<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/rss.xsl.xml"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
    <title>Changes in data.3</title>
    <link>http://nxr.netbsd.org/rss/src/crypto/external/bsd/heimdal/dist/doc/doxyout/ntlm/man/man3/data.3</link>
    <description></description>
    <language>en</language>
    <copyright>Copyright 2005</copyright>
    <generator>Java</generator>
    
<item>
    <title>branches:  1.2.4;<br/>resolve conflicts, document HEAD vs release import process.</title>
    <description>/src/crypto/external/bsd/heimdal/dist/doc/doxyout/ntlm/man/man3/data.3 - 1.2</description>
    <pubDate>Sun Dec 15 22:50:46 UTC 2019</pubDate>
    <dc:creator>christos</dc:creator>
</item>

<item>
    <title>branches:  1.1.1;<br/>Initial revision</title>
    <description>/src/crypto/external/bsd/heimdal/dist/doc/doxyout/ntlm/man/man3/data.3 - 1.1</description>
    <pubDate>Sun Dec 15 22:45:38 UTC 2019</pubDate>
    <dc:creator>christos</dc:creator>
</item>

<item>
    <title>Release Notes - Heimdal - Version Heimdal 7.7<br/><br/>Bug fixes<br/><br/>PKCS#11 hcrypto back-end<br/>. initialize the p11_module_load function list<br/>. verify that not only is a mechanism present but that its mechanism<br/>info states that it offers the required encryption, decryption or<br/>digest services<br/><br/>krb5:<br/>. Starting with 7.6, Heimdal permitted requesting authenticated<br/>anonymous tickets. However, it did not verify that a KDC in fact<br/>returned an anonymous ticket when one was requested.<br/>. Cease setting the KDCOption request_anonymous flag when issuing<br/>S4UProxy (constrained delegation) TGS requests.<br/>. when the Win2K PKINIT compatibility option is set, do<br/>not require krbtgt otherName to match when validating KDC<br/>certificate.<br/>. set PKINIT_BTMM flag per Apple implementation<br/>. use memset_s() instead of memset()<br/><br/>kdc:<br/>. When generating KRB5SignedPath in the AS, use the reply client name<br/>rather than the one from the request, so validation will work<br/>correctly in the TGS.<br/>. allow checksum of PA-FOR-USER to be HMAC_MD5. Even if TGT used<br/>an enctype with a different checksum. Per [MS-SFU] 2.2.1<br/>PA-FOR-USER the checksum is always HMAC_MD5, and that's what<br/>Windows and MIT clients send.<br/><br/>In Heimdal both the client and kdc use instead the<br/>checksum of the TGT, and therefore work with each other<br/>but Windows and MIT clients fail against Heimdal KDC.<br/><br/>Both Windows and MIT KDC would allow any keyed checksum<br/>to be used so Heimdal clients work fine against it.<br/><br/>Change Heimdal KDC to allow HMAC_MD5 even for non RC4<br/>based TGT in order to support per-spec clients.<br/>. use memset_s() instead of memset()<br/>. Detect Heimdal 1.0 through 7.6 clients that issue S4UProxy<br/>(constrained delegation) TGS Requests with the request<br/>anonymous flag set. 
These requests will be treated as<br/>S4UProxy requests and not anonymous requests.<br/><br/>HDB:<br/>. Set SQLite3 backend default page size to 8KB.<br/>. Add hdb_set_sync() method<br/><br/>kadmind:<br/>. disable HDB sync during database load avoiding unnecessary disk i/o.<br/><br/>ipropd:<br/>. disable HDB sync during receive_everything. Doing an fsync<br/>per-record when receiving the complete HDB is a performance<br/>disaster. Among other things, if the HDB is very large, then<br/>one slave receiving a full HDB can cause other slaves to timeout<br/>and, if HDB write activity is high enough to cause iprop log<br/>truncation, then also need full syncs, which leads to a cycle of<br/>full syncs for all slaves until HDB write activity drops.<br/>Allowing the iprop log to be larger helps, but improving<br/>receive_everything() performance helps even more.<br/><br/>kinit:<br/>. Anonymous PKINIT tickets discard the realm information used<br/>to locate the issuing AS. Store the issuing realm in the<br/>credentials cache in order to locate a KDC which can renew them.<br/>. Do not leak the result of krb5_cc_get_config() when determining<br/>anonymous PKINIT start realm.<br/><br/>klist:<br/>. Show transited-policy-checked, ok-as-delegate and anonymous<br/>flags when listing credentials.<br/><br/>tests:<br/>. Regenerate certs so that they expire before the 2038 armageddon<br/>so the test suite will pass on 32-bit operating systems until the<br/>underlying issues can be resolved.<br/><br/>Solaris:<br/>. Define _STDC_C11_BCI for memset_s prototype<br/><br/>build tooling:<br/>. Convert from python 2 to python 3<br/><br/>documentation<br/>. rename verify-password to verify-password-quality<br/>. hprop default mode is encrypt<br/>. kadmind "all" permission does not include "get-keys"<br/>. 
