1493 files changed, 253906 insertions, 49127 deletions
diff --git a/crypto/heimdal/ChangeLog b/crypto/heimdal/ChangeLog
index 159cf48a4156..e167b09a8957 100644
--- a/crypto/heimdal/ChangeLog
+++ b/crypto/heimdal/ChangeLog
@@ -1,897 +1,1356 @@ -2004-09-13 Johan Danielsson <joda@pdc.kth.se> +2008-01-24 Love Hörnquist Åstrand <lha@it.su.se> - * Release 0.6.3 - -2004-09-05 Love Hörnquist Åstrand <lha@it.su.se> + * Release 1.1 + +2008-01-21 Love Hörnquist Åstrand <lha@it.su.se> - * lib/asn1/der_get.c (decode_enumerated): check that the tag - length isn't longer the the length + * lib/krb5/get_for_creds.c: Use on variable less. -2004-08-31 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/get_for_creds.c: Try to handle ticket full and + ticketless tickets better. Add doxygen comments while here. - * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): - kdc_reply can be set in case of failure too, clean on entry and - free the exit unconditionally to avoid memory leak + * lib/krb5/test_forward.c: Used for testing + krb5_get_forwarded_creds(). -2004-08-20 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/Makefile.am: noinst_PROGRAMS += test_forward - * lib/krb5/context.c: 1.93: (krb5_get_err_text): if neither of - com_right nor strerror finds the error-code, return Unknown error. + * lib/krb5/Makefile.am: drop CHECK_SYMBOLS -2004-08-13 Love Hörnquist Åstrand <lha@it.su.se> + * lib/hdb/Makefile.am: drop CHECK_SYMBOLS - * kdc/kerberos5.c: based on 1.162: (get_pa_etype_info): check for - dup enctypes from the client and filter them out. - -2004-06-21 Love Hörnquist Åstrand <lha@it.su.se> + * kdc/Makefile.am: drop CHECK_SYMBOLS - * admin/get.c: 1.23: (kt_get): catch errors from krb5_parse_name - -2004-06-21 Love Hörnquist Åstrand <lha@it.su.se> +2008-01-18 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/Makefile.am: man_MANS += krb5_set_password.3 + * lib/krb5/version-script.map: Add krb5_digest_probe. 
- * lib/krb5/krb5_set_password.3: 1.1-1.3: change password manpage +2008-01-13 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/changepw.c: 1.49: implement - krb5_set_password_using_ccache 1.47: add tcp support to the set - protocol, should be cleaned up to enable sharing code with - krb5_sendto 1.46: (process_reply): log into result_string if - something goes bad, return 0 (even on failure), not the KPASSWD - protocol error code 1.45: krb5_princ_realm -> - krb5_principal_get_realm 1.44: (setpw_send_request): free - ap_req_data on failure 1.41: ooops, remove cut and paste error - 1.40: draft-ietf-cat-kerb-chg-password-02 and rfc3244 share the - response packet sure more constants now that they exists 1.39: - implement rfc3244, partly from shadow@dementia.org + * lib/krb5/pkinit.c: Replace hx509_name_to_der_name with + hx509_name_binary. + +2008-01-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: add missing files + +2007-12-28 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/digest.c: Log probe message, add NTLM_TARGET_DOMAIN to the + type2 message. + +2007-12-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/dbinfo.c: Add hdb_default_db(). + + * Makefile.am: Add some extra cf/*. + +2007-12-12 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/krb5.h: 1.211: some defines for rfc3244 + * kuser/kgetcred.c: Fix type of name-type. From Andy Polyakov. + +2007-12-09 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/log.c: Use hdb_db_dir(). + + * kpasswd/kpasswdd.c: Use hdb_db_dir(). + +2007-12-08 Love Hörnquist Åstrand <lha@it.su.se> - * lib/asn1/Makefile.am: 1.71: (gen_files): - asn1_ChangePasswdDataMS.x for RFC3244 + * kdc/config.c: Use hdb_db_dir(). + + * kdc/kdc_locl.h: add KDC_LOG_FILE + + * kdc/hpropd.c: Use hdb_default_db(). + + * kdc/kstash.c: Use hdb_db_dir(). + + * kdc/pkinit.c: Adapt to hx509 changes, use hdb_db_dir(). + + * lib/krb5/rd_req.c: Document krb5_rd_req_in_set_pac_check. + + * lib/krb5/verify_krb5_conf.c: Check check_pac. 
+ + * lib/krb5/rd_req.c: use KRB5_CTX_F_CHECK_PAC to init check_pac + field in the krb5_rd_req_in_ctx + + * lib/krb5/expand_hostname.c: Adapt to changing + dns_canonicalize_hostname into flags field. + + * lib/krb5/context.c: Adapt to changing dns_canonicalize_hostname + into flags field, add check-pac as an libdefaults option. + + * lib/krb5/pkinit.c: Adapt to changes in hx509 interface. + + * doc: add doxygen documentation to hcrypto + + * doc/doxytmpl.dxy: generate links - * lib/asn1/k5.asn1: 1.30: add ChangePasswdDataMS, for RFC3244 +2007-12-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: build_HEADERZ += heim_threads.h + + * lib/hdb/dbinfo.c (hdb_db_dir): Return the directory where the + hdb database resides. + + * configure.in: Add --with-hdbdir to specify where the database is + stored. + + * lib/krb5/crypto.c: revert previous patch, the problem is located + in the RAND_file_name() function that will cause recursive nss + lookups, can't fix that here. + +2007-12-06 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/crypto.c (krb5_generate_random_block): try to avoid the + dead-lock in by not holding the lock while running + RAND_file_name. Prompted by Hai Zaar. + + * lib/krb5/n-fold.c: spelling - * kuser/kinit.c: 1.114: move "setpag if (argc < 1)" to common path +2007-12-04 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kdigest.c (digest-probe): implement command. + + * kuser/kdigest-commands.in (digest-probe): new command -2004-05-06 Johan Danielsson <joda@pdc.kth.se> + * kdc/digest.c: Implement supportedMechs request. - * Release 0.6.2 + * lib/krb5/error_string.c: Make krb5_get_error_string return an + allocated string to make the function indempotent. From + Zeqing (Fred) Xia. 
-2004-04-02 Love Hörnquist Åstrand <lha@it.su.se> +2007-12-03 Love Hörnquist Åstrand <lha@it.su.se> - * kdc/connect.c: case size_t to unsigned long for LP64 platforms - -2004-04-01 Johan Danielsson <joda@pdc.kth.se> + * lib/krb5/krb5_locl.h (krb5_context_data): Flag if + default_cc_name was set by the user. - * Release 0.6.1 + * lib/krb5/fcache.c (fcc_move): make sure ->version is uptodate. -2004-03-30 Love Hörnquist Åstrand <lha@it.su.se> + * kcm/acquire.c: use krb5_free_cred_contents - * kdc/kerberos4.c: 1.46: stop the client from renewing tickets - into the future 
From: Jeffrey Hutzelman <jhutz@cmu.edu> + * kuser/kimpersonate.c: use krb5_free_cred_contents -2004-03-10 Love Hörnquist Åstrand <lha@it.su.se> + * kuser/kinit.c: Use krb5_cc_move to make an atomic switch of the + cred cache. + + * lib/krb5/cache.c: Put back code that was needed, move gen_new + into new_unique. - * lib/krb5/fcache.c: 1.43: (fcc_store_cred): NULL terminate - krb5_config_get_bool_default' arglist + * lib/krb5/mcache.c (mcc_default_name): Remove const + + * lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME_KCM, redefine + KRB5_DEFAULT_CCNAME to KRB5_DEFAULT_CCTYPE + + * lib/krb5/cache.c: Use krb5_cc_ops->default_name to get the + default name. + + * lib/krb5/kcm.c: Implement krb5_cc_ops->default_name. + + * lib/krb5/mcache.c: Implement krb5_cc_ops->default_name. + + * lib/krb5/fcache.c: Implement krb5_cc_ops->default_name. + + * lib/krb5/krb5.h: Add krb5_cc_ops->default_name. + + * lib/krb5/acache.c: Free context when done, implement + krb5_cc_ops->default_name. + + * lib/krb5/kcm.c: implement dummy kcm_move + + * lib/krb5/mcache.c: Implement the move operation. + + * lib/krb5/version-script.map: export krb5_cc_move + + * lib/krb5/cache.c: New function krb5_cc_move(). + + * lib/krb5/fcache.c: Implement the move operation. + + * lib/krb5/krb5.h: Add move to the krb5_cc_ops, causes major + version bump. + + * lib/krb5/acache.c: Implement the move operation. Avoid using + cc_set_principal() since it broken on Mac OS X 10.5.0. -2004-03-09 Love Hörnquist Åstrand <lha@it.su.se> +2007-12-02 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/krb5.conf.5: 1.44: document - [libdefaults]fcc-mit-ticketflags=boolean 1.43: don't use path's in - first .Nm, it confuses some locate.updatedb, use FILES section to - describe where the file is instead. + * lib/krb5/krb5_ccapi.h: Drop variable names to avoid -Wshadow. 
- * lib/krb5/fcache.c (fcc_store_cred): default to use old format +2007-11-14 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/krb5tgs.c: Should pass different key usage constants + depending on whether or not optional sub-session key was passed by + the client for the check of authorization data. The constant is + used to derive "specific key" and its values are specified in + 7.5.1 of RFC4120. - * lib/krb5/fcache.c: 1.42: (fcc_store_cred): use - [libdefaults]fcc-mit-ticketflags=boolean to decide what format to - write the fcc in. Default to mit format (aka heimdal 0.7 format) - 1.41: (_krb5_xlock): handle that everything was ok, and don't put - an error in the error strings then + Patch from Andy Polyakov. + + * kdc/krb5tgs.c: Don't send auth data in referrals, microsoft + clients have started to not like that. Thanks to Andy Polyakov for + excellent research. + +2007-11-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/creds.c: use krb5_data_cmp + + * lib/krb5/acache.c: use krb5_free_cred_contents + + * lib/krb5/test_renew.c: use krb5_free_cred_contents - * lib/krb5/store.c: 1.43: add _krb5_store_creds_heimdal_0_7 and - _krb5_store_creds_heimdal_pre_0_7 that store the creds in just - that format make krb5_store_creds default to mit format 1.42: - (krb5_ret_creds): Runtime detect the what is the higher bits of - the bitfield 1.41: (krb5_store_creds): add disabled code that - store the ticket flags in reverse order (bitswap32): new function - 1.40: (krb5_ret_creds): if the higher ticket flags are set, its a - mit cache, reverse the bits, bug pointed out by Sergio Gelato - <Sergio.Gelato@astro.su.se> +2007-11-10 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/acl.c: doxygen documentation + + * lib/krb5/addr_families.c: doxygen documentation + + * doc: add doxygen + + * lib/krb5/plugin.c: doxygen documentation + + * lib/krb5/kcm.c: doxygen documentation + + * lib/krb5/fcache.c: doxygen documentation + + * lib/krb5/cache.c: doxygen documentations - delta 
modfied to not change the behavior of krb5_store_creds + * lib/krb5/doxygen.c: doxygen introduction + + * lib/krb5/error_string.c: Doxygen documentation. + +2007-11-03 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_plugin.c: expose krb5_plugin_register + + * lib/krb5/plugin.c: expose krb5_plugin_register + + * lib/krb5/version-script.map: sort, expose krb5_plugin_register + +2007-10-24 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: Adding same enctype is enough one time. From + Andy Polyakov and Bjorn Sandell. -2004-03-07 Love Hörnquist Åstrand <lha@it.su.se> +2007-10-18 Love <lha@stacken.kth.se> - * lib/krb5/mk_safe.c (krb5_mk_safe): fix assignment of usec2 + * lib/krb5/cache.c (krb5_cc_retrieve_cred): check return value + from krb5_cc_start_seq_get. From Zeqing (Fred) Xia -2004-03-06 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/fcache.c (init_fcc): provide better error codes - * lib/krb5/mcache.c: patch based on 1.17 and 1.18 but with - threading code pulled out; + * kdc/kerberos5.c (get_pa_etype_info2): more paranoia, avoid + sending warning about pruned etypes. + + * kdc/kerberos5.c (older_enctype): old windows enctypes (arcfour + based) "old", this to support windows 2000 clients (unjoined to a + domain). From Andy Polyakov. + +2007-10-07 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: Spelling, from Mark Peoples via Bjorn Sandell. - 1.18: (mcc_get_principal): also check for primary_principal == - NULL now that that isn't used as dead flag 1.17: don't overload - the primary_principal == NULL as dead since that doesn't always - work Based on patch from Jeffrey Hutzelman <jhutz@cmu.edu>, but - tweek by me +2007-10-04 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/krb5tgs.c: More prettier printing of enctype, from KAMADA + Ken'ichi. 
- * lib/krb5/crypto.c: 1.94: (decrypt_internal_special): do not not - modify the original data test case from Ronnie Sahlberg - <ronnie_sahlberg@ozemail.com.au> + * lib/krb5/crypto.c (krb5_enctype_to_string): make sure string is + NULL on failure. -2004-02-13 Love Hörnquist Åstrand <lha@it.su.se> +2007-10-03 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/verify_krb5_conf.c: 1.22->1.23: (check_host): don't - check for EAI_NODATA, because its depricated in RFC3493 Pointed - out by Hajimu UMEMOTO <ume@mahoroba.org> on heimdal-discuss + * kdc/kdc-replay.c: Catch KRB5_PROG_ATYPE_NOSUPP from + krb5_addr2sockaddr and igore thte test is that case. - * lib/krb5/eai_to_heim_errno.c: 1.3->1.4: EAI_ADDRFAMILY and - EAI_NODATA is deprecated in RFC3493 +2007-09-29 Love Hörnquist Åstrand <lha@it.su.se> -2004-02-09 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/context.c (krb5_free_context): free + default_cc_name_env, from Gunther Deschner. - * lib/asn1/der_length.c: 1.16: Fix len_unsigned for certain - negative integers, it got the length wrong, fix from Panasas, Inc. +2007-08-27 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/{krb5.h,pac.c,test_pac.c,send_to_kdc.c,rd_req.c}: Make + work with c++, reported by Hai Zaar + + * lib/krb5/{digest.c,krb5.h}: Make work with c++, reported by Hai Zaar + +2007-08-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/Makefile.am: EXTRA_DIST += hdb.schema + +2007-07-31 Love Hörnquist Åstrand <lha@it.su.se> + + * check return value of alloc functions, from Charles Longeau + + * lib/krb5/principal.c: spelling. + + * kadmin/kadmin.8: spelling + + * lib/krb5/crypto.c: Check return values from alloc + functions. Prompted by patch of Charles Longeau. + + * lib/krb5/n-fold.c: Make _krb5_n_fold return a error + code. Prompted by patch of Charles Longeau. 
+ +2007-07-27 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds.c: Always set the ticket options, use + KRB5_ADDRESSLESS_DEFAULT as the default value, this make the unset + tri-state not so useful. + +2007-07-24 Love Hörnquist Åstrand <lha@it.su.se> + + * tools/heimdal-gssapi.pc.in: Add LIB_pkinit to the list of + libraries. + + * tools/heimdal-gssapi.pc.in: pkg-config file for libgssapi in + heimdal. + + * tools/Makefile.am: Add heimdal-gssapi.pc and install it into + $(libdir)/pkgconfig + +2007-07-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: Add RFC3526 modp group14 as a default. + +2007-07-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/dbinfo.c (get_dbinfo): use dbname instead of realm as + key if the entry is a correct entry. + + * lib/krb5/get_cred.c: Make krb5_get_renewed_creds work, from + Gunther Deschner. + + * lib/krb5/Makefile.am: Add test_renew to noinst_PROGRAMS. + + * lib/krb5/test_renew.c: Test for krb5_get_renewed_creds. + +2007-07-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/keys.c: Make parse_key_set handle key set string "v5", + from Peter Meinecke. + + * kdc/kaserver.c: Don't ovewrite the error code, from Peter + Meinecke. + +2007-07-18 Love Hörnquist Åstrand <lha@it.su.se> + + * TODO-1.0: remove + + * Makefile.am: remove TODO-1.0 + +2007-07-17 Love Hörnquist Åstrand <lha@it.su.se> + + * Heimdal 1.0 release branch cut here + + * doc/hx509.texi: use version.texi - * lib/asn1/der_locl.h: 1.5: add _heim_len_unsigned, _heim_len_int + * doc/heimdal.texi: use version.texi -2004-01-26 Love Hörnquist Åstrand <lha@it.su.se> + * doc/version.texi: version.texi - * lib/asn1/gen_length.c: 1.14: (length_type): TSequenceOf: add up - the size of all the elements, don't use just the size of the last - element. + * lib/hdb/db3.c: avoid type-punned pointer warning. 
- * lib/krb5/fcache.c: 1.40: (_krb5_xlock): catch EINVAL and assume - that it means that the filesystem doesn't support locking 1.39: - (_krb5_xlock): fix compile error in last commit 1.38: internally - export x{,un}lock and thus prefix them with _krb5_ - -2004-01-13 Love Hörnquist Åstrand <lha@it.su.se> + * kdc/kx509.c: Use unsigned char * as argument to HMAC_Update to + please OpenSSL and gcc. - * kuser/kinit.c: 1.106: (renew_validate): if renewable_flag and - not time specifed, use "1 month" - 1.105: make -9 work again + * kdc/digest.c: Use unsigned char * as argument to MD5_Update to + please OpenSSL and gcc. -2004-01-09 Love Hörnquist Åstrand <lha@it.su.se> +2007-07-16 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/get_for_creds.c: 1.36: (add_addrs): don't increase - addr->len until in contains interesting data, use right iteration - counter when clearing the addresses 1.39: krb5_princ_realm -> - krb5_principal_get_realm 1.38: (krb5_get_forwarded_creds): use - KRB5_AUTH_CONTEXT_DO_TIME if we want timestamp in forwarded - krb-cred 1.39: (krb5_get_forwarded_creds): If tickets are - address-less, forward address-less tickets. 1.40: - (krb5_get_forwarded_creds): try to handle errors better for - previous commit 1.41: (add_addrs): don't add same address multiple - times - - * lib/krb5/get_cred.c: 1.96->1.97: rename get_krbtgt to - _krb5_get_krbtgt and export it + * include/Makefile.am: Add krb_err.h. -2003-12-14 Love Hörnquist Åstrand <lha@it.su.se> + * kdc/set_dbinfo.c: Print acl file too. - * kdc/kerberos5.c: part of 1.146->1.147: handle NULL client/server - names + * kdc/kerberos4.c: Error codes are just fine, remove XXX now. -2003-12-03 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/krb5-v4compat.h: Drop duplicate error codes. 
- * lib/krb5/crypto.c: 1.90->1.91: require cipher-text to be padded - to padsize 1.91->1.92: (decrypt_internal_derived): move up padsize - check to avoid memory leak - -2003-12-01 Love Hörnquist Åstrand <lha@it.su.se> + * kdc/kerberos4.c: switch to ET errors. - * kuser/kinit.c: 1.103->1.104: (main): return the return value - from simple_execvp + * lib/krb5/Makefile.am: Add krb_err.h to build_HEADERZ. -2003-10-22 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/v4_glue.c: If its a Kerberos 4 error-code, remove the + et BASE. - * lib/krb5/transited.c: 1.13->1.14: (krb5_domain_x500_encode): - always zero out encoding to make sure it have a defined value on - failure +2007-07-15 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/transited.c: 1.12->1.13: (krb5_domain_x500_encode): if - num_realms == 0, set encoding and return (avoids malloc(0)) check - return value from malloc - -2003-10-21 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/krb5-v4compat.h: Include "krb_err.h". + + * lib/krb5/v4_glue.c: return more interesting error codes. - * doc/setup.texi: 1.35->1.36: spelling + * lib/krb5/plugin.c: Prefix enum plugin_type. + + * lib/krb5/krb5_locl.h: Expose plugin structures. - * kdc/kdc_locl.h: 1.58->1.59: add flag to always check transited - policy + * lib/krb5/krb5.h: Add plugin structures. + + * lib/krb5/krb_err.et: V4 errors. - * doc/setup.texi: 1.27->1.35: many changes + * lib/krb5/version-script.map: First version of version script. + +2007-07-13 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: Java 1.6 expects the name to be the same type, + lets allow that for uncomplicated name-types. + +2007-07-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/v4_glue.c (_krb5_krb_rd_req): if ticket contains + address 0, its ticket less and don't really care about + from_addr. return better error codes. + + * kpasswd/kpasswdd.c: Fix pointer vs strict alias rules. 
+ +2007-07-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: When using sambaNTPassword, avoid adding + more then one enctype 23 to krb5EncryptionType. + + * lib/krb5/cache.c: Spelling. + + * kdc/kerberos5.c: Don't send newer enctypes in ETYPE-INFO. + (get_pa_etype_info2): return the enctypes as sorted in the + database + +2007-07-10 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: krb5-v4compat.h defines prototypes for + v4 (semiprivate functions) in libkrb5, don't include + krb5-private.h any longer. + + * lib/krb5/krbhst.c: Set error string when there is no KDC for a + realm. + + * lib/krb5/Makefile.am: New library version. + + * kdc/Makefile.am: New library version. + + * lib/krb5/krb5_locl.h: Add default_cc_name_env. + + * lib/krb5/cache.c (enviroment_changed): return non-zero if + enviroment that will determine default krb5cc name has changed. + (krb5_cc_default_name): also check if cached value is uptodate. + + * lib/krb5/krb5_locl.h: Drop pkinit_flags. + +2007-07-05 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: add tests/java/Makefile + + * lib/hdb/dbinfo.c: Add hdb_dbinfo_get_log_file. + +2007-07-04 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: Improve the default salt detection to avoid + returning v4 password salting to java that doesn't look at the + returning padata for salting. + + * kdc: Split out krb5_kdc_set_dbinfo, From Andrew Bartlett + +2007-07-02 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/digest.c: Try harder to provide better error message for + digest messages. + + * lib/krb5/Makefile.am: verify_krb5_conf_OBJECTS depends on + krb5-pr*.h, make -j finds this. - * lib/krb5/get_cred.c: 1.95->1.96: get capath info from [capaths] - section +2007-06-28 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/digest.c: On success, print username, not ip-adress. 
- * lib/krb5/rd_req.c: 1.50->1.51: (krb5_decrypt_ticket): try to - verify transited realms, unless the transited-policy-checked flag - is set +2007-06-26 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/transited.c: - 1.12: (krb5_domain_x500_decode): set *num_realms to zero not num_realms - 1.11: (krb5_domain_x500_decode): handle zero length tr data; - (krb5_check_transited): new function that does more useful stuff + * lib/krb5/get_cred.c: Add krb5_get_renewed_creds. - * kdc/kdc.8: 1.23->1.24: document enforce-transited-policy + * lib/krb5/krb5_get_credentials.3: add krb5_get_renewed_creds + + * lib/krb5/pkinit.c: Use hx509_cms_unwrap_ContentInfo. - * kdc/config.c: 1.47->1.48: add flag to always check transited - policy +2007-06-25 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: Add example for pkinit_win2k_require_binding + in [kdc] section. + + * kdc/default_config.c: Rename require_binding to + win2k_require_binding to match client configuration. + + * kdc/default_config.c: Add [kdc]pkinit_require_binding option. + + * kdc/pkinit.c (pk_mk_pa_reply_enckey): only allow non-bound reply + if its not required. + + * kdc/default_config.c: rename pkinit_princ_in_cert and add + pkinit_require_binding + + * kdc/kdc.h: rename pkinit_princ_in_cert and add + pkinit_require_binding + + * kdc/pkinit.c: rename pkinit_princ_in_cert + +2007-06-24 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: Adapt to hx509_verify_hostname change. + +2007-06-21 Love Hörnquist Åstrand <lha@it.su.se> - * kdc/kerberos5.c: - 1.150: (fix_transited_encoding): also verify with policy, - unless asked not to - 1.151: always check transited policy if flag set either globally - (on principal part of patch not pulled up) - 1.152: (fix_transited_encoding): set transited type - 1.153: (fix_transited_encoding): always print cross-realm information + * kdc/krb5tgs.c: Drop unused variable. 
-2003-10-06 Love Hörnquist Åstrand <lha@it.su.se> + * kdc/krb5tgs.c: disable anonyous tgs requests - * lib/krb5/config_file.c: 1.48->1.49: - (krb5_config_parse_file_debug): punt if there is binding before a - section declaration. - Bug found by Arkadiusz Miskiewicz <arekm@pld-linux.org> + * kdc/krb5tgs.c: Don't check PAC on cross realm for now. - * kdc/kaserver.c: 1.21->1.23: - (do_getticket): if times data is shorter then 8 bytes, request is - malformed. - (do_authenticate): if request length is less then 8 bytes, its a - bad request and fail. Pointed out by Marco Foglia <marco@foglia.org> + * kuser/kgetcred.c: Set KRB5_GC_CONSTRAINED_DELEGATION and parse + nametypes. -2003-09-22 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/krb5_principal.3: Document krb5_parse_nametype. - * lib/krb5/verify_krb5_conf.c: 1.17->1.18: add missing " within - #if 0 
From: stefan sokoll <stefansokoll@yahoo.de> + * lib/krb5/principal.c (krb5_parse_nametype): parse nametype and + return their integer values. + + * lib/krb5/krb5.h (krb5_get_creds): Add + KRB5_GC_CONSTRAINED_DELEGATION. + + * lib/krb5/get_cred.c (krb5_get_creds): if + KRB5_GC_CONSTRAINED_DELEGATION is set, set both request_anonymous + and constrained_delegation. + +2007-06-20 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/digest.c: Return an error message instead of dropping the + packet for more failure cases. + + * lib/krb5/krb5_principal.3: Add KRB5_PRINCIPAL_UNPARSE_DISPLAY. + + * appl/gssmask/gssmask.c (AcquirePKInitCreds): fail more + gracefully -2003-09-19 Love Hörnquist Åstrand <lha@it.su.se> +2007-06-18 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/rd_req.c: - 1.47->1.48: (krb5_rd_req): allow caller to pass in a key - in the auth_context, they way processes that doesn't use the - keytab can still pass in the key of the service (matches behavior - of MIT Kerberos). + * lib/krb5/pac.c: make compile. -2003-09-18 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/pac.c (verify_checksum): memset cksum to avoid using + pointer from stack. + + * lib/krb5/plugin.c: Don't expose free pointer. + + * lib/krb5/pkinit.c (_krb5_pk_load_id): fail directoy for first + calloc. - * lib/krb5/crypto.c: - 1.87->1.88: (usage2arcfour): simplify, only - include special cases From: Luke Howard <lukeh@PADL.COM> - 1.86->1.87: (arcfour_checksum_p): return true when is arcfour, - not when its not pointed out by Luke Howard - 1.82->1.83: Do the arcfour checksum mapping for - krb5_create_checksum and krb5_verify_checksum, 
From: Luke Howard - <lukeh@PADL.COM> - 1.81->1.82: (hmac): make it return an error - when out of memory, update callsites to either return error or use - krb5_abortx - (krb5_hmac): expose hmac - * lib/krb5/mk_req_ext.c: 1.26->1.27: (krb5_mk_req_internal): - when using arcfour-hmac-md5, use an unkeyed checksum - (rsa-md5), since Microsoft calculates the keyed checksum with - the subkey of the authenticator. + * lib/krb5/pkinit.c (get_reply_key*): don't expose freed memory + + * lib/krb5/krbhst.c: Host is static memory, don't free. + + * lib/krb5/crypto.c (decrypt_internal_derived): make sure length + is longer then confounder + checksum. - * lib/krb5/get_cred.c: - 1.93->1.94 (init_tgs_req): make generation of subkey - optional on configuration parameter - [realms]realm={tgs_require_subkey=bool} - defaults to off. The RFC1510 weakly defines the correct behavior, - so old DCE secd apparently required the subkey to be there, and MS - will use it when its there. But the request isn't encrypted in the - subkey, so you get to choose if you want to talk to a MS mdc or a - old DCE secd. + * kdc: export get_dbinfo as krb5_kdc_set_dbinfo and call from + users. This to allows libkdc users to to specify their own + databases - partly 1.91->1.92: (init_tgs_req): in case of error, don't - free in the req_body addresses since they where pass in by caller + * lib/krb5/pkinit.c (pk_rd_pa_reply_enckey): simplify handling of + content data (and avoid leaking memory). - lib/krb5/get_in_tkt.c: - 1.108->1.1.09: (krb5_get_in_tkt): for compatibility with with - the mit implemtation, don't free `creds' argument when done, its up - the the caller to do that, also allow a NULL ccache. + * kdc/misc.c (_kdc_db_fetch): set error string for failures. + +2007-06-15 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: Use KRB5_AUTHDATA_INITIAL_VERIFIED_CAS. 
