Andrew Bartlett [Fri, 21 Feb 2014 02:58:20 +0000 (15:58 +1300)]
improve apply_heimdal.sh
Andrew Bartlett [Wed, 11 Jan 2012 07:19:14 +0000 (18:19 +1100)]
heimdal: remove checking of KDC PAC signature, delegate to wdc plugin
The checking of the KDC signature is more complex than it looks: it may be of a different
enc type to that which the ticket is encrypted with, and may even be prefixed
with the RODC number.
This is better handled in the plugin which can easily look up the DB for the
correct key to verify this with, and can also quickly determine if this is
an interdomain trust, which we cannot verify the PAC for.
Andrew Bartlett
Andrew Bartlett [Wed, 19 Feb 2014 09:06:57 +0000 (22:06 +1300)]
specify hash to heimdal import, rather than using the date
Stefan Metzmacher [Mon, 25 Jul 2011 07:23:52 +0000 (09:23 +0200)]
lib/krb5: Windows KDCs always return the canonicalized server principal
Is there a better way to handle this?
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:45:26 +0000 (11:45 +0200)]
HACK: Netbios Domain as Realm
This is really an ugly hack to support using the NetBIOS Domain Name
as realm against Windows KDCs; they always return the full realm
based on the DNS name.
metze
Jelmer Vernooij [Tue, 21 Dec 2010 14:17:30 +0000 (15:17 +0100)]
lorikeet-heimdal: remove obsolete script for importing from svn.
Andrew Tridgell [Wed, 1 Dec 2010 02:00:08 +0000 (13:00 +1100)]
lorikeet-heimdal: Add a new script to help merging patches from Samba4 to heimdal
Stefan Metzmacher [Thu, 14 Jul 2011 14:24:37 +0000 (16:24 +0200)]
lorikeet-heimdal: improve import-lorikeet.sh for the toplevel build
metze
Andrew Bartlett [Tue, 30 Nov 2010 23:54:49 +0000 (10:54 +1100)]
lorikeet-heimdal: Improve the heimdal import scripts
Stefan Metzmacher [Fri, 27 Mar 2009 06:31:11 +0000 (07:31 +0100)]
lorikeet-heimdal: add scripts to rebase and import the latest version into samba4
If you use these scripts, read them! :-)
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:58:18 +0000 (11:58 +0200)]
lorikeet-heimdal: add wrap_ex_ntlm.diff from abartlet
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:57:36 +0000 (11:57 +0200)]
lorikeet-heimdal: add IMPORT-HEIMDAL.sh
I think this can be removed...
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:57:06 +0000 (11:57 +0200)]
lorikeet-heimdal: add HEIMDAL-LICENCE.txt
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:43:50 +0000 (11:43 +0200)]
lorikeet-heimdal: camellia-ntt GPLv2+ license
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:42:21 +0000 (11:42 +0200)]
lorikeet-heimdal: autogen.sh modifications
metze
Love Hörnquist Åstrand [Sun, 24 Aug 2014 02:29:04 +0000 (19:29 -0700)]
no need to make chmod quiet, it is supposed to be already because of \
Love Hörnquist Åstrand [Sun, 24 Aug 2014 02:14:10 +0000 (19:14 -0700)]
update (c)
Love Hörnquist Åstrand [Sun, 24 Aug 2014 02:08:00 +0000 (19:08 -0700)]
merge in changes from #79
fixes #79
Love Hörnquist Åstrand [Sun, 24 Aug 2014 02:04:05 +0000 (19:04 -0700)]
Merge pull request #87 from jelmer/travis
Add travis config.
Love Hörnquist Åstrand [Sun, 24 Aug 2014 01:54:05 +0000 (18:54 -0700)]
release pool when done
Love Hörnquist Åstrand [Sun, 24 Aug 2014 01:48:34 +0000 (18:48 -0700)]
now that we have used up more than 16 flags and we have been using the right bit order for many years, let's stop dealing with broken bit fields from ticket flags
Love Hörnquist Åstrand [Sat, 23 Aug 2014 04:52:27 +0000 (21:52 -0700)]
hush autoconf
Love Hörnquist Åstrand [Sat, 23 Aug 2014 04:52:10 +0000 (21:52 -0700)]
use LT_INIT only, fixes #95
Love Hörnquist Åstrand [Sat, 23 Aug 2014 04:38:55 +0000 (21:38 -0700)]
Merge pull request #109 from cg2v/dist-kadmin-version-script
version-script-client.map needs to be in dist
Love Hörnquist Åstrand [Sat, 23 Aug 2014 04:35:22 +0000 (21:35 -0700)]
Merge pull request #110 from cg2v/anonymous-pkinit
Anonymous pkinit improvements
Love Hörnquist Åstrand [Sat, 23 Aug 2014 04:33:14 +0000 (21:33 -0700)]
Merge pull request #105 from jelmer/compatibility-symlinks
Install compatibility symlinks for kadmin and ktutil.
Love Hörnquist Åstrand [Sat, 23 Aug 2014 04:31:32 +0000 (21:31 -0700)]
Merge pull request #100 from ktdreyer/kadmin-systemd-setpgid
kadmin: handle systemd setpgid failure
Love Hörnquist Åstrand [Sat, 23 Aug 2014 04:26:15 +0000 (21:26 -0700)]
make quiet
Love Hörnquist Åstrand [Sat, 23 Aug 2014 04:25:01 +0000 (21:25 -0700)]
make quiet
Love Hörnquist Åstrand [Sat, 23 Aug 2014 04:23:30 +0000 (21:23 -0700)]
remove stray a
Love Hörnquist Åstrand [Sat, 23 Aug 2014 04:17:05 +0000 (21:17 -0700)]
check for JSON perl module and if not found ask developer to install it
partial fix for #74
Love Hörnquist Åstrand [Sat, 23 Aug 2014 03:57:24 +0000 (20:57 -0700)]
rename roken base64, fixes #107
Love Hörnquist Åstrand [Sat, 23 Aug 2014 03:21:37 +0000 (20:21 -0700)]
Merge pull request #112 from jhutz/rxkad-kdf
libkafs: derivation from non-DES key (rxkad-kdf)
Love Hörnquist Åstrand [Sat, 23 Aug 2014 03:19:36 +0000 (20:19 -0700)]
resurrect password change support again
Jeffrey Hutzelman [Thu, 21 Aug 2014 17:05:59 +0000 (13:05 -0400)]
libkafs: derivation from non-DES key (rxkad-kdf)
Add support for the "rxkad-kdf" protocol for deriving rxkad session keys
from non-DES Kerberos session keys. This allows rxkad to be used in
realms where the KDC is unwilling or unable to issue tickets with
single-DES session keys.
Viktor Dukhovni [Tue, 22 Jul 2014 22:02:26 +0000 (18:02 -0400)]
Avoid appearance of if if else ambiguity
Viktor Dukhovni [Mon, 21 Jul 2014 21:00:19 +0000 (21:00 +0000)]
Avoid kinit NPE when default cred not in keytab
Samuel Cabrero [Fri, 18 Jul 2014 13:13:19 +0000 (15:13 +0200)]
Check _kdc_db_fetch return value before dereferencing the entry pointer
This fixes a segfault if the _kdc_db_fetch function does not find
the entry in the database (the entry pointer will be NULL if entry
is not found).
Signed-off-by: Samuel Cabrero <scabrero@zentyal.com>
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
Love Hörnquist Åstrand [Thu, 26 Jun 2014 04:39:33 +0000 (21:39 -0700)]
check for sys/errno.h
Jelmer Vernooij [Mon, 21 Apr 2014 20:30:33 +0000 (22:30 +0200)]
Add travis config.
Chaskiel Grundman [Mon, 7 Jul 2014 16:39:49 +0000 (12:39 -0400)]
version-script-client.map needs to be in dist
version-script-client.map needs to be in lib/kadm5's EXTRA_DIST,
otherwise make distcheck fails
Chaskiel Grundman [Mon, 7 Jul 2014 16:35:43 +0000 (12:35 -0400)]
Use anon realm for anonymous PKINIT
When an AS request names the anonymous principal, use the anonymous
realm in the response and ticket.
Love Hörnquist Åstrand [Sun, 6 Jul 2014 21:03:55 +0000 (23:03 +0200)]
Merge pull request #108 from ktdreyer/kadm5-make-race
kadm5: fix race in Makefile with kadm5_err.h
Chaskiel Grundman [Sun, 6 Jul 2014 18:37:49 +0000 (14:37 -0400)]
Document logic in _krb5_is_anon_request
describe why we look at the different bits and fields
Chaskiel Grundman [Thu, 3 Jul 2014 01:00:18 +0000 (21:00 -0400)]
When using PKINIT with DH, compute session key
RFC6112 provides a method of computing a session key when the PKINIT DH
is used, and mandates it for anonymous pkinit. The session key is computed
using KRB-FX-CF2 from the reply key and a random key chosen by the kdc.
The random key is provided to the client, which is supposed to verify
that the session key was computed this way.
Chaskiel Grundman [Thu, 3 Jul 2014 00:49:16 +0000 (20:49 -0400)]
Include empty PKINIT-KX padata
RFC 6112 requires KDCs implementing anonymous PKINIT to include an
empty PKINIT-KX padata in PREAUTH_REQUIRED messages.
Including this improves compatibility with MIT kerberos.
Chaskiel Grundman [Thu, 3 Jul 2014 00:39:38 +0000 (20:39 -0400)]
Recognize anonymous AS requests using bit 14
Check KDC Option bit 14 in addition to 16 when identifying anonymous
AS-REQs. This provides compatibility with older heimdal releases.
Chaskiel Grundman [Thu, 3 Jul 2014 00:24:49 +0000 (20:24 -0400)]
Use correct value for anonymous flags
The KDC Option and Ticket Flag for the anonymous extension were changed
from 14 to 16 due to a conflict with S4U2Proxy in version 11 of the anonymous
draft (now RFC6112). Fix the definitions.
Jakub Čajka [Tue, 1 Jul 2014 19:13:43 +0000 (13:13 -0600)]
kadm5: fix race in Makefile with kadm5_err.h
When running make with -j4, occasionally kadm5 fails due to a missing
header file kadm5_err.h. Fix the race condition.
Reported at https://bugzilla.redhat.com/1115164
Reviewed-by: Ken Dreyer <ktdreyer@ktdreyer.com>
Jeffrey Altman [Sat, 21 Jun 2014 00:15:13 +0000 (20:15 -0400)]
asn1: check overflow against SIZE_MAX not +1
A comparison of (len > len + 1) is permitted to be optimized out
as dead code because it can't be true. Overflowing is an exceptional
condition that results in undefined behavior. The correct conditional
is (len == SIZE_MAX) when len is size_t.
Change-Id: Ia5586556a973d9fa5228430c4304ea9792c996bb
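As an added illustration of the check the commit above recommends (this is example code, not Heimdal's asn1 code; the function names `size_add`, `der_length_bytes` and `der_tlv_size` are assumed), the overflow test is performed against `SIZE_MAX` before the addition happens, and generalized from "+1" to an arbitrary addend. The DER length-field helper shows how such checked additions chain when computing an encoded size:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Heimdal's code. Checked size_t addition:
 * store a+b in *out and return 0, or return -1 if a+b would exceed
 * SIZE_MAX. The comparison is made before the addition, so the result
 * never depends on what happens after an overflow. */
int size_add(size_t a, size_t b, size_t *out)
{
    if (SIZE_MAX - a < b)
        return -1;
    *out = a + b;
    return 0;
}

/* Number of bytes DER needs to encode a length field for content_len
 * bytes of content: one byte in short form (< 128), otherwise one
 * prefix byte plus the minimal big-endian representation. */
size_t der_length_bytes(size_t content_len)
{
    size_t n = 1;

    if (content_len < 128)
        return 1;
    while (content_len) {
        content_len >>= 8;
        n++;
    }
    return n;
}

/* Total size of a DER TLV with a one-byte tag around content_len bytes.
 * Returns 0 and sets *out on success, -1 if the size would overflow. */
int der_tlv_size(size_t content_len, size_t *out)
{
    size_t len;

    if (size_add(content_len, der_length_bytes(content_len), &len))
        return -1;
    if (size_add(len, 1, &len))   /* the tag byte */
        return -1;
    *out = len;
    return 0;
}

int main(void)
{
    size_t sizes[] = { 5, 128, 65536, SIZE_MAX - 9, SIZE_MAX };
    size_t i, total;

    for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        if (der_tlv_size(sizes[i], &total) == 0)
            printf("content %zu -> TLV %zu bytes\n", sizes[i], total);
        else
            printf("content %zu -> size overflow, rejected\n", sizes[i]);
    }
    return 0;
}
```

The last two inputs exercise the failure mode the commit is about: the first overflows only on the final "+1" for the tag byte, the second already on the length field, and both are rejected instead of wrapping to a small value.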
Jelmer Vernooij [Wed, 11 Jun 2014 01:44:28 +0000 (03:44 +0200)]
Install compatibility symlinks for kadmin and ktutil.
Love Hörnquist Åstrand [Tue, 10 Jun 2014 21:29:37 +0000 (14:29 -0700)]
Merge pull request #104 from jelmer/kadmin-ktutil-to-usr-bin
Move kadmin and ktutil to /usr/bin.
Jelmer Vernooij [Mon, 9 Jun 2014 21:36:23 +0000 (23:36 +0200)]
Move kadmin and ktutil to /usr/bin.
Jeffrey Altman [Sun, 1 Jun 2014 23:59:35 +0000 (19:59 -0400)]
Merge pull request #102 from jelmer/manpages-no-krb4
Remove references to Kerberos 4 from manpages.
Jelmer Vernooij [Sun, 1 Jun 2014 22:32:27 +0000 (00:32 +0200)]
Remove references to KRBTKFILE from login.1 and kinit.1.
Jelmer Vernooij [Sun, 1 Jun 2014 22:30:04 +0000 (00:30 +0200)]
afslog.1: Remove documentation for removed no-v4 argument.
Jeffrey Altman [Sun, 1 Jun 2014 21:35:48 +0000 (17:35 -0400)]
Merge pull request #101 from jelmer/kimpersonate-no-kerb4
Remove kerberos 4 references from kimpersonate.8.
Jelmer Vernooij [Sun, 1 Jun 2014 21:21:52 +0000 (23:21 +0200)]
Remove kerberos 4 references from kimpersonate.8.
Ken Dreyer [Sat, 31 May 2014 08:00:58 +0000 (02:00 -0600)]
kadmin: handle systemd setpgid failure
When running as a service under systemd, kadmin cannot successfully use
setpgid(). The call fails with EPERM. Do not treat this as a fatal
error; instead, allow kadmind to continue starting up.
Love Hörnquist Åstrand [Wed, 28 May 2014 21:40:24 +0000 (23:40 +0200)]
Merge pull request #99 from ktdreyer/klist-spelling-comments
klist: fix spelling in comments
Ken Dreyer [Wed, 28 May 2014 20:34:06 +0000 (14:34 -0600)]
klist: fix spelling in comments
Jeffrey Altman [Thu, 15 May 2014 01:56:51 +0000 (21:56 -0400)]
roken: Windows ELOOP definition
Microsoft VC 2010 defines ELOOP as 114
Change-Id: Iba6cfd83e4a9ea1d43ed8aff7893d557648fc7e5
Jeffrey Altman [Thu, 15 May 2014 01:42:45 +0000 (21:42 -0400)]
kinit: get_switched_ccache
Provide a new internal function called get_switched() to encapsulate
the algorithm for selecting a credential cache when the selected
ccache type supports switching. There is no change in behavior for
UNIX which always calls krb5_cc_new_unique(). However, on Windows
alternate behavior is provided when the ccache type is API or MSLSA.
For the API ccache the default ccache name is stored in the Windows
registry which is shared across all logon sessions belonging to a
user. For users that are members of the Administrators group this
includes both the UAC restricted and elevated sessions sharing the
same desktop. It is very disconcerting when the elevated session obtains
credentials for the same client principal as the restricted session
and then all apps in the restricted session lose access to their
credential cache. For Windows, the API credential caches are named
after the principal that is stored within them. It provides for a
better end user experience.
For the MSLSA ccache tickets belonging to multiple principals are
all stored within the MSLSA ccache. As a result, all attempts to
switch ccache names default back to the one and only one name.
Change-Id: I7865cd044cff01ff38ab107ec0961e42788fa073
Jeffrey Altman [Sat, 10 May 2014 13:30:04 +0000 (09:30 -0400)]
Merge pull request #94 from jelmer/ignore-test-output
Update .gitignore to ignore all test binaries and output.
Jelmer Vernooij [Sat, 10 May 2014 13:03:57 +0000 (15:03 +0200)]
Update .gitignore to ignore all test binaries and output.
Nicolas Williams [Mon, 5 May 2014 05:00:46 +0000 (00:00 -0500)]
Use thread-safe errno on Solaris
Love Hörnquist Åstrand [Thu, 1 May 2014 04:33:13 +0000 (21:33 -0700)]
Merge pull request #91 from ktdreyer/test-fx-weak-crypto
test_fx: enable weak crypto
Ken Dreyer [Tue, 29 Apr 2014 16:40:13 +0000 (10:40 -0600)]
test_fx: enable weak crypto
Now that test_fx checks 1DES keys, we need to call allow_weak_crypto on
the test's context.
Without this fix, "make check" was failing with the following error:
lt-test_fx: krb5_crypto_init: Encryption type des-cbc-crc not
supported
Jeffrey Altman [Mon, 28 Apr 2014 02:00:10 +0000 (22:00 -0400)]
Merge pull request #88 from jelmer/rm-krb4-references
Remove references to Kerberos 4.
Jelmer Vernooij [Sun, 27 Apr 2014 23:03:10 +0000 (01:03 +0200)]
Various manpages: Remove references to Kerberos 4.
Jelmer Vernooij [Sun, 27 Apr 2014 23:02:45 +0000 (01:02 +0200)]
kdc.8: Remove references to kerberos 4.
Jelmer Vernooij [Sun, 27 Apr 2014 22:48:10 +0000 (00:48 +0200)]
Remove use of krb4 settings in example krb5.conf.
Love Hörnquist Åstrand [Fri, 25 Apr 2014 00:47:44 +0000 (17:47 -0700)]
Merge pull request #85 from jelmer/fix-typos
Fix some typos.
Jelmer Vernooij [Fri, 25 Apr 2014 00:36:25 +0000 (02:36 +0200)]
Fix some typos.
Love Hörnquist Åstrand [Thu, 24 Apr 2014 15:49:00 +0000 (08:49 -0700)]
Merge pull request #80 from ktdreyer/ldap-declaration
build failure with Fedora regarding hdb_ldap_create and hdb_ldapi_create
Love Hörnquist Åstrand [Thu, 24 Apr 2014 15:38:50 +0000 (08:38 -0700)]
Merge pull request #83 from jelmer/pc-limit-libs
Limit the libraries pulled in when dynamic linking.
Love Hörnquist Åstrand [Thu, 24 Apr 2014 15:36:25 +0000 (08:36 -0700)]
Merge pull request #84 from jelmer/fix-typos
Fix some typos in hx509_err.et.
Jelmer Vernooij [Wed, 23 Apr 2014 01:05:23 +0000 (03:05 +0200)]
Fix some typos.
Jelmer Vernooij [Tue, 22 Apr 2014 23:20:14 +0000 (01:20 +0200)]
Limit the libraries pulled in when dynamic linking.
See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745543
Ken Dreyer [Thu, 27 Mar 2014 16:07:29 +0000 (10:07 -0600)]
remove hdb ldap create declarations
The hdb_ldap_create and hdb_ldapi_create prototypes use the "static"
keyword, but the functions themselves are not implemented as static.
Heimdal's build system dynamically adds function declarations to
hdb-protos.h based on the actual function implementations. Those
declarations in hdb-protos.h are not declared as static.
Since the build system generates the declarations dynamically, just
remove them from hdb-ldap.c.
Nicolas Williams [Wed, 26 Mar 2014 02:57:54 +0000 (21:57 -0500)]
Document that ext_keytab can change a princ's keys
Nicolas Williams [Wed, 26 Mar 2014 02:45:10 +0000 (21:45 -0500)]
Make kadmin ext work when lacking get-keys priv
When we added the get-keys privilege we lost the ability to set up
keytabs with the kadmin ext command. The fix is to note that we got
bogus key data and randkey (as we used to).
Andrew Bartlett [Fri, 21 Feb 2014 03:27:48 +0000 (16:27 +1300)]
lib/base: Rename strbuf to heim_strbuf to avoid conflict with stropts.h on linux
Andrew Bartlett [Thu, 20 Feb 2014 21:19:30 +0000 (10:19 +1300)]
heimdal: rename send and recv pointers to avoid conflict with socket wrapper
Andrew Bartlett [Fri, 21 Feb 2014 02:40:28 +0000 (15:40 +1300)]
lib/base: Add define for HEIMDAL_TEXTDOMAIN
Andrew Bartlett [Wed, 19 Feb 2014 20:48:23 +0000 (09:48 +1300)]
lib/asn1: Add extern to declaration of fuzzer string in gen_locl.h
Volker Lendecke [Fri, 24 Jan 2014 09:09:29 +0000 (10:09 +0100)]
heimdal: Fix a format error on FreeBSD10
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 12 Nov 2013 21:00:54 +0000 (22:00 +0100)]
heimdal: Fix CID 240779 Allocation size mismatch
(rebased on current Heimdal by abartlet)
The error Coverity complains about is in the malloc. krb5_enctypes is
an enum, so it is usually smaller than the size of a pointer. So we
overallocate, but in the memcpy further down we copy from potentially
invalid memory.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov 13 11:05:44 CET 2013 on sn-devel-104
Volker Lendecke [Mon, 11 Nov 2013 21:07:09 +0000 (21:07 +0000)]
heimdal: Fix CID 241943 Uninitialized pointer read
In the error case without EXTRA_ADDRESSES we access ignore_addresses
without initialization
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Sun, 10 Nov 2013 08:45:38 +0000 (09:45 +0100)]
heimdal: Fix 241482 Resource leak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
Stefan Metzmacher [Sun, 17 Jun 2012 12:18:49 +0000 (14:18 +0200)]
heimdal:lib/wind: include <stdlib.h> at the end
This makes sure config.h gets included first.
This should fix the build on AIX.
metze
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jun 17 16:16:24 CEST 2012 on sn-devel-104
Stefan Metzmacher [Sat, 16 Jun 2012 20:03:29 +0000 (22:03 +0200)]
heimdal:lib/wind: make sure errorlist_table.c includes config.h as first header
This should fix the build on AIX.
metze
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jun 16 23:59:07 CEST 2012 on sn-devel-104
Stefan Metzmacher [Sat, 16 Jun 2012 11:25:18 +0000 (13:25 +0200)]
heimdal:lib/krb5: don't name a struct 'token'
This is a static const struct and the name is never used,
so just make it an anonymous struct.
This hopefully fixes the build on AIX:
"../lib/roken/roken-common.h", line 276.9: 1506-236 (W) Macro name __attribute__ has been redefined.
"../lib/roken/roken-common.h", line 276.9: 1506-358 (I) "__attribute__" is defined on line 45 of ../lib/com_err/com_err.h.
"../lib/krb5/expand_path.c", line 331.21: 1506-334 (S) Identifier token has already been defined on line 98 of "/usr/include/net/if_arp.h".
"../lib/krb5/expand_path.c", line 390.43: 1506-019 (S) Expecting an array or a pointer to object type.
"../lib/krb5/expand_path.c", line 391.31: 1506-019 (S) Expecting an array or a pointer to object type.
"../lib/krb5/expand_path.c", line 392.20: 1506-019 (S) Expecting an array or a pointer to object type.
"../lib/krb5/expand_path.c", line 392.48: 1506-019 (S) Expecting an array or a pointer to object type.
"../lib/krb5/expand_path.c", line 393.39: 1506-019 (S) Expecting an array or a pointer to object type.
Waf: Leaving directory `/opt/home/build/build_farm/samba_4_0_test/bin'
Build failed: -> task failed (err #1):
{task: cc expand_path.c -> expand_path_52.o}
gmake: *** [all] Error 1
metze
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jun 16 15:20:59 CEST 2012 on sn-devel-104
Volker Lendecke [Thu, 1 Mar 2012 01:56:10 +0000 (02:56 +0100)]
heimdal: Fix the build on FreeBSD
We don't have BACKTRACE_SYMBOLS by default
Andreas Schneider [Thu, 23 Feb 2012 08:24:02 +0000 (09:24 +0100)]
s4-heimdal: Remove the execute flag of cfx.c.
The scripts which are extracting debuginfo are looking for files with
the executable bit and find cfx.c which isn't an executable.
Andrew Tridgell [Wed, 28 Sep 2011 04:18:14 +0000 (14:18 +1000)]
heimdal: handle referrals for 3 part DRSUAPI SPNs
This handles referrals for SPNs of the form
E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/REALM, which are
used during DRS replication when we don't know the dnsHostName of the
target DC (which we don't know until the first replication from that
DC completes).
We use the 3rd part of the SPN directly as the realm name in the
referral.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Jelmer Vernooij [Fri, 28 Feb 2014 19:10:42 +0000 (19:10 +0000)]
Avoid breaking symbol names for all previously present functions.
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Signed-off-by: Nicolas Williams <nico@cryptonector.com>
Love Hörnquist Åstrand [Thu, 20 Mar 2014 21:35:51 +0000 (22:35 +0100)]
don't seed anything since /dev/random doesn't really need more seeding
Red Hat has SELinux rules that slow down openssh when heimdal tries
to write, so let's not write.
https://bugzilla.redhat.com/show_bug.cgi?id=1076979
Benjamin Kaduk [Fri, 14 Mar 2014 22:13:21 +0000 (18:13 -0400)]
Fix KRB-FX-CF2 for enctypes with non-dense keyspaces
It is necessary to use the RFC3961 random_to_key operation when
creating a key from a bitstring.
Signed-off-by: Nicolas Williams <nico@cryptonector.com>
Greg Hudson [Sat, 15 Mar 2014 18:48:01 +0000 (14:48 -0400)]
Fix DES3 PRF
RFC 3961 says the simplified profile PRF should truncate the hash
output to "multiple of m", which MIT krb5 interprets as the largest
possible multiple of m. RFC 6113 appendix A also uses that
interpretation for the KRB-FX-CF2 test vector. So the DES3 PRF should
truncate the 20-byte SHA-1 result to 16 bytes, not 8. Also make
krb5_crypto_prf_length work with DES3 by giving the DES3 enctype a
non-zero PRF length.
Signed-off-by: Nicolas Williams <nico@cryptonector.com>