diff options
Diffstat (limited to 'crypto/heimdal/ChangeLog')
-rw-r--r-- | crypto/heimdal/ChangeLog | 1356 |
1 files changed, 0 insertions, 1356 deletions
diff --git a/crypto/heimdal/ChangeLog b/crypto/heimdal/ChangeLog deleted file mode 100644 index e167b09..0000000 --- a/crypto/heimdal/ChangeLog +++ /dev/null @@ -1,1356 +0,0 @@ -2008-01-24 Love Hörnquist Åstrand <lha@it.su.se> - - * Release 1.1 - -2008-01-21 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/get_for_creds.c: Use on variable less. - - * lib/krb5/get_for_creds.c: Try to handle ticket full and - ticketless tickets better. Add doxygen comments while here. - - * lib/krb5/test_forward.c: Used for testing - krb5_get_forwarded_creds(). - - * lib/krb5/Makefile.am: noinst_PROGRAMS += test_forward - - * lib/krb5/Makefile.am: drop CHECK_SYMBOLS - - * lib/hdb/Makefile.am: drop CHECK_SYMBOLS - - * kdc/Makefile.am: drop CHECK_SYMBOLS - -2008-01-18 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/version-script.map: Add krb5_digest_probe. - -2008-01-13 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/pkinit.c: Replace hx509_name_to_der_name with - hx509_name_binary. - -2008-01-12 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/Makefile.am: add missing files - -2007-12-28 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/digest.c: Log probe message, add NTLM_TARGET_DOMAIN to the - type2 message. - -2007-12-14 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/hdb/dbinfo.c: Add hdb_default_db(). - - * Makefile.am: Add some extra cf/*. - -2007-12-12 Love Hörnquist Åstrand <lha@it.su.se> - - * kuser/kgetcred.c: Fix type of name-type. From Andy Polyakov. - -2007-12-09 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/log.c: Use hdb_db_dir(). - - * kpasswd/kpasswdd.c: Use hdb_db_dir(). - -2007-12-08 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/config.c: Use hdb_db_dir(). - - * kdc/kdc_locl.h: add KDC_LOG_FILE - - * kdc/hpropd.c: Use hdb_default_db(). - - * kdc/kstash.c: Use hdb_db_dir(). - - * kdc/pkinit.c: Adapt to hx509 changes, use hdb_db_dir(). - - * lib/krb5/rd_req.c: Document krb5_rd_req_in_set_pac_check. - - * lib/krb5/verify_krb5_conf.c: Check check_pac. - - * lib/krb5/rd_req.c: use KRB5_CTX_F_CHECK_PAC to init check_pac - field in the krb5_rd_req_in_ctx - - * lib/krb5/expand_hostname.c: Adapt to changing - dns_canonicalize_hostname into flags field. - - * lib/krb5/context.c: Adapt to changing dns_canonicalize_hostname - into flags field, add check-pac as an libdefaults option. - - * lib/krb5/pkinit.c: Adapt to changes in hx509 interface. - - * doc: add doxygen documentation to hcrypto - - * doc/doxytmpl.dxy: generate links - -2007-12-07 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/Makefile.am: build_HEADERZ += heim_threads.h - - * lib/hdb/dbinfo.c (hdb_db_dir): Return the directory where the - hdb database resides. - - * configure.in: Add --with-hdbdir to specify where the database is - stored. - - * lib/krb5/crypto.c: revert previous patch, the problem is located - in the RAND_file_name() function that will cause recursive nss - lookups, can't fix that here. - -2007-12-06 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/crypto.c (krb5_generate_random_block): try to avoid the - dead-lock in by not holding the lock while running - RAND_file_name. Prompted by Hai Zaar. - - * lib/krb5/n-fold.c: spelling - -2007-12-04 Love Hörnquist Åstrand <lha@it.su.se> - - * kuser/kdigest.c (digest-probe): implement command. - - * kuser/kdigest-commands.in (digest-probe): new command - - * kdc/digest.c: Implement supportedMechs request. - - * lib/krb5/error_string.c: Make krb5_get_error_string return an - allocated string to make the function indempotent. From - Zeqing (Fred) Xia. - -2007-12-03 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/krb5_locl.h (krb5_context_data): Flag if - default_cc_name was set by the user. - - * lib/krb5/fcache.c (fcc_move): make sure ->version is uptodate. - - * kcm/acquire.c: use krb5_free_cred_contents - - * kuser/kimpersonate.c: use krb5_free_cred_contents - - * kuser/kinit.c: Use krb5_cc_move to make an atomic switch of the - cred cache. - - * lib/krb5/cache.c: Put back code that was needed, move gen_new - into new_unique. - - * lib/krb5/mcache.c (mcc_default_name): Remove const - - * lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME_KCM, redefine - KRB5_DEFAULT_CCNAME to KRB5_DEFAULT_CCTYPE - - * lib/krb5/cache.c: Use krb5_cc_ops->default_name to get the - default name. - - * lib/krb5/kcm.c: Implement krb5_cc_ops->default_name. - - * lib/krb5/mcache.c: Implement krb5_cc_ops->default_name. - - * lib/krb5/fcache.c: Implement krb5_cc_ops->default_name. - - * lib/krb5/krb5.h: Add krb5_cc_ops->default_name. - - * lib/krb5/acache.c: Free context when done, implement - krb5_cc_ops->default_name. - - * lib/krb5/kcm.c: implement dummy kcm_move - - * lib/krb5/mcache.c: Implement the move operation. - - * lib/krb5/version-script.map: export krb5_cc_move - - * lib/krb5/cache.c: New function krb5_cc_move(). - - * lib/krb5/fcache.c: Implement the move operation. - - * lib/krb5/krb5.h: Add move to the krb5_cc_ops, causes major - version bump. - - * lib/krb5/acache.c: Implement the move operation. Avoid using - cc_set_principal() since it broken on Mac OS X 10.5.0. - -2007-12-02 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/krb5_ccapi.h: Drop variable names to avoid -Wshadow. - -2007-11-14 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/krb5tgs.c: Should pass different key usage constants - depending on whether or not optional sub-session key was passed by - the client for the check of authorization data. The constant is - used to derive "specific key" and its values are specified in - 7.5.1 of RFC4120. - - Patch from Andy Polyakov. - - * kdc/krb5tgs.c: Don't send auth data in referrals, microsoft - clients have started to not like that. Thanks to Andy Polyakov for - excellent research. - -2007-11-11 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/creds.c: use krb5_data_cmp - - * lib/krb5/acache.c: use krb5_free_cred_contents - - * lib/krb5/test_renew.c: use krb5_free_cred_contents - -2007-11-10 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/acl.c: doxygen documentation - - * lib/krb5/addr_families.c: doxygen documentation - - * doc: add doxygen - - * lib/krb5/plugin.c: doxygen documentation - - * lib/krb5/kcm.c: doxygen documentation - - * lib/krb5/fcache.c: doxygen documentation - - * lib/krb5/cache.c: doxygen documentations - - * lib/krb5/doxygen.c: doxygen introduction - - * lib/krb5/error_string.c: Doxygen documentation. - -2007-11-03 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/test_plugin.c: expose krb5_plugin_register - - * lib/krb5/plugin.c: expose krb5_plugin_register - - * lib/krb5/version-script.map: sort, expose krb5_plugin_register - -2007-10-24 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/kerberos5.c: Adding same enctype is enough one time. From - Andy Polyakov and Bjorn Sandell. - -2007-10-18 Love <lha@stacken.kth.se> - - * lib/krb5/cache.c (krb5_cc_retrieve_cred): check return value - from krb5_cc_start_seq_get. From Zeqing (Fred) Xia - - * lib/krb5/fcache.c (init_fcc): provide better error codes - - * kdc/kerberos5.c (get_pa_etype_info2): more paranoia, avoid - sending warning about pruned etypes. - - * kdc/kerberos5.c (older_enctype): old windows enctypes (arcfour - based) "old", this to support windows 2000 clients (unjoined to a - domain). From Andy Polyakov. - -2007-10-07 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/setup.texi: Spelling, from Mark Peoples via Bjorn Sandell. - -2007-10-04 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/krb5tgs.c: More prettier printing of enctype, from KAMADA - Ken'ichi. - - * lib/krb5/crypto.c (krb5_enctype_to_string): make sure string is - NULL on failure. - -2007-10-03 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/kdc-replay.c: Catch KRB5_PROG_ATYPE_NOSUPP from - krb5_addr2sockaddr and igore thte test is that case. - -2007-09-29 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/context.c (krb5_free_context): free - default_cc_name_env, from Gunther Deschner. - -2007-08-27 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/{krb5.h,pac.c,test_pac.c,send_to_kdc.c,rd_req.c}: Make - work with c++, reported by Hai Zaar - - * lib/krb5/{digest.c,krb5.h}: Make work with c++, reported by Hai Zaar - -2007-08-20 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/hdb/Makefile.am: EXTRA_DIST += hdb.schema - -2007-07-31 Love Hörnquist Åstrand <lha@it.su.se> - - * check return value of alloc functions, from Charles Longeau - - * lib/krb5/principal.c: spelling. - - * kadmin/kadmin.8: spelling - - * lib/krb5/crypto.c: Check return values from alloc - functions. Prompted by patch of Charles Longeau. - - * lib/krb5/n-fold.c: Make _krb5_n_fold return a error - code. Prompted by patch of Charles Longeau. - -2007-07-27 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/init_creds.c: Always set the ticket options, use - KRB5_ADDRESSLESS_DEFAULT as the default value, this make the unset - tri-state not so useful. - -2007-07-24 Love Hörnquist Åstrand <lha@it.su.se> - - * tools/heimdal-gssapi.pc.in: Add LIB_pkinit to the list of - libraries. - - * tools/heimdal-gssapi.pc.in: pkg-config file for libgssapi in - heimdal. - - * tools/Makefile.am: Add heimdal-gssapi.pc and install it into - $(libdir)/pkgconfig - -2007-07-23 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/pkinit.c: Add RFC3526 modp group14 as a default. - -2007-07-22 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/hdb/dbinfo.c (get_dbinfo): use dbname instead of realm as - key if the entry is a correct entry. - - * lib/krb5/get_cred.c: Make krb5_get_renewed_creds work, from - Gunther Deschner. - - * lib/krb5/Makefile.am: Add test_renew to noinst_PROGRAMS. - - * lib/krb5/test_renew.c: Test for krb5_get_renewed_creds. - -2007-07-21 