Diffstat (limited to '')
-rw-r--r-- | third_party/heimdal/ChangeLog | 485 |
-rw-r--r-- | third_party/heimdal/ChangeLog.1998 | 3201 |
-rw-r--r-- | third_party/heimdal/ChangeLog.1999 | 2194 |
-rw-r--r-- | third_party/heimdal/ChangeLog.2000 | 1320 |
-rw-r--r-- | third_party/heimdal/ChangeLog.2001 | 1122 |
-rw-r--r-- | third_party/heimdal/ChangeLog.2002 | 726 |
-rw-r--r-- | third_party/heimdal/ChangeLog.2003 | 1795 |
-rw-r--r-- | third_party/heimdal/ChangeLog.2004 | 1485 |
-rw-r--r-- | third_party/heimdal/ChangeLog.2005 | 2004 |
-rw-r--r-- | third_party/heimdal/ChangeLog.2006 | 2047 |
-rw-r--r-- | third_party/heimdal/ChangeLog.2007 | 1321 |
11 files changed, 17700 insertions, 0 deletions
diff --git a/third_party/heimdal/ChangeLog b/third_party/heimdal/ChangeLog new file mode 100644 index 0000000..125740d --- /dev/null +++ b/third_party/heimdal/ChangeLog 
@@ -0,0 +1,485 @@ + +We stop writing change logs, see the source code version control systems history log instead + +2008-07-28 Love Hornquist Astrand <lha@h5l.org> + + * lib/krb5/v4_glue.c: The "kaserver" part of Heimdal occasionally + issues invalid AFS tokens + (here "occasionally" means for certain users in certain realms). + + In lib/krb5/v4_glue.c, in the routine storage_to_etext the ticket + is padded to a multiple of 8 bytes. If it is already a multiple of + 8 bytes, 8 additional 0-bytes are added. + + This catches the AFS krb4 ticket decoder by surprise: unless the + ticket is exactly 56 bytes, it only supports the minimum necessary + padding. It detects the superfluous padding by comparing the + ticket length decoded to the advertised ticket length. + + Hence a 7-letter userid in "cern.ch" which resulted in a ticket of + 40 bytes, got "padded" to 48 bytes which the rxkad decoder + rejected. + + From Rainer Toebbicke. + +2008-07-25 Love Hörnquist Åstrand <lha@h5l.org> + + * kuser/kinit.c: add --ok-as-delegate and --windows flags + + * kpasswd/kpasswd-generator.c: Switch to krb5_set_password. + + * kuser/kinit.c: Use krb5_cc_set_config. + + * lib/krb5/cache.c: Add krb5_cc_[gs]et_config. + +2008-07-22 Love Hörnquist Åstrand <lha@h5l.org> + + * lib/krb5/crypto.c: Allow numbers to be enctypes to as long as + they are valid. + +2008-07-17 Love Hörnquist Åstrand <lha@h5l.org> + + * lib/hdb/version-script.map: some random bits needed for libkadm + +2008-07-15 Love Hörnquist Åstrand <lha@h5l.org> + + * lib/krb5/send_to_kdc_plugin.h: add name for send_to_kdc plugin. + + * lib/krb5/krbhst.c: handle KRB5_PLUGIN_NO_HANDLE for lookup + plugin. + + * lib/krb5/send_to_kdc.c: Add support for the send_to_kdc plugin + interface. 
+ + * lib/krb5/Makefile.am: add send_to_kdc_plugin.h + + * lib/krb5/krb5_err.et: add plugin error codes + +2008-07-14 Love Hornquist Astrand <lha@kth.se> + + * lib/hdb/Makefile.am: EXTRA_DIST += version-script.map + +2008-07-14 Love Hornquist Astrand <lha@kth.se> + + * lib/krb5/krb5_{address,ccache}.3: spelling, from openbsd via janne + johansson + +2008-07-13 Love Hörnquist Åstrand <lha@kth.se> + + * lib/krb5/version-script.map: add krb5_free_error_message + +2008-06-21 Love Hörnquist Åstrand <lha@kth.se> + + * lib/krb5/init_creds_pw.c: switch to krb5_set_password(). + +2008-06-18 Love Hörnquist Åstrand <lha@kth.se> + + * lib/krb5/time.c (krb5_set_real_time): handle negative usec + +2008-05-31 Love Hörnquist Åstrand <lha@kth.se> + + * lib/krb5/krb5_locl.h: Add <wind.h> + + * lib/krb5/crypto.c: Use wind_utf8ucs2_length to convert the password to utf16. + +2008-05-30 Love Hörnquist Åstrand <lha@kth.se> + + * lib/krb5/kcm.c: Add back krb5_kcmcache argument to try_door(). + +2008-05-27 Love Hörnquist Åstrand <lha@kth.se> + + * lib/krb5/error_string.c (krb5_free_error_message): constify + + * lib/krb5/error_string.c: Add krb5_get_error_message(). + + * lib/krb5/doxygen.c: krb5_cc_new_unique() is name of the creation + function. + +2008-04-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: Use the _ext api for OpenLDAP, from Honza + Machacek (gentoo). + +2008-04-28 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/crypto.c: Use DES_set_key_unchecked(). + + * lib/krb5/krb5.conf.5: Document default_cc_type. + + * lib/krb5/cache.c: Pick up [libdefaults]default_cc_type + +2008-04-27 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kaserver.c: Use DES_set_key_unchecked(). + +2008-04-21 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/hx509.texi: About the pkcs11 module. + + * doc/hx509.texi: Pick up version from vars.texi + + * doc/hx509.texi: No MIT code in hx509. + + * hx509 now includes a pkcs11 implementation. 
+ +2008-04-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/Makefile.am: Move OpenLDAP includes to AM_CPPFLAGS to + avoid dropping other defines for the library. + +2008-04-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5: add __declspec() for windows. + + * configure.in: Update rk_WIN32_EXPORT, add gssapi to + rk_WIN32_EXPORT. + + * configure.in: Lets try dependency tracking for automake 1.10 and + later. + + * configure.in: Use at least libtool-2.2. + + * configure.in: Use LT_INIT the right way. + + * lib/krb5/Makefile.am: Update make-proto usage. + + * configure.in: Run autoupdate, use LT_INIT(). + +2008-04-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_forward.c: Don't print krb5_error_code since we + are using krb5_err(). + + * lib/krb5/ticket.c: Cast krb5_error_code to int to avoid warning. + + * lib/krb5/scache.c: Cast krb5_error_code to int to avoid warning. + + * lib/krb5/principal.c: Cast enum to int to avoid warning. + + * lib/krb5/pkinit.c: Cast krb5_error_code to int to avoid warning. + + * lib/krb5/pac.c: Cast size_t to unsigned long to avoid warning. + + * lib/krb5/error_string.c: Cast krb5_error_code to int to avoid + warning. + + * lib/krb5/keytab_keyfile.c: Make num_entries an uint32 to avoid + negative numbers and type warnings. + + * lib/krb5: cc_get_version returns an int, update. + +2008-04-10 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: Check for <asl.h>. + +2008-04-09 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/version-script.map: sort and export _krb5_pk_kdf + + * lib/krb5/crypto.c: Check kdf params. calculate the second half + of the key. + + * lib/krb5/Makefile.am: Add test_pknistkdf + + * lib/krb5/test_pknistkdf.c: Test the new pkinit nist kdf. + + * lib/krb5/crypto.c: Complete _krb5_pk_kdf. + + * lib/krb5/crypto.c: First version of KDF in + draft-ietf-krb-wg-pkinit-alg-agility-03.txt. 
+ +2008-04-08 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: Add text about smbk5pwd overlay from Buchan + Milne. + + * lib/krb5/krb5_locl.h: Name the pkinit type enum. + + * kdc/pkinit.c: Rename constants to match global header. + + * lib/krb5/pkinit.c: Drop krb5_pk_identity and rename constants to + match global header. + + * kdc/pkinit.c: Pick up krb5_pk_identity from krb5_locl.h. + + * lib/krb5/scache.c (scc_alloc): %x is unsigned int. + +2008-04-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/version-script.map: Sort and add krb5_cc_switch. + + * lib/krb5/acache.c: Use unsigned where appropriate. + + * kcm/glue.c: Adapt to chenge to krb5_cc_ops. + + * kcm/acl.c: Add missing op. + + * kdc/connect.c: Use unsigned where appropriate. + + * lib/krb5/n-fold.c: Use size_t where appropriate. + + * lib/krb5/get_addrs.c: Use unsigned where appropriate. + + * lib/krb5/crypto.c: Use unsigned where appropriate. + + * lib/krb5/crc.c: Use unsigned where appropriate. + + * lib/krb5/changepw.c: simplify + + * lib/krb5/copy_host_realm.c: simplify + + * kuser/kswitch.c: Implement --principal. + +2008-04-05 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/cache.c: allow returning the default cc-type. + + * kuser/kswitch.c: Enable switching between existing caches. + + * lib/krb5/cache.c: Add krb5_cc_switch, to set the default + credential cache. + + * lib/krb5/acache.c: Implement set_default. + + * lib/krb5/krb5.h: Extend krb5_cc_ops and add set_default to set + the default cc name for a credential type. + +2008-04-04 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_cc.c: test remove + + * lib/krb5/fcache.c: Make the remove cred slight more atomic, now + it might lose creds, but there will be no empty cache at any time. + + * lib/krb5/scache.c: Do credential iteration by temporary table. + +2008-04-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/acache.c: Translate ccErrInvalidCCache. 
+ + * lib/krb5/scache.c: implemetation of a sqlite3 backed credential + cache. + + * lib/krb5/test_cc.c: test acc and scc + + * lib/krb5/acache.c: Only release context if its in use. + +2008-04-01 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: No patching of OpenLDAP is needed, from Buchan + Milne. + +2008-03-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: Add scache. + + * lib/krb5/scache.c: initial implementation + + * lib/Makefile.am: sqlite + + * configure.in: lib/sqlite/Makefile + +2008-03-26 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/fcache.c: Make the storing credential an atomic + write(2) to avoid signal races, bug traced by Harald Barth and Lars + Malinowsky. + +2008-03-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/fcache.c: Make erase_file() do locking too. + + * kcm/protocol.c: Make work when moving to a non-existant + cred-cache. + + * lib/krb5/test_cc.c: more verbose info. + + * lib/krb5/test_cc.c: test krb5_cc_move(). + +2008-03-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_cred.c: Try both kdc server referral and the old + client chasing mode. + + * lib/krb5/get_cred.c: Don't do canonicalize by default, make + add_cred() sane, make loop detection in credential fetching + better. + + * lib/krb5/krb5_locl.h: Add flag EXTRACT_TICKET_AS_REQ. + + * lib/krb5/init_creds_pw.c: Tell _krb5_extract_ticket that this is + an AS-REQ. + + * lib/krb5/get_in_tkt.c: Make server referral work. + +2008-03-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_in_tkt.c: check no server referral, don't use + stringent length tests since encryption layer does padding for + us... + + * kdc/kerberos5.c: Match name in ClientCanonicalizedNames with -10 + + * lib/krb5/principal.c (_krb5_principal_compare_PrincipalName): + new function to compare a principal to a PrincipalName. + + * lib/krb5/init_creds_pw.c: Move client referral checking to + _krb5_extract_ticket(). 
+ + * lib/krb5/get_in_tkt.c: More bits for server referral. + + * lib/krb5/get_in_tkt.c: Make working with client referrals. + + * lib/krb5/get_cred.c: Try moving referrals checking into + _krb5_extract_ticket(). + + * lib/krb5/get_in_tkt.c: Try moving referrals checking into + _krb5_extract_ticket(). + +2008-03-21 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/krb5tgs.c: Send SERVER-REFERRAL data in rep.padata instead + of auth_data in ticket. + +2008-03-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c: remove lost bits from using + krb5_principal_set_realm + + * kdc/krb5tgs.c: Better referrals support, use canonicalize flag. + + * kdc/hprop.c: use krb5_principal_set_realm + + * lib/krb5/init_creds_pw.c: use krb5_principal_set_realm + + * lib/krb5/verify_user.c: use krb5_principal_set_realm + + * lib/krb5/version-script.map: add krb5_principal_set_realm + + * lib/krb5/principal.c: add krb5_principal_set_realm + + * lib/krb5/get_cred.c: Insecure tgs referrals. + + * lib/krb5/get_cred.c: Dont try key usage KRB5_KU_AP_REQ_AUTH for + TGS-REQ. This drop compatibility with pre 0.3d KDCs. + + * lib/krb5/get_cred.c: catch KRB5_GC_CANONICALIZE. + + * lib/krb5/krb5.h: set KRB5_GC_CANONICALIZE. + + * kuser/kgetcred.c: set KRB5_GC_CANONICALIZE. + + * kuser/kgetcred.c: Add stub --canonicalize implementation. + +2008-03-19 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: Fix sasl-regexp, from Howard Chu. + +2008-03-14 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kx509.c: Adapt to hx509_env changes. + +2008-03-10 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: Try searchin the key by to use by first + looking for for PK-INIT EKU, then the Microsoft smart card EKU and + last, no special EKU at all. + +2008-03-09 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/acache.c: Create a new credential cache is ->get_name + is called, make acc_initialize() reset the existing credential + cache if needed. 
+ + * lib/krb5/acache.c (acc_get_name): just return the cache_name + directly instead of trying to resolve it. + +2008-02-23 Love Hörnquist Åstrand <lha@it.su.se> + + * include/Makefile.am (CLEANFILES): add wind.h and wind_err.h and + sort. + +2008-02-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: Use malloc() instead of static buffer. + + * lib/hdb/hdb-ldap.c: Use ldap_get_values_len, from LaMont Jones + via Brian May and Debian. + + * doc/Makefile.am: add libwind + +2008-02-05 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_renew.c: Remove extra ;, From Dennis Davis. + + * lib/krb5/store_emem.c: Make compile on-pre c99 compilers. From + Dennis Davis. + +2008-02-03 Love Hörnquist Åstrand <lha@it.su.se> + + * tools/heimdal-gssapi.pc.in: Add wind. + + * tools/krb5-config.in: Add wind. + + * lib/krb5/pac.c: Use libwind. + +2008-02-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/Makefile.am: SUBDIRS: add wind + +2008-01-29 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/programming.texi: See the Kerberos 5 API introduction and + documentation on the Heimdal webpage. + +2008-01-27 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5: better error strings for the keytab fetching functions + + * lib/krb5/verify_krb5_conf.c: Catch deprecated entries. + + * lib/krb5/get_cred.c: Remove support + for [libdefaults]capath (not [libdefaults] capaths though). + +2008-01-25 Love Hörnquist Åstrand <lha@it.su.se> + + * tools/heimdal-gssapi.pc.in: Fix caps of prefix, from Joakim + Fallsjo. + +2008-01-24 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/fcache.c (fcc_move): more explict why the fcc_move + failes, handle cross device moves. + +2008-01-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_for_creds.c: Use on variable less. + + * lib/krb5/get_for_creds.c: Try to handle ticket full and + ticketless tickets better. Add doxygen comments while here. + + * lib/krb5/test_forward.c: Used for testing + krb5_get_forwarded_creds(). 
+ + * lib/krb5/Makefile.am: noinst_PROGRAMS += test_forward + + * lib/krb5/Makefile.am: drop CHECK_SYMBOLS + + * lib/hdb/Makefile.am: drop CHECK_SYMBOLS + + * kdc/Makefile.am: drop CHECK_SYMBOLS + +2008-01-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/version-script.map: Add krb5_digest_probe. + +2008-01-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: Replace hx509_name_to_der_name with + hx509_name_binary. + +2008-01-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: add missing files + + * Happy new year. diff --git a/third_party/heimdal/ChangeLog.1998 b/third_party/heimdal/ChangeLog.1998 new file mode 100644 index 0000000..f26dba7 --- /dev/null +++ b/third_party/heimdal/ChangeLog.1998 
@@ -0,0 +1,3201 @@ +Sat Dec 5 19:49:34 1998 Johan Danielsson <joda@hella.pdc.kth.se> + + * lib/krb5/context.c: remove ktype_is_etype + + * lib/krb5/crypto.c, lib/krb5/krb5.h, acconfig.h: NEW_DES3_CODE + + * configure.in: fix for AIX install; better tests for AIX dynamic + AFS libs; `--enable-new-des3-code' + +Tue Dec 1 14:44:44 1998 Johan Danielsson <joda@hella.pdc.kth.se> + + * appl/afsutil/Makefile.am: link with extra libs for aix + + * kuser/Makefile.am: link with extra libs for aix + +Sun Nov 29 01:56:21 1998 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_addrs.c (krb5_get_all_server_addrs): add. almost + the same as krb5_get_all_client_addrs except that it includes + loopback addresses + + * kdc/connect.c (init_socket): bind to a particular address + (init_sockets): get all local addresses and bind to them all + + * lib/krb5/addr_families.c (addr2sockaddr, print_addr): new + methods + (find_af, find_atype): new functions. use them. + + * configure.in: add hesiod + +Wed Nov 25 11:37:48 1998 Johan Danielsson <joda@hella.pdc.kth.se> + + * lib/krb5/krb5_err.et: add some codes from kerberos-revisions-03 + +Mon Nov 23 12:53:48 1998 Assar Westerlund <assar@sics.se> + + * lib/kadm5/log.c: rename delete -> remove + + * lib/kadm5/delete_s.c: rename delete -> remove + + * lib/hdb/common.c: rename delete -> remove + +Sun Nov 22 12:26:26 1998 Assar Westerlund <assar@sics.se> + + * configure.in: check for environ and `struct spwd' + +Sun Nov 22 11:42:45 1998 Johan Danielsson <joda@blubb.pdc.kth.se> + + * kdc/kerberos5.c (as_rep): set keytype to sess_ktype if + ktype_is_etype + + * lib/krb5/encrypt.c (krb5_keytype_to_etypes): zero terminate + etypes + (em): sort entries + +Sun Nov 22 06:54:48 1998 Assar Westerlund <assar@sics.se> + + * lib/krb5/init_creds_pw.c: more type correctness + + * lib/krb5/get_cred.c: re-structure code. remove limits on ASN1 + generated bits. 
+ +Sun Nov 22 01:49:50 1998 Johan Danielsson <joda@hella.pdc.kth.se> + + * kdc/hprop.c (v4_prop): fix bogus indexing + +Sat Nov 21 21:39:20 1998 Assar Westerlund <assar@sics.se> + + * lib/krb5/verify_init.c (fail_verify_is_ok): new function + (krb5_verify_init_creds): if we cannot get a ticket for + host/`hostname` and fail_verify_is_ok just return. use + krb5_rd_req + +Sat Nov 21 23:12:27 1998 Assar Westerlund <assar@sics.se> + + * lib/krb5/free.c (krb5_xfree): new function + + * lib/krb5/creds.c (krb5_free_creds_contents): new function + + * lib/krb5/context.c: more type correctness + + * lib/krb5/checksum.c: more type correctness + + * lib/krb5/auth_context.c (krb5_auth_con_init): more type + correctness + + * lib/asn1/der_get.c (der_get_length): fix test of len + (der_get_tag): more type correctness + + * kuser/klist.c (usage): void-ize + + * admin/ktutil.c (kt_remove): some more type correctness. + +Sat Nov 21 16:49:20 1998 Johan Danielsson <joda@hella.pdc.kth.se> + + * kuser/klist.c: try to list enctypes as keytypes + + * kuser/kinit.c: remove extra `--cache' option, add `--enctypes' + to set list of enctypes to use + + * kadmin/load.c: load strings as hex + + * kadmin/dump.c: dump hex as string is possible + + * admin/ktutil.c: use print_version() + + * configure.in, acconfig.h: test for hesiod + +Sun Nov 15 17:28:19 1998 Johan Danielsson <joda@hella.pdc.kth.se> + + * lib/krb5/crypto.c: add some crypto debug code + + * lib/krb5/get_in_tkt.c (_krb5_extract_ticket): don't use fixed + buffer when encoding ticket + + * lib/krb5/auth_context.c (re-)implement `krb5_auth_setenctype' + + * kdc/kerberos5.c: allow mis-match of tgt session key, and service + session key + + * admin/ktutil.c: keytype -> enctype + +Fri Nov 13 05:35:48 1998 Assar Westerlund <assar@sics.se> + + * lib/krb5/krb5.h (KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE): added + +Sat Nov 7 19:56:31 1998 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_cred.c (add_cred): add termination NULL pointer + +Mon Nov 
2 01:15:06 1998 Assar Westerlund <assar@sics.se> + + * lib/krb5/rd_req.c: adapt to new crypto api + + * lib/krb5/rd_rep.c: adapt to new crypto api + + * lib/krb5/rd_priv.c: adopt to new crypto api + + * lib/krb5/rd_cred.c: adopt to new crypto api + + * lib/krb5/principal.c: ENOMEM -> ERANGE + + * lib/krb5/mk_safe.c: cleanup and adopt to new crypto api + + * lib/krb5/mk_req_ext.c: adopt to new crypto api + + * lib/krb5/mk_req.c: get enctype from auth_context keyblock + + * lib/krb5/mk_rep.c: cleanup and adopt to new crypto api + + * lib/krb5/mk_priv.c: adopt to new crypto api + + * lib/krb5/keytab.c: adopt to new crypto api + + * lib/krb5/get_in_tkt_with_skey.c: adopt to new crypto api + + * lib/krb5/get_in_tkt_with_keytab.c: adopt to new crypto api + + * lib/krb5/get_in_tkt_pw.c: adopt to new crypto api + + * lib/krb5/get_in_tkt.c: adopt to new crypto api + + * lib/krb5/get_cred.c: adopt to new crypto api + + * lib/krb5/generate_subkey.c: use new crypto api + + * lib/krb5/context.c: rename etype functions to enctype ditto + + * lib/krb5/build_auth.c: use new crypto api + + * lib/krb5/auth_context.c: remove enctype and cksumtype from + auth_context + +Mon Nov 2 01:15:06 1998 Assar Westerlund <assar@sics.se> + + * kdc/connect.c (handle_udp, handle_tcp): correct type of `n' + +Tue Sep 15 18:41:38 1998 Johan Danielsson <joda@hella.pdc.kth.se> + + * admin/ktutil.c: fix printing of unrecognized keytypes + +Tue Sep 15 17:02:33 1998 Johan Danielsson <joda@hella.pdc.kth.se> + + * lib/kadm5/set_keys.c: add KEYTYPE_USE_AFS3_SALT to keytype if + using AFS3 salt + +Tue Aug 25 23:30:52 1998 Assar Westerlund <assar@sics.se> + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): care about + `use_admin_kdc' + + * lib/krb5/changepw.c (get_kdc_address): use + krb5_get_krb_admin_hst + + * lib/krb5/krbhst.c (krb5_get_krb_admin_hst): new function + + * lib/krb5/krb5.h (krb5_context_data): add `use_admin_kdc' + + * lib/krb5/context.c (krb5_get_use_admin_kdc, + krb5_set_use_admin_kdc): new 
functions + +Tue Aug 18 22:24:12 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/crypto.c: remove all calls to abort(); check return + value from _key_schedule; + (RSA_MD[45]_DES_verify): zero tmp and res; + (RSA_MD5_DES3_{verify,checksum}): implement + +Mon Aug 17 20:18:46 1998 Assar Westerlund <assar@sics.se> + + * kdc/kerberos4.c (swap32): conditionalize + + * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): new function + + * lib/krb5/get_host_realm.c (krb5_get_host_realm): if the hostname + returned from gethostby*() isn't a FQDN, try with the original + hostname + + * lib/krb5/get_cred.c (make_pa_tgs_req): use krb5_mk_req_internal + and correct key usage + + * lib/krb5/crypto.c (verify_checksum): make static + + * admin/ktutil.c (kt_list): use krb5_enctype_to_string + +Sun Aug 16 20:57:56 1998 Assar Westerlund <assar@sics.se> + + * kadmin/cpw.c (do_cpw_entry): use asprintf for the prompt + + * kadmin/ank.c (ank): print principal name in prompt + + * lib/krb5/crypto.c (hmac): always allocate space for checksum. 
+ never trust c.checksum.length + (_get_derived_key): try to return the derived key + +Sun Aug 16 19:48:42 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/crypto.c (hmac): fix some peculiarities and bugs + (get_checksum_key): assume usage is `formatted' + (create_checksum,verify_checksum): moved the guts of the krb5_* + functions here, both take `formatted' key-usages + (encrypt_internal_derived): fix various bogosities + (derive_key): drop key_type parameter (already given by the + encryption_type) + + * kdc/kerberos5.c (check_flags): handle case where client is NULL + + * kdc/connect.c (process_request): return zero after processing + kerberos 4 request + +Sun Aug 16 18:38:15 1998 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/crypto.c: merge x-*.[ch] into one file + + * lib/krb5/cache.c: remove residual from krb5_ccache_data + +Fri Aug 14 16:28:23 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/x-crypto.c (derive_key): move DES3 specific code to + separate function (will eventually end up someplace else) + + * lib/krb5/x-crypto.c (krb5_string_to_key_derived): allocate key + + * configure.in, acconfig.h: test for four valued krb_put_int + +Thu Aug 13 23:46:29 1998 Assar Westerlund <assar@emma.pdc.kth.se> + + * Release 0.0t + +Thu Aug 13 22:40:17 1998 Assar Westerlund <assar@sics.se> + + * lib/krb5/config_file.c (parse_binding): remove trailing + whitespace + +Wed Aug 12 20:15:11 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/x-checksum.c (krb5_verify_checksum): pass checksum type + to krb5_create_checksum + + * lib/krb5/x-key.c: implement DES3_string_to_key_derived; fix a + few typos + +Wed Aug 5 12:39:54 1998 Assar Westerlund <assar@emma.pdc.kth.se> + + * Release 0.0s + +Thu Jul 30 23:12:17 1998 Assar Westerlund <assar@sics.se> + + * lib/krb5/mk_error.c (krb5_mk_error): realloc until you die + +Thu Jul 23 19:49:03 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/kdc_locl.h: proto for `get_des_key' + + * 
configure.in: test for four valued el_init + + * kuser/klist.c: keytype -> enctype + + * kpasswd/kpasswdd.c (change): use new `krb5_string_to_key*' + + * kdc/hprop.c (v4_prop, ka_convert): convert to a set of keys + + * kdc/kaserver.c: use `get_des_key' + + * kdc/524.c: use new crypto api + + * kdc/kerberos4.c: use new crypto api + + * kdc/kerberos5.c: always treat keytypes as enctypes; use new + crypto api + + * kdc/kstash.c: adapt to new crypto api + + * kdc/string2key.c: adapt to new crypto api + + * admin/srvconvert.c: add keys for all possible enctypes + + * admin/ktutil.c: keytype -> enctype + + * lib/gssapi/init_sec_context.c: get enctype from auth_context + keyblock + + * lib/hdb/hdb.c: remove hdb_*_keytype2key + + * lib/kadm5/set_keys.c: adapt to new crypto api + + * lib/kadm5/rename_s.c: adapt to new crypto api + + * lib/kadm5/get_s.c: adapt to new crypto api + + * lib/kadm5/create_s.c: add keys for des-cbc-crc, des-cbc-md4, + des-cbc-md5, and des3-cbc-sha1 + + * lib/krb5/heim_err.et: error message for unsupported salt + + * lib/krb5/codec.c: short-circuit these functions, since they are + not needed any more + + * lib/krb5/rd_safe.c: cleanup and adapt to new crypto api + +Mon Jul 13 23:00:59 1998 Assar Westerlund <assar@sics.se> + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): don't advance + hostent->h_addr_list, use a copy instead + +Mon Jul 13 15:00:31 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/config_file.c (parse_binding, parse_section): make sure + everything is ok before adding to linked list + + * lib/krb5/config_file.c: skip ws before checking for comment + +Wed Jul 8 10:45:45 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/asn1/k5.asn1: hmac-sha1-des3 = 12 + +Tue Jun 30 18:08:05 1998 Assar Westerlund <assar@sics.se> + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): do not close the + unopened file + + * lib/krb5/mk_priv.c: realloc correctly + + * lib/krb5/get_addrs.c (find_all_addresses): init j + + * lib/krb5/context.c 
(krb5_init_context): print error if parsing + of config file produced an error. + + * lib/krb5/config_file.c (parse_list, krb5_config_parse_file): + ignore more spaces + + * lib/krb5/codec.c (krb5_encode_EncKrbCredPart, + krb5_encode_ETYPE_INFO): initialize `ret' + + * lib/krb5/build_auth.c (krb5_build_authenticator): realloc + correctly + + * lib/kadm5/set_keys.c (_kadm5_set_keys): initialize `ret' + + * lib/kadm5/init_c.c (get_cred_cache): try to do the right thing + with default_client + + * kuser/kinit.c (main): initialize `ticket_life' + + * kdc/kerberos5.c (get_pa_etype_info): initialize `ret' + (tgs_rep2): initialize `krbtgt' + + * kdc/connect.c (do_request): check for errors from `sendto' + + * kdc/524.c (do_524): initialize `ret' + + * kadmin/util.c (foreach_principal): don't clobber `ret' + + * kadmin/del.c (del_entry): don't apply on zeroth argument + + * kadmin/cpw.c (do_cpw_entry): initialize `ret' + +Sat Jun 13 04:14:01 1998 Assar Westerlund <assar@juguete.sics.se> + + * Release 0.0r + +Sun Jun 7 04:13:14 1998 Assar Westerlund <assar@sics.se> + + * lib/krb5/addr_families.c: fall-back definition of + IN6_ADDR_V6_TO_V4 + + * configure.in: only set CFLAGS if it wasn't set look for + dn_expand and res_search + +Mon Jun 1 21:28:07 1998 Assar Westerlund <assar@sics.se> + + * configure.in: remove duplicate seteuid + +Sat May 30 00:19:51 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/convert_creds.c: import _krb_time_to_life, to avoid + runtime dependencies on libkrb with some shared library + implementations + +Fri May 29 00:09:02 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * kuser/kinit_options.c: Default options for kinit. + + * kuser/kauth_options.c: Default options for kauth. + + * kuser/kinit.c: Implement lots a new options. 
+ + * kdc/kerberos5.c (check_tgs_flags): make sure kdc-req-body->rtime + is not NULL; set endtime to min of new starttime + old_life, and + requested endtime + + * lib/krb5/init_creds_pw.c (get_init_creds_common): if the + forwardable or proxiable flags are set in options, set the + kdc-flags to the value specified, and not always to one + +Thu May 28 21:28:06 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/kerberos5.c: Optionally compare client address to addresses + in ticket. + + * kdc/connect.c: Pass client address to as_rep() and tgs_rep(). + + * kdc/config.c: Add check_ticket_addresses, and + allow_null_ticket_addresses variables. + +Tue May 26 14:03:42 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/kadm5/create_s.c: possibly make DES keys version 4 salted + + * lib/kadm5/set_keys.c: check config file for kadmin/use_v4_salt + before zapping version 4 salts + +Sun May 24 05:22:17 1998 Assar Westerlund <assar@sics.se> + + * Release 0.0q + + * lib/krb5/aname_to_localname.c: new file + + * lib/gssapi/init_sec_context.c (repl_mutual): no output token + + * lib/gssapi/display_name.c (gss_display_name): zero terminate + output. + +Sat May 23 19:11:07 1998 Assar Westerlund <assar@sics.se> + + * lib/gssapi/display_status.c: new file + + * Makefile.am: send -I to aclocal + + * configure.in: remove duplicate setenv + +Sat May 23 04:55:19 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * kadmin/util.c (foreach_principal): Check for expression before + wading through the whole database. + + * kadmin/kadmin.c: Pass NULL password to + kadm5_*_init_with_password. + + * lib/kadm5/init_c.c: Implement init_with_{skey,creds}*. Make use + of `password' parameter to init_with_password. + + * lib/kadm5/init_s.c: implement init_with_{skey,creds}* + + * lib/kadm5/server.c: Better arguments for + kadm5_init_with_password. 
+ +Sat May 16 07:10:36 1998 Assar Westerlund <assar@sics.se> + + * kdc/hprop.c: conditionalize ka-server reading support on + KASERVER_DB + + * configure.in: new option `--enable-kaserver-db' + +Fri May 15 19:39:18 1998 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/get_cred.c: Better error if local tgt couldn't be + found. + +Tue May 12 21:11:02 1998 Assar Westerlund <assar@sics.se> + + * Release 0.0p + + * lib/krb5/mk_req_ext.c (krb5_mk_req_extended): only set + encryption type in auth_context if it's compatible with the type + of the session key + +Mon May 11 21:11:14 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/hprop.c: add support for ka-server databases + + * appl/ftp/ftpd: link with -lcrypt, if needed + +Fri May 1 07:29:52 1998 Assar Westerlund <assar@sics.se> + + * configure.in: don't test for winsock.h + +Sat Apr 18 21:43:11 1998 Johan Danielsson <joda@puffer.pdc.kth.se> + + * Release 0.0o + +Sat Apr 18 00:31:11 1998 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/sock_principal.c: Save hostname. + +Sun Apr 5 11:29:45 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/mk_req_ext.c: Use same enctype as in ticket. + + * kdc/hprop.c (v4_prop): Check for null key. + +Fri Apr 3 03:54:54 1998 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/str2key.c: Fix DES3 string-to-key. + + * lib/krb5/keytab.c: Get default keytab name from context. + + * lib/krb5/context.c: Get `default_keytab_name' value. + + * kadmin/util.c (foreach_principal): Print error message if + `kadm5_get_principals' fails. + + * kadmin/kadmind.c: Use `kadmind_loop'. + + * lib/kadm5/server.c: Replace several other functions with + `kadmind_loop'. + +Sat Mar 28 09:49:18 1998 Assar Westerlund <assar@sics.se> + + * lib/krb5/keytab.c (fkt_add_entry): use an explicit seek instead + of O_APPEND + + * configure.in: generate ftp Makefiles + + * kuser/klist.c (print_cred_verbose): print IPv4-address in a + portable way. 
+ + * admin/srvconvert.c (srvconv): return 0 if successful + +Tue Mar 24 00:40:33 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/keytab.c: MIT compatible changes: add and use sizes to + keytab entries, and change default keytab to `/etc/krb5.keytab'. + +Mon Mar 23 23:43:59 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/gssapi/wrap.c: Use `gss_krb5_getsomekey'. + + * lib/gssapi/unwrap.c: Implement and use `gss_krb5_getsomekey'. + Fix bug in checking of pad. + + * lib/gssapi/{un,}wrap.c: Add support for just integrity + protecting data. + + * lib/gssapi/accept_sec_context.c: Use + `gssapi_krb5_verify_8003_checksum'. + + * lib/gssapi/8003.c: Implement `gssapi_krb5_verify_8003_checksum'. + + * lib/gssapi/init_sec_context.c: Zero cred, and store session key + properly in auth-context. + +Sun Mar 22 00:47:22 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/kadm5/delete_s.c: Check immutable bit. + + * kadmin/kadmin.c: Pass client name to kadm5_init. + + * lib/kadm5/init_c.c: Get creds for client name passed in. + + * kdc/hprop.c (v4_prop): Check for `changepw.kerberos'. + +Sat Mar 21 22:57:13 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/mk_error.c: Verify that error_code is in the range + [0,127]. + + * kdc/kerberos5.c: Move checking of principal flags to new + function `check_flags'. + +Sat Mar 21 14:38:51 1998 Assar Westerlund <assar@sics.se> + + * lib/kadm5/get_s.c (kadm5_s_get_principal): handle an empty salt + + * configure.in: define SunOS if running solaris + +Sat Mar 21 00:26:34 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/kadm5/server.c: Unifdef test for same principal when + changing password. + + * kadmin/util.c: If kadm5_get_principals failes, we might still be + able to perform the requested opreration (for instance someone if + trying to change his own password). + + * lib/kadm5/init_c.c: Try to get ticket via initial request, if + not possible via tgt. 
+ + * lib/kadm5/server.c: Check for principals changing their own + passwords. + + * kdc/kerberos5.c (tgs_rep2): check for interesting flags on + involved principals. + + * kadmin/util.c: Fix order of flags. + +Thu Mar 19 16:54:10 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/kerberos4.c: Return sane error code if krb_rd_req fails. + +Wed Mar 18 17:11:47 1998 Assar Westerlund <assar@sics.se> + + * acconfig.h: rename HAVE_STRUCT_SOCKADDR_IN6 to HAVE_IPV6 + +Wed Mar 18 09:58:18 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/get_in_tkt_with_keytab.c (krb5_keytab_key_proc): don't + free keyseed; use correct keytab + +Tue Mar 10 09:56:16 1998 Assar Westerlund <assar@sics.se> + + * acinclude.m4 (AC_KRB_IPV6): rewrote to avoid false positives + +Mon Mar 16 23:58:23 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * Release 0.0n + +Fri Mar 6 00:41:30 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/gssapi/{accept_sec_context,release_cred}.c: Use + krb5_kt_close/krb5_kt_resolve. + + * lib/krb5/principal.c (krb5_425_conv_principal_ext): Use resolver + to lookup hosts, so CNAMEs can be ignored. + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc, send_and_recv_http): + Add support for using proxy. + + * lib/krb5/context.c: Initialize `http_proxy' from + `libdefaults/http_proxy'. + + * lib/krb5/krb5.h: Add `http_proxy' to context. + + * lib/krb5/send_to_kdc.c: Recognize `http/' and `udp/' as protocol + specifications. + +Wed Mar 4 01:47:29 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * admin/ktutil.c: Implement `add' and `remove' functions. Make + `--keytab' a global option. + + * lib/krb5/keytab.c: Implement remove with files. Add memory + operations. + +Tue Mar 3 20:09:59 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/keytab.c: Use function pointers. + + * admin: Remove kdb_edit. 
+ +Sun Mar 1 03:28:42 1998 Assar Westerlund <assar@sics.se> + + * lib/kadm5/dump_log.c: print operation names + +Sun Mar 1 03:04:12 1998 Assar Westerlund <assar@sics.se> + + * configure.in: add X-tests, and {bin,...}dir appl/{kx,kauth} + + * lib/krb5/build_auth.c,mk_priv.c,rd_safe.c,mk_safe.c,mk_rep.c: + remove arbitrary limit + + * kdc/hprop-common.c: use krb5_{read,write}_message + + * lib/kadm5/ipropd_master.c (send_diffs): more careful use + krb5_{write,read}_message + + * lib/kadm5/ipropd_slave.c (get_creds): get credentials for + `iprop/master' directly. + (main): use `krb5_read_message' + +Sun Mar 1 02:05:11 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * kadmin/kadmin.c: Cleanup commands list, and add help strings. + + * kadmin/get.c: Add long, short, and terse (equivalent to `list') + output formats. Short is the default. + + * kadmin/util.c: Add `include_time' flag to timeval2str. + + * kadmin/init.c: Max-life and max-renew can, infact, be zero. + + * kadmin/{cpw,del,ext,get}.c: Use `foreach_principal'. + + * kadmin/util.c: Add function `foreach_principal', that loops over + all principals matching an expression. + + * kadmin/kadmin.c: Add usage string to `privileges'. + + * lib/kadm5/get_princs_s.c: Also try to match aganist the + expression appended with `@default-realm'. + + * lib/krb5/principal.c: Add `krb5_unparse_name_fixed_short', that + excludes the realm if it's the same as the default realm. + +Fri Feb 27 05:02:21 1998 Assar Westerlund <assar@sics.se> + + * configure.in: more WFLAGS and WFLAGS_NOUNUSED added missing + headers and functions error -> com_err + + (krb5_get_init_creds_keytab): use krb5_keytab_key_proc + + * lib/krb5/get_in_tkt_with_keytab.c: make `krb5_keytab_key_proc' + global + + * lib/kadm5/marshall.c (ret_principal_ent): set `n_tl_data' + + * lib/hdb/ndbm.c: use `struct ndbm_db' everywhere. + +Fri Feb 27 04:49:24 1998 Assar Westerlund <assar@sics.se> + + * lib/krb5/mk_priv.c (krb5_mk_priv): bump static limit to 10240. 
+ This should be fixed the correct way. + + * lib/kadm5/ipropd_master.c (check_acl:) truncate buf correctly + (send_diffs): compare versions correctly + (main): reorder handling of events + + * lib/kadm5/log.c (kadm5_log_previous): avoid bad type conversion + +Thu Feb 26 02:22:35 1998 Assar Westerlund <assar@sics.se> + + * lib/kadm5/ipropd_{slave,master}.c: new files + + * lib/kadm5/log.c (kadm5_log_get_version): take an `fd' as + argument + + * lib/krb5/krb5.h (krb5_context_data): `et_list' should be `struct + et_list *' + + * aux/make-proto.pl: Should work with perl4 + +Mon Feb 16 17:20:22 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/krb5_locl.h: Remove <error.h> (it gets included via + {asn1,krb5}_err.h). + +Thu Feb 12 03:28:40 1998 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_in_tkt.c (_krb5_extract_ticket): if time difference + is larger than max_skew, return KRB5KRB_AP_ERR_SKEW + + * lib/kadm5/log.c (get_version): globalize + + * lib/kadm5/kadm5_locl.h: include <sys/file.h> + + * lib/asn1/Makefile.am: add PA_KEY_INFO and PA_KEY_INFO_ENTRY + + * kdc/kerberos5.c (get_pa_etype_info): remove gcc-ism of + initializing local struct in declaration. + +Sat Jan 31 17:28:58 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/524.c: Use krb5_decode_EncTicketPart. + + * kdc/kerberos5.c: Check at runtime whether to use enctypes + instead of keytypes. If so use the same value to encrypt ticket, + and kdc-rep as well as `keytype' for session key. Fix some obvious + bugs with the handling of additional tickets. + + * lib/krb5/rd_req.c: Use krb5_decode_EncTicketPart, and + krb5_decode_Authenticator. + + * lib/krb5/rd_rep.c: Use krb5_decode_EncAPRepPart. + + * lib/krb5/rd_cred.c: Use krb5_decode_EncKrbCredPart. + + * lib/krb5/mk_rep.c: Make sure enc_part.etype is an encryption + type, and not a key type. Use krb5_encode_EncAPRepPart. + + * lib/krb5/init_creds_pw.c: Use krb5_decode_PA_KEY_INFO. 
+ + * lib/krb5/get_in_tkt.c: Use krb5_decode_Enc{AS,TGS}RepPart. + + * lib/krb5/get_for_creds.c: Use krb5_encode_EncKrbCredPart. + + * lib/krb5/get_cred.c: Use krb5_decode_Enc{AS,TGS}RepPart. + + * lib/krb5/build_auth.c: Use krb5_encode_Authenticator. + + * lib/krb5/codec.c: Enctype conversion stuff. + + * lib/krb5/context.c: Ignore KRB5_CONFIG if *not* running + setuid. Get configuration for libdefaults ktype_is_etype, and + default_etypes. + + * lib/krb5/encrypt.c: Add krb5_string_to_etype, rename + krb5_convert_etype to krb5_decode_keytype, and add + krb5_decode_keyblock. + +Fri Jan 23 00:32:09 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/{get_in_tkt,rd_req}.c: Use krb5_convert_etype. + + * lib/krb5/encrypt.c: Add krb5_convert_etype function - converts + from protocol keytypes (that really are enctypes) to internal + representation. + +Thu Jan 22 21:24:36 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/asn1/k5.asn1: Add PA-KEY-INFO structure to hold information + on keys in the database; and also a new `pa-key-info' padata-type. + + * kdc/kerberos5.c: If pre-authentication fails, return a list of + keytypes, salttypes, and salts. + + * lib/krb5/init_creds_pw.c: Add better support for + pre-authentication, by looking at hints from the KDC. + + * lib/krb5/get_in_tkt.c: Add better support for specifying what + pre-authentication to use. + + * lib/krb5/str2key.c: Merge entries for KEYTYPE_DES and + KEYTYPE_DES_AFS3. + + * lib/krb5/krb5.h: Add pre-authentication structures. + + * kdc/connect.c: Don't fail if realloc(X, 0) returns NULL. + +Wed Jan 21 06:20:40 1998 Assar Westerlund <assar@sics.se> + + * lib/kadm5/init_s.c (kadm5_s_init_with_password_ctx): initialize + `log_context.socket_name' and `log_context.socket_fd' + + * lib/kadm5/log.c (kadm5_log_flush): send a unix domain datagram + to inform the possible running ipropd of an update. 
+ +Wed Jan 21 01:34:09 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/get_in_tkt.c: Return error-packet to caller. + + * lib/krb5/free.c (krb5_free_kdc_rep): Free krb5_kdc_rep->error. + + * kdc/kerberos5.c: Add some support for using enctypes instead of + keytypes. + + * lib/krb5/get_cred.c: Fixes to send authorization-data to the + KDC. + + * lib/krb5/build_auth.c: Only generate local subkey if there is + none. + + * lib/krb5/krb5.h: Add krb5_authdata type. + + * lib/krb5/auth_context.c: Add + krb5_auth_con_set{,localsub,remotesub}key. + + * lib/krb5/init_creds_pw.c: Return some error if prompter + functions return failure. + +Wed Jan 21 01:16:13 1998 Assar Westerlund <assar@sics.se> + + * kpasswd/kpasswd.c: detect bad password. use krb5_err. + + * kadmin/util.c (edit_entry): remove unused variables + +Tue Jan 20 22:58:31 1998 Assar Westerlund <assar@sics.se> + + * kuser/kinit.c: rename `-s' to `-S' to be MIT-compatible. + + * lib/kadm5/kadm5_locl.h: add kadm5_log_context and + kadm5_log*-functions + + * lib/kadm5/create_s.c (kadm5_s_create_principal): add change to + log + + * lib/kadm5/rename_s.c (kadm5_s_rename_principal): add change to + log + + * lib/kadm5/init_s.c (kadm5_s_init_with_password_ctx): initialize + log_context + + * lib/kadm5/delete_s.c (kadm5_s_delete_principal): add change to + log + + * lib/kadm5/modify_s.c (kadm5_s_modify_principal): add change to + log + + * lib/kadm5/randkey_s.c (kadm5_s_randkey_principal): add change to + log + + * lib/kadm5/chpass_s.c (kadm5_s_chpass_principal): add change to + log + + * lib/kadm5/Makefile.am: add log.c, dump_log and replay_log + + * lib/kadm5/replay_log.c: new file + + * lib/kadm5/dump_log.c: new file + + * lib/kadm5/log.c: new file + + * lib/krb5/str2key.c (get_str): initialize pad space to zero + + * lib/krb5/config_file.c (krb5_config_vget_next): handle c == NULL + + * kpasswd/kpasswdd.c: rewritten to use the kadm5 API + + * kpasswd/Makefile.am: link with kadm5srv + + * kdc/kerberos5.c 
(tgs_rep): initialize `i' + + * kadmin/kadmind.c (main): use kadm5_server_{send,recv}_sp + + * include/Makefile.am: added admin.h + +Sun Jan 18 01:41:34 1998 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/asn1/gen_copy.c: Don't return ENOMEM if allocating 0 bytes. + + * lib/krb5/mcache.c (mcc_store_cred): restore linked list if + copy_creds fails. + +Tue Jan 6 04:17:56 1998 Assar Westerlund <assar@sics.se> + + * lib/kadm5/server.c: add kadm5_server_{send,recv}{,_sp} + + * lib/kadm5/marshall.c: add kadm5_{store,ret}_principal_ent_mask. + + * lib/kadm5/init_c.c (kadm5_c_init_with_password_ctx): use + krb5_getportbyname + + * kadmin/kadmind.c (main): htons correctly. + moved kadm5_server_{recv,send} + + * kadmin/kadmin.c (main): only set admin_server if explicitly + given + +Mon Jan 5 23:34:44 1998 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/hdb/ndbm.c: Implement locking of database. + + * kdc/kerberos5.c: Process AuthorizationData. + +Sat Jan 3 22:07:07 1998 Johan Danielsson <joda@blubb.pdc.kth.se> + + * kdc/string2key.c: Use AFS string-to-key from libkrb5. + + * lib/krb5/get_in_tkt.c: Handle pa-afs3-salt case. + + * lib/krb5/krb5.h: Add value for AFS salts. + + * lib/krb5/str2key.c: Add support for AFS string-to-key. + + * lib/kadm5/rename_s.c: Use correct salt. + + * lib/kadm5/ent_setup.c: Always enable client. Only set max-life + and max-renew if != 0. + + * lib/krb5/config_file.c: Add context to all krb5_config_*get_*. + +Thu Dec 25 17:03:25 1997 Assar Westerlund <assar@sics.se> + + * kadmin/ank.c (ank): don't zero password if --random-key was + given. 
+ +Tue Dec 23 01:56:45 1997 Assar Westerlund <assar@sics.se> + + * Release 0.0m + + * lib/kadm5/ent_setup.c (attr_to_flags): try to set `client' + + * kadmin/util.c (edit_time): only set mask if != 0 + (edit_attributes): only set mask if != 0 + + * kadmin/init.c (init): create `default' + +Sun Dec 21 09:44:05 1997 Assar Westerlund <assar@sics.se> + + * kadmin/util.c (str2deltat, str2attr, get_deltat): return value + as pointer and have return value indicate success. + + (get_response): check NULL from fgets + + (edit_time, edit_attributes): new functions for reading values and + offering list of answers on '?' + + (edit_entry): use edit_time and edit_attributes + + * kadmin/ank.c (add_new_key): test the return value of + `krb5_parse_name' + + * kdc/kerberos5.c (tgs_check_authenticator): RFC1510 doesn't say + that the checksum has to be keyed, even though later drafts do. + Accept unkeyed checksums to be compatible with MIT. + + * kadmin/kadmin_locl.h: add some prototypes. + + * kadmin/util.c (edit_entry): return a value + + * appl/afsutil/afslog.c (main): return a exit code. + + * lib/krb5/get_cred.c (init_tgs_req): use krb5_keytype_to_enctypes + + * lib/krb5/encrypt.c (krb5_keytype_to_enctypes): new function. + + * lib/krb5/build_auth.c (krb5_build_authenticator): use + krb5_{free,copy}_keyblock instead of the _contents versions + +Fri Dec 12 14:20:58 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/{mk,rd}_priv.c: fix check for local/remote subkey + +Mon Dec 8 08:48:09 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/context.c: don't look at KRB5_CONFIG if running setuid + +Sat Dec 6 10:09:40 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/keyblock.c (krb5_free_keyblock): check for NULL + keyblock + +Sat Dec 6 08:26:10 1997 Assar Westerlund <assar@sics.se> + + * Release 0.0l + +Thu Dec 4 03:38:12 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/send_to_kdc.c: Add TCP client support. 
+ + * lib/krb5/store.c: Add k_{put,get}_int. + + * kadmin/ank.c: Set initial kvno to 1. + + * kdc/connect.c: Send version 5 TCP-reply as length+data. + +Sat Nov 29 07:10:11 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/rd_req.c (krb5_rd_req): fixed obvious bug + + * kdc/kaserver.c (create_reply_ticket): use a random nonce in the + reply packet. + + * kdc/connect.c (init_sockets): less reallocing. + + * **/*.c: changed `struct fd_set' to `fd_set' + +Sat Nov 29 05:12:01 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/get_default_principal.c: More guessing. + +Thu Nov 20 02:55:09 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/rd_req.c: Use principal from ticket if no server is + given. + +Tue Nov 18 02:58:02 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kuser/klist.c: Use krb5_err*(). + +Sun Nov 16 11:57:43 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kadmin/kadmin.c: Add local `init', `load', `dump', and `merge' + commands. + +Sun Nov 16 02:52:20 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/mk_req_ext.c (krb5_mk_req_ext): figure out the correct + `enctype' + + * lib/krb5/mk_req.c (krb5_mk_req): use `(*auth_context)->enctype' + if set. + + * lib/krb5/get_cred.c: handle the case of a specific keytype + + * lib/krb5/build_auth.c (krb5_build_authenticator): enctype as a + parameter instead of guessing it. + + * lib/krb5/build_ap_req.c (krb5_build_ap_req): new parameter + `enctype' + + * appl/test/common.c (common_setup): don't use `optarg' + + * lib/krb5/keytab.c (krb5_kt_copy_entry_contents): new function + (krb5_kt_get_entry): retrieve the latest version if kvno == 0 + + * lib/krb5/krb5.h: define KRB5_TC_MATCH_KEYTYPE + + * lib/krb5/creds.c (krb5_compare_creds): check for + KRB5_TC_MATCH_KEYTYPE + + * lib/gssapi/8003.c (gssapi_krb5_create_8003_checksum): remove + unused variable + + * lib/krb5/creds.c (krb5_copy_creds_contents): only free the + contents if we fail. 
+ +Sun Nov 16 00:32:48 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kpasswd/kpasswdd.c: Get password expiration time from config + file. + + * lib/asn1/{der_get,gen_decode}.c: Allow passing NULL size. + +Wed Nov 12 02:35:57 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): + restructured and fixed. + + * lib/krb5/addr_families.c (krb5_h_addr2addr): new function. + +Wed Nov 12 01:36:01 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/get_addrs.c: Fall back to hostname's addresses if other + methods fail. + +Tue Nov 11 22:22:12 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kadmin/kadmin.c: Add `-l' flag to use local database. + + * lib/kadm5/acl.c: Use KADM5_PRIV_ALL. + + * lib/kadm5: Use function pointer trampoline for easier dual use + (without radiation-hardening capability). + +Tue Nov 11 05:15:22 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/encrypt.c (krb5_etype_valid): new function + + * lib/krb5/creds.c (krb5_copy_creds_contents): zero target + + * lib/krb5/context.c (valid_etype): remove + + * lib/krb5/checksum.c: remove dead code + + * lib/krb5/changepw.c (send_request): free memory on error. + + * lib/krb5/build_ap_req.c (krb5_build_ap_req): check return value + from malloc. + + * lib/krb5/auth_context.c (krb5_auth_con_init): free memory on + failure correctly. + (krb5_auth_con_setaddrs_from_fd): return error correctly. + + * lib/krb5/get_in_tkt_with_{keytab,skey}.c: new files + +Tue Nov 11 02:53:19 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/auth_context.c: Implement auth_con_setuserkey. + + * lib/gssapi/init_sec_context.c: Use krb5_auth_con_getkey. + + * lib/krb5/keyblock.c: Rename krb5_free_keyblock to + krb5_free_keyblock_contents, and reimplement krb5_free_keyblock. + + * lib/krb5/rd_req.c: Use auth_context->keyblock if + ap_options.use_session_key. 
+ +Tue Nov 11 02:35:17 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/net_{read,write}.c: change `int fd' to `void *p_fd'. + fix callers. + + * lib/krb5/krb5_locl.h: include <asn1.h> and <der.h> + + * include/Makefile.am: add xdbm.h + +Tue Nov 11 01:58:22 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/get_cred.c: Implement krb5_get_cred_from_kdc. + +Mon Nov 10 22:41:53 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/ticket.c: Implement copy_ticket. + + * lib/krb5/get_in_tkt.c: Make `options' parameter MIT-compatible. + + * lib/krb5/data.c: Implement free_data and copy_data. + +Sun Nov 9 02:17:27 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/kadm5: Implement kadm5_get_privs, and kadm5_get_principals. + + * kadmin/kadmin.c: Add get_privileges function. + + * lib/kadm5: Rename KADM5_ACL_* -> KADM5_PRIV_* to conform with + specification. + + * kdc/connect.c: Exit if no sockets could be bound. + + * kadmin/kadmind.c: Check return value from krb5_net_read(). + + * lib/kadm5,kadmin: Fix memory leaks. + +Fri Nov 7 02:45:26 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/kadm5/create_s.c: Get some default values from `default' + principal. + + * lib/kadm5/ent_setup.c: Add optional default entry to get some + values from. + +Thu Nov 6 00:20:41 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/error/compile_et.awk: Remove generated destroy_*_error_table + prototype + + * kadmin/kadmind.c: Crude admin server. + + * kadmin/kadmin.c: Update to use remote protocol. + + * kadmin/get.c: Fix principal formatting. + + * lib/kadm5: Add client support. + + * lib/kadm5/error.c: Error code mapping. + + * lib/kadm5/server.c: Kadmind support function. + + * lib/kadm5/marshall.c: Kadm5 marshalling. + + * lib/kadm5/acl.c: Simple acl system. + + * lib/kadm5/kadm5_locl.h: Add client stuff. + + * lib/kadm5/init_s.c: Initialize acl. + + * lib/kadm5/*: Return values. + + * lib/kadm5/create_s.c: Correct kvno. 
+ +Wed Nov 5 22:06:50 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/log.c: Fix parsing of log destinations. + +Mon Nov 3 20:33:55 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/principal.c: Reduce number of reallocs in unparse_name. + +Sat Nov 1 01:40:53 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kadmin: Simple kadmin utility. + + * admin/ktutil.c: Print keytype. + + * lib/kadm5/get_s.c: Set correct n_key_data. + + * lib/kadm5/init_s.c: Add kadm5_s_init_with_password_ctx. Use + master key. + + * lib/kadm5/destroy_s.c: Check for allocated context. + + * lib/kadm5/{create,chpass}_s.c: Use _kadm5_set_keys(). + +Sat Nov 1 00:21:00 1997 Assar Westerlund <assar@sics.se> + + * configure.in: test for readv, writev + +Wed Oct 29 23:41:26 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/warn.c (_warnerr): handle the case of an illegal error + code + + * kdc/kerberos5.c (encode_reply): return success + +Wed Oct 29 18:01:59 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/kerberos5.c (find_etype) Return correct index of selected + etype. + +Wed Oct 29 04:07:06 1997 Assar Westerlund <assar@sics.se> + + * Release 0.0k + + * lib/krb5/context.c (krb5_init_context): support `KRB5_CONFIG' + environment variable + + * *: use the roken_get*-macros from roken.h for the benefit of + Crays. + + * configure.in: add --{enable,disable}-otp. check for compatible + prototypes for gethostbyname, gethostbyaddr, getservbyname, and + openlog (they have strange prototypes on Crays) + + * acinclude.m4: new macro `AC_PROTO_COMPAT' + +Tue Oct 28 00:11:22 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/connect.c: Log bad requests. + + * kdc/kerberos5.c: Move stuff that's in common between as_rep and + tgs_rep to separate functions. + + * kdc/kerberos5.c: Fix user-to-user authentication. 
+ + * lib/krb5/get_cred.c: Some restructuring of krb5_get_credentials: + - add a kdc-options argument to krb5_get_credentials, and rename + it to krb5_get_credentials_with_flags + - honour the KRB5_GC_CACHED, and KRB5_GC_USER_USER options + - add some more user-to-user glue + + * lib/krb5/rd_req.c: Move parts of krb5_verify_ap_req into a new + function, krb5_decrypt_ticket, so it is easier to decrypt and + check a ticket without having an ap-req. + + * lib/krb5/krb5.h: Add KRB5_GC_CACHED, and KRB5_GC_USER_USER + flags. + + * lib/krb5/crc.c (crc_init_table): Check if table is already + inited. + +Sun Oct 26 04:51:02 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/asn1/der_get.c (der_get_length, fix_dce): Special-case + indefinite encoding. + + * lib/asn1/gen_glue.c (generate_units): Check for empty + member-list. + +Sat Oct 25 07:24:57 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/error/compile_et.awk: Allow specifying table-base. + +Tue Oct 21 20:21:40 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/kerberos5.c: Check version number of krbtgt. + +Mon Oct 20 01:14:53 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/prompter_posix.c (krb5_prompter_posix): implement the + case of unhidden prompts. + + * lib/krb5/str2key.c (string_to_key_internal): return error + instead of aborting. 
always free memory + + * admin/ktutil.c: add `help' command + + * admin/kdb_edit.c: implement new commands: add_random_key(ark), + change_password(cpw), change_random_key(crk) + +Thu Oct 16 05:16:36 1997 Assar Westerlund <assar@sics.se> + + * kpasswd/kpasswdd.c: change all the keys in the database + + * kdc: removed all unsealing, now done by the hdb layer + + * lib/hdb/hdb.c: new functions `hdb_create', `hdb_set_master_key' + and `hdb_clear_master_key' + + * admin/misc.c: removed + +Wed Oct 15 22:47:31 1997 Assar Westerlund <assar@sics.se> + + * kuser/klist.c: print year as YYYY iff verbose + +Wed Oct 15 20:02:13 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kuser/klist.c: print etype from ticket + +Mon Oct 13 17:18:57 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * Release 0.0j + + * lib/krb5/get_cred.c: Get the subkey from mk_req so it can be + used to decrypt the reply from DCE secds. + + * lib/krb5/auth_context.c: Add {get,set}enctype. + + * lib/krb5/get_cred.c: Fix for DCE secd. + + * lib/krb5/store.c: Store keytype twice, as MIT does. + + * lib/krb5/get_in_tkt.c: Use etype from reply. + +Fri Oct 10 00:39:48 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/connect.c: check for leading '/' in http request + +Tue Sep 30 21:50:18 1997 Assar Westerlund <assar@assaris.pdc.kth.se> + + * Release 0.0i + +Mon Sep 29 15:58:43 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/rd_req.c (krb5_rd_req): redone because we don't know + the kvno or keytype before receiving the AP-REQ + + * lib/krb5/mk_safe.c (krb5_mk_safe): figure out what cksumtype to + use from the keytype. + + * lib/krb5/mk_req_ext.c (krb5_mk_req_extended): figure out what + cksumtype to use from the keytype. + + * lib/krb5/mk_priv.c (krb5_mk_priv): figure out what etype to use + from the keytype. + + * lib/krb5/keytab.c (krb5_kt_get_entry): check the keytype + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): figure out + what etype to use from the keytype. 
+ + * lib/krb5/generate_seq_number.c (krb5_generate_seq_number): + handle other key types than DES + + * lib/krb5/encrypt.c (key_type): add `best_cksumtype' + (krb5_keytype_to_cksumtype): new function + + * lib/krb5/build_auth.c (krb5_build_authenticator): figure out + what etype to use from the keytype. + + * lib/krb5/auth_context.c (krb5_auth_con_init): set `cksumtype' + and `enctype' to 0 + + * admin/extkeytab.c (ext_keytab): extract all keys + + * appl/telnet/telnet/commands.c: INET6_ADDRSTRLEN kludge + + * configure.in: check for <netinet6/in6.h>. check for -linet6 + +Tue Sep 23 03:00:53 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/encrypt.c: fix checksumtype for des3-cbc-sha1 + + * lib/krb5/rd_safe.c: fix check for keyed and collision-proof + checksum + + * lib/krb5/context.c (valid_etype): remove hard-coded constants + (default_etypes): include DES3 + + * kdc/kerberos5.c: fix check for keyed and collision-proof + checksum + + * admin/util.c (init_des_key, set_password): DES3 keys also + + * lib/krb/send_to_kdc.c (krb5_sendto_kdc): no data returned means + no contact? + + * lib/krb5/addr_families.c: fix typo in `ipv6_anyaddr' + +Mon Sep 22 11:44:27 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * kdc/kerberos5.c: Somewhat fix the etype usage. The list sent by + the client is used to select wich key to encrypt the kdc rep with + (in case of as-req), and with the server info to select the + session key type. The server key the ticket is encrypted is based + purely on the keys in the database. + + * kdc/string2key.c: Add keytype support. Default to version 5 + keys. + + * lib/krb5/get_in_tkt.c: Fix a lot of etype/keytype misuse. + + * lib/krb5/encrypt.c: Add des3-cbc-md5, and des3-cbc-sha1. Add + many *_to_* functions. + + * lib/krb5/str2key.c: Add des3 string-to-key. Add ktype argument + to krb5_string_to_key(). 
+ + * lib/krb5/checksum.c: Some cleanup, and added: + - rsa-md5-des3 + - hmac-sha1-des3 + - keyed and collision proof flags to each checksum method + - checksum<->string functions. + + * lib/krb5/generate_subkey.c: Use krb5_generate_random_keyblock. + +Sun Sep 21 15:19:23 1997 Assar Westerlund <assar@sics.se> + + * kdc/connect.c: use new addr_families functions + + * kpasswd/kpasswdd.c: use new addr_families functions. Now works + over IPv6 + + * kuser/klist.c: use correct symbols for address families + + * lib/krb5/sock_principal.c: use new addr_families functions + + * lib/krb5/send_to_kdc.c: use new addr_families functions + + * lib/krb5/krb5.h: add KRB5_ADDRESS_INET6 + + * lib/krb5/get_addrs.c: use new addr_families functions + + * lib/krb5/changepw.c: use new addr_families functions. Now works + over IPv6 + + * lib/krb5/auth_context.c: use new addr_families functions + + * lib/krb5/addr_families.c: new file + + * acconfig.h: AC_SOCKADDR_IN6 -> AC_STRUCT_SOCKADDR_IN6. Updated + uses. + + * acinclude.m4: new macro `AC_KRB_IPV6'. Use it. + +Sat Sep 13 23:04:23 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/hprop.c: Don't encrypt twice. Complain on non-convertable + principals. 
+ +Sat Sep 13 00:59:36 1997 Assar Westerlund <assar@sics.se> + + * Release 0.0h + + * appl/telnet/telnet/commands.c: AF_INET6 support + + * admin/misc.c: new file + + * lib/krb5/context.c: new configuration variable `max_retries' + + * lib/krb5/get_addrs.c: fixes and better #ifdef's + + * lib/krb5/config_file.c: implement krb5_config_get_int + + * lib/krb5/auth_context.c, send_to_kdc.c, sock_principal.c: + AF_INET6 support + + * kuser/klist.c: support for printing IPv6-addresses + + * kdc/connect.c: support AF_INET6 + + * configure.in: test for gethostbyname2 and struct sockaddr_in6 + +Thu Sep 11 07:25:28 1997 Assar Westerlund <assar@sics.se> + + * lib/asn1/k5.asn1: Use `METHOD-DATA' instead of `SEQUENCE OF + PA-DATA' + +Wed Sep 10 21:20:17 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/kerberos5.c: Fixes for cross-realm, including (but not + limited to): + - allow client to be non-existant (should probably check for + "local realm") + - if server isn't found and it is a request for a krbtgt, try to + find a realm on the way to the requested realm + - update the transited encoding iff + client-realm != server-realm != tgt-realm + + * lib/krb5/get_cred.c: Several fixes for cross-realm. + +Tue Sep 9 15:59:20 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/string2key.c: Fix password handling. + + * lib/krb5/encrypt.c: krb5_key_to_string + +Tue Sep 9 07:46:05 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_addrs.c: rewrote. 
Now should be able to handle + aliases and IPv6 addresses + + * kuser/klist.c: try printing IPv6 addresses + + * kdc/kerberos5.c: increase the arbitrary limit from 1024 to 8192 + + * configure.in: check for <netinet/in6_var.h> + +Mon Sep 8 02:57:14 1997 Assar Westerlund <assar@sics.se> + + * doc: fixes + + * admin/util.c (init_des_key): increase kvno + (set_password): return -1 if `des_read_pw_string' failed + + * admin/mod.c (doit2): check the return value from `set_password' + + * admin/ank.c (doit): don't add a new entry if `set_password' + failed + +Mon Sep 8 02:20:16 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/verify_init.c: fix ap_req_nofail semantics + + * lib/krb5/transited.c: something that might resemble + domain-x500-compress + +Mon Sep 8 01:24:42 1997 Assar Westerlund <assar@sics.se> + + * kdc/hpropd.c (main): check number of arguments + + * appl/popper/pop_init.c (pop_init): check number of arguments + + * kpasswd/kpasswd.c (main): check number of arguments + + * kdc/string2key.c (main): check number of arguments + + * kuser/kdestroy.c (main): check number of arguments + + * kuser/kinit.c (main): check number of arguments + + * kpasswd/kpasswdd.c (main): use sigaction without SA_RESTART to + break out of select when a signal arrives + + * kdc/main.c (main): use sigaction without SA_RESTART to break out + of select when a signal arrives + + * kdc/kstash.c: default to HDB_DB_DIR "/m-key" + + * kdc/config.c (configure): add `--version'. Check the number of + arguments. Handle the case of there being no specification of port + numbers. + + * admin/util.c: seal and unseal key at appropriate places + + * admin/kdb_edit.c (main): parse arguments, config file and read + master key iff there's one. 
+ + * admin/extkeytab.c (ext_keytab): unseal key while extracting + +Sun Sep 7 20:41:01 1997 Assar Westerlund <assar@sics.se> + + * lib/roken/roken.h: include <fcntl.h> + + * kdc/kerberos5.c (set_salt_padata): new function + + * appl/telnet/telnetd/telnetd.c: Rename some variables that + conflict with cpp symbols on HP-UX 10.20 + + * change all calls of `gethostbyaddr' to cast argument 1 to `const + char *' + + * acconfig.h: only use SGTTY on nextstep + +Sun Sep 7 14:33:50 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/kerberos5.c: Check invalid flag. + +Fri Sep 5 14:19:38 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/verify_user.c: Use get_init_creds/verify_init_creds. + + * lib/kafs: Move functions common to krb/krb5 modules to new file, + and make things more modular. + + * lib/krb5/krb5.h: rename STRING -> krb5_config_string, and LIST + -> krb5_config_list + +Thu Sep 4 23:39:43 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/get_addrs.c: Fix loopback test. + +Thu Sep 4 04:45:49 1997 Assar Westerlund <assar@sics.se> + + * lib/roken/roken.h: fallback definition of `O_ACCMODE' + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): be more careful when + checking for a v4 reply + +Wed Sep 3 18:20:14 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/hprop.c: Add `--decrypt' and `--encrypt' flags. + + * lib/hdb/hdb.c: new {seal,unseal}_keys functions + + * kdc/{hprop,hpropd}.c: Add support to dump database to stdout. + + * kdc/hprop.c: Don't use same master key as version 4. + + * admin/util.c: Don't dump core if no `default' is found. + +Wed Sep 3 16:01:07 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * kdc/connect.c: Allow run time port specification. + + * kdc/config.c: Add flags for http support, and port + specifications. + +Tue Sep 2 02:00:03 1997 Assar Westerlund <assar@sics.se> + + * include/bits.c: Don't generate ifndef's in bits.h. Instead, use + them when building the program. 
This makes it possible to include + bits.h without having defined all HAVE_INT17_T symbols. + + * configure.in: test for sigaction + + * doc: updated documentation. + +Tue Sep 2 00:20:31 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * Release 0.0g + +Mon Sep 1 17:42:14 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/data.c: don't return ENOMEM if len == 0 + +Sun Aug 31 17:15:49 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/hdb/hdb.asn1: Include salt type in salt. + + * kdc/hprop.h: Change port to 754. + + * kdc/hpropd.c: Verify who tries to transmit a database. + + * appl/popper: Use getarg and krb5_log. + + * lib/krb5/get_port.c: Add context parameter. Now takes port in + host byte order. + +Sat Aug 30 18:48:19 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/connect.c: Add timeout to select, and log about expired tcp + connections. + + * kdc/config.c: Add `database' option. + + * kdc/hpropd.c: Log about duplicate entries. + + * lib/hdb/{db,ndbm}.c: Use common routines. + + * lib/hdb/common.c: Implement more generic fetch/store/delete + functions. + + * lib/hdb/hdb.h: Add `replace' parameter to store. + + * kdc/connect.c: Set filedecriptor to -1 on allocated decriptor + entries. + +Fri Aug 29 03:13:23 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_in_tkt.c: extract_ticket -> _krb5_extract_ticket + + * aux/make-proto.pl: fix __P for stone age mode + +Fri Aug 29 02:45:46 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/45/mk_req.c: implementation of krb_mk_req that uses 524 + protocol + + * lib/krb5/init_creds_pw.c: make change_password and + get_init_creds_common static + + * lib/krb5/krb5.h: Merge stuff from removed headerfiles. + + * lib/krb5/fcache.c: fcc_ops -> krb5_fcc_ops + + * lib/krb5/mcache.c: mcc_ops -> krb5_mcc_ops + +Fri Aug 29 01:45:25 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/krb5.h: Remove all prototypes. 
+ + * lib/krb5/convert_creds.c: Use `struct credentials' instead of + `CREDENTIALS'. + +Fri Aug 29 00:08:18 1997 Assar Westerlund <assar@sics.se> + + * lib/asn1/gen_glue.c: new file. generates 2int and int2 functions + and units for bit strings. + + * admin/util.c: flags2int, int2flags, and flag_units are now + generated by asn1_compile + + * lib/roken/parse_units.c: generalised `parse_units' and + `unparse_units' and added new functions `parse_flags' and + `unparse_flags' that use these + + * lib/krb5/krb5_locl.h: moved krb5_data* functions to krb5.h + + * admin/util.c: Use {un,}parse_flags for printing and parsing + hdbflags. + +Thu Aug 28 03:26:12 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_addrs.c: restructured + + * lib/krb5/warn.c (_warnerr): leak less memory + + * lib/hdb/hdb.c (hdb_free_entry): zero keys + (hdb_check_db_format): leak less memory + + * lib/hdb/ndbm.c (NDBM_seq): check for valid hdb_entries implement + NDBM__get, NDBM__put + + * lib/hdb/db.c (DB_seq): check for valid hdb_entries + +Thu Aug 28 02:06:58 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/send_to_kdc.c: Don't use sendto on connected sockets. + +Thu Aug 28 01:13:17 1997 Assar Westerlund <assar@sics.se> + + * kuser/kinit.1, klist.1, kdestroy.1: new man pages + + * kpasswd/kpasswd.1, kpasswdd.8: new man pages + + * kdc/kstash.8, hprop.8, hpropd.8: new man pages + + * admin/ktutil.8, admin/kdb_edit.8: new man pages + + * admin/mod.c: new file + + * admin/life.c: renamed gettime and puttime to getlife and putlife + and moved them to life.c + + * admin/util.c: add print_flags, parse_flags, init_entry, + set_created_by, set_modified_by, edit_entry, set_password. Use + them. + + * admin/get.c: use print_flags + + * admin: removed unused stuff. use krb5_{warn,err}* + + * admin/ank.c: re-organized and abstracted. 
+ + * admin/gettime.c: removed + +Thu Aug 28 00:37:39 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/{get_cred,get_in_tkt}.c: Check for v4 reply. + + * lib/roken/base64.c: Add base64 functions. + + * kdc/connect.c lib/krb5/send_to_kdc.c: Add http support. + +Wed Aug 27 00:29:20 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * include/Makefile.am: Don't make links to built files. + + * admin/kdb_edit.c: Add command to set the database path. + + * lib/hdb: Include version number in database. + +Tue Aug 26 20:14:54 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * admin/ktutil: Merged v4 srvtab conversion. + +Mon Aug 25 23:02:18 1997 Assar Westerlund <assar@sics.se> + + * lib/roken/roken.h: add F_OK + + * lib/gssapi/acquire_creds.c: fix typo + + * configure.in: call AC_TYPE_MODE_T + + * acinclude.m4: Add AC_TYPE_MODE_T + +Sun Aug 24 16:46:53 1997 Assar Westerlund <assar@sics.se> + + * Release 0.0f + +Sun Aug 24 08:06:54 1997 Assar Westerlund <assar@sics.se> + + * appl/popper/pop_pass.c: log poppers + + * kdc/kaserver.c: some more checks + + * kpasswd/kpasswd.c: removed `-p' + + * kuser/kinit.c: removed `-p' + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): If + KDC_ERR_PREUATH_REQUIRED, add preauthentication and try again. + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): don't print out + krb-error text + + * lib/gssapi/import_name.c (input_name): more names types. + + * admin/load.c (parse_keys): handle the case of an empty salt + + * kdc/kaserver.c: fix up memory deallocation + + * kdc/kaserver.c: quick hack at talking kaserver protocol + + * kdc/kerberos4.c: Make `db-fetch4' global + + * configure.in: add --enable-kaserver + + * kdc/rx.h, kdc/kerberos4.h: new header files + + * lib/krb5/principal.c: fix krb5_build_principal_ext & c:o + +Sun Aug 24 03:52:44 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/{get_in_tkt,mk_safe,mk_priv}.c: Fix some Cray specific + type conflicts. 
+ + * lib/krb5/{get_cred,get_in_tkt}.c: Mask nonce to 32 bits. + + * lib/des/{md4,md5,sha}.c: Now works on Crays. + +Sat Aug 23 18:15:01 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * appl/afsutil/afslog.c: If no cells or files specified, get + tokens for all local cells. Better test for files. + +Thu Aug 21 23:33:38 1997 Assar Westerlund <assar@sics.se> + + * lib/gssapi/v1.c: new file with v1 compatibility functions. + +Thu Aug 21 20:36:13 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/kafs/afskrb5.c: Don't check ticket file for afs ticket. + + * kdc/kerberos4.c: Check database when converting v4 principals. + + * kdc/kerberos5.c: Include kvno in Ticket. + + * lib/krb5/encrypt.c: Add kvno parameter to encrypt_EncryptedData. + + * kuser/klist.c: Print version number of ticket, include more + flags. + +Wed Aug 20 21:26:58 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/kafs/afskrb5.c (get_cred): Check cached afs tickets for + expiration. + +Wed Aug 20 17:40:31 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/recvauth.c (krb5_recvauth): Send a KRB-ERROR iff + there's an error. + + * lib/krb5/sendauth.c (krb5_sendauth): correct the protocol + documentation and process KRB-ERROR's + +Tue Aug 19 20:41:30 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/kerberos4.c: Fix memory leak in v4 protocol handler. + +Mon Aug 18 05:15:09 1997 Assar Westerlund <assar@sics.se> + + * lib/gssapi/accept_sec_context.c: Added + `gsskrb5_register_acceptor_identity' + +Sun Aug 17 01:40:20 1997 Assar Westerlund <assar@sics.se> + + * lib/gssapi/accept_sec_context.c (gss_accept_sec_context): don't + always pass server == NULL to krb5_rd_req. 
+ + * lib/gssapi: new files: canonicalize_name.c export_name.c + context_time.c compare_name.c release_cred.c acquire_cred.c + inquire_cred.c, from Luke Howard <lukeh@xedoc.com.au> + + * lib/krb5/config_file.c: Add netinfo support from Luke Howard + <lukeh@xedoc.com.au> + + * lib/editline/sysunix.c: sgtty-support from Luke Howard + <lukeh@xedoc.com.au> + + * lib/krb5/principal.c: krb5_sname_to_principal fix from Luke + Howard <lukeh@xedoc.com.au> + +Sat Aug 16 00:44:47 1997 Assar Westerlund <assar@koi.pdc.kth.se> + + * Release 0.0e + +Sat Aug 16 00:23:46 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * appl/afsutil/afslog.c: Use new libkafs. + + * lib/kafs/afskrb5.c: Get AFS tokens via 524 protocol. + + * lib/krb5/warn.c: Fix format string for *x type. + +Fri Aug 15 22:15:01 1997 Assar Westerlund <assar@sics.se> + + * admin/get.c (get_entry): print more information about the entry + + * lib/des/Makefile.am: build destest, mdtest, des, rpw, speed + + * lib/krb5/config_file.c: new functions `krb5_config_get_time' and + `krb5_config_vget_time'. Use them. + +Fri Aug 15 00:09:37 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * admin/ktutil.c: Keytab manipulation program. + + * lib/krb5/keytab.c: Return sane values from resolve and + start_seq_get. + + * kdc/kerberos5.c: Fix for old clients passing 0 for `no endtime'. + + * lib/45/get_ad_tkt.c: Kerberos 4 get_ad_tkt using + krb524_convert_creds_kdc. + + * lib/krb5/convert_creds.c: Implementation of + krb524_convert_creds_kdc. + + * lib/asn1/k5.asn1: Make kdc-req-body.till OPTIONAL + + * kdc/524.c: A somewhat working 524-protocol module. + + * kdc/kerberos4.c: Add version 4 ticket encoding and encryption + functions. + + * lib/krb5/context.c: Fix kdc_timeout. + + * lib/hdb/{ndbm,db}.c: Free name in close. + + * kdc/kerberos5.c (tgs_check_autenticator): Return error code + +Thu Aug 14 21:29:03 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/kerberos5.c (tgs_make_reply): Fix endtime in reply. 
+ + * lib/krb5/store_emem.c: Fix reallocation bug. + +Tue Aug 12 01:29:46 1997 Assar Westerlund <assar@sics.se> + + * appl/telnet/libtelnet/kerberos5.c, appl/popper/pop_init.c: Use + `krb5_sock_to_principal'. Send server parameter to + krb5_rd_req/krb5_recvauth. Set addresses in auth_context. + + * lib/krb5/recvauth.c: Set addresses in auth_context if there + aren't any + + * lib/krb5/auth_context.c: New function + `krb5_auth_con_setaddrs_from_fd' + + * lib/krb5/sock_principal.c: new function + `krb5_sock_to_principal' + + * lib/krb5/time.c: new file with `krb5_timeofday' and + `krb5_us_timeofday'. Use these functions. + + * kuser/klist.c: print KDC offset iff verbose + + * lib/krb5/get_in_tkt.c: implement KDC time offset and use it if + [libdefaults]kdc_timesync is set. + + * lib/krb5/fcache.c: Implement version 4 of the ccache format. + +Mon Aug 11 05:34:43 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/rd_rep.c (krb5_free_ap_rep_enc_part): free all memory + + * lib/krb5/principal.c (krb5_unparse_name): allocate memory + properly + + * kpasswd/kpasswd.c: Use `krb5_change_password' + + * lib/krb5/init_creds_pw.c (init_cred): set realm of server + correctly. + + * lib/krb5/init_creds_pw.c: support changing of password when it + has expired + + * lib/krb5/changepw.c: new file + + * kuser/klist.c: use getarg + + * admin/init.c (init): add `kadmin/changepw' + +Mon Aug 11 04:30:47 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/get_cred.c: Make get_credentials handle cross-realm. + +Mon Aug 11 00:03:24 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/config_file.c: implement support for #-comments + +Sat Aug 9 02:21:46 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/hprop*.c: Add database propagation programs. + + * kdc/connect.c: Max request size. + +Sat Aug 9 00:47:28 1997 Assar Westerlund <assar@sics.se> + + * lib/otp: resurrected from krb4 + + * appl/push: new program for fetching mail with POP. 
+ + * appl/popper/popper.h: new include files. new fields in `POP' + + * appl/popper/pop_pass.c: Implement both v4 and v5. + + * appl/popper/pop_init.c: Implement both v4 and v5. + + * appl/popper/pop_debug.c: use getarg. Talk both v4 and v5 + + * appl/popper: Popper from krb4. + + * configure.in: check for inline and <netinet/tcp.h> generate + files in appl/popper, appl/push, and lib/otp + +Fri Aug 8 05:51:02 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_cred.c: clean-up and try to free memory even when + there're errors + + * lib/krb5/get_cred.c: adapt to new `extract_ticket' + + * lib/krb5/get_in_tkt.c: reorganize. check everything and try to + return memory even if there are errors. + + * kuser/kverify.c: new file + + * lib/krb5/free_host_realm.c: new file + + * lib/krb5/principal.c (krb5_sname_to_principal): implement + different nametypes. Also free memory. + + * lib/krb5/verify_init.c: more functionality + + * lib/krb5/mk_req_ext.c (krb5_mk_req_extended): free the checksum + + * lib/krb5/get_in_tkt.c (extract_ticket): don't copy over the + principals in creds. Should also compare them with that received + from the KDC + + * lib/krb5/cache.c (krb5_cc_gen_new): copy the newly allocated + krb5_ccache + (krb5_cc_destroy): call krb5_cc_close + (krb5_cc_retrieve_cred): delete the unused creds + +Fri Aug 8 02:30:40 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/log.c: Allow better control of destinations of logging + (like passing explicit destinations, and log-functions). + +Fri Aug 8 01:20:39 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_default_principal.c: new file + + * kpasswd/kpasswdd.c: use krb5_log* + +Fri Aug 8 00:37:47 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/init_creds_pw.c: Implement krb5_get_init_creds_keytab. + +Fri Aug 8 00:37:17 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/init_creds_pw.c: Use `krb5_get_default_principal'. + Print password expire information. 
+ + * kdc/config.c: new variable `kdc_warn_pwexpire' + + * kpasswd/kpasswd.c: converted to getarg and get_init_creds + +Thu Aug 7 22:17:09 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/mcache.c: new file + + * admin/gettime.c: new function puttime. Use it. + + * lib/krb5/keyblock.c: Added krb5_free_keyblock and + krb5_copy_keyblock + + * lib/krb5/init_creds_pw.c: more functionality + + * lib/krb5/creds.c: Added krb5_free_creds_contents and + krb5_copy_creds. Changed callers. + + * lib/krb5/config_file.c: new functions krb5_config_get and + krb5_config_vget + + * lib/krb5/cache.c: cleanup added mcache + + * kdc/kerberos5.c: include last-req's of type 6 and 7, if + applicable + +Wed Aug 6 20:38:23 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/log.c: New parameter `log-level'. Default to `SYSLOG'. + +Tue Aug 5 22:53:54 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/verify_init.c, init_creds_pw.c, init_creds.c, + prompter_posix.c: the beginning of an implementation of the cygnus + initial-ticket API. + + * lib/krb5/get_in_tkt_pw.c: make `krb5_password_key_proc' global + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): new function that is + almost krb5_get_in_tkt but doesn't write the creds to the ccache. + Small fixes in krb5_get_in_tkt + + * lib/krb5/get_addrs.c (krb5_get_all_client_addrs): don't include + loopback. + +Mon Aug 4 20:20:48 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc: Make context global. + +Fri Aug 1 17:23:56 1997 Assar Westerlund <assar@sics.se> + + * Release 0.0d + + * lib/roken/flock.c: new file + + * kuser/kinit.c: check for and print expiry information in the + `kdc_rep' + + * lib/krb5/get_in_tkt.c: Set `ret_as_reply' if != NULL + + * kdc/kerberos5.c: Check the valid times on client and server. + Check the password expiration. + Check the require_preauth flag. + Send an lr_type == 6 with pw_end. 
+ Set key.expiration to min(valid_end, pw_end) + + * lib/hdb/hdb.asn1: new flags `require_preauth' and `change_pw' + + * admin/util.c, admin/load.c: handle the new flags. + +Fri Aug 1 16:56:12 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/hdb: Add some simple locking. + +Sun Jul 27 04:44:31 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/log.c: Add some general logging functions. + + * kdc/kerberos4.c: Add version 4 protocol handler. The requrement + for this to work is that all involved principals has a des key in + the database, and that the client has a version 4 (un-)salted + key. Furthermore krb5_425_conv_principal has to do it's job, as + present it's not very clever. + + * lib/krb5/principal.c: Quick patch to make 425_conv work + somewhat. + + * lib/hdb/hdb.c: Add keytype->key and next key functions. + +Fri Jul 25 17:32:12 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/build_auth.c (krb5_build_authenticator): don't free + `cksum'. It's allocated and freed by the caller + + * lib/krb5/get_cred.c (krb5_get_kdc_cred): Don't free `addresses'. + + * kdc/kerberos5.c (tgs_rep2): make sure we also have an defined + `client' to return as part of the KRB-ERROR + +Thu Jul 24 08:13:59 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/kerberos5.c: Unseal keys from database before use. + + * kdc/misc.c: New functions set_master_key, unseal_key and + free_key. + + * lib/roken/getarg.c: Handle `-f arg' correctly. + +Thu Jul 24 01:54:43 1997 Assar Westerlund <assar@sics.se> + + * kuser/kinit.c: implement `-l' aka `--lifetime' + + * lib/roken/parse_units.c, parse_time.c: new files + + * admin/gettime.c (gettime): use `parse_time' + + * kdc/kerberos5.c (as_rep): Use `METHOD-DATA' when sending + KRB5KDC_ERR_PREAUTH_REQUIRED, not PA-DATA. + + * kpasswd/kpasswdd.c: fix freeing bug use sequence numbers set + addresses in auth_context bind one socket per interface. 
+ + * kpasswd/kpasswd.c: use sequence numbers + + * lib/krb5/rd_req.c (krb5_verify_ap_req): do abs when verifying + the timestamps + + * lib/krb5/rd_priv.c (krb5_rd_priv): Fetch the correct session key + from auth_context + + * lib/krb5/mk_priv.c (krb5_mk_priv): Fetch the correct session key + from auth_context + + * lib/krb5/mk_error.c (krb5_mk_error): return an error number and + not a comerr'd number. + + * lib/krb5/get_in_tkt.c (krb5_get_in_tkt): interpret the error + number in KRB-ERROR correctly. + + * lib/krb5/get_cred.c (krb5_get_kdc_cred): interpret the error + number in KRB-ERROR correctly. + + * lib/asn1/k5.asn1: Add `METHOD-DATA' + + * removed some memory leaks. + +Wed Jul 23 07:53:18 1997 Assar Westerlund <assar@sics.se> + + * Release 0.0c + + * lib/krb5/rd_cred.c, get_for_creds.c: new files + + * lib/krb5/get_host_realm.c: try default realm as last chance + + * kpasswd/kpasswdd.c: updated to hdb changes + + * appl/telnet/libtelnet/kerberos5.c: Implement forwarding + + * appl/telnet/libtelnet: removed totally unused files + + * admin/ank.c: fix prompts and generation of random keys + +Wed Jul 23 04:02:32 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * admin/dump.c: Include salt in dump. + + * admin: Mostly updated for new db-format. + + * kdc/kerberos5.c: Update to use new db format. Better checking of + flags and such. More logging. + + * lib/hdb/hdb.c: Use generated encode and decode functions. + + * lib/hdb/hdb.h: Get hdb_entry from ASN.1 generated code. + + * lib/krb5/get_cred.c: Get addresses from krbtgt if there are none + in the reply. + +Sun Jul 20 16:22:30 1997 Assar Westerlund <assar@sics.se> + + * kuser/kinit.c: break if des_read_pw_string() != 0 + + * kpasswd/kpasswdd.c: send a reply + + * kpasswd/kpasswd.c: restructured code. 
better report on + krb-error break if des_read_pw_string() != 0 + + * kdc/kerberos5.c: Check `require_enc_timestamp' malloc space for + starttime and renew_till + + * appl/telnet/libtelnet/kerberos5.c (kerberos5_is): Send a + keyblock to krb5_verify_chekcsum + +Sun Jul 20 06:35:46 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * Release 0.0b + + * kpasswd/kpasswd.c: Avoid using non-standard struct names. + +Sat Jul 19 19:26:23 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/keytab.c (krb5_kt_get_entry): check return from + `krb5_kt_start_seq_get'. From <map@stacken.kth.se> + +Sat Jul 19 04:07:39 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/asn1/k5.asn1: Update with more pa-data types from + draft-ietf-cat-kerberos-revisions-00.txt + + * admin/load.c: Update to match current db-format. + + * kdc/kerberos5.c (as_rep): Try all valid pa-datas before giving + up. Send back an empty pa-data if the client has the v4 flag set. + + * lib/krb5/get_in_tkt.c: Pass both version5 and version4 salted + pa-data. DTRT if there is any pa-data in the reply. + + * lib/krb5/str2key.c: XOR with some sane value. + + * lib/hdb/hdb.h: Add `version 4 salted key' flag. + + * kuser/kinit.c: Ask for password before calling get_in_tkt. This + makes it possible to call key_proc more than once. + + * kdc/string2key.c: Add flags to output version 5 (DES only), + version 4, and AFS string-to-key of a password. + + * lib/asn1/gen_copy.c: copy_* functions now returns an int (0 or + ENOMEM). + +Fri Jul 18 02:54:58 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_host_realm.c (krb5_get_host_realm): do the + name2name thing + + * kdc/misc.c: check result of hdb_open + + * admin/kdb_edit: updated to new sl + + * lib/sl: sl_func now returns an int. != 0 means to exit. 
+ + * kpasswd/kpasswdd: A crude (but somewhat working) implementation + of `draft-ietf-cat-kerb-chg-password-00.txt' + +Fri Jul 18 00:55:39 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * kuser/krenew.c: Crude ticket renewing program. + + * kdc/kerberos5.c: Rewritten flags parsing, it now might work to + get forwarded and renewed tickets. + + * kuser/kinit.c: Add `-r' flag. + + * lib/krb5/get_cred.c: Move most of contents of get_creds to new + function get_kdc_cred, that always contacts the kdc and doesn't + save in the cache. This is a hack. + + * lib/krb5/get_in_tkt.c: Pass starttime and renew_till in request + (a bit kludgy). + + * lib/krb5/mk_req_ext.c: Make an auth_context if none passed in. + + * lib/krb5/send_to_kdc.c: Get timeout from context. + + * lib/krb5/context.c: Add kdc_timeout to context struct. + +Thu Jul 17 20:35:45 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * kuser/klist.c: Print start time of ticket if available. + + * lib/krb5/get_host_realm.c: Return error if no realm was found. + +Thu Jul 17 20:28:21 1997 Assar Westerlund <assar@sics.se> + + * kpasswd: non-working kpasswd added + +Thu Jul 17 00:21:22 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * Release 0.0a + + * kdc/main.c: Add -p flag to disable pa-enc-timestamp requirement. + +Wed Jul 16 03:37:41 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/kerberos5.c (tgs_rep2): Free ticket and ap_req. + + * lib/krb5/auth_context.c (krb5_auth_con_free): Free remote + subkey. + + * lib/krb5/principal.c (krb5_free_principal): Check for NULL. + + * lib/krb5/send_to_kdc.c: Check for NULL return from + gethostbyname. + + * lib/krb5/set_default_realm.c: Try to get realm of local host if + no default realm is available. + + * Remove non ASN.1 principal code. + +Wed Jul 16 03:17:30 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * kdc/kerberos5.c: Split tgs_rep in smaller functions. Add better + error handing. Do some logging. + + * kdc/log.c: Some simple logging facilities. 
+ + * kdc/misc.c (db_fetch): Take a krb5_principal. + + * kdc/connect.c: Pass address of request to as_rep and + tgs_rep. Send KRB-ERROR. + + * lib/krb5/mk_error.c: Add more fields. + + * lib/krb5/get_cred.c: Print normal error code if no e_text is + available. + +Wed Jul 16 03:07:50 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_in_tkt.c: implement `krb5_init_etype'. + Change encryption type of pa_enc_timestamp to DES-CBC-MD5 + + * lib/krb5/context.c: recognize all encryption types actually + implemented + + * lib/krb5/auth_context.c (krb5_auth_con_init): Change default + encryption type to `DES_CBC_MD5' + + * lib/krb5/read_message.c, write_message.c: new files + +Tue Jul 15 17:14:21 1997 Assar Westerlund <assar@sics.se> + + * lib/asn1: replaced asn1_locl.h by `der_locl.h' and `gen_locl.h'. + + * lib/error/compile_et.awk: generate a prototype for the + `destroy_foo_error_table' function. + +Mon Jul 14 12:24:40 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/krbhst.c (krb5_get_krbhst): Get all kdc's and try also + with `kerberos.REALM' + + * kdc/kerberos5.c, lib/krb5/rd_priv.c, lib/krb5/rd_safe.c: use + `max_skew' + + * lib/krb5/rd_req.c (krb5_verify_ap_req): record authenticator + subkey + + * lib/krb5/build_auth.c (krb5_build_authenticator): always + generate a subkey. + + * lib/krb5/address.c: implement `krb5_address_order' + + * lib/gssapi/import_name.c: Implement `gss_import_name' + + * lib/gssapi/external.c: Use new OID + + * lib/gssapi/encapsulate.c: New functions + `gssapi_krb5_encap_length' and `gssapi_krb5_make_header'. Changed + callers. + + * lib/gssapi/decapsulate.c: New function + `gssaspi_krb5_verify_header'. Changed callers. + + * lib/asn1/gen*.c: Give tags to generated structs. + Use `err' and `asprintf' + + * appl/test/gss_common.c: new file + + * appl/test/gssapi_server.c: removed all krb5 calls + + * appl/telnet/libtelnet/kerberos5.c: Add support for genering and + verifying checksums. Also start using session subkeys. 
+ +Mon Jul 14 12:08:25 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/rd_req.c (krb5_rd_req_with_keyblock): Split up. + +Sun Jul 13 03:07:44 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/rd_safe.c, mk_safe.c: made bug-compatible with MIT + + * lib/krb5/encrypt.c: new functions `DES_encrypt_null_ivec' and + `DES_encrypt_key_ivec' + + * lib/krb5/checksum.c: implement rsa-md4-des and rsa-md5-des + + * kdc/kerberos5.c (tgs_rep): support keyed checksums + + * lib/krb5/creds.c: new file + + * lib/krb5/get_in_tkt.c: better freeing + + * lib/krb5/context.c (krb5_free_context): more freeing + + * lib/krb5/config_file.c: New function `krb5_config_file_free' + + * lib/error/compile_et.awk: Generate a `destroy_' function. + + * kuser/kinit.c, klist.c: Don't leak memory. + +Sun Jul 13 02:46:27 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * kdc/connect.c: Check filedescriptor in select. + + * kdc/kerberos5.c: Remove most of the most common memory leaks. + + * lib/krb5/rd_req.c: Free allocated data. + + * lib/krb5/auth_context.c (krb5_auth_con_free): Free a lot of + fields. + +Sun Jul 13 00:32:16 1997 Assar Westerlund <assar@sics.se> + + * appl/telnet: Conditionalize the krb4-support. + + * configure.in: Test for krb4 + +Sat Jul 12 17:14:12 1997 Assar Westerlund <assar@sics.se> + + * kdc/kerberos5.c: check if the pre-auth was decrypted properly. + set the `pre_authent' flag + + * lib/krb5/get_cred.c, lib/krb5/get_in_tkt.c: generate a random nonce. + + * lib/krb5/encrypt.c: Made `generate_random_block' global. + + * appl/test: Added gssapi_client and gssapi_server. + + * lib/krb5/data.c: Add `krb5_data_zero' + + * appl/test/tcp_client.c: try `mk_safe' and `mk_priv' + + * appl/test/tcp_server.c: try `rd_safe' and `rd_priv' + +Sat Jul 12 16:45:58 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/get_addrs.c: Fix for systems that has sa_len, but + returns zero length from SIOCGIFCONF. 
+ +Sat Jul 12 16:38:34 1997 Assar Westerlund <assar@sics.se> + + * appl/test: new programs + + * lib/krb5/rd_req.c: add address compare + + * lib/krb5/mk_req_ext.c: allow no checksum + + * lib/krb5/keytab.c (krb5_kt_ret_string): 0-terminate string + + * lib/krb5/address.c: fix `krb5_address_compare' + +Sat Jul 12 15:03:16 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/get_addrs.c: Fix ip4 address extraction. + + * kuser/klist.c: Add verbose flag, and split main into smaller + pieces. + + * lib/krb5/fcache.c: Save ticket flags. + + * lib/krb5/get_in_tkt.c (extract_ticket): Extract addresses and + flags. + + * lib/krb5/krb5.h: Add ticket_flags to krb5_creds. + +Sat Jul 12 13:12:48 1997 Assar Westerlund <assar@sics.se> + + * configure.in: Call `AC_KRB_PROG_LN_S' + + * acinclude.m4: Add `AC_KRB_PROG_LN_S' from krb4 + +Sat Jul 12 00:57:01 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/get_in_tkt.c: Use union of krb5_flags and KDCOptions to + pass options. + +Fri Jul 11 15:04:22 1997 Assar Westerlund <assar@sics.se> + + * appl/telnet: telnet & telnetd seems to be working. + + * lib/krb5/config_file.c: Added krb5_config_v?get_list Fixed + krb5_config_vget_next + + * appl/telnet/libtelnet/kerberos5.c: update to current API + +Thu Jul 10 14:54:39 1997 Assar Westerlund <assar@sics.se> + + * appl/telnet/libtelnet/kerberos5.c (kerberos5_status): call + `krb5_kuserok' + + * appl/telnet: Added. + +Thu Jul 10 05:09:25 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/error/compile_et.awk: Remove usage of sub, gsub, and + functions for compatibility with awk. + + * include/bits.c: Must use signed char. + + * lib/krb5/context.c: Move krb5_get_err_text, and krb5_init_ets + here. + + * lib/error/error.c: Replace krb5_get_err_text with new function + com_right. + + * lib/error/compile_et.awk: Avoid using static variables. 
+ + * lib/error/error.c: Don't use krb5_locl.h + + * lib/error/error.h: Move definitions of error_table and + error_list from krb5.h. + + * lib/error: Moved from lib/krb5. + +Wed Jul 9 07:42:04 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/encrypt.c: Temporary hack to avoid des_rand_data. + +Wed Jul 9 06:58:00 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/{rd,mk}_{*}.c: more checking for addresses and stuff + according to pseudocode from 1510 + +Wed Jul 9 06:06:06 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/hdb/hdb.c: Add hdb_etype2key. + + * kdc/kerberos5.c: Check authenticator. Use more general etype + functions. + +Wed Jul 9 03:51:12 1997 Assar Westerlund <assar@sics.se> + + * lib/asn1/k5.asn1: Made all `s_address' OPTIONAL according to + draft-ietf-cat-kerberos-r-00.txt + + * lib/krb5/principal.c (krb5_parse_name): default to local realm + if none given + + * kuser/kinit.c: New option `-p' and prompt + +Wed Jul 9 02:30:06 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/keyblock.c: Keyblock generation functions. + + * lib/krb5/encrypt.c: Use functions from checksum.c. + + * lib/krb5/checksum.c: Move checksum functions here. Add + krb5_cksumsize function. + +Wed Jul 9 01:15:38 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_host_realm.c: implemented + + * lib/krb5/config_file.c: Redid part. New functions: + krb5_config_v?get_next + + * kuser/kdestroy.c: new program + + * kuser/kinit.c: new flag `-f' + + * lib/asn1/k5.asn1: Made HostAddresses = SEQUENCE OF HostAddress + + * acinclude.m4: Added AC_KRB_STRUCT_SOCKADDR_SA_LEN + + * lib/krb5/krb5.h: krb5_addresses == HostAddresses. Changed all + users. + + * lib/krb5/get_addrs.c: figure out all local addresses, possibly + even IPv6! + + * lib/krb5/checksum.c: table-driven checksum + +Mon Jul 7 21:13:28 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/encrypt.c: Make krb5_decrypt use the same struct as + krb5_encrypt. 
+ +Mon Jul 7 11:15:51 1997 Assar Westerlund <assar@sics.se> + + * lib/roken/vsyslog.c: new file + + * lib/krb5/encrypt.c: add des-cbc-md4. + adjust krb5_encrypt and krb5_decrypt to reality + +Mon Jul 7 02:46:31 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/encrypt.c: Implement as a vector of function pointers. + + * lib/krb5/{decrypt,encrypt}.c: Implement des-cbc-crc, and + des-cbc-md5 in separate functions. + + * lib/krb5/krb5.h: Add more checksum and encryption types. + + * lib/krb5/krb5_locl.h: Add etype to krb5_decrypt. + +Sun Jul 6 23:02:59 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/[gs]et_default_realm.c, kuserok.c: new files + + * lib/krb5/config_file.[ch]: new c-based configuration reading + stuff + +Wed Jul 2 23:12:56 1997 Assar Westerlund <assar@sics.se> + + * configure.in: Set WFLAGS if using gcc + +Wed Jul 2 17:47:03 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/asn1/der_put.c (der_put_int): Return size correctly. + + * admin/ank.c: Be compatible with the asn1 principal format. + +Wed Jul 1 23:52:20 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/asn1: Now all decode_* and encode_* functions now take a + final size_t* argument, that they return the size in. Return + values are zero for success, and anything else (such as some + ASN1_* constant) for error. + +Mon Jun 30 06:08:14 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/keytab.c (krb5_kt_add_entry): change open mode to + O_WRONLY | O_APPEND + + * lib/krb5/get_cred.c: removed stale prototype for + `extract_ticket' and corrected call. + + * lib/asn1/gen_length.c (length_type): Make the length functions + for SequenceOf non-destructive + + * admin/ank.c (doit): Fix reading of `y/n'. + +Mon Jun 16 05:41:43 1997 Assar Westerlund <assar@sics.se> + + * lib/gssapi/wrap.c, unwrap.c: do encrypt and add sequence number + + * lib/gssapi/get_mic.c, verify_mic.c: Add sequence number. 
+ + * lib/gssapi/accept_sec_context.c (gss_accept_sec_context): Set + KRB5_AUTH_CONTEXT_DO_SEQUENCE. Verify 8003 checksum. + + * lib/gssapi/8003.c: New file. + + * lib/krb/krb5.h: Define a `krb_authenticator' as an ASN.1 + Authenticator. + + * lib/krb5/auth_context.c: New functions + `krb5_auth_setlocalseqnumber' and `krb5_auth_setremoteseqnumber' + +Tue Jun 10 00:35:54 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5: Preapre for use of some asn1-types. + + * lib/asn1/*.c (copy_*): Constness. + + * lib/krb5/krb5.h: Include asn1.h; krb5_data is now an + octet_string. + + * lib/asn1/der*,gen.c: krb5_data -> octet_string, char * -> + general_string + + * lib/asn1/libasn1.h: Moved stuff from asn1_locl.h that doesn't + have anything to do with asn1_compile. + + * lib/asn1/asn1_locl.h: Remove der.h. Add some prototypes. + +Sun Jun 8 03:51:55 1997 Assar Westerlund <assar@sics.se> + + * kdc/kerberos5.c: Fix PA-ENC-TS-ENC + + * kdc/connect.c(process_request): Set `new' + + * lib/krb5/get_in_tkt.c: Do PA-ENC-TS-ENC the correct way. + + * lib: Added editline,sl,roken. + +Mon Jun 2 00:37:48 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/fcache.c: Move file cache from cache.c. + + * lib/krb5/cache.c: Allow more than one cache type. + +Sun Jun 1 23:45:33 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * admin/extkeytab.c: Merged with kdb_edit. + +Sun Jun 1 23:23:08 1997 Assar Westerlund <assar@sics.se> + + * kdc/kdc.c: more support for ENC-TS-ENC + + * lib/krb5/get_in_tkt.c: redone to enable pre-authentication + +Sun Jun 1 22:45:11 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/hdb/db.c: Merge fetch and store. + + * admin: Merge to one program. + + * lib/krb5/str2key.c: Fill in keytype and length. 
+ +Sun Jun 1 16:31:23 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/rd_safe.c, lib/krb5/rd_priv.c, lib/krb5/mk_rep.c, + lib/krb5/mk_priv.c, lib/krb5/build_auth.c: Some support for + KRB5_AUTH_CONTEXT_DO_SEQUENCE + + * lib/krb5/get_in_tkt.c (get_in_tkt): be prepared to parse an + KRB_ERROR. Some support for PA_ENC_TS_ENC. + + * lib/krb5/auth_context.c: implemented seq_number functions + + * lib/krb5/generate_subkey.c, generate_seq_number.c: new files + + * lib/gssapi/gssapi.h: avoid including <krb5.h> + + * lib/asn1/Makefile.am: SUFFIXES as a variable to make automake + happy + + * kdc/kdc.c: preliminary PREAUTH_ENC_TIMESTAMP + + * configure.in: adapted to automake 1.1p + +Mon May 26 22:26:21 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/principal.c: Add contexts to many functions. + +Thu May 15 20:25:37 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/verify_user.c: First stab at a verify user. + + * lib/auth/sia/sia5.c: SIA module for Kerberos 5. + +Mon Apr 14 00:09:03 1997 Assar Westerlund <assar@sics.se> + + * lib/gssapi: Enough of a gssapi-over-krb5 implementation to be + able to (mostly) run gss-client and gss-server. + + * lib/krb5/keytab.c: implemented krb5_kt_add_entry, + krb5_kt_store_principal, krb5_kt_store_keyblock + + * lib/des/md5.[ch], sha.[ch]: new files + + * lib/asn1/der_get.c (generalizedtime2time): use `timegm' + + * lib/asn1/timegm.c: new file + + * admin/extkeytab.c: new program + + * admin/admin_locl.h: new file + + * admin/Makefile.am: Added extkeytab + + * configure.in: moved config to include + removed timezone garbage + added lib/gssapi and admin + + * Makefile.am: Added admin + +Mon Mar 17 11:34:05 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * kdc/kdc.c: Use new copying functions, and free some data. + + * lib/asn1/Makefile.am: Try to not always rebuild generated files. + + * lib/asn1/der_put.c: Add fix_dce(). + + * lib/asn1/der_{get,length,put}.c: Fix include files. 
+ + * lib/asn1/der_free.c: Remove unused functions. + + * lib/asn1/gen.c: Split into gen_encode, gen_decode, gen_free, + gen_length, and gen_copy. + +Sun Mar 16 18:13:52 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/sendauth.c: implemented functionality + + * lib/krb5/rd_rep.c: Use `krb5_decrypt' + + * lib/krb5/cache.c (krb5_cc_get_name): return default if `id' == + NULL + + * lib/krb5/principal.c (krb5_free_principal): added `context' + argument. Changed all callers. + + (krb5_sname_to_principal): new function + + * lib/krb5/auth_context.c (krb5_free_authenticator): add `context' + argument. Changed all callers + + * lib/krb5/{net_write.c,net_read.c,recvauth.c}: new files + + * lib/asn1/gen.c: Fix encoding and decoding of BitStrings + +Fri Mar 14 11:29:00 1997 Assar Westerlund <assar@sics.se> + + * configure.in: look for *dbm? + + * lib/asn1/gen.c: Fix filename in generated files. Check fopens. + Put trailing newline in asn1_files. + +Fri Mar 14 05:06:44 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/get_in_tkt.c: Fix some memory leaks. + + * lib/krb5/krbhst.c: Properly free hostlist. + + * lib/krb5/decrypt.c: CRCs are 32 bits. + +Fri Mar 14 04:39:15 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/asn1/gen.c: Generate one file for each type. + +Fri Mar 14 04:13:47 1997 Assar Westerlund <assar@sics.se> + + * lib/asn1/gen.c: Generate `length_FOO' functions + + * lib/asn1/der_length.c: new file + + * kuser/klist.c: renamed stime -> printable_time to avoid conflict + on HP/UX + +Fri Mar 14 03:37:23 1997 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/hdb/ndbm.c: Return NOENTRY if fetch fails. Don't free + datums. Don't add .db to filename. + +Fri Mar 14 02:49:51 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * kdc/dump.c: Database dump program. + + * kdc/ank.c: Trivial database editing program. + + * kdc/{kdc.c, load.c}: Use libhdb. + + * lib/hdb: New database routine library. + + * lib/krb5/error/Makefile.am: Add hdb_err. 
+ +Wed Mar 12 17:41:14 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * kdc/kdc.c: Rewritten AS, and somewhat more working TGS support. + + * lib/asn1/gen.c: Generate free functions. + + * Some specific free functions. + +Wed Mar 12 12:30:13 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/krb5_mk_req_ext.c: new file + + * lib/asn1/gen.c: optimize the case with a simple type + + * lib/krb5/get_cred.c (krb5_get_credentials): Use + `mk_req_extended' and remove old code. + + * lib/krb5/get_in_tkt.c (decrypt_tkt): First try with an + EncASRepPart, then with an EncTGSRepPart. + +Wed Mar 12 08:26:04 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/store_emem.c: New resizable memory storage. + + * lib/krb5/{store.c, store_fd.c, store_mem.c}: Split of store.c + + * lib/krb5/krb5.h: Add free entry to krb5_storage. + + * lib/krb5/decrypt.c: Make keyblock const. + +Tue Mar 11 20:22:17 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/krb5.h: Add EncTicketPart to krb5_ticket. + + * lib/krb5/rd_req.c: Return whole asn.1 ticket in + krb5_ticket->tkt. + + * lib/krb5/get_in_tkt.c: TGS -> AS + + * kuser/kfoo.c: Print error string rather than number. + + * kdc/kdc.c: Some kind of non-working TGS support. + +Mon Mar 10 01:43:22 1997 Assar Westerlund <assar@sics.se> + + * lib/asn1/gen.c: reduced generated code by 1/5 + + * lib/asn1/der_put.c: (der_put_length_and_tag): new function + + * lib/asn1/der_get.c (der_match_tag_and_length): new function + + * lib/asn1/der.h: added prototypes + +Mon Mar 10 01:15:43 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/krb5.h: Include <asn1_err.h>. Add prototype for + krb5_rd_req_with_keyblock. + + * lib/krb5/rd_req.c: Add function krb5_rd_req_with_keyblock that + takes a precomputed keyblock. + + * lib/krb5/get_cred.c: Use krb5_mk_req rather than inlined code. + + * lib/krb5/mk_req.c: Calculate checksum of in_data. 
+ +Sun Mar 9 21:17:58 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/error/compile_et.awk: Add a declaration of struct + error_list, and multiple inclusion block to header files. + +Sun Mar 9 21:01:12 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/rd_req.c: do some checks on times + + * lib/krb/{mk_priv.c, rd_priv.c, sendauth.c, decrypt.c, + address.c}: new files + + * lib/krb5/auth_context.c: more code + + * configure.in: try to figure out timezone + +Sat Mar 8 11:41:07 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/error/error.c: Try strerror if error code wasn't found. + + * lib/krb5/get_in_tkt.c: Remove realm parameter from + krb5_get_salt. + + * lib/krb5/context.c: Initialize error table. + + * kdc: The beginnings of a kdc. + +Sat Mar 8 08:16:28 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/rd_safe.c: new file + + * lib/krb5/checksum.c (krb5_verify_checksum): New function + + * lib/krb5/get_cred.c: use krb5_create_checksum + + * lib/krb5/checksum.c: new file + + * lib/krb5/store.c: no more arithmetic with void* + + * lib/krb5/cache.c: now seems to work again + +Sat Mar 8 06:58:09 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/Makefile.am: Add asn1_glue.c and error/*.c to libkrb5. + + * lib/krb5/get_in_tkt.c: Moved some functions to asn1_glue.c. + + * lib/krb5/asn1_glue.c: Moved some asn1-stuff here. + + * lib/krb5/{cache,keytab}.c: Use new storage functions. + + * lib/krb5/krb5.h: Protypes for new storage functions. + + * lib/krb5/krb5.h: Make krb5_{ret,store}_* functions able to write + data to more than file descriptors. + +Sat Mar 8 01:01:17 1997 Assar Westerlund <assar@sics.se> + + * lib/krb5/encrypt.c: New file. + + * lib/krb5/Makefile.am: More -I + + * configure.in: Test for big endian, random, rand, setitimer + + * lib/asn1/gen.c: perhaps even decodes bitstrings + +Thu Mar 6 19:05:29 1997 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/config_file.y: Better return values on error. 
+ +Sat Feb 8 15:59:56 1997 Assar Westerlund <assar@pdc.kth.se> + + * lib/asn1/parse.y: ifdef HAVE_STRDUP + + * lib/asn1/lex.l: ifdef strdup + brange-dead version of list of special characters to make stupid + lex accept it. + + * lib/asn1/gen.c: A DER integer should really be a `unsigned' + + * lib/asn1/der_put.c: A DER integer should really be a `unsigned' + + * lib/asn1/der_get.c: A DER integer should really be a `unsigned' + + * lib/krb5/error/Makefile.am: It seems "$(SHELL) ./compile_et" is + needed. + + * lib/krb/mk_rep.c, lib/krb/rd_req.c, lib/krb/store.c, + lib/krb/store.h: new files. + + * lib/krb5/keytab.c: now even with some functionality. + + * lib/asn1/gen.c: changed paramater from void * to Foo * + + * lib/asn1/der_get.c (der_get_octet_string): Fixed bug with empty + string. + +Sun Jan 19 06:17:39 1997 Assar Westerlund <assar@pdc.kth.se> + + * lib/krb5/get_cred.c (krb5_get_credentials): Check for creds in + cc before getting new ones. + + * lib/krb5/krb5.h (krb5_free_keyblock): Fix prototype. + + * lib/krb5/build_auth.c (krb5_build_authenticator): It seems the + CRC should be stored LSW first. (?) + + * lib/krb5/auth_context.c: Implement `krb5_auth_con_getkey' and + `krb5_free_keyblock' + + * lib/**/Makefile.am: Rename foo libfoo.a + + * include/Makefile.in: Use test instead of [ + -e does not work with /bin/sh on psoriasis + + * configure.in: Search for awk + create lib/krb/error/compile_et + +Tue Jan 14 03:46:26 1997 Assar Westerlund <assar@pdc.kth.se> + + * lib/krb5/Makefile.am: replaced mit-crc.c by crc.c + +Wed Dec 18 00:53:55 1996 Johan Danielsson <joda@emma.pdc.kth.se> + + * kuser/kinit.c: Guess principal. + + * lib/krb5/error/compile_et.awk: Don't include krb5.h. Fix some + warnings. + + * lib/krb5/error/asn1_err.et: Add ASN.1 error messages. + + * lib/krb5/mk_req.c: Get client from cache. + + * lib/krb5/cache.c: Add better error checking some useful return + values. + + * lib/krb5/krb5.h: Fix krb5_auth_context. 
+ + * lib/asn1/der.h: Make krb5_data compatible with krb5.h + +Tue Dec 17 01:32:36 1996 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/error: Add primitive error library. + +Mon Dec 16 16:30:20 1996 Johan Danielsson <joda@emma.pdc.kth.se> + + * lib/krb5/cache.c: Get correct address type from cache. + + * lib/krb5/krb5.h: Change int16 to int to be compatible with asn1. + diff --git a/third_party/heimdal/ChangeLog.1999 b/third_party/heimdal/ChangeLog.1999 new file mode 100644 index 0000000..e022b96 --- /dev/null +++ b/third_party/heimdal/ChangeLog.1999 
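Review bot: the tail of the ChangeLog.1998 hunk carries upstream misspellings verbatim ("Preapre for use of some asn1-types", "Protypes for new storage functions", "changed paramater from void * to Foo *"), and they should stay that way. This file is added under third_party/heimdal as historical text, so keep it byte-identical to the upstream copy instead of correcting entries locally; any local touch-up would show up as spurious differences on the next import. Stating in the commit message that these ChangeLog files are unmodified upstream content would make that expectation explicit for later reviewers.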
@@ -0,0 +1,2194 @@ +1999-12-30 Assar Westerlund <assar@sics.se> + + * configure.in (krb4): use `-ldes' in tests + +1999-12-26 Assar Westerlund <assar@sics.se> + + * lib/hdb/print.c (event2string): handle events without principal. + From Luke Howard <lukeh@PADL.COM> + +1999-12-25 Assar Westerlund <assar@sics.se> + + * Release 0.2j + +Tue Dec 21 18:03:17 1999 Assar Westerlund <assar@sics.se> + + * lib/hdb/Makefile.am (asn1_files): add $(EXEEXT) for cygwin and + related systems + + * lib/asn1/Makefile.am (asn1_files): add $(EXEEXT) for cygwin and + related systems + + * include/Makefile.am (krb5-types.h): add $(EXEEXT) for cygwin and + related systems + +1999-12-20 Assar Westerlund <assar@sics.se> + + * Release 0.2i + +1999-12-20 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to 6:3:1 + + * lib/krb5/send_to_kdc.c (send_via_proxy): free data + * lib/krb5/send_to_kdc.c (send_via_proxy): new function use + getaddrinfo instead of gethostbyname{,2} + * lib/krb5/get_for_creds.c: use getaddrinfo instead of + getnodebyname{,2} + +1999-12-17 Assar Westerlund <assar@sics.se> + + * Release 0.2h + +1999-12-17 Assar Westerlund <assar@sics.se> + + * Release 0.2g + +1999-12-16 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am: bump version to 6:2:1 + + * lib/krb5/principal.c (krb5_sname_to_principal): handle + ai_canonname not being set + * lib/krb5/expand_hostname.c (krb5_expand_hostname): handle + ai_canonname not being set + + * appl/test/uu_server.c: print messages to stderr + * appl/test/tcp_server.c: print messages to stderr + * appl/test/nt_gss_server.c: print messages to stderr + * appl/test/gssapi_server.c: print messages to stderr + + * appl/test/tcp_client.c (proto): remove shadowing `context' + * appl/test/common.c (client_doit): add forgotten ntohs + +1999-12-13 Assar Westerlund <assar@sics.se> + + * configure.in (VERISON): bump to 0.2g-pre + +1999-12-12 Assar Westerlund <assar@sics.se> + + * lib/krb5/principal.c 
(krb5_425_conv_principal_ext): be more + robust and handle extra dot at the beginning of default_domain + +1999-12-12 Assar Westerlund <assar@sics.se> + + * Release 0.2f + +1999-12-12 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am: bump version to 6:1:1 + + * lib/krb5/changepw.c (get_kdc_address): use + `krb5_get_krb_changepw_hst' + + * lib/krb5/krbhst.c (krb5_get_krb_changepw_hst): add + + * lib/krb5/get_host_realm.c: add support for _kerberos.domain + (according to draft-ietf-cat-krb-dns-locate-01.txt) + +1999-12-06 Assar Westerlund <assar@sics.se> + + * Release 0.2e + +1999-12-06 Assar Westerlund <assar@sics.se> + + * lib/krb5/changepw.c (krb5_change_password): use the correct + address + + * lib/krb5/Makefile.am: bump version to 6:0:1 + + * lib/asn1/Makefile.am: bump version to 1:4:0 + +1999-12-04 Assar Westerlund <assar@sics.se> + + * configure.in: move AC_KRB_IPv6 to make sure it's performed + before AC_BROKEN + (el_init): use new feature of AC_FIND_FUNC_NO_LIBS + + * appl/test/uu_client.c: use client_doit + * appl/test/test_locl.h (client_doit): add prototype + * appl/test/tcp_client.c: use client_doit + * appl/test/nt_gss_client.c: use client_doit + * appl/test/gssapi_client.c: use client_doit + * appl/test/common.c (client_doit): move identical code here and + start using getaddrinfo + + * appl/kf/kf.c (doit): rewrite to use getaddrinfo + * kdc/hprop.c: re-write to use getaddrinfo + * lib/krb5/principal.c (krb5_sname_to_principal): use getaddrinfo + * lib/krb5/expand_hostname.c (krb5_expand_hostname): use + getaddrinfo + * lib/krb5/changepw.c: re-write to use getaddrinfo + * lib/krb5/addr_families.c (krb5_parse_address): use getaddrinfo + +1999-12-03 Assar Westerlund <assar@sics.se> + + * configure.in (BROKEN): check for freeaddrinfo, getaddrinfo, + getnameinfo, gai_strerror + (socklen_t): check for + +1999-12-02 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/crypto.c: ARCFOUR_set_key -> RC4_set_key + +1999-11-23 Assar Westerlund 
<assar@sics.se> + + * lib/krb5/crypto.c (ARCFOUR_string_to_key): change order of bytes + within unicode characters. this should probably be done in some + arbitrarly complex way to do it properly and you would have to + know what character encoding was used for the password and salt + string. + + * lib/krb5/addr_families.c (ipv4_uninteresting): ignore 0.0.0.0 + (INADDR_ANY) + (ipv6_uninteresting): remove unused macro + +1999-11-22 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5.h: rc4->arcfour + + * lib/krb5/crypto.c: rc4->arcfour + +1999-11-17 Assar Westerlund <assar@sics.se> + + * lib/krb5/krb5_locl.h: add <rc4.h> + * lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_RC4 + * lib/krb5/crypto.c: some code for doing RC4/MD5/HMAC which might + not be totally different from some small company up in the + north-west corner of the US + + * lib/krb5/get_addrs.c (find_all_addresses): change code to + actually increment buf_size + +1999-11-14 Assar Westerlund <assar@sics.se> + + * lib/krb5/krb5.h (krb5_context_data): add `scan_interfaces' + * lib/krb5/get_addrs.c (krb5_get_all_client_addrs): make interaces + scanning optional + * lib/krb5/context.c (init_context_from_config_file): set + `scan_interfaces' + + * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add add_et_list.c + * lib/krb5/add_et_list.c (krb5_add_et_list): new function + +1999-11-12 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_default_realm.c (krb5_get_default_realm, + krb5_get_default_realms): set realms if they were unset + * lib/krb5/context.c (init_context_from_config_file): don't + initialize default realms here. it's done lazily instead. + + * lib/krb5/krb5.h (KRB5_TC_*): make constants unsigned + * lib/asn1/gen_glue.c (generate_2int, generate_units): make sure + bit constants are unsigned + * lib/asn1/gen.c (define_type): make length in sequences be + unsigned. 
+ + * configure.in: remove duplicate test for setsockopt test for + struct tm.tm_isdst + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): generate + preauthentication information if we get back ERR_PREAUTH_REQUIRED + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): remove + preauthentication generation code. it's now in krb5_get_in_cred + + * configure.in (AC_BROKEN_SNPRINTF): add strptime check for struct + tm.tm_gmtoff and timezone + +1999-11-11 Johan Danielsson <joda@pdc.kth.se> + + * kdc/main.c: make this work with multi-db + + * kdc/kdc_locl.h: make this work with multi-db + + * kdc/config.c: make this work with multi-db + +1999-11-09 Johan Danielsson <joda@pdc.kth.se> + + * kdc/misc.c: update for multi-database code + + * kdc/main.c: update for multi-database code + + * kdc/kdc_locl.h: update + + * kdc/config.c: allow us to have more than one database + +1999-11-04 Assar Westerlund <assar@sics.se> + + * Release 0.2d + + * lib/krb5/Makefile.am: bump version to 5:0:0 to be safe + (krb5_context_data has changed and some code do (might) access + fields directly) + + * lib/krb5/krb5.h (krb5_context_data): add `etypes_des' + + * lib/krb5/get_cred.c (init_tgs_req): use + krb5_keytype_to_enctypes_default + + * lib/krb5/crypto.c (krb5_keytype_to_enctypes_default): new + function + + * lib/krb5/context.c (set_etypes): new function + (init_context_from_config_file): set both `etypes' and `etypes_des' + +1999-11-02 Assar Westerlund <assar@sics.se> + + * configure.in (VERSION): bump to 0.2d-pre + +1999-10-29 Assar Westerlund <assar@sics.se> + + * lib/krb5/principal.c (krb5_parse_name): check memory allocations + +1999-10-28 Assar Westerlund <assar@sics.se> + + * Release 0.2c + + * lib/krb5/dump_config.c (print_tree): check for empty tree + + * lib/krb5/string-to-key-test.c (tests): update the test cases + with empty principals so that they actually use an empty realm and + not the default. 
use the correct etype for 3DES + + * lib/krb5/Makefile.am: bump version to 4:1:0 + + * kdc/config.c (configure): more careful with the port string + +1999-10-26 Assar Westerlund <assar@sics.se> + + * Release 0.2b + +1999-10-20 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am: bump version to 4:0:0 + (krb524_convert_creds_kdc and potentially some other functions + have changed prototypes) + + * lib/hdb/Makefile.am: bump version to 4:0:1 + + * lib/asn1/Makefile.am: bump version to 1:3:0 + + * configure.in (LIB_roken): add dbopen. getcap in roken + references dbopen and with shared libraries we need to add this + dependency. + + * lib/krb5/verify_krb5_conf.c (main): support speicifying the + configuration file to test on the command line + + * lib/krb5/config_file.c (parse_binding): handle line with no + whitespace before = + (krb5_config_parse_file_debug): set lineno earlier so that we don't + use it unitialized + + * configure.in (AM_INIT_AUTOMAKE): bump to 0.2b-pre opt*: need + more include files for these tests + + * lib/krb5/set_default_realm.c (krb5_set_default_realm): use + krb5_config_get_strings, which means that your configuration file + should look like: + + [libdefaults] + default_realm = realm1 realm2 realm3 + + * lib/krb5/set_default_realm.c (config_binding_to_list): fix + copy-o. From Michal Vocu <michal@karlin.mff.cuni.cz> + + * kdc/config.c (configure): add a missing strdup. From Michal + Vocu <michal@karlin.mff.cuni.cz> + +1999-10-17 Assar Westerlund <assar@sics.se> + + * Release 0.2a + + * configure.in: only test for db.h with using berkeley_db. remember + to link with LIB_tgetent when checking for el_init. 
add xnlock + + * appl/Makefile.am: add xnlock + + * kdc/kerberos5.c (find_etype): support null keys + + * kdc/kerberos4.c (get_des_key): support null keys + + * lib/krb5/crypto.c (krb5_get_wrapped_length): more correct + calculation + +1999-10-16 Johan Danielsson <joda@pdc.kth.se> + + * kuser/kinit.c (main): pass ccache to krb524_convert_creds_kdc + +1999-10-12 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/crypto.c (krb5_enctype_to_keytype): remove warning + +1999-10-10 Assar Westerlund <assar@sics.se> + + * lib/krb5/mk_req.c (krb5_mk_req): use krb5_free_host_realm + + * lib/krb5/krb5.h (krb5_ccache_data): make `ops' const + + * lib/krb5/crypto.c (krb5_string_to_salttype): new function + + * **/*.[ch]: const-ize + +1999-10-06 Assar Westerlund <assar@sics.se> + + * lib/krb5/creds.c (krb5_compare_creds): const-ify + + * lib/krb5/cache.c: clean-up and comment-up + + * lib/krb5/copy_host_realm.c (krb5_copy_host_realm): copy all the + strings + + * lib/krb5/verify_user.c (krb5_verify_user_lrealm): free the + correct realm part + + * kdc/connect.c (handle_tcp): things work much better when ret is + initialized + +1999-10-03 Assar Westerlund <assar@sics.se> + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): look at the + type of the session key + + * lib/krb5/crypto.c (krb5_enctypes_compatible_keys): spell + correctly + + * lib/krb5/creds.c (krb5_compare_creds): fix spelling of + krb5_enctypes_compatible_keys + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): get new + credentials from the KDC if the existing one doesn't have a DES + session key. 
+ + * lib/45/get_ad_tkt.c (get_ad_tkt): update to new + krb524_convert_creds_kdc + +1999-10-03 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/keytab_keyfile.c: make krb5_akf_ops const + + * lib/krb5/keytab_memory.c: make krb5_mkt_ops const + + * lib/krb5/keytab_file.c: make krb5_fkt_ops const + +1999-10-01 Assar Westerlund <assar@sics.se> + + * lib/krb5/config_file.c: rewritten to allow error messages + + * lib/krb5/Makefile.am (bin_PROGRAMS): add verify_krb5_conf + (libkrb5_la_SOURCES): add config_file_netinfo.c + + * lib/krb5/verify_krb5_conf.c: new program for verifying that + krb5.conf is corret + + * lib/krb5/config_file_netinfo.c: moved netinfo code here from + config_file.c + +1999-09-28 Assar Westerlund <assar@sics.se> + + * kdc/hpropd.c (dump_krb4): kludge default_realm + + * lib/asn1/check-der.c: add test cases for Generalized time and + make sure we return the correct value + + * lib/asn1/der_put.c: simplify by using der_put_length_and_tag + + * lib/krb5/verify_user.c (krb5_verify_user_lrealm): ariant of + krb5_verify_user that tries in all the local realms + + * lib/krb5/set_default_realm.c: add support for having several + default realms + + * lib/krb5/kuserok.c (krb5_kuserok): use `krb5_get_default_realms' + + * lib/krb5/get_default_realm.c (krb5_get_default_realms): add + + * lib/krb5/krb5.h (krb5_context_data): change `default_realm' to + `default_realms' + + * lib/krb5/context.c: change from `default_realm' to + `default_realms' + + * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use + krb5_get_default_realms + + * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add copy_host_realm.c + + * lib/krb5/copy_host_realm.c: new file + +1999-09-27 Johan Danielsson <joda@pdc.kth.se> + + * lib/asn1/der_put.c (encode_generalized_time): encode length + + * lib/krb5/recvauth.c: new function `krb5_recvauth_match_version' + that allows more intelligent matching of the application version + +1999-09-26 Assar Westerlund <assar@sics.se> + + * 
lib/asn1/asn1_print.c: add err.h + + * kdc/config.c (configure): use parse_bytes + + * appl/test/nt_gss_common.c: use the correct header file + +1999-09-24 Johan Danielsson <joda@pdc.kth.se> + + * kuser/klist.c: add a `--cache' flag + + * kuser/kinit.c (main): only get default value for `get_v4_tgt' if + it's explicitly set in krb5.conf + +1999-09-23 Assar Westerlund <assar@sics.se> + + * lib/asn1/asn1_print.c (tag_names); add another univeral tag + + * lib/asn1/der.h: update universal tags + +1999-09-22 Assar Westerlund <assar@sics.se> + + * lib/asn1/asn1_print.c (loop): print length of octet string + +1999-09-21 Johan Danielsson <joda@pdc.kth.se> + + * admin/ktutil.c (kt_get): add `--help' + +1999-09-21 Assar Westerlund <assar@sics.se> + + * kuser/Makefile.am: add kdecode_ticket + + * kuser/kdecode_ticket.c: new debug program + + * appl/test/nt_gss_server.c: new program to test against `Sample * + SSPI Code' in Windows 2000 RC1 SDK. + + * appl/test/Makefile.am: add nt_gss_client and nt_gss_server + + * lib/asn1/der_get.c (decode_general_string): remember to advance + ret over the length-len + + * lib/asn1/Makefile.am: add asn1_print + + * lib/asn1/asn1_print.c: new program for printing DER-structures + + * lib/asn1/der_put.c: make functions more consistent + + * lib/asn1/der_get.c: make functions more consistent + +1999-09-20 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kerberos5.c: be more informative in pa-data error messages + +1999-09-16 Assar Westerlund <assar@sics.se> + + * configure.in: test for strlcpy, strlcat + +1999-09-14 Assar Westerlund <assar@sics.se> + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): return + KRB5_LIBOS_PWDINTR when interrupted + + * lib/krb5/get_in_tkt_pw.c (krb5_password_key_proc): check return + value from des_read_pw_string + + * kuser/kinit.c (main): don't print any error if reading the + password was interrupted + + * kpasswd/kpasswd.c (main): don't print any error if reading the + password was interrupted + + * 
kdc/string2key.c (main): check the return value from fgets + + * kdc/kstash.c (main): check return value from des_read_pw_string + + * admin/ktutil.c (kt_add): check the return-value from fgets and + overwrite the password for paranoid reasons + + * lib/krb5/keytab_keyfile.c (get_cell_and_realm): only remove the + newline if it's there + +1999-09-13 Assar Westerlund <assar@sics.se> + + * kdc/hpropd.c (main): remove bogus error with `--print'. remove + sysloging of number of principals transferred + + * kdc/hprop.c (ka_convert): set flags correctly for krbtgt/CELL + principals + (main): get rid of bogus opening of hdb database when propagating + ka-server database + +1999-09-12 Assar Westerlund <assar@sics.se> + + * lib/krb5/krb5_locl.h (O_BINARY): add fallback definition + + * lib/krb5/krb5.h (krb5_context_data): add keytab types + + * configure.in: revert back awk test, not worked around in + roken.awk + + * lib/krb5/keytab_krb4.c: remove O_BINARY + + * lib/krb5/keytab_keyfile.c: some support for AFS KeyFile's. 
From + Love <lha@e.kth.se> + + * lib/krb5/keytab_file.c: remove O_BINARY + + * lib/krb5/keytab.c: move the list of keytab types to the context + + * lib/krb5/fcache.c: remove O_BINARY + + * lib/krb5/context.c (init_context_from_config_file): register all + standard cache and keytab types + (krb5_free_context): free `kt_types' + + * lib/krb5/cache.c (krb5_cc_resolve): move the registration of the + standard types of credential caches to context + + * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_keyfile.c + +1999-09-10 Assar Westerlund <assar@sics.se> + + * lib/krb5/keytab.c: add comments and clean-up + + * admin/ktutil.c: add `ktutil copy' + + * lib/krb5/keytab_krb4.c: new file + + * lib/krb5/krb5.h (krb5_kt_cursor): add a `data' field + + * lib/krb5/Makefile.am: add keytab_krb4.c + + * lib/krb5/keytab.c: add krb4 and correct some if's + + * admin/srvconvert.c (srvconv): move common code + + * lib/krb5/krb5.h (krb5_fkt_ops, krb5_mkt_ops): new variables + + * lib/krb5/keytab.c: move out file and memory functions + + * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_file.c, + keytab_memory.c + + * lib/krb5/keytab_memory.c: new file + + * lib/krb5/keytab_file.c: new file + + * kpasswd/kpasswdd.c: move out password quality functions + +1999-09-07 Assar Westerlund <assar@sics.se> + + * lib/hdb/Makefile.am (libhdb_la_SOURCES): add keytab.c. From + Love <lha@e.kth.se> + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): check + return value from `krb5_sendto_kdc' + +1999-09-06 Assar Westerlund <assar@sics.se> + + * lib/krb5/send_to_kdc.c (send_and_recv): rename to recv_loop and + remove the sending of data. add a parameter `limit'. 
let callers + send the date themselves (and preferably with net_write on tcp + sockets) + (send_and_recv_tcp): read first the length field and then only that + many bytes + +1999-09-05 Assar Westerlund <assar@sics.se> + + * kdc/connect.c (handle_tcp): try to print warning `TCP data of + strange type' less often + + * lib/krb5/send_to_kdc.c (send_and_recv): handle EINTR properly. + return on EOF. always free data. check return value from + realloc. + (send_and_recv_tcp, send_and_recv_http): check advertised length + against actual length + +1999-09-01 Johan Danielsson <joda@pdc.kth.se> + + * configure.in: check for sgi capabilities + +1999-08-27 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/get_addrs.c: krb5_get_all_server_addrs shouldn't return + extra addresses + + * kpasswd/kpasswdd.c: use HDB keytabs; change some error messages; + add --realm flag + + * lib/krb5/address.c (krb5_append_addresses): remove duplicates + +1999-08-26 Johan Danielsson <joda@pdc.kth.se> + + * lib/hdb/keytab.c: HDB keytab backend + +1999-08-25 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/keytab.c + (krb5_kt_{start_seq_get,next_entry,end_seq_get}): check for NULL + pointer + +1999-08-24 Johan Danielsson <joda@pdc.kth.se> + + * kpasswd/kpasswdd.c: add `--keytab' flag + +1999-08-23 Assar Westerlund <assar@sics.se> + + * lib/krb5/addr_families.c (IN6_ADDR_V6_TO_V4): use `s6_addr' + instead of the non-standard `s6_addr32'. From Yoshinobu Inoue + <shin@kame.net> by way of the KAME repository + +1999-08-18 Assar Westerlund <assar@sics.se> + + * configure.in (--enable-new-des3-code): remove check for `struct + addrinfo' + + * lib/krb5/crypto.c (etypes): remove NEW_DES3_CODE, enable + des3-cbc-sha1 and keep old-des3-cbc-sha1 for backwards + compatability + + * lib/krb5/krb5.h (krb5_enctype): des3-cbc-sha1 (with key + derivation) just got assigned etype 16 by <bcn@isi.edu>. keep the + old etype at 7. 
+ +1999-08-16 Assar Westerlund <assar@sics.se> + + * lib/krb5/sendauth.c (krb5_sendauth): only look at errno if + krb5_net_read actually returns -1 + + * lib/krb5/recvauth.c (krb5_recvauth): only look at errno if + krb5_net_read actually returns -1 + + * appl/kf/kf.c (proto): don't trust errno if krb5_net_read hasn't + returned -1 + + * appl/test/tcp_server.c (proto): only trust errno if + krb5_net_read actually returns -1 + + * appl/kf/kfd.c (proto): be more careful with the return value + from krb5_net_read + +1999-08-13 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_addrs.c (get_addrs_int): try the different ways + sequentially instead of just one. this helps if your heimdal was + built with v6-support but your kernel doesn't have it, for + example. + +1999-08-12 Assar Westerlund <assar@sics.se> + + * kdc/hpropd.c: add inetd flag. default means try to figure out + if stdin is a socket or not. + + * Makefile.am (ACLOCAL): just use `cf', this variable is only used + when the current directory is $(top_srcdir) anyways and having + $(top_srcdir) there breaks if it's a relative path + +1999-08-09 Johan Danielsson <joda@pdc.kth.se> + + * configure.in: check for setproctitle + +1999-08-05 Assar Westerlund <assar@sics.se> + + * lib/krb5/principal.c (krb5_sname_to_principal): remember to call + freehostent + + * appl/test/tcp_client.c: call freehostent + + * appl/kf/kf.c (doit): call freehostent + + * appl/kf/kf.c: make v6 friendly and simplify + + * appl/kf/kfd.c: make v6 friendly and simplify + + * appl/test/tcp_server.c: simplify by using krb5_err instead of + errx + + * appl/test/tcp_client.c: simplify by using krb5_err instead of + errx + + * appl/test/tcp_server.c: make v6 friendly and simplify + + * appl/test/tcp_client.c: make v6 friendly and simplify + +1999-08-04 Assar Westerlund <assar@sics.se> + + * Release 0.1m + +1999-08-04 Assar Westerlund <assar@sics.se> + + * kuser/kinit.c (main): some more KRB4-conditionalizing + + * lib/krb5/get_in_tkt.c: type 
correctness + + * lib/krb5/get_for_creds.c (krb5_fwd_tgs_creds): set forwarded in + flags. From Miroslav Ruda <ruda@ics.muni.cz> + + * kuser/kinit.c (main): add config file support for forwardable + and krb4 support. From Miroslav Ruda <ruda@ics.muni.cz> + + * kdc/kerberos5.c (as_rep): add an empty X500-compress string as + transited. + (fix_transited_encoding): check length. + From Miroslav Ruda <ruda@ics.muni.cz> + + * kdc/hpropd.c (dump_krb4): check the realm so that we don't dump + principals in some other realm. From Miroslav Ruda + <ruda@ics.muni.cz> + (main): rename sa_len -> sin_len, sa_lan is a define on some + platforms. + + * appl/kf/kfd.c: add regpag support. From Miroslav Ruda + <ruda@ics.muni.cz> + + * appl/kf/kf.c: add `-G' and forwardable option in krb5.conf. + From Miroslav Ruda <ruda@ics.muni.cz> + + * lib/krb5/config_file.c (parse_list): don't run past end of line + + * appl/test/gss_common.h: new prototypes + + * appl/test/gssapi_client.c: use gss_err instead of abort + + * appl/test/gss_common.c (gss_verr, gss_err): add + +1999-08-03 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am (n_fold_test_LDADD): need to set this + otherwise it doesn't build with shared libraries + + * kdc/hpropd.c: v6-ify + + * kdc/hprop.c: v6-ify + +1999-08-01 Assar Westerlund <assar@sics.se> + + * lib/krb5/mk_req.c (krb5_mk_req): use krb5_expand_hostname + +1999-07-31 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_host_realm.c (krb5_get_host_realm_int): new + function that takes a FQDN + + * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add exapnd_hostname.c + + * lib/krb5/expand_hostname.c: new file + +1999-07-28 Assar Westerlund <assar@sics.se> + + * Release 0.1l + +1999-07-28 Assar Westerlund <assar@sics.se> + + * lib/asn1/Makefile.am: bump version to 1:2:0 + + * lib/krb5/Makefile.am: bump version to 3:1:0 + + * configure.in: more inet_pton to roken + + * lib/krb5/principal.c (krb5_sname_to_principal): use + getipnodebyname + +1999-07-26 Assar 
Westerlund <assar@sics.se> + + * Release 0.1k + +1999-07-26 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/Makefile.am: bump version number (changed function + signatures) + + * lib/hdb/Makefile.am: bump version number (changes to some + function signatures) + +1999-07-26 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am: bump version to 3:0:2 + + * lib/hdb/Makefile.am: bump version to 2:1:0 + + * lib/asn1/Makefile.am: bump version to 1:1:0 + +1999-07-26 Assar Westerlund <assar@sics.se> + + * Release 0.1j + +1999-07-26 Assar Westerlund <assar@sics.se> + + * configure.in: rokenize inet_ntop + + * lib/krb5/store_fd.c: lots of changes from size_t to ssize_t + + * lib/krb5/store_mem.c: lots of changes from size_t to ssize_t + + * lib/krb5/store_emem.c: lots of changes from size_t to ssize_t + + * lib/krb5/store.c: lots of changes from size_t to ssize_t + (krb5_ret_stringz): check return value from realloc + + * lib/krb5/mk_safe.c: some type correctness + + * lib/krb5/mk_priv.c: some type correctness + + * lib/krb5/krb5.h (krb5_storage): change return values of + functions from size_t to ssize_t + +1999-07-24 Assar Westerlund <assar@sics.se> + + * Release 0.1i + + * configure.in (AC_PROG_AWK): disable. 
mawk seems to mishandle \# + in lib/roken/roken.awk + + * lib/krb5/get_addrs.c (find_all_addresses): try to use SA_LEN to + step over addresses if there's no `sa_lan' field + + * lib/krb5/sock_principal.c (krb5_sock_to_principal): simplify by + using `struct sockaddr_storage' + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): simplify by using + `struct sockaddr_storage' + + * lib/krb5/changepw.c (krb5_change_password): simplify by using + `struct sockaddr_storage' + + * lib/krb5/auth_context.c (krb5_auth_con_setaddrs_from_fd): + simplify by using `struct sockaddr_storage' + + * kpasswd/kpasswdd.c (*): simplify by using `struct + sockaddr_storage' + + * kdc/connect.c (*): simplify by using `struct sockaddr_storage' + + * configure.in (sa_family_t): just test for existence + (sockaddr_storage): also specify include file + + * configure.in (AM_INIT_AUTOMAKE): bump version to 0.1i + (sa_family_t): test for + (struct sockaddr_storage): test for + + * kdc/hprop.c (propagate_database): typo, NULL should be + auth_context + + * lib/krb5/get_addrs.c: conditionalize on HAVE_IPV6 instead of + AF_INET6 + + * appl/kf/kf.c (main): use warnx + + * appl/kf/kf.c (proto): remove shadowing context + + * lib/krb5/get_addrs.c (find_all_addresses): try to handle the + case of getting back an `sockaddr_in6' address when sizeof(struct + sockaddr_in6) > sizeof(struct sockaddr) and we have no sa_len to + tell us how large the address is. This obviously doesn't work + with unknown protocol types. + +1999-07-24 Assar Westerlund <assar@sics.se> + + * Release 0.1h + +1999-07-23 Assar Westerlund <assar@sics.se> + + * appl/kf/kfd.c: clean-up and more paranoia + + * etc/services.append: add kf + + * appl/kf/kf.c: rename tk_file to ccache for consistency. clean-up + +1999-07-22 Assar Westerlund <assar@sics.se> + + * lib/krb5/n-fold-test.c (main): print the correct data + + * appl/Makefile.am (SUBDIRS): add kf + + * appl/kf: new program. 
From Miroslav Ruda <ruda@ics.muni.cz> + + * kdc/hprop.c: declare some variables unconditionally to simplify + things + + * kpasswd/kpasswdd.c: initialize kadm5 connection for every change + (otherwise the modifier in the database doesn't get set) + + * kdc/hpropd.c: clean-up and re-organize + + * kdc/hprop.c: clean-up and re-organize + + * configure.in (SunOS): define to xy for SunOS x.y + +1999-07-19 Assar Westerlund <assar@sics.se> + + * configure.in (AC_BROKEN): test for copyhostent, freehostent, + getipnodebyaddr, getipnodebyname + +1999-07-15 Assar Westerlund <assar@sics.se> + + * lib/asn1/check-der.c: more test cases for integers + + * lib/asn1/der_length.c (length_int): handle the case of the + largest negative integer by not calling abs + +1999-07-14 Assar Westerlund <assar@sics.se> + + * lib/asn1/check-der.c (generic_test): check malloc return value + properly + + * lib/krb5/Makefile.am: add string_to_key_test + + * lib/krb5/prog_setup.c (krb5_program_setup): always initialize + the context + + * lib/krb5/n-fold-test.c (main): return a relevant return value + + * lib/krb5/krbhst.c: do SRV lookups for admin server as well. + some clean-up. + +1999-07-12 Assar Westerlund <assar@sics.se> + + * configure.in: handle not building X programs + +1999-07-06 Assar Westerlund <assar@sics.se> + + * lib/krb5/addr_families.c (ipv6_parse_addr): remove duplicate + variable + (ipv6_sockaddr2port): fix typo + + * etc/services.append: beginning of a file with services + + * lib/krb5/cache.c (krb5_cc_resolve): fall-back to files if + there's no prefix. also clean-up a little bit. + + * kdc/hprop.c (--kaspecials): new flag for handling special KA + server entries. From "Brandon S. 
Allbery KF8NH" + <allbery@kf8nh.apk.net> + +1999-07-05 Assar Westerlund <assar@sics.se> + + * kdc/connect.c (handle_tcp): make sure we have data before + starting to look for HTTP + + * kdc/connect.c (handle_tcp): always do getpeername, we can't + trust recvfrom to return anything sensible + +1999-07-04 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_in_tkt.c (add_padat): encrypt pre-auth data with + all enctypes + + * kpasswd/kpasswdd.c (change): fetch the salt-type from the entry + + * admin/srvconvert.c (srvconv): better error messages + +1999-07-03 Assar Westerlund <assar@sics.se> + + * lib/krb5/principal.c (unparse_name): error check malloc properly + + * lib/krb5/get_in_tkt.c (krb5_init_etype): error check malloc + properly + + * lib/krb5/crypto.c (*): do some malloc return-value checks + properly + + * lib/hdb/hdb.c (hdb_process_master_key): simplify by using + krb5_data_alloc + + * lib/hdb/hdb.c (hdb_process_master_key): check return value from + malloc + + * lib/asn1/gen_decode.c (decode_type): fix generation of decoding + information for TSequenceOf. 
+ + * kdc/kerberos5.c (get_pa_etype_info): check return value from + malloc + +1999-07-02 Assar Westerlund <assar@sics.se> + + * lib/asn1/der_copy.c (copy_octet_string): don't fail if length == + 0 and malloc returns NULL + +1999-06-29 Assar Westerlund <assar@sics.se> + + * lib/krb5/addr_families.c (ipv6_parse_addr): implement + +1999-06-24 Assar Westerlund <assar@sics.se> + + * lib/krb5/rd_cred.c (krb5_rd_cred): compare the sender's address + as an addrport one + + * lib/krb5/krb5.h (KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_IPPORT): + add + (krb5_auth_context): add local and remote port + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): get the + local and remote address and add them to the krb-cred packet + + * lib/krb5/auth_context.c: save the local and remove ports in the + auth_context + + * lib/krb5/address.c (krb5_make_addrport): create an address of + type KRB5_ADDRESS_ADDRPORT from (addr, port) + + * lib/krb5/addr_families.c (krb5_sockaddr2port): new function for + grabbing the port number out of the sockaddr + +1999-06-23 Assar Westerlund <assar@sics.se> + + * admin/srvcreate.c (srvcreate): always take the DES-CBC-MD5 key. + increase possible verbosity. + + * lib/krb5/config_file.c (parse_list): handle blank lines at + another place + + * kdc/connect.c (add_port_string): don't return a value + + * lib/kadm5/init_c.c (get_cred_cache): you cannot reuse the cred + cache if the principals are different. close and NULL the old one + so that we create a new one. 
+ + * configure.in: move around cgywin et al + (LIB_kdb): set at the end of krb4-block + (krb4): test for krb_enable_debug and krb_disable_debug + +1999-06-16 Assar Westerlund <assar@sics.se> + + * kuser/kdestroy.c (main): try to destroy v4 ticket even if the + destruction of the v5 one fails + + * lib/krb5/crypto.c (DES3_postproc): new version that does the + right thing + (*): don't put and recover length in 3DES encoding + other small fixes + +1999-06-15 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_default_principal.c: rewrite to use + get_default_username + + * lib/krb5/Makefile.am: add n-fold-test + + * kdc/connect.c: add fallbacks for all lookups by service name + (handle_tcp): break-up and clean-up + +1999-06-09 Assar Westerlund <assar@sics.se> + + * lib/krb5/addr_families.c (ipv6_uninteresting): don't consider + the loopback address as uninteresting + + * lib/krb5/get_addrs.c: new magic flag to get loopback address if + there are no other addresses. + (krb5_get_all_client_addrs): use that flag + +1999-06-04 Assar Westerlund <assar@sics.se> + + * lib/krb5/crypto.c (HMAC_SHA1_DES3_checksum): don't include the + length + (checksum_sha1, checksum_hmac_sha1_des3): blocksize should be 64 + (encrypt_internal_derived): don't include the length and don't + decrease by the checksum size twice + (_get_derived_key): the constant should be 5 bytes + +1999-06-02 Johan Danielsson <joda@pdc.kth.se> + + * configure.in: use KRB_CHECK_X + + * configure.in: check for netinet/ip.h + +1999-05-31 Assar Westerlund <assar@sics.se> + + * kpasswd/kpasswdd.c (setup_passwd_quality_check): conditionalize + on RTLD_NOW + +1999-05-23 Assar Westerlund <assar@sics.se> + + * appl/test/uu_server.c: removed unused stuff + + * appl/test/uu_client.c: removed unused stuff + +1999-05-21 Assar Westerlund <assar@sics.se> + + * kuser/kgetcred.c (main): correct error message + + * lib/krb5/crypto.c (verify_checksum): call (*ct->checksum) + directly, avoiding redundant lookups and memory leaks + 
+ * lib/krb5/auth_context.c (krb5_auth_con_setaddrs_from_fd): free + local and remote addresses + + * lib/krb5/get_default_principal.c (get_logname): also try + $USERNAME + + * lib/asn1/Makefile.am (asn1_files): add $(EXEEXT) + + * lib/krb5/principal.c (USE_RESOLVER): try to define only if we + have a libresolv (currently by checking for res_search) + +1999-05-18 Johan Danielsson <joda@pdc.kth.se> + + * kdc/connect.c (handle_tcp): remove %-escapes in request + +1999-05-14 Assar Westerlund <assar@sics.se> + + * Release 0.1g + + * admin/ktutil.c (kt_remove): -t should be -e + + * configure.in (CHECK_NETINET_IP_AND_TCP): use + + * kdc/hpropd.c: support for dumping to krb4. From Miroslav Ruda + <ruda@ics.muni.cz> + + * admin/ktutil.c (kt_add): new option `--no-salt'. From Miroslav + Ruda <ruda@ics.muni.cz> + + * configure.in: add cygwin and DOS tests replace sendmsg, recvmsg, + and innetgr with roken versions + + * kuser/kgetcred.c: new program + +Tue May 11 14:09:33 1999 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/mcache.c: fix paste-o + +1999-05-10 Johan Danielsson <joda@pdc.kth.se> + + * configure.in: don't use uname + +1999-05-10 Assar Westerlund <assar@sics.se> + + * acconfig.h (KRB_PUT_INT): if we don't have KRB4 use four + arguments :-) + + * appl/test/uu_server.c (setsockopt): cast to get rid of a warning + + * appl/test/tcp_server.c (setsockopt): cast to get rid of a + warning + + * appl/test/tcp_client.c (proto): call krb5_sendauth with ccache + == NULL + + * appl/test/gssapi_server.c (setsockopt): cast to get rid of a + warning + + * lib/krb5/sendauth.c (krb5_sendauth): handle ccache == NULL by + setting the default ccache. 
+ + * configure.in (getsockopt, setsockopt): test for + (AM_INIT_AUTOMAKE): bump version to 0.1g + + * appl/Makefile.am (SUBDIRS): add kx + + * lib/hdb/convert_db.c (main): handle the case of no master key + +1999-05-09 Assar Westerlund <assar@sics.se> + + * Release 0.1f + + * kuser/kinit.c: add --noaddresses + + * lib/krb5/get_in_tkt.c (init_as_req): interpret `addrs' being an + empty sit of list as to not ask for any addresses. + +1999-05-08 Assar Westerlund <assar@sics.se> + + * acconfig.h (_GNU_SOURCE): define this to enable (used) + extensions on glibc-based systems such as linux + +1999-05-03 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_cred.c (get_cred_from_kdc_flags): allocate and free + `*out_creds' properly + + * lib/krb5/creds.c (krb5_compare_creds): just verify that the + keytypes/enctypes are compatible, not that they are the same + + * kuser/kdestroy.c (cache): const-correctness + +1999-05-03 Johan Danielsson <joda@pdc.kth.se> + + * lib/hdb/hdb.c (hdb_set_master_key): initialise master key + version + + * lib/hdb/convert_db.c: add support for upgrading database + versions + + * kdc/misc.c: add flags to fetch + + * kdc/kstash.c: unlink keyfile on failure, chmod to 400 + + * kdc/hpropd.c: add --print option + + * kdc/hprop.c: pass flags to hdb_foreach + + * lib/hdb/convert_db.c: add some flags + + * lib/hdb/Makefile.am: remove extra LDFLAGS, update version to 2; + build prototype headers + + * lib/hdb/hdb_locl.h: update prototypes + + * lib/hdb/print.c: move printable version of entry from kadmin + + * lib/hdb/hdb.c: change hdb_{seal,unseal}_* to check if the key is + sealed or not; add flags to hdb_foreach + + * lib/hdb/ndbm.c: add flags to NDBM_seq, NDBM_firstkey, and + NDBM_nextkey + + * lib/hdb/db.c: add flags to DB_seq, DB_firstkey, and DB_nextkey + + * lib/hdb/common.c: add flags to _hdb_{fetch,store} + + * lib/hdb/hdb.h: add master_key_version to struct hdb, update + prototypes + + * lib/hdb/hdb.asn1: make mkvno optional, update version to 
2 + + * configure.in: --enable-netinfo + + * lib/krb5/config_file.c: HAVE_NETINFO_NI_H -> HAVE_NETINFO + + * config.sub: fix for crays + + * config.guess: new version from automake 1.4 + + * config.sub: new version from automake 1.4 + +Wed Apr 28 00:21:17 1999 Assar Westerlund <assar@sics.se> + + * Release 0.1e + + * lib/krb5/mcache.c (mcc_get_next): get the current cursor + correctly + + * acconfig.h: correct definition of KRB_PUT_INT for old krb4 code. + From Ake Sandgren <ake@cs.umu.se> + +1999-04-27 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kerberos5.c: fix arguments to decrypt_ticket + +1999-04-25 Assar Westerlund <assar@sics.se> + + * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): try to handle old + DCE secd's that are not able to handle MD5 checksums by defaulting + to MD4 if the keytype was DES-CBC-CRC + + * lib/krb5/mk_req.c (krb5_mk_req): use auth_context->keytype + + * lib/krb5/krb5.h (krb5_auth_context_data): add `keytype' and + `cksumtype' + + * lib/krb5/get_cred.c (make_pa_tgs_req): remove old kludge for + secd + (init_tgs_req): add all supported enctypes for the keytype in + `in_creds->session.keytype' if it's set + + * lib/krb5/crypto.c (F_PSEUDO): new flag for non-protocol + encryption types + (do_checksum): new function + (verify_checksum): take the checksum to use from the checksum message + and not from the crypto struct + (etypes): add F_PSEUDO flags + (krb5_keytype_to_enctypes): new function + + * lib/krb5/auth_context.c (krb5_auth_con_init): initalize keytype + and cksumtype + (krb5_auth_setcksumtype, krb5_auth_getcksumtype): implement + (krb5_auth_setkeytype, krb5_auth_getkeytype): implement + (krb5_auth_setenctype): comment out, it's rather bogus anyway + +Sun Apr 25 16:55:50 1999 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5_locl.h: fix for stupid aix warnings + + * lib/krb5/fcache.c (erase_file): don't malloc + +Sat Apr 24 18:35:21 1999 Johan Danielsson <joda@pdc.kth.se> + + * kdc/config.c: pass context to 
krb5_config_file_free + + * kuser/kinit.c: add `--fcache-version' to set cache version to + create + + * kuser/klist.c: print cache version if verbose + + * lib/krb5/transited.c (krb5_domain_x500_decode): don't abort + + * lib/krb5/principal.c: abort -> krb5_abortx + + * lib/krb5/mk_rep.c: abort -> krb5_abortx + + * lib/krb5/config_file.c: abort -> krb5_abortx + + * lib/krb5/context.c (init_context_from_config_file): init + fcache_version; add krb5_{get,set}_fcache_version + + * lib/krb5/keytab.c: add support for reading (and writing?) old + version keytabs + + * lib/krb5/cache.c: add krb5_cc_get_version + + * lib/krb5/fcache.c: add support for reading and writing old + version cache files + + * lib/krb5/store_mem.c (krb5_storage_from_mem): zero flags + + * lib/krb5/store_emem.c (krb5_storage_emem): zero flags + + * lib/krb5/store_fd.c (krb5_storage_from_fd): zero flags + + * lib/krb5/store.c: add flags to change how various fields are + stored, used for old cache version support + + * lib/krb5/krb5.h: add support for reading and writing old version + cache files, and keytabs + +Wed Apr 21 00:09:26 1999 Assar Westerlund <assar@sics.se> + + * configure.in: fix test for readline.h remember to link with + $LIB_tgetent when trying linking with readline + + * lib/krb5/init_creds_pw.c (get_init_creds_common): if start_time + is given, request a postdated ticket. 
+ + * lib/krb5/data.c (krb5_data_free): free data as long as it's not + NULL + +Tue Apr 20 20:18:14 1999 Assar Westerlund <assar@sics.se> + + * kpasswd/Makefile.am (kpasswdd_LDADD): add LIB_dlopen + + * lib/krb5/krb5.h (KRB5_VERIFY_AP_REQ_IGNORE_INVALID): add + + * lib/krb5/rd_req.c (krb5_decrypt_ticket): add `flags` and + KRB5_VERIFY_AP_REQ_IGNORE_INVALID for ignoring that the ticket is + invalid + +Tue Apr 20 12:42:08 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * kpasswd/kpasswdd.c: don't try to load library by default; get + library and function name from krb5.conf + + * kpasswd/sample_passwd_check.c: sample password checking + functions + +Mon Apr 19 22:22:19 1999 Assar Westerlund <assar@sics.se> + + * lib/krb5/store.c (krb5_storage_to_data, krb5_ret_data): use + krb5_data_alloc and be careful with checking allocation and sizes. + + * kuser/klist.c (--tokens): conditionalize on KRB4 + + * kuser/kinit.c (renew_validate): set all flags + (main): fix cut-n-paste error when setting start-time + + * kdc/kerberos5.c (check_tgs_flags): starttime of a validate + ticket should be > than current time + (*): send flags to krb5_verify_ap_req and krb5_decrypt_ticket + + * kuser/kinit.c (renew_validate): use the client realm instead of + the local realm when renewing tickets. + + * lib/krb5/get_for_creds.c (krb5_fwd_tgs_creds): compat function + (krb5_get_forwarded_creds): correct freeing of out_creds + + * kuser/kinit.c (renew_validate): hopefully fix up freeing of + memory + + * configure.in: do all the krb4 tests with "$krb4" != "no" + + * lib/krb5/keyblock.c (krb5_free_keyblock_contents): don't zero + keyvalue if it's NULL. noticed by Ake Sandgren <ake@cs.umu.se> + + * lib/krb5/get_in_tkt.c (add_padata): loop over all enctypes + instead of just taking the first one. fix all callers. From + "Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net> + + * kdc/kdc_locl.h (enable_kaserver): declaration + + * kdc/hprop.c (ka_convert): print the failing principal. 
AFS 3.4a + creates krbtgt.REALMOFCELL as NOTGS+NOSEAL, work around. From + "Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net> + + * kdc/hpropd.c (open_socket): stupid cast to get rid of a warning + + * kdc/connect.c (add_standard_ports, process_request): look at + enable_kaserver. From "Brandon S. Allbery KF8NH" + <allbery@kf8nh.apk.net> + + * kdc/config.c: new flag --kaserver and config file option + enable-kaserver. From "Brandon S. Allbery KF8NH" + <allbery@kf8nh.apk.net> + +Mon Apr 19 12:32:04 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * configure.in: check for dlopen, and dlfcn.h + + * kpasswd/kpasswdd.c: add support for dlopen:ing password quality + check library + + * configure.in: add appl/su + +Sun Apr 18 15:46:53 1999 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/cache.c: add krb5_cc_get_type that returns type of a + cache + +Fri Apr 16 17:58:51 1999 Assar Westerlund <assar@sics.se> + + * configure.in: LIB_kdb: -L should be before -lkdb + test for prototype of strsep + +Thu Apr 15 11:34:38 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * lib/krb5/Makefile.am: update version + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use + ALLOC_SEQ + + * lib/krb5/fcache.c: add some support for reading and writing old + cache formats; + (fcc_store_cred): use krb5_store_creds; (fcc_read_cred): use + krb5_ret_creds + + * lib/krb5/store_mem.c (krb5_storage_from_mem): check malloc, + initialize host_byteorder + + * lib/krb5/store_fd.c (krb5_storage_from_fd): initialize + host_byteorder + + * lib/krb5/store_emem.c (krb5_storage_emem): initialize + host_byteorder + + * lib/krb5/store.c (krb5_storage_set_host_byteorder): add; + (krb5_store_int32,krb5_ret_int32,krb5_store_int16,krb5_ret_int16): + check host_byteorder flag; (krb5_store_creds): add; + (krb5_ret_creds): add + + * lib/krb5/krb5.h (krb5_storage): add `host_byteorder' flag for + storage of numbers + + * lib/krb5/heim_err.et: add `host not found' error + + * kdc/connect.c: don't use 
data after clearing decriptor + + * lib/krb5/auth_context.c: abort -> krb5_abortx + + * lib/krb5/warn.c: add __attribute__; add *abort functions + + * configure.in: check for __attribute__ + + * kdc/connect.c: log bogus requests + +Tue Apr 13 18:38:05 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * lib/kadm5/create_s.c (kadm5_s_create_principal): create v4 salts + for all DES keys + +1999-04-12 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_cred.c (init_tgs_req): re-structure a little bit + + * lib/krb5/get_cred.c (init_tgs_req): some more error checking + + * lib/krb5/generate_subkey.c (krb5_generate_subkey): check return + value from malloc + +Sun Apr 11 03:47:23 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * lib/krb5/krb5.conf.5: update to reality + + * lib/krb5/krb5_425_conv_principal.3: update to reality + +1999-04-11 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_host_realm.c: handle more than one realm for a host + + * kpasswd/kpasswd.c (main): use krb5_program_setup and + print_version + + * kdc/string2key.c (main): use krb5_program_setup and + print_version + +Sun Apr 11 02:35:58 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * lib/krb5/principal.c (krb5_524_conv_principal): make it actually + work, and check built-in list of host-type first-components + + * lib/krb5/krbhst.c: lookup SRV-records to find a kdc for a realm + + * lib/krb5/context.c: add srv_* flags to context + + * lib/krb5/principal.c: add default v4_name_convert entries + + * lib/krb5/krb5.h: add srv_* flags to context + +Sat Apr 10 22:52:28 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * kadmin/kadmin.c: complain about un-recognised commands + + * admin/ktutil.c: complain about un-recognised commands + +Sat Apr 10 15:41:49 1999 Assar Westerlund <assar@sics.se> + + * kadmin/load.c (doit): fix error message + + * lib/krb5/crypto.c (encrypt_internal): free checksum if lengths + fail to match. 
+ (krb5_get_wrapped_length): new function + + * configure.in: security/pam_modules.h: check for + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): kludge + around `ret_as_reply' semantics by only freeing it when ret == 0 + +Fri Apr 9 20:24:04 1999 Assar Westerlund <assar@sics.se> + + * kuser/klist.c (print_cred_verbose): handle the case of a bad + enctype + + * configure.in: test for more header files + (LIB_roken): set + +Thu Apr 8 15:01:59 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * configure.in: fixes for building w/o krb4 + + * ltmain.sh: update to libtool 1.2d + + * ltconfig: update to libtool 1.2d + +Wed Apr 7 23:37:26 1999 Assar Westerlund <assar@sics.se> + + * kdc/hpropd.c: fix some error messages to be more understandable. + + * kdc/hprop.c (ka_dump): remove unused variables + + * appl/test/tcp_server.c: remove unused variables + + * appl/test/gssapi_server.c: remove unused variables + + * appl/test/gssapi_client.c: remove unused variables + +Wed Apr 7 14:05:15 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * lib/krb5/context.c (krb5_get_err_text): long -> krb5_error_code + + * kuser/klist.c: make it compile w/o krb4 + + * kuser/kdestroy.c: make it compile w/o krb4 + + * admin/ktutil.c: fix {srv,key}2{srv,key}tab confusion; add help + strings + +Mon Apr 5 16:13:46 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * configure.in: test for MIPS ABI; new test_package + +Thu Apr 1 11:00:40 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * include/Makefile.am: clean krb5-private.h + + * Release 0.1d + + * kpasswd/kpasswdd.c (doit): pass context to + krb5_get_all_client_addrs + + * kdc/connect.c (init_sockets): pass context to + krb5_get_all_server_addrs + + * lib/krb5/get_in_tkt.c (init_as_req): pass context to + krb5_get_all_client_addrs + + * lib/krb5/get_cred.c (get_cred_kdc_la): pass context to + krb5_get_all_client_addrs + + * lib/krb5/get_addrs.c (get_addrs_int): add extra host addresses + + * lib/krb5/krb5.h: add support for 
adding an extra set of + addresses + + * lib/krb5/context.c: add support for adding an extra set of + addresses + + * lib/krb5/addr_families.c: add krb5_parse_address + + * lib/krb5/address.c: krb5_append_addresses + + * lib/krb5/config_file.c (parse_binding): don't zap everything + after first whitespace + + * kuser/kinit.c (renew_validate): don't allocate out + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): don't + allocate out_creds + + * lib/krb5/get_cred.c (get_cred_kdc, get_cred_kdc_la): make + out_creds pointer; + (krb5_get_kdc_cred): allocate out_creds; (get_cred_from_kdc_flags): + free more memory + + * lib/krb5/crypto.c (encrypt_internal): free checksum + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): free reply, + and ticket + + * kuser/Makefile.am: remove kfoo + + * lib/Makefile.am: add auth + + * lib/kadm5/iprop.h: getarg.h + + * lib/kadm5/replay_log.c: use getarg + + * lib/kadm5/ipropd_slave.c: use getarg + + * lib/kadm5/ipropd_master.c: use getarg + + * lib/kadm5/dump_log.c: use getarg + + * kpasswd/kpasswdd.c: use getarg + + * Makefile.am.common: make a more working check-local target + + * lib/asn1/main.c: use getargs + +Mon Mar 29 20:19:57 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * kuser/klist.c (print_cred_verbose): use krb5_print_address + + * lib/kadm5/server.c: k_{put,get}_int -> _krb5_{put,get}_int + + * lib/krb5/addr_families.c (krb5_print_address): handle unknown + address types; (ipv6_print_addr): print in 16-bit groups (as it + should) + + * lib/krb5/crc.c: crc_{init_table,update} -> + _krb5_crc_{init_table,update} + + * lib/krb5/crypto.c: k_{put,get}_int -> _krb5_{put,get}_int + crc_{init_table,update} -> _krb5_crc_{init_table,update} + + * lib/krb5/send_to_kdc.c: k_{put,get}_int -> _krb5_{put,get}_int + + * lib/krb5/store.c: k_{put,get}_int -> _krb5_{put,get}_int + + * lib/krb5/krb5_locl.h: include krb5-private.h + + * kdc/connect.c (addr_to_string): use krb5_print_address + + * lib/krb5/addr_families.c 
(krb5_print_address): int -> size_t + + * lib/krb5/addr_families.c: add support for printing ipv6 + addresses, either with inet_ntop, or ugly for-loop + + * kdc/524.c: check that the ticket came from a valid address; use + the address of the connection as the address to put in the v4 + ticket (if this address is AF_INET) + + * kdc/connect.c: pass addr to do_524 + + * kdc/kdc_locl.h: prototype for do_524 + +Sat Mar 27 17:48:31 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * configure.in: check for OSF C2; bind/bitypes.h, getudbnam, + setlim; check for auth modules; siad.h, getpwnam_r; + lib/auth/Makefile, lib/auth/sia/Makefile + + * lib/krb5/crypto.c: n_fold -> _krb5_n_fold + + * lib/krb5/n-fold.c: n_fold -> _krb5_n_fold + +Thu Mar 25 04:35:21 1999 Assar Westerlund <assar@sics.se> + + * lib/kadm5/set_keys.c (_kadm5_set_keys): free salt when zapping + it + + * lib/kadm5/free.c (kadm5_free_principal_ent): free `key_data' + + * lib/hdb/ndbm.c (NDBM_destroy): clear master key + + * lib/hdb/db.c (DB_destroy): clear master key + (DB_open): check malloc + + * kdc/connect.c (init_sockets): free addresses + + * kadmin/kadmin.c (main): make code more consistent. always free + configuration information. + + * kadmin/init.c (create_random_entry): free the entry + +Wed Mar 24 04:02:03 1999 Assar Westerlund <assar@sics.se> + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): + re-organize the code to always free `kdc_reply' + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): be more careful about + freeing memory + + * lib/krb5/fcache.c (fcc_destroy): don't call fcc_close + + * lib/krb5/crypto.c (krb5_crypto_destroy): free `crypto' + + * lib/hdb/hdb_locl.h: try db_185.h first in case db.h is a DB 2.0 + header + + * configure.in (db_185.h): check for + + * admin/srvcreate.c: new file. 
contributed by Daniel Kouril + <kouril@informatics.muni.cz> + + * admin/ktutil.c: srvcreate: new command + + * kuser/klist.c: add support for printing AFS tokens + + * kuser/kdestroy.c: add support for destroying v4 tickets and AFS + tokens. based on code by Love <lha@stacken.kth.se> + + * kuser/Makefile.am (kdestroy_LDADD, klist_LDADD): more libraries + + * configure.in: sys/ioccom.h: test for + + * kuser/klist.c (main): don't print `no ticket file' with --test. + 
From: Love <lha@e.kth.se> + + * kpasswd/kpasswdd.c (doit): more braces to make gcc happy + + * kdc/connect.c (init_socket): get rid of a stupid warning + + * include/bits.c (my_strupr): cast away some stupid warnings + +Tue Mar 23 14:34:44 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * lib/krb5/get_host_realm.c (krb5_get_host_realm): no infinite + loops, please + +Tue Mar 23 00:00:45 1999 Assar Westerlund <assar@sics.se> + + * lib/kadm5/Makefile.am (install_build_headers): recover from make + rewriting the names of the headers kludge to help solaris make + + * lib/krb5/Makefile.am: kludge to help solaris make + + * lib/hdb/Makefile.am: kludge to help solaris make + + * configure.in (LIB_kdb): make sure there's a -L option in here by + adding $(LIB_krb4) + + * lib/asn1/gen_glue.c (generate_2int, generate_int2): int -> + unsigned + + * configure.in (SunOS): set to a number KRB4, KRB5 conditionals: + remove the `dnl' to work around an automake flaw + +Sun Mar 21 15:08:49 1999 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/get_default_realm.c: char* -> krb5_realm + +Sun Mar 21 14:08:30 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * include/bits.c: <bind/bitypes.h> + + * lib/krb5/Makefile.am: create krb5-private.h + +Sat Mar 20 00:08:59 1999 Assar Westerlund <assar@sics.se> + + * configure.in (gethostname): remove duplicate + +Fri Mar 19 14:48:03 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * lib/hdb/Makefile.am: add version-info + + * lib/gssapi/Makefile.am: add version-info + + * lib/asn1/Makefile.am: use $(x:y=z) make syntax; move check-der + to check_PROGRAMS + + * lib/Makefile.am: add 45 + + * lib/kadm5/Makefile.am: split in client and server libraries + (breaks shared libraries otherwise) + +Thu Mar 18 11:33:30 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * include/kadm5/Makefile.am: clean a lot of header files (since + automake lacks a clean-hook) + + * include/Makefile.am: clean a lot of header files (since automake + lacks a 
clean-hook) + + * lib/kadm5/Makefile.am: fix build-installation of headers + + * lib/krb5/Makefile.am: remove include_dir hack + + * lib/hdb/Makefile.am: remove include_dir hack + + * lib/asn1/Makefile.am: remove include_dir hack + + * include/Makefile.am: remove include_dir hack + + * doc/whatis.texi: define sub for html + + * configure.in: LIB_kdb, have_err_h, have_fnmatch_h, have_glob_h + + * lib/asn1/Makefile.am: der.h + + * kpasswd/kpasswdd.c: admin.h -> kadm5/admin.h + + * kdc/Makefile.am: remove junk + + * kadmin/Makefile.am: sl.a -> sl.la + + * appl/afsutil/Makefile.am: remove EXTRA_bin_PROGRAMS + + * admin/Makefile.am: sl.a -> sl.la + + * configure.in: condition KRB5; AC_CHECK_XAU + + * Makefile.am: include Makefile.am.common + + * include/kadm5/Makefile.am: include Makefile.am.common; don't + install headers from here + + * include/Makefile.am: include Makefile.am.common; don't install + headers from here + + * doc/Makefile.am: include Makefile.am.common + + * lib/krb5/Makefile.am: include Makefile.am.common + + * lib/kadm5/Makefile.am: include Makefile.am.common + + * lib/hdb/Makefile.am: include Makefile.am.common + + * lib/gssapi/Makefile.am: include Makefile.am.common + + * lib/asn1/Makefile.am: include Makefile.am.common + + * lib/Makefile.am: include Makefile.am.common + + * lib/45/Makefile.am: include Makefile.am.common + + * kuser/Makefile.am: include Makefile.am.common + + * kpasswd/Makefile.am: include Makefile.am.common + + * kdc/Makefile.am: include Makefile.am.common + + * kadmin/Makefile.am: include Makefile.am.common + + * appl/test/Makefile.am: include Makefile.am.common + + * appl/afsutil/Makefile.am: include Makefile.am.common + + * appl/Makefile.am: include Makefile.am.common + + * admin/Makefile.am: include Makefile.am.common + +Wed Mar 17 03:04:38 1999 Assar Westerlund <assar@sics.se> + + * lib/krb5/store.c (krb5_store_stringz): braces fix + + * lib/kadm5/get_s.c (kadm5_s_get_principal): braces fix + + * lib/kadm5/ent_setup.c 
(_kadm5_setup_entry): braces fix + + * kdc/connect.c (loop): braces fix + + * lib/krb5/config_file.c: cast to unsigned char to make is* happy + + * lib/krb5/log.c (krb5_addlog_dest): more braces to make gcc happy + + * lib/krb5/crypto.c (krb5_verify_checksum): rename C -> cksum to + be consistent + + * kadmin/util.c (timeval2str): more braces to make gcc happy + + * kadmin/load.c: cast in is* to get rid of stupid warning + + * kadmin/dump.c (append_hex): cast in isalnum to get rid of stupid + warning + + * kdc/kaserver.c: malloc checks and fixes + + * lib/krb5/get_host_realm.c (krb5_get_host_realm): include leading + dot (if any) when looking up realms. + +Fri Mar 12 13:57:56 1999 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/get_host_realm.c: add dns support + + * lib/krb5/set_default_realm.c: use krb5_free_host_realm + + * lib/krb5/free_host_realm.c: check for NULL realmlist + + * lib/krb5/context.c: don't print warning if there is no krb5.conf + +Wed Mar 10 19:29:46 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * configure.in: use AC_WFLAGS + +Mon Mar 8 11:49:43 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * Release 0.1c + + * kuser/klist.c: use print_version + + * kuser/kdestroy.c: use print_version + + * kdc/hpropd.c: use print_version + + * kdc/hprop.c: use print_version + + * kdc/config.c: use print_version + + * kadmin/kadmind.c: use print_version + + * kadmin/kadmin.c: use print_version + + * appl/test/common.c: use print_version + + * appl/afsutil/afslog.c: use print_version + +Mon Mar 1 10:49:14 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * lib/krb5/get_addrs.c: SOCKADDR_HAS_SA_LEN -> + HAVE_STRUCT_SOCKADDR_SA_LEN + + * configure.in, acconfig.h, cf/*: update to automake 1.4/autoconf 2.13 + +Sun Feb 28 18:19:20 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * lib/asn1/gen.c: make `BIT STRING's unsigned + + * lib/asn1/{symbol.h,gen.c}: add TUInteger type + + * lib/krb5/verify_user.c (krb5_verify_user): pass prompter to + 
krb5_get_init_creds_password + + * lib/krb5/fcache.c (fcc_gen_new): implement + +Sat Feb 27 22:41:23 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * doc/install.texi: krb4 is now automatically detected + + * doc/misc.texi: update procedure to set supported encryption + types + + * doc/setup.texi: change some silly wordings + +Sat Feb 27 22:17:30 1999 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/krb5/keytab.c (fkt_remove_entry): make this work + + * admin/ktutil.c: add minimally working `get' command + +Sat Feb 27 19:44:49 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * lib/hdb/convert_db.c: more typos + + * include/Makefile.am: remove EXTRA_DATA (as of autoconf + 2.13/automake 1.4) + + * appl/Makefile.am: OTP_dir + +Fri Feb 26 17:37:00 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * doc/setup.texi: add kadmin section + + * lib/asn1/check-der.c: fix printf warnings + +Thu Feb 25 11:16:49 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * configure.in: -O does not belong in WFLAGS + +Thu Feb 25 11:05:57 1999 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/asn1/der_put.c: fix der_put_int + +Tue Feb 23 20:35:12 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * configure.in: use AC_BROKEN_GLOB + +Mon Feb 22 15:12:44 1999 Johan Danielsson <joda@blubb.pdc.kth.se> + + * configure.in: check for glob + +Mon Feb 22 11:32:42 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * Release 0.1b + +Sat Feb 20 15:48:06 1999 Johan Danielsson <joda@blubb.pdc.kth.se> + + * lib/hdb/convert_db.c: convert DES3 keys to des3-cbc-sha1, and + des3-cbc-md5 + + * lib/krb5/crypto.c (DES3_string_to_key): make this actually do + what the draft said it should + + * lib/hdb/convert_db.c: little program for database conversion + + * lib/hdb/db.c (DB_open): try to open database w/o .db extension + + * lib/hdb/ndbm.c (NDBM_open): add test for database format + + * lib/hdb/db.c (DB_open): add test for database format + + * lib/asn1/gen_glue.c (generate_2int): don't depend on flags 
being + unsigned + + * lib/hdb/hdb.c: change `hdb_set_master_key' to take an + EncryptionKey, and add a new function `hdb_set_master_keyfile' to + do what `hdb_set_master_key' used to do + + * kdc/kstash.c: add `--convert-file' option to change keytype of + existing master key file + +Fri Feb 19 07:04:14 1999 Assar Westerlund <assar@squid.pdc.kth.se> + + * Release 0.1a + +Sat Feb 13 17:12:53 1999 Assar Westerlund <assar@sics.se> + + * lib/krb5/mk_safe.c (krb5_mk_safe): sizeof(buf) -> buf_size, buf + is now a `u_char *' + + * lib/krb5/get_in_tkt.c (krb5_init_etype): etypes are now `int' + + * lib/krb5/get_host_realm.c (krb5_get_host_realm): constize + orig_host + + (krb5_salttype_to_string): new function (RSA_MD5_DES_verify, + RSA_MD5_DES3_verify): initialize ret + + * lib/gssapi/init_sec_context.c (init_auth): remove unnecessary + gssapi_krb5_init. ask for KEYTYPE_DES credentials + + * kadmin/get.c (print_entry_long): print the keytypes and salts + available for the principal + + * configure.in (WFLAGS): add `-O' to catch unitialized variables + and such + (gethostname, mkstemp, getusershell, inet_aton): more tests + + * lib/hdb/hdb.h: update prototypes + + * configure.in: homogenize broken detection with krb4 + + * lib/kadm5/init_c.c (kadm5_c_init_with_context): remove unused + `error' + + * lib/asn1/Makefile.am (check-der): add + + * lib/asn1/gen.c (define_type): map ASN1 Integer to `int' instead + of `unsigned' + + * lib/asn1/der_length.c (length_unsigned): new function + (length_int): handle signed integers + + * lib/asn1/der_put.c (der_put_unsigned): new function + (der_put_int): handle signed integers + + * lib/asn1/der_get.c (der_get_unsigned): new function + (der_get_int): handle signed integers + + * lib/asn1/der.h: all integer functions take `int' instead of + `unsigned' + + * lib/asn1/lex.l (filename): unused. remove. + + * lib/asn1/check-der.c: new test program for der encoding and + decoding. 
+ +Mon Feb 1 04:09:06 1999 Assar Westerlund <assar@sics.se> + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): only call + gethostbyname2 with AF_INET6 if we actually have IPv6. From + "Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net> + + * lib/krb5/changepw.c (get_kdc_address): dito + +Sun Jan 31 06:26:36 1999 Assar Westerlund <assar@sics.se> + + * kdc/connect.c (parse_prots): always bind to AF_INET, there are + v6-implementations without support for `mapped V4 addresses'. + From Jun-ichiro itojun Hagino <itojun@kame.net> + +Sat Jan 30 22:38:27 1999 Assar Westerlund <assar@juguete.sics.se> + + * Release 0.0u + +Sat Jan 30 13:43:02 1999 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am: explicit rules for *.et files + + * lib/kadm5/init_c.c (get_kadm_ticket): only remove creds if + krb5_get_credentials was succesful. + (get_new_cache): return better error codes and return earlier. + (get_cred_cache): only delete default_client if it's different + from client + (kadm5_c_init_with_context): return a more descriptive error. + + * kdc/kerberos5.c (check_flags): handle NULL client or server + + * lib/krb5/sendauth.c (krb5_sendauth): return the error in + `ret_error' iff != NULL + + * lib/krb5/rd_error.c (krb5_free_error, krb5_free_error_contents): + new functions + + * lib/krb5/mk_req_ext.c (krb5_mk_req_extended): more + type-correctness + + * lib/krb5/krb5.h (krb5_error): typedef to KRB_ERROR + + * lib/krb5/init_creds_pw.c: KRB5_TGS_NAME: use + + * lib/krb5/get_cred.c: KRB5_TGS_NAME: use + + * lib/kafs/afskrb5.c (afslog_uid_int): update to changes + + * lib/kadm5/rename_s.c (kadm5_s_rename_principal): call remove + instead of rename, but shouldn't this just call rename? + + * lib/kadm5/get_s.c (kadm5_s_get_principal): always return an + error if the principal wasn't found. 
+ + * lib/hdb/ndbm.c (NDBM_seq): unseal key + + * lib/hdb/db.c (DB_seq): unseal key + + * lib/asn1/Makefile.am: added explicit rules for asn1_err.[ch] + + * kdc/hprop.c (v4_prop): add krbtgt/THISREALM@OTHERREALM when + finding cross-realm tgts in the v4 database + + * kadmin/mod.c (mod_entry): check the number of arguments. check + that kadm5_get_principal worked. + + * lib/krb5/keytab.c (fkt_remove_entry): remove KRB5_KT_NOTFOUND if + we weren't able to remove it. + + * admin/ktutil.c: less drive-by-deleting. From Love + <lha@e.kth.se> + + * kdc/connect.c (parse_ports): copy the string before mishandling + it with strtok_r + + * kdc/kerberos5.c (tgs_rep2): print the principal with mismatching + kvnos + + * kadmin/kadmind.c (main): convert `debug_port' to network byte + order + + * kadmin/kadmin.c: allow specification of port number. + + * lib/kadm5/kadm5_locl.h (kadm5_client_context): add + `kadmind_port'. + + * lib/kadm5/init_c.c (_kadm5_c_init_context): move up + initalize_kadm5_error_table_r. + allow specification of port number. + + From Love <lha@stacken.kth.se> + + * kuser/klist.c: add option -t | --test + diff --git a/third_party/heimdal/ChangeLog.2000 b/third_party/heimdal/ChangeLog.2000 new file mode 100644 index 0000000..a1cb687 --- /dev/null +++ b/third_party/heimdal/ChangeLog.2000 
@@ -0,0 +1,1320 @@ +2000-12-31 Assar Westerlund <assar@sics.se> + + * lib/krb5/test_get_addrs.c (main): handle krb5_init_context + failure consistently + * lib/krb5/string-to-key-test.c (main): handle krb5_init_context + failure consistently + * lib/krb5/prog_setup.c (krb5_program_setup): handle + krb5_init_context failure consistently + * lib/hdb/convert_db.c (main): handle krb5_init_context failure + consistently + * kuser/kverify.c (main): handle krb5_init_context failure + consistently + * kuser/klist.c (main): handle krb5_init_context failure + consistently + * kuser/kinit.c (main): handle krb5_init_context failure + consistently + * kuser/kgetcred.c (main): handle krb5_init_context failure + consistently + * kuser/kdestroy.c (main): handle krb5_init_context failure + consistently + * kuser/kdecode_ticket.c (main): handle krb5_init_context failure + consistently + * kuser/generate-requests.c (generate_requests): handle + krb5_init_context failure consistently + * kpasswd/kpasswd.c (main): handle krb5_init_context failure + consistently + * kpasswd/kpasswd-generator.c (generate_requests): handle + krb5_init_context failure consistently + * kdc/main.c (main): handle krb5_init_context failure consistently + * appl/test/uu_client.c (proto): handle krb5_init_context failure + consistently + * appl/kf/kf.c (main): handle krb5_init_context failure + consistently + * admin/ktutil.c (main): handle krb5_init_context failure + consistently + + * admin/get.c (kt_get): more error checking + +2000-12-29 Assar Westerlund <assar@sics.se> + + * lib/asn1/asn1_print.c (loop): check for length longer than data. 
+ inspired by lha@stacken.kth.se + +2000-12-16 Johan Danielsson <joda@pdc.kth.se> + + * admin/ktutil.8: reflect recent changes + + * admin/copy.c: don't copy an entry that already exists in the + keytab, and warn if the keyblock differs + +2000-12-15 Johan Danielsson <joda@pdc.kth.se> + + * admin/Makefile.am: merge srvconvert and srvcreate with copy + + * admin/copy.c: merge srvconvert and srvcreate with copy + + * lib/krb5/Makefile.am: always build keytab_krb4.c + + * lib/krb5/context.c: always register the krb4 keytab functions + + * lib/krb5/krb5.h: declare krb4_ftk_ops + + * lib/krb5/keytab_krb4.c: We don't really need to include krb.h + here, since we only use the principal size macros, so define these + here. Theoretically someone could have a krb4 system where these + values are != 40, but this is unlikely, and + krb5_524_conv_principal also assume they are 40. + +2000-12-13 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5.h: s/krb5_donot_reply/krb5_donot_replay/ + + * lib/krb5/replay.c: fix query-replace-o from MD5 API change, and + the struct is called krb5_donot_replay + +2000-12-12 Assar Westerlund <assar@sics.se> + + * admin/srvconvert.c (srvconvert): do not use data after free:ing + it + +2000-12-11 Assar Westerlund <assar@sics.se> + + * Release 0.3d + +2000-12-11 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 14:0:0 + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): update to 6:3:0 + * lib/krb5/Makefile.am (libkrb5_la_LIBADD): add library + dependencies + +2000-12-10 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/auth_context.c: implement krb5_auth_con_{get,set}rcache + +2000-12-08 Assar Westerlund <assar@sics.se> + + * lib/krb5/krb5.h (krb5_enctype): add ETYPE_DES3_CBC_NONE_IVEC as + a new pseudo-type + + * lib/krb5/crypto.c (DES_AFS3_CMU_string_to_key): always treat + cell names as lower case + (krb5_encrypt_ivec, krb5_decrypt_ivec): new functions that allow an + explicit ivec to be specified. 
fix all sub-functions. + (DES3_CBC_encrypt_ivec): new function that takes an explicit ivec + +2000-12-06 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/Makefile.am: actually build replay cache code + + * lib/krb5/replay.c: implement krb5_get_server_rcache + + * kpasswd/kpasswdd.c: de-pointerise auth_context parameter to + krb5_mk_rep + + * lib/krb5/recvauth.c: de-pointerise auth_context parameter to + krb5_mk_rep + + * lib/krb5/mk_rep.c: auth_context should not be a pointer + + * lib/krb5/auth_context.c: implement krb5_auth_con_genaddrs, and + make setaddrs_from_fd use that + + * lib/krb5/krb5.h: add some more KRB5_AUTH_CONTEXT_* flags + +2000-12-05 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/Makefile.am: add kerberos.8 manpage + + * lib/krb5/cache.c: check for NULL remove_cred function + + * lib/krb5/fcache.c: pretend that empty files are non-existant + + * lib/krb5/get_addrs.c (find_all_addresses): use getifaddrs, from + Jason Thorpe <thorpej@netbsd.org> + +2000-12-01 Assar Westerlund <assar@sics.se> + + * configure.in: remove configure-time generation of krb5-config + * tools/Makefile.am: add generation of krb5-config at make-time + instead of configure-time + + * tools/krb5-config.in: add --prefix and --exec-prefix + +2000-11-30 Assar Westerlund <assar@sics.se> + + * tools/Makefile.am: add krb5-config.1 + * tools/krb5-config.in: add kadm-client and kadm5-server as + libraries + +2000-11-29 Assar Westerlund <assar@sics.se> + + * tools/krb5-config.in: add --prefix, --exec-prefix and gssapi + +2000-11-29 Johan Danielsson <joda@pdc.kth.se> + + * configure.in: add roken/Makefile here, since it can't live in + rk_ROKEN + +2000-11-16 Assar Westerlund <assar@sics.se> + + * configure.in: use the libtool -rpath, do not rely on ld + understanding -rpath + + * configure.in: fix the -Wl stuff for krb4 linking add some + gratuitous extra options when linking with an existing libdes + +2000-11-15 Assar Westerlund <assar@sics.se> + + * lib/hdb/hdb.c 
(hdb_next_enctype2key): const-ize a little bit + * lib/Makefile.am (SUBDIRS): try to only build des when needed + * kuser/klist.c: print key versions numbers of v4 tickets in + verbose mode + + * kdc/kerberos5.c (tgs_rep2): adapt to new krb5_verify_ap_req2 + * appl/test/gss_common.c (read_token): remove unused variable + + * configure.in (krb4): add -Wl + (MD4Init et al): look for these in more libraries + (getmsg): only run test if we have the function + (AC_OUTPUT): create tools/krb5-config + + * tools/krb5-config.in: new script for storing flags to use + * Makefile.am (SUBDIRS): add tools + + * lib/krb5/get_cred.c (make_pa_tgs_req): update to new + krb5_mk_req_internal + * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): allow different + usages for the encryption. change callers + * lib/krb5/rd_req.c (decrypt_authenticator): add an encryption + `usage'. also try the old + (and wrong) usage of KRB5_KU_AP_REQ_AUTH for backwards compatibility + (krb5_verify_ap_req2): new function for specifying the usage different + from the default (KRB5_KU_AP_REQ_AUTH) + * lib/krb5/build_auth.c (krb5_build_authenticator): add a `usage' + parameter to permit the generation of authenticators with + different crypto usage + + * lib/krb5/mk_req.c (krb5_mk_req_exact): new function that takes a + krb5_principal + (krb5_mk_req): use krb5_mk_req_exact + + * lib/krb5/mcache.c (mcc_close): free data + (mcc_destroy): don't free data + +2000-11-13 Assar Westerlund <assar@sics.se> + + * lib/hdb/ndbm.c: handle both ndbm.h and gdbm/ndbm.h + * lib/hdb/hdb.c: handle both ndbm.h and gdbm/ndbm.h + +2000-11-12 Johan Danielsson <joda@pdc.kth.se> + + * kdc/hpropd.8: remove extra .Xc + +2000-10-27 Johan Danielsson <joda@pdc.kth.se> + + * kuser/kinit.c: fix v4 fallback lifetime calculation + +2000-10-10 Johan Danielsson <joda@pdc.kth.se> + + * kdc/524.c: fix log messge + +2000-10-08 Assar Westerlund <assar@sics.se> + + * lib/krb5/changepw.c (krb5_change_password): check for fd's being + too large to 
select on + * kpasswd/kpasswdd.c (add_new_tcp): check for the socket fd being + too large to select on + * kdc/connect.c (add_new_tcp): check for the socket fd being too + large to selct on + * kdc/connect.c (loop): check that the socket fd is not too large + to select on + * lib/krb5/send_to_kdc.c (recv_loop): check `fd' for being too + large to be able to select on + + * kdc/kaserver.c (do_authenticate): check for time skew + +2000-10-01 Assar Westerlund <assar@sics.se> + + * kdc/524.c (set_address): allocate memory for storing addresses + in if the original request had an empty set of addresses + * kdc/524.c (set_address): fix bad return of pointer to automatic + data + + * config.sub: update to version 2000-09-11 (aka 1.181) from + subversions.gnu.org + + * config.guess: update to version 2000-09-05 (aka 1.156) from + subversions.gnu.org plus some minor tweaks + +2000-09-20 Assar Westerlund <assar@juguete.sics.se> + + * Release 0.3c + +2000-09-19 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to + 13:1:0 + + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): bump version to 6:2:0 + +2000-09-17 Assar Westerlund <assar@sics.se> + + * lib/krb5/rd_req.c (krb5_decrypt_ticket): plug some memory leak + (krb5_rd_req): try not to return an allocated auth_context on error + + * lib/krb5/log.c (krb5_vlog_msg): fix const-ness + +2000-09-10 Assar Westerlund <assar@sics.se> + + * kdc/524.c: re-organize + * kdc/kerberos5.c (tgs_rep2): try to avoid leaking auth_context + * kdc/kerberos4.c (valid_princ): check return value of functions + (encode_v4_ticket): add some const + * kdc/misc.c (db_fetch): check malloc + (free_ent): new function + + * lib/krb5/log.c (krb5_vlog_msg): log just the format string it we + fail to allocate the actual string to log, should at least provide + some hint as to where things went wrong + +2000-09-10 Johan Danielsson <joda@pdc.kth.se> + + * kdc/log.c: use DEFAULT_LOG_DEST + + * kdc/config.c: use 
_PATH_KDC_CONF + + * kdc/kdc_locl.h: add macro constants for kdc.conf, and kdc.log + +2000-09-09 Assar Westerlund <assar@sics.se> + + * lib/krb5/crypto.c (_key_schedule): re-use an existing schedule + +2000-09-06 Johan Danielsson <joda@pdc.kth.se> + + * configure.in: fix dpagaix test + +2000-09-05 Assar Westerlund <assar@sics.se> + + * configure.in: with_dce -> enable_dce. noticed by Ake Sandgren + <ake@cs.umu.se> + +2000-09-01 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kstash.8: update manual page + + * kdc/kstash.c: fix typo, and remove unused option + + * lib/krb5/kerberos.7: short kerberos intro page + +2000-08-27 Assar Westerlund <assar@sics.se> + + * include/bits.c: add __attribute__ for gcc's pleasure + * lib/hdb/keytab.c: re-write to delay the opening of the database + till it's known which principal is being sought, thereby allowing + the usage of multiple databases, however they need to be specified + in /etc/krb5.conf since all the programs using this keytab do not + read kdc.conf + + * appl/test/test_locl.h (keytab): add + * appl/test/common.c: add --keytab + * lib/krb5/crypto.c: remove trailing commas + (KRB5_KU_USAGE_SEQ): renamed from KRB5_KU_USAGE_MIC + +2000-08-26 Assar Westerlund <assar@sics.se> + + * lib/krb5/send_to_kdc.c (send_via_proxy): handle `http://' at the + beginning of the proxy specification. use getaddrinfo correctly + (krb5_sendto): always return a return code + + * lib/krb5/krb5.h (KRB5_KU_USAGE_MIC): rename to KRB5_KU_USAGE_SEQ + * lib/krb5/auth_context.c (krb5_auth_con_free): handle + auth_context == NULL + +2000-08-23 Assar Westerlund <assar@sics.se> + + * kdc/kerberos5.c (find_type): make sure of always setting + `ret_etype' correctly. 
clean-up structure some + +2000-08-23 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/mcache.c: implement resolve + +2000-08-18 Assar Westerlund <assar@sics.se> + + * kuser/kdecode_ticket.c: check return value from krb5_crypto_init + * kdc/kerberos5.c, kdc/524.c: check return value from krb5_crypto_init + * lib/krb5/*.c: check return value from krb5_crypto_init + +2000-08-16 Assar Westerlund <assar@sics.se> + + * Release 0.3b + +2000-08-16 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am: bump version to 13:0:0 + + * lib/hdb/Makefile.am: set version to 6:1:0 + + * configure.in: do getmsg testing the same way as in krb4 + + * lib/krb5/config_file.c (krb5_config_parse_file_debug): make sure + of closing the file on error + + * lib/krb5/crypto.c (encrypt_internal_derived): free the checksum + after use + + * lib/krb5/warn.c (_warnerr): initialize args to make third, + purify et al happy + +2000-08-13 Assar Westerlund <assar@sics.se> + + * kdc/kerberos5.c: re-write search for keys code. 
loop over all + supported enctypes in order, looping over all keys of each type, + and picking the one with the v5 default salt preferably + +2000-08-10 Assar Westerlund <assar@sics.se> + + * appl/test/gss_common.c (enet_read): add and use + * lib/krb5/krb5.h (heimdal_version, heimdal_long_version): make + const + + * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): add comment on + checksum type selection + + * lib/krb5/context.c (krb5_init_context): do not leak memory on + failure + (default_etypes): prefer arcfour-hmac-md5 to des-cbc-md5 + + * lib/krb5/principal.c: add fnmatch.h + +2000-08-09 Assar Westerlund <assar@sics.se> + + * configure.in: call AC_PROG_CC and AC_PROG_CPP to make sure later + checks that should require them don't fail + * acconfig.h: add HAVE_UINT17_T + +2000-08-09 Johan Danielsson <joda@pdc.kth.se> + + * kdc/mit_dump.c: handle all sorts of weird MIT salt types + +2000-08-08 Johan Danielsson <joda@pdc.kth.se> + + * doc/setup.texi: port 212 -> 2121 + + * lib/krb5/principal.c: krb5_principal_match + +2000-08-04 Johan Danielsson <joda@pdc.kth.se> + + * lib/asn1/der_get.c: add comment on *why* DCE sometimes used BER + encoding + + * kpasswd/Makefile.am: link with pidfile library + + * kpasswd/kpasswdd.c: write a pid file + + * kpasswd/kpasswd_locl.h: util.h + + * kdc/Makefile.am: link with pidfile library + + * kdc/main.c: write a pid file + + * kdc/headers.h: util.h + +2000-08-04 Assar Westerlund <assar@sics.se> + + * lib/krb5/principal.c (krb5_425_conv_principal_ext): always put + hostnames in lower case + (default_v4_name_convert): add imap + +2000-08-03 Assar Westerlund <assar@sics.se> + + * lib/krb5/crc.c (_krb5_crc_update): const-ize (finally) + +2000-07-31 Johan Danielsson <joda@pdc.kth.se> + + * configure.in: check for uint*_t + * include/bits.c: define uint*_t + +2000-07-29 Assar Westerlund <assar@sics.se> + + * kdc/kerberos5.c (check_tgs_flags): set endtime correctly when + renewing, From Derrick J Brashear <shadow@dementia.org> + 
+2000-07-28 Assar Westerlund <assar@juguete.sics.se> + + * Release 0.3a + +2000-07-27 Assar Westerlund <assar@sics.se> + + * kdc/hprop.c (dump_database): write an empty message to signal + end of dump + +2000-07-26 Assar Westerlund <assar@sics.se> + + * lib/krb5/changepw.c (krb5_change_password): try to be more + careful when not to resend + + * lib/hdb/db3.c: always create a cursor with db3. From Derrick J + Brashear <shadow@dementia.org> + +2000-07-25 Johan Danielsson <joda@pdc.kth.se> + + * lib/hdb/Makefile.am: bump version to 6:0:0 + + * lib/asn1/Makefile.am: bump version to 3:0:1 + + * lib/krb5/Makefile.am: bump version to 12:0:1 + + * lib/krb5/krb5_config.3: manpage + + * lib/krb5/krb5_appdefault.3: manpage + + * lib/krb5/appdefault.c: implementation of the krb5_appdefault set + of functions + +2000-07-23 Assar Westerlund <assar@sics.se> + + * lib/krb5/init_creds_pw.c (change_password): reset forwardable + and proxiable. copy preauthentication list correctly from + supplied options + + * kdc/hpropd.c (main): check that the ticket was for `hprop/' for + paranoid reasons + + * lib/krb5/sock_principal.c (krb5_sock_to_principal): look in + aliases for the real name + +2000-07-22 Johan Danielsson <joda@pdc.kth.se> + + * doc/setup.texi: say something about starting kadmind from the + command line + +2000-07-22 Assar Westerlund <assar@sics.se> + + * kpasswd/kpasswdd.c: use kadm5_s_chpass_principal_cond instead of + mis-doing it here + + * lib/krb5/changepw.c (krb5_change_password): make timeout 1 + + 2^{0,1,...}. 
also keep track if we got an old packet back and + then just wait without sending a new packet + * lib/krb5/changepw.c: use a datagram socket and remove the + sequence numbers + * lib/krb5/changepw.c (krb5_change_password): clarify an + expression, avoiding a warning + +2000-07-22 Johan Danielsson <joda@pdc.kth.se> + + * kuser/klist.c: make -a and -n aliases for -v + + * lib/krb5/write_message.c: ws + + * kdc/hprop-common.c: nuke extra definitions of + krb5_read_priv_message et.al + + * lib/krb5/read_message.c (krb5_read_message): return error if EOF + +2000-07-20 Assar Westerlund <assar@sics.se> + + * kpasswd/kpasswd.c: print usage consistently + * kdc/hprop.h (HPROP_KEYTAB): use HDB for the keytab + * kdc/hpropd.c: add --keytab + * kdc/hpropd.c: don't care what principal we recvauth as + + * lib/krb5/get_cred.c: be more careful of not returning creds at + all when an error is returned + * lib/krb5/fcache.c (fcc_gen_new): do mkstemp correctly + +2000-07-19 Johan Danielsson <joda@pdc.kth.se> + + * fix-export: use autoreconf + + * configure.in: remove stuff that belong in roken, and remove some + obsolete constructs + +2000-07-18 Johan Danielsson <joda@pdc.kth.se> + + * configure.in: fix some typos + + * appl/Makefile.am: dceutil*s* + + * missing: update to missing from automake 1.4a + +2000-07-17 Johan Danielsson <joda@pdc.kth.se> + + * configure.in: try to get xlc flags from ibmcxx.cfg use + conditional for X use readline cf macro + + * configure.in: subst AIX compiler flags + +2000-07-15 Johan Danielsson <joda@pdc.kth.se> + + * configure.in: pass sixth parameter to test-package; use some + newer autoconf constructs + + * ltmain.sh: update to libtool 1.3c + + * ltconfig: update to libtool 1.3c + + * configure.in: update this to newer auto*/libtool + + * appl/Makefile.am: use conditional for dce + + * lib/Makefile.am: use conditional for dce + +2000-07-11 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/write_message.c: krb5_write_{priv,save}_message + * 
lib/krb5/read_message.c: krb5_read_{priv,save}_message + * lib/krb5/convert_creds.c: try port kerberos/88 if no response on + krb524/4444 + + * lib/krb5/convert_creds.c: use krb5_sendto + + * lib/krb5/send_to_kdc.c: add more generic krb5_sendto that send + to a port at arbitrary list of hosts + +2000-07-10 Johan Danielsson <joda@pdc.kth.se> + + * doc/misc.texi: language; say something about kadmin del_enctype + +2000-07-10 Assar Westerlund <assar@sics.se> + + * appl/kf/Makefile.am: actually install + +2000-07-08 Assar Westerlund <assar@sics.se> + + * configure.in (AM_INIT_AUTOMAKE): bump to 0.3a-pre + (AC_ROKEN): roken is now at 10 + + * lib/krb5/string-to-key-test.c: add a arcfour-hmac-md5 test case + * kdc/Makefile.am (INCLUDES): add ../lib/krb5 + * configure.in: update for standalone roken + * lib/Makefile.am (SUBDIRS): make roken conditional + * kdc/hprop.c: update to new hdb_seal_keys_mkey + * lib/hdb/mkey.c (_hdb_unseal_keys_int, _hdb_seal_keys_int): + rename and export them + + * kdc/headers.h: add krb5_locl.h (since we just use some stuff + from there) + +2000-07-08 Johan Danielsson <joda@pdc.kth.se> + + * kuser/klist.1: update for -f and add some more text for -v + + * kuser/klist.c: use rtbl to format cred listing, add -f and -s + + * lib/krb5/crypto.c: fix type in des3-cbc-none + + * lib/hdb/mkey.c: add key usage + + * kdc/kstash.c: remove writing of old keyfile, and treat + --convert-file as just reading and writing the keyfile without + asking for a new key + + * lib/hdb/mkey.c (read_master_encryptionkey): handle old keytype + based files, and convert the key to cfb64 + + * lib/hdb/mkey.c (hdb_read_master_key): set mkey to NULL before + doing anything else + + * lib/krb5/send_to_kdc.c: use krb5_eai_to_heim_errno + + * lib/krb5/get_for_creds.c: use krb5_eai_to_heim_errno + + * lib/krb5/changepw.c: use krb5_eai_to_heim_errno + + * lib/krb5/addr_families.c: use krb5_eai_to_heim_errno + + * lib/krb5/eai_to_heim_errno.c: convert getaddrinfo error codes to + 
something that can be passed to get_err_text + +2000-07-07 Assar Westerlund <assar@sics.se> + + * lib/hdb/hdb.c (hdb_next_enctype2key): make sure of skipping + `*key' + + * kdc/kerberos4.c (get_des_key): rewrite some, be more careful + +2000-07-06 Assar Westerlund <assar@sics.se> + + * kdc/kerberos5.c (as_rep): be careful as to now overflowing when + calculating the end of lifetime of a ticket. + + * lib/krb5/context.c (default_etypes): add ETYPE_ARCFOUR_HMAC_MD5 + + * lib/hdb/db3.c: only use a cursor when needed, from Derrick J + Brashear <shadow@dementia.org> + + * lib/krb5/crypto.c: introduce the `special' encryption methods + that are not like all other encryption methods and implement + arcfour-hmac-md5 + +2000-07-05 Johan Danielsson <joda@pdc.kth.se> + + * kdc/mit_dump.c: set initial master key version number to 0 + instead of 1; if we lated bump the mkvno we don't risk using the + wrong key to decrypt + + * kdc/hprop.c: only get master key if we're actually going to use + it; enable reading of MIT krb5 dump files + + * kdc/mit_dump.c: read MIT krb5 dump files + + * lib/hdb/mkey.c (read_master_mit): fix this + + * kdc/kstash.c: make this work with the new mkey code + + * lib/hdb/Makefile.am: add mkey.c, and bump version number + + * lib/hdb/hdb.h: rewrite master key handling + + * lib/hdb/mkey.c: rewrite master key handling + + * lib/krb5/crypto.c: add some more pseudo crypto types + + * lib/krb5/krb5.h: change some funny etypes to use negative + numbers, and add some more + +2000-07-04 Assar Westerlund <assar@sics.se> + + * lib/krb5/krbhst.c (get_krbhst): only try SRV lookup if there are + none in the configuration file + +2000-07-02 Assar Westerlund <assar@sics.se> + + * lib/krb5/keytab_keyfile.c (akf_add_entry): remove unused + variable + + * kpasswd/kpasswd-generator.c: new test program + * kpasswd/Makefile.am: add kpasswd-generator + + * include/Makefile.am (CLEANFILES): add rc4.h + + * kuser/generate-requests.c: new test program + * kuser/Makefile.am 
(noinst_PROGRAMS): add generate-requests + +2000-07-01 Assar Westerlund <assar@sics.se> + + * configure.in: add --enable-dce and related stuff + * appl/Makefile.am (SUBDIRS): add $(APPL_dce) + +2000-06-29 Assar Westerlund <assar@sics.se> + + * kdc/kerberos4.c (get_des_key): fix thinkos/typos + +2000-06-29 Johan Danielsson <joda@pdc.kth.se> + + * admin/purge.c: use parse_time to parse age + + * lib/krb5/log.c (krb5_vlog_msg): use krb5_format_time + + * admin/list.c: add printing of timestamp and key data; some + cleanup + + * lib/krb5/time.c (krb5_format_time): new function to format time + + * lib/krb5/context.c (init_context_from_config_file): init + date_fmt, also do some cleanup + + * lib/krb5/krb5.h: add date_fmt to context + +2000-06-28 Johan Danielsson <joda@pdc.kth.se> + + * kdc/{kerberos4,kaserver,524}.c (get_des_key): change to return + v4 or afs keys if possible + +2000-06-25 Johan Danielsson <joda@pdc.kth.se> + + * kdc/hprop.c (ka_convert): allow using null salt, and treat 0 + pw_expire as never (from Derrick Brashear) + +2000-06-24 Johan Danielsson <joda@pdc.kth.se> + + * kdc/connect.c (add_standard_ports): only listen to port 750 if + serving v4 requests + +2000-06-22 Assar Westerlund <assar@sics.se> + + * lib/asn1/lex.l: fix includes, and lex stuff + * lib/asn1/lex.h (error_message): update prototype + (yylex): add + * lib/asn1/gen_length.c (length_type): fail on malloc error + * lib/asn1/gen_decode.c (decode_type): fail on malloc error + +2000-06-21 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_for_creds.c: be more compatible with MIT code. + From Daniel Kouril <kouril@ics.muni.cz> + * lib/krb5/rd_cred.c: be more compatible with MIT code. From + Daniel Kouril <kouril@ics.muni.cz> + * kdc/kerberos5.c (get_pa_etype_info): do not set salttype if it's + vanilla pw-salt, that keeps win2k happy. also do the malloc check + correctly. 
From Daniel Kouril <kouril@ics.muni.cz> + +2000-06-21 Johan Danielsson <joda@pdc.kth.se> + + * kdc/hprop.c: add hdb keytabs + +2000-06-20 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/principal.c: back out rev. 1.64 + +2000-06-19 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kerberos5.c: pa_* -> KRB5_PADATA_* + + * kdc/hpropd.c: add realm override flag + + * kdc/v4_dump.c: code for reading krb4 dump files + + * kdc/hprop.c: generalize source database handing, add support for + non-standard local realms (from by Daniel Kouril + <kouril@ics.muni.cz> and Miroslav Ruda <ruda@ics.muni.cz>), and + support for using different ports (requested by the Czechs, but + implemented differently) + + * lib/krb5/get_cred.c: pa_* -> KRB5_PADATA_* + + * lib/krb5/get_in_tkt.c: pa_* -> KRB5_PADATA_* + + * lib/krb5/krb5.h: use some definitions from asn1.h + + * lib/hdb/hdb.asn1: use new import syntax + + * lib/asn1/k5.asn1: use distinguished value integers + + * lib/asn1/gen_length.c: support for distinguished value integers + + * lib/asn1/gen_encode.c: support for distinguished value integers + + * lib/asn1/gen_decode.c: support for distinguished value integers + + * lib/asn1/gen.c: support for distinguished value integers + + * lib/asn1/lex.l: add support for more standards like import + statements + + * lib/asn1/parse.y: add support for more standards like import + statements, and distinguished value integers + +2000-06-11 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_for_creds.c (add_addrs): ignore addresses of + unknown type + * lib/krb5/get_for_creds.c (add_addrs): zero memory before + starting to copy memory + +2000-06-10 Assar Westerlund <assar@sics.se> + + * lib/krb5/test_get_addrs.c: test program for get_addrs + * lib/krb5/get_addrs.c (find_all_addresses): remember to add in + the size of ifr->ifr_name when using SA_LEN. 
noticed by Ken + Raeburn <raeburn@MIT.EDU> + +2000-06-07 Assar Westerlund <assar@sics.se> + + * configure.in: add db3 detection stuff do not use streamsptys on + HP-UX 11 + * lib/hdb/hdb.h (HDB): add dbc for db3 + * kdc/connect.c (add_standard_ports): also listen on krb524 aka + 4444 + * etc/services.append (krb524): add + * lib/hdb/db3.c: add berkeley db3 interface. contributed by + Derrick J Brashear <shadow@dementia.org> + * lib/hdb/hdb.h (struct HDB): add + +2000-06-07 Johan Danielsson <joda@pdc.kth.se> + + * kdc/524.c: if 524 is not enabled, just generate error reply and + exit + + * kdc/kerberos4.c: if v4 is not enabled, just generate error reply + and exit + + * kdc/connect.c: only listen to port 4444 if 524 is enabled + + * kdc/config.c: add options to enable/disable v4 and 524 requests + +2000-06-06 Johan Danielsson <joda@pdc.kth.se> + + * kdc/524.c: handle non-existant server principals (from Daniel + Kouril) + +2000-06-03 Assar Westerlund <assar@sics.se> + + * admin/ktutil.c: print name when failing to open keytab + + * kuser/kinit.c: try also to fallback to v4 when no KDC is found + +2000-05-28 Assar Westerlund <assar@sics.se> + + * kuser/klist.c: continue even we have no v5 ccache. 
make showing + your krb4 tickets the default (if build with krb4 support) + * kuser/kinit.c: add a fallback that tries to get a v4 ticket if + built with krb4 support and we got back a version error from the + KDC + +2000-05-23 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/keytab_keyfile.c: make this actually work + +2000-05-19 Assar Westerlund <assar@sics.se> + + * lib/krb5/store_emem.c (emem_store): make it write-compatible + * lib/krb5/store_fd.c (fd_store): make it write-compatible + * lib/krb5/store_mem.c (mem_store): make it write-compatible + * lib/krb5/krb5.h (krb5_storage): make store write-compatible + +2000-05-18 Assar Westerlund <assar@sics.se> + + * configure.in: add stdio.h in dbopen test + +2000-05-16 Assar Westerlund <assar@assaris.sics.se> + + * Release 0.2t + +2000-05-16 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 11:1:0 + * lib/krb5/fcache.c: fix second lseek + * lib/krb5/principal.c (krb5_524_conv_principal): fix typo + +2000-05-15 Assar Westerlund <assar@sics.se> + + * Release 0.2s + +2000-05-15 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 11:0:0 + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): set version to 4:2:1 + * lib/asn1/Makefile.am (libasn1_la_LDFLAGS): bump to 2:0:0 + * lib/krb5/principal.c (krb5_524_conv_principal): comment-ize, and + simplify string copying + +2000-05-12 Assar Westerlund <assar@sics.se> + + * lib/krb5/fcache.c (scrub_file): new function + (erase_file): re-write, use scrub_file + * lib/krb5/krb5.h (KRB5_DEFAULT_CCFILE_ROOT): add + + * configure.in (dbopen): add header files + + * lib/krb5/krb5.h (krb5_key_usage): add some more + * lib/krb5/fcache.c (erase_file): try to detect symlink games. + also call revoke. 
+ * lib/krb5/changepw.c (krb5_change_password): remember to close + the socket on error + + * kdc/main.c (main): also call sigterm on SIGTERM + +2000-05-06 Assar Westerlund <assar@sics.se> + + * lib/krb5/config_file.c (krb5_config_vget_string_default, + krb5_config_get_string_default): add + +2000-04-25 Assar Westerlund <assar@sics.se> + + * lib/krb5/fcache.c (fcc_initialize): just forget about + over-writing the old cred cache. it's too much of a hazzle trying + to do this safely. + +2000-04-11 Assar Westerlund <assar@sics.se> + + * lib/krb5/crypto.c (krb5_get_wrapped_length): rewrite into + different parts for the derived and non-derived cases + * lib/krb5/crypto.c (krb5_get_wrapped_length): the padding should + be done after having added confounder and checksum + +2000-04-09 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_addrs.c (find_all_addresses): apperently solaris + can return EINVAL when the buffer is too small. cope. + * lib/asn1/Makefile.am (gen_files): add asn1_UNSIGNED.x + * lib/asn1/gen_locl.h (filename): add prototype + (init_generate): const-ize + * lib/asn1/gen.c (filename): new function clean-up a little bit. + * lib/asn1/parse.y: be more tolerant in ranges + * lib/asn1/lex.l: count lines correctly. 
+ (error_message): print filename in messages + +2000-04-08 Assar Westerlund <assar@sics.se> + + * lib/krb5/rd_safe.c (krb5_rd_safe): increment sequence number + after comparing + * lib/krb5/rd_priv.c (krb5_rd_priv): increment sequence number + after comparing + * lib/krb5/mk_safe.c (krb5_mk_safe): make `tmp_seq' unsigned + * lib/krb5/mk_priv.c (krb5_mk_priv): make `tmp_seq' unsigned + * lib/krb5/generate_seq_number.c (krb5_generate_seq_number): make + `seqno' be unsigned + * lib/krb5/mk_safe.c (krb5_mk_safe): increment local sequence + number after the fact and only increment it if we were successful + * lib/krb5/mk_priv.c (krb5_mk_priv): increment local sequence + number after the fact and only increment it if we were successful + * lib/krb5/krb5.h (krb5_auth_context_data): make sequence number + unsigned + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): + `in_tkt_service' can be NULL + +2000-04-06 Assar Westerlund <assar@sics.se> + + * lib/asn1/parse.y: regonize INTEGER (0..UNIT_MAX). + (DOTDOT): add + * lib/asn1/lex.l (DOTDOT): add + * lib/asn1/k5.asn1 (UNSIGNED): add. use UNSIGNED for all sequence + numbers. + * lib/asn1/gen_length.c (length_type): add TUInteger + * lib/asn1/gen_free.c (free_type): add TUInteger + * lib/asn1/gen_encode.c (encode_type, generate_type_encode): add + TUInteger + * lib/asn1/gen_decode.c (decode_type, generate_type_decode): add + TUInteger + * lib/asn1/gen_copy.c (copy_type): add TUInteger + * lib/asn1/gen.c (define_asn1): add TUInteger + * lib/asn1/der_put.c (encode_unsigned): add + * lib/asn1/der_length.c (length_unsigned): add + * lib/asn1/der_get.c (decode_unsigned): add + * lib/asn1/der.h (decode_unsigned, encode_unsigned, + length_unsigned): add prototypes + + * lib/asn1/k5.asn1: update pre-authentication types + * lib/krb5/krb5_err.et: add some error codes from pkinit + +2000-04-05 Assar Westerlund <assar@sics.se> + + * lib/hdb/hdb.c: add support for hdb methods (aka back-ends). + include ldap. 
+ * lib/hdb/hdb-ldap.c: tweak the ifdef to OPENLDAP + * lib/hdb/Makefile.am: add hdb-ldap.c and openldap + * kdc/Makefile.am, kpasswd/Makefile.am, kadmin/Makefile.am: add + * configure.in: bump version to 0.2s-pre add options and testing + for (open)ldap + +2000-04-04 Assar Westerlund <assar@sics.se> + + * configure.in (krb4): fix the krb_mk_req test + +2000-04-03 Assar Westerlund <assar@sics.se> + + * configure.in (krb4): add test for const arguments to krb_mk_req + * lib/45/mk_req.c (krb_mk_req): conditionalize const-ness of + arguments + +2000-04-03 Assar Westerlund <assar@sics.se> + + * Release 0.2r + +2000-04-03 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am: set version to 10:0:0 + * lib/45/mk_req.c (krb_mk_req): const-ize the arguments + +2000-03-30 Assar Westerlund <assar@sics.se> + + * lib/krb5/principal.c (krb5_425_conv_principal_ext): add some + comments. add fall-back on adding the realm name in lower case. + +2000-03-29 Assar Westerlund <assar@sics.se> + + * kdc/connect.c: remember to repoint all descr->sa to _ss after + realloc as this might have moved the memory around. problem + discovered and diagnosed by Brandon S. Allbery + +2000-03-27 Assar Westerlund <assar@sics.se> + + * configure.in: recognize solaris 2.8 + * config.guess, config.sub: update to current version from + :pserver:anoncvs@subversions.gnu.org:/home/cvs + + * lib/krb5/init_creds_pw.c (print_expire): do not assume anything + about the size of time_t, i.e. make it 64-bit happy + +2000-03-13 Assar Westerlund <assar@sics.se> + + * kuser/klist.c: add support for display v4 tickets + +2000-03-11 Assar Westerlund <assar@sics.se> + + * kdc/kaserver.c (do_authenticate, do_getticket): call check_flags + * kdc/kerberos4.c (do_version4): call check_flags. 
+ * kdc/kerberos5.c (check_flags): make global + +2000-03-10 Assar Westerlund <assar@sics.se> + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): evil + hack to avoid recursion + +2000-03-04 Assar Westerlund <assar@sics.se> + + * kuser/kinit.c: add `krb4_get_tickets' per realm. add --anonymous + * lib/krb5/krb5.h (krb5_get_init_creds_opt): add `anonymous' and + KRB5_GET_INIT_CREDS_OPT_ANONYMOUS + * lib/krb5/init_creds_pw.c (get_init_creds_common): set + request_anonymous flag appropriatly + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_anonymous): + add + + * lib/krb5/get_in_tkt.c (_krb5_extract_ticket): new parameter to + determine whetever to ignore client name of not. always copy + client name from kdc. fix callers. + + * kdc: add support for anonymous tickets + + * kdc/string2key.8: add man-page for string2key + +2000-03-03 Assar Westerlund <assar@sics.se> + + * kdc/hpropd.c (dump_krb4): get expiration date from `valid_end' + and not `pw_end' + + * kdc/kadb.h (ka_entry): fix name pw_end -> valid_end. add some + more fields + + * kdc/hprop.c (v4_prop): set the `valid_end' from the v4 + expiration date instead of the `pw_expire' + (ka_convert): set `valid_end' from ka expiration data and `pw_expire' + from pw_change + pw_expire + (main): add a default database for ka dumping + +2000-02-28 Assar Westerlund <assar@sics.se> + + * lib/krb5/context.c (init_context_from_config_file): change + rfc2052 default to no. 2782 says that underscore should be used. + +2000-02-24 Assar Westerlund <assar@sics.se> + + * lib/krb5/fcache.c (fcc_initialize, fcc_store_cred): verify that + stores and close succeed + * lib/krb5/store.c (krb5_store_creds): check to see that the + stores are succesful. 
+ +2000-02-23 Assar Westerlund <assar@sics.se> + + * Release 0.2q + +2000-02-22 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am: set version to 9:2:0 + + * lib/krb5/expand_hostname.c (krb5_expand_hostname_realms): copy + the correct hostname + + * kdc/connect.c (add_new_tcp): use the correct entries in the + descriptor table + * kdc/connect.c: initialize `descr' uniformly and correctly + +2000-02-20 Assar Westerlund <assar@sics.se> + + * Release 0.2p + +2000-02-19 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am: set version to 9:1:0 + + * lib/krb5/expand_hostname.c (krb5_expand_hostname): make sure + that realms is filled in even when getaddrinfo fails or does not + return any canonical name + + * kdc/connect.c (descr): add sockaddr and string representation + (*): re-write to use the above mentioned + +2000-02-16 Assar Westerlund <assar@sics.se> + + * lib/krb5/addr_families.c (krb5_parse_address): use + krb5_sockaddr2address to copy the result from getaddrinfo. + +2000-02-14 Assar Westerlund <assar@sics.se> + + * Release 0.2o + +2000-02-13 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am: set version to 9:0:0 + + * kdc/kaserver.c (do_authenticate): return the kvno of the server + and not the client. Thanks to Brandon S. Allbery KF8NH + <allbery@kf8nh.apk.net> and Chaskiel M Grundman + <cg2v@andrew.cmu.edu> for debugging. + + * kdc/kerberos4.c (do_version4): if an tgs-req is received with an + old kvno, return an error reply and write a message in the log. 
+ +2000-02-12 Assar Westerlund <assar@sics.se> + + * appl/test/gssapi_server.c (proto): with `--fork', create a child + and send over/receive creds with export/import_sec_context + * appl/test/gssapi_client.c (proto): with `--fork', create a child + and send over/receive creds with export/import_sec_context + * appl/test/common.c: add `--fork' / `-f' (only used by gssapi) + +2000-02-11 Assar Westerlund <assar@sics.se> + + * kdc/kdc_locl.h: remove keyfile add explicit_addresses + * kdc/connect.c (init_sockets): pay attention to + explicit_addresses some more comments. better error messages. + * kdc/config.c: add some comments. + remove --key-file. + add --addresses. + + * lib/krb5/context.c (krb5_set_extra_addresses): const-ize and use + proper abstraction + +2000-02-07 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/changepw.c: use roken_getaddrinfo_hostspec + +2000-02-07 Assar Westerlund <assar@sics.se> + + * Release 0.2n + +2000-02-07 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am: set version to 8:0:0 + * lib/krb5/keytab.c (krb5_kt_default_name): use strlcpy + (krb5_kt_add_entry): set timestamp + +2000-02-06 Assar Westerlund <assar@sics.se> + + * lib/krb5/krb5.h: add macros for accessing krb5_realm + * lib/krb5/time.c (krb5_timeofday): use `krb5_timestamp' instead + of `int32_t' + + * lib/krb5/replay.c (checksum_authenticator): update to new API + for md5 + + * lib/krb5/krb5.h: remove des.h, it's not needed and applications + should not have to make sure to find it. + +2000-02-03 Assar Westerlund <assar@sics.se> + + * lib/krb5/rd_req.c (get_key_from_keytab): rename parameter to + `out_key' to avoid conflicting with label. reported by Sean Doran + <smd@ebone.net> + +2000-02-02 Assar Westerlund <assar@sics.se> + + * lib/krb5/expand_hostname.c: remember to lower-case host names. 
+ bug reported by <amu@mit.edu> + + * kdc/kerberos4.c (do_version4): look at check_ticket_addresses + and emulate that by setting krb_ignore_ip_address (not a great + interface but it doesn't seem like the time to go around fixing + libkrb stuff now) + +2000-02-01 Johan Danielsson <joda@pdc.kth.se> + + * kuser/kinit.c: change --noaddresses into --no-addresses + +2000-01-28 Assar Westerlund <assar@sics.se> + + * kpasswd/kpasswd.c (main): make sure the ticket is not + forwardable and not proxiable + +2000-01-26 Assar Westerlund <assar@sics.se> + + * lib/krb5/crypto.c: update to pseudo-standard APIs for + md4,md5,sha. some changes to libdes calls to make them more + portable. + +2000-01-21 Assar Westerlund <assar@sics.se> + + * lib/krb5/verify_init.c (krb5_verify_init_creds): make sure to + clean up the correct creds. + +2000-01-16 Assar Westerlund <assar@sics.se> + + * lib/krb5/principal.c (append_component): change parameter to + `const char *'. check malloc + * lib/krb5/principal.c (append_component, va_ext_princ, va_princ): + const-ize + * lib/krb5/mk_req.c (krb5_mk_req): make `service' and `hostname' + const + * lib/krb5/principal.c (replace_chars): also add space here + * lib/krb5/principal.c: (quotable_chars): add space + +2000-01-12 Assar Westerlund <assar@sics.se> + + * kdc/kerberos4.c (do_version4): check if preauth was required and + bail-out if so since there's no way that could be done in v4. + Return NULL_KEY as an error to the client (which is non-obvious, + but what can you do?) + +2000-01-09 Assar Westerlund <assar@sics.se> + + * lib/krb5/principal.c (krb5_sname_to_principal): use + krb5_expand_hostname_realms + * lib/krb5/mk_req.c (krb5_km_req): use krb5_expand_hostname_realms + * lib/krb5/expand_hostname.c (krb5_expand_hostname_realms): new + variant of krb5_expand_hostname that tries until it expands into + something that's digestable by krb5_get_host_realm, returning also + the result from that function. 
+ +2000-01-08 Assar Westerlund <assar@sics.se> + + * Release 0.2m + +2000-01-08 Assar Westerlund <assar@sics.se> + + * configure.in: replace AC_C_BIGENDIAN with KRB_C_BIGENDIAN + + * lib/krb5/Makefile.am: bump version to 7:1:0 + + * lib/krb5/principal.c (krb5_sname_to_principal): use + krb5_expand_hostname + * lib/krb5/expand_hostname.c (krb5_expand_hostname): handle + ai_canonname being set in any of the addresses returnedby + getaddrinfo. glibc apparently returns the reverse lookup of every + address in ai_canonname. + +2000-01-06 Assar Westerlund <assar@sics.se> + + * Release 0.2l + +2000-01-06 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am: set version to 7:0:0 + * lib/krb5/principal.c (krb5_sname_to_principal): remove `hp' + + * lib/hdb/Makefile.am: set version to 4:1:1 + + * kdc/hpropd.c (dump_krb4): use `krb5_get_default_realms' + * lib/krb5/get_in_tkt.c (add_padata): change types to make + everything work out + (krb5_get_in_cred): remove const to make types match + * lib/krb5/crypto.c (ARCFOUR_string_to_key): correct signature + * lib/krb5/principal.c (krb5_sname_to_principal): handle not + getting back a canonname + +2000-01-06 Assar Westerlund <assar@sics.se> + + * Release 0.2k + +2000-01-06 Assar Westerlund <assar@sics.se> + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): advance colon so that + we actually parse the port number. 
based on a patch from Leif + Johansson <leifj@it.su.se> + +2000-01-02 Assar Westerlund <assar@sics.se> + + * admin/purge.c: remove all non-current and old entries from a + keytab + + * admin: break up ktutil.c into files + + * admin/ktutil.c (list): support --verbose (also listning time + stamps) + (kt_add, kt_get): set timestamp in newly created entries + (kt_change): add `change' command + + * admin/srvconvert.c (srvconv): set timestamp in newly created + entries + * lib/krb5/keytab_keyfile.c (akf_next_entry): set timetsamp, + always go the a predicatble position on error + * lib/krb5/keytab.c (krb5_kt_copy_entry_contents): copy timestamp + * lib/krb5/keytab_file.c (fkt_add_entry): store timestamp + (fkt_next_entry_int): return timestamp + * lib/krb5/krb5.h (krb5_keytab_entry): add timestamp diff --git a/third_party/heimdal/ChangeLog.2001 b/third_party/heimdal/ChangeLog.2001 new file mode 100644 index 0000000..b048488 --- /dev/null +++ b/third_party/heimdal/ChangeLog.2001 
@@ -0,0 +1,1122 @@ +2001-12-20 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/crypto.c: use our own des string-to-key function, since + the one from openssl sometimes generates wrong output + +2001-12-05 Jacques Vidrine <n@nectar.cc> + + * lib/hdb/mkey.c: fix a bug in which kstash would crash if + there were no /etc/krb5.conf + +2001-11-09 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5_verify_user.3: sort references (from Thomas + Klausner) + + * lib/krb5/krb5_principal_get_realm.3: add section to reference + (from Thomas Klausner) + + * lib/krb5/krb5_krbhst_init.3: sort references (from Thomas + Klausner) + + * lib/krb5/krb5_keytab.3: white space fixes (from Thomas Klausner) + + * lib/krb5/krb5_get_krbhst.3: remove extra white space (from + Thomas Klausner) + + * lib/krb5/krb5_get_all_client_addrs.3: add section to reference + (from Thomas Klausner) + +2001-10-29 Jacques Vidrine <n@nectar.com> + + * admin/get.c: fix a bug in which a reference to a data + structure on the stack was being kept after the containing + function's lifetime, resulting in a segfault during `ktutil + get'. + +2001-10-22 Assar Westerlund <assar@sics.se> + + * lib/krb5/crypto.c: make all high-level encrypting and decrypting + functions check the return value of the underlying function and + handle errors more consistently. 
noted by Sam Hartman + <hartmans@mit.edu> + +2001-10-21 Assar Westerlund <assar@sics.se> + + * lib/krb5/crypto.c (enctype_arcfour_hmac_md5): actually use a + non-keyed checksum when it should be non-keyed + +2001-09-29 Assar Westerlund <assar@sics.se> + + * kuser/kinit.1: add the kauth alias + * kuser/kinit.c: allow specification of afslog in krb5.conf, noted + by jhutz@cs.cmu.edu + +2001-09-27 Assar Westerlund <assar@sics.se> + + * lib/asn1/gen.c: remove the need for libasn1.h, also make + generated files include all files from IMPORTed modules + + * lib/krb5/krb5.h (KRB5_KPASSWD_*): set correct values + * kpasswd/kpasswd.c: improve error message printing + * lib/krb5/changepw.c (krb5_passwd_result_to_string): add change + to use sequence numbers connect the udp socket so that we can + figure out the local address + +2001-09-25 Assar Westerlund <assar@sics.se> + + * lib/asn1: implement OBJECT IDENTIFIER and ENUMERATED + +2001-09-20 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/principal.c (krb5_425_conv_principal_ext): try using + lower case realm as domain, but only when given a verification + function + +2001-09-20 Assar Westerlund <assar@sics.se> + + * lib/asn1/der_put.c (der_put_length): do not even try writing + anything when len == 0 + +2001-09-18 Johan Danielsson <joda@pdc.kth.se> + + * kdc/hpropd.c: add realm override option + + * lib/krb5/set_default_realm.c (krb5_set_default_realm): make + realm parameter const + + * kdc/hprop.c: more free's + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_keytab): free key + proc data + + * lib/krb5/expand_hostname.c (krb5_expand_hostname_realms): free + addrinfo + + * lib/hdb/mkey.c (hdb_set_master_keyfile): clear error string when + not returning error + +2001-09-16 Assar Westerlund <assar@sics.se> + + * lib/krb5/appdefault.c (krb5_appdefault_{boolean,string,time): + make realm const + + * lib/krb5/crypto.c: use des functions to avoid generating + warnings with openssl's prototypes + +2001-09-05 Johan 
Danielsson <joda@pdc.kth.se> + + * configure.in: check for termcap.h + + * lib/asn1/lex.l: add another undef ECHO to keep AIX lex happy + +2001-09-03 Assar Westerlund <assar@sics.se> + + * lib/krb5/addr_families.c (krb5_print_address): handle snprintf + returning < 0. noticed by hin@stacken.kth.se + +2001-09-03 Assar Westerlund <assar@sics.se> + + * Release 0.4e + +2001-09-02 Johan Danielsson <joda@pdc.kth.se> + + * kuser/Makefile.am: install kauth as a symlink to kinit + + * kuser/kinit.c: get v4_tickets by default + + * lib/asn1/Makefile.am: fix for broken automake + +2001-08-31 Johan Danielsson <joda@pdc.kth.se> + + * lib/hdb/hdb-ldap.c: some pretty much untested changes from Luke + Howard + + * kuser/kinit.1: remove references to kauth + + * kuser/Makefile.am: kauth is no more + + * kuser/kinit.c: use appdefaults for everything. defaults are now + as in kauth. + + * lib/krb5/appdefault.c: also check libdefaults, and realms/realm + + * lib/krb5/context.c (krb5_free_context): free more stuff + +2001-08-30 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/verify_krb5_conf.c: do some checks of the values in the + file + + * lib/krb5/krb5.conf.5: remove srv_try_txt, fix spelling + + * lib/krb5/context.c: don't init srv_try_txt, since it isn't used + anymore + +2001-08-29 Jacques Vidrine <n@nectar.com> + + * configure.in: Check for already-installed com_err. + +2001-08-28 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set versoin to 18:2:1 + +2001-08-24 Assar Westerlund <assar@sics.se> + + * kuser/Makefile.am: remove CHECK_LOCAL - non bin programs require + no special treatment now + + * kuser/generate-requests.c: parse arguments in a useful way + * kuser/kverify.c: add --help/--verify + +2001-08-22 Assar Westerlund <assar@sics.se> + + * configure.in: bump prereq to 2.52 remove unused test_LIB_KRB4 + + * configure.in: re-write the handling of crypto libraries. 
try to + use the one of openssl's libcrypto or krb4's libdes that has all + the required functionality (md4, md5, sha1, des, rc4). if there + is no such library, the included lib/des is built. + + * kdc/headers.h: include libutil.h if it exists + * kpasswd/kpasswd_locl.h: include libutil.h if it exists + * kdc/kerberos4.c (get_des_key): check for null keys even if + is_server + +2001-08-21 Assar Westerlund <assar@sics.se> + + * lib/asn1/asn1_print.c: print some size_t correctly + * configure.in: remove extra space after -L check for libutil.h + +2001-08-17 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kdc_locl.h: fix prototype for get_des_key + + * kdc/kaserver.c: fix call to get_des_key + + * kdc/524.c: fix call to get_des_key + + * kdc/kerberos4.c (get_des_key): if getting a key for a server, + return any des-key not just keys that can be string-to-keyed by + the client + +2001-08-10 Assar Westerlund <assar@sics.se> + + * Release 0.4d + +2001-08-10 Assar Westerlund <assar@sics.se> + + * configure.in: check for openpty + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): update to 7:4:0 + +2001-08-08 Assar Westerlund <assar@sics.se> + + * configure.in: just add -L (if required) from krb4 when testing + for libdes/libcrypto + +2001-08-04 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am (man_MANS): add some missing man pages + * fix-export: fix the sed expression for finding the man pages + +2001-07-31 Assar Westerlund <assar@sics.se> + + * kpasswd/kpasswd-generator.c (main): implement --version and + --help + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): update version to + 18:1:1 + +2001-07-27 Assar Westerlund <assar@sics.se> + + * lib/krb5/context.c (init_context_from_config_file): check + parsing of addresses + +2001-07-26 Assar Westerlund <assar@sics.se> + + * lib/krb5/sock_principal.c (krb5_sock_to_principal): rename + sa_len -> salen to avoid the macro that's defined on irix. noted + by "Jacques A. 
Vidrine" <n@nectar.com> + +2001-07-24 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/addr_families.c: add support for type + KRB5_ADDRESS_ADDRPORT + + * lib/krb5/addr_families.c (krb5_address_order): complain about + unsuppored address types + +2001-07-23 Johan Danielsson <joda@pdc.kth.se> + + * admin/get.c: don't open connection to server until we loop over + the principals, at that time we know the realm of the (first) + principal and we can default to that admin server + + * admin: add a rename command + +2001-07-19 Assar Westerlund <assar@sics.se> + + * kdc/hprop.c (usage): clarify a tiny bit + +2001-07-19 Assar Westerlund <assar@sics.se> + + * Release 0.4c + +2001-07-19 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to + 18:0:1 + + * lib/krb5/get_for_creds.c (krb5_fwd_tgt_creds): make it behave + the same way as the MIT function + + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): update to 7:3:0 + * lib/krb5/sock_principal.c (krb5_sock_to_principal): use + getnameinfo + + * lib/krb5/krbhst.c (srv_find_realm): handle port numbers + consistenly in local byte order + + * lib/krb5/get_default_realm.c (krb5_get_default_realm): set an + error string + + * kuser/kinit.c (renew_validate): invert condition correctly. 
get + v4 tickets if we succeed renewing + * lib/krb5/principal.c (krb5_principal_get_type): add + (default_v4_name_convert): add "smtp" + +2001-07-13 Assar Westerlund <assar@sics.se> + + * configure.in: remove make-print-version from LIBOBJS, it's no + longer in lib/roken but always built in lib/vers + +2001-07-12 Johan Danielsson <joda@pdc.kth.se> + + * lib/hdb/mkey.c: more set_error_string + +2001-07-12 Assar Westerlund <assar@sics.se> + + * lib/hdb/Makefile.am (libhdb_la_LIBADD): add required library + dependencies + + * lib/asn1/Makefile.am (libasn1_la_LIBADD): add required library + dependencies + +2001-07-11 Johan Danielsson <joda@pdc.kth.se> + + * kdc/hprop.c: remove v4 master key handling; remove old v4-db and + ka-db flags; add defaults for v4_realm and afs_cell + +2001-07-09 Assar Westerlund <assar@sics.se> + + * lib/krb5/sock_principal.c (krb5_sock_to_principal): copy hname + before calling krb5_sname_to_principal. from "Jacques A. Vidrine" + <n@nectar.com> + +2001-07-08 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/context.c: use krb5_copy_addresses instead of + copy_HostAddresses + +2001-07-06 Assar Westerlund <assar@sics.se> + + * configure.in (LIB_des_a, LIB_des_so): add these so that they can + be used by lib/auth/sia + + * kuser/kinit.c: re-do some of the v4 fallbacks: look at + get-tokens flag do not print extra errors do not try to do 524 if + we got tickets from a v4 server + +2001-07-03 Assar Westerlund <assar@sics.se> + + * lib/krb5/replay.c (krb5_get_server_rcache): cast argument to + printf + + * lib/krb5/get_addrs.c (find_all_addresses): call free_addresses + on ignore_addresses correctly + * lib/krb5/init_creds.c + (krb5_get_init_creds_opt_set_default_flags): change to take a + const realm + + * lib/krb5/principal.c (krb5_425_conv_principal_ext): if the + instance is the first component of the local hostname, the + converted host should be the long hostname. 
from + <shadow@dementia.org> + +2001-07-02 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/Makefile.am: address.c is no more; add a couple of + manpages + + * lib/krb5/krb5_timeofday.3: new manpage + + * lib/krb5/krb5_get_all_client_addrs.3: new manpage + + * lib/krb5/get_in_tkt.c (init_as_req): treat no addresses as + wildcard + + * lib/krb5/get_cred.c (get_cred_kdc_la): treat no addresses as + wildcard + + * lib/krb5/get_addrs.c: don't include client addresses that match + ignore_addresses + + * lib/krb5/context.c: initialise ignore_addresses + + * lib/krb5/addr_families.c: add new `arange' fake address type, + that matches more than one address; this required some internal + changes to many functions, so all of address.c got moved here + (wasn't much left there) + + * lib/krb5/krb5.h: add list of ignored addresses to context + +2001-07-03 Assar Westerlund <assar@sics.se> + + * Release 0.4b + +2001-07-03 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 17:0:0 + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): set version to 7:2:0 + +2001-07-03 Assar Westerlund <assar@sics.se> + + * Release 0.4a + +2001-07-02 Johan Danielsson <joda@pdc.kth.se> + + * kuser/kinit.c: make this compile without krb4 support + + * lib/krb5/write_message.c: remove priv parameter from + write_safe_message; don't know why it was there in the first place + + * doc/install.texi: remove kaserver switches, it's always compiled + in now + + * kdc/hprop.c: always include kadb support + + * kdc/kaserver.c: always include kaserver support + +2001-07-02 Assar Westerlund <assar@sics.se> + + * kpasswd/kpasswdd.c (doit): make failing to bind a socket a + non-fatal error, and abort if no sockets were bound + +2001-07-01 Assar Westerlund <assar@sics.se> + + * lib/krb5/krbhst.c: remember the real port number when falling + back from kpasswd -> kadmin, and krb524 -> kdc + +2001-06-29 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_for_creds.c 
(krb5_get_forwarded_creds): if + no_addresses is set, do not add any local addresses to KRB_CRED + + * kuser/kinit.c: remove extra clearing of password and some + redundant code + +2001-06-29 Johan Danielsson <joda@pdc.kth.se> + + * kuser/kinit.c: move ticket conversion code to separate function, + and call that from a couple of places, like when renewing a + ticket; also add a flag for just converting a ticket + + * lib/krb5/init_creds_pw.c: set renew-life to some sane value + + * kdc/524.c: don't send more data than required + +2001-06-24 Assar Westerlund <assar@sics.se> + + * lib/krb5/store_fd.c (krb5_storage_from_fd): check malloc returns + + * lib/krb5/keytab_any.c (any_resolve); improving parsing of ANY: + (any_start_seq_get): remove a double free + (any_next_entry): iterate over all (sub) keytabs and avoid leave data + around to be freed again + + * kdc/kdc_locl.h: add a define for des_new_random_key when using + openssl's libcrypto + + * configure.in: move v6 tests down + + * lib/krb5/krb5.h (krb5_context_data): remove srv_try_rfc2052 + + * update to libtool 1.4 and autoconf 2.50 + +2001-06-22 Johan Danielsson <joda@pdc.kth.se> + + * lib/hdb/hdb.c: use krb5_add_et_list + +2001-06-21 Johan Danielsson <joda@pdc.kth.se> + + * lib/hdb/Makefile.am: add generation number + * lib/hdb/common.c: add generation number code + * lib/hdb/hdb.asn1: add generation number + * lib/hdb/print.c: use krb5_storage to make it more dynamic + +2001-06-21 Assar Westerlund <assar@sics.se> + + * lib/krb5/krb5.conf.5: update to changed names used by + krb5_get_init_creds_opt_set_default_flags + * lib/krb5/init_creds.c + (krb5_get_init_creds_opt_set_default_flags): make the appdefault + keywords have the same names + + * configure.in: only add -L and -R to the krb4 libdir if we are + actually using it + + * lib/krb5/krbhst.c (fallback_get_hosts): do not copy trailing + dot of hostname add some comments + * lib/krb5/krbhst.c: use getaddrinfo instead of dns_lookup when + testing for 
kerberos.REALM. this allows reusing that information + when actually contacting the server and thus avoids one DNS lookup + +2001-06-20 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5.h: include k524_err.h + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): don't test + for keytype, the server will do this for us if it has anything to + complain about + + * lib/krb5/context.c: add protocol compatible krb524 error codes + + * lib/krb5/Makefile.am: add protocol compatible krb524 error codes + + * lib/krb5/k524_err.et: add protocol compatible krb524 error codes + + * lib/krb5/krb5_principal_get_realm.3: manpage + + * lib/krb5/principal.c: add functions `krb5_principal_get_realm' + and `krb5_principal_get_comp_string' that returns parts of a + principal; this is a replacement for the internal + `krb5_princ_realm' and `krb5_princ_component' macros that everyone + seem to use + +2001-06-19 Assar Westerlund <assar@sics.se> + + * kuser/kinit.c (main): dereference result from krb5_princ_realm. 
+ from Thomas Nystrom <thn@saeab.se> + +2001-06-18 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/mk_req.c (krb5_mk_req_exact): free creds when done + * lib/krb5/crypto.c (krb5_string_to_key_derived): fix memory leak + * lib/krb5/krbhst.c (config_get_hosts): free hostlist + * kuser/kinit.c: free principal + +2001-06-18 Assar Westerlund <assar@sics.se> + + * lib/krb5/send_to_kdc.c (krb5_sendto): remove an extra + freeaddrinfo + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc_ccache): + remove some unused variables + + * lib/krb5/krbhst.c (admin_get_next): spell kerberos correctly + * kdc/kerberos5.c: update to new krb5_auth_con* names + * kdc/hpropd.c: update to new krb5_auth_con* names + * lib/krb5/rd_req.c (krb5_rd_req): use krb5_auth_con* functions + and remove some comments + * lib/krb5/rd_safe.c (krb5_rd_safe): pick the keys in the right + order: remote - local - session + * lib/krb5/rd_rep.c (krb5_rd_rep): save the remote sub key in the + auth_context + * lib/krb5/rd_priv.c (krb5_rd_priv): pick keys in the correct + order: remote - local - session + * lib/krb5/mk_safe.c (krb5_mk_safe): pick keys in the right order, + local - remote - session + +2001-06-18 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/convert_creds.c: use starttime instead of authtime, + from Chris Chiappa + + * lib/krb5/convert_creds.c: make krb524_convert_creds_kdc match + the MIT function by the same name; add + krb524_convert_creds_kdc_ccache that does what the old version did + + * admin/list.c (do_list): make sure list of keys is NULL + terminated; similar to patch sent by Chris Chiappa + +2001-06-18 Assar Westerlund <assar@sics.se> + + * lib/krb5/mcache.c (mcc_remove_cred): use + krb5_free_creds_contents + + * lib/krb5/auth_context.c: name function krb5_auth_con more + consistenly + * lib/krb5/rd_req.c (krb5_verify_authenticator_checksum): use + renamed krb5_auth_con_getauthenticator + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): update to + use krb5_krbhst API 
+ * lib/krb5/changepw.c (krb5_change_password): update to use + krb5_krbhst API + * lib/krb5/send_to_kdc.c: update to use krb5_krbhst API + * lib/krb5/krbhst.c (krb5_krbhst_get_addrinfo): add set def_port + in krb5_krbhst_info + (krb5_krbhst_free): free everything + + * lib/krb5/krb5.h (KRB5_VERIFY_NO_ADDRESSES): add + (krb5_krbhst_info): add def_port (default port for this service) + + * lib/krb5/krbhst-test.c: make it more verbose and useful + * lib/krb5/krbhst.c: remove some more memory leaks do not try any + dns operations if there is local configuration admin: fallback to + kerberos.REALM 524: fallback to kdcs kpasswd: fallback to admin + add some comments + + * configure.in: remove initstate and setstate, they should be in + cf/roken-frag.m4 + + * lib/krb5/Makefile.am (noinst_PROGRAMS): add krbhst-test + * lib/krb5/krbhst-test.c: new program for testing krbhst + * lib/krb5/krbhst.c (common_init): remove memory leak + (main): move test program into krbhst-test + +2001-06-17 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5_krbhst_init.3: manpage + + * lib/krb5/krb5_get_krbhst.3: manpage + +2001-06-16 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5.h: add opaque krb5_krbhst_handle type + + * lib/krb5/krbhst.c: change void* to krb5_krbhst_handle + + * lib/krb5/krb5.h: types for new krbhst api + + * lib/krb5/krbhst.c: implement a new api that looks up one host at + a time, instead of making a list of hosts + +2001-06-09 Johan Danielsson <joda@pdc.kth.se> + + * configure.in: test for initstate and setstate + + * lib/krb5/krbhst.c: remove rfc2052 support + +2001-06-08 Johan Danielsson <joda@pdc.kth.se> + + * fix some manpages for broken mdoc.old grog test + +2001-05-28 Assar Westerlund <assar@sics.se> + + * lib/krb5/krb5.conf.5: add [appdefaults] + * lib/krb5/init_creds_pw.c: remove configuration reading that is + now done in krb5_get_init_creds_opt_set_default_flags + * lib/krb5/init_creds.c + (krb5_get_init_creds_opt_set_default_flags): add reading of 
+ libdefaults versions of these and add no_addresses + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): clear error string + when preauth was required and we retry + +2001-05-25 Assar Westerlund <assar@sics.se> + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): call + krb5_get_krb524hst + * lib/krb5/krbhst.c (krb5_get_krb524hst): add and restructure the + support functions + +2001-05-22 Assar Westerlund <assar@sics.se> + + * kdc/kerberos5.c (tgs_rep2): alloc and free csec and cusec + properly + +2001-05-17 Assar Westerlund <assar@sics.se> + + * Release 0.3f + +2001-05-17 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am: bump version to 16:0:0 + * lib/hdb/Makefile.am: bump version to 7:1:0 + * lib/asn1/Makefile.am: bump version to 5:0:0 + * lib/krb5/keytab_krb4.c: add SRVTAB as an alias for krb4 + * lib/krb5/codec.c: remove dead code + +2001-05-17 Johan Danielsson <joda@pdc.kth.se> + + * kdc/config.c: actually check the ticket addresses + +2001-05-15 Assar Westerlund <assar@sics.se> + + * lib/krb5/rd_error.c (krb5_error_from_rd_error): use correct + parenthesis + + * lib/krb5/eai_to_heim_errno.c (krb5_eai_to_heim_errno): add + `errno' (called system_error) to allow callers to make sure they + pass the current and relevant value. 
update callers + +2001-05-14 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/verify_user.c: krb5_verify_user_opt + + * lib/krb5/krb5.h: verify_opt + + * kdc/kerberos5.c: pass context to krb5_domain_x500_decode + +2001-05-14 Assar Westerlund <assar@sics.se> + + * kpasswd/kpasswdd.c: adapt to new address functions + * kdc/kerberos5.c: adapt to changing address functions use LR_TYPE + * kdc/connect.c: adapt to changing address functions + * kdc/config.c: new krb5_config_parse_file + * kdc/524.c: new krb5_sockaddr2address + * lib/krb5/*: add some krb5_{set,clear}_error_string + + * lib/asn1/k5.asn1 (LR_TYPE): add + * lib/asn1/Makefile.am (gen_files): add asn1_LR_TYPE.x + +2001-05-11 Assar Westerlund <assar@sics.se> + + * kdc/kerberos5.c (tsg_rep): fix typo in variable name + + * kpasswd/kpasswd-generator.c (nop_prompter): update prototype + * lib/krb5/init_creds_pw.c: update to new prompter, use prompter + types and send two prompts at once when changning password + * lib/krb5/prompter_posix.c (krb5_prompter_posix): add name + * lib/krb5/krb5.h (krb5_prompt): add type + (krb5_prompter_fct): add anem + + * lib/krb5/cache.c (krb5_cc_next_cred): transpose last two + paramaters to krb5_cc_next_cred (as MIT does, and not as they + document). From "Jacques A. Vidrine" <n@nectar.com> + +2001-05-11 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/Makefile.am: store-test + + * lib/krb5/store-test.c: simple bit storage test + + * lib/krb5/store.c: add more byteorder storage flags + + * lib/krb5/krb5.h: add more byteorder storage flags + + * kdc/kerberos5.c: don't use NULL where we mean 0 + + * kdc/kerberos5.c: put referral test code in separate function, + and test for KRB5_NT_SRV_INST + +2001-05-10 Assar Westerlund <assar@sics.se> + + * admin/list.c (do_list): do not close the keytab if opening it + failed + * admin/list.c (do_list): always print complete names. print + everything to stdout. 
+ * admin/list.c: print both v5 and v4 list by default + * admin/remove.c (kt_remove): reorganize some. open the keytab + (defaulting to the modify one). + * admin/purge.c (kt_purge): reorganize some. open the keytab + (defaulting to the modify one). correct usage strings + * admin/list.c (kt_list): reorganize some. open the keytab + * admin/get.c (kt_get): reorganize some. open the keytab + (defaulting to the modify one) + * admin/copy.c (kt_copy): default to modify key name. re-organise + * admin/change.c (kt_change): reorganize some. open the keytab + (defaulting to the modify one) + * admin/add.c (kt_add): reorganize some. open the keytab + (defaulting to the modify one) + * admin/ktutil.c (main): do not open the keytab, let every + sub-function handle it + + * kdc/config.c (configure): call free_getarg_strings + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): set error strings for + a few more errors + + * lib/krb5/get_host_realm.c (krb5_get_host_realm_int): make + `use_dns' parameter boolean + + * lib/krb5/krb5.h (krb5_context_data): add default_keytab_modify + * lib/krb5/context.c (init_context_from_config_file): set + default_keytab_modify + * lib/krb5/krb5_locl.h (KEYTAB_DEFAULT): change to + ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab + (KEYTAB_DEFAULT_MODIFY): add + * lib/krb5/keytab.c (krb5_kt_default_modify_name): add + (krb5_kt_resolve): set error string for failed keytab type + +2001-05-08 Assar Westerlund <assar@sics.se> + + * lib/krb5/crypto.c (encryption_type): make field names more + consistent + (create_checksum): separate usage and type + (krb5_create_checksum): add a separate type parameter + (encrypt_internal): only free once on mismatched checksum length + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc2): try to tell what + realm we didn't manage to reach any KDC for in the error string + + * lib/krb5/generate_seq_number.c (krb5_generate_seq_number): free + the entire subkey. 
from <tmartin@mirapoint.com> + +2001-05-07 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/keytab_keyfile.c (akf_start_seq_get): return + KT_NOTFOUND if the file is empty + +2001-05-07 Assar Westerlund <assar@sics.se> + + * lib/krb5/fcache.c: call krb5_set_error_string when open fails + fatally + * lib/krb5/keytab_file.c: call krb5_set_error_string when open + fails fatally + + * lib/krb5/warn.c (_warnerr): print error_string in context in + preference to error string derived from error code + * kuser/kinit.c (main): try to print the error string + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): set some sensible + error strings for errors + + * lib/krb5/krb5.h (krb5_context_data): add error_string and + error_buf + * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add error_string.c + * lib/krb5/error_string.c: new file + +2001-05-02 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/time.c: krb5_string_to_deltat + + * lib/krb5/sock_principal.c: one less data copy + + * lib/krb5/eai_to_heim_errno.c: conversion function for h_errno's + + * lib/krb5/get_default_principal.c: change this slightly + + * lib/krb5/crypto.c: make checksum_types into an array of pointers + + * lib/krb5/convert_creds.c: make sure we always use a des-cbc-crc + ticket + +2001-04-29 Assar Westerlund <assar@sics.se> + + * kdc/kerberos5.c (tgs_rep2): return a reference to a krbtgt for + the right realm if we fail to find a non-krbtgt service in the + database and the second component does a succesful non-dns lookup + to get the real realm (which has to be different from the + originally-supplied realm). 
this should help windows 2000 clients + that always start their lookups in `their' realm and do not have + any idea of how to map hostnames into realms + * kdc/kerberos5.c (is_krbtgt): rename to get_krbtgt_realm + +2001-04-27 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/get_host_realm.c (krb5_get_host_realm_int): add extra + parameter to request use of dns or not + +2001-04-25 Assar Westerlund <assar@sics.se> + + * admin/get.c (kt_get): allow specification of encryption types + * lib/krb5/verify_init.c (krb5_verify_init_creds): do not try to + close an unopened ccache, noted by <marc@mit.edu> + + * lib/krb5/krb5.h (krb5_any_ops): add declaration + * lib/krb5/context.c (init_context_from_config_file): register + krb5_any_ops + + * lib/krb5/keytab_any.c: new file, implementing union of keytabs + * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_any.c + + * lib/krb5/init_creds_pw.c (get_init_creds_common): handle options + == NULL. noted by <marc@mit.edu> + +2001-04-19 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/rd_cred.c: set ret_creds to NULL before doing anything + else, from Jacques Vidrine + +2001-04-18 Johan Danielsson <joda@pdc.kth.se> + + * lib/hdb/libasn1.h: asn1.h -> krb5_asn1.h + + * lib/asn1/Makefile.am: add asn1_ENCTYPE.x + + * lib/krb5/krb5.h: adapt to asn1 changes + + * lib/asn1/k5.asn1: move enctypes here + + * lib/asn1/libasn1.h: rename asn1.h to krb5_asn1.h to avoid + conflicts + + * lib/asn1/Makefile.am: rename asn1.h to krb5_asn1.h to avoid + conflicts + + * lib/asn1/lex.l: use strtol to parse constants + +2001-04-06 Johan Danielsson <joda@pdc.kth.se> + + * kuser/kinit.c: add simple support for running commands + +2001-03-26 Assar Westerlund <assar@sics.se> + + * lib/hdb/hdb-ldap.c: change order of includes to allow it to work + with more versions of openldap + + * kdc/kerberos5.c (tgs_rep2): try to set sec and usec in error + replies + (*): update callers of krb5_km_error + (check_tgs_flags): handle renews requesting non-renewable 
tickets + + * lib/krb5/mk_error.c (krb5_mk_error): allow specifying both ctime + and cusec + + * lib/krb5/krb5.h (krb5_checksum, krb5_keyusage): add + compatibility names + + * lib/krb5/crypto.c (create_checksum): change so that `type == 0' + means pick from the `crypto' (context) and otherwise use that + type. this is not a large change in practice and allows callers + to specify the exact checksum algorithm to use + +2001-03-13 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_cred.c (get_cred_kdc): add support for falling back + to KRB5_KU_AP_REQ_AUTH when KRB5_KU_TGS_REQ_AUTH gives `bad + integrity'. this helps for talking to old (pre 0.3d) KDCs + +2001-03-12 Assar Westerlund <assar@pdc.kth.se> + + * lib/krb5/crypto.c (krb5_derive_key): new function, used by + derived-key-test.c + * lib/krb5/string-to-key-test.c: add new test vectors posted by + Ken Raeburn <raeburn@mit.edu> in <tx1bsra8919.fsf@raeburn.org> to + ietf-krb-wg@anl.gov + * lib/krb5/n-fold-test.c: more test vectors from same source + * lib/krb5/derived-key-test.c: more tests from same source + +2001-03-06 Assar Westerlund <assar@sics.se> + + * acconfig.h: include roken_rename.h when appropriate + +2001-03-06 Assar Westerlund <assar@sics.se> + + * lib/krb5/krb5.h (krb5_enctype): remove trailing comma + +2001-03-04 Assar Westerlund <assar@sics.se> + + * lib/krb5/krb5.h (krb5_enctype): add ENCTYPE_* aliases for + compatibility with MIT krb5 + +2001-03-02 Assar Westerlund <assar@sics.se> + + * kuser/kinit.c (main): only request a renewable ticket when + explicitly requested. 
it still gets a renewable one if the renew + life is specified + * kuser/kinit.c (renew_validate): treat -1 as flags not being set + +2001-02-28 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/context.c (krb5_init_ets): use krb5_add_et_list + +2001-02-27 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/get_cred.c: implement krb5_get_cred_from_kdc_opt + +2001-02-25 Assar Westerlund <assar@sics.se> + + * configure.in: do not use -R when testing for des functions + +2001-02-14 Assar Westerlund <assar@sics.se> + + * configure.in: test for lber.h when trying to link against + openldap to handle openldap v1, from Sumit Bose + <sumit.bose@suse.de> + +2001-02-19 Assar Westerlund <assar@sics.se> + + * lib/asn1/libasn1.h: add string.h (for memset) + +2001-02-15 Assar Westerlund <assar@sics.se> + + * lib/krb5/warn.c (_warnerr): add printf attributes + * lib/krb5/send_to_kdc.c (krb5_sendto): loop over all address + returned by getaddrinfo before trying the next kdc. from + thorpej@netbsd.org + + * lib/krb5/krb5.conf.5: fix default_realm in example + + * kdc/connect.c: fix a few kdc_log format types + + * configure.in: try to handle libdes/libcrypto ont requiring -L + +2001-02-10 Assar Westerlund <assar@sics.se> + + * lib/asn1/gen_decode.c (generate_type_decode): zero the data at + the beginning of the generated function, and add a label `fail' + that the code jumps to in case of errors that frees all allocated + data + +2001-02-07 Assar Westerlund <assar@sics.se> + + * configure.in: aix dce: fix misquotes, from Ake Sandgren + <ake@cs.umu.se> + + * configure.in (dpagaix_LDFLAGS): try to add export file + +2001-02-05 Assar Westerlund <assar@sics.se> + + * lib/krb5/krb5_keytab.3: new man page, contributed by + <lha@stacken.kth.se> + + * kdc/kaserver.c: update to new db_fetch4 + +2001-02-05 Assar Westerlund <assar@assaris.sics.se> + + * Release 0.3e + +2001-01-30 Assar Westerlund <assar@sics.se> + + * kdc/hprop.c (v4_get_masterkey): check kdb_verify_master_key + properly + 
(kdb_prop): decrypt key properly + * kdc/hprop.c: handle building with KRB4 always try to decrypt v4 + data with the master key leave it up to the v5 how to encrypt with + that master key + + * kdc/kstash.c: include file name in error messages + * kdc/hprop.c: fix a typo and check some more return values + * lib/hdb/hdb-ldap.c (LDAP__lookup_princ): call ldap_search_s + correctly. From Jacques Vidrine <n@nectar.com> + * kdc/misc.c (db_fetch): HDB_ERR_NOENTRY makes more sense than + ENOENT + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to + 15:0:0 + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): bump version to 7:0:0 + * lib/asn1/Makefile.am (libasn1_la_LDFLAGS): bump version to 4:0:2 + * kdc/misc.c (db_fetch): return an error code. change callers to + look at this and try to print it in log messages + + * lib/krb5/crypto.c (decrypt_internal_derived): check that there's + enough data + +2001-01-29 Assar Westerlund <assar@sics.se> + + * kdc/hprop.c (realm_buf): move it so it becomes properly + conditional on KRB4 + + * lib/hdb/mkey.c (hdb_unseal_keys_mkey, hdb_seal_keys_mkey, + hdb_unseal_keys, hdb_seal_keys): check that we have the correct + master key and that we manage to decrypt the key properly, + returning an error code. fix all callers to check return value. + + * tools/krb5-config.in: use @LIB_des_appl@ + * tools/Makefile.am (krb5-config): add LIB_des_appl + * configure.in (LIB_des): set correctly + (LIB_des_appl): add for the use by krb5-config.in + + * lib/krb5/store_fd.c (fd_fetch, fd_store): use net_{read,write} + to make sure of not dropping data when doing it over a socket. 
+ (this might break when used with ordinary files on win32) + + * lib/hdb/hdb_err.et (NO_MKEY): add + + * kdc/kerberos5.c (as_rep): be paranoid and check + krb5_enctype_to_string for failure, noted by <lha@stacken.kth.se> + + * lib/krb5/krb5_init_context.3, lib/krb5/krb5_context.3, + lib/krb5/krb5_auth_context.3: add new man pages, contributed by + <lha@stacken.kth.se> + + * use the openssl api for md4/md5/sha and handle openssl/*.h + + * kdc/kaserver.c (do_getticket): check length of ticket. noted by + <lha@stacken.kth.se> + +2001-01-28 Assar Westerlund <assar@sics.se> + + * configure.in: send -R instead of -rpath to libtool to set + runtime library paths + + * lib/krb5/Makefile.am: remove all dependencies on libkrb + +2001-01-27 Assar Westerlund <assar@sics.se> + + * appl/rcp: add port of bsd rcp changed to use existing rsh, + contributed by Richard Nyberg <rnyberg@it.su.se> + +2001-01-27 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/get_port.c: don't warn if the port name can't be found, + nobody cares anyway + +2001-01-26 Johan Danielsson <joda@pdc.kth.se> + + * kdc/hprop.c: make it possible to convert a v4 dump file without + having any v4 libraries; the kdb backend still require them + + * kdc/v4_dump.c: include shadow definition of kdb Principal, so we + don't have to depend on any v4 libraries + + * kdc/hprop.h: include shadow definition of kdb Principal, so we + don't have to depend on any v4 libraries + + * lib/hdb/print.c: reduce number of memory allocations + + * lib/hdb/mkey.c: add support for reading krb4 /.k files + +2001-01-19 Assar Westerlund <assar@sics.se> + + * lib/krb5/krb5.conf.5: document admin_server and kpasswd_server + for realms document capath better + + * lib/krb5/krbhst.c (krb5_get_krb_changepw_hst): preferably look + at kpasswd_server before admin_server + + * lib/krb5/get_cred.c (get_cred_from_kdc_flags): look in + [libdefaults]capath for better hint of realm to send request to. 
+ this allows the client to specify `realm routing information' in + case it cannot be done at the server (which is preferred) + + * lib/krb5/rd_priv.c (krb5_rd_priv): handle no sequence number as + zero when we were expecting a sequence number. MIT krb5 cannot + generate a sequence number of zero, instead generating no sequence + number + * lib/krb5/rd_safe.c (krb5_rd_safe): dito + +2001-01-11 Assar Westerlund <assar@sics.se> + + * kpasswd/kpasswdd.c: add --port option + +2001-01-10 Assar Westerlund <assar@sics.se> + + * lib/krb5/appdefault.c (krb5_appdefault_string): fix condition + just before returning + +2001-01-09 Assar Westerlund <assar@sics.se> + + * appl/kf/kfd.c (proto): use krb5_rd_cred2 instead of krb5_rd_cred + +2001-01-05 Johan Danielsson <joda@pdc.kth.se> + + * kuser/kinit.c: call a time `time', and not `seconds' + + * lib/krb5/init_creds.c: not much point in setting the anonymous + flag here + + * lib/krb5/krb5_appdefault.3: document appdefault_time + +2001-01-04 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/verify_user.c: use + krb5_get_init_creds_opt_set_default_flags + + * kuser/kinit.c: use krb5_get_init_creds_opt_set_default_flags + + * lib/krb5/init_creds.c: new function + krb5_get_init_creds_opt_set_default_flags to set options from + krb5.conf + + * lib/krb5/rd_cred.c: make this match the MIT function + + * lib/krb5/appdefault.c (krb5_appdefault_string): handle NULL + def_val + (krb5_appdefault_time): new function + +2001-01-03 Assar Westerlund <assar@sics.se> + + * kdc/hpropd.c (main): handle EOF when reading from stdin diff --git a/third_party/heimdal/ChangeLog.2002 b/third_party/heimdal/ChangeLog.2002 new file mode 100644 index 0000000..8101be1 --- /dev/null +++ b/third_party/heimdal/ChangeLog.2002 
@@ -0,0 +1,726 @@ +2002-12-19 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/mk_rep.c: free allocated storage; reported by Howard + Chu + +2002-12-08 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kdc_locl.h: remove old encrypt_v4_ticket prototype + +2002-12-02 Johan Danielsson <joda@pdc.kth.se> + + * kpasswd/kpasswdd.c (doit): initialise sa_size to size of + sockaddr_storage + + * kdc/connect.c (init_socket): initialise sa_size to size of + sockaddr_storage + +2002-11-15 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5.h: remove trailing comma in enum + +2002-11-07 Johan Danielsson <joda@pdc.kth.se> + + * kdc/524.c: implement crude b2 style (non-)conversion for use + with afs + + * kdc/kerberos4.c: move encrypt_v4_ticket to 524.c, since that's + where it's used + +2002-10-21 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/keytab_keyfile.c: more strcspn + + * lib/krb5/store_emem.c (emem_store): limit how much we allocate + (from Olaf Kirch) + + * lib/krb5/principal.c: don't allow trailing backslashes in + components + + * kdc/connect.c: check that %-quotes are followed by two hex + digits + + * lib/krb5/keytab_any.c: properly close the open keytabs (from + Larry Greenfield) + + * kdc/kaserver.c: make sure life is positive (from John Godehn) + +2002-10-17 Johan Danielsson <joda@pdc.kth.se> + + * kuser/klist.c (display_tokens): allow tokens up to size of + buffer (from Magnus Holmberg) + +2002-09-29 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/changepw.c (process_reply): fix reply length check + calculation (reported by various people) + +2002-09-24 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/keytab_file.c (fkt_remove_entry): check return value + from start_seq_get (from Wynn Wilkes) + +2002-09-19 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/context.c (krb5_set_config_files): return ENXIO instead + of ENOENT when "unconfigured" + +2002-09-16 Jacques Vidrine <nectar@kth.se> + + * lib/krb5/kuserok.c, lib/krb5/prompter_posix.c: use strcspn + to 
convert the newline to NUL in fgets results. + +2002-09-13 Johan Danielsson <joda@pdc.kth.se> + + * kuser/kinit.1: remove unneeded Ns + + * lib/krb5/krb5_appdefault.3: remove extra "application" + + * fix-export: remove autom4ate.cache + +2002-09-10 Johan Danielsson <joda@pdc.kth.se> + + * include/make_crypto.c: don't use function macros if possible + + * lib/krb5/krb5_locl.h: get limits.h for UINT_MAX + + * include/Makefile.am: use make_crypto to create crypto-headers.h + + * include/make_crypto.c: crypto header generation tool + + * configure.in: move crypto test to just after testing for krb4, + and move roken tests to after both, this speeds up various failure + cases with krb4 + + * lib/krb5/config_file.c: don't use NULL when we mean 0 + + * configure.in: we don't set package_libdir anymore, so no point + in testing for it + + * tools/Makefile.am: subst INCLUDE_des + + * tools/krb5-config.in: add INCLUDE_des to cflags + + * configure.in: use AC_CONFIG_SRCDIR + + * fix-export: remove some unneeded stuff + + * kuser/kinit.c (do_524init): free principals + +2002-09-09 Jacques Vidrine <nectar@kth.se> + + * kdc/kerberos5.c (get_pa_etype_info, fix_transited_encoding), + kdc/kaserver.c (krb5_ret_xdr_data), + lib/krb5/transited.c (krb5_domain_x500_decode): Validate some + counts: Check that they are non-negative, and that they are small + enough to avoid integer overflow when used in memory allocation + calculations. Potential problem areas pointed out by + Sebastian Krahmer <krahmer@suse.de>. + + * lib/krb5/keytab_keyfile.c (akf_add_entry): Use O_EXCL when + creating a new keyfile. 
+ +2002-09-09 Johan Danielsson <joda@pdc.kth.se> + + * configure.in: don't try to build pam module + +2002-09-05 Johan Danielsson <joda@pdc.kth.se> + + * appl/kf/kf.c: fix warning string + + * lib/krb5/log.c (krb5_vlog_msg): delay message formating till we + know we need it + +2002-09-04 Assar Westerlund <assar@kth.se> + + * kdc/kerberos5.c (encode_reply): correct error logging + +2002-09-04 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/sendauth.c: close ccache if we opened it + + * appl/kf/kf.c: handle new protocol + + * appl/kf/kfd.c: use krb5_err instead of sysloging directly, + handle the new protocol, and bail out if an old client tries to + connect + + * appl/kf/kf_locl.h: we need a protocol version string + + * lib/hdb/hdb-ldap.c: use ASN1_MALLOC_ENCODE + + * kdc/kerberos5.c: use ASN1_MALLOC_ENCODE + + * kdc/hprop.c: set AP_OPTS_USE_SUBKEY + + * lib/hdb/common.c: use ASN1_MALLOC_ENCODE + + * lib/asn1/gen.c: add convenience macro that allocates a buffer + and encoded into that + + * lib/krb5/get_cred.c (init_tgs_req): use + in_creds->session.keytype literally instead of trying to convert + to a list of enctypes (it should already be an enctype) + + * lib/krb5/get_cred.c (init_tgs_req): init ret + +2002-09-03 Johan Danielsson <joda@pdc.kth.se> + + * lib/asn1/k5.asn1: remove ETYPE_DES3_CBC_NONE_IVEC + + * lib/krb5/krb5.h: remove ENCTYPE_DES3_CBC_NONE_IVEC + + * lib/krb5/crypto.c: get rid of DES3_CBC_encrypt_ivec, just use + zero ivec in DES3_CBC_encrypt if passed ivec is NULL + + * lib/krb5/Makefile.am: back out 1.144, since it will re-create + krb5-protos.h at build-time, which requires perl, which is bad + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): don't + blindly use the local subkey + + * lib/krb5/crypto.c: add function krb5_crypto_getblocksize that + extracts the required blocksize from a crypto context + + * lib/krb5/build_auth.c: just get the length of the encoded + authenticator instead of trying to grow a buffer + +2002-09-03 Assar 
Westerlund <assar@kth.se> + + * configure.in: add --disable-mmap option, and tests for + sys/mman.h and mmap + +2002-09-03 Jacques Vidrine <nectar@kth.se> + + * lib/krb5/changepw.c: verify lengths in response + + * lib/asn1/der_get.c (decode_integer, decode_unsigned): check for + truncated integers + +2002-09-02 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/mk_req_ext.c: generate a local subkey if + AP_OPTS_USE_SUBKEY is set + + * lib/krb5/build_auth.c: we don't have enough information about + whether to generate a local subkey here, so don't try to + + * lib/krb5/auth_context.c: new function + krb5_auth_con_generatelocalsubkey + + * lib/krb5/get_in_tkt.c: only set kdc_sec_offset if looking at an + initial ticket + + * lib/krb5/context.c (init_context_from_config_file): simplify + initialisation of srv_lookup + + * lib/krb5/changepw.c (send_request): set AP_OPTS_USE_SUBKEY + + * lib/krb5/krb5.h: add AP_OPTS_USE_SUBKEY + +2002-08-30 Assar Westerlund <assar@kth.se> + + * lib/krb5/name-45-test.c: also test krb5_524_conv_principal + * lib/krb5/Makefile.am (TESTS): add name-45-test + * lib/krb5/name-45-test.c: add testcases for + krb5_425_conv_principal + +2002-08-29 Assar Westerlund <assar@kth.se> + + * lib/krb5/parse-name-test.c: also test unparse_short functions + * lib/asn1/asn1_print.c: use com_err/error_message API + * lib/krb5/Makefile.am: add parse-name-test + * lib/krb5/parse-name-test.c: add a program for testing parsing + and unparsing principal names + +2002-08-28 Assar Westerlund <assar@kth.se> + + * kdc/config.c: add missing ifdef DAEMON + +2002-08-28 Johan Danielsson <joda@pdc.kth.se> + + * configure.in: use rk_SUNOS + + * kdc/config.c: add detach options + + * kdc/main.c: maybe detach from console? 
+ + * kdc/kdc.8: markup changes + + * configure.in: AC_TEST_PACKAGE_NEW -> rk_TEST_PACKAGE + + * configure.in: use rk_TELNET, rename some other macros, and don't + add -ldes to krb4 link command + + * kuser/kinit.1: whitespace fix (from NetBSD) + + * include/bits.c: we may need unistd.h for ssize_t + +2002-08-26 Assar Westerlund <assar@kth.se> + + * lib/krb5/principal.c (krb5_425_conv_principal_ext): lookup AAAA + rrs before A ones when using the resolver to verify a mapping, + also use getaddrinfo when resolver is not available + + * lib/hdb/keytab.c (find_db): const-correctness in parameters to + krb5_config_get_next + + * lib/asn1/gen.c: include <string.h> in the generated files (for + memset) + +2002-08-22 Assar Westerlund <assar@kth.se> + + * lib/krb5/test_get_addrs.c, lib/krb5/krbhst-test.c: make it use + getarg so that it can handle --help and --version (and thus make + check can pass) + + * lib/asn1/check-der.c: make this build again + +2002-08-22 Assar Westerlund <assar@kth.se> + + * lib/asn1/der_get.c (der_get_int): handle len == 0. 
based on a + patch from Love <lha@stacken.kth.se> + +2002-08-22 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5.h: we seem to call KRB5KDC_ERR_KEY_EXP + KRB5KDC_ERR_KEY_EXPIRED, so define the former to the latter + + * kdc/kdc.8: add blurb about adding and removing addresses; update + kdc.conf section to match reality + + * configure.in: KRB_SENDAUTH_VLEN seems to always have existed, so + don't define it + +2002-08-21 Assar Westerlund <assar@kth.se> + + * lib/asn1/asn1_print.c: print OIDs too, based on a patch from + Love <lha@stacken.kth.se> + +2002-08-21 Johan Danielsson <joda@pdc.kth.se> + + * kuser/kinit.c (do_v4_fallback): don't use krb_get_pw_in_tkt2 + since it might not exist, and we don't actually care about the key + +2002-08-20 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5.conf.5: correct documentation for + verify_ap_req_nofail + + * lib/krb5/log.c: rename syslog_data to avoid name conflicts (from + Mattias Amnefelt) + + * kuser/klist.c (display_tokens): increase token buffer size, and + add more checks of the kernel data (from Love) + +2002-08-19 Johan Danielsson <joda@pdc.kth.se> + + * fix-export: use make to parse Makefile.am instead of perl + + * configure.in: use argument-less AM_INIT_AUTOMAKE, now that it + groks AC_INIT with package name etc. 
+ + * kpasswd/kpasswdd.c: include <kadm5/private.h> + + * lib/asn1/asn1_print.c: include com_right.h + + * lib/krb5/addr_families.c: socklen_t -> krb5_socklen_t + + * include/bits.c: define krb5_socklen_t type; this should really + go someplace else, but this was easy + + * lib/krb5/verify_krb5_conf.c: don't bail out if parsing of a file + fails, just warn about it + + * kdc/log.c (kdc_openlog): no need for a config_file parameter + + * kdc/config.c: just treat kdc.conf like any other config file + + * lib/krb5/context.c (krb5_get_default_config_files): ignore + duplicate files + +2002-08-16 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5.h: turn strings into pointers, so we can assign to + them + + * lib/krb5/constants.c: turn strings into pointers, so we can + assign to them + + * lib/krb5/get_addrs.c (get_addrs_int): initialise res if + SCAN_INTERFACES is not set + + * lib/krb5/context.c: fix various borked stuff in previous commits + +2002-08-16 Jacques Vidrine <n@nectar.com> + + * lib/krb5/krbhst.c (kpasswd_get_next): if we fall back to using + the `admin_server' entry for kpasswd, override the `proto' result + to be UDP. 
+ +2002-08-15 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/auth_context.c: check return value of + krb5_sockaddr2address + + * lib/krb5/addr_families.c: check return value of + krb5_sockaddr2address + + * lib/krb5/context.c: get the default keytab from KRB5_KTNAME + +2002-08-14 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/verify_krb5_conf.c: allow parsing of more than one file + + * lib/krb5/context.c: allow changing config files with the + function krb5_set_config_files, there are also related functions + krb5_get_default_config_files and krb5_free_config_files; these + should work similar to their MIT counterparts + + * lib/krb5/config_file.c: allow the use of more than one config + file by using the new function krb5_config_parse_file_multi + +2002-08-12 Johan Danielsson <joda@pdc.kth.se> + + * use sysconfdir instead of /etc + + * configure.in: require autoconf 2.53; rename dpagaix_LDFLAGS etc + to appease automake; force sysconfdir and localstatedir to /etc + and /var/heimdal for now + + * kdc/connect.c (addr_to_string): check return value of + sockaddr2address + +2002-08-09 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/rd_cred.c: if the remote address isn't an addrport, + don't try comparing to one; this should make old clients work with + new servers + + * lib/asn1/gen_decode.c: remove unused variable + +2002-07-31 Johan Danielsson <joda@pdc.kth.se> + + * kdc/{kerberos5,524}.c: ENOENT -> HDB_ERR_NOENTRY (from Derrick + Brashear) + + * lib/krb5/principal.c: actually lower case the lower case + instance name (spotted by Derrick Brashear) + +2002-07-24 Johan Danielsson <joda@pdc.kth.se> + + * fix-export: if DATEDVERSION is set, change the version to + current date + + * configure.in: don't use AC_PROG_RANLIB, and use magic foo to set + LTLIBOBJS + +2002-07-04 Johan Danielsson <joda@pdc.kth.se> + + * kdc/connect.c: add some cache-control-foo to the http responses + (from Gombas Gabor) + + * lib/krb5/addr_families.c (krb5_print_address): don't copy 
size + if ret_len == NULL + +2002-06-28 Johan Danielsson <joda@pdc.kth.se> + + * kuser/klist.c (display_tokens): don't bail out before we get + EDOM (signaling the end of the tokens), the kernel can also return + ENOTCONN, meaning that the index does not exist anymore (for + example if the token has expired) + +2002-06-06 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/changepw.c: make sure we return an error if there are + no changepw hosts found; from Wynn Wilkes + +2002-05-29 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/cache.c (krb5_cc_register): break out of loop when the + same type is found; spotted by Wynn Wilkes + +2002-05-28 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/keytab_file.c: check size of entry before trying to + read 32-bit kvno; also fix typo in previous + +2002-05-24 Johan Danielsson <joda@pdc.kth.se> + + * include/Makefile.am: only add to INCLUDES + + * lib/45/mk_req.c: fix for storage change + + * lib/hdb/print.c: fix for storage change + +2002-05-15 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kerberos5.c: don't free encrypted padata until we're really + done with it + +2002-05-07 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kerberos5.c: when decrypting pa-data, try all keys matching + enctype + + * kuser/kinit.1: document -a + + * kuser/kinit.c: add command line switch for extra addresses + +2002-04-30 Johan Danielsson <joda@blubb.pdc.kth.se> + + * configure.in: remove some duplicate tests + + * configure.in: use AC_HELP_STRING + +2002-04-29 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/crypto.c (usage2arcfour): don't abort if the usage is + unknown + +2002-04-25 Johan Danielsson <joda@pdc.kth.se> + + * configure.in: use rk_DESTDIRS + +2002-04-22 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5_verify_user.3: make it clear that _lrealm modifies + the principal + +2002-04-19 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/verify_init.c: fix typo in error string + +2002-04-18 Johan Danielsson <joda@pdc.kth.se> + + * 
acconfig.h: remove some stuff that is defined elsewhere + + * lib/krb5/krb5_locl.h: include <sys/file.h> + + * lib/krb5/acl.c: rename acl_string parameter + + * lib/krb5/Makefile.am: remove __P from protos, and put parameter + names in comments + + * kuser/klist.c: better align some headers + + * kdc/kerberos4.c: storage tweaks + + * kdc/kaserver.c: storage tweaks + + * kdc/524.c: storage tweaks + + * lib/krb5/keytab_krb4.c: storage tweaks + + * lib/krb5/keytab_keyfile.c: storage tweaks + + * lib/krb5/keytab_file.c: storage tweaks; also try to handle zero + sized keytab files + + * lib/krb5/keytab_any.c: use KRB5_KT_END instead of KRB5_CC_END + + * lib/krb5/fcache.c: storage tweaks + + * lib/krb5/store_mem.c: make the krb5_storage opaque, and add + function wrappers for store/fetch/seek, and also make the eof-code + configurable + + * lib/krb5/store_fd.c: make the krb5_storage opaque, and add + function wrappers for store/fetch/seek, and also make the eof-code + configurable + + * lib/krb5/store_emem.c: make the krb5_storage opaque, and add + function wrappers for store/fetch/seek, and also make the eof-code + configurable + + * lib/krb5/store.c: make the krb5_storage opaque, and add function + wrappers for store/fetch/seek, and also make the eof-code + configurable + + * lib/krb5/store-int.h: make the krb5_storage opaque, and add + function wrappers for store/fetch/seek, and also make the eof-code + configurable + + * lib/krb5/krb5.h: make the krb5_storage opaque, and add function + wrappers for store/fetch/seek, and also make the eof-code + configurable + + * include/bits.c: include <sys/socket.h> to get socklen_t + + * kdc/kerberos5.c (get_pa_etype_info): sort ETYPE-INFOs by + requested KDC-REQ etypes + + * kdc/hpropd.c: constify + + * kdc/hprop.c: constify + + * kdc/string2key.c: constify + + * kdc/kdc_locl.h: make port_str const + + * kdc/config.c: constify + + * lib/krb5/config_file.c: constify + + * kdc/kstash.c: constify + + * lib/krb5/verify_user.c: remove 
unnecessary cast + + * lib/krb5/recvauth.c: constify + + * lib/krb5/principal.c (krb5_parse_name): const qualify + + * lib/krb5/mcache.c (mcc_get_name): constify return type + + * lib/krb5/context.c (krb5_free_context): don't try to free the + ccache prefix + + * lib/krb5/cache.c (krb5_cc_register): don't make a copy of the + prefix + + * lib/krb5/krb5.h: constify some struct members + + * lib/krb5/log.c: constify + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): const + qualify + + * lib/krb5/get_in_tkt.c (krb5_init_etype): constify + + * lib/krb5/crypto.c: constify some + + * lib/krb5/config_file.c: constify + + * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): + constify local variable + + * lib/krb5/addr_families.c (ipv4_sockaddr2port): constify + +2002-04-17 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/verify_krb5_conf.c: add some log checking + + * lib/krb5/log.c (krb5_addlog_dest): reorganise syslog parsing + +2002-04-16 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/crypto.c (krb5_crypto_init): check that the key size + matches the expected length + +2002-03-27 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/send_to_kdc.c: rename send parameter to send_data + + * lib/krb5/mk_error.c: rename ctime parameter to client_time + +2002-03-22 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kerberos5.c (find_etype): unsigned -> krb5_enctype (from + Reinoud Zandijk) + +2002-03-18 Johan Danielsson <joda@pdc.kth.se> + + * lib/asn1/k5.asn1: add the GSS-API checksum type here + +2002-03-11 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to + 18:3:1 + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): bump version to 7:5:0 + * lib/asn1/Makefile.am (libasn1_la_LDFLAGS): bump version to 6:0:0 + +2002-03-10 Assar Westerlund <assar@sics.se> + + * lib/krb5/rd_cred.c: handle addresses with port numbers + + * lib/krb5/keytab_file.c, lib/krb5/keytab.c: + store the kvno % 256 as the byte and the complete 32 bit 
kvno after + the end of the current keytab entry + + * lib/krb5/init_creds_pw.c: + handle LR_PW_EXPTIME and LR_ACCT_EXPTIME in the same way + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): + handle ports giving for the remote address + + * lib/krb5/get_cred.c: + get a ticket with no addresses if no-addresses is set + + * lib/krb5/crypto.c: + rename functions DES_* to krb5_* to avoid colliding with modern + openssl + + * lib/krb5/addr_families.c: + make all functions taking 'struct sockaddr' actually take a socklen_t + instead of int and that acts as an in-out parameter (indicating the + maximum length of the sockaddr to be written) + + * kdc/kerberos4.c: + make the kvno's in the krb4 universe by the real one % 256, since they + cannot only be 8 bit, and the v5 ones are actually 32 bits + +2002-02-15 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/keytab_keyfile.c (akf_add_entry): don't create the file + before we need to write to it + (from Åke Sandgren) + +2002-02-14 Johan Danielsson <joda@pdc.kth.se> + + * configure.in: rk_RETSIGTYPE and rk_BROKEN_REALLOC are called via + rk_ROKEN (from Gombas Gabor); find inttypes by CHECK_TYPES + directly + + * lib/krb5/rd_safe.c: actually use the correct key (from Daniel + Kouril) + +2002-02-12 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/context.c (krb5_get_err_text): protect against NULL + context + +2002-02-11 Johan Danielsson <joda@pdc.kth.se> + + * admin/ktutil.c: no need to use the "modify" keytab anymore + + * lib/krb5/keytab_any.c: implement add and remove + + * lib/krb5/keytab_krb4.c: implement add and remove + + * lib/krb5/store_emem.c (emem_free): clear memory before freeing + (this should perhaps be selectable with a flag) + +2002-02-04 Johan Danielsson <joda@pdc.kth.se> + + * kdc/config.c (get_dbinfo): if there are database specifications + in the config file, don't automatically try to use the default + values (from Gombas Gabor) + + * lib/krb5/log.c (krb5_closelog): don't pass pointer to pointer 
+ (from Gombas Gabor) + +2002-01-30 Johan Danielsson <joda@pdc.kth.se> + + * admin/list.c: get the default keytab from krb5.conf, and list + all parts of an ANY type keytab + + * lib/krb5/context.c: default default_keytab_modify to NULL + + * lib/krb5/keytab.c (krb5_kt_default_modify_name): if no modify + name is specified take it from the first component of the default + keytab name + +2002-01-29 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/keytab.c: compare keytab types case insensitively + +2002-01-07 Assar Westerlund <assar@sics.se> + + * lib/krb5/crypto.c (create_checksum): make usage `unsigned' (it's + not really a krb5_key_usage). From Ben Harris <bjh21@netbsd.org> + * lib/krb5/get_in_tkt.c: use krb5_enctype consistently. From Ben + Harris <bjh21@netbsd.org> + * lib/krb5/crypto.c: use krb5_enctype consistently. From Ben + Harris <bjh21@netbsd.org> + * kdc/kerberos5.c: use krb5_enctype consistently. From Ben Harris + <bjh21@netbsd.org> diff --git a/third_party/heimdal/ChangeLog.2003 b/third_party/heimdal/ChangeLog.2003 new file mode 100644 index 0000000..1ffd9de --- /dev/null +++ b/third_party/heimdal/ChangeLog.2003 
@@ -0,0 +1,1795 @@ +2003-12-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/error_string.c: protect error_string with mutex + + * lib/krb5/context.c: allocate and destroy mutex in krb5_context + + * lib/krb5/krb5.h (krb5_context_data): add mutex for error_string + +2003-12-18 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: make -9 work again + +2003-12-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c: try handle ts preauth better, still + not good, but at least it work with older heimdal releases that + doesn't send back KRB5KDC_ERR_PREAUTH_REQUIRED when preauth was + sent + +2003-12-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb.asn1: remove enforce-transited-policy, its no longer + used + +2003-12-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c (_krb5_pk_create_sign): fill in NULL as + parameters, required by CMS + +2003-12-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_in_tkt_with_keytab.c (krb5_get_in_tkt_with_keytab): + avoid memory leak that snuck in when krb5_keytab_key_proc was + exported, pointed out by Panases Inc + + * lib/krb5/keytab_file.c: do locking, found to be a problem for + Panasas Inc + + * lib/krb5/fcache.c: internally export x{,un}lock and thus prefix + them with _krb5_ + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use + KRB5_AUTH_CONTEXT_DO_TIME if we want timestamp in forwarded + krb-cred + + * lib/krb5/krb5_auth_context.3: some text about + krb5_auth_con_{add,remove}flags + + * lib/krb5/auth_context.c: add krb5_auth_con_addflags and + krb5_auth_con_removeflags + +2003-12-03 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/crypto.c (decrypt_internal_derived): move up padsize to + avoid memory leak + +2003-12-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/crypto.c: require cipher-text to be padded to padsize + + * lib/krb5/eai_to_heim_errno.c: EAI_ADDRFAMILY and EAI_NODATA is + deprecated in RFC3493 + + * lib/krb5/verify_krb5_conf.c 
(check_host): don't check for + EAI_NODATA, because its depricated in RFC3493 Pointed out by + Hajimu UMEMOTO <ume@mahoroba.org> on heimdal-discuss + +2003-12-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: move test_crypto to noinst_PROGRAMS + + * lib/krb5/test_crypto.c: add --version,--help + + * kuser/kinit.c (main): return the return value from simple_execvp + +2003-11-26 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: don't use PKINIT DH per default since its too + slow + + * lib/krb5/pkinit.c: tweek to make pkinit work with the fact the + asn1_compile can't generate code for context tagless optionals + + * kdc/pkinit.c: add support for KDC side of DH PKINIT + + * lib/krb5/pkinit.c: clean up error handling, make enc-type work + again + +2003-11-25 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: add flag to make it work with pkinit dh + + * lib/krb5/pkinit.c: make PKINIT DH support work + +2003-11-24 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/Makefile.am (LDADD): link with LIB_dlopen + + * kdc/pkinit.c: clean up + + * lib/krb5/krb5.h: make pkinit_win2k_compatible into a flag field + + * lib/krb5/pkinit.c: remove most compile depencies clean up + + * kdc/pkinit.c: print an error and turn of pkinit if openssl + failed to load + + * kdc/config.c: read pkinit (pki-mumble) configuration options + + * kdc/kerberos5.c: add pkinit support + + * kdc/kdc_locl.h: add prototypes for pkinit + + * kdc/pkinit.c: PKINIT patch from Daniel Kouril and Petr Holub, I + removed the dependency on valicert asn1 parser, remove smartcard + and globus support (for now). 
Work to be done on this: DH support, + Globus support, Smartcard support, windows support (MS implements + -09 of the draft), make it conform to the new draft + + * lib/krb5/pkinit.c: fix bugs, improve error reporting + +2003-11-23 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: add some "struct foo;" glue for pkinit + structures that isn't used + + * lib/krb5/pkinit.c: clean up, make remove depenency on openssl's + api + + * lib/krb5/krb5_locl.h: add some glue for pkinit add reference + counter to _krb5_get_init_creds_opt_private + + * lib/krb5/init_creds.c: reference count krb5_get_init_creds_opt + private component to avoid copy all the data in it + + * lib/krb5/crypto.c (AES_string_to_key): fix memory leak + + * lib/krb5/init_creds_pw.c (init_cred_loop): fix memory leak + + * lib/krb5/heim_threads.h: include pthread.h in the pthread case + +2003-11-18 Love Hörnquist Åstrand <lha@it.su.se> + + * kpasswd/kpasswdd.c (main): parse kdc.conf + 
From: Jeffrey Hutzelman <jhutz@cmu.edu> + +2003-11-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am (TESTS): add test_crypto + + * lib/krb5/test_crypto.c: time crypto operations + +2003-11-14 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/init-creds: spelling, Bruno Rohee <bruno@rohee.com> + +2003-11-09 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/rd_req.c (krb5_verify_ap_req2): krb5_free_ticket free + the ticket now, rewrite error handling to handle that + + * kpasswd/kpasswdd.c (process): don't free ticket, + krb5_free_ticket does that now + + * kdc/kerberos5.c (tgs_rep2): don't free ticket, krb5_free_ticket + does that now + + * lib/krb5/ticket.c (krb5_free_ticket): free the ticket itself to + match mit behavior, pointed out by Derrick Brashear + + * lib/krb5/krb5_ticket.3: krb5_free_ticket free the whole ticket + +2003-11-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/padata.c: add krb5_padata_add + + * lib/krb5/krb5.h: krb5_context_data.pkinit_win2k_compatible + + * lib/krb5/Makefile.am: add pkinit.c + + * kuser/kinit.c: add pkinit support + + * lib/krb5/init_creds_pw.c: add support for pkinit + + * lib/krb5/krb5_locl.h: add the opaque krb5_pk_init_ctx to + _krb5_get_init_creds_opt_private + + * lib/krb5/pkinit.c: rename krb5_pk_init_openssl_ctx to + krb5_pk_init_ctx fix win2k error handling + + * lib/krb5/pkinit.c: PKINIT patch from Daniel Kouril and Petr + Holub, I removed the dependency on valicert asn1 parser, remove + smartcard and globus support (for now). 
Work to be done on this: + DH support, Globus support, Smartcard support, windows support (MS + implements -09 of the draft), verify that it conforms the new + draft + +2003-11-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/der_copy.c (copy_oid): copy all components + +2003-10-27 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5.conf.5: document capaths section + +2003-10-22 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kerberos5.c: make sure that the server realm and the krbtgt + second component are identical; get rpath from the capaths section + + * kdc/kerberos5.c: change logic for when to check transited policy + to a tri-state model involving per principal flags (to be + implemented) + + * kdc/kdc_locl.h: change enforce_transited_policy to a tri-state + variable + + * kdc/config.c: change enforce_transited_policy to a tri-state + variable + +2003-10-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/transited.c (krb5_domain_x500_encode): always zero out + encoding to make sure it have a defined value on failure + + * lib/krb5/transited.c (krb5_domain_x500_encode): + if num_realms ==0, set encoding and return (avoids malloc(0)), + check return value for malloc + +2003-10-21 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kerberos5.c (fix_transited_encoding): always print + cross-realm information + +2003-10-21 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: spelling, 
From: Tracy Di Marco White + + * kdc/kerberos5.c (fix_transited_encoding): set transited type + +2003-10-21 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kdc.8: document enforce-transited-policy + + * kdc/kerberos5.c: always check transited policy if flag set + either globally or on principal + + * kdc/config.c: add flag to always check transited policy + + * lib/hdb/hdb.asn1: add flag to enforce transited policy + +2003-10-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/transited.c (krb5_domain_x500_decode): set *num_realms + to zero not num_realms + + * kuser/kgetcred.1: add --no-transit-check + + * kuser/kgetcred.c: add --no-transit-check + + * doc/setup.texi: describe Transit policy + +2003-10-20 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kerberos5.c (fix_transited_encoding): also verify with + policy, unless asked not to + + * lib/krb5/rd_req.c (krb5_decrypt_ticket): try to verify transited + realms, unless the transited-policy-checked flag is set + + * lib/krb5/transited.c (krb5_domain_x500_decode): handle zero + length tr data; + (krb5_check_transited): new function that does more useful stuff + + * lib/krb5/get_cred.c: get capath info from [capaths] section + +2003-10-16 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/fcache.c: Sleep forever waiting for lock. Previous + method doesn't work well with a large number of clients accessing + the cache at the same time, and there is no simple way to add a + timeout to the lock. + +2003-10-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.c: print the error value + krb5_init_context failed with + + * lib/krb5/config_file.c (krb5_config_parse_file_debug): punt if + there is binding before a section declaration. 
Bug found by + Arkadiusz Miskiewicz <arekm@pld-linux.org> + +2003-10-13 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/fcache.c (erase_file): revert a change in previous; if + the ccache is a symlink, kdestroy should remove it + + * lib/krb5/fcache.c: implement locking + +2003-10-12 Johan Danielsson <joda@pdc.kth.se> + + * kuser/klist.c (print_tickets): bail out if krb5_cc_next_cred + returns error other than KRB5_CC_END + +2003-10-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c: add some help function that is common + between ENC_TS and SAM2, free the etype{,2}-infos on failure, move + the pa counter into krb5_get_init_creds_ctx + +2003-10-06 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kaserver.c (do_getticket): if times data is shorter then 8 + byte, request is malformed. + + * kdc/kaserver.c (do_authenticate): if request length is less then + 8 byte, its a bad request and fail. Pointed out by Marco Foglia + <marco@foglia.org> + + * lib/krb5/verify_krb5_conf.c: add flag --warn-mit-syntax that + warns for mit syntax is used and just ignore the mit syntax when + its used + + * lib/krb5/verify_krb5_conf.c: parse [kdc]use_2b and [gssapi] + +2003-10-04 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/lex.l: add BOOLEAN + + * lib/asn1/parse.y: add BOOLEAN + +2003-10-03 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: When running kinit in "fork mode" do pagsh + independent of krb4, also always do krb4 setup of cc. Always try + to destroy the v4 cc. 
+ - add boolean --{,no-}request-pac that will request pac or not + + * kuser/klist.c (check_for_tgt): set client as part of the + pattern/match cred + + * lib/krb5/convert_creds.c (_krb5_krb_dest_tkt): unlink v4 token + (get_krb4_cc_name): move out from _krb5_krb_tf_setup + (_krb5_krb_tf_setup): adapt to allocated filename instead of + static filename + + * lib/krb5/krb5-v4compat.h: add _krb5_krb_dest_tkt and TKT_ROOT + + * lib/krb5/init_creds_pw.c (*) send PA_PAC_REQUEST when the user + have requested either use PAC or not use PAC, if the option not + set from the user, leave it up to the kdc to decide. + (init_creds_loop): clear error string on success + + * lib/krb5/init_creds.c: add + krb5_get_init_creds_opt_set_paq_request break out common part of + extended opt functions to require_ext_opt + + * lib/krb5/krb5_locl.h: add enum krb5_get_init_creds_req_pac and + use it in struct _krb5_get_init_creds_opt_private + + * tools/kdc-log-analyze.pl: handle some more failure lines + + * doc/programming.texi: some diffrences between Heimdal and MIT + Kerberos in the API + + * doc/setup.texi: add Setting up DNS + + * lib/krb5/rd_req.c (krb5_rd_req): always free keyblock since its + alway used + + * lib/asn1/Makefile.am: add SAM types and PAC_REQUEST + + * lib/asn1/k5.asn1: add more preauth types, add PA-PAC-REQUEST + + * lib/asn1: add boolean support + +2003-10-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/changepw.c (setpw_send_request): free ap_req_data on + failure + +2003-09-30 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/test/http_client.c (do_connect): use ai_protocol 0 + + * lib/krb5/init_creds_pw.c (init_cred_loop): handle + KRB5KRB_ERR_RESPONSE_TOO_BIG and loop again, this time requesting + LARGE_MSG from send to kdc, and if this is the second time bail + out; try to free memory + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc_flags): new function, + and then implement the order krb5_sendto_kdc* function with this + function. 
+ + * lib/krb5/krbhst.c (krb5_krbhst_init_flags): new function, use it + and adapt callers + (krbhst_get_default_proto): new function, returns udp, or in case + large_msg was requested for the krb5_krbhst_data, use tcp. + (*): if the flag KD_LARGE_MSG was set on the krb5_krbhst_data, avoid + using udp, use krbhst_get_default_proto + + * lib/krb5/krb5.h: flags for krb5_krbhst_init_flags (and + krb5_send_to_kdc_flags) + +2003-09-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/rd_req.c (krb5_rd_req): if we have a keyblock in auth + context, use that + + * appl/test/uu_client.c: print authorization data if there are any + + * lib/asn1/asn1_print.c: decode IA5Stringa and UTF8String + +2003-09-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c: use _krb5_get_init_creds_opt_copy + * lib/krb5/init_creds.c: don't export krb5_get_init_creds_opt_copy + + * lib/hdb/Makefile.am: libhdb might depend on LIB_dlopen + + * kuser/kinit.c: don't get v4 tickets by default + +2003-09-20 Love Hörnquist Åstrand <lha@it.su.se> + + * kpasswd/kpasswdd.c (process): remove a abort() + + * doc/win2k.texi: add some text about netdom.exe and trusts + + * TODO-1.0: gssapi rc4 done + + * kpasswd/kpasswdd.c: add support for Set password protocol as + defined by RFC3244 -- Microsoft Windows 2000 Kerberos Change + Password and Set Password Protocols + +2003-09-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/db3.c: improve readability of ->open ifdef, check if + version >= 4.1 + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_copy): add + + * lib/krb5/rd_req.c (krb5_rd_req): allow caller to pass in a key + in the auth_context, they way processes that doesn't use the + keytab can still pass in the key of the service (matches behavior + of MIT Kerberos). 
+ +2003-09-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c: collect all init_creds context into a + structure so it can easier be passed around, also, while here, + change nonce for every request + + * lib/krb5/get_in_tkt.c (init_as_req): don't realloc data before + the loop, add_padata() will handle that itself + + * lib/krb5/get_for_creds.c (add_addrs): don't increase addr->len + until in contains interesting data, use right iteration counter + when clearing the addresses + + * lib/krb5/log.c (log_realloc): increase len after realloc returns + sucessfully + +2003-09-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/config_file.c: fix prototypes + 
From: Fredrik Ljungberg <flag@pobox.se> + +2003-09-10 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/test/http_client.c: close socket when we are done, don't + allow the server to restart gssapi negotiation + + * lib/hdb/hdb_locl.h: include <limits.h> for ULONG_MAX noted by + Wissler Magnus <M.Wissler@abalon.se> on heimdal-discuss + + * appl/test/gssapi_client.c (proto): use select_mech + + * appl/test/http_client.c: use getarg + + * appl/test/gss_common.h: prototype for select_mech + + * appl/test/gss_common.c (select_mech): return the gss_OID from a + mech name + + * appl/test/http_client.c: print both source and target + + * appl/test/Makefile.am: build http_client + +2003-09-09 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/asn1_print.c: add support for printing Enumerated + + * appl/test/gssapi_client.c: allow user to select mech; krb5, + spnego, and no-oid + + * appl/test/test_locl.h: add mech + + * appl/test/common.c: add --mech,-m argument + + * appl/test/gssapi_server.c: print the mech that was used + + * kdc/kerberos5.c (only_older_enctype_p): check request if the + client only supports old enctypes, before it used the database + +2003-09-08 Love Hörnquist Åstrand <lha@it.su.se> + + * **/*.c: add context argument to krb5_get_init_creds_opt_alloc + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_alloc): add + context argument + + * lib/krb5/krb5_get_init_creds.3: spelling + +2003-09-04 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/context.c (add_file): make len argument an pointer to + an integer + + * lib/asn1/k5.asn1: add SAM types + + * lib/krb5/init_creds_pw.c: break out the encrypt timestamp + preauth to its function break out the pa_data_to_key_plain to its + own function make more variables const + +2003-09-04 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5.conf.5: document appdefaults/{forward,encrypt} + +2003-09-03 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.h: Add key usage for encryption of the + 
SAM-NONCE-OR-SAD field. + + * include/make_crypto.c: include <openssl/ui.h> in the openssl + case + + * kdc/hprop.h: use new DES_ api + + * lib/krb5/krb5-v4compat.h: assume session key is a char array of + length 8 + + * lib/krb5/prompter_posix.c: + s/des_read_pw_string/UI_UTIL_read_pw_string/ + + * kuser/kinit.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ + + * kdc/string2key.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ + + * kdc/kstash.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ + + * admin/add.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ + + * lib/krb5/crypto.c: switch from the des_ to the DES_ api + + * kdc/hprop.c: use DES_KEY_SZ instead of sizeof(des_block) + + * kuser/kverify.c: use + krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free + + * kpasswd/kpasswd-generator.c: use + krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free + + * kdc/hprop.c: use + krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free compare + a uint32_t with 0xffffffff instead of -1 + + * lib/krb5/krb5_425_conv_principal.3: fix [Gt] + + * kuser/kinit.c: use + krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): handle + password passed in though context + + * lib/krb5/Makefile.am (TESTS): += test_config + + * lib/krb5/aes-test.c: move variable thats used within a #ifdef to + be defined within that #ifdef + + * lib/krb5/data.c (krb5_data_free): reset whole krb5_data when + freeing it + + * lib/krb5/keyblock.c (krb5_keyblock_zero): new function, zeros + out a keyblock + + * lib/krb5/init_creds_pw.c: rewrite/implement + krb5_get_init_creds_password with new preauth handing, still it + can only work with krb5-pa-enc-timestamp for preauth, but now it + can handle etype-info2 + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_alloc): allocate + a opt structure + (krb5_get_init_creds_opt_free): free a opt structure + (krb5_get_init_creds_opt_set_pa_password): set preauth info for + 
enc-timestamp + + * lib/krb5/krb5_locl.h: add struct + _krb5_get_init_creds_opt_private + +2003-09-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.h: add SAM keyusage numbers, add s2k proc typedef, + add a pointer to a private part of krb5_get_init_creds_opt + + * kdc/string2key.c (main): avoid const warning by using a extra + variable + +2003-08-31 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): + reindent + + * lib/krb5/ticket.c (krb5_copy_ticket): free all data when + failing, copy data to right memory, the later pointed out by Luke + Howard. + +2003-08-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.h: cfx-01 use diffrent usage numbers + +2003-08-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/db3.c: try to include more db headers + + * lib/hdb/db3.c: patch for working with DB4 on heimdal-discuss + From: Luke Howard <lukeh@PADL.COM> + +2003-08-28 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.h: add KEYTYPE_ARCFOUR_56 + + * appl/test/gssapi_client.c: send both INT and CONF wrapped token + + * appl/test/gssapi_server.c: recv both INT and CONF wrapped token + + * lib/asn1/k5.asn1: add KRB5_NT_SMTP_NAME and KRB5_NT_ENTERPRISE + +2003-08-27 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/test/uu_client.c (proto): fill in client in the match cred + +2003-08-26 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.h: CFX uses slightly diffrent usage numbers + + * lib/krb5/crypto.c (usage2arcfour): simplify, only include + special cases 
From: Luke Howard <lukeh@PADL.COM> + +2003-08-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: code rewrite from Luke Howard + <lukeh@PADL.COM> + + * lib/krb5/crypto.c (arcfour_checksum_p): return true when is + arcfour, not when its not pointed out by Luke Howard + + * doc/ack.texi: update Luke Howard email address + +2003-08-24 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_encrypt.3: document: + krb5_crypto_getconfoundersize, krb5_crypto_getblocksize + krb5_crypto_getenctype, krb5_crypto_getpadsize + + * lib/krb5/crypto.c (krb5_crypto_getpadsize, + krb5_crypto_getconfoundersize): added From: Luke Howard + <lukeh@PADL.COM> + +2003-08-23 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/connect.c (handle_tcp): handle recvfrom returning 0 + (connection closed) + + * kdc/connect.c (grow_descr): increment the size after we succeed + to allocate the space + + * lib/krb5/krb5_create_checksum.3: text about when + krb5_crypto_get_checksum_type is useful + + * lib/krb5/crypto.c (krb5_crypto_get_checksum_type): fix format + string + + * lib/krb5/krb5_create_checksum.3: document + krb5_crypto_get_checksum_type + + * lib/krb5/crypto.c: add krb5_crypto_get_checksum_type + From: Luke Howard <lukeh@PADL.COM> + + * lib/asn1/gen.c: s/UTF8String/heim_utf8_string/ in generated code + From: Luke Howard <lukeh@PADL.COM> + +2003-08-21 Love Hörnquist Åstrand <lha@it.su.se> + + * include/make_crypto.c: include aes.h inc in the local libdes + case too + +2003-08-20 Johan Danielsson <joda@pdc.kth.se> + + * lib/asn1/der_free.c: set free'd poiners to NULL + + * lib/asn1/gen_free.c: set free'd poiners to NULL + +2003-08-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/heim_threads.h: XXX don't use "plain" pthread support + on netbsd + + * lib/krb5/crypto.c: Do the arcfour checksum mapping for + krb5_create_checksum and krb5_verify_checksum, 
From: Luke Howard + <lukeh@PADL.COM> + +2003-08-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_config.c: check krb5_prepend_config_files_default + and krb5_prepend_config_files + + * lib/krb5/context.c: add krb5_prepend_config_files and + krb5_prepend_config_files_default + +2003-08-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/mkey.c (read_master_mit): krb5_ret_int16 takes a int16_t + as argument + + * lib/krb5/parse-name-test.c: please lint (and me) + + * kdc/config.c (configure): remove only set variable 'e' + + * kdc/connect.c (init_socket): sockaddr size argument to + krb5_addr2sockaddr is a krb5_addr2sockaddr * + + * kdc/kerberos5.c (as_rep): remove usused variable + (tgs_rep2): don't use a temporary ret-variable, ret is reset later + + * lib/krb5/krb5_get_in_cred.3: these function will be deprecated + + * lib/krb5/Makefile.am: man_MANS += krb5_get_init_creds.3 + + * lib/krb5/krb5_get_init_creds.3: begining of documentation of + krb5_get_init_creds + + * lib/krb5/get_in_tkt.c (krb5_get_in_tkt): for compatibility with + with the mit implemtation, don't free `creds' argument when done, + its up the the caller to do that, also allow a NULL ccache. + +2003-08-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.conf.5: document tgs_require_subkey + + * lib/asn1/Makefile.am: remove trance of generate tests files, its + not really for consumption yet + + * lib/hdb/Makefile.am: split generated source from non generated + source we make-proto.pl can generate prototypes for non + generate-source only (make-proto.pl dies on asn1compile's .c + files) + + * lib/krb5/get_cred.c (init_tgs_req): make generation of subkey + optional on configuration parameter + [realms]realm={tgs_require_subkey=bool} + defaults to off. The RFC1510 weakly defines the correct behavior, + so old DCE secd apparently required the subkey to be there, and MS + will use it when its there. 
But the request isn't encrypted in the + subkey, so you get to choose if you want to talk to a MS mdc or a + old DCE secd. + + * kdc/kerberos5.c (*): handle krb5_unparse_name returning non-zero + +2003-08-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/principal.c (unparse_name): len can't be zero, so, + don't check for that + +2003-08-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/principal.c (unparse_name): make sure there are space + for a NUL, set *name to NULL when there is a failure (so caller + can't get hold of a freed pointer) + +2003-07-26 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/kerberos.8: remove duplicate manual, from + cjep@netbsd.org + +2003-07-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/cache.c: indent + + * lib/krb5/cache.c (krb5_cc_set_default_name): only read + KRB5CCNAME when not suid + +2003-07-24 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/keytab_krb4.c (read_v4_entry): the des key is 8 bytes, + use a char array instead of des_cblock + +2003-07-23 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: add support for KRB5_PADATA_ETYPE_INFO2 + + * lib/krb5/crypto.c (hmac): make it return an error when out of + memory, update callsites to either return error or use krb5_abortx + (krb5_hmac): expose hmac + +2003-07-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/keyblock.c (krb5_keyblock_get_enctype): return enctype + of keyblock + + * lib/krb5/Makefile.am (man_MANS): += krb5_keyblock.3 + + * lib/krb5/krb5_keyblock.3: some information about krb5_keyblock + and related functions + + * lib/krb5/heim_threads.h: make the non-debug version of the mutex + macros "use" the "mutex" integer so the compile wont complain + about defined unused variables + + * lib/krb5/heim_threads.h: make thread local storage macros take a + "return" argument so no functions need to be created for the + no-pthread case + + * lib/krb5/heim_threads.h: adding RWLOCKS and [sg]etspecific + + * configure.in: use 
KRB_PTHREADS + + * lib/asn1/Makefile.am (gen_files): add asn1_KerberosString and + sort + + * lib/asn1/k5.asn1 (ETYPE-INFO2-ENTRY): salt is a KerberosString + + * lib/krb5/krb5.3: add ticket access functions + * lib/krb5/krb5_ticket.3: ditto + * lib/krb5/ticket.c: ditto + * lib/krb5/Makefile.am: ditto + + * lib/krb5/mit_glue.c: add some more krb5_c functions + + * lib/krb5/krb5_c_make_checksum.3: add some more krb5_c functions + + * lib/krb5/crypto.c (krb5_cksumtype_valid): check is checksum type + is a valid one + + * lib/krb5/crypto.c (krb5_checksum_is_keyed): only set extented + error string when there is a context + (krb5_checksum_is_collision_proof): ditto + +2003-07-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/mit_glue.c (krb5_c_get_checksum): make type and data + argument optional + (krb5_c_{encrypt,decrypt}): return "better" error codes for + invalid ivec length + + * lib/krb5/krb5_c_make_checksum.3: update krb5_c_get_checksum + usage + + * lib/krb5/crypto.c (krb5_crypto_getenctype): new function + + * include/make_crypto.c: avoid redefining + OPENSSL_DES_LIBDES_COMPATIBILITY + + * lib/krb5/krb5.h: add krb5_enc_data + +2003-07-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.3: add krb5_c_ functions + + * lib/krb5/mit_glue.c: support passing in NULL as the + cipher_state/ivec + + * lib/krb5/aes-test.c: add test for krb5_c_encrypt_length and + krb5_c_decrypt + + * lib/krb5/krb5_c_make_checksum.3: krb5_c encryption glue + + * lib/krb5/crypto.c (wrapped_length/wrapped_length_derived): when + calculating the length of the encrypted data, use the keyed + checksum length if the enctype supports a keyed checksum. This + only matter for aes, for all other enctypes the key and unkeyed + checksum have the same length. 
+ +2003-07-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/mit_glue.c: first version of krb5_c encryption glue + + * doc/install.texi: update pointer to luke ldap documentation + + * lib/hdb/hdb.c (hdb_create): check for dynamic backend after + static to avoid warning from dynamic backend when using a known + static backend + +2003-07-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/cache.c: don't return value in void function + +2003-07-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/creds.c (krb5_compare_creds): if client is specified in + the mcreds, check that too + + * lib/krb5/{keytab_file.c,principal.c,mk_error.c,krb5.h,get_cred.c}: + prefix libasn1 types with heim_ + + * lib/asn1: prefix typedefs and structs with heim_ + +2003-07-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb.c: avoid unnecessary setting of variable + +2003-07-07 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/klist.c (check_for_tgt): use krb5_cc_clear_mcred + + * appl/test/uu_client.c (proto): use krb5_cc_clear_mcred + + * lib/krb5/get_cred.c (init_tgs_req): in case of error, don't free + in the req_body addresses since they where pass in by caller + (find_cred): use krb5_cc_clear_mcred + + * lib/krb5/krb5_ccache.3: document krb5_cc_clear_mcred + + * lib/krb5/cache.c (krb5_cc_clear_mcred): new function, clear a + krb5_creds to use with krb5_cc_retrieve_cred + +2003-06-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb.c (find_dynamic_method): if there isn't a prefix, + don't load anything + +2003-06-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb.c: Dynamic backend loading, based on patch from Luke + Howard <lukeh@PADL.COM> + + * lib/hdb/hdb.h: add struct hdb_so_method and + HDB_INTERFACE_VERSION + +2003-06-28 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): when using + arcfour-hmac-md5, use an unkeyed checksum (rsa-md5), since + Microsoft calculates the keyed checksum with the subkey of the + 
authenticator. + + * kuser/kinit.c: write out v4 credential caches with + _krb5_krb_tf_setup + + * lib/krb5/krb5-v4compat.h: add _krb5_krb_tf_setup + + * lib/krb5/convert_creds.c (_krb5_krb_tf_setup): create/append v4 + credential to a new krb4 ticket file + +2003-06-27 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5_kuserok.3: put Nd argument in double quotes since + it contains more than 9 words; from wiz + +2003-06-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.c: add missing " within #if 0, from + stefan sokoll <stefansokoll@yahoo.de> + +2003-06-24 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_timeofday.3: improve krb5_set_real_time text + + * lib/krb5/time.c: improve comment for krb5_set_real_time + +2003-06-23 Johan Danielsson <joda@pdc.kth.se> + + * kuser/kinit.1: document -A + + * kuser/kinit.c: add -A as an alias for --no-addresses + +2003-06-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): pass in a + krb5_timestamp to krb5_us_timeofday + + * lib/krb5/mk_error.c (krb5_mk_error): pass in a krb5_timestamp to + krb5_us_timeofday + + * lib/krb5/time.c (krb5_set_real_time): fix comment and make it + work + + * lib/krb5/time.c, lib/krb5/krb5_timeofday.3, + lib/krb5/Makefile.am lib/krb5/test_time.c: + + implement krb5_set_real_time, used by SAMBA, requested by Luke + Howard <lukeh@PADL.COM> + + * lib/asn1/k5.asn1: make the aes and sha1 checksum types match + draft-ietf-krb-wg-crypto-05 + +2003-06-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/aes-test.c: add a test for aes kcrypto encrypted data + + * lib/krb5/crypto.c: clean up AES code to use a structure instead + of a key array + (_krb5_AES_string_to_default_iterator): set to 4096 as described in + aes draft -04 + (derive_key): always remove the key->schedule since its + will contain the wrong (parent key) info + +2003-06-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/aes-test.c: add aes256 test 
vectors from Ken Raeburn + * doc/setup.texi: add more kdc's to the example + +2003-06-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: use int2HDBFlags/HDBFlags2int From: Alberto + Patino <jalbertop@aranea.com.mx>, Luke Howard <lukeh@PADL.COM> + Pointed out by Andrew Bartlett of Samba + + * lib/krb5/heim_threads.h: remove freebsd comment, don't use debug + pthread stubs by default + + * lib/krb5/Makefile.am (man_MANS): drop krb5_free_addresses.3 + + * lib/krb5/krb5_free_addresses.3: removed file, functions are + documented in krb5_address.3 + + * lib/krb5/codec.c: add krb5_{de,en}code_ETYPE_INFO2 + + * lib/krb5/crypto.c: add _krb5_AES_string_to_default_iterator add + krb5_string_to_key_salt_opaque() fix keylengh for keytype_aes256 + +2003-06-06 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: Point out that slave needs /var/heimdal + directory and masterkey 
From: Mans Nilsson <mansaxel@sunet.se>, + Fix spelling while here + +2003-06-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am, krb5_get_in_cred.3, krb5.3: + add manpage for: krb5_get_in_cred, krb5_get_in_tkt, + krb5_get_in_tkt_with_keytab, krb5_get_in_tkt_with_password, + krb5_get_in_tkt_with_skey + +2003-05-28 Assar Westerlund <assar@kth.se> + + * lib/krb5/heim_threads.h: Fix unlock/destroy macros for the + non-threaded cases to work. Fix typo. + +2003-05-27 Johan Danielsson <joda@pdc.kth.se> + + * lib/asn1/{der_put.c,der_length.c,check-der.c}: Fix encoding of + "unsigned" integers. If MSB is set, we need to pad with a zero + byte. + +2003-05-27 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_c_make_checksum.3: some more mdoc fixes + + * lib/hdb/hdb-ldap.c (LDAP__connect): bind sasl "EXTERNAL" to ldap + connection + (LDAP_store): remove superfluous argument to asprintf + + From Alberto Patino <jalbertop@aranea.com.mx> + +2003-05-26 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/*.[0-9]: pacify mdoclink + + * lib/krb5/krb5_ccache.3: document diffrences between mit and + heimdal krb5_cc_gen_new ccache -> credential cache s/[\t ]+$// + +2003-05-21 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/test/gssapi_server.c (proto): start to use + gss_krb5_copy_ccache + + * appl/test/nt_gss_server.c (proto): comment out gss_ctx_id_t + groveling for now + +2003-05-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1: + - add parser/generate glue for UTF8String and NULL + (DER primitive encode/decode functions missing) + - handle parsing of DEFAULT and, ... 
+ +2003-05-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/heim_threads.h: add missing argument to mutex_init + + * lib/krb5/crypto.c: protect the random initiator with a mutex + + * lib/krb5/mcache.c: protect the mcc_head with a mutex + + * lib/krb5/krb5_locl.h: include heim_threads.h + + * lib/krb5/heim_threads.h: wrapper macros for thread + synchronization primitives + +2003-05-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_principal.3 + lib/krb5/Makefile.am: + Add all Kerberos principal function to one manpage, add a few more + principal function to it, remove old now dup manpages + + * lib/krb5/krb5_build_principal.3: remove file + * lib/krb5/krb5_free_principal.3: remove file + * lib/krb5/krb5_sname_to_principal.3: remove file + * lib/krb5/krb5_principal_get_realm.3: remove file + +2003-05-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.8: sort sections, from netbsd + + * lib/krb5/krb5_verify_user.3: .Sh EXAMPLE -> .Sh EXAMPLES, from + netbsd + + * lib/krb5/krb5_openlog.3: .Sh EXAMPLE -> .Sh EXAMPLES, sort + sections, from netbsd + + * lib/krb5/krb5_keytab.3: .Sh EXAMPLE -> .Sh EXAMPLES, mdoc fixes, + from netbsd + + * lib/krb5/krb5_get_krbhst.3: .Sh EXAMPLE -> .Sh EXAMPLES, from + netbsd + + * lib/krb5/krb5_get_all_client_addrs.3: add .Os, from NetBSD + + * lib/krb5/krb5_build_principal.3: sort sections, from NetBSD + + * lib/krb5/krb5.conf.5: .Sh EXAMPLE -> .Sh EXAMPLES, from netbsd + + * lib/krb5/get_default_realm.c: compatability -> compatibility, + from netbsd + + * lib/krb5/krb5_warn.3: add copyright/license + + * lib/krb5/krb5_context.3: add SYNOPSIS and LIBRARY + + * lib/krb5/krb5.3: add RCSID + + * kdc/hprop.8: fix mdoc problem, from netbsd + + * lib/krb5/krb5_krbhst_init.3: uppercase url, from Thomas Klausner + <wiz@netbsd.org> + + * kuser/kinit.1: setup -> set up, new sentence, new line from + Thomas Klausner <wiz@netbsd.org> + +2003-05-13 Love Hörnquist Åstrand <lha@it.su.se> + + * kpasswd/kpasswd.1: 
handle setting passwords for multiple + principals at the same time + + * kpasswd/kpasswd.c: handle setting passwords for multiple + principals at the same time + + * lib/krb5/changepw.c: draft-ietf-cat-kerb-chg-password-02 and + rfc3244 share the response packet sure more constants now that + they exists + +2003-05-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.h: some define for rfc3244 + + * lib/krb5/krb5.3: add krb5_change_password and krb5_set_password + + * kpasswd/kpasswd.1: document --admin-principal + + * kpasswd/kpasswd.c: use krb5_set_password + + * lib/krb5/krb5_set_password.3: document krb5_change_password and + krb5_set_password + + * lib/krb5/changepw.c: implement rfc3244, partly from + shadow@dementia.org + + * lib/asn1/Makefile.am (gen_files): asn1_ChangePasswdDataMS.x for + RFC3244 + + * lib/asn1/k5.asn1: add ChangePasswdDataMS, for + RFC3244 + +2003-05-08 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kdestroy.c: destroy tokens even if there isn't v4 support + + * kuser/kinit.c: get token even if there isn't v4 support + + * kuser/klist.c: print tokens even if there isn't v4 support + +2003-05-06 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/name-45-test.c: need to use empty krb5.conf for some + tests + + * lib/asn1/check-gen.c: there is no \e escape sequence; replace + everything with hex-codes, and cast to unsigned char* to make some + compilers happy + +2003-05-06 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_in_tkt.c (make_pa_enc_timestamp): make sure first + argument to krb5_us_timeofday have correct type + +2003-05-05 Assar Westerlund <assar@kth.se> + + * include/make_crypto.c (main): include aes.h if ENABLE_AES + +2003-05-05 Love Hörnquist Åstrand <lha@it.su.se> + + * make-release: when fixing a valid cvs tag from release name + replace all number. 
to number- for all non-overlapping matches + +2003-05-04 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/Makefile.am: gen_files += asn1_ETYPE_INFO2.x and + asn1_ETYPE_INFO2_ENTRY.x + (libasn1_la_LDFLAGS): set version to 6:1:1 + + * doc/Makefile.am: add apps.texi + + * doc/setup.texi: add move forward link to applications + + * doc/heimdal.texi: add applications + + * doc/misc.texi: move afs stuff to applications add link to + applications + + * doc/apps.texi: text about applications using kerberos + move afs text here + +2003-05-03 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: add cross realm text + +2003-04-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_crypto_init.3: document krb5_enctype_to_string and + krb5_string_to_enctype + +2003-04-28 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/v4_dump.c (v4_prop_dump): limit strings length, from openbsd + +2003-04-26 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/aes-test.c: use _krb5_PKCS5_PBKDF2 + * lib/krb5/crypto.c: unexport krb5_PKCS5_PBKDF2 + +2003-04-25 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/build_auth.c (krb5_build_authenticator): if the local + sequence number is non-zero, don't generate a new one + + * lib/krb5/mk_rep.c (krb5_mk_rep): if the local sequence number is + non-zero, don't generate a new one + + * lib/krb5/time.c (krb5_us_timeofday): make the sec parameter a + krb5_timestamp + + * lib/krb5/mk_priv.c lib/krb5/mk_safe.c lib/krb5/rd_priv.c + lib/krb5/rd_safe.c lib/krb5/rd_cred.c: implement RET_SEQUENCE and + RET_TIME + + * lib/krb5/krb5.h (krb5_replay_data): make usec signed (matching + asn1) + +2003-04-24 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/programming.texi: s/managment/management/, from jmc + <jmc@prioris.mini.pw.edu.pl> + +2003-04-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/context.c (default_etypes): also advertise that we + handle aes encryption types + + * lib/krb5/Makefile.am: add krb5_c_ checksum related functions + + * 
lib/krb5/krb5_c_make_checksum.3: document krb5_c_ checksum + related functions + + * lib/krb5/mit_glue.c: add compat mit krb5_c checksum related + functions + + * lib/asn1/k5.asn1: add ETYPE-INFO2 and ETYPE-INFO2-ENTRY + +2003-04-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krbhst.c: copy NUL too, from janj@wenf.org via openbsd + +2003-04-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/der_copy.c (copy_general_string): use strdup + * lib/asn1/der_put.c: remove sprintf + * lib/asn1/gen.c: remove strcpy/sprintf + + * lib/krb5/name-45-test.c: use a more unique name then ratatosk so + that other (me) have such hosts in the local domain and the tests + fails, to take hokkigai.pdc.kth.se instead + + * lib/krb5/test_alname.c: add --version and --help + +2003-04-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_warn.3: add krb5_get_err_text + + * lib/krb5/transited.c: use strlcat/strlcpy, from openbsd + * lib/krb5/krbhst.c (srv_find_realm): use strlcpy, from openbsd + * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use + strlcpy, from openbsd + * kdc/hpropd.c: s/strcat/strlcat/, inspired from openbsd + * appl/kf/kfd.c: use strlcpy, from openbsd + +2003-04-16 Johan Danielsson <joda@pdc.kth.se> + + * configure.in: fix for large file support in AIX, _LARGE_FILES + needs to be defined on the command line, since lex likes to + include stdio.h before we get to config.h + +2003-04-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/*.3: Change .Fd #include <header.h> to .In header.h, + from Thomas Klausner <wiz@netbsd.org> + + * lib/krb5/krb5.conf.5: spelling, from Thomas Klausner + <wiz@netbsd.org> + +2003-04-15 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: fix some more memory leaks + +2003-04-11 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/kf/kf.1: spelling, from jmc <jmc@prioris.mini.pw.edu.pl> + +2003-04-08 Love Hörnquist Åstrand <lha@it.su.se> + + * admin/ktutil.8: typos, from jmc <jmc@acn.waw.pl> + +2003-04-06 
Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.3: s/kerberos/Kerberos/ + * lib/krb5/krb5_data.3: s/kerberos/Kerberos/ + * lib/krb5/krb5_address.3: s/kerberos/Kerberos/ + * lib/krb5/krb5_ccache.3: s/kerberos/Kerberos/ + * lib/krb5/krb5.conf.5: s/kerberos/Kerberos/ + * kuser/kinit.1: s/kerberos/Kerberos/ + * kdc/kdc.8: s/kerberos/Kerberos/ + +2003-04-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_alname.c: more krb5_aname_to_localname tests + + * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): when + converting too root, make sure user is ok according to + krb5_kuserok before allowing it. + + * lib/krb5/Makefile.am (noinst_PROGRAMS): += test_alname + + * lib/krb5/test_alname.c: add test for krb5_aname_to_localname + + * lib/krb5/crypto.c (krb5_DES_AFS3_CMU_string_to_key): used p1 + instead of the "illegal" salt #~, same change as kth-krb did + 1999. Problems occur with crypt() that behaves like AT&T crypt + (openssl does this). Pointed out by Marcus Watts. + + * admin/change.c (kt_change): collect all principals we are going + to change, and pick the highest kvno and use that to guess what + kvno the resulting kvno is going to be. Now two ktutil change in a + row works. XXX fix the protocol to pass the kvno back. 
+ +2003-03-31 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/kf/kf.1: afs->AFS, from jmc <jmc@acn.waw.pl> + +2003-03-30 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: add description on how to turn on v4, 524 and + kaserver support + +2003-03-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.c (appdefaults_entries): add afslog + and afs-use-524 + +2003-03-28 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (as_rep): when the second enctype_to_string + failes, remember to free memory from the first enctype_to_string + + * lib/krb5/crypto.c (usage2arcfour): map KRB5_KU_TICKET to 2, + from Harald Joerg <harald.joerg@fujitsu-siemens.com> + (enctype_arcfour_hmac_md5): disable checksum_hmac_md5_enc + + * lib/hdb/mkey.c (hdb_unseal_keys_mkey): truncate key to the key + length when key is longer then expected length, its probably + longer since the encrypted data was padded, reported by Aidan + Cully <aidan@kublai.com> + + * lib/krb5/crypto.c (krb5_enctype_keysize): return key size of + encyption type, inspired by Aidan Cully <aidan@kublai.com> + +2003-03-27 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/keytab.c (krb5_kt_get_entry): avoid printing 0 + (wildcard kvno) after principal when the keytab entry isn't found, + reported by Chris Chiappa <chris@chiappa.net> + +2003-03-26 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/misc.texi: update 2b example to match reality (from + mattiasa@e.kth.se) + + * doc/misc.texi: spelling and add `Configuring AFS clients' + subsection + +2003-03-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.3: add krb5_free_data_contents.3 + + * lib/krb5/data.c: add krb5_free_data_contents for compat with MIT + API + + * lib/krb5/krb5_data.3: add krb5_free_data_contents for compat + with MIT API + + * lib/krb5/krb5_verify_user.3: write more about how the ccache + argument should be inited when used + +2003-03-25 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/addr_families.c 
(krb5_print_address): make sure + print_addr is defined for the given address type; make addrports + printable + + * kdc/string2key.c: print the used enctype for kerberos 5 keys + +2003-03-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/aes-test.c: add another arcfour test + +2003-03-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/aes-test.c: sneek in a test for arcfour-hmac-md5 + +2003-03-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_ccache.3: update .Dd + + * lib/krb5/krb5.3: sort in krb5_data functions + + * lib/krb5/Makefile.am (man_MANS): += krb5_data.3 + + * lib/krb5/krb5_data.3: document krb5_data + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): if + prompter is NULL, don't try to ask for a password to + change. reported by Iain Moffat @ ufl.edu via Howard Chu + <hyc@highlandsun.com> + +2003-03-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_keytab.3: spelling, from + <jmc@prioris.mini.pw.edu.pl> + + * lib/krb5/krb5.conf.5: . 
means new line + + * lib/krb5/krb5.conf.5: spelling, from + <jmc@prioris.mini.pw.edu.pl> + + * lib/krb5/krb5_auth_context.3: spelling, from + <jmc@prioris.mini.pw.edu.pl> + +2003-03-18 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/Makefile.am: INCLUDES: -I$(srcdir)/../lib/krb5 + + * lib/krb5/convert_creds.c: add _krb5_krb_life_to_time + + * lib/krb5/krb5-v4compat.h: add _krb5_krb_life_to_time + + * kdc/kdc_locl.h: 524 is independent of kerberos 4, so move out + #ifdef KRB4 from enable_v4_cross_realm since 524 needs it + + * kdc/config.c: 524 is independent of kerberos 4, so move out + enable_v4_cross_realm from #ifdef KRB4 since 524 needs it + +2003-03-17 Assar Westerlund <assar@kth.se> + + * kdc/kdc.8: document --kerberos4-cross-realm + * kdc/kerberos4.c: pay attention to enable_v4_cross_realm + * kdc/kdc_locl.h (enable_v4_cross_realm): add + * kdc/524.c (encode_524_response): check the enable_v4_cross_realm + flag before giving out v4 tickets for foreign v5 principals + * kdc/config.c: add --enable-kerberos4-cross-realm option (default + to off) + +2003-03-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am (man_MANS) += krb5_aname_to_localname.3 + + * lib/krb5/krb5_aname_to_localname.3: manpage for + krb5_aname_to_localname + + * lib/krb5/krb5_kuserok.3: s/KRB5_USEROK/KRB5_KUSEROK/ + +2003-03-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am (man_MANS): add krb5_set_default_realm.3 + + * lib/krb5/krb5.3: add manpages from krb5_set_default_realm.3 + + * lib/krb5/krb5_set_default_realm.3: Manpage for + krb5_free_host_realm, krb5_get_default_realm, + krb5_get_default_realms, krb5_get_host_realm, and + krb5_set_default_realm. 
+ + * admin/ktutil.8: s/entype/enctype/, from Igor Sobrado + <sobrado@acm.org> via NetBSD + + * lib/krb5/krb5_keytab.3: add documention for krb5_kt_get_type + + * lib/krb5/keytab.c (krb5_kt_get_type): get prefix/type of keytab + + * lib/krb5/krb5.h (KRB5_KT_PREFIX_MAX_LEN): max length of prefix + + * lib/krb5/krb5_ccache.3: document krb5_cc_get_ops, add more + types, add krb5_fcc_ops and krb5_mcc_ops + + * lib/krb5/cache.c (krb5_cc_get_ops): new function, return ops for + a id + +2003-03-15 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/intro.texi: add reference to source code, binaries and the + manual + + * lib/krb5/krb5.3: krb5.h isn't in krb5 directory in heimdal + +2003-03-14 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kdc.8: better/difrent english + + * kdc/kdc.8: . -> .\n, copyright/license + + * kdc/kdc.8: changed configuration file -> restart kdc + + * kdc/kerberos4.c: add krb4 into the most error messages written + to the logfile + + * lib/krb5/krb5_ccache.3: add missing name of argument + (krb5_context) to most functions + +2003-03-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/kuserok.c (krb5_kuserok): preserve old behviour of + function and return FALSE when there isn't a local account for + `luser'. 
+ + * lib/krb5/krb5_kuserok.3: fix prototype, spelling and more text + describing the function + +2003-03-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/cache.c (krb5_cc_default): if krb5_cc_default_name + returned memory, don't return ENOMEM + +2003-03-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.3: add krb5_address stuff and sort + + * lib/krb5/krb5_address.3: fix krb5_addr2sockaddr description + + * lib/krb5/Makefile.am (man_MANS): += krb5_address.3 + + * lib/krb5/krb5_address.3: document types krb5_address and + krb5_addresses and their helper functions + +2003-03-10 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am (man_MANS): += krb5_kuserok.3 + + * lib/krb5/krb5_kuserok.3: spelling, from cizzi@it.su.se + + * lib/krb5/Makefile.am (man_MANS): += krb5_ccache.3 + + * lib/krb5/krb5_ccache.3: spelling, from cizzi@it.su.se + + * lib/krb5/krb5.3: add more functions + + * lib/krb5/krb5_ccache.3: document krb5_ccache and krb5_cc + functions + + * lib/krb5/krb5_kuserok.3: document krb5_kuserok + + * lib/krb5/krb5_verify_user.3: document + krb5_verify_opt_set_flags(opt, KRB5_VERIFY_LREALMS) behavior + + * lib/krb5/krb5_verify_user.3: document krb5_verify_opt* and + krb5_verify_user_opt + + * lib/krb5/*.[0-9]: add copyright/licenses on more manpages + + * kuser/kdestroy.c (main): handle that krb5_cc_default_name can + return NULL + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump minor + (TESTS): add test_cc + + * lib/krb5/test_cc.c: test some + krb5_cc_default_name/krb5_cc_set_default_name combinations + + * lib/krb5/context.c (init_context_from_config_file): set + default_cc_name to NULL + (krb5_free_context): free default_cc_name if set + + * lib/krb5/cache.c (krb5_cc_set_default_name): new function + (krb5_cc_default_name): use krb5_cc_set_default_name + + * lib/krb5/krb5.h (krb5_context_data): add default_cc_name + +2003-02-25 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/kf/kf.1: s/securly/securely/ from NetBSD + 
+2003-02-18 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/connect.c: s/intialize/initialize, from + <jmc@prioris.mini.pw.edu.pl> + +2003-02-17 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: add AM_MAINTAINER_MODE + +2003-02-16 Love Hörnquist Åstrand <lha@it.su.se> + + * **/*.[0-9]: add copyright/licenses on all manpages + +2003-14-16 Jacques Vidrine <nectar@kth.se> + + * lib/krb5/get_in_tkt.c (init_as_req): Send only a single + PA-ENC-TIMESTAMP in the AS-REQ, using the first encryption + type specified by the KDC. + +2003-02-15 Love Hörnquist Åstrand <lha@it.su.se> + + * fix-export: some autoconf put their version number in + autom4te.cache, so remove autom4te*.cache + + * fix-export: make sure $1 is a directory + +2003-02-04 Love Hörnquist Åstrand <lha@it.su.se> + + * kpasswd/kpasswdd.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl> + + * kdc/kdc.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl> + +2003-01-31 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/hpropd.8: s/databases/a database/ s/Not/not/ + + * kdc/hprop.8: add missing . + +2003-01-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.conf.5: documentation for of boolean, etypes, + address, write out encryption type in sentences, s/Host/host + +2003-01-26 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/check-gen.c: add checks for Authenticator too + +2003-01-25 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: in the hprop example, use hprop and the first + component, not host + + * lib/krb5/get_addrs.c (find_all_addresses): address-less + point-to-point might not have an address, just ignore + those. Reported by Harald Barth. 
+ +2003-01-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.c (check_section): when key isn't + found, don't print out all known keys + + * lib/krb5/verify_krb5_conf.c (syslogvals): mark up where severity + and facility start resp + (check_log): find_value() returns -1 when key isn't found + + * lib/krb5/crypto.c (_krb5_aes_cts_encrypt): make key argument a + 'const void *' to avoid AES_KEY being exposed in krb5-private.h + + * lib/krb5/krb5.conf.5: add [kdc]use_2b + + * kdc/524.c (encode_524_response): its 2b not b2 + + * doc/misc.texi: quote @ where missing + + * lib/asn1/Makefile.am: add check-gen + + * lib/asn1/check-gen.c: add Principal check + + * lib/asn1/check-common.h: move generic asn1/der functions from + check-der.c to here + + * lib/asn1/check-common.c: move generic asn1/der functions from + check-der.c to here + + * lib/asn1/check-der.c: move out the generic asn1/der functions to + a common file + +2003-01-22 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/misc.texi: more text about afs, how to get get your KeyFile, + and how to start use 2b tokens + + * lib/krb5/krb5.conf.5: spelling, from Jason McIntyre + <jmc@cvs.openbsd.org> + +2003-01-21 Jacques Vidrine <nectar@kth.se> + + * kuser/kuser_locl.h: include crypto-headers.h for + des_read_pw_string prototype + +2003-01-16 Love Hörnquist Åstrand <lha@it.su.se> + + * admin/ktutil.8: document -v, --verbose + + * admin/get.c (kt_get): make getarg usage consistent with other + other parts of ktutil + + * admin/copy.c (kt_copy): remove adding verbose_flag to args + struct, since it will overrun the args array (from Sumit Bose) + +2003-01-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.conf.5: write more about [realms] REALM = { kdc = + ... } + + * lib/krb5/aes-test.c: test vectors in aes-draft + + * lib/krb5/Makefile.am: add aes-test.c + + * lib/krb5/crypto.c: Add support for AES + (draft-raeburn-krb-rijndael-krb-02), not enabled by default. 
+ (HMAC_SHA1_DES3_checksum): rename to SP_HMAC_SHA1_checksum and modify + to support checksumtype that are have a shorter wireformat then + their output block size. + + * lib/krb5/crypto.c (struct encryption_type): split the blocksize + into blocksize and padsize, padsize is the minimum padding + size. they are the same for now + (enctype_*): add padsize + (encrypt_internal): use padsize + (encrypt_internal_derived): use padsize + (wrapped_length): use padsize + (wrapped_length_dervied): use padsize + + * lib/krb5/crypto.c: add extra `opaque' argument to string_to_key + function for each enctype in preparation enctypes that uses + `Encryption and Checksum Specifications for Kerberos 5' draft + + * lib/asn1/k5.asn1: add checksum and enctype for AES from + draft-raeburn-krb-rijndael-krb-02.txt + + * lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_AES128, + KEYTYPE_AES256 + +2003-01-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/common.c (_hdb_fetch): handle error code from + hdb_value2entry + + * kdc/Makefile.am: always include kerberos4.c and 524.c in + kdc_SOURCES to support 524 + + * kdc/524.c: always compile in support for 524 + + * kdc/kdc_locl.h: move out krb/524 protos from under #ifdef KRB4 + + * kdc/config.c: always compile in support for 524 + + * kdc/connect.c: always compile in support for 524 + + * kdc/kerberos4.c: export encode_v4_ticket() and get_des_key() + even when we build without kerberos 4, 524 needs them + + * lib/krb5/convert_creds.c, lib/krb5/krb5-v4compat.h: Split out + Kerberos 4 help functions/structures so other parts of the source + tree can use it (like the KDC) + diff --git a/third_party/heimdal/ChangeLog.2004 b/third_party/heimdal/ChangeLog.2004 new file mode 100644 index 0000000..47cd799 --- /dev/null +++ b/third_party/heimdal/ChangeLog.2004 
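Review bot: the entry header `2003-14-16 Jacques Vidrine <nectar@kth.se>` in ChangeLog.2003 (the `lib/krb5/get_in_tkt.c (init_as_req)` entry) has an impossible month, 14. It sits between the 2003-02-16 and 2003-02-15 entries, so anything that parses these headers as dates will reject or mis-sort it. The file is added as a new file under third_party/, which suggests an import, so I would not correct the date in this change. Record it in the commit message as a known defect in the source, and fix it where the file comes from if the date matters. The same goes for the misspellings in the added entries (`documention`, `difrent`, `behviour`): leave them untouched so the file stays comparable with its origin.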
@@ -0,0 +1,1485 @@ +2004-12-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am (CHECK_SYMBOLS): add heim_ and pkcs7_ for + now (used in pkinit) + +2004-12-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/Makefile.am: add CHECK_SYMBOLS + + * lib/hdb/keys.c: make all_etypes static + + * lib/krb5/Makefile.am: add CHECK_SYMBOLS, approve of: -com_err + -version krb5_ _krb5_ __heimdal krb524_ krb4_fkt_ops + + * kdc/kerberos5.c: use private version of principalname + + * kdc/kerberos4.c: use private version of principalname + + * kdc/hpropd.c: use private version of principalname + + * kdc/524.c: use private version of principalname + + * lib/krb5/rd_req.c: use private version of principalname + + * lib/krb5/rd_cred.c: use private version of principalname + + * lib/krb5/init_creds_pw.c: use private version of principalname + + * lib/krb5/get_in_tkt.c: use private version of principalname + + * lib/krb5/asn1_glue.c: make principalname functions private + + * lib/krb5/krb5.h: add key usage for server referrals + +2004-12-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/principal.c: make default_v4_name_convert static + + * lib/krb5/crypto.c: make lots of crypto related variables static + + * lib/krb5/acache.c: make default_acc_name static + +2004-12-28 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: add some text about samba, use example.com + + * lib/hdb/hdb-ldap.c: Add account expiration for samba from James + F. Hranicky <jfh@cise.ufl.edu>. + Add LDAP_addmod_integer and use it. 
+ +2004-12-27 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/{Makefile.am,setup.texi,win2k.texi}: spelling and text + fixes, from Dave Love + +2004-12-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/heim_threads.h: NetBSD 2.99.11 (any maybe 2.1) just + needs pthread.h, threadlib is dead + +2004-12-17 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/config.c (configure): check for deprecated + enforce-transited-policy is set and fail if it is + + * lib/asn1/asn1_print.c: don't print garabage for octet strings + +2004-12-13 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/main.c (main): catch sigpipe, we don't bother select()ing + for errors + + * kdc/connect.c (handle_http_tcp): handle error from write(2) + + * doc/setup.texi: clarify credentials refreshing stuff + + * doc/setup.texi: add new node: Providing Kerberos credentials to + servers and programs + + * doc/whatis.texi: fix spurious cross-reference makeinfo warning + + * lib/hdb/hdb-ldap.c (pos): uppercase in character + +2004-12-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c (LDAP__bytes2hex,LDAP__hex2bytes): encode + nibbels in the other order + + * lib/hdb/hdb-ldap.c: s/objectclass/objectClass/ check if + attribute exists before we try to delete it LDAP__bytes2hex + encodes in strange byte order, is this really right ? + +2004-12-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c (LDAP_firstkey): When iterating over all + entries, search for samba accounts too, 
From: "James F. Hranicky" + <jfh@cise.ufl.edu> + + * lib/hdb/hdb-ldap.c (krb5kdcentry_attrs): ask for attribute uid + too + + * lib/hdb/hdb-ldap.c (LDAP_message2entry): if the entry is missing + both krb5PrincipalName and uid, it must be broken, ignore it and + return it doesn't exists. + +2004-12-10 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/hpropd.8: spelling, from OpenBSD + + * kdc/kdc.8: use keeps for options, From OpenBSD k + +2004-12-09 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: document --random-key and the need to do backup + of the master key + + * kdc/kstash.8: add --random-key + + * kdc/kstash.c: add --random-key + +2004-12-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.8: spelling, from openbsd + + * lib/krb5/krb5_init_context.3: spelling, from openbsd + + * lib/krb5/krb5.conf.5: spelling, from openbsd + + * kuser/kdestroy.1: use keeps around options, spelling, from + openbsd + + * kpasswd/kpasswdd.8: use ., use keeps around options, from OpenBSD + + * kdc/hpropd.8: use keeps around options, from OpenBSD + + * kdc/hprop.8: use keeps around options, from OpenBSD + +2004-11-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/context.c (krb5_free_context): clear error string + before destroying mutex + (krb5_init_context): don't call krb5_free_context before there is a + mutex initialized + +2004-11-18 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c (get_new_tickets): only complain about ticket + renewable lifetime when the user asked for a specific renewable + lifetime + +2004-11-15 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (find_keys): log what principal is missing + enctypes + +2004-11-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): clear pointer after + freeing data + + * lib/krb5/init_creds_pw.c (change_password): handle old_options + being NULL From Guenther Deschner on samba-technical. 
+ +2004-11-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_get_init_creds.3: add more text describing the + krb5_get_init_creds functions + +2004-11-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c: make krb5_get_init_creds_keytab work + again + +2004-11-10 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb.asn1: use constrained integers + +2004-11-09 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_get_init_creds.3: add description for opt_init, + opt_alloc, opt_free + + * lib/krb5/pkinit.c: unexport krb5_get_init_creds_opt_free_pkinit + + * lib/krb5/init_creds.c: unexport + krb5_get_init_creds_opt_free_pkinit + + * lib/krb5/init_creds_pw.c: fold init_init_creds_ctx into + get_init_creds_common + + * lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if the in + options NULL, just make a clean copy + +2004-11-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/sendauth.c (krb5_rd_rep): free ap_rep message earlier + so we don't leak it on error + +2004-10-31 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.conf.5: unbreak 2b entry + + * lib/krb5/acache.c (make_cred_from_ccred): the address isn't a + sockaddr but rather a kerberos address, deal with that. Based on + bug report from Jakob Schlyter <jakob@rfc.se>. 
+ +2004-10-30 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/connect.c: Make sure argument passed to ctype isn't signed + char + +2004-10-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: match new error names + + * lib/krb5/krb5_err.et: make error messages sane again + +2004-10-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/keytab.c: use KRB5_KT_BADNAME + + * lib/krb5/krb5_err.et: sync with mit krb5_err.et (require major + version bump) add KRB5_DELTAT_BADFORMAT + + * lib/krb5/krb5.conf.5: time defaults to "s" + + * lib/krb5/time.c (krb5_string_to_deltat): default to "s" again, + MIT's behavior was actually that it failed to parse the number + (and thus used the default). Even better, ticket_lifetime (that + was a consumer supposed a of the interface) was documented but + never implemented, when it was implemented, people configuraiton + files started to fail. Also, use KRB5_DELTAT_BADFORMAT as a + failure code. + + * lib/asn1/k5.asn1: sync enctypes with pkinit branch + + * lib/asn1/parse.y (readd) support negative numbers + + * lib/asn1/lex.l: support hex numbers + +2004-10-12 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: use ETYPE_DES3_CBC_NONE_CMS + + * lib/krb5/crypto.c: add enctype_des3_cbc_none_cms add cms padding + for rc2 don't to padding for blocksize 1 + + * lib/hdb/{keys.c,Makefile.am},lib/kadm5/{keys,set_keys}.c: + Move keyset parsing and password based keyset generation into hdb. + Requested by Andrew Bartlett <abartlet@samba.org> for hdb-ldb + backend. 
+ +2004-10-07 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: adapt to new signature of + krb5_get_init_creds_opt_set_pkinit + + * lib/krb5/pkinit.c: free openssl engine deal with + RecipientIdentifier -> CMSIdentifier and heim_any -> name change + improve error messages + + * kdc/pkinit.c: free openssl engine deal with RecipientIdentifier + -> CMSIdentifier and heim_any -> name change + +2004-10-04 Johan Danielsson <joda@pdc.kth.se> + + * kuser/klist.c: use rtbl_set_separator + +2004-10-03 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: filter out dup openssl engine keys, parse + user options first + + * lib/krb5/pkinit.c: stop using AlgorithmIdentifierNonOpt, add + openssl engine support for private key + + * lib/krb5/crypto.c: support padding as its done in CMS + + * kdc/pkinit.c: improve error logging + + * kdc/pkinit.c: stop using AlgorithmIdentifierNonOpt + +2004-09-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.conf.5: assume minutes for time + + * lib/krb5/config_file.c (krb5_config_vget_time_default): use + krb5_string_to_deltat + + * lib/krb5/appdefault.c (krb5_appdefault_time): use + krb5_string_to_deltat + + * lib/krb5/time.c (krb5_string_to_deltat): set default unit to + minute for compatibility with MIT Kerberos. + + +2004-09-28 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_cred.c (get_cred_kdc_usage): retry using "large + message safe" transport if we get back + KRB5KRB_ERR_RESPONSE_TOO_BIG error. 
Idea from Guenther Deschner + <gd@sernet.de> + +2004-09-23 Johan Danielsson <joda@pdc.kth.se> + + * admin/list.c: use rtbl + + * admin/ktutil-commands.in: slc source file + + * lib/krb5/constants.c: check + /Library/Preferences/edu.mit.Kerberos on OSX + +2004-09-21 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/time.c (krb5_format_time): check return value from + localtime and strftime + +2004-09-14 Johan Danielsson <joda@pdc.kth.se> + + * kuser/kinit.c: make sure we don't always get renewable creds + +2004-09-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/acache.c: use krb5_ccapi.h + + * lib/krb5/krb5_ccapi.h: break out krb5 api definitions to + separate (not installed) file + + * lib/krb5/Makefile.am: add AM_CPPFLAGS to libkrb5_la_CPPFLAGS + since AM_CPPFLAGS overridden by target specific _CPPFLAGS + +2004-09-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: make variable shorter, make error messages + from pkinit, make freeing easier + +2004-09-06 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: link libkrb5 with LIB_dlopen + + * lib/krb5/crypto.c (seed_something): avoid poking at memory that + is uninitialized, make valgrind unhappy. Pointd out by + abartlet@samba.org. While where, plug the fd leak. 
+ +2004-09-05 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/der_get.c (decode_*): name all tag-length variables the + same + (decode_enumerated): check that the tag-length is not longer the length + + * lib/asn1/der_get.c (decode_boolean): fail if length of tag is + larger then len + +2004-08-31 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds): kdc_reply can be + set in case of failure too, free unconditionally on exit to avoid + memory leak + +2004-08-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_cred.c (set_auth_data): set pointer to NULL after + free + +2004-08-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/context.c (krb5_get_err_text): if neither of com_right + nor strerror finds the error-code, return Unknown error. + +2004-08-19 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5_kuserok.3: update to reality + + * lib/krb5/kuserok.c: if a .k5login file exist, don't give + implicit rights to anyone; also check owner/mode of .k5login + +2004-08-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: man_MANS = krb5_getportbyname.3 + + * lib/krb5/krb5_getportbyname.3: manpage for krb5_getportbyname + + * lib/krb5/krb5.3: add krb5_getportbyname + + * lib/krb5/krb5.3: krb5_free_salt and krb5_enctype_valid + + * lib/krb5/krb5_encrypt.3: document krb5_enctype_valid + +2004-08-13 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (get_pa_etype_info{,2}): check for dup enctypes + from the client and filter them out. 
+ + * lib/krb5/krb5_string_to_key.3: document krb5_free_salt + +2004-08-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_ticket.3: data needs to be freed when using + krb5_ticket_get_authorization_data_type + +2004-08-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_cc.c: test variables in default_cc_name + + * lib/krb5/krb5.conf.5: explain support for varibles in + [libdefaults]default_cc_name + + * lib/krb5/cache.c: drop ${time}, its not very useful + + * lib/krb5/cache.c: Add _krb5_expand_default_cc_name that expand + variables in the default cc name. Supported variables now are: + ${time},${uid} and ${null} + + * lib/krb5/krb5.conf.5: document default_cc_name + + * lib/krb5/cache.c (krb5_cc_set_default_name): + s/libdefault/libdefaults/ + +2004-08-06 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/acache.c: replace magic 3 with ccapi_version_3 + + * lib/krb5/Makefile.am: libkrb5_la_SOURCES += acache.c + + * lib/krb5/krb5.h: add krb5_acc_ops + + * lib/krb5/acache.c: CCAPI v3 implementation, the read only + support was from Magnus Ahltorp and then extended by me to support + all other operations. 
Tested with MIT kerberos cc cache + implementation on MacOS 10.3.3 + + * lib/krb5/cache.c (krb5_cc_set_default_name): allow setting the + default cc name, this is not very useful for general purpose glue + since its not possible to glue in user information (like uid), but + for CCAPI it works just fine + +2004-08-05 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kgetcred.1: document --cache/-c + + * kuser/kgetcred.c: allow to specify what credential cache to use + +2004-08-03 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: add krb5_eai_to_heim_errno.3 + + * lib/krb5/krb5_eai_to_heim_errno.3: document + krb5_eai_to_heim_errno, krb5_h_errno_to_heim_errno + + * lib/krb5/krb5.3: add krb5_eai_to_heim_errno, + krb5_h_errno_to_heim_errno + +2004-07-26 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_expand_hostname.3: krb5_expand_hostname_realms + result should be free with krb5_free_host_realm drop + krb5_get_host_realm text + + * lib/krb5/krb5_set_default_realm.3: krb5_get_host_realm result + should be free with krb5_free_host_realm + + * lib/krb5/krb5_get_in_cred.3: document krb5_free_kdc_rep + + * lib/krb5/krb5_get_init_creds.3: remove dup krb5_get_init_creds + + * lib/krb5/krb5_auth_context.3: sort, add krb5_free_authenticator + + * lib/krb5/Makefile.am: man_MANS += krb5_rd_error + + * lib/krb5/krb5_rd_error.3: krb5_rd_error and friends + + * lib/krb5/krb5_warn.3: clarify on what string + krb5_free_error_string should operate on + + * lib/krb5/krb5_get_credentials.3: add krb5_get_kdc_cred + + * lib/krb5/Makefile.am: krb5_get_credentials, + krb5_get_forwarded_creds and friends + + * lib/krb5/krb5_get_forwarded_creds.3: krb5_get_forwarded_creds + and friends + + * lib/krb5/krb5_get_credentials.3: krb5_get_credentials and + friends + +2004-07-23 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/klist.c (print_cred_verbose): keytypes are no longer, use + enctype + +2004-07-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c 
(LDAP_entry2mods): allow for pre-c99 + compilers, From metze at samba.org + +2004-07-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_cc.c: more cc tests + + * lib/krb5/krb5_check_transited.3: document krb5_check_transited + +2004-07-19 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c (pk_principal_from_X509): reverse test, makes + principal in cert work 
From: Mayur Patel <patelm4@rpi.edu> + +2004-07-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: add krb5_verify_init_creds.3 + + * lib/krb5/krb5_verify_init_creds.3: add krb5_verify_init_creds + +2004-07-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_set_password.3: spelling from wiz@netbsd.org + description for krb5_passwd_result_to_string + +2004-07-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_set_password.3: Remove superfluous comma; grammar + fixes; split sentence in two for better understanding. From + wiz@NetBSD.org. Describe krb5_set_password_using_ccache while here. + + * lib/krb5/krb5_set_password.3: nroff and spelling, from Jonathan + Stone <jonathan@dsg.stanford.edu> + + * lib/krb5/changepw.c (process_reply): cast ssize_t to long and + print that From NetBSD via Havard Eidnes. + +2004-07-09 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: fix helpstring for hdb-openldap-module + + * lib/krb5/test_cc.c: don't use krb5_err on error code 0 + +2004-07-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c (LDAP_seq): try handling errors better + +2004-07-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_in_tkt.c (set_ptypes): make ptypes const + +2004-07-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c (LDAP__connect): call ldap_initialize with + right argument + +2004-06-27 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): if the + krbtgt is without addresses, default to not sending our own + addrport + + * lib/asn1/lex.l: add support for /* */ and partial line -- + comments + + * kuser/Makefile.am: don't install copy_cred_cache manpage + +2004-06-24 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if + copying a static opt, make sure to allocate the "private" field + +2004-06-24 Love <lha@stacken.kth.se> + + * kdc/config.c: add enable_pkinit_princ_in_cert + + * 
kdc/kdc_locl.h: enable_pkinit_princ_in_cert + + * kdc/pkinit.c: Check certificate for Kerberos Principal in + OtherName of subjectAltName Based on patch from Mayur Patel + <patelm4@rpi.edu> + +2004-06-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_cred.c (init_tgs_req): if subkey not avaible, use + session key for authorization-data + +2004-06-15 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/connect.c (handle_tcp): note who is what that closed the + connection on us + +2004-06-09 Love Hörnquist Åstrand <lha@it.su.se> + + * admin/get.c (kt_get): catch errors from krb5_parse_name + +2004-06-05 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: if its the entry just contains the + structural object (no samba nor heimdal object), add an aux + heimdal object on to it. + +2004-06-02 Love Hörnquist Åstrand <lha@it.su.se> + + * kpasswd/kpasswd.c: use krb5_set_password_using_ccache + + * lib/krb5/krb5_set_password.3: add krb5_set_password_using_ccache + + * lib/krb5/changepw.c: implement krb5_set_password_using_ccache + + * lib/hdb/hdb-ldap.c: Allow the objectClass to be + "sambaSamAccount" or structural_object when searching for uid + entries. + + * lib/krb5/krb5.conf.5: document [kdc]hdb-ldap-create-base + + * lib/hdb/hdb-ldap.c: add creation base that defaults to the + search base + + * lib/hdb/hdb-ldap.c: indent like the rest of the code + +2004-06-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: check return values from ldap operations and + close it we get back LDAP_SERVER_DOWN. stupid ldap client lib, you + should retry by yourself. 
+ + * lib/hdb/hdb-ldap.c: require search base to be configured, create + local context structure + +2004-05-31 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: more ldap text, partly from Tarjei Huse + <tarjei@nu.no> + +2004-05-28 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: clean, indent + + * lib/hdb/hdb-ldap.c (LDAP_entry2mods): make sure + krb5KeyVersionNumber is added on new entires + +2004-05-27 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: minor fixes, partly from Tarjei Huse + <tarjei@nu.no> + + * lib/krb5/krb5.conf.5: some text about dbname and realm + + * lib/krb5/krb5.conf.5: default value for + hdb-ldap-structural-object is account + +2004-05-26 Love Hörnquist Åstrand <lha@it.su.se> + + * tools/Makefile.am: use ! instead of , as sed delimiter + +2004-05-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/*.c: add KRB5_LIB_FUNCTION to all exported functions + +2004-05-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: make samba_forwardable a krb5_boolean + + * lib/hdb/hdb-ldap.c: make samba forwarding a runtime configure + option + + * lib/hdb/hdb-ldap.c (LDAP_message2entry): fix [] test From: + Andrew Bartlett <abartlet@samba.org> + + * lib/hdb/hdb-ldap.c (LDAP_message2entry): remove bogus length + check From: Andrew Bartlett <abartlet@samba.org> + + * lib/hdb/hdb-ldap.c (LDAP_message2entry): in the sambaNTPassword + case, make sure ent->etypes are allocated, 
From: Andrew Bartlett + <abartlet@samba.org> + +2004-05-14 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: move "setpag if (argc < 1)" to common path + +2004-05-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.c: pacify pre c99 compilers + + * fix-export: use right argument for -E + +2004-05-06 Johan Danielsson <joda@pdc.kth.se> + + * kuser/kinit.c: print some diagnostics if the exec fails + +2004-04-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c (pk_rd_pa_reply_dh): use krb5_random_to_key + From: Luke Howard <lukeh@padl.com> + + * lib/krb5/rd_req.c (krb5_verify_ap_req2): clear the whole ticket, + not just a pointer size of it 
From: Luke Howard <lukeh@padl.com> + +2004-04-28 Love Hörnquist Åstrand <lha@it.su.se> + + * fix-export: add -E flag where needed to make-proto + +2004-04-26 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/crypto.c: add set_param for RC2 + + * lib/krb5/pkinit.c: use krb5_oid_to_enctype and remove all oids + that are no longer needed + + * kdc/pkinit.c: use krb5_enctype_to_oid + + * lib/krb5/crypto.c (krb5_oid_to_enctype): make sure oid exists + before we compare with it + + * lib/krb5/crypto.c (krb5_crypto_get_params): check ivec length + before returning it add aes-oids + + * lib/krb5/crypto.c: add krb5_enctype_to_oid and + krb5_oid_to_enctype + + * kdc/pkinit.c: use krb5_crypto_set_params + + * lib/krb5/crypto.c: add krb5_crypto_set_params, add aes-NNN-cbc-none + + * lib/krb5/krb5.h: add KEYTYPE_AES192 + + * lib/krb5/pkinit.c: use krb5_crypto_get_params to implement + kcrypto RC2 support + + * lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype + rc2-cbc XXX RC2CBCParameter is wrong because the compiler is + broken + + * lib/krb5/krb5.h: add KEYTYPE_RC2 + + * lib/krb5/crypto.c: add partial CMS parameter handling, this is + needed for RC2 + + * lib/asn1/der_cmp.c: add heim_oid_cmp and heim_octet_string_cmp + + * lib/asn1/Makefile.am (libasn1_la_SOURCES) += der_cmp.c + + * lib/asn1/der.h: add heim_oid_cmp and heim_octet_string_cmp + + * lib/asn1/k5.asn1: add ETYPE_AESNNN_CBC_NONE + + * lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype + rc2-cbc, XXX RC2CBCParameter is wrong because the compiler is broken + +2004-04-26 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/config_file.c: allow parsing directly from strings with + krb5_config_parse_string_multi + + * lib/krb5/verify_krb5_conf.c: try to resolve hostnames + +2004-04-25 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/store_fd.c (krb5_storage_from_fd): dup the file + descriptor so we don't have to keep track of it in two places + + * kuser/copy_cred_cache.c: 
krb5_cc_copy_cache_match now lives in + libkrb5 + + * lib/krb5/krb5_{,compare_}creds.3: move krb5_compare_creds to its + own manpage + + * replace krb5_free_creds_contents by krb5_free_cred_contents + + * lib/krb5/cache.c: add krb5_cc_next_cred_match() and + krb5_cc_copy_cred_match() + + * lib/krb5/creds.c (krb5_compare_creds): add more matching options + + * lib/krb5/krb5.h: add more creds match flags + + * kuser/copy_cred_cache: add --valid-for option + + * lib/krb5/store.c (krb5_store_creds): set is_skey flag if length + of second ticket is > 0 + +2004-04-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: use the right oid for pkauthdata + + * lib/krb5/pkinit.c: always send both win2k compat version and the + ietf draft one, this is possible since microsoft use + wrong/diffrent PA number. Make the configuration flag boolean + configuring if NOT to send the win2k compat glue. + + * lib/krb5/krb5_encrypt.3: document krb5_{de,en}crypt_ivec + + * kuser/copy_cred_cache.1: pacify mdoclint + + * kdc/pkinit.c: use IV for envelopeddata encryption, patch + originally from Luke Howard <lukeh@padl.com>, tweeked by me. + + * lib/krb5/krb5_storage.3: document + KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER + + * lib/krb5/krb5_data.3: document that krb5_data_free cleans the + structure too + + * lib/krb5/pkinit.c: use IV for envelopeddata encryption, patch + originally from Luke Howard <lukeh@padl.com>, tweeked by me. + +2004-04-24 Johan Danielsson <joda@pdc.kth.se> + + * kuser/copy_cred_cache.{c,1}: add cred cache copy tool + + * configure.in: use rk_SYS_LARGEFILE + + * lib/krb5/{krb5.h,store.c,fcache.c}: Fix the cache flags bitorder + issue with a storage flag instead of a separate function. 
+ +2004-04-24 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: move out the oid check from get_reply_key + + * lib/krb5/pkinit.c: uniquify error messages + + * lib/krb5/init_creds_pw.c: make the pkinit nonce same os the + plain nonce for now + + * lib/krb5/pkinit.c: more w2k compat from Luke Howard + <lukeh@padl.com> add RC2 support, clean up error messages + + * lib/krb5/pkinit.c: remove more dependency on + krb5_config->pkinit_flags + + * lib/krb5/pkinit.c (_krb5_pk_convert_rep): convert microsoft + style answer to IETF, From Luke Howard <lukeh@padl.com> + (_krb5_pk_create_sign): ms handles NULL in param, so always send it + (_krb5_pk_mk_padata): look for [realms]REALM = { win2k_pkinit = bool } + + * lib/krb5/pkinit.c (_krb5_pk_create_sign): always set the + digestAlgorithm to sha1 (both for SignerInfo and SignedData, add + new function _set_digest_alg to set it + +2004-04-23 Love Hörnquist Åstrand <lha@it.su.se> + + * include/make_crypto.c: include rc2.h, and when I'm here, make + aes mandatory + + * lib/krb5/krb5.h: add ENCTYPE_ARCFOUR_HMAC as compat glue for MIT + kerberos + + * lib/krb5/crypto.c (krb5_crypto_init): clear return pointer on + failure + + * lib/krb5/crypto.c (DES3_random_to_key): make it produce the + right result + (DES3_postproc): use DES3_random_to_key + (krb5_random_to_key): check the required number of bits (not the size + of the key) + + * lib/krb5/aes-test.c: test random to key function + + * lib/krb5/string-to-key-test.c: comment out the "@"/"" test for + now + +2004-04-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_string_to_key.3: document that + krb5_string_to_key_derived is broken for non 3des enctypes and + thus deprecated + + * kdc/pkinit.c (generate_dh_keyblock): use the new function + krb5_random_to_key + + * lib/krb5/crypto.c: add des and DES3 random_to_key hooks, they + need special processing + + * lib/krb5/crypto.c (krb5_random_to_key): new function + + * lib/krb5/krb5_keyblock.3: document 
krb5_random_to_key + +2004-04-21 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: use the first proposed enable enctype + + * lib/krb5/context.c (krb5_set_default_in_tkt_etypes): use the + return from krb5_enctype_valid + + * kdc/pkinit.c: at least try to handle diffrent enveloped enctypes + +2004-04-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/der_get.c: 1.28.2.16: (der_get_oid): handle all oid + components being smaller then 127 and allocate one extra element + since first byte is split to to elements. + +2004-04-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/k5.asn1: ETYPE_DIGEST_MD5_NONE, ETYPE_CRAM_MD5_NONE: + private use, lukeh@padl.com + +2004-04-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c (build_auth_pack): use heim_integer to encode + DH public key + +2004-04-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_init_context.3: add krb5_context to so its added + as manpage-link too + +2004-04-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/fcache.c (fcc_remove_cred): simplistic implementation, + XXX add locking + + * kuser/kdestroy.c: add --credential argument that just remove one + credential entry out of the cache specified + + * kdc/pkinit.c: replace the krb5.conf configuration option that + describes the mapping between principals and subject names with a + file, default /var/heimdal/pki-mapping. XXX this should be pushed + into HDB. 
XXX should add issuer too + + * kdc/config.c: merge certificate/private_key to a user_id + +2004-04-16 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kdc_locl.h: update prototype for pk_initialize + + * kuser/kinit.c: merge certificate/private_key to a user_id + + * kdc/pkinit.c: adapt to heim_integer changes + + * lib/krb5/pkinit.c: merge certificate/private_key to a user_id + + * kdc/pkinit.c: adapt to heim_integer changes, + merge certificate/private_key to a user_id + +2004-04-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_WIN free X509_STORE + +2004-04-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: define BUILD_KRB5_LIB when building + libkrb5.la, add KRB5_LIB_FUNCTION proto + + * lib/krb5/add_et_list.c: add KRB5_LIB_FUNCTION + + * configure.in: export KRB5_LIB_FUNCTION when building with + BUILD_KRB5_LIB + + * lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): add + error strings + + * lib/krb5/prompter_posix.c (krb5_prompter_posix): if some thing + is printed on stderr, fflush it + + * lib/krb5/krb5_keyblock.3: free functions also zeros out the key + + * lib/krb5/krb5_get_init_creds.3: some text about + krb5_prompter_posix + + * lib/krb5/krb5.conf.5: document hdb-ldap-structural-object + + * lib/krb5/cache.c: add krb5_cc_get_prefix_ops + + * lib/krb5/krb5_ccache.3: add krb5_cc_get_prefix_ops + +2004-04-05 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/test/http_client.c: support GSS_C_DELEG_FLAG and + GSS_C_MUTUAL_FLAG + + * appl/test/http_client.c: verbose logging + +2004-04-02 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/connect.c: case size_t to unsigned long for LP64 platforms + +2004-04-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c (hdb_ldap_create): allow configuration of + default structural object + + * tools/Makefile.am: handle sed expression breaking + +2004-03-31 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krbhst.c: also lookup 
_kpasswd._tcp SRV-rr + + * lib/krb5/changepw.c: add tcp support to the set protocol, should + be cleaned up to enable sharing code with krb5_sendto + + * kpasswd/kpasswd.c (change_password): remove extra free + + * lib/krb5/krb5_acl_match_file.3: try to pacify mdoc macros on + osf/1 + +2004-03-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c (pa_data_add_pac_request): don't + increase md->len, krb5_padata_add already does that + + * lib/krb5/init_creds.c: its PAC not PAQ + + * kuser/kinit.c: its PAC not PAQ + + * kdc/kerberos4.c: stop the client from renewing tickets into the + future 
From: Jeffrey Hutzelman <jhutz@cmu.edu> + +2004-03-29 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: try to handle sys/strtty.h needing sys/stream.h + +2004-03-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/send_to_kdc.c: remove function krb5_sendto_kdc2, its no + longer used + + * kdc/kerberos5.c: s/krb5_get_host_realm_int/_&/ + + * lib/krb5/get_host_realm.c: unexport krb5_get_host_realm_int to + external users by prefixing it with _ + + * lib/krb5/get_cred.c: s/krb5_mk_req_internal/_&/ + + * lib/krb5/mk_req_ext.c: unexport krb5_mk_req_internal to external + users by prefixing it with _ + +2004-03-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: add missing } + +2004-03-21 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: adapt to change of signature of + _krb5_pk_load_openssl_id + + * lib/krb5/pkinit.c: (krb5_get_init_creds_opt_set_pkinit): add + prompter argument and use it + + * kuser/kinit.c: adapt to signature change of + krb5_get_init_creds_opt_set_pkinit + + * lib/krb5/krb5.3: add more stuff, 105 functions to go + + * lib/krb5/krb5_rcache.3: add krb5_get_server_rcache + + * lib/krb5/krb5_rcache.3: framework for replay cache manpage + + * lib/krb5/krb5_string_to_key.3: document string to key functions + + * lib/krb5/Makefile.am: man_MANS += krb5_expand_hostname.3 + krb5_find_padata.3 krb5_generate_random_block.3 + + * lib/krb5/krb5_encrypt.3: document krb5_get_wrapped_length + + * lib/krb5/krb5.3: add some more, 137 to go + + * lib/krb5/krb5_principal.3: document krb5_get_default_principal + + * lib/krb5/krb5_keyblock.3: document krb5_generate_subkey + + * lib/krb5/krb5_generate_random_block.3: document + krb5_generate_random_block + + * lib/krb5/krb5_find_padata.3: document padata functions + + * lib/krb5/krb5.3: add some more, 142 to go + + * lib/krb5/krb5_creds.3: drop .Pp before .Sh + + * lib/krb5/krb5_set_default_realm.3: document krb5_copy_host_realm + + * lib/krb5/krb5_expand_hostname.3: document 
krb5_expand_hostname + and krb5_expand_hostname_realms + + * lib/krb5/krb5.3: add more functions, 147 to go + + * lib/krb5/krb5_creds.3: document krb5_creds + + * lib/krb5/krb5_get_init_creds.3: add more functions, some more + text + + * lib/krb5/krb5_ticket.3: document + krb5_ticket_get_authorization_data_type + +2004-03-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/aes-test.c: remove #if 0'ed code + + * lib/krb5/krb5.3: add keyblock functions, 177 functions to go + + * lib/krb5/krb5_verify_user.3: add krb5_verify_opt_set_ccache + + * lib/krb5/krb5_encrypt.3: document krb5_decrypt_ticket + + * lib/krb5/krb5_config.3: document krb5_config_free_strings and + krb5_config_file_free + + * lib/krb5/krb5_create_checksum.3: add krb5_hmac + + * lib/krb5/krb5.3: add keyblock functions, 190 functions to go + + * lib/krb5/krb5_keyblock.3: update .Dd + + * lib/krb5/krb5_keyblock.3: document krb5_copy_keyblock and + krb5_generate_random_keyblock + + * lib/krb5/krb5_init_context.3: add krb5_init_ets + + * lib/krb5/krb5_config.3: add more krb5_config_ functions and + prototypes + + * lib/krb5/krb5_init_context.3: document context modifcation + functions: address list, config file, use admin kdc, fcc version + + * lib/krb5/krb5_storage.3: document krb5_storage and related + functions + + * lib/krb5/Makefile.am: add acl and krb524_convert_creds_kdc + manpages and test_acl test program + + * lib/krb5/krb5.3: add error string functions and sort + + * lib/krb5/krb5_warn.3: document krb5_abort and error string + functions + + * lib/krb5/krb5.3: add missing functions, only 285 left to + document + + * lib/krb5/krb5_crypto_init.3: remove various enctype related + function + + * lib/krb5/krb5_encrypt.3: add various enctype related function + here + + * lib/krb5/krb5_create_checksum.3: add krb5_cksumtype_valid + krb5_cksumtype_valid + + * lib/krb5/crypto.c: real return values for + krb5_{enctype,cksumtype}_valid + + * lib/krb5/krb5_create_checksum.3: add some functions and + 
descriptions + + * lib/krb5/krb5_c_make_checksum.3: move out non krb5_c functions + + * lib/krb5/krb5_auth_context.3: document + krb5_auth_con_generatelocalsubkey + + * lib/krb5/krb5_krbhst_init.3: document krb5_krbhst_init_flags + + * lib/krb5/krb5_keytab.3: document krb5_kt_default_modify_name + + * lib/krb5/krb5_init_context.3: document krb5_add_et_list + + * lib/krb5/krb524_convert_creds_kdc.3: document + krb524_convert_creds_kdc, krb524_convert_creds_kdc_ccache + + * lib/krb5/krb5_acl_match_file.3: document krb5_acl_match_* + + * lib/krb5/test_acl.c: test for generic acl code + + * lib/krb5/acl.c: plug memory leak on file matching, + make it not fall over when no non matching acl, + make fnmatch matching useful by switching arguments + +2004-03-19 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/config.c: add --builtin-hdb command + + * lib/hdb/hdb.c (hdb_list_builtin): return a list of builtin + backends + + * doc/setup.texi: include Luke Howard of PADL.COM ldap hdb + documentation + + * doc/win2k.texi: fix bugs in examples, add more restrictions, use + example.com as an example. 
From: Pavel Ferdan + <xferdan@informatics.muni.cz> + +2004-03-18 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5.conf.5: add a bunch of Li and document [kadmin] + password_lifetime; from Henry B. Hotz + +2004-03-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/mk_rep.c (krb5_mk_rep): if KRB5_AUTH_CONTEXT_USE_SUBKEY + is set send subkey + (generate if needed) + + * lib/krb5/krb5.h: add KRB5_AUTH_CONTEXT_USE_SUBKEY + +2004-03-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: clean up error handling, plug memory leaks, + and free memory in error path, assume realloc(NULL, ...) works, + factor out common code, indent + +2004-03-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.c: understand [password_quality] + spelling + + * kuser/kgetcred.1: document --canonicalize + + * kuser/kgetcred.c: add --canonicalize + +2004-03-10 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/fcache.c (fcc_store_cred): NULL terminate + krb5_config_get_bool_default' arglist + +2004-03-09 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: add missing req argument to pk_mk_pa_reply + + * kdc/pkinit.c (pk_mk_pa_reply): add hdb_entry + + * kdc/pkinit.c: pass client hdb_entry to pk_check_client + + * kdc/kdc_locl.h: pass client hdb_entry to pk_check_client + + * kuser/kinit.c: rename ca_dir to pkinit/x509_anchors since its + more like that language in RFC3280 + + * lib/krb5/pkinit.c: rename ca_dir to pkinit/x509_anchors since + its more like that language in RFC3280 + + * lib/krb5/krb5.conf.5: document + [libdefaults]fcc-mit-ticketflags=boolean + + * lib/krb5/fcache.c (fcc_store_cred): use + [libdefaults]fcc-mit-ticketflags=boolean to decide what format to + write the fcc in. 
Default to mit version (aka heimdal 0.7) + + * lib/krb5/store.c: add _krb5_store_creds_heimdal_0_7 and + _krb5_store_creds_heimdal_pre_0_7 that store the creds in just + that format make krb5_store_creds default to mit format + + * lib/krb5/store.c (krb5_ret_creds): Runtime detect the what is + the higher bits of the bitfield + +2004-03-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/store.c (krb5_store_creds): add disabled code that + store the ticket flags in reverse order + (bitswap32): new function + + * lib/krb5/store.c (krb5_ret_creds): if the higher ticket flags + are set, its a mit cache, reverse the bits, bug pointed out by + Sergio Gelato <Sergio.Gelato@astro.su.se> + +2004-03-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: use macro for HDB * -> LDAP * + + * kuser/kinit.c: when running kinit with a subprocess, fetch new + tickets after half the tickets lifetime + + * lib/hdb/hdb.c: spelling + + * lib/hdb/hdb-ldap.c: Intergrate Heimdal's hdb-ldap and the Samba + password database. 
From: Andrew Bartlett <abartlet@samba.org> + + * kdc/config.c: add --disable-DES + + * kdc/kdc.8: document --detach and --disable-DES + + * kdc/kerberos5.c: check if enctype is disabled before using it + + * lib/krb5/crypto.c: add support for disabling checksum/encryption + types + + * tools/kdc-log-analyze.pl: add more cases + + * kdc/connect.c: on strange tcp error; log local port number and + socket type + + * lib/asn1/der.h: fix prototype of encode_utf8string + + * lib/asn1/gen.c: catch CHOICE and generate dummy placeholder + + * lib/asn1/lex.l: added dummy parsing of CHOICE + + * lib/asn1/parse.y: added dummy parsing of CHOICE + + * lib/asn1/k5.asn1: drop SMTP_NAME + +2004-03-06 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/Makefile.am: support building ldap backend as module + sort asn1 hdb files + + * lib/hdb/hdb.c: when building ldap as a shared module, don't + include it in the list + + * configure.in: add --enable-hdb-openldap-module + + * lib/hdb/hdb-ldap.c: make ldap possible to build as a shared + module + + * lib/hdb/mkey.c: add hdb_{,un}seal_key{,_mkey} from Andrew + Bartlett <abartlet@samba.org> + + * lib/krb5/crypto.c (decrypt_internal_special): do not not modify + the original data test case from Ronnie Sahlberg + <ronnie_sahlberg@ozemail.com.au> + +2004-03-03 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_cc.c: more cc tests, mostly related to mcc + behavior + + * lib/krb5/mcache.c (mcc_get_principal): also check for + primary_principal == NULL now that that isn't used as dead flag + + * lib/krb5/mcache.c: don't overload the primary_principal == NULL + as dead since that doesn't always work. 
Based on patch from + Jeffrey Hutzelman <jhutz@cmu.edu>, tweeked by me + +2004-02-22 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp + + * lib/krb5/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp + + * lib/hdb/db3.c: fix all db >= 4.1 cases + + * doc/setup.texi: add text about hostname to realm mapping using + DNS + +2004-02-20 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: update error codes + + * lib/krb5/krb5_err.et: prefix pkinit error codes with KRB5_ + + * lib/krb5/pkinit.c: update error codes + +2004-02-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: indent, use krb5_abortx() instead of abort() + + * lib/krb5/init_creds_pw.c (process_pa_data_to_key): spelling + + * lib/krb5/store.c: handle memory allocate errors + + * lib/krb5/fcache.c (_krb5_xlock): handle that everything was ok, + and don't put an error in the error strings then + +2004-02-13 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: s/heim_big_integer/heim_integer/ + + * lib/krb5/pkinit.c: s/heim_big_integer/heim_integer/ + + * kdc/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT errors + + * lib/krb5/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT + errors + + * lib/krb5/heim_err.et: add HEIM_PKINIT specific errors + +2004-02-12 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: rename AC_WFLAGS to rk_WFLAGS + + * acinclude.m4: use m4_define, over-quote string + +2004-02-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c (change_password): handle that + printf("%.*s", 0, (void*)NULL); doesn't work on solaris + +2004-02-10 Love Hörnquist Åstrand <lha@it.su.se> + + * kpasswd/kpasswd.c (change_password): handle that printf("%.*s", + 0, (void*)NULL); doesn't work on solaris + + * lib/krb5/krb5.conf.5: don't use path's in first .Nm, it confuses + some locate.updatedb, use FILES section to describe where the file + is instead. 
+ +2004-02-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/check-der.c: test for "der_length.c: Fix len_unsigned + for certain negative integers, it got the length wrong" , from + Panasas, Inc. + + * lib/asn1/der_length.c: Fix len_unsigned for certain negative + integers, it got the length wrong, fix from Panasas, Inc. + + rename len_int and len_unsigned to _heim_\& + + * lib/asn1/der_locl.h: add _heim_len_unsigned, _heim_len_int + +2004-02-06 Dave Love <d.love@dl.ac.uk> + + * configure.in: Check for sys/socket.h, net/if.h. Modify term.h, + security/pam_appl.h tests. + +2004-02-03 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/check-gen.c: test for: (length_type): TSequenceOf: add + up the size of all the elements, don't use just the size of the + last element. + + * lib/krb5/aes-test.c: add "next iv" test for aes128, check + decryption case too + + * lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of + the next to last block, fix decryption case too + + * lib/krb5/aes-test.c: add "next iv" test for aes128 + + * lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of + the next to last block + + * lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode + error + + * lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode + error + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): abort on internal asn1 + encode error + + * lib/krb5/mk_priv.c (krb5_mk_priv): abort on internal asn1 encode + error + + * lib/krb5/get_cred.c (make_pa_tgs_req): abort on internal asn1 + encode error + + * lib/krb5/build_auth.c (krb5_build_authenticator): abort on + internal asn1 encode error + + * lib/krb5/build_ap_req.c (krb5_build_ap_req): abort on internal + asn1 encode error + +2004-01-30 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: some text about order of [capaths] realms + +2004-01-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/context.c: register WRFILE ops + + * lib/krb5/keytab_file.c: add krb5_wrfkt_ops/WRFILE 
(same as FILE) + + * lib/krb5/krb5.h: add krb5_wrfkt_ops + + * kpasswd/kpasswdd.c (change): use the right password when + changing the password + +2004-01-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/fcache.c (_krb5_xlock): catch EINVAL and assume that it + means that the filesystem doesn't support locking + + * lib/krb5/keytab.c: remove #if 0 out file locking code + +2004-01-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/gen_length.c (length_type): TSequenceOf: add up the + size of all the elements, don't use just the size of the last + element. + +2004-01-13 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c (renew_validate): if renewable_flag and not time + specifed, use "1 month" + +2004-01-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_keyblock.3: add prototypes, describe + krb5_keyblock_zero + +2004-01-05 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_for_creds.c (add_addrs): don't add same address + multiple times + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): try to + handle errors better for previous commit + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): If tickets + are address-less, forward address-less tickets. + + * lib/krb5/get_cred.c: rename get_krbtgt to _krb5_get_krbtgt and + export it + diff --git a/third_party/heimdal/ChangeLog.2005 b/third_party/heimdal/ChangeLog.2005 new file mode 100644 index 0000000..a594d09 --- /dev/null +++ b/third_party/heimdal/ChangeLog.2005 
@@ -0,0 +1,2004 @@ +2005-12-15 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (tgs_make_reply): less const on hdb_entry_ex to + make samba happy + + * fix-export: Build kdc-private.h. + +2005-12-14 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (tgs_rep2): also print the principal for which + the enctype was missing + +2005-12-13 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kaserver.c: Finish up transition from hdb_entry to + hdb_entry_ex. + + * kdc/kerberos4.c: Finish up transition from hdb_entry to + hdb_entry_ex. + + * kdc/524.c: Finish up transition from hdb_entry to hdb_entry_ex. + + * kdc/kerberos5.c: Finish up transition from hdb_entry with + hdb_entry_ex. + + * lib/krb5/cache.c (krb5_cc_set_default_name): use + KRB5_DEFAULT_CCNAME. + + * lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME, pointer to + default credential cache. + + * lib/hdb/ndbm.c: memset hdb_entry_ex before use + + * lib/hdb/db3.c: memset hdb_entry_ex before use + + * lib/hdb/db.c: memset hdb_entry_ex before use + +2005-12-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.3: Add some more entrypoints. + + * lib/krb5/changepw.c: If there is a target principal, use the + realm of the realm to change the password with, + + * kuser/kinit.c: Default to use DH when fetching keys. + + * lib/hdb, kdc, kadmin/load.c: Wrap hdb_entry with hdb_entry_ex, patch + originally from Andrew Bartlet + + * lib/hdb/hdb-ldap.c: Wrap hdb_entry with hdb_entry_ex, add url + support, add ldapi support. + + * kdc/kerberos5.c (tgs_make_reply): there are no such things a + keytypes any more, just use enctypes. + + * kdc/kdc_locl.h: Remove private prototypes and instead include + <kdc-private.h>. + + * kdc/Makefile.am: Build kdc-private.h and depend on it. + + * kdc/config.c (configure): wrap line + + * doc/kerberos4.texi: KDC 4 support is always compiled in. + + * TODO: Remove some stuff that have been done. 
+ + * Makefile.am: Split long line + + * doc/apps.texi: Spelling, From Måns Nilsson. + + * doc/install.texi: spelling, From Måns Nilsson + +2005-12-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_principal.3: Constify principal argument to on + krb5_principal_get_ functions. + + * lib/krb5/principal.c: Constify principal argument to on + krb5_principal_get_ functions. + +2005-12-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb: drop convert_db, 0.0 to 0.1 transition was a long long + time ago + +2005-12-05 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_keytab.c: more tests, From Andrew Bartlet + + * lib/krb5/keytab_memory.c (mkt_remove_entry): realloc can return + NULL on success in the case 0 entries are allocated, From Andrew + Bartlet + +2005-12-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/acl.c (acl_parse_format): tmp needs to be freed too on + failure to parse format specifier. + + * lib/krb5/store-test.c: Free more of the allocated memory. + + * lib/krb5/crypto.c (krb5_derive_key): Free more of the allocated + memory, this function is only used by the test program. + + * lib/krb5/parse-name-test.c: Free more of the allocated memory. + + * lib/krb5/derived-key-test.c: Free more of the allocated memory. + +2005-12-01 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: spelling, From Måns Nilsson + + * lib/krb5/krb5_keytab.3: Memory keytab are now named and + refcounted. + + * lib/krb5/test_keytab.c: Test that memory keytab are refcounted. + + * lib/krb5/keytab_memory.c: Index by name and start reference + counting on entries. + +2005-11-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.h (krb5_address_type): add + KRB5_ADDRESS_NETBIOS (20) + + * lib/hdb/hdb.c (find_method): accept relative paths as old db + format too. + + * lib/krb5/aes-test.c: Remove usage of krb5_enctype_to_keytype. + +2005-11-29 Dave Love <fx@gnu.org> + + * kcm/connect.c (kcm_loop): Use HAVE_DOOR_CREATE, not HAVE_DOORS. 
+ +2005-11-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.c (libdefaults_entries): add + default_cc_name + + * lib/hdb/hdb.c: Only match db databases on filename starting with + '/'. + + * lib/krb5/rd_req.c (krb5_verify_ap_re2): check timestamp in + authenticator + + * lib/krb5/rd_req.c (check_transited): explain the TR-type 0 + better and why it matters. + + * lib/krb5/test_cc.c: test krb5_cc_get_prefix_ops + + * lib/krb5/cache.c (krb5_cc_get_prefix_ops): change the behavior + to return NULL when its not found, and fcc when the name starts + with a '/'. Almost matches behavior in other parts of the code, + but can't really do that since the name passed in to this function + may only contain the prefix itself without the colon. + + * lib/krb5/cache.c (krb5_cc_get_prefix_ops): if there are not + colon (:) in the name, its a file credential cache + + * lib/hdb/db3.c (hdb_db_create): use calloc to callocate memory + + * lib/hdb/ndbm.c (hdb_ndbm_create): use calloc to allocate memory + + * lib/hdb/db.c (hdb_db_create): use calloc to allocate memory + +2005-11-28 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use session + key for delegated credentials + + * kdc/kerberos5.c (_kdc_as_rep): add comment when we send + ETYPE-INFO and ETYPE-INFO2, from Andrew Bartlett + +2005-11-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/keytab.c (krb5_kt_get_full_name): new function + +2005-11-24 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_crypto.c: Split encryption and s2k iterations to + diffrent counters, 38seconds of aes256 s2k is way too long. + + * lib/krb5/test_crypto.c: Add timing code for s2k function. + +2005-11-07 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: Print the time the principal expired, based on + patch from Andrew Bartlett. 
+ +2005-11-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/cache.c (krb5_cc_get_full_name): Add + +2005-11-01 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: Spelling, From Michael Banck <mbanck@debian.org> + +2005-10-30 Love Hörnquist Åstrand <lha@it.su.se> + + * kcm/headers.h: Maybe include <sys/param.h>. + +2005-10-27 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): + understand KRB5_AUTHDATA_IF_RELEVANT and KRB5_AUTHDATA_AND_OR (but + have KRB5_AUTHDATA_KDC_ISSUED commented out for now) + +2005-10-26 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/klist.c: In the list caches view, rename the Status field + to Expires. + + * lib/krb5/krb5_encrypt.3: Fix mdoc for + krb5_encrypt_EncryptedData, Johnny Lam <jlam@pkgsrc.org> + +2005-10-25 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/test/gssapi_client.c: Check return value from asprintf + instead of string != NULL since it undefined behavior on + Linux. From Björn Sandell + +2005-10-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c (_krb5_dh_group_ok): if not enough bits are + generated from the DH groups, fail. + + * kdc/pkinit.c (get_dh_param): Pass down config so this function + can check pkinit_dh_min_bits + + * kdc/config.c: Fill in pkinit_dh_min_bits from configuration + file. + + * kdc/kdc.h: Add pkinit_dh_min_bits to krb5_kdc_configuration. + +2005-10-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: Add option to require binding between reply + and response for the win2k version of the protocol. + +2005-10-19 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/programming.texi: Text about Kerberos errors. + + * lib/krb5/pkinit.c: Try both ReplyKey and ReplyKey-Win2k for the + Windows case to support the updated -09 protocol (using + asChecksum). Tell KDC we support this by sending + KRB5-PADATA-PK-AS-09-BINDING in the pa-data. + + * lib/krb5/test_cc.c: Test copy FILE -> FILE, and MEMORY -> MEMORY + too. 
+ + * lib/krb5/test_cc.c: Test krb5_cc_copy_cache and + krb5_cc_cache_match. + + * lib/krb5/cache.c (krb5_cc_cache_match): add function that + iterates over all credential caches for a user and returns a + match. + + * lib/krb5/krb5_ccache.3: Add krb5_cc_start_seq_get and an + example. + +2005-10-18 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/programming.texi: Try to explain krb5_ccache, krb5_principal + and errors. + +2005-10-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_get_credentials.3: Add example how to use + krb5_get_credentials. + +2005-10-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds.c: Rename private to opt_private. + + * lib/krb5/init_creds_pw.c: Rename private to opt_private. + + * lib/krb5/pkinit.c: rename element private to opt_private to make + c++ picky compilers less upset. + + * lib/krb5/krb5.h (krb5_get_init_creds_opt): rename element + private to opt_private to make c++ picky compilers less upset. + +2005-10-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krbhst.c (_krb5_krbhost_info_move): new function + (_krb5_free_krbhst_info): expose to internal use + + * lib/krb5/init_creds_pw.c: Prepare to pass down a + krb5_krbhst_info into the pre-auth mechs + + * lib/krb5/pkinit.c: Inline short functions, share more code, + rename COMPAT_27 to COMPAT_IETF, pass down a krb5_krbhst_info for + verification of KDC info, and general cleaning up. + +2005-10-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: Install krb5.moduli in sysconfdir. + + * lib/krb5/krb5_locl.h: rename moduli file to SYSCONFDIR + "/krb5.moduli" + + * lib/krb5/krb5_locl.h: Add forward declaration for + krb5_dh_moduli. Add define for MODULI_FILE. + + * kdc/pkinit.c: Removing PK-INIT-19 support. + + * lib/krb5/pkinit.c: Removing PK-INIT-19 support. + + * lib/krb5/pkinit.c (_krb5_dh_group_ok): return DH group name on + success. 
+ (krb5_get_init_creds_opt_set_pkinit): use moduli file if it exists + + * kdc/pkinit.c: Save DH group name and print it on success. + + * lib/krb5/pkinit.c (_krb5_dh_group_ok): if q is zero, ignore it. + + * kdc/pkinit.c: Check dh group parameters from client. + + * lib/krb5/krb5_err.et: Match error code with pk-init-27. + + * lib/krb5/pkinit.c: Update error codes. Add name to group. Change + return value of _krb5_dh_group_ok. + + * lib/krb5/pkinit.c: Add support for reading a moduli-file for DH + parameters. + +2005-10-06 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/klist.1: Document --list-caches + + * kuser/klist.c: Change short flag of --list-caches to -l (-v is + already used). + +2005-10-03 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/kerberos.8: RFC 1510 was obsoleted by 4120. + + * lib/krb5/acache.c (init_ccapi): return kerberos errors, callers + expect it + (acc_get_cache_first): don't leak memory or abort on malloc + failure + +2005-10-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/kerberos.8: Update text about Kerberos RFC's. + +2005-10-01 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/klist.c: Add option --list-caches that lists the avaible + caches and their status. + + $ klist --list-caches + Principal Cache name Status + lha@E.KTH.SE 2 Valid + lha@SU.SE 1 Expired + lha/root@SU.SE 0 Expired + lha@N.L.NXS.SE Initial default ccache Expired + +2005-09-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/keytab_keyfile.c: Use all DES keys, not just + des-cbc-md5, verify that they all are the same. + + * lib/krb5/mcache.c Implement the cache iteration functions. + + * lib/krb5/acache.c: Implement the cache iteration functions. + + * lib/krb5/test_cc.c: Test the new cache iteration functions. + + * lib/krb5/cache.c: Add cache iteration funcations. Add internal + allocation function for the memory of a krb5_ccache, and use it. 
+ + * lib/krb5/krb5.h (krb5_cc_ops): add cache iteration functions + +2005-09-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_mk_req.3: Remove leftovers, remove extra space. + + * kdc/kerberos5.c: More verbose PK-INIT logging. + + * kdc/pkinit.c: The public DH key is encoded as an INTEGER in + subjectPublicKey. Don't verify OID's for now. + + * lib/krb5/pkinit.c: Support cached DH variable (still need to + store it though), don't check the oid of the DH signedData for + now. + +2005-09-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/rd_cred.c (krb5_rd_cred): try both the session key and + the sender subkey. Both RFC1510 and RFC4120 say that you have to + use the session key, Heimdal uses subkey. + +2005-09-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: Don't check oid's too closely, they change in + Windows Vista. + +2005-09-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: Disable sending -19, fix parsing -27 of the + protocol. + + * kdc/pkinit.c: Support PK-INIT-27 DH (and remove -19) + + * lib/krb5/pkinit.c (pk_verify_chain_standard): set cert to NULL + to make sure its not freed. + +2005-09-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/crypto.c (krb5_DES_string_to_key): If the opaque length + it set to 1, and content is 0x01, use the afs3 string-to-key. + + * kdc/kerberos5.c (make_etype_info2_entry): When its a afs3-salted + key, use send the opaque, length 1 (with content set to 0x01) in + ETYPE-INFO2-ENTRY. + + * lib/krb5/kcm.c: Remove signedness warnings. + +2005-09-15 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: Use libtool's default values for building + shared/static libaries, ie remove AC_ENABLE_SHARED(no), solves + building problems users have on Mac OS X. + +2005-09-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/changepw.c: Constify password. + +2005-09-05 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_mk_req.3: Document krb5_rd_req. 
+ + * lib/krb5/Makefile.am: MAN_mans+= krb5_mk_req.3 + + * lib/krb5/krb5_mk_req.3: Document krb5_mk_req, krb5_mk_req_exact, + krb5_mk_req_extended, krb5_rd_req, krb5_rd_req_with_keyblock, + krb5_mk_rep, krb5_mk_rep_exact, krb5_mk_rep_extended, krb5_rd_rep, + krb5_build_ap_req, krb5_verify_ap_req. + +2005-09-01 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (make_etype_info_entry): Dont send salttype at + all, use KRB5-PADATA-AFS3-SALT + +2005-08-31 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (log_timestamp): endtime, not endtype + +2005-08-30 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: Check for <sys/ucred.h>. + + * kcm/connect.c (update_client_creds): in case there is no + UCRED_VERSION, skip LOCAL_PEERCRED + + * kcm/headers.h: include <sys/ucred.h> + +2005-08-27 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/rd_req.c (check_transited): Allow empty content of type + 0 because that is was Microsoft generates in their TGT. + + * kdc/kerberos5.c (fix_transited_encoding): Allow empty content of + type 0 because that is was Microsoft enerates in their TGT. + +2005-08-26 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/intro.texi: RFC 4120 replaces RFC 1510 + +2005-08-25 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: Add --disable-afs-support. + +2005-08-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: Add test_hostname to check_PROGRAMS but + not TESTS, I have no same dns to use. + + * lib/krb5/test_hostname.c: Testprogram for krb5_expand_hostname() + and krb5_expand_hostname_realms(). + + * configure.in: Build KCM if we have doors or unix sockets. + + * lib/krb5/principal.c (krb5_425_conv_principal_ex2): Remove + shadowing variable. + + * lib/krb5/get_host_realm.c (dns_find_realm): Fix const warnings, + plug memory leak. 
From: Stefan Metzmacher <metze@samba.org> + + * lib/krb5/krb5_config.3: Document what happens with NULL to + krb5_config_free_strings + (nothing). Mdoc nit. + +2005-08-22 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/klist.c (check_for_tgt): Re-order code so it only free the + credential if one was returned. + + * lib/krb5/test_crypto_wrapping.c: Fix printing of size_t. + +2005-08-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/dbinfo.c: provide interface to find databases + + * lib/hdb/mkey.c: hdb_seal_key_mkey): dont double encrypt keys + +2005-08-15 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kdc_locl.h: Update prototype for _kdc_pk_mk_pa_reply. + +2005-08-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c: Save the request buffer so that + pre-auth mechanism that needs it can verify the reply. + +2005-08-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_mem.c: Rename logf to avoid shadowing. + + * lib/krb5/krb5_keytab.3: Fix the version number for + fcc-mit-ticketflags. + + * lib/krb5/fcache.c: Revert previous, I was confused. + + * lib/krb5/krb5_keytab.3: Document fcc-mit-ticketflags in + COMPATIBILITY section. + + * lib/krb5/fcache.c (fcc_store_cred): default to MIT style ticket + flags. + + * kdc/pkinit.c (pk_mk_pa_reply_enckey): add missing break; + + * lib/krb5/krb5_create_checksum.3: Update prototype for + krb5_create_checksum. + + * kdc/pkinit.c: Make compile. + + * lib/krb5/pkinit.c: Implement verification of asChecksum, now + client side code is using -27 of the pk-init draft. + + * kdc/kdc_locl.h: update prototype for _kdc_as_rep + + * kdc/pkinit.c: Fill in asChecksum, we now implements -27 in the KDC. + + * kdc/process.c: Pass down the request buffer to _kdc_as_rep(). + + * kdc/kerberos5.c (_kdc_as_rep): Pass down the request buffer to + _kdc_pk_mk_pa_reply. + +2005-08-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/ext.c: HDB extensions access glue. 
+ + * kcm/acquire.c: Use krb5_set_password instead of + krb5_change_password. + + * configure.in: Add tests/Makefile and tests/db/Makefile. + + * NEWS: New ASN.1 compiler + + * lib/hdb/Makefile.am: Build extensions. + + * lib/hdb/print.c: Print extensions. + + * lib/hdb/hdb_err.et: Add error "Entry contains unknown mandatory + extension". + + * lib/hdb/hdb.h: Update interface version (and indent). + + * lib/hdb/hdb.asn1: Add support for HDB-extension. + +2005-08-10 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_pkinit_dh2key.c: add tests vectors from + "Liqiang(Larry) Zhu" <lzhu@windows.microsoft.com> + + * lib/hdb/mkey.c: Expose the crypto operations on the master key. + + * lib/krb5/test_pkinit_dh2key.c: even more bits, not done yet + +2005-08-09 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (_kdc_as_rep): preserve the error code in the + ENC-TS case. From: Andrew Bartlett <abartlet@samba.org> + + * kdc/kerberos5.c (tgs_rep2): only needs to log "Failed to verify + authenticator" once, its already done by + tgs_check_authenticator(). + + * kdc/kerberos5.c: Indent strings. + + * kdc/kerberos5.c (log_timestamp): avoid shadow warnings 
From: + Andrew Bartlett <abartlet@samba.org> + + * lib/krb5/verify_user.c: Add krb5_verify_opt_alloc and + krb5_verify_opt_free. + + * lib/krb5/krb5_verify_user.3: Document krb5_verify_opt_alloc and + krb5_verify_opt_free. + + * lib/hdb/db3.c (DB_open): catch errors from the d->open calls + instead of letting them slip though to d->cursor. Bug repport from + Andrew Bartlett <abartlet@samba.org> + +2005-07-29 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/Makefile.am (kdc_LDADD): add LDADD + +2005-07-28 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (_kdc_as_rep): log what enctypes was using in + ENC-TS preauth, both for failure and success. + + * kdc/hprop.c: Use the _krb5_krb_life_to_time function from + libkrb5 instead of including our own here too. + + * kdc/kerberos5.c: indent printf strings + + * lib/hdb/mkey.c (hdb_unseal_key_mkey): try to unseal key with + keyusage 0 in case the key was encrypted with MIT Kerberos (old + patch from Johan) + +2005-07-26 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: update to pkinit-27 + +2005-07-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: Adapt to IMPLICIT changes in CMS module. + +2005-07-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_pkinit_dh2key.c: framework for testing + _krb5_pk_octetstring2key + + * kpasswd/kpasswdd.c (doit): krb5_addr2sockaddr takes a + krb5_socklen_t + + * kdc/connect.c (de_http): sscanf takes a char *, not unsigned + ditto, cast approriately + + * lib/krb5/crypto.c (_krb5_pk_octetstring2key): make sha1 output + unsigned char to match openssl + +2005-07-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/common.c: Check encoder lengths from ASN1_MALLOC_ENCODE. + +2005-07-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/rd_cred.c (krb5_rd_cred): don't leak memory + + * lib/krb5/get_cred.c (krb5_get_credentials_with_flags): only call + krb5_cc_retrieve_cred once, and plug memory leak. 
+ +2005-07-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/Makefile.am: the new asn.1 compiler includes the modules + name in the depend file + + * lib/krb5/keytab_file.c (fkt_start_seq_get_int): check return + value from krb5_storage_from_fd + + * lib/krb5/pkinit.c (pk_rd_pa_reply_dh): client do not contribute + to the DH when the server doesn't support the cached DH request. + + * lib/krb5/crypto.c (_krb5_pk_octetstring2key): fix arguments + +2005-07-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: clean up pk-init DH support, not finished + yet; improve error reporting + + * lib/krb5/crypto.c (_krb5_pk_octetstring2key): string2key + function used in pk-init-25 + + * configure.in: Use a configure switch to turn on PK-INIT, not by + detecting existence of the new ASN.1 library. + + * lib/asn1: Much improved ASN.1 compiler from joda-choice-branch. + + Highlighs for the compiler is support for CHOICE and in general better + support for tags. This compiler support most of what is needed for + PK-INIT, LDAP, X.509, PKCS-12 and many other protocols. + +2005-07-10 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1: make scope variables unique to avoid shadow warnings + +2005-07-09 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.h: comment out paramenter name in typedef + functions to avoid shadow warnings + + * lib/krb5/crypto.c: make input data to krb5_encrypt{,_ivec} const + + * kuser/klist.c: If there are no addresses, print addressless + instead of nothing. 
+ + * lib/krb5/Makefile.am (TESTS): add test_crypto_wrapping + + * lib/krb5/crypto.c (wrapped_length): the underived encrypted + types checksum are all unkeyed (matches the code in + encrypt_internal() and encrypt_internal_special()) + + * lib/krb5/test_crypto_wrapping.c: ETYPE_ARCFOUR_HMAC_MD5_56 isn't + not supported + + * lib/krb5/test_crypto_wrapping.c: test encryption wrapping + + * lib/krb5/test_crypto.c (time_encryption): free cleartext buffer + +2005-07-08 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: run AM_INIT_AUTOMAKE before AM_PROG_CC_C_O + otherwise am_aux_dir will be expanded using ac_aux_dir before the + later is set. + + * configure.in: check for strings.h explicitly instead of + depending on AC_HEADER_STDC to check it for us + +2005-07-07 Assar Westerlund <assar@kth.se> + + * configure.in: add AM_PROG_CC_C_O for automake 1.9 + +2005-07-06 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/keytab.c (krb5_kt_get_entry): clear error string when + returning a new error + + * lib/krb5/keytab.c: krb5_kt_close frees all resources, even on + error. + + * lib/krb5/verify_init.c (krb5_verify_init_creds): `entry' unused, + remove 
From: "Henry B. Hotz" <hotz@jpl.nasa.gov> + +2005-07-05 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/win2k.texi: arcfour-hmac-md5 support for windows cross was + added in w2k3-sp1 From David Love + + * doc/setup.texi: document kadmin command password-quality instead + of the not installed test_pw_quality + + * lib/krb5/krb5_get_init_creds.3: Spelling, from David Love + + * fix-export: build kdc-protos.h + +2005-07-01 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc: prefix pkinit symbols with _kdc + + * kuser/kinit.c: avoid shadowing variables + + * kuser: s/optind/optidx/ + + * kdc: adapt pkinit code to libkdc split + +2005-06-30 Love Hörnquist Åstrand <lha@it.su.se> + + * tools/Makefile.am: add depency on LIB_dlopen and LIB_door_create + + * tools/krb5-config.in: add depency on LIB_dlopen and LIB_door_create + + * kdc/kdc_locl.h: indent, remove dup prototypes + + * kdc/libkdc: don't pollute namespace, generate public headerfile + + * lib/krb5/principal.c: add krb5_425_conv_principal_ext2 that work + just like krb5_425_conv_principal_ext but takes a context variable + for the verification function + + * kdc/Makefile.am: there is no export script, not pretend there is + + * kdc: Merge in the libkdc/kdc configuration split from Andrew + Bartlet <abartlet@samba.org> + + * lib/krb5/crypto.c: optionally compile in support for afs string2key + + * configure.in: add --disable-afs-string-to-key to allow removal + of support for afs string2key (and dependency on crypt) + +2005-06-29 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: Add logging of all timestamps in AS-REQ and + TGS-REQ, for auditing + + * kdc/kerberos5.c (as_req): print the supported encryption types + so its possible to know what clients to update. + (find_rpath): return const char * and update callers. 
+ +2005-06-28 Luke Howard <lukeh@padl.com> + + * kcm/connect.c: fix arguments to kcm_log() when reporting + sendmsg() error + + * kcm/connect.c: don't send socket address in msghdr, it + returns an already connected error on Linux + +2005-06-24 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/524.c: Always include <krb5-v4compat.h>. + +2005-06-23 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/intro.texi: no more libdes, gssapi lib is complete + + * lib/krb5/krb5.conf.5: Documentation for password quality + control. 
From: "James F. Hranicky" <jfh@cise.ufl.edu> + + * lib/krb5/verify_krb5_conf.c (password_quality_entries): add + min_length and min_classes + + * kdc/kaserver.c: log the kaserver requests, avoid shadowing + variables + + * lib/hdb/db3.c (DB_open): in case of error, close database + + * lib/hdb/ndbm.c (NDBM_open): in case of error, close database + + * lib/hdb/db.c (DB_open): in case of error, close database + +2005-06-20 Love Hörnquist Åstrand <lha@it.su.se> + + * kcm/kcm.8: fix example + +2005-06-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/rd_rep.c: indent + + * lib/krb5/rd_rep.c (krb5_rd_rep): check if + KRB5_AUTH_CONTEXT_DO_TIME set and use that as a que that timestamp + should be checked, DCE-STYLE gssapi needs to be able to tweek this + + * kdc/string2key.c: rename optind to optidx + + * lib/hdb/convert_db.c: rename optind to optidx + + * lib/hdb/keytab.c: const poison, add a unconst where needed + + * lib/krb5/crypto.c (krb5_string_to_key): unconst password + + * lib/asn1/k5.asn1: rename pvno to krb5-pvno + + * lib/krb5/get_in_tkt_with_keytab.c (krb5_keytab_key_proc): + unconst argument + + * lib/krb5/verify_krb5_conf.c: rename optind to optidx + + * lib/krb5/transited.c: rename the temporary string variable to + `str' + + * lib/krb5/test_crypto.c: rename optind to optidx + + * lib/krb5/test_alname.c: rename optind to optidx + + * lib/krb5/store.c: unconst argument to krb5_store (XXX this + should be fixed, krb5_store doesn't need to modify its argument) + + * lib/krb5/send_to_kdc.c (krb5_sendto): remove shadowing + unnessecery variable ret + + * lib/krb5/rd_cred.c (krb5_rd_cred): remove shadowing unnessecery + variable len + + * lib/krb5/prog_setup.c: rename optind to optidx + + * lib/krb5/padata.c: rename variable index to idx + + * lib/krb5/log.c: rename variable time to timestr to avoid + shadowing + + * lib/krb5/krbhst.c (krb5_krbhst_init_flags): rename variable to + avoid shadowing + + * lib/krb5/krbhst-test.c: rename optind to optidx + + * 
lib/krb5/kcm.c: unconst argumen to connect, unconst argument to + krb5_store (XXX this should be fixed, krb5_store doesn't need to + modify its argument) + + * lib/krb5/init_creds_pw.c (default_s2k_func): unconst password + + * lib/krb5/crypto.c: rename `encrypt' to avoid shadow warning + +2005-06-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/principal.c: rename index to idx + + * lib/krb5/mk_error.c: use rk_UNCONST + + * lib/krb5/fcache.c: rename to avoid shadowing + + * lib/krb5/config_file.c: rename to avoid shadowing + + * lib/krb5/cache.c (_krb5_expand_default_cc_name): just copy the + string instead of losing const + + * lib/krb5/addr_families.c: use rk_UNCONST to silence const + warning + + * lib/krb5/addr_families.c: rename sin to sin4 + + * lib/asn1/asn1_print.c: rename optind to optidx, remove shadowed + variables + + * lib/asn1/main.c: rename optind to optidx + + * lib/asn1/gen_copy.c: rename to avoid shadowing + + * lib/asn1/gen_locl.h: rename function filename to get_filename + + * lib/asn1/lex.l: use get_filename + + * lib/asn1/gen.c: rename function filename to get_filename + + * lib/krb5/acache.c: use HAVE_DLOPEN around cc_handle + + * configure.in: add headers and prototypes to logwtmp, logout and + openpty checks + + * configure.in: include headerfiles and set prototype for tgetent + + * kdc/kerberos5.c (make_etype_info2_entry): NUL terminate the + string + + * kdc/kerberos5.c: replace strndup with inline copy, free data on + failure + + * lib/krb5/cache.c (_krb5_expand_default_cc_name): replace strndup + with inline copy + + * lib/krb5/log.c: rename close and log to avoid shadow warnings + + * lib/krb5/get_in_tkt.c: rename index to i to avoid shadowing + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): rename two + of the local `realm' to srealm to avoid shadowing + + * kdc/kerberos5.c (tgs_rep2): rename one of the tkey to uukey to + avoid shadow warning + + * kdc/kerberos5.c (tgs_rep2): rename loop to nloop to avoid shadow + 
warning + +2005-06-15 Love Hörnquist Åstrand <lha@it.su.se> + + * Release 0.7, see branch + +2005-06-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: TESTS += test_mem libkrb5_la_SOURCES += + kcm.h + + * kuser/kinit.c (main): catch KRB5_CONFIG_BADFORMAT from + krb5_init_context + + * kdc/main.c (main): catch KRB5_CONFIG_BADFORMAT from + krb5_init_context + + * lib/krb5/verify_krb5_conf.c (main): catch KRB5_CONFIG_BADFORMAT + from krb5_init_context 
From: Mathias Feiler + <feiler@uni-hohenheim.de> + + * lib/krb5/verify_krb5_conf.c: Add more missig entires, from + Mathias Feiler <feiler@uni-hohenheim.de> + +2005-06-11 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c (pk_principal_from_X509): remember to free + KRB5PrincipalName + + * lib/krb5/log.c (krb5_closelog): free all content in + krb5_log_facility + +2005-06-08 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/524.c: init kvno to please gcc + + * kdc/kaserver.c (do_authenticate): check return value from + unparse_auth_args + +2005-06-07 Dave Love <fx@gnu.org> + + * doc/setup.texi: Spelling. + + * doc/programming.texi: Spelling. + +2005-06-02 Dave Love <fx@gnu.org> + + * kcm/connect.c (kcm_door_server): Make static. + + * kcm/kcm_locl.h (disallow_getting_krbtgt): Declare. + +2005-06-02 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/mit_dump.c (mit_prop_dump): cast argument to + krb5_parse_principal to avoid warning + + * kdc/mit_dump.c: rename KRB5_TL_MOD_PRINC to + mit_KRB5_TL_MOD_PRINC to hint its a constant originating from mit + codebase + +2005-06-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/store.c: If we are allocating 0 entires, avoid failing + if ALLOC returns NULL + + * lib/krb5/verify_krb5_conf.c: Check for [kdc]v4-realm + + * lib/krb5/cache.c: When returning a new error code, set error + string. + +2005-05-31 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/keytab_file.c: Adapt to changed signature of + _krb5_xunlock, clear more error string where needed. 
+ + * lib/krb5/fcache.c (_krb5_xunlock): catch the error and turn it + into something sensable + +2005-05-30 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (tgs_make_reply): copy ok-as-delegate flag from + server entry to encrypted ticket flags + +2005-05-30 Johan Danielsson <joda@pdc.kth.se> + + * kdc/connect.c: rename sendlength to prependlength (which + hopefully better represents its purpose), and change type to + krb5_boolean + + * kdc/connect.c: log signal causing exit + + * kdc/main.c (sigterm): set exit_flag to signal causing exit; + (main): trap SIGXCPU + +2005-05-30 Love Hörnquist Åstrand <lha@it.su.se> + + * kcm/kcm.8: document --disallow-getting-krbtgt and --door-path + + * kcm/protocol.c (kcm_op_retrieve): check server for krbtgt, not + client + + * kcm/main.c: ignore SIGPIPE + + * kcm/protocol.c: Add option to disallow getting krbtgt out from + from KCM. KCM will do the fetching part itself. + + * kcm/config.c: Add option to disallow getting krbtgt out from + from KCM. KCM will do the fetching part itself. + +2005-05-30 Luke Howard <lukeh@padl.com> + + * kcm/events.c: if credentials have expired when attempting + to renew, attempt to reacquire them using initial creds + +2005-05-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_principal.3: Spelling, from Björn Sandell + + * doc/setup.texi: spelling, from Björn Sandell + + * lib/krb5/name-45-test.c: XXX don't run the test unless the + machine is in kth.se or su.se because it depends on local resolver + configuration. 
+ + * lib/hdb/hdb.c: provde RTLD_NOW and RTLD_GLOBAL if they don't + exists + + * kcm/connect.c: fix doors support, fix signedness warnings + + * kcm/config.c: add --door-path= + + * configure.in: comment what the "detect doors on solaris" + fragment tries to do + + * kcm/acquire.c (generate_random_pw): fix signed-ness warnings + + * kcm/connect.c (update_client_creds): fix compile error in the + getpeerucred case + + * lib/krb5/test_cc.c: change format for expantion variables in + default_cc_name to %{variable} to not confuse them with shell + ditto + + * kcm/headers.h: Maybe include <door.h>. + + * kcm/kcm_locl.h: add extern door_path; + + * configure.in: detect doors using door_create + + * kcm/Makefile.am: add dependcy on kcm_protos.h add lib depency on + LIB_door_create + + * lib/krb5/kcm.h: add _PATH_KCM_DOOR, default path to kcm door + + * lib/krb5/kcm.c: use [libdefaults]kcm_door to find the door to + kcm + + * lib/krb5/Makefile.am: libkrb5_la_LIBADD += LIB_door_create + + * lib/krb5/krb5_locl.h: Maybe include <sys/mman.h>, maybe include + <door.h>. 
+ + * lib/krb5/kcm.c (kcm_send_request): add support for doing a door + call to kcm + + * lib/asn1: prefix Der_class with ASN1_C_ to avoid problems with + system headerfiles that pollute the name space + + * kcm/kcm.8: change format for expantion variables in + default_cc_name to %{variable} to not confuse them with shell + ditto + + * lib/krb5/krb5.conf.5: change format for expantion variables in + default_cc_name to %{variable} to not confuse them with shell + ditto + + * lib/krb5/cache.c (_krb5_expand_default_cc_name): change format + for expantion variables to %{variable} to not confuse them with + shell ditto + + * kcm/connect.c: add LOCAL_PEERCRED and experimental doors support + +2005-05-27 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/kf/kfd.c: case uid_t to unsigned long in printf format + +2005-05-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_auth_context.3: remove trailing space + +2005-05-24 Love Hörnquist Åstrand <lha@it.su.se> + + * kcm/connect.c (do_request): use sendmsg to send the reply + + * fix-export: add make_proto for kcm/kcm_protos.h + + * kcm/kcm_locl.h: remove prototypes and add <kcm_protos.h> + + * kcm/Makefile.am (kcm_SOURCES): add headerfiles + (kcm_protos.h): generate prototypes + + * kcm/protocol.c: fix error in last commit, use right function + + * kcm/headers.h: include <ucred.h> if we have getpeerucred + + * configure.in: check for functions getpeerucred and getpeereid + + * kcm/connect.c (update_client_creds): add support for + getpeerucred and getpeereid + + * lib/krb5/kcm.c (kcm_alloc): allow kcm socket to be configured by + [libdefaults]kcm_socket=/path + +2005-05-24 David Love <fx@gnu.org> + + * kcm/kcm.8: KRB5CCNAME needs an literal uid, not ${uid}, spelling + +2005-05-23 Love Hörnquist Åstrand <lha@it.su.se> + + * kcm/protocol.c: Merge the description and function jumptables + into one structure. Use the length of the array when checking if + opcode is value, not a constant. 
+ + * kcm/kcm_locl.h: struct kcm_op: jumptable structure + + * kcm/main.c: move declaration of detach_from_console away from + here to kcm_locl.h, Don't test HAVE_DAEMON since roken supplies it. + + * kcm/kcm_locl.h: move declaration of detach_from_console here + + * kdc/config.c: Don't test HAVE_DAEMON since roken supplies it. + +2005-05-23 Dave Love <fx@gnu.org> + + * kcm/config.c: Don't test HAVE_DAEMON since roken supplies it. + + * kdc/main.c: Don't test HAVE_DAEMON since roken supplies it. + +2005-05-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_keytab.3: document WRFILE and JAVA14 + +2005-05-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krbhst.c (srv_get_hosts): if srv_get_hosts failes, + return and ignore the error + + * lib/krb5/krbhst.c (srv_find_realm): make sure `res' and `count' + have good values + + * lib/krb5/test_keytab.c: tests all keytab format + +2005-05-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c (_krb5_pk_rd_pa_reply): non non asn1 decoding + errors, fail. Make sure we free memory on error. + (pk_verify_chain_standard): make sure we provide good errors. + + * lib/krb5/verify_krb5_conf.c: add missing options, prompted by + James F. Hranicky mail to heimdal-discuss + + * lib/krb5/verify_krb5_conf.c: add pkinit and password quailty + check options + + * lib/krb5/pkinit.c (pk_verify_chain_standard): store better error + message in the context for certificate errors. + + * lib/krb5/keytab.c (krb5_kt_free_entry): zero out content of all + krb5_free_x_content like functions to make sure data doesnt get + reused, idea from Wynn Wilkes <wwilkes@vintela.com> + + * configure.in: depend on automake 1.8, we don't test anything + older + + * lib/krb5/init_creds_pw.c (process_pa_data_to_md): add comment + that the caller always free out_md; remove comment about memory, + it doesn't happen. 
+ (init_cred_loop): free ctx->as_req.padata when its reset (From Wynn + Wilkes <wwilkes@vintela.com>), move a comment close the the code + + * lib/krb5/keytab_krb4.c (fkt_remove_entry): need to call + krb5_kt_free_entry after each krb5_kt_next_entry. + + * lib/krb5/keytab_file.c (fkt_remove_entry): need to call + krb5_kt_free_entry after each fkt_next_entry_int. From: Wynn + Wilkes <wwilkes@vintela.com> + +2005-05-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: TESTS += test_keytab + + * lib/krb5/keytab_krb4.c (krb4_kt_remove_entry): plug memory leaks, + avoid crashing on empty keytab + + * lib/krb5/krb5_keytab.3: document behavior of + krb5_kt_remove_entry + + * lib/krb5/keytab_memory.c (mkt_remove_entry): check if there + isn't any entries in the keytab before removing any since that + leads to bad pointer arithmetic and crashing. From: Wynn Wilkes + <wwilkes@vintela.com>. Make the function return KRB5_KT_NOTFOUND + if the entry wasn't in the keytab (just like the filebased + keytab). + + * lib/krb5/test_keytab.c: test memory corruption in MEMORY keytab + + * lib/krb5{addr_families,context,creds,free,keyblock, + mit_glue,rd_error}.c:zero out content of all krb5_free_x_content + like functions to make sure data doesnt get reused, idea from + Wynn Wilkes <wwilkes@vintela.com> + + * lib/krb5/krb5_get_credentials.3: document KRB5_GC_EXPIRED_OK + + * lib/krb5/krb5.3: add krb5_cc_new_unique + +2005-05-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/fcache.c (fcc_get_first): check return value from + malloc, memset the structure, make sure cursor doesn't point to + freed memory on failure. 
From: Wynn Wilkes <wwilkes@vintela.com> + + * lib/krb5/krb5_auth_context.3: document + KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED + + * lib/krb5/get_cred.c: Remove expired credentials, based on + patches and comments from Anders Magnusson <ragge@ltu.se> and Wynn + Wilkes <wwilkes@vintela.com> + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): honor + KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED and create unencrypted + (ENCTYPE_NULL) credentials. for use with old mit server and java based + ones as they can't handle encrypted KRB-CRED. Note that the option + needs to turned on because if the consumer sends the KRB-CRED in + clear bad things will happen. + + * lib/krb5/context.c (krb5_init_context): register krb5_javakt_ops + + * lib/krb5/krb5.h: KRB5_GC_EXPIRED_OK: expired credentials is ok + to return from krb5_get_credentials. + KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED: make forward credentials + be unencrypted, for compatibility with mit kerberos and java + kerberos. krb5_javakt_ops: export + +2005-05-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/keytab_file.c: Add new keytab file format JAVA14 that + doesn't the use extended kvnos, as hinted, this is needed for + Java's Kerberos implementation. + +2005-05-10 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: handle pkinit-9, pkinit-19, and pkinit-25 + enckey, still no DH + + * kdc/pkinit.c: handle pkinit-9, pkinit-19, and pkinit-25 enckey, + still no DH + + * kdc/kerberos5.c (as_rep): search for pkinit-9, pkinit-19, and + pkinit-25 pa-data, return empty pkinit pa-data in the + PREAUTH_REQUIRED krb-error + + * doc/ack.texi: add pkinit people + + * lib/krb5/krb5_storage.3: document krb5_storage_is_flags + + * lib/krb5/{krb5_compare_creds.3,krb5_get_init_creds.3, + krb5_krbhst_init.3,krb5_storage.3}: + make more pretty, from Björn Sandell + +2005-05-09 Dave Love <fx@gnu.org> + + * doc/setup.texi: Fix and clarify password quality check examples. 
+ +2005-05-09 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/kuserok.c (krb5_kuserok): use POSIX_GETPWNAM_R instead + of HAVE_GETPWNAM_R 
From: Dave Love <d.love@dl.ac.uk> + +2005-05-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/addr_families.c (krb5_print_address): catch when the + unknown adress don't fit. From Björn Sandell <biorn@dce.chalmers.se> + +2005-05-05 Dave Love <d.love@dl.ac.uk> + + * configure.in: fix type right test, include <termios.h> for + sys/strtty.h, not sys/ptyvar.h + +2005-05-05 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.conf.5: spelling + +2005-05-04 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.conf.5: expand on what "trailing component" means + +2005-05-04 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/rd_cred.c: put address comparison in separate function + + * lib/krb5/krb5_kuserok.3: check the user's ~/.k5login.d directory + for access files, all of which is handled like the regular + ~/.k5login + + * lib/krb5/kuserok.c: check the user's ~/.k5login.d directory for + access files, all of which is handled like the regular ~/.k5login + +2005-05-03 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/ack.texi: Clearify what version of libdes we are using and + who's code in it we are using. + + * kcm/kcm.8: more text about usage + + * kcm/Makefile.am: man_MANS += kcm.8 + + * kcm/kcm.8: initial manpage + + * configure.in: if we have a $srcdir/lib/asn1/pkcs12.asn1, define + PKINIT + +2005-05-02 Dave Love <fx@gnu.org> + + * configure.in: sys/tty.h (for sys/ptyvar.h) might need termios.h. + +2005-05-02 Love Hörnquist Åstrand <lha@it.su.se> + + * tools/krb5-config.in: add com_err to required libs + + * lib/krb5/pkinit.c (krb5_ui_method_read_string): use the fill in + length + + * lib/krb5/init_creds_pw.c: Now that we fixed the signed-ness of + nonce for windows, remove the code that removed the signed + bit. Instead add comment that they still need to be the same + (Kerberos protocol nonce and pk-init nonce) for Windows. 
+ +2005-05-02 David Love <fx@gnu.org> + + * lib/krb5/crypto.c: Don't declare des_salt &c as static with + incomplete type (invalid in c89, at least). + +2005-05-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_locl.h: include <crypt.h> + +2005-05-02 David Love <fx@gnu.org> + + * kcm/connect.c (init_socket): rename variable sun to un to avoid + namespace collision. + (handle_stream): Cast arg of krb5_warnx. + +2005-04-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c: if we are using PKINIT, strip of the + highest bit to make windows PK-INIT happy. Also make the nonces + the same, again for windows, they are using pk-init-9. + + XXX check if it isn't the that nonce is an unsigned variable so + its just a asn1 mismatch. + + * kdc/pkinit.c: pass a NULL prompter data to _krb5_pk_load_openssl_id + + * kuser/kinit.c: krb5_get_init_creds_opt_set_pkinit + + * lib/krb5/pkinit.c: Pass prompter data to the prompter function, + implement a UI prompter function wrapping the kerberos prompter + function so that the the OpenSSL ENGINE can ask for a password + when loading the private key. 
From: Douglas E. Engert + + * lib/krb5: add <err.h> in test programs + + * configure.in: sys/ptyvar.h might need <sys/tty.h> + + * lib/krb5/Makefile.am: use LIB_com_err for libkrb5.la + +2005-04-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/Makefile.am: use $(LIB_com_err) + +2005-04-28 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/context.c (krb5_set_config_files): ignore permission + denied on configuration files, user might not be allowed to read + /var/heimdal/kdc.conf + +2005-04-26 Dave Love <fx@gnu.org> + + * lib/krb5/krb5_locl.h: define _POSIX_PTHREAD_SEMANTICS so we get + posix getpwnam_r + +2005-04-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/gen_glue.c: switch the units variable to a + function. gcc-4.1 needs the size of the structure if its defined + as extern struct units foo_units[] an we don't want to include + <parse_units.h> in the generate headerfile + +2005-04-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb.schema: add EQUALITY rule for krb5ValidStart, + krb5ValidEnd, krb5PasswordEnd From Howard Chu + +2005-04-24 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/whatis.texi: comment out docbook stuff for now + + * kuser/klist.c: use strlcpy + + * doc/ack.texi: we no longer use eay libdes, make acknowledgment + still be there, but claim that we no longer use it. Mark editline + to be a modified version as required by the license. 
+ + * lib/krb5/pkinit.c: use the unexported oid_to_enctype function + + * lib/krb5/crypto.c: unexport the oid_to_enctype function, not for + external consumers + + * kdc/Makefile.am: always add kaserver + + * lib/krb5/krb5_ccache.3: document krb5_cc_new_unique + + * lib/krb5/cache.c (krb5_cc_new_unique): new function to create a + new credential cache + + * kdc/headers.h: don't include kerberos 4 headers here + + * kdc/hpropd.c: include kerberos 4 headers here + + * kdc/connect.c: add kaserver support independ of having krb4 + support + + * kdc/config.c: add kaserver support unconditionally, make kdc + only fail to start when there are no v4 realm configured and + krb4/kaserver is turned on + + * kdc/kaserver.c: Use the new Kerberos 4 functions in libkrb5 and + so kaserver support is always compiled in (still default disabled) + + * lib/krb5/v4_glue.c: simplify error handling + + * doc/whatis.texi: add docbook version macro of @sub + + * doc/heimdal.texi: change the wrapping around the Top node to + ifnottex, make html generation work + + * lib/krb5/krb5_krbhst_init.3: spelling, from Björn Sandell + <biorn@dce.chalmers.se> + + * lib/krb5/krb5_get_krbhst.3: spelling, from Björn Sandell + <biorn@dce.chalmers.se> + + * lib/krb5/krb5_data.3: spelling, from Björn Sandell + <biorn@dce.chalmers.se> + + * lib/krb5/krb5_aname_to_localname.3: spelling, from Björn Sandell + <biorn@dce.chalmers.se> + + * lib/krb5/krb5_address.3: spelling, from Björn Sandell + <biorn@dce.chalmers.se> + +2005-04-23 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/config.c: Use the new Kerberos 4 functions in libkrb5 and so + kerberos 4 is always compiled in (still default disabled) + + * kdc/kerberos4.c: Use the new Kerberos 4 functions in libkrb5 and + so kerberos 4 is always compiled in (still default disabled) + + * lib/krb5/krb5_locl.h: forward declaration of _krb5_krb_auth_data + + * lib/krb5/convert_creds.c: Move the kerberos v4 replacement + functions to v4_glue.c + + * lib/krb5/v4_glue.c: 
Implement enough of kerberos 4 protocol to + be a KDC, move the v4 bits over here + + * lib/krb5/krb5-v4compat.h: add more v4 defines + +2005-04-22 Love Hörnquist Åstrand <lha@it.su.se> + + * kpasswd/kpasswdd.c: Support multi-realms databases, requires + that all the realms are configured on the KDC in krb5.conf with + [libdefaults]default_realm stanzas. + +2005-04-21 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: spell succeeded correctly, From Sean Chittenden + + * lib/krb5/addr_families.c: catch two more snprintf problems + +2005-04-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/Makefile.am: this lib include com_err, add -com_err to + CHECK_SYMBOLS + + * appl/test/http_client.c: cast ssize_t to unsigned long, fix + printf format + +2005-04-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/kuserok.c: use asprintf to avoid truncating pathnames + + * lib/krb5/get_host_realm.c: check return value of snprintf + + * lib/krb5/test_addr.c: check address truncation + + * lib/krb5/addr_families.c: check return values from snprintf and + clean up semantics of ret_len + + * lib/krb5/krb5_address.3: clarify what ret_len is in + krb5_print_address + + * lib/krb5/test_kuserok.c: add --version and --help + + * lib/krb5/kuserok.c: use getpwnamn_r if it exists + + * lib/krb5/Makefile.am: noinst_PROGRAMS += test_kuserok + + * lib/krb5/test_kuserok.c: test program for krb5_kuserok + +2005-04-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/acache.c (acc_resolve): if open_default_ccache failed + with ccErrCCacheNotFound try again with create_default_ccache, + this fixes the problem where the security server apperenly haven't + started yet on Mac OS X + + * lib/krb5/get_default_principal.c + (_krb5_get_default_principal_local): add, for use of functions + that in ccache layer to avoid recursive calls. 
+ + * lib/hdb/hdb-ldap.c: drop <ctype.h>, no longer use any of the is* + macros in this file + + * include/make_crypto.c: cast to unsigned char to make sure its + not negative when passing it to is* functions + +2005-04-15 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/programming.texi: remove manpage macro, add some more + references to manpages + + * doc/heimdal.texi: define manpage macro + + * doc/setup.texi: document new password policy code + + * kpasswd/kpasswdd.c: add verifier libraries with + kadm5_add_passwd_quality_verifier + + * lib/krb5/krb5_keyblock.3: document krb5_keyblock_init + +2005-04-14 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kaserver.c: AUTHENTICATE and AUTHENTICATE_V2 is almost the + same, and clients + (klog) can deal with that the kaserver returns the same thing for + both + + * lib/krb5/keyblock.c: Add krb5_keyblock_init to allocate an fill + in a keyblock from key data. + +2005-04-12 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: rk_WIN32_EXPORT for roken + +2005-04-10 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/test/gssapi_server.c: print out client principla of + delegated credential + +2005-04-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c (process_pa_data_to_key): also check + for KRB5_PADATA_PK_AS_REP_19, 
From: Douglas Engert + +2005-04-07 Love Hörnquist Åstrand <lha@it.su.se> + + * .cvsignore: ignore more generate files + +2005-04-04 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/check-der.c: use size_t, print size_t by casting to + unsigned long + + * lib/krb5/test_crypto.c: print size_t by casting to unsigned long + + * lib/krb5/acache.c: Argument to create_new_ccache is a principal, + not a credential cache name. Clean up lossage related to this + problem. + + * lib/hdb/Makefile.am: CHECK_SYMBOLS += HDBFlags2int + + * lib/krb5/addr_families.c + (krb5_address_prefixlen_boundary,krb5_free_address): + use find_atype when we are dealing with a kerberos address type + + * lib/krb5/aes-test.c: size_t vs int + fix printf + + * lib/krb5/pkinit.c: Since the decode can't make out the diffrence + between PA-PK-AS-REP-19 and PA-PK-AS-REQ-Win2k, try harder to + verify both cases + +2005-04-03 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/test/uu_client.c: print size_t by casting to unsigned long + +2005-04-01 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kerberos4.c (do_version4): check client and server max_life + + * kdc/kaserver.c (do_getticket): check client max_life + +2005-03-31 Love <lha@kth.se> + + * lib/krb5/verify_krb5_conf.c: const poison + + * lib/krb5/test_alname.c: const poison + + * lib/asn1/main.c: const poison + + * lib/krb5/test_addr.c: test parse IPv6 RANGE addresses + + * lib/krb5/addr_families.c: implement mask boundary for IPv6 + + * lib/asn1/gen.c: avoid const string warnings steming from + writeable-string + +2005-03-28 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: TESTS += test_addr + + * lib/krb5/test_addr.c: simple test for addresses + + * lib/krb5/addr_families.c: make RANGE parse prefixlen style + addresses too, fix printing of RANGE addresses, add + krb5_address_prefixlen_boundary + + * lib/krb5/krb5_keytab.3: stop memory leak in example, expand on + wildcards + +2005-03-26 Love Hörnquist Åstrand <lha@it.su.se> + + * 
lib/krb5/krb5_principal.3: spelling, from Tomas Olsson + + * lib/krb5/krb5_warn.3: spelling, from Tomas Olsson + +2005-03-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/acache.c: add mutex for global variables, clean up + returned error codes, implement storing addresses into the ccapi + + * appl/test/gssapi_server.c: free memory, make error strings match + + * appl/test/gssapi_server.c: use print_gss_name, print server name + too + + * appl/test/gss_common.h (print_gss_name): common code for + printing gss name + + * appl/test/gss_common.c (print_gss_name): common code for + printing gss name + + * appl/test/http_client.c: Make constent with rest of the gssapi + test programs + +2005-03-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/keys.c: AES is enabled by default, remove ifdefs + + * lib/krb5/crypto.c: AES is enabled by default, remove ifdefs + + * lib/krb5/aes-test.c: use hex encoder from roken AES is enabled + by default, remove ifdefs + + * kdc/kerberos5.c: AES is enabled by default, remove ifdefs + +2005-03-16 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: Add some text about modifying the database + +2005-03-15 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: widen lifetime/renewal warning text field, also + make use of unparse_time_approx, no need to be specific to the + second when ticket needs to be renewed or their lifetime. 
+ + * doc/heimdal.texi: copyright maintenance, drop eay, use updated + UCB license + + * lib/krb5/crypto.c: more static and unsigned issues + + * lib/krb5/crypto.c: fix signedness issues, prompted by report of + Magnus Ahltorp + +2005-03-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_keytab.3: more text about how to free returned + resources + +2005-03-10 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: handle the -25 generation path + + * lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_19 + + * lib/krb5/pkinit.c: fold in pk-init-25 asn1 changes + +2005-03-09 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: use generated oid's + + * lib/krb5/pkinit.c: use generated oid's + +2005-03-08 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: update to the asn1 structures used in -25's + + * lib/krb5/pkinit.c: update to the asn1 structures used in -25's + +2005-03-04 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: use the newly written hex function from + roken and remove the old implementation + +2005-03-01 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/test/http_client.c: allow specifing port to connect to + +2005-02-24 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: bump version to 21:0:4 + + * lib/hdb/Makefile.am: bump version to 8:0:1 + + * lib/asn1/Makefile.am: bump version to 7:0:1 + +2005-02-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/crypto.c (DES_string_to_key_int): must check for weak + keys after doing the DES_cbc_cksum + +2005-02-19 Luke Howard <lukeh@padl.com> + + * lib/krb5/krbhst.c: set KD_CONFIG after calling + config_get_hosts() in kpasswd_get_next() + From: Wynn Wilkes <wynnw@vintela.com> + +2005-02-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/db3.c (DB_open): correct the check for O_RDONLY + 
From: Chaskiel M Grundman <cg2v@andrew.cmu.edu> + +2005-02-09 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/crypto.c (krb5_random_to_key): cast size_t to int to + make %d work + +2005-02-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/keytab.c (krb5_kt_get_entry): tell what enctype the + caller requested to provide the user with a glue what the caller + was asking for. + +2005-02-05 Luke Howard <lukeh@padl.com> + + * lib/krb5/kcm.c: add _krb5_kcm_is_running, _krb5_kcm_noop + + * kcm/acquire.c: don't leak salt if keyproc called multiple + times + + * kcm/config.c: allow KCM system ccache to be configured from + krb5.conf, in the system_ccache stanza of [kcm] + +2005-02-03 Love Hörnquist Åstrand <lha@it.su.se> + + * kcm/protocol.c: use -1 as the invalid pid number + + * kcm/connect.c: support SCM_CREDS (for NetBSD) + + * kcm/Makefile.am: LDADD += LIB_pidfile + + * kcm/connect.c: make it possible to build on systems without + SO_PEERCRED (still doesn't work) + + * kcm/config.c: cast argument to isdigit to unsigned char + + * lib/krb5/krb5.conf.5: document large_msg_size + + * lib/krb5/context.c (init_context_from_config_file): init + large_msg_size to 6000 + + * lib/krb5/krb5.h (krb5_context_data): add large_msg_size, + threshold where we start to use transport protocols without tiny + max data transport sizes. 
+ + * lib/krb5/kcm.h: drop prototypes, they all live in krb5-private.h + by now + +2005-02-02 Luke Howard <lukeh@padl.com> + + * configure.in: generate kcm/Makefile + + * Makefile.am: recurse into kcm/ if KCM defined + + * kcm: add KCM daemon + +2005-02-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/send_to_kdc.c (send_and_recv_udp): make private again + + * lib/krb5/kcm.c: use AF_UNIX like the rest of the codebase, add + some more error strings + +2005-02-02 Luke Howard <lukeh@padl.com> + + * configure.in: add --enable-kcm option for Kerberos + Credentials Manager (KCM) + + * lib/krb5/Makefile.am: add kcm.c + + * lib/krb5/cache.c: use cc_retrieve_cred if present rather + than enumerating ccache + + * lib/krb5/context.c: register KCM cc_ops + + * lib/krb5/get_cred.c: pass all options to cc_retrieve_cred + + * lib/krb5/init_creds_pw.c: add krb5_get_init_creds_keyblock + + * lib/krb5/kcm.[ch]: add initial implementation of KCM + client library + + * lib/krb5/krb5.h: fix cc_retrieve prototype, add KCM cc_ops + + * lib/krb5/send_to_kdc.c: add _krb5_send_and_recv_tcp + + * lib/krb5/store.c: add krb5_store_creds_tag, krb5_ret_creds_tag + +2005-01-24 Luke Howard <lukeh@padl.com> + + * lib/krb5/init_creds_pw.c: allow NULL in_options to be passed + krb5_get_init_creds_password() + + * kdc/kerberos5.c: don't crash when logging no server etype + support if client == NULL + +2005-01-17 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kstash.c: s/random_key/random_key_flag/, From Dave Love + <d.love@dl.ac.uk> + +2005-01-12 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/apps.texi: Texinfo fixes. Text about irix 6.5 using + PAM. 
From: Dave Love <d.love@dl.ac.uk> + +2005-01-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.c: cast argument to isdigit to + unsigned char + + * lib/krb5/keytab_keyfile.c: cast argument to toupper to unsigned + char + + * lib/asn1/hash.c (hashcaseadd): cast argument to toupper to + unsigned char + + * appl/kf/kfd.c (kfd_match_version): cast argument to islower to + unsigned char + + * lib/krb5/krb5.3: drop krb5_{checksum,enctype}_is_disabled + + * lib/krb5/krb5_encrypt.3: drop krb5_enctype_is_disabled, more + text about krb5_enctype_valid + + * lib/krb5/krb5_create_checksum.3: drop + krb5_checksum_is_disabled + + * lib/krb5/crypto.c: drop krb5_{checksum,enctype}_isdisabled + + * lib/krb5/context.c: krb5_enctype_is_disabled is the same thing + as krb5_enctype_valid, so use the later since its older and the + api doesn't really need another entry point + + * lib/krb5/rd_req.c: krb5_enctype_is_disabled is the same thing as + krb5_enctype_valid, so use the later since its older and the api + doesn't really need another entry point + + * kdc/kerberos5.c: krb5_enctype_is_disabled is the same thing as + krb5_enctype_valid, so use the later since its older and the api + doesn't really need another entry point + +2005-01-05 Love Hörnquist Åstrand <lha@it.su.se> + + * kpasswd/kpasswdd.8: document --addresses, controls what + addresses kpasswd should listen too + + * kpasswd/kpasswdd.c: add --addresses, controls what addresses + kpasswd should listen too + + * lib/krb5/addr_families.c (krb5_parse_address): filter out dup + addresses from getaddrinfo + + * kpasswd/kpasswd.1: document -c + + * kpasswd/kpasswd.c: allow specifying a credential cache to use + for the admin principal + + * include/bits.c: constify to avoid warning with -Wwrite-string + + * NEWS: add 0.6.2 and 0.6.3 items + + * lib/krb5/krb5_keyblock.3: document krb5_generate_subkey_extended + + * lib/krb5/krb5_is_thread_safe.3: document function + + * lib/krb5/Makefile.am (man_MANS) += 
krb5_is_thread_safe.3 + + * lib/krb5/context.c (krb5_is_thread_safe): return TRUE is the + library was compiled with multithreading support. If not, + application must global lock the library, it it uses threads that + call kerberos functions at the same time. + +2005-01-05 Luke Howard <lukeh@padl.com> + + * lib/krb5/auth_context.c: use krb5_generate_subkey_extended() + + * lib/krb5/appdefault.c: remove redundant KRB5_LIB_FUNCTION + + * lib/krb5/build_auth.c: support for enctype negotiation + (client sends EtypeList in Authenticator authz data) + + * lib/krb5/context.c: mutex should be destroyed last in + krb5_free_context() + + * lib/krb5/generate_subkey.c: add krb5_generate_subkey_extended(), + set *subkey to NULL if key geneartion fails + + * lib/krb5/krb5.h: add KRB5_KU_PA_SERVER_REFERRAL_DATA + + * lib/krb5/mk_req_ext.c: support ETYPE_ARCFOUR_HMAC_MD5_56 + + * lib/krb5/rd_req.c: support for enctype negotiation + (client sends EtypeList in Authenticator authz data) + +2005-01-04 Luke Howard <lukeh@padl.com> + + * lib/asn1/k5.asn1: add authorization data types for enctype + negotiation implementation + +2005-01-04 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/changepw.c (change_password_loop): on failing to find a + kdc, set result_code to KRB5_KPASSWD_HARDERROR + +2005-01-01 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/heimdal.texi: Happy New Year + diff --git a/third_party/heimdal/ChangeLog.2006 b/third_party/heimdal/ChangeLog.2006 new file mode 100644 index 0000000..d48ea8a --- /dev/null +++ b/third_party/heimdal/ChangeLog.2006 
@@ -0,0 +1,2047 @@ +2006-12-28 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/process.c: Handle kx509 requests. + + * kdc/connect.c: Listen to 9878 if kca is turned on. + + * kdc/headers.h: Include <kx509_asn1.h>. + + * kdc/config.c: code to parse [kdc]enable-kx509 + + * kdc/kdc.h: add enable_kx509 + + * kdc/Makefile.am: add kx509.c + + * kdc/kx509.c: Kx509server (external certificate genration). + + * lib/krb5/ticket.c: add krb5_ticket_get_endtime + + * lib/krb5/krb5_ticket.3: Document krb5_ticket_get_endtime + + * kdc/digest.c: Remove <digest_asn.h>, its already included in + headers.h + + * kdc/digest.c: Return session key for the NTLMv2 case too + + * lib/krb5/digest.c (krb5_ntlm_rep_get_sessionkey): return value + is krb5_error_code + +2006-12-27 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/mk_req_ext.c (_krb5_mk_req_internal): use md5 for + des-cbc-md4 and des-cbc-md5. This is for (older) windows that + will be unhappy anything else. From Inna Bort-Shatsky + +2006-12-26 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/digest.c: Prefix internal symbol with _kdc_. + + * kdc/kdc.h: add digests_allowed + + * kdc/digest.c: return NTLM2 targetinfo structure. + + * lib/krb5/digest.c: Add krb5_ntlm_init_get_targetinfo. + + * kdc/config.c: Parse digest acl's + + * kdc/kdc_locl.h: forward decl; + + * kdc/digest.c: Add digest acl's + +2006-12-22 Love Hörnquist Åstrand <lha@it.su.se> + + * fix-export: build ntlm-private.h + +2006-12-20 Love Hörnquist Åstrand <lha@it.su.se> + + * include/make_crypto.c: Include <.../hmac.h>. + + * kdc/digest.c: reorder to show slot here ntlmv2 code will be + placed. + + * kdc/digest.c: Announce that we support key exchange and add bits + to detect when it wasn't used. + + * kdc/digest.c: Add support for generating NTLM2 session security + answer. + +2006-12-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/digest.c: Add sessionkey accessor functions. 
+ +2006-12-18 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/digest.c: Unwrap the NTLM session key and return it to the + server. + +2006-12-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/store.c (krb5_ret_principal): Fix a bug in the malloc + failure part, noticed by Arnaud Lacombe in NetBSD coverity scan. + +2006-12-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/fcache.c (fcc_get_cache_next): avoid const warning. + + * kdc/digest.c: Support NTLM verification, note that the KDC does + no NTLM packet parsing, its all done by the client side, the KDC + just calculate and verify the digest and return the result to the + service. + + * kuser/kdigest.c: add ntlm-server-init + + * kuser/Makefile.am: kdigest depends on libheimntlm.la + + * kdc/headers.h: Include <heimntlm.h>. + + * kdc/Makefile.am: libkdc needs libheimntlm.la + + * autogen.sh: just run autoreconf -i -f + + * lib/Makefile.am: hook in ntlm + + * configure.in (AC_CONFIG_FILES): add lib/ntlm/Makefile + + * lib/krb5/digest.c: API to authenticate ntlm requests. + + * lib/krb5/fcache.c: Support "iteration" of file credential caches + by giving the user back the default file credential cache and only + that. + + * lib/krb5/krb5_locl.h: Expand the default root for some of the cc + type names. + +2006-12-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c (free_paid): free the krb5_data + structure too. Bug report from Stefan Metzmacher. + +2006-12-12 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: Read the appdefault configration before we try to + use the flags. Bug reported by Ingemar Nilsson. + + * kuser/kdigest.c: prefix digest commands with digest_ + + * kuser/kdigest-commands.in: prefix digest commands with digest- + +2006-12-10 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/hprop.c: Return error codes on failure, improve error + reporting. 
+ +2006-12-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: sprinkle more _krb5_pk_copy_error + + * lib/krb5/pkinit.c: Copy more hx509 error strings to krb5 error + strings + +2006-12-07 Love Hörnquist Åstrand <lha@it.su.se> + + * include/Makefile.am: CLEANFILES += vis.h + +2006-12-06 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (_kdc_as_rep): add AD-INITAL-VERIFIED-CAS to the + encrypted ticket + + * kdc/pkinit.c (_kdc_add_inital_verified_cas): new function, adds + an empty (for now) AD_INITIAL_VERIFIED_CAS to tell the clients + that we vouches for the CA. + + * kdc/kerberos5.c (_kdc_tkt_add_if_relevant_ad): new function. + + * lib/Makefile.am: Make the directories test automake conditional + so automake can include directories in make dist step. + + * kdc/pkinit.c (_kdc_pk_rd_padata): leak less memory for + ExternalPrincipalIdentifiers + + * kdc/pkinit.c: Parse and use PA-PK-AS-REQ.trustedCertifiers + + * kdc/pkinit.c: Add comment that the anchors in the signed data + really should be the trust anchors of the client. + + * kuser/generate-requests.c: Use strcspn to remove \n from + string returned by fgets. From Björn Sandell + + * kpasswd/kpasswd-generator.c: Use strcspn to remove \n from + string returned by fgets. From Björn Sandell + +2006-12-05 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: Clear errno before calling the strtol + functions. From Paul Stoeber to OpenBSD by Ray Lai and Björn + Sandell. + + * lib/krb5/config_file.c: Use strcspn to remove \n from fgets + result. Prompted by change by Ray Lai of OpenBSD via Björn + Sandell. + + * kdc/string2key.c: Use strcspn to remove \n from fgets + result. Prompted by change by Ray Lai of OpenBSD via Björn + Sandell. 
+ +2006-11-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krbhst.c (plugin_get_hosts): be more paranoid and pass + in a NULLed plugin list + +2006-11-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.c: add more pkinit options. + + * lib/krb5/pkinit.c: Store what PK-INIT type we used to know reply + to expect, this avoids overwriting the real PK-INIT error from + just a failed requeat with a Windows PK-INIT error (that always + failes). + + * kdc/Makefile.am: Add LIB_pkinit to pacify AIX + + * lib/hdb/Makefile.am: Add LIB_com_err to pacify AIX + +2006-11-28 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: Make build again from the hdb_entry + wrapping. Patch from Andreas Hasenack. + + * kdc/pkinit.c: Need better code in the DH parameter rejection + case, add comment to that effect. + +2006-11-27 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/krb5tgs.c: Reply KRB5KRB_ERR_RESPONSE_TOO_BIG for too large + packets when using datagram based transports. + + * kdc/process.c: Pass down datagram_reply to _kdc_tgs_rep. + + * lib/krb5/pkinit.c (build_auth_pack): set supportedCMSTypes. + +2006-11-26 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: Pass down hx509_peer_info. + + * kdc/pkinit.c (_kdc_pk_rd_padata): Pick up supportedCMSTypes and + pass in into hx509_cms_create_signed_1 via hx509_peer_info blob. + + * kdc/pkinit.c (_kdc_pk_rd_padata): Pick up supportedCMSTypes and + pass in into hx509_cms_create_signed_1 via hx509_peer_info blob. + +2006-11-24 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/send_to_kdc.c: Set the large_msg_size to 1400, lets not + fragment packets and avoid stupid linklayers that doesn't allow + fragmented packets (unix dgram sockets on Mac OS X) + +2006-11-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c (_krb5_pk_create_sign): stuff down the users + certs in the pool to make sure a path is returned, without this + proxy certificates wont work. 
+ +2006-11-21 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/config.c: Make all pkinit options prefixed with pkinit_ + + * lib/krb5/log.c (krb5_get_warn_dest): return warn_dest from + krb5_context + + * lib/krb5/krb5_warn.3: document krb5_[gs]et_warn_dest + + * lib/krb5/krb5.h: Drop KRB5_KU_TGS_IMPERSONATE. + + * kdc/krb5tgs.c: Use KRB5_KU_OTHER_CKSUM for the impersonate + checksum. + + * lib/krb5/get_cred.c: Use KRB5_KU_OTHER_CKSUM for the impersonate + checksum. + +2006-11-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_user.c: Make krb5_get_init_creds_opt_free take a + context argument. + + * lib/krb5/krb5_get_init_creds.3: Make + krb5_get_init_creds_opt_free take a context argument. + + * lib/krb5/init_creds_pw.c: Make krb5_get_init_creds_opt_free take + a context argument. + + * kuser/kinit.c: Make krb5_get_init_creds_opt_free take a context + argument. + + * kpasswd/kpasswd.c: Make krb5_get_init_creds_opt_free take a + context argument. + + * kpasswd/kpasswd-generator.c: Make krb5_get_init_creds_opt_free + take a context argument. + + * kdc/hprop.c: Make krb5_get_init_creds_opt_free take a context + argument. + + * lib/krb5/init_creds.c: Make krb5_get_init_creds_opt_free take a + context argument. + + * appl/gssmask/gssmask.c: Make krb5_get_init_creds_opt_free take a + context argument. + +2006-11-19 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: fix pkinit option (s/-/_/) + + * kdc/config.c: revert the enable-pkinit change, and make it + consistant with all other other enable- options + +2006-11-17 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: Make all pkinit options prefixed with pkinit_ + + * kdc/config.c: Make all pkinit options prefixed with pkinit_ + + * kdc/pkinit.c: Make app pkinit options prefixed with pkinit_ + + * lib/krb5/pkinit.c: Make app pkinit options prefixed with pkinit_ + + * lib/krb5/mit_glue.c (krb5_c_keylengths): make compile again. + + * lib/krb5/mit_glue.c (krb5_c_keylengths): rename. 
+ + * lib/krb5/mit_glue.c (krb5_c_keylength): mit changed the api, + deal. + +2006-11-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pac.c (fill_zeros): stop using MIN. + + * kuser/kinit.c: Forward decl + + * lib/krb5/test_plugin.c: Use NOTHERE.H5L.SE. + + * lib/krb5/krbhst.c: Fill in hints for picky getaddrinfo()s. + + * lib/krb5/test_plugin.c: Set sin_len if it exists. + + * lib/krb5/krbhst.c: Use plugin for the other realm locate types + too. + +2006-11-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_locl.h: Add plugin api + + * lib/krb5/Makefile.am: Add plugin api. + + * lib/krb5/krbhst.c: Use the resolve plugin interface. + + * lib/krb5/locate_plugin.h: Add plugin interface for resolving + that is API compatible with MITs version. + + * lib/krb5/plugin.c: Add first version of the plugin interface. + + * lib/krb5/test_pac.c: Test signing. + + * lib/krb5/pac.c: Add code to sign PACs, only arcfour for now. + + * lib/krb5/krb5.h: Add struct krb5_pac. + +2006-11-09 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_pac.c: PAC testing. + + * lib/krb5/pac.c: Sprinkle error strings. + + * lib/krb5/pac.c: Verify LOGON_NAME. + + * kdc/pkinit.c (_kdc_pk_check_client): drop client_princ as an + argument + + * kdc/kerberos5.c (_kdc_as_rep): drop client_princ from + _kdc_pk_check_client since its not valid in canonicalize case + + * lib/krb5/krb5_c_make_checksum.3: Document krb5_c_keylength. + + * lib/krb5/mit_glue.c: Add krb5_c_keylength. + +2006-11-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pac.c: Almost enough code to do PAC parsing and + verification, missing in the unix2NTTIME and ucs2 corner. The + later will be adressed by finally adding libwind. + + * lib/krb5/krb5_init_context.3: document krb5_[gs]et_max_time_skew + + * kdc/hpropd.c: Remove support dumping to a kerberos 4 database. 
+ +2006-11-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/context.c: rename krb5_[gs]et_time_wrap to + krb5_[gs]et_max_time_skew + + * kdc/pkinit.c: Catch error string from hx509_cms_verify_signed. + Check for id-pKKdcEkuOID and warn if its not there. + + * lib/krb5/rd_req.c: Add more krb5_rd_req_out_get functions. + +2006-11-06 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.h: krb5_rd_req{,_in,_out}_ctx. + + * lib/krb5/rd_req.c (krb5_rd_req_ctx): Add context all singing-all + dancing version of the krb5_rd_req and implement krb5_rd_req and + krb5_rd_req_with_keyblock using it. + +2006-11-04 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (_kdc_as_rep): More verbose time skew logging. + +2006-11-03 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/expand_hostname.c: Rename various routines and + constants from canonize to canonicalize. From Andrew Bartlett + + * lib/krb5/context.c: Add krb5_[gs]et_time_wrap + + * lib/krb5/krb5_locl.h: Rename various routines and constants from + canonize to canonicalize. From Andrew Bartlett + + * appl/gssmask/common.c (add_list): fix alloc statement. + From Alex Deiter + +2006-10-25 Love Hörnquist Åstrand <lha@it.su.se> + + * include/Makefile.am: Move version.h and version.h.in to + DISTCLEANFILES. + +2006-10-24 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/gssmask/gssmask.c: Only log when there are resources left. + + * appl/gssmask/gssmask.c: make compile + + * appl/gssmask/gssmask.c (AcquireCreds): free + krb5_get_init_creds_opt + +2006-10-23 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: heimdal 0.8-RC1 + +2006-10-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/digest.c: Try to not leak memory. + + * kdc/digest.c: Try to not leak memory. + + * Makefile.am: remove valgrind target, it doesn't belong here. + + * kuser/kinit.c: Try to not leak memory. + + * kuser/kgetcred.c: Try to not leak memory. 
+ + * kdc/krb5tgs.c (check_KRB5SignedPath): free KRB5SignedPath on + successful completion too, not just the error cases. + + * fix-export: Make make fix-export less verbose. + + * kuser/kgetcred.c: Try to not leak memory. + + * lib/hdb/keys.c (hdb_generate_key_set): free list of enctype when + done. + + * lib/krb5/crypto.c: Allocate the memory we later use. + + * lib/krb5/test_princ.c: Try to not leak memory. + + * lib/krb5/test_crypto_wrapping.c: Try to not leak memory. + + * lib/krb5/test_cc.c: Try to not leak memory. + + * lib/krb5/addr_families.c (arange_free): Try to not leak memory. + + * lib/krb5/crypto.c (AES_string_to_key): Try to not leak memory. + +2006-10-21 Love Hörnquist Åstrand <lha@it.su.se> + + * tools/heimdal-build.sh: Add --test-environment + + * tools/heimdal-build.sh: Add --ccache-dir + + * lib/hdb/Makefile.am: remove dependency on et files covert_db + that now is removed + +2006-10-20 Love Hörnquist Åstrand <lha@it.su.se> + + * include/Makefile.am: add gssapi to subdirs + + * lib/hdb/hdb-ldap.c: Make compile. + + * configure.in: add include/gssapi/Makefile. + + * include/Makefile.am: clean more files + + * include/make_crypto.c: Avoid creating a file called --version. + + * include/bits.c: Avoid creating a file called --version. + + * appl/test/Makefile.am: add nt_gss_common.h + + * doc/Makefile.am: Disable TEXI2DVI for now. + + * tools/Makefile.am: more files + + * lib/krb5/context.c (krb5_free_context): free send_to_kdc context + + * doc/heimdal.texi: Put Heimdal in the dircategory Security. + + * lib/krb5/send_to_kdc.c: Add sent_to_kdc hook, from Andrew + Bartlet. + + * lib/krb5/krb5_locl.h: Add send_to_kdc hook. + + * lib/krb5/krb5.h: Add krb5_send_to_kdc_func prototype. + + * kcm/Makefile.am: more files + + * kdc/Makefile.am: more files + + * lib/hdb/Makefile.am: more files + + * lib/krb5/Makefile.am: add more files + +2006-10-19 Love Hörnquist Åstrand <lha@it.su.se> + + * tools/Makefile.am: Add heimdal-build.sh to EXTRA_DIST. 
+ + * configure.in: Don't check for timegm, libroken provides it for + us. + + * lib/krb5/acache.c: Does function typecasts instead of void * + type-casts. + + * lib/krb5/krb5.h: Remove bonus , that Love sneeked in. + + * configure.in: make --disable-pk-init help text also negative + +2006-10-18 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kgetcred.c: Avoid memory leak. + + * tools/heimdal-build.sh: Add more verbose logging, add version of + script and heimdal to the mail. + + * lib/hdb/db3.c: Wrap function call pointer calls in (*func) to + avoid macros rewriting open and close. + + * lib/krb5/Makefile.am: Add test_princ. + + * lib/krb5/principal.c: More error strings, handle realm-less + printing. + + * lib/krb5/test_princ.c: Test principal parsing and unparsing. + +2006-10-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_host_realm.c (krb5_get_host_realm): make sure we + don't recurse + + * lib/krb5/get_host_realm.c (krb5_get_host_realm): no components + -> no dns. no mapping, try local realm and hope KDC knows better. + + * lib/krb5/krb5.h: Add flags for krb5_unparse_name_flags + + * lib/krb5/krb5_principal.3: Document + krb5_unparse_name{_fixed,}_flags. + + * lib/krb5/principal.c: Add krb5_unparse_name_flags and + krb5_unparse_name_fixed_flags. + + * lib/krb5/krb5_principal.3: Document krb5_parse_name_flags. + + * lib/krb5/principal.c: Add krb5_parse_name_flags. + + * lib/krb5/principal.c: Add krb5_parse_name_flags. + + * lib/krb5/krb5.h: Add krb5_parse_name_flags flags. + + * lib/krb5/krb5_locl.h: Hide krb5_context_data from public + exposure. + + * lib/krb5/krb5.h: Hide krb5_context_data from public exposure. + + * kuser/klist.c: Use krb5_get_kdc_sec_offset. 
+ + * lib/krb5/context.c: Document krb5_get_kdc_sec_offset() + + * lib/krb5/krb5_init_context.3: Add krb5_get_kdc_sec_offset() + + * lib/krb5/krb5_init_context.3: Add krb5_set_dns_canonize_hostname + and krb5_get_dns_canonize_hostname + + * lib/krb5/verify_krb5_conf.c: + add [libdefaults]dns_canonize_hostname + + * lib/krb5/expand_hostname.c: use dns_canonize_hostname to + determin if we should talk to dns to find the canonical name of + the host. + + * lib/krb5/krb5.h (krb5_context): add dns_canonize_hostname. + + * tools/heimdal-build.sh: Set status. + + * appl/gssmask/gssmask.c: handle more bits + + * kdc/kerberos5.c: Prefix asn1 primitives with der_. + +2006-10-16 Love Hörnquist Åstrand <lha@it.su.se> + + * fix-export: Build lib/asn1/der-protos.h. + +2006-10-14 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/gssmask/Makefile.am: Add explit depenency on libroken. + + * kdc/krb5tgs.c: Prefix der primitives with der_. + + * kdc/pkinit.c: Prefix der primitives with der_. + + * lib/hdb/ext.c: Prefix der primitives with der_. + + * lib/hdb/ext.c: Prefix der primitives with der_. + + * lib/krb5/crypto.c: Remove workaround from when there wasn't + always aes. + + * lib/krb5/ticket.c: Prefix der primitives with der_. + + * lib/krb5/digest.c: Prefix der primitives with der_. + + * lib/krb5/crypto.c: Prefix der primitives with der_. + + * lib/krb5/data.c: Prefix der primitives with der_. + +2006-10-12 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c (pk_mk_pa_reply_enckey): add missing break. From + Olga Kornievskaia. + + * kdc/kdc.8: document max-kdc-datagram-reply-length + + * include/bits.c: Include Xint64 types. + +2006-10-10 Love Hörnquist Åstrand <lha@it.su.se> + + * tools/heimdal-build.sh: Add socketwrapper and cputime limit. + + * kdc/connect.c (loop): Log that the kdc have started. 
+ +2006-10-09 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/connect.c (do_request): tell krb5_kdc_process_request if its + a datagram reply or not + + * kdc/kerberos5.c: Reply KRB5KRB_ERR_RESPONSE_TOO_BIG error if its + a datagram reply and the datagram reply length limit is reached. + + * kdc/process.c: Rename krb5_kdc_process_generic_request to + krb5_kdc_process_request Add datagram_reply argument. + + * kdc/config.c: check for [kdc]max-kdc-datagram-reply-length + + * kdc/kdc.h (krb5_kdc_config): Add max_datagram_reply_length. + + * lib/hdb/keytab.c: Change || to |, From metze. + + * lib/hdb/keytab.c: Add back :file to sample format. + + * lib/hdb/keytab.c: Add more HDB_F flags to hdb_fetch. Pointed out + by Andrew Bartlet. + + * kdc/krb5tgs.c (tgs_parse_request): set cusec, not csec from + auth->cusec. + +2006-10-08 Love Hörnquist Åstrand <lha@it.su.se> + + * fix-export: dist_-ify libkadm5clnt_la_SOURCES too + + * doc/heimdal.texi: Update (c) years. + + * appl/gssmask/protocol.h: Clarify protocol. + + * kdc/hpropd.c: Adapt to signature change of + _krb5_principalname2krb5_principal. + + * kdc/kerberos4.c: Adapt to signature change of + _krb5_principalname2krb5_principal. + + * kdc/connect.c (handle_vanilla_tcp): shorten length when we + shorten the buffer, this matter im the PK-INIT encKey case where a + checksum is done over the whole packet. Reported by Olga + Kornievskaia + +2006-10-07 Love Hörnquist Åstrand <lha@it.su.se> + + * include/Makefile.am: crypto-headers.h is a nodist header + + * lib/krb5/aes-test.c: Make argument to PKCS5_PBKDF2_HMAC_SHA1 + unsigned char to make OpenSSL happy. 
+ + * appl/kf/Makefile.am: Add man_MANS to EXTRA_DIST + + * kuser/Makefile.am: split build files into dist_ and noinst_ + SOURCES + + * lib/hdb/Makefile.am: split build files into dist_ and noinst_ + SOURCES + + * lib/krb5/Makefile.am: split build files into dist_ and noinst_ + SOURCES + + * kdc/kerberos5.c: Adapt to signature change of + _krb5_principalname2krb5_principal. + +2006-10-06 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krbhst.c (common_init): don't try DNS when there is + realm w/o a dot. + + * kdc/524.c: Adapt to signature change of + _krb5_principalname2krb5_principal. + + * kdc/krb5tgs.c: Adapt to signature change of + _krb5_principalname2krb5_principal. + + * lib/krb5/get_in_tkt.c: Adapt to signature change of + _krb5_principalname2krb5_principal. + + * lib/krb5/rd_cred.c: Adapt to signature change of + _krb5_principalname2krb5_principal. + + * lib/krb5/rd_req.c: Adapt to signature change of + _krb5_principalname2krb5_principal. + + * lib/krb5/asn1_glue.c (_krb5_principalname2krb5_principal): add + krb5_context to signature. + + * kdc/524.c (_krb5_principalname2krb5_principal): adapt to + signature change + + * lib/hdb/keytab.c (hdb_get_entry): close and destroy the database + later, the hdb_entry_ex might still contain links to the database + that it expects to use. + + * kdc/digest.c: Make digest argument o MD5_final unsigned char to + help OpenSSL. + + * kuser/kdigest.c: Make digest argument o MD5_final unsigned char + to help OpenSSL. + + * appl/gssmask/common.h: Maybe include <sys/wait.h>. + +2006-10-05 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/gssmask/common.h: disable ENABLE_PTHREAD_SUPPORT and + explain why + + * tools/heimdal-build.sh: Another mail header. + + * tools/heimdal-build.sh: small fixes + + * fix-export: More liberal parsing of AC_INIT + + * tools/heimdal-build.sh: first cut + +2006-10-04 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: Call AB_INIT. + + * kuser/kinit.c: Add flag --pk-use-enckey. 
+ + * kdc/pkinit.c: Sign the request in the encKey case. Bug reported + by Olga Kornievskaia of Umich. + + * lib/krb5/Makefile.am: man_MANS += krb5_digest.3 + + * lib/krb5/krb5_digest.3: Add all protos + +2006-10-03 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_digest.3: Basic krb5_digest manpage. + +2006-10-02 Love Hörnquist Åstrand <lha@it.su.se> + + * fix-export: build gssapi mech private files + + * lib/krb5/init_creds_pw.c: minimize layering and remove + krb5_kdc_flags + + * lib/krb5/get_in_tkt.c: Always use the kdc_flags in the right bit + order. + + * lib/krb5/init_creds_pw.c: Always use the kdc_flags in the right + bit order. + + * kuser/kdigest.c: Don't require --kerberos-realm. + + * lib/krb5/digest.c (digest_request): if NULL is passed in as + realm, use default realm. + + * fix-export: build gssapi mech private files + +2006-09-26 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/gssmask/gssmaestro.c: Handle FIRST_CALL in the context + building, better error handling. + + * appl/gssmask/gssmaestro.c: switch from wrap/unwrap to + encrypt/decrypt + + * appl/gssmask/gssmask.c: Don't announce spn if there is none. + + * appl/gssmask/gssmaestro.c: Check that the pre-wrapped data is + the same as afterward. + +2006-09-25 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/gssmask/gssmaestro.c: Remove stray GSS_C_DCE_STYLE. + + * appl/gssmask/gssmaestro.c: Add logsocket support. + +2006-09-22 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/gssmask/gssmaestro.c (build_context): print the step the + context exchange. + +2006-09-21 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/gssmask/gssmaestro.c: Add GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG + to all context flags + + * appl/gssmask/gssmaestro.c: Add wrap and mic tests for all + elements + + * appl/gssmask/gssmask.c: Add mic tests + + * appl/gssmask/gssmaestro.c: dont exit early then when context + is half built. 
+ + * lib/krb5/rd_req.c: disable ETypeList parsing usage for now, cfx + seems broken and its not good to upgrade to a broken enctype. + +2006-09-20 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/gssmask/gssmask.c: Add wrap/unwrap ops + + * appl/gssmask/protocol.h: Add eGetVersionAndCapabilities flags + + * appl/gssmask/common.c: Add permutate_all (and support + functions). + + * appl/gssmask/common.h: Add permutate_all + + * appl/gssmask/gssmask.c: use new flags, return moniker + + * appl/gssmask/gssmaestro.c: test self context building and all + permutation of clients + +2006-09-19 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/gssmask/gssmask.c: add --logfile option, use htons() on + port number + + * appl/gssmask/gssmaestro.c: Log port in connection message. + + * configure.in: Make pk-init turned on by default. + +2006-09-18 Love Hörnquist Åstrand <lha@it.su.se> + + * fix-export: Build lib/hx509/{hx509-protos.h,hx509-private.h}. + + * kuser/Makefile.am: Add tool for printing tickets. + + * kuser/kimpersonate.1: Add tool for printing tickets. + + * kuser/kimpersonate.c: Add tool for printing tickets. + + * kdc/krb5tgs.c: Check the adtkt in the constrained delegation + case too. + +2006-09-16 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/main.c (sigterm): don't _exit, let loop() catch the signal + instead. + + * lib/krb5/krb5_timeofday.3: Fixes from Björn Sandell. + + * lib/krb5/krb5_get_init_creds.3: Fixes from Björn Sandell. + +2006-09-15 Love Hörnquist Åstrand <lha@it.su.se> + + * tools/krb5-config.in: Add "kafs" option. + +2006-09-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/db.c: By using full function calling conversion (*func) + we avoid problem when close(fd) is overridden using a macro. + + * lib/krb5/cache.c: By using full function calling + conversion (*func) we avoid problem when close(fd) is overridden + using a macro. + +2006-09-11 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: Signing outgoing tickets. 
+ + * kdc/krb5tgs.c: Add signing and checking of tickets to s4u2self + works securely. + + * lib/krb5/pkinit.c: Adapt to new signature of + hx509_cms_unenvelope. + +2006-09-09 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c (pk_verify_host): set errorstrings in a + sensable way + +2006-09-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_init_context.3: Prevent a font generation warning, + from Jason McIntyre. + +2006-09-06 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/context.c (krb5_init_ets): Add the hx errortable + + * lib/krb5/krb5_locl.h: Include hx509_err.h. + + * lib/krb5/pkinit.c (_krb5_pk_verify_sign): catch the error string + from the hx509 lib + +2006-09-04 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags): + fix argument to krb5_get_init_creds_opt_set_addressless. + + * lib/krb5/init_creds_pw.c (init_cred_loop): try to catch the + error when we actually have an error to catch. + + * lib/krb5/init_creds_pw.c: Remove debug printfs. + + * kuser/kinit.c: Remove debug printf + + * lib/krb5/krb5_get_init_creds.3: Document + krb5_get_init_creds_opt_set_addressless. + + * kuser/kinit.c: Use new function + krb5_get_init_creds_opt_set_addressless. + + * lib/krb5/krb5_locl.h: use new addressless, convert pa-pac option + to use the same tri-state option as the new addressless option. + + * lib/krb5/init_creds_pw.c: use new addressless, convert pa-pac + option to use the same tri-state option as the new addressless + option. + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_addressless): + used to control the address-lessness of the initial tickets + instead of passing in the empty set of address into + krb5_get_init_creds_opt_set_addresses. + +2006-09-01 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c (renew_validate): inherit the proxiable and + forwardable from the orignal ticket, pointed out by Bernard + Antoine of CERN. 
+ + * doc/setup.texi: More text about the acl_file entry and + hdb-ldap-structural-object. From Rüdiger Ranft. + + * lib/krb5/krbhst.c (fallback_get_hosts): limit the fallback + lookups to 5. Patch from Wesley Craig, umich.edu + + * configure.in: Add special tests for <sys/ucred.h>, include test + for sys/param.h and sys/types.h + + * appl/test/tcp_server.c (proto): use keytab for krb5_recvauth + Patch from Ingemar Nilsson <init@pdc.kth.se> + +2006-08-28 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kdigest.c (help): use sl_slc_help(). + + * kdc/digest.c: Catch more error, add SASL DIGEST MD5. + + * lib/krb5/digest.c: Catch more error. + +2006-08-25 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: language. + + * doc/heimdal.texi: Add last updated text. + + * doc/heimdal.css: make box around heimdal title + + * doc/heimdal.css: Inital Heimdal css for the info manual + + * lib/krb5/digest.c: In the case where we get a DigestError back, + save the error string and code. + +2006-08-24 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: Remove _kdc_find_etype(), its no longer used. + + * kdc/digest.c: Remove local error label and have just one exit + label, set error strings properly. + + * kdc/digest.c: Simply the disabled-service case. Check the + allow-digest flag in the HDB entry for the client. + + * kdc/process.c (krb5_kdc_process_generic_request): check if we + got a digest request and process it. + + * kdc/main.c: Register hdb keytab operations. + + * kdc/kdc.8: document [kdc]enable-digest=boolean + + * kdc/Makefile.am: add digest to libkdc + + * kdc/digest.c: Make a return a goto to avoid freeing un-inited + memory in cleanup code. + + * kdc/default_config.c (krb5_kdc_default_config): default to all + bits set to zero. + + * kdc/kdc.h (krb5_kdc_configuration): Add enable_digest + + * kdc/headers.h: Include <digest_asn1.h>. 
+ + * lib/krb5/context.c (krb5_kerberos_enctypes): new function, + returns the list of Kerberos encryption types sorted in order of + most preferred to least preferred encryption type. + + * kdc/misc.c (_kdc_get_preferred_key): new function, Use the order + list of preferred encryption types and sort the available keys and + return the most preferred key. + + * kdc/krb5tgs.c: Adapt to the new sigature of _kdc_find_keys(). + + * kdc/kerberos5.c: Handle session key etype separately from the + tgt etype, now the krbtgt can be a aes-only key without the need + to support not-as-good etypes for the krbtgt. + +2006-08-23 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/misc.c: Change _kdc_db_fetch() to return the database + pointer to if needed by the consumer. + + * kdc/krb5tgs.c: Change _kdc_db_fetch() to return the database + pointer to if needed by the consumer. + + * kdc/kerberos5.c: Change _kdc_db_fetch() to return the database + pointer to if needed by the consumer. + + * kdc/kerberos4.c: Change _kdc_db_fetch() to return the database + pointer to if needed by the consumer. + + * kdc/kaserver.c: Change _kdc_db_fetch() to return the database + pointer to if needed by the consumer. + + * kdc/524.c: Change _kdc_db_fetch() to return the database pointer + to if needed by the consumer. + + * kuser/kdigest-commands.in: Add --kerberos-realm, add client + request command. + + * lib/krb5/Makefile.am: digest.c + + * lib/krb5/krb5.h: Add digest glue. + + * lib/krb5/digest.c (krb5_digest_set_authentication_user): use + krb5_principal + + * lib/krb5/digest.c: Add digest support to the client side. 
+ +2006-08-21 Love Hörnquist Åstrand <lha@it.kth.se> + + * lib/krb5/rd_rep.c (krb5_rd_rep): free krb5_ap_rep_enc_part on + error and set return pointer to NULL + (krb5_free_ap_rep_enc_part): permit freeing of NULL + +2006-08-18 Love Hörnquist Åstrand <lha@it.kth.se> + + * kdc/{Makefile.am,kdigest.c,kdigest-commands.in}: + Frontend for remote digest service in KDC + + * lib/krb5/krb5_storage.3: Document krb5_{ret,store}_stringnl + functions. + + * lib/krb5/store.c: Add krb5_{ret,store}_stringnl functions, + stores/retrieves a \n terminated string. + + * lib/krb5/krb5_locl.h: Default to address-less tickets. + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error): clear + error string on error. + +2006-07-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/crypto.c: remove aes-192 (CMS) + + * lib/krb5/crypto.c: Remove more CMS bits. + + * lib/krb5/crypto.c: Remove CMS symmetric encryption support. + +2006-07-13 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c (_kdc_pk_check_client): make it not crash when + there are no acl + + * kdc/pkinit.c (_kdc_pk_check_client): use the acl in the kerberos + database + + * lib/hdb/hdb.asn1: Rename HDB-Ext-PKINIT-certificate to + HDB-Ext-PKINIT-hash. Add trust anchor to HDB-Ext-PKINIT-acl. + + * lib/hdb/Makefile.am: rename asn1_HDB_Ext_PKINIT_certificate to + asn1_HDB_Ext_PKINIT_hash + + * lib/hdb/ext.c: Add hdb_entry_get_pkinit_hash(). + +2006-07-10 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: If --password-file gets STDIN, read the password + from the standard input. + + * kuser/kinit.1: Document --password-file=STDIN. + + * lib/krb5/krb5_string_to_key.3: Remove duplicate to. + +2006-07-06 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/krb5tgs.c: (tgs_build_reply): when checking for removed + principals, check the second component of the krbtgt, otherwise + cross realm wont work. Prompted by report from Mattias Amnefelt. 
+ +2006-07-05 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/connect.c (handle_vanilla_tcp): use unsigned integer for for + length + (handle_tcp): if the high bit it set in the unknown case, send + back a KRB_ERR_FIELD_TOOLONG + +2006-07-03 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/gssmask/gssmaestro.c: Add get_version_capa, cache + target_name. + + * appl/gssmask/gssmask.c: use utname() to find the local hostname + and version of operatingsystem + + * appl/gssmask/common.h: include <sys/utsname.h> + + * appl/gssmask/gssmask.c: break out creation of a client and make + handleServer pthread_create compatible + + * appl/gssmask/gssmaestro.c: break out out the build context + function + +2006-07-01 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/gssmask/gssmaestro.c: externalize slave handling, add + GetTargetName glue + + * appl/gssmask/gssmaestro.c: externalize principal/password handling + + * lib/krb5/principal.c (krb5_parse_name): set *principal to NULL + the first thing we do, so that on failure its set to a known value + + * appl/gssmask/gssmask.c: AcquireCreds: set principal to NULL to + avoid memory corruption GetTargetName: always send a string, even + though we don't have a targetname + + * appl/gssmask: break out common function; add gssmaestro (that + only tests one context for now) + +2006-06-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/store_fd.c (krb5_storage_from_fd): don't leak fd on + malloc failure + + * appl/gssmask/gssmask.c: split out fetching of credentials for + easier reuse for pk-init testing + + * appl/gssmask: maggot replacement, handles context testing + + * lib/krb5/cache.c (krb5_cc_new_unique): use KRB5_DEFAULT_CCNAME + as the default prefix + +2006-06-28 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/heimdal.texi: Add Doug Rabson's license + +2006-06-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds.c: Add storing and getting KRB-ERROR in the + krb5_get_init_creds_opt structure. 
+ + * lib/krb5/init_creds_pw.c: Save KRB-ERROR on error. + + * lib/krb5/krb5_locl.h (_krb5_get_init_creds_opt_private): add + KRB-ERROR + +2006-06-21 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: section about verify_krb5_conf and kadmin check + +2006-06-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c (get_init_creds_common): drop cred + argument, its unused + + * lib/krb5/Makefile.am: install krb5_get_creds.3 + + * lib/krb5/krb5_get_creds.3: new file + +2006-06-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: don't use the sambaNTPassword if there is + ARCFOUR key already. Idea from Andreas Hasenack. While here, set + pw change time using sambaPwdLastSet + + * kdc/kerberos4.c: Use enable_v4_per_principal and check the new + hdb flag. + + * kdc/kdc.h: Add enable_v4_per_principal + +2006-06-12 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (_kdc_as_rep): if kdc_time + + config->kdc_warn_pwexpire is past pw_end, add expiration + message. From Bernard Antoine. + + * kdc/default_config.c (krb5_kdc_default_config): set + kdc_warn_pwexpire to 0 + + * kdc/kerberos5.c: indent. + +2006-06-07 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: constify + +2006-06-06 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_cred.c: Allow setting additional tickets in the + tgs-req + + * kuser/kgetcred.c: add --delegation-credential-cache + + * kdc/krb5tgs.c (tgs_build_reply): add constrained delegation. + + * kdc/krb5tgs.c: Add impersonation. + + * kuser/kgetcred.c: use new krb5_get_creds interface, add + impersonation. + + * lib/krb5/get_cred.c (krb5_get_creds): add + KRB5_GC_NO_TRANSIT_CHECK + + * lib/krb5/misc.c: Add impersonate support functions. + + * lib/krb5/get_cred.c: Add impersonate and new krb5_get_creds interface. + + * lib/hdb/hdb.asn1 (HDBFlags): add trusted-for-delegation + + * lib/krb5/krb5.h: Add krb5_get_creds_opt_data and some more + KRB5_GC flags. 
+ +2006-06-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/ext.c (hdb_entry_get_ConstrainedDelegACL): new function. + + * lib/krb5/pkinit.c: Avoid more shadowing. + + * kdc/connect.c (do_request): clean reply with krb5_data_zero + + * kdc/krb5tgs.c: Split up the reverse cross krbtgt check and local + clien must exists test. + + * kdc/krb5tgs.c: Plug old memory leaks, unify all goto's. + + * kdc/krb5tgs.c: Split tgs_rep2 into tgs_parse_request and + tgs_build_reply. + + * kdc/kerberos5.c: split out krb5 tgs req to make it easier to + reorganize the code. + +2006-05-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_get_init_creds.3: spelling Björn Sandell + + * lib/krb5/krb5_get_in_cred.3: spelling Björn Sandell + +2006-05-13 Love Hörnquist Åstrand <lha@it.su.se> + + * kpasswd/kpasswdd.c (change): select the realm based on the + target principal From Gabor Gombas + + * lib/krb5/krb5_get_init_creds.3: Add KRB5_PROMPT_TYPE_INFO + + * lib/krb5/krb5.h: Add KRB5_PROMPT_TYPE_INFO + +2006-05-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: Hidden field of hx509 prompter is removed. + Fix a warning. + + * doc/setup.texi: Point to more examples, hint that you have to + use openssl 0.9.8a or later. + + * doc/setup.texi: DIR now handles both PEM and DER. + + * kuser/kinit.c: Pass down prompter and password to + krb5_get_init_creds_opt_set_pkinit. + + * lib/krb5/pkinit.c (_krb5_pk_load_id): only use password if its + longer then 0 + + * doc/ack.texi: Add Jason McIntyre. + + * lib/krb5/krb5_acl_match_file.3: Various tweaks, from Jason + McIntyre. + +2006-05-11 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: Move parsing of the PK-INIT configuration file to + the library so application doesn't need to deal with it. + + * lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit): move + parsing of the configuration file to the library so application + doesn't need to deal with it. 
+ + * lib/krb5/pkinit.c (_krb5_pk_load_id): pass the hx509_lock to + when trying to read the user certificate. + + * lib/krb5/pkinit.c (hx_pass_prompter): return 0 on success and 1 + on failure. Pointed out by Douglas E. Engert. + +2006-05-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/crypto.c: Catches both keyed checkout w/o crypto + context cases and doesn't reset the string, and corrects the + grammar. + + * lib/krb5/crypto.c: Drop aes-cbc, rc2 and CMS padding support, + its all containted in libhcrypto and libhx509 now. + +2006-05-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c (_krb5_pk_verify_sign): Use + hx509_get_one_cert. + + * lib/krb5/crypto.c (create_checksum): provide a error message + that a key checksum needs a key. From Andew Bartlett. + +2006-05-06 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: Now that hcrypto supports DH, remove check + for hx509 null DH. + + * kdc/pkinit.c: Don't call DH_check_pubkey, it doesn't exists in + older OpenSSL. + + * doc/heimdal.texi: Add blob about imath. + + * doc/ack.texi: Add blob about imath. + + * include/make_crypto.c: Move up evp.h to please OpenSSL, from + Douglas E. Engert. + + * kcm/acl.c: Multicache kcm interation isn't done yet, let wait + with this enum. + +2006-05-05 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_set_default_realm.3: Spelling/mdoc from Björn + Sandell + + * lib/krb5/krb5_rcache.3: Spelling/mdoc from Björn Sandell + + * lib/krb5/krb5_keytab.3: Spelling/mdoc from Björn Sandell + + * lib/krb5/krb5_get_in_cred.3: Spelling/mdoc from Björn Sandell + + * lib/krb5/krb5_expand_hostname.3: Spelling/mdoc from Björn + Sandell + + * lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc from Björn + Sandell + + * lib/krb5/keytab_file.c (fkt_next_entry_int): read the 32 bit + kvno if the reset of the data is longer then 4 bytes in hope to be + forward compatible. Pointed out by Michael B Allen. + + * doc/programming.texi: Add fileformats. 
+ + * appl/test: Rename u_intXX_t to uintXX_t + + * kuser: Rename u_intXX_t to uintXX_t + + * kdc: Rename u_intXX_t to uintXX_t + + * lib/hdb: Rename u_intXX_t to uintXX_t + + * lib/45]: Rename u_intXX_t to uintXX_t + + * lib/krb5: Rename u_intXX_t to uintXX_t + + * lib/krb5/Makefile.am: Add test_store to TESTS + + * lib/krb5/pkinit.c: Catch using hx509 null DH and print a more + useful error message. + + * lib/krb5/store.c: Rewrite the krb5_ret_u as proposed by Johan. + +2006-05-04 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos4.c: Use the new unsigned integer storage types. + + * kdc/kaserver.c: Use the new unsigned integer storage + types. Sprinkle some error handling. + + * lib/krb5/krb5_storage.3: Document ret and store function for the + unsigned fixed size integer types. + + * lib/krb5/v4_glue.c: Use the new unsigned integer storage + types. Fail that the address doesn't match, not the reverse. + + * lib/krb5/store.c: Add ret and store function for the unsigned + fixed size integer types. + + * lib/krb5/test_store.c: Test the integer storage types. + +2006-05-03 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/store.c (krb5_store_principal): make it take a + krb5_const_principal, indent + + * lib/krb5/krb5_storage.3: krb5_store_principal takes a + krb5_const_principal + + * lib/krb5/pkinit.c: Deal with that hx509_prompt.reply is no + longer a pointer. + + * kdc/kdc.h (krb5_kdc_configuration): add pkinit_kdc_ocsp_file + + * kdc/config.c: read [kdc]pki-kdc-ocsp + +2006-05-02 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c (_kdc_pk_mk_pa_reply): send back ocsp response if + it seems to be valid, simplfy the pkinit-windows DH case (it + doesn't exists). + +2006-05-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_warn.3: Spelling/mdoc changes, from Björn Sandell. + + * lib/krb5/krb5_verify_user.3: Spelling/mdoc changes, from Björn + Sandell. + + * lib/krb5/krb5_verify_init_creds.3: Spelling/mdoc changes, from + Björn Sandell. 
+ + * lib/krb5/krb5_timeofday.3: Spelling/mdoc changes, from Björn + Sandell. + + * lib/krb5/krb5_ticket.3: Spelling/mdoc changes, from Björn + Sandell. + + * lib/krb5/krb5_rd_safe.3: Spelling/mdoc changes, from Björn + Sandell. + + * lib/krb5/krb5_rcache.3: Spelling/mdoc changes, from Björn + Sandell. + + * lib/krb5/krb5_principal.3: Spelling/mdoc changes, from Björn + Sandell. + + * lib/krb5/krb5_parse_name.3: Spelling/mdoc changes, from Björn + Sandell. + + * lib/krb5/krb5_mk_safe.3: Spelling/mdoc changes, from Björn + Sandell. + + * lib/krb5/krb5_keyblock.3: Spelling/mdoc changes, from Björn + Sandell. + + * lib/krb5/krb5_is_thread_safe.3: Spelling/mdoc changes, from + Björn Sandell. + + * lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes, + from Björn Sandell. + + * lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes, + from Björn Sandell. + + * lib/krb5/krb5_expand_hostname.3: Spelling/mdoc changes, from + Björn Sandell. + + * lib/krb5/krb5_check_transited.3: Spelling/mdoc changes, from + Björn Sandell. + + * lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc changes, from + Björn Sandell. + + * lib/krb5/krb5_address.3: Spelling/mdoc changes, from + Björn Sandell. + + * lib/krb5/krb5_acl_match_file.3: Spelling/mdoc changes, from + Björn Sandell. + + * lib/krb5/krb5.3: Spelling, from Björn Sandell. + + * doc/ack.texi: add Björn + +2006-04-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c (cert2epi): don't include subject if its null + +2006-04-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: Send over what trust anchors the client have + configured. + + * lib/krb5/pkinit.c (pk_verify_host): set better error string, + only check kdc name/address when we got a hostname/address passed + in the the function. + + * kdc/pkinit.c (_kdc_pk_check_client): reorganize and make log + when a SAN matches. 
+ +2006-04-28 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: More options and some text about windows + clients, certificate and KDCs. + + * doc/setup.texi: notice about pki-mappings file space sensitive + + * doc/setup.texi: Example pki-mapping file. + + * lib/krb5/pkinit.c (pk_verify_host): verify hostname/address + + * lib/hdb/hdb.h: Bump hdb interface version to 4. + +2006-04-27 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kdestroy.1: Document --credential=principal. + + * kdc/kerberos5.c (tgs_rep2): check that the client exists in the + kerberos database if its local request. + + * kdc/{misc.c,524.c,kaserver.c,kerberos5.c}: pass down HDB_F_GET_ + flags as appropriate + + * kdc/kerberos4.c (_kdc_db_fetch4): pass down flags though + krb5_425_conv_principal_ext2 + + * kdc/misc.c (_kdc_db_fetch): Break out the that we request from + principal from the entry and pass it in as a seprate argument. + + * lib/hdb/keytab.c (hdb_get_entry): Break out the that we request + from principal from the entry and pass it in as a seprate + argument. + + * lib/hdb/common.c: Break out the that we request from principal + from the entry and pass it in as a seprate argument. + + * lib/hdb/hdb.h: Break out the that we request from principal from + the entry and pass it in as a seprate argument. Add more flags to + ->hdb_get(). Re-indent. + +2006-04-26 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: document pki-allow-proxy-certificate + + * kdc/pkinit.c: Add option [kdc]pki-allow-proxy-certificate=bool + to allow using proxy certificate. + + * lib/krb5/pkinit.c (_krb5_pk_allow_proxy_certificates): expose + hx509_verify_set_proxy_certificate + + * kdc/pkinit.c (_kdc_pk_check_client): Use + hx509_cert_get_base_subject to get subject name of the + certificate, needed for proxy certificates. + + * kdc/kerberos5.c: Now that find_keys speaks for it self, remove + extra logging. 
+ + * kdc/kerberos5.c (find_keys): add client_name and server_name + argument and use them, and adapt callers. + +2006-04-25 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.1: document option password-file + + * kuser/kinit.c: Add option password-file, read password from the + first line of a file. + + * configure.in: make tests/kdc/Makefile + + * kdc/kerberos5.c: Catch the case where the client sends no + encryption types or no pa-types. + + * lib/hdb/ext.c (hdb_replace_extension): set error message on + failure, not success. + + * lib/hdb/keys.c (parse_key_set): handle error case better + (hdb_generate_key_set): return better error + +2006-04-24 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb.c (hdb_create): print out what we don't support + + * lib/krb5/principal.c: Remove a double free introduced in 1.93 + + * lib/krb5/log.c (log_file): reset pointer to freed memory + + * lib/krb5/keytab_keyfile.c (get_cell_and_realm): reset d->cell to + make sure its not refereced + + * tools/krb5-config.in: libhcrypto might depend on libasn1, switch + order + + * lib/krb5/recvauth.c: indent + + * doc/heimdal.texi: Add Setting up PK-INIT to Detailed Node + Listing. + + * lib/krb5/pkinit.c: Pass down realm to pk_verify_host so the + function can verify the certificate is from the right realm. + + * lib/krb5/init_creds_pw.c: Pass down realm to + _krb5_pk_rd_pa_reply + +2006-04-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c (pk_verify_host): Add begining of finding + subjectAltName_otherName pk-init-san and verifing it. 
+ + * lib/krb5/sendauth.c: reindent + + * doc/Makefile.am: use --no-split to make one large file, mostly + for html + + * doc/setup.texi: "document" pkinit_require_eku and + pkinit_require_krbtgt_otherName + + * lib/krb5/pkinit.c: Add pkinit_require_eku and + pkinit_require_krbtgt_otherName + + * doc/setup.texi: Add text about pk-init + + * tools/kdc-log-analyze.pl: count v5 cross realms too + +2006-04-22 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: Adapt to change in hx509_cms_create_signed_1. + + * lib/krb5/pkinit.c: Adapt to change in hx509_cms_create_signed_1. + +2006-04-20 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c (_kdc_pk_rd_padata): use + hx509_cms_unwrap_ContentInfo. + + * kdc/config.c: unbreak + + * lib/krb5/pkinit.c: Handle diffrences between libhcrypto and + libcrypto. + + * kdc/config.c: Rename pki-chain to pki-pool to match rest of + code. + +2006-04-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/rd_priv.c: Fix argument to krb5_data_zero. + + * kdc/config.c: Added certificate revoke information from + configuration file. + + * kdc/pkinit.c: Added certificate revoke information. + + * kuser/kinit.c: Added certificate revoke information from + configuration file. + + * lib/krb5/pkinit.c (_krb5_pk_load_id): Added certificate revoke + information, ie CRL's + +2006-04-10 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/replay.c (krb5_rc_resolve_full): make compile again. + + * lib/krb5/keytab_krb4.c (krb4_kt_start_seq_get_int): make compile + again. 
+ + * lib/krb5/transited.c (make_path): make sure we return allocated + memory Coverity, NetBSD CID#1892 + + * lib/krb5/transited.c (make_path): make sure we return allocated + memory Coverity, NetBSD CID#1892 + + * lib/krb5/rd_req.c (krb5_verify_authenticator_checksum): on + protocol failure, avoid leaking memory Coverity, NetBSD CID#1900 + + * lib/krb5/principal.c (krb5_parse_name): remember to free realm + in case of error Coverity, NetBSD CID#1883 + + * lib/krb5/principal.c (krb5_425_conv_principal_ext2): remove + memory leak in case of weird formated dns replys. + Coverity, NetBSD CID#1885 + + * lib/krb5/replay.c (krb5_rc_resolve_full): don't return pointer + to a allocated krb5_rcache in case of error. + + * lib/krb5/log.c (krb5_addlog_dest): free fn in case of error + Coverity, NetBSD CID#1882 + + * lib/krb5/keytab_krb4.c: Fix deref before NULL check, fix error + handling. Coverity, NetBSD CID#2369 + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): + in_creds->client should always be set, assume so. + + * lib/krb5/keytab_any.c (any_next_entry): restructure to make it + easier to read Fixes Coverity, NetBSD CID#625 + + * lib/krb5/crypto.c (krb5_string_to_key_derived): deref after NULL + check. Coverity NetBSD CID#2367 + + * lib/krb5/build_auth.c (krb5_build_authenticator): use + calloc. removed check that was never really used. Coverity NetBSD + CID#2370 + +2006-04-09 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/rd_req.c (krb5_verify_ap_req2): make sure `ticket´ + points to NULL in case of error, add error handling, use calloc. + + * kpasswd/kpasswdd.c (doit): when done, close all fd in the + sockets array and free it. 
Coverity NetBSD CID#1916 + +2006-04-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/store.c (krb5_ret_principal): fix memory leak Coverity, + NetBSD CID#1695 + + * kdc/524.c (_kdc_do_524): Handle memory allocation failure + Coverity, NetBSD CID#2752 + +2006-04-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/keytab_file.c (krb5_kt_ret_principal): plug a memory + leak Coverity NetBSD CID#1890 + + * kdc/hprop.c (main): make sure type doesn't need to be set + + * kdc/mit_dump.c (mit_prop_dump): close fd when done processing + Coverity NetBSD CID#1955 + + * kdc/string2key.c (tokey): catch warnings, free memory after use. + Based on Coverity NetBSD CID#1894 + + * kdc/hprop.c (main): remove dead code. Coverity NetBSD CID#633 + +2006-04-04 Love Hörnquist Åstrand <lha@it.su.se> + + * kpasswd/kpasswd-generator.c (read_words): catch empty file case, + will cause PBE (division by zero) later. From Tobias Stoeckmann. + +2006-04-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/keytab.c: Remove a delta from last revision that should + have gone in later. + + * lib/krb5/krbhst.c: fix spelling + + * lib/krb5/send_to_kdc.c (send_and_recv_http): don't expose freed + pointer, found by IBM checker. + + * lib/krb5/rd_cred.c (krb5_rd_cred): don't expose freed pointer, + found by IBM checker. + + * lib/krb5/addr_families.c (krb5_make_addrport): clear return + value on error, found by IBM checker. + + * kdc/kerberos5.c (check_addresses): treat netbios as no addresses + + * kdc/{kerberos4,kaserver}.c: _kdc_check_flags takes hdb_entry_ex + + * kdc/kerberos5.c (_kdc_check_flags): make it take hdb_entry_ex to + avoid ?:'s at callers + + * lib/krb5/v4_glue.c: Avoid using free memory, found by IBM + checker. + + * lib/krb5/transited.c (expand_realm): avoid passing NULL to + strlen, found by IBM checker. + + * lib/krb5/rd_cred.c (krb5_rd_cred): avoid a memory leak on malloc + failure, found by IBM checker. 
+ + * lib/krb5/krbhst.c (_krb5_krbhost_info_move): replace a strcpy + with a memcpy + + * lib/krb5/keytab_keyfile.c (get_cell_and_realm): plug a memory + leak, found by IBM checker. + + * lib/krb5/keytab_file.c (fkt_next_entry_int): remove a + dereferencing NULL pointer, found by IBM checker. + + * lib/krb5/init_creds_pw.c (init_creds_init_as_req): in AS-REQ the + cname must always be given, don't avoid that fact and remove a + cname == NULL case. Plugs a memory leak found by IBM checker. + + * lib/krb5/init_creds_pw.c (default_s2k_func): avoid exposing + free-ed memory on error. Found by IBM checker. + + * lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): use + calloc to avoid uninitialized memory problem. + + * lib/krb5/data.c (krb5_copy_data): avoid exposing free-ed memory + on error. Found by IBM checker. + + * lib/krb5/fcache.c (fcc_gen_new): fix a use after free, found by + IBM checker. + + * lib/krb5/config_file.c (krb5_config_vget_strings): IBM checker + thought it found a memory leak, it didn't, but there was another + error in the code, lets fix that instead. + + * lib/krb5/cache.c (_krb5_expand_default_cc_name): plug memory + leak. Found by IBM checker. + + * lib/krb5/cache.c (_krb5_expand_default_cc_name): avoid return + pointer to freed memory in the error case. Found by IBM checker. + + * lib/hdb/keytab.c (hdb_resolve): off by one, found by IBM + checker. + + * lib/hdb/keys.c (hdb_generate_key_set): set ret_key_set before + going into the error clause and freeing key_set. Found by IBM + checker. Make sure ret == 0 after of parse error, we catch the + "no entries parsed" case later. + + * lib/krb5/log.c (krb5_addlog_dest): make string length match + strings in strcasecmp. Found by IBM checker. 
+ +2006-03-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c (LDAP_message2entry): in declaration set + variable_name as "hdb_entry_ex" + (hdb_ldap_common): change "arg" in condition (if) to "search_base" + (hdb_ldapi_create): change "serach_base" to "search_base" From + Alex V. Labuta. + + * lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit); fix + prototype + + * kuser/kinit.c: Add pool of certificates to help certificate path + building for clients sending incomplete path in the signedData. + +2006-03-28 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: Add pool of certificates to help certificate path + building for clients sending incomplete path in the signedData. + + * lib/krb5/pkinit.c: Add pool of certificates to help certificate + path building for clients sending incomplete path in the + signedData. + +2006-03-27 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/config.c: Allow passing in related certificates used to + build the chain. + + * kdc/pkinit.c: Allow passing in related certificates used to + build the chain. + + * kdc/kerberos5.c (log_patype): Add case for + KRB5_PADATA_PA_PK_OCSP_RESPONSE. + + * tools/Makefile.am: Spelling + + * tools/krb5-config.in: Add hx509 when using PK-INIT. + + * tools/Makefile.am: Add hx509 when using PK-INIT. + +2006-03-26 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/acache.c: Use ticket flags definition, might fix Mac OS + X Kerberos.app problems. + + * lib/krb5/krb5_ccapi.h: Add ticket flags definitions + + * lib/krb5/pkinit.c: Use less openssl, spell chelling. + + * kdc/pkinit.c (pk_mk_pa_reply_dh): encode the DH public key with + asn1 wrapping + + * configure.in (AC_CONFIG_FILES): add lib/hx509/Makefile + + * lib/Makefile.am: Add hx509. + + * lib/krb5/Makefile.am: Add libhx509.la when PKINIT is used. + + * configure.in: define automake PKINIT variable + + * kdc/pkinit.c: Switch to hx509. + + * lib/krb5/pkinit.c: Switch to hx509. 
+ +2006-03-24 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (log_patypes): log the patypes requested by the + client + +2006-03-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c (_krb5_pk_rd_pa_reply): pass down the + req_buffer in the w2k case too. From Douglas E. Engert. + +2006-03-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/mk_req_ext.c (_krb5_mk_req_internal): on failure, goto + error handling. Fixes Coverity NetBSD CID 2591 by catching a + failing krb5_copy_keyblock() + +2006-03-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/addr_families.c (krb5_free_addresses): reset val,len in + address when free-ing. Fixes Coverity NetBSD bug #2605 + (krb5_parse_address): reset val,len before possibly return errors + Fixes Coverity NetBSD bug #2605 + +2006-03-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/send_to_kdc.c (recv_loop): it should never happen, but + make sure nbytes > 0 + + * lib/krb5/get_for_creds.c (add_addrs): handle the case where + addr->len == 0 and n == 0, then realloc might return NULL. + + * lib/krb5/crypto.c (decrypt_*): handle the case where the + plaintext is 0 bytes long, realloc might then return NULL. + +2006-02-28 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_string_to_key.3: Drop krb5_string_to_key_derived. + + * lib/krb5/krb5.3: Remove krb5_string_to_key_derived. + + * lib/krb5/crypto.c (AES_string_to_key): drop _krb5_PKCS5_PBKDF2 + and use PKCS5_PBKDF2_HMAC_SHA1 instead. + + * lib/krb5/aes-test.c: reformat, avoid free-ing un-init'd memory + + * lib/krb5/aes-test.c: Only use PKCS5_PBKDF2_HMAC_SHA1. + +2006-02-27 Johan Danielsson <joda@pdc.kth.se> + + * doc/setup.texi: remove cartouches - we don't use them anywhere + else, they should be around the example, not inside it, and + probably shouldn't be used in html at all + +2006-02-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_warn.3: Document that applications want to use + krb5_get_error_message, add example. 
+ +2006-02-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/crypto.c (krb5_generate_random_block): check return + value from RAND_bytes + + * lib/krb5/error_string.c: Change indentation, update (c) + +2006-02-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: Make struct krb5_dh_moduli available when + compiling w/o pkinit. + +2006-02-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: update to new paChecksum definition, update + the dhgroup handling + + * kdc/pkinit.c: update to new paChecksum definition, use + hdb_entry_ex + +2006-02-09 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_locl.h: Move Configurable options to last in the + file. + + * lib/krb5/krb5_locl.h: Wrap KRB5_ADDRESSLESS_DEFAULT with #ifndef + +2006-02-03 Love Hörnquist Åstrand <lha@it.su.se> + + * kpasswd/kpasswdd.c: Send back a better error-message to the + client in case the password change was rejected. + + * lib/krb5/krb5_warn.3: Document krb5_get_error_message. + + * lib/krb5/error_string.c (krb5_get_error_message): new function, + and combination of krb5_get_error_string and krb5_get_err_text + + * lib/krb5/krb5.3: sort, and krb5_get_error_message + + * lib/hdb/hdb-ldap.c: Log the filter string to the error message + when doing searches. + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags): + Use KRB5_ADDRESSLESS_DEFAULT when + checking [appdefault]no-addresses. + + * lib/krb5/get_cred.c (get_cred_from_kdc_flags): Use + KRB5_ADDRESSLESS_DEFAULT when checking + [appdefault]no-addresses. + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): + Use [appdefault]no-addresses before checking if the krbtgt is + address-less, use KRB5_ADDRESSLESS_DEFAULT. + + * lib/krb5/krb5_locl.h: Introduce KRB5_ADDRESSLESS_DEFAULT that + controlls all address-less behavior. Defaults to false. 
+ +2006-02-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/n-fold-test.c: main is not a KRB5_LIB_FUNCTION + + * lib/krb5/mk_priv.c (krb5_mk_priv): abort if ASN1_MALLOC_ENCODE + failes to produce the matching lenghts. + +2006-01-27 Love Hörnquist Åstrand <lha@it.su.se> + + * kcm/protocol.c (kcm_op_retrieve): remove unused variable + +2006-01-15 Love Hörnquist Åstrand <lha@it.su.se> + + * tools/krb5-config.in: Move depenency on @LIB_dbopen@ to + kadm-server, kerberos library doesn't depend on db-library. + +2006-01-13 Love Hörnquist Åstrand <lha@it.su.se> + + * include/Makefile.am: Don't clean crypto headers, they now live + in hcrypto/. Add hcrypto to SUBDIRS. + + * include/hcrypto/Makefile.am: clean installed headers + + * include/make_crypto.c: include crypto headers from hcrypto/ + + * include/make_crypto.c: Include more crypto headerfiles. Remove + support for old hash names. + +2006-01-02 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/misc.c (_kdc_db_fetch): use calloc to allocate the entry, + from Andrew Bartlet. + + * Happy New Year. diff --git a/third_party/heimdal/ChangeLog.2007 b/third_party/heimdal/ChangeLog.2007 new file mode 100644 index 0000000..60c9545 --- /dev/null +++ b/third_party/heimdal/ChangeLog.2007 
@@ -0,0 +1,1321 @@ +2007-12-28 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/digest.c: Log probe message, add NTLM_TARGET_DOMAIN to the + type2 message. + +2007-12-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/dbinfo.c: Add hdb_default_db(). + + * Makefile.am: Add some extra cf/*. + +2007-12-12 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kgetcred.c: Fix type of name-type. From Andy Polyakov. + +2007-12-09 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/log.c: Use hdb_db_dir(). + + * kpasswd/kpasswdd.c: Use hdb_db_dir(). + +2007-12-08 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/config.c: Use hdb_db_dir(). + + * kdc/kdc_locl.h: add KDC_LOG_FILE + + * kdc/hpropd.c: Use hdb_default_db(). + + * kdc/kstash.c: Use hdb_db_dir(). + + * kdc/pkinit.c: Adapt to hx509 changes, use hdb_db_dir(). + + * lib/krb5/rd_req.c: Document krb5_rd_req_in_set_pac_check. + + * lib/krb5/verify_krb5_conf.c: Check check_pac. + + * lib/krb5/rd_req.c: use KRB5_CTX_F_CHECK_PAC to init check_pac + field in the krb5_rd_req_in_ctx + + * lib/krb5/expand_hostname.c: Adapt to changing + dns_canonicalize_hostname into flags field. + + * lib/krb5/context.c: Adapt to changing dns_canonicalize_hostname + into flags field, add check-pac as an libdefaults option. + + * lib/krb5/pkinit.c: Adapt to changes in hx509 interface. + + * doc: add doxygen documentation to hcrypto + + * doc/doxytmpl.dxy: generate links + +2007-12-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: build_HEADERZ += heim_threads.h + + * lib/hdb/dbinfo.c (hdb_db_dir): Return the directory where the + hdb database resides. + + * configure.in: Add --with-hdbdir to specify where the database is + stored. + + * lib/krb5/crypto.c: revert previous patch, the problem is located + in the RAND_file_name() function that will cause recursive nss + lookups, can't fix that here. 
+ +2007-12-06 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/crypto.c (krb5_generate_random_block): try to avoid the + dead-lock in by not holding the lock while running + RAND_file_name. Prompted by Hai Zaar. + + * lib/krb5/n-fold.c: spelling + +2007-12-04 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kdigest.c (digest-probe): implement command. + + * kuser/kdigest-commands.in (digest-probe): new command + + * kdc/digest.c: Implement supportedMechs request. + + * lib/krb5/error_string.c: Make krb5_get_error_string return an + allocated string to make the function indempotent. From + Zeqing (Fred) Xia. + +2007-12-03 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_locl.h (krb5_context_data): Flag if + default_cc_name was set by the user. + + * lib/krb5/fcache.c (fcc_move): make sure ->version is uptodate. + + * kcm/acquire.c: use krb5_free_cred_contents + + * kuser/kimpersonate.c: use krb5_free_cred_contents + + * kuser/kinit.c: Use krb5_cc_move to make an atomic switch of the + cred cache. + + * lib/krb5/cache.c: Put back code that was needed, move gen_new + into new_unique. + + * lib/krb5/mcache.c (mcc_default_name): Remove const + + * lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME_KCM, redefine + KRB5_DEFAULT_CCNAME to KRB5_DEFAULT_CCTYPE + + * lib/krb5/cache.c: Use krb5_cc_ops->default_name to get the + default name. + + * lib/krb5/kcm.c: Implement krb5_cc_ops->default_name. + + * lib/krb5/mcache.c: Implement krb5_cc_ops->default_name. + + * lib/krb5/fcache.c: Implement krb5_cc_ops->default_name. + + * lib/krb5/krb5.h: Add krb5_cc_ops->default_name. + + * lib/krb5/acache.c: Free context when done, implement + krb5_cc_ops->default_name. + + * lib/krb5/kcm.c: implement dummy kcm_move + + * lib/krb5/mcache.c: Implement the move operation. + + * lib/krb5/version-script.map: export krb5_cc_move + + * lib/krb5/cache.c: New function krb5_cc_move(). + + * lib/krb5/fcache.c: Implement the move operation. 
+ + * lib/krb5/krb5.h: Add move to the krb5_cc_ops, causes major + version bump. + + * lib/krb5/acache.c: Implement the move operation. Avoid using + cc_set_principal() since it broken on Mac OS X 10.5.0. + +2007-12-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_ccapi.h: Drop variable names to avoid -Wshadow. + +2007-11-14 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/krb5tgs.c: Should pass different key usage constants + depending on whether or not optional sub-session key was passed by + the client for the check of authorization data. The constant is + used to derive "specific key" and its values are specified in + 7.5.1 of RFC4120. + + Patch from Andy Polyakov. + + * kdc/krb5tgs.c: Don't send auth data in referrals, microsoft + clients have started to not like that. Thanks to Andy Polyakov for + excellent research. + +2007-11-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/creds.c: use krb5_data_cmp + + * lib/krb5/acache.c: use krb5_free_cred_contents + + * lib/krb5/test_renew.c: use krb5_free_cred_contents + +2007-11-10 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/acl.c: doxygen documentation + + * lib/krb5/addr_families.c: doxygen documentation + + * doc: add doxygen + + * lib/krb5/plugin.c: doxygen documentation + + * lib/krb5/kcm.c: doxygen documentation + + * lib/krb5/fcache.c: doxygen documentation + + * lib/krb5/cache.c: doxygen documentations + + * lib/krb5/doxygen.c: doxygen introduction + + * lib/krb5/error_string.c: Doxygen documentation. + +2007-11-03 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_plugin.c: expose krb5_plugin_register + + * lib/krb5/plugin.c: expose krb5_plugin_register + + * lib/krb5/version-script.map: sort, expose krb5_plugin_register + +2007-10-24 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: Adding same enctype is enough one time. From + Andy Polyakov and Bjorn Sandell. 
+ +2007-10-18 Love <lha@stacken.kth.se> + + * lib/krb5/cache.c (krb5_cc_retrieve_cred): check return value + from krb5_cc_start_seq_get. From Zeqing (Fred) Xia + + * lib/krb5/fcache.c (init_fcc): provide better error codes + + * kdc/kerberos5.c (get_pa_etype_info2): more paranoia, avoid + sending warning about pruned etypes. + + * kdc/kerberos5.c (older_enctype): old windows enctypes (arcfour + based) "old", this to support windows 2000 clients (unjoined to a + domain). From Andy Polyakov. + +2007-10-07 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: Spelling, from Mark Peoples via Bjorn Sandell. + +2007-10-04 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/krb5tgs.c: More prettier printing of enctype, from KAMADA + Ken'ichi. + + * lib/krb5/crypto.c (krb5_enctype_to_string): make sure string is + NULL on failure. + +2007-10-03 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kdc-replay.c: Catch KRB5_PROG_ATYPE_NOSUPP from + krb5_addr2sockaddr and igore thte test is that case. + +2007-09-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/context.c (krb5_free_context): free + default_cc_name_env, from Gunther Deschner. + +2007-08-27 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/{krb5.h,pac.c,test_pac.c,send_to_kdc.c,rd_req.c}: Make + work with c++, reported by Hai Zaar + + * lib/krb5/{digest.c,krb5.h}: Make work with c++, reported by Hai Zaar + +2007-08-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/Makefile.am: EXTRA_DIST += hdb.schema + +2007-07-31 Love Hörnquist Åstrand <lha@it.su.se> + + * check return value of alloc functions, from Charles Longeau + + * lib/krb5/principal.c: spelling. + + * kadmin/kadmin.8: spelling + + * lib/krb5/crypto.c: Check return values from alloc + functions. Prompted by patch of Charles Longeau. + + * lib/krb5/n-fold.c: Make _krb5_n_fold return a error + code. Prompted by patch of Charles Longeau. 
+ +2007-07-27 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds.c: Always set the ticket options, use + KRB5_ADDRESSLESS_DEFAULT as the default value, this make the unset + tri-state not so useful. + +2007-07-24 Love Hörnquist Åstrand <lha@it.su.se> + + * tools/heimdal-gssapi.pc.in: Add LIB_pkinit to the list of + libraries. + + * tools/heimdal-gssapi.pc.in: pkg-config file for libgssapi in + heimdal. + + * tools/Makefile.am: Add heimdal-gssapi.pc and install it into + $(libdir)/pkgconfig + +2007-07-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: Add RFC3526 modp group14 as a default. + +2007-07-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/dbinfo.c (get_dbinfo): use dbname instead of realm as + key if the entry is a correct entry. + + * lib/krb5/get_cred.c: Make krb5_get_renewed_creds work, from + Gunther Deschner. + + * lib/krb5/Makefile.am: Add test_renew to noinst_PROGRAMS. + + * lib/krb5/test_renew.c: Test for krb5_get_renewed_creds. + +2007-07-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/keys.c: Make parse_key_set handle key set string "v5", + from Peter Meinecke. + + * kdc/kaserver.c: Don't ovewrite the error code, from Peter + Meinecke. + +2007-07-18 Love Hörnquist Åstrand <lha@it.su.se> + + * TODO-1.0: remove + + * Makefile.am: remove TODO-1.0 + +2007-07-17 Love Hörnquist Åstrand <lha@it.su.se> + + * Heimdal 1.0 release branch cut here + + * doc/hx509.texi: use version.texi + + * doc/heimdal.texi: use version.texi + + * doc/version.texi: version.texi + + * lib/hdb/db3.c: avoid type-punned pointer warning. + + * kdc/kx509.c: Use unsigned char * as argument to HMAC_Update to + please OpenSSL and gcc. + + * kdc/digest.c: Use unsigned char * as argument to MD5_Update to + please OpenSSL and gcc. + +2007-07-16 Love Hörnquist Åstrand <lha@it.su.se> + + * include/Makefile.am: Add krb_err.h. + + * kdc/set_dbinfo.c: Print acl file too. + + * kdc/kerberos4.c: Error codes are just fine, remove XXX now. 
+ + * lib/krb5/krb5-v4compat.h: Drop duplicate error codes. + + * kdc/kerberos4.c: switch to ET errors. + + * lib/krb5/Makefile.am: Add krb_err.h to build_HEADERZ. + + * lib/krb5/v4_glue.c: If its a Kerberos 4 error-code, remove the + et BASE. + +2007-07-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5-v4compat.h: Include "krb_err.h". + + * lib/krb5/v4_glue.c: return more interesting error codes. + + * lib/krb5/plugin.c: Prefix enum plugin_type. + + * lib/krb5/krb5_locl.h: Expose plugin structures. + + * lib/krb5/krb5.h: Add plugin structures. + + * lib/krb5/krb_err.et: V4 errors. + + * lib/krb5/version-script.map: First version of version script. + +2007-07-13 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: Java 1.6 expects the name to be the same type, + lets allow that for uncomplicated name-types. + +2007-07-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/v4_glue.c (_krb5_krb_rd_req): if ticket contains + address 0, its ticket less and don't really care about + from_addr. return better error codes. + + * kpasswd/kpasswdd.c: Fix pointer vs strict alias rules. + +2007-07-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: When using sambaNTPassword, avoid adding + more then one enctype 23 to krb5EncryptionType. + + * lib/krb5/cache.c: Spelling. + + * kdc/kerberos5.c: Don't send newer enctypes in ETYPE-INFO. + (get_pa_etype_info2): return the enctypes as sorted in the + database + +2007-07-10 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: krb5-v4compat.h defines prototypes for + v4 (semiprivate functions) in libkrb5, don't include + krb5-private.h any longer. + + * lib/krb5/krbhst.c: Set error string when there is no KDC for a + realm. + + * lib/krb5/Makefile.am: New library version. + + * kdc/Makefile.am: New library version. + + * lib/krb5/krb5_locl.h: Add default_cc_name_env. 
+ + * lib/krb5/cache.c (enviroment_changed): return non-zero if + enviroment that will determine default krb5cc name has changed. + (krb5_cc_default_name): also check if cached value is uptodate. + + * lib/krb5/krb5_locl.h: Drop pkinit_flags. + +2007-07-05 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: add tests/java/Makefile + + * lib/hdb/dbinfo.c: Add hdb_dbinfo_get_log_file. + +2007-07-04 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: Improve the default salt detection to avoid + returning v4 password salting to java that doesn't look at the + returning padata for salting. + + * kdc: Split out krb5_kdc_set_dbinfo, From Andrew Bartlett + +2007-07-02 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/digest.c: Try harder to provide better error message for + digest messages. + + * lib/krb5/Makefile.am: verify_krb5_conf_OBJECTS depends on + krb5-pr*.h, make -j finds this. + +2007-06-28 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/digest.c: On success, print username, not ip-adress. + +2007-06-26 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_cred.c: Add krb5_get_renewed_creds. + + * lib/krb5/krb5_get_credentials.3: add krb5_get_renewed_creds + + * lib/krb5/pkinit.c: Use hx509_cms_unwrap_ContentInfo. + +2007-06-25 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: Add example for pkinit_win2k_require_binding + in [kdc] section. + + * kdc/default_config.c: Rename require_binding to + win2k_require_binding to match client configuration. + + * kdc/default_config.c: Add [kdc]pkinit_require_binding option. + + * kdc/pkinit.c (pk_mk_pa_reply_enckey): only allow non-bound reply + if its not required. + + * kdc/default_config.c: rename pkinit_princ_in_cert and add + pkinit_require_binding + + * kdc/kdc.h: rename pkinit_princ_in_cert and add + pkinit_require_binding + + * kdc/pkinit.c: rename pkinit_princ_in_cert + +2007-06-24 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: Adapt to hx509_verify_hostname change. 
+ +2007-06-21 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/krb5tgs.c: Drop unused variable. + + * kdc/krb5tgs.c: disable anonyous tgs requests + + * kdc/krb5tgs.c: Don't check PAC on cross realm for now. + + * kuser/kgetcred.c: Set KRB5_GC_CONSTRAINED_DELEGATION and parse + nametypes. + + * lib/krb5/krb5_principal.3: Document krb5_parse_nametype. + + * lib/krb5/principal.c (krb5_parse_nametype): parse nametype and + return their integer values. + + * lib/krb5/krb5.h (krb5_get_creds): Add + KRB5_GC_CONSTRAINED_DELEGATION. + + * lib/krb5/get_cred.c (krb5_get_creds): if + KRB5_GC_CONSTRAINED_DELEGATION is set, set both request_anonymous + and constrained_delegation. + +2007-06-20 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/digest.c: Return an error message instead of dropping the + packet for more failure cases. + + * lib/krb5/krb5_principal.3: Add KRB5_PRINCIPAL_UNPARSE_DISPLAY. + + * appl/gssmask/gssmask.c (AcquirePKInitCreds): fail more + gracefully + +2007-06-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pac.c: make compile. + + * lib/krb5/pac.c (verify_checksum): memset cksum to avoid using + pointer from stack. + + * lib/krb5/plugin.c: Don't expose free pointer. + + * lib/krb5/pkinit.c (_krb5_pk_load_id): fail directoy for first + calloc. + + * lib/krb5/pkinit.c (get_reply_key*): don't expose freed memory + + * lib/krb5/krbhst.c: Host is static memory, don't free. + + * lib/krb5/crypto.c (decrypt_internal_derived): make sure length + is longer then confounder + checksum. + + * kdc: export get_dbinfo as krb5_kdc_set_dbinfo and call from + users. This to allows libkdc users to to specify their own + databases + + * lib/krb5/pkinit.c (pk_rd_pa_reply_enckey): simplify handling of + content data (and avoid leaking memory). + + * kdc/misc.c (_kdc_db_fetch): set error string for failures. + +2007-06-15 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: Use KRB5_AUTHDATA_INITIAL_VERIFIED_CAS. 
+ +2007-06-13 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: tell user when they got a pk-init request with + pkinit disabled. + +2007-06-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/principal.c: Rename UNPARSE_NO_QUOTE to + UNPARSE_DISPLAY. + + * lib/krb5/krb5.h: Rename UNPARSE_NO_QUOTE to UNPARSE_DISPLAY. + + * lib/krb5/principal.c: Make no-quote mean replace strange chars + with space. + + * lib/krb5/principal.c: Support KRB5_PRINCIPAL_UNPARSE_NO_QUOTE. + + * lib/krb5/krb5.h: Add KRB5_PRINCIPAL_UNPARSE_NO_QUOTE. + + * lib/krb5/test_princ.c: Test quoteing. + + * lib/krb5/pkinit.c: update (c) + + * lib/krb5/get_cred.c: use krb5_sendto_context to talk to the KDC. + + * lib/krb5/send_to_kdc.c (_krb5_kdc_retry): check if the whole + process needs to restart or just skip this KDC. + + * lib/krb5/init_creds_pw.c: Use krb5_sendto_context to talk to + KDC. + + * lib/krb5/krb5.h: Add sendto hooks and opaque structure. + + * lib/krb5/krb5_rd_error.3: Update prototype. + + * lib/krb5/send_to_kdc.c: Add hooks for processing the reply from + the server. + +2007-06-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_err.et: Some new error codes from RFC 4120. + +2007-06-09 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/krb5tgs.c: Constify. + + * kdc/kerberos5.c: Constify. + + * kdc/pkinit.c: Check for KRB5-PADATA-PK-AS-09-BINDING. Constify. + +2007-06-08 Love Hörnquist Åstrand <lha@it.su.se> + + * include/Makefile.am: Make krb5-types.h nodist_include_HEADERS. + + * kdc/Makefile.am: EXTRA_DIST += version-script.map. + +2007-06-07 Love Hörnquist Åstrand <lha@it.su.se> + + * Makefile.am (print-distdir): print name of dist + + * kdc/pkinit.c: Break out loading of mappings file to a separate + function and remove warning that it can't open the mapping file, + there are now mappings in the db, maybe the users uses that + instead... + + * lib/krb5/crypto.c: Require the raw key have the correct size and + do away with the minsize. 
Minsize was a thing that originated + from RC2, but since RC2 is done in the x509/cms subsystem now + there is no need to keep that around. + + * lib/hdb/dbinfo.c: If there is no default dbname, also check for + unset mkey_file and set it default mkey name, make backward compat + stuff work. + + * kdc/version-script.map: add new symbols + + * kdc/kdc-replay.c: Also update krb5_context view of what the time + is. + + * configure.in: add tests/can/Makefile + + * kdc/kdc-replay.c: Add --[version|help]. + + * kdc/pkinit.c: Push down the kdc time into the x509 library. + + * kdc/connect.c: Move up krb5_kdc_save_request so we can catch the + reply data too. + + * kdc/kdc-replay.c: verify reply by checking asn1 class, type and + tag of the reply if there is one. + + * kdc/process.c: Save asn1 class, type and tag of the reply if + there is one. Used to verify the reply in kdc-replay. + +2007-06-06 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kdc_locl.h: extern for request_log. + + * kdc/Makefile.am: Add kdc-replay. + + * kdc/kdc-replay.c: Replay kdc messages to the KDC library. + + * kdc/config.c: Pick up request_log from [kdc]kdc-request-log. + + * kdc/connect.c: Option to save the request to disk. + + * kdc/process.c (krb5_kdc_save_request): save request to file. + + * kdc/process.c (krb5_kdc_process*): dont update _kdc_time + automagicly. + (krb5_kdc_update_time): set or get current kdc-time. + + * kdc/pkinit.c (_kdc_pk_rd_padata): accept both pkcs-7 and + pkauthdata as the signeddata oid + + * kdc/pkinit.c (_kdc_pk_rd_padata): Try to log what went wrong. + +2007-06-05 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: Use oid_id_pkcs7_data for pkinit-9 encKey reply to + match windows DC behavior better. + +2007-06-04 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: use test for -framework Security + + * appl/test/uu_server.c: Print status to stdout. + + * kdc/digest.c (digest ntlm): provide log entires by setting ret + to an error. 
+ +2007-06-03 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/hx509.texi: Indent crl-sign. + + * doc/hx509.texi: One more crl-sign example. + + * lib/krb5/test_princ.c: plug memory leaks. + + * lib/krb5/pac.c: plug memory leaks. + + * lib/krb5/test_pac.c: plug memory leaks. + + * lib/krb5/test_prf.c: plug memory leak. + + * lib/krb5/test_cc.c: plug memory leaks. + + * doc/hx509.texi: Simple blob about publishing CRLs. + + * doc/win2k.texi: drop text about enctypes. + +2007-06-02 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: In case of OCSP verification failure, referash + every 5 min. In case of success, refreash 2 min before expiring or + faster. + +2007-05-31 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_err.et: add error 68, WRONG_REALM + + * kdc/pkinit.c: Handle the ms san in a propper way, still cheat + with the realm name. + + * kdc/kerberos5.c: If _kdc_pk_check_client failes, bail out + directly and hand the error back to the client. + + * lib/krb5/krb5_err.et: Add missing REVOCATION_STATUS_UNAVAILABLE + and fix error message for CLIENT_NAME_MISMATCH. + + * kdc/pkinit.c: More logging for pk-init client mismatch. + + * kdc/kerberos5.c: Also add a KRB5_PADATA_PK_AS_REQ_WIN for + windows pk-init (-9) to make MIT clients happy. + +2007-05-30 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: Force des3 for win2k. + + * kdc/pkinit.c: Add wrapping to ContentInfo wrapping to + COMPAT_WIN2K. + + * lib/krb5/keytab_keyfile.c: Spelling. + + * kdc/pkinit.c: Allow matching by MS UPN SAN, note that this delta + doesn't deal with case of realm. + +2007-05-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/crypto.c (krb5_crypto_overhead): return static overhead + of encryption. + +2007-05-10 Dave Love <fx@gnu.org> + + * doc/win2k.texi: Update some URLs. + +2007-05-13 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kimpersonate.c: Fix version number of ticket, it should be + 5 not the kvno. 
+ +2007-05-08 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: Salting is really Encryption types and salting. + +2007-05-07 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: spelling, from Ronny Blomme + + * doc/win2k.texi: Fix ksetup /SetComputerPassword, from Ronny + Blomme + +2007-05-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/dbinfo.c (hdb_get_dbinfo) If there are no database + specified, create one and let it use the defaults. + +2007-04-27 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/test_dbinfo.c: test acl file + + * lib/hdb/test_dbinfo.c: test acl file + + * lib/hdb/dbinfo.c: add acl file + + * etc: ignore Makefile.in + + * Makefile.am: SUBDIRS += etc + + * configure.in: Add etc/Makefile. + + * etc/Makefile.am: make sure services.append is distributed + +2007-04-24 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc: rename windc_init to krb5_kdc_windc_init + + * kdc/version-script.map: version script for libkdc + + * kdc/Makefile.am: version script for libkdc + +2007-04-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error): + correct the order of the arguments. + + * lib/hdb/Makefile.am: Add and test dbinfo. + + * lib/hdb/hdb.h: Forward declaration for struct hdb_dbinfo; + + * kdc/config.c: Use krb5_kdc_get_config and just fill in what the + users wanted differently. + + * kdc/default_config.c: Make the default configuration fetch info + from the krb5.conf. + +2007-04-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to + determine if to send the session-key, for the second place in the + function. + + * tools/krb5-config.in: rename des to hcrypto + + * kuser/Makefile.am: depend on libheimntlm + + * kuser/kinit.c: Add --ntlm-domain that store the ntlm cred for + this domain if the Kerberos password auth worked. 
+ + * kuser/klist.c: add new option --hidden that doesn't display + principal that starts with @ + + * tools/krb5-config.in: Add heimntlm when we use gssapi. + + * lib/krb5/krb5_ccache.3 (krb5_cc_retrieve_cred): document what to + free 'cred' with. + + * lib/krb5/cache.c (krb5_cc_retrieve_cred): document what to free + 'cred' with. + +2007-04-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to + determine if to send the session-key. + + * kcm/client.c (kcm_ccache_new_client): make root be able to pass + the name constraints, not the opposite. From Bryan Jacobs. + +2007-04-20 Love Hörnquist Åstrand <lha@it.su.se> + + * kcm/acl.c: make compile again. + + * kcm/client.c: fix warning. + + * kcm: First, it allows root to ignore the naming conventions. + Second, it allows root to always perform any operation on any + ccache. Note that root could do this anyway with FILE ccaches. + From Bryan Jacobs. + + * Rename libdes to libhcrypto. + +2007-04-19 Love Hörnquist Åstrand <lha@it.su.se> + + * kinit: remove code that depend on kerberos 4 library + + * kdc: remove code that depend on kerberos 4 library + + * configure.in: Drop kerberos 4 support. + + * kdc/hpropd.c (main): free the message when done with it. + + * lib/krb5/pkinit.c (_krb5_get_init_creds_opt_free_pkinit): + remember to free memory too. + + * lib/krb5/pkinit.c (pk_rd_pa_reply_dh): free content-type when + done. + + * configure.in: test rk_VERSIONSCRIPT + +2007-04-18 Love Hörnquist Åstrand <lha@it.su.se> + + * fix-export: remove, all done by make dist now + +2007-04-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_get_credentials.3: spelling, from Jason McIntyre + +2007-04-11 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kstash.8: Spelling, from raga <raga@comcast.net> + via Bjorn Sandell. + + * lib/krb5/store_mem.c: indent. + + * lib/krb5/recvauth.c: Set error string. + + * lib/krb5/rd_req.c: clear error strings. 
+ + * lib/krb5/rd_cred.c: clear error string. + + * lib/krb5/pkinit.c: Set error strings. + + * lib/krb5/get_cred.c: Tell what principal we are not finding for + all KRB5_CC_NOTFOUND. + +2007-02-22 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: Return the same error codes as a windows KDC. + + * kuser/kinit.c: KRB5KDC_ERR_PREAUTH_FAILED is also a password + failed. + + * kdc/kerberos5.c: Make handling of replying e_data more generic, + from metze. + + * kdc/kerberos5.c: Fix (string const and shadow) warnings, from + metze. + + * lib/krb5/pac.c: Create the PAC element in the same order as + w2k3, maybe there's some broken code in windows which relies on + this... From metze. + + * kdc/kerberos5.c: Select a session enctype from the list of the + crypto systems supported enctype, is supported by the client and + is one of the enctype of the enctype of the krbtgt. + + The later is used as a hint what enctype all KDC are supporting to + make sure a newer version of KDC wont generate a session enctype + that and older version of a KDC in the same realm can't decrypt. + + But if the KDC admin is paranoid and doesn't want to have "no the + best" enctypes on the krbtgt, lets save the best pick from the + client list and hope that that will work for any other KDCs. + + Reported by metze. + + * kdc/hprop.c (propagate_database): on any failure, drop the + connection to the peer and try next one. + +2007-02-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_get_init_creds.3: document new options. + + * kdc/krb5tgs.c: Only check service key for cross realm PACs. + + * lib/krb5/init_creds.c: use the new merged flags field. + (krb5_get_init_creds_opt_set_win2k): new function, turn on all w2k + compat flags. + + * lib/krb5/init_creds_pw.c: use the new merged flags field. 
+ + * lib/krb5/krb5_locl.h: merge all flags into one entity + +2007-02-11 Dave Love <fx@gnu.org> + + * lib/krb5/krb5_aname_to_localname.3: Small fixes + + * lib/krb5/krb5_digest.3: Small fixes + + * kuser/kimpersonate.1: Small fixes + +2007-02-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c (find_pa_data): if there is no list, + there is no entry. + + * kdc/krb5tgs.c: Don't check PACs on cross realm requests. + + * lib/krb5/krb5.h: add KRB5_KU_CANONICALIZED_NAMES. + + * lib/krb5/init_creds_pw.c: Verify client referral data. + + * kdc/kerberos5.c: switch some "return ret" to "goto out". + + * kdc/kerberos5.c: Pass down canonicalize request to hdb layer, + sign client referrals. + + * lib/hdb/hdb.h: Add HDB_F_CANON. + + * lib/hdb: add simple alias support to the database backends + +2007-02-16 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: Add canonicalize flag. + + * lib/krb5/init_creds_pw.c: Use EXTRACT_TICKET_* flags, support + canonicalize. + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_canonicalize): + new function. + + * lib/krb5/get_cred.c: Use EXTRACT_TICKET_* flags. + + * lib/krb5/get_in_tkt.c: Use EXTRACT_TICKET_* flags. + + * lib/krb5/krb5_locl.h: Add EXTRACT_TICKET_* flags. + +2007-02-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_princ.c: test parsing enterprise-names. + + * lib/krb5/principal.c: Add support for parsing enterprise-names. + + * lib/krb5/krb5.h: Add KRB5_PRINCIPAL_PARSE_ENTERPRISE. + + * lib/hdb/hdb-ldap.c: Make work again. + +2007-02-11 Dave Love <fx@gnu.org> + + * kcm/client.c (kcm_ccache_new_client): Cast snprintf'ed value. + +2007-02-10 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: prune trailing space + + * lib/hdb/db.c: Be better at setting and clearing error string. + + * lib/hdb/hdb.c: Be better at setting and clearing error string. 
+ +2007-02-09 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/keytab.c (krb5_kt_get_entry): Use krb5_kt_get_full_name + to print out the keytab name. + + * doc/setup.texi: Spelling, from Guido Guenther + +2007-02-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/rd_cred.c: Plug memory leak, from Michael B Allen. + +2007-02-06 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_store.c (test_uint16): unsigned ints can't be + negative + +2007-02-03 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: pass extra flags for detached signatures. + + * lib/krb5/pkinit.c: pass extra flags for detached signatures. + + * kdc/digest.c: Remove debug output. + + * kuser/kdigest.c: Add support for ms-chap-v2 client. + +2007-02-02 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/digest.c: Fix ms-chap-v2 get_masterkey + + * kdc/digest.c: Fix ms-chap-v2 mutual response auth code. + + * kuser/kdigest.c: Print session key if there is one. + + * lib/krb5/digest.c: rename hash-a1 to session key + + * kdc/digest.c: Add get_master from RFC 3079 3.4 for MS-CHAP-V2 + + * kuser/kdigest.c: print rsp if there is one, from Klas. + + * kdc/digest.c: Use right size, from Klas Lindfors. + + * kuser/kdigest.c: Set client nonce if avaible, from Klas. + + * kdc/digest.c: First version from kllin. + + * kuser/kdigest.c: Don't restrict the type. + +2007-02-01 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kdigest-commands.in: add --client-response + + * kuser/kdigest.c: Print status instead of response. + + * kdc/digest.c: Better logging and return status = FALSE when + checksum doesn't match. + + * kdc/digest.c: Check the digest response in the KDC. + + * lib/krb5/digest.c: New functions to send in requestResponse to + KDC and get status of the request. + + * kdc/digest.c: Add support for MS-CHAP v2. + + * lib/hdb/hdb-ldap.c: Set hdb->hdb_db for ldap. 
+ +2007-01-31 Love Hörnquist Åstrand <lha@it.su.se> + + * fix-export: Make hx509.info too + + * kdc/digest.c: don't verify identifier in CHAP, its the client + that chooses it. + +2007-01-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: Basic test of prf. + + * lib/krb5/test_prf.c: Basic test of prf. + + * lib/krb5/mit_glue.c: Add MIT glue for Kerberos RFC 3961 PRF + functions. + + * lib/krb5/crypto.c: Add Kerberos RFC 3961 PRF functions. + + * lib/krb5/krb5_data.3: Document krb5_data_cmp. + + * lib/krb5/data.c: Add krb5_data_cmp. + +2007-01-20 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kx509.c: Don't use C99 syntax. + +2007-01-17 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: its LIBADD_roken (and shouldn't really exist, our + libtool usage it broken) + + * configure.in: Add an extra variable for roken, LIBADD, that + should be used for library depencies. + + * lib/krb5/send_to_kdc.c (krb5_sendto): zero out receive buffer. + + * lib/krb5/krb5_init_context.3: fix mdoc errors + + * Heimdal 0.8 branch cut today + + * doc/hx509.texi: Spelling and more about proxy certificates. + + * configure.in: check for arc4random + +2007-01-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/send_to_kdc.c (krb5_sendto): zero receive krb5_data + before starting + + * tools/heimdal-build.sh: make cvs keep quiet + + * kuser/kverify.c: Use argument as principal if passed an + argument. Bug report from Douglas E. Engert + +2007-01-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/rd_req.c (krb5_rd_req_ctx): The code failed to consider + the enc_tkt_in_skey case, from Douglas E. Engert. + + * kdc/kx509.c: Issue certificates. + + * kdc/config.c: Parse kx509/kca configuration. + + * kdc/kdc.h: add kx509 config + +2007-01-14 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (_kdc_find_padata): if there is not padata, + there is nothing find. + + * doc/hx509.texi: Examples for pk-init. 
+ + * doc/hx509.texi: About extending ca lifetime and sub cas. + +2007-01-13 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/hx509.texi: More about certificates. + +2007-01-12 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/hx509.texi: add Application requirements and write about + xmpp/jabber. + +2007-01-11 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/hx509.texi: More about issuing certificates. + + * doc/hx509.texi: Start of a x.509 manual. + + * include/Makefile.am: remove install headerfiles + + * lib/krb5/test_pac.c: Use more interesting data to cause more + errors. + + * include/Makefile.am: remove install headerfiles + + * lib/krb5/mcache.c: MCC_CURSOR not used, remove. + + * lib/krb5/crypto.c: macro kcrypto_oid_enc now longer used + + * lib/krb5/rd_safe.c (krb5_rd_safe): set length before trying to + allocate data + +2007-01-10 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: Hint about hxtool validate. + + * appl/test/uu_server.c: print both "server" and "client" + + * kdc/krb5tgs.c: Rename keys to be more obvious what they do. + + * kdc/kerberos5.c: Use other keys to sign PAC with. From Andrew + Bartlett + + * kdc/windc.c: ident, spelling. + + * kdc/windc_plugin.h: indent. + + * kdc/krb5tgs.c: Pass down server entry to verify_pac function. + from Andrew Bartlett + + * kdc/windc.c: pass down server entry to verify_pac function, from + Andrew Bartlett + + * kdc/windc_plugin.h: pass down server entry to verify_pac + function, from Andrew Bartlett + + * configure.in: Provide a automake symbol ENABLE_SHARED if shared + libraries are built. + + * lib/krb5/rd_req.c (krb5_rd_req_ctx): Use the correct keyblock + when verifying the PAC. From Andrew Bartlett. + +2007-01-09 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_pac.c: move around to code test on real PAC. + + * lib/krb5/pac.c: A tiny 2 char diffrence that make the code work + for real. 
+ + * lib/krb5/test_pac.c: Test more PAC (note that the values used in + this test is wrong, they have to be fixed when the pac code is + fixed). + + * doc/setup.texi: Update to new hxtool issue-certificate usage + + * lib/krb5/init_creds_pw.c: Make sure we don't sent both ENC-TS + and PK-INIT pa data, no need to expose our password protecting our + PKCS12 key. + + * kuser/klist.c (print_cred_verbose): include ticket length in the + verbose output + +2007-01-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/acache.c (loadlib): pass RTLD_LAZY to dlopen, without + it linux is unhappy. + + * lib/krb5/plugin.c (loadlib): pass RTLD_LAZY to dlopen, without + it linux is unhappy. + + * lib/krb5/name-45-test.c: One of the hosts I sometimes uses is + named "bar.domain", this make one of the tests pass when it + shouldn't. + +2007-01-05 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: Change --key argument to --out-key. + + * kuser/kimpersonate.1: mangle my name + +2007-01-04 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: describe how to use hx509 to create + certificates. + + * tools/heimdal-build.sh: Add --distcheck. + + * kdc/kerberos5.c: Check for KRB5_PADATA_PA_PAC_REQUEST to check + if we should include the PAC in the krbtgt. + + * kdc/pkinit.c (_kdc_as_rep): check if + krb5_generate_random_keyblock failes. + + * kdc/kerberos5.c (_kdc_as_rep): check if + krb5_generate_random_keyblock failes. + + * kdc/krb5tgs.c (tgs_build_reply): check if + krb5_generate_random_keyblock failes. + + * kdc/krb5tgs.c: Scope etype. + + * lib/krb5/rd_req.c: Make it possible to turn off PAC check, its + default on. + + * lib/krb5/rd_req.c (krb5_rd_req_ctx): If there is a PAC, verify + its server signature. + + * kdc/kerberos5.c (_kdc_as_rep): call windc client access hook. + (_kdc_tkt_add_if_relevant_ad): constify in data argument. + + * kdc/windc_plugin.h: More comments add a client_access hook. + + * kdc/windc.c: Add _kdc_windc_client_access. 
+ + * kdc/krb5tgs.c: rename functions after export some more pac + functions. + + * lib/krb5/test_pac.c: export some more pac functions. + + * lib/krb5/pac.c: export some more pac functions. + + * kdc/krb5tgs.c: Resign the PAC in tgsreq if we have a PAC. + + * configure.in: add tests/plugin/Makefile + +2007-01-03 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/krb5tgs.c: Get right key for PAC krbtgt verification. + + * kdc/config.c: spelling + + * lib/krb5/krb5.h: typedef for krb5_pac. + + * kdc/headers.h: Include <windc_plugin.h>. + + * kdc/Makefile.am: Include windc.c and use windc_plugin.h + + * kdc/krb5tgs.c: Call callbacks for emulating a Windows Domain + Controller. + + * kdc/kerberos5.c: Call callbacks for emulating a Windows Domain + Controller. Move the some of the log related stuff to its own + function. + + * kdc/config.c: Init callbacks for emulating a Windows Domain + Controller. + + * kdc/windc.c: Rename the init function to windc instead of pac. + + * kdc/windc.c: Callbacks specific to emulating a Windows Domain + Controller. + + * kdc/windc_plugin.h: Callbacks specific to emulating a Windows + Domain Controller. + + * lib/krb5/Makefile.am: add krb5_HEADERS to build_HEADERZ + + * lib/krb5/pac.c: Support all keyed checksum types. + +2007-01-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pac.c (krb5_pac_get_types): Return list of types. + + * lib/krb5/test_pac.c: test krb5_pac_get_types + + * lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA. + + * lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA. + + * lib/krb5/krb5.h: Add KRB5_KRBHST_KCA. + + * lib/krb5/test_pac.c: test Add/remove pac buffer functions. + + * lib/krb5/pac.c: Add/remove pac buffer functions. + + * lib/krb5/pac.c: sprinkle const + + * lib/krb5/pac.c: rename DCHECK to CHECK + + * Happy New Year. |
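Review bot: The 2007-06-21 entry "kdc/krb5tgs.c: Don't check PAC on cross realm for now." and the 2007-02-17 entry "kdc/krb5tgs.c: Don't check PACs on cross realm requests." record PAC verification being skipped for cross-realm TGS requests, and none of the entries shown here say it was restored, so this imported log cannot be taken as a description of what the vendored KDC does today. If the commit message does not already name the upstream Heimdal revision being imported, please add it so the behaviour can be checked against kdc/krb5tgs.c in the tree rather than inferred from a log whose own header says it is no longer maintained. Separately, the entries are not in date order (2007-05-10 sits between 2007-05-16 and 2007-05-13, and 2007-02-11 entries appear both above 2007-02-17 and between 2007-02-15 and 2007-02-10) and some are repeated verbatim ("lib/hdb/test_dbinfo.c: test acl file", "lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA."). Since this lands under third_party, keep the text identical to upstream rather than tidying it locally, so later re-imports diff cleanly.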