diff options
| author | stas <stas@FreeBSD.org> | 2012-03-22 08:48:42 +0000 |
|---|---|---|
| committer | stas <stas@FreeBSD.org> | 2012-03-22 08:48:42 +0000 |
| commit | e7e0b349883e80d63c4e856f16351aaa6607766d (patch) | |
| tree | 5518cb944fa25f627a797b58451ccf506b720fcf /crypto/heimdal/ChangeLog | |
| parent | e02fd6b8423e63f1fdbfc1f984d7c7291a1bacd1 (diff) | |
| parent | 2db247d3fc10ef5304f61dbd66448efff8cc6684 (diff) | |
| download | FreeBSD-src-e7e0b349883e80d63c4e856f16351aaa6607766d.zip FreeBSD-src-e7e0b349883e80d63c4e856f16351aaa6607766d.tar.gz | |
- Update FreeBSD Heimdal distribution to version 1.5.1. This also brings
several new kerberos related libraries and applications to FreeBSD:
o kgetcred(1) allows one to manually get a ticket for a particular service.
o kf(1) securily forwards ticket to another host through an authenticated
and encrypted stream.
o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1)
and other user kerberos operations. klist and kswitch are just symlinks
to kcc(1) now.
o kswitch(1) allows you to easily switch between kerberos credentials if
you're running KCM.
o hxtool(1) is a certificate management tool to use with PKINIT.
o string2key(1) maps a password into key.
o kdigest(8) is a userland tool to access the KDC's digest interface.
o kimpersonate(8) creates a "fake" ticket for a service.
We also now install manpages for some lirbaries that were not installed
before, libheimntlm and libhx509.
- The new HEIMDAL version no longer supports Kerberos 4. All users are
recommended to switch to Kerberos 5.
- Weak ciphers are now disabled by default. To enable DES support (used
by telnet(8)), use "allow_weak_crypto" option in krb5.conf.
- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings
disabled due to the function they use (krb5_get_err_text(3)) being
deprecated. I plan to work on this next.
- Heimdal's KDC now require sqlite to operate. We use the bundled version
and install it as libheimsqlite. If some other FreeBSD components will
require it in the future we can rename it to libbsdsqlite and use for these
components as well.
- This is not a latest Heimdal version, the new one was released while I was
working on the update. I will update it to 1.5.2 soon, as it fixes some
important bugs and security issues.
Diffstat (limited to 'crypto/heimdal/ChangeLog')
| -rw-r--r-- | crypto/heimdal/ChangeLog | 1417 |
1 files changed, 273 insertions, 1144 deletions
diff --git a/crypto/heimdal/ChangeLog b/crypto/heimdal/ChangeLog index e167b09..125740d 100644 --- a/crypto/heimdal/ChangeLog +++ b/crypto/heimdal/ChangeLog @@ -1,1356 +1,485 @@ -2008-01-24 Love Hörnquist Åstrand <lha@it.su.se> - * Release 1.1 - -2008-01-21 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/get_for_creds.c: Use on variable less. - - * lib/krb5/get_for_creds.c: Try to handle ticket full and - ticketless tickets better. Add doxygen comments while here. - - * lib/krb5/test_forward.c: Used for testing - krb5_get_forwarded_creds(). - - * lib/krb5/Makefile.am: noinst_PROGRAMS += test_forward - - * lib/krb5/Makefile.am: drop CHECK_SYMBOLS - - * lib/hdb/Makefile.am: drop CHECK_SYMBOLS - - * kdc/Makefile.am: drop CHECK_SYMBOLS - -2008-01-18 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/version-script.map: Add krb5_digest_probe. - -2008-01-13 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/pkinit.c: Replace hx509_name_to_der_name with - hx509_name_binary. - -2008-01-12 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/Makefile.am: add missing files - -2007-12-28 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/digest.c: Log probe message, add NTLM_TARGET_DOMAIN to the - type2 message. - -2007-12-14 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/hdb/dbinfo.c: Add hdb_default_db(). - - * Makefile.am: Add some extra cf/*. - -2007-12-12 Love Hörnquist Åstrand <lha@it.su.se> - - * kuser/kgetcred.c: Fix type of name-type. From Andy Polyakov. - -2007-12-09 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/log.c: Use hdb_db_dir(). - - * kpasswd/kpasswdd.c: Use hdb_db_dir(). - -2007-12-08 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/config.c: Use hdb_db_dir(). - - * kdc/kdc_locl.h: add KDC_LOG_FILE - - * kdc/hpropd.c: Use hdb_default_db(). - - * kdc/kstash.c: Use hdb_db_dir(). - - * kdc/pkinit.c: Adapt to hx509 changes, use hdb_db_dir(). - - * lib/krb5/rd_req.c: Document krb5_rd_req_in_set_pac_check. - - * lib/krb5/verify_krb5_conf.c: Check check_pac. - - * lib/krb5/rd_req.c: use KRB5_CTX_F_CHECK_PAC to init check_pac - field in the krb5_rd_req_in_ctx - - * lib/krb5/expand_hostname.c: Adapt to changing - dns_canonicalize_hostname into flags field. - - * lib/krb5/context.c: Adapt to changing dns_canonicalize_hostname - into flags field, add check-pac as an libdefaults option. - - * lib/krb5/pkinit.c: Adapt to changes in hx509 interface. - - * doc: add doxygen documentation to hcrypto - - * doc/doxytmpl.dxy: generate links - -2007-12-07 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/Makefile.am: build_HEADERZ += heim_threads.h - - * lib/hdb/dbinfo.c (hdb_db_dir): Return the directory where the - hdb database resides. - - * configure.in: Add --with-hdbdir to specify where the database is - stored. - - * lib/krb5/crypto.c: revert previous patch, the problem is located - in the RAND_file_name() function that will cause recursive nss - lookups, can't fix that here. - -2007-12-06 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/crypto.c (krb5_generate_random_block): try to avoid the - dead-lock in by not holding the lock while running - RAND_file_name. Prompted by Hai Zaar. - - * lib/krb5/n-fold.c: spelling - -2007-12-04 Love Hörnquist Åstrand <lha@it.su.se> - - * kuser/kdigest.c (digest-probe): implement command. - - * kuser/kdigest-commands.in (digest-probe): new command - - * kdc/digest.c: Implement supportedMechs request. - - * lib/krb5/error_string.c: Make krb5_get_error_string return an - allocated string to make the function indempotent. From - Zeqing (Fred) Xia. - -2007-12-03 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/krb5_locl.h (krb5_context_data): Flag if - default_cc_name was set by the user. - - * lib/krb5/fcache.c (fcc_move): make sure ->version is uptodate. - - * kcm/acquire.c: use krb5_free_cred_contents - - * kuser/kimpersonate.c: use krb5_free_cred_contents - - * kuser/kinit.c: Use krb5_cc_move to make an atomic switch of the - cred cache. - - * lib/krb5/cache.c: Put back code that was needed, move gen_new - into new_unique. - - * lib/krb5/mcache.c (mcc_default_name): Remove const - - * lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME_KCM, redefine - KRB5_DEFAULT_CCNAME to KRB5_DEFAULT_CCTYPE - - * lib/krb5/cache.c: Use krb5_cc_ops->default_name to get the - default name. - - * lib/krb5/kcm.c: Implement krb5_cc_ops->default_name. - - * lib/krb5/mcache.c: Implement krb5_cc_ops->default_name. - - * lib/krb5/fcache.c: Implement krb5_cc_ops->default_name. - - * lib/krb5/krb5.h: Add krb5_cc_ops->default_name. - - * lib/krb5/acache.c: Free context when done, implement - krb5_cc_ops->default_name. - - * lib/krb5/kcm.c: implement dummy kcm_move - - * lib/krb5/mcache.c: Implement the move operation. - - * lib/krb5/version-script.map: export krb5_cc_move - - * lib/krb5/cache.c: New function krb5_cc_move(). - - * lib/krb5/fcache.c: Implement the move operation. - - * lib/krb5/krb5.h: Add move to the krb5_cc_ops, causes major - version bump. - - * lib/krb5/acache.c: Implement the move operation. Avoid using - cc_set_principal() since it broken on Mac OS X 10.5.0. - -2007-12-02 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/krb5_ccapi.h: Drop variable names to avoid -Wshadow. - -2007-11-14 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/krb5tgs.c: Should pass different key usage constants - depending on whether or not optional sub-session key was passed by - the client for the check of authorization data. The constant is - used to derive "specific key" and its values are specified in - 7.5.1 of RFC4120. - - Patch from Andy Polyakov. - - * kdc/krb5tgs.c: Don't send auth data in referrals, microsoft - clients have started to not like that. Thanks to Andy Polyakov for - excellent research. - -2007-11-11 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/creds.c: use krb5_data_cmp - - * lib/krb5/acache.c: use krb5_free_cred_contents - - * lib/krb5/test_renew.c: use krb5_free_cred_contents - -2007-11-10 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/acl.c: doxygen documentation - - * lib/krb5/addr_families.c: doxygen documentation - - * doc: add doxygen - - * lib/krb5/plugin.c: doxygen documentation - - * lib/krb5/kcm.c: doxygen documentation - - * lib/krb5/fcache.c: doxygen documentation - - * lib/krb5/cache.c: doxygen documentations - - * lib/krb5/doxygen.c: doxygen introduction - - * lib/krb5/error_string.c: Doxygen documentation. - -2007-11-03 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/test_plugin.c: expose krb5_plugin_register - - * lib/krb5/plugin.c: expose krb5_plugin_register - - * lib/krb5/version-script.map: sort, expose krb5_plugin_register - -2007-10-24 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/kerberos5.c: Adding same enctype is enough one time. From - Andy Polyakov and Bjorn Sandell. - -2007-10-18 Love <lha@stacken.kth.se> - - * lib/krb5/cache.c (krb5_cc_retrieve_cred): check return value - from krb5_cc_start_seq_get. From Zeqing (Fred) Xia - - * lib/krb5/fcache.c (init_fcc): provide better error codes - - * kdc/kerberos5.c (get_pa_etype_info2): more paranoia, avoid - sending warning about pruned etypes. - - * kdc/kerberos5.c (older_enctype): old windows enctypes (arcfour - based) "old", this to support windows 2000 clients (unjoined to a - domain). From Andy Polyakov. - -2007-10-07 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/setup.texi: Spelling, from Mark Peoples via Bjorn Sandell. - -2007-10-04 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/krb5tgs.c: More prettier printing of enctype, from KAMADA - Ken'ichi. - - * lib/krb5/crypto.c (krb5_enctype_to_string): make sure string is - NULL on failure. - -2007-10-03 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/kdc-replay.c: Catch KRB5_PROG_ATYPE_NOSUPP from - krb5_addr2sockaddr and igore thte test is that case. - -2007-09-29 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/context.c (krb5_free_context): free - default_cc_name_env, from Gunther Deschner. - -2007-08-27 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/{krb5.h,pac.c,test_pac.c,send_to_kdc.c,rd_req.c}: Make - work with c++, reported by Hai Zaar - - * lib/krb5/{digest.c,krb5.h}: Make work with c++, reported by Hai Zaar - -2007-08-20 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/hdb/Makefile.am: EXTRA_DIST += hdb.schema - -2007-07-31 Love Hörnquist Åstrand <lha@it.su.se> - - * check return value of alloc functions, from Charles Longeau - - * lib/krb5/principal.c: spelling. - - * kadmin/kadmin.8: spelling - - * lib/krb5/crypto.c: Check return values from alloc - functions. Prompted by patch of Charles Longeau. - - * lib/krb5/n-fold.c: Make _krb5_n_fold return a error - code. Prompted by patch of Charles Longeau. - -2007-07-27 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/init_creds.c: Always set the ticket options, use - KRB5_ADDRESSLESS_DEFAULT as the default value, this make the unset - tri-state not so useful. - -2007-07-24 Love Hörnquist Åstrand <lha@it.su.se> - - * tools/heimdal-gssapi.pc.in: Add LIB_pkinit to the list of - libraries. - - * tools/heimdal-gssapi.pc.in: pkg-config file for libgssapi in - heimdal. - - * tools/Makefile.am: Add heimdal-gssapi.pc and install it into - $(libdir)/pkgconfig - -2007-07-23 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/pkinit.c: Add RFC3526 modp group14 as a default. - -2007-07-22 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/hdb/dbinfo.c (get_dbinfo): use dbname instead of realm as - key if the entry is a correct entry. - - * lib/krb5/get_cred.c: Make krb5_get_renewed_creds work, from - Gunther Deschner. - - * lib/krb5/Makefile.am: Add test_renew to noinst_PROGRAMS. - - * lib/krb5/test_renew.c: Test for krb5_get_renewed_creds. - -2007-07-21 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/hdb/keys.c: Make parse_key_set handle key set string "v5", - from Peter Meinecke. - - * kdc/kaserver.c: Don't ovewrite the error code, from Peter - Meinecke. - -2007-07-18 Love Hörnquist Åstrand <lha@it.su.se> - - * TODO-1.0: remove - - * Makefile.am: remove TODO-1.0 - -2007-07-17 Love Hörnquist Åstrand <lha@it.su.se> - - * Heimdal 1.0 release branch cut here - - * doc/hx509.texi: use version.texi - - * doc/heimdal.texi: use version.texi - - * doc/version.texi: version.texi - - * lib/hdb/db3.c: avoid type-punned pointer warning. - - * kdc/kx509.c: Use unsigned char * as argument to HMAC_Update to - please OpenSSL and gcc. - - * kdc/digest.c: Use unsigned char * as argument to MD5_Update to - please OpenSSL and gcc. - -2007-07-16 Love Hörnquist Åstrand <lha@it.su.se> - - * include/Makefile.am: Add krb_err.h. - - * kdc/set_dbinfo.c: Print acl file too. - - * kdc/kerberos4.c: Error codes are just fine, remove XXX now. - - * lib/krb5/krb5-v4compat.h: Drop duplicate error codes. - - * kdc/kerberos4.c: switch to ET errors. - - * lib/krb5/Makefile.am: Add krb_err.h to build_HEADERZ. - - * lib/krb5/v4_glue.c: If its a Kerberos 4 error-code, remove the - et BASE. - -2007-07-15 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/krb5-v4compat.h: Include "krb_err.h". - - * lib/krb5/v4_glue.c: return more interesting error codes. - - * lib/krb5/plugin.c: Prefix enum plugin_type. - - * lib/krb5/krb5_locl.h: Expose plugin structures. - - * lib/krb5/krb5.h: Add plugin structures. - - * lib/krb5/krb_err.et: V4 errors. - - * lib/krb5/version-script.map: First version