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/hdb/keys.c: Make parse_key_set handle key set string "v5", - from Peter Meinecke. - - * kdc/kaserver.c: Don't ovewrite the error code, from Peter - Meinecke. - -2007-07-18 Love Hörnquist Åstrand <lha@it.su.se> - - * TODO-1.0: remove - - * Makefile.am: remove TODO-1.0 - -2007-07-17 Love Hörnquist Åstrand <lha@it.su.se> - - * Heimdal 1.0 release branch cut here - - * doc/hx509.texi: use version.texi - - * doc/heimdal.texi: use version.texi - - * doc/version.texi: version.texi - - * lib/hdb/db3.c: avoid type-punned pointer warning. - - * kdc/kx509.c: Use unsigned char * as argument to HMAC_Update to - please OpenSSL and gcc. - - * kdc/digest.c: Use unsigned char * as argument to MD5_Update to - please OpenSSL and gcc. - -2007-07-16 Love Hörnquist Åstrand <lha@it.su.se> - - * include/Makefile.am: Add krb_err.h. - - * kdc/set_dbinfo.c: Print acl file too. - - * kdc/kerberos4.c: Error codes are just fine, remove XXX now. - - * lib/krb5/krb5-v4compat.h: Drop duplicate error codes. - - * kdc/kerberos4.c: switch to ET errors. - - * lib/krb5/Makefile.am: Add krb_err.h to build_HEADERZ. - - * lib/krb5/v4_glue.c: If its a Kerberos 4 error-code, remove the - et BASE. - -2007-07-15 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/krb5-v4compat.h: Include "krb_err.h". - - * lib/krb5/v4_glue.c: return more interesting error codes. - - * lib/krb5/plugin.c: Prefix enum plugin_type. - - * lib/krb5/krb5_locl.h: Expose plugin structures. - - * lib/krb5/krb5.h: Add plugin structures. - - * lib/krb5/krb_err.et: V4 errors. - - * lib/krb5/version-script.map: First version of version script. - -2007-07-13 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/kerberos5.c: Java 1.6 expects the name to be the same type, - lets allow that for uncomplicated name-types. - -2007-07-12 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/v4_glue.c (_krb5_krb_rd_req): if ticket contains - address 0, its ticket less and don't really care about - from_addr. return better error codes. - - * kpasswd/kpasswdd.c: Fix pointer vs strict alias rules. - -2007-07-11 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/hdb/hdb-ldap.c: When using sambaNTPassword, avoid adding - more then one enctype 23 to krb5EncryptionType. - - * lib/krb5/cache.c: Spelling. - - * kdc/kerberos5.c: Don't send newer enctypes in ETYPE-INFO. - (get_pa_etype_info2): return the enctypes as sorted in the - database - -2007-07-10 Love Hörnquist Åstrand <lha@it.su.se> - - * kuser/kinit.c: krb5-v4compat.h defines prototypes for - v4 (semiprivate functions) in libkrb5, don't include - krb5-private.h any longer. - - * lib/krb5/krbhst.c: Set error string when there is no KDC for a - realm. - - * lib/krb5/Makefile.am: New library version. - - * kdc/Makefile.am: New library version. - - * lib/krb5/krb5_locl.h: Add default_cc_name_env. - - * lib/krb5/cache.c (enviroment_changed): return non-zero if - enviroment that will determine default krb5cc name has changed. - (krb5_cc_default_name): also check if cached value is uptodate. - - * lib/krb5/krb5_locl.h: Drop pkinit_flags. - -2007-07-05 Love Hörnquist Åstrand <lha@it.su.se> - - * configure.in: add tests/java/Makefile - - * lib/hdb/dbinfo.c: Add hdb_dbinfo_get_log_file. - -2007-07-04 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/kerberos5.c: Improve the default salt detection to avoid - returning v4 password salting to java that doesn't look at the - returning padata for salting. - - * kdc: Split out krb5_kdc_set_dbinfo, From Andrew Bartlett - -2007-07-02 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/digest.c: Try harder to provide better error message for - digest messages. - - * lib/krb5/Makefile.am: verify_krb5_conf_OBJECTS depends on - krb5-pr*.h, make -j finds this. - -2007-06-28 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/digest.c: On success, print username, not ip-adress. - -2007-06-26 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/get_cred.c: Add krb5_get_renewed_creds. - - * lib/krb5/krb5_get_credentials.3: add krb5_get_renewed_creds - - * lib/krb5/pkinit.c: Use hx509_cms_unwrap_ContentInfo. - -2007-06-25 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/setup.texi: Add example for pkinit_win2k_require_binding - in [kdc] section. - - * kdc/default_config.c: Rename require_binding to - win2k_require_binding to match client configuration. - - * kdc/default_config.c: Add [kdc]pkinit_require_binding option. - - * kdc/pkinit.c (pk_mk_pa_reply_enckey): only allow non-bound reply - if its not required. - - * kdc/default_config.c: rename pkinit_princ_in_cert and add - pkinit_require_binding - - * kdc/kdc.h: rename pkinit_princ_in_cert and add - pkinit_require_binding - - * kdc/pkinit.c: rename pkinit_princ_in_cert - -2007-06-24 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/pkinit.c: Adapt to hx509_verify_hostname change. - -2007-06-21 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/krb5tgs.c: Drop unused