 e172367898
			
		
	
	e172367898
	
	
	
		
			
			git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23814 ec53bebd-3082-4978-b11e-865c3cabbd6b
		
			
				
	
	
		
		
	
	
	
	
	
| 2006-12-28  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kdc/process.c: Handle kx509 requests.
 | ||
| 
 | ||
| 	* kdc/connect.c: Listen to 9878 if kca is turned on.
 | ||
| 
 | ||
| 	* kdc/headers.h: Include <kx509_asn1.h>.
 | ||
| 
 | ||
| 	* kdc/config.c: code to parse [kdc]enable-kx509
 | ||
| 
 | ||
| 	* kdc/kdc.h: add enable_kx509
 | ||
| 
 | ||
| 	* kdc/Makefile.am: add kx509.c
 | ||
| 
 | ||
| 	* kdc/kx509.c: Kx509server (external certificate generation).
 | ||
| 
 | ||
| 	* lib/krb5/ticket.c: add krb5_ticket_get_endtime
 | ||
| 
 | ||
| 	* lib/krb5/krb5_ticket.3: Document krb5_ticket_get_endtime
 | ||
| 
 | ||
| 	* kdc/digest.c: Remove <digest_asn.h>, it's already included in
 | ||
| 	headers.h
 | ||
| 
 | ||
| 	* kdc/digest.c: Return session key for the NTLMv2 case too
 | ||
| 
 | ||
| 	* lib/krb5/digest.c (krb5_ntlm_rep_get_sessionkey): return value
 | ||
| 	is krb5_error_code
 | ||
| 	
 | ||
| 2006-12-27  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/mk_req_ext.c (_krb5_mk_req_internal): use md5 for
 | ||
| 	des-cbc-md4 and des-cbc-md5.  This is for (older) windows that
 | ||
| 	will be unhappy with anything else.  From Inna Bort-Shatsky
 | ||
| 	
 | ||
| 2006-12-26  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kdc/digest.c: Prefix internal symbol with _kdc_.
 | ||
| 
 | ||
| 	* kdc/kdc.h: add digests_allowed
 | ||
| 
 | ||
| 	* kdc/digest.c: return NTLM2 targetinfo structure.
 | ||
| 
 | ||
| 	* lib/krb5/digest.c: Add krb5_ntlm_init_get_targetinfo.
 | ||
| 
 | ||
| 	* kdc/config.c: Parse digest acl's
 | ||
| 
 | ||
| 	* kdc/kdc_locl.h: forward decl;
 | ||
| 
 | ||
| 	* kdc/digest.c: Add digest acl's
 | ||
| 	
 | ||
| 2006-12-22  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* fix-export: build ntlm-private.h
 | ||
| 	
 | ||
| 2006-12-20  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* include/make_crypto.c: Include <.../hmac.h>.
 | ||
| 
 | ||
| 	* kdc/digest.c: reorder to show the slot where ntlmv2 code will be
 | ||
| 	placed.
 | ||
| 
 | ||
| 	* kdc/digest.c: Announce that we support key exchange and add bits
 | ||
| 	to detect when it wasn't used.
 | ||
| 
 | ||
| 	* kdc/digest.c: Add support for generating NTLM2 session security
 | ||
| 	answer.
 | ||
| 	
 | ||
| 2006-12-19  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* lib/krb5/digest.c: Add sessionkey accessor functions.
 | ||
| 	
 | ||
| 2006-12-18  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kdc/digest.c: Unwrap the NTLM session key and return it to the
 | ||
| 	server.
 | ||
| 	
 | ||
| 2006-12-17  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/store.c (krb5_ret_principal): Fix a bug in the malloc
 | ||
| 	failure part, noticed by Arnaud Lacombe in NetBSD coverity scan.
 | ||
| 	
 | ||
| 2006-12-15  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/fcache.c (fcc_get_cache_next): avoid const warning.
 | ||
| 
 | ||
| 	* kdc/digest.c: Support NTLM verification, note that the KDC does
 | ||
| 	no NTLM packet parsing; it's all done by the client side. The KDC
 | ||
| 	just calculates and verifies the digest and returns the result to the
 | ||
| 	service.
 | ||
| 
 | ||
| 	* kuser/kdigest.c: add ntlm-server-init
 | ||
| 
 | ||
| 	* kuser/Makefile.am: kdigest depends on libheimntlm.la
 | ||
| 
 | ||
| 	* kdc/headers.h: Include <heimntlm.h>.
 | ||
| 
 | ||
| 	* kdc/Makefile.am: libkdc needs libheimntlm.la
 | ||
| 
 | ||
| 	* autogen.sh: just run autoreconf -i -f
 | ||
| 
 | ||
| 	* lib/Makefile.am: hook in ntlm
 | ||
| 
 | ||
| 	* configure.in (AC_CONFIG_FILES): add lib/ntlm/Makefile
 | ||
| 
 | ||
| 	* lib/krb5/digest.c: API to authenticate ntlm requests.
 | ||
| 
 | ||
| 	* lib/krb5/fcache.c: Support "iteration" of file credential caches
 | ||
| 	by giving the user back the default file credential cache and only
 | ||
| 	that.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_locl.h: Expand the default root for some of the cc
 | ||
| 	type names.
 | ||
| 	
 | ||
| 2006-12-14  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* lib/krb5/init_creds_pw.c (free_paid): free the krb5_data
 | ||
| 	structure too.  Bug report from Stefan Metzmacher.
 | ||
| 	
 | ||
| 2006-12-12  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kuser/kinit.c: Read the appdefault configuration before we try to
 | ||
| 	use the flags.  Bug reported by Ingemar Nilsson.
 | ||
| 
 | ||
| 	* kuser/kdigest.c: prefix digest commands with digest_
 | ||
| 
 | ||
| 	* kuser/kdigest-commands.in: prefix digest commands with digest-
 | ||
| 	
 | ||
| 2006-12-10  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kdc/hprop.c: Return error codes on failure, improve error
 | ||
| 	reporting.
 | ||
| 	
 | ||
| 2006-12-08  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: sprinkle more _krb5_pk_copy_error
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: Copy more hx509 error strings to krb5 error
 | ||
| 	strings
 | ||
| 	
 | ||
| 2006-12-07  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* include/Makefile.am: CLEANFILES += vis.h
 | ||
| 	
 | ||
| 2006-12-06  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kdc/kerberos5.c (_kdc_as_rep): add AD-INITAL-VERIFIED-CAS to the
 | ||
| 	encrypted ticket
 | ||
| 
 | ||
| 	* kdc/pkinit.c (_kdc_add_inital_verified_cas): new function, adds
 | ||
| 	an empty (for now) AD_INITIAL_VERIFIED_CAS to tell the clients
 | ||
| 	that we vouch for the CA.
 | ||
| 
 | ||
| 	* kdc/kerberos5.c (_kdc_tkt_add_if_relevant_ad): new function.
 | ||
| 
 | ||
| 	* lib/Makefile.am: Make the directories test automake conditional
 | ||
| 	so automake can include directories in make dist step.
 | ||
| 
 | ||
| 	* kdc/pkinit.c (_kdc_pk_rd_padata): leak less memory for
 | ||
| 	ExternalPrincipalIdentifiers
 | ||
| 
 | ||
| 	* kdc/pkinit.c: Parse and use PA-PK-AS-REQ.trustedCertifiers
 | ||
| 
 | ||
| 	* kdc/pkinit.c: Add comment that the anchors in the signed data
 | ||
| 	really should be the trust anchors of the client.
 | ||
| 
 | ||
| 	* kuser/generate-requests.c: Use strcspn to remove \n from
 | ||
| 	string returned by fgets.  From Björn Sandell
 | ||
| 	
 | ||
| 	* kpasswd/kpasswd-generator.c: Use strcspn to remove \n from
 | ||
| 	string returned by fgets.  From Björn Sandell
 | ||
| 	
 | ||
| 2006-12-05  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/hdb/hdb-ldap.c: Clear errno before calling the strtol
 | ||
| 	functions. From Paul Stoeber to OpenBSD by Ray Lai and Björn
 | ||
| 	Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/config_file.c: Use strcspn to remove \n from fgets
 | ||
| 	result. Prompted by change by Ray Lai of OpenBSD via Björn
 | ||
| 	Sandell.
 | ||
| 
 | ||
| 	* kdc/string2key.c: Use strcspn to remove \n from fgets
 | ||
| 	result. Prompted by change by Ray Lai of OpenBSD via Björn
 | ||
| 	Sandell.
 | ||
| 	
 | ||
| 2006-11-30  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/krbhst.c (plugin_get_hosts): be more paranoid and pass
 | ||
| 	in a NULLed plugin list
 | ||
| 	
 | ||
| 2006-11-29  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/verify_krb5_conf.c: add more pkinit options.
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: Store what PK-INIT type we used to know reply
 | ||
| 	to expect, this avoids overwriting the real PK-INIT error from
 | ||
| 	just a failed request with a Windows PK-INIT error (that always
 | ||
| 	fails).
 | ||
| 
 | ||
| 	* kdc/Makefile.am: Add LIB_pkinit to pacify AIX
 | ||
| 
 | ||
| 	* lib/hdb/Makefile.am: Add LIB_com_err to pacify AIX
 | ||
| 	
 | ||
| 2006-11-28  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/hdb/hdb-ldap.c: Make build again from the hdb_entry
 | ||
| 	wrapping. Patch from Andreas Hasenack.
 | ||
| 
 | ||
| 	* kdc/pkinit.c: Need better code in the DH parameter rejection
 | ||
| 	case, add comment to that effect.
 | ||
| 	
 | ||
| 2006-11-27  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kdc/krb5tgs.c: Reply KRB5KRB_ERR_RESPONSE_TOO_BIG for too large
 | ||
| 	packets when using datagram based transports.
 | ||
| 
 | ||
| 	* kdc/process.c: Pass down datagram_reply to _kdc_tgs_rep.
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c (build_auth_pack): set supportedCMSTypes.
 | ||
| 	
 | ||
| 2006-11-26  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: Pass down hx509_peer_info.
 | ||
| 
 | ||
| 	* kdc/pkinit.c (_kdc_pk_rd_padata): Pick up supportedCMSTypes and
 | ||
| 	pass in into hx509_cms_create_signed_1 via hx509_peer_info blob.
 | ||
| 
 | ||
| 	* kdc/pkinit.c (_kdc_pk_rd_padata): Pick up supportedCMSTypes and
 | ||
| 	pass in into hx509_cms_create_signed_1 via hx509_peer_info blob.
 | ||
| 	
 | ||
| 2006-11-24  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* lib/krb5/send_to_kdc.c: Set the large_msg_size to 1400, lets not
 | ||
| 	fragment packets and avoid stupid linklayers that don't allow
 | ||
| 	fragmented packets (unix dgram sockets on Mac OS X)
 | ||
| 	
 | ||
| 2006-11-23  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c (_krb5_pk_create_sign): stuff down the users
 | ||
| 	certs in the pool to make sure a path is returned, without this
 | ||
| 	proxy certificates wont work.
 | ||
| 	
 | ||
| 2006-11-21  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kdc/config.c: Make all pkinit options prefixed with pkinit_
 | ||
| 
 | ||
| 	* lib/krb5/log.c (krb5_get_warn_dest): return warn_dest from
 | ||
| 	krb5_context
 | ||
| 
 | ||
| 	* lib/krb5/krb5_warn.3: document krb5_[gs]et_warn_dest
 | ||
| 
 | ||
| 	* lib/krb5/krb5.h: Drop KRB5_KU_TGS_IMPERSONATE.
 | ||
| 
 | ||
| 	* kdc/krb5tgs.c: Use KRB5_KU_OTHER_CKSUM for the impersonate
 | ||
| 	checksum.
