4afabfdf3a
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17886 ec53bebd-3082-4978-b11e-865c3cabbd6b
981 lines
29 KiB
Plaintext
981 lines
29 KiB
Plaintext
2006-08-18 Love Hörnquist Åstrand <lha@it.kth.se>
|
||
|
||
* kdc/{Makefile.am,kdigest.c,kdigest-commands.in}:
|
||
Frontend for remote digest service in KDC
|
||
|
||
* lib/krb5/krb5_storage.3: Document krb5_{ret,store}_stringnl
|
||
functions.
|
||
|
||
* lib/krb5/store.c: Add krb5_{ret,store}_stringnl functions,
|
||
stores/retrieves a \n terminated string.
|
||
|
||
* lib/krb5/krb5_locl.h: Default to address-less tickets.
|
||
|
||
* lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error): clear
|
||
error string on error.
|
||
|
||
2006-07-20 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/crypto.c: remove aes-192 (CMS)
|
||
|
||
* lib/krb5/crypto.c: Remove more CMS bits.
|
||
|
||
* lib/krb5/crypto.c: Remove CMS symmetric encryption support.
|
||
|
||
2006-07-13 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kdc/pkinit.c (_kdc_pk_check_client): make it not crash when
|
||
there are no acl
|
||
|
||
* kdc/pkinit.c (_kdc_pk_check_client): use the acl in the kerberos
|
||
database
|
||
|
||
* lib/hdb/hdb.asn1: Rename HDB-Ext-PKINIT-certificate to
|
||
HDB-Ext-PKINIT-hash. Add trust anchor to HDB-Ext-PKINIT-acl.
|
||
|
||
* lib/hdb/Makefile.am: rename asn1_HDB_Ext_PKINIT_certificate to
|
||
asn1_HDB_Ext_PKINIT_hash
|
||
|
||
* lib/hdb/ext.c: Add hdb_entry_get_pkinit_hash().
|
||
|
||
2006-07-10 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kuser/kinit.c: If --password-file gets STDIN, read the password
|
||
from the standard input.
|
||
|
||
* kuser/kinit.1: Document --password-file=STDIN.
|
||
|
||
* lib/krb5/krb5_string_to_key.3: Remove duplicate to.
|
||
|
||
2006-07-06 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kdc/krb5tgs.c: (tgs_build_reply): when checking for removed
|
||
principals, check the second component of the krbtgt, otherwise
|
||
cross realm wont work. Prompted by report from Mattias Amnefelt.
|
||
|
||
2006-07-05 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kdc/connect.c (handle_vanilla_tcp): use unsigned integer for for
|
||
length
|
||
(handle_tcp): if the high bit it set in the unknown case, send
|
||
back a KRB_ERR_FIELD_TOOLONG
|
||
|
||
2006-07-03 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* appl/gssmask/gssmaestro.c: Add get_version_capa, cache
|
||
target_name.
|
||
|
||
* appl/gssmask/gssmask.c: use utname() to find the local hostname
|
||
and version of operatingsystem
|
||
|
||
* appl/gssmask/common.h: include <sys/utsname.h>
|
||
|
||
* appl/gssmask/gssmask.c: break out creation of a client and make
|
||
handleServer pthread_create compatible
|
||
|
||
* appl/gssmask/gssmaestro.c: break out out the build context
|
||
function
|
||
|
||
2006-07-01 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* appl/gssmask/gssmaestro.c: externalize slave handling, add
|
||
GetTargetName glue
|
||
|
||
* appl/gssmask/gssmaestro.c: externalize principal/password handling
|
||
|
||
* lib/krb5/principal.c (krb5_parse_name): set *principal to NULL
|
||
the first thing we do, so that on failure its set to a known value
|
||
|
||
* appl/gssmask/gssmask.c: AcquireCreds: set principal to NULL to
|
||
avoid memory corruption GetTargetName: always send a string, even
|
||
though we don't have a targetname
|
||
|
||
* appl/gssmask: break out common function; add gssmaestro (that
|
||
only tests one context for now)
|
||
|
||
2006-06-30 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/store_fd.c (krb5_storage_from_fd): don't leak fd on
|
||
malloc failure
|
||
|
||
* appl/gssmask/gssmask.c: split out fetching of credentials for
|
||
easier reuse for pk-init testing
|
||
|
||
* appl/gssmask: maggot replacement, handles context testing
|
||
|
||
* lib/krb5/cache.c (krb5_cc_new_unique): use KRB5_DEFAULT_CCNAME
|
||
as the default prefix
|
||
|
||
2006-06-28 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* doc/heimdal.texi: Add Doug Rabson's license
|
||
|
||
2006-06-22 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/init_creds.c: Add storing and getting KRB-ERROR in the
|
||
krb5_get_init_creds_opt structure.
|
||
|
||
* lib/krb5/init_creds_pw.c: Save KRB-ERROR on error.