variable. - - * kdc/krb5tgs.c: disable anonyous tgs requests - - * kdc/krb5tgs.c: Don't check PAC on cross realm for now. - - * kuser/kgetcred.c: Set KRB5_GC_CONSTRAINED_DELEGATION and parse - nametypes. - - * lib/krb5/krb5_principal.3: Document krb5_parse_nametype. - - * lib/krb5/principal.c (krb5_parse_nametype): parse nametype and - return their integer values. - - * lib/krb5/krb5.h (krb5_get_creds): Add - KRB5_GC_CONSTRAINED_DELEGATION. - - * lib/krb5/get_cred.c (krb5_get_creds): if - KRB5_GC_CONSTRAINED_DELEGATION is set, set both request_anonymous - and constrained_delegation. - -2007-06-20 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/digest.c: Return an error message instead of dropping the - packet for more failure cases. - - * lib/krb5/krb5_principal.3: Add KRB5_PRINCIPAL_UNPARSE_DISPLAY. - - * appl/gssmask/gssmask.c (AcquirePKInitCreds): fail more - gracefully - -2007-06-18 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/pac.c: make compile. - - * lib/krb5/pac.c (verify_checksum): memset cksum to avoid using - pointer from stack. - - * lib/krb5/plugin.c: Don't expose free pointer. - - * lib/krb5/pkinit.c (_krb5_pk_load_id): fail directoy for first - calloc. - - * lib/krb5/pkinit.c (get_reply_key*): don't expose freed memory - - * lib/krb5/krbhst.c: Host is static memory, don't free. - - * lib/krb5/crypto.c (decrypt_internal_derived): make sure length - is longer then confounder + checksum. - - * kdc: export get_dbinfo as krb5_kdc_set_dbinfo and call from - users. This to allows libkdc users to to specify their own - databases - - * lib/krb5/pkinit.c (pk_rd_pa_reply_enckey): simplify handling of - content data (and avoid leaking memory). - - * kdc/misc.c (_kdc_db_fetch): set error string for failures. - -2007-06-15 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/pkinit.c: Use KRB5_AUTHDATA_INITIAL_VERIFIED_CAS. - -2007-06-13 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/pkinit.c: tell user when they got a pk-init request with - pkinit disabled. - -2007-06-12 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/principal.c: Rename UNPARSE_NO_QUOTE to - UNPARSE_DISPLAY. - - * lib/krb5/krb5.h: Rename UNPARSE_NO_QUOTE to UNPARSE_DISPLAY. - - * lib/krb5/principal.c: Make no-quote mean replace strange chars - with space. - - * lib/krb5/principal.c: Support KRB5_PRINCIPAL_UNPARSE_NO_QUOTE. - - * lib/krb5/krb5.h: Add KRB5_PRINCIPAL_UNPARSE_NO_QUOTE. - - * lib/krb5/test_princ.c: Test quoteing. - - * lib/krb5/pkinit.c: update (c) - - * lib/krb5/get_cred.c: use krb5_sendto_context to talk to the KDC. - - * lib/krb5/send_to_kdc.c (_krb5_kdc_retry): check if the whole - process needs to restart or just skip this KDC. - - * lib/krb5/init_creds_pw.c: Use krb5_sendto_context to talk to - KDC. - - * lib/krb5/krb5.h: Add sendto hooks and opaque structure. - - * lib/krb5/krb5_rd_error.3: Update prototype. - - * lib/krb5/send_to_kdc.c: Add hooks for processing the reply from - the server. - -2007-06-11 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/krb5_err.et: Some new error codes from RFC 4120. - -2007-06-09 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/krb5tgs.c: Constify. - - * kdc/kerberos5.c: Constify. - - * kdc/pkinit.c: Check for KRB5-PADATA-PK-AS-09-BINDING. Constify. - -2007-06-08 Love Hörnquist Åstrand <lha@it.su.se> - - * include/Makefile.am: Make krb5-types.h nodist_include_HEADERS. - - * kdc/Makefile.am: EXTRA_DIST += version-script.map. - -2007-06-07 Love Hörnquist Åstrand <lha@it.su.se> - - * Makefile.am (print-distdir): print name of dist - - * kdc/pkinit.c: Break out loading of mappings file to a separate - function and remove warning that it can't open the mapping file, - there are now mappings in the db, maybe the users uses that - instead... - - * lib/krb5/crypto.c: Require the raw key have the correct size and - do away with the minsize. Minsize was a thing that originated - from RC2, but since RC2 is done in the x509/cms subsystem now - there is no need to keep that around. - - * lib/hdb/dbinfo.c: If there is no default dbname, also check for - unset mkey_file and set it default mkey name, make backward compat - stuff work. - - * kdc/version-script.map: add new symbols - - * kdc/kdc-replay.c: Also update krb5_context view of what the time - is. - - * configure.in: add tests/can/Makefile - - * kdc/kdc-replay.c: Add --[version|help]. - - * kdc/pkinit.c: Push down the kdc time into the x509 library. - - * kdc/connect.c: Move up krb5_kdc_save_request so we can catch the - reply data too. - - * kdc/kdc-replay.c: verify reply by checking asn1 class, type and - tag of the reply if there is one. - - * kdc/process.c: Save asn1 class, type and tag of the reply if - there is one. Used to verify the reply in kdc-replay. - -2007-06-06 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/kdc_locl.h: extern for request_log. - - * kdc/Makefile.am: Add kdc-replay. - - * kdc/kdc-replay.c: Replay kdc messages to the KDC library. - - * kdc/config.c: Pick