NetBSD/crypto/dist/heimdal/ChangeLog
lha a53f6df83e Import heimdal 0.6.3
Changes in release 0.6.3

 * fix vulnerabilities in ftpd
 * support for linux AFS /proc "syscalls"
 * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
   kpasswdd
 * fix possible KDC denial of service
 * bug fixes
2004-09-14 07:45:53 +00:00

898 lines
29 KiB
Plaintext

2004-09-13 Johan Danielsson <joda@pdc.kth.se>
* Release 0.6.3
2004-09-05 Love Hörnquist Åstrand <lha@it.su.se>
* lib/asn1/der_get.c (decode_enumerated): check that the tag
length isn't longer the the length
2004-08-31 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password):
kdc_reply can be set in case of failure too, clean on entry and
free the exit unconditionally to avoid memory leak
2004-08-20 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/context.c: 1.93: (krb5_get_err_text): if neither of
com_right nor strerror finds the error-code, return Unknown error.
2004-08-13 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/kerberos5.c: based on 1.162: (get_pa_etype_info): check for
dup enctypes from the client and filter them out.
2004-06-21 Love Hörnquist Åstrand <lha@it.su.se>
* admin/get.c: 1.23: (kt_get): catch errors from krb5_parse_name
2004-06-21 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/Makefile.am: man_MANS += krb5_set_password.3
* lib/krb5/krb5_set_password.3: 1.1-1.3: change password manpage
* lib/krb5/changepw.c: 1.49: implement
krb5_set_password_using_ccache 1.47: add tcp support to the set
protocol, should be cleaned up to enable sharing code with
krb5_sendto 1.46: (process_reply): log into result_string if
something goes bad, return 0 (even on failure), not the KPASSWD
protocol error code 1.45: krb5_princ_realm ->
krb5_principal_get_realm 1.44: (setpw_send_request): free
ap_req_data on failure 1.41: ooops, remove cut and paste error
1.40: draft-ietf-cat-kerb-chg-password-02 and rfc3244 share the
response packet sure more constants now that they exists 1.39:
implement rfc3244, partly from shadow@dementia.org
* lib/krb5/krb5.h: 1.211: some defines for rfc3244
* lib/asn1/Makefile.am: 1.71: (gen_files):
asn1_ChangePasswdDataMS.x for RFC3244
* lib/asn1/k5.asn1: 1.30: add ChangePasswdDataMS, for RFC3244
* kuser/kinit.c: 1.114: move "setpag if (argc < 1)" to common path
2004-05-06 Johan Danielsson <joda@pdc.kth.se>
* Release 0.6.2
2004-04-02 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/connect.c: case size_t to unsigned long for LP64 platforms
2004-04-01 Johan Danielsson <joda@pdc.kth.se>
* Release 0.6.1
2004-03-30 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/kerberos4.c: 1.46: stop the client from renewing tickets
into the future From: Jeffrey Hutzelman <jhutz@cmu.edu>
2004-03-10 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/fcache.c: 1.43: (fcc_store_cred): NULL terminate
krb5_config_get_bool_default' arglist
2004-03-09 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5.conf.5: 1.44: document
[libdefaults]fcc-mit-ticketflags=boolean 1.43: don't use path's in
first .Nm, it confuses some locate.updatedb, use FILES section to
describe where the file is instead.