 | ||
| 
 | ||
| 	* lib/krb5/get_cred.c: Use KRB5_KU_OTHER_CKSUM for the impersonate
 | ||
| 	checksum.
 | ||
| 	
 | ||
| 2006-11-20  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/verify_user.c: Make krb5_get_init_creds_opt_free take a
 | ||
| 	context argument.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_get_init_creds.3: Make
 | ||
| 	krb5_get_init_creds_opt_free take a context argument.
 | ||
| 
 | ||
| 	* lib/krb5/init_creds_pw.c: Make krb5_get_init_creds_opt_free take
 | ||
| 	a context argument.
 | ||
| 
 | ||
| 	* kuser/kinit.c: Make krb5_get_init_creds_opt_free take a context
 | ||
| 	argument.
 | ||
| 
 | ||
| 	* kpasswd/kpasswd.c: Make krb5_get_init_creds_opt_free take a
 | ||
| 	context argument.
 | ||
| 
 | ||
| 	* kpasswd/kpasswd-generator.c: Make krb5_get_init_creds_opt_free
 | ||
| 	take a context argument.
 | ||
| 
 | ||
| 	* kdc/hprop.c: Make krb5_get_init_creds_opt_free take a context
 | ||
| 	argument.
 | ||
| 
 | ||
| 	* lib/krb5/init_creds.c: Make krb5_get_init_creds_opt_free take a
 | ||
| 	context argument.
 | ||
| 
 | ||
| 	* appl/gssmask/gssmask.c: Make krb5_get_init_creds_opt_free take a
 | ||
| 	context argument.
 | ||
| 	
 | ||
| 2006-11-19  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* doc/setup.texi: fix pkinit option (s/-/_/)
 | ||
| 
 | ||
| 	* kdc/config.c: revert the enable-pkinit change, and make it
 | ||
| 	consistent with all other enable- options
 | ||
| 	
 | ||
| 2006-11-17  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* doc/setup.texi: Make all pkinit options prefixed with pkinit_
 | ||
| 
 | ||
| 	* kdc/config.c: Make all pkinit options prefixed with pkinit_
 | ||
| 
 | ||
| 	* kdc/pkinit.c: Make app pkinit options prefixed with pkinit_
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: Make app pkinit options prefixed with pkinit_
 | ||
| 
 | ||
| 	* lib/krb5/mit_glue.c (krb5_c_keylengths): make compile again.
 | ||
| 
 | ||
| 	* lib/krb5/mit_glue.c (krb5_c_keylengths): rename.
 | ||
| 
 | ||
| 	* lib/krb5/mit_glue.c (krb5_c_keylength): mit changed the api,
 | ||
| 	deal.
 | ||
| 	
 | ||
| 2006-11-13  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* lib/krb5/pac.c (fill_zeros): stop using MIN.
 | ||
| 
 | ||
| 	* kuser/kinit.c: Forward decl
 | ||
| 	
 | ||
| 	* lib/krb5/test_plugin.c: Use NOTHERE.H5L.SE.
 | ||
| 
 | ||
| 	* lib/krb5/krbhst.c: Fill in hints for picky getaddrinfo()s.
 | ||
| 
 | ||
| 	* lib/krb5/test_plugin.c: Set sin_len if it exists.
 | ||
| 
 | ||
| 	* lib/krb5/krbhst.c: Use plugin for the other realm locate types
 | ||
| 	too.
 | ||
| 	
 | ||
| 2006-11-12  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/krb5_locl.h: Add plugin api
 | ||
| 
 | ||
| 	* lib/krb5/Makefile.am: Add plugin api.
 | ||
| 
 | ||
| 	* lib/krb5/krbhst.c: Use the resolve plugin interface.
 | ||
| 
 | ||
| 	* lib/krb5/locate_plugin.h: Add plugin interface for resolving
 | ||
| 	that is API compatible with MITs version.
 | ||
| 
 | ||
| 	* lib/krb5/plugin.c: Add first version of the plugin interface.
 | ||
| 
 | ||
| 	* lib/krb5/test_pac.c: Test signing.
 | ||
| 
 | ||
| 	* lib/krb5/pac.c: Add code to sign PACs, only arcfour for now.
 | ||
| 
 | ||
| 	* lib/krb5/krb5.h: Add struct krb5_pac.
 | ||
| 	
 | ||
| 2006-11-09  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/test_pac.c: PAC testing.
 | ||
| 
 | ||
| 	* lib/krb5/pac.c: Sprinkle error strings.
 | ||
| 
 | ||
| 	* lib/krb5/pac.c: Verify LOGON_NAME.
 | ||
| 
 | ||
| 	* kdc/pkinit.c (_kdc_pk_check_client): drop client_princ as an
 | ||
| 	argument
 | ||
| 
 | ||
| 	* kdc/kerberos5.c (_kdc_as_rep): drop client_princ from
 | ||
| 	_kdc_pk_check_client since its not valid in canonicalize case
 | ||
| 
 | ||
| 	* lib/krb5/krb5_c_make_checksum.3: Document krb5_c_keylength.
 | ||
| 
 | ||
| 	* lib/krb5/mit_glue.c: Add krb5_c_keylength.
 | ||
| 	
 | ||
| 2006-11-08  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/pac.c: Almost enough code to do PAC parsing and
 | ||
| 	verification, missing in the unix2NTTIME and ucs2 corner. The
 | ||
| 	latter will be addressed by finally adding libwind.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_init_context.3: document krb5_[gs]et_max_time_skew
 | ||
| 
 | ||
| 	* kdc/hpropd.c: Remove support dumping to a kerberos 4 database.
 | ||
| 	
 | ||
| 2006-11-07  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/context.c: rename krb5_[gs]et_time_wrap to
 | ||
| 	krb5_[gs]et_max_time_skew
 | ||
| 
 | ||
| 	* kdc/pkinit.c: Catch error string from hx509_cms_verify_signed.
 | ||
| 	Check for id-pKKdcEkuOID and warn if its not there.
 | ||
| 
 | ||
| 	* lib/krb5/rd_req.c: Add more krb5_rd_req_out_get functions.
 | ||
| 
 | ||
| 2006-11-06  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* lib/krb5/krb5.h: krb5_rd_req{,_in,_out}_ctx.
 | ||
| 
 | ||
| 	* lib/krb5/rd_req.c (krb5_rd_req_ctx): Add context all singing-all
 | ||
| 	dancing version of the krb5_rd_req and implement krb5_rd_req and
 | ||
| 	krb5_rd_req_with_keyblock using it.
 | ||
| 
 | ||
| 2006-11-04 Love Hörnquist Åstrand <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kdc/kerberos5.c (_kdc_as_rep): More verbose time skew logging.
 | ||
| 	
 | ||
| 2006-11-03  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/expand_hostname.c: Rename various routines and
 | ||
| 	constants from canonize to canonicalize.  From Andrew Bartlett
 | ||
| 
 | ||
| 	* lib/krb5/context.c: Add krb5_[gs]et_time_wrap
 | ||
| 
 | ||
| 	* lib/krb5/krb5_locl.h: Rename various routines and constants from
 | ||
| 	canonize to canonicalize.  From Andrew Bartlett
 | ||
| 
 | ||
| 	* appl/gssmask/common.c (add_list): fix alloc statement.
 | ||
| 	From Alex Deiter
 | ||
| 	
 | ||
| 2006-10-25  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* include/Makefile.am: Move version.h and version.h.in to
 | ||
| 	DISTCLEANFILES.
 | ||
| 	
 | ||
| 2006-10-24  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* appl/gssmask/gssmask.c: Only log when there are resources left.
 | ||
| 
 | ||
| 	* appl/gssmask/gssmask.c: make compile
 | ||
| 
 | ||
| 	* appl/gssmask/gssmask.c (AcquireCreds): free
 | ||
| 	krb5_get_init_creds_opt
 | ||
| 	
 | ||
| 2006-10-23  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* configure.in: heimdal 0.8-RC1
 | ||
| 
 | ||
| 2006-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/digest.c: Try to not leak memory.
 | ||
| 
 | ||
| 	* kdc/digest.c: Try to not leak memory.
 | ||
| 
 | ||
| 	* Makefile.am: remove valgrind target, it doesn't belong here.
 | ||
| 
 | ||
| 	* kuser/kinit.c: Try to not leak memory.
 | ||
| 
 | ||
| 	* kuser/kgetcred.c: Try to not leak memory.
 | ||
| 
 | ||
| 	* kdc/krb5tgs.c (check_KRB5SignedPath): free KRB5SignedPath on
 | ||
| 	successful completion too, not just the error cases.
 | ||
| 
 | ||
| 	* fix-export: Make make fix-export less verbose.
 | ||
| 
 | ||
| 	* kuser/kgetcred.c: Try to not leak memory.
 | ||
| 
 | ||
| 	* lib/hdb/keys.c (hdb_generate_key_set): free list of enctype when
 | ||
| 	done.
 | ||
| 
 | ||
| 	* lib/krb5/crypto.c: Allocate the memory we later use.
 | ||
| 
 | ||
| 	* lib/krb5/test_princ.c: Try to not leak memory.
 | ||
| 
 | ||
| 	* lib/krb5/test_crypto_wrapping.c: Try to not leak memory.
 | ||
| 
 | ||
| 	* lib/krb5/test_cc.c: Try to not leak memory.
 | ||
| 
 | ||
| 	* lib/krb5/addr_families.c (arange_free): Try to not leak memory.
 | ||
| 
 | ||
| 	* lib/krb5/crypto.c (AES_string_to_key): Try to not leak memory.
 | ||
| 
 | ||
| 2006-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* tools/heimdal-build.sh: Add --test-environment
 | ||
| 
 | ||
| 	* tools/heimdal-build.sh: Add --ccache-dir
 | ||
| 
 | ||
| 	* lib/hdb/Makefile.am: remove dependency on et files covert_db
 | ||
| 	that now is removed
 | ||
| 	
 | ||
| 2006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* include/Makefile.am: add gssapi to subdirs
 | ||
| 
 | ||
| 	* lib/hdb/hdb-ldap.c: Make compile.
 | ||
| 
 | ||
| 	* configure.in: add include/gssapi/Makefile.
 | ||
| 
 | ||
| 	* include/Makefile.am: clean more files
 | ||
| 
 | ||
| 	* include/make_crypto.c: Avoid creating a file called --version.
 | ||
| 
 | ||
| 	* include/bits.c: Avoid creating a file called --version.
 | ||
| 
 | ||
| 	* appl/test/Makefile.am: add nt_gss_common.h
 | ||
| 
 | ||
| 	* doc/Makefile.am: Disable TEXI2DVI for now.
 | ||
| 
 | ||
| 	* tools/Makefile.am: more files
 | ||
| 
 | ||
| 	* lib/krb5/context.c (krb5_free_context): free send_to_kdc context
 | ||
| 
 | ||
| 	* doc/heimdal.texi: Put Heimdal in the dircategory Security.
 | ||
| 
 | ||
| 	* lib/krb5/send_to_kdc.c: Add sent_to_kdc hook, from Andrew
 | ||
| 	Bartlet.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_locl.h: Add send_to_kdc hook.
 | ||
| 
 | ||
| 	* lib/krb5/krb5.h: Add krb5_send_to_kdc_func prototype.
 | ||
| 
 | ||
| 	* kcm/Makefile.am: more files
 | ||
| 
 | ||
| 	* kdc/Makefile.am: more files
 | ||
| 
 | ||
| 	* lib/hdb/Makefile.am: more files
 | ||
| 
 | ||
| 	* lib/krb5/Makefile.am: add more files
 | ||
| 	
 | ||
| 2006-10-19  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* tools/Makefile.am: Add heimdal-build.sh to EXTRA_DIST.
