xref: /freebsd/crypto/heimdal/ChangeLog.2003 (revision 6a068746777241722b2b32c5d0bc443a2a64d80b)

2003-12-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/error_string.c: protect error_string with mutex

	* lib/krb5/context.c: allocate and destroy mutex in krb5_context

	* lib/krb5/krb5.h (krb5_context_data): add mutex for error_string

2003-12-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/kinit.c: make -9 work again

2003-12-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/init_creds_pw.c: try handle ts preauth better, still
	not good, but at least it work with older heimdal releases that
	doesn't send back KRB5KDC_ERR_PREAUTH_REQUIRED when preauth was
	sent

2003-12-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb.asn1: remove enforce-transited-policy, its no longer
	used

2003-12-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c (_krb5_pk_create_sign): fill in NULL as
	parameters, required by CMS

2003-12-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/get_in_tkt_with_keytab.c (krb5_get_in_tkt_with_keytab):
	avoid memory leak that snuck in when krb5_keytab_key_proc was
	exported, pointed out by Panases Inc

	* lib/krb5/keytab_file.c: do locking, found to be a problem for
	Panasas Inc

	* lib/krb5/fcache.c: internally export x{,un}lock and thus prefix
	them with _krb5_

	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use
	KRB5_AUTH_CONTEXT_DO_TIME if we want timestamp in forwarded
	krb-cred

	* lib/krb5/krb5_auth_context.3: some text about
	krb5_auth_con_{add,remove}flags

	* lib/krb5/auth_context.c: add krb5_auth_con_addflags and
	krb5_auth_con_removeflags

2003-12-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/crypto.c (decrypt_internal_derived): move up padsize to
	avoid memory leak

2003-12-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/crypto.c: require cipher-text to be padded to padsize

	* lib/krb5/eai_to_heim_errno.c: EAI_ADDRFAMILY and EAI_NODATA is
	deprecated in RFC3493

	* lib/krb5/verify_krb5_conf.c (check_host): don't check for
	EAI_NODATA, because its depricated in RFC3493 Pointed out by
	Hajimu UMEMOTO <ume@mahoroba.org> on heimdal-discuss

2003-12-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am: move test_crypto to noinst_PROGRAMS

	* lib/krb5/test_crypto.c: add --version,--help

	* kuser/kinit.c (main): return the return value from simple_execvp

2003-11-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/kinit.c: don't use PKINIT DH per default since its too
	slow

	* lib/krb5/pkinit.c: tweek to make pkinit work with the fact the
	asn1_compile can't generate code for context tagless optionals

	* kdc/pkinit.c: add support for KDC side of DH PKINIT

	* lib/krb5/pkinit.c: clean up error handling, make enc-type work
	again

2003-11-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/kinit.c: add flag to make it work with pkinit dh

	* lib/krb5/pkinit.c: make PKINIT DH support work

2003-11-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/Makefile.am (LDADD): link with LIB_dlopen

	* kdc/pkinit.c: clean up

	* lib/krb5/krb5.h: make pkinit_win2k_compatible into a flag field

	* lib/krb5/pkinit.c: remove most compile depencies clean up

	* kdc/pkinit.c: print an error and turn of pkinit if openssl
	failed to load

	* kdc/config.c: read pkinit (pki-mumble) configuration options

	* kdc/kerberos5.c: add pkinit support

	* kdc/kdc_locl.h: add prototypes for pkinit

	* kdc/pkinit.c: PKINIT patch from Daniel Kouril and Petr Holub, I
	removed the dependency on valicert asn1 parser, remove smartcard
	and globus support (for now). Work to be done on this: DH support,
	Globus support, Smartcard support, windows support (MS implements
	-09 of the draft), make it conform to the new draft

	* lib/krb5/pkinit.c: fix bugs, improve error reporting

2003-11-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/kinit.c: add some "struct foo;" glue for pkinit
	structures that isn't used

	* lib/krb5/pkinit.c: clean up, make remove depenency on openssl's
	api

	* lib/krb5/krb5_locl.h: add some glue for pkinit add reference
	counter to _krb5_get_init_creds_opt_private

	* lib/krb5/init_creds.c: reference count krb5_get_init_creds_opt
	private component to avoid copy all the data in it

	* lib/krb5/crypto.c (AES_string_to_key): fix memory leak

	* lib/krb5/init_creds_pw.c (init_cred_loop): fix memory leak

	* lib/krb5/heim_threads.h: include pthread.h in the pthread case

2003-11-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* kpasswd/kpasswdd.c (main): parse kdc.conf
	From: Jeffrey Hutzelman <jhutz@cmu.edu>

2003-11-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am (TESTS): add test_crypto

	* lib/krb5/test_crypto.c: time crypto operations

2003-11-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/init-creds: spelling, Bruno Rohee <bruno@rohee.com>

2003-11-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/rd_req.c (krb5_verify_ap_req2): krb5_free_ticket free
	the ticket now, rewrite error handling to handle that

	* kpasswd/kpasswdd.c (process): don't free ticket,
	krb5_free_ticket does that now

	* kdc/kerberos5.c (tgs_rep2): don't free ticket, krb5_free_ticket
	does that now

	* lib/krb5/ticket.c (krb5_free_ticket): free the ticket itself to
	match mit behavior, pointed out by Derrick Brashear

	* lib/krb5/krb5_ticket.3: krb5_free_ticket free the whole ticket

2003-11-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/padata.c: add krb5_padata_add

	* lib/krb5/krb5.h: krb5_context_data.pkinit_win2k_compatible

	* lib/krb5/Makefile.am: add pkinit.c

	* kuser/kinit.c: add pkinit support

	* lib/krb5/init_creds_pw.c: add support for pkinit

	* lib/krb5/krb5_locl.h: add the opaque krb5_pk_init_ctx to
	_krb5_get_init_creds_opt_private

	* lib/krb5/pkinit.c: rename krb5_pk_init_openssl_ctx to
	krb5_pk_init_ctx fix win2k error handling

	* lib/krb5/pkinit.c: PKINIT patch from Daniel Kouril and Petr
	Holub, I removed the dependency on valicert asn1 parser, remove
	smartcard and globus support (for now). Work to be done on this:
	DH support, Globus support, Smartcard support, windows support (MS
	implements -09 of the draft), verify that it conforms the new
	draft

2003-11-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/asn1/der_copy.c (copy_oid): copy all components

2003-10-27  Johan Danielsson  <joda@pdc.kth.se>

	* lib/krb5/krb5.conf.5: document capaths section

2003-10-22  Johan Danielsson  <joda@pdc.kth.se>

	* kdc/kerberos5.c: make sure that the server realm and the krbtgt
	second component are identical; get rpath from the capaths section

	* kdc/kerberos5.c: change logic for when to check transited policy
	to a tri-state model involving per principal flags (to be
	implemented)

	* kdc/kdc_locl.h: change enforce_transited_policy to a tri-state
	variable

	* kdc/config.c: change enforce_transited_policy to a tri-state
	variable

2003-10-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/transited.c (krb5_domain_x500_encode): always zero out
	encoding to make sure it have a defined value on failure

	* lib/krb5/transited.c (krb5_domain_x500_encode):
	if num_realms ==0, set encoding and return (avoids malloc(0)),
	check return value for malloc

