From noreply at github.com Thu Oct 3 20:36:29 2019
From: noreply at github.com (Nico Williams)
Date: Thu, 03 Oct 2019 11:36:29 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 338d47: Fix Appveyor Windows build
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 338d47120b29944a38d6ae8b318def936a2d6658
      https://github.com/heimdal/heimdal/commit/338d47120b29944a38d6ae8b318def936a2d6658
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/kadm5/init_c.c
    M lib/krb5/get_default_principal.c

  Log Message:
  -----------
  Fix Appveyor Windows build


  Commit: 5859bc3bdfb797a9a16ef19a97e28605529c6c77
      https://github.com/heimdal/heimdal/commit/5859bc3bdfb797a9a16ef19a97e28605529c6c77
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M kadmin/kadmin.1
    M kadmin/kadmin.c

  Log Message:
  -----------
  kadmin: add --hdb / -H argument

  Makes it possible to

      $ kadmin -l -H /tmp/hdb init FOO.EXAMPLE

  rather than being able to only init /var/heimdal/heimdal.


  Commit: 1ae941af9b5beef88ffb91c274dc6b99c7c77191
      https://github.com/heimdal/heimdal/commit/1ae941af9b5beef88ffb91c274dc6b99c7c77191
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M kadmin/kadmind.c
    M kcm/main.c
    M kdc/config.c
    M kpasswd/kpasswdd.c
    M lib/kadm5/ipropd_master.c
    M lib/kadm5/ipropd_slave.c
    M lib/roken/detach.c
    M lib/roken/roken.h.in
    M lib/roken/test-detach.c

  Log Message:
  -----------
  roken_detach_prep() should return fd


  Commit: 34728ce79ee4539606b0e33e973eefb089250a85
      https://github.com/heimdal/heimdal/commit/34728ce79ee4539606b0e33e973eefb089250a85
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/roken/base64.c

  Log Message:
  -----------
  rk_base64_encode(): set errno in all error cases


  Commit: 1ee136ce40b6a0e4c03a6aaa49d142f02437b946
      https://github.com/heimdal/heimdal/commit/1ee136ce40b6a0e4c03a6aaa49d142f02437b946
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M cf/roken-frag.m4

  Log Message:
  -----------
  autoconf: look for unlinkat()


  Commit: 8d232aa87d2b38c491356bf8843d9f27dcad7e14
      https://github.com/heimdal/heimdal/commit/8d232aa87d2b38c491356bf8843d9f27dcad7e14
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/hx509/libhx509-exports.def

  Log Message:
  -----------
  hx509: export hx509_parse_private_key (Windows)


  Commit: 252487dfe45cc7af6ed6074d024259dd2e9d93e0
      https://github.com/heimdal/heimdal/commit/252487dfe45cc7af6ed6074d024259dd2e9d93e0
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/hx509/cert.c
    M lib/hx509/ks_file.c
    M lib/hx509/libhx509-exports.def
    M lib/hx509/version-script.map

  Log Message:
  -----------
  hx509: support reading private keys from PEM files

  This commit adds:

   - hx509_cert_init_private_key() for creating an hx509_cert object that
     has just a private key

   - hx509_cert_have_private_key_only() for checking whether an hx509_cert
     object has just a private key

  This also generalizes the get_key() internal function in hxtool, which is
  tasked with reading or generating a private key for use in signing CSRs.
  Now hxtool request-create can read/write private keys to/from PEM files,
  not just DER files.

  This is needed to support key types other than just RSA for CSRs and
  certificates.


  Commit: 005ba36b83dbbb6a4bbcf5da2bb1cecd9fb886f2
      https://github.com/heimdal/heimdal/commit/005ba36b83dbbb6a4bbcf5da2bb1cecd9fb886f2
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/hx509/hxtool.c

  Log Message:
  -----------
  hxtool request-create: fix --key argument handling

  ```
  hxtool request-create --subject=... \
                        --generate-key=... \
                        --key-bits=... \
                        --key=STORE \
                        store
  ```

  wants to generate a key, store it in the location specified by the --key
  argument, then read it back, then generate the CSR, and store it in
  `store`.

  But it didn't work because for generating a key this really wants the
  `--key` argument to be a file path into which a raw DER-encoded RSA key
  will be written (only RSA is supported, ay!), but for reading the key
  back it uses `hx509_certs_init()`, which wants `TYPE:name` keystore
  specification. A deadly embrace.

  Now that we have improved libhx509 functionality for reading/writing
  private keys from/to PEM files we use this functionality and require a
  store type in the `--key=STORE` argument.


  Commit: 859c587dc25bebf0c3618a7a531fb26642f1416f
      https://github.com/heimdal/heimdal/commit/859c587dc25bebf0c3618a7a531fb26642f1416f
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/hx509/ca.c
    M lib/hx509/hxtool-commands.in
    M lib/hx509/hxtool.c
    M lib/hx509/libhx509-exports.def
    M lib/hx509/version-script.map

  Log Message:
  -----------
  Add more hxtool EKU options, and KeyUsage too

  This is necessary in order to have more control over, e.g., template
  certificates for kx509. But also it's good to have this more generally.

  Some batteries not included. Specifically: no attempt is made to
  validate that given KeyUsage values are compatible with the
  subjectPublicKey's algorithm and parameters.


  Commit: a2db5caebfb2bf05cd6ec526b5ad94e3a33c4dd6
      https://github.com/heimdal/heimdal/commit/a2db5caebfb2bf05cd6ec526b5ad94e3a33c4dd6
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/gssapi/krb5/test_kcred.c
    M lib/gssapi/test_kcred.c

  Log Message:
  -----------
  Add note about racy tests


  Commit: 049d817c667c7ad67ff23b284639dd09f0b91ca2
      https://github.com/heimdal/heimdal/commit/049d817c667c7ad67ff23b284639dd09f0b91ca2
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/hx509/ca.c

  Log Message:
  -----------
  Fix hx509_ca_tbs_free() segfault


  Commit: cc8a5c59a842873e998220cc316ad43487c67776
      https://github.com/heimdal/heimdal/commit/cc8a5c59a842873e998220cc316ad43487c67776
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/hx509/hxtool-commands.in
    M lib/hx509/hxtool.c

  Log Message:
  -----------
  hxtool: add generate-key command

  This will help us not commit private keys in-tree for testing as we can
  now more easily generate them as needed.


