12004-12-30 Love Hörnquist Åstrand <lha@it.su.se> 2 3 * lib/krb5/Makefile.am (CHECK_SYMBOLS): add heim_ and pkcs7_ for 4 now (used in pkinit) 5 62004-12-29 Love Hörnquist Åstrand <lha@it.su.se> 7 8 * lib/hdb/Makefile.am: add CHECK_SYMBOLS 9 10 * lib/hdb/keys.c: make all_etypes static 11 12 * lib/krb5/Makefile.am: add CHECK_SYMBOLS, approve of: -com_err 13 -version krb5_ _krb5_ __heimdal krb524_ krb4_fkt_ops 14 15 * kdc/kerberos5.c: use private version of principalname 16 17 * kdc/kerberos4.c: use private version of principalname 18 19 * kdc/hpropd.c: use private version of principalname 20 21 * kdc/524.c: use private version of principalname 22 23 * lib/krb5/rd_req.c: use private version of principalname 24 25 * lib/krb5/rd_cred.c: use private version of principalname 26 27 * lib/krb5/init_creds_pw.c: use private version of principalname 28 29 * lib/krb5/get_in_tkt.c: use private version of principalname 30 31 * lib/krb5/asn1_glue.c: make principalname functions private 32 33 * lib/krb5/krb5.h: add key usage for server referrals 34 352004-12-29 Love Hörnquist Åstrand <lha@it.su.se> 36 37 * lib/krb5/principal.c: make default_v4_name_convert static 38 39 * lib/krb5/crypto.c: make lots of crypto related variables static 40 41 * lib/krb5/acache.c: make default_acc_name static 42 432004-12-28 Love Hörnquist Åstrand <lha@it.su.se> 44 45 * doc/setup.texi: add some text about samba, use example.com 46 47 * lib/hdb/hdb-ldap.c: Add account expiration for samba from James 48 F. Hranicky <jfh@cise.ufl.edu>. 49 Add LDAP_addmod_integer and use it. 
50 512004-12-27 Love Hörnquist Åstrand <lha@it.su.se> 52 53 * doc/{Makefile.am,setup.texi,win2k.texi}: spelling and text 54 fixes, from Dave Love 55 562004-12-18 Love Hörnquist Åstrand <lha@it.su.se> 57 58 * lib/krb5/heim_threads.h: NetBSD 2.99.11 (any maybe 2.1) just 59 needs pthread.h, threadlib is dead 60 612004-12-17 Love Hörnquist Åstrand <lha@it.su.se> 62 63 * kdc/config.c (configure): check for deprecated 64 enforce-transited-policy is set and fail if it is 65 66 * lib/asn1/asn1_print.c: don't print garabage for octet strings 67 682004-12-13 Love Hörnquist Åstrand <lha@it.su.se> 69 70 * kdc/main.c (main): catch sigpipe, we don't bother select()ing 71 for errors 72 73 * kdc/connect.c (handle_http_tcp): handle error from write(2) 74 75 * doc/setup.texi: clarify credentials refreshing stuff 76 77 * doc/setup.texi: add new node: Providing Kerberos credentials to 78 servers and programs 79 80 * doc/whatis.texi: fix spurious cross-reference makeinfo warning 81 82 * lib/hdb/hdb-ldap.c (pos): uppercase in character 83 842004-12-12 Love Hörnquist Åstrand <lha@it.su.se> 85 86 * lib/hdb/hdb-ldap.c (LDAP__bytes2hex,LDAP__hex2bytes): encode 87 nibbels in the other order 88 89 * lib/hdb/hdb-ldap.c: s/objectclass/objectClass/ check if 90 attribute exists before we try to delete it LDAP__bytes2hex 91 encodes in strange byte order, is this really right ? 92 932004-12-11 Love Hörnquist Åstrand <lha@it.su.se> 94 95 * lib/hdb/hdb-ldap.c (LDAP_firstkey): When iterating over all 96 entries, search for samba accounts too, From: "James F. Hranicky" 97 <jfh@cise.ufl.edu> 98 99 * lib/hdb/hdb-ldap.c (krb5kdcentry_attrs): ask for attribute uid 100 too 101 102 * lib/hdb/hdb-ldap.c (LDAP_message2entry): if the entry is missing 103 both krb5PrincipalName and uid, it must be broken, ignore it and 104 return it doesn't exists. 
105 1062004-12-10 Love Hörnquist Åstrand <lha@it.su.se> 107 108 * kdc/hpropd.8: spelling, from OpenBSD 109 110 * kdc/kdc.8: use keeps for options, From OpenBSD k 111 1122004-12-09 Love Hörnquist Åstrand <lha@it.su.se> 113 114 * doc/setup.texi: document --random-key and the need to do backup 115 of the master key 116 117 * kdc/kstash.8: add --random-key 118 119 * kdc/kstash.c: add --random-key 120 1212004-12-08 Love Hörnquist Åstrand <lha@it.su.se> 122 123 * lib/krb5/verify_krb5_conf.8: spelling, from openbsd 124 125 * lib/krb5/krb5_init_context.3: spelling, from openbsd 126 127 * lib/krb5/krb5.conf.5: spelling, from openbsd 128 129 * kuser/kdestroy.1: use keeps around options, spelling, from 130 openbsd 131 132 * kpasswd/kpasswdd.8: use ., use keeps around options, from OpenBSD 133 134 * kdc/hpropd.8: use keeps around options, from OpenBSD 135 136 * kdc/hprop.8: use keeps around options, from OpenBSD 137 1382004-11-30 Love Hörnquist Åstrand <lha@it.su.se> 139 140 * lib/krb5/context.c (krb5_free_context): clear error string 141 before destroying mutex 142 (krb5_init_context): don't call krb5_free_context before there is a 143 mutex initialized 144 1452004-11-18 Love Hörnquist Åstrand <lha@it.su.se> 146 147 * kuser/kinit.c (get_new_tickets): only complain about ticket 148 renewable lifetime when the user asked for a specific renewable 149 lifetime 150 1512004-11-15 Love Hörnquist Åstrand <lha@it.su.se> 152 153 * kdc/kerberos5.c (find_keys): log what principal is missing 154 enctypes 155 1562004-11-13 Love Hörnquist Åstrand <lha@it.su.se> 157 158 * lib/krb5/get_in_tkt.c (krb5_get_in_cred): clear pointer after 159 freeing data 160 161 * lib/krb5/init_creds_pw.c (change_password): handle old_options 162 being NULL From Guenther Deschner on samba-technical. 
163 1642004-11-12 Love Hörnquist Åstrand <lha@it.su.se> 165 166 * lib/krb5/krb5_get_init_creds.3: add more text describing the 167 krb5_get_init_creds functions 168 1692004-11-11 Love Hörnquist Åstrand <lha@it.su.se> 170 171 * lib/krb5/init_creds_pw.c: make krb5_get_init_creds_keytab work 172 again 173 1742004-11-10 Love Hörnquist Åstrand <lha@it.su.se> 175 176 * lib/hdb/hdb.asn1: use constrained integers 177 1782004-11-09 Love Hörnquist Åstrand <lha@it.su.se> 179 180 * lib/krb5/krb5_get_init_creds.3: add description for opt_init, 181 opt_alloc, opt_free 182 183 * lib/krb5/pkinit.c: unexport krb5_get_init_creds_opt_free_pkinit 184 185 * lib/krb5/init_creds.c: unexport 186 krb5_get_init_creds_opt_free_pkinit 187 188 * lib/krb5/init_creds_pw.c: fold init_init_creds_ctx into 189 get_init_creds_common 190 191 * lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if the in 192 options NULL, just make a clean copy 193 1942004-11-01 Love Hörnquist Åstrand <lha@it.su.se> 195 196 * lib/krb5/sendauth.c (krb5_rd_rep): free ap_rep message earlier 197 so we don't leak it on error 198 1992004-10-31 Love Hörnquist Åstrand <lha@it.su.se> 200 201 * lib/krb5/krb5.conf.5: unbreak 2b entry 202 203 * lib/krb5/acache.c (make_cred_from_ccred): the address isn't a 204 sockaddr but rather a kerberos address, deal with that. Based on 205 bug report from Jakob Schlyter <jakob@rfc.se>. 
