2005-12-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c (tgs_make_reply): less const on hdb_entry_ex to
	make samba happy

	* fix-export: Build kdc-private.h.

2005-12-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c (tgs_rep2): also print the principal for which
	the enctype was missing

2005-12-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kaserver.c: Finish up transition from hdb_entry to
	hdb_entry_ex.

	* kdc/kerberos4.c: Finish up transition from hdb_entry to
	hdb_entry_ex.

	* kdc/524.c: Finish up transition from hdb_entry to hdb_entry_ex.

	* kdc/kerberos5.c: Finish up transition from hdb_entry with
	hdb_entry_ex.

	* lib/krb5/cache.c (krb5_cc_set_default_name): use
	KRB5_DEFAULT_CCNAME.

	* lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME, pointer to
	default credential cache.

	* lib/hdb/ndbm.c: memset hdb_entry_ex before use

	* lib/hdb/db3.c: memset hdb_entry_ex before use

	* lib/hdb/db.c: memset hdb_entry_ex before use

2005-12-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.3: Add some more entrypoints.

	* lib/krb5/changepw.c: If there is a target principal, use the
	realm of the realm to change the password with,

	* kuser/kinit.c: Default to use DH when fetching keys.

	* lib/hdb, kdc, kadmin/load.c: Wrap hdb_entry with hdb_entry_ex, patch
	originally from Andrew Bartlett

	* lib/hdb/hdb-ldap.c: Wrap hdb_entry with hdb_entry_ex, add url
	support, add ldapi support.

	* kdc/kerberos5.c (tgs_make_reply): there are no such things as
	keytypes any more, just use enctypes.

	* kdc/kdc_locl.h: Remove private prototypes and instead include
	<kdc-private.h>.

	* kdc/Makefile.am: Build kdc-private.h and depend on it.

	* kdc/config.c (configure): wrap line

	* doc/kerberos4.texi: KDC 4 support is always compiled in.

	* TODO: Remove some stuff that have been done.

	* Makefile.am: Split long line

	* doc/apps.texi: Spelling, From Måns Nilsson.

	* doc/install.texi: spelling, From Måns Nilsson

2005-12-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_principal.3: Constify principal argument to on
	krb5_principal_get_ functions.

	* lib/krb5/principal.c: Constify principal argument to on
	krb5_principal_get_ functions.

2005-12-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb: drop convert_db, 0.0 to 0.1 transition was a long long
	time ago

2005-12-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/test_keytab.c: more tests, From Andrew Bartlett

	* lib/krb5/keytab_memory.c (mkt_remove_entry): realloc can return
	NULL on success in the case 0 entries are allocated, From Andrew
	Bartlett

2005-12-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/acl.c (acl_parse_format): tmp needs to be freed too on
	failure to parse format specifier.

	* lib/krb5/store-test.c: Free more of the allocated memory.

	* lib/krb5/crypto.c (krb5_derive_key): Free more of the allocated
	memory, this function is only used by the test program.

	* lib/krb5/parse-name-test.c: Free more of the allocated memory.

	* lib/krb5/derived-key-test.c: Free more of the allocated memory.

2005-12-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/setup.texi: spelling, From Måns Nilsson

	* lib/krb5/krb5_keytab.3: Memory keytab are now named and
	refcounted.

	* lib/krb5/test_keytab.c: Test that memory keytab are refcounted.

	* lib/krb5/keytab_memory.c: Index by name and start reference
	counting on entries.

2005-11-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.h (krb5_address_type): add
	KRB5_ADDRESS_NETBIOS (20)

	* lib/hdb/hdb.c (find_method): accept relative paths as old db
	format too.

	* lib/krb5/aes-test.c: Remove usage of krb5_enctype_to_keytype.

2005-11-29  Dave Love  <fx@gnu.org>

	* kcm/connect.c (kcm_loop): Use HAVE_DOOR_CREATE, not HAVE_DOORS.

2005-11-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/verify_krb5_conf.c (libdefaults_entries): add
	default_cc_name

	* lib/hdb/hdb.c: Only match db databases on filename starting with
	'/'.

	* lib/krb5/rd_req.c (krb5_verify_ap_re2): check timestamp in
	authenticator

	* lib/krb5/rd_req.c (check_transited): explain the TR-type 0
	better and why it matters.

	* lib/krb5/test_cc.c: test krb5_cc_get_prefix_ops

	* lib/krb5/cache.c (krb5_cc_get_prefix_ops): change the behavior
	to return NULL when it's not found, and fcc when the name starts
	with a '/'. Almost matches behavior in other parts of the code,
	but can't really do that since the name passed in to this function
	may only contain the prefix itself without the colon.

	* lib/krb5/cache.c (krb5_cc_get_prefix_ops): if there are not
	colon (:) in the name, it's a file credential cache

	* lib/hdb/db3.c (hdb_db_create): use calloc to allocate memory

	* lib/hdb/ndbm.c (hdb_ndbm_create): use calloc to allocate memory

	* lib/hdb/db.c (hdb_db_create): use calloc to allocate memory

2005-11-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use session
	key for delegated credentials

	* kdc/kerberos5.c (_kdc_as_rep): add comment when we send
	ETYPE-INFO and ETYPE-INFO2, from Andrew Bartlett

2005-11-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/keytab.c (krb5_kt_get_full_name): new function

2005-11-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/test_crypto.c: Split encryption and s2k iterations to
	different counters, 38seconds of aes256 s2k is way too long.

	* lib/krb5/test_crypto.c: Add timing code for s2k function.

2005-11-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c: Print the time the principal expired, based on
	patch from Andrew Bartlett.

2005-11-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/cache.c (krb5_cc_get_full_name): Add

2005-11-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* configure.in: Spelling, From Michael Banck <mbanck@debian.org>

2005-10-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* kcm/headers.h: Maybe include <sys/param.h>.

2005-10-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type):
	understand KRB5_AUTHDATA_IF_RELEVANT and KRB5_AUTHDATA_AND_OR (but
	have KRB5_AUTHDATA_KDC_ISSUED commented out for now)

2005-10-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/klist.c: In the list caches view, rename the Status field
	to Expires.

	* lib/krb5/krb5_encrypt.3: Fix mdoc for
	krb5_encrypt_EncryptedData, Johnny Lam <jlam@pkgsrc.org>

2005-10-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* appl/test/gssapi_client.c: Check return value from asprintf
	instead of string != NULL since it is undefined behavior on
	Linux. From Björn Sandell

2005-10-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c (_krb5_dh_group_ok): if not enough bits are
	generated from the DH groups, fail.

	* kdc/pkinit.c (get_dh_param): Pass down config so this function
	can check pkinit_dh_min_bits

	* kdc/config.c: Fill in pkinit_dh_min_bits from configuration
	file.

	* kdc/kdc.h: Add pkinit_dh_min_bits to krb5_kdc_configuration.

2005-10-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c: Add option to require binding between reply
	and response for the win2k version of the protocol.

2005-10-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/programming.texi: Text about Kerberos errors.

	* lib/krb5/pkinit.c: Try both ReplyKey and ReplyKey-Win2k for the
	Windows case to support the updated -09 protocol (using
	asChecksum). Tell KDC we support this by sending
	KRB5-PADATA-PK-AS-09-BINDING in the pa-data.

	* lib/krb5/test_cc.c: Test copy FILE -> FILE, and MEMORY -> MEMORY
	too.

	* lib/krb5/test_cc.c: Test krb5_cc_copy_cache and
	krb5_cc_cache_match.

	* lib/krb5/cache.c (krb5_cc_cache_match): add function that
	iterates over all credential caches for a user and returns a
	match.

	* lib/krb5/krb5_ccache.3: Add krb5_cc_start_seq_get and an
	example.

2005-10-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/programming.texi: Try to explain krb5_ccache, krb5_principal
	and errors.

2005-10-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_get_credentials.3: Add example how to use
	krb5_get_credentials.

2005-10-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/init_creds.c: Rename private to opt_private.

	* lib/krb5/init_creds_pw.c: Rename private to opt_private.

	* lib/krb5/pkinit.c: rename element private to opt_private to make
	c++ picky compilers less upset.

	* lib/krb5/krb5.h (krb5_get_init_creds_opt): rename element
	private to opt_private to make c++ picky compilers less upset.

