2005-12-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c (tgs_make_reply): less const on hdb_entry_ex to
	make samba happy

	* fix-export: Build kdc-private.h.

2005-12-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c (tgs_rep2): also print the principal for which
	the enctype was missing

2005-12-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kaserver.c: Finish up transition from hdb_entry to
	hdb_entry_ex.

	* kdc/kerberos4.c: Finish up transition from hdb_entry to
	hdb_entry_ex.

	* kdc/524.c: Finish up transition from hdb_entry to hdb_entry_ex.

	* kdc/kerberos5.c: Finish up transition from hdb_entry with
	hdb_entry_ex.

	* lib/krb5/cache.c (krb5_cc_set_default_name): use
	KRB5_DEFAULT_CCNAME.

	* lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME, pointer to
	default credential cache.

	* lib/hdb/ndbm.c: memset hdb_entry_ex before use

	* lib/hdb/db3.c: memset hdb_entry_ex before use

	* lib/hdb/db.c: memset hdb_entry_ex before use

2005-12-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.3: Add some more entrypoints.

	* lib/krb5/changepw.c: If there is a target principal, use the
	realm of the realm to change the password with,

	* kuser/kinit.c: Default to use DH when fetching keys.

	* lib/hdb, kdc, kadmin/load.c: Wrap hdb_entry with hdb_entry_ex, patch
	originally from Andrew Bartlett

	* lib/hdb/hdb-ldap.c: Wrap hdb_entry with hdb_entry_ex, add url
	support, add ldapi support.

	* kdc/kerberos5.c (tgs_make_reply): there are no such things as
	keytypes any more, just use enctypes.

	* kdc/kdc_locl.h: Remove private prototypes and instead include
	<kdc-private.h>.

	* kdc/Makefile.am: Build kdc-private.h and depend on it.

	* kdc/config.c (configure): wrap line

	* doc/kerberos4.texi: KDC 4 support is always compiled in.

	* TODO: Remove some stuff that have been done.

	* Makefile.am: Split long line

	* doc/apps.texi: Spelling, From Måns Nilsson.

	* doc/install.texi: spelling, From Måns Nilsson

2005-12-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_principal.3: Constify principal argument to on
	krb5_principal_get_ functions.

	* lib/krb5/principal.c: Constify principal argument to on
	krb5_principal_get_ functions.

2005-12-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb: drop convert_db, 0.0 to 0.1 transition was a long long
	time ago

2005-12-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/test_keytab.c: more tests, From Andrew Bartlett

	* lib/krb5/keytab_memory.c (mkt_remove_entry): realloc can return
	NULL on success in the case 0 entries are allocated, From Andrew
	Bartlett

2005-12-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/acl.c (acl_parse_format): tmp needs to be freed too on
	failure to parse format specifier.

	* lib/krb5/store-test.c: Free more of the allocated memory.

	* lib/krb5/crypto.c (krb5_derive_key): Free more of the allocated
	memory, this function is only used by the test program.

	* lib/krb5/parse-name-test.c: Free more of the allocated memory.

	* lib/krb5/derived-key-test.c: Free more of the allocated memory.

2005-12-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/setup.texi: spelling, From Måns Nilsson

	* lib/krb5/krb5_keytab.3: Memory keytab are now named and
	refcounted.

	* lib/krb5/test_keytab.c: Test that memory keytab are refcounted.

	* lib/krb5/keytab_memory.c: Index by name and start reference
	counting on entries.

2005-11-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.h (krb5_address_type): add
	KRB5_ADDRESS_NETBIOS (20)

	* lib/hdb/hdb.c (find_method): accept relative paths as old db
	format too.

	* lib/krb5/aes-test.c: Remove usage of krb5_enctype_to_keytype.

2005-11-29  Dave Love  <fx@gnu.org>

	* kcm/connect.c (kcm_loop): Use HAVE_DOOR_CREATE, not HAVE_DOORS.

2005-11-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/verify_krb5_conf.c (libdefaults_entries): add
	default_cc_name

	* lib/hdb/hdb.c: Only match db databases on filename starting with
	'/'.

	* lib/krb5/rd_req.c (krb5_verify_ap_re2): check timestamp in
	authenticator

	* lib/krb5/rd_req.c (check_transited): explain the TR-type 0
	better and why it matters.

	* lib/krb5/test_cc.c: test krb5_cc_get_prefix_ops

	* lib/krb5/cache.c (krb5_cc_get_prefix_ops): change the behavior
	to return NULL when its not found, and fcc when the name starts
	with a '/'. Almost matches behavior in other parts of the code,
	but can't really do that since the name passed in to this function
	may only contain the prefix itself without the colon.

	* lib/krb5/cache.c (krb5_cc_get_prefix_ops): if there are not
	colon (:) in the name, its a file credential cache

	* lib/hdb/db3.c (hdb_db_create): use calloc to allocate memory

	* lib/hdb/ndbm.c (hdb_ndbm_create): use calloc to allocate memory

	* lib/hdb/db.c (hdb_db_create): use calloc to allocate memory

2005-11-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use session
	key for delegated credentials

	* kdc/kerberos5.c (_kdc_as_rep): add comment when we send
	ETYPE-INFO and ETYPE-INFO2, from Andrew Bartlett

2005-11-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/keytab.c (krb5_kt_get_full_name): new function

2005-11-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/test_crypto.c: Split encryption and s2k iterations to
	different counters, 38seconds of aes256 s2k is way too long.

	* lib/krb5/test_crypto.c: Add timing code for s2k function.

2005-11-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c: Print the time the principal expired, based on
	patch from Andrew Bartlett.

2005-11-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/cache.c (krb5_cc_get_full_name): Add

2005-11-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* configure.in: Spelling, From Michael Banck <mbanck@debian.org>

2005-10-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* kcm/headers.h: Maybe include <sys/param.h>.

2005-10-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type):
	understand KRB5_AUTHDATA_IF_RELEVANT and KRB5_AUTHDATA_AND_OR (but
	have KRB5_AUTHDATA_KDC_ISSUED commented out for now)

2005-10-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/klist.c: In the list caches view, rename the Status field
	to Expires.

	* lib/krb5/krb5_encrypt.3: Fix mdoc for
	krb5_encrypt_EncryptedData, Johnny Lam <jlam@pkgsrc.org>

2005-10-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* appl/test/gssapi_client.c: Check return value from asprintf
	instead of string != NULL since it is undefined behavior on
	Linux. From Björn Sandell

2005-10-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c (_krb5_dh_group_ok): if not enough bits are
	generated from the DH groups, fail.

	* kdc/pkinit.c (get_dh_param): Pass down config so this function
	can check pkinit_dh_min_bits

	* kdc/config.c: Fill in pkinit_dh_min_bits from configuration
	file.

	* kdc/kdc.h: Add pkinit_dh_min_bits to krb5_kdc_configuration.

2005-10-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c: Add option to require binding between reply
	and response for the win2k version of the protocol.

2005-10-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/programming.texi: Text about Kerberos errors.

	* lib/krb5/pkinit.c: Try both ReplyKey and ReplyKey-Win2k for the
	Windows case to support the updated -09 protocol (using
	asChecksum). Tell KDC we support this by sending
	KRB5-PADATA-PK-AS-09-BINDING in the pa-data.

	* lib/krb5/test_cc.c: Test copy FILE -> FILE, and MEMORY -> MEMORY
	too.

	* lib/krb5/test_cc.c: Test krb5_cc_copy_cache and
	krb5_cc_cache_match.

	* lib/krb5/cache.c (krb5_cc_cache_match): add function that
	iterates over all credential caches for a user and returns a
	match.

	* lib/krb5/krb5_ccache.3: Add krb5_cc_start_seq_get and an
	example.

2005-10-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/programming.texi: Try to explain krb5_ccache, krb5_principal
	and errors.

2005-10-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_get_credentials.3: Add example how to use
	krb5_get_credentials.

