-2008-01-21 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/get_for_creds.c: Use on variable less.
-
- * lib/krb5/get_for_creds.c: Try to handle ticket full and
- ticketless tickets better. Add doxygen comments while here.
-
- * lib/krb5/test_forward.c: Used for testing
- krb5_get_forwarded_creds().
-
- * lib/krb5/Makefile.am: noinst_PROGRAMS += test_forward
-
- * lib/krb5/Makefile.am: drop CHECK_SYMBOLS
-
- * lib/hdb/Makefile.am: drop CHECK_SYMBOLS
-
- * kdc/Makefile.am: drop CHECK_SYMBOLS
-
-2008-01-18 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/version-script.map: Add krb5_digest_probe.
-
-2008-01-13 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/pkinit.c: Replace hx509_name_to_der_name with
- hx509_name_binary.
-
-2008-01-12 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/Makefile.am: add missing files
-
-2007-12-28 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/digest.c: Log probe message, add NTLM_TARGET_DOMAIN to the
- type2 message.
-
-2007-12-14 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/hdb/dbinfo.c: Add hdb_default_db().
-
- * Makefile.am: Add some extra cf/*.
-
-2007-12-12 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kuser/kgetcred.c: Fix type of name-type. From Andy Polyakov.
-
-2007-12-09 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/log.c: Use hdb_db_dir().
-
- * kpasswd/kpasswdd.c: Use hdb_db_dir().
-
-2007-12-08 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/config.c: Use hdb_db_dir().
-
- * kdc/kdc_locl.h: add KDC_LOG_FILE
-
- * kdc/hpropd.c: Use hdb_default_db().
-
- * kdc/kstash.c: Use hdb_db_dir().
-
- * kdc/pkinit.c: Adapt to hx509 changes, use hdb_db_dir().
-
- * lib/krb5/rd_req.c: Document krb5_rd_req_in_set_pac_check.
-
- * lib/krb5/verify_krb5_conf.c: Check check_pac.
-
- * lib/krb5/rd_req.c: use KRB5_CTX_F_CHECK_PAC to init check_pac
- field in the krb5_rd_req_in_ctx
-
- * lib/krb5/expand_hostname.c: Adapt to changing
- dns_canonicalize_hostname into flags field.
-
- * lib/krb5/context.c: Adapt to changing dns_canonicalize_hostname
- into flags field, add check-pac as an libdefaults option.
-
- * lib/krb5/pkinit.c: Adapt to changes in hx509 interface.
-
- * doc: add doxygen documentation to hcrypto
-
- * doc/doxytmpl.dxy: generate links
-
-2007-12-07 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/Makefile.am: build_HEADERZ += heim_threads.h
-
- * lib/hdb/dbinfo.c (hdb_db_dir): Return the directory where the
- hdb database resides.
-
- * configure.in: Add --with-hdbdir to specify where the database is
- stored.
-
- * lib/krb5/crypto.c: revert previous patch, the problem is located
- in the RAND_file_name() function that will cause recursive nss
- lookups, can't fix that here.
-
-2007-12-06 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/crypto.c (krb5_generate_random_block): try to avoid the
- dead-lock in by not holding the lock while running
- RAND_file_name. Prompted by Hai Zaar.
-
- * lib/krb5/n-fold.c: spelling
-
-2007-12-04 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kuser/kdigest.c (digest-probe): implement command.
-
- * kuser/kdigest-commands.in (digest-probe): new command
-
- * kdc/digest.c: Implement supportedMechs request.
-
- * lib/krb5/error_string.c: Make krb5_get_error_string return an
- allocated string to make the function indempotent. From
- Zeqing (Fred) Xia.
-
-2007-12-03 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/krb5_locl.h (krb5_context_data): Flag if
- default_cc_name was set by the user.
-
- * lib/krb5/fcache.c (fcc_move): make sure ->version is uptodate.
-
- * kcm/acquire.c: use krb5_free_cred_contents
-
- * kuser/kimpersonate.c: use krb5_free_cred_contents
-
- * kuser/kinit.c: Use krb5_cc_move to make an atomic switch of the
- cred cache.
-
- * lib/krb5/cache.c: Put back code that was needed, move gen_new
- into new_unique.
-
- * lib/krb5/mcache.c (mcc_default_name): Remove const
-
- * lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME_KCM, redefine
- KRB5_DEFAULT_CCNAME to KRB5_DEFAULT_CCTYPE
-
- * lib/krb5/cache.c: Use krb5_cc_ops->default_name to get the
- default name.
-
- * lib/krb5/kcm.c: Implement krb5_cc_ops->default_name.
-
- * lib/krb5/mcache.c: Implement krb5_cc_ops->default_name.
-
- * lib/krb5/fcache.c: Implement krb5_cc_ops->default_name.
-
- * lib/krb5/krb5.h: Add krb5_cc_ops->default_name.
-
- * lib/krb5/acache.c: Free context when done, implement
- krb5_cc_ops->default_name.
-
- * lib/krb5/kcm.c: implement dummy kcm_move
-
- * lib/krb5/mcache.c: Implement the move operation.
-
- * lib/krb5/version-script.map: export krb5_cc_move
-
- * lib/krb5/cache.c: New function krb5_cc_move().
-
- * lib/krb5/fcache.c: Implement the move operation.
-
- * lib/krb5/krb5.h: Add move to the krb5_cc_ops, causes major
- version bump.
-
- * lib/krb5/acache.c: Implement the move operation. Avoid using
- cc_set_principal() since it broken on Mac OS X 10.5.0.
-
-2007-12-02 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/krb5_ccapi.h: Drop variable names to avoid -Wshadow.
-
-2007-11-14 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/krb5tgs.c: Should pass different key usage constants
- depending on whether or not optional sub-session key was passed by
- the client for the check of authorization data. The constant is
- used to derive "specific key" and its values are specified in
- 7.5.1 of RFC4120.
-
- Patch from Andy Polyakov.
-
- * kdc/krb5tgs.c: Don't send auth data in referrals, microsoft
- clients have started to not like that. Thanks to Andy Polyakov for
- excellent research.
-
-2007-11-11 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/creds.c: use krb5_data_cmp
-
- * lib/krb5/acache.c: use krb5_free_cred_contents
-
- * lib/krb5/test_renew.c: use krb5_free_cred_contents
-
-2007-11-10 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/acl.c: doxygen documentation
-
- * lib/krb5/addr_families.c: doxygen documentation
-
- * doc: add doxygen
-
- * lib/krb5/plugin.c: doxygen documentation
-
- * lib/krb5/kcm.c: doxygen documentation
-
- * lib/krb5/fcache.c: doxygen documentation
-
- * lib/krb5/cache.c: doxygen documentations
-
- * lib/krb5/doxygen.c: doxygen introduction
-
- * lib/krb5/error_string.c: Doxygen documentation.
-
-2007-11-03 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/test_plugin.c: expose krb5_plugin_register
-
- * lib/krb5/plugin.c: expose krb5_plugin_register
-
- * lib/krb5/version-script.map: sort, expose krb5_plugin_register
-
-2007-10-24 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/kerberos5.c: Adding same enctype is enough one time. From
- Andy Polyakov and Bjorn Sandell.
-
-2007-10-18 Love <lha@stacken.kth.se>
-
- * lib/krb5/cache.c (krb5_cc_retrieve_cred): check return value
- from krb5_cc_start_seq_get. From Zeqing (Fred) Xia
-
- * lib/krb5/fcache.c (init_fcc): provide better error codes
-
- * kdc/kerberos5.c (get_pa_etype_info2): more paranoia, avoid
- sending warning about pruned etypes.
