krb5.git/src/lib/krb5/error_tables, branch master MIT Kerberos patches Change KRB5KDC_ERR_NO_ACCEPTABLE_KDF to 100 2013-10-15T03:44:25+00:00 Greg Hudson ghudson@mit.edu 2013-10-09T17:37:17+00:00 2938851a5ec77ab68bcd1f5cfd07991c7ccabea6 draft-ietf-krb-wg-pkinit-alg-agility-07 specifies KDC_ERR_NO_ACCEPTABLE_KDF as 82, but this value conflicts with KRB_AP_ERR_PRINCIPAL_UNKNOWN from RFC 6111. The former value has been reassigned to 100 to fix the conflict. Use the correct value. We believe that this error won't crop up in practice for a long time (when SHA-2 has been superceded by other hash algorithms and people are desupporting it), by which time implementations will mostly have been upgraded to use the new value. ticket: 7715 (new) target_version: 1.12 
draft-ietf-krb-wg-pkinit-alg-agility-07 specifies
KDC_ERR_NO_ACCEPTABLE_KDF as 82, but this value conflicts with
KRB_AP_ERR_PRINCIPAL_UNKNOWN from RFC 6111.  The former value has been
reassigned to 100 to fix the conflict.  Use the correct value.

We believe that this error won't crop up in practice for a long time
(when SHA-2 has been superceded by other hash algorithms and people
are desupporting it), by which time implementations will mostly have
been upgraded to use the new value.

ticket: 7715 (new)
target_version: 1.12
Support new KEYRING anchor names and big_key keys 2013-10-02T14:41:34+00:00 Greg Hudson ghudson@mit.edu 2013-09-28T18:12:58+00:00 7c69a0372db5b7ed670ef3099a97942ede7a4739 Add support for the new anchor names persistent, user, and session. The persistent anchor attempts to use a persistent keyring for a specified uid, and falls back to the user keyring if it cannot; the collection is stored at a fixed name within the persistent or user keyring. The session anchor uses the session keyring without legacy semantics. For all keyring types except legacy, attempt to use the "big_key" key type on systems which have keyctl_get_persistent. (They are essentially unrelated features, but were added at the same time.) This key type is stored in a kernel tmpfs and can store larger tickets. Since kernel commit 96b5c8fea6c0861621051290d705ec2e971963f1, new keys created by add_key() only have VIEW permission for the user, and the rest of the permissions require "possession," which means there is a path from the thread, process, or session keyring to the key. For the user and persistent anchor types, we link the collection into the process keyring to ensure that we have a possession rights on the collection. Adapted from a patch by simo@redhat.com. ticket: 7711 
Add support for the new anchor names persistent, user, and session.
The persistent anchor attempts to use a persistent keyring for a
specified uid, and falls back to the user keyring if it cannot; the
collection is stored at a fixed name within the persistent or user
keyring.  The session anchor uses the session keyring without legacy
semantics.

For all keyring types except legacy, attempt to use the "big_key" key
type on systems which have keyctl_get_persistent.  (They are
essentially unrelated features, but were added at the same time.)
This key type is stored in a kernel tmpfs and can store larger
tickets.

Since kernel commit 96b5c8fea6c0861621051290d705ec2e971963f1, new keys
created by add_key() only have VIEW permission for the user, and the
rest of the permissions require "possession," which means there is a
path from the thread, process, or session keyring to the key.  For the
user and persistent anchor types, we link the collection into the
process keyring to ensure that we have a possession rights on the
collection.

Adapted from a patch by simo@redhat.com.

ticket: 7711
Add collection support for KEYRING ccache type 2013-10-02T14:41:09+00:00 Greg Hudson ghudson@mit.edu 2013-09-27T22:45:29+00:00 c1e8d03a6254e3ce86a71eed31e4c127e3324f9b Augment the KEYRING ccache type to support collection semantics similar to those of the DIR type. For keyrings with no anchor prefix, maintain compatibility with old code by linking the initial primary cache directly from the session keyring and naming it after the collection. See http://k5wiki.kerberos.org/wiki/Projects/Keyring_collection_cache for more information. Adapted from a patch by simo@redhat.com. ticket: 7711 (new) 
Augment the KEYRING ccache type to support collection semantics
similar to those of the DIR type.  For keyrings with no anchor prefix,
maintain compatibility with old code by linking the initial primary
cache directly from the session keyring and naming it after the
collection.

