Permalink
Switch branches/tags
Nothing to show
Commits on Dec 14, 2011
  1. Fix minor release number typo

    tlyu
    tlyu committed Dec 14, 2011
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25588 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 7052

    tlyu
    tlyu committed Dec 14, 2011
    version_fixed: 1.9.3
    status: resolved
    
    pull up r25536 from trunk
    
     ------------------------------------------------------------------------
     r25536 | ghudson | 2011-12-09 12:57:52 -0500 (Fri, 09 Dec 2011) | 8 lines
    
     ticket: 7049
     subject: Fix subkey memory leak in krb5_get_credentials
     target_version: 1.10
     tags: pullup
    
     If a get_credentials operation requires multiple TGS requests, we need
     to free the subkey from previous requests before saving a new one.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25587 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Dec 6, 2011
  1. ticket: 7043

    tlyu
    tlyu committed Dec 6, 2011
    subject: SA-2011-007 KDC null pointer deref in TGS handling [CVE-2011-1530]
    version_fixed: 1.9.3
    
    pull up r25525 from trunk
    
     ------------------------------------------------------------------------
     r25525 | tlyu | 2011-12-06 15:42:46 -0500 (Tue, 06 Dec 2011) | 8 lines
    
     ticket: 7042
     subject: SA-2011-007 KDC null pointer deref in TGS handling [CVE-2011-1530]
     target_version: 1.10
     tags: pullup
    
     Fix a null pointer dereference condition that could cause a denial of
     service.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25527 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Dec 5, 2011
  1. ticket: 7040

    tlyu
    tlyu committed Dec 5, 2011
    version_fixed: 1.9.3
    status: resolved
    
    pull up r25480 from trunk, minus a non-applying manpage patch
    
     ------------------------------------------------------------------------
     r25480 | ghudson | 2011-11-20 00:19:45 -0500 (Sun, 20 Nov 2011) | 13 lines
    
     ticket: 7021
     subject: Fix failure interval of 0 in LDAP lockout code
     target_version: 1.10
     tags: pullup
    
     A failure count interval of 0 caused krb5_ldap_lockout_check_policy to
     pass the lockout check (but didn't cause a reset of the failure count
     in krb5_ldap_lockout_audit).  It should be treated as forever, as in
     the DB2 back end.
    
     This bug is the previously unknown cause of the assertion failure
     fixed in CVE-2011-1528.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25513 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 7016

    tlyu
    tlyu committed Dec 5, 2011
    version_fixed: 1.9.3
    status: resolved
    
    pull up r25472 from trunk
    
     ------------------------------------------------------------------------
     r25472 | ghudson | 2011-11-14 13:02:52 -0500 (Mon, 14 Nov 2011) | 12 lines
    
     ticket: 7016
     subject: Handle TGS referrals to the same realm
     target_version: 1.9.3
     tags: pullup
    
     krb5 1.6 through 1.8 contained a workaround for the Active Directory
     behavior of returning a TGS referral to the same realm as the request.
     1.9 responds to this behavior by caching the returned TGT, trying
     again, and detecting a referral loop.  This is a partial regression of
     ticket #4955.  Detect this case and fall back to a non-referreal
     request.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25506 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Nov 8, 2011
  1. ticket: 7009

    tlyu
    tlyu committed Nov 8, 2011
    subject: Fix month/year units in getdate
    version_fixed: 1.9.3
    status: resolved
    
    pull up r25444 from trunk
    
     ------------------------------------------------------------------------
     r25444 | ghudson | 2011-11-06 00:32:34 -0500 (Sun, 06 Nov 2011) | 10 lines
    
     ticket: 7003
     subject: Fix month/year units in getdate
     target_version: 1.10
     tags: pullup
    
     getdate strings like "1 month" or "next year" would fail some of the
     time, depending on the value of stack garbage, because DSTcorrect()
     doesn't set *error on success and RelativeMonth() doesn't initialize
     error.  Make DSTcorrect() responsible for setting *error in all cases.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25461 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 7008

    tlyu
    tlyu committed Nov 8, 2011
    subject: Exit on error in kadmind kprop child
    version_fixed: 1.9.3
    status: resolved
    
    pull up r25433 from trunk
    
     ------------------------------------------------------------------------
     r25433 | ghudson | 2011-11-04 01:53:23 -0400 (Fri, 04 Nov 2011) | 9 lines
    
     ticket: 7000
     subject: Exit on error in kadmind kprop child
     target_version: 1.10
     tags: pullup
    