* lib/krb5/fcache.c (fcc_store_cred): default to use old format
* lib/krb5/fcache.c: 1.42: (fcc_store_cred): use
[libdefaults]fcc-mit-ticketflags=boolean to decide what format to
write the fcc in. Default to mit format (aka heimdal 0.7 format)
1.41: (_krb5_xlock): handle that everything was ok, and don't put
an error in the error strings then
* lib/krb5/store.c: 1.43: add _krb5_store_creds_heimdal_0_7 and
_krb5_store_creds_heimdal_pre_0_7 that store the creds in just
that format make krb5_store_creds default to mit format 1.42:
(krb5_ret_creds): Runtime detect the what is the higher bits of
the bitfield 1.41: (krb5_store_creds): add disabled code that
store the ticket flags in reverse order (bitswap32): new function
1.40: (krb5_ret_creds): if the higher ticket flags are set, its a
mit cache, reverse the bits, bug pointed out by Sergio Gelato
<Sergio.Gelato@astro.su.se>
delta modfied to not change the behavior of krb5_store_creds
2004-03-07 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/mk_safe.c (krb5_mk_safe): fix assignment of usec2
2004-03-06 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/mcache.c: patch based on 1.17 and 1.18 but with
threading code pulled out;
1.18: (mcc_get_principal): also check for primary_principal ==
NULL now that that isn't used as dead flag 1.17: don't overload
the primary_principal == NULL as dead since that doesn't always
work Based on patch from Jeffrey Hutzelman <jhutz@cmu.edu>, but
tweek by me
* lib/krb5/crypto.c: 1.94: (decrypt_internal_special): do not not
modify the original data test case from Ronnie Sahlberg
<ronnie_sahlberg@ozemail.com.au>
2004-02-13 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/verify_krb5_conf.c: 1.22->1.23: (check_host): don't
check for EAI_NODATA, because its depricated in RFC3493 Pointed
out by Hajimu UMEMOTO <ume@mahoroba.org> on heimdal-discuss
* lib/krb5/eai_to_heim_errno.c: 1.3->1.4: EAI_ADDRFAMILY and
EAI_NODATA is deprecated in RFC3493
2004-02-09 Love Hörnquist Åstrand <lha@it.su.se>
* lib/asn1/der_length.c: 1.16: Fix len_unsigned for certain
negative integers, it got the length wrong, fix from Panasas, Inc.
* lib/asn1/der_locl.h: 1.5: add _heim_len_unsigned, _heim_len_int
2004-01-26 Love Hörnquist Åstrand <lha@it.su.se>
* lib/asn1/gen_length.c: 1.14: (length_type): TSequenceOf: add up
the size of all the elements, don't use just the size of the last
element.
* lib/krb5/fcache.c: 1.40: (_krb5_xlock): catch EINVAL and assume
that it means that the filesystem doesn't support locking 1.39:
(_krb5_xlock): fix compile error in last commit 1.38: internally
export x{,un}lock and thus prefix them with _krb5_
2004-01-13 Love Hörnquist Åstrand <lha@it.su.se>
* kuser/kinit.c: 1.106: (renew_validate): if renewable_flag and
not time specifed, use "1 month"
1.105: make -9 work again
2004-01-09 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/get_for_creds.c: 1.36: (add_addrs): don't increase
addr->len until in contains interesting data, use right iteration
counter when clearing the addresses 1.39: krb5_princ_realm ->
krb5_principal_get_realm 1.38: (krb5_get_forwarded_creds): use
KRB5_AUTH_CONTEXT_DO_TIME if we want timestamp in forwarded
krb-cred 1.39: (krb5_get_forwarded_creds): If tickets are
address-less, forward address-less tickets. 1.40:
(krb5_get_forwarded_creds): try to handle errors better for
previous commit 1.41: (add_addrs): don't add same address multiple
times
* lib/krb5/get_cred.c: 1.96->1.97: rename get_krbtgt to
_krb5_get_krbtgt and export it
2003-12-14 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/kerberos5.c: part of 1.146->1.147: handle NULL client/server
names
2003-12-03 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/crypto.c: 1.90->1.91: require cipher-text to be padded
to padsize 1.91->1.92: (decrypt_internal_derived): move up padsize
check to avoid memory leak
2003-12-01 Love Hörnquist Åstrand <lha@it.su.se>
* kuser/kinit.c: 1.103->1.104: (main): return the return value