2005-10-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/init_creds.c: Rename private to opt_private.

	* lib/krb5/init_creds_pw.c: Rename private to opt_private.

	* lib/krb5/pkinit.c: rename element private to opt_private to make
	c++ picky compilers less upset.

	* lib/krb5/krb5.h (krb5_get_init_creds_opt): rename element
	private to opt_private to make c++ picky compilers less upset.

2005-10-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krbhst.c (_krb5_krbhost_info_move): new function
	(_krb5_free_krbhst_info): expose to internal use

	* lib/krb5/init_creds_pw.c: Prepare to pass down a
	krb5_krbhst_info into the pre-auth mechs

	* lib/krb5/pkinit.c: Inline short functions, share more code,
	rename COMPAT_27 to COMPAT_IETF, pass down a krb5_krbhst_info for
	verification of KDC info, and general cleaning up.

2005-10-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am: Install krb5.moduli in sysconfdir.

	* lib/krb5/krb5_locl.h: rename moduli file to SYSCONFDIR
	"/krb5.moduli"

	* lib/krb5/krb5_locl.h: Add forward declaration for
	krb5_dh_moduli. Add define for MODULI_FILE.

	* kdc/pkinit.c: Removing PK-INIT-19 support.

	* lib/krb5/pkinit.c: Removing PK-INIT-19 support.

	* lib/krb5/pkinit.c (_krb5_dh_group_ok): return DH group name on
	success.
	(krb5_get_init_creds_opt_set_pkinit): use moduli file if it exists

	* kdc/pkinit.c: Save DH group name and print it on success.

	* lib/krb5/pkinit.c (_krb5_dh_group_ok): if q is zero, ignore it.

	* kdc/pkinit.c: Check dh group parameters from client.

	* lib/krb5/krb5_err.et: Match error code with pk-init-27.

	* lib/krb5/pkinit.c: Update error codes. Add name to group. Change
	return value of _krb5_dh_group_ok.

	* lib/krb5/pkinit.c: Add support for reading a moduli-file for DH
	parameters.

2005-10-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/klist.1: Document --list-caches

	* kuser/klist.c: Change short flag of --list-caches to -l (-v is
	already used).

2005-10-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/kerberos.8: RFC 1510 was obsoleted by 4120.

	* lib/krb5/acache.c (init_ccapi): return kerberos errors, callers
	expect it
	(acc_get_cache_first): don't leak memory or abort on malloc
	failure

2005-10-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/kerberos.8: Update text about Kerberos RFC's.

2005-10-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/klist.c: Add option --list-caches that lists the available
	caches and their status.

	  $ klist --list-caches
	  Principal       Cache name              Status
	  lha@E.KTH.SE    2                       Valid
	  lha@SU.SE       1                       Expired
	  lha/root@SU.SE  0                       Expired
	  lha@N.L.NXS.SE  Initial default ccache  Expired

2005-09-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/keytab_keyfile.c: Use all DES keys, not just
	des-cbc-md5, verify that they all are the same.

	* lib/krb5/mcache.c: Implement the cache iteration functions.

	* lib/krb5/acache.c: Implement the cache iteration functions.

	* lib/krb5/test_cc.c: Test the new cache iteration functions.

	* lib/krb5/cache.c: Add cache iteration functions. Add internal
	allocation function for the memory of a krb5_ccache, and use it.

	* lib/krb5/krb5.h (krb5_cc_ops): add cache iteration functions

2005-09-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_mk_req.3: Remove leftovers, remove extra space.

	* kdc/kerberos5.c: More verbose PK-INIT logging.

	* kdc/pkinit.c: The public DH key is encoded as an INTEGER in
	subjectPublicKey. Don't verify OID's for now.

	* lib/krb5/pkinit.c: Support cached DH variable (still need to
	store it though), don't check the oid of the DH signedData for
	now.

2005-09-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/rd_cred.c (krb5_rd_cred): try both the session key and
	the sender subkey. Both RFC1510 and RFC4120 say that you have to
	use the session key, Heimdal uses subkey.

2005-09-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c: Don't check oid's too closely, they change in
	Windows Vista.

2005-09-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c: Disable sending -19, fix parsing -27 of the
	protocol.

	* kdc/pkinit.c: Support PK-INIT-27 DH (and remove -19)

	* lib/krb5/pkinit.c (pk_verify_chain_standard): set cert to NULL
	to make sure its not freed.

2005-09-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/crypto.c (krb5_DES_string_to_key): If the opaque length
	is set to 1, and content is 0x01, use the afs3 string-to-key.

	* kdc/kerberos5.c (make_etype_info2_entry): When its a afs3-salted
	key, use send the opaque, length 1 (with content set to 0x01) in
	ETYPE-INFO2-ENTRY.

	* lib/krb5/kcm.c: Remove signedness warnings.

2005-09-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* configure.in: Use libtool's default values for building
	shared/static libraries, ie remove AC_ENABLE_SHARED(no), solves
	building problems users have on Mac OS X.

2005-09-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/changepw.c: Constify password.

2005-09-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_mk_req.3: Document krb5_rd_req.

	* lib/krb5/Makefile.am: MAN_mans+= krb5_mk_req.3

	* lib/krb5/krb5_mk_req.3: Document krb5_mk_req, krb5_mk_req_exact,
	krb5_mk_req_extended, krb5_rd_req, krb5_rd_req_with_keyblock,
	krb5_mk_rep, krb5_mk_rep_exact, krb5_mk_rep_extended, krb5_rd_rep,
	krb5_build_ap_req, krb5_verify_ap_req.

2005-09-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c (make_etype_info_entry): Dont send salttype at
	all, use KRB5-PADATA-AFS3-SALT

2005-08-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c (log_timestamp): endtime, not endtype

2005-08-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* configure.in: Check for <sys/ucred.h>.

	* kcm/connect.c (update_client_creds): in case there is no
	UCRED_VERSION, skip LOCAL_PEERCRED

	* kcm/headers.h: include <sys/ucred.h>

2005-08-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/rd_req.c (check_transited): Allow empty content of type
	0 because that is what Microsoft generates in their TGT.

	* kdc/kerberos5.c (fix_transited_encoding): Allow empty content of
	type 0 because that is what Microsoft generates in their TGT.

2005-08-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/intro.texi: RFC 4120 replaces RFC 1510

2005-08-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* configure.in: Add --disable-afs-support.

2005-08-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am: Add test_hostname to check_PROGRAMS but
	not TESTS, I have no same dns to use.

	* lib/krb5/test_hostname.c: Testprogram for krb5_expand_hostname()
	and krb5_expand_hostname_realms().

	* configure.in: Build KCM if we have doors or unix sockets.

	* lib/krb5/principal.c (krb5_425_conv_principal_ex2): Remove
	shadowing variable.

	* lib/krb5/get_host_realm.c (dns_find_realm): Fix const warnings,
	plug memory leak. From: Stefan Metzmacher <metze@samba.org>

	* lib/krb5/krb5_config.3: Document what happens with NULL to
	krb5_config_free_strings
	(nothing). Mdoc nit.

2005-08-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/klist.c (check_for_tgt): Re-order code so it only free the
	credential if one was returned.

	* lib/krb5/test_crypto_wrapping.c: Fix printing of size_t.

2005-08-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/dbinfo.c: provide interface to find databases

	* lib/hdb/mkey.c (hdb_seal_key_mkey): dont double encrypt keys

2005-08-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kdc_locl.h: Update prototype for _kdc_pk_mk_pa_reply.

2005-08-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/init_creds_pw.c: Save the request buffer so that
	pre-auth mechanism that needs it can verify the reply.

2005-08-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/test_mem.c: Rename logf to avoid shadowing.

	* lib/krb5/krb5_keytab.3: Fix the version number for
	fcc-mit-ticketflags.

	* lib/krb5/fcache.c: Revert previous, I was confused.

