Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
branch: tags/krb5-1-8-…
Commits on Mar 2, 2010
  1. tag krb5-1.8 final

    tlyu authored
    git-svn-id: svn://anonsvn.mit.edu/krb5/tags/krb5-1-8-final@23761 dc483132-0cff-0310-8789-dd5450dbe970
  2. README and patchlevel.h for krb5-1.8 final

    tlyu authored
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23760 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Feb 25, 2010
  1. krb5-1.8-beta2-postrelease

    tlyu authored
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23755 dc483132-0cff-0310-8789-dd5450dbe970
  2. README and patchlevel.h for krb5-1.8-beta2

    tlyu authored
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23754 dc483132-0cff-0310-8789-dd5450dbe970
  3. ticket: 6669

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23750 from trunk
    
     ------------------------------------------------------------------------
     r23750 | tlyu | 2010-02-25 15:09:45 -0500 (Thu, 25 Feb 2010) | 7 lines
    
     ticket: 6669
     target_version: 1.8
     tags: pullup
     subject: doc updates for allow_weak_crypto
    
     Update documentation to be more helpful about allow_weak_crypto.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23751 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Feb 23, 2010
  1. ticket: 6603

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23742 from trunk
    
     ------------------------------------------------------------------------
     r23742 | ghudson | 2010-02-21 23:52:30 -0500 (Sun, 21 Feb 2010) | 24 lines
    
     ticket: 6603
     target_version: 1.8
     tags: pullup
    
     Fix two unrelated problems in SPNEGO which don't crop up with the krb5
     mechanism.
    
     1. The third call to spnego_init_accept_context uses faulty logic to
     determine if the exchange is complete, preventing a third mech token
     from being sent to the acceptor if no MIC exchange is required.
     Follow the logic used in the second call (in init_ctx_nego), which is
     correct.
    
     2. If the acceptor selects a mech other than the optimistic mech, it
     sets sc->mic_reqd to 1 whether or not the selected mech supports MICs
     (which isn't known until the mech completes).  Most code outside of
     handle_mic checks sc->mic_reqd along with (sc->ctx_flags &
     GSS_C_INTEG_FLAG), but the code in acc_ctx_call_acc neglected to do
     so, so it could improperly delegate responsibility for deciding when
     the negotiation was finished to handle_mic--which never gets called if
     (sc->ctx_flags & GSS_C_INTEG_FLAG) is false.  Fix acc_ctx_call_acc to
     check sc->ctx_flags so that mechs which don't support integrity
     protection can complete if they are selected non-optimistically.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23748 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 6659

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23735 from trunk
    
     ------------------------------------------------------------------------
     r23735 | ghudson | 2010-02-18 13:49:11 -0500 (Thu, 18 Feb 2010) | 8 lines
    
     ticket: 6659
     target_version: 1.8
     tags: pullup
    
     The TGS code was not freeing authdata.  This is an old leak which was
     made more evident in 1.8 by the addition of ad-signedpath authdata
     appearing in most tickets issued through the TGS path.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23747 dc483132-0cff-0310-8789-dd5450dbe970
  3. ticket: 6665

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23734 from trunk
    
     ------------------------------------------------------------------------
     r23734 | ghudson | 2010-02-18 13:04:47 -0500 (Thu, 18 Feb 2010) | 17 lines
    
     ticket: 6665
     subject: Fix cipher state chaining in OpenSSL back end
     target_version: 1.8
     tags: pullup
    
     Make cipher state chaining work in the OpenSSL back end for des, des3,
     and arcfour enc providers.  Subtleties:
    
     * DES and DES3 have checks to avoid clobbering ivec with uninitialized
       data if there is no data to encrypt.
     * Arcfour saves the OpenSSL cipher context across calls.  To protect
       against a caller improperly copying the state (which happens to work
       with other enc providers), a loopback pointer is used, as in GSSAPI.
     * EVP_EncryptFinal_ex is unnecessary with stream ciphers and would
       interfere with cipher state chaining if it did anything, so just
       remove it.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23746 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Feb 17, 2010
  1. krb5-1.8-beta1-postrelease

    tlyu authored
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23730 dc483132-0cff-0310-8789-dd5450dbe970
  2. README and patchlevel.h for krb5-1.8-beta1

    tlyu authored
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23728 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Feb 16, 2010
  1. ticket: 6663

