(lha@NetBSD.ORG), to incorporate contemporary (last-year-ish)
set-password and change-password extensions derived RFC-3244
(Microsoft set-password/change-password extensions), and the
subsequent MIT-KRB5 APIs for changing and setting passwords.
Required for compatibility with recent (2002/2003-ish) open-source
code which uses the MIT KRB5 APIs for setting passwords, or for
joining Microsoft domains as a "computer account".
Modified files (for pullup tracking purposes):
lib/libasn1/Makefile
crypto/dist/heimdal/lib/asn1/k5.asn1
crypto/dist/heimdal/lib/krb5/changepw.c
crypto/dist/heimdal/lib/krb5/krb5-protos.h
crypto/dist/heimdal/lib/krb5/krb5.h
* Restore the signal mask with sigprocmask() instead of _UC_SIGMASK,
* since libpthread may want to interpose on signal handling.
Fixes regress/lib/libpthread/siglongjmp1.
The algorithm used is essentially PBKDF1 from RFC 2898 but using
hmac_sha1 rather than SHA1 directly (suggested by smb@research.att.com).
* The format of the encrypted password is:
* $<tag>$<iterations>$<salt>$<digest>
*
* where:
* <tag> is "sha1"
* <iterations> is an unsigned int identifying how many rounds
* have been applied to <digest>. The number
* should vary slightly for each password to make
* it harder to generate a dictionary of
* pre-computed hashes. See crypt_sha1_iterations.
* <salt> up to 64 bytes of random data, 8 bytes is
* currently considered more than enough.
* <digest> the hashed password.
hmac.c implementes HMAC as defined in RFC 2104 and includes a unit
test for both hmac_sha1 and hmac_sha1 using a selection of the Known
Answer Tests from RFC 2202.
It is worth noting that to be FIPS compliant the hmac key (password)
should be 10-20 chars.
(fixed in fdlibm-5.3)
-being here, sync with -5.3 as far as possible (There is another bugfix -
sign in overflow/underflow cases -; this doesn't change anything for us
because the wrapper (w_pow.c) fixes this up. Keep things in sync anyway
to ease further maintainance.)
sleep(3) expects this, even though it's not a documented property of
nanosleep().
Fixes a problem where sleep() in a threaded program would return
nonzero even on success.
_NETBSD_SOURCE as this makes cross building from older/newer versions of
NetBSD harder, not easier (and also makes the resulting tools 'different')
Wrap all required code with the inclusion of nbtool_config.h, attempt to
only use POSIX code in all places (or when reasonable test w. configure and
provide definitions: ala u_int, etc).
Reviewed by lukem. Tested on FreeBSD 4.9, Redhat Linux ES3, NetBSD 1.6.2 x86
NetBSD current (x86 and amd64) and Solaris 9.
Fixes PR's: PR#17762 PR#25944
drochner