  Commit: 63116100a8b2e096b9230a0cfd6adfa35339dec2
      https://github.com/heimdal/heimdal/commit/63116100a8b2e096b9230a0cfd6adfa35339dec2
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/hx509/ks_dir.c
    M lib/hx509/ks_file.c
    M lib/hx509/ks_p11.c
    M lib/hx509/ks_p12.c

  Log Message:
  -----------
  hx509: do not crash on missing FILE: name


  Commit: 5a0d85e42328d8e6843ef2e16007c48500e27987
      https://github.com/heimdal/heimdal/commit/5a0d85e42328d8e6843ef2e16007c48500e27987
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/hx509/crypto.c
    M lib/hx509/hx509.h

  Log Message:
  -----------
  hx509: Add PKCS#8 private key format option


  Commit: e4b35ba13f077bc25c7e67e17edcf68d37c0d9ff
      https://github.com/heimdal/heimdal/commit/e4b35ba13f077bc25c7e67e17edcf68d37c0d9ff
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/hx509/ks_file.c

  Log Message:
  -----------
  hx509: create files with safe mode_t


  Commit: 41fcafd20c6dc2e1cc61e0b3d4e77936ab3eec61
      https://github.com/heimdal/heimdal/commit/41fcafd20c6dc2e1cc61e0b3d4e77936ab3eec61
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/hx509/file.c
    M lib/hx509/hx_locl.h
    M lib/hx509/keyset.c
    M lib/hx509/ks_dir.c
    M lib/hx509/ks_file.c
    M lib/hx509/ks_keychain.c
    M lib/hx509/ks_mem.c
    M lib/hx509/ks_null.c
    M lib/hx509/ks_p11.c
    M lib/hx509/ks_p12.c
    M lib/hx509/libhx509-exports.def
    M lib/hx509/version-script.map

  Log Message:
  -----------
  hx509: add hx509_certs_destroy()


  Commit: eaebb892b8f9c3a39dd15441584fa8d1e87290ae
      https://github.com/heimdal/heimdal/commit/eaebb892b8f9c3a39dd15441584fa8d1e87290ae
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/hx509/cert.c

  Log Message:
  -----------
  hx509: hx509_context_free(&null_var) should work


  Commit: f2776ce84104192782924c79a467f962238598f1
      https://github.com/heimdal/heimdal/commit/f2776ce84104192782924c79a467f962238598f1
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/hx509/error.c

  Log Message:
  -----------
  hx509: make hx509_get_error_string(NULL, ...) work

  If hx509_context_init() fails we should still be able to do something
  with its return code.


  Commit: 87eb05df6aac26e0ee5f2ae4d40b361007a83355
      https://github.com/heimdal/heimdal/commit/87eb05df6aac26e0ee5f2ae4d40b361007a83355
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/hx509/req.c

  Log Message:
  -----------
  hx509: always verify CSR signature


  Commit: d13f89cb110cd917ea6c5ecd42a9b5b77f1b887c
      https://github.com/heimdal/heimdal/commit/d13f89cb110cd917ea6c5ecd42a9b5b77f1b887c
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/hx509/hxtool.c
    M lib/hx509/libhx509-exports.def
    M lib/hx509/req.c
    M lib/hx509/version-script.map

  Log Message:
  -----------
  hx509: expose hx509_request_parse*()


  Commit: 63ccdca13701677a8351d4dec444c7f741ba5785
      https://github.com/heimdal/heimdal/commit/63ccdca13701677a8351d4dec444c7f741ba5785
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/hx509/keyset.c

  Log Message:
  -----------
  hx509: _hx509_certs_keys_free() should not require gate


  Commit: 44677c01aefe099a77b9d534833e9024b1fa3450
      https://github.com/heimdal/heimdal/commit/44677c01aefe099a77b9d534833e9024b1fa3450
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/hx509/cert.c
    M lib/hx509/hxtool.c

  Log Message:
  -----------
  hxtool print: fix output device bugs


  Commit: 5e270a89145b97b947b16f944b761ebb87488904
      https://github.com/heimdal/heimdal/commit/5e270a89145b97b947b16f944b761ebb87488904
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/krb5/pkinit.c

  Log Message:
  -----------
  Fix missing error checking in lib/krb5/pkinit.c


  Commit: 75b5c94a62115e8a27a51a7ee4d3c22ca177df29
      https://github.com/heimdal/heimdal/commit/75b5c94a62115e8a27a51a7ee4d3c22ca177df29
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M kdc/connect.c

  Log Message:
  -----------
  kdc: fix invalid free at exit time


  Commit: d3ef0ee74358276bf65af3d4b26b9f530ad1c57b
      https://github.com/heimdal/heimdal/commit/d3ef0ee74358276bf65af3d4b26b9f530ad1c57b
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M kdc/connect.c
    M kdc/main.c

  Log Message:
  -----------
  kdc: fix leaks


  Commit: f31cdc30b2c7e58260935f8df7207f9c247a8ae6
      https://github.com/heimdal/heimdal/commit/f31cdc30b2c7e58260935f8df7207f9c247a8ae6
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M cf/roken-frag.m4
    M lib/roken/Makefile.am
    M lib/roken/NTMakefile
    A lib/roken/memmem.c
    M lib/roken/roken.h.in
    M lib/roken/version-script.map

  Log Message:
  -----------
  roken: add rk_memmem()


  Commit: 96d1e80bdaded9211b3becc82a2e6c58ccc9a33a
      https://github.com/heimdal/heimdal/commit/96d1e80bdaded9211b3becc82a2e6c58ccc9a33a
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M cf/roken-frag.m4
    M lib/roken/Makefile.am
    M lib/roken/NTMakefile
    A lib/roken/mkostemp.c
    M lib/roken/roken.h.in
    M lib/roken/version-script.map

  Log Message:
  -----------
  roken: add mkostemp()


  Commit: cf16e60f3b2c7d5549ffe959ade7505d5e5ce638
      https://github.com/heimdal/heimdal/commit/cf16e60f3b2c7d5549ffe959ade7505d5e5ce638
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/krb5/krcache.c

  Log Message:
  -----------
  Fix off by one in KEYRING krcc_remove_cred()


  Commit: ec84667763547219241b79547b4d186b8b0c4787
      https://github.com/heimdal/heimdal/commit/ec84667763547219241b79547b4d186b8b0c4787
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/krb5/acache.c
    M lib/krb5/cache.c
    M lib/krb5/fcache.c
    M lib/krb5/kcm.c
    M lib/krb5/krcache.c
    M lib/krb5/mcache.c
    M lib/krb5/scache.c
    M lib/krb5/test_cc.c

  Log Message:
  -----------
  Fix krb5_cc_move() issues

  Move init/copy/destroy fallback sequence from fcc_move() to
  krb5_cc_move().

