1
2008-04-30 Love H�rnquist �strand <lha@it.su.se>
3
* lib/hdb/hdb-ldap.c: Use the _ext api for OpenLDAP, from Honza
6
2008-04-28 Love H�rnquist �strand <lha@it.su.se>
8
* lib/krb5/crypto.c: Use DES_set_key_unchecked().
10
* lib/krb5/krb5.conf.5: Document default_cc_type.
12
* lib/krb5/cache.c: Pick up [libdefaults]default_cc_type
14
2008-04-27 Love H�rnquist �strand <lha@it.su.se>
16
* kdc/kaserver.c: Use DES_set_key_unchecked().
18
2008-04-21 Love H�rnquist �strand <lha@it.su.se>
20
* doc/hx509.texi: About the pkcs11 module.
22
* doc/hx509.texi: Pick up version from vars.texi
24
* doc/hx509.texi: No MIT code in hx509.
26
* hx509 now includes a pkcs11 implementation.
28
2008-04-20 Love H�rnquist �strand <lha@it.su.se>
30
* lib/hdb/Makefile.am: Move OpenLDAP includes to AM_CPPFLAGS to
31
avoid dropping other defines for the library.
33
2008-04-17 Love H�rnquist �strand <lha@it.su.se>
35
* lib/krb5: add __declspec() for windows.
37
* configure.in: Update rk_WIN32_EXPORT, add gssapi to
40
* configure.in: Lets try dependency tracking for automake 1.10 and
43
* configure.in: Use at least libtool-2.2.
45
* configure.in: Use LT_INIT the right way.
47
* lib/krb5/Makefile.am: Update make-proto usage.
49
* configure.in: Run autoupdate, use LT_INIT().
51
2008-04-15 Love H�rnquist �strand <lha@it.su.se>
53
* lib/krb5/test_forward.c: Don't print krb5_error_code since we
56
* lib/krb5/ticket.c: Cast krb5_error_code to int to avoid warning.
58
* lib/krb5/scache.c: Cast krb5_error_code to int to avoid warning.
60
* lib/krb5/principal.c: Cast enum to int to avoid warning.
62
* lib/krb5/pkinit.c: Cast krb5_error_code to int to avoid warning.
64
* lib/krb5/pac.c: Cast size_t to unsigned long to avoid warning.
66
* lib/krb5/error_string.c: Cast krb5_error_code to int to avoid
69
* lib/krb5/keytab_keyfile.c: Make num_entries an uint32 to avoid
70
negative numbers and type warnings.
72
* lib/krb5: cc_get_version returns an int, update.
74
2008-04-10 Love H�rnquist �strand <lha@it.su.se>
76
* configure.in: Check for <asl.h>.
78
2008-04-09 Love H�rnquist �strand <lha@it.su.se>
80
* lib/krb5/version-script.map: sort and export _krb5_pk_kdf
82
* lib/krb5/crypto.c: Check kdf params. calculate the second half
85
* lib/krb5/Makefile.am: Add test_pknistkdf
87
* lib/krb5/test_pknistkdf.c: Test the new pkinit nist kdf.
89
* lib/krb5/crypto.c: Complete _krb5_pk_kdf.
91
* lib/krb5/crypto.c: First version of KDF in
92
draft-ietf-krb-wg-pkinit-alg-agility-03.txt.
94
2008-04-08 Love H�rnquist �strand <lha@it.su.se>
96
* doc/setup.texi: Add text about smbk5pwd overlay from Buchan
99
* lib/krb5/krb5_locl.h: Name the pkinit type enum.
101
* kdc/pkinit.c: Rename constants to match global header.
103
* lib/krb5/pkinit.c: Drop krb5_pk_identity and rename constants to
106
* kdc/pkinit.c: Pick up krb5_pk_identity from krb5_locl.h.
108
* lib/krb5/scache.c (scc_alloc): %x is unsigned int.
110
2008-04-07 Love H�rnquist �strand <lha@it.su.se>
112
* lib/krb5/version-script.map: Sort and add krb5_cc_switch.
114
* lib/krb5/acache.c: Use unsigned where appropriate.
116
* kcm/glue.c: Adapt to chenge to krb5_cc_ops.
118
* kcm/acl.c: Add missing op.
120
* kdc/connect.c: Use unsigned where appropriate.
122
* lib/krb5/n-fold.c: Use size_t where appropriate.
124
* lib/krb5/get_addrs.c: Use unsigned where appropriate.
126
* lib/krb5/crypto.c: Use unsigned where appropriate.
128
* lib/krb5/crc.c: Use unsigned where appropriate.
130
* lib/krb5/changepw.c: simplify
132
* lib/krb5/copy_host_realm.c: simplify
134
* kuser/kswitch.c: Implement --principal.
136
2008-04-05 Love H�rnquist �strand <lha@it.su.se>
138
* lib/krb5/cache.c: allow returning the default cc-type.
140
* kuser/kswitch.c: Enable switching between existing caches.
142
* lib/krb5/cache.c: Add krb5_cc_switch, to set the default
145
* lib/krb5/acache.c: Implement set_default.
147
* lib/krb5/krb5.h: Extend krb5_cc_ops and add set_default to set
148
the default cc name for a credential type.
150
2008-04-04 Love H�rnquist �strand <lha@it.su.se>
152
* lib/krb5/test_cc.c: test remove
154
* lib/krb5/fcache.c: Make the remove cred slight more atomic, now
155
it might lose creds, but there will be no empty cache at any time.
157
* lib/krb5/scache.c: Do credential iteration by temporary table.
159
2008-04-02 Love H�rnquist �strand <lha@it.su.se>
161
* lib/krb5/acache.c: Translate ccErrInvalidCCache.
163
* lib/krb5/scache.c: implemetation of a sqlite3 backed credential
166
* lib/krb5/test_cc.c: test acc and scc
168
* lib/krb5/acache.c: Only release context if its in use.
170
2008-04-01 Love H�rnquist �strand <lha@it.su.se>
172
* doc/setup.texi: No patching of OpenLDAP is needed, from Buchan
175
2008-03-30 Love H�rnquist �strand <lha@it.su.se>
177
* lib/krb5/Makefile.am: Add scache.
179
* lib/krb5/scache.c: initial implementation
181
* lib/Makefile.am: sqlite
183
* configure.in: lib/sqlite/Makefile
185
2008-03-26 Love H�rnquist �strand <lha@it.su.se>
187
* lib/krb5/fcache.c: Make the storing credential an atomic
188
write(2) to avoid signal races, bug traced by Harald Barth and Lars
191
2008-03-25 Love H�rnquist �strand <lha@it.su.se>
193
* lib/krb5/fcache.c: Make erase_file() do locking too.
195
* kcm/protocol.c: Make work when moving to a non-existant
198
* lib/krb5/test_cc.c: more verbose info.
200
* lib/krb5/test_cc.c: test krb5_cc_move().
202
2008-03-23 Love H�rnquist �strand <lha@it.su.se>
204
* lib/krb5/get_cred.c: Try both kdc server referral and the old
207
* lib/krb5/get_cred.c: Don't do canonicalize by default, make
208
add_cred() sane, make loop detection in credential fetching
211
* lib/krb5/krb5_locl.h: Add flag EXTRACT_TICKET_AS_REQ.
213
* lib/krb5/init_creds_pw.c: Tell _krb5_extract_ticket that this is
216
* lib/krb5/get_in_tkt.c: Make server referral work.