from simple_execvp
2003-10-22 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/transited.c: 1.13->1.14: (krb5_domain_x500_encode):
always zero out encoding to make sure it have a defined value on
failure
* lib/krb5/transited.c: 1.12->1.13: (krb5_domain_x500_encode): if
num_realms == 0, set encoding and return (avoids malloc(0)) check
return value from malloc
2003-10-21 Love Hörnquist Åstrand <lha@it.su.se>
* doc/setup.texi: 1.35->1.36: spelling
* kdc/kdc_locl.h: 1.58->1.59: add flag to always check transited
policy
* doc/setup.texi: 1.27->1.35: many changes
* lib/krb5/get_cred.c: 1.95->1.96: get capath info from [capaths]
section
* lib/krb5/rd_req.c: 1.50->1.51: (krb5_decrypt_ticket): try to
verify transited realms, unless the transited-policy-checked flag
is set
* lib/krb5/transited.c:
1.12: (krb5_domain_x500_decode): set *num_realms to zero not num_realms
1.11: (krb5_domain_x500_decode): handle zero length tr data;
(krb5_check_transited): new function that does more useful stuff
* kdc/kdc.8: 1.23->1.24: document enforce-transited-policy
* kdc/config.c: 1.47->1.48: add flag to always check transited
policy
* kdc/kerberos5.c:
1.150: (fix_transited_encoding): also verify with policy,
unless asked not to
1.151: always check transited policy if flag set either globally
(on principal part of patch not pulled up)
1.152: (fix_transited_encoding): set transited type
1.153: (fix_transited_encoding): always print cross-realm information
2003-10-06 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/config_file.c: 1.48->1.49:
(krb5_config_parse_file_debug): punt if there is binding before a
section declaration.
Bug found by Arkadiusz Miskiewicz <arekm@pld-linux.org>
* kdc/kaserver.c: 1.21->1.23:
(do_getticket): if times data is shorter then 8 bytes, request is
malformed.
(do_authenticate): if request length is less then 8 bytes, its a
bad request and fail. Pointed out by Marco Foglia <marco@foglia.org>
2003-09-22 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/verify_krb5_conf.c: 1.17->1.18: add missing " within
#if 0 From: stefan sokoll <stefansokoll@yahoo.de>
2003-09-19 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/rd_req.c:
1.47->1.48: (krb5_rd_req): allow caller to pass in a key
in the auth_context, they way processes that doesn't use the
keytab can still pass in the key of the service (matches behavior
of MIT Kerberos).
2003-09-18 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/crypto.c:
1.87->1.88: (usage2arcfour): simplify, only
include special cases From: Luke Howard <lukeh@PADL.COM>
1.86->1.87: (arcfour_checksum_p): return true when is arcfour,
not when its not pointed out by Luke Howard
1.82->1.83: Do the arcfour checksum mapping for
krb5_create_checksum and krb5_verify_checksum, From: Luke Howard
<lukeh@PADL.COM>
1.81->1.82: (hmac): make it return an error
when out of memory, update callsites to either return error or use
krb5_abortx
(krb5_hmac): expose hmac
* lib/krb5/mk_req_ext.c: 1.26->1.27: (krb5_mk_req_internal):
when using arcfour-hmac-md5, use an unkeyed checksum
(rsa-md5), since Microsoft calculates the keyed checksum with
the subkey of the authenticator.
* lib/krb5/get_cred.c:
1.93->1.94 (init_tgs_req): make generation of subkey
optional on configuration parameter
[realms]realm={tgs_require_subkey=bool}
defaults to off. The RFC1510 weakly defines the correct behavior,
so old DCE secd apparently required the subkey to be there, and MS
will use it when its there. But the request isn't encrypted in the
subkey, so you get to choose if you want to talk to a MS mdc or a
old DCE secd.
partly 1.91->1.92: (init_tgs_req): in case of error, don't
free in the req_body addresses since they where pass in by caller
lib/krb5/get_in_tkt.c:
1.108->1.1.09: (krb5_get_in_tkt): for compatibility with with
the mit implemtation, don't free `creds' argument when done, its up
the the caller to do that, also allow a NULL ccache.