2003-10-21  Johan Danielsson  <joda@pdc.kth.se>

	* kdc/kerberos5.c (fix_transited_encoding): always print
	cross-realm information

2003-10-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/setup.texi: spelling, From: Tracy Di Marco White

	* kdc/kerberos5.c (fix_transited_encoding): set transited type

2003-10-21  Johan Danielsson  <joda@pdc.kth.se>

	* kdc/kdc.8: document enforce-transited-policy

	* kdc/kerberos5.c: always check transited policy if flag set
	either globally or on principal

	* kdc/config.c: add flag to always check transited policy

	* lib/hdb/hdb.asn1: add flag to enforce transited policy

2003-10-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/transited.c (krb5_domain_x500_decode): set *num_realms
	to zero not num_realms

	* kuser/kgetcred.1: add --no-transit-check

	* kuser/kgetcred.c: add --no-transit-check

	* doc/setup.texi: describe Transit policy

2003-10-20  Johan Danielsson  <joda@pdc.kth.se>

	* kdc/kerberos5.c (fix_transited_encoding): also verify with
	policy, unless asked not to

	* lib/krb5/rd_req.c (krb5_decrypt_ticket): try to verify transited
	realms, unless the transited-policy-checked flag is set

	* lib/krb5/transited.c (krb5_domain_x500_decode): handle zero
	length tr data;
	(krb5_check_transited): new function that does more useful stuff

	* lib/krb5/get_cred.c: get capath info from [capaths] section

2003-10-16  Johan Danielsson  <joda@pdc.kth.se>

	* lib/krb5/fcache.c: Sleep forever waiting for lock. Previous
	method doesn't work well with a large number of clients accessing
	the cache at the same time, and there is no simple way to add a
	timeout to the lock.

2003-10-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/verify_krb5_conf.c: print the error value
	krb5_init_context failed with

	* lib/krb5/config_file.c (krb5_config_parse_file_debug): punt if
	there is binding before a section declaration. Bug found by
	Arkadiusz Miskiewicz <arekm@pld-linux.org>

2003-10-13  Johan Danielsson  <joda@pdc.kth.se>

	* lib/krb5/fcache.c (erase_file): revert a change in previous; if
	the ccache is a symlink, kdestroy should remove it

	* lib/krb5/fcache.c: implement locking

2003-10-12  Johan Danielsson  <joda@pdc.kth.se>

	* kuser/klist.c (print_tickets): bail out if krb5_cc_next_cred
	returns error other than KRB5_CC_END

2003-10-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/init_creds_pw.c: add some help function that is common
	between ENC_TS and SAM2, free the etype{,2}-infos on failure, move
	the pa counter into krb5_get_init_creds_ctx

2003-10-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kaserver.c (do_getticket): if times data is shorter then 8
	byte, request is malformed.

	* kdc/kaserver.c (do_authenticate): if request length is less then
	8 byte, its a bad request and fail. Pointed out by Marco Foglia
	<marco@foglia.org>

	* lib/krb5/verify_krb5_conf.c: add flag --warn-mit-syntax that
	warns for mit syntax is used and just ignore the mit syntax when
	its used

	* lib/krb5/verify_krb5_conf.c: parse [kdc]use_2b and [gssapi]

2003-10-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/asn1/lex.l: add BOOLEAN

	* lib/asn1/parse.y: add BOOLEAN

2003-10-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/kinit.c: When running kinit in "fork mode" do pagsh
	independent of krb4, also always do krb4 setup of cc. Always try
	to destroy the v4 cc.
	- add boolean --{,no-}request-pac that will request pac or not

	* kuser/klist.c (check_for_tgt): set client as part of the
	pattern/match cred

	* lib/krb5/convert_creds.c (_krb5_krb_dest_tkt): unlink v4 token
	(get_krb4_cc_name): move out from _krb5_krb_tf_setup
	(_krb5_krb_tf_setup): adapt to allocated filename instead of
	static filename

	* lib/krb5/krb5-v4compat.h: add _krb5_krb_dest_tkt and TKT_ROOT

	* lib/krb5/init_creds_pw.c (*) send PA_PAC_REQUEST when the user
	have requested either use PAC or not use PAC, if the option not
	set from the user, leave it up to the kdc to decide.
	(init_creds_loop): clear error string on success

	* lib/krb5/init_creds.c: add
	krb5_get_init_creds_opt_set_paq_request break out common part of
	extended opt functions to require_ext_opt

	* lib/krb5/krb5_locl.h: add enum krb5_get_init_creds_req_pac and
	use it in struct _krb5_get_init_creds_opt_private

	* tools/kdc-log-analyze.pl: handle some more failure lines

	* doc/programming.texi: some diffrences between Heimdal and MIT
	Kerberos in the API

	* doc/setup.texi: add Setting up DNS

	* lib/krb5/rd_req.c (krb5_rd_req): always free keyblock since its
	alway used

	* lib/asn1/Makefile.am: add SAM types and PAC_REQUEST

	* lib/asn1/k5.asn1: add more preauth types, add PA-PAC-REQUEST

	* lib/asn1: add boolean support

2003-10-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/changepw.c (setpw_send_request): free ap_req_data on
	failure

2003-09-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* appl/test/http_client.c (do_connect): use ai_protocol 0

	* lib/krb5/init_creds_pw.c (init_cred_loop): handle
	KRB5KRB_ERR_RESPONSE_TOO_BIG and loop again, this time requesting
	LARGE_MSG from send to kdc, and if this is the second time bail
	out; try to free memory

	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc_flags): new function,
	and then implement the order krb5_sendto_kdc* function with this
	function.

	* lib/krb5/krbhst.c (krb5_krbhst_init_flags): new function, use it
	and adapt callers
	(krbhst_get_default_proto): new function, returns udp, or in case
	large_msg was requested for the krb5_krbhst_data, use tcp.
	(*): if the flag KD_LARGE_MSG was set on the krb5_krbhst_data, avoid
	using udp, use krbhst_get_default_proto

	* lib/krb5/krb5.h: flags for krb5_krbhst_init_flags (and
	krb5_send_to_kdc_flags)

2003-09-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/rd_req.c (krb5_rd_req): if we have a keyblock in auth
	context, use that

	* appl/test/uu_client.c: print authorization data if there are any

	* lib/asn1/asn1_print.c: decode IA5Stringa and UTF8String

2003-09-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/init_creds_pw.c: use _krb5_get_init_creds_opt_copy
	* lib/krb5/init_creds.c: don't export krb5_get_init_creds_opt_copy

	* lib/hdb/Makefile.am: libhdb might depend on LIB_dlopen

	* kuser/kinit.c: don't get v4 tickets by default

2003-09-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* kpasswd/kpasswdd.c (process): remove a abort()

	* doc/win2k.texi: add some text about netdom.exe and trusts

	* TODO-1.0: gssapi rc4 done

	* kpasswd/kpasswdd.c: add support for Set password protocol as
	defined by RFC3244 -- Microsoft Windows 2000 Kerberos Change
	Password and Set Password Protocols

2003-09-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/db3.c: improve readability of ->open ifdef, check if
	version >= 4.1

	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_copy): add

	* lib/krb5/rd_req.c (krb5_rd_req): allow caller to pass in a key
	in the auth_context, they way processes that doesn't use the
	keytab can still pass in the key of the service (matches behavior
	of MIT Kerberos).