218
2008-03-22 Love H�rnquist �strand <lha@it.su.se>
220
* lib/krb5/get_in_tkt.c: check no server referral, don't use
221
stringent length tests since encryption layer does padding for
224
* kdc/kerberos5.c: Match name in ClientCanonicalizedNames with -10
226
* lib/krb5/principal.c (_krb5_principal_compare_PrincipalName):
227
new function to compare a principal to a PrincipalName.
229
* lib/krb5/init_creds_pw.c: Move client referral checking to
230
_krb5_extract_ticket().
232
* lib/krb5/get_in_tkt.c: More bits for server referral.
234
* lib/krb5/get_in_tkt.c: Make working with client referrals.
236
* lib/krb5/get_cred.c: Try moving referrals checking into
237
_krb5_extract_ticket().
239
* lib/krb5/get_in_tkt.c: Try moving referrals checking into
240
_krb5_extract_ticket().
242
2008-03-21 Love H�rnquist �strand <lha@it.su.se>
244
* kdc/krb5tgs.c: Send SERVER-REFERRAL data in rep.padata instead
245
of auth_data in ticket.
247
2008-03-20 Love H�rnquist �strand <lha@it.su.se>
249
* lib/krb5/init_creds_pw.c: remove lost bits from using
250
krb5_principal_set_realm
252
* kdc/krb5tgs.c: Better referrals support, use canonicalize flag.
254
* kdc/hprop.c: use krb5_principal_set_realm
256
* lib/krb5/init_creds_pw.c: use krb5_principal_set_realm
258
* lib/krb5/verify_user.c: use krb5_principal_set_realm
260
* lib/krb5/version-script.map: add krb5_principal_set_realm
262
* lib/krb5/principal.c: add krb5_principal_set_realm
264
* lib/krb5/get_cred.c: Insecure tgs referrals.
266
* lib/krb5/get_cred.c: Dont try key usage KRB5_KU_AP_REQ_AUTH for
267
TGS-REQ. This drop compatibility with pre 0.3d KDCs.
269
* lib/krb5/get_cred.c: catch KRB5_GC_CANONICALIZE.
271
* lib/krb5/krb5.h: set KRB5_GC_CANONICALIZE.
273
* kuser/kgetcred.c: set KRB5_GC_CANONICALIZE.
275
* kuser/kgetcred.c: Add stub --canonicalize implementation.
277
2008-03-19 Love H�rnquist �strand <lha@it.su.se>
279
* doc/setup.texi: Fix sasl-regexp, from Howard Chu.
281
2008-03-14 Love H�rnquist �strand <lha@it.su.se>
283
* kdc/kx509.c: Adapt to hx509_env changes.
285
2008-03-10 Love H�rnquist �strand <lha@it.su.se>
287
* lib/krb5/pkinit.c: Try searchin the key by to use by first
288
looking for for PK-INIT EKU, then the Microsoft smart card EKU and
289
last, no special EKU at all.
291
2008-03-09 Love H�rnquist �strand <lha@it.su.se>
293
* lib/krb5/acache.c: Create a new credential cache is ->get_name
294
is called, make acc_initialize() reset the existing credential
297
* lib/krb5/acache.c (acc_get_name): just return the cache_name
298
directly instead of trying to resolve it.
300
2008-02-23 Love H�rnquist �strand <lha@it.su.se>
302
* include/Makefile.am (CLEANFILES): add wind.h and wind_err.h and
305
2008-02-11 Love H�rnquist �strand <lha@it.su.se>
307
* lib/hdb/hdb-ldap.c: Use malloc() instead of static buffer.
309
* lib/hdb/hdb-ldap.c: Use ldap_get_values_len, from LaMont Jones
310
via Brian May and Debian.
312
* doc/Makefile.am: add libwind
314
2008-02-05 Love H�rnquist �strand <lha@it.su.se>
316
* lib/krb5/test_renew.c: Remove extra ;, From Dennis Davis.
318
* lib/krb5/store_emem.c: Make compile on-pre c99 compilers. From
321
2008-02-03 Love H�rnquist �strand <lha@it.su.se>
323
* tools/heimdal-gssapi.pc.in: Add wind.
325
* tools/krb5-config.in: Add wind.
327
* lib/krb5/pac.c: Use libwind.
329
2008-02-01 Love H�rnquist �strand <lha@it.su.se>
331
* lib/Makefile.am: SUBDIRS: add wind
333
2008-01-29 Love H�rnquist �strand <lha@it.su.se>
335
* doc/programming.texi: See the Kerberos 5 API introduction and
336
documentation on the Heimdal webpage.
338
2008-01-27 Love H�rnquist �strand <lha@it.su.se>
340
* lib/krb5: better error strings for the keytab fetching functions
342
* lib/krb5/verify_krb5_conf.c: Catch deprecated entries.
344
* lib/krb5/get_cred.c: Remove support
345
for [libdefaults]capath (not [libdefaults] capaths though).
347
2008-01-25 Love H�rnquist �strand <lha@it.su.se>
349
* tools/heimdal-gssapi.pc.in: Fix caps of prefix, from Joakim
1
352
2008-01-24 Love H�rnquist �strand <lha@it.su.se>
354
* lib/krb5/fcache.c (fcc_move): more explict why the fcc_move
355
failes, handle cross device moves.
5
357
2008-01-21 Love H�rnquist �strand <lha@it.su.se>
7
359
* lib/krb5/get_for_creds.c: Use on variable less.
34
386
* lib/krb5/Makefile.am: add missing files
36
2007-12-28 Love H�rnquist �strand <lha@it.su.se>
38
* kdc/digest.c: Log probe message, add NTLM_TARGET_DOMAIN to the
41
2007-12-14 Love H�rnquist �strand <lha@it.su.se>
43
* lib/hdb/dbinfo.c: Add hdb_default_db().
45
* Makefile.am: Add some extra cf/*.
47
2007-12-12 Love H�rnquist �strand <lha@it.su.se>
49
* kuser/kgetcred.c: Fix type of name-type. From Andy Polyakov.
51
2007-12-09 Love H�rnquist �strand <lha@it.su.se>
53
* kdc/log.c: Use hdb_db_dir().
55
* kpasswd/kpasswdd.c: Use hdb_db_dir().
57
2007-12-08 Love H�rnquist �strand <lha@it.su.se>
59
* kdc/config.c: Use hdb_db_dir().
61
* kdc/kdc_locl.h: add KDC_LOG_FILE
63
* kdc/hpropd.c: Use hdb_default_db().
65
* kdc/kstash.c: Use hdb_db_dir().
67
* kdc/pkinit.c: Adapt to hx509 changes, use hdb_db_dir().
69
* lib/krb5/rd_req.c: Document krb5_rd_req_in_set_pac_check.
71
* lib/krb5/verify_krb5_conf.c: Check check_pac.
73
* lib/krb5/rd_req.c: use KRB5_CTX_F_CHECK_PAC to init check_pac
74
field in the krb5_rd_req_in_ctx
76
* lib/krb5/expand_hostname.c: Adapt to changing
77
dns_canonicalize_hostname into flags field.
79
* lib/krb5/context.c: Adapt to changing dns_canonicalize_hostname
80
into flags field, add check-pac as an libdefaults option.
82
* lib/krb5/pkinit.c: Adapt to changes in hx509 interface.