2005-10-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krbhst.c (_krb5_krbhost_info_move): new function
	(_krb5_free_krbhst_info): expose to internal use

	* lib/krb5/init_creds_pw.c: Prepare to pass down a
	krb5_krbhst_info into the pre-auth mechs

	* lib/krb5/pkinit.c: Inline short functions, share more code,
	rename COMPAT_27 to COMPAT_IETF, pass down a krb5_krbhst_info for
	verification of KDC info, and general cleaning up.

2005-10-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am: Install krb5.moduli in sysconfdir.

	* lib/krb5/krb5_locl.h: rename moduli file to SYSCONFDIR
	"/krb5.moduli"

	* lib/krb5/krb5_locl.h: Add forward declaration for
	krb5_dh_moduli. Add define for MODULI_FILE.

	* kdc/pkinit.c: Removing PK-INIT-19 support.

	* lib/krb5/pkinit.c: Removing PK-INIT-19 support.

	* lib/krb5/pkinit.c (_krb5_dh_group_ok): return DH group name on
	success.
	(krb5_get_init_creds_opt_set_pkinit): use moduli file if it exists

	* kdc/pkinit.c: Save DH group name and print it on success.

	* lib/krb5/pkinit.c (_krb5_dh_group_ok): if q is zero, ignore it.

	* kdc/pkinit.c: Check dh group parameters from client.

	* lib/krb5/krb5_err.et: Match error code with pk-init-27.

	* lib/krb5/pkinit.c: Update error codes. Add name to group. Change
	return value of _krb5_dh_group_ok.

	* lib/krb5/pkinit.c: Add support for reading a moduli-file for DH
	parameters.

2005-10-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/klist.1: Document --list-caches

	* kuser/klist.c: Change short flag of --list-caches to -l (-v is
	already used).

2005-10-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/kerberos.8: RFC 1510 was obsoleted by 4120.

	* lib/krb5/acache.c (init_ccapi): return kerberos errors, callers
	expect it
	(acc_get_cache_first): don't leak memory or abort on malloc
	failure

2005-10-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/kerberos.8: Update text about Kerberos RFC's.

2005-10-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/klist.c: Add option --list-caches that lists the available
	caches and their status.

	$ klist --list-caches
	Principal       Cache name              Status
	lha@E.KTH.SE    2                       Valid
	lha@SU.SE       1                       Expired
	lha/root@SU.SE  0                       Expired
	lha@N.L.NXS.SE  Initial default ccache  Expired

2005-09-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/keytab_keyfile.c: Use all DES keys, not just
	des-cbc-md5, verify that they all are the same.

	* lib/krb5/mcache.c: Implement the cache iteration functions.

	* lib/krb5/acache.c: Implement the cache iteration functions.

	* lib/krb5/test_cc.c: Test the new cache iteration functions.

	* lib/krb5/cache.c: Add cache iteration functions. Add internal
	allocation function for the memory of a krb5_ccache, and use it.

	* lib/krb5/krb5.h (krb5_cc_ops): add cache iteration functions

2005-09-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_mk_req.3: Remove leftovers, remove extra space.

	* kdc/kerberos5.c: More verbose PK-INIT logging.

	* kdc/pkinit.c: The public DH key is encoded as an INTEGER in
	subjectPublicKey. Don't verify OID's for now.

	* lib/krb5/pkinit.c: Support cached DH variable (still need to
	store it though), don't check the oid of the DH signedData for
	now.

2005-09-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/rd_cred.c (krb5_rd_cred): try both the session key and
	the sender subkey. Both RFC1510 and RFC4120 say that you have to
	use the session key, Heimdal uses subkey.

2005-09-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c: Don't check oid's too closely, they change in
	Windows Vista.

2005-09-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c: Disable sending -19, fix parsing -27 of the
	protocol.

	* kdc/pkinit.c: Support PK-INIT-27 DH (and remove -19)

	* lib/krb5/pkinit.c (pk_verify_chain_standard): set cert to NULL
	to make sure it's not freed.

2005-09-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/crypto.c (krb5_DES_string_to_key): If the opaque length
	is set to 1, and content is 0x01, use the afs3 string-to-key.

	* kdc/kerberos5.c (make_etype_info2_entry): When it's a afs3-salted
	key, use send the opaque, length 1 (with content set to 0x01) in
	ETYPE-INFO2-ENTRY.

	* lib/krb5/kcm.c: Remove signedness warnings.

2005-09-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* configure.in: Use libtool's default values for building
	shared/static libraries, ie remove AC_ENABLE_SHARED(no), solves
	building problems users have on Mac OS X.

2005-09-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/changepw.c: Constify password.

2005-09-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_mk_req.3: Document krb5_rd_req.

	* lib/krb5/Makefile.am: MAN_mans+= krb5_mk_req.3

	* lib/krb5/krb5_mk_req.3: Document krb5_mk_req, krb5_mk_req_exact,
	krb5_mk_req_extended, krb5_rd_req, krb5_rd_req_with_keyblock,
	krb5_mk_rep, krb5_mk_rep_exact, krb5_mk_rep_extended, krb5_rd_rep,
	krb5_build_ap_req, krb5_verify_ap_req.

2005-09-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c (make_etype_info_entry): Don't send salttype at
	all, use KRB5-PADATA-AFS3-SALT

2005-08-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c (log_timestamp): endtime, not endtype

2005-08-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* configure.in: Check for <sys/ucred.h>.

	* kcm/connect.c (update_client_creds): in case there is no
	UCRED_VERSION, skip LOCAL_PEERCRED

	* kcm/headers.h: include <sys/ucred.h>

2005-08-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/rd_req.c (check_transited): Allow empty content of type
	0 because that is what Microsoft generates in their TGT.

	* kdc/kerberos5.c (fix_transited_encoding): Allow empty content of
	type 0 because that is what Microsoft generates in their TGT.

2005-08-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/intro.texi: RFC 4120 replaces RFC 1510

2005-08-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* configure.in: Add --disable-afs-support.

2005-08-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am: Add test_hostname to check_PROGRAMS but
	not TESTS, I have no same dns to use.

	* lib/krb5/test_hostname.c: Testprogram for krb5_expand_hostname()
	and krb5_expand_hostname_realms().

	* configure.in: Build KCM if we have doors or unix sockets.

	* lib/krb5/principal.c (krb5_425_conv_principal_ex2): Remove
	shadowing variable.

	* lib/krb5/get_host_realm.c (dns_find_realm): Fix const warnings,
	plug memory leak. From: Stefan Metzmacher <metze@samba.org>

	* lib/krb5/krb5_config.3: Document what happens with NULL to
	krb5_config_free_strings
	(nothing). Mdoc nit.

2005-08-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/klist.c (check_for_tgt): Re-order code so it only frees the
	credential if one was returned.

	* lib/krb5/test_crypto_wrapping.c: Fix printing of size_t.

2005-08-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/dbinfo.c: provide interface to find databases

	* lib/hdb/mkey.c (hdb_seal_key_mkey): don't double encrypt keys

2005-08-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kdc_locl.h: Update prototype for _kdc_pk_mk_pa_reply.

2005-08-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/init_creds_pw.c: Save the request buffer so that
	pre-auth mechanism that needs it can verify the reply.

2005-08-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/test_mem.c: Rename logf to avoid shadowing.

	* lib/krb5/krb5_keytab.3: Fix the version number for
	fcc-mit-ticketflags.

	* lib/krb5/fcache.c: Revert previous, I was confused.

	* lib/krb5/krb5_keytab.3: Document fcc-mit-ticketflags in
	COMPATIBILITY section.

	* lib/krb5/fcache.c (fcc_store_cred): default to MIT style ticket
	flags.

	* kdc/pkinit.c (pk_mk_pa_reply_enckey): add missing break;

	* lib/krb5/krb5_create_checksum.3: Update prototype for
	krb5_create_checksum.

	* kdc/pkinit.c: Make compile.

	* lib/krb5/pkinit.c: Implement verification of asChecksum, now
	client side code is using -27 of the pk-init draft.

	* kdc/kdc_locl.h: update prototype for _kdc_as_rep

	* kdc/pkinit.c: Fill in asChecksum, we now implement -27 in the KDC.

	* kdc/process.c: Pass down the request buffer to _kdc_as_rep().

	* kdc/kerberos5.c (_kdc_as_rep): Pass down the request buffer to
	_kdc_pk_mk_pa_reply.

2005-08-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/ext.c: HDB extensions access glue.

	* kcm/acquire.c: Use krb5_set_password instead of
	krb5_change_password.