     When we fork from kadmind to dump the database and kprop to an iprop
     slave, if we encounter an error in the child process we should exit
     rather than returning to the main loop.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25460 dc483132-0cff-0310-8789-dd5450dbe970
  3. ticket: 7007

    tlyu
    tlyu committed Nov 8, 2011
    subject: Fix intermediate key length in hmac-md5 checksum
    version_fixed: 1.9.3
    status: resolved
    
    pull up r25418 from trunk
    
     ------------------------------------------------------------------------
     r25418 | ghudson | 2011-10-28 11:45:03 -0400 (Fri, 28 Oct 2011) | 9 lines
    
     ticket: 6994
     subject: Fix intermediate key length in hmac-md5 checksum
     target_version: 1.10
     tags: pullup
    
     When using hmac-md5, the intermediate key length is the output of the
     hash function (128 bits), not the input key length.  Relevant if the
     input key is not an RC4 key.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25459 dc483132-0cff-0310-8789-dd5450dbe970
  4. ticket: 6993

    tlyu
    tlyu committed Nov 8, 2011
    version_fixed: 1.9.3
    status: resolved
    
    pull up r25417 from trunk
    
     ------------------------------------------------------------------------
     r25417 | ghudson | 2011-10-26 18:34:21 -0400 (Wed, 26 Oct 2011) | 7 lines
    
     ticket: 6993
     subject: Fix format string for TRACE_INIT_CREDS_SERVICE
     tags: pullup
     target_version: 1.9.2
    
     This should also be pulled up to 1.10.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25458 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Nov 4, 2011
  1. krb5-1.9.2-postrelease

    tlyu
    tlyu committed Nov 4, 2011
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25441 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Nov 2, 2011
  1. README and patchlevel.h for krb5-1.9.2

    tlyu
    tlyu committed Nov 2, 2011
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25427 dc483132-0cff-0310-8789-dd5450dbe970
  2. make depend

    tlyu
    tlyu committed Nov 2, 2011
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25426 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Oct 25, 2011
  1. krb5-1.9.2-beta1-postrelease

    tlyu
    tlyu committed Oct 25, 2011
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25413 dc483132-0cff-0310-8789-dd5450dbe970
  2. README and patchlevel.h for krb5-1.9.2-beta1

    tlyu
    tlyu committed Oct 25, 2011
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25411 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Oct 21, 2011
  1. ticket: 6990

    tlyu
    tlyu committed Oct 21, 2011
    subject: fix tar invocation in mkrel
    version_fixed: 1.9.2
    status: resolved
    
    pull up r25395 from trunk
    
     ------------------------------------------------------------------------
     r25395 | tlyu | 2011-10-21 13:35:49 -0400 (Fri, 21 Oct 2011) | 10 lines
    
     ticket: 6989
     subject: fix tar invocation in mkrel
     target_version: 1.10
     tags: pullup
    
     Fix the tar invocation in mkrel so that it defaults to using "tar" as
     the tar program rather than "gtar".
    
     This should probably be pulled up to at least 1.9 and 1.8 as well.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25396 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Oct 20, 2011
  1. ticket: 6939

    tlyu
    tlyu committed Oct 20, 2011
    version_fixed: 1.9.2
    status: resolved
    
    pull up r25059 from trunk
    
     ------------------------------------------------------------------------
     r25059 | ghudson | 2011-07-26 17:57:20 -0400 (Tue, 26 Jul 2011) | 10 lines
    
     ticket: 6939
     subject: Legacy checksum APIs usually fail
     target_version: 1.9.2
     tags: pullup
    
     krb5_calculate_checksum() and krb5_verify_checksum(), both deprecated,
     construct invalid keyblocks and pass them to the real functions, which
     used to work but now doesn't.  Try harder to construct valid keyblocks
     or pass NULL if there's no key.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25390 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Oct 18, 2011
  1. ticket: 6972

    tlyu
    tlyu committed Oct 18, 2011
    version_fixed: 1.9.2
    status: resolved
    
    pull up r25323 from trunk
    
     ------------------------------------------------------------------------
     r25323 | ghudson | 2011-10-07 18:17:06 -0400 (Fri, 07 Oct 2011) | 8 lines
    
     ticket: 6972
     target_version: 1.9.2
     tags: pullup
    
     Fix a memory leak in make_gss_checksum.
    