84
* doc: add doxygen documentation to hcrypto
86
* doc/doxytmpl.dxy: generate links
88
2007-12-07 Love H�rnquist �strand <lha@it.su.se>
90
* lib/krb5/Makefile.am: build_HEADERZ += heim_threads.h
92
* lib/hdb/dbinfo.c (hdb_db_dir): Return the directory where the
95
* configure.in: Add --with-hdbdir to specify where the database is
98
* lib/krb5/crypto.c: revert previous patch, the problem is located
99
in the RAND_file_name() function that will cause recursive nss
100
lookups, can't fix that here.
102
2007-12-06 Love H�rnquist �strand <lha@it.su.se>
104
* lib/krb5/crypto.c (krb5_generate_random_block): try to avoid the
105
dead-lock in by not holding the lock while running
106
RAND_file_name. Prompted by Hai Zaar.
108
* lib/krb5/n-fold.c: spelling
110
2007-12-04 Love H�rnquist �strand <lha@it.su.se>
112
* kuser/kdigest.c (digest-probe): implement command.
114
* kuser/kdigest-commands.in (digest-probe): new command
116
* kdc/digest.c: Implement supportedMechs request.
118
* lib/krb5/error_string.c: Make krb5_get_error_string return an
119
allocated string to make the function indempotent. From
122
2007-12-03 Love H�rnquist �strand <lha@it.su.se>
124
* lib/krb5/krb5_locl.h (krb5_context_data): Flag if
125
default_cc_name was set by the user.
127
* lib/krb5/fcache.c (fcc_move): make sure ->version is uptodate.
129
* kcm/acquire.c: use krb5_free_cred_contents
131
* kuser/kimpersonate.c: use krb5_free_cred_contents
133
* kuser/kinit.c: Use krb5_cc_move to make an atomic switch of the
136
* lib/krb5/cache.c: Put back code that was needed, move gen_new
139
* lib/krb5/mcache.c (mcc_default_name): Remove const
141
* lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME_KCM, redefine
142
KRB5_DEFAULT_CCNAME to KRB5_DEFAULT_CCTYPE
144
* lib/krb5/cache.c: Use krb5_cc_ops->default_name to get the
147
* lib/krb5/kcm.c: Implement krb5_cc_ops->default_name.
149
* lib/krb5/mcache.c: Implement krb5_cc_ops->default_name.
151
* lib/krb5/fcache.c: Implement krb5_cc_ops->default_name.
153
* lib/krb5/krb5.h: Add krb5_cc_ops->default_name.
155
* lib/krb5/acache.c: Free context when done, implement
156
krb5_cc_ops->default_name.
158
* lib/krb5/kcm.c: implement dummy kcm_move
160
* lib/krb5/mcache.c: Implement the move operation.
162
* lib/krb5/version-script.map: export krb5_cc_move
164
* lib/krb5/cache.c: New function krb5_cc_move().
166
* lib/krb5/fcache.c: Implement the move operation.
168
* lib/krb5/krb5.h: Add move to the krb5_cc_ops, causes major
171
* lib/krb5/acache.c: Implement the move operation. Avoid using
172
cc_set_principal() since it broken on Mac OS X 10.5.0.
174
2007-12-02 Love H�rnquist �strand <lha@it.su.se>
176
* lib/krb5/krb5_ccapi.h: Drop variable names to avoid -Wshadow.
178
2007-11-14 Love H�rnquist �strand <lha@it.su.se>
180
* kdc/krb5tgs.c: Should pass different key usage constants
181
depending on whether or not optional sub-session key was passed by
182
the client for the check of authorization data. The constant is
183
used to derive "specific key" and its values are specified in
186
Patch from Andy Polyakov.
188
* kdc/krb5tgs.c: Don't send auth data in referrals, microsoft
189
clients have started to not like that. Thanks to Andy Polyakov for
192
2007-11-11 Love H�rnquist �strand <lha@it.su.se>
194
* lib/krb5/creds.c: use krb5_data_cmp
196
* lib/krb5/acache.c: use krb5_free_cred_contents
198
* lib/krb5/test_renew.c: use krb5_free_cred_contents
200
2007-11-10 Love H�rnquist �strand <lha@it.su.se>
202
* lib/krb5/acl.c: doxygen documentation
204
* lib/krb5/addr_families.c: doxygen documentation
208
* lib/krb5/plugin.c: doxygen documentation
210
* lib/krb5/kcm.c: doxygen documentation
212
* lib/krb5/fcache.c: doxygen documentation
214
* lib/krb5/cache.c: doxygen documentations
216
* lib/krb5/doxygen.c: doxygen introduction
218
* lib/krb5/error_string.c: Doxygen documentation.
220
2007-11-03 Love H�rnquist �strand <lha@it.su.se>
222
* lib/krb5/test_plugin.c: expose krb5_plugin_register
224
* lib/krb5/plugin.c: expose krb5_plugin_register
226
* lib/krb5/version-script.map: sort, expose krb5_plugin_register
228
2007-10-24 Love H�rnquist �strand <lha@it.su.se>
230
* kdc/kerberos5.c: Adding same enctype is enough one time. From
231
Andy Polyakov and Bjorn Sandell.
233
2007-10-18 Love <lha@stacken.kth.se>
235
* lib/krb5/cache.c (krb5_cc_retrieve_cred): check return value
236
from krb5_cc_start_seq_get. From Zeqing (Fred) Xia
238
* lib/krb5/fcache.c (init_fcc): provide better error codes
240
* kdc/kerberos5.c (get_pa_etype_info2): more paranoia, avoid
241
sending warning about pruned etypes.
243
* kdc/kerberos5.c (older_enctype): old windows enctypes (arcfour
244
based) "old", this to support windows 2000 clients (unjoined to a
245
domain). From Andy Polyakov.
247
2007-10-07 Love H�rnquist �strand <lha@it.su.se>
249
* doc/setup.texi: Spelling, from Mark Peoples via Bjorn Sandell.
251
2007-10-04 Love H�rnquist �strand <lha@it.su.se>
253
* kdc/krb5tgs.c: More prettier printing of enctype, from KAMADA
256
* lib/krb5/crypto.c (krb5_enctype_to_string): make sure string is
259
2007-10-03 Love H�rnquist �strand <lha@it.su.se>
261
* kdc/kdc-replay.c: Catch KRB5_PROG_ATYPE_NOSUPP from
262
krb5_addr2sockaddr and igore thte test is that case.
264
2007-09-29 Love H�rnquist �strand <lha@it.su.se>
266
* lib/krb5/context.c (krb5_free_context): free
267
default_cc_name_env, from Gunther Deschner.
269
2007-08-27 Love H�rnquist �strand <lha@it.su.se>
271
* lib/krb5/{krb5.h,pac.c,test_pac.c,send_to_kdc.c,rd_req.c}: Make
272
work with c++, reported by Hai Zaar
274
* lib/krb5/{digest.c,krb5.h}: Make work with c++, reported by Hai Zaar
276
2007-08-20 Love H�rnquist �strand <lha@it.su.se>
278
* lib/hdb/Makefile.am: EXTRA_DIST += hdb.schema
280
2007-07-31 Love H�rnquist �strand <lha@it.su.se>
282
* check return value of alloc functions, from Charles Longeau
284
* lib/krb5/principal.c: spelling.
286
* kadmin/kadmin.8: spelling
288
* lib/krb5/crypto.c: Check return values from alloc
289
functions. Prompted by patch of Charles Longeau.
291
* lib/krb5/n-fold.c: Make _krb5_n_fold return a error
292
code. Prompted by patch of Charles Longeau.
