oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
Files
c7b54c33720edfbda3ad4ee7cdb5ae573614de76
heimdal/ChangeLog
Love Hörnquist Åstrand 72c61fb9f1 x 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18260 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-10-06 12:06:56 +00:00

1320 lines
39 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

2006-10-06 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/digest.c: Make digest argument o MD5_final unsigned char to
help OpenSSL.
* kuser/kdigest.c: Make digest argument o MD5_final unsigned char
to help OpenSSL.
* appl/gssmask/common.h: Maybe include <sys/wait.h>.
2006-10-05 Love Hörnquist Åstrand <lha@it.su.se>
* appl/gssmask/common.h: disable ENABLE_PTHREAD_SUPPORT and
explain why
* tools/heimdal-build.sh: Another mail header.
* tools/heimdal-build.sh: small fixes
* fix-export: More liberal parsing of AC_INIT
* tools/heimdal-build.sh: first cut
2006-10-04 Love Hörnquist Åstrand <lha@it.su.se>
* configure.in: Call AB_INIT.
* kuser/kinit.c: Add flag --pk-use-enckey.
* kdc/pkinit.c: Sign the request in the encKey case. Bug reported
by Olga Kornievskaia of Umich.
* lib/krb5/Makefile.am: man_MANS += krb5_digest.3
* lib/krb5/krb5_digest.3: Add all protos
2006-10-03 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5_digest.3: Basic krb5_digest manpage.
2006-10-02 Love Hörnquist Åstrand <lha@it.su.se>
* fix-export: build gssapi mech private files
* lib/krb5/init_creds_pw.c: minimize layering and remove
krb5_kdc_flags
* lib/krb5/get_in_tkt.c: Always use the kdc_flags in the right bit
order.
* lib/krb5/init_creds_pw.c: Always use the kdc_flags in the right
bit order.
* kuser/kdigest.c: Don't require --kerberos-realm.
* lib/krb5/digest.c (digest_request): if NULL is passed in as
realm, use default realm.
* fix-export: build gssapi mech private files
2006-09-26 Love Hörnquist Åstrand <lha@it.su.se>
* appl/gssmask/gssmaestro.c: Handle FIRST_CALL in the context
building, better error handling.
* appl/gssmask/gssmaestro.c: switch from wrap/unwrap to
encrypt/decrypt
* appl/gssmask/gssmask.c: Don't announce spn if there is none.
* appl/gssmask/gssmaestro.c: Check that the pre-wrapped data is
the same as afterward.
2006-09-25 Love Hörnquist Åstrand <lha@it.su.se>
* appl/gssmask/gssmaestro.c: Remove stray GSS_C_DCE_STYLE.
* appl/gssmask/gssmaestro.c: Add logsocket support.
2006-09-22 Love Hörnquist Åstrand <lha@it.su.se>
* appl/gssmask/gssmaestro.c (build_context): print the step the
context exchange.
2006-09-21 Love Hörnquist Åstrand <lha@it.su.se>
* appl/gssmask/gssmaestro.c: Add GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG
to all context flags
* appl/gssmask/gssmaestro.c: Add wrap and mic tests for all
elements
* appl/gssmask/gssmask.c: Add mic tests
* appl/gssmask/gssmaestro.c: dont exit early then when context
is half built.
* lib/krb5/rd_req.c: disable ETypeList parsing usage for now, cfx
seems broken and its not good to upgrade to a broken enctype.
2006-09-20 Love Hörnquist Åstrand <lha@it.su.se>
* appl/gssmask/gssmask.c: Add wrap/unwrap ops
* appl/gssmask/protocol.h: Add eGetVersionAndCapabilities flags
* appl/gssmask/common.c: Add permutate_all (and support
functions).
* appl/gssmask/common.h: Add permutate_all
* appl/gssmask/gssmask.c: use new flags, return moniker
* appl/gssmask/gssmaestro.c: test self context building and all
permutation of clients
2006-09-19 Love Hörnquist Åstrand <lha@it.su.se>
* appl/gssmask/gssmask.c: add --logfile option, use htons() on
port number
* appl/gssmask/gssmaestro.c: Log port in connection message.
* configure.in: Make pk-init turned on by default.
2006-09-18 Love Hörnquist Åstrand <lha@it.su.se>
* fix-export: Build lib/hx509/{hx509-protos.h,hx509-private.h}.
* kuser/Makefile.am: Add tool for printing tickets.
* kuser/kimpersonate.1: Add tool for printing tickets.
* kuser/kimpersonate.c: Add tool for printing tickets.
* kdc/krb5tgs.c: Check the adtkt in the constrained delegation
case too.
2006-09-16 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/main.c (sigterm): don't _exit, let loop() catch the signal
instead.
* lib/krb5/krb5_timeofday.3: Fixes from Björn Sandell.
* lib/krb5/krb5_get_init_creds.3: Fixes from Björn Sandell.
2006-09-15 Love Hörnquist Åstrand <lha@it.su.se>
* tools/krb5-config.in: Add "kafs" option.
2006-09-12 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/db.c: By using full function calling conversion (*func)
we avoid problem when close(fd) is overridden using a macro.
* lib/krb5/cache.c: By using full function calling
conversion (*func) we avoid problem when close(fd) is overridden
using a macro.
2006-09-11 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/kerberos5.c: Signing outgoing tickets.
