xref: /freebsd-9.3-release/crypto/heimdal/ChangeLog

2008-01-24  Love H�rnquist �strand  <lha@it.su.se>

	* Release 1.1

2008-01-21  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/get_for_creds.c: Use on variable less.

	* lib/krb5/get_for_creds.c: Try to handle ticket full and
	ticketless tickets better. Add doxygen comments while here.

	* lib/krb5/test_forward.c: Used for testing
	krb5_get_forwarded_creds().
	
	* lib/krb5/Makefile.am: noinst_PROGRAMS += test_forward

	* lib/krb5/Makefile.am: drop CHECK_SYMBOLS

	* lib/hdb/Makefile.am: drop CHECK_SYMBOLS

	* kdc/Makefile.am: drop CHECK_SYMBOLS

2008-01-18  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/version-script.map: Add krb5_digest_probe.
	
2008-01-13  Love H�rnquist �strand  <lha@it.su.se>
	
	* lib/krb5/pkinit.c: Replace hx509_name_to_der_name with
	hx509_name_binary.

2008-01-12  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/Makefile.am: add missing files

2007-12-28  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/digest.c: Log probe message, add NTLM_TARGET_DOMAIN to the
	type2 message.

2007-12-14  Love H�rnquist �strand  <lha@it.su.se>

	* lib/hdb/dbinfo.c: Add hdb_default_db().

	* Makefile.am: Add some extra cf/*.

2007-12-12  Love H�rnquist �strand  <lha@it.su.se>
	
	* kuser/kgetcred.c: Fix type of name-type. From Andy Polyakov.

2007-12-09  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/log.c: Use hdb_db_dir().

	* kpasswd/kpasswdd.c: Use hdb_db_dir().

2007-12-08  Love H�rnquist �strand  <lha@it.su.se>
	
	* kdc/config.c: Use hdb_db_dir().

	* kdc/kdc_locl.h: add KDC_LOG_FILE

	* kdc/hpropd.c: Use hdb_default_db().

	* kdc/kstash.c: Use hdb_db_dir().

	* kdc/pkinit.c: Adapt to hx509 changes, use hdb_db_dir().

	* lib/krb5/rd_req.c: Document krb5_rd_req_in_set_pac_check.

	* lib/krb5/verify_krb5_conf.c: Check check_pac.

	* lib/krb5/rd_req.c: use KRB5_CTX_F_CHECK_PAC to init check_pac
	field in the krb5_rd_req_in_ctx

	* lib/krb5/expand_hostname.c: Adapt to changing
	dns_canonicalize_hostname into flags field.

	* lib/krb5/context.c: Adapt to changing dns_canonicalize_hostname
	into flags field, add check-pac as an libdefaults option.

	* lib/krb5/pkinit.c: Adapt to changes in hx509 interface.

	* doc: add doxygen documentation to hcrypto

	* doc/doxytmpl.dxy: generate links
	
2007-12-07  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/Makefile.am: build_HEADERZ += heim_threads.h

	* lib/hdb/dbinfo.c (hdb_db_dir): Return the directory where the
	hdb database resides.

	* configure.in: Add --with-hdbdir to specify where the database is
	stored.

	* lib/krb5/crypto.c: revert previous patch, the problem is located
	in the RAND_file_name() function that will cause recursive nss
	lookups, can't fix that here.

2007-12-06  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/crypto.c (krb5_generate_random_block): try to avoid the
	dead-lock in by not holding the lock while running
	RAND_file_name. Prompted by Hai Zaar.

	* lib/krb5/n-fold.c: spelling
	
2007-12-04  Love H�rnquist �strand  <lha@it.su.se>

	* kuser/kdigest.c (digest-probe): implement command.

	* kuser/kdigest-commands.in (digest-probe): new command
	
	* kdc/digest.c: Implement supportedMechs request.

	* lib/krb5/error_string.c: Make krb5_get_error_string return an
	allocated string to make the function indempotent. From
	Zeqing (Fred) Xia.

2007-12-03  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/krb5_locl.h (krb5_context_data): Flag if
	default_cc_name was set by the user.

	* lib/krb5/fcache.c (fcc_move): make sure ->version is uptodate.

	* kcm/acquire.c: use krb5_free_cred_contents

	* kuser/kimpersonate.c: use krb5_free_cred_contents
	
	* kuser/kinit.c: Use krb5_cc_move to make an atomic switch of the
	cred cache.

	* lib/krb5/cache.c: Put back code that was needed, move gen_new
	into new_unique.

	* lib/krb5/mcache.c (mcc_default_name): Remove const

	* lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME_KCM, redefine
	KRB5_DEFAULT_CCNAME to KRB5_DEFAULT_CCTYPE

	* lib/krb5/cache.c: Use krb5_cc_ops->default_name to get the
	default name.

	* lib/krb5/kcm.c: Implement krb5_cc_ops->default_name.

	* lib/krb5/mcache.c: Implement krb5_cc_ops->default_name.

	* lib/krb5/fcache.c: Implement krb5_cc_ops->default_name.

	* lib/krb5/krb5.h: Add krb5_cc_ops->default_name.

	* lib/krb5/acache.c: Free context when done, implement
	krb5_cc_ops->default_name.

	* lib/krb5/kcm.c: implement dummy kcm_move

	* lib/krb5/mcache.c: Implement the move operation.

	* lib/krb5/version-script.map: export krb5_cc_move

	* lib/krb5/cache.c: New function krb5_cc_move().

	* lib/krb5/fcache.c: Implement the move operation.

	* lib/krb5/krb5.h: Add move to the krb5_cc_ops, causes major
	version bump.