294
2007-07-27 Love H�rnquist �strand <lha@it.su.se>
296
* lib/krb5/init_creds.c: Always set the ticket options, use
297
KRB5_ADDRESSLESS_DEFAULT as the default value, this make the unset
298
tri-state not so useful.
300
2007-07-24 Love H�rnquist �strand <lha@it.su.se>
302
* tools/heimdal-gssapi.pc.in: Add LIB_pkinit to the list of
305
* tools/heimdal-gssapi.pc.in: pkg-config file for libgssapi in
308
* tools/Makefile.am: Add heimdal-gssapi.pc and install it into
311
2007-07-23 Love H�rnquist �strand <lha@it.su.se>
313
* lib/krb5/pkinit.c: Add RFC3526 modp group14 as a default.
315
2007-07-22 Love H�rnquist �strand <lha@it.su.se>
317
* lib/hdb/dbinfo.c (get_dbinfo): use dbname instead of realm as
318
key if the entry is a correct entry.
320
* lib/krb5/get_cred.c: Make krb5_get_renewed_creds work, from
323
* lib/krb5/Makefile.am: Add test_renew to noinst_PROGRAMS.
325
* lib/krb5/test_renew.c: Test for krb5_get_renewed_creds.
327
2007-07-21 Love H�rnquist �strand <lha@it.su.se>
329
* lib/hdb/keys.c: Make parse_key_set handle key set string "v5",
332
* kdc/kaserver.c: Don't ovewrite the error code, from Peter
335
2007-07-18 Love H�rnquist �strand <lha@it.su.se>
339
* Makefile.am: remove TODO-1.0
341
2007-07-17 Love H�rnquist �strand <lha@it.su.se>
343
* Heimdal 1.0 release branch cut here
345
* doc/hx509.texi: use version.texi
347
* doc/heimdal.texi: use version.texi
349
* doc/version.texi: version.texi
351
* lib/hdb/db3.c: avoid type-punned pointer warning.
353
* kdc/kx509.c: Use unsigned char * as argument to HMAC_Update to
354
please OpenSSL and gcc.
356
* kdc/digest.c: Use unsigned char * as argument to MD5_Update to
357
please OpenSSL and gcc.
359
2007-07-16 Love H�rnquist �strand <lha@it.su.se>
361
* include/Makefile.am: Add krb_err.h.
363
* kdc/set_dbinfo.c: Print acl file too.
365
* kdc/kerberos4.c: Error codes are just fine, remove XXX now.
367
* lib/krb5/krb5-v4compat.h: Drop duplicate error codes.
369
* kdc/kerberos4.c: switch to ET errors.
371
* lib/krb5/Makefile.am: Add krb_err.h to build_HEADERZ.
373
* lib/krb5/v4_glue.c: If its a Kerberos 4 error-code, remove the
376
2007-07-15 Love H�rnquist �strand <lha@it.su.se>
378
* lib/krb5/krb5-v4compat.h: Include "krb_err.h".
380
* lib/krb5/v4_glue.c: return more interesting error codes.
382
* lib/krb5/plugin.c: Prefix enum plugin_type.
384
* lib/krb5/krb5_locl.h: Expose plugin structures.
386
* lib/krb5/krb5.h: Add plugin structures.
388
* lib/krb5/krb_err.et: V4 errors.
390
* lib/krb5/version-script.map: First version of version script.
392
2007-07-13 Love H�rnquist �strand <lha@it.su.se>
394
* kdc/kerberos5.c: Java 1.6 expects the name to be the same type,
395
lets allow that for uncomplicated name-types.
397
2007-07-12 Love H�rnquist �strand <lha@it.su.se>
399
* lib/krb5/v4_glue.c (_krb5_krb_rd_req): if ticket contains
400
address 0, its ticket less and don't really care about
401
from_addr. return better error codes.
403
* kpasswd/kpasswdd.c: Fix pointer vs strict alias rules.
405
2007-07-11 Love H�rnquist �strand <lha@it.su.se>
407
* lib/hdb/hdb-ldap.c: When using sambaNTPassword, avoid adding
408
more then one enctype 23 to krb5EncryptionType.
410
* lib/krb5/cache.c: Spelling.
412
* kdc/kerberos5.c: Don't send newer enctypes in ETYPE-INFO.
413
(get_pa_etype_info2): return the enctypes as sorted in the
416
2007-07-10 Love H�rnquist �strand <lha@it.su.se>
418
* kuser/kinit.c: krb5-v4compat.h defines prototypes for
419
v4 (semiprivate functions) in libkrb5, don't include
420
krb5-private.h any longer.
422
* lib/krb5/krbhst.c: Set error string when there is no KDC for a
425
* lib/krb5/Makefile.am: New library version.
427
* kdc/Makefile.am: New library version.
429
* lib/krb5/krb5_locl.h: Add default_cc_name_env.
431
* lib/krb5/cache.c (enviroment_changed): return non-zero if
432
enviroment that will determine default krb5cc name has changed.
433
(krb5_cc_default_name): also check if cached value is uptodate.
435
* lib/krb5/krb5_locl.h: Drop pkinit_flags.
437
2007-07-05 Love H�rnquist �strand <lha@it.su.se>
439
* configure.in: add tests/java/Makefile
441
* lib/hdb/dbinfo.c: Add hdb_dbinfo_get_log_file.
443
2007-07-04 Love H�rnquist �strand <lha@it.su.se>
445
* kdc/kerberos5.c: Improve the default salt detection to avoid
446
returning v4 password salting to java that doesn't look at the
447
returning padata for salting.
449
* kdc: Split out krb5_kdc_set_dbinfo, From Andrew Bartlett
451
2007-07-02 Love H�rnquist �strand <lha@it.su.se>
453
* kdc/digest.c: Try harder to provide better error message for
456
* lib/krb5/Makefile.am: verify_krb5_conf_OBJECTS depends on
457
krb5-pr*.h, make -j finds this.
459
2007-06-28 Love H�rnquist �strand <lha@it.su.se>
461
* kdc/digest.c: On success, print username, not ip-adress.
463
2007-06-26 Love H�rnquist �strand <lha@it.su.se>
465
* lib/krb5/get_cred.c: Add krb5_get_renewed_creds.
467
* lib/krb5/krb5_get_credentials.3: add krb5_get_renewed_creds
469
* lib/krb5/pkinit.c: Use hx509_cms_unwrap_ContentInfo.
471
2007-06-25 Love H�rnquist �strand <lha@it.su.se>
473
* doc/setup.texi: Add example for pkinit_win2k_require_binding
476
* kdc/default_config.c: Rename require_binding to
477
win2k_require_binding to match client configuration.
479
* kdc/default_config.c: Add [kdc]pkinit_require_binding option.
481
* kdc/pkinit.c (pk_mk_pa_reply_enckey): only allow non-bound reply
484
* kdc/default_config.c: rename pkinit_princ_in_cert and add
485
pkinit_require_binding
487
* kdc/kdc.h: rename pkinit_princ_in_cert and add
488
pkinit_require_binding
490
* kdc/pkinit.c: rename pkinit_princ_in_cert
492
2007-06-24 Love H�rnquist �strand <lha@it.su.se>
494
* lib/krb5/pkinit.c: Adapt to hx509_verify_hostname change.
496
2007-06-21 Love H�rnquist �strand <lha@it.su.se>
498
* kdc/krb5tgs.c: Drop unused variable.
500
* kdc/krb5tgs.c: disable anonyous tgs requests
502
* kdc/krb5tgs.c: Don't check PAC on cross realm for now.