up request_log from [kdc]kdc-request-log. - - * kdc/connect.c: Option to save the request to disk. - - * kdc/process.c (krb5_kdc_save_request): save request to file. - - * kdc/process.c (krb5_kdc_process*): dont update _kdc_time - automagicly. - (krb5_kdc_update_time): set or get current kdc-time. - - * kdc/pkinit.c (_kdc_pk_rd_padata): accept both pkcs-7 and - pkauthdata as the signeddata oid - - * kdc/pkinit.c (_kdc_pk_rd_padata): Try to log what went wrong. - -2007-06-05 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/pkinit.c: Use oid_id_pkcs7_data for pkinit-9 encKey reply to - match windows DC behavior better. - -2007-06-04 Love Hörnquist Åstrand <lha@it.su.se> - - * configure.in: use test for -framework Security - - * appl/test/uu_server.c: Print status to stdout. - - * kdc/digest.c (digest ntlm): provide log entires by setting ret - to an error. - -2007-06-03 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/hx509.texi: Indent crl-sign. - - * doc/hx509.texi: One more crl-sign example. - - * lib/krb5/test_princ.c: plug memory leaks. - - * lib/krb5/pac.c: plug memory leaks. - - * lib/krb5/test_pac.c: plug memory leaks. - - * lib/krb5/test_prf.c: plug memory leak. - - * lib/krb5/test_cc.c: plug memory leaks. - - * doc/hx509.texi: Simple blob about publishing CRLs. - - * doc/win2k.texi: drop text about enctypes. - -2007-06-02 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/pkinit.c: In case of OCSP verification failure, referash - every 5 min. In case of success, refreash 2 min before expiring or - faster. - -2007-05-31 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/krb5_err.et: add error 68, WRONG_REALM - - * kdc/pkinit.c: Handle the ms san in a propper way, still cheat - with the realm name. - - * kdc/kerberos5.c: If _kdc_pk_check_client failes, bail out - directly and hand the error back to the client. - - * lib/krb5/krb5_err.et: Add missing REVOCATION_STATUS_UNAVAILABLE - and fix error message for CLIENT_NAME_MISMATCH. - - * kdc/pkinit.c: More logging for pk-init client mismatch. - - * kdc/kerberos5.c: Also add a KRB5_PADATA_PK_AS_REQ_WIN for - windows pk-init (-9) to make MIT clients happy. - -2007-05-30 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/pkinit.c: Force des3 for win2k. - - * kdc/pkinit.c: Add wrapping to ContentInfo wrapping to - COMPAT_WIN2K. - - * lib/krb5/keytab_keyfile.c: Spelling. - - * kdc/pkinit.c: Allow matching by MS UPN SAN, note that this delta - doesn't deal with case of realm. - -2007-05-16 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/crypto.c (krb5_crypto_overhead): return static overhead - of encryption. - -2007-05-10 Dave Love <fx@gnu.org> - - * doc/win2k.texi: Update some URLs. - -2007-05-13 Love Hörnquist Åstrand <lha@it.su.se> - - * kuser/kimpersonate.c: Fix version number of ticket, it should be - 5 not the kvno. - -2007-05-08 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/setup.texi: Salting is really Encryption types and salting. - -2007-05-07 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/setup.texi: spelling, from Ronny Blomme - - * doc/win2k.texi: Fix ksetup /SetComputerPassword, from Ronny - Blomme - -2007-05-02 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/hdb/dbinfo.c (hdb_get_dbinfo) If there are no database - specified, create one and let it use the defaults. - -2007-04-27 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/hdb/test_dbinfo.c: test acl file - - * lib/hdb/test_dbinfo.c: test acl file - - * lib/hdb/dbinfo.c: add acl file - - * etc: ignore Makefile.in - - * Makefile.am: SUBDIRS += etc - - * configure.in: Add etc/Makefile. - - * etc/Makefile.am: make sure services.append is distributed - -2007-04-24 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc: rename windc_init to krb5_kdc_windc_init - - * kdc/version-script.map: version script for libkdc - - * kdc/Makefile.am: version script for libkdc - -2007-04-23 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error): - correct the order of the arguments. - - * lib/hdb/Makefile.am: Add and test dbinfo. - - * lib/hdb/hdb.h: Forward declaration for struct hdb_dbinfo; - - * kdc/config.c: Use krb5_kdc_get_config and just fill in what the - users wanted differently. - - * kdc/default_config.c: Make the default configuration fetch info - from the krb5.conf. - -2007-04-22 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to - determine if to send the session-key, for the second place in the - function. - - * tools/krb5-config.in: rename des to hcrypto - - * kuser/Makefile.am: depend on libheimntlm - - * kuser/kinit.c: Add --ntlm-domain that store the ntlm cred for - this domain if the Kerberos password auth worked. - - * kuser/klist.c: add new option --hidden that doesn't display - principal that starts with @ - - * tools/krb5-config.in: Add heimntlm when we use gssapi. - - * lib/krb5/krb5_ccache.3 (krb5_cc_retrieve_cred): document what to - free 'cred' with. - - * lib/krb5/cache.c (krb5_cc_retrieve_cred): document