-
- * kdc/kerberos5.c (older_enctype): old windows enctypes (arcfour
- based) "old", this to support windows 2000 clients (unjoined to a
- domain). From Andy Polyakov.
-
-2007-10-07 Love Hörnquist Åstrand <lha@it.su.se>
-
- * doc/setup.texi: Spelling, from Mark Peoples via Bjorn Sandell.
-
-2007-10-04 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/krb5tgs.c: More prettier printing of enctype, from KAMADA
- Ken'ichi.
-
- * lib/krb5/crypto.c (krb5_enctype_to_string): make sure string is
- NULL on failure.
-
-2007-10-03 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/kdc-replay.c: Catch KRB5_PROG_ATYPE_NOSUPP from
- krb5_addr2sockaddr and igore thte test is that case.
-
-2007-09-29 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/context.c (krb5_free_context): free
- default_cc_name_env, from Gunther Deschner.
-
-2007-08-27 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/{krb5.h,pac.c,test_pac.c,send_to_kdc.c,rd_req.c}: Make
- work with c++, reported by Hai Zaar
-
- * lib/krb5/{digest.c,krb5.h}: Make work with c++, reported by Hai Zaar
-
-2007-08-20 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/hdb/Makefile.am: EXTRA_DIST += hdb.schema
-
-2007-07-31 Love Hörnquist Åstrand <lha@it.su.se>
-
- * check return value of alloc functions, from Charles Longeau
-
- * lib/krb5/principal.c: spelling.
-
- * kadmin/kadmin.8: spelling
-
- * lib/krb5/crypto.c: Check return values from alloc
- functions. Prompted by patch of Charles Longeau.
-
- * lib/krb5/n-fold.c: Make _krb5_n_fold return a error
- code. Prompted by patch of Charles Longeau.
-
-2007-07-27 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/init_creds.c: Always set the ticket options, use
- KRB5_ADDRESSLESS_DEFAULT as the default value, this make the unset
- tri-state not so useful.
-
-2007-07-24 Love Hörnquist Åstrand <lha@it.su.se>
-
- * tools/heimdal-gssapi.pc.in: Add LIB_pkinit to the list of
- libraries.
-
- * tools/heimdal-gssapi.pc.in: pkg-config file for libgssapi in
- heimdal.
-
- * tools/Makefile.am: Add heimdal-gssapi.pc and install it into
- $(libdir)/pkgconfig
-
-2007-07-23 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/pkinit.c: Add RFC3526 modp group14 as a default.
-
-2007-07-22 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/hdb/dbinfo.c (get_dbinfo): use dbname instead of realm as
- key if the entry is a correct entry.
-
- * lib/krb5/get_cred.c: Make krb5_get_renewed_creds work, from
- Gunther Deschner.
-
- * lib/krb5/Makefile.am: Add test_renew to noinst_PROGRAMS.
-
- * lib/krb5/test_renew.c: Test for krb5_get_renewed_creds.
-
-2007-07-21 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/hdb/keys.c: Make parse_key_set handle key set string "v5",
- from Peter Meinecke.
-
- * kdc/kaserver.c: Don't ovewrite the error code, from Peter
- Meinecke.
-
-2007-07-18 Love Hörnquist Åstrand <lha@it.su.se>
-
- * TODO-1.0: remove
-
- * Makefile.am: remove TODO-1.0
-
-2007-07-17 Love Hörnquist Åstrand <lha@it.su.se>
-
- * Heimdal 1.0 release branch cut here
-
- * doc/hx509.texi: use version.texi
-
- * doc/heimdal.texi: use version.texi
-
- * doc/version.texi: version.texi
-
- * lib/hdb/db3.c: avoid type-punned pointer warning.
-
- * kdc/kx509.c: Use unsigned char * as argument to HMAC_Update to
- please OpenSSL and gcc.
-
- * kdc/digest.c: Use unsigned char * as argument to MD5_Update to
- please OpenSSL and gcc.
-
-2007-07-16 Love Hörnquist Åstrand <lha@it.su.se>
-
- * include/Makefile.am: Add krb_err.h.
-
- * kdc/set_dbinfo.c: Print acl file too.
-
- * kdc/kerberos4.c: Error codes are just fine, remove XXX now.
-
- * lib/krb5/krb5-v4compat.h: Drop duplicate error codes.
-
- * kdc/kerberos4.c: switch to ET errors.
-
- * lib/krb5/Makefile.am: Add krb_err.h to build_HEADERZ.
-
- * lib/krb5/v4_glue.c: If its a Kerberos 4 error-code, remove the
- et BASE.
-
-2007-07-15 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/krb5-v4compat.h: Include "krb_err.h".
-
- * lib/krb5/v4_glue.c: return more interesting error codes.
-
- * lib/krb5/plugin.c: Prefix enum plugin_type.
-
- * lib/krb5/krb5_locl.h: Expose plugin structures.
-
- * lib/krb5/krb5.h: Add plugin structures.
-
- * lib/krb5/krb_err.et: V4 errors.
-
- * lib/krb5/version-script.map: First version of version script.
-
-2007-07-13 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/kerberos5.c: Java 1.6 expects the name to be the same type,
- lets allow that for uncomplicated name-types.
-
-2007-07-12 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/v4_glue.c (_krb5_krb_rd_req): if ticket contains
- address 0, its ticket less and don't really care about
- from_addr. return better error codes.
-
- * kpasswd/kpasswdd.c: Fix pointer vs strict alias rules.
-
-2007-07-11 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/hdb/hdb-ldap.c: When using sambaNTPassword, avoid adding
- more then one enctype 23 to krb5EncryptionType.
-
- * lib/krb5/cache.c: Spelling.
-
- * kdc/kerberos5.c: Don't send newer enctypes in ETYPE-INFO.
- (get_pa_etype_info2): return the enctypes as sorted in the
- database
-
-2007-07-10 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kuser/kinit.c: krb5-v4compat.h defines prototypes for
- v4 (semiprivate functions) in libkrb5, don't include
- krb5-private.h any longer.
-
- * lib/krb5/krbhst.c: Set error string when there is no KDC for a
- realm.
-
- * lib/krb5/Makefile.am: New library version.
-
- * kdc/Makefile.am: New library version.
-
- * lib/krb5/krb5_locl.h: Add default_cc_name_env.
-
- * lib/krb5/cache.c (enviroment_changed): return non-zero if
- enviroment that will determine default krb5cc name has changed.
- (krb5_cc_default_name): also check if cached value is uptodate.
-
- * lib/krb5/krb5_locl.h: Drop pkinit_flags.
-
-2007-07-05 Love Hörnquist Åstrand <lha@it.su.se>
-
- * configure.in: add tests/java/Makefile
-
- * lib/hdb/dbinfo.c: Add hdb_dbinfo_get_log_file.
-
-2007-07-04 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/kerberos5.c: Improve the default salt detection to avoid
- returning v4 password salting to java that doesn't look at the
- returning padata for salting.
-
- * kdc: Split out krb5_kdc_set_dbinfo, From Andrew Bartlett
-
-2007-07-02 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/digest.c: Try harder to provide better error message for
- digest messages.
-
- * lib/krb5/Makefile.am: verify_krb5_conf_OBJECTS depends on
- krb5-pr*.h, make -j finds this.
+We stop writing change logs, see the source code version control systems history log instead
-2007-06-28 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/digest.c: On success, print username, not ip-adress.
-
-2007-06-26 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/get_cred.c: Add krb5_get_renewed_creds.
-
- * lib/krb5/krb5_get_credentials.3: add krb5_get_renewed_creds
+2008-07-28 Love Hornquist Astrand <lha@h5l.org>
- * lib/krb5/pkinit.c: Use hx509_cms_unwrap_ContentInfo.