206 2072004-10-30 Love Hörnquist Åstrand <lha@it.su.se> 208 209 * kdc/connect.c: Make sure argument passed to ctype isn't signed 210 char 211 2122004-10-14 Love Hörnquist Åstrand <lha@it.su.se> 213 214 * lib/krb5/pkinit.c: match new error names 215 216 * lib/krb5/krb5_err.et: make error messages sane again 217 2182004-10-13 Love Hörnquist Åstrand <lha@it.su.se> 219 220 * lib/krb5/keytab.c: use KRB5_KT_BADNAME 221 222 * lib/krb5/krb5_err.et: sync with mit krb5_err.et (require major 223 version bump) add KRB5_DELTAT_BADFORMAT 224 225 * lib/krb5/krb5.conf.5: time defaults to "s" 226 227 * lib/krb5/time.c (krb5_string_to_deltat): default to "s" again, 228 MIT's behavior was actually that it failed to parse the number 229 (and thus used the default). Even better, ticket_lifetime (that 230 was a consumer supposed a of the interface) was documented but 231 never implemented, when it was implemented, people configuraiton 232 files started to fail. Also, use KRB5_DELTAT_BADFORMAT as a 233 failure code. 234 235 * lib/asn1/k5.asn1: sync enctypes with pkinit branch 236 237 * lib/asn1/parse.y (readd) support negative numbers 238 239 * lib/asn1/lex.l: support hex numbers 240 2412004-10-12 Love Hörnquist Åstrand <lha@it.su.se> 242 243 * kdc/pkinit.c: use ETYPE_DES3_CBC_NONE_CMS 244 245 * lib/krb5/crypto.c: add enctype_des3_cbc_none_cms add cms padding 246 for rc2 don't to padding for blocksize 1 247 248 * lib/hdb/{keys.c,Makefile.am},lib/kadm5/{keys,set_keys}.c: 249 Move keyset parsing and password based keyset generation into hdb. 250 Requested by Andrew Bartlett <abartlet@samba.org> for hdb-ldb 251 backend. 
252 2532004-10-07 Love Hörnquist Åstrand <lha@it.su.se> 254 255 * kuser/kinit.c: adapt to new signature of 256 krb5_get_init_creds_opt_set_pkinit 257 258 * lib/krb5/pkinit.c: free openssl engine deal with 259 RecipientIdentifier -> CMSIdentifier and heim_any -> name change 260 improve error messages 261 262 * kdc/pkinit.c: free openssl engine deal with RecipientIdentifier 263 -> CMSIdentifier and heim_any -> name change 264 2652004-10-04 Johan Danielsson <joda@pdc.kth.se> 266 267 * kuser/klist.c: use rtbl_set_separator 268 2692004-10-03 Love Hörnquist Åstrand <lha@it.su.se> 270 271 * lib/krb5/pkinit.c: filter out dup openssl engine keys, parse 272 user options first 273 274 * lib/krb5/pkinit.c: stop using AlgorithmIdentifierNonOpt, add 275 openssl engine support for private key 276 277 * lib/krb5/crypto.c: support padding as its done in CMS 278 279 * kdc/pkinit.c: improve error logging 280 281 * kdc/pkinit.c: stop using AlgorithmIdentifierNonOpt 282 2832004-09-30 Love Hörnquist Åstrand <lha@it.su.se> 284 285 * lib/krb5/krb5.conf.5: assume minutes for time 286 287 * lib/krb5/config_file.c (krb5_config_vget_time_default): use 288 krb5_string_to_deltat 289 290 * lib/krb5/appdefault.c (krb5_appdefault_time): use 291 krb5_string_to_deltat 292 293 * lib/krb5/time.c (krb5_string_to_deltat): set default unit to 294 minute for compatibility with MIT Kerberos. 295 296 2972004-09-28 Love Hörnquist Åstrand <lha@it.su.se> 298 299 * lib/krb5/get_cred.c (get_cred_kdc_usage): retry using "large 300 message safe" transport if we get back 301 KRB5KRB_ERR_RESPONSE_TOO_BIG error. 
Idea from Guenther Deschner 302 <gd@sernet.de> 303 3042004-09-23 Johan Danielsson <joda@pdc.kth.se> 305 306 * admin/list.c: use rtbl 307 308 * admin/ktutil-commands.in: slc source file 309 310 * lib/krb5/constants.c: check 311 /Library/Preferences/edu.mit.Kerberos on OSX 312 3132004-09-21 Johan Danielsson <joda@pdc.kth.se> 314 315 * lib/krb5/time.c (krb5_format_time): check return value from 316 localtime and strftime 317 3182004-09-14 Johan Danielsson <joda@pdc.kth.se> 319 320 * kuser/kinit.c: make sure we don't always get renewable creds 321 3222004-09-11 Love Hörnquist Åstrand <lha@it.su.se> 323 324 * lib/krb5/acache.c: use krb5_ccapi.h 325 326 * lib/krb5/krb5_ccapi.h: break out krb5 api definitions to 327 separate (not installed) file 328 329 * lib/krb5/Makefile.am: add AM_CPPFLAGS to libkrb5_la_CPPFLAGS 330 since AM_CPPFLAGS overridden by target specific _CPPFLAGS 331 3322004-09-08 Love Hörnquist Åstrand <lha@it.su.se> 333 334 * lib/krb5/pkinit.c: make variable shorter, make error messages 335 from pkinit, make freeing easier 336 3372004-09-06 Love Hörnquist Åstrand <lha@it.su.se> 338 339 * lib/krb5/Makefile.am: link libkrb5 with LIB_dlopen 340 341 * lib/krb5/crypto.c (seed_something): avoid poking at memory that 342 is uninitialized, make valgrind unhappy. Pointd out by 343 abartlet@samba.org. While where, plug the fd leak. 
344 3452004-09-05 Love Hörnquist Åstrand <lha@it.su.se> 346 347 * lib/asn1/der_get.c (decode_*): name all tag-length variables the 348 same 349 (decode_enumerated): check that the tag-length is not longer the length 350 351 * lib/asn1/der_get.c (decode_boolean): fail if length of tag is 352 larger then len 353 3542004-08-31 Love Hörnquist Åstrand <lha@it.su.se> 355 356 * lib/krb5/init_creds_pw.c (krb5_get_init_creds): kdc_reply can be 357 set in case of failure too, free unconditionally on exit to avoid 358 memory leak 359 3602004-08-23 Love Hörnquist Åstrand <lha@it.su.se> 361 362 * lib/krb5/get_cred.c (set_auth_data): set pointer to NULL after 363 free 364 3652004-08-20 Love Hörnquist Åstrand <lha@it.su.se> 366 367 * lib/krb5/context.c (krb5_get_err_text): if neither of com_right 368 nor strerror finds the error-code, return Unknown error. 369 3702004-08-19 Johan Danielsson <joda@pdc.kth.se> 371 372 * lib/krb5/krb5_kuserok.3: update to reality 373 374 * lib/krb5/kuserok.c: if a .k5login file exist, don't give 375 implicit rights to anyone; also check owner/mode of .k5login 376 3772004-08-15 Love Hörnquist Åstrand <lha@it.su.se> 378 379 * lib/krb5/Makefile.am: man_MANS = krb5_getportbyname.3 380 381 * lib/krb5/krb5_getportbyname.3: manpage for krb5_getportbyname 382 383 * lib/krb5/krb5.3: add krb5_getportbyname 384 385 * lib/krb5/krb5.3: krb5_free_salt and krb5_enctype_valid 386 387 * lib/krb5/krb5_encrypt.3: document krb5_enctype_valid 388 3892004-08-13 Love Hörnquist Åstrand <lha@it.su.se> 390 391 * kdc/kerberos5.c (get_pa_etype_info{,2}): check for dup enctypes 392 from the client and filter them out. 