of version script. - -2007-07-13 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/kerberos5.c: Java 1.6 expects the name to be the same type, - lets allow that for uncomplicated name-types. - -2007-07-12 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/v4_glue.c (_krb5_krb_rd_req): if ticket contains - address 0, its ticket less and don't really care about - from_addr. return better error codes. - - * kpasswd/kpasswdd.c: Fix pointer vs strict alias rules. - -2007-07-11 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/hdb/hdb-ldap.c: When using sambaNTPassword, avoid adding - more then one enctype 23 to krb5EncryptionType. - - * lib/krb5/cache.c: Spelling. - - * kdc/kerberos5.c: Don't send newer enctypes in ETYPE-INFO. - (get_pa_etype_info2): return the enctypes as sorted in the - database - -2007-07-10 Love Hörnquist Åstrand <lha@it.su.se> - - * kuser/kinit.c: krb5-v4compat.h defines prototypes for - v4 (semiprivate functions) in libkrb5, don't include - krb5-private.h any longer. - - * lib/krb5/krbhst.c: Set error string when there is no KDC for a - realm. - - * lib/krb5/Makefile.am: New library version. - - * kdc/Makefile.am: New library version. - - * lib/krb5/krb5_locl.h: Add default_cc_name_env. - - * lib/krb5/cache.c (enviroment_changed): return non-zero if - enviroment that will determine default krb5cc name has changed. - (krb5_cc_default_name): also check if cached value is uptodate. - - * lib/krb5/krb5_locl.h: Drop pkinit_flags. - -2007-07-05 Love Hörnquist Åstrand <lha@it.su.se> - - * configure.in: add tests/java/Makefile - - * lib/hdb/dbinfo.c: Add hdb_dbinfo_get_log_file. - -2007-07-04 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/kerberos5.c: Improve the default salt detection to avoid - returning v4 password salting to java that doesn't look at the - returning padata for salting. - - * kdc: Split out krb5_kdc_set_dbinfo, From Andrew Bartlett - -2007-07-02 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/digest.c: Try harder to provide better error message for - digest messages. - - * lib/krb5/Makefile.am: verify_krb5_conf_OBJECTS depends on - krb5-pr*.h, make -j finds this. +We stop writing change logs, see the source code version control systems history log instead -2007-06-28 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/digest.c: On success, print username, not ip-adress. - -2007-06-26 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/get_cred.c: Add krb5_get_renewed_creds. +2008-07-28 Love Hornquist Astrand <lha@h5l.org> - * lib/krb5/krb5_get_credentials.3: add krb5_get_renewed_creds - - * lib/krb5/pkinit.c: Use hx509_cms_unwrap_ContentInfo. + * lib/krb5/v4_glue.c: The "kaserver" part of Heimdal occasionally + issues invalid AFS tokens + (here "occasionally" means for certain users in certain realms). -2007-06-25 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/setup.texi: Add example for pkinit_win2k_require_binding - in [kdc] section. - - * kdc/default_config.c: Rename require_binding to - win2k_require_binding to match client configuration. - - * kdc/default_config.c: Add [kdc]pkinit_require_binding option. - - * kdc/pkinit.c (pk_mk_pa_reply_enckey): only allow non-bound reply - if its not required. - - * kdc/default_config.c: rename pkinit_princ_in_cert and add - pkinit_require_binding - - * kdc/kdc.h: rename pkinit_princ_in_cert and add - pkinit_require_binding - - * kdc/pkinit.c: rename pkinit_princ_in_cert - -2007-06-24 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/pkinit.c: Adapt to hx509_verify_hostname change. - -2007-06-21 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/krb5tgs.c: Drop unused variable. - - * kdc/krb5tgs.c: disable anonyous tgs requests - - * kdc/krb5tgs.c: Don't check PAC on cross realm for now. - - * kuser/kgetcred.c: Set KRB5_GC_CONSTRAINED_DELEGATION and parse - nametypes. - - * lib/krb5/krb5_principal.3: Document krb5_parse_nametype. - - * lib/krb5/principal.c (krb5_parse_nametype): parse nametype and - return their integer values. - - * lib/krb5/krb5.h (krb5_get_creds): Add - KRB5_GC_CONSTRAINED_DELEGATION. - - * lib/krb5/get_cred.c (krb5_get_creds): if - KRB5_GC_CONSTRAINED_DELEGATION is set, set both request_anonymous - and constrained_delegation. - -2007-06-20 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/digest.c: Return an error message instead of dropping the - packet for more failure cases. - - * lib/krb5/krb5_principal.3: Add KRB5_PRINCIPAL_UNPARSE_DISPLAY. - - * appl/gssmask/gssmask.c (AcquirePKInitCreds): fail more - gracefully - -2007-06-18 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/pac.c: make compile. - - * lib/krb5/pac.c (verify_checksum): memset cksum to avoid using - pointer from stack. - - * lib/krb5/plugin.c: Don't expose free pointer. - - * lib/krb5/pkinit.c (_krb5_pk_load_id): fail directoy for first - calloc. + In lib/krb5/v4_glue.c, in the routine storage_to_etext the ticket + is padded to a multiple of 8 bytes. If it is already a multiple of + 8 bytes, 8 additional 0-bytes are added. - * lib/krb5/pkinit.c (get_reply_key*): don't expose freed memory - - * lib/krb5/krbhst.c: Host is static memory, don't free. - - * lib/krb5/crypto.c (decrypt_internal_derived): make sure length - is longer then confounder + checksum. - - * kdc: export get_dbinfo as krb5_kdc_set_dbinfo and call from - users. This to allows libkdc users to to specify their own - databases - - * lib/krb5/pkinit.c (pk_rd_pa_reply_enckey): simplify handling of - content data (and avoid leaking memory). - - * kdc/misc.c (_kdc_db_fetch): set error string for failures. + This catches the AFS krb4 ticket decoder by surprise: unless the + ticket is exactly 56 bytes, it only supports the minimum necessary + padding. It detects the superfluous padding by comparing the + ticket length decoded to the advertised ticket length. -2007-06-15 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/pkinit.c: Use KRB5_AUTHDATA_INITIAL_VERIFIED_CAS. - -2007-06-13 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/pkinit.c: tell user when they got a pk-init request with - pkinit disabled. - -2007-06-12 Love Hörnquist Åstrand <lha@it.su.se> + Hence a 7-letter userid in "cern.ch" which resulted in a ticket of + 40 bytes, got "padded" to 48 bytes which the rxkad decoder + rejected. - * lib/krb5/principal.c: Rename UNPARSE_NO_QUOTE to - UNPARSE_DISPLAY. - - * lib/krb5/krb5.h: Rename UNPARSE_NO_QUOTE to UNPARSE_DISPLAY. + From Rainer Toebbicke. - * lib/krb5/principal.c: Make no-quote mean replace strange chars - with space. +2008-07-25 Love Hörnquist Ã…strand <lha@h5l.org> - * lib/krb5/principal.c: Support KRB5_PRINCIPAL_UNPARSE_NO_QUOTE. + * kuser/kinit.c: add --ok-as-delegate and --windows flags - * lib/krb5/krb5.h: Add KRB5_PRINCIPAL_UNPARSE_NO_QUOTE. + * kpasswd/kpasswd-generator.c: Switch to krb5_set_password. - * lib/krb5/test_princ.c: Test quoteing. + * kuser/kinit.c: Use krb5_cc_set_config. - * lib/krb5/pkinit.c: update (c) - - * lib/krb5/get_cred.c: use krb5_sendto_context to talk to the KDC. + * lib/krb5/cache.c: Add krb5_cc_[gs]et_config. - * lib/krb5/send_to_kdc.c (_krb5_kdc_retry): check if the whole - process needs to restart or just skip this KDC. +2008-07-22 Love Hörnquist Ã…strand <lha@h5l.org> - * lib/krb5/init_creds_pw.c: Use krb5_sendto_context to talk to - KDC. + * lib/krb5/crypto.c: Allow numbers to be enctypes to as long as + they are valid. - * lib/krb5/krb5.h: Add sendto hooks and opaque structure. +2008-07-17 Love Hörnquist Ã…strand <lha@h5l.org> - * lib/krb5/krb5_rd_error.3: Update prototype. + * lib/hdb/version-script.map: some random bits needed for libkadm - * lib/krb5/send_to_kdc.c: Add hooks for processing the reply from - the server. - -2007-06-11 Love Hörnquist Åstrand <lha@it.su.se> +2008-07-15 Love Hörnquist Ã…strand <lha@h5l.org> - * lib/krb5/krb5_err.et: Some new error codes from RFC 4120. + * lib/krb5/send_to_kdc_plugin.h: add name for send_to_kdc plugin. -2007-06-09 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/krb5tgs.c: Constify. - - * kdc/kerberos5.c: Constify. - - * kdc/pkinit.c: Check for KRB5-PADATA-PK-AS-09-BINDING. Constify. + * lib/krb5/krbhst.c: handle KRB5_PLUGIN_NO_HANDLE for lookup + plugin. -2007-06-08 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/send_to_kdc.c: Add support for the send_to_kdc plugin + interface. - * include/Makefile.am: Make krb5-types.h nodist_include_HEADERS. - - * kdc/Makefile.am: EXTRA_DIST += version-script.map. - -2007-06-07 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/Makefile.am: add send_to_kdc_plugin.h - * Makefile.am (print-distdir): print name of dist - - * kdc/pkinit.c: Break out loading of mappings file to a separate - function and remove warning that it can't open the mapping file, - there are now mappings in the db, maybe the users uses that - instead... + * lib/krb5/krb5_err.et: add plugin error codes - * lib/krb5/crypto.c: Require the raw key have the correct size and - do away with the minsize. Minsize was a thing that originated - from RC2, but since RC2 is done in the x509/cms subsystem now - there is no need to keep that around. +2008-07-14 Love Hornquist Astrand <lha@kth.se> - * lib/hdb/dbinfo.c: If there is no default dbname, also check for - unset mkey_file and set it default mkey name, make backward compat - stuff work. + * lib/hdb/Makefile.am: EXTRA_DIST += version-script.map - * kdc/version-script.map: add new symbols +2008-07-14 Love Hornquist Astrand <lha@kth.se> - * kdc/kdc-replay.c: Also update krb5_context view of what the time - is. + * lib/krb5/krb5_{address,ccache}.3: spelling, from openbsd via janne + johansson - * configure.in: add tests/can/Makefile +2008-07-13 Love Hörnquist Ã…strand <lha@kth.se> - * kdc/kdc-replay.c: Add --[version|help]. + * lib/krb5/version-script.map: add krb5_free_error_message - * kdc/pkinit.c: Push down the kdc time into the x509 library. +2008-06-21 Love Hörnquist Ã…strand <lha@kth.se> - * kdc/connect.c: Move up krb5_kdc_save_request so we can catch the - reply data too. + * lib/krb5/init_creds_pw.c: switch to krb5_set_password(). - * kdc/kdc-replay.c: verify reply by checking asn1 class, type and - tag of the reply if there is one. +2008-06-18 Love Hörnquist Ã…strand <lha@kth.se> - * kdc/process.c: Save asn1 class, type and tag of the reply if - there is one. Used to verify the reply in kdc-replay. + * lib/krb5/time.c (krb5_set_real_time): handle negative usec -2007-06-06 Love Hörnquist Åstrand <lha@it.su.se> +2008-05-31 Love Hörnquist Ã…strand <lha@kth.se> - * kdc/kdc_locl.h: extern for request_log. + * lib/krb5/krb5_locl.h: Add <wind.h> - * kdc/Makefile.am: Add kdc-replay. + * lib/krb5/crypto.c: Use wind_utf8ucs2_length to convert the password to utf16. - * kdc/kdc-replay.c: Replay kdc messages to the KDC library. +2008-05-30 Love Hörnquist Ã…strand <lha@kth.se> - * kdc/config.c: Pick up request_log from [kdc]kdc-request-log. + * lib/krb5/kcm.c: Add back krb5_kcmcache argument to try_door(). - * kdc/connect.c: Option to save the request to disk. +2008-05-27 Love Hörnquist Ã…strand <lha@kth.se> - * kdc/process.c (krb5_kdc_save_request): save request to file. - - * kdc/process.c (krb5_kdc_process*): dont update _kdc_time - automagicly. - (krb5_kdc_update_time): set or get current kdc-time. - - * kdc/pkinit.c (_kdc_pk_rd_padata): accept both pkcs-7 and - pkauthdata as the signeddata oid + * lib/krb5/error_string.c (krb5_free_error_message): constify - * kdc/pkinit.c (_kdc_pk_rd_padata): Try to log what went wrong. + * lib/krb5/error_string.c: Add krb5_get_error_message(). -2007-06-05 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/pkinit.c: Use oid_id_pkcs7_data for pkinit-9 encKey reply to - match windows DC behavior better. - -2007-06-04 Love Hörnquist Åstrand <lha@it.su.se> - - * configure.in: use test for -framework Security - - * appl/test/uu_server.c: Print status to stdout. - - * kdc/digest.c (digest ntlm): provide log entires by setting ret - to an error. + * lib/krb5/doxygen.c: krb5_cc_new_unique() is name of the creation + function. -2007-06-03 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/hx509.texi: Indent crl-sign. +2008-04-30 Love Hörnquist Ã…strand <lha@it.su.se> - * doc/hx509.texi: One more crl-sign example. + * lib/hdb/hdb-ldap.c: Use the _ext api for OpenLDAP, from Honza + Machacek (gentoo). - * lib/krb5/test_princ.c: plug memory leaks. +2008-04-28 Love Hörnquist Ã…strand <lha@it.su.se> - * lib/krb5/pac.c: plug memory leaks. + * lib/krb5/crypto.c: Use DES_set_key_unchecked(). - * lib/krb5/test_pac.c: plug memory leaks. + * lib/krb5/krb5.conf.5: Document default_cc_type. - * lib/krb5/test_prf.c: plug memory leak. + * lib/krb5/cache.c: Pick up [libdefaults]default_cc_type - * lib/krb5/test_cc.c: plug memory leaks. - - * doc/hx509.texi: Simple blob about publishing CRLs. - - * doc/win2k.texi: drop text about enctypes. +2008-04-27 Love Hörnquist Ã…strand <lha@it.su.se> -2007-06-02 Love Hörnquist Åstrand <lha@it.su.se> + * kdc/kaserver.c: Use DES_set_key_unchecked(). - * kdc/pkinit.c: In case of OCSP verification failure, referash - every 5 min. In case of success, refreash 2 min before expiring or - faster. - -2007-05-31 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/krb5_err.et: add error 68, WRONG_REALM +2008-04-21 Love Hörnquist Ã…strand <lha@it.su.se> - * kdc/pkinit.c: Handle the ms san in a propper way, still cheat - with the realm name. + * doc/hx509.texi: About the pkcs11 module. - * kdc/kerberos5.c: If _kdc_pk_check_client failes, bail out - directly and hand the error back to the client. + * doc/hx509.texi: Pick up version from vars.texi - * lib/krb5/krb5_err.et: Add missing REVOCATION_STATUS_UNAVAILABLE - and fix error message for CLIENT_NAME_MISMATCH. + * doc/hx509.texi: No MIT code in hx509. - * kdc/pkinit.c: More logging for pk-init client mismatch. + * hx509 now includes a pkcs11 