	* lib/krb5/krb5_keytab.3: Document fcc-mit-ticketflags in
	COMPATIBILITY section.

	* lib/krb5/fcache.c (fcc_store_cred): default to MIT style ticket
	flags.

	* kdc/pkinit.c (pk_mk_pa_reply_enckey): add missing break;

	* lib/krb5/krb5_create_checksum.3: Update prototype for
	krb5_create_checksum.

	* kdc/pkinit.c: Make compile.

	* lib/krb5/pkinit.c: Implement verification of asChecksum, now
	client side code is using -27 of the pk-init draft.

	* kdc/kdc_locl.h: update prototype for _kdc_as_rep

	* kdc/pkinit.c: Fill in asChecksum, we now implement -27 in the KDC.

	* kdc/process.c: Pass down the request buffer to _kdc_as_rep().

	* kdc/kerberos5.c (_kdc_as_rep): Pass down the request buffer to
	_kdc_pk_mk_pa_reply.

2005-08-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/ext.c: HDB extensions access glue.

	* kcm/acquire.c: Use krb5_set_password instead of
	krb5_change_password.

	* configure.in: Add tests/Makefile and tests/db/Makefile.

	* NEWS: New ASN.1 compiler

	* lib/hdb/Makefile.am: Build extensions.

	* lib/hdb/print.c: Print extensions.

	* lib/hdb/hdb_err.et: Add error "Entry contains unknown mandatory
	extension".

	* lib/hdb/hdb.h: Update interface version (and indent).

	* lib/hdb/hdb.asn1: Add support for HDB-extension.

2005-08-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/test_pkinit_dh2key.c: add tests vectors from
	"Liqiang(Larry) Zhu" <lzhu@windows.microsoft.com>

	* lib/hdb/mkey.c: Expose the crypto operations on the master key.

	* lib/krb5/test_pkinit_dh2key.c: even more bits, not done yet

2005-08-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c (_kdc_as_rep): preserve the error code in the
	ENC-TS case.
	From: Andrew Bartlett <abartlet@samba.org>

	* kdc/kerberos5.c (tgs_rep2): only needs to log "Failed to verify
	authenticator" once, its already done by
	tgs_check_authenticator().

	* kdc/kerberos5.c: Indent strings.

	* kdc/kerberos5.c (log_timestamp): avoid shadow warnings From:
	Andrew Bartlett <abartlet@samba.org>

	* lib/krb5/verify_user.c: Add krb5_verify_opt_alloc and
	krb5_verify_opt_free.

	* lib/krb5/krb5_verify_user.3: Document krb5_verify_opt_alloc and
	krb5_verify_opt_free.

	* lib/hdb/db3.c (DB_open): catch errors from the d->open calls
	instead of letting them slip through to d->cursor. Bug report from
	Andrew Bartlett <abartlet@samba.org>

2005-07-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/Makefile.am (kdc_LDADD): add LDADD

2005-07-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c (_kdc_as_rep): log what enctypes was using in
	ENC-TS preauth, both for failure and success.

	* kdc/hprop.c: Use the _krb5_krb_life_to_time function from
	libkrb5 instead of including our own here too.

	* kdc/kerberos5.c: indent printf strings

	* lib/hdb/mkey.c (hdb_unseal_key_mkey): try to unseal key with
	keyusage 0 in case the key was encrypted with MIT Kerberos (old
	patch from Johan)

2005-07-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/pkinit.c: update to pkinit-27

2005-07-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c: Adapt to IMPLICIT changes in CMS module.

2005-07-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/test_pkinit_dh2key.c: framework for testing
	_krb5_pk_octetstring2key

	* kpasswd/kpasswdd.c (doit): krb5_addr2sockaddr takes a
	krb5_socklen_t

	* kdc/connect.c (de_http): sscanf takes a char *, not unsigned
	ditto, cast appropriately

	* lib/krb5/crypto.c (_krb5_pk_octetstring2key): make sha1 output
	unsigned char to match openssl

2005-07-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/common.c: Check encoder lengths from ASN1_MALLOC_ENCODE.

2005-07-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/rd_cred.c (krb5_rd_cred): don't leak memory

	* lib/krb5/get_cred.c (krb5_get_credentials_with_flags): only call
	krb5_cc_retrieve_cred once, and plug memory leak.

2005-07-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/Makefile.am: the new asn.1 compiler includes the modules
	name in the depend file

	* lib/krb5/keytab_file.c (fkt_start_seq_get_int): check return
	value from krb5_storage_from_fd

	* lib/krb5/pkinit.c (pk_rd_pa_reply_dh): client do not contribute
	to the DH when the server doesn't support the cached DH request.

	* lib/krb5/crypto.c (_krb5_pk_octetstring2key): fix arguments

2005-07-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c: clean up pk-init DH support, not finished
	yet; improve error reporting

	* lib/krb5/crypto.c (_krb5_pk_octetstring2key): string2key
	function used in pk-init-25

	* configure.in: Use a configure switch to turn on PK-INIT, not by
	detecting existence of the new ASN.1 library.

	* lib/asn1: Much improved ASN.1 compiler from joda-choice-branch.

	Highlights for the compiler is support for CHOICE and in general better
	support for tags. This compiler support most of what is needed for
	PK-INIT, LDAP, X.509, PKCS-12 and many other protocols.

2005-07-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/asn1: make scope variables unique to avoid shadow warnings

2005-07-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.h: comment out parameter name in typedef
	functions to avoid shadow warnings

	* lib/krb5/crypto.c: make input data to krb5_encrypt{,_ivec} const

	* kuser/klist.c: If there are no addresses, print addressless
	instead of nothing.

	* lib/krb5/Makefile.am (TESTS): add test_crypto_wrapping

	* lib/krb5/crypto.c (wrapped_length): the underived encrypted
	types checksum are all unkeyed (matches the code in
	encrypt_internal() and encrypt_internal_special())

	* lib/krb5/test_crypto_wrapping.c: ETYPE_ARCFOUR_HMAC_MD5_56 isn't
	not supported

	* lib/krb5/test_crypto_wrapping.c: test encryption wrapping

	* lib/krb5/test_crypto.c (time_encryption): free cleartext buffer

2005-07-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* configure.in: run AM_INIT_AUTOMAKE before AM_PROG_CC_C_O
	otherwise am_aux_dir will be expanded using ac_aux_dir before the
	latter is set.

	* configure.in: check for strings.h explicitly instead of
	depending on AC_HEADER_STDC to check it for us

2005-07-07  Assar Westerlund  <assar@kth.se>

	* configure.in: add AM_PROG_CC_C_O for automake 1.9

2005-07-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/keytab.c (krb5_kt_get_entry): clear error string when
	returning a new error

	* lib/krb5/keytab.c: krb5_kt_close frees all resources, even on
	error.

	* lib/krb5/verify_init.c (krb5_verify_init_creds): `entry' unused,
	remove From: "Henry B. Hotz" <hotz@jpl.nasa.gov>

2005-07-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/win2k.texi: arcfour-hmac-md5 support for windows cross was
	added in w2k3-sp1 From David Love

	* doc/setup.texi: document kadmin command password-quality instead
	of the not installed test_pw_quality

	* lib/krb5/krb5_get_init_creds.3: Spelling, from David Love

	* fix-export: build kdc-protos.h

2005-07-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc: prefix pkinit symbols with _kdc

	* kuser/kinit.c: avoid shadowing variables

	* kuser: s/optind/optidx/

	* kdc: adapt pkinit code to libkdc split

2005-06-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* tools/Makefile.am: add dependency on LIB_dlopen and LIB_door_create

	* tools/krb5-config.in: add dependency on LIB_dlopen and LIB_door_create

	* kdc/kdc_locl.h: indent, remove dup prototypes

	* kdc/libkdc: don't pollute namespace, generate public headerfile

	* lib/krb5/principal.c: add krb5_425_conv_principal_ext2 that work
	just like krb5_425_conv_principal_ext but takes a context variable
	for the verification function

	* kdc/Makefile.am: there is no export script, not pretend there is

	* kdc: Merge in the libkdc/kdc configuration split from Andrew
	Bartlett <abartlet@samba.org>

	* lib/krb5/crypto.c: optionally compile in support for afs string2key

	* configure.in: add --disable-afs-string-to-key to allow removal
	of support for afs string2key (and dependency on crypt)

2005-06-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c: Add logging of all timestamps in AS-REQ and
	TGS-REQ, for auditing

	* kdc/kerberos5.c (as_req): print the supported encryption types
	so its possible to know what clients to update.
	(find_rpath): return const char * and update callers.