	* configure.in: Add tests/Makefile and tests/db/Makefile.

	* NEWS: New ASN.1 compiler

	* lib/hdb/Makefile.am: Build extensions.

	* lib/hdb/print.c: Print extensions.

	* lib/hdb/hdb_err.et: Add error "Entry contains unknown mandatory
	extension".

	* lib/hdb/hdb.h: Update interface version (and indent).

	* lib/hdb/hdb.asn1: Add support for HDB-extension.

2005-08-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/test_pkinit_dh2key.c: add tests vectors from
	"Liqiang(Larry) Zhu" <lzhu@windows.microsoft.com>

	* lib/hdb/mkey.c: Expose the crypto operations on the master key.

	* lib/krb5/test_pkinit_dh2key.c: even more bits, not done yet

2005-08-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c (_kdc_as_rep): preserve the error code in the
	ENC-TS case. From: Andrew Bartlett <abartlet@samba.org>

	* kdc/kerberos5.c (tgs_rep2): only needs to log "Failed to verify
	authenticator" once, it's already done by
	tgs_check_authenticator().

	* kdc/kerberos5.c: Indent strings.

	* kdc/kerberos5.c (log_timestamp): avoid shadow warnings From:
	Andrew Bartlett <abartlet@samba.org>

	* lib/krb5/verify_user.c: Add krb5_verify_opt_alloc and
	krb5_verify_opt_free.

	* lib/krb5/krb5_verify_user.3: Document krb5_verify_opt_alloc and
	krb5_verify_opt_free.

	* lib/hdb/db3.c (DB_open): catch errors from the d->open calls
	instead of letting them slip through to d->cursor. Bug report from
	Andrew Bartlett <abartlet@samba.org>

2005-07-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/Makefile.am (kdc_LDADD): add LDADD

2005-07-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c (_kdc_as_rep): log what enctypes was using in
	ENC-TS preauth, both for failure and success.

	* kdc/hprop.c: Use the _krb5_krb_life_to_time function from
	libkrb5 instead of including our own here too.

	* kdc/kerberos5.c: indent printf strings

	* lib/hdb/mkey.c (hdb_unseal_key_mkey): try to unseal key with
	keyusage 0 in case the key was encrypted with MIT Kerberos (old
	patch from Johan)

2005-07-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/pkinit.c: update to pkinit-27

2005-07-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c: Adapt to IMPLICIT changes in CMS module.

2005-07-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/test_pkinit_dh2key.c: framework for testing
	_krb5_pk_octetstring2key

	* kpasswd/kpasswdd.c (doit): krb5_addr2sockaddr takes a
	krb5_socklen_t

	* kdc/connect.c (de_http): sscanf takes a char *, not unsigned
	ditto, cast appropriately

	* lib/krb5/crypto.c (_krb5_pk_octetstring2key): make sha1 output
	unsigned char to match openssl

2005-07-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/common.c: Check encoder lengths from ASN1_MALLOC_ENCODE.

2005-07-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/rd_cred.c (krb5_rd_cred): don't leak memory

	* lib/krb5/get_cred.c (krb5_get_credentials_with_flags): only call
	krb5_cc_retrieve_cred once, and plug memory leak.

2005-07-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/Makefile.am: the new asn.1 compiler includes the modules
	name in the depend file

	* lib/krb5/keytab_file.c (fkt_start_seq_get_int): check return
	value from krb5_storage_from_fd

	* lib/krb5/pkinit.c (pk_rd_pa_reply_dh): client do not contribute
	to the DH when the server doesn't support the cached DH request.

	* lib/krb5/crypto.c (_krb5_pk_octetstring2key): fix arguments

2005-07-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c: clean up pk-init DH support, not finished
	yet; improve error reporting

	* lib/krb5/crypto.c (_krb5_pk_octetstring2key): string2key
	function used in pk-init-25

	* configure.in: Use a configure switch to turn on PK-INIT, not by
	detecting existence of the new ASN.1 library.

	* lib/asn1: Much improved ASN.1 compiler from joda-choice-branch.

	Highlights for the compiler is support for CHOICE and in general better
	support for tags. This compiler support most of what is needed for
	PK-INIT, LDAP, X.509, PKCS-12 and many other protocols.

2005-07-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/asn1: make scope variables unique to avoid shadow warnings

2005-07-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.h: comment out parameter name in typedef
	functions to avoid shadow warnings

	* lib/krb5/crypto.c: make input data to krb5_encrypt{,_ivec} const

	* kuser/klist.c: If there are no addresses, print addressless
	instead of nothing.

	* lib/krb5/Makefile.am (TESTS): add test_crypto_wrapping

	* lib/krb5/crypto.c (wrapped_length): the underived encrypted
	types checksum are all unkeyed (matches the code in
	encrypt_internal() and encrypt_internal_special())

	* lib/krb5/test_crypto_wrapping.c: ETYPE_ARCFOUR_HMAC_MD5_56 isn't
	not supported

	* lib/krb5/test_crypto_wrapping.c: test encryption wrapping

	* lib/krb5/test_crypto.c (time_encryption): free cleartext buffer

2005-07-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* configure.in: run AM_INIT_AUTOMAKE before AM_PROG_CC_C_O
	otherwise am_aux_dir will be expanded using ac_aux_dir before the
	latter is set.
719 720 * configure.in: check for strings.h explicitly instead of 721 depending on AC_HEADER_STDC to check it for us 722 7232005-07-07 Assar Westerlund <assar@kth.se> 724 725 * configure.in: add AM_PROG_CC_C_O for automake 1.9 726 7272005-07-06 Love H��rnquist ��strand <lha@it.su.se> 728 729 * lib/krb5/keytab.c (krb5_kt_get_entry): clear error string when 730 returning a new error 731 732 * lib/krb5/keytab.c: krb5_kt_close frees all resources, even on 733 error. 734 735 * lib/krb5/verify_init.c (krb5_verify_init_creds): `entry' unused, 736 remove From: "Henry B. Hotz" <hotz@jpl.nasa.gov> 737 7382005-07-05 Love H��rnquist ��strand <lha@it.su.se> 739 740 * doc/win2k.texi: arcfour-hmac-md5 support for windows cross was 741 added in w2k3-sp1 From David Love 742 743 * doc/setup.texi: document kadmin command password-quality instead 744 of the not installed test_pw_quality 745 746 * lib/krb5/krb5_get_init_creds.3: Spelling, from David Love 747 748 * fix-export: build kdc-protos.h 749 7502005-07-01 Love H��rnquist ��strand <lha@it.su.se> 751 752 * kdc: prefix pkinit symbols with _kdc 753 754 * kuser/kinit.c: avoid shadowing variables 755 756 * kuser: s/optind/optidx/ 757 758 * kdc: adapt pkinit code to libkdc split 759 7602005-06-30 Love H��rnquist ��strand <lha@it.su.se> 761 762 * tools/Makefile.am: add depency on LIB_dlopen and LIB_door_create 763 764 * tools/krb5-config.in: add depency on LIB_dlopen and LIB_door_create 765 766 * kdc/kdc_locl.h: indent, remove dup prototypes 767 768 * kdc/libkdc: don't pollute namespace, generate public headerfile 769 770 * lib/krb5/principal.c: add krb5_425_conv_principal_ext2 that work 771 just like krb5_425_conv_principal_ext but takes a context variable 772 for the verification function 773 774 * kdc/Makefile.am: there is no export script, not pretend there is 775 776 * kdc: Merge in the libkdc/kdc configuration split from Andrew 777 Bartlet <abartlet@samba.org> 778 779 * lib/krb5/crypto.c: optionally compile in support for afs 
string2key 780 781 * configure.in: add --disable-afs-string-to-key to allow removal 782 of support for afs string2key (and dependency on crypt) 783 7842005-06-29 Love H��rnquist ��strand <lha@it.su.se> 785 786 * kdc/kerberos5.c: Add logging of all timestamps in AS-REQ and 787 TGS-REQ, for auditing 788 789 * kdc/kerberos5.c (as_req): print the supported encryption types 790 so its possible to know what clients to update. 791 (find_rpath): return const char * and update callers. 792 7932005-06-28 Luke Howard <lukeh@padl.com> 794 795 * kcm/connect.c: fix arguments to kcm_log() when reporting 796 sendmsg() error 797 798 * kcm/connect.c: don't send socket address in msghdr, it 799 returns an already connected error on Linux 800 8012005-06-24 Love H��rnquist ��strand <lha@it.su.se> 802 803 * kdc/524.c: Always include <krb5-v4compat.h>. 804 8052005-06-23 Love H��rnquist ��strand <lha@it.su.se> 806 807 * doc/intro.texi: no more libdes, gssapi lib is complete 808 809 * lib/krb5/krb5.conf.5: Documentation for password quality 810 control. From: "James F. 
Hranicky" <jfh@cise.ufl.edu> 811 812 * lib/krb5/verify_krb5_conf.c (password_quality_entries): add 813 min_length and min_classes 814 815 * kdc/kaserver.c: log the kaserver requests, avoid shadowing 816 variables 817 818 * lib/hdb/db3.c (DB_open): in case of error, close database 819 820 * lib/hdb/ndbm.c (NDBM_open): in case of error, close database 821 822 * lib/hdb/db.c (DB_open): in case of error, close database 823 8242005-06-20 Love H��rnquist ��strand <lha@it.su.se> 825 826 * kcm/kcm.8: fix example 827 8282005-06-17 Love H��rnquist ��strand <lha@it.su.se> 829 830 * lib/krb5/rd_rep.c: indent 831 832 * lib/krb5/rd_rep.c (krb5_rd_rep): check if 833 KRB5_AUTH_CONTEXT_DO_TIME set and use that as a que that timestamp 834 should be checked, DCE-STYLE gssapi needs to be able to tweek this 835 836 * kdc/string2key.c: rename optind to optidx 837 838 * lib/hdb/convert_db.c: rename optind to optidx 839 840 * lib/hdb/keytab.c: const poison, add a unconst where needed 841 842 * lib/krb5/crypto.c (krb5_string_to_key): unconst password 843 844 * lib/asn1/k5.asn1: rename pvno to krb5-pvno 845 846 * lib/krb5/get_in_tkt_with_keytab.c (krb5_keytab_key_proc): 847 unconst argument 848 849 * lib/krb5/verify_krb5_conf.c: rename optind to optidx 850 851 * lib/krb5/transited.c: rename the temporary string variable to 852 `str' 853 854 * lib/krb5/test_crypto.c: rename optind to optidx 855 856 * lib/krb5/test_alname.c: rename optind to optidx 857 858 * lib/krb5/store.c: unconst argument to krb5_store (XXX this 859 should be fixed, krb5_store doesn't need to modify its argument) 860 861 * lib/krb5/send_to_kdc.c (krb5_sendto): remove shadowing 862 unnessecery variable ret 863 864 * lib/krb5/rd_cred.c (krb5_rd_cred): remove shadowing unnessecery 865 variable len 866 867 * lib/krb5/prog_setup.c: rename optind to optidx 868 869 * lib/krb5/padata.c: rename variable index to idx 870 871 * lib/krb5/log.c: rename variable time to timestr to avoid 872 shadowing 873 874 * lib/krb5/krbhst.c 
	(krb5_krbhst_init_flags): rename variable to
	avoid shadowing