- * doc/ack.texi - 1.16->1.17: update Luke Howard email address +2007-06-13 Love Hörnquist Åstrand <lha@it.su.se> - * lib/hdb/hdb-ldap.c: - 1.13->1.14: code rewrite from Luke Howard <lukeh@PADL.COM> - 1.12->1.13: (LDAP_store): log what principal/dn failed - 1.11->1.12: use int2HDBFlags/HDBFlags2int - 
From: Alberto Patino <jalbertop@aranea.com.mx>, - Luke Howard <lukeh@PADL.COM> - Pointed out by Andrew Bartlett of Samba - 1.10->1.11: (LDAP__connect): bind sasl "EXTERNAL" to ldap connection - (LDAP_store): remove superfluous argument to asprintf - From Alberto Patino <jalbertop@aranea.com.mx> + * kdc/pkinit.c: tell user when they got a pk-init request with + pkinit disabled. - * lib/krb5/krb5.h: - 1.214->1.2015: add KEYTYPE_ARCFOUR_56 +2007-06-12 Love Hörnquist Åstrand <lha@it.su.se> -2003-09-12 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/principal.c: Rename UNPARSE_NO_QUOTE to + UNPARSE_DISPLAY. + + * lib/krb5/krb5.h: Rename UNPARSE_NO_QUOTE to UNPARSE_DISPLAY. + + * lib/krb5/principal.c: Make no-quote mean replace strange chars + with space. + + * lib/krb5/principal.c: Support KRB5_PRINCIPAL_UNPARSE_NO_QUOTE. - * lib/krb5/config_file.c: fix prototypes Fredrik Ljungberg - <flag@pobox.se> + * lib/krb5/krb5.h: Add KRB5_PRINCIPAL_UNPARSE_NO_QUOTE. + + * lib/krb5/test_princ.c: Test quoteing. + + * lib/krb5/pkinit.c: update (c) -2003-09-11 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/get_cred.c: use krb5_sendto_context to talk to the KDC. + + * lib/krb5/send_to_kdc.c (_krb5_kdc_retry): check if the whole + process needs to restart or just skip this KDC. + + * lib/krb5/init_creds_pw.c: Use krb5_sendto_context to talk to + KDC. + + * lib/krb5/krb5.h: Add sendto hooks and opaque structure. - * lib/hdb/hdb_locl.h: 1.18->1.19: include <limits.h> for ULONG_MAX - noted by Wissler Magnus <M.Wissler@abalon.se> on heimdal-discuss + * lib/krb5/krb5_rd_error.3: Update prototype. + + * lib/krb5/send_to_kdc.c: Add hooks for processing the reply from + the server. -2003-08-29 Love Hörnquist Åstrand <lha@it.su.se> +2007-06-11 Love Hörnquist Åstrand <lha@it.su.se> - * lib/hdb/db3.c: 1.8->1.9: patch for working with DB4 on - heimdal-discuss 
From: Luke Howard <lukeh@PADL.COM> 1.9->1.10: try - to include more db headers + * lib/krb5/krb5_err.et: Some new error codes from RFC 4120. -2003-08-25 Love Hörnquist Åstrand <lha@it.su.se> +2007-06-09 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/krb5tgs.c: Constify. + + * kdc/kerberos5.c: Constify. + + * kdc/pkinit.c: Check for KRB5-PADATA-PK-AS-09-BINDING. Constify. + +2007-06-08 Love Hörnquist Åstrand <lha@it.su.se> - * kdc/connect.c: 1.92->1.93 (handle_tcp): handle recvfrom - returning 0 (connection closed) 1.91->1.92: (grow_descr): - increment the size after we succeed to allocate the space + * include/Makefile.am: Make krb5-types.h nodist_include_HEADERS. + + * kdc/Makefile.am: EXTRA_DIST += version-script.map. + +2007-06-07 Love Hörnquist Åstrand <lha@it.su.se> -2003-08-15 Love Hörnquist Åstrand <lha@it.su.se> + * Makefile.am (print-distdir): print name of dist + + * kdc/pkinit.c: Break out loading of mappings file to a separate + function and remove warning that it can't open the mapping file, + there are now mappings in the db, maybe the users uses that + instead... + + * lib/krb5/crypto.c: Require the raw key have the correct size and + do away with the minsize. Minsize was a thing that originated + from RC2, but since RC2 is done in the x509/cms subsystem now + there is no need to keep that around. + + * lib/hdb/dbinfo.c: If there is no default dbname, also check for + unset mkey_file and set it default mkey name, make backward compat + stuff work. - * lib/krb5/principal.c: 1.83->1.85: (unparse_name): len can't be - zero, so, don't check for that - (unparse_name): make sure there are space for a NUL, set *name to NULL - when there is a failure (so caller can't get hold of a freed - pointer) + * kdc/version-script.map: add new symbols -2003-05-08 Johan Danielsson <joda@ratatosk.pdc.kth.se> + * kdc/kdc-replay.c: Also update krb5_context view of what the time + is. 
- * Release 0.6 + * configure.in: add tests/can/Makefile -2003-05-08 Love Hörnquist Åstrand <lha@it.su.se> + * kdc/kdc-replay.c: Add --[version|help]. - * kuser/klist.c: 1.68->1.69: print tokens even if there isn't v4 - support + * kdc/pkinit.c: Push down the kdc time into the x509 library. - * kuser/kdestroy.c: 1.14->1.15: destroy tokens even if there isn't - v4 support + * kdc/connect.c: Move up krb5_kdc_save_request so we can catch the + reply data too. - * kuser/kinit.c: 1.90->1.91: print tokens even if there isn't v4 - support + * kdc/kdc-replay.c: verify reply by checking asn1 class, type and + tag of the reply if there is one. -2003-05-06 Johan Danielsson <joda@pdc.kth.se> + * kdc/process.c: Save asn1 class, type and tag of the reply if + there is one. Used to verify the reply in kdc-replay. - * lib/krb5/name-45-test.c: need to use empty krb5.conf for some - tests +2007-06-06 Love Hörnquist Åstrand <lha@it.su.se> - * lib/asn1/check-gen.c: there is no \e escape sequence; replace - everything with hex-codes, and cast to unsigned char* to make some - compilers happy + * kdc/kdc_locl.h: extern for request_log. -2003-05-06 Love Hörnquist Åstrand <lha@it.su.se> + * kdc/Makefile.am: Add kdc-replay. - * lib/krb5/get_in_tkt.c (make_pa_enc_timestamp): make sure first - argument to krb5_us_timeofday have correct type + * kdc/kdc-replay.c: Replay kdc messages to the KDC library. + + * kdc/config.c: Pick up request_log from [kdc]kdc-request-log. + + * kdc/connect.c: Option to save the request to disk. + + * kdc/process.c (krb5_kdc_save_request): save request to file. + + * kdc/process.c (krb5_kdc_process*): dont update _kdc_time + automagicly. + (krb5_kdc_update_time): set or get current kdc-time. + + * kdc/pkinit.c (_kdc_pk_rd_padata): accept both pkcs-7 and + pkauthdata as the signeddata oid -2003-05-05 Assar Westerlund <assar@kth.se> + * kdc/pkinit.c (_kdc_pk_rd_padata): Try to log what went wrong. 
- * include/make_crypto.c (main): include aes.h if ENABLE_AES +2007-06-05 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: Use oid_id_pkcs7_data for pkinit-9 encKey reply to + match windows DC behavior better. + +2007-06-04 Love Hörnquist Åstrand <lha@it.su.se> -2003-05-05 Love Hörnquist Åstrand <lha@it.su.se> + * configure.in: use test for -framework Security - * NEWS: 1.108->1.110: fix text about gssapi compat + * appl/test/uu_server.c: Print status to stdout. + + * kdc/digest.c (digest ntlm): provide log entires by setting ret + to an error. -2003-04-28 Love Hörnquist Åstrand <lha@it.su.se> +2007-06-03 Love Hörnquist Åstrand <lha@it.su.se> - * kdc/v4_dump.c: 1.4->1.5: (v4_prop_dump): limit strings length, - from openbsd + * doc/hx509.texi: Indent crl-sign. -2003-04-24 Love Hörnquist Åstrand <lha@it.su.se> + * doc/hx509.texi: One more crl-sign example. - * doc/programming.texi: 1.2-1.3: s/managment/management/, from jmc - <jmc@prioris.mini.pw.edu.pl> + * lib/krb5/test_princ.c: plug memory leaks. -2003-04-22 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/pac.c: plug memory leaks. - * lib/krb5/krbhst.c: 1.43->1.44: copy NUL too, from janj@wenf.org - via openbsd + * lib/krb5/test_pac.c: plug memory leaks. -2003-04-17 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/test_prf.c: plug memory leak. - * lib/asn1/der_copy.c (copy_general_string): use strdup - * lib/asn1/der_put.c: remove sprintf - * lib/asn1/gen.c: remove strcpy/sprintf - - * lib/krb5/name-45-test.c: use a more unique name then ratatosk so - that other (me) have such hosts in the local domain and the tests - fails, to take hokkigai.pdc.kth.se instead - - * lib/krb5/test_alname.c: add --version and --help + * lib/krb5/test_cc.c: plug memory leaks. + + * doc/hx509.texi: Simple blob about publishing CRLs. + + * doc/win2k.texi: drop text about enctypes. 
-2003-04-16 Love Hörnquist Åstrand <lha@it.su.se> +2007-06-02 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/krb5_warn.3: add krb5_get_err_text + * kdc/pkinit.c: In case of OCSP verification failure, referash + every 5 min. In case of success, refreash 2 min before expiring or + faster. - * lib/krb5/transited.c: use strlcat/strlcpy, from openbsd - * lib/krb5/krbhst.c (srv_find_realm): use strlcpy, from openbsd - * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use - strlcpy, from openbsd - * kdc/hpropd.c: s/strcat/strlcat/, inspired from openbsd - * appl/kf/kfd.c: use strlcpy, from openbsd +2007-05-31 Love Hörnquist Åstrand <lha@it.su.se> -2003-04-16 Johan Danielsson <joda@pdc.kth.se> + * lib/krb5/krb5_err.et: add error 68, WRONG_REALM + + * kdc/pkinit.c: Handle the ms san in a propper way, still cheat + with the realm name. + + * kdc/kerberos5.c: If _kdc_pk_check_client failes, bail out + directly and hand the error back to the client. - * configure.in: fix for large file support in AIX, _LARGE_FILES - needs to be defined on the command line, since lex likes to - include stdio.h before we get to config.h + * lib/krb5/krb5_err.et: Add missing REVOCATION_STATUS_UNAVAILABLE + and fix error message for CLIENT_NAME_MISMATCH. -2003-04-16 Love Hörnquist Åstrand <lha@it.su.se> + * kdc/pkinit.c: More logging for pk-init client mismatch. + + * kdc/kerberos5.c: Also add a KRB5_PADATA_PK_AS_REQ_WIN for + windows pk-init (-9) to make MIT clients happy. - * lib/krb5/*.3: Change .Fd #include <header.h> to .In header.h, - from Thomas Klausner <wiz@netbsd.org> +2007-05-30 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/krb5.conf.5: spelling, from Thomas Klausner - <wiz@netbsd.org> + * kdc/pkinit.c: Force des3 for win2k. + + * kdc/pkinit.c: Add wrapping to ContentInfo wrapping to + COMPAT_WIN2K. -2003-04-15 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/keytab_keyfile.c: Spelling. 
- * kdc/kerberos5.c: fix some more memory leaks + * kdc/pkinit.c: Allow matching by MS UPN SAN, note that this delta + doesn't deal with case of realm. -2003-04-11 Love Hörnquist Åstrand <lha@it.su.se> +2007-05-16 Love Hörnquist Åstrand <lha@it.su.se> - * appl/kf/kf.1: spelling, from jmc <jmc@prioris.mini.pw.edu.pl> + * lib/krb5/crypto.c (krb5_crypto_overhead): return static overhead + of encryption. + +2007-05-10 Dave Love <fx@gnu.org> -2003-04-08 Love Hörnquist Åstrand <lha@it.su.se> + * doc/win2k.texi: Update some URLs. - * admin/ktutil.8: typos, from jmc <jmc@acn.waw.pl> +2007-05-13 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kimpersonate.c: Fix version number of ticket, it should be + 5 not the kvno. -2003-04-06 Love Hörnquist Åstrand <lha@it.su.se> +2007-05-08 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/krb5.3: s/kerberos/Kerberos/ - * lib/krb5/krb5_data.3: s/kerberos/Kerberos/ - * lib/krb5/krb5_address.3: s/kerberos/Kerberos/ - * lib/krb5/krb5_ccache.3: s/kerberos/Kerberos/ - * lib/krb5/krb5.conf.5: s/kerberos/Kerberos/ - * kuser/kinit.1: s/kerberos/Kerberos/ - * kdc/kdc.8: s/kerberos/Kerberos/ + * doc/setup.texi: Salting is really Encryption types and salting. + +2007-05-07 Love Hörnquist Åstrand <lha@it.su.se> -2003-04-01 Love Hörnquist Åstrand <lha@it.su.se> + * doc/setup.texi: spelling, from Ronny Blomme - * lib/krb5/test_alname.c: more krb5_aname_to_localname tests + * doc/win2k.texi: Fix ksetup /SetComputerPassword, from Ronny + Blomme - * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): when - converting too root, make sure user is ok according to - krb5_kuserok before allowing it. +2007-05-02 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/Makefile.am (noinst_PROGRAMS): += test_alname + * lib/hdb/dbinfo.c (hdb_get_dbinfo) If there are no database + specified, create one and let it use the defaults. 
- * lib/krb5/test_alname.c: add test for krb5_aname_to_localname +2007-04-27 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/crypto.c (krb5_DES_AFS3_CMU_string_to_key): used p1 - instead of the "illegal" salt #~, same change as kth-krb did - 1999. Problems occur with crypt() that behaves like AT&T crypt - (openssl does this). Pointed out by Marcus Watts. + * lib/hdb/test_dbinfo.c: test acl file - * admin/change.c (kt_change): collect all principals we are going - to change, and pick the highest kvno and use that to guess what - kvno the resulting kvno is going to be. Now two ktutil change in a - row works. XXX fix the protocol to pass the kvno back. + * lib/hdb/test_dbinfo.c: test acl file + + * lib/hdb/dbinfo.c: add acl file + + * etc: ignore Makefile.in + + * Makefile.am: SUBDIRS += etc + + * configure.in: Add etc/Makefile. + + * etc/Makefile.am: make sure services.append is distributed + +2007-04-24 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc: rename windc_init to krb5_kdc_windc_init + + * kdc/version-script.map: version script for libkdc + + * kdc/Makefile.am: version script for libkdc -2003-03-31 Love Hörnquist Åstrand <lha@it.su.se> +2007-04-23 Love Hörnquist Åstrand <lha@it.su.se> - * appl/kf/kf.1: afs->AFS, from jmc <jmc@acn.waw.pl> + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error): + correct the order of the arguments. + + * lib/hdb/Makefile.am: Add and test dbinfo. + + * lib/hdb/hdb.h: Forward declaration for struct hdb_dbinfo; + + * kdc/config.c: Use krb5_kdc_get_config and just fill in what the + users wanted differently. + + * kdc/default_config.c: Make the default configuration fetch info + from the krb5.conf. 
-2003-03-30 Love Hörnquist Åstrand <lha@it.su.se> +2007-04-22 Love Hörnquist Åstrand <lha@it.su.se> - * doc/setup.texi: add description on how to turn on v4, 524 and - kaserver support + * lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to + determine if to send the session-key, for the second place in the + function. -2003-03-29 Love Hörnquist Åstrand <lha@it.su.se> + * tools/krb5-config.in: rename des to hcrypto - * lib/krb5/verify_krb5_conf.c (appdefaults_entries): add afslog - and afs-use-524 + * kuser/Makefile.am: depend on libheimntlm -2003-03-28 Love Hörnquist Åstrand <lha@it.su.se> + * kuser/kinit.c: Add --ntlm-domain that store the ntlm cred for + this domain if the Kerberos password auth worked. - * kdc/kerberos5.c (as_rep): when the second enctype_to_string - failes, remember to free memory from the first enctype_to_string + * kuser/klist.c: add new option --hidden that doesn't display + principal that starts with @ - * lib/krb5/crypto.c (usage2arcfour): map KRB5_KU_TICKET to 2, - from Harald Joerg <harald.joerg@fujitsu-siemens.com> - (enctype_arcfour_hmac_md5): disable checksum_hmac_md5_enc + * tools/krb5-config.in: Add heimntlm when we use gssapi. - * lib/hdb/mkey.c (hdb_unseal_keys_mkey): truncate key to the key - length when key is longer then expected length, its probably - longer since the encrypted data was padded, reported by Aidan - Cully <aidan@kublai.com> + * lib/krb5/krb5_ccache.3 (krb5_cc_retrieve_cred): document what to + free 'cred' with. - * lib/krb5/crypto.c (krb5_enctype_keysize): return key size of - encyption type, inspired by Aidan Cully <aidan@kublai.com> + * lib/krb5/cache.c (krb5_cc_retrieve_cred): document what to free + 'cred' with. -2003-03-27 Love Hörnquist Åstrand <lha@it.su.se> +2007-04-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to + determine if to send the session-key. 
- * lib/krb5/keytab.c (krb5_kt_get_entry): avoid printing 0 - (wildcard kvno) after principal when the keytab entry isn't found, - reported by Chris Chiappa <chris@chiappa.net> + * kcm/client.c (kcm_ccache_new_client): make root be able to pass + the name constraints, not the opposite. From Bryan Jacobs. -2003-03-26 Love Hörnquist Åstrand <lha@it.su.se> +2007-04-20 Love Hörnquist Åstrand <lha@it.su.se> - * doc/misc.texi: update 2b example to match reality (from - mattiasa@e.kth.se) + * kcm/acl.c: make compile again. - * doc/misc.texi: spelling and add `Configuring AFS clients' - subsection + * kcm/client.c: fix warning. + + * kcm: First, it allows root to ignore the naming conventions. + Second, it allows root to always perform any operation on any + ccache. Note that root could do this anyway with FILE ccaches. + From Bryan Jacobs. -2003-03-25 Love Hörnquist Åstrand <lha@it.su.se> + * Rename libdes to libhcrypto. - * lib/krb5/krb5.3: add krb5_free_data_contents.3 - - * lib/krb5/data.c: add krb5_free_data_contents for compat with MIT - API +2007-04-19 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/krb5_data.3: add krb5_free_data_contents for compat - with MIT API + * kinit: remove code that depend on kerberos 4 library - * lib/krb5/krb5_verify_user.3: write more about how the ccache - argument should be inited when used + * kdc: remove code that depend on kerberos 4 library -2003-03-25 Johan Danielsson <joda@pdc.kth.se> + * configure.in: Drop kerberos 4 support. - * lib/krb5/addr_families.c (krb5_print_address): make sure - print_addr is defined for the given address type; make addrports - printable + * kdc/hpropd.c (main): free the message when done with it. - * kdc/string2key.c: print the used enctype for kerberos 5 keys + * lib/krb5/pkinit.c (_krb5_get_init_creds_opt_free_pkinit): + remember to free memory too. -2003-03-25 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/pkinit.c (pk_rd_pa_reply_dh): free content-type when + done. 
- * lib/krb5/aes-test.c: add another arcfour test + * configure.in: test rk_VERSIONSCRIPT -2003-03-22 Love Hörnquist Åstrand <lha@it.su.se> +2007-04-18 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/aes-test.c: sneek in a test for arcfour-hmac-md5 - -2003-03-20 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/krb5_ccache.3: update .Dd + * fix-export: remove, all done by make dist now - * lib/krb5/krb5.3: sort in krb5_data functions +2007-04-15 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/Makefile.am (man_MANS): += krb5_data.3 + * lib/krb5/krb5_get_credentials.3: spelling, from Jason McIntyre - * lib/krb5/krb5_data.3: document krb5_data +2007-04-11 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): if - prompter is NULL, don't try to ask for a password to - change. reported by Iain Moffat @ ufl.edu via Howard Chu - <hyc@highlandsun.com> + * kdc/kstash.8: Spelling, from raga <raga@comcast.net> + via Bjorn Sandell. -2003-03-19 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/store_mem.c: indent. - * lib/krb5/krb5_keytab.3: spelling, from - <jmc@prioris.mini.pw.edu.pl> + * lib/krb5/recvauth.c: Set error string. - * lib/krb5/krb5.conf.5: . means new line - - * lib/krb5/krb5.conf.5: spelling, from - <jmc@prioris.mini.pw.edu.pl> + * lib/krb5/rd_req.c: clear error strings. - * lib/krb5/krb5_auth_context.3: spelling, from - <jmc@prioris.mini.pw.edu.pl> + * lib/krb5/rd_cred.c: clear error string. -2003-03-18 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/pkinit.c: Set error strings. - * kuser/Makefile.am: INCLUDES: -I$(srcdir)/../lib/krb5 + * lib/krb5/get_cred.c: Tell what principal we are not finding for + all KRB5_CC_NOTFOUND. - * lib/krb5/convert_creds.c: add _krb5_krb_life_to_time +2007-02-22 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/krb5-v4compat.h: add _krb5_krb_life_to_time + * kdc/kerberos5.c: Return the same error codes as a windows KDC. 
- * kdc/kdc_locl.h: 524 is independent of kerberos 4, so move out - #ifdef KRB4 from enable_v4_cross_realm since 524 needs it + * kuser/kinit.c: KRB5KDC_ERR_PREAUTH_FAILED is also a password + failed. - * kdc/config.c: 524 is independent of kerberos 4, so move out - enable_v4_cross_realm from #ifdef KRB4 since 524 needs it - -2003-03-17 Assar Westerlund <assar@kth.se> + * kdc/kerberos5.c: Make handling of replying e_data more generic, + from metze. - * kdc/kdc.8: document --kerberos4-cross-realm - * kdc/kerberos4.c: pay attention to enable_v4_cross_realm - * kdc/kdc_locl.h (enable_v4_cross_realm): add - * kdc/524.c (encode_524_response): check the enable_v4_cross_realm - flag before giving out v4 tickets for foreign v5 principals - * kdc/config.c: add --enable-kerberos4-cross-realm option (default - to off) + * kdc/kerberos5.c: Fix (string const and shadow) warnings, from + metze. -2003-03-17 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/pac.c: Create the PAC element in the same order as + w2k3, maybe there's some broken code in windows which relies on + this... From metze. - * lib/krb5/Makefile.am (man_MANS) += krb5_aname_to_localname.3 + * kdc/kerberos5.c: Select a session enctype from the list of the + crypto systems supported enctype, is supported by the client and + is one of the enctype of the enctype of the krbtgt. + + The later is used as a hint what enctype all KDC are supporting to + make sure a newer version of KDC wont generate a session enctype + that and older version of a KDC in the same realm can't decrypt. + + But if the KDC admin is paranoid and doesn't want to have "no the + best" enctypes on the krbtgt, lets save the best pick from the + client list and hope that that will work for any other KDCs. - * lib/krb5/krb5_aname_to_localname.3: manpage for - krb5_aname_to_localname + Reported by metze. 
- * lib/krb5/krb5_kuserok.3: s/KRB5_USEROK/KRB5_KUSEROK/ + * kdc/hprop.c (propagate_database): on any failure, drop the + connection to the peer and try next one. -2003-03-16 Love Hörnquist Åstrand <lha@it.su.se> +2007-02-18 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/Makefile.am (man_MANS): add krb5_set_default_realm.3 + * lib/krb5/krb5_get_init_creds.3: document new options. - * lib/krb5/krb5.3: add manpages from krb5_set_default_realm.3 + * kdc/krb5tgs.c: Only check service key for cross realm PACs. - * lib/krb5/krb5_set_default_realm.3: Manpage for - krb5_free_host_realm, krb5_get_default_realm, - krb5_get_default_realms, krb5_get_host_realm, and - krb5_set_default_realm. + * lib/krb5/init_creds.c: use the new merged flags field. + (krb5_get_init_creds_opt_set_win2k): new function, turn on all w2k + compat flags. - * admin/ktutil.8: s/entype/enctype/, from Igor Sobrado - <sobrado@acm.org> via NetBSD + * lib/krb5/init_creds_pw.c: use the new merged flags field. - * lib/krb5/krb5_keytab.3: add documention for krb5_kt_get_type + * lib/krb5/krb5_locl.h: merge all flags into one entity - * lib/krb5/keytab.c (krb5_kt_get_type): get prefix/type of keytab +2007-02-11 Dave Love <fx@gnu.org> - * lib/krb5/krb5.h (KRB5_KT_PREFIX_MAX_LEN): max length of prefix + * lib/krb5/krb5_aname_to_localname.3: Small fixes - * lib/krb5/krb5_ccache.3: document krb5_cc_get_ops, add more - types, add krb5_fcc_ops and krb5_mcc_ops + * lib/krb5/krb5_digest.3: Small fixes - * lib/krb5/cache.c (krb5_cc_get_ops): new function, return ops for - a id + * kuser/kimpersonate.1: Small fixes -2003-03-15 Love Hörnquist Åstrand <lha@it.su.se> +2007-02-17 Love Hörnquist Åstrand <lha@it.su.se> - * doc/intro.texi: add reference to source code, binaries and the - manual + * lib/krb5/init_creds_pw.c (find_pa_data): if there is no list, + there is no entry. 
- * lib/krb5/krb5.3: krb5.h isn't in krb5 directory in heimdal - -2003-03-14 Love Hörnquist Åstrand <lha@it.su.se> + * kdc/krb5tgs.c: Don't check PACs on cross realm requests. + + * lib/krb5/krb5.h: add KRB5_KU_CANONICALIZED_NAMES. - * kdc/kdc.8: better/difrent english + * lib/krb5/init_creds_pw.c: Verify client referral data. - * kdc/kdc.8: . -> .\n, copyright/license + * kdc/kerberos5.c: switch some "return ret" to "goto out". - * kdc/kdc.8: changed configuration file -> restart kdc + * kdc/kerberos5.c: Pass down canonicalize request to hdb layer, + sign client referrals. + + * lib/hdb/hdb.h: Add HDB_F_CANON. + + * lib/hdb: add simple alias support to the database backends - * kdc/kerberos4.c: add krb4 into the most error messages written - to the logfile +2007-02-16 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/krb5_ccache.3: add missing name of argument - (krb5_context) to most functions + * kuser/kinit.c: Add canonicalize flag. -2003-03-13 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/init_creds_pw.c: Use EXTRACT_TICKET_* flags, support + canonicalize. - * lib/krb5/kuserok.c (krb5_kuserok): preserve old behviour of - function and return FALSE when there isn't a local account for - `luser'. + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_canonicalize): + new function. + + * lib/krb5/get_cred.c: Use EXTRACT_TICKET_* flags. - * lib/krb5/krb5_kuserok.3: fix prototype, spelling and more text - describing the function + * lib/krb5/get_in_tkt.c: Use EXTRACT_TICKET_* flags. -2003-03-12 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/krb5_locl.h: Add EXTRACT_TICKET_* flags. + +2007-02-15 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/cache.c (krb5_cc_default): if krb5_cc_default_name - returned memory, don't return ENOMEM + * lib/krb5/test_princ.c: test parsing enterprise-names. -2003-03-11 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/principal.c: Add support for parsing enterprise-names. 
- * lib/krb5/krb5.3: add krb5_address stuff and sort + * lib/krb5/krb5.h: Add KRB5_PRINCIPAL_PARSE_ENTERPRISE. + + * lib/hdb/hdb-ldap.c: Make work again. - * lib/krb5/krb5_address.3: fix krb5_addr2sockaddr description +2007-02-11 Dave Love <fx@gnu.org> + + * kcm/client.c (kcm_ccache_new_client): Cast snprintf'ed value. - * lib/krb5/Makefile.am (man_MANS): += krb5_address.3 +2007-02-10 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/krb5_address.3: document types krb5_address and - krb5_addresses and their helper functions + * doc/setup.texi: prune trailing space -2003-03-10 Love Hörnquist Åstrand <lha@it.su.se> + * lib/hdb/db.c: Be better at setting and clearing error string. - * lib/krb5/Makefile.am (man_MANS): += krb5_kuserok.3 + * lib/hdb/hdb.c: Be better at setting and clearing error string. - * lib/krb5/krb5_kuserok.3: spelling, from cizzi@it.su.se +2007-02-09 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/Makefile.am (man_MANS): += krb5_ccache.3 + * lib/krb5/keytab.c (krb5_kt_get_entry): Use krb5_kt_get_full_name + to print out the keytab name. - * lib/krb5/krb5_ccache.3: spelling, from cizzi@it.su.se + * doc/setup.texi: Spelling, from Guido Guenther - * lib/krb5/krb5.3: add more functions +2007-02-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/rd_cred.c: Plug memory leak, from Michael B Allen. + +2007-02-06 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_store.c (test_uint16): unsigned ints can't be + negative - * lib/krb5/krb5_ccache.3: document krb5_ccache and krb5_cc - functions +2007-02-03 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/krb5_kuserok.3: document krb5_kuserok + * kdc/pkinit.c: pass extra flags for detached signatures. + + * lib/krb5/pkinit.c: pass extra flags for detached signatures. + + * kdc/digest.c: Remove debug output. + + * kuser/kdigest.c: Add support for ms-chap-v2 client. 
