xref: /freebsd/crypto/heimdal/ChangeLog.2004 (revision 8ddb146abcdf061be9f2c0db7e391697dafad85c)
12004-12-30  Love Hörnquist Åstrand  <lha@it.su.se>
2
3	* lib/krb5/Makefile.am (CHECK_SYMBOLS): add heim_ and pkcs7_ for
4	now (used in pkinit)
5
62004-12-29  Love Hörnquist Åstrand  <lha@it.su.se>
7
8	* lib/hdb/Makefile.am: add CHECK_SYMBOLS
9
10	* lib/hdb/keys.c: make all_etypes static
11
12	* lib/krb5/Makefile.am: add CHECK_SYMBOLS, approve of: -com_err
13	-version krb5_ _krb5_ __heimdal krb524_ krb4_fkt_ops
14
15	* kdc/kerberos5.c: use private version of principalname
16
17	* kdc/kerberos4.c: use private version of principalname
18
19	* kdc/hpropd.c: use private version of principalname
20
21	* kdc/524.c: use private version of principalname
22
23	* lib/krb5/rd_req.c: use private version of principalname
24
25	* lib/krb5/rd_cred.c: use private version of principalname
26
27	* lib/krb5/init_creds_pw.c: use private version of principalname
28
29	* lib/krb5/get_in_tkt.c: use private version of principalname
30
31	* lib/krb5/asn1_glue.c: make principalname functions private
32
33	* lib/krb5/krb5.h: add key usage for server referrals
34
352004-12-29  Love Hörnquist Åstrand  <lha@it.su.se>
36
37	* lib/krb5/principal.c: make default_v4_name_convert static
38
39	* lib/krb5/crypto.c: make lots of crypto related variables static
40
41	* lib/krb5/acache.c: make default_acc_name static
42
432004-12-28  Love Hörnquist Åstrand  <lha@it.su.se>
44
45	* doc/setup.texi: add some text about samba, use example.com
46
47	* lib/hdb/hdb-ldap.c: Add account expiration for samba from James
48	F.  Hranicky <jfh@cise.ufl.edu>.
49	Add LDAP_addmod_integer and use it.
50
512004-12-27  Love Hörnquist Åstrand  <lha@it.su.se>
52
53	* doc/{Makefile.am,setup.texi,win2k.texi}: spelling and text
54	fixes, from Dave Love
55
562004-12-18  Love Hörnquist Åstrand  <lha@it.su.se>
57
58	* lib/krb5/heim_threads.h: NetBSD 2.99.11 (any maybe 2.1) just
59	needs pthread.h, threadlib is dead
60
612004-12-17  Love Hörnquist Åstrand  <lha@it.su.se>
62
63	* kdc/config.c (configure): check for deprecated
64	enforce-transited-policy is set and fail if it is
65
66	* lib/asn1/asn1_print.c: don't print garabage for octet strings
67
682004-12-13  Love Hörnquist Åstrand  <lha@it.su.se>
69
70	* kdc/main.c (main): catch sigpipe, we don't bother select()ing
71	for errors
72
73	* kdc/connect.c (handle_http_tcp): handle error from write(2)
74
75	* doc/setup.texi: clarify credentials refreshing stuff
76
77	* doc/setup.texi: add new node: Providing Kerberos credentials to
78	servers and programs
79
80	* doc/whatis.texi: fix spurious cross-reference makeinfo warning
81
82	* lib/hdb/hdb-ldap.c (pos): uppercase in character
83
842004-12-12  Love Hörnquist Åstrand  <lha@it.su.se>
85
86	* lib/hdb/hdb-ldap.c (LDAP__bytes2hex,LDAP__hex2bytes): encode
87	nibbels in the other order
88
89	* lib/hdb/hdb-ldap.c: s/objectclass/objectClass/ check if
90	attribute exists before we try to delete it LDAP__bytes2hex
91	encodes in strange byte order, is this really right ?
92
932004-12-11  Love Hörnquist Åstrand  <lha@it.su.se>
94
95	* lib/hdb/hdb-ldap.c (LDAP_firstkey): When iterating over all
96	entries, search for samba accounts too, From: "James F. Hranicky"
97	<jfh@cise.ufl.edu>
98
99	* lib/hdb/hdb-ldap.c (krb5kdcentry_attrs): ask for attribute uid
100	too
101
102	* lib/hdb/hdb-ldap.c (LDAP_message2entry): if the entry is missing
103	both krb5PrincipalName and uid, it must be broken, ignore it and
104	return it doesn't exists.
105
1062004-12-10  Love Hörnquist Åstrand  <lha@it.su.se>
107
108	* kdc/hpropd.8: spelling, from OpenBSD
109
110	* kdc/kdc.8: use keeps for options, From OpenBSD k
111
1122004-12-09  Love Hörnquist Åstrand  <lha@it.su.se>
113
114	* doc/setup.texi: document --random-key and the need to do backup
115	of the master key
116
117	* kdc/kstash.8: add --random-key
118
119	* kdc/kstash.c: add --random-key
120
1212004-12-08  Love Hörnquist Åstrand  <lha@it.su.se>
122
123	* lib/krb5/verify_krb5_conf.8: spelling, from openbsd
124
125	* lib/krb5/krb5_init_context.3: spelling, from openbsd
126
127	* lib/krb5/krb5.conf.5: spelling, from openbsd
128
129	* kuser/kdestroy.1: use keeps around options, spelling, from
130	openbsd
131
132	* kpasswd/kpasswdd.8: use ., use keeps around options, from OpenBSD
133
134	* kdc/hpropd.8: use keeps around options, from OpenBSD
135
136	* kdc/hprop.8: use keeps around options, from OpenBSD
137
1382004-11-30  Love Hörnquist Åstrand  <lha@it.su.se>
139
140	* lib/krb5/context.c (krb5_free_context): clear error string
141	before destroying mutex
142	(krb5_init_context): don't call krb5_free_context before there is a
143	mutex initialized
144
1452004-11-18  Love Hörnquist Åstrand  <lha@it.su.se>
146
147	* kuser/kinit.c (get_new_tickets): only complain about ticket
148	renewable lifetime when the user asked for a specific renewable
149	lifetime
150
1512004-11-15  Love Hörnquist Åstrand  <lha@it.su.se>
152
153	* kdc/kerberos5.c (find_keys): log what principal is missing
154	enctypes
155
1562004-11-13  Love Hörnquist Åstrand  <lha@it.su.se>
157
158	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): clear pointer after
159	freeing data
160
161	* lib/krb5/init_creds_pw.c (change_password): handle old_options
162	being NULL From Guenther Deschner on samba-technical.
163
1642004-11-12  Love Hörnquist Åstrand  <lha@it.su.se>
165
166	* lib/krb5/krb5_get_init_creds.3: add more text describing the
167	krb5_get_init_creds functions
168
1692004-11-11  Love Hörnquist Åstrand  <lha@it.su.se>
170
171	* lib/krb5/init_creds_pw.c: make krb5_get_init_creds_keytab work
172	again
173
1742004-11-10  Love Hörnquist Åstrand  <lha@it.su.se>
175
176	* lib/hdb/hdb.asn1: use constrained integers
177
1782004-11-09  Love Hörnquist Åstrand  <lha@it.su.se>
179
180	* lib/krb5/krb5_get_init_creds.3: add description for opt_init,
181	opt_alloc, opt_free
182
183	* lib/krb5/pkinit.c: unexport krb5_get_init_creds_opt_free_pkinit
184
185	* lib/krb5/init_creds.c: unexport
186	krb5_get_init_creds_opt_free_pkinit
187
188	* lib/krb5/init_creds_pw.c: fold init_init_creds_ctx into
189	get_init_creds_common
190
191	* lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if the in
192	options NULL, just make a clean copy
193
1942004-11-01  Love Hörnquist Åstrand  <lha@it.su.se>
195
196	* lib/krb5/sendauth.c (krb5_rd_rep): free ap_rep message earlier
197	so we don't leak it on error
198
1992004-10-31  Love Hörnquist Åstrand  <lha@it.su.se>
200
201	* lib/krb5/krb5.conf.5: unbreak 2b entry
202
203	* lib/krb5/acache.c (make_cred_from_ccred): the address isn't a
204	sockaddr but rather a kerberos address, deal with that.  Based on
205	bug report from Jakob Schlyter <jakob@rfc.se>.