+ * lib/krb5/v4_glue.c: The "kaserver" part of Heimdal occasionally
+ issues invalid AFS tokens
+ (here "occasionally" means for certain users in certain realms).
-2007-06-25 Love Hörnquist Åstrand <lha@it.su.se>
-
- * doc/setup.texi: Add example for pkinit_win2k_require_binding
- in [kdc] section.
-
- * kdc/default_config.c: Rename require_binding to
- win2k_require_binding to match client configuration.
-
- * kdc/default_config.c: Add [kdc]pkinit_require_binding option.
-
- * kdc/pkinit.c (pk_mk_pa_reply_enckey): only allow non-bound reply
- if its not required.
-
- * kdc/default_config.c: rename pkinit_princ_in_cert and add
- pkinit_require_binding
-
- * kdc/kdc.h: rename pkinit_princ_in_cert and add
- pkinit_require_binding
-
- * kdc/pkinit.c: rename pkinit_princ_in_cert
-
-2007-06-24 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/pkinit.c: Adapt to hx509_verify_hostname change.
-
-2007-06-21 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/krb5tgs.c: Drop unused variable.
-
- * kdc/krb5tgs.c: disable anonyous tgs requests
-
- * kdc/krb5tgs.c: Don't check PAC on cross realm for now.
-
- * kuser/kgetcred.c: Set KRB5_GC_CONSTRAINED_DELEGATION and parse
- nametypes.
-
- * lib/krb5/krb5_principal.3: Document krb5_parse_nametype.
-
- * lib/krb5/principal.c (krb5_parse_nametype): parse nametype and
- return their integer values.
-
- * lib/krb5/krb5.h (krb5_get_creds): Add
- KRB5_GC_CONSTRAINED_DELEGATION.
-
- * lib/krb5/get_cred.c (krb5_get_creds): if
- KRB5_GC_CONSTRAINED_DELEGATION is set, set both request_anonymous
- and constrained_delegation.
-
-2007-06-20 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/digest.c: Return an error message instead of dropping the
- packet for more failure cases.
-
- * lib/krb5/krb5_principal.3: Add KRB5_PRINCIPAL_UNPARSE_DISPLAY.
-
- * appl/gssmask/gssmask.c (AcquirePKInitCreds): fail more
- gracefully
-
-2007-06-18 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/pac.c: make compile.
+ In lib/krb5/v4_glue.c, in the routine storage_to_etext the ticket
+ is padded to a multiple of 8 bytes. If it is already a multiple of
+ 8 bytes, 8 additional 0-bytes are added.
- * lib/krb5/pac.c (verify_checksum): memset cksum to avoid using
- pointer from stack.
-
- * lib/krb5/plugin.c: Don't expose free pointer.
-
- * lib/krb5/pkinit.c (_krb5_pk_load_id): fail directoy for first
- calloc.
-
- * lib/krb5/pkinit.c (get_reply_key*): don't expose freed memory
-
- * lib/krb5/krbhst.c: Host is static memory, don't free.
-
- * lib/krb5/crypto.c (decrypt_internal_derived): make sure length
- is longer then confounder + checksum.
-
- * kdc: export get_dbinfo as krb5_kdc_set_dbinfo and call from
- users. This to allows libkdc users to to specify their own
- databases
-
- * lib/krb5/pkinit.c (pk_rd_pa_reply_enckey): simplify handling of
- content data (and avoid leaking memory).
-
- * kdc/misc.c (_kdc_db_fetch): set error string for failures.
+ This catches the AFS krb4 ticket decoder by surprise: unless the
+ ticket is exactly 56 bytes, it only supports the minimum necessary
+ padding. It detects the superfluous padding by comparing the
+ ticket length decoded to the advertised ticket length.
-2007-06-15 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/pkinit.c: Use KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.
-
-2007-06-13 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/pkinit.c: tell user when they got a pk-init request with
- pkinit disabled.
-
-2007-06-12 Love Hörnquist Åstrand <lha@it.su.se>
+ Hence a 7-letter userid in "cern.ch" which resulted in a ticket of
+ 40 bytes, got "padded" to 48 bytes which the rxkad decoder
+ rejected.
- * lib/krb5/principal.c: Rename UNPARSE_NO_QUOTE to
- UNPARSE_DISPLAY.
+ From Rainer Toebbicke.
- * lib/krb5/krb5.h: Rename UNPARSE_NO_QUOTE to UNPARSE_DISPLAY.
+2008-07-25 Love Hörnquist Åstrand <lha@h5l.org>
- * lib/krb5/principal.c: Make no-quote mean replace strange chars
- with space.
+ * kuser/kinit.c: add --ok-as-delegate and --windows flags
- * lib/krb5/principal.c: Support KRB5_PRINCIPAL_UNPARSE_NO_QUOTE.
+ * kpasswd/kpasswd-generator.c: Switch to krb5_set_password.
- * lib/krb5/krb5.h: Add KRB5_PRINCIPAL_UNPARSE_NO_QUOTE.
+ * kuser/kinit.c: Use krb5_cc_set_config.
- * lib/krb5/test_princ.c: Test quoteing.
+ * lib/krb5/cache.c: Add krb5_cc_[gs]et_config.
- * lib/krb5/pkinit.c: update (c)
-
- * lib/krb5/get_cred.c: use krb5_sendto_context to talk to the KDC.
-
- * lib/krb5/send_to_kdc.c (_krb5_kdc_retry): check if the whole
- process needs to restart or just skip this KDC.
+2008-07-22 Love Hörnquist Åstrand <lha@h5l.org>
- * lib/krb5/init_creds_pw.c: Use krb5_sendto_context to talk to
- KDC.
+ * lib/krb5/crypto.c: Allow numbers to be enctypes to as long as
+ they are valid.
- * lib/krb5/krb5.h: Add sendto hooks and opaque structure.
+2008-07-17 Love Hörnquist Åstrand <lha@h5l.org>
- * lib/krb5/krb5_rd_error.3: Update prototype.
+ * lib/hdb/version-script.map: some random bits needed for libkadm
- * lib/krb5/send_to_kdc.c: Add hooks for processing the reply from
- the server.
-
-2007-06-11 Love Hörnquist Åstrand <lha@it.su.se>
+2008-07-15 Love Hörnquist Åstrand <lha@h5l.org>
- * lib/krb5/krb5_err.et: Some new error codes from RFC 4120.
+ * lib/krb5/send_to_kdc_plugin.h: add name for send_to_kdc plugin.
-2007-06-09 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/krb5tgs.c: Constify.
-
- * kdc/kerberos5.c: Constify.
-
- * kdc/pkinit.c: Check for KRB5-PADATA-PK-AS-09-BINDING. Constify.
-
-2007-06-08 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5/krbhst.c: handle KRB5_PLUGIN_NO_HANDLE for lookup
+ plugin.
- * include/Makefile.am: Make krb5-types.h nodist_include_HEADERS.
+ * lib/krb5/send_to_kdc.c: Add support for the send_to_kdc plugin
+ interface.
- * kdc/Makefile.am: EXTRA_DIST += version-script.map.
+ * lib/krb5/Makefile.am: add send_to_kdc_plugin.h
-2007-06-07 Love Hörnquist Åstrand <lha@it.su.se>
-
- * Makefile.am (print-distdir): print name of dist
-
- * kdc/pkinit.c: Break out loading of mappings file to a separate
- function and remove warning that it can't open the mapping file,
- there are now mappings in the db, maybe the users uses that
- instead...