- * lib/krb5/krb5_verify_user.3: document - krb5_verify_opt_set_flags(opt, KRB5_VERIFY_LREALMS) behavior +2007-02-02 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/digest.c: Fix ms-chap-v2 get_masterkey + + * kdc/digest.c: Fix ms-chap-v2 mutual response auth code. + + * kuser/kdigest.c: Print session key if there is one. - * lib/krb5/krb5_verify_user.3: document krb5_verify_opt* and - krb5_verify_user_opt + * lib/krb5/digest.c: rename hash-a1 to session key - * lib/krb5/*.[0-9]: add copyright/licenses on more manpages + * kdc/digest.c: Add get_master from RFC 3079 3.4 for MS-CHAP-V2 - * kuser/kdestroy.c (main): handle that krb5_cc_default_name can - return NULL + * kuser/kdigest.c: print rsp if there is one, from Klas. - * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump minor - (TESTS): add test_cc + * kdc/digest.c: Use right size, from Klas Lindfors. - * lib/krb5/test_cc.c: test some - krb5_cc_default_name/krb5_cc_set_default_name combinations + * kuser/kdigest.c: Set client nonce if avaible, from Klas. + + * kdc/digest.c: First version from kllin. + + * kuser/kdigest.c: Don't restrict the type. + +2007-02-01 Love Hörnquist Åstrand <lha@it.su.se> - * lib/krb5/context.c (init_context_from_config_file): set - default_cc_name to NULL - (krb5_free_context): free default_cc_name if set + * kuser/kdigest-commands.in: add --client-response + + * kuser/kdigest.c: Print status instead of response. + + * kdc/digest.c: Better logging and return status = FALSE when + checksum doesn't match. - * lib/krb5/cache.c (krb5_cc_set_default_name): new function - (krb5_cc_default_name): use krb5_cc_set_default_name + * kdc/digest.c: Check the digest response in the KDC. - * lib/krb5/krb5.h (krb5_context_data): add default_cc_name + * lib/krb5/digest.c: New functions to send in requestResponse to + KDC and get status of the request. + + * kdc/digest.c: Add support for MS-CHAP v2. + + * lib/hdb/hdb-ldap.c: Set hdb->hdb_db for ldap. 
-2003-02-25 Love Hörnquist Åstrand <lha@it.su.se> +2007-01-31 Love Hörnquist Åstrand <lha@it.su.se> - * appl/kf/kf.1: s/securly/securely/ from NetBSD + * fix-export: Make hx509.info too + + * kdc/digest.c: don't verify identifier in CHAP, its the client + that chooses it. -2003-02-18 Love Hörnquist Åstrand <lha@it.su.se> +2007-01-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: Basic test of prf. - * kdc/connect.c: s/intialize/initialize, from - <jmc@prioris.mini.pw.edu.pl> + * lib/krb5/test_prf.c: Basic test of prf. -2003-02-17 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/mit_glue.c: Add MIT glue for Kerberos RFC 3961 PRF + functions. - * configure.in: add AM_MAINTAINER_MODE + * lib/krb5/crypto.c: Add Kerberos RFC 3961 PRF functions. + + * lib/krb5/krb5_data.3: Document krb5_data_cmp. + + * lib/krb5/data.c: Add krb5_data_cmp. + +2007-01-20 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kx509.c: Don't use C99 syntax. + +2007-01-17 Love Hörnquist Åstrand <lha@it.su.se> -2003-02-16 Love Hörnquist Åstrand <lha@it.su.se> + * configure.in: its LIBADD_roken (and shouldn't really exist, our + libtool usage it broken) - * **/*.[0-9]: add copyright/licenses on all manpages + * configure.in: Add an extra variable for roken, LIBADD, that + should be used for library depencies. -2003-14-16 Jacques Vidrine <nectar@kth.se> + * lib/krb5/send_to_kdc.c (krb5_sendto): zero out receive buffer. - * lib/krb5/get_in_tkt.c (init_as_req): Send only a single - PA-ENC-TIMESTAMP in the AS-REQ, using the first encryption - type specified by the KDC. + * lib/krb5/krb5_init_context.3: fix mdoc errors -2003-02-15 Love Hörnquist Åstrand <lha@it.su.se> + * Heimdal 0.8 branch cut today - * fix-export: some autoconf put their version number in - autom4te.cache, so remove autom4te*.cache + * doc/hx509.texi: Spelling and more about proxy certificates. 
+ + * configure.in: check for arc4random - * fix-export: make sure $1 is a directory +2007-01-16 Love Hörnquist Åstrand <lha@it.su.se> -2003-02-04 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/send_to_kdc.c (krb5_sendto): zero receive krb5_data + before starting - * kpasswd/kpasswdd.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl> + * tools/heimdal-build.sh: make cvs keep quiet - * kdc/kdc.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl> + * kuser/kverify.c: Use argument as principal if passed an + argument. Bug report from Douglas E. Engert + +2007-01-15 Love Hörnquist Åstrand <lha@it.su.se> -2003-01-31 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/rd_req.c (krb5_rd_req_ctx): The code failed to consider + the enc_tkt_in_skey case, from Douglas E. Engert. + + * kdc/kx509.c: Issue certificates. - * kdc/hpropd.8: s/databases/a database/ s/Not/not/ + * kdc/config.c: Parse kx509/kca configuration. - * kdc/hprop.8: add missing . + * kdc/kdc.h: add kx509 config -2003-01-30 Love Hörnquist Åstrand <lha@it.su.se> +2007-01-14 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (_kdc_find_padata): if there is not padata, + there is nothing find. + + * doc/hx509.texi: Examples for pk-init. - * lib/krb5/krb5.conf.5: documentation for of boolean, etypes, - address, write out encryption type in sentences, s/Host/host + * doc/hx509.texi: About extending ca lifetime and sub cas. -2003-01-26 Love Hörnquist Åstrand <lha@it.su.se> +2007-01-13 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/hx509.texi: More about certificates. + +2007-01-12 Love Hörnquist Åstrand <lha@it.su.se> - * lib/asn1/check-gen.c: add checks for Authenticator too + * doc/hx509.texi: add Application requirements and write about + xmpp/jabber. -2003-01-25 Love Hörnquist Åstrand <lha@it.su.se> +2007-01-11 Love Hörnquist Åstrand <lha@it.su.se> - * doc/setup.texi: in the hprop example, use hprop and the first - component, not host + * doc/hx509.texi: More about issuing certificates. 
- * lib/krb5/get_addrs.c (find_all_addresses): address-less - point-to-point might not have an address, just ignore - those. Reported by Harald Barth. + * doc/hx509.texi: Start of a x.509 manual. -2003-01-23 Love Hörnquist Åstrand <lha@it.su.se> + * include/Makefile.am: remove install headerfiles - * lib/krb5/verify_krb5_conf.c (check_section): when key isn't - found, don't print out all known keys + * lib/krb5/test_pac.c: Use more interesting data to cause more + errors. - * lib/krb5/verify_krb5_conf.c (syslogvals): mark up where severity - and facility start resp - (check_log): find_value() returns -1 when key isn't found + * include/Makefile.am: remove install headerfiles - * lib/krb5/crypto.c (_krb5_aes_cts_encrypt): make key argument a - 'const void *' to avoid AES_KEY being exposed in krb5-private.h - - * lib/krb5/krb5.conf.5: add [kdc]use_2b + * lib/krb5/mcache.c: MCC_CURSOR not used, remove. - * kdc/524.c (encode_524_response): its 2b not b2 - - * doc/misc.texi: quote @ where missing + * lib/krb5/crypto.c: macro kcrypto_oid_enc now longer used + + * lib/krb5/rd_safe.c (krb5_rd_safe): set length before trying to + allocate data - * lib/asn1/Makefile.am: add check-gen +2007-01-10 Love Hörnquist Åstrand <lha@it.su.se> - * lib/asn1/check-gen.c: add Principal check + * doc/setup.texi: Hint about hxtool validate. + + * appl/test/uu_server.c: print both "server" and "client" + + * kdc/krb5tgs.c: Rename keys to be more obvious what they do. + + * kdc/kerberos5.c: Use other keys to sign PAC with. From Andrew + Bartlett - * lib/asn1/check-common.h: move generic asn1/der functions from - check-der.c to here + * kdc/windc.c: ident, spelling. + + * kdc/windc_plugin.h: indent. - * lib/asn1/check-common.c: move generic asn1/der functions from - check-der.c to here + * kdc/krb5tgs.c: Pass down server entry to verify_pac function. 
+ from Andrew Bartlett - * lib/asn1/check-der.c: move out the generic asn1/der functions to - a common file + * kdc/windc.c: pass down server entry to verify_pac function, from + Andrew Bartlett -2003-01-22 Love Hörnquist Åstrand <lha@it.su.se> + * kdc/windc_plugin.h: pass down server entry to verify_pac + function, from Andrew Bartlett - * doc/misc.texi: more text about afs, how to get get your KeyFile, - and how to start use 2b tokens + * configure.in: Provide a automake symbol ENABLE_SHARED if shared + libraries are built. - * lib/krb5/krb5.conf.5: spelling, from Jason McIntyre - <jmc@cvs.openbsd.org> + * lib/krb5/rd_req.c (krb5_rd_req_ctx): Use the correct keyblock + when verifying the PAC. From Andrew Bartlett. -2003-01-21 Jacques Vidrine <nectar@kth.se> +2007-01-09 Love Hörnquist Åstrand <lha@it.su.se> - * kuser/kuser_locl.h: include crypto-headers.h for - des_read_pw_string prototype + * lib/krb5/test_pac.c: move around to code test on real PAC. -2003-01-16 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/pac.c: A tiny 2 char diffrence that make the code work + for real. - * admin/ktutil.8: document -v, --verbose + * lib/krb5/test_pac.c: Test more PAC (note that the values used in + this test is wrong, they have to be fixed when the pac code is + fixed). - * admin/get.c (kt_get): make getarg usage consistent with other - other parts of ktutil + * doc/setup.texi: Update to new hxtool issue-certificate usage - * admin/copy.c (kt_copy): remove adding verbose_flag to args - struct, since it will overrun the args array (from Sumit Bose) + * lib/krb5/init_creds_pw.c: Make sure we don't sent both ENC-TS + and PK-INIT pa data, no need to expose our password protecting our + PKCS12 key. + + * kuser/klist.c (print_cred_verbose): include ticket length in the + verbose output + +2007-01-08 Love Hörnquist Åstrand <lha@it.su.se> -2003-01-15 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/acache.c (loadlib): pass RTLD_LAZY to dlopen, without + it linux is unhappy. 
- * lib/krb5/krb5.conf.5: write more about [realms] REALM = { kdc = - ... } + * lib/krb5/plugin.c (loadlib): pass RTLD_LAZY to dlopen, without + it linux is unhappy. - * lib/krb5/aes-test.c: test vectors in aes-draft - - * lib/krb5/Makefile.am: add aes-test.c + * lib/krb5/name-45-test.c: One of the hosts I sometimes uses is + named "bar.domain", this make one of the tests pass when it + shouldn't. - * lib/krb5/crypto.c: Add support for AES - (draft-raeburn-krb-rijndael-krb-02), not enabled by default. - (HMAC_SHA1_DES3_checksum): rename to SP_HMAC_SHA1_checksum and modify - to support checksumtype that are have a shorter wireformat then - their output block size. - - * lib/krb5/crypto.c (struct encryption_type): split the blocksize - into blocksize and padsize, padsize is the minimum padding - size. they are the same for now - (enctype_*): add padsize - (encrypt_internal): use padsize - (encrypt_internal_derived): use padsize - (wrapped_length): use padsize - (wrapped_length_dervied): use padsize +2007-01-05 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: Change --key argument to --out-key. - * lib/krb5/crypto.c: add extra `opaque' argument to string_to_key - function for each enctype in preparation enctypes that uses - `Encryption and Checksum Specifications for Kerberos 5' draft + * kuser/kimpersonate.1: mangle my name - * lib/asn1/k5.asn1: add checksum and enctype for AES from - draft-raeburn-krb-rijndael-krb-02.txt +2007-01-04 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: describe how to use hx509 to create + certificates. - * lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_AES128, - KEYTYPE_AES256 + * tools/heimdal-build.sh: Add --distcheck. -2003-01-14 Love Hörnquist Åstrand <lha@it.su.se> + * kdc/kerberos5.c: Check for KRB5_PADATA_PA_PAC_REQUEST to check + if we should include the PAC in the krbtgt. 
- * lib/hdb/common.c (_hdb_fetch): handle error code from - hdb_value2entry + * kdc/pkinit.c (_kdc_as_rep): check if + krb5_generate_random_keyblock failes. - * kdc/Makefile.am: always include kerberos4.c and 524.c in - kdc_SOURCES to support 524 + * kdc/kerberos5.c (_kdc_as_rep): check if + krb5_generate_random_keyblock failes. - * kdc/524.c: always compile in support for 524 - - * kdc/kdc_locl.h: move out krb/524 protos from under #ifdef KRB4 + * kdc/krb5tgs.c (tgs_build_reply): check if + krb5_generate_random_keyblock failes. + + * kdc/krb5tgs.c: Scope etype. + + * lib/krb5/rd_req.c: Make it possible to turn off PAC check, its + default on. + + * lib/krb5/rd_req.c (krb5_rd_req_ctx): If there is a PAC, verify + its server signature. + + * kdc/kerberos5.c (_kdc_as_rep): call windc client access hook. + (_kdc_tkt_add_if_relevant_ad): constify in data argument. + + * kdc/windc_plugin.h: More comments add a client_access hook. + + * kdc/windc.c: Add _kdc_windc_client_access. + + * kdc/krb5tgs.c: rename functions after export some more pac + functions. + + * lib/krb5/test_pac.c: export some more pac functions. + + * lib/krb5/pac.c: export some more pac functions. + + * kdc/krb5tgs.c: Resign the PAC in tgsreq if we have a PAC. + + * configure.in: add tests/plugin/Makefile - * kdc/config.c: always compile in support for 524 +2007-01-03 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/krb5tgs.c: Get right key for PAC krbtgt verification. + + * kdc/config.c: spelling + + * lib/krb5/krb5.h: typedef for krb5_pac. + + * kdc/headers.h: Include <windc_plugin.h>. + + * kdc/Makefile.am: Include windc.c and use windc_plugin.h + + * kdc/krb5tgs.c: Call callbacks for emulating a Windows Domain + Controller. + + * kdc/kerberos5.c: Call callbacks for emulating a Windows Domain + Controller. Move the some of the log related stuff to its own + function. + + * kdc/config.c: Init callbacks for emulating a Windows Domain + Controller. 
+
+ * kdc/windc.c: Rename the init function to windc instead of pac.
+
+ * kdc/windc.c: Callbacks specific to emulating a Windows Domain
+ Controller.
+
+ * kdc/windc_plugin.h: Callbacks specific to emulating a Windows
+ Domain Controller.
+
+ * lib/krb5/Makefile.am: add krb5_HEADERS to build_HEADERZ
+
+ * lib/krb5/pac.c: Support all keyed checksum types.
- * kdc/connect.c: always compile in support for 524
+2007-01-02 Love Hörnquist Åstrand <lha@it.su.se>
- * kdc/kerberos4.c: export encode_v4_ticket() and get_des_key()
- even when we build without kerberos 4, 524 needs them
+ * lib/krb5/pac.c (krb5_pac_get_types): Return list of types.
- * lib/krb5/convert_creds.c, lib/krb5/krb5-v4compat.h: Split out
- Kerberos 4 help functions/structures so other parts of the source
- tree can use it (like the KDC)
+ * lib/krb5/test_pac.c: test krb5_pac_get_types
+
+ * lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA.
+
+ * lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA.
+
+ * lib/krb5/krb5.h: Add KRB5_KRBHST_KCA.
+ * lib/krb5/test_pac.c: test Add/remove pac buffer functions.
+
+ * lib/krb5/pac.c: Add/remove pac buffer functions.
+
+ * lib/krb5/pac.c: sprinkle const
+
+ * lib/krb5/pac.c: rename DCHECK to CHECK
+
+ * Happy New Year.
diff --git a/crypto/heimdal/ChangeLog.2003 b/crypto/heimdal/ChangeLog.2003
new file mode 100644
index 000000000000..82233515246e
--- /dev/null
+++ b/crypto/heimdal/ChangeLog.2003
@@ -0,0 +1,1795 @@ +2003-12-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/error_string.c: protect error_string with mutex + + * lib/krb5/context.c: allocate and destroy mutex in krb5_context + + * lib/krb5/krb5.h (krb5_context_data): add mutex for error_string + +2003-12-18 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: make -9 work again + +2003-12-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c: try handle ts preauth better, still + not good, but at least it work with older heimdal releases that + doesn't send back KRB5KDC_ERR_PREAUTH_REQUIRED when preauth was + sent + +2003-12-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb.asn1: remove enforce-transited-policy, its no longer + used + +2003-12-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c (_krb5_pk_create_sign): fill in NULL as + parameters, required by CMS + +2003-12-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_in_tkt_with_keytab.c (krb5_get_in_tkt_with_keytab): + avoid memory leak that snuck in when krb5_keytab_key_proc was + exported, pointed out by Panases Inc + + * lib/krb5/keytab_file.c: do locking, found to be a problem for + Panasas Inc + + * lib/krb5/fcache.c: internally export x{,un}lock and thus prefix + them with _krb5_ + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use + KRB5_AUTH_CONTEXT_DO_TIME if we want timestamp in forwarded + krb-cred + + * lib/krb5/krb5_auth_context.3: some text about + krb5_auth_con_{add,remove}flags + + * lib/krb5/auth_context.c: add krb5_auth_con_addflags and + krb5_auth_con_removeflags + +2003-12-03 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/crypto.c (decrypt_internal_derived): move up padsize to + avoid memory leak + +2003-12-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/crypto.c: require cipher-text to be padded to padsize + + * lib/krb5/eai_to_heim_errno.c: EAI_ADDRFAMILY and EAI_NODATA is + deprecated in RFC3493 + + * lib/krb5/verify_krb5_conf.c 
(check_host): don't check for + EAI_NODATA, because its depricated in RFC3493 Pointed out by + Hajimu UMEMOTO <ume@mahoroba.org> on heimdal-discuss + +2003-12-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: move test_crypto to noinst_PROGRAMS + + * lib/krb5/test_crypto.c: add --version,--help + + * kuser/kinit.c (main): return the return value from simple_execvp + +2003-11-26 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: don't use PKINIT DH per default since its too + slow + + * lib/krb5/pkinit.c: tweek to make pkinit work with the fact the + asn1_compile can't generate code for context tagless optionals + + * kdc/pkinit.c: add support for KDC side of DH PKINIT + + * lib/krb5/pkinit.c: clean up error handling, make enc-type work + again + +2003-11-25 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: add flag to make it work with pkinit dh + + * lib/krb5/pkinit.c: make PKINIT DH support work + +2003-11-24 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/Makefile.am (LDADD): link with LIB_dlopen + + * kdc/pkinit.c: clean up + + * lib/krb5/krb5.h: make pkinit_win2k_compatible into a flag field + + * lib/krb5/pkinit.c: remove most compile depencies clean up + + * kdc/pkinit.c: print an error and turn of pkinit if openssl + failed to load + + * kdc/config.c: read pkinit (pki-mumble) configuration options + + * kdc/kerberos5.c: add pkinit support + + * kdc/kdc_locl.h: add prototypes for pkinit + + * kdc/pkinit.c: PKINIT patch from Daniel Kouril and Petr Holub, I + removed the dependency on valicert asn1 parser, remove smartcard + and globus support (for now). 
Work to be done on this: DH support, + Globus support, Smartcard support, windows support (MS implements + -09 of the draft), make it conform to the new draft + + * lib/krb5/pkinit.c: fix bugs, improve error reporting + +2003-11-23 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: add some "struct foo;" glue for pkinit + structures that isn't used + + * lib/krb5/pkinit.c: clean up, make remove depenency on openssl's + api + + * lib/krb5/krb5_locl.h: add some glue for pkinit add reference + counter to _krb5_get_init_creds_opt_private + + * lib/krb5/init_creds.c: reference count krb5_get_init_creds_opt + private component to avoid copy all the data in it + + * lib/krb5/crypto.c (AES_string_to_key): fix memory leak + + * lib/krb5/init_creds_pw.c (init_cred_loop): fix memory leak + + * lib/krb5/heim_threads.h: include pthread.h in the pthread case + +2003-11-18 Love Hörnquist Åstrand <lha@it.su.se> + + * kpasswd/kpasswdd.c (main): parse kdc.conf + 
From: Jeffrey Hutzelman <jhutz@cmu.edu> + +2003-11-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am (TESTS): add test_crypto + + * lib/krb5/test_crypto.c: time crypto operations + +2003-11-14 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/init-creds: spelling, Bruno Rohee <bruno@rohee.com> + +2003-11-09 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/rd_req.c (krb5_verify_ap_req2): krb5_free_ticket free + the ticket now, rewrite error handling to handle that + + * kpasswd/kpasswdd.c (process): don't free ticket, + krb5_free_ticket does that now + + * kdc/kerberos5.c (tgs_rep2): don't free ticket, krb5_free_ticket + does that now + + * lib/krb5/ticket.c (krb5_free_ticket): free the ticket itself to + match mit behavior, pointed out by Derrick Brashear + + * lib/krb5/krb5_ticket.3: krb5_free_ticket free the whole ticket + +2003-11-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/padata.c: add krb5_padata_add + + * lib/krb5/krb5.h: krb5_context_data.pkinit_win2k_compatible + + * lib/krb5/Makefile.am: add pkinit.c + + * kuser/kinit.c: add pkinit support + + * lib/krb5/init_creds_pw.c: add support for pkinit + + * lib/krb5/krb5_locl.h: add the opaque krb5_pk_init_ctx to + _krb5_get_init_creds_opt_private + + * lib/krb5/pkinit.c: rename krb5_pk_init_openssl_ctx to + krb5_pk_init_ctx fix win2k error handling + + * lib/krb5/pkinit.c: PKINIT patch from Daniel Kouril and Petr + Holub, I removed the dependency on valicert asn1 parser, remove + smartcard and globus support (for now). 
Work to be done on this: + DH support, Globus support, Smartcard support, windows support (MS + implements -09 of the draft), verify that it conforms the new + draft + +2003-11-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/der_copy.c (copy_oid): copy all components + +2003-10-27 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5.conf.5: document capaths section + +2003-10-22 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kerberos5.c: make sure that the server realm and the krbtgt + second component are identical; get rpath from the capaths section + + * kdc/kerberos5.c: change logic for when to check transited policy + to a tri-state model involving per principal flags (to be + implemented) + + * kdc/kdc_locl.h: change enforce_transited_policy to a tri-state + variable + + * kdc/config.c: change enforce_transited_policy to a tri-state + variable + +2003-10-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/transited.c (krb5_domain_x500_encode): always zero out + encoding to make sure it have a defined value on failure + + * lib/krb5/transited.c (krb5_domain_x500_encode): + if num_realms ==0, set encoding and return (avoids malloc(0)), + check return value for malloc + +2003-10-21 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kerberos5.c (fix_transited_encoding): always print + cross-realm information + +2003-10-21 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: spelling, 
From: Tracy Di Marco White + + * kdc/kerberos5.c (fix_transited_encoding): set transited type + +2003-10-21 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kdc.8: document enforce-transited-policy + + * kdc/kerberos5.c: always check transited policy if flag set + either globally or on principal + + * kdc/config.c: add flag to always check transited policy + + * lib/hdb/hdb.asn1: add flag to enforce transited policy + +2003-10-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/transited.c (krb5_domain_x500_decode): set *num_realms + to zero not num_realms + + * kuser/kgetcred.1: add --no-transit-check + + * kuser/kgetcred.c: add --no-transit-check + + * doc/setup.texi: describe Transit policy + +2003-10-20 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kerberos5.c (fix_transited_encoding): also verify with + policy, unless asked not to + + * lib/krb5/rd_req.c (krb5_decrypt_ticket): try to verify transited + realms, unless the transited-policy-checked flag is set + + * lib/krb5/transited.c (krb5_domain_x500_decode): handle zero + length tr data; + (krb5_check_transited): new function that does more useful stuff + + * lib/krb5/get_cred.c: get capath info from [capaths] section + +2003-10-16 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/fcache.c: Sleep forever waiting for lock. Previous + method doesn't work well with a large number of clients accessing + the cache at the same time, and there is no simple way to add a + timeout to the lock. + +2003-10-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.c: print the error value + krb5_init_context failed with + + * lib/krb5/config_file.c (krb5_config_parse_file_debug): punt if + there is binding before a section declaration. 
Bug found by + Arkadiusz Miskiewicz <arekm@pld-linux.org> + +2003-10-13 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/fcache.c (erase_file): revert a change in previous; if + the ccache is a symlink, kdestroy should remove it + + * lib/krb5/fcache.c: implement locking + +2003-10-12 Johan Danielsson <joda@pdc.kth.se> + + * kuser/klist.c (print_tickets): bail out if krb5_cc_next_cred + returns error other than KRB5_CC_END + +2003-10-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c: add some help function that is common + between ENC_TS and SAM2, free the etype{,2}-infos on failure, move + the pa counter into krb5_get_init_creds_ctx + +2003-10-06 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kaserver.c (do_getticket): if times data is shorter then 8 + byte, request is malformed. + + * kdc/kaserver.c (do_authenticate): if request length is less then + 8 byte, its a bad request and fail. Pointed out by Marco Foglia + <marco@foglia.org> + + * lib/krb5/verify_krb5_conf.c: add flag --warn-mit-syntax that + warns for mit syntax is used and just ignore the mit syntax when + its used + + * lib/krb5/verify_krb5_conf.c: parse [kdc]use_2b and [gssapi] + +2003-10-04 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/lex.l: add BOOLEAN + + * lib/asn1/parse.y: add BOOLEAN + +2003-10-03 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: When running kinit in "fork mode" do pagsh + independent of krb4, also always do krb4 setup of cc. Always try + to destroy the v4 cc. 
+ - add boolean --{,no-}request-pac that will request pac or not + + * kuser/klist.c (check_for_tgt): set client as part of the + pattern/match cred + + * lib/krb5/convert_creds.c (_krb5_krb_dest_tkt): unlink v4 token + (get_krb4_cc_name): move out from _krb5_krb_tf_setup + (_krb5_krb_tf_setup): adapt to allocated filename instead of + static filename + + * lib/krb5/krb5-v4compat.h: add _krb5_krb_dest_tkt and TKT_ROOT + + * lib/krb5/init_creds_pw.c (*) send PA_PAC_REQUEST when the user + have requested either use PAC or not use PAC, if the option not + set from the user, leave it up to the kdc to decide. + (init_creds_loop): clear error string on success + + * lib/krb5/init_creds.c: add + krb5_get_init_creds_opt_set_paq_request break out common part of + extended opt functions to require_ext_opt + + * lib/krb5/krb5_locl.h: add enum krb5_get_init_creds_req_pac and + use it in struct _krb5_get_init_creds_opt_private + + * tools/kdc-log-analyze.pl: handle some more failure lines + + * doc/programming.texi: some diffrences between Heimdal and MIT + Kerberos in the API + + * doc/setup.texi: add Setting up DNS + + * lib/krb5/rd_req.c (krb5_rd_req): always free keyblock since its + alway used + + * lib/asn1/Makefile.am: add SAM types and PAC_REQUEST + + * lib/asn1/k5.asn1: add more preauth types, add PA-PAC-REQUEST + + * lib/asn1: add boolean support + +2003-10-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/changepw.c (setpw_send_request): free ap_req_data on + failure + +2003-09-30 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/test/http_client.c (do_connect): use ai_protocol 0 + + * lib/krb5/init_creds_pw.c (init_cred_loop): handle + KRB5KRB_ERR_RESPONSE_TOO_BIG and loop again, this time requesting + LARGE_MSG from send to kdc, and if this is the second time bail + out; try to free memory + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc_flags): new function, + and then implement the order krb5_sendto_kdc* function with this + function. 