 | ||
| 
 | ||
| 	* configure.in: Don't check for timegm, libroken provides it for
 | ||
| 	us.
 | ||
| 
 | ||
| 	* lib/krb5/acache.c: Does function typecasts instead of void *
 | ||
| 	type-casts.
 | ||
| 
 | ||
| 	* lib/krb5/krb5.h: Remove bonus , that Love sneaked in.
 | ||
| 
 | ||
| 	* configure.in: make --disable-pk-init help text also negative
 | ||
| 	
 | ||
| 2006-10-18  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kuser/kgetcred.c: Avoid memory leak.
 | ||
| 
 | ||
| 	* tools/heimdal-build.sh: Add more verbose logging, add version of
 | ||
| 	script and heimdal to the mail.
 | ||
| 
 | ||
| 	* lib/hdb/db3.c: Wrap function call pointer calls in (*func) to
 | ||
| 	avoid macros rewriting open and close.
 | ||
| 
 | ||
| 	* lib/krb5/Makefile.am: Add test_princ.
 | ||
| 
 | ||
| 	* lib/krb5/principal.c: More error strings, handle realm-less
 | ||
| 	printing.
 | ||
| 
 | ||
| 	* lib/krb5/test_princ.c: Test principal parsing and unparsing.
 | ||
| 	
 | ||
| 2006-10-17  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/get_host_realm.c (krb5_get_host_realm): make sure we
 | ||
| 	don't recurse
 | ||
| 
 | ||
| 	* lib/krb5/get_host_realm.c (krb5_get_host_realm): no components
 | ||
| 	-> no dns. no mapping, try local realm and hope KDC knows better.
 | ||
| 
 | ||
| 	* lib/krb5/krb5.h: Add flags for krb5_unparse_name_flags
 | ||
| 
 | ||
| 	* lib/krb5/krb5_principal.3: Document
 | ||
| 	krb5_unparse_name{_fixed,}_flags.
 | ||
| 
 | ||
| 	* lib/krb5/principal.c: Add krb5_unparse_name_flags and
 | ||
| 	krb5_unparse_name_fixed_flags.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_principal.3: Document krb5_parse_name_flags.
 | ||
| 
 | ||
| 	* lib/krb5/principal.c: Add krb5_parse_name_flags.
 | ||
| 
 | ||
| 	* lib/krb5/principal.c: Add krb5_parse_name_flags.
 | ||
| 
 | ||
| 	* lib/krb5/krb5.h: Add krb5_parse_name_flags flags.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_locl.h: Hide krb5_context_data from public
 | ||
| 	exposure.
 | ||
| 
 | ||
| 	* lib/krb5/krb5.h: Hide krb5_context_data from public exposure.
 | ||
| 
 | ||
| 	* kuser/klist.c: Use krb5_get_kdc_sec_offset.
 | ||
| 
 | ||
| 	* lib/krb5/context.c: Document krb5_get_kdc_sec_offset()
 | ||
| 	
 | ||
| 	* lib/krb5/krb5_init_context.3: Add krb5_get_kdc_sec_offset()
 | ||
| 	
 | ||
| 	* lib/krb5/krb5_init_context.3: Add krb5_set_dns_canonize_hostname
 | ||
| 	and krb5_get_dns_canonize_hostname
 | ||
| 
 | ||
| 	* lib/krb5/verify_krb5_conf.c:
 | ||
| 	add [libdefaults]dns_canonize_hostname
 | ||
| 
 | ||
| 	* lib/krb5/expand_hostname.c: use dns_canonize_hostname to
 | ||
| 	determine if we should talk to dns to find the canonical name of
 | ||
| 	the host.
 | ||
| 
 | ||
| 	* lib/krb5/krb5.h (krb5_context): add dns_canonize_hostname.
 | ||
| 
 | ||
| 	* tools/heimdal-build.sh: Set status.
 | ||
| 
 | ||
| 	* appl/gssmask/gssmask.c: handle more bits
 | ||
| 
 | ||
| 	* kdc/kerberos5.c: Prefix asn1 primitives with der_.
 | ||
| 	
 | ||
| 2006-10-16  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* fix-export: Build lib/asn1/der-protos.h.
 | ||
| 	
 | ||
| 2006-10-14  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* appl/gssmask/Makefile.am: Add explicit dependency on libroken.
 | ||
| 
 | ||
| 	* kdc/krb5tgs.c: Prefix der primitives with der_.
 | ||
| 
 | ||
| 	* kdc/pkinit.c: Prefix der primitives with der_.
 | ||
| 
 | ||
| 	* lib/hdb/ext.c: Prefix der primitives with der_.
 | ||
| 	
 | ||
| 	* lib/hdb/ext.c: Prefix der primitives with der_.
 | ||
| 
 | ||
| 	* lib/krb5/crypto.c: Remove workaround from when there wasn't
 | ||
| 	always aes.
 | ||
| 
 | ||
| 	* lib/krb5/ticket.c: Prefix der primitives with der_.
 | ||
| 	
 | ||
| 	* lib/krb5/digest.c: Prefix der primitives with der_.
 | ||
| 
 | ||
| 	* lib/krb5/crypto.c: Prefix der primitives with der_.
 | ||
| 
 | ||
| 	* lib/krb5/data.c: Prefix der primitives with der_.
 | ||
| 	
 | ||
| 2006-10-12  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kdc/pkinit.c (pk_mk_pa_reply_enckey): add missing break. From
 | ||
| 	Olga Kornievskaia.
 | ||
| 
 | ||
| 	* kdc/kdc.8: document max-kdc-datagram-reply-length
 | ||
| 
 | ||
| 	* include/bits.c: Include Xint64 types.
 | ||
| 	
 | ||
| 2006-10-10  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* tools/heimdal-build.sh: Add socketwrapper and cputime limit.
 | ||
| 
 | ||
| 	* kdc/connect.c (loop): Log that the kdc have started.
 | ||
| 	
 | ||
| 2006-10-09  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kdc/connect.c (do_request): tell krb5_kdc_process_request if its
 | ||
| 	a datagram reply or not
 | ||
| 
 | ||
| 	* kdc/kerberos5.c: Reply KRB5KRB_ERR_RESPONSE_TOO_BIG error if its
 | ||
| 	a datagram reply and the datagram reply length limit is reached.
 | ||
| 
 | ||
| 	* kdc/process.c: Rename krb5_kdc_process_generic_request to
 | ||
| 	krb5_kdc_process_request Add datagram_reply argument.
 | ||
| 
 | ||
| 	* kdc/config.c: check for [kdc]max-kdc-datagram-reply-length
 | ||
| 
 | ||
| 	* kdc/kdc.h (krb5_kdc_config): Add max_datagram_reply_length.
 | ||
| 
 | ||
| 	* lib/hdb/keytab.c: Change || to |, From metze.
 | ||
| 
 | ||
| 	* lib/hdb/keytab.c: Add back :file to sample format.
 | ||
| 
 | ||
| 	* lib/hdb/keytab.c: Add more HDB_F flags to hdb_fetch. Pointed out
 | ||
| 	by Andrew Bartlet.
 | ||
| 
 | ||
| 	* kdc/krb5tgs.c (tgs_parse_request): set cusec, not csec from
 | ||
| 	auth->cusec.
 | ||
| 	
 | ||
| 2006-10-08  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* fix-export: dist_-ify libkadm5clnt_la_SOURCES too
 | ||
| 
 | ||
| 	* doc/heimdal.texi: Update (c) years.
 | ||
| 
 | ||
| 	* appl/gssmask/protocol.h: Clarify protocol.
 | ||
| 
 | ||
| 	* kdc/hpropd.c: Adapt to signature change of
 | ||
| 	_krb5_principalname2krb5_principal.
 | ||
| 
 | ||
| 	* kdc/kerberos4.c: Adapt to signature change of
 | ||
| 	_krb5_principalname2krb5_principal.
 | ||
| 
 | ||
| 	* kdc/connect.c (handle_vanilla_tcp): shorten length when we
 | ||
| 	shorten the buffer; this matters in the PK-INIT encKey case where a
 | ||
| 	checksum is done over the whole packet. Reported by Olga
 | ||
| 	Kornievskaia
 | ||
| 	
 | ||
| 2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* include/Makefile.am: crypto-headers.h is a nodist header
 | ||
| 
 | ||
| 	* lib/krb5/aes-test.c: Make argument to PKCS5_PBKDF2_HMAC_SHA1
 | ||
| 	unsigned char to make OpenSSL happy.
 | ||
| 
 | ||
| 	* appl/kf/Makefile.am: Add man_MANS to EXTRA_DIST
 | ||
| 
 | ||
| 	* kuser/Makefile.am: split build files into dist_ and noinst_
 | ||
| 	SOURCES
 | ||
| 
 | ||
| 	* lib/hdb/Makefile.am: split build files into dist_ and noinst_
 | ||
| 	SOURCES
 | ||
| 
 | ||
| 	* lib/krb5/Makefile.am: split build files into dist_ and noinst_
 | ||
| 	SOURCES
 | ||
| 
 | ||
| 	* kdc/kerberos5.c: Adapt to signature change of
 | ||
| 	_krb5_principalname2krb5_principal.
 | ||
| 	
 | ||
| 2006-10-06  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/krbhst.c (common_init): don't try DNS when there is
 | ||
| 	realm w/o a dot.
 | ||
| 
 | ||
| 	* kdc/524.c: Adapt to signature change of
 | ||
| 	_krb5_principalname2krb5_principal.
 | ||
| 
 | ||
| 	* kdc/krb5tgs.c: Adapt to signature change of
 | ||
| 	_krb5_principalname2krb5_principal.
 | ||
| 
 | ||
| 	* lib/krb5/get_in_tkt.c: Adapt to signature change of
 | ||
| 	_krb5_principalname2krb5_principal.
 | ||
| 
 | ||
| 	* lib/krb5/rd_cred.c: Adapt to signature change of
 | ||
| 	_krb5_principalname2krb5_principal.
 | ||
| 
 | ||
| 	* lib/krb5/rd_req.c: Adapt to signature change of
 | ||
| 	_krb5_principalname2krb5_principal.
 | ||
| 
 | ||
| 	* lib/krb5/asn1_glue.c (_krb5_principalname2krb5_principal): add
 | ||
| 	krb5_context to signature.
 | ||
| 
 | ||
| 	* kdc/524.c (_krb5_principalname2krb5_principal): adapt to
 | ||
| 	signature change
 | ||
| 
 | ||
| 	* lib/hdb/keytab.c (hdb_get_entry): close and destroy the database
 | ||
| 	later, the hdb_entry_ex might still contain links to the database
 | ||
| 	that it expects to use.
 | ||
| 
 | ||
| 	* kdc/digest.c: Make digest argument to MD5_final unsigned char to
 | ||
| 	help OpenSSL.
 | ||
| 
 | ||
| 	* kuser/kdigest.c: Make digest argument to MD5_final unsigned char
 | ||
| 	to help OpenSSL.
 | ||
| 
 | ||
| 	* appl/gssmask/common.h: Maybe include <sys/wait.h>.
 | ||
| 	
 | ||
| 2006-10-05  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* appl/gssmask/common.h: disable ENABLE_PTHREAD_SUPPORT and
 | ||
| 	explain why
 | ||
| 
 | ||
| 	* tools/heimdal-build.sh: Another mail header.
 | ||
| 
 | ||
| 	* tools/heimdal-build.sh: small fixes
 | ||
| 
 | ||
| 	* fix-export: More liberal parsing of AC_INIT
 | ||
| 
 | ||
| 	* tools/heimdal-build.sh: first cut
 | ||
| 	
 | ||
| 2006-10-04  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* configure.in: Call AB_INIT.