|
||
|
||
* lib/krb5/krb5_locl.h (_krb5_get_init_creds_opt_private): add
|
||
KRB-ERROR
|
||
|
||
2006-06-21 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* doc/setup.texi: section about verify_krb5_conf and kadmin check
|
||
|
||
2006-06-15 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/init_creds_pw.c (get_init_creds_common): drop cred
|
||
argument, its unused
|
||
|
||
* lib/krb5/Makefile.am: install krb5_get_creds.3
|
||
|
||
* lib/krb5/krb5_get_creds.3: new file
|
||
|
||
2006-06-14 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/hdb/hdb-ldap.c: don't use the sambaNTPassword if there is
|
||
ARCFOUR key already. Idea from Andreas Hasenack. While here, set
|
||
pw change time using sambaPwdLastSet
|
||
|
||
* kdc/kerberos4.c: Use enable_v4_per_principal and check the new
|
||
hdb flag.
|
||
|
||
* kdc/kdc.h: Add enable_v4_per_principal
|
||
|
||
2006-06-12 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kdc/kerberos5.c (_kdc_as_rep): if kdc_time +
|
||
config->kdc_warn_pwexpire is past pw_end, add expiration
|
||
message. From Bernard Antoine.
|
||
|
||
* kdc/default_config.c (krb5_kdc_default_config): set
|
||
kdc_warn_pwexpire to 0
|
||
|
||
* kdc/kerberos5.c: indent.
|
||
|
||
2006-06-07 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kdc/kerberos5.c: constify
|
||
|
||
2006-06-06 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/get_cred.c: Allow setting additional tickets in the
|
||
tgs-req
|
||
|
||
* kuser/kgetcred.c: add --delegation-credential-cache
|
||
|
||
* kdc/krb5tgs.c (tgs_build_reply): add constrained delegation.
|
||
|
||
* kdc/krb5tgs.c: Add impersonation.
|
||
|
||
* kuser/kgetcred.c: use new krb5_get_creds interface, add
|
||
impersonation.
|
||
|
||
* lib/krb5/get_cred.c (krb5_get_creds): add
|
||
KRB5_GC_NO_TRANSIT_CHECK
|
||
|
||
* lib/krb5/misc.c: Add impersonate support functions.
|
||
|
||
* lib/krb5/get_cred.c: Add impersonate and new krb5_get_creds interface.
|
||
|
||
* lib/hdb/hdb.asn1 (HDBFlags): add trusted-for-delegation
|
||
|
||
* lib/krb5/krb5.h: Add krb5_get_creds_opt_data and some more
|
||
KRB5_GC flags.
|
||
|
||
2006-06-01 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/hdb/ext.c (hdb_entry_get_ConstrainedDelegACL): new function.
|
||
|
||
* lib/krb5/pkinit.c: Avoid more shadowing.
|
||
|
||
* kdc/connect.c (do_request): clean reply with krb5_data_zero
|
||
|
||
* kdc/krb5tgs.c: Split up the reverse cross krbtgt check and local
|
||
clien must exists test.
|
||
|
||
* kdc/krb5tgs.c: Plug old memory leaks, unify all goto's.
|
||
|
||
* kdc/krb5tgs.c: Split tgs_rep2 into tgs_parse_request and
|
||
tgs_build_reply.
|
||
|
||
* kdc/kerberos5.c: split out krb5 tgs req to make it easier to
|
||
reorganize the code.
|
||
|
||
2006-05-29 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/krb5_get_init_creds.3: spelling Björn Sandell
|
||
|
||
* lib/krb5/krb5_get_in_cred.3: spelling Björn Sandell
|
||
|
||
2006-05-13 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kpasswd/kpasswdd.c (change): select the realm based on the
|
||
target principal From Gabor Gombas
|
||
|
||
* lib/krb5/krb5_get_init_creds.3: Add KRB5_PROMPT_TYPE_INFO
|
||
|
||
* lib/krb5/krb5.h: Add KRB5_PROMPT_TYPE_INFO
|
||
|
||
2006-05-12 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/pkinit.c: Hidden field of hx509 prompter is removed.
|
||
Fix a warning.
|
||
|
||
* doc/setup.texi: Point to more examples, hint that you have to
|
||
use openssl 0.9.8a or later.
|
||
|
||
* doc/setup.texi: DIR now handles both PEM and DER.
|
||
|
||
* kuser/kinit.c: Pass down prompter and password to
|
||
krb5_get_init_creds_opt_set_pkinit.
|
||
|
||
* lib/krb5/pkinit.c (_krb5_pk_load_id): only use password if its
|
||
longer then 0
|
||
|
||
* doc/ack.texi: Add Jason McIntyre.
|
||
|
||
* lib/krb5/krb5_acl_match_file.3: Various tweaks, from Jason
|
||
McIntyre.
|
||
|
||
2006-05-11 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kuser/kinit.c: Move parsing of the PK-INIT configuration file to
|
||
the library so application doesn't need to deal with it.
|
||
|
||
* lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit): move
|
||
parsing of the configuration file to the library so application
|
||
doesn't need to deal with it.