206
2072004-10-30  Love Hörnquist Åstrand  <lha@it.su.se>
208
209	* kdc/connect.c: Make sure argument passed to ctype isn't signed
210	char
211
2122004-10-14  Love Hörnquist Åstrand  <lha@it.su.se>
213
214	* lib/krb5/pkinit.c: match new error names
215
216	* lib/krb5/krb5_err.et: make error messages sane again
217
2182004-10-13  Love Hörnquist Åstrand  <lha@it.su.se>
219
220	* lib/krb5/keytab.c: use KRB5_KT_BADNAME
221
222	* lib/krb5/krb5_err.et: sync with mit krb5_err.et (require major
223	version bump) add KRB5_DELTAT_BADFORMAT
224
225	* lib/krb5/krb5.conf.5: time defaults to "s"
226
227	* lib/krb5/time.c (krb5_string_to_deltat): default to "s" again,
228	MIT's behavior was actually that it failed to parse the number
229	(and thus used the default). Even better, ticket_lifetime (that
230	was a consumer supposed a of the interface) was documented but
231	never implemented, when it was implemented, people configuraiton
232	files started to fail.  Also, use KRB5_DELTAT_BADFORMAT as a
233	failure code.
234
235	* lib/asn1/k5.asn1: sync enctypes with pkinit branch
236
237	* lib/asn1/parse.y (readd) support negative numbers
238
239	* lib/asn1/lex.l: support hex numbers
240
2412004-10-12  Love Hörnquist Åstrand  <lha@it.su.se>
242
243	* kdc/pkinit.c: use ETYPE_DES3_CBC_NONE_CMS
244
245	* lib/krb5/crypto.c: add enctype_des3_cbc_none_cms add cms padding
246	for rc2 don't to padding for blocksize 1
247
248	* lib/hdb/{keys.c,Makefile.am},lib/kadm5/{keys,set_keys}.c:
249	Move keyset parsing and password based keyset generation into hdb.
250	Requested by Andrew Bartlett <abartlet@samba.org> for hdb-ldb
251	backend.
252
2532004-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
254
255	* kuser/kinit.c: adapt to new signature of
256	krb5_get_init_creds_opt_set_pkinit
257
258	* lib/krb5/pkinit.c: free openssl engine deal with
259	RecipientIdentifier -> CMSIdentifier and heim_any -> name change
260	improve error messages
261
262	* kdc/pkinit.c: free openssl engine deal with RecipientIdentifier
263	-> CMSIdentifier and heim_any -> name change
264
2652004-10-04  Johan Danielsson  <joda@pdc.kth.se>
266
267	* kuser/klist.c: use rtbl_set_separator
268
2692004-10-03  Love Hörnquist Åstrand  <lha@it.su.se>
270
271	* lib/krb5/pkinit.c: filter out dup openssl engine keys, parse
272	user options first
273
274	* lib/krb5/pkinit.c: stop using AlgorithmIdentifierNonOpt, add
275	openssl engine support for private key
276
277	* lib/krb5/crypto.c: support padding as its done in CMS
278
279	* kdc/pkinit.c: improve error logging
280
281	* kdc/pkinit.c: stop using AlgorithmIdentifierNonOpt
282
2832004-09-30  Love Hörnquist Åstrand <lha@it.su.se>
284
285	* lib/krb5/krb5.conf.5: assume minutes for time
286
287	* lib/krb5/config_file.c (krb5_config_vget_time_default): use
288	krb5_string_to_deltat
289
290	* lib/krb5/appdefault.c (krb5_appdefault_time): use
291	krb5_string_to_deltat
292
293	* lib/krb5/time.c (krb5_string_to_deltat): set default unit to
294	minute for compatibility with MIT Kerberos.
295
296
2972004-09-28  Love Hörnquist Åstrand <lha@it.su.se>
298
299	* lib/krb5/get_cred.c (get_cred_kdc_usage): retry using "large
300	message safe" transport if we get back
301	KRB5KRB_ERR_RESPONSE_TOO_BIG error. Idea from Guenther Deschner
302	<gd@sernet.de>
303
3042004-09-23 Johan Danielsson <joda@pdc.kth.se>
305
306	* admin/list.c: use rtbl
307
308	* admin/ktutil-commands.in: slc source file
309
310	* lib/krb5/constants.c: check
311	/Library/Preferences/edu.mit.Kerberos on OSX
312
3132004-09-21  Johan Danielsson  <joda@pdc.kth.se>
314
315	* lib/krb5/time.c (krb5_format_time): check return value from
316	localtime and strftime
317
3182004-09-14  Johan Danielsson  <joda@pdc.kth.se>
319
320	* kuser/kinit.c: make sure we don't always get renewable creds
321
3222004-09-11   Love Hörnquist Åstrand  <lha@it.su.se>
323
324	* lib/krb5/acache.c: use krb5_ccapi.h
325
326	* lib/krb5/krb5_ccapi.h: break out krb5 api definitions to
327	separate (not installed) file
328
329	* lib/krb5/Makefile.am: add AM_CPPFLAGS to libkrb5_la_CPPFLAGS
330	since AM_CPPFLAGS overridden by target specific _CPPFLAGS
331
3322004-09-08  Love Hörnquist Åstrand  <lha@it.su.se>
333
334	* lib/krb5/pkinit.c: make variable shorter, make error messages
335	from pkinit, make freeing easier
336
3372004-09-06  Love Hörnquist Åstrand  <lha@it.su.se>
338
339	* lib/krb5/Makefile.am: link libkrb5 with LIB_dlopen
340
341	* lib/krb5/crypto.c (seed_something): avoid poking at memory that
342	is uninitialized, make valgrind unhappy. Pointd out by
343	abartlet@samba.org. While where, plug the fd leak.
344
3452004-09-05  Love Hörnquist Åstrand  <lha@it.su.se>
346
347	* lib/asn1/der_get.c (decode_*): name all tag-length variables the
348	same
349	(decode_enumerated): check that the tag-length is not longer the length
350
351	* lib/asn1/der_get.c (decode_boolean): fail if length of tag is
352	larger then len
353
3542004-08-31  Love Hörnquist Åstrand  <lha@it.su.se>
355
356	* lib/krb5/init_creds_pw.c (krb5_get_init_creds): kdc_reply can be
357	set in case of failure too, free unconditionally on exit to avoid
358	memory leak
359
3602004-08-23  Love Hörnquist Åstrand  <lha@it.su.se>
361
362	* lib/krb5/get_cred.c (set_auth_data): set pointer to NULL after
363	free
364
3652004-08-20  Love Hörnquist Åstrand  <lha@it.su.se>
366
367	* lib/krb5/context.c (krb5_get_err_text): if neither of com_right
368	nor strerror finds the error-code, return Unknown error.
