We stop writing change logs; see the source code version control system's history log instead

2008-07-28  Love Hornquist Astrand  <lha@h5l.org>

	* lib/krb5/v4_glue.c: The "kaserver" part of Heimdal occasionally
	issues invalid AFS tokens
	(here "occasionally" means for certain users in certain realms).

	In lib/krb5/v4_glue.c, in the routine storage_to_etext the ticket
	is padded to a multiple of 8 bytes. If it is already a multiple of
	8 bytes, 8 additional 0-bytes are added.

	This catches the AFS krb4 ticket decoder by surprise: unless the
	ticket is exactly 56 bytes, it only supports the minimum necessary
	padding. It detects the superfluous padding by comparing the
	ticket length decoded to the advertised ticket length.

	Hence a 7-letter userid in "cern.ch" which resulted in a ticket of
	40 bytes, got "padded" to 48 bytes which the rxkad decoder
	rejected.

	From Rainer Toebbicke.

2008-07-25  Love Hörnquist Åstrand  <lha@h5l.org>

	* kuser/kinit.c: add --ok-as-delegate and --windows flags

	* kpasswd/kpasswd-generator.c: Switch to krb5_set_password.

	* kuser/kinit.c: Use krb5_cc_set_config.

	* lib/krb5/cache.c: Add krb5_cc_[gs]et_config.

2008-07-22  Love Hörnquist Åstrand  <lha@h5l.org>

	* lib/krb5/crypto.c: Allow numbers to be enctypes too as long as
	they are valid.

2008-07-17  Love Hörnquist Åstrand  <lha@h5l.org>

	* lib/hdb/version-script.map: some random bits needed for libkadm

2008-07-15  Love Hörnquist Åstrand  <lha@h5l.org>

	* lib/krb5/send_to_kdc_plugin.h: add name for send_to_kdc plugin.

	* lib/krb5/krbhst.c: handle KRB5_PLUGIN_NO_HANDLE for lookup
	plugin.

	* lib/krb5/send_to_kdc.c: Add support for the send_to_kdc plugin
	interface.

	* lib/krb5/Makefile.am: add send_to_kdc_plugin.h

	* lib/krb5/krb5_err.et: add plugin error codes

2008-07-14  Love Hornquist Astrand  <lha@kth.se>

	* lib/hdb/Makefile.am: EXTRA_DIST += version-script.map

2008-07-14  Love Hornquist Astrand  <lha@kth.se>

	* lib/krb5/krb5_{address,ccache}.3: spelling, from openbsd via janne
	johansson

2008-07-13  Love Hörnquist Åstrand  <lha@kth.se>

	* lib/krb5/version-script.map: add krb5_free_error_message

2008-06-21  Love Hörnquist Åstrand  <lha@kth.se>

	* lib/krb5/init_creds_pw.c: switch to krb5_set_password().

2008-06-18  Love Hörnquist Åstrand  <lha@kth.se>

	* lib/krb5/time.c (krb5_set_real_time): handle negative usec

2008-05-31  Love Hörnquist Åstrand  <lha@kth.se>

	* lib/krb5/krb5_locl.h: Add <wind.h>

	* lib/krb5/crypto.c: Use wind_utf8ucs2_length to convert the password to utf16.

2008-05-30  Love Hörnquist Åstrand  <lha@kth.se>

	* lib/krb5/kcm.c: Add back krb5_kcmcache argument to try_door().

2008-05-27  Love Hörnquist Åstrand  <lha@kth.se>

	* lib/krb5/error_string.c (krb5_free_error_message): constify

	* lib/krb5/error_string.c: Add krb5_get_error_message().

	* lib/krb5/doxygen.c: krb5_cc_new_unique() is name of the creation
	function.

2008-04-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb-ldap.c: Use the _ext api for OpenLDAP, from Honza
	Machacek (gentoo).

2008-04-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/crypto.c: Use DES_set_key_unchecked().

	* lib/krb5/krb5.conf.5: Document default_cc_type.

	* lib/krb5/cache.c: Pick up [libdefaults]default_cc_type

2008-04-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kaserver.c: Use DES_set_key_unchecked().

2008-04-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/hx509.texi: About the pkcs11 module.

	* doc/hx509.texi: Pick up version from vars.texi

	* doc/hx509.texi: No MIT code in hx509.

	* hx509 now includes a pkcs11 implementation.

2008-04-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/Makefile.am: Move OpenLDAP includes to AM_CPPFLAGS to
	avoid dropping other defines for the library.

2008-04-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5: add __declspec() for windows.

	* configure.in: Update rk_WIN32_EXPORT, add gssapi to
	rk_WIN32_EXPORT.

	* configure.in: Let's try dependency tracking for automake 1.10 and
	later.

	* configure.in: Use at least libtool-2.2.

	* configure.in: Use LT_INIT the right way.