2005-06-28  Luke Howard  <lukeh@padl.com>

	* kcm/connect.c: fix arguments to kcm_log() when reporting
	sendmsg() error

	* kcm/connect.c: don't send socket address in msghdr, it
	returns an already connected error on Linux

2005-06-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/524.c: Always include <krb5-v4compat.h>.

2005-06-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/intro.texi: no more libdes, gssapi lib is complete

	* lib/krb5/krb5.conf.5: Documentation for password quality
	control. From: "James F. Hranicky" <jfh@cise.ufl.edu>

	* lib/krb5/verify_krb5_conf.c (password_quality_entries): add
	min_length and min_classes

	* kdc/kaserver.c: log the kaserver requests, avoid shadowing
	variables

	* lib/hdb/db3.c (DB_open): in case of error, close database

	* lib/hdb/ndbm.c (NDBM_open): in case of error, close database

	* lib/hdb/db.c (DB_open): in case of error, close database

2005-06-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* kcm/kcm.8: fix example

2005-06-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/rd_rep.c: indent

	* lib/krb5/rd_rep.c (krb5_rd_rep): check if
	KRB5_AUTH_CONTEXT_DO_TIME set and use that as a cue that timestamp
	should be checked, DCE-STYLE gssapi needs to be able to tweak this

	* kdc/string2key.c: rename optind to optidx

	* lib/hdb/convert_db.c: rename optind to optidx

	* lib/hdb/keytab.c: const poison, add a unconst where needed

	* lib/krb5/crypto.c (krb5_string_to_key): unconst password

	* lib/asn1/k5.asn1: rename pvno to krb5-pvno

	* lib/krb5/get_in_tkt_with_keytab.c (krb5_keytab_key_proc):
	unconst argument

	* lib/krb5/verify_krb5_conf.c: rename optind to optidx

	* lib/krb5/transited.c: rename the temporary string variable to
	`str'

	* lib/krb5/test_crypto.c: rename optind to optidx

	* lib/krb5/test_alname.c: rename optind to optidx

	* lib/krb5/store.c: unconst argument to krb5_store (XXX this
	should be fixed, krb5_store doesn't need to modify its argument)

	* lib/krb5/send_to_kdc.c (krb5_sendto): remove shadowing
	unnecessary variable ret

	* lib/krb5/rd_cred.c (krb5_rd_cred): remove shadowing unnecessary
	variable len

	* lib/krb5/prog_setup.c: rename optind to optidx

	* lib/krb5/padata.c: rename variable index to idx

	* lib/krb5/log.c: rename variable time to timestr to avoid
	shadowing

	* lib/krb5/krbhst.c (krb5_krbhst_init_flags): rename variable to
	avoid shadowing

	* lib/krb5/krbhst-test.c: rename optind to optidx

	* lib/krb5/kcm.c: unconst argument to connect, unconst argument to
	krb5_store (XXX this should be fixed, krb5_store doesn't need to
	modify its argument)

	* lib/krb5/init_creds_pw.c (default_s2k_func): unconst password

	* lib/krb5/crypto.c: rename `encrypt' to avoid shadow warning

2005-06-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/principal.c: rename index to idx

	* lib/krb5/mk_error.c: use rk_UNCONST

	* lib/krb5/fcache.c: rename to avoid shadowing

	* lib/krb5/config_file.c: rename to avoid shadowing

	* lib/krb5/cache.c (_krb5_expand_default_cc_name): just copy the
	string instead of losing const

	* lib/krb5/addr_families.c: use rk_UNCONST to silence const
	warning

	* lib/krb5/addr_families.c: rename sin to sin4

	* lib/asn1/asn1_print.c: rename optind to optidx, remove shadowed
	variables

	* lib/asn1/main.c: rename optind to optidx

	* lib/asn1/gen_copy.c: rename to avoid shadowing

	* lib/asn1/gen_locl.h: rename function filename to get_filename

	* lib/asn1/lex.l: use get_filename

	* lib/asn1/gen.c: rename function filename to get_filename

	* lib/krb5/acache.c: use HAVE_DLOPEN around cc_handle

	* configure.in: add headers and prototypes to logwtmp, logout and
	openpty checks

	* configure.in: include headerfiles and set prototype for tgetent

	* kdc/kerberos5.c (make_etype_info2_entry): NUL terminate the
	string

	* kdc/kerberos5.c: replace strndup with inline copy, free data on
	failure

	* lib/krb5/cache.c (_krb5_expand_default_cc_name): replace strndup
	with inline copy

	* lib/krb5/log.c: rename close and log to avoid shadow warnings

	* lib/krb5/get_in_tkt.c: rename index to i to avoid shadowing

	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): rename two
	of the local `realm' to srealm to avoid shadowing

	* kdc/kerberos5.c (tgs_rep2): rename one of the tkey to uukey to
	avoid shadow warning

	* kdc/kerberos5.c (tgs_rep2): rename loop to nloop to avoid shadow
	warning

2005-06-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* Release 0.7, see branch

2005-06-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am: TESTS += test_mem libkrb5_la_SOURCES +=
	kcm.h

	* kuser/kinit.c (main): catch KRB5_CONFIG_BADFORMAT from
	krb5_init_context

	* kdc/main.c (main): catch KRB5_CONFIG_BADFORMAT from
	krb5_init_context

	* lib/krb5/verify_krb5_conf.c (main): catch KRB5_CONFIG_BADFORMAT
	from krb5_init_context From: Mathias Feiler
	<feiler@uni-hohenheim.de>

	* lib/krb5/verify_krb5_conf.c: Add more missing entries, from
	Mathias Feiler <feiler@uni-hohenheim.de>

2005-06-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/pkinit.c (pk_principal_from_X509): remember to free
	KRB5PrincipalName

	* lib/krb5/log.c (krb5_closelog): free all content in
	krb5_log_facility

2005-06-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/524.c: init kvno to please gcc

	* kdc/kaserver.c (do_authenticate): check return value from
	unparse_auth_args

2005-06-07  Dave Love  <fx@gnu.org>

	* doc/setup.texi: Spelling.

	* doc/programming.texi: Spelling.

2005-06-02  Dave Love  <fx@gnu.org>

	* kcm/connect.c (kcm_door_server): Make static.

	* kcm/kcm_locl.h (disallow_getting_krbtgt): Declare.

2005-06-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/mit_dump.c (mit_prop_dump): cast argument to
	krb5_parse_principal to avoid warning

	* kdc/mit_dump.c: rename KRB5_TL_MOD_PRINC to
	mit_KRB5_TL_MOD_PRINC to hint it's a constant originating from mit
	codebase

2005-06-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/store.c: If we are allocating 0 entries, avoid failing
	if ALLOC returns NULL

	* lib/krb5/verify_krb5_conf.c: Check for [kdc]v4-realm

	* lib/krb5/cache.c: When returning a new error code, set error
	string.

2005-05-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/keytab_file.c: Adapt to changed signature of
	_krb5_xunlock, clear more error string where needed.