	* lib/krb5/acache.c: Implement the move operation. Avoid using
	cc_set_principal() since it broken on Mac OS X 10.5.0.
	
2007-12-02  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/krb5_ccapi.h: Drop variable names to avoid -Wshadow.
	
2007-11-14  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/krb5tgs.c: Should pass different key usage constants
	depending on whether or not optional sub-session key was passed by
	the client for the check of authorization data. The constant is
	used to derive "specific key" and its values are specified in
	7.5.1 of RFC4120.
	
	Patch from Andy Polyakov.

	* kdc/krb5tgs.c: Don't send auth data in referrals, microsoft
	clients have started to not like that. Thanks to Andy Polyakov for
	excellent research.

2007-11-11  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/creds.c: use krb5_data_cmp

	* lib/krb5/acache.c: use krb5_free_cred_contents

	* lib/krb5/test_renew.c: use krb5_free_cred_contents
	
2007-11-10  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/acl.c: doxygen documentation

	* lib/krb5/addr_families.c: doxygen documentation

	* doc: add doxygen

	* lib/krb5/plugin.c: doxygen documentation

	* lib/krb5/kcm.c: doxygen documentation

	* lib/krb5/fcache.c: doxygen documentation

	* lib/krb5/cache.c: doxygen documentations
	
	* lib/krb5/doxygen.c: doxygen introduction

	* lib/krb5/error_string.c: Doxygen documentation.

2007-11-03  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/test_plugin.c: expose krb5_plugin_register

	* lib/krb5/plugin.c: expose krb5_plugin_register

	* lib/krb5/version-script.map: sort, expose krb5_plugin_register

2007-10-24  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/kerberos5.c: Adding same enctype is enough one time. From
	Andy Polyakov and Bjorn Sandell.
	
2007-10-18  Love  <lha@stacken.kth.se>

	* lib/krb5/cache.c (krb5_cc_retrieve_cred): check return value
	from krb5_cc_start_seq_get. From Zeqing (Fred) Xia
	
	* lib/krb5/fcache.c (init_fcc): provide better error codes

	* kdc/kerberos5.c (get_pa_etype_info2): more paranoia, avoid
	sending warning about pruned etypes.

	* kdc/kerberos5.c (older_enctype): old windows enctypes (arcfour
	based) "old", this to support windows 2000 clients (unjoined to a
	domain). From Andy Polyakov.

2007-10-07  Love H�rnquist �strand  <lha@it.su.se>

	* doc/setup.texi: Spelling, from Mark Peoples via Bjorn Sandell.
	
2007-10-04  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/krb5tgs.c: More prettier printing of enctype, from KAMADA
	Ken'ichi.

	* lib/krb5/crypto.c (krb5_enctype_to_string): make sure string is
	NULL on failure.

2007-10-03  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/kdc-replay.c: Catch KRB5_PROG_ATYPE_NOSUPP from
	krb5_addr2sockaddr and igore thte test is that case.
	
2007-09-29  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/context.c (krb5_free_context): free
	default_cc_name_env, from Gunther Deschner.

2007-08-27  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/{krb5.h,pac.c,test_pac.c,send_to_kdc.c,rd_req.c}: Make
	work with c++, reported by Hai Zaar

	* lib/krb5/{digest.c,krb5.h}: Make work with c++, reported by Hai Zaar

2007-08-20  Love H�rnquist �strand  <lha@it.su.se>

	* lib/hdb/Makefile.am: EXTRA_DIST += hdb.schema

2007-07-31  Love H�rnquist �strand  <lha@it.su.se>

	* check return value of alloc functions, from Charles Longeau

	* lib/krb5/principal.c: spelling.

	* kadmin/kadmin.8: spelling

	* lib/krb5/crypto.c: Check return values from alloc
	functions. Prompted by patch of Charles Longeau.

	* lib/krb5/n-fold.c: Make _krb5_n_fold return a error
	code. Prompted by patch of Charles Longeau.

2007-07-27  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/init_creds.c: Always set the ticket options, use
	KRB5_ADDRESSLESS_DEFAULT as the default value, this make the unset
	tri-state not so useful.

2007-07-24  Love H�rnquist �strand  <lha@it.su.se>

	* tools/heimdal-gssapi.pc.in: Add LIB_pkinit to the list of
	libraries.

	* tools/heimdal-gssapi.pc.in: pkg-config file for libgssapi in
	heimdal.

	* tools/Makefile.am: Add heimdal-gssapi.pc and install it into
	$(libdir)/pkgconfig

2007-07-23  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/pkinit.c: Add RFC3526 modp group14 as a default.

2007-07-22  Love H�rnquist �strand  <lha@it.su.se>

	* lib/hdb/dbinfo.c (get_dbinfo): use dbname instead of realm as
	key if the entry is a correct entry.

	* lib/krb5/get_cred.c: Make krb5_get_renewed_creds work, from
	Gunther Deschner.

	* lib/krb5/Makefile.am: Add test_renew to noinst_PROGRAMS.

	* lib/krb5/test_renew.c: Test for krb5_get_renewed_creds.

2007-07-21  Love H�rnquist �strand  <lha@it.su.se>

	* lib/hdb/keys.c: Make parse_key_set handle key set string "v5",
	from Peter Meinecke.

	* kdc/kaserver.c: Don't ovewrite the error code, from Peter
	Meinecke.