* kdc/krb5tgs.c: Add signing and checking of tickets to s4u2self
works securely.
* lib/krb5/pkinit.c: Adapt to new signature of
hx509_cms_unenvelope.
2006-09-09 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/pkinit.c (pk_verify_host): set errorstrings in a
sensable way
2006-09-08 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5_init_context.3: Prevent a font generation warning,
from Jason McIntyre.
2006-09-06 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/context.c (krb5_init_ets): Add the hx errortable
* lib/krb5/krb5_locl.h: Include hx509_err.h.
* lib/krb5/pkinit.c (_krb5_pk_verify_sign): catch the error string
from the hx509 lib
2006-09-04 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags):
fix argument to krb5_get_init_creds_opt_set_addressless.
* lib/krb5/init_creds_pw.c (init_cred_loop): try to catch the
error when we actually have an error to catch.
* lib/krb5/init_creds_pw.c: Remove debug printfs.
* kuser/kinit.c: Remove debug printf
* lib/krb5/krb5_get_init_creds.3: Document
krb5_get_init_creds_opt_set_addressless.
* kuser/kinit.c: Use new function
krb5_get_init_creds_opt_set_addressless.
* lib/krb5/krb5_locl.h: use new addressless, convert pa-pac option
to use the same tri-state option as the new addressless option.
* lib/krb5/init_creds_pw.c: use new addressless, convert pa-pac
option to use the same tri-state option as the new addressless
option.
* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_addressless):
used to control the address-lessness of the initial tickets
instead of passing in the empty set of address into
krb5_get_init_creds_opt_set_addresses.
2006-09-01 Love Hörnquist Åstrand <lha@it.su.se>
* kuser/kinit.c (renew_validate): inherit the proxiable and
forwardable from the orignal ticket, pointed out by Bernard
Antoine of CERN.
* doc/setup.texi: More text about the acl_file entry and
hdb-ldap-structural-object. From Rüdiger Ranft.
* lib/krb5/krbhst.c (fallback_get_hosts): limit the fallback
lookups to 5. Patch from Wesley Craig, umich.edu
* configure.in: Add special tests for <sys/ucred.h>, include test
for sys/param.h and sys/types.h
* appl/test/tcp_server.c (proto): use keytab for krb5_recvauth
Patch from Ingemar Nilsson <init@pdc.kth.se>
2006-08-28 Love Hörnquist Åstrand <lha@it.su.se>
* kuser/kdigest.c (help): use sl_slc_help().
* kdc/digest.c: Catch more error, add SASL DIGEST MD5.
* lib/krb5/digest.c: Catch more error.
2006-08-25 Love Hörnquist Åstrand <lha@it.su.se>
* doc/setup.texi: language.
* doc/heimdal.texi: Add last updated text.
* doc/heimdal.css: make box around heimdal title
* doc/heimdal.css: Inital Heimdal css for the info manual
* lib/krb5/digest.c: In the case where we get a DigestError back,
save the error string and code.
2006-08-24 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/kerberos5.c: Remove _kdc_find_etype(), its no longer used.
* kdc/digest.c: Remove local error label and have just one exit
label, set error strings properly.
* kdc/digest.c: Simply the disabled-service case. Check the
allow-digest flag in the HDB entry for the client.
* kdc/process.c (krb5_kdc_process_generic_request): check if we
got a digest request and process it.
* kdc/main.c: Register hdb keytab operations.
* kdc/kdc.8: document [kdc]enable-digest=boolean
* kdc/Makefile.am: add digest to libkdc
* kdc/digest.c: Make a return a goto to avoid freeing un-inited
memory in cleanup code.
* kdc/default_config.c (krb5_kdc_default_config): default to all
bits set to zero.
* kdc/kdc.h (krb5_kdc_configuration): Add enable_digest
* kdc/headers.h: Include <digest_asn1.h>.
* lib/krb5/context.c (krb5_kerberos_enctypes): new function,
returns the list of Kerberos encryption types sorted in order of
most preferred to least preferred encryption type.
* kdc/misc.c (_kdc_get_preferred_key): new function, Use the order
list of preferred encryption types and sort the available keys and
return the most preferred key.
* kdc/krb5tgs.c: Adapt to the new sigature of _kdc_find_keys().
* kdc/kerberos5.c: Handle session key etype separately from the
tgt etype, now the krbtgt can be a aes-only key without the need
to support not-as-good etypes for the krbtgt.
2006-08-23 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/misc.c: Change _kdc_db_fetch() to return the database
pointer to if needed by the consumer.
* kdc/krb5tgs.c: Change _kdc_db_fetch() to return the database
pointer to if needed by the consumer.
* kdc/kerberos5.c: Change _kdc_db_fetch() to return the database
pointer to if needed by the consumer.
* kdc/kerberos4.c: Change _kdc_db_fetch() to return the database
pointer to if needed by the consumer.
* kdc/kaserver.c: Change _kdc_db_fetch() to return the database
pointer to if needed by the consumer.
* kdc/524.c: Change _kdc_db_fetch() to return the database pointer
to if needed by the consumer.
* kuser/kdigest-commands.in: Add --kerberos-realm, add client
request command.
* lib/krb5/Makefile.am: digest.c
* lib/krb5/krb5.h: Add digest glue.
* lib/krb5/digest.c (krb5_digest_set_authentication_user): use
krb5_principal
* lib/krb5/digest.c: Add digest support to the client side.