2003-09-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/init_creds_pw.c: collect all init_creds context into a
	structure so it can easier be passed around, also, while here,
	change nonce for every request

	* lib/krb5/get_in_tkt.c (init_as_req): don't realloc data before
	the loop, add_padata() will handle that itself

	* lib/krb5/get_for_creds.c (add_addrs): don't increase addr->len
	until in contains interesting data, use right iteration counter
	when clearing the addresses

	* lib/krb5/log.c (log_realloc): increase len after realloc returns
	sucessfully

2003-09-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/config_file.c: fix prototypes
	From: Fredrik Ljungberg <flag@pobox.se>

2003-09-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* appl/test/http_client.c: close socket when we are done, don't
	allow the server to restart gssapi negotiation

	* lib/hdb/hdb_locl.h: include <limits.h> for ULONG_MAX noted by
	Wissler Magnus <M.Wissler@abalon.se> on heimdal-discuss

	* appl/test/gssapi_client.c (proto): use select_mech

	* appl/test/http_client.c: use getarg

	* appl/test/gss_common.h: prototype for select_mech

	* appl/test/gss_common.c (select_mech): return the gss_OID from a
	mech name

	* appl/test/http_client.c: print both source and target

	* appl/test/Makefile.am: build http_client

2003-09-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/asn1/asn1_print.c: add support for printing Enumerated

	* appl/test/gssapi_client.c: allow user to select mech; krb5,
	spnego, and no-oid

	* appl/test/test_locl.h: add mech

	* appl/test/common.c: add --mech,-m argument

	* appl/test/gssapi_server.c: print the mech that was used

	* kdc/kerberos5.c (only_older_enctype_p): check request if the
	client only supports old enctypes, before it used the database

2003-09-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* **/*.c: add context argument to krb5_get_init_creds_opt_alloc

	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_alloc): add
	context argument

	* lib/krb5/krb5_get_init_creds.3: spelling

2003-09-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/context.c (add_file): make len argument an pointer to
	an integer

	* lib/asn1/k5.asn1: add SAM types

	* lib/krb5/init_creds_pw.c: break out the encrypt timestamp
	preauth to its function break out the pa_data_to_key_plain to its
	own function make more variables const

2003-09-04  Johan Danielsson  <joda@pdc.kth.se>

	* lib/krb5/krb5.conf.5: document appdefaults/{forward,encrypt}

2003-09-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.h: Add key usage for encryption of the
	SAM-NONCE-OR-SAD field.

	* include/make_crypto.c: include <openssl/ui.h> in the openssl
	case

	* kdc/hprop.h: use new DES_ api

	* lib/krb5/krb5-v4compat.h: assume session key is a char array of
	length 8

	* lib/krb5/prompter_posix.c:
	s/des_read_pw_string/UI_UTIL_read_pw_string/

	* kuser/kinit.c: s/des_read_pw_string/UI_UTIL_read_pw_string/

	* kdc/string2key.c: s/des_read_pw_string/UI_UTIL_read_pw_string/

	* kdc/kstash.c: s/des_read_pw_string/UI_UTIL_read_pw_string/

	* admin/add.c: s/des_read_pw_string/UI_UTIL_read_pw_string/

	* lib/krb5/crypto.c: switch from the des_ to the DES_ api

	* kdc/hprop.c: use DES_KEY_SZ instead of sizeof(des_block)

	* kuser/kverify.c: use
	krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free

	* kpasswd/kpasswd-generator.c: use
	krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free

	* kdc/hprop.c: use
	krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free compare
	a uint32_t with 0xffffffff instead of -1

	* lib/krb5/krb5_425_conv_principal.3: fix [Gt]

	* kuser/kinit.c: use
	krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free

	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): handle
	password passed in though context

	* lib/krb5/Makefile.am (TESTS): += test_config

	* lib/krb5/aes-test.c: move variable thats used within a #ifdef to
	be defined within that #ifdef

	* lib/krb5/data.c (krb5_data_free): reset whole krb5_data when
	freeing it

	* lib/krb5/keyblock.c (krb5_keyblock_zero): new function, zeros
	out a keyblock

	* lib/krb5/init_creds_pw.c: rewrite/implement
	krb5_get_init_creds_password with new preauth handing, still it
	can only work with krb5-pa-enc-timestamp for preauth, but now it
	can handle etype-info2

	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_alloc): allocate
	a opt structure
	(krb5_get_init_creds_opt_free): free a opt structure
	(krb5_get_init_creds_opt_set_pa_password): set preauth info for
	enc-timestamp

	* lib/krb5/krb5_locl.h: add struct
	_krb5_get_init_creds_opt_private

2003-09-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.h: add SAM keyusage numbers, add s2k proc typedef,
	add a pointer to a private part of krb5_get_init_creds_opt

	* kdc/string2key.c (main): avoid const warning by using a extra
	variable

2003-08-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type):
	reindent

	* lib/krb5/ticket.c (krb5_copy_ticket): free all data when
	failing, copy data to right memory, the later pointed out by Luke
	Howard.

2003-08-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.h: cfx-01 use diffrent usage numbers

2003-08-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/db3.c: try to include more db headers

	* lib/hdb/db3.c: patch for working with DB4 on heimdal-discuss
	From: Luke Howard <lukeh@PADL.COM>

2003-08-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.h: add KEYTYPE_ARCFOUR_56

	* appl/test/gssapi_client.c: send both INT and CONF wrapped token

	* appl/test/gssapi_server.c: recv both INT and CONF wrapped token

	* lib/asn1/k5.asn1: add KRB5_NT_SMTP_NAME and KRB5_NT_ENTERPRISE

2003-08-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* appl/test/uu_client.c (proto): fill in client in the match cred

2003-08-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.h: CFX uses slightly diffrent usage numbers

	* lib/krb5/crypto.c (usage2arcfour): simplify, only include
	special cases From: Luke Howard <lukeh@PADL.COM>

2003-08-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb-ldap.c: code rewrite from Luke Howard
	<lukeh@PADL.COM>

	* lib/krb5/crypto.c (arcfour_checksum_p): return true when is
	arcfour, not when its not pointed out by Luke Howard

	* doc/ack.texi: update Luke Howard email address

2003-08-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_encrypt.3: document:
	krb5_crypto_getconfoundersize, krb5_crypto_getblocksize
	krb5_crypto_getenctype, krb5_crypto_getpadsize

	* lib/krb5/crypto.c (krb5_crypto_getpadsize,
	krb5_crypto_getconfoundersize): added From: Luke Howard
	<lukeh@PADL.COM>

2003-08-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/connect.c (handle_tcp): handle recvfrom returning 0
	(connection closed)

	* kdc/connect.c (grow_descr): increment the size after we succeed
	to allocate the space

	* lib/krb5/krb5_create_checksum.3: text about when
	krb5_crypto_get_checksum_type is useful