2007-07-18  Love H�rnquist �strand  <lha@it.su.se>

	* TODO-1.0: remove 

	* Makefile.am: remove TODO-1.0

2007-07-17  Love H�rnquist �strand  <lha@it.su.se>

	* Heimdal 1.0 release branch cut here
	
	* doc/hx509.texi: use version.texi
	
	* doc/heimdal.texi: use version.texi
	
	* doc/version.texi: version.texi

	* lib/hdb/db3.c: avoid type-punned pointer warning.

	* kdc/kx509.c: Use unsigned char * as argument to HMAC_Update to
	please OpenSSL and gcc.

	* kdc/digest.c: Use unsigned char * as argument to MD5_Update to
	please OpenSSL and gcc.

2007-07-16  Love H�rnquist �strand  <lha@it.su.se>

	* include/Makefile.am: Add krb_err.h.

	* kdc/set_dbinfo.c: Print acl file too.

	* kdc/kerberos4.c: Error codes are just fine, remove XXX now.

	* lib/krb5/krb5-v4compat.h: Drop duplicate error codes.

	* kdc/kerberos4.c: switch to ET errors.

	* lib/krb5/Makefile.am: Add krb_err.h to build_HEADERZ.

	* lib/krb5/v4_glue.c: If its a Kerberos 4 error-code, remove the
	et BASE.

2007-07-15  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/krb5-v4compat.h: Include "krb_err.h".

	* lib/krb5/v4_glue.c: return more interesting error codes.

	* lib/krb5/plugin.c: Prefix enum plugin_type.

	* lib/krb5/krb5_locl.h: Expose plugin structures.
	
	* lib/krb5/krb5.h: Add plugin structures.

	* lib/krb5/krb_err.et: V4 errors.

	* lib/krb5/version-script.map: First version of version script.

2007-07-13  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/kerberos5.c: Java 1.6 expects the name to be the same type,
	lets allow that for uncomplicated name-types.

2007-07-12  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/v4_glue.c (_krb5_krb_rd_req): if ticket contains
	address 0, its ticket less and don't really care about
	from_addr. return better error codes.

	* kpasswd/kpasswdd.c: Fix pointer vs strict alias rules.

2007-07-11  Love H�rnquist �strand  <lha@it.su.se>

	* lib/hdb/hdb-ldap.c: When using sambaNTPassword, avoid adding
	more then one enctype 23 to krb5EncryptionType.

	* lib/krb5/cache.c: Spelling.

	* kdc/kerberos5.c: Don't send newer enctypes in ETYPE-INFO.
	(get_pa_etype_info2): return the enctypes as sorted in the
	database

2007-07-10  Love H�rnquist �strand  <lha@it.su.se>

	* kuser/kinit.c: krb5-v4compat.h defines prototypes for
	v4 (semiprivate functions) in libkrb5, don't include
	krb5-private.h any longer.

	* lib/krb5/krbhst.c: Set error string when there is no KDC for a
	realm.

	* lib/krb5/Makefile.am: New library version.

	* kdc/Makefile.am: New library version.

	* lib/krb5/krb5_locl.h: Add default_cc_name_env.

	* lib/krb5/cache.c (enviroment_changed): return non-zero if
	enviroment that will determine default krb5cc name has changed.
	(krb5_cc_default_name): also check if cached value is uptodate.

	* lib/krb5/krb5_locl.h: Drop pkinit_flags.

2007-07-05  Love H�rnquist �strand  <lha@it.su.se>

	* configure.in: add tests/java/Makefile

	* lib/hdb/dbinfo.c: Add hdb_dbinfo_get_log_file.

2007-07-04  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/kerberos5.c: Improve the default salt detection to avoid
	returning v4 password salting to java that doesn't look at the
	returning padata for salting.

	* kdc: Split out krb5_kdc_set_dbinfo, From Andrew Bartlett

2007-07-02  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/digest.c: Try harder to provide better error message for
	digest messages.

	* lib/krb5/Makefile.am: verify_krb5_conf_OBJECTS depends on
	krb5-pr*.h, make -j finds this.
	
2007-06-28  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/digest.c: On success, print username, not ip-adress.

2007-06-26  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/get_cred.c: Add krb5_get_renewed_creds.

	* lib/krb5/krb5_get_credentials.3: add krb5_get_renewed_creds

	* lib/krb5/pkinit.c: Use hx509_cms_unwrap_ContentInfo.
	
2007-06-25  Love H�rnquist �strand  <lha@it.su.se>

	* doc/setup.texi: Add example for pkinit_win2k_require_binding
	in [kdc] section.

	* kdc/default_config.c: Rename require_binding to
	win2k_require_binding to match client configuration.

	* kdc/default_config.c: Add [kdc]pkinit_require_binding option.

	* kdc/pkinit.c (pk_mk_pa_reply_enckey): only allow non-bound reply
	if its not required.

	* kdc/default_config.c: rename pkinit_princ_in_cert and add
	pkinit_require_binding

	* kdc/kdc.h: rename pkinit_princ_in_cert and add
	pkinit_require_binding

	* kdc/pkinit.c: rename pkinit_princ_in_cert

2007-06-24  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/pkinit.c: Adapt to hx509_verify_hostname change.

2007-06-21  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/krb5tgs.c: Drop unused variable.

	* kdc/krb5tgs.c: disable anonyous tgs requests

	* kdc/krb5tgs.c: Don't check PAC on cross realm for now.

	* kuser/kgetcred.c: Set KRB5_GC_CONSTRAINED_DELEGATION and parse
	nametypes.

	* lib/krb5/krb5_principal.3: Document krb5_parse_nametype.

	* lib/krb5/principal.c (krb5_parse_nametype): parse nametype and
	return their integer values.

	* lib/krb5/krb5.h (krb5_get_creds): Add
	KRB5_GC_CONSTRAINED_DELEGATION.