* doc/ack.texi
1.16->1.17: update Luke Howard email address
* lib/hdb/hdb-ldap.c:
1.13->1.14: code rewrite from Luke Howard <lukeh@PADL.COM>
1.12->1.13: (LDAP_store): log what principal/dn failed
1.11->1.12: use int2HDBFlags/HDBFlags2int
From: Alberto Patino <jalbertop@aranea.com.mx>,
Luke Howard <lukeh@PADL.COM>
Pointed out by Andrew Bartlett of Samba
1.10->1.11: (LDAP__connect): bind sasl "EXTERNAL" to ldap connection
(LDAP_store): remove superfluous argument to asprintf
From Alberto Patino <jalbertop@aranea.com.mx>
* lib/krb5/krb5.h:
1.214->1.2015: add KEYTYPE_ARCFOUR_56
2003-09-12 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/config_file.c: fix prototypes Fredrik Ljungberg
<flag@pobox.se>
2003-09-11 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/hdb_locl.h: 1.18->1.19: include <limits.h> for ULONG_MAX
noted by Wissler Magnus <M.Wissler@abalon.se> on heimdal-discuss
2003-08-29 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/db3.c: 1.8->1.9: patch for working with DB4 on
heimdal-discuss From: Luke Howard <lukeh@PADL.COM> 1.9->1.10: try
to include more db headers
2003-08-25 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/connect.c: 1.92->1.93 (handle_tcp): handle recvfrom
returning 0 (connection closed) 1.91->1.92: (grow_descr):
increment the size after we succeed to allocate the space
2003-08-15 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/principal.c: 1.83->1.85: (unparse_name): len can't be
zero, so, don't check for that
(unparse_name): make sure there are space for a NUL, set *name to NULL
when there is a failure (so caller can't get hold of a freed
pointer)
2003-05-08 Johan Danielsson <joda@ratatosk.pdc.kth.se>
* Release 0.6
2003-05-08 Love Hörnquist Åstrand <lha@it.su.se>
* kuser/klist.c: 1.68->1.69: print tokens even if there isn't v4
support
* kuser/kdestroy.c: 1.14->1.15: destroy tokens even if there isn't
v4 support
* kuser/kinit.c: 1.90->1.91: print tokens even if there isn't v4
support
2003-05-06 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/name-45-test.c: need to use empty krb5.conf for some
tests
* lib/asn1/check-gen.c: there is no \e escape sequence; replace
everything with hex-codes, and cast to unsigned char* to make some
compilers happy
2003-05-06 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/get_in_tkt.c (make_pa_enc_timestamp): make sure first
argument to krb5_us_timeofday have correct type
2003-05-05 Assar Westerlund <assar@kth.se>
* include/make_crypto.c (main): include aes.h if ENABLE_AES
2003-05-05 Love Hörnquist Åstrand <lha@it.su.se>
* NEWS: 1.108->1.110: fix text about gssapi compat
2003-04-28 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/v4_dump.c: 1.4->1.5: (v4_prop_dump): limit strings length,
from openbsd
2003-04-24 Love Hörnquist Åstrand <lha@it.su.se>
* doc/programming.texi: 1.2-1.3: s/managment/management/, from jmc
<jmc@prioris.mini.pw.edu.pl>
2003-04-22 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krbhst.c: 1.43->1.44: copy NUL too, from janj@wenf.org
via openbsd
2003-04-17 Love Hörnquist Åstrand <lha@it.su.se>
* lib/asn1/der_copy.c (copy_general_string): use strdup
* lib/asn1/der_put.c: remove sprintf
* lib/asn1/gen.c: remove strcpy/sprintf
* lib/krb5/name-45-test.c: use a more unique name then ratatosk so
that other (me) have such hosts in the local domain and the tests
fails, to take hokkigai.pdc.kth.se instead
* lib/krb5/test_alname.c: add --version and --help
2003-04-16 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5_warn.3: add krb5_get_err_text
* lib/krb5/transited.c: use strlcat/strlcpy, from openbsd
* lib/krb5/krbhst.c (srv_find_realm): use strlcpy, from openbsd
* lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use
strlcpy, from openbsd
* kdc/hpropd.c: s/strcat/strlcat/, inspired from openbsd
* appl/kf/kfd.c: use strlcpy, from openbsd
