Permalink
Switch branches/tags
Nothing to show
Commits on Dec 14, 2011
  1. ticket: 7049

    tlyu committed Dec 14, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25536 from trunk
    
     ------------------------------------------------------------------------
     r25536 | ghudson | 2011-12-09 12:57:52 -0500 (Fri, 09 Dec 2011) | 8 lines
    
     ticket: 7049
     subject: Fix subkey memory leak in krb5_get_credentials
     target_version: 1.10
     tags: pullup
    
     If a get_credentials operation requires multiple TGS requests, we need
     to free the subkey from previous requests before saving a new one.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25586 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 7050

    tlyu committed Dec 14, 2011
    version_fixed: 1.10
    status: resolved
    
    Squash commits for KfW updates.
    
    windows ccapiserver: replace Sleep with event wait
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    fix warning in test_cc_credentials_iterator_next.c
    
    include test_ccapi_iterators.h for check_cc_credentials_iterator_next
    
    Make ccapiserver exit if its receiveloop thread terminates for any reason.
    
    This happens, for example, when the rpc endpoint is already registered
    by another ccapiserver process.  There's no reason to leave a zombie
    process running that can't receive messages.
    
    windows ccapi: launch server without console by default.
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    windows ccapi: use a random challenge to authenticate ccapiserver.
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    LeashView.cpp: only specify TVIF_TEXT if there is actually text.
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw installer: add runtime.wxi WIXINCLUDES in Makefile to fix dependencies.
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    Windows leash64 fixes: use proper names for leash and krb5 dlls
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    Windows leash fixes: 'make install' installs leash exes.
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw installer: use MSVC 2010 merge modules
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw installer: install leash32.exe
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw: clean out unused #defines from Lglobals.h
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw: use correct message id to obtain tgt from leash
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw: update copyright notice in license.rtf
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw fixes: install xpprof32
    
    TODO: xpprof64!
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw installer: purge support for old compilers
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw installer: don't build installer into installer
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw fixes: make leash ignore credentials that store config principals.
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw fix: make Leash_kdestroy() actually destroy k5 tickets
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw fix: Add custom "Password incorrect" message to Leash_int_kinit_ex()
    
    Overrides obscure KRB5KRB_AP_ERR_BAD_INTEGRITY message.
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw fixes: define USE_MESSAGE_BOX in leashdll code for user feedback.
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw fixes: krb5_get_init_creds_opt_init->krb5_get_init_creds_opt_alloc
    
    Should enable leash to generate config credentials (needs verification!)
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw fix: int -> size_t to fix warning in krb5routines.c
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw fix: restructure low ticket warning popup code to workaround mfc bug
    
    mfc bug causes assertions when dialog is generated from
    within PreTranslateMessages() (MSG input param points to a global
    variable which is corrupted in the dialog message loop).  So we need
    to instead PostMessage() to cause the popup later.
    Also fixed logic to cause warning dialog to actually be modal as intended
    when the leash window is not minimized.
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw fixes: fix _snprintf usage; use full error code in leash_error_message
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw fixes: ccapiserver only quits after all clients detach.
    
    Not sure if this is really a good idea or not...
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw: generate manifests
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw installer: generate leash shortcuts (desktop and start menu)
    
    ...also install xpprof64
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw: fix 'K5_ORIGINAL_NAME' for 64 bit dlls.
    
    ...still need to actually to define _WIN64 for rc.exe though
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw installer: purge bufferoverflowu from custom.dll
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw: rename leash32/64.exe to simply leash.exe
    
    Also install leash.exe in 64 bit installer.
    
    Split cci_thread_init into per-process and per-thread portions
    
    Call the per-thread code on thread attach and per-process once per
    process.  Previously, while the function was named 'thread', it was
    only actually called once per process.  Currently, the per-thread
    code does nothing on non-windows platforms and is not even actually
    invoked.
    
