summaryrefslogtreecommitdiffstats
path: root/third_party/heimdal/ChangeLog.2006
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/heimdal/ChangeLog.2006')
-rw-r--r--third_party/heimdal/ChangeLog.20062047
1 files changed, 2047 insertions, 0 deletions
diff --git a/third_party/heimdal/ChangeLog.2006 b/third_party/heimdal/ChangeLog.2006
new file mode 100644
index 0000000..d48ea8a
--- /dev/null
+++ b/third_party/heimdal/ChangeLog.2006
@@ -0,0 +1,2047 @@
+2006-12-28 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/process.c: Handle kx509 requests.
+
+ * kdc/connect.c: Listen to 9878 if kca is turned on.
+
+ * kdc/headers.h: Include <kx509_asn1.h>.
+
+ * kdc/config.c: code to parse [kdc]enable-kx509
+
+ * kdc/kdc.h: add enable_kx509
+
+ * kdc/Makefile.am: add kx509.c
+
+ * kdc/kx509.c: Kx509server (external certificate genration).
+
+ * lib/krb5/ticket.c: add krb5_ticket_get_endtime
+
+ * lib/krb5/krb5_ticket.3: Document krb5_ticket_get_endtime
+
+ * kdc/digest.c: Remove <digest_asn.h>, its already included in
+ headers.h
+
+ * kdc/digest.c: Return session key for the NTLMv2 case too
+
+ * lib/krb5/digest.c (krb5_ntlm_rep_get_sessionkey): return value
+ is krb5_error_code
+
+2006-12-27 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/mk_req_ext.c (_krb5_mk_req_internal): use md5 for
+ des-cbc-md4 and des-cbc-md5. This is for (older) windows that
+ will be unhappy anything else. From Inna Bort-Shatsky
+
+2006-12-26 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/digest.c: Prefix internal symbol with _kdc_.
+
+ * kdc/kdc.h: add digests_allowed
+
+ * kdc/digest.c: return NTLM2 targetinfo structure.
+
+ * lib/krb5/digest.c: Add krb5_ntlm_init_get_targetinfo.
+
+ * kdc/config.c: Parse digest acl's
+
+ * kdc/kdc_locl.h: forward decl;
+
+ * kdc/digest.c: Add digest acl's
+
+2006-12-22 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * fix-export: build ntlm-private.h
+
+2006-12-20 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * include/make_crypto.c: Include <.../hmac.h>.
+
+ * kdc/digest.c: reorder to show slot here ntlmv2 code will be
+ placed.
+
+ * kdc/digest.c: Announce that we support key exchange and add bits
+ to detect when it wasn't used.
+
+ * kdc/digest.c: Add support for generating NTLM2 session security
+ answer.
+
+2006-12-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/digest.c: Add sessionkey accessor functions.
+
+2006-12-18 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/digest.c: Unwrap the NTLM session key and return it to the
+ server.
+
+2006-12-17 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/store.c (krb5_ret_principal): Fix a bug in the malloc
+ failure part, noticed by Arnaud Lacombe in NetBSD coverity scan.
+
+2006-12-15 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/fcache.c (fcc_get_cache_next): avoid const warning.
+
+ * kdc/digest.c: Support NTLM verification, note that the KDC does
+ no NTLM packet parsing, its all done by the client side, the KDC
+ just calculate and verify the digest and return the result to the
+ service.
+
+ * kuser/kdigest.c: add ntlm-server-init
+
+ * kuser/Makefile.am: kdigest depends on libheimntlm.la
+
+ * kdc/headers.h: Include <heimntlm.h>.
+
+ * kdc/Makefile.am: libkdc needs libheimntlm.la
+
+ * autogen.sh: just run autoreconf -i -f
+
+ * lib/Makefile.am: hook in ntlm
+
+ * configure.in (AC_CONFIG_FILES): add lib/ntlm/Makefile
+
+ * lib/krb5/digest.c: API to authenticate ntlm requests.
+
+ * lib/krb5/fcache.c: Support "iteration" of file credential caches
+ by giving the user back the default file credential cache and only
+ that.
+
+ * lib/krb5/krb5_locl.h: Expand the default root for some of the cc
+ type names.
+
+2006-12-14 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/init_creds_pw.c (free_paid): free the krb5_data
+ structure too. Bug report from Stefan Metzmacher.
+
+2006-12-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kuser/kinit.c: Read the appdefault configration before we try to
+ use the flags. Bug reported by Ingemar Nilsson.
+
+ * kuser/kdigest.c: prefix digest commands with digest_
+
+ * kuser/kdigest-commands.in: prefix digest commands with digest-
+
+2006-12-10 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/hprop.c: Return error codes on failure, improve error
+ reporting.
+
+2006-12-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c: sprinkle more _krb5_pk_copy_error
+
+ * lib/krb5/pkinit.c: Copy more hx509 error strings to krb5 error
+ strings
+
+2006-12-07 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * include/Makefile.am: CLEANFILES += vis.h
+
+2006-12-06 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos5.c (_kdc_as_rep): add AD-INITAL-VERIFIED-CAS to the
+ encrypted ticket
+
+ * kdc/pkinit.c (_kdc_add_inital_verified_cas): new function, adds
+ an empty (for now) AD_INITIAL_VERIFIED_CAS to tell the clients
+ that we vouches for the CA.
+
+ * kdc/kerberos5.c (_kdc_tkt_add_if_relevant_ad): new function.
+
+ * lib/Makefile.am: Make the directories test automake conditional
+ so automake can include directories in make dist step.
+
+ * kdc/pkinit.c (_kdc_pk_rd_padata): leak less memory for
+ ExternalPrincipalIdentifiers
+
+ * kdc/pkinit.c: Parse and use PA-PK-AS-REQ.trustedCertifiers
+
+ * kdc/pkinit.c: Add comment that the anchors in the signed data
+ really should be the trust anchors of the client.
+
+ * kuser/generate-requests.c: Use strcspn to remove \n from
+ string returned by fgets. From Björn Sandell
+
+ * kpasswd/kpasswd-generator.c: Use strcspn to remove \n from
+ string returned by fgets. From Björn Sandell
+
+2006-12-05 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/hdb/hdb-ldap.c: Clear errno before calling the strtol
+ functions. From Paul Stoeber to OpenBSD by Ray Lai and Björn
+ Sandell.
+
+ * lib/krb5/config_file.c: Use strcspn to remove \n from fgets
+ result. Prompted by change by Ray Lai of OpenBSD via Björn
+ Sandell.
+
+ * kdc/string2key.c: Use strcspn to remove \n from fgets
+ result. Prompted by change by Ray Lai of OpenBSD via Björn
+ Sandell.
+
+2006-11-30 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krbhst.c (plugin_get_hosts): be more paranoid and pass
+ in a NULLed plugin list
+
+2006-11-29 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/verify_krb5_conf.c: add more pkinit options.
+
+ * lib/krb5/pkinit.c: Store what PK-INIT type we used to know reply
+ to expect, this avoids overwriting the real PK-INIT error from
+ just a failed requeat with a Windows PK-INIT error (that always
+ failes).
+
+ * kdc/Makefile.am: Add LIB_pkinit to pacify AIX
+
+ * lib/hdb/Makefile.am: Add LIB_com_err to pacify AIX
+
+2006-11-28 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/hdb/hdb-ldap.c: Make build again from the hdb_entry
+ wrapping. Patch from Andreas Hasenack.
+
+ * kdc/pkinit.c: Need better code in the DH parameter rejection
+ case, add comment to that effect.
+
+2006-11-27 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/krb5tgs.c: Reply KRB5KRB_ERR_RESPONSE_TOO_BIG for too large
+ packets when using datagram based transports.
+
+ * kdc/process.c: Pass down datagram_reply to _kdc_tgs_rep.
+
+ * lib/krb5/pkinit.c (build_auth_pack): set supportedCMSTypes.
+
+2006-11-26 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c: Pass down hx509_peer_info.
+
+ * kdc/pkinit.c (_kdc_pk_rd_padata): Pick up supportedCMSTypes and
+ pass in into hx509_cms_create_signed_1 via hx509_peer_info blob.
+
+ * kdc/pkinit.c (_kdc_pk_rd_padata): Pick up supportedCMSTypes and
+ pass in into hx509_cms_create_signed_1 via hx509_peer_info blob.
+
+2006-11-24 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/send_to_kdc.c: Set the large_msg_size to 1400, lets not
+ fragment packets and avoid stupid linklayers that doesn't allow
+ fragmented packets (unix dgram sockets on Mac OS X)
+
+2006-11-23 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c (_krb5_pk_create_sign): stuff down the users
+ certs in the pool to make sure a path is returned, without this
+ proxy certificates wont work.
+
+2006-11-21 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/config.c: Make all pkinit options prefixed with pkinit_
+
+ * lib/krb5/log.c (krb5_get_warn_dest): return warn_dest from
+ krb5_context
+
+ * lib/krb5/krb5_warn.3: document krb5_[gs]et_warn_dest
+
+ * lib/krb5/krb5.h: Drop KRB5_KU_TGS_IMPERSONATE.