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23726 from trunk
    
     ------------------------------------------------------------------------
     r23726 | tlyu | 2010-02-16 17:41:27 -0500 (Tue, 16 Feb 2010) | 8 lines
    
     ticket: 6663
     subject: update mkrel to deal with changed source layout
     target_version: 1.8
     tags: pullup
    
     Update mkrel so it deals somewhat better with removed src/lib/des425,
     NOTICES, etc.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23727 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 6662

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23724 from trunk
    
     ------------------------------------------------------------------------
     r23724 | tlyu | 2010-02-16 17:10:17 -0500 (Tue, 16 Feb 2010) | 10 lines
    
     ticket: 6662
     subject: MITKRB5-SA-2010-001 CVE-2010-0283 KDC denial of service
     tags: pullup
     target_version: 1.8
    
     Code introduced in krb5-1.7 can cause an assertion failure if a
     KDC-REQ is internally inconsistent, specifically if the ASN.1 tag
     doesn't match the msg_type field.  Thanks to Emmanuel Bouillon (NATO
     C3 Agency) for discovering and reporting this vulnerability.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23725 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Feb 12, 2010
  1. ticket: 6660

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23716 from trunk
    
     ------------------------------------------------------------------------
     r23716 | ghudson | 2010-02-11 11:07:08 -0500 (Thu, 11 Feb 2010) | 15 lines
    
     ticket: 6660
     subject: Minimal support for updating history key
     target_version: 1.8
     tags: pullup
    
     Add minimal support for re-randomizing the history key:
    
     * cpw -randkey kadmin/history now works, but creates only one key.
     * cpw -randkey -keepold kadmin/history still fails.
     * libkadm5 no longer caches the history key.  Performance impact
       is minimal since password changes are not common.
     * randkey no longer checks the newly randomized key against old keys,
       and the disabled code to do so in setkey/setv4key is gone, so now
       only kadm5_chpass_principal_3 accesses the password history.
    
    ------------------------------------------------------------------------
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23721 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 6658

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23715 from trunk
    
     ------------------------------------------------------------------------
     r23715 | ghudson | 2010-02-10 18:44:18 -0500 (Wed, 10 Feb 2010) | 14 lines
    
     ticket: 6658
     subject: Implement gss_set_neg_mechs
     target_version: 1.8
     tags: pullup
    
     Implement gss_set_neg_mechs in SPNEGO by intersecting the provided
     mech set with the mechanisms available in the union credential.  As
     we now need space to hold the mech set, the SPNEGO credential is now
     a structure and not just a mechglue credential.
    
     t_spnego.c is a test program which exercises the new logic.  Like the
     other GSSAPI tests, it is not run as part of "make check" at this
     time.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23720 dc483132-0cff-0310-8789-dd5450dbe970
  3. ticket: 6657

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23713 from trunk
    
     ------------------------------------------------------------------------
     r23713 | hartmans | 2010-02-09 14:15:12 -0500 (Tue, 09 Feb 2010) | 10 lines
    
     subject: krb5int_fast_free_state segfaults if state is null
     ticket: 6657
     target_version: 1.8
     tags: pullup
    
     krb5int_fast_free_state fails if state is null.  INstead it should
     simply return Reorganization of the get_init_creds logic has created
     situations where the init_creds loop can fail between the time when
     the context is initialized and the fast state is initialized.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23719 dc483132-0cff-0310-8789-dd5450dbe970
  4. ticket: 6656

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23712, r23714 from trunk
    
     ------------------------------------------------------------------------
     r23714 | ghudson | 2010-02-09 20:55:36 -0500 (Tue, 09 Feb 2010) | 13 lines
    
     ticket: 6656
    
     Followon fixes to r23712:
     * A few formatting fixes.
     * Fix unlikely leak in kdc_handle_protected_negotiation: if
       add_pa_data_element with copy == FALSE fails, it's still the
       caller's responsibility to free pa.contents.
     * Fix pre-existing (since r23465) leak of reply_encpart.enc_padata in
       process_as_req.
     * Call add_pa_data_element with copy == TRUE in
       return_referral_enc_padata since we are passing memory owned by the
       database entry.
    