-
- * lib/krb5/crypto.c: Require the raw key have the correct size and
- do away with the minsize. Minsize was a thing that originated
- from RC2, but since RC2 is done in the x509/cms subsystem now
- there is no need to keep that around.
+ * lib/krb5/krb5_err.et: add plugin error codes
- * lib/hdb/dbinfo.c: If there is no default dbname, also check for
- unset mkey_file and set it default mkey name, make backward compat
- stuff work.
+2008-07-14 Love Hornquist Astrand <lha@kth.se>
- * kdc/version-script.map: add new symbols
+ * lib/hdb/Makefile.am: EXTRA_DIST += version-script.map
- * kdc/kdc-replay.c: Also update krb5_context view of what the time
- is.
+2008-07-14 Love Hornquist Astrand <lha@kth.se>
- * configure.in: add tests/can/Makefile
+ * lib/krb5/krb5_{address,ccache}.3: spelling, from openbsd via janne
+ johansson
- * kdc/kdc-replay.c: Add --[version|help].
+2008-07-13 Love Hörnquist Åstrand <lha@kth.se>
- * kdc/pkinit.c: Push down the kdc time into the x509 library.
+ * lib/krb5/version-script.map: add krb5_free_error_message
- * kdc/connect.c: Move up krb5_kdc_save_request so we can catch the
- reply data too.
+2008-06-21 Love Hörnquist Åstrand <lha@kth.se>
- * kdc/kdc-replay.c: verify reply by checking asn1 class, type and
- tag of the reply if there is one.
+ * lib/krb5/init_creds_pw.c: switch to krb5_set_password().
- * kdc/process.c: Save asn1 class, type and tag of the reply if
- there is one. Used to verify the reply in kdc-replay.
+2008-06-18 Love Hörnquist Åstrand <lha@kth.se>
-2007-06-06 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5/time.c (krb5_set_real_time): handle negative usec
- * kdc/kdc_locl.h: extern for request_log.
+2008-05-31 Love Hörnquist Åstrand <lha@kth.se>
- * kdc/Makefile.am: Add kdc-replay.
+ * lib/krb5/krb5_locl.h: Add <wind.h>
- * kdc/kdc-replay.c: Replay kdc messages to the KDC library.
+ * lib/krb5/crypto.c: Use wind_utf8ucs2_length to convert the password to utf16.
- * kdc/config.c: Pick up request_log from [kdc]kdc-request-log.
+2008-05-30 Love Hörnquist Åstrand <lha@kth.se>
- * kdc/connect.c: Option to save the request to disk.
+ * lib/krb5/kcm.c: Add back krb5_kcmcache argument to try_door().
- * kdc/process.c (krb5_kdc_save_request): save request to file.
+2008-05-27 Love Hörnquist Åstrand <lha@kth.se>
- * kdc/process.c (krb5_kdc_process*): dont update _kdc_time
- automagicly.
- (krb5_kdc_update_time): set or get current kdc-time.
-
- * kdc/pkinit.c (_kdc_pk_rd_padata): accept both pkcs-7 and
- pkauthdata as the signeddata oid
+ * lib/krb5/error_string.c (krb5_free_error_message): constify
- * kdc/pkinit.c (_kdc_pk_rd_padata): Try to log what went wrong.
+ * lib/krb5/error_string.c: Add krb5_get_error_message().
-2007-06-05 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/pkinit.c: Use oid_id_pkcs7_data for pkinit-9 encKey reply to
- match windows DC behavior better.
-
-2007-06-04 Love Hörnquist Åstrand <lha@it.su.se>
-
- * configure.in: use test for -framework Security
-
- * appl/test/uu_server.c: Print status to stdout.
-
- * kdc/digest.c (digest ntlm): provide log entires by setting ret
- to an error.
+ * lib/krb5/doxygen.c: krb5_cc_new_unique() is name of the creation
+ function.
-2007-06-03 Love Hörnquist Åstrand <lha@it.su.se>
-
- * doc/hx509.texi: Indent crl-sign.
-
- * doc/hx509.texi: One more crl-sign example.
+2008-04-30 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/test_princ.c: plug memory leaks.
+ * lib/hdb/hdb-ldap.c: Use the _ext api for OpenLDAP, from Honza
+ Machacek (gentoo).
- * lib/krb5/pac.c: plug memory leaks.
+2008-04-28 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/test_pac.c: plug memory leaks.
+ * lib/krb5/crypto.c: Use DES_set_key_unchecked().
- * lib/krb5/test_prf.c: plug memory leak.
+ * lib/krb5/krb5.conf.5: Document default_cc_type.
- * lib/krb5/test_cc.c: plug memory leaks.
+ * lib/krb5/cache.c: Pick up [libdefaults]default_cc_type
- * doc/hx509.texi: Simple blob about publishing CRLs.
-
- * doc/win2k.texi: drop text about enctypes.
+2008-04-27 Love Hörnquist Åstrand <lha@it.su.se>
-2007-06-02 Love Hörnquist Åstrand <lha@it.su.se>
+ * kdc/kaserver.c: Use DES_set_key_unchecked().
- * kdc/pkinit.c: In case of OCSP verification failure, referash
- every 5 min. In case of success, refreash 2 min before expiring or
- faster.
-
-2007-05-31 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/krb5_err.et: add error 68, WRONG_REALM
+2008-04-21 Love Hörnquist Åstrand <lha@it.su.se>
- * kdc/pkinit.c: Handle the ms san in a propper way, still cheat
- with the realm name.
+ * doc/hx509.texi: About the pkcs11 module.
- * kdc/kerberos5.c: If _kdc_pk_check_client failes, bail out
- directly and hand the error back to the client.
+ * doc/hx509.texi: Pick up version from vars.texi
- * lib/krb5/krb5_err.et: Add missing REVOCATION_STATUS_UNAVAILABLE
- and fix error message for CLIENT_NAME_MISMATCH.
+ * doc/hx509.texi: No MIT code in hx509.
- * kdc/pkinit.c: More logging for pk-init client mismatch.
+ * hx509 now includes a pkcs11 implementation.
- * kdc/kerberos5.c: Also add a KRB5_PADATA_PK_AS_REQ_WIN for
- windows pk-init (-9) to make MIT clients happy.
-
-2007-05-30 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/pkinit.c: Force des3 for win2k.
+2008-04-20 Love Hörnquist Åstrand <lha@it.su.se>
- * kdc/pkinit.c: Add wrapping to ContentInfo wrapping to
- COMPAT_WIN2K.
+ * lib/hdb/Makefile.am: Move OpenLDAP includes to AM_CPPFLAGS to
+ avoid dropping other defines for the library.
- * lib/krb5/keytab_keyfile.c: Spelling.
+2008-04-17 Love Hörnquist Åstrand <lha@it.su.se>
- * kdc/pkinit.c: Allow matching by MS UPN SAN, note that this delta
- doesn't deal with case of realm.
-
-2007-05-16 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5: add __declspec() for windows.
- * lib/krb5/crypto.c (krb5_crypto_overhead): return static overhead
- of encryption.
+ * configure.in: Update rk_WIN32_EXPORT, add gssapi to
+ rk_WIN32_EXPORT.
-2007-05-10 Dave Love <fx@gnu.org>
+ * configure.in: Lets try dependency tracking for automake 1.10 and
+ later.
- * doc/win2k.texi: Update some URLs.
+ * configure.in: Use at least libtool-2.2.
-2007-05-13 Love Hörnquist Åstrand <lha@it.su.se>
+ * configure.in: Use LT_INIT the right way.
- * kuser/kimpersonate.c: Fix version number of ticket, it should be
- 5 not the kvno.