implementation. - * kdc/kerberos5.c: Also add a KRB5_PADATA_PK_AS_REQ_WIN for - windows pk-init (-9) to make MIT clients happy. - -2007-05-30 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/pkinit.c: Force des3 for win2k. +2008-04-20 Love Hörnquist Ã…strand <lha@it.su.se> - * kdc/pkinit.c: Add wrapping to ContentInfo wrapping to - COMPAT_WIN2K. + * lib/hdb/Makefile.am: Move OpenLDAP includes to AM_CPPFLAGS to + avoid dropping other defines for the library. - * lib/krb5/keytab_keyfile.c: Spelling. +2008-04-17 Love Hörnquist Ã…strand <lha@it.su.se> - * kdc/pkinit.c: Allow matching by MS UPN SAN, note that this delta - doesn't deal with case of realm. - -2007-05-16 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/crypto.c (krb5_crypto_overhead): return static overhead - of encryption. - -2007-05-10 Dave Love <fx@gnu.org> - - * doc/win2k.texi: Update some URLs. - -2007-05-13 Love Hörnquist Åstrand <lha@it.su.se> - - * kuser/kimpersonate.c: Fix version number of ticket, it should be - 5 not the kvno. - -2007-05-08 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/setup.texi: Salting is really Encryption types and salting. - -2007-05-07 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/setup.texi: spelling, from Ronny Blomme - - * doc/win2k.texi: Fix ksetup /SetComputerPassword, from Ronny - Blomme - -2007-05-02 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5: add __declspec() for windows. - * lib/hdb/dbinfo.c (hdb_get_dbinfo) If there are no database - specified, create one and let it use the defaults. + * configure.in: Update rk_WIN32_EXPORT, add gssapi to + rk_WIN32_EXPORT. -2007-04-27 Love Hörnquist Åstrand <lha@it.su.se> + * configure.in: Lets try dependency tracking for automake 1.10 and + later. - * lib/hdb/test_dbinfo.c: test acl file + * configure.in: Use at least libtool-2.2. - * lib/hdb/test_dbinfo.c: test acl file + * configure.in: Use LT_INIT the right way. - * lib/hdb/dbinfo.c: add acl file + * lib/krb5/Makefile.am: Update make-proto usage. - * etc: ignore Makefile.in + * configure.in: Run autoupdate, use LT_INIT(). - * Makefile.am: SUBDIRS += etc +2008-04-15 Love Hörnquist Ã…strand <lha@it.su.se> - * configure.in: Add etc/Makefile. + * lib/krb5/test_forward.c: Don't print krb5_error_code since we + are using krb5_err(). - * etc/Makefile.am: make sure services.append is distributed + * lib/krb5/ticket.c: Cast krb5_error_code to int to avoid warning. -2007-04-24 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/scache.c: Cast krb5_error_code to int to avoid warning. - * kdc: rename windc_init to krb5_kdc_windc_init + * lib/krb5/principal.c: Cast enum to int to avoid warning. - * kdc/version-script.map: version script for libkdc - - * kdc/Makefile.am: version script for libkdc - -2007-04-23 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/pkinit.c: Cast krb5_error_code to int to avoid warning. - * lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error): - correct the order of the arguments. + * lib/krb5/pac.c: Cast size_t to unsigned long to avoid warning. - * lib/hdb/Makefile.am: Add and test dbinfo. + * lib/krb5/error_string.c: Cast krb5_error_code to int to avoid + warning. - * lib/hdb/hdb.h: Forward declaration for struct hdb_dbinfo; + * lib/krb5/keytab_keyfile.c: Make num_entries an uint32 to avoid + negative numbers and type warnings. - * kdc/config.c: Use krb5_kdc_get_config and just fill in what the - users wanted differently. + * lib/krb5: cc_get_version returns an int, update. - * kdc/default_config.c: Make the default configuration fetch info - from the krb5.conf. - -2007-04-22 Love Hörnquist Åstrand <lha@it.su.se> +2008-04-10 Love Hörnquist Ã…strand <lha@it.su.se> - * lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to - determine if to send the session-key, for the second place in the - function. + * configure.in: Check for <asl.h>. - * tools/krb5-config.in: rename des to hcrypto +2008-04-09 Love Hörnquist Ã…strand <lha@it.su.se> - * kuser/Makefile.am: depend on libheimntlm + * lib/krb5/version-script.map: sort and export _krb5_pk_kdf - * kuser/kinit.c: Add --ntlm-domain that store the ntlm cred for - this domain if the Kerberos password auth worked. + * lib/krb5/crypto.c: Check kdf params. calculate the second half + of the key. - * kuser/klist.c: add new option --hidden that doesn't display - principal that starts with @ + * lib/krb5/Makefile.am: Add test_pknistkdf - * tools/krb5-config.in: Add heimntlm when we use gssapi. + * lib/krb5/test_pknistkdf.c: Test the new pkinit nist kdf. - * lib/krb5/krb5_ccache.3 (krb5_cc_retrieve_cred): document what to - free 'cred' with. + * lib/krb5/crypto.c: Complete _krb5_pk_kdf. - * lib/krb5/cache.c (krb5_cc_retrieve_cred): document what to free - 'cred' with. + * lib/krb5/crypto.c: First version of KDF in + draft-ietf-krb-wg-pkinit-alg-agility-03.txt. -2007-04-21 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to - determine if to send the session-key. +2008-04-08 Love Hörnquist Ã…strand <lha@it.su.se> - * kcm/client.c (kcm_ccache_new_client): make root be able to pass - the name constraints, not the opposite. From Bryan Jacobs. + * doc/setup.texi: Add text about smbk5pwd overlay from Buchan + Milne. -2007-04-20 Love Hörnquist Åstrand <lha@it.su.se> - - * kcm/acl.c: make compile again. + * lib/krb5/krb5_locl.h: Name the pkinit type enum. - * kcm/client.c: fix warning. - - * kcm: First, it allows root to ignore the naming conventions. - Second, it allows root to always perform any operation on any - ccache. Note that root could do this anyway with FILE ccaches. - From Bryan Jacobs. + * kdc/pkinit.c: Rename constants to match global header. - * Rename libdes to libhcrypto. + * lib/krb5/pkinit.c: Drop krb5_pk_identity and rename constants to + match global header. -2007-04-19 Love Hörnquist Åstrand <lha@it.su.se> + * kdc/pkinit.c: Pick up krb5_pk_identity from krb5_locl.h. - * kinit: remove code that depend on kerberos 4 library - - * kdc: remove code that depend on kerberos 4 library + * lib/krb5/scache.c (scc_alloc): %x is unsigned int. - * configure.in: Drop kerberos 4 support. - - * kdc/hpropd.c (main): free the message when done with it. +2008-04-07 Love Hörnquist Ã…strand <lha@it.su.se> - * lib/krb5/pkinit.c (_krb5_get_init_creds_opt_free_pkinit): - remember to free memory too. + * lib/krb5/version-script.map: Sort and add krb5_cc_switch. - * lib/krb5/pkinit.c (pk_rd_pa_reply_dh): free content-type when - done. + * lib/krb5/acache.c: Use unsigned where appropriate. - * configure.in: test rk_VERSIONSCRIPT - -2007-04-18 Love Hörnquist Åstrand <lha@it.su.se> - - * fix-export: remove, all done by make dist now + * kcm/glue.c: Adapt to chenge to krb5_cc_ops. -2007-04-15 Love Hörnquist Åstrand <lha@it.su.se> + * kcm/acl.c: Add missing op. - * lib/krb5/krb5_get_credentials.3: spelling, from Jason McIntyre + * kdc/connect.c: Use unsigned where appropriate. -2007-04-11 