  Make sure all backends' move() method calls krb5_cc_destroy() on the
  source on success (and only on success).

  In test_cc make sure that we can find in the destination the cred stored
  into the source.


  Commit: e163bfd81b5a24343cb59fd30c40ab1e828f45c8
      https://github.com/heimdal/heimdal/commit/e163bfd81b5a24343cb59fd30c40ab1e828f45c8
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/krb5/fcache.c

  Log Message:
  -----------
  Make ccache init atomic


  Commit: 621c68abeaaba1108f19904edf9e822d6d0ed1cb
      https://github.com/heimdal/heimdal/commit/621c68abeaaba1108f19904edf9e822d6d0ed1cb
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/krb5/test_cc.c

  Log Message:
  -----------
  Improve krb5_cc_remove_cred() test


  Commit: fe5c0a907c4b9c1b69caefe54e16ed69dd950a00
      https://github.com/heimdal/heimdal/commit/fe5c0a907c4b9c1b69caefe54e16ed69dd950a00
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/krb5/principal.c

  Log Message:
  -----------
  unparse_principal: reject embedded NULs


  Commit: 6deb2a6baeba9ed528059eb2d612fdc39e5c06ca
      https://github.com/heimdal/heimdal/commit/6deb2a6baeba9ed528059eb2d612fdc39e5c06ca
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M kdc/connect.c

  Log Message:
  -----------
  kdc: improve HTTP parsing


  Commit: 37b55e1fdb7f2e3f01f18f9cee13b756960fa2ac
      https://github.com/heimdal/heimdal/commit/37b55e1fdb7f2e3f01f18f9cee13b756960fa2ac
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/krb5/pkinit.c

  Log Message:
  -----------
  pkinit: fix memory leak in libkrb5


  Commit: 941dfd95a32088d8e1dfce9fe1839d14bd8413b5
      https://github.com/heimdal/heimdal/commit/941dfd95a32088d8e1dfce9fe1839d14bd8413b5
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/krb5/pkinit.c

  Log Message:
  -----------
  pkinit: fix leak in client


  Commit: 697c6462cf4ef2a0d5c93d0215fb914d820a2592
      https://github.com/heimdal/heimdal/commit/697c6462cf4ef2a0d5c93d0215fb914d820a2592
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M kuser/klist.c

  Log Message:
  -----------
  klist: fix verbose printing of config entries


  Commit: 375dd8897f8c11946a008eaa4da0868d47862622
      https://github.com/heimdal/heimdal/commit/375dd8897f8c11946a008eaa4da0868d47862622
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M kuser/klist.c

  Log Message:
  -----------
  klist: partial fix of -v --json

  It's still not supported, but at least it generates valid JSON now.

  Note that --json w/o -v is functional but has issues, specifically the
  rtbl_add_column_entry() does not encode strings properly for output as
  JSON strings. Fixing this will take significantly more effort. One
  wonders if it might not be better to use a proper JSON library instead
  of the rtbl stuff.


  Commit: afaaf3d89d86bb33f42a63767b41f57c24238aed
      https://github.com/heimdal/heimdal/commit/afaaf3d89d86bb33f42a63767b41f57c24238aed
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/krb5/cache.c
    M lib/krb5/context.c
    M lib/krb5/krb5_locl.h
    M lib/krb5/libkrb5-exports.def.in
    M lib/krb5/version-script.map

  Log Message:
  -----------
  Add krb5_cc_configured_default_name()

  Refactor krb5_cc_set_default_name() by splitting out the part that looks
  for a configured default ccache name.

  This will allow one to check if a given ccache is a default ccache for a
  process ignoring KRB5CCNAME, which might prove useful in the kx509
  client.


Compare: https://github.com/heimdal/heimdal/compare/989422e0fcd8...afaaf3d89d86


From noreply at github.com Thu Oct 3 22:52:16 2019
From: noreply at github.com (Nico Williams)
Date: Thu, 03 Oct 2019 13:52:16 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] c6d079: Do not recover log in kadm5_get_principal()
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: c6d0793e63120dcac393e188bcdfc7590d8b5e75
      https://github.com/heimdal/heimdal/commit/c6d0793e63120dcac393e188bcdfc7590d8b5e75
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/kadm5/get_s.c
    M tests/kdc/check-iprop.in

  Log Message:
  -----------
  Do not recover log in kadm5_get_principal()


  Commit: 9de1728850bf14aba043b23c895f815a3ab0c64f
      https://github.com/heimdal/heimdal/commit/9de1728850bf14aba043b23c895f815a3ab0c64f
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/kadm5/ipropd_slave.c

  Log Message:
  -----------
  ipropd-slave: don't send I_HAVE in response to AYT

  ipropd-master sends AYT messages often as a result of a
  possibly-transient error, but if the slave responds to such an AYT with
  I_HAVE, then the same code path that failed will be executed on the
  master, and if the error wasn't transient then we'll loop hard.

  So don't send an I_HAVE in response to an AYT.


  Commit: 0334472ab5a093bb3f17d39ebb7fad004af81035
      https://github.com/heimdal/heimdal/commit/0334472ab5a093bb3f17d39ebb7fad004af81035
  Author: Nicolas Williams
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/kadm5/ipropd_master.c

  Log Message:
  -----------
  ipropd-master: use async I/O

  If a slave is slow to consume what the master sends it, the master can
  block and all iprop operations with it. With minimal effort we make the
  master async oriented.