    Fixes a windows bug when multiple non-main threads try to use ccapi
    at the same time.
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw leash: add -console option to create console for debug output
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw: use _WIN64 names where appropriate
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw leash: bracket krb.con code with #ifndef NO_KRB4
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw installer: install krb5.ini to CommonAppDataFolder, not WindowsFolder
    
    ...but only if there isn't already a krb5.ini in the WindowsFolder.
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw: "make install" also installs pdbs
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw installer: leash32.pdb->leash.pdb
    
    kfw installer: add site-local.wxi
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw: leash htmlhelp file source
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw: use html help in leash
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw: "make install" installs htmlhelp (leash.chm)
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw installer: install leash help file (leash.chm)
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw: remove line breaks from html to fix table of contents generation
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw leash help: fix/add aliases for command help
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    kfw leash: fix bad data in get tickets dialog when -autoinit specified
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25585 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Dec 7, 2011
  1. Make depend

    tlyu committed Dec 7, 2011
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25528 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Dec 6, 2011
  1. ticket: 7042

    tlyu committed Dec 6, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25525 from trunk
    
     ------------------------------------------------------------------------
     r25525 | tlyu | 2011-12-06 15:42:46 -0500 (Tue, 06 Dec 2011) | 8 lines
    
     ticket: 7042
     subject: SA-2011-007 KDC null pointer deref in TGS handling [CVE-2011-1530]
     target_version: 1.10
     tags: pullup
    
     Fix a null pointer dereference condition that could cause a denial of
     service.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25526 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 7033

    tlyu committed Dec 6, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25504 from trunk
    
     ------------------------------------------------------------------------
     r25504 | ghudson | 2011-12-04 17:38:36 -0500 (Sun, 04 Dec 2011) | 20 lines
    
     ticket: 7033
     target_version: 1.10
     tags: pullup
    
     Set a default enctype for optimistic preauth
    
     When the client application requests optimistic preauth for a preauth
     type which uses the password, we don't have an etype-info2 to
     interpret since we haven't talked to the KDC.  So we need to guess an
     enctype, salt, and s2k parameters.  In 1.9 and prior, encrypted
     timestamp contained code to use the first requested enctype in this
     case, but encrypted challenge did not.  In 1.10 prior to this change,
     neither mechanism uses a reasonable default.
    
     Set a default enctype in krb5_init_creds_init so that all
     password-based preauth mechanisms will use a reasonable default in the
     optimistic preauth case.  The default salt and s2k parameters for this
     case will be the principal-based default salt and the enctype-based
     default parameters.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25524 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Dec 5, 2011
  1. ticket: 7038

    tlyu committed Dec 5, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25500 from trunk
    
     ------------------------------------------------------------------------
     r25500 | hartmans | 2011-12-02 14:42:12 -0500 (Fri, 02 Dec 2011) | 7 lines
    
     ticket: 7038
     subject: Added support for loading of Krb5.ini from Windows APPDATA
     target_version: 1.10
     tags: pullup
    
     Signed-off-by: Alexey Melnikov <aamelnikov@gmail.com>
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25523 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 7037

    tlyu committed Dec 5, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25499 from trunk
    
     ------------------------------------------------------------------------
     r25499 | hartmans | 2011-12-02 14:20:54 -0500 (Fri, 02 Dec 2011) | 7 lines
    
     ticket: 7037
     subject:  Use LsaDeregisterLogonProcess(), not CloseHandle()
     target_version: 1.10
     tags: pullup
    
     Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25522 dc483132-0cff-0310-8789-dd5450dbe970
  3. ticket: 7036

    tlyu committed Dec 5, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25498 from trunk
    
     ------------------------------------------------------------------------
     r25498 | hartmans | 2011-12-02 13:52:22 -0500 (Fri, 02 Dec 2011) | 8 lines
    
     ticket: 7036
     subject: Fix free ofuninitialized memory in sname_to_princ
     tags: pullup
     Target_Version: 1.10
    
     Fix free of uninitialized memory in error case introduced in 1.10
     development cycle.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25521 dc483132-0cff-0310-8789-dd5450dbe970
  4. ticket: 7035

    tlyu committed Dec 5, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25497 from trunk
    
     ------------------------------------------------------------------------
     r25497 | hartmans | 2011-12-02 13:52:19 -0500 (Fri, 02 Dec 2011) | 7 lines
    
     ticket: 7035
     subject:  krb5_lcc_store() now ignores config credentials
     target_version: 1.10
     tags: pullup
    
     Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25520 dc483132-0cff-0310-8789-dd5450dbe970
  5. ticket: 7034

    tlyu committed Dec 5, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25496 from trunk
    
     ------------------------------------------------------------------------
     r25496 | hartmans | 2011-12-02 13:52:12 -0500 (Fri, 02 Dec 2011) | 11 lines
    
     ticket: 7034
     subject: mk_cred: memory management
     target_version: 1.10
     tags: pullup
    
     Fix for mk_cred.c: calloc() not malloc()
    
     Avoid calling free() in cleanup on uninitialized sub-ptrs if error occurs.
    
     Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25519 dc483132-0cff-0310-8789-dd5450dbe970
  6. ticket: 7030

    tlyu committed Dec 5, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25494 from trunk
    
     ------------------------------------------------------------------------
     r25494 | hartmans | 2011-11-29 18:11:13 -0500 (Tue, 29 Nov 2011) | 7 lines
    
     ticket: 7030
     subject: Ldap dependency for parallel builds
     tags: pullup
     target_version: 1.10
    
     The ldap plugin needs to declare a dependency on the ldap library
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25518 dc483132-0cff-0310-8789-dd5450dbe970
  7. ticket: 7029

    tlyu committed Dec 5, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25493 from trunk
    
     ------------------------------------------------------------------------
     r25493 | ghudson | 2011-11-29 17:49:56 -0500 (Tue, 29 Nov 2011) | 9 lines
    
     ticket: 7029
     subject: Fix --with-system-verto without pkg-config
     target_version: 1.10
     tags: pullup
    
     If we're using the system verto and pkg-config isn't found but
     libverto is, set VERTO_LIBS to just -lverto as there won't be a k5ev
     module.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25517 dc483132-0cff-0310-8789-dd5450dbe970
  8. ticket: 7027

    tlyu committed Dec 5, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25486 from trunk
    
     ------------------------------------------------------------------------
     r25486 | hartmans | 2011-11-22 20:00:27 -0500 (Tue, 22 Nov 2011) | 14 lines
    
         ticket: new
         subject: FAST PKINIT
         target_version: 1.10
         tags: pullup
    
         Per RFC 6113 fast should use the inner request body for the pkinit
         checksum. We did that on the KDC; now do so on the client.  Remove
         code that explicitly blocked pkinit under FAST.
    
         Also, use the reply key *before* the strengthen key is applied when
         verifying the PADATA_PKINIT_KX.
    
         Add FAST pkinit test.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25516 dc483132-0cff-0310-8789-dd5450dbe970
  9. ticket: 7023

    tlyu committed Dec 5, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25483 and r25484 from trunk
    
     ------------------------------------------------------------------------
     r25484 | ghudson | 2011-11-22 12:48:29 -0500 (Tue, 22 Nov 2011) | 7 lines
    
     ticket: 7023
    
     Fix compile error in previous change
    
     A last-minute code editing mistake crept into the previous commit; fix
     it.
    
     ------------------------------------------------------------------------
     r25483 | ghudson | 2011-11-21 16:14:39 -0500 (Mon, 21 Nov 2011) | 21 lines
    
     ticket: 7023
     subject: Clean up client-side preauth error data handling
     target_version: 1.10
     tags: pullup
    
     Change the clpreauth tryagain method to accept a list of pa-data,
     taken either from the FAST response or from decoding the e_data as
     either pa-data or typed-data.  Also change the in_padata argument to
     contain just the type of the request padata rather than the whole
     element, since modules generally shouldn't care about the contents of
     their request padata (or they can remember it).
    
     In krb5int_fast_process_error, no longer re-encode FAST pa-data as
     typed-data for the inner error e_data, but decode traditional error
     e_data for all error types, and try both pa-data and typed-data
     encoding.
    
     In PKINIT, try all elements of the new pa-data list, since it may
     contain FAST elements as well as the actual PKINIT array.  (Fixes an
     outstanding bug in FAST PKINIT.)
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25515 dc483132-0cff-0310-8789-dd5450dbe970
  10. ticket: 7021

    tlyu committed Dec 5, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25480 from trunk
    
     ------------------------------------------------------------------------
     r25480 | ghudson | 2011-11-20 00:19:45 -0500 (Sun, 20 Nov 2011) | 13 lines
    
     ticket: 7021
     subject: Fix failure interval of 0 in LDAP lockout code
     target_version: 1.10
     tags: pullup
    
     A failure count interval of 0 caused krb5_ldap_lockout_check_policy to
     pass the lockout check (but didn't cause a reset of the failure count
     in krb5_ldap_lockout_audit).  It should be treated as forever, as in
     the DB2 back end.
    