+
+ * kdc/krb5tgs.c: Use KRB5_KU_OTHER_CKSUM for the impersonate
+ checksum.
+
+ * lib/krb5/get_cred.c: Use KRB5_KU_OTHER_CKSUM for the impersonate
+ checksum.
+
+2006-11-20 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/verify_user.c: Make krb5_get_init_creds_opt_free take a
+ context argument.
+
+ * lib/krb5/krb5_get_init_creds.3: Make
+ krb5_get_init_creds_opt_free take a context argument.
+
+ * lib/krb5/init_creds_pw.c: Make krb5_get_init_creds_opt_free take
+ a context argument.
+
+ * kuser/kinit.c: Make krb5_get_init_creds_opt_free take a context
+ argument.
+
+ * kpasswd/kpasswd.c: Make krb5_get_init_creds_opt_free take a
+ context argument.
+
+ * kpasswd/kpasswd-generator.c: Make krb5_get_init_creds_opt_free
+ take a context argument.
+
+ * kdc/hprop.c: Make krb5_get_init_creds_opt_free take a context
+ argument.
+
+ * lib/krb5/init_creds.c: Make krb5_get_init_creds_opt_free take a
+ context argument.
+
+ * appl/gssmask/gssmask.c: Make krb5_get_init_creds_opt_free take a
+ context argument.
+
+2006-11-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * doc/setup.texi: fix pkinit option (s/-/_/)
+
+ * kdc/config.c: revert the enable-pkinit change, and make it
+ consistant with all other other enable- options
+
+2006-11-17 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * doc/setup.texi: Make all pkinit options prefixed with pkinit_
+
+ * kdc/config.c: Make all pkinit options prefixed with pkinit_
+
+ * kdc/pkinit.c: Make app pkinit options prefixed with pkinit_
+
+ * lib/krb5/pkinit.c: Make app pkinit options prefixed with pkinit_
+
+ * lib/krb5/mit_glue.c (krb5_c_keylengths): make compile again.
+
+ * lib/krb5/mit_glue.c (krb5_c_keylengths): rename.
+
+ * lib/krb5/mit_glue.c (krb5_c_keylength): mit changed the api,
+ deal.
+
+2006-11-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pac.c (fill_zeros): stop using MIN.
+
+ * kuser/kinit.c: Forward decl
+
+ * lib/krb5/test_plugin.c: Use NOTHERE.H5L.SE.
+
+ * lib/krb5/krbhst.c: Fill in hints for picky getaddrinfo()s.
+
+ * lib/krb5/test_plugin.c: Set sin_len if it exists.
+
+ * lib/krb5/krbhst.c: Use plugin for the other realm locate types
+ too.
+
+2006-11-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5_locl.h: Add plugin api
+
+ * lib/krb5/Makefile.am: Add plugin api.
+
+ * lib/krb5/krbhst.c: Use the resolve plugin interface.
+
+ * lib/krb5/locate_plugin.h: Add plugin interface for resolving
+ that is API compatible with MITs version.
+
+ * lib/krb5/plugin.c: Add first version of the plugin interface.
+
+ * lib/krb5/test_pac.c: Test signing.
+
+ * lib/krb5/pac.c: Add code to sign PACs, only arcfour for now.
+
+ * lib/krb5/krb5.h: Add struct krb5_pac.
+
+2006-11-09 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/test_pac.c: PAC testing.
+
+ * lib/krb5/pac.c: Sprinkle error strings.
+
+ * lib/krb5/pac.c: Verify LOGON_NAME.
+
+ * kdc/pkinit.c (_kdc_pk_check_client): drop client_princ as an
+ argument
+
+ * kdc/kerberos5.c (_kdc_as_rep): drop client_princ from
+ _kdc_pk_check_client since its not valid in canonicalize case
+
+ * lib/krb5/krb5_c_make_checksum.3: Document krb5_c_keylength.
+
+ * lib/krb5/mit_glue.c: Add krb5_c_keylength.
+
+2006-11-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pac.c: Almost enough code to do PAC parsing and
+ verification, missing in the unix2NTTIME and ucs2 corner. The
+ later will be adressed by finally adding libwind.
+
+ * lib/krb5/krb5_init_context.3: document krb5_[gs]et_max_time_skew
+
+ * kdc/hpropd.c: Remove support dumping to a kerberos 4 database.
+
+2006-11-07 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/context.c: rename krb5_[gs]et_time_wrap to
+ krb5_[gs]et_max_time_skew
+
+ * kdc/pkinit.c: Catch error string from hx509_cms_verify_signed.
+ Check for id-pKKdcEkuOID and warn if its not there.
+
+ * lib/krb5/rd_req.c: Add more krb5_rd_req_out_get functions.
+
+2006-11-06 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5.h: krb5_rd_req{,_in,_out}_ctx.
+
+ * lib/krb5/rd_req.c (krb5_rd_req_ctx): Add context all singing-all
+ dancing version of the krb5_rd_req and implement krb5_rd_req and
+ krb5_rd_req_with_keyblock using it.
+
+2006-11-04 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos5.c (_kdc_as_rep): More verbose time skew logging.
+
+2006-11-03 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/expand_hostname.c: Rename various routines and
+ constants from canonize to canonicalize. From Andrew Bartlett
+
+ * lib/krb5/context.c: Add krb5_[gs]et_time_wrap
+
+ * lib/krb5/krb5_locl.h: Rename various routines and constants from
+ canonize to canonicalize. From Andrew Bartlett
+
+ * appl/gssmask/common.c (add_list): fix alloc statement.
+ From Alex Deiter
+
+2006-10-25 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * include/Makefile.am: Move version.h and version.h.in to
+ DISTCLEANFILES.
+
+2006-10-24 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * appl/gssmask/gssmask.c: Only log when there are resources left.
+
+ * appl/gssmask/gssmask.c: make compile
+
+ * appl/gssmask/gssmask.c (AcquireCreds): free
+ krb5_get_init_creds_opt
+
+2006-10-23 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * configure.in: heimdal 0.8-RC1
+
+2006-10-22 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/digest.c: Try to not leak memory.
+
+ * kdc/digest.c: Try to not leak memory.
+
+ * Makefile.am: remove valgrind target, it doesn't belong here.
+
+ * kuser/kinit.c: Try to not leak memory.
+
+ * kuser/kgetcred.c: Try to not leak memory.
+
+ * kdc/krb5tgs.c (check_KRB5SignedPath): free KRB5SignedPath on
+ successful completion too, not just the error cases.
+
+ * fix-export: Make make fix-export less verbose.
+
+ * kuser/kgetcred.c: Try to not leak memory.
+
+ * lib/hdb/keys.c (hdb_generate_key_set): free list of enctype when
+ done.
+
+ * lib/krb5/crypto.c: Allocate the memory we later use.
+
+ * lib/krb5/test_princ.c: Try to not leak memory.
+
+ * lib/krb5/test_crypto_wrapping.c: Try to not leak memory.
+
+ * lib/krb5/test_cc.c: Try to not leak memory.
+
+ * lib/krb5/addr_families.c (arange_free): Try to not leak memory.
+
+ * lib/krb5/crypto.c (AES_string_to_key): Try to not leak memory.
+
+2006-10-21 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * tools/heimdal-build.sh: Add --test-environment
+
+ * tools/heimdal-build.sh: Add --ccache-dir
+
+ * lib/hdb/Makefile.am: remove dependency on et files covert_db
+ that now is removed
+
+2006-10-20 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * include/Makefile.am: add gssapi to subdirs
+
+ * lib/hdb/hdb-ldap.c: Make compile.
+
+ * configure.in: add include/gssapi/Makefile.
+
+ * include/Makefile.am: clean more files
+
+ * include/make_crypto.c: Avoid creating a file called --version.
+
+ * include/bits.c: Avoid creating a file called --version.
+
+ * appl/test/Makefile.am: add nt_gss_common.h
+
+ * doc/Makefile.am: Disable TEXI2DVI for now.
+
+ * tools/Makefile.am: more files
+
+ * lib/krb5/context.c (krb5_free_context): free send_to_kdc context
+
+ * doc/heimdal.texi: Put Heimdal in the dircategory Security.
+
+ * lib/krb5/send_to_kdc.c: Add sent_to_kdc hook, from Andrew
+ Bartlet.
+
+ * lib/krb5/krb5_locl.h: Add send_to_kdc hook.
+
+ * lib/krb5/krb5.h: Add krb5_send_to_kdc_func prototype.
+
+ * kcm/Makefile.am: more files
+
+ * kdc/Makefile.am: more files
+
+ * lib/hdb/Makefile.am: more files
+
+ * lib/krb5/Makefile.am: add more files
+
+2006-10-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * tools/Makefile.am: Add heimdal-build.sh to EXTRA_DIST.