|
||
|
||
* lib/krb5/pkinit.c (_krb5_pk_load_id): pass the hx509_lock to
|
||
when trying to read the user certificate.
|
||
|
||
* lib/krb5/pkinit.c (hx_pass_prompter): return 0 on success and 1
|
||
on failure. Pointed out by Douglas E. Engert.
|
||
|
||
2006-05-08 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/crypto.c: Catches both keyed checkout w/o crypto
|
||
context cases and doesn't reset the string, and corrects the
|
||
grammar.
|
||
|
||
* lib/krb5/crypto.c: Drop aes-cbc, rc2 and CMS padding support,
|
||
its all containted in libhcrypto and libhx509 now.
|
||
|
||
2006-05-07 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/pkinit.c (_krb5_pk_verify_sign): Use
|
||
hx509_get_one_cert.
|
||
|
||
* lib/krb5/crypto.c (create_checksum): provide a error message
|
||
that a key checksum needs a key. From Andew Bartlett.
|
||
|
||
2006-05-06 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/pkinit.c: Now that hcrypto supports DH, remove check
|
||
for hx509 null DH.
|
||
|
||
* kdc/pkinit.c: Don't call DH_check_pubkey, it doesn't exists in
|
||
older OpenSSL.
|
||
|
||
* doc/heimdal.texi: Add blob about imath.
|
||
|
||
* doc/ack.texi: Add blob about imath.
|
||
|
||
* include/make_crypto.c: Move up evp.h to please OpenSSL, from
|
||
Douglas E. Engert.
|
||
|
||
* kcm/acl.c: Multicache kcm interation isn't done yet, let wait
|
||
with this enum.
|
||
|
||
2006-05-05 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/krb5_set_default_realm.3: Spelling/mdoc from Björn
|
||
Sandell
|
||
|
||
* lib/krb5/krb5_rcache.3: Spelling/mdoc from Björn Sandell
|
||
|
||
* lib/krb5/krb5_keytab.3: Spelling/mdoc from Björn Sandell
|
||
|
||
* lib/krb5/krb5_get_in_cred.3: Spelling/mdoc from Björn Sandell
|
||
|
||
* lib/krb5/krb5_expand_hostname.3: Spelling/mdoc from Björn
|
||
Sandell
|
||
|
||
* lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc from Björn
|
||
Sandell
|
||
|
||
* lib/krb5/keytab_file.c (fkt_next_entry_int): read the 32 bit
|
||
kvno if the reset of the data is longer then 4 bytes in hope to be
|
||
forward compatible. Pointed out by Michael B Allen.
|
||
|
||
* doc/programming.texi: Add fileformats.
|
||
|
||
* appl/test: Rename u_intXX_t to uintXX_t
|
||
|
||
* kuser: Rename u_intXX_t to uintXX_t
|
||
|
||
* kdc: Rename u_intXX_t to uintXX_t
|
||
|
||
* lib/hdb: Rename u_intXX_t to uintXX_t
|
||
|
||
* lib/45]: Rename u_intXX_t to uintXX_t
|
||
|
||
* lib/krb5: Rename u_intXX_t to uintXX_t
|
||
|
||
* lib/krb5/Makefile.am: Add test_store to TESTS
|
||
|
||
* lib/krb5/pkinit.c: Catch using hx509 null DH and print a more
|
||
useful error message.
|
||
|
||
* lib/krb5/store.c: Rewrite the krb5_ret_u as proposed by Johan.
|
||
|
||
2006-05-04 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kdc/kerberos4.c: Use the new unsigned integer storage types.
|
||
|
||
* kdc/kaserver.c: Use the new unsigned integer storage
|
||
types. Sprinkle some error handling.
|
||
|
||
* lib/krb5/krb5_storage.3: Document ret and store function for the
|
||
unsigned fixed size integer types.
|
||
|
||
* lib/krb5/v4_glue.c: Use the new unsigned integer storage
|
||
types. Fail that the address doesn't match, not the reverse.
|
||
|
||
* lib/krb5/store.c: Add ret and store function for the unsigned
|
||
fixed size integer types.
|
||
|
||
* lib/krb5/test_store.c: Test the integer storage types.
|
||
|
||
2006-05-03 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/store.c (krb5_store_principal): make it take a
|
||
krb5_const_principal, indent
|
||
|
||
* lib/krb5/krb5_storage.3: krb5_store_principal takes a
|
||
krb5_const_principal
|
||
|
||
* lib/krb5/pkinit.c: Deal with that hx509_prompt.reply is no
|
||
longer a pointer.
|
||
|
||
* kdc/kdc.h (krb5_kdc_configuration): add pkinit_kdc_ocsp_file
|
||
|
||
* kdc/config.c: read [kdc]pki-kdc-ocsp
|
||
|
||
2006-05-02 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kdc/pkinit.c (_kdc_pk_mk_pa_reply): send back ocsp response if
|
||
it seems to be valid, simplfy the pkinit-windows DH case (it
|
||
doesn't exists).