393 394 * lib/krb5/krb5_string_to_key.3: document krb5_free_salt 395 3962004-08-12 Love Hörnquist Åstrand <lha@it.su.se> 397 398 * lib/krb5/krb5_ticket.3: data needs to be freed when using 399 krb5_ticket_get_authorization_data_type 400 4012004-08-11 Love Hörnquist Åstrand <lha@it.su.se> 402 403 * lib/krb5/test_cc.c: test variables in default_cc_name 404 405 * lib/krb5/krb5.conf.5: explain support for varibles in 406 [libdefaults]default_cc_name 407 408 * lib/krb5/cache.c: drop ${time}, its not very useful 409 410 * lib/krb5/cache.c: Add _krb5_expand_default_cc_name that expand 411 variables in the default cc name. Supported variables now are: 412 ${time},${uid} and ${null} 413 414 * lib/krb5/krb5.conf.5: document default_cc_name 415 416 * lib/krb5/cache.c (krb5_cc_set_default_name): 417 s/libdefault/libdefaults/ 418 4192004-08-06 Love Hörnquist Åstrand <lha@it.su.se> 420 421 * lib/krb5/acache.c: replace magic 3 with ccapi_version_3 422 423 * lib/krb5/Makefile.am: libkrb5_la_SOURCES += acache.c 424 425 * lib/krb5/krb5.h: add krb5_acc_ops 426 427 * lib/krb5/acache.c: CCAPI v3 implementation, the read only 428 support was from Magnus Ahltorp and then extended by me to support 429 all other operations. 
Tested with MIT kerberos cc cache 430 implementation on MacOS 10.3.3 431 432 * lib/krb5/cache.c (krb5_cc_set_default_name): allow setting the 433 default cc name, this is not very useful for general purpose glue 434 since its not possible to glue in user information (like uid), but 435 for CCAPI it works just fine 436 4372004-08-05 Love Hörnquist Åstrand <lha@it.su.se> 438 439 * kuser/kgetcred.1: document --cache/-c 440 441 * kuser/kgetcred.c: allow to specify what credential cache to use 442 4432004-08-03 Love Hörnquist Åstrand <lha@it.su.se> 444 445 * lib/krb5/Makefile.am: add krb5_eai_to_heim_errno.3 446 447 * lib/krb5/krb5_eai_to_heim_errno.3: document 448 krb5_eai_to_heim_errno, krb5_h_errno_to_heim_errno 449 450 * lib/krb5/krb5.3: add krb5_eai_to_heim_errno, 451 krb5_h_errno_to_heim_errno 452 4532004-07-26 Love Hörnquist Åstrand <lha@it.su.se> 454 455 * lib/krb5/krb5_expand_hostname.3: krb5_expand_hostname_realms 456 result should be free with krb5_free_host_realm drop 457 krb5_get_host_realm text 458 459 * lib/krb5/krb5_set_default_realm.3: krb5_get_host_realm result 460 should be free with krb5_free_host_realm 461 462 * lib/krb5/krb5_get_in_cred.3: document krb5_free_kdc_rep 463 464 * lib/krb5/krb5_get_init_creds.3: remove dup krb5_get_init_creds 465 466 * lib/krb5/krb5_auth_context.3: sort, add krb5_free_authenticator 467 468 * lib/krb5/Makefile.am: man_MANS += krb5_rd_error 469 470 * lib/krb5/krb5_rd_error.3: krb5_rd_error and friends 471 472 * lib/krb5/krb5_warn.3: clarify on what string 473 krb5_free_error_string should operate on 474 475 * lib/krb5/krb5_get_credentials.3: add krb5_get_kdc_cred 476 477 * lib/krb5/Makefile.am: krb5_get_credentials, 478 krb5_get_forwarded_creds and friends 479 480 * lib/krb5/krb5_get_forwarded_creds.3: krb5_get_forwarded_creds 481 and friends 482 483 * lib/krb5/krb5_get_credentials.3: krb5_get_credentials and 484 friends 485 4862004-07-23 Love Hörnquist Åstrand <lha@it.su.se> 487 488 * kuser/klist.c (print_cred_verbose): 
keytypes are no longer, use 489 enctype 490 4912004-07-22 Love Hörnquist Åstrand <lha@it.su.se> 492 493 * lib/hdb/hdb-ldap.c (LDAP_entry2mods): allow for pre-c99 494 compilers, From metze at samba.org 495 4962004-07-20 Love Hörnquist Åstrand <lha@it.su.se> 497 498 * lib/krb5/test_cc.c: more cc tests 499 500 * lib/krb5/krb5_check_transited.3: document krb5_check_transited 501 5022004-07-19 Love Hörnquist Åstrand <lha@it.su.se> 503 504 * kdc/pkinit.c (pk_principal_from_X509): reverse test, makes 505 principal in cert work From: Mayur Patel <patelm4@rpi.edu> 506 5072004-07-18 Love Hörnquist Åstrand <lha@it.su.se> 508 509 * lib/krb5/Makefile.am: add krb5_verify_init_creds.3 510 511 * lib/krb5/krb5_verify_init_creds.3: add krb5_verify_init_creds 512 5132004-07-15 Love Hörnquist Åstrand <lha@it.su.se> 514 515 * lib/krb5/krb5_set_password.3: spelling from wiz@netbsd.org 516 description for krb5_passwd_result_to_string 517 5182004-07-14 Love Hörnquist Åstrand <lha@it.su.se> 519 520 * lib/krb5/krb5_set_password.3: Remove superfluous comma; grammar 521 fixes; split sentence in two for better understanding. From 522 wiz@NetBSD.org. Describe krb5_set_password_using_ccache while here. 523 524 * lib/krb5/krb5_set_password.3: nroff and spelling, from Jonathan 525 Stone <jonathan@dsg.stanford.edu> 526 527 * lib/krb5/changepw.c (process_reply): cast ssize_t to long and 528 print that From NetBSD via Havard Eidnes. 
529 5302004-07-09 Love Hörnquist Åstrand <lha@it.su.se> 531 532 * configure.in: fix helpstring for hdb-openldap-module 533 534 * lib/krb5/test_cc.c: don't use krb5_err on error code 0 535 5362004-07-08 Love Hörnquist Åstrand <lha@it.su.se> 537 538 * lib/hdb/hdb-ldap.c (LDAP_seq): try handling errors better 539 5402004-07-02 Love Hörnquist Åstrand <lha@it.su.se> 541 542 * lib/krb5/get_in_tkt.c (set_ptypes): make ptypes const 543 5442004-07-01 Love Hörnquist Åstrand <lha@it.su.se> 545 546 * lib/hdb/hdb-ldap.c (LDAP__connect): call ldap_initialize with 547 right argument 548 5492004-06-27 Johan Danielsson <joda@pdc.kth.se> 550 551 * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): if the 552 krbtgt is without addresses, default to not sending our own 553 addrport 554 555 * lib/asn1/lex.l: add support for /* */ and partial line -- 556 comments 557 558 * kuser/Makefile.am: don't install copy_cred_cache manpage 559 5602004-06-24 Johan Danielsson <joda@pdc.kth.se> 561 562 * lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if 563 copying a static opt, make sure to allocate the "private" field 564 5652004-06-24 Love <lha@stacken.kth.se> 566 567 * kdc/config.c: add enable_pkinit_princ_in_cert 568 569 * kdc/kdc_locl.h: enable_pkinit_princ_in_cert 570 571 * kdc/pkinit.c: Check certificate for Kerberos Principal in 572 OtherName of subjectAltName Based on patch from Mayur Patel 573 <patelm4@rpi.edu> 574 5752004-06-21 Love Hörnquist Åstrand <lha@it.su.se> 576 577 * lib/krb5/get_cred.c (init_tgs_req): if subkey not avaible, use 578 session key for authorization-data 579 5802004-06-15 Love Hörnquist Åstrand <lha@it.su.se> 581 582 * kdc/connect.c (handle_tcp): note who is what that closed the 583 connection on us 584 5852004-06-09 Love Hörnquist Åstrand <lha@it.su.se> 586 587 * admin/get.c (kt_get): catch errors from krb5_parse_name 588 5892004-06-05 Love Hörnquist Åstrand <lha@it.su.se> 590 591 * lib/hdb/hdb-ldap.c: if its the entry just contains the 592 structural 