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/n-fold.c: Use size_t where appropriate. - * kdc/kstash.8: Spelling, from raga <raga@comcast.net> - via Bjorn Sandell. + * lib/krb5/get_addrs.c: Use unsigned where appropriate. - * lib/krb5/store_mem.c: indent. + * lib/krb5/crypto.c: Use unsigned where appropriate. - * lib/krb5/recvauth.c: Set error string. + * lib/krb5/crc.c: Use unsigned where appropriate. - * lib/krb5/rd_req.c: clear error strings. + * lib/krb5/changepw.c: simplify - * lib/krb5/rd_cred.c: clear error string. + * lib/krb5/copy_host_realm.c: simplify - * lib/krb5/pkinit.c: Set error strings. + * kuser/kswitch.c: Implement --principal. - * lib/krb5/get_cred.c: Tell what principal we are not finding for - all KRB5_CC_NOTFOUND. - -2007-02-22 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/kerberos5.c: Return the same error codes as a windows KDC. +2008-04-05 Love Hörnquist Ã…strand <lha@it.su.se> - * kuser/kinit.c: KRB5KDC_ERR_PREAUTH_FAILED is also a password - failed. - - * kdc/kerberos5.c: Make handling of replying e_data more generic, - from metze. + * lib/krb5/cache.c: allow returning the default cc-type. - * kdc/kerberos5.c: Fix (string const and shadow) warnings, from - metze. + * kuser/kswitch.c: Enable switching between existing caches. - * lib/krb5/pac.c: Create the PAC element in the same order as - w2k3, maybe there's some broken code in windows which relies on - this... From metze. + * lib/krb5/cache.c: Add krb5_cc_switch, to set the default + credential cache. - * kdc/kerberos5.c: Select a session enctype from the list of the - crypto systems supported enctype, is supported by the client and - is one of the enctype of the enctype of the krbtgt. - - The later is used as a hint what enctype all KDC are supporting to - make sure a newer version of KDC wont generate a session enctype - that and older version of a KDC in the same realm can't decrypt. - - But if the KDC admin is paranoid and doesn't want to have "no the - best" enctypes on the krbtgt, lets save the best pick from the - client list and hope that that will work for any other KDCs. - - Reported by metze. + * lib/krb5/acache.c: Implement set_default. - * kdc/hprop.c (propagate_database): on any failure, drop the - connection to the peer and try next one. - -2007-02-18 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/krb5.h: Extend krb5_cc_ops and add set_default to set + the default cc name for a credential type. - * lib/krb5/krb5_get_init_creds.3: document new options. +2008-04-04 Love Hörnquist Ã…strand <lha@it.su.se> - * kdc/krb5tgs.c: Only check service key for cross realm PACs. + * lib/krb5/test_cc.c: test remove - * lib/krb5/init_creds.c: use the new merged flags field. - (krb5_get_init_creds_opt_set_win2k): new function, turn on all w2k - compat flags. + * lib/krb5/fcache.c: Make the remove cred slight more atomic, now + it might lose creds, but there will be no empty cache at any time. - * lib/krb5/init_creds_pw.c: use the new merged flags field. + * lib/krb5/scache.c: Do credential iteration by temporary table. - * lib/krb5/krb5_locl.h: merge all flags into one entity - -2007-02-11 Dave Love <fx@gnu.org> - - * lib/krb5/krb5_aname_to_localname.3: Small fixes - - * lib/krb5/krb5_digest.3: Small fixes - - * kuser/kimpersonate.1: Small fixes +2008-04-02 Love Hörnquist Ã…strand <lha@it.su.se> -2007-02-17 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/acache.c: Translate ccErrInvalidCCache. - * lib/krb5/init_creds_pw.c (find_pa_data): if there is no list, - there is no entry. + * lib/krb5/scache.c: implemetation of a sqlite3 backed credential + cache. - * kdc/krb5tgs.c: Don't check PACs on cross realm requests. + * lib/krb5/test_cc.c: test acc and scc - * lib/krb5/krb5.h: add KRB5_KU_CANONICALIZED_NAMES. + * lib/krb5/acache.c: Only release context if its in use. - * lib/krb5/init_creds_pw.c: Verify client referral data. +2008-04-01 Love Hörnquist Ã…strand <lha@it.su.se> - * kdc/kerberos5.c: switch some "return ret" to "goto out". - - * kdc/kerberos5.c: Pass down canonicalize request to hdb layer, - sign client referrals. - - * lib/hdb/hdb.h: Add HDB_F_CANON. + * doc/setup.texi: No patching of OpenLDAP is needed, from Buchan + Milne. - * lib/hdb: add simple alias support to the database backends +2008-03-30 Love Hörnquist Ã…strand <lha@it.su.se> -2007-02-16 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/Makefile.am: Add scache. - * kuser/kinit.c: Add canonicalize flag. + * lib/krb5/scache.c: initial implementation - * lib/krb5/init_creds_pw.c: Use EXTRACT_TICKET_* flags, support - canonicalize. + * lib/Makefile.am: sqlite - * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_canonicalize): - new function. - - * lib/krb5/get_cred.c: Use EXTRACT_TICKET_* flags. + * configure.in: lib/sqlite/Makefile - * lib/krb5/get_in_tkt.c: Use EXTRACT_TICKET_* flags. +2008-03-26 Love Hörnquist Ã…strand <lha@it.su.se> - * lib/krb5/krb5_locl.h: Add EXTRACT_TICKET_* flags. - -2007-02-15 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/fcache.c: Make the storing credential an atomic + write(2) to avoid signal races, bug traced by Harald Barth and Lars + Malinowsky. - * lib/krb5/test_princ.c: test parsing enterprise-names. +2008-03-25 Love Hörnquist Ã…strand <lha@it.su.se> - * lib/krb5/principal.c: Add support for parsing enterprise-names. + * lib/krb5/fcache.c: Make erase_file() do locking too. - * lib/krb5/krb5.h: Add KRB5_PRINCIPAL_PARSE_ENTERPRISE. + * kcm/protocol.c: Make work when moving to a non-existant + cred-cache. - * lib/hdb/hdb-ldap.c: Make work again. + * lib/krb5/test_cc.c: more verbose info. -2007-02-11 Dave Love <fx@gnu.org> - - * kcm/client.c (kcm_ccache_new_client): Cast snprintf'ed value. + * lib/krb5/test_cc.c: test krb5_cc_move(). -2007-02-10 Love Hörnquist Åstrand <lha@it.su.se> +2008-03-23 Love Hörnquist Ã…strand <lha@it.su.se> - * doc/setup.texi: prune trailing space - - * lib/hdb/db.c: Be better at setting and clearing error string. - - * lib/hdb/hdb.c: Be better at setting and clearing error string. - -2007-02-09 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/keytab.c (krb5_kt_get_entry): Use krb5_kt_get_full_name - to print out the keytab name. + * lib/krb5/get_cred.c: Try both kdc server referral and the old + client chasing mode. - * doc/setup.texi: Spelling, from Guido Guenther - -2007-02-08 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/get_cred.c: Don't do canonicalize by default, make + add_cred() sane, make loop detection in credential fetching + better. - * lib/krb5/rd_cred.c: Plug memory leak, from Michael B Allen. + * lib/krb5/krb5_locl.h: Add flag EXTRACT_TICKET_AS_REQ. -2007-02-06 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/init_creds_pw.c: Tell _krb5_extract_ticket that this is + an AS-REQ. - * lib/krb5/test_store.c (test_uint16): unsigned ints can't be - negative + * lib/krb5/get_in_tkt.c: Make server referral work. -2007-02-03 