+
+ * configure.in: Don't check for timegm, libroken provides it for
+ us.
+
+ * lib/krb5/acache.c: Does function typecasts instead of void *
+ type-casts.
+
+ * lib/krb5/krb5.h: Remove bonus , that Love sneeked in.
+
+ * configure.in: make --disable-pk-init help text also negative
+
+2006-10-18 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kuser/kgetcred.c: Avoid memory leak.
+
+ * tools/heimdal-build.sh: Add more verbose logging, add version of
+ script and heimdal to the mail.
+
+ * lib/hdb/db3.c: Wrap function call pointer calls in (*func) to
+ avoid macros rewriting open and close.
+
+ * lib/krb5/Makefile.am: Add test_princ.
+
+ * lib/krb5/principal.c: More error strings, handle realm-less
+ printing.
+
+ * lib/krb5/test_princ.c: Test principal parsing and unparsing.
+
+2006-10-17 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/get_host_realm.c (krb5_get_host_realm): make sure we
+ don't recurse
+
+ * lib/krb5/get_host_realm.c (krb5_get_host_realm): no components
+ -> no dns. no mapping, try local realm and hope KDC knows better.
+
+ * lib/krb5/krb5.h: Add flags for krb5_unparse_name_flags
+
+ * lib/krb5/krb5_principal.3: Document
+ krb5_unparse_name{_fixed,}_flags.
+
+ * lib/krb5/principal.c: Add krb5_unparse_name_flags and
+ krb5_unparse_name_fixed_flags.
+
+ * lib/krb5/krb5_principal.3: Document krb5_parse_name_flags.
+
+ * lib/krb5/principal.c: Add krb5_parse_name_flags.
+
+ * lib/krb5/principal.c: Add krb5_parse_name_flags.
+
+ * lib/krb5/krb5.h: Add krb5_parse_name_flags flags.
+
+ * lib/krb5/krb5_locl.h: Hide krb5_context_data from public
+ exposure.
+
+ * lib/krb5/krb5.h: Hide krb5_context_data from public exposure.
+
+ * kuser/klist.c: Use krb5_get_kdc_sec_offset.
+
+ * lib/krb5/context.c: Document krb5_get_kdc_sec_offset()
+
+ * lib/krb5/krb5_init_context.3: Add krb5_get_kdc_sec_offset()
+
+ * lib/krb5/krb5_init_context.3: Add krb5_set_dns_canonize_hostname
+ and krb5_get_dns_canonize_hostname
+
+ * lib/krb5/verify_krb5_conf.c:
+ add [libdefaults]dns_canonize_hostname
+
+ * lib/krb5/expand_hostname.c: use dns_canonize_hostname to
+ determin if we should talk to dns to find the canonical name of
+ the host.
+
+ * lib/krb5/krb5.h (krb5_context): add dns_canonize_hostname.
+
+ * tools/heimdal-build.sh: Set status.
+
+ * appl/gssmask/gssmask.c: handle more bits
+
+ * kdc/kerberos5.c: Prefix asn1 primitives with der_.
+
+2006-10-16 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * fix-export: Build lib/asn1/der-protos.h.
+
+2006-10-14 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * appl/gssmask/Makefile.am: Add explit depenency on libroken.
+
+ * kdc/krb5tgs.c: Prefix der primitives with der_.
+
+ * kdc/pkinit.c: Prefix der primitives with der_.
+
+ * lib/hdb/ext.c: Prefix der primitives with der_.
+
+ * lib/hdb/ext.c: Prefix der primitives with der_.
+
+ * lib/krb5/crypto.c: Remove workaround from when there wasn't
+ always aes.
+
+ * lib/krb5/ticket.c: Prefix der primitives with der_.
+
+ * lib/krb5/digest.c: Prefix der primitives with der_.
+
+ * lib/krb5/crypto.c: Prefix der primitives with der_.
+
+ * lib/krb5/data.c: Prefix der primitives with der_.
+
+2006-10-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/pkinit.c (pk_mk_pa_reply_enckey): add missing break. From
+ Olga Kornievskaia.
+
+ * kdc/kdc.8: document max-kdc-datagram-reply-length
+
+ * include/bits.c: Include Xint64 types.
+
+2006-10-10 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * tools/heimdal-build.sh: Add socketwrapper and cputime limit.
+
+ * kdc/connect.c (loop): Log that the kdc have started.
+
+2006-10-09 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/connect.c (do_request): tell krb5_kdc_process_request if its
+ a datagram reply or not
+
+ * kdc/kerberos5.c: Reply KRB5KRB_ERR_RESPONSE_TOO_BIG error if its
+ a datagram reply and the datagram reply length limit is reached.
+
+ * kdc/process.c: Rename krb5_kdc_process_generic_request to
+ krb5_kdc_process_request Add datagram_reply argument.
+
+ * kdc/config.c: check for [kdc]max-kdc-datagram-reply-length
+
+ * kdc/kdc.h (krb5_kdc_config): Add max_datagram_reply_length.
+
+ * lib/hdb/keytab.c: Change || to |, From metze.
+
+ * lib/hdb/keytab.c: Add back :file to sample format.
+
+ * lib/hdb/keytab.c: Add more HDB_F flags to hdb_fetch. Pointed out
+ by Andrew Bartlet.
+
+ * kdc/krb5tgs.c (tgs_parse_request): set cusec, not csec from
+ auth->cusec.
+
+2006-10-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * fix-export: dist_-ify libkadm5clnt_la_SOURCES too
+
+ * doc/heimdal.texi: Update (c) years.
+
+ * appl/gssmask/protocol.h: Clarify protocol.
+
+ * kdc/hpropd.c: Adapt to signature change of
+ _krb5_principalname2krb5_principal.
+
+ * kdc/kerberos4.c: Adapt to signature change of
+ _krb5_principalname2krb5_principal.
+
+ * kdc/connect.c (handle_vanilla_tcp): shorten length when we
+ shorten the buffer, this matter im the PK-INIT encKey case where a
+ checksum is done over the whole packet. Reported by Olga
+ Kornievskaia
+
+2006-10-07 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * include/Makefile.am: crypto-headers.h is a nodist header
+
+ * lib/krb5/aes-test.c: Make argument to PKCS5_PBKDF2_HMAC_SHA1
+ unsigned char to make OpenSSL happy.
+
+ * appl/kf/Makefile.am: Add man_MANS to EXTRA_DIST
+
+ * kuser/Makefile.am: split build files into dist_ and noinst_
+ SOURCES
+
+ * lib/hdb/Makefile.am: split build files into dist_ and noinst_
+ SOURCES
+
+ * lib/krb5/Makefile.am: split build files into dist_ and noinst_
+ SOURCES
+
+ * kdc/kerberos5.c: Adapt to signature change of
+ _krb5_principalname2krb5_principal.
+
+2006-10-06 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krbhst.c (common_init): don't try DNS when there is
+ realm w/o a dot.
+
+ * kdc/524.c: Adapt to signature change of
+ _krb5_principalname2krb5_principal.
+
+ * kdc/krb5tgs.c: Adapt to signature change of
+ _krb5_principalname2krb5_principal.
+
+ * lib/krb5/get_in_tkt.c: Adapt to signature change of
+ _krb5_principalname2krb5_principal.
+
+ * lib/krb5/rd_cred.c: Adapt to signature change of
+ _krb5_principalname2krb5_principal.
+
+ * lib/krb5/rd_req.c: Adapt to signature change of
+ _krb5_principalname2krb5_principal.
+
+ * lib/krb5/asn1_glue.c (_krb5_principalname2krb5_principal): add
+ krb5_context to signature.
+
+ * kdc/524.c (_krb5_principalname2krb5_principal): adapt to
+ signature change
+
+ * lib/hdb/keytab.c (hdb_get_entry): close and destroy the database
+ later, the hdb_entry_ex might still contain links to the database
+ that it expects to use.
+
+ * kdc/digest.c: Make digest argument o MD5_final unsigned char to
+ help OpenSSL.
+
+ * kuser/kdigest.c: Make digest argument o MD5_final unsigned char
+ to help OpenSSL.
+
+ * appl/gssmask/common.h: Maybe include <sys/wait.h>.
+
+2006-10-05 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * appl/gssmask/common.h: disable ENABLE_PTHREAD_SUPPORT and
+ explain why
+
+ * tools/heimdal-build.sh: Another mail header.
+
+ * tools/heimdal-build.sh: small fixes
+
+ * fix-export: More liberal parsing of AC_INIT
+
+ * tools/heimdal-build.sh: first cut
+
+2006-10-04 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * configure.in: Call AB_INIT.
+
+ * kuser/kinit.c: Add flag --pk-use-enckey.
+
+ * kdc/pkinit.c: Sign the request in the encKey case. Bug reported
+ by Olga Kornievskaia of Umich.
