a53f6df83e
Changes in release 0.6.3 * fix vulnerabilities in ftpd * support for linux AFS /proc "syscalls" * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in kpasswdd * fix possible KDC denial of service * bug fixes
898 lines
29 KiB
Plaintext
898 lines
29 KiB
Plaintext
2004-09-13 Johan Danielsson <joda@pdc.kth.se>
|
|
|
|
* Release 0.6.3
|
|
|
|
2004-09-05 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/asn1/der_get.c (decode_enumerated): check that the tag
|
|
length isn't longer the the length
|
|
|
|
2004-08-31 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password):
|
|
kdc_reply can be set in case of failure too, clean on entry and
|
|
free the exit unconditionally to avoid memory leak
|
|
|
|
2004-08-20 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/context.c: 1.93: (krb5_get_err_text): if neither of
|
|
com_right nor strerror finds the error-code, return Unknown error.
|
|
|
|
2004-08-13 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kerberos5.c: based on 1.162: (get_pa_etype_info): check for
|
|
dup enctypes from the client and filter them out.
|
|
|
|
2004-06-21 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* admin/get.c: 1.23: (kt_get): catch errors from krb5_parse_name
|
|
|
|
2004-06-21 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/Makefile.am: man_MANS += krb5_set_password.3
|
|
|
|
* lib/krb5/krb5_set_password.3: 1.1-1.3: change password manpage
|
|
|
|
* lib/krb5/changepw.c: 1.49: implement
|
|
krb5_set_password_using_ccache 1.47: add tcp support to the set
|
|
protocol, should be cleaned up to enable sharing code with
|
|
krb5_sendto 1.46: (process_reply): log into result_string if
|
|
something goes bad, return 0 (even on failure), not the KPASSWD
|
|
protocol error code 1.45: krb5_princ_realm ->
|
|
krb5_principal_get_realm 1.44: (setpw_send_request): free
|
|
ap_req_data on failure 1.41: ooops, remove cut and paste error
|
|
1.40: draft-ietf-cat-kerb-chg-password-02 and rfc3244 share the
|
|
response packet sure more constants now that they exists 1.39:
|
|
implement rfc3244, partly from shadow@dementia.org
|
|
|
|
* lib/krb5/krb5.h: 1.211: some defines for rfc3244
|
|
|
|
* lib/asn1/Makefile.am: 1.71: (gen_files):
|
|
asn1_ChangePasswdDataMS.x for RFC3244
|
|
|
|
* lib/asn1/k5.asn1: 1.30: add ChangePasswdDataMS, for RFC3244
|
|
|
|
* kuser/kinit.c: 1.114: move "setpag if (argc < 1)" to common path
|
|
|
|
2004-05-06 Johan Danielsson <joda@pdc.kth.se>
|
|
|
|
* Release 0.6.2
|
|
|
|
2004-04-02 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/connect.c: case size_t to unsigned long for LP64 platforms
|
|
|
|
2004-04-01 Johan Danielsson <joda@pdc.kth.se>
|
|
|
|
* Release 0.6.1
|
|
|
|
2004-03-30 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kerberos4.c: 1.46: stop the client from renewing tickets
|
|
into the future From: Jeffrey Hutzelman <jhutz@cmu.edu>
|
|
|
|
2004-03-10 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/fcache.c: 1.43: (fcc_store_cred): NULL terminate
|
|
krb5_config_get_bool_default' arglist
|
|
|
|
2004-03-09 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5.conf.5: 1.44: document
|
|
[libdefaults]fcc-mit-ticketflags=boolean 1.43: don't use path's in
|
|
first .Nm, it confuses some locate.updatedb, use FILES section to
|
|
describe where the file is instead.