504
* kuser/kgetcred.c: Set KRB5_GC_CONSTRAINED_DELEGATION and parse
507
* lib/krb5/krb5_principal.3: Document krb5_parse_nametype.
509
* lib/krb5/principal.c (krb5_parse_nametype): parse nametype and
510
return their integer values.
512
* lib/krb5/krb5.h (krb5_get_creds): Add
513
KRB5_GC_CONSTRAINED_DELEGATION.
515
* lib/krb5/get_cred.c (krb5_get_creds): if
516
KRB5_GC_CONSTRAINED_DELEGATION is set, set both request_anonymous
517
and constrained_delegation.
519
2007-06-20 Love H�rnquist �strand <lha@it.su.se>
521
* kdc/digest.c: Return an error message instead of dropping the
522
packet for more failure cases.
524
* lib/krb5/krb5_principal.3: Add KRB5_PRINCIPAL_UNPARSE_DISPLAY.
526
* appl/gssmask/gssmask.c (AcquirePKInitCreds): fail more
529
2007-06-18 Love H�rnquist �strand <lha@it.su.se>
531
* lib/krb5/pac.c: make compile.
533
* lib/krb5/pac.c (verify_checksum): memset cksum to avoid using
536
* lib/krb5/plugin.c: Don't expose free pointer.
538
* lib/krb5/pkinit.c (_krb5_pk_load_id): fail directoy for first
541
* lib/krb5/pkinit.c (get_reply_key*): don't expose freed memory
543
* lib/krb5/krbhst.c: Host is static memory, don't free.
545
* lib/krb5/crypto.c (decrypt_internal_derived): make sure length
546
is longer then confounder + checksum.
548
* kdc: export get_dbinfo as krb5_kdc_set_dbinfo and call from
549
users. This to allows libkdc users to to specify their own
552
* lib/krb5/pkinit.c (pk_rd_pa_reply_enckey): simplify handling of
553
content data (and avoid leaking memory).
555
* kdc/misc.c (_kdc_db_fetch): set error string for failures.
557
2007-06-15 Love H�rnquist �strand <lha@it.su.se>
559
* kdc/pkinit.c: Use KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.
561
2007-06-13 Love H�rnquist �strand <lha@it.su.se>
563
* kdc/pkinit.c: tell user when they got a pk-init request with
566
2007-06-12 Love H�rnquist �strand <lha@it.su.se>
568
* lib/krb5/principal.c: Rename UNPARSE_NO_QUOTE to
571
* lib/krb5/krb5.h: Rename UNPARSE_NO_QUOTE to UNPARSE_DISPLAY.
573
* lib/krb5/principal.c: Make no-quote mean replace strange chars
576
* lib/krb5/principal.c: Support KRB5_PRINCIPAL_UNPARSE_NO_QUOTE.
578
* lib/krb5/krb5.h: Add KRB5_PRINCIPAL_UNPARSE_NO_QUOTE.
580
* lib/krb5/test_princ.c: Test quoteing.
582
* lib/krb5/pkinit.c: update (c)
584
* lib/krb5/get_cred.c: use krb5_sendto_context to talk to the KDC.
586
* lib/krb5/send_to_kdc.c (_krb5_kdc_retry): check if the whole
587
process needs to restart or just skip this KDC.
589
* lib/krb5/init_creds_pw.c: Use krb5_sendto_context to talk to
592
* lib/krb5/krb5.h: Add sendto hooks and opaque structure.
594
* lib/krb5/krb5_rd_error.3: Update prototype.
596
* lib/krb5/send_to_kdc.c: Add hooks for processing the reply from
599
2007-06-11 Love H�rnquist �strand <lha@it.su.se>
601
* lib/krb5/krb5_err.et: Some new error codes from RFC 4120.
603
2007-06-09 Love H�rnquist �strand <lha@it.su.se>
605
* kdc/krb5tgs.c: Constify.
607
* kdc/kerberos5.c: Constify.
609
* kdc/pkinit.c: Check for KRB5-PADATA-PK-AS-09-BINDING. Constify.
611
2007-06-08 Love H�rnquist �strand <lha@it.su.se>
613
* include/Makefile.am: Make krb5-types.h nodist_include_HEADERS.
615
* kdc/Makefile.am: EXTRA_DIST += version-script.map.
617
2007-06-07 Love H�rnquist �strand <lha@it.su.se>
619
* Makefile.am (print-distdir): print name of dist
621
* kdc/pkinit.c: Break out loading of mappings file to a separate
622
function and remove warning that it can't open the mapping file,
623
there are now mappings in the db, maybe the users uses that
626
* lib/krb5/crypto.c: Require the raw key have the correct size and
627
do away with the minsize. Minsize was a thing that originated
628
from RC2, but since RC2 is done in the x509/cms subsystem now
629
there is no need to keep that around.
631
* lib/hdb/dbinfo.c: If there is no default dbname, also check for
632
unset mkey_file and set it default mkey name, make backward compat
635
* kdc/version-script.map: add new symbols
637
* kdc/kdc-replay.c: Also update krb5_context view of what the time
640
* configure.in: add tests/can/Makefile
642
* kdc/kdc-replay.c: Add --[version|help].
644
* kdc/pkinit.c: Push down the kdc time into the x509 library.
646
* kdc/connect.c: Move up krb5_kdc_save_request so we can catch the
649
* kdc/kdc-replay.c: verify reply by checking asn1 class, type and
650
tag of the reply if there is one.
652
* kdc/process.c: Save asn1 class, type and tag of the reply if
653
there is one. Used to verify the reply in kdc-replay.
655
2007-06-06 Love H�rnquist �strand <lha@it.su.se>
657
* kdc/kdc_locl.h: extern for request_log.
659
* kdc/Makefile.am: Add kdc-replay.
661
* kdc/kdc-replay.c: Replay kdc messages to the KDC library.
663
* kdc/config.c: Pick up request_log from [kdc]kdc-request-log.
665
* kdc/connect.c: Option to save the request to disk.
667
* kdc/process.c (krb5_kdc_save_request): save request to file.
669
* kdc/process.c (krb5_kdc_process*): dont update _kdc_time
671
(krb5_kdc_update_time): set or get current kdc-time.
673
* kdc/pkinit.c (_kdc_pk_rd_padata): accept both pkcs-7 and
674
pkauthdata as the signeddata oid
676
* kdc/pkinit.c (_kdc_pk_rd_padata): Try to log what went wrong.
678
2007-06-05 Love H�rnquist �strand <lha@it.su.se>
680
* kdc/pkinit.c: Use oid_id_pkcs7_data for pkinit-9 encKey reply to
681
match windows DC behavior better.
683
2007-06-04 Love H�rnquist �strand <lha@it.su.se>
685
* configure.in: use test for -framework Security
687
* appl/test/uu_server.c: Print status to stdout.
689
* kdc/digest.c (digest ntlm): provide log entires by setting ret
692
2007-06-03 Love H�rnquist �strand <lha@it.su.se>
694
* doc/hx509.texi: Indent crl-sign.
696
* doc/hx509.texi: One more crl-sign example.
698
* lib/krb5/test_princ.c: plug memory leaks.
700
* lib/krb5/pac.c: plug memory leaks.
702
* lib/krb5/test_pac.c: plug memory leaks.
704
* lib/krb5/test_prf.c: plug memory leak.
706
* lib/krb5/test_cc.c: plug memory leaks.
708
* doc/hx509.texi: Simple blob about publishing CRLs.