369
3702004-08-19  Johan Danielsson  <joda@pdc.kth.se>
371
372	* lib/krb5/krb5_kuserok.3: update to reality
373
374	* lib/krb5/kuserok.c: if a .k5login file exist, don't give
375	implicit rights to anyone; also check owner/mode of .k5login
376
3772004-08-15  Love Hörnquist Åstrand  <lha@it.su.se>
378
379	* lib/krb5/Makefile.am: man_MANS = krb5_getportbyname.3
380
381	* lib/krb5/krb5_getportbyname.3: manpage for krb5_getportbyname
382
383	* lib/krb5/krb5.3: add krb5_getportbyname
384
385	* lib/krb5/krb5.3: krb5_free_salt and krb5_enctype_valid
386
387	* lib/krb5/krb5_encrypt.3: document krb5_enctype_valid
388
3892004-08-13  Love Hörnquist Åstrand  <lha@it.su.se>
390
391	* kdc/kerberos5.c (get_pa_etype_info{,2}): check for dup enctypes
392	from the client and filter them out.
393
394	* lib/krb5/krb5_string_to_key.3: document krb5_free_salt
395
3962004-08-12  Love Hörnquist Åstrand  <lha@it.su.se>
397
398	* lib/krb5/krb5_ticket.3: data needs to be freed when using
399	krb5_ticket_get_authorization_data_type
400
4012004-08-11  Love Hörnquist Åstrand  <lha@it.su.se>
402
403	* lib/krb5/test_cc.c: test variables in default_cc_name
404
405	* lib/krb5/krb5.conf.5: explain support for varibles in
406	[libdefaults]default_cc_name
407
408	* lib/krb5/cache.c: drop ${time}, its not very useful
409
410	* lib/krb5/cache.c: Add _krb5_expand_default_cc_name that expand
411	variables in the default cc name. Supported variables now are:
412	${time},${uid} and ${null}
413
414	* lib/krb5/krb5.conf.5: document default_cc_name
415
416	* lib/krb5/cache.c (krb5_cc_set_default_name):
417	s/libdefault/libdefaults/
418
4192004-08-06  Love Hörnquist Åstrand  <lha@it.su.se>
420
421	* lib/krb5/acache.c: replace magic 3 with ccapi_version_3
422
423	* lib/krb5/Makefile.am: libkrb5_la_SOURCES += acache.c
424
425	* lib/krb5/krb5.h: add krb5_acc_ops
426
427	* lib/krb5/acache.c: CCAPI v3 implementation, the read only
428	support was from Magnus Ahltorp and then extended by me to support
429	all other operations.  Tested with MIT kerberos cc cache
430	implementation on MacOS 10.3.3
431
432	* lib/krb5/cache.c (krb5_cc_set_default_name): allow setting the
433	default cc name, this is not very useful for general purpose glue
434	since its not possible to glue in user information (like uid), but
435	for CCAPI it works just fine
436
4372004-08-05  Love Hörnquist Åstrand  <lha@it.su.se>
438
439	* kuser/kgetcred.1: document --cache/-c
440
441	* kuser/kgetcred.c: allow to specify what credential cache to use
442
4432004-08-03  Love Hörnquist Åstrand  <lha@it.su.se>
444
445	* lib/krb5/Makefile.am: add krb5_eai_to_heim_errno.3
446
447	* lib/krb5/krb5_eai_to_heim_errno.3: document
448	krb5_eai_to_heim_errno, krb5_h_errno_to_heim_errno
449
450	* lib/krb5/krb5.3: add krb5_eai_to_heim_errno,
451	krb5_h_errno_to_heim_errno
452
4532004-07-26  Love Hörnquist Åstrand  <lha@it.su.se>
454
455	* lib/krb5/krb5_expand_hostname.3: krb5_expand_hostname_realms
456	result should be free with krb5_free_host_realm drop
457	krb5_get_host_realm text
458
459	* lib/krb5/krb5_set_default_realm.3: krb5_get_host_realm result
460	should be free with krb5_free_host_realm
461
462	* lib/krb5/krb5_get_in_cred.3: document krb5_free_kdc_rep
463
464	* lib/krb5/krb5_get_init_creds.3: remove dup krb5_get_init_creds
465
466	* lib/krb5/krb5_auth_context.3: sort, add krb5_free_authenticator
467
468	* lib/krb5/Makefile.am: man_MANS += krb5_rd_error
469
470	* lib/krb5/krb5_rd_error.3: krb5_rd_error and friends
471
472	* lib/krb5/krb5_warn.3: clarify on what string
473	krb5_free_error_string should operate on
474
475	* lib/krb5/krb5_get_credentials.3: add krb5_get_kdc_cred
476
477	* lib/krb5/Makefile.am: krb5_get_credentials,
478	krb5_get_forwarded_creds and friends
479
480	* lib/krb5/krb5_get_forwarded_creds.3: krb5_get_forwarded_creds
481	and friends
482
483	* lib/krb5/krb5_get_credentials.3: krb5_get_credentials and
484	friends
485
4862004-07-23  Love Hörnquist Åstrand  <lha@it.su.se>
487
488	* kuser/klist.c (print_cred_verbose): keytypes are no longer, use
489	enctype
490
4912004-07-22  Love Hörnquist Åstrand  <lha@it.su.se>
492
493	* lib/hdb/hdb-ldap.c (LDAP_entry2mods): allow for pre-c99
494	compilers, From metze at samba.org
495
4962004-07-20  Love Hörnquist Åstrand  <lha@it.su.se>
497
498	* lib/krb5/test_cc.c: more cc tests
499
500	* lib/krb5/krb5_check_transited.3: document krb5_check_transited
501
5022004-07-19  Love Hörnquist Åstrand  <lha@it.su.se>
503
504	* kdc/pkinit.c (pk_principal_from_X509): reverse test, makes
505	principal in cert work From: Mayur Patel <patelm4@rpi.edu>
506
5072004-07-18  Love Hörnquist Åstrand  <lha@it.su.se>
508
509	* lib/krb5/Makefile.am: add krb5_verify_init_creds.3
510
511	* lib/krb5/krb5_verify_init_creds.3: add krb5_verify_init_creds
512
5132004-07-15  Love Hörnquist Åstrand  <lha@it.su.se>
514
515	* lib/krb5/krb5_set_password.3: spelling from wiz@netbsd.org
516	description for krb5_passwd_result_to_string
517
5182004-07-14  Love Hörnquist Åstrand  <lha@it.su.se>
519
520	* lib/krb5/krb5_set_password.3: Remove superfluous comma; grammar
521	fixes; split sentence in two for better understanding.  From
522	wiz@NetBSD.org. Describe krb5_set_password_using_ccache while here.
523
524	* lib/krb5/krb5_set_password.3: nroff and spelling, from Jonathan
525	Stone <jonathan@dsg.stanford.edu>
526
527	* lib/krb5/changepw.c (process_reply): cast ssize_t to long and
528	print that From NetBSD via Havard Eidnes.