object (no samba nor heimdal object), add an aux 593 heimdal object on to it. 594 5952004-06-02 Love Hörnquist Åstrand <lha@it.su.se> 596 597 * kpasswd/kpasswd.c: use krb5_set_password_using_ccache 598 599 * lib/krb5/krb5_set_password.3: add krb5_set_password_using_ccache 600 601 * lib/krb5/changepw.c: implement krb5_set_password_using_ccache 602 603 * lib/hdb/hdb-ldap.c: Allow the objectClass to be 604 "sambaSamAccount" or structural_object when searching for uid 605 entries. 606 607 * lib/krb5/krb5.conf.5: document [kdc]hdb-ldap-create-base 608 609 * lib/hdb/hdb-ldap.c: add creation base that defaults to the 610 search base 611 612 * lib/hdb/hdb-ldap.c: indent like the rest of the code 613 6142004-06-01 Love Hörnquist Åstrand <lha@it.su.se> 615 616 * lib/hdb/hdb-ldap.c: check return values from ldap operations and 617 close it we get back LDAP_SERVER_DOWN. stupid ldap client lib, you 618 should retry by yourself. 619 620 * lib/hdb/hdb-ldap.c: require search base to be configured, create 621 local context structure 622 6232004-05-31 Love Hörnquist Åstrand <lha@it.su.se> 624 625 * doc/setup.texi: more ldap text, partly from Tarjei Huse 626 <tarjei@nu.no> 627 6282004-05-28 Love Hörnquist Åstrand <lha@it.su.se> 629 630 * lib/hdb/hdb-ldap.c: clean, indent 631 632 * lib/hdb/hdb-ldap.c (LDAP_entry2mods): make sure 633 krb5KeyVersionNumber is added on new entires 634 6352004-05-27 Love Hörnquist Åstrand <lha@it.su.se> 636 637 * doc/setup.texi: minor fixes, partly from Tarjei Huse 638 <tarjei@nu.no> 639 640 * lib/krb5/krb5.conf.5: some text about dbname and realm 641 642 * lib/krb5/krb5.conf.5: default value for 643 hdb-ldap-structural-object is account 644 6452004-05-26 Love Hörnquist Åstrand <lha@it.su.se> 646 647 * tools/Makefile.am: use ! 
instead of , as sed delimiter 648 6492004-05-25 Love Hörnquist Åstrand <lha@it.su.se> 650 651 * lib/krb5/*.c: add KRB5_LIB_FUNCTION to all exported functions 652 6532004-05-23 Love Hörnquist Åstrand <lha@it.su.se> 654 655 * lib/hdb/hdb-ldap.c: make samba_forwardable a krb5_boolean 656 657 * lib/hdb/hdb-ldap.c: make samba forwarding a runtime configure 658 option 659 660 * lib/hdb/hdb-ldap.c (LDAP_message2entry): fix [] test From: 661 Andrew Bartlett <abartlet@samba.org> 662 663 * lib/hdb/hdb-ldap.c (LDAP_message2entry): remove bogus length 664 check From: Andrew Bartlett <abartlet@samba.org> 665 666 * lib/hdb/hdb-ldap.c (LDAP_message2entry): in the sambaNTPassword 667 case, make sure ent->etypes are allocated, From: Andrew Bartlett 668 <abartlet@samba.org> 669 6702004-05-14 Love Hörnquist Åstrand <lha@it.su.se> 671 672 * kuser/kinit.c: move "setpag if (argc < 1)" to common path 673 6742004-05-12 Love Hörnquist Åstrand <lha@it.su.se> 675 676 * lib/krb5/verify_krb5_conf.c: pacify pre c99 compilers 677 678 * fix-export: use right argument for -E 679 6802004-05-06 Johan Danielsson <joda@pdc.kth.se> 681 682 * kuser/kinit.c: print some diagnostics if the exec fails 683 6842004-04-29 Love Hörnquist Åstrand <lha@it.su.se> 685 686 * lib/krb5/pkinit.c (pk_rd_pa_reply_dh): use krb5_random_to_key 687 From: Luke Howard <lukeh@padl.com> 688 689 * lib/krb5/rd_req.c (krb5_verify_ap_req2): clear the whole ticket, 690 not just a pointer size of it From: Luke Howard <lukeh@padl.com> 691 6922004-04-28 Love Hörnquist Åstrand <lha@it.su.se> 693 694 * fix-export: add -E flag where needed to make-proto 695 6962004-04-26 Love Hörnquist Åstrand <lha@it.su.se> 697 698 * lib/krb5/crypto.c: add set_param for RC2 699 700 * lib/krb5/pkinit.c: use krb5_oid_to_enctype and remove all oids 701 that are no longer needed 702 703 * kdc/pkinit.c: use krb5_enctype_to_oid 704 705 * lib/krb5/crypto.c (krb5_oid_to_enctype): make sure oid exists 706 before we compare with it 707 708 * lib/krb5/crypto.c 
(krb5_crypto_get_params): check ivec length 709 before returning it add aes-oids 710 711 * lib/krb5/crypto.c: add krb5_enctype_to_oid and 712 krb5_oid_to_enctype 713 714 * kdc/pkinit.c: use krb5_crypto_set_params 715 716 * lib/krb5/crypto.c: add krb5_crypto_set_params, add aes-NNN-cbc-none 717 718 * lib/krb5/krb5.h: add KEYTYPE_AES192 719 720 * lib/krb5/pkinit.c: use krb5_crypto_get_params to implement 721 kcrypto RC2 support 722 723 * lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype 724 rc2-cbc XXX RC2CBCParameter is wrong because the compiler is 725 broken 726 727 * lib/krb5/krb5.h: add KEYTYPE_RC2 728 729 * lib/krb5/crypto.c: add partial CMS parameter handling, this is 730 needed for RC2 731 732 * lib/asn1/der_cmp.c: add heim_oid_cmp and heim_octet_string_cmp 733 734 * lib/asn1/Makefile.am (libasn1_la_SOURCES) += der_cmp.c 735 736 * lib/asn1/der.h: add heim_oid_cmp and heim_octet_string_cmp 737 738 * lib/asn1/k5.asn1: add ETYPE_AESNNN_CBC_NONE 739 740 * lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype 741 rc2-cbc, XXX RC2CBCParameter is wrong because the compiler is broken 742 7432004-04-26 Johan Danielsson <joda@pdc.kth.se> 744 745 * lib/krb5/config_file.c: allow parsing directly from strings with 746 krb5_config_parse_string_multi 747 748 * lib/krb5/verify_krb5_conf.c: try to resolve hostnames 749 7502004-04-25 Johan Danielsson <joda@pdc.kth.se> 751 752 * lib/krb5/store_fd.c (krb5_storage_from_fd): dup the file 753 descriptor so we don't have to keep track of it in two places 754 755 * kuser/copy_cred_cache.c: krb5_cc_copy_cache_match now lives in 756 libkrb5 757 758 * lib/krb5/krb5_{,compare_}creds.3: move krb5_compare_creds to its 759 own manpage 760 761 * replace krb5_free_creds_contents by krb5_free_cred_contents 762 763 * lib/krb5/cache.c: add krb5_cc_next_cred_match() and 764 krb5_cc_copy_cred_match() 765 766 * lib/krb5/creds.c (krb5_compare_creds): add more matching options 767 768 * lib/krb5/krb5.h: add more creds match 