	* lib/krb5/fcache.c (_krb5_xunlock): catch the error and turn it
	into something sensible

2005-05-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c (tgs_make_reply): copy ok-as-delegate flag from
	server entry to encrypted ticket flags

2005-05-30  Johan Danielsson  <joda@pdc.kth.se>

	* kdc/connect.c: rename sendlength to prependlength (which
	hopefully better represents its purpose), and change type to
	krb5_boolean

	* kdc/connect.c: log signal causing exit

	* kdc/main.c (sigterm): set exit_flag to signal causing exit;
	(main): trap SIGXCPU

2005-05-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* kcm/kcm.8: document --disallow-getting-krbtgt and --door-path

	* kcm/protocol.c (kcm_op_retrieve): check server for krbtgt, not
	client

	* kcm/main.c: ignore SIGPIPE

	* kcm/protocol.c: Add option to disallow getting krbtgt out from
	KCM.
	KCM will do the fetching part itself.

	* kcm/config.c: Add option to disallow getting krbtgt out from
	KCM. KCM will do the fetching part itself.

2005-05-30  Luke Howard  <lukeh@padl.com>

	* kcm/events.c: if credentials have expired when attempting
	to renew, attempt to reacquire them using initial creds

2005-05-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_principal.3: Spelling, from Björn Sandell

	* doc/setup.texi: spelling, from Björn Sandell

	* lib/krb5/name-45-test.c: XXX don't run the test unless the
	machine is in kth.se or su.se because it depends on local resolver
	configuration.

	* lib/hdb/hdb.c: provide RTLD_NOW and RTLD_GLOBAL if they don't
	exist

	* kcm/connect.c: fix doors support, fix signedness warnings

	* kcm/config.c: add --door-path=

	* configure.in: comment what the "detect doors on solaris"
	fragment tries to do

	* kcm/acquire.c (generate_random_pw): fix signed-ness warnings

	* kcm/connect.c (update_client_creds): fix compile error in the
	getpeerucred case

	* lib/krb5/test_cc.c: change format for expansion variables in
	default_cc_name to %{variable} to not confuse them with shell
	ditto

	* kcm/headers.h: Maybe include <door.h>.

	* kcm/kcm_locl.h: add extern door_path;

	* configure.in: detect doors using door_create

	* kcm/Makefile.am: add dependency on kcm_protos.h add lib dependency on
	LIB_door_create

	* lib/krb5/kcm.h: add _PATH_KCM_DOOR, default path to kcm door

	* lib/krb5/kcm.c: use [libdefaults]kcm_door to find the door to
	kcm

	* lib/krb5/Makefile.am: libkrb5_la_LIBADD += LIB_door_create

	* lib/krb5/krb5_locl.h: Maybe include <sys/mman.h>, maybe include
	<door.h>.

	* lib/krb5/kcm.c (kcm_send_request): add support for doing a door
	call to kcm

	* lib/asn1: prefix Der_class with ASN1_C_ to avoid problems with
	system headerfiles that pollute the name space

	* kcm/kcm.8: change format for expansion variables in
	default_cc_name to %{variable} to not confuse them with shell
	ditto

	* lib/krb5/krb5.conf.5: change format for expansion variables in
	default_cc_name to %{variable} to not confuse them with shell
	ditto

	* lib/krb5/cache.c (_krb5_expand_default_cc_name): change format
	for expansion variables to %{variable} to not confuse them with
	shell ditto

	* kcm/connect.c: add LOCAL_PEERCRED and experimental doors support

2005-05-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* appl/kf/kfd.c: cast uid_t to unsigned long in printf format

2005-05-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_auth_context.3: remove trailing space

2005-05-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* kcm/connect.c (do_request): use sendmsg to send the reply

	* fix-export: add make_proto for kcm/kcm_protos.h

	* kcm/kcm_locl.h: remove prototypes and add <kcm_protos.h>

	* kcm/Makefile.am (kcm_SOURCES): add headerfiles
	(kcm_protos.h): generate prototypes

	* kcm/protocol.c: fix error in last commit, use right function

	* kcm/headers.h: include <ucred.h> if we have getpeerucred

	* configure.in: check for functions getpeerucred and getpeereid

	* kcm/connect.c (update_client_creds): add support for
	getpeerucred and getpeereid

	* lib/krb5/kcm.c (kcm_alloc): allow kcm socket to be configured by
	[libdefaults]kcm_socket=/path

2005-05-24  David Love  <fx@gnu.org>

	* kcm/kcm.8: KRB5CCNAME needs a literal uid, not ${uid}, spelling

2005-05-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* kcm/protocol.c:
	Merge the description and function jumptables
	into one structure. Use the length of the array when checking if
	opcode is value, not a constant.

	* kcm/kcm_locl.h: struct kcm_op: jumptable structure

	* kcm/main.c: move declaration of detach_from_console away from
	here to kcm_locl.h, Don't test HAVE_DAEMON since roken supplies it.

	* kcm/kcm_locl.h: move declaration of detach_from_console here

	* kdc/config.c: Don't test HAVE_DAEMON since roken supplies it.

2005-05-23  Dave Love  <fx@gnu.org>

	* kcm/config.c: Don't test HAVE_DAEMON since roken supplies it.

	* kdc/main.c: Don't test HAVE_DAEMON since roken supplies it.

2005-05-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_keytab.3: document WRFILE and JAVA14

2005-05-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krbhst.c (srv_get_hosts): if srv_get_hosts fails,
	return and ignore the error

	* lib/krb5/krbhst.c (srv_find_realm): make sure `res' and `count'
	have good values

	* lib/krb5/test_keytab.c: tests all keytab format

2005-05-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c (_krb5_pk_rd_pa_reply): non non asn1 decoding
	errors, fail. Make sure we free memory on error.
	(pk_verify_chain_standard): make sure we provide good errors.

	* lib/krb5/verify_krb5_conf.c: add missing options, prompted by
	James F. Hranicky mail to heimdal-discuss

	* lib/krb5/verify_krb5_conf.c: add pkinit and password quality
	check options

	* lib/krb5/pkinit.c (pk_verify_chain_standard): store better error
	message in the context for certificate errors.

	* lib/krb5/keytab.c (krb5_kt_free_entry): zero out content of all
	krb5_free_x_content like functions to make sure data doesn't get
	reused, idea from Wynn Wilkes <wwilkes@vintela.com>

	* configure.in: depend on automake 1.8, we don't test anything
	older

	* lib/krb5/init_creds_pw.c (process_pa_data_to_md): add comment
	that the caller always free out_md; remove comment about memory,
	it doesn't happen.
	(init_cred_loop): free ctx->as_req.padata when it's reset (From Wynn
	Wilkes <wwilkes@vintela.com>), move a comment close to the code

	* lib/krb5/keytab_krb4.c (fkt_remove_entry): need to call
	krb5_kt_free_entry after each krb5_kt_next_entry.

	* lib/krb5/keytab_file.c (fkt_remove_entry): need to call
	krb5_kt_free_entry after each fkt_next_entry_int. From: Wynn
	Wilkes <wwilkes@vintela.com>

2005-05-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am: TESTS += test_keytab

	* lib/krb5/keytab_krb4.c (krb4_kt_remove_entry): plug memory leaks,
	avoid crashing on empty keytab

	* lib/krb5/krb5_keytab.3: document behavior of
	krb5_kt_remove_entry

	* lib/krb5/keytab_memory.c (mkt_remove_entry): check if there
	isn't any entries in the keytab before removing any since that
	leads to bad pointer arithmetic and crashing. From: Wynn Wilkes
	<wwilkes@vintela.com>. Make the function return KRB5_KT_NOTFOUND
	if the entry wasn't in the keytab (just like the filebased
	keytab).

