Diffstat (limited to 'crypto/heimdal/lib/gssapi/ChangeLog')
-rw-r--r-- | crypto/heimdal/lib/gssapi/ChangeLog | 2297 |
1 files changed, 2236 insertions, 61 deletions
diff --git a/crypto/heimdal/lib/gssapi/ChangeLog b/crypto/heimdal/lib/gssapi/ChangeLog index b18bde6..3a0c39f 100644 --- a/crypto/heimdal/lib/gssapi/ChangeLog +++ b/crypto/heimdal/lib/gssapi/ChangeLog 
@@ -1,113 +1,2288 @@ -2003-12-19 Love Hörnquist Åstrand <lha@it.su.se> +2008-01-13 Love Hörnquist Åstrand <lha@it.su.se> - * accept_sec_context.c: 1.40->1.41: Don't require timestamp to be - set on delegated token, its already protected by the outer token - (and windows doesn't alway send it) Pointed out by Zi-Bin Yang + * test_ntlm.c: Test source name (and make the acceptor in ntlm gss + mech useful). + +2007-12-30 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/init_sec_context.c: Don't confuse target name and source + name, make regressiont tests pass again. + +2007-12-29 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm: clean up name handling + +2007-12-04 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/init_sec_context.c: Use credential if it was passed in. + + * ntlm/acquire_cred.c: Check if there is initial creds with + _gss_ntlm_get_user_cred(). + + * ntlm/init_sec_context.c: Add _gss_ntlm_get_user_info() that + return the user info so it can be used by external modules. + + * ntlm/inquire_cred.c: use the right error code. + + * ntlm/inquire_cred.c: Return GSS_C_NO_CREDENTIAL if there is no + credential, ntlm have (not yet) a default credential. + + * mech/gss_release_oid_set.c: Avoid trying to deref NULL, from + Phil Fisher. + +2007-12-03 Love Hörnquist Åstrand <lha@it.su.se> + + * test_acquire_cred.c: Always try to fetch cred (even with + GSS_C_NO_NAME). + +2007-08-09 Love Hörnquist Åstrand <lha@it.su.se> + + * mech/gss_krb5.c: Readd gss_krb5_get_tkt_flags. + +2007-08-08 Love Hörnquist Åstrand <lha@it.su.se> + + * spnego/compat.c (_gss_spnego_internal_delete_sec_context): + release ctx->target_name too From Rafal Malinowski. + +2007-07-26 Love Hörnquist Åstrand <lha@it.su.se> + + * mech/gss_mech_switch.c: Don't try to do dlopen if system doesn't + have dlopen. From Rune of Chalmers. + +2007-07-10 Love Hörnquist Åstrand <lha@it.su.se> + + * mech/gss_duplicate_name.c: New signature of _gss_find_mn. 
+ + * mech/gss_init_sec_context.c: New signature of _gss_find_mn. + + * mech/gss_acquire_cred.c: New signature of _gss_find_mn. + + * mech/name.h: New signature of _gss_find_mn. + + * mech/gss_canonicalize_name.c: New signature of _gss_find_mn. + + * mech/gss_compare_name.c: New signature of _gss_find_mn. + + * mech/gss_add_cred.c: New signature of _gss_find_mn. + + * mech/gss_names.c (_gss_find_mn): Return an error code for + caller. + + * spnego/accept_sec_context.c: remove checks that are done by the + previous function. + + * Makefile.am: New library version. + +2007-07-04 Love Hörnquist Åstrand <lha@it.su.se> + + * mech/gss_oid_to_str.c: Refuse to print GSS_C_NULL_OID, from + Rafal Malinowski. + + * spnego/spnego.asn1: Indent and make NegTokenInit and + NegTokenResp extendable. + +2007-06-21 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/inquire_cred.c: Implement _gss_ntlm_inquire_cred. + + * mech/gss_display_status.c: Provide message for GSS_S_COMPLETE. + + * mech/context.c: If the canned string is "", its no use to the + user, make it fall back to the default error string. + +2007-06-20 Love Hörnquist Åstrand <lha@it.su.se> + + * mech/gss_display_name.c (gss_display_name): no name -> + fail. From Rafal Malinswski. + + * spnego/accept_sec_context.c: Wrap name in a spnego_name instead + of just a copy of the underlaying object. From Rafal Malinswski. + + * spnego/accept_sec_context.c: Handle underlaying mech not + returning mn. + + * mech/gss_accept_sec_context.c: Handle underlaying mech not + returning mn. + + * spnego/accept_sec_context.c: Make sure src_name is always set to + GSS_C_NO_NAME when returning. + + * krb5/acquire_cred.c (acquire_acceptor_cred): don't claim + everything is well on failure. From Phil Fisher. + + * mech/gss_duplicate_name.c: catch error (and ignore it) + + * ntlm/init_sec_context.c: Use heim_ntlm_calculate_ntlm2_sess. + + * mech/gss_accept_sec_context.c: Only wrap the delegated cred if + we got a delegated mech cred. 
From Rafal Malinowski. + + * spnego/accept_sec_context.c: Only wrap the delegated cred if we + are going to return it to the consumer. From Rafal Malinowski. + + * spnego/accept_sec_context.c: Fixed memory leak pointed out by + Rafal Malinowski, also while here moved to use NegotiationToken + for decoding. + +2007-06-18 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/prf.c (_gsskrb5_pseudo_random): add missing break. + + * krb5/release_name.c: Set *minor_status unconditionallty, its + done later anyway. + + * spnego/accept_sec_context.c: Init get_mic to 0. + + * mech/gss_set_cred_option.c: Free memory in failure case, found + by beam. + + * mech/gss_inquire_context.c: Handle mech_type being NULL. + + * mech/gss_inquire_cred_by_mech.c: Handle cred_name being NULL. + + * mech/gss_krb5.c: Free memory in error case, found by beam. + +2007-06-12 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/inquire_context.c: Use ctx->gssflags for flags. + + * krb5/display_name.c: Use KRB5_PRINCIPAL_UNPARSE_DISPLAY, this is + not ment for machine consumption. + +2007-06-09 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/digest.c (kdc_alloc): free memory on failure, pointed out + by Rafal Malinowski. + + * ntlm/digest.c (kdc_destroy): free context when done, pointed out + by Rafal Malinowski. + + * spnego/context_stubs.c (_gss_spnego_display_name): if input_name + is null, fail. From Rafal Malinowski. + +2007-06-04 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/digest.c: Free memory when done. + +2007-06-02 Love Hörnquist Åstrand <lha@it.su.se> + + * test_ntlm.c: Test both with and without keyex. + + * ntlm/digest.c: If we didn't set session key, don't expect one + back. + + * test_ntlm.c: Set keyex flag and calculate session key. + +2007-05-31 Love Hörnquist Åstrand <lha@it.su.se> + + * spnego/accept_sec_context.c: Use the return value before is + overwritten by later calls. From Rafal Malinowski + + * krb5/release_cred.c: Give an minor_status argument to + gss_release_oid_set. 
From Rafal Malinowski + +2007-05-30 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/accept_sec_context.c: Catch errors and return the up the + stack. + + * test_kcred.c: more testing of lifetimes + +2007-05-17 Love Hörnquist Åstrand <lha@it.su.se> + + * Makefile.am: Drop the gss oid_set function for the krb5 mech, + use the mech glue versions instead. Pointed out by Rafal + Malinowski. + + * krb5: Use gss oid_set functions from mechglue + +2007-05-14 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/accept_sec_context.c: Set session key only if we are + returned a session key. Found by David Love. + +2007-05-13 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/prf.c: switched MIN to min to make compile on solaris, + pointed out by David Love. + +2007-05-09 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/inquire_cred_by_mech.c: Fill in all of the variables if + they are passed in. Pointed out by Phil Fisher. + +2007-05-08 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/inquire_cred.c: Fix copy and paste error, bug spotted by + from Phil Fisher. + + * mech: dont keep track of gc_usage, just figure it out at + gss_inquire_cred() time + + * mech/gss_mech_switch.c (add_builtin): ok for + __gss_mech_initialize() to return NULL + + * test_kcred.c: more correct tests + + * spnego/cred_stubs.c (gss_inquire_cred*): wrap the name with a + spnego_name. + + * ntlm/inquire_cred.c: make ntlm gss_inquire_cred fail for now, + need to find default cred and friends. + + * krb5/inquire_cred_by_mech.c: reimplement + +2007-05-07 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/acquire_cred.c: drop unused variable. + + * ntlm/acquire_cred.c: Reimplement. 
+ + * Makefile.am: add ntlm/digest.c + + * ntlm: split out backend ntlm server processing + +2007-04-24 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/delete_sec_context.c (_gss_ntlm_delete_sec_context): free + credcache when done + +2007-04-22 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/init_sec_context.c: ntlm-key credential entry is prefix with @ + + * ntlm/init_sec_context.c (get_user_ccache): pick up the ntlm + creds from the krb5 credential cache. + +2007-04-21 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/delete_sec_context.c: free the key stored in the context + + * ntlm/ntlm.h: switch password for a key + + * test_oid.c: Switch oid to one that is exported. + +2007-04-20 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/init_sec_context.c: move where hash is calculated to make + it easier to add ccache support. + + * Makefile.am: Add version-script.map to EXTRA_DIST. + +2007-04-19 Love Hörnquist Åstrand <lha@it.su.se> + + * Makefile.am: Unconfuse newer versions of automake that doesn't + know the diffrence between depenences and setting variables. foo: + vs foo=. + + * test_ntlm.c: delete sec context when done. + + * version-script.map: export more symbols. + + * Makefile.am: add version script if ld supports it + + * version-script.map: add version script if ld supports it + +2007-04-18 Love Hörnquist Åstrand <lha@it.su.se> + + * Makefile.am: test_acquire_cred need test_common.[ch] + + * test_acquire_cred.c: add more test options. + + * krb5/external.c: add GSS_KRB5_CCACHE_NAME_X + + * gssapi/gssapi_krb5.h: add GSS_KRB5_CCACHE_NAME_X + + * krb5/set_sec_context_option.c: refactor code, implement + GSS_KRB5_CCACHE_NAME_X + + * mech/gss_krb5.c: reimplement gss_krb5_ccache_name + +2007-04-17 Love Hörnquist Åstrand <lha@it.su.se> + + * spnego/cred_stubs.c: Need to import spnego name before we can + use it as a gss_name_t. + + * test_acquire_cred.c: use this test as part of the regression + suite. 
+ + * mech/gss_acquire_cred.c (gss_acquire_cred): dont init + cred->gc_mc every time in the loop. + +2007-04-15 Love Hörnquist Åstrand <lha@it.su.se> + + * Makefile.am: add test_common.h + +2007-02-16 Love Hörnquist Åstrand <lha@it.su.se> + + * gss_acquire_cred.3: Add link for + gsskrb5_register_acceptor_identity. + +2007-02-08 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/copy_ccache.c: Try to leak less memory in the failure case. + +2007-01-31 Love Hörnquist Åstrand <lha@it.su.se> + + * mech/gss_display_status.c: Use right printf formater. + + * test_*.[ch]: split out the error printing function and try to + return better errors + +2007-01-30 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/init_sec_context.c: revert 1.75: (init_auth): only turn on + GSS_C_CONF_FLAG and GSS_C_INT_FLAG if the caller requseted it. + + This is because Kerberos always support INT|CONF, matches behavior + with MS and MIT. The creates problems for the GSS-SPNEGO mech. + +2007-01-24 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/prf.c: constrain desired_output_len + + * krb5/external.c (krb5_mech): add _gsskrb5_pseudo_random + + * mech/gss_pseudo_random.c: Catch error from underlaying mech on + failure. + + * Makefile.am: Add krb5/prf.c + + * krb5/prf.c: gss_pseudo_random for krb5 + + * test_context.c: Checks for gss_pseudo_random. + + * krb5/gkrb5_err.et: add KG_INPUT_TOO_LONG + + * Makefile.am: Add mech/gss_pseudo_random.c + + * gssapi/gssapi.h: try to load pseudo_random + + * mech/gss_mech_switch.c: try to load pseudo_random + + * mech/gss_pseudo_random.c: Add gss_pseudo_random. + + * gssapi_mech.h: Add hook for gm_pseudo_random. + +2007-01-17 Love Hörnquist Åstrand <lha@it.su.se> + + * test_context.c: Don't assume bufer from gss_display_status is + ok. + + * mech/gss_wrap_size_limit.c: Reset out variables. + + * mech/gss_wrap.c: Reset out variables. + + * mech/gss_verify_mic.c: Reset out variables. + + * mech/gss_utils.c: Reset out variables. 
+ + * mech/gss_release_oid_set.c: Reset out variables. + + * mech/gss_release_cred.c: Reset out variables. + + * mech/gss_release_buffer.c: Reset variables. + + * mech/gss_oid_to_str.c: Reset out variables. + + * mech/gss_inquire_sec_context_by_oid.c: Fix reset out variables. + + * mech/gss_mech_switch.c: Reset out variables. + + * mech/gss_inquire_sec_context_by_oid.c: Reset out variables. + + * mech/gss_inquire_names_for_mech.c: Reset out variables. + + * mech/gss_inquire_cred_by_oid.c: Reset out variables. + + * mech/gss_inquire_cred_by_oid.c: Reset out variables. + + * mech/gss_inquire_cred_by_mech.c: Reset out variables. + + * mech/gss_inquire_cred.c: Reset out variables, fix memory leak. + + * mech/gss_inquire_context.c: Reset out variables. + + * mech/gss_init_sec_context.c: Zero out outbuffer on failure. + + * mech/gss_import_name.c: Reset out variables. + + * mech/gss_import_name.c: Reset out variables. + + * mech/gss_get_mic.c: Reset out variables. + + * mech/gss_export_name.c: Reset out variables. + + * mech/gss_encapsulate_token.c: Reset out variables. + + * mech/gss_duplicate_oid.c: Reset out variables. + + * mech/gss_duplicate_oid.c: Reset out variables. + + * mech/gss_duplicate_name.c: Reset out variables. + + * mech/gss_display_status.c: Reset out variables. + + * mech/gss_display_name.c: Reset out variables. + + * mech/gss_delete_sec_context.c: Reset out variables using propper + macros. + + * mech/gss_decapsulate_token.c: Reset out variables using propper + macros. + + * mech/gss_add_cred.c: Reset out variables. + + * mech/gss_acquire_cred.c: Reset out variables. + + * mech/gss_accept_sec_context.c: Reset out variables using propper + macros. + + * mech/gss_init_sec_context.c: Reset out variables. 
+ + * mech/mech_locl.h (_mg_buffer_zero): new macro that zaps a + gss_buffer_t + +2007-01-16 Love Hörnquist Åstrand <lha@it.su.se> + + * mech: sprinkel _gss_mg_error + + * mech/gss_display_status.c (gss_display_status): use + _gss_mg_get_error to fetch the error from underlaying mech, if it + failes, let do the regular dance for GSS-CODE version and a + generic print-the-error code for MECH-CODE. + + * mech/gss_oid_to_str.c: Don't include the NUL in the length of + the string. + + * mech/context.h: Protoypes for _gss_mg_. + + * mech/context.c: Glue to catch the error from the lower gss-api + layer and save that for later so gss_display_status() can show the + error. + + * gss.c: Detect NTLM. + +2007-01-11 Love Hörnquist Åstrand <lha@it.su.se> + + * mech/gss_accept_sec_context.c: spelling + +2007-01-04 Love Hörnquist Åstrand <lha@it.su.se> + + * Makefile.am: Include build (private) prototypes header files. + + * Makefile.am (ntlmsrc): add ntlm/ntlm-private.h + +2006-12-28 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/accept_sec_context.c: Pass signseal argument to + _gss_ntlm_set_key. + + * ntlm/init_sec_context.c: Pass signseal argument to + _gss_ntlm_set_key. + + * ntlm/crypto.c (_gss_ntlm_set_key): add signseal argument + + * test_ntlm.c: add ntlmv2 test + + * ntlm/ntlm.h: break out struct ntlmv2_key; + + * ntlm/crypto.c (_gss_ntlm_set_key): set ntlm v2 keys. + + * ntlm/accept_sec_context.c: Set dummy ntlmv2 keys and Check TI. + + * ntlm/ntlm.h: NTLMv2 keys. + + * ntlm/crypto.c: NTLMv2 sign and verify. + +2006-12-20 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/accept_sec_context.c: Don't send targetinfo now. + + * ntlm/init_sec_context.c: Build ntlmv2 answer buffer. + + * ntlm/init_sec_context.c: Leak less memory. + + * ntlm/init_sec_context.c: Announce that we support key exchange. + + * ntlm/init_sec_context.c: Add NTLM_NEG_NTLM2_SESSION, NTLMv2 + session security (disable because missing sign and seal). 
+ +2006-12-19 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/accept_sec_context.c: split RC4 send and recv keystreams + + * ntlm/init_sec_context.c: split RC4 send and recv keystreams + + * ntlm/ntlm.h: split RC4 send and recv keystreams + + * ntlm/crypto.c: Implement SEAL. + + * ntlm/crypto.c: move gss_wrap/gss_unwrap here + + * test_context.c: request INT and CONF from the gss layer, test + get and verify MIC. + + * ntlm/ntlm.h: add crypto bits. + + * ntlm/accept_sec_context.c: Save session master key. + + * Makefile.am: Move get and verify mic to the same file (crypto.c) + since they share code. + + * ntlm/crypto.c: Move get and verify mic to the same file since + they share code, implement NTLM v1 and dummy signatures. + + * ntlm/init_sec_context.c: pass on GSS_C_CONF_FLAG and + GSS_C_INTEG_FLAG, save the session master key + + * spnego/accept_sec_context.c: try using gss_accept_sec_context() + on the opportunistic token instead of guessing the acceptor name + and do gss_acquire_cred, this make SPNEGO work like before. + +2006-12-18 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/init_sec_context.c: Calculate the NTLM version 1 "master" + key. + + * spnego/accept_sec_context.c: Resurect negHints for the acceptor + sends first packet. + + * Makefile.am: Add "windows" versions of the NegTokenInitWin and + friends. + + * test_context.c: add --wrapunwrap flag + + * spnego/compat.c: move _gss_spnego_indicate_mechtypelist() to + compat.c, use the sequence types of MechTypeList, make + add_mech_type() static. + + * spnego/accept_sec_context.c: move + _gss_spnego_indicate_mechtypelist() to compat.c + + * Makefile.am: Generate sequence code for MechTypeList + + * spnego: check that the generated acceptor mechlist is acceptable too + + * spnego/init_sec_context.c: Abstract out the initiator filter + function, it will be needed for the acceptor too. + + * spnego/accept_sec_context.c: Abstract out the initiator filter + function, it will be needed for the acceptor too. 
Remove negHints. + + * test_context.c: allow asserting return mech + + * ntlm/accept_sec_context.c: add _gss_ntlm_allocate_ctx + + * ntlm/acquire_cred.c: Check that the KDC seem to there and + answering us, we can't do better then that wen checking if we will + accept the credential. + + * ntlm/get_mic.c: return GSS_S_UNAVAILABLE + + * mech/utils.h: add _gss_free_oid, reverse of _gss_copy_oid + + * mech/gss_utils.c: add _gss_free_oid, reverse of _gss_copy_oid + + * spnego/spnego.asn1: Its very sad, but NegHints its are not part + of the NegTokenInit, this makes SPNEGO acceptor life a lot harder. + + * spnego: try harder to handle names better. handle missing + acceptor and initator creds better (ie dont propose/accept mech + that there are no credentials for) split NegTokenInit and + NegTokenResp in acceptor + +2006-12-16 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/import_name.c: Allocate the buffer from the right length. + +2006-12-15 Love Hörnquist Åstrand <lha@it.su.se> + + * ntlm/init_sec_context.c (init_sec_context): Tell the other side + what domain we think we are talking to. + + * ntlm/delete_sec_context.c: free username and password + + * ntlm/release_name.c (_gss_ntlm_release_name): free name. + + * ntlm/import_name.c (_gss_ntlm_import_name): add support for + GSS_C_NT_HOSTBASED_SERVICE names + + * ntlm/ntlm.h: Add ntlm_name. + + * test_context.c: allow testing of ntlm. + + * gssapi_mech.h: add __gss_ntlm_initialize + + * ntlm/accept_sec_context.c (handle_type3): verify that the kdc + approved of the ntlm exchange too + + * mech/gss_mech_switch.c: Add the builtin ntlm mech + + * test_ntlm.c: NTLM test app. + + * mech/gss_accept_sec_context.c: Add detection of NTLMSSP. + + * gssapi/gssapi.h: add ntlm mech oid + + * ntlm/external.c: Switch OID to the ms ntlmssp oid + + * Makefile.am: Add ntlm gss-api module. + + * ntlm/accept_sec_context.c: Catch more error errors. + + * ntlm/accept_sec_context.c: Check after a credential to use. 
+ +2006-12-14 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/set_sec_context_option.c (GSS_KRB5_SET_DEFAULT_REALM_X): + don't fail on success. Bug report from Stefan Metzmacher. + +2006-12-13 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/init_sec_context.c (init_auth): only turn on + GSS_C_CONF_FLAG and GSS_C_INT_FLAG if the caller requseted it. + From Stefan Metzmacher. + +2006-12-11 Love Hörnquist Åstrand <lha@it.su.se> + + * Makefile.am (libgssapi_la_OBJECTS): depends on gssapi_asn1.h + spnego_asn1.h. + +2006-11-20 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/acquire_cred.c: Make krb5_get_init_creds_opt_free take a + context argument. + +2006-11-16 Love Hörnquist Åstrand <lha@it.su.se> + + * test_context.c: Test that token keys are the same, return + actual_mech. + +2006-11-15 Love Hörnquist Åstrand <lha@it.su.se> + + * spnego/spnego_locl.h: Make bitfields unsigned, add maybe_open. + + * spnego/accept_sec_context.c: Use ASN.1 encoder functions to + encode CHOICE structure now that we can handle it. + + * spnego/init_sec_context.c: Use ASN.1 encoder functions to encode + CHOICE structure now that we can handle it. + + * spnego/accept_sec_context.c (_gss_spnego_accept_sec_context): + send back ad accept_completed when the security context is ->open, + w/o this the client doesn't know that the server have completed + the transaction. + + * test_context.c: Add delegate flag and check that the delegated + cred works. + + * spnego/init_sec_context.c: Keep track of the opportunistic token + in the inital message, it might be a complete gss-api context, in + that case we'll get back accept_completed without any token. With + this change, krb5 w/o mutual authentication works. + + * spnego/accept_sec_context.c: Use ASN.1 encoder functions to + encode CHOICE structure now that we can handle it. + + * spnego/accept_sec_context.c: Filter out SPNEGO from the out + supported mechs list and make sure we don't select that for the + preferred mechamism. 
+ +2006-11-14 Love Hörnquist Åstrand <lha@it.su.se> + + * mech/gss_init_sec_context.c (_gss_mech_cred_find): break out the + cred finding to its own function + + * krb5/wrap.c: Better error strings, from Andrew Bartlet. + +2006-11-13 Love Hörnquist Åstrand <lha@it.su.se> + + * test_context.c: Create our own krb5_context. + + * krb5: Switch from using a specific error message context in the + TLS to have a whole krb5_context in TLS. This have some + interestion side-effekts for the configruration setting options + since they operate on per-thread basis now. + + * mech/gss_set_cred_option.c: When calling ->gm_set_cred_option + and checking for success, use GSS_S_COMPLETE. From Andrew Bartlet. + +2006-11-12 Love Hörnquist Åstrand <lha@it.su.se> + + * Makefile.am: Help solaris make even more. + + * Makefile.am: Help solaris make. + +2006-11-09 Love Hörnquist Åstrand <lha@it.su.se> + + * Makefile.am: remove include $(srcdir)/Makefile-digest.am for now + + * mech/gss_accept_sec_context.c: Try better guessing what is mech + we are going to select by looking harder at the input_token, idea + from Luke Howard's mechglue branch. + + * Makefile.am: libgssapi_la_OBJECTS: add depency on gkrb5_err.h + + * gssapi/gssapi_krb5.h: add GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X + + * mech/gss_krb5.c: implement gss_krb5_set_allowable_enctypes + + * gssapi/gssapi.h: GSS_KRB5_S_ + + * krb5/gsskrb5_locl.h: Include <gkrb5_err.h>. + + * gssapi/gssapi_krb5.h: Add gss_krb5_set_allowable_enctypes. + + * Makefile.am: Build and install gkrb5_err.h + + * krb5/gkrb5_err.et: Move the GSS_KRB5_S error here. + +2006-11-08 Love Hörnquist Åstrand <lha@it.su.se> + + * mech/gss_krb5.c: Add gsskrb5_set_default_realm. + + * krb5/set_sec_context_option.c: Support + GSS_KRB5_SET_DEFAULT_REALM_X. 
+ + * gssapi/gssapi_krb5.h: add GSS_KRB5_SET_DEFAULT_REALM_X + + * krb5/external.c: add GSS_KRB5_SET_DEFAULT_REALM_X + +2006-11-07 Love Hörnquist Åstrand <lha@it.su.se> + + * test_context.c: rename krb5_[gs]et_time_wrap to + krb5_[gs]et_max_time_skew + + * krb5/copy_ccache.c: _gsskrb5_extract_authz_data_from_sec_context + no longer used, bye bye + + * mech/gss_krb5.c: No depenency of the krb5 gssapi mech. + + * mech/gss_krb5.c (gsskrb5_extract_authtime_from_sec_context): use + _gsskrb5_decode_om_uint32. From Andrew Bartlet. + + * mech/gss_krb5.c: Add dummy gss_krb5_set_allowable_enctypes for + now. + + * spnego/spnego_locl.h: Include <roken.h> for compatiblity. + + * krb5/arcfour.c: Use IS_DCE_STYLE flag. There is no padding in + DCE-STYLE, don't try to use to. From Andrew Bartlett. + + * test_context.c: test wrap/unwrap, add flag for dce-style and + mutual auth, also support multi-roundtrip sessions + + * krb5/gsskrb5_locl.h: Add IS_DCE_STYLE macro. + + * krb5/accept_sec_context.c (gsskrb5_acceptor_start): use + krb5_rd_req_ctx + + * mech/gss_krb5.c (gsskrb5_get_subkey): return the per message + token subkey + + * krb5/inquire_sec_context_by_oid.c: check if there is any key at + all + +2006-11-06 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/inquire_sec_context_by_oid.c: Set more error strings, use + right enum for acceptor subkey. From Andrew Bartlett. + +2006-11-04 Love Hörnquist Åstrand <lha@it.su.se> + + * test_context.c: Test gsskrb5_extract_service_keyblock, needed in + PAC valication. From Andrew Bartlett + + * mech/gss_krb5.c: Add gsskrb5_extract_authz_data_from_sec_context + and keyblock extraction functions. + + * gssapi/gssapi_krb5.h: Add extraction of keyblock function, from + Andrew Bartlett. + + * krb5/external.c: Add GSS_KRB5_GET_SERVICE_KEYBLOCK_X + +2006-11-03 Love Hörnquist Åstrand <lha@it.su.se> + + * test_context.c: Rename various routines and constants from + canonize to canonicalize. 
From Andrew Bartlett + + * mech/gss_krb5.c: Rename various routines and constants from + canonize to canonicalize. From Andrew Bartlett + + * krb5/set_sec_context_option.c: Rename various routines and + constants from canonize to canonicalize. From Andrew Bartlett + + * krb5/external.c: Rename various routines and constants from + canonize to canonicalize. From Andrew Bartlett + + * gssapi/gssapi_krb5.h: Rename various routines and constants from + canonize to canonicalize. From Andrew Bartlett + +2006-10-25 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/accept_sec_context.c (gsskrb5_accept_delegated_token): need + to free ccache + +2006-10-24 Love Hörnquist Åstrand <lha@it.su.se> + + * test_context.c (loop): free target_name + + * mech/gss_accept_sec_context.c: SLIST_INIT the ->gc_mc' + + * mech/gss_acquire_cred.c : SLIST_INIT the ->gc_mc' + + * krb5/init_sec_context.c: Avoid leaking memory. + + * mech/gss_buffer_set.c (gss_release_buffer_set): don't leak the + ->elements memory. + + * test_context.c: make compile + + * krb5/cfx.c (_gssapi_verify_mic_cfx): always free crypto context. + + * krb5/set_cred_option.c (import_cred): free sp + +2006-10-22 Love Hörnquist Åstrand <lha@it.su.se> + + * mech/gss_add_oid_set_member.c: Use old implementation of + gss_add_oid_set_member, it leaks less memory. + + * krb5/test_cfx.c: free krb5_crypto. + + * krb5/test_cfx.c: free krb5_context + + * mech/gss_release_name.c (gss_release_name): free input_name + it-self. + +2006-10-21 Love Hörnquist Åstrand <lha@it.su.se> + + * test_context.c: Call setprogname. + + * mech/gss_krb5.c: Add gsskrb5_extract_authtime_from_sec_context. + + * gssapi/gssapi_krb5.h: add + gsskrb5_extract_authtime_from_sec_context + +2006-10-20 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/inquire_sec_context_by_oid.c: Add get_authtime. 
+ + * krb5/external.c: add GSS_KRB5_GET_AUTHTIME_X + + * gssapi/gssapi_krb5.h: add GSS_KRB5_GET_AUTHTIME_X + + * krb5/set_sec_context_option.c: Implement GSS_KRB5_SEND_TO_KDC_X. + + * mech/gss_krb5.c: Add gsskrb5_set_send_to_kdc + + * gssapi/gssapi_krb5.h: Add GSS_KRB5_SEND_TO_KDC_X and + gsskrb5_set_send_to_kdc + + * krb5/external.c: add GSS_KRB5_SEND_TO_KDC_X + + * Makefile.am: more files + +2006-10-19 Love Hörnquist Åstrand <lha@it.su.se> + + * Makefile.am: remove spnego/gssapi_spnego.h, its now in gssapi/ + + * test_context.c: Allow specifing mech. + + * krb5/external.c: add GSS_SASL_DIGEST_MD5_MECHANISM (for now) + + * gssapi/gssapi.h: Rename GSS_DIGEST_MECHANISM to + GSS_SASL_DIGEST_MD5_MECHANISM + +2006-10-18 Love Hörnquist Åstrand <lha@it.su.se> + + * mech/gssapi.asn1: Make it into a heim_any_set, its doesn't + except a tag. + + * mech/gssapi.asn1: GSSAPIContextToken is IMPLICIT SEQUENCE + + * gssapi/gssapi_krb5.h: add GSS_KRB5_GET_ACCEPTOR_SUBKEY_X + + * krb5/external.c: Add GSS_KRB5_GET_ACCEPTOR_SUBKEY_X. + + * gssapi/gssapi_krb5.h: add GSS_KRB5_GET_INITIATOR_SUBKEY_X and + GSS_KRB5_GET_SUBKEY_X + + * krb5/external.c: add GSS_KRB5_GET_INITIATOR_SUBKEY_X, + GSS_KRB5_GET_SUBKEY_X + +2006-10-17 Love Hörnquist Åstrand <lha@it.su.se> + + * test_context.c: Support switching on name type oid's + + * test_context.c: add test for dns canon flag + + * mech/gss_krb5.c: Add gsskrb5_set_dns_canonlize. + + * gssapi/gssapi_krb5.h: remove gss_krb5_compat_des3_mic + + * gssapi/gssapi_krb5.h: Add gsskrb5_set_dns_canonlize. + + * krb5/set_sec_context_option.c: implement + GSS_KRB5_SET_DNS_CANONIZE_X + + * gssapi/gssapi_krb5.h: add GSS_KRB5_SET_DNS_CANONIZE_X + + * krb5/external.c: add GSS_KRB5_SET_DNS_CANONIZE_X + + * mech/gss_krb5.c: add bits to make lucid context work + +2006-10-14 Love Hörnquist Åstrand <lha@it.su.se> + + * mech/gss_oid_to_str.c: Prefix der primitives with der_. + + * krb5/inquire_sec_context_by_oid.c: Prefix der primitives with + der_. 
+ + * krb5/encapsulate.c: Prefix der primitives with der_. + + * mech/gss_oid_to_str.c: New der_print_heim_oid signature. + +2006-10-12 Love Hörnquist Åstrand <lha@it.su.se> + + * Makefile.am: add test_context + + * krb5/inquire_sec_context_by_oid.c: Make it work. + + * test_oid.c: Test lucid oid. + + * gssapi/gssapi.h: Add OM_uint64_t. + + * krb5/inquire_sec_context_by_oid.c: Add lucid interface. + + * krb5/external.c: Add lucid interface, renumber oids to my + delegated space. + + * mech/gss_krb5.c: Add lucid interface. + + * gssapi/gssapi_krb5.h: Add lucid interface. + + * spnego/spnego_locl.h: Maybe include <netdb.h>. + +2006-10-09 Love Hörnquist Åstrand <lha@it.su.se> + + * mech/gss_mech_switch.c: define RTLD_LOCAL to 0 if not defined. + +2006-10-08 Love Hörnquist Åstrand <lha@it.su.se> + + * Makefile.am: install gssapi_krb5.H and gssapi_spnego.h + + * gssapi/gssapi_krb5.h: Move krb5 stuff to <gssapi/gssapi_krb5.h>. + + * gssapi/gssapi.h: Move krb5 stuff to <gssapi/gssapi_krb5.h>. + + * Makefile.am: Drop some -I no longer needed. + + * gssapi/gssapi_spnego.h: Move gssapi_spengo.h over here. + + * krb5: reference all include files using 'krb5/' + +2006-10-07 Love Hörnquist Åstrand <lha@it.su.se> + + * gssapi.h: Add file inclusion protection. + + * gssapi/gssapi.h: Correct header file inclusion protection. + + * gssapi/gssapi.h: Move the gssapi.h from lib/gssapi/ to + lib/gssapi/gssapi/ to please automake. + + * spnego/spnego_locl.h: Maybe include <sys/types.h>. + + * mech/mech_locl.h: Include <roken.h>. + + * Makefile.am: split build files into dist_ and noinst_ SOURCES + +2006-10-06 Love Hörnquist Åstrand <lha@it.su.se> + + * gss.c: #if 0 out unused code. + + * mech/gss_mech_switch.c: Cast argument to ctype(3) functions + to (unsigned char). 
+ +2006-10-05 Love Hörnquist Åstrand <lha@it.su.se> + + * mech/name.h: remove <sys/queue.h> + + * mech/mech_switch.h: remove <sys/queue.h> + + * mech/cred.h: remove <sys/queue.h> + +2006-10-02 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/arcfour.c: Thinker more with header lengths. + + * krb5/arcfour.c: Improve the calcucation of header + lengths. DCE-STYLE data is also padded so remove if (1 || ...) + code. + + * krb5/wrap.c (_gsskrb5_wrap_size_limit): use + _gssapi_wrap_size_arcfour for arcfour + + * krb5/arcfour.c: Move _gssapi_wrap_size_arcfour here. + + * Makefile.am: Split all mech to diffrent mechsrc variables. + + * spnego/context_stubs.c: Make internal function static (and + rename). + +2006-10-01 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/inquire_cred.c: Fix "if (x) lock(y)" bug. From Harald + Barth. + + * spnego/spnego_locl.h: Include <sys/param.h> for MAXHOSTNAMELEN. + +2006-09-25 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/arcfour.c: Add wrap support, interrop with itself but not + w2k3s-sp1 + + * krb5/gsskrb5_locl.h: move the arcfour specific stuff to the + arcfour header. + + * krb5/arcfour.c: Support DCE-style unwrap, tested with + w2k3server-sp1. + + * mech/gss_accept_sec_context.c (gss_accept_sec_context): if the + token doesn't start with [APPLICATION 0] SEQUENCE, lets assume its + a DCE-style kerberos 5 connection. XXX this needs to be made + better in cause we get another GSS-API protocol violating + protocol. It should be possible to detach the Kerberos DCE-style + since it starts with a AP-REQ PDU, but that have to wait for now. + +2006-09-22 Love Hörnquist Åstrand <lha@it.su.se> + + * gssapi.h: Add GSS_C flags from + draft-brezak-win2k-krb-rc4-hmac-04.txt. + + * krb5/delete_sec_context.c: Free service_keyblock and fwd_data, + indent. + + * krb5/accept_sec_context.c: Merge of the acceptor part from the + samba patch by Stefan Metzmacher and Andrew Bartlet. + + * krb5/init_sec_context.c: Add GSS_C_DCE_STYLE. 
+ + * krb5/{init_sec_context.c,gsskrb5_locl.h}: merge most of the + initiator part from the samba patch by Stefan Metzmacher and + Andrew Bartlet (still missing DCE/RPC support) + +2006-08-28 Love Hörnquist Åstrand <lha@it.su.se> + + * gss.c (help): use sl_slc_help(). + +2006-07-22 Love Hörnquist Åstrand <lha@it.su.se> + + * gss-commands.in: rename command to supported-mechanisms + + * Makefile.am: Make gss objects depend on the slc built + gss-commands.h + +2006-07-20 Love Hörnquist Åstrand <lha@it.su.se> + + * gss-commands.in: add slc commands for gss + + * krb5/gsskrb5_locl.h: Remove dup prototype of _gsskrb5_init() + + * Makefile.am: Add test_cfx + + * krb5/external.c: add GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X + + * krb5/set_sec_context_option.c: catch + GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X + + * krb5/accept_sec_context.c: reimplement + gsskrb5_register_acceptor_identity + + * mech/gss_krb5.c: implement gsskrb5_register_acceptor_identity + + * mech/gss_inquire_mechs_for_name.c: call _gss_load_mech + + * mech/gss_inquire_cred.c (gss_inquire_cred): call _gss_load_mech + + * mech/gss_mech_switch.c: Make _gss_load_mech() atomic and run + only once, this have the side effect that _gss_mechs and + _gss_mech_oids is only initialized once, so if just the users of + these two global variables calls _gss_load_mech() first, it will + act as a barrier and make sure the variables are never changed and + we don't need to lock them. + + * mech/utils.h: no need to mark functions extern. + + * mech/name.h: no need to mark _gss_find_mn extern. + +2006-07-19 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/cfx.c: Redo the wrap length calculations. + + * krb5/test_cfx.c: test max_wrap_size in cfx.c + + * mech/gss_display_status.c: Handle more error codes. + +2006-07-07 Love Hörnquist Åstrand <lha@it.su.se> + + * mech/mech_locl.h: Include <krb5-types.h> and "mechqueue.h" + + * mech/mechqueue.h: Add SLIST macros. + + * krb5/inquire_context.c: Don't free return values on success. 
+ + * krb5/inquire_cred.c (_gsskrb5_inquire_cred): When cred provided + is the default cred, acquire the acceptor cred and initator cred + in two diffrent steps and then query them for the information, + this way, the code wont fail if there are no keytab, but there is + a credential cache. + + * mech/gss_inquire_cred.c: move the check if we found any cred + where it matter for both cases + (default cred and provided cred) + + * mech/gss_init_sec_context.c: If the desired mechanism can't + convert the name to a MN, fail with GSS_S_BAD_NAME rather then a + NULL de-reference. + +2006-07-06 Love Hörnquist Åstrand <lha@it.su.se> + + * spnego/external.c: readd gss_spnego_inquire_names_for_mech + + * spnego/spnego_locl.h: reimplement + gss_spnego_inquire_names_for_mech add support function + _gss_spnego_supported_mechs + + * spnego/context_stubs.h: reimplement + gss_spnego_inquire_names_for_mech add support function + _gss_spnego_supported_mechs + + * spnego/context_stubs.c: drop gss_spnego_indicate_mechs + + * mech/gss_indicate_mechs.c: if the underlaying mech doesn't + support gss_indicate_mechs, use the oid in the mechswitch + structure + + * spnego/external.c: let the mech glue layer implement + gss_indicate_mechs + + * spnego/cred_stubs.c (gss_spnego_acquire_cred): don't care about + desired_mechs, get our own list with indicate_mechs and remove + ourself. 
+ +2006-07-05 Love Hörnquist Åstrand <lha@it.su.se> + + * spnego/external.c: remove gss_spnego_inquire_names_for_mech, let + the mechglue layer implement it + + * spnego/context_stubs.c: remove gss_spnego_inquire_names_for_mech, let + the mechglue layer implement it + + * spnego/spnego_locl.c: remove gss_spnego_inquire_names_for_mech, let + the mechglue layer implement it + +2006-07-01 Love Hörnquist Åstrand <lha@it.su.se> + + * mech/gss_set_cred_option.c: fix argument to gss_release_cred + +2006-06-30 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/init_sec_context.c: Make work on compilers that are + somewhat more picky then gcc4 (like gcc2.95) + + * krb5/init_sec_context.c (do_delegation): use KDCOptions2int to + convert fwd_flags to an integer, since otherwise int2KDCOptions in + krb5_get_forwarded_creds wont do the right thing. + + * mech/gss_set_cred_option.c (gss_set_cred_option): free memory on + failure + + * krb5/set_sec_context_option.c (_gsskrb5_set_sec_context_option): + init global kerberos context + + * krb5/set_cred_option.c (_gsskrb5_set_cred_option): init global + kerberos context + + * mech/gss_accept_sec_context.c: Insert the delegated sub cred on + the delegated cred handle, not cred handle + + * mech/gss_accept_sec_context.c (gss_accept_sec_context): handle + the case where ret_flags == NULL + + * mech/gss_mech_switch.c (add_builtin): set + _gss_mech_switch->gm_mech_oid + + * mech/gss_set_cred_option.c (gss_set_cred_option): laod mechs + + * test_cred.c (gss_print_errors): don't try to print error when + gss_display_status failed + + * Makefile.am: Add mech/gss_release_oid.c + + * mech/gss_release_oid.c: Add gss_release_oid, reverse of + gss_duplicate_oid + + * spnego/compat.c: preferred_mech_type was allocated with + gss_duplicate_oid in one place and assigned static varianbles a + the second place. change that static assignement to + gss_duplicate_oid and bring back gss_release_oid. 
+ + * spnego/compat.c (_gss_spnego_delete_sec_context): don't release + preferred_mech_type and negotiated_mech_type, they where never + allocated from the begining. + +2006-06-29 Love Hörnquist Åstrand <lha@it.su.se> + + * mech/gss_import_name.c (gss_import_name): avoid + type-punned/strict aliasing rules + + * mech/gss_add_cred.c: avoid type-punned/strict aliasing rules + + * gssapi.h: Make gss_name_t an opaque type. + + * krb5: make gss_name_t an opaque type + + * krb5/set_cred_option.c: Add + + * mech/gss_set_cred_option.c (gss_set_cred_option): support the + case where *cred_handle == NULL + + * mech/gss_krb5.c (gss_krb5_import_cred): make sure cred is + GSS_C_NO_CREDENTIAL on failure. + + * mech/gss_acquire_cred.c (gss_acquire_cred): if desired_mechs is + NO_OID_SET, there is a need to load the mechs, so always do that. + +2006-06-28 Love Hörnquist Åstrand <lha@it.su.se> + + * krb5/inquire_cred_by_oid.c: Reimplement GSS_KRB5_COPY_CCACHE_X + to instead pass a fullname to the credential, then resolve and + copy out the content, and then close the cred. + + * mech/gss_krb5.c: Reimplement GSS_KRB5_COPY_CCACHE_X to instead + pass a fullname to the credential, then resolve and copy out the + content, and then close the cred. + + * krb5/inquire_cred_by_oid.c: make "work", GSS_KRB5_COPY_CCACHE_X + interface needs to be re-done, currently its utterly broken. + + * mech/gss_set_cred_option.c: Make work. + + * krb5/external.c: Add _gsskrb5_set_{sec_context,cred}_option + + * mech/gss_krb5.c (gss_krb5_import_cred): implement + + * Makefile.am: Add gss_set_{sec_context,cred}_option and sort + + * mech/gss_set_{sec_context,cred}_option.c: add + + * gssapi.h: Add GSS_KRB5_IMPORT_CRED_X + + * test_*.c: make compile again + + * Makefile.am: Add lib dependencies and test programs + + * spnego: remove dependency on libkrb5 + + * mech: Bug fixes, cleanup, compiler warnings, restructure code. 
+ + * spnego: Rename gss_context_id_t and gss_cred_id_t to local names + + * krb5: repro copy the krb5 files here + + * mech: import Doug Rabson mechglue from freebsd + + * spnego: Import Luke Howard's SPNEGO from the mechglue branch + +2006-06-22 Love Hörnquist Åstrand <lha@it.su.se> + + * gssapi.h: Add oid_to_str. + + * Makefile.am: add oid_to_str and test_oid + + * oid_to_str.c: Add gss_oid_to_str + + * test_oid.c: Add test for gss_oid_to_str() + +2006-05-13 Love Hörnquist Åstrand <lha@it.su.se> + + * verify_mic.c: Less pointer signedness warnings. + + * unwrap.c: Less pointer signedness warnings. + + * arcfour.c: Less pointer signedness warnings. + + * gssapi_locl.h: Use const void * to instead of unsigned char * to + avoid pointer signedness warnings. + + * encapsulate.c: Use const void * to instead of unsigned char * to + avoid pointer signedness warnings. + + * decapsulate.c: Use const void * to instead of unsigned char * to + avoid pointer signedness warnings. + + * decapsulate.c: Less pointer signedness warnings. + + * cfx.c: Less pointer signedness warnings. + + * init_sec_context.c: Less pointer signedness warnings (partly by + using the new asn.1 CHOICE decoder) + + * import_sec_context.c: Less pointer signedness warnings. + +2006-05-09 Love Hörnquist Åstrand <lha@it.su.se> + + * accept_sec_context.c (gsskrb5_is_cfx): always set is_cfx. From + Andrew Abartlet. + +2006-05-08 Love Hörnquist Åstrand <lha@it.su.se> + + * get_mic.c (mic_des3): make sure message_buffer doesn't point to + free()ed memory on failure. Pointed out by IBM checker. + +2006-05-05 Love Hörnquist Åstrand <lha@it.su.se> + + * Rename u_intXX_t to uintXX_t + +2006-05-04 Love Hörnquist Åstrand <lha@it.su.se> + + * cfx.c: Less pointer signedness warnings. + + * arcfour.c: Avoid pointer signedness warnings. 
+ + * gssapi_locl.h (gssapi_decode_*): make data argument const void * + + * 8003.c (gssapi_decode_*): make data argument const void * + +2006-04-12 Love Hörnquist Åstrand <lha@it.su.se> + + * export_sec_context.c: Export sequence order element. From Wynn + Wilkes <wynn.wilkes@quest.com>. + + * import_sec_context.c: Import sequence order element. From Wynn + Wilkes <wynn.wilkes@quest.com>. + + * sequence.c (_gssapi_msg_order_import,_gssapi_msg_order_export): + New functions, used by {import,export}_sec_context. From Wynn + Wilkes <wynn.wilkes@quest.com>. + + * test_sequence.c: Add test for import/export sequence. + +2006-04-09 Love Hörnquist Åstrand <lha@it.su.se> + + * add_cred.c: Check that cred != GSS_C_NO_CREDENTIAL, this is a + standard conformance failure, but much better then a crash. + +2006-04-02 Love Hörnquist Åstrand <lha@it.su.se> + + * get_mic.c (get_mic*)_: make sure message_token is cleaned on + error, found by IBM checker. + + * wrap.c (wrap*): Reset output_buffer on error, found by IBM + checker. + +2006-02-15 Love Hörnquist Åstrand <lha@it.su.se> + + * import_name.c: Accept both GSS_C_NT_HOSTBASED_SERVICE and + GSS_C_NT_HOSTBASED_SERVICE_X as nametype for hostbased names. + +2006-01-16 Love Hörnquist Åstrand <lha@it.su.se> + + * delete_sec_context.c (gss_delete_sec_context): if the context + handle is GSS_C_NO_CONTEXT, don't fall over. + +2005-12-12 Love Hörnquist Åstrand <lha@it.su.se> + + * gss_acquire_cred.3: Replace gss_krb5_import_ccache with + gss_krb5_import_cred and add more references + +2005-12-05 Love Hörnquist Åstrand <lha@it.su.se> + + * gssapi.h: Change gss_krb5_import_ccache to gss_krb5_import_cred, + it can handle keytabs too. + + * add_cred.c (gss_add_cred): avoid deadlock + + * context_time.c (gssapi_lifetime_left): define the 0 lifetime as + GSS_C_INDEFINITE. 
+ +2005-12-01 Love Hörnquist Åstrand <lha@it.su.se> + + * acquire_cred.c (acquire_acceptor_cred): only check if principal + exists if we got called with principal as an argument. + + * acquire_cred.c (acquire_acceptor_cred): check that the acceptor + exists in the keytab before returning ok. + +2005-11-29 Love Hörnquist Åstrand <lha@it.su.se> + + * copy_ccache.c (gss_krb5_import_cred): fix buglet, from Andrew + Bartlett. + +2005-11-25 Love Hörnquist Åstrand <lha@it.su.se> + + * test_kcred.c: Rename gss_krb5_import_ccache to + gss_krb5_import_cred. + + * copy_ccache.c: Rename gss_krb5_import_ccache to + gss_krb5_import_cred and let it grow code to handle keytabs too. + +2005-11-02 Love Hörnquist Åstrand <lha@it.su.se> + + * init_sec_context.c: Change sematics of ok-as-delegate to match + windows if + [gssapi]realm/ok-as-delegate=true is set, otherwise keep old + sematics. + + * release_cred.c (gss_release_cred): use + GSS_CF_DESTROY_CRED_ON_RELEASE to decide if the cache should be + krb5_cc_destroy-ed + + * acquire_cred.c (acquire_initiator_cred): + GSS_CF_DESTROY_CRED_ON_RELEASE on created credentials. + + * accept_sec_context.c (gsskrb5_accept_delegated_token): rewrite + to use gss_krb5_import_ccache + +2005-11-01 Love Hörnquist Åstrand <lha@it.su.se> + + * arcfour.c: Remove signedness warnings. + +2005-10-31 Love Hörnquist Åstrand <lha@it.su.se> + + * gss_acquire_cred.3: Document that gss_krb5_import_ccache is copy + by reference. + + * copy_ccache.c (gss_krb5_import_ccache): Instead of making a copy + of the ccache, make a reference by getting the name and resolving + the name. This way the cache is shared, this flipp side is of + course that if someone calls krb5_cc_destroy the cache is lost for + everyone. + + * test_kcred.c: Remove memory leaks. + +2005-10-26 Love Hörnquist Åstrand <lha@it.su.se> + + * Makefile.am: build test_kcred + + * gss_acquire_cred.3: Document gss_krb5_import_ccache + + * gssapi.3: Sort and add gss_krb5_import_ccache. 
+ + * acquire_cred.c (_gssapi_krb5_ccache_lifetime): break out code + used to extract lifetime from a credential cache + + * gssapi_locl.h: Add _gssapi_krb5_ccache_lifetime, used to extract + lifetime from a credential cache. + + * gssapi.h: add gss_krb5_import_ccache, reverse of + gss_krb5_copy_ccache + + * copy_ccache.c: add gss_krb5_import_ccache, reverse of + gss_krb5_copy_ccache + + * test_kcred.c: test gss_krb5_import_ccache + +2005-10-21 Love Hörnquist Åstrand <lha@it.su.se> + + * acquire_cred.c (acquire_initiator_cred): use krb5_cc_cache_match + to find a matching creditial cache, if that failes, fallback to + the default cache. + +2005-10-12 Love Hörnquist Åstrand <lha@it.su.se> + + * gssapi_locl.h: Add gssapi_krb5_set_status and + gssapi_krb5_clear_status + + * init_sec_context.c (spnego_reply): Don't pass back raw Kerberos + errors, use GSS-API errors instead. From Michael B Allen. + + * display_status.c: Add gssapi_krb5_clear_status, + gssapi_krb5_set_status for handling error messages. + +2005-08-23 Love Hörnquist Åstrand <lha@it.su.se> + + * external.c: Use rk_UNCONST to avoid const warning. + + * display_status.c: Constify strings to avoid warnings. + +2005-08-11 Love Hörnquist Åstrand <lha@it.su.se> + + * init_sec_context.c: avoid warnings, update (c) + +2005-07-13 Love Hörnquist Åstrand <lha@it.su.se> + + * init_sec_context.c (spnego_initial): use NegotiationToken + encoder now that we have one with the new asn1. compiler. 
+ + * Makefile.am: the new asn.1 compiler includes the modules name in + the depend file + +2005-06-16 Love Hörnquist Åstrand <lha@it.su.se> + + * decapsulate.c: use rk_UNCONST + + * ccache_name.c: rename to avoid shadowing + + * gssapi_locl.h: give kret in GSSAPI_KRB5_INIT a more unique name + + * process_context_token.c: use rk_UNCONST to unconstify + + * test_cred.c: rename optind to optidx + +2005-05-30 Love Hörnquist Åstrand <lha@it.su.se> + + * init_sec_context.c (init_auth): honor ok-as-delegate if local + configuration approves + + * gssapi_locl.h: prototype for _gss_check_compat + + * compat.c: export check_compat as _gss_check_compat + +2005-05-29 Love Hörnquist Åstrand <lha@it.su.se> + + * init_sec_context.c: Prefix Der_class with ASN1_C_ to avoid + problems with system headerfiles that pollute the name space. + + * accept_sec_context.c: Prefix Der_class with ASN1_C_ to avoid + problems with system headerfiles that pollute the name space. + +2005-05-17 Love Hörnquist Åstrand <lha@it.su.se> + + * init_sec_context.c (init_auth): set + KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED (for java compatibility), + also while here, use krb5_auth_con_addflags + +2005-05-06 Love Hörnquist Åstrand <lha@it.su.se> + + * arcfour.c (_gssapi_wrap_arcfour): fix calculating the encap + length. 
From: Tom Maher <tmaher@eecs.berkeley.edu> + +2005-05-02 Dave Love <fx@gnu.org> + + * test_cred.c (main): Call setprogname. + +2005-04-27 Love Hörnquist Åstrand <lha@it.su.se> + + * prefix all sequence symbols with _, they are not part of the + GSS-API api. By comment from Wynn Wilkes <wynnw@vintela.com> + +2005-04-10 Love Hörnquist Åstrand <lha@it.su.se> + + * accept_sec_context.c: break out the processing of the delegated + credential to a separate function to make error handling easier, + move the credential handling to after other setup is done + + * test_sequence.c: make less verbose in case of success + + * Makefile.am: add test_sequence to TESTS + +2005-04-01 Love Hörnquist Åstrand <lha@it.su.se> + + * 8003.c (gssapi_krb5_verify_8003_checksum): check that cksum + isn't NULL 
From: Nicolas Pouvesle <npouvesle@tenablesecurity.com> + +2005-03-21 Love Hörnquist Åstrand <lha@it.su.se> + + * Makefile.am: use $(LIB_roken) + +2005-03-16 Love Hörnquist Åstrand <lha@it.su.se> + + * display_status.c (gssapi_krb5_set_error_string): pass in the + krb5_context to krb5_free_error_string + +2005-03-15 Love Hörnquist Åstrand <lha@it.su.se> + + * display_status.c (gssapi_krb5_set_error_string): don't misuse + the krb5_get_error_string api + +2005-03-01 Love Hörnquist Åstrand <lha@it.su.se> + + * compat.c (_gss_DES3_get_mic_compat): don't unlock mutex + here. Bug reported by Stefan Metzmacher <metze@samba.org> + +2005-02-21 Luke Howard <lukeh@padl.com> + + * init_sec_context.c: don't call krb5_get_credentials() with + KRB5_TC_MATCH_KEYTYPE, it can lead to the credentials cache + growing indefinitely as no key is found with KEYTYPE_NULL + + * compat.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, it is + no longer used (however the mechListMIC behaviour is broken, + rfc2478bis support requires the code in the mechglue branch) + + * init_sec_context.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG + + * gssapi.h: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG + +2005-01-05 Luke Howard <lukeh@padl.com> + + * 8003.c: use symbolic name for checksum type + + * accept_sec_context.c: allow client to indicate + that subkey should be used + + * acquire_cred.c: plug leak + + * get_mic.c: use gss_krb5_get_subkey() instead + of gss_krb5_get_{local,remote}key(), support + KEYTYPE_ARCFOUR_56 + + * gssapi_local.c: use gss_krb5_get_subkey(), + support KEYTYPE_ARCFOUR_56 + + * import_sec_context.c: plug leak + + * unwrap.c: use gss_krb5_get_subkey(), + support KEYTYPE_ARCFOUR_56 + + * verify_mic.c: use gss_krb5_get_subkey(), + support KEYTYPE_ARCFOUR_56 + + * wrap.c: use gss_krb5_get_subkey(), + support KEYTYPE_ARCFOUR_56 + +2004-11-30 Love Hörnquist Åstrand <lha@it.su.se> + + * inquire_cred.c: Reverse order of HEIMDAL_MUTEX_unlock and + gss_release_cred to avoid deadlock, from Luke 
Howard + <lukeh@padl.com>. + +2004-09-06 Love Hörnquist Åstrand <lha@it.su.se> + + * gss_acquire_cred.3: gss_krb5_extract_authz_data_from_sec_context + was renamed to gsskrb5_extract_authz_data_from_sec_context + +2004-08-07 Love Hörnquist Åstrand <lha@it.su.se> + + * unwrap.c: mutex buglet, From: Luke Howard <lukeh@PADL.COM> + + * arcfour.c: mutex buglet, From: Luke Howard <lukeh@PADL.COM> + +2004-05-06 Love Hörnquist Åstrand <lha@it.su.se> + + * gssapi.3: spelling from Josef El-Rayes <josef@FreeBSD.org> while + here, write some text about the SPNEGO situation + +2004-04-08 Love Hörnquist Åstrand <lha@it.su.se> + + * cfx.c: s/CTXAcceptorSubkey/CFXAcceptorSubkey/ + +2004-04-07 Love Hörnquist Åstrand <lha@it.su.se> + + * gssapi.h: add GSS_C_EXPECTING_MECH_LIST_MIC_FLAG From: Luke + Howard <lukeh@padl.com> + + * init_sec_context.c (spnego_reply): use + _gss_spnego_require_mechlist_mic to figure out if we need to check + MechListMIC; From: Luke Howard <lukeh@padl.com> + + * accept_sec_context.c (send_accept): use + _gss_spnego_require_mechlist_mic to figure out if we need to send + MechListMIC; From: Luke Howard <lukeh@padl.com> + + * gssapi_locl.h: add _gss_spnego_require_mechlist_mic + From: Luke Howard <lukeh@padl.com> + + * compat.c: add _gss_spnego_require_mechlist_mic for compatibility + with MS SPNEGO, From: Luke Howard <lukeh@padl.com> + +2004-04-05 Love Hörnquist Åstrand <lha@it.su.se> + + * accept_sec_context.c (gsskrb5_is_cfx): krb5_keyblock->keytype is + an enctype, not keytype + + * accept_sec_context.c: use ASN1_MALLOC_ENCODE + + * init_sec_context.c: avoid the malloc loop and just allocate the + propper amount of data + + * init_sec_context.c (spnego_initial): handle mech_token better + +2004-03-19 Love Hörnquist Åstrand <lha@it.su.se> + + * gssapi.h: add gss_krb5_get_tkt_flags + + * Makefile.am: add ticket_flags.c + + * ticket_flags.c: Get ticket-flags from acceptor ticket 
From: Luke + Howard <lukeh@PADL.COM> + + * gss_acquire_cred.3: document gss_krb5_get_tkt_flags + +2004-03-14 Love Hörnquist Åstrand <lha@it.su.se> + + * acquire_cred.c (gss_acquire_cred): check usage before even + bothering to process it, add both keytab and initial tgt if + requested + + * wrap.c: support cfx, try to handle acceptor asserted subkey + + * unwrap.c: support cfx, try to handle acceptor asserted subkey + + * verify_mic.c: support cfx + + * get_mic.c: support cfx + + * test_sequence.c: handle changed signature of + gssapi_msg_order_create + + * import_sec_context.c: handle acceptor asserted subkey + + * init_sec_context.c: handle acceptor asserted subkey + + * accept_sec_context.c: handle acceptor asserted subkey + + * sequence.c: add dummy use_64 argument to gssapi_msg_order_create + + * gssapi_locl.h: add partial support for CFX + + * Makefile.am (noinst_PROGRAMS) += test_cred + + * test_cred.c: gssapi credential testing + + * test_acquire_cred.c: fix comment + +2004-03-07 Love Hörnquist Åstrand <lha@it.su.se> + + * arcfour.h: drop structures for message formats, no longer used + + * arcfour.c: comment describing message formats + + * accept_sec_context.c (spnego_accept_sec_context): make sure the + length of the choice element doesn't overrun us + + * init_sec_context.c (spnego_reply): make sure the length of the + choice element doesn't overrun us + + * spnego.asn1: move NegotiationToken to avoid warning + + * spnego.asn1: uncomment NegotiationToken + + * Makefile.am: spnego_files += asn1_NegotiationToken.x + +2004-01-25 Love Hörnquist Åstrand <lha@it.su.se> + + * gssapi.h: add gss_krb5_ccache_name + + * Makefile.am (libgssapi_la_SOURCES): += ccache_name.c + + * ccache_name.c (gss_krb5_ccache_name): help function enable to + set krb5 name, using out_name argument makes function no longer + thread-safe + + * gssapi.3: add missing gss_krb5_ references + + * gss_acquire_cred.3: document gss_krb5_ccache_name + +2003-12-12 Love Hörnquist Åstrand 
<lha@it.su.se> + + * cfx.c: make rrc a modulus operation if its longer then the + length of the message, noticed by Sam Hartman + +2003-12-07 Love Hörnquist Åstrand <lha@it.su.se> + + * accept_sec_context.c: use krb5_auth_con_addflags + +2003-12-05 Love Hörnquist Åstrand <lha@it.su.se> + + * cfx.c: Wrap token id was in wrong order, found by Sam Hartman + +2003-12-04 Love Hörnquist Åstrand <lha@it.su.se> + + * cfx.c: add AcceptorSubkey (but no code understand it yet) ignore + unknown token flags + +2003-11-22 Love Hörnquist Åstrand <lha@it.su.se> + + * accept_sec_context.c: Don't require timestamp to be set on + delegated token, its already protected by the outer token (and + windows doesn't alway send it) Pointed out by Zi-Bin Yang <zbyang@decru.com> on heimdal-discuss -2003-10-21 Love Hörnquist Åstrand <lha@it.su.se> +2003-11-14 Love Hörnquist Åstrand <lha@it.su.se> + + * cfx.c: fix {} error, pointed out by Liqiang Zhu + +2003-11-10 Love Hörnquist Åstrand <lha@it.su.se> + + * cfx.c: Sequence number should be stored in bigendian order From: + Luke Howard <lukeh@padl.com> + +2003-11-09 Love Hörnquist Åstrand <lha@it.su.se> + + * delete_sec_context.c (gss_delete_sec_context): don't free + ticket, krb5_free_ticket does that now + +2003-11-06 Love Hörnquist Åstrand <lha@it.su.se> - * add_cred.c: 1.3->1.4: If its a MEMORY cc, make a copy. We need - to do this since now gss_release_cred will destroy the cred. This - should be really be solved a better way. + * cfx.c: checksum the header last in MIC token, update to -03 + 
From: Luke Howard <lukeh@padl.com> 2003-10-07 Love Hörnquist Åstrand <lha@it.su.se> - * release_cred.c: 1.9->1.10: - (gss_release_cred): if its a mcc, destroy it rather the just release it - Found by: "Zi-Bin Yang" <zbyang@decru.com> + * add_cred.c: If its a MEMORY cc, make a copy. We need to do this + since now gss_release_cred will destroy the cred. This should be + really be solved a better way. + + * acquire_cred.c (gss_release_cred): if its a mcc, destroy it + rather the just release it Found by: "Zi-Bin Yang" + <zbyang@decru.com> + + * acquire_cred.c (acquire_initiator_cred): use kret instead of ret + where appropriate + +2003-09-30 Love Hörnquist Åstrand <lha@it.su.se> + + * gss_acquire_cred.3: spelling + From: jmc <jmc@prioris.mini.pw.edu.pl> + +2003-09-23 Love Hörnquist Åstrand <lha@it.su.se> + + * cfx.c: - EC and RRC are big-endian, not little-endian - The + default is now to rotate regardless of GSS_C_DCE_STYLE. There are + no longer any references to GSS_C_DCE_STYLE. - rrc_rotate() + avoids allocating memory on the heap if rrc <= 256 + From: Luke Howard <lukeh@padl.com> + +2003-09-22 Love Hörnquist Åstrand <lha@it.su.se> + + * cfx.[ch]: rrc_rotate() was untested and broken, fix it. + Set and verify wrap Token->Filler. + Correct token ID for wrap tokens, + were accidentally swapped with delete tokens. + From: Luke Howard <lukeh@PADL.COM> + +2003-09-21 Love Hörnquist Åstrand <lha@it.su.se> + + * cfx.[ch]: no ASN.1-ish header on per-message tokens + 
From: Luke Howard <lukeh@PADL.COM> 2003-09-19 Love Hörnquist Åstrand <lha@it.su.se> - * arcfour.c: 1.13->1.14: remove depenency on gss_arcfour_mic_token - and gss_arcfour_warp_token + * arcfour.h: remove depenency on gss_arcfour_mic_token and + gss_arcfour_warp_token + + * arcfour.c: remove depenency on gss_arcfour_mic_token and + gss_arcfour_warp_token + +2003-09-18 Love Hörnquist Åstrand <lha@it.su.se> + + * 8003.c: remove #if 0'ed code - * arcfour.h: 1.3->1.4: remove depenency on gss_arcfour_mic_token - and gss_arcfour_warp_token +2003-09-17 Love Hörnquist Åstrand <lha@it.su.se> + + * accept_sec_context.c (gsskrb5_accept_sec_context): set sequence + number when not requesting mutual auth From: Luke Howard + <lukeh@PADL.COM> - * arcfour.c: make build + * init_sec_context.c (init_auth): set sequence number when not + requesting mutual auth From: Luke Howard <lukeh@PADL.COM> - * get_mic.c, verify_mic.c, unwrap.c, wrap.c: - glue in arcfour support +2003-09-16 Love Hörnquist Åstrand <lha@it.su.se> - * gssapi_locl.h: 1.32->1.33: add _gssapi_verify_pad + * arcfour.c (*): set minor_status + (gss_wrap): set conf_state to conf_req_flags on success + From: Luke Howard <lukeh@PADL.COM> -2003-09-18 Love Hörnquist Åstrand <lha@it.su.se> + * wrap.c (gss_wrap_size_limit): use existing function 
From: Luke + Howard <lukeh@PADL.COM> + +2003-09-12 Love Hörnquist Åstrand <lha@it.su.se> + + * indicate_mechs.c (gss_indicate_mechs): in case of error, free + mech_set - * encapsulate.c: add _gssapi_make_mech_header + * indicate_mechs.c (gss_indicate_mechs): add SPNEGO + +2003-09-10 Love Hörnquist Åstrand <lha@it.su.se> + + * init_sec_context.c (spnego_initial): catch errors and return + them + + * init_sec_context.c (spnego_initial): add #if 0 out version of + the CHOICE branch encoding, also where here, free no longer used + memory + +2003-09-09 Love Hörnquist Åstrand <lha@it.su.se> + + * gss_acquire_cred.3: support GSS_SPNEGO_MECHANISM + + * accept_sec_context.c: SPNEGO doesn't include gss wrapping on + SubsequentContextToken like the Kerberos 5 mech does. + + * init_sec_context.c (spnego_reply): SPNEGO doesn't include gss + wrapping on SubsequentContextToken like the Kerberos 5 mech + does. Lets check for it anyway. + + * accept_sec_context.c: Add support for SPNEGO on the initator + side. Implementation initially from Assar Westerlund, passes + though quite a lot of hands before I commited it. + + * init_sec_context.c: Add support for SPNEGO on the initator side. + Tested with ldap server on a Windows 2000 DC. Implementation + initially from Assar Westerlund, passes though quite a lot of + hands before I commited it. 
+ + * gssapi.h: export GSS_SPNEGO_MECHANISM + + * gssapi_locl.h: include spnego_as.h add prototype for + gssapi_krb5_get_mech + + * decapsulate.c (gssapi_krb5_get_mech): make non static + + * Makefile.am: build SPNEGO file - * gssapi_locl.h: add "arcfour.h" and prototype for - _gssapi_make_mech_header +2003-09-08 Love Hörnquist Åstrand <lha@it.su.se> - * gssapi_locl.h: add gssapi_{en,de}code_{be_,}om_uint32 + * external.c: SPENGO and IAKERB oids - * 8003.c: 1.12->1.13: export and rename - encode_om_uint32/decode_om_uint32 and start to use them + * spnego.asn1: SPENGO ASN1 -2003-08-16 Love Hörnquist Åstrand <lha@it.su.se> +2003-09-05 Love Hörnquist Åstrand <lha@it.su.se> - * verify_mic.c: 1.21->1.22: make sure minor_status is always set, - pointed out by Luke Howard <lukeh@PADL.COM> + * cfx.c: RRC also need to be zero before wraping them + From: Luke Howard <lukeh@PADL.COM> -2003-08-15 Love Hörnquist Åstrand <lha@it.su.se> +2003-09-04 Love Hörnquist Åstrand <lha@it.su.se> - * context_time.c: 1.7->1.10: return time in seconds from now + * encapsulate.c (gssapi_krb5_encap_length): don't return void - * gssapi_locl.h: add gssapi_lifetime_left +2003-09-03 Love Hörnquist Åstrand <lha@it.su.se> + + * verify_mic.c: switch from the des_ to the DES_ api + + * get_mic.c: switch from the des_ to the DES_ api + + * unwrap.c: switch from the des_ to the DES_ api + + * wrap.c: switch from the des_ to the DES_ api + + * cfx.c: EC is not included in the checksum since the length might + change depending on the data. 
From: Luke Howard <lukeh@PADL.COM> + + * acquire_cred.c: use + krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free + +2003-09-01 Love Hörnquist Åstrand <lha@it.su.se> + + * copy_ccache.c: rename + gss_krb5_extract_authz_data_from_sec_context to + gsskrb5_extract_authz_data_from_sec_context + + * gssapi.h: rename gss_krb5_extract_authz_data_from_sec_context to + gsskrb5_extract_authz_data_from_sec_context + +2003-08-31 Love Hörnquist Åstrand <lha@it.su.se> + + * copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context): + check that we have a ticket before we start to use it + + * gss_acquire_cred.3: document + gss_krb5_extract_authz_data_from_sec_context + + * gssapi.h (gss_krb5_extract_authz_data_from_sec_context): + return the kerberos authorizationdata, from idea of Luke Howard + + * copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context): + return the kerberos authorizationdata, from idea of Luke Howard + + * verify_mic.c (gss_verify_mic_internal): switch type and key + argument + +2003-08-30 Love Hörnquist Åstrand <lha@it.su.se> + + * cfx.[ch]: draft-ietf-krb-wg-gssapi-cfx-01.txt implemetation + From: Luke Howard <lukeh@PADL.COM> + +2003-08-28 Love Hörnquist Åstrand <lha@it.su.se> + + * arcfour.c (arcfour_mic_cksum): use free_Checksum to free the + checksum + + * arcfour.h: swap two last arguments to verify_mic for consistency + with des3 + + * wrap.c,unwrap.c,get_mic.c,verify_mic.c,cfx.c,cfx.h: + prefix cfx symbols with _gssapi_ + + * arcfour.c: release the right buffer + + * arcfour.c: rename token structure in consistency with rest of + GSS-API 
From: Luke Howard <lukeh@PADL.COM> + + * unwrap.c (unwrap_des3): use _gssapi_verify_pad + (unwrap_des): use _gssapi_verify_pad + + * arcfour.c (_gssapi_wrap_arcfour): set the correct padding + (_gssapi_unwrap_arcfour): verify and strip padding + + * gssapi_locl.h: added _gssapi_verify_pad + + * decapsulate.c (_gssapi_verify_pad): verify padding of a gss + wrapped message and return its length + + * arcfour.c: support KEYTYPE_ARCFOUR_56 keys, from Luke Howard + <lukeh@PADL.COM> + + * arcfour.c: use right seal alg, inherit keytype from parent key + + * arcfour.c: include the confounder in the checksum use the right + key usage number for warped/unwraped tokens + + * gssapi.h: add gss_krb5_nt_general_name as an mit compat glue + (same as GSS_KRB5_NT_PRINCIPAL_NAME) + + * unwrap.c: hook in arcfour unwrap + + * wrap.c: hook in arcfour wrap + + * verify_mic.c: hook in arcfour verify_mic + + * get_mic.c: hook in arcfour get_mic + + * arcfour.c: implement wrap/unwarp + + * gssapi_locl.h: add gssapi_{en,de}code_be_om_uint32 + + * 8003.c: add gssapi_{en,de}code_be_om_uint32 + +2003-08-27 Love Hörnquist Åstrand <lha@it.su.se> + + * arcfour.c (_gssapi_verify_mic_arcfour): Do the checksum on right + area. Swap filler check, it was reversed. 
+ + * Makefile.am (libgssapi_la_SOURCES): += arcfour.c + + * gssapi_locl.h: include "arcfour.h" + + * arcfour.c: arcfour gss-api mech, get_mic/verify_mic working + + * arcfour.h: arcfour gss-api mech, get_mic/verify_mic working + +2003-08-26 Love Hörnquist Åstrand <lha@it.su.se> + + * gssapi_locl.h: always include cfx.h add prototype for + _gssapi_decapsulate + + * cfx.[ch]: Implementation of draft-ietf-krb-wg-gssapi-cfx-00.txt + from Luke Howard <lukeh@PADL.COM> + + * decapsulate.c: add _gssapi_decapsulate, from Luke Howard + <lukeh@PADL.COM> + +2003-08-25 Love Hörnquist Åstrand <lha@it.su.se> + + * unwrap.c: encap/decap now takes a oid if the enctype/keytype is + arcfour, return error add hook for cfx + + * verify_mic.c: encap/decap now takes a oid if the enctype/keytype + is arcfour, return error add hook for cfx + + * get_mic.c: encap/decap now takes a oid if the enctype/keytype is + arcfour, return error add hook for cfx + + * accept_sec_context.c: encap/decap now takes a oid + + * init_sec_context.c: encap/decap now takes a oid + + * gssapi_locl.h: include cfx.h if we need it lifetime is a + OM_uint32, depend on gssapi interface add all new encap/decap + functions - * init_sec_context.c: part of 1.37->1.38: (init_auth): if the cred - is expired before we tries to create a token, fail so the peer - doesn't need reject us - (*): make sure time is returned in seconds from now, not in - kerberos time + * decapsulate.c: add decap functions that doesn't take the token + type also make all decap function take the oid mech that they + should use - * acquire_cred.c: 1.14->1.15: (gss_aquire_cred): make sure time is + * encapsulate.c: add encap functions that doesn't take the token + type also make all encap function take the oid mech that they + should use + + * sequence.c (elem_insert): fix a off by one index counter + + * inquire_cred.c (gss_inquire_cred): handle cred_handle being + GSS_C_NO_CREDENTIAL and use the default cred then. 
+ +2003-08-19 Love Hörnquist Åstrand <lha@it.su.se> + + * gss_acquire_cred.3: break out extensions and document + gsskrb5_register_acceptor_identity + +2003-08-18 Love Hörnquist Åstrand <lha@it.su.se> + + * test_acquire_cred.c (print_time): time is returned in seconds + from now, not unix time + +2003-08-17 Love Hörnquist Åstrand <lha@it.su.se> + + * compat.c (check_compat): avoid leaking principal when finding a + match + + * address_to_krb5addr.c: sa_size argument to krb5_addr2sockaddr is + a krb5_socklen_t + + * acquire_cred.c (gss_acquire_cred): 4th argument to + gss_test_oid_set_member is a int + +2003-07-22 Love Hörnquist Åstrand <lha@it.su.se> + + * init_sec_context.c (repl_mutual): don't set kerberos error where + there was no kerberos error + + * gssapi_locl.h: Add destruction/creation prototypes and structure + for the thread specific storage. + + * display_status.c: use thread specific storage to set/get the + kerberos error message + + * init.c: Provide locking around the creation of the global + krb5_context. Add destruction/creation functions for the thread + specific storage that the error string handling is using. 
+ +2003-07-20 Love Hörnquist Åstrand <lha@it.su.se> + + * gss_acquire_cred.3: add missing prototype and missing .Ft + arguments + +2003-06-17 Love Hörnquist Åstrand <lha@it.su.se> + + * verify_mic.c: reorder code so sequence numbers can can be used + + * unwrap.c: reorder code so sequence numbers can can be used + + * sequence.c: remove unused function, indent, add + gssapi_msg_order_f that filter gss flags to gss_msg_order flags + + * gssapi_locl.h: prototypes for + gssapi_{encode_om_uint32,decode_om_uint32} add sequence number + verifier prototypes + + * delete_sec_context.c: destroy sequence number verifier + + * init_sec_context.c: remember to free data use sequence number + verifier + + * accept_sec_context.c: don't clear output_token twice remember to + free data use sequence number verifier + + * 8003.c: export and rename encode_om_uint32/decode_om_uint32 and + start to use them + +2003-06-09 Johan Danielsson <joda@pdc.kth.se> + + * Makefile.am: can't have sequence.c in two different places + +2003-06-06 Love Hörnquist Åstrand <lha@it.su.se> + + * test_sequence.c: check rollover, print summery + + * wrap.c (sub_wrap_size): gss_wrap_size_limit() has + req_output_size and max_input_size around the wrong way -- it + returns the output token size for a given input size, rather than + the maximum input size for a given output token size. + + 
From: Luke Howard <lukeh@PADL.COM> + +2003-06-05 Love Hörnquist Åstrand <lha@it.su.se> + + * gssapi_locl.h: add prototypes for sequence.c + + * Makefile.am (libgssapi_la_SOURCES): add sequence.c + (test_sequence): build + + * sequence.c: sequence number checks, order and replay + * test_sequence.c: sequence number checks, order and replay + +2003-06-03 Love Hörnquist Åstrand <lha@it.su.se> + + * accept_sec_context.c (gss_accept_sec_context): make sure time is returned in seconds from now, not in kerberos time - * accept_sec_context.c: 1.34->1.35: (gss_accept_sec_context): make - sure time is returned in seconds from now, not in kerberos time + * acquire_cred.c (gss_aquire_cred): make sure time is returned in + seconds from now, not in kerberos time -2003-05-07 Love Hörnquist Åstrand <lha@it.su.se> + * init_sec_context.c (init_auth): if the cred is expired before we + tries to create a token, fail so the peer doesn't need reject us + (*): make sure time is returned in seconds from now, + not in kerberos time + (repl_mutual): remember to unlock the context mutex + + * context_time.c (gss_context_time): remove unused variable + + * verify_mic.c: make sure minor_status is always set, pointed out + by Luke Howard <lukeh@PADL.COM> + +2003-05-21 Love Hörnquist Åstrand <lha@it.su.se> + + * *.[ch]: do some basic locking (no reference counting so contexts + can be removed while still used) + - don't export gss_ctx_id_t_desc_struct and gss_cred_id_t_desc_struct + - make sure all lifetime are returned in seconds left until expired, + not in unix epoch - * gssapi.h: 1.27->1.28: - if __cplusplus, wrap the extern variable (just to be safe) and - functions in extern "C" { } + * gss_acquire_cred.3: document argument lifetime_rec to function + gss_inquire_context +2003-05-17 Love Hörnquist Åstrand <lha@it.su.se> + + * test_acquire_cred.c: test gss_add_cred more then once + +2003-05-06 Love Hörnquist Åstrand <lha@it.su.se> + + * gssapi.h: if __cplusplus, wrap the extern variable 
(just to be + safe) and functions in extern "C" { } + 2003-04-30 Love Hörnquist Åstrand <lha@it.su.se> * gssapi.3: more about the des3 mic mess - * verify_mic.c 1.19->1.20 : (verify_mic_des3): always check if the - mic is the correct mic or the mic that old heimdal would have - generated + * verify_mic.c (verify_mic_des3): always check if the mic is the + correct mic or the mic that old heimdal would have generated -2003-04-29 Jacques Vidrine <nectar@kth.se> +2003-04-28 Jacques Vidrine <nectar@kth.se> + + * verify_mic.c (verify_mic_des3): If MIC verification fails, + retry using the `old' MIC computation (with zero IV). + +2003-04-26 Love Hörnquist Åstrand <lha@it.su.se> + + * gss_acquire_cred.3: more about difference between comparing IN + and MN - * verify_mic.c: 1.18->1.19: verify_mic_des3: If MIC verification - fails, retry using the `old' MIC computation (with zero IV). + * gss_acquire_cred.3: more about name type and access control -2003-04-28 Love Hörnquist Åstrand <lha@it.su.se> +2003-04-25 Love Hörnquist Åstrand <lha@it.su.se> - * compat.c (_gss_DES3_get_mic_compat): default to use compat + * gss_acquire_cred.3: document gss_context_time - * gssapi.3: 1.5->1.6: document [gssapi]correct_des3_mic and + * context_time.c: if lifetime of context have expired, set + time_rec to 0 and return GSS_S_CONTEXT_EXPIRED + + * gssapi.3: document [gssapi]correct_des3_mic [gssapi]broken_des3_mic - * compat.c: 1.2->1.4: - (gss_krb5_compat_des3_mci): return a value - (gss_krb5_compat_des3_mic): enable turning on/off des3 mic compat + * gss_acquire_cred.3: document gss_krb5_compat_des3_mic + + * compat.c (gss_krb5_compat_des3_mic): enable turning on/off des3 + mic compat (_gss_DES3_get_mic_compat): handle [gssapi]correct_des3_mic too - * gssapi.h: 1.26->1.27: - (gss_krb5_compat_des3_mic): new function, turn on/off des3 mic compat + * gssapi.h (gss_krb5_compat_des3_mic): new function, turn on/off + des3 mic compat (GSS_C_KRB5_COMPAT_DES3_MIC): cpp symbol that exists if 
gss_krb5_compat_des3_mic exists -2003-04-23 Love Hörnquist Åstrand <lha@it.su.se> +2003-04-24 Love Hörnquist Åstrand <lha@it.su.se> - * Makefile.am: 1.44->1.45: test_acquire_cred_LDADD: use - libgssapi.la not ./libgssapi.la (makes make -jN work) + * Makefile.am: (libgssapi_la_LDFLAGS): update major + version of gssapi for incompatiblity in 3des getmic support +2003-04-23 Love Hörnquist Åstrand <lha@it.su.se> + + * Makefile.am: test_acquire_cred_LDADD: use libgssapi.la not + ./libgssapi.la (make make -jN work) + 2003-04-16 Love Hörnquist Åstrand <lha@it.su.se> * gssapi.3: spelling |
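Review bot: the rewritten 2003-04-25 compat.c entry drops the removed line "(_gss_DES3_get_mic_compat): default to use compat", so the new log no longer records that the fallback to the old zero-IV DES3 MIC (2003-04-28, verify_mic_des3 "retry using the `old' MIC computation") is enabled by default; keep that sentence next to the [gssapi]correct_des3_mic / [gssapi]broken_des3_mic documentation so readers can tell which behaviour they get without the config knob. Related, the 2003-05-21 entry states "no reference counting so contexts can be removed while still used"; a known-limitation note like that belongs in a tracked issue as well as the ChangeLog. The dates of existing entries are also being changed (2003-04-29 to 2003-04-28 for the Jacques Vidrine entry, 2003-04-28 to 2003-04-25, 2003-05-07 to 2003-05-06), which should be justified in the commit message since it rewrites history rather than appending to it. Finally, several added lines carry typos that should be fixed before commit: "implemetation", "implement wrap/unwarp", "warped/unwraped tokens", "print summery", "can can be used" (twice), "incompatiblity", "more then once", "(gss_aquire_cred)" as a function reference, and "make make -jN work" where the removed line had "makes make -jN work".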