+ + * lib/krb5/krbhst.c (krb5_krbhst_init_flags): new function, use it + and adapt callers + (krbhst_get_default_proto): new function, returns udp, or in case + large_msg was requested for the krb5_krbhst_data, use tcp. + (*): if the flag KD_LARGE_MSG was set on the krb5_krbhst_data, avoid + using udp, use krbhst_get_default_proto + + * lib/krb5/krb5.h: flags for krb5_krbhst_init_flags (and + krb5_send_to_kdc_flags) + +2003-09-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/rd_req.c (krb5_rd_req): if we have a keyblock in auth + context, use that + + * appl/test/uu_client.c: print authorization data if there are any + + * lib/asn1/asn1_print.c: decode IA5Stringa and UTF8String + +2003-09-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c: use _krb5_get_init_creds_opt_copy + * lib/krb5/init_creds.c: don't export krb5_get_init_creds_opt_copy + + * lib/hdb/Makefile.am: libhdb might depend on LIB_dlopen + + * kuser/kinit.c: don't get v4 tickets by default + +2003-09-20 Love Hörnquist Åstrand <lha@it.su.se> + + * kpasswd/kpasswdd.c (process): remove a abort() + + * doc/win2k.texi: add some text about netdom.exe and trusts + + * TODO-1.0: gssapi rc4 done + + * kpasswd/kpasswdd.c: add support for Set password protocol as + defined by RFC3244 -- Microsoft Windows 2000 Kerberos Change + Password and Set Password Protocols + +2003-09-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/db3.c: improve readability of ->open ifdef, check if + version >= 4.1 + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_copy): add + + * lib/krb5/rd_req.c (krb5_rd_req): allow caller to pass in a key + in the auth_context, they way processes that doesn't use the + keytab can still pass in the key of the service (matches behavior + of MIT Kerberos). 
+ +2003-09-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c: collect all init_creds context into a + structure so it can easier be passed around, also, while here, + change nonce for every request + + * lib/krb5/get_in_tkt.c (init_as_req): don't realloc data before + the loop, add_padata() will handle that itself + + * lib/krb5/get_for_creds.c (add_addrs): don't increase addr->len + until in contains interesting data, use right iteration counter + when clearing the addresses + + * lib/krb5/log.c (log_realloc): increase len after realloc returns + sucessfully + +2003-09-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/config_file.c: fix prototypes + 
From: Fredrik Ljungberg <flag@pobox.se> + +2003-09-10 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/test/http_client.c: close socket when we are done, don't + allow the server to restart gssapi negotiation + + * lib/hdb/hdb_locl.h: include <limits.h> for ULONG_MAX noted by + Wissler Magnus <M.Wissler@abalon.se> on heimdal-discuss + + * appl/test/gssapi_client.c (proto): use select_mech + + * appl/test/http_client.c: use getarg + + * appl/test/gss_common.h: prototype for select_mech + + * appl/test/gss_common.c (select_mech): return the gss_OID from a + mech name + + * appl/test/http_client.c: print both source and target + + * appl/test/Makefile.am: build http_client + +2003-09-09 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/asn1_print.c: add support for printing Enumerated + + * appl/test/gssapi_client.c: allow user to select mech; krb5, + spnego, and no-oid + + * appl/test/test_locl.h: add mech + + * appl/test/common.c: add --mech,-m argument + + * appl/test/gssapi_server.c: print the mech that was used + + * kdc/kerberos5.c (only_older_enctype_p): check request if the + client only supports old enctypes, before it used the database + +2003-09-08 Love Hörnquist Åstrand <lha@it.su.se> + + * **/*.c: add context argument to krb5_get_init_creds_opt_alloc + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_alloc): add + context argument + + * lib/krb5/krb5_get_init_creds.3: spelling + +2003-09-04 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/context.c (add_file): make len argument an pointer to + an integer + + * lib/asn1/k5.asn1: add SAM types + + * lib/krb5/init_creds_pw.c: break out the encrypt timestamp + preauth to its function break out the pa_data_to_key_plain to its + own function make more variables const + +2003-09-04 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5.conf.5: document appdefaults/{forward,encrypt} + +2003-09-03 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.h: Add key usage for encryption of the + 
SAM-NONCE-OR-SAD field. + + * include/make_crypto.c: include <openssl/ui.h> in the openssl + case + + * kdc/hprop.h: use new DES_ api + + * lib/krb5/krb5-v4compat.h: assume session key is a char array of + length 8 + + * lib/krb5/prompter_posix.c: + s/des_read_pw_string/UI_UTIL_read_pw_string/ + + * kuser/kinit.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ + + * kdc/string2key.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ + + * kdc/kstash.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ + + * admin/add.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ + + * lib/krb5/crypto.c: switch from the des_ to the DES_ api + + * kdc/hprop.c: use DES_KEY_SZ instead of sizeof(des_block) + + * kuser/kverify.c: use + krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free + + * kpasswd/kpasswd-generator.c: use + krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free + + * kdc/hprop.c: use + krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free compare + a uint32_t with 0xffffffff instead of -1 + + * lib/krb5/krb5_425_conv_principal.3: fix [Gt] + + * kuser/kinit.c: use + krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): handle + password passed in though context + + * lib/krb5/Makefile.am (TESTS): += test_config + + * lib/krb5/aes-test.c: move variable thats used within a #ifdef to + be defined within that #ifdef + + * lib/krb5/data.c (krb5_data_free): reset whole krb5_data when + freeing it + + * lib/krb5/keyblock.c (krb5_keyblock_zero): new function, zeros + out a keyblock + + * lib/krb5/init_creds_pw.c: rewrite/implement + krb5_get_init_creds_password with new preauth handing, still it + can only work with krb5-pa-enc-timestamp for preauth, but now it + can handle etype-info2 + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_alloc): allocate + a opt structure + (krb5_get_init_creds_opt_free): free a opt structure + (krb5_get_init_creds_opt_set_pa_password): set preauth info for + 
enc-timestamp + + * lib/krb5/krb5_locl.h: add struct + _krb5_get_init_creds_opt_private + +2003-09-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.h: add SAM keyusage numbers, add s2k proc typedef, + add a pointer to a private part of krb5_get_init_creds_opt + + * kdc/string2key.c (main): avoid const warning by using a extra + variable + +2003-08-31 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): + reindent + + * lib/krb5/ticket.c (krb5_copy_ticket): free all data when + failing, copy data to right memory, the later pointed out by Luke + Howard. + +2003-08-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.h: cfx-01 use diffrent usage numbers + +2003-08-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/db3.c: try to include more db headers + + * lib/hdb/db3.c: patch for working with DB4 on heimdal-discuss + From: Luke Howard <lukeh@PADL.COM> + +2003-08-28 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.h: add KEYTYPE_ARCFOUR_56 + + * appl/test/gssapi_client.c: send both INT and CONF wrapped token + + * appl/test/gssapi_server.c: recv both INT and CONF wrapped token + + * lib/asn1/k5.asn1: add KRB5_NT_SMTP_NAME and KRB5_NT_ENTERPRISE + +2003-08-27 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/test/uu_client.c (proto): fill in client in the match cred + +2003-08-26 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.h: CFX uses slightly diffrent usage numbers + + * lib/krb5/crypto.c (usage2arcfour): simplify, only include + special cases 
From: Luke Howard <lukeh@PADL.COM> + +2003-08-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: code rewrite from Luke Howard + <lukeh@PADL.COM> + + * lib/krb5/crypto.c (arcfour_checksum_p): return true when is + arcfour, not when its not pointed out by Luke Howard + + * doc/ack.texi: update Luke Howard email address + +2003-08-24 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_encrypt.3: document: + krb5_crypto_getconfoundersize, krb5_crypto_getblocksize + krb5_crypto_getenctype, krb5_crypto_getpadsize + + * lib/krb5/crypto.c (krb5_crypto_getpadsize, + krb5_crypto_getconfoundersize): added From: Luke Howard + <lukeh@PADL.COM> + +2003-08-23 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/connect.c (handle_tcp): handle recvfrom returning 0 + (connection closed) + + * kdc/connect.c (grow_descr): increment the size after we succeed + to allocate the space + + * lib/krb5/krb5_create_checksum.3: text about when + krb5_crypto_get_checksum_type is useful + + * lib/krb5/crypto.c (krb5_crypto_get_checksum_type): fix format + string + + * lib/krb5/krb5_create_checksum.3: document + krb5_crypto_get_checksum_type + + * lib/krb5/crypto.c: add krb5_crypto_get_checksum_type + From: Luke Howard <lukeh@PADL.COM> + + * lib/asn1/gen.c: s/UTF8String/heim_utf8_string/ in generated code + From: Luke Howard <lukeh@PADL.COM> + +2003-08-21 Love Hörnquist Åstrand <lha@it.su.se> + + * include/make_crypto.c: include aes.h inc in the local libdes + case too + +2003-08-20 Johan Danielsson <joda@pdc.kth.se> + + * lib/asn1/der_free.c: set free'd poiners to NULL + + * lib/asn1/gen_free.c: set free'd poiners to NULL + +2003-08-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/heim_threads.h: XXX don't use "plain" pthread support + on netbsd + + * lib/krb5/crypto.c: Do the arcfour checksum mapping for + krb5_create_checksum and krb5_verify_checksum, 
From: Luke Howard + <lukeh@PADL.COM> + +2003-08-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_config.c: check krb5_prepend_config_files_default + and krb5_prepend_config_files + + * lib/krb5/context.c: add krb5_prepend_config_files and + krb5_prepend_config_files_default + +2003-08-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/mkey.c (read_master_mit): krb5_ret_int16 takes a int16_t + as argument + + * lib/krb5/parse-name-test.c: please lint (and me) + + * kdc/config.c (configure): remove only set variable 'e' + + * kdc/connect.c (init_socket): sockaddr size argument to + krb5_addr2sockaddr is a krb5_addr2sockaddr * + + * kdc/kerberos5.c (as_rep): remove usused variable + (tgs_rep2): don't use a temporary ret-variable, ret is reset later + + * lib/krb5/krb5_get_in_cred.3: these function will be deprecated + + * lib/krb5/Makefile.am: man_MANS += krb5_get_init_creds.3 + + * lib/krb5/krb5_get_init_creds.3: begining of documentation of + krb5_get_init_creds + + * lib/krb5/get_in_tkt.c (krb5_get_in_tkt): for compatibility with + with the mit implemtation, don't free `creds' argument when done, + its up the the caller to do that, also allow a NULL ccache. + +2003-08-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.conf.5: document tgs_require_subkey + + * lib/asn1/Makefile.am: remove trance of generate tests files, its + not really for consumption yet + + * lib/hdb/Makefile.am: split generated source from non generated + source we make-proto.pl can generate prototypes for non + generate-source only (make-proto.pl dies on asn1compile's .c + files) + + * lib/krb5/get_cred.c (init_tgs_req): make generation of subkey + optional on configuration parameter + [realms]realm={tgs_require_subkey=bool} + defaults to off. The RFC1510 weakly defines the correct behavior, + so old DCE secd apparently required the subkey to be there, and MS + will use it when its there. 
But the request isn't encrypted in the + subkey, so you get to choose if you want to talk to a MS mdc or a + old DCE secd. + + * kdc/kerberos5.c (*): handle krb5_unparse_name returning non-zero + +2003-08-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/principal.c (unparse_name): len can't be zero, so, + don't check for that + +2003-08-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/principal.c (unparse_name): make sure there are space + for a NUL, set *name to NULL when there is a failure (so caller + can't get hold of a freed pointer) + +2003-07-26 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/kerberos.8: remove duplicate manual, from + cjep@netbsd.org + +2003-07-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/cache.c: indent + + * lib/krb5/cache.c (krb5_cc_set_default_name): only read + KRB5CCNAME when not suid + +2003-07-24 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/keytab_krb4.c (read_v4_entry): the des key is 8 bytes, + use a char array instead of des_cblock + +2003-07-23 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: add support for KRB5_PADATA_ETYPE_INFO2 + + * lib/krb5/crypto.c (hmac): make it return an error when out of + memory, update callsites to either return error or use krb5_abortx + (krb5_hmac): expose hmac + +2003-07-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/keyblock.c (krb5_keyblock_get_enctype): return enctype + of keyblock + + * lib/krb5/Makefile.am (man_MANS): += krb5_keyblock.3 + + * lib/krb5/krb5_keyblock.3: some information about krb5_keyblock + and related functions + + * lib/krb5/heim_threads.h: make the non-debug version of the mutex + macros "use" the "mutex" integer so the compile wont complain + about defined unused variables + + * lib/krb5/heim_threads.h: make thread local storage macros take a + "return" argument so no functions need to be created for the + no-pthread case + + * lib/krb5/heim_threads.h: adding RWLOCKS and [sg]etspecific + + * configure.in: use 
KRB_PTHREADS + + * lib/asn1/Makefile.am (gen_files): add asn1_KerberosString and + sort + + * lib/asn1/k5.asn1 (ETYPE-INFO2-ENTRY): salt is a KerberosString + + * lib/krb5/krb5.3: add ticket access functions + * lib/krb5/krb5_ticket.3: ditto + * lib/krb5/ticket.c: ditto + * lib/krb5/Makefile.am: ditto + + * lib/krb5/mit_glue.c: add some more krb5_c functions + + * lib/krb5/krb5_c_make_checksum.3: add some more krb5_c functions + + * lib/krb5/crypto.c (krb5_cksumtype_valid): check is checksum type + is a valid one + + * lib/krb5/crypto.c (krb5_checksum_is_keyed): only set extented + error string when there is a context + (krb5_checksum_is_collision_proof): ditto + +2003-07-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/mit_glue.c (krb5_c_get_checksum): make type and data + argument optional + (krb5_c_{encrypt,decrypt}): return "better" error codes for + invalid ivec length + + * lib/krb5/krb5_c_make_checksum.3: update krb5_c_get_checksum + usage + + * lib/krb5/crypto.c (krb5_crypto_getenctype): new function + + * include/make_crypto.c: avoid redefining + OPENSSL_DES_LIBDES_COMPATIBILITY + + * lib/krb5/krb5.h: add krb5_enc_data + +2003-07-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.3: add krb5_c_ functions + + * lib/krb5/mit_glue.c: support passing in NULL as the + cipher_state/ivec + + * lib/krb5/aes-test.c: add test for krb5_c_encrypt_length and + krb5_c_decrypt + + * lib/krb5/krb5_c_make_checksum.3: krb5_c encryption glue + + * lib/krb5/crypto.c (wrapped_length/wrapped_length_derived): when + calculating the length of the encrypted data, use the keyed + checksum length if the enctype supports a keyed checksum. This + only matter for aes, for all other enctypes the key and unkeyed + checksum have the same length. 
+ +2003-07-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/mit_glue.c: first version of krb5_c encryption glue + + * doc/install.texi: update pointer to luke ldap documentation + + * lib/hdb/hdb.c (hdb_create): check for dynamic backend after + static to avoid warning from dynamic backend when using a known + static backend + +2003-07-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/cache.c: don't return value in void function + +2003-07-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/creds.c (krb5_compare_creds): if client is specified in + the mcreds, check that too + + * lib/krb5/{keytab_file.c,principal.c,mk_error.c,krb5.h,get_cred.c}: + prefix libasn1 types with heim_ + + * lib/asn1: prefix typedefs and structs with heim_ + +2003-07-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb.c: avoid unnecessary setting of variable + +2003-07-07 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/klist.c (check_for_tgt): use krb5_cc_clear_mcred + + * appl/test/uu_client.c (proto): use krb5_cc_clear_mcred + + * lib/krb5/get_cred.c (init_tgs_req): in case of error, don't free + in the req_body addresses since they where pass in by caller + (find_cred): use krb5_cc_clear_mcred + + * lib/krb5/krb5_ccache.3: document krb5_cc_clear_mcred + + * lib/krb5/cache.c (krb5_cc_clear_mcred): new function, clear a + krb5_creds to use with krb5_cc_retrieve_cred + +2003-06-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb.c (find_dynamic_method): if there isn't a prefix, + don't load anything + +2003-06-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb.c: Dynamic backend loading, based on patch from Luke + Howard <lukeh@PADL.COM> + + * lib/hdb/hdb.h: add struct hdb_so_method and + HDB_INTERFACE_VERSION + +2003-06-28 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): when using + arcfour-hmac-md5, use an unkeyed checksum (rsa-md5), since + Microsoft calculates the keyed checksum with the subkey of the + 
authenticator. + + * kuser/kinit.c: write out v4 credential caches with + _krb5_krb_tf_setup + + * lib/krb5/krb5-v4compat.h: add _krb5_krb_tf_setup + + * lib/krb5/convert_creds.c (_krb5_krb_tf_setup): create/append v4 + credential to a new krb4 ticket file + +2003-06-27 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5_kuserok.3: put Nd argument in double quotes since + it contains more than 9 words; from wiz + +2003-06-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.c: add missing " within #if 0, from + stefan sokoll <stefansokoll@yahoo.de> + +2003-06-24 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_timeofday.3: improve krb5_set_real_time text + + * lib/krb5/time.c: improve comment for krb5_set_real_time + +2003-06-23 Johan Danielsson <joda@pdc.kth.se> + + * kuser/kinit.1: document -A + + * kuser/kinit.c: add -A as an alias for --no-addresses + +2003-06-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): pass in a + krb5_timestamp to krb5_us_timeofday + + * lib/krb5/mk_error.c (krb5_mk_error): pass in a krb5_timestamp to + krb5_us_timeofday + + * lib/krb5/time.c (krb5_set_real_time): fix comment and make it + work + + * lib/krb5/time.c, lib/krb5/krb5_timeofday.3, + lib/krb5/Makefile.am lib/krb5/test_time.c: + + implement krb5_set_real_time, used by SAMBA, requested by Luke + Howard <lukeh@PADL.COM> + + * lib/asn1/k5.asn1: make the aes and sha1 checksum types match + draft-ietf-krb-wg-crypto-05 + +2003-06-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/aes-test.c: add a test for aes kcrypto encrypted data + + * lib/krb5/crypto.c: clean up AES code to use a structure instead + of a key array + (_krb5_AES_string_to_default_iterator): set to 4096 as described in + aes draft -04 + (derive_key): always remove the key->schedule since its + will contain the wrong (parent key) info + +2003-06-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/aes-test.c: add aes256 test 
vectors from Ken Raeburn + * doc/setup.texi: add more kdc's to the example + +2003-06-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: use int2HDBFlags/HDBFlags2int From: Alberto + Patino <jalbertop@aranea.com.mx>, Luke Howard <lukeh@PADL.COM> + Pointed out by Andrew Bartlett of Samba + + * lib/krb5/heim_threads.h: remove freebsd comment, don't use debug + pthread stubs by default + + * lib/krb5/Makefile.am (man_MANS): drop krb5_free_addresses.3 + + * lib/krb5/krb5_free_addresses.3: removed file, functions are + documented in krb5_address.3 + + * lib/krb5/codec.c: add krb5_{de,en}code_ETYPE_INFO2 + + * lib/krb5/crypto.c: add _krb5_AES_string_to_default_iterator add + krb5_string_to_key_salt_opaque() fix keylengh for keytype_aes256 + +2003-06-06 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: Point out that slave needs /var/heimdal + directory and masterkey 
From: Mans Nilsson <mansaxel@sunet.se>, + Fix spelling while here + +2003-06-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am, krb5_get_in_cred.3, krb5.3: + add manpage for: krb5_get_in_cred, krb5_get_in_tkt, + krb5_get_in_tkt_with_keytab, krb5_get_in_tkt_with_password, + krb5_get_in_tkt_with_skey + +2003-05-28 Assar Westerlund <assar@kth.se> + + * lib/krb5/heim_threads.h: Fix unlock/destroy macros for the + non-threaded cases to work. Fix typo. + +2003-05-27 Johan Danielsson <joda@pdc.kth.se> + + * lib/asn1/{der_put.c,der_length.c,check-der.c}: Fix encoding of + "unsigned" integers. If MSB is set, we need to pad with a zero + byte. + +2003-05-27 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_c_make_checksum.3: some more mdoc fixes + + * lib/hdb/hdb-ldap.c (LDAP__connect): bind sasl "EXTERNAL" to ldap + connection + (LDAP_store): remove superfluous argument to asprintf + + From Alberto Patino <jalbertop@aranea.com.mx> + +2003-05-26 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/*.[0-9]: pacify mdoclink + + * lib/krb5/krb5_ccache.3: document diffrences between mit and + heimdal krb5_cc_gen_new ccache -> credential cache s/[\t ]+$// + +2003-05-21 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/test/gssapi_server.c (proto): start to use + gss_krb5_copy_ccache + + * appl/test/nt_gss_server.c (proto): comment out gss_ctx_id_t + groveling for now + +2003-05-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1: + - add parser/generate glue for UTF8String and NULL + (DER primitive encode/decode functions missing) + - handle parsing of DEFAULT and, ... 
+ +2003-05-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/heim_threads.h: add missing argument to mutex_init + + * lib/krb5/crypto.c: protect the random initiator with a mutex + + * lib/krb5/mcache.c: protect the mcc_head with a mutex + + * lib/krb5/krb5_locl.h: include heim_threads.h + + * lib/krb5/heim_threads.h: wrapper macros for thread + synchronization primitives + +2003-05-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_principal.3 + lib/krb5/Makefile.am: + Add all Kerberos principal function to one manpage, add a few more + principal function to it, remove old now dup manpages + + * lib/krb5/krb5_build_principal.3: remove file + * lib/krb5/krb5_free_principal.3: remove file + * lib/krb5/krb5_sname_to_principal.3: remove file + * lib/krb5/krb5_principal_get_realm.3: remove file + +2003-05-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.8: sort sections, from netbsd + + * lib/krb5/krb5_verify_user.3: .Sh EXAMPLE -> .Sh EXAMPLES, from + netbsd + + * lib/krb5/krb5_openlog.3: .Sh EXAMPLE -> .Sh EXAMPLES, sort + sections, from netbsd + + * lib/krb5/krb5_keytab.3: .Sh EXAMPLE -> .Sh EXAMPLES, mdoc fixes, + from netbsd + + * lib/krb5/krb5_get_krbhst.3: .Sh EXAMPLE -> .Sh EXAMPLES, from + netbsd + + * lib/krb5/krb5_get_all_client_addrs.3: add .Os, from NetBSD + + * lib/krb5/krb5_build_principal.3: sort sections, from NetBSD + + * lib/krb5/krb5.conf.5: .Sh EXAMPLE -> .Sh EXAMPLES, from netbsd + + * lib/krb5/get_default_realm.c: compatability -> compatibility, + from netbsd + + * lib/krb5/krb5_warn.3: add copyright/license + + * lib/krb5/krb5_context.3: add SYNOPSIS and LIBRARY + + * lib/krb5/krb5.3: add RCSID + + * kdc/hprop.8: fix mdoc problem, from netbsd + + * lib/krb5/krb5_krbhst_init.3: uppercase url, from Thomas Klausner + <wiz@netbsd.org> + + * kuser/kinit.1: setup -> set up, new sentence, new line from + Thomas Klausner <wiz@netbsd.org> + +2003-05-13 Love Hörnquist Åstrand <lha@it.su.se> + + * kpasswd/kpasswd.1: 
handle setting passwords for multiple + principals at the same time + + * kpasswd/kpasswd.c: handle setting passwords for multiple + principals at the same time + + * lib/krb5/changepw.c: draft-ietf-cat-kerb-chg-password-02 and + rfc3244 share the response packet sure more constants now that + they exists + +2003-05-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.h: some define for rfc3244 + + * lib/krb5/krb5.3: add krb5_change_password and krb5_set_password + + * kpasswd/kpasswd.1: document --admin-principal + + * kpasswd/kpasswd.c: use krb5_set_password + + * lib/krb5/krb5_set_password.3: document krb5_change_password and + krb5_set_password + + * lib/krb5/changepw.c: implement rfc3244, partly from + shadow@dementia.org + + * lib/asn1/Makefile.am (gen_files): asn1_ChangePasswdDataMS.x for + RFC3244 + + * lib/asn1/k5.asn1: add ChangePasswdDataMS, for + RFC3244 + +2003-05-08 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kdestroy.c: destroy tokens even if there isn't v4 support + + * kuser/kinit.c: get token even if there isn't v4 support + + * kuser/klist.c: print tokens even if there isn't v4 support + +2003-05-06 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/name-45-test.c: need to use empty krb5.conf for some + tests + + * lib/asn1/check-gen.c: there is no \e escape sequence; replace + everything with hex-codes, and cast to unsigned char* to make some + compilers happy + +2003-05-06 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_in_tkt.c (make_pa_enc_timestamp): make sure first + argument to krb5_us_timeofday have correct type + +2003-05-05 Assar Westerlund <assar@kth.se> + + * include/make_crypto.c (main): include aes.h if ENABLE_AES + +2003-05-05 Love Hörnquist Åstrand <lha@it.su.se> + + * make-release: when fixing a valid cvs tag from release name + replace all number. 
to number- for all non-overlapping matches + +2003-05-04 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/Makefile.am: gen_files += asn1_ETYPE_INFO2.x and + asn1_ETYPE_INFO2_ENTRY.x + (libasn1_la_LDFLAGS): set version to 6:1:1 + + * doc/Makefile.am: add apps.texi + + * doc/setup.texi: add move forward link to applications + + * doc/heimdal.texi: add applications + + * doc/misc.texi: move afs stuff to applications add link to + applications + + * doc/apps.texi: text about applications using kerberos + move afs text here + +2003-05-03 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: add cross realm text + +2003-04-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_crypto_init.3: document krb5_enctype_to_string and + krb5_string_to_enctype + +2003-04-28 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/v4_dump.c (v4_prop_dump): limit strings length, from openbsd + +2003-04-26 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/aes-test.c: use _krb5_PKCS5_PBKDF2 + * lib/krb5/crypto.c: unexport krb5_PKCS5_PBKDF2 + +2003-04-25 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/build_auth.c (krb5_build_authenticator): if the local + sequence number is non-zero, don't generate a new one + + * lib/krb5/mk_rep.c (krb5_mk_rep): if the local sequence number is + non-zero, don't generate a new one + + * lib/krb5/time.c (krb5_us_timeofday): make the sec parameter a + krb5_timestamp + + * lib/krb5/mk_priv.c lib/krb5/mk_safe.c lib/krb5/rd_priv.c + lib/krb5/rd_safe.c lib/krb5/rd_cred.c: implement RET_SEQUENCE and + RET_TIME + + * lib/krb5/krb5.h (krb5_replay_data): make usec signed (matching + asn1) + +2003-04-24 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/programming.texi: s/managment/management/, from jmc + <jmc@prioris.mini.pw.edu.pl> + +2003-04-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/context.c (default_etypes): also advertise that we + handle aes encryption types + + * lib/krb5/Makefile.am: add krb5_c_ checksum related functions + + * 
lib/krb5/krb5_c_make_checksum.3: document krb5_c_ checksum + related functions + + * lib/krb5/mit_glue.c: add compat mit krb5_c checksum related + functions + + * lib/asn1/k5.asn1: add ETYPE-INFO2 and ETYPE-INFO2-ENTRY + +2003-04-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krbhst.c: copy NUL too, from janj@wenf.org via openbsd + +2003-04-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/der_copy.c (copy_general_string): use strdup + * lib/asn1/der_put.c: remove sprintf + * lib/asn1/gen.c: remove strcpy/sprintf + + * lib/krb5/name-45-test.c: use a more unique name then ratatosk so + that other (me) have such hosts in the local domain and the tests + fails, to take hokkigai.pdc.kth.se instead + + * lib/krb5/test_alname.c: add --version and --help + +2003-04-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_warn.3: add krb5_get_err_text + + * lib/krb5/transited.c: use strlcat/strlcpy, from openbsd + * lib/krb5/krbhst.c (srv_find_realm): use strlcpy, from openbsd + * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use + strlcpy, from openbsd + * kdc/hpropd.c: s/strcat/strlcat/, inspired from openbsd + * appl/kf/kfd.c: use strlcpy, from openbsd + +2003-04-16 Johan Danielsson <joda@pdc.kth.se> + + * configure.in: fix for large file support in AIX, _LARGE_FILES + needs to be defined on the command line, since lex likes to + include stdio.h before we get to config.h + +2003-04-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/*.3: Change .Fd #include <header.h> to .In header.h, + from Thomas Klausner <wiz@netbsd.org> + + * lib/krb5/krb5.conf.5: spelling, from Thomas Klausner + <wiz@netbsd.org> + +2003-04-15 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: fix some more memory leaks + +2003-04-11 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/kf/kf.1: spelling, from jmc <jmc@prioris.mini.pw.edu.pl> + +2003-04-08 Love Hörnquist Åstrand <lha@it.su.se> + + * admin/ktutil.8: typos, from jmc <jmc@acn.waw.pl> + +2003-04-06 
Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.3: s/kerberos/Kerberos/ + * lib/krb5/krb5_data.3: s/kerberos/Kerberos/ + * lib/krb5/krb5_address.3: s/kerberos/Kerberos/ + * lib/krb5/krb5_ccache.3: s/kerberos/Kerberos/ + * lib/krb5/krb5.conf.5: s/kerberos/Kerberos/ + * kuser/kinit.1: s/kerberos/Kerberos/ + * kdc/kdc.8: s/kerberos/Kerberos/ + +2003-04-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_alname.c: more krb5_aname_to_localname tests + + * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): when + converting too root, make sure user is ok according to + krb5_kuserok before allowing it. + + * lib/krb5/Makefile.am (noinst_PROGRAMS): += test_alname + + * lib/krb5/test_alname.c: add test for krb5_aname_to_localname + + * lib/krb5/crypto.c (krb5_DES_AFS3_CMU_string_to_key): used p1 + instead of the "illegal" salt #~, same change as kth-krb did + 1999. Problems occur with crypt() that behaves like AT&T crypt + (openssl does this). Pointed out by Marcus Watts. + + * admin/change.c (kt_change): collect all principals we are going + to change, and pick the highest kvno and use that to guess what + kvno the resulting kvno is going to be. Now two ktutil change in a + row works. XXX fix the protocol to pass the kvno back. 