	* lib/krb5/krbhst-test.c: rename optind to optidx

	* lib/krb5/kcm.c: unconst argument to connect, unconst argument to
	krb5_store (XXX this should be fixed, krb5_store doesn't need to
	modify its argument)

	* lib/krb5/init_creds_pw.c (default_s2k_func): unconst password

	* lib/krb5/crypto.c: rename `encrypt' to avoid shadow warning

2005-06-16 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/principal.c: rename index to idx

	* lib/krb5/mk_error.c: use rk_UNCONST

	* lib/krb5/fcache.c: rename to avoid shadowing

	* lib/krb5/config_file.c: rename to avoid shadowing

	* lib/krb5/cache.c (_krb5_expand_default_cc_name): just copy the
	string instead of losing const

	* lib/krb5/addr_families.c: use rk_UNCONST to silence const
	warning

	* lib/krb5/addr_families.c: rename sin to sin4

	* lib/asn1/asn1_print.c: rename optind to optidx, remove shadowed
	variables

	* lib/asn1/main.c: rename optind to optidx

	* lib/asn1/gen_copy.c: rename to avoid shadowing

	* lib/asn1/gen_locl.h: rename function filename to get_filename

	* lib/asn1/lex.l: use get_filename

	* lib/asn1/gen.c: rename function filename to get_filename

	* lib/krb5/acache.c: use HAVE_DLOPEN around cc_handle

	* configure.in: add headers and prototypes to logwtmp, logout and
	openpty checks

	* configure.in: include headerfiles and set prototype for tgetent

	* kdc/kerberos5.c (make_etype_info2_entry): NUL terminate the
	string

	* kdc/kerberos5.c: replace strndup with inline copy, free data on
	failure

	* lib/krb5/cache.c (_krb5_expand_default_cc_name): replace strndup
	with inline copy

	* lib/krb5/log.c: rename close and log to avoid shadow warnings

	* lib/krb5/get_in_tkt.c: rename index to i to avoid shadowing

	* lib/krb5/get_for_creds.c
	(krb5_get_forwarded_creds): rename two
	of the local `realm' to srealm to avoid shadowing

	* kdc/kerberos5.c (tgs_rep2): rename one of the tkey to uukey to
	avoid shadow warning

	* kdc/kerberos5.c (tgs_rep2): rename loop to nloop to avoid shadow
	warning

2005-06-15 Love Hörnquist Åstrand <lha@it.su.se>

	* Release 0.7, see branch

2005-06-14 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/Makefile.am: TESTS += test_mem libkrb5_la_SOURCES +=
	kcm.h

	* kuser/kinit.c (main): catch KRB5_CONFIG_BADFORMAT from
	krb5_init_context

	* kdc/main.c (main): catch KRB5_CONFIG_BADFORMAT from
	krb5_init_context

	* lib/krb5/verify_krb5_conf.c (main): catch KRB5_CONFIG_BADFORMAT
	from krb5_init_context From: Mathias Feiler
	<feiler@uni-hohenheim.de>

	* lib/krb5/verify_krb5_conf.c: Add more missing entries, from
	Mathias Feiler <feiler@uni-hohenheim.de>

2005-06-11 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/pkinit.c (pk_principal_from_X509): remember to free
	KRB5PrincipalName

	* lib/krb5/log.c (krb5_closelog): free all content in
	krb5_log_facility

2005-06-08 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/524.c: init kvno to please gcc

	* kdc/kaserver.c (do_authenticate): check return value from
	unparse_auth_args

2005-06-07 Dave Love <fx@gnu.org>

	* doc/setup.texi: Spelling.

	* doc/programming.texi: Spelling.

2005-06-02 Dave Love <fx@gnu.org>

	* kcm/connect.c (kcm_door_server): Make static.

	* kcm/kcm_locl.h (disallow_getting_krbtgt): Declare.

2005-06-02 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/mit_dump.c (mit_prop_dump): cast argument to
	krb5_parse_principal to avoid warning

	* kdc/mit_dump.c: rename KRB5_TL_MOD_PRINC to
	mit_KRB5_TL_MOD_PRINC to hint it's a constant originating from mit
	codebase

2005-06-01 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/store.c: If we are allocating 0 entries, avoid failing
	if ALLOC returns NULL

	* lib/krb5/verify_krb5_conf.c: Check for [kdc]v4-realm

	* lib/krb5/cache.c: When returning a new error code, set error
	string.

2005-05-31 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/keytab_file.c: Adapt to changed signature of
	_krb5_xunlock, clear more error string where needed.

	* lib/krb5/fcache.c (_krb5_xunlock): catch the error and turn it
	into something sensible

2005-05-30 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/kerberos5.c (tgs_make_reply): copy ok-as-delegate flag from
	server entry to encrypted ticket flags

2005-05-30 Johan Danielsson <joda@pdc.kth.se>

	* kdc/connect.c: rename sendlength to prependlength (which
	hopefully better represents its purpose), and change type to
	krb5_boolean

	* kdc/connect.c: log signal causing exit

	* kdc/main.c (sigterm): set exit_flag to signal causing exit;
	(main): trap SIGXCPU

2005-05-30 Love Hörnquist Åstrand <lha@it.su.se>

	* kcm/kcm.8: document --disallow-getting-krbtgt and --door-path

	* kcm/protocol.c (kcm_op_retrieve): check server for krbtgt, not
	client

	* kcm/main.c: ignore SIGPIPE

	* kcm/protocol.c: Add option to disallow getting krbtgt out
	from KCM. KCM will do the fetching part itself.