     From greg.mcclement@sap.com.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25383 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 6970

    tlyu
    tlyu committed Oct 18, 2011
    version_fixed: 1.9.2
    status: resolved
    
    pull up r25309 from trunk
    
     ------------------------------------------------------------------------
     r25309 | hartmans | 2011-10-05 17:30:42 -0400 (Wed, 05 Oct 2011) | 11 lines
    
     ticket: 6970
     subject: gss_unwrap_iov crashes with stream buffers for 3des, des, rc4
     tags: pullup
    
     Use correct key to determine enctype for KG2 tokens in
     kg_unseal_stream_iov
    
     Tested with AES for a new enctype and 3DES for an old enctype.
    
     Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25382 dc483132-0cff-0310-8789-dd5450dbe970
  3. ticket: 6960

    tlyu
    tlyu committed Oct 18, 2011
    version_fixed: 1.9.2
    status: resolved
    
    pull up r24828 from trunk
    
     ------------------------------------------------------------------------
     r24828 | raeburn | 2011-04-03 17:54:32 -0400 (Sun, 03 Apr 2011) | 2 lines
    
     Include krb5_libinit.h always, since we call krb5int_initialize_library always.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25381 dc483132-0cff-0310-8789-dd5450dbe970
  4. ticket: 6952

    tlyu
    tlyu committed Oct 18, 2011
    version_fixed: 1.9.2
    status: resolved
    
    pull up r25121 from trunk
    
     ------------------------------------------------------------------------
     r25121 | ghudson | 2011-09-01 12:21:25 -0400 (Thu, 01 Sep 2011) | 9 lines
    
     ticket: 6952
     subject: Fix cross-realm traversal TGT requests
     target_version: 1.9.2
     tags: pullup
    
     When requesting a cross-realm TGT, use the KDC instance of the current
     TGT (the second data component), not the realm which the TGT came
     from.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25380 dc483132-0cff-0310-8789-dd5450dbe970
  5. ticket: 6949

    tlyu
    tlyu committed Oct 18, 2011
    version_fixed: 1.9.2
    status: resolved
    
    pull up r25115 from trunk
    
     ------------------------------------------------------------------------
     r25115 | ghudson | 2011-08-26 13:56:44 -0400 (Fri, 26 Aug 2011) | 9 lines
    
     ticket: 6949
    
     Remember and close the kadmin socket we opened.
    
     Prior to ticket #6746, the RPC library opened the kadmin socket and
     took responsibility for closing.  When we added IPv6 support, the
     calling code became the owner of the socket but wasn't closing it,
     resulting in a file descriptor leak.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25379 dc483132-0cff-0310-8789-dd5450dbe970
  6. ticket: 6943

    tlyu
    tlyu committed Oct 18, 2011
    version_fixed: 1.9.2
    status: resolved
    
    pull up r25096 from trunk
    
     ------------------------------------------------------------------------
     r25096 | ghudson | 2011-08-11 11:03:28 -0400 (Thu, 11 Aug 2011) | 7 lines
    
     ticket: 6943
     target_version: 1.9.2
     tags: pullup
    
     Correctly dereference cred_handle when assigning to spcred in
     spnego_gss_set_cred_option.  Reported by aberry@likewise.com.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25378 dc483132-0cff-0310-8789-dd5450dbe970
  7. ticket: 6941

    tlyu
    tlyu committed Oct 18, 2011
    version_fixed: 1.9.2
    status: resolved
    
    pull up r25076 from trunk
    
     ------------------------------------------------------------------------
     r25076 | ghudson | 2011-08-08 14:27:15 -0400 (Mon, 08 Aug 2011) | 14 lines
    
     ticket: 6941
     subject: Fix accidental KDC use of replay cache
     target_version: 1.9.2
     tags: pullup
    
     r24464 (ticket #6804) intended to remove the KDC replay cache by
     eliminating all of the USE_RCACHE code, but it had the unintended side
     effect of causing krb5_rd_req_decoded to use the default server
     rcache.  Using this cache is much less efficient because it is opened
     and re-read for each request.
    
     Set appropriate flags on the auth context to disable replay cache use
     for TGS requests altogether.
    