|
|
|
|
* lib/krb5/fcache.c (fcc_store_cred): default to use old format
|
|
|
|
* lib/krb5/fcache.c: 1.42: (fcc_store_cred): use
|
|
[libdefaults]fcc-mit-ticketflags=boolean to decide what format to
|
|
write the fcc in. Default to mit format (aka heimdal 0.7 format)
|
|
1.41: (_krb5_xlock): handle that everything was ok, and don't put
|
|
an error in the error strings then
|
|
|
|
* lib/krb5/store.c: 1.43: add _krb5_store_creds_heimdal_0_7 and
|
|
_krb5_store_creds_heimdal_pre_0_7 that store the creds in just
|
|
that format make krb5_store_creds default to mit format 1.42:
|
|
(krb5_ret_creds): Runtime detect the what is the higher bits of
|
|
the bitfield 1.41: (krb5_store_creds): add disabled code that
|
|
store the ticket flags in reverse order (bitswap32): new function
|
|
1.40: (krb5_ret_creds): if the higher ticket flags are set, its a
|
|
mit cache, reverse the bits, bug pointed out by Sergio Gelato
|
|
<Sergio.Gelato@astro.su.se>
|
|
|
|
delta modfied to not change the behavior of krb5_store_creds
|
|
|
|
2004-03-07 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/mk_safe.c (krb5_mk_safe): fix assignment of usec2
|
|
|
|
2004-03-06 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/mcache.c: patch based on 1.17 and 1.18 but with
|
|
threading code pulled out;
|
|
|
|
1.18: (mcc_get_principal): also check for primary_principal ==
|
|
NULL now that that isn't used as dead flag 1.17: don't overload
|
|
the primary_principal == NULL as dead since that doesn't always
|
|
work Based on patch from Jeffrey Hutzelman <jhutz@cmu.edu>, but
|
|
tweek by me
|
|
|
|
* lib/krb5/crypto.c: 1.94: (decrypt_internal_special): do not not
|
|
modify the original data test case from Ronnie Sahlberg
|
|
<ronnie_sahlberg@ozemail.com.au>
|
|
|
|
2004-02-13 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/verify_krb5_conf.c: 1.22->1.23: (check_host): don't
|
|
check for EAI_NODATA, because its depricated in RFC3493 Pointed
|
|
out by Hajimu UMEMOTO <ume@mahoroba.org> on heimdal-discuss
|
|
|
|
* lib/krb5/eai_to_heim_errno.c: 1.3->1.4: EAI_ADDRFAMILY and
|
|
EAI_NODATA is deprecated in RFC3493
|
|
|
|
2004-02-09 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/asn1/der_length.c: 1.16: Fix len_unsigned for certain
|
|
negative integers, it got the length wrong, fix from Panasas, Inc.
|
|
|
|
* lib/asn1/der_locl.h: 1.5: add _heim_len_unsigned, _heim_len_int
|
|
|
|
2004-01-26 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/asn1/gen_length.c: 1.14: (length_type): TSequenceOf: add up
|
|
the size of all the elements, don't use just the size of the last
|
|
element.
|
|
|
|
* lib/krb5/fcache.c: 1.40: (_krb5_xlock): catch EINVAL and assume
|
|
that it means that the filesystem doesn't support locking 1.39:
|
|
(_krb5_xlock): fix compile error in last commit 1.38: internally
|
|
export x{,un}lock and thus prefix them with _krb5_
|
|
|
|
2004-01-13 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kuser/kinit.c: 1.106: (renew_validate): if renewable_flag and
|
|
not time specifed, use "1 month"
|
|
1.105: make -9 work again
|
|
|
|
2004-01-09 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/get_for_creds.c: 1.36: (add_addrs): don't increase
|
|
addr->len until in contains interesting data, use right iteration
|
|
counter when clearing the addresses 1.39: krb5_princ_realm ->
|
|
krb5_principal_get_realm 1.38: (krb5_get_forwarded_creds): use
|
|
KRB5_AUTH_CONTEXT_DO_TIME if we want timestamp in forwarded
|
|
krb-cred 1.39: (krb5_get_forwarded_creds): If tickets are
|
|
address-less, forward address-less tickets. 1.40:
|
|
(krb5_get_forwarded_creds): try to handle errors better for
|
|
previous commit 1.41: (add_addrs): don't add same address multiple
|
|
times
|
|
|
|
* lib/krb5/get_cred.c: 1.96->1.97: rename get_krbtgt to
|
|
_krb5_get_krbtgt and export it
|
|
|
|
2003-12-14 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kerberos5.c: part of 1.146->1.147: handle NULL client/server
|
|
names
|
|
|
|
2003-12-03 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/crypto.c: 1.90->1.91: require cipher-text to be padded
|
|
to padsize 1.91->1.92: (decrypt_internal_derived): move up padsize
|
|
check to avoid memory leak
|
|
|
|
2003-12-01 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kuser/kinit.c: 1.103->1.104: (main): return the return value
|
|
from simple_execvp
|
|
|
|
2003-10-22 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/transited.c: 1.13->1.14: (krb5_domain_x500_encode):
|
|
always zero out encoding to make sure it have a defined value on
|
|
failure
|
|
|
|
* lib/krb5/transited.c: 1.12->1.13: (krb5_domain_x500_encode): if
|
|
num_realms == 0, set encoding and return (avoids malloc(0)) check
|
|
return value from malloc
|
|
|
|
2003-10-21 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/setup.texi: 1.35->1.36: spelling
|
|
|
|
* kdc/kdc_locl.h: 1.58->1.59: add flag to always check transited
|
|
policy
|
|
|
|
* doc/setup.texi: 1.27->1.35: many changes
|
|
|
|
* lib/krb5/get_cred.c: 1.95->1.96: get capath info from [capaths]
|
|
section
|
|
|
|
* lib/krb5/rd_req.c: 1.50->1.51: (krb5_decrypt_ticket): try to
|
|
verify transited realms, unless the transited-policy-checked flag
|
|
is set
|
|
|
|
* lib/krb5/transited.c:
|
|
1.12: (krb5_domain_x500_decode): set *num_realms to zero not num_realms
|
|
1.11: (krb5_domain_x500_decode): handle zero length tr data;
|
|
(krb5_check_transited): new function that does more useful stuff
|
|
|
|
* kdc/kdc.8: 1.23->1.24: document enforce-transited-policy
|
|
|
|
* kdc/config.c: 1.47->1.48: add flag to always check transited
|
|
policy
|
|
|
|
* kdc/kerberos5.c:
|
|
1.150: (fix_transited_encoding): also verify with policy,
|
|
unless asked not to
|
|
1.151: always check transited policy if flag set either globally
|
|
(on principal part of patch not pulled up)
|
|
1.152: (fix_transited_encoding): set transited type
|
|
1.153: (fix_transited_encoding): always print cross-realm information
|
|
|
|
2003-10-06 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/config_file.c: 1.48->1.49:
|
|
(krb5_config_parse_file_debug): punt if there is binding before a
|
|
section declaration.