	* lib/krb5/test_keytab.c: test memory corruption in MEMORY keytab

	* lib/krb5{addr_families,context,creds,free,keyblock,
	mit_glue,rd_error}.c: zero out content of all krb5_free_x_content
	like functions to make sure data doesn't get reused, idea from
	Wynn Wilkes <wwilkes@vintela.com>

	* lib/krb5/krb5_get_credentials.3: document KRB5_GC_EXPIRED_OK

	* lib/krb5/krb5.3: add krb5_cc_new_unique

2005-05-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/fcache.c (fcc_get_first): check return value from
	malloc, memset the structure, make sure cursor doesn't point to
	freed memory on failure. From: Wynn Wilkes <wwilkes@vintela.com>

	* lib/krb5/krb5_auth_context.3: document
	KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED

	* lib/krb5/get_cred.c: Remove expired credentials, based on
	patches and comments from Anders Magnusson <ragge@ltu.se> and Wynn
	Wilkes <wwilkes@vintela.com>

	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): honor
	KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED and create unencrypted
	(ENCTYPE_NULL) credentials. for use with old mit server and java based
	ones as they can't handle encrypted KRB-CRED. Note that the option
	needs to be turned on because if the consumer sends the KRB-CRED in
	clear bad things will happen.

	* lib/krb5/context.c (krb5_init_context): register krb5_javakt_ops

	* lib/krb5/krb5.h: KRB5_GC_EXPIRED_OK: expired credentials is ok
	to return from krb5_get_credentials.
	KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED: make forward credentials
	be unencrypted, for compatibility with mit kerberos and java
	kerberos. krb5_javakt_ops: export

2005-05-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/keytab_file.c: Add new keytab file format JAVA14 that
	doesn't use the extended kvnos, as hinted, this is needed for
	Java's Kerberos implementation.

2005-05-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c: handle pkinit-9, pkinit-19, and pkinit-25
	enckey, still no DH

	* kdc/pkinit.c: handle pkinit-9, pkinit-19, and pkinit-25 enckey,
	still no DH

	* kdc/kerberos5.c (as_rep): search for pkinit-9, pkinit-19, and
	pkinit-25 pa-data, return empty pkinit pa-data in the
	PREAUTH_REQUIRED krb-error

	* doc/ack.texi: add pkinit people

	* lib/krb5/krb5_storage.3: document krb5_storage_is_flags

	* lib/krb5/{krb5_compare_creds.3,krb5_get_init_creds.3,
	krb5_krbhst_init.3,krb5_storage.3}:
	make more pretty, from Björn Sandell

2005-05-09  Dave Love  <fx@gnu.org>

	* doc/setup.texi: Fix and clarify password quality check examples.

2005-05-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/kuserok.c (krb5_kuserok): use POSIX_GETPWNAM_R instead
	of HAVE_GETPWNAM_R From: Dave Love <d.love@dl.ac.uk>

2005-05-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/addr_families.c (krb5_print_address): catch when the
	unknown address doesn't fit.
	From Björn Sandell <biorn@dce.chalmers.se>

2005-05-05  Dave Love  <d.love@dl.ac.uk>

	* configure.in: fix type right test, include <termios.h> for
	sys/strtty.h, not sys/ptyvar.h

2005-05-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.conf.5: spelling

2005-05-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.conf.5: expand on what "trailing component" means

2005-05-04  Johan Danielsson  <joda@pdc.kth.se>

	* lib/krb5/rd_cred.c: put address comparison in separate function

	* lib/krb5/krb5_kuserok.3: check the user's ~/.k5login.d directory
	for access files, all of which is handled like the regular
	~/.k5login

	* lib/krb5/kuserok.c: check the user's ~/.k5login.d directory for
	access files, all of which is handled like the regular ~/.k5login

2005-05-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/ack.texi: Clarify what version of libdes we are using and
	whose code in it we are using.

	* kcm/kcm.8: more text about usage

	* kcm/Makefile.am: man_MANS += kcm.8

	* kcm/kcm.8: initial manpage

	* configure.in: if we have a $srcdir/lib/asn1/pkcs12.asn1, define
	PKINIT

2005-05-02  Dave Love  <fx@gnu.org>

	* configure.in: sys/tty.h (for sys/ptyvar.h) might need termios.h.

2005-05-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* tools/krb5-config.in: add com_err to required libs

	* lib/krb5/pkinit.c (krb5_ui_method_read_string): use the fill in
	length

	* lib/krb5/init_creds_pw.c: Now that we fixed the signed-ness of
	nonce for windows, remove the code that removed the signed
	bit. Instead add comment that they still need to be the same
	(Kerberos protocol nonce and pk-init nonce) for Windows.

2005-05-02  David Love  <fx@gnu.org>

	* lib/krb5/crypto.c: Don't declare des_salt &c as static with
	incomplete type (invalid in c89, at least).

2005-05-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_locl.h: include <crypt.h>

2005-05-02  David Love  <fx@gnu.org>

	* kcm/connect.c (init_socket): rename variable sun to un to avoid
	namespace collision.
	(handle_stream): Cast arg of krb5_warnx.

2005-04-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/init_creds_pw.c: if we are using PKINIT, strip off the
	highest bit to make windows PK-INIT happy. Also make the nonces
	the same, again for windows, they are using pk-init-9.

	XXX check if it isn't that the nonce is an unsigned variable so
	it's just an asn1 mismatch.

	* kdc/pkinit.c: pass a NULL prompter data to _krb5_pk_load_openssl_id

	* kuser/kinit.c: krb5_get_init_creds_opt_set_pkinit

	* lib/krb5/pkinit.c: Pass prompter data to the prompter function,
	implement a UI prompter function wrapping the kerberos prompter
	function so that the OpenSSL ENGINE can ask for a password
	when loading the private key. From: Douglas E.
	Engert

	* lib/krb5: add <err.h> in test programs

	* configure.in: sys/ptyvar.h might need <sys/tty.h>

	* lib/krb5/Makefile.am: use LIB_com_err for libkrb5.la

2005-04-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/asn1/Makefile.am: use $(LIB_com_err)

2005-04-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/context.c (krb5_set_config_files): ignore permission
	denied on configuration files, user might not be allowed to read
	/var/heimdal/kdc.conf

2005-04-26  Dave Love  <fx@gnu.org>

	* lib/krb5/krb5_locl.h: define _POSIX_PTHREAD_SEMANTICS so we get
	posix getpwnam_r

2005-04-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/asn1/gen_glue.c: switch the units variable to a
	function. gcc-4.1 needs the size of the structure if it's defined
	as extern struct units foo_units[] and we don't want to include
	<parse_units.h> in the generated headerfile

2005-04-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb.schema: add EQUALITY rule for krb5ValidStart,
	krb5ValidEnd, krb5PasswordEnd From Howard Chu

2005-04-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/whatis.texi: comment out docbook stuff for now

	* kuser/klist.c: use strlcpy

	* doc/ack.texi: we no longer use eay libdes, make acknowledgment
	still be there, but claim that we no longer use it. Mark editline
	to be a modified version as required by the license.