    ------------------------------------------------------------------------
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25374 dc483132-0cff-0310-8789-dd5450dbe970
  8. ticket: 6932

    tlyu
    tlyu committed Oct 18, 2011
    version_fixed: 1.9.2
    status: resolved
    
    pull up r25037 from trunk
    
     ------------------------------------------------------------------------
     r25037 | ghudson | 2011-07-22 12:56:36 -0400 (Fri, 22 Jul 2011) | 9 lines
    
     Fix gss_set_cred_option cred creation with no name.
    
     When creating a cred in the mechglue with gss_acquire_cred, the
     mechanism is allowed to return no name from gss_inquire_cred.  But in
     the analagous operation in gss_set_cred_option, that would result in
     an error from gss_display_name.  Make the call to gss_display_name
     conditional on the mechanism name being set.  Reported by Andrew
     Bartlett.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25373 dc483132-0cff-0310-8789-dd5450dbe970
  9. ticket: 6906

    tlyu
    tlyu committed Oct 18, 2011
    version_fixed: 1.9.2
    status: resolved
    
    pull up r24909 from trunk
    
     ------------------------------------------------------------------------
     r24909 | tlyu | 2011-05-02 16:57:23 -0400 (Mon, 02 May 2011) | 7 lines
    
     ticket: 6906
     subject: modernize doc/Makefile somewhat
     status: open
    
     Modernize doc/Makefile somewhat so that it can run more usefully on
     modern non-Athena machines.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25372 dc483132-0cff-0310-8789-dd5450dbe970
  10. ticket: 6982

    tlyu
    tlyu committed Oct 18, 2011
    subject: SA-2011-006 KDC denial of service [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529]
    version_fixed: 1.9.2
    status: resolved
    
    Fix null pointer dereference and assertion failure conditions that
    could cause a denial of service.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25369 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Jun 20, 2011
  1. ticket: 6920

    tlyu
    tlyu committed Jun 20, 2011
    version_fixed: 1.9.2
    status: resolved
    
    pull up r24967 from trunk
    
     ------------------------------------------------------------------------
     r24967 | ghudson | 2011-06-13 14:54:33 -0400 (Mon, 13 Jun 2011) | 12 lines
    
     ticket: 6920
     subject: Fix old-style GSSRPC authentication
     target_version: 1.9.2
     tags: pullup
    
     r24147 (ticket #6746) made libgssrpc ignorant of the remote address of
     the kadmin socket, even when it's IPv4.  This made old-style GSSAPI
     authentication fail because it uses the wrong channel bindings.  Fix
     this problem by making clnttcp_create() get the remote address from
     the socket using getpeername() if the caller doesn't provide it and
     it's an IPv4 address.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24971 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Jun 10, 2011
  1. ticket: 6907

    tlyu
    tlyu committed Jun 10, 2011
    version_fixed: 1.9.2
    status: resolved
    
    Fix an incorrect shift-and-mask length decoding operation reported by
    Russ Allbery.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24958 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Jun 9, 2011
  1. ticket: 6917

    tlyu
    tlyu committed Jun 9, 2011
    version_fixed: 1.9.2
    status: resolved
    
    pull up r24946 from trunk
    
     ------------------------------------------------------------------------
     r24946 | ghudson | 2011-06-02 21:00:52 -0400 (Thu, 02 Jun 2011) | 12 lines
    
     ticket: 6917
     subject: Restore fallback non-referral TGS request to same realm
     target_version: 1.9.2
     tags: pullup
    
     MIT krb5 1.2 and earlier KDCs reject TGS requests if the canonicalize
     bit is set.  Prior to 1.9, we used to handle this by making a
     non-referral fallback request on any error, but the rewrite in 1.9
     mistakenly changed the behavior so that fallback requests are only
     made if the original request used the referral realm and the fallback
     realm is different from the default realm.  Restore the old behavior.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24957 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 6916

    tlyu
    tlyu committed Jun 9, 2011
    version_fixed: 1.9.2
    status: resolved
    
    pull up r24945 from trunk
    
     ------------------------------------------------------------------------
     r24945 | ghudson | 2011-05-26 14:05:49 -0400 (Thu, 26 May 2011) | 12 lines
    
     ticket: 6916
     subject: Restore krb5_get_credentials caching for referral requests
     target_version: 1.9.2
     tags: pullup
    