 | ||
| 
 | ||
| 	* kuser/kinit.c: Add flag --pk-use-enckey.
 | ||
| 
 | ||
| 	* kdc/pkinit.c: Sign the request in the encKey case.  Bug reported
 | ||
| 	by Olga Kornievskaia of Umich.
 | ||
| 
 | ||
| 	* lib/krb5/Makefile.am: man_MANS += krb5_digest.3
 | ||
| 
 | ||
| 	* lib/krb5/krb5_digest.3: Add all protos
 | ||
| 	
 | ||
| 2006-10-03  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* lib/krb5/krb5_digest.3: Basic krb5_digest manpage.
 | ||
| 	
 | ||
| 2006-10-02  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* fix-export: build gssapi mech private files
 | ||
| 	
 | ||
| 	* lib/krb5/init_creds_pw.c: minimize layering and remove
 | ||
| 	krb5_kdc_flags
 | ||
| 
 | ||
| 	* lib/krb5/get_in_tkt.c: Always use the kdc_flags in the right bit
 | ||
| 	order.
 | ||
| 
 | ||
| 	* lib/krb5/init_creds_pw.c: Always use the kdc_flags in the right
 | ||
| 	bit order.
 | ||
| 
 | ||
| 	* kuser/kdigest.c: Don't require --kerberos-realm.
 | ||
| 
 | ||
| 	* lib/krb5/digest.c (digest_request): if NULL is passed in as
 | ||
| 	realm, use default realm.
 | ||
| 
 | ||
| 	* fix-export: build gssapi mech private files
 | ||
| 	
 | ||
| 2006-09-26  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* appl/gssmask/gssmaestro.c: Handle FIRST_CALL in the context
 | ||
| 	building, better error handling.
 | ||
| 
 | ||
| 	* appl/gssmask/gssmaestro.c: switch from wrap/unwrap to
 | ||
| 	encrypt/decrypt
 | ||
| 	
 | ||
| 	* appl/gssmask/gssmask.c: Don't announce spn if there is none.
 | ||
| 
 | ||
| 	* appl/gssmask/gssmaestro.c: Check that the pre-wrapped data is
 | ||
| 	the same as afterward.
 | ||
| 	
 | ||
| 2006-09-25  Love Hörnquist Åstrand <lha@it.su.se>
 | ||
| 	
 | ||
| 	* appl/gssmask/gssmaestro.c: Remove stray GSS_C_DCE_STYLE.
 | ||
| 
 | ||
| 	* appl/gssmask/gssmaestro.c: Add logsocket support.
 | ||
| 	
 | ||
| 2006-09-22  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* appl/gssmask/gssmaestro.c (build_context): print the step the
 | ||
| 	context exchange.
 | ||
| 	
 | ||
| 2006-09-21  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* appl/gssmask/gssmaestro.c: Add GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG
 | ||
| 	to all context flags
 | ||
| 	
 | ||
| 	* appl/gssmask/gssmaestro.c: Add wrap and mic tests for all
 | ||
| 	elements
 | ||
| 
 | ||
| 	* appl/gssmask/gssmask.c: Add mic tests
 | ||
| 
 | ||
| 	* appl/gssmask/gssmaestro.c: don't exit early when the context
 | ||
| 	is half built.
 | ||
| 	
 | ||
| 	* lib/krb5/rd_req.c: disable ETypeList parsing usage for now, cfx
 | ||
| 	seems broken and its not good to upgrade to a broken enctype.
 | ||
| 	
 | ||
| 2006-09-20  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* appl/gssmask/gssmask.c: Add wrap/unwrap ops
 | ||
| 
 | ||
| 	* appl/gssmask/protocol.h: Add eGetVersionAndCapabilities flags
 | ||
| 
 | ||
| 	* appl/gssmask/common.c: Add permutate_all (and support
 | ||
| 	functions).
 | ||
| 
 | ||
| 	* appl/gssmask/common.h: Add permutate_all
 | ||
| 
 | ||
| 	* appl/gssmask/gssmask.c: use new flags, return moniker
 | ||
| 
 | ||
| 	* appl/gssmask/gssmaestro.c: test self context building and all
 | ||
| 	permutation of clients
 | ||
| 	
 | ||
| 2006-09-19  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* appl/gssmask/gssmask.c: add --logfile option, use htons() on
 | ||
| 	port number
 | ||
| 
 | ||
| 	* appl/gssmask/gssmaestro.c: Log port in connection message.
 | ||
| 
 | ||
| 	* configure.in: Make pk-init turned on by default.
 | ||
| 	
 | ||
| 2006-09-18  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* fix-export: Build lib/hx509/{hx509-protos.h,hx509-private.h}.
 | ||
| 
 | ||
| 	* kuser/Makefile.am: Add tool for printing tickets.
 | ||
| 
 | ||
| 	* kuser/kimpersonate.1: Add tool for printing tickets.
 | ||
| 	
 | ||
| 	* kuser/kimpersonate.c: Add tool for printing tickets.
 | ||
| 
 | ||
| 	* kdc/krb5tgs.c: Check the adtkt in the constrained delegation
 | ||
| 	case too.
 | ||
| 	
 | ||
| 2006-09-16  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kdc/main.c (sigterm): don't _exit, let loop() catch the signal
 | ||
| 	instead.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_timeofday.3: Fixes from Björn Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_get_init_creds.3: Fixes from Björn Sandell.
 | ||
| 	
 | ||
| 2006-09-15  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* tools/krb5-config.in: Add "kafs" option.
 | ||
| 	
 | ||
| 2006-09-12  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/hdb/db.c: By using full function calling convention (*func)
 | ||
| 	we avoid problem when close(fd) is overridden using a macro.
 | ||
| 
 | ||
| 	* lib/krb5/cache.c: By using full function calling
 | ||
| 	convention (*func) we avoid problem when close(fd) is overridden
 | ||
| 	using a macro.
 | ||
| 	
 | ||
| 2006-09-11  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kdc/kerberos5.c: Signing outgoing tickets.
 | ||
| 
 | ||
| 	* kdc/krb5tgs.c: Add signing and checking of tickets so s4u2self
 | ||
| 	works securely.
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: Adapt to new signature of
 | ||
| 	hx509_cms_unenvelope.
 | ||
| 	
 | ||
| 2006-09-09  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c (pk_verify_host): set errorstrings in a
 | ||
| 	sensible way
 | ||
| 	
 | ||
| 2006-09-08  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/krb5_init_context.3: Prevent a font generation warning,
 | ||
| 	from Jason McIntyre.
 | ||
| 	
 | ||
| 2006-09-06  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/context.c (krb5_init_ets): Add the hx errortable
 | ||
| 
 | ||
| 	* lib/krb5/krb5_locl.h: Include hx509_err.h.
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c (_krb5_pk_verify_sign): catch the error string
 | ||
| 	from the hx509 lib
 | ||
| 	
 | ||
| 2006-09-04  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags):
 | ||
| 	fix argument to krb5_get_init_creds_opt_set_addressless.
 | ||
| 
 | ||
| 	* lib/krb5/init_creds_pw.c (init_cred_loop): try to catch the
 | ||
| 	error when we actually have an error to catch.
 | ||
| 
 | ||
| 	* lib/krb5/init_creds_pw.c: Remove debug printfs.
 | ||
| 
 | ||
| 	* kuser/kinit.c: Remove debug printf
 | ||
| 
 | ||
| 	* lib/krb5/krb5_get_init_creds.3: Document
 | ||
| 	krb5_get_init_creds_opt_set_addressless.
 | ||
| 
 | ||
| 	* kuser/kinit.c: Use new function
 | ||
| 	krb5_get_init_creds_opt_set_addressless.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_locl.h: use new addressless, convert pa-pac option
 | ||
| 	to use the same tri-state option as the new addressless option.
 | ||
| 
 | ||
| 	* lib/krb5/init_creds_pw.c: use new addressless, convert pa-pac
 | ||
| 	option to use the same tri-state option as the new addressless
 | ||
| 	option.
 | ||
| 
 | ||
| 	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_addressless):
 | ||
| 	used to control the address-lessness of the initial tickets
 | ||
| 	instead of passing in the empty set of address into
 | ||
| 	krb5_get_init_creds_opt_set_addresses.
 | ||
| 	
 | ||
| 2006-09-01  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kuser/kinit.c (renew_validate): inherit the proxiable and
 | ||
| 	forwardable from the original ticket, pointed out by Bernard
 | ||
| 	Antoine of CERN.
 | ||
| 	
 | ||
| 	* doc/setup.texi: More text about the acl_file entry and
 | ||
| 	hdb-ldap-structural-object.  From Rüdiger Ranft.
 | ||
| 
 | ||
| 	* lib/krb5/krbhst.c (fallback_get_hosts): limit the fallback
 | ||
| 	lookups to 5.  Patch from Wesley Craig, umich.edu
 | ||
| 
 | ||
| 	* configure.in: Add special tests for <sys/ucred.h>, include test
 | ||
| 	for sys/param.h and sys/types.h
 | ||
| 
 | ||
| 	* appl/test/tcp_server.c (proto): use keytab for krb5_recvauth
 | ||
| 	Patch from Ingemar Nilsson <init@pdc.kth.se>
 | ||
| 	
 | ||
| 2006-08-28  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kuser/kdigest.c (help): use sl_slc_help().
 | ||
| 
 | ||
| 	* kdc/digest.c: Catch more error, add SASL DIGEST MD5.
 | ||
| 
 | ||
| 	* lib/krb5/digest.c: Catch more error.
 | ||
| 
 | ||
| 2006-08-25  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* doc/setup.texi: language.
 | ||
| 
 | ||
| 	* doc/heimdal.texi: Add last updated text.
 | ||
| 	
 | ||
| 	* doc/heimdal.css: make box around heimdal title
 | ||
| 	
 | ||
| 	* doc/heimdal.css: Initial Heimdal css for the info manual
 | ||
| 	
 | ||
| 	* lib/krb5/digest.c: In the case where we get a DigestError back,
 | ||
| 	save the error string and code.
 | ||
| 	
 | ||
| 2006-08-24  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kdc/kerberos5.c: Remove _kdc_find_etype(), its no longer used.
 | ||
| 
 | ||
| 	* kdc/digest.c: Remove local error label and have just one exit
 | ||
| 	label, set error strings properly.
 | ||
| 
 | ||
| 	* kdc/digest.c: Simplify the disabled-service case.  Check the
 | ||
| 	allow-digest flag in the HDB entry for the client.
 | ||
| 
 | ||
| 	* kdc/process.c (krb5_kdc_process_generic_request): check if we
 | ||
| 	got a digest request and process it.
 | ||
| 
 | ||
| 	* kdc/main.c: Register hdb keytab operations.
 | ||
| 
 | ||
| 	* kdc/kdc.8: document [kdc]enable-digest=boolean
 | ||
| 
 | ||
| 	* kdc/Makefile.am: add digest to libkdc
 | ||
| 
 | ||
| 	* kdc/digest.c: Make a return a goto to avoid freeing un-inited
 | ||
| 	memory in cleanup code.
 | ||
| 
 | ||
| 	* kdc/default_config.c (krb5_kdc_default_config): default to all
 | ||
| 	bits set to zero.
 | ||
| 
 | ||
| 	* kdc/kdc.h (krb5_kdc_configuration): Add enable_digest
 | ||
| 
 | ||
| 	* kdc/headers.h: Include <digest_asn1.h>.
 | ||
| 
 | ||
| 	* lib/krb5/context.c (krb5_kerberos_enctypes): new function,
 | ||
| 	returns the list of Kerberos encryption types sorted in order of
 | ||
| 	most preferred to least preferred encryption type.