+ +2003-03-31 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/kf/kf.1: afs->AFS, from jmc <jmc@acn.waw.pl> + +2003-03-30 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: add description on how to turn on v4, 524 and + kaserver support + +2003-03-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.c (appdefaults_entries): add afslog + and afs-use-524 + +2003-03-28 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (as_rep): when the second enctype_to_string + failes, remember to free memory from the first enctype_to_string + + * lib/krb5/crypto.c (usage2arcfour): map KRB5_KU_TICKET to 2, + from Harald Joerg <harald.joerg@fujitsu-siemens.com> + (enctype_arcfour_hmac_md5): disable checksum_hmac_md5_enc + + * lib/hdb/mkey.c (hdb_unseal_keys_mkey): truncate key to the key + length when key is longer then expected length, its probably + longer since the encrypted data was padded, reported by Aidan + Cully <aidan@kublai.com> + + * lib/krb5/crypto.c (krb5_enctype_keysize): return key size of + encyption type, inspired by Aidan Cully <aidan@kublai.com> + +2003-03-27 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/keytab.c (krb5_kt_get_entry): avoid printing 0 + (wildcard kvno) after principal when the keytab entry isn't found, + reported by Chris Chiappa <chris@chiappa.net> + +2003-03-26 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/misc.texi: update 2b example to match reality (from + mattiasa@e.kth.se) + + * doc/misc.texi: spelling and add `Configuring AFS clients' + subsection + +2003-03-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.3: add krb5_free_data_contents.3 + + * lib/krb5/data.c: add krb5_free_data_contents for compat with MIT + API + + * lib/krb5/krb5_data.3: add krb5_free_data_contents for compat + with MIT API + + * lib/krb5/krb5_verify_user.3: write more about how the ccache + argument should be inited when used + +2003-03-25 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/addr_families.c 
(krb5_print_address): make sure + print_addr is defined for the given address type; make addrports + printable + + * kdc/string2key.c: print the used enctype for kerberos 5 keys + +2003-03-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/aes-test.c: add another arcfour test + +2003-03-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/aes-test.c: sneek in a test for arcfour-hmac-md5 + +2003-03-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_ccache.3: update .Dd + + * lib/krb5/krb5.3: sort in krb5_data functions + + * lib/krb5/Makefile.am (man_MANS): += krb5_data.3 + + * lib/krb5/krb5_data.3: document krb5_data + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): if + prompter is NULL, don't try to ask for a password to + change. reported by Iain Moffat @ ufl.edu via Howard Chu + <hyc@highlandsun.com> + +2003-03-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_keytab.3: spelling, from + <jmc@prioris.mini.pw.edu.pl> + + * lib/krb5/krb5.conf.5: . 
means new line + + * lib/krb5/krb5.conf.5: spelling, from + <jmc@prioris.mini.pw.edu.pl> + + * lib/krb5/krb5_auth_context.3: spelling, from + <jmc@prioris.mini.pw.edu.pl> + +2003-03-18 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/Makefile.am: INCLUDES: -I$(srcdir)/../lib/krb5 + + * lib/krb5/convert_creds.c: add _krb5_krb_life_to_time + + * lib/krb5/krb5-v4compat.h: add _krb5_krb_life_to_time + + * kdc/kdc_locl.h: 524 is independent of kerberos 4, so move out + #ifdef KRB4 from enable_v4_cross_realm since 524 needs it + + * kdc/config.c: 524 is independent of kerberos 4, so move out + enable_v4_cross_realm from #ifdef KRB4 since 524 needs it + +2003-03-17 Assar Westerlund <assar@kth.se> + + * kdc/kdc.8: document --kerberos4-cross-realm + * kdc/kerberos4.c: pay attention to enable_v4_cross_realm + * kdc/kdc_locl.h (enable_v4_cross_realm): add + * kdc/524.c (encode_524_response): check the enable_v4_cross_realm + flag before giving out v4 tickets for foreign v5 principals + * kdc/config.c: add --enable-kerberos4-cross-realm option (default + to off) + +2003-03-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am (man_MANS) += krb5_aname_to_localname.3 + + * lib/krb5/krb5_aname_to_localname.3: manpage for + krb5_aname_to_localname + + * lib/krb5/krb5_kuserok.3: s/KRB5_USEROK/KRB5_KUSEROK/ + +2003-03-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am (man_MANS): add krb5_set_default_realm.3 + + * lib/krb5/krb5.3: add manpages from krb5_set_default_realm.3 + + * lib/krb5/krb5_set_default_realm.3: Manpage for + krb5_free_host_realm, krb5_get_default_realm, + krb5_get_default_realms, krb5_get_host_realm, and + krb5_set_default_realm. 
+ + * admin/ktutil.8: s/entype/enctype/, from Igor Sobrado + <sobrado@acm.org> via NetBSD + + * lib/krb5/krb5_keytab.3: add documention for krb5_kt_get_type + + * lib/krb5/keytab.c (krb5_kt_get_type): get prefix/type of keytab + + * lib/krb5/krb5.h (KRB5_KT_PREFIX_MAX_LEN): max length of prefix + + * lib/krb5/krb5_ccache.3: document krb5_cc_get_ops, add more + types, add krb5_fcc_ops and krb5_mcc_ops + + * lib/krb5/cache.c (krb5_cc_get_ops): new function, return ops for + a id + +2003-03-15 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/intro.texi: add reference to source code, binaries and the + manual + + * lib/krb5/krb5.3: krb5.h isn't in krb5 directory in heimdal + +2003-03-14 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kdc.8: better/difrent english + + * kdc/kdc.8: . -> .\n, copyright/license + + * kdc/kdc.8: changed configuration file -> restart kdc + + * kdc/kerberos4.c: add krb4 into the most error messages written + to the logfile + + * lib/krb5/krb5_ccache.3: add missing name of argument + (krb5_context) to most functions + +2003-03-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/kuserok.c (krb5_kuserok): preserve old behviour of + function and return FALSE when there isn't a local account for + `luser'. 
+ + * lib/krb5/krb5_kuserok.3: fix prototype, spelling and more text + describing the function + +2003-03-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/cache.c (krb5_cc_default): if krb5_cc_default_name + returned memory, don't return ENOMEM + +2003-03-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.3: add krb5_address stuff and sort + + * lib/krb5/krb5_address.3: fix krb5_addr2sockaddr description + + * lib/krb5/Makefile.am (man_MANS): += krb5_address.3 + + * lib/krb5/krb5_address.3: document types krb5_address and + krb5_addresses and their helper functions + +2003-03-10 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am (man_MANS): += krb5_kuserok.3 + + * lib/krb5/krb5_kuserok.3: spelling, from cizzi@it.su.se + + * lib/krb5/Makefile.am (man_MANS): += krb5_ccache.3 + + * lib/krb5/krb5_ccache.3: spelling, from cizzi@it.su.se + + * lib/krb5/krb5.3: add more functions + + * lib/krb5/krb5_ccache.3: document krb5_ccache and krb5_cc + functions + + * lib/krb5/krb5_kuserok.3: document krb5_kuserok + + * lib/krb5/krb5_verify_user.3: document + krb5_verify_opt_set_flags(opt, KRB5_VERIFY_LREALMS) behavior + + * lib/krb5/krb5_verify_user.3: document krb5_verify_opt* and + krb5_verify_user_opt + + * lib/krb5/*.[0-9]: add copyright/licenses on more manpages + + * kuser/kdestroy.c (main): handle that krb5_cc_default_name can + return NULL + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump minor + (TESTS): add test_cc + + * lib/krb5/test_cc.c: test some + krb5_cc_default_name/krb5_cc_set_default_name combinations + + * lib/krb5/context.c (init_context_from_config_file): set + default_cc_name to NULL + (krb5_free_context): free default_cc_name if set + + * lib/krb5/cache.c (krb5_cc_set_default_name): new function + (krb5_cc_default_name): use krb5_cc_set_default_name + + * lib/krb5/krb5.h (krb5_context_data): add default_cc_name + +2003-02-25 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/kf/kf.1: s/securly/securely/ from NetBSD + 
+2003-02-18 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/connect.c: s/intialize/initialize, from + <jmc@prioris.mini.pw.edu.pl> + +2003-02-17 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: add AM_MAINTAINER_MODE + +2003-02-16 Love Hörnquist Åstrand <lha@it.su.se> + + * **/*.[0-9]: add copyright/licenses on all manpages + +2003-14-16 Jacques Vidrine <nectar@kth.se> + + * lib/krb5/get_in_tkt.c (init_as_req): Send only a single + PA-ENC-TIMESTAMP in the AS-REQ, using the first encryption + type specified by the KDC. + +2003-02-15 Love Hörnquist Åstrand <lha@it.su.se> + + * fix-export: some autoconf put their version number in + autom4te.cache, so remove autom4te*.cache + + * fix-export: make sure $1 is a directory + +2003-02-04 Love Hörnquist Åstrand <lha@it.su.se> + + * kpasswd/kpasswdd.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl> + + * kdc/kdc.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl> + +2003-01-31 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/hpropd.8: s/databases/a database/ s/Not/not/ + + * kdc/hprop.8: add missing . + +2003-01-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.conf.5: documentation for of boolean, etypes, + address, write out encryption type in sentences, s/Host/host + +2003-01-26 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/check-gen.c: add checks for Authenticator too + +2003-01-25 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: in the hprop example, use hprop and the first + component, not host + + * lib/krb5/get_addrs.c (find_all_addresses): address-less + point-to-point might not have an address, just ignore + those. Reported by Harald Barth. 
+ +2003-01-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.c (check_section): when key isn't + found, don't print out all known keys + + * lib/krb5/verify_krb5_conf.c (syslogvals): mark up where severity + and facility start resp + (check_log): find_value() returns -1 when key isn't found + + * lib/krb5/crypto.c (_krb5_aes_cts_encrypt): make key argument a + 'const void *' to avoid AES_KEY being exposed in krb5-private.h + + * lib/krb5/krb5.conf.5: add [kdc]use_2b + + * kdc/524.c (encode_524_response): its 2b not b2 + + * doc/misc.texi: quote @ where missing + + * lib/asn1/Makefile.am: add check-gen + + * lib/asn1/check-gen.c: add Principal check + + * lib/asn1/check-common.h: move generic asn1/der functions from + check-der.c to here + + * lib/asn1/check-common.c: move generic asn1/der functions from + check-der.c to here + + * lib/asn1/check-der.c: move out the generic asn1/der functions to + a common file + +2003-01-22 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/misc.texi: more text about afs, how to get get your KeyFile, + and how to start use 2b tokens + + * lib/krb5/krb5.conf.5: spelling, from Jason McIntyre + <jmc@cvs.openbsd.org> + +2003-01-21 Jacques Vidrine <nectar@kth.se> + + * kuser/kuser_locl.h: include crypto-headers.h for + des_read_pw_string prototype + +2003-01-16 Love Hörnquist Åstrand <lha@it.su.se> + + * admin/ktutil.8: document -v, --verbose + + * admin/get.c (kt_get): make getarg usage consistent with other + other parts of ktutil + + * admin/copy.c (kt_copy): remove adding verbose_flag to args + struct, since it will overrun the args array (from Sumit Bose) + +2003-01-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.conf.5: write more about [realms] REALM = { kdc = + ... } + + * lib/krb5/aes-test.c: test vectors in aes-draft + + * lib/krb5/Makefile.am: add aes-test.c + + * lib/krb5/crypto.c: Add support for AES + (draft-raeburn-krb-rijndael-krb-02), not enabled by default. 
+ (HMAC_SHA1_DES3_checksum): rename to SP_HMAC_SHA1_checksum and modify + to support checksumtype that are have a shorter wireformat then + their output block size. + + * lib/krb5/crypto.c (struct encryption_type): split the blocksize + into blocksize and padsize, padsize is the minimum padding + size. they are the same for now + (enctype_*): add padsize + (encrypt_internal): use padsize + (encrypt_internal_derived): use padsize + (wrapped_length): use padsize + (wrapped_length_dervied): use padsize + + * lib/krb5/crypto.c: add extra `opaque' argument to string_to_key + function for each enctype in preparation enctypes that uses + `Encryption and Checksum Specifications for Kerberos 5' draft + + * lib/asn1/k5.asn1: add checksum and enctype for AES from + draft-raeburn-krb-rijndael-krb-02.txt + + * lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_AES128, + KEYTYPE_AES256 + +2003-01-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/common.c (_hdb_fetch): handle error code from + hdb_value2entry + + * kdc/Makefile.am: always include kerberos4.c and 524.c in + kdc_SOURCES to support 524 + + * kdc/524.c: always compile in support for 524 + + * kdc/kdc_locl.h: move out krb/524 protos from under #ifdef KRB4 + + * kdc/config.c: always compile in support for 524 + + * kdc/connect.c: always compile in support for 524 + + * kdc/kerberos4.c: export encode_v4_ticket() and get_des_key() + even when we build without kerberos 4, 524 needs them + + * lib/krb5/convert_creds.c, lib/krb5/krb5-v4compat.h: Split out + Kerberos 4 help functions/structures so other parts of the source + tree can use it (like the KDC) + diff --git a/crypto/heimdal/ChangeLog.2004 b/crypto/heimdal/ChangeLog.2004 new file mode 100644 index 000000000000..5e3934256828 --- /dev/null +++ b/crypto/heimdal/ChangeLog.2004 
@@ -0,0 +1,1485 @@ +2004-12-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am (CHECK_SYMBOLS): add heim_ and pkcs7_ for + now (used in pkinit) + +2004-12-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/Makefile.am: add CHECK_SYMBOLS + + * lib/hdb/keys.c: make all_etypes static + + * lib/krb5/Makefile.am: add CHECK_SYMBOLS, approve of: -com_err + -version krb5_ _krb5_ __heimdal krb524_ krb4_fkt_ops + + * kdc/kerberos5.c: use private version of principalname + + * kdc/kerberos4.c: use private version of principalname + + * kdc/hpropd.c: use private version of principalname + + * kdc/524.c: use private version of principalname + + * lib/krb5/rd_req.c: use private version of principalname + + * lib/krb5/rd_cred.c: use private version of principalname + + * lib/krb5/init_creds_pw.c: use private version of principalname + + * lib/krb5/get_in_tkt.c: use private version of principalname + + * lib/krb5/asn1_glue.c: make principalname functions private + + * lib/krb5/krb5.h: add key usage for server referrals + +2004-12-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/principal.c: make default_v4_name_convert static + + * lib/krb5/crypto.c: make lots of crypto related variables static + + * lib/krb5/acache.c: make default_acc_name static + +2004-12-28 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: add some text about samba, use example.com + + * lib/hdb/hdb-ldap.c: Add account expiration for samba from James + F. Hranicky <jfh@cise.ufl.edu>. + Add LDAP_addmod_integer and use it. 
+ +2004-12-27 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/{Makefile.am,setup.texi,win2k.texi}: spelling and text + fixes, from Dave Love + +2004-12-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/heim_threads.h: NetBSD 2.99.11 (any maybe 2.1) just + needs pthread.h, threadlib is dead + +2004-12-17 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/config.c (configure): check for deprecated + enforce-transited-policy is set and fail if it is + + * lib/asn1/asn1_print.c: don't print garabage for octet strings + +2004-12-13 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/main.c (main): catch sigpipe, we don't bother select()ing + for errors + + * kdc/connect.c (handle_http_tcp): handle error from write(2) + + * doc/setup.texi: clarify credentials refreshing stuff + + * doc/setup.texi: add new node: Providing Kerberos credentials to + servers and programs + + * doc/whatis.texi: fix spurious cross-reference makeinfo warning + + * lib/hdb/hdb-ldap.c (pos): uppercase in character + +2004-12-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c (LDAP__bytes2hex,LDAP__hex2bytes): encode + nibbels in the other order + + * lib/hdb/hdb-ldap.c: s/objectclass/objectClass/ check if + attribute exists before we try to delete it LDAP__bytes2hex + encodes in strange byte order, is this really right ? + +2004-12-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c (LDAP_firstkey): When iterating over all + entries, search for samba accounts too, 
From: "James F. Hranicky" + <jfh@cise.ufl.edu> + + * lib/hdb/hdb-ldap.c (krb5kdcentry_attrs): ask for attribute uid + too + + * lib/hdb/hdb-ldap.c (LDAP_message2entry): if the entry is missing + both krb5PrincipalName and uid, it must be broken, ignore it and + return it doesn't exists. + +2004-12-10 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/hpropd.8: spelling, from OpenBSD + + * kdc/kdc.8: use keeps for options, From OpenBSD k + +2004-12-09 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: document --random-key and the need to do backup + of the master key + + * kdc/kstash.8: add --random-key + + * kdc/kstash.c: add --random-key + +2004-12-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.8: spelling, from openbsd + + * lib/krb5/krb5_init_context.3: spelling, from openbsd + + * lib/krb5/krb5.conf.5: spelling, from openbsd + + * kuser/kdestroy.1: use keeps around options, spelling, from + openbsd + + * kpasswd/kpasswdd.8: use ., use keeps around options, from OpenBSD + + * kdc/hpropd.8: use keeps around options, from OpenBSD + + * kdc/hprop.8: use keeps around options, from OpenBSD + +2004-11-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/context.c (krb5_free_context): clear error string + before destroying mutex + (krb5_init_context): don't call krb5_free_context before there is a + mutex initialized + +2004-11-18 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c (get_new_tickets): only complain about ticket + renewable lifetime when the user asked for a specific renewable + lifetime + +2004-11-15 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (find_keys): log what principal is missing + enctypes + +2004-11-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): clear pointer after + freeing data + + * lib/krb5/init_creds_pw.c (change_password): handle old_options + being NULL From Guenther Deschner on samba-technical. 
+ +2004-11-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_get_init_creds.3: add more text describing the + krb5_get_init_creds functions + +2004-11-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c: make krb5_get_init_creds_keytab work + again + +2004-11-10 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb.asn1: use constrained integers + +2004-11-09 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_get_init_creds.3: add description for opt_init, + opt_alloc, opt_free + + * lib/krb5/pkinit.c: unexport krb5_get_init_creds_opt_free_pkinit + + * lib/krb5/init_creds.c: unexport + krb5_get_init_creds_opt_free_pkinit + + * lib/krb5/init_creds_pw.c: fold init_init_creds_ctx into + get_init_creds_common + + * lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if the in + options NULL, just make a clean copy + +2004-11-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/sendauth.c (krb5_rd_rep): free ap_rep message earlier + so we don't leak it on error + +2004-10-31 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.conf.5: unbreak 2b entry + + * lib/krb5/acache.c (make_cred_from_ccred): the address isn't a + sockaddr but rather a kerberos address, deal with that. Based on + bug report from Jakob Schlyter <jakob@rfc.se>. 
+ +2004-10-30 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/connect.c: Make sure argument passed to ctype isn't signed + char + +2004-10-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: match new error names + + * lib/krb5/krb5_err.et: make error messages sane again + +2004-10-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/keytab.c: use KRB5_KT_BADNAME + + * lib/krb5/krb5_err.et: sync with mit krb5_err.et (require major + version bump) add KRB5_DELTAT_BADFORMAT + + * lib/krb5/krb5.conf.5: time defaults to "s" + + * lib/krb5/time.c (krb5_string_to_deltat): default to "s" again, + MIT's behavior was actually that it failed to parse the number + (and thus used the default). Even better, ticket_lifetime (that + was a consumer supposed a of the interface) was documented but + never implemented, when it was implemented, people configuraiton + files started to fail. Also, use KRB5_DELTAT_BADFORMAT as a + failure code. + + * lib/asn1/k5.asn1: sync enctypes with pkinit branch + + * lib/asn1/parse.y (readd) support negative numbers + + * lib/asn1/lex.l: support hex numbers + +2004-10-12 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: use ETYPE_DES3_CBC_NONE_CMS + + * lib/krb5/crypto.c: add enctype_des3_cbc_none_cms add cms padding + for rc2 don't to padding for blocksize 1 + + * lib/hdb/{keys.c,Makefile.am},lib/kadm5/{keys,set_keys}.c: + Move keyset parsing and password based keyset generation into hdb. + Requested by Andrew Bartlett <abartlet@samba.org> for hdb-ldb + backend. 
+ +2004-10-07 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: adapt to new signature of + krb5_get_init_creds_opt_set_pkinit + + * lib/krb5/pkinit.c: free openssl engine deal with + RecipientIdentifier -> CMSIdentifier and heim_any -> name change + improve error messages + + * kdc/pkinit.c: free openssl engine deal with RecipientIdentifier + -> CMSIdentifier and heim_any -> name change + +2004-10-04 Johan Danielsson <joda@pdc.kth.se> + + * kuser/klist.c: use rtbl_set_separator + +2004-10-03 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: filter out dup openssl engine keys, parse + user options first + + * lib/krb5/pkinit.c: stop using AlgorithmIdentifierNonOpt, add + openssl engine support for private key + + * lib/krb5/crypto.c: support padding as its done in CMS + + * kdc/pkinit.c: improve error logging + + * kdc/pkinit.c: stop using AlgorithmIdentifierNonOpt + +2004-09-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.conf.5: assume minutes for time + + * lib/krb5/config_file.c (krb5_config_vget_time_default): use + krb5_string_to_deltat + + * lib/krb5/appdefault.c (krb5_appdefault_time): use + krb5_string_to_deltat + + * lib/krb5/time.c (krb5_string_to_deltat): set default unit to + minute for compatibility with MIT Kerberos. + + +2004-09-28 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_cred.c (get_cred_kdc_usage): retry using "large + message safe" transport if we get back + KRB5KRB_ERR_RESPONSE_TOO_BIG error. 
Idea from Guenther Deschner + <gd@sernet.de> + +2004-09-23 Johan Danielsson <joda@pdc.kth.se> + + * admin/list.c: use rtbl + + * admin/ktutil-commands.in: slc source file + + * lib/krb5/constants.c: check + /Library/Preferences/edu.mit.Kerberos on OSX + +2004-09-21 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/time.c (krb5_format_time): check return value from + localtime and strftime + +2004-09-14 Johan Danielsson <joda@pdc.kth.se> + + * kuser/kinit.c: make sure we don't always get renewable creds + +2004-09-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/acache.c: use krb5_ccapi.h + + * lib/krb5/krb5_ccapi.h: break out krb5 api definitions to + separate (not installed) file + + * lib/krb5/Makefile.am: add AM_CPPFLAGS to libkrb5_la_CPPFLAGS + since AM_CPPFLAGS overridden by target specific _CPPFLAGS + +2004-09-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: make variable shorter, make error messages + from pkinit, make freeing easier + +2004-09-06 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: link libkrb5 with LIB_dlopen + + * lib/krb5/crypto.c (seed_something): avoid poking at memory that + is uninitialized, make valgrind unhappy. Pointd out by + abartlet@samba.org. While where, plug the fd leak. 
+ +2004-09-05 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/der_get.c (decode_*): name all tag-length variables the + same + (decode_enumerated): check that the tag-length is not longer the length + + * lib/asn1/der_get.c (decode_boolean): fail if length of tag is + larger then len + +2004-08-31 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds): kdc_reply can be + set in case of failure too, free unconditionally on exit to avoid + memory leak + +2004-08-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_cred.c (set_auth_data): set pointer to NULL after + free + +2004-08-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/context.c (krb5_get_err_text): if neither of com_right + nor strerror finds the error-code, return Unknown error. + +2004-08-19 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5_kuserok.3: update to reality + + * lib/krb5/kuserok.c: if a .k5login file exist, don't give + implicit rights to anyone; also check owner/mode of .k5login + +2004-08-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: man_MANS = krb5_getportbyname.3 + + * lib/krb5/krb5_getportbyname.3: manpage for krb5_getportbyname + + * lib/krb5/krb5.3: add krb5_getportbyname + + * lib/krb5/krb5.3: krb5_free_salt and krb5_enctype_valid + + * lib/krb5/krb5_encrypt.3: document krb5_enctype_valid + +2004-08-13 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (get_pa_etype_info{,2}): check for dup enctypes + from the client and filter them out. 
+ + * lib/krb5/krb5_string_to_key.3: document krb5_free_salt + +2004-08-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_ticket.3: data needs to be freed when using + krb5_ticket_get_authorization_data_type + +2004-08-11 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_cc.c: test variables in default_cc_name + + * lib/krb5/krb5.conf.5: explain support for varibles in + [libdefaults]default_cc_name + + * lib/krb5/cache.c: drop ${time}, its not very useful + + * lib/krb5/cache.c: Add _krb5_expand_default_cc_name that expand + variables in the default cc name. Supported variables now are: + ${time},${uid} and ${null} + + * lib/krb5/krb5.conf.5: document default_cc_name + + * lib/krb5/cache.c (krb5_cc_set_default_name): + s/libdefault/libdefaults/ + +2004-08-06 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/acache.c: replace magic 3 with ccapi_version_3 + + * lib/krb5/Makefile.am: libkrb5_la_SOURCES += acache.c + + * lib/krb5/krb5.h: add krb5_acc_ops + + * lib/krb5/acache.c: CCAPI v3 implementation, the read only + support was from Magnus Ahltorp and then extended by me to support + all other operations. 
