Robbie Harwood
|
feaafc07b2
|
Fix test suite by removing wrapper workarounds
|
2020-06-08 22:00:22 +00:00 |
|
Robbie Harwood
|
3c4e18f2f3
|
Omit PA_FOR_USER if we can't compute its checksum
|
2020-06-08 16:01:55 -04:00 |
|
Robbie Harwood
|
49849de329
|
Replace gssrpc tests with a Python script
|
2020-05-30 12:38:04 -04:00 |
|
Robbie Harwood
|
883355750a
|
Default dns_canonicalize_hostname to "fallback"
|
2020-05-30 12:01:58 -04:00 |
|
Robbie Harwood
|
331a9df349
|
dns_canonicalize_hostname = fallback
|
2020-05-26 21:47:51 +00:00 |
|
Robbie Harwood
|
dec02b8411
|
Pass channel bindings through SPNEGO
|
2020-05-26 14:34:53 -04:00 |
|
Robbie Harwood
|
102adf5edf
|
New upstream release (1.18.2)
|
2020-05-22 14:26:04 -04:00 |
|
Robbie Harwood
|
d370e2a431
|
Fix SPNEGO acceptor mech filtering
|
2020-05-22 13:28:09 -04:00 |
|
Robbie Harwood
|
0963a62bc3
|
Fix typo ("in in") in the ksu man page
|
2020-05-18 14:02:44 -04:00 |
|
Robbie Harwood
|
a9ccd6fd57
|
Omit KDC indicator check for S4U2Self requests
|
2020-05-08 14:14:22 -04:00 |
|
Robbie Harwood
|
19d5d2e504
|
Pass gss_localname() through SPNEGO
|
2020-04-28 13:12:21 -04:00 |
|
Robbie Harwood
|
7fca7fd076
|
New upstream version (1.18.1)
|
2020-04-14 15:45:43 -04:00 |
|
Robbie Harwood
|
66ec722479
|
Make ksu honor KRB5CCNAME again
|
2020-04-07 15:51:54 -04:00 |
|
Robbie Harwood
|
9f3201c4bc
|
Do expiration warnings for all init_creds APIs
|
2020-04-02 14:03:07 -04:00 |
|
Robbie Harwood
|
c262ec69f6
|
Correctly import "service@" GSS host-based name
|
2020-04-01 14:24:49 -04:00 |
|
Robbie Harwood
|
4e7e5fe69b
|
Eliminate redundant PKINIT responder invocation
|
2020-03-26 16:01:18 -04:00 |
|
Robbie Harwood
|
dd7e9481aa
|
Add finalization safety check to com_err
|
2020-03-26 10:20:02 -04:00 |
|
Robbie Harwood
|
5c9732a545
|
Add maximum openssl version in preparation for openssl 3
|
2020-03-20 16:16:55 +00:00 |
|
Robbie Harwood
|
bea8330f52
|
Document client keytab usage
|
2020-03-17 15:26:56 -04:00 |
|
Robbie Harwood
|
f6c62d5e63
|
Refresh manually acquired creds from client keytab
|
2020-03-03 12:34:50 -05:00 |
|
Robbie Harwood
|
812c07a94f
|
Allow deletion of require_auth with LDAP KDB
|
2020-02-28 13:35:47 -05:00 |
|
Robbie Harwood
|
0ecf7a0e65
|
Allow certauth modules to set hw-authent flag
|
2020-02-27 16:13:51 -05:00 |
|
Robbie Harwood
|
3b6955d99e
|
Fix AS-REQ checking of KDB-modified indicators
|
2020-02-21 13:16:49 -05:00 |
|
Robbie Harwood
|
48a220a102
|
Fix missing dist
|
2020-02-12 17:47:03 -05:00 |
|
Robbie Harwood
|
f287f939a9
|
New upstream version (1.18)
|
2020-02-12 22:29:13 +00:00 |
|
Robbie Harwood
|
dd3e136188
|