	* lib/krb5/crypto.c (krb5_crypto_get_checksum_type): fix format
	string

	* lib/krb5/krb5_create_checksum.3: document
	krb5_crypto_get_checksum_type

	* lib/krb5/crypto.c: add krb5_crypto_get_checksum_type
	From: Luke Howard <lukeh@PADL.COM>

	* lib/asn1/gen.c: s/UTF8String/heim_utf8_string/ in generated code
	From: Luke Howard <lukeh@PADL.COM>

2003-08-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* include/make_crypto.c: include aes.h inc in the local libdes
	case too

2003-08-20  Johan Danielsson  <joda@pdc.kth.se>

	* lib/asn1/der_free.c: set free'd poiners to NULL

	* lib/asn1/gen_free.c: set free'd poiners to NULL

2003-08-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/heim_threads.h: XXX don't use "plain" pthread support
	on netbsd

	* lib/krb5/crypto.c: Do the arcfour checksum mapping for
	krb5_create_checksum and krb5_verify_checksum, From: Luke Howard
	<lukeh@PADL.COM>

2003-08-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/test_config.c: check krb5_prepend_config_files_default
	and krb5_prepend_config_files

	* lib/krb5/context.c: add krb5_prepend_config_files and
	krb5_prepend_config_files_default

2003-08-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/mkey.c (read_master_mit): krb5_ret_int16 takes a int16_t
	as argument

	* lib/krb5/parse-name-test.c: please lint (and me)

	* kdc/config.c (configure): remove only set variable 'e'

	* kdc/connect.c (init_socket): sockaddr size argument to
	krb5_addr2sockaddr is a krb5_addr2sockaddr *

	* kdc/kerberos5.c (as_rep): remove usused variable
	(tgs_rep2): don't use a temporary ret-variable, ret is reset later

	* lib/krb5/krb5_get_in_cred.3: these function will be deprecated

	* lib/krb5/Makefile.am: man_MANS += krb5_get_init_creds.3

	* lib/krb5/krb5_get_init_creds.3: begining of documentation of
	krb5_get_init_creds

	* lib/krb5/get_in_tkt.c (krb5_get_in_tkt): for compatibility with
	with the mit implemtation, don't free `creds' argument when done,
	its up the the caller to do that, also allow a NULL ccache.

2003-08-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.conf.5: document tgs_require_subkey

	* lib/asn1/Makefile.am: remove trance of generate tests files, its
	not really for consumption yet

	* lib/hdb/Makefile.am: split generated source from non generated
	source we make-proto.pl can generate prototypes for non
	generate-source only (make-proto.pl dies on asn1compile's .c
	files)

	* lib/krb5/get_cred.c (init_tgs_req): make generation of subkey
	optional on configuration parameter
	[realms]realm={tgs_require_subkey=bool}
	defaults to off. The RFC1510 weakly defines the correct behavior,
	so old DCE secd apparently required the subkey to be there, and MS
	will use it when its there. But the request isn't encrypted in the
	subkey, so you get to choose if you want to talk to a MS mdc or a
	old DCE secd.

	* kdc/kerberos5.c (*): handle krb5_unparse_name returning non-zero

2003-08-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/principal.c (unparse_name): len can't be zero, so,
	don't check for that

2003-08-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/principal.c (unparse_name): make sure there are space
	for a NUL, set *name to NULL when there is a failure (so caller
	can't get hold of a freed pointer)

2003-07-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/kerberos.8: remove duplicate manual, from
	cjep@netbsd.org

2003-07-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/cache.c: indent

	* lib/krb5/cache.c (krb5_cc_set_default_name): only read
	KRB5CCNAME when not suid

2003-07-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/keytab_krb4.c (read_v4_entry): the des key is 8 bytes,
	use a char array instead of des_cblock

2003-07-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c: add support for KRB5_PADATA_ETYPE_INFO2

	* lib/krb5/crypto.c (hmac): make it return an error when out of
	memory, update callsites to either return error or use krb5_abortx
	(krb5_hmac): expose hmac

2003-07-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/keyblock.c (krb5_keyblock_get_enctype): return enctype
	of keyblock

	* lib/krb5/Makefile.am (man_MANS): += krb5_keyblock.3

	* lib/krb5/krb5_keyblock.3: some information about krb5_keyblock
	and related functions

	* lib/krb5/heim_threads.h: make the non-debug version of the mutex
	macros "use" the "mutex" integer so the compile wont complain
	about defined unused variables

	* lib/krb5/heim_threads.h: make thread local storage macros take a
	"return" argument so no functions need to be created for the
	no-pthread case

	* lib/krb5/heim_threads.h: adding RWLOCKS and [sg]etspecific

	* configure.in: use KRB_PTHREADS

	* lib/asn1/Makefile.am (gen_files): add asn1_KerberosString and
	sort

	* lib/asn1/k5.asn1 (ETYPE-INFO2-ENTRY): salt is a KerberosString

	* lib/krb5/krb5.3: add ticket access functions
	* lib/krb5/krb5_ticket.3: ditto
	* lib/krb5/ticket.c: ditto
	* lib/krb5/Makefile.am: ditto

	* lib/krb5/mit_glue.c: add some more krb5_c functions

	* lib/krb5/krb5_c_make_checksum.3: add some more krb5_c functions

	* lib/krb5/crypto.c (krb5_cksumtype_valid): check is checksum type
	is a valid one

	* lib/krb5/crypto.c (krb5_checksum_is_keyed): only set extented
	error string when there is a context
	(krb5_checksum_is_collision_proof): ditto

2003-07-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/mit_glue.c (krb5_c_get_checksum): make type and data
	argument optional
	(krb5_c_{encrypt,decrypt}): return "better" error codes for
	invalid ivec length

	* lib/krb5/krb5_c_make_checksum.3: update krb5_c_get_checksum
	usage

	* lib/krb5/crypto.c (krb5_crypto_getenctype): new function

	* include/make_crypto.c: avoid redefining
	OPENSSL_DES_LIBDES_COMPATIBILITY

	* lib/krb5/krb5.h: add krb5_enc_data

2003-07-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.3: add krb5_c_ functions

	* lib/krb5/mit_glue.c: support passing in NULL as the
	cipher_state/ivec

	* lib/krb5/aes-test.c: add test for krb5_c_encrypt_length and
	krb5_c_decrypt

	* lib/krb5/krb5_c_make_checksum.3: krb5_c encryption glue

	* lib/krb5/crypto.c (wrapped_length/wrapped_length_derived): when
	calculating the length of the encrypted data, use the keyed
	checksum length if the enctype supports a keyed checksum. This
	only matter for aes, for all other enctypes the key and unkeyed
	checksum have the same length.