  Commit: 96fd393d2934af2a6cdcbf6bf32b4377a3d55863
      https://github.com/heimdal/heimdal/commit/96fd393d2934af2a6cdcbf6bf32b4377a3d55863
  Author: Viktor Dukhovni
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M configure.ac
    M include/config.h.w32
    M lib/kadm5/ipropd_master.c
    M lib/kadm5/ipropd_slave.c
    M lib/kadm5/kadm5_locl.h

  Log Message:
  -----------
  Disable Nagle in iprop master and slave


  Commit: d0211ef4754e6bb1295a16b06b246f1de5ca6be6
      https://github.com/heimdal/heimdal/commit/d0211ef4754e6bb1295a16b06b246f1de5ca6be6
  Author: Viktor Dukhovni
  Date:   2019-10-03 (Thu, 03 Oct 2019)

  Changed paths:
    M lib/kadm5/ipropd_master.c
    M lib/kadm5/libkadm5srv-exports.def
    M lib/kadm5/log.c
    M lib/kadm5/version-script.map

  Log Message:
  -----------
  Refactor send_diffs making it progressive

  When a slave is many diffs behind, send these in batches of up to 50,
  then handle other slaves.

  This also implements a fast-path that makes incremental diffs faster
  when the log has not rolled over.

  Related code cleanup.


Compare: https://github.com/heimdal/heimdal/compare/afaaf3d89d86...d0211ef4754e


From noreply at github.com Tue Oct 8 02:18:10 2019
From: noreply at github.com (Viktor Dukhovni)
Date: Mon, 07 Oct 2019 17:18:10 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 6f2b52: Expose new Heimdal 8 KRB5_PLUGIN_COMMON_SPI_VERSIO...
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 6f2b52bc97318d3177937c3d1b7fb1eb722007a1
      https://github.com/heimdal/heimdal/commit/6f2b52bc97318d3177937c3d1b7fb1eb722007a1
  Author: Viktor Dukhovni
  Date:   2019-10-07 (Mon, 07 Oct 2019)

  Changed paths:
    M lib/krb5/krb5.h

  Log Message:
  -----------
  Expose new Heimdal 8 KRB5_PLUGIN_COMMON_SPI_VERSION macro


From noreply at github.com Tue Oct 8 04:32:22 2019
From: noreply at github.com (Nico Williams)
Date: Mon, 07 Oct 2019 19:32:22 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 120619: asn1: use rfc2459.opt
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 120619dbd0061e932698a766f31fbca4ef9cb446
      https://github.com/heimdal/heimdal/commit/120619dbd0061e932698a766f31fbca4ef9cb446
  Author: Nicolas Williams
  Date:   2019-10-07 (Mon, 07 Oct 2019)

  Changed paths:
    M lib/asn1/Makefile.am
    M lib/asn1/NTMakefile
    M lib/asn1/libasn1-exports.def
    M lib/asn1/rfc2459.opt

  Log Message:
  -----------
  asn1: use rfc2459.opt


  Commit: 6471fcaa54d3ca335d4cd4d04ad4d26a1ef5281f
      https://github.com/heimdal/heimdal/commit/6471fcaa54d3ca335d4cd4d04ad4d26a1ef5281f
  Author: Nicolas Williams
  Date:   2019-10-07 (Mon, 07 Oct 2019)

  Changed paths:
    M lib/asn1/Makefile.am
    M lib/asn1/NTMakefile
    A lib/asn1/crmf.asn1
    A lib/asn1/crmf.opt
    A lib/asn1/ocsp.asn1
    A lib/asn1/ocsp.opt
    A lib/asn1/pkcs10.asn1
    A lib/asn1/pkcs10.opt
    M lib/hx509/Makefile.am
    M lib/hx509/NTMakefile
    R lib/hx509/crmf.asn1
    R lib/hx509/ocsp.asn1
    R lib/hx509/ocsp.opt
    R lib/hx509/pkcs10.asn1
    R lib/hx509/pkcs10.opt

  Log Message:
  -----------
  Move ASN.1 modules from lib/hx509 to lib/asn1

  This will help us generate a directory of OIDs from all the ASN.1
  modules in lib/asn1, which will then help us create an hx509 API for
  resolving OIDs to/from friendly names, which ultimately will help us
  make hxtool more user-friendly.


  Commit: 5465b2ddec3961aee4931705d60803d9a1c102b1
      https://github.com/heimdal/heimdal/commit/5465b2ddec3961aee4931705d60803d9a1c102b1
  Author: Nicolas Williams
  Date:   2019-10-07 (Mon, 07 Oct 2019)

  Changed paths:
    M lib/asn1/Makefile.am
    M lib/asn1/NTMakefile
    M lib/asn1/asn1_print.c
    M lib/asn1/crmf.asn1
    M lib/asn1/gen.c
    A lib/asn1/oid_resolution.c

  Log Message:
  -----------
  libasn1: Add OID symbol resolution

  This commit adds functions for finding OIDs by symbolic name, meaning by
  their symbolic names given in the ASN.1 modules that define them.

  TBD:

   - Resolve OIDs to names.
   - Support a file in /etc for additional OID resolution.
   - Add support for resolving OID arc names.


  Commit: 93e48f8fba12b3d7c2b99ab0e85cf374171a55f5
      https://github.com/heimdal/heimdal/commit/93e48f8fba12b3d7c2b99ab0e85cf374171a55f5
  Author: Nicolas Williams
  Date:   2019-10-07 (Mon, 07 Oct 2019)

  Changed paths:
    M lib/hx509/hxtool-commands.in
    M lib/hx509/hxtool.c

  Log Message:
  -----------
  hxtool: Add OID symbol resolution


  Commit: d657528e912af5ec971473491b0c70c2e6060ec2
      https://github.com/heimdal/heimdal/commit/d657528e912af5ec971473491b0c70c2e6060ec2
  Author: Nicolas Williams
  Date:   2019-10-07 (Mon, 07 Oct 2019)

  Changed paths:
    M lib/asn1/gen.c

  Log Message:
  -----------
  asn1: work around OpenSSL conflict


  Commit: 330ced5b9e39c256d8f654caa532abbe745aa2a2
      https://github.com/heimdal/heimdal/commit/330ced5b9e39c256d8f654caa532abbe745aa2a2
  Author: Nicolas Williams
  Date:   2019-10-07 (Mon, 07 Oct 2019)

  Changed paths:
    M lib/asn1/libasn1-exports.def

  Log Message:
  -----------
  asn1: add missing symbols on Windows


  Commit: cb2db14ed12160c761edaa80a5c4a0d67c3a570e
      https://github.com/heimdal/heimdal/commit/cb2db14ed12160c761edaa80a5c4a0d67c3a570e
  Author: Nicolas Williams
  Date:   2019-10-07 (Mon, 07 Oct 2019)

  Changed paths:
    M lib/asn1/canthandle.asn1
    M lib/asn1/gen_decode.c

  Log Message:
  -----------
  asn1: support DEFAULTed sequence fields

  Prior to this commit the Heimdal ASN.1 compiler supported DEFAULTing
  SEQUENCE fields on the encoder side, but not the decoder side, where
  ASN1_MISSING_FIELD would inevitably result when fields were defaulted.