what to free - 'cred' with. - -2007-04-21 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to - determine if to send the session-key. - - * kcm/client.c (kcm_ccache_new_client): make root be able to pass - the name constraints, not the opposite. From Bryan Jacobs. - -2007-04-20 Love Hörnquist Åstrand <lha@it.su.se> - - * kcm/acl.c: make compile again. - - * kcm/client.c: fix warning. - - * kcm: First, it allows root to ignore the naming conventions. - Second, it allows root to always perform any operation on any - ccache. Note that root could do this anyway with FILE ccaches. - From Bryan Jacobs. - - * Rename libdes to libhcrypto. - -2007-04-19 Love Hörnquist Åstrand <lha@it.su.se> - - * kinit: remove code that depend on kerberos 4 library - - * kdc: remove code that depend on kerberos 4 library - - * configure.in: Drop kerberos 4 support. - - * kdc/hpropd.c (main): free the message when done with it. - - * lib/krb5/pkinit.c (_krb5_get_init_creds_opt_free_pkinit): - remember to free memory too. - - * lib/krb5/pkinit.c (pk_rd_pa_reply_dh): free content-type when - done. - - * configure.in: test rk_VERSIONSCRIPT - -2007-04-18 Love Hörnquist Åstrand <lha@it.su.se> - - * fix-export: remove, all done by make dist now - -2007-04-15 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/krb5_get_credentials.3: spelling, from Jason McIntyre - -2007-04-11 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/kstash.8: Spelling, from raga <raga@comcast.net> - via Bjorn Sandell. - - * lib/krb5/store_mem.c: indent. - - * lib/krb5/recvauth.c: Set error string. - - * lib/krb5/rd_req.c: clear error strings. - - * lib/krb5/rd_cred.c: clear error string. - - * lib/krb5/pkinit.c: Set error strings. - - * lib/krb5/get_cred.c: Tell what principal we are not finding for - all KRB5_CC_NOTFOUND. - -2007-02-22 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/kerberos5.c: Return the same error codes as a windows KDC. - - * kuser/kinit.c: KRB5KDC_ERR_PREAUTH_FAILED is also a password - failed. - - * kdc/kerberos5.c: Make handling of replying e_data more generic, - from metze. - - * kdc/kerberos5.c: Fix (string const and shadow) warnings, from - metze. - - * lib/krb5/pac.c: Create the PAC element in the same order as - w2k3, maybe there's some broken code in windows which relies on - this... From metze. - - * kdc/kerberos5.c: Select a session enctype from the list of the - crypto systems supported enctype, is supported by the client and - is one of the enctype of the enctype of the krbtgt. - - The later is used as a hint what enctype all KDC are supporting to - make sure a newer version of KDC wont generate a session enctype - that and older version of a KDC in the same realm can't decrypt. - - But if the KDC admin is paranoid and doesn't want to have "no the - best" enctypes on the krbtgt, lets save the best pick from the - client list and hope that that will work for any other KDCs. - - Reported by metze. - - * kdc/hprop.c (propagate_database): on any failure, drop the - connection to the peer and try next one. - -2007-02-18 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/krb5_get_init_creds.3: document new options. - - * kdc/krb5tgs.c: Only check service key for cross realm PACs. - - * lib/krb5/init_creds.c: use the new merged flags field. - (krb5_get_init_creds_opt_set_win2k): new function, turn on all w2k - compat flags. - - * lib/krb5/init_creds_pw.c: use the new merged flags field. - - * lib/krb5/krb5_locl.h: merge all flags into one entity - -2007-02-11 Dave Love <fx@gnu.org> - - * lib/krb5/krb5_aname_to_localname.3: Small fixes - - * lib/krb5/krb5_digest.3: Small fixes - - * kuser/kimpersonate.1: Small fixes - -2007-02-17 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/init_creds_pw.c (find_pa_data): if there is no list, - there is no entry. - - * kdc/krb5tgs.c: Don't check PACs on cross realm requests. - - * lib/krb5/krb5.h: add KRB5_KU_CANONICALIZED_NAMES. - - * lib/krb5/init_creds_pw.c: Verify client referral data. - - * kdc/kerberos5.c: switch some "return ret" to "goto out". - - * kdc/kerberos5.c: Pass down canonicalize request to hdb layer, - sign client referrals. - - * lib/hdb/hdb.h: Add HDB_F_CANON. - - * lib/hdb: add simple alias support to the database backends - -2007-02-16 Love Hörnquist Åstrand <lha@it.su.se> - - * kuser/kinit.c: Add canonicalize flag. - - * lib/krb5/init_creds_pw.c: Use EXTRACT_TICKET_* flags, support - canonicalize. - - * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_canonicalize): - new function. - - * lib/krb5/get_cred.c: Use EXTRACT_TICKET_* flags. - - * lib/krb5/get_in_tkt.c: Use EXTRACT_TICKET_* flags. - - * lib/krb5/krb5_locl.h: Add EXTRACT_TICKET_* flags. - -2007-02-15 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/test_princ.c: test parsing enterprise-names. - - * lib/krb5/principal.c: Add support for parsing enterprise-names. - - * lib/krb5/krb5.h: Add KRB5_PRINCIPAL_PARSE_ENTERPRISE. - - * lib/hdb/hdb-ldap.c: Make