2003-04-16 Johan Danielsson <joda@pdc.kth.se>
* configure.in: fix for large file support in AIX, _LARGE_FILES
needs to be defined on the command line, since lex likes to
include stdio.h before we get to config.h
2003-04-16 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/*.3: Change .Fd #include <header.h> to .In header.h,
from Thomas Klausner <wiz@netbsd.org>
* lib/krb5/krb5.conf.5: spelling, from Thomas Klausner
<wiz@netbsd.org>
2003-04-15 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/kerberos5.c: fix some more memory leaks
2003-04-11 Love Hörnquist Åstrand <lha@it.su.se>
* appl/kf/kf.1: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>
2003-04-08 Love Hörnquist Åstrand <lha@it.su.se>
* admin/ktutil.8: typos, from jmc <jmc@acn.waw.pl>
2003-04-06 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5.3: s/kerberos/Kerberos/
* lib/krb5/krb5_data.3: s/kerberos/Kerberos/
* lib/krb5/krb5_address.3: s/kerberos/Kerberos/
* lib/krb5/krb5_ccache.3: s/kerberos/Kerberos/
* lib/krb5/krb5.conf.5: s/kerberos/Kerberos/
* kuser/kinit.1: s/kerberos/Kerberos/
* kdc/kdc.8: s/kerberos/Kerberos/
2003-04-01 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/test_alname.c: more krb5_aname_to_localname tests
* lib/krb5/aname_to_localname.c (krb5_aname_to_localname): when
converting too root, make sure user is ok according to
krb5_kuserok before allowing it.
* lib/krb5/Makefile.am (noinst_PROGRAMS): += test_alname
* lib/krb5/test_alname.c: add test for krb5_aname_to_localname
* lib/krb5/crypto.c (krb5_DES_AFS3_CMU_string_to_key): used p1
instead of the "illegal" salt #~, same change as kth-krb did
1999. Problems occur with crypt() that behaves like AT&T crypt
(openssl does this). Pointed out by Marcus Watts.
* admin/change.c (kt_change): collect all principals we are going
to change, and pick the highest kvno and use that to guess what
kvno the resulting kvno is going to be. Now two ktutil change in a
row works. XXX fix the protocol to pass the kvno back.
2003-03-31 Love Hörnquist Åstrand <lha@it.su.se>
* appl/kf/kf.1: afs->AFS, from jmc <jmc@acn.waw.pl>
2003-03-30 Love Hörnquist Åstrand <lha@it.su.se>
* doc/setup.texi: add description on how to turn on v4, 524 and
kaserver support
2003-03-29 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/verify_krb5_conf.c (appdefaults_entries): add afslog
and afs-use-524
2003-03-28 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/kerberos5.c (as_rep): when the second enctype_to_string
failes, remember to free memory from the first enctype_to_string
* lib/krb5/crypto.c (usage2arcfour): map KRB5_KU_TICKET to 2,
from Harald Joerg <harald.joerg@fujitsu-siemens.com>
(enctype_arcfour_hmac_md5): disable checksum_hmac_md5_enc
* lib/hdb/mkey.c (hdb_unseal_keys_mkey): truncate key to the key
length when key is longer then expected length, its probably
longer since the encrypted data was padded, reported by Aidan
Cully <aidan@kublai.com>
* lib/krb5/crypto.c (krb5_enctype_keysize): return key size of
encyption type, inspired by Aidan Cully <aidan@kublai.com>
2003-03-27 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/keytab.c (krb5_kt_get_entry): avoid printing 0
(wildcard kvno) after principal when the keytab entry isn't found,
reported by Chris Chiappa <chris@chiappa.net>
2003-03-26 Love Hörnquist Åstrand <lha@it.su.se>
* doc/misc.texi: update 2b example to match reality (from
mattiasa@e.kth.se)
* doc/misc.texi: spelling and add `Configuring AFS clients'
subsection
2003-03-25 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5.3: add krb5_free_data_contents.3
* lib/krb5/data.c: add krb5_free_data_contents for compat with MIT
API
* lib/krb5/krb5_data.3: add krb5_free_data_contents for compat
with MIT API
* lib/krb5/krb5_verify_user.3: write more about how the ccache
argument should be inited when used