|
||
|
||
2006-05-01 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/krb5_warn.3: Spelling/mdoc changes, from Björn Sandell.
|
||
|
||
* lib/krb5/krb5_verify_user.3: Spelling/mdoc changes, from Björn
|
||
Sandell.
|
||
|
||
* lib/krb5/krb5_verify_init_creds.3: Spelling/mdoc changes, from
|
||
Björn Sandell.
|
||
|
||
* lib/krb5/krb5_timeofday.3: Spelling/mdoc changes, from Björn
|
||
Sandell.
|
||
|
||
* lib/krb5/krb5_ticket.3: Spelling/mdoc changes, from Björn
|
||
Sandell.
|
||
|
||
* lib/krb5/krb5_rd_safe.3: Spelling/mdoc changes, from Björn
|
||
Sandell.
|
||
|
||
* lib/krb5/krb5_rcache.3: Spelling/mdoc changes, from Björn
|
||
Sandell.
|
||
|
||
* lib/krb5/krb5_principal.3: Spelling/mdoc changes, from Björn
|
||
Sandell.
|
||
|
||
* lib/krb5/krb5_parse_name.3: Spelling/mdoc changes, from Björn
|
||
Sandell.
|
||
|
||
* lib/krb5/krb5_mk_safe.3: Spelling/mdoc changes, from Björn
|
||
Sandell.
|
||
|
||
* lib/krb5/krb5_keyblock.3: Spelling/mdoc changes, from Björn
|
||
Sandell.
|
||
|
||
* lib/krb5/krb5_is_thread_safe.3: Spelling/mdoc changes, from
|
||
Björn Sandell.
|
||
|
||
* lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes,
|
||
from Björn Sandell.
|
||
|
||
* lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes,
|
||
from Björn Sandell.
|
||
|
||
* lib/krb5/krb5_expand_hostname.3: Spelling/mdoc changes, from
|
||
Björn Sandell.
|
||
|
||
* lib/krb5/krb5_check_transited.3: Spelling/mdoc changes, from
|
||
Björn Sandell.
|
||
|
||
* lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc changes, from
|
||
Björn Sandell.
|
||
|
||
* lib/krb5/krb5_address.3: Spelling/mdoc changes, from
|
||
Björn Sandell.
|
||
|
||
* lib/krb5/krb5_acl_match_file.3: Spelling/mdoc changes, from
|
||
Björn Sandell.
|
||
|
||
* lib/krb5/krb5.3: Spelling, from Björn Sandell.
|
||
|
||
* doc/ack.texi: add Björn
|
||
|
||
2006-04-30 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/pkinit.c (cert2epi): don't include subject if its null
|
||
|
||
2006-04-29 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/pkinit.c: Send over what trust anchors the client have
|
||
configured.
|
||
|
||
* lib/krb5/pkinit.c (pk_verify_host): set better error string,
|
||
only check kdc name/address when we got a hostname/address passed
|
||
in the the function.
|
||
|
||
* kdc/pkinit.c (_kdc_pk_check_client): reorganize and make log
|
||
when a SAN matches.
|
||
|
||
2006-04-28 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* doc/setup.texi: More options and some text about windows
|
||
clients, certificate and KDCs.
|
||
|
||
* doc/setup.texi: notice about pki-mappings file space sensitive
|
||
|
||
* doc/setup.texi: Example pki-mapping file.
|
||
|
||
* lib/krb5/pkinit.c (pk_verify_host): verify hostname/address
|
||
|
||
* lib/hdb/hdb.h: Bump hdb interface version to 4.
|
||
|
||
2006-04-27 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kuser/kdestroy.1: Document --credential=principal.
|
||
|
||
* kdc/kerberos5.c (tgs_rep2): check that the client exists in the
|
||
kerberos database if its local request.
|
||
|
||
* kdc/{misc.c,524.c,kaserver.c,kerberos5.c}: pass down HDB_F_GET_
|
||
flags as appropriate
|
||
|
||
* kdc/kerberos4.c (_kdc_db_fetch4): pass down flags though
|
||
krb5_425_conv_principal_ext2
|
||
|
||
* kdc/misc.c (_kdc_db_fetch): Break out the that we request from
|
||
principal from the entry and pass it in as a seprate argument.
|
||
|
||
* lib/hdb/keytab.c (hdb_get_entry): Break out the that we request
|
||
from principal from the entry and pass it in as a seprate
|
||
argument.
|
||
|
||
* lib/hdb/common.c: Break out the that we request from principal
|
||
from the entry and pass it in as a seprate argument.
|
||
|
||
* lib/hdb/hdb.h: Break out the that we request from principal from
|
||
the entry and pass it in as a seprate argument. Add more flags to
|
||
->hdb_get(). Re-indent.
|
||
|
||
2006-04-26 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* doc/setup.texi: document pki-allow-proxy-certificate
|
||
|
||
* kdc/pkinit.c: Add option [kdc]pki-allow-proxy-certificate=bool
|
||
to allow using proxy certificate.