|
|
Bug found by Arkadiusz Miskiewicz <arekm@pld-linux.org>
|
|
|
|
* kdc/kaserver.c: 1.21->1.23:
|
|
(do_getticket): if times data is shorter then 8 bytes, request is
|
|
malformed.
|
|
(do_authenticate): if request length is less then 8 bytes, its a
|
|
bad request and fail. Pointed out by Marco Foglia <marco@foglia.org>
|
|
|
|
2003-09-22 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/verify_krb5_conf.c: 1.17->1.18: add missing " within
|
|
#if 0 From: stefan sokoll <stefansokoll@yahoo.de>
|
|
|
|
2003-09-19 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/rd_req.c:
|
|
1.47->1.48: (krb5_rd_req): allow caller to pass in a key
|
|
in the auth_context, they way processes that doesn't use the
|
|
keytab can still pass in the key of the service (matches behavior
|
|
of MIT Kerberos).
|
|
|
|
2003-09-18 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/crypto.c:
|
|
1.87->1.88: (usage2arcfour): simplify, only
|
|
include special cases From: Luke Howard <lukeh@PADL.COM>
|
|
1.86->1.87: (arcfour_checksum_p): return true when is arcfour,
|
|
not when its not pointed out by Luke Howard
|
|
1.82->1.83: Do the arcfour checksum mapping for
|
|
krb5_create_checksum and krb5_verify_checksum, From: Luke Howard
|
|
<lukeh@PADL.COM>
|
|
1.81->1.82: (hmac): make it return an error
|
|
when out of memory, update callsites to either return error or use
|
|
krb5_abortx
|
|
(krb5_hmac): expose hmac
|
|
* lib/krb5/mk_req_ext.c: 1.26->1.27: (krb5_mk_req_internal):
|
|
when using arcfour-hmac-md5, use an unkeyed checksum
|
|
(rsa-md5), since Microsoft calculates the keyed checksum with
|
|
the subkey of the authenticator.
|
|
|
|
* lib/krb5/get_cred.c:
|
|
1.93->1.94 (init_tgs_req): make generation of subkey
|
|
optional on configuration parameter
|
|
[realms]realm={tgs_require_subkey=bool}
|
|
defaults to off. The RFC1510 weakly defines the correct behavior,
|
|
so old DCE secd apparently required the subkey to be there, and MS
|
|
will use it when its there. But the request isn't encrypted in the
|
|
subkey, so you get to choose if you want to talk to a MS mdc or a
|
|
old DCE secd.
|
|
|
|
partly 1.91->1.92: (init_tgs_req): in case of error, don't
|
|
free in the req_body addresses since they where pass in by caller
|
|
|
|
lib/krb5/get_in_tkt.c:
|
|
1.108->1.1.09: (krb5_get_in_tkt): for compatibility with with
|
|
the mit implemtation, don't free `creds' argument when done, its up
|
|
the the caller to do that, also allow a NULL ccache.