 | ||
| 
 | ||
| 	* kdc/misc.c (_kdc_get_preferred_key): new function, Use the order
 | ||
| 	list of preferred encryption types and sort the available keys and
 | ||
| 	return the most preferred key.
 | ||
| 
 | ||
| 	* kdc/krb5tgs.c: Adapt to the new signature of _kdc_find_keys().
 | ||
| 
 | ||
| 	* kdc/kerberos5.c: Handle session key etype separately from the
 | ||
| 	tgt etype, now the krbtgt can be an aes-only key without the need
 | ||
| 	to support not-as-good etypes for the krbtgt.
 | ||
| 	
 | ||
| 2006-08-23  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kdc/misc.c: Change _kdc_db_fetch() to return the database
 | ||
| 	pointer to if needed by the consumer.
 | ||
| 
 | ||
| 	* kdc/krb5tgs.c: Change _kdc_db_fetch() to return the database
 | ||
| 	pointer to if needed by the consumer.
 | ||
| 
 | ||
| 	* kdc/kerberos5.c: Change _kdc_db_fetch() to return the database
 | ||
| 	pointer to if needed by the consumer.
 | ||
| 	
 | ||
| 	* kdc/kerberos4.c: Change _kdc_db_fetch() to return the database
 | ||
| 	pointer to if needed by the consumer.
 | ||
| 	
 | ||
| 	* kdc/kaserver.c: Change _kdc_db_fetch() to return the database
 | ||
| 	pointer to if needed by the consumer.
 | ||
| 
 | ||
| 	* kdc/524.c: Change _kdc_db_fetch() to return the database pointer
 | ||
| 	to if needed by the consumer.
 | ||
| 
 | ||
| 	* kuser/kdigest-commands.in: Add --kerberos-realm, add client
 | ||
| 	request command.
 | ||
| 
 | ||
| 	* lib/krb5/Makefile.am: digest.c
 | ||
| 	
 | ||
| 	* lib/krb5/krb5.h: Add digest glue.
 | ||
| 
 | ||
| 	* lib/krb5/digest.c (krb5_digest_set_authentication_user): use
 | ||
| 	krb5_principal
 | ||
| 	
 | ||
| 	* lib/krb5/digest.c: Add digest support to the client side.
 | ||
| 	
 | ||
| 2006-08-21  Love Hörnquist Åstrand  <lha@it.kth.se>
 | ||
| 
 | ||
| 	* lib/krb5/rd_rep.c (krb5_rd_rep): free krb5_ap_rep_enc_part on
 | ||
| 	error and set return pointer to NULL
 | ||
| 	(krb5_free_ap_rep_enc_part): permit freeing of NULL
 | ||
| 	
 | ||
| 2006-08-18  Love Hörnquist Åstrand  <lha@it.kth.se>
 | ||
| 
 | ||
| 	* kdc/{Makefile.am,kdigest.c,kdigest-commands.in}:
 | ||
| 	Frontend for remote digest service in KDC
 | ||
| 
 | ||
| 	* lib/krb5/krb5_storage.3: Document krb5_{ret,store}_stringnl
 | ||
| 	functions.
 | ||
| 
 | ||
| 	* lib/krb5/store.c: Add krb5_{ret,store}_stringnl functions,
 | ||
| 	stores/retrieves a \n terminated string.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_locl.h: Default to address-less tickets.
 | ||
| 
 | ||
| 	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error): clear
 | ||
| 	error string on error.
 | ||
| 	
 | ||
| 2006-07-20  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/crypto.c: remove aes-192 (CMS)
 | ||
| 
 | ||
| 	* lib/krb5/crypto.c: Remove more CMS bits.
 | ||
| 	
 | ||
| 	* lib/krb5/crypto.c: Remove CMS symmetric encryption support.
 | ||
| 	
 | ||
| 2006-07-13  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kdc/pkinit.c (_kdc_pk_check_client): make it not crash when
 | ||
| 	there are no acl
 | ||
| 
 | ||
| 	* kdc/pkinit.c (_kdc_pk_check_client): use the acl in the kerberos
 | ||
| 	database
 | ||
| 
 | ||
| 	* lib/hdb/hdb.asn1: Rename HDB-Ext-PKINIT-certificate to
 | ||
| 	HDB-Ext-PKINIT-hash.  Add trust anchor to HDB-Ext-PKINIT-acl.
 | ||
| 
 | ||
| 	* lib/hdb/Makefile.am: rename asn1_HDB_Ext_PKINIT_certificate to
 | ||
| 	asn1_HDB_Ext_PKINIT_hash
 | ||
| 
 | ||
| 	* lib/hdb/ext.c: Add hdb_entry_get_pkinit_hash().
 | ||
| 	
 | ||
| 2006-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kuser/kinit.c: If --password-file gets STDIN, read the password
 | ||
| 	from the standard input.
 | ||
| 
 | ||
| 	* kuser/kinit.1: Document --password-file=STDIN.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_string_to_key.3: Remove duplicate to.
 | ||
| 	
 | ||
| 2006-07-06  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kdc/krb5tgs.c: (tgs_build_reply): when checking for removed
 | ||
| 	principals, check the second component of the krbtgt, otherwise
 | ||
| 	cross realm wont work.  Prompted by report from Mattias Amnefelt.
 | ||
| 
 | ||
| 2006-07-05  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kdc/connect.c (handle_vanilla_tcp): use unsigned integer for
 | ||
| 	length
 | ||
| 	(handle_tcp): if the high bit is set in the unknown case, send
 | ||
| 	back a KRB_ERR_FIELD_TOOLONG
 | ||
| 	
 | ||
| 2006-07-03  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* appl/gssmask/gssmaestro.c: Add get_version_capa, cache
 | ||
| 	target_name.
 | ||
| 
 | ||
| 	* appl/gssmask/gssmask.c: use uname() to find the local hostname
 | ||
| 	and version of operatingsystem
 | ||
| 
 | ||
| 	* appl/gssmask/common.h: include <sys/utsname.h>
 | ||
| 
 | ||
| 	* appl/gssmask/gssmask.c: break out creation of a client and make
 | ||
| 	handleServer pthread_create compatible
 | ||
| 
 | ||
| 	* appl/gssmask/gssmaestro.c: break out the build context
 | ||
| 	function
 | ||
| 	
 | ||
| 2006-07-01  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* appl/gssmask/gssmaestro.c: externalize slave handling, add
 | ||
| 	GetTargetName glue
 | ||
| 
 | ||
| 	* appl/gssmask/gssmaestro.c: externalize principal/password handling
 | ||
| 
 | ||
| 	* lib/krb5/principal.c (krb5_parse_name): set *principal to NULL
 | ||
| 	the first thing we do, so that on failure it's set to a known value
 | ||
| 
 | ||
| 	* appl/gssmask/gssmask.c: AcquireCreds: set principal to NULL to
 | ||
| 	avoid memory corruption GetTargetName: always send a string, even
 | ||
| 	though we don't have a targetname
 | ||
| 
 | ||
| 	* appl/gssmask: break out common function; add gssmaestro (that
 | ||
| 	only tests one context for now)
 | ||
| 
 | ||
| 2006-06-30  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/store_fd.c (krb5_storage_from_fd): don't leak fd on
 | ||
| 	malloc failure
 | ||
| 
 | ||
| 	* appl/gssmask/gssmask.c: split out fetching of credentials for
 | ||
| 	easier reuse for pk-init testing
 | ||
| 
 | ||
| 	* appl/gssmask: maggot replacement, handles context testing
 | ||
| 
 | ||
| 	* lib/krb5/cache.c (krb5_cc_new_unique): use KRB5_DEFAULT_CCNAME
 | ||
| 	as the default prefix
 | ||
| 	
 | ||
| 2006-06-28  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* doc/heimdal.texi: Add Doug Rabson's license
 | ||
| 	
 | ||
| 2006-06-22  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/init_creds.c: Add storing and getting KRB-ERROR in the
 | ||
| 	krb5_get_init_creds_opt structure.
 | ||
| 
 | ||
| 	* lib/krb5/init_creds_pw.c: Save KRB-ERROR on error.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_locl.h (_krb5_get_init_creds_opt_private): add
 | ||
| 	KRB-ERROR
 | ||
| 	
 | ||
| 2006-06-21  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* doc/setup.texi: section about verify_krb5_conf and kadmin check
 | ||
| 	
 | ||
| 2006-06-15  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/init_creds_pw.c (get_init_creds_common): drop cred
 | ||
| 	argument, its unused
 | ||
| 
 | ||
| 	* lib/krb5/Makefile.am: install krb5_get_creds.3
 | ||
| 	
 | ||
| 	* lib/krb5/krb5_get_creds.3: new file
 | ||
| 	
 | ||
| 2006-06-14  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/hdb/hdb-ldap.c: don't use the sambaNTPassword if there is
 | ||
| 	ARCFOUR key already.  Idea from Andreas Hasenack.  While here, set
 | ||
| 	pw change time using sambaPwdLastSet
 | ||
| 
 | ||
| 	* kdc/kerberos4.c: Use enable_v4_per_principal and check the new
 | ||
| 	hdb flag.
 | ||
| 
 | ||
| 	* kdc/kdc.h: Add enable_v4_per_principal
 | ||
| 	
 | ||
| 2006-06-12  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kdc/kerberos5.c (_kdc_as_rep): if kdc_time +
 | ||
| 	config->kdc_warn_pwexpire is past pw_end, add expiration
 | ||
| 	message. From Bernard Antoine.
 | ||
| 	
 | ||
| 	* kdc/default_config.c (krb5_kdc_default_config): set
 | ||
| 	kdc_warn_pwexpire to 0
 | ||
| 
 | ||
| 	* kdc/kerberos5.c: indent.
 | ||
| 	
 | ||
| 2006-06-07  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kdc/kerberos5.c: constify
 | ||
| 	
 | ||
| 2006-06-06  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/get_cred.c: Allow setting additional tickets in the
 | ||
| 	tgs-req
 | ||
| 
 | ||
| 	* kuser/kgetcred.c: add --delegation-credential-cache
 | ||
| 
 | ||
| 	* kdc/krb5tgs.c (tgs_build_reply): add constrained delegation.
 | ||
| 
 | ||
| 	* kdc/krb5tgs.c: Add impersonation.
 | ||
| 
 | ||
| 	* kuser/kgetcred.c: use new krb5_get_creds interface, add
 | ||
| 	impersonation.
 | ||
| 
 | ||
| 	* lib/krb5/get_cred.c (krb5_get_creds): add
 | ||
| 	KRB5_GC_NO_TRANSIT_CHECK
 | ||
| 
 | ||
| 	* lib/krb5/misc.c: Add impersonate support functions.
 | ||
| 
 | ||
| 	* lib/krb5/get_cred.c: Add impersonate and new krb5_get_creds interface.
 | ||
| 
 | ||
| 	* lib/hdb/hdb.asn1 (HDBFlags): add trusted-for-delegation
 | ||
| 
 | ||
| 	* lib/krb5/krb5.h: Add krb5_get_creds_opt_data and some more
 | ||
| 	KRB5_GC flags.
 | ||
| 	
 | ||
| 2006-06-01  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* lib/hdb/ext.c (hdb_entry_get_ConstrainedDelegACL): new function.