-
-2007-05-08 Love Hörnquist Åstrand <lha@it.su.se>
-
- * doc/setup.texi: Salting is really Encryption types and salting.
-
-2007-05-07 Love Hörnquist Åstrand <lha@it.su.se>
-
- * doc/setup.texi: spelling, from Ronny Blomme
-
- * doc/win2k.texi: Fix ksetup /SetComputerPassword, from Ronny
- Blomme
-
-2007-05-02 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5/Makefile.am: Update make-proto usage.
- * lib/hdb/dbinfo.c (hdb_get_dbinfo) If there are no database
- specified, create one and let it use the defaults.
-
-2007-04-27 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/hdb/test_dbinfo.c: test acl file
-
- * lib/hdb/test_dbinfo.c: test acl file
+ * configure.in: Run autoupdate, use LT_INIT().
- * lib/hdb/dbinfo.c: add acl file
+2008-04-15 Love Hörnquist Åstrand <lha@it.su.se>
- * etc: ignore Makefile.in
+ * lib/krb5/test_forward.c: Don't print krb5_error_code since we
+ are using krb5_err().
- * Makefile.am: SUBDIRS += etc
+ * lib/krb5/ticket.c: Cast krb5_error_code to int to avoid warning.
- * configure.in: Add etc/Makefile.
+ * lib/krb5/scache.c: Cast krb5_error_code to int to avoid warning.
- * etc/Makefile.am: make sure services.append is distributed
+ * lib/krb5/principal.c: Cast enum to int to avoid warning.
-2007-04-24 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc: rename windc_init to krb5_kdc_windc_init
-
- * kdc/version-script.map: version script for libkdc
-
- * kdc/Makefile.am: version script for libkdc
-
-2007-04-23 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5/pkinit.c: Cast krb5_error_code to int to avoid warning.
- * lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error):
- correct the order of the arguments.
+ * lib/krb5/pac.c: Cast size_t to unsigned long to avoid warning.
- * lib/hdb/Makefile.am: Add and test dbinfo.
+ * lib/krb5/error_string.c: Cast krb5_error_code to int to avoid
+ warning.
- * lib/hdb/hdb.h: Forward declaration for struct hdb_dbinfo;
+ * lib/krb5/keytab_keyfile.c: Make num_entries an uint32 to avoid
+ negative numbers and type warnings.
- * kdc/config.c: Use krb5_kdc_get_config and just fill in what the
- users wanted differently.
+ * lib/krb5: cc_get_version returns an int, update.
- * kdc/default_config.c: Make the default configuration fetch info
- from the krb5.conf.
-
-2007-04-22 Love Hörnquist Åstrand <lha@it.su.se>
+2008-04-10 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to
- determine if to send the session-key, for the second place in the
- function.
+ * configure.in: Check for <asl.h>.
- * tools/krb5-config.in: rename des to hcrypto
+2008-04-09 Love Hörnquist Åstrand <lha@it.su.se>
- * kuser/Makefile.am: depend on libheimntlm
+ * lib/krb5/version-script.map: sort and export _krb5_pk_kdf
- * kuser/kinit.c: Add --ntlm-domain that store the ntlm cred for
- this domain if the Kerberos password auth worked.
+ * lib/krb5/crypto.c: Check kdf params. calculate the second half
+ of the key.
- * kuser/klist.c: add new option --hidden that doesn't display
- principal that starts with @
+ * lib/krb5/Makefile.am: Add test_pknistkdf
- * tools/krb5-config.in: Add heimntlm when we use gssapi.
+ * lib/krb5/test_pknistkdf.c: Test the new pkinit nist kdf.
- * lib/krb5/krb5_ccache.3 (krb5_cc_retrieve_cred): document what to
- free 'cred' with.
+ * lib/krb5/crypto.c: Complete _krb5_pk_kdf.
- * lib/krb5/cache.c (krb5_cc_retrieve_cred): document what to free
- 'cred' with.
+ * lib/krb5/crypto.c: First version of KDF in
+ draft-ietf-krb-wg-pkinit-alg-agility-03.txt.
-2007-04-21 Love Hörnquist Åstrand <lha@it.su.se>
+2008-04-08 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to
- determine if to send the session-key.
-
- * kcm/client.c (kcm_ccache_new_client): make root be able to pass
- the name constraints, not the opposite. From Bryan Jacobs.
+ * doc/setup.texi: Add text about smbk5pwd overlay from Buchan
+ Milne.
-2007-04-20 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kcm/acl.c: make compile again.
+ * lib/krb5/krb5_locl.h: Name the pkinit type enum.
- * kcm/client.c: fix warning.
-
- * kcm: First, it allows root to ignore the naming conventions.
- Second, it allows root to always perform any operation on any
- ccache. Note that root could do this anyway with FILE ccaches.
- From Bryan Jacobs.
+ * kdc/pkinit.c: Rename constants to match global header.
- * Rename libdes to libhcrypto.
+ * lib/krb5/pkinit.c: Drop krb5_pk_identity and rename constants to
+ match global header.
-2007-04-19 Love Hörnquist Åstrand <lha@it.su.se>
+ * kdc/pkinit.c: Pick up krb5_pk_identity from krb5_locl.h.
- * kinit: remove code that depend on kerberos 4 library
+ * lib/krb5/scache.c (scc_alloc): %x is unsigned int.
- * kdc: remove code that depend on kerberos 4 library
-
- * configure.in: Drop kerberos 4 support.
+2008-04-07 Love Hörnquist Åstrand <lha@it.su.se>
- * kdc/hpropd.c (main): free the message when done with it.
+ * lib/krb5/version-script.map: Sort and add krb5_cc_switch.
- * lib/krb5/pkinit.c (_krb5_get_init_creds_opt_free_pkinit):
- remember to free memory too.
+ * lib/krb5/acache.c: Use unsigned where appropriate.
- * lib/krb5/pkinit.c (pk_rd_pa_reply_dh): free content-type when
- done.
+ * kcm/glue.c: Adapt to chenge to krb5_cc_ops.
- * configure.in: test rk_VERSIONSCRIPT
-
-2007-04-18 Love Hörnquist Åstrand <lha@it.su.se>
+ * kcm/acl.c: Add missing op.
- * fix-export: remove, all done by make dist now
+ * kdc/connect.c: Use unsigned where appropriate.
-2007-04-15 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5/n-fold.c: Use size_t where appropriate.
- * lib/krb5/krb5_get_credentials.3: spelling, from Jason McIntyre
+ * lib/krb5/get_addrs.c: Use unsigned where appropriate.
-2007-04-11 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5/crypto.c: Use unsigned where appropriate.
- * kdc/kstash.8: Spelling, from raga <raga@comcast.net>
- via Bjorn Sandell.
+ * lib/krb5/crc.c: Use unsigned where appropriate.
- * lib/krb5/store_mem.c: indent.
+ * lib/krb5/changepw.c: simplify
- * lib/krb5/recvauth.c: Set error string.
+ * lib/krb5/copy_host_realm.c: simplify
- * lib/krb5/rd_req.c: clear error strings.
+ * kuser/kswitch.c: Implement --principal.
- * lib/krb5/rd_cred.c: clear error string.
+2008-04-05 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/pkinit.c: Set error strings.
+ * lib/krb5/cache.c: allow returning the default cc-type.
- * lib/krb5/get_cred.c: Tell what principal we are not finding for
- all KRB5_CC_NOTFOUND.
-
-2007-02-22 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/kerberos5.c: Return the same error codes as a windows KDC.
+ * kuser/kswitch.c: Enable switching between existing caches.
- * kuser/kinit.c: KRB5KDC_ERR_PREAUTH_FAILED is also a password
- failed.