2006-08-21 Love Hörnquist Åstrand <lha@it.kth.se>
* lib/krb5/rd_rep.c (krb5_rd_rep): free krb5_ap_rep_enc_part on
error and set return pointer to NULL
(krb5_free_ap_rep_enc_part): permit freeing of NULL
2006-08-18 Love Hörnquist Åstrand <lha@it.kth.se>
* kdc/{Makefile.am,kdigest.c,kdigest-commands.in}:
Frontend for remote digest service in KDC
* lib/krb5/krb5_storage.3: Document krb5_{ret,store}_stringnl
functions.
* lib/krb5/store.c: Add krb5_{ret,store}_stringnl functions,
stores/retrieves a \n terminated string.
* lib/krb5/krb5_locl.h: Default to address-less tickets.
* lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error): clear
error string on error.
2006-07-20 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/crypto.c: remove aes-192 (CMS)
* lib/krb5/crypto.c: Remove more CMS bits.
* lib/krb5/crypto.c: Remove CMS symmetric encryption support.
2006-07-13 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/pkinit.c (_kdc_pk_check_client): make it not crash when
there are no acl
* kdc/pkinit.c (_kdc_pk_check_client): use the acl in the kerberos
database
* lib/hdb/hdb.asn1: Rename HDB-Ext-PKINIT-certificate to
HDB-Ext-PKINIT-hash. Add trust anchor to HDB-Ext-PKINIT-acl.
* lib/hdb/Makefile.am: rename asn1_HDB_Ext_PKINIT_certificate to
asn1_HDB_Ext_PKINIT_hash
* lib/hdb/ext.c: Add hdb_entry_get_pkinit_hash().
2006-07-10 Love Hörnquist Åstrand <lha@it.su.se>
* kuser/kinit.c: If --password-file gets STDIN, read the password
from the standard input.
* kuser/kinit.1: Document --password-file=STDIN.
* lib/krb5/krb5_string_to_key.3: Remove duplicate to.
2006-07-06 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/krb5tgs.c: (tgs_build_reply): when checking for removed
principals, check the second component of the krbtgt, otherwise
cross realm wont work. Prompted by report from Mattias Amnefelt.
2006-07-05 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/connect.c (handle_vanilla_tcp): use unsigned integer for for
length
(handle_tcp): if the high bit it set in the unknown case, send
back a KRB_ERR_FIELD_TOOLONG
2006-07-03 Love Hörnquist Åstrand <lha@it.su.se>
* appl/gssmask/gssmaestro.c: Add get_version_capa, cache
target_name.
* appl/gssmask/gssmask.c: use utname() to find the local hostname
and version of operatingsystem
* appl/gssmask/common.h: include <sys/utsname.h>
* appl/gssmask/gssmask.c: break out creation of a client and make
handleServer pthread_create compatible
* appl/gssmask/gssmaestro.c: break out out the build context
function
2006-07-01 Love Hörnquist Åstrand <lha@it.su.se>
* appl/gssmask/gssmaestro.c: externalize slave handling, add
GetTargetName glue
* appl/gssmask/gssmaestro.c: externalize principal/password handling
* lib/krb5/principal.c (krb5_parse_name): set *principal to NULL
the first thing we do, so that on failure its set to a known value
* appl/gssmask/gssmask.c: AcquireCreds: set principal to NULL to
avoid memory corruption GetTargetName: always send a string, even
though we don't have a targetname
* appl/gssmask: break out common function; add gssmaestro (that
only tests one context for now)
2006-06-30 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/store_fd.c (krb5_storage_from_fd): don't leak fd on
malloc failure
* appl/gssmask/gssmask.c: split out fetching of credentials for
easier reuse for pk-init testing
* appl/gssmask: maggot replacement, handles context testing
* lib/krb5/cache.c (krb5_cc_new_unique): use KRB5_DEFAULT_CCNAME
as the default prefix
2006-06-28 Love Hörnquist Åstrand <lha@it.su.se>
* doc/heimdal.texi: Add Doug Rabson's license
2006-06-22 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/init_creds.c: Add storing and getting KRB-ERROR in the
krb5_get_init_creds_opt structure.
* lib/krb5/init_creds_pw.c: Save KRB-ERROR on error.
* lib/krb5/krb5_locl.h (_krb5_get_init_creds_opt_private): add
KRB-ERROR
2006-06-21 Love Hörnquist Åstrand <lha@it.su.se>
* doc/setup.texi: section about verify_krb5_conf and kadmin check
2006-06-15 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/init_creds_pw.c (get_init_creds_common): drop cred
argument, its unused
* lib/krb5/Makefile.am: install krb5_get_creds.3
* lib/krb5/krb5_get_creds.3: new file
2006-06-14 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/hdb-ldap.c: don't use the sambaNTPassword if there is
ARCFOUR key already. Idea from Andreas Hasenack. While here, set
pw change time using sambaPwdLastSet
* kdc/kerberos4.c: Use enable_v4_per_principal and check the new
hdb flag.
* kdc/kdc.h: Add enable_v4_per_principal
2006-06-12 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/kerberos5.c (_kdc_as_rep): if kdc_time +
config->kdc_warn_pwexpire is past pw_end, add expiration
message. From Bernard Antoine.
* kdc/default_config.c (krb5_kdc_default_config): set
kdc_warn_pwexpire to 0
* kdc/kerberos5.c: indent.