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: Avoid more shadowing.
 | ||
| 
 | ||
| 	* kdc/connect.c (do_request): clean reply with krb5_data_zero
 | ||
| 
 | ||
| 	* kdc/krb5tgs.c: Split up the reverse cross krbtgt check and local
 | ||
| 	client must exist test.
 | ||
| 
 | ||
| 	* kdc/krb5tgs.c: Plug old memory leaks, unify all goto's.
 | ||
| 
 | ||
| 	* kdc/krb5tgs.c: Split tgs_rep2 into tgs_parse_request and
 | ||
| 	tgs_build_reply.
 | ||
| 
 | ||
| 	* kdc/kerberos5.c: split out krb5 tgs req to make it easier to
 | ||
|  	reorganize the code.
 | ||
| 	
 | ||
| 2006-05-29  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/krb5_get_init_creds.3: spelling Björn Sandell
 | ||
| 
 | ||
| 	* lib/krb5/krb5_get_in_cred.3: spelling Björn Sandell
 | ||
| 	
 | ||
| 2006-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kpasswd/kpasswdd.c (change): select the realm based on the
 | ||
| 	target principal From Gabor Gombas
 | ||
| 
 | ||
| 	* lib/krb5/krb5_get_init_creds.3: Add KRB5_PROMPT_TYPE_INFO
 | ||
| 	
 | ||
| 	* lib/krb5/krb5.h: Add KRB5_PROMPT_TYPE_INFO
 | ||
| 	
 | ||
| 2006-05-12  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: Hidden field of hx509 prompter is removed.
 | ||
| 	Fix a warning.
 | ||
| 
 | ||
| 	* doc/setup.texi: Point to more examples, hint that you have to
 | ||
| 	use openssl 0.9.8a or later.
 | ||
| 
 | ||
| 	* doc/setup.texi: DIR now handles both PEM and DER.
 | ||
| 
 | ||
| 	* kuser/kinit.c: Pass down prompter and password to
 | ||
| 	krb5_get_init_creds_opt_set_pkinit.
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c (_krb5_pk_load_id): only use password if its
 | ||
| 	longer than 0
 | ||
| 	
 | ||
| 	* doc/ack.texi: Add Jason McIntyre.
 | ||
| 	
 | ||
| 	* lib/krb5/krb5_acl_match_file.3: Various tweaks, from Jason
 | ||
| 	McIntyre.
 | ||
| 	
 | ||
| 2006-05-11  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kuser/kinit.c: Move parsing of the PK-INIT configuration file to
 | ||
| 	the library so application doesn't need to deal with it.
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit): move
 | ||
| 	parsing of the configuration file to the library so application
 | ||
| 	doesn't need to deal with it.
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c (_krb5_pk_load_id): pass the hx509_lock to
 | ||
| 	when trying to read the user certificate.
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c (hx_pass_prompter): return 0 on success and 1
 | ||
| 	on failure. Pointed out by Douglas E. Engert.
 | ||
| 	
 | ||
| 2006-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* lib/krb5/crypto.c: Catches both keyed checkout w/o crypto
 | ||
| 	context cases and doesn't reset the string, and corrects the
 | ||
| 	grammar.
 | ||
| 
 | ||
| 	* lib/krb5/crypto.c: Drop aes-cbc, rc2 and CMS padding support,
 | ||
| 	it's all contained in libhcrypto and libhx509 now.
 | ||
| 	
 | ||
| 2006-05-07  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* lib/krb5/pkinit.c (_krb5_pk_verify_sign): Use
 | ||
| 	hx509_get_one_cert.
 | ||
| 
 | ||
| 	* lib/krb5/crypto.c (create_checksum): provide a error message
 | ||
| 	that a key checksum needs a key.  From Andrew Bartlett.
 | ||
| 	
 | ||
| 2006-05-06  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* lib/krb5/pkinit.c: Now that hcrypto supports DH, remove check
 | ||
| 	for hx509 null DH.
 | ||
| 
 | ||
| 	* kdc/pkinit.c: Don't call DH_check_pubkey, it doesn't exist in
 | ||
| 	older OpenSSL.
 | ||
| 
 | ||
| 	* doc/heimdal.texi: Add blob about imath.
 | ||
| 
 | ||
| 	* doc/ack.texi: Add blob about imath.
 | ||
| 
 | ||
| 	* include/make_crypto.c: Move up evp.h to please OpenSSL, from
 | ||
| 	Douglas E. Engert.
 | ||
| 
 | ||
| 	* kcm/acl.c: Multicache kcm interation isn't done yet, let wait
 | ||
| 	with this enum.
 | ||
| 	
 | ||
| 2006-05-05  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/krb5_set_default_realm.3: Spelling/mdoc from Björn
 | ||
| 	Sandell
 | ||
| 
 | ||
| 	* lib/krb5/krb5_rcache.3: Spelling/mdoc from Björn Sandell
 | ||
| 
 | ||
| 	* lib/krb5/krb5_keytab.3: Spelling/mdoc from Björn Sandell
 | ||
| 
 | ||
| 	* lib/krb5/krb5_get_in_cred.3: Spelling/mdoc from Björn Sandell
 | ||
| 
 | ||
| 	* lib/krb5/krb5_expand_hostname.3: Spelling/mdoc from Björn
 | ||
| 	Sandell
 | ||
| 
 | ||
| 	* lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc from Björn
 | ||
| 	Sandell
 | ||
| 
 | ||
| 	* lib/krb5/keytab_file.c (fkt_next_entry_int): read the 32 bit
 | ||
| 	kvno if the rest of the data is longer than 4 bytes in hope to be
 | ||
| 	forward compatible. Pointed out by Michael B Allen.
 | ||
| 
 | ||
| 	* doc/programming.texi: Add fileformats.
 | ||
| 
 | ||
| 	* appl/test: Rename u_intXX_t to uintXX_t
 | ||
| 
 | ||
| 	* kuser: Rename u_intXX_t to uintXX_t
 | ||
| 
 | ||
| 	* kdc: Rename u_intXX_t to uintXX_t
 | ||
| 
 | ||
| 	* lib/hdb: Rename u_intXX_t to uintXX_t
 | ||
| 	
 | ||
| 	* lib/45]: Rename u_intXX_t to uintXX_t
 | ||
| 
 | ||
| 	* lib/krb5: Rename u_intXX_t to uintXX_t
 | ||
| 
 | ||
| 	* lib/krb5/Makefile.am: Add test_store to TESTS
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: Catch using hx509 null DH and print a more
 | ||
| 	useful error message.
 | ||
| 
 | ||
| 	* lib/krb5/store.c: Rewrite the krb5_ret_u as proposed by Johan.
 | ||
| 	
 | ||
| 2006-05-04  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kdc/kerberos4.c: Use the new unsigned integer storage types.
 | ||
| 
 | ||
| 	* kdc/kaserver.c: Use the new unsigned integer storage
 | ||
| 	types. Sprinkle some error handling.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_storage.3: Document ret and store function for the
 | ||
| 	unsigned fixed size integer types.
 | ||
| 
 | ||
| 	* lib/krb5/v4_glue.c: Use the new unsigned integer storage
 | ||
| 	types. Fail that the address doesn't match, not the reverse.
 | ||
| 
 | ||
| 	* lib/krb5/store.c: Add ret and store function for the unsigned
 | ||
| 	fixed size integer types.
 | ||
| 
 | ||
| 	* lib/krb5/test_store.c: Test the integer storage types.
 | ||
| 	
 | ||
| 2006-05-03  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/store.c (krb5_store_principal): make it take a
 | ||
| 	krb5_const_principal, indent
 | ||
| 
 | ||
| 	* lib/krb5/krb5_storage.3: krb5_store_principal takes a
 | ||
| 	krb5_const_principal
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: Deal with that hx509_prompt.reply is no
 | ||
| 	longer a pointer.
 | ||
| 
 | ||
| 	* kdc/kdc.h (krb5_kdc_configuration): add pkinit_kdc_ocsp_file
 | ||
| 
 | ||
| 	* kdc/config.c: read [kdc]pki-kdc-ocsp
 | ||
| 	
 | ||
| 2006-05-02  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kdc/pkinit.c (_kdc_pk_mk_pa_reply): send back ocsp response if
 | ||
| 	it seems to be valid, simplify the pkinit-windows DH case (it
 | ||
| 	doesn't exist).
 | ||
| 	
 | ||
| 2006-05-01  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* lib/krb5/krb5_warn.3: Spelling/mdoc changes, from Björn Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_verify_user.3: Spelling/mdoc changes, from Björn
 | ||
| 	Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_verify_init_creds.3: Spelling/mdoc changes, from
 | ||
| 	Björn Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_timeofday.3: Spelling/mdoc changes, from Björn
 | ||
| 	Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_ticket.3: Spelling/mdoc changes, from Björn
 | ||
| 	Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_rd_safe.3: Spelling/mdoc changes, from Björn
 | ||
| 	Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_rcache.3: Spelling/mdoc changes, from Björn
 | ||
| 	Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_principal.3: Spelling/mdoc changes, from Björn
 | ||
| 	Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_parse_name.3: Spelling/mdoc changes, from Björn
 | ||
| 	Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_mk_safe.3: Spelling/mdoc changes, from Björn
 | ||
| 	Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_keyblock.3: Spelling/mdoc changes, from Björn
 | ||
| 	Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_is_thread_safe.3: Spelling/mdoc changes, from
 | ||
| 	Björn Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes,
 | ||
| 	from Björn Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes,
 | ||
| 	from Björn Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_expand_hostname.3: Spelling/mdoc changes, from
 | ||
| 	Björn Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_check_transited.3: Spelling/mdoc changes, from
 | ||
| 	Björn Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc changes, from
 | ||
| 	Björn Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_address.3: Spelling/mdoc changes, from
 | ||
| 	Björn Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_acl_match_file.3: Spelling/mdoc changes, from
 | ||
| 	Björn Sandell.
 | ||
| 
 | ||
| 	* lib/krb5/krb5.3: Spelling, from Björn Sandell.
 | ||
| 	
 | ||
| 	* doc/ack.texi: add Björn
 | ||
| 
 | ||
| 2006-04-30  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c (cert2epi): don't include subject if its null
 | ||
| 	
 | ||
| 2006-04-29  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: Send over what trust anchors the client have
 | ||
| 	configured.
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c (pk_verify_host): set better error string,
 | ||
| 	only check kdc name/address when we got a hostname/address passed
 | ||
| 	in to the function.
 | ||
| 
 | ||
| 	* kdc/pkinit.c (_kdc_pk_check_client): reorganize and make log
 | ||
| 	when a SAN matches.
 | ||
| 	
 | ||
| 2006-04-28  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* doc/setup.texi: More options and some text about windows
 | ||
| 	clients, certificate and KDCs.
 | ||
| 
 | ||
| 	* doc/setup.texi: notice about pki-mappings file space sensitive
 | ||
| 
 | ||
| 	* doc/setup.texi: Example pki-mapping file.
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c (pk_verify_host): verify hostname/address
 | ||
| 
 | ||
| 	* lib/hdb/hdb.h: Bump hdb interface version to 4.
 | ||
| 	
 | ||
| 2006-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kuser/kdestroy.1: Document --credential=principal.
 | ||
| 
 | ||
| 	* kdc/kerberos5.c (tgs_rep2): check that the client exists in the
 | ||
| 	kerberos database if its local request.
 | ||
| 
 | ||
| 	* kdc/{misc.c,524.c,kaserver.c,kerberos5.c}: pass down HDB_F_GET_
 | ||
| 	flags as appropriate
 | ||
| 
 | ||
| 	* kdc/kerberos4.c (_kdc_db_fetch4): pass down flags though
 | ||
| 	krb5_425_conv_principal_ext2
 | ||
| 
 | ||
| 	* kdc/misc.c (_kdc_db_fetch): Break out the that we request from
 | ||
| 	principal from the entry and pass it in as a separate argument.
 | ||
| 
 | ||
| 	* lib/hdb/keytab.c (hdb_get_entry): Break out the that we request
 | ||
| 	from principal from the entry and pass it in as a separate
 | ||
| 	argument.
 | ||
| 
 | ||
| 	* lib/hdb/common.c: Break out the that we request from principal
 | ||
| 	from the entry and pass it in as a separate argument.
 | ||
| 
 | ||
| 	* lib/hdb/hdb.h: Break out the that we request from principal from
 | ||
| 	the entry and pass it in as a separate argument. Add more flags to
 | ||
| 	->hdb_get(). Re-indent.
 | ||
| 	
 | ||
| 2006-04-26  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* doc/setup.texi: document pki-allow-proxy-certificate
 | ||
| 
 | ||
| 	* kdc/pkinit.c: Add option [kdc]pki-allow-proxy-certificate=bool
 | ||
| 	to allow using proxy certificate.