flags 769 770 * kuser/copy_cred_cache: add --valid-for option 771 772 * lib/krb5/store.c (krb5_store_creds): set is_skey flag if length 773 of second ticket is > 0 774 7752004-04-25 Love Hörnquist Åstrand <lha@it.su.se> 776 777 * lib/krb5/pkinit.c: use the right oid for pkauthdata 778 779 * lib/krb5/pkinit.c: always send both win2k compat version and the 780 ietf draft one, this is possible since microsoft use 781 wrong/diffrent PA number. Make the configuration flag boolean 782 configuring if NOT to send the win2k compat glue. 783 784 * lib/krb5/krb5_encrypt.3: document krb5_{de,en}crypt_ivec 785 786 * kuser/copy_cred_cache.1: pacify mdoclint 787 788 * kdc/pkinit.c: use IV for envelopeddata encryption, patch 789 originally from Luke Howard <lukeh@padl.com>, tweeked by me. 790 791 * lib/krb5/krb5_storage.3: document 792 KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER 793 794 * lib/krb5/krb5_data.3: document that krb5_data_free cleans the 795 structure too 796 797 * lib/krb5/pkinit.c: use IV for envelopeddata encryption, patch 798 originally from Luke Howard <lukeh@padl.com>, tweeked by me. 799 8002004-04-24 Johan Danielsson <joda@pdc.kth.se> 801 802 * kuser/copy_cred_cache.{c,1}: add cred cache copy tool 803 804 * configure.in: use rk_SYS_LARGEFILE 805 806 * lib/krb5/{krb5.h,store.c,fcache.c}: Fix the cache flags bitorder 807 issue with a storage flag instead of a separate function. 
808 8092004-04-24 Love Hörnquist Åstrand <lha@it.su.se> 810 811 * lib/krb5/pkinit.c: move out the oid check from get_reply_key 812 813 * lib/krb5/pkinit.c: uniquify error messages 814 815 * lib/krb5/init_creds_pw.c: make the pkinit nonce same os the 816 plain nonce for now 817 818 * lib/krb5/pkinit.c: more w2k compat from Luke Howard 819 <lukeh@padl.com> add RC2 support, clean up error messages 820 821 * lib/krb5/pkinit.c: remove more dependency on 822 krb5_config->pkinit_flags 823 824 * lib/krb5/pkinit.c (_krb5_pk_convert_rep): convert microsoft 825 style answer to IETF, From Luke Howard <lukeh@padl.com> 826 (_krb5_pk_create_sign): ms handles NULL in param, so always send it 827 (_krb5_pk_mk_padata): look for [realms]REALM = { win2k_pkinit = bool } 828 829 * lib/krb5/pkinit.c (_krb5_pk_create_sign): always set the 830 digestAlgorithm to sha1 (both for SignerInfo and SignedData, add 831 new function _set_digest_alg to set it 832 8332004-04-23 Love Hörnquist Åstrand <lha@it.su.se> 834 835 * include/make_crypto.c: include rc2.h, and when I'm here, make 836 aes mandatory 837 838 * lib/krb5/krb5.h: add ENCTYPE_ARCFOUR_HMAC as compat glue for MIT 839 kerberos 840 841 * lib/krb5/crypto.c (krb5_crypto_init): clear return pointer on 842 failure 843 844 * lib/krb5/crypto.c (DES3_random_to_key): make it produce the 845 right result 846 (DES3_postproc): use DES3_random_to_key 847 (krb5_random_to_key): check the required number of bits (not the size 848 of the key) 849 850 * lib/krb5/aes-test.c: test random to key function 851 852 * lib/krb5/string-to-key-test.c: comment out the "@"/"" test for 853 now 854 8552004-04-22 Love Hörnquist Åstrand <lha@it.su.se> 856 857 * lib/krb5/krb5_string_to_key.3: document that 858 krb5_string_to_key_derived is broken for non 3des enctypes and 859 thus deprecated 860 861 * kdc/pkinit.c (generate_dh_keyblock): use the new function 862 krb5_random_to_key 863 864 * lib/krb5/crypto.c: add des and DES3 random_to_key hooks, they 865 need special 
processing 866 867 * lib/krb5/crypto.c (krb5_random_to_key): new function 868 869 * lib/krb5/krb5_keyblock.3: document krb5_random_to_key 870 8712004-04-21 Love Hörnquist Åstrand <lha@it.su.se> 872 873 * kdc/pkinit.c: use the first proposed enable enctype 874 875 * lib/krb5/context.c (krb5_set_default_in_tkt_etypes): use the 876 return from krb5_enctype_valid 877 878 * kdc/pkinit.c: at least try to handle diffrent enveloped enctypes 879 8802004-04-21 Love Hörnquist Åstrand <lha@it.su.se> 881 882 * lib/asn1/der_get.c: 1.28.2.16: (der_get_oid): handle all oid 883 components being smaller then 127 and allocate one extra element 884 since first byte is split to to elements. 885 8862004-04-20 Love Hörnquist Åstrand <lha@it.su.se> 887 888 * lib/asn1/k5.asn1: ETYPE_DIGEST_MD5_NONE, ETYPE_CRAM_MD5_NONE: 889 private use, lukeh@padl.com 890 8912004-04-19 Love Hörnquist Åstrand <lha@it.su.se> 892 893 * lib/krb5/pkinit.c (build_auth_pack): use heim_integer to encode 894 DH public key 895 8962004-04-18 Love Hörnquist Åstrand <lha@it.su.se> 897 898 * lib/krb5/krb5_init_context.3: add krb5_context to so its added 899 as manpage-link too 900 9012004-04-17 Love Hörnquist Åstrand <lha@it.su.se> 902 903 * lib/krb5/fcache.c (fcc_remove_cred): simplistic implementation, 904 XXX add locking 905 906 * kuser/kdestroy.c: add --credential argument that just remove one 907 credential entry out of the cache specified 908 909 * kdc/pkinit.c: replace the krb5.conf configuration option that 910 describes the mapping between principals and subject names with a 911 file, default /var/heimdal/pki-mapping. XXX this should be pushed 912 into HDB. 
XXX should add issuer too 913 914 * kdc/config.c: merge certificate/private_key to a user_id 915 9162004-04-16 Love Hörnquist Åstrand <lha@it.su.se> 917 918 * kdc/kdc_locl.h: update prototype for pk_initialize 919 920 * kuser/kinit.c: merge certificate/private_key to a user_id 921 922 * kdc/pkinit.c: adapt to heim_integer changes 923 924 * lib/krb5/pkinit.c: merge certificate/private_key to a user_id 925 926 * kdc/pkinit.c: adapt to heim_integer changes, 927 merge certificate/private_key to a user_id 928 9292004-04-15 Love Hörnquist Åstrand <lha@it.su.se> 930 931 * lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_WIN free X509_STORE 932 9332004-04-13 Love Hörnquist Åstrand <lha@it.su.se> 934 935 * lib/krb5/Makefile.am: define BUILD_KRB5_LIB when building 936 libkrb5.la, add KRB5_LIB_FUNCTION proto 937 938 * lib/krb5/add_et_list.c: add KRB5_LIB_FUNCTION 939 940 * configure.in: export KRB5_LIB_FUNCTION when building with 941 BUILD_KRB5_LIB 942 943 * lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): add 944 error strings 945 946 * lib/krb5/prompter_posix.c (krb5_prompter_posix): if some thing 947 is printed on stderr, fflush it 948 949 * lib/krb5/krb5_keyblock.3: free functions also zeros out the key 950 951 * lib/krb5/krb5_get_init_creds.3: some text about 952 krb5_prompter_posix 953 954 * lib/krb5/krb5.conf.5: document hdb-ldap-structural-object 955 956 * lib/krb5/cache.c: add krb5_cc_get_prefix_ops 957 958 * lib/krb5/krb5_ccache.3: add krb5_cc_get_prefix_ops 959 9602004-04-05 Love Hörnquist Åstrand <lha@it.su.se> 961 962 * appl/test/http_client.c: support GSS_C_DELEG_FLAG and 963 GSS_C_MUTUAL_FLAG 964 965 * appl/test/http_client.c: verbose logging 966 9672004-04-02 Love Hörnquist Åstrand <lha@it.su.se> 968 969 * kdc/connect.c: case size_t to unsigned long for LP64 platforms 970 9712004-04-01 Love Hörnquist Åstrand <lha@it.su.se> 972 973 * lib/hdb/hdb-ldap.c (hdb_ldap_create): allow configuration of 974 default structural object 975 976 * tools/Makefile.am: 
	handle sed expression breaking