	* lib/krb5/Makefile.am: Update make-proto usage.

	* configure.in: Run autoupdate, use LT_INIT().

2008-04-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/test_forward.c: Don't print krb5_error_code since we
	are using krb5_err().

	* lib/krb5/ticket.c: Cast krb5_error_code to int to avoid warning.

	* lib/krb5/scache.c: Cast krb5_error_code to int to avoid warning.

	* lib/krb5/principal.c: Cast enum to int to avoid warning.

	* lib/krb5/pkinit.c: Cast krb5_error_code to int to avoid warning.

	* lib/krb5/pac.c: Cast size_t to unsigned long to avoid warning.

	* lib/krb5/error_string.c: Cast krb5_error_code to int to avoid
	warning.

	* lib/krb5/keytab_keyfile.c: Make num_entries a uint32 to avoid
	negative numbers and type warnings.

	* lib/krb5: cc_get_version returns an int, update.

2008-04-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* configure.in: Check for <asl.h>.

2008-04-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/version-script.map: sort and export _krb5_pk_kdf

	* lib/krb5/crypto.c: Check kdf params. calculate the second half
	of the key.

	* lib/krb5/Makefile.am: Add test_pknistkdf

	* lib/krb5/test_pknistkdf.c: Test the new pkinit nist kdf.

	* lib/krb5/crypto.c: Complete _krb5_pk_kdf.

	* lib/krb5/crypto.c: First version of KDF in
	draft-ietf-krb-wg-pkinit-alg-agility-03.txt.

2008-04-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/setup.texi: Add text about smbk5pwd overlay from Buchan
	Milne.

	* lib/krb5/krb5_locl.h: Name the pkinit type enum.

	* kdc/pkinit.c: Rename constants to match global header.

	* lib/krb5/pkinit.c: Drop krb5_pk_identity and rename constants to
	match global header.

	* kdc/pkinit.c: Pick up krb5_pk_identity from krb5_locl.h.

	* lib/krb5/scache.c (scc_alloc): %x is unsigned int.

2008-04-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/version-script.map: Sort and add krb5_cc_switch.

	* lib/krb5/acache.c: Use unsigned where appropriate.

	* kcm/glue.c: Adapt to change to krb5_cc_ops.

	* kcm/acl.c: Add missing op.

	* kdc/connect.c: Use unsigned where appropriate.

	* lib/krb5/n-fold.c: Use size_t where appropriate.

	* lib/krb5/get_addrs.c: Use unsigned where appropriate.

	* lib/krb5/crypto.c: Use unsigned where appropriate.

	* lib/krb5/crc.c: Use unsigned where appropriate.

	* lib/krb5/changepw.c: simplify

	* lib/krb5/copy_host_realm.c: simplify

	* kuser/kswitch.c: Implement --principal.

2008-04-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/cache.c: allow returning the default cc-type.

	* kuser/kswitch.c: Enable switching between existing caches.

	* lib/krb5/cache.c: Add krb5_cc_switch, to set the default
	credential cache.

	* lib/krb5/acache.c: Implement set_default.

	* lib/krb5/krb5.h: Extend krb5_cc_ops and add set_default to set
	the default cc name for a credential type.

2008-04-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/test_cc.c: test remove

	* lib/krb5/fcache.c: Make the remove cred slightly more atomic, now
	it might lose creds, but there will be no empty cache at any time.

	* lib/krb5/scache.c: Do credential iteration by temporary table.

2008-04-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/acache.c: Translate ccErrInvalidCCache.

	* lib/krb5/scache.c: implementation of a sqlite3 backed credential
	cache.

	* lib/krb5/test_cc.c: test acc and scc

	* lib/krb5/acache.c: Only release context if it's in use.

2008-04-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/setup.texi: No patching of OpenLDAP is needed, from Buchan
	Milne.

2008-03-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am: Add scache.

	* lib/krb5/scache.c: initial implementation

	* lib/Makefile.am: sqlite

	* configure.in: lib/sqlite/Makefile

2008-03-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/fcache.c: Make the storing credential an atomic
	write(2) to avoid signal races, bug traced by Harald Barth and Lars
	Malinowsky.

2008-03-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/fcache.c: Make erase_file() do locking too.

	* kcm/protocol.c: Make work when moving to a non-existent
	cred-cache.

	* lib/krb5/test_cc.c: more verbose info.

	* lib/krb5/test_cc.c: test krb5_cc_move().

2008-03-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/get_cred.c: Try both kdc server referral and the old
	client chasing mode.

	* lib/krb5/get_cred.c: Don't do canonicalize by default, make
	add_cred() sane, make loop detection in credential fetching
	better.

	* lib/krb5/krb5_locl.h: Add flag EXTRACT_TICKET_AS_REQ.

	* lib/krb5/init_creds_pw.c: Tell _krb5_extract_ticket that this is
	an AS-REQ.