  This patch adds the missing decode-side support for DEFAULT.


  Commit: 038ed5ec3137b6972ce8ad9afbf3612f573e4621
      https://github.com/heimdal/heimdal/commit/038ed5ec3137b6972ce8ad9afbf3612f573e4621
  Author: Nicolas Williams
  Date:   2019-10-07 (Mon, 07 Oct 2019)

  Changed paths:
    M lib/asn1/rfc2459.asn1
    M lib/hx509/name.c

  Log Message:
  -----------
  hx509: check Name RDN attribute size bounds


  Commit: 25dbe282917abc725bd9be9caf14aed2a3f5ba48
      https://github.com/heimdal/heimdal/commit/25dbe282917abc725bd9be9caf14aed2a3f5ba48
  Author: Nicolas Williams
  Date:   2019-10-07 (Mon, 07 Oct 2019)

  Changed paths:
    M lib/hx509/ca.c
    M lib/hx509/libhx509-exports.def
    M lib/hx509/name.c
    M lib/hx509/version-script.map

  Log Message:
  -----------
  hx509: SANs are critical if DN is empty


  Commit: 25c493137d7f692b0e3c3d2047bcd3eea6683dc6
      https://github.com/heimdal/heimdal/commit/25c493137d7f692b0e3c3d2047bcd3eea6683dc6
  Author: Nicolas Williams
  Date:   2019-10-07 (Mon, 07 Oct 2019)

  Changed paths:
    M lib/asn1/libasn1-exports.def
    M lib/asn1/rfc2459.opt

  Log Message:
  -----------
  asn1: use --sequence=Certificates


  Commit: fbacb5f5fe774b077d6a9d23e25f8292cb7a4166
      https://github.com/heimdal/heimdal/commit/fbacb5f5fe774b077d6a9d23e25f8292cb7a4166
  Author: Nicolas Williams
  Date:   2019-10-07 (Mon, 07 Oct 2019)

  Changed paths:
    M lib/hx509/cert.c

  Log Message:
  -----------
  hx509: set errno in hx509_cert_init_data()


  Commit: 89b076c5430c4af74ef4bf4ce62ff4238d773839
      https://github.com/heimdal/heimdal/commit/89b076c5430c4af74ef4bf4ce62ff4238d773839
  Author: Nicolas Williams
  Date:   2019-10-07 (Mon, 07 Oct 2019)

  Changed paths:
    M lib/hx509/keyset.c

  Log Message:
  -----------
  hx509: match docs for hx509_certs_init()


  Commit: 098f6480e463604507f5eabdacfd8bc751e61e53
      https://github.com/heimdal/heimdal/commit/098f6480e463604507f5eabdacfd8bc751e61e53
  Author: Nicolas Williams
  Date:   2019-10-07 (Mon, 07 Oct 2019)

  Changed paths:
    M lib/krb5/keytab.c

  Log Message:
  -----------
  krb5: Fix spurious error (debug) msg in keytab


Compare: https://github.com/heimdal/heimdal/compare/6f2b52bc9731...098f6480e463


From noreply at github.com Wed Oct 9 05:20:00 2019
From: noreply at github.com (Nico Williams)
Date: Tue, 08 Oct 2019 20:20:00 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] d31dd9: hx509: make file store writes atomic
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: d31dd9e00be371a2e763a51e7c7526f6da99ba76
      https://github.com/heimdal/heimdal/commit/d31dd9e00be371a2e763a51e7c7526f6da99ba76
  Author: Nicolas Williams
  Date:   2019-10-08 (Tue, 08 Oct 2019)

  Changed paths:
    M lib/hx509/ks_file.c

  Log Message:
  -----------
  hx509: make file store writes atomic

  Now we'll use mkostemp() and rename() into place to make
  hx509_certs_store() atomic for FILE/DER-FILE/PEM-FILE stores.

  This is not ideal, as it can leave temp files in place if a process
  crashes in between the mkostemp() and the rename into place.

  On Linux we'll eventually make use of O_TMPFILE and linkat(). The idea
  will be to first create an anonymous, zero-link file in the directory
  that will contain the file at the end, write the file, then linkat()
  the file into place as a .new file, then rename() the .new into place.
  That will limit the amount of junk that may be left behind to just one
  file. (If the linkat() fails, then unlink() the .new and try again. If
  the rename() fails that just means the caller raced with another and
  the operation is complete.)

  We should really make a lib/roken interface that does this.


  Commit: 78cb995e6e6d744f3b8f036f4e62e7ccc693454e
      https://github.com/heimdal/heimdal/commit/78cb995e6e6d744f3b8f036f4e62e7ccc693454e
  Author: Nicolas Williams
  Date:   2019-10-08 (Tue, 08 Oct 2019)

  Changed paths:
    M lib/krb5/version-script.map

  Log Message:
  -----------
  krb5: add missing export


  Commit: 6a7e7eace67cb3021bcd6dce3a2ff80e6dff76d1
      https://github.com/heimdal/heimdal/commit/6a7e7eace67cb3021bcd6dce3a2ff80e6dff76d1
  Author: Nicolas Williams
  Date:   2019-10-08 (Tue, 08 Oct 2019)

  Changed paths:
    A doc/standardisation/rfc6717.txt
    M kdc/default_config.c
    M kdc/kx509.c
    M kdc/process.c
    M kuser/Makefile.am
    M kuser/NTMakefile
    M kuser/heimtools-commands.in
    M kuser/klist.1
    M kuser/klist.c
    M lib/asn1/kx509.asn1
    M lib/krb5/Makefile.am
    M lib/krb5/NTMakefile
    M lib/krb5/cache.c
    M lib/krb5/krb5.conf.5
    M lib/krb5/krb5.h
    A lib/krb5/kx509.c
    A lib/krb5/kx509_err.et
    M lib/krb5/libkrb5-exports.def.in
    M lib/krb5/version-script.map
    M tests/gss/krb5.conf.in
    M tests/kdc/Makefile.am
    M tests/kdc/check-pkinit.in
    M tests/kdc/krb5-pkinit.conf.in

  Log Message:
  -----------
  Add kx509 client and revamp kx509 service

  This commit adds support for kx509 in libkrb5, and revamps the KDC's
  kx509 service (fixing bugs, adding features).