+
+ * lib/krb5/Makefile.am: man_MANS += krb5_digest.3
+
+ * lib/krb5/krb5_digest.3: Add all protos
+
+2006-10-03 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5_digest.3: Basic krb5_digest manpage.
+
+2006-10-02 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * fix-export: build gssapi mech private files
+
+ * lib/krb5/init_creds_pw.c: minimize layering and remove
+ krb5_kdc_flags
+
+ * lib/krb5/get_in_tkt.c: Always use the kdc_flags in the right bit
+ order.
+
+ * lib/krb5/init_creds_pw.c: Always use the kdc_flags in the right
+ bit order.
+
+ * kuser/kdigest.c: Don't require --kerberos-realm.
+
+ * lib/krb5/digest.c (digest_request): if NULL is passed in as
+ realm, use default realm.
+
+ * fix-export: build gssapi mech private files
+
+2006-09-26 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * appl/gssmask/gssmaestro.c: Handle FIRST_CALL in the context
+ building, better error handling.
+
+ * appl/gssmask/gssmaestro.c: switch from wrap/unwrap to
+ encrypt/decrypt
+
+ * appl/gssmask/gssmask.c: Don't announce spn if there is none.
+
+ * appl/gssmask/gssmaestro.c: Check that the pre-wrapped data is
+ the same as afterward.
+
+2006-09-25 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * appl/gssmask/gssmaestro.c: Remove stray GSS_C_DCE_STYLE.
+
+ * appl/gssmask/gssmaestro.c: Add logsocket support.
+
+2006-09-22 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * appl/gssmask/gssmaestro.c (build_context): print the step the
+ context exchange.
+
+2006-09-21 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * appl/gssmask/gssmaestro.c: Add GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG
+ to all context flags
+
+ * appl/gssmask/gssmaestro.c: Add wrap and mic tests for all
+ elements
+
+ * appl/gssmask/gssmask.c: Add mic tests
+
+ * appl/gssmask/gssmaestro.c: dont exit early then when context
+ is half built.
+
+ * lib/krb5/rd_req.c: disable ETypeList parsing usage for now, cfx
+ seems broken and its not good to upgrade to a broken enctype.
+
+2006-09-20 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * appl/gssmask/gssmask.c: Add wrap/unwrap ops
+
+ * appl/gssmask/protocol.h: Add eGetVersionAndCapabilities flags
+
+ * appl/gssmask/common.c: Add permutate_all (and support
+ functions).
+
+ * appl/gssmask/common.h: Add permutate_all
+
+ * appl/gssmask/gssmask.c: use new flags, return moniker
+
+ * appl/gssmask/gssmaestro.c: test self context building and all
+ permutation of clients
+
+2006-09-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * appl/gssmask/gssmask.c: add --logfile option, use htons() on
+ port number
+
+ * appl/gssmask/gssmaestro.c: Log port in connection message.
+
+ * configure.in: Make pk-init turned on by default.
+
+2006-09-18 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * fix-export: Build lib/hx509/{hx509-protos.h,hx509-private.h}.
+
+ * kuser/Makefile.am: Add tool for printing tickets.
+
+ * kuser/kimpersonate.1: Add tool for printing tickets.
+
+ * kuser/kimpersonate.c: Add tool for printing tickets.
+
+ * kdc/krb5tgs.c: Check the adtkt in the constrained delegation
+ case too.
+
+2006-09-16 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/main.c (sigterm): don't _exit, let loop() catch the signal
+ instead.
+
+ * lib/krb5/krb5_timeofday.3: Fixes from Björn Sandell.
+
+ * lib/krb5/krb5_get_init_creds.3: Fixes from Björn Sandell.
+
+2006-09-15 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * tools/krb5-config.in: Add "kafs" option.
+
+2006-09-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/hdb/db.c: By using full function calling conversion (*func)
+ we avoid problem when close(fd) is overridden using a macro.
+
+ * lib/krb5/cache.c: By using full function calling
+ conversion (*func) we avoid problem when close(fd) is overridden
+ using a macro.
+
+2006-09-11 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos5.c: Signing outgoing tickets.
+
+ * kdc/krb5tgs.c: Add signing and checking of tickets to s4u2self
+ works securely.
+
+ * lib/krb5/pkinit.c: Adapt to new signature of
+ hx509_cms_unenvelope.
+
+2006-09-09 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c (pk_verify_host): set errorstrings in a
+ sensable way
+
+2006-09-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5_init_context.3: Prevent a font generation warning,
+ from Jason McIntyre.
+
+2006-09-06 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/context.c (krb5_init_ets): Add the hx errortable
+
+ * lib/krb5/krb5_locl.h: Include hx509_err.h.
+
+ * lib/krb5/pkinit.c (_krb5_pk_verify_sign): catch the error string
+ from the hx509 lib
+
+2006-09-04 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags):
+ fix argument to krb5_get_init_creds_opt_set_addressless.
+
+ * lib/krb5/init_creds_pw.c (init_cred_loop): try to catch the
+ error when we actually have an error to catch.
+
+ * lib/krb5/init_creds_pw.c: Remove debug printfs.
+
+ * kuser/kinit.c: Remove debug printf
+
+ * lib/krb5/krb5_get_init_creds.3: Document
+ krb5_get_init_creds_opt_set_addressless.
+
+ * kuser/kinit.c: Use new function
+ krb5_get_init_creds_opt_set_addressless.
+
+ * lib/krb5/krb5_locl.h: use new addressless, convert pa-pac option
+ to use the same tri-state option as the new addressless option.
+
+ * lib/krb5/init_creds_pw.c: use new addressless, convert pa-pac
+ option to use the same tri-state option as the new addressless
+ option.
+
+ * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_addressless):
+ used to control the address-lessness of the initial tickets
+ instead of passing in the empty set of address into
+ krb5_get_init_creds_opt_set_addresses.
+
+2006-09-01 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kuser/kinit.c (renew_validate): inherit the proxiable and
+ forwardable from the orignal ticket, pointed out by Bernard
+ Antoine of CERN.
+
+ * doc/setup.texi: More text about the acl_file entry and
+ hdb-ldap-structural-object. From Rüdiger Ranft.
+
+ * lib/krb5/krbhst.c (fallback_get_hosts): limit the fallback
+ lookups to 5. Patch from Wesley Craig, umich.edu
+
+ * configure.in: Add special tests for <sys/ucred.h>, include test
+ for sys/param.h and sys/types.h
+
+ * appl/test/tcp_server.c (proto): use keytab for krb5_recvauth
+ Patch from Ingemar Nilsson <init@pdc.kth.se>
+
+2006-08-28 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kuser/kdigest.c (help): use sl_slc_help().
+
+ * kdc/digest.c: Catch more error, add SASL DIGEST MD5.
+
+ * lib/krb5/digest.c: Catch more error.
+
+2006-08-25 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * doc/setup.texi: language.
+
+ * doc/heimdal.texi: Add last updated text.
+
+ * doc/heimdal.css: make box around heimdal title
+
+ * doc/heimdal.css: Inital Heimdal css for the info manual
+
+ * lib/krb5/digest.c: In the case where we get a DigestError back,
+ save the error string and code.
+
+2006-08-24 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos5.c: Remove _kdc_find_etype(), its no longer used.
+
+ * kdc/digest.c: Remove local error label and have just one exit
+ label, set error strings properly.
+
+ * kdc/digest.c: Simply the disabled-service case. Check the
+ allow-digest flag in the HDB entry for the client.
+
+ * kdc/process.c (krb5_kdc_process_generic_request): check if we
+ got a digest request and process it.
+
+ * kdc/main.c: Register hdb keytab operations.
+
+ * kdc/kdc.8: document [kdc]enable-digest=boolean
+
+ * kdc/Makefile.am: add digest to libkdc
+
+ * kdc/digest.c: Make a return a goto to avoid freeing un-inited
+ memory in cleanup code.
+
+ * kdc/default_config.c (krb5_kdc_default_config): default to all
+ bits set to zero.
+
+ * kdc/kdc.h (krb5_kdc_configuration): Add enable_digest
+
+ * kdc/headers.h: Include <digest_asn1.h>.
+
+ * lib/krb5/context.c (krb5_kerberos_enctypes): new function,
+ returns the list of Kerberos encryption types sorted in order of
+ most preferred to least preferred encryption type.
+
+ * kdc/misc.c (_kdc_get_preferred_key): new function, Use the order
+ list of preferred encryption types and sort the available keys and
+ return the most preferred key.
+
+ * kdc/krb5tgs.c: Adapt to the new sigature of _kdc_find_keys().
+
+ * kdc/kerberos5.c: Handle session key etype separately from the
+ tgt etype, now the krbtgt can be a aes-only key without the need
+ to support not-as-good etypes for the krbtgt.
+
+2006-08-23 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/misc.c: Change _kdc_db_fetch() to return the database
+ pointer to if needed by the consumer.
+
+ * kdc/krb5tgs.c: Change _kdc_db_fetch() to return the database
+ pointer to if needed by the consumer.