     ------------------------------------------------------------------------
     r23712 | hartmans | 2010-02-09 14:15:07 -0500 (Tue, 09 Feb 2010) | 14 lines
    
     subject: enc_padata can include empty sequence
     ticket: 6656
     target_version: 1.8
     tags: pullup
    
     There are two issues with return_enc_padata.
     1)  It often will return an empty sequence of enc_padata rather than not including the field
     2) FAST negotiation is double supported in the referral tgs path and not supported in the non-referral path
    
     Rewrite the return_enc_padata logic to:
    
     * Split  out referral interactions with kdb into its own function
     * Use add_pa_data_element
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23718 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Feb 8, 2010
  1. ticket: 6652

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23677 from trunk
    
     ------------------------------------------------------------------------
     r23677 | ghudson | 2010-01-28 20:22:17 -0500 (Thu, 28 Jan 2010) | 14 lines
    
     ticket: 6652
     subject: Make decryption of master key list more robust
     target_version: 1.8
     tags: pullup
    
     krb5_def_fetch_mkey_list was incorrectly filtering mkey_aux entries
     when searching the list for an entry which can be decrypted with the
     stashed master key.  This bug was masked in most cases by the mkvno
     heuristic.
    
     Remove the mkvno heuristic, since performance is not an issue for this
     rarely-performed operation, and remove the incorrect enctype
     comparison in the brute-force search.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23711 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 6643

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23699 from trunk
    
     ------------------------------------------------------------------------
     r23699 | ghudson | 2010-02-05 16:46:35 -0500 (Fri, 05 Feb 2010) | 10 lines
    
     ticket: 6643
     target_version: 1.8
     tags: pullup
    
     Consistently place $(LDFLAGS) after $(SHLIB_EXPFLAGS) when building
     shared libraries.  Previously we sometimes failing to use $(LDFLAGS)
     at all, and at other times were putting it before $(SHLIB_EXPFLAGS)
     where it could pick up tree-internal libraries from outside the build
     tree.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23710 dc483132-0cff-0310-8789-dd5450dbe970
  3. ticket: 6601

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23698 from trunk
    
     ------------------------------------------------------------------------
     r23698 | tlyu | 2010-02-05 15:52:42 -0500 (Fri, 05 Feb 2010) | 8 lines
    
     ticket: 6601
     tags: pullup
     target_version: 1.8
    
     Apply patch from Arlene Berry to handle the case where a mechanism
     implements set_cred_option but does not implement the requested
     option.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23709 dc483132-0cff-0310-8789-dd5450dbe970
  4. ticket: 6655

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23697 from trunk
    
     ------------------------------------------------------------------------
     r23697 | ghudson | 2010-02-04 22:43:54 -0500 (Thu, 04 Feb 2010) | 12 lines
    
     ticket: 6655
     subject: Fix cross-realm handling of AD-SIGNEDPATH
     target_version: 1.8
     tags: pullup
    
     Avoid setting AD-SIGNEDPATH when returning a cross-realm TGT.
     Previously we were avoiding it when answering a cross-realm client,
     which was wrong.
    
     Don't fail out on an invalid AD-SIGNEDPATH checksum; just don't trust
     the ticket for S4U2Proxy (as if AD-SIGNEDPATH weren't present).
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23708 dc483132-0cff-0310-8789-dd5450dbe970
  5. ticket: 6600

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23696 from trunk
    
     ------------------------------------------------------------------------
     r23696 | tlyu | 2010-02-04 22:25:49 -0500 (Thu, 04 Feb 2010) | 7 lines
    
     ticket: 6600
     tags: pullup
     target_version: 1.8
    
     Apply patch from Arlene Berry to avoid segfault if a mech
     gss_inquire_context returns GSS_C_NO_NAME for the target name.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23707 dc483132-0cff-0310-8789-dd5450dbe970
  6. ticket: 6598

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23695 from trunk
    
     ------------------------------------------------------------------------
     r23695 | tlyu | 2010-02-04 22:05:42 -0500 (Thu, 04 Feb 2010) | 8 lines
    
     ticket: 6598
     tags: pullup
     target_version: 1.8
    
     Apply patch from Arlene Berry to return a comparable static OID object
     instead of the application-passed (probably dynamically allocated)
     OID, to avoid use-after-free problems.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23706 dc483132-0cff-0310-8789-dd5450dbe970
  7. ticket: 6654