	* kcm/config.c: Add option to disallow getting krbtgt out
	from KCM. KCM will do the fetching part itself.

2005-05-30 Luke Howard <lukeh@padl.com>

	* kcm/events.c: if credentials have expired when attempting
	to renew, attempt to reacquire them using initial creds

2005-05-29 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5_principal.3: Spelling, from Björn Sandell

	* doc/setup.texi: spelling, from Björn Sandell

	* lib/krb5/name-45-test.c: XXX don't run the test unless the
	machine is in kth.se or su.se because it depends on local resolver
	configuration.

	* lib/hdb/hdb.c: provide RTLD_NOW and RTLD_GLOBAL if they don't
	exist

	* kcm/connect.c: fix doors support, fix signedness warnings

	* kcm/config.c: add --door-path=

	* configure.in: comment what the "detect doors on solaris"
	fragment tries to do

	* kcm/acquire.c (generate_random_pw): fix signed-ness warnings

	* kcm/connect.c (update_client_creds): fix compile error in the
	getpeerucred case

	* lib/krb5/test_cc.c: change format for expansion variables in
	default_cc_name to %{variable} to not confuse them with shell
	ditto

	* kcm/headers.h: Maybe include <door.h>.

	* kcm/kcm_locl.h: add extern door_path;

	* configure.in: detect doors using door_create

	* kcm/Makefile.am: add dependency on kcm_protos.h add lib dependency on
	LIB_door_create

	* lib/krb5/kcm.h: add _PATH_KCM_DOOR, default path to kcm door

	* lib/krb5/kcm.c: use [libdefaults]kcm_door to find the door to
	kcm

	* lib/krb5/Makefile.am: libkrb5_la_LIBADD += LIB_door_create

	* lib/krb5/krb5_locl.h: Maybe include <sys/mman.h>, maybe include
	<door.h>.

	* lib/krb5/kcm.c (kcm_send_request): add support for doing a door
	call to kcm

	* lib/asn1: prefix Der_class with ASN1_C_ to avoid problems with
	system headerfiles that pollute the name space

	* kcm/kcm.8: change format for expansion variables in
	default_cc_name to %{variable} to not confuse them with shell
	ditto

	* lib/krb5/krb5.conf.5: change format for expansion variables in
	default_cc_name to %{variable} to not confuse them with shell
	ditto

	* lib/krb5/cache.c (_krb5_expand_default_cc_name): change format
	for expansion variables to %{variable} to not confuse them with
	shell ditto

	* kcm/connect.c: add LOCAL_PEERCRED and experimental doors support

2005-05-27 Love Hörnquist Åstrand <lha@it.su.se>

	* appl/kf/kfd.c: cast uid_t to unsigned long in printf format

2005-05-25 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5_auth_context.3: remove trailing space

2005-05-24 Love Hörnquist Åstrand <lha@it.su.se>

	* kcm/connect.c (do_request): use sendmsg to send the reply

	* fix-export: add make_proto for kcm/kcm_protos.h

	* kcm/kcm_locl.h: remove prototypes and add <kcm_protos.h>

	* kcm/Makefile.am (kcm_SOURCES): add headerfiles
	(kcm_protos.h): generate prototypes

	* kcm/protocol.c: fix error in last commit, use right function

	* kcm/headers.h: include <ucred.h> if we have getpeerucred

	* configure.in: check for functions getpeerucred and getpeereid

	* kcm/connect.c (update_client_creds): add support for
	getpeerucred and getpeereid

	* lib/krb5/kcm.c (kcm_alloc): allow kcm socket to be configured by
	[libdefaults]kcm_socket=/path

2005-05-24 David Love <fx@gnu.org>

	* kcm/kcm.8: KRB5CCNAME needs a literal uid, not ${uid}, spelling

2005-05-23 Love Hörnquist Åstrand <lha@it.su.se>

	* kcm/protocol.c: Merge the description and function jumptables
	into one structure. Use the length of the array when checking if
	opcode is value, not a constant.

	* kcm/kcm_locl.h: struct kcm_op: jumptable structure

	* kcm/main.c: move declaration of detach_from_console away from
	here to kcm_locl.h, Don't test HAVE_DAEMON since roken supplies it.

	* kcm/kcm_locl.h: move declaration of detach_from_console here

	* kdc/config.c: Don't test HAVE_DAEMON since roken supplies it.

2005-05-23 Dave Love <fx@gnu.org>

	* kcm/config.c: Don't test HAVE_DAEMON since roken supplies it.

	* kdc/main.c: Don't test HAVE_DAEMON since roken supplies it.

2005-05-23 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5_keytab.3: document WRFILE and JAVA14

2005-05-20 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krbhst.c (srv_get_hosts): if srv_get_hosts fails,
	return and ignore the error

	* lib/krb5/krbhst.c (srv_find_realm): make sure `res' and `count'
	have good values

	* lib/krb5/test_keytab.c: tests all keytab format

2005-05-19 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/pkinit.c (_krb5_pk_rd_pa_reply): non non asn1 decoding
	errors, fail. Make sure we free memory on error.
	(pk_verify_chain_standard): make sure we provide good errors.

	* lib/krb5/verify_krb5_conf.c: add missing options, prompted by
	James F. Hranicky mail to heimdal-discuss

	* lib/krb5/verify_krb5_conf.c: add pkinit and password quality
	check options

	* lib/krb5/pkinit.c (pk_verify_chain_standard): store better error
	message in the context for certificate errors.

	* lib/krb5/keytab.c (krb5_kt_free_entry): zero out content of all
	krb5_free_x_content like functions to make sure data doesn't get
	reused, idea from Wynn Wilkes <wwilkes@vintela.com>

	* configure.in: depend on automake 1.8, we don't test anything
	older

	* lib/krb5/init_creds_pw.c (process_pa_data_to_md): add comment
	that the caller always free out_md; remove comment about memory,
	it doesn't happen.
	(init_cred_loop): free ctx->as_req.padata when it's reset (From Wynn
	Wilkes <wwilkes@vintela.com>), move a comment close to the code

	* lib/krb5/keytab_krb4.c (fkt_remove_entry): need to call
	krb5_kt_free_entry after each krb5_kt_next_entry.

	* lib/krb5/keytab_file.c (fkt_remove_entry): need to call
	krb5_kt_free_entry after each fkt_next_entry_int. From: Wynn
	Wilkes <wwilkes@vintela.com>

2005-05-18 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/Makefile.am: TESTS += test_keytab

	* lib/krb5/keytab_krb4.c (krb4_kt_remove_entry): plug memory leaks,
	avoid crashing on empty keytab

	* lib/krb5/krb5_keytab.3: document behavior of
	krb5_kt_remove_entry

	* lib/krb5/keytab_memory.c (mkt_remove_entry): check if there
	isn't any entries in the keytab before removing any since that
	leads to bad pointer arithmetic and crashing. From: Wynn Wilkes
	<wwilkes@vintela.com>. Make the function return KRB5_KT_NOTFOUND
	if the entry wasn't in the keytab (just like the filebased
	keytab).

	* lib/krb5/test_keytab.c: test memory corruption in MEMORY keytab

	* lib/krb5{addr_families,context,creds,free,keyblock,
	mit_glue,rd_error}.c: zero out content of all krb5_free_x_content
	like functions to make sure data doesn't get reused, idea from
	Wynn Wilkes <wwilkes@vintela.com>

	* lib/krb5/krb5_get_credentials.3: document KRB5_GC_EXPIRED_OK

	* lib/krb5/krb5.3: add krb5_cc_new_unique

2005-05-17 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/fcache.c (fcc_get_first): check return value from
	malloc, memset the structure, make sure cursor doesn't point to
	freed memory on failure. From: Wynn Wilkes <wwilkes@vintela.com>

	* lib/krb5/krb5_auth_context.3: document
	KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED

	* lib/krb5/get_cred.c: Remove expired credentials, based on
	patches and comments from Anders Magnusson <ragge@ltu.se> and Wynn
	Wilkes <wwilkes@vintela.com>

	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): honor
	KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED and create unencrypted
	(ENCTYPE_NULL) credentials. for use with old mit server and java based
	ones as they can't handle encrypted KRB-CRED. Note that the option
	needs to be turned on because if the consumer sends the KRB-CRED in
	clear bad things will happen.