|
||
|
||
* lib/krb5/pkinit.c (_krb5_pk_allow_proxy_certificates): expose
|
||
hx509_verify_set_proxy_certificate
|
||
|
||
* kdc/pkinit.c (_kdc_pk_check_client): Use
|
||
hx509_cert_get_base_subject to get subject name of the
|
||
certificate, needed for proxy certificates.
|
||
|
||
* kdc/kerberos5.c: Now that find_keys speaks for it self, remove
|
||
extra logging.
|
||
|
||
* kdc/kerberos5.c (find_keys): add client_name and server_name
|
||
argument and use them, and adapt callers.
|
||
|
||
2006-04-25 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kuser/kinit.1: document option password-file
|
||
|
||
* kuser/kinit.c: Add option password-file, read password from the
|
||
first line of a file.
|
||
|
||
* configure.in: make tests/kdc/Makefile
|
||
|
||
* kdc/kerberos5.c: Catch the case where the client sends no
|
||
encryption types or no pa-types.
|
||
|
||
* lib/hdb/ext.c (hdb_replace_extension): set error message on
|
||
failure, not success.
|
||
|
||
* lib/hdb/keys.c (parse_key_set): handle error case better
|
||
(hdb_generate_key_set): return better error
|
||
|
||
2006-04-24 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/hdb/hdb.c (hdb_create): print out what we don't support
|
||
|
||
* lib/krb5/principal.c: Remove a double free introduced in 1.93
|
||
|
||
* lib/krb5/log.c (log_file): reset pointer to freed memory
|
||
|
||
* lib/krb5/keytab_keyfile.c (get_cell_and_realm): reset d->cell to
|
||
make sure its not refereced
|
||
|
||
* tools/krb5-config.in: libhcrypto might depend on libasn1, switch
|
||
order
|
||
|
||
* lib/krb5/recvauth.c: indent
|
||
|
||
* doc/heimdal.texi: Add Setting up PK-INIT to Detailed Node
|
||
Listing.
|
||
|
||
* lib/krb5/pkinit.c: Pass down realm to pk_verify_host so the
|
||
function can verify the certificate is from the right realm.
|
||
|
||
* lib/krb5/init_creds_pw.c: Pass down realm to
|
||
_krb5_pk_rd_pa_reply
|
||
|
||
2006-04-23 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/pkinit.c (pk_verify_host): Add begining of finding
|
||
subjectAltName_otherName pk-init-san and verifing it.
|
||
|
||
* lib/krb5/sendauth.c: reindent
|
||
|
||
* doc/Makefile.am: use --no-split to make one large file, mostly
|
||
for html
|
||
|
||
* doc/setup.texi: "document" pkinit_require_eku and
|
||
pkinit_require_krbtgt_otherName
|
||
|
||
* lib/krb5/pkinit.c: Add pkinit_require_eku and
|
||
pkinit_require_krbtgt_otherName
|
||
|
||
* doc/setup.texi: Add text about pk-init
|
||
|
||
* tools/kdc-log-analyze.pl: count v5 cross realms too
|
||
|
||
2006-04-22 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kdc/pkinit.c: Adapt to change in hx509_cms_create_signed_1.
|
||
|
||
* lib/krb5/pkinit.c: Adapt to change in hx509_cms_create_signed_1.
|
||
|
||
2006-04-20 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kdc/pkinit.c (_kdc_pk_rd_padata): use
|
||
hx509_cms_unwrap_ContentInfo.
|
||
|
||
* kdc/config.c: unbreak
|
||
|
||
* lib/krb5/pkinit.c: Handle diffrences between libhcrypto and
|
||
libcrypto.
|
||
|
||
* kdc/config.c: Rename pki-chain to pki-pool to match rest of
|
||
code.
|
||
|
||
2006-04-12 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/rd_priv.c: Fix argument to krb5_data_zero.
|
||
|
||
* kdc/config.c: Added certificate revoke information from
|
||
configuration file.
|
||
|
||
* kdc/pkinit.c: Added certificate revoke information.
|
||
|
||
* kuser/kinit.c: Added certificate revoke information from
|
||
configuration file.
|
||
|
||
* lib/krb5/pkinit.c (_krb5_pk_load_id): Added certificate revoke
|
||
information, ie CRL's
|
||
|
||
2006-04-10 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/replay.c (krb5_rc_resolve_full): make compile again.
|
||
|
||
* lib/krb5/keytab_krb4.c (krb4_kt_start_seq_get_int): make compile
|
||
again.
|
||
|
||
* lib/krb5/transited.c (make_path): make sure we return allocated
|
||
memory Coverity, NetBSD CID#1892
|
||
|
||
* lib/krb5/transited.c (make_path): make sure we return allocated
|
||
memory Coverity, NetBSD CID#1892
|
||
|
||
* lib/krb5/rd_req.c (krb5_verify_authenticator_checksum): on
|
||
protocol failure, avoid leaking memory Coverity, NetBSD CID#1900
|
||
|
||
* lib/krb5/principal.c (krb5_parse_name): remember to free realm
|
||
in case of error Coverity, NetBSD CID#1883
|
||
|
||
* lib/krb5/principal.c (krb5_425_conv_principal_ext2): remove
|
||
memory leak in case of weird formated dns replys.