2003-07-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/mit_glue.c: first version of krb5_c encryption glue

	* doc/install.texi: update pointer to luke ldap documentation

	* lib/hdb/hdb.c (hdb_create): check for dynamic backend after
	static to avoid warning from dynamic backend when using a known
	static backend

2003-07-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/cache.c: don't return value in void function

2003-07-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/creds.c (krb5_compare_creds): if client is specified in
	the mcreds, check that too

	* lib/krb5/{keytab_file.c,principal.c,mk_error.c,krb5.h,get_cred.c}:
	prefix libasn1 types with heim_

	* lib/asn1: prefix typedefs and structs with heim_

2003-07-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb.c: avoid unnecessary setting of variable

2003-07-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/klist.c (check_for_tgt): use krb5_cc_clear_mcred

	* appl/test/uu_client.c (proto): use krb5_cc_clear_mcred

	* lib/krb5/get_cred.c (init_tgs_req): in case of error, don't free
	in the req_body addresses since they where pass in by caller
	(find_cred): use krb5_cc_clear_mcred

	* lib/krb5/krb5_ccache.3: document krb5_cc_clear_mcred

	* lib/krb5/cache.c (krb5_cc_clear_mcred): new function, clear a
	krb5_creds to use with krb5_cc_retrieve_cred

2003-06-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb.c (find_dynamic_method): if there isn't a prefix,
	don't load anything

2003-06-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb.c: Dynamic backend loading, based on patch from Luke
	Howard <lukeh@PADL.COM>

	* lib/hdb/hdb.h: add struct hdb_so_method and
	HDB_INTERFACE_VERSION

2003-06-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/mk_req_ext.c (krb5_mk_req_internal): when using
	arcfour-hmac-md5, use an unkeyed checksum (rsa-md5), since
	Microsoft calculates the keyed checksum with the subkey of the
	authenticator.

	* kuser/kinit.c: write out v4 credential caches with
	_krb5_krb_tf_setup

	* lib/krb5/krb5-v4compat.h: add _krb5_krb_tf_setup

	* lib/krb5/convert_creds.c (_krb5_krb_tf_setup): create/append v4
	credential to a new krb4 ticket file

2003-06-27  Johan Danielsson  <joda@pdc.kth.se>

	* lib/krb5/krb5_kuserok.3: put Nd argument in double quotes since
	it contains more than 9 words; from wiz

2003-06-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/verify_krb5_conf.c: add missing " within #if 0, from
	stefan sokoll <stefansokoll@yahoo.de>

2003-06-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_timeofday.3: improve krb5_set_real_time text

	* lib/krb5/time.c: improve comment for krb5_set_real_time

2003-06-23  Johan Danielsson  <joda@pdc.kth.se>

	* kuser/kinit.1: document -A

	* kuser/kinit.c: add -A as an alias for --no-addresses

2003-06-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): pass in a
	krb5_timestamp to krb5_us_timeofday

	* lib/krb5/mk_error.c (krb5_mk_error): pass in a krb5_timestamp to
	krb5_us_timeofday

	* lib/krb5/time.c (krb5_set_real_time): fix comment and make it
	work

	* lib/krb5/time.c, lib/krb5/krb5_timeofday.3,
	lib/krb5/Makefile.am lib/krb5/test_time.c:

	implement krb5_set_real_time, used by SAMBA, requested by Luke
	Howard <lukeh@PADL.COM>

	* lib/asn1/k5.asn1: make the aes and sha1 checksum types match
	draft-ietf-krb-wg-crypto-05

2003-06-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/aes-test.c: add a test for aes kcrypto encrypted data

	* lib/krb5/crypto.c: clean up AES code to use a structure instead
	of a key array
	(_krb5_AES_string_to_default_iterator): set to 4096 as described in
	aes draft -04
	(derive_key): always remove the key->schedule since its
	will contain the wrong (parent key) info

2003-06-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/aes-test.c: add aes256 test vectors from Ken Raeburn
	* doc/setup.texi: add more kdc's to the example

2003-06-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb-ldap.c: use int2HDBFlags/HDBFlags2int From: Alberto
	Patino <jalbertop@aranea.com.mx>, Luke Howard <lukeh@PADL.COM>
	Pointed out by Andrew Bartlett of Samba

	* lib/krb5/heim_threads.h: remove freebsd comment, don't use debug
	pthread stubs by default

	* lib/krb5/Makefile.am (man_MANS): drop krb5_free_addresses.3

	* lib/krb5/krb5_free_addresses.3: removed file, functions are
	documented in krb5_address.3

	* lib/krb5/codec.c: add krb5_{de,en}code_ETYPE_INFO2

	* lib/krb5/crypto.c: add _krb5_AES_string_to_default_iterator add
	krb5_string_to_key_salt_opaque() fix keylengh for keytype_aes256

2003-06-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/setup.texi: Point out that slave needs /var/heimdal
	directory and masterkey From: Mans Nilsson <mansaxel@sunet.se>,
	Fix spelling while here

2003-06-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am, krb5_get_in_cred.3, krb5.3:
	add manpage for: krb5_get_in_cred, krb5_get_in_tkt,
	krb5_get_in_tkt_with_keytab, krb5_get_in_tkt_with_password,
	krb5_get_in_tkt_with_skey

2003-05-28  Assar Westerlund  <assar@kth.se>

	* lib/krb5/heim_threads.h: Fix unlock/destroy macros for the
	non-threaded cases to work.  Fix typo.

2003-05-27  Johan Danielsson  <joda@pdc.kth.se>

	* lib/asn1/{der_put.c,der_length.c,check-der.c}: Fix encoding of
	"unsigned" integers. If MSB is set, we need to pad with a zero
	byte.

2003-05-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_c_make_checksum.3: some more mdoc fixes

	* lib/hdb/hdb-ldap.c (LDAP__connect): bind sasl "EXTERNAL" to ldap
	connection
	(LDAP_store): remove superfluous argument to asprintf

	From Alberto Patino <jalbertop@aranea.com.mx>

2003-05-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/*.[0-9]: pacify mdoclink

	* lib/krb5/krb5_ccache.3: document diffrences between mit and
	heimdal krb5_cc_gen_new ccache -> credential cache s/[\t ]+$//

2003-05-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* appl/test/gssapi_server.c (proto): start to use
	gss_krb5_copy_ccache

	* appl/test/nt_gss_server.c (proto): comment out gss_ctx_id_t
	groveling for now

2003-05-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/asn1:
	- add parser/generate glue for UTF8String and NULL
	  (DER primitive encode/decode functions missing)
	- handle parsing of DEFAULT and, ...

2003-05-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/heim_threads.h: add missing argument to mutex_init

	* lib/krb5/crypto.c: protect the random initiator with a mutex

	* lib/krb5/mcache.c: protect the mcc_head with a mutex

	* lib/krb5/krb5_locl.h: include heim_threads.h

	* lib/krb5/heim_threads.h: wrapper macros for thread
	synchronization primitives

2003-05-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_principal.3
	lib/krb5/Makefile.am:
	Add all Kerberos principal function to one manpage, add a few more
	principal function to it, remove old now dup manpages

	* lib/krb5/krb5_build_principal.3: remove file
	* lib/krb5/krb5_free_principal.3: remove file
	* lib/krb5/krb5_sname_to_principal.3: remove file
	* lib/krb5/krb5_principal_get_realm.3: remove file

2003-05-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/verify_krb5_conf.8: sort sections, from netbsd

	* lib/krb5/krb5_verify_user.3: .Sh EXAMPLE -> .Sh EXAMPLES, from
	netbsd

	* lib/krb5/krb5_openlog.3: .Sh EXAMPLE -> .Sh EXAMPLES, sort
	sections, from netbsd