	* lib/krb5/pkinit.c: use the unexported oid_to_enctype function

	* lib/krb5/crypto.c: unexport the oid_to_enctype function, not for
	external consumers

	* kdc/Makefile.am: always add kaserver

	* lib/krb5/krb5_ccache.3: document krb5_cc_new_unique

	* lib/krb5/cache.c (krb5_cc_new_unique): new function to create a
	new credential cache

	* kdc/headers.h: don't include kerberos 4 headers here

	* kdc/hpropd.c: include kerberos 4 headers here

	* kdc/connect.c: add kaserver support independent of having krb4
	support

	* kdc/config.c: add kaserver support unconditionally, make kdc
	only fail to start when there are no v4 realm configured and
	krb4/kaserver is turned on

	* kdc/kaserver.c: Use the new Kerberos 4 functions in libkrb5 and
	so kaserver support is always compiled in (still default disabled)

	* lib/krb5/v4_glue.c: simplify error handling

	* doc/whatis.texi: add docbook version macro of @sub

	* doc/heimdal.texi: change the wrapping around the Top node to
	ifnottex, make html generation work

	* lib/krb5/krb5_krbhst_init.3: spelling, from Björn Sandell
	<biorn@dce.chalmers.se>

	* lib/krb5/krb5_get_krbhst.3: spelling, from Björn Sandell
	<biorn@dce.chalmers.se>

	* lib/krb5/krb5_data.3: spelling, from Björn Sandell
	<biorn@dce.chalmers.se>

	* lib/krb5/krb5_aname_to_localname.3: spelling, from Björn Sandell
	<biorn@dce.chalmers.se>

	* lib/krb5/krb5_address.3: spelling, from Björn Sandell
	<biorn@dce.chalmers.se>

2005-04-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/config.c: Use the new Kerberos 4 functions in libkrb5 and so
	kerberos 4 is always compiled in (still default disabled)

	* kdc/kerberos4.c: Use the new Kerberos 4 functions in libkrb5 and
	so kerberos 4 is always compiled in (still default disabled)

	* lib/krb5/krb5_locl.h: forward declaration of _krb5_krb_auth_data

	* lib/krb5/convert_creds.c: Move the kerberos v4 replacement
	functions to v4_glue.c

	* lib/krb5/v4_glue.c: Implement enough of kerberos 4 protocol to
	be a KDC, move the v4 bits over here

	* lib/krb5/krb5-v4compat.h: add more v4 defines

2005-04-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* kpasswd/kpasswdd.c: Support multi-realms databases, requires
	that all the realms are configured on the KDC in krb5.conf with
	[libdefaults]default_realm stanzas.

2005-04-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c: spell succeeded correctly, From Sean Chittenden

	* lib/krb5/addr_families.c: catch two more snprintf problems

2005-04-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/Makefile.am: this lib includes com_err, add -com_err to
	CHECK_SYMBOLS

	* appl/test/http_client.c: cast ssize_t to unsigned long, fix
	printf format

2005-04-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/kuserok.c: use asprintf to avoid truncating pathnames

	* lib/krb5/get_host_realm.c: check return value of snprintf

	* lib/krb5/test_addr.c: check address truncation

	* lib/krb5/addr_families.c: check return values from snprintf and
	clean up semantics of ret_len

	* lib/krb5/krb5_address.3: clarify what ret_len is in
	krb5_print_address

	* lib/krb5/test_kuserok.c: add --version and --help

	* lib/krb5/kuserok.c: use getpwnamn_r if it exists

	* lib/krb5/Makefile.am: noinst_PROGRAMS += test_kuserok

	* lib/krb5/test_kuserok.c: test program for krb5_kuserok

2005-04-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/acache.c (acc_resolve): if open_default_ccache failed
	with ccErrCCacheNotFound try again with create_default_ccache,
	this fixes the problem where the security
	server apparently haven't
	started yet on Mac OS X

	* lib/krb5/get_default_principal.c
	(_krb5_get_default_principal_local): add, for use of functions
	that in ccache layer to avoid recursive calls.

	* lib/hdb/hdb-ldap.c: drop <ctype.h>, no longer use any of the is*
	macros in this file

	* include/make_crypto.c: cast to unsigned char to make sure it's
	not negative when passing it to is* functions

2005-04-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/programming.texi: remove manpage macro, add some more
	references to manpages

	* doc/heimdal.texi: define manpage macro

	* doc/setup.texi: document new password policy code

	* kpasswd/kpasswdd.c: add verifier libraries with
	kadm5_add_passwd_quality_verifier

	* lib/krb5/krb5_keyblock.3: document krb5_keyblock_init

2005-04-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kaserver.c: AUTHENTICATE and AUTHENTICATE_V2 is almost the
	same, and clients
	(klog) can deal with that the kaserver returns the same thing for
	both

	* lib/krb5/keyblock.c: Add krb5_keyblock_init to allocate and fill
	in a keyblock from key data.

2005-04-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* configure.in: rk_WIN32_EXPORT for roken

2005-04-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* appl/test/gssapi_server.c: print out client principal of
	delegated credential

2005-04-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/init_creds_pw.c (process_pa_data_to_key): also check
	for KRB5_PADATA_PK_AS_REP_19, From: Douglas Engert

2005-04-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* .cvsignore: ignore more generated files

2005-04-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/asn1/check-der.c: use size_t, print size_t by casting to
	unsigned long

	* lib/krb5/test_crypto.c: print size_t by casting to unsigned long

	* lib/krb5/acache.c: Argument to create_new_ccache is a principal,
	not a credential cache name. Clean up lossage related to this
	problem.

	* lib/hdb/Makefile.am: CHECK_SYMBOLS += HDBFlags2int

	* lib/krb5/addr_families.c
	(krb5_address_prefixlen_boundary,krb5_free_address):
	use find_atype when we are dealing with a kerberos address type

	* lib/krb5/aes-test.c: size_t vs int + fix printf

	* lib/krb5/pkinit.c: Since the decode can't make out the difference
	between PA-PK-AS-REP-19 and PA-PK-AS-REQ-Win2k, try harder to
	verify both cases

2005-04-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* appl/test/uu_client.c: print size_t by casting to unsigned long

2005-04-01  Johan Danielsson  <joda@pdc.kth.se>

	* kdc/kerberos4.c (do_version4): check client and server max_life

	* kdc/kaserver.c (do_getticket): check client max_life

2005-03-31  Love  <lha@kth.se>

	* lib/krb5/verify_krb5_conf.c: const poison

	* lib/krb5/test_alname.c: const poison

	* lib/asn1/main.c: const poison

	* lib/krb5/test_addr.c: test parse IPv6 RANGE addresses

	* lib/krb5/addr_families.c: implement mask boundary for IPv6

	* lib/asn1/gen.c: avoid const string warnings stemming from
	writeable-string

2005-03-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am: TESTS += test_addr

	* lib/krb5/test_addr.c: simple test for addresses

	* lib/krb5/addr_families.c: make RANGE parse prefixlen style
	addresses too, fix printing of RANGE addresses, add
	krb5_address_prefixlen_boundary

	* lib/krb5/krb5_keytab.3: stop memory leak in example, expand on
	wildcards

2005-03-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_principal.3: spelling, from Tomas Olsson

	* lib/krb5/krb5_warn.3: spelling, from Tomas Olsson

2005-03-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/acache.c: add mutex for global variables, clean up
	returned error codes, implement storing addresses into the ccapi

	* appl/test/gssapi_server.c: free memory, make error strings match

	* appl/test/gssapi_server.c: use print_gss_name, print server name
	too

	* appl/test/gss_common.h (print_gss_name): common code for
	printing gss name

	* appl/test/gss_common.c (print_gss_name): common code for
	printing gss name

	* appl/test/http_client.c: Make consistent with rest of the gssapi
	test programs

2005-03-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/keys.c: AES is enabled by default, remove ifdefs

	* lib/krb5/crypto.c: AES is enabled by default, remove ifdefs

	* lib/krb5/aes-test.c: use hex encoder from roken AES is enabled
	by default, remove ifdefs

	* kdc/kerberos5.c: AES is enabled by default, remove ifdefs

2005-03-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/setup.texi: Add some text about modifying the database

2005-03-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/kinit.c: widen
	lifetime/renewal warning text field, also
	make use of unparse_time_approx, no need to be specific to the
	second when ticket needs to be renewed or their lifetime.