529
5302004-07-09  Love Hörnquist Åstrand  <lha@it.su.se>
531
532	* configure.in: fix helpstring for hdb-openldap-module
533
534	* lib/krb5/test_cc.c: don't use krb5_err on error code 0
535
5362004-07-08  Love Hörnquist Åstrand  <lha@it.su.se>
537
538	* lib/hdb/hdb-ldap.c (LDAP_seq): try handling errors better
539
5402004-07-02  Love Hörnquist Åstrand  <lha@it.su.se>
541
542	* lib/krb5/get_in_tkt.c (set_ptypes): make ptypes const
543
5442004-07-01  Love Hörnquist Åstrand  <lha@it.su.se>
545
546	* lib/hdb/hdb-ldap.c (LDAP__connect): call ldap_initialize with
547	right argument
548
5492004-06-27  Johan Danielsson  <joda@pdc.kth.se>
550
551	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): if the
552	krbtgt is without addresses, default to not sending our own
553	addrport
554
555	* lib/asn1/lex.l: add support for /* */ and partial line --
556	comments
557
558	* kuser/Makefile.am: don't install copy_cred_cache manpage
559
5602004-06-24  Johan Danielsson  <joda@pdc.kth.se>
561
562	* lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if
563	copying a static opt, make sure to allocate the "private" field
564
5652004-06-24  Love  <lha@stacken.kth.se>
566
567	* kdc/config.c: add enable_pkinit_princ_in_cert
568
569	* kdc/kdc_locl.h: enable_pkinit_princ_in_cert
570
571	* kdc/pkinit.c: Check certificate for Kerberos Principal in
572	OtherName of subjectAltName Based on patch from Mayur Patel
573	<patelm4@rpi.edu>
574
5752004-06-21  Love Hörnquist Åstrand  <lha@it.su.se>
576
577	* lib/krb5/get_cred.c (init_tgs_req): if subkey not avaible, use
578	session key for authorization-data
579
5802004-06-15  Love Hörnquist Åstrand  <lha@it.su.se>
581
582	* kdc/connect.c (handle_tcp): note who is what that closed the
583	connection on us
584
5852004-06-09  Love Hörnquist Åstrand  <lha@it.su.se>
586
587	* admin/get.c (kt_get): catch errors from krb5_parse_name
588
5892004-06-05  Love Hörnquist Åstrand  <lha@it.su.se>
590
591	* lib/hdb/hdb-ldap.c: if its the entry just contains the
592	structural object (no samba nor heimdal object), add an aux
593	heimdal object on to it.
594
5952004-06-02  Love Hörnquist Åstrand  <lha@it.su.se>
596
597	* kpasswd/kpasswd.c: use krb5_set_password_using_ccache
598
599	* lib/krb5/krb5_set_password.3: add krb5_set_password_using_ccache
600
601	* lib/krb5/changepw.c: implement krb5_set_password_using_ccache
602
603	* lib/hdb/hdb-ldap.c: Allow the objectClass to be
604	"sambaSamAccount" or structural_object when searching for uid
605	entries.
606
607	* lib/krb5/krb5.conf.5: document [kdc]hdb-ldap-create-base
608
609	* lib/hdb/hdb-ldap.c: add creation base that defaults to the
610	search base
611
612	* lib/hdb/hdb-ldap.c: indent like the rest of the code
613
6142004-06-01  Love Hörnquist Åstrand  <lha@it.su.se>
615
616	* lib/hdb/hdb-ldap.c: check return values from ldap operations and
617	close it we get back LDAP_SERVER_DOWN. stupid ldap client lib, you
618	should retry by yourself.
619
620	* lib/hdb/hdb-ldap.c: require search base to be configured, create
621	local context structure
622
6232004-05-31  Love Hörnquist Åstrand  <lha@it.su.se>
624
625	* doc/setup.texi: more ldap text, partly from Tarjei Huse
626	<tarjei@nu.no>
627
6282004-05-28  Love Hörnquist Åstrand  <lha@it.su.se>
629
630	* lib/hdb/hdb-ldap.c: clean, indent
631
632	* lib/hdb/hdb-ldap.c (LDAP_entry2mods): make sure
633	krb5KeyVersionNumber is added on new entires
634
6352004-05-27  Love Hörnquist Åstrand  <lha@it.su.se>
636
637	* doc/setup.texi: minor fixes, partly from Tarjei Huse
638	<tarjei@nu.no>
639
640	* lib/krb5/krb5.conf.5: some text about dbname and realm
641
642	* lib/krb5/krb5.conf.5: default value for
643	hdb-ldap-structural-object is account
644
6452004-05-26  Love Hörnquist Åstrand  <lha@it.su.se>
646
647	* tools/Makefile.am: use ! instead of , as sed delimiter
648
6492004-05-25  Love Hörnquist Åstrand  <lha@it.su.se>
650
651	* lib/krb5/*.c: add KRB5_LIB_FUNCTION to all exported functions
652
6532004-05-23  Love Hörnquist Åstrand  <lha@it.su.se>
654
655	* lib/hdb/hdb-ldap.c: make samba_forwardable a krb5_boolean
656
657	* lib/hdb/hdb-ldap.c: make samba forwarding a runtime configure
658	option
659
660	* lib/hdb/hdb-ldap.c (LDAP_message2entry): fix [] test From:
661	Andrew Bartlett <abartlet@samba.org>
662
663	* lib/hdb/hdb-ldap.c (LDAP_message2entry): remove bogus length
664	check From: Andrew Bartlett <abartlet@samba.org>
665
666	* lib/hdb/hdb-ldap.c (LDAP_message2entry): in the sambaNTPassword
667	case, make sure ent->etypes are allocated, From: Andrew Bartlett
668	<abartlet@samba.org>
669
6702004-05-14  Love Hörnquist Åstrand  <lha@it.su.se>
671
672	* kuser/kinit.c: move "setpag if (argc < 1)" to common path
673
6742004-05-12  Love Hörnquist Åstrand  <lha@it.su.se>
675
676	* lib/krb5/verify_krb5_conf.c: pacify pre c99 compilers
677
678	* fix-export: use right argument for -E
679
6802004-05-06  Johan Danielsson  <joda@pdc.kth.se>
681
682	* kuser/kinit.c: print some diagnostics if the exec fails
683
6842004-04-29  Love Hörnquist Åstrand  <lha@it.su.se>
685
686	* lib/krb5/pkinit.c (pk_rd_pa_reply_dh): use krb5_random_to_key
687	From: Luke Howard <lukeh@padl.com>
688
689	* lib/krb5/rd_req.c (krb5_verify_ap_req2): clear the whole ticket,
690	not just a pointer size of it From: Luke Howard <lukeh@padl.com>
691
6922004-04-28  Love Hörnquist Åstrand  <lha@it.su.se>
693
694	* fix-export: add -E flag where needed to make-proto
695
6962004-04-26  Love Hörnquist Åstrand  <lha@it.su.se>
697
698	* lib/krb5/crypto.c: add set_param for RC2
699
700	* lib/krb5/pkinit.c: use krb5_oid_to_enctype and remove all oids
701	that are no longer needed
702
703	* kdc/pkinit.c: use krb5_enctype_to_oid
704
705	* lib/krb5/crypto.c (krb5_oid_to_enctype): make sure oid exists
706	before we compare with it
707
708	* lib/krb5/crypto.c (krb5_crypto_get_params): check ivec length
709	before returning it add aes-oids
710
711	* lib/krb5/crypto.c: add krb5_enctype_to_oid and
712	krb5_oid_to_enctype
713
714	* kdc/pkinit.c: use krb5_crypto_set_params
715
716	* lib/krb5/crypto.c: add krb5_crypto_set_params, add aes-NNN-cbc-none
717
718	* lib/krb5/krb5.h: add KEYTYPE_AES192
719
720	* lib/krb5/pkinit.c: use krb5_crypto_get_params to implement
721	kcrypto RC2 support
722
723	* lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype
724	rc2-cbc XXX RC2CBCParameter is wrong because the compiler is
725	broken
726
727	* lib/krb5/krb5.h: add KEYTYPE_RC2
728
729	* lib/krb5/crypto.c: add partial CMS parameter handling, this is
730	needed for RC2
731
732	* lib/asn1/der_cmp.c: add heim_oid_cmp and heim_octet_string_cmp
733
734	* lib/asn1/Makefile.am (libasn1_la_SOURCES) += der_cmp.c
735
736	* lib/asn1/der.h: add heim_oid_cmp and heim_octet_string_cmp
737
738	* lib/asn1/k5.asn1: add ETYPE_AESNNN_CBC_NONE
739
740	* lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype
741	rc2-cbc, XXX RC2CBCParameter is wrong because the compiler is broken
742
7432004-04-26  Johan Danielsson  <joda@pdc.kth.se>
744
745	* lib/krb5/config_file.c: allow parsing directly from strings with
746	krb5_config_parse_string_multi
747
748	* lib/krb5/verify_krb5_conf.c: try to resolve hostnames
749
7502004-04-25  Johan Danielsson  <joda@pdc.kth.se>
751
752	* lib/krb5/store_fd.c (krb5_storage_from_fd): dup the file
753	descriptor so we don't have to keep track of it in two places
754
755	* kuser/copy_cred_cache.c: krb5_cc_copy_cache_match now lives in
756	libkrb5
757
758	* lib/krb5/krb5_{,compare_}creds.3: move krb5_compare_creds to its
759	own manpage
760
761	* replace krb5_free_creds_contents by krb5_free_cred_contents
762
763	* lib/krb5/cache.c: add krb5_cc_next_cred_match() and
764	krb5_cc_copy_cred_match()
765
766	* lib/krb5/creds.c (krb5_compare_creds): add more matching options
767
768	* lib/krb5/krb5.h: add more creds match flags
769
770	* kuser/copy_cred_cache: add --valid-for option
771
772	* lib/krb5/store.c (krb5_store_creds): set is_skey flag if length
773	of second ticket is > 0
774
7752004-04-25  Love Hörnquist Åstrand  <lha@it.su.se>
776
777	* lib/krb5/pkinit.c: use the right oid for pkauthdata
778
779	* lib/krb5/pkinit.c: always send both win2k compat version and the
780	ietf draft one, this is possible since microsoft use
781	wrong/diffrent PA number.  Make the configuration flag boolean
782	configuring if NOT to send the win2k compat glue.