	* lib/krb5/context.c (krb5_init_context): register krb5_javakt_ops

	* lib/krb5/krb5.h: KRB5_GC_EXPIRED_OK: expired credentials is ok
	to return from krb5_get_credentials.
	KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED: make forward credentials
	be unencrypted, for compatibility with mit kerberos and java
	kerberos. krb5_javakt_ops: export

2005-05-16 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/keytab_file.c: Add new keytab file format JAVA14 that
	doesn't use the extended kvnos, as hinted, this is needed for
	Java's Kerberos implementation.

2005-05-10 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/pkinit.c: handle pkinit-9, pkinit-19, and pkinit-25
	enckey, still no DH

	* kdc/pkinit.c: handle pkinit-9, pkinit-19, and pkinit-25 enckey,
	still no DH

	* kdc/kerberos5.c (as_rep): search for pkinit-9, pkinit-19, and
	pkinit-25 pa-data, return empty pkinit pa-data in the
	PREAUTH_REQUIRED krb-error

	* doc/ack.texi: add pkinit people

	* lib/krb5/krb5_storage.3: document krb5_storage_is_flags

	* lib/krb5/{krb5_compare_creds.3,krb5_get_init_creds.3,
	krb5_krbhst_init.3,krb5_storage.3}:
	make more pretty, from Björn Sandell

2005-05-09 Dave Love <fx@gnu.org>

	* doc/setup.texi: Fix and clarify password quality check examples.

2005-05-09 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/kuserok.c (krb5_kuserok): use POSIX_GETPWNAM_R instead
	of HAVE_GETPWNAM_R From: Dave Love <d.love@dl.ac.uk>

2005-05-07 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/addr_families.c (krb5_print_address): catch when the
	unknown address don't fit.
	From Björn Sandell <biorn@dce.chalmers.se>

2005-05-05 Dave Love <d.love@dl.ac.uk>

	* configure.in: fix type right test, include <termios.h> for
	sys/strtty.h, not sys/ptyvar.h

2005-05-05 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5.conf.5: spelling

2005-05-04 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5.conf.5: expand on what "trailing component" means

2005-05-04 Johan Danielsson <joda@pdc.kth.se>

	* lib/krb5/rd_cred.c: put address comparison in separate function

	* lib/krb5/krb5_kuserok.3: check the user's ~/.k5login.d directory
	for access files, all of which is handled like the regular
	~/.k5login

	* lib/krb5/kuserok.c: check the user's ~/.k5login.d directory for
	access files, all of which is handled like the regular ~/.k5login

2005-05-03 Love Hörnquist Åstrand <lha@it.su.se>

	* doc/ack.texi: Clarify what version of libdes we are using and
	whose code in it we are using.

	* kcm/kcm.8: more text about usage

	* kcm/Makefile.am: man_MANS += kcm.8

	* kcm/kcm.8: initial manpage

	* configure.in: if we have a $srcdir/lib/asn1/pkcs12.asn1, define
	PKINIT

2005-05-02 Dave Love <fx@gnu.org>

	* configure.in: sys/tty.h (for sys/ptyvar.h) might need termios.h.

2005-05-02 Love Hörnquist Åstrand <lha@it.su.se>

	* tools/krb5-config.in: add com_err to required libs

	* lib/krb5/pkinit.c (krb5_ui_method_read_string): use the fill in
	length

	* lib/krb5/init_creds_pw.c: Now that we fixed the signed-ness of
	nonce for windows, remove the code that removed the signed
	bit. Instead add comment that they still need to be the same
	(Kerberos protocol nonce and pk-init nonce) for Windows.

2005-05-02 David Love <fx@gnu.org>

	* lib/krb5/crypto.c: Don't declare des_salt &c as static with
	incomplete type (invalid in c89, at least).

2005-05-02 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5_locl.h: include <crypt.h>

2005-05-02 David Love <fx@gnu.org>

	* kcm/connect.c (init_socket): rename variable sun to un to avoid
	namespace collision.
	(handle_stream): Cast arg of krb5_warnx.

2005-04-30 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/init_creds_pw.c: if we are using PKINIT, strip off the
	highest bit to make windows PK-INIT happy. Also make the nonces
	the same, again for windows, they are using pk-init-9.

	XXX check if it isn't that the nonce is an unsigned variable so
	it's just an asn1 mismatch.

	* kdc/pkinit.c: pass a NULL prompter data to _krb5_pk_load_openssl_id

	* kuser/kinit.c: krb5_get_init_creds_opt_set_pkinit

	* lib/krb5/pkinit.c: Pass prompter data to the prompter function,
	implement a UI prompter function wrapping the kerberos prompter
	function so that the OpenSSL ENGINE can ask for a password
	when loading the private key. From: Douglas E.
	Engert

	* lib/krb5: add <err.h> in test programs

	* configure.in: sys/ptyvar.h might need <sys/tty.h>

	* lib/krb5/Makefile.am: use LIB_com_err for libkrb5.la

2005-04-29 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/asn1/Makefile.am: use $(LIB_com_err)

2005-04-28 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/context.c (krb5_set_config_files): ignore permission
	denied on configuration files, user might not be allowed to read
	/var/heimdal/kdc.conf

2005-04-26 Dave Love <fx@gnu.org>

	* lib/krb5/krb5_locl.h: define _POSIX_PTHREAD_SEMANTICS so we get
	posix getpwnam_r

2005-04-25 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/asn1/gen_glue.c: switch the units variable to a
	function. gcc-4.1 needs the size of the structure if it's defined
	as extern struct units foo_units[] and we don't want to include
	<parse_units.h> in the generate headerfile

2005-04-25 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/hdb.schema: add EQUALITY rule for krb5ValidStart,
	krb5ValidEnd, krb5PasswordEnd From Howard Chu

2005-04-24 Love Hörnquist Åstrand <lha@it.su.se>

	* doc/whatis.texi: comment out docbook stuff for now

	* kuser/klist.c: use strlcpy

	* doc/ack.texi: we no longer use eay libdes, make acknowledgment
	still be there, but claim that we no longer use it. Mark editline
	to be a modified version as required by the license.

	* lib/krb5/pkinit.c: use the unexported oid_to_enctype function

	* lib/krb5/crypto.c: unexport the oid_to_enctype function, not for
	external consumers

	* kdc/Makefile.am: always add kaserver

	* lib/krb5/krb5_ccache.3: document krb5_cc_new_unique

	* lib/krb5/cache.c (krb5_cc_new_unique): new function to create a
	new credential cache

	* kdc/headers.h: don't include kerberos 4 headers here

	* kdc/hpropd.c: include kerberos 4 headers here

	* kdc/connect.c: add kaserver support independent of having krb4
	support

	* kdc/config.c: add kaserver support unconditionally, make kdc
	only fail to start when there are no v4 realm configured and
	krb4/kaserver is turned on

	* kdc/kaserver.c: Use the new Kerberos 4 functions in libkrb5 and
	so kaserver support is always compiled in (still default disabled)

	* lib/krb5/v4_glue.c: simplify error handling

	* doc/whatis.texi: add docbook version macro of @sub

	* doc/heimdal.texi: change the wrapping around the Top node to
	ifnottex, make html generation work

	* lib/krb5/krb5_krbhst_init.3: spelling, from Björn Sandell
	<biorn@dce.chalmers.se>

	* lib/krb5/krb5_get_krbhst.3: spelling, from Björn Sandell
	<biorn@dce.chalmers.se>

	* lib/krb5/krb5_data.3: spelling, from Björn Sandell
	<biorn@dce.chalmers.se>

	* lib/krb5/krb5_aname_to_localname.3: spelling, from Björn Sandell
	<biorn@dce.chalmers.se>

	* lib/krb5/krb5_address.3: spelling, from Björn Sandell
	<biorn@dce.chalmers.se>

2005-04-23 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/config.c: Use the new Kerberos 4 functions in libkrb5 and so
	kerberos 4 is always compiled in (still default disabled)

	* kdc/kerberos4.c: Use the new Kerberos 4 functions in libkrb5 and
	so kerberos 4 is always compiled in (still default disabled)

	* lib/krb5/krb5_locl.h: forward declaration of _krb5_krb_auth_data

	* lib/krb5/convert_creds.c: Move the kerberos v4 replacement
	functions to v4_glue.c

	* lib/krb5/v4_glue.c: Implement enough of kerberos 4 protocol to
	be a KDC, move the v4 bits over here

	* lib/krb5/krb5-v4compat.h: add more v4 defines

2005-04-22 Love Hörnquist Åstrand <lha@it.su.se>

	* kpasswd/kpasswdd.c: Support multi-realms databases, requires
	that all the realms are configured on the KDC in krb5.conf with
	[libdefaults]default_realm stanzas.