Tested with MIT kerberos cc cache + implementation on MacOS 10.3.3 + + * lib/krb5/cache.c (krb5_cc_set_default_name): allow setting the + default cc name, this is not very useful for general purpose glue + since its not possible to glue in user information (like uid), but + for CCAPI it works just fine + +2004-08-05 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kgetcred.1: document --cache/-c + + * kuser/kgetcred.c: allow to specify what credential cache to use + +2004-08-03 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: add krb5_eai_to_heim_errno.3 + + * lib/krb5/krb5_eai_to_heim_errno.3: document + krb5_eai_to_heim_errno, krb5_h_errno_to_heim_errno + + * lib/krb5/krb5.3: add krb5_eai_to_heim_errno, + krb5_h_errno_to_heim_errno + +2004-07-26 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_expand_hostname.3: krb5_expand_hostname_realms + result should be free with krb5_free_host_realm drop + krb5_get_host_realm text + + * lib/krb5/krb5_set_default_realm.3: krb5_get_host_realm result + should be free with krb5_free_host_realm + + * lib/krb5/krb5_get_in_cred.3: document krb5_free_kdc_rep + + * lib/krb5/krb5_get_init_creds.3: remove dup krb5_get_init_creds + + * lib/krb5/krb5_auth_context.3: sort, add krb5_free_authenticator + + * lib/krb5/Makefile.am: man_MANS += krb5_rd_error + + * lib/krb5/krb5_rd_error.3: krb5_rd_error and friends + + * lib/krb5/krb5_warn.3: clarify on what string + krb5_free_error_string should operate on + + * lib/krb5/krb5_get_credentials.3: add krb5_get_kdc_cred + + * lib/krb5/Makefile.am: krb5_get_credentials, + krb5_get_forwarded_creds and friends + + * lib/krb5/krb5_get_forwarded_creds.3: krb5_get_forwarded_creds + and friends + + * lib/krb5/krb5_get_credentials.3: krb5_get_credentials and + friends + +2004-07-23 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/klist.c (print_cred_verbose): keytypes are no longer, use + enctype + +2004-07-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c 
(LDAP_entry2mods): allow for pre-c99 + compilers, From metze at samba.org + +2004-07-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_cc.c: more cc tests + + * lib/krb5/krb5_check_transited.3: document krb5_check_transited + +2004-07-19 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c (pk_principal_from_X509): reverse test, makes + principal in cert work 
From: Mayur Patel <patelm4@rpi.edu> + +2004-07-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: add krb5_verify_init_creds.3 + + * lib/krb5/krb5_verify_init_creds.3: add krb5_verify_init_creds + +2004-07-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_set_password.3: spelling from wiz@netbsd.org + description for krb5_passwd_result_to_string + +2004-07-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_set_password.3: Remove superfluous comma; grammar + fixes; split sentence in two for better understanding. From + wiz@NetBSD.org. Describe krb5_set_password_using_ccache while here. + + * lib/krb5/krb5_set_password.3: nroff and spelling, from Jonathan + Stone <jonathan@dsg.stanford.edu> + + * lib/krb5/changepw.c (process_reply): cast ssize_t to long and + print that From NetBSD via Havard Eidnes. + +2004-07-09 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: fix helpstring for hdb-openldap-module + + * lib/krb5/test_cc.c: don't use krb5_err on error code 0 + +2004-07-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c (LDAP_seq): try handling errors better + +2004-07-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_in_tkt.c (set_ptypes): make ptypes const + +2004-07-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c (LDAP__connect): call ldap_initialize with + right argument + +2004-06-27 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): if the + krbtgt is without addresses, default to not sending our own + addrport + + * lib/asn1/lex.l: add support for /* */ and partial line -- + comments + + * kuser/Makefile.am: don't install copy_cred_cache manpage + +2004-06-24 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if + copying a static opt, make sure to allocate the "private" field + +2004-06-24 Love <lha@stacken.kth.se> + + * kdc/config.c: add enable_pkinit_princ_in_cert + + * 
kdc/kdc_locl.h: enable_pkinit_princ_in_cert + + * kdc/pkinit.c: Check certificate for Kerberos Principal in + OtherName of subjectAltName Based on patch from Mayur Patel + <patelm4@rpi.edu> + +2004-06-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/get_cred.c (init_tgs_req): if subkey not avaible, use + session key for authorization-data + +2004-06-15 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/connect.c (handle_tcp): note who is what that closed the + connection on us + +2004-06-09 Love Hörnquist Åstrand <lha@it.su.se> + + * admin/get.c (kt_get): catch errors from krb5_parse_name + +2004-06-05 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: if its the entry just contains the + structural object (no samba nor heimdal object), add an aux + heimdal object on to it. + +2004-06-02 Love Hörnquist Åstrand <lha@it.su.se> + + * kpasswd/kpasswd.c: use krb5_set_password_using_ccache + + * lib/krb5/krb5_set_password.3: add krb5_set_password_using_ccache + + * lib/krb5/changepw.c: implement krb5_set_password_using_ccache + + * lib/hdb/hdb-ldap.c: Allow the objectClass to be + "sambaSamAccount" or structural_object when searching for uid + entries. + + * lib/krb5/krb5.conf.5: document [kdc]hdb-ldap-create-base + + * lib/hdb/hdb-ldap.c: add creation base that defaults to the + search base + + * lib/hdb/hdb-ldap.c: indent like the rest of the code + +2004-06-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: check return values from ldap operations and + close it we get back LDAP_SERVER_DOWN. stupid ldap client lib, you + should retry by yourself. 
+ + * lib/hdb/hdb-ldap.c: require search base to be configured, create + local context structure + +2004-05-31 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: more ldap text, partly from Tarjei Huse + <tarjei@nu.no> + +2004-05-28 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: clean, indent + + * lib/hdb/hdb-ldap.c (LDAP_entry2mods): make sure + krb5KeyVersionNumber is added on new entires + +2004-05-27 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/setup.texi: minor fixes, partly from Tarjei Huse + <tarjei@nu.no> + + * lib/krb5/krb5.conf.5: some text about dbname and realm + + * lib/krb5/krb5.conf.5: default value for + hdb-ldap-structural-object is account + +2004-05-26 Love Hörnquist Åstrand <lha@it.su.se> + + * tools/Makefile.am: use ! instead of , as sed delimiter + +2004-05-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/*.c: add KRB5_LIB_FUNCTION to all exported functions + +2004-05-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: make samba_forwardable a krb5_boolean + + * lib/hdb/hdb-ldap.c: make samba forwarding a runtime configure + option + + * lib/hdb/hdb-ldap.c (LDAP_message2entry): fix [] test From: + Andrew Bartlett <abartlet@samba.org> + + * lib/hdb/hdb-ldap.c (LDAP_message2entry): remove bogus length + check From: Andrew Bartlett <abartlet@samba.org> + + * lib/hdb/hdb-ldap.c (LDAP_message2entry): in the sambaNTPassword + case, make sure ent->etypes are allocated, 
From: Andrew Bartlett + <abartlet@samba.org> + +2004-05-14 Love Hörnquist Åstrand <lha@it.su.se> + + * kuser/kinit.c: move "setpag if (argc < 1)" to common path + +2004-05-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.c: pacify pre c99 compilers + + * fix-export: use right argument for -E + +2004-05-06 Johan Danielsson <joda@pdc.kth.se> + + * kuser/kinit.c: print some diagnostics if the exec fails + +2004-04-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c (pk_rd_pa_reply_dh): use krb5_random_to_key + From: Luke Howard <lukeh@padl.com> + + * lib/krb5/rd_req.c (krb5_verify_ap_req2): clear the whole ticket, + not just a pointer size of it 
From: Luke Howard <lukeh@padl.com> + +2004-04-28 Love Hörnquist Åstrand <lha@it.su.se> + + * fix-export: add -E flag where needed to make-proto + +2004-04-26 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/crypto.c: add set_param for RC2 + + * lib/krb5/pkinit.c: use krb5_oid_to_enctype and remove all oids + that are no longer needed + + * kdc/pkinit.c: use krb5_enctype_to_oid + + * lib/krb5/crypto.c (krb5_oid_to_enctype): make sure oid exists + before we compare with it + + * lib/krb5/crypto.c (krb5_crypto_get_params): check ivec length + before returning it add aes-oids + + * lib/krb5/crypto.c: add krb5_enctype_to_oid and + krb5_oid_to_enctype + + * kdc/pkinit.c: use krb5_crypto_set_params + + * lib/krb5/crypto.c: add krb5_crypto_set_params, add aes-NNN-cbc-none + + * lib/krb5/krb5.h: add KEYTYPE_AES192 + + * lib/krb5/pkinit.c: use krb5_crypto_get_params to implement + kcrypto RC2 support + + * lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype + rc2-cbc XXX RC2CBCParameter is wrong because the compiler is + broken + + * lib/krb5/krb5.h: add KEYTYPE_RC2 + + * lib/krb5/crypto.c: add partial CMS parameter handling, this is + needed for RC2 + + * lib/asn1/der_cmp.c: add heim_oid_cmp and heim_octet_string_cmp + + * lib/asn1/Makefile.am (libasn1_la_SOURCES) += der_cmp.c + + * lib/asn1/der.h: add heim_oid_cmp and heim_octet_string_cmp + + * lib/asn1/k5.asn1: add ETYPE_AESNNN_CBC_NONE + + * lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype + rc2-cbc, XXX RC2CBCParameter is wrong because the compiler is broken + +2004-04-26 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/config_file.c: allow parsing directly from strings with + krb5_config_parse_string_multi + + * lib/krb5/verify_krb5_conf.c: try to resolve hostnames + +2004-04-25 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/store_fd.c (krb5_storage_from_fd): dup the file + descriptor so we don't have to keep track of it in two places + + * kuser/copy_cred_cache.c: 
krb5_cc_copy_cache_match now lives in + libkrb5 + + * lib/krb5/krb5_{,compare_}creds.3: move krb5_compare_creds to its + own manpage + + * replace krb5_free_creds_contents by krb5_free_cred_contents + + * lib/krb5/cache.c: add krb5_cc_next_cred_match() and + krb5_cc_copy_cred_match() + + * lib/krb5/creds.c (krb5_compare_creds): add more matching options + + * lib/krb5/krb5.h: add more creds match flags + + * kuser/copy_cred_cache: add --valid-for option + + * lib/krb5/store.c (krb5_store_creds): set is_skey flag if length + of second ticket is > 0 + +2004-04-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: use the right oid for pkauthdata + + * lib/krb5/pkinit.c: always send both win2k compat version and the + ietf draft one, this is possible since microsoft use + wrong/diffrent PA number. Make the configuration flag boolean + configuring if NOT to send the win2k compat glue. + + * lib/krb5/krb5_encrypt.3: document krb5_{de,en}crypt_ivec + + * kuser/copy_cred_cache.1: pacify mdoclint + + * kdc/pkinit.c: use IV for envelopeddata encryption, patch + originally from Luke Howard <lukeh@padl.com>, tweeked by me. + + * lib/krb5/krb5_storage.3: document + KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER + + * lib/krb5/krb5_data.3: document that krb5_data_free cleans the + structure too + + * lib/krb5/pkinit.c: use IV for envelopeddata encryption, patch + originally from Luke Howard <lukeh@padl.com>, tweeked by me. + +2004-04-24 Johan Danielsson <joda@pdc.kth.se> + + * kuser/copy_cred_cache.{c,1}: add cred cache copy tool + + * configure.in: use rk_SYS_LARGEFILE + + * lib/krb5/{krb5.h,store.c,fcache.c}: Fix the cache flags bitorder + issue with a storage flag instead of a separate function. 
+ +2004-04-24 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: move out the oid check from get_reply_key + + * lib/krb5/pkinit.c: uniquify error messages + + * lib/krb5/init_creds_pw.c: make the pkinit nonce same os the + plain nonce for now + + * lib/krb5/pkinit.c: more w2k compat from Luke Howard + <lukeh@padl.com> add RC2 support, clean up error messages + + * lib/krb5/pkinit.c: remove more dependency on + krb5_config->pkinit_flags + + * lib/krb5/pkinit.c (_krb5_pk_convert_rep): convert microsoft + style answer to IETF, From Luke Howard <lukeh@padl.com> + (_krb5_pk_create_sign): ms handles NULL in param, so always send it + (_krb5_pk_mk_padata): look for [realms]REALM = { win2k_pkinit = bool } + + * lib/krb5/pkinit.c (_krb5_pk_create_sign): always set the + digestAlgorithm to sha1 (both for SignerInfo and SignedData, add + new function _set_digest_alg to set it + +2004-04-23 Love Hörnquist Åstrand <lha@it.su.se> + + * include/make_crypto.c: include rc2.h, and when I'm here, make + aes mandatory + + * lib/krb5/krb5.h: add ENCTYPE_ARCFOUR_HMAC as compat glue for MIT + kerberos + + * lib/krb5/crypto.c (krb5_crypto_init): clear return pointer on + failure + + * lib/krb5/crypto.c (DES3_random_to_key): make it produce the + right result + (DES3_postproc): use DES3_random_to_key + (krb5_random_to_key): check the required number of bits (not the size + of the key) + + * lib/krb5/aes-test.c: test random to key function + + * lib/krb5/string-to-key-test.c: comment out the "@"/"" test for + now + +2004-04-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_string_to_key.3: document that + krb5_string_to_key_derived is broken for non 3des enctypes and + thus deprecated + + * kdc/pkinit.c (generate_dh_keyblock): use the new function + krb5_random_to_key + + * lib/krb5/crypto.c: add des and DES3 random_to_key hooks, they + need special processing + + * lib/krb5/crypto.c (krb5_random_to_key): new function + + * lib/krb5/krb5_keyblock.3: document 
krb5_random_to_key + +2004-04-21 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: use the first proposed enable enctype + + * lib/krb5/context.c (krb5_set_default_in_tkt_etypes): use the + return from krb5_enctype_valid + + * kdc/pkinit.c: at least try to handle diffrent enveloped enctypes + +2004-04-21 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/der_get.c: 1.28.2.16: (der_get_oid): handle all oid + components being smaller then 127 and allocate one extra element + since first byte is split to to elements. + +2004-04-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/k5.asn1: ETYPE_DIGEST_MD5_NONE, ETYPE_CRAM_MD5_NONE: + private use, lukeh@padl.com + +2004-04-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c (build_auth_pack): use heim_integer to encode + DH public key + +2004-04-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_init_context.3: add krb5_context to so its added + as manpage-link too + +2004-04-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/fcache.c (fcc_remove_cred): simplistic implementation, + XXX add locking + + * kuser/kdestroy.c: add --credential argument that just remove one + credential entry out of the cache specified + + * kdc/pkinit.c: replace the krb5.conf configuration option that + describes the mapping between principals and subject names with a + file, default /var/heimdal/pki-mapping. XXX this should be pushed + into HDB. 
XXX should add issuer too + + * kdc/config.c: merge certificate/private_key to a user_id + +2004-04-16 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kdc_locl.h: update prototype for pk_initialize + + * kuser/kinit.c: merge certificate/private_key to a user_id + + * kdc/pkinit.c: adapt to heim_integer changes + + * lib/krb5/pkinit.c: merge certificate/private_key to a user_id + + * kdc/pkinit.c: adapt to heim_integer changes, + merge certificate/private_key to a user_id + +2004-04-15 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_WIN free X509_STORE + +2004-04-13 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: define BUILD_KRB5_LIB when building + libkrb5.la, add KRB5_LIB_FUNCTION proto + + * lib/krb5/add_et_list.c: add KRB5_LIB_FUNCTION + + * configure.in: export KRB5_LIB_FUNCTION when building with + BUILD_KRB5_LIB + + * lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): add + error strings + + * lib/krb5/prompter_posix.c (krb5_prompter_posix): if some thing + is printed on stderr, fflush it + + * lib/krb5/krb5_keyblock.3: free functions also zeros out the key + + * lib/krb5/krb5_get_init_creds.3: some text about + krb5_prompter_posix + + * lib/krb5/krb5.conf.5: document hdb-ldap-structural-object + + * lib/krb5/cache.c: add krb5_cc_get_prefix_ops + + * lib/krb5/krb5_ccache.3: add krb5_cc_get_prefix_ops + +2004-04-05 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/test/http_client.c: support GSS_C_DELEG_FLAG and + GSS_C_MUTUAL_FLAG + + * appl/test/http_client.c: verbose logging + +2004-04-02 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/connect.c: case size_t to unsigned long for LP64 platforms + +2004-04-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c (hdb_ldap_create): allow configuration of + default structural object + + * tools/Makefile.am: handle sed expression breaking + +2004-03-31 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krbhst.c: also lookup 
_kpasswd._tcp SRV-rr + + * lib/krb5/changepw.c: add tcp support to the set protocol, should + be cleaned up to enable sharing code with krb5_sendto + + * kpasswd/kpasswd.c (change_password): remove extra free + + * lib/krb5/krb5_acl_match_file.3: try to pacify mdoc macros on + osf/1 + +2004-03-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c (pa_data_add_pac_request): don't + increase md->len, krb5_padata_add already does that + + * lib/krb5/init_creds.c: its PAC not PAQ + + * kuser/kinit.c: its PAC not PAQ + + * kdc/kerberos4.c: stop the client from renewing tickets into the + future 
From: Jeffrey Hutzelman <jhutz@cmu.edu> + +2004-03-29 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: try to handle sys/strtty.h needing sys/stream.h + +2004-03-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/send_to_kdc.c: remove function krb5_sendto_kdc2, its no + longer used + + * kdc/kerberos5.c: s/krb5_get_host_realm_int/_&/ + + * lib/krb5/get_host_realm.c: unexport krb5_get_host_realm_int to + external users by prefixing it with _ + + * lib/krb5/get_cred.c: s/krb5_mk_req_internal/_&/ + + * lib/krb5/mk_req_ext.c: unexport krb5_mk_req_internal to external + users by prefixing it with _ + +2004-03-22 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: add missing } + +2004-03-21 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c: adapt to change of signature of + _krb5_pk_load_openssl_id + + * lib/krb5/pkinit.c: (krb5_get_init_creds_opt_set_pkinit): add + prompter argument and use it + + * kuser/kinit.c: adapt to signature change of + krb5_get_init_creds_opt_set_pkinit + + * lib/krb5/krb5.3: add more stuff, 105 functions to go + + * lib/krb5/krb5_rcache.3: add krb5_get_server_rcache + + * lib/krb5/krb5_rcache.3: framework for replay cache manpage + + * lib/krb5/krb5_string_to_key.3: document string to key functions + + * lib/krb5/Makefile.am: man_MANS += krb5_expand_hostname.3 + krb5_find_padata.3 krb5_generate_random_block.3 + + * lib/krb5/krb5_encrypt.3: document krb5_get_wrapped_length + + * lib/krb5/krb5.3: add some more, 137 to go + + * lib/krb5/krb5_principal.3: document krb5_get_default_principal + + * lib/krb5/krb5_keyblock.3: document krb5_generate_subkey + + * lib/krb5/krb5_generate_random_block.3: document + krb5_generate_random_block + + * lib/krb5/krb5_find_padata.3: document padata functions + + * lib/krb5/krb5.3: add some more, 142 to go + + * lib/krb5/krb5_creds.3: drop .Pp before .Sh + + * lib/krb5/krb5_set_default_realm.3: document krb5_copy_host_realm + + * lib/krb5/krb5_expand_hostname.3: document 
krb5_expand_hostname + and krb5_expand_hostname_realms + + * lib/krb5/krb5.3: add more functions, 147 to go + + * lib/krb5/krb5_creds.3: document krb5_creds + + * lib/krb5/krb5_get_init_creds.3: add more functions, some more + text + + * lib/krb5/krb5_ticket.3: document + krb5_ticket_get_authorization_data_type + +2004-03-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/aes-test.c: remove #if 0'ed code + + * lib/krb5/krb5.3: add keyblock functions, 177 functions to go + + * lib/krb5/krb5_verify_user.3: add krb5_verify_opt_set_ccache + + * lib/krb5/krb5_encrypt.3: document krb5_decrypt_ticket + + * lib/krb5/krb5_config.3: document krb5_config_free_strings and + krb5_config_file_free + + * lib/krb5/krb5_create_checksum.3: add krb5_hmac + + * lib/krb5/krb5.3: add keyblock functions, 190 functions to go + + * lib/krb5/krb5_keyblock.3: update .Dd + + * lib/krb5/krb5_keyblock.3: document krb5_copy_keyblock and + krb5_generate_random_keyblock + + * lib/krb5/krb5_init_context.3: add krb5_init_ets + + * lib/krb5/krb5_config.3: add more krb5_config_ functions and + prototypes + + * lib/krb5/krb5_init_context.3: document context modifcation + functions: address list, config file, use admin kdc, fcc version + + * lib/krb5/krb5_storage.3: document krb5_storage and related + functions + + * lib/krb5/Makefile.am: add acl and krb524_convert_creds_kdc + manpages and test_acl test program + + * lib/krb5/krb5.3: add error string functions and sort + + * lib/krb5/krb5_warn.3: document krb5_abort and error string + functions + + * lib/krb5/krb5.3: add missing functions, only 285 left to + document + + * lib/krb5/krb5_crypto_init.3: remove various enctype related + function + + * lib/krb5/krb5_encrypt.3: add various enctype related function + here + + * lib/krb5/krb5_create_checksum.3: add krb5_cksumtype_valid + krb5_cksumtype_valid + + * lib/krb5/crypto.c: real return values for + krb5_{enctype,cksumtype}_valid + + * lib/krb5/krb5_create_checksum.3: add some functions and + 
descriptions + + * lib/krb5/krb5_c_make_checksum.3: move out non krb5_c functions + + * lib/krb5/krb5_auth_context.3: document + krb5_auth_con_generatelocalsubkey + + * lib/krb5/krb5_krbhst_init.3: document krb5_krbhst_init_flags + + * lib/krb5/krb5_keytab.3: document krb5_kt_default_modify_name + + * lib/krb5/krb5_init_context.3: document krb5_add_et_list + + * lib/krb5/krb524_convert_creds_kdc.3: document + krb524_convert_creds_kdc, krb524_convert_creds_kdc_ccache + + * lib/krb5/krb5_acl_match_file.3: document krb5_acl_match_* + + * lib/krb5/test_acl.c: test for generic acl code + + * lib/krb5/acl.c: plug memory leak on file matching, + make it not fall over when no non matching acl, + make fnmatch matching useful by switching arguments + +2004-03-19 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/config.c: add --builtin-hdb command + + * lib/hdb/hdb.c (hdb_list_builtin): return a list of builtin + backends + + * doc/setup.texi: include Luke Howard of PADL.COM ldap hdb + documentation + + * doc/win2k.texi: fix bugs in examples, add more restrictions, use + example.com as an example. 
From: Pavel Ferdan + <xferdan@informatics.muni.cz> + +2004-03-18 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5.conf.5: add a bunch of Li and document [kadmin] + password_lifetime; from Henry B. Hotz + +2004-03-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/mk_rep.c (krb5_mk_rep): if KRB5_AUTH_CONTEXT_USE_SUBKEY + is set send subkey + (generate if needed) + + * lib/krb5/krb5.h: add KRB5_AUTH_CONTEXT_USE_SUBKEY + +2004-03-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: clean up error handling, plug memory leaks, + and free memory in error path, assume realloc(NULL, ...) works, + factor out common code, indent + +2004-03-12 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/verify_krb5_conf.c: understand [password_quality] + spelling + + * kuser/kgetcred.1: document --canonicalize + + * kuser/kgetcred.c: add --canonicalize + +2004-03-10 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/fcache.c (fcc_store_cred): NULL terminate + krb5_config_get_bool_default' arglist + +2004-03-09 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: add missing req argument to pk_mk_pa_reply + + * kdc/pkinit.c (pk_mk_pa_reply): add hdb_entry + + * kdc/pkinit.c: pass client hdb_entry to pk_check_client + + * kdc/kdc_locl.h: pass client hdb_entry to pk_check_client + + * kuser/kinit.c: rename ca_dir to pkinit/x509_anchors since its + more like that language in RFC3280 + + * lib/krb5/pkinit.c: rename ca_dir to pkinit/x509_anchors since + its more like that language in RFC3280 + + * lib/krb5/krb5.conf.5: document + [libdefaults]fcc-mit-ticketflags=boolean + + * lib/krb5/fcache.c (fcc_store_cred): use + [libdefaults]fcc-mit-ticketflags=boolean to decide what format to + write the fcc in. 
Default to mit version (aka heimdal 0.7) + + * lib/krb5/store.c: add _krb5_store_creds_heimdal_0_7 and + _krb5_store_creds_heimdal_pre_0_7 that store the creds in just + that format make krb5_store_creds default to mit format + + * lib/krb5/store.c (krb5_ret_creds): Runtime detect the what is + the higher bits of the bitfield + +2004-03-08 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/store.c (krb5_store_creds): add disabled code that + store the ticket flags in reverse order + (bitswap32): new function + + * lib/krb5/store.c (krb5_ret_creds): if the higher ticket flags + are set, its a mit cache, reverse the bits, bug pointed out by + Sergio Gelato <Sergio.Gelato@astro.su.se> + +2004-03-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb-ldap.c: use macro for HDB * -> LDAP * + + * kuser/kinit.c: when running kinit with a subprocess, fetch new + tickets after half the tickets lifetime + + * lib/hdb/hdb.c: spelling + + * lib/hdb/hdb-ldap.c: Intergrate Heimdal's hdb-ldap and the Samba + password database. 
From: Andrew Bartlett <abartlet@samba.org> + + * kdc/config.c: add --disable-DES + + * kdc/kdc.8: document --detach and --disable-DES + + * kdc/kerberos5.c: check if enctype is disabled before using it + + * lib/krb5/crypto.c: add support for disabling checksum/encryption + types + + * tools/kdc-log-analyze.pl: add more cases + + * kdc/connect.c: on strange tcp error; log local port number and + socket type + + * lib/asn1/der.h: fix prototype of encode_utf8string + + * lib/asn1/gen.c: catch CHOICE and generate dummy placeholder + + * lib/asn1/lex.l: added dummy parsing of CHOICE + + * lib/asn1/parse.y: added dummy parsing of CHOICE + + * lib/asn1/k5.asn1: drop SMTP_NAME + +2004-03-06 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/Makefile.am: support building ldap backend as module + sort asn1 hdb files + + * lib/hdb/hdb.c: when building ldap as a shared module, don't + include it in the list + + * configure.in: add --enable-hdb-openldap-module + + * lib/hdb/hdb-ldap.c: make ldap possible to build as a shared + module + + * lib/hdb/mkey.c: add hdb_{,un}seal_key{,_mkey} from Andrew + Bartlett <abartlet@samba.org> + + * lib/krb5/crypto.c (decrypt_internal_special): do not not modify + the original data test case from Ronnie Sahlberg + <ronnie_sahlberg@ozemail.com.au> + +2004-03-03 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/test_cc.c: more cc tests, mostly related to mcc + behavior + + * lib/krb5/mcache.c (mcc_get_principal): also check for + primary_principal == NULL now that that isn't used as dead flag + + * lib/krb5/mcache.c: don't overload the primary_principal == NULL + as dead since that doesn't always work. 
Based on patch from
+ Jeffrey Hutzelman <jhutz@cmu.edu>, tweeked by me
+
+2004-02-22 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp
+
+ * lib/krb5/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp
+
+ * lib/hdb/db3.c: fix all db >= 4.1 cases
+
+ * doc/setup.texi: add text about hostname to realm mapping using
+ DNS
+
+2004-02-20 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/pkinit.c: update error codes
+
+ * lib/krb5/krb5_err.et: prefix pkinit error codes with KRB5_
+
+ * lib/krb5/pkinit.c: update error codes
+
+2004-02-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c: indent, use krb5_abortx() instead of abort()
+
+ * lib/krb5/init_creds_pw.c (process_pa_data_to_key): spelling
+
+ * lib/krb5/store.c: handle memory allocate errors
+
+ * lib/krb5/fcache.c (_krb5_xlock): handle that everything was ok,
+ and don't put an error in the error strings then
+
+2004-02-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/pkinit.c: s/heim_big_integer/heim_integer/
+
+ * lib/krb5/pkinit.c: s/heim_big_integer/heim_integer/
+
+ * kdc/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT errors
+
+ * lib/krb5/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT
+ errors
+
+ * lib/krb5/heim_err.et: add HEIM_PKINIT specific errors
+
+2004-02-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * configure.in: rename AC_WFLAGS to rk_WFLAGS
+
+ * acinclude.m4: use m4_define, over-quote string
+
+2004-02-11 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/init_creds_pw.c (change_password): handle that
+ printf("%.*s", 0, (void*)NULL); doesn't work on solaris
+
+2004-02-10 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kpasswd/kpasswd.c (change_password): handle that printf("%.*s",
+ 0, (void*)NULL); doesn't work on solaris
+
+ * lib/krb5/krb5.conf.5: don't use path's in first .Nm, it confuses
+ some locate.updatedb, use FILES section to describe where the file
+ is instead.
+
+2004-02-07 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/asn1/check-der.c: test for "der_length.c: Fix len_unsigned
+ for certain negative integers, it got the length wrong" , from
+ Panasas, Inc.
+
+ * lib/asn1/der_length.c: Fix len_unsigned for certain negative
+ integers, it got the length wrong, fix from Panasas, Inc.
+
+ rename len_int and len_unsigned to _heim_\&
+
+ * lib/asn1/der_locl.h: add _heim_len_unsigned, _heim_len_int
+
+2004-02-06 Dave Love <d.love@dl.ac.uk>
+
+ * configure.in: Check for sys/socket.h, net/if.h. Modify term.h,
+ security/pam_appl.h tests.
+
+2004-02-03 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/asn1/check-gen.c: test for: (length_type): TSequenceOf: add
+ up the size of all the elements, don't use just the size of the
+ last element.