	* lib/krb5/krb5_keytab.3: .Sh EXAMPLE -> .Sh EXAMPLES, mdoc fixes,
	from netbsd

	* lib/krb5/krb5_get_krbhst.3: .Sh EXAMPLE -> .Sh EXAMPLES, from
	netbsd

	* lib/krb5/krb5_get_all_client_addrs.3: add .Os, from NetBSD

	* lib/krb5/krb5_build_principal.3: sort sections, from NetBSD

	* lib/krb5/krb5.conf.5: .Sh EXAMPLE -> .Sh EXAMPLES, from netbsd

	* lib/krb5/get_default_realm.c: compatability -> compatibility,
	from netbsd

	* lib/krb5/krb5_warn.3: add copyright/license

	* lib/krb5/krb5_context.3: add SYNOPSIS and LIBRARY

	* lib/krb5/krb5.3: add RCSID

	* kdc/hprop.8: fix mdoc problem, from netbsd

	* lib/krb5/krb5_krbhst_init.3: uppercase url, from Thomas Klausner
	<wiz@netbsd.org>

	* kuser/kinit.1: setup -> set up, new sentence, new line from
	Thomas Klausner <wiz@netbsd.org>

2003-05-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* kpasswd/kpasswd.1: handle setting passwords for multiple
	principals at the same time

	* kpasswd/kpasswd.c: handle setting passwords for multiple
	principals at the same time

	* lib/krb5/changepw.c: draft-ietf-cat-kerb-chg-password-02 and
	rfc3244 share the response packet sure more constants now that
	they exists

2003-05-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.h: some define for rfc3244

	* lib/krb5/krb5.3: add krb5_change_password and krb5_set_password

	* kpasswd/kpasswd.1: document --admin-principal

	* kpasswd/kpasswd.c: use krb5_set_password

	* lib/krb5/krb5_set_password.3: document krb5_change_password and
	krb5_set_password

	* lib/krb5/changepw.c: implement rfc3244, partly from
	shadow@dementia.org

	* lib/asn1/Makefile.am (gen_files): asn1_ChangePasswdDataMS.x for
	RFC3244

	* lib/asn1/k5.asn1: add ChangePasswdDataMS, for
	RFC3244

2003-05-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/kdestroy.c: destroy tokens even if there isn't v4 support

	* kuser/kinit.c: get token even if there isn't v4 support

	* kuser/klist.c: print tokens even if there isn't v4 support

2003-05-06  Johan Danielsson  <joda@pdc.kth.se>

	* lib/krb5/name-45-test.c: need to use empty krb5.conf for some
	tests

	* lib/asn1/check-gen.c: there is no \e escape sequence; replace
	everything with hex-codes, and cast to unsigned char* to make some
	compilers happy

2003-05-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/get_in_tkt.c (make_pa_enc_timestamp): make sure first
	argument to krb5_us_timeofday have correct type

2003-05-05  Assar Westerlund  <assar@kth.se>

	* include/make_crypto.c (main): include aes.h if ENABLE_AES

2003-05-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* make-release: when fixing a valid cvs tag from release name
	replace all number. to number- for all non-overlapping matches

2003-05-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/asn1/Makefile.am: gen_files += asn1_ETYPE_INFO2.x and
	asn1_ETYPE_INFO2_ENTRY.x
	(libasn1_la_LDFLAGS): set version to 6:1:1

	* doc/Makefile.am: add apps.texi

	* doc/setup.texi: add move forward link to applications

	* doc/heimdal.texi: add applications

	* doc/misc.texi: move afs stuff to applications add link to
	applications

	* doc/apps.texi: text about applications using kerberos
	move afs text here

2003-05-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/setup.texi: add cross realm text

2003-04-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_crypto_init.3: document krb5_enctype_to_string and
	krb5_string_to_enctype

2003-04-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/v4_dump.c (v4_prop_dump): limit strings length, from openbsd

2003-04-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/aes-test.c: use _krb5_PKCS5_PBKDF2
	* lib/krb5/crypto.c: unexport krb5_PKCS5_PBKDF2

2003-04-25  Johan Danielsson  <joda@pdc.kth.se>

	* lib/krb5/build_auth.c (krb5_build_authenticator): if the local
	sequence number is non-zero, don't generate a new one

	* lib/krb5/mk_rep.c (krb5_mk_rep): if the local sequence number is
	non-zero, don't generate a new one

	* lib/krb5/time.c (krb5_us_timeofday): make the sec parameter a
	krb5_timestamp

	* lib/krb5/mk_priv.c lib/krb5/mk_safe.c lib/krb5/rd_priv.c
	lib/krb5/rd_safe.c lib/krb5/rd_cred.c: implement RET_SEQUENCE and
	RET_TIME

	* lib/krb5/krb5.h (krb5_replay_data): make usec signed (matching
	asn1)

2003-04-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/programming.texi: s/managment/management/, from jmc
	<jmc@prioris.mini.pw.edu.pl>

2003-04-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/context.c (default_etypes): also advertise that we
	handle aes encryption types

	* lib/krb5/Makefile.am: add krb5_c_ checksum related functions

	* lib/krb5/krb5_c_make_checksum.3: document krb5_c_ checksum
	related functions

	* lib/krb5/mit_glue.c: add compat mit krb5_c checksum related
	functions

	* lib/asn1/k5.asn1: add ETYPE-INFO2 and ETYPE-INFO2-ENTRY

2003-04-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krbhst.c: copy NUL too, from janj@wenf.org via openbsd

2003-04-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/asn1/der_copy.c (copy_general_string): use strdup
	* lib/asn1/der_put.c: remove sprintf
	* lib/asn1/gen.c: remove strcpy/sprintf

	* lib/krb5/name-45-test.c: use a more unique name then ratatosk so
	that other (me) have such hosts in the local domain and the tests
	fails, to take hokkigai.pdc.kth.se instead

	* lib/krb5/test_alname.c: add --version and --help

2003-04-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_warn.3: add krb5_get_err_text

	* lib/krb5/transited.c: use strlcat/strlcpy, from openbsd
	* lib/krb5/krbhst.c (srv_find_realm): use strlcpy, from openbsd
	* lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use
	strlcpy, from openbsd
	* kdc/hpropd.c: s/strcat/strlcat/, inspired from openbsd
	* appl/kf/kfd.c: use strlcpy, from openbsd

2003-04-16  Johan Danielsson  <joda@pdc.kth.se>

	* configure.in: fix for large file support in AIX, _LARGE_FILES
	needs to be defined on the command line, since lex likes to
	include stdio.h before we get to config.h

2003-04-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/*.3: Change .Fd #include <header.h> to .In header.h,
	from Thomas Klausner <wiz@netbsd.org>

	* lib/krb5/krb5.conf.5: spelling, from Thomas Klausner
	<wiz@netbsd.org>

2003-04-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c: fix some more memory leaks

2003-04-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* appl/kf/kf.1: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>

2003-04-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* admin/ktutil.8: typos, from jmc <jmc@acn.waw.pl>

2003-04-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.3: s/kerberos/Kerberos/
	* lib/krb5/krb5_data.3: s/kerberos/Kerberos/
	* lib/krb5/krb5_address.3: s/kerberos/Kerberos/
	* lib/krb5/krb5_ccache.3: s/kerberos/Kerberos/
	* lib/krb5/krb5.conf.5: s/kerberos/Kerberos/
	* kuser/kinit.1: s/kerberos/Kerberos/
	* kdc/kdc.8: s/kerberos/Kerberos/

2003-04-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/test_alname.c: more krb5_aname_to_localname tests

	* lib/krb5/aname_to_localname.c (krb5_aname_to_localname): when
	converting too root, make sure user is ok according to
	krb5_kuserok before allowing it.