|
||
Coverity, NetBSD CID#1885
|
||
|
||
* lib/krb5/replay.c (krb5_rc_resolve_full): don't return pointer
|
||
to a allocated krb5_rcache in case of error.
|
||
|
||
* lib/krb5/log.c (krb5_addlog_dest): free fn in case of error
|
||
Coverity, NetBSD CID#1882
|
||
|
||
* lib/krb5/keytab_krb4.c: Fix deref before NULL check, fix error
|
||
handling. Coverity, NetBSD CID#2369
|
||
|
||
* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
|
||
in_creds->client should always be set, assume so.
|
||
|
||
* lib/krb5/keytab_any.c (any_next_entry): restructure to make it
|
||
easier to read Fixes Coverity, NetBSD CID#625
|
||
|
||
* lib/krb5/crypto.c (krb5_string_to_key_derived): deref after NULL
|
||
check. Coverity NetBSD CID#2367
|
||
|
||
* lib/krb5/build_auth.c (krb5_build_authenticator): use
|
||
calloc. removed check that was never really used. Coverity NetBSD
|
||
CID#2370
|
||
|
||
2006-04-09 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/rd_req.c (krb5_verify_ap_req2): make sure `ticket´
|
||
points to NULL in case of error, add error handling, use calloc.
|
||
|
||
* kpasswd/kpasswdd.c (doit): when done, close all fd in the
|
||
sockets array and free it. Coverity NetBSD CID#1916
|
||
|
||
2006-04-08 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/store.c (krb5_ret_principal): fix memory leak Coverity,
|
||
NetBSD CID#1695
|
||
|
||
* kdc/524.c (_kdc_do_524): Handle memory allocation failure
|
||
Coverity, NetBSD CID#2752
|
||
|
||
2006-04-07 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/keytab_file.c (krb5_kt_ret_principal): plug a memory
|
||
leak Coverity NetBSD CID#1890
|
||
|
||
* kdc/hprop.c (main): make sure type doesn't need to be set
|
||
|
||
* kdc/mit_dump.c (mit_prop_dump): close fd when done processing
|
||
Coverity NetBSD CID#1955
|
||
|
||
* kdc/string2key.c (tokey): catch warnings, free memory after use.
|
||
Based on Coverity NetBSD CID#1894
|
||
|
||
* kdc/hprop.c (main): remove dead code. Coverity NetBSD CID#633
|
||
|
||
2006-04-04 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kpasswd/kpasswd-generator.c (read_words): catch empty file case,
|
||
will cause PBE (division by zero) later. From Tobias Stoeckmann.
|
||
|
||
2006-04-02 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/hdb/keytab.c: Remove a delta from last revision that should
|
||
have gone in later.
|
||
|
||
* lib/krb5/krbhst.c: fix spelling
|
||
|
||
* lib/krb5/send_to_kdc.c (send_and_recv_http): don't expose freed
|
||
pointer, found by IBM checker.
|
||
|
||
* lib/krb5/rd_cred.c (krb5_rd_cred): don't expose freed pointer,
|
||
found by IBM checker.
|
||
|
||
* lib/krb5/addr_families.c (krb5_make_addrport): clear return
|
||
value on error, found by IBM checker.
|
||
|
||
* kdc/kerberos5.c (check_addresses): treat netbios as no addresses
|
||
|
||
* kdc/{kerberos4,kaserver}.c: _kdc_check_flags takes hdb_entry_ex
|
||
|
||
* kdc/kerberos5.c (_kdc_check_flags): make it take hdb_entry_ex to
|
||
avoid ?:'s at callers
|
||
|
||
* lib/krb5/v4_glue.c: Avoid using free memory, found by IBM
|
||
checker.
|
||
|
||
* lib/krb5/transited.c (expand_realm): avoid passing NULL to
|
||
strlen, found by IBM checker.
|
||
|
||
* lib/krb5/rd_cred.c (krb5_rd_cred): avoid a memory leak on malloc
|
||
failure, found by IBM checker.
|
||
|
||
* lib/krb5/krbhst.c (_krb5_krbhost_info_move): replace a strcpy
|
||
with a memcpy
|
||
|
||
* lib/krb5/keytab_keyfile.c (get_cell_and_realm): plug a memory
|
||
leak, found by IBM checker.
|
||
|
||
* lib/krb5/keytab_file.c (fkt_next_entry_int): remove a
|
||
dereferencing NULL pointer, found by IBM checker.
|
||
|
||
* lib/krb5/init_creds_pw.c (init_creds_init_as_req): in AS-REQ the
|
||
cname must always be given, don't avoid that fact and remove a
|
||
cname == NULL case. Plugs a memory leak found by IBM checker.