	* lib/krb5/get_cred.c (krb5_get_creds): if
	KRB5_GC_CONSTRAINED_DELEGATION is set, set both request_anonymous
	and constrained_delegation.

2007-06-20  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/digest.c: Return an error message instead of dropping the
	packet for more failure cases.

	* lib/krb5/krb5_principal.3: Add KRB5_PRINCIPAL_UNPARSE_DISPLAY.

	* appl/gssmask/gssmask.c (AcquirePKInitCreds): fail more
	gracefully
	
2007-06-18  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/pac.c: make compile.
	
	* lib/krb5/pac.c (verify_checksum): memset cksum to avoid using
	pointer from stack.

	* lib/krb5/plugin.c: Don't expose free pointer.

	* lib/krb5/pkinit.c (_krb5_pk_load_id): fail directoy for first
	calloc.
	
	* lib/krb5/pkinit.c (get_reply_key*): don't expose freed memory

	* lib/krb5/krbhst.c: Host is static memory, don't free.

	* lib/krb5/crypto.c (decrypt_internal_derived): make sure length
	is longer then confounder + checksum.

	* kdc: export get_dbinfo as krb5_kdc_set_dbinfo and call from
	users. This to allows libkdc users to to specify their own
	databases

	* lib/krb5/pkinit.c (pk_rd_pa_reply_enckey): simplify handling of
	content data (and avoid leaking memory).

	* kdc/misc.c (_kdc_db_fetch): set error string for failures.
	
2007-06-15  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/pkinit.c: Use KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.

2007-06-13  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/pkinit.c: tell user when they got a pk-init request with
	pkinit disabled.

2007-06-12  Love H�rnquist �strand  <lha@it.su.se>
	
	* lib/krb5/principal.c: Rename UNPARSE_NO_QUOTE to
	UNPARSE_DISPLAY.

	* lib/krb5/krb5.h: Rename UNPARSE_NO_QUOTE to UNPARSE_DISPLAY.

	* lib/krb5/principal.c: Make no-quote mean replace strange chars
	with space.

	* lib/krb5/principal.c: Support KRB5_PRINCIPAL_UNPARSE_NO_QUOTE.

	* lib/krb5/krb5.h: Add KRB5_PRINCIPAL_UNPARSE_NO_QUOTE.

	* lib/krb5/test_princ.c: Test quoteing.

	* lib/krb5/pkinit.c: update (c)
	
	* lib/krb5/get_cred.c: use krb5_sendto_context to talk to the KDC.

	* lib/krb5/send_to_kdc.c (_krb5_kdc_retry): check if the whole
	process needs to restart or just skip this KDC.

	* lib/krb5/init_creds_pw.c: Use krb5_sendto_context to talk to
	KDC.

	* lib/krb5/krb5.h: Add sendto hooks and opaque structure.

	* lib/krb5/krb5_rd_error.3: Update prototype.

	* lib/krb5/send_to_kdc.c: Add hooks for processing the reply from
	the server.
	
2007-06-11  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/krb5_err.et: Some new error codes from RFC 4120.
	
2007-06-09  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/krb5tgs.c: Constify.

	* kdc/kerberos5.c: Constify.

	* kdc/pkinit.c: Check for KRB5-PADATA-PK-AS-09-BINDING. Constify.

2007-06-08  Love H�rnquist �strand  <lha@it.su.se>

	* include/Makefile.am: Make krb5-types.h nodist_include_HEADERS.

	* kdc/Makefile.am: EXTRA_DIST += version-script.map.
	
2007-06-07  Love H�rnquist �strand  <lha@it.su.se>
	
	* Makefile.am (print-distdir): print name of dist

	* kdc/pkinit.c: Break out loading of mappings file to a separate
	function and remove warning that it can't open the mapping file,
	there are now mappings in the db, maybe the users uses that
	instead...

	* lib/krb5/crypto.c: Require the raw key have the correct size and
	do away with the minsize.  Minsize was a thing that originated
	from RC2, but since RC2 is done in the x509/cms subsystem now
	there is no need to keep that around.

	* lib/hdb/dbinfo.c: If there is no default dbname, also check for
	unset mkey_file and set it default mkey name, make backward compat
	stuff work.

	* kdc/version-script.map: add new symbols

	* kdc/kdc-replay.c: Also update krb5_context view of what the time
	is.

	* configure.in: add tests/can/Makefile

	* kdc/kdc-replay.c: Add --[version|help].

	* kdc/pkinit.c: Push down the kdc time into the x509 library.

	* kdc/connect.c: Move up krb5_kdc_save_request so we can catch the
	reply data too.

	* kdc/kdc-replay.c: verify reply by checking asn1 class, type and
	tag of the reply if there is one.

	* kdc/process.c: Save asn1 class, type and tag of the reply if
	there is one. Used to verify the reply in kdc-replay.

2007-06-06  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/kdc_locl.h: extern for request_log.

	* kdc/Makefile.am: Add kdc-replay.

	* kdc/kdc-replay.c: Replay kdc messages to the KDC library.

	* kdc/config.c: Pick up request_log from [kdc]kdc-request-log.

	* kdc/connect.c: Option to save the request to disk.

	* kdc/process.c (krb5_kdc_save_request): save request to file.

	* kdc/process.c (krb5_kdc_process*): dont update _kdc_time
	automagicly.
	(krb5_kdc_update_time): set or get current kdc-time.

	* kdc/pkinit.c (_kdc_pk_rd_padata): accept both pkcs-7 and
	pkauthdata as the signeddata oid
	
	* kdc/pkinit.c (_kdc_pk_rd_padata): Try to log what went wrong.