783
784	* lib/krb5/krb5_encrypt.3: document krb5_{de,en}crypt_ivec
785
786	* kuser/copy_cred_cache.1: pacify mdoclint
787
788	* kdc/pkinit.c: use IV for envelopeddata encryption, patch
789	originally from Luke Howard <lukeh@padl.com>, tweeked by me.
790
791	* lib/krb5/krb5_storage.3: document
792	KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER
793
794	* lib/krb5/krb5_data.3: document that krb5_data_free cleans the
795	structure too
796
797	* lib/krb5/pkinit.c: use IV for envelopeddata encryption, patch
798	originally from Luke Howard <lukeh@padl.com>, tweeked by me.
799
8002004-04-24  Johan Danielsson  <joda@pdc.kth.se>
801
802	* kuser/copy_cred_cache.{c,1}: add cred cache copy tool
803
804	* configure.in: use rk_SYS_LARGEFILE
805
806	* lib/krb5/{krb5.h,store.c,fcache.c}: Fix the cache flags bitorder
807	issue with a storage flag instead of a separate function.
808
8092004-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
810
811	* lib/krb5/pkinit.c: move out the oid check from get_reply_key
812
813	* lib/krb5/pkinit.c: uniquify error messages
814
815	* lib/krb5/init_creds_pw.c: make the pkinit nonce same os the
816	plain nonce for now
817
818	* lib/krb5/pkinit.c: more w2k compat from Luke Howard
819	<lukeh@padl.com> add RC2 support, clean up error messages
820
821	* lib/krb5/pkinit.c: remove more dependency on
822	krb5_config->pkinit_flags
823
824	* lib/krb5/pkinit.c (_krb5_pk_convert_rep): convert microsoft
825	style answer to IETF, From Luke Howard <lukeh@padl.com>
826	(_krb5_pk_create_sign): ms handles NULL in param, so always send it
827	(_krb5_pk_mk_padata): look for [realms]REALM = { win2k_pkinit = bool }
828
829	* lib/krb5/pkinit.c (_krb5_pk_create_sign): always set the
830	digestAlgorithm to sha1 (both for SignerInfo and SignedData, add
831	new function _set_digest_alg to set it
832
8332004-04-23  Love Hörnquist Åstrand  <lha@it.su.se>
834
835	* include/make_crypto.c: include rc2.h, and when I'm here, make
836	aes mandatory
837
838	* lib/krb5/krb5.h: add ENCTYPE_ARCFOUR_HMAC as compat glue for MIT
839	kerberos
840
841	* lib/krb5/crypto.c (krb5_crypto_init): clear return pointer on
842	failure
843
844	* lib/krb5/crypto.c (DES3_random_to_key): make it produce the
845	right result
846	(DES3_postproc): use DES3_random_to_key
847	(krb5_random_to_key): check the required number of bits (not the size
848	of the key)
849
850	* lib/krb5/aes-test.c: test random to key function
851
852	* lib/krb5/string-to-key-test.c: comment out the "@"/"" test for
853	now
854
8552004-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
856
857	* lib/krb5/krb5_string_to_key.3: document that
858	krb5_string_to_key_derived is broken for non 3des enctypes and
859	thus deprecated
860
861	* kdc/pkinit.c (generate_dh_keyblock): use the new function
862	krb5_random_to_key
863
864	* lib/krb5/crypto.c: add des and DES3 random_to_key hooks, they
865	need special processing
866
867	* lib/krb5/crypto.c (krb5_random_to_key): new function
868
869	* lib/krb5/krb5_keyblock.3: document krb5_random_to_key
870
8712004-04-21  Love Hörnquist Åstrand  <lha@it.su.se>
872
873	* kdc/pkinit.c: use the first proposed enable enctype
874
875	* lib/krb5/context.c (krb5_set_default_in_tkt_etypes): use the
876	return from krb5_enctype_valid
877
878	* kdc/pkinit.c: at least try to handle diffrent enveloped enctypes
879
8802004-04-21  Love Hörnquist Åstrand  <lha@it.su.se>
881
882	* lib/asn1/der_get.c: 1.28.2.16: (der_get_oid): handle all oid
883	components being smaller then 127 and allocate one extra element
884	since first byte is split to to elements.