2005-04-21 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/kerberos5.c: spell succeeded correctly, From Sean Chittenden

	* lib/krb5/addr_families.c: catch two more snprintf problems

2005-04-20 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/Makefile.am: this lib include com_err, add -com_err to
	CHECK_SYMBOLS

	* appl/test/http_client.c: cast ssize_t to unsigned long, fix
	printf format

2005-04-19 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/kuserok.c: use asprintf to avoid truncating pathnames

	* lib/krb5/get_host_realm.c: check return value of snprintf

	* lib/krb5/test_addr.c: check address truncation

	* lib/krb5/addr_families.c: check return values from snprintf and
	clean up semantics of ret_len

	* lib/krb5/krb5_address.3: clarify what ret_len is in
	krb5_print_address

	* lib/krb5/test_kuserok.c: add --version and --help

	* lib/krb5/kuserok.c: use getpwnamn_r if it exists

	* lib/krb5/Makefile.am: noinst_PROGRAMS += test_kuserok

	* lib/krb5/test_kuserok.c: test program for krb5_kuserok

2005-04-18 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/acache.c (acc_resolve): if open_default_ccache failed
	with ccErrCCacheNotFound try again with create_default_ccache,
	this fixes the problem where the
	security server apparently haven't
	started yet on Mac OS X

	* lib/krb5/get_default_principal.c
	(_krb5_get_default_principal_local): add, for use of functions
	that in ccache layer to avoid recursive calls.

	* lib/hdb/hdb-ldap.c: drop <ctype.h>, no longer use any of the is*
	macros in this file

	* include/make_crypto.c: cast to unsigned char to make sure it's
	not negative when passing it to is* functions

2005-04-15 Love Hörnquist Åstrand <lha@it.su.se>

	* doc/programming.texi: remove manpage macro, add some more
	references to manpages

	* doc/heimdal.texi: define manpage macro

	* doc/setup.texi: document new password policy code

	* kpasswd/kpasswdd.c: add verifier libraries with
	kadm5_add_passwd_quality_verifier

	* lib/krb5/krb5_keyblock.3: document krb5_keyblock_init

2005-04-14 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/kaserver.c: AUTHENTICATE and AUTHENTICATE_V2 is almost the
	same, and clients
	(klog) can deal with that the kaserver returns the same thing for
	both

	* lib/krb5/keyblock.c: Add krb5_keyblock_init to allocate and fill
	in a keyblock from key data.

2005-04-12 Love Hörnquist Åstrand <lha@it.su.se>

	* configure.in: rk_WIN32_EXPORT for roken

2005-04-10 Love Hörnquist Åstrand <lha@it.su.se>

	* appl/test/gssapi_server.c: print out client principal of
	delegated credential

2005-04-07 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/init_creds_pw.c (process_pa_data_to_key): also check
	for KRB5_PADATA_PK_AS_REP_19, From: Douglas Engert

2005-04-07 Love Hörnquist Åstrand <lha@it.su.se>

	* .cvsignore: ignore more generate files

2005-04-04 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/asn1/check-der.c: use size_t, print size_t by casting to
	unsigned long

	* lib/krb5/test_crypto.c: print size_t by casting to unsigned long

	* lib/krb5/acache.c: Argument to create_new_ccache is a principal,
	not a credential cache name. Clean up lossage related to this
	problem.

	* lib/hdb/Makefile.am: CHECK_SYMBOLS += HDBFlags2int

	* lib/krb5/addr_families.c
	(krb5_address_prefixlen_boundary,krb5_free_address):
	use find_atype when we are dealing with a kerberos address type

	* lib/krb5/aes-test.c: size_t vs int + fix printf

	* lib/krb5/pkinit.c: Since the decode can't make out the difference
	between PA-PK-AS-REP-19 and PA-PK-AS-REQ-Win2k, try harder to
	verify both cases

2005-04-03 Love Hörnquist Åstrand <lha@it.su.se>

	* appl/test/uu_client.c: print size_t by casting to unsigned long

2005-04-01 Johan Danielsson <joda@pdc.kth.se>

	* kdc/kerberos4.c (do_version4): check client and server max_life

	* kdc/kaserver.c (do_getticket): check client max_life

2005-03-31 Love <lha@kth.se>

	* lib/krb5/verify_krb5_conf.c: const poison

	* lib/krb5/test_alname.c: const poison

	* lib/asn1/main.c: const poison

	* lib/krb5/test_addr.c: test parse IPv6 RANGE addresses

	* lib/krb5/addr_families.c: implement mask boundary for IPv6

	* lib/asn1/gen.c: avoid const string warnings stemming from
	writeable-string

2005-03-28 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/Makefile.am: TESTS += test_addr

	* lib/krb5/test_addr.c: simple test for addresses

	* lib/krb5/addr_families.c: make RANGE parse prefixlen style
	addresses too, fix printing of RANGE addresses, add
	krb5_address_prefixlen_boundary

	* lib/krb5/krb5_keytab.3: stop memory leak in example, expand on
	wildcards

2005-03-26 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5_principal.3: spelling, from Tomas Olsson

	* lib/krb5/krb5_warn.3: spelling, from Tomas Olsson

2005-03-19 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/acache.c: add mutex for global variables, clean up
	returned error codes, implement storing addresses into the ccapi

	* appl/test/gssapi_server.c: free memory, make error strings match

	* appl/test/gssapi_server.c: use print_gss_name, print server name
	too

	* appl/test/gss_common.h (print_gss_name): common code for
	printing gss name

	* appl/test/gss_common.c (print_gss_name): common code for
	printing gss name

	* appl/test/http_client.c: Make consistent with rest of the gssapi
	test programs

2005-03-17 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/keys.c: AES is enabled by default, remove ifdefs

	* lib/krb5/crypto.c: AES is enabled by default, remove ifdefs

	* lib/krb5/aes-test.c: use hex encoder from roken AES is enabled
	by default, remove ifdefs

	* kdc/kerberos5.c: AES is enabled by default, remove ifdefs

2005-03-16 Love Hörnquist Åstrand <lha@it.su.se>

	* doc/setup.texi: Add some text about modifying the database

2005-03-15 Love Hörnquist Åstrand <lha@it.su.se>

	* kuser/kinit.c: widen lifetime/renewal warning text field, also
	make use of unparse_time_approx, no need to be specific to the
	second when ticket needs to be renewed or their lifetime.

	* doc/heimdal.texi: copyright maintenance, drop eay, use updated
	UCB license

	* lib/krb5/crypto.c: more static and unsigned issues

	* lib/krb5/crypto.c: fix signedness issues, prompted by report of
	Magnus Ahltorp

2005-03-13 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5_keytab.3: more text about how to free returned
	resources

2005-03-10 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/pkinit.c: handle the -25 generation path

	* lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_19

	* lib/krb5/pkinit.c: fold in pk-init-25 asn1 changes

2005-03-09 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/pkinit.c: use generated oid's

	* lib/krb5/pkinit.c: use generated oid's

2005-03-08 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/pkinit.c: update to the asn1 structures used in -25's

	* lib/krb5/pkinit.c: update to the asn1 structures used in -25's

2005-03-04 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/hdb-ldap.c: use the newly written hex function from
	roken and remove the old implementation

2005-03-01 Love Hörnquist Åstrand <lha@it.su.se>

	* appl/test/http_client.c: allow specifying port to connect to

2005-02-24 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/Makefile.am: bump version to 21:0:4

	* lib/hdb/Makefile.am: bump version to 8:0:1

	* lib/asn1/Makefile.am: bump version to 7:0:1

2005-02-23 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/crypto.c (DES_string_to_key_int): must check for weak
	keys after doing the DES_cbc_cksum

2005-02-19 Luke Howard <lukeh@padl.com>

	* lib/krb5/krbhst.c: set
	KD_CONFIG after calling
	config_get_hosts() in kpasswd_get_next()
	From: Wynn Wilkes <wynnw@vintela.com>

2005-02-15 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/db3.c (DB_open): correct the check for O_RDONLY
	From: Chaskiel M Grundman <cg2v@andrew.cmu.edu>

2005-02-09 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/crypto.c (krb5_random_to_key): cast size_t to int to
	make %d work

2005-02-08 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/keytab.c (krb5_kt_get_entry): tell what enctype the
	caller requested to provide the user with a clue what the caller
	was asking for.