2003-03-25 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/addr_families.c (krb5_print_address): make sure
print_addr is defined for the given address type; make addrports
printable
* kdc/string2key.c: print the used enctype for kerberos 5 keys
2003-03-25 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/aes-test.c: add another arcfour test
2003-03-22 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/aes-test.c: sneek in a test for arcfour-hmac-md5
2003-03-20 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5_ccache.3: update .Dd
* lib/krb5/krb5.3: sort in krb5_data functions
* lib/krb5/Makefile.am (man_MANS): += krb5_data.3
* lib/krb5/krb5_data.3: document krb5_data
* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): if
prompter is NULL, don't try to ask for a password to
change. reported by Iain Moffat @ ufl.edu via Howard Chu
<hyc@highlandsun.com>
2003-03-19 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5_keytab.3: spelling, from
<jmc@prioris.mini.pw.edu.pl>
* lib/krb5/krb5.conf.5: . means new line
* lib/krb5/krb5.conf.5: spelling, from
<jmc@prioris.mini.pw.edu.pl>
* lib/krb5/krb5_auth_context.3: spelling, from
<jmc@prioris.mini.pw.edu.pl>
2003-03-18 Love Hörnquist Åstrand <lha@it.su.se>
* kuser/Makefile.am: INCLUDES: -I$(srcdir)/../lib/krb5
* lib/krb5/convert_creds.c: add _krb5_krb_life_to_time
* lib/krb5/krb5-v4compat.h: add _krb5_krb_life_to_time
* kdc/kdc_locl.h: 524 is independent of kerberos 4, so move out
#ifdef KRB4 from enable_v4_cross_realm since 524 needs it
* kdc/config.c: 524 is independent of kerberos 4, so move out
enable_v4_cross_realm from #ifdef KRB4 since 524 needs it
2003-03-17 Assar Westerlund <assar@kth.se>
* kdc/kdc.8: document --kerberos4-cross-realm
* kdc/kerberos4.c: pay attention to enable_v4_cross_realm
* kdc/kdc_locl.h (enable_v4_cross_realm): add
* kdc/524.c (encode_524_response): check the enable_v4_cross_realm
flag before giving out v4 tickets for foreign v5 principals
* kdc/config.c: add --enable-kerberos4-cross-realm option (default
to off)
2003-03-17 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/Makefile.am (man_MANS) += krb5_aname_to_localname.3
* lib/krb5/krb5_aname_to_localname.3: manpage for
krb5_aname_to_localname
* lib/krb5/krb5_kuserok.3: s/KRB5_USEROK/KRB5_KUSEROK/
2003-03-16 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/Makefile.am (man_MANS): add krb5_set_default_realm.3
* lib/krb5/krb5.3: add manpages from krb5_set_default_realm.3
* lib/krb5/krb5_set_default_realm.3: Manpage for
krb5_free_host_realm, krb5_get_default_realm,
krb5_get_default_realms, krb5_get_host_realm, and
krb5_set_default_realm.
* admin/ktutil.8: s/entype/enctype/, from Igor Sobrado
<sobrado@acm.org> via NetBSD
* lib/krb5/krb5_keytab.3: add documention for krb5_kt_get_type
* lib/krb5/keytab.c (krb5_kt_get_type): get prefix/type of keytab
* lib/krb5/krb5.h (KRB5_KT_PREFIX_MAX_LEN): max length of prefix
* lib/krb5/krb5_ccache.3: document krb5_cc_get_ops, add more
types, add krb5_fcc_ops and krb5_mcc_ops
* lib/krb5/cache.c (krb5_cc_get_ops): new function, return ops for
a id
2003-03-15 Love Hörnquist Åstrand <lha@it.su.se>
* doc/intro.texi: add reference to source code, binaries and the
manual
* lib/krb5/krb5.3: krb5.h isn't in krb5 directory in heimdal
2003-03-14 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/kdc.8: better/difrent english
* kdc/kdc.8: . -> .\n, copyright/license
* kdc/kdc.8: changed configuration file -> restart kdc
* kdc/kerberos4.c: add krb4 into the most error messages written
to the logfile
* lib/krb5/krb5_ccache.3: add missing name of argument
(krb5_context) to most functions
2003-03-13 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/kuserok.c (krb5_kuserok): preserve old behviour of
function and return FALSE when there isn't a local account for
`luser'.