  Of note is that kx509 is attempted optimistically by the client, with
  the certificate and private key stored in the ccache, and optionally in
  an external PEM or DER file.

  NOTE: We do not optimistically use kx509 in krb5_cc_store_cred() if the
  ccache is a MEMORY ccache so we don't generate a key when accepting a
  GSS context with a delegated credential.

  kx509 protocol issues to be fixed in an upcoming commit:

   - no proof of possession (this is mostly not too bad, but we'll want
     to fix it by using CSRs)
   - no algorithm agility (only plain RSA is supported)
   - very limited (no way to request any options in regards to the
     requested cert)
   - error codes are not very useful

  Things we're adding in this commit:

   - libkrb5 kx509 client
   - automatic kx509 usage hooked in via krb5_cc_store_cred() of start TGT
   - per-realm templates on the KDC side
   - per-realm issuer certificates
   - send error messages on the KDC side (this is essential to avoid
     client-side timeouts on error)
   - authenticate as many error messages
   - add a protocol probe feature so we can avoid generating a keypair if
     the service is not enabled (once we add support for ECC algorithms
     we won't need this anymore; the issue is that RSA keygen is slow)
   - support for different types of client principals, not just username:
      - host-based service and domain-based service, each with its own
        template set per-{realm, service} or per-service (the idea is to
        support issuance of server certificates too, not just client/user
        certs)
   - more complete support for SAN types
   - tests (including that PKINIT->kx509->PKINIT works, which makes it
     possible to have "delegation" of PKIX credentials by just delegating
     Kerberos credentials)
   - document the protocol in lib/krb5/kx509.c

  Future work:

   - add option for longer-ticket-lifetime service certs
   - add support for ECDSA, and some day for ed25519 and ed448
   - reuse private key when running kinit (this will require rethinking
     how we trigger optimistic kx509 usage)
   - HDB lookup for:
      - optional revocation check (not strictly necessary)
      - adding to certificates those SANs listed in HDB
         - hostname aliases (dNSName SANs)
         - rfc822Name (email)
         - XMPP SANs
         - id-pkinit-san (a user could have aliases too)
   - support username wild-card A RRs, ala OSKT/krb5_admin i.e., if a
     host/f.q.d.n principal asks for a certificate for some service at
     some-label.f.q.d.n, then issue it (this is not needed at OSKT sites
     because OSKT already supports keying such service principals, which
     means kx509 will issue certificates for them, however, it would be
     nice to be able to have this independent of OSKT) (a better way to
     do this would be to integrate more of OSKT into Heimdal proper)
   - a kx509 command, or heimtools kx509 subcommand for explicitly
     attempting use of the kx509 protocol (as opposed to implicit, as is
     done in kinit via krb5_cc_store_cred() magic right now)

  Issues:

   - optimistically trying kx509 on start realm TGT store -> timeout
     issues!
      - newer KDCs will return errors because of this commit; older ones
        will not, which causes timeouts
      - need a separate timeout setting for kx509 for optimistic case
      - need a [realm] config item and DNS SRV RR lookup for whether a
        realm is expected to support kx509 service


Compare: https://github.com/heimdal/heimdal/compare/098f6480e463...6a7e7eace67c


From noreply at github.com Wed Oct 9 06:33:13 2019
From: noreply at github.com (Nico Williams)
Date: Tue, 08 Oct 2019 21:33:13 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 8af2d7: hx509: Add missing CSR extension request support
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: 8af2d79d35a2a8223c19ed99a49d184e92447927
      https://github.com/heimdal/heimdal/commit/8af2d79d35a2a8223c19ed99a49d184e92447927
  Author: Nicolas Williams
  Date:   2019-10-08 (Tue, 08 Oct 2019)

  Changed paths:
    M lib/asn1/pkcs10.asn1
    M lib/asn1/pkcs9.asn1
    M lib/asn1/rfc2459.asn1
    M lib/hx509/ca.c
    M lib/hx509/hxtool-commands.in
    M lib/hx509/hxtool.c
    M lib/hx509/libhx509-exports.def
    M lib/hx509/name.c
    M lib/hx509/req.c
    M lib/hx509/test_name.c
    M lib/hx509/test_req.in
    M lib/hx509/version-script.map
    M lib/roken/parse_units.c

  Log Message:
  -----------
  hx509: Add missing CSR extension request support

  This is necessary in order to add proper support for CSRs in kx509,
  where the KDC can examine all requested KUs/EKUs/SANs, check
  authorization, and issue a certificate with all those extensions if
  authorized.

  This is the convention used by OpenSSL, of encoding all the KU, EKUs,
  and SANs being requested as Extensions as they would appear in the
  TBSCertificate, then putting those in as a single Attribute in the
  CSR's Attributes list with attribute OID {id-pkcs-9, 14}.

   - expose all hx509_request_*() functions
   - finish support in hx509_request_parse*() for KU, EKU, and SAN CSR
     attributes
   - finish support in hx509_request_to_pkcs10() for encoding all
     requested KU, EKU, and SAN extensions as a CSR extReq (extension
     request)
   - add hx509_request_add_*() support for:
      - id-pkinit-san and ms-upn-pkinit-san
      - XMPP (Jabber) SAN
      - registeredID (useless but trivial)
   - add hxtool request-create options for all supported SANs
   - add hxtool request-create options for KeyUsage
   - add hxtool request-create options for ExtKeyUsage
   - add hxtool request-print support for all these things
   - fix bugs in existing id-pkinit-san handling