     The krb5_get_credentials() rewrite for IAKERB accidentally omitted the
     final step of restoring the requested realm in the output credentials.
     As a result, referral entries are not cached, and the caller sees the
     actual realm in (*out_creds)->server instead of the referral realm as
     before.  Fix this in complete() by swapping ctx->req_server into
     ctx->reply_creds->server.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24956 dc483132-0cff-0310-8789-dd5450dbe970
  3. ticket: 6913

    tlyu
    tlyu committed Jun 9, 2011
    version_fixed: 1.9.2
    status: resolved
    
    pull up r24937 from trunk
    
     ------------------------------------------------------------------------
     r24937 | ghudson | 2011-05-21 22:08:37 -0400 (Sat, 21 May 2011) | 10 lines
    
     ticket: 6913
     subject: Fix multiple tl-data updates over iprop
     target_version: 1.9.2
     tags: pullup
    
     krb5_dbe_update_tl_data() accepts a single read-only tl-data entry,
     but ulog_conv_2dbentry() expects it to process a full list.  Fix
     ulog_conv_2dbentry() to call krb5_db2_update_tl_data() on each entry
     individually, simplifying its memory management in the process.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24955 dc483132-0cff-0310-8789-dd5450dbe970
  4. ticket: 6912

    tlyu
    tlyu committed Jun 9, 2011
    version_fixed: 1.9.2
    status: resolved
    
    pull up r24929 from trunk
    
     ------------------------------------------------------------------------
     r24929 | ghudson | 2011-05-14 10:49:00 -0400 (Sat, 14 May 2011) | 11 lines
    
     ticket: 6912
     subject: Use hmac-md5 checksum for PA-FOR-USER padata
     target_version: 1.9.2
     tags: pullup
    
     The MS-S4U documentation specifies that hmac-md5 be used for
     PA-FOR-USER checksums; we were using the mandatory checksum type for
     the key.  Although some other checksum types appear to be allowed by
     Active Directory KDCs, Richard Silverman reports that md5-des is not
     one of them, causing S4U2Self requests to fail for DES keys.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24954 dc483132-0cff-0310-8789-dd5450dbe970
  5. ticket: 6908

    tlyu
    tlyu committed Jun 9, 2011
    version_fixed: 1.9.2
    status: resolved
    
    pull up r24917 from trunk
    
     ------------------------------------------------------------------------
     r24917 | ghudson | 2011-05-09 13:28:07 -0400 (Mon, 09 May 2011) | 10 lines
    
     ticket: 6908
     subject: Delete sec context properly in gss_krb5_export_lucid_sec_context
     target_version: 1.9.2
     tags: pullup
    
     Since r21690, gss_krb5_export_lucid_sec_context() has been passing a
     union context to krb5_gss_delete_sec_context(), causing a crash as the
     krb5 routine attempts to interpret a union context structure as a krb5
     GSS context.  Call the mechglue gss_delete_sec_context instead.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24953 dc483132-0cff-0310-8789-dd5450dbe970
  6. ticket: 6888

    tlyu
    tlyu committed Jun 9, 2011
    version_fixed: 1.9.2
    status: resolved
    
    pull up r24755 from trunk
    
     ------------------------------------------------------------------------
     r24755 | ghudson | 2011-03-29 18:44:30 -0400 (Tue, 29 Mar 2011) | 11 lines
    
     ticket: 6888
     target_version: 1.9.1
     tags: pullup
    
     In r21175 (on the mskrb branch, merged in r21690) the result codes for
     password quality and other errors were accidentally reversed.  Fix
     them so that password quality errors generate a "soft" failure and
     other errors generate a "hard" failure, as Heimdal and Microsoft do.
     Also recognize KADM5_PASS_Q_GENERIC (added in 1.9) as a password
     quality error.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24952 dc483132-0cff-0310-8789-dd5450dbe970
  7. ticket: 6886

    tlyu
    tlyu committed Jun 9, 2011
    version_fixed: 1.9.2
    status: resolved
    
    pull up r24750 from trunk
    
     ------------------------------------------------------------------------
     r24750 | ghudson | 2011-03-28 19:35:54 -0400 (Mon, 28 Mar 2011) | 11 lines
    
     ticket: 6886
     target_version: 1.9.1
     tags: pullup
    
     Remove the weak key checks from the builtin rc4 enc provider.  There
     is no standards support for avoiding RC4 weak keys, so rejecting them
     causes periodic failures.  Heimdal and Microsoft do not check for weak
     keys.  Attacks based on these weak keys are probably thwarted by the
     use of a confounder, and even if not, the reduction in work factor is
     not terribly significant for 128-bit keys.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24951 dc483132-0cff-0310-8789-dd5450dbe970