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c (_krb5_pk_allow_proxy_certificates): expose
 | ||
| 	hx509_verify_set_proxy_certificate
 | ||
| 
 | ||
| 	* kdc/pkinit.c (_kdc_pk_check_client): Use
 | ||
| 	hx509_cert_get_base_subject to get subject name of the
 | ||
| 	certificate, needed for proxy certificates.
 | ||
| 
 | ||
| 	* kdc/kerberos5.c: Now that find_keys speaks for it self, remove
 | ||
| 	extra logging.
 | ||
| 
 | ||
| 	* kdc/kerberos5.c (find_keys): add client_name and server_name
 | ||
| 	argument and use them, and adapt callers.
 | ||
| 	
 | ||
| 2006-04-25  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kuser/kinit.1: document option password-file
 | ||
| 
 | ||
| 	* kuser/kinit.c: Add option password-file, read password from the
 | ||
| 	first line of a file.
 | ||
| 
 | ||
| 	* configure.in: make tests/kdc/Makefile
 | ||
| 
 | ||
| 	* kdc/kerberos5.c: Catch the case where the client sends no
 | ||
| 	encryption types or no pa-types.
 | ||
| 
 | ||
| 	* lib/hdb/ext.c (hdb_replace_extension): set error message on
 | ||
| 	failure, not success.
 | ||
| 
 | ||
| 	* lib/hdb/keys.c (parse_key_set): handle error case better
 | ||
| 	(hdb_generate_key_set): return better error
 | ||
| 	
 | ||
| 2006-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/hdb/hdb.c (hdb_create): print out what we don't support
 | ||
| 
 | ||
| 	* lib/krb5/principal.c: Remove a double free introduced in 1.93
 | ||
| 
 | ||
| 	* lib/krb5/log.c (log_file): reset pointer to freed memory
 | ||
| 
 | ||
| 	* lib/krb5/keytab_keyfile.c (get_cell_and_realm): reset d->cell to
 | ||
| 	make sure it's not referenced
 | ||
| 
 | ||
| 	* tools/krb5-config.in: libhcrypto might depend on libasn1, switch
 | ||
| 	order
 | ||
| 
 | ||
| 	* lib/krb5/recvauth.c: indent
 | ||
| 
 | ||
| 	* doc/heimdal.texi: Add Setting up PK-INIT to Detailed Node
 | ||
| 	Listing.
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: Pass down realm to pk_verify_host so the
 | ||
| 	function can verify the certificate is from the right realm.
 | ||
| 
 | ||
| 	* lib/krb5/init_creds_pw.c: Pass down realm to
 | ||
| 	_krb5_pk_rd_pa_reply
 | ||
| 	
 | ||
| 2006-04-23  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c (pk_verify_host): Add beginning of finding
 | ||
| 	subjectAltName_otherName pk-init-san and verifying it.
 | ||
| 
 | ||
| 	* lib/krb5/sendauth.c: reindent
 | ||
| 
 | ||
| 	* doc/Makefile.am: use --no-split to make one large file, mostly
 | ||
| 	for html
 | ||
| 
 | ||
| 	* doc/setup.texi: "document" pkinit_require_eku and
 | ||
| 	pkinit_require_krbtgt_otherName
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: Add pkinit_require_eku and
 | ||
| 	pkinit_require_krbtgt_otherName
 | ||
| 
 | ||
| 	* doc/setup.texi: Add text about pk-init
 | ||
| 
 | ||
| 	* tools/kdc-log-analyze.pl: count v5 cross realms too
 | ||
| 	
 | ||
| 2006-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kdc/pkinit.c: Adapt to change in hx509_cms_create_signed_1.
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: Adapt to change in hx509_cms_create_signed_1.
 | ||
| 	
 | ||
| 2006-04-20  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kdc/pkinit.c (_kdc_pk_rd_padata): use
 | ||
| 	hx509_cms_unwrap_ContentInfo.
 | ||
| 
 | ||
| 	* kdc/config.c: unbreak
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: Handle differences between libhcrypto and
 | ||
| 	libcrypto.
 | ||
| 
 | ||
| 	* kdc/config.c: Rename pki-chain to pki-pool to match rest of
 | ||
| 	code.
 | ||
| 	
 | ||
| 2006-04-12  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/rd_priv.c: Fix argument to krb5_data_zero.
 | ||
| 
 | ||
| 	* kdc/config.c: Added certificate revoke information from
 | ||
| 	configuration file.
 | ||
| 	
 | ||
| 	* kdc/pkinit.c: Added certificate revoke information.
 | ||
| 
 | ||
| 	* kuser/kinit.c: Added certificate revoke information from
 | ||
| 	configuration file.
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c (_krb5_pk_load_id): Added certificate revoke
 | ||
| 	information, ie CRL's
 | ||
| 	
 | ||
| 2006-04-10 Love Hörnquist Åstrand <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/replay.c (krb5_rc_resolve_full): make compile again.
 | ||
| 
 | ||
| 	* lib/krb5/keytab_krb4.c (krb4_kt_start_seq_get_int): make compile
 | ||
| 	again.
 | ||
| 
 | ||
| 	* lib/krb5/transited.c (make_path): make sure we return allocated
 | ||
| 	memory Coverity, NetBSD CID#1892
 | ||
| 
 | ||
| 	* lib/krb5/transited.c (make_path): make sure we return allocated
 | ||
| 	memory Coverity, NetBSD CID#1892
 | ||
| 
 | ||
| 	* lib/krb5/rd_req.c (krb5_verify_authenticator_checksum): on
 | ||
| 	protocol failure, avoid leaking memory Coverity, NetBSD CID#1900
 | ||
| 
 | ||
| 	* lib/krb5/principal.c (krb5_parse_name): remember to free realm
 | ||
| 	in case of error Coverity, NetBSD CID#1883
 | ||
| 
 | ||
| 	* lib/krb5/principal.c (krb5_425_conv_principal_ext2): remove
 | ||
| 	memory leak in case of weirdly formatted DNS replies.
 | ||
| 	Coverity, NetBSD CID#1885
 | ||
| 	
 | ||
| 	* lib/krb5/replay.c (krb5_rc_resolve_full): don't return pointer
 | ||
| 	to an allocated krb5_rcache in case of error.
 | ||
| 
 | ||
| 	* lib/krb5/log.c (krb5_addlog_dest): free fn in case of error
 | ||
| 	Coverity, NetBSD CID#1882
 | ||
| 	
 | ||
| 	* lib/krb5/keytab_krb4.c: Fix deref before NULL check, fix error
 | ||
| 	handling.  Coverity, NetBSD CID#2369
 | ||
| 
 | ||
| 	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
 | ||
| 	in_creds->client should always be set, assume so.
 | ||
| 
 | ||
| 	* lib/krb5/keytab_any.c (any_next_entry): restructure to make it
 | ||
| 	easier to read Fixes Coverity, NetBSD CID#625
 | ||
| 
 | ||
| 	* lib/krb5/crypto.c (krb5_string_to_key_derived): deref after NULL
 | ||
| 	check.  Coverity NetBSD CID#2367
 | ||
| 
 | ||
| 	* lib/krb5/build_auth.c (krb5_build_authenticator): use
 | ||
| 	calloc. removed check that was never really used. Coverity NetBSD
 | ||
| 	CID#2370
 | ||
| 	
 | ||
| 2006-04-09  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* lib/krb5/rd_req.c (krb5_verify_ap_req2): make sure `ticket´
 | ||
| 	points to NULL in case of error, add error handling, use calloc.
 | ||
| 
 | ||
| 	* kpasswd/kpasswdd.c (doit): when done, close all fd in the
 | ||
| 	sockets array and free it.  Coverity NetBSD CID#1916
 | ||
| 	
 | ||
| 2006-04-08  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/store.c (krb5_ret_principal): fix memory leak Coverity,
 | ||
| 	NetBSD CID#1695
 | ||
| 
 | ||
| 	* kdc/524.c (_kdc_do_524): Handle memory allocation failure
 | ||
| 	Coverity, NetBSD CID#2752
 | ||
| 	
 | ||
| 2006-04-07  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/keytab_file.c (krb5_kt_ret_principal): plug a memory
 | ||
| 	leak Coverity NetBSD CID#1890
 | ||
| 
 | ||
| 	* kdc/hprop.c (main): make sure type doesn't need to be set
 | ||
| 
 | ||
| 	* kdc/mit_dump.c (mit_prop_dump): close fd when done processing
 | ||
| 	Coverity NetBSD CID#1955
 | ||
| 
 | ||
| 	* kdc/string2key.c (tokey): catch warnings, free memory after use.
 | ||
| 	Based on Coverity NetBSD CID#1894
 | ||
| 
 | ||
| 	* kdc/hprop.c (main): remove dead code.  Coverity NetBSD CID#633
 | ||
| 	
 | ||
| 2006-04-04  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kpasswd/kpasswd-generator.c (read_words): catch empty file case,
 | ||
| 	will cause PBE (division by zero) later. From Tobias Stoeckmann.
 | ||
| 	
 | ||
| 2006-04-02  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* lib/hdb/keytab.c: Remove a delta from last revision that should
 | ||
| 	have gone in later.
 | ||
| 	
 | ||
| 	* lib/krb5/krbhst.c: fix spelling
 | ||
| 
 | ||
| 	* lib/krb5/send_to_kdc.c (send_and_recv_http): don't expose freed
 | ||
| 	pointer, found by IBM checker.
 | ||
| 
 | ||
| 	* lib/krb5/rd_cred.c (krb5_rd_cred): don't expose freed pointer,
 | ||
| 	found by IBM checker.
 | ||
| 
 | ||
| 	* lib/krb5/addr_families.c (krb5_make_addrport): clear return
 | ||
| 	value on error, found by IBM checker.
 | ||
| 
 | ||
| 	* kdc/kerberos5.c (check_addresses): treat netbios as no addresses
 | ||
| 	
 | ||
| 	* kdc/{kerberos4,kaserver}.c: _kdc_check_flags takes hdb_entry_ex
 | ||
| 
 | ||
| 	* kdc/kerberos5.c (_kdc_check_flags): make it take hdb_entry_ex to
 | ||
| 	avoid ?:'s at callers
 | ||
| 
 | ||
| 	* lib/krb5/v4_glue.c: Avoid using free memory, found by IBM
 | ||
| 	checker.
 | ||
| 
 | ||
| 	* lib/krb5/transited.c (expand_realm): avoid passing NULL to
 | ||
| 	strlen, found by IBM checker.
 | ||
| 
 | ||
| 	* lib/krb5/rd_cred.c (krb5_rd_cred): avoid a memory leak on malloc
 | ||
| 	failure, found by IBM checker.
 | ||
| 
 | ||
| 	* lib/krb5/krbhst.c (_krb5_krbhost_info_move): replace a strcpy
 | ||
| 	with a memcpy
 | ||
| 
 | ||
| 	* lib/krb5/keytab_keyfile.c (get_cell_and_realm): plug a memory
 | ||
| 	leak, found by IBM checker.
 | ||
| 
 | ||
| 	* lib/krb5/keytab_file.c (fkt_next_entry_int): remove a
 | ||
| 	dereferencing NULL pointer, found by IBM checker.