+
+ * kdc/kerberos5.c: Change _kdc_db_fetch() to return the database
+ pointer to if needed by the consumer.
+
+ * kdc/kerberos4.c: Change _kdc_db_fetch() to return the database
+ pointer to if needed by the consumer.
+
+ * kdc/kaserver.c: Change _kdc_db_fetch() to return the database
+ pointer to if needed by the consumer.
+
+ * kdc/524.c: Change _kdc_db_fetch() to return the database pointer
+ to if needed by the consumer.
+
+ * kuser/kdigest-commands.in: Add --kerberos-realm, add client
+ request command.
+
+ * lib/krb5/Makefile.am: digest.c
+
+ * lib/krb5/krb5.h: Add digest glue.
+
+ * lib/krb5/digest.c (krb5_digest_set_authentication_user): use
+ krb5_principal
+
+ * lib/krb5/digest.c: Add digest support to the client side.
+
+2006-08-21 Love Hörnquist Åstrand <lha@it.kth.se>
+
+ * lib/krb5/rd_rep.c (krb5_rd_rep): free krb5_ap_rep_enc_part on
+ error and set return pointer to NULL
+ (krb5_free_ap_rep_enc_part): permit freeing of NULL
+
+2006-08-18 Love Hörnquist Åstrand <lha@it.kth.se>
+
+ * kdc/{Makefile.am,kdigest.c,kdigest-commands.in}:
+ Frontend for remote digest service in KDC
+
+ * lib/krb5/krb5_storage.3: Document krb5_{ret,store}_stringnl
+ functions.
+
+ * lib/krb5/store.c: Add krb5_{ret,store}_stringnl functions,
+ stores/retrieves a \n terminated string.
+
+ * lib/krb5/krb5_locl.h: Default to address-less tickets.
+
+ * lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error): clear
+ error string on error.
+
+2006-07-20 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/crypto.c: remove aes-192 (CMS)
+
+ * lib/krb5/crypto.c: Remove more CMS bits.
+
+ * lib/krb5/crypto.c: Remove CMS symmetric encryption support.
+
+2006-07-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/pkinit.c (_kdc_pk_check_client): make it not crash when
+ there are no acl
+
+ * kdc/pkinit.c (_kdc_pk_check_client): use the acl in the kerberos
+ database
+
+ * lib/hdb/hdb.asn1: Rename HDB-Ext-PKINIT-certificate to
+ HDB-Ext-PKINIT-hash. Add trust anchor to HDB-Ext-PKINIT-acl.
+
+ * lib/hdb/Makefile.am: rename asn1_HDB_Ext_PKINIT_certificate to
+ asn1_HDB_Ext_PKINIT_hash
+
+ * lib/hdb/ext.c: Add hdb_entry_get_pkinit_hash().
+
+2006-07-10 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kuser/kinit.c: If --password-file gets STDIN, read the password
+ from the standard input.
+
+ * kuser/kinit.1: Document --password-file=STDIN.
+
+ * lib/krb5/krb5_string_to_key.3: Remove duplicate to.
+
+2006-07-06 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/krb5tgs.c: (tgs_build_reply): when checking for removed
+ principals, check the second component of the krbtgt, otherwise
+ cross realm wont work. Prompted by report from Mattias Amnefelt.
+
+2006-07-05 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/connect.c (handle_vanilla_tcp): use unsigned integer for for
+ length
+ (handle_tcp): if the high bit it set in the unknown case, send
+ back a KRB_ERR_FIELD_TOOLONG
+
+2006-07-03 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * appl/gssmask/gssmaestro.c: Add get_version_capa, cache
+ target_name.
+
+ * appl/gssmask/gssmask.c: use utname() to find the local hostname
+ and version of operatingsystem
+
+ * appl/gssmask/common.h: include <sys/utsname.h>
+
+ * appl/gssmask/gssmask.c: break out creation of a client and make
+ handleServer pthread_create compatible
+
+ * appl/gssmask/gssmaestro.c: break out out the build context
+ function
+
+2006-07-01 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * appl/gssmask/gssmaestro.c: externalize slave handling, add
+ GetTargetName glue
+
+ * appl/gssmask/gssmaestro.c: externalize principal/password handling
+
+ * lib/krb5/principal.c (krb5_parse_name): set *principal to NULL
+ the first thing we do, so that on failure its set to a known value
+
+ * appl/gssmask/gssmask.c: AcquireCreds: set principal to NULL to
+ avoid memory corruption GetTargetName: always send a string, even
+ though we don't have a targetname
+
+ * appl/gssmask: break out common function; add gssmaestro (that
+ only tests one context for now)
+
+2006-06-30 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/store_fd.c (krb5_storage_from_fd): don't leak fd on
+ malloc failure
+
+ * appl/gssmask/gssmask.c: split out fetching of credentials for
+ easier reuse for pk-init testing
+
+ * appl/gssmask: maggot replacement, handles context testing
+
+ * lib/krb5/cache.c (krb5_cc_new_unique): use KRB5_DEFAULT_CCNAME
+ as the default prefix
+
+2006-06-28 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * doc/heimdal.texi: Add Doug Rabson's license
+
+2006-06-22 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/init_creds.c: Add storing and getting KRB-ERROR in the
+ krb5_get_init_creds_opt structure.
+
+ * lib/krb5/init_creds_pw.c: Save KRB-ERROR on error.
+
+ * lib/krb5/krb5_locl.h (_krb5_get_init_creds_opt_private): add
+ KRB-ERROR
+
+2006-06-21 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * doc/setup.texi: section about verify_krb5_conf and kadmin check
+
+2006-06-15 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/init_creds_pw.c (get_init_creds_common): drop cred
+ argument, its unused
+
+ * lib/krb5/Makefile.am: install krb5_get_creds.3
+
+ * lib/krb5/krb5_get_creds.3: new file
+
+2006-06-14 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/hdb/hdb-ldap.c: don't use the sambaNTPassword if there is
+ ARCFOUR key already. Idea from Andreas Hasenack. While here, set
+ pw change time using sambaPwdLastSet
+
+ * kdc/kerberos4.c: Use enable_v4_per_principal and check the new
+ hdb flag.
+
+ * kdc/kdc.h: Add enable_v4_per_principal
+
+2006-06-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos5.c (_kdc_as_rep): if kdc_time +
+ config->kdc_warn_pwexpire is past pw_end, add expiration
+ message. From Bernard Antoine.
+
+ * kdc/default_config.c (krb5_kdc_default_config): set
+ kdc_warn_pwexpire to 0
+
+ * kdc/kerberos5.c: indent.
+
+2006-06-07 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos5.c: constify
+
+2006-06-06 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/get_cred.c: Allow setting additional tickets in the
+ tgs-req
+
+ * kuser/kgetcred.c: add --delegation-credential-cache
+
+ * kdc/krb5tgs.c (tgs_build_reply): add constrained delegation.
+
+ * kdc/krb5tgs.c: Add impersonation.
+
+ * kuser/kgetcred.c: use new krb5_get_creds interface, add
+ impersonation.
+
+ * lib/krb5/get_cred.c (krb5_get_creds): add
+ KRB5_GC_NO_TRANSIT_CHECK
+
+ * lib/krb5/misc.c: Add impersonate support functions.
+
+ * lib/krb5/get_cred.c: Add impersonate and new krb5_get_creds interface.
+
+ * lib/hdb/hdb.asn1 (HDBFlags): add trusted-for-delegation
+
+ * lib/krb5/krb5.h: Add krb5_get_creds_opt_data and some more
+ KRB5_GC flags.
+
+2006-06-01 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/hdb/ext.c (hdb_entry_get_ConstrainedDelegACL): new function.
+
+ * lib/krb5/pkinit.c: Avoid more shadowing.
+
+ * kdc/connect.c (do_request): clean reply with krb5_data_zero
+
+ * kdc/krb5tgs.c: Split up the reverse cross krbtgt check and local
+ clien must exists test.
+
+ * kdc/krb5tgs.c: Plug old memory leaks, unify all goto's.
+
+ * kdc/krb5tgs.c: Split tgs_rep2 into tgs_parse_request and
+ tgs_build_reply.
+
+ * kdc/kerberos5.c: split out krb5 tgs req to make it easier to
+ reorganize the code.
+
+2006-05-29 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5_get_init_creds.3: spelling Björn Sandell
+
+ * lib/krb5/krb5_get_in_cred.3: spelling Björn Sandell
+
+2006-05-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kpasswd/kpasswdd.c (change): select the realm based on the
+ target principal From Gabor Gombas
+
+ * lib/krb5/krb5_get_init_creds.3: Add KRB5_PROMPT_TYPE_INFO
+
+ * lib/krb5/krb5.h: Add KRB5_PROMPT_TYPE_INFO
+
+2006-05-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c: Hidden field of hx509 prompter is removed.
+ Fix a warning.