2007-06-05  Love H�rnquist �strand  <lha@it.su.se>
	
	* kdc/pkinit.c: Use oid_id_pkcs7_data for pkinit-9 encKey reply to
	match windows DC behavior better.
	
2007-06-04  Love H�rnquist �strand  <lha@it.su.se>

	* configure.in: use test for -framework Security

	* appl/test/uu_server.c: Print status to stdout.

	* kdc/digest.c (digest ntlm): provide log entires by setting ret
	to an error.
	
2007-06-03  Love H�rnquist �strand  <lha@it.su.se>

	* doc/hx509.texi: Indent crl-sign.

	* doc/hx509.texi: One more crl-sign example.

	* lib/krb5/test_princ.c: plug memory leaks.

	* lib/krb5/pac.c: plug memory leaks.

	* lib/krb5/test_pac.c: plug memory leaks.

	* lib/krb5/test_prf.c: plug memory leak.

	* lib/krb5/test_cc.c: plug memory leaks.

	* doc/hx509.texi: Simple blob about publishing CRLs.

	* doc/win2k.texi: drop text about enctypes.
	
2007-06-02  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/pkinit.c: In case of OCSP verification failure, referash
	every 5 min. In case of success, refreash 2 min before expiring or
	faster.
	
2007-05-31  Love H�rnquist �strand  <lha@it.su.se>
	
	* lib/krb5/krb5_err.et: add error 68, WRONG_REALM

	* kdc/pkinit.c: Handle the ms san in a propper way, still cheat
	with the realm name.

	* kdc/kerberos5.c: If _kdc_pk_check_client failes, bail out
	directly and hand the error back to the client.

	* lib/krb5/krb5_err.et: Add missing REVOCATION_STATUS_UNAVAILABLE
	and fix error message for CLIENT_NAME_MISMATCH.

	* kdc/pkinit.c: More logging for pk-init client mismatch.

	* kdc/kerberos5.c: Also add a KRB5_PADATA_PK_AS_REQ_WIN for
	windows pk-init (-9) to make MIT clients happy.
	
2007-05-30  Love H�rnquist �strand  <lha@it.su.se>
	
	* kdc/pkinit.c: Force des3 for win2k.

	* kdc/pkinit.c: Add wrapping to ContentInfo wrapping to
	COMPAT_WIN2K.

	* lib/krb5/keytab_keyfile.c: Spelling.

	* kdc/pkinit.c: Allow matching by MS UPN SAN, note that this delta
	doesn't deal with case of realm.
	
2007-05-16  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/crypto.c (krb5_crypto_overhead): return static overhead
	of encryption.
	
2007-05-10  Dave Love  <fx@gnu.org>
	
	* doc/win2k.texi: Update some URLs.

2007-05-13  Love H�rnquist �strand  <lha@it.su.se>

	* kuser/kimpersonate.c: Fix version number of ticket, it should be
	5 not the kvno.
	
2007-05-08  Love H�rnquist �strand  <lha@it.su.se>

	* doc/setup.texi: Salting is really Encryption types and salting.
	
2007-05-07  Love H�rnquist �strand  <lha@it.su.se>
	
	* doc/setup.texi: spelling, from Ronny Blomme

	* doc/win2k.texi: Fix ksetup /SetComputerPassword, from Ronny
	Blomme
	
2007-05-02  Love H�rnquist �strand  <lha@it.su.se>

	* lib/hdb/dbinfo.c (hdb_get_dbinfo) If there are no database
	specified, create one and let it use the defaults.
	
2007-04-27  Love H�rnquist �strand  <lha@it.su.se>
	
	* lib/hdb/test_dbinfo.c: test acl file

	* lib/hdb/test_dbinfo.c: test acl file

	* lib/hdb/dbinfo.c: add acl file

	* etc: ignore Makefile.in

	* Makefile.am: SUBDIRS += etc

	* configure.in: Add etc/Makefile.

	* etc/Makefile.am: make sure services.append is distributed

2007-04-24  Love H�rnquist �strand  <lha@it.su.se>

	* kdc: rename windc_init to krb5_kdc_windc_init

	* kdc/version-script.map: version script for libkdc
	
	* kdc/Makefile.am: version script for libkdc
	
2007-04-23  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error):
	correct the order of the arguments.

	* lib/hdb/Makefile.am: Add and test dbinfo.

	* lib/hdb/hdb.h: Forward declaration for struct hdb_dbinfo;

	* kdc/config.c: Use krb5_kdc_get_config and just fill in what the
	users wanted differently.

	* kdc/default_config.c: Make the default configuration fetch info
	from the krb5.conf.
	
2007-04-22  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to
	determine if to send the session-key, for the second place in the
	function.

	* tools/krb5-config.in: rename des to hcrypto

	* kuser/Makefile.am: depend on libheimntlm

	* kuser/kinit.c: Add --ntlm-domain that store the ntlm cred for
	this domain if the Kerberos password auth worked.

	* kuser/klist.c: add new option --hidden that doesn't display
	principal that starts with @

	* tools/krb5-config.in: Add heimntlm when we use gssapi.

	* lib/krb5/krb5_ccache.3 (krb5_cc_retrieve_cred): document what to
	free 'cred' with.

	* lib/krb5/cache.c (krb5_cc_retrieve_cred): document what to free
	'cred' with.
	
2007-04-21  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to
	determine if to send the session-key.

	* kcm/client.c (kcm_ccache_new_client): make root be able to pass
	the name constraints, not the opposite. From Bryan Jacobs.
	