Don't assume OpenSSL failures are memory errors
|
2020-02-07 10:59:57 -05:00 |
|
Robbie Harwood
|
edfb00e001
|
Put KDB authdata first
|
2020-02-06 10:17:38 -05:00 |
|
Robbie Harwood
|
8fb4697062
|
New upstream beta release - 1.18-beta2
Adjust naming convention for downstream patches
|
2020-01-31 20:31:53 +00:00 |
|
Fedora Release Engineering
|
b3d5b8f719
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
|
2020-01-29 07:50:49 +00:00 |
|
Robbie Harwood
|
7f642b1512
|
New upstream beta release - 1.18-beta1
|
2020-01-13 18:19:19 -05:00 |
|
Robbie Harwood
|
84aac1fa6d
|
Fix LDAP policy enforcement of pw_expiration
Fix handling of invalid CAMMAC service verifier
|
2020-01-08 14:07:00 -05:00 |
|
Robbie Harwood
|
2496b50d00
|
Fix xdr_bytes() strict-aliasing violations
|
2020-01-06 16:36:41 -05:00 |
|
Robbie Harwood
|
fd463aed6a
|
Don't warn in kadmin when no policy is specified
Do not always canonicalize enterprise principals
|
2020-01-03 11:36:21 -05:00 |
|
Robbie Harwood
|
d6ef09022c
|
Enable the LMDB backend for the KDB
|
2019-12-13 19:11:07 +00:00 |
|
Robbie Harwood
|
9d642021d7
|
New upstream version - 1.17.1
Stop building and packaging PDFs
|
2019-12-12 18:42:51 +00:00 |
|
Robbie Harwood
|
4aee4bdd71
|
Qualify short hostnames when not using DNS
|
2019-12-06 13:44:42 -05:00 |
|
Robbie Harwood
|
02c0c74c74
|
Various gssalloc fixes
|
2019-11-27 12:36:19 -05:00 |
|
Robbie Harwood
|
76d9979dc3
|
Turns out openssl has an epoch
|
2019-11-21 22:06:25 +00:00 |
|
Robbie Harwood
|
4c128ec39a
|
Fix runtime openssl version to actually propagate
|
2019-11-20 23:03:40 +00:00 |
|
Robbie Harwood
|
b9ea889e2a
|
Add runtime openssl version requirement too
|
2019-11-20 21:13:58 +00:00 |
|
Robbie Harwood
|
4b8056ef08
|
Fix kadmin addprinc -randkey -kvno
|
2019-11-20 14:16:04 -05:00 |
|
Robbie Harwood
|
1404656ded
|
Use OpenSSL's backported KDFs
Restore MD4 in FIPS mode (for samba)
|
2019-11-19 14:45:23 -05:00 |
|
Robbie Harwood
|
cbf35c8b1f
|
Add default_principal_flags to example kdc.conf
|
2019-11-08 20:45:40 +00:00 |
|
Robbie Harwood
|
9ce53b906d
|
Log unknown enctypes as unsupported in KDC
|
2019-10-02 11:19:07 -04:00 |
|
Robbie Harwood
|
1a6673d2ee
|
Fix KDC crash when logging PKINIT enctypes (CVE-2019-14844)
|
2019-09-25 13:15:11 -04:00 |
|
Robbie Harwood
|
bff738a25d
|
Static analyzer appeasement
|
2019-09-12 10:15:52 -04:00 |
|
Robbie Harwood
|
6ea5e5fa9a
|
Simplify krb5_dbe_def_search_enctype()
|
2019-08-27 11:24:25 -04:00 |
|
Robbie Harwood
|
2dabf02464
|
Update FIPS patches to remove SPAKE
|
2019-08-22 15:54:34 -04:00 |
|
Robbie Harwood
|
4906d9dae9
|
Support building in COPR now that %{copr_username} is gone
|