+
+ * doc/setup.texi: Point to more examples, hint that you have to
+ use openssl 0.9.8a or later.
+
+ * doc/setup.texi: DIR now handles both PEM and DER.
+
+ * kuser/kinit.c: Pass down prompter and password to
+ krb5_get_init_creds_opt_set_pkinit.
+
+ * lib/krb5/pkinit.c (_krb5_pk_load_id): only use password if its
+ longer then 0
+
+ * doc/ack.texi: Add Jason McIntyre.
+
+ * lib/krb5/krb5_acl_match_file.3: Various tweaks, from Jason
+ McIntyre.
+
+2006-05-11 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kuser/kinit.c: Move parsing of the PK-INIT configuration file to
+ the library so application doesn't need to deal with it.
+
+ * lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit): move
+ parsing of the configuration file to the library so application
+ doesn't need to deal with it.
+
+ * lib/krb5/pkinit.c (_krb5_pk_load_id): pass the hx509_lock to
+ when trying to read the user certificate.
+
+ * lib/krb5/pkinit.c (hx_pass_prompter): return 0 on success and 1
+ on failure. Pointed out by Douglas E. Engert.
+
+2006-05-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/crypto.c: Catches both keyed checkout w/o crypto
+ context cases and doesn't reset the string, and corrects the
+ grammar.
+
+ * lib/krb5/crypto.c: Drop aes-cbc, rc2 and CMS padding support,
+ its all containted in libhcrypto and libhx509 now.
+
+2006-05-07 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c (_krb5_pk_verify_sign): Use
+ hx509_get_one_cert.
+
+ * lib/krb5/crypto.c (create_checksum): provide a error message
+ that a key checksum needs a key. From Andew Bartlett.
+
+2006-05-06 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c: Now that hcrypto supports DH, remove check
+ for hx509 null DH.
+
+ * kdc/pkinit.c: Don't call DH_check_pubkey, it doesn't exists in
+ older OpenSSL.
+
+ * doc/heimdal.texi: Add blob about imath.
+
+ * doc/ack.texi: Add blob about imath.
+
+ * include/make_crypto.c: Move up evp.h to please OpenSSL, from
+ Douglas E. Engert.
+
+ * kcm/acl.c: Multicache kcm interation isn't done yet, let wait
+ with this enum.
+
+2006-05-05 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5_set_default_realm.3: Spelling/mdoc from Björn
+ Sandell
+
+ * lib/krb5/krb5_rcache.3: Spelling/mdoc from Björn Sandell
+
+ * lib/krb5/krb5_keytab.3: Spelling/mdoc from Björn Sandell
+
+ * lib/krb5/krb5_get_in_cred.3: Spelling/mdoc from Björn Sandell
+
+ * lib/krb5/krb5_expand_hostname.3: Spelling/mdoc from Björn
+ Sandell
+
+ * lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc from Björn
+ Sandell
+
+ * lib/krb5/keytab_file.c (fkt_next_entry_int): read the 32 bit
+ kvno if the reset of the data is longer then 4 bytes in hope to be
+ forward compatible. Pointed out by Michael B Allen.
+
+ * doc/programming.texi: Add fileformats.
+
+ * appl/test: Rename u_intXX_t to uintXX_t
+
+ * kuser: Rename u_intXX_t to uintXX_t
+
+ * kdc: Rename u_intXX_t to uintXX_t
+
+ * lib/hdb: Rename u_intXX_t to uintXX_t
+
+ * lib/45]: Rename u_intXX_t to uintXX_t
+
+ * lib/krb5: Rename u_intXX_t to uintXX_t
+
+ * lib/krb5/Makefile.am: Add test_store to TESTS
+
+ * lib/krb5/pkinit.c: Catch using hx509 null DH and print a more
+ useful error message.
+
+ * lib/krb5/store.c: Rewrite the krb5_ret_u as proposed by Johan.
+
+2006-05-04 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos4.c: Use the new unsigned integer storage types.
+
+ * kdc/kaserver.c: Use the new unsigned integer storage
+ types. Sprinkle some error handling.
+
+ * lib/krb5/krb5_storage.3: Document ret and store function for the
+ unsigned fixed size integer types.
+
+ * lib/krb5/v4_glue.c: Use the new unsigned integer storage
+ types. Fail that the address doesn't match, not the reverse.
+
+ * lib/krb5/store.c: Add ret and store function for the unsigned
+ fixed size integer types.
+
+ * lib/krb5/test_store.c: Test the integer storage types.
+
+2006-05-03 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/store.c (krb5_store_principal): make it take a
+ krb5_const_principal, indent
+
+ * lib/krb5/krb5_storage.3: krb5_store_principal takes a
+ krb5_const_principal
+
+ * lib/krb5/pkinit.c: Deal with that hx509_prompt.reply is no
+ longer a pointer.
+
+ * kdc/kdc.h (krb5_kdc_configuration): add pkinit_kdc_ocsp_file
+
+ * kdc/config.c: read [kdc]pki-kdc-ocsp
+
+2006-05-02 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/pkinit.c (_kdc_pk_mk_pa_reply): send back ocsp response if
+ it seems to be valid, simplfy the pkinit-windows DH case (it
+ doesn't exists).
+
+2006-05-01 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5_warn.3: Spelling/mdoc changes, from Björn Sandell.
+
+ * lib/krb5/krb5_verify_user.3: Spelling/mdoc changes, from Björn
+ Sandell.
+
+ * lib/krb5/krb5_verify_init_creds.3: Spelling/mdoc changes, from
+ Björn Sandell.
+
+ * lib/krb5/krb5_timeofday.3: Spelling/mdoc changes, from Björn
+ Sandell.
+
+ * lib/krb5/krb5_ticket.3: Spelling/mdoc changes, from Björn
+ Sandell.
+
+ * lib/krb5/krb5_rd_safe.3: Spelling/mdoc changes, from Björn
+ Sandell.
+
+ * lib/krb5/krb5_rcache.3: Spelling/mdoc changes, from Björn
+ Sandell.
+
+ * lib/krb5/krb5_principal.3: Spelling/mdoc changes, from Björn
+ Sandell.
+
+ * lib/krb5/krb5_parse_name.3: Spelling/mdoc changes, from Björn
+ Sandell.
+
+ * lib/krb5/krb5_mk_safe.3: Spelling/mdoc changes, from Björn
+ Sandell.
+
+ * lib/krb5/krb5_keyblock.3: Spelling/mdoc changes, from Björn
+ Sandell.
+
+ * lib/krb5/krb5_is_thread_safe.3: Spelling/mdoc changes, from
+ Björn Sandell.
+
+ * lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes,
+ from Björn Sandell.
+
+ * lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes,
+ from Björn Sandell.
+
+ * lib/krb5/krb5_expand_hostname.3: Spelling/mdoc changes, from
+ Björn Sandell.
+
+ * lib/krb5/krb5_check_transited.3: Spelling/mdoc changes, from
+ Björn Sandell.
+
+ * lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc changes, from
+ Björn Sandell.
+
+ * lib/krb5/krb5_address.3: Spelling/mdoc changes, from
+ Björn Sandell.
+
+ * lib/krb5/krb5_acl_match_file.3: Spelling/mdoc changes, from
+ Björn Sandell.
+
+ * lib/krb5/krb5.3: Spelling, from Björn Sandell.
+
+ * doc/ack.texi: add Björn
+
+2006-04-30 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c (cert2epi): don't include subject if its null
+
+2006-04-29 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c: Send over what trust anchors the client have
+ configured.
+
+ * lib/krb5/pkinit.c (pk_verify_host): set better error string,
+ only check kdc name/address when we got a hostname/address passed
+ in the the function.
+
+ * kdc/pkinit.c (_kdc_pk_check_client): reorganize and make log
+ when a SAN matches.
+
+2006-04-28 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * doc/setup.texi: More options and some text about windows
+ clients, certificate and KDCs.
+
+ * doc/setup.texi: notice about pki-mappings file space sensitive
+
+ * doc/setup.texi: Example pki-mapping file.
+
+ * lib/krb5/pkinit.c (pk_verify_host): verify hostname/address
+
+ * lib/hdb/hdb.h: Bump hdb interface version to 4.
+
+2006-04-27 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kuser/kdestroy.1: Document --credential=principal.
+
+ * kdc/kerberos5.c (tgs_rep2): check that the client exists in the
+ kerberos database if its local request.
+
+ * kdc/{misc.c,524.c,kaserver.c,kerberos5.c}: pass down HDB_F_GET_
+ flags as appropriate
+
+ * kdc/kerberos4.c (_kdc_db_fetch4): pass down flags though
+ krb5_425_conv_principal_ext2
+
+ * kdc/misc.c (_kdc_db_fetch): Break out the that we request from
+ principal from the entry and pass it in as a seprate argument.
+
+ * lib/hdb/keytab.c (hdb_get_entry): Break out the that we request
+ from principal from the entry and pass it in as a seprate
+ argument.