2005-02-05 Luke Howard <lukeh@padl.com>

	* lib/krb5/kcm.c: add _krb5_kcm_is_running, _krb5_kcm_noop

	* kcm/acquire.c: don't leak salt if keyproc called multiple
	times

	* kcm/config.c: allow KCM system ccache to be configured from
	krb5.conf, in the system_ccache stanza of [kcm]

2005-02-03 Love Hörnquist Åstrand <lha@it.su.se>

	* kcm/protocol.c: use -1 as the invalid pid number

	* kcm/connect.c: support SCM_CREDS (for NetBSD)

	* kcm/Makefile.am: LDADD += LIB_pidfile

	* kcm/connect.c: make it possible to build on systems without
	SO_PEERCRED (still doesn't work)

	* kcm/config.c: cast argument to isdigit to unsigned char

	* lib/krb5/krb5.conf.5: document large_msg_size

	* lib/krb5/context.c (init_context_from_config_file): init
	large_msg_size to 6000

	* lib/krb5/krb5.h (krb5_context_data): add large_msg_size,
	threshold where we start to use transport protocols without tiny
	max data transport sizes.
1840 1841 * lib/krb5/kcm.h: drop prototypes, they all live in krb5-private.h 1842 by now 1843 18442005-02-02 Luke Howard <lukeh@padl.com> 1845 1846 * configure.in: generate kcm/Makefile 1847 1848 * Makefile.am: recurse into kcm/ if KCM defined 1849 1850 * kcm: add KCM daemon 1851 18522005-02-02 Love H��rnquist ��strand <lha@it.su.se> 1853 1854 * lib/krb5/send_to_kdc.c (send_and_recv_udp): make private again 1855 1856 * lib/krb5/kcm.c: use AF_UNIX like the rest of the codebase, add 1857 some more error strings 1858 18592005-02-02 Luke Howard <lukeh@padl.com> 1860 1861 * configure.in: add --enable-kcm option for Kerberos 1862 Credentials Manager (KCM) 1863 1864 * lib/krb5/Makefile.am: add kcm.c 1865 1866 * lib/krb5/cache.c: use cc_retrieve_cred if present rather 1867 than enumerating ccache 1868 1869 * lib/krb5/context.c: register KCM cc_ops 1870 1871 * lib/krb5/get_cred.c: pass all options to cc_retrieve_cred 1872 1873 * lib/krb5/init_creds_pw.c: add krb5_get_init_creds_keyblock 1874 1875 * lib/krb5/kcm.[ch]: add initial implementation of KCM 1876 client library 1877 1878 * lib/krb5/krb5.h: fix cc_retrieve prototype, add KCM cc_ops 1879 1880 * lib/krb5/send_to_kdc.c: add _krb5_send_and_recv_tcp 1881 1882 * lib/krb5/store.c: add krb5_store_creds_tag, krb5_ret_creds_tag 1883 18842005-01-24 Luke Howard <lukeh@padl.com> 1885 1886 * lib/krb5/init_creds_pw.c: allow NULL in_options to be passed 1887 krb5_get_init_creds_password() 1888 1889 * kdc/kerberos5.c: don't crash when logging no server etype 1890 support if client == NULL 1891 18922005-01-17 Love H��rnquist ��strand <lha@it.su.se> 1893 1894 * kdc/kstash.c: s/random_key/random_key_flag/, From Dave Love 1895 <d.love@dl.ac.uk> 1896 18972005-01-12 Love H��rnquist ��strand <lha@it.su.se> 1898 1899 * doc/apps.texi: Texinfo fixes. Text about irix 6.5 using 1900 PAM. 
From: Dave Love <d.love@dl.ac.uk> 1901 19022005-01-08 Love H��rnquist ��strand <lha@it.su.se> 1903 1904 * lib/krb5/verify_krb5_conf.c: cast argument to isdigit to 1905 unsigned char 1906 1907 * lib/krb5/keytab_keyfile.c: cast argument to toupper to unsigned 1908 char 1909 1910 * lib/asn1/hash.c (hashcaseadd): cast argument to toupper to 1911 unsigned char 1912 1913 * appl/kf/kfd.c (kfd_match_version): cast argument to islower to 1914 unsigned char 1915 1916 * lib/krb5/krb5.3: drop krb5_{checksum,enctype}_is_disabled 1917 1918 * lib/krb5/krb5_encrypt.3: drop krb5_enctype_is_disabled, more 1919 text about krb5_enctype_valid 1920 1921 * lib/krb5/krb5_create_checksum.3: drop 1922 krb5_checksum_is_disabled 1923 1924 * lib/krb5/crypto.c: drop krb5_{checksum,enctype}_isdisabled 1925 1926 * lib/krb5/context.c: krb5_enctype_is_disabled is the same thing 1927 as krb5_enctype_valid, so use the later since its older and the 1928 api doesn't really need another entry point 1929 1930 * lib/krb5/rd_req.c: krb5_enctype_is_disabled is the same thing as 1931 krb5_enctype_valid, so use the later since its older and the api 1932 doesn't really need another entry point 1933 1934 * kdc/kerberos5.c: krb5_enctype_is_disabled is the same thing as 1935 krb5_enctype_valid, so use the later since its older and the api 1936 doesn't really need another entry point 1937 19382005-01-05 Love H��rnquist ��strand <lha@it.su.se> 1939 1940 * kpasswd/kpasswdd.8: document --addresses, controls what 1941 addresses kpasswd should listen too 1942 1943 * kpasswd/kpasswdd.c: add --addresses, controls what addresses 1944 kpasswd should listen too 1945 1946 * lib/krb5/addr_families.c (krb5_parse_address): filter out dup 1947 addresses from getaddrinfo 1948 1949 * kpasswd/kpasswd.1: document -c 1950 1951 * kpasswd/kpasswd.c: allow specifying a credential cache to use 1952 for the admin principal 1953 1954 * include/bits.c: constify to avoid warning with -Wwrite-string 1955 1956 * NEWS: add 0.6.2 and 0.6.3 items 
1957 1958 * lib/krb5/krb5_keyblock.3: document krb5_generate_subkey_extended 1959 1960 * lib/krb5/krb5_is_thread_safe.3: document function 1961 1962 * lib/krb5/Makefile.am (man_MANS) += krb5_is_thread_safe.3 1963 1964 * lib/krb5/context.c (krb5_is_thread_safe): return TRUE is the 1965 library was compiled with multithreading support. If not, 1966 application must global lock the library, it it uses threads that 1967 call kerberos functions at the same time. 1968 19692005-01-05 Luke Howard <lukeh@padl.com> 1970 1971 * lib/krb5/auth_context.c: use krb5_generate_subkey_extended() 1972 1973 * lib/krb5/appdefault.c: remove redundant KRB5_LIB_FUNCTION 1974 1975 * lib/krb5/build_auth.c: support for enctype negotiation 1976 (client sends EtypeList in Authenticator authz data) 1977 1978 * lib/krb5/context.c: mutex should be destroyed last in 1979 krb5_free_context() 1980 1981 * lib/krb5/generate_subkey.c: add krb5_generate_subkey_extended(), 1982 set *subkey to NULL if key geneartion fails 1983 1984 * lib/krb5/krb5.h: add KRB5_KU_PA_SERVER_REFERRAL_DATA 1985 1986 * lib/krb5/mk_req_ext.c: support ETYPE_ARCFOUR_HMAC_MD5_56 1987 1988 * lib/krb5/rd_req.c: support for enctype negotiation 1989 (client sends EtypeList in Authenticator authz data) 1990 19912005-01-04 Luke Howard <lukeh@padl.com> 1992 1993 * lib/asn1/k5.asn1: add authorization data types for enctype 1994 negotiation implementation 1995 19962005-01-04 Love H��rnquist ��strand <lha@it.su.se> 1997 1998 * lib/krb5/changepw.c (change_password_loop): on failing to find a 1999 kdc, set result_code to KRB5_KPASSWD_HARDERROR 2000 20012005-01-01 Love H��rnquist ��strand <lha@it.su.se> 2002 2003 * doc/heimdal.texi: Happy New Year 2004 2005