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/pkinit.c: pass extra flags for detached signatures. - - * lib/krb5/pkinit.c: pass extra flags for detached signatures. - - * kdc/digest.c: Remove debug output. - - * kuser/kdigest.c: Add support for ms-chap-v2 client. +2008-03-22 Love Hörnquist Ã…strand <lha@it.su.se> -2007-02-02 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/digest.c: Fix ms-chap-v2 get_masterkey - - * kdc/digest.c: Fix ms-chap-v2 mutual response auth code. + * lib/krb5/get_in_tkt.c: check no server referral, don't use + stringent length tests since encryption layer does padding for + us... - * kuser/kdigest.c: Print session key if there is one. + * kdc/kerberos5.c: Match name in ClientCanonicalizedNames with -10 - * lib/krb5/digest.c: rename hash-a1 to session key + * lib/krb5/principal.c (_krb5_principal_compare_PrincipalName): + new function to compare a principal to a PrincipalName. - * kdc/digest.c: Add get_master from RFC 3079 3.4 for MS-CHAP-V2 + * lib/krb5/init_creds_pw.c: Move client referral checking to + _krb5_extract_ticket(). - * kuser/kdigest.c: print rsp if there is one, from Klas. + * lib/krb5/get_in_tkt.c: More bits for server referral. - * kdc/digest.c: Use right size, from Klas Lindfors. + * lib/krb5/get_in_tkt.c: Make working with client referrals. - * kuser/kdigest.c: Set client nonce if avaible, from Klas. + * lib/krb5/get_cred.c: Try moving referrals checking into + _krb5_extract_ticket(). - * kdc/digest.c: First version from kllin. + * lib/krb5/get_in_tkt.c: Try moving referrals checking into + _krb5_extract_ticket(). - * kuser/kdigest.c: Don't restrict the type. +2008-03-21 Love Hörnquist Ã…strand <lha@it.su.se> -2007-02-01 Love Hörnquist Åstrand <lha@it.su.se> - - * kuser/kdigest-commands.in: add --client-response - - * kuser/kdigest.c: Print status instead of response. - - * kdc/digest.c: Better logging and return status = FALSE when - checksum doesn't match. - - * kdc/digest.c: Check the digest response in the KDC. - - * lib/krb5/digest.c: New functions to send in requestResponse to - KDC and get status of the request. - - * kdc/digest.c: Add support for MS-CHAP v2. + * kdc/krb5tgs.c: Send SERVER-REFERRAL data in rep.padata instead + of auth_data in ticket. - * lib/hdb/hdb-ldap.c: Set hdb->hdb_db for ldap. - -2007-01-31 Love Hörnquist Åstrand <lha@it.su.se> - - * fix-export: Make hx509.info too +2008-03-20 Love Hörnquist Ã…strand <lha@it.su.se> - * kdc/digest.c: don't verify identifier in CHAP, its the client - that chooses it. + * lib/krb5/init_creds_pw.c: remove lost bits from using + krb5_principal_set_realm -2007-01-23 Love Hörnquist Åstrand <lha@it.su.se> + * kdc/krb5tgs.c: Better referrals support, use canonicalize flag. - * lib/krb5/Makefile.am: Basic test of prf. + * kdc/hprop.c: use krb5_principal_set_realm - * lib/krb5/test_prf.c: Basic test of prf. + * lib/krb5/init_creds_pw.c: use krb5_principal_set_realm - * lib/krb5/mit_glue.c: Add MIT glue for Kerberos RFC 3961 PRF - functions. + * lib/krb5/verify_user.c: use krb5_principal_set_realm - * lib/krb5/crypto.c: Add Kerberos RFC 3961 PRF functions. + * lib/krb5/version-script.map: add krb5_principal_set_realm - * lib/krb5/krb5_data.3: Document krb5_data_cmp. + * lib/krb5/principal.c: add krb5_principal_set_realm - * lib/krb5/data.c: Add krb5_data_cmp. - -2007-01-20 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/get_cred.c: Insecure tgs referrals. - * kdc/kx509.c: Don't use C99 syntax. + * lib/krb5/get_cred.c: Dont try key usage KRB5_KU_AP_REQ_AUTH for + TGS-REQ. This drop compatibility with pre 0.3d KDCs. -2007-01-17 Love Hörnquist Åstrand <lha@it.su.se> - - * configure.in: its LIBADD_roken (and shouldn't really exist, our - libtool usage it broken) - - * configure.in: Add an extra variable for roken, LIBADD, that - should be used for library depencies. + * lib/krb5/get_cred.c: catch KRB5_GC_CANONICALIZE. - * lib/krb5/send_to_kdc.c (krb5_sendto): zero out receive buffer. + * lib/krb5/krb5.h: set KRB5_GC_CANONICALIZE. - * lib/krb5/krb5_init_context.3: fix mdoc errors + * kuser/kgetcred.c: set KRB5_GC_CANONICALIZE. - * Heimdal 0.8 branch cut today + * kuser/kgetcred.c: Add stub --canonicalize implementation. - * doc/hx509.texi: Spelling and more about proxy certificates. +2008-03-19 Love Hörnquist Ã…strand <lha@it.su.se> - * configure.in: check for arc4random - -2007-01-16 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/send_to_kdc.c (krb5_sendto): zero receive krb5_data - before starting + * doc/setup.texi: Fix sasl-regexp, from Howard Chu. - * tools/heimdal-build.sh: make cvs keep quiet +2008-03-14 Love Hörnquist Ã…strand <lha@it.su.se> - * kuser/kverify.c: Use argument as principal if passed an - argument. Bug report from Douglas E. Engert - -2007-01-15 Love Hörnquist Åstrand <lha@it.su.se> + * kdc/kx509.c: Adapt to hx509_env changes. - * lib/krb5/rd_req.c (krb5_rd_req_ctx): The code failed to consider - the enc_tkt_in_skey case, from Douglas E. Engert. - - * kdc/kx509.c: Issue certificates. +2008-03-10 Love Hörnquist Ã…strand <lha@it.su.se> - * kdc/config.c: Parse kx509/kca configuration. - - * kdc/kdc.h: add kx509 config - -2007-01-14 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/kerberos5.c (_kdc_find_padata): if there is not padata, - there is nothing find. + * lib/krb5/pkinit.c: Try searchin the key by to use by first + looking for for PK-INIT EKU, then the Microsoft smart card EKU and + last, no special EKU at all. - * doc/hx509.texi: Examples for pk-init. +2008-03-09 Love Hörnquist Ã…strand <lha@it.su.se> - * doc/hx509.texi: About extending ca lifetime and sub cas. - -2007-01-13 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/hx509.texi: More about certificates. - -2007-01-12 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/acache.c: Create a new credential cache is ->get_name + is called, make acc_initialize() reset the existing credential + cache if needed. - * doc/hx509.texi: add Application requirements and write about - xmpp/jabber. - -2007-01-11 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/acache.c (acc_get_name): just return the cache_name + directly instead of trying to resolve it. - * doc/hx509.texi: More about issuing certificates. +2008-02-23 Love Hörnquist Ã…strand <lha@it.su.se> - * doc/hx509.texi: Start of a x.509 manual. + * include/Makefile.am (CLEANFILES): add wind.h and wind_err.h and + sort. - * include/Makefile.am: remove install headerfiles +2008-02-11 Love Hörnquist Ã…strand <lha@it.su.se> - * lib/krb5/test_pac.c: Use more interesting data to cause more - errors. + * lib/hdb/hdb-ldap.c: Use malloc() instead of static buffer. - * include/Makefile.am: remove install headerfiles + * lib/hdb/hdb-ldap.c: Use ldap_get_values_len, from LaMont Jones + via Brian May and Debian. - * lib/krb5/mcache.c: MCC_CURSOR not used, remove. + * doc/Makefile.am: add libwind - * lib/krb5/crypto.c: macro kcrypto_oid_enc now longer used +2008-02-05 Love Hörnquist Ã…strand <lha@it.su.se> - * lib/krb5/rd_safe.c (krb5_rd_safe): set length before trying to - allocate data - -2007-01-10 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/setup.texi: Hint about hxtool validate. + * lib/krb5/test_renew.c: Remove extra ;, From Dennis Davis. - * appl/test/uu_server.c: print both "server" and "client" + * lib/krb5/store_emem.c: Make compile on-pre c99 compilers. From + Dennis Davis. - * kdc/krb5tgs.c: Rename keys to be more obvious what they do. +2008-02-03 Love Hörnquist Ã…strand <lha@it.su.se> - * kdc/kerberos5.c: Use other keys to sign PAC with. From Andrew - Bartlett - - * kdc/windc.c: ident, spelling. + * tools/heimdal-gssapi.pc.in: Add wind. - * kdc/windc_plugin.h: indent. + * tools/krb5-config.in: Add wind. - * kdc/krb5tgs.c: Pass down server entry to verify_pac function. - from Andrew Bartlett + * lib/krb5/pac.c: Use libwind. - * kdc/windc.c: pass down server entry to verify_pac function, from - Andrew Bartlett +2008-02-01 Love Hörnquist Ã…strand <lha@it.su.se> - * kdc/windc_plugin.h: pass down server entry to verify_pac - function, from Andrew Bartlett + * lib/Makefile.am: SUBDIRS: add wind - * configure.in: Provide a automake symbol ENABLE_SHARED if shared - libraries are built. +2008-01-29 Love Hörnquist Ã…strand <lha@it.su.se> - * lib/krb5/rd_req.c (krb5_rd_req_ctx): Use the correct keyblock - when verifying the PAC. From Andrew Bartlett. + * doc/programming.texi: See the Kerberos 5 API introduction and + documentation on the Heimdal webpage. -2007-01-09 Love Hörnquist Åstrand <lha@it.su.se> +2008-01-27 Love Hörnquist Ã…strand <lha@it.su.se> - * lib/krb5/test_pac.c: move around to code test on real PAC. + * lib/krb5: better error strings for the keytab fetching functions - * lib/krb5/pac.c: A tiny 2 char diffrence that make the code work - for real. + * lib/krb5/verify_krb5_conf.c: Catch deprecated entries. - * lib/krb5/test_pac.c: Test more PAC (note that the values used in - this test is wrong, they have to be fixed when the pac code is - fixed). + * lib/krb5/get_cred.c: Remove support + for [libdefaults]capath (not [libdefaults] capaths though). - * doc/setup.texi: Update to new hxtool issue-certificate usage +2008-01-25 Love Hörnquist Ã…strand <lha@it.su.se> - * lib/krb5/init_creds_pw.c: Make sure we don't sent both ENC-TS - and PK-INIT pa data, no need to expose our password protecting our - PKCS12 key. + * tools/heimdal-gssapi.pc.in: Fix caps of prefix, from Joakim + Fallsjo. - * kuser/klist.c (print_cred_verbose): include ticket length in the - verbose output - -2007-01-08 Love Hörnquist Åstrand <lha@it.su.se> +2008-01-24 Love Hörnquist Ã…strand <lha@it.su.se> - * lib/krb5/acache.c (loadlib): pass RTLD_LAZY to dlopen, without - it linux is unhappy. - - * lib/krb5/plugin.c (loadlib): pass RTLD_LAZY to dlopen, without - it linux is unhappy. - - * lib/krb5/name-45-test.c: One of the hosts I sometimes uses is - named "bar.domain", this make one of the tests pass when it - shouldn't. - -2007-01-05 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/setup.texi: Change --key argument to --out-key. - - * kuser/kimpersonate.1: mangle my name + * lib/krb5/fcache.c (fcc_move): more explict why the fcc_move + failes, handle cross device moves. -2007-01-04 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/setup.texi: describe how to use hx509 to create - certificates. - - * tools/heimdal-build.sh: Add --distcheck. - - * kdc/kerberos5.c: Check for KRB5_PADATA_PA_PAC_REQUEST to check - if we should include the PAC in the krbtgt. - - * kdc/pkinit.c (_kdc_as_rep): check if - krb5_generate_random_keyblock failes. - - * kdc/kerberos5.c (_kdc_as_rep): check if - krb5_generate_random_keyblock failes. - - * kdc/krb5tgs.c (tgs_build_reply): check if - krb5_generate_random_keyblock failes. +2008-01-21 Love Hörnquist Ã…strand <lha@it.su.se> - * kdc/krb5tgs.c: Scope etype. - - * lib/krb5/rd_req.c: Make it possible to turn off PAC check, its - default on. - - * lib/krb5/rd_req.c (krb5_rd_req_ctx): If there is a PAC, verify - its server signature. - - * kdc/kerberos5.c (_kdc_as_rep): call windc client access hook. - (_kdc_tkt_add_if_relevant_ad): constify in data argument. - - * kdc/windc_plugin.h: More comments add a client_access hook. - - * kdc/windc.c: Add _kdc_windc_client_access. - - * kdc/krb5tgs.c: rename functions after export some more pac - functions. - - * lib/krb5/test_pac.c: export some more pac functions. - - * lib/krb5/pac.c: export some more pac functions. + * lib/krb5/get_for_creds.c: Use on variable less. - * kdc/krb5tgs.c: Resign the PAC in tgsreq if we have a PAC. + * lib/krb5/get_for_creds.c: Try to handle ticket full and + ticketless tickets better. Add doxygen comments while here. - * configure.in: add tests/plugin/Makefile + * lib/krb5/test_forward.c: Used for testing + krb5_get_forwarded_creds(). -2007-01-03 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/krb5tgs.c: Get right key for PAC krbtgt verification. - - * kdc/config.c: spelling - - * lib/krb5/krb5.h: typedef for krb5_pac. - - * kdc/headers.h: Include <windc_plugin.h>. - - * kdc/Makefile.am: Include windc.c and use windc_plugin.h - - * kdc/krb5tgs.c: Call callbacks for emulating a Windows Domain - Controller. - - * kdc/kerberos5.c: Call callbacks for emulating a Windows Domain - Controller. Move the some of the log related stuff to its own - function. - - * kdc/config.c: Init callbacks for emulating a Windows Domain - Controller. + * lib/krb5/Makefile.am: noinst_PROGRAMS += test_forward - * kdc/windc.c: Rename the init function to windc instead of pac. + * lib/krb5/Makefile.am: drop CHECK_SYMBOLS - * kdc/windc.c: Callbacks specific to emulating a Windows Domain - Controller. + * lib/hdb/Makefile.am: drop CHECK_SYMBOLS - * kdc/windc_plugin.h: Callbacks specific to emulating a Windows - Domain Controller. + * kdc/Makefile.am: drop CHECK_SYMBOLS - * lib/krb5/Makefile.am: add krb5_HEADERS to build_HEADERZ +2008-01-18 Love Hörnquist Ã…strand <lha@it.su.se> - * lib/krb5/pac.c: Support all keyed checksum types. - -2007-01-02 Love Hörnquist Åstrand <lha@it.su.se> + * lib/krb5/version-script.map: Add krb5_digest_probe. - * lib/krb5/pac.c (krb5_pac_get_types): Return list of types. +2008-01-13 Love Hörnquist Ã…strand <lha@it.su.se> - * lib/krb5/test_pac.c: test krb5_pac_get_types - - * lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA. - - * lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA. - - * lib/krb5/krb5.h: Add KRB5_KRBHST_KCA. - - * lib/krb5/test_pac.c: test Add/remove pac buffer functions. + * lib/krb5/pkinit.c: Replace hx509_name_to_der_name with + hx509_name_binary. - * lib/krb5/pac.c: Add/remove pac buffer functions. +2008-01-12 Love Hörnquist Ã…strand <lha@it.su.se> - * lib/krb5/pac.c: sprinkle const + * lib/krb5/Makefile.am: add missing files - * lib/krb5/pac.c: rename DCHECK to CHECK - - * Happy New Year. + * Happy new year. |