2006-06-07 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/kerberos5.c: constify
2006-06-06 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/get_cred.c: Allow setting additional tickets in the
tgs-req
* kuser/kgetcred.c: add --delegation-credential-cache
* kdc/krb5tgs.c (tgs_build_reply): add constrained delegation.
* kdc/krb5tgs.c: Add impersonation.
* kuser/kgetcred.c: use new krb5_get_creds interface, add
impersonation.
* lib/krb5/get_cred.c (krb5_get_creds): add
KRB5_GC_NO_TRANSIT_CHECK
* lib/krb5/misc.c: Add impersonate support functions.
* lib/krb5/get_cred.c: Add impersonate and new krb5_get_creds interface.
* lib/hdb/hdb.asn1 (HDBFlags): add trusted-for-delegation
* lib/krb5/krb5.h: Add krb5_get_creds_opt_data and some more
KRB5_GC flags.
2006-06-01 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/ext.c (hdb_entry_get_ConstrainedDelegACL): new function.
* lib/krb5/pkinit.c: Avoid more shadowing.
* kdc/connect.c (do_request): clean reply with krb5_data_zero
* kdc/krb5tgs.c: Split up the reverse cross krbtgt check and local
clien must exists test.
* kdc/krb5tgs.c: Plug old memory leaks, unify all goto's.
* kdc/krb5tgs.c: Split tgs_rep2 into tgs_parse_request and
tgs_build_reply.
* kdc/kerberos5.c: split out krb5 tgs req to make it easier to
reorganize the code.
2006-05-29 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5_get_init_creds.3: spelling Björn Sandell
* lib/krb5/krb5_get_in_cred.3: spelling Björn Sandell
2006-05-13 Love Hörnquist Åstrand <lha@it.su.se>
* kpasswd/kpasswdd.c (change): select the realm based on the
target principal From Gabor Gombas
* lib/krb5/krb5_get_init_creds.3: Add KRB5_PROMPT_TYPE_INFO
* lib/krb5/krb5.h: Add KRB5_PROMPT_TYPE_INFO
2006-05-12 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/pkinit.c: Hidden field of hx509 prompter is removed.
Fix a warning.
* doc/setup.texi: Point to more examples, hint that you have to
use openssl 0.9.8a or later.
* doc/setup.texi: DIR now handles both PEM and DER.
* kuser/kinit.c: Pass down prompter and password to
krb5_get_init_creds_opt_set_pkinit.
* lib/krb5/pkinit.c (_krb5_pk_load_id): only use password if its
longer then 0
* doc/ack.texi: Add Jason McIntyre.
* lib/krb5/krb5_acl_match_file.3: Various tweaks, from Jason
McIntyre.
2006-05-11 Love Hörnquist Åstrand <lha@it.su.se>
* kuser/kinit.c: Move parsing of the PK-INIT configuration file to
the library so application doesn't need to deal with it.
* lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit): move
parsing of the configuration file to the library so application
doesn't need to deal with it.
* lib/krb5/pkinit.c (_krb5_pk_load_id): pass the hx509_lock to
when trying to read the user certificate.
* lib/krb5/pkinit.c (hx_pass_prompter): return 0 on success and 1
on failure. Pointed out by Douglas E. Engert.
2006-05-08 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/crypto.c: Catches both keyed checkout w/o crypto
context cases and doesn't reset the string, and corrects the
grammar.
* lib/krb5/crypto.c: Drop aes-cbc, rc2 and CMS padding support,
its all containted in libhcrypto and libhx509 now.
2006-05-07 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/pkinit.c (_krb5_pk_verify_sign): Use
hx509_get_one_cert.
* lib/krb5/crypto.c (create_checksum): provide a error message
that a key checksum needs a key. From Andew Bartlett.
2006-05-06 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/pkinit.c: Now that hcrypto supports DH, remove check
for hx509 null DH.
* kdc/pkinit.c: Don't call DH_check_pubkey, it doesn't exists in
older OpenSSL.
* doc/heimdal.texi: Add blob about imath.
* doc/ack.texi: Add blob about imath.
* include/make_crypto.c: Move up evp.h to please OpenSSL, from
Douglas E. Engert.
* kcm/acl.c: Multicache kcm interation isn't done yet, let wait
with this enum.
2006-05-05 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5_set_default_realm.3: Spelling/mdoc from Björn
Sandell
* lib/krb5/krb5_rcache.3: Spelling/mdoc from Björn Sandell
* lib/krb5/krb5_keytab.3: Spelling/mdoc from Björn Sandell
* lib/krb5/krb5_get_in_cred.3: Spelling/mdoc from Björn Sandell
* lib/krb5/krb5_expand_hostname.3: Spelling/mdoc from Björn
Sandell
* lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc from Björn
Sandell
* lib/krb5/keytab_file.c (fkt_next_entry_int): read the 32 bit
kvno if the reset of the data is longer then 4 bytes in hope to be
forward compatible. Pointed out by Michael B Allen.
* doc/programming.texi: Add fileformats.
* appl/test: Rename u_intXX_t to uintXX_t
* kuser: Rename u_intXX_t to uintXX_t
* kdc: Rename u_intXX_t to uintXX_t
* lib/hdb: Rename u_intXX_t to uintXX_t
* lib/45]: Rename u_intXX_t to uintXX_t
* lib/krb5: Rename u_intXX_t to uintXX_t
* lib/krb5/Makefile.am: Add test_store to TESTS
* lib/krb5/pkinit.c: Catch using hx509 null DH and print a more
useful error message.