2004-03-31 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krbhst.c: also lookup _kpasswd._tcp SRV-rr

	* lib/krb5/changepw.c: add tcp support to the set protocol, should
	be cleaned up to enable sharing code with krb5_sendto

	* kpasswd/kpasswd.c (change_password): remove extra free

	* lib/krb5/krb5_acl_match_file.3: try to pacify mdoc macros on
	osf/1

2004-03-30 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/init_creds_pw.c (pa_data_add_pac_request): don't
	increase md->len, krb5_padata_add already does that

	* lib/krb5/init_creds.c: its PAC not PAQ

	* kuser/kinit.c: its PAC not PAQ

	* kdc/kerberos4.c: stop the client from renewing tickets into the
	future From: Jeffrey Hutzelman <jhutz@cmu.edu>

2004-03-29 Love Hörnquist Åstrand <lha@it.su.se>

	* configure.in: try to handle sys/strtty.h needing sys/stream.h

2004-03-23 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/send_to_kdc.c: remove function krb5_sendto_kdc2, its no
	longer used

	* kdc/kerberos5.c: s/krb5_get_host_realm_int/_&/

	* lib/krb5/get_host_realm.c: unexport krb5_get_host_realm_int to
	external users by prefixing it with _

	* lib/krb5/get_cred.c: s/krb5_mk_req_internal/_&/

	* lib/krb5/mk_req_ext.c: unexport krb5_mk_req_internal to external
	users by prefixing it with _

2004-03-22 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/pkinit.c: add missing }

2004-03-21 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/pkinit.c: adapt to change of signature of
	_krb5_pk_load_openssl_id

	* lib/krb5/pkinit.c: (krb5_get_init_creds_opt_set_pkinit): add
	prompter argument and use it

	* kuser/kinit.c: adapt to signature change of
	krb5_get_init_creds_opt_set_pkinit