work again. - -2007-02-11 Dave Love <fx@gnu.org> - - * kcm/client.c (kcm_ccache_new_client): Cast snprintf'ed value. - -2007-02-10 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/setup.texi: prune trailing space - - * lib/hdb/db.c: Be better at setting and clearing error string. - - * lib/hdb/hdb.c: Be better at setting and clearing error string. - -2007-02-09 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/keytab.c (krb5_kt_get_entry): Use krb5_kt_get_full_name - to print out the keytab name. - - * doc/setup.texi: Spelling, from Guido Guenther - -2007-02-08 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/rd_cred.c: Plug memory leak, from Michael B Allen. - -2007-02-06 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/test_store.c (test_uint16): unsigned ints can't be - negative - -2007-02-03 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/pkinit.c: pass extra flags for detached signatures. - - * lib/krb5/pkinit.c: pass extra flags for detached signatures. - - * kdc/digest.c: Remove debug output. - - * kuser/kdigest.c: Add support for ms-chap-v2 client. - -2007-02-02 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/digest.c: Fix ms-chap-v2 get_masterkey - - * kdc/digest.c: Fix ms-chap-v2 mutual response auth code. - - * kuser/kdigest.c: Print session key if there is one. - - * lib/krb5/digest.c: rename hash-a1 to session key - - * kdc/digest.c: Add get_master from RFC 3079 3.4 for MS-CHAP-V2 - - * kuser/kdigest.c: print rsp if there is one, from Klas. - - * kdc/digest.c: Use right size, from Klas Lindfors. - - * kuser/kdigest.c: Set client nonce if avaible, from Klas. - - * kdc/digest.c: First version from kllin. - - * kuser/kdigest.c: Don't restrict the type. - -2007-02-01 Love Hörnquist Åstrand <lha@it.su.se> - - * kuser/kdigest-commands.in: add --client-response - - * kuser/kdigest.c: Print status instead of response. - - * kdc/digest.c: Better logging and return status = FALSE when - checksum doesn't match. - - * kdc/digest.c: Check the digest response in the KDC. - - * lib/krb5/digest.c: New functions to send in requestResponse to - KDC and get status of the request. - - * kdc/digest.c: Add support for MS-CHAP v2. - - * lib/hdb/hdb-ldap.c: Set hdb->hdb_db for ldap. - -2007-01-31 Love Hörnquist Åstrand <lha@it.su.se> - - * fix-export: Make hx509.info too - - * kdc/digest.c: don't verify identifier in CHAP, its the client - that chooses it. - -2007-01-23 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/Makefile.am: Basic test of prf. - - * lib/krb5/test_prf.c: Basic test of prf. - - * lib/krb5/mit_glue.c: Add MIT glue for Kerberos RFC 3961 PRF - functions. - - * lib/krb5/crypto.c: Add Kerberos RFC 3961 PRF functions. - - * lib/krb5/krb5_data.3: Document krb5_data_cmp. - - * lib/krb5/data.c: Add krb5_data_cmp. - -2007-01-20 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/kx509.c: Don't use C99 syntax. - -2007-01-17 Love Hörnquist Åstrand <lha@it.su.se> - - * configure.in: its LIBADD_roken (and shouldn't really exist, our - libtool usage it broken) - - * configure.in: Add an extra variable for roken, LIBADD, that - should be used for library depencies. - - * lib/krb5/send_to_kdc.c (krb5_sendto): zero out receive buffer. - - * lib/krb5/krb5_init_context.3: fix mdoc errors - - * Heimdal 0.8 branch cut today - - * doc/hx509.texi: Spelling and more about proxy certificates. - - * configure.in: check for arc4random - -2007-01-16 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/send_to_kdc.c (krb5_sendto): zero receive krb5_data - before starting - - * tools/heimdal-build.sh: make cvs keep quiet - - * kuser/kverify.c: Use argument as principal if passed an - argument. Bug report from Douglas E. Engert - -2007-01-15 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/rd_req.c (krb5_rd_req_ctx): The code failed to consider - the enc_tkt_in_skey case, from Douglas E. Engert. - - * kdc/kx509.c: Issue certificates. - - * kdc/config.c: Parse kx509/kca configuration. - - * kdc/kdc.h: add kx509 config - -2007-01-14 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/kerberos5.c (_kdc_find_padata): if there is not padata, - there is nothing find. - - * doc/hx509.texi: Examples for pk-init. - - * doc/hx509.texi: About extending ca lifetime and sub cas. - -2007-01-13 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/hx509.texi: More about certificates. - -2007-01-12 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/hx509.texi: add Application requirements and write about - xmpp/jabber. - -2007-01-11 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/hx509.texi: More about issuing certificates. - - * doc/hx509.texi: Start of a x.509 manual. - - * include/Makefile.am: remove install headerfiles - - * lib/krb5/test_pac.c: Use more interesting data to cause more - errors. - - * include/Makefile.am: remove install headerfiles - - * lib/krb5/mcache.c: MCC_CURSOR not used, remove. - - * lib/krb5/crypto.c: macro kcrypto_oid_enc now longer used - - * lib/krb5/rd_safe.c (krb5_rd_safe): set length before trying to - allocate data - -2007-01-10 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/setup.texi: Hint about hxtool validate. - - * appl/test/uu_server.c: print both "server" and "client" - - * kdc/krb5tgs.c: Rename keys to be more obvious what they do. - - * kdc/kerberos5.c: Use other keys to sign PAC with. From Andrew - Bartlett - - * kdc/windc.c: ident, spelling. - - * kdc/windc_plugin.h: indent. - - * kdc/krb5tgs.c: Pass down server entry to verify_pac function. - from Andrew Bartlett - - * kdc/windc.c: pass down server entry to verify_pac function, from - Andrew Bartlett - - * kdc/windc_plugin.h: pass down server entry to verify_pac - function, from Andrew Bartlett - - * configure.in: Provide a automake symbol ENABLE_SHARED if shared - libraries are built. - - * lib/krb5/rd_req.c (krb5_rd_req_ctx): Use the correct keyblock - when verifying the PAC. From Andrew Bartlett. - -2007-01-09 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/test_pac.c: move around to code test on real PAC. - - * lib/krb5/pac.c: A tiny 2 char diffrence that make the code work - for real. - - * lib/krb5/test_pac.c: Test more PAC (note that the values used in - this test is wrong, they have to be fixed when the pac code is - fixed). - - * doc/setup.texi: Update to new hxtool issue-certificate usage - - * lib/krb5/init_creds_pw.c: Make sure we don't sent both ENC-TS - and PK-INIT pa data, no need to expose our password protecting our - PKCS12 key. - - * kuser/klist.c (print_cred_verbose): include ticket length in the - verbose output - -2007-01-08 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/acache.c (loadlib): pass RTLD_LAZY to dlopen, without - it linux is unhappy. - - * lib/krb5/plugin.c (loadlib): pass RTLD_LAZY to dlopen, without - it linux is unhappy. - - * lib/krb5/name-45-test.c: One of the hosts I sometimes uses is - named "bar.domain", this make one of the tests pass when it - shouldn't. - -2007-01-05 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/setup.texi: Change --key argument to --out-key. - - * kuser/kimpersonate.1: mangle my name - -2007-01-04 Love Hörnquist Åstrand <lha@it.su.se> - - * doc/setup.texi: describe how to use hx509 to create - certificates. - - * tools/heimdal-build.sh: Add --distcheck. - - * kdc/kerberos5.c: Check for KRB5_PADATA_PA_PAC_REQUEST to check - if we should include the PAC in the krbtgt. - - * kdc/pkinit.c (_kdc_as_rep): check if - krb5_generate_random_keyblock failes. - - * kdc/kerberos5.c (_kdc_as_rep): check if - krb5_generate_random_keyblock failes. - - * kdc/krb5tgs.c (tgs_build_reply): check if - krb5_generate_random_keyblock failes. - - * kdc/krb5tgs.c: Scope etype. - - * lib/krb5/rd_req.c: Make it possible to turn off PAC check, its - default on. - - * lib/krb5/rd_req.c (krb5_rd_req_ctx): If there is a PAC, verify - its server signature. - - * kdc/kerberos5.c (_kdc_as_rep): call windc client access hook. - (_kdc_tkt_add_if_relevant_ad): constify in data argument. - - * kdc/windc_plugin.h: More comments add a client_access hook. - - * kdc/windc.c: Add _kdc_windc_client_access. - - * kdc/krb5tgs.c: rename functions after export some more pac - functions. - - * lib/krb5/test_pac.c: export some more pac functions. - - * lib/krb5/pac.c: export some more pac functions. - - * kdc/krb5tgs.c: Resign the PAC in tgsreq if we have a PAC. - - * configure.in: add tests/plugin/Makefile - -2007-01-03 Love Hörnquist Åstrand <lha@it.su.se> - - * kdc/krb5tgs.c: Get right key for PAC krbtgt verification. - - * kdc/config.c: spelling - - * lib/krb5/krb5.h: typedef for krb5_pac. - - * kdc/headers.h: Include <windc_plugin.h>. - - * kdc/Makefile.am: Include windc.c and use windc_plugin.h - - * kdc/krb5tgs.c: Call callbacks for emulating a Windows Domain - Controller. - - * kdc/kerberos5.c: Call callbacks for emulating a Windows Domain - Controller. Move the some of the log related stuff to its own - function. - - * kdc/config.c: Init callbacks for emulating a Windows Domain - Controller. - - * kdc/windc.c: Rename the init function to windc instead of pac. - - * kdc/windc.c: Callbacks specific to emulating a Windows Domain - Controller. - - * kdc/windc_plugin.h: Callbacks specific to emulating a Windows - Domain Controller. - - * lib/krb5/Makefile.am: add krb5_HEADERS to build_HEADERZ - - * lib/krb5/pac.c: Support all keyed checksum types. - -2007-01-02 Love Hörnquist Åstrand <lha@it.su.se> - - * lib/krb5/pac.c (krb5_pac_get_types): Return list of types. - - * lib/krb5/test_pac.c: test krb5_pac_get_types - - * lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA. - - * lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA. - - * lib/krb5/krb5.h: Add KRB5_KRBHST_KCA. - - * lib/krb5/test_pac.c: test Add/remove pac buffer functions. - - * lib/krb5/pac.c: Add/remove pac buffer functions. - - * lib/krb5/pac.c: sprinkle const - - * lib/krb5/pac.c: rename DCHECK to CHECK - - * Happy New Year. |