2007-04-20  Love H�rnquist �strand  <lha@it.su.se>

	* kcm/acl.c: make compile again.

	* kcm/client.c: fix warning.
	
	* kcm: First, it allows root to ignore the naming conventions.
	Second, it allows root to always perform any operation on any
	ccache.  Note that root could do this anyway with FILE ccaches.
	From Bryan Jacobs.

	* Rename libdes to libhcrypto.

2007-04-19  Love H�rnquist �strand  <lha@it.su.se>

	* kinit: remove code that depend on kerberos 4 library
	
	* kdc: remove code that depend on kerberos 4 library
	
	* configure.in: Drop kerberos 4 support.

	* kdc/hpropd.c (main): free the message when done with it.

	* lib/krb5/pkinit.c (_krb5_get_init_creds_opt_free_pkinit):
	remember to free memory too.

	* lib/krb5/pkinit.c (pk_rd_pa_reply_dh): free content-type when
	done.

	* configure.in: test rk_VERSIONSCRIPT
	
2007-04-18  Love H�rnquist �strand  <lha@it.su.se>

	* fix-export: remove, all done by make dist now

2007-04-15  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/krb5_get_credentials.3: spelling, from Jason McIntyre

2007-04-11  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/kstash.8: Spelling, from raga <raga@comcast.net> 
	via Bjorn Sandell.

	* lib/krb5/store_mem.c: indent.

	* lib/krb5/recvauth.c: Set error string.

	* lib/krb5/rd_req.c: clear error strings.

	* lib/krb5/rd_cred.c: clear error string.

	* lib/krb5/pkinit.c: Set error strings.

	* lib/krb5/get_cred.c: Tell what principal we are not finding for
	all KRB5_CC_NOTFOUND.
	
2007-02-22  Love H�rnquist �strand  <lha@it.su.se>
	
	* kdc/kerberos5.c: Return the same error codes as a windows KDC.

	* kuser/kinit.c: KRB5KDC_ERR_PREAUTH_FAILED is also a password
	failed.
	
	* kdc/kerberos5.c: Make handling of replying e_data more generic,
	from metze.

	* kdc/kerberos5.c: Fix (string const and shadow) warnings, from
	metze.

	* lib/krb5/pac.c: Create the PAC element in the same order as
	w2k3, maybe there's some broken code in windows which relies on
	this... From metze.

	* kdc/kerberos5.c: Select a session enctype from the list of the
	crypto systems supported enctype, is supported by the client and
	is one of the enctype of the enctype of the krbtgt.
	
	The later is used as a hint what enctype all KDC are supporting to
	make sure a newer version of KDC wont generate a session enctype
	that and older version of a KDC in the same realm can't decrypt.
	
	But if the KDC admin is paranoid and doesn't want to have "no the
	best" enctypes on the krbtgt, lets save the best pick from the
	client list and hope that that will work for any other KDCs.
	
	Reported by metze.

	* kdc/hprop.c (propagate_database): on any failure, drop the
	connection to the peer and try next one.
	
2007-02-18  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/krb5_get_init_creds.3: document new options.

	* kdc/krb5tgs.c: Only check service key for cross realm PACs.

	* lib/krb5/init_creds.c: use the new merged flags field.
	(krb5_get_init_creds_opt_set_win2k): new function, turn on all w2k
	compat flags.

	* lib/krb5/init_creds_pw.c: use the new merged flags field.

	* lib/krb5/krb5_locl.h: merge all flags into one entity
	
2007-02-11  Dave Love  <fx@gnu.org>
	
	* lib/krb5/krb5_aname_to_localname.3: Small fixes
	
	* lib/krb5/krb5_digest.3: Small fixes
	
	* kuser/kimpersonate.1: Small fixes

2007-02-17  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/init_creds_pw.c (find_pa_data): if there is no list,
	there is no entry.

	* kdc/krb5tgs.c: Don't check PACs on cross realm requests.

	* lib/krb5/krb5.h: add KRB5_KU_CANONICALIZED_NAMES.

	* lib/krb5/init_creds_pw.c: Verify client referral data.

	* kdc/kerberos5.c: switch some "return ret" to "goto out".
	
	* kdc/kerberos5.c: Pass down canonicalize request to hdb layer,
	sign client referrals.
	
	* lib/hdb/hdb.h: Add HDB_F_CANON.

	* lib/hdb: add simple alias support to the database backends

2007-02-16  Love H�rnquist �strand  <lha@it.su.se>

	* kuser/kinit.c: Add canonicalize flag.

	* lib/krb5/init_creds_pw.c: Use EXTRACT_TICKET_* flags, support
	canonicalize.

	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_canonicalize):
	new function.
	
	* lib/krb5/get_cred.c: Use EXTRACT_TICKET_* flags.

	* lib/krb5/get_in_tkt.c: Use EXTRACT_TICKET_* flags.

	* lib/krb5/krb5_locl.h: Add EXTRACT_TICKET_* flags.
	
2007-02-15  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/test_princ.c: test parsing enterprise-names.

	* lib/krb5/principal.c: Add support for parsing enterprise-names.

	* lib/krb5/krb5.h: Add KRB5_PRINCIPAL_PARSE_ENTERPRISE.

	* lib/hdb/hdb-ldap.c: Make work again.
	
2007-02-11  Dave Love  <fx@gnu.org>

	* kcm/client.c (kcm_ccache_new_client): Cast snprintf'ed value.
	
2007-02-10  Love H�rnquist �strand  <lha@it.su.se>
	
	* doc/setup.texi: prune trailing space

	* lib/hdb/db.c: Be better at setting and clearing error string.