2019-08-16 12:24:27 -04:00 |
|
Robbie Harwood
|
cdaea01dc8
|
Fix KCM client time offset propagation
|
2019-08-15 16:32:06 -04:00 |
|
Robbie Harwood
|
6fb26c9d3d
|
Initialize life/rlife in kdcpolicy interface
|
2019-08-09 16:05:18 -04:00 |
|
Robbie Harwood
|
e73c24bb36
|
Fix memory leaks in soft-pkcs11 code
|
2019-08-06 09:46:36 -04:00 |
|
Robbie Harwood
|
f4c04f8cde
|
Add soft-pkcs11 and use it for testing
|
2019-07-30 08:56:06 -04:00 |
|
Fedora Release Engineering
|
52c0e4ab88
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
|
2019-07-25 12:06:52 +00:00 |
|
Robbie Harwood
|
7c5b49f828
|
Filter enctypes in gss_set_allowable_enctypes()
|
2019-07-18 12:49:23 -04:00 |
|
Robbie Harwood
|
4c8ed38666
|
Don't error on invalid enctypes in keytab
Resolves: #1724380
|
2019-07-15 13:07:54 -04:00 |
|
Robbie Harwood
|
a0277fd396
|
Remove now-unused checksum functions
|
2019-07-02 11:42:28 -04:00 |
|
Robbie Harwood
|
490a817464
|
Fix typo in 3des commit
|
2019-06-26 18:23:02 -04:00 |
|
Robbie Harwood
|
7bee5f19e1
|
Remove PKINIT draft9 support (compat with EOL, pre-2008 Windows)
|
2019-06-26 18:07:12 -04:00 |
|
Robbie Harwood
|
2843572c2f
|
Remove strerror() calls from k5_get_error()
|
2019-06-10 12:41:26 -04:00 |
|
Robbie Harwood
|
6d60b0827f
|
Remove 3des from kdc.conf example
|
2019-06-07 08:52:53 -04:00 |
|
Robbie Harwood
|
1cae0b7e96
|
Remove 3DES support
|
2019-06-03 17:33:31 -04:00 |
|
Robbie Harwood
|
19e2656c15
|
Remove 3des support
|
2019-06-03 17:25:49 -04:00 |
|
Robbie Harwood
|
48af99c1f7
|
Remove krb5int_c_combine_keys() and no-flags SAM-2 preauth
|
2019-05-30 13:32:37 -04:00 |
|
Robbie Harwood
|
3f80a77313
|
Remove support for single-DES and CRC
|
2019-05-28 15:22:45 -04:00 |
|
Robbie Harwood
|
f50ceacadf
|
Add missing newlines to deprecation warnings
Switch to upstream's ksu path patch
|
2019-05-22 10:59:16 -04:00 |
|
Robbie Harwood
|
79613952e3
|
Update default krb5kdc mkey manual-entry enctype
Also update account lockout patch to upstream version
|
2019-05-21 12:59:56 -04:00 |
|
Robbie Harwood
|
39ba823db6
|
Test & docs fixes in preparation for DES removal
|
2019-05-20 16:49:04 -04:00 |
|
Robbie Harwood
|
f91545040c
|
Drop krb5_realm_compare() etc. NULL check patches
|
2019-05-15 17:01:26 -04:00 |
|
Robbie Harwood
|
bebe7bd29f
|
Re-provide krb5-kdb-version in -devel as well (IPA wants it)
|
2019-05-15 15:16:18 +00:00 |
|
Robbie Harwood
|
aa55266a84
|
(Patch consolidation; hopefully no changes)
|
2019-05-14 12:34:12 -04:00 |
|
Robbie Harwood
|
4b3d9079ae
|
Remove checksum type profile variables
|
2019-05-14 11:07:43 -04:00 |
|
Robbie Harwood
|
0b0d802a54
|
Pull in 2019-05-02 static analysis updates