885
8862004-04-20  Love Hörnquist Åstrand  <lha@it.su.se>
887
888	* lib/asn1/k5.asn1: ETYPE_DIGEST_MD5_NONE, ETYPE_CRAM_MD5_NONE:
889	private use, lukeh@padl.com
890
8912004-04-19  Love Hörnquist Åstrand  <lha@it.su.se>
892
893	* lib/krb5/pkinit.c (build_auth_pack): use heim_integer to encode
894	DH public key
895
8962004-04-18  Love Hörnquist Åstrand  <lha@it.su.se>
897
898	* lib/krb5/krb5_init_context.3: add krb5_context to so its added
899	as manpage-link too
900
9012004-04-17  Love Hörnquist Åstrand  <lha@it.su.se>
902
903	* lib/krb5/fcache.c (fcc_remove_cred): simplistic implementation,
904	XXX add locking
905
906	* kuser/kdestroy.c: add --credential argument that just remove one
907	credential entry out of the cache specified
908
909	* kdc/pkinit.c: replace the krb5.conf configuration option that
910	describes the mapping between principals and subject names with a
911	file, default /var/heimdal/pki-mapping. XXX this should be pushed
912	into HDB. XXX should add issuer too
913
914	* kdc/config.c: merge certificate/private_key to a user_id
915
9162004-04-16  Love Hörnquist Åstrand  <lha@it.su.se>
917
918	* kdc/kdc_locl.h: update prototype for pk_initialize
919
920	* kuser/kinit.c: merge certificate/private_key to a user_id
921
922	* kdc/pkinit.c: adapt to heim_integer changes
923
924	* lib/krb5/pkinit.c: merge certificate/private_key to a user_id
925
926	* kdc/pkinit.c: adapt to heim_integer changes,
927	merge certificate/private_key to a user_id
928
9292004-04-15  Love Hörnquist Åstrand  <lha@it.su.se>
930
931	* lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_WIN free X509_STORE
932
9332004-04-13  Love Hörnquist Åstrand  <lha@it.su.se>
934
935	* lib/krb5/Makefile.am: define BUILD_KRB5_LIB when building
936	libkrb5.la, add KRB5_LIB_FUNCTION proto
937
938	* lib/krb5/add_et_list.c: add KRB5_LIB_FUNCTION
939
940	* configure.in: export KRB5_LIB_FUNCTION when building with
941	BUILD_KRB5_LIB
942
943	* lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): add
944	error strings
945
946	* lib/krb5/prompter_posix.c (krb5_prompter_posix): if some thing
947	is printed on stderr, fflush it
948
949	* lib/krb5/krb5_keyblock.3: free functions also zeros out the key
950
951	* lib/krb5/krb5_get_init_creds.3: some text about
952	krb5_prompter_posix
953
954	* lib/krb5/krb5.conf.5: document hdb-ldap-structural-object
955
956	* lib/krb5/cache.c: add krb5_cc_get_prefix_ops
957
958	* lib/krb5/krb5_ccache.3: add krb5_cc_get_prefix_ops
959
9602004-04-05  Love Hörnquist Åstrand  <lha@it.su.se>
961
962	* appl/test/http_client.c: support GSS_C_DELEG_FLAG and
963	GSS_C_MUTUAL_FLAG
964
965	* appl/test/http_client.c: verbose logging
966
9672004-04-02  Love Hörnquist Åstrand  <lha@it.su.se>
968
969	* kdc/connect.c: case size_t to unsigned long for LP64 platforms
970
9712004-04-01  Love Hörnquist Åstrand  <lha@it.su.se>
972
973	* lib/hdb/hdb-ldap.c (hdb_ldap_create): allow configuration of
974	default structural object
975
976	* tools/Makefile.am: handle sed expression breaking
977
9782004-03-31  Love Hörnquist Åstrand  <lha@it.su.se>
979
980	* lib/krb5/krbhst.c: also lookup _kpasswd._tcp SRV-rr
981
982	* lib/krb5/changepw.c: add tcp support to the set protocol, should
983	be cleaned up to enable sharing code with krb5_sendto
984
985	* kpasswd/kpasswd.c (change_password): remove extra free
986
987	* lib/krb5/krb5_acl_match_file.3: try to pacify mdoc macros on
988	osf/1
989
9902004-03-30  Love Hörnquist Åstrand  <lha@it.su.se>
991
992	* lib/krb5/init_creds_pw.c (pa_data_add_pac_request): don't
993	increase md->len, krb5_padata_add already does that
994
995	* lib/krb5/init_creds.c: its PAC not PAQ
996
997	* kuser/kinit.c: its PAC not PAQ
998
999	* kdc/kerberos4.c: stop the client from renewing tickets into the
1000	future From: Jeffrey Hutzelman <jhutz@cmu.edu>
1001
10022004-03-29  Love Hörnquist Åstrand  <lha@it.su.se>
1003
1004	* configure.in: try to handle sys/strtty.h needing sys/stream.h
1005
10062004-03-23  Love Hörnquist Åstrand  <lha@it.su.se>
1007
1008	* lib/krb5/send_to_kdc.c: remove function krb5_sendto_kdc2, its no
1009	longer used
1010
1011	* kdc/kerberos5.c: s/krb5_get_host_realm_int/_&/
1012
1013	* lib/krb5/get_host_realm.c: unexport krb5_get_host_realm_int to
1014	external users by prefixing it with _
1015
1016	* lib/krb5/get_cred.c: s/krb5_mk_req_internal/_&/
1017
1018	* lib/krb5/mk_req_ext.c: unexport krb5_mk_req_internal to external
1019	users by prefixing it with _
1020
10212004-03-22  Love Hörnquist Åstrand  <lha@it.su.se>
1022
1023	* lib/krb5/pkinit.c: add missing }
1024
10252004-03-21  Love Hörnquist Åstrand  <lha@it.su.se>
1026
1027	* kdc/pkinit.c: adapt to change of signature of
1028	_krb5_pk_load_openssl_id
1029
1030	* lib/krb5/pkinit.c: (krb5_get_init_creds_opt_set_pkinit): add
1031	prompter argument and use it
1032
1033	* kuser/kinit.c: adapt to signature change of
1034	krb5_get_init_creds_opt_set_pkinit
1035
1036	* lib/krb5/krb5.3: add more stuff, 105 functions to go
1037
1038	* lib/krb5/krb5_rcache.3: add krb5_get_server_rcache
1039
1040	* lib/krb5/krb5_rcache.3: framework for replay cache manpage
1041
1042	* lib/krb5/krb5_string_to_key.3: document string to key functions
1043
1044	* lib/krb5/Makefile.am: man_MANS += krb5_expand_hostname.3
1045	krb5_find_padata.3 krb5_generate_random_block.3
1046
1047	* lib/krb5/krb5_encrypt.3: document krb5_get_wrapped_length
1048
1049	* lib/krb5/krb5.3: add some more, 137 to go
1050
1051	* lib/krb5/krb5_principal.3: document krb5_get_default_principal
1052
1053	* lib/krb5/krb5_keyblock.3: document krb5_generate_subkey
1054
1055	* lib/krb5/krb5_generate_random_block.3: document
1056	krb5_generate_random_block
1057
1058	* lib/krb5/krb5_find_padata.3: document padata functions
1059
1060	* lib/krb5/krb5.3: add some more, 142 to go
1061
1062	* lib/krb5/krb5_creds.3: drop .Pp before .Sh
1063
1064	* lib/krb5/krb5_set_default_realm.3: document krb5_copy_host_realm
1065
1066	* lib/krb5/krb5_expand_hostname.3: document krb5_expand_hostname
1067	and krb5_expand_hostname_realms
1068
1069	* lib/krb5/krb5.3: add more functions, 147 to go
1070
1071	* lib/krb5/krb5_creds.3: document krb5_creds
1072
1073	* lib/krb5/krb5_get_init_creds.3: add more functions, some more
1074	text
1075
1076	* lib/krb5/krb5_ticket.3: document
1077	krb5_ticket_get_authorization_data_type
1078
10792004-03-20  Love Hörnquist Åstrand  <lha@it.su.se>
1080
1081	* lib/krb5/aes-test.c: remove #if 0'ed code
1082
1083	* lib/krb5/krb5.3: add keyblock functions, 177 functions to go
1084
1085	* lib/krb5/krb5_verify_user.3: add krb5_verify_opt_set_ccache
1086
1087	* lib/krb5/krb5_encrypt.3: document krb5_decrypt_ticket
1088
1089	* lib/krb5/krb5_config.3: document krb5_config_free_strings and