-
- * kdc/kerberos5.c: Make handling of replying e_data more generic,
- from metze.
+ * lib/krb5/cache.c: Add krb5_cc_switch, to set the default
+ credential cache.
- * kdc/kerberos5.c: Fix (string const and shadow) warnings, from
- metze.
+ * lib/krb5/acache.c: Implement set_default.
- * lib/krb5/pac.c: Create the PAC element in the same order as
- w2k3, maybe there's some broken code in windows which relies on
- this... From metze.
+ * lib/krb5/krb5.h: Extend krb5_cc_ops and add set_default to set
+ the default cc name for a credential type.
- * kdc/kerberos5.c: Select a session enctype from the list of the
- crypto systems supported enctype, is supported by the client and
- is one of the enctype of the enctype of the krbtgt.
-
- The later is used as a hint what enctype all KDC are supporting to
- make sure a newer version of KDC wont generate a session enctype
- that and older version of a KDC in the same realm can't decrypt.
-
- But if the KDC admin is paranoid and doesn't want to have "no the
- best" enctypes on the krbtgt, lets save the best pick from the
- client list and hope that that will work for any other KDCs.
-
- Reported by metze.
+2008-04-04 Love Hörnquist Åstrand <lha@it.su.se>
- * kdc/hprop.c (propagate_database): on any failure, drop the
- connection to the peer and try next one.
-
-2007-02-18 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5/test_cc.c: test remove
- * lib/krb5/krb5_get_init_creds.3: document new options.
+ * lib/krb5/fcache.c: Make the remove cred slight more atomic, now
+ it might lose creds, but there will be no empty cache at any time.
- * kdc/krb5tgs.c: Only check service key for cross realm PACs.
+ * lib/krb5/scache.c: Do credential iteration by temporary table.
- * lib/krb5/init_creds.c: use the new merged flags field.
- (krb5_get_init_creds_opt_set_win2k): new function, turn on all w2k
- compat flags.
+2008-04-02 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/init_creds_pw.c: use the new merged flags field.
+ * lib/krb5/acache.c: Translate ccErrInvalidCCache.
- * lib/krb5/krb5_locl.h: merge all flags into one entity
-
-2007-02-11 Dave Love <fx@gnu.org>
-
- * lib/krb5/krb5_aname_to_localname.3: Small fixes
-
- * lib/krb5/krb5_digest.3: Small fixes
-
- * kuser/kimpersonate.1: Small fixes
+ * lib/krb5/scache.c: implemetation of a sqlite3 backed credential
+ cache.
-2007-02-17 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5/test_cc.c: test acc and scc
- * lib/krb5/init_creds_pw.c (find_pa_data): if there is no list,
- there is no entry.
+ * lib/krb5/acache.c: Only release context if its in use.
- * kdc/krb5tgs.c: Don't check PACs on cross realm requests.
+2008-04-01 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/krb5.h: add KRB5_KU_CANONICALIZED_NAMES.
+ * doc/setup.texi: No patching of OpenLDAP is needed, from Buchan
+ Milne.
- * lib/krb5/init_creds_pw.c: Verify client referral data.
+2008-03-30 Love Hörnquist Åstrand <lha@it.su.se>
- * kdc/kerberos5.c: switch some "return ret" to "goto out".
-
- * kdc/kerberos5.c: Pass down canonicalize request to hdb layer,
- sign client referrals.
-
- * lib/hdb/hdb.h: Add HDB_F_CANON.
-
- * lib/hdb: add simple alias support to the database backends
+ * lib/krb5/Makefile.am: Add scache.
-2007-02-16 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5/scache.c: initial implementation
- * kuser/kinit.c: Add canonicalize flag.
+ * lib/Makefile.am: sqlite
- * lib/krb5/init_creds_pw.c: Use EXTRACT_TICKET_* flags, support
- canonicalize.
+ * configure.in: lib/sqlite/Makefile
- * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_canonicalize):
- new function.
-
- * lib/krb5/get_cred.c: Use EXTRACT_TICKET_* flags.
-
- * lib/krb5/get_in_tkt.c: Use EXTRACT_TICKET_* flags.
+2008-03-26 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/krb5_locl.h: Add EXTRACT_TICKET_* flags.
-
-2007-02-15 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5/fcache.c: Make the storing credential an atomic
+ write(2) to avoid signal races, bug traced by Harald Barth and Lars
+ Malinowsky.
- * lib/krb5/test_princ.c: test parsing enterprise-names.
+2008-03-25 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/principal.c: Add support for parsing enterprise-names.
+ * lib/krb5/fcache.c: Make erase_file() do locking too.
- * lib/krb5/krb5.h: Add KRB5_PRINCIPAL_PARSE_ENTERPRISE.
+ * kcm/protocol.c: Make work when moving to a non-existant
+ cred-cache.
- * lib/hdb/hdb-ldap.c: Make work again.
+ * lib/krb5/test_cc.c: more verbose info.
-2007-02-11 Dave Love <fx@gnu.org>
-
- * kcm/client.c (kcm_ccache_new_client): Cast snprintf'ed value.
+ * lib/krb5/test_cc.c: test krb5_cc_move().
-2007-02-10 Love Hörnquist Åstrand <lha@it.su.se>
+2008-03-23 Love Hörnquist Åstrand <lha@it.su.se>
- * doc/setup.texi: prune trailing space
-
- * lib/hdb/db.c: Be better at setting and clearing error string.
-
- * lib/hdb/hdb.c: Be better at setting and clearing error string.
+ * lib/krb5/get_cred.c: Try both kdc server referral and the old
+ client chasing mode.
-2007-02-09 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/keytab.c (krb5_kt_get_entry): Use krb5_kt_get_full_name
- to print out the keytab name.
-
- * doc/setup.texi: Spelling, from Guido Guenther
-
-2007-02-08 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5/get_cred.c: Don't do canonicalize by default, make
+ add_cred() sane, make loop detection in credential fetching
+ better.
- * lib/krb5/rd_cred.c: Plug memory leak, from Michael B Allen.
+ * lib/krb5/krb5_locl.h: Add flag EXTRACT_TICKET_AS_REQ.
-2007-02-06 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5/init_creds_pw.c: Tell _krb5_extract_ticket that this is
+ an AS-REQ.
- * lib/krb5/test_store.c (test_uint16): unsigned ints can't be
- negative
+ * lib/krb5/get_in_tkt.c: Make server referral work.
-2007-02-03 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/pkinit.c: pass extra flags for detached signatures.
-
- * lib/krb5/pkinit.c: pass extra flags for detached signatures.
-
- * kdc/digest.c: Remove debug output.
-
- * kuser/kdigest.c: Add support for ms-chap-v2 client.
+2008-03-22 Love Hörnquist Åstrand <lha@it.su.se>
-2007-02-02 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/digest.c: Fix ms-chap-v2 get_masterkey
-
- * kdc/digest.c: Fix ms-chap-v2 mutual response auth code.
+ * lib/krb5/get_in_tkt.c: check no server referral, don't use
+ stringent length tests since encryption layer does padding for
+ us...
- * kuser/kdigest.c: Print session key if there is one.
+ * kdc/kerberos5.c: Match name in ClientCanonicalizedNames with -10
- * lib/krb5/digest.c: rename hash-a1 to session key
+ * lib/krb5/principal.c (_krb5_principal_compare_PrincipalName):
+ new function to compare a principal to a PrincipalName.
- * kdc/digest.c: Add get_master from RFC 3079 3.4 for MS-CHAP-V2
+ * lib/krb5/init_creds_pw.c: Move client referral checking to
+ _krb5_extract_ticket().