|
||
|
||
* lib/krb5/init_creds_pw.c (default_s2k_func): avoid exposing
|
||
free-ed memory on error. Found by IBM checker.
|
||
|
||
* lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): use
|
||
calloc to avoid uninitialized memory problem.
|
||
|
||
* lib/krb5/data.c (krb5_copy_data): avoid exposing free-ed memory
|
||
on error. Found by IBM checker.
|
||
|
||
* lib/krb5/fcache.c (fcc_gen_new): fix a use after free, found by
|
||
IBM checker.
|
||
|
||
* lib/krb5/config_file.c (krb5_config_vget_strings): IBM checker
|
||
thought it found a memory leak, it didn't, but there was another
|
||
error in the code, lets fix that instead.
|
||
|
||
* lib/krb5/cache.c (_krb5_expand_default_cc_name): plug memory
|
||
leak. Found by IBM checker.
|
||
|
||
* lib/krb5/cache.c (_krb5_expand_default_cc_name): avoid return
|
||
pointer to freed memory in the error case. Found by IBM checker.
|
||
|
||
* lib/hdb/keytab.c (hdb_resolve): off by one, found by IBM
|
||
checker.
|
||
|
||
* lib/hdb/keys.c (hdb_generate_key_set): set ret_key_set before
|
||
going into the error clause and freeing key_set. Found by IBM
|
||
checker. Make sure ret == 0 after of parse error, we catch the
|
||
"no entries parsed" case later.
|
||
|
||
* lib/krb5/log.c (krb5_addlog_dest): make string length match
|
||
strings in strcasecmp. Found by IBM checker.
|
||
|
||
2006-03-30 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/hdb/hdb-ldap.c (LDAP_message2entry): in declaration set
|
||
variable_name as "hdb_entry_ex"
|
||
(hdb_ldap_common): change "arg" in condition (if) to "search_base"
|
||
(hdb_ldapi_create): change "serach_base" to "search_base" From
|
||
Alex V. Labuta.
|
||
|
||
* lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit); fix
|
||
prototype
|
||
|
||
* kuser/kinit.c: Add pool of certificates to help certificate path
|
||
building for clients sending incomplete path in the signedData.
|
||
|
||
2006-03-28 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kdc/pkinit.c: Add pool of certificates to help certificate path
|
||
building for clients sending incomplete path in the signedData.
|
||
|
||
* lib/krb5/pkinit.c: Add pool of certificates to help certificate
|
||
path building for clients sending incomplete path in the
|
||
signedData.
|
||
|
||
2006-03-27 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kdc/config.c: Allow passing in related certificates used to
|
||
build the chain.
|
||
|
||
* kdc/pkinit.c: Allow passing in related certificates used to
|
||
build the chain.
|
||
|
||
* kdc/kerberos5.c (log_patype): Add case for
|
||
KRB5_PADATA_PA_PK_OCSP_RESPONSE.
|
||
|
||
* tools/Makefile.am: Spelling
|
||
|
||
* tools/krb5-config.in: Add hx509 when using PK-INIT.
|
||
|
||
* tools/Makefile.am: Add hx509 when using PK-INIT.
|
||
|
||
2006-03-26 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/acache.c: Use ticket flags definition, might fix Mac OS
|
||
X Kerberos.app problems.
|
||
|
||
* lib/krb5/krb5_ccapi.h: Add ticket flags definitions
|
||
|
||
* lib/krb5/pkinit.c: Use less openssl, spell chelling.
|
||
|
||
* kdc/pkinit.c (pk_mk_pa_reply_dh): encode the DH public key with
|
||
asn1 wrapping
|
||
|
||
* configure.in (AC_CONFIG_FILES): add lib/hx509/Makefile
|
||
|
||
* lib/Makefile.am: Add hx509.
|
||
|
||
* lib/krb5/Makefile.am: Add libhx509.la when PKINIT is used.
|
||
|
||
* configure.in: define automake PKINIT variable
|
||
|
||
* kdc/pkinit.c: Switch to hx509.
|
||
|
||
* lib/krb5/pkinit.c: Switch to hx509.
|
||
|
||
2006-03-24 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kdc/kerberos5.c (log_patypes): log the patypes requested by the
|
||
client
|
||
|
||
2006-03-23 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/pkinit.c (_krb5_pk_rd_pa_reply): pass down the
|
||
req_buffer in the w2k case too. From Douglas E. Engert.
|
||
|
||
2006-03-19 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/mk_req_ext.c (_krb5_mk_req_internal): on failure, goto
|
||
error handling. Fixes Coverity NetBSD CID 2591 by catching a
|
||
failing krb5_copy_keyblock()
|
||
|
||
2006-03-17 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/addr_families.c (krb5_free_addresses): reset val,len in
|
||
address when free-ing. Fixes Coverity NetBSD bug #2605
|
||
(krb5_parse_address): reset val,len before possibly return errors
|
||
Fixes Coverity NetBSD bug #2605
|
||
|
||
2006-03-07 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/send_to_kdc.c (recv_loop): it should never happen, but
|
||
make sure nbytes > 0
|
||
|
||
* lib/krb5/get_for_creds.c (add_addrs): handle the case where
|
||
addr->len == 0 and n == 0, then realloc might return NULL.