|
|
|
|
* doc/ack.texi
|
|
1.16->1.17: update Luke Howard email address
|
|
|
|
* lib/hdb/hdb-ldap.c:
|
|
1.13->1.14: code rewrite from Luke Howard <lukeh@PADL.COM>
|
|
1.12->1.13: (LDAP_store): log what principal/dn failed
|
|
1.11->1.12: use int2HDBFlags/HDBFlags2int
|
|
From: Alberto Patino <jalbertop@aranea.com.mx>,
|
|
Luke Howard <lukeh@PADL.COM>
|
|
Pointed out by Andrew Bartlett of Samba
|
|
1.10->1.11: (LDAP__connect): bind sasl "EXTERNAL" to ldap connection
|
|
(LDAP_store): remove superfluous argument to asprintf
|
|
From Alberto Patino <jalbertop@aranea.com.mx>
|
|
|
|
* lib/krb5/krb5.h:
|
|
1.214->1.2015: add KEYTYPE_ARCFOUR_56
|
|
|
|
2003-09-12 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/config_file.c: fix prototypes Fredrik Ljungberg
|
|
<flag@pobox.se>
|
|
|
|
2003-09-11 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/hdb/hdb_locl.h: 1.18->1.19: include <limits.h> for ULONG_MAX
|
|
noted by Wissler Magnus <M.Wissler@abalon.se> on heimdal-discuss
|
|
|
|
2003-08-29 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/hdb/db3.c: 1.8->1.9: patch for working with DB4 on
|
|
heimdal-discuss From: Luke Howard <lukeh@PADL.COM> 1.9->1.10: try
|
|
to include more db headers
|
|
|
|
2003-08-25 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/connect.c: 1.92->1.93 (handle_tcp): handle recvfrom
|
|
returning 0 (connection closed) 1.91->1.92: (grow_descr):
|
|
increment the size after we succeed to allocate the space
|
|
|
|
2003-08-15 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/principal.c: 1.83->1.85: (unparse_name): len can't be
|
|
zero, so, don't check for that
|
|
(unparse_name): make sure there are space for a NUL, set *name to NULL
|
|
when there is a failure (so caller can't get hold of a freed
|
|
pointer)
|
|
|
|
2003-05-08 Johan Danielsson <joda@ratatosk.pdc.kth.se>
|
|
|
|
* Release 0.6
|
|
|
|
2003-05-08 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kuser/klist.c: 1.68->1.69: print tokens even if there isn't v4
|
|
support
|
|
|
|
* kuser/kdestroy.c: 1.14->1.15: destroy tokens even if there isn't
|
|
v4 support
|
|
|
|
* kuser/kinit.c: 1.90->1.91: print tokens even if there isn't v4
|
|
support
|
|
|
|
2003-05-06 Johan Danielsson <joda@pdc.kth.se>
|
|
|
|
* lib/krb5/name-45-test.c: need to use empty krb5.conf for some
|
|
tests
|
|
|
|
* lib/asn1/check-gen.c: there is no \e escape sequence; replace
|
|
everything with hex-codes, and cast to unsigned char* to make some
|
|
compilers happy
|
|
|
|
2003-05-06 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/get_in_tkt.c (make_pa_enc_timestamp): make sure first
|
|
argument to krb5_us_timeofday have correct type
|
|
|
|
2003-05-05 Assar Westerlund <assar@kth.se>
|
|
|
|
* include/make_crypto.c (main): include aes.h if ENABLE_AES
|
|
|
|
2003-05-05 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* NEWS: 1.108->1.110: fix text about gssapi compat
|
|
|
|
2003-04-28 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/v4_dump.c: 1.4->1.5: (v4_prop_dump): limit strings length,
|
|
from openbsd
|
|
|
|
2003-04-24 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/programming.texi: 1.2-1.3: s/managment/management/, from jmc
|
|
<jmc@prioris.mini.pw.edu.pl>
|
|
|
|
2003-04-22 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krbhst.c: 1.43->1.44: copy NUL too, from janj@wenf.org
|
|
via openbsd
|
|
|
|
2003-04-17 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/asn1/der_copy.c (copy_general_string): use strdup
|
|
* lib/asn1/der_put.c: remove sprintf
|
|
* lib/asn1/gen.c: remove strcpy/sprintf
|
|
|
|
* lib/krb5/name-45-test.c: use a more unique name then ratatosk so
|
|
that other (me) have such hosts in the local domain and the tests
|
|
fails, to take hokkigai.pdc.kth.se instead
|
|
|
|
* lib/krb5/test_alname.c: add --version and --help
|
|
|
|
2003-04-16 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5_warn.3: add krb5_get_err_text
|
|
|
|
* lib/krb5/transited.c: use strlcat/strlcpy, from openbsd
|
|
* lib/krb5/krbhst.c (srv_find_realm): use strlcpy, from openbsd
|
|
* lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use
|
|
strlcpy, from openbsd
|
|
* kdc/hpropd.c: s/strcat/strlcat/, inspired from openbsd
|
|
* appl/kf/kfd.c: use strlcpy, from openbsd