* lib/krb5/store.c: Rewrite the krb5_ret_u as proposed by Johan.
2006-05-04 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/kerberos4.c: Use the new unsigned integer storage types.
* kdc/kaserver.c: Use the new unsigned integer storage
types. Sprinkle some error handling.
* lib/krb5/krb5_storage.3: Document ret and store function for the
unsigned fixed size integer types.
* lib/krb5/v4_glue.c: Use the new unsigned integer storage
types. Fail that the address doesn't match, not the reverse.
* lib/krb5/store.c: Add ret and store function for the unsigned
fixed size integer types.
* lib/krb5/test_store.c: Test the integer storage types.
2006-05-03 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/store.c (krb5_store_principal): make it take a
krb5_const_principal, indent
* lib/krb5/krb5_storage.3: krb5_store_principal takes a
krb5_const_principal
* lib/krb5/pkinit.c: Deal with that hx509_prompt.reply is no
longer a pointer.
* kdc/kdc.h (krb5_kdc_configuration): add pkinit_kdc_ocsp_file
* kdc/config.c: read [kdc]pki-kdc-ocsp
2006-05-02 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/pkinit.c (_kdc_pk_mk_pa_reply): send back ocsp response if
it seems to be valid, simplfy the pkinit-windows DH case (it
doesn't exists).
2006-05-01 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5_warn.3: Spelling/mdoc changes, from Björn Sandell.
* lib/krb5/krb5_verify_user.3: Spelling/mdoc changes, from Björn
Sandell.
* lib/krb5/krb5_verify_init_creds.3: Spelling/mdoc changes, from
Björn Sandell.
* lib/krb5/krb5_timeofday.3: Spelling/mdoc changes, from Björn
Sandell.
* lib/krb5/krb5_ticket.3: Spelling/mdoc changes, from Björn
Sandell.
* lib/krb5/krb5_rd_safe.3: Spelling/mdoc changes, from Björn
Sandell.
* lib/krb5/krb5_rcache.3: Spelling/mdoc changes, from Björn
Sandell.
* lib/krb5/krb5_principal.3: Spelling/mdoc changes, from Björn
Sandell.
* lib/krb5/krb5_parse_name.3: Spelling/mdoc changes, from Björn
Sandell.
* lib/krb5/krb5_mk_safe.3: Spelling/mdoc changes, from Björn
Sandell.
* lib/krb5/krb5_keyblock.3: Spelling/mdoc changes, from Björn
Sandell.
* lib/krb5/krb5_is_thread_safe.3: Spelling/mdoc changes, from
Björn Sandell.
* lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes,
from Björn Sandell.
* lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes,
from Björn Sandell.
* lib/krb5/krb5_expand_hostname.3: Spelling/mdoc changes, from
Björn Sandell.
* lib/krb5/krb5_check_transited.3: Spelling/mdoc changes, from
Björn Sandell.
* lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc changes, from
Björn Sandell.
* lib/krb5/krb5_address.3: Spelling/mdoc changes, from
Björn Sandell.
* lib/krb5/krb5_acl_match_file.3: Spelling/mdoc changes, from
Björn Sandell.
* lib/krb5/krb5.3: Spelling, from Björn Sandell.
* doc/ack.texi: add Björn
2006-04-30 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/pkinit.c (cert2epi): don't include subject if its null
2006-04-29 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/pkinit.c: Send over what trust anchors the client have
configured.
* lib/krb5/pkinit.c (pk_verify_host): set better error string,
only check kdc name/address when we got a hostname/address passed
in the the function.
* kdc/pkinit.c (_kdc_pk_check_client): reorganize and make log
when a SAN matches.
2006-04-28 Love Hörnquist Åstrand <lha@it.su.se>
* doc/setup.texi: More options and some text about windows
clients, certificate and KDCs.
* doc/setup.texi: notice about pki-mappings file space sensitive
* doc/setup.texi: Example pki-mapping file.
* lib/krb5/pkinit.c (pk_verify_host): verify hostname/address
* lib/hdb/hdb.h: Bump hdb interface version to 4.
2006-04-27 Love Hörnquist Åstrand <lha@it.su.se>
* kuser/kdestroy.1: Document --credential=principal.
* kdc/kerberos5.c (tgs_rep2): check that the client exists in the
kerberos database if its local request.
* kdc/{misc.c,524.c,kaserver.c,kerberos5.c}: pass down HDB_F_GET_
flags as appropriate
* kdc/kerberos4.c (_kdc_db_fetch4): pass down flags though
krb5_425_conv_principal_ext2
* kdc/misc.c (_kdc_db_fetch): Break out the that we request from
principal from the entry and pass it in as a seprate argument.
* lib/hdb/keytab.c (hdb_get_entry): Break out the that we request
from principal from the entry and pass it in as a seprate
argument.
* lib/hdb/common.c: Break out the that we request from principal
from the entry and pass it in as a seprate argument.
* lib/hdb/hdb.h: Break out the that we request from principal from
the entry and pass it in as a seprate argument. Add more flags to
->hdb_get(). Re-indent.
2006-04-26 Love Hörnquist Åstrand <lha@it.su.se>
* doc/setup.texi: document pki-allow-proxy-certificate
* kdc/pkinit.c: Add option [kdc]pki-allow-proxy-certificate=bool
to allow using proxy certificate.