+
+ * lib/hdb/common.c: Break out the that we request from principal
+ from the entry and pass it in as a seprate argument.
+
+ * lib/hdb/hdb.h: Break out the that we request from principal from
+ the entry and pass it in as a seprate argument. Add more flags to
+ ->hdb_get(). Re-indent.
+
+2006-04-26 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * doc/setup.texi: document pki-allow-proxy-certificate
+
+ * kdc/pkinit.c: Add option [kdc]pki-allow-proxy-certificate=bool
+ to allow using proxy certificate.
+
+ * lib/krb5/pkinit.c (_krb5_pk_allow_proxy_certificates): expose
+ hx509_verify_set_proxy_certificate
+
+ * kdc/pkinit.c (_kdc_pk_check_client): Use
+ hx509_cert_get_base_subject to get subject name of the
+ certificate, needed for proxy certificates.
+
+ * kdc/kerberos5.c: Now that find_keys speaks for it self, remove
+ extra logging.
+
+ * kdc/kerberos5.c (find_keys): add client_name and server_name
+ argument and use them, and adapt callers.
+
+2006-04-25 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kuser/kinit.1: document option password-file
+
+ * kuser/kinit.c: Add option password-file, read password from the
+ first line of a file.
+
+ * configure.in: make tests/kdc/Makefile
+
+ * kdc/kerberos5.c: Catch the case where the client sends no
+ encryption types or no pa-types.
+
+ * lib/hdb/ext.c (hdb_replace_extension): set error message on
+ failure, not success.
+
+ * lib/hdb/keys.c (parse_key_set): handle error case better
+ (hdb_generate_key_set): return better error
+
+2006-04-24 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/hdb/hdb.c (hdb_create): print out what we don't support
+
+ * lib/krb5/principal.c: Remove a double free introduced in 1.93
+
+ * lib/krb5/log.c (log_file): reset pointer to freed memory
+
+ * lib/krb5/keytab_keyfile.c (get_cell_and_realm): reset d->cell to
+ make sure its not refereced
+
+ * tools/krb5-config.in: libhcrypto might depend on libasn1, switch
+ order
+
+ * lib/krb5/recvauth.c: indent
+
+ * doc/heimdal.texi: Add Setting up PK-INIT to Detailed Node
+ Listing.
+
+ * lib/krb5/pkinit.c: Pass down realm to pk_verify_host so the
+ function can verify the certificate is from the right realm.
+
+ * lib/krb5/init_creds_pw.c: Pass down realm to
+ _krb5_pk_rd_pa_reply
+
+2006-04-23 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c (pk_verify_host): Add begining of finding
+ subjectAltName_otherName pk-init-san and verifing it.
+
+ * lib/krb5/sendauth.c: reindent
+
+ * doc/Makefile.am: use --no-split to make one large file, mostly
+ for html
+
+ * doc/setup.texi: "document" pkinit_require_eku and
+ pkinit_require_krbtgt_otherName
+
+ * lib/krb5/pkinit.c: Add pkinit_require_eku and
+ pkinit_require_krbtgt_otherName
+
+ * doc/setup.texi: Add text about pk-init
+
+ * tools/kdc-log-analyze.pl: count v5 cross realms too
+
+2006-04-22 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/pkinit.c: Adapt to change in hx509_cms_create_signed_1.
+
+ * lib/krb5/pkinit.c: Adapt to change in hx509_cms_create_signed_1.
+
+2006-04-20 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/pkinit.c (_kdc_pk_rd_padata): use
+ hx509_cms_unwrap_ContentInfo.
+
+ * kdc/config.c: unbreak
+
+ * lib/krb5/pkinit.c: Handle diffrences between libhcrypto and
+ libcrypto.
+
+ * kdc/config.c: Rename pki-chain to pki-pool to match rest of
+ code.
+
+2006-04-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/rd_priv.c: Fix argument to krb5_data_zero.
+
+ * kdc/config.c: Added certificate revoke information from
+ configuration file.
+
+ * kdc/pkinit.c: Added certificate revoke information.
+
+ * kuser/kinit.c: Added certificate revoke information from
+ configuration file.
+
+ * lib/krb5/pkinit.c (_krb5_pk_load_id): Added certificate revoke
+ information, ie CRL's
+
+2006-04-10 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/replay.c (krb5_rc_resolve_full): make compile again.
+
+ * lib/krb5/keytab_krb4.c (krb4_kt_start_seq_get_int): make compile
+ again.
+
+ * lib/krb5/transited.c (make_path): make sure we return allocated
+ memory Coverity, NetBSD CID#1892
+
+ * lib/krb5/transited.c (make_path): make sure we return allocated
+ memory Coverity, NetBSD CID#1892
+
+ * lib/krb5/rd_req.c (krb5_verify_authenticator_checksum): on
+ protocol failure, avoid leaking memory Coverity, NetBSD CID#1900
+
+ * lib/krb5/principal.c (krb5_parse_name): remember to free realm
+ in case of error Coverity, NetBSD CID#1883
+
+ * lib/krb5/principal.c (krb5_425_conv_principal_ext2): remove
+ memory leak in case of weird formated dns replys.
+ Coverity, NetBSD CID#1885
+
+ * lib/krb5/replay.c (krb5_rc_resolve_full): don't return pointer
+ to a allocated krb5_rcache in case of error.
+
+ * lib/krb5/log.c (krb5_addlog_dest): free fn in case of error
+ Coverity, NetBSD CID#1882
+
+ * lib/krb5/keytab_krb4.c: Fix deref before NULL check, fix error
+ handling. Coverity, NetBSD CID#2369
+
+ * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
+ in_creds->client should always be set, assume so.
+
+ * lib/krb5/keytab_any.c (any_next_entry): restructure to make it
+ easier to read Fixes Coverity, NetBSD CID#625
+
+ * lib/krb5/crypto.c (krb5_string_to_key_derived): deref after NULL
+ check. Coverity NetBSD CID#2367
+
+ * lib/krb5/build_auth.c (krb5_build_authenticator): use
+ calloc. removed check that was never really used. Coverity NetBSD
+ CID#2370
+
+2006-04-09 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/rd_req.c (krb5_verify_ap_req2): make sure `ticket´
+ points to NULL in case of error, add error handling, use calloc.
+
+ * kpasswd/kpasswdd.c (doit): when done, close all fd in the
+ sockets array and free it. Coverity NetBSD CID#1916
+
+2006-04-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/store.c (krb5_ret_principal): fix memory leak Coverity,
+ NetBSD CID#1695
+
+ * kdc/524.c (_kdc_do_524): Handle memory allocation failure
+ Coverity, NetBSD CID#2752
+
+2006-04-07 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/keytab_file.c (krb5_kt_ret_principal): plug a memory
+ leak Coverity NetBSD CID#1890
+
+ * kdc/hprop.c (main): make sure type doesn't need to be set
+
+ * kdc/mit_dump.c (mit_prop_dump): close fd when done processing
+ Coverity NetBSD CID#1955
+
+ * kdc/string2key.c (tokey): catch warnings, free memory after use.
+ Based on Coverity NetBSD CID#1894
+
+ * kdc/hprop.c (main): remove dead code. Coverity NetBSD CID#633
+
+2006-04-04 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kpasswd/kpasswd-generator.c (read_words): catch empty file case,
+ will cause PBE (division by zero) later. From Tobias Stoeckmann.
+
+2006-04-02 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/hdb/keytab.c: Remove a delta from last revision that should
+ have gone in later.
+
+ * lib/krb5/krbhst.c: fix spelling
+
+ * lib/krb5/send_to_kdc.c (send_and_recv_http): don't expose freed
+ pointer, found by IBM checker.
+
+ * lib/krb5/rd_cred.c (krb5_rd_cred): don't expose freed pointer,
+ found by IBM checker.
+
+ * lib/krb5/addr_families.c (krb5_make_addrport): clear return
+ value on error, found by IBM checker.
+
+ * kdc/kerberos5.c (check_addresses): treat netbios as no addresses
+
+ * kdc/{kerberos4,kaserver}.c: _kdc_check_flags takes hdb_entry_ex
+
+ * kdc/kerberos5.c (_kdc_check_flags): make it take hdb_entry_ex to
+ avoid ?:'s at callers
+
+ * lib/krb5/v4_glue.c: Avoid using free memory, found by IBM
+ checker.
+
+ * lib/krb5/transited.c (expand_realm): avoid passing NULL to
+ strlen, found by IBM checker.
+
+ * lib/krb5/rd_cred.c (krb5_rd_cred): avoid a memory leak on malloc
+ failure, found by IBM checker.
+
+ * lib/krb5/krbhst.c (_krb5_krbhost_info_move): replace a strcpy
+ with a memcpy
+
+ * lib/krb5/keytab_keyfile.c (get_cell_and_realm): plug a memory
+ leak, found by IBM checker.
+
+ * lib/krb5/keytab_file.c (fkt_next_entry_int): remove a
+ dereferencing NULL pointer, found by IBM checker.