	* lib/hdb/hdb.c: Be better at setting and clearing error string.

2007-02-09  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/keytab.c (krb5_kt_get_entry): Use krb5_kt_get_full_name
	to print out the keytab name.

	* doc/setup.texi: Spelling, from Guido Guenther
	
2007-02-08  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/rd_cred.c: Plug memory leak, from Michael B Allen.

2007-02-06  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/test_store.c (test_uint16): unsigned ints can't be
	negative
	
2007-02-03  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/pkinit.c: pass extra flags for detached signatures.

	* lib/krb5/pkinit.c: pass extra flags for detached signatures.

	* kdc/digest.c: Remove debug output.

	* kuser/kdigest.c: Add support for ms-chap-v2 client.
	
2007-02-02  Love H�rnquist �strand  <lha@it.su.se>
		
	* kdc/digest.c: Fix ms-chap-v2 get_masterkey

	* kdc/digest.c: Fix ms-chap-v2 mutual response auth code.

	* kuser/kdigest.c: Print session key if there is one.

	* lib/krb5/digest.c: rename hash-a1 to session key

	* kdc/digest.c: Add get_master from RFC 3079 3.4 for MS-CHAP-V2

	* kuser/kdigest.c: print rsp if there is one, from Klas.

	* kdc/digest.c: Use right size, from Klas Lindfors.

	* kuser/kdigest.c: Set client nonce if avaible, from Klas.

	* kdc/digest.c: First version from kllin.

	* kuser/kdigest.c: Don't restrict the type.
	
2007-02-01  Love H�rnquist �strand  <lha@it.su.se>
	
	* kuser/kdigest-commands.in: add --client-response

	* kuser/kdigest.c: Print status instead of response.

	* kdc/digest.c: Better logging and return status = FALSE when
	checksum doesn't match.

	* kdc/digest.c: Check the digest response in the KDC.

	* lib/krb5/digest.c: New functions to send in requestResponse to
	KDC and get status of the request.

	* kdc/digest.c: Add support for MS-CHAP v2.

	* lib/hdb/hdb-ldap.c: Set hdb->hdb_db for ldap.
	
2007-01-31  Love H�rnquist �strand  <lha@it.su.se>

	* fix-export: Make hx509.info too

	* kdc/digest.c: don't verify identifier in CHAP, its the client
	that chooses it.
	
2007-01-23  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/Makefile.am: Basic test of prf.

	* lib/krb5/test_prf.c: Basic test of prf.

	* lib/krb5/mit_glue.c: Add MIT glue for Kerberos RFC 3961 PRF
	functions.

	* lib/krb5/crypto.c: Add Kerberos RFC 3961 PRF functions.

	* lib/krb5/krb5_data.3: Document krb5_data_cmp.

	* lib/krb5/data.c: Add krb5_data_cmp.
	
2007-01-20  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/kx509.c: Don't use C99 syntax.
	
2007-01-17  Love H�rnquist �strand  <lha@it.su.se>
	
	* configure.in: its LIBADD_roken (and shouldn't really exist, our
	libtool usage it broken)

	* configure.in: Add an extra variable for roken, LIBADD, that
	should be used for library depencies.

	* lib/krb5/send_to_kdc.c (krb5_sendto): zero out receive buffer.

	* lib/krb5/krb5_init_context.3: fix mdoc errors

	* Heimdal 0.8 branch cut today

	* doc/hx509.texi: Spelling and more about proxy certificates.

	* configure.in: check for arc4random
	
2007-01-16  Love H�rnquist �strand  <lha@it.su.se>
	
	* lib/krb5/send_to_kdc.c (krb5_sendto): zero receive krb5_data
	before starting

	* tools/heimdal-build.sh: make cvs keep quiet

	* kuser/kverify.c: Use argument as principal if passed an
	argument. Bug report from Douglas E. Engert
	
2007-01-15  Love H�rnquist �strand  <lha@it.su.se>
	
	* lib/krb5/rd_req.c (krb5_rd_req_ctx): The code failed to consider
	the enc_tkt_in_skey case, from Douglas E. Engert.

	* kdc/kx509.c: Issue certificates.

	* kdc/config.c: Parse kx509/kca configuration.

	* kdc/kdc.h: add kx509 config
	
2007-01-14  Love H�rnquist �strand  <lha@it.su.se>
	
	* kdc/kerberos5.c (_kdc_find_padata): if there is not padata,
	there is nothing find.

	* doc/hx509.texi: Examples for pk-init.

	* doc/hx509.texi: About extending ca lifetime and sub cas.
	
2007-01-13  Love H�rnquist �strand <lha@it.su.se>
	
	* doc/hx509.texi: More about certificates.
	
2007-01-12  Love H�rnquist �strand  <lha@it.su.se>

	* doc/hx509.texi: add Application requirements and write about
	xmpp/jabber.
	
2007-01-11  Love H�rnquist �strand  <lha@it.su.se>

	* doc/hx509.texi: More about issuing certificates.

	* doc/hx509.texi: Start of a x.509 manual.

	* include/Makefile.am: remove install headerfiles

	* lib/krb5/test_pac.c: Use more interesting data to cause more
	errors.

	* include/Makefile.am: remove install headerfiles

	* lib/krb5/mcache.c: MCC_CURSOR not used, remove.

	* lib/krb5/crypto.c: macro kcrypto_oid_enc now longer used

	* lib/krb5/rd_safe.c (krb5_rd_safe): set length before trying to
	allocate data
	
2007-01-10  Love H�rnquist �strand  <lha@it.su.se>
	
	* doc/setup.texi: Hint about hxtool validate.