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23694 from trunk
    
     ------------------------------------------------------------------------
     r23694 | ghudson | 2010-02-03 14:55:05 -0500 (Wed, 03 Feb 2010) | 7 lines
    
     ticket: 6654
     subject: Fix greet_server build
     target_version: 1.8
     tags: pullup
    
     Fix the export list for the greet_server plugin.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23705 dc483132-0cff-0310-8789-dd5450dbe970
  8. ticket: 6653

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23681 from trunk
    
     ------------------------------------------------------------------------
     r23681 | tlyu | 2010-02-01 16:48:19 -0500 (Mon, 01 Feb 2010) | 15 lines
    
     ticket: 6653
     subject: set_default_enctype_var should filter not reject weak enctypes
     tags: pullup
     target_version: 1.8
    
     With allow_weak_crypto=false, set_default_enctype_var() (helper
     function for krb5_set_default_tgs_enctypes(), etc.) was rejecting any
     application-provided enctype list that contained any weak enctype even
     when valid strong enctypes were present.  This broke some Samba
     things.  Filter the weak enctypes instead.  Add test cases.
    
     Reported to Debian by Holger Isenberg. (Debian bug #566977)
     http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977
     Thanks to Simo Sorce for testing.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23704 dc483132-0cff-0310-8789-dd5450dbe970
  9. ticket: 6651

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23676, r23679 from trunk
    
     ------------------------------------------------------------------------
     r23679 | ghudson | 2010-01-31 16:04:48 -0500 (Sun, 31 Jan 2010) | 4 lines
    
     ticket: 6650
    
     Fix minor error-handling bug in r23676.
    
     ------------------------------------------------------------------------
     r23676 | ghudson | 2010-01-28 16:39:31 -0500 (Thu, 28 Jan 2010) | 17 lines
    
     ticket: 6650
     subject: Handle migration from pre-1.7 databases with master key kvno != 1
     target_version: 1.7.1
     tags: pullup
    
     krb5_dbe_lookup_mkvno assumes an mkvno of 1 for entries with no
     explicit tl_data.  We've seen at least one pre-1.7 KDB with a master
     kvno of 0, violating this assumption.  Fix this as follows:
    
     * krb5_dbe_lookup_mkvno outputs 0 instead of 1 if no tl_data exists.
     * A new function krb5_dbe_get_mkvno translates this 0 value to the
       minimum version number in the mkey_list.  (krb5_dbe_lookup_mkvno
       cannot do this as it doesn't take the mkey_list as a parameter.)
     * Call sites to krb5_dbe_lookup_mkvno are converted to
       krb5_dbe_get_mkvno, except for an LDAP case where it is acceptable
       to store 0 if the mkvno is unknown.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23703 dc483132-0cff-0310-8789-dd5450dbe970
  10. ticket: 6649

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23674, r23675 from trunk
    
     ------------------------------------------------------------------------
     r23675 | ghudson | 2010-01-27 17:17:12 -0500 (Wed, 27 Jan 2010) | 4 lines
    
     ticket: 6649
    
     Update the LDAP dependencies for r23674.
    
     ------------------------------------------------------------------------
     r23674 | ghudson | 2010-01-26 22:52:52 -0500 (Tue, 26 Jan 2010) | 10 lines
    
     ticket: 6649
     subject: Get rid of kdb_ext.h and allow out-of-tree KDB plugins
     target_version: 1.8
     tags: pullup
    
     Move the contents of kdb_ext.h into kdb.h, since there is no meaningful
     "extensions" category of DB interfaces now that this stuff is in our
     tree.  Allows out-of-tree KDB plugins to be built since we install
     kdb.h.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23702 dc483132-0cff-0310-8789-dd5450dbe970
  11. ticket: 6648

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23673 from trunk
    
     ------------------------------------------------------------------------
     r23673 | tlyu | 2010-01-26 17:55:07 -0500 (Tue, 26 Jan 2010) | 9 lines
    
     ticket: 6648
     target_version: 1.8
     tags: pullup
     subject: define MIN() in lib/gssapi/krb5/prf.c
    
     Apply patch from Doug Engert to define MIN(), which was causing prf.c
     to fail compilation on Solaris.  (The definition was probably leaking
     from sys/param.h, included indirectly somehow.)
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23701 dc483132-0cff-0310-8789-dd5450dbe970
  12. ticket: 6599