710
* doc/win2k.texi: drop text about enctypes.
712
2007-06-02 Love H�rnquist �strand <lha@it.su.se>
714
* kdc/pkinit.c: In case of OCSP verification failure, referash
715
every 5 min. In case of success, refreash 2 min before expiring or
718
2007-05-31 Love H�rnquist �strand <lha@it.su.se>
720
* lib/krb5/krb5_err.et: add error 68, WRONG_REALM
722
* kdc/pkinit.c: Handle the ms san in a propper way, still cheat
725
* kdc/kerberos5.c: If _kdc_pk_check_client failes, bail out
726
directly and hand the error back to the client.
728
* lib/krb5/krb5_err.et: Add missing REVOCATION_STATUS_UNAVAILABLE
729
and fix error message for CLIENT_NAME_MISMATCH.
731
* kdc/pkinit.c: More logging for pk-init client mismatch.
733
* kdc/kerberos5.c: Also add a KRB5_PADATA_PK_AS_REQ_WIN for
734
windows pk-init (-9) to make MIT clients happy.
736
2007-05-30 Love H�rnquist �strand <lha@it.su.se>
738
* kdc/pkinit.c: Force des3 for win2k.
740
* kdc/pkinit.c: Add wrapping to ContentInfo wrapping to
743
* lib/krb5/keytab_keyfile.c: Spelling.
745
* kdc/pkinit.c: Allow matching by MS UPN SAN, note that this delta
746
doesn't deal with case of realm.
748
2007-05-16 Love H�rnquist �strand <lha@it.su.se>
750
* lib/krb5/crypto.c (krb5_crypto_overhead): return static overhead
753
2007-05-10 Dave Love <fx@gnu.org>
755
* doc/win2k.texi: Update some URLs.
757
2007-05-13 Love H�rnquist �strand <lha@it.su.se>
759
* kuser/kimpersonate.c: Fix version number of ticket, it should be
762
2007-05-08 Love H�rnquist �strand <lha@it.su.se>
764
* doc/setup.texi: Salting is really Encryption types and salting.
766
2007-05-07 Love H�rnquist �strand <lha@it.su.se>
768
* doc/setup.texi: spelling, from Ronny Blomme
770
* doc/win2k.texi: Fix ksetup /SetComputerPassword, from Ronny
773
2007-05-02 Love H�rnquist �strand <lha@it.su.se>
775
* lib/hdb/dbinfo.c (hdb_get_dbinfo) If there are no database
776
specified, create one and let it use the defaults.
778
2007-04-27 Love H�rnquist �strand <lha@it.su.se>
780
* lib/hdb/test_dbinfo.c: test acl file
782
* lib/hdb/test_dbinfo.c: test acl file
784
* lib/hdb/dbinfo.c: add acl file
786
* etc: ignore Makefile.in
788
* Makefile.am: SUBDIRS += etc
790
* configure.in: Add etc/Makefile.
792
* etc/Makefile.am: make sure services.append is distributed
794
2007-04-24 Love H�rnquist �strand <lha@it.su.se>
796
* kdc: rename windc_init to krb5_kdc_windc_init
798
* kdc/version-script.map: version script for libkdc
800
* kdc/Makefile.am: version script for libkdc
802
2007-04-23 Love H�rnquist �strand <lha@it.su.se>
804
* lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error):
805
correct the order of the arguments.
807
* lib/hdb/Makefile.am: Add and test dbinfo.
809
* lib/hdb/hdb.h: Forward declaration for struct hdb_dbinfo;
811
* kdc/config.c: Use krb5_kdc_get_config and just fill in what the
812
users wanted differently.
814
* kdc/default_config.c: Make the default configuration fetch info
817
2007-04-22 Love H�rnquist �strand <lha@it.su.se>
819
* lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to
820
determine if to send the session-key, for the second place in the
823
* tools/krb5-config.in: rename des to hcrypto
825
* kuser/Makefile.am: depend on libheimntlm
827
* kuser/kinit.c: Add --ntlm-domain that store the ntlm cred for
828
this domain if the Kerberos password auth worked.
830
* kuser/klist.c: add new option --hidden that doesn't display
831
principal that starts with @
833
* tools/krb5-config.in: Add heimntlm when we use gssapi.
835
* lib/krb5/krb5_ccache.3 (krb5_cc_retrieve_cred): document what to
838
* lib/krb5/cache.c (krb5_cc_retrieve_cred): document what to free
841
2007-04-21 Love H�rnquist �strand <lha@it.su.se>
843
* lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to
844
determine if to send the session-key.
846
* kcm/client.c (kcm_ccache_new_client): make root be able to pass
847
the name constraints, not the opposite. From Bryan Jacobs.
849
2007-04-20 Love H�rnquist �strand <lha@it.su.se>
851
* kcm/acl.c: make compile again.
853
* kcm/client.c: fix warning.
855
* kcm: First, it allows root to ignore the naming conventions.
856
Second, it allows root to always perform any operation on any
857
ccache. Note that root could do this anyway with FILE ccaches.
860
* Rename libdes to libhcrypto.
862
2007-04-19 Love H�rnquist �strand <lha@it.su.se>
864
* kinit: remove code that depend on kerberos 4 library
866
* kdc: remove code that depend on kerberos 4 library
868
* configure.in: Drop kerberos 4 support.
870
* kdc/hpropd.c (main): free the message when done with it.
872
* lib/krb5/pkinit.c (_krb5_get_init_creds_opt_free_pkinit):
873
remember to free memory too.
875
* lib/krb5/pkinit.c (pk_rd_pa_reply_dh): free content-type when
878
* configure.in: test rk_VERSIONSCRIPT
880
2007-04-18 Love H�rnquist �strand <lha@it.su.se>
882
* fix-export: remove, all done by make dist now
884
2007-04-15 Love H�rnquist �strand <lha@it.su.se>
886
* lib/krb5/krb5_get_credentials.3: spelling, from Jason McIntyre
888
2007-04-11 Love H�rnquist �strand <lha@it.su.se>
890
* kdc/kstash.8: Spelling, from raga <raga@comcast.net>
893
* lib/krb5/store_mem.c: indent.
895
* lib/krb5/recvauth.c: Set error string.
897
* lib/krb5/rd_req.c: clear error strings.
899
* lib/krb5/rd_cred.c: clear error string.
901
* lib/krb5/pkinit.c: Set error strings.
903
* lib/krb5/get_cred.c: Tell what principal we are not finding for
904
all KRB5_CC_NOTFOUND.
906
2007-02-22 Love H�rnquist �strand <lha@it.su.se>
908
* kdc/kerberos5.c: Return the same error codes as a windows KDC.
910
* kuser/kinit.c: KRB5KDC_ERR_PREAUTH_FAILED is also a password
913
* kdc/kerberos5.c: Make handling of replying e_data more generic,
916
* kdc/kerberos5.c: Fix (string const and shadow) warnings, from
919
* lib/krb5/pac.c: Create the PAC element in the same order as
920
w2k3, maybe there's some broken code in windows which relies on
923
* kdc/kerberos5.c: Select a session enctype from the list of the
924
crypto systems supported enctype, is supported by the client and
925
is one of the enctype of the enctype of the krbtgt.
927
The later is used as a hint what enctype all KDC are supporting to
928
make sure a newer version of KDC wont generate a session enctype
929
that and older version of a KDC in the same realm can't decrypt.
931
But if the KDC admin is paranoid and doesn't want to have "no the
932
best" enctypes on the krbtgt, lets save the best pick from the
933
client list and hope that that will work for any other KDCs.