* lib/krb5/pkinit.c (_krb5_pk_allow_proxy_certificates): expose
hx509_verify_set_proxy_certificate
* kdc/pkinit.c (_kdc_pk_check_client): Use
hx509_cert_get_base_subject to get subject name of the
certificate, needed for proxy certificates.
* kdc/kerberos5.c: Now that find_keys speaks for it self, remove
extra logging.
* kdc/kerberos5.c (find_keys): add client_name and server_name
argument and use them, and adapt callers.
2006-04-25 Love Hörnquist Åstrand <lha@it.su.se>
* kuser/kinit.1: document option password-file
* kuser/kinit.c: Add option password-file, read password from the
first line of a file.
* configure.in: make tests/kdc/Makefile
* kdc/kerberos5.c: Catch the case where the client sends no
encryption types or no pa-types.
* lib/hdb/ext.c (hdb_replace_extension): set error message on
failure, not success.
* lib/hdb/keys.c (parse_key_set): handle error case better
(hdb_generate_key_set): return better error
2006-04-24 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/hdb.c (hdb_create): print out what we don't support
* lib/krb5/principal.c: Remove a double free introduced in 1.93
* lib/krb5/log.c (log_file): reset pointer to freed memory
* lib/krb5/keytab_keyfile.c (get_cell_and_realm): reset d->cell to
make sure its not refereced
* tools/krb5-config.in: libhcrypto might depend on libasn1, switch
order
* lib/krb5/recvauth.c: indent
* doc/heimdal.texi: Add Setting up PK-INIT to Detailed Node
Listing.
* lib/krb5/pkinit.c: Pass down realm to pk_verify_host so the
function can verify the certificate is from the right realm.
* lib/krb5/init_creds_pw.c: Pass down realm to
_krb5_pk_rd_pa_reply
2006-04-23 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/pkinit.c (pk_verify_host): Add begining of finding
subjectAltName_otherName pk-init-san and verifing it.
* lib/krb5/sendauth.c: reindent
* doc/Makefile.am: use --no-split to make one large file, mostly
for html
* doc/setup.texi: "document" pkinit_require_eku and
pkinit_require_krbtgt_otherName
* lib/krb5/pkinit.c: Add pkinit_require_eku and
pkinit_require_krbtgt_otherName
* doc/setup.texi: Add text about pk-init
* tools/kdc-log-analyze.pl: count v5 cross realms too
2006-04-22 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/pkinit.c: Adapt to change in hx509_cms_create_signed_1.
* lib/krb5/pkinit.c: Adapt to change in hx509_cms_create_signed_1.
2006-04-20 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/pkinit.c (_kdc_pk_rd_padata): use
hx509_cms_unwrap_ContentInfo.
* kdc/config.c: unbreak
* lib/krb5/pkinit.c: Handle diffrences between libhcrypto and
libcrypto.
* kdc/config.c: Rename pki-chain to pki-pool to match rest of
code.
2006-04-12 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/rd_priv.c: Fix argument to krb5_data_zero.
* kdc/config.c: Added certificate revoke information from
configuration file.
* kdc/pkinit.c: Added certificate revoke information.
* kuser/kinit.c: Added certificate revoke information from
configuration file.
* lib/krb5/pkinit.c (_krb5_pk_load_id): Added certificate revoke
information, ie CRL's
2006-04-10 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/replay.c (krb5_rc_resolve_full): make compile again.
* lib/krb5/keytab_krb4.c (krb4_kt_start_seq_get_int): make compile
again.
* lib/krb5/transited.c (make_path): make sure we return allocated
memory Coverity, NetBSD CID#1892
* lib/krb5/transited.c (make_path): make sure we return allocated
memory Coverity, NetBSD CID#1892
* lib/krb5/rd_req.c (krb5_verify_authenticator_checksum): on
protocol failure, avoid leaking memory Coverity, NetBSD CID#1900
* lib/krb5/principal.c (krb5_parse_name): remember to free realm
in case of error Coverity, NetBSD CID#1883
* lib/krb5/principal.c (krb5_425_conv_principal_ext2): remove
memory leak in case of weird formated dns replys.
Coverity, NetBSD CID#1885
* lib/krb5/replay.c (krb5_rc_resolve_full): don't return pointer
to a allocated krb5_rcache in case of error.
* lib/krb5/log.c (krb5_addlog_dest): free fn in case of error
Coverity, NetBSD CID#1882
* lib/krb5/keytab_krb4.c: Fix deref before NULL check, fix error
handling. Coverity, NetBSD CID#2369
* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
in_creds->client should always be set, assume so.
* lib/krb5/keytab_any.c (any_next_entry): restructure to make it
easier to read Fixes Coverity, NetBSD CID#625
* lib/krb5/crypto.c (krb5_string_to_key_derived): deref after NULL
check. Coverity NetBSD CID#2367
* lib/krb5/build_auth.c (krb5_build_authenticator): use
calloc. removed check that was never really used. Coverity NetBSD
CID#2370
2006-04-09 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/rd_req.c (krb5_verify_ap_req2): make sure `ticket´
points to NULL in case of error, add error handling, use calloc.