	* lib/krb5/krb5.3: add more stuff, 105 functions to go

	* lib/krb5/krb5_rcache.3: add krb5_get_server_rcache

	* lib/krb5/krb5_rcache.3: framework for replay cache manpage

	* lib/krb5/krb5_string_to_key.3: document string to key functions

	* lib/krb5/Makefile.am: man_MANS += krb5_expand_hostname.3
	krb5_find_padata.3 krb5_generate_random_block.3

	* lib/krb5/krb5_encrypt.3: document krb5_get_wrapped_length

	* lib/krb5/krb5.3: add some more, 137 to go

	* lib/krb5/krb5_principal.3: document krb5_get_default_principal

	* lib/krb5/krb5_keyblock.3: document krb5_generate_subkey

	* lib/krb5/krb5_generate_random_block.3: document
	krb5_generate_random_block

	* lib/krb5/krb5_find_padata.3: document padata functions

	* lib/krb5/krb5.3: add some more, 142 to go

	* lib/krb5/krb5_creds.3: drop .Pp before .Sh

	* lib/krb5/krb5_set_default_realm.3: document krb5_copy_host_realm

	* lib/krb5/krb5_expand_hostname.3: document krb5_expand_hostname
	and krb5_expand_hostname_realms

	* lib/krb5/krb5.3: add more functions, 147 to go

	* lib/krb5/krb5_creds.3: document krb5_creds

	* lib/krb5/krb5_get_init_creds.3: add more functions, some more
	text

	* lib/krb5/krb5_ticket.3: document
	krb5_ticket_get_authorization_data_type

2004-03-20 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/aes-test.c: remove #if 0'ed code

	* lib/krb5/krb5.3: add keyblock functions, 177 functions to go

	* lib/krb5/krb5_verify_user.3: add krb5_verify_opt_set_ccache

	* lib/krb5/krb5_encrypt.3: document krb5_decrypt_ticket

	* lib/krb5/krb5_config.3: document krb5_config_free_strings and
	krb5_config_file_free

	* lib/krb5/krb5_create_checksum.3: add krb5_hmac

	* lib/krb5/krb5.3: add keyblock functions, 190 functions to go

	* lib/krb5/krb5_keyblock.3: update .Dd

	* lib/krb5/krb5_keyblock.3: document
	krb5_copy_keyblock and
	krb5_generate_random_keyblock

	* lib/krb5/krb5_init_context.3: add krb5_init_ets

	* lib/krb5/krb5_config.3: add more krb5_config_ functions and
	prototypes

	* lib/krb5/krb5_init_context.3: document context modification
	functions: address list, config file, use admin kdc, fcc version

	* lib/krb5/krb5_storage.3: document krb5_storage and related
	functions

	* lib/krb5/Makefile.am: add acl and krb524_convert_creds_kdc
	manpages and test_acl test program

	* lib/krb5/krb5.3: add error string functions and sort

	* lib/krb5/krb5_warn.3: document krb5_abort and error string
	functions

	* lib/krb5/krb5.3: add missing functions, only 285 left to
	document

	* lib/krb5/krb5_crypto_init.3: remove various enctype related
	function

	* lib/krb5/krb5_encrypt.3: add various enctype related function
	here

	* lib/krb5/krb5_create_checksum.3: add krb5_cksumtype_valid
	krb5_cksumtype_valid

	* lib/krb5/crypto.c: real return values for
	krb5_{enctype,cksumtype}_valid

	* lib/krb5/krb5_create_checksum.3: add some functions and
	descriptions

	* lib/krb5/krb5_c_make_checksum.3: move out non krb5_c functions

	* lib/krb5/krb5_auth_context.3: document
	krb5_auth_con_generatelocalsubkey

	* lib/krb5/krb5_krbhst_init.3: document krb5_krbhst_init_flags

	* lib/krb5/krb5_keytab.3: document krb5_kt_default_modify_name

	* lib/krb5/krb5_init_context.3: document krb5_add_et_list

	* lib/krb5/krb524_convert_creds_kdc.3: document
	krb524_convert_creds_kdc, krb524_convert_creds_kdc_ccache

	* lib/krb5/krb5_acl_match_file.3: document krb5_acl_match_*

	* lib/krb5/test_acl.c: test for generic acl code

	* lib/krb5/acl.c: plug memory leak on file matching,
	make it not fall over when no non matching acl,
	make fnmatch matching useful
	by switching arguments

2004-03-19 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/config.c: add --builtin-hdb command

	* lib/hdb/hdb.c (hdb_list_builtin): return a list of builtin
	backends

	* doc/setup.texi: include Luke Howard of PADL.COM ldap hdb
	documentation

	* doc/win2k.texi: fix bugs in examples, add more restrictions, use
	example.com as an example. From: Pavel Ferdan
	<xferdan@informatics.muni.cz>

2004-03-18 Johan Danielsson <joda@pdc.kth.se>

	* lib/krb5/krb5.conf.5: add a bunch of Li and document [kadmin]
	password_lifetime; from Henry B. Hotz

2004-03-14 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/mk_rep.c (krb5_mk_rep): if KRB5_AUTH_CONTEXT_USE_SUBKEY
	is set send subkey
	(generate if needed)

	* lib/krb5/krb5.h: add KRB5_AUTH_CONTEXT_USE_SUBKEY

2004-03-14 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/hdb-ldap.c: clean up error handling, plug memory leaks,
	and free memory in error path, assume realloc(NULL, ...)
	works,
	factor out common code, indent

2004-03-12 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/verify_krb5_conf.c: understand [password_quality]
	spelling

	* kuser/kgetcred.1: document --canonicalize

	* kuser/kgetcred.c: add --canonicalize

2004-03-10 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/fcache.c (fcc_store_cred): NULL terminate
	krb5_config_get_bool_default' arglist

2004-03-09 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/kerberos5.c: add missing req argument to pk_mk_pa_reply

	* kdc/pkinit.c (pk_mk_pa_reply): add hdb_entry

	* kdc/pkinit.c: pass client hdb_entry to pk_check_client

	* kdc/kdc_locl.h: pass client hdb_entry to pk_check_client

	* kuser/kinit.c: rename ca_dir to pkinit/x509_anchors since its
	more like that language in RFC3280

	* lib/krb5/pkinit.c: rename ca_dir to pkinit/x509_anchors since
	its more like that language in RFC3280

	* lib/krb5/krb5.conf.5: document
	[libdefaults]fcc-mit-ticketflags=boolean

	* lib/krb5/fcache.c (fcc_store_cred): use
	[libdefaults]fcc-mit-ticketflags=boolean to decide what format to
	write the fcc in.
	Default to mit version (aka heimdal 0.7)

	* lib/krb5/store.c: add _krb5_store_creds_heimdal_0_7 and
	_krb5_store_creds_heimdal_pre_0_7 that store the creds in just
	that format make krb5_store_creds default to mit format

	* lib/krb5/store.c (krb5_ret_creds): Runtime detect the what is
	the higher bits of the bitfield

2004-03-08 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/store.c (krb5_store_creds): add disabled code that
	store the ticket flags in reverse order
	(bitswap32): new function