     This bug is the previously unknown cause of the assertion failure
     fixed in CVE-2011-1528.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25512 dc483132-0cff-0310-8789-dd5450dbe970
  11. ticket: 7020

    tlyu committed Dec 5, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25482 from trunk
    
     ------------------------------------------------------------------------
     r25482 | ghudson | 2011-11-21 12:30:41 -0500 (Mon, 21 Nov 2011) | 10 lines
    
     ticket: 7020
     target_version: 1.10
     tags: pullup
    
     Recognize IAKERB mech in krb5_gss_display_status
    
     Minor status codes were not displaying properly when originated from
     the IAKERB mech, because of a safety check on mech_type.  From Ralf
     Haferkamp <rhafer@suse.de>.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25511 dc483132-0cff-0310-8789-dd5450dbe970
  12. ticket: 7019

    tlyu committed Dec 5, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25475 and r25479 from trunk
    
     ------------------------------------------------------------------------
     r25479 | ghudson | 2011-11-19 17:06:15 -0500 (Sat, 19 Nov 2011) | 8 lines
    
     ticket: 7019
    
     Improve documentation in preauth_plugin.h
    
     Also declare the verto_context structure to ensure that it is has the
     proper scope when used as the return type of the event_context
     callback.
    
     ------------------------------------------------------------------------
     r25475 | ghudson | 2011-11-14 21:42:58 -0500 (Mon, 14 Nov 2011) | 9 lines
    
     ticket: 7019
     subject: Make verto context available to kdcpreauth modules
     target_version: 1.10
     tags: pullup
    
     Add an event_context callback to kdcpreauth.  Adjust the internal KDC
     and main loop interfaces to pass around the event context, and expose
     it to kdcpreauth modules via the rock.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25510 dc483132-0cff-0310-8789-dd5450dbe970
  13. ticket: 7018

    tlyu committed Dec 5, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25474 from trunk
    
     ------------------------------------------------------------------------
     r25474 | ghudson | 2011-11-14 20:59:01 -0500 (Mon, 14 Nov 2011) | 10 lines
    
     ticket: 7018
     subject: Update verto to 0.2.2 release
     target_version: 1.10
     tags: pullup
    
     Update verto sources to 0.2.2 release versions.  verto_reinitialize()
     now has a return value; check it in kdc/main.c.  Store verto-libev.c
     alongside verto-k5ev.c to make it easy to diff corresponding versions
     when updating.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25509 dc483132-0cff-0310-8789-dd5450dbe970
  14. ticket: 7017

    tlyu committed Dec 5, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25473 from trunk
    
     ------------------------------------------------------------------------
     r25473 | ghudson | 2011-11-14 16:45:33 -0500 (Mon, 14 Nov 2011) | 16 lines
    
     ticket: 7017
     subject: Simplify and fix kdcpreauth request_body callback
     target_version: 1.10
     tags: pullup
    
     Alter the contract for the kdcpreauth request_body callback so that it
     returns an alias to the encoded body instead of a fresh copy.  At the
     beginning of AS request processing, save a copy of the encoded request
     body, or the encoded inner request body for FAST requests.  Previously
     the request_body callback would re-encode the request structure, which
     in some cases has been modified by the AS request code.
    
     No kdcpreauth modules currently use the request_body callback, but
     PKINIT will need to start using it in order to handle FAST requests
     correctly.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25508 dc483132-0cff-0310-8789-dd5450dbe970
  15. ticket: 7039

    tlyu committed Dec 5, 2011
    subject: Handle TGS referrals to the same realm
    version_fixed: 1.10
    status: resolved
    
    pull up r25472 from trunk
    
     ------------------------------------------------------------------------
     r25472 | ghudson | 2011-11-14 13:02:52 -0500 (Mon, 14 Nov 2011) | 12 lines
    
     ticket: 7016
     subject: Handle TGS referrals to the same realm
     target_version: 1.9.3
     tags: pullup
    
     krb5 1.6 through 1.8 contained a workaround for the Active Directory
     behavior of returning a TGS referral to the same realm as the request.
     1.9 responds to this behavior by caching the returned TGT, trying
     again, and detecting a referral loop.  This is a partial regression of
     ticket #4955.  Detect this case and fall back to a non-referreal
     request.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25507 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Dec 2, 2011
  1. ticket: 7015

    tlyu committed Dec 2, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25470 from trunk
    