* kpasswd/kpasswdd.c (doit): when done, close all fd in the
sockets array and free it. Coverity NetBSD CID#1916
2006-04-08 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/store.c (krb5_ret_principal): fix memory leak Coverity,
NetBSD CID#1695
* kdc/524.c (_kdc_do_524): Handle memory allocation failure
Coverity, NetBSD CID#2752
2006-04-07 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/keytab_file.c (krb5_kt_ret_principal): plug a memory
leak Coverity NetBSD CID#1890
* kdc/hprop.c (main): make sure type doesn't need to be set
* kdc/mit_dump.c (mit_prop_dump): close fd when done processing
Coverity NetBSD CID#1955
* kdc/string2key.c (tokey): catch warnings, free memory after use.
Based on Coverity NetBSD CID#1894
* kdc/hprop.c (main): remove dead code. Coverity NetBSD CID#633
2006-04-04 Love Hörnquist Åstrand <lha@it.su.se>
* kpasswd/kpasswd-generator.c (read_words): catch empty file case,
will cause PBE (division by zero) later. From Tobias Stoeckmann.
2006-04-02 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/keytab.c: Remove a delta from last revision that should
have gone in later.
* lib/krb5/krbhst.c: fix spelling
* lib/krb5/send_to_kdc.c (send_and_recv_http): don't expose freed
pointer, found by IBM checker.
* lib/krb5/rd_cred.c (krb5_rd_cred): don't expose freed pointer,
found by IBM checker.
* lib/krb5/addr_families.c (krb5_make_addrport): clear return
value on error, found by IBM checker.
* kdc/kerberos5.c (check_addresses): treat netbios as no addresses
* kdc/{kerberos4,kaserver}.c: _kdc_check_flags takes hdb_entry_ex
* kdc/kerberos5.c (_kdc_check_flags): make it take hdb_entry_ex to
avoid ?:'s at callers
* lib/krb5/v4_glue.c: Avoid using free memory, found by IBM
checker.
* lib/krb5/transited.c (expand_realm): avoid passing NULL to
strlen, found by IBM checker.
* lib/krb5/rd_cred.c (krb5_rd_cred): avoid a memory leak on malloc
failure, found by IBM checker.
* lib/krb5/krbhst.c (_krb5_krbhost_info_move): replace a strcpy
with a memcpy
* lib/krb5/keytab_keyfile.c (get_cell_and_realm): plug a memory
leak, found by IBM checker.
* lib/krb5/keytab_file.c (fkt_next_entry_int): remove a
dereferencing NULL pointer, found by IBM checker.
* lib/krb5/init_creds_pw.c (init_creds_init_as_req): in AS-REQ the
cname must always be given, don't avoid that fact and remove a
cname == NULL case. Plugs a memory leak found by IBM checker.
* lib/krb5/init_creds_pw.c (default_s2k_func): avoid exposing
free-ed memory on error. Found by IBM checker.
* lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): use
calloc to avoid uninitialized memory problem.
* lib/krb5/data.c (krb5_copy_data): avoid exposing free-ed memory
on error. Found by IBM checker.
* lib/krb5/fcache.c (fcc_gen_new): fix a use after free, found by
IBM checker.
* lib/krb5/config_file.c (krb5_config_vget_strings): IBM checker
thought it found a memory leak, it didn't, but there was another
error in the code, lets fix that instead.
* lib/krb5/cache.c (_krb5_expand_default_cc_name): plug memory
leak. Found by IBM checker.
* lib/krb5/cache.c (_krb5_expand_default_cc_name): avoid return
pointer to freed memory in the error case. Found by IBM checker.
* lib/hdb/keytab.c (hdb_resolve): off by one, found by IBM
checker.
* lib/hdb/keys.c (hdb_generate_key_set): set ret_key_set before
going into the error clause and freeing key_set. Found by IBM
checker. Make sure ret == 0 after of parse error, we catch the
"no entries parsed" case later.
* lib/krb5/log.c (krb5_addlog_dest): make string length match
strings in strcasecmp. Found by IBM checker.
2006-03-30 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/hdb-ldap.c (LDAP_message2entry): in declaration set
variable_name as "hdb_entry_ex"
(hdb_ldap_common): change "arg" in condition (if) to "search_base"
(hdb_ldapi_create): change "serach_base" to "search_base" From
Alex V. Labuta.
* lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit); fix
prototype
* kuser/kinit.c: Add pool of certificates to help certificate path
building for clients sending incomplete path in the signedData.
2006-03-28 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/pkinit.c: Add pool of certificates to help certificate path
building for clients sending incomplete path in the signedData.
* lib/krb5/pkinit.c: Add pool of certificates to help certificate
path building for clients sending incomplete path in the
signedData.
2006-03-27 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/config.c: Allow passing in related certificates used to
build the chain.
* kdc/pkinit.c: Allow passing in related certificates used to
build the chain.
* kdc/kerberos5.c (log_patype): Add case for
KRB5_PADATA_PA_PK_OCSP_RESPONSE.
* tools/Makefile.am: Spelling
* tools/krb5-config.in: Add hx509 when using PK-INIT.
* tools/Makefile.am: Add hx509 when using PK-INIT.
2006-03-26 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/acache.c: Use ticket flags definition, might fix Mac OS
X Kerberos.app problems.
* lib/krb5/krb5_ccapi.h: Add ticket flags definitions
* lib/krb5/pkinit.c: Use less openssl, spell chelling.