|
|
|
|
2003-04-16 Johan Danielsson <joda@pdc.kth.se>
|
|
|
|
* configure.in: fix for large file support in AIX, _LARGE_FILES
|
|
needs to be defined on the command line, since lex likes to
|
|
include stdio.h before we get to config.h
|
|
|
|
2003-04-16 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/*.3: Change .Fd #include <header.h> to .In header.h,
|
|
from Thomas Klausner <wiz@netbsd.org>
|
|
|
|
* lib/krb5/krb5.conf.5: spelling, from Thomas Klausner
|
|
<wiz@netbsd.org>
|
|
|
|
2003-04-15 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kerberos5.c: fix some more memory leaks
|
|
|
|
2003-04-11 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* appl/kf/kf.1: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>
|
|
|
|
2003-04-08 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* admin/ktutil.8: typos, from jmc <jmc@acn.waw.pl>
|
|
|
|
2003-04-06 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5.3: s/kerberos/Kerberos/
|
|
* lib/krb5/krb5_data.3: s/kerberos/Kerberos/
|
|
* lib/krb5/krb5_address.3: s/kerberos/Kerberos/
|
|
* lib/krb5/krb5_ccache.3: s/kerberos/Kerberos/
|
|
* lib/krb5/krb5.conf.5: s/kerberos/Kerberos/
|
|
* kuser/kinit.1: s/kerberos/Kerberos/
|
|
* kdc/kdc.8: s/kerberos/Kerberos/
|
|
|
|
2003-04-01 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/test_alname.c: more krb5_aname_to_localname tests
|
|
|
|
* lib/krb5/aname_to_localname.c (krb5_aname_to_localname): when
|
|
converting too root, make sure user is ok according to
|
|
krb5_kuserok before allowing it.
|
|
|
|
* lib/krb5/Makefile.am (noinst_PROGRAMS): += test_alname
|
|
|
|
* lib/krb5/test_alname.c: add test for krb5_aname_to_localname
|
|
|
|
* lib/krb5/crypto.c (krb5_DES_AFS3_CMU_string_to_key): used p1
|
|
instead of the "illegal" salt #~, same change as kth-krb did
|
|
1999. Problems occur with crypt() that behaves like AT&T crypt
|
|
(openssl does this). Pointed out by Marcus Watts.
|
|
|
|
* admin/change.c (kt_change): collect all principals we are going
|
|
to change, and pick the highest kvno and use that to guess what
|
|
kvno the resulting kvno is going to be. Now two ktutil change in a
|
|
row works. XXX fix the protocol to pass the kvno back.
|
|
|
|
2003-03-31 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* appl/kf/kf.1: afs->AFS, from jmc <jmc@acn.waw.pl>
|
|
|
|
2003-03-30 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/setup.texi: add description on how to turn on v4, 524 and
|
|
kaserver support
|
|
|
|
2003-03-29 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/verify_krb5_conf.c (appdefaults_entries): add afslog
|
|
and afs-use-524
|
|
|
|
2003-03-28 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kerberos5.c (as_rep): when the second enctype_to_string
|
|
failes, remember to free memory from the first enctype_to_string
|
|
|
|
* lib/krb5/crypto.c (usage2arcfour): map KRB5_KU_TICKET to 2,
|
|
from Harald Joerg <harald.joerg@fujitsu-siemens.com>
|
|
(enctype_arcfour_hmac_md5): disable checksum_hmac_md5_enc
|
|
|
|
* lib/hdb/mkey.c (hdb_unseal_keys_mkey): truncate key to the key
|
|
length when key is longer then expected length, its probably
|
|
longer since the encrypted data was padded, reported by Aidan
|
|
Cully <aidan@kublai.com>
|
|
|
|
* lib/krb5/crypto.c (krb5_enctype_keysize): return key size of
|
|
encyption type, inspired by Aidan Cully <aidan@kublai.com>
|
|
|
|
2003-03-27 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/keytab.c (krb5_kt_get_entry): avoid printing 0
|
|
(wildcard kvno) after principal when the keytab entry isn't found,
|
|
reported by Chris Chiappa <chris@chiappa.net>
|
|
|
|
2003-03-26 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/misc.texi: update 2b example to match reality (from
|
|
mattiasa@e.kth.se)
|
|
|
|
* doc/misc.texi: spelling and add `Configuring AFS clients'
|
|
subsection
|
|
|
|
2003-03-25 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5.3: add krb5_free_data_contents.3
|
|
|
|
* lib/krb5/data.c: add krb5_free_data_contents for compat with MIT
|
|
API
|
|
|
|
* lib/krb5/krb5_data.3: add krb5_free_data_contents for compat
|
|
with MIT API
|
|
|
|
* lib/krb5/krb5_verify_user.3: write more about how the ccache
|
|
argument should be inited when used
|
|
|
|