|
2019-05-10 13:50:56 -04:00 |
|
Robbie Harwood
|
d1b5e24f4c
|
Drop --with-pkinit-crypto-impl
|
2019-05-06 14:38:08 -04:00 |
|
Robbie Harwood
|
85664dde3d
|
Move krb5-kdb-version provide into krb5-server for freeipa
|
2019-05-03 18:36:31 +00:00 |
|
Robbie Harwood
|
4c5654d0fb
|
Use secure_getenv() where appropriate
|
2019-05-01 12:47:31 -04:00 |
|
Robbie Harwood
|
cdfd42332f
|
Get that squeaky rpmlint clean
|
2019-04-24 15:51:18 -04:00 |
|
Robbie Harwood
|
0555bc87c8
|
Add dns_canonicalize_hostname=fallback support
|
2019-04-24 11:45:11 -04:00 |
|
Robbie Harwood
|
9d9730eb07
|
Check more errors in OpenSSL crypto backend
|
2019-04-24 11:39:04 -04:00 |
|
Robbie Harwood
|
aa800df204
|
Fix potential close(-1) in cc_file.c
|
2019-04-22 13:09:23 -04:00 |
|
Robbie Harwood
|
707673a505
|
Remove ovsec_adm_export and confvalidator
|
2019-04-17 16:17:17 -04:00 |
|
Robbie Harwood
|
5ebfb70254
|
Fix config realm change logic in FILE remove_cred
|
2019-04-17 16:16:38 -04:00 |
|
Robbie Harwood
|
05efb47898
|
Remove Kerberos v4 support vestiges (including ktany support)
|
2019-04-11 16:44:09 -04:00 |
|
Robbie Harwood
|
7f7eba0cef
|
Implement krb5_cc_remove_cred for remaining types
Resolves: #1693836
|
2019-04-11 13:18:46 -04:00 |
|
Robbie Harwood
|
caa2dd1a26
|
FIPS-aware SPAKE group negotiation
|
2019-04-01 13:13:49 -04:00 |
|
Robbie Harwood
|
bf081fdccd
|
Fix memory leak in 'none' replay cache type
Silence a coverity warning while we're here.
|
2019-02-25 15:24:36 -05:00 |
|
Robbie Harwood
|
ae3b432439
|
Update FIPS blocking for RC4
|
2019-02-01 16:11:20 -05:00 |
|
Fedora Release Engineering
|
f417500667
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
|
2019-02-01 06:00:21 +00:00 |
|
Igor Gnatenko
|
acad58ce13
|
Remove obsolete Group tag
References: https://fedoraproject.org/wiki/Changes/Remove_Group_Tag
|
2019-01-28 20:24:10 +01:00 |
|
Robbie Harwood
|
1458a863a4
|
enctype logging and explicit_bzero()
|
2019-01-17 13:44:00 -05:00 |
|
Robbie Harwood
|
658f28f754
|
New upstream version (1.17)
|
2019-01-08 19:15:01 +00:00 |
|
Robbie Harwood
|
7e29fac83e
|
Use openssl's PRNG in FIPS mode
|
2019-01-04 17:01:07 -05:00 |
|
Robbie Harwood
|
645562ea2f
|
Address some optimized-out memset() calls
|
2019-01-04 10:52:20 -05:00 |
|
Robbie Harwood
|
7338b669da
|
Remove incorrect KDC assertion
|
2018-12-20 18:00:42 -05:00 |
|
Robbie Harwood
|
6c692d18f2
|
Fix syntax on pkinit_anchors field in default krb5.conf
|
2018-12-20 21:46:31 +00:00 |
|
Robbie Harwood
|
8968aa45c7
|
Restore pdfs source file
Resolves: #1659716
|
2018-12-17 20:39:53 +00:00 |
|
Robbie Harwood
|
56c48beaec
|
Forgot to bump prerelease...