+
+ * lib/krb5/init_creds_pw.c (init_creds_init_as_req): in AS-REQ the
+ cname must always be given, don't avoid that fact and remove a
+ cname == NULL case. Plugs a memory leak found by IBM checker.
+
+ * lib/krb5/init_creds_pw.c (default_s2k_func): avoid exposing
+ free-ed memory on error. Found by IBM checker.
+
+ * lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): use
+ calloc to avoid uninitialized memory problem.
+
+ * lib/krb5/data.c (krb5_copy_data): avoid exposing free-ed memory
+ on error. Found by IBM checker.
+
+ * lib/krb5/fcache.c (fcc_gen_new): fix a use after free, found by
+ IBM checker.
+
+ * lib/krb5/config_file.c (krb5_config_vget_strings): IBM checker
+ thought it found a memory leak, it didn't, but there was another
+ error in the code, lets fix that instead.
+
+ * lib/krb5/cache.c (_krb5_expand_default_cc_name): plug memory
+ leak. Found by IBM checker.
+
+ * lib/krb5/cache.c (_krb5_expand_default_cc_name): avoid return
+ pointer to freed memory in the error case. Found by IBM checker.
+
+ * lib/hdb/keytab.c (hdb_resolve): off by one, found by IBM
+ checker.
+
+ * lib/hdb/keys.c (hdb_generate_key_set): set ret_key_set before
+ going into the error clause and freeing key_set. Found by IBM
+ checker. Make sure ret == 0 after of parse error, we catch the
+ "no entries parsed" case later.
+
+ * lib/krb5/log.c (krb5_addlog_dest): make string length match
+ strings in strcasecmp. Found by IBM checker.
+
+2006-03-30 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/hdb/hdb-ldap.c (LDAP_message2entry): in declaration set
+ variable_name as "hdb_entry_ex"
+ (hdb_ldap_common): change "arg" in condition (if) to "search_base"
+ (hdb_ldapi_create): change "serach_base" to "search_base" From
+ Alex V. Labuta.
+
+ * lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit); fix
+ prototype
+
+ * kuser/kinit.c: Add pool of certificates to help certificate path
+ building for clients sending incomplete path in the signedData.
+
+2006-03-28 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/pkinit.c: Add pool of certificates to help certificate path
+ building for clients sending incomplete path in the signedData.
+
+ * lib/krb5/pkinit.c: Add pool of certificates to help certificate
+ path building for clients sending incomplete path in the
+ signedData.
+
+2006-03-27 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/config.c: Allow passing in related certificates used to
+ build the chain.
+
+ * kdc/pkinit.c: Allow passing in related certificates used to
+ build the chain.
+
+ * kdc/kerberos5.c (log_patype): Add case for
+ KRB5_PADATA_PA_PK_OCSP_RESPONSE.
+
+ * tools/Makefile.am: Spelling
+
+ * tools/krb5-config.in: Add hx509 when using PK-INIT.
+
+ * tools/Makefile.am: Add hx509 when using PK-INIT.
+
+2006-03-26 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/acache.c: Use ticket flags definition, might fix Mac OS
+ X Kerberos.app problems.
+
+ * lib/krb5/krb5_ccapi.h: Add ticket flags definitions
+
+ * lib/krb5/pkinit.c: Use less openssl, spell chelling.
+
+ * kdc/pkinit.c (pk_mk_pa_reply_dh): encode the DH public key with
+ asn1 wrapping
+
+ * configure.in (AC_CONFIG_FILES): add lib/hx509/Makefile
+
+ * lib/Makefile.am: Add hx509.
+
+ * lib/krb5/Makefile.am: Add libhx509.la when PKINIT is used.
+
+ * configure.in: define automake PKINIT variable
+
+ * kdc/pkinit.c: Switch to hx509.
+
+ * lib/krb5/pkinit.c: Switch to hx509.
+
+2006-03-24 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos5.c (log_patypes): log the patypes requested by the
+ client
+
+2006-03-23 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c (_krb5_pk_rd_pa_reply): pass down the
+ req_buffer in the w2k case too. From Douglas E. Engert.
+
+2006-03-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/mk_req_ext.c (_krb5_mk_req_internal): on failure, goto
+ error handling. Fixes Coverity NetBSD CID 2591 by catching a
+ failing krb5_copy_keyblock()
+
+2006-03-17 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/addr_families.c (krb5_free_addresses): reset val,len in
+ address when free-ing. Fixes Coverity NetBSD bug #2605
+ (krb5_parse_address): reset val,len before possibly return errors
+ Fixes Coverity NetBSD bug #2605
+
+2006-03-07 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/send_to_kdc.c (recv_loop): it should never happen, but
+ make sure nbytes > 0
+
+ * lib/krb5/get_for_creds.c (add_addrs): handle the case where
+ addr->len == 0 and n == 0, then realloc might return NULL.
+
+ * lib/krb5/crypto.c (decrypt_*): handle the case where the
+ plaintext is 0 bytes long, realloc might then return NULL.
+
+2006-02-28 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5_string_to_key.3: Drop krb5_string_to_key_derived.
+
+ * lib/krb5/krb5.3: Remove krb5_string_to_key_derived.
+
+ * lib/krb5/crypto.c (AES_string_to_key): drop _krb5_PKCS5_PBKDF2
+ and use PKCS5_PBKDF2_HMAC_SHA1 instead.
+
+ * lib/krb5/aes-test.c: reformat, avoid free-ing un-init'd memory
+
+ * lib/krb5/aes-test.c: Only use PKCS5_PBKDF2_HMAC_SHA1.
+
+2006-02-27 Johan Danielsson <joda@pdc.kth.se>
+
+ * doc/setup.texi: remove cartouches - we don't use them anywhere
+ else, they should be around the example, not inside it, and
+ probably shouldn't be used in html at all
+
+2006-02-18 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5_warn.3: Document that applications want to use
+ krb5_get_error_message, add example.
+
+2006-02-16 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/crypto.c (krb5_generate_random_block): check return
+ value from RAND_bytes
+
+ * lib/krb5/error_string.c: Change indentation, update (c)
+
+2006-02-14 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c: Make struct krb5_dh_moduli available when
+ compiling w/o pkinit.
+
+2006-02-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c: update to new paChecksum definition, update
+ the dhgroup handling
+
+ * kdc/pkinit.c: update to new paChecksum definition, use
+ hdb_entry_ex
+
+2006-02-09 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5_locl.h: Move Configurable options to last in the
+ file.
+
+ * lib/krb5/krb5_locl.h: Wrap KRB5_ADDRESSLESS_DEFAULT with #ifndef
+
+2006-02-03 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kpasswd/kpasswdd.c: Send back a better error-message to the
+ client in case the password change was rejected.
+
+ * lib/krb5/krb5_warn.3: Document krb5_get_error_message.
+
+ * lib/krb5/error_string.c (krb5_get_error_message): new function,
+ and combination of krb5_get_error_string and krb5_get_err_text
+
+ * lib/krb5/krb5.3: sort, and krb5_get_error_message
+
+ * lib/hdb/hdb-ldap.c: Log the filter string to the error message
+ when doing searches.
+
+ * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags):
+ Use KRB5_ADDRESSLESS_DEFAULT when
+ checking [appdefault]no-addresses.
+
+ * lib/krb5/get_cred.c (get_cred_from_kdc_flags): Use
+ KRB5_ADDRESSLESS_DEFAULT when checking
+ [appdefault]no-addresses.
+
+ * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
+ Use [appdefault]no-addresses before checking if the krbtgt is
+ address-less, use KRB5_ADDRESSLESS_DEFAULT.
+
+ * lib/krb5/krb5_locl.h: Introduce KRB5_ADDRESSLESS_DEFAULT that
+ controlls all address-less behavior. Defaults to false.
+
+2006-02-01 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/n-fold-test.c: main is not a KRB5_LIB_FUNCTION
+
+ * lib/krb5/mk_priv.c (krb5_mk_priv): abort if ASN1_MALLOC_ENCODE
+ failes to produce the matching lenghts.
+
+2006-01-27 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kcm/protocol.c (kcm_op_retrieve): remove unused variable
+
+2006-01-15 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * tools/krb5-config.in: Move depenency on @LIB_dbopen@ to
+ kadm-server, kerberos library doesn't depend on db-library.
+
+2006-01-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * include/Makefile.am: Don't clean crypto headers, they now live
+ in hcrypto/. Add hcrypto to SUBDIRS.
+
+ * include/hcrypto/Makefile.am: clean installed headers
+
+ * include/make_crypto.c: include crypto headers from hcrypto/
+
+ * include/make_crypto.c: Include more crypto headerfiles. Remove
+ support for old hash names.
+
+2006-01-02 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/misc.c (_kdc_db_fetch): use calloc to allocate the entry,
+ from Andrew Bartlet.
+
+ * Happy New Year.