     ------------------------------------------------------------------------
     r25470 | ghudson | 2011-11-12 17:03:54 -0500 (Sat, 12 Nov 2011) | 9 lines
    
     ticket: 7015
     subject: Add plugin interface_names entry for ccselect
     target_version: 1.10
     tags: pullup
    
     When the ccselect pluggable interface was added, the interface_names
     table wasn't updated, so configuring modules for it wouldn't work.
     Add it now.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25503 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 7014

    tlyu committed Dec 2, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25468 from trunk
    
     ------------------------------------------------------------------------
     r25468 | ghudson | 2011-11-10 23:04:58 -0500 (Thu, 10 Nov 2011) | 12 lines
    
     ticket: 7014
     subject: Fix com_err.h dependencies in gss-kernel-lib
     target_version: 1.10
     tags: pullup
    
     make check was failing in util/gss-kernel-lib due to dependencies
     when the build is configured with --with-system-et, because depfix.pl
     wasn't smart enough to substitute the dependency on com_err.h in the
     current directory.  Make depfix.pl smarter, and adjust COM_ERR_DEPS
     to be com_err.h in gss-kernel-lib when building with the bundled
     com_err.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25502 dc483132-0cff-0310-8789-dd5450dbe970
  3. ticket: 6430

    tlyu committed Dec 2, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25469 from trunk
    
     ------------------------------------------------------------------------
     r25469 | ghudson | 2011-11-11 12:01:12 -0500 (Fri, 11 Nov 2011) | 14 lines
    
     ticket: 6430
     subject: Avoid looping when preauth can't be generated
     target_version: 1.10
     tags: pullup
    
     If we receive a PREAUTH_REQUIRED error and fail to generate any real
     preauthentication, error out immediately instead of continuing to
     generate non-preauthenticated requests until we hit the loop count.
    
     There is a lot of room to generate a more meaningful error about why
     we failed to generate preauth (although in many cases the answer may
     be too complicated to explain in an error message), but that requires
     more radical restructuring of the preauth framework.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25501 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Nov 7, 2011
  1. ticket: 6996

    tlyu committed Nov 7, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25424 from trunk
    
     ------------------------------------------------------------------------
     r25424 | ghudson | 2011-10-31 12:43:40 -0400 (Mon, 31 Oct 2011) | 9 lines
    
     ticket: 6996
     subject: Make krb5_check_clockskew public
     target_version: 1.10
     tags: pullup
    
     Rename krb5int_check_clockskew to krb5_check_clockskew and make it
     public, in order to give kdcpreauth plugins a way to check timestamps
     against the configured clock skew.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25456 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 7003

    tlyu committed Nov 7, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25444 from trunk
    
     ------------------------------------------------------------------------
     r25444 | ghudson | 2011-11-06 00:32:34 -0500 (Sun, 06 Nov 2011) | 10 lines
    
     ticket: 7003
     subject: Fix month/year units in getdate
     target_version: 1.10
     tags: pullup
    
     getdate strings like "1 month" or "next year" would fail some of the
     time, depending on the value of stack garbage, because DSTcorrect()
     doesn't set *error on success and RelativeMonth() doesn't initialize
     error.  Make DSTcorrect() responsible for setting *error in all cases.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25455 dc483132-0cff-0310-8789-dd5450dbe970
  3. ticket: 7002

    tlyu committed Nov 7, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25443 from trunk
    
     ------------------------------------------------------------------------
     r25443 | ghudson | 2011-11-05 15:55:34 -0400 (Sat, 05 Nov 2011) | 11 lines
    
     ticket: 7002
     target_version: 1.10
     tags: pullup
    
     Improve verto and libev documentation
    
     NOTICE was missing the copyright statement for verto (it's not quite
     the same as other Red Hat licenses).  util/verto had no README file,
     and neither the verto nor k5ev README contained pointers to the
     upstream project pages.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25454 dc483132-0cff-0310-8789-dd5450dbe970
  4. ticket: 7000

    tlyu committed Nov 7, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25433 from trunk
    
     ------------------------------------------------------------------------
     r25433 | ghudson | 2011-11-04 01:53:23 -0400 (Fri, 04 Nov 2011) | 9 lines
    
     ticket: 7000
     subject: Exit on error in kadmind kprop child
     target_version: 1.10
     tags: pullup
    