verify-password-quality might not be stateless<br/><br/>Release Notes - Heimdal - Version Heimdal 7.6<br/><br/>Security (#555)<br/><br/>CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum<br/><br/>When the Heimdal KDC checks the checksum that is placed on the<br/>S4U2Self packet by the server to protect the requested principal<br/>against modification, it does not confirm that the checksum<br/>algorithm that protects the user name (principal) in the request<br/>is keyed. This allows a man-in-the-middle attacker who can<br/>intercept the request to the KDC to modify the packet by replacing<br/>the user name (principal) in the request with any desired user<br/>name (principal) that exists in the KDC and replace the checksum<br/>protecting that name with a CRC32 checksum (which requires no<br/>prior knowledge to compute).<br/><br/>This would allow a S4U2Self ticket requested on behalf of user<br/>name (principal) user@EXAMPLE.COM to any service to be changed<br/>to a S4U2Self ticket with a user name (principal) of<br/>Administrator@EXAMPLE.COM. This ticket would then contain the<br/>PAC of the modified user name (principal).<br/><br/>CVE-2019-12098, client-only:<br/><br/>RFC8062 Section 7 requires verification of the PA-PKINIT-KX key exchange<br/>when anonymous PKINIT is used. Failure to do so can permit an active<br/>attacker to become a man-in-the-middle.<br/><br/>Bug fixes<br/><br/>Happy eyeballs: Don't wait for responses from known-unreachable KDCs.<br/>kdc: check return copy_Realm, copy_PrincipalName, copy_EncryptionKey<br/>kinit:<br/>. cleanup temporary ccaches<br/>. see man page for "kinit --anonymous" command line syntax change<br/>kdc: Make anonymous AS-requests more RFC8062-compliant.<br/>Updated expired test certificates<br/>Solaris:<br/>. PKCS#11 hcrypto backend broken since 7.0.1<br/>. 
Building with Sun Pro C<br/>Features<br/><br/>kuser: support authenticated anonymous AS-REQs in kinit<br/>kdc: support for anonymous TGS-REQs<br/>kgetcred support for anonymous service tickets<br/>Support builds with OpenSSL 1.1.1<br/>Building from source:<br/><br/>Heimdal 7.5<br/><br/>This is a security release of Heimdal<br/><br/>This release patches a remote denial of service<br/><br/>CVE-2017-17439: In Heimdal 7.1 through 7.4, remote unauthenticated attackers are able to crash the KDC by sending a crafted UDP packet containing empty data fields for client name or realm.<br/><br/>Heimdal 7.4<br/><br/>This is a security release of Heimdal.<br/><br/>This release patches a critical vulnerability:<br/><br/>CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation<br/><br/>In _krb5_extract_ticket() the KDC-REP service name must be obtained from<br/>the encrypted version stored in 'enc_part' instead of the unencrypted version<br/>stored in 'ticket'.  Use of the unencrypted version provides an<br/>opportunity for successful server impersonation and other attacks.<br/><br/>Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.<br/>See https://www.orpheus-lyre.info/<br/><br/>This is the Heimdal 7.3 security release.<br/><br/>This release addresses CVE-2017-6594. See the NEWS file for details.<br/><br/>Heimdal 7.2<br/><br/>This is the Heimdal 7.2 release.</title>
    <description>/src/crypto/external/bsd/heimdal/dist/doc/doxyout/ntlm/man/man3/data.3 - 1.1.1.1</description>
    <pubDate>Sun Dec 15 22:45:38 UTC 2019</pubDate>
    <dc:creator>christos</dc:creator>
</item>

<item>
    <title>Sync with HEAD</title>
    <description>/src/crypto/external/bsd/heimdal/dist/doc/doxyout/ntlm/man/man3/data.3 - 1.2.4.3</description>
    <pubDate>Tue Apr 21 18:41:38 UTC 2020</pubDate>
    <dc:creator>martin</dc:creator>
</item>

<item>
    <title>Mostly merge changes from HEAD up to 20200411</title>
    <description>/src/crypto/external/bsd/heimdal/dist/doc/doxyout/ntlm/man/man3/data.3 - 1.2.4.2</description>
    <pubDate>Mon Apr 13 07:45:17 UTC 2020</pubDate>
    <dc:creator>martin</dc:creator>
</item>

<item>
    <title>file data.3 was added on branch phil-wifi on 2020-04-13 07:45:17 +0000</title>
    <description>/src/crypto/external/bsd/heimdal/dist/doc/doxyout/ntlm/man/man3/data.3 - 1.2.4.1</description>
    <pubDate>Sun Dec 15 22:50:46 UTC 2019</pubDate>
    <dc:creator>martin</dc:creator>
</item>
</channel></rss>