	* lib/krb5/Makefile.am (noinst_PROGRAMS): += test_alname

	* lib/krb5/test_alname.c: add test for krb5_aname_to_localname

	* lib/krb5/crypto.c (krb5_DES_AFS3_CMU_string_to_key): used p1
	instead of the "illegal" salt #~, same change as kth-krb did
	1999. Problems occur with crypt() that behaves like AT&T crypt
	(openssl does this). Pointed out by Marcus Watts.

	* admin/change.c (kt_change): collect all principals we are going
	to change, and pick the highest kvno and use that to guess what
	kvno the resulting kvno is going to be. Now two ktutil change in a
	row works. XXX fix the protocol to pass the kvno back.

2003-03-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* appl/kf/kf.1: afs->AFS, from jmc <jmc@acn.waw.pl>

2003-03-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/setup.texi: add description on how to turn on v4, 524 and
	kaserver support

2003-03-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/verify_krb5_conf.c (appdefaults_entries): add afslog
	and afs-use-524

2003-03-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c (as_rep): when the second enctype_to_string
	failes, remember to free memory from the first enctype_to_string

	* lib/krb5/crypto.c (usage2arcfour): map KRB5_KU_TICKET to 2,
	from Harald Joerg <harald.joerg@fujitsu-siemens.com>
	(enctype_arcfour_hmac_md5): disable checksum_hmac_md5_enc

	* lib/hdb/mkey.c (hdb_unseal_keys_mkey): truncate key to the key
	length when key is longer then expected length, its probably
	longer since the encrypted data was padded, reported by Aidan
	Cully <aidan@kublai.com>

	* lib/krb5/crypto.c (krb5_enctype_keysize): return key size of
	encyption type, inspired by Aidan Cully <aidan@kublai.com>

2003-03-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/keytab.c (krb5_kt_get_entry): avoid printing 0
	(wildcard kvno) after principal when the keytab entry isn't found,
	reported by Chris Chiappa <chris@chiappa.net>

2003-03-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/misc.texi: update 2b example to match reality (from
	mattiasa@e.kth.se)

	* doc/misc.texi: spelling and add `Configuring AFS clients'
	subsection

2003-03-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.3: add krb5_free_data_contents.3

	* lib/krb5/data.c: add krb5_free_data_contents for compat with MIT
	API

	* lib/krb5/krb5_data.3: add krb5_free_data_contents for compat
	with MIT API

	* lib/krb5/krb5_verify_user.3: write more about how the ccache
	argument should be inited when used

2003-03-25  Johan Danielsson  <joda@pdc.kth.se>

	* lib/krb5/addr_families.c (krb5_print_address): make sure
	print_addr is defined for the given address type; make addrports
	printable

	* kdc/string2key.c: print the used enctype for kerberos 5 keys

2003-03-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/aes-test.c: add another arcfour test

2003-03-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/aes-test.c: sneek in a test for arcfour-hmac-md5

2003-03-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_ccache.3: update .Dd

	* lib/krb5/krb5.3: sort in krb5_data functions

	* lib/krb5/Makefile.am (man_MANS): += krb5_data.3

	* lib/krb5/krb5_data.3: document krb5_data

	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): if
	prompter is NULL, don't try to ask for a password to
	change. reported by Iain Moffat @ ufl.edu via Howard Chu
	<hyc@highlandsun.com>

2003-03-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_keytab.3: spelling, from
	<jmc@prioris.mini.pw.edu.pl>

	* lib/krb5/krb5.conf.5: . means new line

	* lib/krb5/krb5.conf.5: spelling, from
	<jmc@prioris.mini.pw.edu.pl>

	* lib/krb5/krb5_auth_context.3: spelling, from
	<jmc@prioris.mini.pw.edu.pl>

2003-03-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/Makefile.am: INCLUDES: -I$(srcdir)/../lib/krb5

	* lib/krb5/convert_creds.c: add _krb5_krb_life_to_time

	* lib/krb5/krb5-v4compat.h: add _krb5_krb_life_to_time

	* kdc/kdc_locl.h: 524 is independent of kerberos 4, so move out
	#ifdef KRB4 from enable_v4_cross_realm since 524 needs it

	* kdc/config.c: 524 is independent of kerberos 4, so move out
	enable_v4_cross_realm from #ifdef KRB4 since 524 needs it

2003-03-17  Assar Westerlund  <assar@kth.se>

	* kdc/kdc.8: document --kerberos4-cross-realm
	* kdc/kerberos4.c: pay attention to enable_v4_cross_realm
	* kdc/kdc_locl.h (enable_v4_cross_realm): add
	* kdc/524.c (encode_524_response): check the enable_v4_cross_realm
	flag before giving out v4 tickets for foreign v5 principals
	* kdc/config.c: add --enable-kerberos4-cross-realm option (default
	to off)

2003-03-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am (man_MANS) += krb5_aname_to_localname.3

	* lib/krb5/krb5_aname_to_localname.3: manpage for
	krb5_aname_to_localname

	* lib/krb5/krb5_kuserok.3: s/KRB5_USEROK/KRB5_KUSEROK/

2003-03-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am (man_MANS): add krb5_set_default_realm.3

	* lib/krb5/krb5.3: add manpages from krb5_set_default_realm.3

	* lib/krb5/krb5_set_default_realm.3: Manpage for
	krb5_free_host_realm, krb5_get_default_realm,
	krb5_get_default_realms, krb5_get_host_realm, and
	krb5_set_default_realm.

	* admin/ktutil.8: s/entype/enctype/, from Igor Sobrado
	<sobrado@acm.org> via NetBSD

	* lib/krb5/krb5_keytab.3: add documention for krb5_kt_get_type

	* lib/krb5/keytab.c (krb5_kt_get_type): get prefix/type of keytab

	* lib/krb5/krb5.h (KRB5_KT_PREFIX_MAX_LEN): max length of prefix

	* lib/krb5/krb5_ccache.3: document krb5_cc_get_ops, add more
	types, add krb5_fcc_ops and krb5_mcc_ops

	* lib/krb5/cache.c (krb5_cc_get_ops): new function, return ops for
	a id

2003-03-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/intro.texi: add reference to source code, binaries and the
	manual

	* lib/krb5/krb5.3: krb5.h isn't in krb5 directory in heimdal

2003-03-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kdc.8: better/difrent english

	* kdc/kdc.8: . -> .\n, copyright/license

	* kdc/kdc.8: changed configuration file -> restart kdc

	* kdc/kerberos4.c: add krb4 into the most error messages written
	to the logfile

	* lib/krb5/krb5_ccache.3: add missing name of argument
	(krb5_context) to most functions

2003-03-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/kuserok.c (krb5_kuserok): preserve old behviour of
	function and return FALSE when there isn't a local account for
	`luser'.