|
2018-12-06 18:35:50 +00:00 |
|
Robbie Harwood
|
59f64bf750
|
New upstream release (1.17-beta2)
Drop pdfs source file
|
2018-12-06 18:31:06 +00:00 |
|
Robbie Harwood
|
fef40744ec
|
Add tests for KCM ccache type
|
2018-11-29 14:58:18 -05:00 |
|
Robbie Harwood
|
83e3cdfc7d
|
Gain FIPS awareness
|
2018-11-12 20:39:38 +00:00 |
|
Robbie Harwood
|
d401b30b5f
|
Fix spurious errors from kcmio_unix_socket_write
Resolves: #1645912
|
2018-11-08 11:22:27 -05:00 |
|
Robbie Harwood
|
f745542b78
|
New upstream beta release (1.17-beta1)
|
2018-11-01 20:07:33 +00:00 |
|
Robbie Harwood
|
5f59f89111
|
Package kerberos(7)
|
2018-10-24 15:36:36 -04:00 |
|
Robbie Harwood
|
3ce8c381c3
|
Update man pages to reference kerberos(7)
Resolves: #1143767
|
2018-10-24 15:07:14 -04:00 |
|
Robbie Harwood
|
d760ebeab2
|
Use port-sockets.h macros in cc_kcm, sendto_kdc
Resolves: #1631998
|
2018-10-17 15:27:45 -04:00 |
|
Robbie Harwood
|
c0ac611ad3
|
Correct kpasswd_server description in krb5.conf(5)
Resolves: #1640272
|
2018-10-17 13:49:20 -04:00 |
|
Robbie Harwood
|
0eeac3abaf
|
Prefer TCP to UDP for password changes
Resolves: #1637611
|
2018-10-15 13:26:07 -04:00 |
|
Adam Williamson
|
4a2dfb104c
|
Revert the patch from -20 as it seems to make FreeIPA worse
|
2018-10-09 13:57:21 -07:00 |
|
Robbie Harwood
|
af8b6635d6
|
Fix bugs with concurrent use of MEMORY ccaches
|
2018-10-02 13:36:43 -04:00 |
|
Robbie Harwood
|
ef8eae7c7b
|
In FIPS mode, add plaintext fallback for RC4 usages and taint
|
2018-08-01 15:11:35 -04:00 |
|
Robbie Harwood
|
d21edd514c
|
Fix k5test prompts for Python 3
|
2018-07-26 14:23:13 -04:00 |
|
Robbie Harwood
|
29b7ff3bb1
|
Remove outdated note in krb5kdc man page
|
2018-07-19 16:43:33 -04:00 |
|
Robbie Harwood
|
e506fad693
|
Make krb5kdc -p affect TCP ports
|
2018-07-19 16:43:21 -04:00 |
|
Robbie Harwood
|
e3ab2c3591
|
Eliminate preprocessor-disabled dead code
|
2018-07-19 16:43:06 -04:00 |
|
Robbie Harwood
|
b5615f9f2c
|
Fix some broken tests for Python 3
|
2018-07-18 17:25:00 -04:00 |
|
Robbie Harwood
|
c0f34c36f8
|
Zap copy of secret in RC4 string-to-key
|
2018-07-16 10:38:52 -04:00 |
|
Robbie Harwood
|
6bb371b555
|
Convert Python tests to Python 3
|
2018-07-12 13:08:20 -04:00 |
|
Robbie Harwood
|
18245c6b0f
|
Actually add the dependency this time
|
2018-07-11 12:56:14 -04:00 |
|
Robbie Harwood
|
50f81aad57
|
Add build dependency on gcc
|
2018-07-11 16:49:26 +00:00 |
|
Robbie Harwood
|
40a05d0347
|
Use SHA-256 instead of MD5 for audit ticket IDs
|
2018-07-10 17:34:02 -04:00 |
|
Jason Tibbitts
|
816afcf8e2
|
Remove needless use of %defattr
|
2018-07-10 01:32:54 -05:00 |
|
Robbie Harwood
|
2fc18e9142
|
Add BuildRequires on python2 so we can run tests at build-time
|
2018-07-06 15:27:23 +00:00 |
|
Robbie Harwood
|
97d3fa66d0
|
Explicitly look for python2 in configure.in
|
2018-07-06 10:59:48 -04:00 |
|
Robbie Harwood
|
ff388043f1
|
Add flag to disable encrypted timestamp on client
|
2018-06-14 17:45:09 -04:00 |
|
Robbie Harwood
|
d6ae33b85a
|