|
||
|
||
* lib/krb5/crypto.c (decrypt_*): handle the case where the
|
||
plaintext is 0 bytes long, realloc might then return NULL.
|
||
|
||
2006-02-28 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/krb5_string_to_key.3: Drop krb5_string_to_key_derived.
|
||
|
||
* lib/krb5/krb5.3: Remove krb5_string_to_key_derived.
|
||
|
||
* lib/krb5/crypto.c (AES_string_to_key): drop _krb5_PKCS5_PBKDF2
|
||
and use PKCS5_PBKDF2_HMAC_SHA1 instead.
|
||
|
||
* lib/krb5/aes-test.c: reformat, avoid free-ing un-init'd memory
|
||
|
||
* lib/krb5/aes-test.c: Only use PKCS5_PBKDF2_HMAC_SHA1.
|
||
|
||
2006-02-27 Johan Danielsson <joda@pdc.kth.se>
|
||
|
||
* doc/setup.texi: remove cartouches - we don't use them anywhere
|
||
else, they should be around the example, not inside it, and
|
||
probably shouldn't be used in html at all
|
||
|
||
2006-02-18 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/krb5_warn.3: Document that applications want to use
|
||
krb5_get_error_message, add example.
|
||
|
||
2006-02-16 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/crypto.c (krb5_generate_random_block): check return
|
||
value from RAND_bytes
|
||
|
||
* lib/krb5/error_string.c: Change indentation, update (c)
|
||
|
||
2006-02-14 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/pkinit.c: Make struct krb5_dh_moduli available when
|
||
compiling w/o pkinit.
|
||
|
||
2006-02-13 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/pkinit.c: update to new paChecksum definition, update
|
||
the dhgroup handling
|
||
|
||
* kdc/pkinit.c: update to new paChecksum definition, use
|
||
hdb_entry_ex
|
||
|
||
2006-02-09 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/krb5_locl.h: Move Configurable options to last in the
|
||
file.
|
||
|
||
* lib/krb5/krb5_locl.h: Wrap KRB5_ADDRESSLESS_DEFAULT with #ifndef
|
||
|
||
2006-02-03 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kpasswd/kpasswdd.c: Send back a better error-message to the
|
||
client in case the password change was rejected.
|
||
|
||
* lib/krb5/krb5_warn.3: Document krb5_get_error_message.
|
||
|
||
* lib/krb5/error_string.c (krb5_get_error_message): new function,
|
||
and combination of krb5_get_error_string and krb5_get_err_text
|
||
|
||
* lib/krb5/krb5.3: sort, and krb5_get_error_message
|
||
|
||
* lib/hdb/hdb-ldap.c: Log the filter string to the error message
|
||
when doing searches.
|
||
|
||
* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags):
|
||
Use KRB5_ADDRESSLESS_DEFAULT when
|
||
checking [appdefault]no-addresses.
|
||
|
||
* lib/krb5/get_cred.c (get_cred_from_kdc_flags): Use
|
||
KRB5_ADDRESSLESS_DEFAULT when checking
|
||
[appdefault]no-addresses.
|
||
|
||
* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
|
||
Use [appdefault]no-addresses before checking if the krbtgt is
|
||
address-less, use KRB5_ADDRESSLESS_DEFAULT.
|
||
|
||
* lib/krb5/krb5_locl.h: Introduce KRB5_ADDRESSLESS_DEFAULT that
|
||
controlls all address-less behavior. Defaults to false.
|
||
|
||
2006-02-01 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* lib/krb5/n-fold-test.c: main is not a KRB5_LIB_FUNCTION
|
||
|
||
* lib/krb5/mk_priv.c (krb5_mk_priv): abort if ASN1_MALLOC_ENCODE
|
||
failes to produce the matching lenghts.
|
||
|
||
2006-01-27 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kcm/protocol.c (kcm_op_retrieve): remove unused variable
|
||
|
||
2006-01-15 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* tools/krb5-config.in: Move depenency on @LIB_dbopen@ to
|
||
kadm-server, kerberos library doesn't depend on db-library.
|
||
|
||
2006-01-13 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* include/Makefile.am: Don't clean crypto headers, they now live
|
||
in hcrypto/. Add hcrypto to SUBDIRS.
|
||
|
||
* include/hcrypto/Makefile.am: clean installed headers
|
||
|
||
* include/make_crypto.c: include crypto headers from hcrypto/
|
||
|
||
* include/make_crypto.c: Include more crypto headerfiles. Remove
|
||
support for old hash names.
|
||
|
||
2006-01-02 Love Hörnquist Åstrand <lha@it.su.se>
|
||
|
||
* kdc/misc.c (_kdc_db_fetch): use calloc to allocate the entry,
|
||
from Andrew Bartlet.
|
||
|
||
* Happy New Year.
|