- * kuser/kdigest.c: print rsp if there is one, from Klas.
+ * lib/krb5/get_in_tkt.c: More bits for server referral.
- * kdc/digest.c: Use right size, from Klas Lindfors.
+ * lib/krb5/get_in_tkt.c: Make working with client referrals.
- * kuser/kdigest.c: Set client nonce if avaible, from Klas.
+ * lib/krb5/get_cred.c: Try moving referrals checking into
+ _krb5_extract_ticket().
- * kdc/digest.c: First version from kllin.
+ * lib/krb5/get_in_tkt.c: Try moving referrals checking into
+ _krb5_extract_ticket().
- * kuser/kdigest.c: Don't restrict the type.
-
-2007-02-01 Love Hörnquist Åstrand <lha@it.su.se>
+2008-03-21 Love Hörnquist Åstrand <lha@it.su.se>
- * kuser/kdigest-commands.in: add --client-response
+ * kdc/krb5tgs.c: Send SERVER-REFERRAL data in rep.padata instead
+ of auth_data in ticket.
- * kuser/kdigest.c: Print status instead of response.
+2008-03-20 Love Hörnquist Åstrand <lha@it.su.se>
- * kdc/digest.c: Better logging and return status = FALSE when
- checksum doesn't match.
-
- * kdc/digest.c: Check the digest response in the KDC.
-
- * lib/krb5/digest.c: New functions to send in requestResponse to
- KDC and get status of the request.
-
- * kdc/digest.c: Add support for MS-CHAP v2.
-
- * lib/hdb/hdb-ldap.c: Set hdb->hdb_db for ldap.
-
-2007-01-31 Love Hörnquist Åstrand <lha@it.su.se>
-
- * fix-export: Make hx509.info too
-
- * kdc/digest.c: don't verify identifier in CHAP, its the client
- that chooses it.
+ * lib/krb5/init_creds_pw.c: remove lost bits from using
+ krb5_principal_set_realm
-2007-01-23 Love Hörnquist Åstrand <lha@it.su.se>
+ * kdc/krb5tgs.c: Better referrals support, use canonicalize flag.
- * lib/krb5/Makefile.am: Basic test of prf.
+ * kdc/hprop.c: use krb5_principal_set_realm
- * lib/krb5/test_prf.c: Basic test of prf.
+ * lib/krb5/init_creds_pw.c: use krb5_principal_set_realm
- * lib/krb5/mit_glue.c: Add MIT glue for Kerberos RFC 3961 PRF
- functions.
+ * lib/krb5/verify_user.c: use krb5_principal_set_realm
- * lib/krb5/crypto.c: Add Kerberos RFC 3961 PRF functions.
+ * lib/krb5/version-script.map: add krb5_principal_set_realm
- * lib/krb5/krb5_data.3: Document krb5_data_cmp.
+ * lib/krb5/principal.c: add krb5_principal_set_realm
- * lib/krb5/data.c: Add krb5_data_cmp.
-
-2007-01-20 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5/get_cred.c: Insecure tgs referrals.
- * kdc/kx509.c: Don't use C99 syntax.
-
-2007-01-17 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5/get_cred.c: Dont try key usage KRB5_KU_AP_REQ_AUTH for
+ TGS-REQ. This drop compatibility with pre 0.3d KDCs.
- * configure.in: its LIBADD_roken (and shouldn't really exist, our
- libtool usage it broken)
+ * lib/krb5/get_cred.c: catch KRB5_GC_CANONICALIZE.
- * configure.in: Add an extra variable for roken, LIBADD, that
- should be used for library depencies.
+ * lib/krb5/krb5.h: set KRB5_GC_CANONICALIZE.
- * lib/krb5/send_to_kdc.c (krb5_sendto): zero out receive buffer.
+ * kuser/kgetcred.c: set KRB5_GC_CANONICALIZE.
- * lib/krb5/krb5_init_context.3: fix mdoc errors
+ * kuser/kgetcred.c: Add stub --canonicalize implementation.
- * Heimdal 0.8 branch cut today
+2008-03-19 Love Hörnquist Åstrand <lha@it.su.se>
- * doc/hx509.texi: Spelling and more about proxy certificates.
-
- * configure.in: check for arc4random
-
-2007-01-16 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/send_to_kdc.c (krb5_sendto): zero receive krb5_data
- before starting
+ * doc/setup.texi: Fix sasl-regexp, from Howard Chu.
- * tools/heimdal-build.sh: make cvs keep quiet
+2008-03-14 Love Hörnquist Åstrand <lha@it.su.se>
- * kuser/kverify.c: Use argument as principal if passed an
- argument. Bug report from Douglas E. Engert
+ * kdc/kx509.c: Adapt to hx509_env changes.
-2007-01-15 Love Hörnquist Åstrand <lha@it.su.se>
-
- * lib/krb5/rd_req.c (krb5_rd_req_ctx): The code failed to consider
- the enc_tkt_in_skey case, from Douglas E. Engert.
-
- * kdc/kx509.c: Issue certificates.
-
- * kdc/config.c: Parse kx509/kca configuration.
+2008-03-10 Love Hörnquist Åstrand <lha@it.su.se>
- * kdc/kdc.h: add kx509 config
-
-2007-01-14 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/kerberos5.c (_kdc_find_padata): if there is not padata,
- there is nothing find.
+ * lib/krb5/pkinit.c: Try searchin the key by to use by first
+ looking for for PK-INIT EKU, then the Microsoft smart card EKU and
+ last, no special EKU at all.
- * doc/hx509.texi: Examples for pk-init.
+2008-03-09 Love Hörnquist Åstrand <lha@it.su.se>
- * doc/hx509.texi: About extending ca lifetime and sub cas.
-
-2007-01-13 Love Hörnquist Åstrand <lha@it.su.se>
-
- * doc/hx509.texi: More about certificates.
-
-2007-01-12 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5/acache.c: Create a new credential cache is ->get_name
+ is called, make acc_initialize() reset the existing credential
+ cache if needed.
- * doc/hx509.texi: add Application requirements and write about
- xmpp/jabber.
-
-2007-01-11 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5/acache.c (acc_get_name): just return the cache_name
+ directly instead of trying to resolve it.
- * doc/hx509.texi: More about issuing certificates.
+2008-02-23 Love Hörnquist Åstrand <lha@it.su.se>
- * doc/hx509.texi: Start of a x.509 manual.
+ * include/Makefile.am (CLEANFILES): add wind.h and wind_err.h and
+ sort.
- * include/Makefile.am: remove install headerfiles
+2008-02-11 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/test_pac.c: Use more interesting data to cause more
- errors.
+ * lib/hdb/hdb-ldap.c: Use malloc() instead of static buffer.
- * include/Makefile.am: remove install headerfiles
+ * lib/hdb/hdb-ldap.c: Use ldap_get_values_len, from LaMont Jones
+ via Brian May and Debian.
- * lib/krb5/mcache.c: MCC_CURSOR not used, remove.
+ * doc/Makefile.am: add libwind
- * lib/krb5/crypto.c: macro kcrypto_oid_enc now longer used
+2008-02-05 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/rd_safe.c (krb5_rd_safe): set length before trying to
- allocate data
-
-2007-01-10 Love Hörnquist Åstrand <lha@it.su.se>
-
- * doc/setup.texi: Hint about hxtool validate.
+ * lib/krb5/test_renew.c: Remove extra ;, From Dennis Davis.
- * appl/test/uu_server.c: print both "server" and "client"
+ * lib/krb5/store_emem.c: Make compile on-pre c99 compilers. From
+ Dennis Davis.
- * kdc/krb5tgs.c: Rename keys to be more obvious what they do.