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23672 from trunk
    
     ------------------------------------------------------------------------
     r23672 | tlyu | 2010-01-26 13:43:29 -0500 (Tue, 26 Jan 2010) | 6 lines
    
     ticket: 6599
     target_version: 1.8
     tags: pullup
    
     Apply patch from Arlene Berry to plug a memory leak.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23700 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Jan 21, 2010
  1. ticket: 6645

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23663 from trunk
    
     ------------------------------------------------------------------------
     r23663 | ghudson | 2010-01-19 18:35:39 -0500 (Tue, 19 Jan 2010) | 9 lines
    
     ticket: 6645
     subject: Add krb5_allow_weak_crypto API
     target_version: 1.8
     tags: pullup
    
     Add an API to allow apps to override the profile setting of
     allow_weak_crypto, so that aklog can work with krb5 1.8 out of the box
     until OpenAFS finishes migrating away from DES.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23665 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 6644

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23662 from trunk
    
     ------------------------------------------------------------------------
     r23662 | ghudson | 2010-01-19 13:44:57 -0500 (Tue, 19 Jan 2010) | 3 lines
    
     ticket: 6644
     subject: Change basename of libkadm5 libraries to avoid Heimdal conflict
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23664 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Jan 14, 2010
  1. ticket: 6642

    tlyu authored
    target_version: 1.8
    version_fixed: 1.8
    tags: pullup
    subject: Add test program for decryption of overly short buffers
    status: resolved
    
    Pull up r23652 from trunk.
    
    Test case for integer underflow in AES and RC4 decryption.
    [MITKRB5-SA-2009-004, CVE-2009-4212] krb5-1.8 branch isn't vulnerable,
    but include this test anyway.
    
     ------------------------------------------------------------------------
     r23652 | ghudson | 2010-01-12 16:59:58 -0500 (Tue, 12 Jan 2010) | 2 lines
    
     Add test program for decryption of overly short buffers.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23660 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 6640

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23657 from trunk
    
     ------------------------------------------------------------------------
     r23657 | ghudson | 2010-01-14 11:09:24 -0500 (Thu, 14 Jan 2010) | 9 lines
    
     ticket: 6640
     subject: Make history key exempt from permitted_enctypes
     tags: pullup
     target_version: 1.8
    
     In kdb_init_hist, just use the first key entry in the kadmin/history
     entry.  This makes the history key work even if the enctype is
     disallowed by allow_weak_crypto=false or other configuration.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23659 dc483132-0cff-0310-8789-dd5450dbe970
  3. ticket: 6546

    tlyu authored
    status: resolved
    version_fixed: 1.8
    
    pull up r23607 from trunk
    
     ------------------------------------------------------------------------
     r23607 | ghudson | 2010-01-07 15:57:02 -0500 (Thu, 07 Jan 2010) | 7 lines
    
     ticket: 6546
     status: open
    
     When retrieving the kadmin/history key, accept any enctype, as the
     current master key enctype may not match the one the KDB was created
     with.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23658 dc483132-0cff-0310-8789-dd5450dbe970
Commits on Jan 12, 2010
  1. ticket: 6632

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23628 from trunk
    
     ------------------------------------------------------------------------
     r23628 | ghudson | 2010-01-11 20:05:37 -0500 (Mon, 11 Jan 2010) | 9 lines
    
     ticket: 6632
     subject: Simplify and fix FAST check for keyed checksum type
     target_version: 1.8
     tags: pullup
    
     Use krb5_c_is_keyed_checksum to detect unkeyed checksums when handling
     FAST requests.  The old check was broken for 1.8 because
     krb5_c_verify_checksum got pickier about invalid keyblocks.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23649 dc483132-0cff-0310-8789-dd5450dbe970
  2. ticket: 6633

    tlyu authored
    version_fixed: 1.8
    status: resolved
    
    pull up r23629 from trunk
    
     ------------------------------------------------------------------------
     r23629 | ghudson | 2010-01-11 20:07:48 -0500 (Mon, 11 Jan 2010) | 9 lines
    
     ticket: 6633
     subject: Use keyed checksum type for DES FAST
     target_version: 1.7
     tags: pullup
    
     DES enctypes have unkeyed mandatory-to-implement checksums.  Since
     FAST requires a keyed checksum, we must pick something else in that
     case.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23648 dc483132-0cff-0310-8789-dd5450dbe970
Something went wrong with that request. Please try again.