937
* kdc/hprop.c (propagate_database): on any failure, drop the
938
connection to the peer and try next one.
940
2007-02-18 Love H�rnquist �strand <lha@it.su.se>
942
* lib/krb5/krb5_get_init_creds.3: document new options.
944
* kdc/krb5tgs.c: Only check service key for cross realm PACs.
946
* lib/krb5/init_creds.c: use the new merged flags field.
947
(krb5_get_init_creds_opt_set_win2k): new function, turn on all w2k
950
* lib/krb5/init_creds_pw.c: use the new merged flags field.
952
* lib/krb5/krb5_locl.h: merge all flags into one entity
954
2007-02-11 Dave Love <fx@gnu.org>
956
* lib/krb5/krb5_aname_to_localname.3: Small fixes
958
* lib/krb5/krb5_digest.3: Small fixes
960
* kuser/kimpersonate.1: Small fixes
962
2007-02-17 Love H�rnquist �strand <lha@it.su.se>
964
* lib/krb5/init_creds_pw.c (find_pa_data): if there is no list,
967
* kdc/krb5tgs.c: Don't check PACs on cross realm requests.
969
* lib/krb5/krb5.h: add KRB5_KU_CANONICALIZED_NAMES.
971
* lib/krb5/init_creds_pw.c: Verify client referral data.
973
* kdc/kerberos5.c: switch some "return ret" to "goto out".
975
* kdc/kerberos5.c: Pass down canonicalize request to hdb layer,
976
sign client referrals.
978
* lib/hdb/hdb.h: Add HDB_F_CANON.
980
* lib/hdb: add simple alias support to the database backends
982
2007-02-16 Love H�rnquist �strand <lha@it.su.se>
984
* kuser/kinit.c: Add canonicalize flag.
986
* lib/krb5/init_creds_pw.c: Use EXTRACT_TICKET_* flags, support
989
* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_canonicalize):
992
* lib/krb5/get_cred.c: Use EXTRACT_TICKET_* flags.
994
* lib/krb5/get_in_tkt.c: Use EXTRACT_TICKET_* flags.
996
* lib/krb5/krb5_locl.h: Add EXTRACT_TICKET_* flags.
998
2007-02-15 Love H�rnquist �strand <lha@it.su.se>
1000
* lib/krb5/test_princ.c: test parsing enterprise-names.
1002
* lib/krb5/principal.c: Add support for parsing enterprise-names.
1004
* lib/krb5/krb5.h: Add KRB5_PRINCIPAL_PARSE_ENTERPRISE.
1006
* lib/hdb/hdb-ldap.c: Make work again.
1008
2007-02-11 Dave Love <fx@gnu.org>
1010
* kcm/client.c (kcm_ccache_new_client): Cast snprintf'ed value.
1012
2007-02-10 Love H�rnquist �strand <lha@it.su.se>
1014
* doc/setup.texi: prune trailing space
1016
* lib/hdb/db.c: Be better at setting and clearing error string.
1018
* lib/hdb/hdb.c: Be better at setting and clearing error string.
1020
2007-02-09 Love H�rnquist �strand <lha@it.su.se>
1022
* lib/krb5/keytab.c (krb5_kt_get_entry): Use krb5_kt_get_full_name
1023
to print out the keytab name.
1025
* doc/setup.texi: Spelling, from Guido Guenther
1027
2007-02-08 Love H�rnquist �strand <lha@it.su.se>
1029
* lib/krb5/rd_cred.c: Plug memory leak, from Michael B Allen.
1031
2007-02-06 Love H�rnquist �strand <lha@it.su.se>
1033
* lib/krb5/test_store.c (test_uint16): unsigned ints can't be
1036
2007-02-03 Love H�rnquist �strand <lha@it.su.se>
1038
* kdc/pkinit.c: pass extra flags for detached signatures.
1040
* lib/krb5/pkinit.c: pass extra flags for detached signatures.
1042
* kdc/digest.c: Remove debug output.
1044
* kuser/kdigest.c: Add support for ms-chap-v2 client.
1046
2007-02-02 Love H�rnquist �strand <lha@it.su.se>
1048
* kdc/digest.c: Fix ms-chap-v2 get_masterkey
1050
* kdc/digest.c: Fix ms-chap-v2 mutual response auth code.
1052
* kuser/kdigest.c: Print session key if there is one.
1054
* lib/krb5/digest.c: rename hash-a1 to session key
1056
* kdc/digest.c: Add get_master from RFC 3079 3.4 for MS-CHAP-V2
1058
* kuser/kdigest.c: print rsp if there is one, from Klas.
1060
* kdc/digest.c: Use right size, from Klas Lindfors.
1062
* kuser/kdigest.c: Set client nonce if avaible, from Klas.
1064
* kdc/digest.c: First version from kllin.
1066
* kuser/kdigest.c: Don't restrict the type.
1068
2007-02-01 Love H�rnquist �strand <lha@it.su.se>
1070
* kuser/kdigest-commands.in: add --client-response
1072
* kuser/kdigest.c: Print status instead of response.
1074
* kdc/digest.c: Better logging and return status = FALSE when
1075
checksum doesn't match.
1077
* kdc/digest.c: Check the digest response in the KDC.
1079
* lib/krb5/digest.c: New functions to send in requestResponse to
1080
KDC and get status of the request.
1082
* kdc/digest.c: Add support for MS-CHAP v2.
1084
* lib/hdb/hdb-ldap.c: Set hdb->hdb_db for ldap.
1086
2007-01-31 Love H�rnquist �strand <lha@it.su.se>
1088
* fix-export: Make hx509.info too
1090
* kdc/digest.c: don't verify identifier in CHAP, its the client
1093
2007-01-23 Love H�rnquist �strand <lha@it.su.se>
1095
* lib/krb5/Makefile.am: Basic test of prf.
1097
* lib/krb5/test_prf.c: Basic test of prf.
1099
* lib/krb5/mit_glue.c: Add MIT glue for Kerberos RFC 3961 PRF
1102
* lib/krb5/crypto.c: Add Kerberos RFC 3961 PRF functions.
1104
* lib/krb5/krb5_data.3: Document krb5_data_cmp.
1106
* lib/krb5/data.c: Add krb5_data_cmp.
1108
2007-01-20 Love H�rnquist �strand <lha@it.su.se>
1110
* kdc/kx509.c: Don't use C99 syntax.
1112
2007-01-17 Love H�rnquist �strand <lha@it.su.se>
1114
* configure.in: its LIBADD_roken (and shouldn't really exist, our
1115
libtool usage it broken)
1117
* configure.in: Add an extra variable for roken, LIBADD, that
1118
should be used for library depencies.
1120
* lib/krb5/send_to_kdc.c (krb5_sendto): zero out receive buffer.
1122
* lib/krb5/krb5_init_context.3: fix mdoc errors
1124
* Heimdal 0.8 branch cut today
1126
* doc/hx509.texi: Spelling and more about proxy certificates.
1128
* configure.in: check for arc4random
1130
2007-01-16 Love H�rnquist �strand <lha@it.su.se>
1132
* lib/krb5/send_to_kdc.c (krb5_sendto): zero receive krb5_data
1135
* tools/heimdal-build.sh: make cvs keep quiet
1137
* kuser/kverify.c: Use argument as principal if passed an
1138
argument. Bug report from Douglas E. Engert
1140
2007-01-15 Love H�rnquist �strand <lha@it.su.se>
1142
* lib/krb5/rd_req.c (krb5_rd_req_ctx): The code failed to consider
1143
the enc_tkt_in_skey case, from Douglas E. Engert.