* lib/krb5/krb5_kuserok.3: fix prototype, spelling and more text
describing the function
2003-03-12 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/cache.c (krb5_cc_default): if krb5_cc_default_name
returned memory, don't return ENOMEM
2003-03-11 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5.3: add krb5_address stuff and sort
* lib/krb5/krb5_address.3: fix krb5_addr2sockaddr description
* lib/krb5/Makefile.am (man_MANS): += krb5_address.3
* lib/krb5/krb5_address.3: document types krb5_address and
krb5_addresses and their helper functions
2003-03-10 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/Makefile.am (man_MANS): += krb5_kuserok.3
* lib/krb5/krb5_kuserok.3: spelling, from cizzi@it.su.se
* lib/krb5/Makefile.am (man_MANS): += krb5_ccache.3
* lib/krb5/krb5_ccache.3: spelling, from cizzi@it.su.se
* lib/krb5/krb5.3: add more functions
* lib/krb5/krb5_ccache.3: document krb5_ccache and krb5_cc
functions
* lib/krb5/krb5_kuserok.3: document krb5_kuserok
* lib/krb5/krb5_verify_user.3: document
krb5_verify_opt_set_flags(opt, KRB5_VERIFY_LREALMS) behavior
* lib/krb5/krb5_verify_user.3: document krb5_verify_opt* and
krb5_verify_user_opt
* lib/krb5/*.[0-9]: add copyright/licenses on more manpages
* kuser/kdestroy.c (main): handle that krb5_cc_default_name can
return NULL
* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump minor
(TESTS): add test_cc
* lib/krb5/test_cc.c: test some
krb5_cc_default_name/krb5_cc_set_default_name combinations
* lib/krb5/context.c (init_context_from_config_file): set
default_cc_name to NULL
(krb5_free_context): free default_cc_name if set
* lib/krb5/cache.c (krb5_cc_set_default_name): new function
(krb5_cc_default_name): use krb5_cc_set_default_name
* lib/krb5/krb5.h (krb5_context_data): add default_cc_name
2003-02-25 Love Hörnquist Åstrand <lha@it.su.se>
* appl/kf/kf.1: s/securly/securely/ from NetBSD
2003-02-18 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/connect.c: s/intialize/initialize, from
<jmc@prioris.mini.pw.edu.pl>
2003-02-17 Love Hörnquist Åstrand <lha@it.su.se>
* configure.in: add AM_MAINTAINER_MODE
2003-02-16 Love Hörnquist Åstrand <lha@it.su.se>
* **/*.[0-9]: add copyright/licenses on all manpages
2003-14-16 Jacques Vidrine <nectar@kth.se>
* lib/krb5/get_in_tkt.c (init_as_req): Send only a single
PA-ENC-TIMESTAMP in the AS-REQ, using the first encryption
type specified by the KDC.
2003-02-15 Love Hörnquist Åstrand <lha@it.su.se>
* fix-export: some autoconf put their version number in
autom4te.cache, so remove autom4te*.cache
* fix-export: make sure $1 is a directory
2003-02-04 Love Hörnquist Åstrand <lha@it.su.se>
* kpasswd/kpasswdd.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>
* kdc/kdc.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>
2003-01-31 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/hpropd.8: s/databases/a database/ s/Not/not/
* kdc/hprop.8: add missing .