1090	krb5_config_file_free
1091
1092	* lib/krb5/krb5_create_checksum.3: add krb5_hmac
1093
1094	* lib/krb5/krb5.3: add keyblock functions, 190 functions to go
1095
1096	* lib/krb5/krb5_keyblock.3: update .Dd
1097
1098	* lib/krb5/krb5_keyblock.3: document krb5_copy_keyblock and
1099	krb5_generate_random_keyblock
1100
1101	* lib/krb5/krb5_init_context.3: add krb5_init_ets
1102
1103	* lib/krb5/krb5_config.3: add more krb5_config_ functions and
1104	prototypes
1105
1106	* lib/krb5/krb5_init_context.3: document context modifcation
1107	functions: address list, config file, use admin kdc, fcc version
1108
1109	* lib/krb5/krb5_storage.3: document krb5_storage and related
1110	functions
1111
1112	* lib/krb5/Makefile.am: add acl and krb524_convert_creds_kdc
1113	manpages and test_acl test program
1114
1115	* lib/krb5/krb5.3: add error string functions and sort
1116
1117	* lib/krb5/krb5_warn.3: document krb5_abort and error string
1118	functions
1119
1120	* lib/krb5/krb5.3: add missing functions, only 285 left to
1121	document
1122
1123	* lib/krb5/krb5_crypto_init.3: remove various enctype related
1124	function
1125
1126	* lib/krb5/krb5_encrypt.3: add various enctype related function
1127	here
1128
1129	* lib/krb5/krb5_create_checksum.3: add krb5_cksumtype_valid
1130	krb5_cksumtype_valid
1131
1132	* lib/krb5/crypto.c: real return values for
1133	krb5_{enctype,cksumtype}_valid
1134
1135	* lib/krb5/krb5_create_checksum.3: add some functions and
1136	descriptions
1137
1138	* lib/krb5/krb5_c_make_checksum.3: move out non krb5_c functions
1139
1140	* lib/krb5/krb5_auth_context.3: document
1141	krb5_auth_con_generatelocalsubkey
1142
1143	* lib/krb5/krb5_krbhst_init.3: document krb5_krbhst_init_flags
1144
1145	* lib/krb5/krb5_keytab.3: document krb5_kt_default_modify_name
1146
1147	* lib/krb5/krb5_init_context.3: document krb5_add_et_list
1148
1149	* lib/krb5/krb524_convert_creds_kdc.3: document
1150	krb524_convert_creds_kdc, krb524_convert_creds_kdc_ccache
1151
1152	* lib/krb5/krb5_acl_match_file.3: document krb5_acl_match_*
1153
1154	* lib/krb5/test_acl.c: test for generic acl code
1155
1156	* lib/krb5/acl.c: plug memory leak on file matching,
1157	make it not fall over when no non matching acl,
1158	make fnmatch matching useful by switching arguments
1159
11602004-03-19  Love Hörnquist Åstrand  <lha@it.su.se>
1161
1162	* kdc/config.c: add --builtin-hdb command
1163
1164	* lib/hdb/hdb.c (hdb_list_builtin): return a list of builtin
1165	backends
1166
1167	* doc/setup.texi: include Luke Howard of PADL.COM ldap hdb
1168	documentation
1169
1170	* doc/win2k.texi: fix bugs in examples, add more restrictions, use
1171	example.com as an example. From: Pavel Ferdan
1172	<xferdan@informatics.muni.cz>
1173
11742004-03-18  Johan Danielsson  <joda@pdc.kth.se>
1175
1176	* lib/krb5/krb5.conf.5: add a bunch of Li and document [kadmin]
1177	password_lifetime; from Henry B. Hotz
1178
11792004-03-14  Love Hörnquist Åstrand  <lha@it.su.se>
1180
1181	* lib/krb5/mk_rep.c (krb5_mk_rep): if KRB5_AUTH_CONTEXT_USE_SUBKEY
1182	is set send subkey
1183	(generate if needed)
1184
1185	* lib/krb5/krb5.h: add KRB5_AUTH_CONTEXT_USE_SUBKEY
1186
11872004-03-14  Love Hörnquist Åstrand  <lha@it.su.se>
1188
1189	* lib/hdb/hdb-ldap.c: clean up error handling, plug memory leaks,
1190	and free memory in error path, assume realloc(NULL, ...) works,
1191	factor out common code, indent
1192
11932004-03-12  Love Hörnquist Åstrand  <lha@it.su.se>
1194
1195	* lib/krb5/verify_krb5_conf.c: understand [password_quality]
1196	spelling
1197
1198	* kuser/kgetcred.1: document --canonicalize
1199
1200	* kuser/kgetcred.c: add --canonicalize
1201
12022004-03-10  Love Hörnquist Åstrand  <lha@it.su.se>
1203
1204	* lib/krb5/fcache.c (fcc_store_cred): NULL terminate
1205	krb5_config_get_bool_default' arglist
1206
12072004-03-09  Love Hörnquist Åstrand  <lha@it.su.se>
1208
1209	* kdc/kerberos5.c: add missing req argument to pk_mk_pa_reply
1210
1211	* kdc/pkinit.c (pk_mk_pa_reply): add hdb_entry
1212
1213	* kdc/pkinit.c: pass client hdb_entry to pk_check_client
1214
1215	* kdc/kdc_locl.h: pass client hdb_entry to pk_check_client
1216
1217	* kuser/kinit.c: rename ca_dir to pkinit/x509_anchors since its
1218	more like that language in RFC3280
1219
1220	* lib/krb5/pkinit.c: rename ca_dir to pkinit/x509_anchors since
1221	its more like that language in RFC3280
1222
1223	* lib/krb5/krb5.conf.5: document
1224	[libdefaults]fcc-mit-ticketflags=boolean
1225
1226	* lib/krb5/fcache.c (fcc_store_cred): use
1227	[libdefaults]fcc-mit-ticketflags=boolean to decide what format to
1228	write the fcc in. Default to mit version (aka heimdal 0.7)
1229
1230	* lib/krb5/store.c: add _krb5_store_creds_heimdal_0_7 and
1231	_krb5_store_creds_heimdal_pre_0_7 that store the creds in just
1232	that format make krb5_store_creds default to mit format
1233
1234	* lib/krb5/store.c (krb5_ret_creds): Runtime detect the what is
1235	the higher bits of the bitfield
1236
12372004-03-08  Love Hörnquist Åstrand  <lha@it.su.se>
1238
1239	* lib/krb5/store.c (krb5_store_creds): add disabled code that
1240	store the ticket flags in reverse order
1241	(bitswap32): new function
1242
1243	* lib/krb5/store.c (krb5_ret_creds): if the higher ticket flags
1244	are set, its a mit cache, reverse the bits, bug pointed out by
1245	Sergio Gelato <Sergio.Gelato@astro.su.se>
1246
12472004-03-07  Love Hörnquist Åstrand  <lha@it.su.se>
1248
1249	* lib/hdb/hdb-ldap.c: use macro for HDB * -> LDAP *
1250
1251	* kuser/kinit.c: when running kinit with a subprocess, fetch new
1252	tickets after half the tickets lifetime
1253
1254	* lib/hdb/hdb.c: spelling
1255
1256	* lib/hdb/hdb-ldap.c: Intergrate Heimdal's hdb-ldap and the Samba
1257	password database.  From: Andrew Bartlett <abartlet@samba.org>
1258
1259	* kdc/config.c: add --disable-DES
1260
1261	* kdc/kdc.8: document --detach and --disable-DES
1262
1263	* kdc/kerberos5.c: check if enctype is disabled before using it
1264
1265	* lib/krb5/crypto.c: add support for disabling checksum/encryption
1266	types
1267
1268	* tools/kdc-log-analyze.pl: add more cases
1269
1270	* kdc/connect.c: on strange tcp error; log local port number and
1271	socket type
1272
1273	* lib/asn1/der.h: fix prototype of encode_utf8string
1274
1275	* lib/asn1/gen.c: catch CHOICE and generate dummy placeholder
1276
1277	* lib/asn1/lex.l: added dummy parsing of CHOICE
1278
1279	* lib/asn1/parse.y: added dummy parsing of CHOICE
1280
1281	* lib/asn1/k5.asn1: drop SMTP_NAME
1282
12832004-03-06  Love Hörnquist Åstrand  <lha@it.su.se>
1284
1285	* lib/hdb/Makefile.am: support building ldap backend as module
1286	sort asn1 hdb files
1287
1288	* lib/hdb/hdb.c: when building ldap as a shared module, don't