2003-03-25 Johan Danielsson <joda@pdc.kth.se>
|
|
|
|
* lib/krb5/addr_families.c (krb5_print_address): make sure
|
|
print_addr is defined for the given address type; make addrports
|
|
printable
|
|
|
|
* kdc/string2key.c: print the used enctype for kerberos 5 keys
|
|
|
|
2003-03-25 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/aes-test.c: add another arcfour test
|
|
|
|
2003-03-22 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/aes-test.c: sneek in a test for arcfour-hmac-md5
|
|
|
|
2003-03-20 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5_ccache.3: update .Dd
|
|
|
|
* lib/krb5/krb5.3: sort in krb5_data functions
|
|
|
|
* lib/krb5/Makefile.am (man_MANS): += krb5_data.3
|
|
|
|
* lib/krb5/krb5_data.3: document krb5_data
|
|
|
|
* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): if
|
|
prompter is NULL, don't try to ask for a password to
|
|
change. reported by Iain Moffat @ ufl.edu via Howard Chu
|
|
<hyc@highlandsun.com>
|
|
|
|
2003-03-19 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5_keytab.3: spelling, from
|
|
<jmc@prioris.mini.pw.edu.pl>
|
|
|
|
* lib/krb5/krb5.conf.5: . means new line
|
|
|
|
* lib/krb5/krb5.conf.5: spelling, from
|
|
<jmc@prioris.mini.pw.edu.pl>
|
|
|
|
* lib/krb5/krb5_auth_context.3: spelling, from
|
|
<jmc@prioris.mini.pw.edu.pl>
|
|
|
|
2003-03-18 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kuser/Makefile.am: INCLUDES: -I$(srcdir)/../lib/krb5
|
|
|
|
* lib/krb5/convert_creds.c: add _krb5_krb_life_to_time
|
|
|
|
* lib/krb5/krb5-v4compat.h: add _krb5_krb_life_to_time
|
|
|
|
* kdc/kdc_locl.h: 524 is independent of kerberos 4, so move out
|
|
#ifdef KRB4 from enable_v4_cross_realm since 524 needs it
|
|
|
|
* kdc/config.c: 524 is independent of kerberos 4, so move out
|
|
enable_v4_cross_realm from #ifdef KRB4 since 524 needs it
|
|
|
|
2003-03-17 Assar Westerlund <assar@kth.se>
|
|
|
|
* kdc/kdc.8: document --kerberos4-cross-realm
|
|
* kdc/kerberos4.c: pay attention to enable_v4_cross_realm
|
|
* kdc/kdc_locl.h (enable_v4_cross_realm): add
|
|
* kdc/524.c (encode_524_response): check the enable_v4_cross_realm
|
|
flag before giving out v4 tickets for foreign v5 principals
|
|
* kdc/config.c: add --enable-kerberos4-cross-realm option (default
|
|
to off)
|
|
|
|
2003-03-17 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/Makefile.am (man_MANS) += krb5_aname_to_localname.3
|
|
|
|
* lib/krb5/krb5_aname_to_localname.3: manpage for
|
|
krb5_aname_to_localname
|
|
|
|
* lib/krb5/krb5_kuserok.3: s/KRB5_USEROK/KRB5_KUSEROK/
|
|
|
|
2003-03-16 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/Makefile.am (man_MANS): add krb5_set_default_realm.3
|
|
|
|
* lib/krb5/krb5.3: add manpages from krb5_set_default_realm.3
|
|
|
|
* lib/krb5/krb5_set_default_realm.3: Manpage for
|
|
krb5_free_host_realm, krb5_get_default_realm,
|
|
krb5_get_default_realms, krb5_get_host_realm, and
|
|
krb5_set_default_realm.
|
|
|
|
* admin/ktutil.8: s/entype/enctype/, from Igor Sobrado
|
|
<sobrado@acm.org> via NetBSD
|
|
|
|
* lib/krb5/krb5_keytab.3: add documention for krb5_kt_get_type
|
|
|
|
* lib/krb5/keytab.c (krb5_kt_get_type): get prefix/type of keytab
|
|
|
|
* lib/krb5/krb5.h (KRB5_KT_PREFIX_MAX_LEN): max length of prefix
|
|
|
|
* lib/krb5/krb5_ccache.3: document krb5_cc_get_ops, add more
|
|
types, add krb5_fcc_ops and krb5_mcc_ops
|
|
|
|
* lib/krb5/cache.c (krb5_cc_get_ops): new function, return ops for
|
|
a id
|
|
|
|
2003-03-15 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/intro.texi: add reference to source code, binaries and the
|
|
manual
|
|
|
|
* lib/krb5/krb5.3: krb5.h isn't in krb5 directory in heimdal
|
|
|
|
2003-03-14 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kdc.8: better/difrent english
|
|
|
|
* kdc/kdc.8: . -> .\n, copyright/license
|
|
|
|
* kdc/kdc.8: changed configuration file -> restart kdc
|
|
|
|
* kdc/kerberos4.c: add krb4 into the most error messages written
|
|
to the logfile
|
|
|
|
* lib/krb5/krb5_ccache.3: add missing name of argument
|
|
(krb5_context) to most functions
|
|
|
|
2003-03-13 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/kuserok.c (krb5_kuserok): preserve old behviour of
|
|
function and return FALSE when there isn't a local account for
|
|
`luser'.