     When we fork from kadmind to dump the database and kprop to an iprop
     slave, if we encounter an error in the child process we should exit
     rather than returning to the main loop.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25453 dc483132-0cff-0310-8789-dd5450dbe970
  5. ticket: 6999

    tlyu committed Nov 7, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25445 from trunk
    
     ------------------------------------------------------------------------
     r25445 | ghudson | 2011-11-06 19:47:20 -0500 (Sun, 06 Nov 2011) | 8 lines
    
     ticket: 6999
     target_version: 1.10
     tags: pullup
    
     Fix warnings and version check for NSS pkinit
    
     From nalin@redhat.com.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25452 dc483132-0cff-0310-8789-dd5450dbe970
  6. ticket: 6997

    tlyu committed Nov 7, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25425 from trunk
    
     ------------------------------------------------------------------------
     r25425 | ghudson | 2011-10-31 23:49:16 -0400 (Mon, 31 Oct 2011) | 10 lines
    
     ticket: 6997
     target_version: 1.10
     tags: pullup
    
     Conditionalize po subdir on msgfmt, not dgetext
    
     The presence of dgettext in libc or libintl doesn't imply that msgfmt
     is installed, so conditionalize building the po subdir on whether
     msgfmt is installed.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25451 dc483132-0cff-0310-8789-dd5450dbe970
  7. ticket: 6995

    tlyu committed Nov 7, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25419 from trunk
    
     ------------------------------------------------------------------------
     r25419 | ghudson | 2011-10-28 11:53:50 -0400 (Fri, 28 Oct 2011) | 11 lines
    
     ticket: 6995
     subject: Initialize typed_e_data in as_req_state
     target_version: 1.10
     tags: pullup
    
     The typed_e_data field in struct as_req_state was not properly
     initialized, causing the KDC to sometimes respond with typed-data
     e_data for a preauth-required error when the client sends no padata.
     This bug was masked with recent clients, which send a
     KRB5_ENCPADATA_REQ_ENC_PA_REP padata.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25450 dc483132-0cff-0310-8789-dd5450dbe970
  8. ticket: 6994

    tlyu committed Nov 7, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25418 from trunk
    
     ------------------------------------------------------------------------
     r25418 | ghudson | 2011-10-28 11:45:03 -0400 (Fri, 28 Oct 2011) | 9 lines
    
     ticket: 6994
     subject: Fix intermediate key length in hmac-md5 checksum
     target_version: 1.10
     tags: pullup
    
     When using hmac-md5, the intermediate key length is the output of the
     hash function (128 bits), not the input key length.  Relevant if the
     input key is not an RC4 key.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25449 dc483132-0cff-0310-8789-dd5450dbe970
  9. ticket: 7006

    tlyu committed Nov 7, 2011
    subject: Fix format string for TRACE_INIT_CREDS_SERVICE
    version_fixed: 1.10
    status: resolved
    
    pull up r25417 from trunk
    
     ------------------------------------------------------------------------
     r25417 | ghudson | 2011-10-26 18:34:21 -0400 (Wed, 26 Oct 2011) | 7 lines
    
     ticket: 6993
     subject: Fix format string for TRACE_INIT_CREDS_SERVICE
     tags: pullup
     target_version: 1.9.2
    
     This should also be pulled up to 1.10.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25448 dc483132-0cff-0310-8789-dd5450dbe970
  10. ticket: 6992

    tlyu committed Nov 7, 2011
    version_fixed: 1.10
    status: resolved
    
    pull up r25414 from trunk
    
     ------------------------------------------------------------------------
     r25414 | ghudson | 2011-10-25 14:30:14 -0400 (Tue, 25 Oct 2011) | 7 lines
    
     ticket: 6992
     subject: Make krb5_find_authdata public
     target_version: 1.10
     tags: pullup
    
     Rename krb5int_find_authdata to krb5_find_authdata and make it public.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25447 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Nov 5, 2011
  1. Update acknowledgments

    tlyu committed Nov 5, 2011
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25442 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Oct 21, 2011
  1. krb5-1.10-alpha1-postrelease

    tlyu committed Oct 21, 2011
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25402 dc483132-0cff-0310-8789-dd5450dbe970