 | ||
| 
 | ||
| 	* lib/krb5/init_creds_pw.c (init_creds_init_as_req): in AS-REQ the
 | ||
| 	cname must always be given, don't avoid that fact and remove a
 | ||
| 	cname == NULL case. Plugs a memory leak found by IBM checker.
 | ||
| 
 | ||
| 	* lib/krb5/init_creds_pw.c (default_s2k_func): avoid exposing
 | ||
| 	free-ed memory on error. Found by IBM checker.
 | ||
| 
 | ||
| 	* lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): use
 | ||
| 	calloc to avoid uninitialized memory problem.
 | ||
| 
 | ||
| 	* lib/krb5/data.c (krb5_copy_data): avoid exposing free-ed memory
 | ||
| 	on error. Found by IBM checker.
 | ||
| 
 | ||
| 	* lib/krb5/fcache.c (fcc_gen_new): fix a use after free, found by
 | ||
| 	IBM checker.
 | ||
| 
 | ||
| 	* lib/krb5/config_file.c (krb5_config_vget_strings): IBM checker
 | ||
| 	thought it found a memory leak, it didn't, but there was another
 | ||
| 	error in the code, let's fix that instead.
 | ||
| 
 | ||
| 	* lib/krb5/cache.c (_krb5_expand_default_cc_name): plug memory
 | ||
| 	leak. Found by IBM checker.
 | ||
| 
 | ||
| 	* lib/krb5/cache.c (_krb5_expand_default_cc_name): avoid return
 | ||
| 	pointer to freed memory in the error case. Found by IBM checker.
 | ||
| 
 | ||
| 	* lib/hdb/keytab.c (hdb_resolve): off by one, found by IBM
 | ||
| 	checker.
 | ||
| 
 | ||
| 	* lib/hdb/keys.c (hdb_generate_key_set): set ret_key_set before
 | ||
| 	going into the error clause and freeing key_set. Found by IBM
 | ||
| 	checker.  Make sure ret == 0 after a parse error, we catch the
 | ||
| 	"no entries parsed" case later.
 | ||
| 
 | ||
| 	* lib/krb5/log.c (krb5_addlog_dest): make string length match
 | ||
| 	strings in strcasecmp.  Found by IBM checker.
 | ||
| 	
 | ||
| 2006-03-30  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* lib/hdb/hdb-ldap.c (LDAP_message2entry): in declaration set
 | ||
| 	variable_name as "hdb_entry_ex"
 | ||
| 	(hdb_ldap_common): change "arg" in condition (if) to "search_base"
 | ||
| 	(hdb_ldapi_create): change "serach_base" to "search_base" From
 | ||
| 	Alex V. Labuta.
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit): fix
 | ||
| 	prototype
 | ||
| 
 | ||
| 	* kuser/kinit.c: Add pool of certificates to help certificate path
 | ||
| 	building for clients sending incomplete path in the signedData.
 | ||
| 	
 | ||
| 2006-03-28  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kdc/pkinit.c: Add pool of certificates to help certificate path
 | ||
| 	building for clients sending incomplete path in the signedData.
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: Add pool of certificates to help certificate
 | ||
| 	path building for clients sending incomplete path in the
 | ||
| 	signedData.
 | ||
| 	
 | ||
| 2006-03-27  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kdc/config.c: Allow passing in related certificates used to
 | ||
| 	build the chain.
 | ||
| 
 | ||
| 	* kdc/pkinit.c: Allow passing in related certificates used to
 | ||
| 	build the chain.
 | ||
| 
 | ||
| 	* kdc/kerberos5.c (log_patype): Add case for
 | ||
| 	KRB5_PADATA_PA_PK_OCSP_RESPONSE.
 | ||
| 
 | ||
| 	* tools/Makefile.am: Spelling
 | ||
| 
 | ||
| 	* tools/krb5-config.in: Add hx509 when using PK-INIT.
 | ||
| 
 | ||
| 	* tools/Makefile.am: Add hx509 when using PK-INIT.
 | ||
| 	
 | ||
| 2006-03-26  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/acache.c: Use ticket flags definition, might fix Mac OS
 | ||
| 	X Kerberos.app problems.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_ccapi.h: Add ticket flags definitions
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: Use less openssl, spell chelling.
 | ||
| 
 | ||
| 	* kdc/pkinit.c (pk_mk_pa_reply_dh): encode the DH public key with
 | ||
| 	asn1 wrapping
 | ||
| 
 | ||
| 	* configure.in (AC_CONFIG_FILES): add lib/hx509/Makefile
 | ||
| 
 | ||
| 	* lib/Makefile.am: Add hx509.
 | ||
| 
 | ||
| 	* lib/krb5/Makefile.am: Add libhx509.la when PKINIT is used.
 | ||
| 
 | ||
| 	* configure.in: define automake PKINIT variable
 | ||
| 
 | ||
| 	* kdc/pkinit.c: Switch to hx509.
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: Switch to hx509.
 | ||
| 	
 | ||
| 2006-03-24  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kdc/kerberos5.c (log_patypes): log the patypes requested by the
 | ||
| 	client
 | ||
| 	
 | ||
| 2006-03-23  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c (_krb5_pk_rd_pa_reply): pass down the
 | ||
| 	req_buffer in the w2k case too. From Douglas E. Engert.
 | ||
| 	
 | ||
| 2006-03-19  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/mk_req_ext.c (_krb5_mk_req_internal): on failure, goto
 | ||
| 	error handling.  Fixes Coverity NetBSD CID 2591 by catching a
 | ||
| 	failing krb5_copy_keyblock()
 | ||
| 	
 | ||
| 2006-03-17  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/addr_families.c (krb5_free_addresses): reset val,len in
 | ||
| 	address when free-ing.  Fixes Coverity NetBSD bug #2605
 | ||
| 	(krb5_parse_address): reset val,len before possibly return errors
 | ||
| 	Fixes Coverity NetBSD bug #2605
 | ||
| 	
 | ||
| 2006-03-07  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* lib/krb5/send_to_kdc.c (recv_loop): it should never happen, but
 | ||
| 	make sure nbytes > 0
 | ||
| 
 | ||
| 	* lib/krb5/get_for_creds.c (add_addrs): handle the case where
 | ||
| 	addr->len == 0 and n == 0, then realloc might return NULL.
 | ||
| 
 | ||
| 	* lib/krb5/crypto.c (decrypt_*): handle the case where the
 | ||
| 	plaintext is 0 bytes long, realloc might then return NULL.
 | ||
| 	
 | ||
| 2006-02-28  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/krb5_string_to_key.3: Drop krb5_string_to_key_derived.
 | ||
| 
 | ||
| 	* lib/krb5/krb5.3: Remove krb5_string_to_key_derived.
 | ||
| 
 | ||
| 	* lib/krb5/crypto.c (AES_string_to_key): drop _krb5_PKCS5_PBKDF2
 | ||
| 	and use PKCS5_PBKDF2_HMAC_SHA1 instead.
 | ||
| 
 | ||
| 	* lib/krb5/aes-test.c: reformat, avoid free-ing un-init'd memory
 | ||
| 
 | ||
| 	* lib/krb5/aes-test.c: Only use PKCS5_PBKDF2_HMAC_SHA1.
 | ||
| 	
 | ||
| 2006-02-27  Johan Danielsson  <joda@pdc.kth.se>
 | ||
| 
 | ||
| 	* doc/setup.texi: remove cartouches - we don't use them anywhere
 | ||
| 	else, they should be around the example, not inside it, and
 | ||
| 	probably shouldn't be used in html at all
 | ||
| 
 | ||
| 2006-02-18  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/krb5_warn.3: Document that applications want to use
 | ||
| 	krb5_get_error_message, add example.
 | ||
| 
 | ||
| 2006-02-16  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/crypto.c (krb5_generate_random_block): check return
 | ||
| 	value from RAND_bytes
 | ||
| 
 | ||
| 	* lib/krb5/error_string.c: Change indentation, update (c)
 | ||
| 
 | ||
| 2006-02-14  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: Make struct krb5_dh_moduli available when
 | ||
| 	compiling w/o pkinit.
 | ||
| 	
 | ||
| 2006-02-13  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/pkinit.c: update to new paChecksum definition, update
 | ||
| 	the dhgroup handling
 | ||
| 
 | ||
| 	* kdc/pkinit.c: update to new paChecksum definition, use
 | ||
| 	hdb_entry_ex
 | ||
| 	
 | ||
| 2006-02-09  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/krb5_locl.h: Move Configurable options to last in the
 | ||
| 	file.
 | ||
| 	
 | ||
| 	* lib/krb5/krb5_locl.h: Wrap KRB5_ADDRESSLESS_DEFAULT with #ifndef
 | ||
| 	
 | ||
| 2006-02-03  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kpasswd/kpasswdd.c: Send back a better error-message to the
 | ||
| 	client in case the password change was rejected.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_warn.3: Document krb5_get_error_message.
 | ||
| 
 | ||
| 	* lib/krb5/error_string.c (krb5_get_error_message): new function,
 | ||
| 	and combination of krb5_get_error_string and krb5_get_err_text
 | ||
| 
 | ||
| 	* lib/krb5/krb5.3: sort, and krb5_get_error_message
 | ||
| 
 | ||
| 	* lib/hdb/hdb-ldap.c: Log the filter string to the error message
 | ||
| 	when doing searches.
 | ||
| 
 | ||
| 	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags):
 | ||
| 	Use KRB5_ADDRESSLESS_DEFAULT when
 | ||
| 	checking [appdefault]no-addresses.
 | ||
| 
 | ||
| 	* lib/krb5/get_cred.c (get_cred_from_kdc_flags): Use
 | ||
| 	KRB5_ADDRESSLESS_DEFAULT when checking
 | ||
| 	[appdefault]no-addresses.
 | ||
| 
 | ||
| 	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
 | ||
| 	Use [appdefault]no-addresses before checking if the krbtgt is
 | ||
| 	address-less, use KRB5_ADDRESSLESS_DEFAULT.
 | ||
| 
 | ||
| 	* lib/krb5/krb5_locl.h: Introduce KRB5_ADDRESSLESS_DEFAULT that
 | ||
| 	controls all address-less behavior.  Defaults to false.
 | ||
| 	
 | ||
| 2006-02-01  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* lib/krb5/n-fold-test.c: main is not a KRB5_LIB_FUNCTION
 | ||
| 
 | ||
| 	* lib/krb5/mk_priv.c (krb5_mk_priv): abort if ASN1_MALLOC_ENCODE
 | ||
| 	fails to produce the matching lengths.
 | ||
| 	
 | ||
| 2006-01-27  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* kcm/protocol.c (kcm_op_retrieve): remove unused variable
 | ||
| 	
 | ||
| 2006-01-15  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* tools/krb5-config.in: Move dependency on @LIB_dbopen@ to
 | ||
| 	kadm-server, kerberos library doesn't depend on db-library.
 | ||
| 	
 | ||
| 2006-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
 | ||
| 
 | ||
| 	* include/Makefile.am: Don't clean crypto headers, they now live
 | ||
| 	in hcrypto/.  Add hcrypto to SUBDIRS.
 | ||
| 
 | ||
| 	* include/hcrypto/Makefile.am: clean installed headers
 | ||
| 
 | ||
| 	* include/make_crypto.c: include crypto headers from hcrypto/
 | ||
| 
 | ||
| 	* include/make_crypto.c: Include more crypto header files. Remove
 | ||
| 	support for old hash names.
 | ||
| 	
 | ||
| 2006-01-02  Love Hörnquist Åstrand <lha@it.su.se>
 | ||
| 	
 | ||
| 	* kdc/misc.c (_kdc_db_fetch): use calloc to allocate the entry,
 | ||
| 	from Andrew Bartlett.
 | ||
| 	
 | ||
| 	* Happy New Year.
 |