1289	include it in the list
1290
1291	* configure.in: add --enable-hdb-openldap-module
1292
1293	* lib/hdb/hdb-ldap.c: make ldap possible to build as a shared
1294	module
1295
1296	* lib/hdb/mkey.c: add hdb_{,un}seal_key{,_mkey} from Andrew
1297	Bartlett <abartlet@samba.org>
1298
1299	* lib/krb5/crypto.c (decrypt_internal_special): do not not modify
1300	the original data test case from Ronnie Sahlberg
1301	<ronnie_sahlberg@ozemail.com.au>
1302
13032004-03-03  Love Hörnquist Åstrand  <lha@it.su.se>
1304
1305	* lib/krb5/test_cc.c: more cc tests, mostly related to mcc
1306	behavior
1307
1308	* lib/krb5/mcache.c (mcc_get_principal): also check for
1309	primary_principal == NULL now that that isn't used as dead flag
1310
1311	* lib/krb5/mcache.c: don't overload the primary_principal == NULL
1312	as dead since that doesn't always work. Based on patch from
1313	Jeffrey Hutzelman <jhutz@cmu.edu>, tweeked by me
1314
13152004-02-22  Love Hörnquist Åstrand  <lha@it.su.se>
1316
1317	* kdc/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp
1318
1319	* lib/krb5/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp
1320
1321	* lib/hdb/db3.c: fix all db >= 4.1 cases
1322
1323	* doc/setup.texi: add text about hostname to realm mapping using
1324	DNS
1325
13262004-02-20  Love Hörnquist Åstrand  <lha@it.su.se>
1327
1328	* kdc/pkinit.c: update error codes
1329
1330	* lib/krb5/krb5_err.et: prefix pkinit error codes with KRB5_
1331
1332	* lib/krb5/pkinit.c: update error codes
1333
13342004-02-19  Love Hörnquist Åstrand  <lha@it.su.se>
1335
1336	* lib/krb5/pkinit.c: indent, use krb5_abortx() instead of abort()
1337
1338	* lib/krb5/init_creds_pw.c (process_pa_data_to_key): spelling
1339
1340	* lib/krb5/store.c: handle memory allocate errors
1341
1342	* lib/krb5/fcache.c (_krb5_xlock): handle that everything was ok,
1343	and don't put an error in the error strings then
1344
13452004-02-13  Love Hörnquist Åstrand  <lha@it.su.se>
1346
1347	* kdc/pkinit.c: s/heim_big_integer/heim_integer/
1348
1349	* lib/krb5/pkinit.c: s/heim_big_integer/heim_integer/
1350
1351	* kdc/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT errors
1352
1353	* lib/krb5/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT
1354	errors
1355
1356	* lib/krb5/heim_err.et: add HEIM_PKINIT specific errors
1357
13582004-02-12  Love Hörnquist Åstrand  <lha@it.su.se>
1359
1360	* configure.in: rename AC_WFLAGS to rk_WFLAGS
1361
1362	* acinclude.m4: use m4_define, over-quote string
1363
13642004-02-11  Love Hörnquist Åstrand  <lha@it.su.se>
1365
1366	* lib/krb5/init_creds_pw.c (change_password): handle that
1367	printf("%.*s", 0, (void*)NULL); doesn't work on solaris
1368
13692004-02-10  Love Hörnquist Åstrand  <lha@it.su.se>
1370
1371	* kpasswd/kpasswd.c (change_password): handle that printf("%.*s",
1372	0, (void*)NULL); doesn't work on solaris
1373
1374	* lib/krb5/krb5.conf.5: don't use path's in first .Nm, it confuses
1375	some locate.updatedb, use FILES section to describe where the file
1376	is instead.
1377
13782004-02-07  Love Hörnquist Åstrand  <lha@it.su.se>
1379
1380	* lib/asn1/check-der.c: test for "der_length.c: Fix len_unsigned
1381	for certain negative integers, it got the length wrong" , from
1382	Panasas, Inc.
1383
1384	* lib/asn1/der_length.c: Fix len_unsigned for certain negative
1385	integers, it got the length wrong, fix from Panasas, Inc.
1386
1387	rename len_int and len_unsigned to _heim_\&
1388
1389	* lib/asn1/der_locl.h: add _heim_len_unsigned, _heim_len_int
1390
13912004-02-06  Dave Love  <d.love@dl.ac.uk>
1392
1393	* configure.in: Check for sys/socket.h, net/if.h.  Modify term.h,
1394	security/pam_appl.h tests.
1395
13962004-02-03  Love Hörnquist Åstrand  <lha@it.su.se>
1397
1398	* lib/asn1/check-gen.c: test for: (length_type): TSequenceOf: add
1399	up the size of all the elements, don't use just the size of the
1400	last element.
1401
1402	* lib/krb5/aes-test.c: add "next iv" test for aes128, check
1403	decryption case too
1404
1405	* lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of
1406	the next to last block, fix decryption case too
1407
1408	* lib/krb5/aes-test.c: add "next iv" test for aes128
1409
1410	* lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of
1411	the next to last block
1412
1413	* lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode
1414	error
1415
1416	* lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode
1417	error
1418
1419	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): abort on internal asn1
1420	encode error
1421
1422	* lib/krb5/mk_priv.c (krb5_mk_priv): abort on internal asn1 encode
1423	error
1424
1425	* lib/krb5/get_cred.c (make_pa_tgs_req): abort on internal asn1
1426	encode error
1427
1428	* lib/krb5/build_auth.c (krb5_build_authenticator): abort on
1429	internal asn1 encode error
1430
1431	* lib/krb5/build_ap_req.c (krb5_build_ap_req): abort on internal
1432	asn1 encode error
1433
14342004-01-30  Love Hörnquist Åstrand  <lha@it.su.se>
1435
1436	* doc/setup.texi: some text about order of [capaths] realms
1437
14382004-01-25  Love Hörnquist Åstrand  <lha@it.su.se>
1439
1440	* lib/krb5/context.c: register WRFILE ops
1441
1442	* lib/krb5/keytab_file.c: add krb5_wrfkt_ops/WRFILE (same as FILE)
1443
1444	* lib/krb5/krb5.h: add krb5_wrfkt_ops
1445
1446	* kpasswd/kpasswdd.c (change): use the right password when
1447	changing the password
1448
14492004-01-21  Love Hörnquist Åstrand  <lha@it.su.se>
1450
1451	* lib/krb5/fcache.c (_krb5_xlock): catch EINVAL and assume that it
1452	means that the filesystem doesn't support locking
1453
1454	* lib/krb5/keytab.c: remove #if 0 out file locking code
1455
14562004-01-19  Love Hörnquist Åstrand  <lha@it.su.se>
1457
1458	* lib/asn1/gen_length.c (length_type): TSequenceOf: add up the
1459	size of all the elements, don't use just the size of the last
1460	element.
1461
14622004-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
1463
1464	* kuser/kinit.c (renew_validate): if renewable_flag and not time
1465	specifed, use "1 month"
1466
14672004-01-08  Love Hörnquist Åstrand  <lha@it.su.se>
1468
1469	* lib/krb5/krb5_keyblock.3: add prototypes, describe
1470	krb5_keyblock_zero
1471
14722004-01-05  Love Hörnquist Åstrand  <lha@it.su.se>
1473
1474	* lib/krb5/get_for_creds.c (add_addrs): don't add same address
1475	multiple times
1476
1477	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): try to
1478	handle errors better for previous commit
1479
1480	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): If tickets
1481	are address-less, forward address-less tickets.
1482
1483	* lib/krb5/get_cred.c: rename get_krbtgt to _krb5_get_krbtgt and
1484	export it
1485
1486