	* lib/krb5/store.c (krb5_ret_creds): if the higher ticket flags
	are set, its a mit cache, reverse the bits, bug pointed out by
	Sergio Gelato <Sergio.Gelato@astro.su.se>

2004-03-07 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/hdb-ldap.c: use macro for HDB * -> LDAP *

	* kuser/kinit.c: when running kinit with a subprocess, fetch new
	tickets after half the tickets lifetime

	* lib/hdb/hdb.c: spelling

	* lib/hdb/hdb-ldap.c: Integrate Heimdal's hdb-ldap and the Samba
	password database.
	From: Andrew Bartlett <abartlet@samba.org>

	* kdc/config.c: add --disable-DES

	* kdc/kdc.8: document --detach and --disable-DES

	* kdc/kerberos5.c: check if enctype is disabled before using it

	* lib/krb5/crypto.c: add support for disabling checksum/encryption
	types

	* tools/kdc-log-analyze.pl: add more cases

	* kdc/connect.c: on strange tcp error; log local port number and
	socket type

	* lib/asn1/der.h: fix prototype of encode_utf8string

	* lib/asn1/gen.c: catch CHOICE and generate dummy placeholder

	* lib/asn1/lex.l: added dummy parsing of CHOICE

	* lib/asn1/parse.y: added dummy parsing of CHOICE

	* lib/asn1/k5.asn1: drop SMTP_NAME

2004-03-06 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/Makefile.am: support building ldap backend as module
	sort asn1 hdb files

	* lib/hdb/hdb.c: when building ldap as a shared module, don't
	include it in the list

	* configure.in: add --enable-hdb-openldap-module

	* lib/hdb/hdb-ldap.c: make ldap possible to build as a shared
	module

	* lib/hdb/mkey.c: add hdb_{,un}seal_key{,_mkey} from Andrew
	Bartlett <abartlet@samba.org>

	* lib/krb5/crypto.c (decrypt_internal_special): do not modify
	the original data test case from Ronnie Sahlberg
	<ronnie_sahlberg@ozemail.com.au>

2004-03-03 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/test_cc.c: more cc tests, mostly related to mcc
	behavior

	* lib/krb5/mcache.c (mcc_get_principal): also check for
	primary_principal == NULL now that that isn't used as dead flag

	* lib/krb5/mcache.c: don't overload the primary_principal == NULL
	as dead since that doesn't always work.
	Based on patch from
	Jeffrey Hutzelman <jhutz@cmu.edu>, tweaked by me

2004-02-22 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp

	* lib/krb5/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp

	* lib/hdb/db3.c: fix all db >= 4.1 cases

	* doc/setup.texi: add text about hostname to realm mapping using
	DNS

2004-02-20 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/pkinit.c: update error codes

	* lib/krb5/krb5_err.et: prefix pkinit error codes with KRB5_

	* lib/krb5/pkinit.c: update error codes

2004-02-19 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/pkinit.c: indent, use krb5_abortx() instead of abort()

	* lib/krb5/init_creds_pw.c (process_pa_data_to_key): spelling

	* lib/krb5/store.c: handle memory allocate errors

	* lib/krb5/fcache.c (_krb5_xlock): handle that everything was ok,
	and don't put an error in the error strings then

2004-02-13 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/pkinit.c: s/heim_big_integer/heim_integer/

	* lib/krb5/pkinit.c: s/heim_big_integer/heim_integer/

	* kdc/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT errors

	* lib/krb5/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT
	errors

	* lib/krb5/heim_err.et: add HEIM_PKINIT specific errors

2004-02-12 Love Hörnquist Åstrand <lha@it.su.se>

	* configure.in: rename AC_WFLAGS to rk_WFLAGS

	* acinclude.m4: use m4_define, over-quote string

2004-02-11 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/init_creds_pw.c (change_password): handle that
	printf("%.*s", 0, (void*)NULL); doesn't work on solaris

2004-02-10 Love Hörnquist Åstrand <lha@it.su.se>

	* kpasswd/kpasswd.c (change_password): handle that printf("%.*s",
	0, (void*)NULL); doesn't work on solaris

	* lib/krb5/krb5.conf.5: don't use path's in first .Nm, it confuses
	some locate.updatedb, use FILES section to describe where the file
	is instead.

2004-02-07 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/asn1/check-der.c: test for "der_length.c: Fix len_unsigned
	for certain negative integers, it got the length wrong" , from
	Panasas, Inc.

	* lib/asn1/der_length.c: Fix len_unsigned for certain negative
	integers, it got the length wrong, fix from Panasas, Inc.

	rename len_int and len_unsigned to _heim_\&

	* lib/asn1/der_locl.h: add _heim_len_unsigned, _heim_len_int

2004-02-06 Dave Love <d.love@dl.ac.uk>

	* configure.in: Check for sys/socket.h, net/if.h. Modify term.h,
	security/pam_appl.h tests.

2004-02-03 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/asn1/check-gen.c: test for: (length_type): TSequenceOf: add
	up the size of all the elements, don't use just the size of the
	last element.

	* lib/krb5/aes-test.c: add "next iv" test for aes128, check
	decryption case too

	* lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of
	the next to last block, fix decryption case too

	* lib/krb5/aes-test.c: add "next iv" test for aes128

	* lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of
	the next to last block

	* lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode
	error

	* lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode
	error

	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): abort on internal asn1
	encode error

	* lib/krb5/mk_priv.c (krb5_mk_priv): abort on internal asn1 encode
	error

	* lib/krb5/get_cred.c (make_pa_tgs_req): abort on internal asn1
	encode error

	* lib/krb5/build_auth.c (krb5_build_authenticator): abort on
	internal asn1 encode error

	* lib/krb5/build_ap_req.c (krb5_build_ap_req): abort on internal
	asn1 encode error

2004-01-30 Love Hörnquist Åstrand <lha@it.su.se>

	* doc/setup.texi: some text about order of [capaths] realms

2004-01-25 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/context.c: register WRFILE ops

	* lib/krb5/keytab_file.c: add krb5_wrfkt_ops/WRFILE (same as FILE)

	* lib/krb5/krb5.h: add krb5_wrfkt_ops

	* kpasswd/kpasswdd.c (change): use the right password when
	changing the password

2004-01-21 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/fcache.c (_krb5_xlock): catch EINVAL and assume that it
	means that the filesystem doesn't support locking

	* lib/krb5/keytab.c: remove #if 0 out file locking code

2004-01-19 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/asn1/gen_length.c (length_type): TSequenceOf: add up the
	size of all the elements, don't use just the size of the last
	element.

2004-01-13 Love Hörnquist Åstrand <lha@it.su.se>

	* kuser/kinit.c (renew_validate): if renewable_flag and not time
	specified, use "1 month"

2004-01-08 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5_keyblock.3: add prototypes, describe
	krb5_keyblock_zero

2004-01-05 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/get_for_creds.c (add_addrs): don't add same address
	multiple times

	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): try to
	handle errors better for previous commit

	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): If tickets
	are address-less, forward address-less tickets.

	* lib/krb5/get_cred.c: rename get_krbtgt to _krb5_get_krbtgt and
	export it