1145
* kdc/kx509.c: Issue certificates.
1147
* kdc/config.c: Parse kx509/kca configuration.
1149
* kdc/kdc.h: add kx509 config
1151
2007-01-14 Love H�rnquist �strand <lha@it.su.se>
1153
* kdc/kerberos5.c (_kdc_find_padata): if there is not padata,
1154
there is nothing find.
1156
* doc/hx509.texi: Examples for pk-init.
1158
* doc/hx509.texi: About extending ca lifetime and sub cas.
1160
2007-01-13 Love H�rnquist �strand <lha@it.su.se>
1162
* doc/hx509.texi: More about certificates.
1164
2007-01-12 Love H�rnquist �strand <lha@it.su.se>
1166
* doc/hx509.texi: add Application requirements and write about
1169
2007-01-11 Love H�rnquist �strand <lha@it.su.se>
1171
* doc/hx509.texi: More about issuing certificates.
1173
* doc/hx509.texi: Start of a x.509 manual.
1175
* include/Makefile.am: remove install headerfiles
1177
* lib/krb5/test_pac.c: Use more interesting data to cause more
1180
* include/Makefile.am: remove install headerfiles
1182
* lib/krb5/mcache.c: MCC_CURSOR not used, remove.
1184
* lib/krb5/crypto.c: macro kcrypto_oid_enc now longer used
1186
* lib/krb5/rd_safe.c (krb5_rd_safe): set length before trying to
1189
2007-01-10 Love H�rnquist �strand <lha@it.su.se>
1191
* doc/setup.texi: Hint about hxtool validate.
1193
* appl/test/uu_server.c: print both "server" and "client"
1195
* kdc/krb5tgs.c: Rename keys to be more obvious what they do.
1197
* kdc/kerberos5.c: Use other keys to sign PAC with. From Andrew
1200
* kdc/windc.c: ident, spelling.
1202
* kdc/windc_plugin.h: indent.
1204
* kdc/krb5tgs.c: Pass down server entry to verify_pac function.
1205
from Andrew Bartlett
1207
* kdc/windc.c: pass down server entry to verify_pac function, from
1210
* kdc/windc_plugin.h: pass down server entry to verify_pac
1211
function, from Andrew Bartlett
1213
* configure.in: Provide a automake symbol ENABLE_SHARED if shared
1214
libraries are built.
1216
* lib/krb5/rd_req.c (krb5_rd_req_ctx): Use the correct keyblock
1217
when verifying the PAC. From Andrew Bartlett.
1219
2007-01-09 Love H�rnquist �strand <lha@it.su.se>
1221
* lib/krb5/test_pac.c: move around to code test on real PAC.
1223
* lib/krb5/pac.c: A tiny 2 char diffrence that make the code work
1226
* lib/krb5/test_pac.c: Test more PAC (note that the values used in
1227
this test is wrong, they have to be fixed when the pac code is
1230
* doc/setup.texi: Update to new hxtool issue-certificate usage
1232
* lib/krb5/init_creds_pw.c: Make sure we don't sent both ENC-TS
1233
and PK-INIT pa data, no need to expose our password protecting our
1236
* kuser/klist.c (print_cred_verbose): include ticket length in the
1239
2007-01-08 Love H�rnquist �strand <lha@it.su.se>
1241
* lib/krb5/acache.c (loadlib): pass RTLD_LAZY to dlopen, without
1242
it linux is unhappy.
1244
* lib/krb5/plugin.c (loadlib): pass RTLD_LAZY to dlopen, without
1245
it linux is unhappy.
1247
* lib/krb5/name-45-test.c: One of the hosts I sometimes uses is
1248
named "bar.domain", this make one of the tests pass when it
1251
2007-01-05 Love H�rnquist �strand <lha@it.su.se>
1253
* doc/setup.texi: Change --key argument to --out-key.
1255
* kuser/kimpersonate.1: mangle my name
1257
2007-01-04 Love H�rnquist �strand <lha@it.su.se>
1259
* doc/setup.texi: describe how to use hx509 to create
1262
* tools/heimdal-build.sh: Add --distcheck.
1264
* kdc/kerberos5.c: Check for KRB5_PADATA_PA_PAC_REQUEST to check
1265
if we should include the PAC in the krbtgt.
1267
* kdc/pkinit.c (_kdc_as_rep): check if
1268
krb5_generate_random_keyblock failes.
1270
* kdc/kerberos5.c (_kdc_as_rep): check if
1271
krb5_generate_random_keyblock failes.
1273
* kdc/krb5tgs.c (tgs_build_reply): check if
1274
krb5_generate_random_keyblock failes.
1276
* kdc/krb5tgs.c: Scope etype.
1278
* lib/krb5/rd_req.c: Make it possible to turn off PAC check, its
1281
* lib/krb5/rd_req.c (krb5_rd_req_ctx): If there is a PAC, verify
1282
its server signature.
1284
* kdc/kerberos5.c (_kdc_as_rep): call windc client access hook.
1285
(_kdc_tkt_add_if_relevant_ad): constify in data argument.
1287
* kdc/windc_plugin.h: More comments add a client_access hook.
1289
* kdc/windc.c: Add _kdc_windc_client_access.
1291
* kdc/krb5tgs.c: rename functions after export some more pac
1294
* lib/krb5/test_pac.c: export some more pac functions.
1296
* lib/krb5/pac.c: export some more pac functions.
1298
* kdc/krb5tgs.c: Resign the PAC in tgsreq if we have a PAC.
1300
* configure.in: add tests/plugin/Makefile
1302
2007-01-03 Love H�rnquist �strand <lha@it.su.se>
1304
* kdc/krb5tgs.c: Get right key for PAC krbtgt verification.
1306
* kdc/config.c: spelling
1308
* lib/krb5/krb5.h: typedef for krb5_pac.
1310
* kdc/headers.h: Include <windc_plugin.h>.
1312
* kdc/Makefile.am: Include windc.c and use windc_plugin.h
1314
* kdc/krb5tgs.c: Call callbacks for emulating a Windows Domain
1317
* kdc/kerberos5.c: Call callbacks for emulating a Windows Domain
1318
Controller. Move the some of the log related stuff to its own
1321
* kdc/config.c: Init callbacks for emulating a Windows Domain
1324
* kdc/windc.c: Rename the init function to windc instead of pac.
1326
* kdc/windc.c: Callbacks specific to emulating a Windows Domain
1329
* kdc/windc_plugin.h: Callbacks specific to emulating a Windows
1332
* lib/krb5/Makefile.am: add krb5_HEADERS to build_HEADERZ
1334
* lib/krb5/pac.c: Support all keyed checksum types.
1336
2007-01-02 Love H�rnquist �strand <lha@it.su.se>
1338
* lib/krb5/pac.c (krb5_pac_get_types): Return list of types.
1340
* lib/krb5/test_pac.c: test krb5_pac_get_types
1342
* lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA.
1344
* lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA.
1346
* lib/krb5/krb5.h: Add KRB5_KRBHST_KCA.
1348
* lib/krb5/test_pac.c: test Add/remove pac buffer functions.
1350
* lib/krb5/pac.c: Add/remove pac buffer functions.
1352
* lib/krb5/pac.c: sprinkle const
1354
* lib/krb5/pac.c: rename DCHECK to CHECK