See http://k5wiki.kerberos.org/wiki/Projects/Keyring_collection_cache
for more information.  Adapted from a patch by simo@redhat.com.

ticket: 7711 (new)
Reduce boilerplate in makefiles 2013-05-17T00:09:27+00:00 Greg Hudson ghudson@mit.edu 2013-05-16T18:21:12+00:00 4b0985f8573840838bcfa8ec1df3dcd39a3dbf15 Provide default values in pre.in for PROG_LIBPATH, PROG_RPATH, SHLIB_DIRS, SHLIB_RDIRS, and STOBJLISTS so that they don't have to be specified in the common case. Rename KRB5_RUN_ENV and KRB5_RUN_VARS to RUN_SETUP (already the most commonly used name) and RUN_VARS. Make sure to use DEFINES for local defines (not DEFS). Remove some other unnecessary makefile content. 
Provide default values in pre.in for PROG_LIBPATH, PROG_RPATH,
SHLIB_DIRS, SHLIB_RDIRS, and STOBJLISTS so that they don't have to be
specified in the common case.  Rename KRB5_RUN_ENV and KRB5_RUN_VARS
to RUN_SETUP (already the most commonly used name) and RUN_VARS.  Make
sure to use DEFINES for local defines (not DEFS).  Remove some other
unnecessary makefile content.
make depend 2013-01-10T17:46:26+00:00 Greg Hudson ghudson@mit.edu 2013-01-10T17:46:26+00:00 2807e8e1e1dc89b3d482de7c73d13d19187fdb38 Mostly this gets rid of the trailing space on line 2 after bb76891f5386526bdf91bc790c614fc9296cb5fa. 
Mostly this gets rid of the trailing space on line 2 after
bb76891f5386526bdf91bc790c614fc9296cb5fa.
Change optional handling in ASN.1 encoder 2012-02-11T23:25:21+00:00 Greg Hudson ghudson@mit.edu 2012-02-11T23:25:21+00:00 0af4df0af5fb856419681e8d259a5229c59e361f Create a new atype_optional with a function pointer to decide whether the type is present in the C object. For simple cases, sequences just reference the optional version of a type. For more complex cases (such as when the presence of the usec field of a sequence depends on whether the timestamp is set), we define a predicate on the structure object and nest the field type inside the optional type. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25692 dc483132-0cff-0310-8789-dd5450dbe970 
Create a new atype_optional with a function pointer to decide whether
the type is present in the C object.  For simple cases, sequences just
reference the optional version of a type.  For more complex cases (such
as when the presence of the usec field of a sequence depends on whether
the timestamp is set), we define a predicate on the structure object
and nest the field type inside the optional type.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25692 dc483132-0cff-0310-8789-dd5450dbe970
If the client offers the alg agility KDF, use it 2011-09-21T18:40:16+00:00 Sam Hartman hartmans@mit.edu 2011-09-21T18:40:16+00:00 af2ddab839944028ef51d9ef393496063f454bea Signed-off-by: Margaret Wasserman <mrw@painless-security.com> pkinit: changes to call alg-agility KDF git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25218 dc483132-0cff-0310-8789-dd5450dbe970 
Signed-off-by: Margaret Wasserman <mrw@painless-security.com>

pkinit:  changes to call alg-agility KDF

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25218 dc483132-0cff-0310-8789-dd5450dbe970
Add KRB5_TL_STRING_ATTRS and libkdb5 accessors 2011-09-21T16:28:54+00:00 Greg Hudson ghudson@mit.edu 2011-09-21T16:28:54+00:00 237e57c297708c8009cf2af4833b78abc4e05bbc git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25214 dc483132-0cff-0310-8789-dd5450dbe970 
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25214 dc483132-0cff-0310-8789-dd5450dbe970
Add the DIR ccache type 2011-09-05T16:26:30+00:00 Greg Hudson ghudson@mit.edu 2011-09-05T16:26:30+00:00 319c01a8f523843169b9e5342ac2d085ad67f8a2 The DIR ccache type supports a collection of credential caches within a private directory (which must be created out of band). One cache is designated as primary at any given time. Setting the default cache name to DIR:dirname will cause caches within dirname to be present in the global cache collection. ticket: 6953 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25154 dc483132-0cff-0310-8789-dd5450dbe970 
The DIR ccache type supports a collection of credential caches within
a private directory (which must be created out of band).  One cache is
designated as primary at any given time.  Setting the default cache
name to DIR:dirname will cause caches within dirname to be present in
the global cache collection.

ticket: 6953

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25154 dc483132-0cff-0310-8789-dd5450dbe970
Adjust most C source files to match the new standards for copyright 2011-03-09T21:46:07+00:00 Greg Hudson ghudson@mit.edu 2011-03-09T21:46:07+00:00 7da53e2942176c5ddfe007ba0a36f449e9fdb9fb and license comments. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24695 dc483132-0cff-0310-8789-dd5450dbe970 
and license comments.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24695 dc483132-0cff-0310-8789-dd5450dbe970