Switch to python3-sphinx for docs
Resolves: #1590928
|
2018-06-14 16:56:44 +00:00 |
|
Robbie Harwood
|
367b100b3b
|
Make docs build python3-compatible
Resolves: #1590928
|
2018-06-14 10:49:23 -04:00 |
|
Robbie Harwood
|
6dd406494d
|
Update includedir processing to match upstream
|
2018-06-07 12:37:24 -04:00 |
|
Robbie Harwood
|
6e3058a9c5
|
Log when non-root ksu authorization fails
Resolves: #1575771
|
2018-06-01 14:04:16 -04:00 |
|
Robbie Harwood
|
9467290bc7
|
Remove "-nodes" option from make-certs scripts
|
2018-05-04 10:59:52 -04:00 |
|
Robbie Harwood
|
88ba66fe53
|
New upstream release - 1.16.1
|
2018-05-04 14:59:45 +00:00 |
|
Robbie Harwood
|
ab1e0477e9
|
Fix indentation in krb5.conf of default_ccache_name
|
2018-05-03 13:01:11 -04:00 |
|
Robbie Harwood
|
ace60f7773
|
Set error message on KCM get_princ failure
|
2018-04-30 12:08:36 -04:00 |
|
Robbie Harwood
|
c150a97555
|
Set error message on KCM get_princ failure
|
2018-04-30 12:08:15 -04:00 |
|
Robbie Harwood
|
1dc2c64cf3
|
Fix KDC null dereference on large TGS replies
|
2018-04-24 11:19:31 -04:00 |
|
Robbie Harwood
|
58b0bd97d4
|
Explicitly use openssl rather than builtin crypto
Resolves: #1570910
|
2018-04-23 17:11:53 +00:00 |
|
Robbie Harwood
|
a48c97c32b
|
Merge duplicate subsections in profile library
|
2018-04-17 13:28:40 -04:00 |
|
Robbie Harwood
|
8ed07abedf
|
Restrict pre-authentication fallback cases
|
2018-04-09 12:12:08 -04:00 |
|
Robbie Harwood
|
9f52d3d29f
|
Be more careful asking for AS key in SPAKE client
|
2018-04-03 15:05:13 -04:00 |
|
Robbie Harwood
|
091dcbf794
|
Zap data when freeing krb5_spake_factor
|
2018-04-02 12:37:37 -04:00 |
|
Robbie Harwood
|
09f9308fd8
|
Continue after KRB5_CC_END in KCM cache iteration
|
2018-03-29 10:43:22 -04:00 |
|
Robbie Harwood
|
27ca1f2678
|
Fix SPAKE memory leak
Also fix build problem
|
2018-03-27 18:01:05 +00:00 |
|
Robbie Harwood
|
99cea2e511
|
Fix gitignore problem with previous patchset
|
2018-03-27 15:13:46 +00:00 |
|
Robbie Harwood
|
2c340efca2
|
Add SPAKE support
- Improve protections on internal sensitive buffers
- Improve internal hex encoding/decoding
|
2018-03-27 15:09:05 +00:00 |
|
Robbie Harwood
|
8b49b0644c
|
Fix problem with ccache_name logic in previous build
|
2018-03-20 18:20:01 +00:00 |
|
Robbie Harwood
|
6b1b652d4d
|
Add pkinit_anchors default value to krb5.conf
Reindent krb5.conf to not be terrible
|
2018-03-20 17:53:38 +00:00 |
|
Robbie Harwood
|
2eafc4d8aa
|
Include preauth names in trace output where possible
Also fix misc bugs
|
2018-03-20 15:21:19 +00:00 |
|
Robbie Harwood
|
a387becbf5
|
Add PKINIT KDC support for freshness token
Also, fix securid_sam2 preauth for non-default salt
|
2018-03-19 22:16:46 +00:00 |
|
Robbie Harwood
|
ed142b51b1
|
Exit with status 0 from kadmind
|
2018-03-14 14:44:04 -04:00 |
|
Robbie Harwood
|
5f3f6ef19b
|
Fix hex conversion of PKINIT certid strings
|
2018-03-13 17:45:47 -04:00 |
|
Robbie Harwood
|
4b5cd8c1f8
|
Fix capaths "." values on client
Resolves: 1551099
|
2018-03-07 17:41:04 +00:00 |
|