+
+ * lib/krb5/aes-test.c: add "next iv" test for aes128, check
+ decryption case too
+
+ * lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of
+ the next to last block, fix decryption case too
+
+ * lib/krb5/aes-test.c: add "next iv" test for aes128
+
+ * lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of
+ the next to last block
+
+ * lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode
+ error
+
+ * lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode
+ error
+
+ * lib/krb5/get_in_tkt.c (krb5_get_in_cred): abort on internal asn1
+ encode error
+
+ * lib/krb5/mk_priv.c (krb5_mk_priv): abort on internal asn1 encode
+ error
+
+ * lib/krb5/get_cred.c (make_pa_tgs_req): abort on internal asn1
+ encode error
+
+ * lib/krb5/build_auth.c (krb5_build_authenticator): abort on
+ internal asn1 encode error
+
+ * lib/krb5/build_ap_req.c (krb5_build_ap_req): abort on internal
+ asn1 encode error
+
+2004-01-30 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * doc/setup.texi: some text about order of [capaths] realms
+
+2004-01-25 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/context.c: register WRFILE ops
+
+ * lib/krb5/keytab_file.c: add krb5_wrfkt_ops/WRFILE
(same as FILE)
+
+ * lib/krb5/krb5.h: add krb5_wrfkt_ops
+
+ * kpasswd/kpasswdd.c (change): use the right password when
+ changing the password
+
+2004-01-21 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/fcache.c (_krb5_xlock): catch EINVAL and assume that it
+ means that the filesystem doesn't support locking
+
+ * lib/krb5/keytab.c: remove #if 0 out file locking code
+
+2004-01-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/asn1/gen_length.c (length_type): TSequenceOf: add up the
+ size of all the elements, don't use just the size of the last
+ element.
+
+2004-01-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kuser/kinit.c (renew_validate): if renewable_flag and not time
+ specifed, use "1 month"
+
+2004-01-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5_keyblock.3: add prototypes, describe
+ krb5_keyblock_zero
+
+2004-01-05 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/get_for_creds.c (add_addrs): don't add same address
+ multiple times
+
+ * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): try to
+ handle errors better for previous commit
+
+ * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): If tickets
+ are address-less, forward address-less tickets.
+
+ * lib/krb5/get_cred.c: rename get_krbtgt to _krb5_get_krbtgt and
+ export it
+
diff --git a/crypto/heimdal/ChangeLog.2005 b/crypto/heimdal/ChangeLog.2005
new file mode 100644
index 000000000000..8c84b1c5c385
--- /dev/null
+++ b/crypto/heimdal/ChangeLog.2005
@@ -0,0 +1,2004 @@
+2005-12-15 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos5.c (tgs_make_reply): less const on hdb_entry_ex to
+ make samba happy
+
+ * fix-export: Build kdc-private.h.
+
+2005-12-14 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos5.c (tgs_rep2): also print the principal for which
+ the enctype was missing
+
+2005-12-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kaserver.c: Finish up transition from hdb_entry to
+ hdb_entry_ex.
+
+ * kdc/kerberos4.c: Finish up transition from hdb_entry to
+ hdb_entry_ex.
+
+ * kdc/524.c: Finish up transition from hdb_entry to hdb_entry_ex.
+
+ * kdc/kerberos5.c: Finish up transition from hdb_entry with
+ hdb_entry_ex.
+
+ * lib/krb5/cache.c (krb5_cc_set_default_name): use
+ KRB5_DEFAULT_CCNAME.
+
+ * lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME, pointer to
+ default credential cache.
+
+ * lib/hdb/ndbm.c: memset hdb_entry_ex before use
+
+ * lib/hdb/db3.c: memset hdb_entry_ex before use
+
+ * lib/hdb/db.c: memset hdb_entry_ex before use
+
+2005-12-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5.3: Add some more entrypoints.
+
+ * lib/krb5/changepw.c: If there is a target principal, use the
+ realm of the realm to change the password with,
+
+ * kuser/kinit.c: Default to use DH when fetching keys.
+
+ * lib/hdb, kdc, kadmin/load.c: Wrap hdb_entry with hdb_entry_ex, patch
+ originally from Andrew Bartlet
+
+ * lib/hdb/hdb-ldap.c: Wrap hdb_entry with hdb_entry_ex, add url
+ support, add ldapi support.
+
+ * kdc/kerberos5.c (tgs_make_reply): there are no such things a
+ keytypes any more, just use enctypes.
+
+ * kdc/kdc_locl.h: Remove private prototypes and instead include
+ <kdc-private.h>.
+
+ * kdc/Makefile.am: Build kdc-private.h and depend on it.
+
+ * kdc/config.c (configure): wrap line
+
+ * doc/kerberos4.texi: KDC 4 support is always compiled in.
+
+ * TODO: Remove some stuff that have been done.
+
+ * Makefile.am: Split long line
+
+ * doc/apps.texi: Spelling, From Måns Nilsson.
+
+ * doc/install.texi: spelling, From Måns Nilsson
+
+2005-12-11 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5_principal.3: Constify principal argument to on
+ krb5_principal_get_ functions.
+
+ * lib/krb5/principal.c: Constify principal argument to on
+ krb5_principal_get_ functions.
+
+2005-12-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/hdb: drop convert_db, 0.0 to 0.1 transition was a long long
+ time ago
+
+2005-12-05 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/test_keytab.c: more tests, From Andrew Bartlet
+
+ * lib/krb5/keytab_memory.c (mkt_remove_entry): realloc can return
+ NULL on success in the case 0 entries are allocated, From Andrew
+ Bartlet
+
+2005-12-02 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/acl.c (acl_parse_format): tmp needs to be freed too on
+ failure to parse format specifier.
+
+ * lib/krb5/store-test.c: Free more of the allocated memory.
+
+ * lib/krb5/crypto.c (krb5_derive_key): Free more of the allocated
+ memory, this function is only used by the test program.
+
+ * lib/krb5/parse-name-test.c: Free more of the allocated memory.
+
+ * lib/krb5/derived-key-test.c: Free more of the allocated memory.
+
+2005-12-01 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * doc/setup.texi: spelling, From Måns Nilsson
+
+ * lib/krb5/krb5_keytab.3: Memory keytab are now named and
+ refcounted.
+
+ * lib/krb5/test_keytab.c: Test that memory keytab are refcounted.
+
+ * lib/krb5/keytab_memory.c: Index by name and start reference
+ counting on entries.
+
+2005-11-30 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5.h (krb5_address_type): add
+ KRB5_ADDRESS_NETBIOS (20)
+
+ * lib/hdb/hdb.c (find_method): accept relative paths as old db
+ format too.
+
+ * lib/krb5/aes-test.c: Remove usage of krb5_enctype_to_keytype.
+
+2005-11-29 Dave Love <fx@gnu.org>
+
+ * kcm/connect.c (kcm_loop): Use HAVE_DOOR_CREATE, not HAVE_DOORS.
+
+2005-11-29 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/verify_krb5_conf.c (libdefaults_entries): add
+ default_cc_name
+
+ * lib/hdb/hdb.c: Only match db databases on filename starting with
+ '/'.
+
+ * lib/krb5/rd_req.c (krb5_verify_ap_re2): check timestamp in
+ authenticator
+
+ * lib/krb5/rd_req.c (check_transited): explain the TR-type 0
+ better and why it matters.
+
+ * lib/krb5/test_cc.c: test krb5_cc_get_prefix_ops
+
+ * lib/krb5/cache.c (krb5_cc_get_prefix_ops): change the behavior
+ to return NULL when its not found, and fcc when the name starts
+ with a '/'. Almost matches behavior in other parts of the code,
+ but can't really do that since the name passed in to this function
+ may only contain the prefix itself without the colon.
+
+ * lib/krb5/cache.c (krb5_cc_get_prefix_ops): if there are not
+ colon (:) in the name, its a file credential cache
+
+ * lib/hdb/db3.c (hdb_db_create): use calloc to callocate memory
+
+ * lib/hdb/ndbm.c (hdb_ndbm_create): use calloc to allocate memory
+
+ * lib/hdb/db.c (hdb_db_create): use calloc to allocate memory
+
+2005-11-28 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use session
+ key for delegated credentials
+
+ * kdc/kerberos5.c (_kdc_as_rep): add comment when we send
+ ETYPE-INFO and ETYPE-INFO2, from Andrew Bartlett
+
+2005-11-25 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/keytab.c (krb5_kt_get_full_name): new function
+
+2005-11-24 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/test_crypto.c: Split encryption and s2k iterations to
+ diffrent counters, 38seconds of aes256 s2k is way too long.
+
+ * lib/krb5/test_crypto.c: Add timing code for s2k function.
+
+2005-11-07 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos5.c: Print the time the principal expired, based on
+ patch from Andrew Bartlett.
+
+2005-11-01 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/cache.c (krb5_cc_get_full_name): Add
+
+2005-11-01 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * configure.in: Spelling, From Michael Banck <mbanck@debian.org>
+
+2005-10-30 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kcm/headers.h: Maybe include <sys/param.h>.
+
+2005-10-27 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type):
+ understand KRB5_AUTHDATA_IF_RELEVANT and KRB5_AUTHDATA_AND_OR (but
+ have KRB5_AUTHDATA_KDC_ISSUED commented out for now)
+
+2005-10-26 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kuser/klist.c: In the list caches view, rename the Status field
+ to Expires.
+
+ * lib/krb5/krb5_encrypt.3: Fix mdoc for
+ krb5_encrypt_EncryptedData, Johnny Lam <jlam@pkgsrc.org>
+
+2005-10-25 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * appl/test/gssapi_client.c: Check return value from asprintf
+ instead of string != NULL since it undefined behavior on
+ Linux. From Björn Sandell
+
+2005-10-21 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c (_krb5_dh_group_ok): if not enough bits are
+ generated from the DH groups, fail.
+
+ * kdc/pkinit.c (get_dh_param): Pass down config so this function
+ can check pkinit_dh_min_bits
+
+ * kdc/config.c: Fill in pkinit_dh_min_bits from configuration
+ file.
+
+ * kdc/kdc.h: Add pkinit_dh_min_bits to krb5_kdc_configuration.
+
+2005-10-20 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c: Add option to require binding between reply
+ and response for the win2k version of the protocol.
+
+2005-10-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * doc/programming.texi: Text about Kerberos errors.
+
+ * lib/krb5/pkinit.c: Try both ReplyKey and ReplyKey-Win2k for the
+ Windows case to support the updated -09 protocol (using
+ asChecksum). Tell KDC we support this by sending
+ KRB5-PADATA-PK-AS-09-BINDING in the pa-data.
+
+ * lib/krb5/test_cc.c: Test copy FILE -> FILE, and MEMORY -> MEMORY
+ too.
+
+ * lib/krb5/test_cc.c: Test krb5_cc_copy_cache and
+ krb5_cc_cache_match.
+
+ * lib/krb5/cache.c (krb5_cc_cache_match): add function that
+ iterates over all credential caches for a user and returns a
+ match.
+
+ * lib/krb5/krb5_ccache.3: Add krb5_cc_start_seq_get and an
+ example.
+
+2005-10-18 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * doc/programming.texi: Try to explain krb5_ccache, krb5_principal
+ and errors.
+
+2005-10-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5_get_credentials.3: Add example how to use
+ krb5_get_credentials.
+
+2005-10-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/init_creds.c: Rename private to opt_private.
+
+ * lib/krb5/init_creds_pw.c: Rename private to opt_private.
+
+ * lib/krb5/pkinit.c: rename element private to opt_private to make
+ c++ picky compilers less upset.
+
+ * lib/krb5/krb5.h (krb5_get_init_creds_opt): rename element
+ private to opt_private to make c++ picky compilers less upset.
+
+2005-10-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krbhst.c (_krb5_krbhost_info_move): new function
+ (_krb5_free_krbhst_info): expose to internal use
+
+ * lib/krb5/init_creds_pw.c: Prepare to pass down a
+ krb5_krbhst_info into the pre-auth mechs
+
+ * lib/krb5/pkinit.c: Inline short functions, share more code,
+ rename COMPAT_27 to COMPAT_IETF, pass down a krb5_krbhst_info for
+ verification of KDC info, and general cleaning up.
+
+2005-10-07 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/Makefile.am: Install krb5.moduli in sysconfdir.
+
+ * lib/krb5/krb5_locl.h: rename moduli file to SYSCONFDIR
+ "/krb5.moduli"
+
+ * lib/krb5/krb5_locl.h: Add forward declaration for
+ krb5_dh_moduli. Add define for MODULI_FILE.
+
+ * kdc/pkinit.c: Removing PK-INIT-19 support.
+
+ * lib/krb5/pkinit.c: Removing PK-INIT-19 support.
+
+ * lib/krb5/pkinit.c (_krb5_dh_group_ok): return DH group name on
+ success.
+ (krb5_get_init_creds_opt_set_pkinit): use moduli file if it exists
+
+ * kdc/pkinit.c: Save DH group name and print it on success.
+
+ * lib/krb5/pkinit.c (_krb5_dh_group_ok): if q is zero, ignore it.
+
+ * kdc/pkinit.c: Check dh group parameters from client.
+
+ * lib/krb5/krb5_err.et: Match error code with pk-init-27.
+
+ * lib/krb5/pkinit.c: Update error codes. Add name to group. Change
+ return value of _krb5_dh_group_ok.
+
+ * lib/krb5/pkinit.c: Add support for reading a moduli-file for DH
+ parameters.
+
+2005-10-06 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kuser/klist.1: Document --list-caches
+
+ * kuser/klist.c: Change short flag of --list-caches to -l (-v is
+ already used).
+
+2005-10-03 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/kerberos.8: RFC 1510 was obsoleted by 4120.
+
+ * lib/krb5/acache.c (init_ccapi): return kerberos errors, callers
+ expect it
+ (acc_get_cache_first): don't leak memory or abort on malloc
+ failure
+
+2005-10-02 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/kerberos.8: Update text about Kerberos RFC's.
+
+2005-10-01 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kuser/klist.c: Add option --list-caches that lists the avaible
+ caches and their status.
+
+ $ klist --list-caches
+ Principal Cache name Status
+ lha@E.KTH.SE 2 Valid
+ lha@SU.SE 1 Expired
+ lha/root@SU.SE 0 Expired
+ lha@N.L.NXS.SE Initial default ccache Expired
+
+2005-09-30 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/keytab_keyfile.c: Use all DES keys, not just
+ des-cbc-md5, verify that they all are the same.
+
+ * lib/krb5/mcache.c Implement the cache iteration functions.
+
+ * lib/krb5/acache.c: Implement the cache iteration functions.
+
+ * lib/krb5/test_cc.c: Test the new cache iteration functions.
+
+ * lib/krb5/cache.c: Add cache iteration funcations. Add internal
+ allocation function for the memory of a krb5_ccache, and use it.
+
+ * lib/krb5/krb5.h (krb5_cc_ops): add cache iteration functions
+
+2005-09-25 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5_mk_req.3: Remove leftovers, remove extra space.
+
+ * kdc/kerberos5.c: More verbose PK-INIT logging.
+
+ * kdc/pkinit.c: The public DH key is encoded as an INTEGER in
+ subjectPublicKey. Don't verify OID's for now.
+
+ * lib/krb5/pkinit.c: Support cached DH variable (still need to
+ store it though), don't check the oid of the DH signedData for
+ now.
+
+2005-09-22 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/rd_cred.c (krb5_rd_cred): try both the session key and
+ the sender subkey. Both RFC1510 and RFC4120 say that you have to
+ use the session key, Heimdal uses subkey.
+
+2005-09-21 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c: Don't check oid's too closely, they change in
+ Windows Vista.
+
+2005-09-20 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c: Disable sending -19, fix parsing -27 of the
+ protocol.
+
+ * kdc/pkinit.c: Support PK-INIT-27 DH (and remove -19)
+
+ * lib/krb5/pkinit.c (pk_verify_chain_standard): set cert to NULL
+ to make sure its not freed.
+
+2005-09-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/crypto.c (krb5_DES_string_to_key): If the opaque length
+ it set to 1, and content is 0x01, use the afs3 string-to-key.
+
+ * kdc/kerberos5.c (make_etype_info2_entry): When its a afs3-salted
+ key, use send the opaque, length 1 (with content set to 0x01) in
+ ETYPE-INFO2-ENTRY.
+
+ * lib/krb5/kcm.c: Remove signedness warnings.
+
+2005-09-15 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * configure.in: Use libtool's default values for building
+ shared/static libaries, ie remove AC_ENABLE_SHARED(no), solves
+ building problems users have on Mac OS X.
+
+2005-09-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/changepw.c: Constify password.
+
+2005-09-05 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5_mk_req.3: Document krb5_rd_req.
+
+ * lib/krb5/Makefile.am: MAN_mans+= krb5_mk_req.3
+
+ * lib/krb5/krb5_mk_req.3: Document krb5_mk_req, krb5_mk_req_exact,
+ krb5_mk_req_extended, krb5_rd_req, krb5_rd_req_with_keyblock,
+ krb5_mk_rep, krb5_mk_rep_exact, krb5_mk_rep_extended, krb5_rd_rep,
+ krb5_build_ap_req, krb5_verify_ap_req.
+
+2005-09-01 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos5.c (make_etype_info_entry): Dont send salttype at
+ all, use KRB5-PADATA-AFS3-SALT
+
+2005-08-31 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos5.c (log_timestamp): endtime, not endtype
+
+2005-08-30 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * configure.in: Check for <sys/ucred.h>.
+
+ * kcm/connect.c (update_client_creds): in case there is no
+ UCRED_VERSION, skip LOCAL_PEERCRED
+
+ * kcm/headers.h: include <sys/ucred.h>
+
+2005-08-27 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/rd_req.c (check_transited): Allow empty content of type
+ 0 because that is was Microsoft generates in their TGT.
+
+ * kdc/kerberos5.c (fix_transited_encoding): Allow empty content of
+ type 0 because that is was Microsoft enerates in their TGT.
+
+2005-08-26 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * doc/intro.texi: RFC 4120 replaces RFC 1510
+
+2005-08-25 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * configure.in: Add --disable-afs-support.
+
+2005-08-23 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/Makefile.am: Add test_hostname to check_PROGRAMS but
+ not TESTS, I have no same dns to use.
+
+ * lib/krb5/test_hostname.c: Testprogram for krb5_expand_hostname()
+ and krb5_expand_hostname_realms().
+
+ * configure.in: Build KCM if we have doors or unix sockets.
+
+ * lib/krb5/principal.c (krb5_425_conv_principal_ex2): Remove
+ shadowing variable.
+
+ * lib/krb5/get_host_realm.c (dns_find_realm): Fix const warnings,
+ plug memory leak.
From: Stefan Metzmacher <metze@samba.org>
+
+ * lib/krb5/krb5_config.3: Document what happens with NULL to
+ krb5_config_free_strings
+ (nothing). Mdoc nit.
+
+2005-08-22 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kuser/klist.c (check_for_tgt): Re-order code so it only free the
+ credential if one was returned.
+
+ * lib/krb5/test_crypto_wrapping.c: Fix printing of size_t.
+
+2005-08-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/hdb/dbinfo.c: provide interface to find databases
+
+ * lib/hdb/mkey.c: hdb_seal_key_mkey): dont double encrypt keys
+
+2005-08-15 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kdc_locl.h: Update prototype for _kdc_pk_mk_pa_reply.
+
+2005-08-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/init_creds_pw.c: Save the request buffer so that
+ pre-auth mechanism that needs it can verify the reply.
+
+2005-08-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/test_mem.c: Rename logf to avoid shadowing.
+
+ * lib/krb5/krb5_keytab.3: Fix the version number for
+ fcc-mit-ticketflags.
+
+ * lib/krb5/fcache.c: Revert previous, I was confused.
+
+ * lib/krb5/krb5_keytab.3: Document fcc-mit-ticketflags in
+ COMPATIBILITY section.
+
+ * lib/krb5/fcache.c (fcc_store_cred): default to MIT style ticket
+ flags.
+
+ * kdc/pkinit.c (pk_mk_pa_reply_enckey): add missing break;
+
+ * lib/krb5/krb5_create_checksum.3: Update prototype for
+ krb5_create_checksum.
+
+ * kdc/pkinit.c: Make compile.
+
+ * lib/krb5/pkinit.c: Implement verification of asChecksum, now
+ client side code is using -27 of the pk-init draft.
+
+ * kdc/kdc_locl.h: update prototype for _kdc_as_rep
+
+ * kdc/pkinit.c: Fill in asChecksum, we now implements -27 in the KDC.
+
+ * kdc/process.c: Pass down the request buffer to _kdc_as_rep().
+
+ * kdc/kerberos5.c (_kdc_as_rep): Pass down the request buffer to
+ _kdc_pk_mk_pa_reply.
+
+2005-08-11 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/hdb/ext.c: HDB extensions access glue.
+
+ * kcm/acquire.c: Use krb5_set_password instead of
+ krb5_change_password.
+
+ * configure.in: Add tests/Makefile and tests/db/Makefile.
+
+ * NEWS: New ASN.1 compiler
+
+ * lib/hdb/Makefile.am: Build extensions.
+
+ * lib/hdb/print.c: Print extensions.
+
+ * lib/hdb/hdb_err.et: Add error "Entry contains unknown mandatory
+ extension".
+
+ * lib/hdb/hdb.h: Update interface version (and indent).
+
+ * lib/hdb/hdb.asn1: Add support for HDB-extension.
+
+2005-08-10 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/test_pkinit_dh2key.c: add tests vectors from
+ "Liqiang(Larry) Zhu" <lzhu@windows.microsoft.com>
+
+ * lib/hdb/mkey.c: Expose the crypto operations on the master key.
+
+ * lib/krb5/test_pkinit_dh2key.c: even more bits, not done yet
+
+2005-08-09 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos5.c (_kdc_as_rep): preserve the error code in the
+ ENC-TS case. From: Andrew Bartlett <abartlet@samba.org>
+
+ * kdc/kerberos5.c (tgs_rep2): only needs to log "Failed to verify
+ authenticator" once, its already done by
+ tgs_check_authenticator().
+
+ * kdc/kerberos5.c: Indent strings.
+
+ * kdc/kerberos5.c (log_timestamp): avoid shadow warnings
From:
+ Andrew Bartlett <abartlet@samba.org>
+
+ * lib/krb5/verify_user.c: Add krb5_verify_opt_alloc and
+ krb5_verify_opt_free.
+
+ * lib/krb5/krb5_verify_user.3: Document krb5_verify_opt_alloc and
+ krb5_verify_opt_free.
+
+ * lib/hdb/db3.c (DB_open): catch errors from the d->open calls
+ instead of letting them slip though to d->cursor. Bug repport from
+ Andrew Bartlett <abartlet@samba.org>
+
+2005-07-29 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/Makefile.am (kdc_LDADD): add LDADD
+
+2005-07-28 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos5.c (_kdc_as_rep): log what enctypes was using in
+ ENC-TS preauth, both for failure and success.
+
+ * kdc/hprop.c: Use the _krb5_krb_life_to_time function from
+ libkrb5 instead of including our own here too.
+
+ * kdc/kerberos5.c: indent printf strings
+
+ * lib/hdb/mkey.c (hdb_unseal_key_mkey): try to unseal key with
+ keyusage 0 in case the key was encrypted with MIT Kerberos (old
+ patch from Johan)
+
+2005-07-26 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/pkinit.c: update to pkinit-27
+
+2005-07-23 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c: Adapt to IMPLICIT changes in CMS module.
+
+2005-07-20 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/test_pkinit_dh2key.c: framework for testing
+ _krb5_pk_octetstring2key
+
+ * kpasswd/kpasswdd.c (doit): krb5_addr2sockaddr takes a
+ krb5_socklen_t
+
+ * kdc/connect.c (de_http): sscanf takes a char *, not unsigned
+ ditto, cast approriately
+
+ * lib/krb5/crypto.c (_krb5_pk_octetstring2key): make sha1 output
+ unsigned char to match openssl
+
+2005-07-14 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/hdb/common.c: Check encoder lengths from ASN1_MALLOC_ENCODE.
+
+2005-07-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/rd_cred.c (krb5_rd_cred): don't leak memory
+
+ * lib/krb5/get_cred.c (krb5_get_credentials_with_flags): only call
+ krb5_cc_retrieve_cred once, and plug memory leak.
+
+2005-07-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/hdb/Makefile.am: the new asn.1 compiler includes the modules
+ name in the depend file
+
+ * lib/krb5/keytab_file.c (fkt_start_seq_get_int): check return
+ value from krb5_storage_from_fd
+
+ * lib/krb5/pkinit.c (pk_rd_pa_reply_dh): client do not contribute
+ to the DH when the server doesn't support the cached DH request.
+
+ * lib/krb5/crypto.c (_krb5_pk_octetstring2key): fix arguments
+
+2005-07-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/pkinit.c: clean up pk-init DH support, not finished
+ yet; improve error reporting
+
+ * lib/krb5/crypto.c (_krb5_pk_octetstring2key): string2key
+ function used in pk-init-25
+
+ * configure.in: Use a configure switch to turn on PK-INIT, not by
+ detecting existence of the new ASN.1 library.
+
+ * lib/asn1: Much improved ASN.1 compiler from joda-choice-branch.
+
+ Highlighs for the compiler is support for CHOICE and in general better
+ support for tags. This compiler support most of what is needed for
+ PK-INIT, LDAP, X.509, PKCS-12 and many other protocols.
+
+2005-07-10 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/asn1: make scope variables unique to avoid shadow warnings
+
+2005-07-09 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5.h: comment out paramenter name in typedef
+ functions to avoid shadow warnings
+
+ * lib/krb5/crypto.c: make input data to krb5_encrypt{,_ivec} const
+
+ * kuser/klist.c: If there are no addresses, print addressless
+ instead of nothing.
+
+ * lib/krb5/Makefile.am (TESTS): add test_crypto_wrapping
+
+ * lib/krb5/crypto.c (wrapped_length): the underived encrypted
+ types checksum are all unkeyed (matches the code in
+ encrypt_internal() and encrypt_internal_special())
+
+ * lib/krb5/test_crypto_wrapping.c: ETYPE_ARCFOUR_HMAC_MD5_56 isn't
+ not supported
+
+ * lib/krb5/test_crypto_wrapping.c: test encryption wrapping
+
+ * lib/krb5/test_crypto.c (time_encryption): free cleartext buffer
+
+2005-07-08 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * configure.in: run AM_INIT_AUTOMAKE before AM_PROG_CC_C_O
+ otherwise am_aux_dir will be expanded using ac_aux_dir before the
+ later is set.
+
+ * configure.in: check for strings.h explicitly instead of
+ depending on AC_HEADER_STDC to check it for us
+
+2005-07-07 Assar Westerlund <assar@kth.se>
+
+ * configure.in: add AM_PROG_CC_C_O for automake 1.9
+
+2005-07-06 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/keytab.c (krb5_kt_get_entry): clear error string when
+ returning a new error
+
+ * lib/krb5/keytab.c: krb5_kt_close frees all resources, even on
+ error.
+
+ * lib/krb5/verify_init.c (krb5_verify_init_creds): `entry' unused,
+ remove
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
+
+2005-07-05 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * doc/win2k.texi: arcfour-hmac-md5 support for windows cross was
+ added in w2k3-sp1 From David Love
+
+ * doc/setup.texi: document kadmin command password-quality instead
+ of the not installed test_pw_quality
+
+ * lib/krb5/krb5_get_init_creds.3: Spelling, from David Love
+
+ * fix-export: build kdc-protos.h
+
+2005-07-01 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc: prefix pkinit symbols with _kdc
+
+ * kuser/kinit.c: avoid shadowing variables
+
+ * kuser: s/optind/optidx/
+
+ * kdc: adapt pkinit code to libkdc split
+
+2005-06-30 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * tools/Makefile.am: add depency on LIB_dlopen and LIB_door_create
+
+ * tools/krb5-config.in: add depency on LIB_dlopen and LIB_door_create
+
+ * kdc/kdc_locl.h: indent, remove dup prototypes
+
+ * kdc/libkdc: don't pollute namespace, generate public headerfile
+
+ * lib/krb5/principal.c: add krb5_425_conv_principal_ext2 that work
+ just like krb5_425_conv_principal_ext but takes a context variable
+ for the verification function
+
+ * kdc/Makefile.am: there is no export script, not pretend there is
+
+ * kdc: Merge in the libkdc/kdc configuration split from Andrew
+ Bartlet <abartlet@samba.org>
+
+ * lib/krb5/crypto.c: optionally compile in support for afs string2key
+
+ * configure.in: add --disable-afs-string-to-key to allow removal
+ of support for afs string2key (and dependency on crypt)
+
+2005-06-29 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos5.c: Add logging of all timestamps in AS-REQ and
+ TGS-REQ, for auditing
+
+ * kdc/kerberos5.c (as_req): print the supported encryption types
+ so its possible to know what clients to update.
+ (find_rpath): return const char * and update callers.
+
+2005-06-28 Luke Howard <lukeh@padl.com>
+
+ * kcm/connect.c: fix arguments to kcm_log() when reporting
+ sendmsg() error
+
+ * kcm/connect.c: don't send socket address in msghdr, it
+ returns an already connected error on Linux
+
+2005-06-24 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/524.c: Always include <krb5-v4compat.h>.
+
+2005-06-23 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * doc/intro.texi: no more libdes, gssapi lib is complete
+
+ * lib/krb5/krb5.conf.5: Documentation for password quality
+ control.