+2008-02-03 Love Hörnquist Åstrand <lha@it.su.se>
- * kdc/kerberos5.c: Use other keys to sign PAC with. From Andrew
- Bartlett
-
- * kdc/windc.c: ident, spelling.
+ * tools/heimdal-gssapi.pc.in: Add wind.
- * kdc/windc_plugin.h: indent.
+ * tools/krb5-config.in: Add wind.
- * kdc/krb5tgs.c: Pass down server entry to verify_pac function.
- from Andrew Bartlett
+ * lib/krb5/pac.c: Use libwind.
- * kdc/windc.c: pass down server entry to verify_pac function, from
- Andrew Bartlett
+2008-02-01 Love Hörnquist Åstrand <lha@it.su.se>
- * kdc/windc_plugin.h: pass down server entry to verify_pac
- function, from Andrew Bartlett
+ * lib/Makefile.am: SUBDIRS: add wind
- * configure.in: Provide a automake symbol ENABLE_SHARED if shared
- libraries are built.
+2008-01-29 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/rd_req.c (krb5_rd_req_ctx): Use the correct keyblock
- when verifying the PAC. From Andrew Bartlett.
+ * doc/programming.texi: See the Kerberos 5 API introduction and
+ documentation on the Heimdal webpage.
-2007-01-09 Love Hörnquist Åstrand <lha@it.su.se>
+2008-01-27 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/test_pac.c: move around to code test on real PAC.
+ * lib/krb5: better error strings for the keytab fetching functions
- * lib/krb5/pac.c: A tiny 2 char diffrence that make the code work
- for real.
+ * lib/krb5/verify_krb5_conf.c: Catch deprecated entries.
- * lib/krb5/test_pac.c: Test more PAC (note that the values used in
- this test is wrong, they have to be fixed when the pac code is
- fixed).
+ * lib/krb5/get_cred.c: Remove support
+ for [libdefaults]capath (not [libdefaults] capaths though).
- * doc/setup.texi: Update to new hxtool issue-certificate usage
+2008-01-25 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/init_creds_pw.c: Make sure we don't sent both ENC-TS
- and PK-INIT pa data, no need to expose our password protecting our
- PKCS12 key.
+ * tools/heimdal-gssapi.pc.in: Fix caps of prefix, from Joakim
+ Fallsjo.
- * kuser/klist.c (print_cred_verbose): include ticket length in the
- verbose output
+2008-01-24 Love Hörnquist Åstrand <lha@it.su.se>
-2007-01-08 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5/fcache.c (fcc_move): more explict why the fcc_move
+ failes, handle cross device moves.
- * lib/krb5/acache.c (loadlib): pass RTLD_LAZY to dlopen, without
- it linux is unhappy.
+2008-01-21 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/plugin.c (loadlib): pass RTLD_LAZY to dlopen, without
- it linux is unhappy.
-
- * lib/krb5/name-45-test.c: One of the hosts I sometimes uses is
- named "bar.domain", this make one of the tests pass when it
- shouldn't.
-
-2007-01-05 Love Hörnquist Åstrand <lha@it.su.se>
-
- * doc/setup.texi: Change --key argument to --out-key.
-
- * kuser/kimpersonate.1: mangle my name
-
-2007-01-04 Love Hörnquist Åstrand <lha@it.su.se>
-
- * doc/setup.texi: describe how to use hx509 to create
- certificates.
-
- * tools/heimdal-build.sh: Add --distcheck.
-
- * kdc/kerberos5.c: Check for KRB5_PADATA_PA_PAC_REQUEST to check
- if we should include the PAC in the krbtgt.
-
- * kdc/pkinit.c (_kdc_as_rep): check if
- krb5_generate_random_keyblock failes.
-
- * kdc/kerberos5.c (_kdc_as_rep): check if
- krb5_generate_random_keyblock failes.
-
- * kdc/krb5tgs.c (tgs_build_reply): check if
- krb5_generate_random_keyblock failes.
-
- * kdc/krb5tgs.c: Scope etype.
-
- * lib/krb5/rd_req.c: Make it possible to turn off PAC check, its
- default on.
-
- * lib/krb5/rd_req.c (krb5_rd_req_ctx): If there is a PAC, verify
- its server signature.
-
- * kdc/kerberos5.c (_kdc_as_rep): call windc client access hook.
- (_kdc_tkt_add_if_relevant_ad): constify in data argument.
-
- * kdc/windc_plugin.h: More comments add a client_access hook.
-
- * kdc/windc.c: Add _kdc_windc_client_access.
-
- * kdc/krb5tgs.c: rename functions after export some more pac
- functions.
-
- * lib/krb5/test_pac.c: export some more pac functions.
-
- * lib/krb5/pac.c: export some more pac functions.
+ * lib/krb5/get_for_creds.c: Use on variable less.
- * kdc/krb5tgs.c: Resign the PAC in tgsreq if we have a PAC.
+ * lib/krb5/get_for_creds.c: Try to handle ticket full and
+ ticketless tickets better. Add doxygen comments while here.
- * configure.in: add tests/plugin/Makefile
+ * lib/krb5/test_forward.c: Used for testing
+ krb5_get_forwarded_creds().
-2007-01-03 Love Hörnquist Åstrand <lha@it.su.se>
-
- * kdc/krb5tgs.c: Get right key for PAC krbtgt verification.
-
- * kdc/config.c: spelling
-
- * lib/krb5/krb5.h: typedef for krb5_pac.
-
- * kdc/headers.h: Include <windc_plugin.h>.
-
- * kdc/Makefile.am: Include windc.c and use windc_plugin.h
-
- * kdc/krb5tgs.c: Call callbacks for emulating a Windows Domain
- Controller.
-
- * kdc/kerberos5.c: Call callbacks for emulating a Windows Domain
- Controller. Move the some of the log related stuff to its own
- function.
-
- * kdc/config.c: Init callbacks for emulating a Windows Domain
- Controller.
+ * lib/krb5/Makefile.am: noinst_PROGRAMS += test_forward
- * kdc/windc.c: Rename the init function to windc instead of pac.
+ * lib/krb5/Makefile.am: drop CHECK_SYMBOLS
- * kdc/windc.c: Callbacks specific to emulating a Windows Domain
- Controller.
+ * lib/hdb/Makefile.am: drop CHECK_SYMBOLS
- * kdc/windc_plugin.h: Callbacks specific to emulating a Windows
- Domain Controller.
+ * kdc/Makefile.am: drop CHECK_SYMBOLS
- * lib/krb5/Makefile.am: add krb5_HEADERS to build_HEADERZ
+2008-01-18 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/pac.c: Support all keyed checksum types.
-
-2007-01-02 Love Hörnquist Åstrand <lha@it.su.se>
+ * lib/krb5/version-script.map: Add krb5_digest_probe.
- * lib/krb5/pac.c (krb5_pac_get_types): Return list of types.
+2008-01-13 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/test_pac.c: test krb5_pac_get_types
-
- * lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA.
-
- * lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA.
-
- * lib/krb5/krb5.h: Add KRB5_KRBHST_KCA.
-
- * lib/krb5/test_pac.c: test Add/remove pac buffer functions.
+ * lib/krb5/pkinit.c: Replace hx509_name_to_der_name with
+ hx509_name_binary.
- * lib/krb5/pac.c: Add/remove pac buffer functions.
+2008-01-12 Love Hörnquist Åstrand <lha@it.su.se>
- * lib/krb5/pac.c: sprinkle const
+ * lib/krb5/Makefile.am: add missing files
- * lib/krb5/pac.c: rename DCHECK to CHECK
-
- * Happy New Year.
+ * Happy new year.