	* lib/krb5/krb5_kuserok.3: fix prototype, spelling and more text
	describing the function

2003-03-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/cache.c (krb5_cc_default): if krb5_cc_default_name
	returned memory, don't return ENOMEM

2003-03-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.3: add krb5_address stuff and sort

	* lib/krb5/krb5_address.3: fix krb5_addr2sockaddr description

	* lib/krb5/Makefile.am (man_MANS): += krb5_address.3

	* lib/krb5/krb5_address.3: document types krb5_address and
	krb5_addresses and their helper functions

2003-03-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am (man_MANS): += krb5_kuserok.3

	* lib/krb5/krb5_kuserok.3: spelling, from cizzi@it.su.se

	* lib/krb5/Makefile.am (man_MANS): += krb5_ccache.3

	* lib/krb5/krb5_ccache.3: spelling, from cizzi@it.su.se

	* lib/krb5/krb5.3: add more functions

	* lib/krb5/krb5_ccache.3: document krb5_ccache and krb5_cc
	functions

	* lib/krb5/krb5_kuserok.3: document krb5_kuserok

	* lib/krb5/krb5_verify_user.3: document
	krb5_verify_opt_set_flags(opt, KRB5_VERIFY_LREALMS) behavior

	* lib/krb5/krb5_verify_user.3: document krb5_verify_opt* and
	krb5_verify_user_opt

	* lib/krb5/*.[0-9]: add copyright/licenses on more manpages

	* kuser/kdestroy.c (main): handle that krb5_cc_default_name can
	return NULL

	* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump minor
	(TESTS): add test_cc

	* lib/krb5/test_cc.c: test some
	krb5_cc_default_name/krb5_cc_set_default_name combinations

	* lib/krb5/context.c (init_context_from_config_file): set
	default_cc_name to NULL
	(krb5_free_context): free default_cc_name if set

	* lib/krb5/cache.c (krb5_cc_set_default_name): new function
	(krb5_cc_default_name): use krb5_cc_set_default_name

	* lib/krb5/krb5.h (krb5_context_data): add default_cc_name

2003-02-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* appl/kf/kf.1: s/securly/securely/ from NetBSD

2003-02-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/connect.c: s/intialize/initialize, from
	<jmc@prioris.mini.pw.edu.pl>

2003-02-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* configure.in: add AM_MAINTAINER_MODE

2003-02-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* **/*.[0-9]: add copyright/licenses on all manpages

2003-14-16  Jacques Vidrine  <nectar@kth.se>

	* lib/krb5/get_in_tkt.c (init_as_req): Send only a single
	PA-ENC-TIMESTAMP in the AS-REQ, using the first encryption
	type specified by the KDC.

2003-02-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* fix-export: some autoconf put their version number in
	autom4te.cache, so remove autom4te*.cache

	* fix-export: make sure $1 is a directory

2003-02-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* kpasswd/kpasswdd.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>

	* kdc/kdc.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>

2003-01-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/hpropd.8: s/databases/a database/ s/Not/not/

	* kdc/hprop.8: add missing .

2003-01-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.conf.5: documentation for of boolean, etypes,
	address, write out encryption type in sentences, s/Host/host

2003-01-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/asn1/check-gen.c: add checks for Authenticator too

2003-01-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/setup.texi: in the hprop example, use hprop and the first
	component, not host

	* lib/krb5/get_addrs.c (find_all_addresses): address-less
	point-to-point might not have an address, just ignore
	those. Reported by Harald Barth.

2003-01-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/verify_krb5_conf.c (check_section): when key isn't
	found, don't print out all known keys

	* lib/krb5/verify_krb5_conf.c (syslogvals): mark up where severity
	and facility start resp
	(check_log): find_value() returns -1 when key isn't found

	* lib/krb5/crypto.c (_krb5_aes_cts_encrypt): make key argument a
	'const void *' to avoid AES_KEY being exposed in krb5-private.h

	* lib/krb5/krb5.conf.5: add [kdc]use_2b

	* kdc/524.c (encode_524_response): its 2b not b2

	* doc/misc.texi: quote @ where missing

	* lib/asn1/Makefile.am: add check-gen

	* lib/asn1/check-gen.c: add Principal check

	* lib/asn1/check-common.h: move generic asn1/der functions from
	check-der.c to here

	* lib/asn1/check-common.c: move generic asn1/der functions from
	check-der.c to here

	* lib/asn1/check-der.c: move out the generic asn1/der functions to
	a common file

2003-01-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/misc.texi: more text about afs, how to get get your KeyFile,
	and how to start use 2b tokens

	* lib/krb5/krb5.conf.5: spelling, from Jason McIntyre
	<jmc@cvs.openbsd.org>

2003-01-21  Jacques Vidrine  <nectar@kth.se>

	* kuser/kuser_locl.h: include crypto-headers.h for
	des_read_pw_string prototype

2003-01-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* admin/ktutil.8: document -v, --verbose

	* admin/get.c (kt_get): make getarg usage consistent with other
	other parts of ktutil

	* admin/copy.c (kt_copy): remove adding verbose_flag to args
	struct, since it will overrun the args array (from Sumit Bose)

2003-01-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.conf.5: write more about [realms] REALM = { kdc =
	... }

	* lib/krb5/aes-test.c: test vectors in aes-draft

	* lib/krb5/Makefile.am: add aes-test.c

	* lib/krb5/crypto.c: Add support for AES
	(draft-raeburn-krb-rijndael-krb-02), not enabled by default.
	(HMAC_SHA1_DES3_checksum): rename to SP_HMAC_SHA1_checksum and modify
	to support checksumtype that are have a shorter wireformat then
	their output block size.

	* lib/krb5/crypto.c (struct encryption_type): split the blocksize
	into blocksize and padsize, padsize is the minimum padding
	size. they are the same for now
	(enctype_*): add padsize
	(encrypt_internal): use padsize
	(encrypt_internal_derived): use padsize
	(wrapped_length): use padsize
	(wrapped_length_dervied): use padsize

	* lib/krb5/crypto.c: add extra `opaque' argument to string_to_key
	function for each enctype in preparation enctypes that uses
	`Encryption and Checksum Specifications for Kerberos 5' draft

	* lib/asn1/k5.asn1: add checksum and enctype for AES from
	draft-raeburn-krb-rijndael-krb-02.txt

	* lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_AES128,
	KEYTYPE_AES256

2003-01-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/common.c (_hdb_fetch): handle error code from
	hdb_value2entry

	* kdc/Makefile.am: always include kerberos4.c and 524.c in
	kdc_SOURCES to support 524

	* kdc/524.c: always compile in support for 524

	* kdc/kdc_locl.h: move out krb/524 protos from under #ifdef KRB4

	* kdc/config.c: always compile in support for 524

	* kdc/connect.c: always compile in support for 524

	* kdc/kerberos4.c: export encode_v4_ticket() and get_des_key()
	even when we build without kerberos 4, 524 needs them

	* lib/krb5/convert_creds.c, lib/krb5/krb5-v4compat.h: Split out
	Kerberos 4 help functions/structures so other parts of the source
	tree can use it (like the KDC)