	* doc/heimdal.texi: copyright maintenance, drop eay, use updated
	UCB license

	* lib/krb5/crypto.c: more static and unsigned issues

	* lib/krb5/crypto.c: fix signedness issues, prompted by report of
	Magnus Ahltorp

2005-03-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_keytab.3: more text about how to free returned
	resources

2005-03-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c: handle the -25 generation path

	* lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_19

	* lib/krb5/pkinit.c: fold in pk-init-25 asn1 changes

2005-03-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/pkinit.c: use generated oid's

	* lib/krb5/pkinit.c: use generated oid's

2005-03-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/pkinit.c: update to the asn1 structures used in -25's

	* lib/krb5/pkinit.c: update to the asn1 structures used in -25's

2005-03-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb-ldap.c: use the newly written hex function from
	roken and remove the old implementation

2005-03-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* appl/test/http_client.c: allow specifying port to connect to

2005-02-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am: bump version to 21:0:4

	* lib/hdb/Makefile.am: bump version to 8:0:1

	* lib/asn1/Makefile.am: bump version to 7:0:1

2005-02-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/crypto.c (DES_string_to_key_int): must check for weak
	keys after doing the DES_cbc_cksum

2005-02-19  Luke Howard  <lukeh@padl.com>

	* lib/krb5/krbhst.c: set KD_CONFIG after calling
	config_get_hosts() in kpasswd_get_next()
	From: Wynn Wilkes <wynnw@vintela.com>

2005-02-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/db3.c (DB_open): correct the check for O_RDONLY
	From: Chaskiel M Grundman <cg2v@andrew.cmu.edu>

2005-02-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/crypto.c (krb5_random_to_key): cast size_t to int to
	make %d work

2005-02-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/keytab.c (krb5_kt_get_entry): tell what enctype the
	caller requested to provide the user with a clue what the caller
	was asking for.

2005-02-05  Luke Howard  <lukeh@padl.com>

	* lib/krb5/kcm.c: add _krb5_kcm_is_running, _krb5_kcm_noop

	* kcm/acquire.c: don't leak salt if keyproc called multiple
	times

	* kcm/config.c: allow KCM system ccache to be configured from
	krb5.conf, in the system_ccache stanza of [kcm]

2005-02-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* kcm/protocol.c: use -1 as the invalid pid number

	* kcm/connect.c: support SCM_CREDS (for NetBSD)

	* kcm/Makefile.am: LDADD += LIB_pidfile

	* kcm/connect.c: make it possible to build on systems without
	SO_PEERCRED (still doesn't work)

	* kcm/config.c: cast argument to isdigit to unsigned char

	* lib/krb5/krb5.conf.5: document large_msg_size

	* lib/krb5/context.c (init_context_from_config_file): init
	large_msg_size to 6000

	* lib/krb5/krb5.h (krb5_context_data): add large_msg_size,
	threshold where we start to use transport protocols without tiny
	max data transport sizes.

	* lib/krb5/kcm.h: drop prototypes, they all live in krb5-private.h
	by now

2005-02-02  Luke Howard  <lukeh@padl.com>

	* configure.in: generate kcm/Makefile

	* Makefile.am: recurse into kcm/ if KCM defined

	* kcm: add KCM daemon

2005-02-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/send_to_kdc.c (send_and_recv_udp): make private again

	* lib/krb5/kcm.c: use AF_UNIX like the rest of the codebase, add
	some more error strings

2005-02-02  Luke Howard  <lukeh@padl.com>

	* configure.in: add --enable-kcm option for Kerberos
	Credentials Manager (KCM)

	* lib/krb5/Makefile.am: add kcm.c

	* lib/krb5/cache.c: use cc_retrieve_cred if present rather
	than enumerating ccache

	* lib/krb5/context.c: register KCM cc_ops

	* lib/krb5/get_cred.c: pass all options to cc_retrieve_cred

	* lib/krb5/init_creds_pw.c: add krb5_get_init_creds_keyblock

	* lib/krb5/kcm.[ch]: add initial implementation of KCM
	client library

	* lib/krb5/krb5.h: fix cc_retrieve prototype, add KCM cc_ops

	* lib/krb5/send_to_kdc.c: add _krb5_send_and_recv_tcp

	* lib/krb5/store.c: add krb5_store_creds_tag, krb5_ret_creds_tag

2005-01-24  Luke Howard  <lukeh@padl.com>

	* lib/krb5/init_creds_pw.c: allow NULL in_options to be passed
	krb5_get_init_creds_password()

	* kdc/kerberos5.c: don't crash when logging no server etype
	support if client == NULL

2005-01-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kstash.c: s/random_key/random_key_flag/, From Dave Love
	<d.love@dl.ac.uk>

2005-01-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/apps.texi: Texinfo fixes. Text about irix 6.5 using
	PAM.
	From: Dave Love <d.love@dl.ac.uk>

2005-01-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/verify_krb5_conf.c: cast argument to isdigit to
	unsigned char

	* lib/krb5/keytab_keyfile.c: cast argument to toupper to unsigned
	char

	* lib/asn1/hash.c (hashcaseadd): cast argument to toupper to
	unsigned char

	* appl/kf/kfd.c (kfd_match_version): cast argument to islower to
	unsigned char

	* lib/krb5/krb5.3: drop krb5_{checksum,enctype}_is_disabled

	* lib/krb5/krb5_encrypt.3: drop krb5_enctype_is_disabled, more
	text about krb5_enctype_valid

	* lib/krb5/krb5_create_checksum.3: drop
	krb5_checksum_is_disabled

	* lib/krb5/crypto.c: drop krb5_{checksum,enctype}_isdisabled

	* lib/krb5/context.c: krb5_enctype_is_disabled is the same thing
	as krb5_enctype_valid, so use the latter since it's older and the
	api doesn't really need another entry point

	* lib/krb5/rd_req.c: krb5_enctype_is_disabled is the same thing as
	krb5_enctype_valid, so use the latter since it's older and the api
	doesn't really need another entry point

	* kdc/kerberos5.c: krb5_enctype_is_disabled is the same thing as
	krb5_enctype_valid, so use the latter since it's older and the api
	doesn't really need another entry point

2005-01-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* kpasswd/kpasswdd.8: document --addresses, controls what
	addresses kpasswd should listen to

	* kpasswd/kpasswdd.c: add --addresses, controls what addresses
	kpasswd should listen to

	* lib/krb5/addr_families.c (krb5_parse_address): filter out dup
	addresses from getaddrinfo

	* kpasswd/kpasswd.1: document -c

	* kpasswd/kpasswd.c: allow specifying a credential cache to use
	for the admin principal

	* include/bits.c: constify to avoid warning with -Wwrite-string

	* NEWS: add 0.6.2 and 0.6.3 items

	* lib/krb5/krb5_keyblock.3: document krb5_generate_subkey_extended

	* lib/krb5/krb5_is_thread_safe.3: document function

	* lib/krb5/Makefile.am (man_MANS) += krb5_is_thread_safe.3

	* lib/krb5/context.c (krb5_is_thread_safe): return TRUE if the
	library was compiled with multithreading support. If not,
	application must global lock the library, if it uses threads that
	call kerberos functions at the same time.

2005-01-05  Luke Howard  <lukeh@padl.com>

	* lib/krb5/auth_context.c: use krb5_generate_subkey_extended()

	* lib/krb5/appdefault.c: remove redundant KRB5_LIB_FUNCTION

	* lib/krb5/build_auth.c: support for enctype negotiation
	(client sends EtypeList in Authenticator authz data)

	* lib/krb5/context.c: mutex should be destroyed last in
	krb5_free_context()

	* lib/krb5/generate_subkey.c: add krb5_generate_subkey_extended(),
	set *subkey to NULL if key generation fails

	* lib/krb5/krb5.h: add KRB5_KU_PA_SERVER_REFERRAL_DATA

	* lib/krb5/mk_req_ext.c: support ETYPE_ARCFOUR_HMAC_MD5_56

	* lib/krb5/rd_req.c: support for enctype negotiation
	(client sends EtypeList in Authenticator authz data)

2005-01-04  Luke Howard  <lukeh@padl.com>

	* lib/asn1/k5.asn1: add authorization data types for enctype
	negotiation implementation

2005-01-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/changepw.c (change_password_loop): on failing to find a
	kdc, set result_code to KRB5_KPASSWD_HARDERROR

2005-01-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/heimdal.texi: Happy New Year