	* appl/test/uu_server.c: print both "server" and "client"

	* kdc/krb5tgs.c: Rename keys to be more obvious what they do.

	* kdc/kerberos5.c: Use other keys to sign PAC with. From Andrew
	Bartlett
	
	* kdc/windc.c: ident, spelling.

	* kdc/windc_plugin.h: indent.

	* kdc/krb5tgs.c: Pass down server entry to verify_pac function.
	from Andrew Bartlett

	* kdc/windc.c: pass down server entry to verify_pac function, from
	Andrew Bartlett

	* kdc/windc_plugin.h: pass down server entry to verify_pac
	function, from Andrew Bartlett

	* configure.in: Provide a automake symbol ENABLE_SHARED if shared
	libraries are built.

	* lib/krb5/rd_req.c (krb5_rd_req_ctx): Use the correct keyblock
	when verifying the PAC.  From Andrew Bartlett.
	
2007-01-09  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/test_pac.c: move around to code test on real PAC.

	* lib/krb5/pac.c: A tiny 2 char diffrence that make the code work
	for real.

	* lib/krb5/test_pac.c: Test more PAC (note that the values used in
	this test is wrong, they have to be fixed when the pac code is
	fixed).

	* doc/setup.texi: Update to new hxtool issue-certificate usage

	* lib/krb5/init_creds_pw.c: Make sure we don't sent both ENC-TS
	and PK-INIT pa data, no need to expose our password protecting our
	PKCS12 key.

	* kuser/klist.c (print_cred_verbose): include ticket length in the
	verbose output
	
2007-01-08  Love H�rnquist �strand  <lha@it.su.se>
	
	* lib/krb5/acache.c (loadlib): pass RTLD_LAZY to dlopen, without
	it linux is unhappy.

	* lib/krb5/plugin.c (loadlib): pass RTLD_LAZY to dlopen, without
	it linux is unhappy.

	* lib/krb5/name-45-test.c: One of the hosts I sometimes uses is
	named "bar.domain", this make one of the tests pass when it
	shouldn't.

2007-01-05  Love H�rnquist �strand  <lha@it.su.se>

	* doc/setup.texi: Change --key argument to --out-key.

	* kuser/kimpersonate.1: mangle my name
	
2007-01-04  Love H�rnquist �strand  <lha@it.su.se>
	
	* doc/setup.texi: describe how to use hx509 to create
	certificates.

	* tools/heimdal-build.sh: Add --distcheck.

	* kdc/kerberos5.c: Check for KRB5_PADATA_PA_PAC_REQUEST to check
	if we should include the PAC in the krbtgt.

	* kdc/pkinit.c (_kdc_as_rep): check if
	krb5_generate_random_keyblock failes.

	* kdc/kerberos5.c (_kdc_as_rep): check if
	krb5_generate_random_keyblock failes.

	* kdc/krb5tgs.c (tgs_build_reply): check if
	krb5_generate_random_keyblock failes.

	* kdc/krb5tgs.c: Scope etype.

	* lib/krb5/rd_req.c: Make it possible to turn off PAC check, its
	default on.

	* lib/krb5/rd_req.c (krb5_rd_req_ctx): If there is a PAC, verify
	its server signature.

	* kdc/kerberos5.c (_kdc_as_rep): call windc client access hook.
	(_kdc_tkt_add_if_relevant_ad): constify in data argument.

	* kdc/windc_plugin.h: More comments add a client_access hook.

	* kdc/windc.c: Add _kdc_windc_client_access.

	* kdc/krb5tgs.c: rename functions after export some more pac
	functions.

	* lib/krb5/test_pac.c: export some more pac functions.

	* lib/krb5/pac.c: export some more pac functions.

	* kdc/krb5tgs.c: Resign the PAC in tgsreq if we have a PAC.

	* configure.in: add tests/plugin/Makefile
	
2007-01-03  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/krb5tgs.c: Get right key for PAC krbtgt verification.

	* kdc/config.c: spelling

	* lib/krb5/krb5.h: typedef for krb5_pac.

	* kdc/headers.h: Include <windc_plugin.h>.

	* kdc/Makefile.am: Include windc.c and use windc_plugin.h

	* kdc/krb5tgs.c: Call callbacks for emulating a Windows Domain
	Controller.

	* kdc/kerberos5.c: Call callbacks for emulating a Windows Domain
	Controller.  Move the some of the log related stuff to its own
	function.

	* kdc/config.c: Init callbacks for emulating a Windows Domain
	Controller.

	* kdc/windc.c: Rename the init function to windc instead of pac.

	* kdc/windc.c: Callbacks specific to emulating a Windows Domain
	Controller.

	* kdc/windc_plugin.h: Callbacks specific to emulating a Windows
	Domain Controller.

	* lib/krb5/Makefile.am: add krb5_HEADERS to build_HEADERZ

	* lib/krb5/pac.c: Support all keyed checksum types.
	
2007-01-02  Love H�rnquist �strand  <lha@it.su.se>
	
	* lib/krb5/pac.c (krb5_pac_get_types): Return list of types.
	
	* lib/krb5/test_pac.c: test krb5_pac_get_types

	* lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA.

	* lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA.

	* lib/krb5/krb5.h: Add KRB5_KRBHST_KCA.

	* lib/krb5/test_pac.c: test Add/remove pac buffer functions.

	* lib/krb5/pac.c: Add/remove pac buffer functions.

	* lib/krb5/pac.c: sprinkle const

	* lib/krb5/pac.c: rename DCHECK to CHECK
	
	* Happy New Year.