2003-01-30 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5.conf.5: documentation for of boolean, etypes,
address, write out encryption type in sentences, s/Host/host
2003-01-26 Love Hörnquist Åstrand <lha@it.su.se>
* lib/asn1/check-gen.c: add checks for Authenticator too
2003-01-25 Love Hörnquist Åstrand <lha@it.su.se>
* doc/setup.texi: in the hprop example, use hprop and the first
component, not host
* lib/krb5/get_addrs.c (find_all_addresses): address-less
point-to-point might not have an address, just ignore
those. Reported by Harald Barth.
2003-01-23 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/verify_krb5_conf.c (check_section): when key isn't
found, don't print out all known keys
* lib/krb5/verify_krb5_conf.c (syslogvals): mark up where severity
and facility start resp
(check_log): find_value() returns -1 when key isn't found
* lib/krb5/crypto.c (_krb5_aes_cts_encrypt): make key argument a
'const void *' to avoid AES_KEY being exposed in krb5-private.h
* lib/krb5/krb5.conf.5: add [kdc]use_2b
* kdc/524.c (encode_524_response): its 2b not b2
* doc/misc.texi: quote @ where missing
* lib/asn1/Makefile.am: add check-gen
* lib/asn1/check-gen.c: add Principal check
* lib/asn1/check-common.h: move generic asn1/der functions from
check-der.c to here
* lib/asn1/check-common.c: move generic asn1/der functions from
check-der.c to here
* lib/asn1/check-der.c: move out the generic asn1/der functions to
a common file
2003-01-22 Love Hörnquist Åstrand <lha@it.su.se>
* doc/misc.texi: more text about afs, how to get get your KeyFile,
and how to start use 2b tokens
* lib/krb5/krb5.conf.5: spelling, from Jason McIntyre
<jmc@cvs.openbsd.org>
2003-01-21 Jacques Vidrine <nectar@kth.se>
* kuser/kuser_locl.h: include crypto-headers.h for
des_read_pw_string prototype
2003-01-16 Love Hörnquist Åstrand <lha@it.su.se>
* admin/ktutil.8: document -v, --verbose
* admin/get.c (kt_get): make getarg usage consistent with other
other parts of ktutil
* admin/copy.c (kt_copy): remove adding verbose_flag to args
struct, since it will overrun the args array (from Sumit Bose)
2003-01-15 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5.conf.5: write more about [realms] REALM = { kdc =
... }
* lib/krb5/aes-test.c: test vectors in aes-draft
* lib/krb5/Makefile.am: add aes-test.c
* lib/krb5/crypto.c: Add support for AES
(draft-raeburn-krb-rijndael-krb-02), not enabled by default.
(HMAC_SHA1_DES3_checksum): rename to SP_HMAC_SHA1_checksum and modify
to support checksumtype that are have a shorter wireformat then
their output block size.
* lib/krb5/crypto.c (struct encryption_type): split the blocksize
into blocksize and padsize, padsize is the minimum padding
size. they are the same for now
(enctype_*): add padsize
(encrypt_internal): use padsize
(encrypt_internal_derived): use padsize
(wrapped_length): use padsize
(wrapped_length_dervied): use padsize
* lib/krb5/crypto.c: add extra `opaque' argument to string_to_key
function for each enctype in preparation enctypes that uses
`Encryption and Checksum Specifications for Kerberos 5' draft
* lib/asn1/k5.asn1: add checksum and enctype for AES from
draft-raeburn-krb-rijndael-krb-02.txt
* lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_AES128,
KEYTYPE_AES256
2003-01-14 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/common.c (_hdb_fetch): handle error code from
hdb_value2entry
* kdc/Makefile.am: always include kerberos4.c and 524.c in
kdc_SOURCES to support 524
* kdc/524.c: always compile in support for 524
* kdc/kdc_locl.h: move out krb/524 protos from under #ifdef KRB4
* kdc/config.c: always compile in support for 524
* kdc/connect.c: always compile in support for 524
* kdc/kerberos4.c: export encode_v4_ticket() and get_des_key()
even when we build without kerberos 4, 524 needs them
* lib/krb5/convert_creds.c, lib/krb5/krb5-v4compat.h: Split out
Kerberos 4 help functions/structures so other parts of the source
tree can use it (like the KDC)