|
|
|
|
* lib/krb5/krb5_kuserok.3: fix prototype, spelling and more text
|
|
describing the function
|
|
|
|
2003-03-12 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/cache.c (krb5_cc_default): if krb5_cc_default_name
|
|
returned memory, don't return ENOMEM
|
|
|
|
2003-03-11 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5.3: add krb5_address stuff and sort
|
|
|
|
* lib/krb5/krb5_address.3: fix krb5_addr2sockaddr description
|
|
|
|
* lib/krb5/Makefile.am (man_MANS): += krb5_address.3
|
|
|
|
* lib/krb5/krb5_address.3: document types krb5_address and
|
|
krb5_addresses and their helper functions
|
|
|
|
2003-03-10 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/Makefile.am (man_MANS): += krb5_kuserok.3
|
|
|
|
* lib/krb5/krb5_kuserok.3: spelling, from cizzi@it.su.se
|
|
|
|
* lib/krb5/Makefile.am (man_MANS): += krb5_ccache.3
|
|
|
|
* lib/krb5/krb5_ccache.3: spelling, from cizzi@it.su.se
|
|
|
|
* lib/krb5/krb5.3: add more functions
|
|
|
|
* lib/krb5/krb5_ccache.3: document krb5_ccache and krb5_cc
|
|
functions
|
|
|
|
* lib/krb5/krb5_kuserok.3: document krb5_kuserok
|
|
|
|
* lib/krb5/krb5_verify_user.3: document
|
|
krb5_verify_opt_set_flags(opt, KRB5_VERIFY_LREALMS) behavior
|
|
|
|
* lib/krb5/krb5_verify_user.3: document krb5_verify_opt* and
|
|
krb5_verify_user_opt
|
|
|
|
* lib/krb5/*.[0-9]: add copyright/licenses on more manpages
|
|
|
|
* kuser/kdestroy.c (main): handle that krb5_cc_default_name can
|
|
return NULL
|
|
|
|
* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump minor
|
|
(TESTS): add test_cc
|
|
|
|
* lib/krb5/test_cc.c: test some
|
|
krb5_cc_default_name/krb5_cc_set_default_name combinations
|
|
|
|
* lib/krb5/context.c (init_context_from_config_file): set
|
|
default_cc_name to NULL
|
|
(krb5_free_context): free default_cc_name if set
|
|
|
|
* lib/krb5/cache.c (krb5_cc_set_default_name): new function
|
|
(krb5_cc_default_name): use krb5_cc_set_default_name
|
|
|
|
* lib/krb5/krb5.h (krb5_context_data): add default_cc_name
|
|
|
|
2003-02-25 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* appl/kf/kf.1: s/securly/securely/ from NetBSD
|
|
|
|
2003-02-18 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/connect.c: s/intialize/initialize, from
|
|
<jmc@prioris.mini.pw.edu.pl>
|
|
|
|
2003-02-17 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* configure.in: add AM_MAINTAINER_MODE
|
|
|
|
2003-02-16 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* **/*.[0-9]: add copyright/licenses on all manpages
|
|
|
|
2003-14-16 Jacques Vidrine <nectar@kth.se>
|
|
|
|
* lib/krb5/get_in_tkt.c (init_as_req): Send only a single
|
|
PA-ENC-TIMESTAMP in the AS-REQ, using the first encryption
|
|
type specified by the KDC.
|
|
|
|
2003-02-15 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* fix-export: some autoconf put their version number in
|
|
autom4te.cache, so remove autom4te*.cache
|
|
|
|
* fix-export: make sure $1 is a directory
|
|
|
|
2003-02-04 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kpasswd/kpasswdd.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>
|
|
|
|
* kdc/kdc.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>
|
|
|
|
2003-01-31 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/hpropd.8: s/databases/a database/ s/Not/not/
|
|
|
|
* kdc/hprop.8: add missing .
|
|
|
|
2003-01-30 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5.conf.5: documentation for of boolean, etypes,
|
|
address, write out encryption type in sentences, s/Host/host
|
|
|
|
2003-01-26 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/asn1/check-gen.c: add checks for Authenticator too
|
|
|
|
2003-01-25 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/setup.texi: in the hprop example, use hprop and the first
|
|
component, not host
|
|
|
|
* lib/krb5/get_addrs.c (find_all_addresses): address-less
|
|
point-to-point might not have an address, just ignore
|
|
those. Reported by Harald Barth.