* kdc/pkinit.c (pk_mk_pa_reply_dh): encode the DH public key with
asn1 wrapping
* configure.in (AC_CONFIG_FILES): add lib/hx509/Makefile
* lib/Makefile.am: Add hx509.
* lib/krb5/Makefile.am: Add libhx509.la when PKINIT is used.
* configure.in: define automake PKINIT variable
* kdc/pkinit.c: Switch to hx509.
* lib/krb5/pkinit.c: Switch to hx509.
2006-03-24 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/kerberos5.c (log_patypes): log the patypes requested by the
client
2006-03-23 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/pkinit.c (_krb5_pk_rd_pa_reply): pass down the
req_buffer in the w2k case too. From Douglas E. Engert.
2006-03-19 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/mk_req_ext.c (_krb5_mk_req_internal): on failure, goto
error handling. Fixes Coverity NetBSD CID 2591 by catching a
failing krb5_copy_keyblock()
2006-03-17 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/addr_families.c (krb5_free_addresses): reset val,len in
address when free-ing. Fixes Coverity NetBSD bug #2605
(krb5_parse_address): reset val,len before possibly return errors
Fixes Coverity NetBSD bug #2605
2006-03-07 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/send_to_kdc.c (recv_loop): it should never happen, but
make sure nbytes > 0
* lib/krb5/get_for_creds.c (add_addrs): handle the case where
addr->len == 0 and n == 0, then realloc might return NULL.
* lib/krb5/crypto.c (decrypt_*): handle the case where the
plaintext is 0 bytes long, realloc might then return NULL.
2006-02-28 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5_string_to_key.3: Drop krb5_string_to_key_derived.
* lib/krb5/krb5.3: Remove krb5_string_to_key_derived.
* lib/krb5/crypto.c (AES_string_to_key): drop _krb5_PKCS5_PBKDF2
and use PKCS5_PBKDF2_HMAC_SHA1 instead.
* lib/krb5/aes-test.c: reformat, avoid free-ing un-init'd memory
* lib/krb5/aes-test.c: Only use PKCS5_PBKDF2_HMAC_SHA1.
2006-02-27 Johan Danielsson <joda@pdc.kth.se>
* doc/setup.texi: remove cartouches - we don't use them anywhere
else, they should be around the example, not inside it, and
probably shouldn't be used in html at all
2006-02-18 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5_warn.3: Document that applications want to use
krb5_get_error_message, add example.
2006-02-16 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/crypto.c (krb5_generate_random_block): check return
value from RAND_bytes
* lib/krb5/error_string.c: Change indentation, update (c)
2006-02-14 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/pkinit.c: Make struct krb5_dh_moduli available when
compiling w/o pkinit.
2006-02-13 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/pkinit.c: update to new paChecksum definition, update
the dhgroup handling
* kdc/pkinit.c: update to new paChecksum definition, use
hdb_entry_ex
2006-02-09 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5_locl.h: Move Configurable options to last in the
file.
* lib/krb5/krb5_locl.h: Wrap KRB5_ADDRESSLESS_DEFAULT with #ifndef
2006-02-03 Love Hörnquist Åstrand <lha@it.su.se>
* kpasswd/kpasswdd.c: Send back a better error-message to the
client in case the password change was rejected.
* lib/krb5/krb5_warn.3: Document krb5_get_error_message.
* lib/krb5/error_string.c (krb5_get_error_message): new function,
and combination of krb5_get_error_string and krb5_get_err_text
* lib/krb5/krb5.3: sort, and krb5_get_error_message
* lib/hdb/hdb-ldap.c: Log the filter string to the error message
when doing searches.
* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags):
Use KRB5_ADDRESSLESS_DEFAULT when
checking [appdefault]no-addresses.
* lib/krb5/get_cred.c (get_cred_from_kdc_flags): Use
KRB5_ADDRESSLESS_DEFAULT when checking
[appdefault]no-addresses.
* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
Use [appdefault]no-addresses before checking if the krbtgt is
address-less, use KRB5_ADDRESSLESS_DEFAULT.
* lib/krb5/krb5_locl.h: Introduce KRB5_ADDRESSLESS_DEFAULT that
controlls all address-less behavior. Defaults to false.
2006-02-01 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/n-fold-test.c: main is not a KRB5_LIB_FUNCTION
* lib/krb5/mk_priv.c (krb5_mk_priv): abort if ASN1_MALLOC_ENCODE
failes to produce the matching lenghts.
2006-01-27 Love Hörnquist Åstrand <lha@it.su.se>
* kcm/protocol.c (kcm_op_retrieve): remove unused variable
2006-01-15 Love Hörnquist Åstrand <lha@it.su.se>
* tools/krb5-config.in: Move depenency on @LIB_dbopen@ to
kadm-server, kerberos library doesn't depend on db-library.
2006-01-13 Love Hörnquist Åstrand <lha@it.su.se>
* include/Makefile.am: Don't clean crypto headers, they now live
in hcrypto/. Add hcrypto to SUBDIRS.
* include/hcrypto/Makefile.am: clean installed headers
* include/make_crypto.c: include crypto headers from hcrypto/
* include/make_crypto.c: Include more crypto headerfiles. Remove
support for old hash names.
2006-01-02 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/misc.c (_kdc_db_fetch): use calloc to allocate the entry,
from Andrew Bartlet.
* Happy New Year.
Reference in New Issue View Git Blame Copy Permalink