78d67b19f14050ad7a01738fb32bac99385
(cherry picked from commit a1276c54aaebb0c6e71b3347ba2a49cb27d0c5ee)


From noreply at github.com Thu May 16 19:47:21 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 16 May 2019 10:47:21 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] dcc814: hcrypto PKCS#11 backend: fix 5995db43564f31537c52c...
Message-ID:

Branch: refs/heads/heimdal-7-1-branch
Home:   https://github.com/heimdal/heimdal

Commit: dcc81499c3c6130454cc0ef7c6e56a09dc2ac350
    https://github.com/heimdal/heimdal/commit/dcc81499c3c6130454cc0ef7c6e56a09dc2ac350
Author: Luke Howard
Date:   2019-05-16 (Thu, 16 May 2019)

Changed paths:
  M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto PKCS#11 backend: fix 5995db43564f31537c52c823851bf2b565543cc7

The cherry pick of 934d5e09bf3ba0774d303da53446e5ff94daae01 dropped the initialization of p11_module_load() *ppFunctionList to NULL.

Change-Id: I0b07315c040340c7ca95ff87fd985c6c7e865aeb

Commit: 9a1a98f93ec19ee8dda0bda72b311c428128a4d7
    https://github.com/heimdal/heimdal/commit/9a1a98f93ec19ee8dda0bda72b311c428128a4d7
Author: Jeffrey Altman
Date:   2019-05-16 (Thu, 16 May 2019)

Changed paths:
  M lib/krb5/send_to_kdc.c

Log Message:
-----------
krb5_sendto_kdc: Windows no KDC reachable error

The combination of 8740528b2477f872147998ca19a66d2fae12631b ("Windows-compatible sentinel socket type and value") and d497d7e4a796c6bda153e7f10fe9478724b855ab ("krb5_sendto_kdc: failover for multiple AAAA/A RRs on one domain") broke the whole send to kdc loop on Windows.

rk_socket_t is a HANDLE and rk_INVALID_SOCKET is the max value. Therefore, no valid socket will be larger and all communications will fail.
Change-Id: I3464f78d67b19f14050ad7a01738fb32bac99385
(cherry picked from commit a1276c54aaebb0c6e71b3347ba2a49cb27d0c5ee)

Compare: https://github.com/heimdal/heimdal/compare/bbafe725f10b...9a1a98f93ec1

From noreply at github.com Thu May 16 22:34:11 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 16 May 2019 13:34:11 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] dc5e29: hcrypto: avoid hcrypto_validate race
Message-ID:

Branch: refs/heads/jaltman/hcrypto_validation_race
Home: https://github.com/heimdal/heimdal
Commit: dc5e29c25e42c5cfe787ccbaf6890fa865abbb27
https://github.com/heimdal/heimdal/commit/dc5e29c25e42c5cfe787ccbaf6890fa865abbb27
Author: Jeffrey Altman
Date: 2019-05-16 (Thu, 16 May 2019)

Changed paths:
M lib/hcrypto/validate.c

Log Message:
-----------
hcrypto: avoid hcrypto_validate race

Do not increment 'validated' until after all of the validation steps have been performed. While it's ok to validate more than once, we need to ensure that validation occurs at least once before the cipher is used.
Change-Id: I6896c132ec2a7423c5166c1c074a2dedac54e00d

From noreply at github.com Thu May 16 23:14:16 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 16 May 2019 14:14:16 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

Branch: refs/heads/jaltman/hcrypto_validation_race
Home: https://github.com/heimdal/heimdal

From noreply at github.com Sat May 18 05:58:52 2019
From: noreply at github.com (Luke Howard)
Date: Fri, 17 May 2019 20:58:52 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] dc791c: krb5: remove duplicate KRB5_ANON_MATCH_xxx defines
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: dc791c8fcfb8f61fe0d0a14307a6a6cf999a13b7
https://github.com/heimdal/heimdal/commit/dc791c8fcfb8f61fe0d0a14307a6a6cf999a13b7
Author: Luke Howard
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M lib/krb5/krb5_locl.h

Log Message:
-----------
krb5: remove duplicate KRB5_ANON_MATCH_xxx defines

Commit bdcd7d2f moved the KRB5_ANON_MATCH_xxx preprocessor symbols to krb5.h, but did not remove the originals from krb5_locl.h. This commit removes them.

From noreply at github.com Sat May 18 23:15:28 2019
From: noreply at github.com (Luke Howard)
Date: Sat, 18 May 2019 14:15:28 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 5c70e5: hcrypto-pkcs11: check mechanism flags
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 5c70e5015edbe056eb192c166c3056c29d70482b
https://github.com/heimdal/heimdal/commit/5c70e5015edbe056eb192c166c3056c29d70482b
Author: Luke Howard
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto-pkcs11: check mechanism flags

Before committing to a PKCS#11 mechanism, check that it can provide the required encryption or digest services by validating the flags returned by C_GetMechanismInfo().
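The mechanism-flags check described in the commit above (5c70e5), shown as an added example; this is not Heimdal's evp-pkcs11.c code. It assumes a caller expresses the operation it needs as an enum, and it redeclares the CKF_* flag bits with the values given in the PKCS#11 specification so that it compiles without pkcs11.h. The mechanism table is constructed for the example and stands in for what C_GetMechanismInfo() would report for each mechanism type.

```c
#include <stdio.h>
#include <stddef.h>

/* Types and CKF_* bits as defined by the PKCS#11 specification,
 * redeclared here so the example builds without pkcs11.h. */
typedef unsigned long CK_FLAGS;
typedef unsigned long CK_MECHANISM_TYPE;

#define CKF_ENCRYPT 0x00000100UL
#define CKF_DECRYPT 0x00000200UL
#define CKF_DIGEST  0x00000400UL
#define CKF_SIGN    0x00000800UL
#define CKF_VERIFY  0x00002000UL

/* The service the caller is about to ask the mechanism for (assumed API). */
enum hc_op { HC_OP_ENCRYPT, HC_OP_DECRYPT, HC_OP_DIGEST, HC_OP_SIGN, HC_OP_VERIFY };

/* Constructed stand-in for the flags C_GetMechanismInfo() returns per mechanism. */
struct mech_entry {
    CK_MECHANISM_TYPE type;
    const char *name;
    CK_FLAGS flags;
};

/* Map the requested operation to the CKF_* bit the token must advertise.
 * An unknown operation maps to 0 so that no mechanism can satisfy it. */
static CK_FLAGS required_flags(enum hc_op op)
{
    switch (op) {
    case HC_OP_ENCRYPT: return CKF_ENCRYPT;
    case HC_OP_DECRYPT: return CKF_DECRYPT;
    case HC_OP_DIGEST:  return CKF_DIGEST;
    case HC_OP_SIGN:    return CKF_SIGN;
    case HC_OP_VERIFY:  return CKF_VERIFY;
    default:            return 0;
    }
}

/* 1 if the advertised flags cover every bit the operation needs, else 0.
 * A mechanism that only advertises CKF_DIGEST is therefore rejected for
 * encryption instead of being committed to and failing later. */
int mech_supports(CK_FLAGS advertised, enum hc_op op)
{
    CK_FLAGS need = required_flags(op);
    return need != 0 && (advertised & need) == need;
}

/* Index of the first mechanism in table[] that supports op, or -1 if none.
 * The flag check happens before any session or key object is created. */
int select_mechanism(const struct mech_entry *table, size_t n, enum hc_op op)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (mech_supports(table[i].flags, op))
            return (int)i;
    return -1;
}

/* Constructed table: three mechanisms with the flags a typical token reports. */
const struct mech_entry demo_table[] = {
    { 0x1082UL, "CKM_AES_CBC",     CKF_ENCRYPT | CKF_DECRYPT },
    { 0x0250UL, "CKM_SHA256",      CKF_DIGEST },
    { 0x0251UL, "CKM_SHA256_HMAC", CKF_SIGN | CKF_VERIFY },
};
const size_t demo_table_len = sizeof(demo_table) / sizeof(demo_table[0]);

int main(void)
{
    static const enum hc_op ops[] = { HC_OP_ENCRYPT, HC_OP_DIGEST, HC_OP_VERIFY };
    static const char *names[] = { "encrypt", "digest", "verify" };
    size_t i;

    for (i = 0; i < sizeof(ops) / sizeof(ops[0]); i++) {
        int idx = select_mechanism(demo_table, demo_table_len, ops[i]);
        if (idx < 0)
            printf("%-7s: no mechanism advertises the required flag\n", names[i]);
        else
            printf("%-7s: %s (flags 0x%lx)\n", names[i],
                   demo_table[idx].name, demo_table[idx].flags);
    }
    return 0;
}
```

The point of checking flags up front is that a token may list a mechanism type without supporting the operation the caller has in mind; selecting by type alone and discovering the gap at C_EncryptInit() time leaves the caller with a half-initialised context to unwind.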
From noreply at github.com Sat May 18 23:25:19 2019
From: noreply at github.com (Luke Howard)
Date: Sat, 18 May 2019 14:25:19 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 4bf526: hcrypto-pkcs11: check mechanism flags
Message-ID:

Branch: refs/heads/jaltman/heimdal-7.6-fixes
Home: https://github.com/heimdal/heimdal
Commit: 4bf526078275620de8dfa79e6776210db26d1c0e
https://github.com/heimdal/heimdal/commit/4bf526078275620de8dfa79e6776210db26d1c0e
Author: Luke Howard
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto-pkcs11: check mechanism flags

Before committing to a PKCS#11 mechanism, check that it can provide the required encryption or digest services by validating the flags returned by C_GetMechanismInfo().

(cherry picked from commit 5c70e5015edbe056eb192c166c3056c29d70482b)

From noreply at github.com Sun May 19 01:51:47 2019
From: noreply at github.com (Luke Howard)
Date: Sat, 18 May 2019 16:51:47 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] cabd96: hcrypto-pkcs11: check mechanism flags
Message-ID:

Branch: refs/heads/heimdal-7-1-branch
Home: https://github.com/heimdal/heimdal
Commit: cabd96a7b3e35eccef5118b1a265635e15c3f418
https://github.com/heimdal/heimdal/commit/cabd96a7b3e35eccef5118b1a265635e15c3f418
Author: Luke Howard
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M lib/hcrypto/evp-pkcs11.c

Log Message:
-----------
hcrypto-pkcs11: check mechanism flags

Before committing to a PKCS#11 mechanism, check that it can provide the required encryption or digest services by validating the flags returned by C_GetMechanismInfo().
(cherry picked from commit 5c70e5015edbe056eb192c166c3056c29d70482b)

From noreply at github.com Sun May 19 01:51:50 2019
From: noreply at github.com (Jeffrey Altman)
Date: Sat, 18 May 2019 16:51:50 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

Branch: refs/heads/jaltman/heimdal-7.6-fixes
Home: https://github.com/heimdal/heimdal

From noreply at github.com Sun May 19 02:31:54 2019
From: noreply at github.com (Luke Howard)
Date: Sat, 18 May 2019 17:31:54 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 014e31: krb5: check KDC supports anonymous if requested
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 014e318d6bdefd8ecfcb99ca9928921f6a49d721
https://github.com/heimdal/heimdal/commit/014e318d6bdefd8ecfcb99ca9928921f6a49d721
Author: Luke Howard
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M lib/krb5/get_cred.c
M lib/krb5/get_in_tkt.c
M lib/krb5/init_creds_pw.c
M lib/krb5/krb5_locl.h
M lib/krb5/ticket.c

Log Message:
-----------
krb5: check KDC supports anonymous if requested

Verify the KDC recognized the request-anonymous flag by validating the returned client principal name.
From noreply at github.com Sun May 19 02:42:44 2019
From: noreply at github.com (Luke Howard)
Date: Sat, 18 May 2019 17:42:44 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] bcc0cf: krb5: check KDC supports anonymous if requested
Message-ID:

Branch: refs/heads/jaltman/heimdal-7.6-fixes
Home: https://github.com/heimdal/heimdal
Commit: bcc0cf473df7816a09880e3bb7796ea6ad011cb0
https://github.com/heimdal/heimdal/commit/bcc0cf473df7816a09880e3bb7796ea6ad011cb0
Author: Luke Howard
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M lib/krb5/get_cred.c
M lib/krb5/get_in_tkt.c
M lib/krb5/init_creds_pw.c
M lib/krb5/krb5_locl.h
M lib/krb5/ticket.c

Log Message:
-----------
krb5: check KDC supports anonymous if requested

Verify the KDC recognized the request-anonymous flag by validating the returned client principal name.

(cherry picked from commit 014e318d6bdefd8ecfcb99ca9928921f6a49d721)

From noreply at github.com Sun May 19 03:49:55 2019
From: noreply at github.com (Luke Howard)
Date: Sat, 18 May 2019 18:49:55 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 2f110d: krb5_principal_is_anonymous
Message-ID:

Branch: refs/heads/jaltman/heimdal-7.6-fixes
Home: https://github.com/heimdal/heimdal
Commit: 2f110d6608a1f167052df0c1813b839ee7c2cd02
https://github.com/heimdal/heimdal/commit/2f110d6608a1f167052df0c1813b839ee7c2cd02
Author: Jeffrey Altman
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M kdc/kerberos5.c
M kuser/kinit.c
M kuser/kuser_locl.h
M lib/krb5/krb5.h
M lib/krb5/libkrb5-exports.def.in
M lib/krb5/principal.c
M lib/krb5/ticket.c
M lib/krb5/version-script.map

Log Message:
-----------
krb5_principal_is_anonymous

_krb5_principal_is_anonymous() is used outside lib/krb5 and therefore it needs to be properly exported and its flag macros need to be in a public header: krb5.h not krb5_locl.h. Including krb5_locl.h from within kuser_locl.h for instance results in build failures on Solaris.
This change renames the function and makes it part of the public api.

Change-Id: I130d1698b10bdbd150b95e8c7d32dfc362889ce6
(cherry picked from commit bdcd7d2f3dc02f902628a9145084cf7a80496f7a)

Commit: 20032f8447c9b01bee9fc9bbc629789b23f38c59
https://github.com/heimdal/heimdal/commit/20032f8447c9b01bee9fc9bbc629789b23f38c59
Author: Luke Howard
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M lib/krb5/get_cred.c
M lib/krb5/get_in_tkt.c
M lib/krb5/init_creds_pw.c
M lib/krb5/krb5_locl.h
M lib/krb5/ticket.c

Log Message:
-----------
krb5: check KDC supports anonymous if requested

Verify the KDC recognized the request-anonymous flag by validating the returned client principal name.

(cherry picked from commit 014e318d6bdefd8ecfcb99ca9928921f6a49d721)

Compare: https://github.com/heimdal/heimdal/compare/bcc0cf473df7...20032f8447c9

From noreply at github.com Sun May 19 04:33:50 2019
From: noreply at github.com (Isaac Boukris)
Date: Sat, 18 May 2019 19:33:50 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] b7fe0f: kdc: allow checksum of PA-FOR-USER to be HMAC_MD5
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: b7fe0fb85a780fed3c54ed2539fc974db1884dc2
https://github.com/heimdal/heimdal/commit/b7fe0fb85a780fed3c54ed2539fc974db1884dc2
Author: Isaac Boukris
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M kdc/krb5tgs.c
M lib/krb5/libkrb5-exports.def.in
M lib/krb5/version-script.map
M tests/kdc/check-kdc.in

Log Message:
-----------
kdc: allow checksum of PA-FOR-USER to be HMAC_MD5 even if tgt used an enctype with a different checksum.

Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is always HMAC_MD5, and that's what Windows and MIT clients send. In heimdal both the client and kdc use instead the checksum of the tgt, and therefore work with each other, but windows and MIT clients fail against heimdal KDC. Both Windows and MIT KDC would allow any keyed checksum to be used, so Heimdal clients work fine against them.
Change Heimdal KDC to allow HMAC_MD5 even for non RC4 based tgt in order to support per-spec clients.

Signed-off-by: Isaac Boukris

From noreply at github.com Sun May 19 05:19:08 2019
From: noreply at github.com (Luke Howard)
Date: Sat, 18 May 2019 20:19:08 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] c63414: kdc: use actual client princ for KRB5SignedPath
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: c634146b14be9746d70d6a448e9bb2dd6f518c44
https://github.com/heimdal/heimdal/commit/c634146b14be9746d70d6a448e9bb2dd6f518c44
Author: Luke Howard
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M kdc/kerberos5.c
M kdc/krb5tgs.c

Log Message:
-----------
kdc: use actual client princ for KRB5SignedPath

When generating KRB5SignedPath in the AS, use the reply client name rather than the one from the request, so validation will work correctly in the TGS.

Commit: 8350f34a05ba2cbc1ead0214eb85352f8e7805ef
https://github.com/heimdal/heimdal/commit/8350f34a05ba2cbc1ead0214eb85352f8e7805ef
Author: Luke Howard
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M lib/krb5/init_creds.c
M lib/krb5/krb5_locl.h
M lib/krb5/pkinit.c

Log Message:
-----------
krb5: don't require krbtgt otherName match for Win2K

Merged from Apple branch: when the Win2K PKINIT compatibility option is set, do not require krbtgt otherName to match when validating KDC certificate.
Commit: fd209c5dca89e599f24a853cc9e9a55dc2d04f4c
https://github.com/heimdal/heimdal/commit/fd209c5dca89e599f24a853cc9e9a55dc2d04f4c
Author: Luke Howard
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M lib/krb5/pkinit.c

Log Message:
-----------
krb5: set PKINIT_BTMM flag per Apple implementation

Commit: a7bb4504f2f3dfb276f8aa154858f46ed1063011
https://github.com/heimdal/heimdal/commit/a7bb4504f2f3dfb276f8aa154858f46ed1063011
Author: Luke Howard
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M kuser/klist.c

Log Message:
-----------
klist: display all known flags when listing tickets

Show transited-policy-checked, ok-as-delegate and anonymous flags when listing credentials.

Compare: https://github.com/heimdal/heimdal/compare/b7fe0fb85a78...a7bb4504f2f3

From noreply at github.com Sun May 19 05:19:33 2019
From: noreply at github.com (Luke Howard)
Date: Sat, 18 May 2019 20:19:33 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 211b3f: krb5_principal_is_anonymous
Message-ID:

Branch: refs/heads/heimdal-7-1-branch
Home: https://github.com/heimdal/heimdal
Commit: 211b3f0ae3abb7989b8312c87d71c39c6f8daa62
https://github.com/heimdal/heimdal/commit/211b3f0ae3abb7989b8312c87d71c39c6f8daa62
Author: Jeffrey Altman
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M kdc/kerberos5.c
M kuser/kinit.c
M kuser/kuser_locl.h
M lib/krb5/krb5.h
M lib/krb5/libkrb5-exports.def.in
M lib/krb5/principal.c
M lib/krb5/ticket.c
M lib/krb5/version-script.map

Log Message:
-----------
krb5_principal_is_anonymous

_krb5_principal_is_anonymous() is used outside lib/krb5 and therefore it needs to be properly exported and its flag macros need to be in a public header: krb5.h not krb5_locl.h. Including krb5_locl.h from within kuser_locl.h for instance results in build failures on Solaris.

This change renames the function and makes it part of the public api.
Change-Id: I130d1698b10bdbd150b95e8c7d32dfc362889ce6
(cherry picked from commit bdcd7d2f3dc02f902628a9145084cf7a80496f7a)

Commit: 61c5d273ca07dab99e57e7f753f85b40ca531796
https://github.com/heimdal/heimdal/commit/61c5d273ca07dab99e57e7f753f85b40ca531796
Author: Luke Howard
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M lib/krb5/get_cred.c
M lib/krb5/get_in_tkt.c
M lib/krb5/init_creds_pw.c
M lib/krb5/krb5_locl.h
M lib/krb5/ticket.c

Log Message:
-----------
krb5: check KDC supports anonymous if requested

Verify the KDC recognized the request-anonymous flag by validating the returned client principal name.

(cherry picked from commit 014e318d6bdefd8ecfcb99ca9928921f6a49d721)

Compare: https://github.com/heimdal/heimdal/compare/cabd96a7b3e3...61c5d273ca07

From noreply at github.com Sun May 19 05:19:41 2019
From: noreply at github.com (Jeffrey Altman)
Date: Sat, 18 May 2019 20:19:41 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

Branch: refs/heads/jaltman/heimdal-7.6-fixes
Home: https://github.com/heimdal/heimdal

From noreply at github.com Sun May 19 05:23:43 2019
From: noreply at github.com (Isaac Boukris)
Date: Sat, 18 May 2019 20:23:43 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 625eb2: kdc: use actual client princ for KRB5SignedPath
Message-ID:

Branch: refs/heads/jaltman/heimdal-7.6-fixes
Home: https://github.com/heimdal/heimdal
Commit: 625eb27347e0bbb4d2a617b0a5f9ec336c791e08
https://github.com/heimdal/heimdal/commit/625eb27347e0bbb4d2a617b0a5f9ec336c791e08
Author: Luke Howard
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M kdc/kerberos5.c
M kdc/krb5tgs.c

Log Message:
-----------
kdc: use actual client princ for KRB5SignedPath

When generating KRB5SignedPath in the AS, use the reply client name rather than the one from the request, so validation will work correctly in the TGS.
(cherry picked from commit c634146b14be9746d70d6a448e9bb2dd6f518c44)

Commit: 3d72b44772bce5d0139d7bc8672834ac8bab6f46
https://github.com/heimdal/heimdal/commit/3d72b44772bce5d0139d7bc8672834ac8bab6f46
Author: Luke Howard
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M lib/krb5/init_creds.c
M lib/krb5/krb5_locl.h
M lib/krb5/pkinit.c

Log Message:
-----------
krb5: don't require krbtgt otherName match for Win2K

Merged from Apple branch: when the Win2K PKINIT compatibility option is set, do not require krbtgt otherName to match when validating KDC certificate.

(cherry picked from commit 8350f34a05ba2cbc1ead0214eb85352f8e7805ef)

Commit: 6116640a18d049accb0217cf319e10416daa2190
https://github.com/heimdal/heimdal/commit/6116640a18d049accb0217cf319e10416daa2190
Author: Luke Howard
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M lib/krb5/pkinit.c

Log Message:
-----------
krb5: set PKINIT_BTMM flag per Apple implementation

(cherry picked from commit fd209c5dca89e599f24a853cc9e9a55dc2d04f4c)

Commit: 4f864fb74442882b879f5fad1630049d0c2fbc28
https://github.com/heimdal/heimdal/commit/4f864fb74442882b879f5fad1630049d0c2fbc28
Author: Luke Howard
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M kuser/klist.c

Log Message:
-----------
klist: display all known flags when listing tickets

Show transited-policy-checked, ok-as-delegate and anonymous flags when listing credentials.

(cherry picked from commit a7bb4504f2f3dfb276f8aa154858f46ed1063011)

Commit: 17c7042bce2e578cf1bad01b6aacef0f84fd210a
https://github.com/heimdal/heimdal/commit/17c7042bce2e578cf1bad01b6aacef0f84fd210a
Author: Isaac Boukris
Date: 2019-05-18 (Sat, 18 May 2019)

Changed paths:
M kdc/krb5tgs.c
M lib/krb5/libkrb5-exports.def.in
M lib/krb5/version-script.map
M tests/kdc/check-kdc.in

Log Message:
-----------
kdc: allow checksum of PA-FOR-USER to be HMAC_MD5 even if tgt used an enctype with a different checksum.
Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is always HMAC_MD5, and that's what Windows and MIT clients send. In heimdal both the client and kdc use instead the checksum of the tgt, and therefore work with each other, but windows and MIT clients fail against heimdal KDC. Both Windows and MIT KDC would allow any keyed checksum to be used, so Heimdal clients work fine against them.

Change Heimdal KDC to allow HMAC_MD5 even for non RC4 based tgt in order to support per-spec clients.

Signed-off-by: Isaac Boukris
(cherry picked from commit b7fe0fb85a780fed3c54ed2539fc974db1884dc2)

Compare: https://github.com/heimdal/heimdal/compare/625eb27347e0%5E...17c7042bce2e

From noreply at github.com Sun May 19 16:09:58 2019
From: noreply at github.com (Jeffrey Altman)
Date: Sun, 19 May 2019 07:09:58 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

Branch: refs/heads/jaltman/heimdal-7.6-fixes
Home: https://github.com/heimdal/heimdal

From noreply at github.com Sun May 19 16:35:52 2019
From: noreply at github.com (Luke Howard)
Date: Sun, 19 May 2019 07:35:52 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] b12d32: krb5: remove duplicate KRB5_ANON_MATCH_xxx defines
Message-ID:

Branch: refs/heads/jaltman/heimdal-7.6-fixes
Home: https://github.com/heimdal/heimdal
Commit: b12d322906b92a0f6c627425e9caa6a565e7b25f
https://github.com/heimdal/heimdal/commit/b12d322906b92a0f6c627425e9caa6a565e7b25f
Author: Luke Howard
Date: 2019-05-19 (Sun, 19 May 2019)

Changed paths:
M lib/krb5/krb5_locl.h

Log Message:
-----------
krb5: remove duplicate KRB5_ANON_MATCH_xxx defines

Commit bdcd7d2f moved the KRB5_ANON_MATCH_xxx preprocessor symbols to krb5.h, but did not remove the originals from krb5_locl.h. This commit removes them.
(cherry picked from commit dc791c8fcfb8f61fe0d0a14307a6a6cf999a13b7)

Change-Id: Ia24d4b1467c6547a9748325c9632d1df5add563c

Commit: ad6ed7c7e3742e49520f1c79fb596c1fd7a29d91
https://github.com/heimdal/heimdal/commit/ad6ed7c7e3742e49520f1c79fb596c1fd7a29d91
Author: Luke Howard
Date: 2019-05-19 (Sun, 19 May 2019)

Changed paths:
M kdc/kerberos5.c
M kdc/krb5tgs.c

Log Message:
-----------
kdc: use actual client princ for KRB5SignedPath

When generating KRB5SignedPath in the AS, use the reply client name rather than the one from the request, so validation will work correctly in the TGS.

(cherry picked from commit c634146b14be9746d70d6a448e9bb2dd6f518c44)

Commit: 4ac29cecb0fb34e4e6fec9351ce5ee0495de47a8
https://github.com/heimdal/heimdal/commit/4ac29cecb0fb34e4e6fec9351ce5ee0495de47a8
Author: Luke Howard
Date: 2019-05-19 (Sun, 19 May 2019)

Changed paths:
M lib/krb5/init_creds.c
M lib/krb5/krb5_locl.h
M lib/krb5/pkinit.c

Log Message:
-----------
krb5: don't require krbtgt otherName match for Win2K

Merged from Apple branch: when the Win2K PKINIT compatibility option is set, do not require krbtgt otherName to match when validating KDC certificate.
(cherry picked from commit 8350f34a05ba2cbc1ead0214eb85352f8e7805ef)

Commit: 37abcd741e5501ccc08cfaac914d14279b4488f6
https://github.com/heimdal/heimdal/commit/37abcd741e5501ccc08cfaac914d14279b4488f6
Author: Luke Howard
Date: 2019-05-19 (Sun, 19 May 2019)

Changed paths:
M lib/krb5/pkinit.c

Log Message:
-----------
krb5: set PKINIT_BTMM flag per Apple implementation

(cherry picked from commit fd209c5dca89e599f24a853cc9e9a55dc2d04f4c)

Compare: https://github.com/heimdal/heimdal/compare/4f864fb74442...37abcd741e55

From noreply at github.com Sun May 19 18:14:59 2019
From: noreply at github.com (Luke Howard)
Date: Sun, 19 May 2019 09:14:59 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 58a28c: krb5: remove duplicate KRB5_ANON_MATCH_xxx defines
Message-ID:

Branch: refs/heads/heimdal-7-1-branch
Home: https://github.com/heimdal/heimdal
Commit: 58a28ca5197e2024b37afa6bd3ddc2f4fc2beba5
https://github.com/heimdal/heimdal/commit/58a28ca5197e2024b37afa6bd3ddc2f4fc2beba5
Author: Luke Howard
Date: 2019-05-19 (Sun, 19 May 2019)

Changed paths:
M lib/krb5/krb5_locl.h

Log Message:
-----------
krb5: remove duplicate KRB5_ANON_MATCH_xxx defines

Commit bdcd7d2f moved the KRB5_ANON_MATCH_xxx preprocessor symbols to krb5.h, but did not remove the originals from krb5_locl.h. This commit removes them.

(cherry picked from commit dc791c8fcfb8f61fe0d0a14307a6a6cf999a13b7)

Change-Id: Ia24d4b1467c6547a9748325c9632d1df5add563c

Commit: 67c4829891f4c6434a829f9eff92c41845a6d81d
https://github.com/heimdal/heimdal/commit/67c4829891f4c6434a829f9eff92c41845a6d81d
Author: Luke Howard
Date: 2019-05-19 (Sun, 19 May 2019)

Changed paths:
M kdc/kerberos5.c
M kdc/krb5tgs.c

Log Message:
-----------
kdc: use actual client princ for KRB5SignedPath

When generating KRB5SignedPath in the AS, use the reply client name rather than the one from the request, so validation will work correctly in the TGS.
(cherry picked from commit c634146b14be9746d70d6a448e9bb2dd6f518c44)

Commit: d931cb316b998be255876d9a8738b9bd9d42cd0b
https://github.com/heimdal/heimdal/commit/d931cb316b998be255876d9a8738b9bd9d42cd0b
Author: Luke Howard
Date: 2019-05-19 (Sun, 19 May 2019)

Changed paths:
M lib/krb5/init_creds.c
M lib/krb5/krb5_locl.h
M lib/krb5/pkinit.c

Log Message:
-----------
krb5: don't require krbtgt otherName match for Win2K

Merged from Apple branch: when the Win2K PKINIT compatibility option is set, do not require krbtgt otherName to match when validating KDC certificate.

(cherry picked from commit 8350f34a05ba2cbc1ead0214eb85352f8e7805ef)

Commit: 64c77f60dfcebb87d1d293430062b353c22e8738
https://github.com/heimdal/heimdal/commit/64c77f60dfcebb87d1d293430062b353c22e8738
Author: Luke Howard
Date: 2019-05-19 (Sun, 19 May 2019)

Changed paths:
M lib/krb5/pkinit.c

Log Message:
-----------
krb5: set PKINIT_BTMM flag per Apple implementation

(cherry picked from commit fd209c5dca89e599f24a853cc9e9a55dc2d04f4c)

Compare: https://github.com/heimdal/heimdal/compare/61c5d273ca07...64c77f60dfce

From noreply at github.com Sun May 19 18:15:02 2019
From: noreply at github.com (Jeffrey Altman)
Date: Sun, 19 May 2019 09:15:02 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

Branch: refs/heads/jaltman/heimdal-7.6-fixes
Home: https://github.com/heimdal/heimdal

From noreply at github.com Mon May 20 14:30:26 2019
From: noreply at github.com (Isaac Boukris)
Date: Mon, 20 May 2019 05:30:26 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 979355: kdc: allow checksum of PA-FOR-USER to be HMAC_MD5
Message-ID:

Branch: refs/heads/heimdal-7-1-branch
Home: https://github.com/heimdal/heimdal
Commit: 9793551bb919d0dc6b41d9d6b80356f44d82ac9e
https://github.com/heimdal/heimdal/commit/9793551bb919d0dc6b41d9d6b80356f44d82ac9e
Author: Isaac Boukris
Date: 2019-05-20 (Mon, 20 May 2019)

Changed paths:
M kdc/krb5tgs.c
M lib/krb5/libkrb5-exports.def.in
M lib/krb5/version-script.map
M tests/kdc/check-kdc.in

Log Message:
-----------
kdc: allow checksum of PA-FOR-USER to be HMAC_MD5 even if tgt used an enctype with a different checksum.

Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is always HMAC_MD5, and that's what Windows and MIT clients send. In heimdal both the client and kdc use instead the checksum of the tgt, and therefore work with each other, but windows and MIT clients fail against heimdal KDC. Both Windows and MIT KDC would allow any keyed checksum to be used, so Heimdal clients work fine against them.

Change Heimdal KDC to allow HMAC_MD5 even for non RC4 based tgt in order to support per-spec clients.

Back ported from master, commit: b7fe0fb85a780fed3c54ed2539fc974db1884dc2

Signed-off-by: Isaac Boukris

From noreply at github.com Tue May 21 08:00:22 2019
From: noreply at github.com (Luke Howard)
Date: Mon, 20 May 2019 23:00:22 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] d89b5c: kuser: allow kinit to renew anonymous PKINIT tickets
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: d89b5cb966c41015fad524027107dd2d241b44e8
https://github.com/heimdal/heimdal/commit/d89b5cb966c41015fad524027107dd2d241b44e8
Author: Luke Howard
Date: 2019-05-21 (Tue, 21 May 2019)

Changed paths:
M kuser/kinit.c
M tests/kdc/check-kdc.in

Log Message:
-----------
kuser: allow kinit to renew anonymous PKINIT tickets

Anonymous PKINIT tickets discard the realm information used to locate the issuing AS. Store the issuing realm in the credentials cache in order to locate a KDC which can renew them.
From noreply at github.com Tue May 21 08:23:51 2019
From: noreply at github.com (Luke Howard)
Date: Mon, 20 May 2019 23:23:51 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] af8ade: kuser: allow kinit to renew anonymous PKINIT tickets
Message-ID:

Branch: refs/heads/jaltman/heimdal-7.6-fixes
Home: https://github.com/heimdal/heimdal
Commit: af8ade02bb437446b85b668ec2fc00ddd2aa6c93
https://github.com/heimdal/heimdal/commit/af8ade02bb437446b85b668ec2fc00ddd2aa6c93
Author: Luke Howard
Date: 2019-05-21 (Tue, 21 May 2019)

Changed paths:
M kuser/kinit.c
M tests/kdc/check-kdc.in

Log Message:
-----------
kuser: allow kinit to renew anonymous PKINIT tickets

Anonymous PKINIT tickets discard the realm information used to locate the issuing AS. Store the issuing realm in the credentials cache in order to locate a KDC which can renew them.

(cherry picked from commit d89b5cb966c41015fad524027107dd2d241b44e8)

From noreply at github.com Tue May 21 15:05:36 2019
From: noreply at github.com (Luke Howard)
Date: Tue, 21 May 2019 06:05:36 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 4b2c3e: kuser: allow kinit to renew anonymous PKINIT tickets
Message-ID:

Branch: refs/heads/heimdal-7-1-branch
Home: https://github.com/heimdal/heimdal
Commit: 4b2c3ea03277a42ff7d424e634213d15913229e2
https://github.com/heimdal/heimdal/commit/4b2c3ea03277a42ff7d424e634213d15913229e2
Author: Luke Howard
Date: 2019-05-21 (Tue, 21 May 2019)

Changed paths:
M kuser/kinit.c
M tests/kdc/check-kdc.in

Log Message:
-----------
kuser: allow kinit to renew anonymous PKINIT tickets

Anonymous PKINIT tickets discard the realm information used to locate the issuing AS. Store the issuing realm in the credentials cache in order to locate a KDC which can renew them.
(cherry picked from commit d89b5cb966c41015fad524027107dd2d241b44e8)

From noreply at github.com Tue May 21 15:05:46 2019
From: noreply at github.com (Jeffrey Altman)
Date: Tue, 21 May 2019 06:05:46 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

Branch: refs/heads/jaltman/heimdal-7.6-fixes
Home: https://github.com/heimdal/heimdal

From noreply at github.com Wed May 22 04:20:16 2019
From: noreply at github.com (Jeffrey Altman)
Date: Tue, 21 May 2019 19:20:16 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 22cf04: lib/krb5: krb5.h missing KRB5_LIB_CALL definition
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 22cf04fdaff4c6d23ec1ea16004d8971404712a9
https://github.com/heimdal/heimdal/commit/22cf04fdaff4c6d23ec1ea16004d8971404712a9
Author: Jeffrey Altman
Date: 2019-05-21 (Tue, 21 May 2019)

Changed paths:
M lib/krb5/krb5.h

Log Message:
-----------
lib/krb5: krb5.h missing KRB5_LIB_CALL definition

KRB5_LIB_CALL must be defined for out of tree users.

Change-Id: I10a02fdca3ed64093fabd8d391761448b9c480a5

Commit: cc2070dbc8dd9a1c0bdff90930c2165b82dcef10
https://github.com/heimdal/heimdal/commit/cc2070dbc8dd9a1c0bdff90930c2165b82dcef10
Author: Jeffrey Altman
Date: 2019-05-21 (Tue, 21 May 2019)

Changed paths:
M lib/krb5/krb5.h

Log Message:
-----------
lib/krb5: fix krb5_get_instance_func_t prototype

KRB5_LIB_CALL not KRB5_CALLCONV

Change-Id: I31b8750d63849c2f5cce49642a63fd66e7fa1a32

Commit: 32fe791c2e6756de724864cbab8561cf50a1889d
https://github.com/heimdal/heimdal/commit/32fe791c2e6756de724864cbab8561cf50a1889d
Author: Jeffrey Altman
Date: 2019-05-21 (Tue, 21 May 2019)

Changed paths:
M lib/krb5/plugin.c

Log Message:
-----------
lib/krb5: common plugin only fallback if load_fn() fails

Only fallback to loading the plugin function table directly if the initialization function is not exported. Failing a consistency check should not permit falling back to a potentially incompatible function table.
Change-Id: Ic753ed9a090aef6073853f7309f0f8f0f29d0aa9

Commit: df78c88cc032d5e4fd8f1c7fb238b993eb529ca3
https://github.com/heimdal/heimdal/commit/df78c88cc032d5e4fd8f1c7fb238b993eb529ca3
Author: Jeffrey Altman
Date: 2019-05-21 (Tue, 21 May 2019)

Changed paths:
M lib/krb5/plugin.c

Log Message:
-----------
lib/krb5: common_plugin_ftable_desc funcs KRB5_LIB_CALL

As with the krb5plugin_an2ln_ftable_desc, krb5plugin_db_ftable_desc, and krb5plugin_kuserok_ftable_desc, the function pointers in common_plugin_ftable_desc must be annotated with KRB5_LIB_CALL.

Change-Id: Ia7ea78743ee9eb8c7f6b648063852ca91a360d2c

Commit: ac6fa4cadc2bded960319a8da7be4194b50580c5
https://github.com/heimdal/heimdal/commit/ac6fa4cadc2bded960319a8da7be4194b50580c5
Author: Jeffrey Altman
Date: 2019-05-21 (Tue, 21 May 2019)

Changed paths:
M lib/krb5/ccache_plugin.h
A lib/krb5/common_plugin.h
M lib/krb5/plugin.c

Log Message:
-----------
lib/krb5: prepare to make common plugins public

Rename common_plugin_ftable to krb5_plugin_common_ftable. Create lib/krb5/common_plugin.h to include the structure and typedef. The common_plugin.h header is now included by ccache_plugin.h along with a prototype for the required ccache_ops_plugin_load() function.

Change-Id: I2b27d6d0f5cf0544482c3f01784fef945e12e8d8

Commit: 434b34d71c39820b4e2415dca646a39bee1086fb
https://github.com/heimdal/heimdal/commit/434b34d71c39820b4e2415dca646a39bee1086fb
Author: Jeffrey Altman
Date: 2019-05-21 (Tue, 21 May 2019)

Changed paths:
M lib/krb5/ccache_plugin.h
M lib/krb5/common_plugin.h
M lib/krb5/plugin.c

Log Message:
-----------
lib/krb5: prevent build failures of krb5_plugin_common on Windows

The Microsoft compiler cannot handle multiple const modifiers for the same type. It is also unhappy with the output pointer parameter being declared const. This change introduces new typedefs and a cast of the dlsym() return type to prevent warnings.
Change-Id: Ia92645efab8d2ec6745339a6f47c690782ae730a

Commit: b276d139efbfc8483709a62b9d4311bbd3c9f7c1
https://github.com/heimdal/heimdal/commit/b276d139efbfc8483709a62b9d4311bbd3c9f7c1
Author: Jeffrey Altman
Date: 2019-05-21 (Tue, 21 May 2019)

Changed paths:
M lib/krb5/Makefile.am
M lib/krb5/NTMakefile

Log Message:
-----------
lib/krb5: add plugin headers to Makefiles

Change-Id: I6701035da2e7ff3f83feee6cbb4921e5bd5dfd75

Compare: https://github.com/heimdal/heimdal/compare/d89b5cb966c4...b276d139efbf

From noreply at github.com Wed May 22 04:20:20 2019
From: noreply at github.com (Jeffrey Altman)
Date: Tue, 21 May 2019 19:20:20 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

Branch: refs/heads/jaltman/plugin-fixes
Home: https://github.com/heimdal/heimdal

From noreply at github.com Wed May 22 06:05:18 2019
From: noreply at github.com (Luke Howard)
Date: Tue, 21 May 2019 21:05:18 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 3138c1: kuser: plug leak in kinit anonymous PKINIT renew
Message-ID:

Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 3138c1836c770621347ef0f9a16e5ffb87d464b3
https://github.com/heimdal/heimdal/commit/3138c1836c770621347ef0f9a16e5ffb87d464b3
Author: Luke Howard
Date: 2019-05-22 (Wed, 22 May 2019)

Changed paths:
M kuser/kinit.c

Log Message:
-----------
kuser: plug leak in kinit anonymous PKINIT renew

Do not leak the result of krb5_cc_get_config() when determining anonymous PKINIT start realm.

From noreply at github.com Wed May 22 06:43:38 2019
From: noreply at github.com (Luke Howard)
Date: Tue, 21 May 2019 21:43:38 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] eacfcd: kuser: use anon_pkinit_realm instead of anon-pkini...
Message-ID: Branch: refs/heads/master Home: https://github.com/heimdal/heimdal Commit: eacfcd5ce1a36087078d96dfe7070cd16e0938db https://github.com/heimdal/heimdal/commit/eacfcd5ce1a36087078d96dfe7070cd16e0938db Author: Luke Howard Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M kuser/kinit.c Log Message: ----------- kuser: use anon_pkinit_realm instead of anon-pkinit-realm MIT prefers underscores in ccache configuration file keys, so in the interest of future interoperability use anon_pkinit_realm instead of anon-pkinit-realm when storing the anonymous PKINIT TGS realm. From noreply at github.com Wed May 22 06:48:58 2019 From: noreply at github.com (Luke Howard) Date: Tue, 21 May 2019 21:48:58 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] acca76: kuser: plug leak in kinit anonymous PKINIT renew Message-ID: Branch: refs/heads/jaltman/heimdal-7-pullups Home: https://github.com/heimdal/heimdal Commit: acca7631b16d0290dccf107c13a6b09d17a3126d https://github.com/heimdal/heimdal/commit/acca7631b16d0290dccf107c13a6b09d17a3126d Author: Luke Howard Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M kuser/kinit.c Log Message: ----------- kuser: plug leak in kinit anonymous PKINIT renew Do not leak the result of krb5_cc_get_config() when determining anonymous PKINIT start realm. (cherry picked from commit 3138c1836c770621347ef0f9a16e5ffb87d464b3) Commit: 5161093224b40f7aa302cddcfeeb5767e69a9be0 https://github.com/heimdal/heimdal/commit/5161093224b40f7aa302cddcfeeb5767e69a9be0 Author: Luke Howard Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M kuser/kinit.c Log Message: ----------- kuser: use anon_pkinit_realm instead of anon-pkinit-realm MIT prefers underscores in ccache configuration file keys, so in the interest of future interoperability use anon_pkinit_realm instead of anon-pkinit-realm when storing the anonymous PKINIT TGS realm. 
(cherry picked from commit eacfcd5ce1a36087078d96dfe7070cd16e0938db) Compare: https://github.com/heimdal/heimdal/compare/acca7631b16d%5E...5161093224b4 From noreply at github.com Wed May 22 15:35:19 2019 From: noreply at github.com (Luke Howard) Date: Wed, 22 May 2019 06:35:19 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] dc81aa: kuser: plug leak in kinit anonymous PKINIT renew Message-ID: Branch: refs/heads/heimdal-7-1-branch Home: https://github.com/heimdal/heimdal Commit: dc81aa0f966b4f1e2853e9af1e90eaf990cf42ae https://github.com/heimdal/heimdal/commit/dc81aa0f966b4f1e2853e9af1e90eaf990cf42ae Author: Luke Howard Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M kuser/kinit.c Log Message: ----------- kuser: plug leak in kinit anonymous PKINIT renew Do not leak the result of krb5_cc_get_config() when determining anonymous PKINIT start realm. (cherry picked from commit 3138c1836c770621347ef0f9a16e5ffb87d464b3) Commit: 224428452903b85781a1a49d89a5f00e279824ba https://github.com/heimdal/heimdal/commit/224428452903b85781a1a49d89a5f00e279824ba Author: Luke Howard Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M kuser/kinit.c Log Message: ----------- kuser: use anon_pkinit_realm instead of anon-pkinit-realm MIT prefers underscores in ccache configuration file keys, so in the interest of future interoperability use anon_pkinit_realm instead of anon-pkinit-realm when storing the anonymous PKINIT TGS realm. 
(cherry picked from commit eacfcd5ce1a36087078d96dfe7070cd16e0938db) Compare: https://github.com/heimdal/heimdal/compare/4b2c3ea03277...224428452903 From noreply at github.com Wed May 22 15:35:43 2019 From: noreply at github.com (Jeffrey Altman) Date: Wed, 22 May 2019 13:35:43 +0000 (UTC) Subject: [Heimdal-source-changes] [heimdal/heimdal] Message-ID: Branch: refs/heads/jaltman/heimdal-7-pullups Home: https://github.com/heimdal/heimdal From noreply at github.com Wed May 22 15:37:50 2019 From: noreply at github.com (Jeffrey Altman) Date: Wed, 22 May 2019 06:37:50 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] Message-ID: Branch: refs/heads/jaltman/krb5_principal_is_anonymous Home: https://github.com/heimdal/heimdal From noreply at github.com Wed May 22 15:48:01 2019 From: noreply at github.com (Rod Widdowson) Date: Wed, 22 May 2019 13:48:01 +0000 (UTC) Subject: [Heimdal-source-changes] [heimdal/heimdal] e14363: Windows: Windows CRT doesn't support %k as format ... Message-ID: Branch: refs/heads/master Home: https://github.com/heimdal/heimdal Commit: e143639400c9d0cd5d383c1e790d4fb7beedf5d9 https://github.com/heimdal/heimdal/commit/e143639400c9d0cd5d383c1e790d4fb7beedf5d9 Author: Rod Widdowson Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M include/config.h.w32 M lib/roken/NTMakefile Log Message: ----------- Windows: Windows CRT doesn't support %k as format for strftime The fix involves: - Removing HAVE_STRFTIME from config.h.w32 - Adding strftime.c to the makefile - Defining timezone and tzname to their windows equivalent for the compile of this module From noreply at github.com Wed May 22 18:04:16 2019 From: noreply at github.com (Nico Williams) Date: Wed, 22 May 2019 09:04:16 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] fc042f: klist: display all known flags when listing tickets Message-ID: Branch: refs/heads/jaltman/heimdal-7.x-pullups Home: https://github.com/heimdal/heimdal Commit: fc042f9646fdaad63d3c55f5db6c6d1ae757cfc4 
https://github.com/heimdal/heimdal/commit/fc042f9646fdaad63d3c55f5db6c6d1ae757cfc4 Author: Luke Howard Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M kuser/klist.c Log Message: ----------- klist: display all known flags when listing tickets Show transited-policy-checked, ok-as-delegate and anonymous flags when listing credentials. (cherry picked from commit a7bb4504f2f3dfb276f8aa154858f46ed1063011) Commit: 952fa458961d4f1a0240a2d49a19539c194b69ac https://github.com/heimdal/heimdal/commit/952fa458961d4f1a0240a2d49a19539c194b69ac Author: Nicolas Williams Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M kadmin/load.c Log Message: ----------- Disable sync during kadmin load (cherry picked from commit 7d5f8bb051ca84592d1196bf5d5522da5a50f9d6) Change-Id: I1fb60d697a4f80be1336dd0980f0758eb6436bbb Compare: https://github.com/heimdal/heimdal/compare/fc042f9646fd%5E...952fa458961d From noreply at github.com Wed May 22 18:43:49 2019 From: noreply at github.com (Nico Williams) Date: Wed, 22 May 2019 09:43:49 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] 5cda8b: Add hdb_set_sync() method Message-ID: Branch: refs/heads/jaltman/heimdal-7.x-pullups Home: https://github.com/heimdal/heimdal Commit: 5cda8b61aa47105e2713f0a4f7037540d0eca638 https://github.com/heimdal/heimdal/commit/5cda8b61aa47105e2713f0a4f7037540d0eca638 Author: Nicolas Williams Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M lib/hdb/db.c M lib/hdb/db3.c M lib/hdb/hdb-ldap.c M lib/hdb/hdb-mdb.c M lib/hdb/hdb-mitdb.c M lib/hdb/hdb-sqlite.c M lib/hdb/hdb.h Log Message: ----------- Add hdb_set_sync() method (cherry picked from commit 5bcbe2125b18160f6ad348b15f8036ffedc15770) Commit: 8cc8c37f3f664d8b71860d9a17d725763dca637e https://github.com/heimdal/heimdal/commit/8cc8c37f3f664d8b71860d9a17d725763dca637e Author: Nicolas Williams Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M lib/kadm5/ipropd_slave.c Log Message: ----------- Disable sync during iprop receive_everything() Doing an fsync 
per-record when receiving the complete HDB is a performance disaster. Among other things, if the HDB is very large, then one slave receiving a full HDB can cause other slaves to time out and, if HDB write activity is high enough to cause iprop log truncation, then also need full syncs, which leads to a cycle of full syncs for all slaves until HDB write activity drops. Allowing the iprop log to be larger helps, but improving receive_everything() performance helps even more. (cherry picked from commit 305dc816525f461f9bfe640d87f671f53f0e0fc6) Commit: 720bcd2b57e32ba22852c5f8d49c47a8e7d0a2ef https://github.com/heimdal/heimdal/commit/720bcd2b57e32ba22852c5f8d49c47a8e7d0a2ef Author: Nicolas Williams Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M kadmin/load.c Log Message: ----------- Disable sync during kadmin load (cherry picked from commit 7d5f8bb051ca84592d1196bf5d5522da5a50f9d6) Change-Id: I1fb60d697a4f80be1336dd0980f0758eb6436bbb Compare: https://github.com/heimdal/heimdal/compare/952fa458961d...720bcd2b57e3 From noreply at github.com Wed May 22 19:17:18 2019 From: noreply at github.com (Nico Williams) Date: Wed, 22 May 2019 10:17:18 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] d6eebc: Set def page size for HDB SQLite3 backend to 8KB Message-ID: Branch: refs/heads/jaltman/heimdal-7.x-pullups Home: https://github.com/heimdal/heimdal Commit: d6eebcac2230f7bd2674b3c4891e1ff8b8795438 https://github.com/heimdal/heimdal/commit/d6eebcac2230f7bd2674b3c4891e1ff8b8795438 Author: Nicolas Williams Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M lib/hdb/hdb-sqlite.c Log Message: ----------- Set def page size for HDB SQLite3 backend to 8KB (cherry picked from commit e3cc7dfb94826aa709a617fb8e59ab07db584f92) Commit: c555d4577f15b3a226afc5d0f9b8b28db651a108 https://github.com/heimdal/heimdal/commit/c555d4577f15b3a226afc5d0f9b8b28db651a108 Author: Nicolas Williams Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M lib/hdb/db.c M lib/hdb/db3.c M
lib/hdb/hdb-ldap.c M lib/hdb/hdb-mdb.c M lib/hdb/hdb-mitdb.c M lib/hdb/hdb-sqlite.c M lib/hdb/hdb.h Log Message: ----------- Add hdb_set_sync() method (cherry picked from commit 5bcbe2125b18160f6ad348b15f8036ffedc15770) Commit: d7f8575ec40e62a687fd53572c8c7eacd8292ba4 https://github.com/heimdal/heimdal/commit/d7f8575ec40e62a687fd53572c8c7eacd8292ba4 Author: Nicolas Williams Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M lib/kadm5/ipropd_slave.c Log Message: ----------- Disable sync during iprop receive_everything() Doing an fsync per-record when receiving the complete HDB is a performance disaster. Among other things, if the HDB is very large, then one slave receiving a full HDB can cause other slaves to time out and, if HDB write activity is high enough to cause iprop log truncation, then also need full syncs, which leads to a cycle of full syncs for all slaves until HDB write activity drops. Allowing the iprop log to be larger helps, but improving receive_everything() performance helps even more.
(cherry picked from commit 305dc816525f461f9bfe640d87f671f53f0e0fc6) Commit: 0286ef3626b7e7832bbf62d60143569118fad5a7 https://github.com/heimdal/heimdal/commit/0286ef3626b7e7832bbf62d60143569118fad5a7 Author: Nicolas Williams Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M kadmin/load.c Log Message: ----------- Disable sync during kadmin load (cherry picked from commit 7d5f8bb051ca84592d1196bf5d5522da5a50f9d6) Change-Id: I1fb60d697a4f80be1336dd0980f0758eb6436bbb Compare: https://github.com/heimdal/heimdal/compare/720bcd2b57e3...0286ef3626b7 From noreply at github.com Wed May 22 19:24:33 2019 From: noreply at github.com (Nico Williams) Date: Wed, 22 May 2019 10:24:33 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] c43cf1: use memset_s Message-ID: Branch: refs/heads/jaltman/heimdal-7.x-pullups Home: https://github.com/heimdal/heimdal Commit: c43cf121b7b76bd86f9670748f92a98a74e590bd https://github.com/heimdal/heimdal/commit/c43cf121b7b76bd86f9670748f92a98a74e590bd Author: Jeffrey Altman Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M appl/su/su.c M kadmin/cpw.c M kadmin/random_password.c M kuser/kinit.c M lib/gssapi/krb5/arcfour.c M lib/gssapi/krb5/get_mic.c M lib/gssapi/krb5/verify_mic.c M lib/gssapi/ntlm/init_sec_context.c M lib/hcrypto/md2.c M lib/hcrypto/rand-fortuna.c M lib/hdb/mkey.c M lib/hx509/ks_file.c M lib/krb5/crypto-arcfour.c M lib/krb5/crypto-des-common.c M lib/krb5/crypto-pk.c M lib/krb5/deprecated.c M lib/krb5/init_creds_pw.c M lib/krb5/kcm.c M lib/krb5/salt-des.c M lib/krb5/salt-des3.c M lib/ntlm/ntlm.c Log Message: ----------- use memset_s lib roken includes support for memset_s() but it was not applied to the Heimdal source tree. 
Change-Id: I8362ec97a9be50205bb2d398e65b629b88ce1acd (cherry picked from commit 93518bfab4e495bf4130be354464965e48a786c0) Commit: 071864decf30bd0b696c86972c7996f6c583df56 https://github.com/heimdal/heimdal/commit/071864decf30bd0b696c86972c7996f6c583df56 Author: Jeffrey Altman Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M kadmin/random_password.c M lib/krb5/salt-des3.c Log Message: ----------- fix calls to memset_s In random_password() and DES3_string_to_key(), do not call memset_s() with the sizeof a pointer. Change-Id: I7dd49b9f717e1cb5c262f2d375d2b85be82cd2db (cherry picked from commit 029d32580a3b04550ff736d8878d331dcfca864f) Commit: 85c914f5517967e7a9ea09f4883e8cc11e8c35c0 https://github.com/heimdal/heimdal/commit/85c914f5517967e7a9ea09f4883e8cc11e8c35c0 Author: Nicolas Williams Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M lib/hdb/hdb-sqlite.c Log Message: ----------- Set def page size for HDB SQLite3 backend to 8KB (cherry picked from commit e3cc7dfb94826aa709a617fb8e59ab07db584f92) Commit: 288d4f31284231f1c60152c36b7586b536ffd2f3 https://github.com/heimdal/heimdal/commit/288d4f31284231f1c60152c36b7586b536ffd2f3 Author: Nicolas Williams Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M lib/hdb/db.c M lib/hdb/db3.c M lib/hdb/hdb-ldap.c M lib/hdb/hdb-mdb.c M lib/hdb/hdb-mitdb.c M lib/hdb/hdb-sqlite.c M lib/hdb/hdb.h Log Message: ----------- Add hdb_set_sync() method (cherry picked from commit 5bcbe2125b18160f6ad348b15f8036ffedc15770) Commit: ede3e55b0d24fe6ace329685738ec111de202226 https://github.com/heimdal/heimdal/commit/ede3e55b0d24fe6ace329685738ec111de202226 Author: Nicolas Williams Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M lib/kadm5/ipropd_slave.c Log Message: ----------- Disable sync during iprop receive_everything() Doing an fsync per-record when receiving the complete HDB is a performance disaster. 
Among other things, if the HDB is very large, then one slave receiving a full HDB can cause other slaves to time out and, if HDB write activity is high enough to cause iprop log truncation, then also need full syncs, which leads to a cycle of full syncs for all slaves until HDB write activity drops. Allowing the iprop log to be larger helps, but improving receive_everything() performance helps even more. (cherry picked from commit 305dc816525f461f9bfe640d87f671f53f0e0fc6) Commit: 3c32a615b339032fd3e75cc570a5b95ad3e2eea6 https://github.com/heimdal/heimdal/commit/3c32a615b339032fd3e75cc570a5b95ad3e2eea6 Author: Nicolas Williams Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M kadmin/load.c Log Message: ----------- Disable sync during kadmin load (cherry picked from commit 7d5f8bb051ca84592d1196bf5d5522da5a50f9d6) Change-Id: I1fb60d697a4f80be1336dd0980f0758eb6436bbb Compare: https://github.com/heimdal/heimdal/compare/0286ef3626b7...3c32a615b339 From noreply at github.com Wed May 22 23:11:21 2019 From: noreply at github.com (Jeffrey Altman) Date: Wed, 22 May 2019 14:11:21 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] 68f5e2: hx509: replace time_t with int64_t for cert timest... Message-ID: Branch: refs/heads/jaltman/hx509-64-bit-time Home: https://github.com/heimdal/heimdal Commit: 68f5e27b4ea56c68df17f936b0cb3205a256a396 https://github.com/heimdal/heimdal/commit/68f5e27b4ea56c68df17f936b0cb3205a256a396 Author: Jeffrey Altman Date: 2019-05-22 (Wed, 22 May 2019) Changed paths: M lib/hx509/ca.c M lib/hx509/cert.c M lib/hx509/cms.c M lib/hx509/hx_locl.h M lib/hx509/hxtool.c M lib/hx509/print.c M lib/hx509/revoke.c Log Message: ----------- hx509: replace time_t with int64_t for cert timestamps On platforms with 32-bit time_t (e.g. Linux i386), certificates with timestamps later than 03:14:07 UTC on 19 January 2038 fail to be processed correctly.
Recent changes to include certificates in the test suite with 500 year lifetimes cause the test suite to fail on these platforms. This change replaces all use of time_t with int64_t to permit uniform processing of certificate timestamps on all platforms. Change-Id: I8ada6392478f39862c62d5b6490682b026e49261 From noreply at github.com Thu May 23 19:24:42 2019 From: noreply at github.com (Quanah Gibson-Mount) Date: Thu, 23 May 2019 10:24:42 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] 8ed97b: Regenerate certs so that they expire before the 20... Message-ID: Branch: refs/heads/heimdal-7-1-branch Home: https://github.com/heimdal/heimdal Commit: 8ed97b8583e000288b40a14efb901cbaf4c5d5c7 https://github.com/heimdal/heimdal/commit/8ed97b8583e000288b40a14efb901cbaf4c5d5c7 Author: Quanah Gibson-Mount Date: 2019-05-23 (Thu, 23 May 2019) Changed paths: M lib/hx509/data/ca.crt M lib/hx509/data/ca.key M lib/hx509/data/crl1.crl M lib/hx509/data/crl1.der M lib/hx509/data/https.crt M lib/hx509/data/https.key M lib/hx509/data/kdc.crt M lib/hx509/data/kdc.key M lib/hx509/data/no-proxy-test.crt M lib/hx509/data/no-proxy-test.key M lib/hx509/data/ocsp-req1.der M lib/hx509/data/ocsp-req2.der M lib/hx509/data/ocsp-resp1-ca.der M lib/hx509/data/ocsp-resp1-keyhash.der M lib/hx509/data/ocsp-resp1-ocsp-no-cert.der M lib/hx509/data/ocsp-resp1-ocsp.der M lib/hx509/data/ocsp-resp2.der M lib/hx509/data/ocsp-responder.crt M lib/hx509/data/ocsp-responder.key M lib/hx509/data/pkinit-ec.crt M lib/hx509/data/pkinit-ec.key M lib/hx509/data/pkinit-proxy-chain.crt M lib/hx509/data/pkinit-proxy.crt M lib/hx509/data/pkinit-proxy.key M lib/hx509/data/pkinit-pw.key M lib/hx509/data/pkinit.crt M lib/hx509/data/pkinit.key M lib/hx509/data/proxy-level-test.crt M lib/hx509/data/proxy-level-test.key M lib/hx509/data/proxy-test.crt M lib/hx509/data/proxy-test.key M lib/hx509/data/proxy10-child-child-test.crt M lib/hx509/data/proxy10-child-child-test.key M lib/hx509/data/proxy10-child-test.crt M 
lib/hx509/data/proxy10-child-test.key M lib/hx509/data/proxy10-test.crt M lib/hx509/data/proxy10-test.key M lib/hx509/data/revoke.crt M lib/hx509/data/revoke.key M lib/hx509/data/sub-ca.crt M lib/hx509/data/sub-ca.key M lib/hx509/data/sub-cert.crt M lib/hx509/data/sub-cert.key M lib/hx509/data/sub-cert.p12 M lib/hx509/data/test-ds-only.crt M lib/hx509/data/test-ds-only.key M lib/hx509/data/test-enveloped-aes-128 M lib/hx509/data/test-enveloped-aes-256 M lib/hx509/data/test-enveloped-des M lib/hx509/data/test-enveloped-des-ede3 M lib/hx509/data/test-enveloped-rc2-128 M lib/hx509/data/test-enveloped-rc2-40 M lib/hx509/data/test-enveloped-rc2-64 M lib/hx509/data/test-ke-only.crt M lib/hx509/data/test-ke-only.key M lib/hx509/data/test-nopw.p12 M lib/hx509/data/test-pw.key M lib/hx509/data/test-signed-data M lib/hx509/data/test-signed-data-noattr M lib/hx509/data/test-signed-data-noattr-nocerts M lib/hx509/data/test-signed-sha-1 M lib/hx509/data/test-signed-sha-256 M lib/hx509/data/test-signed-sha-512 M lib/hx509/data/test.combined.crt M lib/hx509/data/test.crt M lib/hx509/data/test.key M lib/hx509/data/test.p12 Log Message: ----------- Regenerate certs so that they expire before the 2038 armageddon so the test suite will pass on 32-bit operating systems until the underlying issues can be resolved. 
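The 2038 failure mode behind the two messages above (the hx509 int64_t change and the regenerated test certificates), as an added example that is not Heimdal code: X.509 Time values are parsed straight into int64_t with no dependency on the platform's time_t, and the validity-window check is run twice, once on the 64-bit values and once on the values a 32-bit time_t would hold. The function names, the civil-date arithmetic (Howard Hinnant's days_from_civil) and the certificate dates are this example's own constructions, not hx509's.

```c
/*
 * Added example, not Heimdal code: why certificate timestamps must not be
 * narrowed to a 32-bit time_t. Helper names are hypothetical; the dates
 * below are constructed test inputs.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TIME_PARSE_ERROR INT64_MIN   /* sentinel for malformed input */

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's
 * days_from_civil), in 64-bit arithmetic so any year is representable. */
static int64_t days_from_civil(int64_t y, unsigned m, unsigned d)
{
    y -= (m <= 2);
    const int64_t era = (y >= 0 ? y : y - 399) / 400;
    const unsigned yoe = (unsigned)(y - era * 400);                 /* [0, 399] */
    const unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    const unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;    /* [0, 146096] */
    return era * 146097 + (int64_t)doe - 719468;
}

static unsigned digits(const char *p, int n)
{
    unsigned v = 0;
    while (n-- > 0)
        v = v * 10 + (unsigned)(*p++ - '0');
    return v;
}

/* Parse an X.509 Time (RFC 5280 4.1.2.5): UTCTime "YYMMDDHHMMSSZ" with the
 * 1950/2049 century pivot, or GeneralizedTime "YYYYMMDDHHMMSSZ".
 * Returns seconds since the epoch as int64_t, or TIME_PARSE_ERROR. */
static int64_t x509_time_to_epoch(const char *s)
{
    size_t len = strlen(s), i;
    const char *p = s;
    int64_t year;
    unsigned mon, day, hh, mm, ss;

    if (len != 13 && len != 15)
        return TIME_PARSE_ERROR;
    for (i = 0; i + 1 < len; i++)
        if (!isdigit((unsigned char)s[i]))
            return TIME_PARSE_ERROR;
    if (s[len - 1] != 'Z')
        return TIME_PARSE_ERROR;

    if (len == 15) {
        year = digits(p, 4);
        p += 4;
    } else {
        unsigned yy = digits(p, 2);
        p += 2;
        year = yy >= 50 ? 1900 + yy : 2000 + yy;   /* RFC 5280 pivot */
    }
    mon = digits(p, 2); day = digits(p + 2, 2); hh = digits(p + 4, 2);
    mm  = digits(p + 6, 2); ss  = digits(p + 8, 2);
    if (mon < 1 || mon > 12 || day < 1 || day > 31 || hh > 23 || mm > 59 || ss > 59)
        return TIME_PARSE_ERROR;
    return days_from_civil(year, mon, day) * 86400 + hh * 3600 + mm * 60 + ss;
}

/* Reduce x modulo 2^32 into the int32_t range: the value a 32-bit time_t
 * ends up holding when an int64_t timestamp is stored into it. */
static int64_t wrap32(int64_t x)
{
    uint32_t u = (uint32_t)x;                    /* well-defined: modulo 2^32 */
    return u > (uint32_t)INT32_MAX ? (int64_t)u - 4294967296LL : (int64_t)u;
}

/* Validity window check on 64-bit timestamps: correct for any year. */
static int cert_time_valid64(int64_t now, int64_t not_before, int64_t not_after)
{
    return now >= not_before && now <= not_after;
}

/* The same check after the timestamps have passed through a 32-bit time_t
 * (e.g. Linux i386): a notAfter past 2038-01-19T03:14:07Z wraps, and the
 * certificate is judged expired (or not yet valid). */
static int cert_time_valid32(int64_t now, int64_t not_before, int64_t not_after)
{
    return cert_time_valid64(wrap32(now), wrap32(not_before), wrap32(not_after));
}

int main(void)
{
    /* Constructed inputs: a cert issued 2019-05-23 with a 500-year lifetime. */
    int64_t nb  = x509_time_to_epoch("20190523000000Z");
    int64_t na  = x509_time_to_epoch("25190101000000Z");
    int64_t now = x509_time_to_epoch("20190524000000Z");

    printf("notAfter=%lld (a 32-bit time_t holds %lld)\n",
           (long long)na, (long long)wrap32(na));
    printf("valid with int64_t: %d, with 32-bit time_t: %d\n",
           cert_time_valid64(now, nb, na), cert_time_valid32(now, nb, na));
    return 0;
}
```

Keeping the parsed value in int64_t is only half of the fix: every comparison against "now" and every store into a struct field has to stay 64-bit too, which is why the commit above touches ca.c, cert.c, cms.c, print.c and revoke.c rather than one parser.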
From noreply at github.com Thu May 23 19:45:13 2019 From: noreply at github.com (Nico Williams) Date: Thu, 23 May 2019 10:45:13 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] 618a30: klist: display all known flags when listing tickets Message-ID: Branch: refs/heads/jaltman/heimdal-7.x-pullups Home: https://github.com/heimdal/heimdal Commit: 618a308646edc04bbfffad470b8a25f087e0f996 https://github.com/heimdal/heimdal/commit/618a308646edc04bbfffad470b8a25f087e0f996 Author: Luke Howard Date: 2019-05-23 (Thu, 23 May 2019) Changed paths: M kuser/klist.c Log Message: ----------- klist: display all known flags when listing tickets Show transited-policy-checked, ok-as-delegate and anonymous flags when listing credentials. (cherry picked from commit a7bb4504f2f3dfb276f8aa154858f46ed1063011) Commit: 1fe4a3883cb3cbeedc72c0f5e2ed7ac9189ab49b https://github.com/heimdal/heimdal/commit/1fe4a3883cb3cbeedc72c0f5e2ed7ac9189ab49b Author: Jeffrey Altman Date: 2019-05-23 (Thu, 23 May 2019) Changed paths: M appl/su/su.c M kadmin/cpw.c M kadmin/random_password.c M kuser/kinit.c M lib/gssapi/krb5/arcfour.c M lib/gssapi/krb5/get_mic.c M lib/gssapi/krb5/verify_mic.c M lib/gssapi/ntlm/init_sec_context.c M lib/hcrypto/md2.c M lib/hcrypto/rand-fortuna.c M lib/hdb/mkey.c M lib/hx509/ks_file.c M lib/krb5/crypto-arcfour.c M lib/krb5/crypto-des-common.c M lib/krb5/crypto-pk.c M lib/krb5/deprecated.c M lib/krb5/init_creds_pw.c M lib/krb5/kcm.c M lib/krb5/salt-des.c M lib/krb5/salt-des3.c M lib/ntlm/ntlm.c Log Message: ----------- use memset_s lib roken includes support for memset_s() but it was not applied to the Heimdal source tree. 
Change-Id: I8362ec97a9be50205bb2d398e65b629b88ce1acd (cherry picked from commit 93518bfab4e495bf4130be354464965e48a786c0) Commit: dce3c1349047d78b072517b05822b29ccdcbea09 https://github.com/heimdal/heimdal/commit/dce3c1349047d78b072517b05822b29ccdcbea09 Author: Jeffrey Altman Date: 2019-05-23 (Thu, 23 May 2019) Changed paths: M kadmin/random_password.c M lib/krb5/salt-des3.c Log Message: ----------- fix calls to memset_s In random_password() and DES3_string_to_key(), do not call memset_s() with the sizeof a pointer. Change-Id: I7dd49b9f717e1cb5c262f2d375d2b85be82cd2db (cherry picked from commit 029d32580a3b04550ff736d8878d331dcfca864f) Commit: 9eeaa0a149871bef3c4139245ba427c8f8e506e7 https://github.com/heimdal/heimdal/commit/9eeaa0a149871bef3c4139245ba427c8f8e506e7 Author: Nicolas Williams Date: 2019-05-23 (Thu, 23 May 2019) Changed paths: M lib/hdb/hdb-sqlite.c Log Message: ----------- Set def page size for HDB SQLite3 backend to 8KB (cherry picked from commit e3cc7dfb94826aa709a617fb8e59ab07db584f92) Commit: 7829cb97b231a55526648b5d1c1de83d41e53861 https://github.com/heimdal/heimdal/commit/7829cb97b231a55526648b5d1c1de83d41e53861 Author: Nicolas Williams Date: 2019-05-23 (Thu, 23 May 2019) Changed paths: M lib/hdb/db.c M lib/hdb/db3.c M lib/hdb/hdb-ldap.c M lib/hdb/hdb-mdb.c M lib/hdb/hdb-mitdb.c M lib/hdb/hdb-sqlite.c M lib/hdb/hdb.h Log Message: ----------- Add hdb_set_sync() method (cherry picked from commit 5bcbe2125b18160f6ad348b15f8036ffedc15770) Commit: 27cb77466f9cb93bf7c52e4bd1c02358492daf04 https://github.com/heimdal/heimdal/commit/27cb77466f9cb93bf7c52e4bd1c02358492daf04 Author: Nicolas Williams Date: 2019-05-23 (Thu, 23 May 2019) Changed paths: M lib/kadm5/ipropd_slave.c Log Message: ----------- Disable sync during iprop receive_everything() Doing an fsync per-record when receiving the complete HDB is a performance disaster. 
Among other things, if the HDB is very large, then one slave receiving a full HDB can cause other slaves to time out and, if HDB write activity is high enough to cause iprop log truncation, then also need full syncs, which leads to a cycle of full syncs for all slaves until HDB write activity drops. Allowing the iprop log to be larger helps, but improving receive_everything() performance helps even more. (cherry picked from commit 305dc816525f461f9bfe640d87f671f53f0e0fc6) Commit: b9b985fc3fd3ec5dc99bd2268a75524c695df243 https://github.com/heimdal/heimdal/commit/b9b985fc3fd3ec5dc99bd2268a75524c695df243 Author: Nicolas Williams Date: 2019-05-23 (Thu, 23 May 2019) Changed paths: M kadmin/load.c Log Message: ----------- Disable sync during kadmin load (cherry picked from commit 7d5f8bb051ca84592d1196bf5d5522da5a50f9d6) Change-Id: I1fb60d697a4f80be1336dd0980f0758eb6436bbb Compare: https://github.com/heimdal/heimdal/compare/3c32a615b339...b9b985fc3fd3 From noreply at github.com Fri May 24 01:05:13 2019 From: noreply at github.com (Jeffrey Altman) Date: Thu, 23 May 2019 16:05:13 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] dc46b1: solaris: Define _STDC_C11_BCI for memset_s prototype Message-ID: Branch: refs/heads/master Home: https://github.com/heimdal/heimdal Commit: dc46b1f82d89912965a6bf5d86291884069d3007 https://github.com/heimdal/heimdal/commit/dc46b1f82d89912965a6bf5d86291884069d3007 Author: Jeffrey Altman Date: 2019-05-23 (Thu, 23 May 2019) Changed paths: M cf/sunos.m4 Log Message: ----------- solaris: Define _STDC_C11_BCI for memset_s prototype On Solaris, the memset_s() prototype is only visible if _STDC_C11_BCI is defined. 93518bfab4e495bf4130be354464965e48a786c0 ("use memset_s") introduced warnings on Solaris warning: implicit declaration of function ‘memset_s’; did you mean ‘memset’?
[-Wimplicit-function-declaration] Change-Id: Ia02db5e96021a26fb30aa1a593ef6a2b3e3a5b5f From noreply at github.com Fri May 24 01:06:05 2019 From: noreply at github.com (Jeffrey Altman) Date: Thu, 23 May 2019 16:06:05 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] f3b74d: solaris: Define _STDC_C11_BCI for memset_s prototype Message-ID: Branch: refs/heads/heimdal-7-1-branch Home: https://github.com/heimdal/heimdal Commit: f3b74d8d72436e928755471a704384e33a33ef72 https://github.com/heimdal/heimdal/commit/f3b74d8d72436e928755471a704384e33a33ef72 Author: Jeffrey Altman Date: 2019-05-23 (Thu, 23 May 2019) Changed paths: M cf/sunos.m4 Log Message: ----------- solaris: Define _STDC_C11_BCI for memset_s prototype On Solaris, the memset_s() prototype is only visible if _STDC_C11_BCI is defined. 93518bfab4e495bf4130be354464965e48a786c0 ("use memset_s") introduced warnings on Solaris warning: implicit declaration of function ‘memset_s’; did you mean ‘memset’? [-Wimplicit-function-declaration] Change-Id: Ia02db5e96021a26fb30aa1a593ef6a2b3e3a5b5f (cherry picked from commit dc46b1f82d89912965a6bf5d86291884069d3007) From noreply at github.com Fri May 24 01:09:18 2019 From: noreply at github.com (Nico Williams) Date: Thu, 23 May 2019 16:09:18 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] 02b5f1: klist: display all known flags when listing tickets Message-ID: Branch: refs/heads/heimdal-7-1-branch Home: https://github.com/heimdal/heimdal Commit: 02b5f1af9bc4a8016a6246163cd7d39b2aaa26a0 https://github.com/heimdal/heimdal/commit/02b5f1af9bc4a8016a6246163cd7d39b2aaa26a0 Author: Luke Howard Date: 2019-05-23 (Thu, 23 May 2019) Changed paths: M kuser/klist.c Log Message: ----------- klist: display all known flags when listing tickets Show transited-policy-checked, ok-as-delegate and anonymous flags when listing credentials. 
(cherry picked from commit a7bb4504f2f3dfb276f8aa154858f46ed1063011) Commit: 9739fddaf189cf609fd39d3158e4465b46deab06 https://github.com/heimdal/heimdal/commit/9739fddaf189cf609fd39d3158e4465b46deab06 Author: Jeffrey Altman Date: 2019-05-23 (Thu, 23 May 2019) Changed paths: M appl/su/su.c M kadmin/cpw.c M kadmin/random_password.c M kuser/kinit.c M lib/gssapi/krb5/arcfour.c M lib/gssapi/krb5/get_mic.c M lib/gssapi/krb5/verify_mic.c M lib/gssapi/ntlm/init_sec_context.c M lib/hcrypto/md2.c M lib/hcrypto/rand-fortuna.c M lib/hdb/mkey.c M lib/hx509/ks_file.c M lib/krb5/crypto-arcfour.c M lib/krb5/crypto-des-common.c M lib/krb5/crypto-pk.c M lib/krb5/deprecated.c M lib/krb5/init_creds_pw.c M lib/krb5/kcm.c M lib/krb5/salt-des.c M lib/krb5/salt-des3.c M lib/ntlm/ntlm.c Log Message: ----------- use memset_s lib roken includes support for memset_s() but it was not applied to the Heimdal source tree. Change-Id: I8362ec97a9be50205bb2d398e65b629b88ce1acd (cherry picked from commit 93518bfab4e495bf4130be354464965e48a786c0) Commit: 2a01f4e9483bc171d0281feca2d349f66d0a0af0 https://github.com/heimdal/heimdal/commit/2a01f4e9483bc171d0281feca2d349f66d0a0af0 Author: Jeffrey Altman Date: 2019-05-23 (Thu, 23 May 2019) Changed paths: M kadmin/random_password.c M lib/krb5/salt-des3.c Log Message: ----------- fix calls to memset_s In random_password() and DES3_string_to_key(), do not call memset_s() with the sizeof a pointer. 
Change-Id: I7dd49b9f717e1cb5c262f2d375d2b85be82cd2db (cherry picked from commit 029d32580a3b04550ff736d8878d331dcfca864f) Commit: b1ad2cdd134ad480d6b569c8d7fafa492eeb7325 https://github.com/heimdal/heimdal/commit/b1ad2cdd134ad480d6b569c8d7fafa492eeb7325 Author: Nicolas Williams Date: 2019-05-23 (Thu, 23 May 2019) Changed paths: M lib/hdb/hdb-sqlite.c Log Message: ----------- Set def page size for HDB SQLite3 backend to 8KB (cherry picked from commit e3cc7dfb94826aa709a617fb8e59ab07db584f92) Commit: 90801574137eac288451caf4ac014395143b7c35 https://github.com/heimdal/heimdal/commit/90801574137eac288451caf4ac014395143b7c35 Author: Nicolas Williams Date: 2019-05-23 (Thu, 23 May 2019) Changed paths: M lib/hdb/db.c M lib/hdb/db3.c M lib/hdb/hdb-ldap.c M lib/hdb/hdb-mdb.c M lib/hdb/hdb-mitdb.c M lib/hdb/hdb-sqlite.c M lib/hdb/hdb.h Log Message: ----------- Add hdb_set_sync() method (cherry picked from commit 5bcbe2125b18160f6ad348b15f8036ffedc15770) Commit: bc45c4de721a81af14789a7ca55e3336be6458a6 https://github.com/heimdal/heimdal/commit/bc45c4de721a81af14789a7ca55e3336be6458a6 Author: Nicolas Williams Date: 2019-05-23 (Thu, 23 May 2019) Changed paths: M lib/kadm5/ipropd_slave.c Log Message: ----------- Disable sync during iprop receive_everything() Doing an fsync per-record when receiving the complete HDB is a performance disaster. Among other things, if the HDB is very large, then one slave receiving a full HDB can cause other slaves to time out and, if HDB write activity is high enough to cause iprop log truncation, then also need full syncs, which leads to a cycle of full syncs for all slaves until HDB write activity drops. Allowing the iprop log to be larger helps, but improving receive_everything() performance helps even more.
  (cherry picked from commit 305dc816525f461f9bfe640d87f671f53f0e0fc6)


  Commit: 1293b21e13e8374a4a27629b34bd269c119cd03c
      https://github.com/heimdal/heimdal/commit/1293b21e13e8374a4a27629b34bd269c119cd03c
  Author: Nicolas Williams
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M kadmin/load.c

  Log Message:
  -----------
  Disable sync during kadmin load

  (cherry picked from commit 7d5f8bb051ca84592d1196bf5d5522da5a50f9d6)

  Change-Id: I1fb60d697a4f80be1336dd0980f0758eb6436bbb


Compare: https://github.com/heimdal/heimdal/compare/f3b74d8d7243...1293b21e13e8


From noreply at github.com Fri May 24 01:09:21 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 23 May 2019 16:09:21 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

  Branch: refs/heads/jaltman/heimdal-7.x-pullups
  Home:   https://github.com/heimdal/heimdal


From noreply at github.com Fri May 24 01:11:47 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 23 May 2019 16:11:47 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 67f667: PY3: dict has no iterkeys method
Message-ID:

  Branch: refs/heads/jaltman/heimdal-7-python-3
  Home:   https://github.com/heimdal/heimdal

  Commit: 67f66797b376dbad29ef1073a274c50e0b5ed5f1
      https://github.com/heimdal/heimdal/commit/67f66797b376dbad29ef1073a274c50e0b5ed5f1
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-map.py

  Log Message:
  -----------
  PY3: dict has no iterkeys method

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit c6884138e4c1aec80e8f99ef0978b43919ae9d3a)
  (cherry picked from commit f7c2860a3623e382ae524a353ec428705f02e786)


  Commit: db5bea0ad2e52e31fcbaf6ea6e1acab758ab18df
      https://github.com/heimdal/heimdal/commit/db5bea0ad2e52e31fcbaf6ea6e1acab758ab18df
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-errorlist.py

  Log Message:
  -----------
  PY3: iterkeys -> keys

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit d20e85d008e1b7badbea5ada8b22639f7767a097)
  (cherry picked from commit 965bb515ed54d768bf8b702e548ec8acfcd8c10b)


  Commit: 9df26cf308ed6b681a5651b3e078f7a29b09c926
      https://github.com/heimdal/heimdal/commit/9df26cf308ed6b681a5651b3e078f7a29b09c926
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-errorlist.py

  Log Message:
  -----------
  PY3: iterkeys -> keys

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit b2b0f8191dde58fe234b0147c4a0bd39020aa504)
  (cherry picked from commit f26b1cd599ed3f1fef9a1476bca708055b2c59b2)


  Commit: 2b51de2e1d8cce93ae60b63a10e53904cd6b89d5
      https://github.com/heimdal/heimdal/commit/2b51de2e1d8cce93ae60b63a10e53904cd6b89d5
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-normalize.py

  Log Message:
  -----------
  PY3: dict doesn't have has_key

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit 82c84513331da9d0f42ba73d03e58dce5d0f76d3)
  (cherry picked from commit fc9aab949fcb1bb93f43a5bee01132ffed70a01a)


  Commit: f87c2513176d411a9a01c9cedc082e9386528836
      https://github.com/heimdal/heimdal/commit/f87c2513176d411a9a01c9cedc082e9386528836
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-combining.py

  Log Message:
  -----------
  PY3: dict_keys doesn't have a sort method

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit 0358d57db4705b2330e294b5d6318c1a78a8518c)
  (cherry picked from commit 07e3cbb7fb88ef27d6145f4f2b22a1becf7088c5)


  Commit: bff7b5c247365d2c72548cf9020795d6b691a859
      https://github.com/heimdal/heimdal/commit/bff7b5c247365d2c72548cf9020795d6b691a859
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/generate.py

  Log Message:
  -----------
  PY3: bytes.maketrans, string.maketrans is a PY2 only function

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit b342e6f038b5277cf30115f11cf0f30d238c12ea)
  (cherry picked from commit 96b410ed46689f4cfb8b6505ab6c9ac0d4965f9f)


  Commit: d289f637b21d47e5cc5e0d074ec87616e909a1a9
      https://github.com/heimdal/heimdal/commit/d289f637b21d47e5cc5e0d074ec87616e909a1a9
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/generate.py

  Log Message:
  -----------
  PY3: string.translate string.upper don't exist in PY3

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit a0c8c8c8331856d9f09d18b389b7dd01c8d33de2)
  (cherry picked from commit 76b2f1572911e2872414dfd64db5001439e858cf)


  Commit: 59a3594a07e1c6b4c8a749a627038ecbb0aac933
      https://github.com/heimdal/heimdal/commit/59a3594a07e1c6b4c8a749a627038ecbb0aac933
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/stringprep.py

  Log Message:
  -----------
  PY3: string.upper not in PY3

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit 899ef5d186c2c44f63c1cbf415daa33e9f668a5b)
  (cherry picked from commit 926b3aae822e72b85f1d5adefba49417806909d8)


  Commit: 1aa998f7e4ea5f2bf5582c9012e844300343ea9c
      https://github.com/heimdal/heimdal/commit/1aa998f7e4ea5f2bf5582c9012e844300343ea9c
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-map.py

  Log Message:
  -----------
  PY3: xrange->range

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit e2c0af6bcdf271ff75c455695c129bc18322bd5a)
  (cherry picked from commit 06143cc12bbd377172203c032491b58ee7c4c6b2)


  Commit: 81c96a4cdc76ac318710b5d193c2800e7edd2a36
      https://github.com/heimdal/heimdal/commit/81c96a4cdc76ac318710b5d193c2800e7edd2a36
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-normalize.py

  Log Message:
  -----------
  Bulk: enclose .keys() method with list where list (from python2) expected

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit 521bc6056edc5252f2256664f4eacba13a3749e3)
  (cherry picked from commit fa3c0031a8becea94045cd0d060ce37d1a58ed52)


  Commit: 985eee52a57e1adf0baa473e8937d2415d9ac1e7
      https://github.com/heimdal/heimdal/commit/985eee52a57e1adf0baa473e8937d2415d9ac1e7
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-bidi.py
    M lib/wind/gen-combining.py
    M lib/wind/gen-errorlist.py
    M lib/wind/gen-map.py
    M lib/wind/gen-normalize.py

  Log Message:
  -----------
  PY3: make sure print stmt is enclosed by '(' & ')'

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba merge request https://gitlab.com/samba-team/samba/merge_requests/68)
  (cherry picked from commit 5542a0ba16b53eb223c9cc0acdf91b53d80adc54)


  Commit: 131505ab4bfa80bbe580b2477e91fe3b68513b94
      https://github.com/heimdal/heimdal/commit/131505ab4bfa80bbe580b2477e91fe3b68513b94
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/UnicodeData.py

  Log Message:
  -----------
  PY3: fix "TabError: inconsistent use of tabs and spaces"

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry-picked from Samba commit e8fec94827c933041acd5b447eeeefd0b7b507ef)
  (cherry picked from commit 59aee7cad2b3fdb7fe8ddcc621e12703cdc35022)


  Commit: a107d3be9839da0d15c52db51913fb1ecd660899
      https://github.com/heimdal/heimdal/commit/a107d3be9839da0d15c52db51913fb1ecd660899
  Author: Jeffrey Altman
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-punycode-examples.py

  Log Message:
  -----------
  lib/wind: PY3 gen-punycode-examples.py

  Update gen-punycode-examples.py for python 3.

  gen-punycode-examples.py parses the Sample strings from section 7.1
  of rfc3492.txt and generates the punycode_examples.[ch] sources
  containing the punycode_examples[].

  Python 3 requires that print output be surrounded by parentheses
  and the split and join operations have been moved from the "string"
  class to built-ins.

  This change adds the missing parentheses and switches to the
  built-in split and join str operations.  The "string" class is no
  longer required as an import.

  Change-Id: Ic5f341080d2ff2feef692c89e0b28dcbf4e48cb4
  (cherry picked from commit 63914b95b8aa1153fc44c7cc5b6a4ca1eb2bbc39)


  Commit: 772452c8ee87bf4fb6204d320bf5e747d5cc2fa8
      https://github.com/heimdal/heimdal/commit/772452c8ee87bf4fb6204d320bf5e747d5cc2fa8
  Author: Jeffrey Altman
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-punycode-examples.py

  Log Message:
  -----------
  lib/wind: get-punycode-examples.py whitespace fix

  Change-Id: I89e82539578fd9436ee735c124401fa019369eee
  (cherry picked from commit 4d57ee72f322352c19497bdea1849b42034cb2a2)


Compare: https://github.com/heimdal/heimdal/compare/67f66797b376%5E...772452c8ee87


From noreply at github.com Fri May 24 03:12:26 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 23 May 2019 18:12:26 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 829bf5: PY3: dict has no iterkeys method
Message-ID:

  Branch: refs/heads/heimdal-7-1-branch
  Home:   https://github.com/heimdal/heimdal

  Commit: 829bf5d171709e6bc7c11d3a2d22dad903eff83f
      https://github.com/heimdal/heimdal/commit/829bf5d171709e6bc7c11d3a2d22dad903eff83f
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-map.py

  Log Message:
  -----------
  PY3: dict has no iterkeys method

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit c6884138e4c1aec80e8f99ef0978b43919ae9d3a)
  (cherry picked from commit f7c2860a3623e382ae524a353ec428705f02e786)


  Commit: ccda072e9fd6c153e15a9bc007f76bcd2af20016
      https://github.com/heimdal/heimdal/commit/ccda072e9fd6c153e15a9bc007f76bcd2af20016
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-errorlist.py

  Log Message:
  -----------
  PY3: iterkeys -> keys

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit d20e85d008e1b7badbea5ada8b22639f7767a097)
  (cherry picked from commit 965bb515ed54d768bf8b702e548ec8acfcd8c10b)


  Commit: 25021c05e464bee0d35687b1b76b4cedf6b54a49
      https://github.com/heimdal/heimdal/commit/25021c05e464bee0d35687b1b76b4cedf6b54a49
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-errorlist.py

  Log Message:
  -----------
  PY3: iterkeys -> keys

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit b2b0f8191dde58fe234b0147c4a0bd39020aa504)
  (cherry picked from commit f26b1cd599ed3f1fef9a1476bca708055b2c59b2)


  Commit: 923306a462230957c8c68164b3d7fdfcc6bc60bf
      https://github.com/heimdal/heimdal/commit/923306a462230957c8c68164b3d7fdfcc6bc60bf
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-normalize.py

  Log Message:
  -----------
  PY3: dict doesn't have has_key

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit 82c84513331da9d0f42ba73d03e58dce5d0f76d3)
  (cherry picked from commit fc9aab949fcb1bb93f43a5bee01132ffed70a01a)


  Commit: 8bee05fa1f13438c75fa223611bfbbed3f975478
      https://github.com/heimdal/heimdal/commit/8bee05fa1f13438c75fa223611bfbbed3f975478
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-combining.py

  Log Message:
  -----------
  PY3: dict_keys doesn't have a sort method

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit 0358d57db4705b2330e294b5d6318c1a78a8518c)
  (cherry picked from commit 07e3cbb7fb88ef27d6145f4f2b22a1becf7088c5)


  Commit: 7fcf69642739cf15ec2fbcc2ca547d7d2d9407eb
      https://github.com/heimdal/heimdal/commit/7fcf69642739cf15ec2fbcc2ca547d7d2d9407eb
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/generate.py

  Log Message:
  -----------
  PY3: bytes.maketrans, string.maketrans is a PY2 only function

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit b342e6f038b5277cf30115f11cf0f30d238c12ea)
  (cherry picked from commit 96b410ed46689f4cfb8b6505ab6c9ac0d4965f9f)


  Commit: cec805e2e7b51b191352920245820fbe390f284b
      https://github.com/heimdal/heimdal/commit/cec805e2e7b51b191352920245820fbe390f284b
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/generate.py

  Log Message:
  -----------
  PY3: string.translate string.upper don't exist in PY3

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit a0c8c8c8331856d9f09d18b389b7dd01c8d33de2)
  (cherry picked from commit 76b2f1572911e2872414dfd64db5001439e858cf)


  Commit: 7534f547c9f4e92a7512937968d2fb8ffe5829c2
      https://github.com/heimdal/heimdal/commit/7534f547c9f4e92a7512937968d2fb8ffe5829c2
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/stringprep.py

  Log Message:
  -----------
  PY3: string.upper not in PY3

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit 899ef5d186c2c44f63c1cbf415daa33e9f668a5b)
  (cherry picked from commit 926b3aae822e72b85f1d5adefba49417806909d8)


  Commit: 3363caec5348d81f5bbb4123fd1e493773421c79
      https://github.com/heimdal/heimdal/commit/3363caec5348d81f5bbb4123fd1e493773421c79
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-map.py

  Log Message:
  -----------
  PY3: xrange->range

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit e2c0af6bcdf271ff75c455695c129bc18322bd5a)
  (cherry picked from commit 06143cc12bbd377172203c032491b58ee7c4c6b2)


  Commit: 064ab7e2777a4b47141f63045c70b4230f5059ec
      https://github.com/heimdal/heimdal/commit/064ab7e2777a4b47141f63045c70b4230f5059ec
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-normalize.py

  Log Message:
  -----------
  Bulk: enclose .keys() method with list where list (from python2) expected

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba commit 521bc6056edc5252f2256664f4eacba13a3749e3)
  (cherry picked from commit fa3c0031a8becea94045cd0d060ce37d1a58ed52)


  Commit: 23a9769aab688720f396250104387aa304816dcb
      https://github.com/heimdal/heimdal/commit/23a9769aab688720f396250104387aa304816dcb
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-bidi.py
    M lib/wind/gen-combining.py
    M lib/wind/gen-errorlist.py
    M lib/wind/gen-map.py
    M lib/wind/gen-normalize.py

  Log Message:
  -----------
  PY3: make sure print stmt is enclosed by '(' & ')'

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry picked from Samba merge request https://gitlab.com/samba-team/samba/merge_requests/68)
  (cherry picked from commit 5542a0ba16b53eb223c9cc0acdf91b53d80adc54)


  Commit: 423d5bc52cb6e4f2890370e196553dbce4418f80
      https://github.com/heimdal/heimdal/commit/423d5bc52cb6e4f2890370e196553dbce4418f80
  Author: Noel Power
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/UnicodeData.py

  Log Message:
  -----------
  PY3: fix "TabError: inconsistent use of tabs and spaces"

  Signed-off-by: Noel Power
  Reviewed-by: Andrew Bartlett

  (cherry-picked from Samba commit e8fec94827c933041acd5b447eeeefd0b7b507ef)
  (cherry picked from commit 59aee7cad2b3fdb7fe8ddcc621e12703cdc35022)


  Commit: 6fd276011e191e714333e990042b2272c2592f08
      https://github.com/heimdal/heimdal/commit/6fd276011e191e714333e990042b2272c2592f08
  Author: Jeffrey Altman
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-punycode-examples.py

  Log Message:
  -----------
  lib/wind: PY3 gen-punycode-examples.py

  Update gen-punycode-examples.py for python 3.

  gen-punycode-examples.py parses the Sample strings from section 7.1
  of rfc3492.txt and generates the punycode_examples.[ch] sources
  containing the punycode_examples[].

  Python 3 requires that print output be surrounded by parentheses
  and the split and join operations have been moved from the "string"
  class to built-ins.

  This change adds the missing parentheses and switches to the
  built-in split and join str operations.  The "string" class is no
  longer required as an import.

  Change-Id: Ic5f341080d2ff2feef692c89e0b28dcbf4e48cb4
  (cherry picked from commit 63914b95b8aa1153fc44c7cc5b6a4ca1eb2bbc39)


  Commit: 9dbafc06742dc2fc8667573249e78db0df46727c
      https://github.com/heimdal/heimdal/commit/9dbafc06742dc2fc8667573249e78db0df46727c
  Author: Jeffrey Altman
  Date:   2019-05-23 (Thu, 23 May 2019)

  Changed paths:
    M lib/wind/gen-punycode-examples.py

  Log Message:
  -----------
  lib/wind: get-punycode-examples.py whitespace fix

  Change-Id: I89e82539578fd9436ee735c124401fa019369eee
  (cherry picked from commit 4d57ee72f322352c19497bdea1849b42034cb2a2)


Compare: https://github.com/heimdal/heimdal/compare/1293b21e13e8...9dbafc06742d


From noreply at github.com Fri May 24 03:12:30 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 23 May 2019 18:12:30 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

  Branch: refs/heads/jaltman/heimdal-7-python-3
  Home:   https://github.com/heimdal/heimdal


From noreply at github.com Fri May 24 06:52:07 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 23 May 2019 21:52:07 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 3c640c: .travis.yml: synchronize with master
Message-ID:

  Branch: refs/heads/jaltman/7.x-travis
  Home:   https://github.com/heimdal/heimdal

  Commit: 3c640c3f7c03c4d8b65ce489952c3b48a937ab96
      https://github.com/heimdal/heimdal/commit/3c640c3f7c03c4d8b65ce489952c3b48a937ab96
  Author: Jeffrey Altman
  Date:   2019-05-24 (Fri, 24 May 2019)

  Changed paths:
    M .travis.yml

  Log Message:
  -----------
  .travis.yml: synchronize with master

  matches the file contents of 26048694d736aa844d2be0abc6bd82a1cf51cfef

  Change-Id: Ic4b269abb20618824ed4ad9f68424167700d833b


From noreply at github.com Fri May 24 07:52:15 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 23 May 2019 22:52:15 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] e868c0: .travis.yml: synchronize with master
Message-ID:

  Branch: refs/heads/heimdal-7-1-branch
  Home:   https://github.com/heimdal/heimdal

  Commit: e868c0ce681e51d518688dfec082beceb79402f5
      https://github.com/heimdal/heimdal/commit/e868c0ce681e51d518688dfec082beceb79402f5
  Author: Jeffrey Altman
  Date:   2019-05-24 (Fri, 24 May 2019)

  Changed paths:
    M .travis.yml

  Log Message:
  -----------
  .travis.yml: synchronize with master

  matches the file contents of 26048694d736aa844d2be0abc6bd82a1cf51cfef

  Change-Id: Ic4b269abb20618824ed4ad9f68424167700d833b


From noreply at github.com Fri May 24 07:52:18 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 23 May 2019 22:52:18 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

  Branch: refs/heads/jaltman/7.x-travis
  Home:   https://github.com/heimdal/heimdal


From noreply at github.com Fri May 24 07:52:56 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 23 May 2019 22:52:56 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] ddb2ec: .travis.yml: add gcc 32-bit build on linux
Message-ID:

  Branch: refs/heads/jaltman/travis-32bit
  Home:   https://github.com/heimdal/heimdal

  Commit: ddb2ec3c1c9f3700141da15b0992994cbc27ec36
      https://github.com/heimdal/heimdal/commit/ddb2ec3c1c9f3700141da15b0992994cbc27ec36
  Author: Jeffrey Altman
  Date:   2019-05-24 (Fri, 24 May 2019)

  Changed paths:
    M .travis.yml

  Log Message:
  -----------
  .travis.yml: add gcc 32-bit build on linux

  Change-Id: I6dbb72d9ed5e45ae862a2e6742a2e6a5cee4a6de


From noreply at github.com Fri May 24 07:54:40 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 23 May 2019 22:54:40 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] c28be0: .travis.yml: add gcc 32-bit build on linux
Message-ID:

  Branch: refs/heads/jaltman/travis-32bit
  Home:   https://github.com/heimdal/heimdal

  Commit: c28be0ef0f08aa92cad3e422525d5569827d436c
      https://github.com/heimdal/heimdal/commit/c28be0ef0f08aa92cad3e422525d5569827d436c
  Author: Jeffrey Altman
  Date:   2019-05-24 (Fri, 24 May 2019)

  Changed paths:
    M .travis.yml

  Log Message:
  -----------
  .travis.yml: add gcc 32-bit build on linux

  Change-Id: I6dbb72d9ed5e45ae862a2e6742a2e6a5cee4a6de


From noreply at github.com Fri May 24 07:57:18 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 23 May 2019 22:57:18 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 81c7ec: .travis.yml: add gcc 32-bit build on linux
Message-ID:

  Branch: refs/heads/jaltman/travis-32bit
  Home:   https://github.com/heimdal/heimdal

  Commit: 81c7ec028a74ac5012e9c80c8a05bef74de82f87
      https://github.com/heimdal/heimdal/commit/81c7ec028a74ac5012e9c80c8a05bef74de82f87
  Author: Jeffrey Altman
  Date:   2019-05-24 (Fri, 24 May 2019)

  Changed paths:
    M .travis.yml

  Log Message:
  -----------
  .travis.yml: add gcc 32-bit build on linux

  Change-Id: I6dbb72d9ed5e45ae862a2e6742a2e6a5cee4a6de


From noreply at github.com Fri May 24 08:06:52 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 23 May 2019 23:06:52 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 7db8bb: .travis.yml: add gcc 32-bit build on linux
Message-ID:

  Branch: refs/heads/jaltman/travis-32bit
  Home:   https://github.com/heimdal/heimdal

  Commit: 7db8bb8cd45a692509e089239a3b8973befa7fee
      https://github.com/heimdal/heimdal/commit/7db8bb8cd45a692509e089239a3b8973befa7fee
  Author: Jeffrey Altman
  Date:   2019-05-24 (Fri, 24 May 2019)

  Changed paths:
    M .travis.yml

  Log Message:
  -----------
  .travis.yml: add gcc 32-bit build on linux

  Change-Id: I6dbb72d9ed5e45ae862a2e6742a2e6a5cee4a6de


From noreply at github.com Fri May 24 08:28:52 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 23 May 2019 23:28:52 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 832498: .travis.yml: add gcc 32-bit build on linux
Message-ID:

  Branch: refs/heads/jaltman/travis-32bit
  Home:   https://github.com/heimdal/heimdal

  Commit: 832498de31142c4fdca525c96db7edadb4aed09a
      https://github.com/heimdal/heimdal/commit/832498de31142c4fdca525c96db7edadb4aed09a
  Author: Jeffrey Altman
  Date:   2019-05-24 (Fri, 24 May 2019)

  Changed paths:
    M .travis.yml

  Log Message:
  -----------
  .travis.yml: add gcc 32-bit build on linux

  Change-Id: I6dbb72d9ed5e45ae862a2e6742a2e6a5cee4a6de


From noreply at github.com Fri May 31 02:09:55 2019
From: noreply at github.com (Quanah Gibson-Mount)
Date: Thu, 30 May 2019 17:09:55 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 4371af: Fixes issue#535 - verify-password-quality
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 4371af9e75f8b560b851b2a9b6faf63fc8535598
      https://github.com/heimdal/heimdal/commit/4371af9e75f8b560b851b2a9b6faf63fc8535598
  Author: Quanah Gibson-Mount
  Date:   2019-05-30 (Thu, 30 May 2019)

  Changed paths:
    M kadmin/kadmin.1

  Log Message:
  -----------
  Fixes issue#535 - verify-password-quality

  At one point in time, the configuration option was named
  "password-quality" but this was later changed to
  "verify-password-quality".  Update the kadmin(1) man page to reflect
  this change.


From noreply at github.com Fri May 31 02:10:27 2019
From: noreply at github.com (Quanah Gibson-Mount)
Date: Thu, 30 May 2019 17:10:27 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 68f74f: Fixes #550 - Note that encrypt is the default option
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 68f74fbaf11344c802a8a46ecf05115c120b86d5
      https://github.com/heimdal/heimdal/commit/68f74fbaf11344c802a8a46ecf05115c120b86d5
  Author: Quanah Gibson-Mount
  Date:   2019-05-30 (Thu, 30 May 2019)

  Changed paths:
    M kdc/hprop.8

  Log Message:
  -----------
  Fixes #550 - Note that encrypt is the default option

  There are two options to hprop.  It's important to note that the
  default behavior is to transmit the database with encrypted keys.


From noreply at github.com Fri May 31 02:11:05 2019
From: noreply at github.com (Quanah Gibson-Mount)
Date: Thu, 30 May 2019 17:11:05 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 9de4da: Fixes #532 - Note that all does not include get-keys
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 9de4da0dcc0a4a135e87c228b555500b2623c201
      https://github.com/heimdal/heimdal/commit/9de4da0dcc0a4a135e87c228b555500b2623c201
  Author: Quanah Gibson-Mount
  Date:   2019-05-30 (Thu, 30 May 2019)

  Changed paths:
    M kadmin/kadmind.8

  Log Message:
  -----------
  Fixes #532 - Note that all does not include get-keys

  Update the kadmind(8) man page to note that the "all" option for ACLs
  does not include the "get-keys" option.


From noreply at github.com Fri May 31 02:12:00 2019
From: noreply at github.com (Quanah Gibson-Mount)
Date: Thu, 30 May 2019 17:12:00 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 290d7e: Fixes #536 - Note that this can cause unexpected b...
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 290d7e75f25c3c60a2665ba19282649fe5a7e3e5
      https://github.com/heimdal/heimdal/commit/290d7e75f25c3c60a2665ba19282649fe5a7e3e5
  Author: Quanah Gibson-Mount
  Date:   2019-05-30 (Thu, 30 May 2019)

  Changed paths:
    M kadmin/kadmin.1

  Log Message:
  -----------
  Fixes #536 - Note that this can cause unexpected behavior with certain backends

  When running with verify-password-quality and a back-end that stores
  history (such as heimdal-history) this command can cause an update to
  the database meaning the password can no longer be used with this
  principal in the future


From noreply at github.com Fri May 31 02:17:09 2019
From: noreply at github.com (Quanah Gibson-Mount)
Date: Thu, 30 May 2019 17:17:09 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 7daa26: Fixes issue#535 - verify-password-quality
Message-ID:

  Branch: refs/heads/jaltman/7-7-docs
  Home:   https://github.com/heimdal/heimdal

  Commit: 7daa26cf88cad969abf032ff23477160ed264c8b
      https://github.com/heimdal/heimdal/commit/7daa26cf88cad969abf032ff23477160ed264c8b
  Author: Quanah Gibson-Mount
  Date:   2019-05-30 (Thu, 30 May 2019)

  Changed paths:
    M kadmin/kadmin.1

  Log Message:
  -----------
  Fixes issue#535 - verify-password-quality

  At one point in time, the configuration option was named
  "password-quality" but this was later changed to
  "verify-password-quality".  Update the kadmin(1) man page to reflect
  this change.

  (cherry picked from commit 4371af9e75f8b560b851b2a9b6faf63fc8535598)


  Commit: f79875dd9b2ac6eff0d22a7fbfa2137bf35687bb
      https://github.com/heimdal/heimdal/commit/f79875dd9b2ac6eff0d22a7fbfa2137bf35687bb
  Author: Quanah Gibson-Mount
  Date:   2019-05-30 (Thu, 30 May 2019)

  Changed paths:
    M kdc/hprop.8

  Log Message:
  -----------
  Fixes #550 - Note that encrypt is the default option

  There are two options to hprop.  It's important to note that the
  default behavior is to transmit the database with encrypted keys.

  (cherry picked from commit 68f74fbaf11344c802a8a46ecf05115c120b86d5)


  Commit: 6d845da6c278b366eb33847de39d4cc5e38ff50e
      https://github.com/heimdal/heimdal/commit/6d845da6c278b366eb33847de39d4cc5e38ff50e
  Author: Quanah Gibson-Mount
  Date:   2019-05-30 (Thu, 30 May 2019)

  Changed paths:
    M kadmin/kadmind.8

  Log Message:
  -----------
  Fixes #532 - Note that all does not include get-keys

  Update the kadmind(8) man page to note that the "all" option for ACLs
  does not include the "get-keys" option.

  (cherry picked from commit 9de4da0dcc0a4a135e87c228b555500b2623c201)


  Commit: 551dab5c847651b263d4f336c2707ac8795c9995
      https://github.com/heimdal/heimdal/commit/551dab5c847651b263d4f336c2707ac8795c9995
  Author: Quanah Gibson-Mount
  Date:   2019-05-30 (Thu, 30 May 2019)

  Changed paths:
    M kadmin/kadmin.1

  Log Message:
  -----------
  Fixes #536 - Note that this can cause unexpected behavior with certain backends

  When running with verify-password-quality and a back-end that stores
  history (such as heimdal-history) this command can cause an update to
  the database meaning the password can no longer be used with this
  principal in the future

  (cherry picked from commit 290d7e75f25c3c60a2665ba19282649fe5a7e3e5)


Compare: https://github.com/heimdal/heimdal/compare/7daa26cf88ca%5E...551dab5c8476


From noreply at github.com Fri May 31 02:17:57 2019
From: noreply at github.com (Quanah Gibson-Mount)
Date: Thu, 30 May 2019 17:17:57 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 1384b3: Fixes issue#535 - verify-password-quality
Message-ID:

  Branch: refs/heads/heimdal-7-1-branch
  Home:   https://github.com/heimdal/heimdal

  Commit: 1384b3c59aa3357796115f836a1fc185ba4b0ba8
      https://github.com/heimdal/heimdal/commit/1384b3c59aa3357796115f836a1fc185ba4b0ba8
  Author: Quanah Gibson-Mount
  Date:   2019-05-30 (Thu, 30 May 2019)

  Changed paths:
    M kadmin/kadmin.1

  Log Message:
  -----------
  Fixes issue#535 - verify-password-quality

  At one point in time, the configuration option was named
  "password-quality" but this was later changed to
  "verify-password-quality".  Update the kadmin(1) man page to reflect
  this change.

  (cherry picked from commit 4371af9e75f8b560b851b2a9b6faf63fc8535598)


  Commit: a7c7e310e11cbeaa988561c9f8659e74073ecfa7
      https://github.com/heimdal/heimdal/commit/a7c7e310e11cbeaa988561c9f8659e74073ecfa7
  Author: Quanah Gibson-Mount
  Date:   2019-05-30 (Thu, 30 May 2019)

  Changed paths:
    M kdc/hprop.8

  Log Message:
  -----------
  Fixes #550 - Note that encrypt is the default option

  There are two options to hprop.  It's important to note that the
  default behavior is to transmit the database with encrypted keys.

  (cherry picked from commit 68f74fbaf11344c802a8a46ecf05115c120b86d5)


  Commit: b8bc1235a52272ff7dda570e5ffc924913816c63
      https://github.com/heimdal/heimdal/commit/b8bc1235a52272ff7dda570e5ffc924913816c63
  Author: Quanah Gibson-Mount
  Date:   2019-05-30 (Thu, 30 May 2019)

  Changed paths:
    M kadmin/kadmind.8

  Log Message:
  -----------
  Fixes #532 - Note that all does not include get-keys

  Update the kadmind(8) man page to note that the "all" option for ACLs
  does not include the "get-keys" option.

  (cherry picked from commit 9de4da0dcc0a4a135e87c228b555500b2623c201)


  Commit: ed7bd297861ecb73c59b5cc6f991912f7e1b702c
      https://github.com/heimdal/heimdal/commit/ed7bd297861ecb73c59b5cc6f991912f7e1b702c
  Author: Quanah Gibson-Mount
  Date:   2019-05-30 (Thu, 30 May 2019)

  Changed paths:
    M kadmin/kadmin.1

  Log Message:
  -----------
  Fixes #536 - Note that this can cause unexpected behavior with certain backends

  When running with verify-password-quality and a back-end that stores
  history (such as heimdal-history) this command can cause an update to
  the database meaning the password can no longer be used with this
  principal in the future

  (cherry picked from commit 290d7e75f25c3c60a2665ba19282649fe5a7e3e5)


Compare: https://github.com/heimdal/heimdal/compare/e868c0ce681e...ed7bd297861e


From noreply at github.com Fri May 31 02:18:04 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 30 May 2019 17:18:04 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal]
Message-ID:

  Branch: refs/heads/jaltman/7-7-docs
  Home:   https://github.com/heimdal/heimdal


From noreply at github.com Fri May 31 03:54:41 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 30 May 2019 18:54:41 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 73fc54: Heimdal 7.7 NEWS
Message-ID:

  Branch: refs/heads/jaltman/7.7-NEWS
  Home:   https://github.com/heimdal/heimdal

  Commit: 73fc5421499f005870ed743055583417a95a6526
      https://github.com/heimdal/heimdal/commit/73fc5421499f005870ed743055583417a95a6526
  Author: Jeffrey Altman
  Date:   2019-05-30 (Thu, 30 May 2019)

  Changed paths:
    M NEWS

  Log Message:
  -----------
  Heimdal 7.7 NEWS

  Change-Id: Ic7651ad7d94f6bf4f5695d805f48510e8344f3d7


From noreply at github.com Fri May 31 04:30:51 2019
From: noreply at github.com (Jeffrey Altman)
Date: Thu, 30 May 2019 19:30:51 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 954d3b: Heimdal 7.7 NEWS
Message-ID:

  Branch: refs/heads/jaltman/7.7-NEWS
  Home:   https://github.com/heimdal/heimdal

  Commit: 954d3bf9ada381d140eb694f8877d354da2b25c5
      https://github.com/heimdal/heimdal/commit/954d3bf9ada381d140eb694f8877d354da2b25c5
  Author: Jeffrey Altman
  Date:   2019-05-30 (Thu, 30 May 2019)

  Changed paths:
    M NEWS

  Log Message:
  -----------
  Heimdal 7.7 NEWS

  Change-Id: Ic7651ad7d94f6bf4f5695d805f48510e8344f3d7