	* lib/krb5/get_in_tkt.c: Make server referral work.

2008-03-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/get_in_tkt.c: check no server referral, don't use
	stringent length tests since encryption layer does padding for
	us...

	* kdc/kerberos5.c: Match name in ClientCanonicalizedNames with -10

	* lib/krb5/principal.c (_krb5_principal_compare_PrincipalName):
	new function to compare a principal to a PrincipalName.

	* lib/krb5/init_creds_pw.c: Move client referral checking to
	_krb5_extract_ticket().

	* lib/krb5/get_in_tkt.c: More bits for server referral.

	* lib/krb5/get_in_tkt.c: Make working with client referrals.

	* lib/krb5/get_cred.c: Try moving referrals checking into
	_krb5_extract_ticket().

	* lib/krb5/get_in_tkt.c: Try moving referrals checking into
	_krb5_extract_ticket().

2008-03-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/krb5tgs.c: Send SERVER-REFERRAL data in rep.padata instead
	of auth_data in ticket.

2008-03-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/init_creds_pw.c: remove lost bits from using
	krb5_principal_set_realm

	* kdc/krb5tgs.c: Better referrals support, use canonicalize flag.

	* kdc/hprop.c: use krb5_principal_set_realm

	* lib/krb5/init_creds_pw.c: use krb5_principal_set_realm

	* lib/krb5/verify_user.c: use krb5_principal_set_realm

	* lib/krb5/version-script.map: add krb5_principal_set_realm

	* lib/krb5/principal.c: add krb5_principal_set_realm

	* lib/krb5/get_cred.c: Insecure tgs referrals.

	* lib/krb5/get_cred.c: Don't try key usage KRB5_KU_AP_REQ_AUTH for
	TGS-REQ. This drops compatibility with pre 0.3d KDCs.

	* lib/krb5/get_cred.c: catch KRB5_GC_CANONICALIZE.

	* lib/krb5/krb5.h: set KRB5_GC_CANONICALIZE.

	* kuser/kgetcred.c: set KRB5_GC_CANONICALIZE.

	* kuser/kgetcred.c: Add stub --canonicalize implementation.

2008-03-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/setup.texi: Fix sasl-regexp, from Howard Chu.

2008-03-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kx509.c: Adapt to hx509_env changes.

2008-03-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c: Try searching the key to use by first
	looking for PK-INIT EKU, then the Microsoft smart card EKU and
	last, no special EKU at all.

2008-03-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/acache.c: Create a new credential cache if ->get_name
	is called, make acc_initialize() reset the existing credential
	cache if needed.

	* lib/krb5/acache.c (acc_get_name): just return the cache_name
	directly instead of trying to resolve it.

2008-02-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* include/Makefile.am (CLEANFILES): add wind.h and wind_err.h and
	sort.

2008-02-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb-ldap.c: Use malloc() instead of static buffer.

	* lib/hdb/hdb-ldap.c: Use ldap_get_values_len, from LaMont Jones
	via Brian May and Debian.

	* doc/Makefile.am: add libwind

2008-02-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/test_renew.c: Remove extra ;, From Dennis Davis.

	* lib/krb5/store_emem.c: Make compile on pre-c99 compilers. From
	Dennis Davis.

2008-02-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* tools/heimdal-gssapi.pc.in: Add wind.

	* tools/krb5-config.in: Add wind.

	* lib/krb5/pac.c: Use libwind.

2008-02-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/Makefile.am: SUBDIRS: add wind

2008-01-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/programming.texi: See the Kerberos 5 API introduction and
	documentation on the Heimdal webpage.

2008-01-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5: better error strings for the keytab fetching functions

	* lib/krb5/verify_krb5_conf.c: Catch deprecated entries.

	* lib/krb5/get_cred.c: Remove support
	for [libdefaults]capath (not [libdefaults] capaths though).

2008-01-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* tools/heimdal-gssapi.pc.in: Fix caps of prefix, from Joakim
	Fallsjo.

2008-01-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/fcache.c (fcc_move): more explicit why the fcc_move
	fails, handle cross device moves.

2008-01-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/get_for_creds.c: Use one variable less.

	* lib/krb5/get_for_creds.c: Try to handle ticket full and
	ticketless tickets better. Add doxygen comments while here.

	* lib/krb5/test_forward.c: Used for testing
	krb5_get_forwarded_creds().

	* lib/krb5/Makefile.am: noinst_PROGRAMS += test_forward

	* lib/krb5/Makefile.am: drop CHECK_SYMBOLS

	* lib/hdb/Makefile.am: drop CHECK_SYMBOLS

	* kdc/Makefile.am: drop CHECK_SYMBOLS

2008-01-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/version-script.map: Add krb5_digest_probe.

2008-01-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c: Replace hx509_name_to_der_name with
	hx509_name_binary.

2008-01-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am: add missing files

	* Happy new year.