  Possible future improvements

   - add HX509_TRACE env var and support (it would be nice to be able to
     observe why some certificate is rejected, or not matched in a query)
   - add testing that CSR creating and printing round-trip for all KUs,
     EKUs, and SANs (probably in tests/kdc/check-pkinit.in)
   - add testing that OpenSSL can print a CSR made by hxtool and
     vice-versa
   - hxtool ca: add KU sanity checking (via hx509_ca_sign() and/or
     friends) (don't allow encrypt for signing-only algs) (don't allow
     encrypt for RSA at all, or for RSA with small e exponents)
   - hxtool request-print: warn about all unknown attributes and
     extensions
   - hxtool ca: MAYBE add support for adding requested extensions from the
     --req=CSR ("Maybe" because CA operators should really verify and
     authorize all requested attributes, and should acknowledge that they
     have, and the simplest way to do this is to make them add all the
     corresponding CLI arguments to the hxtool ca command, but too, that
     is error-prone, thus it's not clear yet which approach is best.
     Perhaps interactively prompt for yes/no for each attribute.)
   - add additional SAN types:
      - iPAddress (useless?)
      - dNSSrv (useful!)
      - directoryName (useless, but trivial)
      - uniformResourceIdentifier (useful)
   - it would be nice if the ASN.1 compiler could generate print
     functions..., and/or even better, to-JSON functions
   - it would be nice if we had a known-OID db, including the names of
     the types they refer to in certificate extensions, otherName SANs
     and CSR attributes, then we could generate a CSR and certificate
     printer for all known options even when they are not supported by
     the rest of Heimdal
      - and we could also get friendly names for OIDs, and we could
        resolve their arc names
   - longer term, we could also stand to add some ASN.1 information
     object system functionality, just enough to make
     lib/hx509/asn1_print awesome by being able to automatically decode
     all heim_any and OCTET STRING content (better than its current
     --inner option)


  Commit: 6f9eb81243fea2aca71ce9464e5c3c7ae280f53f
      https://github.com/heimdal/heimdal/commit/6f9eb81243fea2aca71ce9464e5c3c7ae280f53f
  Author: Nicolas Williams
  Date:   2019-10-08 (Tue, 08 Oct 2019)

  Changed paths:
    M lib/krb5/auth_context.c
    M lib/krb5/build_auth.c

  Log Message:
  -----------
  krb5: copy AD from auth_context to Authenticator

  If the caller provides authz data in the auth context, then we should
  copy it to the Authenticator when making an AP-REQ!


Compare: https://github.com/heimdal/heimdal/compare/6a7e7eace67c...6f9eb81243fe


From noreply at github.com Thu Oct 10 04:14:30 2019
From: noreply at github.com (Nico Williams)
Date: Wed, 09 Oct 2019 19:14:30 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] c838ab: ipc: fix warning
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: c838abdf1a0d0b79aa16d760fa981b7370ce83fe
      https://github.com/heimdal/heimdal/commit/c838abdf1a0d0b79aa16d760fa981b7370ce83fe
  Author: Nicolas Williams
  Date:   2019-10-09 (Wed, 09 Oct 2019)

  Changed paths:
    M lib/ipc/tc.c

  Log Message:
  -----------
  ipc: fix warning


  Commit: dfada0ccad773f2a9bde854051bd5d9521465bcb
      https://github.com/heimdal/heimdal/commit/dfada0ccad773f2a9bde854051bd5d9521465bcb
  Author: Nicolas Williams
  Date:   2019-10-09 (Wed, 09 Oct 2019)

  Changed paths:
    M kdc/kx509.c
    M kuser/Makefile.am
    M kuser/NTMakefile
    M kuser/heimtools-commands.in
    M kuser/klist.1
    M kuser/klist.c
    A kuser/kx509.1
    A kuser/kx509.c
    M lib/asn1/krb5.asn1
    M lib/asn1/kx509.asn1
    M lib/krb5/krb5.h
    M lib/krb5/kx509.c
    M lib/krb5/libkrb5-exports.def.in
    M lib/krb5/version-script.map
    M tests/bin/setup-env.in
    M tests/kdc/check-pkinit.in

  Log Message:
  -----------
  kx509: Add CSR support

  This commit adds support for proof of possession to the kx509 protocol
  by using PKCS#10 CSRs. This allows conveyance of extReq CSR attributes
  requesting desired Certificate Extensions.


Compare: https://github.com/heimdal/heimdal/compare/6f9eb81243fe...dfada0ccad77


From noreply at github.com Fri Oct 18 20:47:35 2019
From: noreply at github.com (Roland C. Dowdeswell)
Date: Fri, 18 Oct 2019 11:47:35 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] aa5c52: Implement [kdc] derived_keys_maxdots
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal

  Commit: aa5c525e71bb0b799ce49b9b024f0d45c57f1ab0
      https://github.com/heimdal/heimdal/commit/aa5c525e71bb0b799ce49b9b024f0d45c57f1ab0
  Author: Roland C.
Dowdeswell Date: 2019-10-18 (Fri, 18 Oct 2019) Changed paths: M kdc/default_config.c M kdc/kdc.h M kdc/misc.c Log Message: ----------- Implement [kdc] derived_keys_maxdots From noreply at github.com Mon Oct 21 14:43:02 2019 From: noreply at github.com (Roland C. Dowdeswell) Date: Mon, 21 Oct 2019 05:43:02 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] c7d468: Define log levels in docs and change default to 0-3. Message-ID: Branch: refs/heads/master Home: https://github.com/heimdal/heimdal Commit: c7d4682aed220399072a60dd48616064e24a56a6 https://github.com/heimdal/heimdal/commit/c7d4682aed220399072a60dd48616064e24a56a6 Author: Roland C. Dowdeswell Date: 2019-10-21 (Mon, 21 Oct 2019) Changed paths: M kdc/connect.c M kdc/digest-service.c M kdc/digest.c M kdc/fast.c M kdc/kerberos5.c M kdc/krb5tgs.c M kdc/kx509.c M kdc/misc.c M kdc/set_dbinfo.c M lib/krb5/krb5_openlog.3 M lib/krb5/log.c Log Message: ----------- Define log levels in docs and change default to 0-3. We define the meaning of the various log levels in the man page for krb5_openlog(3). If logging configured and levels are not specified, we change the default levels to 0-3 which should exclude debugging messages which are generally only desired in exceptional circumstances. We also go through the KDC and adjust the levels to be appropriate. 
From noreply at github.com Tue Oct 29 15:19:03 2019 From: noreply at github.com (=?UTF-8?B?VsOhY2xhdiBDaGx1bXNrw70=?=) Date: Tue, 29 Oct 2019 07:19:03 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] 1522ec: _gsskrb5_acquire_cred_from leaks context Message-ID: Branch: refs/heads/master Home: https://github.com/heimdal/heimdal Commit: 1522ec5171af0b10fa135c18357325018f1e2154 https://github.com/heimdal/heimdal/commit/1522ec5171af0b10fa135c18357325018f1e2154 Author: Václav Chlumský Date: 2019-10-29 (Tue, 29 Oct 2019) Changed paths: M lib/gssapi/krb5/acquire_cred.c Log Message: ----------- _gsskrb5_acquire_cred_from leaks context From noreply at github.com Tue Oct 29 22:25:29 2019 From: noreply at github.com (Jeffrey Altman) Date: Tue, 29 Oct 2019 14:25:29 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] cd10e3: lib/ipc: client double close of socket file descri... Message-ID: Branch: refs/heads/heimdal-7-1-branch Home: https://github.com/heimdal/heimdal Commit: cd10e32900a043f0854b2c8c00620697a5b1dec3 https://github.com/heimdal/heimdal/commit/cd10e32900a043f0854b2c8c00620697a5b1dec3 Author: Jeffrey Altman Date: 2019-10-29 (Tue, 29 Oct 2019) Changed paths: M lib/ipc/client.c Log Message: ----------- lib/ipc: client double close of socket file descriptor #431 When connect() fails in connect_unix() the path_ctx.fd is not set to -1 after close(). When common_release() is executed due to the error return from connect_unix() it calls close() a second time. There is no need to call close() from connect_unix(). Remove the duplicate request. This issue was reported by YASUOKA Masahiko. Change-Id: I825e274cc7f12e50a8779a2b62ddb756817cdb52 From noreply at github.com Wed Oct 30 19:18:43 2019 From: noreply at github.com (Roland C. 
Dowdeswell) Date: Wed, 30 Oct 2019 11:18:43 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] a86e10: Ignore tags files and *_asn1_oid.x Message-ID: Branch: refs/heads/master Home: https://github.com/heimdal/heimdal Commit: a86e1076a0ffc5d7413a6a18194092e81293457f https://github.com/heimdal/heimdal/commit/a86e1076a0ffc5d7413a6a18194092e81293457f Author: Roland C. Dowdeswell Date: 2019-10-30 (Wed, 30 Oct 2019) Changed paths: M .gitignore Log Message: ----------- Ignore tags files and *_asn1_oid.x From noreply at github.com Wed Oct 30 22:21:00 2019 From: noreply at github.com (Nico Williams) Date: Wed, 30 Oct 2019 14:21:00 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] 2e0366: Teach make-proto.pl about #define \-continuation. Message-ID: Branch: refs/heads/master Home: https://github.com/heimdal/heimdal Commit: 2e0366b7a0c2fb95129e52f6b329cbb2c7fe4b79 https://github.com/heimdal/heimdal/commit/2e0366b7a0c2fb95129e52f6b329cbb2c7fe4b79 Author: Roland C. Dowdeswell Date: 2019-10-30 (Wed, 30 Oct 2019) Changed paths: M cf/make-proto.pl Log Message: ----------- Teach make-proto.pl about #define \-continuation. Commit: d81118cc1f924df3c68f528d37cff0faa10565c7 https://github.com/heimdal/heimdal/commit/d81118cc1f924df3c68f528d37cff0faa10565c7 Author: Roland C. Dowdeswell Date: 2019-10-30 (Wed, 30 Oct 2019) Changed paths: M lib/krb5/Makefile.am M lib/krb5/NTMakefile M lib/krb5/libkrb5-exports.def.in A lib/krb5/mk_cred.c M lib/krb5/version-script.map Log Message: ----------- Implement krb5_mk_{1,n}cred Commit: 5bbe7c8dc65d42f5efd872a02937f676f3a127d8 https://github.com/heimdal/heimdal/commit/5bbe7c8dc65d42f5efd872a02937f676f3a127d8 Author: Viktor Dukhovni Date: 2019-10-30 (Wed, 30 Oct 2019) Changed paths: M kuser/kinit.1 M kuser/kinit.c M lib/gssapi/krb5/init_sec_context.c M lib/krb5/addr_families.c M lib/krb5/get_for_creds.c M lib/krb5/krb5.conf.5 Log Message: ----------- Implement forwarding of leaf TGTs to selected realms. 
Refactor and enhance TGT forwarding to allow forwarding of leaf (destination) TGTs for selected destination realms. Enhance kinit(1) to renew non-origin realm tickets Document delegate-destination-tgt Use the newly implemented _krb5_mk_1cred(). Compare: https://github.com/heimdal/heimdal/compare/a86e1076a0ff...5bbe7c8dc65d From noreply at github.com Wed Oct 30 22:31:53 2019 From: noreply at github.com (Roland C. Dowdeswell) Date: Wed, 30 Oct 2019 14:31:53 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] ba6503: Lightly document derived key namespaces Message-ID: Branch: refs/heads/master Home: https://github.com/heimdal/heimdal Commit: ba6503958624aaf6ef639dc478909c51a6fb5ee2 https://github.com/heimdal/heimdal/commit/ba6503958624aaf6ef639dc478909c51a6fb5ee2 Author: Roland C. Dowdeswell Date: 2019-10-30 (Wed, 30 Oct 2019) Changed paths: M lib/krb5/krb5.conf.5 Log Message: ----------- Lightly document derived key namespaces From noreply at github.com Thu Oct 31 03:18:26 2019 From: noreply at github.com (Nico Williams) Date: Wed, 30 Oct 2019 19:18:26 -0700 Subject: [Heimdal-source-changes] [heimdal/heimdal] f717c7: gss: Fix double-free in acquire_from Message-ID: Branch: refs/heads/master Home: https://github.com/heimdal/heimdal Commit: f717c7344bf7ea67779252991c6a6c050e16591c https://github.com/heimdal/heimdal/commit/f717c7344bf7ea67779252991c6a6c050e16591c Author: Nicolas Williams Date: 2019-10-30 (Wed, 30 Oct 2019) Changed paths: M lib/gssapi/krb5/acquire_cred.c Log Message: ----------- gss: Fix double-free in acquire_from