|
|
|
|
2003-01-23 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/verify_krb5_conf.c (check_section): when key isn't
|
|
found, don't print out all known keys
|
|
|
|
* lib/krb5/verify_krb5_conf.c (syslogvals): mark up where severity
|
|
and facility start resp
|
|
(check_log): find_value() returns -1 when key isn't found
|
|
|
|
* lib/krb5/crypto.c (_krb5_aes_cts_encrypt): make key argument a
|
|
'const void *' to avoid AES_KEY being exposed in krb5-private.h
|
|
|
|
* lib/krb5/krb5.conf.5: add [kdc]use_2b
|
|
|
|
* kdc/524.c (encode_524_response): its 2b not b2
|
|
|
|
* doc/misc.texi: quote @ where missing
|
|
|
|
* lib/asn1/Makefile.am: add check-gen
|
|
|
|
* lib/asn1/check-gen.c: add Principal check
|
|
|
|
* lib/asn1/check-common.h: move generic asn1/der functions from
|
|
check-der.c to here
|
|
|
|
* lib/asn1/check-common.c: move generic asn1/der functions from
|
|
check-der.c to here
|
|
|
|
* lib/asn1/check-der.c: move out the generic asn1/der functions to
|
|
a common file
|
|
|
|
2003-01-22 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/misc.texi: more text about afs, how to get get your KeyFile,
|
|
and how to start use 2b tokens
|
|
|
|
* lib/krb5/krb5.conf.5: spelling, from Jason McIntyre
|
|
<jmc@cvs.openbsd.org>
|
|
|
|
2003-01-21 Jacques Vidrine <nectar@kth.se>
|
|
|
|
* kuser/kuser_locl.h: include crypto-headers.h for
|
|
des_read_pw_string prototype
|
|
|
|
2003-01-16 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* admin/ktutil.8: document -v, --verbose
|
|
|
|
* admin/get.c (kt_get): make getarg usage consistent with other
|
|
other parts of ktutil
|
|
|
|
* admin/copy.c (kt_copy): remove adding verbose_flag to args
|
|
struct, since it will overrun the args array (from Sumit Bose)
|
|
|
|
2003-01-15 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5.conf.5: write more about [realms] REALM = { kdc =
|
|
... }
|
|
|
|
* lib/krb5/aes-test.c: test vectors in aes-draft
|
|
|
|
* lib/krb5/Makefile.am: add aes-test.c
|
|
|
|
* lib/krb5/crypto.c: Add support for AES
|
|
(draft-raeburn-krb-rijndael-krb-02), not enabled by default.
|
|
(HMAC_SHA1_DES3_checksum): rename to SP_HMAC_SHA1_checksum and modify
|
|
to support checksumtype that are have a shorter wireformat then
|
|
their output block size.
|
|
|
|
* lib/krb5/crypto.c (struct encryption_type): split the blocksize
|
|
into blocksize and padsize, padsize is the minimum padding
|
|
size. they are the same for now
|
|
(enctype_*): add padsize
|
|
(encrypt_internal): use padsize
|
|
(encrypt_internal_derived): use padsize
|
|
(wrapped_length): use padsize
|
|
(wrapped_length_dervied): use padsize
|
|
|
|
* lib/krb5/crypto.c: add extra `opaque' argument to string_to_key
|
|
function for each enctype in preparation enctypes that uses
|
|
`Encryption and Checksum Specifications for Kerberos 5' draft
|
|
|
|
* lib/asn1/k5.asn1: add checksum and enctype for AES from
|
|
draft-raeburn-krb-rijndael-krb-02.txt
|
|
|
|
* lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_AES128,
|
|
KEYTYPE_AES256
|
|
|
|
2003-01-14 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/hdb/common.c (_hdb_fetch): handle error code from
|
|
hdb_value2entry
|
|
|
|
* kdc/Makefile.am: always include kerberos4.c and 524.c in
|
|
kdc_SOURCES to support 524
|
|
|
|
* kdc/524.c: always compile in support for 524
|
|
|
|
* kdc/kdc_locl.h: move out krb/524 protos from under #ifdef KRB4
|
|
|
|
* kdc/config.c: always compile in support for 524
|
|
|
|
* kdc/connect.c: always compile in support for 524
|
|
|
|
* kdc/kerberos4.c: export encode_v4_ticket() and get_des_key()
|
|
even when we build without kerberos 4, 524 needs them
|
|
|
|
* lib/krb5/convert_creds.c, lib/krb5/krb5-v4compat.h: Split out
|
|
Kerberos 4 help functions/structures so other parts of the source
|
|
tree can use it (like the KDC)
|
|
|