From: "James F. Hranicky" <jfh@cise.ufl.edu>
+
+ * lib/krb5/verify_krb5_conf.c (password_quality_entries): add
+ min_length and min_classes
+
+ * kdc/kaserver.c: log the kaserver requests, avoid shadowing
+ variables
+
+ * lib/hdb/db3.c (DB_open): in case of error, close database
+
+ * lib/hdb/ndbm.c (NDBM_open): in case of error, close database
+
+ * lib/hdb/db.c (DB_open): in case of error, close database
+
+2005-06-20 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kcm/kcm.8: fix example
+
+2005-06-17 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/rd_rep.c: indent
+
+ * lib/krb5/rd_rep.c (krb5_rd_rep): check if
+ KRB5_AUTH_CONTEXT_DO_TIME set and use that as a que that timestamp
+ should be checked, DCE-STYLE gssapi needs to be able to tweek this
+
+ * kdc/string2key.c: rename optind to optidx
+
+ * lib/hdb/convert_db.c: rename optind to optidx
+
+ * lib/hdb/keytab.c: const poison, add a unconst where needed
+
+ * lib/krb5/crypto.c (krb5_string_to_key): unconst password
+
+ * lib/asn1/k5.asn1: rename pvno to krb5-pvno
+
+ * lib/krb5/get_in_tkt_with_keytab.c (krb5_keytab_key_proc):
+ unconst argument
+
+ * lib/krb5/verify_krb5_conf.c: rename optind to optidx
+
+ * lib/krb5/transited.c: rename the temporary string variable to
+ `str'
+
+ * lib/krb5/test_crypto.c: rename optind to optidx
+
+ * lib/krb5/test_alname.c: rename optind to optidx
+
+ * lib/krb5/store.c: unconst argument to krb5_store (XXX this
+ should be fixed, krb5_store doesn't need to modify its argument)
+
+ * lib/krb5/send_to_kdc.c (krb5_sendto): remove shadowing
+ unnessecery variable ret
+
+ * lib/krb5/rd_cred.c (krb5_rd_cred): remove shadowing unnessecery
+ variable len
+
+ * lib/krb5/prog_setup.c: rename optind to optidx
+
+ * lib/krb5/padata.c: rename variable index to idx
+
+ * lib/krb5/log.c: rename variable time to timestr to avoid
+ shadowing
+
+ * lib/krb5/krbhst.c (krb5_krbhst_init_flags): rename variable to
+ avoid shadowing
+
+ * lib/krb5/krbhst-test.c: rename optind to optidx
+
+ * 
lib/krb5/kcm.c: unconst argumen to connect, unconst argument to + krb5_store (XXX this should be fixed, krb5_store doesn't need to + modify its argument) + + * lib/krb5/init_creds_pw.c (default_s2k_func): unconst password + + * lib/krb5/crypto.c: rename `encrypt' to avoid shadow warning + +2005-06-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/principal.c: rename index to idx + + * lib/krb5/mk_error.c: use rk_UNCONST + + * lib/krb5/fcache.c: rename to avoid shadowing + + * lib/krb5/config_file.c: rename to avoid shadowing + + * lib/krb5/cache.c (_krb5_expand_default_cc_name): just copy the + string instead of losing const + + * lib/krb5/addr_families.c: use rk_UNCONST to silence const + warning + + * lib/krb5/addr_families.c: rename sin to sin4 + + * lib/asn1/asn1_print.c: rename optind to optidx, remove shadowed + variables + + * lib/asn1/main.c: rename optind to optidx + + * lib/asn1/gen_copy.c: rename to avoid shadowing + + * lib/asn1/gen_locl.h: rename function filename to get_filename + + * lib/asn1/lex.l: use get_filename + + * lib/asn1/gen.c: rename function filename to get_filename + + * lib/krb5/acache.c: use HAVE_DLOPEN around cc_handle + + * configure.in: add headers and prototypes to logwtmp, logout and + openpty checks + + * configure.in: include headerfiles and set prototype for tgetent + + * kdc/kerberos5.c (make_etype_info2_entry): NUL terminate the + string + + * kdc/kerberos5.c: replace strndup with inline copy, free data on + failure + + * lib/krb5/cache.c (_krb5_expand_default_cc_name): replace strndup + with inline copy + + * lib/krb5/log.c: rename close and log to avoid shadow warnings + + * lib/krb5/get_in_tkt.c: rename index to i to avoid shadowing + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): rename two + of the local `realm' to srealm to avoid shadowing + + * kdc/kerberos5.c (tgs_rep2): rename one of the tkey to uukey to + avoid shadow warning + + * kdc/kerberos5.c (tgs_rep2): rename loop to nloop to avoid shadow + 
warning + +2005-06-15 Love Hörnquist Åstrand <lha@it.su.se> + + * Release 0.7, see branch + +2005-06-14 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: TESTS += test_mem libkrb5_la_SOURCES += + kcm.h + + * kuser/kinit.c (main): catch KRB5_CONFIG_BADFORMAT from + krb5_init_context + + * kdc/main.c (main): catch KRB5_CONFIG_BADFORMAT from + krb5_init_context + + * lib/krb5/verify_krb5_conf.c (main): catch KRB5_CONFIG_BADFORMAT + from krb5_init_context 
From: Mathias Feiler + <feiler@uni-hohenheim.de> + + * lib/krb5/verify_krb5_conf.c: Add more missig entires, from + Mathias Feiler <feiler@uni-hohenheim.de> + +2005-06-11 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/pkinit.c (pk_principal_from_X509): remember to free + KRB5PrincipalName + + * lib/krb5/log.c (krb5_closelog): free all content in + krb5_log_facility + +2005-06-08 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/524.c: init kvno to please gcc + + * kdc/kaserver.c (do_authenticate): check return value from + unparse_auth_args + +2005-06-07 Dave Love <fx@gnu.org> + + * doc/setup.texi: Spelling. + + * doc/programming.texi: Spelling. + +2005-06-02 Dave Love <fx@gnu.org> + + * kcm/connect.c (kcm_door_server): Make static. + + * kcm/kcm_locl.h (disallow_getting_krbtgt): Declare. + +2005-06-02 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/mit_dump.c (mit_prop_dump): cast argument to + krb5_parse_principal to avoid warning + + * kdc/mit_dump.c: rename KRB5_TL_MOD_PRINC to + mit_KRB5_TL_MOD_PRINC to hint its a constant originating from mit + codebase + +2005-06-01 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/store.c: If we are allocating 0 entires, avoid failing + if ALLOC returns NULL + + * lib/krb5/verify_krb5_conf.c: Check for [kdc]v4-realm + + * lib/krb5/cache.c: When returning a new error code, set error + string. + +2005-05-31 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/keytab_file.c: Adapt to changed signature of + _krb5_xunlock, clear more error string where needed. 
+ + * lib/krb5/fcache.c (_krb5_xunlock): catch the error and turn it + into something sensable + +2005-05-30 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c (tgs_make_reply): copy ok-as-delegate flag from + server entry to encrypted ticket flags + +2005-05-30 Johan Danielsson <joda@pdc.kth.se> + + * kdc/connect.c: rename sendlength to prependlength (which + hopefully better represents its purpose), and change type to + krb5_boolean + + * kdc/connect.c: log signal causing exit + + * kdc/main.c (sigterm): set exit_flag to signal causing exit; + (main): trap SIGXCPU + +2005-05-30 Love Hörnquist Åstrand <lha@it.su.se> + + * kcm/kcm.8: document --disallow-getting-krbtgt and --door-path + + * kcm/protocol.c (kcm_op_retrieve): check server for krbtgt, not + client + + * kcm/main.c: ignore SIGPIPE + + * kcm/protocol.c: Add option to disallow getting krbtgt out from + from KCM. KCM will do the fetching part itself. + + * kcm/config.c: Add option to disallow getting krbtgt out from + from KCM. KCM will do the fetching part itself. + +2005-05-30 Luke Howard <lukeh@padl.com> + + * kcm/events.c: if credentials have expired when attempting + to renew, attempt to reacquire them using initial creds + +2005-05-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_principal.3: Spelling, from Björn Sandell + + * doc/setup.texi: spelling, from Björn Sandell + + * lib/krb5/name-45-test.c: XXX don't run the test unless the + machine is in kth.se or su.se because it depends on local resolver + configuration. 
+ + * lib/hdb/hdb.c: provde RTLD_NOW and RTLD_GLOBAL if they don't + exists + + * kcm/connect.c: fix doors support, fix signedness warnings + + * kcm/config.c: add --door-path= + + * configure.in: comment what the "detect doors on solaris" + fragment tries to do + + * kcm/acquire.c (generate_random_pw): fix signed-ness warnings + + * kcm/connect.c (update_client_creds): fix compile error in the + getpeerucred case + + * lib/krb5/test_cc.c: change format for expantion variables in + default_cc_name to %{variable} to not confuse them with shell + ditto + + * kcm/headers.h: Maybe include <door.h>. + + * kcm/kcm_locl.h: add extern door_path; + + * configure.in: detect doors using door_create + + * kcm/Makefile.am: add dependcy on kcm_protos.h add lib depency on + LIB_door_create + + * lib/krb5/kcm.h: add _PATH_KCM_DOOR, default path to kcm door + + * lib/krb5/kcm.c: use [libdefaults]kcm_door to find the door to + kcm + + * lib/krb5/Makefile.am: libkrb5_la_LIBADD += LIB_door_create + + * lib/krb5/krb5_locl.h: Maybe include <sys/mman.h>, maybe include + <door.h>. 
+ + * lib/krb5/kcm.c (kcm_send_request): add support for doing a door + call to kcm + + * lib/asn1: prefix Der_class with ASN1_C_ to avoid problems with + system headerfiles that pollute the name space + + * kcm/kcm.8: change format for expantion variables in + default_cc_name to %{variable} to not confuse them with shell + ditto + + * lib/krb5/krb5.conf.5: change format for expantion variables in + default_cc_name to %{variable} to not confuse them with shell + ditto + + * lib/krb5/cache.c (_krb5_expand_default_cc_name): change format + for expantion variables to %{variable} to not confuse them with + shell ditto + + * kcm/connect.c: add LOCAL_PEERCRED and experimental doors support + +2005-05-27 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/kf/kfd.c: case uid_t to unsigned long in printf format + +2005-05-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_auth_context.3: remove trailing space + +2005-05-24 Love Hörnquist Åstrand <lha@it.su.se> + + * kcm/connect.c (do_request): use sendmsg to send the reply + + * fix-export: add make_proto for kcm/kcm_protos.h + + * kcm/kcm_locl.h: remove prototypes and add <kcm_protos.h> + + * kcm/Makefile.am (kcm_SOURCES): add headerfiles + (kcm_protos.h): generate prototypes + + * kcm/protocol.c: fix error in last commit, use right function + + * kcm/headers.h: include <ucred.h> if we have getpeerucred + + * configure.in: check for functions getpeerucred and getpeereid + + * kcm/connect.c (update_client_creds): add support for + getpeerucred and getpeereid + + * lib/krb5/kcm.c (kcm_alloc): allow kcm socket to be configured by + [libdefaults]kcm_socket=/path + +2005-05-24 David Love <fx@gnu.org> + + * kcm/kcm.8: KRB5CCNAME needs an literal uid, not ${uid}, spelling + +2005-05-23 Love Hörnquist Åstrand <lha@it.su.se> + + * kcm/protocol.c: Merge the description and function jumptables + into one structure. Use the length of the array when checking if + opcode is value, not a constant. 
+ + * kcm/kcm_locl.h: struct kcm_op: jumptable structure + + * kcm/main.c: move declaration of detach_from_console away from + here to kcm_locl.h, Don't test HAVE_DAEMON since roken supplies it. + + * kcm/kcm_locl.h: move declaration of detach_from_console here + + * kdc/config.c: Don't test HAVE_DAEMON since roken supplies it. + +2005-05-23 Dave Love <fx@gnu.org> + + * kcm/config.c: Don't test HAVE_DAEMON since roken supplies it. + + * kdc/main.c: Don't test HAVE_DAEMON since roken supplies it. + +2005-05-23 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_keytab.3: document WRFILE and JAVA14 + +2005-05-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krbhst.c (srv_get_hosts): if srv_get_hosts failes, + return and ignore the error + + * lib/krb5/krbhst.c (srv_find_realm): make sure `res' and `count' + have good values + + * lib/krb5/test_keytab.c: tests all keytab format + +2005-05-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c (_krb5_pk_rd_pa_reply): non non asn1 decoding + errors, fail. Make sure we free memory on error. + (pk_verify_chain_standard): make sure we provide good errors. + + * lib/krb5/verify_krb5_conf.c: add missing options, prompted by + James F. Hranicky mail to heimdal-discuss + + * lib/krb5/verify_krb5_conf.c: add pkinit and password quailty + check options + + * lib/krb5/pkinit.c (pk_verify_chain_standard): store better error + message in the context for certificate errors. + + * lib/krb5/keytab.c (krb5_kt_free_entry): zero out content of all + krb5_free_x_content like functions to make sure data doesnt get + reused, idea from Wynn Wilkes <wwilkes@vintela.com> + + * configure.in: depend on automake 1.8, we don't test anything + older + + * lib/krb5/init_creds_pw.c (process_pa_data_to_md): add comment + that the caller always free out_md; remove comment about memory, + it doesn't happen. 
+ (init_cred_loop): free ctx->as_req.padata when its reset (From Wynn + Wilkes <wwilkes@vintela.com>), move a comment close the the code + + * lib/krb5/keytab_krb4.c (fkt_remove_entry): need to call + krb5_kt_free_entry after each krb5_kt_next_entry. + + * lib/krb5/keytab_file.c (fkt_remove_entry): need to call + krb5_kt_free_entry after each fkt_next_entry_int. From: Wynn + Wilkes <wwilkes@vintela.com> + +2005-05-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: TESTS += test_keytab + + * lib/krb5/keytab_krb4.c (krb4_kt_remove_entry): plug memory leaks, + avoid crashing on empty keytab + + * lib/krb5/krb5_keytab.3: document behavior of + krb5_kt_remove_entry + + * lib/krb5/keytab_memory.c (mkt_remove_entry): check if there + isn't any entries in the keytab before removing any since that + leads to bad pointer arithmetic and crashing. From: Wynn Wilkes + <wwilkes@vintela.com>. Make the function return KRB5_KT_NOTFOUND + if the entry wasn't in the keytab (just like the filebased + keytab). + + * lib/krb5/test_keytab.c: test memory corruption in MEMORY keytab + + * lib/krb5{addr_families,context,creds,free,keyblock, + mit_glue,rd_error}.c:zero out content of all krb5_free_x_content + like functions to make sure data doesnt get reused, idea from + Wynn Wilkes <wwilkes@vintela.com> + + * lib/krb5/krb5_get_credentials.3: document KRB5_GC_EXPIRED_OK + + * lib/krb5/krb5.3: add krb5_cc_new_unique + +2005-05-17 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/fcache.c (fcc_get_first): check return value from + malloc, memset the structure, make sure cursor doesn't point to + freed memory on failure. 
From: Wynn Wilkes <wwilkes@vintela.com> + + * lib/krb5/krb5_auth_context.3: document + KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED + + * lib/krb5/get_cred.c: Remove expired credentials, based on + patches and comments from Anders Magnusson <ragge@ltu.se> and Wynn + Wilkes <wwilkes@vintela.com> + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): honor + KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED and create unencrypted + (ENCTYPE_NULL) credentials. for use with old mit server and java based + ones as they can't handle encrypted KRB-CRED. Note that the option + needs to turned on because if the consumer sends the KRB-CRED in + clear bad things will happen. + + * lib/krb5/context.c (krb5_init_context): register krb5_javakt_ops + + * lib/krb5/krb5.h: KRB5_GC_EXPIRED_OK: expired credentials is ok + to return from krb5_get_credentials. + KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED: make forward credentials + be unencrypted, for compatibility with mit kerberos and java + kerberos. krb5_javakt_ops: export + +2005-05-16 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/keytab_file.c: Add new keytab file format JAVA14 that + doesn't the use extended kvnos, as hinted, this is needed for + Java's Kerberos implementation. + +2005-05-10 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/pkinit.c: handle pkinit-9, pkinit-19, and pkinit-25 + enckey, still no DH + + * kdc/pkinit.c: handle pkinit-9, pkinit-19, and pkinit-25 enckey, + still no DH + + * kdc/kerberos5.c (as_rep): search for pkinit-9, pkinit-19, and + pkinit-25 pa-data, return empty pkinit pa-data in the + PREAUTH_REQUIRED krb-error + + * doc/ack.texi: add pkinit people + + * lib/krb5/krb5_storage.3: document krb5_storage_is_flags + + * lib/krb5/{krb5_compare_creds.3,krb5_get_init_creds.3, + krb5_krbhst_init.3,krb5_storage.3}: + make more pretty, from Björn Sandell + +2005-05-09 Dave Love <fx@gnu.org> + + * doc/setup.texi: Fix and clarify password quality check examples. 
+ +2005-05-09 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/kuserok.c (krb5_kuserok): use POSIX_GETPWNAM_R instead + of HAVE_GETPWNAM_R 
From: Dave Love <d.love@dl.ac.uk> + +2005-05-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/addr_families.c (krb5_print_address): catch when the + unknown adress don't fit. From Björn Sandell <biorn@dce.chalmers.se> + +2005-05-05 Dave Love <d.love@dl.ac.uk> + + * configure.in: fix type right test, include <termios.h> for + sys/strtty.h, not sys/ptyvar.h + +2005-05-05 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.conf.5: spelling + +2005-05-04 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5.conf.5: expand on what "trailing component" means + +2005-05-04 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/rd_cred.c: put address comparison in separate function + + * lib/krb5/krb5_kuserok.3: check the user's ~/.k5login.d directory + for access files, all of which is handled like the regular + ~/.k5login + + * lib/krb5/kuserok.c: check the user's ~/.k5login.d directory for + access files, all of which is handled like the regular ~/.k5login + +2005-05-03 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/ack.texi: Clearify what version of libdes we are using and + who's code in it we are using. + + * kcm/kcm.8: more text about usage + + * kcm/Makefile.am: man_MANS += kcm.8 + + * kcm/kcm.8: initial manpage + + * configure.in: if we have a $srcdir/lib/asn1/pkcs12.asn1, define + PKINIT + +2005-05-02 Dave Love <fx@gnu.org> + + * configure.in: sys/tty.h (for sys/ptyvar.h) might need termios.h. + +2005-05-02 Love Hörnquist Åstrand <lha@it.su.se> + + * tools/krb5-config.in: add com_err to required libs + + * lib/krb5/pkinit.c (krb5_ui_method_read_string): use the fill in + length + + * lib/krb5/init_creds_pw.c: Now that we fixed the signed-ness of + nonce for windows, remove the code that removed the signed + bit. Instead add comment that they still need to be the same + (Kerberos protocol nonce and pk-init nonce) for Windows. 
+ +2005-05-02 David Love <fx@gnu.org> + + * lib/krb5/crypto.c: Don't declare des_salt &c as static with + incomplete type (invalid in c89, at least). + +2005-05-02 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/krb5_locl.h: include <crypt.h> + +2005-05-02 David Love <fx@gnu.org> + + * kcm/connect.c (init_socket): rename variable sun to un to avoid + namespace collision. + (handle_stream): Cast arg of krb5_warnx. + +2005-04-30 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c: if we are using PKINIT, strip of the + highest bit to make windows PK-INIT happy. Also make the nonces + the same, again for windows, they are using pk-init-9. + + XXX check if it isn't the that nonce is an unsigned variable so + its just a asn1 mismatch. + + * kdc/pkinit.c: pass a NULL prompter data to _krb5_pk_load_openssl_id + + * kuser/kinit.c: krb5_get_init_creds_opt_set_pkinit + + * lib/krb5/pkinit.c: Pass prompter data to the prompter function, + implement a UI prompter function wrapping the kerberos prompter + function so that the the OpenSSL ENGINE can ask for a password + when loading the private key. 
From: Douglas E. Engert + + * lib/krb5: add <err.h> in test programs + + * configure.in: sys/ptyvar.h might need <sys/tty.h> + + * lib/krb5/Makefile.am: use LIB_com_err for libkrb5.la + +2005-04-29 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/Makefile.am: use $(LIB_com_err) + +2005-04-28 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/context.c (krb5_set_config_files): ignore permission + denied on configuration files, user might not be allowed to read + /var/heimdal/kdc.conf + +2005-04-26 Dave Love <fx@gnu.org> + + * lib/krb5/krb5_locl.h: define _POSIX_PTHREAD_SEMANTICS so we get + posix getpwnam_r + +2005-04-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/gen_glue.c: switch the units variable to a + function. gcc-4.1 needs the size of the structure if its defined + as extern struct units foo_units[] an we don't want to include + <parse_units.h> in the generate headerfile + +2005-04-25 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/hdb.schema: add EQUALITY rule for krb5ValidStart, + krb5ValidEnd, krb5PasswordEnd From Howard Chu + +2005-04-24 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/whatis.texi: comment out docbook stuff for now + + * kuser/klist.c: use strlcpy + + * doc/ack.texi: we no longer use eay libdes, make acknowledgment + still be there, but claim that we no longer use it. Mark editline + to be a modified version as required by the license. 
+ + * lib/krb5/pkinit.c: use the unexported oid_to_enctype function + + * lib/krb5/crypto.c: unexport the oid_to_enctype function, not for + external consumers + + * kdc/Makefile.am: always add kaserver + + * lib/krb5/krb5_ccache.3: document krb5_cc_new_unique + + * lib/krb5/cache.c (krb5_cc_new_unique): new function to create a + new credential cache + + * kdc/headers.h: don't include kerberos 4 headers here + + * kdc/hpropd.c: include kerberos 4 headers here + + * kdc/connect.c: add kaserver support independ of having krb4 + support + + * kdc/config.c: add kaserver support unconditionally, make kdc + only fail to start when there are no v4 realm configured and + krb4/kaserver is turned on + + * kdc/kaserver.c: Use the new Kerberos 4 functions in libkrb5 and + so kaserver support is always compiled in (still default disabled) + + * lib/krb5/v4_glue.c: simplify error handling + + * doc/whatis.texi: add docbook version macro of @sub + + * doc/heimdal.texi: change the wrapping around the Top node to + ifnottex, make html generation work + + * lib/krb5/krb5_krbhst_init.3: spelling, from Björn Sandell + <biorn@dce.chalmers.se> + + * lib/krb5/krb5_get_krbhst.3: spelling, from Björn Sandell + <biorn@dce.chalmers.se> + + * lib/krb5/krb5_data.3: spelling, from Björn Sandell + <biorn@dce.chalmers.se> + + * lib/krb5/krb5_aname_to_localname.3: spelling, from Björn Sandell + <biorn@dce.chalmers.se> + + * lib/krb5/krb5_address.3: spelling, from Björn Sandell + <biorn@dce.chalmers.se> + +2005-04-23 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/config.c: Use the new Kerberos 4 functions in libkrb5 and so + kerberos 4 is always compiled in (still default disabled) + + * kdc/kerberos4.c: Use the new Kerberos 4 functions in libkrb5 and + so kerberos 4 is always compiled in (still default disabled) + + * lib/krb5/krb5_locl.h: forward declaration of _krb5_krb_auth_data + + * lib/krb5/convert_creds.c: Move the kerberos v4 replacement + functions to v4_glue.c + + * lib/krb5/v4_glue.c: 
Implement enough of kerberos 4 protocol to + be a KDC, move the v4 bits over here + + * lib/krb5/krb5-v4compat.h: add more v4 defines + +2005-04-22 Love Hörnquist Åstrand <lha@it.su.se> + + * kpasswd/kpasswdd.c: Support multi-realms databases, requires + that all the realms are configured on the KDC in krb5.conf with + [libdefaults]default_realm stanzas. + +2005-04-21 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kerberos5.c: spell succeeded correctly, From Sean Chittenden + + * lib/krb5/addr_families.c: catch two more snprintf problems + +2005-04-20 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/hdb/Makefile.am: this lib include com_err, add -com_err to + CHECK_SYMBOLS + + * appl/test/http_client.c: cast ssize_t to unsigned long, fix + printf format + +2005-04-19 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/kuserok.c: use asprintf to avoid truncating pathnames + + * lib/krb5/get_host_realm.c: check return value of snprintf + + * lib/krb5/test_addr.c: check address truncation + + * lib/krb5/addr_families.c: check return values from snprintf and + clean up semantics of ret_len + + * lib/krb5/krb5_address.3: clarify what ret_len is in + krb5_print_address + + * lib/krb5/test_kuserok.c: add --version and --help + + * lib/krb5/kuserok.c: use getpwnamn_r if it exists + + * lib/krb5/Makefile.am: noinst_PROGRAMS += test_kuserok + + * lib/krb5/test_kuserok.c: test program for krb5_kuserok + +2005-04-18 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/acache.c (acc_resolve): if open_default_ccache failed + with ccErrCCacheNotFound try again with create_default_ccache, + this fixes the problem where the security server apperenly haven't + started yet on Mac OS X + + * lib/krb5/get_default_principal.c + (_krb5_get_default_principal_local): add, for use of functions + that in ccache layer to avoid recursive calls. 
+ + * lib/hdb/hdb-ldap.c: drop <ctype.h>, no longer use any of the is* + macros in this file + + * include/make_crypto.c: cast to unsigned char to make sure its + not negative when passing it to is* functions + +2005-04-15 Love Hörnquist Åstrand <lha@it.su.se> + + * doc/programming.texi: remove manpage macro, add some more + references to manpages + + * doc/heimdal.texi: define manpage macro + + * doc/setup.texi: document new password policy code + + * kpasswd/kpasswdd.c: add verifier libraries with + kadm5_add_passwd_quality_verifier + + * lib/krb5/krb5_keyblock.3: document krb5_keyblock_init + +2005-04-14 Love Hörnquist Åstrand <lha@it.su.se> + + * kdc/kaserver.c: AUTHENTICATE and AUTHENTICATE_V2 is almost the + same, and clients + (klog) can deal with that the kaserver returns the same thing for + both + + * lib/krb5/keyblock.c: Add krb5_keyblock_init to allocate an fill + in a keyblock from key data. + +2005-04-12 Love Hörnquist Åstrand <lha@it.su.se> + + * configure.in: rk_WIN32_EXPORT for roken + +2005-04-10 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/test/gssapi_server.c: print out client principla of + delegated credential + +2005-04-07 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/init_creds_pw.c (process_pa_data_to_key): also check + for KRB5_PADATA_PK_AS_REP_19, 
From: Douglas Engert + +2005-04-07 Love Hörnquist Åstrand <lha@it.su.se> + + * .cvsignore: ignore more generate files + +2005-04-04 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/asn1/check-der.c: use size_t, print size_t by casting to + unsigned long + + * lib/krb5/test_crypto.c: print size_t by casting to unsigned long + + * lib/krb5/acache.c: Argument to create_new_ccache is a principal, + not a credential cache name. Clean up lossage related to this + problem. + + * lib/hdb/Makefile.am: CHECK_SYMBOLS += HDBFlags2int + + * lib/krb5/addr_families.c + (krb5_address_prefixlen_boundary,krb5_free_address): + use find_atype when we are dealing with a kerberos address type + + * lib/krb5/aes-test.c: size_t vs int + fix printf + + * lib/krb5/pkinit.c: Since the decode can't make out the diffrence + between PA-PK-AS-REP-19 and PA-PK-AS-REQ-Win2k, try harder to + verify both cases + +2005-04-03 Love Hörnquist Åstrand <lha@it.su.se> + + * appl/test/uu_client.c: print size_t by casting to unsigned long + +2005-04-01 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kerberos4.c (do_version4): check client and server max_life + + * kdc/kaserver.c (do_getticket): check client max_life + +2005-03-31 Love <lha@kth.se> + + * lib/krb5/verify_krb5_conf.c: const poison + + * lib/krb5/test_alname.c: const poison + + * lib/asn1/main.c: const poison + + * lib/krb5/test_addr.c: test parse IPv6 RANGE addresses + + * lib/krb5/addr_families.c: implement mask boundary for IPv6 + + * lib/asn1/gen.c: avoid const string warnings steming from + writeable-string + +2005-03-28 Love Hörnquist Åstrand <lha@it.su.se> + + * lib/krb5/Makefile.am: TESTS += test_addr + + * lib/krb5/test_addr.c: simple test for addresses + + * lib/krb5/addr_families.c: make RANGE parse prefixlen style + addresses too, fix printing of RANGE addresses, add + krb5_address_prefixlen_boundary + + * lib/krb5/krb5_keytab.3: stop memory leak in example, expand on + wildcards + +2005-03-26 Love Hörnquist Åstrand <lha@it.su.se> |